Building a vPC Domain: Guidelines and Restrictions

To build a vPC domain, use the following configuration guidelines:
● You must enable feature vPC (conf t; feature vpc) before you can start configuring a vPC domain.
● You must configure the peer-keepalive link before the peer-link in order for the vPC system to come up.
● You must configure both vPC peer devices; the configuration is not sent from one device to the other.
● To configure a double-sided vPC topology, you must assign a unique vPC domain ID to each respective vPC layer.
● To use vPC in a DCI topology, you must assign a unique vPC domain ID to each respective data center.
● Check that the necessary configuration parameters are consistent on both sides of the vPC peer-link.
● We recommend that you activate the LACP feature and configure vPC member ports with LACP mode set to ACTIVE.
● All ports for a given vPC must be in the same VDC.
● Only Layer 2 port-channels (switchport mode trunk or switchport mode access) can be configured on vPC member ports.
● PIM SM (Sparse Mode) is fully interoperable with vPC. The software does not support PIM BiDIR or PIM SSM (Source Specific Multicast) with vPC.
● The software does not support DAI (Dynamic ARP Inspection) or IPSG (IP Source Guard) in a vPC environment.
● DHCP relay and DHCP snooping are supported with vPC.
● The software does not support Cisco Fabric Services regions with vPC.
● Port security is not supported on vPC member ports.
● Configure a separate Layer 3 link for routing from the vPC peer device (backup routing path), rather than using the vPC peer-link and an SVI for this purpose.
● We recommend that you create an additional Layer 2 trunk port-channel as an interswitch link to transport

How to Attach Devices to a vPC Domain

Attaching a device to a vPC domain means creating a Layer 2 port-channel from the access device to the two vPC peer devices. From the access device's standpoint this is a classical port-channel. From each vPC peer device's standpoint it is a vPC member port (i.e. a port-channel configured with the vpc keyword).

In practice, for a port-channel on a FEX, member port 1 should be cabled to 7K_1 and member port 2 to 7K_2; that is what gives true redundancy.

The 7K pair and the 5K pair use different vPC domain IDs (in a double-sided topology each vPC layer must have its own, as the guidelines above require; the ID is also baked into the vPC system MAC 0023.04ee.beXX, so two layers sharing an ID would present the same system identity to each other). Within a peer pair, however, the domain ID must be identical, and the vPC number configured on both peers for a given link must be identical as well. In other words, the two 7Ks (or the two 5Ks) joined by the peer-link are treated as one logical entity, and only when both members assign the same vPC number to a port-channel is it seen as a single port-channel to the other 5K or 7K pair. That is the whole point of vPC: a device that is physically cabled to two switches believes it is attached to one. Note that the number in "interface port-channel2" is not the vPC number; the "vpc 2" command under that port-channel is what declares that Po2 carries vPC 2. Several port-channels can therefore run between two vPC domains, each distinguished by its own vPC number. The domain ID matters only on the peer-link; it has no meaning to the entity on the far end of an ordinary vPC link.

Configuration example: 7K_1

feature udld
Once UDLD is enabled it runs by default on every fiber port but not on copper ports; show udld confirms which ports are running it.

vpc domain 1
  role priority 1000
  peer-keepalive destination 10.10.1.88
  peer-gateway
  peer-switch
port-profile default max-ports 512

peer-gateway lets this switch act as the gateway for frames addressed to the peer's router MAC, which removes traffic that would otherwise shuttle between the peers across the peer-link. It is mandatory for devices that build their replies from the source MAC of the frame they received instead of doing an ARP lookup: such a reply can land on the wrong peer and would then have to cross the peer-link. Devices that address replies through normal ARP resolution never reply to the wrong peer, nothing crosses the peer-link, and for them the option is not needed.

peer-switch synchronises the STP root bridge ID between the primary and secondary Nexus peers. Without it each peer has its own bridge ID, the primary should be configured as the STP root, and only the root controls the BPDUs. With it enabled the two switches share one bridge ID, 0023.04ee.beXX, where XX is the vPC domain ID (in hex); once merged, the STP configuration must be identical on both peers. For an orphan port (an ordinary device single-homed to either the primary or the secondary of the vPC pair), whichever switch the device is cabled to handles its BPDUs, with or without peer-switch.

interface port-channel1
  description VPC-Peer-Link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

spanning-tree port type network is used only between the vPC peers (on the peer-link), not on ordinary vPC member ports. It turns on Bridge Assurance, which watches whether the interface keeps receiving BPDUs; that only makes sense on a port that is expected to be forwarding, and since every vPC member port is always forwarding as part of the vPC, the feature adds nothing on ordinary vPC ports.

interface port-channel2
  description VPC-Peer-DMZ641
  switchport mode trunk
  vpc 2

vpc 2 declares that Po2 is virtual port-channel 2. The vPC peer (7K_2) may use a different port-channel number for the same vPC, e.g. interface port-channel3 with vpc 2; what must match on both peers is the vPC number.

interface Ethernet1/1
  description VPC-Peer-DMZ644/1
  switchport mode trunk
  channel-group 1

interface Ethernet1/2
  description VPC-Peer-DMZ644/2
  switchport mode trunk
  channel-group 1

interface Ethernet1/3
  description VPC link to DMZ641
  switchport mode trunk
  channel-group 2
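Checking the domain ID and vPC number rules above, and the peer-link settings in the configuration example, mechanically: the following is an added example, not part of the original page or of Cisco's documentation. It parses trimmed NX-OS running-config text for a 7K pair and a 5K pair and reports the mismatches the text warns about (domain IDs that differ within a pair, a domain ID reused across layers, a vPC number present on only one peer, a missing peer-keepalive or peer-link, and spanning-tree port type network on a port that is not the peer-link). The device names, addresses, port-channel numbers and the configs themselves are constructed for the example; the system MAC helper assumes the XX in 0023.04ee.beXX is the domain ID in hex and only handles IDs up to 255.

```python
import re

# Constructed sample configs in trimmed NX-OS running-config form. Names,
# addresses and port-channel numbers are assumptions for this example.
N7K_1 = """\
vpc domain 1
  peer-keepalive destination 10.10.1.88
interface port-channel1
  spanning-tree port type network
  vpc peer-link
interface port-channel2
  vpc 2
"""
N7K_2 = """\
vpc domain 1
  peer-keepalive destination 10.10.1.87
interface port-channel1
  spanning-tree port type network
  vpc peer-link
interface port-channel3
  vpc 2
"""
# The 5K layer deliberately breaks the rules: it reuses domain 1, puts type
# network on a member port, and its two peers disagree on the vPC number.
N5K_1 = """\
vpc domain 1
  peer-keepalive destination 10.10.2.2
interface port-channel1
  vpc peer-link
interface port-channel10
  spanning-tree port type network
  vpc 10
"""
N5K_2 = """\
vpc domain 1
  peer-keepalive destination 10.10.2.1
interface port-channel1
  vpc peer-link
interface port-channel10
  vpc 11
"""


def parse(config):
    """Pull the vPC-relevant settings out of trimmed NX-OS config text."""
    info = {"domain": None, "keepalive": None, "peer_link": None, "vpcs": {}, "network_ports": set()}
    ctx = None  # "domain" while inside 'vpc domain', otherwise the current interface name
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if not raw[0].isspace():  # top-level line: opens a new context
            if m := re.match(r"vpc domain (\d+)$", cmd):
                info["domain"], ctx = int(m.group(1)), "domain"
            else:
                m = re.match(r"interface (\S+)$", cmd)
                ctx = m.group(1) if m else None
        elif ctx == "domain":
            if m := re.match(r"peer-keepalive destination (\S+)", cmd):
                info["keepalive"] = m.group(1)
        elif ctx is not None:
            if cmd == "vpc peer-link":
                info["peer_link"] = ctx
            elif re.fullmatch(r"vpc \d+", cmd):
                info["vpcs"][int(cmd.split()[1])] = ctx
            elif cmd == "spanning-tree port type network":
                info["network_ports"].add(ctx)
    return info


def vpc_system_mac(domain_id):
    """0023.04ee.beXX as quoted on the page; assumption: XX is the domain ID in hex (IDs 1..255)."""
    if not 1 <= domain_id <= 255:
        raise ValueError("domain ID outside the single-byte range this helper handles")
    return "0023.04ee.be%02x" % domain_id


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Findings for one peer pair: vPC numbers must agree, port-channel numbers may differ."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if a["domain"] != b["domain"]:
        out.append(f"{name_a}/{name_b}: vPC domain IDs differ ({a['domain']} vs {b['domain']})")
    for name, info in ((name_a, a), (name_b, b)):
        if info["keepalive"] is None:
            out.append(f"{name}: no peer-keepalive destination, so the vPC domain cannot come up")
        if info["peer_link"] is None:
            out.append(f"{name}: no interface carries 'vpc peer-link'")
        for port in sorted(info["network_ports"] - {info["peer_link"]}):
            out.append(f"{name}: 'spanning-tree port type network' on {port}, which is not the peer-link")
    for n in sorted(set(a["vpcs"]) ^ set(b["vpcs"])):
        out.append(f"vPC {n} is defined on only one peer (missing on {name_b if n in a['vpcs'] else name_a})")
    return out


def check_layers(layers):
    """layers = {layer name: domain ID}; a double-sided topology needs a distinct ID per layer."""
    out, seen = [], {}
    for layer, dom in layers.items():
        if dom in seen:
            out.append(f"layers {seen[dom]} and {layer} reuse vPC domain ID {dom} "
                       f"(system MAC {vpc_system_mac(dom)} would be duplicated)")
        seen.setdefault(dom, layer)
    return out
```

Run check_pair on each pair, then check_layers on the domain IDs parse() returns for one member of each pair; with the constructed configs the 7K pair is clean and the 5K pair produces the three findings plus the cross-layer domain reuse.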

If an ordinary single-attached device is connected to just one of the two vPC peers (primary or secondary) and its link carries vPC VLANs, the port used for that connection is called an orphan port.

An orphan port has the following characteristics:
● A port on a vPC peer device (primary or secondary) that is connected to a single-attached device.
● A port on a vPC peer device (primary or secondary) that carries a vPC VLAN. If the port carries only non-vPC VLANs, it is no longer defined as an orphan port.

General Recommendation: When connecting a single-attached access device to a vPC domain using a vPC VLAN, always connect it to the vPC primary peer device. The reason is that when the vPC peer-link fails, the secondary peer suspends its vPC member ports and vPC VLAN SVIs, so any single-attached device connected to the secondary peer device (and using a vPC VLAN) becomes completely isolated from the rest of the network.

Strong Recommendations:
● Use separate Layer 3 links to connect an L3 device (like a router or a firewall in routed mode, for instance) to a vPC domain (Figure 50).
● Do not use a Layer 2 vPC to attach an L3 device to a vPC domain unless the L3 device can statically route to the HSRP address configured on the vPC peer devices.
● Use individual Layer 3 links for routed traffic and a separate Layer 2 port-channel for bridged traffic if both routed and bridged traffic are required.
● Enable Layer 3 connectivity between the vPC peer devices by configuring a VLAN network interface for the same VLAN on both devices or by using a dedicated L3 link between the 2 peer devices (for L3 backup routing path purposes).

Connecting a Layer 3 device to a vPC domain, and routing between data centers over DCI, follow one principle: never rely on the vPC peer-link to carry Layer 3 routing. Traffic that arrives over the peer-link is never forwarded out a vPC member port (the vPC loop-prevention rule), so routed traffic that has to transit the peer-link is black-holed. The fix is a separate link between the vPC peers, either a Layer 2 link carrying a non-vPC VLAN or a dedicated Layer 3 link, for that routing. Each Nexus then has the non-vPC VLAN and an SVI with an IP address in it, and OSPF can run between the peers over that path.

Strong Recommendation: Always build an L3 backup routed path for the vPC domain in order to increase network resilience and availability. Use an OSPF point-to-point adjacency (or an equivalent Layer 3 protocol) between the 2 vPC peer devices to establish a Layer 3 backup path to the core in case of uplink failures.

There are several ways to implement the L3 backup routing path.

Strong Recommendations: To build the L3 backup routing path, use the following options, listed in descending order of preference:
● Use a dedicated Layer 3 point-to-point link between the vPC peer devices to establish a Layer 3 backup path to the core.
● Use the already existing Layer 2 port-channel trunk ISL (Inter Switch Link) carrying non-vPC VLANs and create a dedicated VLAN/SVI to establish a Layer 3 neighborship.
● Use the vPC peer-link and create a dedicated VLAN/SVI to establish a Layer 3 neighborship (least recommended solution).

HSRP/VRRP

Configure the SVIs as passive interfaces in the routing protocol; this prevents the two peers from forming a routing adjacency with each other across the peer-link, so the backup routed path uses the dedicated link described above instead.

With multiple DCI links, the default HSRP behaviour is the one in the figure above: when 7K3 or 7K4 receives a request it is forwarded over the vPC Layer 2 link to 7K1, which does the routing. To get the HSRP behaviour in the figure below (an active gateway local to each site), the HSRP hello packets must be blocked across the DCI with a PACL.

PACL configuration to stop HSRPv1 hello messages:
ip access-list HSRPv1_Filtering
  10 deny udp any 224.0.0.2/32 eq 1985
  20 permit ip any any

PACL configuration to stop HSRPv2 hello messages:
ip access-list HSRPv2_Filtering
  10 deny udp any 224.0.0.102/32 eq 1985
  20 permit ip any any

PACL configuration to stop VRRP advertisements (VRRP is IP protocol 112 and carries no UDP port, so an entry written as "deny udp ... eq 1985" would never match it; the entry below matches the protocol number instead):
ip access-list VRRP_Filtering
  10 deny 112 any 224.0.0.18/32
  20 permit ip any any

Apply the list for the FHRP actually in use as an inbound PACL on the DCI port-channel:
interface port-channel10
  ip port access-group HSRPv1_Filtering in
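The three lists evaluated against sample hellos, as an added example (not from the page or from Cisco): a minimal first-match ACL evaluator in Python that applies the PACL entries above to constructed HSRPv1, HSRPv2 and VRRP packets. It keeps the VRRP entry in its original udp/1985 form next to the protocol-112 form to show that the original never matches a VRRP advertisement, and it models the implicit deny at the end of every ACL. The packet dictionaries and the evaluator's field names are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

PROTO_NUM = {"udp": 17, "tcp": 6}  # keyword protocols; numeric protocols are passed through


def ace(seq, action, proto, dst, port=None):
    """One access-control entry: (sequence, action, protocol, destination prefix, destination port)."""
    return (seq, action, proto, ip_network(dst), port)


# The PACLs from the page, expressed as ordered entries.
HSRPV1_FILTERING = [ace(10, "deny", "udp", "224.0.0.2/32", 1985), ace(20, "permit", "ip", "0.0.0.0/0")]
HSRPV2_FILTERING = [ace(10, "deny", "udp", "224.0.0.102/32", 1985), ace(20, "permit", "ip", "0.0.0.0/0")]
VRRP_FILTERING = [ace(10, "deny", 112, "224.0.0.18/32"), ace(20, "permit", "ip", "0.0.0.0/0")]
# The VRRP list in its original udp/1985 form: VRRP is not UDP, so entry 10 can never match.
VRRP_FILTERING_AS_WRITTEN = [ace(10, "deny", "udp", "224.0.0.18/32", 1985), ace(20, "permit", "ip", "0.0.0.0/0")]


def pacl_decision(acl, pkt):
    """First-match evaluation. pkt = {"proto": int, "dst": str, "dport": int|None}.
    Returns (action, matching sequence number); (\"deny\", None) is the implicit deny."""
    dst = ip_address(pkt["dst"])
    for seq, action, proto, net, port in acl:
        if proto != "ip" and PROTO_NUM.get(proto, proto) != pkt["proto"]:
            continue
        if dst not in net:
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action, seq
    return "deny", None


# Constructed sample packets carrying only the fields the PACL inspects.
HSRPV1_HELLO = {"proto": 17, "dst": "224.0.0.2", "dport": 1985}
HSRPV2_HELLO = {"proto": 17, "dst": "224.0.0.102", "dport": 1985}
VRRP_ADVERT = {"proto": 112, "dst": "224.0.0.18", "dport": None}
USER_TRAFFIC = {"proto": 6, "dst": "10.1.1.20", "dport": 443}


def blocked_hellos(acl):
    """Which of the three sample hellos the given list actually stops."""
    samples = {"hsrpv1": HSRPV1_HELLO, "hsrpv2": HSRPV2_HELLO, "vrrp": VRRP_ADVERT}
    return sorted(name for name, pkt in samples.items() if pacl_decision(acl, pkt)[0] == "deny")
```

Each list stops exactly one protocol's hellos and nothing else, which is why the PACL applied to the DCI port-channel has to be the one for the FHRP in use; the as-written VRRP list lets the advertisement through on its permit entry.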