vPC HSRP Gateway Considerations – Cisco CCNP and CCIE

vPC HSRP Gateway Considerations
In normal Hot Standby Router Protocol operation, the active HSRP interface answers ARP requests, but with a vPC, both HSRP interfaces (active and standby) can forward traffic.
The most significant difference between the HSRP implementation of a non-vPC configuration and a vPC configuration is that the HSRP MAC addresses of a vPC configuration are programmed with the G (gateway) flag on both systems, compared with a non-vPC configuration, in which only the active HSRP interface can program the MAC address with the G flag.
Given this fact, routable traffic can be forwarded by both the vPC primary device (with HSRP) and the vPC secondary device (with HSRP), with no need to send this traffic to the HSRP active device.
Without this flag, traffic sent to the MAC address would not be routed.

vPC ARP Synchronization
Layer 3 vPC peers synchronize their respective ARP tables. This feature is transparently enabled and helps ensure faster convergence time upon reload of a vPC switch. When two switches are reconnected after a failure, they use the Cisco Fabric Services protocol over Ethernet to perform bulk synchronization of the ARP table.

vPC Peer Gateway
If a host or a switch forwards a frame to the Layer 3 gateway and this Layer 3 gateway is present on a vPC pair of switches, everything works as expected as long as the frame is destined to the HSRP MAC address.
If the frame that is sent to the Layer 3 gateway uses the burned-in MAC address (BIA) of one peer instead of the HSRP MAC address, the port channel hashing of the frame may forward it to the wrong vPC peer, which would then just bridge the frame over the peer link to the vPC peer that owns that MAC address.
This scenario can be problematic because if the vPC peer that owns the MAC address routes the frame to a vPC member port, this frame will not be able to leave the switch because the vPC duplicate prevention rule would apply: no frame that comes from a peer link is allowed to exit the switch on a vPC member port.
Figure 2-12 shows the case in which device A sends traffic to remote MAC (RMAC) address A with a port channel hash that forwards the traffic to switch B. The result is that the frame cannot get to server B because of the duplicate prevention rule.
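The following NX-OS configuration is an added example and not text from this page: it shows a vPC domain with the peer-gateway function enabled, which lets each vPC peer route frames addressed to the other peer's BIA MAC address locally instead of bridging them across the peer link, so the duplicate prevention rule described above is never triggered. The domain ID, VLAN, IP addresses, port-channel numbers and keepalive addresses are assumed placeholders, and the `peer-gateway` command itself is the NX-OS feature this section's heading refers to, not something the page quotes.

```cisco
! Added example: vPC domain with peer-gateway (values are assumed placeholders)
feature vpc
feature hsrp
feature interface-vlan

vpc domain 10
  ! Out-of-band keepalive between the two vPC peers (placeholder addresses)
  peer-keepalive destination 192.168.100.2 source 192.168.100.1
  ! Each peer routes frames sent to the other peer's BIA MAC locally,
  ! so they are not bridged over the peer link and then dropped on a vPC member port
  peer-gateway

! The vPC peer link carrying all vPC VLANs between the two switches
interface port-channel 1
  switchport mode trunk
  vpc peer-link

! A vPC member port-channel towards a dual-homed host (vPC id 20 assumed)
interface port-channel 20
  switchport mode access
  switchport access vlan 100
  vpc 20

! HSRP gateway for VLAN 100; both peers forward routed traffic for the HSRP MAC
interface Vlan100
  no shutdown
  ip address 10.1.100.2/24
  hsrp 100
    ip 10.1.100.1
```

The same `vpc domain`, `peer-link` and HSRP configuration is applied on the second peer with its own SVI address and mirrored keepalive addresses; `peer-gateway` must be enabled on both peers for the behavior to be symmetric.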