
Nexus 5000 vPC Peer Keepalive Options and Config-Sync Issue | Lab M... http://www.labminutes.com/blog/2012/08/nexus-5000-vpc-peer-keepaliv...

Nexus 5000 vPC Peer Keepalive Options and Config‐Sync Issue


Submitted by admin on Fri, 08/31/2012 - 22:33

When you configure vPC on Cisco Nexus switches, the vPC keepalive link is used by the two vPC peers to detect
each other's liveness. The vPC keepalive plays a critical role in resolving a dual-active (aka split-brain)
scenario when the vPC peer link is down. This article presents different interface options for configuring the
vPC keepalive link on Nexus 5000 and discusses their pros and cons. Please note that some behaviors may or may
not hold true on Nexus 7000, as we have not tested them. Any additional test results are welcome in the comment
section.

Option 1: Management Interface

- Two Nexus switches can be connected together using the Mgmt0 interface. The interface is a Layer 3 routed copper
port and is a member of the management VRF. A /30 IP subnet is sufficient to provide IP connectivity. This is the
most recommended configuration if the switches are within the distance limit of Ethernet over copper.

!
interface mgmt0
  vrf member management
  ip address 192.168.0.1/30
!
vpc domain 1
  peer-keepalive destination 192.168.0.2 source 192.168.0.1 vrf management
!

Option 2: Routed Interface

- Provided the switches have the L3 daughter card installed, you can connect the two switches through routed
interfaces (i.e. ‘no switchport’). The benefit is that you can now use fiber cable, which allows a much longer
distance if there is a requirement to extend beyond what copper Ethernet supports. The link can also be 10G,
although there is not much reason for it, and 10G SFP+ is an added cost. It is still recommended to place the
interfaces in their own VRF. Note that they cannot be added to the management VRF, as it is reserved for mgmt0 and
console. If you plan to use any non-management VRF for the vPC keepalive, including the ‘default’ VRF, do not
forget to define it on the ‘peer-keepalive’ command under ‘vpc domain’.

!
vrf context KEEPALIVE
!
interface ethernet1/1
  no switchport
  vrf member KEEPALIVE
  ip address 192.168.0.1/30
!
vpc domain 1
  peer-keepalive destination 192.168.0.2 source 192.168.0.1 vrf KEEPALIVE
!


Option 3: Switch Virtual Interface (SVI)

- If you need the distance of fiber but do not have the L3 daughter card, you can create a dedicated VLAN and use
the SVI for the vPC keepalive. This is similar to Option 2, so the separate VRF recommendation still holds. The
interfaces can be dot1q trunk or access ports, but why use a trunk if it carries just one VLAN, right?

!
vlan 10
  name KEEPALIVE
!
vrf context KEEPALIVE
!
interface Ethernet 1/1
  switchport access vlan 10
  spanning-tree port type network
!
interface Vlan10
  no shutdown
  vrf member KEEPALIVE
  ip address 192.168.0.1/30
!
vpc domain 1
  peer-keepalive destination 192.168.0.2 source 192.168.0.1 vrf KEEPALIVE
!
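
The VRF caveat from Options 2 and 3 can be checked mechanically before a change is pushed. The Python sketch below is an added example, not part of the original post: it finds the interface that owns the keepalive source IP and compares its VRF with the one on the peer-keepalive line, treated as management when the keyword is omitted. The helper name check_keepalive, its need_config_sync flag and the sample configs are constructed for illustration.

```python
import re

# Constructed sample: Option 2 with the 'vrf' keyword forgotten on peer-keepalive.
SAMPLE_BAD = """\
vrf context KEEPALIVE
!
interface Ethernet1/1
  no switchport
  vrf member KEEPALIVE
  ip address 192.168.0.1/30
!
vpc domain 1
  peer-keepalive destination 192.168.0.2 source 192.168.0.1
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("source 192.168.0.1", "source 192.168.0.1 vrf KEEPALIVE")

def check_keepalive(config, need_config_sync=False):
    """Return a list of findings (hypothetical helper); empty means consistent."""
    iface_vrf, ip_owner, name = {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"interface\s+(\S.*)", s, re.I):
            name = m.group(1).replace(" ", "").lower()
            iface_vrf[name] = "management" if name == "mgmt0" else "default"
        elif s == "!":
            name = None                      # end of the interface stanza
        elif name and (m := re.match(r"vrf member (\S+)", s)):
            iface_vrf[name] = m.group(1)
        elif name and (m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+)/\d+", s)):
            ip_owner[m.group(1)] = name
    ka = re.search(r"peer-keepalive destination \S+ source (\S+)(?: vrf (\S+))?", config)
    if not ka:
        return ["no peer-keepalive line with an explicit source found"]
    src, vrf = ka.group(1), ka.group(2) or "management"  # keyword omitted -> management
    owner = ip_owner.get(src)
    findings = []
    if owner is None:
        findings.append(f"source {src} is not configured on any interface")
    elif iface_vrf[owner] != vrf:
        findings.append(f"source {src} is on {owner} in VRF '{iface_vrf[owner]}', "
                        f"but peer-keepalive uses VRF '{vrf}'")
    if need_config_sync and owner not in (None, "mgmt0"):
        findings.append(f"{owner} is not mgmt0: a switch-profile peer on this IP "
                        "will show 'Peer not reachable'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_keepalive(cfg) or "OK")
```

Passing need_config_sync=True also flags a keepalive that is not on mgmt0, which matters for the config-sync behavior described in the next section.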

Issue with Configuration Synchronization

Any of the three options should work fine until you need to enable config-sync. According to Cisco documentation,
config-sync traffic is carried over the mgmt0 interface (see below). If you cannot use mgmt0 for vPC keepalive, you
probably cannot use it for config-sync either. If you attempt to configure a switch-profile peer with any non-mgmt0
IP, the switch will show ‘Peer not Reachable’, even though the IP is pingable. If the config-sync feature is
mandatory, you will probably need to resort to some form of media converter to convert fiber to copper at both ends.

Q. Which interface carries config-sync traffic?


A. Config-sync messages are carried only over the mgmt0 interface. They cannot currently be carried over the in-band
switch virtual interfaces (SVIs).

With SVI

switch# sh switch-p peer


switch-profile : SP
----------------------------------------------------------
Peer-IP-address : 192.168.0.2
Peer-sync-status : Not yet merged
Merge Flags: pending_merge:1 rcv_merge:0 pending_validate:0
Peer-status : Peer not reachable
Peer-error(s) :

With mgmt0

switch# sh switch-p peer


switch-profile : SP
----------------------------------------------------------
Peer-IP-address : 192.168.0.2
Peer-sync-status : In sync
Peer-status : Verify Success
Peer-error(s) :

References: Cisco Nexus 5548P Switch Q&A


Tags: vpc config-sync keepalive


About Author
Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of
experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a
founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new
Cisco technologies.

http://www.linkedin.com/in/methachiewanichakorn


Copyright © Lab Minutes 2012-2016. All rights reserved.
