Suspended VLAN

Hi,

In which conditions can a VLAN in a 2960 switch go to suspended state (besides manual config)?

Thank you.

BR,

NS

1 Accepted Solution

Accepted Solutions

Hi Norberto,

Are you running VTP in your network?

I may have an idea. Do you happen to have any of the following two commands configured on your switch?

errdisable detect cause bpduguard shutdown vlan
errdisable detect cause security-violation shutdown vlan

If so, they can be related to the issue you have experienced. These two commands activate a specific reaction to the particular violation, either BPDU Guard or Port Security. If any of these commands are configured, and a corresponding cause is experienced, the switch will shut down (or suspend) the entire VLAN instead of the offending port. That could explain what you have observed today.

Unless you have a specific need for deactivating the entire VLAN whenever a BPDU Guard or Port Security violation occurs, I suggest you remove those two commands.

Best regards,
Peter

5 Replies

Peter Paluch
Cisco Employee

Hi Norberto,

I am not aware of any circumstance in which a VLAN status would spontaneously change to suspended. Do you have a different experience?

Best regards,
Peter

Hi Peter,

We're investigating an issue in which some VLANs went to the suspended state on a few switches, from what is indicated without manual intervention, but there are no logs from the time of the issue. With VTP active I know that the suspended state will be propagated in the domain, but I don't find any reason for an automatic change to suspended.

Hi Peter,

Yes, they're running VTP. Those two are not in the configuration, but perhaps they're enabled by default. I'll check the show run all.

Thank you for your help!

BR,

Norberto

Hi Norberto,

I do not believe those commands are default. With BPDU Guard and Port Security violations, only the affected port is shut down by default, not the entire VLAN.

However, if a VLAN was shut down anywhere in the VTP domain, it would propagate across the entire domain. The fact that you are running VTP at least enables the possibility that the VLAN was suspended on another switch in the domain, and this change propagated to the switch you were working with. Tracking the source of changes in a VTP domain can be difficult, as this history is not usually kept anywhere. The show vtp status will show you the source of the last update, but if multiple changes have occurred, the history will not be recorded (I believe that SNMP traps could be configured for that purpose, though).

Best regards,
Peter
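
A triage helper for the two explanations raised in this thread, added here as an example and not code from the posters or from Cisco: it reads saved output of show running-config all, show vlan brief and show vtp status, then reports which VLANs are suspended, whether either per-VLAN errdisable command is present, and which device VTP records as the last updater. The sample outputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample outputs for illustration; not taken from the thread.
RUNNING_CONFIG_ALL = """\
errdisable detect cause bpduguard shutdown vlan
spanning-tree portfast bpduguard default
"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2
10   USERS                            suspended
20   VOICE                            active    Fa0/3
"""
SHOW_VTP_STATUS = """\
VTP Operating Mode                : Client
Configuration last modified by 10.0.0.5 at 3-1-93 02:14:07
"""

# Matches only the positive form; a leading "no" keeps the line from matching.
PER_VLAN = re.compile(
    r"^[ \t]*errdisable detect cause (bpduguard|security-violation) shutdown vlan[ \t]*$", re.M)

def per_vlan_errdisable(config):
    """Causes configured with the 'shutdown vlan' action named in the thread."""
    return sorted(set(PER_VLAN.findall(config)))

def suspended_vlans(vlan_brief):
    """(id, name) of every VLAN whose Status column reads 'suspended'."""
    rows = re.findall(r"^(\d+)[ \t]+(\S+)[ \t]+suspended\b", vlan_brief, re.M)
    return [(int(vid), name) for vid, name in rows]

def vtp_summary(vtp_status):
    """VTP mode and the last updater recorded by the switch."""
    mode = re.search(r"VTP Operating Mode\s*:\s*(\S+)", vtp_status)
    src = re.search(r"Configuration last modified by (\S+)", vtp_status)
    return {"mode": mode.group(1) if mode else None,
            "last_modified_by": src.group(1) if src else None}

def triage(config, vlan_brief, vtp_status):
    """Collect the facts that bear on the two explanations in the thread."""
    vtp = vtp_summary(vtp_status)
    return {"suspended": suspended_vlans(vlan_brief),
            "per_vlan_errdisable": per_vlan_errdisable(config),
            # Server and Client switches apply VLAN changes learned over VTP.
            "vtp_applies_updates": vtp["mode"] in ("Server", "Client"),
            "vtp_last_modified_by": vtp["last_modified_by"]}
```

Calling triage() on the three saved outputs from each switch in the VTP domain gives a side-by-side view of where a suspension could have originated.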
