Spanning Tree design concepts/best practices for Catalyst switches

romanroma
Level 1

I have a need to create redundant links to other switches for a mesh topology; however, I know spanning tree would elect different interfaces as Root and Blocking ports, and I am new to tweaking STP. What are some good design practices you have used to make a single port always the primary elected interface, and to determine which interface will become active when the Blocking state changes?

Thank you

11 Replies

sdavids5670
Level 2

Do you have a diagram that you can share (and your desired end state)? Typically you'd use the "spanning-tree vlan ... priority" command at global configuration level, and "spanning-tree vlan ... cost" at the interface level, to control how STP converges differently than it would if left at the defaults.

@sdavids5670

So I have been doing my reading, and you mention 'VLANs'. PVST+ has a spanning tree database per VLAN; however, the documentation says STP cannot work on trunks. What does that mean exactly? Can I not get away with using STP to have a common path for the entire switch even when I have 20 VLANs, since I do not need to define a different path topology for each VLAN?

"...documentation says STP cannot work on trunks. What does that mean exactly?"

Without more context I cannot say for sure. Spanning tree protocol generally operates on all switchports, whether they are operational as access or trunk ports. The primary purpose of STP is to run on trunks, because its main job is to converge to a loop-free tree among a collection of switches interconnected by inter-switch links (which are usually trunk links).

It would really help to see a diagram. I will tell you that STP is typically confined to the access layer, and the most common type of deployment at the access layer in which tweaking is required is when there are two distribution switches and each access closet uplinks to both distribution switches, in essentially an inverted triangle (this is commonly known as the looped design). In this scenario, you tweak the STP configuration so that each distribution switch is the root bridge for some of the VLANs and roughly 50% of the traffic rides the uplink to each distribution switch. In practice it doesn't work this way, because people usually do not try to figure out what set of VLANs would result in an even split of traffic. Usually you'll just say something like "odd VLANs to switch one and even VLANs to switch two" or "data to switch one and voice to switch two".

Here is the topology I am trying to build. North of the switch, toward the firewalls, I should see one link in Blocking state. I am reading through the STP chapters; however, I have been on other projects, so I should be coming back to this build.

[image: topology.gif]

In this topology, as you have it wired, STP doesn't really even come into play, because there are two completely separate switches and all of the connected devices are edge devices. You still need STP enabled, but all ports will be forwarding. There's never going to be a blocking decision to be made. It would be different if you had the two Cisco switches connected via a trunk link.

How do these firewall clusters present an IP address when they have two separate network connections into the switch infrastructure?  That looks a little odd to me.

Only one side is up at a time, so the IP is only assigned to the active unit. It is a FortiGate N+1 cluster in an A/P deployment.

Since the two interfaces connected at the 'cluster' will be UP/UP, I was worried that the lower switch would see the same MAC address on two different interfaces, which is why I thought I would need STP. I could totally be wrong.

I'm not familiar with the details of how Fortinet does clustering, but I'd be surprised if the MAC used for the VIP is actively being sent by both the primary and standby firewall. Of course, all of the ports on the switch would have to be able to pass traffic between the primary and active firewall if those interfaces are also used to maintain the heartbeat/clustering protocol(s) that let them know which is primary. It would make sense for that traffic to use the physical (unique) MAC addresses that belong to each firewall's interface(s). Otherwise it would be problematic for the switch, as it would constantly have to update the MAC address table (which wouldn't make any sense).

Is there a dedicated interface between the primary/secondary firewalls to pass heartbeat/clustering traffic or is it all done inband?

There are two dedicated interfaces for heartbeat. A virtual switch-like construct sits at the edge of the FortiGate cluster; it is part of the virtualization, so I suspect that both uplinks to the downstream switches will be active, and that is why I thought there might be a spanning tree issue.

++Laugh++ I am not very familiar with the equipment either... it was inherited from a project. "Don't you just love when that happens."

Martin L
VIP

I have seen some examples somewhere in the Cisco docs... once I find them, I will post them; for now, I would recommend 3-4 chapters in the older CCNP official cert guide book from Cisco Press. Here are the key points:

1. Use Rapid STP with the command spanning-tree mode rapid (default is STP)

2. Determine the best switch to be the Root switch and set its Bridge Priority (spanning-tree vlan x priority 0)

3. Adjust port costs toward the Root switch (spanning-tree vlan x cost x)

STP decisions are based on the following sequence of four conditions:
1. Lowest root bridge ID
2. Lowest root path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID

Source: David Hucaby, CCNP_SWITCH_642-813_Official_Certification_Guide, Ciscopress, 2010

Regards, ML
**Please Rate All Helpful Responses **
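The following is an added example, not code from the original thread or from Cisco. It simulates the per-VLAN election that the posts above describe (the "looped" access design from the earlier reply, and the four-condition tie-break sequence from the list above) on a constructed three-switch topology: two distribution switches D1 and D2 joined by a trunk, and an access switch A1 dual-homed to both. Bridge IDs, MAC addresses and link costs are all made up for the example; costs assume the IEEE 802.1D short path-cost method (1 GigE = 4), which is what the "cost" values in the comments refer to. The priority overrides correspond to "spanning-tree vlan N priority P" in global configuration and the per-port cost override to "spanning-tree vlan N cost C" on the interface; the code only models the resulting BPDU comparison, not the IOS CLI.

```python
"""Per-VLAN STP root election and port-role simulation (added example).

Constructed topology (looped / inverted-triangle access design):
    D1 ---- D2        D1 port1 <-> D2 port1   (distribution trunk)
     \      /         A1 port1 <-> D1 port2   (access uplink)
      \    /          A1 port2 <-> D2 port2   (access uplink)
        A1
Every switch, MAC and cost below is constructed for illustration.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # Catalyst default bridge priority
PORT_PRIORITY = 128        # default port priority; port ID = (priority, port number)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int  # IEEE 802.1D short path cost; 4 == 1 GigE (assumed)


MACS = {"D1": "0000.0000.0001", "D2": "0000.0000.0002", "A1": "0000.0000.00a1"}
LINKS = [
    Link("D1", 1, "D2", 1, 4),
    Link("A1", 1, "D1", 2, 4),
    Link("A1", 2, "D2", 2, 4),
]


def bridge_id(switch, vlan, priorities, macs=MACS):
    """Bridge ID with extended system ID: (priority + VLAN, MAC as an integer).

    `priorities` models 'spanning-tree vlan <vlan> priority <p>' per switch.
    """
    pri = priorities.get(switch, DEFAULT_PRIORITY)
    return (pri + vlan, int(macs[switch].replace(".", ""), 16))


def run_stp(vlan, priorities, port_costs=None, links=LINKS, macs=MACS):
    """Return (root_switch, roles) where roles maps (switch, port) -> role.

    `port_costs` maps (switch, port) -> cost and models
    'spanning-tree vlan <vlan> cost <c>' applied on that interface.
    BPDUs are compared as tuples in exactly the four-condition order:
    (root bridge ID, root path cost, sender bridge ID, sender port ID).
    """
    port_costs = port_costs or {}
    ids = {s: bridge_id(s, vlan, priorities, macs) for s in macs}
    # Every bridge starts out believing it is the root.
    best = {s: (ids[s], 0, ids[s], (0, 0)) for s in macs}
    root_port = {s: None for s in macs}

    # Expand each link into its two directed (sender -> receiver) ends.
    ends = []
    for l in links:
        ends.append((l.a, l.a_port, l.b, l.b_port, l.cost))
        ends.append((l.b, l.b_port, l.a, l.a_port, l.cost))

    # Propagate BPDUs until nothing improves (the receiver adds the cost of
    # the port the BPDU arrived on, which is where a per-port cost override bites).
    changed = True
    while changed:
        changed = False
        for sender, sport, rcvr, rport, link_cost in ends:
            rx_cost = best[sender][1] + port_costs.get((rcvr, rport), link_cost)
            rx = (best[sender][0], rx_cost, ids[sender], (PORT_PRIORITY, sport))
            if rx < best[rcvr]:
                best[rcvr] = rx
                root_port[rcvr] = rport
                changed = True

    root = min(macs, key=lambda s: ids[s])
    roles = {}
    for sender, sport, rcvr, rport, _ in ends:
        if sport == root_port[sender]:
            roles[(sender, sport)] = "root"
            continue
        # On a shared segment the end advertising the superior BPDU is
        # designated; the other end is alternate (blocking).
        mine = (best[sender][0], best[sender][1], ids[sender], (PORT_PRIORITY, sport))
        theirs = (best[rcvr][0], best[rcvr][1], ids[rcvr], (PORT_PRIORITY, rport))
        roles[(sender, sport)] = "designated" if mine < theirs else "alternate"
    return root, roles


if __name__ == "__main__":
    # "Odd VLANs root on D1, even VLANs root on D2" split from the thread.
    for vlan, pri in ((10, {"D1": 4096, "D2": 8192}), (20, {"D1": 8192, "D2": 4096})):
        root, roles = run_stp(vlan, pri)
        print(f"VLAN {vlan}: root={root} A1/1={roles[('A1', 1)]} A1/2={roles[('A1', 2)]}")
    # Same VLAN 10 root, but A1's port 1 cost raised: A1 now blocks port 1 instead.
    root, roles = run_stp(10, {"D1": 4096, "D2": 8192}, {("A1", 1): 100})
    print(f"VLAN 10 with cost override: A1/1={roles[('A1', 1)]} A1/2={roles[('A1', 2)]}")
```

With D1 at priority 4096 for VLAN 10, A1 forwards on its D1 uplink and blocks the D2 uplink; swapping the priorities for VLAN 20 flips the blocked port, which is the odd/even split described above. Raising the cost on A1's D1-facing port alone (without touching priority) also moves the block, which is the interface-level knob the earlier reply mentioned. Note that the simulation shows only which port ends up blocking; it says nothing about how long convergence takes, which is why the list above recommends Rapid STP.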
