Hi there,
I would imagine in your Nexus setup, it's SVIs that are configured with HSRP as opposed to physical L3 interfaces, correct?
If so, and your connection between the Nexus pair and the firewall is L2, the Nexus will be flooding HSRP multicast Hellos on the allowed VLANs for said switchport for which it has a corresponding SVI in HSRP. This is normal and expected behavior.
To illustrate:
+----------+
|    FW    |
+----+-----+
     |
     | L2
     |
+----+-----+ VPC Peer-L  +----------+
| Nexus 1  +-------------+ Nexus 2  |
+----+-----+             +----------+
     |
     | L2 Trunk
     |
+----+-----+
| Catalyst |
+----------+
In the above setup, if I have "interface vlan 10" configured on both Nexus, and HSRP group 10 under this SVI's configuration, the Nexus will send the HSRP multicast Hello looking for other HSRP routers in VLAN 10 out of all Layer 2 ports which are in an STP Forwarding state for VLAN 10. This means that both the firewall and the Catalyst will receive these HSRP Hellos, as well as the other Nexus peer.
Hope that helps.
- Andrea
- Andrea, CCIE #56739 R&S
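To confirm that the multicast arriving on the firewall's L2 port is the HSRP Hello traffic described in the reply above, the following added example (not part of the original post) decodes HSRP payloads and groups the speakers per VLAN and HSRP group. It assumes HSRP version 1 (RFC 2281: UDP port 1985 to 224.0.0.2); the IP addresses, priorities and sample frames are constructed.

```python
import struct
from ipaddress import IPv4Address

# HSRPv1 (RFC 2281): hellos go to 224.0.0.2, UDP port 1985, 20-byte payload.
HSRP_V1_ADDR = IPv4Address("224.0.0.2")
HSRP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
FMT = "!8B8s4s"  # version, opcode, state, hello, hold, priority, group, reserved, auth, VIP

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode one HSRPv1 UDP payload into named fields."""
    if len(payload) != struct.calcsize(FMT):
        raise ValueError(f"HSRPv1 payload must be 20 bytes, got {len(payload)}")
    ver, op, state, hello, hold, prio, group, _rsvd, _auth, vip = struct.unpack(FMT, payload)
    if ver != 0:
        raise ValueError(f"version field {ver} is not HSRPv1")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold, "priority": prio,
        "group": group, "virtual_ip": str(IPv4Address(vip)),
    }

def hsrp_speakers(frames):
    """Map (VLAN, HSRP group) -> {source IP: state} for the hellos in `frames`."""
    seen = {}
    for vlan, src, dst, dport, payload in frames:
        if IPv4Address(dst) != HSRP_V1_ADDR or dport != HSRP_PORT:
            continue  # not HSRPv1 traffic
        msg = parse_hsrp_v1(payload)
        if msg["opcode"] == "Hello":
            seen.setdefault((vlan, msg["group"]), {})[src] = msg["state"]
    return seen

def _hello(state, prio, group, vip):
    """Build a constructed HSRPv1 hello (3 s hello, 10 s hold) for the sample below."""
    return struct.pack(FMT, 0, 0, state, 3, 10, prio, group, 0,
                       b"cisco\x00\x00\x00", IPv4Address(vip).packed)

# Constructed sample: what the firewall's L2 port would receive for VLAN 10.
SAMPLE = [
    (10, "10.0.10.2", "224.0.0.2", 1985, _hello(16, 110, 10, "10.0.10.1")),  # Nexus 1
    (10, "10.0.10.3", "224.0.0.2", 1985, _hello(8, 100, 10, "10.0.10.1")),   # Nexus 2
    (10, "10.0.10.50", "10.0.10.1", 53, b"\x00" * 20),                       # unrelated
]

if __name__ == "__main__":
    for key, speakers in hsrp_speakers(SAMPLE).items():
        print(key, speakers)
```

Two speakers for the same VLAN and group, one Active and one Standby, is what the flooding behaviour described above should produce on the firewall port.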