tamray_tech
Need assistance with proper switch /spanning-tree configuration
Just had what seemed to be a spanning-tree failure, or blocking occur on our HP 5400R z12 switch. We are in the process of moving all networks and vlans from a 1Gb port (A2) to a 10Gb port (F21). Both ports are active with the same vlans. The plan is to slowly move each network to the 10Gb port, but that is going to take a good amount of reconfiguring of our Fortiguard firewall and means I need a configuration that allows both ports to stay up while I make the changes.
Port A2 VLANs:
VLAN ID Name | Status Voice Jumbo
105 VLAN105 | Port-based No No
107 VLAN107 | Port-based No No
108 VLAN108 | Port-based No No
110 VLAN110 | Port-based No No
111 VLAN111 | Port-based No No
120 VLAN120 | Port-based No No
Port A2 leads to our Fortiguard device on port 17
Port F21 VLANs (current):
VLAN ID Name | Status Voice Jumbo
1 DEFAULT_VLAN | Port-based No No
31 VLAN31 | Port-based No No
105 VLAN105 | Port-based No No
107 VLAN107 | Port-based No No
108 VLAN108 | Port-based No No
109 VLAN109 | Port-based No No
110 VLAN110 | Port-based No No
111 VLAN111 | Port-based No No
120 VLAN120 | Port-based No No
Port F21 connects to our Fortiguard device on port 33, which does not have any current TCP settings, but was up and seemed to cause an issue after 24 hrs.
All network and Internet traffic came back after disabling port 33 on the Fortiguard device.
Current path for all networks: WAN (port B21 of HP 5400) > A2 of 5400 > Port 17 of Fortiguard > Port 35 (Internet)
Future path for all networks: WAN (port B21 of HP 5400) > F21 of 5400 > Port 33 of Fortiguard > Port 35 (Internet)
Port 17 on Fortiguard will be disabled, once all changes have been made.
Need both to be active for now, and to avoid cyclical routing and spanning-tree issues.
Looking for working configuration in this scenario.
ASKER
Did a bit of research on it, but not clear on successful administration. Found one post where the person brought their network down with the following:
Switch(config)# vlan 700
Switch(vlan-700)# name test
Switch(config)# spanning-tree instance 1 vlan 700
Here is the complete list of VLANs I need on ports A2 and F21, as I move VLANs and networks over to F21:
VLAN ID Name | Status Voice Jumbo
31 VLAN31 | Port-based No No
105 VLAN105 | Port-based No No
107 VLAN107 | Port-based No No
108 VLAN108 | Port-based No No
110 VLAN110 | Port-based No No
111 VLAN111 | Port-based No No
120 VLAN120 | Port-based No No
301 VLAN301 | Port-based No No
391 VLAN391 | Port-based No No
392 VLAN392 | Port-based No No
393 VLAN393 | Port-based No No
394 VLAN394 | Port-based No No
601 VLAN601 | Port-based No No
650 VLAN650 | Port-based No No
660 VLAN660 | Port-based No No
670 VLAN670 | Port-based No No
701 VLAN701 | Port-based No No
708 VLAN708 | Port-based No No
709 VLAN709 | Port-based No No
750 VLAN750 | Port-based No No
755 VLAN755 | Port-based No No
760 VLAN760 | Port-based No No
801 VLAN801 | Port-based No No
802 VLAN802 | Port-based No No
803 VLAN803 | Port-based No No
804 VLAN804 | Port-based No No
805 VLAN805 | Port-based No No
806 VLAN806 | Port-based No No
807 VLAN807 | Port-based No No
808 VLAN808 | Port-based No No
809 VLAN809 | Port-based No No
820 VLAN820 | Port-based No No
Can you provide an example of the approach you would take? Currently there are 2 other switches connected to the HP 5400: an HP 3500yl with STP priority 0 (will be retired when I move routing) and another ProCurve with STP disabled. The 5400 has the default priority of 32768 and (as described) is currently connected to the Fortiguard device via Port 17 and Port 33 (disabled for now).
I would like to make the 5400 the root
Does the Fortiguard support MST?
ASKER
Seems to, but will need to contact support to be sure. We are using a Fortiguard 1500D
ASKER CERTIFIED SOLUTION
ASKER
I was fortunate to connect with the right Fortinet engineer yesterday who agreed with my theory that I could edit a backup file and restore, moving all VDOMs, VLANs, and policies to the 10Gb port, sparing me from a laborious process. It is all working now. However, your solution will prove to be very valuable for future changes I need to make.
Thank you!!
I'm guessing that you're running the default, CST (common spanning tree), on the HP. This can pose a bit of a challenge in that the switch will block one of the ports regardless of VLAN assignments. So in your scenario, once you connect the 10G link, the 1G link will go into blocking mode.
I can think of three possible work-arounds:
1) Disable spanning-tree and manage the VLAN assignments so that you don't have any loops (really not a good idea).
2) Change your STP to 802.1s (Multiple Spanning Tree). With this, you will create spanning tree instances (in your case, two would be sufficient). Then assign VLANs to the instances as needed. (This is how I usually handle this situation.)
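One way to lay out work-around 2 on the 5400R, as an added example that is not from the thread and not from HP/Aruba or Fortinet documentation: ProCurve/ArubaOS-Switch MSTP commands built on the same `spanning-tree instance <n> vlan` syntax the asker quoted. The instance split, the config-name, the path-cost values and the assumption that the FortiGate (or whatever bridges these VLANs between ports 17 and 33) runs MSTP with an identical region configuration are placeholders for this scenario; verify the exact VLAN-list syntax on your firmware.

```text
; Added example for the HP 5400R (ProCurve/ArubaOS-Switch CLI). Lines starting
; with ';' are explanatory. Assumptions: A2 and F21 are the only two links to the
; FortiGate, something on the far side actually bridges the VLANs (otherwise there
; is no L2 loop for STP to resolve), and the FortiGate side is configured with the
; SAME config-name, config-revision and VLAN-to-instance map, or the two devices
; will form separate MST regions and fall back to CST behaviour.
spanning-tree
spanning-tree force-version mstp-operation
spanning-tree config-name "CORE-MST"
spanning-tree config-revision 1

; Instance 1: VLANs that still use the 1Gb path (A2 -> FortiGate port 17)
spanning-tree instance 1 vlan 105 107 108 110 111 120
; Instance 2: VLANs already migrated to the 10Gb path (F21 -> FortiGate port 33)
spanning-tree instance 2 vlan 31 109

; Make the 5400 the root for the CIST and for every instance.
; Priority is given as a step 0-15 (multiplied by 4096). The 3500yl is currently
; at priority 0 and would tie with this on bridge MAC; raise it there (e.g. 8)
; until it is retired, or the root may land on the wrong switch.
spanning-tree priority 0
spanning-tree instance 1 priority 0
spanning-tree instance 2 priority 0

; Steer each instance onto one link: make F21 expensive in instance 1 and A2
; expensive in instance 2, so per instance only one of the two links forwards
; while the other stays as a backup path instead of a loop.
spanning-tree A2 instance 1 path-cost 2000
spanning-tree F21 instance 1 path-cost 200000
spanning-tree A2 instance 2 path-cost 200000
spanning-tree F21 instance 2 path-cost 2000

; Verify before trusting it: the digest and config-name shown here must match on
; the FortiGate side, and each instance should show A2 or F21 forwarding as expected.
show spanning-tree mst-config
show spanning-tree instance 1
show spanning-tree instance 2

; Migrating another VLAN later is then a single change: move it from instance 1
; to instance 2 on BOTH devices and bump config-revision on both at the same time.
```

Expect a brief topology change each time the instance map is edited, so make those moves in a maintenance window and watch `show spanning-tree` for unexpected root or port-role changes afterwards.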