Transparent Mode Clustered Deployment with Multiple Bridge Groups and Dynamic Routing Protocols
Would you be so kind as to advise on the following. We are trying to deploy our FTDs as a cluster in transparent mode. The intention is to have TWO BVIs configured on them and to run dynamic routing protocols over these BVIs to establish EIGRP adjacency between the Layer 3 devices that sit on either end of the transparent FW. The diagram looks like this:
For the avoidance of doubt:
C9Ks are NOT in VSS - they are two separate logical entities, hence the complexity of routing layer
There's a reason we go for this deployment, so please don't question WHY. I know that SWV can simplify it.
C9K-1 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIx
C9K-2 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIy
Both N5Ks are stub routers and only advertise summaries and directly attached networks
Both N5Ks are neighbors via VLAN1801 and VLAN1802 (the corresponding BVIs), but also via VLAN1800 (P2P, not shown). Because SVI1801 and SVI1802 advertise summaries only (towards the C9Ks), we need a P2P interface on which both N5Ks advertise their directly attached (non-summarized) networks to each other, to avoid black-holing of traffic (the rare case of DATA SVIa being in a shut state on N5K-1 but not on N5K-2).
All good, with the exception that BVIy has to look WORSE from a routing perspective (that is, adjusted delay on the C9K and the N5Ks on the SVIs that are bridged via BVIy: SVI1802 and SVI1812, delay 100). These are two separate bridge groups. A packet that entered N5K-1 via BVIx has to leave via BVIx. Without tuning the metric to make one BVI effectively passive, it can be returned via BVIy, and the FTD will drop it because it expects it on BVIx.
So, the question is... how do we group multiple bridge groups into zones? For example, VLANs 1801 and 1802 are in different bridge groups but in the same zone (inside), while VLANs 1811 and 1812 are likewise in the same zone (outside).
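As an added illustration of the metric tuning the post describes (not configuration from the original poster), the fragment below shows the relevant N5K and C9K-2 interfaces: the SVIs bridged through BVIy (Vlan1802 on the N5Ks, Vlan1812 on C9K-2) carry `delay 100` so that EIGRP prefers the BVIx path in both directions, the N5K is an EIGRP stub advertising only connected and summary routes towards the C9Ks, and the P2P Vlan1800 carries the unsummarized routes between the two N5Ks. The EIGRP AS number (100), the IP addressing, the summary prefix, and the choice of NX-OS on the N5Ks and IOS-XE on the C9Ks are assumptions for the example.

```cisco
!=== N5K-1 (NX-OS; AS number, addresses and summary prefix are assumed for this example) ===
feature eigrp
!
interface Vlan1801
  description Bridged to C9K-1 via FTD BVIx (preferred path)
  ip address 10.18.1.1/24
  ip router eigrp 100
  ip summary-address eigrp 100 10.0.0.0/8     ! summaries only towards the C9Ks
!
interface Vlan1802
  description Bridged to C9K-2 via FTD BVIy (non-preferred path)
  ip address 10.18.2.1/24
  delay 100                                   ! tens of microseconds: worse metric than Vlan1801
  ip router eigrp 100
  ip summary-address eigrp 100 10.0.0.0/8
!
interface Vlan1800
  description P2P to N5K-2: directly attached routes, not summarized
  ip address 10.18.0.1/30
  ip router eigrp 100
!
router eigrp 100
  router-id 10.18.0.1
  stub connected summary                      ! advertise connected and summary routes only

!=== C9K-2 (IOS-XE) ===
interface Vlan1812
 description Bridged to N5Ks via FTD BVIy (same subnet as N5K Vlan1802)
 ip address 10.18.2.254 255.255.255.0
 delay 100                                    ! match the N5K side so BVIy loses in both directions
!
router eigrp 100
 network 10.18.2.0 0.0.0.255
```

Because EIGRP computes the composite metric from the delay of the inbound interface at each hop, the `delay 100` has to be applied on both ends of the BVIy bridge group (N5K Vlan1802 and C9K-2 Vlan1812); raising it on only one side would leave the return path symmetric with BVIx and the FTD would still see the asymmetric flow the post wants to avoid.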