Yes, this made no sense to me - Page 3

Kemal Zuko · ‎03-10-2015

Hi All,

I will try to explain this as best as I can. In our current TEST LAB we have a Pair of Cisco ASA5585x running in Active/Passive mode. We use a VRF transit to connect the 10 GB interface to a Pair of Cisco Nexus 6004 (L3) switches running vPC between them. Downstream we also have a pair of Cisco 9372 switches (L2) also running vPC between the two.

As of right now we have EIGRP neighbor relationship formed between the two N6K's and the ASA.

ASA

ciscoasa# sh eigrp neighbors
EIGRP-IPv4 neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.230.9 Te0/8.451 12 01:30:25 1 200 0 52
0 172.16.230.10 Te0/8.451 12 01:30:25 1 200 0 48

The ASA formed relationship with both N6K's

SWITCH1

Nexus6-1# sh ip eigrp neighbors vrf inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
Nexus6-1#

SWITCH2

Nexus6-2# sh ip eigrp neighbors vrf Inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
Nexus6-2#

Both Nexus Switches formed EIGRP neighbors using the vPC Peer-Link. There is enough documentation out there that strongly suggest not to use vPC Peer-Links for EIGRP anything.

We do have additional interfaces available on the 6K's that we can use as a cross connect for EIGRP. What we are having trouble understanding how we can force EIGRP traffic over those ports?

Here is a complete Switch config:

Switch1

Nexus6-1# sh run

feature telnet
cfs eth distribute
feature eigrp
feature interface-vlan
feature lacp
feature vpc
feature lldp

vlan 1
vlan 451
name P2P_VRF_SVI
vlan 652
name Management
vlan 680
name Inside
vrf context Inside
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 99
role priority 1
peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
delay restore 120

interface Vlan1

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.9/29
ip router eigrp 100
no ip passive-interface eigrp 100

interface Vlan651

interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.2/22
ip router eigrp 100

interface port-channel99
switchport mode trunk
spanning-tree port type network
vpc peer-link

interface port-channel102
switchport mode trunk
vpc 102

interface Ethernet1/1
description vPC Peer Link 1.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet1/6

interface Ethernet1/7
description vPC Peer Link 1.7 to Nexus 9372 PRI
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet1/8

interface Ethernet1/9

interface Ethernet2/1
description vPC Peer Link 2.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet2/2

interface Ethernet2/7
description vPC Peer Link 2.1 to Nexus SEC
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet2/8

interface Ethernet8/1
description keep-alive peer-link to ALNSWI02
no switchport
vrf member peer-keepalive
ip address 10.200.50.1/30

interface Ethernet8/2
description Uplink to ASA
switchport mode trunk

interface Ethernet8/3

interface mgmt0
vrf member management
ip address 172.16.52.3/23
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
router eigrp 100
passive-interface default
default-information originate
vrf Inside
autonomous-system 100
default-information originate
poap transit

Nexus6-1#

Nexus6-1# sh ip eigrp neighbors vrf inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
Nexus6-1#

Nexus6-1# sh ip eigrp topology vrf Inside
IP-EIGRP Topology Table for AS(100)/ID(172.16.8.2) VRF Inside

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 172.16.8.0/22, 1 successors, FD is 2816
via Connected, Vlan680
P 172.16.230.8/29, 1 successors, FD is 2816
via Connected, Vlan451

Nexus6-1# sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 99
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po99 up 1,451,652,680

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
102 Po102 up success success 1,451,652,6
80
Nexus6-1# sh spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p
Eth8/3 Desg FWD 2 128.1027 P2p

VLAN0451
Spanning tree enabled protocol rstp
Root ID Priority 33219
Address 8c60.4f2d.2ffc
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Desg FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0652
Spanning tree enabled protocol rstp
Root ID Priority 33420
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0680
Spanning tree enabled protocol rstp
Root ID Priority 33448
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

Nexus6-1#

Switch2

Nexus6-2# sh run

!Command: show running-config
!Time: Sat Feb 12 19:02:44 2011

version 7.0(1)N1(1)
hostname Nexus6-2

feature telnet
cfs eth distribute
feature eigrp
feature interface-vlan
feature lacp
feature vpc
feature lldp

vlan 1
vlan 451
name P2P_VRF_SVI
vlan 652
name Management
vlan 680
name Inside
vrf context Inside
vrf context P2P_Inside_VRF
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 99
role priority 2
peer-keepalive destination 10.200.50.1 source 10.200.50.2 vrf peer-keepalive
delay restore 120

interface Vlan1

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.10/29
ip router eigrp 100
no ip passive-interface eigrp 100

interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.3/22
ip router eigrp 100

interface port-channel99
switchport mode trunk
spanning-tree port type network
vpc peer-link

interface port-channel102
switchport mode trunk
vpc 102

interface Ethernet1/1
description vPC Peer Link 1.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet1/2

interface Ethernet1/6

interface Ethernet1/7
description vPC Link 1.7 to Nexus 9372 SEC
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet1/8

interface Ethernet1/12

interface Ethernet2/1
description vPC Peer Link 2.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet2/2

interface Ethernet2/6

interface Ethernet2/7
description vPC Link 2.1 to Nexus PRI
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet2/8

interface Ethernet2/12

interface Ethernet8/1
description keep-alive peer-link to ALNSWI01
no switchport
vrf member peer-keepalive
ip address 10.200.50.2/30

interface Ethernet8/2
description Uplink to ASA
switchport mode trunk
switchport trunk allowed vlan 1,451,652,680

interface Ethernet8/3

interface Ethernet8/20

interface mgmt0
vrf member management
ip address 172.16.52.4/23
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
router eigrp 100
vrf Inside
autonomous-system 100
default-information originate
poap transit
logging logfile messages 6

Nexus6-2#
Nexus6-2#
Nexus6-2# sh ip eigrp neighbors vrf Inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
Nexus6-2#

Nexus6-2# sh ip eigrp topology vrf Inside
IP-EIGRP Topology Table for AS(100)/ID(172.16.8.3) VRF Inside

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 172.16.8.0/22, 1 successors, FD is 2816
via Connected, Vlan680
P 172.16.230.8/29, 1 successors, FD is 2816
via Connected, Vlan451
Nexus6-2#
Nexus6-2#
Nexus6-2# sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 99
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po99 up 1,451,652,680

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
102 Po102 up success success 1,451,652,6
80
Nexus6-2#
Nexus6-2#
Nexus6-2# sh spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p
Eth8/3 Desg FWD 2 128.1027 P2p

VLAN0451
Spanning tree enabled protocol rstp
Root ID Priority 33219
Address 8c60.4f2d.2ffc
Cost 1
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Desg FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0652
Spanning tree enabled protocol rstp
Root ID Priority 33420
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0680
Spanning tree enabled protocol rstp
Root ID Priority 33448
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

Nexus6-2#

Because we run DMVPN in our network we need to be able to advertise the EIGRP networks on our core switch (Nexus 6004's). This technology is very new to us so any help, direction, and advice will be greatly appreciated.

Thank you in advance

Kemal Zuko · ‎03-12-2015

Thanks Reza.

We can definitely move that over that is not an issue.

Jon Marshall · ‎03-12-2015

So one question regarding the EIGRP. The link between the two Nexus switches which is plugged in ports eth8/9 on each switch, I wont see a neighbor relationship between the two because of the L2 on those interfaces. Is that normal

You should see EIGRP peerings.

It is a trunk but you must have SVIs for vlans 450 and 451 and you should see peerings.

Have you configured EIGRP with an address family because those vlans are in a VRF.

Jon

Kemal Zuko · ‎03-12-2015

Jon,

here are the SVI's

interface Vlan450
description DMZ P2P to ASA
no shutdown
vrf member DMZ
ip address 172.16.230.1/29
ip router eigrp 100
no ip passive-interface eigrp 100

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.9/29
ip router eigrp 100
no ip passive-interface eigrp 100

and here is the interface that I am using for EIGRP peering

interface Ethernet8/9
description EIGRP PORT PEERING
switchport mode trunk
switchport trunk allowed vlan 450-451

Jon Marshall · ‎03-12-2015

Are you seeing any EIGRP neighbors ie. "sh ip eigrp neighbor"

Have you enabled EIGRP ie.

"router eigrp 100"

Jon

Kemal Zuko · ‎03-12-2015

Jon,

I have no EIGRP neighbors.

yes, I do have EIGRP enabled

router eigrp 100
autonomous-system 100
vrf DMZ
autonomous-system 100
router-id 172.16.0.1
default-information originate
vrf Inside
autonomous-system 100
router-id 172.16.230.9
default-information originate
poap transit

Jon Marshall · ‎03-12-2015

Apologies for the delay in getting back.

Are you still having problems with this ?

Jon

Kemal Zuko · ‎03-12-2015

Hi Jon,

Not a problem.

Soo I am not sure if we have a problem or not.

the EIGRP link between the two Nexus 6004's I am not seeing neighbor relationship and I think I wont be able to see it unless those interfaces are L3, but then we wont be able to carry the VLAN's across it.

Also something interesting is when we traceroute from the ASA to 172.16.8.199 the ASA uses the PRIMARY nexus as the next hop. When we traceroute to another server on the same subnet 172.16.8.89 the ASA uses the Secondary Nexus as the next hop.

Jon Marshall · ‎03-12-2015

If the ASA is using the Nexus switches as next hops then you must have EIGRP peerings between the Nexus switches and the ASA but you said there were no EIGRP peerings ?

I'm confused because the link is a trunk and you must have SVIs for each vlan on each Nexus so they should be peering on the SVIs. And they must be using those SVIs in terms of traffic flow for the ASAs.

The traceroute is expected and is explained by those documents. The ASA is in the same vlan(s) as the Nexus switches ie. 450 and 451. So the ASA sees two next hops, one via the directly connected Nexus switch and one via the other switch.

So it will use both if it sees them as equal cost paths.

That's what I was explaining in one of my earlier posts.

However what you have written is very confusing ie. "sh ip eigrp neighbor" shows nothing from your previous post and yet the ASAs are receiving routes and are able to traceroute.

Can you clarify ?

Jon

Kemal Zuko · ‎03-12-2015

Jon,

Are you ready for the mass confusion?

when Looking at the ASA EIGRP neighbors output here is what I see.

ASA# sh eigrp neighbors

EIGRP-IPv4 neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

3 172.16.230.1 Te0/8.450 13 16:45:14 1 200 0 64

2 172.16.230.2 Te0/8.450 11 16:45:14 1 200 0 84

1 172.16.230.10 Te0/8.451 11 16:45:20 1 200 0 178

0 172.16.230.9 Te0/8.451 13 16:45:20 1 200 0 148

For simplicity sake lets just concetrate on Interface TenGigabit0/8.451 which is the SVI on the Nexus switch that is VLAN451

From the Nexus Switch 6004 that is directly connected to the ASA here is what I see

SWI01# sh ip eigrp neighbors vrf Inside

IP-EIGRP neighbors for process 100 VRF Inside

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 172.16.8.3 Vlan680 10 17:04:30 54 324 0 177

1 172.16.230.10 Vlan451 11 16:59:10 819 4914 0 178

2 172.16.230.11 Vlan451 14 16:53:48 24 144 0 20

The Inside VRF that is tied to both SVI's on the Switch vlans 451 and 680 is in EIGRP 100 on the switch

SWI01# sh run int vlan 451

interface Vlan451

description Inside p2p to ASA

no shutdown

vrf member Inside

ip address 172.16.230.9/29

ip router eigrp 100

no ip passive-interface eigrp 100

SWI01# sh run int vlan 680

interface Vlan680

description Inside Network

no shutdown

vrf member Inside

ip address 172.16.8.2/22

ip router eigrp 100

hsrp 1

authentication text test

preempt

priority 250

ip 172.16.8.1

so you with me so far?

If you are you have noticed that on the ASA neighbors the ASA sees 172.16.230.11 as a neighbor which is the Secondary Nexus SW. That is becauise they all share the same subnet.

172.16.230.8/29

Brakedown:

PRI Nexus 6004 - 172.16.230.9

SEC NEXUS 6004 - 172.16.230.10

PRI ASA 5585x - 172.16.230.11

SEC ASA 5585x - 172.16.230.12

Because the ASA EIGRP network is a /29 it learns the Secondary Nexus via the Primary Nexus.

I am not sure that the link we created between the two Nexus Switches is doing anything but consuming ports right now.

SWI01# sh run int ethernet 8/9

interface Ethernet8/9

description EIGRP PORT to Secondary Nexus

switchport mode trunk

switchport trunk allowed vlan 450-451

SWI02# sh run int ethernet 8/9

interface Ethernet8/9

description EIGRP PORT to Primary Nexus

switchport mode trunk

switchport trunk allowed vlan 450-451

So the SVI's that go up to the ASA for inspection are 450 and 451. The network SVI's are 600 and 680 all of them live on the switch, and 680, and 600 are extended over the peer links down to the 9372's.

I think that we are breaking the golden rule of vPC BUT.. I am not 100% sure. Some of the documents read that we should not be allowing network vlans over peer links, but then how do you extend the vlans down to the leaf switch?

This is giving me nightmares at the moment…

does this make sense?

Jon Marshall · ‎03-12-2015

I don't understand the confusion.

This is exactly what you should see. The ASA sees 4 neighborships ie. two per vlan, one for each Nexus.

The Nexus switches are peeing over vlan 451 and presumably 450 as well but you didn't show that.

There is no vPC loop avoidance problem because vlans 450 and 451 are not vPC vlans and are on their own link.

The dedicated link is not just consuming ports it is being used for the vlan traffic for vlans 450 and 451 ie. when you did a traceoute from the ASA and it used the Nexus it is not directly connected to it had to have gone over that dedicated link because that is the only path to get to it.

There is nothing in the output that I wouldn;t have expected to see.

What traffic isn't working to make you think it is a vPC issue ?

Jon

Kemal Zuko · ‎03-12-2015

Jon,

Sorry it took so long for me to respond. I guess my confusion was from reading all the different vPC best practices. We did some testing and it turns out that the extra link between the two nexus switches is passing a lot of traffic when we ping and traceroute from the ASA.

now since we have two 40GB links for vPC between the two Nexus switches, it would make sense to use those two 40GB links for EIGRP and two 10GB links for vPC?

To address your other post about not running EIGRP, that is still a strong possibility. it would definetley make things easier.

We still have some non EIGRP issues that we need to iron out in order to decide on the final Dater Center design.

Thank you for your help

Jon Marshall · ‎03-12-2015

Yes, to be honest when I first read all about the vPCs and peerig issues it took a while to sink in but the outputs you posted do look like what I would expect to.

Don't really know about which links to use for vPC and which for the dedicated link.

The issue is that two of the VRF vlans are on the peer link and two are on the dedicated link so I would have thought you would get roughly the same amount of traffic.

Depends if you have other vlans you want to pass on the peer link in which case you may want more bandwidth there.

At least all the EIGRP neighbors are up and traffic is passing from and to the ASA so that is progress.

Let me know how you get on.

Jon

Kemal Zuko · ‎03-13-2015

Yes, this made no sense to me at first, I wish I myself did little more research and recommended Fabric Path over vPC which makes things little easier and eliminates STP 100%.

Yes we will have more vlans anywhere from 5-7 all together. We will have to preform some more tests but will definitely let you know which way this goes..

Jon Marshall · ‎03-12-2015

If you don't want the ASA peering to both switches you could always not run EIGRP.

You could setup HSRP for vlans 450 and 451 and then have static routes on the ASA pointing to the HSRP VIP.

This may mean traffic only goes to the connected switch from the ASA if that is the HSRP VIP but return traffic from the 9372s could still go via either Nexus.

It's up to you and either EIGRP or HSRP should work but you need that dedicated link or else you will have loop issues.

Jon

Nexus 6004 EIGRP Relationship between the two switches