OSPF and HSRP on Nexus 9372 with VPC

utawakevou

I have got the above setup with two 9372s and a couple of SVIs on both, configured on both with OSPF and HSRP. The primary SVI interfaces are set to an OSPF cost of 40 by default. So I set up the secondary SVI interfaces to cost 50. All SVIs' OSPF are in area 0.

Current SVI subnets are seen from the neighboring routers as coming from the primary SVI IP address. To test redundancy through OSPF I shut down an SVI on the primary, and I can see from neighboring devices that they have now seen the (shut down) SVI subnet from the secondary Nexus. That's the scenario that I want so I can have redundancy.

As I understand, with HSRP we should still see hosts on the SVI subnet that was shut down on the primary Nexus. However, this doesn't work. Is there a manual reset that has to be done, or a timer setup on HSRP and OSPF?

I have read as well that these two don't work properly together. Any solution to achieve redundancy with HSRP and OSPF will be really appreciated.

regards


utawakevou

Is there somebody willing to help?

Hi,

This topic is perhaps more suitable for the Data Center section of Cisco Support Community, as Nexus switches are not really LAN switches. You might want to consider moving this topic there.

Anyway, from what you have written, I understand that you have two N9Ks, advertising their SVI in OSPF to other routers in your network, and one of the N9Ks has a lower OSPF cost on this SVI than the other, allowing you to define which N9K is the primary and which one is the secondary N9K to reach the IP network in the same VLAN. I also understand that you are running HSRP on these two N9Ks for this SVI.

What I do not understand from your description is the following:

"As I understand, with HSRP we should still see hosts on the SVI subnet that was shut down on the primary Nexus. However, this doesn't work."

Can you try to explain this in different words, or perhaps provide an example to understand better what is the problem?

"I have read as well that these two don't work properly together."

No, I do not think so. Combining HSRP so that end hosts are always using a working default gateway, plus advertising the network the end hosts are in using OSPF is a normal and common scenario. There is something else going on.

Best regards,
Peter

Thanks Paul for the response. Yes, you understand it right and that is how it's configured.

I said this, "As I understand, with HSRP we should still see hosts on the SVI subnet that was shut down on the primary Nexus. However, this doesn't work", because from hosts on other subnets I couldn't see hosts on the other subnet when I shut down the SVI on the primary N9K. I did that shutdown to test if this setup works.

My printers are on one subnet, SVI 3 (vlan 3), and my clients on another subnet, SVI 4 (vlan 4). When I shut down SVI 3 (interface VLAN 3) on the primary N9K, since I'm using HSRP, I should still be able to connect to my printers; however, that doesn't happen.

I believe I read it in one of the forums, with someone saying that they don't work properly together in this scenario. Anyway, that could be wrong.

Let me know if you need further clarification.

Hello utawakevou

I am also working on a dual vPC design. I also noticed a similar thing when I tried to shut down an SVI on one switch.

When you shut down one SVI, let's say on switch 1, then this VLAN will go under type 2 inconsistency under the vPC configuration, and I feel this has something to do with this.

"My printers are on one subnet, SVI 3 (vlan 3), and my clients on another subnet, SVI 4 (vlan 4). When I shut down SVI 3 (interface VLAN 3) on the primary N9K, since I'm using HSRP, I should still be able to connect to my printers; however, that doesn't happen."

Let's say you have full mesh connectivity between the Nexus switches and routers. Why don't you combine the links in a vPC so that it will appear as a single link on the router, and do the port channel on the router? In this way only a single subnet needs to be used.

Have a look at the link below.

https://supportforums.cisco.com/discussion/13197851/nexus-and-firewall-full-mesh-connectivity

Type 2 Inconsistency Example

============================
Below output when vlan 10 is up 

CORE-SW-1# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 3
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled, timer is off.(timeout = 240s)
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po10 up 1,10,20,200

vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
1 Po1 up success success 1,10,20

17 Po17 up success success 200

18 Po18 up success success 200

Below output when vlan 10 is down

CORE-SW-1# sh vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : primary
Number of vPCs configured : 3
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled, timer is off.(timeout = 240s)
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po10 up 1,10,20,200

vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
1 Po1 up success success 1,10,20

17 Po17 up success success 200

18 Po18 up success success 200

If you have TAC support then discuss this issue with them.
If you have already found the solution for your problem then kindly update.
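An added example, not part of the post above: a small Python check that reads the header of a `sh vpc brief` capture, reports any consistency field that is not `success` together with its stated reason, and diffs two captures. The sample text is abridged from the two outputs in the post; the function names are illustrative, and the pairing of a status line with a matching "inconsistency reason" line is assumed from the Type-2 lines shown there.

```python
import re

# Header fields abridged from the two "sh vpc brief" captures posted above.
COMMON = """\
vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
"""
VLAN10_UP = COMMON + "Type-2 consistency status : success\nvPC role : primary\n"
VLAN10_DOWN = COMMON + (
    "Type-2 consistency status : failed\n"
    "Type-2 inconsistency reason : SVI type-2 configuration incompatible\n"
    "vPC role : primary\n"
)

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")
SUFFIX = "consistency status"

def parse_header(text):
    """Collect the 'name : value' lines that precede the peer-link table."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("vPC Peer-link status"):
            break  # port tables follow; only the header is parsed here
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def consistency_failures(fields):
    """Map every consistency field that is not 'success' to its stated reason."""
    failures = {}
    for name, value in fields.items():
        if name.endswith(SUFFIX) and value.lower() != "success":
            # Assumption: the reason line reuses the prefix, as "Type-2" does above.
            prefix = name[: -len(SUFFIX)].strip()
            failures[name] = fields.get(f"{prefix} inconsistency reason", "not reported")
    return failures

def changed_fields(before, after):
    """Return {field: (before, after)} for header fields that differ."""
    keys = sorted(before.keys() | after.keys())
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}

if __name__ == "__main__":
    up, down = parse_header(VLAN10_UP), parse_header(VLAN10_DOWN)
    print(consistency_failures(down))
    print(changed_fields(up, down))
```

Running it against captures taken before and after a planned SVI shutdown shows exactly which vPC header fields moved.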

Thanks Fazaal,

I don't understand what you meant by this: "Let's say you have full mesh connectivity between the Nexus switches and routers. Why don't you combine the links in a vPC so that it will appear as a single link on the router, and do the port channel on the router? In this way only a single subnet needs to be used."

Anyway, I'm attaching herewith a summary of the setup.

Regards

Hello utawakevou

In your design there are no firewalls or routers. I was trying to explain how the connectivity should be in case the Nexus core switches are connecting to either redundant routers or firewalls toward the internet block or LAN block.

Are you not running any layer 3 link between the Nexus cores for OSPF adjacencies (http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/)?
Are you object tracking the vPC port channel or ports, in case the vPC peer link and vPC peer keep-alive link are on different modules?

Got you Fazal, and thanks. I am not running any layer 3 link between the Nexus (do you mean a physical link?) and am using the interface mgmt0 for the vPC keep-alive.
