03-04-2015 10:18 AM - edited 03-05-2019 12:56 AM
Hello,
We have the topology in the attachment, and we have a problem with SVI and VPC.
The configuration:
N5K1:
vpc domain 100
  peer-switch
  role priority 100
  system-priority 1024
  peer-keepalive destination 192.168.21.1
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize
vlan 801
  name DEV_WAN
interface Vlan801
  description IP DEV
  no shutdown
  no ip redirects
interface Vlan1000
  no shutdown
  no ip redirects
  ip address 192.168.22.5/30
interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link
interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401
interface Ethernet1/1
  description "TRUNK VPC"
  no cdp enable
  switchport mode trunk
  spanning-tree port type network
  spanning-tree bpdufilter enable
  channel-group 1000 mode active
interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active
interface Ethernet1/5
  description SRV1_GB2
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active
interface Ethernet1/29
  description Uplink N5K3
  switchport mode trunk
N5K2:
vpc domain 100
  peer-switch
  role priority 110
  system-priority 1024
  peer-keepalive destination 192.168.21.2
  peer-config-check-bypass
  delay restore 150
  peer-gateway
  auto-recovery
  ip arp synchronize
vlan 801
  name DEV_WAN
interface Vlan801
  no shutdown
  ip address 202.168.72.1/29
interface Vlan1000
  description VPC-N5K
  no shutdown
  no ip redirects
  ip address 192.168.22.6/30
interface port-channel1000
  switchport mode trunk
  spanning-tree port type network
  spanning-tree guard loop
  vpc peer-link
interface port-channel401
  description LACP-SRV1
  switchport mode trunk
  speed 1000
  duplex full
  vpc 401
interface Ethernet1/1
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active
interface Ethernet1/2
  description "TRUNK VPC"
  switchport mode trunk
  spanning-tree port type network
  channel-group 1000 mode active
interface Ethernet1/5
  description SRV1_GB4
  switchport mode trunk
  speed 1000
  duplex full
  channel-group 401 mode active
SRV1 IP: 202.168.72.2/29
When I plug the cable from SRV1 to N5K1 and N5K2, I can't ping SRV1 from ADM.
When I unplug the cable from SRV1 to N5K2, I can't ping SRV1 from ADM.
When I unplug the cable from SRV1 to N5K1, I CAN ping SRV1 from ADM.
Between N5K1, N5K2 and N5K3 we have OSPF.
Thanks!
03-06-2015 01:56 AM
Hi,
Yes, N5K3 has a p-t-p OSPF with N5K2 in a dedicated VLAN.
N5K3 has an OSPF connection with N5K1 in a dedicated VLAN.
OSPF configuration for N5K1:
router ospf 1
  router-id 202.168.72.140
  network 202.168.72.0/24 area 0.0.0.0
  default-information originate
  redistribute direct route-map connec
  area 0.0.0.0 range 202.168.72.0/24
  log-adjacency-changes detail
  auto-cost reference-bandwidth 1000000
ip ospf event-history adjacency size large
N5K2:
router ospf 1
  router-id 202.168.72.141
  network 202.168.72.0/24 area 0.0.0.0
  default-information originate
  redistribute direct route-map connec
  area 0.0.0.0 range 202.168.72.0/24
  log-adjacency-changes
  auto-cost reference-bandwidth 1000000
ip ospf event-history adjacency size large
03-06-2015 01:58 AM
You mean N5K3 has an adjacency via the vpc peer link to N5K1?
03-06-2015 02:00 AM
Yes, because N5K3 has only one attachment to N5K2 and not to N5K1.
03-06-2015 02:04 AM
Well, that's why your ping breaks (I think). Traffic is being routed via the vPC peer link to N5K1, and the frames are being dropped at N5K1. This is a loop prevention mechanism, and the design must be changed for this to work.
Try adding a link between N5K1 and N5K3 directly, move the point to point VLAN used for OSPF for N5K1 and have direct with 5K3. Same as you have already with N5K2 and N5K3.
03-06-2015 02:09 AM
That's what I was thinking about the "loop" ...
I can't add a direct connection between N5K1 and N5K3 :(
Thanks.
03-06-2015 02:20 AM
Do you understand why the "loop" and the rule with vPC? If not, happy to explain.
03-06-2015 02:28 AM
Yes.
But I was thinking that Nexus syncs ARP and "routing".
We have Juniper QFX that are configured as a "virtual chassis" and the link between the switches can send packets even if a packet comes from the first switch.
In our topology a packet can arrive at N5K2, then go to N5K1 and finally go to SRV1.
But the VPC can do N5K2 -> N5K1 because the SVI is ONLY on N5K2.
03-06-2015 02:49 AM
No, ARP sync improves convergence times for L3 flows. When a vPC peer link fails and then recovers, the vPC ARP sync performs an ARP bulk sync over CFS from the vPC primary peer device to the secondary peer device.
The Juniper world of virtual chassis can only be compared with Cisco's VSS or StackWise technology. Both are completely different in the way they behave in comparison with vPC.
The loop prevention happens like this: a frame comes in over the vPC peer link, destined to be switched or routed down a vPC member port. Once the frame has traversed the vPC peer link, the receiving N5K will drop the frame. The rule is that the vPC member port of the originating N5K, where the frame arrived first, should have forwarded the frame on to the host down its own vPC member port, since it was UP and functional.
Hope this helps
Bilal
03-06-2015 03:09 AM
Hi Bilal
I thought it might be loop prevention, but here is the bit I don't understand.
N5K1 does not have an IP address for vlan 801.
So any routes for vlan 801 that N5K3 has would be better via N5K2.
And why is N5K2 sending it to N5K1 because it should route the packet locally and send it via the vPC.
I could understand if N5K1 had an IP on that vlan because then with a shared vlan N5K3 would see two equal cost paths but it doesn't.
Any ideas ?
Jon
03-06-2015 05:23 AM
No IP for VLAN 801 on N5K1 because we use the SVI as the first hop for SRV1.
We are going to add HSRP between the 2 N5K1/N5K2 on the SVI 801.
03-06-2015 05:45 AM
Yes, that's the slightly confusing bit about all this ie. there is no IP on vlan 801 on N5K1 so I'm not sure why N5K3 is using N5K1 as a next hop IP.
What does a "sh ip route 202.168.72.0 255.255.255.248" on N5K3 show ?
Jon
03-06-2015 06:04 AM
I see the route from N5K1 and N5K2.
Even if I had an IP on the SVI 801 N5K1 it will not work because has default gw with the IP of N5K2.
03-06-2015 06:16 AM
Can you post a "sh ip ospf neigh" from all three switches ?
Jon
03-06-2015 06:20 AM
If you see the route via both N5K1 and N5K2 then Bilal is spot on (no surprise there !).
But I can't see why it is seeing equal cost paths as N5K1 should not be advertising an LSA for that link.
What does the "sh ip route" for that network look like on N5K3 and what are the LSA type 1's in the OSPF database on N5K3 for that network.
Jon
03-06-2015 06:07 AM
Hey Jon,
Ok, so from what I gathered, and this is to my understanding of what the OP has described, "logically - L3", things look like this
Nothing wrong with this so far, it seems fine, and is a possibility why N5K3 may have been routing to N5K1, highly likely. But this is where the problem is. Let's take a look at the L2/L1.
When routed from N5K3 to N5K1, in terms of layer 2, N5K1 knows that 5K2's vPC member port is OK, VLAN X is forwarding normally over the vPC. When traffic is routed at N5K1 for this host off of VLAN X, it traverses the vPC peer link, and the N5K1 stops things there: "it shouldn't be coming to me, N5K2's path is perfectly fine!" Look at the blue demarc point dotted out downwards; this bit is key. No matter what you do in this scenario, routing at N5K1 will just not work. Only when N5K2's link to the server in VLAN X goes down, only then will frames be forwarded by N5K1.
Not sure if I explained that well. But thought the illustrations are worth the effort.
Bilal
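An added example, not part of the thread and not Cisco tooling: a small Python check that parses the two posted peer configs (kept flat, as pasted) and reports SVIs that carry an IP address on only one vPC peer, plus interface commands present on one peer only. The function names and the excerpted sample strings are constructed for illustration.

```python
import re

# Lines that end an interface section when the paste has lost its indentation.
TOP_LEVEL = re.compile(r"^(vpc domain |vlan \d|router )")

def parse_interfaces(config):
    """Map interface name -> set of its sub-commands (works on flattened configs)."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = sections.setdefault(line.split(None, 1)[1], set())
        elif TOP_LEVEL.match(line):
            current = None                      # left interface context
        elif current is not None:
            current.add(line)
    return sections

def audit_peers(cfg_a, cfg_b):
    """Return (SVIs with an IP on one peer only, {iface: (only_a, only_b)})."""
    a, b = parse_interfaces(cfg_a), parse_interfaces(cfg_b)
    skip = ("description", "ip address")        # expected to differ per peer
    svi_gaps, drift = [], {}
    for name in sorted(a.keys() & b.keys()):
        ip_a = any(c.startswith("ip address ") for c in a[name])
        ip_b = any(c.startswith("ip address ") for c in b[name])
        if name.startswith("Vlan") and ip_a != ip_b:
            svi_gaps.append(name)
        only_a = sorted(c for c in a[name] - b[name] if not c.startswith(skip))
        only_b = sorted(c for c in b[name] - a[name] if not c.startswith(skip))
        if only_a or only_b:
            drift[name] = (only_a, only_b)
    return svi_gaps, drift

# Constructed excerpts of the two configs posted above (";" stands for a newline).
N5K1 = ("interface Vlan801;description IP DEV;no shutdown;no ip redirects;"
        "interface Vlan1000;no shutdown;no ip redirects;ip address 192.168.22.5/30;"
        "interface Ethernet1/1;no cdp enable;switchport mode trunk;"
        "spanning-tree port type network;spanning-tree bpdufilter enable;"
        "channel-group 1000 mode active;router ospf 1;router-id 202.168.72.140"
        ).replace(";", "\n")
N5K2 = ("interface Vlan801;no shutdown;ip address 202.168.72.1/29;"
        "interface Vlan1000;description VPC-N5K;no shutdown;no ip redirects;"
        "ip address 192.168.22.6/30;interface Ethernet1/1;switchport mode trunk;"
        "spanning-tree port type network;channel-group 1000 mode active;"
        "router ospf 1;router-id 202.168.72.141").replace(";", "\n")

if __name__ == "__main__":
    print(audit_peers(N5K1, N5K2))
```

On these excerpts it flags Vlan801 as an SVI addressed on N5K2 only, and shows that `no cdp enable` and `spanning-tree bpdufilter enable` exist on N5K1's Ethernet1/1 but not on its peer.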