Nexus 9K Version 7.0(3)I1(3) - vPC - Type-2 consistency status: failed

Hans Martinez · ‎10-18-2018

I have a Type-2 consistency status: failed, on my implementation of vPC Domain.

I understand that I need the same resources about VLANs and SVIs configured on both switches, but I implemented OSPF with different SVIs, and I understand that this is my issue of the SVI type-2 configuration incompatible message.

My question is if I have an alternative to fix the issue of the different SVI configuration at OSPF.

sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : primary
Number of vPCs configured : 2
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1 up 1-11,13-31,33-34,39-44,50-57,59-63,70,77,80-83,85

-89,93-96,98,100-139,150-157,170,180-181,199,201-

238,240,300-303,325,333-334,400,409,888,898,900-9

03,909-915,1000,1003,2003,2500

vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
47 Po47 up success success 1-11,13-31,33-

34,39-44,50-57

,59-63,70,77,8

0-83,85-89,93-

96,98,100-139,

150-157,170,...

61 Po61 up success success 1-11,13-31,33-

34,39-44,50-57

,59-63,70,77,8

0-83,85-89,93-

96,98,100-139,

150-157,170,...

Please check "show vpc consistency-parameters vpc <vpc-num>" for the
consistency reason of down vpc and for type-2 consistency reasons for
any vpc.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

sh vpc consistency-parameters global

Legend:
Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
QoS (Cos) 2 ([0-7], [], [], [], ([0-7], [], [], [],
[], []) [], [])
Network QoS (MTU) 2 (1500, 1500, 1500, (1500, 1500, 1500,
1500, 1500, 1500) 1500, 1500, 1500)
Network Qos (Pause: 2 (F, F, F, F, F, F) (F, F, F, F, F, F)
T->Enabled, F->Disabled)
Input Queuing (Bandwidth) 2 (0, 0, 0, 0, 0, 0) (0, 0, 0, 0, 0, 0)
Input Queuing (Absolute 2 (F, F, F, F, F, F) (F, F, F, F, F, F)
Priority: T->Enabled,
F->Disabled)
Output Queuing (Bandwidth 2 (0, 0, 0, 0, 0, 0) (0, 0, 0, 0, 0, 0)
Remaining)
Output Queuing (Absolute 2 (T, F, F, F, F, F) (T, F, F, F, F, F)
Priority: T->Enabled,
F->Disabled)
Vlan to Vn-segment Map 1 No Relevant Maps No Relevant Maps
STP Mode 1 MST MST
STP Disabled 1 None None
STP MST Region Name 1 GT GT
STP MST Region Revision 1 1 1
STP MST Region Instance to 1
VLAN Mapping
STP Loopguard 1 Disabled Disabled
STP Bridge Assurance 1 Enabled Enabled
STP Port Type, Edge 1 Normal, Disabled, Normal, Disabled,
BPDUFilter, Edge BPDUGuard Disabled Disabled
STP MST Simulate PVST 1 Enabled Enabled
Nve Admin State, Src Admin 1 None None
State, Secondary IP, Host
Reach Mode
Nve Vni Configuration 1 None None
VTP domain 2 GT GT
VTP version 2 2 2
VTP mode 2 Transparent Transparent
VTP password 2
VTP pruning status 2 Disabled Disabled
Interface-vlan admin up 2 10,93,95,98 10,95-96
Interface-vlan routing 2 1,10,93,95,98 1,10,95-96
capability
Allowed VLANs - 1-11,13-31,33-34,39-44 1-11,13-31,33-34,39-44
,50-57,59-63,70,77,80- ,50-57,59-63,70,77,80-
83,85-89,93-96,98,100- 83,85-89,93-96,98,100-
139,150-157,170,180-18 139,150-157,170,180-18
1,199,201-238,240,300- 1,199,201-238,240,300-
303,325,333-334,400,40 303,325,333-334,400,40
9,888,898,900-903,909- 9,888,898,900-903,909-
915,1000,1003,2003,250 915,1000,1003,2003,250
0 0
Local suspended VLANs - - -

brdewal2 · ‎10-18-2018

Hi Hans,

A Type-2 inconsistency won't actually cause any issues with vPC it is more just a warning that your config differs between vPC peers.

The only way to clear this would be to have the same SVIs in up state on both. If SVIs are only be used for hosts/routers that exist off one switch, this configuration is ok. However, these SVIs that exist on only one peer should not be allowed over the peer-link. Example of a NON-supported scenario would be to have SVI 100 only on N9k-1 but a host off N9k-2 in Vlan100.

Another alternative instead of using a SVI you can use a routed link or sub-interfaces on a routed link if you are just using this to connect to a router.

Also, to note that if you are wanting to do OSPF to a router over vPC this is supported starting in 7.0(3)I5(1)

Finally, I wanted to note that 7.0(3)I1(3) is now end of life and you should consider upgrading to the current recommended release of 7.0(3)I4(8a) at minimum.

Hans Martinez · ‎10-19-2018

Hi, thanks a lot for your comments, I upload my topology for a better reference.

On the topology I did deployed OSPF like show on the pic; this works fine on adjacencies of the neighbors and the RIB is full with all the networks on all the routers. I have conectivity from the Campus Lan to the end serven into the DC LAN, but I discovered a issue, the issue is that when I try con give a ping or telnet dependig of the destination and source, the conectivity is lost.

Example1:
Source 10.20.20.3 Destination 10.20.20.6
Route OSPF Path: .58 -> .66
Trance: .... - time out...

Example2:
Source 10.20.20.3 Destination 10.20.20.5
Route OSPF Path: .58
Trance: .58 - ok

Example3:
Source 10.20.20.4 Destination 10.20.20.6
Route OSPF Path: .62 -> .65
Trance: .... - time out...

Example4:
Source 10.20.20.3 Destination 10.20.20.5
Route OSPF Path: .62
Trance: .62 , ok

Example5:
Source 10.20.20.1 Destination 10.20.20.6
Route OSPF Path: .38 -> .58 -> .66
Trance: .... - time out...

Example6:
Source 10.20.20.1 Destination 10.20.20.5
Route OSPF Path: .38 -> .58
Trance: .38 ->.58 - ok

I think is a problem with the Peer link - trunk.

The peer link are like spanning tree network, and the vPC back2back are spanning tree normal.

What you think about the behavior of de connectivity, you need consider that the connectivity host end-to-end all is fine.

I want to know your opinion of the issue before to proceed with an upgrade of NX-OS.

Best regards.

brdewal2 · ‎10-22-2018

Hi Hans,

When you do your pings/tracroutes between switches are you actually sourcing them from the loopback IP? If not, this behavior may be expected if the reply hashes to the vPC peer as they can share MAC addresses.

However, if you are sourcing from the loopback then something else might be happening. In particular, I'm looking at your Example3. If you are pinging .6 from .4, why would it go to N9k-9372PX-A at all? You may want to check how the routing table looks. To me it seems that N9k-9372PX-B doesn't even seem to know it owns .6 if the ping is just going through it.

Regardless, I would recommended upgrading the NXOS as stated before this is an old version.

Hans Martinez · ‎10-23-2018

Hi brdewal2,

Here my answer about your questions.

yes, I use like source the interface loopback, for both of them ping and traceroute.

With the other question, you are right I made a mistake when writing, the correct example are this.

Example3:
Source 10.20.20.4 Destination 10.20.20.5
Route OSPF Path: .62 -> .65
Trance: .... - time out...

Example4:
Source 10.20.20.4 Destination 10.20.20.6
Route OSPF Path: .62
Trance: .62 , ok

I'm going to programming a maintenance window to do the upgrade of NX-OS.

Thanks with your support.

Hans Martinez · ‎10-29-2018

Hi, I proceed with the upgrade to the version 7.0(3)I6(1) on all devices, after that I tested the connectivity and saw the same issue on ping and traceroute.

I found this link:
http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

Later of read the post, I understood that I can't enable OSPF over an over pvc-peer-link.
To fix the issue of the connectivity, I enabled OSPF over two new links layer 3 between the peers of the vPC Domain.

The new topology implemented is:

Best Regards.

nazimkha · ‎10-29-2018

Did you enable the Dynamic routing over vPC configs i.e you need to configure

layer-3 peer router under vpc domain alongwith with vpc peer-gateway

Please see the configuration guide :

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/interfaces/configuration/guide/b-Cisco-Nexus-7000-Series-NX-OS-Interfaces-Configuration-Guide-Book/configuring-vpcs.html#task_E034B3298DC945D1A33AB27AF73AE88C

Hans Martinez · ‎10-30-2018

Hi Nazimkha:

Yes, I have both commands applied under vpc domain.

When I use OSPF over SVI to form a adjacency under trunk-peer-link; the adjacency is established, but the packet with other destiny are dropped like the example in the last post. I resolve the issue form a full layer 3 between both vPC Domain peers.

Thanks for asked.

Best regards.

Hans Martinez · ‎10-19-2018