Cisco Tech-Know Day Frankfurt 2009

Nexus Family Virtual Port Channel

Dieter Hadwiger

Systems Engineer Team Finance Germany

© 2009 Cisco Systems, Inc. All rights reserved.

Cisco Confidential


Agenda

Nexus 7000 vPC Feature Overview & Terminology
Nexus 7000 vPC Design Guidance & Best Practices
  Building a vPC domain
  Layer 3 and vPC
  Attaching to a vPC domain
  Spanning Tree Recommendations
  HSRP with vPC
  Data Center Interconnect (& Encryption)
  vPC and Services
  ISSU
  vPC latest enhancements
Nexus 7000 vPC Convergence and Scalability
Nexus 7000 vPC Roadmap and Reference Material
Nexus 5000 / 2000 vPC design considerations

vPC Feature Overview & Terminology


Feature Overview & Terminology
vPC Definition
• Allow a single device to use a port channel across two upstream switches
• Eliminate STP blocked ports
• Uses all available uplink bandwidth
• Dual-homed servers operate in active-active mode
• Provide fast convergence upon link/device failure
• Reduce CAPEX and OPEX
• Available on current and future hardware for M1 and D1 generation cards.
[Figures: Logical Topology without vPC; Logical Topology with vPC]

Feature Overview & Terminology
vPC Terminology
vPC peer – a vPC switch, one of a pair
vPC member port – one of a set of ports (port channels) that form a vPC
vPC – the combined port channel between the vPC peers and the downstream device
vPC peer-link – link used to synchronize state between vPC peer devices, must be 10GbE
vPC peer-keepalive link – the keepalive link between vPC peer devices, i.e., backup to the vPC peer-link
vPC VLAN – one of the VLANs carried over the peer-link and used to communicate via vPC with a peer device
non-vPC VLAN – one of the STP VLANs not carried over the peer-link
CFS – Cisco Fabric Services protocol, used for state synchronization and configuration validation between vPC peer devices
[Figure labels: vPC peer-keepalive link, vPC peer-link, CFS protocol, vPC peer, vPC member port, vPC, non-vPC device]

vPC Design Guidance & Best Practices


Building a vPC Domain
Configuration Steps
The following steps are needed to build a vPC (order does matter!):
1. Configure a vPC domain globally on both vPC devices
2. Configure a peer-keepalive link on both vPC peer switches (make sure it is operational)
   NOTE: When a vPC domain is configured the keepalive must be operational to allow a vPC domain to successfully form.
3. Configure (or reuse) an interconnecting port-channel between the vPC peer switches
4. Configure the inter-switch channel as peer-link on both vPC devices (make sure it is operational)
5. Configure (or reuse) port-channels to dual-attached devices
6. Configure a unique logical vPC and join port-channels across different vPC peers
[Figure labels: vPC peer-keepalive link, vPC peer-link, vPC peer, standalone port-channel, vPC, vPC member port]

vPC Configuration Commands
Configure vPC, and start the peer-keepalive link on both peers:
(config)# feature vpc
(config)# vpc domain 1
(config-vpc-domain)# peer-keepalive destination x.x.x.x source y.y.y.y vrf management
(config)# int port-channel 10
(config-int)# vpc peer-link

Move any port-channels into appropriate vPC groups:
(config)# int port-channel 20
(config-int)# vpc 20

Building a vPC Domain
Peer Link
Definition:
• Standard 802.1Q trunk
• Can carry vPC and non-vPC VLANs*
• Carries Cisco Fabric Services messages (tagged as CoS=4 for reliable communication)
• Carries flooded traffic from a vPC peer
• Carries STP BPDUs, HSRP Hellos, IGMP updates, etc.
Requirements:
• Member ports must be 10GE interfaces on one of the N7K-M132XP-12 modules
Recommendations (strong ones!):
• Peer-links are point-to-point. No other device should be inserted between the vPC peers.
• Minimum 2x 10GbE ports on separate cards for best resiliency.
• Dedicated 10GbE ports (not shared mode ports)
• Use UDLD on vPC peer-links
* It is best practice to split vPC and non-vPC VLANs on different inter-switch port-channels.

Building a vPC Domain
Peer Link with Single 10G Module
• Common Nexus 7000 configuration: 1x 10G, 7x 1G cards
• vPC recommendation is 2 10G cards
• Potential problem occurs if Nexus 7000 is L3 boundary with single 10G card
• Use Object Tracking feature available in 4.2
More information on CCO:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nxos/interfaces/configuration/guide/if_vPC.html#wp1529488

Building a vPC Domain
Peer Link with Single 10G Module – Object Tracking
Scenario:
• vPC deployments with a single N7K-M132XP-12 card, where core and peer-link interfaces are localized on the same card.
• This scenario is vulnerable to access-layer isolation if the 10GE card fails on the primary vPC.
vPC Object Tracking Solution:
• Leverages object tracking capability in vPC (new CLI commands are added).
• Peer-link and core interfaces are tracked as a list of boolean objects.
• vPC object tracking suspends vPCs on the impaired device, so traffic can get diverted over the remaining vPC peer.
rhs-7k-1(config-vpc-domain)# track <object>
[Figure: vPC primary and vPC secondary with L3 uplinks and vPC peer-link (PL) on interfaces e1/…, vPC peer-keepalive link (PKL) on e2/…]

Building a vPC Domain
Cisco Fabric Services (CFS)
Definition/Uses:
• Configuration validation/comparison
• MAC member port synchronization
• vPC member port status
• STP management
• HSRP and IGMP snooping synchronization
• vPC status
Characteristics:
• CFS messages encapsulated in standard Ethernet frames delivered between peers exclusively on the peer-link
• Cisco Fabric Services messages are tagged as CoS=4 for reliable communication.
• Based on CFS from MDS product development
• Many years in service, robust protocol
• Transparently enabled with vPC features
[Figure label: CFS Messaging]

Building a vPC Domain
Peer-Keepalive (1 of 2)
Definition:
• Heartbeat between vPC peers
• Active/Active (no peer-link) detection
• Messages sent on 2 second interval
• 3 second hold timeout on peer-link loss
• Fault Tolerant terminology is specific to VSS and deprecated in vPC.
Packet Structure:
• UDP message on port 3200, 96 bytes long (32 byte payload), includes version, time stamp, local and remote IPs, and domain ID.
• Keepalive messages can be captured and displayed using the onboard Wireshark Toolkit.
Recommendations:
• Should be a dedicated VRF and link (1Gb is adequate)
• Should NOT be routed over the peer-link
• Can optionally use the mgmt0 interface (along with management traffic)
• As last resort, can be routed over L3 infrastructure
[Figure label: vPC peer-keepalive link]

Building a vPC Domain
Peer-Keepalive (2 of 2)
Cautions/Additional Recommendations:
• When using supervisor management interfaces to carry the vPC peer-keepalive, do not connect them back to back between the two switches.
• Only one management port will be active at a given point in time, and a supervisor switchover may break keepalive connectivity.
• Use the management interface only if you have an out-of-band management network (management switch in between).
[Figure: management switch / management network carrying vPC_PK between the active and standby management interfaces of both peers; vPC_PL between the peers; vPC1 and vPC2 below]

Building a vPC Domain
vPC Member Port
Definition:
• Port-channel member of a vPC peer.
Requirements:
• Configuration needs to match other vPC peer’s member port config.
• In case of inconsistency a VLAN or the entire port-channel may suspend (e.g. MTU mismatch, inconsistent set of VLANs, values and config).
• Number of member ports on both vPC peers is not required to match.
• Up to 8 active ports between both vPC peers (16-way port-channel can be built with multi-layer vPC)
[Figure label: vPC member port]

Building a vPC Domain
VDC Interaction
• vPC works seamlessly in any VDC based environment.
• One vPC domain per VDC is supported, up to the maximum number of VDCs supported in the system.
• It is still necessary to have a separate vPC peer-link and vPC peer-keepalive link infrastructure for each VDC deployed.
Can vPC run between VDCs on the same switch?
• This scenario should technically work, but it is NOT officially supported and has not been extensively tested by our QA team.
• Could be useful for demo or hands-on, but it is NOT recommended for production environments.
• Will consolidate redundant points on the same box with VDCs (e.g. whole aggregation layer on a box) and introduce a single point of failure.
• ISSU will NOT work in this configuration, because the vPC devices can NOT be independently upgraded.


Attaching to a vPC domain
The One and Only Rule…

ALWAYS dual attach devices to a vPC Domain!!!

Attaching to a vPC Domain
IEEE 802.3ad and LACP
Definition:
• Port-channel for devices dual-attached to the vPC pair.
• Provides local load balancing for port-channel members
• STANDARD 802.3ad port channel
Access Device Requirements:
• STANDARD 802.3ad capability
• LACP optional
Recommendations:
• Use LACP when available for better failover and misconfiguration protection (config consistency check)
[Figure labels: vPC, vPC member port, regular port-channel port]

Attaching to a vPC Domain
“My device can’t be dual attached!”
Recommendations (in order of preference):
1. ALWAYS try to dual attach devices using vPC (not applicable for routed links).
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths through vPC.
   CONS: None
2. If (1) is not an option – connect the device via a vPC attached access switch (could use VDC to create a “virtual access switch”).
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Availability limited by the access switch failure.
   CONS: Need for an additional access switch or need to use one of the available VDCs. Additional administrative burden to configure/manage the physical/virtual device.
3. If (2) is not an option – connect device directly to (primary) vPC peer in a non-vPC VLAN* and provide for a separate interconnecting port-channel between the two vPC peers.
   PROS: Traffic diverted on a secondary path in case of peer-link failover.
   CONS: Need to configure and manage additional ports (i.e. port-channel) between the Nexus 7000 devices.
4. If (3) is not an option – connect device directly to (primary) vPC peer in a vPC VLAN.
   PROS: Easy deployment.
   CONS: VERY BAD. Bound to vPC roles (no role preemption in vPC). Full isolation on peer-link failure when attached vPC toggles to a secondary vPC role.
* VLAN that is NOT part of any vPC and not present on vPC peer-link

Attaching to a vPC Domain
vPC and non-vPC VLANs (i.e. single attached .. )
[Figure: four attachment options shown on a primary (P) / secondary (S) vPC pair: 1. Dual Attached; 2. Attached via VDC/Secondary Switch; 3. Secondary ISL Port-Channel; 4. Single Attached to vPC Device. Additional label: Orphan Ports]

Attaching to a vPC Domain
“My device only does STP!”
Recommendations (in order of preference):
1. ALWAYS try to dual attach devices using vPC.
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant active/active paths through vPC.
   CONS: None
2. If (1) is not an option – connect the device via two independent links using STP. Use non-vPC VLANs ONLY on the STP switch.*
   PROS: Ensures minimal disruption in case of peer-link failover and consistent behavior with vPC dual-active scenarios. Ensures full redundant Active/Active paths on vPC VLANs.
   CONS: Requires an additional STP port-channel between the vPC devices. Operational burden in provisioning and configuring separate STP and vPC VLAN domains. Only Active/Standby paths on STP VLANs.
3. If (2) is not an option – connect the device via two independent links using STP. (Use vPC VLANs on this switch)
   PROS: Simplifies VLAN provisioning and does not require allocation of an additional 10GE port-channel.
   CONS: STP and vPC devices may not be able to communicate with each other in certain failure scenarios (i.e. when STP Root and vPC primary device do not overlap). All VLANs carried over the peer-link may suspend until the two adjacencies form and vPC is fully synchronized.
* Run the same STP mode as the vPC domain. Enable portfast/port type edge on host facing ports

Attaching to a vPC Domain
vPC and non-vPC VLANs (STP/vPC Hybrid)
[Figure: three options: 1. All devices Dual Attached via vPC; 2. Separate vPC and STP VLANs (with a non-vPC port-channel between the peers); 3. Overlapping vPC and STP VLANs. Legend: P = Primary vPC, S = Secondary vPC, PR = Primary STP Root, SR = Secondary STP Root]

Attaching to a vPC Domain
16-way Port-Channel (1 of 2)
• Multi-layer vPC can join 8 active ports port-channels in a unique 16-way port-channel*
• vPC peer side load-balancing is LOCAL to the peer
• Each vPC peer has only 8 active links, but the pair has 16 active load balanced links
* Possible with any device supporting vPC/MCEC and 8-way active port-channels
[Figure: 16-way port channel between Nexus 7000 and Nexus 5000]

Attaching to a vPC Domain
16-way Port-Channel (2 of 2)
• 16 active ports between 8 active port-channel devices and 16 active port-channel devices?
• vPC peer side load-balancing is LOCAL to the peer
• Each vPC peer has only 8 active links, but the pair has 16 active load balanced links to the downstream device supporting 16 active ports
• D-series N7000 line cards will also support 16 way active port-channel load balancing, providing for a potential 32 way vPC port channel!
• Nexus 5000 16-port port-channel support introduced in 4.1(3)N1(1a) release
[Figure: 16-port port-channel between Nexus 7000 and Nexus 5000]


Layer 3 and vPC
Recommendations
• The recommendation to use separate L3 links to hook up routers to a vPC domain is still standing.
• Don’t use an L2 port channel to attach routers to a vPC domain unless you can statically route to the HSRP address
• If both routed and bridged traffic is required, use individual L3 links for routed traffic and an L2 port-channel for bridged traffic
[Figure labels: Switch, Po2, 7k1, 7k2, Po1, L3 ECMP, Router]

Layer 3 and vPC
What can happen… (1 of 3)
[Figure: vPC view, Layer 2 topology and Layer 3 topology of 7k1, 7k2 (7k vPC) and R]
• R could be any router, L3 switch or VSS building a port-channel
• Port-channel looks like a single L2 pipe. Hashing will decide which link to choose
• Layer 3 will use ECMP for northbound traffic

Layer 3 and vPC
What can happen… (2 of 3)
1) Packet arrives at R
2) R does lookup in routing table and sees 2 equal paths going north (to 7k1 & 7k2)
3) Assume it chooses 7k1 (ECMP decision)
4) R now has rewrite information to which router it needs to go (router MAC 7k1 or 7k2)
5) L2 lookup happens and outgoing interface is port-channel 1
6) Hashing determines which port-channel member is chosen (say to 7k2)
7) Packet is sent to 7k2
8) 7k2 sees that it needs to send it over the peer-link to 7k1 based on MAC address
[Figure labels: S, Po2, 7k1, 7k2, Po1, R]

Layer 3 and vPC
What can happen… (3 of 3)
9) 7k1 performs lookup and sees that it needs to send to S
10) 7k1 performs check if the frame came over peer link & is going out on a vPC.
11) Frame will only be forwarded if outgoing interface is NOT a vPC or if outgoing vPC doesn’t have active interface on other vPC peer (in our example 7k2)
[Figure labels: S, Po2, 7k1, 7k2, Po1, R]
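The walk-through in steps 1) to 11), as an added Python model that is not code from the deck or from NX-OS. The peer names 7k1/7k2 follow the slides; the class and function names, the member-port state table, and the use of vPC number 2 for the port-channel towards S are assumptions made for the illustration. It also covers the two exceptions named in step 11 (non-vPC egress, member port down on the other peer).

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class VpcPeer:
    name: str
    # vPC number -> True while this peer's local member port is up
    member_up: dict = field(default_factory=dict)


def forward(peers, ecmp_next_hop, hashed_to, egress_vpc):
    """Trace one routed packet from R towards S; return (delivered, hops).

    ecmp_next_hop: peer whose router MAC R wrote into the frame (steps 2-4)
    hashed_to:     peer the port-channel hash actually sent it to (steps 6-7)
    egress_vpc:    vPC number towards S, or None for a non-vPC egress port
    """
    hops = ["R", hashed_to]
    via_peer_link_from = None
    if hashed_to != ecmp_next_hop:
        # Step 8: the frame carries the other peer's router MAC, so the
        # receiving peer bridges it across the peer-link.
        hops += ["peer-link", ecmp_next_hop]
        via_peer_link_from = hashed_to
    router = ecmp_next_hop

    # Step 9: the peer that owns the router MAC routes the packet.
    if egress_vpc is None:
        return True, hops + ["S"]          # non-vPC egress is always allowed

    # Steps 10-11: a frame that crossed the peer-link may leave on a vPC
    # only if the peer it came from has no active member port in that vPC.
    if via_peer_link_from is not None:
        if peers[via_peer_link_from].member_up.get(egress_vpc, False):
            return False, hops + ["DROP"]

    if peers[router].member_up.get(egress_vpc, False):
        return True, hops + ["S"]

    # Local member port is down: hand the frame to the other peer, which
    # may forward it because the sender has no active member port.
    if via_peer_link_from is None:
        other = next(n for n in peers if n != router)
        if peers[other].member_up.get(egress_vpc, False):
            return True, hops + ["peer-link", other, "S"]
    return False, hops + ["DROP"]


def survey(peers, egress_vpc):
    """Outcome for every (ECMP choice, hash choice) combination."""
    return {(nh, link): forward(peers, nh, link, egress_vpc)[0]
            for nh, link in product(sorted(peers), repeat=2)}


if __name__ == "__main__":
    # Constructed state: both peers have an active member port in vPC 2.
    demo = {"7k1": VpcPeer("7k1", {2: True}), "7k2": VpcPeer("7k2", {2: True})}
    for (nh, link), ok in survey(demo, 2).items():
        print(f"ECMP={nh} hash={link}: {'delivered' if ok else 'dropped'}")
```

With separate L3 links the hash choice always equals the ECMP choice, so only the two delivered combinations can occur.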


Spanning Tree Recommendations
Overview – STP Interoperability
STP Uses:
• Loop detection (failsafe to vPC)
• Non-vPC attached device
Requirements:
• Loop management on vPC addition/removal
• Needs to remain enabled, but doesn’t dictate vPC member port state
• Logical ports still count, need to be aware of number of VLANs/port-channels deployed!
Best Practices:
• Not recommended to enable Bridge Assurance feature on vPC channels (i.e. no STP “network” port type)
• Make sure all switches in your layer 2 domain are running with Rapid-PVST or MST (IOS default is non-rapid PVST+), to avoid slow STP convergence (30+ secs)
• Remember to configure portfast (edge port-type) on host facing interfaces to avoid slow STP convergence (30+ secs)
[Figure caption: STP is running to manage loops outside of vPC’s direct domain, or before initial vPC configuration]

Spanning Tree Recommendations
Port Configuration Overview
[Figure: Data Center Core, Aggregation and Access layers with every port marked by its STP setting. Aggregation is the vPC domain (primary vPC, HSRP active, primary root; secondary vPC, HSRP standby, secondary root) with Layer 3 above and Layer 2 (STP + Rootguard) below; Access is Layer 2 (STP + BPDUguard). Legend: N = Network port, E = Edge or portfast port type, - = Normal port type, B = BPDUguard, R = Rootguard, L = Loopguard]

Spanning Tree Recommendations
STP interaction on double failure
• On a simultaneous peer-link and peer-keepalive failure, Active/Active mode may occur
• Both vPC peers forward BPDUs with the same bridge ID (NEW as of 4.2(x)); this resolves the need to disable the etherchannel guard feature on downstream devices
• Before 4.2(x), BPDUs are sent from both N7k with different bridge IDs because of the dual-active condition, which causes the legacy Ethernet Guard feature (enabled by default) to kick in and disable the port-channel, so you would need to disable the port-channel guard feature


Data Center Interconnect
Multi-layer vPC for Agg and DCI
Key Recommendations
• vPC Domain id for facing vPC layers should be different
• No Bridge Assurance on interconnecting vPCs
• BPDU Filter on the edge devices to avoid BPDU propagation
• No L3 peering between DCs (i.e. L3 over vPC)
[Figure: DC 1 and DC 2, each with CORE, AGGR and ACCESS layers and a server cluster, joined over a long-distance link; vPC domains 10, 11, 20 and 21; every port marked by its STP setting. Legend: N = Network port, E = Edge or portfast port type, - = Normal port type, B = BPDUguard, F = BPDUfilter, R = Rootguard]

Data Center Interconnect
Encrypted Interconnect
• CTS Manual Mode (802.1AE 10GE line-rate encryption)
• No ACS is required
[Figure: two Nexus 7010 in DC-1 and two Nexus 7010 in DC-2, each pair forming a vPC towards the other site]

Data Center Interconnect
References
• Validated TrustSec between Nexus 7000 connected back to back.
• Validated TrustSec across EoMPLS cloud with ASR 1000 routers and Catalyst 6500s terminating EoMPLS.
• DCI Dark Fiber


HSRP with vPC
FHRP Active/Active
• Support for all FHRP protocols in Active/Active mode with vPC
• No additional configuration required
• Standby device communicates with vPC manager to determine if vPC peer is “Active” HSRP/VRRP peer
• General HSRP best practices still apply.
• When running active/active, aggressive timers can be relaxed (i.e. 2-router vPC case)
[Figure: L3/L2 boundary with HSRP/VRRP “Active”: Active for shared L3 MAC; HSRP/VRRP “Standby”: Active for shared L3 MAC]

HSRP with vPC
Do NOT use Object Tracking
Cautions:
• Using HSRP link tracking in a vPC configuration is not recommended
• Reason: vPC will not forward a packet back on a vPC once it has crossed the peer-link, except in the case of a remote member port failure
[Figure: L3 core above an L2/L3 aggregation pair (active HSRP GW and standby HSRP GW for VLAN 100, 200) with access switches in VLAN 100 and VLAN 200]
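One way to check a saved configuration against four recommendations made on these slides (peer-link members on separate cards, no Bridge Assurance on vPC port-channels, LACP on vPC member ports, no HSRP tracking), as an added Python example that is not part of the original deck and not a Cisco tool. The configuration text is constructed for the example, and the rule names are assumptions.

```python
import re
from collections import defaultdict

# Constructed configuration fragment (not from the deck): interface numbers,
# addresses, VLAN and HSRP group are made up for the example.
SAMPLE_CONFIG = """\
vpc domain 1
  peer-keepalive destination 10.0.0.2 source 10.0.0.1 vrf management
interface port-channel10
  switchport mode trunk
  vpc peer-link
interface port-channel20
  switchport mode trunk
  spanning-tree port type network
  vpc 20
interface port-channel30
  switchport mode trunk
  vpc 30
interface Ethernet1/1
  channel-group 10 mode active
interface Ethernet1/2
  channel-group 10 mode active
interface Ethernet2/1
  channel-group 20 mode active
interface Ethernet2/2
  channel-group 30 mode on
interface Vlan100
  hsrp 1
    ip 192.0.2.1
    track 1 decrement 20
"""


def parse_sections(config):
    """Split an indented config into {top-level line: [stripped child lines]}."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def audit(config):
    """Return a sorted list of (rule, object) findings."""
    findings = []
    peer_link, vpc_channels = None, set()
    members = defaultdict(list)      # channel number -> [(module, ifname, mode)]

    for header, body in parse_sections(config).items():
        m = re.fullmatch(r"interface port-channel\s*(\d+)", header, re.I)
        if m:
            if "vpc peer-link" in body:
                peer_link = int(m.group(1))
            if any(re.fullmatch(r"vpc \d+", l) for l in body):
                vpc_channels.add(int(m.group(1)))
                # "network" port type enables Bridge Assurance on the channel
                if "spanning-tree port type network" in body:
                    findings.append(("bridge-assurance-on-vpc", header))
            continue
        m = re.fullmatch(r"interface Ethernet(\d+)/(\d+)", header, re.I)
        if m:
            for l in body:
                cg = re.fullmatch(r"channel-group (\d+)(?: mode (\S+))?", l)
                if cg:   # no mode keyword means static "on"
                    members[int(cg.group(1))].append(
                        (int(m.group(1)), header, cg.group(2) or "on"))
            continue
        if re.fullmatch(r"interface Vlan\d+", header, re.I):
            if any(l.startswith("hsrp ") for l in body) and \
               any(l.startswith("track ") for l in body):
                findings.append(("hsrp-tracking-with-vpc", header))

    if peer_link is not None:
        links = members[peer_link]
        # Recommendation: minimum 2 ports on separate cards
        if len(links) < 2 or len({mod for mod, _, _ in links}) < 2:
            findings.append(("peer-link-on-single-card",
                             f"interface port-channel{peer_link}"))
    for channel in sorted(vpc_channels):
        for _, ifname, mode in members[channel]:
            if mode == "on":         # static bundling, no LACP
                findings.append(("vpc-member-without-lacp", ifname))
    return sorted(findings)


if __name__ == "__main__":
    for rule, obj in audit(SAMPLE_CONFIG):
        print(f"{rule}: {obj}")
```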

HSRP with vPC
L3 Backup Routing
• Use an OSPF point-to-point adjacency (or equivalent L3 protocol) between the vPC peers to establish an L3 backup path to the core in case of uplink failure
• A single point-to-point VLAN/SVI will suffice to establish an L3 neighborship.
[Figure: primary and secondary vPC peers at the L3/L2 boundary, OSPF on the uplinks and OSPF between the peers over VLAN 99]

HSRP with vPC
Dual L2/L3 Pod Interconnect
Scenario:
• Provide L2/L3 interconnect between L2 Pods, or between L2 attached Datacenters (i.e. sharing the same HSRP group).
Multi-layer vPC with single HSRP:
• A vPC domain without an active HSRP instance in a group would not be able to forward traffic.
• Active L3 on the N7K supports Active/Active on one pair, and still allows normal HSRP behavior on other pair (even across different vPC domains we support all in one HSRP group)
• L3 traffic will run across Intra-pod link for non Active/Active L3 pair
[Figure labels: Standby, Listen, Listen]


vPC and Services
vPC Services Integration
• Services deployed as part of Catalyst 6500 Service chassis
• Investigation ongoing with standalone services (ASA, ACE)
• Appliance based services that do not support port-channel may require additional peer-link connections to deal with the additional traffic forced across the peer-link
• More information will be posted as soon as more scenarios are verified – keep in touch w/ your responsible Cisco SE

vPC and Services
Catalyst 6500 Services Chassis w. Services VDC Sandwich
Two Nexus 7000 Virtual Device Contexts used to “sandwich” services between virtual switching layers
• Layer-2 switching in Services Chassis with transparent services
• Services Chassis provides Etherchannel capabilities for interaction with vPC
• vPC running in both VDC pairs to provide Etherchannel for both inside and outside interfaces to Services Chassis
Design considerations:
• Access switches requiring services are connected to sub-aggregation VDC
• Access switches not requiring services may be connected to aggregation VDC
• May be extended to support multiple virtualized service contexts by using multiple VRF instances in the sub-aggregation VDC
Design Cautions:
• Be aware of the Layer 3 over vPC design caveat. If peering at Layer 3 is required across the two vPC layers an alternative solution should be explored (i.e. using STP rather than vPC to attach service chassis)


vPC Latest Enhancements
Summary
Several enhancements to vPC:
• vPC Object Tracking
• vPC Peer-Gateway
• vPC Delay Restore
• Multi-layer vPC with single HSRP group
• vPC unicast ARP handling
• vPC Exclude Interface-VLAN
• vPC single attached device Listing
• vPC Convergence and Scalability
For more details: 4.2 Release Notes
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/release/notes/42_nxos_release_note.html#wp218085

vPC Latest Enhancements
vPC Peer-Gateway for NAS interoperability
Scenario:
• Interoperability with non RFC compliant features of some NAS devices (i.e. NETAPP Fast-Path or EMC IPReflect)
• NAS device may reply to traffic using the MAC address of the sender device rather than the HSRP gateway.
• Packets reaching vPC for the non-local router MAC address are sent across the peer-link and can be dropped if the final destination is behind another vPC.
vPC Peer-Gateway Solution:
• Allows a vPC switch to act as the active gateway for packets addressed to the peer router MAC
• Non-disruptive CLI command added in the vPC global config
N7k(config-vpc-domain)# peer-gateway
[Figure: vPC pair at the L3/L2 boundary with vPC PL and vPC PKL; label: Local Routing for peer router-MAC traffic]

4.2(1) vPC Enhancements
vPC Delay Restore convergence improvement
Problem/Impact:
• After a vPC device reloads and comes back up, the routing protocol needs time to reconverge.
• vPCs may blackhole routed traffic from access to core until layer 3 connectivity is reestablished
vPC Delay Restore solution:
• Delays vPC bring-up after a vPC device reload (SVI bring-up timing is unchanged)
• Allows for Layer 3 routing protocols to converge for a more graceful restoration.
• Enabled by default with a vPC restoration default timer of 30 seconds
• Timer can be tuned according to a specific layer 3 convergence baseline.
[Figure: vPC primary and vPC secondary at the L3/L2 boundary with OSPF uplinks, vPC PL and vPC PKL]

4.2(1) vPC Enhancements
vPC unicast ARP handling
Problem/Impact:
• Lack of interoperability with BigIP (F5 devices) using unicast ARP requests to monitor gateway liveness
• Due to the hashing mechanism the unicast ARP requests for the HSRP virtual IP may reach the secondary HSRP device. If that is the case they get punted to the Sup and dropped, because it is NOT the active control plane
vPC unicast ARP handling solution:
• 4.2(1) achieves interoperability by forwarding unicast ARP requests via the peer-link to the active HSRP instance.
• No additional configuration is required to enable the functionality.
[Figure: vPC primary (active HSRP) and vPC secondary (standby HSRP) at the L3/L2 boundary with vPC PL and vPC PKL]

4.2(1) vPC Enhancements
vPC Exclude Interface-VLAN
Problem/Impact:
• When a dual active condition is detected, SVIs and vPC ports on the secondary vPC peer are suspended, and therefore single-homed devices on the secondary peer suffer due to loss of gateway
• Only the primary vPC peer continues data plane and control plane functionalities
vPC exclude interface-VLAN solution:
• The vPC exclude interface-VLAN feature ensures that a configurable list of SVIs are not suspended on the secondary vPC peer
• Consequently Layer 3 connectivity is maintained even in a dual active condition for a restricted selection of interfaces
• Other option: configure separate VLAN(s) for single attached devices (recommended)
N7K (config-vpc-domain)# dual-active exclude interface-vlan ?
  <1-3967,4048-4093>  Set allowed interface vlans
[Figure: vPC primary and vPC secondary at the L3/L2 boundary with vPC PL, vPC PKL and an SVI]

4.2(1) vPC Enhancements
vPC single attached device Listing
Problem/Impact:
• Single attached devices that are not connected via a vPC but still carry vPC VLANs are also known as orphan ports.
• In case of a peer-link shut or restoration, an orphan port's connectivity may be bound to the vPC failure or restoration process.
vPC single attached device listing:
• For this reason, NX-OS Release 4.2(1) introduces a show command to check and list single attached devices in the system along with impacted VLANs.
N7K (config-vpc-domain)# show vpc orphan-ports
[Figure: vPC primary (Port #1) and vPC secondary (Port #2) at the L3/L2 boundary with vPC PL and vPC PKL]


In-Service Software Upgrade (ISSU)
vPC System Upgrade/Downgrade

ISSU is still the recommended system upgrade in a multi-device vPC environment.
vPC system can be independently upgraded with no disruption to traffic.
Upgrade is serialized and must be run one at a time (i.e. config lock will prevent synchronous upgrades).
Configuration is locked on the "other" vPC peer during ISSU.
No card reloads or port flaps, even with different releases during the interim condition.

Begin     End       Caveats
4.1(x)    4.2(x)    None
4.2(x)    4.1(x)    None

[Figure: vPC peers labelled with releases 4.1(3) and 4.2(1) during the upgrade sequence]

vPC Convergence & Scalability


4.2(1) vPC Enhancements
Convergence Topology

[Figure: convergence test topology. Layers: L3 Core (Nexus 7000), L2/L3 Aggregation (Nexus 7000 vPC), L2 Access (Nexus 5000). Labels: N7K-1, N7K-2, OSPF, Po10, Po20, Po160, 16-way port-channel, 4-way port-channel. Links: vPC Peer Link LACP Channel (2x10 GigE), vPC Peer-Keepalive (GigE). Test traffic: 20 flows @1000 pps.]

vPC on Nexus 7000
Failover case Failure Topology
Failure of secondary vPC peer* 4.1(4)

Convergence Numbers- Disclaimer: without engagement
Failure Convergence Time
4.1(4)

Restoration

P

S

Failure of a primary vPC peer*

4.1(4) P S

North-Bound: ~50 ms. South-Bound: ~100 ms North-Bound: ~150 ms South-Bound: ~3 sec

4.2(1)

North-Bound: ~700 ms South-Bound: ~2.5 sec

4.2(1)

North-Bound: ~3 sec South-Bound: ~3.4 sec

North-Bound: 100 – 900 ms South-Bound: 1.2 -2 s 4.1(4) North-Bound:~4.5 secs South-Bound: ~5 secs

4.2(1)

Failover of the vPC Peer Link

4.1(4) P S

North-Bound: ~50 ms South-Bound: ~100 ms

4.2(1)

4.2(1)

North-Bound: ~1.3 s South-Bound: ~1.8 s

4.1(4)

North-Bound: ~400 ms-1.5 s South-Bound: ~1.5 s

North-Bound: 100-300 ms South-Bound: 50-500 ms

4.2(1)

North-Bound: ~900 ms South-Bound: up to 10+ s (CSCsz88998)

North-Bound: 150 - 900 ms South-Bound: ~ 900 ms–1.5 s


NOTE: Convergence numbers may vary depending on the specific configuration (i.e. scaled number of VLANs/SVIs or HSRP groups) and traffic patterns (i.e. L2 vs L3 flows).

vPC on Nexus 7000
Scalability Number Improvements

Release 4.1(5) Supported Scalability
192 vPCs (2-port) with the following:
• 200 VLANs
• 200 HSRP Groups
• 40K MACs & 40K ARPs
• 10K (S,G) w. 66 OIFs (L3 sources)
• 3K (S,G) w. 34 OIFs (L2 sources)

Latest Ankara 4.2(2a)
256 vPCs (4-port) with the following:
• 260 VLANs
• 200 SVI/HSRP Groups
• 40K MACs & 40K ARPs
• 10K (S,G) w. 66 OIFs (L3 sources)
• 3K (S,G) w. 64 OIFs (L2 sources)

NOTE: Supported numbers of VLANs/vPCs are NOT related to a hardware or software limit but reflect what has been currently validated by our QA (data-points). The N7k BU is planning to continuously increase these numbers as soon as new data-points become available. Please contact your responsible Cisco team if you have particular vPC scaling requirements.

vPC Roadmap and Reference Material


Roadmap and Reference Material
vPC Plan of Action
Disclaimer: without engagement – subject to correction

• vPC scalability, new data-point targets: 50 vPCs-2Ports and 1000 VLANs, 300 vPCs-4ports and 300 VLANs
• Enhanced vPC dual Active support
CCd and ECd
1HCY’10

Bogota
• vPC scalability, new data-point targets: 768 vPC2ports and 300 VLANs
• vPC over D1 ports
• 16-port vPC on D1 modules with N5K downstream
• Port-Security over vPC
Not CCd
2HCY’10

Cairo
• vPC scalability, new data-point targets: 2000 FEX hosts2ports and 300 VLANs
• PVLANs over vPC
• Config sync for vPC
• vPC for FEX Host Ports
Not CCd

Delhi
• vPC scalability, new data-point targets: 3072 FEX hosts2ports and 200 VLANs

Future

Not CCd
1HCY’11

Roadmap and Reference Material
vPC/VSS Interop Test Details

[Figure: physical and logical test topology. Layers: L3 Core, L2/L3 Aggregation (Nexus 7000 vPC), L2 Access (6500 VSS). Labels: N7K-1, N7K-2, 6K-1, 6K-2, Po10, Po100, E1/25, E1/26, Te1/2/1, Te2/2/1. Links: vPC Peer Link LACP Channel (2x10 GigE), vPC Peer-Keepalive (GigE), VSS VSL Channel (2x10 GigE).]

Roadmap and Reference Material
vPC/VSS Interop Test Details

The following scenarios were tested:
• Dual active scenarios and behavior
• VSS and vPC member failover and convergence
• Best practice guidelines for STP, L3 (NSF), Multicast

Catalyst 6500/Nexus 7000 interoperability: Enterprise Solutions Engineering:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC-3_0_IPInfra.html

Please refer to CCO for more detailed information or refer to your Cisco SE

Datacenter designs with Nexus 5000/2000


NX-OS 4.1(3)N1(1)
• Support for 512 HW (but SW allows 507 maximum) VLANs (minus number of VSANs)
• Supports 16 Hardware Ethernet port channels (12 Ethernet and 4 Fibre Channel supported concurrently, as well as just 16 Ethernet port channels and zero FC port channels)
• Supports the use of the GEM
• Supports vPC
• Supports 12 Fabric Extenders

Fabric Ports
5020 = 52 Fabric Ports & 16 Port Channels
5010 = 26 Fabric Ports & 16 Port Channels

Nexus 2000 Fabric Extender
Network Topology – Physical vs. Logical

[Figure: Physical Topology beside Logical Topology. Labels: Core Layer, VSS, L3/L2 boundary, Nexus 5020, FEX, 12 FEX, 4x10G uplinks from each rack, Servers, Rack-1 … Rack-N, Rack-1 … Rack-12.]

Fabric Extender Terminology
• Fabric Links: connect Nexus 5000 to Fabric Extender (switchport mode fex-fabric)
• Host Interfaces (HIF)
• FEX connectivity between Nexus 5000 and Nexus 2000 (FEX) can leverage either (static) pinning or port-channels
• FEX: N2148T-1GE (48x1GE + 4x10GE)

[Figure: n5k01 with FEX100, FEX101 and FEX102]

Port-Channeling
With Static Pinning, if a fabric uplink port fails, the associated HIFs are shut down.
With Port-Channeling, if a fabric uplink fails, the HIFs use the remaining fabric uplinks.
Port-channeling is the recommended design method.

[Figure: N5k01 and N2k01. Labels: Fabric Ports, Host Ports, 1,2,3,4, 1-48, pinning max-links 1]

What is Nexus 2000 Single Homed (aka Straight Through)

[Figure: two panels, "Nexus 2000 Straight-through deployment" and "Typical Redundant straight-through deployment as of 4.0(1a)". Labels: n5k01, n5k02, FEX100, FEX101, FEX102, FEX120, FEX121, FEX122, max 4 “fabric links”, max 12 = 576 ports, max 12 x 2 = 576 ports x 2, Active/Standby.]

http://www.cisco.com/en/US/partner/products/ps9670/products_installation_and_configuration_guides_list.html

vPC Terminology (NX-OS 4.1(3))

[Figure: nexus5k01 and nexus5k02. Labels: Fault Tolerant or peer keepalive link (mgmt0, mgmt0 vrf), vPC peer link / MCT, vPC member port. Legend: vPC Peer Keepalive, Peer Link / MCT, vPC Member Port.]

Virtual Port-Channel
Terminology

vPC peer – a vPC switch, one of a pair

vPC member port – one of a set of ports (port channels) that form a vPC

vPC – the combined port channel between the vPC peers and the downstream device

vPC peer keepalive link – the peer keepalive link between vPC peer switches. It is used to carry heartbeat packets

vPC peer link – Link used to synchronize state between vPC peer devices, must be 10GbE. Also carries multicast/broadcast/flooding traffic and data traffic in case of vPC member port failure

CFS – Cisco Fabric Services protocol, used for state synchronization and configuration validation between vPC peer devices

[Figure: 5k01 and 5k02. Labels: vPC peer, vPC peer keepalive link, vPC peer link, vPC, vPC member port, Orphan Port]

Virtual Port-Channel
vPC Peer Link

Peer Link carries both vPC data and control traffic between peer switches
• Carries any flooded and/or orphan port traffic
• Carries Cisco Fabric Services messages (vPC control traffic)
• Carries STP BPDUs, IGMP updates, etc.
• Minimum 2 x 10GbE ports

(config)# interface port-channel 10
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan <BETTER TO ALLOW ALL VLANS>
(config-if)# vpc peer-link
(config-if)# spanning-tree port type network

[Figure: vPC Peer Link between 5k01 and 5k02 (5020)]

Virtual Port-Channel
vPC Roles

STP implementation
• Two Nexus 5000s running vPC appear as a single STP entity
• vPC Role defines which of the two vPC peers processes BPDUs
• Role matters for the behavior with peer-link failures!
• Role is defined under the domain configuration
• Lower priority wins - if not, lower system MAC wins

[Figure: 5k01 and 5k02. Labels: Primary Role, Secondary Role]

vPC on the Nexus 5000

4+ Ports vPCs: Max 16 HW-Port Channel
2-Ports vPCs: As many as the number of ports on the 5k

[Figure: two 5k01/5k02 pairs. Labels: eth2/1,2/2, eth2/3,2/4, eth2/1, eth2/2, vPC, access. Legend: Peer Keepalive, Peer Link, vPC Member Port.]

vPC with FEX

[Figure: two panels, "Nexus 2000 Single-homed" and "Nexus 2000 active/active (or dual homed)". Labels: 5k01, 5k02, primary, secondary, Peer-link, mgmt network, mgmt0, FT link (can be routed), “fabric links”, FEX100, FEX120, HIF, vPC 1, vPC 2, HIF 2 ports vPC, 2-GigE ports host port channel. Legend: Peer Keepalive, Peer Link / MCT, vPC Member Port.]

Nexus 2000 straight-through with vPC
max 24 FEXes = 1152 (24 x 48GE ports)
max 480 vPCs (each vPC has 2 ports)

[Figure: n5k01 and n5k02]

Nexus 2000 dual-homed
max 12 FEXes

[Figure: 5k01 and 5k02. Labels: vPC Primary, vPC Secondary, Po10]

Host and Switch Port-channels to 5k
• The 4.1(3)N1 release enables the configuration of virtual port-channels from switches connected to Nexus 5000
• It also enables port-channels from servers connected redundantly to the Nexus 5000
• It enables both 2-ports port-channels and 4+ ports port-channels
• Maximum 16 4+ ports port-channels are possible (minus the number of FC port-channels)
• Any of the 52 ports of the 5020 or the 26 ports of the 5010 can be utilized (i.e. can also use the GEM modules)

[Figure: 5k01 (primary) and 5k02 (secondary) on the Mgmt network, with vPC member ports. Labels: 2-ports host port channel, 4+ ports host port channel, 2-ports switch port channel, 4+ ports switch port channel. Legend: vPC, vPC member port, Peer Keepalive or FT link, vPC Peer Link aka MCT.]

vPC Mixed Topology equally work

[Figure: 5k01 (primary) and 5k02 (secondary) with mgmt0 ports on the Management Network. Labels: FEX100, FEX101, FEX120, FEX121, 2-GigE ports host port channel, single attached servers and/or A/S]

Double-sided vPC between Nexus 7000 and Nexus 5000

[Figure: DESIGN 1 and DESIGN 2. Labels: N7k01, N7k02 (vPC on the N7k), N5k01, N5k02 (vPC on the N5k), numbered links 1 to 4, Max 16 Ports]

Double-sided vPC between Nexus 7000 and Nexus 5000 and Nexus 2000

[Figure: DESIGN 3 and DESIGN 4. Labels: N7k01, N7k02 (vPC on the N7k), N5k01, N5k02 (vPC on the N5k), N2k01, N2k02, numbered links 1 to 8, Max 16 Ports]

Double-sided vPC between Nexus 7000 and Nexus 5000 and FEX A/A

[Figure: DESIGN 5 and DESIGN 6. Labels: N7k01, N7k02 (vPC on the N7k), N5k01, N5k02 (vPC on the N5k), N2k01, N2k02, numbered links 1 to 4, Max 16 Ports]

16-ports Port-Channel
Each vPC peer has only 8 active links, but the pair has 16 active load balanced links

[Figure: 16 x 10 GigE ports]

You can still use TLB with FEX A/A; you cannot just use 802.3ad or static port-channel with FEX A/A

[Figure: 5k01 (primary) and 5k02 (secondary). Labels: Peer-link, “fabric links”, vPC 1, vPC 2, FEX100, FEX120, HIF]

How Many Paths?
In a typical vPC deployment, e.g. in FEX A/A, you want to tune the traffic to use all the available paths. Remember that there are 3 components involved:
• FEX (which can only load balance based on L2/L3 information)
• Teaming software (which can be configured for various load balancing options, e.g. TCP connections)
• Nexus 5k, which can load balance based on L2/L3/L4 information

[Figure: 5k01 (vPC Primary) and 5k02 (vPC Secondary). Labels: Po10, TLB]

vPC Forwarding Behavior
vPC peer link almost unutilized

[Figure: two panels, each with core1, core2, 5k01, 5k02, acc1, acc2 and acc3]

Summary Checklist
• Ensure MST region is configured for the NX-OS VLAN range
• Use pathcost method long
• Assign roots/secondary roots as usual (regardless of primary/secondary roles)
• Create a single Port-channel leveraging LACP
• Trim VLANs that are used for VSANs
• Do not forget that putting a VLAN on a vPC requires that that VLAN be on the Peer-link too
• Make sure the configuration is not causing Type-1 Inconsistencies

[Figure: N7k01 and N7k02, N5k01 and N5k02, N2k01 and N2k02, numbered links 1 to 4]
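The checklist rule that a VLAN on a vPC must also be on the peer-link, and the orphan-port definition from the 4.2(1) enhancements (a non-vPC port that still carries vPC VLANs), can both be checked offline against a saved configuration. The Python script below is an added example, not Cisco tooling and not part of the original deck; the function names and the sample configuration are constructed for illustration, and it assumes every interface lists its VLANs explicitly (a trunk with no allowed-VLAN line is treated as carrying none).

```python
import re

# Constructed NX-OS-style configuration (sample input, not from the slides).
SAMPLE_CONFIG = """\
interface port-channel10
  switchport mode trunk
  switchport trunk allowed vlan 10,20-22
  vpc peer-link
interface port-channel20
  switchport mode trunk
  switchport trunk allowed vlan 10,20-23
  vpc 20
interface Ethernet1/5
  switchport access vlan 21
interface Ethernet1/6
  switchport access vlan 99
"""

def expand_vlans(spec):
    """Expand '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {name: {'vlans': set, 'role': 'peer-link'|'vpc'|None, 'bundled': bool}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"interface\s+(\S.*)", text):
            current = interfaces.setdefault(m.group(1), {"vlans": set(), "role": None, "bundled": False})
        elif current is None:
            continue
        elif m := re.match(r"switchport (?:trunk allowed|access) vlan ([\d,\- ]+)$", text):
            current["vlans"] |= expand_vlans(m.group(1))
        elif m := re.match(r"vpc (peer-link|\d+)$", text):
            current["role"] = "peer-link" if m.group(1) == "peer-link" else "vpc"
        elif text.startswith("channel-group"):
            current["bundled"] = True  # member port: VLANs come from its port-channel
    return interfaces

def audit(config):
    """Return (VLANs missing on the peer-link per vPC, orphan ports with impacted VLANs)."""
    ifs = parse_interfaces(config)
    peer_vlans = set().union(*(i["vlans"] for i in ifs.values() if i["role"] == "peer-link"))
    missing = {n: sorted(i["vlans"] - peer_vlans) for n, i in ifs.items()
               if i["role"] == "vpc" and i["vlans"] - peer_vlans}
    orphans = {n: sorted(i["vlans"] & peer_vlans) for n, i in ifs.items()
               if i["role"] is None and not i["bundled"] and i["vlans"] & peer_vlans}
    return missing, orphans

print(audit(SAMPLE_CONFIG))
```

On a live switch, the orphan-port result should agree with the output of the show vpc orphan-ports command introduced in 4.2(1).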

Feature Overview & Terminology
Intelligent L2 Domains POD Evolution

STP+
• STP Enhancements
• Bridge Assurance

vPC/VSS
• Simplified loop-free trees
• 2x Multi-pathing
• NIC Teaming

Cisco L2MP
• Low Latency / Lossless
• Operational Flexibility
• MAC Scaling
• 16x ECMP

OTV
• Inter-POD Connectivity across L3
• Failure Boundary Preservation

[Figure: PODs connected across an IP Cloud. Labels: Core, Aggregation, Access, Servers, L3/L2 boundary, vPC, L2MP, Failure Boundary]

Networkers at Cisco Live 2010 - Barcelona

Register here: www.cisco.com/go/networkersregister
