Nexus - PBR over vPC and VRRP and DUP! pings

Chris_78
Level 1

Hi Guys 

We have the following topology (screenshot below): 2 x Nexus 3k switches connected with a vPC link towards a Palo Alto firewall. We have 2 x VLANs, 100 and 200. I'm routing all the traffic from the VLANs via PBR to the Palo Alto firewall by tracking the firewall interface. If the firewall interface is down, then inter-VLAN traffic is routed on the switch. Both VLANs have VRRP set up under the SVI.

I'm connecting a Windows client to VLAN 100 and I'm pinging directly from the switch, and I'm getting 5 pings and 5 DUP! packets.

I'm connecting another Windows device on VLAN 200 and I'm pinging directly from the switch, and I'm getting 5 pings and 5 DUP! packets.

However, when I connect to the secondary switch and ping both machines, the pings come back just fine without DUP!s.

I have ESXi connected via static vPC towards both switches and a Windows Server VM behind it. When I ping it from the main/master switch I don't get DUP!s, but if I ping it from the secondary switch I'm getting 5 pings and 5 DUP! packets.

STP is in RSTP mode and the main/master switch is the root bridge for all VLANs. Please tell me what I'm doing wrong, or whether the DUP! should be expected in this topology.

 

Capture.PNG

2 Replies

nazimkha
Cisco Employee
What is the PBR you are using? Where is it being applied?

I have an access list for any IP to any destination,
then 2 route-maps:

route-map PBR-VLAN100
ip next-hop verify-availability 10.0.0.1 track 1

route-map PBR-VLAN200
ip next-hop verify-availability 10.0.0.5 track 1

These are both applied on the switch SVIs:
int VLAN100
ip policy route-map PBR-VLAN100
int VLAN200
ip policy route-map PBR-VLAN200

Then on the firewall I have some static routes from one subnet to another. Today I shut off the port channel towards the FW and the DUP! pings are gone, so I assume it's something with the routing on the FW. Should I go OSPF instead of static?