Wednesday, July 31, 2013

Troubleshooting Trunk Links and Spanning Tree using Dia - Part 2 of 5

Continuing the series on using Dia to troubleshoot trunk links and spanning tree instances, let's move on to VLAN 11.

We start with the original dia map (no colored links) to show the physical topology:


Let's start with the 'show spanning-tree vlan 11' command:

DS1:

We can see under the Root ID section that this switch is the root and that all the ports are in the Designated - Forwarding state.

However, notice that neither of the Gigabit ports is listed.  Only the FastEthernet ports are forwarding.  So, this is the first sign of an issue with the current configuration.

Documented on dia as such:

Over to DS2 now.  Again, we start with the 'show spanning-tree vlan 11' command:

DS2:

On this switch, we can see that Fa0/13 is being used as the connection back to the root switch (DS1 in this case, now labeled on the dia map).  Fa0/14 is blocking to prevent a loop between DS2 and AS1.  Both connections from DS2 to AS2 are forwarding traffic.  Since VLAN 11 is not on the Gigabit connection between DS1 and DS2, I have left the links black to show that they are physically connected but not involved in the spanning tree instance.


Next, AS1 and the 'show spanning-tree vlan 11' command:

AS1:

AS1 is behaving as expected.  Interface Fa0/11 back to DS1 is the root port, Fa0/12 is blocking and Fa0/13 and Fa0/14 are designated ports back to DS2.


Last, let's head over to AS2 and run the 'show spanning-tree vlan 11' command:


On AS2, we see that only Fa0/23 and Fa0/24 are involved in the spanning tree instance for VLAN 11.  Here is the final map:



So, with the help of our dia map, we can see that traffic on VLAN 11 originating from AS2 has to go through two switches to get back to the root switch (AS2 to DS2 to AS1 to DS1).  This is also confirmed by the Cost listed under the Root ID section of the 'show spanning-tree vlan 11' command on AS2.  The cost of a FastEthernet link is 19 and there are 3 FastEthernet links back to the root, so 19 times 3 equals 57.

So, what is the cause of the problem?  I would start with checking out the trunk configurations on each switch, but especially the trunk configuration on AS2.  

Let's run the 'show interfaces trunk' command on each switch.

DS1

Here we can see under the 'Vlans allowed on trunk' section that VLAN 11 is not allowed on Gi0/1 and Gi0/2 (which we documented on the map).

DS2

Same configuration on DS2.  Under the 'Vlans allowed on trunk' section, VLAN 11 is not listed.

AS1

On AS1, VLAN 11 is allowed on all ports and that is also documented on the map (two designated ports, two blocking ports).

AS2

And here we can see that VLAN 11 is allowed on Fa0/23 and Fa0/24 (root port and blocking port), but that VLAN 11 is pruned from Fa0/21 and Fa0/22 (which are the direct links back to DS1).
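The same check can be scripted. The following is an added example, not part of the original post: it parses the 'Vlans allowed on trunk' section of 'show interfaces trunk' and lists the trunk ports that do not carry a given VLAN. The sample output is constructed to match the AS2 description above, not captured from the lab, and the function names are hypothetical.

```python
# Constructed sample of 'show interfaces trunk' output for AS2
# (built from the description in the post, not a real capture).
AS2_TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/21      on           802.1q         trunking      1
Fa0/22      on           802.1q         trunking      1
Fa0/23      on           802.1q         trunking      1
Fa0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/21      1,22-44
Fa0/22      1,22-44
Fa0/23      1,11,22-44
Fa0/24      1,11,22-44

Port        Vlans allowed and active in management domain
Fa0/21      1,22,33,44
Fa0/22      1,22,33,44
Fa0/23      1,11,22,33,44
Fa0/24      1,11,22,33,44
"""

def expand_vlans(spec):
    """Turn an IOS VLAN list such as '1,11,22-44' into a set of ints."""
    if spec.lower() == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_vlans(output):
    """Return {port: set_of_vlans} from the 'Vlans allowed on trunk' section only."""
    allowed, in_section = {}, False
    for line in output.splitlines():
        if line.startswith("Port"):
            # Each section begins with a 'Port ...' header; keep only the one we want.
            in_section = line.split(None, 1)[1].strip() == "Vlans allowed on trunk"
        elif in_section and line.strip():
            port, spec = line.split()
            allowed[port] = expand_vlans(spec)
    return allowed

def trunks_missing_vlan(output, vlan):
    """List trunk ports whose allowed list does not include the VLAN."""
    return sorted(p for p, v in allowed_vlans(output).items() if vlan not in v)

if __name__ == "__main__":
    print(trunks_missing_vlan(AS2_TRUNK_OUTPUT, 11))
```

Running it against the output of every switch for each VLAN in turn gives the same list of gaps that the colored links on the map show.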

Now, what about HSRP (aka the default gateway) out of VLAN 11?

Let's run the 'show standby vlan 11' command on DS1 and DS2:

DS1

Right away, we can see that DS1 is the 'Active' router for VLAN 11.

So for any traffic originating from AS2 on VLAN 11 that needs to leave the VLAN, the frames would be forwarded from AS2 to DS2 to AS1 to DS1.  Not efficient at all!

So, what would be the best way to fix these problems?

VLAN 11 should be added to all the trunk links, especially the Gigabit links between DS1 and DS2 and also the links between DS1 and AS2, so that AS2 has a direct link to the HSRP router (aka the default gateway).

VLAN 11 should match VLAN 1 in this instance.
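The root path cost of 57 seen on AS2, and what the fix does to it, can be reproduced with a shortest-path calculation over only the links that carry VLAN 11. This is an added example, not part of the original post: the link list is reconstructed from the port roles described above, the Gigabit cost of 4 is the standard short-mode value and does not appear in the post, and spanning tree tie-breakers (bridge ID, port ID) are ignored.

```python
import heapq

# Short-mode STP port costs: 19 for FastEthernet (as stated in the post),
# 4 for Gigabit (standard value, an assumption not taken from the post).
FA, GI = 19, 4

# Lab links as (switch, switch, cost, carries VLAN 11?).  Parallel uplinks
# are collapsed into one entry because they have equal cost.
LINKS_BEFORE = [
    ("DS1", "DS2", GI, False),  # Gi0/1, Gi0/2: VLAN 11 not allowed
    ("DS1", "AS1", FA, True),
    ("DS2", "AS1", FA, True),
    ("DS1", "AS2", FA, False),  # AS2 Fa0/21, Fa0/22: VLAN 11 not allowed
    ("DS2", "AS2", FA, True),
]
# After the fix: VLAN 11 allowed on every trunk, matching VLAN 1.
LINKS_AFTER = [(a, b, cost, True) for a, b, cost, _ in LINKS_BEFORE]

def root_path_costs(links, root):
    """Dijkstra over links carrying the VLAN; returns {switch: (cost, path_to_root)}."""
    graph = {}
    for a, b, cost, carries_vlan in links:
        if carries_vlan:
            graph.setdefault(a, []).append((b, cost))
            graph.setdefault(b, []).append((a, cost))
    best = {}
    queue = [(0, root, [root])]
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node in best:
            continue  # already settled with a lower or equal cost
        best[node] = (cost, path[::-1])  # store path from the switch toward the root
        for neigh, link_cost in graph.get(node, []):
            if neigh not in best:
                heapq.heappush(queue, (cost + link_cost, neigh, path + [neigh]))
    return best

if __name__ == "__main__":
    for label, links in (("before", LINKS_BEFORE), ("after", LINKS_AFTER)):
        cost, path = root_path_costs(links, "DS1")["AS2"]
        print(label, cost, " -> ".join(path))
```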

I hope you can see how using dia and a few IOS commands can show you how spanning tree is running and how looking at the trunk configuration is fundamental to fixing spanning tree configurations.

VLAN 22 is up next.

Thank you for reading!

Tuesday, July 30, 2013

Troubleshooting Trunk Links and Spanning Tree using Dia - Part 1 of 5

A few weeks back, we replaced a Cisco chassis with a newer model.  As part of the verification process, I checked the spanning tree output and noticed some discrepancies.  For example, some of the VLANs were using the first distribution layer switch as the spanning tree root while other VLANs were using the second distribution layer switch as the root.

In order to get a visual of the current spanning tree instances, I chose to use the open source program Dia (http://dia-installer.de/).  Dia has a number of Cisco icons to be used.  One problem I noticed is that if I use the straight lines to connect icons together it is impossible to make redundant links.  However, using the arc line type, we can offset the lines to show redundant links.


So, using my home lab equipment, I've set up an example to show how Dia can be used to map out spanning tree instances.

I have two 3550s as Distribution Layer switches (DS1 and DS2) while two 2950s are set as Access Layer switches (AS1 and AS2).  The VLANs in place are:  1, 11, 22, 33 and 44.

The black lines are the physical layer (cable) connections:



VLAN 1 will be the Management VLAN and the native VLAN on the trunks.  HSRP is also configured for each of the VLANs.

VLAN number = x
  Default Gateway:  10.1.x.1 255.255.255.0
  DS1:  10.1.x.11
  DS2:  10.1.x.12
  AS1:  10.1.x.13
  AS2:  10.1.x.14

Let's start with a 'show spanning-tree summary' command on each switch:
DS1:

Note that DS1 is the Root bridge for VLANs 1, 11, 22 and 33.

DS2:

Again, note that DS2 is the Root bridge for VLAN 44.

AS1:

AS1 is not a Root bridge for any VLANs, which is what we want and expect.

AS2:

So, here is our first sign of a problem.  AS2 is showing itself as the Root bridge for VLAN 44.  However, DS2 also thinks it is the Root bridge for VLAN 44.  So, we obviously have a problem with our trunk links and/or spanning tree.

Next, let's take a look at the spanning tree instances:
DS1 - VLAN 1

We can see that DS1 believes it is the root for VLAN 1 and that all the trunks are Designated ports and are in FWD (forwarding) status.

So, in Dia, we copy the original layout and rename it (for example, VLAN-1.dia) and we then change the links from DS1 to green to show that they are Designated ports.  To change the color of the link, double-click the link and change the drop box named 'Line Color' from black to green.


Now that VLAN 1 on DS1 is documented, let's move over to the other distribution switch.
DS2 - VLAN 1

Here we can see that the FastEthernet ports are Designated ports, Gi 0/1 is the Root port (the port that is being utilized to access the Root bridge) and that Gi 0/2 is an Alternate port and is in the Blocking state.  When we look at the topology in Dia, we can see that if Gi 0/2 were in a Forwarding state, a loop would occur.  To document the blocking port, I suggest changing the link color to red and using the circled X located in the SDL icon section:


It is large when it is brought over to the map, so it will be necessary to resize the icon.

I also add an arrow for the Root port to show the direction toward the Root bridge.  To add an arrow, double-click the line and choose an arrow style from the drop down box labeled either 'Start Arrow' or 'End Arrow'.

Here is the diagram once DS2's perspective of the VLAN is added:


Moving on to AS1:
AS1 - VLAN 1

Here we can see that AS1 is doing most of the blocking for the triangle between DS1, DS2 and AS1.  Fa0/11 is the Root port back to DS1 (the root bridge) while the rest of the ports are blocking to prevent a loop between DS1, DS2 and AS1 and the loop between the dual uplinks between DS2 and AS1.  Here is the updated diagram:


And now to finish it off, let's go through AS2:
AS2 - VLAN 1

Same type of blocking as before on AS1:  we have a Root port back to DS1 while the rest of the trunks are in Blocking.

And so the finished map looks like this:

Everything here looks great.  One link from each switch going directly to the Root bridge.

Since HSRP is being used for gateway redundancy, let's check that out using the 'show standby vlan 1' command on DS1 and DS2.


DS1 is the Active gateway.  This is verified by the 'State is Active' and 'Active router is local' lines.

DS2 should appear as the standby router:


And it is.  This is verified by the 'State is Standby' and 'Active router is 10.1.1.11, priority 250' lines.

It is important to verify what router (or Layer 3 switch in this lab) is the default gateway as we will see later on.

The next four VLANs (11, 22, 33 and 44) have been intentionally misconfigured to show how to use Dia to diagram the spanning tree instances to find problems with the trunk configurations.

Part 2 will be for VLAN 11.

Thank you for reading!



Thursday, July 18, 2013

Three Years of "Don't Break the Chain"

On July 18th 2010, I read about the “Don’t Break the Chain” habit on lifehacker.com.  I’m proud to say that today marks three years of daily study on Cisco and networking technology.  Because of this method, I’ve passed three Cisco exams (CCENT, CCNA and CCNP SWITCH) and I am working towards the next two exams to earn the CCNP and then on to the CCIE.  If you have a goal (or multiple goals), I highly recommend this method.  
If you want to read about the story behind the method, here is a link:  http://lifehacker.com/281626/jerry-seinfelds-productivity-secret
Start your own chain at:  http://dontbreakthechain.com