Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5269
Views
23
Helpful
15
Replies

Firewall Failover and ARP

visitor68
Level 5
Level 5

‎03-25-2009 12:48 PM - edited ‎03-06-2019 04:48 AM

Hello All:

I'll try to be succinct.

A router's fastethernet interface and two firewalls' outside interfaces all sit on the same subnet - R1, FW1 and FW2.

Interconnecting them are 2 L2 switches with a trunk between them - SW1 and SW2.

So, R1 connects to SW1.

FW1 also connects to switch 1.

Sw1 has a trunk to SW2.

FW2 connects to SW2.

Imagine R1 has a static route to network 1.1.1.0 with a next hop that points to the firewall failover IP.

This means that Sw1's MAC address table will have an entry for the FW failover MAC in its table.

I don't know if SW2 will have a MAC address entry for the failover IP, too, but thats not the real question I have.

Anyway, what happens when FW1 fails and fails over to FW2?

SW1 has an entry for the failover MAC thats bound to the interface to which FW1 is connected, because FW1 was the active FW and responded to the ARP request put out by R1. Now that FW2 is the active FW, does it send out a gratuitous ARP to inform the switch fabric that the failover MAC can now be found on another switch and switchport?

If not, does R1 have to wait for an ARP timeout before it sends out another ARP request to get a response from FW2?

I hope I am being clear.

Thank you

Labels:
0 Helpful
15 Replies 15

visitor68
Level 5
Level 5
In response to Giuseppe Larosa

‎03-26-2009 07:26 AM

Mr Giuseppe:

Im sorry I havent gotten back to you, but Jon and I are in deep thought. :-)

Thank you for your input and help.

0 Helpful
Customers Also Viewed These Support Documents