I have a strange issue with an HSRP setup.
I have two 3560s (S1 + S2) as the Core/Distribution layer. Inter-VLAN routing is enabled on both switches. S1 and S2 are connected with an EtherChannel over four fibre ports. S3-S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connected to a Linux firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But my monitoring via Cacti shows me that Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails should S2 be the active switch.
A client on the access ports of S3-S5 gets traffic from the internet via Gi0/1 on S2. Gi0/1 on S1 is active too, but mostly sends traffic to the internet.
Why is S2 active, and why does it route traffic from the internet to the client?
Thank you for the additional information. I believe that it confirms my guess in my recent post that the firewall does not have a route for the 10.2/16 network but is using ARP for every address in the network that it attempts to reach. In this case both of the switches receive the ARP request, both respond, and the firewall chooses one (typically the first one to respond), and this explains why you see the amount of traffic inbound on the interface of switch 2.
I believe that we now understand the problem. I am not a Linux expert so I cannot tell you the details of how to fix the problem. But it would probably involve configuring a route on the firewall for the 10.2.0.0/16 network. And in this context it may make sense to go back to the question of running HSRP on the switch Gi0/1 interfaces. I now suggest that it would be a good thing to configure the switch Gi0/1 interfaces for HSRP and to use the virtual address that they share as the next hop of the route in the firewall. This would allow the firewall to continue to forward traffic through switch 2 if there were a problem with switch 1.
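The diagnosis above (firewall ARPing for every 10.2.0.0/16 address, both switches answering, firewall picking whichever replies first) can be confirmed from the firewall itself by comparing its neighbour table with its connected routes: any ARP entry for an address that is not inside a directly connected subnet of that interface only exists because a router answered on the host's behalf. The following is an added example, not code from the thread or from either poster; the `ip neigh show` and `ip route show` output, the firewall-to-switch link subnet 10.2.255.0/30, the interface names and the MAC addresses are all constructed assumptions, and the HSRP virtual IP in the suggested fix is a placeholder.

```python
import ipaddress

# Constructed sample of `ip neigh show` on the Linux firewall (assumption: the
# link toward S1/S2 is eth1 on 10.2.255.0/30; MACs are made up). Two different
# MACs answer for off-link 10.2.x.x hosts, i.e. both S1 and S2 are proxy-ARPing.
SAMPLE_NEIGH = """\
10.2.255.2 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
10.2.10.25 dev eth1 lladdr 00:11:22:33:44:02 REACHABLE
10.2.20.7 dev eth1 lladdr 00:11:22:33:44:01 STALE
10.2.30.40 dev eth1 lladdr 00:11:22:33:44:02 REACHABLE
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
"""

# Constructed sample of `ip route show` on the same host: there is no route for
# 10.2.0.0/16, only the connected /30 toward the switches.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50
10.2.255.0/30 dev eth1 proto kernel scope link src 10.2.255.1
"""


def parse_connected(route_text):
    """Return {iface: [networks]} for directly connected ('scope link') routes."""
    connected = {}
    for line in route_text.splitlines():
        fields = line.split()
        if "scope" not in fields or fields[fields.index("scope") + 1] != "link":
            continue
        if "/" not in fields[0]:
            continue
        iface = fields[fields.index("dev") + 1]
        connected.setdefault(iface, []).append(ipaddress.ip_network(fields[0]))
    return connected


def parse_neigh(neigh_text):
    """Yield (ip, iface, mac) from `ip neigh show` output; skip entries without a MAC."""
    for line in neigh_text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        yield (ipaddress.ip_address(fields[0]),
               fields[fields.index("dev") + 1],
               fields[fields.index("lladdr") + 1])


def proxy_arp_dependents(neigh_text, route_text):
    """Neighbour entries whose address lies outside every connected subnet of its
    interface. The host can only have learned these via proxy ARP, which means it
    is resolving off-link destinations by ARP instead of using a route."""
    connected = parse_connected(route_text)
    suspects = []
    for ip, iface, mac in parse_neigh(neigh_text):
        if not any(ip in net for net in connected.get(iface, [])):
            suspects.append((str(ip), iface, mac))
    return suspects


def responders(suspects):
    """Distinct MACs that answered for off-link addresses. More than one means
    several routers (here S1 and S2) reply, and the firewall splits traffic
    between them depending on who answered first."""
    return sorted({mac for _, _, mac in suspects})


def suggested_fix(network, hsrp_vip, iface):
    """Route command matching the advice in the answer: point the /16 at the
    HSRP virtual address shared by the switch Gi0/1 interfaces (VIP is a placeholder)."""
    return f"ip route add {network} via {hsrp_vip} dev {iface}"


if __name__ == "__main__":
    found = proxy_arp_dependents(SAMPLE_NEIGH, SAMPLE_ROUTES)
    for entry in found:
        print("proxy-ARP learned:", entry)
    print("routers answering:", responders(found))
    print("fix:", suggested_fix("10.2.0.0/16", "10.2.255.3", "eth1"))
```

Running this against the constructed samples lists the three 10.2.x.x hosts that were resolved by ARP on eth1 despite not being on the /30, and two distinct responder MACs, which is exactly the "both switches answer" condition described in the answer. Once the static route toward the HSRP virtual IP is in place, a fresh `ip neigh show` should contain only the /30 neighbours on eth1 and the function returns an empty list.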