Cisco Support Community

How CAM tables are updated during a Transparent Firewall failover

Introduction

 

This document describes how Content Addressable Memory (CAM) / MAC address tables on switches and other Layer 2 devices are updated during a transparent firewall failover.


Prerequisites

 

ASA/FWSM Transparent firewall in failover configuration

 

Purpose of this Document

 

Transparent firewall is a feature available on both ASA and FWSM firewalls. A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop by connected devices. Because it forwards by MAC address rather than by IP, the switches around it learn the MAC addresses of hosts on the far side through the firewall's port, and those CAM entries must move when the Active unit changes. This document explains how those CAM tables are updated during a High Availability (HA) failover.

 

Components Used

 

Transparent firewalls in failover
Switches

 

There may be a concern that, during a transparent firewall failover, the CAM table entries on the surrounding switches are not updated with the correct port information: every MAC address that was learned through the old Active unit's port must be re-learned on the port of the new Active unit, or traffic to those hosts keeps being forwarded towards the failed unit until the stale entries age out.

The process on a transparent firewall failover is as follows:

1) The new Active firewall sends a Gratuitous ARP (GARP) for its Layer 3 interfaces (the bridge group's IP address). The GARP is broadcast with the firewall's interface MAC address as the source, so every switch in the VLAN re-learns that MAC on the new Active unit's port, and neighbouring hosts refresh their ARP caches.

2) The new Active firewall then sends a Layer 2 UplinkFast multicast packet for each entry in its MAC address table.

All Layer 2 Cisco and non-Cisco devices flood Layer 2 multicast frames out every port in the VLAN except the one they arrived on, which is the standard IEEE 802.1D bridging behaviour for group (multicast) addresses.

The point of the UplinkFast frames is not their payload but their source address. Each frame is sent with a destination MAC of 01:00:0c:cd:cd:cd and a source MAC taken from one entry in the firewall's MAC address table (CAM table). Every switch that floods the frame also learns that source MAC on the port facing the new Active unit and, in doing so, overwrites the stale entry that pointed at the old Active unit. Because 01:00:0c:cd:cd:cd is not an IP multicast address (it is outside the 01:00:5e range), IGMP snooping does not restrict where the switches flood it. You may already be familiar with UplinkFast on Catalyst switches, which works in exactly the same way: a switch whose root port changes sends dummy multicast frames sourced from the addresses in its CAM table so that upstream switches relearn them on the new port.
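The following is an added example, not code or a capture from the original article or from Cisco. It is a toy model of the mechanism described above: it builds the two kinds of frame the new Active unit sends (a gratuitous ARP for the bridge's IP interface and one 01:00:0c:cd:cd:cd multicast frame per learned MAC) and feeds them through a minimal learning switch so you can watch the CAM entries move from the old Active unit's port to the new one. The port names, MAC and IP addresses are constructed for the example, and the payload after the Ethernet header of the multicast frame is a zero placeholder rather than the real UplinkFast encoding; only the Ethernet header matters for CAM learning.

```python
"""Toy model of CAM re-learning on an outside-side switch during a
transparent firewall failover. Added example with constructed addresses;
frame payloads are placeholders, not real ASA/UplinkFast encodings."""
import socket
import struct

UPLINKFAST_DST = "01:00:0c:cd:cd:cd"  # Cisco UplinkFast multicast destination
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
MIN_FRAME = 60                        # minimum Ethernet frame size without FCS


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_garp(if_mac: str, if_ip: str) -> bytes:
    """Gratuitous ARP request: sender IP == target IP, broadcast destination.
    The source MAC in the Ethernet header is what the switches learn."""
    ip = socket.inet_aton(if_ip)
    eth = mac_to_bytes(BROADCAST) + mac_to_bytes(if_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, op=1 (request)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + mac_to_bytes(if_mac) + ip
           + b"\x00" * 6 + ip)
    return (eth + arp).ljust(MIN_FRAME, b"\x00")


def build_uplinkfast_frame(learned_mac: str) -> bytes:
    """Dummy multicast frame: dst 01:00:0c:cd:cd:cd, src = one entry from the
    firewall's MAC table. Payload is a placeholder (assumption, see lead-in)."""
    payload = b"\x00" * 46
    eth = mac_to_bytes(UPLINKFAST_DST) + mac_to_bytes(learned_mac) + struct.pack("!H", len(payload))
    return eth + payload


class Switch:
    """Minimal learning bridge. CAM maps MAC -> port. Group (multicast/broadcast)
    and unknown-unicast destinations are flooded to all ports except ingress."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}

    def receive(self, in_port: str, frame: bytes):
        dst, src = bytes_to_mac(frame[0:6]), bytes_to_mac(frame[6:12])
        self.cam[src] = in_port            # source learning: this is what moves the entry
        is_group = frame[0] & 0x01         # I/G bit of the destination address
        if is_group or dst not in self.cam:
            return [p for p in self.ports if p != in_port]
        return [self.cam[dst]]


def failover_announcements(if_mac: str, if_ip: str, inside_macs):
    """Frames the new Active unit sends out its outside interface after failover:
    one GARP for the bridge IP, then one UplinkFast frame per learned inside MAC
    (assumption: entries learned on inside are announced on outside, like a bridge)."""
    return [build_garp(if_mac, if_ip)] + [build_uplinkfast_frame(m) for m in inside_macs]


def simulate_failover():
    # Constructed topology: Gi1/1 = old Active ASA outside port, Gi1/2 = new Active
    # ASA outside port, Gi1/3 = outside router. All addresses are made up.
    sw = Switch(["Gi1/1", "Gi1/2", "Gi1/3"])
    inside_hosts = ["00:50:56:aa:00:01", "00:50:56:aa:00:02"]
    asa_mac, asa_ip = "00:1b:d5:00:00:01", "192.0.2.10"
    # Steady state before failover: everything behind the firewall was learned on Gi1/1.
    for m in inside_hosts + [asa_mac]:
        sw.cam[m] = "Gi1/1"
    sw.cam["00:00:0c:07:ac:01"] = "Gi1/3"  # outside router, must not be disturbed
    flooded_to = []
    for frame in failover_announcements(asa_mac, asa_ip, inside_hosts):
        flooded_to.append(sw.receive("Gi1/2", frame))
    return sw.cam, flooded_to


if __name__ == "__main__":
    cam, floods = simulate_failover()
    for mac, port in sorted(cam.items()):
        print(f"{mac} -> {port}")
    print("each announcement flooded to:", floods[0])
```

After the three announcements the two inside host MACs and the firewall's interface MAC all point at Gi1/2, while the router entry on Gi1/3 is untouched, and every frame was flooded to every port except the ingress one. The model also shows the failure mode behind the concern above: a host MAC that is missing from the new Active unit's table is never announced, so the switch keeps forwarding it towards the old unit until the entry ages out or the host itself transmits.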

 

Verify

 

To view the MAC address table of a transparent firewall, use the 'show mac-address-table' command. On the connected Catalyst switch, 'show mac address-table' (or 'show mac-address-table' on older IOS releases) shows which port each entry currently points to, so comparing the two before and after a failover confirms that the entries have moved to the new Active unit's port.

 

[Image: putty.jpg, terminal screenshot of 'show mac-address-table' output on the transparent firewall]


Below is a packet capture taken on an ASA, showing the actual GARP and UplinkFast packets sent by a transparent ASA once it becomes Active.

 

[Image: Tfire.jpg, packet capture showing the GARP followed by the UplinkFast frames to 01:00:0c:cd:cd:cd]