05-01-2012 06:24 AM - edited 03-07-2019 06:26 AM
We are having to change our IP structure and I came across a problem with the vtp pruning. I have been configuring our WAP 1231 with new vlans for the ssid. I create new sub interfaces for the radio 0 and fa0. This is the first time configuring 2 access points that we use as bridges. I changed the vlan on it the same as I changed the other WAPs. This time though the Cat 6513 on one bridge and the Cat 3750 on the other side are both pruning my management vlan. This 6513 is not the root primary for any of the vlans. It is connected to the root. Here are some of the show commands:
Dwight-IDF4-6513-140#sho int trunk
Port Mode Encapsulation Status Native vlan
Gi1/43 on 802.1q trunking 100
Port Vlans allowed on trunk
Gi1/43 8,83-84,100
Port Vlans allowed and active in management domain
Gi1/43 8,83-84,100
Port Vlans in spanning tree forwarding state and not pruned
Gi1/43 8,83-84
Port Gi1/43 should not be pruning vlan 100.
Here is some more:
interface GigabitEthernet1/43
description Wireless Bridge To Special Ed
no ip address
mls qos trust cos
switchport
switchport trunk native vlan 100
switchport trunk allowed vlan 8,83,84,100
switchport mode trunk
Dwight-IDF4-6513-140#sho vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Transparent
VTP Domain Name : dwight
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
Dwight-IDF4-6513-140#sho spanning-tree vlan 100
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 24676
Address 0017.0f5f.7140
Cost 4
Port 386 (GigabitEthernet4/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 00d0.0559.8c00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/43 Desg BKN*19 128.43 P2p *PVID_Inc
Gi1/45 Desg FWD 19 128.45 P2p
Gi1/46 Desg FWD 19 128.46 P2p
Gi1/47 Desg FWD 19 128.47 P2p
Gi1/48 Desg FWD 19 128.48 P2p
Gi4/1 Altn BLK 4 128.385 P2p
Gi4/2 Root FWD 4 128.386 P2p
interface GigabitEthernet1/45
description WIRELESS AP
no ip address
mls qos trust cos
switchport
switchport trunk native vlan 100
switchport trunk allowed vlan 44,100,141,241
switchport mode trunk
spanning-tree portfast
spanning-tree bpduguard enable
Interface Gi1/43 is the port to my bridge. Interface Gi1/45 is just another WAP. These ports do not allow me to configure encapsulation dot1q as my other ports for the switches do.
Here is the version on the 6513:
Version 12.2(17d)SXB11a, RELEASE SOFTWARE (fc1)
Right now I can't connect to the other side but it has the same configuration.
Does anyone know why I can't get the management vlan to work on this port?
Here is what I have configured on the WAP bridge:
interface Dot11Radio0.84
encapsulation dot1Q 84
no ip route-cache
bridge-group 84
bridge-group 84 spanning-disabled
interface Dot11Radio0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0.84
encapsulation dot1Q 84
no ip route-cache
bridge-group 84
bridge-group 84 spanning-disabled
interface FastEthernet0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
05-01-2012 08:06 AM
Here is some debugging:
Dwight-IDF4-6513-140#
May 1 09:21:19.484 CDT: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/43 VLAN100.
May 1 09:21:19.484 CDT: %SPANTREE-SP-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/43 on VLAN0100. Inconsistent local vlan.
Dwight-IDF8-SpecEd#
3w6d: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/0/48 VLAN100.
3w6d: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/48 on VLAN0001. Inconsistent peer vlan.
3w6d: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/48 on VLAN0100. Inconsistent local vlan.
05-01-2012 12:12 PM
Jeremy,
Your problem does not lie in VTP Pruning but rather in a problem with STP.
According to what your switches tell you, they are receiving a PVST+ BPDU on VLAN100. However, in this BPDU, there is also an internal record of which VLAN this BPDU originated in, and this record claims that this BPDU originally comes from VLAN1. That is what the switch is telling you:
May 1 09:21:19.484 CDT: %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet1/43 VLAN100.
This situation is called Primary VLAN ID Inconsistency. Cisco's PVST+ is built to detect these PVID inconsistencies and block the port in the conflicting VLAN. You may read more about these inconsistencies and recommended steps in their solution in this document:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00801d11a0.shtml
The question is, however, what went wrong in your network so that this problem was created in the first place. Reading through that document carefully may give you very helpful insights as to what is happening. It seems, however, that somehow, you have bridged together two VLANs, or caused a native VLAN mismatch on some trunk. As you are using them as bridges to interconnect two wired networks, it is very probable that something similar happened.
Best regards,
Peter
05-01-2012 01:58 PM
Peter,
Thanks for that. I was able to get one of them talking to the 6513 switch. I am still having a problem with the other one. I am sure now what I did wrong on the WAP configuration. I started configuring it the same as a regular WAP instead of as a bridge. The bridge-group 1 was not set properly, creating the native issue with the sub interfaces for the Fa0 port and the dot11radio0.xxx.
The one thing I think is still a problem at the far side of the bridge is the Fastethernet 0 interface. Here is what it looked like before:
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
Here is what it looks like now:
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
hold-queue 160 in
I checked my commands again and I did not type that into the interface Fa0. Now it has bridge-group 1 and it tells me command invalid when I try to remove it.
Would this be causing the issue or something else?
05-01-2012 04:28 PM
Hi Jeremy,
The bridge-group command is necessary because the WAPs, regardless of their operating mode on the wireless side (wireless bridge or wireless access point) perform bridging between their wireless and wired interface. In order to create this bridging association between a particular SSID and a particular VLAN, both subinterfaces on the radio and Fa interface have to be joined together using a bridge-group with an identical number. On these WAPs, having both the wired and wireless interface bridged is a must.
I am somehow lost in understanding how exactly you plan to perform the bridging. Is there any topology illustration or exhibit you could post to help us understand better how the WAPs are being deployed in your network? Thank you!
Best regards,
Peter
05-02-2012 07:31 AM
Hi Peter,
Thanks for the information. I wanted to let you know I did get the other side to finally connect to the 3750G switch. That Fa0 using the bridge-group 1 was creating a problem. I kept trying to take it off but it would tell me invalid command. I use the subinterfaces to send the bridge-group I want. I finally had to do a write erase on that WAP and re-apply the config. This took the interface Fa0 out of the bridge-group and now I have the correct trunking and no spanning-tree issues.
We have a school with a MDF and several IDFs. The MDF connects to this IDF that has the WAP acting as a bridge. That connects to a directional antenna that points across the street and about a block away to the other building. That connects to the other 1231G that then connects to the 3750G which in turn has 2 more WAP that are autonomous.
Every WAP is autonomous in the school district.
When I do a show ip int brief it says the interfaces are up and up and the notification did say that the two are connected. But it is not routing. The goal here is to adjust the vlans and IP addresses to be more manageable. I have changed the vlans on half our WAP and have not seen this problem where everything just falls apart.
Thanks. You have been helpful.
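An added example, not part of any post in this thread: a small audit of an autonomous AP configuration for the two conditions discussed above, namely that the radio and FastEthernet subinterfaces of a VLAN share one bridge-group number, and that no bridge-group is left on a physical interface that has subinterfaces. The sample is assembled from the stanzas posted here; `parse` and `audit` are illustrative names.

```python
import re

# Constructed sample built from the stanzas posted in this thread: the VLAN 84
# and 100 subinterfaces, plus the physical FastEthernet0 carrying bridge-group 1.
SAMPLE_CONFIG = """\
interface Dot11Radio0.84
 encapsulation dot1Q 84
 bridge-group 84
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface FastEthernet0
 bridge-group 1
interface FastEthernet0.84
 encapsulation dot1Q 84
 bridge-group 84
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
"""

def parse(config):
    """Map interface name -> {"vlan": int or None, "group": int or None}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], {"vlan": None, "group": None})
        elif current is not None:
            if m := re.fullmatch(r"encapsulation dot1Q (\d+)(?: native)?", line):
                current["vlan"] = int(m.group(1))
            elif m := re.fullmatch(r"bridge-group (\d+)", line):
                current["group"] = int(m.group(1))
    return stanzas

def audit(config):
    """Return findings for the two conditions discussed in the thread."""
    stanzas, by_vlan, findings = parse(config), {}, []
    for name, s in stanzas.items():
        if "." in name and s["vlan"] is not None:
            by_vlan.setdefault(s["vlan"], {})[name] = s["group"]
    for vlan, members in sorted(by_vlan.items()):
        if len(set(members.values())) != 1:  # radio and wired side must agree
            findings.append(f"VLAN {vlan}: bridge-group differs across {sorted(members)}")
    for name, s in stanzas.items():
        has_subs = any(n.startswith(name + ".") for n in stanzas)
        if "." not in name and s["group"] is not None and has_subs:
            findings.append(f"{name}: bridge-group {s['group']} set on the physical interface")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns a single finding for `FastEthernet0`; option lines such as `bridge-group 84 spanning-disabled` are ignored by the parser.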
05-02-2012 08:50 AM
Hello Jeremy,
Thank you for keeping me posted. But I wonder: how is the WAP now configured? Can you post its configuration here please?
Anyway, if the network currently runs as expected, I am glad to hear that.
Best regards,
Peter
05-02-2012 08:52 AM
Usually that message indicates that your native vlans do not match up on each end of the trunk.
05-02-2012 10:49 AM
I posted that config. It is on the original posting.
Now I lost connectivity to it.
Everything shows up and up. It worked yesterday. Today I came in and no connectivity. I can't even ping it. When I get onto the WAP it doesn't show any problems but I can't ping out from it either.
It shows packets moving on the native vlan but I still get nothing.
DMS_Bridge_to_SpecialEd#sho ip int brief
Interface IP-Address OK? Method Status Protocol
BVI1 10.60.0.222 YES NVRAM up up
Dot11Radio0 unassigned YES TFTP up up
Dot11Radio0.84 unassigned YES unset up up
Dot11Radio0.100 unassigned YES unset up up
FastEthernet0 unassigned YES NVRAM up up
FastEthernet0.84 unassigned YES unset up up
FastEthernet0.100 unassigned YES unset up up
Virtual-Dot11Radio0 unassigned YES TFTP up up
Virtual-Dot11Radio0.84 unassigned YES unset up up
Virtual-Dot11Radio0.100 unassigned YES unset up up
Clients: 8021x auth in prog 0 allowed 0
Client AID VLAN Status Age Tx Mode Rate Encr Key
0016.9de1.4940 1 100 0000 0000 29/30 0-0 00B1 1EFF 0000 0-13
Vlan BSSID Clients PSP Pri Encr Key0 Key1 Key2 Key3 SSIDs
0 47D0 0 0 0 0 0
84 47D0 0 0 0 0 0
100n 47D0 0 0 0 0 4 x128 DWIGHT
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interfaces: Dot11Radio0.100
FastEthernet0.100
Virtual-Dot11Radio0.100
This is configured as native Vlan for the following interface(s) :
Dot11Radio0
FastEthernet0
Virtual-Dot11Radio0
Protocols Configured: Address: Received: Transmitted:
Bridging Bridge Group 1 11397 21221
Other 0 6
0 packets, 0 bytes input
10686 packets, 751549 bytes output
Bridging Bridge Group 1 11398 21223
Other 0 6
6744 packets, 510542 bytes input
4373 packets, 262719 bytes output
Bridging Bridge Group 1 11398 21223
Other 0 6
4819 packets, 293394 bytes input
6169 packets, 476047 bytes output
To me everything seems to be working. Any ideas?
05-03-2012 01:41 PM
I finally found another WAP. I reconfigured the one I found and installed it. Now I can ping and telnet to the other side of the bridge. I have no way of updating the version so I can't check for that. I just can't get to the switch on the other side.
05-11-2012 02:24 PM
Jeremy,
I sincerely apologize for a late reply - some rather busy weeks right now at my work. Is this issue still open?
Best regards,
Peter
05-11-2012 04:49 PM
No. We solved it. Thanks for checking up.
Sent from my iPad