I have the following scenario: two Nexus 9Ks are configured as vPC peers with HSRP, and the upstream is connected to an active/standby firewall pair with OSPF configured.
Below is the configuration:
SW1 & SW2
router ospf 1
area 0.0.0.4 nssa no-summary
ip ospf dead-interval 3
ip ospf hello-interval 1
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.4
ip ospf bfd
vpc domain 10
role priority 100
peer-keepalive destination 10.10.10.2 source 10.10.10.1 vrf vpcvrf
ip arp synchronize
Switch one's neighbor is flapping between EXSTART and EXCHANGE:
Neighbor ID Pri State Up Time Address Interface
10.10.10.5 1 FULL/ - 00:25:17 18.104.22.168 Vlan20
10.20.10.10 1 EXCHANGE/ - 0.065025 22.214.171.124 Vlan20
Please advise if the above configuration is correct.
You are right, your setup is valid and supported assuming you have the required minimum software version on the N9K.
However, within your VLAN 20 you have 3 OSPF neighbors, so this is obviously not a P2P network. As such, the "ip ospf network point-to-point" configuration needs to be removed.
And you don't need HSRP there; it is just cluttering your configuration.
What does the physical connectivity look like?
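An added check that is not part of this thread: it parses the "show ip ospf neighbors" output posted above and the interface-level OSPF commands from the posted config (which interface they sit under is not shown on the page, so Vlan20 is assumed), and flags the two problems this answer points out: a point-to-point network type on a segment with more than one neighbor, and neighbors that never reach FULL.

```python
import re

# Constructed sample of the "show ip ospf neighbors" output from the thread
# (same addresses as in the post; the Up Time column is copied as shown).
NEIGHBOR_OUTPUT = """\
Neighbor ID     Pri State            Up Time  Address         Interface
10.10.10.5        1 FULL/ -          00:25:17 18.104.22.168   Vlan20
10.20.10.10       1 EXCHANGE/ -      0.065025 22.214.171.124  Vlan20
"""

# Constructed per-interface OSPF settings, taken from the posted config and
# assumed (not shown on the page) to sit under "interface Vlan20".
INTERFACE_CONFIG = {
    "Vlan20": {"ip ospf network point-to-point", "ip ospf bfd",
               "ip ospf hello-interval 1", "ip ospf dead-interval 3"},
}

# One NX-OS neighbor row: ID, priority, STATE/ROLE, up time, address, interface.
NEIGHBOR_RE = re.compile(
    r"^(?P<id>\d+(?:\.\d+){3})\s+\d+\s+(?P<state>\w+)/\s*\S+\s+\S+\s+"
    r"(?P<addr>\d+(?:\.\d+){3})\s+(?P<intf>\S+)\s*$"
)

def parse_neighbors(output):
    """Parse neighbor rows into (neighbor_id, state, interface) tuples."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            rows.append((m.group("id"), m.group("state"), m.group("intf")))
    return rows

def check_ospf(output, intf_config):
    """Return findings: point-to-point type with several neighbors on one
    interface, and neighbors stuck short of FULL (e.g. EXSTART/EXCHANGE)."""
    findings = []
    per_intf = {}
    for nid, state, intf in parse_neighbors(output):
        per_intf.setdefault(intf, []).append((nid, state))
    for intf, nbrs in per_intf.items():
        cfg = intf_config.get(intf, set())
        if "ip ospf network point-to-point" in cfg and len(nbrs) > 1:
            findings.append(f"{intf}: network type point-to-point but "
                            f"{len(nbrs)} neighbors seen; use broadcast")
        for nid, state in nbrs:
            # 2WAY is normal between two DROTHERs on a broadcast segment.
            if state not in ("FULL", "2WAY"):
                findings.append(f"{intf}: neighbor {nid} stuck in {state}")
    return findings
```

Running check_ospf(NEIGHBOR_OUTPUT, INTERFACE_CONFIG) on the posted output yields one finding for the point-to-point mismatch on Vlan20 and one for the neighbor 10.20.10.10 stuck in EXCHANGE.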
Are both Nexus switches connected to both firewalls?
Do you have OSPF running between the switches?
You would need a vlan with a /28 subnet to span between the 2 switches and both firewalls.
Thanks for your reply. I have the following scenario:
The links from the FWs are aggregated links with a vPC. Currently, for testing, there is only one VLAN in this trunk, used on both the Nexus switches and the FWs for OSPF. HSRP is configured from the Nexus side.
The physical diagram looks correct. What is the VLAN that spans between the firewalls and the switches? Is that a /28 subnet with one IP on each switch and one IP on the firewall? Also, is OSPF running between the 2 switches? What type of firewall are these?
You don't need HSRP for this subnet. So, try deleting the HSRP config and test. Make sure you have ospf running between the 2 switches.
It doesn't look correct. However, you can check the vPC consistency for type 1/2 errors:
sh vpc peer-keepalive
sh vpc consistency-check global
sh vpc consistency-check vpc xx
As for the physical connectivity, you'll need a minimum of 4 ports for a valid vPC domain creation.
On each vPC switch:
1x routed port p2p connection in a VRF for the peer-keepalive link (not to traverse the peer-link)
1x routed port p2p connection for the routing backup path between vPC switches (this could run over the peer-link via an SVI; however, a better way would be to have its own physical routed port)
2x aggregated trunk L2 interfaces for the peer-link
Thanks for your response. What's wrong with the posted configuration, please?
I've checked the status of the vPC everything just looks fine and identical between both vPC peers.
What I meant was I didn't see any separate routed interface for your OSPF, so your routed backup path between vPC switches seems to be running over the peer link, which isn't ideal (recommended to be a separate routed port).
Also, you have a routed vPC towards each FW which, if I am not mistaken, isn't supported in vPC due to vPC loop avoidance (vPC FW1 <-> vpcswitch1 <-> vpcswitch2 <-x-> FW1). These links should not be in any vPC.
I managed to dig out Cisco's best practice design related to the 7Ks, which actually states what I am trying to explain:
Attaching a L3 device (router or firewall configured in routed mode for instance) to vPC domain using a vPC is not a supported design because of vPC loop avoidance rule.
To connect a L3 device to vPC domain, simply use L3 links from L3 device to each vPC peer device.