ALWAYS dual attach devices to a vPC Domain!!!


Nexus 7000 virtual Port-Channel Best Practices & Design Guidelines
Roberto Mari, Technical Marketing Engineer, Data Center Business Unit
November 2009, version 1.1

Agenda
- Feature Overview & Terminology
- vPC Design Guidance & Best Practices
- Building a vPC domain
- Attaching to a vPC domain
- Layer 3 and vPC
- Spanning Tree Recommendations
- Data Center Interconnect (& Encryption)
- HSRP with vPC
- vPC and Services
- vPC latest enhancements
- ISSU
- Convergence and Scalability
- vPC Hands-on Lab Information
- Reference Material

Feature Overview & Terminology: Intelligent L2 Domains, POD Evolution
[Figure: POD evolution across the L3/L2 boundary with Core, Aggregation, Access and Servers layers. Labels: STP, vPC, Cisco L2MP; STP Enhancements, Bridge Assurance; NIC Teaming; Simplified loop-free trees; 2x Multi-pathing; Inter-POD Connectivity across L3 (Failure Boundary Preservation); 16x ECMP; Low Latency / Lossless; MAC Scaling; Operational Flexibility; Failure Boundary]


Feature Overview & Terminology: vPC Definition
- Allow a single device to use a port channel across two upstream switches
- Eliminate STP blocked ports
- Uses all available uplink bandwidth
- Dual-homed servers operate in active-active mode
- Provide fast convergence upon link/device failure
- Reduce CAPEX and OPEX
- Available on current and future hardware for M1 and D1 generation cards
[Figure: logical topology without vPC and logical topology with vPC]

Feature Overview & Terminology: vPC Terminology
- vPC peer: a vPC switch, one of a pair
- vPC member port: one of a set of ports (port channels) that form a vPC
- vPC: the combined port channel between the vPC peers and the downstream device
- vPC peer-link: link used to synchronize state between vPC peer devices, must be 10GbE
- vPC peer-keepalive link: the keepalive link between vPC peer devices, i.e., backup to the vPC peer-link
- vPC VLAN: one of the VLANs carried over the peer-link and used to communicate via vPC with a peer device
- non-vPC VLAN: one of the STP VLANs not carried over the peer-link
- CFS: Cisco Fabric Services protocol, used for state synchronization and configuration validation between vPC peer devices
[Figure: vPC, vPC peer, non-vPC device, vPC peer-keepalive link, vPC member port, CFS protocol, vPC peer-link]

Building a vPC Domain: Configuration Steps
The following steps are needed to build a vPC (order does matter!):
- Configure globally a vPC domain on both vPC devices
- Configure a peer-keepalive link on both vPC peer switches (make sure it is operational). NOTE: When a vPC domain is configured, the keepalive must be operational to allow a vPC domain to successfully form.
- Configure (or reuse) an interconnecting port-channel between the vPC peer switches
- Configure the inter-switch channel as peer-link on both vPC devices (make sure it is operational)
- Configure (or reuse) port-channels to dual-attached devices
- Configure a unique logical vPC and join port-channels across different vPC peers
[Figure: vPC, vPC member port, vPC peer-keepalive link, vPC peer-link, standalone port-channel, vPC peer]

Building a vPC Domain: Peer Link
Definition:
- Standard 802.1Q trunk
- Can carry vPC and non-vPC VLANs
- Carries Cisco Fabric Services messages (tagged as CoS=4 for reliable communication)
- Carries flooded traffic from a vPC peer
- Carries STP BPDUs, HSRP Hellos, IGMP updates, etc.
Requirements:
- Member ports must be 10GE interfaces on one of the N7K-M132XP-12 modules
- Peer-links are point-to-point. No other device should be inserted between the vPC peers.
Recommendations (strong ones!):
- Minimum 2x 10GbE ports on separate cards for best resiliency.
- Dedicated 10GbE ports (not shared mode ports)
- It is best practice to split vPC and non-vPC VLANs on different inter-switch port-channels.
[Figure: vPC peer-link]

Building a vPC Domain: Peer Link with Single 10G Module
- Common Nexus 7000 configuration: 1x 10G, 7x 1G cards
- vPC recommendation is 2 10G cards
- Potential problem occurs if Nexus 7000 is L3 boundary with single 10G card
- Use Object Tracking feature available in 4.2
- More information from CCO: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4-2/nx-os/interfaces/configuration/guide/if-vPC.html wp1529488

Building a vPC Domain: Peer Link with Single 10G Module – Object Tracking
Scenario:
- vPC deployments with a single N7K-M132XP-12 card, where core and peer-link interfaces are localized on the same card.
- This scenario is vulnerable to access-layer isolation if the 10GE card fails on the primary vPC.
vPC Object Tracking Solution:
- Leverages object tracking capability in vPC (new CLI commands are added).
- Peer-link and core interfaces are tracked as a list of boolean objects.
- vPC object tracking suspends vPCs on the impaired device, so traffic can get diverted over the remaining vPC peer.
[Figure: vPC primary and vPC secondary at the L3/L2 boundary, joined by the vPC PL and vPC PKL; interface labels are truncated in the source (e1/, e2/). CLI shown: rhs-7k-1(config-vpc-domain) track]

Building a vPC Domain: Cisco Fabric Services (CFS)
Definition/Uses:
- Configuration validation/comparison
- MAC member port synchronization
- vPC member port status
- STP management
- HSRP and IGMP snooping synchronization
- vPC status
Characteristics:
- Transparently enabled with vPC features
- CFS messages encapsulated in standard Ethernet frames delivered between peers exclusively on the peer-link
- Cisco Fabric Services messages are tagged as CoS=4 for reliable communication.
- Based on CFS from MDS product development
- Many years in service, robust protocol
[Figure: CFS messaging]

Building a vPC Domain: Peer-Keepalive (1 of 2)
Definition:
- Heartbeat between vPC peers
- Active/Active (no peer-link) detection
- Messages sent on 2 second interval
- 3 second hold timeout on peer-link loss
- Fault Tolerant terminology is specific to VSS and deprecated in vPC.
Packet Structure:
- UDP message on port 3200, 96 bytes long (32 byte payload), includes version, time stamp, local and remote IPs, and domain ID.
- Keepalive messages can be captured and displayed using the onboard Wireshark Toolkit.
Recommendations:
- Should be a dedicated link (1Gb is adequate)
- Should NOT be routed over the peer-link
- Can optionally use the mgmt0 interface (along with management traffic)
- As last resort, can be routed over L3 infrastructure
[Figure: vPC peer-keepalive link]

Building a vPC Domain: Peer-Keepalive (2 of 2)
Cautions/Additional Recommendations:
- When using supervisor management interfaces to carry the vPC peer-keepalive, do not connect them back to back between the two switches.
- Only one management port will be active at a given point in time and a supervisor switchover may break keep-alive connectivity.
- Use the management interface only if you have an out-of-band management network (management switch in between).

Building a vPC Domain: vPC Member Port
Definition:
- Port-channel member of a vPC peer.
Requirements:
- Configuration needs to match the other vPC peer's member port config. In case of inconsistency a VLAN or the entire port-channel may suspend (e.g. MTU mismatch).
- Number of member ports on both vPC peers is not required to match.
- Up to 8 active ports between both vPC peers (16-way port-channel can be built with multi-layer vPC)
[Figure: vPC member ports]

Building a vPC Domain: VDC Interaction
- vPC works seamlessly in any VDC based environment.
- One vPC domain per VDC is supported, up to the maximum number of VDCs supported in the system.
- It is still necessary to have a separate vPC peer-link and vPC peer-keepalive link infrastructure for each VDC deployed.
Can vPC run between VDCs on the same switch?
- This scenario should technically work, but it is NOT officially supported and has not been extensively tested by our QA team.
- Could be useful for demo or hands on, but it is NOT recommended for production environments.
- Will consolidate redundant points on the same box with VDCs (e.g. whole aggregation layer on a box) and introduce a single point of failure.
- ISSU will NOT work in this configuration, because the vPC devices can NOT be independently upgraded.
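The member-port requirement above (configuration must match on both peers) and the build steps earlier in the deck can be checked offline before a change window. The following is an added example, not code from the deck or from Cisco: it audits two constructed NX-OS-style configuration fragments, and the sample addresses, domain and port-channel numbers and the helper names `parse` and `audit` are assumptions.

```python
import re

# Constructed running-config fragments for two vPC peers (sample data, not
# from the deck); domain, address and port-channel numbers are made up.
PEER_A = """\
vpc domain 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf keepalive
interface port-channel1
  vpc peer-link
interface port-channel20
  mtu 9216
  vpc 20
interface port-channel30
  vpc 30
"""
PEER_B = """\
vpc domain 10
  peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf keepalive
interface port-channel1
  vpc peer-link
interface port-channel20
  mtu 1500
  vpc 20
"""

def parse(config):
    """Extract the vPC-relevant settings from one peer's configuration text."""
    info = {"domain": None, "keepalive": False, "peer_link": False, "vpcs": {}}
    for sec in re.split(r"\n(?=\S)", config):      # one top-level section each
        if m := re.match(r"vpc domain (\d+)", sec):
            info["domain"] = int(m.group(1))
            info["keepalive"] = bool(re.search(r"^ +peer-keepalive destination ", sec, re.M))
        elif re.search(r"^ +vpc peer-link$", sec, re.M):
            info["peer_link"] = True
        elif m := re.search(r"^ +vpc (\d+)$", sec, re.M):
            mtu = re.search(r"^ +mtu (\d+)$", sec, re.M)
            info["vpcs"][int(m.group(1))] = int(mtu.group(1)) if mtu else None
    return info

def audit(cfg_a, cfg_b):
    """List findings that break the match the deck requires between peers."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["domain"] is None or a["domain"] != b["domain"]:
        findings.append("vPC domain missing or different on the two peers")
    for name, peer in (("A", a), ("B", b)):
        for key in ("keepalive", "peer_link"):
            if not peer[key]:
                findings.append(f"peer {name}: {key} not configured")
    for vpc in sorted(set(a["vpcs"]) | set(b["vpcs"])):
        if vpc not in a["vpcs"] or vpc not in b["vpcs"]:
            findings.append(f"vPC {vpc}: on one peer only (not dual attached)")
        elif a["vpcs"][vpc] != b["vpcs"][vpc]:
            findings.append(f"vPC {vpc}: MTU differs between peers")
    return findings

if __name__ == "__main__":
    for finding in audit(PEER_A, PEER_B):
        print(finding)
```

An MTU that is set explicitly on one peer and left at its default on the other is reported as a difference, so review those findings against the platform default.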

Attaching to a vPC Domain: The One and Only Rule
ALWAYS dual attach devices to a vPC Domain!!!

Attaching to a vPC Domain: IEEE 802.3ad and LACP
Definition:
- Port-channel for devices dual-attached to the vPC pair.
- Provides local load balancing for port-channel members
- STANDARD 802.3ad port channel
Access Device Requirements:
- STANDARD 802.3ad capability
- LACP optional
Recommendations:
- Use LACP when available for better failover and mis-configuration protection
[Figure: vPC member port, vPC, regular port-channel port]

Attaching to a vPC Domain: "My device can't be dual attached!"
Note (non-vPC VLAN): VLAN that is NOT part of any vPC and not present on the vPC peer-link.
Recommendations (in order of preference):
1. ALWAYS try to dual attach devices using vPC (not applicable for routed links).
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths through vPC.
   CONS: None
2. If (1) is not an option, connect the device via a vPC attached access switch (could use VDC to create a "virtual access switch").
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Availability limited by the access switch failure.
   CONS: Need for an additional access switch or need to use one of the available VDCs. Additional administrative burden to configure/manage the physical/virtual device.
3. If (2) is not an option, connect the device directly to the (primary) vPC peer in a non-vPC VLAN and provide for a separate interconnecting port-channel between the two vPC peers.
   PROS: Traffic diverted on a secondary path in case of peer-link failover.
   CONS: Need to configure and manage additional ports (i.e. port-channel) between the Nexus 7000 devices.
4. If (3) is not an option, connect the device directly to the (primary) vPC peer in a vPC VLAN.
   PROS: Easy deployment.
   CONS: VERY BAD. Bound to vPC roles (no role preemption in vPC). Full isolation on peer-link failure when the attached vPC toggles to a secondary vPC role.

Attaching to a vPC Domain: vPC and non-vPC VLANs (i.e. single attached)
[Figure: orphan ports on the primary (P) and secondary (S) vPC peers for four attachment options: 1. Dual Attached; 2. Attached via VDC/Secondary Switch; 3. Secondary ISL Port-Channel; 4. Single Attached to vPC Device]

Attaching to a vPC Domain: "My device only does STP!"
- Run the same STP mode as the vPC domain.
- Enable portfast/port type edge on host facing ports.
Recommendations (in order of preference):
1. ALWAYS try to dual attach devices using vPC.
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths through vPC.
   CONS: None
2. If (1) is not an option, connect the device via two independent links using STP. Use non-vPC VLANs ONLY on the STP switch.
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths on vPC VLANs.
   CONS: Requires an additional STP port-channel between the vPC devices. Operational burden in provisioning and configuring separate STP and vPC VLAN domains. Only active/standby paths on STP VLANs.
3. If (2) is not an option, connect the device via two independent links using STP (use vPC VLANs on this switch).
   PROS: Simplifies VLAN provisioning and does not require allocation of an additional 10GE port-channel.
   CONS: STP and vPC devices may not be able to communicate with each other in certain failure scenarios (i.e. when STP root and vPC primary device do not overlap). All VLANs carried over the peer-link may suspend until the two adjacencies form and vPC is fully synchronized.

vPC Design Principles: Attaching to a vPC Domain – vPC and non-vPC VLANs (STP/vPC Hybrid)
[Figure: three designs shown with primary/secondary vPC peers (P, S) and primary/secondary STP roots (PR, SR): 1. All devices Dual Attached via vPC; 2. Separate vPC and STP VLANs; 3. Overlapping vPC and STP VLANs. Additional label: non-vPC port-channel]

Attaching to a vPC Domain: 16-way Port-Channel (1 of 2)
- Multi-layer vPC can join 8 active ports port-channels in a unique 16-way port-channel
- vPC peer side load-balancing is LOCAL to the peer
- Each vPC peer has only 8 active links, but the pair has 16 active load balanced links
- Possible with any device supporting vPC/MCEC and 8-way active port-channels
[Figure: Nexus 7000 and Nexus 5000, 16-way port channel]

Attaching to a vPC Domain: 16-way Port-Channel (2 of 2)
- 16 active ports between 8 active port-channel devices and 16 active port-channel devices
- vPC peer side load-balancing is LOCAL to the peer
- Each vPC peer has only 8 active links, but the pair has 16 active load balanced links to the downstream device supporting 16 active ports
- D-series N7000 line cards will also support 16 way active port-channel load balancing, providing for a potential 32 way vPC port channel!
- Nexus 5000 16-port port-channel support introduced in 4.1(3)N1(1a) release
[Figure: Nexus 7000 and two Nexus 5000, 16-port port-channel]

Layer 3 and vPC: Recommendations
- The recommendation to use separate L3 links to hook up routers to a vPC domain still stands.
- Don't use an L2 port channel to attach routers to a vPC domain unless you can statically route to the HSRP address.
- If both routed and bridged traffic is required, use individual L3 links for routed traffic and an L2 port-channel for bridged traffic.
[Figure: Router, 7k1, 7k2, Switch, Po1, Po2]

Layer 3 and vPC: What can happen (1 of 3)
- Port-channel looks like a single L2 pipe. Hashing will decide which link to choose.
- Layer 3 will use ECMP for northbound traffic.
- R could be any router, L3 switch or VSS building a port-channel.
[Figure: vPC view, Layer 2 topology and Layer 3 topology of R attached to 7k1 and 7k2 (7k vPC)]

Layer 3 and vPC: What can happen (2 of 3)
- Packet arrives at R.
- R does a lookup in the routing table and sees 2 equal paths going north (to 7k1 & 7k2).
- Assume it chooses 7k1 (ECMP decision).
- R now has rewrite information to which router it needs to go (router MAC 7k1 or 7k2).
- L2 lookup happens and outgoing interface is port-channel 1.
- Hashing determines which port-channel member is chosen (say to 7k2).
- Packet is sent to 7k2.
- 7k2 sees that it needs to send it over the peer-link to 7k1 based on MAC address.
[Figure: R, 7k1, 7k2, S, Po1, Po2]

Layer 3 and vPC: What can happen (3 of 3)
- 7k1 performs lookup and sees that it needs to send to S.
- 7k1 performs check if the frame came over peer link & is going out on a vPC.
- Frame will only be forwarded if outgoing interface is NOT a vPC or if outgoing vPC doesn't have active interface on other vPC peer (in our example 7k2).
[Figure: R, 7k1, 7k2, S, Po1, Po2]

Spanning Tree Recommendations: Overview – STP Interoperability
STP Uses:
- Loop detection (failsafe to vPC)
- Non-vPC attached device
- Loop management on vPC addition/removal
Requirements:
- Needs to remain enabled, but doesn't dictate vPC member port state
- Logical ports still count, need to be aware of number of VLANs/port-channels deployed!
Best Practices:
- Not recommended to enable Bridge Assurance feature on vPC channels (i.e. no STP "network" port type). Tracked by CSCsz76892.
- Make sure all switches in your layer 2 domain are running with Rapid-PVST or MST (IOS default is non-rapid PVST+), to avoid slow STP convergence (30+ secs)
- Remember to configure portfast (edge port-type) on host facing interfaces to avoid slow STP convergence (30+ secs)
[Figure: STP is running to manage loops outside of vPC's direct domain, or before initial vPC configuration]
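The "Layer 3 and vPC: What can happen" walk-through (1 to 3 of 3) can be replayed as a small model to show why the deck recommends separate L3 links for routers. This is an added example, not code from the deck: the function names are hypothetical, and it assumes that the ECMP choice and the port-channel hash are independent and equally likely, and that the routing peer's own port toward S is up.

```python
from itertools import product

PEERS = ("7k1", "7k2")

def trace(next_hop, arrives_at, egress_is_vpc=True, egress_active_on=PEERS):
    """Follow one packet from R to S through the vPC pair.

    next_hop          peer whose router MAC R's ECMP lookup selected
    arrives_at        peer the frame was actually delivered to
    egress_is_vpc     True when S is attached through a vPC (Po2)
    egress_active_on  peers whose member port toward S is up
    Returns (delivered, path).
    """
    path = ["R", arrives_at]
    if arrives_at == next_hop:
        return True, path + ["S"]        # routed and sent out locally
    path += ["peer-link", next_hop]      # bridged to the router MAC's owner
    # Rule from the deck: a frame that came over the peer-link is forwarded
    # only if the egress is NOT a vPC, or if that vPC has no active
    # interface on the other peer (the one the frame came from).
    if egress_is_vpc and arrives_at in egress_active_on:
        return False, path + ["drop"]
    return True, path + ["S"]

def loss_fraction(attach, egress_is_vpc=True, egress_active_on=PEERS):
    """Share of (ECMP choice, hash result) pairs that end in a drop.

    attach="l2-vpc": R reaches both peers over one port-channel (Po1), so
                     the hash result is independent of the ECMP decision.
    attach="l3":     R has a separate routed link to each peer, so the frame
                     always arrives at the next hop that ECMP selected.
    """
    outcomes = []
    for next_hop, hashed in product(PEERS, repeat=2):
        arrives_at = hashed if attach == "l2-vpc" else next_hop
        delivered, _ = trace(next_hop, arrives_at, egress_is_vpc, egress_active_on)
        outcomes.append(delivered)
    return outcomes.count(False) / len(outcomes)

if __name__ == "__main__":
    print(trace("7k1", "7k2"))           # the case walked through in the deck
    print(loss_fraction("l2-vpc"), loss_fraction("l3"))
```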

Reference Material: vPC/VSS Interop Test Details
[Figure: physical and logical views of the test topology. Labels: L3 Core; L2/L3 Aggregation, Nexus 7000 vPC; L2 Access, 6500 VSS; N7K-1, N7K-2, 6K-1, 6K-2; Po10, Po100; vPC Peer Link LACP Channel (2x10 GigE); vPC Peer-Keepalive (GigE); VSS VSL Channel (2x10 GigE); interfaces E1/25, E1/26, E2/14, Te1/2/1, Te1/2/2, Te2/2/1, Te2/2/2]
The following scenarios were tested:
- VSS and vPC member failover and convergence
- Dual active scenarios and behavior
- Best practice guidelines for STP, L3 (NSF), Multicast
Catalyst 6500/Nexus 7000 interoperability:
- Multiple ports per chassis act as one larger ether-channel

Reference Material: Other Solution Tests and Recent vPC Documentation
- Enterprise Solutions Engineering: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data-Center/DC-3-0/DC-3-0-IPInfra.html
- Implementing Nexus 7000 in the Data Center Aggregation Layer with Services: https://www.cisco.com/en/US/docs/solutions/Enterprise/Data-Center/nx-7000-dc.html
- Configuration Guide for Object Tracking Feature: http://www.cisco.com/en/US/partner/docs/switches/datacenter/sw/4-2/nx-os/interfaces/configuration/guide/if-vPC.html wp1530133
- vPC white paper: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white-paper-c11-516396.html
