Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3254
Views
0
Helpful
6
Replies

Inter VRF connection to the same VPC Switch pair

tommy182
Level 1
Level 1

‎09-27-2018 11:47 AM - edited ‎03-08-2019 04:15 PM

Hello Friends!

Please give me some advice.

Is it possible to implement Transparent Failover cluster(FTD) between two VRFs on the same VPC pair(Nexus 7706)?

In general I need to do inter-VRF routing on the same pair of switches participating in VPC.

I use two VLANs(outside\inside) that connected to Transparent firewall.

I assign SVI in both VLANs to both VPC peers and put this SVI to appropriate VRFs.

Also I bound to each SVI a unique mac address.

It looks like a loop for me, each switch connects to himself(through Firewall BVI) and it looks scary for me.

But in the end all works.

There is no loop as I can see, ping between SVI in different VRFs pass through Firewall.

Maybe I need to do another tweaks for this topology?

There is strange output from spanning tree where not all BPDU sent and received accordingly, and Topology change comment I see

Looks like I missed something...

 

Logical TopologyLogical Topology

 

Physical TopologyPhysical Topology

 

There is output from one VPC member

 

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031 detail
VLAN1031 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1031, address 0023.04ee.beaf
Configured hello time 2, max age 20, forward delay 15
Current root has priority 33798, address 0023.04ee.beaf
Root port is 5126 (port-channel1031), cost of root path is 1
Topology change flag not set, detected flag not set
Number of topology changes 3 last change occurred 1:31:45 ago
from port-channel1031
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15 
Timers: hello 0, topology change 0, notification 0

Port 4096 (port-channel1, vPC Peer-link) of VLAN1031 is designated forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.4096
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 0, address 00de.fb1e.9743
Designated port id is 128.4096, designated path cost 1
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port type is network
Link type is point-to-point by default
BPDU: sent 12294, received 12294

Port 5126 (port-channel1031, vPC) of VLAN1031 is root forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.5126
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 33798, address 0023.04ee.beaf
Designated port id is 128.5126, designated path cost 0, Topology change is set
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
BPDU: sent 4, received 5131

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
 Spanning tree enabled protocol rstp
 Root ID Priority 33798
 Address 0023.04ee.beaf
 Cost 1
 Port 5126 (port-channel1031)
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

 Bridge ID Priority 33799 (priority 32768 sys-id-ext 1031)
 Address 0023.04ee.beaf
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1    Desg FWD 1 128.4096 (vPC peer-link) Network P2p 
Po1031 Root FWD 1 128.5126 (vPC) P2p 




nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030 detail
VLAN1030 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1030, address 0023.04ee.beaf
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 4 last change occurred 1:19:20 ago
from port-channel1031
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15 
Timers: hello 0, topology change 0, notification 0

Port 4096 (port-channel1, vPC Peer-link) of VLAN1030 is designated forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.4096
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 0, address 00de.fb1e.9743
Designated port id is 128.4096, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port type is network
Link type is point-to-point by default
BPDU: sent 10262, received 10263

Port 5126 (port-channel1031, vPC) of VLAN1030 is designated forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.5126
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 33798, address 00de.fb1e.9743
Designated port id is 128.5126, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
BPDU: sent 2382, received 4

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030
VLAN1030
 Spanning tree enabled protocol rstp
 Root ID Priority 33798
 Address 0023.04ee.beaf
 This bridge is the root
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 Bridge ID Priority 33798 (priority 32768 sys-id-ext 1030)
 Address 0023.04ee.beaf
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1    Desg FWD 1 128.4096 (vPC peer-link) Network P2p 
Po1031 Desg FWD 1 128.5126 (vPC) P2p

 

Thanks,

Tom

 

Labels:
0 Helpful
6 Replies 6

Georg Pauwen
VIP
VIP

‎09-27-2018 12:11 PM

Hello,

 

post the output of:

 

show spanning-tree vlan 1030

show spanning-tree vlan 1031

 

from both VPC members. Make sure the STP priority is the same for both VLANs on both VPC members...

0 Helpful

tommy182
Level 1
Level 1
In response to Georg Pauwen

‎09-27-2018 02:02 PM

Hi Georg!

 

I didn`t change any priorities.

Looks like for vlan 1031 there is some "phantom" root from vlan 1030 =), cause root priority 33798 wich derriverd from default priority + vlan id 1030.

Interesting situation when root doesn`t know that he root =)

 

There is outputs

 

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030

VLAN1030
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             This bridge is the root
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33798  (priority 32768 sys-id-ext 1030)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Desg FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Desg FWD 1         128.5126 (vPC) P2p 

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        1
             Port        5126 (port-channel1031)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Desg FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Root FWD 1         128.5126 (vPC) P2p 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1030

VLAN1030
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             This bridge is the root
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33798  (priority 32768 sys-id-ext 1030)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Root FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Desg FWD 1         128.5126 (vPC) P2p 

nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        2
             Port        4096 (port-channel1)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Root FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Root FWD 1         128.5126 (vPC) P2p

 

Thanks,

Tom

0 Helpful

Georg Pauwen
VIP
VIP
In response to tommy182

‎09-27-2018 02:19 PM

Hello,

 

what happens when you manually change the priority on both VPC member switches (this is actually Cisco's recommended best practice):

 

spanning-tree vlan 1030,1031 priority 33798

0 Helpful

tommy182
Level 1
Level 1
In response to Georg Pauwen

‎09-27-2018 02:40 PM

Yep, I was trying it.

 

For some reason bpdu from vlan 1030 (32768+1030=33798 Bridge ID) passes through firewall and landing on the other side(that actually the same switch but in different vlan)

In BPDU from vlan 1030 Bridge priority always lower(preferable) as priority that the same switch have in vlan 1031

32768+1030=33798

32768+1030=33799

 

As result it doesn`t matter wether we will change default priroty for vlans or not this situation will always occurs.

In vlan that have bigger ID(1031 in my case) we found this "phantom" root from different vlan.

nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1031
VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        2
             Port        4096 (port-channel1)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Myabe when we work through firewall we need to somehow block BPDU from passed from one vlan to another..

 

I actually didn't find any good documentation about this case.

Only information about necessity of uniq mac addresses for SVI(but it regards of routing scope)

 

Thaks,

Tom

0 Helpful

Georg Pauwen
VIP
VIP
In response to tommy182

‎09-27-2018 02:54 PM

Odd. I'll look into it some more. Maybe it's a bug...which NX-OS version are you running ?

0 Helpful

tommy182
Level 1
Level 1
In response to Georg Pauwen

‎09-27-2018 03:03 PM

Yep, it looks strange at least)

 

We working on version 8.2(1)

7706 with F3 line card

 

Thanks,

Tom

0 Helpful
Customers Also Viewed These Support Documents