Nexus 7000 Virtual Portchannel Part 2

Wow, last week I was swamped preparing for a domestic MPLS migration in India (more on that later). I wanted to post this sooner…

In Part 1 of configuring virtual port channels on the Nexus, I talked about what may be needed to enable the vpc feature. Here’s a continuation of the process.

Between your two Nexus boxes, you’re going to have a vpc peer link and a vpc peer keep-alive link. Without the keep-alive link, your vpc peer link won’t come up.

Cisco vpc config guide

See Diagram


! Again, the first thing you want to do is enable vpc

Nexus1(config)# feature vpc

The vpc peer link between switches is going to be your traditional layer 2 trunk. There are some other minor configurations you will need regarding your vpc peer link.

! Define your vpc domain

Nexus1(config)# vpc domain 1

Now for the layer 2 trunk, I recommend at least 2 ten gig ports in an etherchannel (that’s what I’m using currently). You need to make sure the ports you choose are in “dedicated” mode. The N7K-M132XP-12 module allocates 10 Gb to each group of 4 ports, so the 4 ports share 10 Gb of bandwidth and the module is technically oversubscribed. In dedicated mode, 3 of the 4 ports in the group cannot be used and will be shut down. See the following link for which ports this applies to.

Nexus 7000 dedicated mode link

! Define vpc peer link interface parameters (use separate modules for each link!)

! enable udld
Nexus1(config)# feature udld
! enable lacp
Nexus1(config)# feature lacp

Nexus1(config)# inter ethernet 1/9, ethernet 2/9
Nexus1 (config-if-range)# description VPC Peer Link
Nexus1 (config-if-range)# switchport
Nexus1 (config-if-range)# switchport mode trunk
Nexus1 (config-if-range)# spanning-tree port type network
Nexus1 (config-if-range)# rate-mode dedicated
Nexus1 (config-if-range)# udld aggressive
Nexus1 (config-if-range)# channel-group 1 mode active
Nexus1 (config-if-range)# no shut

Nexus1 (config-if-range)# interface port 1
Nexus1 (config-if)# no shut

! Repeat the above config for Nexus 2

Now you have to define some other global parameters per the config doc. Choose one Nexus box and make it the root for all vlans; the other can be the secondary root.

Nexus1 (config)# spanning-tree vlan 1-4093 root primary
Nexus1 (config)# spanning-tree vlan 1-4093 hello-time 4

Nexus2 (config)# spanning-tree vlan 1-4093 root secondary
Nexus2 (config)# spanning-tree vlan 1-4093 hello-time 4

Define other vpc parameters. The one thing I found which kept my vpc links from coming up was the fact that I used a different “system-priority” on each Nexus. The system-priority must be the same on both Nexus boxes. The system-priority is kept high so that the pair stays the primary active LACP device when you start adding access switch trunks via LACP.

I gave Nexus1 a lower (better) role priority of 5000, meaning it is the primary on the vpc link.

Nexus1 (config-vpc-domain)# vpc domain 1
Nexus1 (config-vpc-domain)# system-priority 4000
Nexus1 (config-vpc-domain)# role priority 5000

Nexus2 (config-vpc-domain)# vpc domain 1
Nexus2 (config-vpc-domain)# system-priority 4000
Nexus2 (config-vpc-domain)# role priority 6000

Below are some vpc show outputs from Nexus 1 for what we have configured so far.

Nexus1 (config-vpc-domain)# sho vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 1
Peer status : peer link not configured
vPC keep-alive status : Disabled
Configuration consistency status: failed
Configuration consistency reason: vPC peer-link does not exists
vPC role : none established

Nexus1 (config-vpc-domain)# sho vpc peer-keepalive

vPC keep-alive status : Disabled
--Destination : N/A
--Send status : Success
--Receive status : Success
--Last update from peer : (-n-a-) seconds, (-n-a-) msec

Nexus1 (config-vpc-domain)# sho vpc role

vPC Role status
----------------------------------------------------
vPC role : none established
Dual Active Detection Status : 0
vPC system-mac : 00:00:00:00:00:00
vPC system-priority : 32667
vPC local system-mac : 00:xx:xx:xx:xx:xx
vPC local role-priority : 0

As you can see from the above output, the vpc configuration is not yet complete.

Now we can go into portchannel 1 which is our traditional trunk between switches and see if we can tell it to be a vpc peer link. Remember, the trunk between switches still carries traffic as we would expect, but it’s also being tasked with vpc responsibilities.

Nexus1 (config)# interface port 1
Nexus1 (config-if)# vpc peer-link
ERROR: Operation failed: [peer-keepalive not configured]

Ok, so we need to configure our vpc peer keep-alive link now. This is where the Cisco config guide leaves a lot to be desired. The peer keep-alive link has to be in its own VRF (routing table). So we are going to define another port channel with 2-4 ports (I used 2). We then assign it to the VRF we create and give it an IP address. If you use 2 ports, put them on separate modules. The ports don’t need to be in “dedicated” mode either.

! create the vrf
Nexus1 (config)# vrf context VPC_KEEPALIVE

! put your ports in an etherchannel
Nexus1 (config)# interface ethernet 1/6, ethernet 2/6
Nexus1 (config-if-range)# channel-group 2 mode active
Nexus1 (config-if-range)# udld enable
Nexus1 (config-if-range)# description VPC Peer-keepalive link
Nexus1 (config-if-range)# no shut
! Repeat the above on Nexus2

Nexus1 (config-if-range)# inter port 2
Nexus1 (config-if)# vrf member VPC_KEEPALIVE
Nexus1 (config-if)# ip address 1.1.1.1/30
Nexus1 (config-if)# no shut

Nexus2 (config-if-range)# inter port 2
Nexus2 (config-if)# vrf member VPC_KEEPALIVE
Nexus2 (config-if)# ip address 1.1.1.2/30
Nexus2 (config-if)# no shut

Nexus1 (config-vpc-domain)# vpc domain 1
Nexus1 (config-vpc-domain)# peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf VPC_KEEPALIVE

Nexus2 (config-vpc-domain)# vpc domain 1
Nexus2 (config-vpc-domain)# peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf VPC_KEEPALIVE

! enable VPC peer link on portchannel 1

Nexus1 (config)# interface port 1
Nexus1 (config-if)# vpc peer-link

Nexus2 (config)# interface port 1
Nexus2 (config-if)# vpc peer-link

At this point, you can use your “show vpc” commands and both the peer link and keep-alive should be up and running.
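
A pre-change check for the pitfalls described above (different system-priority on each box, a missing peer-keepalive, keep-alive addresses that do not mirror each other or sit outside the keep-alive VRF). This is an added example, not part of the original post: the config excerpts are constructed from the commands shown here, and parse_vpc and check_peers are hypothetical helper names.

```python
import re

# Constructed config excerpts built from the commands shown in this post.
NEXUS1 = """\
vpc domain 1
  system-priority 4000
  role priority 5000
  peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf VPC_KEEPALIVE
interface port-channel2
  vrf member VPC_KEEPALIVE
  ip address 1.1.1.1/30
"""
NEXUS2 = (NEXUS1.replace("role priority 5000", "role priority 6000")
          .replace("destination 1.1.1.2 source 1.1.1.1", "destination 1.1.1.1 source 1.1.1.2")
          .replace("ip address 1.1.1.1/30", "ip address 1.1.1.2/30"))

def parse_vpc(cfg):
    """Extract the vPC settings this post configures (hypothetical helper)."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else None
    return {
        "domain": grab(r"^vpc domain (\d+)"),
        "system_priority": grab(r"^\s+system-priority (\d+)"),
        "role_priority": grab(r"^\s+role priority (\d+)"),
        # (destination, source, vrf) of the keep-alive, or None if absent
        "keepalive": grab(r"^\s+peer-keepalive destination (\S+) source (\S+) vrf (\S+)"),
        # (vrf, ip) for every interface that is a VRF member with an address
        "vrf_ips": re.findall(r"vrf member (\S+)\n\s+ip address ([\d.]+)/\d+", cfg),
    }

def check_peers(cfg_a, cfg_b):
    """Return a list of mismatches in the settings this post calls out."""
    a, b = parse_vpc(cfg_a), parse_vpc(cfg_b)
    problems = []
    if a["domain"] != b["domain"]:
        problems.append("vpc domain id differs between peers")
    if a["system_priority"] != b["system_priority"]:
        problems.append("system-priority differs between peers")
    for name, peer in (("A", a), ("B", b)):
        if peer["keepalive"] is None:
            problems.append(f"peer {name}: peer-keepalive not configured")
        elif (peer["keepalive"][2], peer["keepalive"][1]) not in peer["vrf_ips"]:
            problems.append(f"peer {name}: keep-alive source not on an interface in its vrf")
    # Peer A's (destination, source) must equal peer B's (source, destination).
    if a["keepalive"] and b["keepalive"] and a["keepalive"][:2] != b["keepalive"][1::-1]:
        problems.append("keep-alive source/destination do not mirror each other")
    return problems

if __name__ == "__main__":
    print(check_peers(NEXUS1, NEXUS2) or "no mismatches found")
```

Feed it the relevant sections of each switch's running config before you apply “vpc peer-link”; an empty list means the settings covered here line up.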

Look out for Part 3 where I cover the configuration for provisioning an access layer switch to take advantage of vpc.

Ted Romer
CCIE No. 21785

2 Responses to “Nexus 7000 Virtual Portchannel Part 2”

  1. shivlu jain says:

    good blog.

    regards
    shivlu jain

  2. ted says:

    Thanks a lot.

    Ted
