Forum Discussion
l00k3r_53179
Nimbostratus
NimbostratusMSTP issue with Cisco switch
Good morning everybody,
After months of passive reading, the time has come for my first forum post.
Hope this is the right section for this topic.To simplify my topology, I have an F5 3600 equipped with TMOS 10.2.4-build577, connected to a Cisco 2960 switch with two dot1q links: the former (VLAN 603) communicates with the public firewall, the latter (VLAN 600) with the private firewall.
I need Spanning tree because, actually, there are two LTM appliances in Active/Passive mode connected to the same switch stack.
Both F5's suffer the very same condition.
I previously tried with RSTP, but switched to MSTP hoping that separated instances would help.
On the surface, the second cable is blocking.
Some data might help:
- F5:
root@F5(Standby)(tmos) list net stp-globals
net stp-globals {
config-name MSTP-PFQ-PUB
config-revision 1
mode mstp
}
root@F5(Standby)(tmos) show running-config net stp
net stp 0 {
priority 49152
}
net stp 1 {
interfaces {
1.5 {
external-path-cost 20000
internal-path-cost 20000
}
}
priority 49152
vlans {
600
}
}
net stp 2 {
interfaces {
1.7 {
external-path-cost 20000
internal-path-cost 20000
}
}
priority 49152
vlans {
603
}
}
[root@F5:Standby] config bigpipe stp
STP MODE mstp
| Forward delay 15 Hello time 2 Max age 20 Transmit hold 6
| Max hops 20 Revision 1 ID MSTP-PFQ-PUB
+-> STP INSTANCE 0 priority 49152 root bridge 04:DA:D2:CC:B0:00
| | regional root bridge 00:01:D7:BE:E5:40
| | No topology changes
none+-> STP INSTANCE 1 priority 49152 regional root bridge 00:01:D7:BE:E5:40
| | No topology changes
| +-> STP VLAN 1/Int_Interco_Pub
| +-> STP INTERFACE 1/1.5
| | path cost 20000 priority 128 role master
| | state forward (forward) link p2p not edge - auto
+-> STP INSTANCE 2 priority 49152 regional root bridge 00:01:D7:BE:E5:40
| No topology changes
+-> STP VLAN 2/Ext_Interco_Pub3
+-> STP INTERFACE 2/1.7
| path cost 20000 priority 128 role alternate
| state block (block) link p2p not edge - auto
Switchshow version
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Switchshow spanning-tree mst configuration
Name [MSTP-PFQ-PUB]
Revision 1 Instances configured 3
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-400,402-510,512-599,601-602,604-4094
1 401,511,600
2 603
-------------------------------------------------------------------------------
Switchshow spanning-tree vlan 600
MST1
Spanning tree enabled protocol mstp
Root ID Priority 1
Address 04da.d2cc.b000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 1 (priority 0 sys-id-ext 1)
Address 04da.d2cc.b000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p
Po3 Desg FWD 20000 128.240 P2p
Gi2/0/2 Desg FWD 20000 128.56 P2p
Note: g1/0/1 is connected to F5 n.1, g2/0/2 to F5 n. 2 and po3 to the private firewall
Switchshow spanning-tree vlan 603
MST2
Spanning tree enabled protocol mstp
Root ID Priority 2
Address 04da.d2cc.b000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 2 (priority 0 sys-id-ext 2)
Address 04da.d2cc.b000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/7 Desg FWD 20000 128.7 P2p
Po5 Desg FWD 20000 128.256 P2p
Po6 Desg FWD 20000 128.264 P2p
Gi2/0/8 Desg FWD 20000 128.62 P2p
Note: g1/0/7 is connected to F5 n. 1, g2/0/8 to F5 n. 2 and po5-6 to the public firewall.
Maybe I misconfigured anything?
Did anybody ever face a similar issue? Thanks in advance.18 Replies
l00k3r_53179Also the firewalls are configured in active/passive cluster, and they use dot1q subinterfaces.
No [m]stp-related commands available there, but they behave as expected, all their interfaces are up, and respective active/passive failover is working properly.
No other switches involved in this part of the network.
What_Lies_Bene1Cirrostratus
OK, it's interesting that it's the higher numbered interfaces that are both blocking. Can you provide the output of this command from the switch please;show spanning-tree mst- l00k3r_53179Here is the switch output:
Switchshow spanning-tree mst MST0 vlans mapped: 1-400,402-510,512-599,601-602,604-4094 Bridge address 04da.d2cc.b000 priority 0 (0 sysid 0) Root this switch for the CIST Operational hello time 2 , forward delay 15, max age 20, txholdcount 6 Configured hello time 2 , forward delay 15, max age 20, max hops 20 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Gi1/0/1 Desg FWD 20000 128.1 P2p Gi1/0/7 Desg FWD 20000 128.7 P2p Gi1/0/37 Desg FWD 20000 128.37 P2p Gi1/0/38 Desg FWD 20000 128.38 P2p Edge Gi1/0/39 Desg FWD 20000 128.39 P2p Edge Gi1/0/45 Desg FWD 20000 128.45 P2p Edge Gi1/0/48 Desg FWD 20000 128.48 P2p Edge Po1 Desg FWD 20000 128.224 P2p Po2 Desg FWD 20000 128.232 P2p Po3 Desg FWD 20000 128.240 P2p Po5 Desg FWD 20000 128.256 P2p Po6 Desg FWD 20000 128.264 P2p Gi2/0/2 Desg FWD 20000 128.56 P2p Gi2/0/4 Desg FWD 20000 128.58 P2p Gi2/0/8 Desg FWD 20000 128.62 P2p Gi2/0/37 Desg FWD 20000 128.91 P2p Gi2/0/38 Desg FWD 20000 128.92 P2p Edge Gi2/0/39 Desg FWD 20000 128.93 P2p Edge Gi2/0/45 Desg FWD 20000 128.99 P2p Edge Gi2/0/48 Desg FWD 20000 128.102 P2p Edge MST1 vlans mapped: 401,511,600 Bridge address 04da.d2cc.b000 priority 1 (0 sysid 1) Root this switch for MST1 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Gi1/0/1 Desg FWD 20000 128.1 P2p Gi1/0/39 Desg FWD 20000 128.39 P2p Edge Po1 Desg FWD 20000 128.224 P2p Po2 Desg FWD 20000 128.232 P2p Po3 Desg FWD 20000 128.240 P2p Po5 Desg FWD 20000 128.256 P2p Po6 Desg FWD 20000 128.264 P2p Gi2/0/2 Desg FWD 20000 128.56 P2p Gi2/0/4 Desg FWD 20000 128.58 P2p Gi2/0/39 Desg FWD 20000 128.93 P2p Edge MST2 vlans mapped: 603 Bridge address 04da.d2cc.b000 priority 2 (0 sysid 2) Root this switch for MST2 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Gi1/0/7 Desg FWD 20000 128.7 P2p Po5 Desg FWD 20000 128.256 P2p Po6 Desg FWD 20000 128.264 P2p Gi2/0/4 Desg FWD 20000 128.58 P2p Gi2/0/8 Desg FWD 20000 128.62 P2p - What_Lies_Bene1Thanks. I see Po5 and 6 are configured in both instance 1 and 2, is there a reason for that? Also, shouldn't Po3, 5 and 6 be configured as edge ports?
- l00k3r_53179Po5 and 6 are connected to public firewall and they both carry vlan 511 and 603.
Po3 connected to private firewall instead with vlans 511, 600.
Since the firewall interfaces forward dot1q tagged frames, I did not configure them as edge.
Thank you very much for your endurance. - What_Lies_Bene1As long as the far end isn't participating in STP then you can enabled edge; this might converge quicker if you do.
Do you actually have L3 connectivity between the ext firewall and the F5s over VLAN 603. I can't see why it's blocking on both F5s but perhaps it's not an issue anyway? - l00k3r_53179Yes the public firewall is using dot1q subinterfaces with IP address, and the same is true for F5.
At the end, I have removed STP from the F5.
Right now it is working properly, since the cluster is active/passive and accidental loops should be avoided in case of failover issues because active role preemption is not configured.
I am performing several tests, I will post back in case of problems.
Thanks again for the support. - What_Lies_Bene1OK, probably a good choice. You're welcome.
