VTP ensures that all switches in the VTP domain are aware of all VLANs. However, there are occasions when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations in which few users are connected in that VLAN. VTP pruning is a feature that you use in order to eliminate or prune this unnecessary traffic.
In most cases CORE Switch is the default gateway for the Clients.
Typical Troubleshooting is as follows
1) Is the ARP complete ?
CORE#sh ip arp 10.10.1.144Protocol Address Age (min) Hardware Addr Type InterfaceInternet 10.10.1.144 100 8cb6.4faa.8a41 ARPA Vlan93
YES IT IS
2) Is the switch learning mac address ?
CORE# sh mac-address-table address 8cb6.4faa.8a41 <NOT LEARNING MAC ADDRESS>
That should not cause connectivity loss as the packets will be flooded and will make its way to the clients
3) Lets check the spanning tree status for vlan 93
CORE # show spanning-tree vlan 93<SNIP>Gigabitethernet 1/1 shows forwarding
Well, spanning tree status is forwarding – so my packets are supposed to leave interface Gi1/1
Lets SPAN interface Gi1/1 and see if packets are leaving – Result: SPAN Captures show no packets leave the interface.
Crazy !! so it is the CORE switch that is culprit – lets replace it ??
NO WAY -- Are we sure it is a hardware issue – No
What have we missed ? Hmm.. Lets add a static mac entry and see if that helps
CORE(config)# mac address-table static 8cb6.4faa.8a41 vlan 93 int gi1/1
CORE# ping 10.10.1.144
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.144, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Lets remove the static mac address and now initiate traffic from end client – mac address learned and everyone in the network can reach the client
From the troubleshhoting performed so far the observations made are as follows:
We intermittently lose connectivity to client. When traffic is initiated from client, we are immediately able to establish connectivity to client and finally, we observe that the problem is seen when mac address of client ages out on the CORE switch
So what feature can block unicast flooding?
switchport block unicast command on the interface - not configured here
VTP pruning – Ah ha!!
Let us check if any vlan is pruned
CORE#show int gi1/1 trunk
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Port Vlans allowed and active in management domain
Port Vlans in spanning tree forwarding state and not pruned
CORE#show int gi1/1 pruning
Port Vlans pruned for lack of request by neighbor
Gi1/1 11-18,20-21,23-30,32,60-61,90-103,111,138,155-156,201-203,400 -> All these VLAN’s are pruned because neighbor did not request for them
Port Vlan traffic requested of neighbor
Gi1/1 1,10-18,20-30,32,60-61,90-103,111,138,155-156,201-203,400 -> This is what CORE Switch is requesting from its neighbor switch
So VTP pruning was the culprit – As the mac address of end client aged out, the switch would have to unicast flood the packet to all ports on VLAN 93, which is not sent on Gi1/1 as VLAN 93 was pruned.
Once VTP pruning is turned off – All connectivity issues are corrected.
When can such a scenario occur ?
1) In environment which has switches in VTP server/client mode along with switch that maybe in VTP transparent mode
2) When a non Cisco switch that does not understand VTP is connected to a Cisco Switch which has VTP turned ON (in most cases)
So please keep in mind that VTP pruning can be the cause of connectivity issues.
In an all Cisco environment where all switches are configured to be in VTP server or client mode, you can turn ON VTP pruning as this will help limit unnecessary flooding in the network and is of great help.
After all, VTP pruning need not be a PIA
(PS: For those of you who are wondering what PIA stands for.. Don’t worry about it )
My vpn router has been running for a very long time using ios version 12.0 (c2600-is56i-mz.120-28a.bin) however I recently upgraded the ios to 12.3 (c2600-i-mz.123-9.bin) but after doing so the crypto isakmp configuration no longer works, during boot I ge...
Hope someone can assist. Am having an issue with our 3650 connection. Have already replaced the SFP and still having connection issues. Am getting reliability of either 241/255 or 245/255. Am thinking it is possibly the fiber. Below is the result of sh in...
I have taken ownership of a project that Nexus NX-OS switches, specifically 5548; however, I am very new to the Nexus line. Due to the latter, what is the best upgrade path - meaning when should I upgrade this type of switch? Is this something I keep...
I am having trouble grasping a concept with vedges. The vEdges have physical interfaces that are referenced in "vpn 0" VPN 0 is the transport VPN. It contains the interfaces that connect to the WAN transports. Secure DTLS/ TLS connections to th...