cisco 3750 config

Answered Question
Jun 29th, 2010

Hi All,

I have a pair of Cisco 3750s stacked. They are connected to 2 different firewalls, one via each switch. The firewalls are running in an active-active setup.

The configuration on the ports level on the switches is as below:

interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
end

interface GigabitEthernet2/0/51
 switchport access vlan 2
 switchport mode access
end

The default route is

ip route 0.0.0.0 0.0.0.0 10.0.0.1 // 10.0.0.1 is the VIP on the firewall

When I unplug a cable from either of the ports, the connectivity between the firewalls and switches goes down. Is there any issue with the configuration on the switches?

John Blakley Tue, 06/29/2010 - 12:00

Do you have a cable between the firewalls for failover, or do you only have one cable from each firewall into the switch? What is the physical layout of the firewalls and switches, and can you post your failover config of the ASA?

HTH,

John

noobieee7 Tue, 06/29/2010 - 12:09

Hi John,

There is a cable between the firewalls for failover.

The layout is as below:

Switch 1 ----- FW 1
   |              |
stacked      failover cable
   |              |
Switch 2 ----- FW 2

The firewall is not ASA.

May I know if there is any issue with the config on the switches end?

Correct Answer
John Blakley Tue, 06/29/2010 - 12:12

The config looks fine on the switch. Are you using virtual mac addresses too, or can you?

John

noobieee7 Tue, 06/29/2010 - 12:19

Hi John,

I am not using virtual MAC addresses. I just wanted to make sure the config is fine on the switches so that I can verify with my SP that everything is set correctly on the FW.

Regards

Correct Answer
gatlin007 Tue, 06/29/2010 - 15:35

Try 'spanning-tree portfast' on each of the access switchports.



Chris

noobieee7 Wed, 06/30/2010 - 01:42

Hi Chris,

Thanks for the advice, but I believe that the command only allows STP to skip the listening and learning stages. During the redundancy test, I waited quite some time, but the traffic does not go through the active port.

hobbe Wed, 06/30/2010 - 02:36

Hi

Yes, the switches, as far as I can see, look just fine.

interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
end

interface GigabitEthernet2/0/51
 switchport access vlan 2
 switchport mode access
end

What this does is set ports 1/0/51 and 2/0/51 into VLAN 2 and tell the switch that the link from those ports talks to an endpoint device,

i.e. no trunking or multiple VLANs are possible on those ports.

That is, as far as we know, just fine; no problems there. This is Layer 2 only, no routing or anything fancy.

What you can do for your own benefit is to add a description.

Go to port 1/0/51 and add, e.g.,

description firewall alpha internal interface

and to port 2/0/51

description firewall beta internal interface

or whatever you want to call your firewalls.

This makes it easier for you with documentation issues and stuff and it is easier to locate problems at a glance.

It's just a good practice I have learned over the years.

So now to the other part.

You state that when you unplug a cable from the internal network between one of the firewalls and the switches, they all go down.

This behaviour, I would actually state, must come from the firewalls themselves.

The switch does not shutdown a link to an endpoint device (server/router/firewall/pc/and so on) just because you remove a cable on another port.

There is no connection like that: link up, yes, but not link down.

My guess is that both of the firewalls try to re-initiate contact on the internal ports and fail to find their peer (the cable is disconnected and the link between them is broken on one side).

Now here is a question: does it resolve itself after a while? I.e. the remaining connected firewall link turns yellow, turns green after 30 sec, and it then starts to work again?

IF this is the case, then I would state that you are running spanning-tree and this is the normal behaviour of spanning tree for a link-up event (disconnecting and connecting a network cable / shutdown/up of a NIC or switchport).

IF it starts to work, you can shorten the 30 sec delay in 2 ways: you can either start using PVST+ and use portfast.

This is what I personally would do, since you have loads of other benefits too.

Or

you can use portfast on the ports directly.

What you do when you set the ports to portfast in normal spanning tree is basically tell the switch that there will never be a switch connected to this port and it does not have to check for a loop.

The same command in PVST+ does actually check for loops, but it's a lot faster.

However, IF it still does not work after a while, i.e. the firewalls still do not pass traffic, I would come to the conclusion that there is a problem with the firewall setup.

Good luck

HTH

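An added example (not from the thread or any poster): a small Python audit over IOS interface stanzas that checks the two things recommended above, a description and spanning-tree portfast on the firewall-facing access ports, and also flags portfast on a trunk port, where it should never be enabled. The config text is constructed from the two stanzas in the thread plus an invented trunk port GigabitEthernet1/0/52.

```python
import re

# Constructed sample: the thread's two stanzas plus an invented trunk port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/51
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet2/0/51
 description firewall beta internal interface
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/52
 switchport mode trunk
 spanning-tree portfast
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the stanza
    return stanzas

def audit(config, vlan=2):
    """Return {interface: [findings]} for access ports in `vlan` and trunk misuse."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        portfast = "spanning-tree portfast" in lines
        issues = []
        if trunk and portfast:
            issues.append("portfast on trunk port")
        if not trunk and f"switchport access vlan {vlan}" in lines:
            if not any(l.startswith("description ") for l in lines):
                issues.append("missing description")
            if not portfast:
                issues.append("missing spanning-tree portfast")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the two missing items on Gi1/0/51, nothing on Gi2/0/51, and the portfast-on-trunk finding on Gi1/0/52.
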
noobieee7 Fri, 07/02/2010 - 06:22

Hi Hobbe,

Thanks for your advice. STP is not the issue here. I am waiting for my Service Provider to get back to me. I suspect that they might have terminated my fiber connection via a media converter, hence resulting in the issue of returning traffic not getting through, as the firewall is seeing an "up" state between the media converter and itself while in actual fact the link is down.
