in the private area will be 3550 or 3750.. on the public area it will either be 3550 or a 4000 series.. 2 switch connections in front and back for redundancy.. the css will be using ASR those are in the middle using 11506.. from all my checking it works in th current one access switch level but the concern is when spanning tree picks the best path that is pick the master css..

i noticed from a trace the master was sending vrrp messages which i think should resolve the prob but i'm unsure

if you double the number of switches I would recommend not to connect each CSS to each switch.

This has proven to be source of trouble due to spanning-tree.

SW1 ------ trunk -------SW2

|.......................|

CSS1...................CSS2

|.......................|

SW3------- Trunk ------SW4

If the link between SW1 and CSS1, let the CSS fails over instead of relying on spanning-tree.

This solutions works better from past experience.

Gilles.

if i'm understanding you correctly..

only have 1 switch front and back per CSS?

the Backup CSS would have the same configuration the only common link the CSS's would be is the isc port..

once it (the backup)notices the master goes down via isc the ports for the back up would become active

Even I do not understand what Gilles says, assuming Gilles said that, what if the pri css goes complete dead?

What we did was that connect the Server interfaces to L2/L3 switches using NIC teaming. An L2/L3 port is connected to each CSS. Between the L2/L3 run the Etherchannel or Stack GBIC/trunk. It works fine since for a while ago. We had issues intialy like the MAC adress table got flodding on the L2/L3 switches, belive me we came out of that after enabling 'portfast' on the CSS ports and on the connected L2/L3 SW ports, I know its foolish but for some reason it works fine now.

Server1

/ \---->NIC Teaming

/ \

Sw1---Etherch---Sw2

/ \

master>CSS---isc---CSS

\

Switch

|

Public

if the primary CSS goes down completely, the backup will take over and it will have access to all servers through the switch it is connected to.

This is the easiest solution and a good solution.

I spent too many hours trying to explain to some people why their highly redundant network failed because of spanning-tree.

The solution I suggest will provide good redundancy and is quite simple so avoiding problems.

Gilles.

i'm posting a drawing just to be clear on what you've said. if i'm incorrect please modify it beacuse these stick lettering is killing me..lol

could you resend as jpeg ?

THanks,

Gilles.

not a prob

so you use 2 vlans on the public side and 2 vlans on the private side ?

This is ok, just more complex.

You'll need routes pointing to each vlan ip address for the vips.

All I can suggest is to find a solution where you can turn off spanning-tree on the CSS and avoid any routing protocols.

If you can do this, you will avoid potentially a lot of trouble.

Gilles.

"so you use 2 vlans on the public side and 2 vlans on the private side ? "

i believe i will have to due to the use of terminal services used to manage servers. so i would have to have an internal vip address for terminal svc to access the servers directly. bypassing the public 'www'vip that outside users would use to access the stuff.

now when creating that internal vip setting to a vlan it.

would have to a redundant interface?

is there no command to turn off spanning-tree on css?

thanks for all the help

i will try the spanning-tree command if after adding the extra switches creates a problem

the ISC port is not used to detect if the master is active or not.

It is just used to send stateful information.

The CSS will use VRRP on each link to establish mastership and detect that devices are alive or not.

Gilles.