Friday, December 10, 2010

Nexus Notes


The Nexus 7000 switch supports 4096 VLANs per Virtual Device Context (VDC) for a system total of ~16k VLANs. Some of these VLANs are used by system-level functions and are not user-configurable.

Bridge Assurance is a new feature that can eliminate issues caused by a malfunctioning bridge. With Bridge Assurance, all ports send and receive BPDUs on all VLANs regardless of their state.

This creates a bidirectional keepalive using BPDUs: if a port stops receiving BPDUs, it is placed into an inconsistent (blocking) state, which prevents the loops a malfunctioning bridge would otherwise introduce. Bridge Assurance is enabled by default on any port configured with spanning-tree port type network, but it can be disabled globally with the following command:

(config)# no spanning-tree bridge assurance

To enable Bridge Assurance by setting the spanning-tree port type, enter the following commands:

(config)# int port-channel 1

(config-if)# spanning-tree port type network

An interesting side effect of Bridge Assurance is an automatic pruning function.

In the topology, if a VLAN is defined on  but not on , Bridge Assurance puts that VLAN into a blocking state because it is not receiving BPDUs for that VLAN.

The following port-profile collects the edge-port settings for private-VLAN host ports so that interfaces can inherit them. Two caveats: a private-vlan host-association requires the port to be in private-vlan host switchport mode (NX-OS rejects it on an access port), and bpdufilter enable on an edge port drops BPDUs before bpduguard ever sees them, so with both enabled a rogue switch plugged into the port will not be err-disabled.

(config)# port-profile COMMUNITY1

(config-ppm)# switchport

(config-ppm)# switchport mode private-vlan host

(config-ppm)# switchport private-vlan host-association 100 102

(config-ppm)# spanning-tree port type edge

(config-ppm)# spanning-tree bpdufilter enable

(config-ppm)# spanning-tree bpduguard enable

(config-ppm)# no shutdown

(config-ppm)# state enabled

(config)# interface ethernet 2/28

(config-if)# inherit port-profile COMMUNITY1

The vPC peer-keepalive link can be either 1 Gbps or 10 Gbps.

vPC peer link: used to exchange state information between the vPC peers; together with the peer-keepalive link it provides the mechanisms that detect and prevent split-brain (dual-active) scenarios.

Note: The mgmt0 interface can be used as the vPC peer-keepalive link but should be avoided if at all possible.

On the Nexus 7000, mgmt0 is actually a logical interface representing the physical management port of the active supervisor. During a supervisor switchover caused by a hardware failure or an In-Service Software Upgrade (ISSU), the physical link supporting the mgmt0 interface might change, causing a disruption of the keepalive messages. By using normal switch interfaces, additional levels of redundancy in the port-channels can be used.

If the mgmt0 interface is used as the peer-keepalive link, it is critical to ensure that all physical management ports (on both supervisors) are connected to an external device, such as a management switch.

Create a dedicated VRF for the vPC keepalive link and place the keepalive interface in it. The first peer uses ethernet 2/47 with 1.1.1.1 and the second peer uses ethernet 2/48 with 1.1.1.2 (a /30); the keepalive source and destination are mirrored on the two peers, and the VRF name must match on both. (The 1.1.1.0/30 addresses are the example's; they are unrouted inside the keepalive VRF, but RFC 1918 space avoids confusion with the publicly routed 1.1.1.0/24.)

First peer:

(config)# vrf context vpc-keepalive

(config)# interface ethernet 2/47

(config-if)# no switchport

(config-if)# vrf member vpc-keepalive

(config-if)# ip address 1.1.1.1 255.255.255.252

(config)# vpc domain 1

(config-vpc-domain)# peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf vpc-keepalive

Second peer:

(config)# vrf context vpc-keepalive

(config)# interface ethernet 2/48

(config-if)# no switchport

(config-if)# vrf member vpc-keepalive

(config-if)# ip address 1.1.1.2 255.255.255.252

(config)# vpc domain 1

(config-vpc-domain)# peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf vpc-keepalive

Configure the peer link on a trunking port-channel:

(config)# interface port-channel 100

(config-if)# switchport

(config-if)# switchport mode trunk

(config-if)# vpc peer-link

Please note that the spanning-tree port type is changed to "network" on the vPC peer link automatically. This enables Bridge Assurance on the peer link, provided global STP Bridge Assurance (which is enabled by default) has not been disabled.

A downstream vPC is then built from a port-channel on each peer carrying the same vPC number:

(config)# interface ethernet 2/1

(config-if)# channel-group 1 mode active

(config)# interface port-channel 1

(config-if)# switchport

(config-if)# switchport mode trunk

(config-if)# vpc 1
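As an added example (not code from the original post), the following Python lint pass reads the running-config text of two vPC peers and checks the points made in these notes: that the peer-keepalive source/destination and VRF mirror each other, that the keepalive is not riding mgmt0, that Bridge Assurance has not been switched off globally, and that an edge port-profile does not pair bpdufilter with bpduguard or a host-association with the wrong switchport mode. The two sample configs are constructed for illustration (peer A deliberately carries a mistyped VRF name and the original port-profile; peer B is the corrected side).

```python
"""Added example, not part of the original post: a lint pass over the
running-config text of two vPC peers covering the notes above.  The
sample config text at the bottom is constructed for illustration."""
import re


def parse_sections(config: str) -> dict:
    """Split NX-OS config text into {header: [child lines]} by indentation:
    an unindented line starts a section, indented lines belong to it."""
    sections: dict = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def keepalive_params(sections: dict):
    """Return (destination, source, vrf) from the 'vpc domain' section.
    NX-OS falls back to the management VRF (mgmt0) when no vrf is given."""
    for header, lines in sections.items():
        if header.startswith("vpc domain"):
            for line in lines:
                m = re.match(r"peer-keepalive destination (\S+) source (\S+)(?: vrf (\S+))?$", line)
                if m:
                    return m.group(1), m.group(2), m.group(3) or "management"
    return None


def audit_peer(name: str, sections: dict) -> list:
    """Single-switch checks: Bridge Assurance, keepalive VRF, edge port-profiles."""
    findings = []
    if "no spanning-tree bridge assurance" in sections:
        findings.append(f"{name}: Bridge Assurance disabled globally; the peer-link's "
                        "'network' port type no longer enforces it")
    ka = keepalive_params(sections)
    if ka is None:
        findings.append(f"{name}: no peer-keepalive configured")
    elif ka[2] == "management":
        findings.append(f"{name}: peer-keepalive rides mgmt0 (management VRF); "
                        "the physical link can move on supervisor switchover")
    for header, lines in sections.items():
        if not header.startswith("port-profile"):
            continue
        # bpdufilter at interface level drops BPDUs silently, so bpduguard never fires
        if ("spanning-tree bpdufilter enable" in lines
                and "spanning-tree bpduguard enable" in lines):
            findings.append(f"{name}: {header}: bpdufilter enable drops BPDUs "
                            "before bpduguard can err-disable the port")
        if (any(l.startswith("switchport private-vlan host-association") for l in lines)
                and "switchport mode private-vlan host" not in lines):
            findings.append(f"{name}: {header}: host-association needs "
                            "'switchport mode private-vlan host'")
    return findings


def audit_pair(cfg_a: str, cfg_b: str) -> list:
    """Cross-peer checks: keepalive endpoints and VRF must mirror each other."""
    sa, sb = parse_sections(cfg_a), parse_sections(cfg_b)
    findings = audit_peer("A", sa) + audit_peer("B", sb)
    ka, kb = keepalive_params(sa), keepalive_params(sb)
    if ka and kb:
        if ka[0] != kb[1] or ka[1] != kb[0]:
            findings.append("keepalive source/destination are not mirrored between peers")
        if ka[2] != kb[2]:
            findings.append(f"keepalive VRF differs: A={ka[2]} B={kb[2]}")
    return findings


# Constructed samples: peer A has a mistyped VRF name and the original
# port-profile; peer B is the corrected side.
PEER_A = """\
vrf context vpc-keepalive
interface Ethernet2/47
  no switchport
  vrf member vpc-keepalive
  ip address 1.1.1.1/30
vpc domain 1
  peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf vpckeepalive
port-profile COMMUNITY1
  switchport mode access
  switchport private-vlan host-association 100 102
  spanning-tree port type edge
  spanning-tree bpdufilter enable
  spanning-tree bpduguard enable
"""
PEER_B = """\
vrf context vpc-keepalive
interface Ethernet2/48
  no switchport
  vrf member vpc-keepalive
  ip address 1.1.1.2/30
vpc domain 1
  peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf vpc-keepalive
"""

if __name__ == "__main__":
    for finding in audit_pair(PEER_A, PEER_B):
        print("-", finding)
```

In practice the two inputs are the saved output of show running-config from each peer; the checks are deliberately string-based heuristics on the sections these notes discuss, not a full NX-OS parser.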

VPC Peer-Gateway

This feature exists for certain storage arrays, application servers and load balancers that implement a fast-path optimisation: they send return traffic to the source MAC address of the switch that forwarded the request (its physical router MAC) rather than to the HSRP virtual MAC.

By default such traffic might be dropped. When the frame arrives at the vPC peer that does not own that MAC, it is bridged over the peer link to the owner, and the vPC loop-avoidance rule does not allow traffic received on the peer link to be forwarded out a vPC member port.

With peer-gateway, each vPC peer forwards (routes) packets destined for its peer's router MAC locally, without sending them across the peer link. To enable it, enter the following command:

(config-vpc-domain)# peer-gateway
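To make the drop concrete, here is an added toy model (not code from the original post) of the two forwarding rules the paragraph above describes: the loop-avoidance rule for frames received on the peer link, and the peer-gateway exemption for frames addressed to the peer's router MAC. The switch names, MAC addresses and port names are constructed for this illustration; the real exception for a vPC whose member port is down on the peer is not modelled.

```python
"""Added example, not part of the original post: a minimal model of vPC
loop avoidance and the peer-gateway exemption.  Names, MACs and ports
are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class VpcSwitch:
    name: str
    router_mac: str          # this switch's physical router MAC
    peer_router_mac: str     # the vPC peer's physical router MAC
    hsrp_vmac: str           # shared HSRP virtual MAC
    vpc_ports: set = field(default_factory=set)   # local vPC member ports
    peer_gateway: bool = False

    def handle(self, ingress: str, dst_mac: str, egress: str) -> str:
        """Decide what happens to a frame received on `ingress`, addressed to
        `dst_mac`, whose L2/L3 lookup points at `egress`."""
        if dst_mac == self.peer_router_mac and not self.peer_gateway:
            # Not our MAC: bridge it across the peer link to the owner.
            return "bridge-to-peer"
        routed = dst_mac in (self.router_mac, self.hsrp_vmac) or (
            dst_mac == self.peer_router_mac and self.peer_gateway)
        # Loop avoidance: anything that came in on the peer link must not
        # leave through a vPC member port, routed or not.
        if ingress == "peer-link" and egress in self.vpc_ports:
            return "drop"
        return "route-local" if routed else "bridge-local"


def deliver(local: VpcSwitch, peer: VpcSwitch, ingress: str, dst_mac: str, egress: str) -> list:
    """Trace a frame that a downstream vPC host hashed onto `local`."""
    trace = [(local.name, local.handle(ingress, dst_mac, egress))]
    if trace[0][1] == "bridge-to-peer":
        # On the peer the frame now ingresses from the peer link.
        trace.append((peer.name, peer.handle("peer-link", dst_mac, egress)))
    return trace


def fast_path_return(peer_gateway: bool) -> list:
    """A fast-path host behind vPC Po1 replies to S1's physical MAC, but the
    port-channel hash lands the frame on S2; the reply must exit via vPC Po2."""
    s1 = VpcSwitch("S1", "0000.0c00.0001", "0000.0c00.0002", "0000.0c07.ac01",
                   {"Po1", "Po2"}, peer_gateway)
    s2 = VpcSwitch("S2", "0000.0c00.0002", "0000.0c00.0001", "0000.0c07.ac01",
                   {"Po1", "Po2"}, peer_gateway)
    return deliver(s2, s1, "Po1", s1.router_mac, "Po2")


if __name__ == "__main__":
    print("without peer-gateway:", fast_path_return(False))
    print("with peer-gateway:   ", fast_path_return(True))
```

Without peer-gateway the trace ends in a drop on S1, because the reply arrived there over the peer link and must exit a vPC port; with peer-gateway S2 routes it itself and the peer link is never involved. Traffic sent to the HSRP virtual MAC is routed locally by whichever peer receives it in either case, which is why only fast-path hosts expose the problem.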

Power-supply redundancy modes, as shown by the CLI help (only two of the options are reproduced here):

(config)# power redundancy-mode ?

combined   Configure power supply redundancy mode as combined

insrc-redundant  Configure power supply redundancy mode as grid/AC input source redundant

vPC Concepts

The following list defines critical vPC concepts:

vPC: vPC refers to the combined PortChannel between the vPC peer devices and the downstream device.

vPC peer switch: The vPC peer switch is one of a pair of switches that are connected to the special PortChannel known as the vPC peer link. One device will be selected as the primary device, and the other will be the secondary device.

vPC peer link: The vPC peer link is the link used to synchronize states between the vPC peer devices. The vPC peer link carries control traffic between two vPC switches and also multicast, broadcast data traffic. In some link failure scenarios, it also carries unicast traffic. You should have at least two 10 Gigabit Ethernet interfaces for peer links.

vPC domain: This domain includes both vPC peer devices, the vPC peer keepalive link, and all the PortChannels in the vPC connected to the downstream devices. It is also associated with the configuration mode that you must use to assign vPC global parameters.

vPC peer keepalive link: The peer keepalive link monitors the vitality of a vPC peer switch. The peer keepalive link sends periodic keepalive messages between vPC peer devices. The vPC peer keepalive link can be a management interface or switched virtual interface (SVI). No data or synchronization traffic moves over the vPC peer keepalive link; the only traffic on this link is a message that indicates that the originating switch is operating and running vPC.

vPC member port: vPC member ports are interfaces that belong to the vPCs.
