Network failure with Passport IST

Status
Not open for further replies.

edard

Technical User
Oct 26, 2005
1
FR
Hello,

I have two Passport 8600s and some 450 stacks with SMLT (and so, an IST between the two Passports).

I want to plug in a new gateway antivirus product (Aladdin eSafe 2 server cluster in bridge mode). I have to plug one network card of each server into the LAN (Passport), and the others into a specific switch where the firewall gateway is plugged in. Normally, the cluster acts as a transparent bridge.

But when I do that, my network has a general failure: the IST goes down on the second Passport with two messages:
_[10/25/05 11:34:57] smltIstSessionDown
_[10/25/05 11:34:57] WARNING Task=tMainTask Shutdown port 1/34 due to excessive control frames multicast 2, broadcast 11474 packet per second


Of course, 1/34 is the IST port. When I unplugged my eSafe cluster, the network remained disturbed for a few hours.

I know that to do load balancing, the eSafe cluster uses switch flooding, which hides the MAC address of the firewall gateway behind the cluster MAC address, to prevent the learning process of the switch and force broadcast of frames for the gateway.

Can this mechanism disturb the Passport?


I also saw that sometimes the eSafe cluster sends a lot of frames in a short period of time (unicast or broadcast); maybe it can disturb the network, but I can't understand why, after unplugging the cluster, it's still disturbed for a few hours. Is there a specific command that can force a reset of some tables manually, in order to avoid the reboot?

Thanks for the help.
 
I'm guessing your IST is over a single-port MLT and you've got CP Limit enabled for broadcast & multicast. The error message says you are exceeding the threshold value and the CPU shuts that port down - also killing your IST.

Either this appliance is generating a broadcast storm or when its connected to both IST cores it is in some sort of bridge loop.

To restore, remove appliance dual core connection, disable and enable port 1/34.

I'd rethink the bridge mode since best results would be if the appliance forwarded the BPDUs and one port goes into spanning tree block mode - assuming you have the appliance connected to STG-enabled core switch ports.
 
I'll second and add to goodingsd's comments.

In an IST design you want to make the IST part of a multi-port, multi-blade MLT bundle using the fastest links you can. You also want to disable STP, CP-Limit, and any other automatic shutdown features that could activate because having your IST go down is a horrible situation to be in.

But that's not the real problem here. If the cluster is really acting as a bridge, then you're creating a layer 2 network loop, which will cause problems even if you force the IST link to stay up and endure the load. Your best bet would be to explore the cluster's settings and find a configuration that doesn't act as a bridge.
 
Also, as an added FYI just to toss in $0.02, you want to turn auto-neg off on all switch-to-switch MLTs, regardless of type. This was per Nortel with an issue that we were having.
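
An added example, not part of any post in this thread: a Python script that scans a switch log for the two messages quoted in the question and reports control-frame shutdowns that hit an IST port at the moment the IST session dropped. The sample log is constructed (its third line is invented filler), and the IST port set and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two lines quoted in the question plus one invented filler line.
SAMPLE_LOG = """\
[10/25/05 11:34:57] smltIstSessionDown
[10/25/05 11:34:57] WARNING Task=tMainTask Shutdown port 1/34 due to excessive control frames multicast 2, broadcast 11474 packet per second
[10/25/05 11:40:02] INFO constructed filler line, not real switch output
"""

STAMP = r"\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\]"
IST_DOWN = re.compile(STAMP + r"\s+smltIstSessionDown")
CP_SHUT = re.compile(
    STAMP + r".*Shutdown port (\d+/\d+) due to excessive control frames "
    r"multicast (\d+), broadcast (\d+) packet per second")

def _ts(text):
    # Timestamp layout as it appears in the quoted messages (month/day/year).
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def parse(log_text):
    """Return (ist_down_times, shutdowns) found in the log text."""
    ist_down, shutdowns = [], []
    for line in log_text.splitlines():
        # search() tolerates the leading '_' seen in the forum paste.
        m = CP_SHUT.search(line)
        if m:
            shutdowns.append({"time": _ts(m.group(1)), "port": m.group(2),
                              "multicast_pps": int(m.group(3)),
                              "broadcast_pps": int(m.group(4))})
            continue
        m = IST_DOWN.search(line)
        if m:
            ist_down.append(_ts(m.group(1)))
    return ist_down, shutdowns

def correlate(log_text, ist_ports, window_s=5):
    """Shutdowns on a known IST port with an IST-down event within window_s seconds."""
    ist_down, shutdowns = parse(log_text)
    window = timedelta(seconds=window_s)  # assumption: 5 s is close enough to call related
    return [s for s in shutdowns
            if s["port"] in ist_ports
            and any(abs(s["time"] - t) <= window for t in ist_down)]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG, ist_ports={"1/34"}):  # IST port taken from the question
        print(f"{hit['time']} IST port {hit['port']} shut down: "
              f"broadcast {hit['broadcast_pps']} pps, multicast {hit['multicast_pps']} pps")
```
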
 