Vlan pruning caused switch connectivity degradation

After pruning VLANs on a 2950 and copying run to start, all of a sudden connectivity to the switch is slower. The 2950 is trunked to a 6513 with dual trunks using spanning tree. The native VLANs on both sides of the trunks are VLAN 1, and both are set up for 802.1q. Tried adding VLANs back in to the switch; still slow. Can't see why deleting VLANs from a switch would cause degradation in the connection. Also, VLAN 1 on the 2950 is taking a lot of input errors. The port on the 6513 has not been pruned.

Hello,
are you manually pruning with a VLAN list, or have you globally configured VTP pruning on the VTP server? Are all switches running the same version of VTP? Can you post the output of 'show vtp status' from both the 2950 and the 6513?
Regards,
GP

Similar Messages

  • VLAN Pruning

    Is it a good idea to enable VLAN pruning on switch stacks, or does this add more CPU usage, which could cause other problems? The network consists of 3750, 3500 and 2900 switches.

    Hi,
    Pruning unneeded vlans off of trunks is a good idea, and may actually lower your CPU utilization, as the number of STP instances may be reduced as well.
    From the best practices doc:
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml
    "VLANs can be pruned from trunks down to switches that do not have ports in the VLAN. This results in frame flooding that is more bandwidth-efficient. Manual pruning also has a reduced spanning-tree diameter. A per-switch VLAN configuration also encourages this practice."
    HTH,
    Bobby
    *Please rate helpful posts.

  • Design help related to ACE to Switch connectivity using Port-Channel

    Hi,
    I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is getting connected with 2 3750 switches. These 2 3750 switches connected in trunk mode.
    ACE is connected to these 3750 switches using Port-channel.
    ACE Config:
    ================================
    interface gigabitEthernet 1/1
      description One-arm mode port to DMZ Switch 1 port 20
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      description One-arm mode port to DMZ Switch 2 port 20
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport access vlan 51
      port-channel load-balance src-dst-ip
      no shutdown
    interface vlan 51
      ip address 10.40.56.131 255.255.255.128
      access-group input everyone
      access-group output everyone
      nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
      service-policy input LB
      service-policy input remote-access
      no shutdown
    ===========================================================
    The problem is that 3750 switches are not stacked.
    Application is working fine. But I am getting a lot of MAC flapping messages.
    Kindly suggest whether this design is OK or something needs to be done to rectify it.
    Attached a small diagram.

    Hello acharyr123,
    I don't think this design is ok, and it would cause MAC flapping since the two independent 3750 switches will learn the ACE MAC addresses off of two different interfaces. The 3750s would have to be stacked so that they would act as one switch; then this should work correctly.
    Thanks
    Joel Lamousnery
    TAC CSE

  • Two VLANs on one switch port?

    Currently we have the following
    Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
    What I would like to do is on those exterior switches have two vlans assigned to it.
    We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
    Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
    The switch ports on those phones support vlan tagging
    How would I set up an exterior switch to access 2 VLANs that connect to the 2 port switch on an IP phone?

    To facilitate ease of deployment, use VTP so that you can centrally create the VLANs and propagate them to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these VLANs. What switches are used on the exterior? This is to find out if voice VLAN support is available.
    In cat switches, voice vlan is created using command,
    set port auxiliaryvlan vlan
    In IOS based switches,
    int fa0/1
    switchport mode trunk
    switchport trunk encap dot1q
    switchport trunk native vlan
    switchport voice vlan
    switchport priority cos extend 0
    or
    int fa0/1
    switchport mode access
    switchport access vlan
    switchport voice vlan
    I am not sure about support of voice/aux VLAN in 4003. We will have to check your other switch models/software versions to determine support for this command.

  • Spanning vlans across access switches in distribution block.... please help

    Hi All
    Can someone please explain why Cisco states that in a Campus Hierarchical model, if VLANs are spanned across Access switches in a distribution block, then the Distribution to Distribution link should be Layer 2? Is this really necessary or just a recommendation, and if so why? Can't this link be an L3 link when spanning VLANs across Access switches in a distribution block, as I understand the benefit of having an L3 distribution to distribution link is that SPT is avoided.
    Please help

    Hello,
    The Cisco recommended design is L3 links, but this is only possible if you have no VLANs you need to span over the whole network.
    It depends on your topology or what you want to achieve.
    If you need one or more VLANs spanned across the LAN, you need to use a layer 2 connection between all switches and between distribution too.
    In my company we have for example a few VLANs for restricted areas, like device management or others, so we can't use L3 links in the distribution area because these VLANs are terminated at the firewall. I think this is a good thing.
    I would recommend, if you don't have to span one or more VLANs across the network, to use L3 links, especially in the case of redundant paths. Then you need no spanning tree, but need to use other protocols like GLBP or others. They work faster and are not as confusing (for some people) as STP.
    best regards,
    Sebastian

  • Disable portfast on switch-to-switch connection

    Hi,
    From http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml, it says, "do not use portfast when you have switch-to-switch connection. In this case, the command can result in a loop."
    For e.g. when someone connects a switch port(with portfast enabled) to another switch port(with portfast enabled)
    1) can this scenario cause a loop even though the connection between these switch is only a single link?
    2) If it does not cause a loop, what will happen? STP recalculation which causes a short network outage?
    Thanks.
    Christina

    Hi Christina,
    1) Only if there is a redundant physical path between the switches, such as through another switch. If the only physical path between the two switches is the switch-to-switch link in question, then no loop can occur.
    2) Portfast simply ignores the standard STP state transitions and immediately enters the forwarding state, so assuming no loop, a switch-to-switch link that has portfast configured will skip the 50 second STP convergence time and immediately forward traffic.
    HTH,
    Bobby
    *Please rate helpful posts.

  • Telnet from Outside switch to DMZ switch connected to ASA.

    Hi all,
    I have switch b connected to ASA  with fas0/40 under vlan 40.
    ASA connection to this switch is under Vlan 3 which is DMZ.
    OSPF is running between OSPF and DMZ switch.
    I was trying to telnet from Outside interface switch to DMZ  switch which goes through the ASA.
    My question is: is it possible from the Outside switch to ping the DMZ switch or telnet to it, as the connection has to pass through the ASA?
    Thanks
    Mahesh

    Hello Mahesh,
    Yes, as I said in my previous post:
    access-list outside_in permit tcp host outside_switch_ip host dmz_switch_ip eq 23
    access-group outside_in in interface outside
    If you want to check if everything is properly setup for that connection to work across the ASA do the following:
    packet-tracer input outside tcp outside_ip_switch 1025 dmz_switch_ip 23
    Remember to rate all of the helpful posts
    Julio

  • Help config vlan and inter routing vlan on 2 switches SF300-24 ???

    Dear Cisco!
    now we have 2 switches: SF300-24
    on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following
    VLAN ID 2 (ports: 2 -6) have ip interface  192.168.2.254/24
    VLAN ID 3 (ports: 7 - 10) have ip interface  192.168.3.254/24
    VLAN ID 4 (ports 11- 15 ) have ip interface  192.168.4.254/24
    and VLAN 1 default have IP address: 192.168.1.200
    DHCP relay  - DHCP server 192.168.3.1
                       - DHCP relay: VLAN2; VLAN3; VLAN4
    ip route: 0.0.0.0   0.0.0.0  192.168.3.1
    all ports of VLAN2, VLAN3, VLAN4 set access mode.
    and another SF300-24
    was configured at layer 2. We configured VLAN ID 2 to have ports 2-6, VLAN ID 3 ports 7-10, and VLAN ID 4 ports 11-15, too.
    And we use port 26 on both SF300-24 switches in trunk mode, then we connect both SF300-24 switches.
    But the layer 2 SF300-24 can't understand the VLANs from the layer 3 SF300-24!!!
    Could you please help me check this situation?
    How to configure VLANs on the two switches, the layer 3 SF300-24 and the layer 2 SF300-24?
    Thanks!
    See you soon!

    Son Nquyen,
    First I would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
    Next, when connecting both switches together, each port will need to be set to Trunk mode with the proper native VLAN and tagged VLAN traffic. What's the configuration of your trunk ports on each switch?
    Thanks,
    Jasbryan.

  • Configure VLANs across multiple switches

    Hi.
    I'm trying to configure a segregated network using a VLAN. There are 5 switches on the site (all SG200). A router with 2 interfaces - one for the normal network and for the segregated network - is connected and located at switch 1. The network which needs to be segregated and the PCs on it are connected to a port on switch 5. Switch 1 is connected to switch 2, 2 to 3, 3 to 4 and 4 to 5.
    I have created a VLAN but can't get the network to talk to the first switch over the link. I have created a VLAN ID 10 on each switch. Do the switches have to be linked together logically in some way to get this to work?
    Thanks.

    Hi,
    Try to create the VLAN 5 in all switches. I have assumed that the management VLAN for all switches is VLAN 1. Kindly configure a trunk between switch 1 to S2, S2 to S3, S3 to S4, S4 to S5, S5 to S1. Allow the VLANs 1U, 10T.
    regards
    Moorthy

  • Web Acceleration Client Error (513) - Internal Error The Web Acceleration Client detected an internal error which caused the connection between the Web Acceler

    Web Acceleration Client Error (513) - Internal Error
    The Web Acceleration Client detected an internal error which caused the connection between the Web Acceleration Client and Web Acceleration Server to be broken. Retrying the web page may correct the problem.
    I get this error continuously when working in the ancestry.com website. I have to reload the page on almost every search I do on that website. This is the ONLY website that I get this error message on; I can work continuously for several hours on other websites and never get this message. I've talked to the people at Ancestry.com support and they made 2 recommendations: turn off antivirus (did not help) or switch to another web browser. I tried both IE 11 and Chrome Version 31.0.1650.63 m and I did not have the problem with either of those 2 browsers getting this error.
    Is there a problem with how Firefox and ancestry.com are communicating with each other?

    Hello byron.lewis, many site issues can be caused by corrupt cookies or cache. In order to try to fix these problems, the first step is to clear both cookies and the cache.
    Note: This will temporarily log you out of all sites you're logged in to.
    To clear cache and cookies do the following:
    1. Go to Firefox > History > Clear recent history or (if no Firefox button is shown) go to Tools > Clear recent history.
    2. Under "Time range to clear", select "Everything".
    3. Now, click the arrow next to Details to toggle the Details list active.
    4. From the details list, check Cache and Cookies and uncheck everything else.
    5. Now click the Clear now button.
    Further information can be found in the "Clear your cache, history and other personal information in Firefox" article.
    Did this fix your problems? Please report back to us!
    Thank you.

  • SF-302 switch connectivity issue

    Hi Forumers'
    I found that a Cisco Small Business SF302 PoE managed switch connected to the end device (RFID component) is causing a packet drop issue.
    How should I isolate the issue and troubleshoot it properly? Could it be caused by PoE, or by the 10/100 base, etc.?
    Any suggestions are welcome, thank you.
    Noel

    Hi Noel,
    Interesting series of exchanges, sorry for jumping in Mr Carr. 
    Alarm bells ring in my mind when you say ". Switchport is running o autonego, so the switch prefix it to 10-Full, any other mode than this is not working."
    Did you manually set a port speed to 10-full or does autonegotiation settle for 10-full?
    Can you also check within the RFID device what it thinks is its link speed and duplex?
    (If the switch port or the RFID device have their speeds manually set, then the NIC/switchport autonegotiation process WILL not work. For autonegotiation to work, both the RFID NIC and the switch port must be set to autonegotiate.)
    I am thinking there is an autonegotiation or flow control issue between the RFID device and the switch. A previous Cisco question and answer section says (in blue) that:
    Autonegotiation issues can result from nonconforming implementation, hardware incapabilities, or software defects.
    Noel, this brings up a point: have you checked with the manufacturer of the RFID device for the latest NIC driver firmware?
    Please be diligent and check this with the manufacturer of the RFID device, as these issues can be caused by old firmware.
    When NICs or vendor switches do not conform exactly to the IEEE specification 802.3u, problems can result.
    I think you have flow control to work with, but now I can understand packet loss; if there is an autonegotiation issue then packet loss can result.
    Hardware incompatibility and other issues can also exist as a result of vendor-specific advanced features, such as autopolarity or cable integrity, which are not described in IEEE 802.3u for 10/100 Mbps autonegotiation.
    It could be very interesting to see a screen capture like the one below;
    1.  of the Etherlike statistics for the port that is connected to the RFID device .
    2. the error log,  might be very informative to indicate a potential cause of this issue.
    But, in the back of my mind, seeing 10megFull duplex as a setting tells me that autonegotiation is having issues, which points me to a NIC firmware issue in the RFID device.
    You must be good and try to get updated NIC drivers for the RFID device.
    regards Dave

  • Vlans on 2 switches

    Hi,
    Our network is as follows:
    router (2611XM) --- switch1 (2950G) ---- switch2 (2950T)
    We've configured vlan 2,3 on switch1 and vlan 4,5 on switch2.
    The router does inter-VLAN routing:
    IP: 192.168.2.254 for vlan2
    IP: 192.168.3.254 for vlan3
    IP: 192.168.4.254 for vlan4
    IP: 192.168.5.254 for vlan5
    On switch1, the ports connected to the router and switch2 are configured as trunks.
    On switch2, the port connected to switch1 is configured as a trunk.
    Users on vlan 2 and 3 can ping each other.
    Users on vlan 4 / 5 can't ping 192.168.4.254 / 192.168.5.254.
    When switch 2 is connected directly to the router, vlan 4 and 5 can ping each other.

    I suggest configuring these switches as VTP server-client. The VTP server should be the switch connected to the router since this device will forward the VLANs that are known internally. It will not forward VLANs that reside in another database.
    In order to fix your problem, follow these steps:
    On Switch1:
    config t
    vtp domain cisco
    vtp mode server
    vlan 2
    vlan 3
    vlan 4
    vlan 5
    exit
    On Switch 2:
    config t
    vtp domain cisco
    vtp mode client
    exit
    Wait a minute or two and then issue SH VLAN on
    switch 2, you should have all VLANs from switch1.
    Make sure the port connected between switches is set
    to trunk and verify if it's trunking with the command
    sh int trunk.
    Please let us know the outcome.

  • Two switches connected with fiber in mode trunk - Problem

    Hi to all.
    I am new to the forum, and my English is bad.
    I want to post a problem. I have two switches connected with fiber in trunk mode. On the C3550 switch I have this configuration:
    interface FastEthernet0/1
    description Enlace LAB Medicion
    switchport trunk encapsulation dot1q
    switchport mode trunk
    no ip address
    duplex full
    spanning-tree portfast
    In the switch C2960 this configuration, on interfaces Fa0/48, Giga0/1:
    interface FastEthernet0/48
    switchport trunk allowed vlan 1,20,229
    switchport mode trunk
    spanning-tree portfast
    interface GigabitEthernet0/1
    switchport trunk allowed vlan 1,20,229
    switchport mode trunk
    media-type sfp
    duplex full
    spanning-tree portfast
    The problem:
    The IP phones with voice VLAN (VLAN 20) do not find the DHCP server located in the data VLAN (VLAN 229).
    However, using the command:
    #switchport trunk native vlan 229
    The result is the voice VLAN works, but the data VLAN does not, and vice versa, depending on whether the native VLAN 229 is present.
    I will appreciate any suggestion.

    leolaohoo.
    The ports on switch C2960 are configured in access mode with voice VLAN 20:
    interface FastEthernet0/1
    switchport access vlan 229
    switchport mode access
    switchport voice vlan 20
    spanning-tree portfast
    interface FastEthernet0/2
    switchport access vlan 229
    switchport mode access
    switchport voice vlan 20
    spanning-tree portfast
    I will remove from trunk links:
    spanning-tree portfast
    Thanks a lot.
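
The two trunk problems raised in this thread and in the PortFast thread earlier on the page (PortFast on a switch-to-switch link, and trunk ends that disagree on native or allowed VLANs) can be checked mechanically. The following Python is an added example, not code from the posts; the function names are hypothetical, and pairing Fa0/1 on the C3550 with Gi0/1 on the C2960 as the two ends of the fiber link is an assumption.

```python
import re

# Interface stanzas from the thread above, trimmed to switchport and STP lines.
C3550 = """interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
"""
C2960 = """interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,20,229
 switchport mode trunk
 spanning-tree portfast
interface FastEthernet0/2
 switchport access vlan 229
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
"""

def parse_interfaces(cfg):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    ports, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line and line != "!" and current is not None:
            ports[current].append(line)
    return ports

def expand_vlans(spec):
    """Expand a list such as '1,20,100-102' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_settings(cmds):
    """(native VLAN, allowed set) of a trunk; IOS defaults: native 1, all VLANs."""
    native, allowed = 1, set(range(1, 4095))
    for c in cmds:
        if m := re.fullmatch(r"switchport trunk native vlan (\d+)", c):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c):
            allowed = expand_vlans(m.group(1))
    return native, allowed

def portfast_on_trunks(cfg):
    """Trunk-mode ports that also carry 'spanning-tree portfast'."""
    return [name for name, cmds in parse_interfaces(cfg).items()
            if "switchport mode trunk" in cmds
            and any(c.startswith("spanning-tree portfast") for c in cmds)]

def compare_trunk_ends(cmds_a, cmds_b):
    """Findings for the two ends of one link."""
    (nat_a, all_a), (nat_b, all_b) = trunk_settings(cmds_a), trunk_settings(cmds_b)
    findings = []
    if nat_a != nat_b:
        findings.append(f"native VLAN mismatch: {nat_a} vs {nat_b}")
    if all_a != all_b:
        findings.append(f"{len(all_a ^ all_b)} VLANs allowed on one end only")
    return findings
```

The access port Fa0/2 is deliberately not reported: PortFast on a phone or PC port is the intended use, and only the trunk-mode ports are flagged.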

  • Cisco Switch connecting to Radius Server

    Hello Team,
    I discovered that any time the Uplink of my Cisco C2960CG-8TC-L goes down and reconnects, before the switch connects with the Radius Server, the access ports start to connect into the Guest VLAN, which is not the correct production VLAN that has been assigned to the MAC addresses.
    I thought I could resolve this with Link state track Upstream and Downstream, but it's not working effectively.
    The solution to the problem should be that when the UPLINK port goes down for whatever reason and comes back up, it should communicate with the Radius Server first; thereafter the access ports come up and connect to the assigned Production VLAN, not the Guest VLAN.
    How do I achieve this? Any positive advice would be highly appreciated. Configuration can be uploaded if needed.
    Thanks
    Peter

    I haven't ever done it, but I think you can set up the Access point as a radius server. Then configure Mac authentication and either filter with the local list or an access list.
    Thanks,
    Alex

  • Native vlan on 3750 switch

    Is it possible to configure AAA and EAPFAST on a 3750G switch to use a vlan other than vlan1 for management/native vlan?  We are working with RADIUS on Server 2008.

    Hi John,
    Yes, you can do that.
    On 3750 you can take a look at the feature called 802.1x Authentication with VLAN Assignment:
    http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/sw8021x.html#wp1289244.
    Basically, you define on the RADIUS server what VLAN you want to assign to each User (or User Group), then when the user connects the PC to the port, it authenticates and the RADIUS server returns the required attributes for VLAN assignment to the switch. The switch interprets them and changes the switchport to the configured VLAN.
    The switch will be a simple man-in-the-middle during authentication and only processes the RADIUS Reject (if authe fails) or RADIUS Accept (if authe passes).
    The authentication methods like EAP-FAST must be agreed between the RADIUS server (AAA Server) and the PC (AAA supplicant).
    If you want to authenticate users based on certificates you have to use either EAP-FAST, EAP-TLS or EAP-TTLS.
    The most widely spread (which comes by default on WinXP machines) authentication method is PEAP which uses MS-CHAP (username/password) to authenticate users.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
