Hi.

I  changed configuartion and configurated mstp at 3 switches and connected ips's to that switches. Ips at vlan pair mode and default sig0.

when i connect one ips all them are ok and when i connect second ips this error is made up at root switches. when i disable second ips  all them is ok.

error at root sw:

00:49:09.275: %SW_MATM-4-MACFLAP_NOTIF: Host 0021.70ba.dd6e in vlan 50 is flapping between port Fa0/12 and port Fa0/24

*Mar  1 00:49:14.274: %SW_MATM-4-MACFLAP_NOTIF: Host 0012.3fd0.862c in vlan 60 is flapping between port Fa0/10 and port Fa0/24

*Mar  1 00:49:14.341: %SW_MATM-4-MACFLAP_NOTIF: Host 0021.70ba.dd6e in vlan 60 is flapping between port Fa0/24 and port Fa0/11

*Mar  1 00:49:14.375: %SW_MATM-4-MACFLAP_NOTIF: Host 0012.3fd0.862c in vlan 50 is flapping between port Fa0/24 and port Fa0/11

*Mar  1 00:49:24.240: %SW_MATM-4-MACFLAP_NOTIF: Host 0021.70ba.dd6e in vlan 60 is flapping between port Fa0/24 and port Fa0/11

*Mar  1 00:49:24.240: %SW_MATM-4-MACFLAP_NOTIF: Host 0012.3fd0.862c in vlan 50 is flapping between port Fa0/11 and port Fa0/24

*Mar  1 00:49:31.093: %SW_MATM-4-MACFLAP_NOTIF: Host 0021.70ba.dd6e in vlan 50 is flapping between port Fa0/11 and port Fa0/24

i attached my topology.

is this rigth application??? why two ips is not working at the same time? is it normal that two ips is not working at the same time when the switches configurated at mstp/? how i solve this issue???

please write your comment.

thanks

this is my switches brief configuartion:

root sw:

mst config:

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name teymur
revision 10
instance 1 vlan 50,60

!
spanning-tree mst 1 root primary

interface FastEthernet0/10
description connect to secondary sw
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/11
description connect to IPS1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/12
description connect to Pc1
switchport access vlan 50
switchport mode access
spanning-tree portfast

interface FastEthernet0/24
description connect to Sw3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

-----------------------------------------------------------
secondary switch:

spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name teymur
revision 10
instance 1 vlan 50,60

!
spanning-tree mst 1 root secondary

interface FastEthernet0/1
description connect to root sw
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
description connect to Sw3 
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/3
description connect to Pc2
switchport access vlan 60
switchport mode access
spanning-tree portfast

-------------------------------------------------------------
SW3

spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
name teymur
revision 10
instance 1 vlan 50,60

interface FastEthernet0/1
description connect to Secondary sw
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/2
description connect to root sw
switchport mode trunk
switchport nonegotiate
!
interface FastEthernet0/3
description connect to IPS 2
switchport mode trunk
switchport nonegotiate

when two ips connected the flapping start at root switche, when i disable one of ips all af them is ok.

is it deployment problem at ips?? is it wrong configuartion at switches??? what is that? i can not solve this.

Why to you have your IPS Sensors hanging off the ends of your two switches?

Typically IPS sensors are placed in line BETWEEN switches.

yes you are rigth but in our customer network need that we do ips at inline vlan pair mode.because traffic size is very big.

but now i tested this application  in my lab. can you say me  at this application is rigth or not? can two ips work at mstp configuration???

i want to know:

1. is this ips deployment problem?

2.is this mstp problem??

3.are two ips are not work at the same time at mstp configuration?

in my application when i connect two ips both of interface are forward state at switch so the flapping is occur

if one of ips is block state and one of them is forward it is work and if active ips is down the second ips is change state from block state to forward state(at rstp configuartion work like that).

thanks you for help me.

i

I can not tell you if your configuration is correct.

It is hard for me to determine how your traffic is routed thru your three switches and in and out of your two IPS sensors.

If bandwidth was a problem, putting the IPS sensor on a single trunk will further limit the available bandwidth of that connection (traffic to and from the sensors have to share the same link). If the sensor had two connections to your switches, this would not limit traffic flow.

The flapping message is due to teh same switch seeing the same frame on different ports. This is normal because frames leave and re-enter the same switch on different VLANS after passing thru the sensor.

- Bob

yes i aggree with you. the same frame on different port cause flapping at switch.

i want you suggest me which deployment mode i put my ips's on this application.

you also say other way to change my switches configuration(for example change to mstp to rstp)

you say your recomendation i try to test it at my lab.

thank your help.

I can not make an effective recommendation without knowing all the design parameters and limitations you have in your network. (I also am not getting paid to do your design work for you).

If I was building this, I would try to put the Sensors, in line, using interface pair mode.

- Bob

Hi. thank you very much  again to help me.

thank your recomendation. i try to test it inline mode.

thank you again.