N7K Peer-switch Configuration

Hi, I have a question regarding peer-switch configuration on a vPC/vPC+ pair of N7K with vPC and non-vPC attached switches.
If I understood correctly, with the following configuration:
for vPC attached switches (assuming they have the default STP priority) the vPC bundle acts as one switch with the priority of 4096;
for STP non-vPC attached switches, for VLAN 1-1960 the N7K-A is the root bridge and for VLAN 1961-3920 the N7K-B is the root bridge.
N7K-A
vpc domain 20
  peer-switch
  role priority 1
spanning-tree pseudo-information
  vlan 1-3920 root priority 4096
  vlan 1-1960 designated priority 4096
  vlan 1961-3920 designated priority 8192
N7K-B
vpc domain 20
  peer-switch
  role priority 2
spanning-tree pseudo-information
  vlan 1-3920 root priority 4096
  vlan 1-1960 designated priority 8192
  vlan 1961-3920 designated priority 4096
Is that correct so far?
If yes, then I have one outstanding question.
Do we need the global configuration for spanning-tree priority in this case?
spanning-tree vlan 1-3920 priority 4096
as we configure it in a pure vPC environment:
N7K-A
spanning-tree vlan 1-3920 priority 4096
vpc domain 20
  peer-switch
  role priority 1
N7K-B
spanning-tree vlan 1-3920 priority 4096
vpc domain 20
  peer-switch
  role priority 2
Thanks
Hubert

Here is a description of the use of the Spanning-tree Pseudo-information and the Peer switch command on the Nexus 7000. Maybe this will help clarify some misunderstanding:
SETUP:
7K1 and 7K2 are vPC peers and have a higher priority than 7K3. So 7K1's and 7K2's ports to 7K3 will all be DESIGNATED.
7K3 is connected to both 7K1 and 7K2 using individual STP links.
7K4 is connected to both 7K1 and 7K2 in a vPC.
Common Points for all Scenarios:
If vPC fails for whatever reason, all links will revert to regular spanning-tree.
The root priority on 7K1 and 7K2 will use the vPC System-MAC (same on both) and the Designated priority will use the respective non-vPC System-MACs of 7K1 and 7K2.
Even if the STP Priority is configured globally and lower, the Pseudo Root Priority and Designated Priorities are still used for STP calculations.
The STP Pseudo-information HACK:
Allows you to set a different root priority and a different designated priority, to satisfy the requirement for the Peer switch command and still be able to perform VLAN load balancing for non-vPC dual connected links.
Root Priority: Used in Root Bridge Election
Designated Priority: Used in Designated Bridge Election
SCENARIO 1: Same STP Priority configured Globally with the Peer switch Enabled (Individual STP links)
The Root priority and Designated priority on 7K1 and 7K2 will be the same as the globally configured or default STP priority
One of the links to 7K1 and 7K2 becomes the "Root Port" and the other becomes "ALTN BLK"
Since they have the same Root Priority and the same vPC system MAC, the lower port will be selected as the root port.
SCENARIO 2: BOTH STP Pseudo-information Root and Designated Priorities Configured with Peer Switch Enabled (Individual STP links)
The Root priority may be different from the Designated Priority based on the STP Pseudo-information configuration.
VLAN traffic from 7K3 is load balanced between 7K1 and 7K2 based on the configured Pseudo-Designated Priority. So the Root port for a VLAN from 7K3 will be to the device with a lower Pseudo-Designated priority.
SCENARIO 3: ONLY STP Pseudo-information Root Priority Configured with Peer Switch Enabled (Individual STP links)
The Root priority and Designated Priority are the same as the Pseudo Root Priority.
No VLAN load balancing occurs
The Root port is the link to the vPC primary switch. The Link to the vPC Secondary is “ALTN BLK”.
SCENARIO 4: ONLY STP Pseudo-information Designated Priority Configured with Peer Switch Enabled (Individual STP links)
The Root priority will be the Globally configured or default STP Priority
The Designated priority will still be the Pseudo-Designated priority
VLAN load balancing will still occur.
SCENARIO 5: Same STP Priority configured Globally with the Peer switch Enabled (vPC links on 7K4)
The Root priority and Designated priority on 7K1 and 7K2 will be the same as the globally configured or default STP priority.
If the vPC Peer-link fails, the interface going to the secondary vPC device (7K2) will be shut DOWN.
SCENARIO 6: BOTH STP Pseudo-information Root and Designated Priorities Configured with Peer Switch Enabled (vPC links on 7K4)
The Root priority and Designated Priority are the same as the configured Pseudo-Root Priority.
If the vPC Peer-link fails, the interface going to the secondary vPC device (7K2) will be shut DOWN.
SCENARIO 7: ONLY STP Pseudo-information Root Priority Configured with Peer Switch Enabled (vPC links on 7K4)
The Root priority and Designated Priority are the same as the configured Pseudo-Root Priority.
If the vPC Peer-link fails, the interface going to the secondary vPC device (7K2) will be shut DOWN.
SCENARIO 8: ONLY STP Pseudo-information Designated Priority Configured with Peer Switch Enabled (vPC links on 7K4)
The Root priority and Designated priority on 7K1 and 7K2 will be the same as the globally configured or default STP priority.
If the vPC Peer-link fails, the interface going to the secondary vPC device (7K2) will be shut DOWN.
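As an added example (not part of the original reply), this Python model shows the root-port choice 7K3 makes in Scenario 1 versus Scenario 2 when it receives one BPDU per link from the two vPC peers, using the priorities from the question. It assumes the IEEE 802.1D comparison order (root BID, root path cost, sender BID, sender port ID), that with peer-switch both peers present the shared vPC system MAC as root, and that without pseudo-information the designated field carries that same MAC; the peer bridge MACs and port numbers are constructed.

```python
"""Root-port choice made by an edge switch (7K3 in the thread) with one
individual STP link to each vPC peer.

Added example, not part of the original post.  Modelling assumptions: the
edge switch compares BPDUs in IEEE 802.1D priority-vector order (root BID,
root path cost, sender BID, sender port ID); with peer-switch both peers
present the shared vPC system MAC as root and, without pseudo-information,
in the designated field too.  Peer MACs and port numbers are constructed.
"""
from dataclasses import dataclass

# vPC system MAC quoted in the thread's show output, shared by both peers
VPC_SYSTEM_MAC = "0013.05ee.bac8"

# Constructed: each peer's own bridge MAC and the port ID (128.n) facing 7K3
PEERS = {
    "N7K-A": {"mac": "0000.0c00.00aa", "port_id": (128 << 8) | 1},
    "N7K-B": {"mac": "0000.0c00.00bb", "port_id": (128 << 8) | 2},
}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_priority(base: int, vlan: int) -> int:
    """Priority as carried in a per-VLAN BPDU: configured base (a multiple
    of 4096) plus the VLAN ID as system-ID extension, e.g. 4096 + 10 = 4106."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("base priority must be a multiple of 4096 up to 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return base + vlan


@dataclass(frozen=True)
class Bpdu:
    root_prio: int
    root_mac: str
    root_path_cost: int
    desig_prio: int
    desig_mac: str
    port_id: int

    def priority_vector(self) -> tuple:
        # Lower vector wins; a tie in one field falls through to the next.
        return (self.root_prio, mac_to_int(self.root_mac), self.root_path_cost,
                self.desig_prio, mac_to_int(self.desig_mac), self.port_id)


def pseudo_designated_base(peer: str, vlan: int) -> int:
    """Pseudo-information designated priority from the question's config:
    N7K-A preferred for VLAN 1-1960, N7K-B for VLAN 1961-3920."""
    if 1 <= vlan <= 1960:
        return 4096 if peer == "N7K-A" else 8192
    if 1961 <= vlan <= 3920:
        return 8192 if peer == "N7K-A" else 4096
    raise ValueError("VLAN outside the configured 1-3920 range")


def bpdu_from_peer(peer: str, vlan: int, use_pseudo_info: bool) -> Bpdu:
    """BPDU 7K3 receives from one peer.  Both peers are root (path cost 0)
    with root priority 4096 and the shared vPC system MAC in both scenarios."""
    if use_pseudo_info:   # Scenario 2: designated field carries the peer's own identity
        desig_prio = bridge_priority(pseudo_designated_base(peer, vlan), vlan)
        desig_mac = PEERS[peer]["mac"]
    else:                 # Scenario 1: identical BPDUs apart from the sender port ID
        desig_prio = bridge_priority(4096, vlan)
        desig_mac = VPC_SYSTEM_MAC
    return Bpdu(bridge_priority(4096, vlan), VPC_SYSTEM_MAC, 0,
                desig_prio, desig_mac, PEERS[peer]["port_id"])


def root_port(vlan: int, use_pseudo_info: bool) -> str:
    """Peer whose link 7K3 keeps as Root Port for this VLAN; the other link
    becomes ALTN BLK."""
    received = {peer: bpdu_from_peer(peer, vlan, use_pseudo_info) for peer in PEERS}
    return min(received, key=lambda p: received[p].priority_vector())


def load_balance_report(vlans, use_pseudo_info: bool) -> dict:
    """Count how many of the given VLANs 7K3 forwards toward each peer."""
    report = {peer: 0 for peer in PEERS}
    for vlan in vlans:
        report[root_port(vlan, use_pseudo_info)] += 1
    return report


if __name__ == "__main__":
    sample = [10, 500, 1960, 1961, 2500, 3920]
    print("scenario 1 (global priority only):", load_balance_report(sample, False))
    print("scenario 2 (pseudo-information):  ", load_balance_report(sample, True))
```

With identical BPDUs every VLAN lands on the link with the lower sender port ID (Scenario 1); with per-VLAN designated priorities the VLAN ranges split across the two links (Scenario 2).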

Similar Messages

  • MST / vPC / peer-switch

    Hello,
    There are two N7Ks connected with peer-link (Po1). There will be some other L2 switches connected to those N7Ks with vPC. Also, there is a separate, dedicated L2 link (Po9) between N7Ks to carry VLANs for orphan ports connected on both N7Ks. Here is configuration:
    N7K-1:
    spanning-tree mst configuration
    name test
    revision 3
    instance 1 vlan 1-9,12-14,16-1005
    instance 2 vlan 10,11,15
    spanning-tree mode mst
    spanning-tree mst 0-2 priority 4096
    spanning-tree pseudo-information
    mst 0-2 designated priority 4096
    mst 0-2 root priority 4096
    vpc domain 1
    peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf peer-keepalive
    system-priority 1000
    role priority 1
    auto-recovery reload-delay 240
    peer-gateway
    peer-switch
    graceful consistency-check
    ip arp synchronize
    delay restore 30
    delay restore interface-vlan 40
    interface port-channel 1
    vpc peer-link
    switchport trunk allowed vlan remove 10,11,15
    interface port-channel 9
    switchport trunk allowed vlan 10,11,15
    spanning-tree mst 2 cost 100
    N7K-2:
    spanning-tree mst configuration
    name test
    revision 3
    instance 1 vlan 1-9,12-14,16-1005
    instance 2 vlan 10,11,15
    spanning-tree mode mst
    spanning-tree mst 0-2 priority 4096
    spanning-tree pseudo-information
    mst 0-2 designated priority 8192
    mst 0-2 root priority 8192
    vpc domain 1
    peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf peer-keepalive
    system-priority 1000
    role priority 1
    auto-recovery reload-delay 240
    peer-gateway
    peer-switch
    graceful consistency-check
    ip arp synchronize
    delay restore 30
    delay restore interface-vlan 40
    interface port-channel 1
    vpc peer-link
    switchport trunk allowed vlan remove 10,11,15
    interface port-channel 9
    switchport trunk allowed vlan 10,11,15
    spanning-tree mst 2 cost 100
    In theory, for vPC VLANs, that is those carried over the peer-link, the global STP configuration should be used. And, because peer-switch is used, both N7Ks will generate the same BPDU (the same Bridge ID with priority 4096), both becoming root. And, for other VLANs, carried over the dedicated L2 link, the pseudo-information should be used. That is, N7K-1 should become root, and Po9 should be Designated. N7K-2 should be backup root and Po9 should be Root port.
    Unfortunately, that's not how it works. Maybe I am missing something, but BPDUs sent over the dedicated L2 Po9 are exactly the same as for vPC VLANs. N7K-1 becomes root and its Po9 becomes Designated. But N7K-2 is also a root, and since it sees the same BPDU as it generates by itself, it treats Po9 as an alternate way to itself and places that port in Alternate/Blocking state.
    So, am I doing something wrong, or can a dedicated L2 link not co-exist with the peer-link? I had no chance to test it, but it may work if I remove the peer-switch feature (although it is recommended to have it).
    Best regards,
    Krzysztof

    We have filed CSCuc41076: vPC Peer Switch Hybrid Topology MST blocking in non vPC Peer Link

  • "Peer-switch" command on vPC domain and spanning-tree priority interaction

    Hi guys,
    We have 2 N7K (N7KA and N7KB) which will be running vPC in a hybrid and pure vPC environment.
    I have a question about the hybrid and pure vPC environment. With the "peer-switch" command enabled, should I tune the spanning-tree priority to be the same for all the VLANs running on vPC on both N7KA and N7KB? This way, when I enter the "sh spanning-tree vlan X(vPC vlan) detail" command on the N7K, it will list both N7Ks announcing themselves as "We are the root of the spanning tree". Also the switch running spanning-tree with the N7K vPC VLAN (hybrid) will see both N7Ks with the same priority (4096), and that is not desirable for a spanning-tree environment. Therefore, I used the "spanning-tree pseudo-information" on N7KB to tune the spanning-tree priority to "8192", and the switch running spanning-tree with the N7K will list N7KB with a priority of 8192 (perfect).
    However, I noticed some strange "show" output on the switch running a port-channel with N7KA and N7KB. The "Designated bridge" priority is flapping, as shown on the switch. It is constantly changing between "4096 and 8192" with the same vPC system-wide MAC address.
    Entering the "sh spanning-tree vlan X detail" command repeatedly on the switch with the port-channel toward N7KA and N7KB:
    >>sh spanning-tree vlan 10 detail
    Port 65 (Port-channel1) of VLAN10 is root forwarding
    Port path cost 3, Port priority 128, Port Identifier 128.65.
    Designated root has priority 4106, address 0013.05ee.bac8
    Designated bridge has priority 4106, address 0013.05ee.bac8
    Designated port id is 144.2999, designated path cost 0
    Timers: message age 15, forward delay 0, hold 0
    Number of transitions to forwarding state: 1
    Link type is point-to-point by default
    BPDU: sent 5, received 603
    one second later:
    >>sh spanning-tree vlan 10 detail
    Port 65 (Port-channel1) of VLAN10 is root forwarding
    Port path cost 3, Port priority 128, Port Identifier 128.65.
    Designated root has priority 4106, address 0013.05ee.bac8
    Designated bridge has priority 8202, address 0013.05ee.bac8
    Designated port id is 144.2999, designated path cost 0
    Timers: message age 15, forward delay 0, hold 0
    Number of transitions to forwarding state: 1
    Link type is point-to-point by default
    BPDU: sent 5, received 603
    Configuration:
    N7KA
    spanning-tree vlan 1-10 priority 4096
    vpc domain 200
      peer-switch
    N7KB
    spanning-tree vlan 1-10 priority 4096
    spanning-tree pseudo-information
      vlan 1-10 designated priority 8192
    vpc domain 200
      peer-switch
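    As an added example (not part of the post above), this Python check parses two "sh spanning-tree vlan 10 detail" snapshots and flags the symptom described: the Designated bridge base priority alternating between 4096 and 8192 while its address and the root BID stay constant. The snapshots are constructed from the values quoted in the post; the second is kept as the single run-together line the post shows, which the regex-based parser tolerates.

```python
"""Detect a Designated bridge priority that changes between successive
'sh spanning-tree vlan X detail' snapshots while the address stays fixed.

Added example, not from the original post.  Snapshots are constructed from
the priorities (4106/8202) and address (0013.05ee.bac8) quoted in the post.
"""
import re

SNAPSHOT_1 = """\
Port 65 (Port-channel1) of VLAN10 is root forwarding
Port path cost 3, Port priority 128, Port Identifier 128.65.
Designated root has priority 4106, address 0013.05ee.bac8
Designated bridge has priority 4106, address 0013.05ee.bac8
Designated port id is 144.2999, designated path cost 0
"""

# Second snapshot deliberately left run together on one line, as in the post
SNAPSHOT_2 = ("Port 65 (Port-channel1) of VLAN10 is root forwarding Port path cost 3, "
              "Port priority 128, Port Identifier 128.65. Designated root has priority 4106, "
              "address 0013.05ee.bac8 Designated bridge has priority 8202, address 0013.05ee.bac8 "
              "Designated port id is 144.2999, designated path cost 0")

_FIELD = re.compile(r"Designated (root|bridge) has priority (\d+), "
                    r"address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")
_VLAN = re.compile(r"of VLAN(\d+) is")


def split_priority(prio: int) -> tuple:
    """Split an advertised priority into the configured base (multiple of
    4096) and the system-ID extension, which is the VLAN ID: 8202 -> (8192, 10)."""
    return (prio & ~0xFFF, prio & 0xFFF)


def parse_stp_detail(text: str) -> dict:
    """Return the VLAN plus (priority, address) for designated root and bridge.
    Searching the whole text (not line by line) copes with wrapped output."""
    result = {"vlan": None, "root": None, "bridge": None}
    m = _VLAN.search(text)
    if m:
        result["vlan"] = int(m.group(1))
    for role, prio, addr in _FIELD.findall(text):
        result[role] = (int(prio), addr.lower())
    missing = [k for k, v in result.items() if v is None]
    if missing:
        raise ValueError("snapshot lacks fields: " + ", ".join(missing))
    return result


def designated_bridge_flap(snapshots) -> dict:
    """Compare successive snapshots of one port/VLAN.  The post's symptom is
    a stable root BID and designated bridge address but a designated base
    priority that differs between snapshots."""
    parsed = [parse_stp_detail(s) for s in snapshots]
    roots = {p["root"] for p in parsed}
    bridge_addrs = {p["bridge"][1] for p in parsed}
    bases = {split_priority(p["bridge"][0])[0] for p in parsed}
    return {
        "vlan": parsed[0]["vlan"],
        "root_stable": len(roots) == 1,
        "bridge_address_stable": len(bridge_addrs) == 1,
        "bridge_base_priorities": sorted(bases),
        "flapping": len(bridge_addrs) == 1 and len(bases) > 1,
    }


if __name__ == "__main__":
    print(designated_bridge_flap([SNAPSHOT_1, SNAPSHOT_2]))
```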

    We have an issue similar to this in our environment. I am trying to upgrade the existing 3750 stack router with 2 Nexus 5596 running vPC between them. For the transition I have planned to create a channel between the 3750 stack and the 5596s. Once this environment is set, my plan is to migrate all the access switches to N5K.
    The issue is when I connect the 3750 port-channel to both N5Ks, all the VLANs on the 3750 start to flap. If I connect the port-channel to only one N5K everything is normal; but when I connect the port-channel to both N5Ks running vPC, VLANs are flapping. Any idea what is going wrong here? Am I missing something?

  • VPC - peer gateway and peer switch

    I understand that we need to use peer-gateway on a vPC pair when HSRP is running, but why do we use peer-switch if the vPC pair is not the root or secondary root of the network? Does it matter that they send out different BIDs? What would be the worst case scenario when not using peer-switch?

    If you read the vPC Best Practices Design Guide the peer-switch feature reduces convergence time as a result of a spanning-tree failure from 3 seconds to sub-second.

  • Peer switch feature for L2 legacy switch

    Hi,
    I'm looking for the practical usage of the peer-switch feature enabled on both NX5K parent switches, especially when we have a mixed access layer built with FEXs and L2 LAN switches uplinked with LACP etherchannel.
    Is there any recommendation when we use peer-switch and peer-gateway on both NX5K parent switches performing L3/FHRP with HSRP and the L2 root bridge role for the legacy LAN?
    Thanks.

    Greets,
    That is a really well thought out question, took me a couple of reads to realise what you were asking.
    Both switches generate BPDUs with the same Priority/MAC for vPC interfaces, however the behaviour is not the same on non-vPC interfaces. The reason is pretty simple: the edge switch WILL block one of the two links, and if it has to come down to Port ID as the discriminator it will happily do so. So if both switches send identical BPDUs, the one with the lowest port ID will always end up being the root, while the second port is blocking. If this behaviour is replicated for all VLANs, you have one link taking all traffic from the edge switch.
    To avoid this we have a concept of "pseudo information" that means on vPC interfaces we advertise the same priority, however on non-vPC interfaces we can advertise two different priorities (on a per instance/VLAN basis). So you can have the link to SW1 being the root for VLAN X, while SW2 is the root for VLAN Y. So while peer-switch provides additional flexibility to load balance per STP instance over the two links, it will not really help you in this failure scenario.
    The problem with having your host dual homed but using standalone links is that from a logical perspective it is still an orphan port (as we will always block on one of the two ports). Although I can't see any situation where you would have a dual homed host but not in a vPC, so it is kind of a corner case.
    HTH
    Chris

  • Peer-Switch with vPC and non-vPC Vlan Port-Channels

    Hi,
    In a design guide I have noticed that it is best practice to split vPC and non-vPC VLANs on different inter-switch port-channels. Now, if I want to use the Peer-Switch function, the port-channel interface of the non-vPC-VLAN channel moves into blocking state. The option spanning-tree pseudo-information has no influence. Is peer-switch possible in my kind of topology?
    Greetings,
    Stephan

    I believe it's absolutely possible, specifically because peer-switch and STP pseudo-info are specific and local to Cisco Fabric Services running as part of vPC technology. Personally I have a lab with a vPC domain composed of 2 N5Ks. They are peer-switches with STP pseudo-info and they have MST running on non-vPC links independently from vPC.

  • Difference between vpc peer-switch and vpc+

    Hi, I would like to understand the difference between vPC peer-switch when used in vPC and vPC+ when used in FabricPath, when both are delivered to achieve the same thing, i.e. making the 2 Nexus switches look like one logical switch to another device connected to them.

    Hi,
    vPC+ overcomes a problem we would have when connecting non FabricPath devices to the FabricPath cloud in a resilient way using port-channels.
    If you look at the first diagram below, when Host A sends traffic to Host B, it can be sent over either link of the port-channel and so can take the path via either S100 or S200. The problem with this is that from the perspective of the MAC address table on S300, the MAC address of Host A would constantly flap between being sourced from S100 and S200.
    What happens with vPC+ is that S100 and S200 create an emulated switch that effectively becomes the point of connection of the port-channel interface. This is seen in the second diagram as S1000. Now when traffic is sent from Host A it is always seen as originating from S1000 so there's no longer any MAC flapping.
    Hope that helps.
    Regards

  • Nexus 7000 - unexpected shutdown of vPC-Ports during reload of the primary vPC Switch

    Dear Community,
    We experienced an unusual behavior of two Nexus 7000 switches within a vPC domain.
    According to the attached sketch, we have four N7Ks in two data centers - two Nexus 7Ks are in a vPC domain for each data center.
    Both data centers are connected via a Multilayer-vPC.
    We had to reload one of these switches and I expected the other N7K in this vPC domain to continue forwarding over its vPC-Member-ports.
    Actually, all vPC ports have been disabled on the secondary switch until the reload of the first N7K (vPC-Role: primary) finished.
    Logging on Switch B:
    20:11:51 <Switch B> %VPC-2-VPC_SUSP_ALL_VPC: Peer-link going down, suspending all vPCs on secondary
    20:12:01 <Switch B> %VPC-2-PEER_KEEP_ALIVE_RECV_FAIL: In domain 1, VPC peer keep-alive receive has failed
    In case of a Peer-link failure, I would expect this behavior if the other switch is still reachable via the Peer-Keepalive-Link (via the Mgmt-Port), but since we reloaded the whole switch, the vPCs should continue forwarding.
    Could this be a bug or are there any timers to be tuned?
    All N7K switches are running NX-OS 6.2(8).
    Switch A:
    vpc domain 1
      peer-switch
      role priority 2048
      system-priority 1024
      peer-keepalive destination <Mgmt-IP-Switch-B>
      delay restore 360
      peer-gateway
      auto-recovery reload-delay 360
      ip arp synchronize
    interface port-channel1
      switchport mode trunk
      switchport trunk allowed vlan <x-y>
      spanning-tree port type network
      vpc peer-link
    Switch B:
    vpc domain 1
      peer-switch
      role priority 1024
      system-priority 1024
      peer-keepalive destination <Mgmt-IP-Switch-A>
      delay restore 360
      peer-gateway
      auto-recovery reload-delay 360
      ip arp synchronize
    interface port-channel1
      switchport mode trunk
      switchport trunk allowed vlan <x-y>
      spanning-tree port type network
      vpc peer-link
    Best regards

    Problem solved:
    During the reload of the Nexus 7K, the linecards were powered off a short time earlier than the Mgmt-Interface. As a result of this behavior, the secondary Nexus 7K received at least one vPC-Peer-Keepalive message while its peer-link was already powered off. To avoid a split-brain scenario, the vPC member ports have been shut down.
    Now we are using dedicated interfaces on the linecards for the VPC-Peer-Keepalive-Link and a reload of one N7K won't result in a total network outage any more.

  • N7k Interconnection between Multiple VDCs .

    Hi
    I have 2 N7Ks.
    N7K-1 has 2 VDCs, D1 and D2.
    N7K-2 has 2 VDCs, S1 and S2.
    D1 & D2 have a vPC configured between them and S1 & S2 also have vPCs between them.
    What is the best practice to interconnect D1 & D2 to S1 & S2 with redundancy? I am yet to see a Cisco doc that discusses this design. Please let me know your suggestions.
    TIA.

    Hello, So then you could do this:
    Physically:
    D1 to S1
    D1 to S2
    D2 to S1
    D2 to S2
    (not including the VPC peer or keepalives)
    1)
    From N7K1 and 2 Core VDC's
    Have 1 VPC to N7K1-Access VDC
    Have 1 VPC to N7K2-Access VDC
    This means that your core will have VPC's but your access will have port-channels to your core and not vpc's.
    And then have your N7K2's / FEX attached to this access layer.
    D1 and 2 to S1 - VPC 1 on CORE
    D1 and 2 to S2 - VPC 2 on CORE
    or
    2)
    The other way, which I haven't quite tried before, but no reason why it shouldn't work...
    You have D1 and D2 provide one VPC (a) to S1 and S2
    You have D1 and D2 provide one VPC (b) to S1 and S2
    In this scenario you would have x2 VPC's on the core, and x2 VPC's on the access.
    D1 to S2 - VPC1 - both sides
    D2 to S1 - VPC1 - both sides
    D1 to S1 - VPC2 - both sides
    D2 to S2 - VPC2 - both sides
    Just be sure to enable peer-switch, peer-gateway, ip arp synchronize for the VPC domain for efficiency
    hth.

  • VPC Peer-Link Failure

    Hello,
    In the case where I have two N5Ks acting as vPC peers and I lose the vPC peer-link between the two of them, but I do not lose the vPC peer-keepalive link, what would happen when the vPC peer-link comes back again?
    As I understand, in the case of a vPC peer-link failure all vPC member ports on the secondary N5K will be shut down. When the vPC peer-link comes back again, what would happen?
    I have read that in that case the vPC member ports will not come back automatically, but they will remain disabled until you do manual recovery. Is that really so?
    Is there some way that we can automate the process upon recovery?
    Thanks

    The reload restore command has been removed/replaced and the new feature is now called auto recovery. Auto recovery covers the use case that reload restore addressed, plus more.
    If both switches reload, and only one switch boots up, auto-recovery allows that switch to assume the role of the primary switch. The vPC links come up after a configurable period of time if the vPC peer-link and the peer-keepalive fail to become operational within that time. If the peer-link comes up but the peer-keepalive does not come up, both peer switches keep the vPC links down. This feature is similar to the reload restore feature in Cisco NX-OS Release 5.0(2)N1(1) and earlier releases. The reload delay period can range from 240 to 3600 seconds.
    When you disable vPCs on a secondary vPC switch because of a peer-link failure and then the primary vPC switch fails, the secondary switch reenables the vPCs. In this scenario, the vPC waits for three consecutive keepalive failures before recovering the vPC links.
    The vPC consistency check cannot be performed when the peer link is lost. When the vPC peer link is lost, the operational secondary switch suspends all of its vPC member ports while the vPC member ports remain on the operational primary switch. If the vPC member ports on the primary switch flap afterwards (for example, when the switch or server that connects to the vPC primary switch is reloaded), the ports remain down due to the vPC consistency check and you cannot add or bring up more vPCs.
    For more information, please refer to the Operations Guide. As a best practice, auto-recovery should be enabled in vPC.
    HTH,
    Alex

  • N7K Can´t add or remove Layer 2 Vlans

    Hello,
    we have a vPC domain of 2 N7Ks, each with 2 N7K-SUP1. When I want to add a VLAN I get the following message. It happens only on one of the N7Ks.
    Switch(config)# vlan 1408
    Service not responding
    Any idea?
    Regards, Horst

    Hi Madhu
    system image file is:    bootflash:///n7000-s1-dk9.6.2.10.bin
    Switch# sh mac address-table dynamic | in 1308
    * 1308     0026.982e.9543    dynamic     ~~~      F    F  Po20
    * 1308     18ef.63e6.6cc3    dynamic     ~~~      F    F  Po20
    * 1308     a229.0000.0194    dynamic     ~~~      F    F  Po137

  • Vpc peer-link forwarding behavior

    Hey,
    In this cisco doc (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf ) I come across this statement:
    One of the most important forwarding rules of vPC is the fact that a frame that entered the vPC peer switch from the peer link cannot exit the switch out of a vPC member port (except if this is coming from an orphaned port).
    This makes perfect sense up to the "except if this is coming from an orphaned port". I can't seem to figure out why traffic sourced from an orphaned port (i.e., "from" an orphaned port) and ultimately destined to a vPC member port is allowed -- since it should be sent out the local vPC member port and not across the peer link.
    Would make more sense to me if it said "destined to an orphaned port", so of course it would have to cross the peer-link.
    Can anyone shed some light on this exception to the rule?
    Thanks!

    Thanks Chad!
    Kept racking my brain on that one, and the only time it would make any sense (i.e., I was trying to fit a square peg in a round hole) is if you have IGP peering to each 7K from an orphan port (e.g., FW), the IGP ECMP hashes a packet to the far-end 7K, and then the traffic sent to the directly attached 7K must be sent across the vPC peer-link -- and in theory shouldn't be dropped. This is, of course, until you add the peer-gateway command, which confuses matters a bit -- especially from an IGP control-plane perspective, but also in this loop-prevention rule, since the local 7K will handle the packets destined to the other 7K's MAC.
    To complicate matters further, the latest 5K release notes say to exclude-vlan for peer-gateway for your backup router VLAN... still have to dive into that one.

  • Ask the Expert: Scaling Data Center Networks with Cisco FabricPath

    With Hatim Badr and Iqbal Syed
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco FabricPath with Cisco technical support experts Hatim Badr and Iqbal Syed. Cisco FabricPath is a Cisco NX-OS Software innovation combining the plug-and-play simplicity of Ethernet with the reliability and scalability of Layer 3 routing. Cisco FabricPath uses many of the best characteristics of traditional Layer 2 and Layer 3 technologies, combining them into a new control-plane and data-plane implementation that combines the immediately operational "plug-and-play" deployment model of a bridged spanning-tree environment with the stability, re-convergence characteristics, and ability to use multiple parallel paths typical of a Layer 3 routed environment. The result is a scalable, flexible, and highly available Ethernet fabric suitable for even the most demanding data center environments. Using FabricPath, you can build highly scalable Layer 2 multipath networks without the Spanning Tree Protocol. Such networks are particularly suitable for large virtualization deployments, private clouds, and high-performance computing (HPC) environments.
    This event will focus on technical support questions related to the benefits of Cisco FabricPath over STP or VPC based architectures, design options with FabricPath, migration to FabricPath from STP/VPC based networks and FabricPath design and implementation best practices.
    Hatim Badr is a Solutions Architect for Cisco Advanced Services in Toronto, where he supports Cisco customers across Canada as a specialist in Data Center architecture, design, and optimization projects. He has more than 12 years of experience in the networking industry. He holds CCIE (#14847) in Routing & Switching, CCDP and Cisco Data Center certifications.
    Iqbal Syed is a Technical Marketing Engineer for the Cisco Nexus 7000 Series of switches. He is responsible for product road-mapping and marketing the Nexus 7000 line of products with a focus on L2 technologies such as VPC & Cisco FabricPath and also helps customers with DC design and training. He also focuses on SP customers worldwide and helps promote N7K business within different SP segments. Syed has been with Cisco for more than 10 years, which includes experience in Cisco Advanced Services and the Cisco Technical Assistance Center. His experience ranges from reactive technical support to proactive engineering, design, and optimization. He holds CCIE (#24192) in Routing & Switching, CCDP, Cisco Data Center, and TOGAF (v9) certifications.
    Remember to use the rating system to let Hatim and Iqbal know if you have received an adequate response.  
    They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community Unified Computing discussion forum shortly after the event. This event lasts through Dec 7, 2012. Visit this support forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Sarah,
    Thank you for your question.
    Spanning Tree Protocol is used to build a loop-free topology. Although Spanning Tree Protocol serves a critical function in these Layer 2 networks, it is also frequently the cause of a variety of problems, both operational and architectural.
    One important aspect of Spanning Tree Protocol behavior is its inability to use parallel forwarding paths. Spanning Tree Protocol forms a forwarding tree, rooted at a single device, along which all data-plane traffic must flow. The addition of parallel paths serves as a redundancy mechanism, but adding more than one such path has little benefit because Spanning Tree Protocol blocks any additional paths.
    In addition, rooting the forwarding path at a single device results in suboptimal forwarding paths, as shown below. Although a direct connection may exist, it cannot be used because only one active forwarding path is allowed.
    Virtual PortChannel (vPC) technology partially mitigates the limitations of Spanning Tree Protocol. vPC allows a single Ethernet device to connect simultaneously to two discrete Cisco Nexus switches while treating these parallel connections as a single logical PortChannel interface. The result is active-active forwarding paths and the removal of Spanning Tree Protocol blocked links, delivering an effective way to use two parallel paths in the typical Layer 2 topologies used with Spanning Tree Protocol.
    vPC provides several benefits over a standard Spanning Tree Protocol such as elimination of blocker ports and both vPC switches can behave as active default gateway for first-hop redundancy protocols such as Hot Standby Router Protocol (HSRP): that is, traffic can be routed by either vPC peer switch.
    At the same time, however, many of the overall design constraints of a Spanning Tree Protocol network remain even when you deploy vPC such as
    1. Although vPC provides active-active forwarding, only two active parallel paths are possible.
    2. vPC offers no means by which VLANs can be extended, a critical limitation of traditional Spanning Tree Protocol designs.
    With Cisco FabricPath, you can create a flexible Ethernet fabric that eliminates many of the constraints of Spanning Tree Protocol. At the control plane, Cisco FabricPath uses a Shortest-Path First (SPF) routing protocol to determine reachability and selects the best path or paths to any given destination in the Cisco FabricPath domain. In addition, the Cisco FabricPath data plane introduces capabilities that help ensure that the network remains stable, and it provides scalable, hardware-based learning and forwarding capabilities not bound by software or CPU capacity.
    Benefits of deploying an Ethernet fabric based on Cisco FabricPath include:
    • Simplicity, reducing operating expenses
    – Cisco FabricPath is extremely simple to configure. In fact, the only necessary configuration consists of distinguishing the core ports, which link the switches, from the edge ports, where end devices are attached. There is no need to tune any parameter to get an optimal configuration, and switch addresses are assigned automatically.
    – A single control protocol is used for unicast forwarding, multicast forwarding, and VLAN pruning. The Cisco FabricPath solution requires less combined configuration than an equivalent Spanning Tree Protocol-based network, further reducing the overall management cost.
    – A device that does not support Cisco FabricPath can be attached redundantly to two separate Cisco FabricPath bridges with enhanced virtual PortChannel (vPC+) technology, providing an easy migration path. Just like vPC, vPC+ relies on PortChannel technology to provide multipathing and redundancy without resorting to Spanning Tree Protocol.
    • Scalability based on proven technology
    – Cisco FabricPath uses a control protocol built on top of the powerful Intermediate System-to-Intermediate System (IS-IS) routing protocol, an industry standard that provides fast convergence and that has been proven to scale up to the largest service provider environments. Nevertheless, no specific knowledge of IS-IS is required in order to operate a Cisco FabricPath network.
    – Loop prevention and mitigation is available in the data plane, helping ensure safe forwarding that cannot be matched by any transparent bridging technology. The Cisco FabricPath frames include a time-to-live (TTL) field similar to the one used in IP, and a Reverse Path Forwarding (RPF) check is also applied.
    • Efficiency and high performance
    – Because equal-cost multipath (ECMP) can be used in the data plane, the network can use all the links available between any two devices. The first-generation hardware supporting Cisco FabricPath can perform 16-way ECMP, which, when combined with 16-port 10-Gbps port channels, represents a potential bandwidth of 2.56 terabits per second (Tbps) between switches.
    – Frames are forwarded along the shortest path to their destination, reducing the latency of the exchanges between end stations compared to a spanning tree-based solution.
    – MAC addresses are learned selectively at the edge, allowing the network to scale beyond the limits of the MAC addr

  • Firewall Connections to vPC Domain

    Hi all,
    What is the best way to connect a firewall cluster (Checkpoint FW cluster) to a vPC domain?
    The current topology is as below. We are gonna replace the Cat6Ks with N7Ks.
    FW#1 (Active) -------- keepalive amongst FWs -------- FW#2 (Standby)
         |                                                     |
         |                                                     |
         |             VLAN 100 HSRP on Cat6K side             |
         |                                                     |
         |                                                     |
      Cat6K#2 -------------- peer keepalive -------------- Cat6K#2
              ---------------- peer link -----------------
    I know my options are:
    1. Connect the FWs to an edge switch which supports EtherChannel and connects to the vPC domain through that port channel.
    2. Connect the FWs through two ports (LACP config) to both N7Ks.
    3. Set up a separate STP link between the N7Ks, configure VLAN 100 on this link and then keep running HSRP on VLAN 100 on both N7Ks on this non-vPC VLAN.
    4. Set up the links between the N7Ks and FWs as routed links and run a dynamic routing protocol in between.
    Thanks in advance.
    Dumlu

    Hello all,
    How about option 1?
    Our scenario is as below:
                       DMZ switch ----- PC
                        |             |
                        |             |
                        |             |
                      FW         FW   (Checkpoint with VRRP connecting to N7k using VLAN 16)
                        |             |
                        L2 Switch
                        | |           | |
                    N7k-1 ----  N7k-2   (Peer Link Between N7k)
                        | |           | |
                        | |           | |
                       Inside switch ---- Server (VLAN16)
    When a user pings from the DMZ switch PC to the server on the Inside switch, packet loss and long response times happen intermittently.
    But when we ping from the Inside switch with another VLAN (VLAN12) to the server, it's okay. VLAN12's and VLAN16's gateways are on the N7k with HSRP.
    So the N7k's inter-VLAN routing seems to be okay, but going through the FW has a problem.
    The L2 switch and the Inside switch connect to the N7k with vPC. All the PCs/servers are in VLAN 16 and their default gateway is on the N7k.
    When a user pings from inside to the DMZ we can see an ICMP redirect message, and I don't know whether it could be the cause of the intermittent packet loss?
    Thanks.
    Peter

  • Double sided VPC/enhanced VPC and MST

    Hello,
    I have some doubts/clarifications regarding MST with vPC:
    There are two N7K core switches, four N5K switches and eight N2Ks.
    There will be double-sided vPC between the N5Ks and N7Ks.
    There will be enhanced vPC between the N5Ks and N2Ks.
    The N7Ks will be connected to fifteen 4500s.
    Each 4500 will be in a vPC with the N7Ks.
    Each 4500 is single-homed to 15 Catalyst edge switches.
    Assume MST needs to be configured in this network.
    1) One MST instance on the N7Ks, as per the Cisco design guide
    2) Map all VLANs (1-3967, 4048-4093) into this instance on the N7Ks, as per the Cisco design guide
    3) No need to hard-code the root, as the peer-switch command will be used
    Now the concern that I have is regarding the MST configuration on all the 4500s.
    1) 4500 number 1 may have VLANs 2,3,4,5,6,7 and 4500 number 2 may have VLANs 2,11,12,13,14,15,16.
    So can I just map all VLANs to the single instance, like instance 1 vlan 1-4094, on all Catalyst 4500s?
    2) The Catalyst edge switches all run PVST+; I believe the 4500 MST will interoperate with the edge switch PVST+.
    Are there any other things that need to be taken care of in this scenario?
    Regards

    1) If you are using MST with a single region, I don't see the point. It can be done with RPVST+ without any interop worries.
    2) Same as 1.
    3) This is not true. With the peer-switch feature, it is a BP to hard-code the N7Ks as STP root with the same priority value; otherwise, the smallest switch ID will be the root. In your case, most likely the oldest switch will become the root if you don't hard-code it.
    To your second set of questions:
    1) Yes, you need to match all your region(s) with the same VLANs; otherwise, you will have MST inconsistency.
    2) Yes.
    HTH,
    jerry
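Jerry's point 3 (the lowest bridge ID becomes root unless the same root priority is hard-coded on both peer-switch N7Ks) can be checked with a small simulation of the STP bridge-ID comparison. This is an added example, not code from the thread or from Cisco; every switch name, MAC address and the vPC system MAC in it is a constructed sample value.

```python
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # IEEE default bridge priority (multiples of 4096)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                         # system MAC in Cisco dotted notation
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> tuple[int, int]:
        # Priority is compared first, then the MAC as an integer; lower wins.
        return (self.priority, int(self.mac.replace(".", ""), 16))

def elect_root(bridges: list[Bridge]) -> Bridge:
    """Return the bridge that every other switch will see as STP root."""
    return min(bridges, key=Bridge.bridge_id)

def peer_switch_pair(a: Bridge, b: Bridge, vpc_system_mac: str) -> Bridge:
    """With peer-switch both vPC peers send BPDUs carrying the same bridge ID,
    built from the vPC system MAC, so the pair is a single root candidate.
    The priority has to be configured identically on both peers."""
    if a.priority != b.priority:
        raise ValueError("peer-switch requires matching priorities on both peers")
    return Bridge(f"{a.name}/{b.name}", vpc_system_mac, a.priority)

# Constructed topology (sample MACs, not real devices): two N7K peers and two
# 4500s, one old enough to carry the numerically smallest system MAC.
N7K1 = Bridge("N7K-1", "0023.04ee.be01")
N7K2 = Bridge("N7K-2", "0023.04ee.be02")
OLD_4500 = Bridge("4500-old", "0001.42aa.bb01")
NEW_4500 = Bridge("4500-new", "0050.56cc.dd02")
VPC_SYSTEM_MAC = "0023.04ee.beff"  # constructed vPC system MAC for the pair

def root_without_hardcoding() -> str:
    """Everyone at the default priority: the oldest (lowest-MAC) 4500 wins."""
    pair = peer_switch_pair(N7K1, N7K2, VPC_SYSTEM_MAC)
    return elect_root([pair, OLD_4500, NEW_4500]).name

def root_with_hardcoding(priority: int = 4096) -> str:
    """Same priority hard-coded on both peers: the vPC pair becomes root."""
    a = Bridge(N7K1.name, N7K1.mac, priority)
    b = Bridge(N7K2.name, N7K2.mac, priority)
    pair = peer_switch_pair(a, b, VPC_SYSTEM_MAC)
    return elect_root([pair, OLD_4500, NEW_4500]).name
```

The same comparison explains why the peers' own system MACs only matter once vPC fails and each N7K falls back to advertising its individual bridge ID.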
