SVI in VPC
Hello All,
If I am running HSRP in vPC on SVIs, e.g. interface vlan 9 on both sides, each having the HSRP virtual IP address.
In vPC both act as active/active gateways for the downstream host, to mitigate traffic on the vPC peer link.
My concern is if I manually shut down the primary switch's SVI, not the one on the secondary peer in the vPC:
"interface vlan 9"
"Shutdown"
But the other side's SVI (secondary) is up. Now my question is, from the downstream host's perspective: if the load-balancing mechanism chooses the primary switch's link, whose actual SVI is down, then my whole traffic will be blackholed.
Because from the downstream host's perspective the link is up but the SVI is down on the switch. So it will choose any path from load balancing, either towards the primary switch or the secondary switch. If it chooses the secondary switch then it's OK; if it chooses the primary switch's path then what will happen?
Will traffic be blackholed, or does some magic happen here?
Hello,
There won't be any traffic loss since the other switch will take it over.
Thanks,
Madhu
Similar Messages
-
Hello,
We have the topology in the attachment, and we have a problem with SVI and vPC.
The configuration:
N5K1:
vpc domain 100
  peer-switch
  role priority 100
  system-priority 1024
  peer-keepalive destination 192.168.21.1
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize

vlan 801
  name DEV_WAN

interface Vlan801
  description IP DEV
  no shutdown
  no ip redirects

interface Vlan1000
  no shutdown
  no ip redirects
  ip address 192.168.22.5/30

interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link

interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401

interface Ethernet1/1
  description "TRUNK VPC"
  no cdp enable
  switchport mode trunk
  spanning-tree port type network
  spanning-tree bpdufilter enable
  channel-group 1000 mode active

interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/5
  description SRV1_GB2
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active

interface Ethernet1/29
  description Uplink N5K3
  switchport mode trunk

N5K2:
vpc domain 100
  peer-switch
  role priority 110
  system-priority 1024
  peer-keepalive destination 192.168.21.2
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize

vlan 801
  name DEV_WAN

interface Vlan801
  no shutdown
  ip address 202.168.72.1/29

interface Vlan1000
  description VPC-N5K
  no shutdown
  no ip redirects
  ip address 192.168.22.6/30

interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link

interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401

interface Ethernet1/1
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/5
  description SRV1_GB4
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active
SRV1 IP: 202.168.72.2/29
When I plug the cables from SRV1 to N5K1 and N5K2, I can't ping SRV1 from ADM.
When I unplug the cable from SRV1 to N5K2, I can't ping SRV1 from ADM.
When I unplug the cable from SRV1 to N5K1, I CAN ping SRV1 from ADM.
Between N5K1, N5K2 and N5K3 we have OSPF.
Thks!
n5k01# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 100
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 8
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : -
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
id   Port   Status Active vlans
1    Po1000 up     1-3,101-102,110,700-703,705,710,730,801,803,1000,3001-3008,3400-3401

vPC status
id   Port   Status Consistency Reason       Active vlans
1    Po1    up     success     success      1-3,101-102,110,700-703,705,710,730,801,803,1000,300....
401  Po401  down*  success     success      -
(The cable is unplugged.)
n5K02# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 100
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : secondary
Number of vPCs configured         : 8
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : -
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
id   Port   Status Active vlans
1    Po1000 up     1-3,101-102,110,700-703,705,710,730,801,803,1000,3001-3008,3400-3401

vPC status
id   Port   Status Consistency Reason       Active vlans
1    Po1    up     success     success      1-3,101-102,110,700-703,705,710,730,801,803,1000,300....
401  Po401  up     success     success      1-3,101-102,110,700-703,705,710,730,801,803,1000,300....
-
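The 'show vpc brief' output above is the kind of thing an operator ends up polling for health checks, and the device wraps the Active vlans column across continuation lines, which trips up naive line-by-line parsing. The following parser is an added example written for this page (not Cisco code and not from the thread); its sample input is constructed from the output posted above, with the wrapped column kept exactly as the device prints it, and it flags the conditions worth alerting on, including the "down*" case from the legend:

```python
"""Parse 'show vpc brief' output and flag vPC health problems.

Added example, not Cisco code.  SAMPLE is constructed from the output posted
in the thread; the wrapped 'Active vlans' column is kept as the device prints
it so the parser has to stitch the continuation lines back together.
"""
import re

SAMPLE = """\
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 100
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 8
Peer Gateway                      : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
id   Port   Status Active vlans
1    Po1000 up     1-3,101-102,110,700-703,705,710,730,801,803,1000,3
                   001-3008,3400-3401

vPC status
id   Port   Status Consistency Reason       Active vlans
1    Po1    up     success     success      1-3,101-102
                                            ,110,700-70
                                            3,705,710,7
                                            30,801,803,
                                            1000,300....
401  Po401  down*  success     success      -
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*?)\s*$")
ROW_RE = re.compile(r"^(?P<id>\d+)\s+(?P<port>\S+)\s+(?P<status>\S+)\s*(?P<rest>.*)$")


def parse_vpc_brief(text):
    """Return (fields, peer_links, vpcs); the two lists hold one dict per table row."""
    fields, peer_links, vpcs = {}, [], []
    section = None  # None while in the key: value header, else the current table
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Legend", "(*)", "id ", "--")):
            continue
        if line.startswith("vPC Peer-link status"):
            section = peer_links
            continue
        if line.startswith("vPC status"):
            section = vpcs
            continue
        if section is None:
            m = FIELD_RE.match(line)
            if m:
                fields[m["key"]] = m["val"]
            continue
        m = ROW_RE.match(line)
        if m:
            rest = m["rest"].split()
            row = {"id": int(m["id"]), "port": m["port"], "status": m["status"]}
            if section is vpcs:  # this table has extra Consistency / Reason columns
                row["consistency"], row["reason"] = rest[0], rest[1]
                rest = rest[2:]
            row["vlans"] = rest[0] if rest else ""
            section.append(row)
        elif line.startswith(" ") and section:
            section[-1]["vlans"] += line.strip()  # wrapped 'Active vlans' column
    return fields, peer_links, vpcs


def health_problems(fields, peer_links, vpcs):
    """List the conditions an operator would want alerted on."""
    problems = []
    if fields.get("Peer status") != "peer adjacency formed ok":
        problems.append(f"peer status: {fields.get('Peer status')}")
    if fields.get("vPC keep-alive status") != "peer is alive":
        problems.append(f"keep-alive: {fields.get('vPC keep-alive status')}")
    for key in ("Configuration consistency status", "Per-vlan consistency status",
                "Type-2 consistency status"):
        if fields.get(key) != "success":
            problems.append(f"{key}: {fields.get(key)}")
    for pl in peer_links:
        if pl["status"] != "up":
            problems.append(f"peer-link {pl['port']} is {pl['status']}")
    for v in vpcs:
        if v["status"].endswith("*"):  # the legend's (*) case
            problems.append(f"vPC {v['id']} ({v['port']}): local member down, "
                            "its traffic is riding the peer-link")
        elif v["status"] != "up":
            problems.append(f"vPC {v['id']} ({v['port']}) is {v['status']}")
        if v["consistency"] != "success":
            problems.append(f"vPC {v['id']} ({v['port']}) consistency: {v['consistency']}")
    return problems


if __name__ == "__main__":
    parsed = parse_vpc_brief(SAMPLE)
    for p in health_problems(*parsed) or ["no problems found"]:
        print(p)
```

On the sample this reports only vPC 401, whose local member is down while the domain itself is healthy, which matches the "(The cable is unplugged)" state in the thread; the continuation-line handling is what makes the joined VLAN lists come out whole.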
Routing issue in Nexus 7009 due to vPC or hsrp
We have two sites; on the first site we have two Nexus 7009 switches (Nexus A & Nexus B), and the other site is a remote site with two 6500 switches (design attached).
We are using HSRP on the Nexus switches, and the active is Nexus A for all VLANs.
Users from one of my remote sites (the users are in VLAN 30) are not able to communicate with the Nexus-site VLAN 20, especially if a host in VLAN 20 takes the forwarding path from Nexus switch B.
I can ping both VLAN 20 physical addresses and the gateway (VLAN 20 is configured on both Nexus switches and uses HSRP) from VLAN 30, which is configured on the remote-site 6500 switch.
OSPF with area 0 is the routing protocol running between both sites.
VLAN 10 we are using as a management VLAN on both Nexus switches; it builds the neighborship with the WAN router. That means the WAN router has two neighbors, Nexus A and Nexus B, but Nexus B builds the neighborship via Nexus A, because from the WAN router we have a single link, which is terminated on Nexus A.
There is one layer 2 switch between Nexus A and the WAN router; on the Nexus A side that switch port is in a vPC, because we are planning to pull a second link later to Nexus B.
All users are connected to the edge switch, and the edge switch has redundant uplinks to Nexus A and B with vPC configured.
After troubleshooting we observe that if a user in VLAN 20 wants to communicate with VLAN 30 (remote site) and the traffic takes Nexus B as the forwarding path, then it gets dropped.
I ran a tracert from the PC; it shows the route up to the SVI on Nexus B, after which it seems the packets don't find a route, even though VLAN 30 routes are available in the routing table of Nexus B. We don't have any access-list or firewall in this path.
Hi,
I suspect that in your scenario traffic is being dropped due to the characteristics of vPC: the routing table on Nexus-B may reflect the next-hop address for the destination IP, but if that next-hop address is the address of Nexus-A off VLAN 20, then it will be forwarded across the vPC peer-link, and this breaks the convention.
When you attach a Layer 3 device to a vPC domain, the peering of routing protocols using a VLAN also carried on the vPC peer-link is not supported. If routing protocol adjacencies are needed between vPC peer devices and a generic Layer 3 device, you must use physical routed interfaces for the interconnection.
You can configure VLAN interfaces for Layer 3 connectivity on the vPC peer devices to link to Layer 3 of the network for such applications as HSRP and PIM. However, Cisco recommends that you configure a separate Layer 3 link for routing from the vPC peer devices, rather than using a VLAN network interface for this purpose.
Take a look at the following URL, this article helps to explain the characteristics of vPC and routing over the peer-link:
http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
Regards
Allan.
Hope you find this is helpful.
-
Nexus 5000 vpc and fabricpath considerations
Hello community,
I'm currently in the process of implementing a FabricPath environment which includes Nexus 5548UP as well as Nexus 7009.
NX-OS on the N5K is 6.0(2)N1(2).
Regarding the FP config on the N5K, I wonder what the best practice for the peer-link is. Is it necessary to configure the port-channel like below?
interface port-channel2
description VPC+ Peer Link
switchport mode fabricpath
spanning-tree port type network
vpc peer-link
There are several VLANs configured as FP.
As I understand it, we can remove the command:
spanning-tree port type network
Can anyone confirm this?
Also I noticed a "cosmetic" problem. On the two ports 1/9 and 1/10 on both N5Ks it isn't possible to execute the command "speed"?!
When the speed command is executed I receive the following error:
ERROR: Ethernet1/9: Configuration does not match the port capability
Also please note that after the vPC and FP configuration we haven't done a reload!
Thanks
Udo
Hi Simon -
I have done some testing in the lab on ISSU with FEXes in either Active/Active or straight-through fashion, and it works.
Disabling BA on the N5K (except on the vPC peer link) is one of the requirements for ISSU.
In a recent lab test with the following topology, BA was configured on vpc 101 between the N5Ks and the Cat6k. We had a repeated regular ping between the SVI interfaces of the c3750 and the Cat6K.
c3750
||
vPC
||
N5K =====vPC====== N5K
||
vpc 101
||
Cat6k
When we changed the network type to disable BA, we observed some ping drops, around 20-30.
I am not sure what your network looks like; hopefully this will give you some ideas about ISSU. As a general recommendation, schedule a change window for such changes, or even for ISSU.
regards,
Michael -
Does VPC Peer Gateway cause downtime?
Hello,
I have a quick question. We recently implemented a vPC-based network design with a few SVIs (with HSRP) on a pair of NEX 5500s, but I forgot to include the 'peer-gateway' command. I understand the benefit of that command for FHRPs like HSRP. My question is, if I apply that on the production NEX 5500 switches, would that cause any downtime? Could someone please confirm? Many thanks in advance!
Regards,
Mark
It shouldn't, but again we request you to kindly do it out of office hours or in a MW.
Below is the detailed info on auto-recovery:
http://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/116187-configure-vpc-00.html#anc5 -
Data Center Interconnect - Layer 2 Extension using vPC
Hi, I want, if possible, to validate a design to connect 4 Nexus 7010s to permit data center interconnect and layer 2 extension, using the same vPC and the same port-channel number and only 2 links between them, as shown in the attached PPT.
Is anybody using a design like that??
This will work if it is *only* layer 2 between the two pairs of N7K. You cannot create a L3 SVI and attempt to route it via the vPC port-channel. It won't work. If you need both L3 and L2, one option will be to use OTV. Rgds Eng Wee
-
Hi,
I know it is well documented using IGPs, more specifically OSPF, with 7Ks and vPCs, but when it comes to the same thing on 5Ks I am still a little confused.
My topology is:
5K01 and 5K02 are connected and are vPC peers. I currently have a management network on VLAN 114; both 5Ks have SVIs on this and are currently OSPF neighbors over their vPC using this VLAN.
I have an MPLS router (service provider PE), which is 2 routers but clustered, so logically in this instance it is one router. The 5Ks will be connecting to this PE router via some switches over a vPC, and it needs to become an OSPF neighbor of both 5Ks.
Looking at this post:
http://adamraffe.com/2013/03/08/l3-over-vpc-nexus-7000-vs-5000/
It suggests that I can just add VLAN 114 to the vPC up to the PE and turn OSPF on on the interface on the PE, although this will not support multicast, and I don't really want to restrict myself as this may be a future requirement.
What I thought might be a better solution would be to designate a new VLAN, allow it on the vPC up to the PE, and use that for the OSPF neighborships between the 5Ks and the PE, not allowing it over the vPC peer link and leaving the 5Ks' neighborship over VLAN 114.
Can someone tell me what the best practice/supported topology is here and maybe provide some Cisco links?
Thanks a lot in advance.
You have to be very careful when configuring L3 services and interfaces while using vPC.
Take a look at this document:
http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
Also, take a look at this post:
http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
You can create a vlan used exclusively for Nexus-to-Nexus iBGP peering. Use a new 'access' link between the two switches and place them on the new vlan. Make sure that this VLAN does not traverse the VPC peer link. Then, create SVIs on each switch for that VLAN and peer over that link. Then, you can create a L3 link on each nexus to peer with your eBGP neighbors.
The point you want to make sure you understand is the VPC loop prevention mechanism that says "If a packet is received on a VPC port, traverses the VPC peer link, it is not allowed to egress on a VPC port." -
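The loop-prevention rule quoted just above, together with Allan's point in the Nexus 7009 thread (a next hop that is the other peer's SVI address is reached across the peer-link and then dropped), can be made concrete with a small forwarding model. This is an added example written for this page, not Cisco code and not from any of these threads. The peer names and vPC numbers are taken from the N5K configuration and 'show vpc brief' output posted earlier (Po401 is down on N5K1 and up on N5K2; Ethernet1/29 is the uplink that is not in any vPC), and the `peer_gateway` flag is a simplification of the `peer-gateway` keyword from that configuration and from Mark's question: the peer routes frames addressed to its partner's router MAC locally instead of bridging them over the peer-link. The rule is implemented in its general form, that a frame received over the peer-link may not leave on a vPC member port while the sending peer's own member for that vPC is up:

```python
"""Toy model of the vPC forwarding rules discussed in these threads.

Added illustration, not Cisco code.  Two vPC peers share a peer-link.  The
loop-prevention rule is applied in its general form: a frame that reaches a
peer over the peer-link may not leave on a vPC member port unless the sending
peer's own member port for that vPC is down, which is the "(*) local vPC is
down, forwarding via vPC peer-link" case in 'show vpc brief'.  The
peer_gateway flag is a simplification of the 'peer-gateway' keyword.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    name: str
    members: dict = field(default_factory=dict)  # vPC number -> "up" / "down"
    peer_gateway: bool = False

    def member_up(self, vpc_id: int) -> bool:
        return self.members.get(vpc_id) == "up"


@dataclass
class VpcDomain:
    primary: Peer
    secondary: Peer

    def peer_of(self, p: Peer) -> Peer:
        return self.secondary if p is self.primary else self.primary


def peer_link_egress(receiver: Peer, sender: Peer, vpc_id: int) -> tuple:
    """Loop-prevention check for a frame `receiver` got over the peer-link from `sender`."""
    if not receiver.member_up(vpc_id):
        return False, f"vPC {vpc_id} member is down on {receiver.name} as well"
    if sender.member_up(vpc_id):
        return False, (f"vPC {vpc_id} is up on {sender.name}, so peer-link traffic "
                       f"may not egress vPC {vpc_id} on {receiver.name}")
    return True, f"(*) vPC {vpc_id} down on {sender.name}, forwarding via peer-link"


def forward(domain: VpcDomain, ingress: Peer, dst: tuple,
            via_peer: Optional[str] = None) -> tuple:
    """Forward a frame that entered `ingress` on a vPC member port.

    dst: ("vpc", id) for a dual-attached destination, or
         ("orphan", owner_peer, port_name) for a single-attached one.
    via_peer: None when `ingress` forwards the frame itself; "router-mac" when
         the host addressed it to the other peer's SVI MAC (what peer-gateway
         short-circuits); "next-hop" when `ingress`'s own route points at the
         other peer's SVI address (the Nexus 7009 case above).
    Returns (delivered, path) with path as a list of hops.
    """
    other = domain.peer_of(ingress)
    here, crossed, path = ingress, False, [ingress.name]

    if via_peer == "next-hop" or (via_peer == "router-mac" and not ingress.peer_gateway):
        here, crossed = other, True          # bridged to the peer over the peer-link
        path += ["peer-link", other.name]

    if dst[0] == "orphan":
        owner, port = dst[1], dst[2]
        if owner is not here:                # orphan ports are exempt from the rule
            path += ["peer-link", owner.name]
        path.append(port)
        return True, path

    vpc_id = dst[1]
    if here.member_up(vpc_id):
        if not crossed:                      # local member port: peer-link untouched
            path.append(f"vPC {vpc_id}")
            return True, path
        ok, why = peer_link_egress(here, ingress, vpc_id)
        path.append(f"vPC {vpc_id}" if ok else f"DROP ({why})")
        return ok, path

    # Member down on `here`: the other side may forward on its behalf (the '*' case).
    far = domain.peer_of(here)
    ok, why = peer_link_egress(far, here, vpc_id)
    path += ["peer-link", far.name, f"vPC {vpc_id}" if ok else f"DROP ({why})"]
    return ok, path


def demo_domain() -> VpcDomain:
    """Mirrors the posted 'show vpc brief': vPC 1 up on both peers, Po401 (vPC 401) down on N5K1."""
    return VpcDomain(primary=Peer("N5K1", {1: "up", 401: "down"}),
                     secondary=Peer("N5K2", {1: "up", 401: "up"}))


if __name__ == "__main__":
    dom = demo_domain()
    n5k1, n5k2 = dom.primary, dom.secondary
    cases = [
        ("dual-homed host, local member up", n5k2, ("vpc", 401), None),
        ("dual-homed host, local member down (*)", n5k1, ("vpc", 401), None),
        ("route points at the other peer's SVI", n5k2, ("vpc", 1), "next-hop"),
        ("frame sent to the other peer's router MAC", n5k2, ("vpc", 1), "router-mac"),
        ("orphan port on the other peer", n5k2, ("orphan", n5k1, "Ethernet1/29"), None),
    ]
    for title, ingress, dst, via in cases:
        ok, path = forward(dom, ingress, dst, via)
        print(f"{title}: {'delivered' if ok else 'dropped'}: {' -> '.join(path)}")
    n5k2.peer_gateway = True
    ok, path = forward(dom, n5k2, ("vpc", 1), "router-mac")
    print(f"router MAC case with peer-gateway: {'delivered' if ok else 'dropped'}: {' -> '.join(path)}")
```

The case to watch is the third one: the packet that Nexus B has to hand to Nexus A over the peer-link to be routed, and that then needs a vPC member port on A, is dropped even though every link involved is up, which is exactly the symptom in the Nexus 7009 thread. The fourth case shows what `peer-gateway` changes: with it set, the ingress peer routes the frame itself and the frame never touches the peer-link; without it, that frame takes the same doomed path.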
Nexus5500 vPC InterDC (2 Site vPC-vPC) - with L3 VLAN
Hello to all,
I was wondering about a design issue with a vPC interconnecting two different Datacenter based on Nexus5500. Scenario is the following:
Datacenter1 has 2 Nexus5K belonging to vPC DomainA
These Nexus5K are connected to Core1 (Stack based) using a L3 GEC (using SVI) per each Nexus5K running EIGRP.
Datacenter2 has 2 Nexus5K belonging to vPC DomainB.
These Nexus5K are connected to Core2 (Stack based) using a L3 GEC (using SVI) per each Nexus5K running EIGRP.
Datacenter1 Nexus5K are connected with a vPC (L2 transporting Hosts VLANs) to Datacenter2 Nexus5K.
L3 Redundancy is configured with HSRP Active/Passive with tracking (in case GEC to the Core are going down), preemption and preemption delay of 300sec. Usually HSRP Active is in Datacenter1 and Standby is in Datacenter2.
Each Datacenter Nexus5K is receiving the routes via EIGRP from the Core GEC links directly connected.
Is it working if I configure a L3 VLAN on the vPC between Datacenters so that routes are also learned, with a less preferred distance, via Datacenters Nexus5K? I'm not sure if it's working the packet forwarding ==> vPC rules
Thanks a lot for any ideas or advice
BR
O.G
Hi Klei,
Thanks for your answer.
If I understand correctly, keeping L2 and L3 on the peer link would be beneficial for multicast, as it would force the use of the peer link's loop prevention mechanism. Since the peer link's multicast replication behaviour prevents the L3 node from doing an RPF check, as the traffic appears local, if we had pim-sm enabled on a L3 link outside of the peer link, we would encounter loops that would last as long as TTL > 0.
1) Can you confirm that this potential issue goes away by disabling pim-sm on the L3 link outside the peer link?
2) Why is this design supported with N7K? Do they perform additional verification to prevent loops?
Thanks,
Eric Lauriault, CCIE 27521 -
See diagram. I need Layer 2 extended a couple of VLANs between two data centers (Let's say SVI lives in one Data Center only), but I also want to do Layer 3 between two Data Centers for regular inter-DC routing. What are my options to route between N5K's on the left and N7K's on the right? I only have two links, and I have no support for OTV. Can I just create one non-VPC VLAN on the top link with a /30 SVI on two sides, and another non-VPC VLAN on the bottom link with a /30 SVI on two sides, and just EIGRP load balance across those two SVIs between DCs?
Steve,
Do you already have VPCs between the set of 5Ks and also 7Ks set up? I have the same setup, but between the 5Ks and 7Ks there are cross connects (fully meshed) and layer-2 only with all SVIs only on the 7Ks.
So, I have one Portchannel between all of them. I can not configure IP on the Portchannel because layer-3 VPC is not supported, but If I create a vlan with SVIs on each side and add the IPs to EIGRP or OSPF, that should work. I am just not sure how will it work in your situation when there is no cross connects between the 5Ks and 7Ks, because VPC comes to play when you connect one device to 2 other devices. Unfortunately, I can't test this since I don't have daughter cards in the 5Ks.
HTH -
VPC Keep-alive link in F1 series Linecards
Hi.
Can we use N7K F1 linecards for vpc keepalive link?
Configure layer 2 portchannel and a point-to-point vlan interface?
thanks
Hi,
This is supported, but as per page 28 of the Best Practices for Virtual Port Channels (vPC) on Cisco Nexus 7000 Series Switches:
Note: If you are using a pure Cisco Nexus F1 Series system or VDC (that is, only F1 line cards used in the chassis or only F1 ports in the VDC), the peer-keepalive link can be formed with mgmt0 interface or 10-Gigabit Ethernet front panel port. In the latter case, use the management command under the SVI to enable it for inband management (otherwise, the SVI is brought down because no M1 modules exist in the system or VDC).
It's probably worth noting the recommendations as to how the peer-keepalive link should be configured:
Strong Recommendations:
When building a vPC peer-keepalive link, use the following in descending order of preference:
1. Dedicated link(s) (1-Gigabit Ethernet port is enough) configured as L3. Port-channel with 2 X 1G port is even better.
2. Mgmt0 interface (along with management traffic)
3. As a last resort, route the peer-keepalive link over the Layer 3 infrastructure
Regards -
Duplicate address across VPC peer-link on Nexus 7010
Just set up a VPC peer-link between two 7010 switches. The peer-link is a port-channel of two 10Gb connections. On both sides I'm seeing this in the log:
2010 Jan 5 04:27:34 CRMCN7K-1 %ARP-2-DUP_SRC_IP: arp [3069] Source address of packet received from 0024.f716.b341 on Vlan401(port-channel10) is duplicate of local, 10.180.0.17
and on the other
2010 Jan 5 04:23:39 CRMCN7K-2 %ARP-2-DUP_SRC_IP: arp [3052] Source address of packet received from 0024.f71f.a7c1 on Vlan401(port-channel10) is duplicate of local, 10.180.0.18
VLAN 401 is the only VLAN on them right now with a Layer 3 address. What am I missing? Everything looks correct. Port-Channel10 is up and running fine... or so it seems.
Hey Nashwj,
What version of NX-OS are you running?
Are the 7K in a stand alone environment (lab or similar) or connected to other production network devices?
Are both of the VLANs carried across the vPC peer link port-channel?
Are both of the VLANs carried across any vPC port-channel?
Do you have HSRP setup on the VLAN 401 interfaces on each of the 7Ks? If so, what are the real and vip IP addresses?
If you can either provide answers to the above or configuration snapshots of the vPC and SVI interfaces for your VLANs on each of the 7Ks a solution should be reachable. -
Back to Back vPC - Why is it not possible?
Good Evening!
I'm studying for CCDP and am currently sitting on page 271 for those of you that have the official book (642-874).
Similar topology to book here.
If I understand correctly, in an Active/Active FEX design two Cisco Nexus 5000s plug into two Cisco Nexus 2000s, which in turn plug into the server. There is a two-way vPC between the 2000s and 5000s (it doesn't look like that's shown in the picture though). However, because there is a vPC between the FEXs and the Nexus 5000 you cannot have a vPC between the FEXs and the servers. Why is this? Any clarification at a conceptual level of how an Active/Active FEX configuration works is also appreciated. I've read the section, but since I haven't had hands-on time with any of this equipment I'm having some trouble conceptualizing everything. Thanks for your time.
Grant
Question:
=======
However, because there is a vPC between the FEXs and the Nexus 5000 you cannot have a vPC between the FEXs and the servers. Why is this?
Answer: No, you can have vPC between the FEX and the servers.
https://communities.cisco.com/thread/21567?tstart=0
2)
good document on VPC:
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/configuration_guide_c07-543563.html
Video on the same:
http://www.ine.com/all-access-pass/training/playlist/ccie-data-center-nexus/vpc---active-100121202.html
HTH -
NAV is not installing on my VPC 7.0
When I start installing Norton Antivirus 2006 on VPC 7.0, the installer crashes. Has anyone else run into this problem? If so how do I fix it?
eMac Mac OS X (10.4.3)
Hi James,
While re-installing Muse try to change the install location and see if that makes a difference.
- Abhishek Maurya -
Routing issue: SVI vs Firewall interface
Greetings
I have several switches interconnected in my network and multiple VLANs configured, with an SVI assigned to each. Inter-VLAN routing works just fine. The switchport connected to the corporate firewall is the first port on the main switch (interface GigabitEthernet1/0/1, I reckon).
The firewall is VLAN-unaware and it is managed by a third party; I do not have access to it. The firewall is configured to route the two ranges below only, and that is fine:
155.111.215.254/25 (servers)
10.15.245.254/24 (end users)
In my network, these ranges are broken down into sub-ranges and assigned as VLAN IP addresses. Other ranges that I have in my network (192.168.x.x) are used by peripheral devices within the LAN only and do not need to reach the firewall (nor the internet).
So here is the problem I have:
If I point end-user machines and servers to the corresponding firewall interfaces (assign the default gateway accordingly), they can reach each other and have access to the internet. But they would not be able to reach peripheral devices in the 192.168.x.x range, which are pointed to their respective VLAN IP address (SVI).
If I point end-user machines and servers to their respective VLAN IP address, they can reach peripheral devices, but there is no connection to the internet. So what I need is internet access for computers with an IP address within the firewall-configured range, but with the SVI as the default gateway rather than the firewall interfaces.
My request to add each VLAN to the firewall was rejected because it would cost money.
For a workaround, I wonder whether there is something to do with the switchport connected to the firewall, or whether it is some rules on the firewall that I need (like NAT). If it is the latter, then how do I make a proper request to the firewall management team?
I would appreciate a suggestion on how to deal with this. Many thanks.
PS: Attaching the main switch config file just in case.
Hi,
You can tweak something in the firewall to make this work... you can have the firewall as the gateway for all VLANs.... you can do NAT exemption in the firewall to reach those peripheral devices.... and you should have the route from the firewall to reach that, and the access-list should allow that......
same-security-traffic permit intra-interface - to permit access to flow through the same interface......
Make sure you are able to reach those peripheral VLANs from the ASA first... then do it step by step.... ACLs, NAT exemption, same-sec., route... the route should be pointed to the core devices, since those have the direct connectivity to the peripheral devices' VLAN...
Regards
Karthik -
Is it possible to Configure VPC Between N5010 and 6513
Hello Gents,
Please let me know if we can configure vPC between N5010 and 6513 (core switch).
If yes, does it have any loops or abnormal traffic behaviour?
Please refer to the attached mail for the current network diagram.
1) I would like to establish vPC between N5010 and Cisco 6513 switch.
2) If yes, will the upstream devices above the 6513 core switch forward the traffic from all the 6513 ports connected to N5000 ports, or will the 6513 send traffic from one uplink and block the other uplink ports as part of STP?
3) Is VSS on the 6513 required for point #1?
Please refer some links on this as well.
Appreciate your quick response.
Thanks and Regards,
KA.
Hi Karim,
You can use this one - you can consider your 6k the FEX as in this example:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/configuration_guide_c07-543563.html
On the port-channel to the 6k do not configure:
"switchport mode fex-fabric"
"fex associate 100"
This configuration is intended to be used with FEX.
Regards
Dan