Solved: he is already allowed

magedis0383 · ‎03-04-2015

Hello,

We have the topology in Attachement. and we have problem with SVI and VPC

The configuration:

N5K1:

vpc domain 100
peer-switch
role priority 100
system-priority 1024
peer-keepalive destination 192.168.21.1
peer-config-check-bypass
delay restore 150
peer-gateway
auto-recovery
ip arp synchronize

vlan 801
name DEV_WAN

interface Vlan801
description IP DEV
no shutdown
no ip redirects

interface Vlan1000
no shutdown
no ip redirects
ip address 192.168.22.5/30

interface port-channel1000
switchport mode trunk
spanning-tree port type network
spanning-tree guard loop
vpc peer-link

interface port-channel401
description LACP-SRV1

switchport mode trunk
speed 1000
duplex full
vpc 401

interface Ethernet1/1
description "TRUNK VPC"
no cdp enable
switchport mode trunk
spanning-tree port type network
spanning-tree bpdufilter enable
channel-group 1000 mode active

interface Ethernet1/2
description "TRUNK VPC"
switchport mode trunk
spanning-tree port type network
channel-group 1000 mode active

interface Ethernet1/5
description SRV1_GB2
switchport mode trunk
speed 1000
duplex full
channel-group 401 mode active

interface Ethernet1/29
description Uplink N5K3
switchport mode trunk

N5K2:

vpc domain 100
peer-switch
role priority 110
system-priority 1024
peer-keepalive destination 192.168.21.2
peer-config-check-bypass
delay restore 150
peer-gateway
auto-recovery
ip arp synchronize

vlan 801
name DEV_WAN

interface Vlan801
no shutdown
ip address 202.168.72.1/29

interface Vlan1000
description VPC-N5K
no shutdown
no ip redirects
ip address 192.168.22.6/30

interface port-channel1000
switchport mode trunk
spanning-tree port type network
spanning-tree guard loop
vpc peer-link

interface port-channel401
description LACP-SRV1
switchport mode trunk
speed 1000
duplex full
vpc 401

interface Ethernet1/1
description "TRUNK VPC"
switchport mode trunk
spanning-tree port type network
channel-group 1000 mode active

interface Ethernet1/2
description "TRUNK VPC"
switchport mode trunk
spanning-tree port type network

channel-group 1000 mode active

interface Ethernet1/5
description SRV1_GB4
switchport mode trunk
speed 1000
duplex full
channel-group 401 mode active

SRV1 IP: 202.168.72.2/29

When i plug the cable from SRV1 to N5K1 and N5K2 i can't ping SRV1 from ADM

when i unplug the cable from SRV1 to N5K2 i can't ping SRV1 from ADM

when i unplug the cable from SRV1 to N5K1 i CAN ping SRV1 from ADM

between N5K1, N5K2 and N5K3 we have OSPF

Thks !

Bilal Nawaz · ‎03-06-2015

No ARP sync improves convergence times for L3 flows. When a vpc peer link fails and then recovers the vpc arp sync performs arp bulk sync over cfs from the vpc primary peer device to secondary peer device.

The Juniper world of virtual chassis can only be compared with VSS of Cisco, or stack-wise technology. These both are completely different the way they behave in comparison with vPC.

The loop prevention happens like this, a frame comes in over the vpc peer link destined to switch / route down a vpc member port. At that point once the frame traverses the vpc peer link, the receiving N5K will drop the frame, rule being, the vpc memeber port of the originating N5K from where the frame reached first should have forwarded the frame on to the host or down its own vpc member port since it was UP and functional.

Hope this helps

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Jon Marshall · ‎03-06-2015

What I was saying was if you peer N5K3 to N5K2 on a non vPC vlan you should be able to connect SRV1 with a vPC to both N5Ks.

Having N5K3 peer with N5K1 is not giving you redundancy because it is only connected to N5K2.

So it is more an illusion of redundancy.

From my last post you can see I am still trying to understand the exact loop it is seeing but Bilal knows this better than me so I'm hoping he can explain.

If you do connect N5K3 to both don't use a vPC otherwise you will see the very problems Bilal has mentioned.

Jon

View solution in original post

Keith Nelson · ‎03-04-2015

I think you might need to allow VLAN 801 on the peer-link.

-Keith

magedis0383 · ‎03-05-2015

he is already allowed

magedis0383 · ‎03-05-2015

In fact when i make a traceroute from adm to srv1

the packet do:

ADM

N5K3

N5K2

N5K1

SRV1

because N5K1 "has" the vlan interface with the IP

Jon Marshall · ‎03-05-2015

because N5K1 "has" the vlan interface with the IP

That is not what your configuration says or perhaps I misunderstand what you mean by "has".

Jon

magedis0383 · ‎03-05-2015

Yes sorry there is a mistake on the schema

N5K2 has the vlan interface with the IP

Jon Marshall · ‎03-05-2015

What vlan is the ADM in and where is the SVI for that vlan ?

Jon

magedis0383 · ‎03-05-2015

In fact we have the problem with ADM or with any server which are outside our network.

For ADM the SVI is on N5K3, between N5K3 ans N5K1/2 we have OSPF too

Jon Marshall · ‎03-05-2015

What do traceroutes show when you have both connections plugged in on the server and when you are only connected to N5K2 ?

N5K3 is shown only connecting to N5K2, is that the way it is ie. there is no vPC from N5K3 to both N5K1 and 2 ?

When you did the traceroute from the ADM to the server you said it went via N5K1. What was the IP address of the hop on N5K1 ?

Jon

magedis0383 · ‎03-05-2015

From srv1 with the both câble connected i can't ping the svi

from Adm i stop at n5k2

Between n5k3 and n5k2 no vpc

and from srv1 with the both câble connected i can ping the svi without problem evenif i unplug the câble from n5k2

Jon Marshall · ‎03-05-2015

Can you post a "sh vpc brief" ?

Jon

magedis0383 · ‎03-05-2015

n5k01# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 8
Peer Gateway : Enabled
Peer gateway excluded VLANs : -
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled (timeout = 240 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po1000 up 1-3,101-102,110,700-703,705,710,730,801,803,1000,3
001-3008,3400-3401

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
1 Po1 up success success 1-3,101-102
,110,700-70
3,705,710,7
30,801,803,
1000,300....

401 Po401 down* success success -

(The cable is unplug)

n5K02# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 8
Peer Gateway : Enabled
Peer gateway excluded VLANs : -
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled (timeout = 240 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po1000 up 1-3,101-102,110,700-703,705,710,730,801,803,1000,3
001-3008,3400-3401

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
1 Po1 up success success 1-3,101-102
,110,700-70
3,705,710,7
30,801,803,
1000,300....

401 Po401 up success success 1-3,101-102
,110,700-70
3,705,710,7
30,801,803,
1000,300....

Jon Marshall · ‎03-05-2015

From srv1 with the both câble connected i can't ping the svi

and from srv1 with the both câble connected i can ping the svi without problem evenif i unplug the câble from n5k2

The above two statements contradict each other ?

Also you said that from the ADM a traceroute gets to N5K1 in an earlier post and in this one you are saying it stops at N5K2 ?

Can you clarify exactly what the issue is ?

Jon

magedis0383 · ‎03-05-2015

Erf sorry

from srv1 with the both cable connected or with only one connected i CAN ping the svi

from ADM1 with the both cable connect i CAN'T ping the SRV1

and from ADM1 a traceroute when the both cable is connected i stop at N5K2

whereas when there is only the cable connected to N5K2 the traceroute do:

ADM1

N5K3

N5K2

SRV1

when the cable is only connected to N5K1

ADM1

N5K3

N5K2

STOP

Bilal Nawaz · ‎03-06-2015

Does the N5K3 have a point to point OSPF neighborship with N5K2? Please describe to us how your ospf is configured.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

VPC + SVI problem