vPC Peer-Switch with KeepAlive on dedicated SVI


Hi Folks, well in my labs and practice, I have come across something quite interesting today, which I feel warrants a decent blog post (I hope so anyway). You may want to sit with a coffee for this one!!

So here is the scenario: Standard vPC setup, and at this stage without any vPCs other than the peer-link. The keepalive is via an SVI on VLAN 70. VLAN 70 is also pruned off the vPC peer-link. It is also in its own vrf (int vlan 70). Here is the config – note the lack of the ‘peer-switch’ command, this is the important bit!

vpc domain 70
  role priority 110
  system-priority 1
  peer-keepalive destination 10.0.70.77 source 10.0.70.78 vrf keepalive
  delay restore 60
  dual-active exclude interface-vlan 70
  peer-gateway exclude-vlan 70
  auto-recovery reload-delay 300
  delay restore interface-vlan 60

 

So is everything working? Well indeed it is, here is my vpc:

 

N7K8(config)# sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 70
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : secondary
Number of vPCs configured         : 0
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : 70
Dual-active excluded VLANs        : 70
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 300 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po70   up     10,20

 

But what about spanning-tree?  Here we go:

 

VLAN0010

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po70             Root FWD 1         128.4165 (vPC peer-link) Network P2p

VLAN0020

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po70             Root FWD 1         128.4165 (vPC peer-link) Network P2p

VLAN0070

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Eth1/25          Root FWD 2         128.153  P2p

 

As you can see, it is going over the peer-link and the dedicated keepalive link to reach the STP root bridge.



Hang on a minute ‘lightbulb moment’, can’t we use ‘peer-switch’ for optimal traffic-forwarding?



So here is our vpc config with peer switch added:

vpc domain 70
  peer-switch
  role priority 100
  system-priority 1
  peer-keepalive destination 10.0.70.78 source 10.0.70.77 vrf keepalive
  delay restore 60
  dual-active exclude interface-vlan 70
  peer-gateway exclude-vlan 70
  auto-recovery reload-delay 300
  delay restore interface-vlan 60

 

Let’s check our vpc:

 

N7K7(config-vpc-domain)# sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 70
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is not reachable through peer-keepalive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary
Number of vPCs configured         : 0
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : 70
Dual-active excluded VLANs        : 70
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 300 seconds)

 

Uh! What’s happened, our keepalive just went down….



Let’s look at spanning tree for vlan 70:

 

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Eth1/25          Back BLK 2         128.153  P2p

 

Eh – what’s going on?



Okay, so here it is. We now have (well actually we always DID have) a hybrid stp environment. However, with no peer-switch the normal rules of stp apply, and we can happily forward traffic, our vpc stays up, but it is not OPTIMAL.



So how do we fix this? We don’t want the keepalive vlan being a vPC VLAN, that’s a definite no-no, but we want a vPC environment that has optimal traffic forwarding.



<Drumroll for Superman music, as stp, complete with pants on outside, comes to our rescue>



Yes, folks. You probably will have seen this documented under ‘fabric-path’ but the feature ‘spanning-tree pseudo information’ comes into play and is the saviour of the day. Here is a good thread:



https://supportforums.cisco.com/thread/2177350



This basically allows you to configure your vPC vlans as primary on each vPC peer, but (and this is the key part), allows non-vpc vlans (or in the case of fabric-path, non-fp vlans) to continue to adhere to normal stp rules (i.e. a root and backup-root bridge).



So, in order to fix my problem, this is the config I applied:

 

N7K7:

spanning-tree pseudo-information
  vlan 10,20,70 root priority 4096

N7K8:

spanning-tree pseudo-information
  vlan 10,20 root priority 4096
  vlan 70 root priority 8192

 

and lo-and-behold, we’re back to where we were before:

 

N7K8(config)# sh vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 70
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : secondary
Number of vPCs configured         : 0
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : 70
Dual-active excluded VLANs        : 70
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 300 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po70   up     10,20
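
A pre-change check built around the fix above, as an added example that is not part of the original post: it compares the ‘spanning-tree pseudo-information’ root priorities of the two peers once peer-switch is enabled. The function names, the caller-supplied VLAN sets and the rule itself (same priority on vPC VLANs, different priority on the non-vPC keepalive VLAN) are assumptions drawn from the configs shown in this post.

```python
import re

def expand_vlans(spec):
    """Expand a VLAN list such as '10,20,70' or '10-12,70' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_peer(config):
    """Return (peer_switch_enabled, {vlan: pseudo-information root priority})."""
    peer_switch = re.search(r"^\s*peer-switch\s*$", config, re.M) is not None
    prio = {}
    for m in re.finditer(r"^\s*vlan (\S+) root priority (\d+)\s*$", config, re.M):
        for vlan in expand_vlans(m.group(1)):
            prio[vlan] = int(m.group(2))
    return peer_switch, prio

def check_pair(cfg_a, cfg_b, vpc_vlans, non_vpc_vlans):
    """List (vlan, problem) pairs; an empty list means the pair matches the post's fix."""
    (ps_a, prio_a), (ps_b, prio_b) = parse_peer(cfg_a), parse_peer(cfg_b)
    if not (ps_a or ps_b):
        return []  # no peer-switch: normal STP rules apply on every VLAN
    findings = []
    for vlan in sorted(non_vpc_vlans):  # e.g. the keepalive SVI VLAN
        a, b = prio_a.get(vlan), prio_b.get(vlan)
        if a is None or b is None:
            findings.append((vlan, "root priority not set on both peers"))
        elif a == b:
            findings.append((vlan, "same root priority on both peers"))
    for vlan in sorted(vpc_vlans):
        if prio_a.get(vlan) != prio_b.get(vlan):
            findings.append((vlan, "vPC VLAN root priority differs between peers"))
    return findings

# Constructed samples assembled from the config snippets in the post.
VPC_DOMAIN = "vpc domain 70\n  peer-switch\n  dual-active exclude interface-vlan 70\n"
N7K7_FIXED = VPC_DOMAIN + "spanning-tree pseudo-information\n  vlan 10,20,70 root priority 4096\n"
N7K8_FIXED = VPC_DOMAIN + ("spanning-tree pseudo-information\n"
                           "  vlan 10,20 root priority 4096\n  vlan 70 root priority 8192\n")

if __name__ == "__main__":
    print(check_pair(VPC_DOMAIN, VPC_DOMAIN, {10, 20}, {70}))  # peer-switch only
    print(check_pair(N7K7_FIXED, N7K8_FIXED, {10, 20}, {70}))  # with the fix applied
```
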

 

Unfortunately, just as I was taking dumps of the stp verification, my INE rack time ran out. So I will leave it up to you to test this as well and perhaps post those stp results.

HTH

Rgds

Dominic

 

Comments

  • Hi,

    I actually had this problem today, but my way of solving it was to convert the VPC Peer-keepalive from SVI to a L3 interface, so only no switchport on the interfaces and moved the interface VLAN config to the interfaces and it came up.
    The thing is for now the VPC Peer-Link cannot have a list of allowed VLANs.
