06-29-2010 11:28 AM - edited 03-04-2019 08:55 AM
Hi All,
I have a pair of Cisco 3750s stacked. They are connected to 2 different firewalls via each switch. The firewalls are running in an active-active setup.
The configuration on the ports level on the switches is as below:
interface GigabitEthernet1/0/51
switchport access vlan 2
switchport mode access
end
interface GigabitEthernet2/0/51
switchport access vlan 2
switchport mode access
end
The default route is
ip route 0.0.0.0 0.0.0.0 10.0.0.1 // 10.0.0.1 is the VIP on the firewall
When I unplug a cable from either of the ports, the connectivity between the firewalls and switches goes down. Is there any issue with the configuration on the switches?
06-29-2010 12:00 PM
Do you have a cable between the firewalls for failover, or do you only have one cable from each firewall into the switch? What is the physical layout of the firewalls and switches, and can you post your failover config of the ASA?
HTH,
John
06-29-2010 12:09 PM
Hi John,
There is a cable between the firewalls for fail over.
The layout is as below:
Switch 1 ----- FW 1
   |              |
stacked     failover cable
   |              |
Switch 2 ----- FW 2
The firewall is not ASA.
May I know if there is any issue with the config on the switches end?
06-29-2010 12:12 PM
The config looks fine on the switch. Are you using virtual mac addresses too, or can you?
John
06-29-2010 12:19 PM
Hi John,
I am not using virtual MAC addresses. I just wanted to make sure the configs are fine on the switches so that I can verify with my SP that everything is set correctly on the FW.
Regards
06-29-2010 03:35 PM
Try 'spanning-tree portfast' on each of the access switchports.
Chris
06-30-2010 01:42 AM
Hi Chris,
Thanks for the advice, but I believe that command only allows STP to skip the listening and learning stages. During the redundancy test I have waited quite some time, but the traffic does not go through the active port.
06-30-2010 02:36 AM
Hi
Yes, the switches, as far as I can see, look just fine.
interface GigabitEthernet1/0/51
switchport access vlan 2
switchport mode access
end
interface GigabitEthernet2/0/51
switchport access vlan 2
switchport mode access
end
What this does is set ports 1/0/51 and 2/0/51 into VLAN 2 and tell the switch that the link from those ports talks to an endpoint device,
i.e. no trunking or multiple VLANs are possible on those ports.
As far as we know that is just fine, no problems there. This is Layer 2 only, no routing or anything fancy.
What you can do for your own benefit is to add a description.
Go to port 1/0/51 and add, for example,
description firewall alpha internal interface
and to port 2/0/51
description firewall beta internal interface
or whatever you want to call your firewalls.
This makes it easier for you with documentation and it is easier to locate problems at a glance.
It's just a good practice I have learned over the years.
So now to the other part.
You state that when you unplug a cable from the internal network between one of the firewalls and the switches, they all go down.
This behaviour, I would actually state, must come from the firewalls themselves.
The switch does not shut down a link to an endpoint device (server/router/firewall/PC and so on) just because you remove a cable on another port.
There is no connection like that: link up, yes, but not link down.
My guess is that both of the firewalls try to re-initiate contact on the internal ports and fail to find their peer (the cable is disconnected and the link between them is broken on one side).
Now here is a question: does it resolve itself after a while? I.e. the remaining connected firewall link turns yellow, turns green after 30 sec, and then starts to work again?
IF this is the case then I would state that you are running spanning-tree and this is the normal behaviour of spanning tree for a link-up event (disconnecting and connecting a network cable, shutdown/up of a NIC or switchport).
IF it starts to work, you can shorten the 30 sec delay in 2 ways: you can either start using PVST+ and use portfast,
which is what I personally would do, since you get loads of other benefits too,
or
you can use portfast on the ports directly.
What you do when you set the ports to portfast in normal spanning tree is basically tell the switch that there will never be a switch connected to this port and it does not have to check for a loop.
The same command in PVST+ does actually check for loops, but it is a lot faster.
However, IF it still does not work after a while, i.e. the firewalls still do not pass traffic, I would come to the conclusion that there is a problem with the firewall setup.
Good luck
HTH
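As an added example (not configuration posted by anyone in this thread), here are the two access ports from the original post with the description and portfast changes suggested above, followed by the checks a practitioner would run after pulling one firewall cable. The interface names, VLAN and VIP come from the post; the global mode line (Rapid PVST+ is the IOS mode in which a portfast edge port forwards immediately on link-up) and the BPDU guard lines are my assumptions about what a sensible deployment adds, and the MAC address in the last command is a placeholder.

```cisco
! Constructed example: Catalyst 3750 stack, access ports facing the two firewalls.
! Assumption: Rapid PVST+ so that edge ports skip listening/learning on link-up.
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/51
 description firewall alpha internal interface
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
 ! Assumption: BPDU guard err-disables the port if a switch is ever cabled here,
 ! so portfast cannot be turned into a loop by a cabling mistake.
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/51
 description firewall beta internal interface
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Exec-mode checks after unplugging one firewall cable during the redundancy test:
! the remaining port must still show "connected"
show interfaces GigabitEthernet1/0/51 status
show interfaces GigabitEthernet2/0/51 status
! confirm portfast is active and the port went straight to forwarding
show spanning-tree interface GigabitEthernet2/0/51 portfast
show spanning-tree interface GigabitEthernet2/0/51 detail
! which MAC the firewall VIP (10.0.0.1 in the post) resolves to and on which port the
! stack learned it; if the entry still points at the dead port, the surviving firewall
! is not taking over the VIP (the virtual MAC question raised earlier in the thread)
show ip arp 10.0.0.1
show mac address-table address <mac-from-arp-output>
```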
07-02-2010 06:22 AM
Hi Hobbe,
Thanks for your advice. STP is not the issue here. I am waiting for my Service Provider to get back to me. I suspect that they might have terminated my fiber connection via a media converter, hence the issue of returning traffic not getting through, as the firewall is seeing an "up" state between the media converter and itself while in actual fact the link is down.