Lesson 2 of 5

Layer 1-2 Troubleshooting

Lab Objectives

  • Practice Layer 1–2 troubleshooting steps for VLAN and trunk issues (VTP, VLAN creation, trunking).
  • Configure and verify VTP, VLANs, and 802.1Q trunks using the base topology.
  • Diagnose and fix a trunk/VLAN problem using show/debug-style verification.

Base Topology (exact IPs on every router interface)

                [Internet]
               203.0.113.1
                    |
               R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
              /     |     \
           R2      R3      R4

   Gi0/0: 10.10.10.2    |    Gi0/0: 10.10.30.2
   Gi0/1: 10.10.40.1    |
        /   \           |
      S1     S2         S3
     /  \     |        /
   PC1  PC2  PC3    PC4  PC5

IP networks used in switches/hosts:

  • 192.168.1.0/24 — VLAN 10 (Sales)
  • 192.168.2.0/24 — VLAN 20 (Engineering)
  • 192.168.3.0/24 — VLAN 30 (Management)

Tip: Think of VTP as a broadcast that tells switches which VLANs exist. If trunks are down or misconfigured, the "broadcast" won't reach other switches and VLANs will be missing on clients. In production, this matters because missing VLANs break connectivity and slow down triage.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Configure S1 as VTP Server and create VLANs

On S1 configure a VTP server using the VTP domain lab.nhprep.com, VTP version 2, password Lab@123. Then create VLANs 10, 20 and 30 on S1.

Task 2: Configure 802.1Q trunks between S1–S2 and S1–S3

Configure the links between S1 and S2 and between S1 and S3 as 802.1Q trunks using the Ethernet ports shown below. Use the switchport trunk encapsulation dot1q and switchport mode trunk commands on the correct interface ranges.

  • S1 interfaces E0/0–E0/1 and E0/2–E0/3 (connected to S2 and S3)
  • S2 interfaces E0/0–E0/1
  • S3 interfaces E0/0–E0/1

Task 3: Configure STP root bridge selection (PVST)

Make S1 the preferred root for VLANs 1, 10, and 20 by lowering its priority. Make S2 the backup root by giving it the next-best priority: a value above S1's but still below the default (the numerically lowest priority wins the election).

Think About It: Why will a missing trunk encapsulation or a trunk in the wrong mode prevent VLANs from appearing on a downstream switch, even if the VLAN exists on the VTP server?


Lab Solution

Task 1 Solution: Configure S1 as VTP Server and create VLANs

What we are doing: We set S1 to be the VTP server so it will distribute VLAN configuration to the other switches. We create VLAN 10, 20, 30 on the server so clients receive them. Using lab.nhprep.com as the VTP domain and Lab@123 as the password ensures domain and authentication match across switches.

hostname S1
vtp mode server
vtp domain lab.nhprep.com
vtp version 2
vtp password Lab@123
vlan 10,20,30

What each command does and why it matters:

  • hostname S1 — sets the device name so outputs are identifiable; helps during troubleshooting.
  • vtp mode server — makes S1 the authoritative VTP server that can create/change VLANs and advertise them to clients.
  • vtp domain lab.nhprep.com — sets the VTP domain; only switches in the same domain will exchange VLAN info.
  • vtp version 2 — sets VTP version 2 to match other switches (version mismatch blocks VTP exchanges).
  • vtp password Lab@123 — sets the shared secret that authenticates VTP updates; a mismatch prevents VLAN synchronization.
  • vlan 10,20,30 — creates VLANs 10, 20 and 30 on the server (these VLANs will be advertised).

Verify VTP server status (expected output shows domain, version, and operating mode):

show vtp status

Expected output (representative):

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 3
VTP Operating Mode              : Server
VTP Domain Name                 : lab.nhprep.com
VTP Password                    : lab.nhprep.com (password set)

Why check this? If the domain, version, or password is wrong, clients won't learn VLANs.


Task 2 Solution: Configure 802.1Q trunks between S1–S2 and S1–S3

What we are doing: We enable 802.1Q encapsulation and set the ports to trunk mode. Trunks must carry VLAN tags so VLANs learned via VTP traverse to other switches and hosts.

On S1 (two interface ranges toward S2 and S3):

interface range E 0/0 -1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface range E 0/2 -3
 switchport trunk encapsulation dot1q
 switchport mode trunk

What each command does and why it matters:

  • interface range E 0/0 -1 / E 0/2 -3 — selects the groups of interfaces connected to other switches.
  • switchport trunk encapsulation dot1q — configures the switch to use 802.1Q tagging on those ports; necessary when the platform supports multiple trunk encapsulations.
  • switchport mode trunk — forces the port into trunking; ensures VLAN tags are forwarded rather than treating the link as access.

On S2:

hostname S2
interface range E 0/0 -1
 switchport trunk encapsulation dot1q
 switchport mode trunk

On S3:

hostname S3
interface range E 0/0 -1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Verify spanning-tree and trunk status to ensure trunks are forwarding VLANs:

show spanning-tree

Expected excerpt (representative):

VLAN0001
  Spanning tree enabled protocol pvst
  Root ID    Priority    24577
             Address     0011.2233.4455
             This bridge is the root
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0011.2233.4455
Interface        Role Sts cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------
Et0/0            Desg FWD 19       128.1    P2p
Et0/1            Desg FWD 19       128.2    P2p

Why check STP? A misconfigured trunk can cause the port to be in a non-forwarding STP state or not carry VLANs, visible here as non-root or blocked ports.


Task 3 Solution: Configure STP root bridge selection (PVST)

What we are doing: We steer the STP root election so S1 becomes the root for VLANs 1, 10, and 20, with S2 as backup. This stabilizes port roles and makes forwarding paths predictable.

On S1:

spanning-tree vlan 1,10,20 priority 0

On S2:

spanning-tree vlan 1,10,20 priority 4096

What each command does and why it matters:

  • spanning-tree vlan 1,10,20 priority 0 — sets S1's bridge priority low (0) for those VLANs, making it the root; root bridge selection defines the shortest path for all VLANs, so making a predictable device root is operationally important.
  • spanning-tree vlan 1,10,20 priority 4096 — sets S2's priority one step above S1's 0 and well below the default of 32768, so S2 becomes root if S1 fails.

Verify root status for VLAN 10:

show spanning-tree vlan 10

Expected excerpt (representative):

VLAN0010
  Spanning tree enabled protocol pvst
  Root ID    Priority    10
             Address     0011.2233.4455
             This bridge is the root
  Bridge ID  Priority    10  (priority 0 sys-id-ext 10)
             Address     0011.2233.4455
Interface        Role Sts cost      Prio.Nbr Type
Et0/2            Desg FWD 19       128.2    P2p
Et0/3            Desg FWD 19       128.3    P2p

Why set root priorities? In production, you want core/distribution switches to be root to avoid suboptimal blocked links or traffic hairpins.
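
The election behind Task 3, as an added example that is not part of the original lab: it builds each switch's PVST bridge ID (priority plus VLAN ID, then MAC) and picks the lowest. S1's MAC comes from the lab output; the S2 and S3 MACs and all function names are constructed for illustration.

```python
DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority

# name -> (configured priority, MAC). S2/S3 MACs are constructed sample values.
LAB = {
    "S1": (0, "0011.2233.4455"),
    "S2": (4096, "0011.2233.5566"),
    "S3": (DEFAULT_PRIORITY, "0011.2233.0001"),
}


def bridge_id(priority, vlan, mac):
    """PVST bridge ID as a sortable tuple: (priority + sys-id-ext, MAC)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, int(mac.replace(".", ""), 16))


def elect_root(switches, vlan):
    """Return the name of the switch with the lowest bridge ID for this VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def without(switches, failed):
    """Topology with one switch removed, to model a root failure."""
    return {n: v for n, v in switches.items() if n != failed}


def all_default(switches):
    """Same switches with no priority configured anywhere."""
    return {n: (DEFAULT_PRIORITY, mac) for n, (_, mac) in switches.items()}


if __name__ == "__main__":
    print("VLAN 10 root:", elect_root(LAB, 10))
    print("after S1 fails:", elect_root(without(LAB, "S1"), 10))
    # With defaults everywhere the lowest MAC decides, not the network design.
    print("no priorities set:", elect_root(all_default(LAB), 10))
```

With no priorities configured the tie falls to the lowest MAC address, which is why the lab pins the root explicitly.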


Troubleshooting Scenario

Scenario: Trunk to S3 not carrying VLANs

Symptom: Hosts on S3 cannot reach VLAN 10 (Sales). S1 shows VLANs created, but S3 has no VLAN 10 entries and PCs in VLAN 10 on S3 cannot ping PCs in VLAN 10 on S1.

Your task: Find and fix the issue.

Hint: Check VTP domain/version/password on S3 and check the trunk encapsulation/mode on the link between S1 and S3.

Solution:

  • On S3, inspect VTP status:

show vtp status

If the VTP Domain Name, VTP Version or VTP Password differs from S1, set them to match:

vtp domain lab.nhprep.com
vtp version 2
vtp password Lab@123
vtp mode client

  • Next verify trunk config on S3 E0/0–E0/1. If switchport trunk encapsulation dot1q or switchport mode trunk is missing, add them:

interface range E 0/0 -1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Why this fixes it: A mismatched VTP domain/version/password prevents VLAN information from propagating. A missing trunk encapsulation or non-trunk mode prevents VLAN tags from traversing, so S3 will not have VLAN 10 in its forwarding table.
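
The two checks from this scenario, automated as an added example that is not part of the original lab: it compares the show vtp status fields that must agree between S1 and S3, then confirms each trunk interface stanza holds both trunk commands. The sample outputs, the config fragment and the function names are constructed for illustration.

```python
import re

# Constructed samples in this lab's "show vtp status" layout; S3's domain is wrong.
S1_VTP = """VTP Version                     : 2
VTP Operating Mode              : Server
VTP Domain Name                 : lab.nhprep.com
"""
S3_VTP = """VTP Version                     : 2
VTP Operating Mode              : Client
VTP Domain Name                 : lab.nhprep.co
"""
# Constructed running-config fragment: Ethernet0/1 lacks "switchport mode trunk".
S3_CONFIG = """interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport trunk encapsulation dot1q
!
"""
MUST_MATCH = ("VTP Version", "VTP Domain Name")  # operating mode may differ
TRUNK_CMDS = ("switchport trunk encapsulation dot1q", "switchport mode trunk")

def parse_vtp_status(text):
    """Turn 'Field : value' lines into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def vtp_mismatches(server_text, client_text):
    """List (field, server value, client value) where the two must agree but differ."""
    srv, cli = parse_vtp_status(server_text), parse_vtp_status(client_text)
    return [(f, srv.get(f), cli.get(f)) for f in MUST_MATCH if srv.get(f) != cli.get(f)]

def missing_trunk_cmds(config, interfaces):
    """Map each interface to the trunk commands absent from its config stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = header.group(1)
            stanzas[current] = set()
        elif current and line.startswith(" "):
            stanzas[current].add(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return {i: [c for c in TRUNK_CMDS if c not in stanzas.get(i, set())] for i in interfaces}

if __name__ == "__main__":
    print(vtp_mismatches(S1_VTP, S3_VTP), missing_trunk_cmds(S3_CONFIG, ["Ethernet0/0", "Ethernet0/1"]))
```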


Verification Checklist

  • show vtp status — domain lab.nhprep.com, VTP Version 2, S1 = Server, S2/S3 = Client.
  • show spanning-tree vlan 10 — S1 reports itself as root for VLAN 10.
  • show spanning-tree — trunks toward S2/S3 are in forwarding state for relevant VLANs.

Common Mistakes

Symptom | Cause | Fix
VLANs present on S1 but not on S2/S3 | VTP domain/version/password mismatch | Set identical vtp domain, vtp version, and vtp password on all switches
Trunk link shows as access/not carrying VLANs | Missing switchport trunk encapsulation dot1q or switchport mode trunk | Configure the interface range with switchport trunk encapsulation dot1q and switchport mode trunk
Spanning-tree blocking expected forwarding path | Root bridge not set correctly | Adjust spanning-tree vlan <list> priority so the intended switch becomes root

Challenge Task

Without step-by-step guidance, reconfigure the lab so that:

  • S1 is root for VLANs 1,10,20
  • S2 is root for VLAN 30
  • Ensure VLANs 10,20,30 are present on all switches and trunks are active

You must verify using only show vtp status, show spanning-tree, and the interface configuration commands used above.

Final note: When troubleshooting Layer 1–2, follow a simple methodology — inspect physical, verify link/trunk configuration, confirm VLAN/VTP agreement, then check STP roles. That ordered approach reduces time-to-fix in real networks.