Re: Layer2 Symmetric Load-Balancing

elahe · ‎10-19-2025

Hello everyone,

For a scenario like the diagram uploaded, what is the cisco solution to symmetrically load balance traffic between servers and the switches work in active-active HA mode?

I have used nexus 9k switches.
I used vPC but it sends same flows (same ip and port number) to different servers which is not accepted in my scenario. Any guidance is appreciated.

Kind regards

Enes Simnica · ‎10-19-2025

gDay @elahe I can see that the issue is that vPC load-balances flows independently on each Nexus, so a server might get a request from one switch but the reply goes out the other, causing packets to be dropped.

So try these:

vPC Peer-Gateway (best fix) – lets each switch act as the gateway for the other, keeping traffic symmetric.

conf t
vpc domain <id>
 peer-gateway

Policy-Based Routing (PBR) and if needed, force return traffic to the same switch it came from.
Consistent hashing , so u need to tweak vPC load-balance to src-dst IP + L4 port for predictable flows:

port-channel load-balance src-dst-ip-l4port

AND start with peer-gateway cause usually that’s enough...... (at least it is for me 99% of my scenarios....)

hope it helps, and enjoy ur weekend (cause im NOT LOOOOOOOOOOOL)

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

elahe · ‎10-19-2025

Dear Enes,
I used peer-gateway and also port-channel load-balance src-dst ip symmetric or port-channel load-balance src-dst ip-l4port symmetric.
None has solved the issue. Unfortunately I cannot force traffic come and return from the same switch. (it is out of my network. I cannot change their config.)

Enes Simnica · ‎10-19-2025

also @elahe

check these: https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/218333-understand-and-configure-nexus-9000-vpc.html

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

balaji.bandi · ‎10-20-2025

Looking at diagrams PO11 and PO22, which are wrongly configured, I do not believe Linux supports enhanced VPC, which only promotes node-to-node.

So, make separate port-channels, that is my suggestion.

We need to look at the end-to-end configuration of how these are configured. How about the 7206VXR configuration?

How about Linux side configuration for the PO Load-balance mechanism?

This is not only switching sides, but you need to look at various parts of your network to meet the requirement.

For testing (as I suggested, change the PO to Linux), connect your test system directly to Nexus and test and note the outcome before you add the complexity of testing.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

elahe · ‎10-20-2025

The linux servers are just a simple bridge. they are not seen in the network. They do not even change mac address of packets. I only need them to monitor traffic and test my configuration effects.

All the configs can be seen in this link:
https://community.cisco.com/t5/switching/symmetric-load-balancing-in-portchannel/m-p/5228167#M573666