10-25-2012 05:57 AM - edited 03-07-2019 09:40 AM
I am just trying to understand what is going on here... In the attachment you will find a simple scenario... VLANs 5 to 10 are the DMZ VLANs, which are the sub-interfaces on the ASA firewall. The point that I don't understand is why, for all these VLANs, Switch1 and the DMZ switch are both root bridges! I understand that a device such as an ASA, which is not able to process BPDUs, filters them, but in this scenario I have a trunk between Switch1 and DMZ.
Can somebody please explain to me why both Switch1 and DMZ are root bridges for these VLANs?
Here is some show command outputs:
DMZ#sh spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address ec30.9173.5100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address ec30.9173.5100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.1 P2p
Gi0/22 Desg FWD 4 128.22 P2p
Switch1#sh spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol rstp
Root ID Priority 32773
Address 5475.d0d0.3a80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 5475.d0d0.3a80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi2/0/20 Desg FWD 4 128.74 P2p
10-25-2012 06:51 AM
Hi,
can you post the config from both switches?
Regards.
Alain
Don't forget to rate helpful posts.
10-25-2012 07:03 AM
Here is Spanning-tree related config:
DMZ#
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
interface GigabitEthernet0/1
description Uplink ASA
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/22
description Switch1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
spanning-tree bpdufilter enable
!
Switch1#
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
interface GigabitEthernet2/0/20
description Uplink - SW-DMZ
switchport trunk encapsulation dot1q
switchport mode trunk
end
!
I think I found the source of the issue! I have "spanning-tree bpdufilter enable", which filters the BPDUs on port Gi0/22 of the DMZ switch. Is that the reason?
10-26-2012 02:33 AM
Hi,
you are probably right, the "spanning-tree bpdufilter enable" is filtering the BPDUs.
As both switches believe they are the root, they should be advertising their BPDUs on all ports.
Using "sh spanning-tree int Gix/y/z detail" command you should be able to see how many BPDUs were sent/received.
You are also using different STP modes (rapid-pvst/pvst) on your switches, but they should be compatible.
HTH,
Milan
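As an added example (not part of the original thread or of any Cisco tooling), the script below automates the two checks the thread arrives at: it parses `show spanning-tree` output collected from several switches and flags any VLAN in which more than one switch reports "This bridge is the root", and it scans each switch's running configuration for trunk interfaces that also carry `spanning-tree bpdufilter enable`. The sample outputs and configs embedded in the script are constructed from the values posted above, trimmed to the lines the parser needs; they are not live captures, and the function names are the author's own.

```python
import re
from typing import Dict, List

# Constructed sample data modelled on the outputs and configs posted in the
# thread; these are not captures from a live device.
SHOW_STP = {
    "DMZ": """\
VLAN0005
Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     ec30.9173.5100
             This bridge is the root
  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     ec30.9173.5100
""",
    "Switch1": """\
VLAN0005
Spanning tree enabled protocol rstp
  Root ID    Priority    32773
             Address     5475.d0d0.3a80
             This bridge is the root
  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     5475.d0d0.3a80
""",
}

CONFIGS = {
    "DMZ": """\
interface GigabitEthernet0/1
 description Uplink ASA
 switchport mode trunk
 spanning-tree bpdufilter disable
!
interface GigabitEthernet0/22
 description Switch1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
""",
    "Switch1": """\
interface GigabitEthernet2/0/20
 description Uplink - SW-DMZ
 switchport mode trunk
end
""",
}


def parse_root_claims(show_output: str) -> Dict[str, dict]:
    """Parse 'show spanning-tree [vlan N]' text into {vlan: {root_mac, is_root}}."""
    claims: Dict[str, dict] = {}
    vlan, section = None, None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r"^VLAN0*(\d+)$", line)
        if m:                                   # start of a per-VLAN block
            vlan, section = m.group(1), None
            claims[vlan] = {"root_mac": None, "is_root": False}
            continue
        if vlan is None:
            continue
        if line.startswith("Root ID"):
            section = "root"
        elif line.startswith("Bridge ID"):
            section = "bridge"
        elif line.startswith("Address") and section == "root":
            claims[vlan]["root_mac"] = line.split()[1]   # MAC of the root this switch sees
        elif line == "This bridge is the root":
            claims[vlan]["is_root"] = True
    return claims


def find_split_roots(per_switch: Dict[str, Dict[str, dict]]) -> Dict[str, List[str]]:
    """Return {vlan: [switches]} for every VLAN where more than one switch claims root."""
    roots: Dict[str, List[str]] = {}
    for switch, claims in per_switch.items():
        for vlan, info in claims.items():
            if info["is_root"]:
                roots.setdefault(vlan, []).append(switch)
    return {v: sorted(s) for v, s in roots.items() if len(s) > 1}


def find_filtered_trunks(config: str) -> List[str]:
    """Return trunk interfaces that also carry 'spanning-tree bpdufilter enable'."""
    bad: List[str] = []
    name, is_trunk, filtered = None, False, False
    for raw in config.splitlines() + ["!"]:     # sentinel flushes the last block
        line = raw.strip()
        if line.startswith("interface "):
            name, is_trunk, filtered = line.split(None, 1)[1], False, False
        elif line in ("!", "end"):
            if name and is_trunk and filtered:
                bad.append(name)
            name = None
        elif name:
            is_trunk = is_trunk or line == "switchport mode trunk"
            filtered = filtered or line == "spanning-tree bpdufilter enable"
    return bad


def audit(show_outputs: Dict[str, str], configs: Dict[str, str]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings: List[str] = []
    per_switch = {sw: parse_root_claims(out) for sw, out in show_outputs.items()}
    for vlan, switches in sorted(find_split_roots(per_switch).items()):
        findings.append(f"VLAN {vlan}: split STP domain, root claimed by {', '.join(switches)}")
    for sw, cfg in configs.items():
        for intf in find_filtered_trunks(cfg):
            findings.append(f"{sw} {intf}: bpdufilter enabled on a trunk, no BPDUs cross this link")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_STP, CONFIGS):
        print(finding)
```

Run against the constructed data, the audit reports VLAN 5 as having two root bridges and points at DMZ Gi0/22 as the trunk whose BPDU filter splits the spanning-tree domain; feeding it the full `show spanning-tree` output (all VLANs) and complete running configs from every switch in a DMZ is the quickest way to find the same mistake elsewhere before a second link is patched in and a loop forms that neither side can detect.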