CCNA Lab 8: Common Switch Misconfigurations and Pitfalls
Most network outages are not caused by hardware failure. They are caused by configuration errors. Here are the most common ones I have seen in production networks.
Native VLAN mismatch
The single most common trunk misconfiguration. The native VLAN is the one whose frames cross the trunk untagged, so when the two ends disagree, untagged frames that belong to one VLAN on Switch A are delivered into a different VLAN on Switch B.
! Switch A
interface Gi0/24
switchport trunk native vlan 999
! Switch B
interface Gi0/24
switchport trunk native vlan 1
! Result: traffic leaks between VLAN 999 and VLAN 1; STP sees PVST+ BPDUs arriving on the
! wrong VLAN and can block the port for the affected VLANs; and if a native VLAN is one that
! hosts also sit in (VLAN 1 by default), double-tagged frames from an edge port can hop VLANs
Detection:
SwitchA# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      1-100

SwitchB# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1-100
A native VLAN mismatch also generates syslog messages, but only while CDP is running on the link (one reason to leave CDP enabled on switch-to-switch trunks even when it is disabled on edge ports):
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/24 (999), with SwitchB GigabitEthernet0/24 (1).
Fix: match the native VLAN on both ends, and use a dedicated native VLAN that carries no user or management traffic (never VLAN 1, and not the management VLAN either). Tagging the native VLAN as well (global command vlan dot1q tag native) removes the untagged path that double-tagging depends on.
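The check above is easy to script once you have show interfaces trunk from both ends of a link. The following Python is an added example (it is not part of the original lab or any Cisco tool): it parses the trunk table from each switch, expands the allowed-VLAN ranges, and reports a native VLAN mismatch and any VLAN that is allowed on one side only, which is the next pitfall on this page. The two outputs are constructed for the example and assume the standard IOS column layout for 802.1Q trunks.

```python
"""Added example, not from the original lab: compare `show interfaces trunk`
output from both ends of a link and report native-VLAN and allowed-VLAN
mismatches. The sample outputs below are constructed for this example."""
from __future__ import annotations
import re

# Constructed `show interfaces trunk` output from each end of the same link.
SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30,999

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30,999
"""
SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      10,20,999

Port        Vlans allowed and active in management domain
Gi0/24      10,20,999
"""


def expand_vlans(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-5,10,20-22' ('none' / 'ALL' too) into a set."""
    spec = spec.strip().lower()
    if spec == "none":
        return set()
    if spec == "all":
        return set(range(1, 4095))
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(output: str) -> dict[str, dict]:
    """Return {port: {'native': int, 'allowed': set}} from `show interfaces trunk`.
    The command prints several 'Port ...' tables; only the first (native VLAN)
    and the 'Vlans allowed on trunk' table are used here."""
    trunks: dict[str, dict] = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):  # a table header selects the section
            header = line.lower()
            if "native" in header:
                section = "native"
            elif "allowed on trunk" in header:
                section = "allowed"
            else:
                section = None
            continue
        if section is None:
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {"native": None, "allowed": set()})
        if section == "native":
            entry["native"] = int(fields[-1])  # last column is the native VLAN
        else:
            entry["allowed"] = expand_vlans(fields[1])
    return trunks


def audit_link(a_out: str, b_out: str, a_port: str, b_port: str) -> list[str]:
    """Compare one trunk link end to end; returns findings (empty list = consistent)."""
    a = parse_trunks(a_out)[a_port]
    b = parse_trunks(b_out)[b_port]
    findings = []
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a_port} uses {a['native']}, {b_port} uses {b['native']}")
    only_a = sorted(a["allowed"] - b["allowed"])
    only_b = sorted(b["allowed"] - a["allowed"])
    if only_a:
        findings.append(f"VLANs allowed only on {a_port}: {only_a} (dropped at {b_port})")
    if only_b:
        findings.append(f"VLANs allowed only on {b_port}: {only_b} (dropped at {a_port})")
    return findings


if __name__ == "__main__":
    for finding in audit_link(SWITCH_A, SWITCH_B, "Gi0/24", "Gi0/24"):
        print("FINDING:", finding)
```

Run against the constructed outputs it reports the native VLAN mismatch (999 versus 1) and that VLAN 30 is allowed on Switch A only. Feeding it real output is a matter of pasting the two command captures into the two strings.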
VLAN missing from the trunk allowed list
! Engineer forgets to add the new VLAN to the trunk
interface Gi0/24
switchport trunk allowed vlan 10,20
! New VLAN 30 is created but not added
! Users on VLAN 30 cannot reach anything beyond this switch
Fix: always update the allowed VLAN list when adding a new VLAN, and use the add keyword. Typing switchport trunk allowed vlan 30 on its own replaces the whole list and cuts off VLANs 10 and 20.
interface Gi0/24
switchport trunk allowed vlan add 30
Verify with show interfaces trunk on both ends: the VLAN has to be allowed on both sides, and it has to exist in the VLAN database of both switches before it appears under "Vlans allowed and active in management domain".
Port security err-disabling ports
interface Gi0/1
switchport port-security
switchport port-security maximum 1
! A second MAC appears on the port (a user adds an unmanaged switch, or a phone with a PC
! behind it), or a new device is plugged into a port whose previous MAC is still secured.
! The default violation mode is shutdown, so the port goes into the err-disabled state.
Detection:
show interfaces status err-disabled
show port-security interface Gi0/1
Recovery (after removing the cause):
interface Gi0/1
shutdown
no shutdown
Or let the switch recover on its own after a delay:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
Better approach: sticky learning with a violation mode that keeps the port up:
interface Gi0/1
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
violation restrict drops frames from the violating MAC, logs a syslog message, sends an SNMP trap and increments the violation counter, but the port stays up and the legitimate device keeps working. maximum 2 leaves room for a phone plus the PC behind it. Sticky addresses are written into the running configuration, so they survive link flaps and (once saved) reloads; the flip side is that a planned device swap on a sticky port is itself a violation until the old entry is removed with clear port-security sticky interface Gi0/1.
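Most of the pitfalls on this page announce themselves in the switch log before anyone notices an outage. The following Python is an added example, not part of the original lab: it reads Cisco IOS syslog lines, picks out the mnemonics tied to port security, err-disable, MAC flapping, native VLAN mismatch and STP root changes, and aggregates them per port so that a restrict-mode port logging a violation for every frame shows up once with a hit count instead of flooding the report. The message formats are the ones IOS emits for these mnemonics; the log lines themselves are constructed for the example.

```python
"""Added example, not from the original lab: triage Cisco IOS syslog for the
misconfiguration signatures discussed on this page. The log lines below are
constructed for the example; the mnemonics and layouts are those IOS uses."""
from __future__ import annotations
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  1 10:15:02.311: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1.
Mar  1 10:15:02.315: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar  1 10:16:40.102: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/7.
Mar  1 10:16:41.099: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port GigabitEthernet0/7.
Mar  1 10:20:11.004: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 10:21:03.870: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi0/2 and port Gi0/3
Mar  1 10:22:15.550: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/24 (999), with SwitchB GigabitEthernet0/24 (1).
Mar  1 10:23:00.001: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 1: New Root Port is GigabitEthernet0/24. New Root Mac Address is aaaa.bbbb.cccc
Mar  1 10:25:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.99.50)
"""

# %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)")
# Interface names in either long or short form, e.g. GigabitEthernet0/1 or Gi0/1.
PORT_RE = re.compile(r"(?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Port-channel|Te|Gi|Fa|Po)\d+(?:/\d+)*")

# Mnemonic -> (what it means on this page, what to check). Other mnemonics are ignored.
RULES = {
    "PSECURE_VIOLATION": ("port-security violation", "show port-security interface <port>; look for a second device or a stale sticky MAC"),
    "ERR_DISABLE": ("port err-disabled", "show interfaces status err-disabled; fix the cause, then shutdown / no shutdown (or enable errdisable recovery)"),
    "MACFLAP_NOTIF": ("MAC flapping", "possible loop or duplicated MAC; check STP and the two ports named"),
    "NATIVE_VLAN_MISMATCH": ("native VLAN mismatch", "show interfaces trunk on both ends and align the native VLAN"),
    "ROOTCHANGE": ("STP root changed", "show spanning-tree root; confirm the root is still the core"),
}


def normalize_port(name: str) -> str:
    """Map long interface names (GigabitEthernet0/1) to the short form (Gi0/1) used by show commands."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"),
                        ("FastEthernet", "Fa"), ("Port-channel", "Po")):
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_line(line: str) -> dict | None:
    """Split one syslog line into facility/severity/mnemonic/text plus the ports it names."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    ports = [normalize_port(p) for p in PORT_RE.findall(rec["text"])]
    rec["port"] = ",".join(dict.fromkeys(ports)) or None  # de-duplicated, order kept
    return rec


def triage(log: str) -> list[dict]:
    """One finding per (mnemonic, port) with a hit count, most frequent first."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] in RULES:
            counts[(rec["mnemonic"], rec["port"])] += 1
    findings = []
    for (mnemonic, port), n in counts.items():
        issue, action = RULES[mnemonic]
        findings.append({"port": port, "issue": issue, "count": n, "action": action})
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['port']:<14} x{f['count']:<3} {f['issue']:<24} -> {f['action']}")
```

On the constructed log the top finding is Gi0/7 with two port-security violations in a row, which is exactly the pattern a restrict-mode port produces while an unauthorised device keeps trying; the CONFIG_I line is ignored because no rule covers it. Pipe show logging from a real switch into the same function to get the same table.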
Wrong STP root bridge
An access layer switch becomes the root bridge, forcing all traffic through it instead of the core. This happens by default: if nobody sets a priority, every switch uses 32768 and the lowest MAC address wins, which is usually the oldest switch in the building.
Detection:
show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aaaa.bbbb.cccc        19    2   20  15  Gi0/24
If the root bridge MAC is not your core switch, the root is misplaced. A priority of 32769 (32768 plus the VLAN ID) is the default value, so it also tells you that nobody ever configured one.
Fix:
! On the core switch
spanning-tree vlan 1-1000 root primary
! On the second core switch, if there is one
spanning-tree vlan 1-1000 root secondary
Or manually (priorities are multiples of 4096):
spanning-tree vlan 1-1000 priority 4096
Then keep it there: root guard on the core ports that face access switches discards superior BPDUs, so a misconfigured or rogue switch cannot take the root away again.
! On each core port that faces an access switch (Gi0/1 used as the example here)
interface Gi0/1
spanning-tree guard root
Using VLAN 1 for management
VLAN 1 is the default VLAN for every port and for the switch's own control traffic. Using it for user or management traffic is a security risk.
Never use VLAN 1. Create a dedicated management VLAN and shut down the VLAN 1 SVI:
vlan 99
name MANAGEMENT
interface vlan 99
ip address 192.168.1.10 255.255.255.0
no shutdown
ip default-gateway 192.168.1.1
interface vlan 1
shutdown
DTP negotiation left enabled
DTP negotiates trunking automatically. It should be disabled.
! An attacker who sends DTP frames can negotiate a trunk and see every VLAN on it
interface Gi0/1
switchport mode dynamic desirable
The default on current Catalyst access ports, dynamic auto, is just as exposed: it does not initiate, but it accepts a trunk from a neighbour that does.
Fix (set the mode first; switchport nonegotiate is rejected while the port is still in a dynamic mode):
! If it is an access port
interface Gi0/1
switchport mode access
switchport nonegotiate
! If it is a trunk port
interface Gi0/24
switchport mode trunk
switchport nonegotiate
Verify with show interfaces switchport: the port should report "Negotiation of Trunking: Off".
CDP and LLDP on edge ports
CDP and LLDP leak device information (platform, software version, management address, native VLAN). Disable them on edge ports:
interface Gi0/1
no cdp enable
no lldp transmit
no lldp receive
Keep them on ports that connect to IP phones (CDP and LLDP-MED carry the voice VLAN and power negotiation) and on switch-to-switch links, where CDP is also what reports native VLAN mismatches.
AAA without local fallback
aaa authentication login default group tacacs+
! No 'local' fallback
When the TACACS+ server is unreachable, no one can log in. Fix:
aaa authentication login default group tacacs+ local
The fallback only applies when every server in the group is unreachable; a server that is up and rejects the credentials does not fall through to local. It also needs a local account to fall back to (username ... privilege 15 secret ...), and the same group tacacs+ local pattern belongs on the authorization lines, otherwise a switch with an unreachable server lets you log in and then fails exec authorization.
Idle VTY sessions with no timeout
Idle VTY sessions remain open:
line vty 0 15
! No exec-timeout
Fix:
line vty 0 15
exec-timeout 10 0
transport input ssh
The two arguments are minutes and seconds. exec-timeout 0 0 disables the timer entirely, which is usually the opposite of what was intended. Apply the same timeout to line console 0.
VTP server mode (the default)
! Default is VTP server mode
! A switch with a higher revision number in the same VTP domain (server or client) can wipe the VLAN database
Fix:
vtp mode transparent
Before connecting any switch that has lived in another network, check show vtp status and reset its revision number to 0 (switching the mode to transparent and back, or changing the domain name, does this).
Quick checks
# Check for native VLAN mismatches
show interfaces trunk
# Compare the Native vlan column on both ends of every link
# Check for ports in err-disabled
show interfaces status err-disabled
# Check CPU (high = possible loop)
show processes cpu | include CPU
# Check STP root
show spanning-tree root
# Check for flapping MACs (reported in syslog, not in the MAC address table)
show logging | include MACFLAP
# Check VTP status (mode, domain, revision number)
show vtp status
# Check AAA server status
show aaa servers
# Check for unused VLANs (a VLAN with an empty Ports column is unused on this switch)
show vlan brief
# Check DTP status (any port still showing "Negotiation of Trunking: On" negotiates)
show interfaces switchport | include Name|Negotiation of Trunking
! --- BASE CONFIG ---
hostname ACCESS-SW-X
no ip domain-lookup
ip domain-name rootlog.in
enable secret MyStrongPassword
service password-encryption
! --- MANAGEMENT ---
vlan 99
name MANAGEMENT
interface vlan 99
ip address 192.168.X.Y 255.255.255.0
no shutdown
ip default-gateway 192.168.X.1
interface vlan 1
shutdown
! --- SSHV2 ---
crypto key generate rsa modulus 2048
ip ssh version 2
ip scp server enable
username admin privilege 15 secret StrongPass
! --- AAA ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs server TACACS-1
address ipv4 192.168.1.100
key TacacsKey
ip tacacs source-interface Vlan99
! --- VTY ---
line vty 0 15
transport input ssh
exec-timeout 10 0
! --- UPLINK (keep CDP here so native VLAN mismatches are still reported) ---
vlan 999
name NATIVE-UNUSED
interface Gi0/24
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 999
! The native VLAN is deliberately left out of the allowed list, so nothing untagged is forwarded
switchport trunk allowed vlan 10,20,30,99
! --- ACCESS PORTS (Gi0/24 is the uplink, so it must not be in this range) ---
interface range Gi0/1 - 23
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
no cdp enable
no lldp transmit
no lldp receive
Health checks
show processes cpu sorted
show memory
show interfaces | include line protocol|rate # Interface status and utilisation
show logging | include down|err|flap # Recent issues
show environment # Temperature, power
show inventory # Hardware, serials
show vlan brief # VLAN consistency
show interfaces trunk # Trunk status
Command reference
| Command | Purpose |
|---|---|
| show interfaces status | Port link status and description |
| show interfaces trunk | Trunk port status and allowed VLANs |
| show spanning-tree | STP topology |
| show mac address-table | CAM table |
| show vlan brief | VLAN to port mapping |
| show logging | Recent system messages |
| show running-config interface Gi0/1 | Port configuration |
| debug spanning-tree events | STP changes in real time (turn off with undebug all; debugs can load the CPU on a busy switch) |
| show processes cpu | CPU utilization |
| show interfaces Gi0/1 | Interface counters and errors |
| terminal monitor | View debug/log messages over SSH |
| show cdp neighbors detail | Connected devices |
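Two of the checks in the reference above, the root bridge check from the STP section and the DTP check from the trunk negotiation section, are worth running as code on every access switch. The following Python is an added example (not part of the original lab): it parses show spanning-tree root and show interfaces switchport, flags any VLAN whose root is not one of the expected core switches (and whether the root is there only because nobody set a priority), and lists ports that still negotiate trunking. The two command outputs are constructed for the example, and CORE_MACS is an assumed set you would replace with the base MACs of your own core switches.

```python
"""Added example, not from the original lab: audit `show spanning-tree root` and
`show interfaces switchport` output for a misplaced root bridge and for ports that
still negotiate trunking (DTP). Outputs are constructed for the example."""
from __future__ import annotations
import re

# Assumption for this example: the bridge MACs of the switches allowed to be root.
CORE_MACS = {"0000.0c11.2233", "0000.0c11.2244"}

STP_ROOT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 aaaa.bbbb.cccc        19    2   20  15  Gi0/24
VLAN0010         24586 0000.0c11.2233        19    2   20  15  Gi0/24
VLAN0099         32867 aaaa.bbbb.cccc        19    2   20  15  Gi0/24
"""

SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 10 (USERS)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)

Name: Gi0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
"""

# VLAN0001         32769 aaaa.bbbb.cccc ...  -> (vlan, priority, root MAC)
ROOT_RE = re.compile(r"^(VLAN\d+)\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.M)


def check_root(output: str, core_macs: set[str]) -> list[dict]:
    """Flag VLANs whose root bridge is not a core switch. A priority of
    32768 + VLAN ID is the default, which means the root was elected by lowest
    MAC because nobody configured a priority."""
    findings = []
    for vlan, prio, mac in ROOT_RE.findall(output):
        vlan_id = int(vlan[4:])
        if mac in core_macs:
            continue
        findings.append({
            "vlan": vlan_id,
            "root_mac": mac,
            "priority": int(prio),
            "default_priority": int(prio) == 32768 + vlan_id,
        })
    return findings


def check_dtp(output: str) -> list[dict]:
    """Return ports that still negotiate trunking. Each `show interfaces switchport`
    block is 'Key: Value' lines separated by a blank line; any port with
    'Negotiation of Trunking: On' will accept a DTP request from whatever is plugged in."""
    findings = []
    for block in output.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Negotiation of Trunking") == "On":
            findings.append({"port": fields["Name"], "admin_mode": fields["Administrative Mode"]})
    return findings


if __name__ == "__main__":
    for f in check_root(STP_ROOT, CORE_MACS):
        why = "default priority, elected by lowest MAC" if f["default_priority"] else "priority was set deliberately"
        print(f"VLAN {f['vlan']}: root is {f['root_mac']} (priority {f['priority']}, {why})")
    for f in check_dtp(SWITCHPORT):
        print(f"{f['port']}: negotiates trunking (mode {f['admin_mode']}); set mode access/trunk and switchport nonegotiate")
```

On the constructed input VLAN 10 passes (its root is a core MAC with a deliberately lowered priority of 24586) while VLANs 1 and 99 are rooted on an unknown switch with untouched default priorities, and Gi0/1 is the one port still in dynamic auto. Pointing the two strings at real captures gives the same report for a production switch.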