Solved: STP Interface Prio.Nbr question

AndreyPokorskiy · ‎09-21-2023

Hello Cisco Community!
Need to verify:
Two firewalls, one active and one passive, are connected to two physical ports on the core switch.
Both ports are access ports and are assigned to VLAN 4.
The inquiry is:
One port (Te2/2/1) passing no traffic at all, while the other (Te1/2/1) is connected to an active firewall and passing traffic.
Why does the traffic not use the second port?

switch_core#show spanning-tree vlan 4
VLAN0004
Spanning tree enabled protocol rstp
Root ID Priority 4100
Address xxxx.xxxxx.xxxx
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4100 (priority 4096 sys-id-ext 4)
Address xxxx.xxxxx.xxxx
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/2/1 Desg FWD 4 128.129 P2p
Te2/2/1 Desg FWD 4 128.1409 P2p

EAP-VSS-01#show interfaces Te1/2/1 | i rate
Queueing strategy: fifo
30 second input rate 92579000 bits/sec, 13119 packets/sec
30 second output rate 32886000 bits/sec, 8635 packets/sec
EAP-VSS-01#show interfaces Te2/2/1 | i rate
Queueing strategy: fifo
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec

Because the Interface cost is the same for both ports and Prio.Nbr for the port that is forwarding traffic Te1/2/1 is 128.129 and Te2/2/1 is higher 128.1409, I can infer that all traffic is solely forwarded via interface Te1/2/1.
Is that correct?
Please advise!

SIncerelly,
Andrey P.

Martin L · ‎09-21-2023

Yes, when it comes to STP operations, lower value wins and Sender value is considered; Lowest Bridge ID, lowest costs to Root, lowest Sender ID and lowest Sender Port ID wins. So, Neighboring non-root switch should make decision here after Root switch election is done. However, in your case of firewalls, I don't think Port ID and Port Priority is considered here; One, you have access link to device, not trunk. 2. device is firewall, not a switch. So, perhaps Firewall settings (active vs passive) has significant role here and makes decision on which port is used to forward traffic.

Regards, ML
**Please Rate All Helpful Responses **

View solution in original post

Martin L · ‎09-21-2023

Yes, when it comes to STP operations, lower value wins and Sender value is considered; Lowest Bridge ID, lowest costs to Root, lowest Sender ID and lowest Sender Port ID wins. So, Neighboring non-root switch should make decision here after Root switch election is done. However, in your case of firewalls, I don't think Port ID and Port Priority is considered here; One, you have access link to device, not trunk. 2. device is firewall, not a switch. So, perhaps Firewall settings (active vs passive) has significant role here and makes decision on which port is used to forward traffic.

Regards, ML
**Please Rate All Helpful Responses **

AndreyPokorskiy · ‎09-22-2023

Thank you Martin!

David Ruess · ‎09-21-2023

Hello,

Since both ports are in the forward state I'm not so sure STP has anything to do with it. I think the fact that the other firewall is passive may have something to do with it. Is your firewall passing traffic on that port?

-David

AndreyPokorskiy · ‎09-22-2023

Hello David!
However, I noticed numerous bits and packets on the interface that is facing the passive firewall even though it is not sending any data.
My ideas are that it occurs once the active firewall is offline and the passive firewall comes into play and begins passing traffic if there are any configuration issues.

Thank you David!!