Hello Richard,

many thanks for your reply and help. Sorry that my confusion is still not cleared.

Scenario 1 Q1: Even though we have 2 switches as the same to the rest of the network when peer-link down, I still do not see any layer 2 loop here?

Scenario 1 Q2: I think Orphan port is also a vPC member port as vPC VLAN is carried on it. So Orphan ports will also be shutdown upon the failure of peer-link, Am I right?

Scenario 1 Q4: please also outline the specific damages when split-brain scenario is activated. so far, I do not see any as well as any layer 2 loops from STP perspective.

Thanks in advance.

to add to the nice answer from Richard 5+

when the vPC peer-link is down then both vPC peers will not be seen or acting a one virtual switch to the downstream switch and this will revert back to traditional STP and may cause a potential loop as well as the downstream switch is multi homed and this will end up to L2 loops

by deactivating the secondary vPC member/access ports you get around this loop issue

orphan ports designed for this situation where they can be excluded from being shutdown in case of vPC peerlink failure 

Hello marwanshawi,

Thanks for your input.

Why Orphan port can still work when peer-live fails? cisco book says all vPC member ports on secondary switch will be shutdown. Does Orphan port belongs to vPC member port ?

When peer-link fails, I still do not see the layer 2 loop? I do not believe that layer 2 frames that originat from downstream switch will go to vPC secondary swtich, then to vPC primary switch through keepalive link, and finally back to its origin from primary switch. Keepalive link only carries heartbeats, not MAC frames. Please clarify how the layer 2 loop is formed ?

Thanks in advance.

Put it this way regardless there will ne a loop or not the L2 will be malfunctioning

From the downstream switch you have a port channel multi homed to one virtual switch with vPC

When the peer-link down the down stream switch will see one port channel link connected to two switches which is not supported !

Hope this helps

To marwanshawi,

one port-channel multi-homed to 2 vPC peer devices is supported when peer-link is online, but not supported when peer-link goes down, What are the underlying causes for this difference please ?

To Rechard,

Sorry that, from your posted pic, I still do not discover any loops. Can you please further point out the loop path in the form of a frame sending out and coming back to its origin?

Thanks in advance.

Tian,

normally if you have one switch and pair of switch upstream ( using traditional STP ) you can not create a port channel of 2x links and more in the downstream switch and multi home it to those two switches you need to virtualize to get working e.g. vss, vPC

in case of vPC peer-link down all the vPC control messages that Handel virtualizes the two switches to area as one switch to the downstream switch will be broken and the down stream switch will see both switches as 2 no 1 which will lead abnormal behavior one of them could be a loop

hope this help

I agree with Tian, if peer-link is down, there is physically no loop. But the issue is the downstream switch will receive 2 spanning-tree hello packets instead of one, and by the protocol, the switch will think there is something wrong and err-disable both the ports in port-channel. 

peer-link makes the 2 upstream switches as one so only one hello packet sent to the downstream switch. 

Maybe you can disable spanning-tree to get around this, but it's not recommended even you use vPC. 

Another major issue is usually you need HSRP on the upstream switches. if they become active-active, the destination will receive duplicated packets. 

Considering these, Cisco won't let them happen, so shuting down all ports on the secondary switch when peer-link down is required.

If the vPC keepalive link fails first and then a peer link fails, vPC primary switch continues to be primary but the vPC secondary switch becomes the operational primary switch and keeps its vPC member ports up (this is also known as dual active scenario). This can occur when both the vPC switches are healthy but, the failure is occurred because of a connectivity issue between the switches. This situation is known as a split-brain scenario. There is no loss of traffic for existing flows but new flows can be effected as the peer link is not available, the two vPC switches cannot synchronize the unicast MAC address and the IGMP groups and therefore they cannot maintain the complete unicast and multicast forwarding table and there may be some duplicate packet forwarding.

HTH

-Vinod

Hello Marwanshawi,

Sorry that my last confusion about the l2 loop is still not cleared.

1. When peer-link is down, secondary peer switch will shut down all its vPC member port to avoid potential L2 loop. I would link to see an spicific example which demonstrate how l2 loop is formed as I still do not believe the loop can happen.

2. Regarding to Split-Brain scenario, we need to make every effort to avoid it because it can possibly cause l2 loop. Again My problem is that I do not see that possibility and want an exact example showing how l2 loop is formed.

Thanks