1981 Views, 0 Helpful, 43 Replies
Nexus 6004 EIGRP Relationship between the two switches

Kemal Zuko
Level 1

Hi All,

I will try to explain this as best as I can. In our current TEST LAB we have a Pair of Cisco ASA5585x running in Active/Passive mode. We use a VRF transit to connect the 10 GB interface to a Pair of Cisco Nexus 6004 (L3) switches running vPC between them. Downstream we also have a pair of Cisco 9372 switches (L2) also running vPC between the two.

As of right now we have EIGRP neighbor relationship formed between the two N6K's and the ASA.

ASA

ciscoasa# sh eigrp neighbors
EIGRP-IPv4 neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.230.9 Te0/8.451 12 01:30:25 1 200 0 52
0 172.16.230.10 Te0/8.451 12 01:30:25 1 200 0 48

The ASA formed a relationship with both N6K's.

SWITCH1

Nexus6-1# sh ip eigrp neighbors vrf inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
Nexus6-1#

SWITCH2

Nexus6-2# sh ip eigrp neighbors vrf Inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
Nexus6-2#


Both Nexus switches formed EIGRP neighbors using the vPC Peer-Link. There is enough documentation out there that strongly suggests not to use vPC Peer-Links for anything EIGRP.

We do have additional interfaces available on the 6K's that we can use as a cross connect for EIGRP. What we are having trouble understanding is how we can force EIGRP traffic over those ports.

Here is a complete Switch config:

Switch1


Nexus6-1# sh run

feature telnet
cfs eth distribute
feature eigrp
feature interface-vlan
feature lacp
feature vpc
feature lldp

vlan 1
vlan 451
name P2P_VRF_SVI
vlan 652
name Management
vlan 680
name Inside
vrf context Inside
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 99
role priority 1
peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
delay restore 120

interface Vlan1

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.9/29
ip router eigrp 100
no ip passive-interface eigrp 100

interface Vlan651

interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.2/22
ip router eigrp 100

interface port-channel99
switchport mode trunk
spanning-tree port type network
vpc peer-link

interface port-channel102
switchport mode trunk
vpc 102

interface Ethernet1/1
description vPC Peer Link 1.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet1/6

interface Ethernet1/7
description vPC Peer Link 1.7 to Nexus 9372 PRI
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet1/8

interface Ethernet1/9

interface Ethernet2/1
description vPC Peer Link 2.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet2/2

interface Ethernet2/7
description vPC Peer Link 2.1 to Nexus SEC
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet2/8

interface Ethernet8/1
description keep-alive peer-link to ALNSWI02
no switchport
vrf member peer-keepalive
ip address 10.200.50.1/30

interface Ethernet8/2
description Uplink to ASA
switchport mode trunk

interface Ethernet8/3

interface mgmt0
vrf member management
ip address 172.16.52.3/23
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
router eigrp 100
passive-interface default
default-information originate
vrf Inside
autonomous-system 100
default-information originate
poap transit

Nexus6-1#

Nexus6-1# sh ip eigrp neighbors vrf inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
Nexus6-1#

Nexus6-1# sh ip eigrp topology vrf Inside
IP-EIGRP Topology Table for AS(100)/ID(172.16.8.2) VRF Inside

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 172.16.8.0/22, 1 successors, FD is 2816
via Connected, Vlan680
P 172.16.230.8/29, 1 successors, FD is 2816
via Connected, Vlan451

Nexus6-1# sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 99
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po99 up 1,451,652,680

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
102 Po102 up success success 1,451,652,680
Nexus6-1# sh spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p
Eth8/3 Desg FWD 2 128.1027 P2p

VLAN0451
Spanning tree enabled protocol rstp
Root ID Priority 33219
Address 8c60.4f2d.2ffc
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Desg FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0652
Spanning tree enabled protocol rstp
Root ID Priority 33420
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0680
Spanning tree enabled protocol rstp
Root ID Priority 33448
Address 1005.caf5.88ff
Cost 2
Port 4197 (port-channel102)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
Address 8c60.4f2d.2ffc
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

Nexus6-1#


Switch2

Nexus6-2# sh run

!Command: show running-config
!Time: Sat Feb 12 19:02:44 2011

version 7.0(1)N1(1)
hostname Nexus6-2

feature telnet
cfs eth distribute
feature eigrp
feature interface-vlan
feature lacp
feature vpc
feature lldp

vlan 1
vlan 451
name P2P_VRF_SVI
vlan 652
name Management
vlan 680
name Inside
vrf context Inside
vrf context P2P_Inside_VRF
vrf context management
ip route 0.0.0.0/0 172.16.52.1
vrf context peer-keepalive
vpc domain 99
role priority 2
peer-keepalive destination 10.200.50.1 source 10.200.50.2 vrf peer-keepalive
delay restore 120

interface Vlan1

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.10/29
ip router eigrp 100
no ip passive-interface eigrp 100

interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.3/22
ip router eigrp 100

interface port-channel99
switchport mode trunk
spanning-tree port type network
vpc peer-link

interface port-channel102
switchport mode trunk
vpc 102

interface Ethernet1/1
description vPC Peer Link 1.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet1/2

interface Ethernet1/6

interface Ethernet1/7
description vPC Link 1.7 to Nexus 9372 SEC
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet1/8

interface Ethernet1/12

interface Ethernet2/1
description vPC Peer Link 2.1
switchport mode trunk
speed auto
channel-group 99

interface Ethernet2/2

interface Ethernet2/6

interface Ethernet2/7
description vPC Link 2.1 to Nexus PRI
switchport mode trunk
speed auto
channel-group 102 mode active

interface Ethernet2/8

interface Ethernet2/12

interface Ethernet8/1
description keep-alive peer-link to ALNSWI01
no switchport
vrf member peer-keepalive
ip address 10.200.50.2/30

interface Ethernet8/2
description Uplink to ASA
switchport mode trunk
switchport trunk allowed vlan 1,451,652,680

interface Ethernet8/3

interface Ethernet8/20

interface mgmt0
vrf member management
ip address 172.16.52.4/23
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
router eigrp 100
vrf Inside
autonomous-system 100
default-information originate
poap transit
logging logfile messages 6

Nexus6-2#
Nexus6-2#
Nexus6-2# sh ip eigrp neighbors vrf Inside
IP-EIGRP neighbors for process 100 VRF Inside
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.8.2 Vlan680 14 01:30:11 23 138 0 48
0 172.16.230.9 Vlan451 13 01:30:11 480 2880 0 50
1 172.16.230.11 Vlan451 13 01:29:48 1598 5000 0 13
Nexus6-2#

Nexus6-2# sh ip eigrp topology vrf Inside
IP-EIGRP Topology Table for AS(100)/ID(172.16.8.3) VRF Inside

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 172.16.8.0/22, 1 successors, FD is 2816
via Connected, Vlan680
P 172.16.230.8/29, 1 successors, FD is 2816
via Connected, Vlan451
Nexus6-2#
Nexus6-2#
Nexus6-2# sh vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 99
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po99 up 1,451,652,680

vPC status
----------------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
------ ----------- ------ ----------- -------------------------- -----------
102 Po102 up success success 1,451,652,680
Nexus6-2#
Nexus6-2#
Nexus6-2# sh spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p
Eth8/3 Desg FWD 2 128.1027 P2p

VLAN0451
Spanning tree enabled protocol rstp
Root ID Priority 33219
Address 8c60.4f2d.2ffc
Cost 1
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Desg FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0652
Spanning tree enabled protocol rstp
Root ID Priority 33420
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

VLAN0680
Spanning tree enabled protocol rstp
Root ID Priority 33448
Address 1005.caf5.88ff
Cost 3
Port 4194 (port-channel99)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
Address 8c60.4f2d.777c
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
Po102 Root FWD 1 128.4197 (vPC) P2p
Eth8/2 Desg FWD 2 128.1026 P2p

Nexus6-2#

Because we run DMVPN in our network we need to be able to advertise the EIGRP networks on our core switch (Nexus 6004's). This technology is very new to us so any help, direction, and advice will be greatly appreciated. 


Thank you in advance 

43 Replies

Reza Sharifi
Hall of Fame

Hi,

So, you probably have one or 2 links in a Portchannel that you are using for your VPC peer-link. 

You also need a separate link (could be 10 or 40Gig) for your EIGRP peering. You then put the firewalls and the 2 6ks in a /28 subnet (all in one vlan), and then exclude this vlan from your VPC peer-link.

HTH

Hi Reza,

Correct, I have two 40GB interfaces participating in vPC over port-channel 99.

Yes, I can have a link between the two Nexus Platforms for my EIGRP. This is where it will get a little confusing. 

Eventually we will have a bunch of VRF's going upstream to the ASA for inspection. 

VRF's:

DMZ

Inside

VPN

Accounting

IT

 

Each VRF will be put in a transit vlan that will go up to the ASA for inspection. Each transit vlan consists of a separate /29 network.

When you say "You then put the firewalls and 2 6ks in a /28 subnet (all in one vlan), and then exclude this vlan from your VPC peer-link", how can I accomplish this with the design that we have proposed?

Thank you

 

Hi,

Have not done vrf on 6ks. So, if I am saying something that is not correct, you can ignore it. Since you will have multiple vrfs that need to transit to the firewalls, you probably need to have a vlan with a corresponding /28 subnet per VRF.

So, for example for vrf DMZ, you use one vlan (20) and ip address 192.168.1.0/29. This vlan would span across the 6ks and the firewalls and the vlan interface belongs to vrf DMZ.

For VRF inside you create another vlan (30) and IP address 192.168.2.0/29. This vlan would span across the 6ks and the firewalls and the vlan interface belongs to vrf DMZ.

You then exclude vlan 20 and 30 from the VPC peer-link.

Does it make sense?

HTH

 

 

Hello,

 

That is correct

We would have something like this in place


DMZ -----

vlan 450
name Peer-to-Peer-VLAN

vlan 600
name DMZ
vrf context DMZ

interface Vlan450
description DMZ p2p to ASA
no shutdown
vrf member DMZ
ip address 172.16.230.1/29
ip router eigrp 100

interface Vlan600
description DMZ Network
no shutdown
vrf member DMZ
ip address 172.16.0.2/22
ip router eigrp 100

 

INSIDE ----- 

vlan 451
name Peer-to-Peer-VLAN

vlan 680
name Inside
vrf context Inside

interface Vlan451
description Inside p2p to ASA
no shutdown
vrf member Inside
ip address 172.16.230.9/29
ip router eigrp 100

interface Vlan680
description Inside Network
no shutdown
vrf member Inside
ip address 172.16.8.2/22
ip router eigrp 100

 

My only confusion is I can't find an example of how to exclude these vlans from vPC to save my life.

I am assuming all vlans are allowed (and should be) in your VPC peer-link.

So, if this is the case, you simply go to the portchannel 90 and remove these vlans.

config t

interface po90

switchport trunk allowed vlan remove 20,30

Verify with "sh run int po90" that these vlans do not exist.

HTH


 

Reza,

 

That is correct, Po99 is configured for switchport mode trunk allowing all vlans through. I will have to run the cable tomorrow between the two devices and I can then configure the suggested commands.

Thank you for the help. I will let you know how it went.  

Just to clarify this does mean you need to change the connection to your firewalls as well.

If the vlans are transit vlans to the firewalls then you cannot use a vPC to connect the firewalls if those vlans are being removed off the vPC peer link.

Apologies if you already knew this but just wanted to make sure.

Jon

Jon,

Thanks for bringing that up. I did not know that. We just got the new hardware and I never worked on a nexus platform before. 

Can you clarify what you mean by your statement that I need to change my connection to the Firewalls as well? 

 

As of right now we have a tenGigabit interface going down to the Nexus that will carry all transit vlans for inspection. Just to clarify, we are not running vPC between the Nexus and the ASA's 

 

Sorry if this sounds all confusing.. 

My mistake.

I thought you had connected the firewalls to the Nexus switches using a vPC or were using a vPC vlan to make the connection.

If you aren't using a vPC then you just need to make sure as Reza says that you use a different link for the vlans you want to send to the firewalls ie. they cannot be vPC vlans.

Jon
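Added example, not code from this thread or from Cisco: a small Python audit that parses the text of "sh vpc" and "sh ip eigrp neighbors vrf Inside" as pasted above, flags every adjacency formed over an SVI whose VLAN is still allowed on the vPC peer-link, and applies the two points made in the replies: a VLAN that is also active on a vPC member port (Po102 here) has to stay on the peer-link, so only VLANs that ride the peer-link alone get the "switchport trunk allowed vlan remove" line Reza gives. The sample outputs are constructed and abbreviated from the Nexus6-1 output in the first post; the function names are my own.

```python
import re
# Constructed sample, abbreviated from the Nexus6-1 outputs quoted in this thread.
SHOW_VPC = """\
vPC Peer-link status
1 Po99 up 1,451,652,680

vPC status
102 Po102 up success success 1,451,652,680
"""
SHOW_EIGRP = """\
IP-EIGRP neighbors for process 100 VRF Inside
0 172.16.8.3 Vlan680 11 01:28:28 1 50 0 45
1 172.16.230.10 Vlan451 13 01:28:28 1 50 0 46
2 172.16.230.11 Vlan451 10 01:28:00 4 50 0 13
"""

def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '1,451,652,680' or '10-12,20' to a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_show_vpc(text):
    """Return (peer-link port, VLANs on the peer-link, VLANs on vPC member ports)."""
    peer_sec, _, vpc_sec = text.partition("\nvPC status")
    peer = re.search(r"^\d+\s+(Po\d+)\s+\S+\s+([\d,\-]+)\s*$", peer_sec, re.M)
    if not peer:
        raise ValueError("peer-link row not found in show vpc output")
    member = set()
    for m in re.finditer(r"^\d+\s+Po\d+\s.*?\s([\d,\-]+)\s*$", vpc_sec, re.M):
        member |= expand_vlans(m.group(1))
    return peer.group(1), expand_vlans(peer.group(2)), member

def parse_eigrp_neighbors(text):
    """Return [(address, interface), ...] from 'show ip eigrp neighbors'."""
    return re.findall(r"^\d+\s+(\d+(?:\.\d+){3})\s+(\S+)", text, re.M)

def audit(show_vpc, show_eigrp):
    """Classify each adjacency: 'vpc-vlan' (VLAN also on a vPC member port, so it
    must stay on the peer-link), 'peer-link-only' (can leave the peer-link once a
    dedicated link carries it), 'ok' (not on the peer-link), or 'routed' (no SVI)."""
    _, peer_vlans, vpc_vlans = parse_show_vpc(show_vpc)
    findings = []
    for addr, ifname in parse_eigrp_neighbors(show_eigrp):
        m = re.fullmatch(r"Vlan(\d+)", ifname, re.I)
        vid = int(m.group(1)) if m else None
        state = ("routed" if vid is None else "vpc-vlan" if vid in vpc_vlans
                 else "peer-link-only" if vid in peer_vlans else "ok")
        findings.append((addr, ifname, state))
    return findings

def remove_command(show_vpc, show_eigrp):
    """NX-OS lines that take only the 'peer-link-only' VLANs off the peer-link."""
    port, _, _ = parse_show_vpc(show_vpc)
    vids = sorted({int(i[4:]) for _, i, s in audit(show_vpc, show_eigrp)
                   if s == "peer-link-only"})
    return "" if not vids else f"interface {port}\n switchport trunk allowed vlan remove " + ",".join(map(str, vids))
```

On the pasted data every adjacency comes back "vpc-vlan" because 451 and 680 are also active on Po102, so the audit produces no remove line until those VLANs are moved off the vPC to the firewalls.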

Jon,

No worries, I am glad you brought it up. It does not hurt to know additional information on what if's. 

We will implement today and will let you know :)

Appreciate the help from both of you!!!! 

I also have one more question. We have been doing some research and came across one article where it mentions if we do HSRP on the Nexus 6000 then we will force all traffic via one switch and would not need to worry about L3 traversing the vPC link for EIGRP. 

Any take on that? 

Do you mean traffic from the ASA ?

Can you point to the article because my understanding is it does not force traffic to one switch or the other.

I'm not sure what the question is in relation to ie. is it about traffic to and from the firewalls ?

Jon

Yes, 

the traffic from ASA after inspection. 

 

http://www.netcraftsmen.com/designing-vpc-and-routing/

If you go down to DRILLING DOWN ON VPC ROUTING it talks about FHRP.

Can you just clarify.

You have pointed to a document about vPC. Are you proposing to connect each firewall with a vPC or the active firewall to one Nexus switch and the passive firewall to the other.

And in addition, even if you aren't going to be using a vPC are you saying that you want to allow vPC vlans to the ASAs ?

Jon

 
