Deploying Virtual Port Channel In NX-OS - Alcatron

Transcription

Deploying Virtual Port Channel in NX-OS
BRKDCT-2048
Gerard Chami, Customer Support Engineer

Session Abstract

This session is targeted to Network Engineers, Network Architects and IT administrators who have deployed or are considering the deployment of vPC to improve Layer 2 scalability and the network operational efficiency.

The session introduces basic concepts and terminology of the virtual Port-Channel technology and also covers actual designs and best practices of the vPC technology. Designs are targeted for aggregation/access layer and also for Data-Centre Interconnect.

- vPC+ will be briefly covered in this session
- Nexus 2000 (FEX) will only be addressed from vPC standpoint
- vPC troubleshooting will not be covered in this session
- The presentation includes hidden and reference slides (marked "For Your Reference")

BRKDCT-2048 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
- Feature Overview
- vPC Design Guidance and Best Practices
- vPC Enhancements
- Convergence

Agenda
- Feature Overview
  - vPC Concept & Benefits
  - How does vPC help with STP?
  - vPC Terminology
  - Data-Plane Loop Avoidance with vPC
  - vPC vs vPC+
- vPC Design Guidance and Best Practices
- vPC Enhancements
- Convergence

VPC Feature Overview

vPC Feature Overview
vPC Concept & Benefits
[Figure: Non-vPC and vPC topologies]

vPC Feature Overview
vPC Concept & Benefits
[Figure: Physical Topology and Logical Topology; benefit labels: …ncy, Efficiency, Fast-Convergence]

Feature Overview
How does vPC help with STP? (1 of 2)

Before vPC:
- STP blocks redundant uplinks
- VLAN based load balancing
- Loop Resolution relies on STP
- Protocol Failure

With vPC:
- No blocked uplinks
- EtherChannel load balancing (hash)
- Loop Free Topology
- Lower oversubscription

[Figure: Primary Root and Secondary Root switches, before and with vPC]

Feature Overview
How does vPC help with STP? (2 of 2)
- Build Loop-Free Networks
- Reuse existing infrastructure
- Smooth Migration

Feature Overview
vPC Terminology (1 of 2)
- vPC Domain - A pair of vPC switches in a vPC system
- vPC Peer - A vPC switch, one of a pair
- vPC member port - One of a set of ports (port channels) that form a vPC
- vPC - The port channel between the vPC peer and the downstream device
- vPC peer-link - Link used to synchronise state between vPC peer devices, must be 10GE
- vPC peer-keepalive link - The keep-alive link between vPC peer devices

Feature Overview
vPC Terminology (2 of 2)
- vPC VLAN - Any of the VLANs carried over the peer-link and used to communicate via vPC with a peer device
- Non-vPC VLAN - Any of the STP VLANs not carried over the peer-link
- CFS - Cisco Fabric Services protocol, used for state synchronisation and configuration validation between peer devices
- Orphan Device - A device which is on a vPC VLAN but only connected to one vPC peer and not to both
- Orphan Port - An interface which connects to an orphan device

Feature Overview
Data-Plane Loop Avoidance with vPC (1 of 2)

Data-Plane vs. Control-Plane Loop control:
- vPC peers can forward all traffic locally
- Peer-link does not typically forward data packets (control plane extension)
- Traffic on the Peer-link is marked and not allowed to egress on a vPC

[Figure: STP Domain with STP Failure, compared with vPC Domain]

Feature Overview
Data-Plane Loop Avoidance with vPC (2 of 2)
- Exception for single-sided vPC failures
- Peer-link used as backup path for optimal resiliency

vPC vs vPC+
Architecture of vPC and FabricPath with vPC+
[Figure: vPC and vPC+ side by side; labels: FP, CE, FP Port, CE Port, CE VLANs, FP VLANs]

Technical Challenges
vPC vs vPC+
- MAC address flapping on S300
- Single path to A

[Figure: FabricPath switches S10, S20, S30, S40 with edge switches S100, S200 and S300; hosts A and B on Classical Ethernet. S300 CE MAC Address Table, columns MAC / IF: B on 1/2, A on S100]

VPC Virtual Switch
vPC vs vPC+
- A consistently associated to S1
- Multipathing to A

[Figure: FabricPath switches S10, S20, S30, S40 with virtual switch S1 and edge switch S300; hosts A and B on Classical Ethernet. S300 CE MAC Address Table, columns MAC / IF: B on 1/2, A on S1]

VPC Design Guidance & Best Practices
VPC Benefits: High-availability, Redundancy, Low convergence & Full use of available bandwidth

Agenda
- Feature Overview
- vPC Design Guidance and Best Practices
  - Building a vPC Domain
  - Mixed Chassis Mode
  - Attaching to a vPC Domain
  - Layer 3 and vPC
  - Spanning Tree Recommendations
  - Data Centre Interconnect
  - HSRP with vPC
  - vPC / FEX Supported Topologies
- vPC Enhancements
- Convergence and Scalability
- Reference Material

Building a vPC Domain
Configuration Steps

Following steps are needed to build a vPC (Order does Matter!):
1. Define domains*
2. Establish Peer Keepalive connectivity
3. Create a Peer link
4. Reuse port-channels and Create vPCs
5. Make Sure Configurations are Consistent

[Figure legend: vPC member, Routed Interface, Host Port]

Building a vPC Domain
vPC Domains
- vPC Domain defines the grouping of switches participating in the vPC
- Provides for definition of global vPC system parameters
- The vPC peer devices use the vPC domain ID to automatically assign a unique vPC system MAC address
- You MUST utilise unique Domain IDs for all vPC pairs defined in a contiguous layer 2 domain!

    ! Configure the vPC Domain ID – It should be unique within the layer 2 domain
    NX-1(config)# vpc domain 20
    ! Check the vPC system MAC address
    NX-1# show vpc role
    <snip>
    vPC system-mac : 00:23:04:ee:be:14

vPC System MAC identifies the Logical Switch in the network topology.

[Figure: vPC Domain 10 and vPC Domain 20]

Building a vPC Domain
Independent Control Plane, Synchronised L2 State
- LACP neighbour sees the same System ID from both vPC peers
- The vPC 'system-mac' is used by both vPC peers

[Figure: 'sh vpc role' output on 7K 1 and 7K 2 and 'sh lacp neighbor' output on 5K 2, showing a regular (non-vPC) port channel next to an MCEC (vPC) EtherChannel]

Building a vPC Domain
Independent Control Plane, Synchronised L2 State
- vPC peers function as independent devices as well as peers
- Local 'system-mac' is used for all non-vPC PDUs (LACP, STP, ...)

    7k 1# sh vpc role
    <snip>
    vPC system-mac          : 00:23:04:ee:be:14
    vPC system-priority     : 1024
    vPC local system-mac    : 00:0d:ec:a4:53:3c
    vPC local role-priority : 1024

[Figure: 'sh lacp neighbor' output on dc11-4948-2 for the regular (non-vPC) port channel, next to the MCEC (vPC) EtherChannel between 7K 1 and 7K 2]

Building a vPC Domain
vPC Roles
- vPC primary switch election is based on role priority
- Lower priority wins; if not, lower system MAC wins
- Role is non-preemptive, so operational role is what matters and not configured role
- Operational role may differ from the priorities configured under the domain
- vPC role defines which of the two vPC peers processes BPDUs
- Role matters for the behaviour with peer-link failures!

    dc11-5020-3(config-vpc-domain)# role priority ?
      <1-65535>  Specify priority value
    dc11-5020-3# sh vpc
    <snip>
    vPC role : secondary, operational primary

[Figure: Dual Layer VPC with vPC Domain 10 and vPC Domain 20; labels: Primary (but may be Operational Secondary), Secondary (but may be Operational Primary)]

Building a vPC Domain
vPC Peer-Link (aka VPC PL aka MCT)

Definition:
- Standard 802.1Q Trunk which carries CFS (Cisco Fabric Services) messages
- Carries flooded traffic from the vPC peer, STP BPDUs, HSRP Hellos, IGMP updates, etc.
- Peer-Link member ports must be 10/40/100GE interfaces
- Peer-Link must be a point-to-point link

Recommendations (strong ones!):
- Minimum 2x 10GE ports (use 2 separate cards for best resiliency)
- 10GE ports in dedicated mode for oversubscribed modules

The peer link is always forwarding for any VLAN that is a member!

Building a vPC Domain
vPC Peer-Keepalive link (aka VPC PKL)

vPC PKL messages should NOT be routed over the vPC PL!

Definition:
- Heartbeat between vPC peers
- Active/Active detection (in case vPC Peer-Link is down)

Packet Structure:
- UDP message on port 3200, 96 bytes long (32 byte payload), includes version, time stamp, local and remote IPs, and domain ID
- Default timers: interval 1 sec / timeout 5 sec

Recommendations (in order of preference):

NEXUS 7000 / Nexus 7700:
1. Dedicated link(s) (1GE/10GE LC)
2. mgmt0 interface (along with management traffic)
3. As last resort, can be routed over L3 infrastructure

NEXUS 5000/5500 / Nexus 6000:
1. mgmt0 interface (along with management traffic)
2. Dedicated link(s) (1/10GE front panel ports)
3. As last resort, can be routed over L3 infrastructure

Building a vPC Domain
vPC Peer-Keepalive link – Dual Supervisors on Nexus 7000

Do NOT use back-to-back mgmt0 connections on Nexus 7000 with Dual Supervisors.

[Figure: vPC PKL from each Nexus 7000 to a Management Switch / Management Network; Active and Standby Management Interfaces; vPC PL, vPC1, vPC2]

vPC Failure Scenario
vPC Peer-Keepalive Link up & vPC Peer-Link down
- Suspend secondary vPC Member Ports

[Figure: P = Primary vPC Switch, S = Secondary vPC Switch; vPC Peer-keepalive with Keepalive Heartbeat, vPC Peer Link, vPC1 to SW3, vPC2 to SW4]

vPC Failure Scenario
vPC Peer-Keepalive Link up & vPC Peer-Link down
- Traffic Loss / Uncertain Traffic Behaviour

[Figure: P = Primary vPC Switch, S = Secondary vPC Switch; vPC Peer-keepalive, vPC Peer Link, vPC1 to SW3, vPC2 to SW4]

vPC Configuration Consistency
vPC Control Plane - Consistency Check
- Both switches in the vPC Domain maintain distinct control planes
- CFS provides for protocol state sync between both peers (MAC Address table, IGMP state, ...)
- System configuration must also be kept in sync
- Two types of interface consistency checks:
  - Type 1 – Will put interfaces into suspend state to prevent incorrect forwarding of packets. With Graceful Consistency check (5.2 & later), we only suspend on secondary peer
  - Type 2 – Error messages to indicate potential for undesired forwarding behaviour

[Figure: vPC Domain 10 and vPC Domain 20]

vPC Configuration Consistency
vPC Control Plane – Type 1 Consistency Check

Type 1 Consistency Checks are intended to prevent network failures:
- Incorrect forwarding of traffic
- Physical network incompatibilities

    dc11-5020-1# sh run int po 201
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-105
      vpc 201
      spanning-tree port type network

    dc11-5020-2# sh run int po 201
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-105
      vpc 201
      spanning-tree port type network
      spanning-tree guard root

    dc11-5020-2# show vpc brief
    Legend:
        (*) - local vPC is down, forwarding via vPC peer-link
    <snip>
    id  Port  Status  Consistency  Reason  Active vlans

The Reason column reports: type-1 configuration incompatible - STP interface port guard - Root or loop guard inconsistent.

"vPC will be suspended"

vPC Configuration Consistency
vPC Control Plane – Type 2 Consistency Check
- Type 2 Consistency Checks are intended to prevent undesired forwarding
- vPC will be modified in certain cases (e.g. VLAN mismatch)

    dc11-5020-1# sh run int po 201
    version 4.1(3)N1(1)
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-105
      vpc 201
      spanning-tree port type network

    dc11-5020-2# sh run int po 201
    version 4.1(3)N1(1)
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-104
      vpc 201
      spanning-tree port type network

"Inconsistent config will be disabled"

    dc11-5020-1# show vpc brief vpc 201
    id   Port   Status  Consistency  Reason   Active vlans
    ---  -----  ------  -----------  -------  ------------
    201  Po201  up      success      success  100-104

    2009 May 17 21:56:28 dc11-5020-1 %ETHPORT-5-IF_ERROR_VLANS_SUSPENDED: VLANs 105 on Interface port-channel201 are being suspended. (Reason: Vlan is not configured on remote vPC interface)
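The Type 1 and Type 2 checks above, as an added example (not code from the presentation or from Cisco): a Python comparison of the two peers' `sh run int po 201` stanzas from the slides that labels each mismatch with the consequence the slides give. Only the parameters the slides name are classified (STP port guard, MTU and speed as Type 1; allowed VLANs as Type 2); every other setting is reported as unclassified, and all function names are this example's own.

```python
"""Classify vPC member-port mismatches the way the Type 1 / Type 2 slides do."""

# From the slides: STP port guard, MTU and speed mismatches are Type 1;
# an allowed-VLAN mismatch is Type 2. Other settings are left unclassified.
TYPE1_KEYS = {"spanning-tree guard", "mtu", "speed"}
TYPE2_KEYS = {"switchport trunk allowed vlan"}
EFFECT = {
    1: "vPC suspended (secondary peer only with graceful consistency-check)",
    2: "mismatched VLANs suspended, vPC stays up",
    None: "not classified on the slides",
}

# Interface stanza as shown on the slides for dc11-5020-1 / dc11-5020-2.
BASE = """interface port-channel201
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100-105
vpc 201
spanning-tree port type network
"""
PEER_WITH_ROOT_GUARD = BASE + "spanning-tree guard root\n"
PEER_WITH_FEWER_VLANS = BASE.replace("100-105", "100-104")


def expand_vlans(spec):
    """Expand a VLAN list such as '100-103,200' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interface(config_text):
    """Return {setting: value} for one interface stanza of 'sh run int' output."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("interface ", "version ", "!")):
            continue
        # Known settings first (longest key wins), else split at the last space.
        for key in sorted(TYPE1_KEYS | TYPE2_KEYS, key=len, reverse=True):
            if line.startswith(key + " "):
                settings[key] = line[len(key):].strip()
                break
        else:
            key, _, value = line.rpartition(" ")
            settings[key or value] = value if key else ""
    return settings


def compare_peers(local_cfg, peer_cfg):
    """List every setting that differs between the two vPC peers."""
    local, peer = parse_interface(local_cfg), parse_interface(peer_cfg)
    findings = []
    for key in sorted(set(local) | set(peer)):
        lv, pv = local.get(key), peer.get(key)
        if key in TYPE2_KEYS:
            ls, ps = expand_vlans(lv or ""), expand_vlans(pv or "")
            if ls != ps:
                findings.append({"setting": key, "type": 2, "effect": EFFECT[2],
                                 "suspended_vlans": sorted(ls ^ ps),
                                 "active_vlans": sorted(ls & ps)})
        elif lv != pv:
            kind = 1 if key in TYPE1_KEYS else None
            findings.append({"setting": key, "type": kind, "effect": EFFECT[kind],
                             "local": lv, "peer": pv})
    return findings


if __name__ == "__main__":
    for label, peer_cfg in (("root guard on one peer", PEER_WITH_ROOT_GUARD),
                            ("VLAN 105 missing on one peer", PEER_WITH_FEWER_VLANS)):
        print(label)
        for finding in compare_peers(BASE, peer_cfg):
            print("  ", finding)
```
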

Virtual Port Channel (vPC)
vPC Member Port

Definition:
- Port-channel member of a vPC

Requirements:
- Configuration needs to match other vPC peer member
- In case of inconsistency a VLAN or the entire port-channel may be suspended (e.g. MTU mismatch)
- Up to 16 active ports between both vPC peers with M series LC
- Up to 32 active ports between both vPC peers with F series LC

    NX7K-1:
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-105
      vpc 201

    NX7K-2:
    interface port-channel201
      switchport mode trunk
      switchport trunk native vlan 100
      switchport trunk allowed vlan 100-105
      vpc 201

[Figure: NX7K-1 and NX7K-2 with vPC 201 and its vPC member ports]

Virtual Port Channel (vPC)
VDC Interaction
[Figure: Core1 and Core2 above the vPC pair; labels: L3, L3 Channel, L3 link, L2 Channel, active, standby]

Mixed Chassis Mode
Rule of Thumb!

Always use identical line cards on either sides of the peer link and VPC legs!

[Figure: Examples of vPC Primary / vPC Secondary pairs S1 and S2 joined by a vPC Peer-link; labels: N7000, N7700, F2E, F3, M1, M2]

F2/F2E VDC – NX-OS 6.2(2) and Onwards

Always use identical VDC type on both vPC peer devices.

[Figure: vPC Primary / vPC Secondary pairs S1 and S2 joined by a vPC Peer-link, with F2 and F2e line cards and VDC types F2, F2E and F2 F2E]

Attaching to a vPC Domain
The Most Important Rule

Always Dual Attach Devices to a vPC Domain!!!

Attaching to a vPC Domain
Dual Homed vs. Single Attached

1. Dual Attached
2. Attached via VDC/Secondary Switch
3. Secondary inter switch Port-Channel (non-vPC VLAN)
4. Single Attached to vPC Device

Orphan Ports:
- Orphan device connected to standby N7K is isolated, as SVIs for vPC VLANs on the standby 7K are down although the uplink is up
- Orphan device connected to primary N7K will have full connectivity

[Figure legend: P = Primary vPC, S = Secondary vPC]

Layer 3 and vPC Interactions
Router Interconnection: Forwarding Sequence

1) Packet arrives at R with a destination address of S
2) R does lookup in routing table and sees 2 equal paths going north (to 7k1 & 7k2)
3) Assume it chooses 7k1 (ECMP decision)
4) R now has rewrite information to which router it needs to go (router MAC 7k1 or 7k2)
5) L2 lookup happens and outgoing interface is port-channel 1
6) Hashing determines which port-channel member is chosen (say to 7k2)
7) Packet is sent to 7k2
8) 7k2 sees that it needs to send it over the peer-link to 7k1 based on MAC address

[Figure: router R attached through Po1 to 7k1 and 7k2; S attached through Po2]

Layer 3 and vPC Interactions
Router Interconnection: Forwarding Sequence (continued)

9) 7k1 performs lookup and sees that it needs to send to S
10) 7k1 performs check if the frame came over peer link & is going out on a vPC

Frame will ONLY be forwarded if:
- Outgoing interface is NOT a vPC, or
- Outgoing vPC doesn't have active interface on other vPC peer (in our example 7k2)

[Figure: router R attached through Po1 to 7k1 and 7k2; S attached through Po2]
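Steps 7 to 10 of the forwarding sequence, as an added example (not part of the original presentation): a small Python model of the two peers that applies the step-10 check and returns the path a routed frame takes. The `Peer` class, the function names, the MAC addresses and the `Eth1/10` port are assumptions made for the example; only the Po1/Po2, 7k1/7k2 naming and the forwarding rule come from the slides.

```python
from dataclasses import dataclass, field

# Constructed sample addresses; the slides give none.
MAC_7K1, MAC_7K2, MAC_S = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:aa"


@dataclass
class Peer:
    """One vPC peer switch (hypothetical model for this example)."""
    name: str
    router_mac: str
    # vPC port-channel name -> is the local member port up?
    vpc_member_up: dict = field(default_factory=dict)
    # destination MAC -> local egress interface (a vPC name or a non-vPC port)
    mac_table: dict = field(default_factory=dict)


def egress_check(egress_peer, other_peer, out_if, came_over_peer_link):
    """Step 10: may a frame leave egress_peer on out_if?"""
    if not came_over_peer_link:
        return True                    # rule only applies to peer-link traffic
    if out_if not in egress_peer.vpc_member_up:
        return True                    # outgoing interface is NOT a vPC
    # Outgoing vPC: allowed only if the other peer has no active member in it.
    return not other_peer.vpc_member_up.get(out_if, False)


def route_via_vpc(ingress, other, next_hop_mac, dst_host_mac):
    """Steps 7-10: a frame addressed to next_hop_mac lands on 'ingress'."""
    path = [ingress.name]
    if next_hop_mac == ingress.router_mac:
        egress, via_peer_link = ingress, False      # routed locally
    else:
        egress, via_peer_link = other, True         # step 8: bridged to the peer
        path += ["peer-link", other.name]
    out_if = egress.mac_table[dst_host_mac]         # step 9: lookup towards S
    peer_of_egress = other if egress is ingress else ingress
    allowed = egress_check(egress, peer_of_egress, out_if, via_peer_link)
    path.append(out_if if allowed else "DROP")
    return path


def build_pair(po2_up_on_7k2=True, s_port_on_7k1="Po2"):
    """7k1/7k2 with router R on vPC Po1 and S reachable as described."""
    k1 = Peer("7k1", MAC_7K1, {"Po1": True, "Po2": True}, {MAC_S: s_port_on_7k1})
    k2 = Peer("7k2", MAC_7K2, {"Po1": True, "Po2": po2_up_on_7k2}, {MAC_S: "Po2"})
    return k1, k2


if __name__ == "__main__":
    k1, k2 = build_pair()
    print("hash picks 7k2:", route_via_vpc(k2, k1, MAC_7K1, MAC_S))
    print("hash picks 7k1:", route_via_vpc(k1, k2, MAC_7K1, MAC_S))
    k1, k2 = build_pair(po2_up_on_7k2=False)
    print("Po2 leg down on 7k2:", route_via_vpc(k2, k1, MAC_7K1, MAC_S))
    k1, k2 = build_pair(s_port_on_7k1="Eth1/10")
    print("S on a non-vPC port:", route_via_vpc(k2, k1, MAC_7K1, MAC_S))
```
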

N7K Layer 3 and vPC Designs
Layer 3 and vPC Design Recommendation
- Use L3 links to hook up routers and peer with a vPC domain
- Don't use L2 port channel to attach routers to a vPC domain unless you statically route to HSRP address
- If both routed and bridged traffic is required, use individual L3 links for routed traffic and L2 port-channel for bridged traffic

[Figure legend: P = Routing Protocol Peer, Dynamic Peering Relationship, Layer 3 Link, Router]

Spanning Tree with vPC
vPC and STP BPDUs
- STP for vPCs is controlled by the vPC operationally primary switch, and only that device sends out BPDUs on STP designated ports
- This happens irrespective of where the designated STP Root is located
- The vPC operationally secondary device proxies STP BPDU messages from access switches toward the primary vPC switch

[Figure: Primary vPC and Secondary vPC with BPDUs]

STP Recommendations (For Your Reference)
Port Configuration Overview

Legend:
- N: Network port
- E: Edge or portfast port type
- -: Normal port type
- B: BPDUguard
- R: Rootguard

Notes on the diagram:
- UDLD (recommendation: NORMAL mode)
- BA (Bridge Assurance) not recommended with vPC (except for VPC peer-link)
- Layer 2 (STP Rootguard)
- Layer 2 (STP BPDUguard)

[Figure: Data Centre core, aggregation and access layers with Layer 3 above Layer 2; Primary Root and Secondary Root (HSRP STANDBY); per-port markings from the legend]

Data Centre Interconnect
Multi-layer vPC for Aggregation and DCI

Legend:
- N: Network port
- E: Edge or portfast
- -: Normal port type
- B: BPDUguard
- F: BPDUfilter
- R: Rootguard

Best Practice Checklist:
- vPC Domain id for facing vPC layers should be different
- BPDU Filter on the edge devices to avoid BPDU propagation
- STP Edge Mode to provide fast failover times
- No loop must exist outside the vPC domain
- No L3 peering between Nexus 7000 devices (i.e. pure layer 2)

[Figure: DC 1 (vPC domain 11 facing the DCI, vPC domain 10 at aggregation) and DC 2 (vPC domain 21 facing the DCI, vPC domain 20 at aggregation), CORE in each site, Long Distance Dark Fibre between them, 802.1AE (Optional), server clusters]

FHRP with vPC
HSRP / VRRP / GLBP Active/Active
- Support for all FHRP protocols in Active/Active mode with vPC
- No additional configuration required
- Standby device communicates with vPC manager to determine if vPC peer is "Active" FHRP peer
- When running active/active, aggressive timers can be relaxed (i.e. 2-router vPC case)
- 'peer-gateway' command allows a vPC peer to respond to both the FHRP virtual and the real MAC address of both itself and its peer
- Recommendation is to use default FHRP timers as both switches are active

[Figure: FHRP "Active": Active for shared L3 MAC; FHRP "Standby": Active for shared L3 MAC; L3/L2 boundary]

FHRP with vPC
Backup Routing Path

Use one transit VLAN to establish an L3 routing backup path over the vPC peer-link in case the L3 uplinks were to fail; all other SVIs can use passive-interfaces.

- Point-to-point dynamic routing protocol adjacency between the vPC peers to establish a L3 backup path to the core through PL in case of uplinks failure
- Define SVIs associated with FHRP as routing passive-interfaces in order to avoid routing adjacencies over vPC peer-link
- A single point-to-point VLAN/SVI (aka transit vlan) will suffice to establish a L3 neighbour
- Alternatively, use an L3 point-to-point link between the vPC peers to establish a L3 backup path

[Figure: Primary vPC and Secondary vPC with OSPF/EIGRP over VLAN 99; P = Routing Protocol Peer; L3/L2 boundary]

Proxy Routing Design Considerations
Dual Proxy Line Card for Redundancy

When M1/M2 LC fails down on one of the N7Ks:
1. Inter-VLAN traffic (vPC - FHRP - vPC): traffic gets dropped because of vPC loop avoidance rule
2. Upstream traffic (vPC - FHRP - L3): traffic gets bridged on vPC peer-link to other NEXUS 7000 FHRP vMAC and then routed to L3 point

Recommendation is to use at least 2 M1/M2 LC in mixed mode chassis (M/F) in order to provide redundancy for Proxy L3 Routing.

[Figure: OK / NOT OK cases; Chassis with M-Series LC only, Chassis with F-Series LC only, Mixed Chassis Mode (M/F); L3/L2 boundary]

vPC Supported Topologies (For Your Reference)
Nexus 7000 and 5000/5500
[Figure: supported topologies numbered 1 to 8; labels: server: active/standby NIC teaming; server: active/active no NIC teaming; server: NIC teaming (active-active); Port-Channel on HIF (Host Interfaces supported); Local FEX port Channel; vPC to Host supported]

vPC Supported Topologies (For Your Reference)
Nexus 5000 / 5500 / 6000
[Figure: supported topologies; labels: …med FEX w/ A-S …, …nhanced vPC (N5500 / 6000 only), Dual-homed FEX w/ Single NIC Server]

vPC Unsupported … (For Your Reference)
[Figure: VPC Across two VDCs on one Nexus 7000]

Agenda
- Feature Overview
- vPC Design Guidance and Best Practices
- vPC Enhancements
- Convergence

vPC Enhancements

Redundancy with Enhanced vPC
Suited for all types of servers

Data, Control and Management Plane Redundancy

New vPC Option: Port-channel connectivity to dual-homed FEXs
- From the server perspective a single access switch with port-channel support, each line card supported by redundant supervisors
- Full redundancy for supervisor, linecard, fabric via vPC and cable or NIC failure via Port-channeling
- Logically a similar HA model to that currently provided by dual supervisor based modular switch

[Figure: dual supervisor modular chassis, compared with clustered Fabric Extender dual homed to redundant Nexus 5000]

vPC Graceful Type-1 Check
NX-OS: N7K - 5.2, N5K - 5.0(3)N1(1)

- vPC member ports on S1 and S2 should have identical parameters (MTU, speed, ...)
- Any inconsistency in such parameters is Type 1: all VLANs on both vPC legs are brought down in such an inconsistency
- With graceful type-1 check, only Secondary vPC members are brought down
- vPC member ports on primary peer device remain up

    S1(config-vpc-domain)# graceful consistency-check
    S2(config-vpc-domain)# graceful consistency-check

Graceful Type-1 check enabled by default.

[Figure: S1 (Primary) and S2 (Secondary) joined by vPC peer-link and Keepalive; Type-1 Inconsistency on vPC 1 (po1) towards CE-1]

Orphan-Port Suspend
vPC Active / Standby NIC Teaming Support
NX-OS: N7K - 5.2, N5K - 5.0(3)N2

- A vPC orphan port is a non-vPC interface on a switch where other ports in the same VLAN are configured as vPC interfaces
- vPC orphan ports have historically been problematic for mixed server topologies
- Prior to release 5.0(3)N2 on Nexus 5000/5500 and 5.2 on Nexus 7000 an orphan port was 'not' shut down on loss of vPC peer-links
- With the supported release the orphan ports on the vPC secondary peer can (configurable) also be shut down, triggering NIC teaming recovery for all teaming configurations
- Configuration is applied to the physical port*

    N5K-2(config)# int eth 100/1/1
    N5K-2(config-if)# vpc orphan-port suspend

* Prior to 6.1.2 release, 'VPC orphan-port suspend' command may not work with FEX interface for a FEX connected to N7K due to CSCua35190
* Prior to 6.2 release, 'VPC orphan-port suspend' command may not be applied to port-channel interface due to CSCua37491

[Figure: Primary and Secondary peers, orphan port eth 100/1/1 on the Secondary; "vPC Supported: Server fails over correctly" and "Active/Standby Server does not fail over correctly since orphan port is still active"]

VPC / FP Config Simplification
VPC Config Macro
NX-OS: N7K - 6.2

- New knob to enable VPC / FP best practice features with a single CLI command
- Simplifies the configuration and improves user experience
- Automates the configuration tasks using a macro
- Applies only to enabled features; commands for disabled features are ignored (i.e. if only vPC is enabled on the switch, FP and IPv6 commands are ignored)
- Single command enables / disables the best practices features
- 'mode auto' command does not show up in the configuration (just a macro!)

    Switch(config-vpc-domain)# mode auto
    The following commands are executed:
      peer-gateway;
      auto-recovery;
      fabricpath multicast load-balance;
      ip arp synchronize;
      ipv6 nd synchronize;

Convergence

Agenda
- Feature Overview
- vPC Design Guidance and Best Practices
- vPC Enhancements
- Convergence

vPC Convergence (For Your Reference)
vPC Convergence Results
NX-OS: N7K - 5.2, 6.0 & 6.1

- Measured Unicast vPC failover and recovery time
- Converge time is measured in the following scenarios*

    Scenario                                Convergence
    vPC link member failure                 Sub-second
    vPC port-channel failover               Sub-second
    vPC Peer-link Failure                   Sub-second
    vPC peer-keep-alive Failure             Hitless
    vPC primary/secondary device failure    Sub-second
    vPC Supervisor Failover/Switchover      Hitless
    vPC ISSU device Upgrade/Downgrade       Hitless

*NOTE: Convergence numbers may vary depending on the specific configuration (i.e. scaled number of VLANs/SVIs or HSRP groups) and traffic patterns (i.e. L2 vs. L3 flows).

Key Takeaways
NX-OS vPC Key Takeaways
- vPC is a very popular feature which makes it possible to use all available bandwidth while providing redundancy in L2 environments.
- Leverage vPC technology to get the benefits of high availability and avoid convergence in Layer 2 Networks.
- Follow the design guidelines and best practices to successfully deploy your vPC architecture.
- Use recent vPC enhancements to optimise the vPC behaviour.
- Use recommended NX-OS release to leverage convergence, scalability & stability optimizations.
- Cisco N7K NX-OS recommended release page: …er/sw/nxos/recommended releases/recommended nx-os releases.html

Q&A

Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations:
- Directly from your mobile device on the Cisco Live Mobile App
- By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
- Visit any Cisco Live Internet Station located throughout the venue

Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

Appendix
M1/M2 - F1/F2/F2e LC Design Considerations

M/F2E – NX-OS 6.2(2) and Onwards

Always use identical line cards on either sides of the vPC Peer Link and vPC legs!

[Figure: vPC Primary / vPC Secondary pairs S1 and S2 joined by a vPC Peer-link, with M and F2e line cards on the peer-link and vPC legs]

M1/M2 - F1/F2/F2e LC Design Consider
