Hi everyone,
I have a pair of N9300 with the latest NX-OS software.
The following is the topology I'm looking to install:
Topology:
- The green links are two vPCs which connect the two N9300 switches to different VM Hypervisors.
- The grey links between the two N9300's are for vPC keepalives and peer-link. I'm assuming these will be in the same port-channel of their own. If it is necessary to physically separate the PKA and PL, I'd appreciate it if you could explain why.
- The blue uplinks connect to a pair of routers who are configured for VRRP. This means that only one uplink is active at any one time. Notice that each N9300 is connected to a different router.
- The hypervisors fully support etherchannels.
Caveats:
- No additional uplinks can be installed, that means we can't connect the other N9300 to each router.
- These routers are dumb, assume all they do is provide a default gateway and VRRP for each VLAN.
- I can't use a track to check which router is active at the moment since this is a particular box which responds to all keepalives but can only forward traffic from the active.
- The port-channels are in the "on" state, meaning no negotiation is performed.
My predicament is as follows:
Traffic from the core into this topology would travel from the active VRRP leg down to the connected N9300, and then directly to one of the legs of the hypervisor. However, the return route would likely go through either of the N9300's since it's based on hash. That could mean that the return traffic would have to cross between the grey links to reach the active router.
Is this architecture supported? Would I need to configure anything distinct for this vPC domain to support the topology?
Thanks for your time!
Hello Nadav,
Well lets start going through the vPC domain design first:
1. The grey links between the two N9300's are for vPC keepalives and peer-link. I'm assuming these will be in the same port-channel of their own. If it is necessary to physically separate the PKA and PL, I'd appreciate it if you could explain why.
Building a vPC Domain: Guidelines and Restrictions
To build a vPC domain, use the following configuration guidelines:
● You must enable feature vPC (conf t; feature vpc) before you can start configuring a vPC domain.
● You must configure peer-keepalive link before peer-link in order for vPC system to come up.
● You must configure both vPC peer devices; the configuration is not sent from one device to the other.
You need to configure a separate interface for vPC peer keepalive, below some recommendation:
Recommendations for vPC Peer-Keepalive Link Configuration
vPC peer-keepalive link is a Layer 3 link that joins one vPC peer device to the other vPC peer device,
Alright having that said, the design layout is still valid but not the most ideal due to all the possible issues that could come up that you just told us on the first post. The recommendation is to play with the load balancing protocols, so that the traffic is balanced more properly and use the first link of the vPC as well, I know IP hash will use it but some times it does not balance that properly, so you could play with round robin because usually you dont want to use the peer link to carry that traffic, below some info
Additionally you could bring the config of the routers to a VRF on the N9K itself(depending on the model, version and license) (have the gateways on the n9k)you could do that and configure HSRP, and have peer-gateway on the vPC having both n9ks as active and saving yourself the cables and the way you have it properly load balanced.
Keep us posted, please rate all helpful posts, and select the answer as validated if this answered your question,
David Castro,
