Thank you, the last config changes that were made to that port (before we patched into it today) was a month ago and were

Fri Dec 15 14:28:32 2017 interface Ethernet1/48 ; no switchport (REDIRECT)
Fri Dec 15 14:28:32 2017 interface Ethernet1/48 ; no switchport (SUCCESS)
Fri Dec 15 14:28:43 2017 interface Ethernet1/48 ; switchport (REDIRECT)
Fri Dec 15 14:28:43 2017 interface Ethernet1/48 ; switchport (SUCCESS)
Fri Dec 15 14:28:47 2017 interface Ethernet1/48 ; switchport mode trunk (REDIRECT)
Fri Dec 15 14:28:47 2017 interface Ethernet1/48 ; switchport mode trunk (SUCCESS)
Fri Dec 15 14:28:57 2017 interface Ethernet1/48 ; switchport trunk allowed vlan add 10 (REDIRECT)
Fri Dec 15 14:28:57 2017 interface Ethernet1/48 ; switchport trunk allowed vlan add 10 (SUCCESS)

So when we patched into it there was actually a command saying allow vlan add 10 (although the running config didnt show it). No one has added a command switchport trunk allowed vlan none at any point. It seems the Nexus has added it between us patching the fibre in and the pings then dropping (the only two people who can log into the Nexus are myself and a colleague who was sat next to me, both scratching our heads).

If a trunk is being set up from scratch, like above, should the command initially be switchport trunk allowed vlan 10 and not switchport trunk allowed vlan add 10? Possibly it hasnt liked that? Although I cant believe Cisco would have not fixed that years ago.

Many thanks,

P

Hello,

Thank you for the clarification!

The effect of configuring switchport trunk allowed vlan add 10 on a trunk that already has all VLANs allowed is that the configuration does not change at all: You only allow a VLAN that is already allowed, so effectively there is no change at all. Configuring it would not cause any harm, and it is also expected that under the circumstances, this command would not show in the interface configuration as it implicitly (by means of all VLANs allowed) already there.

This is getting interesting. By any chance, do you have a config-sync configured between this switch and a peer N7K?

Also, you said that after you noticed the "allowed vlan none" command added, you tried to "specifically added vlan 10 to the interface trunk, shut, no shut, but the layer 2 link wouldnt come back up ". What does this mean exactly? Can you elaborate on this?

Thank you!

Best regards,
Peter

Hi Peter,

Excitement over I think, you were right about checking what config had been entered.

1. The fibre was patched in, link came up and was working.
   1. 2018 Jan 19 09:30:04 KHM22N04-KGH-MDP2 %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/48, hardware type changed to 1G
2. Then a few minutes later my colleague tried to tidy up the trunk with
   1. Fri Jan 19 09:32:25 2018 Ethernet1/48 ; switchport trunk allowed vlan 10 (SUCCESS) 
   2. Firstly this wasnt needed, secondly it had the effect that the link stopped working - that I cant explain, should adding vlan 10 to a trunk that already has vlan 10 added cause an issue?
3. With devices now not pingable he has tried to back out with
   1. Fri Jan 19 09:35:30 2018 Ethernet1/48 ; no switchport trunk allowed vlan 10 (SUCCESS)
   2. To remove a vlan from a trunk is switchport trunk allowed vlan remove 10, not no switchport.... I think that is where the Nexus has added switchport trunk allowed vlan none. Does that sound right?
4. I have then logged on to the nexus and seen switchport trunk allowed vlan none

Am I right?

I can then see that after reconfiguring the port to allow vlan 10, I bounced the interface for good measure, between me re-enabling the interface and us backing out of the change was 38 seconds. That should have been long enough for a 1Gbps link to start passing traffic again(?) but pings were still dropping, downtime had been 8 minutes so we couldnt really hold on any longer. I wonder if we had left it for 60sec it would have sorted itself out.

Hello,

You're spot on: Under NX-OS for N7K, removing the whole switchport trunk allowed vlan vlan-list command using the no keyword will result in the switch disabling ALL VLANs on the trunk, and understandably placing the switchport trunk allowed vlan none into the port's configuration. This is different from IOS behavior on Catalyst switches, and also from other Nexus platforms, such as N9K.

Then a few minutes later my colleague tried to tidy up the trunk with [switchport trunk allowed vlan 10]. Firstly this wasnt needed, secondly it had the effect that the link stopped working - that I cant explain, should adding vlan 10 to a trunk that already has vlan 10 added cause an issue?

To VLAN 10, there should have been no perceptible change whatsoever. Understandably, however, all other VLANs would become blackholed on this trunk. Was the connectivity truly provided in VLAN10 - could that have been a different VLAN that got pruned off this trunk as a result of the added command?

I also wonder if STP could have had anything to do with this. What kind of STP are you running - is it Rapid-PVST+, or is it MST?

With devices now not pingable he has tried to back out with no switchport trunk allowed vlan 10

Right - and that would have caused the switch to take the unexpected action and disable all VLANs on the trunk. I have just now tested the behavior on a N7K running 7.2(2)D1(2) and I can 100% confirm the behavior: Removing the whole switchport trunk allowed vlan vlan-list command with the no keyword is equivalent to configuring switchport trunk allowed vlan none. I can also confirm that a N9K NX-OS 7.0(3)I7(1) behaves in the expected way - it reverts back to allowing all VLANs. Definitely a quirk of the N7K NX-OS in particular.

I can then see that after reconfiguring the port to allow vlan 10, I bounced the interface for good measure, between me re-enabling the interface and us backing out of the change was 38 seconds. That should have been long enough for a 1Gbps link to start passing traffic again(?) but pings were still dropping, downtime had been 8 minutes so we couldnt really hold on any longer. I wonder if we had left it for 60sec it would have sorted itself out.

There seems to be something else going on. 38 seconds would be enough for the link to become forwarding in STP even if STP had to go through the full Discarding->Learning->Forwarding sequence (that would take 30 seconds if you are running on default STP timers). I wonder if the logs on the device attached to e1/48 could shed some more light to this mystery.

Let me ask a set of questions:

1. What kind of device is connected to your e1/48? I believe you've mentioned it is a switch. Can you clarify what exact type and perhaps what OS version that device is running?
2. Once again, what kind of STP are you running between this N7K and the switch connected to e1/48?
3. Is there any chance that the connectivity was actually occurring in a different VLAN than VLAN10?
4. Are you using VTP, and VTP Pruning in particular?

Thank you!

Best regards,
Peter

Hi Peter, 

1. What kind of device is connected to your e1/48? I believe you've mentioned it is a switch. Can you clarify what exact type and perhaps what OS version that device is running?
   1. It is a cisco WS-C3750G-24TS-1U 
   2. Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
   3. It is a remote site switch, it runs through a ISP but it is a layer 2 link, hence being able to see the switch from the Nexus using #show cdp neighbor even when the vlan stuff was not working. What is strange is that to get the link working we have to piggy back vlan 10 through another trunk to an end user switch stack (c3850's) and then we connect into the NTU of our provider using gig1/1/2. What we are wanting to do is connect the Nexus directly to the NTU. The interface config for the 3850 is 
   4. interface GigabitEthernet1/1/2
      switchport trunk allowed vlan 10
      switchport mode trunk
      and that is it (apart from a description). It cant be a vlan mismatch because otherwise it would also fail on that interface.
      
2. Both sides, infact all three devices are running Rstp so the 38 seconds is being even more generous. By chance I had done a packet capture on the link the other day and I can see that the STP messages are correct for the configuration, its not like the remote switch is failing.
3. I dont think we are using vtp, its been years since I configured it but #show vtp status said disabled for pruning and #show vtp counters showed 0 for all interfaces.

Finally there are no logs on the remote switch for this work and no logs on the nexus for any vlan issues.

I appreciate your help with this,

Paddy