Forum Discussion

l00k3r_53179

Nimbostratus

Apr 23, 2013

MSTP issue with Cisco switch

Good morning everybody,

After months of passive reading, the time has come for my first forum post.

Hope this is the right section for this topic.

To simplify my topology, I have an F5 3600 equipped with TMOS 10.2.4-build577, connected to a Cisco 2960 switch with two dot1q links: the former (VLAN 603) communicates with the public firewall, the latter (VLAN 600) with the private firewall.

I need Spanning tree because, actually, there are two LTM appliances in Active/Passive mode connected to the same switch stack.

Both F5's suffer the very same condition.

I previously tried with RSTP, but switched to MSTP hoping that separated instances would help.

On the surface, the second cable is blocking.

Some data might help:

- F5:


root@F5(Standby)(tmos) list net stp-globals
net stp-globals {
    config-name MSTP-PFQ-PUB
    config-revision 1
    mode mstp
}


root@F5(Standby)(tmos) show running-config net stp
net stp 0 {
    priority 49152
}
net stp 1 {
    interfaces {
        1.5 {
            external-path-cost 20000
            internal-path-cost 20000
        }
    }
    priority 49152
    vlans {
        600
    }
}
net stp 2 {
    interfaces {
        1.7 {
            external-path-cost 20000
            internal-path-cost 20000
        }
    }
    priority 49152
    vlans {
        603
    }
}
 
[root@F5:Standby] config  bigpipe stp
STP   MODE mstp
|     Forward delay 15   Hello time 2   Max age 20   Transmit hold 6
|     Max hops 20   Revision 1   ID MSTP-PFQ-PUB
+-> STP INSTANCE 0   priority 49152   root bridge 04:DA:D2:CC:B0:00
|   |     regional root bridge 00:01:D7:BE:E5:40
|   |     No topology changes
none+-> STP INSTANCE 1   priority 49152   regional root bridge 00:01:D7:BE:E5:40
|   |     No topology changes
|   +-> STP VLAN 1/Int_Interco_Pub
|       +-> STP INTERFACE 1/1.5
|           |     path cost 20000   priority 128   role master
|           |     state forward (forward)   link p2p   not edge - auto
+-> STP INSTANCE 2   priority 49152   regional root bridge 00:01:D7:BE:E5:40
    |     No topology changes
    +-> STP VLAN 2/Ext_Interco_Pub3
        +-> STP INTERFACE 2/1.7
            |     path cost 20000   priority 128   role alternate
            |     state block (block)   link p2p   not edge - auto

- Cisco:


Switchshow version
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
 
Switchshow spanning-tree mst configuration
Name      [MSTP-PFQ-PUB]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-400,402-510,512-599,601-602,604-4094
1         401,511,600
2         603
-------------------------------------------------------------------------------

Switchshow spanning-tree vlan 600

MST1
  Spanning tree enabled protocol mstp
  Root ID    Priority    1
             Address     04da.d2cc.b000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1      (priority 0 sys-id-ext 1)
             Address     04da.d2cc.b000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 20000     128.1    P2p
Po3                 Desg FWD 20000     128.240  P2p
Gi2/0/2             Desg FWD 20000     128.56   P2p

Note: g1/0/1 is connected to F5 n.1, g2/0/2 to F5 n. 2 and po3 to the private firewall


Switchshow spanning-tree vlan 603

MST2
  Spanning tree enabled protocol mstp
  Root ID    Priority    2
             Address     04da.d2cc.b000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    2      (priority 0 sys-id-ext 2)
             Address     04da.d2cc.b000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/7             Desg FWD 20000     128.7    P2p
Po5                 Desg FWD 20000     128.256  P2p
Po6                 Desg FWD 20000     128.264  P2p
Gi2/0/8             Desg FWD 20000     128.62   P2p
 
Note: g1/0/7 is connected to F5 n. 1, g2/0/8 to F5 n. 2 and po5-6 to the public firewall.

The thing that really confuses me is that it seems to me that both devices think to be root bridge, but the switch has the lowest priority.

The same does not happen in an almost identical topology with Juniper switch.

Maybe I misconfigured anything?

Did anybody ever face a similar issue?

Thanks in advance.

config

design

18 Replies

What_Lies_Bene1

Cirrostratus

Apr 23, 2013

I think you may be misreading the F5's output, the correct root bridge is listed on line four of this output;


STP   MODE mstp
|     Forward delay 15   Hello time 2   Max age 20   Transmit hold 6
|     Max hops 20   Revision 1   ID MSTP-PFQ-PUB
+-> STP INSTANCE 0   priority 49152   root bridge 04:DA:D2:CC:B0:00
|   |     regional root bridge 00:01:D7:BE:E5:40
|   |     No topology changes
none+-> STP INSTANCE 1   priority 49152   regional root bridge 00:01:D7:BE:E5:40

What_Lies_Bene1
Cirrostratus
Apr 23, 2013
Can you provide the bigpipe stp ouput for the active F5 please. So far it's all looking OK to me.

l00k3r_53179

Nimbostratus

Apr 23, 2013

Thanks What Lies Beneath for your quick response.

Well, yes I must have misunderstood F5's output. The fact is that for instances 1 and 2, the regional root bridge MAC address listed by F5 is itself, so I was confused:

root@F5(Standby)(tmos) show net vlan

Net::Vlan: 603
-------------------------------
Interface Name  603
Mac Address     0:1:d7:be:e5:44

Net::Interface
Name  Status  Bits  Bits  Errs  Errs   Drops  Drops  Colli
                In   Out    In   Out      In    Out  sions
----------------------------------------------------------
1.7       up  2.4G  1.4M     0     0  880.8K      0      0


Net::Vlan: 600
-------------------------------
Interface Name  600
Mac Address     0:1:d7:be:e5:45

Net::Interface
Name  Status  Bits  Bits  Errs  Errs  Drops  Drops  Colli
                In   Out    In   Out     In    Out  sions
---------------------------------------------------------
1.5       up  8.5G  2.6G     0     0   1.9M      0      0

As per the active F5... well at the moment they are both standby because I configured VLAN failsafe on both vlans.

This is the second F5's output:

root@F5-2(Standby)(tmos) show net vlan

Net::Vlan: 600
-------------------------------
Interface Name  600
Mac Address     0:1:d7:d4:77:85

Net::Interface
Name  Status  Bits    Bits  Errs  Errs   Drops  Drops  Colli
                In     Out    In   Out      In    Out  sions
------------------------------------------------------------
1.6       up  3.3G  536.7M     0     0  305.2K      0      0

Net::Vlan: 603
-------------------------------
Interface Name  603
Mac Address     0:1:d7:d4:77:84

Net::Interface
Name  Status  Bits   Bits  Errs  Errs   Drops  Drops  Colli
                In    Out    In   Out      In    Out  sions
-----------------------------------------------------------
1.8       up  1.4G  12.0K     0     0  426.6K      0      0


[root@F5-2:Standby] config  b stp
STP   MODE mstp
|     Forward delay 15   Hello time 2   Max age 20   Transmit hold 6
|     Max hops 20   Revision 1   ID MSTP-PFQ-PUB
+-> STP INSTANCE 0   priority 49152   root bridge 04:DA:D2:CC:B0:00
|   |     regional root bridge 00:01:D7:D4:77:80
|   |     No topology changes
none+-> STP INSTANCE 1   priority 49152   regional root bridge 00:01:D7:D4:77:80
|   |     No topology changes
|   +-> STP VLAN 1/600
|       +-> STP INTERFACE 1/1.6
|           |     path cost 20000   priority 128   role master
|           |     state forward (forward)   link p2p   not edge - auto
+-> STP INSTANCE 2   priority 49152   regional root bridge 00:01:D7:D4:77:80
    |     No topology changes
    +-> STP VLAN 2/603
        +-> STP INTERFACE 2/1.8
            |     path cost 20000   priority 128   role alternate
            |     state block (block)   link p2p   not edge - auto

The configuration is the same.

What_Lies_Bene1
Cirrostratus
Apr 23, 2013
Hmmm. Thanks for the outputs. The confusion is understandable. The fact you've used different ports on each F5 makes this harder to understand - is there a reason you didn't use 1.5 and 1.7 on both F5's?

Regardless, despite being more familiar with PVST and RSTP I find the output a bit odd. It would appear both devices are blocking on the VLAN603 interface and not at all on VLAN600. That would suggest no VLAN603 traffic is reaching the F5's and that there's possible a STP loop on VLAN600.

Could you paste the actual Cisco and F5 interface configurations please?

l00k3r_53179

Nimbostratus

Apr 23, 2013

Yes the truth is all the cables are in use: we are testing many different combinations.

Currently, ports 1.5 and 1.7 on both F5's are connected to physical switch n.1, while ports 1.6 and 1.8 to switch n.2.

The unused interfaces are disabled/shutdown.

Cisco interface configuration:


interface GigabitEthernet1/0/1
description to F5-1:1.5
switchport trunk allowed vlan 600
switchport mode trunk
switchport nonegotiate
power inline never
speed 1000
duplex full
spanning-tree link-type point-to-point
end
!
interface GigabitEthernet2/0/2
  description to F5-2:1.6
  switchport trunk allowed vlan 600
 switchport mode trunk
 switchport nonegotiate
 power inline never
 speed 1000
 duplex full
 spanning-tree link-type point-to-point
end
!
!
interface GigabitEthernet1/0/7
 description "to F5-1:1.7"
 switchport trunk allowed vlan 603
 switchport mode trunk
 switchport nonegotiate
 power inline never
  speed 1000
 duplex full
 spanning-tree link-type point-to-point
end
!
interface GigabitEthernet2/0/8
 description "to F5-2:1.8"
 switchport trunk allowed vlan 603
 switchport mode trunk
 switchport nonegotiate
 power inline never
 speed 1000
 duplex full
 spanning-tree link-type point-to-point
end

F5 interface configuration:


root@F5-1(Standby)(tmos) list net interface 1.5
net interface 1.5 {
    mac-address 0:1:d7:be:e5:48
    media-active 1000T-FD
    media-max 1000T-FD
    stp-edge-port false
    stp-link-type p2p
}
 root@F5-2(Standby)(tmos) list net interface 1.6
net interface 1.6 {
    mac-address 0:1:d7:d4:77:89
    media-active 1000T-FD
    media-max 1000T-FD
    stp-edge-port false
    stp-link-type p2p
}


root@F5-1(Standby)(tmos) list net interface 1.7
net interface 1.7 {
    mac-address 0:1:d7:be:e5:4a
    media-active 1000T-FD
    media-max 1000T-FD
    stp-edge-port false
    stp-link-type p2p
}

root@F5-2(Standby)(tmos) list net interface 1.8
net interface 1.8 {
    mac-address 0:1:d7:d4:77:8b
    media-active 1000T-FD
    media-max 1000T-FD
    stp-edge-port false
    stp-link-type p2p
}

What_Lies_Bene1
Cirrostratus
Apr 23, 2013
OK, I'm totally confused now. So, there are two switches not one, OK. And 1.5 and 1.7 on both F5s go to SW1, 1.6 and 1.8 on both F5's go to SW2. That being the case why do the outputs that you are posting only show two interfaces in the bigpipe stp output? Surely it should be four per device?
l00k3r_53179
Nimbostratus
Apr 23, 2013
Sorry, I am having problems with the editor's tags.

Anyway, yes, there are two F5's and two switches, but the switches are in stack so they actually behave as one, which is the reason why I mentioned one at the beginning.

I sort of fixed the above output's tags so the output should be readable now.

The two interfaces per physical switch and two interfaces per F5 are listed.

The disabled/shutdown links are not displayed.

BTW, while the editor is loading, I see HTML tags along with the text. Is there a way to use the editor in text mode, so I can edit the tags properly?
What_Lies_Bene1
Cirrostratus
Apr 23, 2013
No idea regarding the editor I'm afraid, I normally just put everything in code tags. I'm still unclear, is this statement true or not as your outputs do not support it?

Currently, ports 1.5 and 1.7 on both F5's are connected to physical switch n.1, while ports 1.6 and 1.8 to switch n.2.
l00k3r_53179
Nimbostratus
Apr 23, 2013
Yes, I confirm: as per the physical topology, the interfaces between the F5's and the Cisco switches are as follows:

F5 n. 1

1.5 ----> switch n. 1 g1/0/1 UP

1.6 ----> switch n. 2 g2/0/1 SHUTDOWN

1.7 ----> switch n. 1 g1/0/7 UP

1.8 ----> switch n. 2 g2/07 SHUTDOWN

F5 n. 2

1.5 ----> switch n. 1 g1/0/2 SHUTDOWN

1.6 ----> switch n. 2 g2/0/2 UP

1.7 ----> switch n. 1 g1/0/8 SHUTDOWN

1.8 ----> switch n. 2 g2/0/8 UP

However, I fear this complicates things in vain, because said ports are disabled/shutdown, so they are not doing any harm.
What_Lies_Bene1
Cirrostratus
Apr 23, 2013
OK, that finally makes sense. So, we're back to where I started, with both the interface in VLAN603 blocking on each F5 and apparently no ports blocking for VLAN600 anywhere. That possibly makes sense for VLAN 600 as there are no loops that I can tell based on what you've told me.

For VLAN603 I see there are two port channels to the external firewall, why is that? Is the firewall participating in STP in any way? Are there any other L2 devices involved?

Forum Discussion

MSTP issue with Cisco switch

18 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

Integrating SSL Orchestrator with Cisco WSA Virtual Edition

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options