(*) - local vPC is down, forwarding via vPC peer-link

Similar Messages

• Vpc peer-link forwarding behavior

  Hey,
  In this cisco doc (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf ) I come across this statement:
  One of the most important forwarding rules of vPC is the fact that a frame that entered the vPC peer switch from the peer link cannot exit the switch out of a vPC member port (except if this is coming from an orphaned port).
  This makes perfect sense up to the "except if this is coming from an orphaned port". I can't seem to figure out why traffic sourced from an orphaned port (ie, "from" an orphaned port) and ulimately destined to a vPC member port is allowed -- since it should be sent out the local vPC member port and not across the peer link.
  Would make more sense to me if it said "destined to an orphaned port", so of course it would have to cross the peer-link.
  Can anyone shed some light on this exception to the rule?
  Thanks!

  Thanks Chad!
  Kept racking my brain on that one, and the only time it would make any sense (ie, I was trying to fit a square peg in a round hole), is if you have IGP peering to each 7K from an orphan port (ex, FW), the IGP ECMP hashes a packet to the far-end 7K, and then the traffic sent to the directly attached 7K must be sent across the vpc-peerlink -- and in theory shouldn't be dropped. This is, of course, until you add peer-gateway command, which confuses matters a bit -- especially from an IGP control-plane perspective, but also in this loop-prevention rule, since the local 7K will handle the packets destined to the other's 7K MAC.
  To complicate matters worse, the latest 5K release notes say to exclude-vlan for peer-gateway for your backup router vlan... still have to dive into that one.

• Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?

  In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vpc peer-link, especially for receivers in in non-vPC VLANs and the receivers connected to Layer 3 interfaces.
  I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
  Any hint is welcome!
  Stephan Strack

  Hey Stephan,
  The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms.  This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
  In short, 'vpc bind-vrf' is not required on N7K.
  -Andy

• Can some explain vpc peer-link vlan issues for me?

                     I remove vlan from vpn peer-link , the vpc is gonna down.
                    I know this is design ,but why.
  thank you!
  Tom

  Thanks Chad!
  Kept racking my brain on that one, and the only time it would make any sense (ie, I was trying to fit a square peg in a round hole), is if you have IGP peering to each 7K from an orphan port (ex, FW), the IGP ECMP hashes a packet to the far-end 7K, and then the traffic sent to the directly attached 7K must be sent across the vpc-peerlink -- and in theory shouldn't be dropped. This is, of course, until you add peer-gateway command, which confuses matters a bit -- especially from an IGP control-plane perspective, but also in this loop-prevention rule, since the local 7K will handle the packets destined to the other's 7K MAC.
  To complicate matters worse, the latest 5K release notes say to exclude-vlan for peer-gateway for your backup router vlan... still have to dive into that one.

• VPC Peer-Link Failure

  Hello,
  In the case I have two N5k acting as a vPC peers and I lose the vPC peer-link between two of them, but I do not lose the vPC peer-keepalive link, what would happen when the vPC peer-link comes back again?
  As I understand in the case of vPC peer-link failure all vPC member ports on the secondary N5k will be shut down. When the vPC peer-link comes back again what would happen?
  I have read that in that case the vPC member ports will not come back automatically, but they will remain disabled until you do manual recovery. Is that really so?
  Is there some way that we can automate the process upon recovery?
  Thanks

  The reload restore command has been removed/replaced and the new feature is
  now called auto recovery. Auto recovery covers the use case that reload
  restore addressed, plus more.
  If both switches reload, and only one switch boots up, auto-recovery allows
  that switch to assume the role of the primary switch. The vPC links come up
  after a configurable period of time if the vPC peer-link and the
  peer-keepalive fail to become operational within that time. If the peer-link
  comes up but the peer-keepalive does not come up, both peer switches keep
  the vPC links down. This feature is similar to the reload restore feature in
  Cisco NX-OS Release 5.0(2)N1(1) and earlier releases. The reload delay
  period can range from 240 to 3600 seconds.
  When you disable vPCs on a secondary vPC switch because of a peer-link
  failure and then the primary vPC switch fails, the secondary switch
  reenables the vPCs. In this scenario, the vPC waits for three consecutive
  keepalive failures before recovering the vPC links.
  The vPC consistency check cannot be performed when the peer link is lost.
  When the vPC peer link is lost, the operational secondary switch suspends
  all of its vPC member ports while the vPC member ports remain on the
  operational primary switch. If the vPC member ports on the primary switch
  flaps afterwards (for example, when the switch or server that connects to
  the vPC primary switch is reloaded), the ports remain down due to the vPC
  consistency check and you cannot add or bring up more vPCs.
  For more information, please refer to the Operations Guide: As a best practice,
  auto-recovery should be enabled in vPC.
  HTH,
  Alex

• VPC Peer Link

  What is the function of the VPC peer-link? Should be the composite of all VPC links that are dual homed between switches?
  In this diagram, is it necessary to have 8 x 10G links as shown above. The links conecting the 7Ks to the 5Ks are VPC links.

  ok, so as I read your reply I would like to confirm the following:
  Hosts which are not connected to the FEX via normally trunk or vPC which need to communicate to Hosts which are on a vPC these VLANs need to be trunked on the vPC peer link.
  VLANs which communicate between devices which are not on the vPC is recommended to have a seperate link. 
  I now have an issue, where I have a Nexus 1000v deployed in vmware which we are using L3. The control (same requirements for vMotion VLAN) VLANs requires to be L2 and is trunked via the physical uplinks which also carry VLANs which have HSRP on the 5Ks. 
  As a port-channel from each hosts will terminate on each fex as part of a vPC, each will be carrying VLANs which only require L2 communication and some which have a gateway (HSRP).
  For VLANs which carry only L2 information i.e. Control VLAN or vMotion VLAN, they are required to communicate with other hosts at this point if source packet arrives one Fex 1 which is connected to N5K1 and required to communicate to destination on Fex 2 which is linked to N5K2 it would need to transit via the two Nexus 5Ks, could this be achieved by the peer link or would I need a separate link carrying these VLANs in addition to them being carried over the vPC peer link?

• Nexus 7K Core Layer VDC, does it require a VPC Peer Link

  We are going to be using a pair of Cisco Nexus 7010s to act as both our data center aggregation layer and the core layer. We will accomplish this via two VDCs, one for the core layer and one for the aggregation layer.
  I know that if we are doing VPCs between the access and aggregation layers that we need a VPC Per Link (and peer keep alive link) between the two aggregation layer contexts, but if the connection between the aggregation and the core is purely layer 3 (OSPF), then I don't think we need a VPC peer link between the two core VDCs, Am I correct?

  You are on the right track
  You will use VPC if you’re designing include L2 trunk infrastructure. Since your aggregating with L3 core there is no need to add vpc I think.
  http://www.cisco.ws/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC-3_0_IPInfra.html
  Thx,
  Eric

• Duplicate address across VPC peer-link on Nexus 7010

  Just set up a VPC peer-link between two 7010 switches.  The peer-link is a port-channel of two 10Gb connections.  On both sides I'm seeing this in the log:
  2010 Jan  5 04:27:34 CRMCN7K-1 %ARP-2-DUP_SRC_IP:  arp [3069]  Source address of packet received from 0024.f716.b341 on Vlan401(port-channel10) is duplicate of local, 10.180.0.17
  and on the other
  2010 Jan  5 04:23:39 CRMCN7K-2 %ARP-2-DUP_SRC_IP:  arp [3052]  Source address of packet received from 0024.f71f.a7c1 on Vlan401(port-channel10) is duplicate of local, 10.180.0.18
  VLAN 401 is the only VLAN on them right now with a Layer 3 address.  What am I missing?  Everything looks correct.  Port-Channel10 is up and running fine..or so it seems.

  Hey Nashwj,
  What version of NX-OS are you running?
  Are the 7K in a stand alone environment (lab or similar) or connected to other production network devices?
  Are both of the VLANs carried across the vPC peer link port-channel?
  Are both of the VLANs carried across any vPC port-channel?
  Do you have HSRP setup on the VLAN 401 interfaces on each of the 7Ks?  If so, what are the real and vip IP addresses?
  If you can either provide answers to the above or configuration snapshots of the vPC and SVI interfaces for your VLANs on each of the 7Ks a solution should be reachable.

• Using 40GE ports for VPC Peer Link

  Hi,
  Is it possible to use the native 40GE ports on the N7K-M206FQ-23L module for the VPC Peer Link, or do you have to break these ports out into 10GE ? I have read that 10GE ports must be used for the VPC peer link.
  Thanks in advance.

  You can use 40GE ports for VPC peer-link. No need to break those to 10G.

• VPC, VPC Peer-links and VDC

  I have 2 7Ks and will run VPC and multiple VDCs.
  Should it be a separete VPC Peer-link and keep-alive link per VDC?
  I am not sure but I guess yes since a physical interface should be allocated to a VDC.
  I just need confirmation.
  thanks

  Yes, if you are having 4 VDCs with vPC, you will need 4 separate vPC peer-links. VDC is a physical separation (even though it is the same box) and it cannot communicate across VDC.
  HTH,
  jerry

• VPC Peer-Link In Different VPC/Portchannel

  Hi all,
  Can we make 2 different port-channel as vpc peer-link.
  Example:
  interface port-channel 10
  vpc peer-link
  interface port-channel 20
  vpc peer-link
  Is this working as vpc peer-link

  I have an issue with mac-table full in F1 linecard..Just got idea to do like the title, situation as below:
  Vlan : 1 until 4000
  interface : 4 x 10G
  I want to separate the Vlan into 2 group:
  1) 1-2000
  2) 2001-4000
  This link is for VPC peer-link.
  I will create 2 VPC group and combine it as 1 peer-link.
  Can be done?

• VPC peer-link on N7k's 1Gig link?

  We are in process of setting up vPC peer between 2 N7ks over a 1Gig link, has anybody done this before? Couldn't find any documents in cisco site which talks about this. All of the documents points to setting up using 10G links.
  Cheers
  Raja

  Hello Raja,
  The vPC peer link must be 10Gb Ethernet otherwise it will not form. It is also mentioned here. 
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/interfaces/configuration/guide/if_nxos/if_vPC.html
  https://books.google.co.uk/books?id=o3jeY1SwOYcC&pg=PA114&lpg=PA114&dq=peer+link+must+be+10&source=bl&ots=cZSAvLRMto&sig=YviMepi0thKtqUA2P2n3r2JkWnc&hl=en&sa=X&ei=-GauVNXwIs_waMzcgvAG&ved=0CFQQ6AEwCQ#v=onepage&q=peer%20link%20must%20be%2010&f=false
  The vPC peer keep alive link by all means can be 1Gb.
  HTH
  Bilal

• Using SNMP is it possible to find the vPC peer link of a Nexus 5K?

  I'm trying to use SNMP to get the Peer Link pair...

  hi,
  You can include 0calyear characteristic before the structure in the column and set it to no display and show result row.
  regards,
  Arvind.

• If I add a vlan to a vpc peer link does this cause an outage?

  We have 2 Nexus 5548's. We have a trunked peer link between with only certain vlan's between them. My understanding is that if we change that and add a vlan to the peer link trunk it will cause a brief outage. Am I wrong in my understanding?

  We have 2 Nexus 5548's. We have a trunked peer link between with only certain vlan's between them. My understanding is that if we change that and add a vlan to the peer link trunk it will cause a brief outage. Am I wrong in my understanding?

• Bug between JRockit and X11 forwarding via ssh

  I have encountered what appears to be a bug in the interaction of JRockit with X11 ssh forwarding.
  When running any Java GUI application on a remote machine using X11 forwarding via ssh, a variety of problems occur. For example:
  --- cut here ---
  % mitrion-ide
  The program '' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'BadAtom (invalid Atom parameter)'.
    (Details: serial 189 error_code 5 request_code 20 minor_code 0)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)
  --- cut here ---That's the good case. When running the rmmlite application (available at https://rmml.dev.java.net/servlets/ProjectDocumentList?folderID=437&expandFolder=437&folderID=438 ), I experience what appears to be a near-lockup of my local workstation.
  Neither of these problems occur if I set my DISPLAY to not use ssh X11 forwarding. Likewise, non-Java applications work just fine with ssh X11 forwarding. Therefore the problem seems to be limited to the Java + ssh X11 forwarding combination.
  I have a suitable workaround (i.e. setting the DISPLAY variable to avoid ssh X11 forwarding), but I thought this was worth bringing to BEA's attention. I'd also be curious to know if others have run into similar difficulties.
  Here are the configuration details:
  Remote X11 client (where applications are hosted)
  =================================================
  % java -version
  java version "1.4.2_12"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_12-b03)
  BEA JRockit(R) (build R27.1.0-109-73164-1.4.2_12-20061129-1418-linux-ia32, compiled mode)
  % uname -a
  Linux earthling 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686 athlon i386 GNU/Linux
  % rpm -qa | grep openssh-server
  openssh-server-3.9p1-8.RHEL4.12
  This is a vanilla RedHat Linux RHEL 4 Update 3 system, with all other versions of Java removed.
  Local workstation (i.e. X11 server)
  ===================================
  % uname -a
  FreeBSD somewhere.sgi.com 6.2-RELEASE FreeBSD 6.2-RELEASE #5: Mon Jan 15 08:41:01 CST 2007 [email protected]:/usr/obj/usr/src/sys/somewhere i386
  % ssh -v
  OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
  % pkg_info -Ix xorg-server
  xorg-server-6.9.0_3 X.Org X server and related programs
  Thank you,
  Brent Casavant

  Brent,
  it would be nice to know if this problem is specific to the JRockit JDK or
  if you also can reproduce it using the corresponding Sun JDK 1.4.2. Please
  do also try with a later version such as latest JRockit JDK 5.0.
  Thanks
  /Robert
  <Brent Casavant> wrote in message news:[email protected]...
  I have encountered what appears to be a bug in the interaction of JRockit
  with X11 ssh forwarding.
  When running any Java GUI application on a remote machine using X11
  forwarding via ssh, a variety of problems occur. For example:
  --- cut here ---
  % mitrion-ide
  The program '' received an X Window System error.
  This probably reflects a bug in the program.
  The error was 'BadAtom (invalid Atom parameter)'.
    (Details: serial 189 error_code 5 request_code 20 minor_code 0)
    (Note to programmers: normally, X errors are reported asynchronously;
     that is, you will receive the error a while after causing it.
     To debug your program, run it with the --sync command line
     option to change this behavior. You can then get a meaningful
     backtrace from your debugger if you break on the gdk_x_error() function.)
  --- cut here ---That's the good case. When running the rmmlite application (available at
  https://rmml.dev.java.net/servlets/ProjectDocumentList?folderID=437&expandFolder=437&folderID=438 )
  , I experience what appears to be a near-lockup of my local workstation.
  Neither of these problems occur if I set my DISPLAY to not use ssh X11
  forwarding. Likewise, non-Java applications work just fine with ssh X11
  forwarding. Therefore the problem seems to be limited to the Java + ssh X11
  forwarding combination.
  I have a suitable workaround (i.e. setting the DISPLAY variable to avoid ssh
  X11 forwarding), but I thought this was worth bringing to BEA's attention.
  I'd also be curious to know if others have run into similar difficulties.
  Here are the configuration details:
  Remote X11 client (where applications are hosted)
  =================================================
  % java -version
  java version "1.4.2_12"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_12-b03)
  BEA JRockit(R) (build R27.1.0-109-73164-1.4.2_12-20061129-1418-linux-ia32,
  compiled mode)
  % uname -a
  Linux earthling 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686
  athlon i386 GNU/Linux
  % rpm -qa | grep openssh-server
  openssh-server-3.9p1-8.RHEL4.12
  This is a vanilla RedHat Linux RHEL 4 Update 3 system, with all other
  versions of Java removed.
  Local workstation (i.e. X11 server)
  ===================================
  % uname -a
  FreeBSD somewhere.sgi.com 6.2-RELEASE FreeBSD 6.2-RELEASE #5: Mon Jan 15
  08:41:01 CST 2007
  [email protected]:/usr/obj/usr/src/sys/somewhere i386
  % ssh -v
  OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
  % pkg_info -Ix xorg-server
  xorg-server-6.9.0_3 X.Org X server and related programs
  Thank you,
  Brent Casavant