We're currently designing a testbed simulating an internal enterprise network and we use Cisco ASA as the firewalls. The topology looks like: https://imgur.com/p3t9Ov8. Every link is configured as an 802.1Q trunk with 3 VLAN IDs. The native VLAN (VLAN 1) is shut down on all devices. The version of the ASA software is 9.8(1).
Since the ASA firewalls do not support L2 switching, meaning that VLAN interfaces cannot span multiple physical ports, we used bridge groups and BVIs to bridge between SVIs. We noticed that there was a switching loop in the network caused by the ASA firewalls. The firewalls do not support STP and forward the packets to all the bridged interfaces.
After some research, we found two ways of solving the problem. One is setting all the firewall-facing interfaces to PortFast and enabling BPDU guard, which doesn't work for us because it requires the interfaces not to be in trunk mode. Though we could use several access links instead of the trunk link, the ASA firewalls do not have that many ports for us to use. The other solution, the one we used, is somewhat more expedient: we simply shut down the SVIs that may cause switching loops on the link between the two firewalls.
I wonder if there are some common solutions to this problem and what you guys think.
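For readers who want to see the expedient fix from the post as configuration, here is an added illustration (not the poster's configuration) of an ASA 9.8 routed-mode bridge group for one VLAN, with the member subinterface on the inter-firewall link shut down so the bridge group no longer offers a second path for flooded frames. Interface names, the VLAN ID (10), bridge-group number and the BVI address are assumed.

```text
! Assumed names and values; VLAN 10 is one of the three trunked VLANs.
interface GigabitEthernet0/0
 description trunk to core switch
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 bridge-group 10
 nameif core-v10
 security-level 100
!
interface GigabitEthernet0/1
 description trunk to the other ASA
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 bridge-group 10
 nameif fwlink-v10
 security-level 100
 ! Expedient fix from the post: with both members up, frames flooded out of
 ! bridge-group 10 reach the second ASA and loop back through the switches.
 ! Shutting down this member removes the redundant bridged path for VLAN 10.
 shutdown
!
interface BVI10
 nameif bvi10
 security-level 100
 ip address 10.0.10.1 255.255.255.0
```

Verify with `show bridge-group 10` that only the intended member interfaces remain up, and repeat for each VLAN whose bridge group spans both the switch-facing and firewall-facing trunks.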