Attaching Devices to VPC domain

Posted on Jan 24, 2020

How to connect a device to a vPC domain:

A device is connected to a vPC domain by creating a Layer 2 port-channel from the access device to the vPC peer devices. The figure below briefly explains the topology and the components involved.

A Layer 3 port-channel is not supported in a vPC topology.

The following are the requirements for an access device to connect properly to a vPC domain:

  • The device should support 802.3ad LACP
  • The device should also support static port-channel (channel-group mode on)

Cisco Nexus 7000 series switches do not support the Port Aggregation Protocol (PAgP). If the downstream access switch is a Cisco Nexus device, enable the LACP graceful-convergence option (this option is ON by default).

If the downstream access switch is not a Cisco Nexus device, disable the LACP graceful-convergence option.

Use source-destination IP, L4 port and VLAN as the fields for the port-channel load-balancing hashing algorithm. This improves fair usage of all member ports forming the port-channel.

Access device dual attached to vPC domain:

To attach the access device to the vPC domain, the following topology can be used as a sample:

There are two major topologies for designing a vPC system, both of which we have already discussed:

  • Single-sided vPC
  • Double-sided vPC

In single-sided vPC, an access device can be dual-attached to the vPC domain by 16 ports (8 ports to one vPC peer and another 8 ports to the other vPC peer).

In double-sided vPC, a maximum of 32 ports can be used to connect the access device to the vPC domain.

Double-sided vPC is a configuration where 2 access layer switches forming vPC domain are connected to 2 aggregation layer switches forming another vPC domain through a big fat vPC (up to 32 member ports). 

The upper vPC domain is usually used as the aggregation layer (L2/L3 boundary). The lower vPC domain is usually used as the access layer (L2 only).

In double-sided vPC, the following important notes must be taken into consideration:

  • All ports from an access layer vPC peer device to the aggregation layer vPC domain belong to the same port-channel.
  • All ports from an aggregation layer vPC peer device to the access layer vPC domain belong to the same port-channel.
  • For ease of configuration and operations, best practice is to use the same port-channel id and the same vPC id on both vPC domains for the interconnect link (i.e. the vPC in the middle of the 2 vPC domains).

Access Device Single Attached to vPC domain

When, for any reason, an access device cannot be dual-connected to the vPC system, there are three options available. They should be used in order of preference.

Option 1: Connect the access device to a switch that is already in a vPC (an intermediate switch dual-attached to the vPC domain), as shown in the diagram below:

The advantage of this approach is that it ensures minimum disruption in case of peer-link failover and also provides consistent behaviour in dual-active scenarios.

The disadvantages are:

  • Need for an external or additional switch
  • Additional burden to configure and manage the physical device
  • You need to configure and manage additional port-channels between the Cisco Nexus 7000 Series devices.

Option 2: The second-best option is to connect the device to a vPC peer device using a non-vPC VLAN and create a dedicated inter-switch port-channel to carry these non-vPC VLANs.

In this scenario the access device can be attached to either the primary or the secondary peer switch, because the VLAN associated with it is not a vPC VLAN. Even if the peer-link goes down, the vPC VLANs go down but these non-vPC VLANs do not, and traffic is diverted smoothly to the secondary path.

Communication from a non-vPC VLAN to a vPC VLAN must be done through inter-VLAN routing, as the 2 VLANs belong to different bridging domains.

Option 3: If you don't want to connect the access device to a non-vPC VLAN, then you can connect the access device to the primary switch using a vPC VLAN.

This will work fine, but in case of a role switchover, say the primary switch becomes the operational secondary switch, the ports connecting the access switch to the peer device will act as orphan ports, and the access switch will be completely isolated in case of peer-link failure.

Let’s understand the concept of Orphan Ports:

Orphan Ports:

Any Cisco 7000/5000 vPC peer switch port that is single-attached to an access device using a vPC VLAN is called an orphan port.

An orphan port has the following characteristics:

  • It is a port on a vPC peer device (primary or secondary) that is connected to a single-attached device.
  • It is a port on a vPC peer device (primary or secondary) that carries a vPC VLAN. If the port carries a non-vPC VLAN, it is no longer defined as an orphan port.

Use the sh vpc orphan-ports command to see how many orphan ports there are in the vPC system.

When connecting a single-attached access device to the vPC domain using a vPC VLAN, always connect it to the vPC primary peer device. The reason is that when the vPC peer-link fails, any single-attached device connected to the secondary peer device (and using a vPC VLAN) will become completely isolated from the rest of the network.
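The orphan-port definition and the peer-link failure behaviour described above can be checked against a port inventory. The following is an added example, not part of the original post: the Port model, the function names and the sample inventory are constructed for illustration, and the set of vPC VLANs is assumed to be known in advance.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Port:
    peer: str           # operational vPC role of the switch: "primary" or "secondary"
    name: str           # interface name
    vlans: frozenset    # VLANs carried on the port
    vpc_member: bool    # True when the port is part of a vPC (dual-attached device)

def orphan_ports(ports, vpc_vlans):
    """Single-attached ports that carry at least one vPC VLAN."""
    return [p for p in ports if not p.vpc_member and p.vlans & vpc_vlans]

def isolated_on_peer_link_failure(ports, vpc_vlans):
    """Orphan ports on the operational secondary are cut off when the peer-link fails."""
    return [p for p in orphan_ports(ports, vpc_vlans) if p.peer == "secondary"]

def after_role_switchover(ports):
    """Same cabling, but the operational roles of the two peers are swapped."""
    flip = {"primary": "secondary", "secondary": "primary"}
    return [replace(p, peer=flip[p.peer]) for p in ports]

def names(ports):
    return [p.name for p in ports]

# Constructed inventory (assumed values, not taken from a real switch).
VPC_VLANS = frozenset({10, 20})
PORTS = [
    Port("primary", "Eth1/1", frozenset({10, 20}), vpc_member=True),   # dual-attached
    Port("primary", "Eth1/10", frozenset({20}), vpc_member=False),     # Option 3
    Port("secondary", "Eth1/11", frozenset({10}), vpc_member=False),   # at risk
    Port("secondary", "Eth1/12", frozenset({100}), vpc_member=False),  # Option 2
]

if __name__ == "__main__":
    print("orphan ports:", names(orphan_ports(PORTS, VPC_VLANS)))
    print("isolated if peer-link fails:",
          names(isolated_on_peer_link_failure(PORTS, VPC_VLANS)))
    print("isolated if peer-link fails after role switchover:",
          names(isolated_on_peer_link_failure(after_role_switchover(PORTS), VPC_VLANS)))
```

The third result shows the Option 3 caveat: a device attached to the primary with a vPC VLAN becomes the exposed one once the roles swap.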

General Recommendations (in descending order of priority):

  • Connect access device to an intermediate switch which is dual-attached to vPC domain
  • Connect single-attached device to vPC domain using non-vPC VLAN. Create an inter-switch link between the 2 peer devices to transport non-vPC VLAN.
  • Connect single-attached device to vPC domain using vPC VLAN and leveraging vPC peer-link.
