9300 Switch access broke on adding new vlan to trunk uplink port

colossus1611
Level 1

Hi All,

Trying to wrap my head around this high priority issue that accidentally happened. I thought it was pretty safe practice to add a new VLAN to an existing trunk port by using the 'switchport trunk allowed vlan add <vlan>' command, however this broke my remote access to the switch and caused an outage.

Though I did it first on the port itself which is part of a port-channel, my understanding is that this should have had no impact on existing traffic as long as I remembered to use the keyword 'add', which I did.

I didn't really have an opportunity to troubleshoot it via console as it was a critical site and just did a quick fix by removing the added VLAN, but I was wondering if this problem stemmed from the EtherChannel misconfig guard that is configured under spanning-tree.


SWA01#show spanning-tree sum
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
UplinkFast is enabled but inactive in rapid-pvst mode
BackboneFast is disabled

Am I right in suspecting that it could be the culprit here? Should I have taken a different approach?

Should I have added the VLAN to the core switch first and then made my way down to the access switch? I think so now in hindsight.

Thank you.

4 Replies

balaji.bandi
Hall of Fame
@colossus1611 wrote:
Though I did it first on the port itself which is part of port-channel,

This causes an inconsistency that brings the Port-channel down, since the member ports have different configs.

Take an example:

Port-channel X has ports g1/1 and g1/2.

You always need to add the VLAN on the switch before adding it to the port-channel, on both sides of the link.

Then add it to the allowed list on Port-channel X (not on the member ports).

show logg will tell you why it went down and came up.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
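The rule in the reply above (member ports of a port-channel must carry the same allowed-VLAN list as the Port-channel interface, and changes go on the Port-channel) can be checked before a change window rather than discovered from an outage. The following is an added example, not code from the thread or from Cisco: it parses a constructed running-config excerpt (the interface names, VLAN ids and the channel-group numbers are made up), expands IOS VLAN lists including the 'add' continuation form, and reports every member port whose allowed set has drifted from its port-channel.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config excerpt (not from the thread). The first
# member port ended up with VLAN 30 while the Port-channel1 interface still
# allows only 10 and 20, which is the member/port-channel mismatch the reply
# warns about.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
"""

# An IOS trunk allows every VLAN until an allowed-list is configured.
ALL_VLANS = frozenset(range(1, 4095))
ALLOWED_PREFIX = "switchport trunk allowed vlan "


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect allowed VLANs and channel-group membership per interface.

    Handles the forms found in a saved running-config: a base list, 'add'
    continuation lines, 'all' and 'none'. 'remove' and 'except' are not
    needed here because a running-config is already consolidated.
    """
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"allowed": set(ALL_VLANS), "group": None}
        elif current is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith(ALLOWED_PREFIX):
                arg = cmd[len(ALLOWED_PREFIX):]
                if arg.startswith("add "):
                    interfaces[current]["allowed"] |= expand_vlan_list(arg[4:])
                elif arg == "all":
                    interfaces[current]["allowed"] = set(ALL_VLANS)
                elif arg == "none":
                    interfaces[current]["allowed"] = set()
                else:
                    interfaces[current]["allowed"] = expand_vlan_list(arg)
            else:
                m = re.match(r"channel-group (\d+)", cmd)
                if m:
                    interfaces[current]["group"] = int(m.group(1))
        else:
            current = None  # '!' or any non-indented line ends the block
    return interfaces


def find_mismatches(config: str) -> Dict[str, Tuple[int, List[int], List[int]]]:
    """Map each member port whose allowed-VLAN set differs from its
    Port-channel to (group, VLANs only on the member, VLANs only on the Po)."""
    intfs = parse_interfaces(config)
    mismatches: Dict[str, Tuple[int, List[int], List[int]]] = {}
    for name, info in intfs.items():
        group = info["group"]
        if group is None:
            continue
        po = intfs.get(f"Port-channel{group}")
        if po is None:
            continue  # member refers to a port-channel absent from this config
        extra = sorted(info["allowed"] - po["allowed"])
        missing = sorted(po["allowed"] - info["allowed"])
        if extra or missing:
            mismatches[name] = (group, extra, missing)
    return mismatches


if __name__ == "__main__":
    for port, (group, extra, missing) in find_mismatches(SAMPLE_CONFIG).items():
        print(f"{port} (Po{group}): only on member={extra} only on Po={missing}")
```

Feed it the output of show running-config from both ends of the link; an empty result on both switches means the member ports and the Port-channel agree, and the change can then be made once on the Port-channel interface where it is inherited by the members.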

colossus1611
Level 1

Yes it was a bit of a rookie error.

@balaji.bandi wrote:
you always need to add VLAN in the switch before adding to port-channel both the side of the switch.

The VLAN was added beforehand, no issues.

Also my access didn't restore until I removed the added VLAN.

Pretty sure in the past when I did add it to the port before adding it to the port-channel, it did not work, but it didn't break anything either.

colossus1611
Level 1

I need to pull the logs from syslog as the buffer has been overwritten to an extent, but I found the log message below when I removed the newly added VLAN and services were restored:

%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Port-channel1
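The LOOPGUARD_UNBLOCK message above is the recovery half of a pair; loop guard logs a LOOPGUARD_BLOCK when it first holds a port in the loop-inconsistent state. An outage like this one is easiest to spot if a log collector pairs the two and raises a flag for any port-channel that has been blocked and not yet unblocked. The following is an added example, not from the thread or from Cisco: the syslog lines are constructed (timestamps, the VLAN numbers and the extra LINK line are made up), the UNBLOCK line follows the form the poster quoted, and the BLOCK form assumes the standard IOS wording "Loop guard blocking port <port> on <VLAN>".

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample syslog excerpt (not from the thread). VLAN0020 is
# blocked and never released, which is what the replay should report.
SAMPLE_LOG = """\
Jan 10 10:02:11.120: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN0010.
Jan 10 10:02:11.121: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN0020.
Jan 10 10:02:30.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Jan 10 10:14:40.003: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Port-channel1 on VLAN0010.
"""

# Matches both directions; the VLAN suffix and trailing period are optional
# so the shorter form quoted in the thread is accepted as well.
LOOPGUARD_RE = re.compile(
    r"%SPANTREE-2-LOOPGUARD_(?P<action>BLOCK|UNBLOCK): "
    r"Loop guard (?:un)?blocking port (?P<port>\S+?)(?: on (?P<vlan>VLAN\d+))?\.?$"
)


def loopguard_events(log: str) -> List[Tuple[str, str, str]]:
    """Extract (action, port, vlan) tuples; vlan is '' when the message omits it."""
    events: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        m = LOOPGUARD_RE.search(line.rstrip())
        if m:
            events.append((m.group("action"), m.group("port"), m.group("vlan") or ""))
    return events


def still_blocked(log: str) -> Dict[str, List[str]]:
    """Replay the log in order and return, per port, the VLANs that loop guard
    blocked and has not unblocked by the end of the log."""
    held: Dict[str, Set[str]] = {}
    for action, port, vlan in loopguard_events(log):
        vlans = held.setdefault(port, set())
        if action == "BLOCK":
            vlans.add(vlan)
        elif vlan:
            vlans.discard(vlan)
        else:
            vlans.clear()  # unblock message without a VLAN: treat as port-wide
    return {port: sorted(v) for port, v in held.items() if v}


if __name__ == "__main__":
    for port, vlans in still_blocked(SAMPLE_LOG).items():
        print(f"ALERT: {port} still loop-guard blocked on {', '.join(vlans)}")
```

Run over a live syslog feed, a non-empty result for any Port-channel is the condition the poster was in before the VLAN was removed: the uplink was up at layer 1 but spanning tree was holding it, so management traffic never got through.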

balaji.bandi
Hall of Fame

Yes, that would cause the issue. Make a note: always add the VLAN to the port-channel (not to the individual interfaces).

That is safe, I have never seen any outage. You can try it and let me know how it goes (you are safe).

Hope this resolves the issue.

BB
