L2 redundancy configuration and validation for the End points connected to leaf switches

Thiyagarajan K · ‎12-15-2016

Hi Team,

I'm working to fix the L2 redundancy issue to the end points connected to the leaf switch. End points are connected to both leaf 1 and leaf 2 switches and we have a layer 3 interface configured on the upstream Firewall for all the Layer 2 VLANs on ACI.

The issue scenario is when the firewall failed over from the Active to standby firewall then we are unable to access the endpoints connected to the leaf switches.

The end points are having connectivity to both the leaf switches using virtual port-channel.

Could you please guide me to troubleshoot this issue and is there any standard design to follow to have the complete redundancy to end points when the upstream devices connected to leaf switches fails?

Any of your help would be appreciable.

Regards,

Thiyagu

jiyonmathew · ‎12-15-2016

Do you have arp flooding and garp based detection enabled? Below document has the configurations required for this type of scenarios covered

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

dpita · ‎12-15-2016

Hello

Thanks for using SupportForums

This issue you are running into is better suited for a TAC case. Please considering opening one for faster resolution

To answer your question, since ACI is purely L2 here, i suggest you try to confirm the standby firewall ports have the appropriate VLANs for the L3 gateways. To do so, on the leaf issue the following commands:

show vlan ex

show int eX/X switchport

Also, i would like to confirm if ACI is learning the MAC addresses of the Standby Firewall SVIs

show endpoint interface (firewall ports)

hope that helps! Keep in mind, since ACI is L2, the commands might be a little different but troubleshooting does not change! an L2 network is an L2 network.