Solved: Firepower cluster dc-dr

ashleybabajee · ‎04-07-2022

Hi Guys,

I have a firepower cluster, 2 on DC and 2 on DR connected through a nexus switch ( dark fiber) , i am getting mac flapping on the nexus , the Site ID on the chassis is both different.

Can anyone advise please

Marvin Rhoads · ‎04-18-2022

That's odd. I'd suggest opening a TAC case so that the engineer can work with you in real time to trace the root cause.

View solution in original post

Marvin Rhoads · ‎04-07-2022

Can you share a diagram of your setup?

Are the Nexus' in a VPC configuration?

ashleybabajee · ‎04-07-2022

Hi @Marvin Rhoads

Yes they are in a vpc configuration

ashleybabajee · ‎04-13-2022

Hi @Marvin Rhoads , any idea ?, i have already uploaded the diagram, grateful to advise.

Marvin Rhoads · ‎04-13-2022

Are all four firewalls in a single cluster?

Are there vPCs between the Nexus switches?

ashleybabajee · ‎04-13-2022

Hi @Marvin Rhoads ,

Yes, all the firewall are in the same cluster, and yes there's vPV between the Nexus.

Marvin Rhoads · ‎04-17-2022

If I understand it correctly you are using what Cisco calls "Split Spanned Etherchannel Cluster". They mention in Cisco Live presentation BRKSEC-3032 that filtering is required is such a use case to avoid MAC/IP conflicts.

ashleybabajee · ‎04-18-2022

I have applied mac acl on the HO nexus , but still same issue , there's a port-channel/vPC between the HO and DR Nexus, when one link is up it works fine, however when both links are up, we get the mac flap issues.

Marvin Rhoads · ‎04-18-2022

That's odd. I'd suggest opening a TAC case so that the engineer can work with you in real time to trace the root cause.

kimier1983 · ‎06-11-2024

I think I had the same problem trying to deploy the exact scenario (four clustered FPR 4100 and 2 DCs). Cluster was extended between DCs, having the control role on one DC and setting a different site-ID on every DC, that is FPRs on DC had site-ID 1 and and FPRs on the other DC had site-ID 2. Having just one DC active everything was working fine, although several MAC flapping messages are showing on the Nexus switches, from the connectivity standpoint nothing happens, however the when the second DC was added to the equation everything was impacted and degraded,

I´ve been testing in a reduced scenario setting a different site-ID (1 to 4) on every FPR, regardless the DC location and it looks like the flapping messages has gone, so I guess it´s not necessary to filter the MAC movement messages, since they´re not showing anymore

Would you mind to share what solution was offered by the TAC? I´ve engaged them to help on this matter but so so far no luck...

Thank you very much

Regards

Iván