Introduction to vPC Technical Principles

2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda

- vPC fundamentals
- vPC overview
- vPC components and principles
- Basic vPC traffic flows
- vPC network design and best practices
- Attaching to a vPC domain
- Layer 3 and vPC
- STP recommendations
- HSRP with vPC
- ISSU

vPC Overview

- vPC: Virtual Port-Channel
- Allows link aggregation across devices
- Eliminates STP loops
- Fast convergence
- Improves link utilization
- HSRP/VRRP active/active
- The NX-OS platform supports vPC (Nexus 7000, Nexus 5000)
- Access-layer switches have no special requirements; they only need to support 802.3ad/LACP

vPC Components and Principles

- vPC domain: comprises the vPC peers, the peer-link, the keepalive link, the downstream port-channels, and so on.
- vPC peer: a vPC switch; peers always come in pairs.
- vPC member port: one of the port-channel ports that make up a vPC.
- vPC: the port-channel between a downstream switch and the two vPC peers.
- vPC peer-link: the link between the vPC peers, used to synchronize state and information; it must be a 10GE link.
- vPC peer-keepalive link: the heartbeat link between the vPC peers, used to monitor the peer device.
- vPC VLAN: a VLAN carried over the vPC links and the peer-link.
- Non-vPC VLAN: a VLAN that is not carried over a vPC.
- CFS: the Cisco Fabric Services protocol, used for state synchronization and configuration verification between the vPC peers.

[Figure labels: vPC, vPC peer, non-vPC device, vPC peer-keepalive link, vPC member port, CFS protocol, vPC peer-link]

vPC Domain

- Both vPC peers must define a vPC domain; it is recommended that the domain ID be the same on both sides.
- The global vPC parameters are defined in domain mode: role priority (lower value wins), keepalive, and so on.
- The vPC peer devices use the domain ID to automatically generate a unique vPC system MAC.

vPC Peer Link

Purpose:
- Standard 802.1Q trunk
- Carries vPC VLANs and non-vPC VLANs
- CFS protocol
- FHRP first-hop flooded packets
- STP BPDUs, HSRP hellos, IGMP updates, and so on
- Has to carry data traffic in special cases

Recommendations:
- At least two 10GE ports, spread across different line cards
- All 10GE ports set to dedicated mode

vPC peer-keepalive link (1 of 2)

Purpose:
- Heartbeat between the vPC peers
- Active/active (peer-link failure) detection

Recommendations:
- Must be a separate Layer 3 link (1 Gbps of bandwidth is sufficient); Layer 3 reachability is all that is needed, in a dedicated VRF
- Must not be routed over the peer-link
- The management port on the supervisor can be used, but this is not recommended

vPC peer-keepalive link (2 of 2)

- When the supervisor management ports are used for the peer-keepalive link, a back-to-back connection is not recommended. The two management ports on a device's two supervisors cannot be active at the same time, so a supervisor switchover may cause the keepalive to fail.
- If ports on the supervisor are used for the peer-keepalive link, they must be connected to the out-of-band management network.

[Figure labels: vPC1, vPC2, vPC_PL, vPC_PK, Management Network, Management Switch, Active Management Interface, Standby Management Interface]

Cisco Fabric Services (CFS) Protocol

Purpose:
- Configuration verification/comparison
- STP management, STP BPDU suppression
- MAC address synchronization
- vPC member port state
- IGMP snooping synchronization
- HSRP active/active

[Figure labels: CFS messaging, MAC updates, IGMP updates, "STP does send BPDUs", "STP doesn't send BPDUs", HSRP Standby-Active, L3]

vPC Member Ports

Purpose:
- The port-channel is terminated across the vPC peers

Recommendations:
- Member ports that belong to the same vPC must be configured identically on both vPC peers
- At most 16 links can be bundled between a downstream switch and the two vPC peers

Virtual Port Channel

Purpose:
- The port-channel that an access device builds to the two vPC peers
- Traffic can be load-shared across all uplinks of the access-layer device
- Standard 802.3ad port-channel

Recommendations:
- The access device must support 802.3ad or LACP

[Figure labels: vPC member port, vPC, normal port-channel port]

MAC-A to MAC-B

[Figure labels: MAC_A, MAC_B, SW1, SW2, SW3, SW4, vPC1, vPC2, vPC_PL, vPC PK-Link, L2, L3, ECMP, Packet send, Port-channel path selection, Packet flooding, Packet(s) blocked on vPC member ports, vPC peer-link traversed, CFS MAC table update message]

MAC-B to MAC-A

[Figure labels: MAC_A, MAC_B, SW1, SW2, SW3, SW4, vPC1, vPC2, vPC_PL, vPC PK-Link, L2, L3, ECMP, Packet send, Port-channel path selection, Local forwarding, previously learned destination]

Attaching to a vPC Domain: The One and Only Rule

ALWAYS dual attach devices to a vPC domain!

Attaching to a vPC Domain: vPC and non-vPC VLANs (i.e. single attached)

1. Dual attached
2. Attached via VDC/secondary switch
3. Secondary ISL port-channel
4. Single attached to vPC device

[Figure labels: Primary vPC (P), Secondary vPC (S), Orphan Ports]

vPC Design Principles
Attaching to a vPC Domain: vPC and non-vPC VLANs (STP/vPC hybrid)

1. All devices dual attached via vPC
2. Separate vPC and STP VLANs
3. Overlapping vPC and STP VLANs

[Figure labels: Primary vPC, Secondary vPC, Primary STP Root, Secondary STP Root, Non vPC port-channel]

Layer 3 and vPC: Recommendations

- Do not use a Layer 2 port-channel to connect a router to a vPC domain unless static routes point to the HSRP address.
- If needed, use separate Layer 3 links to forward the traffic.

[Figure labels: Router, 7k1, 7k2, Switch, Po1, Po2, L3 ECMP]

Layer 3 and vPC: What can happen (1 of 3)

[Figure panels: vPC view, Layer 2 topology, Layer 3 topology; nodes 7k1, 7k2, 7k vPC, R]

- The port-channel looks like a single L2 pipe. Hashing will decide which link to choose.
- Layer 3 will use ECMP for northbound traffic.
- R could be any router, L3 switch or VSS building a port-channel.

Layer 3 and vPC: What can happen (2 of 3)

1) A packet arrives at R.
2) R looks up its routing table and finds two equal-cost paths (to 7k1 and 7k2).
3) Assume 7k1 is chosen (ECMP decides).
4) R now has to rewrite the Layer 2 header to forward the packet (router MAC of 7k1 or 7k2).
5) The Layer 2 lookup of the MAC address finds the destination on port-channel 1.
6) Hashing decides which link in the port-channel is used (say, the one to 7k2).
7) The packet is forwarded to 7k2.
8) 7k2 sees the MAC address and has to forward the packet over the peer-link to 7k1.

Layer 3 and vPC: What can happen (3 of 3)

9) 7k1 performs a lookup and finds that the packet has to be forwarded to S.
10) 7k1 checks whether the frame came from the peer-link and has to be forwarded out a vPC.
11) If the egress port is not a vPC, or the peer device's port for that vPC is not active, the frame is forwarded.

[Figure labels: R, 7k1, 7k2, S, Po1, Po2]
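
The packet walk in steps 1) to 11) above, as a small model; this is an added example, not part of the original slides. The names `Peer`, `egress_allowed`, `walk` and `demo_peers` and the MAC values are constructed for illustration, and the frame is treated as dropped when the check in steps 10) and 11) does not allow forwarding.

```python
# Added example: simplified model of the packet walk in steps 1-11.
# All names and MAC values are constructed; this is not NX-OS code.
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    router_mac: str
    vpc_up: dict = field(default_factory=dict)  # vPC id -> member port up?

def egress_allowed(from_peer_link, egress_vpc, other_peer):
    """Steps 10-11: check applied before a frame leaves a vPC peer.

    egress_vpc is None when the egress port is not a vPC member port.
    """
    if not from_peer_link or egress_vpc is None:
        return True
    # Frame crossed the peer-link and wants to leave on a vPC: allowed only
    # when the other peer's member port for that vPC is not active.
    return not other_peer.vpc_up.get(egress_vpc, False)

def walk(peers, ecmp_next_hop, hash_link, egress_vpc):
    """Follow one packet from R towards S; returns (delivered, trace)."""
    receiver = peers[hash_link]      # step 6: port-channel hash picks a link
    owner = peers[ecmp_next_hop]     # step 3: ECMP picked this router MAC
    trace = [f"R -> {receiver.name} (dst MAC {owner.router_mac})"]
    from_peer_link = receiver is not owner
    if from_peer_link:               # step 8: wrong peer, cross the peer-link
        trace.append(f"{receiver.name} -> {owner.name} via peer-link")
    delivered = egress_allowed(from_peer_link, egress_vpc, receiver)
    trace.append(f"{owner.name} -> S: {'forwarded' if delivered else 'dropped'}")
    return delivered, trace

def demo_peers(po2_up_on_7k2=True):
    """Constructed topology: S hangs off vPC 2 (Po2) on both peers."""
    return {
        "7k1": Peer("7k1", "00:00:5e:00:53:01", {2: True}),
        "7k2": Peer("7k2", "00:00:5e:00:53:02", {2: po2_up_on_7k2}),
    }

if __name__ == "__main__":
    # Same ECMP choice (7k1), two possible hash results on Po1.
    for hash_link in ("7k1", "7k2"):
        ok, trace = walk(demo_peers(), "7k1", hash_link, egress_vpc=2)
        print(" | ".join(trace))
```

Whether the packet reaches S depends on whether the port-channel hash at R happens to agree with R's ECMP choice, so in this model the failure affects only some flows.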

Spanning Tree Recommendations: Port Configuration Overview

[Figure labels: Data Center Core, Aggregation, Access, Layer 3, Layer 2 (STP + Rootguard), Layer 2 (STP + BPDUguard), Primary Root / HSRP ACTIVE, Secondary Root / HSRP STANDBY, Primary vPC, Secondary vPC, vPC Domain]

Legend:
- B: BPDUguard
- L: Loopguard
- R: Rootguard
- N: Network port
- E: Edge or portfast port type
- -: Normal port type

HSRP with vPC: FHRP Active/Active

- vPC supports active/active operation for all FHRP protocols
- No additional configuration is required
- HSRP control behavior is unchanged
- The gateway MAC address is synchronized automatically through CFS to the "Standby" HSRP router
- The primary vPC device and the "Active" HSRP router can be different devices

[Figure labels: L3, L2, HSRP/VRRP "Active": Active for shared L3 MAC, HSRP/VRRP "Standby": Active for shared L3 MAC]

HSRP with vPC: Do NOT use HSRP Object Tracking

- In a vPC environment, using HSRP link tracking is not recommended.
- Reason: the router will not forward packets that arrive over the peer-link and are to be forwarded to a vPC port.

[Figure labels: L2/L3 Aggregation, ACTIVE HSRP, STANDBY HSRP, GW, VLAN 100, VLAN 200, VLAN 100,200, L3 CORE]

HSRP with vPC: L3 Backup Routing

- Use an OSPF point-to-point adjacency (or another L3 protocol) between the vPC peers to establish a Layer 3 routed path, as a backup for the case where a failure of the links to the core network prevents data from being forwarded.
- A point-to-point VLAN/SVI can be used to form the Layer 3 adjacency.

[Figure labels: L3, L2, OSPF, Primary vPC, Secondary vPC, VLAN 99]

In-Service Software Upgrade (ISSU): vPC System Upgrade/Downgrade

- ISSU is still the recommended system upgrade in a multi-device vPC environment.
- A vPC system can be independently upgraded with no disruption to traffic.
- The upgrade is serialized and must be run one at a time (i.e. the config lock will prevent synchronous upgrades).
- Configuration is locked on the "other" vPC peer during ISSU.

Begin    End      Caveats
4.1(x)   4.2(x)   None
4.2(x)   4.1(x)   None

[Figure: software versions on the two vPC peers, in order: 4.1(3) and 4.1(3), 4.2(1) and 4.1(3), 4.2(1) and 4.2(1)]