Configuring The Switch For Failover; Assigning Vlans To The Secondary Firewall Services Module; Adding A Trunk Between A Primary Switch And Secondary Switch; Ensuring Compatibility With Transparent Firewall Mode - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 2
Configuring the Switch for the Firewall Services Module

Configuring the Switch for Failover

To configure the switch for failover, see the following topics:

- Assigning VLANs to the Secondary Firewall Services Module
- Adding a Trunk Between a Primary Switch and Secondary Switch
- Ensuring Compatibility with Transparent Firewall Mode
- Enabling Autostate Messaging for Rapid Link Failure Detection

Assigning VLANs to the Secondary Firewall Services Module

Because both units require the same access to the inside and outside networks, you must assign the same VLANs to both FWSMs on the switch(es). See the "Assigning VLANs to the Firewall Services Module" section on page 2-2.

Adding a Trunk Between a Primary Switch and Secondary Switch

If you are using inter-switch failover (see the "Intra- and Inter-Chassis Module Placement" section on page 14-3), then you should configure an 802.1Q VLAN trunk between the two switches to carry the failover and state links. The trunk should have QoS enabled so that failover VLAN packets, which have the CoS value of 5 (higher priority), are treated with higher priority in these ports.

To configure the EtherChannel and trunk, see the documentation for your switch.

Ensuring Compatibility with Transparent Firewall Mode

To avoid loops when you use failover in transparent mode, use switch software that supports BPDU forwarding. See the "Switch Hardware and Software Compatibility" section on page A-1 for more information about switch support for transparent firewall mode.

Do not enable LoopGuard globally on the switch if the FWSM is in transparent mode. LoopGuard is automatically applied to the internal EtherChannel between the switch and the FWSM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state.

Enabling Autostate Messaging for Rapid Link Failure Detection

Using Cisco IOS software Release 12.2(18)SXF5 and higher, the supervisor engine can send autostate messages to the FWSM about the status of physical interfaces associated with FWSM VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the FWSM that the VLAN is down. This information lets the FWSM declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure.

Autostate messaging provides a dramatic improvement in the time the FWSM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).

The switch supervisor sends an autostate message to the FWSM when:

- The last interface belonging to a VLAN goes down.
- The first interface belonging to a VLAN comes up.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
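The two failover prerequisites above (identical VLAN assignment on both FWSMs, and no global LoopGuard in transparent mode) can be checked offline against saved switch configurations. The following is an added example, not part of the Cisco guide; it assumes the running-config uses the IOS commands `firewall vlan-group`, `firewall module ... vlan-group` and `spanning-tree loopguard default`, and the slot numbers and VLAN IDs in the sample configs are constructed.

```python
import re

def expand(ranges):
    """Expand an IOS list such as '55-57,60' into a set of ints."""
    out = set()
    for part in ranges.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def fwsm_vlans(config):
    """Map each FWSM slot to its VLANs (IOS command syntax assumed, not from this page)."""
    groups, modules = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"firewall vlan-group (\d+) (\S+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.fullmatch(r"firewall module (\d+) vlan-group (\S+)", line):
            modules.setdefault(int(m[1]), set()).update(expand(m[2]))
    return {slot: set().union(*(groups.get(g, set()) for g in gs))
            for slot, gs in modules.items()}

def audit(pri_cfg, pri_slot, sec_cfg, sec_slot, transparent):
    """Return findings for the failover prerequisites in this section."""
    findings = []
    pri = fwsm_vlans(pri_cfg).get(pri_slot, set())
    sec = fwsm_vlans(sec_cfg).get(sec_slot, set())
    if pri != sec:  # both units must be assigned the same VLANs
        findings.append(f"VLAN mismatch: {sorted(pri ^ sec)}")
    if transparent:  # global LoopGuard err-disables the FWSM EtherChannel
        for name, cfg in (("primary", pri_cfg), ("secondary", sec_cfg)):
            if re.search(r"^\s*spanning-tree loopguard default\s*$", cfg, re.M):
                findings.append(f"global LoopGuard enabled on {name} switch")
    return findings

# Constructed sample configs (not from the guide): an inter-switch failover pair.
PRIMARY = """
firewall vlan-group 50 55-57
firewall vlan-group 51 70,71
firewall module 5 vlan-group 50,51
"""
SECONDARY = """
spanning-tree loopguard default
firewall vlan-group 50 55-57
firewall vlan-group 51 70
firewall module 8 vlan-group 50,51
"""
if __name__ == "__main__":
    print("\n".join(audit(PRIMARY, 5, SECONDARY, 8, transparent=True)))
```

For intra-chassis failover, pass the same configuration text for both units with their respective slot numbers.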
