I have covered most show commands throughout the previous topics. Therefore I will list them quickly here plus a few others:
show ip interface brief
show vlan brief
show interface switchport
show interface trunk
show vtp status
show spanning-tree summary
As I’m using PacketTracer there isn’t much in terms of debugging commands for switches. I would highly recommend using physical switches if possible and build a small network and run some debug commands.
This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.
To enable rapid spanning tree protocol on our three switches:
spanning-tree mode rapid-pvst
spanning-tree mode rapid-pvst
spanning-tree mode rapid-pvst
We will also enable portfast on our access ports (PCs connected to the switches) – This will enable the ports to go straight to a forwarding state meaning the ports will instantly come up. You do not want to enable this on trunk links, this may cause issues with switching loops.
You will get a warning message about enabling portfast on trunk links.
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.
That’s all that’s needed to enabled rapid spanning-tree and portfast. Lets go one step further and lets force switch C become the root bridge for VLAN 1. Currently Switch B is the root.
We can do this two ways, one to set the priority of VLAN 1 to a much lower value for example 4096 or force the switch as the root.
I have gone with changing the priority to 4096, The above will only change the root bridge for VLAN 1.
Now if we do a show spanning-tree vlan 1 on Switch C:
The above shows a show spanning-tree output from Switch C. We can see the priority address has been changed to 4096+VLAN 1 (4097) and the bridge is the root for VLAN 1.
To verify RSTP has been configured correctly we can go through the configuration by using the show running-config command and verifying spanning-tree mode rapid-pvst has been entered on all three switches.
The next command we can verify RSTP with is show spanning-tree, this will show what type of spanning-tree is enabled and root bridge/interface statuses.
Show spanning-tree summary can be used to give a quick indication of what mode spanning tree is configured for and some other useful information such as what VLANs are taken part in spanning-tree.
Ensure all switches are configured for rapid-spanning tree – rapid-spanning tree is backwards compatible meaning it will match the normal spanning-tree timers and can cause slowness
Check cables between switches are correct – Crossover cable
Check you haven’t made a trunk link portfast by mistake
Using the verify commands above can greatly help with understanding why RSTP isn’t work (root bridge incorrect, port blocked, rapid-spanning tree not configured)
No need to specify the server mode. By default switches are servers. If required to change between client/transparent the command is vtp mode server.
On Switch C we will create four VLANs 10, 20 30 and 40. VLAN 10 and 20 are already configured, We’re just naming them here:
If we go to Switch B and switch A and issue a show vlan command we will notice the two VLANs have automatically been created for us:
Lets try and configure VLAN 50 on Switch A:
We are unable to do so! VTP is working correctly.
VTP Pruning isn’t supported as of writing this on Packet Tracer version 5.3.3. The command would be vtp pruning under global configuration. This will stop the advertisement of unused VLANs to other switches. This cannot be set on clients only servers but will propagate down to VTP clients. You could instead use switchport trunk allowed vlan #vlan under each interface to manually prune – this does give you much greater control.
I haven’t configured a transparent switch, the command to make a transparent switch is vtp mode transparent. A transparent switch will forward VTP information but has its own local database.
The following commands will help with verifying VTP on each switch:
show vtp status
The show VTP status command will show what VTP version is running, how many revisions, operating mode and VTP domain name.
The VTP version is in fact 1, I’m not sure why its showing 2. Trying to force VTP version 1 results in the following:
Switch C(config)#vtp version 1
VTP mode already in V1.
show running-config – to verify vtp is configured correctly
show vlan – will show the VLANs that have been created
show vtp status – checking revision numbers are consistent across switches will indicate if VTP is working correctly
show vtp password will display the password if you’ve forgotten it
Ensure Domain name, version and password are the same – these are case sensitive!
If you cannot add a VLAN, the switch may be configured with client instead of server
We will configure PC1 and PC2 with an IP address and default gateway.
IP Address: 10.0.0.2
Default Gateway: 10.0.0.1
IP Address: 10.0.1.2
Default Gateway: 10.0.1.1
If we try and ping PC2 from PC1 the result will fail. Why? Because there’s no way for VLAN 10 and VLAN 20 to communicate, Also they’re in different subnets.
To allow these two PCs to communicate we need to configure Router A to route frames between VLAN 10 and VLAN 20.
If you noticed we set default gateways on PC1 and PC2, we will now configure these on Router A. This way, when PC1 or PC2 wants to send a frame to a different subnet, it will forward to the default gateway, the default gateway will lookup to see if it has an entry in its routing table if it does, it will forward otherwise it will drop the frame.
We will configure two sub interfaces on Router A under fa0/0 one for VLAN 10 and one for VLAN20. First we need to bring up the fast ethernet 0/0 interface up, otherwise the sub interfaces once configured will not work.
Now to configure the sub interfaces on Router A:
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
encapsulation dotq1 20
ip address 10.0.1.1 255.255.255.0
I tend to create sub-interfaces that match the VLAN number, this is handy when trying to troubleshoot as you can quickly identify which VLAN belongs to which sub-interface.
The encapsulation dot1q 10/20 command defines the sub interface as a trunk link and that it expects to send/receive VLAN 10/20 traffic on this interface.
That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping:
When configuring a trunk, the trunk needs to be enabled on both switches. We will configure fa0/1 as a trunk link on both Switch A and Switch B. I will be doing this via Cisco’s packet tracer program on two Cisco 2950 switches.
By default all VLANs are allowed to be received and sent across trunk links, this can be changed and will be discussed later on.
Configuring trunk on a layer 3 switch is slightly different, you have the choice of either using 802.1Q (dot1q) or ISL as the encapsulation. Newer routers don’t support ISL so It would be wise to use 802.1Q.
It is possible to do a range of interfaces to turn them into trunk links:
interface range fa0/1-fa0/5
switchport mode trunk
We can restrict or allow which VLANs are allowed across a trunk link using the trunk allowed command. To configure allowed VLANs make sure you’re under the interface where the trunk is enabled such as interface fa0/1.
This will reset the trunk to default allowing all VLANs across the trunk:
switchport trunk allowed vlan all
This will stop VLANs 2 through 6 from communicating over the trunk:
switchport trunk allowed vlan remove 2-6
This will allow VLAN 6 to communicate over the trunk if we removed it by mistake:
switchport trunk allowed vlan 6
Verifying a trunk:
There are few commands to verify a trunk link. The first is to run a show running-config on both switches.
As shown above, we can see both the interfaces have been configured for trunking.
The next is to display the switchport information for both interfaces on the switches.
show int fa0/1 switchport
Switch B:We can see from this information that the operational mode is trunk and the encapsulaton is dot1q.
Lastly we can display information based on all interfaces that are enabled for trunk and what VLANs are allowed across these trunk links.
show int trunk
Troubleshooting a trunk:
Make sure trunk is enabled on both connecting sides of the interfaces
Ensure the encapsulation at both ends meet
Check the cable is connected and the correct type of cable is used
Check to see whether any restrictions are on the trunk that are preventing a VLAN across the link (show int trunk)
A VLAN is a virtual logical area network. VLANs allow you to logically group ports on a switch. You may want to do this to ensure the IT department cannot see traffic from the Finance department for example. VLANs can be spanned across multiple switches, meaning all you have to do is change the VLAN number on a port and bingo you’re in that VLAN (assuming VTP is enabled across the switched network). VLANs break up broadcast domains by broadcasting frames only to the same VLAN.
We have the ability with VLANs to improve our security by controlling what VLANs have access to which other VLANs on the network. We can also isolated a VLAN so it cannot communicate with any devices but just have access to the internet (handy for open areas).
By default VLANs cannot communicate with other VLANs. However this can be achieved with either a layer 3 switch (not covered in the CCNA but is in the CCNP) or by you guessed it a router, as a routers job is to route frames. This method is known as a router on a stick.
VLANs 0 and 4095 For system use only
VLAN 1 is Cisco default VLAN, all ports are by default a member of this VLAN
VLANs 2-1001 You can use, create and delete VLANS within this range
VLANs 1002-1005 are used with FDDI and TokenRing. You cannot delete these
VLANs 1006-4094 These VLANs are the extended range for Ethernet, can not be propagated by VTP
VLAN information can be found in VLAN.DAT which is stored in Flash memory. This can be viewed using “show flash”
VLANs cannot send between VLANs, a Layer 3 device is needed
The way router on a stick works is, say a device on VLAN 20 wanted to communicate with a device VLAN 30 both VLAN frames would need to be sent to a router via a trunk link from the Layer 2 switch. The router will look at its sub-interfaces and see if it has a match for the VLANs, if it does it will route the frame to the correct destination. Remembering that without this method VLAN 20 will not be able to communicate with VLAN 30.
Layer 3 device such as a router or switch required
Links between the switch and router must be in trunk mode
Encapsulation between the switch and router must match either 802.1Q or ISL
Encapsulation can only be configured on a Fast Ethernet/Gigabit interface
Encapsulation must be configured on the subinterface to match the VLAN
Subinterfaces must be configured with an IP address that is on the same subnet of the VLAN, this will also be the default gateway for that VLAN
the parent interface of the subinterface must be up (no shutdown) for the subinterfaces to work