
Content filters configured as transparent bridges and spanning tree

spfister336
Level 2

I've got a situation where I need to connect two switches, a 4507R (our core switch) to a 3560, using two devices which are functioning as transparent bridges, connected in parallel. The devices are actually content filters (they're Lightspeed Rocket appliances if that makes any difference), and we'd like to have one online as a standby unit in case the first one fails. The only other thing connected to the 3560 is two PIX firewalls (active/standby) which are in a VLAN from the core network. The two switches are EIGRP neighbors.

I was hoping that spanning-tree would take care of selecting one device for production use and the other as a standby. When we tried it, there was no connectivity at all. It seemed like the switches were not agreeing on which device to use. Is there any way to maybe have the 4507R take care of the forwarding/blocking decisions and turn off spanning-tree on the 3560?

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Spfister336,

You need to verify whether the content filters support STP or whether they are transparent to STP BPDUs.

If the links are configured as access links, Cisco switches send IEEE-compliant (802.1D) STP BPDUs; if the links are tagged, configured as trunks, Cisco switches probably send proprietary PVST BPDUs.

I would suggest connecting only one content filter to one port on SW1 and one port on SW1.

You can use show spanning-tree interface to verify what happens:

Look for the designated port role and for the designated port MAC address.

If there is communication between the two switches, they should agree on the DP MAC address; one side will be the DP on the link.

If the content filter blocks the BPDUs, the two switches may each elect their own port as DP, and the DP MAC address will be different.

If the content filter speaks IEEE 802.1D and the link is in access mode (untagged), it cannot pass the BPDUs but rather it will process them, taking part in the STP topology.

Hope to help

Giuseppe
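The comparison described in the reply above can be scripted. This is an added example, not part of the original thread: it parses constructed, trimmed output modeled on `show spanning-tree interface <if> detail` from both switches and classifies the link that runs through one content filter. The MAC addresses, counters, interface names and the `classify_link` helper are all assumptions made for illustration; the switches' own bridge MACs are assumed to be known from `show spanning-tree`.

```python
import re

# Constructed, trimmed samples; every MAC address and counter is made up.
CORE_4507R = """\
 Port 49 (GigabitEthernet1/1) of VLAN0010 is designated forwarding
   Designated bridge has priority 32778, address 0011.aaaa.0001
   BPDU: sent 512, received 0
"""
EDGE_3560_BLOCKED = """\
 Port 1 (GigabitEthernet0/1) of VLAN0010 is designated forwarding
   Designated bridge has priority 32778, address 0022.bbbb.0002
   BPDU: sent 498, received 0
"""
EDGE_3560_PASSING = """\
 Port 1 (GigabitEthernet0/1) of VLAN0010 is root forwarding
   Designated bridge has priority 32778, address 0011.aaaa.0001
   BPDU: sent 3, received 510
"""
# Bridge MACs of the two switches themselves (assumed known).
SWITCH_MACS = {"0011.aaaa.0001", "0022.bbbb.0002"}

def parse_port(text):
    """Extract port role, designated bridge MAC and BPDU counters."""
    role = re.search(r"of \S+ is (\w+) \w+", text)
    bridge = re.search(r"Designated bridge has priority \d+, address (\S+)", text)
    bpdu = re.search(r"BPDU: sent (\d+), received (\d+)", text)
    if not (role and bridge and bpdu):
        raise ValueError("unrecognized spanning-tree output")
    return {"role": role.group(1), "bridge": bridge.group(1).lower(),
            "sent": int(bpdu.group(1)), "received": int(bpdu.group(2))}

def classify_link(side_a, side_b, switch_macs):
    """Compare the designated bridge seen at both ends of one filtered link."""
    a, b = parse_port(side_a), parse_port(side_b)
    seen = {a["bridge"], b["bridge"]}
    if not seen <= switch_macs:
        # A designated bridge that is neither switch: the filter speaks STP.
        return "third-bridge"
    if len(seen) == 1:
        # Both ends agree on the designated bridge: BPDUs cross the filter.
        return "agree"
    if a["role"] == b["role"] == "designated" and a["received"] == b["received"] == 0:
        # Each switch elected its own port and hears nothing: BPDUs are blocked.
        return "blocked"
    return "inconclusive"

if __name__ == "__main__":
    print(classify_link(CORE_4507R, EDGE_3560_BLOCKED, SWITCH_MACS))
    print(classify_link(CORE_4507R, EDGE_3560_PASSING, SWITCH_MACS))
```

A "blocked" result with both content filters connected in parallel means neither switch will put a port into blocking, so the redundant path is a bridging loop rather than a standby.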