Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
742
Views
0
Helpful
0
Replies

Transparent Mode Clustered Deployment with Multiple Bridge Groups and Dynamic Routing Protocols

Tymofii Dmytrenko
Level 1
Level 1

‎07-21-2019 05:54 AM - edited ‎02-21-2020 09:19 AM

Hi all

 

Would you be so kind to advise on the following. We are trying to deploy our FTDs in as a cluster in a transparent mode. The intention is to have TWO BVIs configured on them to run dynamic routing protocols over these BVI to establish EIGRP adjacency between Layer 3 devices that sit on eaither end of a transparent FW. The diagram looks like this

 

 

FTD-Layer2.png

For the avoidance of doubts

  • C9Ks are NOT in VSS - they are two separate logical entities, hence the complexity of routing layer
    • There's a reason we go for this deployment, so please don't question WHY. I know that SWV can simplify it.
  • C9K-1 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIx
  • C9K-2 establishes EIGRP adjacency with both N5K-1 and N5K-2 via BVIy
  • Both N5Ks are stub routers and only advertise summaries and directly attached networks
  • Both N5Ks are neighbors via VLAN1801 and VLAN1802 (corresponding BVIs), but also VLAN1800 (P2P, not shown). Bacause SVI1801 and SVI1802 advertise summaries only (towards C9Ks), we need a P2P interface where both N5Ks will advertise directly attached (non summarized) networks to each other to avoid black holing of the traffic (rare case of DATA SVIa to be in a shut state on N5K-1, but not on N5K-2)

All good, with exception that BVIy has to look WORSE from a routing perspective (that is, adjusted delay on C9K and N5Ks on SVIs that are bridged via BVIy - SVI1802 and SVI1812 delay 100). These are two separate bridge groups. Packet that entered N5K-1 via BVIx has to leave via BVIx. Without tuning the metric to make one BVI passive, it can be returned via BVIy and FTD will drop it as it expects it on BVIx

 

So, the question is... how to group multiple bridge groups into zones? Such as VLANs 1801 and 1802 are in different bridge groups, but in the same zone (inside), while VLANs 1811 and 1812 are in the same zone as well (outside)

 

Thanks

P.S. I hope my intentions are clear :)

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card