Forum Discussion
F5 Viprion and Cisco vPC design
Hello,
We are facing an issue, it seems, with our data center design. The design is really simple and straightforward.
We have 2 F5 Viprion chassis connected to the access layer in the data center. The access layer is hosted on N9K. The core is N7K.
Added drawing
So chassis 1 forms a vPC with the N9K1 and N9K2, chassis 2 forms a vPC with the N9K3 and N9K4. This connection is fully LACP.
interface port-channel141
  description F5 Viprion 1 - 4*10G - vPC channel
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 310,312,410-415
  spanning-tree port type edge trunk
  spanning-tree bpduguard disable
  spanning-tree guard root
  spanning-tree bpdufilter disable
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 80.00
  storm-control multicast level 80.00
  lacp mode delay
  vpc 141
This is an example of how the port-channel towards the F5 is configured. It uses LACP mode delay, so it will await the LACP negotiation from the Viprion, I suppose.
The problem is that when we access an application that is hosted on the F5, the throughput is really low. So for example: a remote desktop application will only achieve 5Mbps when pushed through the F5, while a remote desktop application straight to the server will achieve 70Mbps. Please note that the server is also behind another 9K ToR setup. So the problem only occurs when we push traffic through the F5. It also has an issue with a SharePoint server that is connected and only gets 40KBps of download speed.
We also see that traffic entering the physical interfaces on the F5 is experiencing some drops. Screenshot included.
My guess is that there is a problem between the F5 and the Nexus. Is there documentation on how this is best set up? F5 only has this: https://support.f5.com/csp/article/K13142
The configuration on the trunk towards the Nexus is:
LACP: Enabled
LACP Mode: Active
LACP Timeout: set to long
Link selection policy: bandwidth
Frame Distribution Hash: Source/Destination IP address port
An engineer from F5 is tasked to look at the F5 but is not finding anything.
- eben_259100
Cirrostratus
Hi Yannick,
This should help. https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-732522.pdf
Regards
Eben.
- Yannick_Vranck1
Nimbostratus
Hello,
Thanks for this document. However, it does not seem to contain any information on how the Viprion is set up on the N9K.
What is the MTU size supposed to be between the devices, etc.? I did notice that 1 Viprion chassis is in Active and the other one is in Standby. In our design both chassis are active-active and the VCMPs are spread across the 2 chassis.
Also, we have no LLDP enabled on the ports towards the F5 from the Nexus.
I noticed in the CLI that the physical interface of the F5 towards the Nexus has an MTU of 9198. The Nexus has an MTU of 1500 configured on the LACP port-channel; however, the VLANs that are configured on the Viprion are also 1500.
A portion of our DMZ setup is also connected with 40Gig to the Viprion with a Cisco Cat 6500 and there are no issues. It really looks like a vPC-specific issue towards the Viprion.
- eben_259100
Cirrostratus
Please clarify some things:
1. VCMPs: Is your chassis serving as a hypervisor for multiple VCMP guests?
2. Active-active: are the boxes standalone or in sync in an active-active HA scenario?
Make the MTUs match on the devices. Nexus supports jumbo MTUs (above 9000).
- Yannick_Vranck1
Nimbostratus
Hello,
Yes, the F5s are hosting multiple VCMPs. In short, we host VCMPs for our corporate environment and we host VCMPs for our DMZ environment.
They had a wonderful idea to have the VCMPs on the corp side be active on 1 chassis and the VCMPs of the DMZ be active on another chassis.
This leads me to question nr. 2.
If you log in to the Viprion, you can directly note that they are in standalone mode. I think they have done this for the above reason; however, I am not sure why and if that will work.
- Munney_64889
Nimbostratus
Funny...facing this same thing just now. Looks more like a bug to me...Viprion can't even be configured for MTU - it's read only. And all our VLANs are set for 1500 but the switch still keeps seeing jumbo frames. Whacked-yo.
Munney