
I have a problem with a couple of Dell PowerConnect 6248 switches (latest firmware) connected to a pair of external (3rd party) switches providing Internet connectivity via HSRP.

I'll post more detailed configuration when I get time, but briefly this is what the setup looks like:

ISP SW1                  ISP SW2
  |                         |
  |                         * (disconnected)
  |                         |
6248 SW1                 6248 SW2
(VLAN 10)                (VLAN 10)
  |                         |
Firewall 1               Firewall 2
  |                         |
6248 SW1                 6248 SW2
(VLANs 20, 30, 40)       (VLANs 20, 30, 40)
  |                         |
  |                         |
   ----- Port Channel -------
   (Trunking VLANs 20,30,40)

Now, the only things connected to the switchports for VLAN 10 are the ISP switch uplinks and the public interface of the firewall HA pair. Currently the VLAN 10 segments on each switch are not connected together; I'll come to that in a second.

Only one firewall node is active at any one time, therefore all WAN traffic goes through a single firewall.

The remaining backend VLANs are connected to their own interfaces on the firewalls, so the firewalls handle all traffic routing between VLANs. For the backend VLANs, there is a Port Channel that trunks all of them between the switches (so, everything except VLAN 10).

Now, as you can see, one of the WAN feeds is currently disconnected. The problem I'm seeing is that if I connect that WAN feed, STP puts the whole Port Channel on SW2 into discarding mode. So it appears to be seeing a loop somewhere, but I can't figure out where. There are no other ports that are members of VLAN 10, and the port channel isn't trunking VLAN 10 traffic, so why is STP choosing to block the channel?

Thanks for the feedback regarding MSTP; we will need to look at this. However, there is one thing that still doesn't make sense. These two 6248 switches are replacements for a pair of old 5324 switches. The old switches did not have this issue, but I've double-checked their configuration and they do not have MSTP explicitly enabled. Could MSTP have been enabled by default on the old switches and not the new?

UPDATE:

I have confirmed that MSTP was not enabled on the old switches. They were configured for RSTP, same as the replacements. No other specific configuration was in place. I'd like to understand why things used to work before I go about enabling MSTP.

One thing I have noticed, and I guess it's due to the difference in firmwares, is that the Port Channel on the older switch appears to be trunking VLAN 1 and allowing untagged frames by default. The new switch does not. Here's the config from one of the old switches:

# sh interfaces switchport port-channel 1
Port : ch1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1

Port is member in:

Vlan               Name               Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
 1                  1                  Untagged          System
20                 20                   Tagged           Static
30                 30                   Tagged           Static
40                 40                   Tagged           Static

And the config from one of the new switches:

#show interfaces switchport port-channel 1

Port: ch1
VLAN Membership mode:Trunk Mode

Operating parameters:
PVID: 1
Ingress Filtering: Enabled
Acceptable Frame Type: VLAN Only
Default Priority: 0
GVRP status:Disabled

Port ch1 is member in:

VLAN    Name                              Egress rule   Type
----    --------------------------------- -----------   --------
20      20                                Tagged        Static
30      30                                Tagged        Static
40      40                                Tagged        Static
Chris McKeown
  • Check if `show vlan` shows what you expect. Are you sure your spanning-tree mode is `mstp`? Do you have any spanning-tree `guard` statements? – David Schwartz Jan 15 '13 at 10:27
  • I know you're sure that port 10 isn't being trunked, but I'd probably try changing VLAN 10 on SW2 to, say, VLAN 11, just as a test to make sure it wasn't some kind of trunking bleed. – MadHatter Jan 15 '13 at 10:33
  • As David indirectly said: The standard STP settings/modes on switches mostly *ignore* VLANs, so you will have to set up mstp/pvstp if supported or selectively take ports off stp (not suitable for redundancy setups, KWYAD!). – rackandboneman Jan 15 '13 at 11:05
  • `mstp` looks to be a likely suspect - I'll check and follow up after I've managed to make the change. – Chris McKeown Jan 15 '13 at 11:18
  • Are your firewalls in layer 2 mode? If so, that is contributing to this problem... – Mike Pennington Jan 15 '13 at 11:34
  • @MikePennington The firewalls are operating at Layer 3 – Chris McKeown Jan 15 '13 at 11:45
  • One caution: If your spanning tree mode is not `mstp`, be aware that changing the spanning tree mode on this switch (or at least some versions of it) can induce long outages. Other things to think about are using [portfast](http://en.community.dell.com/support-forums/network-switches/f/866/t/19334207.aspx) and making sure you don't have ports that cycle up and down repeatedly and introduce spurious topology changes. Also, don't use `switchport voice detect` unless you really need it. – David Schwartz Jan 15 '13 at 11:50
  • We're actually going to be changing our topology to remove the transit VLAN on our side, since the ISP provides us two links a transit VLAN on their side. @DavidSchwartz, I'm pretty sure that your recommendation to check `mstp` would have resolved the problem with the network in its current state. Post an answer and I'll accept it. – Chris McKeown Jan 28 '13 at 09:14
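Added example (not from the original post or any of the comments): a small Python model of the topology drawn in the question, showing why a single-instance RSTP blocks the port channel even though no individual VLAN contains a loop, which is the point rackandboneman's comment makes about standard STP modes ignoring VLANs. It assumes things the thread does not state: that the two ISP switches are bridged to each other on the ISP side (otherwise there is no loop for STP to find), that all link costs are equal, and that the ISP switches hold the lowest bridge IDs so ISP SW1 is elected root. The firewalls are layer 3 and so are left out of the bridged topology. The bridge names, the bridge ID values and the `blocked_links` helper are made up for the illustration.

```python
"""Why a VLAN-unaware spanning tree blocks the port channel.

Added example for this thread, not code from the original post.
Assumptions not stated on the page: the ISP switches are bridged together
on their side, all links cost the same, and the ISP switches have the
lowest bridge IDs (ISP SW1 is root). Firewalls are layer 3, so they are
not bridges here. Names below are made up for the illustration.
"""
from collections import deque

# Constructed topology, taken from the diagram in the question.
# Each link: (bridge A, bridge B, VLANs the link carries).
LINKS = [
    ("isp-sw1", "isp-sw2", frozenset({10})),            # assumed ISP-side interconnect
    ("isp-sw1", "6248-sw1", frozenset({10})),           # WAN feed 1
    ("isp-sw2", "6248-sw2", frozenset({10})),           # WAN feed 2, the one being plugged in
    ("6248-sw1", "6248-sw2", frozenset({20, 30, 40})),  # port channel; no VLAN 10 on it
]

# Assumed bridge IDs; the lowest wins the root election as in 802.1D/802.1w.
BRIDGE_ID = {"isp-sw1": 1, "isp-sw2": 2, "6248-sw1": 3, "6248-sw2": 4}


def blocked_links(links):
    """Return the set of links one spanning-tree instance puts in discarding.

    Simplified RSTP over the given links: per connected component, elect the
    root (lowest bridge ID), measure hop count to it (equal link costs), and
    give each non-root bridge exactly one root port, towards the neighbour
    with the lowest (cost, bridge ID). Every link that is nobody's root port
    closes a loop and is blocked. Links are returned as frozenset pairs.
    """
    adjacency = {}
    for a, b, _ in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    root_ports = set()
    unvisited = set(adjacency)
    while unvisited:
        root = min(unvisited, key=BRIDGE_ID.__getitem__)
        cost = {root: 0}
        queue = deque([root])
        while queue:  # breadth-first search gives the hop count to the root
            node = queue.popleft()
            for peer in adjacency[node]:
                if peer not in cost:
                    cost[peer] = cost[node] + 1
                    queue.append(peer)
        for bridge in cost:
            if bridge != root:
                upstream = min(adjacency[bridge],
                               key=lambda n: (cost[n], BRIDGE_ID[n]))
                root_ports.add(frozenset((bridge, upstream)))
        unvisited -= set(cost)

    return {frozenset((a, b)) for a, b, _ in links
            if frozenset((a, b)) not in root_ports}


def single_instance_blocked(links=LINKS):
    """RSTP (802.1w): one tree for the whole switch; BPDUs ignore VLAN tags."""
    return blocked_links(links)


def per_vlan_blocked(vlan, links=LINKS):
    """A tree built only from links carrying `vlan`: the view an MST
    instance (or PVST) has of that VLAN."""
    return blocked_links([link for link in links if vlan in link[2]])


def describe(blocked):
    """Human-readable list of blocked links, or 'nothing'."""
    return ", ".join(sorted(" <-> ".join(sorted(link)) for link in blocked)) or "nothing"


if __name__ == "__main__":
    print("single RSTP instance blocks:", describe(single_instance_blocked()))
    for vlan in (10, 20, 30, 40):
        print(f"tree for VLAN {vlan} alone blocks:", describe(per_vlan_blocked(vlan)))
    print("without the ISP-side interconnect, RSTP blocks:",
          describe(single_instance_blocked(LINKS[1:])))
```

Run as-is, the single-instance tree blocks `6248-sw1 <-> 6248-sw2` (the port channel, as the question reports on SW2), whereas a tree built only from the VLAN 10 links or only from the VLAN 20/30/40 links blocks nothing; that per-VLAN view is what an MST instance gives you. Dropping the assumed ISP-side interconnect also blocks nothing, so the check this suggests is whether `show spanning-tree` on both 6248s reports the same root bridge ID learned through the ISP-facing ports: if it does, the ISP side is one bridged domain and it is the ISP switches that close the loop, with the untagged BPDUs from both WAN feeds meeting across the port channel.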
