Imagine 2 L3 switches, C1 and C2, in an HSRP group config.
C1 is the HSRP primary for all VLANs because I need it that way. Can't have asymmetric routing. Why is not important now -- I just do.
Now, directly attached to C1 and C2 are NIC-teamed servers, each with ONE active NIC, but (here is the kicker) some of those active NICs face the HSRP secondary.
So, imagine I need to maintain symmetric routing and there is stateful traffic coming into a server from C1. Imagine the server is an LDAP server responding to an LDAP client.
If that LDAP server has its active NIC facing C2, it will have to forward its response to C2. The response, of course, will have the vMAC owned by C1 in its destination MAC header info, so C2 will forward it to C1.
Now, here is the question:
Will C2 re-write the source MAC address info before forwarding it to C1? If so, then is the symmetric routing requirement broken? I think the answer is yes to both questions. Yes, the MAC address will be re-written and yes, the symmetric routing requirement will be violated, since C1 will receive return traffic for a stateful connection on an interface OTHER than the one it is expecting to receive it on.
I think the key is that the traffic does not come back in on a different interface than the one it went out on, or more specifically, it may go out and back in on a different L2 interface, but it is definitely going out and back in on the same L3 interface, i.e. the server VLAN interface, and since state is really tied to IP address/TCP flags, the statefulness is not broken.
If L2 interfaces could maintain state, and we would need to define state in this case because I'm not sure what it could be, then yes, traffic would go out on the server port and back in on the L2 trunk port connecting C1 & C2.
Note I'm assuming an L2 trunk between C1 & C2, as I can't see how else it would work.
Edit - I'm also assuming the LDAP client is on a different subnet.
Edit again - sorry Victor!
C2 will not rewrite the destination MAC address because it does not route the packet to C1, so there is no MAC address rewrite; it simply switches it across the trunk.
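The forwarding decision described in the reply above can be traced with a small model. This is an added example, not code from either poster; it assumes an L2 trunk between C1 and C2 and a client on a different subnet (as the reply does), and every MAC address, IP address and VLAN number in it is constructed. It also assumes the routing switch sources routed frames from its own interface MAC.

```python
from dataclasses import dataclass, replace

# All addresses and VLAN numbers below are constructed for illustration.
HSRP_VMAC = "00:00:0c:07:ac:14"    # HSRPv1 vMAC format 0000.0c07.acXX, group 20
SERVER_VLAN, CLIENT_VLAN = 20, 10

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64

class L3Switch:
    def __init__(self, name, own_mac, hsrp_active, arp=None):
        self.name, self.own_mac, self.hsrp_active = name, own_mac, hsrp_active
        self.arp = arp or {}   # destination IP -> (MAC, egress VLAN), directly connected hosts

    def receive(self, frame, vlan):
        """Return (action, egress_vlan, frame_out) for a frame arriving in `vlan`."""
        router_macs = {self.own_mac} | ({HSRP_VMAC} if self.hsrp_active else set())
        if frame.dst_mac not in router_macs:
            # Not addressed to this router: bridged inside the VLAN, headers untouched.
            return ("switched", vlan, frame)
        # Addressed to a MAC this router owns: routed, so a new L2 header is built.
        dst_mac, out_vlan = self.arp[frame.dst_ip]
        routed = replace(frame, src_mac=self.own_mac, dst_mac=dst_mac, ttl=frame.ttl - 1)
        return ("routed", out_vlan, routed)

def trace_ldap_reply():
    c1 = L3Switch("C1", "00:11:11:11:11:11", hsrp_active=True,
                  arp={"10.0.10.50": ("00:aa:aa:aa:aa:aa", CLIENT_VLAN)})
    c2 = L3Switch("C2", "00:22:22:22:22:22", hsrp_active=False)
    # LDAP server's active NIC faces C2; its default gateway resolves to the vMAC.
    reply = Frame("00:bb:bb:bb:bb:bb", HSRP_VMAC, "10.0.20.5", "10.0.10.50")
    hop_c2 = c2.receive(reply, SERVER_VLAN)        # C2 is standby: does not own the vMAC
    hop_c1 = c1.receive(hop_c2[2], hop_c2[1])      # arrives on C1 via trunk, still in server VLAN
    return reply, hop_c2, hop_c1

if __name__ == "__main__":
    for hop in trace_ldap_reply()[1:]:
        print(hop)
```

In this model the frame crosses C2 with both MAC addresses and the TTL unchanged, and the only L2 header rewrite happens on C1 when it routes from the server VLAN to the client VLAN.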