topic Re: FTD block traffic in same VLAN in Network Security

FTD block traffic in same VLAN

khld.saad — Fri, 21 Feb 2020 15:40:27 GMT

I have Ftd but still in test environment as we have try to get it on production two times but it fail because it blocks the traffic in the same vlan i know its wired but that what happened the hosted in same vlan is blocked a cant even ping its always say ping translate fail . I have upgraded to 6.2.3 and the same issues exist ..

any help to solve it

Re: FTD block traffic in same VLAN

Marvin Rhoads — Thu, 26 Apr 2018 13:24:39 GMT

Unlike with classic ASA software, Firepower Threat Defense by default allows same-security traffic both inter- and intra-interface.

Can you share screenshots of your access control policy and interface settings? you might also use packet-tracer to check what's happening with a test traffic flow.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.html#anc16

Also, architecturally, why would traffic within a VLAN even attempt to transit the FTD appliance? Normally a host would arp for the destination address and, finding it, send the traffic directly to the destination MAC address and not use any gateway or network-based firewall or IPS.

Re: FTD block traffic in same VLAN

khld.saad — Sun, 29 Apr 2018 14:06:14 GMT

i know its wired that its block traffic in L2 but that what really happen .

there is the screen shot and the packet tracer output y will see it drooped

and i have capture the L2 traffic y will see what happen

Re: FTD block traffic in same VLAN

Marvin Rhoads — Sun, 29 Apr 2018 14:18:47 GMT

Can you share cli packet-tracer output?

Alos it looks like you are using custom MAC addresses all beginning with 0000.0000.000x. I wonder if this is causing any problem?

Re: FTD block traffic in same VLAN

khld.saad — Sun, 29 Apr 2018 14:52:57 GMT

> packet-tracer input Core-Vlan tcp 192.168.0.200 111 192.168.0.201 11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.201 using egress ifc Core-Vlan

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: default - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: Core-Vlan
input-status: up
input-line-status: up
output-interface: Core-Vlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: FTD block traffic in same VLAN

khld.saad — Sun, 29 Apr 2018 14:54:58 GMT

how custom MAC addresses make problem ?

its not duplicate

Re: FTD block traffic in same VLAN

Marvin Rhoads — Sun, 29 Apr 2018 15:00:43 GMT

The custom MAC addresses aren't necessarily a problem. But a basic rule is when there is a problem, we look for unusual settings.

Your packet-tracer shows the traffic being denied due to an ACL. Have a look at your access control and prefilter policies.

Re: FTD block traffic in same VLAN

khld.saad — Mon, 30 Apr 2018 09:15:07 GMT

the question now why FTD act in L2 instead of Switchs

Re: FTD block traffic in same VLAN

khld.saad — Sun, 06 May 2018 13:16:09 GMT

did you have see this TCP wireshark ?

Re: FTD block traffic in same VLAN

Marvin Rhoads — Wed, 09 May 2018 15:02:20 GMT

Your FTD device can also be setup to do integrated routing and bridging, thus effectively acting as a switch. If so, you need a policy to permit inter-interface traffic within a given BVI group.

Re: FTD block traffic in same VLAN

khld.saad — Tue, 15 May 2018 10:32:20 GMT

how to check if my FTD do integrated routing and bridging
and how can i disable it .

Re: FTD block traffic in same VLAN

Marvin Rhoads — Tue, 15 May 2018 10:52:20 GMT

Have a look at the interfaces setup in FMC.

If there is integrated routing and bridging, there will be bridge groups and switched interfaces configured.

Re: FTD block traffic in same VLAN

khld.saad — Tue, 15 May 2018 20:55:59 GMT

i have config sub interface under ether1/1 with many vlan so i think that i have Integrated Routing and Bridging but i have read alot it its control the traffic bet different vlan not in same vlan
but i ll try to remove it i use the interfaces and see if still block traffic or not
i ll check and feed you back .

Re: FTD block traffic in same VLAN

khld.saad — Sun, 20 May 2018 07:59:28 GMT

could you tell me why FTD act like this .

Re: FTD block traffic in same VLAN

Marvin Rhoads — Sun, 20 May 2018 13:06:10 GMT

Well you seem to have two Cisco devices configured with the IP address 192.168.0.9.

00:24:51 Cisco Systems, Inc
38:90:A5 Cisco Systems, Inc

You've not shared sufficient details of your setup to let us provide any further insight.

If this is under support you might just open a TAC case and the engineer can work with you in real time. If it's just a lab then why not share the full configuration?

Re: FTD block traffic in same VLAN

khld.saad — Mon, 21 May 2018 08:22:10 GMT

00:24:51 Cisco Systems, Inc >>>> is a layer two Switch has Vlan interface with IP 192.168.0.9
38:90:A5 Cisco Systems, Inc>>>>> the FTD and its have a sub interface with 192.168.0.254

there is no duplicaion in IPs

but always the FTD do this issuse and that why the traffic is blocked in Layer 2 .

this scenario was a going to be a production but after a lot of failure downtime its become a lab to test and insure that will run in production with no issues.

Re: FTD block traffic in same VLAN

Marvin Rhoads — Mon, 21 May 2018 11:47:56 GMT

I recommend opening a TAC case spo the engineer can work with you in real time.

Re: FTD block traffic in same VLAN

khld.saad — Tue, 16 Oct 2018 09:52:46 GMT

it was miss config in nat command that turn the Device as proxy arp