The Spanning Tree Problem of 3 Switches

A virtual port channel (vPC) allows links that are physically connected to two different Cisco Nexus 7000 Series devices to appear as a single port channel to a third device. The third device can be a switch, server, or any other networking device that supports link aggregation technology.


vPC provides the following technical benefits:

● Eliminates Spanning Tree Protocol (STP) blocked ports

● Uses all available uplink bandwidth

● Allows dual-homed servers to operate in active-active mode

● Provides fast convergence upon link or device failure

● Offers dual active/active default gateways for servers

vPC uses all available port-channel member links, so that if an individual link fails, the hashing algorithm redirects all flows to the remaining links.

A vPC domain is composed of two peer devices. Each peer device processes half of the traffic coming from the access layer. If a peer device fails, the other peer device absorbs all the traffic with minimal convergence-time impact.

Each peer device in the vPC domain runs its own control plane, and both devices work independently. Any potential control-plane issues stay local to the peer device and do not propagate to or impact the other peer device.

From a Spanning Tree standpoint, vPC eliminates STP blocked ports and uses all available uplink bandwidth. Spanning Tree is used as a fail-safe mechanism and does not dictate the L2 path for vPC-attached devices.

Within a vPC domain, access devices can be connected in multiple ways: vPC-attached connections leveraging active/active behavior with a port-channel, active/standby connectivity using Spanning Tree, or single attachment without Spanning Tree running on the access device.

vPC technology has been supported since NX-OS 4.1.3.

The appropriate NX-OS version depends on the line card configuration (M1, F1 or F2), the chassis type (7010, 7018 or 7009) and the Fabric Module generation (FM generation 1 [46Gbps per module] or generation 2 [110Gbps per module]).

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

KEY TERMS

vPC :: The combined port-channel between the vPC peers and the downstream device. A vPC is an L2 port type: switchport mode trunk or switchport mode access.

vPC peer device :: A vPC switch (one of a Cisco Nexus 7000 Series pair).

vPC domain :: The domain containing the two peer devices. At most two peer devices can be part of the same vPC domain.

vPC member port :: One of a set of ports (that is, port-channels) that form a vPC (or a port-channel member of a vPC).

vPC peer-link :: The link used to synchronize state between the vPC peer devices. It must be a 10-Gigabit Ethernet link. The vPC peer-link is an L2 trunk carrying the vPC VLANs.

vPC peer-keepalive link :: The keepalive link between the vPC peer devices; it is used to monitor the liveness of the peer device.

vPC VLAN :: A VLAN carried over the vPC peer-link and used to communicate via vPC with a third device. As soon as a VLAN is defined on the vPC peer-link, it becomes a vPC VLAN.

non-vPC VLAN :: A VLAN that is not part of any vPC and is not present on the vPC peer-link.

Orphan port :: A port that belongs to a single-attached device. A vPC VLAN is typically used on this port.

Cisco Fabric Services (CFS) protocol :: The underlying protocol running on top of the vPC peer-link, providing reliable synchronization and consistency-check mechanisms between the two peer devices.

vPC Data-Plane Loop Avoidance

vPC performs loop avoidance at the data-plane layer, rather than at the control-plane layer as Spanning Tree Protocol does.

All of this logic is implemented directly in hardware on the vPC peer-link ports, avoiding any dependency on CPU utilization.

vPC peer devices always forward traffic locally when possible.

The vPC peer-link does not typically forward data packets; in a steady-state network it is usually considered a control-plane extension (the vPC peer-link is used to synchronize information between the two peer devices, such as MAC addresses, vPC member state information and IGMP state).

The vPC loop avoidance rule states that traffic coming from a vPC member port that then crosses the vPC peer-link is NOT allowed to egress any vPC member port; however, it can egress any other type of port (L3 port, orphan port, …).

The only exception to this rule occurs when a vPC member port goes down.

The vPC peer devices exchange member port states and reprogram in hardware the vPC loop avoidance logic for that particular vPC.

The peer-link is then used as a backup path for optimal resiliency. Traffic need not ingress a vPC member port for this rule to be applicable.

vPC Deployment Scenarios

vPC is typically used at the access or aggregation layer of the data center. At the access layer, it is used for active/active connectivity from a network endpoint (server, switch, NAS storage device) to the vPC domain. At the aggregation layer, it is used both for active/active connectivity from a network endpoint to the vPC domain and as an active/active default gateway at the L2/L3 boundary.

The two common deployment scenarios using vPC technology are listed below:

Inside Data Center:

◦ Single-sided vPC (access layer or aggregation layer)

◦ Double-sided vPC, also called multilayer vPC (access layer using vPC interconnected to aggregation layer using vPC)

Across Data Centers, i.e. vPC for Data Center Interconnect (DCI):

◦ Multilayer vPC for Aggregation and DCI

◦ Dual Layer 2 /Layer 3 Pod Interconnect

INSIDE DATA CENTRE

Single-Sided vPC

In single-sided vPC, access devices are directly dual-attached to a pair of Cisco Nexus 7000 Series Switches forming the vPC domain.

The access device can be any endpoint equipment (L2 switch, rack-mount server, blade server, firewall, load balancer, network attached storage [NAS] device). The only prerequisite for the access device is that it supports port-channeling (or link aggregation) technology in one of these modes:

● LACP mode active

● LACP mode passive

● Static bundling (mode ON)


Double-Sided vPC

This topology stacks two layers of vPC domains, and the bundle between vPC domain 1 and vPC domain 2 is itself a vPC. The vPC domain at the bottom is used for active/active connectivity from endpoint devices to the network access layer. The vPC domain at the top is used for active/active FHRP at the L2/L3 boundary in the aggregation layer.

Benefits of double-sided vPC over single-sided vPC topology are listed below:

● Enables a larger Layer 2 domain.

● Provides a more resilient architecture. In double-sided vPC, two access switches are connected to two aggregation switches, whereas in single-sided vPC, one access switch is connected to two aggregation switches.

Building a vPC Domain

A vPC domain defines the grouping of switches participating in the vPC. As of today, only two Cisco Nexus 7000 Series Switches can form a vPC domain.

From a configuration standpoint, the vPC domain provides the context in which global vPC system parameters are defined. The user enters the vPC domain configuration sub-mode to configure vPC options and features such as peer-gateway, peer-switch and so on.

The process of building a vPC domain involves multiple steps that should be completed in the following order:

1. Globally configure a vPC domain identifier on both vPC devices. The domain ID must be the same on both peer devices.

2. Configure the vPC peer-keepalive link on both peer devices and ensure that the vPC peer-keepalive link is operational. If it is not, the vPC domain cannot successfully be formed.

3. Configure the port-channel as a vPC peer-link on both peer devices and ensure that the port-channel is operational.
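The three steps above, followed by the access-side attachment described under Single-Sided vPC, as an added NX-OS configuration example for one peer; it is not taken from the page or from the Cisco design guide. The hostname, domain ID 10, interface numbers, vPC number 20 and the keepalive addresses (documentation range 192.0.2.0/24, in the management VRF) are assumptions.

```nxos
! vPC peer 1 (assumed hostname N7K-1). Peer 2 carries the identical
! configuration with the keepalive source/destination addresses swapped.
feature lacp
feature vpc

! Step 1: the same domain ID on both peers.
vpc domain 10
  ! Step 2: peer-keepalive over the out-of-band mgmt0 interface, isolated in
  ! the management VRF so it never shares fate with the peer-link; that is
  ! what lets a peer-link failure be told apart from a dead peer.
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  role priority 100

! Step 3: the peer-link, a port-channel of two 10GE members (assumed
! Ethernet1/1-2), configured as an L2 trunk carrying the vPC VLANs.
interface Ethernet1/1-2
  switchport
  switchport mode trunk
  channel-group 1 mode active
  no shutdown

interface port-channel1
  description vPC peer-link
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

! Access side (single-sided vPC): vPC 20 to a dual-attached access switch
! that runs LACP in active mode. The vpc number must match on both peers.
interface Ethernet1/10
  switchport
  switchport mode trunk
  channel-group 20 mode active
  no shutdown

interface port-channel20
  description to access switch (vPC 20)
  switchport
  switchport mode trunk
  vpc 20
```

Check the build in the same order as the steps: show vpc peer-keepalive must report the peer as alive before show vpc shows the peer-link up, and show vpc consistency-parameters global flags any per-peer mismatch (such as differing VLAN lists or STP settings) that would keep the vPC from forming.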
