Transparent Mode Clustered Deployment with Multiple Bridge Groups and Dynamic Routing Protocols
Would you be so kind as to advise on the following. We are trying to deploy our FTDs as a cluster in transparent mode. The intention is to have TWO BVIs configured on them and to run dynamic routing protocols over these BVIs to establish EIGRP adjacency between the Layer 3 devices that sit on either end of the transparent FW. The diagram looks like this
For the avoidance of doubt:
C9Ks are NOT in VSS - they are two separate logical entities, hence the complexity of the routing layer
There's a reason we go for this deployment, so please don't question WHY. I know that SVL can simplify it.
C9K-1 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIx
C9K-2 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIy
Both N5Ks are stub routers and only advertise summaries and directly attached networks
Both N5Ks are neighbors via VLAN1801 and VLAN1802 (the corresponding BVIs), but also via VLAN1800 (P2P, not shown). Because SVI1801 and SVI1802 advertise summaries only (towards the C9Ks), we need a P2P interface where both N5Ks advertise their directly attached (non-summarized) networks to each other to avoid black-holing of traffic (the rare case of a DATA SVI being in a shut state on N5K-1, but not on N5K-2)
All good, with the exception that BVIy has to look WORSE from a routing perspective (that is, adjusted delay on the C9K and N5K SVIs that are bridged via BVIy - SVI1802 and SVI1812, delay 100). These are two separate bridge groups. A packet that entered N5K-1 via BVIx has to leave via BVIx. Without tuning the metric to make one BVI passive, it can be returned via BVIy, and the FTD will drop it as it expects it on BVIx
So, the question is... how do you group multiple bridge groups into zones? For example, VLANs 1801 and 1802 are in different bridge groups but in the same zone (inside), while VLANs 1811 and 1812 are in the same zone as well (outside)
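The metric tuning the post describes (making the path through BVIy look worse so that a flow returns through the same bridge group it entered) can be checked numerically with the classic EIGRP composite metric. The following Python is an added example, not code or configuration from the original post or from Cisco: it models one direction (routes received at N5K-1 for a network behind C9K-1) and shows that with equal SVI delays both BVIs tie and are both installed, which is exactly the asymmetric-return case, while `delay 100` on the BVIy-side SVI pushes that path out of the routing table. The interface names follow the post; the 1 Gbit/s bandwidth, the untuned SVI delay of 10 usec, the "data SVI" destination hop and the use of classic (not wide) metrics are assumptions made for this example.

```python
# Added example (not from the original post): classic EIGRP composite metric with
# default K values (K1=K3=1, K2=K4=K5=0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + sum(delay_usec) / 10)
# Delays below are in microseconds. The IOS/NX-OS `delay` command takes tens of
# microseconds, so the post's `delay 100` is 1000 usec. The untuned SVI delay of
# 10 usec and the 1 Gbit/s SVI bandwidth are assumptions for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One interface whose bandwidth/delay contributes to the route's metric."""
    name: str
    bandwidth_kbps: int
    delay_usec: int


def eigrp_metric(path):
    """Composite metric for a list of Hop objects along the path (integer
    arithmetic, as the router does it)."""
    if not path:
        raise ValueError("empty path")
    min_bw = min(h.bandwidth_kbps for h in path)
    total_delay = sum(h.delay_usec for h in path)
    return 256 * (10**7 // min_bw + total_delay // 10)


# Constructed topology from the post: BVIx bridges VLAN1801<->1811,
# BVIy bridges VLAN1802<->1812. The destination "data SVI" on C9K-1 is assumed.
DATA_SVI = Hop("C9K-1 data SVI (assumed)", 1_000_000, 10)

# Before tuning: both SVIs on N5K-1 carry the default delay.
UNTUNED = {
    "BVIx": [Hop("N5K-1 SVI1811", 1_000_000, 10), DATA_SVI],
    "BVIy": [Hop("N5K-1 SVI1812", 1_000_000, 10), DATA_SVI],
}

# After tuning: `delay 100` on SVI1812 (the BVIy side) = 1000 usec.
TUNED = {
    "BVIx": [Hop("N5K-1 SVI1811", 1_000_000, 10), DATA_SVI],
    "BVIy": [Hop("N5K-1 SVI1812", 1_000_000, 1000), DATA_SVI],
}


def path_metrics(paths):
    """Metric per BVI for the given candidate paths."""
    return {bvi: eigrp_metric(p) for bvi, p in paths.items()}


def installed_bvis(paths):
    """BVIs whose path lands in the routing table: every path tied at the
    lowest metric is installed (equal-cost), which is the asymmetric case."""
    metrics = path_metrics(paths)
    best = min(metrics.values())
    return sorted(bvi for bvi, m in metrics.items() if m == best)


if __name__ == "__main__":
    print("untuned:", path_metrics(UNTUNED), "installed:", installed_bvis(UNTUNED))
    print("tuned:  ", path_metrics(TUNED), "installed:", installed_bvis(TUNED))
```

Run it as a script to print both cases. The same tie-break has to be applied on the C9K side (the post's `delay 100` on SVI1802) so that the forward direction also prefers BVIx; otherwise each end would pick its own bridge group independently. If the switches run EIGRP wide metrics the scale factors differ, but the ordering of the two paths is the same.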