03-20-2012 10:42 PM - edited 03-04-2019 03:44 PM
Hi
N5K will be running on Layer 2 mode.
vPC configured between N5K and N2K
Servers are part of Vlan 10, 20, 30 and Juniper SRX firewall is the gateway for all the servers.
SRX firewall is in Active/Standby mode.
Questions are
1) Is there any non-vPC link required between N5K in this scenario?
2) N5K will pass in/out traffic to Juniper SRX firewall during SRX failover as well as normal operation
03-21-2012 01:11 AM
Hi, have you consulted this document?
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572835-00_NX-OS_vPC_DG.pdf
Yes, a non-VPC or Peer-Keepalive Link is required to resolve dual-active failures.
I'm not a Juniper expert so I can't comment on question 2.
03-21-2012 05:02 AM
Dear Sean evershed
Peer-KA link is and dual 10Gig link exists between N5K
For normal operation, without considering dual-active failure, do we need non-vPC link for the attached scenario ?
Consider Cisco ASA instead of Juniper, If firewall fails, (Active/Standby) can traffic still reach primary IP address of firewall on other N5K right? Just want to know, other than dual-active failures situation, do we need non-vPC link here?
N5K is configured as Layer2 and Firewall IP address is GW for all the servers connected to N2K.
Rgds
Rajesh
03-21-2012 05:31 AM
Hi Rajesh ,
If you want to configure your network as in your diagram you will not need vPC.
You will need vPC if you want to
- create a portchannel between each of your 2k and both 5k - 1 logical link - with 4 physical links
- create a portchannel between servers links and both 5k - 1 logical link - with 2 physical links
vPC will allow you to create a multichassis etherchannel, having a greater redundancy without the use of the STP.
Regards
Dan
03-21-2012 06:07 AM
Dear Dan-Ciprian
Reason we chose vPC is there are servers with Teaming configured.
Each server will connect both N2K with portchannel.
I think we need vPC in this case, pls. clarify.
Question is, is there any non-vPC link required in this scenario between the N5K ?
Rgds
Rajesh
03-21-2012 07:23 AM
Hi Rajesh,
First of all, look at your FEX setup, I do not know if you are able to connect one FEX to two 5K without vPC:
"Cisco Nexus 2000 Series Fabric Extenders dual-connected to two upstream Cisco Nexus 5000 Series Switches (vPC): In this deployment scenario, access-layer redundancy is achieved through a combination of Cisco Nexus 2000 Series Fabric Extenders dual-connected to an upstream parent switch and server NIC teaming."
If the servers are connected to both 2K via Portchannel, you will need vPC.
Besides the two links between the 5k which will be in portchannel and configured as vpc peer-link, there will be no need for other links between them.
What model of Nexus2000 do you have? Dual homed FEX is not supported on 2148T
Regards
Dan
03-21-2012 09:06 AM
Dear Dan
Nexus model is : N2K-C2248TF-1GE
Need clarification not on whether go with vPC or not.
With attached design, if N5K is running on Layer2 mode and downward servers Gateway is upward Firewall virtual IP.
Firewall is on Active/Standby mode, do I need any non-vPC link required between two N5K?
Servers are part of Vlan 10, 20, 30. and Firewall will have subinterface with vlan 10, 20, 30.
Appreciate your feedback.
Rgds
Rajesh
03-21-2012 09:29 AM
vPC has nothing to do with the Active/Standby Firewall. So those firewall links will not be part of the vpc domain, they will be purely access ports.
Also the loadbalancers will not be part of the vPC domain
Regards
Dan
03-21-2012 09:50 AM
Dear Dan
Thanks a lot. Before marking Question Answered, can you pls. brief, why usually we need to consider non-vPC link?
Which scenario we should consider having non-vPC link between two N5K ?
Rgds
Rajesh
03-21-2012 10:00 AM
non-vPC - a single equipment with a single/multiple connections to only one of the 5k
Any of your Firewall or Loadbalancer: each one has only one connection to the 5K. Even if they had multiple connections to the same 5k will not be part of the vpc domain.
You will use vPC if you have a single equipment (fex, other switch, server, etc) with two connections to both 5k, and those links you want them bundled as a portchannel.
Regards
Dan