02-10-2017 06:59 AM - edited 03-01-2019 08:29 AM
Hello.
I have two Cisco Nexus 9372 in a vPC domain and four 3Com 5500G EI switches in an XRN stack (common control and data plane).
See the attached schemes.
I am trying to understand the best way to connect them to each other. What should I use: vPC, an L3 Port-channel interface, HSRP, SVI?
1) If I use an L3 Port-channel interface on the Nexus side:
Do I need to apply the command 'vpc 300' under interface Port-channel 300?
N9k A
N9k B
The DC1sw1 is an XRN stack and logically operates like one device (common control and data plane), configured with interface Vlan 300:
interface TenGigabitEthernet4/1/1
interface TenGigabitEthernet4/1/2
interface Vlan-interface300
Will all of this work?
2) Or maybe I need to use vPC and HSRP?
N9k A: switchport access vlan 300, vpc 300, channel-group 300
Interface vlan 300 with IP address 10.20.255.250/29, HSRP group 300 with virtual IP address 10.20.255.253/29
N9k B: switchport access vlan 300, vpc 300, channel-group 300
Interface vlan 300 with IP address 10.20.255.251/29, HSRP group 300 with virtual IP address 10.20.255.253/29
And DC1SW1 (3Com) with interface vlan 300 and IP address 10.20.255.254/29
3) What will be the best scheme if in the future I plan to use OSPF dynamic routing?
02-10-2017 07:53 AM
Hi,
As far as I'm aware vPC only supports layer 2 port-channels and not layer 3 port-channels (port-channel configured as a routed interface) so option 1 will not be possible.
Option 2 will be one option. Note that VLAN 300 will need to be added to the vPC peer-link and the ports connecting to the 3com switch will need to be configured with 'spanning-tree port type normal' to prevent the port from using Bridge Assurance and being unexpectedly blocked by STP.
When you plan to use OSPF, you will just need to remove the HSRP configuration from the N9Ks as it will no longer be required. The 3com switch will establish an OSPF adjacency with both N9Ks SVI interfaces.
Another option to support OSPF is to remove the vPC configuration and configure the N9K and 3com switch interfaces as routed point-to-point links and then establish OSPF adjacencies over these links.
Hope this helps
02-10-2017 08:34 AM
Hi,
Thanks willwetherman.
But.
Ok. But for what purpose can the N9k be configured with a Layer 3 Port-channel interface?
Hm.
02-10-2017 10:09 AM
Layer 3 port channels can be used if the member interfaces are both connected to the same N9K switch.
See the following link that states that vPC only support Layer 2 port channels.
"You can use only Layer 2 port channels in the vPC"
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_chapter_0111.html
02-10-2017 10:43 AM
Actually apologies but the following statement I made was incorrect.
"When you plan to use OSPF, you will just need to remove the HSRP configuration from the N9Ks as it will no longer be required. The 3com switch will establish an OSPF adjacency with both N9Ks SVI interfaces"
Routing protocol adjacencies will not be supported between the 3com switch and Nexus 9K switches over the vPC VLAN. In this instance, you will need to use the 2nd recommendation of using L3 point-to-point links between the 3Com switch and each vPC peer device. The following link explains the supported topologies.
https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html
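The constraints given in the replies above (a vPC member port-channel must be Layer 2, the vPC VLAN must be allowed on the peer-link, the ports facing the 3Com stack need 'spanning-tree port type normal', and no OSPF adjacency over the vPC VLAN) can be checked statically against an NX-OS running-config. The script below is an added example written for this thread; it is not Cisco's code and not anything the posters provided. The two config snippets inside it are constructed: the first mirrors option 2 from the question with one deliberate violation of each rule, the second is the corrected form. The function and rule names are my own.

```python
"""Static check of an NX-OS running-config against the vPC constraints
discussed in this thread. Added example, not Cisco's or the poster's code."""
import re
from typing import Dict, List, Set

# Constructed sample: the "N9k A" side of option 2 (vPC + HSRP), with one
# deliberate mistake per rule so the checker has something to report.
SAMPLE_CONFIG = """\
vlan 300
interface port-channel10
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc peer-link
interface port-channel300
  switchport
  switchport mode access
  switchport access vlan 300
  vpc 300
interface port-channel301
  no switchport
  ip address 10.20.254.1/30
  vpc 301
interface Vlan300
  ip address 10.20.255.250/29
  ip router ospf 1 area 0.0.0.0
  hsrp 300
    ip 10.20.255.253
"""

# Constructed corrected config: VLAN 300 on the peer-link, L2-only vPC
# member with Bridge Assurance disabled, HSRP on the SVI and no OSPF there.
FIXED_CONFIG = """\
vlan 300
interface port-channel10
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100,200,300
  vpc peer-link
interface port-channel300
  switchport
  switchport mode access
  switchport access vlan 300
  spanning-tree port type normal
  vpc 300
interface Vlan300
  ip address 10.20.255.250/29
  hsrp 300
    ip 10.20.255.253
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented config lines under their 'interface ...' header."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None  # unindented line: back to global config
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Turn '100,200,300-302' into {100, 200, 300, 301, 302}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def check_vpc_config(config: str) -> List[str]:
    """Return one finding string per violated rule (empty list = clean)."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)

    # VLANs carried on the vPC peer-link; every vPC VLAN must be in here.
    peer_link_vlans: Set[int] = set()
    for lines in ifaces.values():
        if "vpc peer-link" in lines:
            for ln in lines:
                m = re.match(r"switchport trunk allowed vlan (.+)", ln)
                if m:
                    peer_link_vlans |= expand_vlan_list(m.group(1))

    vpc_vlans: Set[int] = set()
    for name, lines in ifaces.items():
        if not any(re.fullmatch(r"vpc \d+", ln) for ln in lines):
            continue  # not a vPC member port-channel
        # Rule 1: vPC supports only Layer 2 port-channels.
        if "no switchport" in lines or any(ln.startswith("ip address") for ln in lines):
            findings.append(f"{name}: vPC member is a routed (L3) port-channel; vPC supports only L2 port-channels")
        # Rule 2: the vPC access VLAN must be allowed on the peer-link.
        for ln in lines:
            m = re.match(r"switchport access vlan (\d+)", ln)
            if m:
                vlan = int(m.group(1))
                vpc_vlans.add(vlan)
                if vlan not in peer_link_vlans:
                    findings.append(f"{name}: VLAN {vlan} is not allowed on the vPC peer-link")
        # Rule 3: ports facing a third-party switch must not run Bridge Assurance.
        if "spanning-tree port type normal" not in lines:
            findings.append(f"{name}: missing 'spanning-tree port type normal' (Bridge Assurance may block the port)")

    # Rule 4: no OSPF adjacency over the SVI of a vPC VLAN.
    for name, lines in ifaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and int(m.group(1)) in vpc_vlans and any(ln.startswith("ip router ospf") for ln in lines):
            findings.append(f"{name}: OSPF enabled on the SVI of vPC VLAN {m.group(1)}; use routed point-to-point links instead")
    return findings


if __name__ == "__main__":
    for finding in check_vpc_config(SAMPLE_CONFIG):
        print(finding)
    print("fixed config findings:", check_vpc_config(FIXED_CONFIG))
```

Run it against `show running-config` output saved to a file (replace the constructed strings with the file contents) to get a quick list of which of the thread's rules a vPC design breaks; the corrected snippet produces no findings, the deliberately broken one reports all five.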
02-14-2017 12:31 AM
Hi,
As I understand it, the Cisco Nexuses operate like one device on Layer 2 and like two devices on Layer 3.
Or, in another case, do the routing on the DC2ASA1 firewall (if we have only some routes).
Well.
And for example, we have VMware ESXi hosts that must be connected to the Nexus, and the vSphere license only allows standard vSwitches. We have 3 subnets for servers. In this case, as I understand it, I need to use vPC between the Nexus and the ESXi host. On Nexus-A configure an SVI with IP 10.20.0.2/24, on Nexus-B configure an SVI with IP 10.20.0.3/24, and an HSRP group with vIP 10.20.0.1/24 that will be the default GW for servers in VLAN A. And so on for the other subnets, VLAN B (10.20.1.0/24) and VLAN C (10.20.2.0/24).
Or the second case is to configure without HSRP, but then all routing between different subnets must be done by the DC2ASA1,
but when we have too many subnets we will have too many subinterfaces with different settings (nameif, ACLs, NAT and so on) on the ASA.
02-14-2017 12:59 AM
Hi,
You only need to use vPCs between the Nexus switches and the VMware ESXi hosts if you are using Route based on IP hash load balancing on the standard vSwitches. If you have configured load balancing to use Route based on the originating virtual port ID, also known as vSwitch port-based load balancing, then vPC is not required.
Correct, you can either use the Nexus switches to act as the default gateway for your VLANs with HSRP to provide first hop redundancy, or remove the Layer 3 configuration from the Nexus switches and configure it on the Cisco ASA firewall, the ASA firewall will then be responsible for inter-vlan routing. As you have noted, configuring the ASA to handle the inter-vlan routing for all of your VLANs will have a greater admin overhead and could also become a bottleneck depending on its throughput capabilities.
In a large number of my deployments I would typically configure the Nexus switches to act as the default gateway for internal trusted networks, such as server networks, management networks etc. and then configure the Cisco ASA to act as the default gateway for untrusted networks such as a DMZ. The ASA then provides inter-vlan routing between trusted and untrusted networks with strict filtering in place.
Hope this helps.