Solved: SVI interface on the VPC peer

Yangjp715 · ‎11-15-2017

Hi there,

We have a project to change the existing configuration on the existing N9K VPC peers. I need to configure an interface VLAN 999 and enable OSPF p2p on one N9K. And configure an interface VLAN 1002, enable OSPF p2p on another N9K. There is VPC peer link between two N9Ks and allow VLAN 999 and 1002 to pass through. I was wondering can I configure different SVI on the VPC peer devices?

Thanks in advance,

Eric

Rick1776 · ‎11-16-2017

They would only need to match if they are going to be a VPC VLAN. If they are standard L3 routes you don't have to worry about that.

View solution in original post

Rick1776 · ‎11-15-2017

Are you going to run HSRP between the VPC pairs?

Yangjp715 · ‎11-15-2017

No. Actually, it is no-vpc vlan i used to build OSPF point to point
releationship between n9k and a down link router.

Rick1776 · ‎11-15-2017

So your answer to your question would be yes. That would be a normal implementation. You'll have an ECMP type of scenario where both routes would be in the routing table and you can use some type of hashing.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3_ospfv3.html

Yangjp715 · ‎11-15-2017

The example configurations:
N9K1:
interface vlan 999
ip add 10.0.0.1/30
ip ospf 100 area 0
ip ospf network p2p

The ASR which is connected to the N9K1:
Inter g0/1
ip add 10.0.0.2/30
ip ospf 100 area 0
ip ospf network p2p

The N9K2:
interface vlan 1002
ip add 10.0.1.1/30
ip ospf 100 area 0
ip ospf network p2p

The ASR which is connected to N9K2
Interface G0/1
ip add 10.0.0.2/30
ip ospf 100 area 0
ip ospf network p2p

Allow the vlan 999, 1002 over the VPC peer link. Or have a dedicated L2 trunk for non-vpc vlan. My question is can i have two different interface VALNs with OSPF on the VPC pair?

Rick1776 · ‎11-15-2017

Yes two different VLANs with OSPF, but I wouldn't make those VPC VLANs but I would have them strictly L3 routes.

Hopefully this helps.

Rick1776 · ‎11-15-2017

Is this what you are trying to achieve?

Yangjp715 · ‎11-15-2017

Thanks Rick,

My colleague told me we cannot configure two different interface VLAN on the VPC peer. It should be the same interface VLAN on two N9Ks. Otherwise, the N9K will shutdown the interface VLAN. Could you confirm that?

We have a plan to let all traffic from the ASR to pass through the firewall. So i assign the interface on N9k-1 to vlan 998. and configure a trunk between n9k-1 and the FW, and only allow vlan 998 and 999 on the trunk. then bridge VLAN 998 and 999 on the FW. After that, create interface vlan 999 and assign a IP address which is in the same ip subnet with the interface on the ASR. So the all traffic will be forwarded to the FW. Also OSPF P2P will be established between the interface on the ASR and the SVI on the N9K-1.

Rick1776 · ‎11-15-2017

Let me do some research.

Rick1776 · ‎11-15-2017

I found this link which seems to discuss what you are trying to do.

https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/118997-technote-nexus-00.html

Yangjp715 · ‎11-16-2017

Thanks Rick, based on the document, L3-A to Nexus-A peering is always supported for L2/L3. If L3-A also directly connect to Nexus-B. Is L3-B to Nexus-B supported for L3?

Rick1776 · ‎11-16-2017

YES...

Yangjp715 · ‎11-16-2017

Hi Rick, the following comment is from my colleague. Please confirm if it is correct. Thanks a lot.

By having a unique SVI on each core N9Ks which is not defined on the adjacent device this will create a VPC consistency problem. VPC Restriction says all SVI have to match between VPC domain members.

Rick1776 · ‎11-16-2017

For VPC correct you have to have the same configuration per VPC switch. I personally don't like Layer 3 over VPC and just let the routing protocol take care of the forwarding. You get into some weird Asymmetric routing issues with VPC and L3.

Yangjp715 · ‎11-16-2017

Actually, The ASR has two links which are connected to two N9Ks with the same cost value using OSPF P2P. The interfaces in both N9Ks which are conencted to the ASR 1001 are not VPC port. I am not sure why all SVI have to match between VPC domain members.