
Cisco Fundamentals Footguns

Mistakes that cause network outages, misconfigurations, or wasted hours in bridge calls.


1. Confusing running-config with startup-config

You make changes in enable mode. Everything works. The switch reboots (power event, firmware upgrade). Your changes are gone — they were in running-config but never written to startup-config. The switch comes back with the old configuration.

Fix: After any change, run copy running-config startup-config (or wr mem). Always verify with show startup-config that your changes are persisted. Treat this as muscle memory.
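One way to make "verify with show startup-config" mechanical is to diff the two configs instead of eyeballing them. The following is an added example, not part of the original page: it takes the text of show running-config and show startup-config (constructed samples below, not real device output) and reports the lines that were never saved.

```python
import difflib

# Constructed excerpt of "show running-config" on a switch where an
# access VLAN was changed in enable mode and never saved.
RUNNING_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/22
 description server-22
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 100
 switchport mode access
!
end
"""

# Constructed "show startup-config" captured on the same switch.
STARTUP_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/22
 description server-22
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 100
 switchport mode access
!
end
"""


def normalize(config: str) -> list[str]:
    """Drop blank and '!' separator lines and trailing whitespace so the
    diff reports only real configuration differences."""
    return [
        line.rstrip()
        for line in config.splitlines()
        if line.strip() and line.strip() != "!"
    ]


def unsaved_changes(running: str, startup: str) -> list[str]:
    """Lines that differ between the two configs: '+' means present in
    running-config only, '-' means present in startup-config only."""
    diff = difflib.unified_diff(
        normalize(startup), normalize(running),
        fromfile="startup-config", tofile="running-config",
        lineterm="", n=0,
    )
    # Keep the changed lines; skip the file headers and '@@' hunk markers.
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def is_persisted(running: str, startup: str) -> bool:
    """True when running-config has been fully written to startup-config."""
    return not unsaved_changes(running, startup)


if __name__ == "__main__":
    for change in unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG):
        print(change)
    print("persisted:", is_persisted(RUNNING_CONFIG, STARTUP_CONFIG))
```

Run it against captures taken right after a change window; a non-empty result means somebody forgot copy running-config startup-config, and the exact lines tell you what will disappear on the next reboot.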


2. Setting a trunk port to access mode

You configure a port as switchport mode access that connects to another switch or a hypervisor expecting tagged VLANs. All VLANs except the native VLAN stop working. VMs on other VLANs lose connectivity. The symptom is "some things work, some do not" — the hardest kind to debug.

Fix: Verify port mode matches the connected device: show interfaces trunk, show interfaces switchport. Trunk ports carry tagged VLANs, access ports carry one untagged VLAN. Know which you need before configuring.


3. Not checking STP before connecting switches

You connect a new switch to the network without considering spanning tree. The new switch becomes root bridge because it has a lower default priority. STP reconverges across the entire L2 domain. Every port transitions through blocking and learning states. The network is down for 30-50 seconds.

Fix: Set root bridge priority explicitly on your designated root switch: spanning-tree vlan 1 priority 0. Set all other switches higher. Verify with show spanning-tree before and after connecting new equipment.
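A quick way to check whether anyone actually pinned the root is to read the priority out of show spanning-tree. The following is an added example, not from the original page: it parses a constructed show spanning-tree vlan 1 output (sample MAC addresses, and the assumption that the switch the command runs on is the intended root) and flags a root that is still running with the default priority, which is exactly the state in which a newly connected switch can win the election.

```python
import re

# Constructed "show spanning-tree vlan 1" output as seen on a distribution
# switch after a new access switch was plugged in. MAC addresses are sample
# values.
SHOW_STP_VLAN1 = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0011.2233.4455
             Cost        4
             Port        49 (GigabitEthernet1/0/49)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00aa.bbcc.ddee
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
"""

# Assumed: the switch this command was run on is the one meant to be root.
INTENDED_ROOT_MAC = "00aa.bbcc.ddee"
DEFAULT_PRIORITY = 32768  # IOS default bridge priority


def parse_stp(output: str) -> dict:
    """Pull the VLAN, root priority/address and local bridge priority/address
    out of 'show spanning-tree vlan N' text."""
    vlan = int(re.search(r"^VLAN(\d+)", output, re.M).group(1))
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", output)
    bridge = re.search(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", output, re.S)
    return {
        "vlan": vlan,
        "root_priority": int(root.group(1)),
        "root_mac": root.group(2),
        "bridge_priority": int(bridge.group(1)),
        "bridge_mac": bridge.group(2),
    }


def audit_stp(output: str, intended_root_mac: str) -> list[str]:
    """Findings that show the root bridge was never pinned.

    IOS shows the priority as <configured priority> + <VLAN id> (the
    sys-id-ext), so a root priority of 32768 + VLAN means nobody ran
    'spanning-tree vlan N priority ...' and the root is chosen by lowest MAC.
    """
    stp = parse_stp(output)
    findings = []
    configured = stp["root_priority"] - stp["vlan"]
    if configured == DEFAULT_PRIORITY:
        findings.append(
            f"VLAN {stp['vlan']}: root priority {stp['root_priority']} is the default "
            f"({DEFAULT_PRIORITY} + sys-id-ext {stp['vlan']}); any new switch with a "
            "lower MAC will take over as root"
        )
    if stp["root_mac"] != intended_root_mac:
        findings.append(
            f"VLAN {stp['vlan']}: root is {stp['root_mac']}, expected {intended_root_mac}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_stp(SHOW_STP_VLAN1, INTENDED_ROOT_MAC):
        print("WARNING:", finding)
```

After spanning-tree vlan 1 priority 0 on the intended root, the same command shows Root ID Priority 1 (0 plus sys-id-ext 1) with that switch's address, and the audit goes quiet.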


4. Changing the native VLAN on one side of a trunk

You change the native VLAN on one switch but not the other end of the trunk link. Frames on the native VLAN are now tagged on one side and untagged on the other. STP BPDUs may be affected, causing topology changes. Some traffic works, some silently drops.

Fix: Native VLANs must match on both sides of a trunk. Change both ends in the same maintenance window. Verify with show interfaces trunk on both switches. Enable BPDU guard on access ports (spanning-tree bpduguard enable per interface, or spanning-tree portfast bpduguard default globally) to catch misconfigurations early.


5. Locking yourself out with a bad ACL

You apply an access list to the VTY lines or a management interface. A typo in the ACL blocks your own management IP. You cannot SSH back in. The only way to recover is a console connection or waiting for someone on-site.

Fix: Always include your management subnet as the first permit entry. Test ACLs on a non-critical interface first. Use reload in 5 before applying: if you lose access and cannot run reload cancel, the switch reboots and comes back with the unsaved startup-config, discarding the bad ACL. Do not save the running-config until you have confirmed you can still log in.
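Before applying an access-class to the VTY lines you can simulate it against your own management addresses. The following is an added example, not from the original page: it evaluates a constructed standard ACL (with a deliberate typo in the first entry, 10.2.0.0 instead of 10.20.0.0) the way IOS does, first match wins with an implicit deny at the end, and reports which of the assumed management hosts would be locked out.

```python
import ipaddress
import re

# Constructed standard ACL as it would appear in running-config, meant to
# be applied with 'line vty 0 4' / 'access-class 10 in'. The first entry
# has a typo: the admin meant 10.20.0.0 0.0.0.255 but typed 10.2.0.0.
VTY_ACL = """\
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 permit host 192.168.50.10
access-list 10 deny any
"""

# Assumed addresses the operators actually manage the switch from.
MANAGEMENT_HOSTS = ["10.20.0.15", "192.168.50.10"]


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(text: str) -> list[tuple[str, int, int]]:
    """Parse 'access-list N permit|deny <any|host A|A [wildcard]>' lines into
    (action, network, match_mask). Wildcard bits set to 1 are 'don't care',
    so the match mask is the bitwise complement of the wildcard."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?", line.strip())
        if not m:
            continue
        action, addr, extra = m.groups()
        if addr == "any":
            net, wildcard = 0, 0xFFFFFFFF
        elif addr == "host":
            net, wildcard = _ip_int(extra), 0
        else:  # bare address with an optional wildcard; no wildcard means host
            net, wildcard = _ip_int(addr), (_ip_int(extra) if extra else 0)
        mask = ~wildcard & 0xFFFFFFFF
        entries.append((action, net & mask, mask))
    return entries


def evaluate(entries, addr: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    ip = _ip_int(addr)
    for action, net, mask in entries:
        if ip & mask == net:
            return action
    return "deny"


def lockout_check(acl_text: str, management_hosts) -> list[str]:
    """Management hosts this ACL would shut out of the VTY lines."""
    entries = parse_standard_acl(acl_text)
    return [h for h in management_hosts if evaluate(entries, h) != "permit"]


if __name__ == "__main__":
    blocked = lockout_check(VTY_ACL, MANAGEMENT_HOSTS)
    print("blocked management hosts:", blocked or "none")
```

A non-empty result is the cue to fix the ACL before you touch the VTY lines rather than after the session drops.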


6. Allowing VLAN 1 everywhere

You leave VLAN 1 as the default on all trunk ports and never prune it. Every switch in the network carries VLAN 1 broadcast traffic. STP, CDP, VTP, and DTP all run on VLAN 1 by default. A broadcast storm in VLAN 1 takes down management connectivity across the entire campus.

Fix: Move management traffic off VLAN 1. Prune VLAN 1 from trunks where it is not needed: switchport trunk allowed vlan remove 1. Use dedicated management VLANs.


7. Port-channel member config mismatch

You add two interfaces to a port-channel but they have different speed, duplex, VLAN, or STP settings. The port-channel fails to form or becomes unstable. One member stays suspended. You get half the bandwidth you expected and intermittent packet loss.

Fix: All port-channel members must have identical configuration: speed, duplex, VLAN, trunk mode, STP cost. Configure the port-channel interface first, then add members. Verify with show etherchannel summary and show etherchannel detail.
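The member-consistency rule can be checked from the running-config before the bundle is ever brought up. The following is an added example, not from the original page: it parses a constructed running-config excerpt into interface blocks, groups members by channel-group, and reports any checked setting that differs between members or between a member and its Port-channel interface. The set of settings compared is my choice for this example, not an exhaustive list of what the platform enforces.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt: Gi1/0/1 and Gi1/0/2 are meant to be
# members of Port-channel1, but Gi1/0/2 was left with a different speed
# and native VLAN.
RUNNING_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 speed 1000
 duplex full
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 1
 speed auto
 duplex full
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
"""

# Settings that must be identical on every member of one bundle (chosen
# for this example).
CHECKED = ("speed", "duplex", "switchport mode", "switchport trunk native vlan",
           "switchport trunk allowed vlan", "switchport access vlan", "spanning-tree cost")


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a non-interface section ends the block
    return interfaces


def settings(commands: list[str]) -> dict[str, str]:
    """Map each checked setting to its value, e.g. {'speed': '1000'}."""
    found = {}
    for cmd in commands:
        for key in CHECKED:
            if cmd == key or cmd.startswith(key + " "):
                found[key] = cmd[len(key):].strip()
    return found


def port_channel_members(interfaces: dict) -> dict[int, list[str]]:
    """{channel-group number: [member interface names]}."""
    groups = defaultdict(list)
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"channel-group (\d+)", cmd)
            if m:
                groups[int(m.group(1))].append(name)
    return dict(groups)


def audit_port_channels(config: str) -> list[str]:
    """Flag settings that differ across a bundle's members, and members whose
    switchport settings differ from the Port-channel interface itself."""
    interfaces = parse_interfaces(config)
    findings = []
    for group, members in port_channel_members(interfaces).items():
        per_member = {m: settings(interfaces[m]) for m in members}
        for key in CHECKED:
            values = {m: per_member[m].get(key, "<unset>") for m in members}
            if len(set(values.values())) > 1:
                findings.append(f"Port-channel{group}: '{key}' differs across members: {values}")
        bundle = settings(interfaces.get(f"Port-channel{group}", []))
        for key, value in bundle.items():
            for m in members:
                if per_member[m].get(key) != value:
                    findings.append(f"Port-channel{group}: {m} '{key}' is "
                                    f"{per_member[m].get(key)}, bundle has {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_port_channels(RUNNING_CONFIG):
        print(finding)
```

Run it over the config you are about to push; an empty result is the precondition for show etherchannel summary showing every member as bundled rather than suspended.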


8. Relying on DTP for trunk negotiation

You leave ports in dynamic desirable or dynamic auto mode. A rogue device or misconfigured server sends DTP frames and the port trunks up, exposing all VLANs to that device. This is a VLAN hopping attack vector.

Fix: Explicitly set every port: switchport mode access or switchport mode trunk. Disable DTP with switchport nonegotiate on trunk ports. Never rely on dynamic negotiation in production.
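Items 2, 4, 6 and 8 above are all visible in show interfaces switchport, so one audit can cover them. The following is an added example, not from the original page: it parses constructed output from two switches (the field names follow the IOS format, the port values and the cabling between the switches are assumed) and reports ports still in a dynamic DTP mode, trunks that have not been set to nonegotiate, trunks that still carry VLAN 1, and links whose two ends disagree on mode or native VLAN.

```python
# Constructed "show interfaces switchport" output from switch A, trimmed to
# the fields this audit reads.
SWITCH_A = """\
Name: Gi1/0/1
Administrative Mode: dynamic desirable
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi1/0/2
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 999
Trunking VLANs Enabled: 10,20,30,999

Name: Gi1/0/3
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

# Same command on neighbouring switch B. Assumed cabling: A Gi1/0/2 <-> B
# Gi1/0/48 and A Gi1/0/3 <-> B Gi1/0/47.
SWITCH_B = """\
Name: Gi1/0/48
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)

Name: Gi1/0/47
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
"""
LINKS = [("Gi1/0/2", "Gi1/0/48"), ("Gi1/0/3", "Gi1/0/47")]


def parse_switchport(output: str) -> dict[str, dict[str, str]]:
    """Split the per-port 'Field: value' blocks into {port: {field: value}}."""
    ports, current = {}, None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def _vlan_id(value: str) -> int:
    """'1 (default)' -> 1, '999' -> 999."""
    return int(value.split()[0])


def _allows_vlan1(value: str) -> bool:
    """Does an allowed-VLAN list such as 'ALL' or '1-5,10' include VLAN 1?"""
    if value == "ALL":
        return True
    for part in value.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= 1 <= int(hi or lo):
            return True
    return False


def audit_local(ports: dict) -> list[str]:
    """One-switch checks: DTP reliance, trunk still negotiating, VLAN 1 on trunks."""
    findings = []
    for name, p in ports.items():
        mode = p.get("Administrative Mode", "")
        if mode.startswith("dynamic"):
            findings.append(f"{name}: '{mode}' relies on DTP; set switchport mode access|trunk")
        if p.get("Operational Mode") == "trunk":
            if p.get("Negotiation of Trunking") == "On":
                findings.append(f"{name}: trunk still negotiates; add switchport nonegotiate")
            if _allows_vlan1(p.get("Trunking VLANs Enabled", "ALL")):
                findings.append(f"{name}: trunk carries VLAN 1")
    return findings


def audit_links(a: dict, b: dict, links) -> list[str]:
    """Two-ended checks: operational mode and native VLAN must agree per link."""
    findings = []
    for pa, pb in links:
        ea, eb = a[pa], b[pb]
        if ea["Operational Mode"] != eb["Operational Mode"]:
            findings.append(f"{pa}<->{pb}: mode mismatch "
                            f"({ea['Operational Mode']} vs {eb['Operational Mode']})")
        elif ea["Operational Mode"] == "trunk":
            na = _vlan_id(ea["Trunking Native Mode VLAN"])
            nb = _vlan_id(eb["Trunking Native Mode VLAN"])
            if na != nb:
                findings.append(f"{pa}<->{pb}: native VLAN mismatch ({na} vs {nb})")
    return findings
```

Call audit_local on each switch's parsed output and audit_links on each pair of neighbours; in the sample, Gi1/0/1 on A triggers all three single-switch checks, the A-B link on Gi1/0/2 has native VLAN 999 on one end and 1 on the other, and Gi1/0/3 is an access port facing a trunk.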


9. Not reading show interface output during troubleshooting

A server team reports connectivity issues. You check show ip route and show vlan brief but skip show interface. The port shows err-disabled due to a BPDU guard violation, or has thousands of CRC errors indicating a bad cable. You waste 30 minutes investigating the wrong layer.

Fix: Always start with show interface <port>. Check: line protocol status, error counters (CRC, input/output errors, collisions), speed/duplex, and whether the port is err-disabled. Physical layer problems mask everything above them.
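The checklist in the fix can be turned into a first-pass triage of show interface output. The following is an added example, not from the original page: it parses a constructed show interface capture for a port that BPDU guard put into err-disabled and that also shows CRC errors, extracts the status line, duplex/speed and error counters, and lists the physical-layer findings to clear before looking at VLANs or routing.

```python
import re

# Constructed "show interface GigabitEthernet1/0/22" output for a port that
# BPDU guard shut down and that also has a bad cable (CRC errors).
SHOW_INTERFACE = """\
GigabitEthernet1/0/22 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet, address is 00aa.bbcc.dd16 (bia 00aa.bbcc.dd16)
  Description: server-22
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1234567 packets input, 987654321 bytes, 0 no buffer
     Received 1200 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     4521 input errors, 4519 CRC, 2 frame, 0 overrun, 0 ignored
     7654321 packets output, 123456789 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
"""

# Counter fields to pull out of the output and the regex for each.
COUNTERS = {
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",
    "resets": r"(\d+) interface resets",
}


def parse_show_interface(output: str) -> dict:
    """Extract status, err-disable reason, duplex/speed and error counters."""
    head = re.match(r"(\S+) is (.+?), line protocol is (\S+)(?: \((.+?)\))?",
                    output.splitlines()[0])
    name, status, protocol, reason = head.groups()
    fields = {"name": name, "status": status, "protocol": protocol, "reason": reason}
    dup = re.search(r"^\s*(Full|Half|Auto)-duplex, (\S+),", output, re.M)
    fields["duplex"] = dup.group(1) if dup else None
    fields["speed"] = dup.group(2) if dup else None
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, output)
        fields[key] = int(m.group(1)) if m else 0
    return fields


def triage(output: str) -> list[str]:
    """Physical and data-link findings to clear before troubleshooting higher layers."""
    f = parse_show_interface(output)
    findings = []
    if f["reason"] == "err-disabled":
        findings.append(f"{f['name']} is err-disabled; see 'show interfaces status "
                        "err-disabled' for the cause before anything else")
    elif f["protocol"] != "up":
        findings.append(f"{f['name']} line protocol is {f['protocol']} (status: {f['status']})")
    if f["crc"] > 0:
        findings.append(f"{f['name']}: {f['crc']} CRC errors out of {f['input_errors']} "
                        "input errors; suspect cable, SFP or duplex mismatch")
    if f["duplex"] == "Half" or f["collisions"] > 0:
        findings.append(f"{f['name']}: half duplex or collisions seen ({f['collisions']}); "
                        "check speed/duplex on both ends")
    if f["output_errors"] > 0:
        findings.append(f"{f['name']}: {f['output_errors']} output errors")
    return findings


if __name__ == "__main__":
    for finding in triage(SHOW_INTERFACE):
        print(finding)
```

On the sample the port is err-disabled and has thousands of CRC errors, which is the two-minute answer the thirty-minute route-table investigation would have missed.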


10. Assuming the switch config matches the diagram

The network diagram shows VLAN 100 on ports Gi1/0/1-24. But someone changed ports 20-24 to VLAN 200 six months ago and never updated the diagram. You provision a server on port 22, assign VLAN 100 in your automation, and wonder why it cannot reach the gateway.

Fix: Always verify with show running-config interface and show vlan brief on the actual switch. Trust CLI output over documentation. When you make changes, update the diagram (or better, use automated documentation from the switch config itself).
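"Trust CLI output over documentation" can be enforced by diffing the two. The following is an added example, not from the original page: it parses a constructed show vlan brief capture into a port-to-VLAN map, expands the port ranges the diagram uses (an assumed format such as Gi1/0/1-24), and reports every port where the switch disagrees with the diagram, which in the sample is ports 20-24.

```python
import re

# Constructed "show vlan brief" output. The diagram says Gi1/0/1-24 are all
# in VLAN 100, but ports 20-24 were moved to VLAN 200 on the switch.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/25, Gi1/0/26, Gi1/0/27
100  servers                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
                                                Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
200  storage                          active    Gi1/0/20, Gi1/0/21, Gi1/0/22, Gi1/0/23
                                                Gi1/0/24
1002 fddi-default                     act/unsup
"""

# What the (stale) network diagram documents, as port-range -> VLAN.
DIAGRAM = {"Gi1/0/1-24": 100, "Gi1/0/25-27": 1}


def expand_range(spec: str) -> list[str]:
    """'Gi1/0/1-3' -> ['Gi1/0/1', 'Gi1/0/2', 'Gi1/0/3']; a single port is unchanged."""
    m = re.fullmatch(r"(.*?/)(\d+)(?:-(\d+))?", spec)
    prefix, lo = m.group(1), int(m.group(2))
    hi = int(m.group(3)) if m.group(3) else lo
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def parse_vlan_brief(output: str) -> dict[str, int]:
    """Build {port: vlan} from 'show vlan brief', including the wrapped
    continuation lines that carry extra ports for the same VLAN."""
    port_vlan, vlan = {}, None
    for line in output.splitlines():
        row = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if row:
            vlan, ports = int(row.group(1)), row.group(2)
        elif line.startswith(" ") and vlan is not None:
            ports = line.strip()
        else:
            vlan = None  # header or separator line
            continue
        for port in ports.split(","):
            if port.strip():
                port_vlan[port.strip()] = vlan
    return port_vlan


def diagram_drift(diagram: dict, output: str) -> dict[str, tuple]:
    """Ports whose VLAN on the switch differs from the diagram, as
    {port: (documented VLAN, actual VLAN or None if not seen)}."""
    actual = parse_vlan_brief(output)
    drift = {}
    for spec, documented in diagram.items():
        for port in expand_range(spec):
            if actual.get(port) != documented:
                drift[port] = (documented, actual.get(port))
    return drift


if __name__ == "__main__":
    for port, (documented, actual) in diagram_drift(DIAGRAM, SHOW_VLAN_BRIEF).items():
        print(f"{port}: diagram says VLAN {documented}, switch says VLAN {actual}")
```

Running this before provisioning would have shown that port 22 is in VLAN 200, not 100, and the same output is the natural source for regenerating the diagram from the switch itself.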