John Naggets

Configuration for connecting a Catalyst 2960G to a Nexus 5672UP


I have an older Catalyst 2960G switch which I would like to connect redundantly to my two upstream Nexus 5672UP switches. For that purpose I would like to connect Gi0/47 of the catalyst to Eth1/33 of the first Nexus 5672UP and Gi0/48 of the catalyst to Eth1/33 of the second Nexus 5672UP switch. The two Nexus 5672UP upstream switches are already configured to form a VPC domain.

The reason why I am asking here is because I could not find any recommendations on how to achieve this, neither could I find any sample configurations...

Thank you in advance for your help.

Best regards


Mark Malone


If I read that right, all you need to do is create a standard vPC on the Nexus side, on both of them, and on the 2960 you just create a normal IOS port-channel, that's it. Obviously the 2960 can't support vPC, so that goes on the NK side only.

This is 7k links but same concept in terms of configuration

interface Port-channel1
 switchport mode trunk

interface G0/1
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active
interface G0/2
 switchport mode trunk
 channel-protocol lacp
 channel-group 1 mode active

interface port-channel100
  description Link to 2960
  switchport mode trunk
  vpc 100
  speed 10000

interface Ethernet2/5
  description link to 2960
  switchport mode trunk
  channel-group 100 mode active

interface port-channel100
  description Link to 2960
  switchport mode trunk
  vpc 100
  speed 10000

interface Ethernet2/5
  description link to 2960
  switchport mode trunk
  channel-group 100 mode active


Thanks for the sample configuration. Now I was wondering why are you setting the switchport mode to trunk on both sides? Is this required?

Basically my Catalyst 2960G switch will only be serving one VLAN so I use "switchport access vlan 20" on Po1 and "switchport mode access" on Gi0/47 and Gi0/48. Then on the Nexus 5672UP side I also use "switchport mode access" and have "spanning-tree port type normal" defined.



No, that's not a requirement. It's just that usually you would have more than 1 VLAN, but it's not a requirement to have the vPC working.

Don't use spanning tree type normal, that's bridge assurance. The 2960 can't support that, so it won't form with the 5Ks if you do that. You can only use that when both sides support it, hence why I left it out. It's a Nexus-to-Nexus command. I haven't come across an IOS device that supports that yet. I'm sure there are some, but I'm nearly certain 29s can't use it.

Based on the documentation [1], "spanning-tree porttype normal" is the default, and as such if I omit it, it should not make any difference. In that same documentation I read that bridge assurance is only enabled on porttype network.

The configuration I am actually using is in the chapter "Sample Configuration 1: Access port between core switches and access switch" of this article [2]. The problem is that as soon as I plug in the second port Gi0/48, I get MAC address flapping error messages and after a few seconds the network becomes unstable.



You're right, sorry. When I looked at that I just saw network, not normal, my bad. The configuration above should work. Can you post the relevant config of what you have in place from each device, and the vPC config as well, the domain section?

No problem, to be honest it's quite confusing to me too. I've attached the relevant config parts of all 3 switches. Let me know if you need more info.

Just for best practice, there are a couple of things missing in the domain config that I would definitely add if you don't have 7k switches there doing this, like the peer-gateway and peer-switch commands, as that could be causing the issue when you connect the second link. Did you get any logs when it happened?


vpc domain 100
  ! STP Root L2 for VPC domain
  peer-switch
  role priority 200
  system-priority 150
  peer-keepalive destination 172x.x.x. source x.x.x.x vrf heartbeat
  ! For VPC forwarding L2
  peer-gateway
  ip arp synchronize

As well, as the 2960 is a layer 2 switch and trunked up, I would not have an SVI for VLAN 20 on it locally. I would leave the gateway as the VLAN 20 interface on the 5Ks, or at least shut it down until everything is working, as it could be causing issues.

Make the port-channel active in LACP on the Nexus side as well: channel-group 201 mode active

Could you post the show vpc brief as well, please, to see whether everything has formed correctly after that?

That's right, I don't have any 7k switches just one single Catalyst 4503 (root bridge for VLAN 20) which is temporarily connected to one of the 5k via a trunk port until we migrate everything to the Nexus platform.

Thank you for the best practice tips. So to summarize, I should add the following to the vpc domain on both of my N5Ks:

ip arp synchronize
system-priority 150

Now will adding any of these commands on both of my N5ks generate any network disruptions?

And do I really need "peer-gateway", as I only use my Cisco gear for L2 functionality? L3 routing/firewalling is done on two Linux servers connected to my Cat4503.

The IP addresses I have defined on any Cisco devices on VLAN20 are only for management purposes. If I remove the IP address on my Cat2960, how would I access it and manage it?

I tried earlier to change "channel-group 201" to "channel-group 201 mode active" on both of my N5Ks Eth1/33 ports but then my vPC was down with an error message that there is a mismatch with the channel mode, although the Cat2960G has mode active too, really weird. So I reverted back to "channel-group 201".

I have attached a "show vpc brief" from the N5k as it is right now without having changed anything from my initial configuration provided in my previous message.

Yes, adding those commands will cause a slight disruption, as one will change the root for STP, so there will be a slight calculation with that, so I would do it in a window. But these are recommended commands for vPC in the best practice docs and you will see them on all setups usually. The fact the peer-gateway is

Regarding the show vpc brief, that looks correct. Is the 2nd 5k showing it down currently when you run this command?

Did you try passive instead of active on the NX side, in case it doesn't like being forced and wants to negotiate the LACP?

Usually you would use a separate VLAN for mgmt traffic, as you don't want your prod traffic mixed in, and source syslog, NTP, NetFlow etc. from the VLAN, or where possible use the mgmt port back to a network switch to manage the device and source it in a VRF so it's again isolated from prod traffic. That way, if you get a storm or some kind of loop that takes down prod traffic, ramps up CPU and makes remote access drop off, you can still access the switch over the mgmt port remotely. That's optional though, not essential to get this working.

I will plan to add the best-practices vPC domain parameters in a maintenance window. Now you started to answer my question about peer-gateway if it is really necessary in my setup but somehow the rest of your sentence in your first paragraph got cut.

That's correct, a show vpc brief on the second 5k would show that specific vPC as down.

As suggested, I have now tried to change the channel-group mode to passive, first on the N5ks with no difference, then I changed this mode also on the C2960G so both sides are passive (N5k and C2960G), again no difference. Then I went on both N5ks again and changed the mode to active and left passive on the C2960G. Bingo, with that specific configuration it finally works! So I have active mode on the N5ks and passive mode on the C2960G.

I honestly do not understand why this specific combination active/passive works, but it works and I was able to have both links up and running. Do you maybe have any idea why it works only with this combination of modes?

By the way my VLAN20 is my management VLAN but I do not use the mgmt ports of the switches for that purpose. For example my mgmt ports of both N5ks are busy used for the peer keep-alive.

Ah, very good, it's up. Why it took that combination, we would really need to see the debugs of why it's being blocked first, and that may not tell us everything, as there could be a software issue that the 5k has to be the active side. But it should have worked active/active. I have switch blades in a chassis set as active/active, same setup, vPC on the NX side to a standard port-channel on the blade side, no issues.

Main thing is it's up and formed. There is a command you can check to see which side is not sending the LACP packets when the state is not formed, and that may indicate what side wasn't working. I'll be able to send it on later when I take a look at one of my 5ks.

This is the command you can run on the 5k side to see if there's a problem forming LACP. When we had an issue with one side not forming, we could see who was not sending the LACP packets. Even on active/active, it turned out that day that the server side, even though set as active, was not in aggressive LACP mode, so it would not form, but this output showed that even as active it wasn't trying to form with the far side.

N5KA1# sh lacp counters interface port-channel 1
                    LACPDUs         Marker      Marker Response    LACPDUs
Port              Sent   Recv     Sent   Recv     Sent   Recv      Pkts Err
Ethernet1/45       30475  30474    0      0        0      0        0
Ethernet1/46       30475  30475    0      0        0      0        0
Ethernet1/47       30475  30475    0      0        0      0        0
Ethernet1/48       30475  30475    0      0        0      0        0
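
The check described in the post above, as an added example that is not part of the original thread: it compares two captures of `show lacp counters` and reports, per member port, which side has stopped sending LACPDUs. The function names and both snapshots are constructed for illustration; the snapshots are assumed to be taken more than 30 seconds apart, since LACP at the slow rate sends one LACPDU every 30 seconds.

```python
import re

# Member-port row: port, LACPDUs sent/recv, four marker counters, Pkts Err.
ROW = re.compile(r"^(Ethernet[\d/]+)\s+(\d+)\s+(\d+)(?:\s+\d+){4}\s+(\d+)$")

def parse_lacp_counters(text):
    """Return {port: (sent, recv, err)} from 'show lacp counters' output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return rows

def diagnose(before, after):
    """Compare two snapshots and report, per port, which side is silent."""
    old, new = parse_lacp_counters(before), parse_lacp_counters(after)
    result = {}
    for port, (sent0, recv0, err0) in old.items():
        if port not in new:
            result[port] = "missing from second snapshot"
            continue
        sent1, recv1, err1 = new[port]
        d_sent, d_recv = sent1 - sent0, recv1 - recv0
        if err1 > err0:
            result[port] = "LACPDU errors increasing"
        elif d_sent > 0 and d_recv > 0:
            result[port] = "ok"
        elif d_sent > 0:
            result[port] = "peer silent"          # we send, far side does not
        elif d_recv > 0:
            result[port] = "local side silent"    # far side sends, we do not
        else:
            result[port] = "neither side sending" # e.g. passive on both ends
    return result

HEADER = "Port              Sent   Recv     Sent   Recv     Sent   Recv      Pkts Err\n"
# Constructed snapshots (not taken from the thread).
BEFORE = HEADER + """\
Ethernet1/45       30475  30474    0      0        0      0        0
Ethernet1/46       30475  30475    0      0        0      0        0
Ethernet1/47       30475  30475    0      0        0      0        0
Ethernet1/48       30475  30475    0      0        0      0        0
"""
AFTER = HEADER + """\
Ethernet1/45       30479  30478    0      0        0      0        0
Ethernet1/46       30479  30475    0      0        0      0        0
Ethernet1/47       30475  30479    0      0        0      0        0
Ethernet1/48       30475  30475    0      0        0      0        0
"""
```
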