Inter VRF connection to the same VPC Switch pair

tommy182
Level 1

Hello Friends!

Please give me some advice.

Is it possible to implement a Transparent Failover cluster (FTD) between two VRFs on the same vPC pair (Nexus 7706)?

In general I need to do inter-VRF routing on the same pair of switches participating in vPC.

I use two VLANs (outside/inside) that are connected to the transparent firewall.

I assign an SVI in both VLANs on both vPC peers and put each SVI in the appropriate VRF.

Also I bind a unique MAC address to each SVI.

It looks like a loop to me, each switch connects to itself (through the firewall BVI), and it looks scary to me.

But in the end it all works.

There is no loop as far as I can see; pings between the SVIs in different VRFs pass through the firewall.

Maybe I need to do other tweaks for this topology?

There is strange output from spanning tree where not all BPDUs are sent and received accordingly, and I see a topology change comment.

Looks like I missed something...

[Logical Topology]

[Physical Topology]

Here is the output from one vPC member:

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031 detail
VLAN1031 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1031, address 0023.04ee.beaf
Configured hello time 2, max age 20, forward delay 15
Current root has priority 33798, address 0023.04ee.beaf
Root port is 5126 (port-channel1031), cost of root path is 1
Topology change flag not set, detected flag not set
Number of topology changes 3 last change occurred 1:31:45 ago
from port-channel1031
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15 
Timers: hello 0, topology change 0, notification 0

Port 4096 (port-channel1, vPC Peer-link) of VLAN1031 is designated forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.4096
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 0, address 00de.fb1e.9743
Designated port id is 128.4096, designated path cost 1
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port type is network
Link type is point-to-point by default
BPDU: sent 12294, received 12294

Port 5126 (port-channel1031, vPC) of VLAN1031 is root forwarding 
Port path cost 1, Port priority 128, Port Identifier 128.5126
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 33798, address 0023.04ee.beaf
Designated port id is 128.5126, designated path cost 0, Topology change is set
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
BPDU: sent 4, received 5131

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
Spanning tree enabled protocol rstp
Root ID Priority 33798
Address 0023.04ee.beaf
Cost 1
Port 5126 (port-channel1031)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33799 (priority 32768 sys-id-ext 1031)
Address 0023.04ee.beaf
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 1 128.4096 (vPC peer-link) Network P2p
Po1031 Root FWD 1 128.5126 (vPC) P2p

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030 detail
VLAN1030 is executing the rstp compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1030, address 0023.04ee.beaf
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 4 last change occurred 1:19:20 ago
from port-channel1031
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0

Port 4096 (port-channel1, vPC Peer-link) of VLAN1030 is designated forwarding
Port path cost 1, Port priority 128, Port Identifier 128.4096
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 0, address 00de.fb1e.9743
Designated port id is 128.4096, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port type is network
Link type is point-to-point by default
BPDU: sent 10262, received 10263

Port 5126 (port-channel1031, vPC) of VLAN1030 is designated forwarding
Port path cost 1, Port priority 128, Port Identifier 128.5126
Designated root has priority 33798, address 0023.04ee.beaf
Designated bridge has priority 33798, address 00de.fb1e.9743
Designated port id is 128.5126, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
BPDU: sent 2382, received 4

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030
VLAN1030
Spanning tree enabled protocol rstp
Root ID Priority 33798
Address 0023.04ee.beaf
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 33798 (priority 32768 sys-id-ext 1030)
Address 0023.04ee.beaf
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 1 128.4096 (vPC peer-link) Network P2p
Po1031 Desg FWD 1 128.5126 (vPC) P2p

Thanks,

Tom
6 Replies
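As an added check, not part of the original post: a small Python script that parses brief `show spanning-tree vlan` output like the excerpts above and flags any VLAN whose Root ID carries a different extended system ID than the VLAN itself. In per-VLAN spanning tree the 16-bit bridge priority is the configured priority (a multiple of 4096) in the high 4 bits plus the VLAN ID in the low 12 bits, so the low 12 bits of the root priority tell you which VLAN the winning BPDU was generated in. The sample output is constructed from the nx7-1 excerpts above, not captured from a device here.

```python
import re

# Constructed excerpt of "show spanning-tree vlan N" output, modelled on the
# nx7-1 outputs in the post above (not captured from a live device here).
SAMPLE_OUTPUT = """\
VLAN1030
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             This bridge is the root
  Bridge ID  Priority    33798  (priority 32768 sys-id-ext 1030)
             Address     0023.04ee.beaf

VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        1
             Port        5126 (port-channel1031)
  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
"""

VLAN_RE = re.compile(r"^VLAN(\d+)\s*$", re.M)
ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)")
BRIDGE_RE = re.compile(r"Bridge ID\s+Priority\s+(\d+)")


def parse_vlans(text):
    """Split the output into per-VLAN blocks and pull out the root and bridge IDs.
    Returns {vlan: {"root_priority", "root_mac", "bridge_priority"}}."""
    heads = list(VLAN_RE.finditer(text))
    result = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        root = ROOT_RE.search(block)
        bridge = BRIDGE_RE.search(block)
        if not (root and bridge):
            continue  # truncated block; skip rather than guess
        result[int(head.group(1))] = {
            "root_priority": int(root.group(1)),
            "root_mac": root.group(2),
            "bridge_priority": int(bridge.group(1)),
        }
    return result


def root_vlan_of(priority):
    """Extended system ID: the low 12 bits of a bridge priority are the VLAN the
    BPDU was generated in; the high 4 bits are the configured priority."""
    return priority & 0xFFF


def check_phantom_roots(text):
    """Return {vlan: originating VLAN of the root BPDU if it differs, else None}.
    A non-None value means the VLAN elected a root advertised from another VLAN,
    i.e. BPDUs are leaking between VLANs (here: through the transparent firewall)."""
    findings = {}
    for vlan, ids in parse_vlans(text).items():
        origin = root_vlan_of(ids["root_priority"])
        findings[vlan] = origin if origin != vlan else None
    return findings


if __name__ == "__main__":
    for vlan, origin in sorted(check_phantom_roots(SAMPLE_OUTPUT).items()):
        if origin is None:
            print(f"VLAN{vlan}: root BPDU generated in this VLAN (ok)")
        else:
            print(f"VLAN{vlan}: root BPDU generated in VLAN{origin} (phantom root)")
```

Run it against `show spanning-tree vlan <id>` from each peer; on the outputs in this thread it reports VLAN1031's root as generated in VLAN1030 and VLAN1030 as clean.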

Hello,

post the output of:

show spanning-tree vlan 1030

show spanning-tree vlan 1031

from both vPC members. Make sure the STP priority is the same for both VLANs on both vPC members...

Hi Georg!

I didn't change any priorities.

Looks like for VLAN 1031 there is some "phantom" root from VLAN 1030 =), because the root priority 33798 is derived from the default priority + VLAN ID 1030.

Interesting situation when the root doesn't know that it is the root =)

Here are the outputs:

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1030

VLAN1030
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             This bridge is the root
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33798  (priority 32768 sys-id-ext 1030)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Desg FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Desg FWD 1         128.5126 (vPC) P2p 

nx7-1_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        1
             Port        5126 (port-channel1031)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Desg FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Root FWD 1         128.5126 (vPC) P2p 
nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1030

VLAN1030
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             This bridge is the root
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33798  (priority 32768 sys-id-ext 1030)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Root FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Desg FWD 1         128.5126 (vPC) P2p 

nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1031

VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        2
             Port        4096 (port-channel1)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1              Root FWD 1         128.4096 (vPC peer-link) Network P2p 
Po1031           Root FWD 1         128.5126 (vPC) P2p 

Thanks,

Tom

Hello,

what happens when you manually change the priority on both vPC member switches (this is actually Cisco's recommended best practice):

spanning-tree vlan 1030,1031 priority 33798

Yep, I was trying it.

For some reason the BPDU from VLAN 1030 (32768+1030=33798 Bridge ID) passes through the firewall and lands on the other side (which is actually the same switch, but in a different VLAN).

In the BPDU from VLAN 1030 the bridge priority is always lower (preferable) than the priority the same switch has in VLAN 1031:

32768+1030=33798

32768+1031=33799

As a result it doesn't matter whether we change the default priority for the VLANs or not; this situation will always occur.

In the VLAN that has the bigger ID (1031 in my case) we find this "phantom" root from the other VLAN.

nx7-2_DC2-EDGE_CORE# sh spanning-tree vlan 1031
VLAN1031
  Spanning tree enabled protocol rstp
  Root ID    Priority    33798
             Address     0023.04ee.beaf
             Cost        2
             Port        4096 (port-channel1)
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    33799  (priority 32768 sys-id-ext 1031)
             Address     0023.04ee.beaf
             Hello Time  2  sec  Max Age 20 sec  Forward Delay 15 sec

Maybe when we work through a firewall we need to somehow block BPDUs from passing from one VLAN to another..

I actually didn't find any good documentation about this case.

Only information about the necessity of unique MAC addresses for SVIs (but that concerns the routing scope).

Thanks,

Tom
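The election described in the post above, as an added example that is not part of the thread: a Python model of the per-VLAN RSTP root election with the two VLANs bridged by a transparent firewall that forwards BPDUs. Bridge IDs are (effective priority, MAC) tuples where the effective priority is the configured priority plus the VLAN ID, exactly as the "priority 32768 sys-id-ext 1030" lines read; the MAC is the shared vPC bridge address from the outputs. Configured priorities are restricted to multiples of 4096 because that is the only range `spanning-tree vlan ... priority` accepts. The model brute-forces every pair of configured priorities and shows that while the leak exists one of the two VLANs always elects a root BPDU generated in the other, and that dropping the leaked BPDU (the mitigation the post is asking about) is what restores a per-VLAN root. The firewall-side filtering itself is assumed, not modelled.

```python
# Added model, not configuration or output from the thread.
VPC_MAC = "0023.04ee.beaf"          # shared bridge MAC seen on both vPC peers above
VLANS = (1030, 1031)                # outside / inside VLANs bridged by the firewall
PRIORITIES = range(0, 61441, 4096)  # the 16 legal configured bridge priorities


def bridge_id(configured_priority, vlan, mac=VPC_MAC):
    """Bridge ID as a comparable tuple: lower wins. The extended system ID adds the
    VLAN number to the configured priority, so VLAN 1030 at 32768 yields 33798."""
    if configured_priority % 4096:
        raise ValueError("bridge priority must be a multiple of 4096")
    return (configured_priority + vlan, mac)


def elect_root(own_id, received_bpdus):
    """RSTP root election: lowest bridge ID among our own and every BPDU we hear."""
    return min([own_id, *received_bpdus])


def roots_with_leak(p1030, p1031, firewall_blocks_bpdu):
    """Root per VLAN on a switch pair whose two VLANs are bridged by a transparent
    firewall. Unless the firewall drops BPDUs, each VLAN also hears the BPDU the
    same switch generates in the other VLAN."""
    ids = {1030: bridge_id(p1030, 1030), 1031: bridge_id(p1031, 1031)}
    roots = {}
    for vlan in VLANS:
        other = 1031 if vlan == 1030 else 1030
        leaked = [] if firewall_blocks_bpdu else [ids[other]]
        roots[vlan] = elect_root(ids[vlan], leaked)
    return roots


def phantom_root_vlans(p1030, p1031, firewall_blocks_bpdu=False):
    """VLANs whose elected root BPDU was generated in the other VLAN
    (low 12 bits of the root priority differ from the VLAN number)."""
    roots = roots_with_leak(p1030, p1031, firewall_blocks_bpdu)
    return [v for v, (prio, _) in roots.items() if prio & 0xFFF != v]


def no_priority_fixes_leak():
    """Try all 256 configured-priority pairs: with the leak, at least one VLAN always
    ends up with a phantom root, because the two effective priorities differ by
    exactly 1 modulo 4096 and can never tie. Lowering VLAN 1031's priority only
    moves the phantom root into VLAN 1030."""
    return all(phantom_root_vlans(a, b) for a in PRIORITIES for b in PRIORITIES)


if __name__ == "__main__":
    print("default priorities, leak:   ", phantom_root_vlans(32768, 32768))
    print("VLAN1031 lowered, leak:     ", phantom_root_vlans(32768, 28672))
    print("default priorities, no leak:", phantom_root_vlans(32768, 32768, True))
    print("any priority pair avoids it:", not no_priority_fixes_leak())
```

With default priorities the model reproduces the thread's outputs: VLAN1031 elects (33798, 0023.04ee.beaf), which is VLAN1030's bridge ID. Changing priorities only decides which VLAN gets the phantom root; only stopping the BPDU from crossing the firewall gives each VLAN its own root.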

Odd. I'll look into it some more. Maybe it's a bug...which NX-OS version are you running ?

Yep, it looks strange at least)

We are working on version 8.2(1)

7706 with F3 line card

Thanks,

Tom
