NETWORK SECURITY

04/25/2018 7:00 AM

VLAN Troubleshooting Commands

Save time by using these four commands to quickly track down and resolve VLAN-related problems.

Troubleshooting VLANs and VLAN trunks can occasionally be a frustrating ordeal even for the most seasoned network administrators. The entire concept of the VLAN is to streamline the management of network devices so that data flows are handled efficiently. Yet sometimes a misconfiguration, oversight or architectural misstep can lead to hours wasted troubleshooting. In this article, I cover a few commands that help you quickly identify and resolve problems when troubleshooting VLAN-related issues on your network switch.

show vlan

When devices that are supposedly configured on the same VLAN are not communicating with each other, the first command you should run on the switch is show vlan. In the following example, the column on the right side of the command output lists the switch ports assigned to each VLAN. When troubleshooting intra-VLAN problems, simply find the problematic ports and verify that they are in the correct VLAN and also that the VLAN is in an "active" state.

[Image: show vlan output]

show interfaces vlan (#)

When trying to figure out why devices configured in one VLAN cannot communicate with devices configured in another VLAN on a layer 3 switch, make sure you have a switch virtual interface (SVI) configured for each VLAN and that the SVI is in an up/up state. Inter-VLAN communication must be routed from one VLAN to the next, so a Layer 3 gateway must be configured on each VLAN that needs to talk. On layer 3 switches, the gateway is configured using SVIs. In this example, I use the show interfaces vlan command followed by the VLAN number to show that: 1. VLAN 10 has an SVI configured, 2. the SVI is in an up/up state, and 3. the SVI has the proper default gateway IP and subnet configured.

[Image: show interfaces vlan 10 output]

show interfaces trunk

When a VLAN spans more than one switch, you can use a VLAN trunk to connect the VLANs together. Depending on how your trunk is configured, it may carry all VLANs or only specific VLANs spanning the two switches. If you have one or more VLANs configured on two switches connected by a trunk link, yet the VLANs are not communicating for some reason, the first command you should run is show interfaces trunk. The command output shows all the configured trunk links on the local switch. In addition, it tells you the trunking mode, the status of the trunk, and which VLAN is configured as the native (untagged) VLAN.

More importantly, you'll see three VLAN lists that matter when troubleshooting VLANs that are not communicating across the trunk: "Vlans allowed on trunk," "Vlans allowed and active in management domain," and "Vlans in spanning tree forwarding state and not pruned." The bottom line is that if your VLAN does not show up in all three of these lists, the VLAN is either not allowed on the trunk by the allowed-VLAN configuration command, or the local-switch or remote-switch trunk configuration is excluding it.

[Image: show interfaces trunk output]
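As an added example (not code from the original article), here is a small Python parser for the three VLAN lists in show interfaces trunk that reports which list a given VLAN drops out of and what that usually points to. The sample output, port name and VLAN numbers are constructed for the example.

```python
# Constructed "show interfaces trunk" output for one trunk port (assumed values, not
# the article's screenshot): VLAN 30 is not allowed, 20 is allowed but inactive,
# 100 is active but not forwarding, and 10 passes all three lists.
SAMPLE_OUTPUT = """\
Port        Vlans allowed on trunk
Gi0/1       1,10,20,100-102

Port        Vlans allowed and active in management domain
Gi0/1       1,10,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10
"""

LIST_HEADERS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlan_list(text):
    """Expand an IOS VLAN list such as '1,10-12,20' (or 'none') into a set of ints."""
    vlans = set()
    for part in (p.strip() for p in text.split(",")):
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(output):
    """Return {port: {"allowed": set, "active": set, "forwarding": set}}."""
    trunks, section, port = {}, None, None
    for line in filter(str.strip, output.splitlines()):
        if line.startswith("Port"):  # table header; the Mode/Status table maps to None
            section = LIST_HEADERS.get(line[4:].strip())
        elif section is not None:
            if not line[0].isspace():  # port row; an indented row continues a long list
                port, line = line.split(None, 1)
                trunks.setdefault(port, {k: set() for k in LIST_HEADERS.values()})
            trunks[port][section] |= expand_vlan_list(line)
    return trunks


def diagnose_vlan(output, port, vlan):
    lists = parse_show_interfaces_trunk(output)[port]
    if vlan not in lists["allowed"]:
        return "not allowed on trunk: check the allowed-VLAN list on both switches"
    if vlan not in lists["active"]:
        return "allowed but not active: VLAN missing or shut down on this switch"
    if vlan not in lists["forwarding"]:
        return "active but not forwarding: spanning tree blocking or pruned"
    return "ok"
```

Paste the real command output into diagnose_vlan with the trunk port and VLAN in question; the returned string names the first list the VLAN is missing from.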

show run interface

Finally, if you are troubleshooting problems with Cisco phones, the problem may be that they are not configured for the proper voice VLAN. Cisco phones have a unique feature that essentially allows them to trunk two VLANs on a single port. One VLAN is for voice traffic and the other is for PC traffic. The switch connects to the phone and another Ethernet connection from the phone to the PC is used. That way, each desk or cube uses a single cable, yet the phone and PC reside in separate VLANs.

In some situations, the voice VLAN may either not be configured on the port or be configured with the incorrect voice VLAN. Not having the correct voice VLAN configured on the problematic port can mean the difference between a working and a non-working phone. If the phone uses DHCP to receive an IP address, the voice VLAN requires a special DHCP option configuration that points the phone to a TFTP server, where it can download the necessary phone configuration file. This file is used to properly register the phone with the Cisco Call Manager. It's also possible that you have access controls or firewall rules that only allow access to Call Managers and voice mail servers from voice VLANs.

To quickly verify the access and voice VLAN configured on a specific switch port, simply use the show run interface command followed by the type and switch port number as shown here:

[Image: show run interface output]
