Re: Nexus 9K route peering over vPC Peer Link from orphan port (inconsistent documentation).

Vin Daniell · ‎03-14-2019

I have two N9k-c9336c-fx2 that will become cores in NX-OS mode. I have an HA pair of ASAs that will form EIGRP with them. We all know since the ASAs need to be layer 2 adjacent on their inside interfaces, they can't be connected to L3 ports on the 9Ks.

This is where routing over vPC comes in using "layer3 peer-router" command. Can the primary ASA form EIGRP neighborships with both SVIs on both cores (one across the peer link)? From what I'm reading, this isn't supported on Nexus 9Ks. (Or is it?)

This doc shows you can peer with a N9K from an orphan port. (Nexus 9K, 7.x, interface config guide) https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0100...

Figure 19 from that doc shows this:

(Now I don't know if the port channel is the peer link or not.)

Now the discrepancy. This document says you cannot do that with Nexus 9Ks.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html

So which is it Cisco?

Jason Leschnik · ‎03-18-2019

Your scenario is the "L3-A to Nexus B" but the "L2 link" variant which is supported. You would need to configure an "L2 Link" between the 9k's, the VLAN you're using for peering should not be trunked across the vPC peer-link (prune them off with `trunk allowed`) this will make those VLANs non-vPC VLANs. Also based on the "*" you would need to configure user defined MAC addresses on all the SVIs in those non-vPC VLANs. Be aware that there is currently a limitation of 16 user-defined MACs [1] on 9k (8 in our case if using vPC with peer-gateway enabled).

[1] - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq68188/?rfs=iqvred

HTH - Regards, Jason.