Real World Scenario for everyone ...

jsb515 Member Posts: 253
So at 2am this morning I get a call that one of our offices' network went down. So after getting there I noticed that a stack of 4 3750x switches connected by stack cables all had orange lights on them except the layer 3 uplink ports. Then after consoling into the switches I noticed the vlan database was not present! And VTP was set to Server with domain null, but VTP is a layer 2 protocol and the uplinks are set to layer 3. So I had to manually put the vlan info back in from a backup config and got them back up and working.

Anyone have any clue what could cause the vlan database to go poof on a set of switches that have been running fine for almost 4 months now?

Comments

  • cpartin Member Posts: 84
    I think if the domain name is blank the switch will automatically update if it receives any advertisement from another server switch with either a domain name set or a higher vlan database revision number. Put the switches in transparent mode or configure a VTP domain name / password to make sure this can't happen again.
  • DoubleNNs Member Posts: 2,015
    Maybe an employee plugged another device into the network which sent VTP messages and wiped the VLAN database out?
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • TheNewITGuy Member Posts: 169
    show vtp status will give you the last update and from who - do you have logging turned on or config archive as well?
  • DirtySouth Member Posts: 314
    I can't explain why this happened, but I know from experience that VTP can burn you bad. My recommendation is to do "vtp mode transparent" on ALL Cisco switches in your network. It's really not that difficult to configure VLANs manually and the risk of misconfigured VTP is not worth it.
  • Iristheangel Mod Posts: 4,133
    As others said, probably someone plugging in another switch in server mode with a higher revision number that wiped everything out.

    For smaller sites, I'll use VTP but I always set a VTP domain, VTP version 2, and password and only have one server per site. If I have the option of building a new site from scratch, I'll have a fiber L3 switch (usually 3750-X) and all the access switches home run back to it. Have the 3750 as the VTP master and STP root and all the access layer switches as VTP clients. That way when I have to add another VLAN for a project or whatever, I just log into one switch and BLAM. Propagated to all the other switches on that LAN. When connecting a new switch to the environment, make sure the switch is initially in VTP transparent mode and then change it over to client. Make sure your admins and engineers understand that standard.

    For bigger more complex sites or data centers, VTP transparent all the way...

    I suppose it's preference, but there are some good best practices to have because you never want your VLANs wiped out by one erroneous network addition, so put some safeguards in place.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • jsb515 Member Posts: 253
    But we are doing layer 3, no trunking, so how can VTP work? It's a layer 2 protocol, correct? It said it updated from itself.
  • Iristheangel Mod Posts: 4,133
    Random question: This is for an office location, right? Are these 4 stacked switches providing access to a small office or something, and they function as the access switches as well as L3 for people at that office? The only reason I ask is if the ports aren't hard set to access ports with nonegotiate, those ports could still process DTP messages if someone decided to randomly plug a switch into their desk port. Plug a switch in that's in VTP Server mode (or even VTP client mode with a higher revision number) and only VLAN 1 on it = Buh-bye VLAN database!

    Same advice everyone gives you still applies but I would now add to hardcode any non-trunk ports as access ports with nonegotiate.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • routergods Member Posts: 66
    As NewITGuy said.. I hope you had config archive set, because there is a really good chance that someone typed in stuff they shouldn't have.

    Also, look at the log for that time and see if any ports flapped (which might show cables being plugged in/out).

    Friends don't let friends use VTP
  • jsb515 Member Posts: 253
    We don't use vlan 1, but vlan 100 for data and vlan 400 for phone and vlan 300 for wireless. The fiber modules are set to use port channel to the vss core that is on site. The core then uses MetroE from the local provider to home back to our main office computer room, which also has the same local provider switch, that then goes to another switch that is ours, that then goes to our distribution vss, that then goes to our main core vss...

    I always set transparent on switches I set up and ports are always access ports, but I will check and see if auto nonegotiate is on. Unfortunately I did not set these switches up, and I even pointed out to them that they have server on. They said they set domain to null and it shouldn't matter....

    Doing sh log shows nothing unusual. Any other commands I might not be thinking of?

    Here is one of the ports, and all 47 others are set the same.

    interface GigabitEthernet1/0/1
     switchport access vlan 100
     switchport voice vlan 400
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     spanning-tree portfast
     service-policy input Per-Port-Policing
    end
  • Iristheangel Mod Posts: 4,133
    I wasn't implying you use VLAN 1.

    Looks like your port isn't configured exclusively as an access port (switchport mode access). By default, a Cisco switchport is set to dynamic desirable which means if you connect another switch that supports it, it'll negotiate a trunk which could cause that change in VTP/VLANs that you saw there.

    Check it out: https://supportforums.cisco.com/thread/147893
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • RouteMyPacket Member Posts: 1,104
    Check your logs, check vtp status

    If you had ACS in the environment, you could easily discern the idiot who most likely plugged in a switch with vtp "server" with a higher rev number that held no vlan db.

    Anyway, good times...get some traceability in your environment man, I wouldn't stand for that situation for a second. If anyone touches my gear, I want to know be it they tell me or I check logs.

    Unrelated but I would suggest you configure spanning-tree bpduguard on your access ports as well. Not to mention define them as such with switchport mode access.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
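The fixes the thread converges on (hard-set `switchport mode access`, `switchport nonegotiate`, BPDU guard on access ports, and never running VTP Server with a null domain) are easy to check for across a whole running-config rather than one interface at a time. The script below is an added example, not code from any poster in this thread; it audits a constructed `show running-config` excerpt (the first interface mirrors the one posted above, the second is a hardened copy, the third is a routed uplink) and a constructed `show vtp status` output, and reports what is missing per port and for VTP. The field names it looks for (`VTP Operating Mode`, `VTP Domain Name`) are the ones IOS prints in `show vtp status`; everything else is sample data built here.

```python
"""Audit Cisco IOS output for the DTP/VTP exposure discussed in the thread.

Added example (not from the forum thread). Works offline on the constructed
samples below; point it at real 'show running-config' / 'show vtp status'
text to audit a live switch.
"""
import re
from typing import Dict, List

# Constructed sample config: Gi1/0/1 copies the posted port, Gi1/0/2 is the
# hardened version, Te1/1/1 is a routed L3 uplink like the ones in the thread.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport voice vlan 400
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust device cisco-phone
 spanning-tree portfast
 service-policy input Per-Port-Policing
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 switchport voice vlan 400
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface TenGigabitEthernet1/1/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
end
"""

# Constructed 'show vtp status' sample: Server mode with a null domain.
SAMPLE_VTP_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Server
Number of existing VLANs          : 8
Configuration Revision            : 0
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands of each 'interface ...' block by name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command closes the block
    return interfaces


def audit_interface(commands: List[str]) -> List[str]:
    """Return the hardening gaps on one switched access port (empty list = OK)."""
    cmds = set(commands)
    if "no switchport" in cmds or "switchport mode trunk" in cmds:
        return []  # routed port or intentional trunk: out of scope here
    findings = []
    if "switchport mode access" not in cmds:
        findings.append("missing 'switchport mode access': port is in a dynamic DTP mode and can negotiate a trunk")
    if "switchport nonegotiate" not in cmds:
        findings.append("missing 'switchport nonegotiate': DTP frames are still sent and processed")
    if "spanning-tree bpduguard enable" not in cmds:
        findings.append("missing 'spanning-tree bpduguard enable': a foreign switch's BPDUs will not err-disable the port")
    return findings


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'Label : value' lines of 'show vtp status' into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_vtp(status: Dict[str, str]) -> List[str]:
    """Flag the VTP settings that let one plugged-in switch wipe the VLAN database."""
    findings = []
    mode = status.get("VTP Operating Mode", "").lower()
    domain = status.get("VTP Domain Name", "")
    if mode == "server":
        findings.append("VTP mode is Server: a higher-revision advertisement overwrites the VLAN database")
    if mode in ("server", "client") and not domain:
        findings.append("VTP domain is null: the switch adopts the first domain it hears on a trunk")
    return findings


def audit(config: str, vtp_status: str) -> Dict[str, List[str]]:
    """Full report: 'vtp' key plus one key per interface in the config."""
    report = {"vtp": audit_vtp(parse_vtp_status(vtp_status))}
    for name, cmds in parse_interfaces(config).items():
        report[name] = audit_interface(cmds)
    return report


if __name__ == "__main__":
    for item, findings in audit(SAMPLE_CONFIG, SAMPLE_VTP_STATUS).items():
        print(f"{item}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run as-is it reports three gaps on GigabitEthernet1/0/1, none on the hardened port, and two VTP findings; the routed uplink is skipped because, as the thread notes, VTP and DTP ride on switched ports, not on L3 interfaces. `switchport nonegotiate` is only accepted by IOS once the port is statically set to access or trunk, which is why the check for `switchport mode access` comes first.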