12-12-2019 10:08 PM
Hello,
I have the following scenario: two Nexus 9Ks are configured as vPC peers with HSRP; the upstream is connected to an active/standby firewall with OSPF configured.
Below is the configuration:
SW1 & SW2
----
router ospf 1
  bfd
  router-id 10.10.10.4
  area 0.0.0.4 nssa no-summary
interface Vlan20
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.4
  ip ospf bfd
interface Vlan20
  hsrp 20
    ip 20.20.20.1
vpc domain 10
  peer-switch
  role priority 100
  peer-keepalive destination 10.10.10.2 source 10.10.10.1 vrf vpcvrf
  peer-gateway
  layer3 peer-router
  auto-recovery
  ip arp synchronize
interface port-channel1
  vpc peer-link
Switch one's neighbor is flapping between EXSTART and EXCHANGE:
Neighbor ID Pri State Up Time Address Interface
10.10.10.5 1 FULL/ - 00:25:17 20.20.20.3 Vlan20
10.20.10.10 1 EXCHANGE/ - 0.065025 20.20.20.6 Vlan20
Please advise if the above configuration is correct.
12-21-2019 05:52 AM
You are right, your setup is valid and supported assuming you have the required minimum software version on the N9K.
However, within your vlan20 you have 3 OSPF neighbors, so this is obviously not a P2P network. As such, the "ip ospf network point-to-point" configuration needs to be removed.
And you don't need HSRP there; it is just cluttering your configuration.
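As an added illustration of the diagnosis in the accepted answer (this is not code from the thread or from Cisco), the following Python script parses the posted configuration and the "show ip ospf neighbors" output and flags the three things the answer calls out: a point-to-point network type on an interface that sees more than one neighbor, HSRP on an OSPF transit interface, and neighbors stuck in EXSTART/EXCHANGE. The sample input is transcribed from the thread and embedded inline; the function names and the TOP_LEVEL keyword list are my own assumptions, not an NX-OS API.

```python
import re

# Constructed sample input, transcribed from the thread (not live device output).
SAMPLE_CONFIG = """\
router ospf 1
  bfd
  router-id 10.10.10.4
  area 0.0.0.4 nssa no-summary
interface Vlan20
  ip ospf dead-interval 3
  ip ospf hello-interval 1
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.4
  ip ospf bfd
interface Vlan20
  hsrp 20
    ip 20.20.20.1
"""

SAMPLE_NEIGHBORS = """\
Neighbor ID     Pri State            Up Time  Address         Interface
10.10.10.5        1 FULL/ -          00:25:17 20.20.20.3      Vlan20
10.20.10.10       1 EXCHANGE/ -      0.065025 20.20.20.6      Vlan20
"""

# Adjacency states that should only be transient; a neighbor that stays or
# flaps here usually has a network-type or MTU mismatch, not a reachability problem.
TRANSIENT_STATES = {"INIT", "EXSTART", "EXCHANGE", "LOADING"}

# Top-level config blocks that end an "interface" section (assumed list, not exhaustive).
TOP_LEVEL = ("router ", "vpc domain", "feature ", "vrf context", "hostname ")


def parse_interfaces(config):
    """Return {interface_name: set(sub-commands)}; works for indented or flattened config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())  # merges repeated "interface X" blocks
        elif line.startswith(TOP_LEVEL):
            current = None
        elif current is not None:
            interfaces[current].add(line)
    return interfaces


def parse_neighbors(text):
    """Parse 'show ip ospf neighbors'-style output into a list of dicts."""
    neighbors = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[0]):
            continue  # header or blank line
        state, _, role = tokens[2].partition("/")
        if role == "":
            role = tokens[3]  # NX-OS prints "FULL/ -" with a space before the role
        neighbors.append({
            "neighbor_id": tokens[0],
            "state": state.upper(),
            "role": role,
            "address": tokens[-2],
            "interface": tokens[-1],
        })
    return neighbors


def find_issues(config, neighbor_text):
    """Cross-check interface config against observed neighbors; return a list of findings."""
    interfaces = parse_interfaces(config)
    neighbors = parse_neighbors(neighbor_text)
    issues = []

    per_intf = {}
    for n in neighbors:
        per_intf.setdefault(n["interface"], []).append(n)

    for name, cmds in interfaces.items():
        peers = per_intf.get(name, [])
        # point-to-point admits exactly one neighbor; more means the network type
        # does not match the topology (the answer's main finding).
        if "ip ospf network point-to-point" in cmds and len(peers) > 1:
            issues.append(f"{name}: point-to-point network type but {len(peers)} neighbors seen")
        # HSRP on a pure OSPF transit segment adds nothing; routers find each other via OSPF.
        runs_ospf = any(c.startswith("ip router ospf") for c in cmds)
        has_hsrp = any(c.startswith("hsrp ") for c in cmds)
        if runs_ospf and has_hsrp:
            issues.append(f"{name}: HSRP configured on an OSPF transit interface")

    for n in neighbors:
        if n["state"] in TRANSIENT_STATES:
            issues.append(f"{n['interface']}: neighbor {n['neighbor_id']} stuck in {n['state']}")
    return issues


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONFIG, SAMPLE_NEIGHBORS):
        print(issue)
```

Run against the sample it reports the point-to-point mismatch on Vlan20, the redundant HSRP group, and the neighbor stuck in EXCHANGE; removing the "ip ospf network point-to-point" line from the input clears the first finding, which is exactly the change the answer asks for.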
12-13-2019 06:53 AM
Hi,
What does the physical connectivity look like?
Are both Nexus switches connected to both firewalls?
Do you have OSPF running between the switches?
You would need a vlan with a /28 subnet to span between the 2 switches and both firewalls.
HTH
12-13-2019 11:51 AM
Hello,
Thanks for your reply, I have the following scenario;
The links from the FWs are aggregated links with a vPC; currently, for testing, there is only one VLAN in this trunk, used on both the Nexus and the FWs for OSPF. HSRP is configured from the Nexus side.
12-13-2019 12:13 PM
Hi,
The physical diagram looks correct. What is the vlan that spans between the firewalls and the switches? Is that a /28 subnet with one IP on each switch and one IP on the firewall? Also, is OSPF running between the 2 switches? What type of Firewall are these?
HTH
12-13-2019 12:31 PM
12-13-2019 12:41 PM
Hi,
You don't need HSRP for this subnet. So, try deleting the HSRP config and test. Make sure you have OSPF running between the 2 switches.
HTH
12-13-2019 01:03 PM
12-14-2019 01:50 PM
12-14-2019 01:53 PM
12-13-2019 10:50 AM - edited 12-13-2019 10:54 AM
Hello
It doesn't look correct. However, you can check the vPC consistency for type 1/2 errors:
sh vpc
sh vpc peer-keepalive
sh vpc consistency-check global
sh vpc consistency-check vpc xx
As for the physical connectivity, you'll need a minimum of 4 ports on each vPC switch for a valid vPC domain creation:
1x routed port p2p connection in a VRF for the peer-keepalive link (not to traverse the peer-link)
1x routed port p2p connection for the routing backup path between vPC switches (this could run over the peer-link via an SVI; however, a better way would be to have its own physical routed port)
2x aggregated trunk L2 interfaces for the peer-link
12-13-2019 11:52 AM
Hello,
Thanks for your response, what's wrong with the posted configuration please?
I've checked the status of the vPC everything just looks fine and identical between both vPC peers.
12-14-2019 06:31 AM - edited 12-14-2019 06:37 AM
Hello
What I meant was I didn't see any separate routed interface for your OSPF, so your routed backup path between vPC switches seems to be running over the peer-link, which isn't ideal (recommended to be a separate routed port).
Also, you have a routed vPC towards each FW which, if I am not mistaken, isn't supported in vPC due to vPC loop avoidance (vPC FW1 <-> vPC switch1 <-> vPC switch2 <-x-> FW1); these links should not be in any vPC.
12-14-2019 06:46 AM - edited 12-14-2019 01:10 PM
Hello
I managed to dig out Cisco's best practice design relating to the 7Ks, which actually states what I am trying to explain.
Layer 3 and vPC: Guidelines and Restrictions
Attaching a L3 device (router or firewall configured in routed mode for instance) to vPC domain using a vPC is not a supported design because of vPC loop avoidance rule.
To connect a L3 device to vPC domain, simply use L3 links from L3 device to each vPC peer device.
12-14-2019 12:26 PM
12-14-2019 12:41 PM