The Troubleshooting Methodology
VLAN and trunk problems follow a predictable pattern. Start at the access port and work your way through the trunk to the distribution switch:
- Verify the port's access VLAN (or trunk mode).
- Confirm the VLAN exists in the VLAN database.
- Check if the port is in the right state (forwarding, blocking, etc.).
- On trunks, verify the VLAN is allowed and active.
- Check native VLAN alignment across the trunk.
- Verify spanning tree state if traffic still doesn't flow.
Let's walk through real scenarios using the PingLabz lab topology.
Scenario 1: VLAN Not in Database
Symptom: Device on Gi1/0/10 (ACC-SW1) cannot reach VLAN 15. Other VLANs work fine.
Host Details:
- Hostname: SERVER-1
- IP: 10.10.15.5 (expected)
- Currently assigned to: Gi1/0/10 on ACC-SW1
Step 1: Check Port VLAN Assignment
ACC-SW1# show interfaces GigabitEthernet1/0/10 switchport
Name: GigabitEthernet1/0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 15
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
The port is configured for access VLAN 15.
Step 2: Check if VLAN 15 Exists
ACC-SW1# show vlan id 15
% VLAN ID not found
DIAGNOSIS: VLAN 15 does not exist in the VLAN database.
FIX: Create the VLAN:
ACC-SW1# configure terminal
ACC-SW1(config)# vlan 15
ACC-SW1(config-vlan)# name VLAN-15
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# end
Step 3: Verify Port State
ACC-SW1# show interfaces GigabitEthernet1/0/10 status
Port Name Status Vlan Duplex Speed Type
Gi1/0/10 SERVER-1 connected 15 full auto 10/100/1000BaseTX
ACC-SW1# show interfaces GigabitEthernet1/0/10
GigabitEthernet1/0/10 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 1111.2222.3333 (bia 1111.2222.3333)
MTU 1500 bytes, BW 1000000 Kbit/sec
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
Status: Up/up. Port is active in VLAN 15.
Step 4: Check Spanning Tree
ACC-SW1# show spanning-tree vlan 15 interface GigabitEthernet1/0/10
Role: Designated Port
State: Forwarding
Cost (STP): 19
Prio: 128
Port is forwarding. Traffic should now flow.
Scenario 2: Port in Wrong Access VLAN
Symptom: VLAN 10 workstation on Gi1/0/5 (ACC-SW1) cannot ping VLAN 10 gateway (10.10.10.254). No routing error; traffic just doesn't cross.
Host Details:
- IP: 10.10.10.50 (VLAN 10)
- MAC: aaaa.bbbb.cccc
- Connected to: Gi1/0/5 (ACC-SW1)
Step 1: Check Port Assignment
ACC-SW1# show interfaces GigabitEthernet1/0/5 switchport
Name: GigabitEthernet1/0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 20
DIAGNOSIS: The port is in VLAN 20 (Servers), not VLAN 10 (Users).
FIX: Reconfigure to VLAN 10:
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet1/0/5
ACC-SW1(config-if)# switchport access vlan 10
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# end
Verification:
ACC-SW1# show vlan id 10 | include Gi1/0/5
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
10 Users active Gi1/0/1, Gi1/0/2, Gi1/0/5, ...
The host now reaches the gateway.
Scenario 3: Trunk Not Forming
Symptom: ACC-SW1 and DIST-SW1 are cabled with Gi1/0/24 on each side. DIST-SW1 should carry VLANs 10, 20, 30, 40 to ACC-SW1, but traffic between them doesn't flow.
DIST-SW1 Configuration:
interface Port-Channel 10
switchport mode trunk
switchport trunk allowed vlan 10,20,30,40
!
interface range GigabitEthernet1/0/23 - 24
channel-group 10 mode active
exit
ACC-SW1 Configuration:
interface GigabitEthernet1/0/24
switchport mode trunk
switchport trunk allowed vlan 10,20,30,40
exit
Step 1: Check Trunk Mode on ACC-SW1
ACC-SW1# show interfaces GigabitEthernet1/0/24 switchport
Name: GigabitEthernet1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunk mode is active on ACC-SW1.
Step 2: Check if DIST-SW1 is Receiving LACP PDUs
On DIST-SW1, member Gi1/0/24 should show as bundled:
DIST-SW1# show etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
10 Po10(SD) LACP Gi1/0/23(P) Gi1/0/24(D)
DIAGNOSIS: Gi1/0/24 shows (D) — down or suspended. It's not bundling.
Step 3: Check Physical Link
DIST-SW1# show interfaces GigabitEthernet1/0/24
GigabitEthernet1/0/24 is down, line protocol is down (notconnect)
DIAGNOSIS: The physical link is down. Check cabling or SFP.
FIX: Reseat the cable or check for bad SFP:
DIST-SW1# show interfaces GigabitEthernet1/0/24 status
Port Name Status Vlan Duplex Speed Type
Gi1/0/24 (No interface description) notconnect 1 auto auto (not connected)
Replace the cable. Once the link is up:
DIST-SW1# show etherchannel summary
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
10 Po10(SU) LACP Gi1/0/23(P) Gi1/0/24(P)
Both ports bundled. Trunk is now active.
Scenario 4: VLAN Pruned from Trunk
Symptom: VLAN 40 (Voice) workstations on ACC-SW1 cannot reach the voice gateway on DIST-SW1. Other VLANs (10, 20, 30) work fine.
DIST-SW1 Trunk Config:
switchport trunk allowed vlan 10,20,30
! (VLAN 40 not in the allowed list)
Step 1: Check Trunk Allowed VLANs
DIST-SW1# show interfaces Port-Channel 10 trunk
Port Mode Encapsulation Status Native vlan
Po10 on 802.1q trunking 99
Port Vlans allowed on trunk
Po10 10,20,30
Port Vlans allowed and active in management domain
Po10 10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Po10 10,20,30
DIAGNOSIS: VLAN 40 is not in the allowed list. It's pruned from the trunk.
FIX: Add VLAN 40 to the trunk:
DIST-SW1# configure terminal
DIST-SW1(config)# interface Port-Channel 10
DIST-SW1(config-if)# switchport trunk allowed vlan add 40
DIST-SW1(config-if)# end
Verification:
DIST-SW1# show interfaces Port-Channel 10 trunk
Port Vlans allowed on trunk
Po10 10,20,30,40
Port Vlans in spanning tree forwarding state and not pruned
Po10 10,20,30,40
VLAN 40 is now active on the trunk.
Scenario 5: Native VLAN Mismatch
Symptom: Untagged traffic from ACC-SW1 to DIST-SW1 arrives tagged (or doesn't arrive at all). Typically affects management traffic.
DIST-SW1 Config:
interface Port-Channel 10
switchport trunk native vlan 99
ACC-SW1 Config:
interface GigabitEthernet1/0/24
switchport trunk native vlan 1
! (Did not explicitly set native VLAN; defaults to 1)
Step 1: Check Native VLANs on Both Sides
DIST-SW1# show interfaces Port-Channel 10 trunk | include native
Trunking Native Mode VLAN: 99 (VLAN0099)
ACC-SW1# show interfaces GigabitEthernet1/0/24 trunk | include native
Trunking Native Mode VLAN: 1 (default)
DIAGNOSIS: Native VLAN mismatch. DIST-SW1 uses VLAN 99; ACC-SW1 uses VLAN 1. Untagged frames sent from ACC-SW1 are interpreted as VLAN 1 on DIST-SW1 but should be VLAN 99.
FIX: Set both to the same native VLAN:
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet1/0/24
ACC-SW1(config-if)# switchport trunk native vlan 99
ACC-SW1(config-if)# end
Verification:
ACC-SW1# show interfaces GigabitEthernet1/0/24 trunk | include native
Trunking Native Mode VLAN: 99 (VLAN0099)
DIST-SW1# show interfaces Port-Channel 10 trunk | include native
Trunking Native Mode VLAN: 99 (VLAN0099)
Now both sides treat untagged frames as VLAN 99.
Scenario 6: VLAN Active vs Allowed Mismatch
Symptom: VLAN 30 is allowed on a trunk but doesn't appear in the "active" list. Ports in VLAN 30 on the far side show no connectivity.
Check Trunk Status:
DIST-SW1# show interfaces Port-Channel 10 trunk
Port Vlans allowed on trunk
Po10 10,20,30,40,99,100
Port Vlans allowed and active in management domain
Po10 10,20,30,40,99
Port Vlans in spanning tree forwarding state and not pruned
Po10 10,20,30,40,99
DIAGNOSIS: VLAN 100 is allowed but not active. This can happen if VLAN 100 is not in the VLAN database on DIST-SW1.
Step 1: Check VLAN Database
DIST-SW1# show vlan id 100
% VLAN ID not found
VLAN 100 doesn't exist.
FIX: Create VLAN 100:
DIST-SW1# configure terminal
DIST-SW1(config)# vlan 100
DIST-SW1(config-vlan)# name VLAN-100
DIST-SW1(config-vlan)# exit
DIST-SW1(config)# end
Verification:
DIST-SW1# show interfaces Port-Channel 10 trunk
Port Vlans allowed and active in management domain
Po10 10,20,30,40,99,100
VLAN 100 now appears as active.
Scenario 7: STP Blocking on VLAN-Specific Basis
Symptom: VLAN 10 traffic flows between ACC-SW1 and DIST-SW1, but VLAN 20 traffic is stuck. Both VLANs use the same trunk (Po10).
Step 1: Check Port-Channel STP State
DIST-SW1# show spanning-tree interface Port-Channel 10 brief
Interface Role Sts Cost Prio.Nbr Type
----------- ---- --- --------- -------- --------------------------------
Po10 Desg FWD 100 128.25 P2p,Aggregated
DIST-SW1# show spanning-tree vlan 10 interface Port-Channel 10
Interface Po10 in VLAN 10
Role: Designated Port
State: Forwarding
DIST-SW1# show spanning-tree vlan 20 interface Port-Channel 10
Interface Po10 in VLAN 20
Role: Root Port
State: Forwarding
Both VLANs show forwarding on Po10. STP is not the issue.
Step 2: Check Port-Channel Status on Far Side
ACC-SW1# show spanning-tree vlan 20 interface GigabitEthernet1/0/24
Interface Gi1/0/24 in VLAN 20
Role: Alternate Port
State: Blocked
DIAGNOSIS: Gi1/0/24 on ACC-SW1 is blocked for VLAN 20 by STP. This happens if there's an alternate root bridge or loop.
Typical Cause: There's a second uplink from ACC-SW1 (e.g., Gi1/0/23 to a different distribution switch) that's the designated port for VLAN 20.
FIX: Verify STP topology and ensure one uplink is blocked at the distribution layer, not at the access layer:
DIST-SW1# show spanning-tree vlan 20
...
Root ID Priority 32788
Address 5555.6666.7777
Cost 100
Port 25 (Port-Channel 10)
...
The root is reachable via Po10 at cost 100. ACC-SW1 should see this and prefer this path. If it doesn't, there may be a lower-cost path via another port.
Check if another port on ACC-SW1 is also trunking VLAN 20:
ACC-SW1# show vlan id 20
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
20 Servers active Gi1/0/23, Gi1/0/24
ACC-SW1# show interfaces GigabitEthernet1/0/23 trunk
Port Mode Encapsulation Status Native vlan
Gi1/0/23 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/23 20
Gi1/0/23 also carries VLAN 20 to a different distribution switch. STP has calculated a lower cost to that switch. To fix this, either:
- Remove VLAN 20 from the secondary uplink (Gi1/0/23).
- Increase the STP priority on the secondary switch to make the primary (DIST-SW1) preferred.
Systematic Troubleshooting Checklist
When VLAN connectivity fails, run this checklist:
- On access switch (ACC-SW1):
show interfaces <port> switchport ! Verify access VLAN
show vlan id <vlan> ! VLAN exists?
show spanning-tree vlan <vlan> interface <port> ! STP state
- On distribution switch (DIST-SW1):
show interfaces <port-channel> trunk ! Allowed & active VLANs
show vlan id <vlan> ! VLAN exists on dist
show spanning-tree vlan <vlan> interface <port-channel> ! STP role/state
- Cross-link verification:
ping <gateway IP in VLAN> ! End-to-end test
show mac address-table vlan <vlan> ! MAC learning confirmed?
- Common fixes:
- Create missing VLAN.
- Add VLAN to trunk allowed list.
- Fix native VLAN mismatch.
- Adjust STP priority if needed.
- Reseat cables if port shows down.
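The trunk checks from Scenarios 4 through 7 (allowed list, allowed vs. active, STP forwarding, native VLAN alignment) can be run against saved show interfaces trunk output from both ends of a link. This is an added example, not part of the original article: the sample text is constructed, and the names parse_trunk, audit and the "wanted" VLAN set are assumptions made for illustration.

```python
# Constructed sample text in the layout of `show interfaces trunk` (not a device capture).
TEMPLATE = """\
Port      Mode  Encapsulation  Status    Native vlan
{p}  on    802.1q         trunking  {n}
Port      Vlans allowed on trunk
{p}  {a}
Port      Vlans allowed and active in management domain
{p}  {m}
Port      Vlans in spanning tree forwarding state and not pruned
{p}  {f}
"""
DIST_SW1 = TEMPLATE.format(p="Po10", n=99, a="10,20,30,40,99,100", m="10,20,30,40,99", f="10,20,30,40,99")
ACC_SW1 = TEMPLATE.format(p="Gi1/0/24", n=1, a="10,20,30", m="10,20,30", f="10,30")
SECTIONS = {"Native vlan": "native", "Vlans allowed on trunk": "allowed",
            "Vlans allowed and active": "active", "Vlans in spanning tree": "forwarding"}

def expand(vlans):
    """Expand '10,20-22' to {10, 20, 21, 22}; 'none' gives an empty set."""
    out = set()
    for part in vlans.split(","):
        if part.lower() != "none":
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(text, port):
    """Return the native VLAN and allowed/active/forwarding VLAN sets for one port."""
    info, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "Port":      # header line names the section that follows
            section = next((v for k, v in SECTIONS.items() if k in line), None)
        elif fields and fields[0] == port and section:
            info[section] = int(fields[-1]) if section == "native" else expand(fields[-1])
    return info

def audit(local, remote, wanted):
    """Trunk checks from the scenarios; `wanted` is the VLAN set the trunk must carry."""
    out = []
    if local["native"] != remote["native"]:
        out.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    for name, side in (("local", local), ("remote", remote)):
        out += [f"{name}: VLAN {v} not in allowed list" for v in sorted(wanted - side["allowed"])]
        out += [f"{name}: VLAN {v} allowed but not active" for v in sorted(side["allowed"] - side["active"])]
        out += [f"{name}: VLAN {v} active but not STP-forwarding" for v in sorted(side["active"] - side["forwarding"])]
    return out

FINDINGS = audit(parse_trunk(ACC_SW1, "Gi1/0/24"), parse_trunk(DIST_SW1, "Po10"), {10, 20, 30, 40})
```

Each finding maps to one fix in the list above: create the missing VLAN, add it to the allowed list, align the native VLAN, or review the STP topology.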
Key Takeaways
- Always start with port assignment: show interfaces <port> switchport to confirm access VLAN or trunk mode.
- Verify VLAN exists in the database: Use show vlan brief or show vlan id <vlan>.
- Check trunk allowed list: VLANs must be explicitly allowed with switchport trunk allowed vlan.
- Native VLAN must match on both sides of a trunk, or untagged frames are misinterpreted.
- Use show spanning-tree vlan <vlan> interface <port> to diagnose STP-level blocking, not port-level blocking.
- Test end-to-end with ping from client to gateway IP in the VLAN to confirm full path connectivity.