I'm running into a little issue on a Catalyst 6500 with a Supervisor 720-10G which previously used to work when I configured this on a Supervisor 720. We have an IPS module installed within a Catalyst 6500 and I would like to route traffic through the IPS. If the IPS fails, the routing protocol will redirect traffic a different way. The IPS is configured to bridge between a VLAN pair. One of the VLANs is configured as an SVI in the global routing table and the other SVI is configured as part of the VRF. Both VLANs are given an IP address within the same IP subnet. EIGRP is then run between two EIGRP processes, one defined in the global routing table and one defined within the VRF.
The problem I normally run into is that, as the two VLANs are bridged together, both with a defined SVI interface, the interfaces cannot speak to each other as they have the same MAC address (as do all SVI interfaces on a 6500). I normally change the MAC address assigned to the SVI within the VRF to be a little different and everything works. The ARP table and mac-address table all show the change has worked, but there is no communication. EIGRP will not form an adjacency and you cannot ping between the two interfaces. The IPS works fine, as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the VRF) I can ping all the interfaces.
Does anybody have any idea why the two SVI interfaces cannot ping each other and why EIGRP will not come up? I'm convinced it's something to do with the way the MAC address is assigned to the SVI.
Quick config snippet:
ip vrf IPS
description unprotected vlan
ip address 192.168.0.1 255.255.255.0
description IPS protected vlan
ip vrf forwarding IPS
ip address 192.168.0.2 255.255.255.0
router eigrp 100
address-family ipv4 vrf IPS
If you are trying to ping the SVI of Switch from another Switch then enable "ip routing" on the Switch.
Your configuration looks correct.
We have a similar setup with the following differences:
both SVIs are in two different VRFs
device in the middle is a FWSM context in transparent mode.
And it works with one SVI with a modified MAC as you did
You could also add an eigrp router-id command under the AF vrf to be sure they are different, but you should at least be able to ping.
Notice that in your case, when you ping from the VRF you need to use ping vrf IPS.
To be noted: is the IPS working as a switch, or does it have different IP addresses on its interfaces?
You say:
The IPS works fine as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the vrf) I can ping all the interfaces.
Do you mean the PC can ping 192.168.0.1 and 192.168.0.2, or are you referring to IP addresses on the IPS?
Hope to help
I agree with Giuseppe that 0.1 and 0.2 should be able to ping each other. Does "sh ip arp" show the manually configured MAC for 192.168.0.2? If this was working with Sup720, everything points to Sup720-10G. Did you have a chance to open a case with the TAC?