RE: VPC with ASA in L3 mode

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Mon, 15 Apr 2013 10:58:17 -0500

You should be able to solve this routing over the vPC problem by putting the vPC peers into an HSRP/VRRP pair, and then pointing a static default route from the downstream device (e.g. the firewall) to the VIP of the HSRP group. This way your traffic from the firewall up to the vPC pair will use the virtual MAC address in the layer 2 header, which means that it doesn't matter if the traffic hashes left or right in the port-channel, because both vPC peers act as if they are the active HSRP/VRRP router.

I wouldn't necessarily say one design is better over the other, as long as it works that's really what matters. Doing two L3 links is probably a simpler design than routing over the vPC to an HSRP address, as this adds an extra step in complexity from a troubleshooting point of view if a problem does arise later.

One note on FabricPath: if you have multiple physical links between the same leaf/spine or spine/spine you still want to group these together in a port-channel, because of how the multi-destination tree is built for broadcast and multicast traffic. You could have a fabric of 320Gbps, but all your multicast traffic gets pinned to one single 10Gbps link if your multi-destination root isn't placed correctly in the fabric. Using port-channels plus FP at the same time allows the multi-destination tree to forward over the port-channel (and hence its members) vs. just one physical link.

Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com
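A constructed configuration sketch of the design described above (HSRP VIP on the vPC peers, static default route on the ASA) together with the LACP graceful-convergence point Joe Sanchez raises further down the thread. This is an added example, not configuration from any of the posters; all addresses, VLAN and port-channel numbers are assumed, and it assumes an NX-OS release that accepts `no lacp graceful-convergence` under the port-channel interface.

```text
! N7K-1 (vPC peer 1) -- constructed example; N7K-2 mirrors it with the
! peer-keepalive addresses swapped, SVI 10.100.0.3/24 and HSRP priority 100
feature vpc
feature lacp
feature hsrp
feature interface-vlan

vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  ! peer-gateway: let this peer route frames addressed to the other peer's
  ! physical MAC, so a hash that lands on the "wrong" peer is not dropped
  peer-gateway

interface port-channel10
  description vPC peer-link
  switchport mode trunk
  vpc peer-link

interface port-channel20
  description vPC member link toward the Active/Standby firewall pair
  switchport mode trunk
  switchport trunk allowed vlan 100
  ! Joe's point: stop NX-OS from gracefully re-adding LACP members after
  ! a failover, which drops packets with non-Cisco Active/Standby devices
  no lacp graceful-convergence
  vpc 20

interface Ethernet1/1
  switchport mode trunk
  channel-group 20 mode active

! Both peers run HSRP on the SVI; the firewall points at the VIP, so the
! L2 destination is the virtual MAC and either peer can forward the frame
interface Vlan100
  no shutdown
  ip address 10.100.0.2/24
  hsrp 100
    preempt
    priority 110
    ip 10.100.0.1

! ASA (routed mode) -- constructed; physical channel-group members omitted.
! The default route goes to the HSRP VIP, not to either peer's own address.
interface Port-channel20.100
  vlan 100
  nameif outside
  security-level 0
  ip address 10.100.0.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.100.0.1 1
```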

From: Gilles Fabre [mailto:fabre.gilles_at_voila.fr]
Sent: Monday, April 15, 2013 4:18 AM
To: Brian McGahan; Joe Sanchez
Cc: Vibeesh S; Cisco certification
Subject: Re: VPC with ASA in L3 mode

I am jumping on this subject since I am interested in your inputs.

We implemented recently connections between a pair of N7k vPC to Active/Passive FWs, using 20G connections to each FW.
We agreed on using 2 L3 links with classical Port-channel (not vPC) from FW1-N7k1 & FW2-N7k2 instead of vPC.
Would you agree this is the best design in that case ?

By the way, we have another customer using FP for their L2 between all Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices only, we decided not to use any vPC configuration on them; any comments on that specific design ?

Thanks & best regards
Gilles.

> Message of 14/04/13 at 07:47
> From : "Brian McGahan"
> To : "Joe Sanchez"
> Cc : "Vibeesh S" , "Cisco certification"
> Subject : Re: VPC with ASA in L3 mode
>
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC.
>
> This is really the key. There are instances where your layer 3 ECMP hashing and your layer 2 port channel hashing don't agree, in which case a layer 3 frame destined for vPC neighbor A gets layer 2 forwarded to vPC neighbor B, and it may or may not be dropped depending on whether it needs to go to a vPC member port or not. The end result is difficult to troubleshoot because packet loss will occur based on non-deterministic flow hashing.
>
> There are some ways to solve this problem depending on your design though. Post more details if you want more specific help.
>
> On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
>
> > Vibeesh,
> >
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC. For instance EIGRP over a vPC will not work properly. However I
> > have set up MANY vPCs to, for instance, Fortinet firewalls with no problems,
> > well, none that Fortinet didn't have to write new code for, in fact Cisco
> > ASAs as well. If you try doing dynamic routing over the vPC you will
> > start pulling your hair out trying to troubleshoot why it's not working
> > properly.
> >
> > If you are vPC'ing to a non-Cisco device such as firewalls with
> > Active/Standby you want to disable LACP graceful convergence. After doing
> > hours and hours of failover testing with devices other than Cisco that are
> > vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP doesn't
> > play well with other non-Cisco devices if you do not disable graceful
> > convergence. Cisco by default uses graceful convergence and if you have
> > Active/Passive firewalls and/or other devices that automatically fail over
> > back to the original active device you will lose packets due to the Cisco
> > side of the LACP links gracefully bringing the links back after a failure.
> >
> > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> >
> >> Cisco does not recommend having a vPC setup to an L3 device.
> >>
> >> If I use an SVI on the 7K and connect it to an ASA with vPC, which also has an
> >> EtherChannel, are there any issues that we foresee popping up ?
> >> Appreciate your response.
> >>
> >> --
> >> CCIE - R&S
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html


Received on Mon Apr 15 2013 - 10:58:17 ART

This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART