02-25-2020 06:23 AM - edited 02-25-2020 06:52 AM
Hi everyone,
I have a pair of N9300 with the latest NX-OS software.
The following is the topology I'm looking to install:
Topology:
Caveats:
My predicament is as follows:
Traffic from the core into this topology would travel from the active VRRP leg down to the connected N9300, and then directly to one of the legs of the hypervisor. However, the return route would likely go through either of the N9300s since it's based on hash. That could mean that the return traffic would have to cross between the grey links to reach the active router.
Is this architecture supported? Would I need to configure anything distinct for this vPC domain to support the topology?
Thanks for your time!
03-06-2020 03:11 PM
Hello Nadav,
Well, let's start going through the vPC domain design first:
1. The grey links between the two N9300s are for vPC keepalives and peer-link. I'm assuming these will be in the same port-channel of their own. If it is necessary to physically separate the PKA and PL, I'd appreciate it if you could explain why.
Building a vPC Domain: Guidelines and Restrictions
To build a vPC domain, use the following configuration guidelines:
● You must enable feature vPC (conf t; feature vpc) before you can start configuring a vPC domain.
● You must configure peer-keepalive link before peer-link in order for vPC system to come up.
● You must configure both vPC peer devices; the configuration is not sent from one device to the other.
You need to configure a separate interface for vPC peer keepalive; below are some recommendations:
Recommendations for vPC Peer-Keepalive Link Configuration
vPC peer-keepalive link is a Layer 3 link that joins one vPC peer device to the other vPC peer device,
Alright, having said that, the design layout is still valid but not the most ideal, due to all the possible issues that could come up that you just told us about in the first post. The recommendation is to play with the load balancing protocols, so that the traffic is balanced more properly, and use the first link of the vPC as well. I know IP hash will use it, but sometimes it does not balance that properly, so you could play with round robin, because usually you don't want to use the peer link to carry that traffic. Below is some info:
Additionally, you could bring the config of the routers to a VRF on the N9K itself (depending on the model, version and license) (have the gateways on the N9K). You could do that and configure HSRP, and have peer-gateway on the vPC, having both N9Ks as active and saving yourself the cables and the way you have it properly load balanced.
Keep us posted, please rate all helpful posts, and select the answer as validated if this answered your question,
David Castro,
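The guidelines quoted in the reply above (enable the feature, dedicated Layer 3 peer-keepalive configured before the peer-link, both peers configured by hand), laid out as an added NX-OS configuration sketch that is not part of the original posts or of Cisco's guide. Interface numbers, IP addresses, the VRF name, the domain ID and the use of LACP toward the host are all assumptions.

```cisco
! Constructed example for vPC peer A. Peer B needs the same configuration
! entered by hand, with the keepalive source and destination swapped.
feature vpc
feature lacp

! Dedicated Layer 3 peer-keepalive interface in its own VRF (assumed name),
! kept physically separate from the peer-link.
vrf context vpc-keepalive
interface Ethernet1/48
  description vPC peer-keepalive to peer B
  no switchport
  vrf member vpc-keepalive
  ip address 192.0.2.1/30
  no shutdown

! Peer-keepalive goes into the domain before the peer-link is defined.
! peer-gateway is the option mentioned in the reply for the case where
! the gateways live on the N9Ks.
vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf vpc-keepalive
  peer-gateway

! Peer-link: its own port-channel, carrying the vPC VLANs as a trunk.
interface Ethernet1/49-50
  description vPC peer-link member
  switchport
  switchport mode trunk
  channel-group 1 mode active
  no shutdown
interface port-channel1
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! vPC member port-channel toward one hypervisor leg. The vpc number must
! match on both peers. "mode active" assumes LACP on the host side; a
! static IP-hash team on the host would need a static channel instead.
interface Ethernet1/1
  switchport
  switchport mode trunk
  channel-group 20 mode active
  no shutdown
interface port-channel20
  switchport
  switchport mode trunk
  vpc 20
```

After both peers are configured, `show vpc peer-keepalive` and `show vpc brief` report whether the keepalive is alive and the peer-link and member vPCs are up.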
03-06-2020 03:15 PM
Forgot to mention, please use this PDF for best practices when designing and creating the vPC:
David Castro,