In the old days of Cisco ASA transparent firewalls, there was an option to allow BPDU frames in access list. Therefore, bpdu frames were passing through the firewall even some rule later could overide it.

ASA ACL looked something like this.

access-list acl-bpdu ethertype permit bpdu
access-group acl-bpdu in interface inside


In the FTD there is no way to allow this using Access control policies. By default BPDUs are forwarded for advanced inspection, which is unnecessary for this type of packet,and which can cause problems if they are blocked due to an inspection restart or snort restart during deployment.

However you can exempt BPDUs from advanced inspection using FlexConfig policies and implement the same ASA config.

access-list acl-bpdu ethertype trust bpdu
access-group acl-bpdu in interface {interface}


You should apply this to every bvi member interface of transparent firewall. If you want to do it automatically, you can use flexconfig variables. Following FlexConfig objects applies the acl-bpdu on every interface starting with the “dc” in name.

access-list acl-bpdu ethertype trust bpdu
#foreach ( $interface in $SYS_FW_INTERFACE_NAME_LIST)
 #if ($interface.matches(“^dc.*”))
access-group acl-bpdu in interface $interface
 #end
#end