More uplinks from MS switch stack to MX firewall make switches unavailable

Solved
RobHuijser
Getting noticed


Hi,

We have 2 data centers/MERs:

1 MX450 in every MER (warm spare)

2 MS425 in every MER (4 in total)

Firewalls are configured as warm spare and both have connectivity to the internet on WAN1.

HA is fine via the created L3 interface and management IP addresses.

The 4 switches are stacked (2 with stack cable, between the DCs via port 32).

1 uplink cable from MS to MX in every DC.

This works fine so far. Everything is up, but to minimize downtime we want to have uplinks from every MS to the MX; however, when I connect an uplink from switch 3 to the active firewall, everything goes down.

I suppose RSTP will help to block one of the uplinks so no loop will occur.

MX interface has "drop untagged traffic" to MS enabled.

MS interface has VLAN 1000 as native VLAN, but no L3 interface exists (Cisco best practice).

Does anyone know how to use 4 cables from the stack to the 2 firewalls without breaking everything?

[Image: rstp.png]


1 Accepted Solution
ww
Kind of a big deal

Is your drawing wrong? You say dropping untagged at the MX, but you draw it at the MS.

If you drop untagged traffic at the MX you are dropping the STP packets, so they will not be sent back to the switch.
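The mechanism behind the accepted answer, as an added example that is not part of the thread and not Meraki code: BPDUs are untagged frames addressed to the 802.1D multicast MAC, so an ingress filter that drops untagged traffic silently eats them. The model below is constructed (port names, MAC address and the simplified "block every uplink except the first on which you hear yourself" rule are assumptions, not RSTP's real port-role election); it compares the two MX settings and shows why the stack only blocks a redundant uplink when its own BPDU makes it back through the MX.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# 802.1D spanning-tree destination MAC; BPDUs are sent untagged on the native VLAN.
STP_MULTICAST = "01:80:c2:00:00:00"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]  # None means no 802.1Q tag (untagged)
    kind: str            # "bpdu" or "data"


def make_bpdu(src_mac: str) -> Frame:
    """A BPDU as a switch emits it: untagged, to the STP multicast address."""
    return Frame(src_mac, STP_MULTICAST, None, "bpdu")


def mx_relay(frame: Frame, ingress: str, ports: List[str],
             drop_untagged: bool) -> Dict[str, Frame]:
    """Model the MX LAN side: it transparently floods a frame out of every
    other LAN port, unless the 'drop untagged traffic' filter discards it on
    ingress. Returns {egress_port: frame} for the ports that receive a copy."""
    if drop_untagged and frame.vlan is None:
        return {}
    return {p: frame for p in ports if p != ingress}


def simulate(drop_untagged: bool,
             uplinks=("stack-p1", "stack-p3")) -> dict:
    """One stack with several uplinks into the same MX. Each uplink sends a
    BPDU; the MX relays it; the stack notes on which ports it heard itself.
    Hearing its own BPDU is the loop signal RSTP relies on."""
    stack_mac = "00:00:00:aa:bb:cc"  # constructed bridge address
    heard_self = set()
    for ingress in uplinks:
        bpdu = make_bpdu(stack_mac)
        for egress, f in mx_relay(bpdu, ingress, list(uplinks),
                                  drop_untagged).items():
            if f.kind == "bpdu" and f.src_mac == stack_mac:
                heard_self.add(egress)

    # Simplified RSTP reaction (assumption): keep the first uplink forwarding,
    # block every other uplink on which the stack's own BPDU came back.
    state = {}
    for i, port in enumerate(uplinks):
        state[port] = "blocked" if (port in heard_self and i > 0) else "forwarding"

    forwarding = [p for p, s in state.items() if s == "forwarding"]
    # More than one forwarding uplink into one MX is an unblocked L2 loop.
    return {"ports": state, "loop": len(forwarding) > 1}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"drop_untagged={setting}: {simulate(setting)}")
```

With `drop_untagged=True` the BPDU never returns, both uplinks stay forwarding and the model reports a loop, which matches the "everything went down" symptom; with the filter off (native VLAN carrying untagged frames) the second uplink is blocked as designed. Tagged data frames still pass in both cases, so the filter looks harmless until a redundant link is added.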

3 Replies
jdsilva
Kind of a big deal

Since the MXs cannot do LACP, generally speaking you would not connect multiple links from a single switch to a single MX. If you do this, you're subject to the rules of STP in handling loops. The MX will transparently pass BPDUs received on one link to another link (i.e. a switch may receive its own BPDU back on a different interface).

An alternative would be to make the links L3 instead of L2. You could create multiple transit networks, one per link, and connect those between your stack and the MX. Granted, the MS can't do routed ports, but you can mimic the functionality with a single access port and an SVI.


RobHuijser
Getting noticed

Issue solved.

I enabled the native VLAN and now BPDU packets are traversing the interface. All interfaces are up and running (and some are blocked as designed).

Thanks for helping.

^RH
