Intermediate | Network Troubleshooting | 7 min read

How to Troubleshoot VLAN and Trunking Problems

Master VLAN troubleshooting with real Cisco IOS commands and proven techniques.

VLAN and trunking misconfigurations are among the most common causes of network connectivity failures in enterprise environments. Whether you're preparing for the CCNA or Network+ certification, understanding how to systematically troubleshoot these issues is essential. This guide walks through real-world scenarios using Cisco IOS commands to verify VLAN existence, check trunk status, identify native VLAN mismatches, and resolve pruning problems. Each step includes actual CLI output and configuration snippets to mirror what you'll encounter in the field or on exam simulators.

1. Verify VLAN Existence and Port Assignment

Start by confirming the VLAN is created on the switch and that the access port is assigned to the correct VLAN. Use 'show vlan brief' to list all VLANs and their ports. If the VLAN is missing, create it with 'vlan <id>' in global config mode. Then check the port with 'show interfaces <interface> switchport' to verify the operational mode and access VLAN.

Cisco IOS
Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3
10   Sales                            active    Fa0/4, Fa0/5
20   Engineering                      active    

Switch# show interfaces fa0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Sales)

Always check the VLAN database on the VTP server if using VTP; clients may not have the VLAN locally.

If the VLAN is not in the 'show vlan brief' output, traffic will be dropped even if the port is configured.

2. Check Trunk Status and Allowed VLANs

Trunk ports must be properly configured to carry multiple VLANs. Use 'show interfaces trunk' to see all trunk ports, their mode, encapsulation, and allowed VLAN list. If a VLAN is missing from the allowed list, traffic will not pass. Use 'switchport trunk allowed vlan add <vlan-id>' to include it.

Cisco IOS
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20

Use 'switchport trunk allowed vlan remove <vlan-id>' to prune unused VLANs and reduce broadcast traffic.

If the native VLAN is not VLAN 1, remember to add it to the allowed list.

3. Identify Native VLAN Mismatches

A native VLAN mismatch occurs when the two ends of a trunk have different native VLANs. Because native-VLAN frames cross the trunk untagged, each switch places them in its own native VLAN, so traffic leaks between the two VLANs; this can cause broadcast storms or connectivity issues. Use 'show interfaces trunk' on both switches to compare native VLAN values. If they differ, configure the correct native VLAN with 'switchport trunk native vlan <vlan-id>' on the mismatched side.

Cisco IOS
SwitchA# show interfaces gi0/1 trunk
Port        Native vlan
Gi0/1       1

SwitchB# show interfaces gi0/1 trunk
Port        Native vlan
Gi0/1       99

! Mismatch detected - CDP will log an error
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB (99).

! Fix on SwitchB:
SwitchB(config)# interface gi0/1
SwitchB(config-if)# switchport trunk native vlan 1

CDP automatically detects native VLAN mismatches and logs them; always check 'show logging' for these messages.

Changing the native VLAN on a live trunk can cause temporary disruption; schedule during maintenance windows.

4. Verify VLAN Pruning and STP State

VLAN pruning (via VTP pruning or manual configuration) can remove VLANs from a trunk. Additionally, Spanning Tree Protocol (STP) may block a VLAN on a port. Use 'show spanning-tree vlan <vlan-id>' to check the port state. If a port is in blocking or alternate state, investigate the STP topology.

Cisco IOS
Switch# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     0011.2233.4455
             Cost        19
             Port        25 (GigabitEthernet0/1)

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4466

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Gi0/1               Root FWD 19        128.25   P2p
Gi0/2               Desg FWD 19        128.26   P2p
Gi0/3               Altn BLK 19        128.27   P2p

If a VLAN is pruned, it won't appear in 'show interfaces trunk' under 'Vlans allowed and active'. Check VTP configuration.

Disabling STP on a port can cause loops; only do this in lab environments.
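
The sections of 'show interfaces trunk' from step 2 narrow a VLAN's path in order: allow list, VLAN database, then STP and pruning. The following Python sketch is an added example, not part of the original guide; it parses that output and names the stage at which a VLAN drops off a trunk. The sample text is constructed, the function names are illustrative, and VLAN lists are assumed to fit on one line.

```python
import re

# Constructed sample in the step 2 layout: VLAN 20 is absent from the last section.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10
"""

STAGES = {  # section header text -> key in the parsed result (kept in trunk order)
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand(spec):
    """'1,10,20-22' -> {1, 10, 20, 21, 22}; 'none' -> empty set."""
    vlans = set()
    for part in spec.split(","):
        if part and part != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Return {port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}."""
    trunks, stage = {}, None
    for line in text.splitlines():
        header = re.match(r"Port\s+(.+?)\s*$", line)
        if header:
            # The first section has no entry in STAGES; spot it by its 'Native vlan' column.
            stage = STAGES.get(header.group(1), "native" if "Native vlan" in line else None)
        elif line.split() and stage:
            port, *rest = line.split()
            value = int(rest[-1]) if stage == "native" else expand("".join(rest))
            trunks.setdefault(port, {})[stage] = value
    return trunks

def where_dropped(trunk, vlan):
    """First stage at which the VLAN falls off the trunk, or None if it passes all three."""
    return next((s for s in STAGES.values() if vlan not in trunk.get(s, set())), None)
```

A result of "allowed" points at the trunk allow list, "active" at the VLAN database, and "forwarding" at STP or pruning.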

5. Test Layer 2 Connectivity with Ping and Traceroute

After verifying configurations, test end-to-end connectivity. Use 'ping' from a host or switch to confirm reachability. If ping fails, use 'traceroute' to identify where packets stop. On Cisco switches, you can use 'extended ping' to source from a specific VLAN interface (SVI).

Cisco IOS
Switch# ping 192.168.10.1 source vlan 10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Switch# traceroute 192.168.20.1

Type escape sequence to abort.
Tracing the route to 192.168.20.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 4 msec 4 msec 4 msec
  2 192.168.20.1 8 msec 8 msec 8 msec

Use 'ping <ip-address> repeat 100' to stress-test the link and detect intermittent drops.

If ping succeeds but applications fail, check ACLs or firewall rules on the SVI.

6. Inspect MAC Address Table for VLAN Issues

The MAC address table shows which MAC addresses are learned on which VLAN and port. Use 'show mac address-table vlan <vlan-id>' to verify that hosts are appearing on the correct port. If a MAC is missing or on the wrong port, there may be a loop or misconfiguration.

Cisco IOS
Switch# show mac address-table vlan 10

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.7966.6800    DYNAMIC     Fa0/4
  10    0050.7966.6801    DYNAMIC     Fa0/5
  10    0050.7966.6802    DYNAMIC     Gi0/1

! If a MAC appears on the wrong port, check for loops or unauthorized devices.

Clear the MAC table with 'clear mac address-table dynamic' to force re-learning after a configuration change.

A MAC flapping between ports indicates a loop; use 'show logging | include %SW_MATM-4-MACFLAP_NOTIF' to detect it.
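
The two log messages named in steps 3 and 6 repeat for as long as the fault exists, so it helps to collapse them before reading. Added example (not from the original guide): a Python filter over 'show logging' text that reports each mismatched trunk once and counts flaps per host. The log lines are constructed, and the MACFLAP wording and the optional neighbor port in the CDP message are assumed formats.

```python
import re
from collections import defaultdict

# Constructed sample log lines (timestamps, hosts and ports are made up).
LOG = """\
*Mar  1 00:05:12: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB (99).
*Mar  1 00:06:12: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB GigabitEthernet0/1 (99).
*Mar  1 00:07:40: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.7966.6802 in vlan 10 is flapping between port Gi0/1 and port Fa0/5
*Mar  1 00:07:55: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.7966.6802 in vlan 10 is flapping between port Fa0/5 and port Gi0/1
*Mar  1 00:08:01: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
"""

# The neighbor's port name is optional so both message forms above match.
MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: .* discovered on (?P<port>\S+) \((?P<local>\d+)\),"
    r" with (?P<peer>\S+)(?: (?P<peer_port>\S+))? \((?P<remote>\d+)\)")
MACFLAP = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>\S+) in vlan (?P<vlan>\d+)"
    r" is flapping between port (?P<a>\S+) and port (?P<b>\S+)")

def triage(log_text):
    """Collapse repeated messages into one finding per trunk and per flapping host."""
    mismatches, flaps = {}, defaultdict(int)
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            # Key on local port + neighbor so the periodic CDP repeats collapse.
            mismatches[(m["port"], m["peer"])] = (int(m["local"]), int(m["remote"]))
            continue
        m = MACFLAP.search(line)
        if m:
            # The port order alternates between messages, so sort the pair.
            ports = tuple(sorted((m["a"], m["b"])))
            flaps[(m["mac"], int(m["vlan"]), ports)] += 1
    return mismatches, dict(flaps)
```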

Key tips

  • Always start with 'show vlan brief' and 'show interfaces trunk' to get a quick overview of the VLAN and trunking state.

  • Use 'show cdp neighbors detail' to verify that neighboring switches are expected devices and check their capabilities.

  • When troubleshooting inter-VLAN routing, ensure the SVI is up with 'show ip interface brief' and that the VLAN exists.

  • Keep a baseline of 'show running-config | section interface' for critical ports to compare when issues arise.

  • Use 'debug trunk' sparingly in production; it can generate high CPU load. Prefer 'show interfaces trunk' for routine checks.

  • Document native VLAN changes in your change management system; mismatches are a leading cause of trunk failures.

Frequently asked questions

What is the most common cause of VLAN connectivity issues?

The most common cause is a native VLAN mismatch on a trunk link. This occurs when two switches have different native VLANs configured on the same trunk port, causing CDP errors and potential broadcast storms. Always verify native VLAN consistency with 'show interfaces trunk' on both ends.

How do I fix a VLAN that is not appearing in 'show vlan brief'?

If the VLAN is missing, create it with 'vlan <id>' in global configuration mode. If using VTP, ensure the server has the VLAN and the client is in transparent or server mode. You may also need to enable the VLAN with 'no shutdown' at the VLAN interface level if it's an SVI.

Why can hosts in the same VLAN not ping each other?

Possible reasons include: the access port is in the wrong VLAN, the VLAN is not active on the switch, STP is blocking the port, or there is a misconfigured ACL. Check the port's switchport mode, VLAN assignment, and STP state with 'show spanning-tree vlan <id>'.

What does 'Vlans allowed and active in management domain' mean in trunk output?

This line shows VLANs that are both allowed on the trunk (via 'switchport trunk allowed vlan') and active in the VLAN database. If a VLAN is allowed but not active (e.g., deleted or pruned), it won't appear here. Use 'show vlan brief' to verify VLAN status.

How do I troubleshoot a trunk that is not coming up?

First, check physical connectivity and interface status with 'show interfaces status'. Then verify that both sides are set to trunking mode (e.g., 'switchport mode trunk') and that encapsulation matches (dot1q). Use 'show interfaces trunk' to see if the port is trunking and check for errors like native VLAN mismatch.
