了解Nexus VPC环路避免
简介
本文档介绍在基于Nexus的第3层网络设计中,vPC环路抑制可能影响流量转发的情况。
先决条件
要求
Cisco 建议您了解以下主题:
- Nexus操作系统CLI
- vPC概念
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 软件10.4(4)
- 硬件N9K-C9364C-GX
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
背景信息
在当今的数据中心环境中,Cisco Nexus虚拟端口通道(vPC)技术对于实现冗余和负载均衡必不可少。vPC允许连接到两个单独的Nexus交换机作为单个逻辑端口通道,从而简化了网络架构,并提高了下游设备的可靠性。但是,某些配置详细信息可能会带来操作复杂性。
本文档探讨了vPC环路避免变得重要的一些场景,并检查了它对流量转发的影响。对于希望在基于Nexus的基础设施中设计和维护强大、高效的第3层连接的网络工程师来说,清楚地了解此机制至关重要,有助于防止流量中断并保持最佳的网络性能。
问题
在使用vPC的Cisco Nexus环境中,网络操作员可以观察由vPC环路规避规则引起的意外流量转发行为。当流量通过vPC对等链路从一个vPC对等设备传输到另一个vPC对等设备时,它不能通过两台交换机上处于活动状态的任何vPC端口通道退出。因此,依赖此连接路径的设备可能会遇到数据包丢失或连接中断的情况,即使所有物理链路似乎都处于启用状态。
了解并记录vPC环路规避规则对于设计和排除恢复能力强的网络拓扑故障至关重要,因为忽略此行为可能会导致意外的服务中断,并使网络问题的诊断更具挑战性。
网络图
在此拓扑中,vPC域由N9K-C9364C-1和N9K-C9364C-2构成。两台交换机均将VLAN 100和200配置为vPC VLAN,并为每个VLAN设置SVI。vPC域负责这些VLAN之间的VLAN间路由。除非另行指定,否则拓扑中的其他交换机将使用vPC对等交换机之间共享的HSRP虚拟IP(VIP)作为默认路由的下一跳。
- N9K-C9364C-1 SVI配置
interface Vlan100
no shutdown
no ip redirects
ip address 192.168.100.1/24
no ipv6 redirects
hsrp 100
ip 192.168.100.254
interface Vlan200
no shutdown
no ip redirects
ip address 192.168.200.1/24
no ipv6 redirects
hsrp 200
ip 192.168.200.254
- N9K-C9364C-2 SVI配置
interface Vlan100
no shutdown
no ip redirects
ip address 192.168.100.2/24
no ipv6 redirects
hsrp 100
ip 192.168.100.254
interface Vlan200
no ip redirects
ip address 192.168.200.2/24
no ipv6 redirects
hsrp 200
ip 192.168.200.254
场景
情形 1:vPC VLAN的SVI在vPC对等上管理性关闭
a)从vPC到vPC的路由流量受到影响
在工作场景中,N9K-C9504-4(VLAN 200)可以成功ping通N9K-C9364C-3(VLAN 100)。 Traceroute表示连接路径通过192.168.200.2,该路径分配给N9K-C9364C-2。
N9K-C9504-4# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10): 56 data bytes
64 bytes from 192.168.100.10: icmp_seq=0 ttl=253 time=8.48 ms
64 bytes from 192.168.100.10: icmp_seq=1 ttl=253 time=0.618 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=253 time=0.582 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=253 time=0.567 ms
64 bytes from 192.168.100.10: icmp_seq=4 ttl=253 time=0.55 ms
--- 192.168.100.10 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.55/2.159/8.48 ms
N9K-C9504-4#
N9K-C9504-4# traceroute 192.168.100.10
traceroute to 192.168.100.10 (192.168.100.10), 30 hops max, 40 byte packets
1 192.168.200.2 (192.168.200.2) 1.129 ms 0.602 ms 0.724 ms <<<---- SVI 200 on N9K-C9364C-2
2 192.168.100.10 (192.168.100.10) 1.001 ms 0.657 ms 0.588 ms
此时,流量按以下方式运行:
- N9K-C9364C-2接收从192.168.200.20发往192.168.100.10的流量,其中目标MAC地址设置为vPC域中的共享HSRP虚拟MAC(VMAC)。
- 由于HSRP在vPC上从数据平面的角度运行在主用 — 主用模式下,因此N9K-C9364C-2将流量从VLAN 200路由到VLAN 100并通过vPC 10转发出去。
假设在N9K-C9364C-2上关闭SVI 200,但在N9K-C9364C-1上保持活动状态:
N9K-C9364C-1# show ip interface brief
IP Interface Status for VRF "default"(1)
Interface IP Address Interface Status
Vlan100 192.168.100.1 protocol-up/link-up/admin-up
Vlan200 192.168.200.1 protocol-up/link-up/admin-up <<<---- SVI 200 is up
N9K-C9364C-1#
N9K-C9364C-2# show ip interface brief
IP Interface Status for VRF "default"(1)
Interface IP Address Interface Status
Vlan100 192.168.100.2 protocol-up/link-up/admin-up
Vlan200 192.168.200.2 protocol-down/link-down/admin-down <<<---- SVI 200 is down
N9K-C9364C-2#
由于vPC对等体之间SVI的运行状态不同,在vPC域内检测到第2类不一致:
N9K-C9364C-1# show vPC
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : primary
Number of vPCs configured : 2
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Delay-restore Orphan-port status : Timer is off.(timeout = 0s)
Operational Layer3 Peer-router : Disabled
Virtual-peerlink mode : Disabled
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po100 up 1,100,200
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
10 Po10 up success success 1,100,200
20 Po20 up success success 1,100,200
N9K-C9364C-1#
N9K-C9364C-2# show vPC
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 100
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : failed
Type-2 inconsistency reason : SVI type-2 configuration incompatible
vPC role : secondary
Number of vPCs configured : 2
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Operational Layer3 Peer-router : Disabled
Virtual-peerlink mode : Disabled
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po100 up 1,100,200
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
10 Po10 up success success 1,100,200
20 Po20 up success success 1,100,200
N9K-C9364C-2#
在此阶段,从192.168.200.20到192.168.100.10的流量不再成功:
N9K-C9504-4# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
--- 192.168.100.10 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
N9K-C9504-4#
有色ping(具有指定MTU大小的ping)用于跟踪此流量采用的路径:
N9K-C9504-4# ping 192.168.100.10 count 100 timeout 0 packet-size 1030
PING 192.168.100.10 (192.168.100.10): 1030 data bytes
Request 0 timed out
Request 1 timed out
---- snip -----
Request 98 timed out
Request 99 timed out
--- 192.168.100.10 ping statistics ---
100 packets transmitted, 0 packets received, 100.00% packet loss
N9K-C9504-4# ^C
N9K-C9504-4#
根据N9K-C9364C-2上的接口计数器,此流量在port-channel 20上接收并转发到port-channel 100(vPC对等链路):
N9K-C9364C-2# show interface port-channel 20 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
port-channel20
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress vPC po20
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 100 <<<----- Egress po100 (vPC peer-link)
N9K-C9364C-2#
出现此行为的原因是SVI 200在N9K-C9364C-2上关闭,从而阻止了VLAN 200流量的本地路由。在此场景中,流量通过vPC对等链路桥接到N9K-C9364C-1,以便设备执行VLAN间路由。
查看N9K-C9364C-1上的接口计数器,可以确认数据包是通过vPC对等链路到达该设备的,但是,在连接到192.168.100.10的vPC端口通道10上没有观察到传出数据包。
N9K-C9364C-1# show interface port-channel 20 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
port-channel20
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0 <<<----- Expected egress vPC po10. No packets!!!
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress po100 (vPC peer-link)
60. Tx Packets from 1024 to 1518 bytes: = 0
N9K-C9364C-1#
即使流量通过vPC对等链路到达N9K-C9364C-1,它也不会转发到vPC端口通道10。这是因为此vPC的egress_vsl_drop位设置为1,当同一vPC端口通道在对等交换机上运行时(在本例中为N9K-C9364C-2)会发生这种情况。
N9K-C9364C-1# show system internal eltm info interface Po10 | i i vsl
egress_vsl_drop = 1
N9K-C9364C-1#
N9K-C9364C-1# show system internal vPCm info interface Po10 | i "Peer stat|Inform|vPC sta"
IF Elem Information:
MCECM DB Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
PSS Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
Shared Database Information:
Application database Information:
Lock Information:
N9K-C9364C-1#
展示流量和丢弃流量的点的拓扑:
结论:
由于vPC环路规避规则,N9K-C9364C-1丢弃流量:通过vPC对等链路接收的流量不能从两台交换机上处于活动状态的任何vPC端口通道转发出去。”为避免此问题,请确保两台交换机上SVI的管理状态一致且其配置对称。
b)从孤立到vPC主机的路由流量受到影响
考虑在N9K-C9364C-2上关闭SVI 200,但在N9K-C9364C-1上保持活动状态的相同场景。从N9K-C9504-6(VLAN 200)对N9K-C9364C-3(VLAN 100)执行ping操作不成功。
N9K-C9504-6# ping 192.168.100.10 packet-size 1030 count 100 timeout 0
PING 192.168.100.10 (192.168.100.10): 1030 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
---- snip -----
Request 97 timed out
Request 98 timed out
Request 99 timed out
--- 192.168.100.10 ping statistics ---
100 packets transmitted, 0 packets received, 100.00% packet loss
N9K-C9504-6#
有色ping(具有指定MTU大小的ping)用于跟踪此流量采用的路径:
N9K-C9364C-2# show interface eth1/59 counters detailed all | i "1024 to|Eth" ; sh int port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
Ethernet1/59
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress port to N9K-C9504-6
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 100 <<<----- Egress po100 (vPC peer-link)
N9K-C9364C-2#
N9K-C9364C-1# show interface port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0 <<<----- Expected egress vPC po10. No packets!!!
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress po100 (vPC peer-link)
60. Tx Packets from 1024 to 1518 bytes: = 0
N9K-C9364C-1#
即使流量通过vPC对等链路到达N9K-C9364C-1,它也不会转发到vPC端口通道10。这是因为此vPC的egress_vsl_drop位设置为1,当同一vPC端口通道在对等交换机上运行时(在本例中为N9K-C9364C-2)会发生这种情况。
N9K-C9364C-1# show system internal eltm info interface Po10 | i i vsl
egress_vsl_drop = 1
N9K-C9364C-1#
N9K-C9364C-1# show system internal vpcm info interface Po10 | i "Peer stat|Inform|vPC sta"
IF Elem Information:
MCECM DB Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
PSS Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
Shared Database Information:
Application database Information:
Lock Information:
N9K-C9364C-1#
展示流量及其丢弃点的拓扑:
结论:
即使流量来自连接到N9K-C9364C-2的孤立主机,由于vPC环路规避规则,流量也会被N9K-C9364C-1丢弃:通过vPC对等链路接收的流量不能从两台交换机上处于活动状态的任何vPC端口通道转发出去。对等交换机上的入口端口是vPC还是孤立端口无关紧要;重要的是,流量通过vPC对等链路进入,并且流向两台交换机上均处于活动状态的vPC。为避免此问题,请确保两台交换机上的SVI管理状态一致且其配置对称。
场景2:所有vPC和SVI均开启 — 指向vPC对等体的下一跳点
在此场景中,vPC域中的所有SVI和vPC端口通道均处于启用状态。但是,通过第3层接口连接到N9K-C9364C-1的N9K-C9504-5无法ping通N9K-C9364C-3上的Loopback 0。
来自N9K-C9504-5的traceroute表示数据包首先到达192.168.1.2的下一跳,然后继续到192.168.100.2(与N9K-C9364C-2关联)。
N9K-C9504-5# traceroute 172.16.100.10
traceroute to 172.16.100.10 (172.16.100.10), 30 hops max, 40 byte packets
1 192.168.1.2 (192.168.1.2) 1.338 ms 0.912 ms 0.707 ms
2 192.168.100.2 (192.168.100.2) 0.948 ms 0.751 ms 0.731 ms
3 * * *
4 * * *
N9K-C9504-5#
从N9K-C9364C-1(此流量的初始跳)进行的下一跳验证显示,通过192.168.100.2可以到达目的地,该地址对应于N9K-C9364C-2上的SVI 100。
N9K-C9364C-1# show ip route 172.16.100.10
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
172.16.100.0/24, ubest/mbest: 1/0
*via 192.168.100.2, [1/0], 00:05:05, static
N9K-C9364C-1#
有色ping(具有指定MTU大小的ping)用于跟踪此流量采用的路径:
N9K-C9364C-1# show interface e1/58 counters detailed all | i "1024 to|Eth" ; sh int port-channel 100 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po"
Ethernet1/58
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress Eth1/58
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 100 <<<----- Egress po100 (vPC peer-link)
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
N9K-C9364C-1#
N9K-C9364C-2# sh int port-channel 100 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po"
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress po100 (vPC peer-link)
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0 <<<----- Egress vPC po10, no packets!!!
N9K-C9364C-2#
即使流量通过vPC对等链路到达N9K-C9364C-2,它也不会转发到vPC端口通道10。这是因为此vPC的egress_vsl_drop位设置为1,这种情况发生在对等交换机上同一vPC端口通道运行正常时(在本例中为N9K-C9364C-1)。
N9K-C9364C-2# show system internal eltm info interface Po10 | i i vsl
egress_vsl_drop = 1
N9K-C9364C-2# N9K-C9364C-2# show system internal vPCm info interface Po10 | i "Peer stat|Inform|vPC sta"
IF Elem Information:
MCECM DB Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
PSS Information:
vPC state: Up Old Compat Status: Pass
vPC Peer Information:
Peer state: Up <<<------------- vPC 10 up on peer
Shared Database Information:
Application database Information:
Lock Information:
N9K-C9364C-2#
展示流量及其丢弃点的拓扑:
结论:
发现此问题的原因是N9K-C9364C-1使用N9K-C9364C-2作为下一跳,在流量尝试通过vPC 10退出之前通过vPC对等链路发送流量。由于vPC环路避免规则,流量被丢弃:通过vPC对等链路接收的流量不能从两台交换机上处于活动状态的任何vPC端口通道转发。若要避免此问题,请确保在两个vPC对等交换机上配置具有通过vPC端口通道的下一跳的路由(动态或静态),以便流量不需要通过vPC对等链路和通过vPC出口。
场景3:所有vPC和SVI均开启 — VPC对等网关功能关闭
在此场景中,所有SVI和vPC端口通道在vPC域上均处于启用状态;但是,vPC对等网关功能已关闭。此时,N9K-C9504-4(VLAN 200)无法ping通N9K-C9364C-3(VLAN 100)。
N9K-C9504-4# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
--- 192.168.100.10 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
N9K-C9504-4#来自N9K-C9504-4的下一跳验证显示,通过192.168.200.2可以到达目的地,该地址对应于N9K-C9364C-2上的SVI 200,并通过vPC port-channel 20连接。
N9K-C9504-4# show ip route 192.168.100.10
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
0.0.0.0/0, ubest/mbest: 1/0
*via 192.168.200.2, [1/0], 01:22:46, static
N9K-C9504-4#
N9K-C9504-4# show ip arp detail | i 192.168.200.2
192.168.200.2 00:08:05 a478.06de.7edb Vlan200 port-channel20 default
有色ping(具有指定MTU大小的ping)用于跟踪此流量采用的路径。此处接口计数器显示,N9K-C9364C-1通过port-channel 20接收从192.168.200.20到192.168.100.10的流量,并将其发送到vPC对等链路(port-channel100)
N9K-C9364C-1# show interface port-channel 20 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
port-channel20
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress vPC 20
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 100 <<<----- Egress po100 (vPC peer-link)
N9K-C9364C-1#
N9K-C9364C-2通过vPC对等链路(port-channel100)接收流量,但不会将其转发到vPC端口通道10。
N9K-C9364C-2# show int port-channel 20 counters detailed all | i "1024 to|po" ; sh int port-channel 10 counters detailed all | i "1024 to|po" ; sh int port-channel 100 counters detailed all | i "1024 to|po"
port-channel20
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0
port-channel10
52. Rx Packets from 1024 to 1518 bytes: = 0
60. Tx Packets from 1024 to 1518 bytes: = 0 <<<----- Egress vPC po10, no packets!!!
port-channel100
52. Rx Packets from 1024 to 1518 bytes: = 100 <<<----- Ingress po100 (vPC peer-link)
60. Tx Packets from 1024 to 1518 bytes: = 0
N9K-C9364C-2#
即使流量通过vPC对等链路到达N9K-C9364C-2,它也不会转发到vPC端口通道10。这是因为此vPC的egress_vsl_drop位设置为1,当同一vPC端口通道在对等交换机上运行时(在本例中为N9K-C9364C-1)会发生这种情况。
由于对等网关被禁用,N9K-C9364C-1只能路由发往其本地MAC地址的数据包。因此,发往a478.06de.7edb(来自N9K-C9364C-2的MAC)的数据包由N9K-C9364C-1通过vPC对等链路转发。
N9K-C9364C-1# show mac address-table add a478.06de.7edb
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
VLAN MAC Address Type age Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
* 100 a478.06de.7edb static - F F vPC Peer-Link(R)
* 200 a478.06de.7edb static - F F vPC Peer-Link(R)
N9K-C9364C-1# 展示流量及其丢弃点的拓扑:
结论:
如果启用了对等网关,则通过将对等MAC编程为网关,本地处理发往vPC对等设备的MAC地址的路由流量。这可防止在流量路径中使用vPC对等链路,并避免由vPC环路规避规则引起的丢弃。要防止此类问题,请确保在vPC域上启用vPC对等网关功能。
解决方案概述
- 在vPC VLAN上保持SVI配置一致。
vPC对等交换机之间的非对称交换虚拟接口(SVI)配置可能导致重要的流量转发问题,包括流量黑洞。造成这种情况的一个常见但不受支持的做法是通过在一端关闭SVI来测试vPC对等设备之间的故障切换。此方法会创建Nexus vPC架构不支持的非对称SVI状态,从而导致流量黑洞和转发故障。确保需要路由的所有vPC VLAN上的SVI配置始终一致。
- 在vPC域上启用对等网关。
对等网关功能是Cisco Nexus vPC部署的关键增强功能。在vPC域上启用时,它允许每个vPC对等交换机接受和处理发往vPC对等设备的虚拟MAC地址的数据包。这意味着,无论最初接收数据包的是哪台交换机,任一vPC对等设备都可以响应网关绑定的流量。 如果没有启用对等网关,某些类型的流量(例如发送到默认网关MAC地址的数据包)在到达一个对等体时可能会被丢弃,否则将需要通过对等链路并退出vPC成员端口。确保在vPC域上配置了vPC对等网关。
相关信息
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
14-Oct-2025
|
初始版本 |
反馈