Re: VPC with ASA in L3 mode

From: Joe Sanchez <marco207p_at_gmail.com>
Date: Tue, 16 Apr 2013 09:58:01 -0500

Exactly - Large Interstate Highway with 16 lanes, but only 1 Highway

On Tue, Apr 16, 2013 at 9:38 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> In my understanding, configuring port-channels for multiple links increases
> the number of possible equal paths of FP by combining Port-Channel hashing
> (16 ports max) in addition to IS-IS ECMP (16 paths)... what would be
> something like 16*16=256 possible paths.
>
>
> It actually decreases the number of equal cost paths and simplifies the
> IS-IS database. Think of it like two routers connected together by two
> routed links. You can configure ip subnets on both links and route on both
> links, which will give you two equal cost layer 3 paths. You can also
> channel them together and then route over the channel. This gives you only
> one layer 3 path but still two layer 2 paths.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
>
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> On Apr 16, 2013, at 3:31 AM, "Gilles Fabre" <fabre.gilles_at_voila.fr> wrote:
>
>
> Many thanks Brian & Joe for your answers.
>
> Thanks for the note concerning FabricPath & broadcast/multicast traffic.
> In my understanding, configuring port-channels for multiple links increases
> the number of possible equal paths of FP by combining Port-Channel hashing
> (16 ports max) in addition to IS-IS ECMP (16 paths)... what would be
> something like 16*16=256 possible paths.
>
> On the other hand, since the IS-IS cost is only based on the number of
> links in the port-channel and not the number of ACTIVE links, some suboptimal
> paths can be used in the case where only some interfaces of a port-channel
> go down (a work-around could be configuring lacp min-links for the
> Port-Channel).
>
> > Message of 15/04/13 at 17:58
> > From: "Brian McGahan"
> > To: "Gilles Fabre", "Joe Sanchez"
> > Cc: "Vibeesh S", "Cisco certification"
> > Subject: RE: VPC with ASA in L3 mode
> >
> >
>
> You should be able to solve this routing over the vPC problem by putting
> the vPC peers into an HSRP/VRRP pair, and then pointing a static default
> route from the downstream device (e.g. the firewall) to the VIP of the HSRP
> group. This way your traffic from the firewall up to the vPC pair will use
> the virtual MAC address in the layer 2 header, which means that it doesn't
> matter if the traffic hashes left or right in the port-channel, because
> both vPC peers act as if they are the active HSRP/VRRP router.
>
> I wouldn't necessarily say one design is better over the other; as long as
> it works, that's really what matters. Doing two L3 links is probably a
> simpler design than routing over the vPC to an HSRP address, as this adds an
> extra step in complexity from a troubleshooting point of view if a problem
> does arise later.
>
> One note on FabricPath: if you have multiple physical links between the
> same leaf/spine or spine/spine you still want to group these together in a
> port-channel, because of how the multi-destination tree is built for
> broadcast and multicast traffic. You could have a fabric of 320Gbps, but all
> your multicast traffic gets pinned to one single 10Gbps link if your
> multi-destination root isn't placed correctly in the fabric. Using
> port-channels plus FP at the same time allows the multi-destination tree to
> forward over the port-channel (and hence its members) vs. just one physical
> link.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> bmcgahan_at_INE.com
> Internetwork Expert, Inc.
> http://www.INE.com
> *From:* Gilles Fabre [mailto:fabre.gilles_at_voila.fr]
>
> > *Sent:* Monday, April 15, 2013 4:18 AM
> > *To:* Brian McGahan; Joe Sanchez
> > *Cc:* Vibeesh S; Cisco certification
> > *Subject:* Re: VPC with ASA in L3 mode
> > I am jumping on this subject since I am interested in your inputs.
> >
> > We recently implemented connections between a pair of vPC N7ks and
> > Active/Passive FWs, using 20G connections to each FW.
> > We agreed on using 2 L3 links with classical port-channel (not vPC) from
> > FW1-N7k1 & FW2-N7k2 instead of vPC.
> > Would you agree this is the best design in that case?
> >
> > By the way, we have another customer using FP for their L2 between
> > all Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices
> > only, we decided not to use any vPC configuration on them; any comments on
> > that specific design?
> >
> > Thanks & best regards
> > Gilles.
> >
> > > Message of 14/04/13 at 07:47
> > > From: "Brian McGahan"
> > > To: "Joe Sanchez"
> > > Cc: "Vibeesh S", "Cisco certification"
> > > Subject: Re: VPC with ASA in L3 mode
> > >
> > > > I do not believe L3 is the problem, the problem is routing protocols over
> > > > the vPC.
> > >
> > > This is really the key. There are instances where your layer 3 ECMP
> > > hashing and your layer 2 port channel hashing don't agree, in which case a
> > > layer 3 frame destined for vPC neighbor A gets layer 2 forwarded to vPC
> > > neighbor B, and it may or may not be dropped depending on whether it needs
> > > to go to a vPC member port or not. The end result is difficult to
> > > troubleshoot because packet loss will occur based on non-deterministic flow
> > > hashing.
> > >
> > > There are some ways to solve this problem depending on your design
> > > though. Post more details if you want more specific help.
> > >
> > > On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
> > >
> > > > Vibeesh,
> > > >
> > > > I do not believe L3 is the problem, the problem is routing protocols over
> > > > the vPC. For instance EIGRP over a vPC will not work properly. However, I
> > > > have set up MANY vPCs to, for instance, Fortinet firewalls with no
> > > > problems (well, none that Fortinet didn't have to write new code for), and
> > > > in fact Cisco ASAs as well. If you try doing dynamic routing over the vPC
> > > > you will start pulling your hair out trying to troubleshoot why it's not
> > > > working properly.
> > > >
> > > > If you are vPC'ing to a non-Cisco device such as firewalls with
> > > > Active/Standby you want to disable LACP graceful convergence. After doing
> > > > hours and hours of failover testing with devices other than Cisco that are
> > > > vPC'd to Nexus 5ks and 7ks, I've found that Cisco's version of LACP doesn't
> > > > play well with other non-Cisco devices if you do not disable graceful
> > > > convergence. Cisco by default uses graceful convergence, and if you have
> > > > Active/Passive firewalls and/or other devices that automatically fail over
> > > > back to the original active device you will lose packets due to the Cisco
> > > > side of the LACP links gracefully bringing the links back after a failure.
> > > >
> > > > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> > > >
> > > >> Cisco does not recommend having a vPC setup to an L3 device.
> > > >>
> > > >> If I use SVI on the 7K and connect it to an ASA with vPC, which also has
> > > >> an EtherChannel, are there any issues that we foresee popping up?
> > > >> Appreciate your response.
> > > >>
> > > >> --
> > > >> CCIE - R&S
> > > >>
> > > >> Blogs and organic groups at http://www.ccie.net
> > > >>
> > > >> _______________________________________________________________________
> > > >> Subscription information may be found at:
> > > >> http://www.groupstudy.com/list/CCIELab.html
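As an added illustration of the problem Brian describes (L3 ECMP and L2 port-channel hashing disagreeing, so a frame meant for vPC peer A lands on peer B) and of why pointing the downstream default route at an HSRP/VRRP VIP avoids it, here is a constructed Python model. It is not code from any of the posters; the MAC addresses, the hash functions and the two-peer/two-member topology are assumptions made for the example.

```python
"""Constructed model of the vPC routing problem discussed in this thread.

A downstream router (the firewall) has two equal-cost next hops, vPC peer A
and vPC peer B, but reaches them over one port-channel whose member links
terminate on A and B respectively. L3 ECMP and L2 port-channel member
selection hash different fields, so the frame for next hop A can leave on
the member that lands on B. What happens then depends on the destination
MAC: a peer's own MAC is owned by one peer only, while an HSRP/VRRP
virtual MAC is honoured by both vPC peers. MACs, hash inputs and the
two-peer/two-member topology are assumptions made for this example.
"""

import hashlib
from dataclasses import dataclass

# Constructed addresses: per-peer MACs and an HSRP-style virtual MAC.
PEER_MAC = {"A": "02:00:00:00:0a:01", "B": "02:00:00:00:0b:01"}
VIRTUAL_MAC = "00:00:0c:07:ac:01"
# Which vPC peer each port-channel member link physically terminates on.
MEMBER_TO_PEER = {0: "A", 1: "B"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _bucket(fields, buckets):
    """Stand-in for a platform hash: stable, but independent per field set."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def l3_next_hop(flow):
    """L3 ECMP: a 5-tuple-style hash chooses peer A or B as next hop."""
    fields = (flow.src_ip, flow.dst_ip, flow.src_port, flow.dst_port)
    return "A" if _bucket(fields, 2) == 0 else "B"


def l2_member(flow, dst_mac):
    """Port-channel load balancing: a different field set picks the member link."""
    return _bucket((dst_mac, flow.src_ip, flow.dst_ip), len(MEMBER_TO_PEER))


def forward(flow, use_virtual_mac, egress_is_vpc_member=True):
    """Return (next hop chosen by L3, peer the frame actually reached, delivered?)."""
    next_hop = l3_next_hop(flow)
    dst_mac = VIRTUAL_MAC if use_virtual_mac else PEER_MAC[next_hop]
    reached = MEMBER_TO_PEER[l2_member(flow, dst_mac)]
    if use_virtual_mac or reached == next_hop:
        # The receiving peer owns the destination MAC and routes the packet itself.
        return next_hop, reached, True
    # Wrong peer: the frame must cross the vPC peer-link to its owner, and vPC
    # loop prevention drops peer-link traffic that would egress a vPC member port.
    return next_hop, reached, not egress_is_vpc_member


def loss_rate(flows, use_virtual_mac, egress_is_vpc_member=True):
    """Fraction of flows dropped under the given design."""
    dropped = sum(1 for f in flows if not forward(f, use_virtual_mac, egress_is_vpc_member)[2])
    return dropped / len(flows)


def sample_flows(n):
    """Constructed flows: many clients to one server, varying source IP and port."""
    return [Flow(f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 40000 + i, 443) for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(1000)
    print("per-peer MACs, vPC egress    :", loss_rate(flows, use_virtual_mac=False))
    print("per-peer MACs, non-vPC egress:", loss_rate(flows, False, egress_is_vpc_member=False))
    print("HSRP/VRRP virtual MAC        :", loss_rate(flows, use_virtual_mac=True))
```

Running it shows the three cases from the thread side by side: with per-peer MACs and a vPC member port as egress, a flow-dependent fraction of traffic is lost; the same mismatched flows survive when the egress is not a vPC member port (the "may or may not be dropped" case); and with the virtual MAC no flow is lost, because whichever peer receives the frame forwards it. Because the loss depends on which hash buckets a flow happens to land in, it looks random in production, which is the troubleshooting pain both Brian and Joe describe.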

Received on Tue Apr 16 2013 - 09:58:01 ART

This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART