How to Troubleshoot VLAN and Trunking Problems
Master VLAN troubleshooting with real Cisco IOS commands and proven techniques.
VLAN and trunking misconfigurations are among the most common causes of network connectivity failures in enterprise environments. Whether you're preparing for the CCNA or Network+ certification, understanding how to systematically troubleshoot these issues is essential. This guide walks through real-world scenarios using Cisco IOS commands to verify VLAN existence, check trunk status, identify native VLAN mismatches, and resolve pruning problems. Each step includes actual CLI output and configuration snippets to mirror what you'll encounter in the field or on exam simulators.
Verify VLAN Existence and Port Assignment
Start by confirming the VLAN is created on the switch and that the access port is assigned to the correct VLAN. Use 'show vlan brief' to list all VLANs and their ports. If the VLAN is missing, create it with 'vlan <id>' in global config mode. Then check the port with 'show interfaces <interface> switchport' to verify the operational mode and access VLAN.
Switch# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3
10 Sales active Fa0/4, Fa0/5
20 Engineering active
Switch# show interfaces fa0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Sales)Always check the VLAN database on the VTP server if using VTP; clients may not have the VLAN locally.
If the VLAN is not in the 'show vlan brief' output, traffic will be dropped even if the port is configured.
Check Trunk Status and Allowed VLANs
Trunk ports must be properly configured to carry multiple VLANs. Use 'show interfaces trunk' to see all trunk ports, their mode, encapsulation, and allowed VLAN list. If a VLAN is missing from the allowed list, traffic will not pass. Use 'switchport trunk allowed vlan add <vlan-id>' to include it.
Switch# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/1 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/1 1-1005
Port Vlans allowed and active in management domain
Gi0/1 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Gi0/1 1,10,20Use 'switchport trunk allowed vlan remove <vlan-id>' to prune unused VLANs and reduce broadcast traffic.
Never forget to add the native VLAN to the allowed list if it's not VLAN 1.
Identify Native VLAN Mismatches
A native VLAN mismatch occurs when two ends of a trunk have different native VLANs. This can cause broadcast storms or connectivity issues. Use 'show interfaces trunk' on both switches to compare native VLAN values. If mismatched, configure the correct native VLAN with 'switchport trunk native vlan <vlan-id>' on the mismatched side.
SwitchA# show interfaces gi0/1 trunk
Port Native vlan
Gi0/1 1
SwitchB# show interfaces gi0/1 trunk
Port Native vlan
99
! Mismatch detected - CDP will log an error
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB (99).
! Fix on SwitchB:
SwitchB(config)# interface gi0/1
SwitchB(config-if)# switchport trunk native vlan 1CDP automatically detects native VLAN mismatches and logs them; always check 'show logging' for these messages.
Changing the native VLAN on a live trunk can cause temporary disruption; schedule during maintenance windows.
Verify VLAN Pruning and STP State
VLAN pruning (via VTP pruning or manual configuration) can remove VLANs from a trunk. Additionally, Spanning Tree Protocol (STP) may block a VLAN on a port. Use 'show spanning-tree vlan <vlan-id>' to check the port state. If a port is in blocking or alternate state, investigate the STP topology.
Switch# show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 32778
Address 0011.2233.4455
Cost 19
Port 25 (GigabitEthernet0/1)
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 0011.2233.4466
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Gi0/1 Root FWD 19 128.25 P2p
Gi0/2 Desg FWD 19 128.26 P2p
Gi0/3 Altn BLK 19 128.27 P2pIf a VLAN is pruned, it won't appear in 'show interfaces trunk' under 'Vlans allowed and active'. Check VTP configuration.
Disabling STP on a port can cause loops; only do this in lab environments.
Test Layer 2 Connectivity with Ping and Traceroute
After verifying configurations, test end-to-end connectivity. Use 'ping' from a host or switch to confirm reachability. If ping fails, use 'traceroute' to identify where packets stop. On Cisco switches, you can use 'extended ping' to source from a specific VLAN interface (SVI).
Switch# ping 192.168.10.1 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch# traceroute 192.168.20.1
Type escape sequence to abort.
Tracing the route to 192.168.20.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 4 msec 4 msec 4 msec
2 192.168.20.1 8 msec 8 msec 8 msecUse 'ping repeat 100' to stress-test the link and detect intermittent drops.
If ping succeeds but applications fail, check ACLs or firewall rules on the SVI.
Inspect MAC Address Table for VLAN Issues
The MAC address table shows which MAC addresses are learned on which VLAN and port. Use 'show mac address-table vlan <vlan-id>' to verify that hosts are appearing on the correct port. If a MAC is missing or on the wrong port, there may be a loop or misconfiguration.
Switch# show mac address-table vlan 10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0050.7966.6800 DYNAMIC Fa0/4
10 0050.7966.6801 DYNAMIC Fa0/5
10 0050.7966.6802 DYNAMIC Gi0/1
! If a MAC appears on the wrong port, check for loops or unauthorized devices.Clear the MAC table with 'clear mac address-table dynamic' to force re-learning after a configuration change.
A MAC flapping between ports indicates a loop; use 'show logging | include %SW_MATM-4-MACFLAP_NOTIF' to detect it.
Key tips
Always start with 'show vlan brief' and 'show interfaces trunk' to get a quick overview of the VLAN and trunking state.
Use 'show cdp neighbors detail' to verify that neighboring switches are expected devices and check their capabilities.
When troubleshooting inter-VLAN routing, ensure the SVI is up with 'show ip interface brief' and that the VLAN exists.
Keep a baseline of 'show running-config | section interface' for critical ports to compare when issues arise.
Use 'debug trunk' sparingly in production; it can generate high CPU load. Prefer 'show interfaces trunk' for routine checks.
Document native VLAN changes in your change management system; mismatches are a leading cause of trunk failures.
Frequently asked questions
What is the most common cause of VLAN connectivity issues?
The most common cause is a native VLAN mismatch on a trunk link. This occurs when two switches have different native VLANs configured on the same trunk port, causing CDP errors and potential broadcast storms. Always verify native VLAN consistency with 'show interfaces trunk' on both ends.
How do I fix a VLAN that is not appearing in 'show vlan brief'?
If the VLAN is missing, create it with 'vlan <id>' in global configuration mode. If using VTP, ensure the server has the VLAN and the client is in transparent or server mode. You may also need to enable the VLAN with 'no shutdown' at the VLAN interface level if it's an SVI.
Why can hosts in the same VLAN not ping each other?
Possible reasons include: the access port is in the wrong VLAN, the VLAN is not active on the switch, STP is blocking the port, or there is a misconfigured ACL. Check the port's switchport mode, VLAN assignment, and STP state with 'show spanning-tree vlan <id>'.
What does 'Vlans allowed and active in management domain' mean in trunk output?
This line shows VLANs that are both allowed on the trunk (via 'switchport trunk allowed vlan') and active in the VLAN database. If a VLAN is allowed but not active (e.g., deleted or pruned), it won't appear here. Use 'show vlan brief' to verify VLAN status.
How do I troubleshoot a trunk that is not coming up?
First, check physical connectivity and interface status with 'show interfaces status'. Then verify that both sides are set to trunking mode (e.g., 'switchport mode trunk') and that encapsulation matches (dot1q). Use 'show interfaces trunk' to see if the port is trunking and check for errors like native VLAN mismatch.
Related glossary terms
Dynamic route
A route that is automatically learned and updated by a router using a routing protocol, rather than being manually configured.
Bash script
A Bash script is a text file containing a sequence of commands for the Unix shell Bash, allowing users to automate repetitive tasks and streamline system administration on Linux and macOS.
File Transfer Protocol
File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network.
Public IP address
A globally unique IP address assigned to a device that allows it to communicate directly over the internet.
Persistent Disk
Persistent Disk is a durable, high-performance block storage service for Google Cloud virtual machines that retains data even after the VM is shut down or deleted.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a flexible authentication framework used in network access control, particularly in wireless and point-to-point connections, that supports multiple authentication methods without requiring changes to the underlying protocol.
Practice with real exam questions
Apply what you just learned with exam-style practice questions.