VPC + SVI problem

magedis0383
Level 1

Hello,

 

We have the topology in the attachment, and we have a problem with SVI and vPC.

The configuration:

N5K1:

vpc domain 100
  peer-switch
  role priority 100
  system-priority 1024
  peer-keepalive destination 192.168.21.1
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize

vlan 801
  name DEV_WAN

interface Vlan801
  description IP DEV
  no shutdown
  no ip redirects

interface Vlan1000
  no shutdown
  no ip redirects
  ip address 192.168.22.5/30

interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link

interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401

interface Ethernet1/1
  description "TRUNK VPC"
  no cdp enable
  switchport mode trunk
  spanning-tree port type network
  spanning-tree bpdufilter enable
  channel-group 1000 mode active

interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/5
  description SRV1_GB2
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active

interface Ethernet1/29
  description Uplink N5K3
  switchport mode trunk

 

N5K2:

vpc domain 100
  peer-switch
  role priority 110
  system-priority 1024
  peer-keepalive destination 192.168.21.2
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize

vlan 801
  name DEV_WAN

interface Vlan801
  no shutdown
  ip address 202.168.72.1/29

interface Vlan1000
  description VPC-N5K
  no shutdown
  no ip redirects
  ip address 192.168.22.6/30

interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link

interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401

interface Ethernet1/1
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active

interface Ethernet1/5
  description SRV1_GB4
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active

 

SRV1 IP: 202.168.72.2/29

 

When I plug the cable from SRV1 to N5K1 and N5K2, I can't ping SRV1 from ADM.

When I unplug the cable from SRV1 to N5K2, I can't ping SRV1 from ADM.

When I unplug the cable from SRV1 to N5K1, I CAN ping SRV1 from ADM.

Between N5K1, N5K2 and N5K3 we have OSPF.

Thanks!
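The two configs above define SVI 801 on both vPC peers but give it an IP address on N5K2 only, which is the asymmetry the replies below circle around. As an added example (not from the thread or from Cisco), here is a small check that parses two NX-OS config excerpts and flags SVIs whose IP exists on only one peer; the excerpts embedded are constructed from the N5K1/N5K2 configs posted above.

```python
"""Added example (not from the thread): compare the SVIs two vPC peers
define and flag those that carry an IP address on only one peer.  The
excerpts below are constructed from the N5K1/N5K2 configs in the post."""
import re

N5K1 = """
interface Vlan801
  description IP DEV
  no shutdown
  no ip redirects

interface Vlan1000
  no shutdown
  ip address 192.168.22.5/30
"""

N5K2 = """
interface Vlan801
  no shutdown
  ip address 202.168.72.1/29

interface Vlan1000
  description VPC-N5K
  no shutdown
  ip address 192.168.22.6/30
"""

def parse_svis(config):
    """Return {vlan_id: ip_or_None} for every 'interface VlanN' block."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            svis[current] = None
            continue
        m = re.match(r"\s+ip address (\S+)", line)   # 'no ip redirects' does not match
        if m and current is not None:
            svis[current] = m.group(1)
    return svis

def asymmetric_svis(cfg_a, cfg_b):
    """VLANs whose SVI has an IP on one peer but not the other: {vlan: (ip_a, ip_b)}."""
    a, b = parse_svis(cfg_a), parse_svis(cfg_b)
    out = {}
    for vlan in sorted(set(a) | set(b)):
        ip_a, ip_b = a.get(vlan), b.get(vlan)
        if (ip_a is None) != (ip_b is None):
            out[vlan] = (ip_a, ip_b)
    return out

if __name__ == "__main__":
    for vlan, (ip1, ip2) in asymmetric_svis(N5K1, N5K2).items():
        print(f"Vlan{vlan}: N5K1={ip1} N5K2={ip2}  <- IP on one peer only")
```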

 

 

 

48 Replies

Hi,

 

Yes, N5K3 has a p-t-p OSPF adjacency with N5K2 in a dedicated VLAN.

N5K3 has an OSPF connection with N5K1 in a dedicated VLAN.

OSPF configuration for N5K1:

router ospf 1
  router-id 202.168.72.140
  network 202.168.72.0/24 area 0.0.0.0
  default-information originate
  redistribute direct route-map connec
  area 0.0.0.0 range 202.168.72.0/24
  log-adjacency-changes detail
  auto-cost reference-bandwidth 1000000
  ip ospf event-history adjacency size large

N5K2:

router ospf 1
  router-id 202.168.72.141
  network 202.168.72.0/24 area 0.0.0.0
  default-information originate
  redistribute direct route-map connec
  area 0.0.0.0 range 202.168.72.0/24
  log-adjacency-changes
  auto-cost reference-bandwidth 1000000
  ip ospf event-history adjacency size large

 

You mean N5K3 has an adjacency via the vpc peer link to N5K1?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes, because N5K3 has only one attachment, to N5K2 and not to N5K1.

Well, that's why your ping breaks (I think). Traffic is being routed via the vPC peer link to N5K1, and the frames are being dropped at N5K1. This is a loop prevention mechanism, and the design must be changed for this to work.

Try adding a link between N5K1 and N5K3 directly: move the point-to-point VLAN used for OSPF for N5K1 onto a direct link with N5K3, the same as you already have between N5K2 and N5K3.

 

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

That's what I was thinking about the "loop" ...

I can't add a direct connection between N5K1 and N5K3 :(

Thanks.

 

Do you understand why the "loop" and the rule with vPC? If not, happy to explain.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes.

But I was thinking that Nexus syncs ARP and "routing".

We have Juniper QFX that are configured as a "virtual chassis", and the link between the switches can send a packet even if the packet comes from the first switch.

In our topology a packet can arrive at N5K2, then go to N5K1 and finally go to SRV1,

but the vPC can do N5K2 -> N5K1 because the SVI is ONLY on N5K2.

 

 

No. ARP sync improves convergence times for L3 flows. When a vPC peer link fails and then recovers, the vPC ARP sync performs an ARP bulk sync over CFS from the vPC primary peer device to the secondary peer device.

The Juniper world of virtual chassis can only be compared with VSS of Cisco, or StackWise technology. Both of these behave completely differently in comparison with vPC.

The loop prevention happens like this: a frame comes in over the vPC peer link, destined to be switched or routed down a vPC member port. Once the frame has traversed the vPC peer link, the receiving N5K will drop the frame, the rule being that the vPC member port of the originating N5K, where the frame first arrived, should have forwarded the frame on to the host down its own vPC member port, since that port was UP and functional.

Hope this helps

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal

I thought it might be loop prevention, but here is the bit I don't understand.

N5K1 does not have an IP address for vlan 801.

So any routes for vlan 801 that N5K3 has would be better via N5K2. 

And why is N5K2 sending it to N5K1 because it should route the packet locally and send it via the vPC.

I could understand if N5K1 had an IP on that vlan because then with a shared vlan N5K3 would see two equal cost paths but it doesn't.

Any ideas?

Jon

No IP for vlan 801 on N5K1 because we use the SVI as the first hop for SRV1.

We are going to add HSRP between the two N5K1/N5K2 on SVI 801.

 

Yes, that's the slightly confusing bit about all this, i.e. there is no IP on vlan 801 on N5K1, so I'm not sure why N5K3 is using N5K1 as a next hop IP.

What does a "sh ip route 202.168.72.0 255.255.255.248" on N5K3 show?

Jon

I see the route from N5K1 and N5K2.

Even if I had an IP on SVI 801 on N5K1, it would not work, because SRV1 has its default gw set to the IP of N5K2.

Can you post a "sh ip ospf neigh" from all three switches?

Jon

If you see the route via both N5K1 and N5K2 then Bilal is spot on (no surprise there !).

But I can't see why it is seeing equal cost paths as N5K1 should not be advertising an LSA for that link.

What does the "sh ip route" for that network look like on N5K3, and what are the LSA type 1s in the OSPF database on N5K3 for that network?

Jon

Hey Jon,

Ok, so from what I gathered, and this is to my understanding of what the OP has described, "logically - L3", things look like this:

[Illustration: OSPF (L3 view)]

Nothing wrong with this so far, it seems fine, and it is a possible reason why N5K3 may have been routing to N5K1, highly likely. But this is where the problem is. Let's take a look at the L2/L1:

[Illustration: L2 view]

When routed from N5K3 to N5K1, in terms of layer 2, N5K1 knows that N5K2's vPC member port is OK and VLAN X is forwarding normally over the vPC. When traffic is routed at N5K1 for this host off of VLAN X, it traverses the vPC peer link, and the N5K1 stops things there: "it shouldn't be coming to me, N5K2's path is perfectly fine!" Look at the blue demarc point dotted out downwards; this bit is key. No matter what you do in this scenario, routing at N5K1 will just not work. Only when N5K2's link to the server in VLAN X goes down will frames be forwarded by N5K1.

Not sure if I explained that well. But thought the illustrations are worth the effort.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
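The loop-prevention rule Bilal states in his two replies above (a frame that crossed the vPC peer link is not sent out a vPC member port while the peer's member port of that vPC is up) can be written down as a decision function. This is an added example, not code from the thread or from Cisco; the switch names, the port name Eth1/29, the Frame fields and the ingress labels are assumptions made for the example.

```python
"""Added example (not from the thread): a small model of the vPC peer-link
loop-prevention rule described in the replies.  Switch names, port names and
the Frame fields are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class VpcPeer:
    name: str
    vpc_member_up: bool        # state of this switch's own vPC 401 member port

@dataclass
class Frame:
    ingress: str               # "peer-link" or any other ingress port
    egress_vpc: Optional[int]  # vPC the frame must leave on, None if not a vPC

def forwards(switch, peer, frame):
    """Decide whether `switch` forwards `frame` out a vPC member port.
    Rule: a frame received over the vPC peer link is dropped if the peer's
    member port of that vPC is up, because the peer should have delivered it
    down its own member port.  Returns (forwarded, reason)."""
    if frame.egress_vpc is None:
        return True, "not a vPC egress, normal forwarding"
    if not switch.vpc_member_up:
        return False, f"{switch.name}: own vPC {frame.egress_vpc} member is down"
    if frame.ingress == "peer-link" and peer.vpc_member_up:
        return False, (f"{switch.name}: came over peer link and {peer.name}'s "
                       f"vPC {frame.egress_vpc} member is up, drop")
    return True, f"{switch.name}: forward out vPC {frame.egress_vpc}"

def scenarios():
    """The cases the rule distinguishes, keyed by name (True = forwarded)."""
    n5k2_up, n5k2_down = VpcPeer("N5K2", True), VpcPeer("N5K2", False)
    n5k1 = VpcPeer("N5K1", True)
    via_peer_link = Frame("peer-link", 401)   # frame that arrived over the peer link
    local = Frame("Eth1/29", 401)             # frame that entered on N5K1's own uplink
    return {
        "peer_link_peer_up": forwards(n5k1, n5k2_up, via_peer_link)[0],
        "peer_link_peer_down": forwards(n5k1, n5k2_down, via_peer_link)[0],
        "local_ingress": forwards(n5k1, n5k2_up, local)[0],
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'forwarded' if ok else 'dropped'}")
```

The "peer_link_peer_down" case is the one the thread observes when the SRV1 cable on the other peer is unplugged: only then does the frame leave the receiving switch.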