04-16-2004 12:12 AM - edited 03-09-2019 07:05 AM
Hi all together!
I have abnormal statistics of runt errors on the Ethernet ports of a C3750 (both GE MM, FE UTP) when I connect PIX firewall ports in trunk mode. The LED on the C3750 port blinks yellow. All other error counters are in order. The total statistic is 1 runt per 2-3 total packets.
(I mean GE ports where I use a PIX 535 with an MM optic connection, and FE with a PIX 525 with ordinary UTP connections. One fact: when I changed "mode auto" on the C3750 FE ports to a fixed value, the RUNTS|TotalPackets statistic changed from 1/1 to 1/3.)
At the same time I don't have a problem with throughput or interface resets.
What does it matter?
04-16-2004 08:08 AM
Are you only having the problem on the FE ports that the pix 525 is connected to? Or the GE ports that the pix 535 is connected to as well?
Regarding the pix 525, make sure that line speed and duplex settings on the firewall config and the switch port config match exactly.
With regards to both pix 525 and 535 - you mentioned that the pix/switch interface is in trunk mode. Make sure that the switch port is configured in portfast mode and that PaGP and etherchannel negotiation is turned off. Also as a security measure ensure that the native vlan on the switch port config does not match that of the pix's native vlan (the one assigned to the phy interface).
The pix will not send bpdu's so config portfast is possible on the c3750; this is what I do on the cat 2950 and 3500 models.
What info do you get in your switch logs regarding the ports?
04-16-2004 10:24 AM
1) In both cases - PIX525<->FE UTP<->C3750 & PIX535<->GE MM <->C3750(SFP)
2) With the pix525, speed and duplex mode are configured exactly (with no auto). In this case the number of RUNTS/totalPackets decreased a little.
3) Yep, I tried portfast mode (but I think this is important only for a failover configuration). All the steps you advised influence only the sending of information from the C3750 ports, but I have RUNTS and amber blinking only on the Catalyst interface (it receives something wrong), not on the PIX.
Here is a simple config from the PIX:
interface ethernet0 100full
interface ethernet0 vlan2 physical
interface ethernet0 vlan5 logical
interface ethernet1 100full
interface ethernet1 vlan3 physical
nameif ethernet0 uplink security1
nameif ethernet1 common security50
nameif vlan5 outside security0
4) I am not receiving any alerts or error information from either the C3750 or the PIX. Simply put, I don't like it when the LED blinks amber and strange RUNTS errors appear.
Thank you for your attention.
04-19-2004 06:40 AM
According to the Cisco cat 3750 hardware install manual, see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12114ea1/3750hig/3750hg.pdf for details, blinking amber means that spanning tree is blocking the port and that frames are being sent or received. However a green-to-amber constant color change indicates a link layer problem. Are you seeing flashing amber only or a green-amber change?
Constant amber means the port is blocked by stp and that no packets are being forwarded.
However in the blinking amber case I do not know if stp is blocking for some and forwarding for others, due to per vlan stp. This may be normal to see, again I do not know for certain.
Is the cat 3750 setup to prune certain vlans from certain ports? And what is the native vlan configured on the cat ports to the pix?
As far as the runts are concerned, I would have all cables checked that run between the pix and the 3750 to ensure there are no link layer issues. As a prevention step, have new cables tested and used and see if you still get the error.
Yes, portfast is important to be configured when running pixes in failover mode.
Let me know how the cables test out.
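An added example, not part of any post in this thread: a Catalyst 3750 trunk port set up along the lines of the 04-16-2004 08:08 AM reply and matched to the PIX config posted above (ethernet0 at 100full, vlan2 physical, vlan5 logical). The interface name FastEthernet1/0/1, VLAN 999 and its name are constructed placeholders, and limiting the trunk to VLANs 2 and 5 is an assumption about which VLANs the PIX needs.

```ios
! Constructed example; FastEthernet1/0/1 and VLAN 999 are placeholders.
vlan 999
 name UNUSED-NATIVE
!
interface FastEthernet1/0/1
 description Trunk to PIX ethernet0 (vlan2 physical, vlan5 logical)
 ! Fixed speed and duplex, matching "interface ethernet0 100full" on the PIX
 speed 100
 duplex full
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Assumption: only the VLANs defined on the PIX interface are needed here
 switchport trunk allowed vlan 2,5
 ! Native VLAN kept different from the PIX physical-interface VLAN (2)
 switchport trunk native vlan 999
 ! The PIX sends no BPDUs, so portfast can be enabled on this trunk
 spanning-tree portfast trunk
 ! No channel-group statement: the port joins no EtherChannel, so PAgP is not run
!
! Checks after applying:
!  show interfaces FastEthernet1/0/1 trunk
!  show interfaces FastEthernet1/0/1 counters errors
!  show spanning-tree interface FastEthernet1/0/1 portfast
```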