wesleysg, August 11th, 2016 09:00
Just an update.
Err-disable is gone after shutting and unshutting interface te1/0/2 in Switch 1.
But Link State is still showing down at both switches. I am using a straight cable to connect the two switches.
Any advice?
Thanks.
wesleysg, August 11th, 2016 09:00
Thanks Daniel.
It's working after enabling #ip vrrp in Switch 2.
VLAN5 has become backup in Switch 2 now. But the trunk interface between the two switches is showing down.
I am configuring interface te1/0/2 as a trunk and connecting the two switches; I configured #switchport mode trunk on both switch interfaces.
Switch 1 (link status showing err-disable/none)
Te1/0/2 Full 1000 Off D-Down Off T (1),2-4096
Interface Name................................. Te1/0/2
SOC Hardware Info.............................. BCM56842_A1
Link Status.................................... Err-disable/None
Keepalive Enabled.............................. TRUE
Err-disable Cause.............................. loop-protect
VLAN Membership Mode........................... Trunk Mode
VLAN Membership................................ (1),2-4096
MTU Size....................................... 1518
Port Mode [Duplex]............................. Full
Port Speed..................................... 1000
Link Debounce Flaps............................ 0
Auto-Negotation Status......................... Off
Switch 2
Te1/0/2 Full 1000 Off Down Off T (1),2-4096
Interface Name................................. Te1/0/2
SOC Hardware Info.............................. BCM56842_A1
Link Status.................................... Down /None
Keepalive Enabled.............................. TRUE
Err-disable Cause.............................. None
VLAN Membership Mode........................... Trunk Mode
VLAN Membership................................ (1),2-4096
MTU Size....................................... 1518
Port Mode [Duplex]............................. Full
Port Speed..................................... 1000
Link Debounce Flaps............................ 0
Auto-Negotation Status......................... Off
It is showing Err-disable/None in Switch 1. Is it due to a faulty cable?
Thanks.
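As an added example (not part of the thread), a small parser for the dotted "Key..... value" format of the two show-interface blocks quoted above; the sample text is constructed from those two blocks, and the diagnosis separates a port that loop-protect has err-disabled from a genuine cable problem.

```python
# Added example, not from the thread: parse the dotted key/value output of
# both ends of the te1/0/2 link and classify why the link is down.
import re

# Constructed sample input: the relevant lines from the two blocks in the post.
SW1_OUTPUT = """\
Interface Name................................. Te1/0/2
Link Status.................................... Err-disable/None
Err-disable Cause.............................. loop-protect
VLAN Membership Mode........................... Trunk Mode
"""
SW2_OUTPUT = """\
Interface Name................................. Te1/0/2
Link Status.................................... Down /None
Err-disable Cause.............................. None
VLAN Membership Mode........................... Trunk Mode
"""

# A key (no dots), a run of leader dots, then the value.
FIELD = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<val>.*?)\s*$")


def parse_interface(text):
    """Turn 'Key....... value' lines into a dict; lines without leader dots
    (such as the one-line summary row) are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m["key"].strip()] = m["val"]
    return fields


def diagnose(local, peer):
    """Classify the local end of a link from both ends' parsed output."""
    status = local.get("Link Status", "").lower()
    cause = local.get("Err-disable Cause", "None")
    if status.startswith("err-disable"):
        return (f"err-disabled locally by {cause}; the port is being held "
                "down by the switch, not by a cable fault")
    peer_cause = peer.get("Err-disable Cause", "None")
    if peer.get("Link Status", "").lower().startswith("err-disable"):
        return (f"down because the peer end is err-disabled ({peer_cause}); "
                "clear the peer side first")
    return "down with no err-disable on either end; check cable, speed/duplex and auto-negotiation"


if __name__ == "__main__":
    sw1, sw2 = parse_interface(SW1_OUTPUT), parse_interface(SW2_OUTPUT)
    print("Switch 1:", diagnose(sw1, sw2))
    print("Switch 2:", diagnose(sw2, sw1))
```

Run on the two blocks above it reports Switch 1 as err-disabled by loop-protect and Switch 2 as down only because its peer is, which matches the later finding that a shut/no shut on Switch 1 cleared the condition.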
wesleysg, August 11th, 2016 20:00
Hi Daniel,
Thanks for your reply.
This is the topology. I configured VRRP on master switch1 (high priority) and backup switch2, and pointed the virtual IP as the gateway in the server VLANs. Currently all the traffic is passing through master switch1. The trunk port (te1/0/3) is working fine for multiple server VLANs in esx1. The idea is that when master switch1 goes down, backup switch2 will take over the traffic, and thus we have two physical connections from esx1 to the two switches. There is a layer 2 standard virtual switch in esx1.
All the VLAN VRRP instances are currently in Master state on master switch1.
But only VLAN 5 is in backup state on backup switch2, and the other VLANs are in Initialize state. I have only opened ports te1/0/1 and te1/0/2 on backup switch2 so far, so the VLAN 5 VRRP is valid with the upstream layer 2 switch and thus became backup state.
So, I am thinking:
1) Is the topology wrong, as we don't need the trunk port te1/0/2 between the two switches?
2) Open the te1/0/3 trunk port on backup switch2 and test VRRP from the esx1 VLANs?
Thanks a lot Daniel.
DELL-Josh Cr (Moderator), August 12th, 2016 11:00
Those two steps sound good.
wesleysg, August 17th, 2016 21:00
Hi Josh,
Thanks for your comment.
I have tested this scenario: connect the L2 unmanaged switch to the Master switch VLAN 10, then plug in the laptop, and traffic passes through. But when the cable from the Backup switch VLAN 10 is connected to the L2 unmanaged switch, the traffic stops passing, although it shows VLAN 10 as backup in the Backup switch VRRP.
The port on the master switch which is connected to the L2 unmanaged switch changes to blocking state when the cable from the backup switch is connected to the L2 unmanaged switch. That's why the laptop traffic is not passing.
Below is the updated diagram. The two ports from each switch's VLAN 10 connected to the L2 unmanaged switch are access ports. I assumed that should work, as VLAN 5 between the switches and the firewalls is working fine with just access ports.
Please advise. thanks.
wesleysg, September 12th, 2016 11:00
Hi Daniel,
Thanks for your reply. I need to sort it out as another maintenance window is coming soon.
I think a loop is happening in the network. May I know what the command is to check the currently running spanning tree protocol on the switch, and what the commands are to make the master switch the root switch for all VLANs? I would like to run rapid spanning tree, which can converge as quickly as possible to take the backup switch as the root when the master switch goes down.
Thanks.
wesleysg, September 15th, 2016 01:00
Hi Daniel,
It's showing "Mode: rstp" on both switches when I type #show spanning-tree.
Currently the Slave switch is the Root.
But it shows "Neither PVST nor Rapid-PVST is enabled" when I type #show spanning-tree vlan 1 and #show spanning-tree vlan all on both switches. Do I need to change the mode to pvst or rapid-pvst to do load balancing or traffic engineering per VLAN?
Thanks.
wesleysg, September 15th, 2016 08:00
Hi Daniel,
Thanks a lot for your reply and explanation.
I am going to make switch 1 the root bridge for all VLANs, running rstp mode. The VRRP master will be switch 1 for all VLANs as well.
Is the VRRP config below correct? SW1 will be the VRRP master for that VLAN and the root bridge for all VLANs. Can I run this with rstp mode?
SW1-VLAN (vrrp master)
interface vlan 2
ip address 10.255.2.2 255.255.255.0
vrrp 2
vrrp 2 mode
vrrp 2 ip 10.255.2.1
vrrp 2 priority 110
vrrp 2 accept-mode
SW2-VLAN
interface vlan 2
ip address 10.255.2.3 255.255.255.0
vrrp 2
vrrp 2 mode
vrrp 2 ip 10.255.2.1
vrrp 2 accept-mode
Thanks.
wesleysg, September 15th, 2016 19:00
Hi Daniel,
You are great, and I appreciate this.
Can we set the switch priority to 0 on the root switch and 4096 on the backup switch? This is referring to your contribution in the 12 Sept reply here.
Thanks.
wesleysg, September 18th, 2016 23:00
Hi Daniel,
Thank you so much, and I appreciate your helping me this far. I think we can close this ticket after this query :)
Currently there is a single point of failure, as I put L2 unmanaged switches between the router and the firewalls, and also between the firewalls and the L3 switches. These are sw3 and sw4.
In the current diagram, all the traffic is passing through the active firewall (fw1) and the VRRP master switch (sw1). Between the firewall and the switch we use VLAN 5, and the firewall routes to the VIP of VLAN 5 (master switch).
All the server VLANs also point to the VIP and pass through the master switch (sw1) now. The servers also have a backup cable connecting to the backup switch (sw2), but it is shut down as we need to fix the root bridge on sw1.
But there is a single point of failure: if either sw3 or sw4 goes down, the whole network will be down.
So, in the new diagram, we will configure a port channel between the two L3 switches using two interfaces via this command:
int range ten1/0/5-6
channel-group 1 mode active
!
int po1
switchport mode trunk
And we will remove sw3 between the router and the firewalls, as we will configure bridge mode on the router for two ports (fast0/0 and fast0/1) and connect directly to the two firewalls.
But if I remove sw4 between the firewalls and the L3 switches, and then connect a single cable from each firewall to the two L3 switches as per the diagram:
(a) When the sw1 interface te1/0/1 or the fw1 port1 goes down, the passive firewall (fw2) will become active, but the master switch (sw1) remains master for all VRRP and the STP root bridge.
Will the traffic go from the passive firewall (fw2) to the backup switch (sw2) and then to the master switch (sw1) and then reach the servers? And will the servers' traffic also go to the master switch (sw1), then the backup switch (sw2) and then the passive firewall (fw2)?
Because the master switch still remains the VRRP master for all VLANs.
So the traffic flow would be like this below; is it possible?
for inbound traffic .. (fw2) --> (sw2) --> (sw1) --> servers
for outbound traffic .. servers --> (sw1) --> (sw2) --> (fw2)
(b) Should we connect two cables from each firewall to the two core switches? There is a function in the Fortigate firewall to make two ports a redundant interface.
(c) When the active firewall (fw1) goes down, should we swing the VRRP master to the backup switch (sw2) as well? Assume (a) doesn't work. So fw2 and sw2 will take all the traffic, and server traffic will pass through sw2 via the backup link.
(d) If none of the links are down, will fw1 be able to ping the actual IPs of the sw2 VLAN interfaces, although fw1 is connected to sw1 only? And likewise, if fw2 takes over as active, will it reach sw1 through sw2? I am a little lost here. Or should we connect the cables as in (b)?
Sorry for my bad English.
Thanks.
wesleysg, September 19th, 2016 07:00
Hi Daniel,
The purpose of this setup with two firewalls and two switches is redundancy. The left-side devices, sw1 and fw1, will be forwarding the traffic in normal operation, and when any device on the left side goes down, sw1 or fw1, the traffic must flow through the backup devices, sw2 or fw2.
The fw1 link is not down yet; I am only assuming.
There is a setting to track an interface in the firewall, so when the fw1 uplink goes down (fw2 will become active), will sw1 know that the link is down (maybe we need to do tracking in the sw1 VRRP also, right?) so that we can let sw2 take over? Then the traffic will flow through fw2 and sw2. The servers' traffic will go through sw2, as there is another backup link at esx and VRRP will become master on sw2.
We definitely need to do testing on implementation, as the current setup (with unmanaged switches) is already live. We will test the redundant link on the firewall as well.
Thanks.
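As an added example (not from the thread), a small model of the VRRP master election that covers both the SW1/SW2 config posted on 15 Sept and the interface-tracking question just above: highest priority wins, ties break on the higher primary IP (RFC 5798), and a tracked-interface decrement lowers the master's priority while the uplink is down. The default priority of 100 on SW2 and the decrement value of 20 are assumptions, not values from the thread.

```python
# Added example, not from the thread: model the VRRP election between the
# two switches to see when sw2 actually takes over from sw1.
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str                     # real interface address on the VLAN
    priority: int = 100         # RFC 5798 default when none is configured (assumed for sw2)
    tracked_down: bool = False  # tracked uplink (e.g. te1/0/1 towards fw1) is down
    decrement: int = 0          # priority reduction applied while the tracked link is down

    def effective_priority(self) -> int:
        p = self.priority - (self.decrement if self.tracked_down else 0)
        return max(p, 1)  # priority 0 is reserved for a master releasing the VIP


def elect_master(routers):
    """Highest effective priority wins; ties go to the highest primary IP."""
    winner = max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))
    return winner.name


def scenario(sw1_uplink_down: bool, sw1_decrement: int) -> str:
    """SW1/SW2 values from the posted 'interface vlan 2' config; sw2 has no
    explicit priority, so it runs at the default of 100."""
    sw1 = VrrpRouter("sw1", "10.255.2.2", priority=110,
                     tracked_down=sw1_uplink_down, decrement=sw1_decrement)
    sw2 = VrrpRouter("sw2", "10.255.2.3")
    return elect_master([sw1, sw2])


if __name__ == "__main__":
    print("normal operation:            ", scenario(False, 0))   # sw1
    print("uplink down, no tracking:    ", scenario(True, 0))    # sw1 stays master
    print("uplink down, decrement 5:    ", scenario(True, 5))    # still sw1 (105 > 100)
    print("uplink down, decrement 20:   ", scenario(True, 20))   # sw2 (90 < 100)
```

Without tracking sw1 keeps the VIP even when its link to fw1 is gone, which is exactly the (a) flow through sw2 and back; the decrement has to exceed the priority gap (here 110 minus 100) for sw2 to take over.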
wesleysg, September 19th, 2016 09:00
Thanks Daniel,
We will do the migration this coming Saturday morning. I will keep you posted and post here if there are more doubts before the migration.
Thanks again.