06-29-2022 08:19 AM
We started to have a massive problem (after switching users from wifi to ethernet). It lies in the fact that the switch port randomly falls into vlan 1, although it is configured in another vlan.
Version 03.08.02.E RELEASE SOFTWARE (fc2) - cat4500es8-universalk9.SPA.03.08.02.E.152-4.E2.bin
Version 03.11.00.E RELEASE SOFTWARE (fc3) - cat4500es8-universalk9.SPA.03.11.00.E.152-7.E.bin
Version 03.08.05a.E RELEASE SOFTWARE (fc1) - cat4500es8-universalk9.SPA.03.08.05a.E.152-4.E5a.bin
Chassis: WS-C4510R+E
Line-cards: WS-X4748-UPOE+E
sup: WS-X45-SUP8-E
Shut and no shut of the port does not solve the problem, and neither does disconnecting the user's physical cable. What helps is changing the vlan number and then setting the desired one back.
I noticed that if you configure ports through an interface range, then all ports immediately fall into vlan 1, almost always.
This is an example of one of the port configurations:
!
interface GigabitEthernet3/32
 description -U- FreeSeat
 switchport access vlan 3493
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 3449
 ip arp inspection limit rate 200
 logging event link-status
 storm-control broadcast level 0.50
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping
!
sh interfaces GigabitEthernet3/32 switchport
Name: Gi3/32
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 3449 (vd-voice-25fl)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
06-29-2022 08:57 AM
If you are using extended VLANs you need to configure:
spanning-tree extend system-id
Also post show version (full output).
Just for reference:
06-30-2022 03:36 AM
Perhaps the question was not asked correctly. The problem port usually works fine, in the right vlan. At some point, the user connects to it and gets into vlan 1, and the port is stuck until you change the vlan in the configs to another one or completely reset it.
06-30-2022 03:38 AM
spanning-tree extend system-id - enabled
06-30-2022 04:03 AM - edited 06-30-2022 04:05 AM
Thank you for the information. Is this for all the ports, or only 1 port?
One of the mates asked here already: how is your VTP config status?
If you lost the config on the port (do you still see that data vlan in show vlan?), you are losing only the data vlan; I can see the voice vlan is intact.
Also your pruning vlan: Pruning VLANs Enabled: 2-1001
06-29-2022 10:03 AM
- What do you get when just using show interface status?
M.
06-29-2022 10:11 AM
Do you add the vlan to the database?
If yes, then check for a VTP domain mismatch or a VTP mode that may delete the vlan.
06-30-2022 03:38 AM
VTP - disabled
06-30-2022 04:52 AM
Not so sure, but for a port with data and voice vlans you need to run CDP.
06-30-2022 07:46 AM
Try it this way, and also can you answer why you disabled CDP?
Your config:
switchport access vlan 3493
switchport mode access
Instead configure:
switchport mode access
switchport access vlan 3493
06-29-2022 04:22 PM
The port is not configured for Dot1X so it is not "automated".
Next, those IOS versions are scary. 3.11.0 is a version "0" (last digit). 3.8.X are low numbers (except 3.8.5).
I started 3.8.X with 3.8.7 and I am slowly moving a lot of my Sup7 to 3.8.11. Our switches have Dot1X but we never saw this behaviour before.
I would recommend upgrading the firmware and see if it makes any difference.
06-30-2022 03:40 AM
If updated, then to what version? I remember that there are no Flex Links in the latest versions, but we need them.
vd-sw24-1#sh version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSALK9-M), Version 03.11.00.E RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Sat 23-Mar-19 10:27 by prod_rel_team
Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: 15.1(1r)SG5
vd-sw24-1 uptime is 2 years, 32 weeks, 4 days, 12 hours, 49 minutes
Uptime for this control processor is 2 years, 32 weeks, 4 days, 12 hours, 51 minutes
System returned to ROM by reload
System restarted at 23:47:15 MSK Thu Nov 14 2019
System image file is "bootflash:cat4500es8-universalk9.SPA.03.11.00.E.152-7.E.bin"
Jawa Revision 3, RadTrooper Revision 0x0.0x41, Conan Revision 0x1658
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Information for 'WS-X45-SUP8-E'
License Level: ipbase Type: Permanent
Next reboot license Level: ipbase
cisco WS-C4510R+E (P5040) processor (revision 2) with 4194304K bytes of physical memory.
Processor board ID FXS2003Q1HD
P5040 CPU at 2.2GHz, Supervisor 8-E
Last reset from Reload
2 Virtual Ethernet interfaces
384 Gigabit Ethernet interfaces
16 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2102
06-30-2022 03:59 AM
Hello,
Usually when a port reverts to VLAN 1 after either being in a VLAN or being configured for one, it's because the VLAN is not in the local database, or the switch had the VLAN and lost it somehow. What does your "show vlan" command look like?
You said VTP is disabled, but can you do a "show vtp status"? If it's in client mode it won't let you create VLANs on the switch.
Also, if you are using dot1x, depending on what features you're using it can put the port in a VLAN that doesn't exist on the switch, therefore making it VLAN 1. For example, you configure the port for VLAN 20, but dot1x authenticates the device and puts it in VLAN 30; if VLAN 30 is not on the switch it will revert to VLAN 1.
Lastly, the VLAN you are trying to add the port to is being pruned further upstream, but that may be less likely.
Hope that helps
-David
06-30-2022 06:59 AM
Let's talk again: there are a lot of ports on the switch with the specified vlan, and they work. At the time of failure on one or more ports, the rest still work. This is not a problem of a missing VLAN; otherwise none of the ports would work. Dot1x is disabled on the port.
vd-sw24-1#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : VD-Office
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 00f2.8ba3.8f00
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Feature VLAN:
--------------
VTP Operating Mode : Off
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x2B 0xCA 0x5A 0xF4 0x37 0x84 0xD5 0xBD
0x5A 0x1F 0x78 0xC2 0xCE 0x16 0x88 0xA9
vd-sw24-1#sh run int Gi1/2
Building configuration...
Current configuration : 408 bytes
!
interface GigabitEthernet1/2
 description -U- FreeSeat
 switchport access vlan 3492
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 3448
 ip arp inspection limit rate 200
 logging event link-status
 no cdp enable
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip verify source vlan dhcp-snooping
end
vd-sw24-1#sh vlan id 3492
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
3492 vd-guest-24fl                    active    Gi1/2, Gi1/4, Gi1/7, Gi1/8, Gi1/10, Gi1/11, Gi1/12, Gi1/13, Gi1/14, Gi1/15, Gi1/16
Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/22, Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28
Gi1/29, Gi1/30, Gi1/31, Gi1/32, Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39
Gi1/40, Gi1/41, Gi1/42, Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi2/1, Gi2/2, Gi2/3
Gi2/4, Gi2/5, Gi2/6, Gi2/7, Gi2/8, Gi2/9, Gi2/11, Gi2/14, Gi2/15, Gi2/16, Gi2/17
Gi2/18, Gi2/19, Gi2/21, Gi2/22, Gi2/23, Gi2/24, Gi2/25, Gi2/26, Gi2/27, Gi2/28, Gi2/29
Gi2/30, Gi2/31, Gi2/34, Gi2/36, Gi2/37, Gi2/38, Gi2/39, Gi2/40, Gi2/41, Gi2/42, Gi2/44
Gi2/45, Gi2/46, Gi2/47, Gi2/48, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/9
Gi3/10, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19, Gi3/20, Gi3/21, Gi3/23
Gi3/24, Gi3/25, Gi3/28, Gi3/29, Gi3/30, Gi3/31, Gi3/33, Gi3/34, Gi3/35, Gi3/36, Gi3/37
Gi3/39, Gi3/41, Gi3/43, Gi3/45, Gi3/47, Gi3/48, Gi4/1, Gi4/5, Gi4/6, Gi4/9, Gi4/11
Gi4/14, Gi4/15, Gi4/19, Gi4/20, Gi4/21, Gi4/22, Gi4/25, Gi4/27, Gi4/31, Gi4/33, Gi4/35
Gi4/36, Gi4/38, Gi4/42, Gi4/44, Gi4/45, Gi4/47, Gi4/48, Gi7/2, Gi7/3, Gi7/5, Gi7/6
Gi7/7, Gi7/9, Gi7/10, Gi7/12, Gi7/13, Gi7/15, Gi7/19, Gi7/20, Gi7/21, Gi7/22, Gi7/23
Gi7/24, Gi7/25, Gi7/26, Gi7/27, Gi7/28, Gi7/29, Gi7/30, Gi7/31, Gi7/32, Gi7/33, Gi7/34
Gi7/36, Gi7/37, Gi7/38, Gi7/39, Gi7/40, Gi7/41, Gi7/42, Gi7/43, Gi7/44, Gi7/45, Gi7/46
Gi7/47, Gi7/48, Gi8/2, Gi8/3, Gi8/4, Gi8/5, Gi8/6, Gi8/7, Gi8/8, Gi8/9, Gi8/10, Gi8/11
Gi8/12, Gi8/13, Gi8/15, Gi8/16, Gi8/17, Gi8/18, Gi8/19, Gi8/20, Gi8/21, Gi8/22, Gi8/23
Gi8/24, Gi8/25, Gi8/26, Gi8/27, Gi8/29, Gi8/30, Gi8/31, Gi8/32, Gi8/33, Gi8/35, Gi8/36
Gi8/37, Gi8/38, Gi8/39, Gi8/40, Gi8/42, Gi8/44, Gi8/45, Gi8/47, Gi9/2, Gi9/3, Gi9/4
Gi9/5, Gi9/6, Gi9/7, Gi9/8, Gi9/9, Gi9/10, Gi9/11, Gi9/12, Gi9/13, Gi9/14, Gi9/15
Gi9/16, Gi9/17, Gi9/18, Gi9/19, Gi9/20, Gi9/21, Gi9/22, Gi9/23, Gi9/24, Gi9/25, Gi9/26
Gi9/27, Gi9/28, Gi9/29, Gi9/30, Gi9/31, Gi9/32, Gi9/33, Gi9/34, Gi9/35, Gi9/36, Gi9/37
Gi9/38, Gi9/39, Gi9/40, Gi9/41, Gi9/42, Gi9/43, Gi9/44, Gi9/45, Gi9/46, Gi9/47, Gi9/48
Po41, Po42
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3492 enet  103492     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
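As an added example (not code from any poster in this thread), the following Python script applies the checks discussed above to captured switch output: it compares each port's configured "switchport access vlan" from the running config with the "Access Mode VLAN" the port is actually using in "show interfaces switchport", verifies that the configured VLAN exists in the local VLAN database ("show vlan brief"), and reads the VTP operating mode from "show vtp status". All sample outputs are constructed and modelled on the ones posted (the extra ports and VLAN 4000 are invented), and the function names are my own, not a Cisco API.

```python
import re

# Constructed sample outputs, modelled on the ones posted in the thread
# (the ports Gi3/33, Gi3/34 and VLAN 4000 are invented for the example).
RUNNING_CONFIG = """\
interface GigabitEthernet3/32
 description -U- FreeSeat
 switchport access vlan 3493
 switchport mode access
 switchport voice vlan 3449
!
interface GigabitEthernet3/33
 switchport access vlan 3492
 switchport mode access
!
interface GigabitEthernet3/34
 switchport access vlan 4000
 switchport mode access
!
"""

SWITCHPORT_OUTPUT = """\
Name: Gi3/32
Access Mode VLAN: 1 (default)
Voice VLAN: 3449 (vd-voice-25fl)

Name: Gi3/33
Access Mode VLAN: 3492 (vd-guest-24fl)
Voice VLAN: none

Name: Gi3/34
Access Mode VLAN: 1 (default)
Voice VLAN: none
"""

VTP_STATUS = """\
VTP Version capable : 1 to 3
VTP Domain Name : VD-Office
VTP Operating Mode : Off
Number of existing VLANs : 5
"""

VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
3449 vd-voice-25fl                    active    Gi3/32
3492 vd-guest-24fl                    active    Gi3/33
3493 vd-guest-25fl                    active    Gi3/32
"""


def short_name(name):
    """Map a running-config interface name to the short form 'show interfaces switchport' prints."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi")):
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_access_vlans(running_config):
    """Short interface name -> configured 'switchport access vlan' (None if not set)."""
    configured, current = {}, None
    for line in running_config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = short_name(m.group(1))
            configured[current] = None
        elif current and (m := re.match(r"\s*switchport access vlan (\d+)$", line)):
            configured[current] = int(m.group(1))
    return configured


def parse_operational_vlans(switchport_output):
    """Short interface name -> the 'Access Mode VLAN' the port is actually using."""
    operational, current = {}, None
    for line in switchport_output.splitlines():
        if m := re.match(r"Name: (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"Access Mode VLAN: (\d+)", line)):
            operational[current] = int(m.group(1))
    return operational


def parse_vlan_ids(vlan_brief):
    """Set of VLAN IDs present in the local VLAN database."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)\s", vlan_brief, re.M)}


def parse_vtp_mode(vtp_status):
    """The 'VTP Operating Mode' value, e.g. 'Off', 'Server', 'Client'."""
    m = re.search(r"VTP Operating Mode\s*:\s*(\w+)", vtp_status)
    return m.group(1) if m else None


def audit(running_config, switchport_output, vlan_brief, vtp_status):
    """Return the VTP mode and a list of (port, configured, operational, reason) findings."""
    configured = parse_access_vlans(running_config)
    operational = parse_operational_vlans(switchport_output)
    known = parse_vlan_ids(vlan_brief)
    findings = []
    for port, want in configured.items():
        got = operational.get(port)
        if want is None or got is None:
            continue  # not an access port, or no switchport output captured for it
        if want not in known:
            findings.append((port, want, got, "configured VLAN is missing from the local VLAN database"))
        elif got != want:
            findings.append((port, want, got, "operational VLAN differs from the configured VLAN"))
    return {"vtp_mode": parse_vtp_mode(vtp_status), "findings": findings}


if __name__ == "__main__":
    report = audit(RUNNING_CONFIG, SWITCHPORT_OUTPUT, VLAN_BRIEF, VTP_STATUS)
    print("VTP operating mode:", report["vtp_mode"])
    for port, want, got, reason in report["findings"]:
        print(f"{port}: configured {want}, operational {got}: {reason}")
```

Run against the constructed data it reports Gi3/32 (configured 3493, operating in VLAN 1, which is the symptom in this thread) and Gi3/34 (configured VLAN absent from the database, David's first explanation), while Gi3/33 is clean. On a real switch the same checks can be run periodically over captured "show" output so a port silently dropping into VLAN 1 is alerted on rather than discovered by the user, since a port in the wrong VLAN bypasses the segmentation the access VLAN was meant to enforce.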
07-01-2022 03:26 AM
Can you please try to disable bpduguard and check.
As you say it's a user access port, and on the port currently bpduguard is enabled. Sometimes it creates an issue; just disable it and check.
spanning-tree bpduguard enable