Nexus 9372 vPC and L3 connection

Artem Grigoryev
Level 1

Hello.

I have two Cisco Nexus 9372 in a vPC domain and four 3Com 5500G EI switches in an XRN stack (common control and data plane).

See the attached schemes.

I'm trying to understand the best way to connect them to each other. What should I use: vPC, an L3 port-channel interface, HSRP, SVI?

1) If I use an L3 interface for the port-channel on the Nexus side

Do I need to apply the command 'vpc 300' under interface port-channel 300?

N9k A
interface port-channel300
  description DC-TRANSIT
  no switchport
  ip address 10.20.255.253/30
interface Ethernet1/54
  no switchport
  channel-group 300

N9k B
interface port-channel300
  description DC-TRANSIT
  no switchport
  ip address 10.20.255.253/30
interface Ethernet1/54
  no switchport
  channel-group 300

DC1sw1 is an XRN stack and logically operates like one device (common control and data plane).

It is configured with interface VLAN 300:

interface TenGigabitEthernet4/1/1
broadcast-suppression pps 1500
port access vlan 300
lacp enable
port link-aggregation group 300

interface TenGigabitEthernet4/1/2
broadcast-suppression pps 1500
port access vlan 300
lacp enable
port link-aggregation group 300

interface Vlan-interface300
description MOW1-MOW2_DC-Transit
ip address 10.20.255.254 255.255.255.252

Will it all work?

2) Or do I need to use vPC and HSRP instead?

N9k A
interface port-channel300
  description DC-TRANSIT
  switchport mode access
  switchport access vlan 300
  vpc 300
interface Ethernet1/54
  switchport mode access
  channel-group 300
interface Vlan300
  ip address 10.20.255.250/29
  hsrp 300
    ip 10.20.255.253

N9k B
interface port-channel300
  description DC-TRANSIT
  switchport mode access
  switchport access vlan 300
  vpc 300
interface Ethernet1/54
  switchport mode access
  channel-group 300
interface Vlan300
  ip address 10.20.255.251/29
  hsrp 300
    ip 10.20.255.253

And DC1SW1 (3Com) with interface VLAN 300 and IP address 10.20.255.254/29.

 

3) What would be the best scheme if in the future I plan to use OSPF dynamic routing?


6 Replies

willwetherman
Spotlight

Hi,

As far as I'm aware, vPC only supports layer 2 port-channels and not layer 3 port-channels (a port-channel configured as a routed interface), so option 1 will not be possible.

Option 2 will be one option. Note that VLAN 300 will need to be added to the vPC peer-link and the ports connecting to the 3com switch will need to be configured with 'spanning-tree port type normal' to prevent the port from using Bridge Assurance and being unexpectedly blocked by STP.

When you plan to use OSPF, you will just need to remove the HSRP configuration from the N9Ks as it will no longer be required. The 3com switch will establish an OSPF adjacency with both N9Ks SVI interfaces.

Another option to support OSPF is to remove the vPC configuration and configure the N9K and 3com switch interfaces as routed point-to-point links and then establish OSPF adjacencies over these links.


Hope this helps

Hi,

Thanks willwetherman.

OK. But for what purpose can the N9k be configured with a Layer 3 port-channel interface?

Hm.

Layer 3 port channels can be used if the member interfaces are both connected to the same N9K switch.

See the following link, which states that vPC only supports Layer 2 port channels.

"You can use only Layer 2 port channels in the vPC"

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_chapter_0111.html

Actually, apologies, but the following statement I made was incorrect.

"When you plan to use OSPF, you will just need to remove the HSRP configuration from the N9Ks as it will no longer be required. The 3com switch will establish an OSPF adjacency with both N9Ks SVI interfaces"

Routing protocol adjacencies will not be supported between the 3com switch and Nexus 9K switches over the vPC VLAN. In this instance, you will need to use the 2nd recommendation of using L3 point-to-point links between the 3Com switch and each vPC peer device. The following link explains the supported topologies.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html
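As an added example (not code from the thread or from Cisco), the constraints willwetherman gives in the first reply and in the correction above, turned into a small config lint over NX-OS text: it flags a routed port-channel under vPC, a vPC VLAN missing from the peer-link, a vPC member port without 'spanning-tree port type normal', and OSPF enabled on the SVI of a vPC VLAN. The rule labels, interface names and the sample config are constructed here.

```python
# Added example, not code from the thread: lint an NX-OS config against the
# vPC rules willwetherman states. R1 routed port-channel under vPC; R2 vPC VLAN
# missing from the peer-link; R3 vPC member without 'spanning-tree port type
# normal'; R4 OSPF enabled on the SVI of a vPC VLAN. Sample config is constructed.
import re

def expand_vlans(spec):                  # '10-20,300' -> {10, ..., 20, 300}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def stanzas(cfg):
    """Yield (interface name, set of indented sub-commands) per interface block."""
    for block in re.split(r"(?m)^(?=interface )", cfg):
        head, *body = block.strip().splitlines() or [""]
        if head.startswith("interface "):
            yield head[10:].strip(), {l.strip() for l in body if l.startswith(" ")}

def lint_vpc(cfg):
    """Return the list of rule violations found in one switch's config."""
    ifaces, out, vpc_vlans, peer_vlans = dict(stanzas(cfg)), [], set(), None
    for name, cmds in ifaces.items():
        specs = [c.split()[-1] for c in cmds if re.fullmatch(r"switchport trunk allowed vlan [\d,-]+", c)]
        if "vpc peer-link" in cmds and specs:       # absent list = all VLANs allowed
            peer_vlans = expand_vlans(specs[0])
        if not any(re.fullmatch(r"vpc \d+", c) for c in cmds):
            continue                                 # not a vPC member port-channel
        if "no switchport" in cmds:
            out.append(f"R1 {name}: vPC supports only Layer 2 port-channels")
        if "spanning-tree port type normal" not in cmds:
            out.append(f"R3 {name}: add 'spanning-tree port type normal'")
        vpc_vlans |= {int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")}
    for v in sorted(vpc_vlans):
        if peer_vlans is not None and v not in peer_vlans:
            out.append(f"R2 vlan {v}: not allowed on the vPC peer-link")
        if any(c.startswith("ip router ospf ") for c in ifaces.get(f"Vlan{v}", ())):
            out.append(f"R4 Vlan{v}: no OSPF adjacency over a vPC VLAN SVI")
    return out

# Constructed sample: option 2 on N9k A with VLAN 300 off the peer-link, no 'port type normal', OSPF on the SVI.
SAMPLE_N9K_A = """interface port-channel10
  switchport trunk allowed vlan 10-20
  vpc peer-link
interface port-channel300
  switchport access vlan 300
  vpc 300
interface Vlan300
  ip router ospf 1 area 0.0.0.0
"""
```

Running lint_vpc(SAMPLE_N9K_A) yields one R3, one R2 and one R4 finding; feeding it the thread's option 1 (routed port-channel plus 'vpc 300') yields R1.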

Hi,

As I understand it, the Cisco Nexuses operate like one device on Layer 2 and like two devices on Layer 3.

Or, in another case, do the routing on the DC2ASA1 firewall (if we have only some routes).

Well, for example, we have VMware ESXi hosts that must be connected to the Nexus switches, and our vSphere license only allows standard vSwitches. We have 3 subnets for servers. In this case, as I understand it, I need to use vPC between the Nexus switches and the ESXi hosts. On Nexus-A configure an SVI with IP 10.20.0.2/24, on Nexus-B configure an SVI with IP 10.20.0.3/24, and an HSRP group with VIP 10.20.0.1/24 that will be the default GW for servers in VLAN A. And so on for the other subnets, VLAN B (10.20.1.0/24) and VLAN C (10.20.2.0/24).

Or the second case is to configure without HSRP, but then all routing between the different subnets must be done by the DC2ASA1,

but when we have too many subnets we will have too many subinterfaces (with different nameif, ACLs, NAT and so on) on the ASA.

Hi,

You only need to use vPCs between the Nexus switches and the VMware ESXi hosts if you are using Route based on IP hash load balancing on the standard vSwitches. If you have configured load balancing to use Route based on the originating virtual port ID, also known as vSwitch port-based load balancing, then vPC is not required.

Correct, you can either use the Nexus switches as the default gateway for your VLANs, with HSRP to provide first-hop redundancy, or remove the Layer 3 configuration from the Nexus switches and configure it on the Cisco ASA firewall; the ASA firewall will then be responsible for inter-VLAN routing. As you have noted, configuring the ASA to handle inter-VLAN routing for all of your VLANs will have greater admin overhead and could also become a bottleneck depending on its throughput capabilities.

In a large number of my deployments I would typically configure the Nexus switches to act as the default gateway for internal trusted networks, such as server networks, management networks, etc., and then configure the Cisco ASA to act as the default gateway for untrusted networks such as a DMZ. The ASA then provides inter-VLAN routing between trusted and untrusted networks with strict filtering in place.

Hope this helps.