
Issue with routing over Nexus 7000 vpc peerlink

Hello,

I have a big issue with routing over the Nexus 7000 vPC peer-link.

I am exactly in the case of diagram 3 of the link below:

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

My question is: how can I resolve my problem? I don't understand.

Also, the above link is the only one that speaks about routing over the Nexus 7000 vPC peer-link. I am very frustrated because the Cisco documentation doesn't speak in detail about how vPC works, and consequently it is very, very difficult to understand the side effects of vPC integration.

Thank you in advance,

Best regards,

Thibault

12 REPLIES

Issue with routing over Nexus 7000 vpc peerlink

What is the issue you have?

New Member

Issue with routing over Nexus 7000 vpc peerlink

Do you see network diagram 3?

The firewalls are singly attached (no vPC) to a VLAN that is forwarded on the Nexus 7000′s vPC peer link. The firewalls are running OSPF and attempting to form an adjacency with each Nexus 7000. This design doesn't work.

Each firewall will form an OSPF adjacency with both Nexus 7000′s. This means that some OSPF routed traffic will traverse the vPC peer-link (even when no ports or links are failed). As a result, this traffic will be dropped.

Do you see my problem now?

Thank you,

Regards,

Thibault

Re: Issue with routing over Nexus 7000 vpc peerlink

Best practice:

  • Attach external routers or L3 switches with L3 routed interfaces.
  • It’s OK to use the vPC peer-link to form a routing adjacency between the two Nexus 7000′s.  Use a VLAN dedicated to the routing adjacency and only forward this VLAN on the peer-link, not on the vPC member ports.
  • Use the ‘passive-interface default’ command in your routing protocol to prevent a routing adjacency on all the other VLANs.
  • If attaching external devices on a Layer 2 port running a routing protocol with the Nexus 7000′s (e.g. firewall running OSPF), provision a new non-vPC inter-switch link, and attach the device to non-vPC VLANs.
  • Use static routes to the HSRP gateway address on external devices such as firewalls and load balancers.  Do not run routing protocols on these devices unless absolutely necessary.

****** Read the Cisco vPC best practices design guides ******

http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html
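
An illustrative NX-OS configuration for one of the two Nexus 7000s that follows the practices listed above. This is an added example, not from the thread or from Cisco documentation; the VLAN IDs, interface numbers, addresses and OSPF instance tag are constructed placeholders, and the vPC domain, peer-keepalive and vPC member ports are assumed to be configured already.

```cisco
! Constructed example for Nexus 7000 "A"; mirror it on the peer with its own addresses.
feature ospf
feature interface-vlan
feature vpc
! VLAN 100: vPC VLAN (servers). VLAN 900: N7K-to-N7K adjacency, peer-link only.
! VLAN 910: non-vPC VLAN for the singly attached firewall running OSPF.
vlan 100,900,910

interface port-channel1
  description vPC peer-link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100,900
  vpc peer-link

interface port-channel2
  description separate non-vPC inter-switch link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 910

interface Ethernet1/10
  description firewall, single-attached (no vPC)
  switchport
  switchport access vlan 910
  no shutdown

router ospf 1
  ! No adjacency on any interface unless explicitly re-enabled below.
  passive-interface default

interface Vlan100
  ! vPC VLAN: advertised into OSPF but stays passive; hosts use the HSRP gateway.
  ip address 10.1.100.2/24
  ip router ospf 1 area 0.0.0.0
  no shutdown

interface Vlan900
  ip address 10.1.90.1/30
  ip router ospf 1 area 0.0.0.0
  no ip ospf passive-interface
  no shutdown

interface Vlan910
  ip address 10.1.91.2/29
  ip router ospf 1 area 0.0.0.0
  no ip ospf passive-interface
  no shutdown
```

VLAN 900 is allowed only on the peer-link and on no vPC member port, and VLAN 910 is allowed only on the separate inter-switch link, so OSPF traffic to the firewall never crosses the vPC peer-link.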

New Member

Issue with routing over Nexus 7000 vpc peerlink

OK, thank you, I think I have the answer to my question. However, the vPC best practices come from unofficial documentation, or I don't find them on the Cisco website.

Andrew Prince wrote:

Best practice:

  • Attach external routers or L3 switches with L3 routed interfaces.
  • It’s OK to use the vPC peer-link to form a routing adjacency between the two Nexus 7000′s.  Use a VLAN dedicated to the routing adjacency and only forward this VLAN on the peer-link, not on the vPC member ports.
  • Use the ‘passive-interface default’ command in your routing protocol to prevent a routing adjacency on all the other VLANs.
  • If attaching external devices on a Layer 2 port running a routing protocol with the Nexus 7000′s (e.g. firewall running OSPF), provision a new non-vPC inter-switch link, and attach the device to non-vPC VLANs.
  • Use static routes to the HSRP gateway address on external devices such as firewalls and load balancers.  Do not run routing protocols on these devices unless absolutely necessary.

****** Read the Cisco vPC best practices design guides ******

http://www.cisco.com/en/US/products/ps9670/products_implementation_design_guides_list.html

Thank you

New Member

Hi,

I have a mix of the two suggested solutions:

1. I have two VDCs and run OSPF between them.

2. I attached a Cisco 6500 to one of the VDCs, using a trunk that allows specific VLANs, and run OSPF over a VLAN.

I am confused about whether I need an extra link between the Nexus switches to run OSPF or whether I can use the peer-link.

What is the best practice to achieve this?


both will work but if you want

Both will work, but if you want to use OSPF over the vPC peer-link, make sure to use a non-vPC VLAN; otherwise your IGP will not function correctly.


New Member

Hi Marwan,

Thanks for your reply.

Can you give an example of how to do it?

Thanks

New Member

I believe the issues of Design 3 are addressed in NX-OS 7.2? Any ideas?

Found this:

Dynamic Routing over vPC

Dynamic Routing over vPC feature enables L3 routing protocols such as OSPF to form adjacency with the two vPC peer chassis. The equal routing cost matrices must be configured on applicable interface on each of the vPC peers, failure to do so can result in blocking the traffic. Asymmetric routing feature has to be implemented to address this issue and to configure Dynamic Routing over vPC. Additionally, when Dynamic Routing over vPC is enabled a warning log message is printed.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/7_x/nx-os/release/notes/72_nx-os_release_note.html

New Member

Hi,

I have the same query:

I have two Nexus switches divided into two VDCs (VDC-1 and VDC-2); the connection between VDC-1 and VDC-2 is L3 and runs OSPF.

On VDC-2, two ASAs are connected, as shown in the network diagram. My queries are:

1. For ASA sync, do I need to add an extra link between the two Nexus switches only to allow the sync VLAN, or can I use the vPC peer-link? In the diagram, (state/keepalive) is for ASA sync, not for vPC keepalive. Please correct me: what is the best practice?

2. Regarding the two VDCs, since we are enabling OSPF between them, can I enable OSPF over the peer-link in each VDC? Please advise me, because I am really confused when I check routing over the peer-link, and if you can, add a sample configuration for each VDC.

Thanks

Re: Issue with routing over Nexus 7000 vpc peerlink

The recommended design is to have a separate link for OSPF peering, other than the vPC peer-link, if you are running OSPF between the firewalls and the N7K,

which is described in the link you posted above.

Hope this helps


New Member

Issue with routing over Nexus 7000 vpc peerlink

Hello marwanshawi,

I have two firewalls, one per Nexus and in the same VLAN. So I have to create two networks to interconnect each firewall with its Nexus, and an interconnect network between the two Nexus switches, is that it?

Thank you,

Regards,

Thibault

New Member

Issue with routing over Nexus 7000 vpc peerlink

It is OK. I created another trunk and it works.

And if servers or switches are singly attached (orphan ports) on Nexus 1, can they ping the Nexus 2 IP (in the same VLAN as the servers or switches) via the vPC peer-link?

Thank you in advance.

Thibault
