MPLS + OTV + MACSec/802.1AE

danailpetrov
Level 1

Hello,

I have a quick question with regards to DCI links. If I have L2 between two data centres and want to use MPLS + OTV + MACSec, will that work? I remember there were some limitations where the OTV join interface cannot be an SVI but must be physical instead (or an L3 port-channel), in which case I am not sure whether 802.1AE will work, as well as MPLS (needed for Layer 3 VPNs across both DCs).

Many thanks in advance!

2 Replies

danailpetrov
Level 1

Hello again,

I've been reading for the last few days and here is what I found.

According to this article, using CTS + OTV should not be a problem at all (and I hope the same applies to MPLS too :-)).

However, I have yet another question with regards to OTV - is the following topology supported?

My thinking is that if we have the DC1-OTV-A device authoritative for VLAN10, but at the same time its vPC peer DC1-OTV-B is the secondary AED for VLAN20, neither the vPC rule will allow this VLAN over the peer link nor will OTV (currently) be able to send it across the overlay, as it is not authoritative for this VLAN. I've been reading a lot and everything I managed to find is >> this <<

"The vPC peer-link is leveraged in the initial release to steer the traffic to the AED device. In future releases where the edge device does not play the AED role, a given VLAN will be allowed to forward unicast traffic to the remote sites via the OTV overlay, providing a desired per-flow load-balancing behavior."

This is a bit vague. Does that mean that the vPC check rule will basically allow the traffic to traverse the peer-link if the OTV feature is being used? I couldn't find anything else, so any thoughts will be much appreciated!

Thanks!

P.S. I know that I can do it the other way around, e.g. CORE-A/B being vPC members and the OTV L2 links being configured as standard port-channels, but in my case I don't have a separate VDC for OTV and need to have both vPC and OTV running in the same VDC. Which leads to another question: is it still a limitation that SVI interfaces are not allowed in a VDC where OTV is used, or does this apply to extended VLANs only? (Because I read different documentation stating both :|)


MARK BAKER
Level 4

I just recently configured OTV to run over MPLS VPNs between two data centers with MACSec-configured links between them. At each DC, I have the OTV connected to an L3 port-channel on 6800 VSS switches that belong to the VPN VRF. The OTV-to-6800 link is not running MACSec, only the links between the 6800 core switches (WAN).

Additional information:

1. I have multiple 10G links between the DCs that are running MACSec and tied to an MPLS-enabled L3 port-channel. MACSec is configured on the physical member interfaces and not on the L3 port-channel interface. MACSec needs to be configured on the physical interface before assigning it to the port-channel.

2. The MPLS VPN is multicast enabled with mLDP. It is running PIM dense-mode and SSM to support OTV in multicast mode. This does not require a multicast-enabled core.

3. DC1 is running vPC and HSRP, and DC2 and future DCs are running FabricPath and anycast HSRP. FHRP is filtered between the DCs on the OTV devices.

4. Not related to your question, but ASA clustering is used in individual-interface mode at each data center, supporting an active-active deployment. The cluster-control link is running over OTV, which does kind of relate it to this question. This works very well.

Hope this helps,

Mark
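A sketch of the build order Mark describes, added here as an illustration and not Mark's own configuration: MACsec goes on each physical WAN member before it joins the bundle, MPLS and PIM go on the L3 port-channel, and the OTV join port-channel in the VPN VRF carries no MACsec. Interface names, addresses, the VRF name and the PMK are assumed placeholders, and the commands are Cisco IOS-style syntax as found on the 6800; the mLDP/MVPN part is left out.

```ios
! Added illustration (not from the thread). Names, addresses and PMK are placeholders.
!
! 1. MACsec on each physical WAN member BEFORE channel-group is applied
interface TenGigabitEthernet1/1
 description DC1-DC2 WAN link 1 (MACsec on the member, not the bundle)
 cts manual
  sap pmk <PMK-PLACEHOLDER> mode-list gcm-encrypt
 channel-group 1 mode active
!
interface TenGigabitEthernet1/2
 description DC1-DC2 WAN link 2 (MACsec on the member, not the bundle)
 cts manual
  sap pmk <PMK-PLACEHOLDER> mode-list gcm-encrypt
 channel-group 1 mode active
!
! 2. MPLS and the multicast pieces OTV needs live on the L3 bundle
interface Port-channel1
 description MPLS-enabled WAN bundle (no MACsec here)
 ip address 10.255.0.1 255.255.255.252
 ip pim dense-mode
 mpls ip
!
! SSM for the OTV data groups (control-plane ASM group uses dense-mode above)
ip pim ssm default
!
! 3. OTV join interface: an L3 port-channel inside the VPN VRF, MACsec-free
interface Port-channel10
 description To DC1 OTV edge device (join interface side)
 vrf forwarding DCI-VPN
 ip address 10.1.10.1 255.255.255.252
 ip pim dense-mode
```

The point of the ordering is that `channel-group` inherits the member's link state, so a member that is not yet encrypting would otherwise be bundled in the clear.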