Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1036
Views
10
Helpful
3
Replies

Active/Standby Pair - How does traffic flow

Go to solution
GRANT3779
Spotlight
Spotlight

‎11-11-2015 09:24 AM - edited ‎03-11-2019 11:52 PM

Hi All,

If we have an active/standby in transparent mode setup similar to the attached diagram (the 2 FW have a direct cable also for the heartbeat). When one of the FW is active - does spanning tree block a port so that traffic only goes through one FW for example?

I have a setup similar to the attached, bridging VLANs through the FW. 

If I have traffic coming in from a PC on the LAN, it will hit its DG/SVI on the Core device and depending on the routing table the Core Device will ARP for the WAN1 or WAN2 MAC - Is one of the FW ports LAN side in some sort of blocking state so that the ARP Request/Reply only goes through the active one? trying to understand how the traffic knows to only go through the active FW when in transparent mode. From what I can see, no ports are being blocked.

Thanks

Labels:
Preview file
35 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎11-11-2015 11:18 AM

My understanding has always been that the standby firewall simply doesn't pass traffic so you can't a get a loop.

In your case when the core device sends an arp for the WAN IP (whichever it is) the broadcast will only be passed by the active firewall so all the mac addresses will only be seen on that link.

So as far as I know STP does not need to block any ports.

But you should use STP just in case both firewalls become active.

Jon

View solution in original post

3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎11-11-2015 11:18 AM

My understanding has always been that the standby firewall simply doesn't pass traffic so you can't a get a loop.

In your case when the core device sends an arp for the WAN IP (whichever it is) the broadcast will only be passed by the active firewall so all the mac addresses will only be seen on that link.

So as far as I know STP does not need to block any ports.

But you should use STP just in case both firewalls become active.

Jon

Go to solution
GRANT3779
Spotlight
Spotlight
In response to Jon Marshall

‎11-12-2015 01:10 AM

Hi Jon,

Thanks for the info, so would it be safe to say that in the case above - when the Core sends ARP for the WAN it would go out to both FW but only the active would process it (and same for traffic going in opposite direction - from WAN to Core)

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to GRANT3779

‎11-13-2015 04:41 AM

If you have no blocking ports on the switches then yes I believe that is exactly what happens.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card