Forum Discussion
l00k3r_53179
Nimbostratus
NimbostratusMSTP issue with Cisco switch
Good morning everybody,
After months of passive reading, the time has come for my first forum post.
Hope this is the right section for this topic.To simplify my topology, I have an F5 3600 equipped with TMOS 10.2.4-build577, connected to a Cisco 2960 switch with two dot1q links: the former (VLAN 603) communicates with the public firewall, the latter (VLAN 600) with the private firewall.
I need Spanning tree because, actually, there are two LTM appliances in Active/Passive mode connected to the same switch stack.
Both F5's suffer the very same condition.
I previously tried with RSTP, but switched to MSTP hoping that separated instances would help.
On the surface, the second cable is blocking.
Some data might help:
- F5:
root@F5(Standby)(tmos) list net stp-globals
net stp-globals {
config-name MSTP-PFQ-PUB
config-revision 1
mode mstp
}
root@F5(Standby)(tmos) show running-config net stp
net stp 0 {
priority 49152
}
net stp 1 {
interfaces {
1.5 {
external-path-cost 20000
internal-path-cost 20000
}
}
priority 49152
vlans {
600
}
}
net stp 2 {
interfaces {
1.7 {
external-path-cost 20000
internal-path-cost 20000
}
}
priority 49152
vlans {
603
}
}
[root@F5:Standby] config bigpipe stp
STP MODE mstp
| Forward delay 15 Hello time 2 Max age 20 Transmit hold 6
| Max hops 20 Revision 1 ID MSTP-PFQ-PUB
+-> STP INSTANCE 0 priority 49152 root bridge 04:DA:D2:CC:B0:00
| | regional root bridge 00:01:D7:BE:E5:40
| | No topology changes
none+-> STP INSTANCE 1 priority 49152 regional root bridge 00:01:D7:BE:E5:40
| | No topology changes
| +-> STP VLAN 1/Int_Interco_Pub
| +-> STP INTERFACE 1/1.5
| | path cost 20000 priority 128 role master
| | state forward (forward) link p2p not edge - auto
+-> STP INSTANCE 2 priority 49152 regional root bridge 00:01:D7:BE:E5:40
| No topology changes
+-> STP VLAN 2/Ext_Interco_Pub3
+-> STP INTERFACE 2/1.7
| path cost 20000 priority 128 role alternate
| state block (block) link p2p not edge - auto
Switchshow version
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Switchshow spanning-tree mst configuration
Name [MSTP-PFQ-PUB]
Revision 1 Instances configured 3
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-400,402-510,512-599,601-602,604-4094
1 401,511,600
2 603
-------------------------------------------------------------------------------
Switchshow spanning-tree vlan 600
MST1
Spanning tree enabled protocol mstp
Root ID Priority 1
Address 04da.d2cc.b000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 1 (priority 0 sys-id-ext 1)
Address 04da.d2cc.b000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p
Po3 Desg FWD 20000 128.240 P2p
Gi2/0/2 Desg FWD 20000 128.56 P2p
Note: g1/0/1 is connected to F5 n.1, g2/0/2 to F5 n. 2 and po3 to the private firewall
Switchshow spanning-tree vlan 603
MST2
Spanning tree enabled protocol mstp
Root ID Priority 2
Address 04da.d2cc.b000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 2 (priority 0 sys-id-ext 2)
Address 04da.d2cc.b000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/7 Desg FWD 20000 128.7 P2p
Po5 Desg FWD 20000 128.256 P2p
Po6 Desg FWD 20000 128.264 P2p
Gi2/0/8 Desg FWD 20000 128.62 P2p
Note: g1/0/7 is connected to F5 n. 1, g2/0/8 to F5 n. 2 and po5-6 to the public firewall.
Maybe I misconfigured anything?
Did anybody ever face a similar issue? Thanks in advance.18 Replies
What_Lies_Bene1Cirrostratus
I think you may be misreading the F5's output, the correct root bridge is listed on line four of this output;STP MODE mstp | Forward delay 15 Hello time 2 Max age 20 Transmit hold 6 | Max hops 20 Revision 1 ID MSTP-PFQ-PUB +-> STP INSTANCE 0 priority 49152 root bridge 04:DA:D2:CC:B0:00 | | regional root bridge 00:01:D7:BE:E5:40 | | No topology changes none+-> STP INSTANCE 1 priority 49152 regional root bridge 00:01:D7:BE:E5:40- What_Lies_Bene1Can you provide the bigpipe stp ouput for the active F5 please. So far it's all looking OK to me.
l00k3r_53179Thanks What Lies Beneath for your quick response.
Well, yes I must have misunderstood F5's output. The fact is that for instances 1 and 2, the regional root bridge MAC address listed by F5 is itself, so I was confused:root@F5(Standby)(tmos) show net vlan Net::Vlan: 603 ------------------------------- Interface Name 603 Mac Address 0:1:d7:be:e5:44 Net::Interface Name Status Bits Bits Errs Errs Drops Drops Colli In Out In Out In Out sions ---------------------------------------------------------- 1.7 up 2.4G 1.4M 0 0 880.8K 0 0 Net::Vlan: 600 ------------------------------- Interface Name 600 Mac Address 0:1:d7:be:e5:45 Net::Interface Name Status Bits Bits Errs Errs Drops Drops Colli In Out In Out In Out sions --------------------------------------------------------- 1.5 up 8.5G 2.6G 0 0 1.9M 0 0As per the active F5... well at the moment they are both standby because I configured VLAN failsafe on both vlans.
This is the second F5's output:root@F5-2(Standby)(tmos) show net vlan Net::Vlan: 600 ------------------------------- Interface Name 600 Mac Address 0:1:d7:d4:77:85 Net::Interface Name Status Bits Bits Errs Errs Drops Drops Colli In Out In Out In Out sions ------------------------------------------------------------ 1.6 up 3.3G 536.7M 0 0 305.2K 0 0 Net::Vlan: 603 ------------------------------- Interface Name 603 Mac Address 0:1:d7:d4:77:84 Net::Interface Name Status Bits Bits Errs Errs Drops Drops Colli In Out In Out In Out sions ----------------------------------------------------------- 1.8 up 1.4G 12.0K 0 0 426.6K 0 0 [root@F5-2:Standby] config b stp STP MODE mstp | Forward delay 15 Hello time 2 Max age 20 Transmit hold 6 | Max hops 20 Revision 1 ID MSTP-PFQ-PUB +-> STP INSTANCE 0 priority 49152 root bridge 04:DA:D2:CC:B0:00 | | regional root bridge 00:01:D7:D4:77:80 | | No topology changes none+-> STP INSTANCE 1 priority 49152 regional root bridge 00:01:D7:D4:77:80 | | No topology changes | +-> STP VLAN 1/600 | +-> STP INTERFACE 1/1.6 | | path cost 20000 priority 128 role master | | state forward (forward) link p2p not edge - auto +-> STP INSTANCE 2 priority 49152 regional root bridge 00:01:D7:D4:77:80 | No topology changes +-> STP VLAN 2/603 +-> STP INTERFACE 2/1.8 | path cost 20000 priority 128 role alternate | state block (block) link p2p not edge - autoThe configuration is the same.
- What_Lies_Bene1Hmmm. Thanks for the outputs. The confusion is understandable. The fact you've used different ports on each F5 makes this harder to understand - is there a reason you didn't use 1.5 and 1.7 on both F5's?
Regardless, despite being more familiar with PVST and RSTP I find the output a bit odd. It would appear both devices are blocking on the VLAN603 interface and not at all on VLAN600. That would suggest no VLAN603 traffic is reaching the F5's and that there's possible a STP loop on VLAN600.
Could you paste the actual Cisco and F5 interface configurations please? - l00k3r_53179
Yes the truth is all the cables are in use: we are testing many different combinations.
Currently, ports 1.5 and 1.7 on both F5's are connected to physical switch n.1, while ports 1.6 and 1.8 to switch n.2. The unused interfaces are disabled/shutdown. Cisco interface configuration:
F5 interface configuration:interface GigabitEthernet1/0/1 description to F5-1:1.5 switchport trunk allowed vlan 600 switchport mode trunk switchport nonegotiate power inline never speed 1000 duplex full spanning-tree link-type point-to-point end ! interface GigabitEthernet2/0/2 description to F5-2:1.6 switchport trunk allowed vlan 600 switchport mode trunk switchport nonegotiate power inline never speed 1000 duplex full spanning-tree link-type point-to-point end ! ! interface GigabitEthernet1/0/7 description "to F5-1:1.7" switchport trunk allowed vlan 603 switchport mode trunk switchport nonegotiate power inline never speed 1000 duplex full spanning-tree link-type point-to-point end ! interface GigabitEthernet2/0/8 description "to F5-2:1.8" switchport trunk allowed vlan 603 switchport mode trunk switchport nonegotiate power inline never speed 1000 duplex full spanning-tree link-type point-to-point endroot@F5-1(Standby)(tmos) list net interface 1.5 net interface 1.5 { mac-address 0:1:d7:be:e5:48 media-active 1000T-FD media-max 1000T-FD stp-edge-port false stp-link-type p2p } root@F5-2(Standby)(tmos) list net interface 1.6 net interface 1.6 { mac-address 0:1:d7:d4:77:89 media-active 1000T-FD media-max 1000T-FD stp-edge-port false stp-link-type p2p } root@F5-1(Standby)(tmos) list net interface 1.7 net interface 1.7 { mac-address 0:1:d7:be:e5:4a media-active 1000T-FD media-max 1000T-FD stp-edge-port false stp-link-type p2p } root@F5-2(Standby)(tmos) list net interface 1.8 net interface 1.8 { mac-address 0:1:d7:d4:77:8b media-active 1000T-FD media-max 1000T-FD stp-edge-port false stp-link-type p2p } - What_Lies_Bene1OK, I'm totally confused now. So, there are two switches not one, OK. And 1.5 and 1.7 on both F5s go to SW1, 1.6 and 1.8 on both F5's go to SW2. That being the case why do the outputs that you are posting only show two interfaces in the bigpipe stp output? Surely it should be four per device?
- l00k3r_53179
Sorry, I am having problems with the editor's tags.
Anyway, yes, there are two F5's and two switches, but the switches are in stack so they actually behave as one, which is the reason why I mentioned one at the beginning.
I sort of fixed the above output's tags so the output should be readable now.
The two interfaces per physical switch and two interfaces per F5 are listed.
The disabled/shutdown links are not displayed.
BTW, while the editor is loading, I see HTML tags along with the text. Is there a way to use the editor in text mode, so I can edit the tags properly? - What_Lies_Bene1No idea regarding the editor I'm afraid, I normally just put everything in code tags. I'm still unclear, is this statement true or not as your outputs do not support it?
Currently, ports 1.5 and 1.7 on both F5's are connected to physical switch n.1, while ports 1.6 and 1.8 to switch n.2. - l00k3r_53179
Yes, I confirm: as per the physical topology, the interfaces between the F5's and the Cisco switches are as follows:
F5 n. 1
1.5 ----> switch n. 1 g1/0/1 UP
1.6 ----> switch n. 2 g2/0/1 SHUTDOWN
1.7 ----> switch n. 1 g1/0/7 UP
1.8 ----> switch n. 2 g2/07 SHUTDOWN
F5 n. 2
1.5 ----> switch n. 1 g1/0/2 SHUTDOWN
1.6 ----> switch n. 2 g2/0/2 UP
1.7 ----> switch n. 1 g1/0/8 SHUTDOWN
1.8 ----> switch n. 2 g2/0/8 UP
However, I fear this complicates things in vain, because said ports are disabled/shutdown, so they are not doing any harm. - What_Lies_Bene1OK, that finally makes sense. So, we're back to where I started, with both the interface in VLAN603 blocking on each F5 and apparently no ports blocking for VLAN600 anywhere. That possibly makes sense for VLAN 600 as there are no loops that I can tell based on what you've told me.
For VLAN603 I see there are two port channels to the external firewall, why is that? Is the firewall participating in STP in any way? Are there any other L2 devices involved?
