03-11-2015 08:12 PM - edited 03-07-2019 11:03 PM
Hello Again,
Our new test network consists of two Nexus 6004s and two Nexus 9372s that run vPC between the two. The network VLANs live on the Nexus 6004s and extend down to the 9Ks via vPC links.
On one of our 9K's we have a host in
switchport access vlan 680
Simple, right? :) Well, there is nothing simple about this network. From the Nexus 6004 we can ping the host that sits behind VLAN 680, but when we try to ping from the Nexus 9372 (leaf switch) that is directly connected to the host, we get the following:
NExus9K# ping 172.16.8.199
PING 172.16.8.199 (172.16.8.199): 56 data bytes
ping: sendto 172.16.8.199 64 chars, No route to host
Request 0 timed out
ping: sendto 172.16.8.199 64 chars, No route to host
Request 1 timed out
ping: sendto 172.16.8.199 64 chars, No route to host
Request 2 timed out
ping: sendto 172.16.8.199 64 chars, No route to host
Request 3 timed out
ping: sendto 172.16.8.199 64 chars, No route to host
Request 4 timed out
--- 172.16.8.199 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
This switch is strictly L2.
Here is some config for reference:
Nexus 6004 Primary
vlan 450
name P2P_VRF_SVI_DMZ
vlan 451
name P2P_VRF_SVI_Inside
vlan 600
name DMZ
vlan 652
name Management
vlan 680
name Inside
vrf context DMZ
vrf context Inside
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 99
role priority 1
peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
delay restore 120
interface Vlan1
interface Vlan450
description DMZ P2P to ASA
no shutdown
vrf member DMZ
ip address 172.16.230.1/29
ip router eigrp 100
no ip passive-interface eigrp 100
interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.9/29
ip router eigrp 100
no ip passive-interface eigrp 100
interface Vlan600
description DMZ
no shutdown
vrf member DMZ
ip address 172.16.0.2/22
ip router eigrp 100
hsrp 2
authentication text test1
preempt
priority 250
ip 172.16.0.1
interface Vlan651
interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.2/22
ip router eigrp 100
hsrp 1
authentication text test
preempt
priority 250
ip 172.16.8.1
interface port-channel99
description vPC Etherchannel
switchport mode trunk
switchport trunk allowed vlan 600,680
spanning-tree port type network
vpc peer-link
interface port-channel102
description vPC to Nexus 9372
switchport mode trunk
switchport trunk allowed vlan 600,680
vpc 102
interface Ethernet1/1
description vPC Peer Link 1.1
switchport mode trunk
switchport trunk allowed vlan 600,680
speed auto
channel-group 99 mode active
interface Ethernet1/7
description vPC Peer Link 1.7 to Nexus 9372 PRI
switchport mode trunk
switchport trunk allowed vlan 600,680
speed auto
channel-group 102 mode active
interface Ethernet2/1
description vPC Peer Link 2.1
switchport mode trunk
switchport trunk allowed vlan 600,680
speed auto
channel-group 99 mode active
interface Ethernet2/7
description vPC Peer Link 2.1 to Nexus SEC
switchport mode trunk
switchport trunk allowed vlan 600,680
speed auto
channel-group 102 mode active
interface Ethernet8/1
description keep-alive peer-link to ALNSWI02
no switchport
vrf member peer-keepalive
ip address 10.200.50.1/30
interface Ethernet8/2
description Uplink to ASA
switchport mode trunk
switchport trunk allowed vlan 450-451
interface Ethernet8/9
description EIGRP PORT
switchport mode trunk
switchport trunk allowed vlan 450-451
interface mgmt0
vrf member management
ip address 172.16.52.3/23
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
router eigrp 100
autonomous-system 100
vrf DMZ
autonomous-system 100
router-id 172.16.0.1
default-information originate
vrf Inside
autonomous-system 100
router-id 172.16.230.9
default-information originate
poap transit
---------------------
Primary Leaf Nexus 9372
vlan 1,600,652,680
vlan 600
name DMZ
vlan 652
name Managment
vlan 680
name Inside
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 101
role priority 1
peer-keepalive destination 10.200.50.6 source 10.200.50.5 vrf peer-keepalive
interface Vlan1
interface Vlan652
no shutdown
interface port-channel101
switchport mode trunk
switchport trunk allowed vlan 600,680
spanning-tree port type network
vpc peer-link
interface port-channel102
switchport mode trunk
switchport trunk allowed vlan 600,680
vpc 102
sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 99
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po99 up 600,680
vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
102 Po102 up success success 600,680
interface Ethernet1/16
description HOST <<<<<<<<<<<<<<<<<<<<<<<<<<<< This is the host that we cant reach<<<<<<
switchport access vlan 680
interface Ethernet1/17
description SERVER1
switchport mode trunk
switchport trunk allowed vlan 600,680
interface Ethernet1/46
description keep-alive peer-link to ALNSWI04
no switchport
vrf member peer-keepalive
ip address 10.200.50.5/30
no shutdown
interface Ethernet1/47
description vPC Peer Link 1.47
switchport mode trunk
switchport trunk allowed vlan 600,680
channel-group 101 mode active
interface Ethernet1/48
description vPC Peer Link 2.48
switchport mode trunk
switchport trunk allowed vlan 600,680
channel-group 101 mode active
interface Ethernet1/49
description vPC Link 1.49 to Nexus 6004 PRI
switchport mode trunk
switchport trunk allowed vlan 600,680
channel-group 102 mode active
interface Ethernet1/50
interface Ethernet1/51
interface Ethernet1/52
interface Ethernet1/53
description vPC Link 1.53 to Nexus 6004 SEC
switchport mode trunk
switchport trunk allowed vlan 600,680
channel-group 102 mode active
interface Ethernet1/54
interface mgmt0
vrf member management
ip address 172.16.52.5/23
line console
line vty
boot nxos bootflash:/n9000-dk9.6.1.2.I3.1.bin
sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 101
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po101 up 600,680
vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
102 Po102 up success success 600,680
----------------------------------------------------------------------------------------------------------------
So I am confused about the ping status from the leaf switch when it says "No route to host".
Any help is appreciated
Thank you
03-12-2015 01:03 PM
I am not sure how this helps in troubleshooting since if you create a static route back to n6k to reach hosts which are directly connected behind this switch.
In case of troubleshooting only, identify a free IP address in VLAN 680 and create an SVI locally on the N9K (interface vlan 680) so that it can resolve ARP for the hosts in VLAN 680 and you can ping directly.
HTH
M
03-12-2015 04:13 PM
Creating another SVI is not the point, nor is adding additional routes unless required for completing the flow. It's a layer two switch, so we should leave it at layer two. It had occurred to me that management is dedicated over a VRF (management vrf) whose gateway is the ASA FW. So from this point we know that the ASA can route and get to all subnets required.
I have put it down to an ASA being the point where things stop working.
As I said in my previous post, I don't see any point; there is a disadvantage in using this as a troubleshooting approach. We are better off with the SVIs on the N6K, but this is my own humble opinion.
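Added example, not part of the thread and not any poster's code: a per-VRF longest-prefix lookup over the Layer 3 state in the posted Nexus 9372 config, showing which VRFs on the leaf have any route toward 172.16.8.199. It assumes the posted config lists every addressed interface and that `ping` without a `vrf` keyword sources from the default VRF; the function names are hypothetical.

```python
import ipaddress

# Layer 3 state per VRF on the Nexus 9372, transcribed from the config posted
# in the thread. Assumption: the posted config shows every addressed interface.
N9K_VRFS = {
    "default": {"connected": [], "static": []},  # Vlan1 / Vlan652 carry no IP address
    "management": {
        "connected": ["172.16.52.5/23"],          # mgmt0
        "static": [("0.0.0.0/0", "172.16.52.1")],
    },
    "peer-keepalive": {"connected": ["10.200.50.5/30"], "static": []},  # Eth1/46
}


def build_rib(vrf):
    """Return [(network, next_hop)] for one VRF; next_hop None = directly attached."""
    rib = []
    for addr in vrf["connected"]:
        rib.append((ipaddress.ip_interface(addr).network, None))
    for prefix, nh in vrf["static"]:
        rib.append((ipaddress.ip_network(prefix), nh))
    return rib


def lookup(vrf_name, dst, vrfs=N9K_VRFS):
    """Longest-prefix match for dst inside a single VRF; None means no route."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in build_rib(vrfs[vrf_name]) if dst_ip in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return {"prefix": str(net), "next_hop": nh or "attached"}


def explain(dst):
    """Map each VRF on the leaf to its route toward dst (None = no route)."""
    return {name: lookup(name, dst) for name in N9K_VRFS}


if __name__ == "__main__":
    # Constructed run against the host address from the thread.
    for vrf, result in explain("172.16.8.199").items():
        print(f"{vrf:15s} -> {result or 'No route to host'}")
```

The lookup only models the switch's own routing tables; Layer 2 forwarding in VLAN 680 is independent of it, which matches the 6004 reaching the host through the same leaf.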