1-15
Cisco ASA Series CLI Configuration Guide
Chapter 1 Information About Failover
Transparent Firewall Mode Requirements
If the entire switch fails, as well as the ASASM (such as in a power failure), then both the switch and
the ASASM fail over to their secondary units (Figure 1-11).
Figure 1-11 Switch Failure
Transparent Firewall Mode Requirements
When the active unit fails over to the standby unit, the connected switch port running Spanning Tree
Protocol (STP) can go into a blocking state for 30 to 50 seconds when it senses the topology change. To
avoid traffic loss while the port is in a blocking state, you can configure one of the following
workarounds depending on the switch port mode:
• Access mode—Enable the STP PortFast feature on the switch:
interface interface_id
spanning-tree portfast
The PortFast feature immediately transitions the port into STP forwarding mode upon linkup. The
port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions
into STP blocking mode.
• Trunk mode—Block BPDUs on the ASA on both the inside and outside interfaces:
access-list id ethertype deny bpdu
access-group id in interface inside_name
access-group id in interface outside_name
Failed
ASA SM
VLAN 200
VLAN 100
VLAN 201
Mktg
Inside
Eng
Active
ASA SM
Internet
VLAN 202
VLAN 203
Trunk
255222
To Next Page
Loading...
Need help?
General