VTP Pruning Problem

Jeremy Phillips
Level 1

We are having to change our IP structure and I came across a problem with the vtp pruning. I have been configuring our WAP 1231 with new vlans for the ssid.  I create new sub interfaces for the radio 0 and fa0.  This is the first time configuring 2 access points that we use as bridges.  I changed the vlan on it the same as I changed the other WAPs.  This time though the Cat 6513 on one bridge and the Cat 3750 on the other side are both pruning my management vlan.  This 6513 is not the root primary for any of the vlans.  It is connected to the root. Here are some of the show commands:

Dwight-IDF4-6513-140#sho int trunk

Port      Mode         Encapsulation  Status        Native vlan

Gi1/43    on           802.1q         trunking      100

Port      Vlans allowed on trunk

Gi1/43    8,83-84,100

Port      Vlans allowed and active in management domain

Gi1/43    8,83-84,100

Port      Vlans in spanning tree forwarding state and not pruned

Gi1/43    8,83-84

Port Gi1/43 should not be pruning vlan 100.

Here is some more:

interface GigabitEthernet1/43

description Wireless Bridge To Special Ed

no ip address

mls qos trust cos

switchport

switchport trunk native vlan 100

switchport trunk allowed vlan 8,83,84,100

switchport mode trunk

Dwight-IDF4-6513-140#sho vtp status

VTP Version                     : 2

Configuration Revision          : 0

Maximum VLANs supported locally : 1005

Number of existing VLANs        : 27

VTP Operating Mode              : Transparent

VTP Domain Name                 : dwight

VTP Pruning Mode                : Disabled

VTP V2 Mode                     : Disabled

VTP Traps Generation            : Disabled

Dwight-IDF4-6513-140#sho spanning-tree vlan 100

VLAN0100

  Spanning tree enabled protocol ieee

  Root ID    Priority    24676

             Address     0017.0f5f.7140

             Cost        4

             Port        386 (GigabitEthernet4/2)

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)

             Address     00d0.0559.8c00

             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Gi1/43           Desg BKN*19        128.43   P2p *PVID_Inc

Gi1/45           Desg FWD 19        128.45   P2p

Gi1/46           Desg FWD 19        128.46   P2p

Gi1/47           Desg FWD 19        128.47   P2p

Gi1/48           Desg FWD 19        128.48   P2p

Gi4/1            Altn BLK 4         128.385  P2p

Gi4/2            Root FWD 4         128.386  P2p

interface GigabitEthernet1/45

description WIRELESS AP

no ip address

mls qos trust cos

switchport

switchport trunk native vlan 100

switchport trunk allowed vlan 44,100,141,241

switchport mode trunk

spanning-tree portfast

spanning-tree bpduguard enable

Interface Gi1/43 is the port to my bridge.  Interface Gi1/45 is just another WAP.  These ports do not allow me to configure encapsulation dot1q as my other ports for the switches do.

Here is the version on the 6513:

Version 12.2(17d)SXB11a, RELEASE SOFTWARE (fc1)

Right now I can't connect to the other side but it has the same configuration.

Does anyone know why I can't get the management vlan to work on this port?

Here is what I have configured on the WAP bridge:

interface Dot11Radio0.84

encapsulation dot1Q 84

no ip route-cache

bridge-group 84

bridge-group 84 spanning-disabled

interface Dot11Radio0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

bridge-group 1 spanning-disabled

interface FastEthernet0.84

encapsulation dot1Q 84

no ip route-cache

bridge-group 84

bridge-group 84 spanning-disabled

interface FastEthernet0.100

encapsulation dot1Q 100 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled


Jeremy Phillips
Level 1

Here is some debugging:

Dwight-IDF4-6513-140#

May  1 09:21:19.484 CDT: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/43 VLAN100.

May  1 09:21:19.484 CDT: %SPANTREE-SP-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/43 on VLAN0100. Inconsistent local vlan.

Dwight-IDF8-SpecEd#

3w6d: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/0/48 VLAN100.

3w6d: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/48 on VLAN0001. Inconsistent peer vlan.

3w6d: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/48 on VLAN0100. Inconsistent local vlan.

Jeremy,

Your problem does not lie in VTP Pruning but rather in a problem with STP.

According to what your switches tell you, they are receiving a PVST+ BPDU on VLAN100. However, in this BPDU, there is also an internal record of which VLAN this BPDU originated in - and this record claims that this BPDU originally comes from VLAN1. That is what the switch is telling you:

May  1 09:21:19.484 CDT: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/43 VLAN100.

This situation is called Primary VLAN ID Inconsistency. Cisco's PVST+ is built to detect these PVID inconsistencies and block the port in the conflicting VLAN. You may read more about these inconsistencies and recommended steps in their solution in this document:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00801d11a0.shtml

The question is, however, what went wrong in your network so that this problem was created in the first place. Reading through that document carefully may give you very helpful insights as to what is happening. It seems, however, that somehow, you have bridged together two VLANs, or caused a native VLAN mismatch on some trunk. As you are using them as bridges to interconnect two wired networks, it is very probable that something similar happened.

Best regards,

Peter
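The PVID messages discussed in the reply above can be correlated per port to show which VLAN the BPDU claims to come from and which VLAN it arrived in. This is an added example, not part of the original posts; the sample lines are constructed from the message shapes quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the SPANTREE message shapes quoted in this thread.
SAMPLE_LOG = """\
May  1 09:21:19.484 CDT: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/43 VLAN100.
May  1 09:21:19.484 CDT: %SPANTREE-SP-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/43 on VLAN0100. Inconsistent local vlan.
3w6d: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/0/48 VLAN100.
3w6d: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/48 on VLAN0001. Inconsistent peer vlan.
3w6d: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/48 on VLAN0100. Inconsistent local vlan.
"""

# The facility may carry a "-SP" (switch processor) infix, as on the 6513.
RECV = re.compile(r"%SPANTREE-(?:\w+-)?2-RECV_PVID_ERR: .*peer vlan id (\d+) on (\S+) VLAN(\d+)")
BLOCK = re.compile(r"%SPANTREE-(?:\w+-)?2-BLOCK_PVID_(LOCAL|PEER): Blocking (\S+) on VLAN(\d+)")

def pvid_inconsistencies(log_text):
    """Return {port: {"peer_vlan", "local_vlan", "blocked"}} from syslog text."""
    ports = defaultdict(lambda: {"peer_vlan": None, "local_vlan": None, "blocked": set()})
    for line in log_text.splitlines():
        m = RECV.search(line)
        if m:
            peer, port, local = m.groups()
            ports[port]["peer_vlan"] = int(peer)    # VLAN recorded inside the BPDU
            ports[port]["local_vlan"] = int(local)  # VLAN the BPDU was received in
            continue
        m = BLOCK.search(line)
        if m:
            _side, port, vlan = m.groups()
            ports[port]["blocked"].add(int(vlan))   # "VLAN0100" -> 100
    return dict(ports)

def report(log_text):
    """One summary line per affected port, sorted by port name."""
    return [
        f"{port}: BPDU originated in VLAN {info['peer_vlan']} but arrived in VLAN "
        f"{info['local_vlan']}; blocked VLANs {sorted(info['blocked'])}"
        for port, info in sorted(pvid_inconsistencies(log_text).items())
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
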

Peter,

Thanks for that.  I was able to get one of them talking to the 6513 switch.  I am still having a problem with the other one.  I am sure now what I did wrong on the WAP configuration. I started configuring it the same as a regular WAP instead of as a bridge.  The bridge-group 1 was not set properly, creating the native issue with the sub interfaces for the Fa0 port and the dot11radio0.xxx.

The one thing I think is still a problem at the far side of the bridge is the Fastethernet 0 interface.  Here is what it looked like before:

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

hold-queue 160 in

Here is what it looks like now:

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

hold-queue 160 in

I checked my commands again and I did not type that into the interface Fa0.  Now it has bridge-group 1 and it tells me command invalid when I try to remove it.

Would this be causing the issue or something else?

Hi Jeremy,

The bridge-group command is necessary because the WAPs, regardless of their operating mode on the wireless side (wireless bridge or wireless access point) perform bridging between their wireless and wired interface. In order to create this bridging association between a particular SSID and a particular VLAN, both subinterfaces on the radio and Fa interface have to be joined together using a bridge-group with an identical number. On these WAPs, having both the wired and wireless interface bridged is a must.

I am somehow lost in understanding how exactly you plan to perform the bridging. Is there any topology illustration or exhibit you could post to help us understand better how the WAPs are being deployed in your network? Thank you!

Best regards,

Peter
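The pairing rule stated in the reply above (radio and Fa subinterfaces for the same VLAN joined by a bridge-group with an identical number) can be checked mechanically before a config is applied. This is an added example, not part of the original posts; the sample config is constructed in the style of the one posted in this thread, with FastEthernet0.84 deliberately placed in the wrong group, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample; FastEthernet0.84 is deliberately in the wrong bridge-group.
SAMPLE_CONFIG = """\
interface Dot11Radio0.84
 encapsulation dot1Q 84
 bridge-group 84
 bridge-group 84 spanning-disabled
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface FastEthernet0.84
 encapsulation dot1Q 84
 bridge-group 1
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
 no bridge-group 1 source-learning
"""

def parse_subinterfaces(config):
    """Return {interface: {"vlan", "native", "group"}} for dot1Q subinterfaces."""
    subifs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = subifs.setdefault(
                m.group(1), {"vlan": None, "native": False, "group": None})
        elif current is not None and (
                m := re.match(r"encapsulation dot1Q (\d+)( native)?$", line)):
            current["vlan"], current["native"] = int(m.group(1)), bool(m.group(2))
        elif current is not None and (m := re.match(r"bridge-group (\d+)$", line)):
            # Only the bare membership line; option lines such as
            # "bridge-group 84 spanning-disabled" are skipped by the "$" anchor.
            current["group"] = int(m.group(1))
    return {k: v for k, v in subifs.items() if v["vlan"] is not None}

def bridge_group_mismatches(config):
    """Return {vlan: {interface: group}} where the VLAN's subinterfaces are not
    all joined by one bridge-group number (or one side is missing entirely)."""
    by_vlan = defaultdict(dict)
    for name, info in parse_subinterfaces(config).items():
        by_vlan[info["vlan"]][name] = info["group"]
    return {vlan: members for vlan, members in by_vlan.items()
            if len(members) < 2 or None in members.values()
            or len(set(members.values())) != 1}
```
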

Hi Peter,

Thanks for the information.  I wanted to let you know I did get the other side to finally connect to the 3750G switch.  That Fa0 using the bridge-group 1 was creating a problem.  I kept trying to take it off but it would tell me invalid command.  I use the subinterfaces to send the bridge-group I want.  I finally had to do a write erase on that WAP and re-apply the config.  This took the interface Fa0 out of the bridge-group and now I have the correct trunking and no spanning-tree issues.

We have a school with a MDF and several IDFs.  The MDF connects to this IDF that has the WAP acting as a bridge.  That connects to a directional antenna that points across the street and about a block away to the other building.  That connects to the other 1231G that then connects to the 3750G which in turn has 2 more WAP that are autonomous.

Every WAP is autonomous in the school district.

When I do a show ip int brief it says the interfaces are up and up and the notification did say that the two are connected.  But it is not routing.  The goal here is to adjust the vlans and IP addresses to be more manageable.  I have changed the vlans on half our WAP and have not seen this problem where everything just falls apart.

Thanks.  You have been helpful.

Hello Jeremy,

Thank you for keeping me posted. But I wonder: how is the WAP now configured? Can you post its configuration here please?

Anyway, if the network currently runs as expected, I am glad to hear that.

Best regards,

Peter

Usually that message indicates that your native vlans do not match up on each end of the trunk.

I posted that config.  It is on the original posting. 

Now I lost connectivity to it.

Everything shows up and up.  It worked yesterday.  Today I came in and no connectivity. I can't even ping it.  When I get onto the WAP it doesn't show any problems but I can't ping out from it either. 

It shows packets moving on the native vlan but I still get nothing.

DMS_Bridge_to_SpecialEd#sho ip int brief

Interface                  IP-Address      OK? Method Status                Protocol

BVI1                       10.60.0.222     YES NVRAM  up                    up

Dot11Radio0                unassigned      YES TFTP   up                    up

Dot11Radio0.84             unassigned      YES unset  up                    up

Dot11Radio0.100            unassigned      YES unset  up                    up

FastEthernet0              unassigned      YES NVRAM  up                    up

FastEthernet0.84           unassigned      YES unset  up                    up

FastEthernet0.100          unassigned      YES unset  up                    up

Virtual-Dot11Radio0        unassigned      YES TFTP   up                    up

Virtual-Dot11Radio0.84     unassigned      YES unset  up                    up

Virtual-Dot11Radio0.100    unassigned      YES unset  up                    up

Clients: 8021x auth in prog 0 allowed 0

   Client      AID VLAN   Status   Age   Tx   Mode Rate Encr  Key

0016.9de1.4940   1  100 0000 0000 29/30  0-0  00B1 1EFF 0000 0-13

Vlan BSSID   Clients PSP Pri Encr  Key0 Key1 Key2 Key3 SSIDs

   0  47D0 0       0   0   0    0

  84  47D0 0       0   0   0    0

100n 47D0 0       0   0   0    4  x128                DWIGHT

Virtual LAN ID:  100 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:  Dot11Radio0.100

FastEthernet0.100

Virtual-Dot11Radio0.100

This is configured as native Vlan for the following interface(s) :

Dot11Radio0

FastEthernet0

Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:

        Bridging        Bridge Group 1              11397               21221

        Other                                          0                   6

   0 packets, 0 bytes input

   10686 packets, 751549 bytes output

        Bridging        Bridge Group 1              11398               21223

        Other                                          0                   6

   6744 packets, 510542 bytes input

   4373 packets, 262719 bytes output

        Bridging        Bridge Group 1              11398               21223

        Other                                          0                   6

   4819 packets, 293394 bytes input

   6169 packets, 476047 bytes output

To me everything seems to be working.  Any ideas?

I finally found another WAP.  I reconfigured the one I found and installed it.  Now I can ping and telnet to the other side of the bridge.  I have no way of updating the version so I can't check for that. I just can't get to the switch on the other side.

Jeremy,

I sincerely apologize for a late reply - some rather busy weeks right now at my work. Is this issue still open?

Best regards,

Peter

No. We solved it. Thanks for checking up.
