dual 6500 with fwsm

Unanswered Question
Aug 7th, 2008

We have dual 6500 switches with FWSM installed. We have configured rapid spanning tree as well. Two VLANs were created within FWSM. Everything works fine with a single switch.

But soon after the second switch is connected, the ping traffic between VLANs is not disturbed, but telnet sessions between them get interrupted intermittently.

What could be the possible reason?

Farrukh Haroon Thu, 08/07/2008 - 11:26

Have you set spanning-tree priority on the first core to zero and 4096 on the second core?

Also can you post the output of 'show failover' from both FWSMs?

Regards

Farrukh

nkariyawasam Thu, 08/07/2008 - 20:44

Thanks for the reply.

I have "spanning-tree vlan 10 priority 8192" in core switch A and "spanning-tree vlan 10 priority 16384" in the second switch.

sh failover said "other host failed", but I couldn't do much troubleshooting because we had to remove the interswitch link ASAP to restore the traffic disruption in the live network. We need to take a downtime to test this. As far as the FWSM config, there has been an addition of new ACLs in Core A which has not been reflected in Core B.

a. Can this happen due to non-synchronized configs in the FWSM?

b. We have rapid PVST enabled on the core. Some access switches still do not have this feature enabled. Can this also be a problem?

Farrukh Haroon Fri, 08/08/2008 - 02:50

Run a spanning tree type that can be supported in the whole network (all switches). Otherwise what is the use of it?

Secondly, try to make sure that your failover VLAN is present on 'both' core switches and is in 'ACTIVE' state. Then, before enabling failover, try to ping the secondary failover IP (of the failover interface) from the active/primary unit and vice versa. Only then 'enable' failover. If the failover link is not working, both devices will become active and start replying to ARP requests for the active IP address.

Regards

Farrukh
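The two checks raised in this thread, the STP root priority on the cores and the failover VLAN being present and active on both switches before failover is enabled, can be put together as a configuration and verification sequence. The following is an added example for illustration; it is not configuration from the original poster or from Cisco. It assumes single-context mode, the FWSM in slot 3, VLAN 10 as the data VLAN from the thread, and made-up failover VLAN 101, state VLAN 102, the 10.1.1.0/30 and 10.1.2.0/30 addresses, the interface names folink/statelink and Port-channel1 as the inter-switch trunk.

```text
! --- Core A and Core B supervisor (native IOS), both switches ---
! Every VLAN the FWSM uses must exist (state active) on BOTH cores,
! including the failover and state VLANs, and must cross the trunk.
vlan 10
 name inside
vlan 101
 name fwsm-failover     ! assumed VLAN number
vlan 102
 name fwsm-state        ! assumed VLAN number
!
firewall vlan-group 1 10,101,102
firewall module 3 vlan-group 1     ! slot 3 is an assumption
!
interface Port-channel1            ! assumed inter-switch trunk
 switchport trunk allowed vlan add 10,101,102
!
! Root placement from the thread: Core A wins VLAN 10, Core B is backup.
! (Core A)  spanning-tree vlan 10 priority 8192
! (Core B)  spanning-tree vlan 10 priority 16384
!
! Verify on each core before touching the FWSM:
!   show vlan id 101          -> Status must be "active"
!   show interfaces trunk      -> 10,101,102 allowed and active on Po1
!   show spanning-tree vlan 10 -> Core A reports "This bridge is the root"

! --- FWSM, primary unit (secondary uses "failover lan unit secondary") ---
failover lan unit primary
failover lan interface folink Vlan101
failover interface ip folink 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover link statelink Vlan102
failover interface ip statelink 10.1.2.1 255.255.255.252 standby 10.1.2.2
!
! Reachability test BEFORE enabling failover, from each unit towards the
! other (the addresses are swapped on the secondary):
!   ping 10.1.1.2
!   show arp                  -> peer's failover MAC should be learned
!
! Only once both directions answer:
failover
!
! Afterwards "show failover" should report the peer as "Standby Ready",
! never "other host failed"; that message means the units cannot hear
! each other and both may go active and answer ARP for the same address.
```

The order matters: the VLANs are created and trunked first, the failover interfaces are addressed next, the peer is pinged in both directions, and `failover` is entered last. Leaving the failover VLAN off the trunk or off one core's `firewall vlan-group` is the usual cause of the "other host failed" state described later in this thread.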

Jon Marshall Fri, 08/08/2008 - 03:14

Farrukh

Just for info, there can be quite valid reasons why you might run RSTP and PVST+ on your switched network.

For example if all your core/distro and access-layer switches can run RSTP but you have a couple of other access-layer switches that don't support RSTP.

If you can isolate the vlans that are on the non-RSTP switches to just those switches + the switches they uplink to you still get the benefits of RSTP for all other vlans.

If however your non-RSTP switches have all vlans present then all vlans in your switched infrastructure would revert to PVST+ timings and you don't benefit much.

It really depends on how many non-RSTP switches you have and the distribution of the vlans but there may be occasions where it can be useful to run both, although obviously the ideal is to have all RSTP enabled switches.

Jon

Farrukh Haroon Fri, 08/08/2008 - 05:40

Thank you for the detailed explanation Jon.

All I just meant with 'same' was compatible spanning tree. SPT that works :). Since this is not a part of Netpro that deals with switching, I opted not to go into switching details.

Regards

Farrukh

Jon Marshall Fri, 08/08/2008 - 05:48

"Since this is not a part of Netpro that deals with switching, I opted not to go into switching details"

Good point, I spend so much time in the LAN Switching and Routing Forum I sometimes forget where I am :-).

Jon

nkariyawasam Mon, 08/11/2008 - 02:11

Thanks for the valuable answers;

Please excuse me for asking this STP question here, because my situation is combined with FWSM, and since we have gone long on this thread, please let me ask one more question;

1. I have VLAN 10 on FWSM. It is present in both switches. All failover VLANs and Status VLANs are also active in both switches.

2. I have VLAN 20 and 30 on MSFC.

3. One access switch has ports configured for VLAN 10. RPVST is also enabled.

4. The other access switch has ports for VLAN 20 and 30, but only PVST configured. But its VLAN database contains all VLANs including VLAN 10.

Can this mix of switches cause traffic on VLAN 10 to be disturbed?

In the actual scenario, we are experiencing traffic disturbance. Is it something to do with STP, or can it be something wrong in the FWSM?

(Please also note that even though the failover and status VLANs are active, the "show failover" command says "other host failed".)

Farrukh Haroon Mon, 08/11/2008 - 02:19

Can you ping the failover interface IP for the secondary unit?

Do you see its MAC in the 'show arp' output?

Are you running the firewall in single context mode or multiple?

Regards

Farrukh
