04-26-2016 12:21 AM - edited 03-08-2019 05:29 AM
Hello,
I have an older Catalyst 2960G switch which I would like to connect redundantly to my two upstream Nexus 5672UP switches. For that purpose I would like to connect Gi0/47 of the catalyst to Eth1/33 of the first Nexus 5672UP and Gi0/48 of the catalyst to Eth1/33 of the second Nexus 5672UP switch. The two Nexus 5672UP upstream switches are already configured to form a VPC domain.
The reason why I am asking here is that I could not find any recommendations on how to achieve this, nor could I find any sample configurations...
Thank you in advance for your help.
Best regards
John
04-26-2016 12:54 AM
Hi
If I read that right, all you need to do is, on the Nexus side (both of them), create a standard vPC, and on the 2960 just create a normal IOS port-channel. That's it. Obviously the 2960 can't support vPC, so that goes on the NK side only.
This is 7k links but same concept in terms of configuration
http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-and-configuration-guides-list.html
interface Port-channel1
 switchport mode trunk
interface G0/1
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
!
interface G0/2
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
5KA
interface port-channel100
 description Link to 2960
 switchport mode trunk
 vpc 100
 speed 10000
interface Ethernet2/5
 description link to 2960
 switchport mode trunk
 channel-group 100 mode active
5KB
interface port-channel100
 description Link to 2960
 switchport mode trunk
 vpc 100
 speed 10000
interface Ethernet2/5
 description link to 2960
 switchport mode trunk
 channel-group 100 mode active
04-26-2016 01:27 AM
Hi,
Thanks for the sample configuration. Now I was wondering why are you setting the switchport mode to trunk on both sides? Is this required?
Basically my Catalyst 2960G switch will only be serving one VLAN so I use "switchport access vlan 20" on Po1 and "switchport mode access" on Gi0/47 and Gi0/48. Then on the Nexus 5672UP side I also use "switchport mode access" and have "spanning-tree port type normal" defined.
Regards,
J.
04-26-2016 01:32 AM
No, that's not a requirement. It's just that usually you would have more than 1 VLAN, but it's not a requirement to have the vPC working.
Don't use spanning tree type normal; that's bridge assurance. The 2960 can't support that, so it won't form with the 5Ks if you do that. You can only use that when both sides support it, hence why I left it out. It's a Nexus-to-Nexus command. I haven't come across an IOS device that supports that yet; I'm sure there are some, but I'm nearly certain 29s can't use it.
04-26-2016 02:01 AM
Based on the documentation [1], "spanning-tree porttype normal" is the default, and as such, if I omit it, it should not make any difference. In that same documentation I read that bridge assurance is only enabled on porttype network.
The configuration I am actually using is in the chapter "Sample Configuration 1: Access port between core switches and access switch" of this article [2]. The problem is that as soon as I plug in the second port Gi0/48 I get MAC address flapping error messages, and after a few seconds the network becomes unstable.
[1] http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/SpanningEnhanced.html
[2] http://www.dslreports.com/faq/17830
04-26-2016 03:46 AM
You're right, sorry. When I looked at that I just saw network, not normal, my bad. The configuration above should work. Can you post the relevant config of what you have in place from each device, and the vPC config as well (the domain section)?
04-26-2016 04:26 AM
04-26-2016 05:10 AM
Just for best practice, there are a couple of things missing on the domain config that I would definitely add if you don't have 7k switches there doing this, like the peer-gateway and peer-switch commands, as that could be causing the issue when you connect the second link. Did you get any logs when it happened?
Example
vpc domain 100
 ! STP Root L2 for VPC domain
 peer-switch
 role priority 200
 system-priority 150
 peer-keepalive destination 172x.x.x. source x.x.x.x vrf heartbeat
 ! For VPC forwarding L2
 peer-gateway
 ip arp synchronize
As well, as the 2960 is a layer 2 switch and trunked up, I would not have an SVI for VLAN 20 on it locally. I would leave the gateway as the VLAN 20 interface on the 5Ks, or at least shut it down until everything is working, as it could be causing issues.
Make the port-channel active in LACP on the Nexus side as well: channel-group 201 mode active
Could you post the show vpc brief as well, please, to see whether everything has formed correctly after that?
04-26-2016 06:15 AM
That's right, I don't have any 7k switches just one single Catalyst 4503 (root bridge for VLAN 20) which is temporarily connected to one of the 5k via a trunk port until we migrate everything to the Nexus platform.
Thank you for the best-practice tips. So, to summarize, I should add the following to the vpc domain on both of my N5Ks:
peer-switch
peer-gateway
ip arp synchronize
system-priority 150
Now will adding any of these commands on both of my N5ks generate any network disruptions?
And do I really need "peer gateway", as I only use my Cisco gear for L2 functionality? L3 routing/firewalling is done on two Linux servers connected to my Cat4503.
The IP addresses I have defined on any Cisco devices on VLAN20 is only for management purposes. If I remove the IP address on my Cat2960 how would I access it and manage it?
I tried earlier to change "channel-group 201" to "channel-group 201 mode active" on both of my N5Ks Eth1/33 ports but then my vPC was down with an error message that there is a mismatch with the channel mode, although the Cat2960G has mode active too, really weird. So I reverted back to "channel-group 201".
I have attached a "show vpc brief" from the N5k as it is right now without having changed anything from my initial configuration provided in my previous message.
04-26-2016 07:34 AM
Yes, adding those commands will cause a slight disruption, as one will change the root for STP, so there will be a slight calculation with that. I would do it in a window, but these are recommended commands for vPC in the best practice docs and you will see them on all setups usually, the fact the peer-gateway is
Regarding the show vpc brief, that looks correct. Is the 2nd 5k showing it down currently when you run this command?
Did you try passive instead of active on the NX side, in case it doesn't like being forced and wants to negotiate the LACP?
Usually you would use a separate VLAN for mgmt traffic, as you don't want your prod traffic mixed in, and source syslog, NTP, NetFlow etc. from the VLAN, or where possible use the mgmt port back to a network switch to manage the device and source it in a VRF so it's again isolated from prod traffic. That way, if you get a storm or some kind of loop that takes down prod traffic, ramps up CPU and makes remote access drop off, you can still access the switch over the mgmt port remotely. That's optional though, not essential to get this working.
04-27-2016 03:39 AM
I will plan to add the best-practices vPC domain parameters in a maintenance window. Now you started to answer my question about peer-gateway if it is really necessary in my setup but somehow the rest of your sentence in your first paragraph got cut.
That's correct a show vpc brief on the second 5k would show that specific vPC as down.
As suggested, I have now tried to change the channel-group mode to passive, first on the N5ks with no difference, then I changed this mode also on the C2960G so both sides are passive (N5k and C2960G), again no difference. Then I went on both N5ks again and changed the mode to active and left passive on the C2960G. Bingo, with that specific configuration it finally works! So I have active mode on the N5ks and passive mode on the C2960G.
I honestly do not understand why this specific combination active/passive works but it works and was able to have both links up and running. Do you maybe have any idea why it works only with this combination of modes?
By the way my VLAN20 is my management VLAN but I do not use the mgmt ports of the switches for that purpose. For example my mgmt ports of both N5ks are busy used for the peer keep-alive.
04-27-2016 04:03 AM
Ah, very good, it's up. As for why it took that combination, I would really need to see the debugs of why it's being blocked first, and that may not tell us everything, as there could be a software issue where the 5k has to be the active side. But it should have worked active/active; I have switch blades in a chassis set as active/active, same setup, vPC on the NX side to standard PC on the blade side, no issues.
Main thing is it's up and formed. There is a command you can check to see which side is not sending the LACP packets when the state is not formed; that may indicate which side wasn't working. I'll be able to send it on later when I take a look at one of my 5ks.
04-28-2016 03:02 AM
This is the command you can run on the 5k side to see if there's a problem forming LACP. When we had an issue with one side not forming, we could see who was not sending the LACP packets. Even on active/active, it turned out the server side that day, even though set as active, was not in aggressive LACP mode, so it would not form, but this output showed that even as active it wasn't trying to form with the far side.
N5KA1# sh lacp counters interface port-channel 1
                   LACPDUs         Marker      Marker Response    LACPDUs
Port              Sent   Recv     Sent   Recv     Sent   Recv      Pkts Err
---------------------------------------------------------------------
port-channel1
Ethernet1/45      30475  30474    0      0        0      0         0
Ethernet1/46      30475  30475    0      0        0      0         0
Ethernet1/47      30475  30475    0      0        0      0         0
Ethernet1/48      30475  30475    0      0        0      0         0
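
The check described in the post above (finding which side is not sending LACP packets), as an added example that is not part of the original thread: it parses two captures of the counters output and reports, per member port, the direction in which the LACPDU counters stopped moving. The snapshot text, the port-channel201 / Ethernet1/33 rows and all counter values are constructed for illustration.

```python
import re

# Constructed snapshots in the layout of the `sh lacp counters` output above;
# the port-channel201 / Ethernet1/33 rows and all values are invented.
HEADER = """\
                   LACPDUs         Marker      Marker Response    LACPDUs
Port              Sent   Recv     Sent   Recv     Sent   Recv      Pkts Err
---------------------------------------------------------------------
"""
SNAP_T0 = HEADER + """\
port-channel1
Ethernet1/45      30475  30474    0      0        0      0         0
port-channel201
Ethernet1/33      412    37       0      0        0      0         0
"""
SNAP_T1 = HEADER + """\
port-channel1
Ethernet1/45      30477  30476    0      0        0      0         0
port-channel201
Ethernet1/33      414    37       0      0        0      0         0
"""

ROW = re.compile(r"^(\S+)((?:\s+\d+){7})\s*$")  # port name + 7 counters

def parse_lacp_counters(text):
    """Map member port -> (port-channel, LACPDUs sent, LACPDUs received)."""
    ports, bundle = {}, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"port-channel\d+", line):
            bundle = line
        elif bundle and (m := ROW.match(line)):
            sent, recv = (int(n) for n in m.group(2).split()[:2])
            ports[m.group(1)] = (bundle, sent, recv)
    return ports

def silent_sides(before, after):
    """Compare two snapshots; report the direction in which LACPDUs stopped."""
    findings = []
    for port, (bundle, sent1, recv1) in after.items():
        # Ports absent from the first snapshot have no baseline and are skipped.
        _, sent0, recv0 = before.get(port, (bundle, None, None))
        if sent1 == sent0:
            findings.append((bundle, port, "local side is not sending LACPDUs"))
        if recv1 == recv0:
            findings.append((bundle, port, "no LACPDUs arriving from the partner"))
    return findings

if __name__ == "__main__":
    for finding in silent_sides(parse_lacp_counters(SNAP_T0), parse_lacp_counters(SNAP_T1)):
        print(*finding)
```

The counters are cumulative, so a single capture cannot show a stalled direction; take the two captures more than 30 seconds apart, since LACP at the slow rate sends one LACPDU every 30 seconds.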