cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2191
Views
0
Helpful
10
Replies

6509 trunk to Nokia Checkpoint firewall

KeithN123
Level 1
Level 1

I have configured a dot1q trunk between a 6509 and a Nokia IP740, The VLANS within the trunk are running VRRP. The vrrp backup keeps switching between Master and Backup. Has anyone ever come across this problem before ? is there something I am missing which is not required when configuring a switch to switch trunk ? I have already ruled out cable or port errors by substitution.

10 Replies 10

ankurbhasin
Level 9
Level 9

Hi Keith,

The only thing I can think of is that hello packets for VRRP is not flowing properly and if trunk is properly configured and VRRP vlans are aloowd it should not be a problem but tell me something that is NOKIA IP740 has a conecpt of native vlan on its trunk because i think cisco has a concept of native vlan and bydefault vlan 1 is a native vlan on trunk port so please check what is the native vlan on Nokia switch because if Nokia is expecting all vlan as tagged and cisco is sending native van as untagged this problem can occur.

Just checked if you have not enabled dot1q all tagged on cisco switches also.

Regards,

Ankur

Ankur

The Nokia only allows the creation of vlans 2-4094, so Vlan 1 must be the default.

Ankur

is the native vlan necessary for the trunk ? I have allowed 2 vlans across the trunk but not vlan 1. I have also tried making one of the trunked vlans the native vlan which has an adverse effect. In this scenario I end up with master / master on the nokia's instead of master / backup. The link does stay up though, which would suggest that the Nokia interface isn't faulty.....i'm struggling with this one a bit.

thanks

Hello,

I found the following from Nokia, they recommend turning on the portfast feature for ports that connect to VRRP participating Nokia devices:

'The spanning tree protocol should be set to

"portfast"mode for ports that connect to VRRP participating Nokia devices. On the Catalyst series of switches the command to achieve this is simple and as follows. On a port per port basis :-

interface fa x/x

spanning-tree portfast

For Nokia devices that are running VRRP, the portfast option should be enabled for these ports and these ports only. As for the "overall"

spanning tree process and inter-switch / trunk ports, spanning tree should be left enabled or as per the design being used'

HTH,

GP

GP

many thanks for the info. I have checked and portfast is already enabled on these ports. WOuld have been nice and simple if this had been the problem.

regards

portfasting a trunk is not the same as portfasting an access port.

2950-Main(config-if)#spanning-tree portfast ?

disable Disable portfast for this interface

trunk Enable portfast on the interface even in trunk mode

2950-Main(config-if)#spanning-tree portfast trunk

Hi Keith,

Somehow I am sure there is some problem related to config for native vlan. Do me a favour just post me the config of both the switches relating to the ports connected and Will try my best to find out something.

Regards,

Ankur

Ankur

quite a straight forward config really... A pair of 6509's

switch1

set trunk mod/port on dot1q 614-615

switch2

set trunk mod/port on dot1q 614-615

although I believe the firewalls use vlan 1 as a default I don't think they have a requirement to see vlan 1 from the switches. I have configure the above vlans on the firewalls. If I debug the firewalls I can see the vrrp hello's from the primary. Seems like this is a common problem because I have seen other people logging this issue on different forums.

For what it's worth I am posting a solution to our problem.

We had two IP710 connected to two 6509 switches. Both IP710 had trouble negotiating between Master and Backup.

Since IGMP snooping is enabled by default on the 6500 platform we had to turn it off to successfully run VRRP.

thanks for the information. very useful information to remember. In our case, it turned out to be a faulty interface card in the IP740. we replaced the card and the problem is now solved.

regards

Keith

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco