FTD - BPDU & MAC Address Flapping

MarkNode17 (Level 1)

Scenario - 3850 fiber distribution switch that feeds 5 locations. Ports TE3/0/1-TE3/0/5 go to buildings 1-5. Port TE3/0/12 is the uplink to the Core switch, which then connects to my router. This is a flat network topology with a subnet of 172.16.0.0/16 (Vlan 16) and a management network of 10.1.254.0/24 (Vlan 254). From the 3850 switch all links are trunks carrying both networks (Vlan 16 & Vlan 254). At all 5 locations I've installed an FTD 1010 in transparent mode. Interface VLANs have been created as well as the BVIs, and all looks good at the FTDs in the FMC, etc.

On my 3850 I'm seeing MAC address flapping between any of the TE3/0/1-5 ports and the TE3/0/12 port with the MAC address of my router. I'm also seeing spanning-tree port blocking on these ports TE3/0/1-5, but not on all of them all of the time.

There are no network loops; this is a very simple topology. If I physically remove the FTDs from the topology all goes back to normal and works... no MAC address flapping or spanning-tree blocks.

I've done a bit of research but haven't come up with a solid solution. Anyone have any thoughts here?

 

Thanks in advance,

Mark


Friend, do this in one FTD, and then in two FTDs, and check the STP and loop.
Good luck, friend.
MHM

Do I need an IP on each BVI within the respective subnet?

I've updated the interface, VLAN, and BVI configuration for one FTD. If I am understanding correctly, then this should be right. I'll need to go to the building site to configure the switch real quick, then I can test. BVI 1 has VLAN 15,16 and BVI 2 has VLAN 253,254.

(Attached screenshot: FTD-IB (Int changes).png)

Yes that looks correct, and yes you will need to amend the switch configuration to allow for the new VLANs.

As for the BVIs, you do not need IPs on them for them to work. I have always had IPs on the BVIs as it helps me read and understand the traffic flow better.

--
Please remember to select a correct answer and rate helpful posts

"As for the BVIs you do not need IPs on them for them to work. I have always had IPs on the BVIs as it helps me read and understand the traffic flow better." <<- Totally correct; we give the BVI an IP only for monitoring, it does not affect BVI status.
MHM

@Marius Gunnerud @MHM Cisco World It's going to take me a couple of days to get this all done and tested. I tried to do a quick update to the configuration and switches yesterday and the FTD did not pass any traffic, so I need to dig in a bit more and see what is going on. I hope to have all of this set up in my lab and tested by the end of the weekend.

Take your time friend 

Have a nice weekend 

MHM

And a note on the IP for the BVI groups: if you need to source traffic from the FTD within the subnet attached to a BVI, then that BVI interface will need an IP address.

--
Please remember to select a correct answer and rate helpful posts

CoreSW --(trunk allow vlan 16,254)-- OUTside_FTD_INside --(trunk allow vlan 116,354)-- accessSW

Only change the VLAN in the access SW; do NOT change the subnet.
The accessSW subnet x.x.x.x for VLAN 116 is the same subnet as VLAN 16 in the CoreSW, etc.
This way the FTD does not change your network.
Only do this in one FTD and check it.
MHM
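MHM's layout above as a concrete trunk configuration. This is an added illustration, not configuration posted in the thread; the access-switch port name and the FTD bridge-group membership are assumptions, while TE3/0/1 and the VLAN numbers come from the posts.

```ios
! Fiber_Dist_SW (3850): port toward the FTD outside interface at building 1.
! Only the original VLAN IDs are carried on this side of the FTD.
interface TenGigabitEthernet3/0/1
 switchport mode trunk
 switchport trunk allowed vlan 16,254
!
! Building 1 access switch: port toward the FTD inside interface.
! Port name is assumed; VLAN IDs are renamed, the IP subnets are not.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 116,354
!
! FTD 1010 (configured through FMC, assumed membership):
!   BVI 1 bridges outside sub-interface VLAN 16  <-> inside VLAN 116  (172.16.0.0/16)
!   BVI 2 bridges outside sub-interface VLAN 254 <-> inside VLAN 354  (10.1.254.0/24)
! Hosts keep their addresses; only the 802.1Q tag changes as a frame crosses the FTD.
```

Because the access-switch side never sees tags 16 or 254, a frame that somehow re-enters the distribution switch through a second FTD cannot be mistaken for the same VLAN, which is the point of testing it on one FTD first.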

Have you verified the spanning-tree topology, that the switch in the core is the root bridge and no other switch is trying to take over the role of root?

--
Please remember to select a correct answer and rate helpful posts

CORE_SW config and output.

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1,16-17,25,99-100,190,254,999 priority 24576

The only spanning-tree configuration on ports is "spanning-tree portfast", where an end device like a workstation is connected.

Here is the output for: show spanning-tree summary

CORE_SW#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0016-VLAN0017, VLAN0025, VLAN0100, VLAN0190
VLAN0254, VLAN0999
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          3          3
VLAN0016                      0         0        0         42         42
VLAN0017                      0         0        0          2          2
VLAN0025                      0         0        0          3          3
VLAN0100                      0         0        0          2          2
VLAN0190                      0         0        0          3          3
VLAN0254                      0         0        0          3          3
VLAN0999                      0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
8 vlans                       0         0        0         59         59

 

Fiber_Dist_SW config and output.

spanning-tree mode rapid-pvst
spanning-tree extend system-id

No spanning-tree configuration on ports.

Here is the output for: show spanning-tree summary

Fiber_Dist_SW#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                      0         0        0          2          2
VLAN0016                      0         0        0          5          5
VLAN0025                      0         0        0          2          2
VLAN0190                      0         0        0          3          3
VLAN0254                      0         0        0          3          3
---------------------- -------- --------- -------- ---------- ----------
5 vlans                       0         0        0         15         15

The ports with FTDs connected are currently shut. If I enable more than 1 of those ports all heck breaks loose and spanning-tree blocks ports and VLANs. It seems to be something coming from the FTDs... perhaps the bridge BVI? Since it's mimicking a switch, might there be some BPDUs coming from the FTDs that are causing the issue?
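A small check for the two summaries posted above: it parses `show spanning-tree summary`, records which VLANs the switch is root for and the global BPDU Guard default, and reports any VLAN with blocking ports. This is an added example, not code from the thread; the sample output is constructed from the Fiber_Dist_SW summary with blocking ports injected on VLAN0254 so the check has something to report.

```python
"""Parse 'show spanning-tree summary' and flag blocking ports or an unexpected root role."""
import re

# Constructed sample (abbreviated Fiber_Dist_SW output, blocking ports injected on VLAN0254).
SAMPLE = """\
Fiber_Dist_SW#show spanning-tree summary
Root bridge for: none
PortFast BPDU Guard Default is disabled
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0016                      0         0        0          5          5
VLAN0254                      2         0        0          1          3
---------------------- -------- --------- -------- ---------- ----------
2 vlans                       2         0        0          6          9
"""

# One per-VLAN row: the VLAN name followed by five integer counters.
ROW = re.compile(r"^(VLAN\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_summary(text):
    """Return root VLANs, the global BPDU Guard default and per-VLAN port
    counts. 'Root bridge for:' is read from its first line only; IOS wraps
    long lists (see the CORE_SW output), so join those lines first."""
    info = {"root_for": [], "bpdu_guard": False, "vlans": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Root bridge for:"):
            names = line.split(":", 1)[1].strip()
            if names.lower() != "none":
                info["root_for"] = [n.strip() for n in names.split(",")]
        elif line.startswith("PortFast BPDU Guard Default is"):
            info["bpdu_guard"] = line.endswith("enabled")
        elif (m := ROW.match(line)):
            blk, lis, lrn, fwd, act = (int(x) for x in m.groups()[1:])
            info["vlans"][m.group(1)] = {"blocking": blk, "listening": lis,
                                         "learning": lrn, "forwarding": fwd, "active": act}
    return info

def findings(info, expect_root):
    """Findings in reading order; pass expect_root=True for the core switch."""
    out = []
    if expect_root and not info["root_for"]:
        out.append("switch is not root for any VLAN")
    if not expect_root and info["root_for"]:
        out.append("non-core switch is root for " + ", ".join(info["root_for"]))
    for name, c in sorted(info["vlans"].items()):
        if c["blocking"]:
            out.append(f"{name}: {c['blocking']} port(s) blocking")
    return out
```

Run it against the CORE_SW output with `expect_root=True` and against each distribution or access switch with `expect_root=False`; a non-core switch showing up as root, or a VLAN with a non-zero Blocking count, is where to look next.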
