Checking VLAN connectivity requires a systematic, multi-layered approach, beginning with basic physical and configuration checks and progressing to logical network tests.
The process involves inspecting switch configurations, verifying trunk port settings, and using diagnostic commands like ping and traceroute to confirm communication paths. A thorough check ensures that devices within the same VLAN can communicate, while also validating proper routing between different VLANs.
Layer 1 and 2: The foundation
Start by confirming the physical and data link layers, which must be correct for any VLAN configuration to function.
Verify physical connectivity
- Check cables: Ensure that all cables are securely plugged in and are not damaged.
- Check interface status: Log in to the switch and verify that the ports in question are active. On Cisco IOS, you can use the
show interface statuscommand to see if a port is "up". A port showing as "down" or "err-disabled" indicates a physical or configuration issue.
Inspect the VLAN configuration
- Check VLAN existence and port assignment: Verify that the VLAN exists on the switch and that the correct ports are assigned to it. The
show vlan briefcommand (Cisco IOS) provides a summary of all VLANs and their member ports. - Verify access ports: For end-user devices (e.g., computers, printers), ensure the port is configured as an "access port" and is assigned to the correct VLAN. Use
show interfaces <interface_id> switchportto check a specific port's configuration.- Correct configuration:```
switchport mode access
switchport access vlan <vlan_id>
- Correct configuration:```
switchport mode access
switchport access vlan <vlan_id>
- Verify trunk ports: For switch-to-switch connections, confirm the port is configured as a "trunk port," allowing multiple VLANs to pass through. Use
show interfaces <interface_id> trunkto see which VLANs are allowed on the trunk.- Common misconfigurations:
- Dynamic Auto/Desirable Mismatch: Forcing trunk negotiation can lead to issues. A best practice is to manually configure
switchport mode trunkon both ends. - Native VLAN Mismatch: If the native (untagged) VLANs on both ends of a trunk link do not match, traffic from the native VLAN can be misrouted.
- VLAN Pruning/Allowed VLANs: Check that the desired VLANs are not being pruned or explicitly disallowed on the trunk link. Use
show interfaces <interface_id> trunkto view the "allowed VLANs."
- Dynamic Auto/Desirable Mismatch: Forcing trunk negotiation can lead to issues. A best practice is to manually configure
- Common misconfigurations:
Test Layer 2 communication
- Use the MAC address table: Check if a device's MAC address is being learned by the switch. The
show mac address-table address <mac_address>orshow mac address-table interface <interface_id>command can show this. If the MAC is not present, it indicates a Layer 2 communication failure. - Use CDP or LLDP: If enabled, Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) can show you which devices are connected to which ports. The
show cdp neighborsorshow lldp neighborscommand is a powerful tool for quickly verifying Layer 2 adjacency.
Layer 3: Inter-VLAN communication
Once you've confirmed Layer 2 connectivity, move to the network layer (Layer 3) to test communication between VLANs.
Verify Layer 3 routing configuration
- Check VLAN interfaces (SVIs): On a Layer 3 switch or router, ensure that the VLAN interfaces (Switch Virtual Interfaces or SVIs) are properly configured and in an "up/up" state. Each VLAN should have a corresponding SVI. The
show ip interface briefcommand will list the status of all interfaces, including SVIs. - Confirm IP routing is enabled: On a Layer 3 switch, use the
show running-config | include ip routingcommand to ensure IP routing is globally enabled. - Check routing table: Verify that the routing table has an entry for the destination VLAN's subnet. The
show ip routecommand displays all known routes.
Use ping and traceroute
- Test intra-VLAN connectivity: From a device within a VLAN, ping another device in the same VLAN. This confirms that basic Layer 2 forwarding is working and that IP addressing is correct for that segment.
- Test inter-VLAN connectivity: From a device in VLAN 10, ping a device in VLAN 20. This tests the Layer 3 routing functionality. If this fails, the issue is likely with the routing configuration.
- Use extended ping (advanced): For a more specific test, use an extended ping from the switch itself, specifying the source interface as the SVI for one VLAN and the destination as a device in another VLAN.```
Switch# ping
Protocol [ip]:
Target IP address: <destination_ip>
Source address or interface: <source_vlan_interface>
- Run traceroute: The
traceroutecommand is an excellent way to see the exact path a packet takes, revealing where it is being dropped. If a traceroute from VLAN 10 to VLAN 20 fails after the first hop (the default gateway), you know the routing is broken.
Advanced troubleshooting techniques
When standard checks fail, more detailed methods may be needed.
Monitor VLAN traffic
- Packet capture: For difficult-to-diagnose issues, perform a packet capture on a port. Tools like Wireshark can analyze the packets and confirm if VLAN tags are being added correctly, if traffic is being dropped, or if there are unexpected broadcasts.
- Switch port analyzer (SPAN): Configure a SPAN session on your switch to mirror traffic from a problem port to a monitoring port. This allows a network analyzer to non-intrusively capture and inspect the traffic.
Check for security policies
- Access Control Lists (ACLs): Verify that no ACLs are blocking traffic between VLANs. The
show access-listscommand can display configured ACLs. - VLAN Access Control Lists (VACLs): These are security features that filter traffic within a VLAN or between different VLANs. Check for any VACLs that might be causing an issue.
VLAN connectivity checklist
| Step | Action | Command (Cisco IOS) | Potential Issue |
|---|---|---|---|
| Physical | Verify cable and port status. | show interfaces status |
Faulty cable, port shut down |
| Layer 2 | Check VLAN and port assignment. | show vlan brief |
Port in wrong VLAN, VLAN doesn't exist |
| Verify trunk configuration. | show interfaces trunk |
Native VLAN mismatch, allowed VLANs wrong | |
| Confirm MAC address learned. | show mac address-table |
No Layer 2 connectivity, device offline | |
| Layer 3 | Check SVI status. | show ip interface brief |
VLAN interface is down |
| Verify IP routing. | `show running-config | include ip routing` | |
| Check routing table. | show ip route |
Missing route to destination VLAN | |
| Testing | Ping within the same VLAN. | ping <destination_ip> |
Intra-VLAN communication fails |
| Ping between different VLANs. | ping <destination_ip> |
Inter-VLAN communication fails | |
| Use traceroute. | traceroute <destination_ip> |
Route is being dropped at a specific hop | |
| Security | Check for blocking ACLs. | show access-lists |
Firewall rules are blocking traffic |
Enjoyed this article? Share it with a friend.