Hi experts,

I recently encountered a strange spanning-tree behavior, the topology is as below.

SW1 -------(vlan2)FWSM1(vlan10)----------Core SW3

   -                                                                     -

   -                                                                     -

   -                                                                     -

   -                                                                     -

SW2--------(vlan2)FWSM1(vlan10)---------- Core SW4

FWSM is on SW3 and SW4, running in transparent mode with vlan 2 being outside interface and vlan 10 being inside interface.

SW1 and SW2 servers as access switch.

FWSM permits the BPDU packet and HSRP keepalive to pass through.

The trunk between SW1&SW2 only allow vlan2, and trunk between SW3&SW4 only allow vlan10.

For vlan 2, the root is on SW1 where it configures priority 0.

For vlan 10, it's not configured on SW12 (only on SW34), and priority is the default value on SW3&SW4

Since BPDU is allowed on FWSM, we can see the root of vlan 10 is SW1 vlan 2. (the root port is the port-channel facing FWSM).Is this correct?

Also HSRP packet are allowed on FWSM, so it seems the HSRP keepalive packet will also be sent from both trunk between SW3&SWS4 and through FWSM and back.?

I do see from below link, it's suggested to enable BPDU packet to avoid loop in case both FWSM are active, but it seems a bit strange with L2 spanning-tree topology.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/failover.html

Any feedback will be appreciated.

Thanks

Xie