
NX/OS vPC N7K 4.2(1) N5K 4.1(5)

2008 Cisco Systems, Inc. All rights reserved.


Overview of vPC


2009 FastLane, All rights reserved.

vPC overview

A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus 7000 Series devices to appear as a standard single port channel to a third device.


Differences between VSS and vPC

VSS (Cat6500)
- Single control plane
- Configuration on one device
- Control plane crash affects both chassis
- Two supervisor engines max (active/standby)
- Static/PAgP/PAgP+/LACP

vPC (Nexus)
- Two independent control planes
- Two configurations to manage
- Up to 4 Supervisors (two in each chassis) offering maximum HA
- LACP/static


vPC overview
The third device can be a switch, server, or any other networking device. You can configure up to 192 vPCs per device. A vPC can provide Layer 2 multipathing, which allows you to create redundancy by increasing bisectional bandwidth by enabling multiple parallel paths between nodes and load balancing traffic where alternative paths exist.


vPC Benefits
- Allows a single device to use a port channel across two upstream devices
- Eliminates Spanning Tree Protocol (STP) blocked ports
- Provides a loop-free topology
- Uses all available uplink bandwidth
- Provides fast convergence if either the link or a device fails
- Provides link-level resiliency
- Assures high availability


vPC limitations
- You can use only Layer 2 port channels in the vPC.
- All members in a single vPC on each device must belong to a single VDC on the device.
- The vPC peer link must use 10-Gigabit Ethernet ports.
- Each VDC must be configured individually.
- Separate peer links are required.
- Building a vPC between two VDCs on the same chassis is not supported.
- To ensure that you have the correct hardware to enable and run vPC beginning with Cisco NX-OS Release 4.1(5), enter the show hardware feature-capability command. If you see an X across from vPC, your hardware cannot enable the vPC feature (an EPLD update may be required).

vPC configuration
You configure the port channels by using one of the following:
- No protocol: When you configure the port channels without using LACP, each device can have up to eight active links in a single port channel.
- Link Aggregation Control Protocol (LACP): When you configure the port channels in a vPC using LACP, each device can have eight active links and eight standby links in a single port channel.


vPC links
- Peer-keepalive link: sends heartbeat messages between the two vPC peer devices.
- Peer link: makes two linked Nexus devices appear as one device to a third device.
- Port channel: it is recommended to use two or more of the 10-Gigabit Ethernet ports in dedicated mode (on at least two different N7K-M132XP-12 modules).
- Recommendation: configure the Layer 2 port channels as trunks.


vPC Domain
vPC domain includes:
- both vPC peer devices
- the vPC peer-keepalive link
- the vPC peer link
- all of the port channels in the vPC domain connected to the downstream device

vPC domain limitations:
- You can have only one vPC domain ID on each device.
- In this version, you can connect each downstream device to a single vPC domain ID using a separate port channel.


vPC Interfaces in one VDC


vPC Terminology
- vPC: The combined port channel between the vPC peer devices and the downstream device.
- vPC peer device: One of a pair of devices that are connected with the special port channel known as the vPC peer link.
- vPC peer link: The link used to synchronize states between the vPC peer devices. Both ends must be on 10-Gigabit Ethernet interfaces.
- vPC domain: This domain is formed by the two vPC peer link devices. It is also a configuration mode for configuring some of the vPC peer link parameters.
- vPC peer-keepalive link: The peer-keepalive link between vPC peer devices to ensure that both devices are up (IP connectivity).
- vPC member port: Interfaces that belong to the vPCs.


Invalid vPC Configurations

- You can have only two devices as vPC peers.
- Each device/VDC can serve as a vPC peer to only one other vPC peer.

Note: The vPC peer devices can also have non-vPC links to other devices.

vPC peer link Primary / Secondary

When you configure the vPC peer link, the vPC peer devices negotiate that one of the connected devices is the primary device and the other connected device is the secondary device. The NX-OS software uses the lowest MAC address to elect the primary device. If the primary device fails, the secondary device becomes the new primary when the system recovers, and the previously primary device is now the secondary device. You can also configure which of the vPC devices is primary. (Changing the priority of the vPC peer devices can cause link flap.)


vPC traffic flow known destination

The software keeps all traffic forwarding across the vPC peer devices local. That is, a packet ingressing the port channel uses one of the local links rather than moving across the vPC peer link.


vPC traffic flow unknown destination

Unknown unicast, multicast, and broadcast traffic (including STP BPDUs) is flooded across the vPC peer link.


vPC synchronization

The software keeps the multicast forwarding state synchronized on both of the vPC peer devices. All MAC addresses for those VLANs configured on both devices are synchronized between vPC peer devices. The software uses CFSoE for these synchronizations.

Traffic flows in a vPC environment

An artificial "peer link traffic filter" was introduced between the lower vPC member ports and the upper non-vPC ports (of course, this filter is just a logical representation that has no relation with the real hardware implementation.) Traffic that has crossed the peer link is tagged internally and will not be allowed to be forwarded through the filter. This mechanism will allow the traffic received from the vPC member port to be locally forwarded, while still providing connectivity to the ports that are not part of a vPC.

Traffic Flows in a vPC environment

When switch B sends a frame to switch D, the destination address for switch D is unknown and the traffic must be flooded. Again, all the devices belonging to a vPC can be reached directly and S1 replicates the frame to the vPC member ports leading to switches C and D. However, the frame must also be flooded to the non-vPC members. When it is sent on the peer link, an internal header carrying a special bit is added to the frame in order to specify that this traffic has already been sent to the vPC members. As a result, when vPC peer S2 receives the frame, the filter prevents it from being duplicated to its local vPC members and it is only forwarded to switch E. At the same time, a software update carried by CFS advertises to S2 that MAC address B was learnt on vPC. This information will allow S2 to send the reply from switch D to switch B directly on its local vPC member port, even if S2 never received traffic from switch B on this port.
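The flooding walk-through above can be traced with a small model. This is an added example, not code from the course material: S1, S2 and switches B to E come from the text, while the vPC numbers 1 to 3, the port name e1/10 and the `filter_enabled` switch are assumptions made for the illustration.

```python
"""Toy model of vPC flooding and the peer-link filter (added illustration)."""
from dataclasses import dataclass, field

PEER_LINK = ("peer-link", None)

@dataclass
class Peer:
    name: str
    vpcs: dict                 # vPC number -> downstream device (same numbers on both peers)
    orphans: dict              # non-vPC port name -> attached device
    filter_enabled: bool = True
    macs: dict = field(default_factory=dict)   # MAC -> ("vpc", n) | ("orphan", port) | PEER_LINK
    peer: "Peer" = None

    def learn(self, mac, ingress):
        self.macs[mac] = ingress
        # CFS sync: a MAC learnt on a vPC is installed on the same vPC at the peer;
        # a MAC behind a non-vPC port is reached from the peer over the peer link.
        self.peer.macs[mac] = ingress if ingress[0] == "vpc" else PEER_LINK

    def receive(self, src, dst, ingress, crossed_peer_link=False):
        """Return one (switch, egress, device) tuple per copy of the frame delivered."""
        if not crossed_peer_link:
            self.learn(src, ingress)
        known = self.macs.get(dst)
        if known is not None:
            targets = [known]                      # known destination: single egress
        else:                                      # unknown destination: flood
            targets = ([("vpc", n) for n in self.vpcs]
                       + [("orphan", p) for p in self.orphans] + [PEER_LINK])
        delivered = []
        for target in targets:
            kind, ident = target
            if target == ingress:
                continue                           # never send back out the ingress port
            if kind == "vpc":
                # Peer-link filter: a frame that crossed the peer link was already
                # offered to every vPC by the other peer, so it must not egress here.
                if crossed_peer_link and self.filter_enabled:
                    continue
                delivered.append((self.name, f"vpc {ident}", self.vpcs[ident]))
            elif kind == "orphan":
                delivered.append((self.name, ident, self.orphans[ident]))
            elif not crossed_peer_link:
                delivered += self.peer.receive(src, dst, PEER_LINK, crossed_peer_link=True)
        return delivered

def build(filter_enabled=True):
    """Constructed topology: B, C, D dual-homed on vPCs 1-3; E single-homed on S2."""
    vpcs = {1: "B", 2: "C", 3: "D"}
    s1 = Peer("S1", dict(vpcs), {}, filter_enabled)
    s2 = Peer("S2", dict(vpcs), {"e1/10": "E"}, filter_enabled)
    s1.peer, s2.peer = s2, s1
    return s1, s2

if __name__ == "__main__":
    s1, s2 = build()
    print("flood B->D :", s1.receive("B", "D", ("vpc", 1)))
    print("reply D->B :", s2.receive("D", "B", ("vpc", 3)))
    s1, s2 = build(filter_enabled=False)
    print("no filter  :", s1.receive("B", "D", ("vpc", 1)))
```

With the filter disabled, C and D each receive the flooded frame twice and B receives its own frame back, which is the duplication the internal peer-link bit exists to prevent.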


vPC Spanning Tree implementation

During the vPC domain setup, a vPC peer is elected as primary. The primary peer will be responsible for running STP on all the vPC ports of the vPC domain. So logically, a vPC is a simple channel located on the primary vPC peer switch from the perspective of STP. The state of the vPC member ports located on the secondary peer is controlled remotely by the primary. Still, BPDUs can be exchanged on all the physical links belonging to a vPC. Primary switch S1 can send and receive BPDUs on both paths available to bridge C. Switches S1 and S2 are programmed so that the BPDUs can be switched in hardware toward their final destination.

vPC / HSRP integration


An improvement was made to the forwarding engine to allow local Layer 3 forwarding at both the active HSRP peer and at the standby HSRP peer. This provides in effect an active/active HSRP configuration with no changes to current HSRP configuration recommendations or best practices and no changes to the HSRP protocol either. The HSRP control protocol still acts like an active/standby pair, such that only the active device responds to ARP requests, but a packet destined to the shared HSRP MAC address is accepted as local on either the active or standby HSRP device.

vPC peer link failure



If the vPC peer link on switch A fails, the software checks the status of the remote vPC peer B using the peer-keepalive link. If vPC peer B is up, the secondary vPC device A disables all vPC ports on its device to prevent loops and blackholing or flooding of traffic. The data is then forwarded down the remaining active links of the port channel.

vPC peer failure



The software learns of a vPC peer device failure when the keepalive messages are not returned over the peer-keepalive link. You use a separate link (the vPC peer-keepalive link) to send configurable keepalive messages between the vPC peer devices. The keepalive messages on the vPC peer-keepalive link determine whether a failure is on the vPC peer link only or on the vPC peer device. The keepalive messages are used only when all the links in the peer link fail.

Features That You Must Manually Configure on the Primary and Secondary Devices
- STP root: Configure the primary vPC peer device as the highest STP root priority, and configure the secondary device with a lower root priority.
- STP hello time: Configure the STP hello time on both the primary and secondary root switch to 4 seconds.
- Layer 3 VLAN network interface: Configure Layer 3 connectivity from each vPC peer device by configuring a VLAN network interface for the same VLAN from both devices.
- HSRP active: If you want to use HSRP and VLAN interfaces on the vPC peer devices, configure the primary vPC peer device with the HSRP active highest priority. Configure the secondary device to be the HSRP standby. Ensure that you have VLAN interfaces on each vPC device.
- Configure Unidirectional Link Detection (UDLD) on both sides of the vPC peer link.


Peer-Keepalive Link and Messages


- The Cisco NX-OS software uses the peer-keepalive link between the vPC peers to transmit periodic, configurable keepalive messages.
- You must use a Layer 3 link between the peer devices to transmit these messages.
- The system cannot bring up the vPC peer link unless the peer-keepalive link is configured.
- Configure a separate VRF and put a Layer 3 port from each vPC peer device into that VRF for the vPC peer-keepalive link.
- If you do not configure a separate VRF, the system uses the management VRF and management ports by default.
- The default keepalive interval time is 1 second (between 400 and 10000 ms).
- The default timeout value is 5 seconds (between 3 and 20 seconds).


vPC Domain
You can use the vPC domain ID to identify the vPC peer links and the ports that are connected to the vPC downstream devices. The vPC domain is also a configuration mode that you use to configure the keepalive messages, and configure other vPC peer link parameters. To create a vPC domain, you must first create a vPC domain ID on each vPC peer device using a number from 1 to 1000. You can have only one vPC domain per VDC. You must explicitly configure the port channel that you want to act as the peer link on each device. You associate the port channel that you made a peer link on each device with the same vPC domain ID to form a single vPC domain. Within this domain, the system provides a loop-free topology and Layer 2 multipathing. You can only configure port channels and vPC peer links statically.


Compatibility Parameters for vPC Peer Links that MUST match 1/4
- Port-channel mode: on (static), passive or active (LACP)
- Link speed per channel
- Duplex mode per channel
- Trunk mode per channel:
  - Native VLAN
  - Tagging of native VLAN traffic
- Spanning Tree Protocol (STP) mode
- STP region configuration for Multiple Spanning Tree
- Enable/disable state per VLAN


Compatibility Parameters for vPC Peer Links that MUST match (cont.) 2/4
- STP global settings:
  - Bridge Assurance setting
  - Port type setting: We recommend that you set all vPC interfaces as network ports.
  - Loop Guard settings
- STP interface settings:
  - Port type setting
  - Loop Guard
  - Root Guard
- Maximum Transmission Unit (MTU)


Compatibility Parameters for vPC Peer Links that SHOULD match 3/4
- MAC aging timers
- Static MAC entries
- VLAN interface: Each device on the end of the vPC peer link must have a VLAN interface configured for the same VLAN on both ends and they must be in the same administrative and operational mode. Those VLANs configured on only one device of the peer link do not pass traffic using the vPC or peer link. You must create all VLANs on both the primary and secondary vPC devices, or the VLAN will be suspended.
- All ACL configurations and parameters
- Quality of Service (QoS) configuration and parameters
- STP interface settings:
  - BPDU Filter
  - BPDU Guard
  - Cost
  - Link type
  - Priority
  - VLANs (Rapid PVST+)

Compatibility Parameters for vPC Peer Links that SHOULD match (cont.) 4/4
- VLANs allowed on trunk
- Port security
- Cisco Trusted Security (CTS)
- Network Access Control (NAC)
- Internet Group Management Protocol (IGMP) snooping
- Hot Standby Routing Protocol (HSRP)
- Protocol Independent Multicast (PIM)
- Gateway Load-Balancing Protocol (GLBP)
- All routing protocol configurations


Features NOT compatible with vPC


- PIM SSM
- PIM BIDIR
- DHCP snooping
- DAI
- IPSG
- Port security on port channel


vPC and LACP


- LACP uses the system MAC address of the vPC domain to form the LACP Aggregation Group (LAG) ID for the vPC.
- Configure LACP with active mode on the interfaces on each port channel on the vPC peer devices.
- The vPC peer link supports 16 LACP interfaces: 8 active links and 8 hot standby links.
- If you configure the port channels without using LACP, you can have only 8 links in each channel.
- Manually configure the system priority on the vPC peer-link devices to ensure that the vPC peer-link devices have a higher LACP priority than the downstream connected devices.
- A lower numerical value system priority means a higher LACP priority.


vPC Peer Links and STP


- When you first bring up vPC, STP reconverges.
- STP treats vPC as a special link and always includes vPCs in the STP active topology.
- Set all the vPC peer link interfaces to the STP network port type so that Bridge Assurance is automatically enabled on all vPC peer links.
- Do not enable any of the STP enhancement features on vPC peer links.
- Configure the STP hello time on both the primary and secondary root devices to be 4 seconds.
- STP is distributed; the protocol continues running on both vPC peer devices. However, the configuration on the vPC peer device elected as the primary device controls the STP process for the vPC interfaces on the secondary vPC peer device.
- The primary vPC device synchronizes the STP state on the vPC secondary peer device using Cisco Fabric Services over Ethernet (CFSoE).


CFSoE
Cisco Fabric Services over Ethernet (CFSoE) is a reliable state transport mechanism that is used to synchronize the actions of the vPC peer devices. CFSoE carries messages and packets for many features linked with vPC, such as STP and IGMP. When you enable the vPC feature, the device automatically enables CFSoE, and you do not have to configure anything. The CFSoE transport is local to each VDC. Cisco Fabric Services can also be used to carry data over IP or IPv6 (both unicast or multicast).


Virtualization Support
All ports in a given vPC must be in the same VDC. This version of the software supports only one vPC per VDC. You can use the numbers from 1 to 4096 in each VDC to number the vPC and you can reuse these vPC numbers in a different VDC.


Guidelines and Limitations


All ports for a given vPC must be in the same VDC. You must enable vPCs before you can configure them. You must configure the peer-keepalive link and messages before the system can form the vPC peer link. Only Layer 2 port channels can be in vPCs. You must configure both vPC peer devices; the configuration is not sent from one device to the other. Check that the necessary configuration parameters are compatible on both sides of the vPC peer link. You may experience minimal traffic disruption while configuring vPCs. Configure all the port channels in the vPC using LACP with the interfaces in active mode.


Configuring vPC


Enabling vPC
SwitchX(config)# feature vpc
Enables vPCs on the device.

SwitchX(config)# no feature vpc
Disables vPCs on the device.

You must enable the vPC functionality before you can configure and use vPCs. Ensure that you are in the correct VDC (or use the switchto vdc command).

Creating a vPC Domain and Entering the vpc-domain Mode


SwitchX(config)# vpc domain domain-id
Creates a vPC domain on the device and enters the vpc-domain configuration mode for configuration purposes. There is no default; the range is 1 to 1000.

This example shows how to create or enter a vPC domain:
switch# config t
switch(config)# vpc domain 5
switch(config-vpc-domain)#


Configuring the vPC Keepalive Link


SwitchX(config-vpc-domain)# peer-keepalive destination ip [hold-timeout secs | interval msecs {timeout secs} | {precedence {prec-value | network | internet | critical | flash-override | flash | immediate priority | routine}} | tos {tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal}} | tos-byte tos-byte-value} | source ip | vrf {name | management vpc-keepalive}]
Configures the IPv4 address for the remote end of the vPC peer-keepalive link.

This example shows how to configure the destination IP address for the link:
switch# config t
switch(config)# feature vpc
switch(config)# vpc domain 100
switch(config-vpc-domain)# peer-keepalive destination 10.1.152.91


Creating the vPC Peer Link


SwitchX(config-if)# vpc peer-link
Configures the selected port channel as the vPC peer link and enters the vpc-domain configuration mode.

This example shows how to configure a vPC peer link:
switch# config t
switch(config)# interface port-channel 20
switch(config-if)# vpc peer-link
switch(config-vpc-domain)#


Configuration Compatibility on a vPC Peer Link


SwitchX(config)# show vpc consistency-parameters {global | interface port-channel channel-number}

Displays the status of those parameters that must be consistent across all vPC interfaces.

After you have configured the vPC peer link on both vPC peer devices, check that the configurations are consistent on all vPC interfaces.


Moving Other Port Channels into a vPC


switch# config t
switch(config)# interface port-channel 20
switch(config-if)# vpc 5

To connect to the downstream device, you create a port channel from the downstream device to the primary vPC peer device and you create another port channel from the downstream device to the secondary peer device. Finally, working on each vPC peer device, you assign a vPC number to the port channel that connects to the downstream device. You will experience minimal traffic disruption when you are creating vPCs. The vPC number that you assign to the port channel connecting to the downstream device from the vPC peer device must be identical on both vPC peer devices.


Verifying the vPC Configuration


vPC Example Configuration


Step 1 Enable vPC.
switch# config t
switch(config)# feature vpc

Step 2 (Optional) Configure the interface that you want to be the peer link in dedicated mode.
switch(config)# interface ethernet 7/1, 7/3, 7/5, 7/7
switch(config-if)# shutdown
switch(config-if)# exit
switch(config)# interface ethernet 7/1
switch(config-if)# rate-mode dedicated
switch(config-if)# no shutdown

Step 3 Configure the interface that you want to be the peer link to be an active Layer 2 LACP port channel and create the vPC domain.
switch(config)# interface ethernet 7/1
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1-50
switch(config-if)# switchport trunk native vlan 20
switch(config-if)# channel-group 20 mode active

vPC Example Configuration (cont.)


Step 4 Configure the vPC domain and keepalive link.
switch(config)# vpc domain 77
switch(config-vpc-domain)# peer-keepalive destination 1.1.1.1
switch(config-vpc-domain)# exit

Step 5 Configure the vPC peer link.
switch(config)# interface port-channel 20
switch(config-if)# vpc peer-link

Step 6 Add the port channels that connect to the downstream device to the vPC.
switch(config)# interface port-channel 50
switch(config-if)# vpc 3

Step 7 Save the configuration ;)
switch(config)# copy running-config startup-config
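Because the configuration is not sent from one peer to the other, both sides have to be checked against each other. The following is an added example, not part of the course material: an offline audit of two saved configurations against rules stated in this deck (domain ID range and match, peer-keepalive presence and VRF, a single peer link, identical vPC numbers, features listed as not compatible with vPC). The two configuration fragments, the VRF name vpc-keepalive, and the command prefixes used to spot DHCP snooping, DAI and IPSG are assumptions.

```python
import re

# Constructed running-config fragments (not from the page); peer B is deliberately wrong.
PEER_A = """\
feature vpc
vpc domain 77
  peer-keepalive destination 1.1.1.2 vrf vpc-keepalive
interface port-channel 20
  vpc peer-link
interface port-channel 50
  vpc 3
"""
PEER_B = """\
feature vpc
vpc domain 78
  peer-keepalive destination 1.1.1.1
ip dhcp snooping
interface port-channel 20
  vpc peer-link
interface port-channel 50
  switchport port-security
  vpc 4
"""
# Assumed command prefixes for features the deck lists as not compatible with vPC.
INCOMPATIBLE = {"ip dhcp snooping": "DHCP snooping", "ip arp inspection": "DAI",
                "ip verify source": "IPSG"}

def parse(cfg):
    p = {"feature": False, "domain": None, "keepalive": None,
         "peer_links": [], "vpcs": set(), "flags": []}
    section = ""
    for raw in filter(str.strip, cfg.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():
            section = line                            # top-level command opens a section
        if line == "feature vpc":
            p["feature"] = True
        elif m := re.fullmatch(r"vpc domain (\d+)", line):
            p["domain"] = int(m[1])
        elif line.startswith("peer-keepalive destination "):
            p["keepalive"] = line.split()
        elif line == "vpc peer-link":
            p["peer_links"].append(section)
        elif m := re.fullmatch(r"vpc (\d+)", line):
            p["vpcs"].add(int(m[1]))
        elif line == "switchport port-security" and section.startswith("interface port-channel"):
            p["flags"].append(f"port security on {section[10:]}")
        else:
            p["flags"] += [n for pre, n in INCOMPATIBLE.items() if line.startswith(pre)]
    return p

def audit(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for name, p in (("A", a), ("B", b)):              # per-device rules
        if not p["feature"]:
            out.append(f"{name}: feature vpc is not enabled")
        if p["domain"] is None or not 1 <= p["domain"] <= 1000:
            out.append(f"{name}: vPC domain ID missing or outside 1-1000")
        if p["keepalive"] is None:
            out.append(f"{name}: no peer-keepalive, so the peer link cannot come up")
        elif "vrf" not in p["keepalive"]:
            out.append(f"{name}: peer-keepalive falls back to the management VRF")
        if len(p["peer_links"]) != 1:
            out.append(f"{name}: expected exactly one vpc peer-link port channel")
        out += [f"{name}: {flag} is not compatible with vPC" for flag in p["flags"]]
    if a["domain"] != b["domain"]:                    # cross-peer rules
        out.append(f"vPC domain ID differs between peers: {a['domain']} vs {b['domain']}")
    out += [f"vPC {n} is configured on only one peer" for n in sorted(a["vpcs"] ^ b["vpcs"])]
    return out

if __name__ == "__main__":
    print("\n".join(audit(PEER_A, PEER_B)))
```

This complements show vpc consistency-parameters, which reports on a live pair; the script works on saved configurations before a change is applied.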


Default Settings


I part
[Figure: topology diagram. Labels shown: NX 8A, NX 8B, NX 6A, NX 6B, NX 9A, NX 5A; vPC 9, vPC 5; vPC Domain 8, vPC Domain 6.]


II part
[Figure: topology diagram with interface numbers. Labels shown: NX 8A, NX 8B, NX 6A, NX 6B, NX 9A, NX 5A; vPC 61, vPC 62, vPC 9, vPC 5; vPC Domain 8, vPC Domain 6.]


III part
[Figure: topology diagram with interface numbers. Labels shown: NX 8A, NX 8B, NX 6A, NX 6B, NX 9A, NX 5A; vPC 8, vPC 6, vPC 9, vPC 5; vPC Domain 8, vPC Domain 6.]
