11-02-2020 11:21 AM
Hello,
I am attempting to feed VLANs from one switch to another. The problem I am seeing is that the switch in between the two, which is a 9k in the same domain in transparent mode, is not feeding the VLANs to an access switch. The VTP server switches are on one side of the 9k and the access switch is on the other side. They are all in the same VTP domain and the same VTP password is set across the devices. The two VTP servers connected to each other on one side of the 9k are both servers, and when a VLAN is created on one it is propagated to the other.
When I debug all vtp on the 9k I see the following:
vtp : vtp_msg_handlers.c/vtp_handle_packet():575 packet length 102, tagged = 0 type =0x58
vtp : vtp_msg_handlers.c/vtp_receive_packet():2853 Dropping packet received on trunk port-channelxxx -in Transparent Mode
vtp : vtp_msg_handlers.c/vtp_relay_packet():2772 Drop packet received on STP blocked port 0x16000004
The port channel between the access switch and 9k doesn't appear to have any issues nor does the port channel between the server switches and the 9k.
Any help is greatly appreciated.
11-02-2020 11:38 AM
If you want the switches to be part of the VTP domain, make them clients. Switches in transparent mode will not advertise their VLAN configuration. Also, VTP is not enabled on Nexus series switches by default. That said, it is usually a good idea to stay away from VTP altogether, especially if you don't have many VLANs, as it can cause more harm than help.
HTH
11-02-2020 11:55 AM - edited 11-02-2020 11:56 AM
Reza,
Thank you for taking the time to respond, but this response does not help me. I am under the impression that VTP transparent mode will forward advertisements within the same domain as they are coming from the servers and just being passed, just not its own VLANs. So the transparent mode should be fine; the access switch is the client in this scenario. I have already assured VTP is enabled. Also, just to help with any other information I left out, all devices are running VTP version 2. I don't need to be advised that I should stay away from VTP; there is a reason we are running it in our environment. If that's what I needed help on I would have phrased the question "Is running VTP a smart idea?"
11-02-2020 01:23 PM
Here is the documentation:
In VTP transparent mode, you can configure VLANs (add, delete, or modify) and private VLANs. VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. The VTP configuration revision number is always set to zero (0). Transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP version 2.
Link:
https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/vtp-mode.html
HTH
11-02-2020 02:46 PM
Do you have a link referencing something to the logs I posted? Can you provide a location that may resolve my issue? I don't need a copy and paste of how VTP works. I get that. I posted that VTP should forward updates coming from a server to a client when it's in transparent mode, and you just pasted a document that confirms exactly what I said.
Let me repeat the problem just to be clear. VTP version two on all devices. Transparent switch in between server and client. All in the same VTP domain. Server-created VLAN not updating on client. Error messages as listed above.
.......
11-02-2020 03:14 PM - edited 11-02-2020 03:40 PM
Hello
N9k can only support VTP transparent mode and it should, as you have said, relay VTP packets from one trunk to another.
Make sure you are allowing VLAN 1 across the trunks, and on the VTP server switch create an additional VLAN and then see if the VTP database of the alternate switch via the N9k gets populated.
Edited - Just managed to lab this up and it works accordingly (see attached file)
11-04-2020 05:10 AM
Unfortunately my supervisor doesn't want me to pursue this any further. Due to the security requirements for our environment, we cannot allow VLAN 1 and have it shut down where possible. I did try doing this before it was mentioned, but I think I may have failed to check if VLAN 1 was no shut after I added VLAN 1 to the allowed VLANs.
In any case thank you for your help. I will mark your answer as the solution since you took the time to lab it up.
Thank you Paul!
11-02-2020 03:20 PM
Agree with @paul driver
VLAN 1 needs to be permitted on the Nexus 9K trunk ports, otherwise VTP messages will be dropped with the STP message that you are receiving. Can you try and add VLAN 1 to the port-channel trunk interfaces that connect to the VTP server and client switches and test again?
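Added example, not part of any post in this thread: a small Python triage script that sorts the VTP debug lines quoted in the question by drop reason and lists the ports named in the STP-blocked relay drops, which the replies tie to VLAN 1 not being permitted on the N9K trunks. The line layout is inferred from the three quoted lines only, and the labels and function names are this example's own.

```python
import re

# Constructed sample: the three debug lines quoted in the original question.
SAMPLE = """\
vtp : vtp_msg_handlers.c/vtp_handle_packet():575 packet length 102, tagged = 0 type =0x58
vtp : vtp_msg_handlers.c/vtp_receive_packet():2853 Dropping packet received on trunk port-channelxxx -in Transparent Mode
vtp : vtp_msg_handlers.c/vtp_relay_packet():2772 Drop packet received on STP blocked port 0x16000004
"""

# Assumed layout: "vtp : <file>/<function>():<source line> <message>"
LINE_RE = re.compile(
    r"^vtp\s*:\s*(?P<file>[\w.]+)/(?P<func>\w+)\(\):(?P<line>\d+)\s+(?P<msg>.*)$"
)

# Message patterns seen in the thread, mapped to labels chosen for this example.
RULES = [
    (re.compile(r"Dropping packet received on trunk (?P<port>\S+)\s+-in Transparent Mode"),
     "drop_transparent_mode"),
    (re.compile(r"Drop packet received on STP blocked port (?P<port>\S+)"),
     "drop_stp_blocked"),
]

def parse(text):
    """Return one dict per recognised debug line: function, label, port."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a VTP debug line in the assumed layout
        label, port = "other", None
        for rx, name in RULES:
            hit = rx.search(m["msg"])
            if hit:
                label, port = name, hit["port"]
                break
        events.append({"func": m["func"], "label": label, "port": port})
    return events

def stp_blocked_ports(events):
    """Ports where the relay path dropped the frame as STP-blocked."""
    return sorted({e["port"] for e in events if e["label"] == "drop_stp_blocked"})

if __name__ == "__main__":
    for port in stp_blocked_ports(parse(SAMPLE)):
        # Per the replies above: confirm VLAN 1 is allowed and forwarding on the trunk.
        print(f"relay drop on {port}: check VLAN 1 on the trunk allowed list")
```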