Hi,

rayon.man · ‎01-20-2017

Hi All,

I have a scenario that Two ISRs are connected to a Firewall Cluster. I want to connect the internet routers directly to the Firewall Cluster so that I can save two un-trusted network switches. Bridge Domain Interfaces (BDI) are enabled on each ISR so that Firewall A and B can communicate via service instance 100 and they can reach internet via BDI interface.

However, spanning loop happened when the second ISR is added on the network (shown in the diagram). My question is that any spanning tree protocol can be run on the ISR so that the redundant link can be blocked on the ISR? Thanks!

Here is my lab configuration on 1 of the ISR.

interface GigabitEthernet0/0/0
description To Untrusted interface of Firewall A
no ip address
negotiation auto
service instance 100 ethernet
encapsulation untagged
l2protocol peer stp
bridge-domain 100
!
interface GigabitEthernet0/0/1
description To Untrusted interface of Firewall B
no ip address
negotiation auto
service instance 100 ethernet
encapsulation untagged
l2protocol peer stp
bridge-domain 100
!

interface BDI100
description Untrusted Subnet
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
!

Leonardo Gama · ‎01-24-2017

Hi,

Are you deploying the firewalls in transparent mode?

What firewall are you using?

Cheers.

rayon.man · ‎02-15-2017

It is FortiGate firewall configured as Layer 3 firewall

9sobey · ‎07-03-2019

Hi,

Did you ever to get this resolved, I am having some issues with connecting SRX firewalls in a cluster to two ASR 1001 routers.

Thanks

Spanning Tree with Bridge Domain Interfaces (BDI) on ISR 4331 router