15-9
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 15 Using Failover
Understanding Failover
• Trunk failure—If the trunk between the switches fails, all communication between the FWSMs
terminates, which results in both FWSMs becoming active. Spanning Tree prevents any loops,
however, and traffic is handled successfully by one or both FWSMs until you resolve the trunk issue
(Figure 15-6).
Figure 15-6 Trunk Failure
Transparent Firewall Requirements
To avoid loops when you use failover in transparent mode, you must use switch software that supports
BPDU forwarding, and you must configure the FWSM to allow BPDUs. See the “Chassis System
Requirements” section on page 1-2 for switch software versions that allow BPDUs automatically.
To allow BPDUs through the FWSM, configure an EtherType ACL and apply it to both interfaces
according to the “Adding an EtherType Access Control List” section on page 10-16.
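One way to check a saved configuration against this requirement, as an added example that is not part of the Cisco guide: the script reads the access-list ... ethertype and access-group ... in interface lines and reports each interface that has no inbound EtherType ACL permitting BPDUs. The sample configurations, the ACL names, and the interface names inside and outside are constructed for illustration; only explicit bpdu entries are evaluated, which is an assumption of this sketch.

```python
import re

# Constructed sample configurations (not from the guide); all names are hypothetical.
GOOD = """\
firewall transparent
access-list ETHER ethertype permit bpdu
access-group ETHER in interface inside
access-group ETHER in interface outside
"""
PARTIAL = """\
firewall transparent
access-list ETHER ethertype permit bpdu
access-list IPONLY extended permit ip any any
access-group ETHER in interface inside
access-group IPONLY in interface outside
"""
DENY_FIRST = """\
access-list ETHER ethertype deny bpdu
access-list ETHER ethertype permit bpdu
access-group ETHER in interface inside
access-group ETHER in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+ethertype\s+(permit|deny)\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)

def bpdu_gaps(config, interfaces=("inside", "outside")):
    """Return the interfaces that lack an inbound EtherType ACL permitting BPDUs."""
    permits = {}   # ACL name -> True if its first bpdu entry is a permit
    applied = {}   # interface name -> set of ACL names applied inbound
    for raw in config.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        if acl:
            name, action, etype = acl.group(1), acl.group(2).lower(), acl.group(3).lower()
            # ACL entries are first-match, so only the first bpdu entry decides.
            if etype == "bpdu" and name not in permits:
                permits[name] = (action == "permit")
            continue
        grp = GROUP_RE.match(line)
        if grp:
            applied.setdefault(grp.group(2), set()).add(grp.group(1))
    return [ifc for ifc in interfaces
            if not any(permits.get(a, False) for a in applied.get(ifc, ()))]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("partial", PARTIAL), ("deny-first", DENY_FIRST)):
        print(label, "-> interfaces missing a BPDU permit:", bpdu_gaps(cfg))
```

An empty result means both interfaces pass; any interface listed still needs the EtherType ACL applied before failover is used in transparent mode.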
Loops can occur if both modules are active at the same time, such as when both modules are discovering
each other’s presence, or due to a bad failover link as described in the “Basic Failover Questions” section
on page 15-25. Because the FWSMs bridge packets between the same two VLANs, loops can occur
[Figure 15-6 diagram labels: Internet; Active Switch and Active FWSM (each shown twice); VLAN 100, VLAN 200, VLAN 201, VLAN 202, VLAN 203; Inside, Mktg, Eng; No Trunk; No Failover Links]