Building Redundant VPC over VXLAN

Posted on Jan 09, 2020

On Cisco Nexus 9300 platform switches, VTEP redundancy is achieved by using a pair of virtual PortChannel (vPC) switches that function as one logical VTEP device and share an anycast VTEP address.

The vPC switches use the vPC concept for redundant host connectivity while each individually runs Layer 3 protocols with the upstream devices in the underlay network. Both VTEPs join the multicast group for the same VXLAN VNI and use the same anycast VTEP address as the source when sending VXLAN-encapsulated packets. To the devices in the underlay network, including the multicast rendezvous point and the remote VTEPs, the two vPC VTEP switches appear to be a single logical VTEP.

The figure below shows the topology used for this lab.

To configure vPC VTEP, use the following steps:

Step 1: Enable the VXLAN feature.

DCLessons-VTEP-1#
feature nv overlay
feature vn-segment-vlan-based

Step 2: Configure a loopback interface with a /32 secondary address.

The primary address configured on a loopback interface is normally used as the router ID by routing protocols such as OSPF and Border Gateway Protocol (BGP). Because the two switches form a vPC pair, they cannot share the same primary loopback address, so vPC VTEP uses an identical secondary address configured on the loopback interface of both switches as the anycast VTEP address. Some examples are shown here.

DCLessons-VTEP-1#
interface loopback0
no ip redirects
ip address 10.10.10.4/32
ip address 10.10.10.100/32 secondary
ip ospf network point-to-point
ip router ospf 1 area 0
ip pim sparse-mode
!
DCLessons-VTEP-2#
interface loopback0
no ip redirects
ip address 10.10.10.5/32
ip address 10.10.10.100/32 secondary
ip ospf network point-to-point
ip router ospf 1 area 0
ip pim sparse-mode

Step 3: Configure VXLAN following the normal VTEP configuration steps.

DCLessons-VTEP-1#
vlan 100
vn-segment 5100
!
interface nve1
source-interface loopback0
member vni 5100 mcast-group 239.1.1.1

vPC peers must have the following identical configurations:

  • Consistent mapping of the VLAN to the virtual network segment (VN-segment)
  • Consistent NVE binding to the same loopback secondary IP address (anycast VTEP address)
  • Consistent VNI-to-group mapping.
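As an added example (not code from the original post), the following Python script checks the three vPC consistency requirements listed above across two VTEP running-config excerpts. The configs are constructed from this page's lab snippets; VTEP-2's VLAN and NVE block is assumed to mirror VTEP-1's.

```python
# Added example: consistency check for the vPC VTEP requirements on this page.
# Config excerpts are constructed from the lab snippets; VTEP-2 is assumed to
# differ only in its primary loopback address.
import re

VTEP1_CFG = """
interface loopback0
  ip address 10.10.10.4/32
  ip address 10.10.10.100/32 secondary
vlan 100
  vn-segment 5100
interface nve1
  source-interface loopback0
  member vni 5100 mcast-group 239.1.1.1
"""
VTEP2_CFG = VTEP1_CFG.replace("10.10.10.4/32", "10.10.10.5/32")

def parse_vtep(cfg):
    """Extract VLAN->VNI, VNI->mcast group and the secondary IPs on the NVE source loopback."""
    vlan_to_vni, vni_to_group, secondaries = {}, {}, {}
    section, nve_source = "", None
    for line in cfg.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line.startswith(" "):          # top-level line opens a new section
            section = s
            continue
        if section.startswith("vlan ") and s.startswith("vn-segment "):
            vlan_to_vni[int(section.split()[1])] = int(s.split()[1])
        elif section.startswith("interface loopback"):
            m = re.match(r"ip address (\S+) secondary$", s)
            if m:
                secondaries.setdefault(section.split()[1], set()).add(m.group(1))
        elif section.startswith("interface nve"):
            if s.startswith("source-interface "):
                nve_source = s.split()[1]
            m = re.match(r"member vni (\d+) mcast-group (\S+)", s)
            if m:
                vni_to_group[int(m.group(1))] = m.group(2)
    # Anycast VTEP address = secondary IP(s) on the loopback the NVE is bound to
    return {"vlan_to_vni": vlan_to_vni, "vni_to_group": vni_to_group,
            "anycast": secondaries.get(nve_source, set())}

def vpc_vtep_mismatches(cfg_a, cfg_b):
    """Return the names of the consistency checks that differ between the two peers."""
    a, b = parse_vtep(cfg_a), parse_vtep(cfg_b)
    return [k for k in ("vlan_to_vni", "anycast", "vni_to_group") if a[k] != b[k]]
```

An empty list means the pair satisfies all three requirements; any name returned points at the block that must be corrected before the anycast VTEP will behave as one logical device.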

vPC Anycast VTEP Address

Cisco Nexus 9300 vPC VTEP switches use a secondary IP address on the loopback interface bound to the VXLAN NVE tunnel as the anycast VTEP address. The two vPC switches must have exactly the same secondary loopback IP address. Both advertise this anycast VTEP address into the underlay network, so the upstream devices learn the /32 route from both vPC VTEPs and can load-share VXLAN unicast-encapsulated traffic between them.

When the vPC peer link fails, the vPC operational secondary switch shuts down the loopback interface that is bound to the VXLAN NVE. This causes the secondary vPC switch to withdraw the anycast VTEP address from its IGP advertisement, so the upstream devices in the underlay network start sending all traffic to the primary vPC switch. This mechanism avoids a vPC active-active situation while the peer link is down. The trade-off is that orphan devices connected to the secondary vPC switch cannot receive VXLAN traffic while the vPC peer link is down.
