09-20-2015 02:33 AM - edited 03-08-2019 01:52 AM
I have an SSL decrypter and IPS with the SSL device plugged into a Cisco 6xxx Switch. The decrypter has two interfaces (call them Net-1 and Net-2) connected to the switch and two interfaces that connect the IPS to the decrypter. The decrypter is doing VLAN bridging, so VLANs 501, 502, and 503 exist on Net-1. Net-1 plugs into trunk port te1/1. Net-2 bridges VLANs 601, 602, and 603 and is plugged into trunk port te1/2.
So basically I have something similar to a looped wire from te1/1 to te1/2 and am passing BPDUs. I'm not the network engineer but the security guy. I did a tcpdump from the IPS and watched the STP/BPDU packets flow.
Let me step back a bit. I also run an older Cisco IPS on a stick which is also doing VLAN bridging for these same VLANs. The packet capture I did on the Cisco IPS did not seem to show the passing of STP packets.
I'm replacing the Cisco IPS with the new SSL decryption and IPS solution. When the network engineer activated the ports for my new SSL/IPS solution, he did not remove the VLANs from the existing Cisco IPS on a stick, which caused some very unstable communications for all devices and VLANs connected to the 6xxx switch besides the ones I was bridging, and it did so in a very insidious way that was not, or did not seem to be, easily diagnosed. Anyway, that was resolved.
However, this environment has two 6xxx switches for redundancy, including a trunk link between the two for all the VLANs, interconnected links for state, etc. Only one is active and the other sits idly waiting. I installed my secondary SSL/IPS system - configured identically - to trunk ports te1/1 and 1/2 on the secondary switch, and the VLANs were removed from the secondary Cisco IPS on a stick (learned my lesson). However, within five minutes of enabling the secondary SSL/IPS system, communications were failing, systems were unavailable, the SSL decrypter no longer processed packets, etc.
Why?
I'm arguing that the switch ports my SSL/IPS system connects to should not participate in STP. I believe we are running PVST+, and thus with only one SSL/IPS in place the BPDUs seen on te1/1 and 1/2 on the primary switch were not alarming and did not cause spanning tree issues, because those seen on 1/1 were tagged 5xx and the BPDUs seen on 1/2 were tagged 6xx. Excuse my terminology and/or ignorance; I'm trying to define/explain the system, architecture, and behavior as best I can.
But when the secondary SSL/IPS on the secondary switch was enabled and passing BPDUs, I think the two 6xxx switches' spanning tree started going nuts, because I assume the BPDUs seen on te1/1 of each switch appeared identical in the sense of indicating a loop, as did those on te1/2 of each switch. The behavior was virtually identical to what we saw previously when the VLANs had not been removed from the old Cisco IPS on a stick and I activated the SSL/IPS solution on the primary switch.
The SSL/IPS solution cannot create a true switching loop because it is like a single wire connecting two switch ports. Yet to spanning tree it could appear that way if allowed to pass BPDUs. Or am I just so ignorant of spanning tree operation that I'm in right field, so to speak? So if it is a spanning tree issue on the part of my VLAN-bridging SSL/IPS system, how should the switch ports be configured to eliminate the passing of BPDUs? Am I asking the right question regarding STP? I would really appreciate any conceptual and real-world understanding that someone knowledgeable about this could pass along.
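As an added example (not the poster's code or a Cisco tool), here is a decoder for the PVST+ configuration BPDUs that the tcpdump on the IPS would show, so the frames on the Net-1 and Net-2 sides can be compared by sender bridge ID and originating VLAN: BPDUs on both sides from the same bridge MAC mean the switch is hearing its own BPDUs come back, which is what STP reads as a redundant link. It assumes the 35-byte 802.1D configuration BPDU body followed by Cisco's originating-VLAN TLV, and the sample BPDUs and MAC address are constructed.

```python
import struct

# 35-byte 802.1D configuration BPDU body (what follows the LLC/SNAP header).
BPDU_FMT = "!HBBB8sI8sHHHHH"


def bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, system-ID extension, MAC).
    On PVST+ the 12-bit extension carries the VLAN number."""
    field = struct.unpack("!H", raw[:2])[0]
    return field & 0xF000, field & 0x0FFF, raw[2:].hex(":")


def decode_pvst_bpdu(payload):
    """Decode a PVST+ config BPDU (bytes after the SNAP PID 0x010b header)."""
    if len(payload) < 35:
        raise ValueError("BPDU too short")
    (proto, _ver, btype, flags, root, cost, sender, port_id,
     _age, max_age, hello, _fwd) = struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or btype != 0:
        raise ValueError("not an STP configuration BPDU")
    info = {"flags": flags, "root": bridge_id(root), "root_path_cost": cost,
            "sender": bridge_id(sender), "port_id": port_id,
            "hello_secs": hello / 256, "max_age_secs": max_age / 256,
            "pvid": None}
    tlvs = payload[35:]  # PVST+ appends TLVs; type 0x0000, length 2 = PVID
    while len(tlvs) >= 4:
        t_type, t_len = struct.unpack("!HH", tlvs[:4])
        if t_type == 0 and t_len == 2:
            info["pvid"] = struct.unpack("!H", tlvs[4:6])[0]
        tlvs = tlvs[4 + t_len:]
    return info


def same_sender(a, b):
    """True when two decoded BPDUs were sent by the same bridge MAC."""
    return a["sender"][2] == b["sender"][2]


def build_pvst_bpdu(vlan, mac, priority=32768):
    """Constructed sample BPDU (not a real capture) for one VLAN instance."""
    bid = struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))
    body = struct.pack(BPDU_FMT, 0, 0, 0, 0, bid, 0, bid, 0x8001,
                       0, 20 * 256, 2 * 256, 15 * 256)
    return body + struct.pack("!HHH", 0, 2, vlan)


# Constructed: one switch (made-up MAC) sending on VLAN 501 (Net-1) and 601 (Net-2).
NET1_SAMPLE = build_pvst_bpdu(501, "00:1b:54:c2:aa:01")
NET2_SAMPLE = build_pvst_bpdu(601, "00:1b:54:c2:aa:01")
```

Feed it the BPDU payload from each side of the bridge; if `same_sender` is true across Net-1 and Net-2, the switch is receiving its own BPDUs through the decrypter.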
09-20-2015 01:54 PM
-
09-20-2015 06:03 PM
Because I'm not part of the network engineering team, no, I did not get a look at the state of the ports from an STP point of view.
The IPS connected to the SSL appliance is on a separate VLAN that is not seen by the rest of the network; that VLAN is specific and contained in the connections from the IPS to the SSL appliance. These devices do not switch/forward; they are a pass-through connection, but the SSL device does VLAN bridging to force traffic for specific VLANs through the IPS.
VLAN 6xx is the destination server farm.
Jon thanks for the thoughts.
12-29-2015 08:17 AM
Hi Richard,
Is this issue resolved? I am facing the exact same problem. Please reply.
Thanks and Regards
Shabeeb