Cisco NX-OS Troubleshooting Guide, Release 4.0
Troubleshooting VLANs
Download this chapter
Troubleshooting VLANsTroubleshooting VLANs
Download the complete book
Cisco NX-OS Troubleshooting Guide, Release 4.0Cisco NX-OS Troubleshooting Guide, Release 4.0 (PDF - 1 MB)
give_us_feedback

Table Of Contents

Troubleshooting VLANs

Information About Troubleshooting VLANs

Initial Troubleshooting Checklist

VLAN Issues

You Cannot Create a VLAN

You Cannot Create a PVLAN

The VLAN Interface is Down


Troubleshooting VLANs

This chapter describes how to troubleshoot VLANs.

This chapter includes the following sections:

Information About Troubleshooting VLANs

Initial Troubleshooting Checklist

VLAN Issues

Information About Troubleshooting VLANs

VLANs provide a method of isolating devices that are physically connected to the same network but are logically considered to be part of different LANs that do not need to be aware of one another.

You should use only following characters in a VLAN name:

a through z or A through Z

0 through 9

- (hyphen) or _ (underscore)

Follow these guidelines when configuring VLANs:

Keep user traffic off the management VLAN; keep the management VLAN separate from user data.

You can apply different Quality of Service (QoS) configurations to primary, isolated, and community VLANs.

To apply output VACLs to all outgoing private VLAN traffic, map the secondary VLANs on the Layer 3 VLAN interface, of the primary VLAN, and then configure the VACLs on the SVI of the primary VLAN.

VACLs that apply to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.

If you do not map the secondary VLAN to the Layer 3 VLAN interface of the primary VLAN, you can have different VACLs for primary and secondary VLANs.

Because traffic in a private VLAN flows in different directions in different VLANs, you can have different VACLs for ingressing traffic and different VACLs for egressing traffic.

Note We recommend that you keep the same VACLs for the primary VLAN and all secondary VLANs in the private VLAN.

You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.

Note We recommend that you enable sticky Address Resolution Protocol (ARP) when you configure private VLANs. ARP entries learned on Layer 3 private VLAN interfaces, or SVIs, that are sticky ARP entries. For security reasons, private VLAN port sticky ARP entries do not age out.

You can configure IEEE 802.1X port-based authentication on a private VLAN port, but do not configure 802.1X with port security or per-user ACL on private VLAN ports.

802.1x works with private VLANs, but not the 802.1X dynamic VLAN assignment or the guest VLAN assignment

IGMP runs only on the primary VLAN and uses the configuration of the primary VLAN for all secondary VLANs.

Any IGMP join request in the secondary VLAN is treated as if it is received in the primary VLAN.

Private VLANs support these Switched Port Analyzer (SPAN) features:

You can configure a private VLAN port as a SPAN source port.

You can use VLAN-based SPAN (VSPAN) on primary, isolated, or community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.

Do not configure a remote SPAN (RSPAN) VLAN as a private VLAN primary or secondary VLAN.

A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive.

A destination SPAN port cannot be an isolated port. (However, a source SPAN port can be an isolated port.)

You can configure SPAN to span both primary and secondary VLANs or, alternatively, to span either one if the user is interested only in ingress or egress traffic.

A MAC address learned in a secondary VLAN is placed in the shared table of the primary VLAN. When the secondary VLAN is associated to the primary VLAN, their MAC address tables are merged into one, shared MAC table.

Initial Troubleshooting Checklist

Troubleshooting a VLAN problem involves gathering information about the configuration and connectivity of individual devices and the entire network. Begin your troubleshooting VLAN issues by checking the following issues first:

Checklist 
Checkoff

Verify the physical connectivity for any problem ports or VLANs.

Verify that you have both end devices in the same VLAN.


The following CLI commands are used to display VLAN information:

show vlan vlan-id

show vlan private-vlan

show vlan all-ports

show vlan private-vlan

show vlan private-vlan type

show interface vlan vlan-id private-vlan mapping

show tech-support vlan

VLAN Issues

This section includes the following topics:

You Cannot Create a VLAN

You Cannot Create a PVLAN

The VLAN Interface is Down

You Cannot Create a VLAN

You may experience issues creating a VLAN.

See Table 7-1 for possible causes and solutions.

Symptom    You cannot create a VLAN.

Table 7-1 You Cannot Create a VLAN

Symptom
Possible Cause
Solution

You cannot create a VLAN.

There area not enough resources in the virtual device context (VDC).

Use the show vdc resource vlan CLI command to determine how many unused VLANs that you can configure. If this value is 0, log in as network admin and use the limit-resource CLI command in VDC configuration mode to add more VLAN resources to this VDC.

You are using a reserved VLAN ID.

VLANs 3968 to 4047 and 4094 are reserved for internal use in each VDC; you cannot change or use these reserved VLANs.


You Cannot Create a PVLAN

You may experience issues creating a private VLAN (PVLAN).

See Table 7-2 for possible causes and solutions.

Symptom    You cannot create a PVLAN.

Table 7-2 You Cannot Create a PVLAN

Symptom
Possible Cause
Solution

You cannot create a PVLAN.

The PVLAN feature is not enabled.

Use the feature pvlan CLI command to enable the PVLAN feature.


The VLAN Interface is Down

You may experience issues with VLAN interfaces.

See Table 7-3 for possible causes and solutions.

Symptom    The VLAN interface is down.

Table 7-3 The VLAN Interface is Down

Symptom
Possible Cause
Solution

The VLAN interface is down.

The VLAN does not exist.

Use the show vlan CLI command to determine if the VLAN exists. Use the vlan CLI command to create the VLAN.

 

No interfaces on the VLAN are in the STP forwarding state.

Use the show vlan internal vlan-info CLI command to check the operating state of the Spanning Tree Protocol (STP). Configure STP so that at least one interface goes into the STP forwarding state.

 

One or more services prevented the VLAN interface from coming up.

Use the show vlan internal vlan-info CLI command to determine the state of the VLAN interface. If the state is oper-es, use the show tech-support interface vlan CLI command to gather more information.

 

The VLAN is a secondary VLAN.

Use the show vlan internal vlan-info CLI command to determine the state of the VLAN interface. Change the VLAN to a primary or user VLAN.

 

The interface is in the wrong VRF.

Use the show vrf interface CLI command to determine the interface that the VLAN interface is assigned to.