
Inter-Vlan Routing in vPC topology

Hi all, 

I am just playing around with two Nexus switches and testing some features. I configured vPC between the two switches and also did a member port to a Catalyst switch. Everything works fine. I decided to do inter-VLAN routing.

I connected a Catalyst switch to the two Nexus switches, did vPC with it and made it a trunk port.
Everything is fine.
I created VLANs 10 and 20 on the three switches.

On N9K1: SVI for int Vl 10 = 10.234.100.1
         SVI for int Vl 20 = 10.234.200.1

On N9K2: SVI for int Vl 10 = 10.234.100.2
         SVI for int Vl 20 = 10.234.200.2


I created two access ports on the Catalyst switch, one in VLAN 10 and the other in VLAN 20.
I plugged in two systems and want to test inter vlan routing.

PC1: 10.234.100.4
     GW: 10.234.100.1

PC2: 10.234.200.4
     GW: 10.234.200.1

To my greatest surprise, they can't ping each other.

After so much trying to figure out what was wrong

I changed PC2 GW to 10.234.200.2

and ping started going.


PLS WHAT EXACTLY IS HAPPENING. IS THERE A KNOWLEDGE GAP AS REGARD NEXUS I AM MISSING.

PLS HELP!!! 


thanks

5 Replies

Hello ,

 

Are you able to ping 10.234.200.1 while it was not working? 

Also, are you allowing these VLANs on the peer-link?

 

Thanks,

Madhu

On the PC with this IP addressing 10.234.200.4 & gw of 10.234.200.1, I can ping all the SVIs, but on the PC with this IP addressing 10.234.100.4 & gw of 10.234.100.1 I can't ping only 10.234.200.2. I can ping all other SVIs.

I agree with Steve.

+5

Madhu

Steve Fuller
Level 9

Hi,

This is possibly due to the loop avoidance mechanism built into vPC. Essentially a Nexus device running vPC will not forward traffic on a vPC member port if the traffic has crossed the peer link.

When the traffic is sent from the PC attached to the Catalyst switch, that switch will make a hashing decision at Layer-2 to decide which physical link of the port-channel to use. If the traffic destined to the IP address 10.234.100.1 takes the physical path to N9K2, it will then have to cross the peer-link to get to N9K1. That's OK, but consider the return traffic.

The MAC address table on N9K1 knows the MAC for the PC via the peer-link and will forward the return traffic on that link. Now, based on the loop avoidance mechanism i.e., a switch will not forward traffic on any vPC member port if that traffic has crossed the peer-link, N9K2 will drop the return traffic.

You may also be able to solve the problem by adding the peer-gateway command within the vpc domain <domain-id> context. For example:

!
vpc domain 1
  [..]
  peer-gateway
  [..]
!

This command allows a switch to route traffic destined to the MAC address of the peer i.e., N9K1 can route traffic destined to the MAC address of N9K2. This is actually considered a best practice anyway for vPC.

In reality you probably wouldn't have this configuration, but instead use a First Hop Router Protocol such as HSRP which would be your default gateway IP. In a vPC environment both routers are active from a data plane perspective and so you'd avoid this issue. The use of HSRP with vPC is explained in the HSRP/VRRP active/active with vPC section on page 78 of the Design and Configuration Guide: Best Practices for Virtual Port Channels (vPC) on Cisco Nexus 7000 Series Switches.

The above design guide is a good source of information, but a long read. If you're new to vPC then an excellent starting point is the Quick Start :: Virtual Port Channel (vPC) guide. This shows typical configurations, but also has a number of recommendations and best practices documented.

Regards
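
The loop-avoidance rule and the effect of peer-gateway described in the reply above, as an added example that is not part of the original thread and is not Cisco code. It is a simplified model of one routed packet from a PC behind the vPC-attached Catalyst; the function names are hypothetical, the port-channel hash result is an explicit input, and the drop is modelled at the vPC member port of the peer that received the frame over the peer-link.

```python
# Added example: simplified model of vPC loop avoidance, not Cisco code.
from itertools import product

PEERS = ("N9K1", "N9K2")

def forward(ingress, gateway_owner, peer_gateway=False):
    """Trace one routed packet from a PC behind the vPC-attached Catalyst.

    ingress       -- peer the Catalyst's port-channel hash picked
    gateway_owner -- peer whose SVI MAC is the frame's destination
    peer_gateway  -- whether 'peer-gateway' is set in the vpc domain
    Returns (delivered, path) where path lists the hops taken.
    """
    if ingress not in PEERS or gateway_owner not in PEERS:
        raise ValueError("unknown vPC peer")
    path = [f"Catalyst->{ingress}"]
    crossed_peer_link = False
    router = ingress
    # The ingress peer routes the frame itself when it owns the destination
    # MAC, or when peer-gateway lets it answer for the peer's MAC.
    if gateway_owner != ingress and not peer_gateway:
        router = gateway_owner
        crossed_peer_link = True
        path.append(f"{ingress}->peer-link->{router}")
    path.append(f"{router} routes to destination VLAN")
    # The destination PC sits behind the Catalyst, reachable only through a
    # vPC member port. Loop avoidance blocks that egress for any traffic that
    # arrived over the peer-link.
    if crossed_peer_link:
        path.append(f"{router} drops: egress is a vPC member port")
        return False, path
    path.append(f"{router}->Catalyst")
    return True, path

def dropped_cases(peer_gateway):
    """All (ingress, gateway_owner) pairs that fail for a given setting."""
    return [(i, g) for i, g in product(PEERS, PEERS)
            if not forward(i, g, peer_gateway)[0]]

if __name__ == "__main__":
    for pg in (False, True):
        print(f"peer-gateway={pg}: dropped {dropped_cases(pg)}")
    for hop in forward("N9K2", "N9K1")[1]:
        print("  ", hop)
```

Without peer-gateway, delivery depends on whether the hash happens to land on the peer that owns the gateway MAC, which is why changing a PC's gateway address can appear to fix the problem.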

Thanks for your response, quite elaborate. Pls can you help with a best practice config to achieve this setup. If you don't mind I can share the complete topology of the project. Thanks