02-22-2012 05:14 AM - edited 03-07-2019 05:06 AM
Hi,
I have two Cisco C2960 switches attached to each other using two ports configured as a port-channel. These are connected to two ASA5505's set up as active/standby. There are redundant connections between both switches and the firewalls. The firewalls are connected to another set of switches but by only a single link, one from one firewall to one of the switches and the other firewall to the other switch, please see the attached diagram.
There are two servers connected behind SWT03 and SWT04 which are on VLAN 47, and one server behind SWT01 and SWT02 on VLAN 47. As desired, SWT01 is the root for all VLANs on it except for VLAN 47, for which SWT03 should be the root. SWT01 does see the root for VLAN 47 through the firewall it is connected to. FWL01 (on top) is the primary and FWL02 (on the bottom) is in standby mode. I know that the ASA5505's do not support STP, but I also know that the ports on it can be used as switch ports, which is why I think I am seeing the issue. The issue is that SWT02 sees its port connected to FWL02 as the best path to the root and has put the port-channel into a blocking state. Please see the config output:
SWT01#sh spanning-tree vlan 47
VLAN0047
Spanning tree enabled protocol rstp
Root ID Priority 4143
Address 0027.0cd8.3780
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24623 (priority 24576 sys-id-ext 47)
Address 8cb6.4f78.7f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/6 Desg FWD 19 128.6 P2p Edge
Po1 Desg FWD 12 128.56 P2p
SWT02#sh spanning-tree vlan 47
VLAN0047
Spanning tree enabled protocol rstp
Root ID Priority 4143
Address 0027.0cd8.3780
Cost 22
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 28719 (priority 28672 sys-id-ext 47)
Address 8cb6.4f55.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/6 Desg FWD 19 128.6 P2p Edge
Po1 Altn BLK 12 128.56 P2p
FastEthernet0/1 on both switches is connected to its respective firewall, i.e. SWT01/01 is connected to FWL01 and SWT02/01 is connected to FWL02.
SWT02#sh spanning-tree blockedports
Name Blocked Interfaces List
-------------------- ------------------------------------
VLAN0047 Po1
Number of blocked ports (segments) in the system : 1
SWT02#sh run int port-channel 1
Building configuration...
Current configuration : 54 bytes
!
interface Port-channel1
switchport mode trunk
Does anyone know how I can correct this? Any help will be greatly appreciated.
Kind regards,
Chris
02-22-2012 02:53 PM
Just for clarification:
1. From swt02's perspective, is fa0/1 connected to top firewall or bottom?
2. Are you wanting swt02's root port for vlan 47 to go toward swt03?
Let's assume that swt02's f0/6 port is connected to the top firewall. F0/1 is showing to be the root port. You can just increase the cost to something abnormal on fa0/1 to get fa0/6 to be the root port. The port channel is blocking because the other side of the port channel on swt01 is the designated port for that segment. All of this is based off of cost too. If swt02 through the port channel's cost to get to the root is say (PO1 = 12, fa0/1 = 19, ASA's perspective to get to swt03 assuming 19: total 50 vs fa0/1 on swt02 cost of 19 to the asa's perspective of say 19: Total 38.)
Am I even on the right track?
03-05-2012 02:03 AM
Hi,
1. It is connected to the bottom firewall.
2. Yes, SWT03 needs to stay the root bridge. I want 'normal' behaviour from the firewalls, so, as FWL02 is the standby (I have checked), the switches should always see the root ports pointing towards the active firewall.
I hear what you are saying about increasing the path cost, but this behaviour is clearly not normal, so I was hoping to correct the issue without having to alter it. If I do alter the path cost then I have the chance of FWL01 still being the root port for the switches even when the firewalls fail over, which will just swap the issue around.
Thanks,
Chris
02-22-2012 08:26 PM
Hello Chris,
Based on your diagram, you have fully-meshed connectivity between SWT01, SWT02, FWL01 & FWL02. But based on your spanning-tree outputs, I am not seeing those interfaces in there. Were the outputs omitted? Please provide me those as well.
Is it possible for you to provide me the ASA interface configs + failover configs? Also, do you see the firewalls to be really in Active-Standby as desired? Basically this issue could happen when the ASAs see each other as ACTIVE-ACTIVE because of a failed heartbeat.
Thanks
Vivek
03-09-2012 08:48 AM
Hi Vivek,
Sorry about the delay on this answer but here is all the information I am sure you will need:
SWT01#
interface FastEthernet0/1
description FWL01A/01
switchport trunk allowed vlan 30,40,47,48
switchport mode trunk
speed 100
duplex full
interface FastEthernet0/7
description FWL01A/03 - FAILOVER
switchport access vlan 99
switchport mode access
speed 100
duplex full
spanning-tree portfast
SWT02#
interface FastEthernet0/1
description FWL01B/01
switchport trunk allowed vlan 30,40,47,48
switchport mode trunk
speed 100
duplex full
interface FastEthernet0/7
description FWL01B/03 - FAILOVER
switchport access vlan 99
switchport mode access
speed 100
duplex full
spanning-tree portfast
FWL01#
interface Vlan47
nameif MONE-TRU01
security-level 70
ip address 192.168.47.1 255.255.255.192 standby 192.168.47.2
interface Ethernet0/1
description SWT01/01
switchport trunk allowed vlan 30,40,47-48
switchport mode trunk
speed 100
duplex full
interface Ethernet0/6
description SWT03/07
switchport trunk allowed vlan 47-48,308
switchport mode trunk
speed 100
duplex full
This host: Primary - Active
Active time: 1998585 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
Interface outside (10.19.48.83): Normal
Interface DMZ-2 (192.168.30.1): Normal
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
Interface outside (10.19.48.84): Normal
Interface DMZ-2 (192.168.30.2): Normal
SWT03#
interface GigabitEthernet0/1
description SWT04/G01
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on
interface GigabitEthernet0/2
description SWT04/G02
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on
interface GigabitEthernet0/27
description FWL01/06
switchport trunk allowed vlan 47,48,308
switchport mode trunk
speed 100
duplex full
SWT03#sh spanning-tree vlan 47
VLAN0047
Spanning tree enabled protocol rstp
Root ID Priority 4143
Address 0027.0cd8.3780
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4143 (priority 4096 sys-id-ext 47)
Address 0027.0cd8.3780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/6 Desg FWD 4 128.6 P2p
Gi0/21 Desg FWD 19 128.21 P2p
Gi0/22 Desg FWD 19 128.22 P2p
Gi0/27 Desg FWD 19 128.27 P2p
Po1 Desg FWD 3 128.56 P2p
Po2 Desg FWD 3 128.64 P2p
SWT04#
interface GigabitEthernet0/1
description SWT03/G01
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on
interface GigabitEthernet0/2
description SWT03/G02
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on
interface GigabitEthernet0/27
description FWL01B/06
switchport trunk allowed vlan 47,48,308
switchport mode trunk
speed 100
duplex full
SWT04#sh spanning-tree vlan 47
VLAN0047
Spanning tree enabled protocol rstp
Root ID Priority 4143
Address 0027.0cd8.3780
Cost 3
Port 56 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 28719 (priority 28672 sys-id-ext 47)
Address 0027.0ce0.8f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5 Desg FWD 4 128.5 P2p
Gi0/21 Desg FWD 19 128.21 P2p
Gi0/22 Desg FWD 19 128.22 P2p
Gi0/27 Desg FWD 19 128.27 P2p
Po1 Root FWD 3 128.56 P2p
Po2 Desg FWD 3 128.64 P2p
I have also included a new image, sorry, when I revisited it I realized it was wrong, please note the failover VLAN is the only one allowed through the failover cable:
Thanks in advance,
Chris
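To make the cost arithmetic from the 02-22 reply concrete against the outputs Chris posted, here is a small replay of the RSTP root-port election on this topology. This is an added example, not something from the thread or from Cisco: the link table is constructed from the quoted show outputs (port costs 19 for FastEthernet, 3 for the 2x Gigabit port-channel on SWT03/SWT04, 12 for the 2x FastEthernet port-channel on SWT01/SWT02, and the bridge priorities and MACs as printed). Both ASA5505 units are modelled as transparent wires that forward BPDUs but add no cost, regardless of failover state; that assumption is what SWT02's reported cost of 22 implies, since 22 = 3 (SWT04's root path cost) + 19, a value SWT02 can only have learned through FWL02. The tie-break (sender bridge ID, then local port name) is a simplification of the real port-ID comparison, and the cost of 100 used in the "what if" run is an arbitrary value standing in for the "abnormal" cost the reply suggests.

```python
"""Replay of the RSTP root-port election for VLAN 47 on the thread's topology.

Constructed example (not from the original posts). Bridge IDs and per-port
costs are taken from the show outputs quoted in the thread. The two ASA5505
units are modelled as transparent links: their built-in switch ports forward
BPDUs without running STP, so they contribute no cost and do not appear as
bridges. Cost is charged at the *receiving* port, as STP does.
"""
import heapq

# (priority, MAC) from "show spanning-tree vlan 47"; the lowest tuple is the root.
BRIDGE_ID = {
    "SWT03": (4143, "0027.0cd8.3780"),
    "SWT04": (28719, "0027.0ce0.8f00"),
    "SWT01": (24623, "8cb6.4f78.7f00"),
    "SWT02": (28719, "8cb6.4f55.f600"),
}

# (bridge A, port on A, cost on A, bridge B, port on B, cost on B)
LINKS = [
    ("SWT03", "Po1", 3, "SWT04", "Po1", 3),
    ("SWT03", "Gi0/27", 19, "SWT01", "Fa0/1", 19),  # through FWL01 (active)
    ("SWT04", "Gi0/27", 19, "SWT02", "Fa0/1", 19),  # through FWL02 (standby)
    ("SWT01", "Po1", 12, "SWT02", "Po1", 12),
]


def adjacency(links):
    """adj[u] -> list of (neighbour v, v's port facing u, cost of that port on v)."""
    adj = {b: [] for b in BRIDGE_ID}
    for a, pa, ca, b, pb, cb in links:
        adj[a].append((b, pb, cb))
        adj[b].append((a, pa, ca))
    return adj


def elect(links, overrides=None):
    """Return {bridge: (root path cost, sender bridge ID, root port)}.

    overrides maps (bridge, port) -> cost, simulating
    'spanning-tree vlan 47 cost N' configured on that port.
    """
    overrides = overrides or {}
    adj = adjacency(links)
    root = min(BRIDGE_ID, key=BRIDGE_ID.get)
    best = {root: (0, None, None)}
    heap = [(0, BRIDGE_ID[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue  # stale heap entry
        for v, port, pcost in adj[u]:
            c = overrides.get((v, port), pcost)
            # STP preference order: lowest root path cost, then lowest sender
            # bridge ID; the port name stands in for the port-ID tie-break.
            cand = (cost + c, BRIDGE_ID[u], port)
            if v not in best or cand < best[v]:
                best[v] = cand
                heapq.heappush(heap, (cand[0], BRIDGE_ID[u], v))
    return best


def roles(links, overrides=None):
    """Return (election result, {(bridge, port): 'Desg' | 'Root' | 'Altn'})."""
    best = elect(links, overrides)
    out = {}
    for a, pa, ca, b, pb, cb in links:
        # On each segment the bridge advertising the lower (cost, bridge ID)
        # owns the designated port; the other side is Root or Alternate (blocked).
        a_key = (best[a][0], BRIDGE_ID[a])
        b_key = (best[b][0], BRIDGE_ID[b])
        desg, dport, other, oport = (a, pa, b, pb) if a_key < b_key else (b, pb, a, pa)
        out[(desg, dport)] = "Desg"
        out[(other, oport)] = "Root" if best[other][2] == oport else "Altn"
    return best, out


if __name__ == "__main__":
    runs = (
        ("as captured in the thread", None),
        ("with 'spanning-tree vlan 47 cost 100' on SWT02 Fa0/1", {("SWT02", "Fa0/1"): 100}),
    )
    for label, ov in runs:
        best, r = roles(LINKS, ov)
        print(f"--- {label}")
        for (br, port), role in sorted(r.items()):
            print(f"{br} {port:7} {role:4} root path cost {best[br][0]}")
```

The first run reproduces the posted state exactly: SWT02 reaches the root for 22 via Fa0/1 (3 + 19 through the standby ASA) against 31 via Po1 (SWT01's 19 + 12), so Po1 is Alternate/BLK on SWT02 and Designated on SWT01. The second run shows the reply's suggestion taking effect: once Fa0/1 on SWT02 costs 100, Po1 becomes SWT02's root port and Fa0/1 is the one blocked. The general point worth noting is that a device which forwards BPDUs without running STP (the ASA switch ports here) silently becomes part of the spanning-tree topology, so its paths need to be included in any cost review.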