VPC Consistency Check and failover Scenarios

Posted on Jan 24, 2020

Cisco Fabric Services (CFS) Protocol:

Cisco Fabric Services (CFS) is a reliable protocol that performs the following functions:

  • Configuration validation and comparison (consistency check)
  • Synchronization of MAC addresses for vPC member ports
  • vPC member port status advertisement
  • Spanning Tree Protocol management
  • Synchronization of HSRP and IGMP snooping

Cisco Fabric Services is enabled by default as soon as the vPC feature is turned on. CFS messages are encapsulated in Ethernet frames and tagged with CoS 4 for reliable communication.

You can check CFS for vPC with the following command:

7K1# sh cfs application
Application     Enabled       Scope
arp                   Yes          Physical-eth
pim                  Yes          Physical-eth
stp                   Yes          Physical-eth
vpc                  Yes          Physical-eth
igmp                Yes          Physical-eth
l2fm                 Yes          Physical-eth

vPC Configuration consistency check

As soon as the vPC feature is enabled, CFS starts working. Once the configuration is done, CFS checks and validates the configuration on both peer devices. Based on this validation and comparison, CFS classifies the configuration and its errors into two types of consistency checks:

  • Type 1 - Puts peer device or interface into a suspended state to prevent invalid packet forwarding behaviour. With vPC Graceful Consistency check, suspension occurs only on the secondary peer device.
  • Type 2 - The peer device or interface still forwards traffic. However, it is subject to undesired packet forwarding behaviour.

Type 1 and Type 2 consistency checks apply to both global configuration and vPC interface configuration.

Type-1 Consistency Check:

Once CFS starts running on both peer devices, the CFS protocol provides a copy of the configuration on the local vPC peer device to the remote vPC peer device. The per-interface parameters must be consistent per interface, and the global parameters must be consistent globally.

When a Type 1 inconsistency is detected, the following action is taken:

  • For a global configuration Type 1 inconsistency, all vPC member ports are set to the down state.
  • For a vPC interface configuration Type 1 inconsistency, the misconfigured vPC is set to the down state.

Use the following command to check and display the global configuration and vPC

show vpc consistency-parameters global

Below lists global configuration parameters that are taken into account for type-1 consistency check.

Below lists the per vPC interface parameters that are taken into account for type-1 consistency check.

Use the following command to check and display the interface configuration and vPC

show vpc consistency-parameters interface port-channel <id>

Type-2 Consistency Check

When a Type 2 inconsistency is detected, moderate action or no action is taken.

For a global configuration Type 2 inconsistency, all vPC member ports remain in the up state and the vPC systems trigger protective actions.

For a vPC interface configuration Type 2 inconsistency, the misconfigured vPC remains in the up state. However, depending on the discrepancy type, the vPC systems will trigger protective actions. The most typical case involves the allowed VLANs in the vPC interface trunking configuration. In that case, the vPC systems disable, on the vPC interface, the VLANs that do not match on both sides.
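As an added example (not part of the original post), the Python sketch below compares the local and peer values in consistency-parameter output and reports the effect the text describes for each mismatch. The column layout, the sample values and the function names expand_vlans and check are assumptions made for this illustration.

```python
import re

# Constructed sample, assumed to follow the Name/Type/Local Value/Peer Value
# column layout of "show vpc consistency-parameters interface port-channel <id>".
SAMPLE = """\
Name                        Type  Local Value            Peer Value
-------------               ----  ---------------------- -----------------------
STP Port Type               1     Default                Default
mode                        1     active                 active
MTU                         1     1500                   9216
Allowed VLANs               -     10-20,30               10-15,30,40
"""

def expand_vlans(spec):
    """Turn '10-20,30' into a set of VLAN IDs; '-' or empty means no VLANs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check(output, scope="interface"):
    """Return (parameter, type, effect) for every row whose values differ."""
    findings = []
    for line in output.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4 or fields[1] not in ("1", "2", "-"):
            continue  # header, separator or legend line
        name, ctype, local, peer = fields
        if local == peer:
            continue
        if name == "Allowed VLANs":
            # Type 2 case from the text: the vPC stays up, but VLANs that
            # do not match on both sides are disabled on it.
            diff = sorted(expand_vlans(local) ^ expand_vlans(peer))
            findings.append((name, "2", "VLANs disabled on the vPC: %s" % diff))
        elif ctype == "1":
            effect = ("all vPC member ports down" if scope == "global"
                      else "this vPC down")
            findings.append((name, "1", effect))
        else:
            findings.append((name, ctype, "vPC stays up, protective action possible"))
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

Running the same check against output saved before and after a change window shows which mismatch would suspend a vPC before the change reaches production.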

Below lists type 2 consistency check parameters.

vPC Failover Scenarios:

There are several vPC failover cases. We will discuss them one by one, and in the LAB section we will also verify the same facts:

vPC peer keepalive link failure

During a vPC peer keepalive link failure there is no impact on traffic flow. But it is recommended to restore the peer keepalive link as soon as possible to avoid a dual active scenario.

vPC peer link failure

When the vPC peer-link fails and the keepalive is still up, the Keepalive Hold timer is activated and the secondary peer ignores keepalive messages for that time period. Once the Keepalive Timeout timer is activated, the secondary switch performs the following actions:

  • It suspends its vPC member ports.
  • It shuts down the SVIs associated with vPC VLANs.

As a result, all northbound and southbound traffic follows the primary switch.

If orphan ports are connected to vPC secondary peer device, they become isolated once peer-link is down. In a VXLAN + vPC implementation, when a vPC peer-link shuts down, all Layer 2 or Layer 3 orphan receivers behind the non-forwarder (shut down vPC peer-link) will not receive any traffic.

To maintain Layer 3 connectivity to these orphan ports, a command is available to prevent the SVI (associated to vPC VLAN) from being shut down: dual-active exclude interface-vlan.

Use this command to keep desired SVI in UP state when vPC peer-link goes down:

N7k(config-vpc-domain)# dual-active exclude interface-vlan

The VLANs listed in this knob must be vPC VLANs. Using a non-vPC VLAN has no effect, since the SVIs associated with those VLANs are not shut down when the vPC peer-link goes down.

vPC keepalive link failure followed by a peer link failure

If the vPC keepalive link fails first and then the peer link fails, the vPC primary switch continues to be primary, but the vPC secondary switch becomes the operational primary switch and keeps its vPC member ports up. This is known as a dual-active scenario, also called a split-brain scenario. In this scenario there is no loss of traffic for existing flows, but new flows can be affected: because the peer link is not available, the two vPC switches cannot synchronize unicast MAC addresses and therefore cannot maintain complete unicast and multicast forwarding tables, and there may be some duplicate packet forwarding.

vPC Primary switch Failure

In a vPC topology, if a failure occurs on the primary switch, the secondary switch becomes the operational primary switch. When the primary switch comes back, it takes the role of vPC operational secondary.
