02-20-2016 07:57 AM
STP disconnect firewall LAN port
Hello,
We have a firewall connected to one port of an HP ProCurve 2610 switch and another to an internal HP ProCurve 2910 switch. On the first switch (2610) we have connected the router, and on the HP 2910 the servers and the other switches for final client PCs (stacked 2610).
MRSTP is enabled among all the switches.
A very strange effect has happened a few times: the firewall's LAN port (connected to the 2910) stops working and the port light on the internal switch turns off.
Removing and reconnecting the cable to the switch fixes the problem, which seems rather odd.
The firewall is a Dell PowerEdge Linux Lince and the Ethernet card is a dual-port Broadcom 5720 NetXtreme 100 Mbps.
The logs of the HP 2910 show the following sequence of events, repeated several times:
- Port X is now off-line
- Port X is Blocked by STP
- Port X is now on-line
- ffi: Port X-Excessive Broadcasts. See help.
- Port X is now off-line
- Port X is Blocked by STP
where X is the LAN port on the firewall, i.e. the port that STP is blocking.
I checked the cables between the switches that the firewall is connected to, and there is no physical loop.
On the other hand, the situation, as seen with switch commands, is characterized by:
- there is no change of STP topology
- the topology changes counter doesn't increase
- STP on the switch blocks the firewall's LAN port
Software releases are W.14.03 for the 2910 and R.11.25 for the 2610. I checked the fixes but I couldn't find any related to MRSTP or Broadcom NICs. Does anybody know what's happening?
Best Regards and thanks in advance.
02-22-2016 08:31 AM
Re: STP disconnect firewall LAN port
Hi there,
Have you set up the spanning tree priorities on all of the switches?
Dom
02-22-2016 11:34 AM
Re: STP disconnect firewall LAN port
No,
Priorities are all at the default, i.e. 32768 on all switches. The firewall port is on the 2910 tandem switch (I mean there are two switches, one of them connected to the firewall's LAN port and the other to the servers, and they are connected together), and the other, WAN, port is on the 2610 switch where the router is connected. The root is one of the switches of the tandem, the one where the firewall isn't connected. All the switches have the same priority, the default priority. The strange thing is that, although STP blocks the LAN port, you don't see a topology change and the counter isn't increased. On the other hand, this problem has happened four times with the same effects.
02-23-2016 05:41 AM - edited 02-23-2016 05:43 AM
Re: STP disconnect firewall LAN port
You should definitely think about setting up the priorities, unless your tandem switches are in a stack. Do you manage them both from 1 IP address?
For spanning tree on our switches, we tag the switch which has the primary route with the lower number, for example:
There is a site with 3 switches: all switches are connected, switch 1 is connected to both 2+3, switch 2 is connected to both 1+3 and switch 3 is connected to 1+2.
Switch 1: has our Primary Router attached, we give that switch a priority of 0 (CLI code "spanning-tree priority 0")
Switch 2: has our Backup Router attached, this switch is given a priority of 2 (CLI code "spanning-tree priority 2")
Switch 3: no router, this switch is given a priority of 15 (CLI code "spanning-tree priority 15")
From what you have said I would suggest the switch with the firewall having a priority of 0.
A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this; that would be set up on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop. We only set these up on interfaces we know will not get a loop.
02-23-2016 07:08 AM
Re: STP disconnect firewall LAN port
Maybe this isn't an STP problem: STP won't bring down the link when blocking a port.
02-23-2016 01:40 PM
Re: STP disconnect firewall LAN port
Hello DDgrus,
Thanks for answering. The tandem switches are in a stack and they are both managed from 1 IP address.
"A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this, that would be setup on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop, we only set these up on interfaces we know will not get a loop."
It is a possibility, but why a loop? There aren't physical cables between them making loops.
02-23-2016 01:42 PM - edited 02-23-2016 01:43 PM
Re: STP disconnect firewall LAN port
Hello 16again,
What do you suggest? Any idea what could produce this situation?
02-23-2016 02:04 PM
Re: STP disconnect firewall LAN port
If you manually unplug a port, you'll also end up with a "blocked by STP" message, but STP isn't the cause, just the result.
Try forcing speed/duplex settings on both sides of the trouble link.
Look into the error counters on the port (on both sides).
02-23-2016 02:51 PM
Re: STP disconnect firewall LAN port
Hi 16again,
Is there any other situation that can show the same STP effects without physically unplugging cables?
With counters, what can you see? For example, in this case, for port X blocked by STP:
Totals (Since boot or last clear) :
  Bytes Rx              : 2,948,646,096    Bytes Tx              : 1,937,188,467
  Unicast Rx            : 3,501,949,778    Unicast Tx            : 2,725,757,392
  Bcast/Mcast Rx        : 2,407,356        Bcast/Mcast Tx        : 96,320,597
Errors (Since boot or last clear) :
  FCS Rx                : 1                Drops Tx              : 34,918
  Alignment Rx          : 0                Collisions Tx         : 0
  Runts Rx              : 0                Late Colln Tx         : 0
  Giants Rx             : 0                Excessive Colln       : 0
  Total Rx Errors       : 1                Deferred Tx           : 0
Others (Since boot or last clear) :
  Discard Rx            : 0                Out Queue Len         : 0
  Unknown Protos        : 0
Rates (5 minute weighted average) :
  Total Rx (bps)        : 0                Total Tx (bps)        : 0
  Unicast Rx (Pkts/sec) : 0                Unicast Tx (Pkts/sec) : 0
  B/Mcast Rx (Pkts/sec) : 0                B/Mcast Tx (Pkts/sec) : 0
  Utilization Rx        : 0 %              Utilization Tx        : 0 %
Thanks in advance.
02-23-2016 10:50 PM
Re: STP disconnect firewall LAN port
FCS counters look suspicious:
"FCS Rx : 1 Drops Tx : 34,918"
Just try forcing link duplex/speed on both sides, and replace the UTP cable with a brand new CAT6.
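
Added example, not part of any post in this thread and not HP tooling: a small log triage script that separates "Blocked by STP" events that follow a link loss on the same port (the pattern described in the thread, where STP is the result rather than the cause) from blocks that occur while the link is up. The log lines are constructed from the event texts quoted in the first post; the sequence numbers, port numbers and the function name `classify_stp_blocks` are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: message texts follow the events quoted in the thread;
# the leading sequence numbers and the port numbers are invented.
SAMPLE_LOG = """\
001 Port 7 is now on-line
002 Port 12 is now off-line
003 Port 12 is Blocked by STP
004 Port 12 is now on-line
005 ffi: Port 12-Excessive Broadcasts. See help.
006 Port 12 is now off-line
007 Port 12 is Blocked by STP
008 Port 7 is Blocked by STP
"""

EVENT_PATTERNS = [
    ("link_down", re.compile(r"Port (\S+) is now off-line", re.I)),
    ("link_up", re.compile(r"Port (\S+) is now on-line", re.I)),
    ("stp_block", re.compile(r"Port (\S+) is Blocked by STP", re.I)),
    ("bcast", re.compile(r"Port (\S+?)-Excessive Broadcasts", re.I)),
]

def classify_stp_blocks(log_text):
    """Per port, count link drops and label each STP block by prior link state."""
    link_state = {}                       # port -> "up" / "down"
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        for kind, pattern in EVENT_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            port = match.group(1)
            if kind == "link_down":
                link_state[port] = "down"
                summary[port]["link_drops"] += 1
            elif kind == "link_up":
                link_state[port] = "up"
            elif kind == "bcast":
                summary[port]["broadcast_alerts"] += 1
            else:                         # stp_block: label by last known link state
                state = link_state.get(port, "unknown")
                label = {"down": "block_after_link_loss",
                         "up": "block_on_live_link"}.get(state, "block_state_unknown")
                summary[port][label] += 1
            break
    return {port: dict(counts) for port, counts in summary.items()}

if __name__ == "__main__":
    for port, counts in classify_stp_blocks(SAMPLE_LOG).items():
        print(port, counts)
```

A port whose blocks all fall under `block_after_link_loss` points at the physical layer (NIC, cable, speed/duplex), while `block_on_live_link` is the case that warrants a look at the spanning tree topology.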