Nexus 5600: Packets to peer SVI are not forwarded over vPC peer link
Packets with the destination IP and MAC address of the SVI on a vPC peer switch are not forwarded over the peer-link when received on the other switch on a Nexus 5600 running NX/OS 7.0(2)N1(1), regardless of the "peer-gateway" setting in the vPC domain.
Since the new 5600 platform only has two NX/OS releases available, 7.0(1)N1(1) and 7.0(2)N1(1), downgrading is not an option.
The setup is two Nexus 5600 switches with layer-3 configuration as a vPC cluster, using two 40G interfaces as the peer-link vPC and peer-keepalive via a dedicated isolated 1G cross-link. There is no out-of-band management network available. Management needs to be in-band.
Uplink to the core network is a Layer-2 (dot1x trunk) vPC with one link per Nexus connected to two ports on a Catalyst core switch that acts as a Layer-2+3 core router/switch. The Catalyst is the gateway and HSRP active router in all VLANs. All VLANs are trunked on the vPC peer link and the virtual port-channel to the Catalyst.
Both Nexus 5600s have a Layer-3 config with SVIs in some of the VLANs.
Problem: SVI addresses of the Nexus are not reachable when the packet is forwarded to the peer Nexus due to port-channel load-balancing (src-dst-ip on the Catalyst).
This can be verified by shutting down one of the uplink vPC ports to force all traffic to one Nexus: all SVI addresses on the Nexus with the active link work, while all addresses on the peer Nexus switch are dropped.
The packets are not forwarded over the peer-link. The "peer-gateway" setting in the vPC domain has no effect on this behaviour!
This bug is quite severe because it makes in-band management of Nexus 5600 series switches impossible.
As a workaround we have connected the mgmt0 ports to the front side, but that is not an acceptable solution (both by design and due to the high port-costs per SFP+ port on the Nexus 5600 and all SVI addresses must be reachable for monitoring).