Cisco 7604 Configuration Manual page 263

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 14
Configuring Failover
Active/Standby Failover Overview
Active/Standby failover lets you use a standby FWSM to take over the functionality of a failed unit.
When the active unit fails, it changes to the standby state while the standby unit changes to the active
state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the
management IP address) and the MAC address of the failed unit and begins passing traffic. The unit that
is now in standby state takes over the standby IP addresses and MAC address. Because network devices
see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the
network.
Note: For multiple context mode, FWSM can fail over the entire unit (including all contexts) but cannot
fail over individual contexts separately.
Primary/Secondary Status and Active/Standby Status
The main difference between the two units in a failover pair is related to which unit is active and which
unit is standby, namely which IP addresses are used and which unit actively passes traffic. However, a
few differences also exist between the units based on which unit is primary (as specified in the
configuration) and which unit is secondary.
• The primary unit always becomes the active unit if both units start up at the same time (and are of
  equal operational health).
• The primary unit MAC address is always coupled with the active IP addresses.
• By default, the MAC address used for the active FWSM comes from the Burned-in MAC address of
  the primary FWSM.
• Under certain circumstances, MAC addresses used for the active FWSMs are changed, such as in
  the following cases:
  – Case 1—The primary FWSM in a failover pair is replaced with a new FWSM.
  – Case 2—The secondary FWSM boots and becomes active because it did not detect the primary
    FWSM.
In Case 1 above, if the primary FWSM is replaced, then as soon as it becomes part of the failover set,
the secondary/active FWSM changes the MAC addresses to those of the new primary FWSM.
In Case 2 above, if the secondary FWSM boots without knowing the Burned-in MAC address of the
primary FWSM, then it uses its own Burned-in MAC address until it hears from the primary, at which
time it swaps the MAC addresses.
Any time the secondary/active FWSM applies new MAC addresses, it sends out gratuitous ARPs for the
interface IP addresses but not for the other IP addresses that it owns. These other IP addresses consist of
global IP addresses in static and global statements. Therefore, if the Burned-in MAC address of the
secondary/active FWSM changes, you must clear the ARP table on the devices that are Layer 2 adjacent to
the FWSM. Otherwise, the ARP entries for the global IP addresses on those devices will be old and
invalid.
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations
are always synchronized from the active unit to the standby unit. When the standby unit completes its
initial startup, it clears its running configuration (except for the failover commands needed to
communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
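The stale ARP condition described under Primary/Secondary Status (global IP addresses that receive no gratuitous ARP after the active MAC address changes) can be checked on a Layer 2 adjacent device before and after its ARP table is cleared. The following is an added example, not part of the Cisco guide: it parses "show ip arp" output and lists FWSM-owned addresses that still map to a MAC address other than the one the active unit now uses. The sample output, IP addresses, MAC addresses and function names are constructed assumptions.

```python
import re

# Constructed sample: "show ip arp" output from a Layer 2 adjacent IOS device,
# captured after the secondary/active FWSM applied new MAC addresses.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               0   0011.2233.aaaa  ARPA   Vlan100
Internet  192.0.2.10             42   0011.2233.bbbb  ARPA   Vlan100
Internet  192.0.2.11             42   0011.2233.bbbb  ARPA   Vlan100
Internet  192.0.2.50              3   0050.56ab.cdef  ARPA   Vlan100
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+\S+(?:\s+(?P<intf>\S+))?"
)

def parse_arp(text):
    """Yield (ip, mac, interface) for each complete IPv4 ARP entry."""
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:  # the header line and "Incomplete" entries do not match
            yield m["ip"], m["mac"].lower(), m["intf"]

def stale_entries(arp_text, fwsm_ips, active_mac):
    """Return ARP entries for FWSM-owned IPs that do not map to active_mac."""
    active_mac = active_mac.lower()
    return [
        (ip, mac, intf)
        for ip, mac, intf in parse_arp(arp_text)
        if ip in fwsm_ips and mac != active_mac
    ]

if __name__ == "__main__":
    # Assumed values: .1 is an interface IP (refreshed by gratuitous ARP);
    # .10 and .11 are global IPs from static/global statements (not refreshed).
    owned = {"192.0.2.1", "192.0.2.10", "192.0.2.11"}
    for ip, mac, intf in stale_entries(SAMPLE_ARP, owned, "0011.2233.AAAA"):
        print(f"stale: {ip} -> {mac} on {intf}; clear this ARP entry")
```

An empty result after the adjacent device's ARP table has been cleared and repopulated indicates that every FWSM-owned address resolves to the current active MAC address.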
Understanding Failover