6

I have stacked 2960X switches trunked to a single ASA 5515X in routed mode, and I've captured the drops with capture voip type asp-drop l2_acl after seeing the l2_acl counter incrementing in show asp drop.

Does the ASA support spanning-tree in routed mode? Should spanning-tree be disabled on the port-channel on the switch going to the firewall? Should I add bpdu rootguard to be safe? I either want the ASA to handle/ignore the BPDUs silently from the 2960X's or stop the switches from sending them, but add some loop protection.

ASA asp drop capture -- first three packets shown matching BPDU MAC:

   1: 23:54:32.662502 5ca4.8a10.5e31 0100.0ccc.cccd 0x8100 Length: 68
      802.1Q vlan#11 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
   2: 23:54:32.662715 5ca4.8a10.5e31 0100.0ccc.cccd 0x8100 Length: 68
      802.1Q vlan#120 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
   3: 23:54:33.665386 5ca4.8a10.5e31 0100.0ccc.cccd 0x8100 Length: 68
      802.1Q vlan#10 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
   4: 23:54:33.666087 5ca4.8a10.5e31 0100.0ccc.cccd 0x8100 Length: 68
      802.1Q vlan#910 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

Switchport relevant interface config:

interface GigabitEthernet1/0/49
 switchport access vlan 99
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10-99,120,910,911
 switchport mode trunk
 ip arp inspection trust
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 queue-set 2
 priority-queue out
 mls qos trust cos
 no lldp transmit
 no lldp receive
 channel-protocol lacp
 channel-group 10 mode active
 ip dhcp snooping trust
... [other phy int not shown] ...
interface Port-channel10
 description in.fw-kop-105-1
 switchport access vlan 99
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10-99,120,910,911
 switchport mode trunk
 ip arp inspection trust
 spanning-tree portfast trunk
 ip dhcp snooping trust

ASA relevant interface config:

interface GigabitEthernet0/2
 description g1-0-49.s-kop-105-1
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description g2-0-49.s-kop-105-2
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel10
 description gec10.s-kop-105-s1
 no nameif
 no security-level
 no ip address
!
interface Port-channel10.10
 vlan 10
 nameif Inside-am.data
 security-level 100
 ip address 10.x.1.1 255.255.255.0
... [remaining subint's not shown] ...

2 Answers

6

If you can be sure of your cabling then I would recommend implementing spanning-tree bpdufilter on the interface towards the firewall, since you have already configured the interface as an edge port. This does not provide any loop protection, but the ASA (non-5505, as indicated) is incapable of creating an L2 loop, and your stated goal is to remove BPDUs from the interface.

Configuring root-guard on the interface will not be useful since the ASA can never send any BPDU, and especially not a superior BPDU. If you do not choose to configure BPDU filtering, then BPDU guard should be configured either by default (spanning-tree portfast bpduguard default) or specifically on the interface. This will prevent any other spanning-tree capable device from being connected to that interface.

Further, if you do not have an untagged (native) interface on the firewall, allowing the native vlan on the trunk is not required and your allowed vlan list could be shortened to exclude 99. Also you could set the interface to not negotiate the access/trunking mode with switchport nonegotiate and remove the configured access vlan.

1
  • Bpdufilter answers the question most closely, though I'd probably avoid it because of the loop protection that is lost, unless bpduguard can be used in conjunction in case something else gets plugged into that interface and creates a loop. Commented Apr 21, 2015 at 9:09
6

Cisco ASA doesn't participate in spanning-tree, therefore it won't respond to or handle the BPDUs.

The exception to this is the Cisco ASA 5505, which I think allows STP to traverse the interfaces in the same VLAN, because the 5505 has L2 switch ports rather than "L3 routed ports".

If you want to protect against somebody plugging into your switch interface and obtaining the root bridge, why don't you simply enable STP BPDU guard on your interface?

If it receives a BPDU it will simply disable the interface. You could also protect yourself by applying EtherChannel guard, so if it doesn't detect that the other device is running an EtherChannel then it will also disable the interface.

This won't stop STP BPDUs being sent out of the interface, but then again why would you want to disable that? (What do you think all your hosts do when they receive a BPDU packet? They simply discard it.)

Hope the above gives you something to work on / look into

Luke

2
  • Hosts don't increment drop counters for this to my knowledge like the ASA, making it difficult to discern real issues from the noise. I'm definitely planning to add bpduguard, as we both agree on that. Commented Apr 16, 2015 at 16:36
  • Take what you need and discard the rest. A bit like what your firewall is doing :-). Glad I could help on something
    – Smithy2k3
    Commented Apr 16, 2015 at 21:47
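Putting both answers together, here is what the switch side looks like once the recommendations are applied to Port-channel10 toward the ASA. This is an added example, not configuration posted by the original poster or either answerer; the trimmed VLAN list (10-98 in place of 10-99), the errdisable recovery interval and the description are assumptions, and the global lines affect every other PortFast port on the stack, not only this bundle.

```cisco
! Added example (not config from the original poster or either answerer): the
! switch-side changes both answers recommend, applied to the stack's Po10 toward
! the ASA. VLAN list, description and timers are assumptions; adjust to fit.
!
! ---- Global: Catalyst 2960X stack ----
! Any BPDU arriving on a PortFast-operational port err-disables it, and the
! port recovers on its own after 5 minutes instead of needing a manual bounce.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
! Stop *sending* BPDUs on PortFast-operational ports (this is what clears the
! l2_acl drops on the ASA). The global form is deliberately chosen over
! "spanning-tree bpdufilter enable" on the interface: the global form still
! sends a few BPDUs at link-up and, if a BPDU is ever received, the port
! drops out of PortFast and the BPDU is still processed, so BPDU guard
! err-disables it. The interface form ignores received BPDUs and takes
! precedence over BPDU guard, which is exactly the loop-protection loss the
! comment on the first answer is worried about.
spanning-tree portfast bpdufilter default
! Catalyst default, made explicit: err-disable a bundle whose far end is not
! actually running EtherChannel (the "EtherChannel guard" in the second answer).
spanning-tree etherchannel guard misconfig
!
! ---- Port-channel toward the firewall ----
interface Port-channel10
 description in.fw-kop-105-1
 ! Trunk only, no DTP: the ASA never negotiates, so do not offer it.
 switchport mode trunk
 switchport nonegotiate
 no switchport access vlan
 ! The ASA has no untagged (native) subinterface, so VLAN 99 need not be
 ! carried; 10-98 is assumed to be the real tagged range minus the native VLAN.
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10-98,120,910,911
 ! Edge-port semantics on a trunk (plain "portfast" only applies to access
 ! ports), plus an explicit per-port BPDU guard so the behaviour does not
 ! depend on the global default surviving a later change.
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 ip arp inspection trust
 ip dhcp snooping trust
!
! ---- Verification ----
! On the switch:
!   show spanning-tree summary                      (global BPDU guard/filter state)
!   show spanning-tree interface port-channel 10 portfast
!   show interfaces port-channel 10 trunk           (allowed/active VLANs, no 99)
!   show errdisable recovery
! On the ASA, reset the counter and confirm it stays flat:
!   clear asp drop
!   show asp drop frame l2_acl
```

The spanning-tree and trunking settings live on the port-channel interface, not on the member ports Gi1/0/49 and Gi2/0/49; the bundle is what STP sees. After the change, `show asp drop frame l2_acl` on the ASA should stop incrementing, and any BPDU that does arrive at Po10 (something else patched into one of those ports) shows up as an err-disabled bundle and a `%SPANTREE-2-BLOCK_BPDUGUARD` style log line on the stack rather than as silent noise on the firewall.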
