Quick Start Guide Virtual Port Channel (vPC)

Quick Start Guide :: Virtual Port Channel (vPC)
Architecture & Solutions Group, US Public Sector Advanced Services
Mark Stinnette, CCIE Data Center #39151
Date: 13 August 2013
Version 1.8.2

This Quick Start Guide (QSG) is a cookbook-style guide to deploying data center technologies, with end-to-end configurations for several commonly deployed architectures. The presentation provides end-to-end configurations mapped directly to commonly deployed data center architecture topologies. In this cookbook-style quick start guide, configurations are broken down in an animated, step-by-step process into a complete, clean end-to-end configuration based on Cisco best practices and strong recommendations. Each QSG contains set-the-stage content, technology component definitions, recommended best practices and, more importantly, different data center topology scenarios mapped directly to complete end-to-end configurations. This QSG is geared toward network engineers, network operators and data center architects, allowing them to quickly and effectively deploy these technologies in their data center infrastructure based on proven, commonly deployed designs.

vPC Configuration :: Commonly Deployed Designs :: Single-Sided vPC

In a single-sided vPC topology, access devices are directly dual-attached to a pair of Cisco Nexus 7000 Series Switches forming the vPC domain.

The access device can be any endpoint equipment (L2 switch, rack-mount server, blade server, firewall, load balancer, network attached storage [NAS] device). The only prerequisite for the access device is support for port-channeling (link aggregation) technology:
• LACP mode active
• LACP mode passive
• Static bundling (mode ON)

Strong Recommendation: Use the LACP protocol when connecting an access device to the vPC domain.

Depending on the type of line card used for the vPC member ports, the maximum number of port-channel member ports varies from 16 to 32:
– vPC with Cisco Nexus M1 Series module line card: 16 active member ports (8 on peer device 1 and 8 on peer device 2)
– vPC with Cisco Nexus F1/F2 Series module line card: 32 active member ports (16 on peer device 1 and 16 on peer device 2)

vPC Configuration :: Commonly Deployed Designs :: Double-Sided vPC (Dual-Layer vPC)

This topology superposes two layers of vPC domain, and the bundle between vPC domain 1 and vPC domain 2 is itself a vPC. The vPC domain at the bottom is used for active/active connectivity from endpoint devices to the network access layer. The vPC domain at the top is used for active/active FHRP at the L2/L3 boundary aggregation layer.

Benefits of the double-sided vPC topology over single-sided vPC:
• Enables a larger Layer 2 domain.
• Provides a more resilient architecture. In double-sided vPC, two access switches are connected to two aggregation switches, whereas in single-sided vPC one access switch is connected to two aggregation switches.
• Provides more bandwidth from the access to the aggregation layer. Using a Cisco Nexus F1 or F2 Series module line card for vPC and Cisco Nexus 5000 Series Switches with Release 4.1(3)N1(1a) or later, a vPC with 32 active member ports (that is, 320 Gbps) can be instantiated.

vPC Configuration :: Commonly Deployed Designs :: Hierarchical vPC (illustration purposes only)

This is an example only …

vPC Configuration :: Commonly Deployed Designs :: Enhanced vPC (EvPC)

EvPC (enhanced vPC) is the configuration where a FEX is vPC-attached to 2 different parent switches and the server is vPC-attached to the 2 FEXs (this design is also called 2-layer vPC). This is not supported on FEX with Nexus 7000 Series switches in vPC mode.

vPC Configuration :: Terminology & Components

(Diagram labels: vPC Peer-Keepalive Link, vPC Peer-Link, Dedicated Layer 3 Infrastructure, vPC Peer Device, vPC Member Port, vPC, vPC Domain, Orphan Port)

vPC :: The combined port-channel between the vPC peers and the downstream device. A vPC is a L2 port type: switchport mode trunk or switchport mode access.
vPC peer device :: A vPC switch (one of a Cisco Nexus 7000 Series pair).
vPC domain :: Domain containing the 2 peer devices. Only 2 peer devices max can be part of the same vPC domain.
vPC member port :: One of a set of ports (that is, port-channels) that form a vPC (or a port-channel member of a vPC).
vPC peer-link :: Link used to synchronize state between the vPC peer devices. It must be a 10-Gigabit Ethernet link. The vPC peer-link is a L2 trunk carrying the vPC VLANs.
vPC peer-keepalive link :: The keepalive link between vPC peer devices; this link is used to monitor the liveness of the peer device.
vPC VLAN :: VLAN(s) carried over the vPC peer-link and used to communicate via a vPC with a third device. As soon as a VLAN is defined on the vPC peer-link, it becomes a vPC VLAN.
non-vPC VLAN :: VLAN(s) that are not part of any vPC and not present on the vPC peer-link.
Orphan port :: A port that belongs to a single-attached device. A vPC VLAN is typically used on this port.
Cisco Fabric Services (CFS) protocol :: Underlying protocol running on top of the vPC peer-link, providing reliable synchronization and consistency-check mechanisms between the 2 peer devices.

vPC Configuration :: Benefits Overview

vPC is a virtualization technology that presents a pair of Nexus devices as a single Layer 2 logical node to the access layer devices or endpoints. vPC belongs to the Multichassis EtherChannel [MCEC] family of technology. A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus 7000 or 5000 Series devices to appear as a single port channel to a third device. The third device can be a switch, server, firewall, load balancer or any other networking device that supports link aggregation technology.

vPC provides the following technical benefits:
• Eliminates Spanning Tree Protocol (STP) blocked ports
• Uses all available uplink bandwidth (Layer 2 hashing algorithm)
• Allows dual-homed servers to operate in active-active mode
• Provides fast convergence upon link or device failure
• Offers dual active/active FHRP (default gateways) for servers
• Each peer device in the vPC domain runs its own control plane, and both devices work independently

Using vPC, you gain immediate operational and architectural advantages:
• Simplifies network design
• Builds a highly resilient and robust Layer 2 network
• Enables seamless virtual machine mobility and server high-availability clusters
• Scales available Layer 2 bandwidth, increasing bisectional bandwidth
• Grows the size of the Layer 2 network
• The vPC feature is included in the base NX-OS software license

vPC also leverages the native split-horizon/loop management provided by port-channeling technology: a packet entering a port-channel cannot immediately exit that same port-channel.

vPC Configuration :: vPC Spanning-Tree :: Recommendations

vPC Configuration :: vPC Feature Configuration

Feature (Benefit) :: Overview
• vPC auto-recovery (reload restore) (Increase high availability) :: (1) Provides a backup mechanism in case of a vPC peer-link failure followed by a vPC primary peer device failure; (2) both vPC peer devices reload (or DC power outage) but only one vPC peer comes up: this allows that one vPC device to assume the STP / vPC primary role and bring up all local vPCs (auto-recovery reload-delay).
• vPC Peer-Gateway (Service continuity) :: Allows a vPC switch to act as the active gateway for packets addressed to the peer router MAC (e.g. NAS).
• vPC orphan-ports suspend :: When the vPC peer-link goes down, the vPC secondary shuts down all vPC member ports as well as the orphan ports. This avoids isolating single-attached devices (FW, LB or NIC-teamed devices) during a vPC peer-link failure.
• vPC ARP sync (Improve convergence time) :: Improves convergence for Layer 3 flows after the vPC peer-link comes up or recovers from a failure.
• vPC Peer-Switch :: Virtualizes both vPC peer devices so they appear as a single STP root bridge.
• vPC Role & System Priority :: Manually set the vPC system priority to ensure the vPC peer devices are the primary devices on LACP. Manually set the vPC role as primary and secondary (deterministic).
• vPC Peer-keepalive :: Option 1 :: use the SUP mgmt interface on a dedicated OOB network. Option 2 :: use a separate L3 port-channel in a dedicated VRF.
• vPC Delay Restore :: Delays vPC member links from being brought up on the recovering vPC peer device. This allows the Layer 3 routing protocols to converge before any traffic is allowed on the vPC member links, resulting in a more graceful restoration and zero packet loss during the recovery phase. (This feature is enabled by default: 30 seconds.)

vPC Configuration :: Building a vPC Peer-Keepalive Link :: Nexus 7000 Best Practices

Option 1 :: Dedicated link(s) in a Layer 3 port-channel in its own dedicated VRF (e.g. PKAL VRF). Use separate line cards; 1 Gig ports are enough, otherwise you burn 10 Gig interfaces.
Option 2 :: Use the mgmt0 interfaces off the supervisors to a dedicated routable OOB network and use the management VRF; peer-keepalive traffic travels along with management traffic.
Option 3 :: As a last resort, route the peer-keepalive traffic over the Layer 3 infrastructure and use the default VRF.

vPC Configuration :: Building a vPC Peer-Keepalive Link :: Nexus 5000/6000 Best Practices

Option 1 :: Use the mgmt0 interfaces to a dedicated routable OOB network and use the management VRF; peer-keepalive traffic travels along with management traffic.
Option 2 (Nexus 5000 with L3 module) :: Dedicated link(s) in a Layer 3 port-channel in its own dedicated VRF (e.g. PKAL VRF). Use separate interfaces; this will burn 10 Gig interfaces.
Option 2 (Nexus 5000 without L3 module) :: Dedicated link(s) in a separate Layer 2 port-channel; have the peer-keepalive peer across SVIs, manually prune those VLANs off the peer-link (making them non-vPC VLANs), and only trunk the peer-keepalive VLAN across this Layer 2 port-channel. Due to the ISSU checks (show spanning-tree issu-impact), ISSU will fail; the workaround is to disable STP on this dedicated Layer 2 port-channel via the spanning-tree port type edge trunk command, assuming the global command spanning-tree port type edge bpdufilter default is enabled. This will burn 10 Gig interfaces.

vPC Configuration :: Build Peer-Keepalive & Peer-Link Infrastructure

Configuration (identical on 7K-1 and 7K-2; Po1 = peer-keepalive on e1/1 and e2/1, Po2 = peer-link on e3/1 and e4/1):

    feature lacp
    vlan 1-200
    vrf context PKAL
    interface port-channel 1
      vrf member PKAL
      ip address [….]/30
    interface e1/1, e2/1
      channel-group 1 mode active
    ------------------------------------------------------
    interface port-channel 2
      switchport
      switchport mode trunk
    interface e3/1, e4/1
      channel-group 2 force mode active

Create a dedicated VRF for the vPC peer-keepalive link (best practice).
Step 1 :: turn on the LACP feature
Step 2 :: define your VLANs
Step 3 :: build the peer-keepalive
Step 4 :: build the L2 port-channel for the peer-link

When building a vPC peer-link, follow these guidelines:
(1) The peer-keepalive link must be up first; ensure the peer-link member ports are 10 Gig interfaces
(2) Use a minimum of two 10 Gig ports (M1 up to 8 member ports & F1/F2 up to 16 member ports)
(3) Use at least two different line cards to increase the high availability of the peer-link

vPC Configuration :: Build STP & vPC Domain Configuration

(Optional config) When using vPC peer-switch in a 'hybrid' environment, use spanning-tree pseudo-information to load balance VLANs across the 2 peer devices.

7K-1:

    feature vpc
    vlan 1-200
    spanning-tree pathcost method long
    spanning-tree port type edge bpduguard default
    spanning-tree port type edge bpdufilter default
    no spanning-tree loopguard default
    spanning-tree vlan 1-200 priority 0
    spanning-tree pseudo-information
      vlan 1-200 root priority 4096
      vlan 1-100 designated priority 8192
      vlan 101-200 designated priority 16384
    vpc domain 1
      role priority 1
      system-priority 4096
      peer-keepalive destination [….] source [….] vrf PKAL
      peer-switch
      peer-gateway
      auto-recovery
      auto-recovery reload-delay
      delay restore 30
      ip arp synchronize

7K-2 (same as 7K-1 except for the designated priorities and the role priority):

    feature vpc
    vlan 1-200
    spanning-tree pathcost method long
    spanning-tree port type edge bpduguard default
    spanning-tree port type edge bpdufilter default
    no spanning-tree loopguard default
    spanning-tree vlan 1-200 priority 0
    spanning-tree pseudo-information
      vlan 1-200 root priority 4096
      vlan 1-100 designated priority 16384
      vlan 101-200 designated priority 8192
    vpc domain 1
      role priority 2
      system-priority 4096
      peer-keepalive destination [….] source [….] vrf PKAL
      peer-switch
      peer-gateway
      auto-recovery
      auto-recovery reload-delay
      delay restore 30
      ip arp synchronize

Step 1 :: turn on the vPC feature
Step 2 :: configure spanning-tree defaults
Step 3 :: configure spanning-tree VLAN root priorities
Step 4 :: configure the vPC domain (per best practices)
• Hard-set the Nexus 7K on the left to vPC role primary and the Nexus 7K on the right to vPC role secondary (deterministic)
• Enable peer-switch; when activated, both vPC peer devices must have the same STP priority set for all vPC VLANs, making them appear as a single STP root bridge
• Make the Nexus 7Ks control LACP establishment for all port-channels: (lowest) vPC domain id + system priority
• Enable peer-gateway, auto-recovery, delay restore and ip arp synchronize (per best practice) … see the Strong Recommendations & Key Notes sections
• Set up the peer-keepalive; use the correct VRF accordingly

vPC Configuration :: Complete the Peer-Link Configuration

Configuration (identical on 7K-1 and 7K-2):

    feature lacp
    feature vpc
    vlan 1-200
    vrf context PKAL
    interface port-channel 1
      vrf member PKAL
      ip address [….]/30
    interface e1/1, e2/1
      channel-group 1 mode active
    ------------------------------------------------------
    interface port-channel 2
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
      spanning-tree port type network
      vpc peer-link
    interface e3/1, e4/1
      channel-group 2 force mode active

Step 1 :: enable the vPC peer-link on the L2 port-channel
• Always perform VLAN pruning on the vPC peer-link with the allowed list of vPC VLANs; vPC VLANs must also be pruned on the vPC member ports as well
• Bridge Assurance is enabled by default when configuring the vPC peer-link (spanning-tree port type network); do NOT disable it on the vPC peer-link

vPC Configuration :: Build Peer-Keepalive & Peer-Link :: Access Layer

Peer-keepalive link: use the mgmt0 interfaces to a dedicated routable OOB network and use the management VRF (configured during initial device setup); this carries the peer-keepalive traffic along with management traffic.

Configuration (identical on 5K-1 and 5K-2; Po1 = peer-link on e1/1 and e1/2):

    feature lacp
    vlan 1-200
    vrf context management
      ip route 0.0.0.0/0 [….]
    interface mgmt0
      ip address [….]/24
    interface port-channel 1
      switchport
      switchport mode trunk
    interface e1/1 - 2
      channel-group 1 force mode active

Step 1 :: turn on the LACP feature
Step 2 :: define your VLANs
Step 3 :: build the L2 port-channel for the peer-link

vPC Configuration :: Build vPC Configuration :: Access Layer

Always use a different domain ID in a double-sided vPC topology; once configured, both peer devices use the vPC domain ID to automatically assign a unique vPC system MAC address, which is used as part of the LACP protocol.

Aggregation layer (7K-1 / 7K-2, as configured earlier; role priority 1 on 7K-1 and 2 on 7K-2):

    vpc domain 1
      role priority 1
      system-priority 4096
      peer-keepalive destination [….] source [….] vrf management
      peer-switch
      peer-gateway
      auto-recovery
      auto-recovery reload-delay
      delay restore 30
      ip arp synchronize

Access layer (5K-1 / 5K-2; role priority 1 on 5K-1 and 2 on 5K-2):

    feature lacp
    feature vpc
    vlan 1-200
    spanning-tree pathcost method long
    spanning-tree port type edge bpduguard default
    spanning-tree port type edge bpdufilter default
    no spanning-tree loopguard default
    vpc domain 10
      role priority 1
      system-priority 8096
      peer-keepalive destination [….] source [….] vrf management
      auto-recovery
      auto-recovery reload-delay
      delay restore 30
      ip arp synchronize

Manually set the vPC system priority to ensure the vPC peer devices are the primary devices on LACP at the aggregation layer and are not the primary devices on LACP at the access layer.
Step 1 :: turn on the vPC feature
Step 2 :: configure spanning-tree defaults
Step 3 :: configure the vPC domain (per best practices)

vPC Configuration :: Complete Peer-Link Configuration :: Access Layer

Configuration (identical on 5K-1 and 5K-2):

    feature lacp
    feature vpc
    vlan 1-200
    interface port-channel 1
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
      spanning-tree port type network
      vpc peer-link
    interface e1/1 - 2
      channel-group 1 force mode active

Step 1 :: enable the vPC peer-link on the L2 port-channel
• Always perform VLAN pruning on the vPC peer-link with the allowed list of vPC VLANs; vPC VLANs must also be pruned on the vPC member ports as well
• Bridge Assurance is enabled by default when configuring the vPC peer-link (spanning-tree port type network); do NOT disable it on the vPC peer-link

vPC Configuration :: Build Double-Sided vPC

Configure the vPC member port as spanning-tree port type normal. Keep the Spanning Tree root function on the aggregation layer of the network; on each vPC peer device, configure root guard on the ports connected to access devices.

Aggregation layer (identical on 7K-1 and 7K-2; member ports e1/13 and e2/13):

    interface port-channel 10
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
      spanning-tree port type normal
      spanning-tree guard root
      vpc 10
    interface e1/13, e2/13
      channel-group 10 force mode active
    port-channel load-balance src-dst ip-l4port-vlan

Access layer (identical on 5K-1 and 5K-2; member ports e1/9 and e1/10):

    interface port-channel 10
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
      spanning-tree port type normal
      vpc 10
    interface e1/9, e1/10
      channel-group 10 force mode active
    port-channel load-balance src-dst ip-l4port-vlan

Step 1 :: enable vPC on the member ports
Step 2 :: enable the spanning-tree port configurations
Step 3 :: change the port-channel load-balancing method
• The configuration of the vPC member port must match on both vPC peer devices. If there is an inconsistency, a VLAN or the entire port-channel may be suspended (depending on whether the type-1 or type-2 consistency check for the vPC member port fails).
• Use the same vPC ID as the port-channel ID for ease of configuration, monitoring and troubleshooting.
• Use source-destination IP, L4 port and VLAN as the fields for the port-channel load-balancing hashing algorithm; this improves fair usage of all member ports forming the port-channel.
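The consistency requirement above can be checked offline before a change window. The following is an added example (not from the presentation and not Cisco code): it parses the port-channel blocks of two constructed NX-OS snippets and reports, per vPC ID, the mismatches that would suspend the whole vPC or drop individual VLANs from it; which parameters are treated as type-1 versus VLAN-level (type-2) is an assumption modelled on the slide's description.

```python
"""Offline vPC member-port consistency check across two peers (added example)."""
import re

# Assumed classification: a mismatch in one of these suspends the whole vPC
# (type-1); a VLAN-list mismatch only drops the affected VLANs (type-2).
TYPE1_PARAMS = ("switchport mode", "spanning-tree port type", "spanning-tree guard")
VLAN_PARAM = "switchport trunk allowed vlan"


def expand_vlans(spec):
    """'1-200' or '10, 20' -> frozenset of VLAN numbers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)


def parse_port_channels(config):
    """Return {port_channel_id: {param: value}} for each 'interface port-channel N' block."""
    chans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface port-channel\s*(\d+)", line)
        if m:
            current = chans.setdefault(int(m.group(1)), {})
            continue
        if line.startswith("interface ") or current is None:
            current = None  # member-interface blocks are not compared here
            continue
        if line.startswith(VLAN_PARAM):
            current[VLAN_PARAM] = expand_vlans(line[len(VLAN_PARAM):])
        elif line.startswith("switchport mode"):
            current["switchport mode"] = line.split()[-1]
        elif line.startswith("spanning-tree port type"):
            current["spanning-tree port type"] = " ".join(line.split()[3:])
        elif line.startswith("spanning-tree guard"):
            current["spanning-tree guard"] = line.split()[-1]
        elif re.fullmatch(r"vpc \d+", line):
            current["vpc"] = int(line.split()[1])
    return chans


def check_vpc_consistency(cfg_peer1, cfg_peer2):
    """Return a list of (vpc_id, severity, message), ordered by vPC ID.

    severity: 'suspend' = whole vPC suspended, 'vlan' = VLANs removed from the
    vPC, 'note' = nothing suspends (slide recommendation only).
    """
    by_vpc = []
    for cfg in (cfg_peer1, cfg_peer2):
        chans = parse_port_channels(cfg)
        by_vpc.append({v["vpc"]: (po, v) for po, v in chans.items() if "vpc" in v})
    p1, p2 = by_vpc
    findings = []
    for vpc_id in sorted(set(p1) | set(p2)):
        if vpc_id not in p1 or vpc_id not in p2:
            findings.append((vpc_id, "suspend", "vPC configured on only one peer"))
            continue
        (po1, a), (po2, b) = p1[vpc_id], p2[vpc_id]
        if po1 != po2:
            findings.append((vpc_id, "note", f"port-channel IDs differ ({po1} vs {po2}); "
                             "slide recommends vPC ID == port-channel ID"))
        for param in TYPE1_PARAMS:
            if a.get(param) != b.get(param):
                findings.append((vpc_id, "suspend", f"type-1 mismatch on '{param}': "
                                 f"{a.get(param)!r} vs {b.get(param)!r}"))
        one_side_only = a.get(VLAN_PARAM, frozenset()) ^ b.get(VLAN_PARAM, frozenset())
        if one_side_only:
            findings.append((vpc_id, "vlan", f"VLANs {sorted(one_side_only)} allowed on one "
                             "peer only; they are removed from the vPC"))
    return findings


# Constructed sample configs: peer 2 prunes VLANs 151-200 on vPC 10 and uses a
# different STP port type on vPC 30.
PEER1_CFG = """
interface port-channel 10
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1-200
  spanning-tree port type normal
  spanning-tree guard root
  vpc 10
interface e1/13, e2/13
  channel-group 10 force mode active
interface port-channel 30
  spanning-tree port type edge trunk
  vpc 30
"""
PEER2_CFG = PEER1_CFG.replace("allowed vlan 1-200", "allowed vlan 1-150") \
                     .replace("port type edge trunk", "port type normal")

if __name__ == "__main__":
    for vpc_id, severity, msg in check_vpc_consistency(PEER1_CFG, PEER2_CFG):
        print(f"vPC {vpc_id}: [{severity}] {msg}")
```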

vPC Configuration :: Build vPC :: Standalone Switch & LACP-Enabled Server

7K-1 / 7K-2 (identical; e3/13 towards the standalone switch as vPC 20, e3/14 towards the server as vPC 30):

    interface port-channel 20
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
      spanning-tree port type normal
      spanning-tree guard root
      vpc 20
    interface e3/13
      channel-group 20 force mode active
    interface port-channel 30
      spanning-tree port type edge trunk
      vpc 30
    interface e3/14
      channel-group 30 force mode active

Standalone switch (uplinks e1/25 and e1/26):

    interface port-channel 20
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 1-200
    interface e1/25, e1/26
      channel-group 20 force mode active

Step 1 :: enable vPC on the member ports and enable the spanning-tree port configurations accordingly

vPC Configuration :: Build Enhanced vPC :: Nexus 5000 & Nexus 2000 FEX

Configuration (identical on 5K-1 and 5K-2; e1/28 towards FEX 100 as vPC 100, e1/29 towards FEX 199 as vPC 199, the server dual-attached on e100/1/1 and e199/1/1 as Po1000):

    feature lacp
    feature fex
    fex 100
      pinning max-links 1
    fex 199
    interface port-channel 100
      switchport mode fex-fabric
      vpc 100
      fex associate 100
    interface port-channel 199
      switchport mode fex-fabric
      vpc 199
      fex associate 199
    interface e1/28
      channel-group 100
    interface e1/29
      channel-group 199
    interface port-channel 1000
      switchport mode trunk
      switchport trunk allowed vlan 10, 20
      spanning-tree port type edge trunk
    interface e100/1/1, e199/1/1
      channel-group 1000 force mode active

Notice that in the 5K/2K EvPC topology you DON'T need the vpc command under the port-channel towards the server.

vPC Configuration :: Build Straight-Through vPC :: Nexus 7000 & Nexus 2000 FEX

Straight-through topology (the only supported topology between 7K & 2K FEX); default VDC only. Configuration (identical on 7K-1 and 7K-2; each 7K owns its own FEX 199 over e5/28 and e6/28, and the server dual-attaches on e199/1/1 of each FEX as vPC 1000):

    install feature-set fex
    feature lacp
    feature-set fex
    fex 199
      pinning max-links 1
    interface port-channel 199
      switchport mode fex-fabric
      fex associate 199
    interface e5/28, e6/28
      channel-group 199
    interface port-channel 1000
      switchport mode trunk
      switchport trunk allowed vlan 10, 20
      spanning-tree port type edge trunk
      vpc 1000
    interface e199/1/1
      channel-group 1000 force mode active

Notice that in the 7K/2K straight-through topology you DO need the vpc command under the port-channel towards the server.

FET is an optical transceiver that provides a highly cost-effective solution for connecting a FEX to its parent switch (7K, 5K, 6K). Note that a FET can only be used to connect fabric links between the Fabric Extender and the parent switch; a FET-10G must be connected to another FET-10G.

vPC Configuration :: Build a vPC :: ASA Firewall Appliance

7K-1 (e6/13 towards the ASA as vPC 80):

    feature interface-vlan
    feature hsrp
    interface port-channel 80
      switchport mode trunk
      switchport trunk allowed vlan 100, 200
      spanning-tree port type edge trunk
      vpc 80
    interface e6/13
      channel-group 80 force mode active
    interface vlan 200
      ip address 20.20.20.6/24
      no ip redirects
      hsrp 200
        preempt
        ip 20.20.20.254
    ip route 10.10.10.0/24 20.20.20.1

7K-2 (same as 7K-1 except for the SVI address and the HSRP priority):

    interface vlan 200
      ip address 20.20.20.5/24
      no ip redirects
      hsrp 200
        preempt
        priority 110
        ip 20.20.20.254
    ip route 10.10.10.0/24 20.20.20.1

ASA-5585-X (GigabitEthernet0/0 and 0/1 bundled as port-channel 80):

    interface GigabitEthernet0/0
      channel-group 80 mode active
      no nameif
      no security-level
      no ip address
    interface GigabitEthernet0/1
      channel-group 80 mode active
      no nameif
      no security-level
      no ip address
    interface Port-channel80
      port-channel load-balance vlan-src-dst-ip
    interface Port-channel80.100
      vlan 100
      nameif inside
      security-level 99
      ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
    interface Port-channel80.200
      vlan 200
      nameif outside
      security-level 1
      ip address 20.20.20.1 255.255.255.0 standby 20.20.20.2
    route outside 0.0.0.0 0.0.0.0 20.20.20.254

Subnet 10.10.10.0/24 is serviced by the ASA in this example. See the VMDC Architecture for more virtual firewall configuration use cases and best practices.

vPC Configuration :: vPC Layer 2 & Layer 3 Separation :: Designs

• Separate the Layer 3 (routed traffic) and Layer 2 (bridged traffic) infrastructure.
• Use a dedicated Layer 3 point-to-point link between the vPC peer devices as a backup path to the core.
• You CAN'T dynamically route over a vPC (road-mapped for version 7.x).
• Use a dedicated Layer 2 port-channel trunk for non-vPC VLANs and create a dedicated VLAN/SVI to establish the Layer 3 relationship (note that those VLANs are not on the peer-link; they are manually pruned off).
• Firewalls attached in a vPC: use static routing (ASA static route to HSRP on the Nexus; Nexus static route to the ASA VIP).
• Firewalls attached in a VRF sandwich: separate vPC attachment.

vPC Configuration :: Build Layer 3 Routing & FHRP :: Dedicated Layer 3 Infrastructure

Topology (from the slide diagram): 7K-1 and 7K-2 are joined by routed port-channel 5 (e1/32 and e2/32 on each side); the diagram also shows e3/32 on each 7K and vPC 10 toward 5K-1 / 5K-2.

7K-1:
    feature lacp
    feature ospf
    feature interface-vlan
    feature hsrp
    vlan 1-200
    interface loopback0
      ip address [….]/32
    router ospf 1
      router-id [….]
      log-adjacency-changes detail
      auto-cost reference-bandwidth 100Gbps
    interface port-channel 5
      ip address [….]/30
      ip router ospf 1 area 0.0.0.0
      ip ospf network point-to-point
    interface e1/32, e2/32
      channel-group 5 force mode active
    interface e3/32
    interface vlan 100
      ip address [10.10.10.2]/24
      no ip redirects
      ip router ospf 1 area 0.0.0.10
      ip ospf passive-interface
      hsrp 100
        preempt
        priority 110
        ip [10.10.10.1]

7K-2:
    feature lacp
    feature ospf
    feature interface-vlan
    feature hsrp
    vlan 1-200
    interface loopback0
      ip address [….]/32
    router ospf 1
      router-id [….]
      log-adjacency-changes detail
      auto-cost reference-bandwidth 100Gbps
    interface port-channel 5
      ip address [….]/30
      ip router ospf 1 area 0.0.0.0
      ip ospf network point-to-point
    interface e1/32, e2/32
      channel-group 5 force mode active
    interface e3/32
    interface vlan 100
      ip address [10.10.10.3]/24
      no ip redirects
      ip router ospf 1 area 0.0.0.10
      ip ospf passive-interface
      hsrp 100
        preempt
        ip [10.10.10.1]

- Use a dedicated Layer 3 point-to-point link between the vPC peer devices as the backup path to the core.
- Define the SVI associated with HSRP as a passive routing interface to avoid forming a routing adjacency over the vPC peer-link.
- Define the vPC primary peer device as the active HSRP instance and the vPC secondary peer device as the standby HSRP (from a control-plane standpoint) for ease of operations.
- Disable IP redirects (no ip redirects) on the interface VLAN where HSRP is configured.

vPC Configuration :: vPC Failure Scenarios :: 7K & 5K

Failure 1 :: Peer-keepalive fails
- Nothing happens; no traffic loss. The roles stay Primary / Secondary.

Failure 2 :: Peer-link fails on the aggregation layer
- The vPC member ports are shut down and all vPC VLAN interfaces (SVIs) are shut down, so there are no more L3 advertisements; all of this happens on the secondary vPC peer device.

Failure 3 :: Peer-link fails on the access layer
- Traffic to single-attached devices connected to the vPC peer device with the secondary role is black-holed.

Failure 4 :: Peer-keepalive fails + peer-link fails (split brain)
- When the PKL fails and then the PL fails (in this order), you have a dual-active situation. While both links are down, the primary vPC peer device remains primary and the secondary vPC device becomes operational primary.
- In a vPC environment only the operational primary switch behaves as the STP root and processes BPDUs; the secondary switch does not process BPDUs (regardless of which switch is configured as the STP root).
- Existing flows continue to be forwarded as before the failure, but learning for new flows is impaired, and uncertain forwarding (or a broken state) for new flows will be observed.
- When the links come back up, the originally primary switch sees that there is already an operational primary switch (the original secondary) behaving like the STP root and processing BPDUs. If the originally primary switch tried to reclaim the primary role at this point, it would add convergence time while the operational root role is switched; hence the vPC primary (and acting STP root) role is not reclaimed, to avoid additional convergence time.

vPC Configuration :: vPC Failure Scenarios :: 5K & 2K FEX

Failure 1 :: Peer-link fails on the FEX parent switch at the access layer
- No traffic loss. Only the vPC member ports facing the aggregation layer (northbound) are shut down, and the NIF interfaces on the FEX facing the secondary vPC peer device are lost; all traffic is forwarded from both FEXs to the primary vPC peer device.
- Single-attached hosts connected to the FEX are unaffected.

Failure 2 :: Single FEX fails or loses power
- The 5K parent switches have lost communication with the failed FEX, so all host traffic is forwarded out the secondary FEX.
- Minimal to no traffic loss when hosts are dual-attached with LACP; active/standby NIC teaming fails over to the secondary FEX.
- Traffic to devices connected only to the failed FEX is black-holed.

vPC Configuration :: vPC Bridge Assurance

(Figures: "Without Bridge Assurance" / "With Bridge Assurance")

Bridge Assurance prevents a spanning-tree domain from failing in an "open" state. When a port configured for Bridge Assurance stops receiving BPDUs, the port transitions into a "blocking" state instead of remaining in a "forwarding" state. This "closed" state reduces the likelihood of misconfigured devices creating STP loops.

- 'spanning-tree bridge assurance' is enabled by default for all 'network' port types.
- Specifies bidirectional transmission of BPDUs on all ports of type "network".
- Protects against unidirectional links and peer-switch software issues.
- Provides IGP-like hello/dead timer behavior for Spanning Tree.
- Available in all versions of NX-OS; in IOS on the Catalyst 6500 beginning with 12.2(33)SXI.
- Recommended in STP topologies.
- Not recommended in vPC topologies except on the peer-link (default).

vPC Configuration :: Checking vPC Configuration Consistency :: Type 1 & Type 2

There are two types of consistency checks:
- Type-1 :: Puts the peer device or interface into a suspended state to prevent invalid packet-forwarding behavior. With the vPC Graceful Consistency check, suspension occurs only on the secondary peer device.
- Type-2 :: The peer device or interface still forwards traffic; however, it is subject to undesired packet-forwarding behavior.

Type-1 and Type-2 consistency checks apply both to the global configuration and to the vPC interface configuration.

show vpc consistency-parameters global (displays the global type-1 consistency parameters)

    Parameter Name                        Value
    Spanning Tree Protocol (STP) mode     RPVST or MST
    STP enable/disable state per VLAN     Yes / No
    STP region configuration for MST      Region name, revision, instance-to-VLAN mapping
    STP global settings                   Bridge Assurance settings, port type settings, Loop Guard settings, BPDU filter settings, MST simulate PVST enable/disable

show vpc consistency-parameters interface port-channel [id] (displays the interface type-1 consistency parameters)

    Parameter Name                        Value
    Port-channel LACP mode                ON, ACTIVE, PASSIVE
    Link speed & duplex per port-channel  Speed in Mbps & half/full duplex
    Switchport mode per port-channel      Trunk / Access, native VLAN
    STP interface settings                Port type setting, Loop Guard, Root Guard, MST simulate PVST enable/disable
    MTU per port-channel                  Maximum Transmission Unit (MTU) value

vPC Configuration :: Checking vPC Configuration Consistency :: Type 1 & Type 2

If any of the vPC Type-2 parameters listed in the table below are not configured identically on both vPC peer devices, the inconsistent configuration can cause undesirable behavior in the traffic flow.

Type-2 consistency check parameters:

    Parameter Name                                   Value
    MAC aging timers                                 The MAC aging timer for a particular VLAN should be the same on both vPC peer devices
    Static MAC entries                               Static MAC entries in a particular VLAN should be applied on both vPC peer devices
    VLAN interface (switch virtual interface [SVI])  Each peer device must have a VLAN interface configured for the same VLAN on both ends, and this VLAN interface must be in the same operational state
    ACL configuration and parameters                 ACL configuration should be identical on both vPC peer devices
    QoS configuration and parameters                 QoS configuration should be identical on both vPC peer devices
    STP interface settings                           BPDU filter, link type (auto, point-to-point, shared), cost, port-priority; STP interface settings should be identical on both vPC peer devices
    VLAN database                                    You must create all VLANs on both the primary and secondary vPC peer devices, or the VLAN will be suspended. VLANs configured on only one peer device do not pass traffic using the vPC or vPC peer-link
    Port security                                    NAC, Dynamic ARP Inspection, IP Source Guard and port security must be identical on both vPC peer devices
    Cisco TrustSec                                   Cisco TrustSec configuration should be identical on both vPC peer devices
    DHCP snooping                                    DHCP snooping configuration should be identical on both vPC peer devices
    IGMP snooping                                    IGMP snooping configuration should be identical on both vPC peer devices
    HSRP                                             HSRP configuration should be identical on both vPC peer devices
    PIM                                              PIM configuration should be identical on both vPC peer devices
    GLBP                                             GLBP configuration should be identical on both vPC peer devices
    All routing protocol configurations              Routing configuration should be consistent on both vPC peer devices
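The Type-1 and Type-2 tables on the two consistency slides above decide whether a mismatch suspends a vPC or only misforwards. As an added example that is not part of the original slide deck, the following Python checker diffs two peers' parameters against those tables; the parameter names and the two peer configurations are constructed sample data.

```python
"""Added example, not part of the original slide deck: a checker that diffs the
vPC consistency parameters of two peer devices and labels every mismatch as
Type-1 (suspension) or Type-2 (still forwarding, possibly incorrectly), as the
slides describe. Parameter names follow the slides' tables; the peer
configurations at the bottom are constructed sample data."""
from dataclasses import dataclass
from typing import List

# Global Type-1 parameters ("show vpc consistency-parameters global").
TYPE1_GLOBAL = {
    "stp_mode", "stp_enabled_vlans", "mst_region", "bridge_assurance",
    "stp_port_type", "loop_guard", "bpdu_filter", "mst_simulate_pvst",
}
# Per-port-channel Type-1 parameters
# ("show vpc consistency-parameters interface port-channel [id]").
TYPE1_INTERFACE = {
    "lacp_mode", "speed", "duplex", "switchport_mode", "native_vlan",
    "stp_port_type", "loop_guard", "root_guard", "mst_simulate_pvst", "mtu",
}


@dataclass(frozen=True)
class Mismatch:
    scope: str        # "global" or "port-channel <id>"
    parameter: str
    check_type: int   # 1 = suspends, 2 = forwards with undesired behaviour
    effect: str


def _effect(scope: str, check_type: int, graceful: bool) -> str:
    """Impact the slides attribute to each class of mismatch."""
    if check_type == 2:
        return "traffic still forwarded; undesired forwarding behaviour possible"
    where = "secondary peer only" if graceful else "both peers"
    what = "all vPCs of the peer" if scope == "global" else scope
    return f"{what} suspended on {where}"


def compare_peers(primary: dict, secondary: dict, scope: str,
                  graceful: bool = True) -> List[Mismatch]:
    """Compare one scope (global or a single port-channel) on both peers.

    Anything not in the Type-1 table for that scope is treated as Type-2:
    it will not suspend the vPC, but the peers still disagree on it.
    `graceful` mirrors the vPC graceful consistency check (on by default),
    which confines a Type-1 suspension to the secondary peer.
    """
    type1 = TYPE1_GLOBAL if scope == "global" else TYPE1_INTERFACE
    found = []
    for key in sorted(set(primary) | set(secondary)):
        if primary.get(key) == secondary.get(key):
            continue
        check_type = 1 if key in type1 else 2
        found.append(Mismatch(scope, key, check_type,
                              _effect(scope, check_type, graceful)))
    return found


# Constructed sample: the peers agree on everything except the global
# BPDU-filter and MAC-aging settings and the MTU/STP cost on port-channel 80.
PEER1_GLOBAL = {"stp_mode": "mst", "bridge_assurance": True,
                "bpdu_filter": False, "mac_aging": 1800}
PEER2_GLOBAL = {"stp_mode": "mst", "bridge_assurance": True,
                "bpdu_filter": True, "mac_aging": 300}
PEER1_PO80 = {"lacp_mode": "active", "switchport_mode": "trunk",
              "mtu": 1500, "stp_cost": 4}
PEER2_PO80 = {"lacp_mode": "active", "switchport_mode": "trunk",
              "mtu": 9216, "stp_cost": 8}


def audit() -> List[Mismatch]:
    """Run both scopes and return every mismatch found."""
    return (compare_peers(PEER1_GLOBAL, PEER2_GLOBAL, "global")
            + compare_peers(PEER1_PO80, PEER2_PO80, "port-channel 80"))


if __name__ == "__main__":
    for m in audit():
        print(f"[Type-{m.check_type}] {m.scope}: {m.parameter} -> {m.effect}")
```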

vPC Configuration :: Strong Recommendations and Key Notes

- Always use a different domain ID in a double-sided vPC topology.
- From an operations perspective, define the vPC primary on the left Nexus and the vPC secondary on the right Nexus (role priority).
- When configuring a large number of VLANs in a vPC environment, use the range command (vlan x-z) rather than configuring them one at a time.
- Create a dedicated VRF for the vPC peer-keepalive link (i.e. vrf context PKAL).
- When building a vPC peer-link, follow these guidelines:
  - The peer-keepalive link must be up first; ensure the peer-link member ports are 10 Gig interfaces.
  - Use a minimum of two 10 Gig ports (M1: up to 8 member ports; F1/F2: up to 16 member ports).
  - Use at least two different line cards to increase the high availability of the peer-link.
  - Use dedicated-mode 10 Gig ports on the M1 32 line card rather than shared-mode ports.
  - Split vPC and non-vPC VLANs onto different inter-switch port-channels.
  - Don't insert any device between the vPC peers; a peer-link is a point-to-point link.
  - Any vPC VLAN allowed on a vPC member port MUST be allowed on the vPC peer-link.
  - Always perform VLAN pruning on the vPC peer-link with an allowed list of vPC VLANs; the vPC VLANs must have been pruned on the vPC member port beforehand.
  - If the M1 32 is used for both the vPC peer-link and the L3 uplinks to the L3 core, use the vPC object tracking feature.
- When building a vPC member port, follow these guidelines:
  - The configuration of the vPC member port must match on both vPC peer devices.
  - If there is an inconsistency, a VLAN or the entire port-channel may be suspended (depending on whether the vPC member port fails a type-1 or a type-2 consistency check).
  - Use the same vPC ID as the port-channel ID for ease of configuration, monitoring and troubleshooting.
  - With the M1 Series line card, up to 8 active ports can be bundled, so a 16-way port-channel can be built for the whole vPC.
  - With the F1/F2 Series line card, up to 16 active ports can be bundled, so a 32-way port-channel can be built for the whole vPC.
  - Do not mix different port types (M1, F1, F2) in the same vPC member port; this is not allowed by the software.
  - Both sides of the vPC member ports must be of the same port type.

vPC Configuration :: Strong Recommendations and Key Notes

- The vPC peer-keepalive link carries a periodic heartbeat (UDP 3200) between the vPC peer devices. It is used at boot-up of the vPC systems to guarantee that both peer devices are up before forming the vPC domain, and also when the vPC peer-link goes down; in the latter case the vPC peer-keepalive link is leveraged to detect a split-brain scenario (both vPC peer devices active-active). When the vPC peer-link is down there is no longer any real-time synchronization between the 2 peer devices, so the vPC systems must react to this active-active situation; this is done by shutting down the vPC member ports on the secondary peer device.
- The vPC peer-keepalive link is a prerequisite for the vPC domain to form initially (i.e. prior to the vPC peer-link configuration, and also if the peer-link comes up before the peer-keepalive is up).
- vPC has 3 timers: hold-timeout (default 3 s), timeout (default 5 s) and hello interval (default 1 s).
  - The hold-timeout starts once the vPC peer-link goes to a down state; during this period the secondary vPC peer ignores any peer-keepalive hello messages.
  - During the timeout period, the secondary vPC peer device looks for vPC peer-keepalive hello messages from the primary vPC peer device. If a single hello is received, the secondary vPC peer concludes that there must be a dual-active scenario and therefore disables all its vPC member ports (that is, all port-channels that carry the keyword vpc).
- Command-line configuration to modify the vPC timers (under the vPC domain configuration context):
    peer-keepalive destination ipaddress [source ipaddress | hold-timeout secs | interval msecs {timeout secs}]
- The default values are fine in most situations.

(Timeline figure: vPC peer-link is down! > Keepalive Hold Timeout > Keepalive Timeout)
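The hold-timeout / timeout logic described above, as an added Python model that is not part of the original slides: it replays constructed keepalive timestamps against the default timer values and reports what the secondary peer decides, including the split-brain ordering (keepalive fails first, then the peer-link) from the 7K & 5K failure slide. Timestamps and scenario names are constructed for the example.

```python
"""Added example, not part of the original slide deck: a model of the
secondary vPC peer's decision after the peer-link goes down, driven by the
three timers the slide names (hold-timeout 3 s, timeout 5 s, hello 1 s).
All timestamps below are constructed sample data, in seconds."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class KeepaliveTimers:
    """Defaults as listed on the slide (seconds)."""
    hold_timeout: float = 3.0    # secondary ignores hellos this long after peer-link down
    timeout: float = 5.0         # then listens for hellos this long
    hello_interval: float = 1.0  # primary sends one hello per interval


DUAL_ACTIVE = "dual-active: secondary suspends all its vPC member ports"
PEER_DOWN = "primary presumed down: secondary keeps forwarding as operational primary"


def secondary_decision(peer_link_down_at: float, hello_arrivals: Iterable[float],
                       timers: KeepaliveTimers = KeepaliveTimers()) -> Tuple[str, float]:
    """Decide what the secondary peer does once the peer-link is down.

    Returns (decision, time_of_decision). Hellos inside the hold-timeout
    window are ignored; the first hello inside the following timeout window
    proves the primary is alive, hence both peers are active (split brain).
    """
    listen_start = peer_link_down_at + timers.hold_timeout
    listen_end = listen_start + timers.timeout
    for t in sorted(hello_arrivals):
        if t < listen_start:
            continue                  # still in hold-timeout: hello ignored
        if t <= listen_end:
            return DUAL_ACTIVE, t     # a single hello is enough
        break
    return PEER_DOWN, listen_end      # timeout expired without a hello


def hello_stream(start: float, stop: float, interval: float = 1.0) -> List[float]:
    """Constructed keepalive traffic: one hello every `interval` s in [start, stop]."""
    out, t = [], start
    while t <= stop:
        out.append(round(t, 3))
        t += interval
    return out


# Constructed scenarios; the peer-link is observed down at t = 10 s in each.
def scenario_peer_link_only() -> Tuple[str, float]:
    """Peer-link cut while the peer-keepalive link stays healthy."""
    return secondary_decision(10.0, hello_stream(0.0, 30.0))


def scenario_primary_crashed() -> Tuple[str, float]:
    """Primary loses power at t = 10 s: no further hellos at all."""
    return secondary_decision(10.0, hello_stream(0.0, 10.0))


def scenario_keepalive_then_peer_link() -> Tuple[str, float]:
    """Failure 4 on the 7K & 5K slide: keepalive fails at t = 5 s, peer-link at t = 10 s."""
    return secondary_decision(10.0, hello_stream(0.0, 5.0))


if __name__ == "__main__":
    for name, fn in [("peer-link only", scenario_peer_link_only),
                     ("primary crashed", scenario_primary_crashed),
                     ("keepalive then peer-link", scenario_keepalive_then_peer_link)]:
        decision, when = fn()
        print(f"{name:25s} t={when:5.1f}s  {decision}")
```

With the defaults the secondary needs hold-timeout + timeout = 8 s of silence before it treats the primary as down, which is why the keepalive-then-peer-link ordering ends in two forwarding peers rather than a suspension.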

vPC Configuration :: Strong Recommendations and Key Notes

- Always enable vPC peer-gateway in the vPC domain (on both peer devices), even if there is no end device using this feature (devices that don't perform a standard ARP request for their default IP gateway); there is no side effect in enabling it.
- (Corner case) Always use vPC peer-gateway exclude-vlan when a transit VLAN (over the vPC peer-link) is used in the vPC domain; this applies only to mixed chassis mode (M1/F1) with the peer-link on F1 interfaces. Note that only static routing is supported.
- Always enable vPC ARP sync on both vPC peers; it performs a bulk ARP sync and improves convergence time for L3 flows.
- Always enable vPC delay restore on both vPC peer devices and tune the timer based on the network profile.
- Always enable the vPC graceful type-1 check (graceful consistency-check) on both vPC peer devices; it is enabled by default.
- Always enable vPC auto-recovery on both vPC peer devices.
- Always enable vPC auto-recovery reload-delay on both vPC peer devices (note that vPC auto-recovery reload-delay deprecates the previous feature called vPC reload restore).
- Use vPC orphan port suspend when single-attached devices connected to a vPC domain need to be disconnected from the network when the vPC peer-link fails.
- Always use a different domain ID in a double-sided vPC topology; once configured, both peer devices use the vPC domain ID to automatically assign a unique vPC system MAC address, which is used as part of the LACP protocol.
- The vPC role is non-preemptive, so the vPC operational role is the most relevant piece of information in the table below.
- With NX-OS 6.1 and prior releases, always use identical line cards on either side of the vPC peer-link and vPC member ports (legs to the downstream device).
- Starting in NX-OS 6.2, always use identical line cards on either side of the vPC peer-link and vPC member ports (legs to the downstream device) when M1/M2 & F2E are used.
- Starting in NX-OS 6.2, the VDC type must match between the 2 vPC peer devices when F2 & F2E are used in the same VDC; meaning it's OK to have F2 on vPC peer device 1 and F2E on vPC peer device 2 for the vPC peer-link or vPC member ports. Note: in an F2 & F2E type of design only features related to F2 apply (lowest common denominator).

vPC Configuration :: Strong Recommendations and Key Notes

- Use the LACP protocol when connecting access devices to a vPC domain (channel-group [x] mode active).
  - Use LACP when available for graceful failover and misconfiguration protection.
  - Use LACP mode active on both sides of the port-channel.
  - If the access device does not support LACP, use manual bundling (channel-group [x] mode on).
  - If the downstream access switch is a Cisco Nexus device, enable LACP graceful-convergence (it's on by default).
  - If the downstream access switch is NOT a Cisco Nexus device, disable LACP graceful-convergence.
- Use source-destination IP, L4 port and VLAN as the fields for the port-channel load-balancing hashing algorithm; this improves fair usage of all the member ports forming the port-channel.
- When possible, always dual-attach access devices to a vPC domain using a port-channel.
- When connecting a single-attached access device to a vPC domain using a vPC VLAN, always connect it to the vPC primary peer device; the reason is that if the vPC peer-link fails, any single-attached device connected to the secondary peer device (and using a vPC VLAN) becomes completely isolated from the rest of the network.
- Single-attached recommendations (descending order of priority):
  1. Connect the access device to an intermediate switch which is dual-attached to the vPC domain.
  2. Connect the single-attached device to the vPC domain using a non-vPC VLAN (an inter-switch link between the 2 peer devices must also be created to transport the non-vPC VLAN).
  3. Connect the single-attached device to the vPC domain using a vPC VLAN and leveraging the vPC peer-link.
- In a double-sided vPC topology, all interconnect links between the 2 vPC domains MUST belong to the same vPC ID; all links form a single vPC (on both sides of the 2 vPC domains).
- LACP port suspend :: By default, LACP sets a port to the suspended state if it does not receive an LACP PDU from the peer (i.e. a server or host). In some cases, although this feature helps prevent loops created by misconfigurations, it can cause servers to fail to boot because they require LACP to logically bring up the port. You can put a port into an individual state using the lacp suspend-individual command. On the Nexus 5000 this feature is disabled (no lacp suspend-individual) for servers connecting via LACP; on the Nexus 7000 it is enabled by default (lacp suspend-individual).

vPC Configuration :: Strong Recommendations and Key Notes

Recommended Spanning Tree Protocol configuration with vPC:
- Spanning Tree Protocol must remain enabled for all VLANs (even if all access devices are vPC-attached to the vPC domain); do NOT disable Spanning Tree Protocol.
- Use MST with vPC if you need to build a large L2 domain; plan ahead to avoid future configuration changes that can trigger a vPC type-1 consistency failure.
- Implement a consistent STP mode in the same L2 domain: ensure that all switches in your L2 domain are running Rapid-PVST+ (default) or MST to avoid slow Spanning Tree convergence (30 seconds or more).
- Perform VLAN pruning on vPC member ports to reduce internal resource consumption.
- Keep the Spanning Tree Protocol root function on the aggregation layer of the network (aggregation vPC domain).
- For each vPC peer device, configure root guard on ports connected to access devices.
- Bridge Assurance is enabled by default when configuring the vPC peer-link (spanning-tree port type network); do NOT disable it on the vPC peer-link.
- It is not necessary to enable Bridge Assurance on the vPC (member ports in the vPC); configure the vPC member port as spanning-tree port type normal.
- Configure port fast (edge or edge trunk port type) on host-facing interfaces to avoid slow Spanning Tree Protocol convergence (30 seconds or more) when the port transitions to an up state.
- Configure BPDU guard on host-facing interfaces to block any BPDU sent from the host (the access switch port receiving the BPDU will be put in errdisable mode); enable BPDU guard globally.
- Always define the vPC domain as the STP root for all VLANs in that domain (configure the aggregation vPC peer devices as STP root primary and STP root secondary); enforce this rule with root guard on vPC peer device ports connected to another L2 switch.
- IF vPC peer-switch is activated, both vPC peer devices MUST have the SAME spanning tree configuration (same priority for all vPC VLANs); the recommendation is to activate vPC peer-switch in the environment.
- Do not enable Loop Guard on the vPC (disabled by default).
- When using vPC peer-switch in a hybrid environment, use the spanning-tree pseudo-information to load-balance VLANs across the 2 peer devices.
- Enable UDLD in normal mode on the vPC peer-link and vPC member ports.

vPC Configuration :: Strong Recommendations and Key Notes

Layer 3 and vPC guidelines and recommendations:
- Use separate Layer 3 link(s) to connect L3 devices (like a router or a firewall in routed mode) to a vPC domain; use individual Layer 3 links for routed traffic and a separate Layer 2 port-channel for bridged traffic if both routed and bridged traffic are required.
- Always build a Layer 3 backup routed path for the vPC domain to increase network resilience and availability; use an OSPF point-to-point adjacency (or an equivalent L3 protocol) between the 2 vPC peer devices to establish an L3 backup path to the core in case of uplink failure.
- Do NOT use a Layer 2 vPC to attach Layer 3 devices to a vPC domain unless the Layer 3 device can statically route to the HSRP address configured on the vPC peer devices.
- You can't dynamically route over a vPC.
- Layer 3 backup routing path options (descending order of preference):
  1. Use a dedicated Layer 3 point-to-point link between the vPC peer devices as the backup path to the core.
  2. Use a dedicated Layer 2 port-channel trunk for non-vPC VLANs and create a dedicated VLAN/SVI to establish a Layer 3 relationship (those VLANs are not on the peer-link).

HSRP / VRRP guidelines and recommendations:
- When running HSRP/VRRP in active-active mode (from a data-plane standpoint), aggressive timers can be relaxed; use the default HSRP/VRRP timers.
- Define the SVI associated with HSRP/VRRP as a passive routing interface to avoid forming a routing adjacency over the vPC peer-link.
- Define the vPC primary peer device as the active HSRP/VRRP instance and the vPC secondary peer device as the standby HSRP/VRRP (from a control-plane standpoint) for ease of operations.
- Disable IP redirects (no ip redirect) on the interface VLAN where HSRP/VRRP is configured.
- Do NOT use HSRP/VRRP object tracking in a vPC domain.

vPC Configuration :: Strong Recommendations and Key Notes

Recommendations for multilayer vPC for a DCI solution:
- Use a different vPC domain-id for each vPC domain (DC1: one vPC domain for aggregation, one for DCI; DC2: one vPC domain for aggregation, one for DCI).
- For each data center, interconnect the aggregation vPC domain to the DCI vPC domain using a vPC (double-sided topology).
- Interconnect the 2 data centers using a vPC (a vPC between the DCI vPC domain in site 1 and the one in site 2).
- Enable BPDU filter on the vPC used for DCI (under the port-channel configuration, activate the command spanning-tree bpdufilter enable) to avoid BPDU propagation.
- Configure the vPC used for DCI as spanning-tree port type edge (i.e. port fast) so the port reaches the forwarding state quickly when it comes up.
- Remember that by default the vPC peer-link runs as spanning-tree port type network, i.e. Bridge Assurance is activated on the link.
- Configure root guard on the aggregation vPC domain (more exactly on the vPC between this vPC domain and the DCI vPC domain). The STP root must remain on the aggregation vPC domain on each side of the data center.
- No loop must exist outside the vPC domains.
- Do not use Layer 3 peering between data centers (in other words, there is no Layer 3 over vPC).
- Do not use Bridge Assurance on the interconnect vPC (DCI vPC); use spanning-tree port type edge trunk.
- Use M1 ports for the DCI vPC if flows between the 2 data centers need to be encrypted using 802.1AE MACsec.

vPC Configuration :: Strong Recommendations and Key Notes

Best practices for network services / appliances and vPC:
- Configure a vPC to the inside and outside interfaces of ASA firewalls; use spanning-tree port type edge trunk.
- If needed, use multiple VRF instances for the inside interfaces (intra-data-center networks; see the VMDC architecture).
- Be aware of the Layer 3 over vPC design caveat.
- Use a dedicated Layer 2 port-channel for the service appliances' state and keepalive VLANs (recommended: don't use the vPC peer-link).
- It is recommended that the ASA port-channel hashing algorithm and the Nexus vPC hashing algorithm are the same.
- Connect the ASA in routed mode to a vPC: static routing must be used
  - ASA static route to the HSRP address on the Nexus
  - Nexus static route to the ASA VIP
- If the ASA is connected in routed mode and uses dynamic routing:
  - Single-attach the ASA to the vPC domain
  - Create a separate non-vPC inter-switch link
  - Peer over the non-vPC VLAN/SVIs

(Figure panels: "SLB attached via vPC", "SLB attached via Po with orphan port suspend", "Firewall attached via vPC & Static Routes", "Firewall attached via non-vPC Po & Dynamic Routing"; captions: "Bandwidth reduced during certain failure scenarios" and "Bandwidth maintained during certain failure scenarios")

vPC Configuration :: Mixed Chassis Mode :: Supported Topologies :: Interop F2 & F2E VDC

With NX-OS 6.1 and prior releases:
- Always use identical line cards on either side of the vPC peer-link and vPC member ports (legs to the downstream device).
- The F1-series line cards can mix with M-series line cards.
- The F2-series line cards have to be in their own VDC (VDC type [F2]), meaning they can't mix with F1 or M-series cards in the same VDC.

vPC Configuration :: Mixed Chassis Mode :: Supported Topologies

Starting in NX-OS 6.2 and later releases:
- The VDC type [F2, F2E, F2 F2E] must match between the 2 vPC peer devices when F2 & F2E are used in the same VDC; meaning it's OK to have F2 on vPC peer device 1 and F2E on vPC peer device 2 for the vPC peer-link or vPC member ports. Note: in an F2 & F2E type of design only features related to F2 apply (lowest common denominator).
- Always use identical line cards on either side of the vPC peer-link and vPC member ports when M1, M1-XL, M2 & F2E are in the same VDC [M-F2E] or system.
- When F2E is placed in a chassis with M-series cards it operates in Layer 2 mode only, leveraging the M-series for Layer 3 (proxy L3 forwarding).

vPC Configuration :: Additional Resources & Further Reading

Great external resources:
- External (public) Nexus vPC best practices design guide
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
- Nexus 7000/6000/5000 configuration guides
  http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html
  http://www.cisco.com/en/US/products/ps9670/products_installation_and_configuration_guides_list.html
  http://www.cisco.com/en/US/partner/products/ps12806/products_installation_and_configuration_guides_list.html
- Nexus 5000 Enhanced vPC configuration guide
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/mkt_ops_guides/513_n1_1/n5k_enhanced_vpc.html