01-10-2024 09:08 AM - edited 01-10-2024 05:15 PM
Scenario - 3850 Fiber Distribution switch that feeds 5 locations. Ports TE3/0/1-TE3/0/5 go to buildings 1-5. Port TE3/0/12 is the uplink to the Core switch which then connects to my router. This is a flat network topology with a subnet of 172.16.0.0/16 (Vlan 16) and a Management network of 10.1.254.0/24 (Vlan 254). From the 3850 switch all links are trunks with both networks (Vlan 16 & Vlan 254). At all 5 locations I've installed an FTD 1010 in transparent mode. Interface vlans have been created as well as the BVIs and all looks good at the FTDs in the FMC, etc.
On my 3850 I'm seeing MAC Address flapping between any of the TE3/0/1-5 ports and the TE3/0/12 port with the mac address of my router. I'm also seeing spanning-tree port blocking on these ports TE3/0/1-5, but not on all of them all of the time.
There are no network loops; this is a very simple topology. If I physically remove the FTDs from the topology all goes back to normal and works... no MAC address flapping or spanning-tree blocks.
I've done a bit of research but haven't come up with a solid solution. Anyone have any thoughts here?
Thanks in advance,
Mark
01-10-2024 01:40 PM
Sorry, can you draw the topology?
Thanks
MHM
01-10-2024 05:16 PM
Hello MHM,
I edited my post and added a diagram. Please take a look and let me know if you have any questions.
Mark
01-11-2024 03:23 AM - edited 01-11-2024 03:24 AM
What is the VLAN between FTD and SW and between FTD and core SW?
MHM
01-11-2024 06:57 AM
Both are trunks with VLAN 16 and VLAN 254.
01-11-2024 07:02 AM - edited 01-11-2024 07:45 AM
But the FTD is in transparent mode and the VLANs need to be different:
the inside VLANx, the outside VLANy.
The FTD changes the NAT tag when a frame passes through the FTD.
I think this makes a loop in your network.
MHM
01-11-2024 07:22 AM
It is running in transparent mode. There is no NAT running on the FTD. I configured the interfaces in the following manner.
01-11-2024 08:14 AM
I know, friend, you already replied to my Q,
but that is wrong.
You need to specify different VLANs.
01-11-2024 08:28 AM
Ok, so let me see if I understand what you are saying.
My understanding is that one of the benefits of using FTD in transparent mode is that you can insert it into the network without having to make changes to your current network.
Are you saying I need to change the vlan on the INSIDE switch to a different VLAN or just from the INSIDE/OUTSIDE interface on the FTD? I'm not quite following you here. If I have to make changes to my inside network switches then this isn't a good solution.
01-11-2024 08:23 AM
@MHM Cisco World is correct here. You need to decide which interface goes to the building and which goes towards the core; then on the building interface keep only the VLANs specific for the building and remove the VLAN that is for the core. Then do the opposite for the interface connected to the core: remove the building VLANs and keep the core VLANs.
01-11-2024 08:30 AM
I'm not following what you are saying here... I need both VLANs going to the core and to the building. VLAN 16 is my data for the building and VLAN 254 is my management VLAN.
01-11-2024 10:18 AM
You don't need to make changes to the IP subnet setup, which is what is meant by not needing to make changes. There does need to be some L2 change, but that is minor compared to having to set up new subnets.
OK, so if you need both then you would need separate VLANs for each on the building side.
For example, if VLAN 16 (data) and VLAN 254 (MGMT) are in the core, you would need to "map" them to separate VLANs on the building side, let's say VLAN 15 (data) and VLAN 253 (MGMT) for this example. This is done by assigning each interface a separate VLAN but binding them to the same BVI interface.
So on core switch side of the FTD you would have VLAN 16 and VLAN 254, then on the building side you would have VLAN 15 and VLAN 253.
01-11-2024 10:29 AM
Ok, so if I am understanding you correctly, I'd leave the following as is, since I already have interface vlans for 16 and 254 bound to the BVI and e1/1 (Outside) is set as a trunk with vlan 16, 254 coming from the CORE.
On the FTD I'd add interface vlans for 15 and 253, then add those to the BVI. Also make sure to change e1/8 (Inside) from a trunk with vlan 16 and 254 to a trunk with vlan 15, 253. I assume I'd have to change the trunk at the building switch to allow 15 and 253 and then change the ports on the switch to access for 15 or 253 respectively. Am I missing anything? So the FTD would map the vlans correctly within the BVI based on the subnet?
01-11-2024 10:37 AM - edited 01-11-2024 10:38 AM
You can use any VLAN in the trunk between the AccessSW and FTD,
but you must use one BVI for each pair of VLANs,
i.e. VLAN16 and VLAN15 use BVI1,
VLAN254 and VLAN253 use BVI2.
Here the Access SW sends a frame tagged with VLAN15 and the FTD removes this tag (after inspection), tags it again with VLAN16 and forwards it to the CoreSW.
MHM
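As an added illustration (my own code, not from any poster and not an FTD or FMC configuration), the rule from the last two replies modelled in Python: each BVI joins exactly one core-side VLAN to one building-side VLAN, and the as-posted setup is modelled as the same VLAN on both sides of each bridge group. The `BridgeGroup` type, the function names and the two sample plans are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeGroup:
    """One BVI on the transparent FTD: two VLAN interfaces bound together (assumed model)."""
    bvi: int
    outside_vlan: int   # VLAN on the core-facing interface (e1/1 in the thread)
    inside_vlan: int    # VLAN on the building-facing interface (e1/8 in the thread)


def validate_bridge_groups(groups):
    """Return a list of problems with the plan; an empty list means it is sound."""
    problems = []
    owners = {}  # VLAN -> BVI that already uses it
    for g in groups:
        if g.outside_vlan == g.inside_vlan:
            problems.append(f"BVI{g.bvi}: VLAN {g.inside_vlan} on both sides, frames are not re-tagged")
            continue
        for vlan in (g.outside_vlan, g.inside_vlan):
            if vlan in owners:
                problems.append(f"VLAN {vlan} is already bound to BVI{owners[vlan]}")
            owners[vlan] = g.bvi
    return problems


def retag(groups, ingress_side, vlan):
    """Egress tag for a frame entering on `ingress_side` ("inside"/"outside") tagged `vlan`.
    None means the VLAN belongs to no bridge group, so the frame is not forwarded."""
    for g in groups:
        if ingress_side == "inside" and g.inside_vlan == vlan:
            return g.outside_vlan
        if ingress_side == "outside" and g.outside_vlan == vlan:
            return g.inside_vlan
    return None


def trunk_allowed_vlans(groups, side):
    """VLAN list for `switchport trunk allowed vlan ...` on the switch port facing `side`."""
    vlans = [g.inside_vlan if side == "inside" else g.outside_vlan for g in groups]
    return ",".join(str(v) for v in sorted(vlans))


# Constructed sample plans: the setup as originally posted, and the mapping proposed in the replies.
AS_POSTED = [BridgeGroup(1, 16, 16), BridgeGroup(2, 254, 254)]
FIXED = [BridgeGroup(1, outside_vlan=16, inside_vlan=15),
         BridgeGroup(2, outside_vlan=254, inside_vlan=253)]

if __name__ == "__main__":
    print("as posted:", validate_bridge_groups(AS_POSTED))
    print("fixed:", validate_bridge_groups(FIXED) or "ok")
    print("building host in VLAN 15 exits toward the core as VLAN", retag(FIXED, "inside", 15))
    print("building trunk: switchport trunk allowed vlan", trunk_allowed_vlans(FIXED, "inside"))
```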
01-11-2024 10:42 AM
Ok, this makes sense now.