Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPC issue with OSPF between NX5K and Juniper SRX FW

Hi,

I have deployed a new NEXUS plateforme based on two 5596UP switchs connected in a VPC Domaine. this paire of NX5K is connected throught to point to point L3 links to Juniper SRX FW formed with OSPF L3 adjancy. The both SRX are configured as actif/actif throught is distributed Reth interfaces. 

The issue is we experience a network access issue from outside FW to the Datacenter throught the FW and NX5K VPC Domaine. Some traffic flape and report duplicate response from servers into the Datacenter VLans.

The NX5K Vpc domaine use HSRP actif standby and peer gatewar enabled. We have implemented a deticated L3 link beetwen two NX5K for L3 adjancy out of VPC Peer link.

Datacenter switch are using L2 legacy switch connected with VPC distributed L2 link to both NX5K using LACP agregration protocole.

When we shut the second L3 link connecting the second NX5K to second Reth for Juniper SRX. the traffic flow normaly form outside to the datacenter.

Regarding this issue what are your recomendations to prevent this issue?

N.B : design in attachement.

Regards.

 

 

11 REPLIES
VIP Super Bronze

Hi,Are your SRX clustered? I

Hi,

Are your SRX clustered? I have done the same but with active/passive and the firewalls are clustered.

Once it is clustered, you put all 4 interfaces facing the 5500s in one reth. Then on 5500, you create 2 Portchannels with VPCs and put one interface from each 5k in a different Portchannel Then use /29 to span among both 5ks and the firewall cluster.

HTH

 

 

New Member

Hi Reza,Yes, SRX are clustred

Hi Reza,

Yes, SRX are clustred. We use two distributed reth 0 and 1 connected to each NX5K. and we use a direct L3 peering with OSPF. At NX5K we use Two port channels with SVI and P2P subnet /30 for adjency.

The 
VPC Role at the NX5K A is : 

vPC Role status
----------------------------------------------------
vPC role                        : primary, operational secondary
Dual Active Detection Status    : 0
vPC system-mac                  : 00:23:04:ee:be:01
vPC system-priority             : 32667
vPC local system-mac            : 54:7f:ee:80:59:41
vPC local role-priority         : 32667

and VPC Role at the NX5K B is : 


vPC Role status
----------------------------------------------------
vPC role                        : secondary, operational primary
Dual Active Detection Status    : 0
vPC system-mac                  : 00:23:04:ee:be:01
vPC system-priority             : 32667
vPC local system-mac            : 54:7f:ee:8f:48:c1
vPC local role-priority         : 32667

for HSRP peering, NXKA is root bridge and actif for all SVI.

When we traceroute from DC to outside, the trafic flow alway from the secondary VPC Memeber.

 

Is normal to get the status for VPC?

 

Regards

VIP Super Bronze

Hi,The VPC status is correct.

Hi,

The VPC status is correct.  You should also make sure to match the root bridge and HSRP primary/active with your VPC primary device.

 

HTH

New Member

Please note that operational

Please note that operational mode are in crossever mode beetwen the vpc role and vpc operational mode.

This can impact the traffic flow sens that the actual VPC primary is the root bridge and HSRP active, but itsn't the operatinal primary. so the flow can carrier the vpc peerlink.

Please would share with me you topologie that you have implement so to do a comparasion?

Please i need also to know how you have configure the two port channel for both NX5K for adjency with Reth on SRX?

 

Regards.

Silver

Reza, do you useLayer3 reth

Reza, do you use

Layer3 reth link aggregation group, 2x2 links, 1 IP address       on Juniper SRX

Layer2 vPC Port-channel, 2x2 links, 2 SVIs, 2 IP addresses         on Cisco Nexus 5500

and a common /29 subnet?

I've read in vPC design guides that mixing L2 and L3 is bad. Why not create one Layer3 (non-vPC) Port-channel from each Nexus 5500 to the SRX cluster and use them with ECMP (2 ECMP links, not 4)

New Member

Hi Reza,On SRX side, we use

Hi Reza,

On SRX side, we use two reths, 0 and 1,  both of them use distributed physical links from both SRX chassis (actif/actif) : Reth 0 using x1/0/0 and x15/0/0 to one NX5K_A and reth 1 using x1/0/1 and x15/0/1 to NX5K_B.

On both NX5K we use L3 SVI for P2P L3 link to SRX cluster.

Two ports on the same L3 Vlan from NX5K_A to Reth0 and two ports on the same other L3 Vlan from NX5K_B to Reth 1.

both of vlans are not truked on vpc peer link.

We use OSPF L3 adjency for.

The real issue discovered is any host connected from a FEX or L2 Switch throught a dual homed VPC drop response (pings) to outside datacenter.

When we drop vpc dual homed (use only one link) the ping reponse get correct.

Peer gateway is configured on both NX5K. no ip redirect is configured only on the local SVIs not on the SVI used for L3 OSPF links.

 

Regards

New Member

You cannot create L3 routing

You cannot create L3 routing protocol adjacencies on vPC. This is a well-known restriction for vPC design.

 

You have either to use regular PtP links with routing protocol on each of the Nexus boxes (1 PtP to Nexus#1, and another PtP to Nexus#2), with no vPC 

 

OR

 

Use HSRP and static routes (on top of a vPC).

 

The reason it will not work is that L3 ECMP on a vPC might select L3 next-hop on the opposite box, and thus the peer link will be traversed. When a packet comes from the peer-link, is not allowed to exit a non-degraded vPC interface (that is for allowing the redundancy of the vPC). This rule is used to prevent loops.

 

Ciao,

A.

 

Silver

That's very interesting,

That's very interesting, makes me think hard (-:

 

Could you please link the source documents of the restriction you explained?

Silver

And what about my suggested

And what about my suggested setup that is two non-vPC port-channels, one from each Nexus?

Silver

                And what

 
               And what about my suggested setup that is two non-vPC port-channels, one from each Nexus?

 

I've realized it is a bad design as ae1/Port-channel1 LAG ports must be on the same SRX. The LAG cannot have a port from SRX A and SRX B as only one of them is active.

 

To be clear, the restriction

To be clear, the restriction for routing over vPC is a Nexus 7000 restriction only. See Adam Raffe's blog post L3 over vPC: Nexus 7000 vs 5000 for details.

In terms of the Nexus 7000, there is no longer a restriction since NX-OS 7.2. See Dynamic Routing over vPC possible in 7.2 NX-OS? and Routing over VPC Link? for recent discussion on this.

Regards

964
Views
5
Helpful
11
Replies
CreatePlease to create content