
Configuration Examples for vPCs

Step 1 Enable vPC and LACP.


switch# configure terminal
switch(config)# feature vpc
switch(config)# feature lacp
Step 2 (Optional) Configure one of the interfaces that you want to be peer
link in dedicated mode.
switch(config)# interface ethernet 7/1, ethernet 7/3, ethernet 7/5, ethernet 7/7
switch(config-if)# shutdown
switch(config-if)# exit
switch(config)# interface ethernet 7/1
switch(config-if)# rate-mode dedicated
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)#
Step 3 (Optional) Configure the second, redundant interface that you want
to be peer link in dedicated mode.
switch(config)# interface ethernet 7/2, ethernet 7/4, ethernet 7/6, ethernet 7/8
switch(config-if)# shutdown
switch(config-if)# exit
switch(config)# interface ethernet 7/2
switch(config-if)# rate-mode dedicated
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)#
Step 4 Configure the two interfaces (for redundancy) that you want to be in
the peer link to be an active Layer 2 LACP port channel.
switch(config)# interface ethernet 7/1-2
switch(config-if)# switchport
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1-50
switch(config-if)# switchport trunk native vlan 20
switch(config-if)# channel-group 20 mode active
switch(config-if)# exit
Step 5 Create and enable the VLANs.
switch(config)# vlan 1-50
switch(config-vlan)# no shutdown
switch(config-vlan)# exit
Step 6 Create a separate VRF for the vPC peer-keepalive link and add a
Layer 3 interface to that VRF.
switch(config)# vrf context pkal
switch(config-vrf)# exit
switch(config)# interface ethernet 8/1
switch(config-if)# vrf member pkal
switch(config-if)# ip address 172.23.145.218/24
switch(config-if)# no shutdown
switch(config-if)# exit
Step 7 Create the vPC domain and add the vPC peer-keepalive link.
switch(config)# vpc domain 1
switch(config-vpc-domain)# peer-keepalive destination 172.23.145.217 source 172.23.145.218 vrf pkal
switch(config-vpc-domain)# exit
Step 8 Configure the vPC peer link.
switch(config)# interface port-channel 20
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1-50
switch(config-if)# vpc peer-link
switch(config-if)# exit
switch(config)#

Step 9 Configure the interface for the port channel to the downstream
device of the vPC.
switch(config)# interface ethernet 7/9
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1-50
switch(config-if)# switchport trunk native vlan 20
switch(config-if)# channel-group 50 mode active
switch(config-if)# exit
switch(config)# interface port-channel 50
switch(config-if)# vpc 50
switch(config-if)# exit
switch(config)#
Step 10 Save the configuration.
switch(config)# copy running-config startup-config
Nexus Line card Naming Conventions
This post is a brief explanation of how to read the specification of Nexus
series switches' M and F series line modules (or I/O modules) from their names.
I am taking the example of an F-Series I/O module (N7K-F248XP-25); M series
names can be read similarly.
Example:
N7K-F2 48 X P - 2 5
Below is the explanation of each field, along with the other options you
may see on different line cards:
N7K: self-explanatory; it indicates the type of chassis.
F2: the series, family or generation of F series line cards. This one is 2nd
generation, meaning the F2 family. Similarly M1, M2, F3 and so on.
48: number of ports on the card.
X or F or C or G: the port speed.
- G means ports are 1 Gig ports
- X means 10 Gig ports
- F means 40 Gig ports (Ex: N7K-F312FQ-25)
- C indicates 100 G (Ex: N77-F312CK-26)
P or S or T or Q or K or 2: the interface type.
- S means SFP
- P means SFP+
- T means RJ45 (Ex: N7K-F248XT-25E)
- Q means QSFP+ (Ex: N7K-F312FQ-25)
- K means Cisco CPAK (Ex: N77-F312CK-26)
- 2 means X2 (Ex: N7K-M108X2-12L)
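
The naming scheme above as a small decoder, for checking inventory or order lists against what is actually expected in a slot. This is an added example, not code from the original post; the fixed field widths in the pattern are an assumption drawn from the part numbers quoted here.

```python
import re

# Letter codes exactly as listed in the text above.
SPEED = {"G": "1 Gig", "X": "10 Gig", "F": "40 Gig", "C": "100 Gig"}
IFACE = {"S": "SFP", "P": "SFP+", "T": "RJ45", "Q": "QSFP+",
         "K": "Cisco CPAK", "2": "X2"}

# Assumption: the series is one letter plus one digit and the port count is
# two digits, as in every part number quoted on this page (48, 12, 08).
PART_RE = re.compile(
    r"^(?P<chassis>N[0-9A-Z]{2})-"
    r"(?P<series>[A-Z]\d)(?P<ports>\d{2})"
    r"(?P<speed>[A-Z])(?P<iface>[A-Z0-9])-"
    r"(?P<suffix>[0-9A-Z]+)$"
)


def decode_linecard(part_number):
    """Split a part number such as N7K-F248XP-25 into its named fields."""
    m = PART_RE.match(part_number.strip().upper())
    if m is None:
        raise ValueError(f"unexpected part number layout: {part_number!r}")
    if m["speed"] not in SPEED:
        raise ValueError(f"unknown speed code {m['speed']!r} in {part_number!r}")
    if m["iface"] not in IFACE:
        raise ValueError(f"unknown interface code {m['iface']!r} in {part_number!r}")
    return {
        "chassis": m["chassis"],
        "series": m["series"],
        "ports": int(m["ports"]),
        "speed": SPEED[m["speed"]],
        "interface": IFACE[m["iface"]],
        # The trailing field (25, 25E, 12L, 26) is not explained in the
        # text, so it is returned undecoded.
        "suffix": m["suffix"],
    }


if __name__ == "__main__":
    # Part numbers quoted in the text above.
    for pn in ("N7K-F248XP-25", "N7K-F312FQ-25", "N77-F312CK-26",
               "N7K-F248XT-25E", "N7K-M108X2-12L"):
        print(pn, decode_linecard(pn))
```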

Nexus 5548P vs 5548UP vs 5596UP Switch


I am often asked what the difference is between the Nexus 5548P and 5548UP
switches. In this post I am going to explain the differences between these two,
and will also include the 5596UP in the discussion.
First of all, all three models are Nexus 5k switches, and specifically 5500
series models.
"U" stands for "Unified" ports. So what does "unified port" mean? Unified
means a port is capable of running as either "Ethernet" or "FC" (Fibre
Channel).
For those who are not aware of SAN protocols: the term "Fibre" here does not
mean the "Fiber" media (i.e. copper vs. fiber) that people refer to when
talking about cables (please note the difference in spelling, Fibre vs. Fiber).
Fibre Channel, or FC, is a protocol stack in SAN, similar to what TCP/IP is to
networks. SAN switches run on FC protocol standards, not Ethernet or TCP/IP.
(Just a high-level overview.)
So, coming back to the 5500 series models: all ports of the 5548UP and 5596UP
models of Nexus 5k can be used in either Ethernet or FC mode; however,
ports on the 5548P do not work in FC mode. But the important thing to note
is that this difference is valid for the built-in fixed ports only. That is,
both the 5548P and 5548UP switches come with 32 built-in (fixed) ports,
plus one expansion module capable of 16 ports.
So, basically, the 5548P supports Unified Ports (Ethernet or native FC) on the
expansion module only; in the 5548UP, however, all ports are unified ports.
The 5596UP comes with 48 built-in ports, plus we can use 3 expansion slots for
additional ports depending on our requirements.
That was the main difference; the other differences are:
- The 5548P and 5548UP switches are 1 RU; the 5596 is a 2 RU switch.
- Switching capacity of the 5548 series is 960 Gbps; the 5596 is 1.92 Tbps.
- The 5548P only supports front-back airflow; the 5548UP and 5596 support
both front-back and back-front.
- A separate Layer 3 daughter card can also be ordered/used to get 160 Gbps
of Layer 3 routing capability in the 5548P and 5548UP switches; the
5596UP can support an L3 routing engine through an expansion module.

Overview to vPC
A virtual PortChannel (vPC) allows links that are physically connected to two
different Cisco Nexus 7000 or 5000 Series devices to appear as a single
PortChannel to a third device. The third device can be a Cisco Nexus 2000
Series Fabric Extender or a switch, server, or any other networking device. A
vPC can provide Layer 2 multipathing, which allows you to create
redundancy by increasing bandwidth, enabling multiple parallel paths
between nodes and load-balancing traffic where alternative paths exist.
After you enable the vPC function, you create a peer keepalive link, which
sends heartbeat messages between the two vPC peer devices.
The vPC domain includes both vPC peer devices, the vPC peer keepalive link,
the vPC peer link, and all the PortChannels in the vPC domain connected to
the downstream device. You can have only one vPC domain ID on each
device.
A vPC provides the following benefits:
- Allows a single device to use a PortChannel across two upstream devices
- Eliminates Spanning Tree Protocol blocked ports
- Provides a loop-free topology
- Uses all available uplink bandwidth
- Provides fast convergence if either the link or a device fails
- Provides link-level resiliency
- Helps ensure high availability
The vPC not only allows you to create a PortChannel from a switch or server
that is dual-homed to a pair of Cisco Nexus 7000 or 5000 Series Switches,
but it can also be deployed along with Cisco Nexus 2000 Series Fabric
Extenders.
The following list defines critical vPC concepts:
vPC: vPC refers to the combined PortChannel between the vPC peer
devices and the downstream device.
vPC peer switch: The vPC peer switch is one of a pair of switches that are
connected to the special PortChannel known as the vPC peer link. One device
will be selected as the primary device, and the other will be the secondary
device.
vPC peer link: The vPC peer link is the link used to synchronize states
between the vPC peer devices. The vPC peer link carries control traffic
between two vPC switches and also multicast, broadcast data traffic. In some
link failure scenarios, it also carries unicast traffic. You should have at least
two 10 Gigabit Ethernet interfaces for peer links.
vPC domain: This domain includes both vPC peer devices, the vPC peer
keepalive link, and all the PortChannels in the vPC connected to the
downstream devices. It is also associated with the configuration mode that
you must use to assign vPC global parameters.
vPC peer keepalive link: The peer keepalive link monitors the vitality of a
vPC peer switch. The peer keepalive link sends periodic keepalive messages
between vPC peer devices. The vPC peer keepalive link can be a
management interface or switched virtual interface (SVI). No data or
synchronization traffic moves over the vPC peer keepalive link; the only
traffic on this link is a message that indicates that the originating switch is
operating and running vPC.
vPC member port: vPC member ports are interfaces that belong to the
vPCs.
vPC configuration on the Cisco Nexus 5000 Series includes these steps:
- Enable the vPC feature.
- Create a vPC domain and enter vpc-domain mode.
- Configure the vPC peer keepalive link.
- (Optional) Configure system priority.
- (Optional) Configure vPC role priority.
- Create the vPC peer link.
- Move the PortChannel to vPC.
Intro to OTV
Let's say we have 3 switches (A, B, C). Switch A is connected to B and Switch
B is connected to Switch C, and Switch A has 2 VLANs created on it, VLAN 10
and 20. What if we want VLAN 10 and 20 to be extended to Switch C
over Switch B? We simply have to create VLAN 10 and 20 on both Switch B
and C and allow both VLANs on the trunks connecting the switches, right? And
it's simple!!
If you look at this pic, we have two datacenters, DC1 and DC2, which are
geographically far away from each other, let's say one in New York and
another one in Los Angeles, and there are some servers in both
data centers; however, they sync their heartbeat over Layer 2 only and don't
work over Layer 3. So we have a requirement to extend VLAN 10
and 20 from DC1 to another data center, DC2!! You may call it Datacenter
Interconnect (DCI).
Can we do the same thing we did to extend the VLANs from Switch A to
Switch C in the above example? Of course not!! So what are the solutions to
achieve this?
Until OTV came into the picture, we had a few options to achieve this:
-VPLS
-Dark Fiber (CWDM or DWDM)
-AToM
-L2TPv3
These are services provided by service providers, and they work on
different mechanisms, but basically what they do is provide you a Layer
2 path between DC1 and DC2, similar to a trunk link between Switch A and
Switch B. So what does that mean? If a broadcast or an ARP request is
sent, will it travel across the service provider to the other data center in
that VLAN? Of course YES!! Your STP domain will also get extended over the DCI.
So, even if a device in VLAN 10 in DC1 is trying to communicate with another
device that is also in DC1, the ARP request will go all the way to the DC2
switches on which that particular VLAN is configured.
So, to avoid such problems, Cisco introduced OTV (Overlay Transport
Virtualization), which is basically a DCI (data center interconnect) technology
to be configured on Nexus switches. Using OTV, we can extend Layer 2
between two or more datacenters over the traditional L3 infrastructure provided
by the service provider; we don't need a separate L2 link for Layer 2
extension, and we are still able to limit the STP domain and unnecessary
broadcasts over WAN links. It can overlay multiple VLANs with a simple design.
Basically, the datacenters are able to advertise their MAC
addresses to each other (it's called "MAC in IP" routing), and a decision can
be made on the basis of the MAC address whether it is local or in another
data center; based on that, a frame can be forwarded or limited to a
particular data center only. OTV uses a control protocol to map MAC address
destinations to IP next hops that are reachable through the normal L3 network
core.
So, in Cisco's language: "OTV can be thought of as MAC routing in which the
destination is a MAC address, the next hop is an IP address, and traffic is
encapsulated in IP so it can simply be carried to its MAC routing next hop
over the core IP network. Thus a flow between source and destination host
MAC addresses is translated in the overlay into an IP flow between the source
and destination IP addresses of the relevant edge devices. This process is
called encapsulation rather than tunneling as the encapsulation is imposed
dynamically and tunnels are not maintained"

How this is implemented, I will show in another simplified post!! Thank you!!
Fex Identity-Mismatch (identity-mismatch error on nexus 5k)
While checking FEX links, we got the "Identity-Mismatch" error, as
shown below in the "sh int fex" output:
Nexus-5k-1# sh int fex-fabric
     Fabric    Fabric             Fex     FEX
Fex  Port      Port State         Uplink  Model            Serial
--------------------------------------------------------------
103  Eth1/17   Active             1       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/18   Active             2       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/19   Active             3       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/20   Active             4       N2K-C2248TP-1GE  JAX1122AAA
105  Eth1/23   Active             1       N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/24   Active             2       N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/25   Identity-Mismatch  4       N2K-C2248TP-1GE  PQR3344DDD  <<<Notice this
105  Eth1/26   Active             4       N2K-C2248TP-1GE  MLX1122BBB

Nexus-5k-2# sh int fex-fabric
     Fabric    Fabric             Fex     FEX
Fex  Port      Port State         Uplink  Model            Serial
--------------------------------------------------------------
102  Eth1/17   Active             1       N2K-C2248TP-1GE  LMN2244CCC
102  Eth1/18   Active             2       N2K-C2248TP-1GE  LMN2244CCC
102  Eth1/19   Active             3       N2K-C2248TP-1GE  LMN2244CCC
102  Eth1/20   Active             4       N2K-C2248TP-1GE  LMN2244CCC
104  Eth1/23   Active             1       N2K-C2248TP-1GE  PQR3344DDD
104  Eth1/24   Active             2       N2K-C2248TP-1GE  PQR3344DDD
104  Eth1/25   Active             3       N2K-C2248TP-1GE  PQR3344DDD
104  Eth1/26   Identity-Mismatch  3       N2K-C2248TP-1GE  MLX1122BBB  <<<Notice this

Basically, this error is related to incorrect cabling.
As we know, a Nexus 2k switch (FEX) is connected to its parent Nexus
5k over FEX links.
One FEX (2k) can be dual-homed to two Nexus 5k switches, and when a
Nexus 2k is connected to a Nexus 5k, a unique FEX associate number is
assigned to that particular 2k to identify it uniquely.
So, I had four Nexus 2k switches whose serial numbers
are JAX1122AAA, MLX1122BBB, PQR3344DDD and LMN2244CCC.
JAX1122AAA and MLX1122BBB are FEX switches for Nexus-5k-1, and
PQR3344DDD and LMN2244CCC are part of Nexus-5k-2. JAX1122AAA has
been given FEX associate number 103 and MLX1122BBB has been given
105; LMN2244CCC is assigned 102 and PQR3344DDD is assigned 104. Each
FEX is connected to its parent switch via 4 FEX links.
Ideally, all 4 FEX links under the same FEX associate number should
go to the same 2k; however, one of our onsite engineers incorrectly cabled
one of the FEX links from 103 on Nexus-5k-1 to another 2k which was part of
FEX number 104 on Nexus-5k-2, and we started getting identity mismatch. As
you can see in the above output, under FEX 105 on Nexus-5k-1, Eth1/25 is
showing serial number PQR3344DDD while all other interfaces are
showing MLX1122BBB, and vice versa on Nexus-5k-2 for Eth1/26.
In order to verify cabling and make sure the right FEX (2k) is connected to
the correct parent 5k switch with respect to its FEX associate number, we can
use the "show interface fex-fabric" command and verify from the serial
numbers that all are the correct switches.
Once the cables were swapped, we started getting the right serial number for
Eth1/25.
Nexus-5k-1# sh int fex-fabric
     Fabric    Fabric             Fex     FEX
Fex  Port      Port State         Uplink  Model            Serial
--------------------------------------------------------------
103  Eth1/17   Active             1       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/18   Active             2       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/19   Active             3       N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/20   Active             4       N2K-C2248TP-1GE  JAX1122AAA
105  Eth1/23   Active             1       N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/24   Active             2       N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/25   Active                     N2K-C2248TP-1GE  MLX1122BBB  >>>>Correct now
105  Eth1/26   Active                     N2K-C2248TP-1GE  MLX1122BBB
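
The serial-number check described above can be automated so that a mis-cabled fabric link is caught on every audit, not only when someone reads the table. The following is an added example, not part of the original post; the sample rows are constructed from the values in the first Nexus-5k-1 output, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: well-formed rows carrying the values from the first
# Nexus-5k-1 output above (header lines omitted).
SAMPLE = """\
103  Eth1/17  Active             1  N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/18  Active             2  N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/19  Active             3  N2K-C2248TP-1GE  JAX1122AAA
103  Eth1/20  Active             4  N2K-C2248TP-1GE  JAX1122AAA
105  Eth1/23  Active             1  N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/24  Active             2  N2K-C2248TP-1GE  MLX1122BBB
105  Eth1/25  Identity-Mismatch  4  N2K-C2248TP-1GE  PQR3344DDD
105  Eth1/26  Active             4  N2K-C2248TP-1GE  MLX1122BBB
"""

ROW_RE = re.compile(
    r"^\s*(?P<fex>\d+)\s+(?P<port>Eth\S+)\s+(?P<state>\S+)\s+"
    r"(?P<uplink>\d+)\s+(?P<model>\S+)\s+(?P<serial>\S+)\s*$"
)


def parse_fex_fabric(text):
    """Return one dict per data row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def find_miscabled(rows):
    """Flag fabric ports whose FEX serial differs from the serial seen on
    most links of the same FEX number, or whose state is Identity-Mismatch.
    Returns (fex, port, serial_seen, serial_expected) tuples."""
    by_fex = defaultdict(list)
    for row in rows:
        by_fex[row["fex"]].append(row)
    findings = []
    for fex, links in sorted(by_fex.items()):
        counts = Counter(r["serial"] for r in links)
        expected, hits = counts.most_common(1)[0]
        if len(counts) > 1 and hits * 2 <= len(links):
            expected = None  # no majority: cannot tell which cable is wrong
        for r in links:
            if (expected is None or r["serial"] != expected
                    or r["state"] == "Identity-Mismatch"):
                findings.append((fex, r["port"], r["serial"], expected))
    return findings


if __name__ == "__main__":
    for finding in find_miscabled(parse_fex_fabric(SAMPLE)):
        print("check cabling:", finding)
```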

Command Difference in Nexus Devices


sh ip int brief doesn't work on Nexus series switches (7000, 5000) the way it
does on other IOS-based switches.
This command only shows Layer 3 interfaces, and only for a specific VRF.
For example, if you have to see the management VRF interface, then you need to
do a "sh ip int brief vrf management".
If you do not specify any VRF, then Nexus will only show the default VRF
interfaces, as shown below:
Nexus7k# sh ip int brief
IP Interface Status for VRF "default"(1)
Interface            IP Address      Interface Status

Nexus7k# sh ip int brief vrf management
IP Interface Status for VRF "management"
Interface            IP Address      Interface Status
mgmt0                10.7.6.5        protocol-up/link-up/admin-up
If you want to see the status of all the interfaces, then you need to do a
"sh int brief" instead of "sh ip int brief".
switch# show interface brief
--------------------------------------------------------------------------------
Ethernet      VLAN   Type Mode   Status  Reason                   Speed     Port
Interface                                                                   Ch #
--------------------------------------------------------------------------------
Eth1/1        1      eth  trunk  up      none                     10G(D)    4000
Eth1/2        1      eth  trunk  up      none                     10G(D)    4000
Eth1/3        1      eth  trunk  up      none                     10G(D)    4000
Eth1/4        1      eth  trunk  up      none                     10G(D)    4000
Eth1/5        1      eth  access down    SFP not inserted         10G(D)    --
Eth1/6        1      eth  access down    SFP not inserted         10G(D)    --
Eth1/7        1      eth  trunk  up      none                     10G(D)    10
