VPC Protection Group issue

guidov2 · ‎12-10-2020

Hello,

a strange issue is happening:

deployment has 2 VPC: 101 with leaf 101 and 102 and 106 with leaf 106 and 107.

Now I have to add another VPC Protection Group (104) for VPC between leaf 104 and 105.

The strange issue is the autogenerated virtual ip address is created with the same ip of VPC 101.

This issue interrupted services that were using vpc 101 obviously ....

Infact after the deletion of VPC 104 the services on VPC 101 were restored.

I double check and every time I create a new VPC Protection Group for leaf 104 and 105 the Virtual ip is the same of first VPC Protection Group.

How can I resolve the issue ?

had someone got the same issue ?

Thanks and regards

Robert Burns · ‎12-10-2020

Going to need more info - firstly which version are you running?

This definitely sounds like a bug, can you also provide the outputs of:
moquery -c dhcpPool | egrep 'className|dn|startIp|endIp'

moquery -c dhcpClient | egrep 'dn|ip|nodeRole'

Robert

guidov2 · ‎12-10-2020

Version 3.2(2l)

apic1# moquery -c dhcpPool | egrep 'className|dn|startIp|endIp'
className : vip
dn : prov-1/net-[11.0.0.0/16]/pool-1
endIp : 11.0.144.95
startIp : 11.0.144.64
className : pod
dn : prov-1/net-[11.0.0.0/16]/pool-2
endIp : 11.0.128.95
startIp : 11.0.128.64
className : protectionchain
dn : prov-1/net-[11.0.0.0/16]/pool-3
endIp : 11.0.144.127
startIp : 11.0.144.96
className : vip
dn : prov-1/net-[11.0.0.0/16]/pool-4
endIp : 11.0.152.95
startIp : 11.0.152.64
className : vip
dn : prov-3/net-[11.0.0.0/16]/pool-1
endIp : 11.0.144.95
startIp : 11.0.144.64
className : pod
dn : prov-3/net-[11.0.0.0/16]/pool-2
endIp : 11.0.128.95
startIp : 11.0.128.64
className : vip
dn : prov-3/net-[11.0.0.0/16]/pool-3
endIp : 11.0.152.95
startIp : 11.0.152.64

guidov2 · ‎12-10-2020

and here the other information:

apic1# moquery -c dhcpClient | egrep 'dn|ip|nodeRole'
No handlers could be found for logger "root"
dn : client-[uni/fabric/macprotp-default/macexpg-default]
ip : 11.0.144.65/32
model : vip
nodeRole : vip
id : uni/fabric/ipv4protp-default/ipv4expg-default
dn : client-[uni/fabric/ipv4protp-default/ipv4expg-default]
ip : 11.0.144.66/32
model : vip
nodeRole : vip
rn : client-[uni/fabric/ipv4protp-default/ipv4expg-default]
id : uni/fabric/ipv6protp-default/ipv6expg-default
dn : client-[uni/fabric/ipv6protp-default/ipv6expg-default]
ip : 11.0.144.64/32
model : vip
nodeRole : vip
rn : client-[uni/fabric/ipv6protp-default/ipv6expg-default]
dn : client-[FDO2138253V]
ip : 11.0.128.64/32
nodeRole : leaf
dn : client-[FDO221719Y8]
ip : 11.0.128.65/32
nodeRole : spine
dn : client-[FDO22211Q8Z]
ip : 11.0.128.66/32
nodeRole : spine
dn : client-[FDO21400TAP]
ip : 11.0.128.71/32
nodeRole : leaf
dn : client-[FDO21422NT6]
ip : 11.0.128.69/32
nodeRole : leaf
dn : client-[FDO21422N6Q]
ip : 11.0.128.67/32
nodeRole : leaf
dn : client-[FDO21422P08]
ip : 11.0.128.70/32
nodeRole : leaf
dn : client-[FDO213826KH]
ip : 11.0.128.72/32
nodeRole : leaf
dn : client-[FDO21422NCF]
ip : 11.0.128.68/32
nodeRole : leaf

Thanks

Robert Burns · ‎12-10-2020

Also need the other output from the original response (moquery -c dhcpClient | egrep 'dn|ip|nodeRole'). From this output see if you have a dhcpClient record for the VPC TEP address assigned to 101_102 protection group.

What's likely happened is the original VPC TEP Address doesn't have a dhcpClient object record, so it's re-allocating that original VPC TEP Address. Simple fix is to remove the original VPC Protection Group for 101 and 102, wait 5mins, then re-create it. After you create it, we should see a dhcpClient record for that address (recheck previous command).
This is bug CSCvi66563.

Robert

guidov2 · ‎12-10-2020

Hello,

sorry for delay,

I sent the second command in my last email.

question:

Doing : "remove the original VPC Protection Group for 101 and 102" we will lost the vpc and any services using that ...

We will have also to redo all the static port association for any EPG using that vpc ... is it correct ?

thanks and regards

Guido

Robert Burns · ‎12-10-2020

This will be disruptive - yes, I should have mentioned that. Do it during a maintenance period. Only devices using VPC Policy Groups on these VPC Pairs would be impacted, any single connected (non-VPC) Endpoints will not be impacted. You will not have to recreate any Static Paths, as this is independent of the switch VPC Policies.

Robert

guidov2 · ‎12-10-2020

Thanks Robert.
Just to repup:
I only need to remove the original protection group 101 102
Wait about 5 minutes
And then recreate the protection group 101 102
No other action has to be done: I mean all vpc using that protection group will restart to work as I will recreate the protection group.
Is it correct ?
Thanks and regards for you help

Robert Burns · ‎12-10-2020

What is the current VIP assigned to the VPC TEP for 101_102? Want to be sure the dhcpClient entry is indeed missing from the CLI outputs.

Robert

guidov2 · ‎12-10-2020

Hello,
Sorry for delay,
Virtual ip for logical pair id 101 is 11.0.152.64/32
Virtual ip for logical pair id 106 is 11.0.152.65/32

If I create a new pair it obtain 11.0.152.64/32 as 101 pair

Thanks and regards
Guido

Robert Burns · ‎12-10-2020

And if you re-run that command to look at dhcpClient records - do you see this address assigned?

Robert

guidov2 · ‎12-10-2020

Hello Robert,

do you mean:

I create a new pair it obtain 11.0.152.64/32 as 101 pair

and then re-run that command to look at dhcpClient records ?

If you need It will take a lot as I have to request a maintenance window.

else if I run now (without re-create a new pair) the command ,You can see it is not assigned:

apic1# moquery -c dhcpClient | egrep 'dn|ip|nodeRole'
No handlers could be found for logger "root"
dn : client-[uni/fabric/macprotp-default/macexpg-default]
ip : 11.0.144.65/32
model : vip
nodeRole : vip
id : uni/fabric/ipv4protp-default/ipv4expg-default
dn : client-[uni/fabric/ipv4protp-default/ipv4expg-default]
ip : 11.0.144.66/32
model : vip
nodeRole : vip
rn : client-[uni/fabric/ipv4protp-default/ipv4expg-default]
id : uni/fabric/ipv6protp-default/ipv6expg-default
dn : client-[uni/fabric/ipv6protp-default/ipv6expg-default]
ip : 11.0.144.64/32
model : vip
nodeRole : vip
rn : client-[uni/fabric/ipv6protp-default/ipv6expg-default]
dn : client-[FDO2138253V]
ip : 11.0.128.64/32
nodeRole : leaf
dn : client-[FDO221719Y8]
ip : 11.0.128.65/32
nodeRole : spine
dn : client-[FDO22211Q8Z]
ip : 11.0.128.66/32
nodeRole : spine
dn : client-[FDO21400TAP]
ip : 11.0.128.71/32
nodeRole : leaf
dn : client-[FDO21422NT6]
ip : 11.0.128.69/32
nodeRole : leaf
dn : client-[FDO21422N6Q]
ip : 11.0.128.67/32
nodeRole : leaf
dn : client-[FDO21422P08]
ip : 11.0.128.70/32
nodeRole : leaf
dn : client-[FDO213826KH]
ip : 11.0.128.72/32
nodeRole : leaf
dn : client-[FDO21422NCF]
ip : 11.0.128.68/32
nodeRole : leaf
apic1#

Thanks and regards

Guido