RE: VPC with ASA in L3 mode

From: Gilles Fabre <fabre.gilles_at_voila.fr>
Date: Tue, 16 Apr 2013 10:31:41 +0200 (CEST)

Many thanks Brian & Joe for your answers.

Thanks for the note concerning FabricPath & broadcast/multicast traffic.
In my understanding, configuring port-channels for multiple links increases the
number of possible equal-cost paths in FP by combining port-channel hashing (16
ports max) with IS-IS ECMP (16 paths), which would give something like
16*16=256 possible paths.

On the other hand, since the IS-IS cost is only based on the number of links in
the port-channel & not the number of ACTIVE links, some suboptimal paths can
be used in the case where only some interfaces of a port-channel go down (a
work-around could be configuring lacp min-links for the port-channel).

> Message of 15/04/13 at 17h58
> From: "Brian McGahan"
> To: "Gilles Fabre" , "Joe Sanchez"
> Cc: "Vibeesh S" , "Cisco certification"
> Subject: RE: VPC with ASA in L3 mode
>
> You should be able to solve this routing over the vPC problem by putting the
> vPC peers into an HSRP/VRRP pair, and then pointing a static default route
> from the downstream device (e.g. the firewall) to the VIP of the HSRP group.
> This way your traffic from the firewall up to the vPC pair will use the
> virtual MAC address in the layer 2 header, which means that it doesn't
> matter if the traffic hashes left or right in the port-channel, because both
> vPC peers act as if they are the active HSRP/VRRP router. I wouldn't
> necessarily say one design is better over the other, as long as it works
> that's really what matters. Doing two L3 links is probably a simpler design
> than routing over the vPC to an HSRP address, as this adds an extra step in
> complexity from a troubleshooting point of view if a problem does arise later.
>
> One note on the FabricPath, if you have multiple physical links between the
> same leaf/spine or spine/spine you still want to group these together in a
> port-channel, because of how the multi-destination tree is built for broadcast
> and multicast traffic. You could have a fabric of 320Gbps, but all your
> multicast traffic gets pinned to one single 10Gbps link if your
> multi-destination root isn't placed correctly in the fabric. Using
> port-channels plus FP at the same time allows the multi-destination tree to
> forward over the port-channel (and hence its members) vs. just one physical
> link.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> bmcgahan@INE.com
> Internetwork Expert, Inc.
> http://www.INE.com
>
> From: Gilles Fabre [mailto:fabre.gilles_at_voila.fr]
> Sent: Monday, April 15, 2013 4:18 AM
> To: Brian McGahan; Joe Sanchez
> Cc: Vibeesh S; Cisco certification
> Subject: Re: VPC with ASA in L3 mode
> I am jumping on this subject since I am interested in your inputs.
>
> We recently implemented connections between a pair of N7k vPC and
> Active/Passive FWs, using 20G connections to each FW.
> We agreed on using 2 L3 links with classical port-channel (not vPC) from
> FW1-N7k1 & FW2-N7k2 instead of vPC.
> Would you agree this is the best design in that case?
>
> By the way, we have another customer using FP for their L2 between all
> Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices only,
> we decided not to use any vPC configuration on them; any comments on that
> specific design?
>
> Thanks & best regards
> Gilles.
>
> > Message of 14/04/13 at 07h47
> > From: "Brian McGahan"
> > To: "Joe Sanchez"
> > Cc: "Vibeesh S" , "Cisco certification"
> > Subject: Re: VPC with ASA in L3 mode
> >
> > > I do not believe L3 is the problem, the problem is routing protocols over
> > > the vPC.
> >
> > This is really the key. There are instances where your layer 3 ECMP
> > hashing and your layer 2 port channel hashing don't agree, in which case a
> > layer 3 frame destined for vPC neighbor A gets layer 2 forwarded to vPC
> > neighbor B, and it may or may not be dropped depending on whether it needs to
> > go to a vPC member port or not. The end result is difficult to troubleshoot
> > because packet loss will occur based on non-deterministic flow hashing.
> >
> > There are some ways to solve this problem depending on your design though.
> > Post more details if you want more specific help.
> >
> > On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
> >
> > > Vibeesh,
> > >
> > > I do not believe L3 is the problem, the problem is routing protocols over
> > > the vPC. For instance EIGRP over a vPC will not work properly. However I
> > > have set up MANY vPCs to, for instance, Fortinet firewalls with no
> > > problems, well none that Fortinet didn't have to write new code for, in
> > > fact Cisco ASAs as well. If you try doing dynamic routing over the vPC you
> > > will start pulling your hair out trying to troubleshoot why it's not
> > > working properly.
> > >
> > > If you are vPC'ing to a non-Cisco device such as firewalls with
> > > Active/Standby you want to disable LACP graceful convergence. After doing
> > > hours and hours of failover testing with devices other than Cisco that are
> > > vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP
> > > doesn't play well with other non-Cisco devices if you do not disable
> > > graceful convergence. Cisco by default uses graceful convergence and if
> > > you have Active/Passive firewalls and/or other devices that automatically
> > > fail over back to the original active device you will lose packets due to
> > > the Cisco side of the LACP links gracefully bringing the links back after
> > > a failure.
> > >
> > > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> > >
> > >> Cisco does not recommend having a vPC setup to an L3 device.
> > >>
> > >> If I use an SVI on the 7K and connect it to an ASA with vPC, which also
> > >> has an EtherChannel, are there any issues that we foresee popping up?
> > >> Appreciate your response.
> > >>
> > >> --
> > >> CCIE - R&S
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
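The core point of the thread (Brian's explanation that the L3 ECMP hash and the L2 port-channel hash are independent, so a frame addressed to one vPC peer's MAC can physically arrive at the other peer, and Brian's fix of pointing a static default route at an HSRP VIP so every frame carries the virtual MAC) can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from any vendor: the SHA-256 buckets are a stand-in for the platform's real hashing, the MAC addresses and flows are constructed, and the only vPC rule modelled is that a frame received over the peer-link is not forwarded out a vPC member port.

```python
"""Model of why L3 ECMP over a vPC can drop traffic and why an HSRP VIP avoids it.

Constructed example: hash functions, MACs and flows are stand-ins. The only
vPC behaviour modelled is the loop-prevention rule that a frame received over
the peer-link is not forwarded out a vPC member port.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

PEER_A, PEER_B = "N7k1", "N7k2"
# Constructed MACs for each peer's SVI, and an HSRP v1 virtual MAC
# (HSRP v1 vMACs take the form 0000.0c07.acXX, XX = group number, here 10).
PEER_MAC = {PEER_A: "0000.0c11.1111", PEER_B: "0000.0c22.2222"}
HSRP_VMAC = "0000.0c07.ac0a"
# Port-channel member link 0 is cabled to N7k1, member link 1 to N7k2.
MEMBER_LINK_TO_PEER = {0: PEER_A, 1: PEER_B}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str


def _hash_bucket(seed: str, *fields: str, buckets: int) -> int:
    """Deterministic stand-in for a hardware hash. Different seeds model the
    fact that the L3 ECMP hash and the L2 port-channel hash are independent."""
    data = "|".join((seed, *fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % buckets


def l3_next_hop(flow: Flow) -> str:
    """Firewall has two equal-cost next-hops, one per vPC peer (ECMP)."""
    return (PEER_A, PEER_B)[_hash_bucket("ecmp", flow.src_ip, flow.dst_ip, buckets=2)]


def l2_member_link(flow: Flow, dst_mac: str) -> int:
    """Port-channel load balancing picks the physical member link."""
    return _hash_bucket("po", flow.src_ip, flow.dst_ip, dst_mac, buckets=2)


def forward_ecmp(flow: Flow, dst_behind_vpc: bool) -> str:
    """Routing over the vPC with a distinct next-hop (and MAC) per peer."""
    intended_peer = l3_next_hop(flow)
    arriving_peer = MEMBER_LINK_TO_PEER[l2_member_link(flow, PEER_MAC[intended_peer])]
    if arriving_peer == intended_peer:
        return "delivered"
    # Frame is addressed to the other peer's MAC, so it must cross the vPC
    # peer-link; loop prevention then blocks it from exiting a vPC member port.
    return "dropped" if dst_behind_vpc else "delivered-via-peer-link"


def forward_hsrp_vip(flow: Flow, dst_behind_vpc: bool) -> str:
    """Static default route to the HSRP VIP: every frame carries the vMAC and
    both vPC peers forward vMAC-addressed frames locally, so the link choice
    made by the port-channel hash no longer matters."""
    l2_member_link(flow, HSRP_VMAC)
    return "delivered"


def simulate(forward, flows, dst_behind_vpc: bool = True) -> dict:
    """Count outcomes for a set of flows under a forwarding model."""
    return dict(Counter(forward(f, dst_behind_vpc) for f in flows))


def sample_flows(n: int = 1000) -> list:
    """Constructed, distinct flows from a firewall-side range to a destination range."""
    return [Flow(f"10.1.{i // 254}.{i % 254 + 1}", f"192.0.2.{(i * 7) % 254 + 1}")
            for i in range(n)]


def mismatch_ratio(flows) -> float:
    """Fraction of flows whose L2 member link disagrees with their L3 next-hop."""
    bad = sum(1 for f in flows if forward_ecmp(f, True) == "dropped")
    return bad / len(flows)


if __name__ == "__main__":
    flows = sample_flows()
    print("ECMP over vPC, destination behind a vPC:", simulate(forward_ecmp, flows))
    print("ECMP over vPC, destination not on a vPC:", simulate(forward_ecmp, flows, False))
    print("Static route to HSRP VIP:", simulate(forward_hsrp_vip, flows))
    print(f"hash disagreement ratio: {mismatch_ratio(flows):.2f}")
```

Running it shows roughly half of the ECMP flows landing on the "wrong" peer, which is exactly the non-deterministic, hash-dependent packet loss Brian describes when the destination sits behind another vPC, while the HSRP VIP model delivers every flow regardless of which member link it hashes to.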
Received on Tue Apr 16 2013 - 10:31:41 ART
