Issue with routing over Nexus 7000 vpc peerlink

Thibault BRISSE
Level 1

Hello,

I have a big issue with routing over the Nexus 7000 vPC peer-link....

I am exactly in the case of diagram 3 of the link below:

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

My question is how I can resolve my problem; I don't understand.

Also, the above link is the only one that speaks about routing over the Nexus 7000 vPC peer-link. I am very frustrated because the Cisco documentation doesn't describe vPC operation in detail, and consequently it is very, very difficult to understand the side effects of vPC integration.

Thank you in advance,

Best regards,

Thibault

14 Replies

andrew.prince
Level 10

What is the issue you have?

Do you see network diagram 3?

The firewalls are singly attached (no vPC) to a VLAN that is forwarded on the Nexus 7000's vPC peer-link. The firewalls are running OSPF and attempting to form an adjacency with each Nexus 7000. This design doesn't work.

Each firewall will form an OSPF adjacency with both Nexus 7000s. This means that some OSPF-routed traffic will traverse the vPC peer-link (even when no ports or links have failed). As a result, this traffic will be dropped.

Do you see my problem now ?

Thank you,

Regards,

Thibault

Best practice:

  • Attach external routers or L3 switches with L3 routed interfaces.
  • It's OK to use the vPC peer-link to form a routing adjacency between the two Nexus 7000s. Use a VLAN dedicated to the routing adjacency and only forward this VLAN on the peer-link, not on the vPC member ports.
  • Use the 'passive-interface default' command in your routing protocol to prevent a routing adjacency on all the other VLANs.
  • If attaching external devices on a Layer 2 port running a routing protocol with the Nexus 7000s (e.g. a firewall running OSPF), provision a new non-vPC inter-switch link, and attach the device to non-vPC VLANs.
  • Use static routes to the HSRP gateway address on external devices such as firewalls and load balancers. Do not run routing protocols on these devices unless absolutely necessary.

****** Read the Cisco vPC best practices design guides ******

http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html
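Putting the best-practice list above into a configuration makes the "dedicated VLAN, peer-link only, passive by default" pattern concrete. The following NX-OS snippet is an added example for one vPC peer (call it N7K-1); it is not from this thread, from Brad Hedlund's article or from Cisco's design guides. The VLAN numbers, addresses, port-channel numbers, OSPF process tag and the ASA route line at the end are all assumptions; the second peer is configured the same way with its own addresses and HSRP priority.

```text
! Added example, N7K-1 (assumed names/addresses): routing over the vPC peer-link
! done the recommended way. Comments are prefixed with "!".
feature ospf
feature interface-vlan
feature hsrp
feature vpc
feature lacp

! VLAN 10 is a vPC VLAN for servers; hosts and firewalls use the HSRP VIP as gateway.
vlan 10
  name SERVERS
! VLAN 3999 is a dedicated, non-vPC VLAN used ONLY for the N7K-1 <-> N7K-2 OSPF adjacency.
vlan 3999
  name OSPF-PEERING-NON-VPC

vpc domain 10
  role priority 100
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management

! vPC peer-link: carries the vPC VLANs AND the dedicated routing VLAN.
interface port-channel1
  description vPC peer-link to N7K-2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10,3999
  vpc peer-link

! vPC member port (dual-homed access switch): vPC VLANs only.
! VLAN 3999 is deliberately NOT allowed here, so no device behind a vPC
! can ever send routing-protocol traffic onto the peer-link.
interface port-channel11
  description vPC to access switch ACC-1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10
  vpc 11

! External router attached on a routed (L3) interface, not on a VLAN.
interface Ethernet1/1
  description L3 link to CORE-1
  no switchport
  ip address 10.255.1.1/30
  ip router ospf 1 area 0.0.0.0
  no ip ospf passive-interface

! SVI on the dedicated routing VLAN: the one place where the two peers
! form an OSPF adjacency across the peer-link.
interface Vlan3999
  no shutdown
  ip address 10.255.255.1/30
  ip router ospf 1 area 0.0.0.0
  no ip ospf passive-interface

! SVI on the server VLAN: advertised into OSPF but left passive, so no
! adjacency is attempted with anything in VLAN 10 (e.g. a firewall).
interface Vlan10
  no shutdown
  ip address 10.10.10.2/24
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 10
    preempt
    priority 110
    ip 10.10.10.1

router ospf 1
  router-id 10.255.255.1
  ! Passive on every interface unless explicitly un-passived above.
  passive-interface default

! On the singly attached firewall (Cisco ASA syntax, also assumed), point a
! static route at the HSRP VIP instead of running OSPF with the N7Ks:
!   route inside 0.0.0.0 0.0.0.0 10.10.10.1
```

The two checks worth running after applying this are `show ip ospf neighbors` (the only neighbours should be the peer on Vlan3999 and the routed uplink) and `show vpc` (VLAN 3999 must not appear as a vPC VLAN on any member port). If the firewalls genuinely must run OSPF, the fourth bullet applies instead: a separate non-vPC trunk between the two Nexus switches, with the firewall VLAN carried on that trunk rather than on port-channel1.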

Ok, thank you, I think I have the answer to my question. However, the vPC best practices come from unofficial documentation, or I can't find them on the Cisco website.

Andrew Prince wrote:

Best practice:

  • Attach external routers or L3 switches with L3 routed interfaces.
  • It's OK to use the vPC peer-link to form a routing adjacency between the two Nexus 7000s. Use a VLAN dedicated to the routing adjacency and only forward this VLAN on the peer-link, not on the vPC member ports.
  • Use the 'passive-interface default' command in your routing protocol to prevent a routing adjacency on all the other VLANs.
  • If attaching external devices on a Layer 2 port running a routing protocol with the Nexus 7000s (e.g. a firewall running OSPF), provision a new non-vPC inter-switch link, and attach the device to non-vPC VLANs.
  • Use static routes to the HSRP gateway address on external devices such as firewalls and load balancers. Do not run routing protocols on these devices unless absolutely necessary.

****** Read the Cisco vPC best practices design guides ******

http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html

Thank you

Hi,

I have a mix between the two suggested solutions:

1. I have two VDCs and run OSPF between them.

2. I attached a Cisco 6500 to one of the VDCs using a trunk that allows specific VLANs, and run OSPF over a VLAN.

I am confused about whether I need an extra link between the Nexus switches to run OSPF, or whether I can use the peer-link.

What is the best practice to achieve this?

 

Both will work,

but if you want to use OSPF over the vPC peer-link, make sure to use a non-vPC VLAN, otherwise your IGP will not function correctly.

 

Hi Marwan,

Thanks for your reply.

Can you give an example of how to do it?

Thanks

I believe the issues of Design 3 are addressed in NX-OS 7.2? Any ideas?

Found this.

Dynamic Routing over vPC

The Dynamic Routing over vPC feature enables L3 routing protocols such as OSPF to form an adjacency with the two vPC peer chassis. Equal routing cost matrices must be configured on the applicable interface on each of the vPC peers; failure to do so can result in the traffic being blocked. The asymmetric routing feature has to be implemented to address this issue and to configure Dynamic Routing over vPC. Additionally, when Dynamic Routing over vPC is enabled, a warning log message is printed.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/7_x/nx-os/release/notes/72_nx-os_release_note.html

Hi,

I have the same query:

I have two Nexus switches divided into two VDCs (VDC-1 and VDC-2). The connection between VDC-1 and VDC-2 is L3 and runs OSPF.

On VDC-2, two ASAs are connected as shown in the network diagram. My queries are:

1. For ASA sync, do I need to add an extra link between the two Nexus switches only to allow the sync VLAN, or can I use the vPC peer-link? In the diagram this is shown as (state/keepalive); this is for ASA sync, not for the vPC keepalive. Please correct me: what is the best practice?

2. Regarding the two VDCs, since we are enabling OSPF between them, can I enable OSPF over the peer-link in each VDC? Please advise me, because I am really confused when I check routing over the peer-link, and if you can, add a sample configuration for each VDC.

Thanks

Running into a similar issue, and thank you for the guidance. However, do you know exactly where it talks about these points specifically related to routing protocols?

Dynamic routing over vPC is now supported on F2E, F3 and M3 line cards.
Check this out
https://www.ciscolive.com/global/on-demand-library/?search=vpc#/session/14479207929320017eHp

Marwan ALshawi
VIP Alumni

The recommended design is to have a separate link for OSPF peering other than the vPC peer-link if you are running OSPF between the firewalls and the N7Ks.

This is described in the link you posted above.

Hope this helps.

Hello marwanshawi,

I have two firewalls, one per Nexus and in the same VLAN. So I have to create two networks to interconnect each firewall with its Nexus, and an interconnect network between the two Nexus switches, is that it?

Thank you,

Regards,

Thibault

It is OK. I created another trunk and it works.

And if servers or switches are singly attached (orphan ports) on Nexus 1, can they ping the Nexus 2 IP (in the same VLAN as the servers or switches) via the vPC peer-link?

Thank you in advance.

Thibault
