cisco 3750 config

Answered Question
Jun 29th, 2010

Hi All,


I have a pair of cisco 3750 stacked. They are connected to 2 different firewalls  via each switch. The firewalls are running on a active-active setup.


The configuration on the ports level on the switches is as below:


interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
end


interface GigabitEthernet2/0/51
 switchport access vlan 2
 switchport mode access
end


The default route is

ip route 0.0.0.0 0.0.0.0 10.0.0.1 // 10.0.0.1 is the VIP on the firewall


When I unplug a cable from either of the ports, the connectivity between the firewalls and switches goes down. Is there any issue with the configurations on the switches?


John Blakley Tue, 06/29/2010 - 12:00

Do you have a cable between the firewalls for failover, or do you only have one cable from each firewall into the switch? What is the physical layout of the firewalls and switches, and can you post your failover config of the ASA?



HTH,

John

noobieee7 Tue, 06/29/2010 - 12:09

Hi John,


There is a cable between the firewalls for fail over.


The layout is as below:


Switch 1 ----- FW 1
   |              |
stacked     failover cable
   |              |
Switch 2 ----- FW 2


The firewall is not ASA.


May I know if there is any issue with the config on the switches end?

Correct Answer
John Blakley Tue, 06/29/2010 - 12:12

The config looks fine on the switch. Are you using virtual mac addresses too, or can you?


John

noobieee7 Tue, 06/29/2010 - 12:19

Hi John,


I am not using virtual MAC addresses. I just wanted to make sure the configs are fine on the switches so that I can verify with my SP that everything is set correctly on the FW.


Regards

Correct Answer
gatlin007 Tue, 06/29/2010 - 15:35

Try 'spanning-tree portfast' on each of the access switchports.



Chris

noobieee7 Wed, 06/30/2010 - 01:42

Hi Chris,


Thanks for the advice, but I believe that the command only allows STP to skip the listening and learning stages. During the redundancy test, I waited quite some time, but the traffic did not go through the active port.

hobbe Wed, 06/30/2010 - 02:36

Hi

Yes, the switches, as far as I can see, look just fine.



interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
end


interface GigabitEthernet2/0/51
 switchport access vlan 2
 switchport mode access
end



What this does is set ports 1/0/51 and 2/0/51 into VLAN 2 and declare that the link from those ports talks to an endpoint device.

I.e. no trunking or multiple VLANs are possible on those ports.

That is, as far as we know, just fine; no problems there. This is Layer 2 only, no routing or anything fancy.


What you can do for your own benefit is to add a description.

Go to port 1/0/51 and add, for example:

description firewall alpha internal interface

and to port 2/0/51:

description firewall beta internal interface

or whatever you want to call your firewalls.

This makes it easier for you with documentation and such, and it is easier to locate problems at a glance.

It's just a good practice I have learned over the years.


So now to the other part.

You state that when you unplug a cable from the internal network between one of the firewalls and the switches, they all go down.

This behaviour, I would actually state, must come from the firewalls themselves.

The switch does not shut down a link to an endpoint device (server/router/firewall/PC and so on) just because you remove a cable on another port.

There is no connection like that: link up yes, but not link down.


My guess is that both of the firewalls try to re-initiate contact on the internal ports and fail to find their peer (the cable is disconnected and the link between them is broken on one side).


Now here is a question: does it resolve itself after a while? I.e. the remaining connected firewall link turns yellow, turns green after 30 sec, and then starts to work again?

IF this is the case, then I would state that you are running spanning-tree, and this is the normal behaviour of spanning tree for a link-up event (disconnecting and connecting a network cable, or shutdown/up of a NIC or switchport).


IF it starts to work, you can shorten the 30 sec delay in 2 ways: you can either start using PVST+ and use portfast.

This is what I personally would do, since you have loads of other benefits too.

Or

you can use portfast on the ports directly.

What you do when you set the ports to portfast in normal spanning tree is basically tell the switch that there will never be a switch connected to this port and it does not have to check for a loop.

The same command in PVST+ does actually check for loops, but it's a lot faster.


However, IF it still does not work after a while, i.e. the firewalls still do not pass traffic, I would come to the conclusion that there is a problem with the firewall setup.


Good luck


HTH
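As an added check, not from the thread or any of its posters, here is a small Python audit in the spirit of hobbe's two suggestions: it parses IOS-style interface blocks like the ones posted above and reports which access-mode ports still lack a description or spanning-tree portfast. The embedded sample config is constructed to mirror the two stacked-3750 ports in the question, with the second port already carrying both tweaks.

```python
import re

# Constructed sample in the thread's own format: the two stacked-3750 access
# ports, one still bare and one already carrying the suggested tweaks.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
end
!
interface GigabitEthernet2/0/51
 description firewall beta internal interface
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
end
"""

# Lines that are wanted on every access port facing an end device.
WANTED = {
    "description": re.compile(r"^description\s+\S"),
    "spanning-tree portfast": re.compile(r"^spanning-tree portfast\b"),
}


def parse_interfaces(config):
    """Split an IOS config into {interface name: [stripped lines]} blocks."""
    blocks, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            name = m.group(1)
            blocks[name] = []
        elif line in ("end", "!"):
            name = None  # block terminator, as in the posted snippets
        elif name is not None and line:
            blocks[name].append(line)
    return blocks


def audit_access_ports(config):
    """Return {interface: [missing items]} for access-mode ports only."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk or routed ports are out of scope here
        missing = [k for k, rx in WANTED.items()
                   if not any(rx.match(l) for l in lines)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: add {', '.join(missing)}")
```

Run it against the output of `show running-config` saved to a file instead of the constructed sample to audit a real stack.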

noobieee7 Fri, 07/02/2010 - 06:22

Hi Hobbe,


Thanks for your advice. STP is not the issue here. I am waiting for my Service Provider to get back to me. I suspect that they might have terminated my fiber connection via a media converter, hence resulting in the issue of returning traffic not getting through, as the firewall sees an "up" state between the media converter and itself while in actual fact the link is down.
