Solved: Nexus 7K port channel to F5 LTM load balancer

josephsmar · ‎01-29-2015

I am hoping some has set this up already, but I have not been able to find any examples in this forum or on the internet. What we are trying to do is setup a port channel from our nexus 7k to a F5 LTM load balancer. The links are two 10gig. One thing I found was the when applying the channel group to the interface you need to use the following command:

channel-group XX mode active

This is for the lacp portion of the interface. We set that and setup the LTM, but still cannot get traffic to pass.

Bilal Nawaz · ‎01-30-2015

Hello, I have configured N7Ks with F5 5200v's before, here is what I do. This design is probably a little more complex than yours since we use vCMPs on the F5 and vPCs on the N7Ks, but never the less, it should be more or less similar/same.

Config on F5:

N7K-1 Config:

DC1-N7K1# show port-channel summary interface port-channel 10
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
10 Po10(SU) Eth LACP Eth3/41(P)
DC1-N7K1#
DC1-N7K1#
DC1-N7K1# show run int po10

!Command: show running-config interface port-channel10
!Time: Fri Jan 30 08:24:46 2015

version 6.2(8a)

interface port-channel10
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
vpc 10

DC1-N7K1# show run int e3/41

!Command: show running-config interface Ethernet3/41
!Time: Fri Jan 30 08:24:52 2015

version 6.2(8a)

interface Ethernet3/41
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
channel-group 10 mode active
no shutdown

DC1-N7K1#

DC1-N7K2

DC1-N7K2# show port-channel summary interface port-channel 10
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
10 Po10(SU) Eth LACP Eth3/41(P)
DC1-N7K2#
DC1-N7K2#
DC1-N7K2# show run int po10

!Command: show running-config interface port-channel10
!Time: Fri Jan 30 08:26:11 2015

version 6.2(8a)

interface port-channel10
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
vpc 10

DC1-N7K2#
DC1-N7K2#
DC1-N7K2#
DC1-N7K2# show run int e3/41

!Command: show running-config interface Ethernet3/41
!Time: Fri Jan 30 08:26:21 2015

version 6.2(8a)

interface Ethernet3/41
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
channel-group 10 mode active
no shutdown

DC1-N7K2#

I usually set them up with 2 N7Ks with vPC, but you can ignore the vPC config.

In case anyone is interested at vpc, and what is shown on N7Ks with this setup:

Same for these on both sides N7Ks.

DC1-N7K2# show vpc consistency-parameters interface port-channel 10

Legend:
Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
STP Port Type 1 Edge Trunk Port Edge Trunk Port
STP Port Guard 1 Default Default
STP MST Simulate PVST 1 Default Default
lag-id 1 [(2000, [(2000,
0-23-4-ee-be-1, 800a, 0-23-4-ee-be-1, 800a,
0, 0), (c9c0, 0, 0), (c9c0,
0-23-e9-88-c9-c0, 3, 0-23-e9-88-c9-c0, 3,
0, 0)] 0, 0)]
mode 1 active active
Speed 1 10 Gb/s 10 Gb/s
Duplex 1 full full
Port Mode 1 trunk trunk
Native Vlan 1 1103 1103
MTU 1 1500 1500
LACP Mode 1 on on
Interface type 1 port-channel port-channel
Admin port mode 1 trunk trunk
vPC card type 1 Clipper Clipper
Allowed VLANs - 18,24,1103 18,24,1103
Local error VLANs - - -
DC1-N7K2#
DC1-N7K2# show vpc 10

vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
10 Po10 up success success 18,24,1103

Hope this helps.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Reza Sharifi · ‎01-29-2015

Do you have 2 7ks or just 1?

Can you post the config from the 7k?

also can you post:

sh port-channel summary interface port-channel x/x (x/x is the po that connects to F5.

Are you running vrrp on the F5s?

josephsmar · ‎01-29-2015

We are running only 1 7K.

I cannot post the whole config. The F5 is not runnning vrrp.

XX PoXX(SD) Eth NONE Ethx/x(D) Ethx/x(D)

interface port-channelXX
description -----
switchport access vlan X
switchport trunk native vlan X
switchport trunk allowed vlan X,X,X,X
spanning-tree port type normal

interface Ethernet8/12
switchport mode trunk
switchport access vlan x
switchport trunk native vlan x
switchport trunk allowed vlan x,x,x,x,x
spanning-tree port type normal
channel-group 2012 mode active
no shutdown

interface Ethernet8/13
switchport mode trunk
switchport access vlan x
switchport trunk native vlan x
switchport trunk allowed vlan x,x,x,x,x
spanning-tree port type normal
channel-group 2012 mode active
no shutdown

Reza Sharifi · ‎01-29-2015

SD indicate that the po is in suspended mode and down.

What is the output of sh int poxx?

try this

config t

no int poxx

interface Ethernet8/12

switchport mode trunk

switchport trunk native vlan x
switchport trunk allowed vlan x,x,x,x,x
channel-group xx mode active
no shutdow

interface Ethernet8/13

switchport mode trunk
switchport trunk native vlan x
switchport trunk allowed vlan x,x,x,x,x
channel-group xx mode active
no shutdow

int po xx

switchport trunk native vlan x
switchport trunk allowed vlan x,x,x,x,x

no sh

and test again with "sh int poxx"

HTH

josephsmar · ‎01-29-2015

It is shut down right now, we had to resort to setting up a single trunk interface and a single switchport access interface so we could test connectivity.

Reza Sharifi · ‎01-29-2015

oh ok, understand. When you have time and a maintenance window you can try the above. When building a layer-2 port-channel, there is no need to build the po itself first. When you add the physical interfaces to the po id you want, the switch will create that po id for you but keep it in "sh" mode until you issue "no sh". From that point you add all the configs to the po interface only and the physical interfaces will inherit the configs.

Good Luck

josephsmar · ‎01-29-2015

So basically you want me to set it up that same way it is now, leave out the

switchport access vlan x command?

Reza Sharifi · ‎01-29-2015

Correct.

the "switchport access vlan x" command does not have any effect as the port mode is already trunk. So, there is no need for it.

HTH

josephsmar · ‎01-29-2015

Would it keep the port channel from passing traffic?

Reza Sharifi · ‎01-29-2015

No, it will not have any effect on the port-channel.

Jon Marshall · ‎01-29-2015

As Reza says it should have no effect on the links.

You should add a "switchport mode trunk" to your port channel configuration.

I haven't done what you are trying to do but from the Cisco end it is fairly straightforward.

When it was not passing traffic was the etherchannel actually showing as up on the Cisco end ?

You are using LACP on the etherchannel, have you selected that on the LTM as well ?

I did a quick search and there seems to be differing opinions on what the LTM should use ie. LACP active or passive as both have been reported to work.

As long as it one or the other then that should be okay.

Jon

josephsmar · ‎01-29-2015

Yeah, we have lacp set on the LTM and I found the same thing active passive. There was one thread on F5s forum that said to set the uldl value on the interface.

Reza Sharifi · ‎01-29-2015

You shouldn't need to. As long as the load balancer side is passive you are good.

josephsmar · ‎01-29-2015

We do have the load balancer set to passive and the nexus set to active. Still no traffic will pass. What I would love to find is someone who has configured this exact setup and get a sample configuration from them. Also what was setup on the F5 as well.

Bilal Nawaz · ‎01-30-2015

Hello, I have configured N7Ks with F5 5200v's before, here is what I do. This design is probably a little more complex than yours since we use vCMPs on the F5 and vPCs on the N7Ks, but never the less, it should be more or less similar/same.

Config on F5:

N7K-1 Config:

DC1-N7K1# show port-channel summary interface port-channel 10
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
10 Po10(SU) Eth LACP Eth3/41(P)
DC1-N7K1#
DC1-N7K1#
DC1-N7K1# show run int po10

!Command: show running-config interface port-channel10
!Time: Fri Jan 30 08:24:46 2015

version 6.2(8a)

interface port-channel10
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
vpc 10

DC1-N7K1# show run int e3/41

!Command: show running-config interface Ethernet3/41
!Time: Fri Jan 30 08:24:52 2015

version 6.2(8a)

interface Ethernet3/41
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
channel-group 10 mode active
no shutdown

DC1-N7K1#

DC1-N7K2

DC1-N7K2# show port-channel summary interface port-channel 10
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
10 Po10(SU) Eth LACP Eth3/41(P)
DC1-N7K2#
DC1-N7K2#
DC1-N7K2# show run int po10

!Command: show running-config interface port-channel10
!Time: Fri Jan 30 08:26:11 2015

version 6.2(8a)

interface port-channel10
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
vpc 10

DC1-N7K2#
DC1-N7K2#
DC1-N7K2#
DC1-N7K2# show run int e3/41

!Command: show running-config interface Ethernet3/41
!Time: Fri Jan 30 08:26:21 2015

version 6.2(8a)

interface Ethernet3/41
description ## Uplink to DC1-F5LTM-PROD01 ##
switchport mode trunk
switchport trunk native vlan 1103
switchport trunk allowed vlan 18,24,1103
spanning-tree port type edge trunk
spanning-tree bpduguard enable
logging event port link-status
logging event port trunk-status
channel-group 10 mode active
no shutdown

DC1-N7K2#

I usually set them up with 2 N7Ks with vPC, but you can ignore the vPC config.

In case anyone is interested at vpc, and what is shown on N7Ks with this setup:

Same for these on both sides N7Ks.

DC1-N7K2# show vpc consistency-parameters interface port-channel 10

Legend:
Type 1 : vPC will be suspended in case of mismatch

Name Type Local Value Peer Value
------------- ---- ---------------------- -----------------------
STP Port Type 1 Edge Trunk Port Edge Trunk Port
STP Port Guard 1 Default Default
STP MST Simulate PVST 1 Default Default
lag-id 1 [(2000, [(2000,
0-23-4-ee-be-1, 800a, 0-23-4-ee-be-1, 800a,
0, 0), (c9c0, 0, 0), (c9c0,
0-23-e9-88-c9-c0, 3, 0-23-e9-88-c9-c0, 3,
0, 0)] 0, 0)]
mode 1 active active
Speed 1 10 Gb/s 10 Gb/s
Duplex 1 full full
Port Mode 1 trunk trunk
Native Vlan 1 1103 1103
MTU 1 1500 1500
LACP Mode 1 on on
Interface type 1 port-channel port-channel
Admin port mode 1 trunk trunk
vPC card type 1 Clipper Clipper
Allowed VLANs - 18,24,1103 18,24,1103
Local error VLANs - - -
DC1-N7K2#
DC1-N7K2# show vpc 10

vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
10 Po10 up success success 18,24,1103

Hope this helps.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.