A quick design question (hopefully) regarding vPC orphan ports. We have a pair of Nexus 5K switches that are configured in a vPC domain that need to provide connectivity to a couple of access switches. The access switches only have a single uplink at present (due to available fibre cores), so they can only be attached to one of the 5K switches.
I understand that if the vPC peer-link fails, the secondary peer can disable all of its vPC resulting in traffic loss. Based on this, it would make sense to connect both access switches to the vPC primary to prevent any issues if the vPC peer link is lost, however, if the primary peer is rebooted or breaks, I lose connectivity to both access switches. Alternatively I split the access switches across the 5ks but run the risk of isolating one of the access switches in the event of a peer-link failure.
Is there a general recommendation for the connectivity to Orphan ports in this scenario?
Single-homed devices always have this risk. I know the constraints you mentioned in relation to fibre, but that is the limitation as far as I can see in your problem.
Let me clarify something here: if the vPC peer-link goes down, only the vPCs on the secondary switch will be disabled; the vPC orphan port will remain up since it is not a vPC member. However, it would bring down all of the SVIs that are shared on the peer-link, so if, for instance, the VLANs of the orphan ports go through the peer-link, then those will go down. You would require a separate trunk on the N5Ks with those VLANs, but I would not recommend this. Check the information below:
vPC Peer-Link Failure
To prevent problems caused by dual-active devices, vPC shuts down vPC member ports on the secondary switch when the peer link is lost but the peer keepalive is still present.
When the peer link fails, the vPC peers verify their reachability over the peer-keepalive link, and if they can communicate they take the following actions:
● The operational secondary vPC peer (which may not match the configured secondary because vPC is nonpreemptive) brings down the vPC member ports, including the vPC member ports located on the fabric extenders in the case of a Cisco Nexus 5000 Series design with fabric extenders in straight-through mode.
● The secondary vPC peer brings down the vPC VLAN SVIs: that is, all SVIs for the VLANs that happen to be configured on the vPC peer link, whether or not they are used on a vPC member port.
Note: To keep the SVI interface up when a peer link fails, use the command dual-active exclude interface-vlan.
At the time of this writing, if the peer link is lost first, the vPC secondary shuts down the vPC member ports. If this failure is followed by a vPC peer-keepalive failure, the vPC secondary keeps the interfaces shut down. This behavior may change in the future with the introduction of the autorecovery feature, which will allow the secondary device to bring up the vPC ports as a result of this sequence of events.
It is recommended that the vPC orphan port go down as well, purely as a prevention mechanism against duplicate frames, but only if it is coming from a stack of switches with the same VLANs. The command to force the shutdown of the orphan port on the secondary N5K would be:
N7K-2(config)# int eth 2/32
N7K-2(config-if)# vpc orphan-port suspend
It is still fine to connect both links to the primary N5K, but as you stated, any failure, upgrade or similar would force you to have downtime.
Let me know if this clarifies your question.
Please rate all of the helpful answers!
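To show how the two commands from the answer above fit together on the secondary peer, here is an added NX-OS configuration example (not from the original post or from Cisco's documentation). Hostnames, the vPC domain ID, keepalive addresses, the VLAN number and the interface number are assumptions chosen for illustration; the access switch on this peer is the single-homed (orphan) one. `dual-active exclude interface-vlan` lives under `vpc domain` configuration, while `vpc orphan-port suspend` is applied per interface.

```text
! Added example, not from the original thread. All names, VLANs and
! interface numbers are assumed for illustration.
!
! N5K-2 is the operational vPC secondary. On peer-link loss (with the
! peer-keepalive still up) it suspends its vPC member ports and the SVIs
! of every VLAN carried on the peer-link; the lines below control what
! happens to the orphan uplink and to one SVI in that situation.
N5K-2# configure terminal
N5K-2(config)# vpc domain 10
N5K-2(config-vpc-domain)# peer-keepalive destination 192.0.2.1 source 192.0.2.2 vrf management
! Keep the SVI for VLAN 100 up on this peer even if the peer-link fails
! (VLAN 100 is assumed to be carried on the peer-link).
N5K-2(config-vpc-domain)# dual-active exclude interface-vlan 100
N5K-2(config-vpc-domain)# exit
!
! Orphan (non-vPC) uplink to the single-homed access switch.
N5K-2(config)# interface ethernet 1/20
N5K-2(config-if)# description orphan uplink to access-switch-B (single-homed)
N5K-2(config-if)# switchport mode trunk
N5K-2(config-if)# switchport trunk allowed vlan 100
! Suspend this port when the peer-link fails so traffic from the access
! switch is not black-holed or duplicated while N5K-2 has its vPCs down.
! Omit this line if you prefer the orphan port to stay up in that case.
N5K-2(config-if)# vpc orphan-port suspend
N5K-2(config-if)# end
!
! Verify which ports the switch treats as orphans.
N5K-2# show vpc orphan-ports
```

Whether to apply `vpc orphan-port suspend` follows the answer's own caveat: with the suspend configured, the access switch behind the orphan port loses connectivity on a peer-link failure; without it, the port stays up but its VLANs only keep working if their SVIs are excluded from the dual-active shutdown or the traffic does not depend on the peer-link.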