Solved: Re: Firepower cluster dc-dr

ashleybabajee · ‎04-07-2022

Hi Guys,

I have a firepower cluster, 2 on DC and 2 on DR connected through a nexus switch ( dark fiber) , i am getting mac flapping on the nexus , the Site ID on the chassis is both different.

Can anyone advise please

Marvin Rhoads · ‎04-18-2022

That's odd. I'd suggest opening a TAC case so that the engineer can work with you in real time to trace the root cause.

View solution in original post

Marvin Rhoads · ‎04-07-2022

Can you share a diagram of your setup?

Are the Nexus' in a VPC configuration?

ashleybabajee · ‎04-07-2022

Hi @Marvin Rhoads

Yes they are in a vpc configuration

ashleybabajee · ‎04-13-2022

Hi @Marvin Rhoads , any idea ?, i have already uploaded the diagram, grateful to advise.

Marvin Rhoads · ‎04-13-2022

Are all four firewalls in a single cluster?

Are there vPCs between the Nexus switches?

ashleybabajee · ‎04-13-2022

Hi @Marvin Rhoads ,

Yes, all the firewall are in the same cluster, and yes there's vPV between the Nexus.

Marvin Rhoads · ‎04-17-2022

If I understand it correctly you are using what Cisco calls "Split Spanned Etherchannel Cluster". They mention in Cisco Live presentation BRKSEC-3032 that filtering is required is such a use case to avoid MAC/IP conflicts.

ashleybabajee · ‎04-18-2022

I have applied mac acl on the HO nexus , but still same issue , there's a port-channel/vPC between the HO and DR Nexus, when one link is up it works fine, however when both links are up, we get the mac flap issues.

Marvin Rhoads · ‎04-18-2022

That's odd. I'd suggest opening a TAC case so that the engineer can work with you in real time to trace the root cause.