This document describes how Content Addressable Memory (CAM) / MAC address tables are updated on switches and other Layer 2 devices during a transparent firewall failover.
ASA/FWSM Transparent firewall in failover configuration
Purpose of this Document
Transparent firewall is a feature available on both ASA and FWSM firewalls. A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire" or a "stealth firewall," and is not seen as a router hop by connected devices. This document explains how CAM tables are updated during a High Availability (HA) failover.
Transparent firewalls in failover and the switch CAM table
There may be a concern that CAM table entries are not updated with the correct port information during a transparent firewall failover.
A transparent firewall failover proceeds as follows:
1) The new Active firewall sends a Gratuitous ARP (GARP) for each of its Layer 3 interfaces.
2) The new Active firewall then sends a Layer 2 UplinkFast multicast packet for each entry in its MAC address table.
All Layer 2 devices, Cisco and non-Cisco, flood Layer 2 multicast packets, as required by the Ethernet multicast specification, so every switch in the segment sees these frames.
The UplinkFast packet is sent with a destination MAC of 01.00.0c.cd.cd.cd, and the source MAC is a MAC entry from the firewall's MAC address table (CAM table). Because a switch learns the source MAC of every frame on the port it arrives on, each of these frames moves that MAC's CAM entry to the port facing the new Active unit. You may already be familiar with UplinkFast on switches, which works in exactly the same way.
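The following is an added example (not from the original document or from Cisco) that models the two failover steps above against a minimal switch CAM table: hosts first learned behind the old Active unit on port Gi1 are relearned on Gi2 after the new Active unit sends its GARP and one UplinkFast-style frame per MAC entry. Host MACs, the firewall MAC/IP, port names and the frame payloads are constructed for the example; only the 01:00:0c:cd:cd:cd destination and the GARP behaviour come from the text.

```python
import struct

UPLINKFAST_DST = bytes.fromhex("01000ccdcdcd")  # destination MAC named in the text
BROADCAST = b"\xff" * 6
ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def eth(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Ethernet II / 802.3 header: dst, src, 2-byte EtherType or length, payload."""
    return dst + src + struct.pack("!H", type_or_len) + payload

def build_garp(sender_mac: bytes, sender_ip: bytes) -> bytes:
    """Gratuitous ARP request: sender and target IP are identical, sent to broadcast."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, sender_ip)
    return eth(BROADCAST, sender_mac, ETHERTYPE_ARP, arp)

def build_uplinkfast(src_mac: bytes) -> bytes:
    """UplinkFast-style dummy multicast. Only dst/src matter for CAM learning;
    the 802.3 length field and zero payload are a constructed placeholder."""
    return eth(UPLINKFAST_DST, src_mac, 46, b"\x00" * 46)

def classify(frame: bytes) -> str:
    """Label a frame the way a capture filter would: uplinkfast, garp, arp or other."""
    dst, etype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst == UPLINKFAST_DST:
        return "uplinkfast"
    if etype == ETHERTYPE_ARP and len(frame) >= 42:
        spa, tpa = frame[28:32], frame[38:42]  # ARP sender/target protocol address
        return "garp" if spa == tpa else "arp"
    return "other"

class Switch:
    """Minimal CAM model: learn source MAC on ingress port, flood multicast/unknown."""
    def __init__(self):
        self.cam = {}  # MAC bytes -> port name
    def receive(self, port: str, frame: bytes) -> str:
        dst, src = frame[:6], frame[6:12]
        self.cam[src] = port  # (re)learn: an existing entry moves to the new port
        if dst[0] & 1 or dst not in self.cam:  # multicast/broadcast or unknown unicast
            return "flood"
        return self.cam[dst]

def simulate_failover() -> dict:
    """Hosts behind the firewall were learned on Gi1 (old Active); the new Active
    unit on Gi2 performs the two steps from the text. Returns CAM as MAC string -> port."""
    sw = Switch()
    hosts = [bytes.fromhex(f"0011223344{i:02x}") for i in (1, 2, 3)]  # constructed
    fw_mac, fw_ip = bytes.fromhex("00aabbccdd01"), bytes([10, 0, 0, 1])  # constructed
    for h in hosts:  # pre-failover traffic from the hosts arrived via the old Active unit
        sw.receive("Gi1", eth(BROADCAST, h, ETHERTYPE_IP, b"\x00" * 46))
    sw.receive("Gi1", build_garp(fw_mac, fw_ip))
    sw.receive("Gi2", build_garp(fw_mac, fw_ip))  # step 1 on the new Active unit
    for h in hosts:  # step 2: one UplinkFast frame per entry in the firewall's MAC table
        sw.receive("Gi2", build_uplinkfast(h))
    return {mac_str(m): p for m, p in sw.cam.items()}
```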
To view the MAC address table of a transparent firewall, use the 'show mac-address-table' command:
Below is a packet capture taken from an ASA, showing the actual GARP and UplinkFast packets sent by a transparent ASA once it becomes Active.