
Spanning-Tree Blocking Ports Problem

Dean Romanelli
Level 4

Hi All,

I have a location with two Cisco SG300 switches (28 port and 52 port), which both connect to my ASA 5505, which then connects to the ISP. I have a guest and staff subnet, and since my ASA only has a base license, I can't do trunk ports, so from each switch I have two lines running to the ASA 5505 (one on the staff VLAN, one on the guest VLAN). The root switch is the 28 port switch. Please see attached drawing for topology.

What is happening is I am able to connect 2 ports on the 28 port STP root switch to two ports on the ASA on VLAN 1 (staff) and VLAN 22 (guest) respectively without a problem. On the 52 port switch I am able to connect the port on VLAN 1 to the respective VLAN 1 port on the ASA, but as soon as I try to connect the port set to VLAN 22 on the 52 port switch to the VLAN 22 port on the ASA, spanning-tree starts blocking the port on VLAN 1, which in turn brings down the staff network. I have to remove the cable on VLAN 22 from the 52 port switch to restore service to the staff network. See logs below for evidence of the attempt and rollback:

06-Aug-2014 17:14:53 :%LINK-W-Down:  gi47
06-Aug-2014 17:14:53 :%STP-W-PORTSTATUS: gi48: STP status Forwarding
06-Aug-2014 17:10:46 :%STP-W-PORTSTATUS: gi8: STP status Forwarding, aggregated (1)
06-Aug-2014 17:01:20 :%STP-W-PORTSTATUS: gi47: STP status Forwarding
06-Aug-2014 17:01:20 :%STP-W-PORTSTATUS: gi48: STP status Blocking

Not sure why this is happening, as no loop is created. The only thing I can think of is that since SG300s don't do per-VLAN spanning-tree, and since the 28 port switch is the root, the 52 port switch is blocking one of the ports to create the designated port to the root switch, even though in this design I don't need traffic to hit the root switch before going to the gateway. Any help is appreciated.
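As an added illustration (not part of the original post), here is a small parser for the SG300 syslog lines quoted above. It puts the events back in chronological order (the switch lists newest first) and flags every instant at which more than one port changed state at once, which is exactly the pattern in the post: one uplink goes Forwarding while the other is put into Blocking, and the reverse on rollback. The log text is the post's own five lines embedded as sample input; the port-to-VLAN mapping is not in the logs, so the code does not assume it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the five SG300 log lines quoted in the post (newest first).
LOG_LINES = """\
06-Aug-2014 17:14:53 :%LINK-W-Down:  gi47
06-Aug-2014 17:14:53 :%STP-W-PORTSTATUS: gi48: STP status Forwarding
06-Aug-2014 17:10:46 :%STP-W-PORTSTATUS: gi8: STP status Forwarding, aggregated (1)
06-Aug-2014 17:01:20 :%STP-W-PORTSTATUS: gi47: STP status Forwarding
06-Aug-2014 17:01:20 :%STP-W-PORTSTATUS: gi48: STP status Blocking
""".splitlines()

# Matches both the %LINK-W-Down and %STP-W-PORTSTATUS message shapes seen above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) :%(?P<msg>[A-Z]+-[A-Z]-\w+):\s+"
    r"(?P<port>\w+):?(?: STP status (?P<state>\w+))?(?:, aggregated \(\d+\))?\s*$"
)


def parse(lines):
    """Return (timestamp, port, state) tuples sorted oldest first.

    A link-down message is recorded as state 'Down' so that it can be
    correlated with the STP state changes that happen in the same second.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not link/STP port messages
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        state = m["state"] or ("Down" if m["msg"] == "LINK-W-Down" else None)
        if state:
            events.append((ts, m["port"], state))
    return sorted(events)


def correlated_changes(events):
    """Instants where two or more ports changed state in the same second.

    Returns a list of (timestamp, {port: state}); a Blocking entry next to a
    Forwarding one is the 'plugging in one uplink blocked the other' symptom.
    """
    by_ts = defaultdict(dict)
    for ts, port, state in events:
        by_ts[ts][port] = state
    return [(ts, ports) for ts, ports in sorted(by_ts.items()) if len(ports) > 1]


if __name__ == "__main__":
    for ts, ports in correlated_changes(parse(LOG_LINES)):
        print(ts, ports)
```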

2 Replies

Level 5

Hi there,

Did you make sure that the switch ports are configured as access ports and not trunk?


Yes, all 4 are set to access mode.

