Yeah SW3 port 1 is connected to the firewall. Thanks for that, starting to get a much clearer picture here. The thing is I don't really want the switch-to-firewall links blocked by STP, ideally I want them AND the inter-switch links forwarding so that traffic destined for the Internet or other VLANs can go via the firewall but traffic between servers on different switches but in the same VLAN can just go across the switch-switch link. From a loop point of view I think this should be doable? I just need to figure out if we can stop the firewall acting as a switch and passing traffic from one link to the other, right?
Thanks for the reply Aninda, Here's an excerpt from the Fortigate admin guide that might help - "The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is an IEEE 802.1 protocol that ensures there are no layer-2 loops on the network. Loops are created when there is more than one route for traffic to take and that traffic is broadcast back to the original switch. This loop floods the network with traffic, reducing available bandwidth to nothing. If you use your FortiGate unit in a network topology that relies on STP for network loop protection, you need to make changes to your FortiGate configuration. Otherwise, STP recognizes your FortiGate unit as a blocked link and forwards the data to another path. By default, your FortiGate unit blocks STP as well as other non-IP protocol traffic." I've also attached a screenshot which I "think" is telling us that Switch3 is acting as the root bridge? I looked at the four switches and all (except Switch3) are showing their Root Ports to be the physical interface that is connected to the Fortigate, but I suspect that is because the Fortigate switch is blindly forwarding on STP traffic so for instance Switch1 thinks it is talking to Switch3 through interface 2 but in reality it's going through the Fortigate on the way! Again maybe I'm wrong to be worried about this, but it seems like if the firewall wasn't to allow communication between the four links then at least three of the inter-switch links could be enabled to create paths between them to avoid the firewall... It's a great way to learn about STP if nothing else.
Hi guys, I'm new to a lot of these concepts so maybe I'm missing something obvious, but some input would be really appreciated! Basically I'm setting up a Fortigate firewall HA pair (active/passive) and four 2960S switches in our datacentre. There will be one Fortigate firewall and two switches per cabinet, with the cabinets linked by ethernet connections. The idea being that in say cabinet A a host could have two NICs with one connected to each switch, so if a switch fails in a cabinet it's no problem, and if a firewall fails in either cabinet it's no problem. I have it all in-place and it's working fine but I have a bit of a concern with how spanning-tree has set the links. I had envisaged lots of connections between all the switches and traffic could take the shortest route, but of course this is routing not switching, which became obvious when I started looking into STP. I've attached a diagram of how STP has enabled/disabled links. The Fortigate is configured with a four port software switch that the links from the four 2960s connect to. The problem in the attached diagram is that if servers on different switches want to talk to each other the traffic will be sent down the link to the Fortigate then back down another link to the relevant switch. It seems like a waste to take this route when there are (currently blocked) links between the switches themselves. The main thing I'm concerned about is the load it's going to put on the Fortigate if it has to software-switch all possible traffic in the network. Now of course the good thing here is if a switch fails STP should bring up another link to the Fortigate, and in reality most of the traffic on the network will be from servers to the Fortigate (not too much inter-server traffic) but that could change. Is there a way to fix this or should I not be concerned in the first place?
It seems like if I could stop the Fortigate acting as a switch then STP would enable all the inter-switch uplinks without creating loops and hence have more efficient paths between switches. Thanks for any help!
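To show why every root port in the screenshot points at the firewall, and what changes if the firewall stops bridging its four uplinks, here is a small added example (not from this thread, Cisco or Fortinet) that computes 802.1D port roles for a constructed four-switch topology; switch names, MACs, port numbers and path costs are assumed. It runs the election twice: once with the Fortigate software switch modelled as a single shared segment that floods BPDUs between all four uplinks, and once with each uplink modelled as a segment the firewall does not bridge.

```python
import heapq
# Constructed bridge IDs (priority, MAC); SW3 has the lowest ID, so it becomes
# root, as in the screenshot described above.
SWITCHES = {"SW1": (32768, "00:00:00:00:00:11"), "SW2": (32768, "00:00:00:00:00:12"),
            "SW3": (32768, "00:00:00:00:00:03"), "SW4": (32768, "00:00:00:00:00:14")}
# Gi1/0/1 = firewall uplink, Gi1/0/2 = peer in the same cabinet, Gi1/0/3 = other cabinet.
INTER_SWITCH = {"SW1-SW2": [("SW1", "Gi1/0/2"), ("SW2", "Gi1/0/2")],
                "SW3-SW4": [("SW3", "Gi1/0/2"), ("SW4", "Gi1/0/2")],
                "SW1-SW3": [("SW1", "Gi1/0/3"), ("SW3", "Gi1/0/3")],
                "SW2-SW4": [("SW2", "Gi1/0/3"), ("SW4", "Gi1/0/3")]}
# A software switch that floods BPDUs without running STP looks like one shared
# segment (a hub) joining all four uplinks.
BRIDGING_FW = {"FGT": [(sw, "Gi1/0/1") for sw in SWITCHES]}
# If the firewall did not bridge its ports, each uplink would be a segment with
# one bridge on it: always designated, never part of a loop.
NON_BRIDGING_FW = {sw + "-FGT": [(sw, "Gi1/0/1")] for sw in SWITCHES}
COST = 4  # 802.1D path cost of a 1 Gb/s port

def port_roles(switches, segments, cost=COST):
    """Return {(switch, port): 'root' | 'designated' | 'blocked'} for every port."""
    root = min(switches, key=switches.get)
    # Dijkstra from the root; a path is ranked the way STP ranks received BPDUs:
    # root path cost, then sender bridge ID, sender port, receiving port.
    best = {root: (0, switches[root], "", "")}
    heap = [(best[root], root)]
    while heap:
        key, b = heapq.heappop(heap)
        if key > best[b]:
            continue  # stale entry
        for members in segments.values():
            for _, sp in (m for m in members if m[0] == b):
                for rb, rp in (m for m in members if m[0] != b):
                    cand = (key[0] + cost, switches[b], sp, rp)
                    if rb not in best or cand < best[rb]:
                        best[rb] = cand
                        heapq.heappush(heap, (cand, rb))
    roles = {}
    for members in segments.values():
        # Designated port: lowest root path cost on the segment, then lowest bridge ID.
        desig = min(members, key=lambda m: (best[m[0]][0], switches[m[0]]))
        for b, p in members:
            roles[(b, p)] = ("designated" if (b, p) == desig
                             else "root" if b != root and best[b][3] == p else "blocked")
    return roles

def forwarding_links(roles, segments):
    """Names of segments on which every port is forwarding (no end blocked)."""
    return sorted(name for name, members in segments.items()
                  if all(roles[(b, p)] != "blocked" for b, p in members))
```

With the firewall bridging, SW1, SW2 and SW4 all pick Gi1/0/1 as root port and every inter-switch link ends up with one blocked end; with the uplinks not bridged, three of the four inter-switch links forward and all four firewall uplinks stay designated.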
Fair enough thanks, LAN Base it is! Can I ask one more question - am I mad to be considering the 2960 (10/100 only) rather than the 2960S (10/100/1000 on all ports)? The speed out of the datacentre is only 100MB/s and there isn't a huge amount of inter-datacentre communication but there would be some, but the datacentre Internet link will be going to gigabit in time. My impression seems to be that lots of people still use Cisco 10/100 switches as you often don't need Gigabit, but maybe I'm mistaken here. If I need to look at Gigabit then it looks like the WS-C2960S-24TS-L is the cheapest 24 port 2960S to go with that also has LAN Base? Thanks again, all your help is truly appreciated!
That's a very good point in fairness, I have contacted Cisco to see about refurbed equipment. I wonder if you could cast your eye down the thread to my last response at the bottom as I give some ideas about what I need the switches for there and you might be able to tell me if Lite is to be avoided or not, it would be hugely appreciated! The firewalls that will be in the cluster are Fortigates.
Karsten, Reza those two links are exactly what I was looking for thanks! So this of course raises another question from me. Most of the LAN Base features we will not need, the ones I would be concerned about are Flex Link and Link State Tracking which are not available in LAN Lite. The main purpose of all this is that if a switch fails VMware can route traffic to the second switch, and if a firewall in the firewall cluster fails (in which case the passive firewall node takes over the MAC of the primary) the switches will realise that the MAC address has "moved" and route traffic there. Now I "assume" I can do this with regular STP so don't necessarily need Flex Link or Link State Tracking but maybe you could confirm this for me if you know the answer? My understanding is FlexLink would be faster than STP in failing-over but to be honest the speed of failover isn't a big deal, it just needs to happen within a few minutes. Any thoughts on this? Obviously if I cannot get this failover working there'd be no point going for multiple switches in each cabinet so I need to get this part right. Thanks VERY much for the help so far!
Hi Karsten, Those switches are interesting and they do seem VERY well spec'd for the price involved. To be honest though I think it would be better for us to go down the Catalyst route as it will give us better experience with IOS which will be valuable down the road as we scale up. Do you happen to know if the LAN Lite software will be OK for us in the Catalyst route by any chance? It's basic stuff we want to do really, some VLANing and then it just needs to be able to handle switches failing and probably using STP to figure out different routes to the firewalls. I'm literally ready to hit "order" here but can find very little that compares LAN Lite to LAN Base or figure out if we will get away with Lite for now!
Hi leo, I took a look at some but to be honest I don't mind spending the money to get the right switch and have full warranty etc etc., I just don't want to buy switches that are double or quadruple the price I need to spend as that could be better spent on servers right now. Do you have any thoughts on the LAN Lite OS? I'm struggling big time to get to an answer here as I'm just not quite sure what I'm looking at.
Thanks for the reply Reza, your link doesn't seem to have come up though? The 2960s are pretty much all 10/100 anyway so I'm guessing this restriction of LAN Lite won't be an issue. I guess what I'm concerned about is that I'll get the LAN Lite version then start trying to set up some VLANs, VLAN trunking or the failover on the firewalls and find some key feature is missing and all the money on the switches is down the drain. Any thoughts appreciated!
Hi guys, I'll try to keep this as short as possible, any pointers and thoughts appreciated! I have two cabinets in a datacentre (with 12 CAT5 links available between them), at the moment I just have a single firewall and a very basic 3Com 2824 unmanaged gigabit switch in each cabinet that are connected together. This works perfectly as the traffic use is very light and is typically server->firewall->Internet rather than too much heavy inter-server traffic. I want to improve the redundancy and reliability however. So I plan to get two Fortigate firewalls, put them in a HA cluster and have one in each cabinet with connections to the WAN. The servers are all VMware so have multiple NICs teamed. The last bit then is between the VMware host servers and the firewalls - the switches. I'd like to have each server connected to two switches to give multiple paths, so I'm looking at two switches per cabinet. From doing a fair bit of reading it looks like I'll have no problem with this, STP should be able to sort out the multiple routes to whichever firewall is the active member at the time. There will be some need for basic VLANing as I would like to separate management traffic and certain servers, I wouldn't expect to exceed 5-10 VLANs. As I said the traffic is very light and from what I can tell I don't require any "fancy" features, and given that I need to buy four switches I'm trying to choose a switch that is reliable but will do the job and not much more. If we experience growth down the road then we can buy more expensive switches then. So I've been looking at the WS-C2960-48TT-S and the WS-C2960-48TT-L, the first using the LAN Lite software while the second uses the LAN Base. The LAN Base version is virtually twice the price so I'm wondering if there are any features of LAN Base that are required in my scenario, does anybody have any thoughts?
I've done quite a bit of reading but cannot really see a reason why LAN Lite should not work fine, but don't want to discover I missed something when it is too late. All input appreciated!