01-10-2024 09:08 AM - edited 01-10-2024 05:15 PM
Scenario - 3850 Fiber Distribution switch that feeds 5 locations. Ports TE3/0/1-TE3/0/5 go to buildings 1-5. Port TE3/0/12 is the uplink to the Core switch which then connects to my router. This is a flat network topology with a subnet of 172.16.0.0/16 (Vlan 16) and Management network of 10.1.254.0/24 (Vlan 254). From the 3850 switch all links are trunks with both networks (Vlan 16 & Vlan 254). At all 5 locations I've installed an FTD 1010 in transparent mode. Interface vlans have been created as well as the BVI's and all looks good at the FTDs in the FMC, etc.
On my 3850 I'm seeing MAC Address flapping between any of the TE3/0/1-5 ports and the TE3/0/12 port with the mac address of my router. I'm also seeing spanning-tree port blocking on these ports TE3/0/1-5, but not on all of them all of the time.
There are no network loops; this is a very simple topology. If I physically remove the FTDs from the topology all goes back to normal and works... no MAC address flapping or spanning-tree blocks.
I've done a bit of research but haven't come up with a solid solution. Anyone have any thoughts here?
Thanks in advance,
Mark
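An added example, not part of this thread: the flapping described above shows up on a Catalyst as %SW_MATM-4-MACFLAP_NOTIF syslog messages. This script parses those lines (constructed sample log, made-up MACs) and reports which MACs flap between the core uplink and another port, i.e. the router-MAC pattern the post describes; the port name TE3/0/12 is taken from the post and compared case-insensitively.

```python
import re
from collections import defaultdict

# Constructed sample syslog from a Catalyst switch; MACs and timestamps are
# made up, but the %SW_MATM-4-MACFLAP_NOTIF message format is the real one.
SAMPLE_LOG = """\
Jan 10 09:01:12.001: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 16 is flapping between port Te3/0/1 and port Te3/0/12
Jan 10 09:01:13.504: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 16 is flapping between port Te3/0/12 and port Te3/0/3
Jan 10 09:01:15.220: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 254 is flapping between port Te3/0/2 and port Te3/0/12
Jan 10 09:02:40.000: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.eeff in vlan 16 is flapping between port Te3/0/4 and port Te3/0/5
Jan 10 09:03:01.000: %LINK-3-UPDOWN: Interface TenGigabitEthernet3/0/7, changed state to up
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(log_text):
    """Extract (mac, vlan, port_a, port_b) from every MACFLAP line; other lines are ignored."""
    flaps = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append((m["mac"].lower(), int(m["vlan"]), m["p1"].lower(), m["p2"].lower()))
    return flaps


def summarize(flaps):
    """Group flap events per MAC: event count, VLANs seen and the set of ports involved."""
    summary = defaultdict(lambda: {"events": 0, "vlans": set(), "ports": set()})
    for mac, vlan, p1, p2 in flaps:
        entry = summary[mac]
        entry["events"] += 1
        entry["vlans"].add(vlan)
        entry["ports"].update((p1, p2))
    return dict(summary)


def flapping_via_uplink(summary, uplink):
    """MACs whose flapping involves the uplink port: the pattern from the post, where the
    router's MAC alternates between the core uplink and one of the FTD-facing ports."""
    uplink = uplink.lower()
    return sorted(mac for mac, e in summary.items() if uplink in e["ports"] and len(e["ports"]) > 1)


if __name__ == "__main__":
    s = summarize(parse_flaps(SAMPLE_LOG))
    for mac in flapping_via_uplink(s, "TE3/0/12"):
        e = s[mac]
        print(f"{mac}: {e['events']} events, vlans {sorted(e['vlans'])}, ports {sorted(e['ports'])}")
```

Feed it the output of `show logging` from the 3850 to see how many distinct MACs are affected and whether every flap pairs the uplink with an FTD-facing port.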
01-11-2024 10:44 AM
Friend, do this in one FTD and then in two FTDs, and check the STP and loop.
good luck friend
MHM
01-11-2024 10:53 AM
Do I need an IP on each BVI within the respective subnet?
01-11-2024 11:06 AM
I've updated the interface, vlan, and bvi configuration for one FTD. If I am understanding correctly, then this should be right. I'll need to go to the building site to configure the switch real quick then I can test. BVI 1 has vlan 15,16 and bvi 2 has vlan 253,254.
01-11-2024 11:20 AM
Yes that looks correct, and yes you will need to amend the switch configuration to allow for the new VLANs.
As for the BVIs you do not need IPs on them for them to work. I have always had IPs on the BVIs as it helps me read and understand the traffic flow better.
01-11-2024 11:24 AM - edited 01-11-2024 11:24 AM
As for the BVIs you do not need IPs on them for them to work. I have always had IPs on the BVIs as it helps me read and understand the traffic flow better. <<- totally correct, we give the BVI an IP only for monitoring; it does not affect BVI status
MHM
01-12-2024 06:49 AM
@Marius Gunnerud @MHM Cisco World It's going to take me a couple of days to get this all done and tested. I tried to do a quick update to the configuration and switches yesterday and the FTD did not pass any traffic, so I need to dig in a bit more and see what is going on. I hope to have all of this set up in my lab and tested by the end of the weekend.
01-12-2024 06:53 AM
Take your time friend
Have a nice weekend
MHM
01-11-2024 11:34 AM
and a note on the IP for the BVI groups, if you need to source traffic from the FTD within the subnet attached to a BVI, then that BVI interface will need an IP address.
01-11-2024 10:24 AM
CoreSW -trunk allow vlan 16,254- OUTside_FTD_INside -trunk allow vlan 116,354- accessSW
Only change the VLAN in the access SW; do NOT change the subnet.
The accessSW subnet x.x.x.x for vlan 116 is the same subnet as vlan 16 in CoreSW, etc.
This way the FTD does not change your network.
Only do this in one FTD and check it.
MHM
01-10-2024 11:35 PM
Have you verified the spanning-tree topology, that the switch in the core is the root bridge and no other switch is trying to take over the role of root?
01-11-2024 07:11 AM
CORE_SW config and output.
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,16-17,25,99-100,190,254,999 priority 24576
The only spanning-tree configuration on ports is "spanning-tree portfast" where an end device like a workstation is connected.
Here is the output for: show spanning-tree summary
CORE_SW#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0016-VLAN0017, VLAN0025, VLAN0100, VLAN0190
VLAN0254, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 3 3
VLAN0016 0 0 0 42 42
VLAN0017 0 0 0 2 2
VLAN0025 0 0 0 3 3
VLAN0100 0 0 0 2 2
VLAN0190 0 0 0 3 3
VLAN0254 0 0 0 3 3
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0999 0 0 0 1 1
---------------------- -------- --------- -------- ---------- ----------
8 vlans 0 0 0 59 59
Fiber_Dist_SW config and output.
spanning-tree mode rapid-pvst
spanning-tree extend system-id
No spanning-tree configuration on ports.
Here is the output for: show spanning-tree summary
Fiber_Dist_SW#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 2 2
VLAN0016 0 0 0 5 5
VLAN0025 0 0 0 2 2
VLAN0190 0 0 0 3 3
VLAN0254 0 0 0 3 3
---------------------- -------- --------- -------- ---------- ----------
5 vlans 0 0 0 15 15
The ports with FTDs connected are currently shut. If I enable more than one of those ports all heck breaks loose and spanning-tree blocks ports and VLANs. It seems to be something coming from the FTDs... perhaps the bridge BVI? Since it's mimicking a switch, might there be some BPDUs coming from the FTDs that are causing the issue?