Re: ASA Firmware asa971-16-lfbff-k8 BVI bug?

wolfi5589 · ‎02-06-2018

Hello,

I am using a Cisco ASA 5506-X with FirePower. As of Firmware asa971-16-lfbff-k8 it is possible to bridge multiple physical interfaces to i.e. overcome the shortage of switching capabilities on the GigabitEthernet ports.

With that being said I created a bridge group "BVI1" with "nameif inside" and put the GigabitEthernet interfaces 5 to 8 into "bridge-group 1" with "nameif inside_1", "nameif inside_2", "nameif inside_3" and "nameif inside_4".
While it is possible to create access-groups pointing to one of the physical interface nameif's and to the bridge group interface nameif it is NOT possible to set "http" or "ssh"access to a configured bridge group nameif.

Is this working as intended? If yes, is there any reason for that?

I would have guessed that it is possible to set http and ssh to a bridge group nameif.

I would have as well guessed that it would not be possible anymore to set an access-group to a nameif on a physical interface which has been added to a bridge group.

Rahul Govindan · ‎02-06-2018

I believe this is a known limitation with the BVI. You cannot set management access (ssh,http etc) to the BVI interface. This is especially a problem when you want to manage this over VPN. There is an open bug for this:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr

slicerpro · ‎02-07-2018

I'm curious why you are doing BVI as opposed to Port channels

wolfi5589 · ‎02-07-2018

I am intending to use multiple physical GigabitEthernet ports of the ASA 5506-X for the same network subnet to connect different clients.

As far as I have understood Port Channels would be used to increase throughput and/or redundancy to compensate for possible link failures.