Virtual Port Channel (vPC) Basic concepts Explained

This post basically notes from the Cisco document.

Related post:

I- What is vPC (Virtual Port Channel)

A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus switches to appear as a single port channel to a third device. The third device can be a switch, server, or any other networking device that supports link aggregation technology.

• Eliminates Spanning Tree Protocol (STP) blocked ports
• Uses all available uplink bandwidth
• Allows dual-homed servers to operate in active-active mode
• Provides fast convergence upon link or device failure

II- vPC Basics

vPC Components:

• vPC domain: Domain containing the 2 peer devices.
• vPC member port: One of a set of ports (that is, port-channels) that form a vPC (or port-channel member of a vPC)
• vPC peer-link: Link used to synchronize the state between vPC peer devices. It must be a 10-Gigabit Ethernet link. vPC peer-link is a L2 trunk carrying vPC VLAN.

• vPC peer-keepalive link: The keepalive link between vPC peer devices, this link is used to monitor the liveness of the peer device (leverages UDP port 3200)

vPC provides Hardware and software Redundancy:

• vPC uses all port-channel member links available so that in case an individual link fails, hashing algorithm will redirect all flows to the remaining links.
• vPC domain is composed of two peer devices. Each peer device processes half of the traffic coming from the access layer. In case a peer device fails, the other peer device will absorb all the traffic with minimal convergence time impact.
• Each peer device in the vPC domain runs its own control plane, and both devices work independently. Any potential control plane issues stay local to the peer device and do not propagate or impact the other peer device.

vPC Loop avoidance:

vPC performs loop avoidance at data-plane. vPC peer devices always forward traffic locally when possible.

vPC peer-link does not typically forward data packets and it is usually considered as a control plane extension in a steady state network (vPC peer-link used to synchronize information between the 2 peer devices as mac address, vPC member state information, IGMP).

vPC system MAC:

vPC system mac is identical on both peer devices. This is the foundation for Layer 2 virtualization technique with vPC: when vPC systems need to present itself as a unique logical device, it will use this unique and shared information across the 2 peer devices.

vPC system-mac = 00:23:04:ee:be:{vpc domain in Hexa}

Example: vPC domain 10 will result in vPC system-mac of 00:23:04:ee:be:0a

To modify the vPC system MAC, we can use the following command under vpc Domain configuration:

vpc domain 10
  system-mac 00:23:04:ee:be:1b

vPC local system-mac: is unique for each device, it is used whenever vPC systems do not need to present itself as a unique logical device: the case with orphan ports.

vPC Role:

vPC role basically defines which of the two vPC peer devices processes Bridge Protocol Data Units (BPDUs) and responds to Address Resolution Protocol (ARP).

vPC device can be primary and secondary, the ranges is from 1 to 65535 and the lowest value will dictate the primary peer device:

• To configure vPC role priority:

vpc domain 10
  role priority <value>

Note: In case of equal priority value, the lowest system mac (local) will dictate the primary peer device.

• To verify the switch vPC role:

sh vpc role

Cisco Fabric Services (CFS) Protocol

Cisco Fabric Services (CFS) protocol provides reliable synchronization and consistency check mechanisms
between the 2 peer devices and runs on top of the vPC peer-link. CFS is enabled by default.

Cisco Fabric Services (CFS) protocol performs the following functions:

• Configuration validation and comparison (consistency check)
• Synchronization of MAC addresses for vPC member ports
• vPC member port status advertisement
• Spanning Tree Protocol management
• Synchronization of HSRP and IGMP snooping

vPC consistency checks

There 2 types of vPC consistency checks:

• Type 1: Puts peer device or interface into a suspended state to prevent invalid packet forwarding behavior. With vPC Graceful Consistency check, suspension occurs only on the secondary peer device.
• Type 2: Peer device or Interface still forward traffic. However they are subject to undesired packet
  forwarding behavior.

Type 1 Consistency checks, must be identical of both devices:

After you enable the vPC feature and configure the vPC peer-link on both peer devices, Cisco Fabric Services messages provide a copy of the configuration on the local vPC peer device to the remote vPC peer device. The system then determines whether any of the crucial configuration parameters differ on the two devices.

When Type 1 inconsistency check is detected, the following actions are taken:

• For global configuration type 1 inconsistency check, all vPC member ports are set to down state.
• For vPC interface configuration type 1 inconsistency check, the misconfigured vPC is set to down state.

Note: Since NX-OS version 5.2, In case of type 1 inconsistency, only vPC member ports on secondary peer device are set to down state.

• The verify the vPC consistency parameters:

show vpc consistency-parameters
show vpc consistency-parameters global
show vpc consistency-parameters interface port-channel <id>

Some examples of interface consistency parameters type 1 are Port-channel LACP mode, Link speed and Duplex per port-channel, and Switchport mode per port-channel.

Type 2 Consistency checks:

For vPC interface configuration type 2 inconsistency check, the misconfigured vPC remains in up state. However, depending on the discrepancy type, vPC systems will trigger protective actions.

The most typical one deals with allowed VLAN in vPC interface trunking configuration. In that case, vPC systems will disable from the vPC interface VLAN that do not match on both sides.

If there is an inconsistency, a VLAN may be suspended

Any vPC VLAN allowed on vPC member port MUST be allowed on vPC peer-link.