Tuesday, February 4, 2020

VRFs and the CAM table on layer3 switches

Okay, here's an interesting question (I think).

If you have a layer3 switch which has multiple VRF customers. Two of the VRF customers are operating firewalls in a HA setup using VRRP and are using the standard VRRP virtual MAC address.

Now on the layer3 side of things that's fine: show arp is specific to each VRF ('show arp vrf customer1').

What isn't separated, however, would be the CAM table. If I do 'show arp vrf Customer1' and 'show arp vrf customer2' they each show the correct MAC address, which is the standard virtual MAC and therefore the same.

Now surely at a point the layer3 switch will use the CAM table instead to forward the frame, and as the MAC address is shared it will have two entries going out of two separate ports.

How does the layer3 switch distinguish which MAC belongs to which at the layer2 level?

I have this scenario at the moment and neither customer is having issues, but I'm scratching my head as to how both their firewalls are not receiving traffic not intended for them.

I've asked them to change the VRRP MAC to a non-standard MAC just in case.

Thanks
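As an added illustration (editor's example, not from the original post): what keeps the two identical VRRP virtual MACs apart is that a switch's MAC table is keyed per VLAN, and each VRF's SVI sits in its own VLAN, so the same MAC learned in VLAN 100 and VLAN 200 is two separate entries. The constructed model below contrasts a per-VLAN table with a hypothetical MAC-only table that would produce the cross-customer leak the post worries about; the VLAN numbers, port names and the use of VRID 1 are assumptions.

```python
"""Constructed model of a layer-2 MAC (CAM) table showing why the same
VRRP virtual MAC in two customer VLANs does not collide."""
from dataclasses import dataclass, field

# Standard IPv4 VRRP virtual MAC for VRID 1 (RFC 5798); assumed for both customers.
VRRP_VMAC_VRID1 = "00:00:5e:00:01:01"


@dataclass
class MacTable:
    """MAC table keyed by (VLAN, MAC), i.e. independent VLAN learning as real switches do."""
    entries: dict = field(default_factory=dict)

    def learn(self, vlan: int, mac: str, port: str) -> None:
        self.entries[(vlan, mac.lower())] = port

    def lookup(self, vlan: int, mac: str):
        # None here means unknown unicast: flooded within this VLAN only.
        return self.entries.get((vlan, mac.lower()))


@dataclass
class FlatMacTable:
    """Hypothetical table keyed by MAC alone, to show the collision the post fears."""
    entries: dict = field(default_factory=dict)

    def learn(self, vlan: int, mac: str, port: str) -> None:
        self.entries[mac.lower()] = port  # second learn overwrites the first

    def lookup(self, vlan: int, mac: str):
        return self.entries.get(mac.lower())


# Constructed topology (assumed): customer1 = VRF/VLAN 100 on Gi1/0/1,
# customer2 = VRF/VLAN 200 on Gi1/0/2. Each VRRP master sources frames from the VMAC.
FRAMES = [
    (100, VRRP_VMAC_VRID1, "Gi1/0/1"),
    (200, VRRP_VMAC_VRID1, "Gi1/0/2"),
]


def forwarding_decisions(table_cls):
    """Learn from both customers' frames, then ask where each VLAN's gateway MAC lives."""
    table = table_cls()
    for vlan, mac, port in FRAMES:
        table.learn(vlan, mac, port)
    return {vlan: table.lookup(vlan, VRRP_VMAC_VRID1) for vlan in (100, 200)}


if __name__ == "__main__":
    print("per-VLAN table:", forwarding_decisions(MacTable))      # each VLAN to its own port
    print("MAC-only table:", forwarding_decisions(FlatMacTable))  # VLAN 100 wrongly sent to Gi1/0/2
```

If both customers' firewalls were ever placed in the same VLAN, the per-VLAN table would degrade to the MAC-only case, which is the situation where a non-standard VMAC (or a different VRID) actually matters.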
