Nexus vPC


Building a vPC Domain: Guidelines and Restrictions
To build a vPC domain, use the following configuration guidelines:
● You must enable the vPC feature (conf t; feature vpc) before you can start configuring a vPC domain.
● You must configure the peer-keepalive link before the peer-link in order for the vPC system to come up.
● You must configure both vPC peer devices; the configuration is not sent from one device to the other.
● To configure a double-sided vPC topology, you must assign a unique vPC domain ID for each respective vPC layer.
● To use vPC in a DCI topology, you must assign a unique vPC domain ID for each respective data center.
● Check that the necessary configuration parameters are consistent on both sides of the vPC peer-link.
● We recommend that you activate the LACP feature and configure vPC member ports with LACP mode set to ACTIVE.
● All ports for a given vPC must be in the same VDC.
● Only Layer 2 port channels (switchport mode trunk or switchport mode access) can be configured on vPC member ports.
● PIM SM (Sparse Mode) is fully interoperable with vPC. The software does not support PIM BiDIR or PIM SSM (Source Specific Multicast) with vPC.
● The software does not support DAI (Dynamic ARP Inspection) or IPSG (IP Source Guard) in a vPC environment.
● DHCP relay and DHCP snooping are supported with vPC.
● The software does not support Cisco Fabric Services regions with vPC.
● Port security is not supported on vPC member ports.
● Configure a separate Layer 3 link for routing from the vPC peer device (backup routing path), rather than using the vPC peer-link and an SVI for this purpose.
● We recommend that you create an additional Layer 2 trunk port-channel as an interswitch link to transport

[Figure: vpc_topology]

By default, the management (mgmt) port is used as the peer-keepalive link.

Strong Recommendations:
When building a vPC peer-link, follow these guidelines:
● Ensure that member ports are 10-Gigabit Ethernet interfaces.
● Use a minimum of two 10-Gigabit Ethernet ports. vPC peer-link member ports can be scaled up to the line card's port-channel capacity (an M1 line card supports up to 8 member ports, while F1 and F2 support up to 16 member ports).
● Use at least 2 different line cards to increase the high availability of the peer-link.
● Use dedicated 10-Gigabit Ethernet ports with the M1 32-port 10G line card. Do not use shared mode ports.

[Figure: vpc_topology1]

If the vPC peer-link fails but the peer-keepalive is still alive, all traffic is handed over to the vPC primary Nexus.

If this brings down the secondary Nexus and all of the SVIs on it, that may not be what the user wants: they may want certain VLANs to keep working on the secondary Nexus, in which case the following command is used.
Use this command to keep desired SVI in UP state when vPC peer-link goes down:
N7k(config-vpc-domain)# dual-active exclude interface-vlan

How to Attach Devices to a vPC Domain
Attaching a device to a vPC domain involves creating a Layer 2 port-channel from the access device to the 2 vPC peer devices. From the access device's standpoint, this is a classical port-channel. From each vPC peer device's standpoint, this is a vPC member port (i.e. a port-channel configured with the vpc keyword).

[Figure: vpc_topology2]

Note: Layer 3 port-channels are not supported with vPC technology.

Note that attaching a FEX redundantly to the vPC peer group over a vPC link and using a FEX as a port extension of a single device in the vPC group are two different concepts.

In practice, within the same port-channel on the FEX, member port 1 should connect to 7K_1 and member port 2 to 7K_2. This gives full redundancy.

[Figure: nexus4]

How to connect two Nexus peer groups with vPC

In a double-sided vPC topology, all interconnect links between the 2 vPC domains MUST belong to the same vPC. All links form a unique vPC (on both sides of the 2 vPC domains). The vPC ID can be different across the 2 vPC domains. However, the vPC ID must be the same across the 2 peer devices of the same domain.

The vPC domain IDs of the 7K pair and the 5K pair may differ, but within each peer pair (the two 7Ks or the two 5Ks) the domain ID must be the same, and the virtual port-channel ID on that pair must also be the same. In other words, the two 7Ks (or two 5Ks) joined by the peer-link are treated as one entity, and only when the virtual port-channel ID is the same on that entity is it seen as a single port-channel connecting to the other 5K or 7K pair. This is the purpose of vPC: a device that is actually connected to two switches at once believes it is connected to only one. The po2 in int po2 does not by itself represent the vPC channel number; vpc 2 must be specified under po2 to define that po2 represents the vPC 2 link. Therefore, when interconnecting multiple vPC domains there can be several port-channels, distinguished by assigning different vPC numbers. The domain ID is meaningful only on the peer-link; between entity groups connected by ordinary vPC links it has no meaning.

Configuration example
7K_1

feature udld
After UDLD is enabled it is applied on all fiber ports by default but not on copper ports; this can be seen in the output of show udld.

vpc domain 1
role priority 1000
peer-keepalive destination 10.10.1.88
peer-gateway
peer-switch
port-profile default max-ports 512
peer-gateway lets each peer act as the gateway on behalf of the other, reducing traffic crossing back and forth between the peers. It must be used for devices that send replies without resolving the destination via ARP; if the device resolves the reply destination via ARP, the reply does not land on the wrong peer, so no traffic crosses between the peers and the command can be omitted.
peer-switch synchronizes the STP root ID between the primary and secondary Nexus peers. Without it, the primary and secondary have independent bridge IDs; the primary should be made the root, and only the root controls BPDUs. With it enabled, the two devices share one bridge ID, 0023.04ee.beXX, where XX is the vPC domain ID. Once merged, the STP configuration must be identical on both peers. For an ordinary orphan device single-attached to the primary or the secondary of the vPC peer group, whichever peer it is attached to controls its BPDUs, regardless of whether peer-switch is enabled.

interface port-channel1
description VPC-Peer-Link
switchport mode trunk
spanning-tree port type network
vpc peer-link
Port type network is used only on the peer-link, not on ordinary vPC links. It enables Bridge Assurance, which monitors whether the interface receives BPDUs; this obviously presupposes that the port is in the forwarding state, but all vPC ports are always forwarding, so the feature is of no use on ordinary vPC ports.

interface port-channel2
description VPC-Peer-DMZ641
switchport mode trunk
vpc 2
This declares po2 as virtual port-channel 2; the other side can use int po3 with vpc 2 to make the connection.

interface Ethernet1/1
description VPC-Peer-DMZ644/1
switchport mode trunk
channel-group 1

interface Ethernet1/2
description VPC-Peer-DMZ644/2
switchport mode trunk
channel-group 1

interface Ethernet1/3
description VPC link to DMZ641
switchport mode trunk
channel-group 2

Non-vPC Vlan and Orphan Ports

If the VLANs are not in sync between the two vPC peers (VLAN 20 exists on A but not on B), show interface trunk shows the VLAN as err-disabled and VLAN 20 does not appear in show vpc. VLAN 20 is then called a non-vPC VLAN. In this case another link is needed between the peers to carry the VLAN that is not defined on the peer-link, so that if one link fails traffic can still use the other.
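The consistency rules stated on this page (same domain ID and same vPC number on both peers, exactly one peer-link, only Layer 2 port-channels as vPC members, and trunk VLANs present on both peers, otherwise a non-vPC VLAN) can be checked offline against the two peers' configurations. This is an added example, not code from the page or from Cisco; it parses only the NX-OS config subset shown on this page (no vlan add/remove forms) and uses a constructed pair of configs as input.

```python
import re

def parse_nxos(config):
    """Parse the config subset used above: the vPC domain id and, per port-channel,
    its vPC number or peer-link role, allowed trunk VLANs and Layer 2/Layer 3 mode."""
    domain, pos, cur = None, {}, None
    for ln in (raw.strip() for raw in config.splitlines() if raw.strip()):
        if m := re.match(r"vpc domain (\d+)$", ln):
            domain, cur = int(m.group(1)), None
        elif m := re.match(r"interface port-channel(\d+)$", ln, re.I):
            cur = pos.setdefault(int(m.group(1)), {"vlans": set()})
        elif ln.startswith("interface"):
            cur = None  # physical member ports are not checked here
        elif cur is not None:
            if ln.startswith("switchport"):
                cur["l2"] = True
            if m := re.match(r"switchport trunk allowed vlan (\d[\d,\-]*)$", ln):
                for lo, _, hi in (p.partition("-") for p in m.group(1).split(",")):
                    cur["vlans"].update(range(int(lo), int(hi or lo) + 1))
            if ln.startswith("ip address"):
                cur["l3"] = True
            if m := re.match(r"vpc (peer-link|\d+)$", ln):
                cur["vpc"] = m.group(1)
    return domain, pos

def check_vpc_pair(cfg_a, cfg_b):
    """Return findings for the rules above; an empty list means the pair is consistent."""
    (dom_a, po_a), (dom_b, po_b) = parse_nxos(cfg_a), parse_nxos(cfg_b)
    out = [] if dom_a == dom_b else [f"domain id mismatch: {dom_a} vs {dom_b}"]
    for side, pos in (("A", po_a), ("B", po_b)):
        if sum(p.get("vpc") == "peer-link" for p in pos.values()) != 1:
            out.append(f"peer {side}: expected exactly one 'vpc peer-link' port-channel")
    for n in sorted(set(po_a) | set(po_b)):
        a, b = po_a.get(n, {"vlans": set()}), po_b.get(n, {"vlans": set()})
        if a.get("vpc") != b.get("vpc"):  # vPC number must match on both peers
            out.append(f"po{n}: vpc '{a.get('vpc')}' on A vs '{b.get('vpc')}' on B")
        for side, p in (("A", a), ("B", b)):  # only Layer 2 port-channels can be vPC members
            if p.get("vpc") and (p.get("l3") or not p.get("l2")):
                out.append(f"po{n} on {side}: vPC member port must be a Layer 2 port-channel")
        if a["vlans"] ^ b["vlans"]:  # a VLAN allowed on only one peer is a non-vPC VLAN
            out.append(f"po{n}: non-vPC VLANs {sorted(a['vlans'] ^ b['vlans'])}")
    return out

# Constructed sample pair: peer B allows VLAN 30 on po2 while peer A does not.
PEER_A = ("vpc domain 1\ninterface port-channel1\n switchport mode trunk\n vpc peer-link\n"
          "interface port-channel2\n switchport mode trunk\n switchport trunk allowed vlan 10,20\n vpc 2\n")
PEER_B = PEER_A.replace("vlan 10,20", "vlan 10,20,30")
```

Running check_vpc_pair(PEER_A, PEER_B) reports VLAN 30 on po2 as a non-vPC VLAN, which is the situation the paragraph above describes.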

If a single ordinary device is connected only to the primary or the secondary of the Nexus vPC peer pair, and the link carries a vPC VLAN, the port used for that connection is called an orphan port.

[Figure: nexus5]

An orphan port has the following characteristics:
● A port on vPC peer device (primary or secondary) that is connected to a single attached device.
● A port on a vPC peer device (primary or secondary) that carries a vPC VLAN. If the port carries a non-vPC VLAN, it is no longer defined as an orphan port.

General Recommendation:
When connecting a single-attached access device to a vPC domain using a vPC VLAN, always connect it to the vPC primary peer device. The reason is that when the vPC peer-link goes down, any single-attached device connected to the secondary peer device (and using a vPC VLAN) becomes completely isolated from the rest of the network.

Connect a Layer 3 device to vPC Domain

When a Layer 3 device is connected to a vPC domain through a vPC, at Layer 2 it believes it is connected to a single device, but at Layer 3 it sees the IPs of both the primary and the secondary Nexus. In practice, connecting a Layer 3 device over a vPC port is not supported: unless the HSRP address on the vPC is specified manually, the Layer 3 device's routing table will be confused. The best approach is to connect the Layer 3 device to both the primary and the secondary Nexus directly using ordinary Layer 3 ports.

Strong Recommendations:
● Use separate Layer 3 links to connect an L3 device (like a router or a firewall in routed mode, for instance) to a vPC domain (Figure 50).
● Do not use a Layer 2 vPC to attach an L3 device to a vPC domain unless the L3 device can statically route to the HSRP address configured on the vPC peer devices.
● Use individual Layer 3 links for routed traffic and a separate Layer 2 port-channel for bridged traffic if both routed and bridged traffic are required.
● Enable Layer 3 connectivity between the vPC peer devices by configuring a VLAN network interface for the same VLAN on both devices or by using a dedicated L3 link between the 2 peer devices (for L3 backup routing path purposes).

The principle for connecting a Layer 3 device to a vPC domain, or for routing between multiple DCI sites, is never to carry Layer 3 routing information over the vPC peer-link. Any Layer 3 traffic sent over the peer-link is blackholed. The solution is a separate Layer 2 (non-vPC VLAN) or Layer 3 link between the vPC peers to carry this routing information. Each Nexus then has this non-vPC VLAN and its VLAN interface IP, so OSPF can run over it.

vPC Backup Routing Path

The backup routing path provides a fallback once all of the primary uplinks are down.

[Figure: nexus6]

Strong Recommendation:
Always build an L3 backup routed path for the vPC domain in order to increase network resilience and availability. Use an OSPF point-to-point adjacency (or equivalent Layer 3 protocol) between the 2 vPC peer devices to establish a Layer 3 backup path to the core in case of uplink failures.
There are several ways to implement the L3 backup routing path.
Strong Recommendations:
To build the L3 backup routing path, use the following options, listed in descending order of preference:
● Use a dedicated Layer 3 point-to-point link between the vPC peer devices to establish a Layer 3 backup path to the core.
● Use the already existing Layer 2 port-channel trunk ISL (Inter Switch Link) for non-vPC VLANs and create a dedicated VLAN/SVI to establish a Layer 3 neighborship.
● Use the vPC peer-link and create a dedicated VLAN/SVI to establish a Layer 3 neighborship (least recommended solution).

HSRP/VRRP

Set the SVI to routing passive mode to prevent the peers from forming a routing adjacency over the peer-link.

[Figure: nexus7]

With multiple DCI connections, the default HSRP behaviour is as in the figure above: when 7K3 or 7K4 receives a request, it forwards it over the Layer 2 vPC link to 7K1 for routing. To achieve the HSRP behaviour in the figure below, a specific ACL is needed to block HSRP hello packets.

[Figure: nexus8]

PACL configuration to stop HSRPv1 hello messages:
ip access-list HSRPv1_Filtering
10 deny udp any 224.0.0.2/32 eq 1985
20 permit ip any any

PACL configuration to stop HSRPv2 hello messages:
ip access-list HSRPv2_Filtering
10 deny udp any 224.0.0.102/32 eq 1985
20 permit ip any any

PACL configuration to stop VRRP hello messages (VRRP advertisements are carried directly in IP protocol 112 to 224.0.0.18, not over UDP port 1985, so the filter matches on the protocol number):
ip access-list VRRP_Filtering
10 deny 112 any 224.0.0.18/32
20 permit ip any any

interface port-channel10
ip port access-group HSRPv1_Filtering
