VLAN 99 is reserved in Nutanix CE, and it will ruin your day silently

There’s a particular kind of frustration in troubleshooting a problem that looks like it’s working.

I was deep into building out Mad Miller Labs (my home lab enterprise merger simulation) and I’d just finished configuring my management VLAN. Devices were getting IP addresses. I could ping in. Everything looked fine, right up until I tried to actually do anything from a guest VM. No outbound traffic. No ARP resolution. MAC address nowhere to be found on the switch.

RX was fine. TX was zero. Every time.


What was happening

My management network was sitting on VLAN 99. Seemed like a reasonable choice at the time. I’d used it in prior environments, it was clean, nothing else was on it. I’d assigned it to my Nutanix AHV cluster, configured the switch trunk, set up pfSense. Everything looked right on paper.

What I didn’t know (and what Nutanix doesn’t exactly advertise prominently) is that AHV reserves VLAN 99 internally for CVM traffic. Not partially. Not sometimes. Completely. Guest VM transmit traffic on VLAN 99 is silently dropped by OVS (Open vSwitch) at the hypervisor layer before it ever hits the wire.

The insidious part is that receive works fine. So your VM gets an IP via DHCP, responds to pings from the physical network, looks healthy in every inbound direction. It just can’t send anything out. TX stays at zero. The MAC never shows up in the switch CAM table. ARP never resolves from the VM’s perspective.

It doesn’t throw an error. It doesn’t log anything obvious. It just… doesn’t work.


How I found it

My first instinct was the switch. I pulled up show mac address-table on the Catalyst 2960X and noticed the VM’s MAC was just absent. Not on the wrong VLAN, not bouncing, just not there. That told me the frame was never making it out of the hypervisor.

The key clue came when I tested a physical device on a VLAN 99 access port. That worked perfectly. So the switch config was fine, pfSense was fine, the physical path was fine. The problem was isolated to guest VMs on AHV.

From there it was a quick trip through Nutanix documentation and community posts to find the answer: VLAN 99 is reserved. Has been for a while. It’s just not something that comes up unless you happen to pick that number.


The fix

Move off VLAN 99. That’s it.

I migrated my management network to VLAN 77: updated the switch trunk config, reconfigured pfSense, reassigned VM network adapters, updated my IP scheme. Everything came up cleanly.

The migration itself took less than an hour. The troubleshooting that preceded it took considerably longer.


What to watch for

Symptom checklist

- The guest VM gets a DHCP lease and answers inbound pings
- RX counters climb; TX stays at zero
- The VM's MAC never appears in the switch MAC address table
- ARP never resolves from the VM's side
- A physical device on a VLAN 99 access port works perfectly

If you're on Nutanix CE with AHV and seeing this combination, check your VLAN number before anything else.

Nutanix uses VLAN 99 internally for CVM-to-AHV communication via OVS. It doesn’t expose this as an error. It just quietly drops guest TX frames. Physical switch ports in VLAN 99 access mode are unaffected because that traffic never passes through OVS.
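A pre-flight check that turns the two points above into something you can run before the next cutover. This is an added example, not code from the post or from Nutanix: it flags guest networks placed on VLAN 99, parses Cisco IOS show mac address-table output, and matches the symptom pattern (frames received, none transmitted, MAC absent from the switch table). All network names, MACs, counters and port names below are constructed sample data.

```python
"""Pre-flight check for guest networks on Nutanix AHV (added example).

Flags guest networks on VLAN 99, which AHV reserves for CVM traffic, and
matches the RX-works/TX-dead symptom pattern against the switch's MAC table.
All sample data is constructed, not captured from a real lab."""

import re
from dataclasses import dataclass

# AHV reserves VLAN 99 internally for CVM traffic; guest TX on it is dropped by OVS.
RESERVED_VLANS = {99}


@dataclass(frozen=True)
class GuestNetwork:
    name: str
    vlan_id: int


@dataclass(frozen=True)
class VmNic:
    vm: str
    network: str
    mac: str          # colon-separated, lower case
    rx_packets: int
    tx_packets: int


# Matches data rows of Cisco IOS "show mac address-table" output, e.g.
# "  77    5254.00aa.bb02    DYNAMIC     Gi1/0/5"
_CAM_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def dotted_to_colon(mac):
    """Convert a Cisco dotted MAC ('5254.00aa.bb02') to '52:54:00:aa:bb:02'."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_cam_table(text):
    """Parse 'show mac address-table' output into {mac: (vlan, port)}."""
    cam = {}
    for line in text.splitlines():
        m = _CAM_ROW.match(line)
        if m:
            cam[dotted_to_colon(m["mac"])] = (int(m["vlan"]), m["port"])
    return cam


def reserved_vlan_networks(networks):
    """Names of guest networks sitting on a VLAN that AHV reserves."""
    return [n.name for n in networks if n.vlan_id in RESERVED_VLANS]


def diagnose(networks, nics, cam):
    """Return one finding per NIC showing the RX-ok/TX-zero pattern.

    Each finding records whether the NIC's MAC is visible on the switch and
    whether the network's VLAN is the reserved one (the cause described in
    the post) or something else worth chasing."""
    vlan_of = {n.name: n.vlan_id for n in networks}
    findings = []
    for nic in nics:
        tx_dead = nic.rx_packets > 0 and nic.tx_packets == 0
        if not tx_dead:
            continue
        vlan = vlan_of.get(nic.network)
        cause = ("reserved VLAN (AHV drops guest TX)" if vlan in RESERVED_VLANS
                 else "not the reserved VLAN; check elsewhere")
        findings.append({
            "vm": nic.vm,
            "network": nic.network,
            "vlan": vlan,
            "mac_seen_on_switch": nic.mac in cam,
            "likely_cause": cause,
        })
    return findings


# ---- constructed sample data (hypothetical lab, not real captures) ----
SAMPLE_NETWORKS = [GuestNetwork("mgmt", 99), GuestNetwork("mgmt-new", 77)]

SAMPLE_NICS = [
    VmNic("dc01", "mgmt", "52:54:00:aa:bb:01", rx_packets=1200, tx_packets=0),
    VmNic("web01", "mgmt-new", "52:54:00:aa:bb:02", rx_packets=500, tx_packets=480),
]

SAMPLE_CAM_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  77    5254.00aa.bb02    DYNAMIC     Gi1/0/5
  77    0011.2233.4455    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 2
"""

if __name__ == "__main__":
    print("networks on reserved VLANs:", reserved_vlan_networks(SAMPLE_NETWORKS))
    cam_table = parse_cam_table(SAMPLE_CAM_OUTPUT)
    for finding in diagnose(SAMPLE_NETWORKS, SAMPLE_NICS, cam_table):
        print(finding)
```

Run it with real inputs by replacing the constructed network list and NIC counters with whatever your inventory tooling exports and pasting the switch's show mac address-table output into SAMPLE_CAM_OUTPUT; a NIC that comes back with a VLAN of 99 and no switch entry is the exact fingerprint described above.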

The fix takes five minutes. Finding it the first time takes considerably longer.


This came up during the build-out of Mad Miller Labs, a home lab enterprise merger simulation running Nutanix CE 6.8.1 on a Dell PowerEdge R640. More posts from the build as the lab grows.