Spanning Tree Protocol

Disable Spanning Tree Protocol (STP) on the switch ports, where VRRP is running, if at all possible. On many switches, you can only disable STP across the entire switch and not on a port-by-port basis. Please be careful that this will not introduce a bridging loop on other ports.

What we discovered in testing is that the STP affects the VRRP negotiation. For a very short period of time, the switch will see the same VRRP 'VMAC' address being broadcast from two ports. The switch identifies this as a "loop". Loops and Layer2 networks are not compatible, so the switch will disable both ports to kill the loop. Then, it will bring the ports back on line, only to see the same condition once again. Under these circumstances, it can take as long as 15 minutes to fail back to the primary firewall.

If Spanning Tree cannot be disabled on the switch ports, you can enable 'PortFast' Mode, which speeds up the Spanning Tree algorithm on the ports.

Note: By default, PortFast Mode is disabled. This can leave switch ports listening (not transmitting) for approximately 30 seconds, when a switch port fails over. This is Spanning Tree's mechanism to prevent bridging loops.

The syntax for turning on Portfast mode is:

config# set spantree portfast 3/1-2 enable

Where 3/1-2 refers to slot 3 ports 1 and 2.

Disable Trunking

Trunking provides the ability to run multiple VLANs across a single physical link. There are two recognized trunking protocols in the industry:

• 802.1q (IEEE)
• ISL (Cisco proprietary)

Cisco switches support this protocol on certain Ethernet blades. It is normally used to connect routers and switches together in an effort to save physical cabling and interfaces (with one link, a router can look like it has 5 or 10 different interfaces in a different VLAN). Cisco switch blades that support trunking by default are set to "auto-detect" trunking at link activation. This 'auto-detect' is what appears to have been disrupting the connection between the Nokia IP Appliances and the switch. The connection problem was resolved by disabling trunking on the Ethernet interfaces connecting the Nokia IP Appliances.

Turn off port list

With Catalyst switches, it is recommended you disable the "port list" feature with the following command:

config# set port channel "port list" off

This will allow port convergence time low enough for VRRP to work, without sending ICMP Destination Unreachable packets.

VRRP Flapping

Nokia has seen a problem with a Cisco box sending out a broadcast to learn routes on the VRRP_MCAST address (224.0.0.18). This causes VRRP to get into an unstable state. You can run the following command:

config# set port channel [port#] mode desirable silent

Where [port#]is the port number on the switch the firewall is plugged into. This command stops the machine from sending multicasts for the purpose of "channelizing" during its bootup.

Some interfaces in VRRP master, some in backup

Ensure your Catalyst switch has the latest firmware and that port fast is enabled, as described above.