VLAN mismatches, STP blocking, and port-security violations—the three most common Layer-2 issues in enterprise networks.

 Below is a clear, practical troubleshooting guide for VLAN mismatches, STP blocking, and port-security violations—the three most common Layer-2 issues in enterprise networks.

1. VLAN Mismatch Troubleshooting

A VLAN mismatch happens when two connected switch ports (usually trunks) have different VLAN configurations, causing traffic loss.

Symptoms

  • Cannot reach devices across switches

  • Trunk link up but hosts in same VLAN cannot communicate

  • CDP/LLDP warnings like “Native VLAN mismatch detected”

Troubleshooting Steps

Step 1: Check trunk configuration

Cisco:

show interfaces trunk
show interface <int> switchport

Look for:

  • Allowed VLANs

  • Native VLAN

  • Operational mode (trunk / access)

Step 2: Compare both sides of the trunk

  • Allowed VLANs must match

  • Native VLAN must match

  • Encapsulation (dot1q) must match

Step 3: Fix inconsistent settings

Example (Cisco):

interface g0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30
 switchport trunk native vlan 99

Step 4: Verify after changes

show interfaces trunk

2. STP Blocking Troubleshooting

STP blocks ports to prevent loops. Sometimes the wrong port gets blocked due to STP priority or path cost.

Symptoms

  • Port in blocking or discarding state

  • Intermittent connectivity

  • Slow network convergence

Troubleshooting Steps

Step 1: Check STP state

show spanning-tree
show spanning-tree interface <int>

Identify:

  • Root bridge

  • Which port is root / designated / alternate / blocking

Step 2: Verify root bridge correctness

If the wrong switch is root:

show spanning-tree root

Step 3: Fix root bridge by adjusting STP priority

Example:

spanning-tree vlan 10 priority 4096

Lower priority = more likely to be root.

Step 4: Check port cost or path cost

You may need to influence STP decisions:

spanning-tree cost <value>

Step 5: Look for unintentional loops

  • Check for unmanaged switches

  • Check if someone connected two wall ports together

  • Patch panel mistakes

3. Port Security Violations Troubleshooting

Port security protects access ports. Violations occur when:

  • MAC address changes

  • More MACs appear than allowed

  • Device moves to another port (sticky vs static)

  • Unauthorized device plugged in

Symptoms

  • Port goes into err-disabled

  • Logs show:
    “Port-Security Violation”

Troubleshooting Steps

Step 1: Check port security status

show port-security interface <int>
show interface status err-disabled

Step 2: Identify violation reason

  • Security violation count

  • Allowed MAC vs detected MAC

Step 3: Clear err-disabled state

shutdown
no shutdown

Step 4: Fix the configuration

Common secure configuration:

interface f0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

Change violation action if needed:

  • protect → silently drop

  • restrict → drop + log

  • shutdown → port disabled

Step 5: Remove old MACs if laptop moved

clear port-security sticky interface <int>

📌 Summary Table

IssueCommon CauseKey CommandFix
VLAN mismatchTrunk allowed/native VLAN mismatchshow interfaces trunkAlign allowed VLANs + native VLAN
STP blockingWrong root, loops, path costshow spanning-treeAdjust priority/cost, remove loops
Port-security violationMAC changes, too many MACsshow port-security int xClear MACs, adjust max, change mode

Comments

Post a Comment

Popular posts from this blog

Step by Step CCTV installation and troubleshooting

 Nice — here’s a practical, no-nonsense, step-by-step guide to installing CCTV (both IP and analog/HD) plus a thorough troubleshooting checklist and quick fixes. I’ll assume you want something you can follow on-site with common tools. If you tell me your camera type/model or whether you’re using PoE/NVR/DVR, I can tailor this further — but for now, here’s a complete general workflow. 1) Tools & materials checklist Cameras (IP or analog/HD-TVI/CVI) NVR (for IP) or DVR (for analog/HD) or PC with VMS PoE switch or PoE injector (for IP PoE cameras) OR 12V DC power supplies / power distribution box Cat5e/Cat6 cable (IP) or coax RG59 / RG6 (analog/HD) BNC connectors & crimping tool (analog), RJ45 connectors & crimper (IP) Drill, masonry bit, screwdrivers, anchors Ethernet tester / cable toner, multimeter Ladder, cable ties, conduit, weatherproof junction boxes, silicone sealant Laptop with web browser + camera discovery tools (or manufacturer softw...
Read more

IT Admin responsibilities.

Design, configure, and maintain secure and efficient network infrastructures. Monitor network performance and troubleshoot issues. Implement network upgrades. Ensure data security and minimize user downtime 1. Network Design (Foundations of a Secure & Efficient Infrastructure) 1.1 Requirements Analysis Identify number of users/devices. Determine application requirements (latency-sensitive apps, VoIP, CCTV, backups). Assess security/compliance needs (ISO 27001, NIST, GDPR, HIPAA depending on org). Define budget and scalability expectations (1–3 year growth plan). 1.2 Logical Network Design Create network topology : Core → Distribution → Access (3-tier) or Collapsed Core. Define VLAN structure : Users Servers IoT / CCTV Guest Wi-Fi Voice Management Create an IP addressing plan (summarized, scalable, documented). Design routing architecture : Static, OSPF, EIGRP, or BGP (for multi-site). Plan redundancy : Dual routers/firewa...
Read more