Solved: Extended L2 with black fiber, vpc and avoinding loops

ANAKIN_TN · ‎04-20-2020

Hello everyone,

Im plannig to deploy a stack of cisco catalyst on my client site, those switches will be connected with 2 black fiber.

i created a vlan fot interconnection the firewall on my datacenter and the firewall on the client side, my questions are:

It's possible de do it over black fiber like on the picture ? if yes how vpc is ok ?

the interconnection vlan can be trunked to the cisco stack or i can create the vlan on on the nexus switches and configure the ports on access mode for connection the catalyst?

How can i avoid spanning tree loops to impact my cisco nexus 5K ?

If a loop happend on the cisco catalyst stack it can impact my nexus ?

can configure it to fail over instead of load balancing ?

Thank you in advance for your help

Sergiu.Daniluk · ‎04-20-2020

No my cisco nexus switch are not the STP root, but how can avoid the nexus to be root and trigger the calculate of the spanning tree table ?

That's ok. If your Nexus switches are not root, do not enable peer-switch. The STP will function normally. Check this article on how the vPC peer switches will function in respect to STP with and without peer-switch: https://www.cisco.com/c/en/us/support/docs/routers/7000-series-routers/116140-config-nexus-peer-00.html

Should i configure those options on the nexus too

I strongly recommend you to enable mac move notification. This will help you in RCAs in case something happens in the network. Regarding storm control.. well. This feature requires some network analysis before enabling it. More specifically you need to know the expected percentage of unicast/broadcast/multicast traffic in your network. If you do not know that, I would not recommend to enable it.

Can you give me please an configuration exemple, suppose that i create the port channel on each 5K switch and then on my 5k-1/port 1 i configure channel group xx mode active, but on my 5k-2/port 1 i dont configure any channel group just a switch port mode trunk with allowed vlans this is an orphan port ? and it will be fail overing ?

Yes. Orphan port means a non-vpc configured interface. Basically, if you do not configure vpc, you will have 2 different interfaces/port-channels between N5K and catalyst stack.

Example with vPC:

N5K1:
interface po10
  switchport mode trunk
  vpc 10

interface e1/1
  channel-group 10

N5K2:
interface po10
  switchport mode trunk
  vpc 10

interface e1/1
  channel-group 10

Non-vpc example

N5K1:
interface e1/1
  switchport mode trunk

N5K2:
interface e1/1
  switchport mode trunk

Note: in non-vpc example, if you configure port-channel, make sure you have different port-channel number on the two N5K switches. But again, there is literally no advantage of having this config. Quite the opposite.

Cheers,

Sergiu

View solution in original post

Sergiu.Daniluk · ‎04-20-2020

Hi,

It's possible de do it over black fiber like on the picture ? if yes how vpc is ok ?

Yes, you can configure vPC over dark fiber. vPC is just a Layer 2 virtualization technology, so it will work normally as it should.

the interconnection vlan can be trunked to the cisco stack or i can create the vlan on on the nexus switches and configure the ports on access mode for connection the catalyst?

Better go with the trunk between the Catalyst and Nexus.

How can i avoid spanning tree loops to impact my cisco nexus 5K ?

vPC has built-in loop prevention mechanisms, so you do not have to worry about this. You can however improve the convergence in the network through the use of vPC peer-switch features (in case your Nexus switch is the STP root).

If a loop happend on the cisco catalyst stack it can impact my nexus ?

If there is a layer2 loop in the network, there are a couple of features which can minimize the impact:

- disable mac learning if mac is flapping on high rate between different ports:

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116200-qanda-nexus5000-00.html

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213906-nexus-9000-mac-move-troubleshooting-and.html

- storm control:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/traffstorm.html

can configure it to fail over instead of load balancing ?

You can leave the ports configured as normal orphan ports, and STP will take care of the loop/fail over, BUT there is NO reason nor advantage to do this. vPC is one of the most mature and stable feature on Nexus switches. You should go for it.

Cheers,

Sergiu

ANAKIN_TN · ‎04-20-2020

Hello msdaniluk,

Im happpy and honored that you reply so fast and effectively to my question thank you man so :

Hi,

It's possible de do it over black fiber like on the picture ? if yes how vpc is ok ?

Yes, you can configure vPC over dark fiber. vPC is just a Layer 2 virtualization technology, so it will work normally as it should.

the interconnection vlan can be trunked to the cisco stack or i can create the vlan on on the nexus switches and configure the ports on access mode for connection the catalyst?

Better go with the trunk between the Catalyst and Nexus.

How can i avoid spanning tree loops to impact my cisco nexus 5K ?

vPC has built-in loop prevention mechanisms, so you do not have to worry about this. You can however improve the convergence in the network through the use of vPC peer-switch features (in case your Nexus switch is the STP root).

No my cisco nexus switch are not the STP root, but how can avoid the nexus to be root and trigger the calculate of the spanning tree table ?

If a loop happend on the cisco catalyst stack it can impact my nexus ?

If there is a layer2 loop in the network, there are a couple of features which can minimize the impact:

- disable mac learning if mac is flapping on high rate between different ports:

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116200-qanda-nexus5000-00.html

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213906-nexus-9000-mac-move-troubleshooting-and.html

- storm control:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/traffstorm.html

Should i configure those options on the nexus too

can configure it to fail over instead of load balancing ?

You can leave the ports configured as normal orphan ports, and STP will take care of the loop/fail over, BUT there is NO reason nor advantage to do this. vPC is one of the most mature and stable feature on Nexus switches. You should go for it.

Can you give me please an configuration exemple, suppose that i create the port channel on each 5K switch and then on my 5k-1/port 1 i configure channel group xx mode active, but on my 5k-2/port 1 i dont configure any channel group just a switch port mode trunk with allowed vlans this is an orphan port ? and it will be fail overing ?

Cheers,

Cheers

Sergiu.Daniluk · ‎04-20-2020

No my cisco nexus switch are not the STP root, but how can avoid the nexus to be root and trigger the calculate of the spanning tree table ?

That's ok. If your Nexus switches are not root, do not enable peer-switch. The STP will function normally. Check this article on how the vPC peer switches will function in respect to STP with and without peer-switch: https://www.cisco.com/c/en/us/support/docs/routers/7000-series-routers/116140-config-nexus-peer-00.html

Should i configure those options on the nexus too

I strongly recommend you to enable mac move notification. This will help you in RCAs in case something happens in the network. Regarding storm control.. well. This feature requires some network analysis before enabling it. More specifically you need to know the expected percentage of unicast/broadcast/multicast traffic in your network. If you do not know that, I would not recommend to enable it.

Can you give me please an configuration exemple, suppose that i create the port channel on each 5K switch and then on my 5k-1/port 1 i configure channel group xx mode active, but on my 5k-2/port 1 i dont configure any channel group just a switch port mode trunk with allowed vlans this is an orphan port ? and it will be fail overing ?

Yes. Orphan port means a non-vpc configured interface. Basically, if you do not configure vpc, you will have 2 different interfaces/port-channels between N5K and catalyst stack.

Example with vPC:

N5K1:
interface po10
  switchport mode trunk
  vpc 10

interface e1/1
  channel-group 10

N5K2:
interface po10
  switchport mode trunk
  vpc 10

interface e1/1
  channel-group 10

Non-vpc example

N5K1:
interface e1/1
  switchport mode trunk

N5K2:
interface e1/1
  switchport mode trunk

Note: in non-vpc example, if you configure port-channel, make sure you have different port-channel number on the two N5K switches. But again, there is literally no advantage of having this config. Quite the opposite.

Cheers,

Sergiu