Rule to allow L2 multicast IEC61850 Goose on transparent mode FTD

s.limchareon
Level 1

I'm trying to set up a transparent mode FTD on the FMC to allow L2 multicast IEC 61850 GOOSE packets with a VLAN tag to pass between the inside and outside sub-interfaces.

1. I created a BVI to bind the inside and outside sub-interfaces, but it has no IP address. Not sure how it works, as IEC 61850 is an L2 packet with no IP overhead. However, IEC 61850 always tags a VLAN on its packets as a means to isolate their traffic from other VLANs' traffic.

2. There is no access rule for Ethernet (EtherType) packets in FMC like there is in ASA. The manual is telling me to use FlexConfig, but I can't find a proper example to set it up.

3. Is the BVI IP address really required? What is the mechanism of this address? I know that it's used for monitoring the BVI and for generating traffic from the BVI. But if I just need to pass any VLAN-tagged traffic between inside and outside, it doesn't seem to be necessary.

I can't make it work. Packet captures on the FMC can't be used on L2 packets. I have to use SSH and the capture command. It shows the L2 multicast arriving at the inside interface, but the FTD dropped it; it is not shown on the outside.

Does anyone have experience with L2 access rules and BVI on a transparent mode firewall?

2 Replies

Divya Jain
Cisco Employee

Hello,

To implement a transparent firewall, we have to configure a bridge group and add interfaces to the bridge group. Each bridge group is like one isolated switch. For each bridge group we have to configure a Bridge Virtual Interface (BVI). The firewall uses the BVI IP address as the source address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the bridge group member interfaces. You can create up to 250 bridge groups, with 4 interfaces per bridge group.

To troubleshoot, you will have to collect logs to check what is happening. Packet captures should show the L2 traffic; the logs will tell you what the issue with the packet is at device level.

For FlexConfig, refer to this guide.

And kindly include the message below at the bottom of your reply, to promote the ATXs sessions:

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,
Divya Jain

Hi,

I created a TAC ticket. It took them a month to get back to me with a guy that seemed to know about L2 transparent firewalls and FlexConfig. He quoted something from the instruction manual that is not related to EtherType access lists and assumed that the FTD cannot pass the L2 packets, and bla bla bla, the same thing you are explaining above, that we need an IP for the BVI interface. I told him to go back to his manager to verify, and he told me that his manager verified his statement that this feature is NOT supported in the FMC.

*** However, I did more research on FlexConfig and I know that the FMC can be set to pass EtherType packets without IP. ***

1. The BVI interface does NOT require an IP address in case there is no need to pass ARP, which is the IEC 61850 L2 network case, because it's layer 2 using MAC, no IP.

2. With FlexConfig in FMC, we can write a script to add an EtherType access list to the FTD.

3. I tried it and got it working perfectly.

Sira
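The FlexConfig object Sira describes, written out as an added example; this is not the configuration from the thread or from Cisco's documentation. It assumes the FMC logical interface names inside and outside from the original post. The ACL name IEC61850_L2 and the decision to also permit GSE management (EtherType 0x88B9) and Sampled Values (0x88BA) alongside GOOSE (0x88B8) are assumptions; if only GOOSE is needed, keep just the 88b8 line.

```text
! FlexConfig object body (Type: Append, Deployment: Everytime) - example, not from the thread
! EtherType ACL: transparent mode drops non-IP frames unless an EtherType ACL permits them.
! 88b8 = IEC 61850 GOOSE, 88b9 = GSE management, 88ba = Sampled Values (assumed set)
access-list IEC61850_L2 ethertype permit 88b8
access-list IEC61850_L2 ethertype permit 88b9
access-list IEC61850_L2 ethertype permit 88ba
! Bind to both bridge-group member sub-interfaces by their FMC logical names (assumed: inside, outside)
access-group IEC61850_L2 in interface inside
access-group IEC61850_L2 in interface outside

! Negate template for the same object, so an undeploy removes what was added
no access-group IEC61850_L2 in interface inside
no access-group IEC61850_L2 in interface outside
clear configure access-list IEC61850_L2
```

Assign the object to a FlexConfig policy targeted at the FTD and deploy; afterwards, `show running-config access-list` and `show access-list IEC61850_L2` on the FTD CLI confirm the lines landed and show hit counts as GOOSE frames pass, and `show asp drop` counters stop climbing for the frames that were previously discarded. Two practitioner caveats: permit only the EtherTypes the substation traffic actually uses rather than `ethertype permit any`, since an EtherType permit widens what the bridge group will forward; and the VLAN ID configured on each sub-interface must match the 802.1Q tag the IEC 61850 devices put on their frames, otherwise the frames never reach the bridge group for the ACL to evaluate. As Sira notes, the BVI needs no IP address when no ARP or IP traffic has to traverse the bridge, but the BVI itself must still exist with both sub-interfaces as members.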
