I have this topology in a client network.
On the Nexus 5k I have a port-channel configured in layer 3, and it ends on the Nexus 7k in layer 2 on VLAN 10. This configuration is replicated the same on the other N5k.
The Nexus 7k has a port-channel in vPC towards the N5k, as seen in the diagram. The problem I am having is that I have HSRP configured with 10.1.1.4 on the N5k on the left side and 10.1.1.5 on the right side, and the VIP is 10.1.1.1, and when I ping from .4 to .5 the ping does not arrive.
Using the ethanalyzer command on the controller of the N5k, I see that the packet arrives and is answered, but I do not see it at the ping level; it is lost within the vPC.
My question is: in this topology, is this traffic allowed? Do I have a design error, or could it be a bug?
So just to confirm:
You have an L3 interface 10.1.1.0/24 between N5K1 (L3 PO) and N7K1 (SVI10), and at the same time, 10.1.1.0/24 between N5K2 (L3 PO) and N7K2 (SVI10). VLAN 10 is also allowed over the vPCs and the peer link (configured L2 on Nexus).
Is my understanding correct?
If yes, then I must admit this is a very strange and uncommon topology. Is it supported? Technically I do not see a problem, but it is definitely on the borderline. Why not simply configure SVI10 on the Nexus and allow the VLAN over the PL, and you have a fully supported topology?
And what about HSRP? Which nodes participate in the HSRP group?
If you understood correctly
I have it configured this way:
ip address 10.1.1.4/24
hsrp version 2
switchport access vlan 10
spanning-tree port type edge
spanning-tree bpduguard enable
On the other side it is the same configuration, with only the IP changed to 10.1.1.5.
HSRP comes up perfectly, and one remains active and the other standby. Until today I have never switched them over manually, but you can see the MAC addresses on both sides.
The only problem is that the ping from .4 to .5 does not arrive, and I can't find anything from Cisco that says this is not supported.
Ah OK, so there is no SVI on the N7K, just the VLAN. Got it.
Well, even in this scenario, the topology looks very strange. I still do not understand why you would want this behavior.
And let me give you an example where this scenario is not supported:
- If the peer-link goes down and the PKA is up, then the vPC secondary (let's say N5K2) will bring down all vPC-enabled interfaces and also all vPC VLANs, BUT since PO4 is an L3 interface, it will stay up. Since it has HSRP on it, HSRP will become active on it.
- At this stage you have both N5Ks with HSRP active, and connectivity to the N7K is up, since the interface is not affected by the peer-link failure. This is when connectivity within VLAN 10 will be affected.
In other words, this is NOT a supported scenario. My suggestion is to stick with the recommended design: SVI 10 on both N5Ks, VLAN 10 allowed over the vPC peer link, and HSRP configured on the SVI.
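
The recommended design from the last reply, sketched as NX-OS configuration. This is an added example, not configuration posted by anyone in the thread. The addresses, VLAN 10, HSRP version 2 and PO4 come from the thread; HSRP group 10, the priority, port-channel1 as the peer link and `vpc 4` on port-channel4 are assumptions.

```text
! ---- N5K1 (assumed vPC primary) ----
feature interface-vlan
feature hsrp
vlan 10

! vPC peer link (port-channel number is an assumption); VLAN 10 must be allowed
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 10
  spanning-tree port type network
  vpc peer-link

! Link towards the N7K: layer 2 instead of the routed port-channel
! (vPC number 4 is an assumption)
interface port-channel4
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10
  vpc 4

! HSRP now lives on the SVI, which the vPC secondary suspends
! together with the vPC VLANs when the peer link fails
interface Vlan10
  no shutdown
  ip address 10.1.1.4/24
  hsrp version 2
  hsrp 10
    preempt
    priority 110
    ip 10.1.1.1

! ---- N5K2 (assumed vPC secondary) ----
! Same as above, except for the SVI address and the default priority:
interface Vlan10
  no shutdown
  ip address 10.1.1.5/24
  hsrp version 2
  hsrp 10
    preempt
    ip 10.1.1.1
```

With HSRP on the SVI, a peer-link failure takes the secondary's Vlan10 interface down with the rest of the vPC VLANs, so only one HSRP active router remains.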