Based on the explanation provided by Engineering, this is the expected behavior with MLAG/VRRP setup.
Per the below topology, switch1 and switch2 are MLAG peers where sw1 is VRRP Master and sw2 is VRRP Backup. All the traffic will be routed through VRRP master. All the Egress traffic will be forwarded via VRRP master switch (i.e. sw1). Now sw1 and sw2 have an entry to reach the destination since both have FDB entries. By Default, If VRRP Switch knows the path to reach the destination, then the packet will be forwarded directly to destination and it won't go via VRRP Backup. If suppose server1 switch MLAG port goes down, then server1 switch will show FDB entry towards sw2 MLAG peer switch and then the packet will be forwarded to destination. That is, FDB entry will switch path from MLAG port to ISC port. Additional Clarification on Expected Behavior for MLAG Layer-3 Unicast The MLAG feature requires users to configure VRRP or ESRP on the peer switches for L3 unicast forwarding to work correctly. When VRRP is used the server is configured with the default gateway set to the VRRP virtual router IP address. ARP requests emanating from the server can hash to any of the links in its LAG group. Consider the topology shown above, The trivial case is ARP requests from the server being sent out on the link that is directly connected to Switch1 which is the VRRP master in our example. Switch1 will respond back directly to the server over the P1 link. The more interesting case is when the ARP request is sent over the Server to Switch2 link. The ARP request is both L2 flooded over the ISC and is also examined by the CPU on Switch2. Since Switch2 is VRRP standby, it does not respond to the ARP but learns the binding of the Server’s IP address to MAC. When the VRRP master (Switch1) receives the ARP packet, it can:
Note that there is no learning on the ISC link hence the ARP request will not result in an FDB entry (pointing to the ISC port) for the server MAC being created.
- Send the ARP response over P1 if it has an FDB entry present for the server’s MAC (learnt directly or through FDB check-pointing from Switch2) or
- For a transient period of time (till check-pointing messages are received from Switch2) flood the response back.
L3 traffic from this point on can be sent on any of the LAG links from the server with the MAC DA set to the VRRP virtual MAC. Since Switch2 never installs the virtual MAC in hardware, it L2 forwards the traffic to Switch1, which takes care of L3 forwarding.