  • 1.  10K Routing Issue

    Posted Oct 31, 2024 11:36 AM

    Hi Airheads,

    I had originally posted this in the security forum, but it was suggested that I post it here for more traction.



    We are running into a strange issue with our 10K deployment, and I wanted to ask for help here to see if anyone has seen anything like this before. (I do also have a TAC case.) Take the following (very simple) diagram.

    Currently, the VMs' default gateways (192.0.2.1 and 203.0.113.1) are both on the 8325 VSX pair. We have the firewall on the 10Ks with permit-all rules. What we are trying to do is slowly move the VMs' default gateways off the 8325 pair to the 10K pair. We are trying to do this in a phased approach, so one VLAN at a time.
    The issue is that when I remove the SVI from the 8325 core and add the configuration to the 10Ks, all OTHER VLANs "behind" the 10K lose connectivity. For example, I removed the 192.0.2.1 active gateway from the 8325s and added it to the 10Ks. My client PC was able to communicate fine with VM-1 (192.0.2.5); however, VM-2 (203.0.113.5) was completely unreachable. If I removed the SVI from the 10K and put it back onto the 8325s, both VMs became reachable again. In reality, we have hundreds of VMs, but it's the same issue.
    VM-2 still shows up in the MAC-Table, shows up in ARP, but nothing can reach it. The routing is updated correctly, and everything knows HOW to reach it, but it's like the traffic is just being dropped. There are no firewall logs in the PSM showing drops either.
    If anyone has any ideas or things to check, I'd greatly appreciate it.


    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------


  • 2.  RE: 10K Routing Issue

    Posted Oct 31, 2024 04:15 PM

    Did you try to create an active-gateway on the CX10k VSX pair without removing the 8325?

    I believe you could do that with a different A-G MAC address.

    If that works, you can retire the 8325 SVI / A-G afterwards.