
FTD block traffic in same VLAN

khld.saad
Level 1

I have an FTD, but it is still in a test environment, as we have tried to put it into production twice and it failed because it blocks traffic in the same VLAN. I know it's weird, but that is what happened: hosts in the same VLAN are blocked; I can't even ping, it always says ping translation failed. I have upgraded to 6.2.3 and the same issue exists.

Any help to solve it?

Accepted Solution

It was a misconfiguration in the NAT command that turned the device into a proxy ARP.


17 Replies

Marvin Rhoads
Hall of Fame

Unlike with classic ASA software, Firepower Threat Defense by default allows same-security traffic both inter- and intra-interface.


Can you share screenshots of your access control policy and interface settings? You might also use packet-tracer to check what's happening with a test traffic flow.


https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.html#anc16


Also, architecturally, why would traffic within a VLAN even attempt to transit the FTD appliance? Normally a host would ARP for the destination address and, finding it, send the traffic directly to the destination MAC address and not use any gateway or network-based firewall or IPS.

I know it's weird that it blocks traffic at L2, but that is what really happens.


Here is the screenshot and the packet-tracer output; you will see it dropped.

And I have captured the L2 traffic; you will see what happens.


Attachments: access rule policy.JPG, Captccure.JPG, Capture2.JPG, FTD JPG.JPG, FTD.JPG

Can you share cli packet-tracer output?


Also, it looks like you are using custom MAC addresses all beginning with 0000.0000.000x. I wonder if this is causing any problem?

> packet-tracer input Core-Vlan tcp 192.168.0.200 111 192.168.0.201 11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.201 using egress ifc Core-Vlan

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: default - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: Core-Vlan
input-status: up
input-line-status: up
output-interface: Core-Vlan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
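A small diagnostic, added here as an example and not part of the original thread, that parses packet-tracer output of the shape posted above: it reports the phase and rule-id that dropped the flow, and flags the symptom this thread is about, a flow whose ingress and egress interface are the same (same-subnet hosts being pulled through the firewall, which the accepted answer traced to NAT-driven proxy ARP). The sample text is constructed and abridged from the output above.

```python
import re

# Constructed sample, abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
found next-hop 192.168.0.201 using egress ifc Core-Vlan

Phase: 2
Type: ACCESS-LIST
Result: DROP
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE

Result:
input-interface: Core-Vlan
output-interface: Core-Vlan
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    # Blocks are separated by blank lines: "Phase: N" blocks, then a final "Result:" block.
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": lines[0].split(":", 1)[1].strip()}
            for ln in lines[1:]:
                key, _, val = ln.partition(":")
                if key in ("Type", "Subtype", "Result"):
                    phase[key.lower()] = val.strip()
                m = re.match(r"access-list .*?rule-id (\d+)", ln)
                if m:  # first hit is the permit/deny line; remark lines repeat the same id
                    phase.setdefault("rule_id", m.group(1))
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for ln in lines[1:]:
                key, _, val = ln.partition(":")
                summary[key.strip()] = val.strip()
    return phases, summary

def diagnose(text):
    phases, summary = parse_packet_tracer(text)
    findings = []
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop:
        findings.append(f"dropped in {drop['type']} phase by rule-id {drop.get('rule_id', '?')}")
    ifc = summary.get("input-interface")
    if ifc and ifc == summary.get("output-interface"):
        # Same-subnet hosts should not need the firewall at all; if the flow hairpins on one
        # interface, something (here a NAT rule enabling proxy ARP) is answering ARP for them.
        findings.append(f"intra-interface flow on {ifc}: check NAT rules and proxy ARP")
    return findings
```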

How do custom MAC addresses cause a problem?

They're not duplicates.

The custom MAC addresses aren't necessarily a problem. But a basic rule is when there is a problem, we look for unusual settings.


Your packet-tracer shows the traffic being denied due to an ACL. Have a look at your access control and prefilter policies.

The question now is why the FTD acts at L2 instead of the switches.

Did you see this TCP Wireshark capture?

Your FTD device can also be set up to do integrated routing and bridging, thus effectively acting as a switch. If so, you need a policy to permit inter-interface traffic within a given BVI group.

How can I check whether my FTD does integrated routing and bridging, and how can I disable it?

Have a look at the interfaces setup in FMC.


If there is integrated routing and bridging, there will be bridge groups and switched interfaces configured.

I have configured sub-interfaces under Ethernet1/1 with many VLANs, so I think I have Integrated Routing and Bridging, but I have read a lot that it controls traffic between different VLANs, not within the same VLAN.
But I'll try to remove it, use the interfaces, and see whether it still blocks traffic or not.
I'll check and feed back to you.

Could you tell me why the FTD acts like this?


Well you seem to have two Cisco devices configured with the IP address 192.168.0.9.


00:24:51 Cisco Systems, Inc
38:90:A5 Cisco Systems, Inc


You've not shared sufficient details of your setup to let us provide any further insight.


If this is under support you might just open a TAC case and the engineer can work with you in real time. If it's just a lab then why not share the full configuration?
