@Alek5942 wrote:
@Joseph W. Doherty please ignore replies from @MHM Cisco World because he didn't get my question.
Possibly he didn't, but he is very knowledgeable. What he might have in mind, that a Campus Core and DC Core should be connected via vPC, using a dedicated VLAN, not directly sharing DC VLANs.(?) And/or trying to convey a warning about something we're overlooking.
It's been some time (many years) since I've touched a Nexus, and I recall, it seemed, every time there was a NX-OS version release, vPC features where "enhanced". Also features seem to vary between Nexus platforms. Doing a quick search I found TechNote Create Topologies for Routing over Virtual Port Channel, interesting information, including its referenced links.
@Alek5942 wrote:
Sorry, but I still didn't get your FEX reference: "As you mention using Nexus in your DC, are you using FEXs? If so, consider the logical L2 and L3 topologies, and why they are." May I ask to clarify it again?
What I was trying to convey, a large DC, before Nexus, due to its L2 and L3 needs, was a bit of a mess. The Nexus/FEX, eased L2/L3 DCs, but if you start to actually extend DC VLANs, into the campus, you're bringing back such issues. (In my case, my experience predates Nexus, and to me, I wouldn't want to recreate a pre-Nexus/FEX environment.)
@Alek5942 wrote:
Regarding "But is it extending DC VLANs to campus core? - If it does work, it would be like settling up a L2 port channel but routing across it using SVIs or not." - I think in case of L2 port channel it extends VLANs to campus core, but in case of L3 port channel it won't extend. So, potentially to use L3 link between Nexus and Catalyst, we can use vPC with HSRP on Nexus side and L3 port-channel on Catalyst side, but maybe I'm wrong.
I'm not completely sure, which is how I found the reference I did. Nexus always a bit odd in that it's still two distinct physical devices except for vPC. VSS and/or stacks, much simpler, as multiple physical devices become just one logical device.
@Alek5942 wrote:
As for why they need L2 between DC Core and Campus Core, one of the reason might be that they're testing scenario when use and the server is in the same VLAN and it's for "security" reason. They want to have one VLAN for the users and server and those users will not be able to reach anything, except that server and nobody can reach that server from other VLANs. Default gateway for both users and servers will be the Firewall. Personally I think it's not correct way to accomplish what they want, it looks like ugly design.
Well, firstly, would question placing user host and server host in same VLAN, as doubtful that would be a final production implementation. Many things you can do for security without placing both hosts into same VLAN, across campus/DC, some of which might still be desired for production. But, if you really, really needed to have a campus test host and server test host in same VLAN, for testing, there are other methods to interconnect L2 across L3 without doing it generally.
One final point, you cannot, of course, have a L3 connection without L2. So, if you're routing on a campus core, and routing on a DC core, you build L2 between them, and usually then route between them. But, if you're trying to bypass L3 between the two cores, what does that exactly mean? Extending the same VLAN(s) between users and servers?
Modern network designs generally try to constrain L2 domains.
