
OSPF Peering on Nexus vPC Environment

Geunyoung Park
Level 1

I have studied that without the layer3 peer-router command it is impossible to form an OSPF neighbor relationship between Nexus vPC devices and an L3 device in a vPC environment.

But in my PNETLab, they peer very well without any problem (I placed 3 N9K devices, of which 2 are vPC peer devices and the other is a host (just an L3 device)). The host is connected to the two vPC peer devices over a vPC, and the host uses a layer 3 port channel on which an IP address is set. The vPC peer devices use SVIs for OSPF peering.

The main configurations on the vPC domain are these: peer-switch, peer-gateway, ip arp synchronize, auto-recovery.

Is this an exceptional case caused by the simulation environment? Or am I missing something about it?


Christopher Hart
Cisco Employee

Hello!

It is possible to form a unicast routing protocol adjacency between a vPC-connected router and two Cisco Nexus switches in a vPC domain without the layer3 peer-router vPC domain enhancement configured. This happens when the unicast routing protocol packets (such as OSPF DBD, LSU, LSR, LSAck, etc. packets) hash to the "correct" vPC peer instead of hashing to the "incorrect" vPC peer. However, this configuration is not supported without the layer3 peer-router vPC domain enhancement configured because in certain failure scenarios (such as a single link of the vPC going down, or a change in the hashing algorithm of the vPC-connected router after a software upgrade), OSPF unicast packets will start hashing to the "incorrect" vPC peer and cause the OSPF adjacencies to go down (typically stuck in an EXSTART state, in the case of OSPF).

This failure scenario is described in more detail in the "Unicast Routing Protocol Adjacencies over a vPC with vPC Peer Gateway" example failure scenario section of the Understand Virtual Port Channel (vPC) Enhancements document.

In other words, just because you are able to form a unicast routing protocol adjacency over a vPC without the layer3 peer-router vPC domain enhancement does not mean that doing so is supported. This applies to both a virtual lab (such as the one you have here) as well as a production environment.

I hope this helps - thank you!

-Christopher

I will run the lab tonight and share it with you in full detail.

Geunyoung Park
Level 1

Thanks a lot everyone.

Actually, yesterday I found the reason why the 3 devices peered well in my PNETLab. It was simply because of a limitation of the virtual lab environment.

I captured an OSPF unicast message (from NXOS-Host to NXOS-01) on the vPC peer link with Wireshark, and the message's TTL was 1. It means the unicast message's TTL was not decremented WITHOUT the layer3 peer-router command even though it flowed "NXOS-Host" --> "NXOS-02" --> "NXOS-01".

Additionally, I read a post on Reddit (https://www.reddit.com/r/networking/comments/lcgxow/nexus_9kv_ospf_works_without_the_layer3_peerrouter/). He or she experienced the same phenomenon as me, and applied the same configuration on both an EVE-NG lab environment and real Nexus devices. The result was different. Devices peered well on EVE-NG without the layer3 peer-router command, but in the real physical environment they couldn't peer, as expected.

So my conclusion is simple. There is a problem in the virtual lab environment.

Thanks again.
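
A simplified model of the two posts above (the hashing explanation and the TTL observation), added here as an example and not code from the thread or from Cisco. It assumes peer-gateway is enabled, that the "incorrect" peer routes the packet on its neighbour's behalf and decrements the TTL unless layer3 peer-router is configured, and a modulo hash over live member links; the flow hash values are constructed.

```python
# Added example: toy model, not Cisco code. Assumes peer-gateway is enabled.
PEERS = ("NXOS-01", "NXOS-02")  # vPC peer names as used in the thread


def pick_link(flow_hash, links_up):
    """Host port-channel hashing: return the peer the chosen member link lands on.

    Assumption: hash modulo the number of live links; real hashing is platform-specific.
    """
    live = [p for p in PEERS if links_up[p]]
    if not live:
        raise ValueError("no live vPC member links")
    return live[flow_hash % len(live)]


def deliver(dst_peer, flow_hash, links_up, layer3_peer_router, ttl=1):
    """True if an OSPF unicast packet (sent with TTL 1) reaches dst_peer."""
    ingress = pick_link(flow_hash, links_up)
    if ingress == dst_peer:
        return True  # hashed to the "correct" peer, handled locally
    # Hashed to the "incorrect" peer: it routes the packet for its neighbour.
    # Assumption: that hop decrements TTL unless layer3 peer-router is set.
    if not layer3_peer_router:
        ttl -= 1
    return ttl > 0  # TTL 0 means the packet is dropped before the peer link


def adjacency_state(flow_hashes, links_up, layer3_peer_router):
    """Per-peer result: can the host's OSPF unicast packets reach that peer?"""
    return {
        peer: deliver(peer, flow_hashes[peer], links_up, layer3_peer_router)
        for peer in PEERS
    }


# Constructed flow hashes that happen to land on the "correct" peer.
LUCKY = {"NXOS-01": 0, "NXOS-02": 1}
ALL_UP = {"NXOS-01": True, "NXOS-02": True}
ONE_DOWN = {"NXOS-01": False, "NXOS-02": True}  # member link to NXOS-01 fails

if __name__ == "__main__":
    for name, links in (("all links up", ALL_UP), ("one link down", ONE_DOWN)):
        for l3pr in (False, True):
            state = adjacency_state(LUCKY, links, l3pr)
            print(f"{name:14} layer3 peer-router={l3pr!s:5} -> {state}")
```

With the lucky hashes both adjacencies form without layer3 peer-router, which is the unsupported but working case; after the member link failure only the layer3 peer-router run keeps NXOS-01 reachable.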

Great work, but just wait for my reply; let's see what I get.

And, the same as you mentioned before, it is a lab problem.
I checked the TTL decrement, and the TTL is not decremented;
even when I run peer-gateway on both N9K vPC peers the TTL is not decremented.
I also changed the load balancing on the port-channel to include only the src IP, with the same result.
