Re: Automating vPC state enable/disable

Asam Saeed · ‎03-07-2022

I was thinking if we can automate a vPCs to enable/disable based on a trigger.

For Example, I have 4 ports under 2 vPC

vPC no.1

Leaf_101: Eth1/1

Leaf_102: Eth1/1

vPC no.2

Leaf_101: Eth1/2

Leaf_102: Eth1/2

But at one single time one of the vPCs should stay up, the other one should remain down.

If any physical layer issue happens, then the state of vPC no.1 should go to disable and vPC no.2 should change its state to enable.

Kindly assist me in achieving the same.

balaji.bandi · ‎03-07-2022

When you enable and disable, the traffic will distrub right to change the path ? instead why not use any other routing mechanish or priority to fix this issue ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Asam Saeed · ‎03-07-2022

There is no Layer 3 involved in my scenario, its only Layer 2 link between ACI Leafs and Catalyst layer switch.

The links get impacted due to a fiber cut so that is why i have two vPC links, one of which I will use as a backup.

Hence, at a time one vPC link shut be up.

MHM Cisco World · ‎03-07-2022

you can config multi port in same NSK to be include the vPC port channel this instead of config two vPC for each port.

Sergiu.Daniluk · ‎03-07-2022

I support this idea. Why not configuring all 4 interfaces part of the same vPC?

balaji.bandi · ‎03-07-2022

an you draw small diagram how they connected : example as below :

https://unofficialaciguide.com/2018/04/10/aci-vpc-in-aci/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Robert Burns · ‎03-07-2022

I'd love to hear more about the use case for this scenario. Can you elaborate what you're trying to accomplish? Then we might be able to advise on the best course of action to accomplish the goal.

Robert

RedNectar · ‎03-07-2022

Hi @Asam Saeed ,

Looks like you trying are trying to do (A)

But others have suggested you do (B)

Which is a better design in most situations.

BUT it is not clear form you explanation what your topology is. It may be (C)

At the end of the day, there is not much difference between A & C as far as the logic goes.

The $64000 question is, why do you want to shut down either vPC?

ACI has several mechanisms to support cable failures:

MCP (Mis-cabling protocol) which needs to be turned on globally to be activated.
Fabric > Access Policies >> Policies > Global > MCP Instance Policy default
LACP (particularly in design (B) above)
STP/BPDU passthrough.
Yes - goood old STP will prevent loops by disabling ONE of the VPCs in design (A) or (C), provided it is configured correctly.
- If the "Catalyst layer switch" is running Cisco PVST, where BPDUs are sent with VLAN tags, then the BPDUs will traverse the ACI fabric and the "Catalyst layer switch" will disable one of the Port Channels
- If the "Catalyst layer switch" is running 802.1 standards based MST, where BPDUs are sent untagged, you need to create an EPG (possibly in the common tenant) and statically map that EPG to the two VPCs on VLAN 1 with 802.1p encapsulation, then the BPDUs will traverse the ACI fabric and the "Catalyst layer switch" will disable one of the Port Channels. You will need to make sure VLAN 1 is included in the VLAN pool that is in the Access Policy Chain where the two VPCs exist as well.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Asam Saeed · ‎03-07-2022

Thank you for the detailed explanation.

Please find below a rough sketch of the design. The use case is that the international carrier takes both the links internationally from Asia to Europe passing through land and sea! So the carrier uses a different path to reach Europe, and my end goal is to have reachability to Europe at all times.

Below are some clarification points:

1. any submarine cut in the carriers network, will require me to manually shut the link to London and unshut the link to Frankfurt.
2. I would always want the Port-Channel between the two catalyst switch to remain up.

3. MCP is enabled on my fabric as well.

4. LACP is Active as well.

One of the suggested solutions above in this thread was very interesting to have all four ports run under one vPC. However, the question is if i want to maintain the link between London and Frankfurt, wont that cause a possible loop in the network?

RedNectar · ‎03-08-2022

Hi @Asam Saeed ,

All I can say is WOW

My humble experience is limited to L2 being within a data centre, or stretched between two data centres about 40Km apart is as big as I've dealt with - and that was direct dark fibre connections.

My first instinct is to say that if you have confidence in the underlying carrier network, then the principles should still apply (i.e. my Option B is the best approach) and so the answer to...

However, the question is if i want to maintain the link between London and Frankfurt, wont that cause a possible loop in the network?

...is "No - not if spanning tree is configured correctly."

But...

Actually, there are several "buts"

But with design (A) some ME traffic destined to London will traverse via Frankfurt, and some ME traffic destined to Frankfurt will traverse via London because at L2 Spanning tree (for each STP instance) will block the PC at either London OR Frankfurt.
But even with design (B) - you'll have the same balancing problem because LACP will hash the traffic across all four links.
But I'm worried about the distances involved and the reliability of LACP and other L1/L2 convergence protocols to operate over these distances.
But my old-school training tells me that a better approach would be a L3 design that sends London traffic to London and Frankfurt traffic to Frankfurt unless you loose one of the links, at which point London traffic goes to London via Frankfurt, OR Frankfurt traffic goes to Frankfurt via London

Given that your design is over much larger distances than I imagined, I have to say I am unable to suggest anything

I'm sorry I can't give you more expert advise - this question just goes way beyond my experience.

Not sure if the other contributors ( @balaji.bandi , @Sergiu.Daniluk @Robert Burns @MHM Cisco World ) have any more to add.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Robert Burns · ‎03-08-2022

I'd agree this needs a proper design review to really select the best option. Generally an L3 extension would be appropriate in most circumstances like this to avoid STP issues, especially if you're not confident in the reliability of the circuit/carrier. L3 connections offer far better convergence & failover capabilities than L2. Keep in mind with your current design you're sending quite a bit of BUM traffic over your (typically expensive & latency-prone) International link.

If you're adamant on extending L2, then I would consider doing a double sided VPC. This would require that the Cat9300s be stacked, but then you could have a single logical L2 extension with multiple links (4) and no STP to worry about blocking the link between your Cat9300s.

Can you elaborate on why you require L2 extensions from ME to Europe? Is this another DC? Remote Site? We have many more elegant design options such as remote leaf that may offer a better solution.

Robert

Asam Saeed · ‎03-09-2022

Dear All,

Thank you for your input and great discussions. Apparently, I will discuss internally of these points.

However, as per my current design, I have to keep both the Leafs connected to the two sites in Europe. Hence, if we can automate the ports enabling or disabling from the ACI either through a script or TCL that would be great... As there is physical layer involved between the three international sites.