arp/cam behaviour Cat 6500

csco10387876 · ‎04-25-2007

Good moring,

I have ? strange question

I have 2 firewalls configured as a cluster in ? lab, both firewalls are connected to a different catalyst 6500.

the is a port channel between the catalyst.

normal situation :

FW1 -(a) Cat1 -(b) Cat2 -(c) Cat2

FW1 is cluster master

Cat 1 sees mac of Firewall cluster on link a

Cat 2 sees mac of firewall cluster on link b

-> all good ;-)

if we move the cluster master from Fw1 to Fw2 ->

we start loosing more and more connexion to the point where nothing is available.

what I have seen on the switch when we move the cluster master to Fw2

Cat 1 sees mac of Firewall cluster on link a

Cat 2 sees mac of firewall cluster on link c

-> Cat2 sees the change, cat1 doesn't and stays on the previous.

If I issue a clear mac-address-table dyn -> the switch learn the mac address on link b and all is then good.

What could It be ?

Any comment greatly appreciated.

mohammedmahmoud · ‎05-02-2007

Hi,

Check this document:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00807347ab.shtml

HTH, please rate if it does help,

Mohammed Mahmoud.

Danilo Dy · ‎05-02-2007

Hi,

If your firewall is cluster (not HA) that means there is a virtual IP address with multicast MAC Address.

You need to hardcode the multicast MAC address of the firewall virtua IP address to the switch.

Check the three docs from StoneSoft especially SGSB-TECNSwitches2.pdf and SGSB-TECNSwitches3.pdf, it applies to other vendor cluster firewall with multicast MAC address.

http://www.stonesoft.cn/s285.html

Dandy