
Mac address Issue: Nexus and 3650 Switch

SajeshB
Level 1

Topology is attached.

I was into one activity where everything was working fine. However, after shutting down the link between the Nexus Primary switch and 3650 Switch1 (connected to the Primary Nexus), I was not able to ping the next-hop IP of the firewall from my Router 1 and 2, and the MAC address for the firewall was incomplete in R1 and R2. I was expecting the MAC address to get learned via R2 ----> Nexus Secondary ----> 3650 Switch2 ---- Firewall.

However after bringing the link up between Primary Nexus and 3650 Switch1 everything is working fine.

The Nexus and the two 3650 switches are not managed by me. The router is under my control.

Just wanted to know where things go wrong: is the vPC on the Nexus switches causing an issue, is it R1 being the active HSRP and R2 the secondary HSRP, or is there some downstream loop?

All the ports on the Nexus and 3650 switches are trunks, and there is no port-channel or vPC towards the downstream devices; the only vPC is between the primary and secondary Nexus switches.

Topology....

R1(Active Hsrp)    R2(Secondary Hsrp)

Nexus Primary ---vpc---Secondary Nexus.

3650 switch1-----link----3650 switch2.

                                          Firewall (connected to switch2)


10 Replies

balaji.bandi
Hall of Fame

What is the outcome if you shut down the link between the 3650 switches? Does that work?

Are the Nexus and 3650 pure Layer 2?

Best practice, my suggestion as below:

[Attachment: best.jpg]

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, it's pure Layer 2. And I don't think the design I shared has any issue, because I don't have any control over the Nexus and 3650 switches below to redesign it, and even if we put in redundant connectivity we would have to consider vPC and other port-channel config, which is not required, and all the interfaces are trunks. Based on the existing diagram, any suggestion where the issue can occur?

Has this design been tested, before going live, for the scenario you mentioned, or are you testing now before going live?

It's like you're asking: switch off the light and guess what is in the room. Other point: you do not have any visibility on the devices and you confirmed all is OK, which does not make any sense here.

If all is good it should work as expected; it was not working, hence this post. Once you investigate or are able to post the outputs we asked for, we can have a look to assist better.

This is some design and config issue in terms of Layer 2, so post the Nexus config and switch config.

What is the outcome? You did not give an output for when you shut down, for testing, the link between the Cisco 3650 switches. Does that work?


BB


No, actually I didn't say to them that the design was right, nor was such a failover scenario carried out. After all the troubleshooting I did with whatever visibility I had on the devices, I said this is some design issue on their infra, because nothing was managed by me and I don't know the connectivity beyond my router either. Just from looking at this topology I was troubleshooting it and trying to fix it while the link was down.

Then it is a demarcation point from your side; whoever manages those devices needs to answer your questions. It was working when both links were up and running, and it fails to work with one of the uplinks in the path down, so is the path resilient for the FW going northbound, or north to south?

BB


I know it's a bit difficult to suggest anything without seeing the Layer 2 protocol config, and to figure out where the issue is just by looking at this topology. As I also don't have any control over it, I just wanted to know what can cause such an issue.

pman
Spotlight

I guess you understand that this topology is not recommended.
The first thing I would check is that the firewall/R1/R2 VLAN was added between Nexus-S and 3650-2.

Right, but I verified that with an engineer who manages this; he said all the VLANs are passing between Nexus P--S and SW1---2. Also, the vPC compatibility parameters were okay, and for the VLAN we were troubleshooting, from Nexus 1 the spanning tree was showing the path to Nexus 2 via Po1, which is the vPC peer link between the Nexus switches.

Reza Sharifi
Hall of Fame

If you have HSRP running between the two routers and you disconnect the cable between the primary Nexus and the 3650, HSRP is not going to fail over from R1 to R2, because as far as R1 knows the physical connection to the primary Nexus is still up and running. In order for R1 to know that the logical path between it and the firewall is down, you have to configure some sort of HSRP tracking.

HTH

Hello,

As Reza mentioned, with an indirect link failure like the one you describe, there most likely is no HSRP failover at all. Try to configure an IP SLA with tracking on R1. Make sure the decrement value is high enough to make R2 the HSRP active router.

! IP SLA 1: ICMP echo to the tracked address (here 10.0.0.1) every 5 seconds
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.1
 frequency 5
ip sla monitor schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of IP SLA 1
track 1 rtr 1 reachability
!
! Lower the HSRP priority by 20 while track 1 is down
interface GigabitEthernet0/0
 standby 1 track 1 decrement 20
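An added example (not from the thread) that models the HSRP election decision Reza and Georg describe, so the "decrement high enough" caveat can be checked: hypothetical routers R1 and R2 with constructed priorities 110 and 100, where an indirect link failure only changes R1's tracked object, never its interface state.

```python
"""Added example (not from the thread): a model of the HSRP failover decision
Reza and Georg describe. Hypothetical R1 (active) and R2 (standby) share one
HSRP group; an indirect link failure leaves R1's own interface up."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class HsrpRouter:
    name: str
    ip: str                   # interface IP, HSRP tie-breaker (higher wins)
    priority: int             # "standby 1 priority N"
    preempt: bool = False     # "standby 1 preempt" (off by default in IOS)
    track_decrement: int = 0  # "standby 1 track 1 decrement N"; 0 = untracked
    track_up: bool = True     # state of the tracked object (IP SLA reachability)

    def effective_priority(self) -> int:
        """Priority after applying the track decrement, floored at 0."""
        if self.track_decrement and not self.track_up:
            return max(self.priority - self.track_decrement, 0)
        return self.priority


def _rank(r: HsrpRouter):
    return (r.effective_priority(), ip_address(r.ip))


def elect_active(current_active: str, routers: list) -> str:
    """Incumbent keeps the role unless a better-ranked router is set to preempt."""
    by_name = {r.name: r for r in routers}
    active = by_name[current_active]
    challenger = max(routers, key=_rank)
    if challenger is not active and challenger.preempt \
            and _rank(challenger) > _rank(active):
        return challenger.name
    return active.name


def simulate_upstream_failure(decrement: int, r2_preempt: bool = True) -> str:
    """Constructed: R1 priority 110, R2 priority 100. R1's IP SLA echo to the
    firewall next hop fails; that is all R1 sees of the upstream link going down."""
    r1 = HsrpRouter("R1", "10.0.0.2", 110, preempt=True, track_decrement=decrement)
    r2 = HsrpRouter("R2", "10.0.0.3", 100, preempt=r2_preempt)
    active = elect_active("R1", [r1, r2])  # steady state: R1 is active
    r1.track_up = False                    # indirect failure: only the probe fails
    return elect_active(active, [r1, r2])
```

With decrement 0 (no tracking) or 5 (too small) R1 stays active; with decrement 20 R2 takes over, but only if R2 is configured to preempt.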