Cisco VRFs and L2 inter-switch communication

cisco, layer3, routing, switch, vrf

I am having trouble wrapping my brain around a VRF concept and why two switches are communicating with each other on a particular VLAN when I don't think they should.

switch1 & switch2 are independent core switches with a port channel between them. However, none of the VLANs that are configured with SVIs in the VRF are configured on the port channel.

I have vlan 920 (L2) configured on switch1 and switch2. I also have SVI vlan920 (L3) configured on both switches. The SVI vlan920 is configured inside VRF extwan as are several others.

vlan920 on switch1 is 10.146.64.130 & 10.146.64.131 on switch2.

If I issue a 'ping vrf extwan 10.146.64.131' on switch1, I get a reply.

If I do a 'sh ip arp vrf extwan' on switch1 there's an entry pointing .131 to vlan920 & a MAC address on switch2 that is the same for every SVI on that switch. I assume it represents the MSFC.

So, there is no physical L3 connection set up yet between the switches and the existing L2 channel does not include these VLANs, how am I getting ARP entries in the VRF for the other switch?

The VRF is connected to a set of ASAs on another SVI (also in the VRF) so maybe it's going through that?

Another possibility is that these switches are connected to access switches but STP is blocking one of the links on each VLAN.

Simplified/Sanitized Diagram

Best Answer

At first I thought this might be working as designed or some artifact of L2 communication I didn't understand. However, I did some deeper digging and found another path between switch1 and switch2 on vlan 920...

I found that switch1 was learning switch2's SVI MAC address for vlan 920 through another port channel which led to one of the access switches.

I took a look at this access switch and for reasons I don't yet understand, it has STP turned off (no spanning-tree vlan 550, 920, 930, 940) for the VLANs I added for this project. I think this happened automatically as VTP is enabled on this network and the config changed on the same day the vlan.dat file changed.

So communication on VLAN 920 is going from switch1, to this access switch and then switch2 because STP isn't being blocked on either of the port channels to the access switch.

I'll close this question out and will probably post a new question on how this would happen. I haven't found the answer via google yet.
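The check the answer describes (look up the peer SVI's MAC in the ARP table for the VRF, find which port the MAC address table learned it on, and confirm whether that port is the one you expect, then check whether STP is even running for the VLAN on the switch at the far end) can be scripted against saved show-command output. The example below is added here and is not part of the original question or answer. The command outputs are constructed to resemble IOS formatting, the MAC addresses are made up, and the port names Po1 (assumed inter-core port channel) and Po5 (assumed port channel to an access switch) are assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of 'show ip arp vrf extwan' as seen on switch1.
# Addresses follow the question; MACs, ages and the third row are made up.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.146.64.130           -   0011.2233.0001  ARPA   Vlan920
Internet  10.146.64.131           4   0011.2233.0002  ARPA   Vlan920
Internet  10.146.64.135           9   0011.2233.0002  ARPA   Vlan930
"""

# Constructed sample of 'show mac address-table' on switch1. Po1 is the assumed
# inter-core port channel; Po5 is an assumed port channel to an access switch.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 920    0011.2233.0002    DYNAMIC     Po5
 930    0011.2233.0002    DYNAMIC     Po5
 100    0011.2233.0003    DYNAMIC     Po1
"""

# Constructed sample of 'show spanning-tree vlan 920' on the access switch
# after 'no spanning-tree vlan 920' (wording approximates the IOS message).
ACCESS_STP_OUTPUT = "\nSpanning tree instance(s) for vlan 920 does not exist.\n"

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)\s*$", re.M)


def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC, interface) from 'show ip arp vrf <name>' output."""
    return {ip: (mac, intf) for ip, _age, mac, intf in ARP_RE.findall(text)}


def parse_mac_table(text: str) -> Dict[Tuple[int, str], str]:
    """Map (VLAN, MAC) -> port the MAC was learned on from 'show mac address-table'."""
    return {(int(vlan), mac): port for vlan, mac, port in MAC_RE.findall(text)}


def svi_vlan(interface: str) -> Optional[int]:
    """VLAN number for an SVI name such as 'Vlan920'; None for other interfaces."""
    m = re.fullmatch(r"Vlan(\d+)", interface)
    return int(m.group(1)) if m else None


def trace_peer_paths(arp: Dict[str, Tuple[str, str]],
                     mac_table: Dict[Tuple[int, str], str],
                     peer_ips: Set[str],
                     expected_ports: Set[str]) -> List[Tuple[str, int, str, str, bool]]:
    """For each peer SVI address, report (ip, vlan, mac, learned_port, expected).

    A peer MAC learned on a port outside expected_ports means there is an L2 path
    to the other core switch you did not plan for (e.g. through an access switch).
    """
    findings = []
    for ip in sorted(peer_ips):
        if ip not in arp:
            continue  # no ARP entry: no L2 reachability was observed for this peer
        mac, intf = arp[ip]
        vlan = svi_vlan(intf)
        if vlan is None:
            continue
        port = mac_table.get((vlan, mac), "?")
        findings.append((ip, vlan, mac, port, port in expected_ports))
    return findings


def stp_active_for_vlan(stp_output: str) -> bool:
    """False when 'show spanning-tree vlan N' reports no instance for the VLAN."""
    text = stp_output.lower()
    return not ("does not exist" in text or "no spanning tree instance" in text)


if __name__ == "__main__":
    arp = parse_arp(ARP_OUTPUT)
    mac_table = parse_mac_table(MAC_TABLE_OUTPUT)
    for ip, vlan, mac, port, ok in trace_peer_paths(
            arp, mac_table, {"10.146.64.131", "10.146.64.135"}, {"Po1"}):
        flag = "expected" if ok else "UNEXPECTED PATH"
        print(f"{ip} (vlan {vlan}, {mac}) learned via {port}: {flag}")
    print("STP active for vlan 920 on access switch:",
          stp_active_for_vlan(ACCESS_STP_OUTPUT))
```

Run on the constructed data, both peer SVIs are reported as learned via Po5 rather than the inter-core channel, and the access-switch output shows no STP instance for VLAN 920, which together reproduce the conclusion in the answer. With real output, paste the text of each show command into the corresponding string and adjust the regular expressions if your platform's column layout differs.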