02-25-2017 08:07 AM
Hello!
Today I was struggling a bit about configuring Cisco FTD (on ASA5506X) with a bypass.
Background:
A customer has a Cisco 886VA router with a VLAN trunk to its main switch (Cisco 3750).
The VLAN trunk carries VLAN 1 (internal LAN) and VLAN 2 (guest network).
Now I would like to place a CIsco FTD in-between but having the possibility to bypass Cisco FTD in case of an update (yes, Cisco FTD will suspend all traffic during an update).
The router has currently a VLAN trunk to the switch on Fa0.
Fa1 is a VLAN trunk which goes to Cisco FTD and from Cisco FTD we have another VLAN trunk going to the switch.
I do not want to run a native link for each VLAN to FTD but using VLAN trunk.
So there is a need to create sub-interfaces and bridge them together on FTD.
This works only if the VLAN ID is different.
To circumvent that problem, I created two bridge-groups on the router.
BVI1 contains VLAN 1 and VLAN 11 (VLAN 11 is the internal LAN link to the FTD)
BVI2 contains VLAN 2 and VLAN 12 (VLAN 12 is the guest network LAN link to FTD)
Fa0 to the switch carries only VLAN 1 and 2, Fa1 to FTD carries VLAN 1 (mandatory), VLAN 11 and VLAN 12
My default (Fa0 shutdown), Traffic vom BVI1 (internal) shall go via VLAN 11 FTD and then via VLAN 1 to the switch.
The same is valid for BVI2 (guest), via VLAN 12 to FTD and then VLAN 2 to switch.
When I shut Fa1 on the router and "no shut" Fa0, traffic is bypassed and goes directly to switch.
My question/problem:
The bypass works fine.
The traffic via FTD works fine for guest (BVi2/VLAN12/FTD/VLAN2) but not for internal (BVI1/VLAN11/FTD/VLAN1).
On the switch I can see messages that the root port changed for VLAN 2 to G1/0/23 (correct) but never for VLAN 1. VLAN 1 root port sticks always to G1/0/1 (bypass port).
Is this something specific to VLAN 1 on the switch?
If anyone can help me to find a solution for that setup, I'd be very happy.
Alternative solutions are welcome.
Transparent FTD has to be used because EzVPN on the Router required the internal LANs IP address to be present on an interface (BVI1 in my case).
Best regards,
Bernhard
12-06-2017 09:46 AM
On the trunk going from 3750 to 5506-X change your native vlan tag statement to something else. By default vlan 1 is not tagged on a cisco switch. Sorry super late response, but I just saw this. I was working through similar situation in my lab and found your post.
12-06-2017 10:03 AM
“Disk Performance Manager” = “Disk Performance Management” and make sure if that list of links in the intro to the before you begin important update notes section is not updated automatically you add a cross-reference to the new section. Otherwise, LGTM.
Sarah Ehrig
MANAGER.ENGINEERING
saragill@cisco.com<mailto:saragill@cisco.com>
Tel: +1 410 423 1991
Cisco Systems, Inc.
8135 Maple Lawn Blvd.
FULTON
20759
United States
cisco.com
Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide