Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
0
Helpful
4
Replies

Cisco Nexus mac-table for Active/Standby Firewalls

kashif.rana
Level 1
Level 1

‎10-14-2018 11:51 AM - edited ‎03-08-2019 04:23 PM

Hello Experts

I have core firewalls (two units) active/standby in transparent mode. Both firewalls are connected to two core Nexus 7k (in vpc) one-leg (off-path) in such as way that:

 

There is one port-channel say Po1 on Nexus with active firewall and other port-channel Po2 with standby firewall. My question is both port-channels are up and Nexus has mac-table for servers towards Po1. If I do the manual fail over to standby firewall then what will happen to mac-table for servers in Nexus? I mean mac-table entries will still be pointed towards Po1 (until server will initiate the traffic and switch will move mac-address towards Po2)?

 

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎10-14-2018 11:55 AM

Can you post your network topology ? how each ASA connected to uplinks.

 

each ASA dual homed or single homed ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

kashif.rana
Level 1
Level 1
In response to balaji.bandi

‎10-14-2018 12:08 PM

@balaji.bandi its not cisco ASA firewalls. It is PA firewalls. Both port channels are always up but passive firewall never respond.

Preview file
34 KB
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to kashif.rana

‎10-14-2018 12:26 PM

As per the topology looks ok. we need to look deep config side

Both nexus and palo side, i know its HLD diagram, you have HA links between Palo Alto right ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

kashif.rana
Level 1
Level 1
In response to balaji.bandi

‎10-14-2018 12:34 PM

Yes. HA links are there. Nexus will learn the mac-addresses of servers from Po1 with primary firewall. Once I do the manual failover (using command not reboot or shutdown the firewall) then Po1 still up and I am expecting that Nexus mac-table will still have entry for server mac-address towards Po1 not towards Po2 (new active firewall) and it will send the users to server traffic towards Po1 and got discarded by newly standby firewall. Untill and unless mac-table entry expires after 5 minutes or server initiate traffic that will update the mac-table of nexus towards Po2.

 

If I reboot the primary or shutdown the primary firewall for failover then definitely Po1 will be down and all mac-table flush for Po1 and that should be ok.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card