VPC peer-gateway on Nexus 7k

Hi, can anyone please elaborate on how packets will be forwarded if peer-gateway is NOT enabled on vPC for a Nexus 7k pair? Can we still have active/active path forwarding?

A similar discussion is as below:
https://supportforums.cisco.com/message/3989694#3989694
In addition, basically if peer-gateway is not used, the same packet may use the peer-link and be routed by the active HSRP device, which increases the load and the number of switched hops of the packet, which may be a performance consideration. With a good design, under normal conditions the peer-link is basically used for control traffic; no data traffic passes through the peer-link besides non-vPC orphan links. Can't think of any scenarios where it may be more suitable not to use this command with HSRP.
https://supportforums.cisco.com/thread/2156774
Regards,

Similar Messages

  • Does VPC Peer Gateway cause downtime?

    Hello,
    I have a quick question. We recently implemented a VPC-based network design with a few SVIs (with HSRP) on a pair of NEX 5500s, but I forgot to include the 'peer-gateway' command. I understand the benefit of that command on FHRP like HSRP. My question is, if I apply that on production NEX 5500 switches, would that cause any downtime? Could someone please confirm? Many thanks in advance!
    Regards,
    Mark

    It shouldn't, but again we request you to kindly do it out of office hours or in MW.
    Below is the detailed info on Auto-recovery:
    http://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/116187-configure-vpc-00.html#anc5

  • VPC - peer gateway and peer switch

    I understand that we need to use peer gateway on a vPC pair when HSRP is running, but why do we use peer switch if the vPC pair is not the root or secondary root of the network? Does it matter that they send out different BIDs? What would be the worst case scenario when not using peer switch?

    If you read the vPC Best Practices Design Guide the peer-switch feature reduces convergence time as a result of a spanning-tree failure from 3 seconds to sub-second.

  • Duplicate address across VPC peer-link on Nexus 7010

    Just set up a VPC peer-link between two 7010 switches.  The peer-link is a port-channel of two 10Gb connections.  On both sides I'm seeing this in the log:
    2010 Jan  5 04:27:34 CRMCN7K-1 %ARP-2-DUP_SRC_IP:  arp [3069]  Source address of packet received from 0024.f716.b341 on Vlan401(port-channel10) is duplicate of local, 10.180.0.17
    and on the other
    2010 Jan  5 04:23:39 CRMCN7K-2 %ARP-2-DUP_SRC_IP:  arp [3052]  Source address of packet received from 0024.f71f.a7c1 on Vlan401(port-channel10) is duplicate of local, 10.180.0.18
    VLAN 401 is the only VLAN on them right now with a Layer 3 address.  What am I missing?  Everything looks correct.  Port-Channel10 is up and running fine..or so it seems.

    Hey Nashwj,
    What version of NX-OS are you running?
    Are the 7K in a stand alone environment (lab or similar) or connected to other production network devices?
    Are both of the VLANs carried across the vPC peer link port-channel?
    Are both of the VLANs carried across any vPC port-channel?
    Do you have HSRP setup on the VLAN 401 interfaces on each of the 7Ks?  If so, what are the real and vip IP addresses?
    If you can either provide answers to the above or configuration snapshots of the vPC and SVI interfaces for your VLANs on each of the 7Ks a solution should be reachable.

  • Nexus 7K Core Layer VDC, does it require a VPC Peer Link

    We are going to be using a pair of Cisco Nexus 7010s to act as both our data center aggregation layer and the core layer. We will accomplish this via two VDCs, one for the core layer and one for the aggregation layer.
    I know that if we are doing VPCs between the access and aggregation layers that we need a VPC Peer Link (and peer keep alive link) between the two aggregation layer contexts, but if the connection between the aggregation and the core is purely layer 3 (OSPF), then I don't think we need a VPC peer link between the two core VDCs. Am I correct?

    You are on the right track.
    You will use VPC if your design includes L2 trunk infrastructure. Since you're aggregating with an L3 core there is no need to add vpc I think.
    http://www.cisco.ws/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC-3_0_IPInfra.html
    Thx,
    Eric

  • Vpc bind-vrf on Nexus 7000/N7k to ensure forwarding of multicast traffic over peer-link?

    In previous vPC setups with N5k (or also N6k), I had to use the 'vpc bind-vrf' command to ensure the forwarding of multicast over the vpc peer-link, especially for receivers in non-vPC VLANs and the receivers connected to Layer 3 interfaces.
    I am wondering why this command isn't available on N7k? Isn't this necessary on this platform or is it just not yet implemented?
    Any hint is welcome!
    Stephan Strack

    Hey Stephan,
    The 'vpc bind-vrf' command allocates a special internal VLAN for routing traffic over the vPC peer-link to ensure L3 connections on the vPC peer or orphan ports successfully receive multicast traffic on N5k/N6k platforms.  This workaround is not needed on the N7K because that platform implements the vPC loop prevention rule differently in hardware.
    In short, 'vpc bind-vrf' is not required on N7K.
    -Andy

  • Trunking off a switch that is connected as a vPC peer

    Hello,
    Yesterday I ran into an issue in someone's environment where they wanted to trunk a 2960 switch (let's call it SwitchA) off of another 2960 switch (SwitchB) which was a vPC peer to a set of Nexus 5k's. When he did this, he noticed his phones were unable to communicate with the voice gateway. The same VLANs were allowed across the trunk from SwitchA to SwitchB and to the Nexus 5K.
    When I moved SwitchA to its own port channel and vPC the voice traffic was able to communicate just fine. I am more concerned about this issue for learning/experience purposes. Has anyone run into a similar issue or know of a vPC rule that is preventing SwitchA from hanging off SwitchB? I have never seen a setup where someone wanted to do that when using vPCs but am still curious about that setup in case I run into it again in the future.
    Thanks,

    Hey Madhu,
    Thanks for your reply. 
    Yes, I was allowing the same VLAN over the peer-link also. If I wasn't then all the other IDF switches would have had downed phones. The odd thing also is when SwitchA was trunked to SwitchB desktops had connectivity but phones didn't. I then SSH'd into SwitchA and tried pinging the gateway for VLAN 120 (Voice VLAN) and was able to hit the gateway and the phone system, showing I had connectivity. For some reason though, the handsets just weren't finding the router.

  • VPC Peer Link

    What is the function of the VPC peer-link? Should be the composite of all VPC links that are dual homed between switches?
    In this diagram, is it necessary to have 8 x 10G links as shown above? The links connecting the 7Ks to the 5Ks are VPC links.

    ok, so as I read your reply I would like to confirm the following:
    Hosts which are not connected to the FEX via normally trunk or vPC which need to communicate to Hosts which are on a vPC these VLANs need to be trunked on the vPC peer link.
    VLANs which communicate between devices which are not on the vPC are recommended to have a separate link.
    I now have an issue, where I have a Nexus 1000v deployed in vmware which we are using L3. The control (same requirements for vMotion VLAN) VLANs requires to be L2 and is trunked via the physical uplinks which also carry VLANs which have HSRP on the 5Ks. 
    As a port-channel from each hosts will terminate on each fex as part of a vPC, each will be carrying VLANs which only require L2 communication and some which have a gateway (HSRP).
    For VLANs which carry only L2 information i.e. Control VLAN or vMotion VLAN, they are required to communicate with other hosts at this point if source packet arrives one Fex 1 which is connected to N5K1 and required to communicate to destination on Fex 2 which is linked to N5K2 it would need to transit via the two Nexus 5Ks, could this be achieved by the peer link or would I need a separate link carrying these VLANs in addition to them being carried over the vPC peer link?

  • MST / vPC / peer-switch

    Hello,
    There are two N7Ks connected with peer-link (Po1). There will be some other L2 switches connected to those N7Ks with vPC. Also, there is a separate, dedicated L2 link (Po9) between N7Ks to carry VLANs for orphan ports connected on both N7Ks. Here is configuration:
    N7K-1:
    spanning-tree mst configuration
      name test
      revision 3
      instance 1 vlan 1-9,12-14,16-1005
      instance 2 vlan 10,11,15
    spanning-tree mode mst
    spanning-tree mst 0-2 priority 4096
    spanning-tree pseudo-information
      mst 0-2 designated priority 4096
      mst 0-2 root priority 4096
    vpc domain 1
      peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf peer-keepalive
      system-priority 1000
      role priority 1
      auto-recovery reload-delay 240
      peer-gateway
      peer-switch
      graceful consistency-check
      ip arp synchronize
      delay restore 30
      delay restore interface-vlan 40
    interface port-channel 1
      vpc peer-link
      switchport trunk allowed vlan remove 10,11,15
    interface port-channel 9
      switchport trunk allowed vlan 10,11,15
      spanning-tree mst 2 cost 100
    N7K-2:
    spanning-tree mst configuration
      name test
      revision 3
      instance 1 vlan 1-9,12-14,16-1005
      instance 2 vlan 10,11,15
    spanning-tree mode mst
    spanning-tree mst 0-2 priority 4096
    spanning-tree pseudo-information
      mst 0-2 designated priority 8192
      mst 0-2 root priority 8192
    vpc domain 1
      peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf peer-keepalive
      system-priority 1000
      role priority 1
      auto-recovery reload-delay 240
      peer-gateway
      peer-switch
      graceful consistency-check
      ip arp synchronize
      delay restore 30
      delay restore interface-vlan 40
    interface port-channel 1
      vpc peer-link
      switchport trunk allowed vlan remove 10,11,15
    interface port-channel 9
      switchport trunk allowed vlan 10,11,15
      spanning-tree mst 2 cost 100
    In theory, for vPC VLANs, that is those carried over peer-link, global STP configuration should be used. And, because peer-switch is used, both N7Ks will generate the same BPDU (the same Bridge ID with priority 4096), both becoming root. And, for other VLANs, carried over dedicated L2 link, the pseudo-information should be used. That is, N7K-1 should become root, and Po9 should be Designated. The N7K-2 should be backup root and Po9 should be Root port.
    Unfortunately, it's not how it works. Maybe I am missing something, but BPDUs sent over dedicated L2 Po9 are exactly the same as for VPC VLANs. N7K-1 becomes root and its Po9 becomes Designated. But, N7K-2 is also a root, and since it sees the same BPDU as it generates by itself, it treats Po9 as an alternate way to itself and places that port in Alternate/Blocking state.
    So, am I doing something wrong, or dedicated L2 link cannot co-exist with peer-link? I had no chance to test it, but it may work if I remove peer-switch feature (although it is recommended to have it)
    Best regards,
    Krzysztof

    We have filed
    CSCuc41076
    vPC Peer Switch Hybrid Topology MST blocking in non vPC Peer Link

  • Can some explain vpc peer-link vlan issues for me?

    I remove a VLAN from the vPC peer-link, and the vPC goes down.
    I know this is by design, but why?
    thank you!
    Tom

  • Timers on vPC peer-keepalive link

    Hello,
    I am confused about what 2 timer parameters (Keepalive Hold Timeout and Keepalive Timeout) are used for.
    Below are the quotes, which are truly quite confusing, from Cisco official docs (Design and Configuration Guide:
    Best Practices for Virtual Port Channels (vPC) on Cisco Nexus 7000 Series Switches)
    Keepalive Hold Timeout
    This timer gets started once the vPC peer-link goes to down state. During this time period, the secondary vPC peer
    device will ignore any peer-keepalive hello messages (or the lack of). This is to assure that network convergence
    can happen before any action is taken.
    Q1: Why does the vPC secondary device ignore ongoing keepalive messages? As far as I know, the secondary device does need
    these keepalive messages to determine subsequent actions (shut down all its vPC member ports or enter split-brain scenario).
    Q2: What kind of network convergence will happen here?
    Keepalive Timeout
    During this time period, the secondary vPC peer device will look for vPC peer-keepalive hello messages from the
    primary vPC peer device. If a single hello is received, the secondary vPC peer concludes that there must be a dual
    active scenario and therefore will disable all its vPC member ports (that is, all port-channels that carry the keyword
    vpc).
    Q1: When will this timer be triggered?
    Q2: If a single Hello is received, why dual active scenario (also termed split-brain scenario) is determined?
    Q3: Why all vPC member ports on secondary switch will be all disabled when dual active scenario is determined?
    Thanks in advance for your help.

    Q1:keepalive holdtimeout
    The difference between the hold-timeout and the timeout parameters is as follows:
    During the hold-timeout, the vPC secondary device does not take any action based on any keepalive messages received, which prevents the system taking action when the keepalive might be received just temporarily, such as if a supervisor fails a few seconds after the peer link goes down.
    During the timeout, the vPC secondary device takes action to become the vPC primary device if no keepalive message is received by the end of the configured interval. 

  • (*) - local vPC is down, forwarding via vPC peer-link

    Hello 
    Local vPC status is down; what is the issue?
    status - 
     show vpc
    Legend:
                    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id                     : 1
    Peer status                       : peer adjacency formed ok
    vPC keep-alive status             : peer is alive
    Configuration consistency status  : success
    Per-vlan consistency status       : success
    Type-2 consistency status         : success
    vPC role                          : secondary
    Number of vPCs configured         : 2
    Peer Gateway                      : Disabled
    Dual-active excluded VLANs        : -
    Graceful Consistency Check        : Enabled
    Auto-recovery status              : Enabled (timeout = 240 seconds)
    vPC Peer-link status
    id   Port   Status Active vlans
    1    Po1    up     1,150
    vPC status
    id     Port        Status Consistency Reason                     Active vlans
    10     Po10        down*  success     success                    -
    20     Po20        down*  success     success                    -
    # show port-channel summary
    Flags:  D - Down        P - Up in port-channel (members)
            I - Individual  H - Hot-standby (LACP only)
            s - Suspended   r - Module-removed
            S - Switched    R - Routed
            U - Up (port-channel)
            M - Not in use. Min-links not met
    Group Port-       Type     Protocol  Member Ports
          Channel
    1     Po1(SU)     Eth      LACP      Eth1/1(P)    Eth1/2(P)
    10    Po10(SD)    Eth      LACP      Eth1/47(I)
    20    Po20(SD)    Eth      LACP      Eth1/48(I)

    Hi,
    What is Portchannel 10 and 20 for?  They are both down.
    Can you post the config from both switches?
    HTH
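
The `show vpc` output in the post above exposes three things worth checking automatically: the Peer Gateway setting, keepalive health, and vPCs that are down with member ports flagged Individual. The following is an added example, not part of the thread, that parses such output; the sample text is constructed from the output quoted above, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample, trimmed from the CLI output quoted in the post above.
SAMPLE = """\
vPC keep-alive status             : peer is alive
Peer Gateway                      : Disabled
vPC Peer-link status
id   Port   Status Active vlans
1    Po1    up     1,150
vPC status
id     Port        Status Consistency Reason                     Active vlans
10     Po10        down*  success     success                    -
20     Po20        down*  success     success                    -
Group Port-       Type     Protocol  Member Ports
      Channel
1     Po1(SU)     Eth      LACP      Eth1/1(P)    Eth1/2(P)
10    Po10(SD)    Eth      LACP      Eth1/47(I)
20    Po20(SD)    Eth      LACP      Eth1/48(I)
"""

KV = re.compile(r"^\s*([A-Za-z][\w .-]*?)\s+:\s+(.*\S)\s*$")
PC_ROW = re.compile(r"^\s*\d+\s+(Po\d+)\(\w+\)\s+\S+\s+\S+\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\((\w)\)")

def parse(text):
    """Collect key/value settings, per-vPC status and member-port flags."""
    state = {"settings": {}, "vpcs": {}, "members": {}}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("vPC status", "vPC Peer-link status"):
            section = stripped
        elif (m := KV.match(line)):
            state["settings"][m.group(1).lower()] = m.group(2)
        elif (m := PC_ROW.match(line)):
            state["members"][m.group(1)] = dict(MEMBER.findall(m.group(2)))
        else:
            fields = stripped.split()
            # Only rows under "vPC status" are vPCs; the peer-link row is skipped.
            if section == "vPC status" and len(fields) >= 3 and fields[0].isdigit():
                state["vpcs"][fields[1]] = fields[2]
    return state

def audit(state):
    """Return human-readable findings for the conditions discussed above."""
    findings = []
    if state["settings"].get("peer gateway", "").lower() != "enabled":
        findings.append("peer-gateway is not enabled")
    if state["settings"].get("vpc keep-alive status") != "peer is alive":
        findings.append("peer-keepalive is not healthy")
    for po, status in sorted(state["vpcs"].items()):
        if status.startswith("down"):
            indiv = [p for p, f in state["members"].get(po, {}).items() if f == "I"]
            note = f" (Individual members: {', '.join(indiv)})" if indiv else ""
            findings.append(f"{po} is {status}{note}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```
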

  • Vpc peer-link forwarding behavior

    Hey,
    In this cisco doc (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf ) I come across this statement:
    One of the most important forwarding rules of vPC is the fact that a frame that entered the vPC peer switch from the peer link cannot exit the switch out of a vPC member port (except if this is coming from an orphaned port).
    This makes perfect sense up to the "except if this is coming from an orphaned port". I can't seem to figure out why traffic sourced from an orphaned port (ie, "from" an orphaned port) and ultimately destined to a vPC member port is allowed -- since it should be sent out the local vPC member port and not across the peer link.
    Would make more sense to me if it said "destined to an orphaned port", so of course it would have to cross the peer-link.
    Can anyone shed some light on this exception to the rule?
    Thanks!

    Thanks Chad!
    Kept racking my brain on that one, and the only time it would make any sense (ie, I was trying to fit a square peg in a round hole), is if you have IGP peering to each 7K from an orphan port (ex, FW), the IGP ECMP hashes a packet to the far-end 7K, and then the traffic sent to the directly attached 7K must be sent across the vpc-peerlink -- and in theory shouldn't be dropped. This is, of course, until you add peer-gateway command, which confuses matters a bit -- especially from an IGP control-plane perspective, but also in this loop-prevention rule, since the local 7K will handle the packets destined to the other's 7K MAC.
    To complicate matters worse, the latest 5K release notes say to exclude-vlan for peer-gateway for your backup router vlan... still have to dive into that one.

  • Difference between vpc peer-switch and vpc+

    Hi, I would like to understand the difference between vpc peer-switch when used in vpc and vpc+ when used in FabricPath, when both are delivered to achieve the same thing, i.e. making the 2 Nexus switches look like 1 logical switch to another device connected to it.

    Hi,
    vPC+ overcomes a problem we would have when connecting non FabricPath devices to the FabricPath cloud in a resilient way using port-channels.
    If you look at the first diagram below, when Host A sends traffic to Host B, it can be sent over either link of the port-channel and so can take the path via either S100 or S200. The problem with this is that from the perspective of the MAC address table on S300, the MAC address of Host A would constantly flap between being sourced from S100 and S200.
    What happens with vPC+ is that S100 and S200 create an emulated switch that effectively becomes the point of connection of the port-channel interface. This is seen in the second diagram as S1000. Now when traffic is sent from Host A it is always seen as originating from S1000 so there's no longer any MAC flapping.
    Hope that helps.
    Regards

  • Using 40GE ports for VPC Peer Link

    Hi,
    Is it possible to use the native 40GE ports on the N7K-M206FQ-23L module for the VPC Peer Link, or do you have to break these ports out into 10GE ? I have read that 10GE ports must be used for the VPC peer link.
    Thanks in advance.

    You can use 40GE ports for VPC peer-link. No need to break those to 10G.
