01-01-2021 06:26 PM
Hi,
I have a topology like below:
In brief:
4 x 5672UP with NX-OS version 7.3(1)N1(1); "peer-gateway" and "layer3 peer-router" already configured
2 x Checkpoint (CP1 = Active, CP2 = Passive)
vPC between CP1 and N5K1 - N5K2
vPC between CP2 and N5K3 - N5K4
vPC between N5K1 - N5K2 and N5K3 - N5K4
Regarding the IP:
CP1 = 192.168.10.1/24
CP2 = 192.168.10.2/24
CP VIP (shared by both CP1 and CP2) = 192.168.10.3/24
SVI 10 on N5K1 = 192.168.10.101/24
SVI 10 on N5K2 = 192.168.10.102/24
SVI 10 on N5K3 = 192.168.10.103/24
SVI 10 on N5K4 = 192.168.10.104/24
Now, if I activate OSPF on SVI 10 of the 4 N5Ks and also on the CP side, if I understand correctly, I should have something like this:
- OSPF adjacencies between N5Ks
- OSPF adjacencies between each N5K and the VIP of the CheckPoint
My 2 questions:
1. Has anyone already implemented something like this? Have I got that right?
2. If I want to remove the OSPF adjacencies between N5Ks (I only want to keep the adjacencies between N5Ks and the VIP of the Checkpoint) what is the best solution to do it? I'm thinking of authentication but I'm not sure this is a good solution.
Any advice will be highly appreciated, thanks and happy new year to all.
01-02-2021 08:18 PM
Hi,
I would like to help you with this design.
Are both Nexus switches on each side configured with vPC?
01-03-2021 03:18 AM
Hi,
Yes, N5K1 and N5K2 belong to vPC domain 10, N5K3 and N5K4 belong to vPC domain 20.
01-03-2021 11:39 PM
Hi @suneq
I do not see any reason to remove the adj between N5Ks, but if you really want to do it, and you have some constraints which I am not aware of, one thing which I would like to highlight is that you must not remove the adjacency between vPC peers that are part of the same domain. You can remove it between the two vPC domains, but not between peers from the same vPC domain. Since the OSPF is over vPC, the routing should be persistent between peers, so adj between the two peers is required. This would help avoid any traffic black-holing.
Stay safe,
Sergiu
01-04-2021 05:57 AM - edited 01-04-2021 08:17 AM
Thanks for your advice.
I did not want to keep the adj between the N5Ks because we already have 2 L3 links between N5K1-N5K2 and between N5K3-N5K4 on which OSPF is activated.
Now, let's forget these L3 links, I'm particularly interested in your advice that we should not remove the adjacency between vPC peers part of the same domain. Could you please give me an example in which traffic black-holing can happen if we somehow remove the adjacency between the N5K1 and N5K2?
It's pretty new for me, I have not found good documentation on this topic (I mean routing over vPC).
Thanks for your help.
01-05-2021 02:28 PM
Sorry for the late reply.
There are four vPCs sharing the same VLAN, and the connection to the CP also uses the same VLAN.
Now, the SVI in each Nexus and the IP address of the CP will be used to form the OSPF adj, so you will see five neighbors for each OSPF peer.
Simply put, you can imagine that all these L3 "SVI & CP" are connected to one SW.
Now, the connection from one side to the other takes the path decided by SPT. If you do not configure the double-sided Nexus, I suspect you will have some issues with the OSPF adj, since the SPT will not work perfectly.
The green circle is the root port,
the yellow circle is the DP,
and there is no BLK port because the Nexus data plane forwarding prevents the loop.