Wednesday 12 March 2014

A step back and a leap forward

I've decided to take a step back before proceeding to FabricPath, instead I am reading and watching videos of Nexus Hardware Architecture again just to familiarise myself with this new (to me, at least) platform. 

I was lost in documents, articles, discussion forums about Nexus and it's caveats. Lots to remember, so many information but so far it's been pretty exciting stuff. I've also drafted my FabricPath post but I've decided to skip FabricPath for now and leap forward to Layer 3 (and redundancy protocol) configuration of Nexus.

Coming from Routing-Switching experiences, layer 3 routing protocols probably doesn't change much between IOS and NX-OS. The second reason for this is, NX-OS book that I am reading does not have much content on FabricPath, and I intend to fully tackle that subject cautiously. I wanted to know more about it, means more videos watching, more documentations reading and all those fun stuff.

Meanwhile, when I read back about VDC, I quickly whipped up Excel and wrote down the interface allocation rules in VDC:


Monday 10 March 2014

vPC peer-switch and spanning-tree pseudo-information

By default, when we create a vPC domain, it will automatically primary and secondary vPC device. Since I am one of those "don't leave anything automatically" engineers, it's usually a good idea to manually assign the priority value (lower is better). Default value is 32667.

Configuration:

NX-DC1# configure terminal
NX-DC1(config)# vpc domain 10
NX-DC1(config-vpc-domain)# role priority 3000

Also, bear in mind there is no role preemption in vPC. If the primary fails, secondary vPC takes over as primary even after primary vPC comes back up.

vPC peer-switch allows a pair of NX-OS device to be viewed as a single STP point. 
This avoids STP problem if there's convergence between vPC devices. Remember to set the same spanning tree priority (for vPC VLANs only) in both NX-OS devices.


Configuration:

NX-DC1# configure terminal 
NX-DC1(config)# vpc domain 10
NX-DC1(config-vpc-domain)# peer-switch
NX-DC1(config-vpc-domain)# spanning-tree vlan 1-200 priority value 4096 


Spanning-tree pseudo-information is only required when we mix usual STP with vPC, I believe the cool term is hybrid peer switch topology.

Two sub commands inside: root priority and designated priority.

NX-DC1(config)#spanning-tree pseudo-information
NX-DC1(config-pseudo)#vlan 1-100 root priority 4096

Root priority is for the benefit of vPC-enabled devices. Cisco recommends this value to be lower than the 'normal' STP root priority value to avoid topology changes during failures of vPC. 

The logic is, if peer-link becomes inactive due to whatever reason (eg: rebooted),  other vPC peer would use it's own local MAC Address (default of STP behaviour) and participates in STP. If it's local MAC Address is better than the normal STP root bridge, STP will recalculate and all hell breaks loose.

The root priority (set with same value on both vPC peers) address this issue. It ensures vPC peers are using this value instead of using it's own local MAC Address.  

NX-DC1(config)#spanning-tree pseudo-information
NX-DC1(config-pseudo)#vlan 99 designated priority 8192
NX-DC1(config-pseudo)#vlan 100 designated priority 12288

NX-DC2(config)#spanning-tree pseudo-information
NX-DC2(config-pseudo)#vlan 99 designated priority 12288
NX-DC2(config-pseudo)#vlan 100 designated priority 8192

Designated priority is for the benefit of non-vPC-enabled device, it's purpose is to do manual load balancing.

A very good explanatory documentation here:
Title: Nexus 7000 Peer-Switch Configuration (Hybrid Setup)
http://www.cisco.com/c/en/us/support/docs/routers/7000-series-routers/116140-config-nexus-peer-00.html




Friday 7 March 2014

vPC peer-gateway

Basically vPC doesn't like if the traffic passes by the vPC peer-link. By default, this kind of traffic might be dropped as a loop avoidance mechanism in NX-OS. Loop avoidance does not enable traffic received on a vPC peer-link to be forwarded out a vPC interface. 

vPC peer-gateway allows the active router to forward packets destined for a destination MAC address of the peer router, instead of passing it through the peer-link to the non active router.

Some load balancers do not always follow the routing table, for example, F5, upon checking F5 website and looks like it's called "Auto Last Hop" feature. Taken from F5 website 
(http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13876.html):

Auto Last Hop is a setting that allows the BIG-IP system to track the source MAC address of incoming connections and return traffic from pools to the source MAC address, regardless of the routing table.

So in layman terms, it would seem that F5 simply swap source and destination MAC address with this feature enabled.

Apparently other vendor is using similar technology (with different names), eg EMC though I don't use EMC in my day work.

Configuration:

NX-DC1(config)#vpc domain 1
NX-DC1(config-vpc-domain)# peer-gateway

Introduction to VDC and vPC

So I've decided to start reading an NX-OS book (http://www.amazon.com/NX-OS-Cisco-Nexus-Switching-Next-Generation/dp/1587143046). Considering the company I work for intends to overhaul our data centre, I thought it would be a great idea to start reading some of this stuff.

I am following CCIE Data Centre book recommendation list, which means a long list of books that need to be covered. Started this book two days ago, and though I am uncertain that I'll ever pursue CCIE DC, I am excited to go through new technologies I am not familiar with. 

Since I am not feeling well today, I couldn't even get my eyes to read 3 pages of vPC, I'd like to gather my thoughts on what I read so far, also as a summary so I can quickly glance through my own post if I need to check something.

NX-OS is not so different than IOS in terms of networking technologies. Most of it are still the same (with the exception of syntax, of course). STP is still the same ol' STP, private VLAN, VTP, LACP, Etherchannel (or new fancy name Port channel) have the same concept with IOS.

Difference in technology comes with VDC and vPC (so far about 15% completed on the book).

VDC allows us to have multiple virtual switch inside one physical switch and those VDCs are isolated one another. 

vPC is a virtual port channel which allows us to share a port channel between two different NX-OS devices. It relies on these two configuration:

1. vPC keepalive, which basically is assigning an IP address to and interface (for each NX-OS devices participating in vpc), put it in vrf member vpc-keepalive and ensure they can ping each other. In short, it's a Layer 3 heartbeat link.

Messages are UDP port 3200, with 96 bytes long (32 bytes of it are payload).

2. vPC peer-link, in easier sentence to understand (at least for me), is to tell an NX-OS device who is it's neighbor. This is used to exchange state information between vPC peers.

vPC peer-link is a Layer 2 trunk acts to sync MAC Address, vPC state, CFS (Cisco Fabric Service), IGMP, etc. 

Minimum connection is 10G Ethernet.

Steps to configure vPC:

1. Enable feature vpc
2. Create a vrf context [keepalive-test]
3. Assign IP address to an interface on each NX-OS device
4. Assign the created vrf to this interface on each NX-OS device
5. Ensure the NX-OS devices can ping each other
6. Configure peer-keepalive destination [peer keepalive IP address] source [own keepalive IP address] vrf [keepalive-test]. This is configured in vpc domain level.
7. Configure vpc peer-link in the port channel between NX-OS devices
8. Add port channels to the vPC.



Next I would read about vpc peer-gateway, vpc peer-switch and FabricPath.