Ask the Expert: Nexus Virtual Port Channel (vPC)

ciscomoderator
Community Manager

With Hatim Badr and Iqbal Syed


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of VPC with Cisco experts Hatim Badr and Iqbal Syed. Iqbal is a product manager and technical marketing engineer for the Cisco Nexus 7000 Series of switches. He is responsible for product road-mapping and marketing the Nexus 7000 line of products with a focus on virtual port channel design and training. Syed has been with Cisco for more than 8 years, which includes experience in Cisco Advanced Services and the Cisco Technical Assistance Center. His experience ranges from reactive technical support to proactive engineering, design, and optimization. He holds CCIE (Routing & Switching), CCDP, Cisco Data Center, and TOGAF (v9) certifications. Hatim is a network consulting engineer for Cisco Advanced Services in Toronto, where he supports Cisco customers across Canada as a specialist in data center architecture, design, and optimization projects. He has more than 10 years of experience in the networking industry. He holds CCIE certification #14847 in Routing and Switching and also holds TOGAF 9, VCPv4, and PMP certifications.

Remember to use the rating system to let Hatim and Iqbal know if you have received an adequate response.

Hatim and Iqbal might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 9, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Mohamed Sobair
Level 7

Hello Hatim,

It's good to see you here hosting Nexus vPC, and I am proud of you as a previous teacher from my previous university, as I know you have taught some classes to students at Computer Man College.

Now, my knowledge about vPC is that it provides Layer-2 multipathing and the benefit of using a spanning-tree blocked port as a forwarding port, and provides more rapid convergence than STP does. I personally don't have experience with Nexus yet; the last series of switches I worked on was the 6500 Series with VSS technology.

With that being said, I have some questions about vPC:

1- Is a vPC a normal Layer-2 EtherChannel? And does vPC support Layer-3 forwarding, just like we have Layer-3 EtherChannel?

2- If we have a pair of vPC devices connected at the core/distribution layer, and we have multiple Nexus switches connected at the access layer, does the access layer see both vPC core peers as one logical device? Does this provide the same functionality as Cisco VSS on the 6500 switches? What exactly is the difference?

3- Does enabling vPC provide ONLY more rapid convergence on failure detection than spanning tree provides? And when enabling vPC on Nexus, do we actually eliminate the need for Spanning Tree Protocol?

4- From the access layer, if we have Nexus, for example the 5000 series, can we have one vPC identifier connect to both of the Nexus 7000 distribution/core vPC pair?

5- Does using vPC eliminate the use of first-hop redundancy protocols like HSRP? And how are frames forwarded through the active/standby HSRP peers? Do we still have one as active and one as standby, or has this concept changed with vPC?

I appreciate and am grateful for your time and answers.

Regards,

Mohamed

It is nice to see more Ask the Expert about Nexus and its technologies in CSC.

For Mohamed's questions, answers are as below, and Hatim can correct me if any is not accurate.

1- Yes, it is normal L2 interfaces, but there are some other types of L2 interfaces required for this vPC to work, such as the peer link and keepalive link, and the ports connected to a vPC host, called vPC member ports.

And for L3, you cannot have vPC as it is an L2 technology only; however, if you have two L3 interfaces in the upstream and downstream passing through an L2 path with vPC, then you can pass the L3 routing, for example.

2- Core is L3 only; however, from access to distribution there will be vPC and the vPC pairs will appear to the access switch as one logical device, and from distribution to core is L3 routing with ECMP.

The main difference between vPC and VSS is that the latter uses one control plane in active/standby, while vPC has two different, separate control planes, each belonging to one of the vPC peers.

From a forwarding point of view, both technologies provide you with all forwarding paths.

3- vPC eliminates the need for spanning tree (but better to enable it as a fallback method) and there is no convergence, just all forwarding paths.

4- vPC identifier: if you mean here "vPC domain", then yes, from one side to the other (access to distribution vPC), one domain,

and if you need double-sided then you will need two vPC domains.

5- No, HSRP for example is still required, but the difference here from a forwarding point of view is that both the active and standby will be in forwarding, and the active HSRP will be responding to ARP from a forwarding perspective.

I think these are very good questions, and I wish my participation will be helpful in this discussion/session.

Thanks and Regards,

Marwan Alshawi

Mohamed,

In addition to the great answers by Marwan, I found this document that has a section comparing vPC to VSS.

I am looking forward to comments and answers from Hatim and Iqbal.

Should be a good discussion.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572831-00_Dsgn_Nexus_vPC_DG.pdf

HTH

Reza

Hi Mohamed,

Please see your answers inline below:

1- Is a vPC a normal Layer-2 EtherChannel? And does vPC support Layer-3 forwarding, just like we have Layer-3 EtherChannel?

There is a very good white paper below explaining vPC, its benefits and how L3 works over vPC:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-516396.html

2- If we have a pair of vPC devices connected at the core/distribution layer, and we have multiple Nexus switches connected at the access layer, does the access layer see both vPC core peers as one logical device? Does this provide the same functionality as Cisco VSS on the 6500 switches? What exactly is the difference?

Yes, the access layer devices will see the vPC peers as one logical device. Regarding the differences between vPC and VSS, just like Marwan mentioned, the major difference is the fact that VSS provides one control plane while vPC has two. For other differences, the document pointed to by Reza would be a great reference.

3- Does enabling vPC provide ONLY more rapid convergence on failure detection than spanning tree provides? And when enabling vPC on Nexus, do we actually eliminate the need for Spanning Tree Protocol?

The main difference between a vPC configuration and a non-vPC configuration is in the forwarding behavior of the vPC peer link and the BPDU forwarding behavior of vPC member ports only. Non-vPC ports on a vPC-configured switch behave in the same way as on a regular switch (use STP), except that the vPC peer link is always forwarding, which may require a slightly different topology.

Please refer to the document below which explains how STP works in a VPC environment along with examples:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572834-00_STDG_NX-OS_vPC_DG.pdf

4- From the access layer, if we have Nexus, for example the 5000 series, can we have one vPC identifier connect to both of the Nexus 7000 distribution/core vPC pair?

I assume by vPC identifier you mean vPC domain; if yes, then just like Marwan mentioned, you will need two vPC domains.

5- Does using vPC eliminate the use of first-hop redundancy protocols like HSRP? And how are frames forwarded through the active/standby HSRP peers? Do we still have one as active and one as standby, or has this concept changed with vPC?

With vPC configured, HSRP is still needed; however, an improvement was made to the forwarding engine specifically to allow local Layer 3 forwarding at both the active HSRP peer and the standby HSRP peer. This enhancement provides, in effect, an active-active HSRP configuration with no changes to current HSRP configuration recommendations or best practices and no changes to HSRP. The HSRP control protocol still acts like an active-standby pair, so that only the active device responds to Address Resolution Protocol (ARP) requests, but a packet destined for the shared HSRP MAC address is accepted as local on either the active or standby HSRP device.

Hope that Helps,

Regards,

Iqbal Syed

habadr
Cisco Employee

Hi Mohamed, Marwan and Reza

First, thank you to all of you for enriching the discussion with questions and answers. I believe we will have lots of fun in the next two weeks.

Iqbal already commented on all of them, but let me just add my comments as well.

Q1- Is a vPC a normal Layer-2 EtherChannel? And does vPC support Layer-3 forwarding, just like we have Layer-3 EtherChannel?

A1- The answer is yes and no. Marwan showed one of the scenarios; however, I’ll refer to Brad Hedlund's paper in his blog:

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

As you can see, there are several scenarios for L3 with vPC. Some of them are supported while others are not. This is due to the most important rule for vPC: duplicate frame prevention logic that drops traffic traversing the peer link (destined for a vPC member port) when there are no failed vPC ports or links.

Q2- If we have a pair of vPC devices connected at the core/distribution layer, and we have multiple Nexus switches connected at the access layer, does the access layer see both vPC core peers as one logical device? Does this provide the same functionality as Cisco VSS on the 6500 switches? What exactly is the difference?

A2- Answered by Iqbal

Q3- Does enabling vPC provide ONLY more rapid convergence on failure detection than spanning tree provides? And when enabling vPC on Nexus, do we actually eliminate the need for Spanning Tree Protocol?

A3 – We eliminate the spanning-tree blocking ports, but spanning tree is still running in the background. While still operating with two separate control planes, vPC helps ensure that the neighboring devices connected in vPC mode see the vPC peers as a single spanning-tree and LACP entity. For this to happen, the system has to perform IEEE 802.3ad control-plane operations in a slightly modified way (which is not noticeable to the neighbor switch). Please refer to the following design document for more details:

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/design_guide_c07-625857.pdf

Q4- From the access layer, if we have Nexus, for example the 5000 series, can we have one vPC identifier connect to both of the Nexus 7000 distribution/core vPC pair?

A4- As Marwan and Iqbal mentioned, if the Nexus 5000 will have another vPC domain and you want to create double-sided vPC, then you should use a different domain ID.

However, if you mean you just want to connect an access switch, whether a Nexus 5000 switch, a Cisco Catalyst switch or even a 3rd-party switch, then none of these switches or any other devices need to know anything about the Nexus vPC technology; all you need is to configure a regular EtherChannel. The intelligence is in the Nexus vPC technology.

Q5- Does using vPC eliminate the use of first-hop redundancy protocols like HSRP? And how are frames forwarded through the active/standby HSRP peers? Do we still have one as active and one as standby, or has this concept changed with vPC?

A5 – As Marwan and Iqbal mentioned, you need HSRP since we have a separate control plane for each vPC peer switch.

The most significant difference between the HSRP implementation of a non-vPC configuration and a vPC configuration is that the HSRP MAC addresses of a vPC configuration are programmed with the G (gateway) flag on both systems, compared with a non-vPC configuration, in which only the active HSRP interface can program the MAC address with the G flag.

Given this fact, routable traffic can be forwarded by both the vPC primary device (with HSRP) and the vPC secondary device (with HSRP), with no need to send this traffic to the HSRP primary device. Without this flag, traffic sent to the MAC address would not be routed.

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/design_guide_c07-625857.pdf

Thanks

Hatim Badr

Thanks Marwan and Reza for the link and explanation.

And thanks Hatim/Iqbal for the answers. I have a couple of questions though:

1- You mentioned STP works normally for the non-vPC ports as a loop avoidance mechanism. Now this is clear; what is not clear is how vPC member ports actually avoid loops. Is vPC by itself considered a loop avoidance mechanism? And how is this possible if all links of the vPC member ports are forwarding?

2- You say "but a packet destined for the shared HSRP MAC address is accepted as local on either the active or standby HSRP device". As far as I know, the shared MAC address of the HSRP is used for the local communication between the HSRP active and standby devices, but it doesn't respond by itself to the ARP request by the client. I am still not sure I fully understand how both become active/forwarding. And for this scenario, is it required to have HSRP configured on vPC member ports? If you elaborate on this, it would be better.

3- Final question: is vPC actually configured on a Layer-2 switch port? If so, that means if we have a Layer-3 routed access design with distribution/core also working at Layer 3, do we still need vPC here?

Regards,

Mohamed

Thanks to everyone, and it looks like it really will be an interesting discussion.

Back to Mohamed's questions:

1- vPC has loop prevention mechanisms where traffic/frames coming over the peer link will not be forwarded over a vPC member port (duplicate frame prevention).

2- The active HSRP in Nexus replies with the virtual MAC of the VIP as described by Hatim; this will be the MAC-to-HSRP-VIP, which will be mapped to both the active and standby from an ARP perspective, and this way they are both in forwarding, which is different from other Cisco devices, while in Nexus the HSRP virtual MAC is populated into the L3 hardware forwarding tables, making local forwarding capability on the HSRP standby.

3- vPC is an L2 feature; if you have a routed access layer, then just use equal-cost multipathing (ECMP) using a routing protocol. No need for vPC, HSRP, etc.

Very Good questions and very interesting "Ask the expert" Discussion

HTH
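
The duplicate frame prevention rule described in the replies above, shown as a simplified model. This is an added example, not part of the original posts and not NX-OS code; the peer names A/B, the vPC numbers 10/20/30 and the `flood` function are constructed for illustration.

```python
# Simplified model of vPC duplicate frame prevention (illustrative, not NX-OS code).
# Peer names "A"/"B" and the vPC numbers are constructed for this example.

def flood(member_up, ingress_peer, src_vpc, dup_check=True):
    """Count copies of one flooded frame delivered to each vPC-attached device.

    member_up: {vpc_id: {"A": bool, "B": bool}}, state of each vPC member port.
    The frame enters `ingress_peer` on the member port of `src_vpc`.
    """
    if not member_up[src_vpc][ingress_peer]:
        raise ValueError("frame cannot arrive on a member port that is down")
    other = "B" if ingress_peer == "A" else "A"
    copies = {vpc: 0 for vpc in member_up}

    # Ingress peer: ordinary L2 flood out of every local member port that is
    # up, never back out of the port the frame arrived on.
    for vpc, up in member_up.items():
        if vpc != src_vpc and up[ingress_peer]:
            copies[vpc] += 1

    # The frame also crosses the peer link. The receiving peer may send it out
    # of a vPC member port only if that vPC's port on the ingress peer is down.
    for vpc, up in member_up.items():
        if not up[other]:
            continue
        if dup_check and up[ingress_peer]:
            continue  # ingress peer already covers this vPC (or it is the source)
        copies[vpc] += 1
    return copies


ALL_UP = {10: {"A": True, "B": True},
          20: {"A": True, "B": True},
          30: {"A": True, "B": True}}
# vPC 20 has lost its link to peer A; traffic must use the peer link.
VPC20_A_DOWN = {**ALL_UP, 20: {"A": False, "B": True}}

if __name__ == "__main__":
    print("rule on, all links up :", flood(ALL_UP, "A", 10))
    print("rule off, all links up:", flood(ALL_UP, "A", 10, dup_check=False))
    print("rule on, vPC 20 A down:", flood(VPC20_A_DOWN, "A", 10))
```

With the rule off, the sender on vPC 10 gets its own frame back and the other devices get two copies each; with the rule on, every device gets exactly one copy, including vPC 20 after its link to peer A fails.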

Mohamed Sobair
Level 7

Thanks Hatim for the answers. I believe we posted at actually the same time; I found my answers in the blog link you posted by Brad and in your description of HSRP.

Marwan,

Thanks for taking the time to answer. However, I have just a few comments. You seem to have excellent knowledge about Nexus and vPC, and your answers and descriptions are awesome/excellent. But I just wanted to say it would be better if we leave the answers to the original hosts of this session. If you for any reason find their answers misleading or not complete, or if you want to add a technical point or have any other related question, you can then post your comment or question, if any. It would be a better approach than immediately replying to questions addressed to Hatim and Iqbal before getting their replies.

I thank you for understanding, and you are truly an expert.

Regards,

Mohamed

That is great Mohamed and thanks Marwan for the answers,

So Q1 & 2 are clear now, but for the 3rd question about routed access I just want to clarify that you do not need vPC in this case, as you do not need spanning tree either.

vPC technology is for extending the L2 domain while eliminating spanning-tree blocked ports, hence it uses all available uplink bandwidth. Utilize half the number of links for the same bandwidth, or allow more efficient use of currently available ports.

Data center applications and technologies such as virtualization require larger L2 domains. Enabling a more efficient use of L2 scaled domains is the goal of vPC.

Thanks

Hatim Badr

sean_evershed
Level 7

Hi,

My question concerns the scenario of a pair of N7K's that are deployed in geographically separate data centres.

In order to support vPC between these two devices are there any recommended SLA's for the WAN link between the two data centres? For example bandwidth, latency and packet loss?

Thanks

Sean

Hi Sean,

vPC itself doesn't impose any distance limitations between the two geographically separated DCs; the limitation would depend upon the optics in use and the kind of interconnection (WAN link) you have between the two DCs.

Please see the detailed document below for some of the testing performed in this area :

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns949/ns304/ns975/data_center_interconnect_design_guide.pdf

Similarly, there are no recommendations on SLAs in regard to latency, packet loss, etc.; it will depend upon the applications in use and their sensitivity to latency and packet loss. The bandwidth requirement would be driven by the amount of traffic between the two DCs.

As such, careful consideration should be given to these parameters and thorough testing should be performed when designing a DCI solution.

HTH,

Regards,

Iqbal

Dear Hatim and Iqbal

Could you please confirm that my responses in the discussion below are accurate/up to date, about multihomed server NICs working in active/active mode with Nexus vPC, as I am not 100% sure if there is a new release that started supporting a new vPC capability?

https://supportforums.cisco.com/thread/2101678

Thanks and Regards,

Marwan

Hi Marwan,

You are right. The only un-supported vPC scenario is to have vPC between N5K--> N2K and then from N2K --> Server. You can do either of them.

Thanks

Hatim Badr

Thanks Hatim
