Cisco – Bridge is always root for a vlan

cisco, cisco-2960, ieee-802.1w, spanning tree

I have a switch that is not receiving BPDU Hellos properly and I have not been able to pinpoint the problem. Switch 1 puts all ports for vlan4 into desg mode and claims it is the root for vlan4 (the root is upstream), while switch 2 knows the root is upstream on port Gi0/24, so it places that port as root and Gi0/17 as desg. Running debug spanning-tree events shows that each side sends BPDUs to the other but they do not arrive. So I have no idea why switch 1 will not realize it is not root for vlan4. The only way I can get this switch to not think it is root is to put the interface on both ends of the trunk as access and set the access vlan to 4.

Switch1 Interface 0/24 is configured as follows:

interface GigabitEthernet0/24
 switchport trunk allowed vlan 1,4
 switchport mode trunk

Switch2 Interface G0/17 is configured as follows:

interface GigabitEthernet0/17  
 switchport trunk allowed vlan 1,4
 switchport mode trunk

Show Spanning-tree results
Switch1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
             Address     4055.39cc.6780
             Cost        12
             Port        24 (GigabitEthernet0/24)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0021.1b59.ae80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
Gi0/24              Root FWD 4         128.24   P2p Peer(STP)

VLAN0004
  Spanning tree enabled protocol rstp
  Root ID    Priority    61444
             Address     0021.1b59.ae80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    61444  (priority 61440 sys-id-ext 4)
             Address     0021.1b59.ae80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
Gi0/18              Desg FWD 4         128.18   P2p
Gi0/24              Desg FWD 4         128.24   P2p

Switch2

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
             Address     4055.39cc.6780
             Cost        4
             Port        24 (GigabitEthernet0/24)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0021.1b59.cb00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
Gi0/10           Desg FWD 4         128.10   Edge P2p 
Gi0/11           Desg FWD 4         128.11   Edge P2p 
Gi0/12           Desg FWD 4         128.12   Edge P2p 
Gi0/13           Desg FWD 4         128.13   Edge P2p
Gi0/14           Desg FWD 19        128.14   Edge P2p 
Gi0/15           Desg FWD 19        128.15   Edge P2p 
Gi0/16           Desg FWD 19        128.16   Edge P2p
Gi0/17           Desg FWD 4         128.17   P2p Peer(STP)
Gi0/18           Desg FWD 4         128.18   Edge P2p 
Gi0/19           Desg FWD 19        128.19   Edge P2p 
Gi0/20           Desg FWD 19        128.20   Edge P2p 
Gi0/24           Root FWD 4         128.24   P2p 


VLAN0004
  Spanning tree enabled protocol rstp

  Root ID    Priority    16388
             Address     4055.39cc.6780
             Cost        4
             Port        24 (GigabitEthernet0/24)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32772  (priority 32768 sys-id-ext 4)
             Address     0021.1b59.cb00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
Gi0/17           Desg FWD 4         128.17   P2p 
Gi0/24           Root FWD 4         128.24   P2p 

Other Information about the trunk…

Switch 1

Show Interface Trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1,4
Port        Vlans allowed and active in management domain
Gi0/24      1,4
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1,4

Switch2

Port        Mode         Encapsulation  Status        Native vlan
Gi0/17      on           802.1q         trunking      1
Gi0/24      on           802.1q         trunking      1
Port        Vlans allowed on trunk
Gi0/17      1,4
Gi0/24      1-4094
Port        Vlans allowed and active in management domain
Gi0/17      1,4
Gi0/24      1-4,10,100-101,600
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/17      1,4
Gi0/24      1-4,100-101

Show CDP NE
Switch1

Switch1#sh cdp ne

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch2          Gig 0/24          140              S I   WS-C2960G Gig 0/17

Switch2

switch2#sh cdp ne

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch.domain.lcl
                 Gig 0/17          159           S I      WS-C2960G Gig 0/24
root-3750        Gig 0/24          164          R S I     WS-C3750X Gig 2/0/20

Switch1 Configuration file

   Current configuration : 2834 bytes
!
! Last configuration change at 15:14:14 EST Thu Oct 6 2016
! NVRAM config last updated at 10:45:43 EST Thu Oct 6 2016
!

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch1
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
clock timezone EST -5
system mtu routing 1500
udld enable

!
!
ip domain-lookup source-interface GigabitEthernet0/24
ip domain-name .......
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree logging
spanning-tree extend system-id
!
vlan internal allocation policy ascending

!
ip tftp source-interface Vlan1
!
!
interface GigabitEthernet0/1
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 4
!
interface GigabitEthernet0/11
 switchport access vlan 4
!
interface GigabitEthernet0/12
 switchport access vlan 4
!
interface GigabitEthernet0/13
 switchport access vlan 4
!
interface GigabitEthernet0/14
 switchport access vlan 4
!
interface GigabitEthernet0/15
 switchport access vlan 4
!
interface GigabitEthernet0/16
 switchport access vlan 4
!
interface GigabitEthernet0/17
 switchport access vlan 4
!
interface GigabitEthernet0/18
 switchport access vlan 4
!
interface GigabitEthernet0/19
 switchport access vlan 4
!
interface GigabitEthernet0/20
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 4
!
interface GigabitEthernet0/22
 switchport access vlan 4
!
interface GigabitEthernet0/23
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/24
 description Trunk to switch2
 switchport trunk allowed vlan 1,4
 switchport mode trunk
!
interface Vlan1
 ip address dhcp
!
interface Vlan4
 ip address xxx.xxx.xxx.x xxx.xxx.xxx.x
!
ip default-gateway xxx.xxx.x.x
ip http server
ip http secure-server
!
line con 0
 exec-timeout 40 0
 logging synchronous
line vty 0 4
 login
line vty 5 15
 login
!
!
monitor session 61 source vlan 4

ntp clock-period ..........
ntp server ........
end

Switch2 Configuration file

    Current configuration : 5278 bytes
!
! Last configuration change at 16:12:50 EDT Thu Oct 6 2016 by 
! NVRAM config last updated at 15:37:44 EDT Thu Oct 6 2016 by 
!
version 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname Switch2
!
enable secret ..
!
username ..
username ..
aaa new-model
aaa authentication login .. group radius local
aaa authentication login .. group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec ... group radius local 
aaa authorization exec ... group radius local 
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable
ip subnet-zero
!
no ip domain-lookup
!
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2    
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/5
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/6
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/7
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/9
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/11
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/12
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/13
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/14
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/15
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/16
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/17
 description Trunk to Switch1             
 switchport trunk allowed vlan 1,4
 switchport mode trunk
!
interface GigabitEthernet0/18
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/19
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/20
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/21
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/22
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/23
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.x
 no ip route-cache
!         
interface Vlan4
 no ip address
 no ip route-cache
!
interface Vlan11
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.x
 no ip route-cache
!
interface Vlan66
 no ip address
 no ip route-cache
 shutdown
!
ip default-gateway xx.x.x.x
no ip http server
ip radius source-interface Vlan1 
snmp-server community xxxxxxxxx XX
radius-server host xxx.xxx.xx.x auth-port .......
radius-server source-ports ..........
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 password .......
 authorization exec ....
 logging synchronous
 login authentication .....
line vty 0 4
 exec-timeout 14 59
 password 7 ......
 authorization exec ......
 logging synchronous
 login authentication ....
 length 0
 history size 40
line vty 5 15
 exec-timeout 14 59
 password .......
 authorization exec.....
 logging synchronous
 login authentication.....
 length 0
 history size 40
!
!

ntp clock-period ......
ntp server ......
end

Root-3750 Switch: This bridge is root for ALL VLANs.

!
version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname Root-3750
!
boot-start-marker
boot-end-marker
!
enable secret 5 
!
!
!
aaa new-model
!
!
aaa authentication login .. group radius local
aaa authentication login.. group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec ..group radius local
aaa authorization exec .. group radius local
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip dhcp excluded-address ...
ip dhcp excluded-address ...
!
ip dhcp pool Phones
   network ....
   default-router ....
   domain-name ...
   dns-server ...
   option 160 ascii .......
!
!
ip name-server ....
ip name-server ...
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 10 list boolean or
 object 1
 object 2
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
crypto pki .............
 enrollment selfsigned
 ..............
.............
...............
!
!
crypto pki certificate chain,,,,,,,,,,,,,
 certificate s,,,,,,,,,,,
  ,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
  quit
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 16384
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh time-out,,,,
ip ssh ve,,,,,,
lldp run
!
!
!
interface Port-channel1
!
interface Port-channel2
!
interface Port-channel3
!
interface Port-channel4
!
interface Port-channel5
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description ..
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description ..
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description...
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 description
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 description
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 description 
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 description to 
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 description 
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 description 
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 description 
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 description OPEN
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface GigabitEthernet1/0/22
 description OPEN
 switchport trunk encapsulation dot1q
 switchport mode trunk
 shutdown
!
interface GigabitEthernet1/1/1
 description Trunk 2 a switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-599,601-4094
 switchport mode trunk
!
interface GigabitEthernet1/1/2
 description Trunk to a switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-599,601-4094
 switchport mode trunk
!
interface GigabitEthernet1/1/3
 description Trunk to a switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-599,601-4094
 switchport mode trunk
!
interface GigabitEthernet1/1/4
 description 
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/20
 description Switch2
 switchport trunk allowed vlan 1-599,601-4094
 spanning-tree portfast

!
interface GigabitEthernet2/0/24
 description 
 switchport access vlan 600
 switchport mode access
 load-interval 30
!
!
interface Vlan1
 ip address ..
!
interface Vlan2
 description
 ip address ..
!
interface Vlan3
 ip address ...
!
interface Vlan4
 ip address ..
 ip helper-address ...
!
interface Vlan100
 ip address ..
!
interface Vlan101
 ip address ..
!
interface Vlan600
 ip address ....
 ip summary-address eigrp ..
!
!
router eigrp 100
 network .
 network..
 network .....
 network .
 network ..
!
ip classless
ip route
ip route.
ip route ..
ip route ..
ip route .....
ip route ..
ip route ..
ip route ..
ip route ..
ip route ..
ip route ..
ip route...
ip route ...
!
ip http server
ip http secure-server
!
ip access-list standard ..
 permit ..
 permit ..
 permit ...
 permit ...
!
ip access-list extended .....
 permit ip host ..... any
ip access-list extended ..
 permit ip host ...any
 permit ip host .. any
 permit ip host .......any
 permit ip host ....... any
 permit ip host ..... any
 permit ip host ...... any
 permit ip host ........ any
 permit ip host .... any
 permit ip host ...... any
 permit ip host ...... any
 permit ip host ...... any
 permit ip host ........ any
 permit ip host ........ any
 permit ip host .. any
 permit ip host .. any
!
ip radius source-interface Vlan1
ip sla 1
 dns w...
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.1
 frequency 10
ip sla schedule 2 life forever start-time now
ip sla enable reaction-alerts
route-map TEST permit 5
 match ip address TEST
 set ip next-hop ..
!
route-map .. permit 5
 match ip address ..
 set ip next-hop ...
!
route-map ...permit 10
 match ip address ..

!
snmp-server community read4netmon RO
radius-server host ... auth-port . acct-port ...key..
!
!
line con 0
 exec-timeout 5 0
 password ..
 authorization exec ..
 logging synchronous
 login authentication ..
line vty 0 4
 session-timeout 4  output
 exec-timeout 4 59
 password ..
 authorization exec ..
 logging synchronous
 login authentication..
 transport input ssh
line vty 5 15
 session-timeout 4  output
 exec-timeout 4 59
 password ...
 authorization exec ..
 logging synchronous
 login authentication ..
 length 0
 transport input ssh
!
ntp clock-period 36027768
ntp server ..........
end

Root-3750 Trunk ports & Show cdp ne
Root Switch CDP NE

Root-3750#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/1/1     on               802.1q         trunking      1
Gi1/1/2     on               802.1q         trunking      1
Gi1/1/3     on               802.1q         trunking      1
Gi2/0/20    auto             n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gi1/1/1     1-599,601-4094
Gi1/1/2     1-599,601-4094
Gi1/1/3     1-599,601-4094
Gi2/0/20    1-599,601-4094

Port        Vlans allowed and active in management domain
Gi1/1/1     1-4,10,100-101
Gi1/1/2     1-4,10,100-101
Gi1/1/3     1-4,10,100-101
Gi2/0/20    1-4,10,100-101

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1/1     1,4,100
Gi1/1/2     1,4,100
Gi1/1/3     1,100
Gi2/0/20    1,3-4

Best Answer

I see some good suggestions already that you should follow, plus I have some other observations, both for good practice and for what I think is causing the real issue.

Secondary Issues:

  1. I see you are using both DTP and VTP on switch 1 and VTP on the other switches. You should hard code your trunk mode on all switch-to-switch links and turn off DTP negotiation with the no-negotiation command. Note: Only after you do manual pruning (switchport trunk allowed vlan xxx) should you stop VTP changes and pruning by changing the VTP mode to transparent. I do not see any VTP configs in your show run output so I am going to assume you are running VTP version 2.

  2. I would hard code the trunk encapsulation mode to dot1q even though your show interface trunk output shows that they are all running dot1q. If the platform and version of IOS you are running only uses dot1q encapsulation and will not take the "switchport trunk encapsulation dot1q" command on the trunk interfaces then ignore this.

Primary issue: When I look at your spanning tree output for switch 1 and switch 2 they show different versions of spanning tree protocol running for VLAN 1 and VLAN 4 on the same link connecting them together. That is not right.

From the Spanning-tree output on Switch 1 you see,

VLAN0001
Interface        Role Sts Cost      Prio.Nbr Type
Gi0/24           Desg FWD 4         128.17   P2p Peer(STP)

VLAN0004
Gi0/18           Desg FWD 4         128.18   P2p
Gi0/24           Desg FWD 4         128.17   P2p

and from the spanning-tree output on Switch 2 you see,

VLAN0001
Interface        Role Sts Cost      Prio.Nbr Type
Gi0/17           Desg FWD 4         128.17   P2p Peer(STP)

VLAN0004
Gi0/17           Desg FWD 4         128.17   P2p

When you see the spanning-tree type is P2P, it means it is running rapid per vlan spanning tree protocol or in the case of Switch 2 PVST (though the output of show spanning-tree is different from what I would expect). When you see "P2p Peer(STP)" it means that it has fallen back to common spanning-tree protocol (aka 1 STP instance for all VLANs running on VLAN 1). I think that you have mixed your configurations and your show spanning-tree output - meaning that the show output was taken after you made changes to the running config.

Before doing anything I would do a "show interface status" and see if switch 1 or switch 2 has err-disabled one of the VLANs on the trunk port. This is just out of curiosity and to pinpoint the real cause of your problem. Flap the port (shut/no shut) if you see it is err-disabled on a vlan basis.

I would fix this by doing each of the following steps in turn and check if it fixes the issue.

  1. Change the spanning-tree mode on Switch 1 to Per-Vlan rapid spanning tree mode to match what you have on Switch 2,

    spanning-tree mode rapid-pvst

  2. Flap the link on both sides connecting Switch 1 and Switch 2 using shut and then no shut on their respective interfaces.

  3. And if that does not fix the issue, reload Switch 1.

I hope that fixes the issue.
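
An added example (not part of the answer or the original post): a small Python check for the two conditions the answer points at, a spanning-tree mode mismatch across an inter-switch link and trunk ports left to DTP negotiation. The config excerpts are constructed from the running-configs posted in the question and the links from its CDP output; the function names and finding labels are hypothetical, and `switchport nonegotiate` is the IOS interface command assumed here for turning DTP off.

```python
import re

# Constructed excerpts: only the lines these checks read, taken from the
# three running-configs in the question (indentation normalized).
CONFIGS = {
    "Switch1": """\
spanning-tree mode pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/24
 description Trunk to switch2
 switchport trunk allowed vlan 1,4
 switchport mode trunk
!
""",
    "Switch2": """\
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/17
 description Trunk to Switch1
 switchport trunk allowed vlan 1,4
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree portfast
!
""",
    "Root-3750": """\
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 16384
!
interface GigabitEthernet2/0/20
 description Switch2
 switchport trunk allowed vlan 1-599,601-4094
 spanning-tree portfast
!
""",
}

# Inter-switch links as listed in the "sh cdp ne" output in the question.
LINKS = [
    (("Switch1", "GigabitEthernet0/24"), ("Switch2", "GigabitEthernet0/17")),
    (("Switch2", "GigabitEthernet0/24"), ("Root-3750", "GigabitEthernet2/0/20")),
]


def parse_config(text):
    """Return (stp_mode, {interface: [sub-commands]}) for one running-config."""
    stp_mode, interfaces, current = None, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
            m = re.match(r"spanning-tree mode (\S+)", line)
            if m:
                stp_mode = m.group(1)
    return stp_mode, interfaces


def audit(configs, links):
    """Return a list of (finding, detail) tuples for the given links."""
    parsed = {name: parse_config(text) for name, text in configs.items()}
    findings = []
    for (dev_a, if_a), (dev_b, if_b) in links:
        mode_a, mode_b = parsed[dev_a][0], parsed[dev_b][0]
        if mode_a != mode_b:
            findings.append(("STP_MODE_MISMATCH",
                             f"{dev_a} {if_a} ({mode_a}) <-> {dev_b} {if_b} ({mode_b})"))
        for dev, ifname in ((dev_a, if_a), (dev_b, if_b)):
            cmds = parsed[dev][1].get(ifname, [])
            if "switchport mode trunk" not in cmds:
                findings.append(("TRUNK_MODE_NOT_HARDCODED", f"{dev} {ifname}"))
            elif "switchport nonegotiate" not in cmds:
                findings.append(("DTP_NOT_DISABLED", f"{dev} {ifname}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(CONFIGS, LINKS):
        print(f"{finding:26} {detail}")
```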