New Member

vpc peer-link forwarding behavior


In this Cisco doc ( ) I came across this statement:

One of the most important forwarding rules of vPC is the fact that a frame that entered the vPC peer switch from the peer link cannot exit the switch out of a vPC member port (except if this is coming from an orphaned port).

This makes perfect sense up to the "except if this is coming from an orphaned port". I can't seem to figure out why traffic sourced from an orphaned port (i.e., "from" an orphaned port) and ultimately destined to a vPC member port is allowed -- since it should be sent out the local vPC member port and not across the peer link.

Would make more sense to me if it said "destined to an orphaned port", so of course it would have to cross the peer-link.

Can anyone shed some light on this exception to the rule?


Cisco Employee

You are correct. I think it SHOULD say "destined to an orphaned port". If traffic ingresses at an orphan port and needs to egress a vPC member port, it should not need to cross the vPC peer link.

In fact, if it does and then needs to be sent to a vPC member port, it will be dropped. I ran into this situation just last week and know it's a problem.

I'll see if we can update the document to get it corrected in future versions.

Thank you for pointing this error out.


New Member

Thanks Chad!

Kept racking my brain on that one, and the only time it would make any sense (i.e., I was trying to fit a square peg in a round hole) is if you have IGP peering to each 7K from an orphan port (e.g., a FW), the IGP ECMP hashes a packet to the far-end 7K, and then the traffic sent to the directly attached 7K must be sent across the vPC peer link -- and in theory shouldn't be dropped. This is, of course, until you add the peer-gateway command, which confuses matters a bit -- especially from an IGP control-plane perspective, but also in this loop-prevention rule, since the local 7K will handle the packets destined to the other 7K's MAC.

To complicate matters worse, the latest 5K release notes say to exclude-vlan for peer-gateway for your backup router vlan... still have to dive into that one.
