I just installed two NEXUS 5506UP switches connected with a vPC link that consists of two 10 Gigabit links. I configured HSRP on both NX5Ks to manage redundant routing for the local VLANs.
Both NX5Ks are connected to a firewall via two Etherchannel links in L3 mode over P2P links.
I configured OSPF for the networking segment of the Datacenter servers (2x NX5K and FEXs) toward the back of the DC firewall.
The DC firewall sees the Datacenter NX5K segment via two links through the NX5Ks with equal cost.
On each FEX I set up multiple VLANs that go to the L3 active role or the HSRP standby level.
Spanning Tree is configured in rpvst+ mode.
The problem I have is at the level of routing traffic from the FEX through the NX5K to the DC firewall.
When connecting the two links via FEX in dual-homed mode via vPC, traffic is switched on only one link. When I remove the redundant link, the traffic stops.
The status of the vPC between FEX and NX5K is up and success.
The FEX link blocking traffic is logged on the NX5K that is in standby mode with respect to HSRP.
This problem occurs even when swapping the HSRP roles, i.e. the traffic that must cross the HSRP standby NX5K always crashes.
This problem is the same with conventional switches connected to both NX5Ks via Etherchannel.
Please, do you have any idea about this issue?
The NX5Ks run the 5.1.21 release.
I have been searching through all the documentation available on the Cisco website and other forums, and I have seen that:
The only case where we can provide fully redundant dynamic routing (OSPF) between the two NX5Ks and the DC firewall is to use, in addition to the two L3 links between each NX5K and the FW, another L3 link between the two NX5Ks in the same OSPF area. In this case I can have fully redundant L3 dynamic routing from the Datacenter unified fabric (NX5K/FEX) to the front DC firewall.
I have tried to form this adjacency with just an L3 SVI on one VLAN trunked over the vPC peer link, but I have not gotten this adjacency, even though this VLAN is forwarded by STP on the peer link and the SVIs can ping each other.
Attached: the configuration of NX5K_A and NX5B, and the topology.
N.B.: One vPC peer link port is seen as down because I have disconnected this link for other usage.
The FW cluster is configured as a virtual chassis so that we can make a MEC.
What are your comments?
It seems you are facing a split-brain situation in your vPC topology; make sure the vPC works well before trying to create an adjacency with your firewall.
Make sure the OSPF areas created there are connected to area 0.
The vPC keepalive link must be active and pinging the peer at all times before you try to start the peer link and the vPC member ports.
When you use an FHRP together with a vPC topology, the concept of active/standby doesn't exist, because both routers change their behavior to active/active and both reply as the gateway.
The issue with your initial design is that it is not a supported design,
because the problem happens when the firewalls start peering OSPF over the vPC peer link, which is not going to work and is not supported.
You have 2 options here:
add an L3 link between the vPC peer devices for OSPF routing, and do not peer OSPF over the vPC peer link;
add a VLAN/SVI for OSPF routing on both N5Ks and exclude this VLAN from passing over the vPC peer link,
or you can use this specific VLAN for L3 routing over the vPC peer link, but it must be excluded from being a vPC VLAN (not assigned to any vPC member port).
You cannot multihome the firewalls in the way you did if the links are L3; this can work only if it is L3 LACP and you are using static routes in the firewalls.
Hope this helps.
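As an added illustration of the first option in the answer above (a dedicated L3 link between the two N5Ks for OSPF, with the vPC peer link kept as a pure L2 trunk), here is an NX-OS configuration sketch. It is not from the thread or from the attachments; hostnames NX5K_A / NX5K_B, interface Ethernet1/31, port-channel1 as the peer link, OSPF process 1 in area 0.0.0.0, the 10.0.0.0/30 and 10.0.99.0/30 subnets, router IDs 10.255.255.1/.2 and VLAN 99 are all assumed values chosen for the example. The last section sketches the third option (an SVI in a VLAN that crosses the peer link but is on no vPC member port) so the two can be compared.

```cisco
! Added example, not the poster's configuration. All names, interfaces and
! addresses are assumptions. OSPF on an N5K requires the Layer-3 module/license.

!--- NX5K_A ---
feature ospf
feature interface-vlan
feature hsrp
feature vpc
feature lacp

router ospf 1
  router-id 10.255.255.1
  log-adjacency-changes

! vPC peer-link stays an L2 trunk only: no OSPF adjacency is formed across it
interface port-channel1
  description vPC peer-link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! Option 1: dedicated routed point-to-point link to NX5K_B
interface Ethernet1/31
  description L3 OSPF link to NX5K_B
  no switchport
  ip address 10.0.0.1/30
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0
  no shutdown

!--- NX5K_B ---
router ospf 1
  router-id 10.255.255.2
  log-adjacency-changes

interface Ethernet1/31
  description L3 OSPF link to NX5K_A
  no switchport
  ip address 10.0.0.2/30
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0
  no shutdown

!--- Option 3 alternative (on both switches, .1 on A and .2 on B) ---
! VLAN 99 is allowed on the peer-link but must NOT be allowed on any vPC
! member port-channel (remove it with 'switchport trunk allowed vlan remove 99'
! on every port-channel carrying a 'vpc <n>' statement).
vlan 99
  name OSPF-peering
interface Vlan99
  description OSPF peering VLAN, non-vPC
  ip address 10.0.99.1/30
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0
  no shutdown

!--- verification on either switch ---
show vpc
show vpc consistency-parameters global
show ip ospf neighbors
show ip route ospf-1
```

With either variant, confirm first that `show vpc` reports the peer-keepalive and peer-link as up and the FEX/host vPCs as consistent, then check that `show ip ospf neighbors` shows the other N5K in FULL state on the new link and that `show ip route ospf-1` lists the firewall's routes with both N5Ks as next hops, so that a path through the HSRP standby switch is usable. Pick one of the two variants, not both, so there is a single well-defined OSPF adjacency between the pair.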