[c-nsp] Content filters configured as transparent bridges and spanning tree

Pete Lumbis alumbis at gmail.com
Sun Jun 26 00:37:49 EDT 2011


What do you mean by "weren't agreeing"?

My only experience is with transparent firewalls which don't pass BPDUs, but
act in actual active/standby. The standby doesn't pass any traffic so there
is no mac learning over those ports.

When there is a firewall failover, BPDUs are suddenly received on a port that
the switches never heard BPDUs on before and they see this as an STP event
and things should settle out correctly.

If these filters don't act in an active/backup scenario by themselves and
you are hoping to have STP do it for you then they have to pass BPDUs. If
they don't pass BPDUs then STP will never detect a potential loop and will
never put any ports into blocking state.

-Pete

On Fri, Jun 24, 2011 at 10:58 AM, Steven Pfister <SPfister at dps.k12.oh.us> wrote:

> I've got a situation where I need to connect two switches, a 4507R (our
> core switch) to a 3560, using two devices which are functioning as
> transparent bridges, connected in parallel. The devices are actually
> content filters (they're Lightspeed Rocket appliances if that makes any
> difference), and we'd like to have one online as a standby unit in case
> the first one fails. The only other thing connected to the 3560 is two
> PIX firewalls (active/standby) which are in a vlan from the core
> network. The two switches are EIGRP neighbors.
>
> I was hoping that spanning-tree would take care of selecting one device
> for production use and the other as a standby. When we tried it, there
> was no connectivity at all. It seemed like the switches were not
> agreeing on which device to use. Is there any way to maybe have the
> 4507R take care of the forwarding/blocking decisions and turn off
> spanning-tree on the 3560?
>
>
> Steve Pfister
> Network Engineer
> Office of Information Technology
> Dayton Public Schools
> 115 S Ludlow St
> Dayton, OH 45402-1812
> Phone: 937-542-3149
> Cell: 937-673-6779
> spfister at dps.k12.oh.us ( mailto:spfister at dps.k12.oh.us )
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
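
Added example, not part of the original thread: a simplified Python model of the three cases discussed above (in-line devices that pass BPDUs, devices that drop them, and a self-managed active/standby pair), showing which port the downstream switch blocks and whether a loop remains. The `Filter` class, the function names, the bridge IDs and the link cost are constructed for illustration, and the model ignores STP timers and the listening/learning states.

```python
from dataclasses import dataclass

LINK_COST = 19  # constructed value: 802.1D short path cost of a 100 Mb/s link

@dataclass
class Filter:
    """Transparent bridge sitting in-line on one of the parallel links."""
    forwards_data: bool  # False models a standby unit that passes nothing
    passes_bpdus: bool   # True if spanning-tree BPDUs cross the device

def downstream_port_states(filters, root_id=(4096, "aa"), local_id=(32768, "bb")):
    """Port states on the downstream switch, one per parallel link.

    The upstream switch is assumed to be root, so all of its ports stay
    designated/forwarding and only the downstream switch can break the loop.
    """
    # Priority vector heard per port: (root id, path cost, sender id, sender port)
    heard = {
        port: (root_id, 0, root_id, port)
        for port, f in enumerate(filters)
        if f.forwards_data and f.passes_bpdus
    }
    if not heard or local_id < root_id:
        # No superior BPDU arrives: this switch believes it is root itself.
        return ["forwarding"] * len(filters)
    root_port = min(heard, key=heard.get)
    states = []
    for port in range(len(filters)):
        if port == root_port:
            states.append("forwarding")   # root port
        elif port in heard:
            # Vector this switch would advertise on the same segment.
            ours = (root_id, LINK_COST, local_id, port)
            states.append("forwarding" if ours < heard[port] else "blocking")
        else:
            states.append("forwarding")   # silent segment: designated port
    return states

def active_paths(filters):
    """Links that actually carry data frames between the two switches."""
    states = downstream_port_states(filters)
    return [p for p, f in enumerate(filters)
            if f.forwards_data and states[p] == "forwarding"]

def has_loop(filters):
    """More than one live parallel path between the switches is a bridging loop."""
    return len(active_paths(filters)) > 1
```

In the mixed case, where only one of two forwarding devices passes BPDUs, the model still reports a loop, because the downstream switch never hears a BPDU on the silent link and keeps it forwarding.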

