Wireless Access

For traffic coming from the VIP of a Master Redundancy VRRP, what should the source mac address be?  My understanding is that it should be sourced from the VRRP virtual mac address and the VRRP virtual IP address.

But when i take a packet capture, that's not what i see.  Traffic from the VRRP IP address is sourced via the physical mac address.

So either my understanding of VRRP is incorrect, or the Aruba controller is not responding sourced from the correct mac address.  I do see it sending VRRP packets sourced from the VRRP virtual mac, but not packets destined towards APs.

Thoughts?

So traffic from the controller to the AP should not be sourced via the VRRP address?  That doesn't seem right.

It is not.  It comes from the controller's controller-ip.  VRRP is a standard protocol for incoming traffic, not outgoing traffic.

Listen, VRRP is not a receive only protocol. If that was the case, all TCP transactions to the VIP would fail.  As you can see in the screenshot, they very well do work as this is a packet FROM the VRRP IP Address.

If what you are saying regarding AP communication is correct, then there would be 2 seperate GRE tunnels to the controller.  One from the AP to the VIP, and one from the controllers mgmt IP to the AP.  Which is also not the case.  See the following:

Amazing that the firwall shows that the controller does indeed build a GRE tunnel from the VIP to the AP.

So now back to my original question, why are packets SENT from the VIP IP address not sent via the VRRP virtual mac?  Doesn't this lead to issues where we have to do unicast flooding since we aren't learning the mac address on that port? (also behavior described in the RFC).