vPC Peer-Link VLANs Question

marioderosa2008
Level 1

Hi all,

I am confused about the best practices for vPC peer-links. In this document... http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf ... it advises that a vPC peer link can carry vPC AND non-vPC traffic.

Then, a paragraph later, it says that you should split vPC & non-vPC traffic on separate port-channels.

Which statement is correct, or have I misread the document?

I have a connectivity issue, and I want to make sure that we have our vPC domain set up properly.

Currently, I have a non-vPC VLAN where the root port for that VLAN is the Port-Channel used as the vPC peer-link...

Any guidance on this would be great.

thanks

 

Mario


Bilal Nawaz
VIP Alumni

vPC traffic should not really traverse the vPC peer-links, if ever, unless there is a failure or the case of going from or to a non vpc device. Non vpc traffic may use the peer-link just like normal layer 2 trunk. If you could share with us the configurations and explain a little more on the scenario. Which switch is the non-vpc host connected to, where is the connectivity issue, between which devices, if they are in vpc or not.

Thank you

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal, thanks for confirming that it is OK for non-vPC traffic to use the vPC peer-link.

I will do some more investigation on the issue and then come back to you if I get stuck.

thanks

Mario

OK... we have a switch which cannot access a TACACS server, not even ping it. I believe the traffic is black holed.

The distro switch 2 is connected via a L3 port to core switch 2... Core switch 2 routes the packets destined for the TACACS server to Core switch 1 via an interconnect VLAN on the vPC peer link.

The MAC address of the TACACS server is learned via a vPC.

Core switch 1 & 2 are part of the same vPC domain.

So, I feel that one major issue here is that the core switch 2 is routing the packet to core switch 1 even though core switch 2 is part of the same vPC domain and has vPC member ports in the vPC which the TACACS server sits in.

Looking at Core switch 2's config, it does not have a L3 SVI interface for the VLAN that the TACACS server sits in, that's why it's routing the packet to core sw 1 instead of switching it to the local vPC...

So thinking about packet flow, I think that when the packet reaches Core 1, maybe it is trying to forward the packet back to core 2's vPC member port? And for some reason this is not allowed and gets dropped.

Hopefully I've explained it well... let me know your thoughts.

thanks

Mario

Yes Mario, explained well and absolutely correct. Your access will only work if you have an L3 SVI with an FHRP like HSRP; advised to put the vpc peer-gateway command under the vpc domain config.

Since you have a VPC to the switch, the rule is frames/packets should NOT traverse the vpc peer link because both member ports are UP.

Hope this helps

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
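
The asymmetry diagnosed in this thread (a VLAN carried on a vPC with an SVI on only one peer, and no `peer-gateway` under the vPC domain) can be checked by comparing the two peers' configurations. The following is an added example, not code from the thread or from Cisco; the config snippets, VLAN IDs, addresses and the peer labels A/B are constructed for illustration.

```python
import re

# Constructed NX-OS-style snippets, not from the thread; VLAN IDs and addresses are invented.
CORE_A = """\
vpc domain 10
  peer-keepalive destination 192.0.2.2
interface Vlan100
  ip address 10.0.100.2/24
interface port-channel20
  switchport mode trunk
  switchport trunk allowed vlan 100,200-201
  vpc 20
interface port-channel1
  switchport trunk allowed vlan 1-4094
  vpc peer-link
"""
# Peer B carries the same vPC but has no SVI for VLAN 100, as described in the thread.
CORE_B = CORE_A.replace("interface Vlan100\n  ip address 10.0.100.2/24\n", "")

def expand(spec):
    """Expand a VLAN list such as '100,200-201' into {100, 200, 201}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse(config):
    """Return (SVI VLANs, VLANs carried on vPC member ports, peer-gateway set)."""
    svis, vpc_vlans, peer_gw = set(), set(), False
    for stanza in re.split(r"\n(?=\S)", config.strip()):  # one stanza per unindented line
        head = stanza.splitlines()[0].strip()
        if m := re.fullmatch(r"interface Vlan(\d+)", head):
            svis.add(int(m.group(1)))  # shutdown state is not checked here
        elif head.startswith("vpc domain"):
            peer_gw = bool(re.search(r"^[ \t]+peer-gateway[ \t]*$", stanza, re.M))
        elif re.search(r"^[ \t]+vpc \d+[ \t]*$", stanza, re.M):  # member port, not peer-link
            for spec in re.findall(r"switchport (?:access|trunk allowed) vlan ([\d,-]+)", stanza):
                vpc_vlans |= expand(spec)
    return svis, vpc_vlans, peer_gw

def audit(cfg_a, cfg_b):
    """Flag vPC VLANs with an SVI on only one peer, and peers without peer-gateway."""
    (svi_a, vpc_a, gw_a), (svi_b, vpc_b, gw_b) = parse(cfg_a), parse(cfg_b)
    findings = [f"VLAN {v}: SVI missing on peer {'B' if v in svi_a else 'A'}"
                for v in sorted((svi_a ^ svi_b) & (vpc_a | vpc_b))]
    findings += [f"peer {n}: peer-gateway not configured"
                 for n, gw in (("A", gw_a), ("B", gw_b)) if not gw]
    return findings
```

Calling `audit(CORE_A, CORE_B)` on the sample pair reports the missing SVI on peer B and the absent `peer-gateway` on both peers.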