For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Fabrizio_Chiava's avatar
Fabrizio_Chiava
Icon for Nimbostratus rankNimbostratus
May 21, 2010

configuring trunk with Cisco Nexus 7000

Hello everybody,

 

I need help to an issue.... I’ve a network problem about Viprion and Trunks. I configured a Trunk between a Cisco Nexus 7000 and a BIGIP Viprion with Blade 100:

 

 

Trunk Viprion config

 

Link Selection Policy Auto

 

Frame distribution hash Source/Destination MAC address

 

 

Cisco Nexus 7000 (Port Channel)

 

interface port-channel50

 

description Viprion-F5-Bil

 

shutdown

 

switchport

 

switchport mode trunk

 

switchport trunk allowed vlan 310,330,610,630

 

 

 

sh port-channel load-balance

 

 

Port Channel Load-Balancing Configuration:

 

System: source-dest-ip-vlan

 

 

Port Channel Load-Balancing Addresses Used Per-Protocol:

 

Non-IP: source-dest-mac

 

IP: source-dest-ip-vlan

 

 

 

interface Ethernet1/25

 

description Viprion

 

switchport

 

switchport mode trunk

 

switchport trunk allowed vlan 310,330,610,630

 

channel-group 50

 

no shutdown

 

 

 

The interface port-channel50 is in shutdown because it’s in a working mode and customer don’t want to configuring anything, it’s a critical environment..

 

 

So, we tested the network traffic, the trunk on Viprion goes UP and (from Nexus to Viprion) if I try to ping the self IP, it’s working, I can’t do the revert operation and I can’s see the server on server farm.

 

 

Now I would to understand if I need to setting only a LACP trunk, or it’s possible to configure in another way?

 

What’s happen on the Viprion if I configure a NO LACP Trunk? And what does happened with LACP trunk?

 

Could you help me for this?

 

 

Please tell me if you need something else.

 

 

Thanks a lot

 

Best Regards

 

Fabrizio.

 

config
design

20 Replies

Show More
  • Elias_O_16228's avatar
    Elias_O_16228
    Icon for Nimbostratus rankNimbostratus
    Mar 21, 2014

    Yes, I have vPC on Po interfaces. Though the working ports can work with/out vPC. I'm still wondering why F5 say LACP with Cisco should be set PASSIVE/short/MAC address. It's working with active/long/IP address.

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Mar 22, 2014

    The reasons for using a vPC are simply to avoid a site outage due to faiulure of >1 device... With a vPC yu can have EITHER switch or Viprion up & running.

     

    FWIW it works fine when configured correctly. All my Viprions are vPC connected to dual Nexus 7010's using vPC's.

     

    Hey Elias... You do have 1 trunk configured only on each Viprion don't you?

     

    H

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Mar 22, 2014

    OK. So my nexus config (Which works) is

    interface port-channel202
  description MAN: Viprion-1 20Gb channel
  switchport
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 105,108,1024-1255,2005-2006,2015-2016
  switchport trunk allowed vlan add 4080,4086-4087
  vpc 202

    And then on the interfaces

    interface Ethernet4/18
  description MAN: Viprion-1 10Gb int 1.1
  switchport
  switchport mode trunk
  switchport trunk native vlan 1000
  switchport trunk allowed vlan 105,108,1024-1255,2005-2006,2015-2016
  switchport trunk allowed vlan add 4080,4086-4087
  channel-group 202 mode active
  no shutdown

    The other interface is of course connected to Nexus 2... That config is identical.

    Then the Viprion is configured with a single 'trunk' (F5 Port-Channel).

    When you do a 'sh vpc ' is it Status==Up and Consistency==Success?

  • Elias_O_16228's avatar
    Elias_O_16228
    Icon for Nimbostratus rankNimbostratus
    Apr 11, 2014

    well...well... well...

     

    I wanted to provide feedback for the resolution of my problem. Hopefully, it will help someone down the line.

     

    If you have ever resolved a problem by accident, I know I have. I found the problem to be channel-group id on port channel interface membership. The LTM channel-group number must be the same on both Nexus 7k. I was following the ASA port-group id style. I discovered by accident when one LTM was taken off, then I connected sinlge LTM to both nexus 7k, everything came up. Then I said dawn it. I brought the second LTM back and criss-crossed each everything worked fine. Solution: Each LTM must have identical channel-group number on each Nexus 7k. For ASA, this is not the case when you criss-cross connect.

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Apr 11, 2014

    LTM's don't have channel-group id's... LTM's use a NAME to refer to a trunk (BigIP trunk == Cisco port-channel/channel-group).

     

    Yeah, there's probably a cisco note somewhere that says the port-channel id has to equal the vPC ID...

     

    TBH it wouldn't occur to be to use different one... Do ASA's even do vPC's? They barely do port-channels...

     

    H

     

  • pgmacdon_188019's avatar
    pgmacdon_188019
    Icon for Nimbostratus rankNimbostratus
    Jun 18, 2015

    One thing to note it's important that the F5 is set up for MIST (multi instance spanning tree), we got hit where a 10.4 device was still running single instance spanning tree (under network->spanning tree options). This was an artifact from when the box was running 9.x (which didn't support MIST), it was still set to single instance. When we added a newly created vlan to a trunk that terminates on a Nexus VPC (running MIST by default) went blocking, listening, leanrning, forwarding for all the vlans on the trunk causing a blip.

     

    Phil

     

  • Brian_Thompson's avatar
    Brian_Thompson
    Icon for Nimbostratus rankNimbostratus
    Jun 24, 2015

    I would recommend letting your switch run span tree and leaving it disabled on the F5, have you considered that or am I missing something?