I was trying to set up a Cisco IPS 4200 sensor which is connected to a Cisco switch. I have only one IPS and it has two ports connected to the same switch. Part of setting up the IPS inline interface mode is that the two interfaces on the IPS are bridged, which makes a loop, and spanning tree puts one end in blocking.
To pass traffic through the IPS you need to put the switch ports in different VLANs, so in my case one port is in VLAN 10 and the other in VLAN 110. With this configured the switch puts the port in VLAN 110 in blocking even though this is the only port that's in VLAN 110.
My question is, if you have a switch with a cable plugged into itself making a loop, but each port is in a different VLAN, will this always result in spanning tree blocking one port, or is this due to STP being in the wrong mode?
I was thinking that if the switch was in PVST mode then the BPDUs originating from different VLANs wouldn't cause the port to block, but obviously that's not the case, and I was wondering if someone could explain why this happens?
Thanks for reading.
Did you configure the ports on the switch as access ports? See the reference below on connecting the paired IPS ports to the same switch:
We are running this topology in our LAN (connecting an Allot box providing some QoS/load balancing).
And it works with no problem.
As Sean has pointed out, it's necessary to configure the ports as access ones, no trunks; remember that Cisco uses proprietary STP features on trunks while running PVST+, including the VLAN ID inside STP BPDUs.
Did you get any error message in your syslog when the switch was blocking the port?
I used the article that Sean posted as reference and made both ports access ports, with one in VLAN 10 and the other in VLAN 110, but the port assigned to VLAN 110 blocked. In my case I created VLAN 110 so I could move the VLAN default gateway into it and force inter-VLAN traffic through the IPS, but with the VLAN 110 port blocking, the ARP who-is for the gateway never reaches the SVI, so it never works.
Is there a specific STP mode the switch should run? I couldn't see any errors in the logs to help pinpoint the problem.
I wasn't sure if it would work, since the cable forms a loop and both interfaces are bridged, so BPDUs are going to be sent and received by the same switch and it will detect the loop? But if you say you have it working, I guess I have some config missing to make it work.
Is there any special config you have applied to the uplinks to your Allot box, or is it just a simple access port?
Thanks for the help.
No, nothing special.
Are you sure this is the only point where you are interconnecting both VLANs?
Don't forget STP will create a common tree from those two VLANs with one common root, so if they are connected in another place too, a loop could be created here.
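As an added example that is not part of this thread (and not from Cisco's IPS documentation), here is the switch-side configuration for the topology discussed above: an IPS inline pair with both ports on one switch, the inside port in VLAN 10 and the outside port in VLAN 110, with the gateway SVI moved into VLAN 110 as the original poster described. Because the IPS bridges the pair, the switch's own BPDUs (which, as noted above, carry the VLAN ID when running PVST+) come back in on the other port in a different VLAN, and the switch reacts by blocking. The example therefore filters BPDUs on the two IPS-facing access ports; that choice, the interface names, the VLAN names and the IP address are all assumptions made for illustration.

```cisco
! Added example, not from the thread. Assumptions: Cisco IOS switch running
! PVST+ (rapid-pvst), IPS inline pair cabled to Gi0/1 (inside) and Gi0/2
! (outside), VLAN IDs 10 and 110 as in the thread, SVI address made up.
spanning-tree mode rapid-pvst
!
vlan 10
 name inside
vlan 110
 name outside-ips
!
interface GigabitEthernet0/1
 description IPS inline pair - inside (VLAN 10)
 switchport mode access
 switchport access vlan 10
 ! Drop BPDUs in both directions on this port so the bridged pair does not
 ! feed the switch its own BPDUs with a mismatched VLAN ID. (Assumed fix.)
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
 description IPS inline pair - outside (VLAN 110)
 switchport mode access
 switchport access vlan 110
 spanning-tree bpdufilter enable
!
! Gateway SVI lives in VLAN 110 so hosts in VLAN 10 must cross the IPS
! to reach it. Address is a placeholder.
interface Vlan110
 ip address 192.0.2.1 255.255.255.0
 no shutdown
```

Before and after applying this, check what STP is actually doing: `show spanning-tree vlan 110` shows the port role and state for the outside port, `show spanning-tree inconsistentports` lists ports blocked for a PVID or type inconsistency, and `show logging | include SPANTREE` surfaces the block message if one was logged. The caveat from the last reply still applies: with BPDU filtering on these two ports, STP can no longer detect a loop through them, so make sure the IPS pair is the only path between VLAN 10 and VLAN 110 (for example, that no trunk elsewhere carries both VLANs to a switch that bridges them) before enabling it.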