Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12312
Views
5
Helpful
4
Replies

BGP adjacency over a VPC peer link

Go to solution
Lim Victor
Level 1
Level 1

‎07-03-2012 05:09 PM - edited ‎03-01-2019 07:07 AM

Hi all,

I would like to check on a few things on BGP adjacency over a VPC peer link.

I have 2 nexus 7k acting as the gateway for a number of SVIs(vlan 10,20,30).there is another SVI(eg 200) meant for bgp peering. All the vlans are trunk across the vpc peer link with a number of vpc created and joined to the nexus 5ks.

Physically it will be something like this.

ISP router 1 --- nexus 7K 1 --- nexus 7k2 --- ISP router 2

No vpc connection from the nexus 7ks to the each of the ISP routers.

Logically, they will be forming bgp neighborship thru the same ip subnet(vlan 200 on nexus). The ISP routers will form neighborship with both the nexus 7ks using ebgp and the nexus 7ks will form neighborship with each other using ibgp across the vpc peer-link.

My concern is

1) would it hit the "no l3 routing over vpc peerlink" ruling in bradhedlund's article? I think it does.

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

2) besides configuring a non-vpc peer link(just a normal l2 link) for vlan 200, any workaround?

3) would disallowing the vlan 200 from the vpc to the nexus 5ks help if I do not use a non vpc peer link and still use the vpc peer link to form the adjacent?

Thanks

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Oleksandr Nesterov
Cisco Employee
Cisco Employee

‎07-04-2012 01:43 AM

Hi Victor

From the article you can see that idea is to not to yse routing over VPC links (not vpc peer-link)

So you'r n7k can form adjacency via peer-link, but using separate l3 link between n7ks is more recommended option.

But you need to remember that you cannot peer with any device which is connecter via VPC to your n7k cluster.

Also in your design both ISP routers are orphan, which means that in case of failure of the peer-link one router will become unavailabe for all vpc members. And in case of failure both - vps peer-link and keep-alive link both routers will forward traffic for your AS.

This is your design:

http://bradhedlund.s3.amazonaws.com/2010/L3-over-vpc/L3-over-peer-link-3-2.png

HTH,

Alex

View solution in original post

Go to solution
answanso
Cisco Employee
Cisco Employee
In response to Lim Victor

‎07-12-2012 05:23 AM

Hi Lim,

You are correct. That is why there is a recommendation to create an adjacency across a seperate link or non-vPC port-channel because it does not share the same loop prevention mechanisms. Anytime a packet crosses a vPC peer-link, the loop prevention mechanism prevents the packet from then being forwarded back onto a vPC. Configuring Vlan10 in the trunk allowed list of the vPC peer-link and then allowing BGP to form a neighbor relationship across it will result in routes with next-hops that require utilizing the peer-link to forward traffic. This is a no-no if your traffics destination sits behind a vPC.

HTH

Anthony

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Oleksandr Nesterov
Cisco Employee
Cisco Employee

‎07-04-2012 01:43 AM

Hi Victor

From the article you can see that idea is to not to yse routing over VPC links (not vpc peer-link)

So you'r n7k can form adjacency via peer-link, but using separate l3 link between n7ks is more recommended option.

But you need to remember that you cannot peer with any device which is connecter via VPC to your n7k cluster.

Also in your design both ISP routers are orphan, which means that in case of failure of the peer-link one router will become unavailabe for all vpc members. And in case of failure both - vps peer-link and keep-alive link both routers will forward traffic for your AS.

This is your design:

http://bradhedlund.s3.amazonaws.com/2010/L3-over-vpc/L3-over-peer-link-3-2.png

HTH,

Alex

Go to solution
Lim Victor
Level 1
Level 1
In response to Oleksandr Nesterov

‎07-04-2012 11:54 AM

Hi Alex,

I agree that a separate L3 link may be better for my case.

I feel that both my n7K can form BGP adjacency with both the ISP routers via the VPC peer link but traffic from ISP router 1 to nexus 7K2(thru the VPC peer link) will still be dropped due to the loop prevention logic in Nexus 7K.

Quote from brad hedlund's website

-------------------------------------------------------------------------------------------------------------------------------------------

Let’s look at Diagram #3 below.  Here’s another example of an external  device building a routing protocol adjacency with the Nexus 7000′s, this  time its firewalls.  The firewalls are singly attached (no vPC) to a  VLAN that is forwarded on the Nexus 7000′s vPC peer link.  The firewalls  are running OSPF and attempting for form an adjacency with the each  Nexus 7000.  This design too does NOT work.

-------------------------------------------------------------------------------------------------------------------------------------------

ISP router 1 ----------------------- nexus 7K 1 ----------------- nexus 7k2 ----------------------- ISP router 2

                         Access                         Peer-Link                            Access

                     Port (Vlan 200)                    (Trunk)                         Port (Vlan 200)

If traffic from ISP router 1 is meant for a port on VLAN 10, it should not traverse the VPC peer-link to Nexus 7K2.

Am i right to say that the above reason is why my design will face problems?

Thanks.

0 Helpful

Go to solution
answanso
Cisco Employee
Cisco Employee
In response to Lim Victor

‎07-12-2012 05:23 AM

Hi Lim,

You are correct. That is why there is a recommendation to create an adjacency across a seperate link or non-vPC port-channel because it does not share the same loop prevention mechanisms. Anytime a packet crosses a vPC peer-link, the loop prevention mechanism prevents the packet from then being forwarded back onto a vPC. Configuring Vlan10 in the trunk allowed list of the vPC peer-link and then allowing BGP to form a neighbor relationship across it will result in routes with next-hops that require utilizing the peer-link to forward traffic. This is a no-no if your traffics destination sits behind a vPC.

HTH

Anthony

0 Helpful

Go to solution
Lim Victor
Level 1
Level 1
In response to answanso

‎07-16-2012 05:10 PM

Thanks Anthony.

U just helped to clear me doubts :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents