VPC Configuration Best Practices

Posted on Jan 24, 2020

vPC Configuration steps:

Configuring vPC in a datacenter involves the following steps. We will take them one by one and discuss the best practices associated with each.

  • Configure vPC Domain
  • Configure vPC Peer-Keepalive Link
  • Configure vPC Peer-Link
  • Configure vPC member Port (vPC)

Configuring vPC domain and Peer-keepalive Link

A vPC domain contains at most two Nexus switches, which are grouped together to participate in vPC. A vPC domain is configured by entering the following command in the Nexus CLI: vpc domain <id>

N7K1(config)# vpc domain 10

The ID is an identifier and should be the same on both vPC peer devices.

Following are the steps to configure vPC domain:

  • Configure vpc domain <id> globally on both peer switches
  • Configure the vPC peer-keepalive link on both peers and ensure this link is operational, otherwise the vPC domain will not form successfully.

The peer-keepalive link can be configured with the following commands:

N7K1(config)# vpc domain 10
N7K1(config-vpc-domain)# peer-keepalive destination <IP of second peer switch> source <IP of first peer> vrf management

The vPC domain identifier must be the same on both peer switches. When it is, the vPC system generates a virtual vPC system MAC address that is the same on both peer devices.

The vPC system MAC address is generated from the following standard MAC: 00:23:04:ee:be:<vPC domain ID in hexadecimal>

Suppose we have configured vpc domain 10. The hexadecimal of 10 is '0a', so the vPC system MAC would be: 00:23:04:ee:be:0a

Because both peer switches present the same vPC system MAC address, an access device attached to both peer switches through a vPC sees the two different switches as one logical switch, and the port-channel forms successfully.

The vPC system MAC address can also be configured manually with the command "system-mac <MAC>" inside the vPC domain.

There is also another MAC, called the vPC local system MAC, which is the burned-in MAC address of the switch. This MAC is used for all other communication in the Layer 2 domain, such as STP. The local system MAC address is derived from the system or VDC MAC address.

N7K1# sh vpc role
vPC Role                                      status
vPC role :                                    secondary
Dual Active Detection Status :         0
vPC system-mac :                      00:23:04:ee:be:0a
vPC system-priority :                      32667
vPC local system-mac :             00:22:44:23:aa:b2
vPC local role-priority :                    65534

Another important feature that should be configured inside the vPC domain is the vPC role. Let's understand it.

vPC Role:

When we configure vPC there are two defined vPC roles: primary and secondary. The peer switch with the lower priority assumes the primary role and the other becomes secondary. If the priorities are equal, the vPC local system MAC address comes into the picture.

We can configure the priority manually:

  • role priority <value>
  • Value: between 1 and 65535.

The vPC role defines which of the two peer switches processes BPDUs and responds to ARP requests.

N7K2# sh vpc role
vPC Role                                   status
vPC role :                                    secondary
Dual Active Detection Status :        0
vPC system-mac :                     00:23:04:ee:be:0a
vPC system-priority :                      32667
vPC local system-mac :            00:22:44:14:aa:a2
vPC local role-priority :                   65534

The vPC primary and secondary roles also matter in the case of a vPC peer-link failure, which we will discuss in detail in another section. As an overview: whenever the peer-link goes down, vPC shuts the vPC member ports on the secondary peer switch, along with all SVIs configured on that secondary peer switch that are associated with vPC VLANs.

There is also the concept of an operational role: operational primary and operational secondary. The operational role is driven by the real-time behavior of the peer devices. When the vPC domain is configured and made operational, the vPC role is always equal to the operational role. After an event, however, the secondary can become the operational primary, for example when the primary goes down and comes back up.

The vPC role is non-preemptive, so to manually preempt the operational primary role for a vPC peer device, two things can be tried. Log in to the device that you want to make operational primary:

  1. Configure role priority with a lower value than the other peer device
  2. Bounce the peer-link (shut and no shut) to force the change.
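
As an added example (not part of the original article), the following Python code cross-checks "show vpc role" output collected from both peers against the rules described above. The sample output is constructed, the function names are hypothetical, only domain IDs 1-255 are covered, and the tie-break assumes that the lower local system MAC wins when role priorities are equal; a manually configured system-mac will be reported as a mismatch.

```python
import re

SYSTEM_MAC_PREFIX = "00:23:04:ee:be"  # prefix given in the article

# Constructed sample output (not captured from a real switch).
PEER_A = """vPC role : primary
vPC system-mac : 00:23:04:ee:be:0a
vPC local system-mac : 00:22:44:14:aa:a2
vPC local role-priority : 100"""
PEER_B = """vPC role : secondary
vPC system-mac : 00:23:04:ee:be:0a
vPC local system-mac : 00:22:44:23:aa:b2
vPC local role-priority : 200"""
# Constructed faulty peer: wrong domain ID, same role and priority as PEER_A.
PEER_B_BAD = PEER_B.replace("be:0a", "be:0b").replace("secondary", "primary").replace("200", "100")


def parse_vpc_role(text):
    """Parse the 'name : value' lines of 'show vpc role' into a dict."""
    pairs = (re.match(r"\s*(.+?)\s*:\s+(.+?)\s*$", ln) for ln in text.splitlines())
    return {m.group(1).lower(): m.group(2).lower() for m in pairs if m}


def expected_system_mac(domain_id):
    """Auto-generated system MAC; only one-byte domain IDs are handled here."""
    if not 1 <= domain_id <= 255:
        raise ValueError("domain ID outside the range this example covers")
    return f"{SYSTEM_MAC_PREFIX}:{domain_id:02x}"


def elected_primary(a, b):
    """Return 'a' or 'b': lower role priority wins, then lower local MAC (assumed)."""
    rank = lambda p: (int(p["vpc local role-priority"]), p["vpc local system-mac"])
    return "a" if rank(a) <= rank(b) else "b"


def audit_peers(domain_id, out_a, out_b):
    """Return a list of findings; an empty list means the pair looks consistent."""
    a, b = parse_vpc_role(out_a), parse_vpc_role(out_b)
    findings = []
    if a["vpc system-mac"] != b["vpc system-mac"]:
        findings.append("system-mac differs between peers")
    for name, peer in (("a", a), ("b", b)):
        if peer["vpc system-mac"] != expected_system_mac(domain_id):
            findings.append(f"peer {name}: system-mac does not match domain {domain_id}")
    if a["vpc role"] == b["vpc role"]:
        findings.append(f"both peers report role {a['vpc role']}")
    if a["vpc local role-priority"] == b["vpc local role-priority"]:
        findings.append("equal role priority, local system MAC decides")
    return findings
```

Because the role is non-preemptive, the result of elected_primary describes the configured election outcome, which can differ from the operational role a peer currently reports.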

vPC VLAN Configuration:

Before configuring vPC, configure the vPC VLANs, and allow them on the peer-link once the peer-link is configured.

VPC Peer-Keepalive Link:

This link carries a periodic keepalive message between the two peer devices every second (the peer-keepalive timer is 1 second). The link is used at boot-up of the vPC system to make sure that both peer devices are up before the vPC domain forms.

This link is also used to protect against or prevent the dual-active (split-brain) scenario, which we will discuss later in another section.

The peer-keepalive message is a UDP message on port 3200 and is 96 bytes long with a 32-byte payload. The following timers are used on the vPC peer-keepalive:

  • Keepalive Interval: 1 Sec
  • Keepalive Hold Time Out: 3 Sec
  • Keepalive Timeout: 5 Sec

  • Keepalive Hold Timeout: As soon as the peer-link goes down, this timer starts, and during this period the secondary vPC peer ignores any keepalive message.
  • Keepalive Timeout: During this period, the secondary device looks for keepalive messages from the vPC primary device; if a single hello is received, the secondary concludes that this must be a dual-active scenario and disables its vPC member ports.

N7k(config-vpc-domain)# peer-keepalive destination ipaddress [source ipaddress | hold-timeout secs | interval msecs {timeout secs}]

N7K1# sh vpc peer-keepalive
vPC keep-alive status :   peer is alive
--Peer is alive for :      (22) seconds, (255) msec
--Send status :            Success
--Last send at :           2011.06.07 15:24:28 339 ms
--Sent on interface :   Eth1/24
--Receive status :      Success
--Last receive at :      2011.06.07 15:24:27 597 ms
--Received on interface : Eth1/24
--Last update from peer :        (0) seconds, (857) msec
vPC Keep-alive parameters
--Destination :              
--Keepalive interval :              1000 msec
--Keepalive timeout :              5 seconds
--Keepalive hold timeout :      3 seconds
--Keepalive vrf :                     peerkeepalive
--Keepalive udp port :            3200
--Keepalive tos :                     192

Strong Recommendations: When building a vPC peer-keepalive link, use the following in descending order of preference:

  1. Dedicated link(s) (1-Gigabit Ethernet port is enough) configured as L3. Port-channel with 2 X 1G port is even better.
  2. Mgmt0 interface (along with management traffic)
  3. As a last resort, route the peer-keepalive link over the Layer 3 infrastructure

vPC Peer-Keepalive Using mgmt0 with dual supervisor on each Nexus 7000

It is strongly recommended that whenever you use dual supervisors in a Nexus 7000 and use mgmt0 for the peer-keepalive, you never connect them point to point like this:

  • Mgmt0 of SUP 1 (Active) of Nexus 7000 Primary to Mgmt0 of SUP 1 (Active) of Nexus 7000 Secondary
  • Mgmt0 of SUP 1 (Standby) of Nexus 7000 Primary to Mgmt0 of SUP 1 (Standby) of Nexus 7000 Secondary

If the active SUP of the Nexus secondary goes down, its standby takes the active role, and keepalives from the active SUP of the Nexus primary will not reach the second SUP of the secondary, which is now active. Keepalive connectivity may thus be broken. To provide connectivity, use the best practice shown in the figure below:

When using mgmt0 port for vPC peer-keepalive link in a dual supervisor configuration, always use an intermediate L2 switch to interconnect the different supervisors together.

Peer-Keepalive Link & VRF:

  • By default, if you are using mgmt0 for the keepalive link, it is placed in the management VRF.
  • If you need to put the keepalive link in a separate VRF, the following command can be used:

N7k(config-vpc-domain)# peer-keepalive destination <destination IP> source <source IP> vrf <VRF name>

vPC Peer-Link Configuration and Guidelines:

The vPC peer-link is an 802.1Q trunk port-channel interface used for the following:

  • It carries vPC and non-vPC VLANs.
  • It carries Cisco CFS messages, which are tagged with CoS 4.
  • It carries flooded traffic from the vPC peer device.
  • It carries STP BPDUs, HSRP hello messages and IGMP updates.

To configure the peer-link, use the following commands:

interface port-channel10
switchport mode trunk
switchport trunk allowed vlan 1000-1100
spanning-tree port type network
vpc peer-link

For the vPC peer-link, you should use only 10 Gigabit Ethernet ports. The vPC peer-link is supported on all shipping 10G line cards. Some of the supported line cards are:

  • N7K-M132XP-12
  • N7K-M132XP-12L
  • N7K-M108X2-12L
  • N7K-F132XP-15
  • N7K-F248XP-25
  • N7K-F248XP-25E
  • N7K-M224XP-23L
  • N7K-M206FQ-23L
  • N7K-M202CF-22L

Some of the Supported and unsupported topology for Peer-link is given below:

It is not possible to mix different port-type inside same vPC Peer-link because each port-type has different forwarding, queuing and security.

vPC Object Tracking:

Some Nexus 7000 Series switches may have only one M1 10G module and several other 1G modules. This can be a problem if that card is used for both the Layer 2 peer-link and the Layer 3 boundary: when the M module goes down, the vPC peer-link and the L3 boundary go down with it. Because the servers are connected to the other 1G modules, they keep sending traffic to the Nexus switch, but it is dropped because both the peer-link and the L3 link are down due to the M module failure.

In this unique scenario use object tracking. vPC object tracking is used to track failure of all modules on a Cisco Nexus 7000/7700 Series switch on which peer-link and uplinks are hosted. It is also used when the L3 core links and vPC peer-link interfaces are localised on the same module and it fails.

Without the vPC object tracking feature enabled, if the module/modules fails on the vPC primary device that hosts the peer-link and uplinks, it will lead to a complete traffic blackhole even though the vPC secondary device is up and running.

The vPC Object Tracking feature suspends the vPCs on the impaired device so that traffic can be diverted over the remaining vPC peer.

To use vPC object tracking, track both Peer-link interfaces and L3 core interfaces as a list of Boolean objects. Note that the Boolean AND operation is not supported with vPC object tracking.

The vPC object tracking configuration must be applied on both vPC peer devices.

! Track the vpc peer link
track 1 interface port-channel11 line-protocol
! Track the uplinks to the core
track 2 interface Ethernet1/1 line-protocol
track 3 interface Ethernet1/2 line-protocol
! Combine all tracked objects into one.
! “OR” means if ALL objects are down, this object will go down
! ==> we have lost all connectivity to the L3 core and the peer link
track 10 list boolean OR
object 1
object 2
object 3
! If object 10 goes down on the primary vPC peer,
! system will switch over to other vPC peer and disable all local vPCs
vpc domain 1
track 10

vPC Member-port Configuration:

A vPC member port is a port used to connect to an access switch or server. It is configured as a port-channel in vPC via the vpc <vPC id> command under the port-channel.

The port-channel may contain from 1 up to 8 member ports (M1 card) or 16 ports (F1/F2 card). The port-channel is an L2 trunk port or access port: as a trunk port it can carry traffic for multiple VLANs, and as an access port it carries traffic for only one VLAN.

Note: Whenever a vPC VLAN is defined on vPC member port, it MUST be defined also on vPC peer-link. Not defining a vPC VLAN on vPC peer-link will make the VLAN not operational.

interface port-channel10
switchport mode trunk
switchport trunk allowed vlan 10-1000
vpc 10
interface port-channel10
switchport mode trunk
switchport trunk allowed vlan 10-1000
vpc 10
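
The rule in the note above can be checked mechanically. The following Python code is an added example (not from the original article): it parses an NX-OS configuration excerpt and reports every VLAN that a vPC member port-channel carries but the peer-link does not allow. The sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the article or a real device).
SAMPLE = """\
interface port-channel1
  switchport trunk allowed vlan 100-110
  vpc peer-link
interface port-channel20
  switchport trunk allowed vlan 100-105,200
  vpc 20
interface port-channel30
  switchport access vlan 101
  vpc 30
"""


def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_port_channels(config):
    """Map each port-channel to its allowed VLANs and its vpc keyword."""
    channels, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = line.split()[1]
            cur = channels.setdefault(name, {"vlans": set(), "vpc": None}) \
                if name.startswith("port-channel") else None
        elif cur is not None:
            m = re.match(r"switchport (?:trunk allowed|access) vlan (?:add )?([\d, -]+)$", line)
            if m:
                cur["vlans"] |= expand_vlans(m.group(1))
            m = re.match(r"vpc (peer-link|\d+)$", line)
            if m:
                cur["vpc"] = m.group(1)
    return channels


def vlans_missing_on_peer_link(config):
    """Return {member port-channel: VLANs it carries that the peer-link lacks}."""
    channels = parse_port_channels(config)
    peer = set().union(*(c["vlans"] for c in channels.values() if c["vpc"] == "peer-link"))
    members = {n: c for n, c in channels.items() if c["vpc"] not in (None, "peer-link")}
    return {n: sorted(c["vlans"] - peer) for n, c in members.items() if c["vlans"] - peer}
```

For the constructed sample, VLAN 200 on port-channel20 is reported because the peer-link only allows 100-110; the check should be run against the configuration of each peer.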

Following is the supported design and non-supported topology
