Cisco Data Center: HSRP, vPC and vPC Peer-Gateway
Cisco Data Center Virtualization: vPC Technology and Configuration

While researching data center features recently I found that Cisco has a virtualization technology called vPC; this post shares what I learned.
What is vPC (virtual port channel)? After most of a day of study the answer is simple: it is a port-channel that can span two different devices.
What it gives you: network redundancy, port aggregation across devices, more link bandwidth, and faster convergence on link failure than spanning tree.
Why did vPC come about?
As shown in the figure above, in a traditional topology redundancy is achieved with dual uplinks. That obviously forms a loop, so spanning tree is enabled, and one of the two links ends up in blocking state.
Redundancy done this way therefore adds no bandwidth.
If you want to use link aggregation for dual uplinks to two different devices, the problem is that port-channel does not support aggregation across devices.
vPC was created for exactly this situation. Compared with port-channel, the difference is that vPC removes the restriction that an aggregated port cannot span devices.
Hot Standby Router Protocol (HSRP): course slides

Chapter outline:
- How HSRP works
- HSRP configuration and use
- HSRP concepts; HSRP states
- HSRP timers; HSRP versus VRRP
- HSRP configuration; HSRP use cases; HSRP troubleshooting

HSRP concepts
HSRP (Hot Standby Router Protocol) is a Cisco proprietary protocol.
Hot Standby Router Protocol (HSRP): theory

Pre-class quiz:
- In the STP election, how is it decided which ports are blocked?
- What are the spanning-tree port states, and what does each mean?
- What is HSRP preemption?

Skills covered: understand how HSRP works; know what the HSRP terms and parameters do; be able to configure and troubleshoot HSRP.

Chapter structure: Hot Standby Router Protocol (HSRP); summary.

HSRP configuration
Configure an interface as a member of an HSRP group (group-number is the standby group number, virtual-ip-address is the group's virtual IP address):
Switch(config-if)#standby group-number ip virtual-ip-address
Configure the HSRP priority:
Switch(config-if)#standby group-number priority priority-value
Security note: HSRP hellos are sent as multicast in the clear and by default carry only the plaintext key cisco, so any host on the segment that sends hellos with a higher priority and preemption can take over the virtual IP and MAC and put itself in the path of every host's traffic. Authenticate the group with the same key on every member:
Switch(config-if)#standby group-number authentication md5 key-string key
[Figure: Router A and Router B as active and standby routers in front of the Internet; diagram not reproduced.]

Viewing HSRP state
Summary:
Switch#show standby [type mod/num] [group-number] brief
Details:
Switch#show standby
Dual-machine hot standby: an analysis of Cisco HSRP configuration

spanning-tree mode pvst
spanning-tree vlan 100 priority 8192
spanning-tree vlan 200 priority 4096

Explanation: first, set the spanning-tree mode to PVST, one spanning tree per VLAN, so that the switches can load-balance. Second, set the bridge priority the switch uses in the root election; the lower the numeric value, the higher the priority. Third, to have all VLAN 100 traffic forwarded by core switch 1 and all VLAN 200 traffic by core switch 2, give each switch the lower priority value for the VLAN it should be root for and the higher value for the other VLAN. The snippet shown gives VLAN 200 the lower (better) value, so it belongs on the switch that is root for VLAN 200; the other core switch gets the mirror-image values. These three commands complete the load-balancing setup.
Application Technology
2007, No. 11
Dual-machine hot standby: an analysis of Cisco HSRP configuration
Yan Chenglin, People's Bank of China, Beihai Central Sub-branch
The "dual-machine hot standby + load balancing" model has been widely accepted and deployed by enterprises and institutions as the mainstream approach to configuring backbone network devices. The author draws on his own practical experience.
HSRP in essence gives a group of routers on the same links a virtual MAC address and a virtual IP address distinct from their own. Each router has a priority; the router with the highest priority becomes the active router and forwards traffic using the virtual MAC and virtual IP, and the other routers act as standby routers. When the active router fails and can no longer work, the standby router with the highest priority takes over the virtual MAC and virtual IP address and becomes the active router, giving the computers on the LAN seamless, transparent service.
HSRP

These notes go with the lecture slides.

High-availability gateway protocols:
1. HSRP (Hot Standby Router Protocol)
2. VRRP (Virtual Router Redundancy Protocol)
3. GLBP (Gateway Load Balancing Protocol)
All three exist to provide gateway redundancy.

HSRP
1. Cisco proprietary.
2. One virtual IP address and one virtual MAC address. The virtual IP must not be the same as a real interface IP. Virtual MAC: 0000.0c07.acXX, where XX is the group number (HSRPv1).
3. One active router and one standby router.
4. Default priority 100; when a tracked interface becomes unavailable the priority is lowered by 10 by default.
5. The six HSRP states:
   (1) Initial: after a configuration change or when the interface has just come up.
   (2) Learn: waiting for a hello from the active router; once one is received, move to Listen.
   (3) Listen: every router in the group other than the active and standby routers sits in this state. Put plainly, this is where the election happens; a router elected standby or active moves on to Speak.
   (4) Speak: sends hellos periodically; if a better hello is seen while in Speak, the router drops back to Listen.
   (5) Standby: sends hellos periodically.
   (6) Active: sends hellos periodically.
   HSRP messages: hello, resign and coup.
6. When configuring HSRP, disable ICMP redirects on the interface with no ip redirects.
7. HSRP labs: (1) basic router configuration, (2) basic switch configuration, (3) tracking, (4) load balancing.
8. Configuration. The active (primary) device needs three lines:
   standby 1 ip <virtual-IP>
   standby 1 preempt        (allow the device to preempt)
   standby 1 priority <priority>
   The standby device needs two lines:
   standby 1 ip <virtual-IP>
   standby 1 preempt

VRRP
1. Open standard.
2. One virtual IP address and one virtual MAC address. The virtual IP may be the same as a real interface IP (that router is the address owner). Virtual MAC: 0000.5e00.01XX, where XX is the VRID.
3. One master and multiple backups.
4. Default priority 100. The VRRP standard defines no interface tracking; Cisco IOS adds object tracking as a vendor extension.
5. IP protocol number 112, multicast address 224.0.0.18, default advertisement interval 1 s.
6. Preemption is enabled by default.
7. VRRP labs: (1) basic router configuration, (2) basic switch configuration, (3) load balancing.

HSRP versus VRRP:
1. HSRP is proprietary, VRRP is an open standard.
2. HSRP has one active and one standby; VRRP has one master and several backups.
3. HSRP supports interface tracking natively; the VRRP standard does not.
4. HSRP's virtual IP must not equal a real IP; VRRP's virtual IP may equal a real IP.
5. In HSRP both the active and the standby send hellos; in VRRP only the master sends advertisements.

GLBP
1. Cisco proprietary.
2. One virtual IP address and several virtual MAC addresses.
3. The biggest difference from HSRP and VRRP: GLBP provides load balancing.
4. Two terms: (1) AVF, active virtual forwarder; (2) AVG, active virtual gateway.
5. How GLBP works: (1) the GLBP group elects one AVG, and all group members are AVFs; (2) the AVG assigns the virtual MAC addresses for the group, one per AVF; (3) the AVG answers the hosts' ARP requests, handing out a different virtual MAC each time, which is how the load is balanced; (4) each AVF forwards the traffic addressed to its own virtual MAC.
6. GLBP supports three load-balancing modes: (1) host-dependent: a given host always gets the same virtual MAC; (2) round-robin: the AVFs' virtual MACs are handed out in turn; (3) weighted: the share of traffic sent to each AVF depends on its weight.
7. GLBP labs: (1) basic router configuration, (2) basic switch configuration.
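The election rules above (default priority 100, tracking decrement 10, highest priority wins with the highest interface IP as tie-breaker, and no takeover without preempt) as an added Python model. This is example code written for this page, not Cisco code and not part of the original notes; the router names, addresses and the "rogue host" are constructed. It also derives the HSRPv1, HSRPv2 and VRRP virtual MACs from the group number.

```python
"""HSRP election model and virtual-MAC derivation.

Added example (not from the page, not Cisco code). It encodes the rules the
notes above state: default priority 100, tracked-interface failure lowers
the priority by 10, the highest priority wins and ties go to the highest
interface IP, and a router displaces a running active router only when it
has 'preempt' configured. Router names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, XX = group (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def hsrp_v2_vmac(group: int) -> str:
    """HSRPv2 virtual MAC 0000.0c9f.fXXX, XXX = group (0-4095)."""
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP virtual MAC 0000.5e00.01XX, XX = VRID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100        # HSRP default
    preempt: bool = False      # IOS/NX-OS default: preemption off
    tracked_up: bool = True    # state of the tracked interface, if any
    track_decrement: int = 10  # default decrement when tracking fails

    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return max(0, self.priority - self.track_decrement)

    def sort_key(self):
        # Higher priority wins; the higher interface IP breaks ties.
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect_active(routers, current_active=None):
    """Name of the router that holds the active role after this round.

    With no current active (cold start, or the active has disappeared) the
    best candidate wins outright. Otherwise the incumbent keeps the role
    unless a better router has 'preempt' set, which is why a standby that
    lacks 'preempt' never benefits from the other side's interface tracking.
    """
    if current_active is None or all(r.name != current_active for r in routers):
        return max(routers, key=HsrpRouter.sort_key).name
    cur = next(r for r in routers if r.name == current_active)
    challengers = [r for r in routers if r.preempt and r.sort_key() > cur.sort_key()]
    if challengers:
        return max(challengers, key=HsrpRouter.sort_key).name
    return cur.name


if __name__ == "__main__":
    a = HsrpRouter("N3K_1", "192.168.0.2", priority=105, preempt=True)
    b = HsrpRouter("N3K_2", "192.168.0.3")
    print("group 10 vMAC (v2):", hsrp_v2_vmac(10), "active:", elect_active([a, b]))
    a.tracked_up = False   # N3K_1's tracked uplink fails: priority 105 -> 95
    print("after tracking failure, no preempt on N3K_2:", elect_active([a, b], "N3K_1"))
    b.preempt = True
    print("same, with preempt on N3K_2:", elect_active([a, b], "N3K_1"))
    rogue = HsrpRouter("rogue-host", "192.168.0.250", priority=255, preempt=True)
    print("unauthenticated hello with priority 255:", elect_active([a, b, rogue], "N3K_1"))
```

The two things worth taking from the model: tracking on the active router achieves nothing unless the standby is configured to preempt, and without HSRP authentication any host that can send a hello with priority 255 and preempt wins the election outright.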
Cisco N3K vPC + HSRP + OSPF configuration

vPC concepts
vPC: the combined port-channel between the vPC peer devices and a downstream device.
vPC peer switches: the two Nexus switches that together provide the vPC function; one is primary, the other secondary.
vPC peer-link: the link used to synchronise state between the vPC peer devices.
The vPC peer-link carries control traffic between the two vPC switches, plus multicast and broadcast data traffic.
In some link-failure scenarios it also carries unicast traffic.
The peer-link should be at least two 10GE interfaces.
vPC domain: includes the vPC peer devices, the vPC peer-keepalive link and all port-channels in the vPC that connect to downstream devices.
All global vPC configuration is tied to the vPC domain.
vPC peer-keepalive link (heartbeat): monitors the liveness of the vPC peer switches.
Periodic keepalives are sent between the vPC peer devices.
According to these notes the peer-keepalive link can be the management interface (mgmt0) or a switched virtual interface (SVI) but not a physical interface; whether a dedicated routed port is allowed depends on platform and release, and the Congo/Egypt walkthrough later on this page does use a routed port in its own VRF.
No data or synchronisation traffic crosses the peer-keepalive link; the only traffic on it is the message saying that the switch is up and running vPC.
1. Requirements: two Cisco switches need to be virtualised into one (similar to switch stacking) to connect Layer 2 access switches and provide highly available network links.
As in the figure below: the 2960X Layer 2 switch must see the two upstream N3K switches as one device, with the links between them aggregated.
2. Configuration. N3K_1 and N3K_2 are configured identically except where noted: (1) enable vPC, HSRP and OSPF globally; (2) configure the vPC domain ID; (3) configure the vPC peer-link interfaces; (4) configure the downstream interfaces.

feature vpc
feature hsrp
feature ospf
vpc domain 30
  role priority 8192
  peer-keepalive destination 10.8.240.21 source 10.8.240.20
  peer-gateway
  auto-recovery
interface Ethernet1/49
  switchport mode trunk
  channel-group 49 mode active
interface Ethernet1/50
  switchport mode trunk
  channel-group 49 mode active
interface port-channel49
  speed 40000
  description vPC peer-link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/51/1
  speed 10000
  switchport mode trunk
  channel-group 50 mode active
  no shutdown
interface port-channel50
  speed 10000
  switchport mode trunk
  vpc 50

Notes: role priority is 8192 on N3K_1 and 16384 on N3K_2 (the lower value becomes the vPC primary). The peer-keepalive addresses are the mgmt0 addresses, swapped on N3K_2. The vPC ID (vpc 50) must be the same on both N3Ks for the same downstream device.

2960X configuration. Interface configuration is the same as for an ordinary LACP port-channel:

interface TenGigabitEthernet1/0/1
  switchport mode trunk
  channel-group 24 mode active
interface TenGigabitEthernet1/0/2
  switchport mode trunk
  channel-group 24 mode active
interface Port-channel24
  switchport mode trunk

3. HSRP + OSPF configuration

N3K_1:
interface Vlan10
  no shutdown
  ip address 192.168.0.2/24
  ip router ospf 10 area 0.0.0.20
  hsrp version 2
  hsrp 10
    preempt
    priority 105
    ip 192.168.0.1
    track 1
track 1 interface Ethernet1/48 line-protocol

N3K_2:
interface Vlan10
  no shutdown
  ip address 192.168.0.3/24
  ip router ospf 10 area 0.0.0.20
  hsrp version 2
  hsrp 10
    ip 192.168.0.1
    track 1
track 1 interface Ethernet1/48 line-protocol

ip router ospf 10 area 0.0.0.20 advertises the SVI into OSPF. Note that N3K_2 has no preempt: if N3K_1's tracked interface goes down and its priority drops from 105 to 95, N3K_2 only takes over the active role if it is configured to preempt.

4. Verification

N3k-core-01# show vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 30
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary, operational secondary
Number of vPCs configured         : 6
Peer Gateway                      : Enabled
Peer gateway excluded VLANs       : -
Dual-active excluded VLANs        : -
Graceful Consistency Check        : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po49   up     all

vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
50     Po50        up     success     success                    all
51     Po51        up     success     success                    all
52     Po52        up     success     success                    all
53     Po53        up     success     success                    all

N3k-core-01# show vpc statistics peer-link
port-channel49 is up
  Hardware: Port-Channel, address: 0062.ecef.8e5c (bia 0062.ecef.8e5c)
  Description: vPC peer-link
  MTU 9216 bytes, BW 80000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  Port mode is trunk
  full-duplex, 40 Gb/s
  Input flow-control is off, output flow-control is off
  Switchport monitor is off
  EtherType is 0x8100
  Members in this channel: Eth1/49, Eth1/50
  Last clearing of "show interface" counters never
  1 interface resets
  Load-Interval #1: 30 seconds
    30 seconds input rate 13194296 bits/sec, 5755 packets/sec
    30 seconds output rate 1558864 bits/sec, 802 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 11.66 Mbps, 5.24 Kpps; output rate 1.49 Mbps, 625 pps
  RX
    53092855268 unicast packets  943847523 multicast packets  37779519 broadcast packets
    54074482310 input packets  12067581932262 bytes
    3615421391 jumbo packets  0 storm suppression packets
    0 runts  0 giants  0 CRC  0 no buffer
    0 input error  0 short frame  0 overrun  0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    27613649710 unicast packets  1107185465 multicast packets  48743817 broadcast packets
    28769578992 output packets  4953197509995 bytes
    1283510513 jumbo packets
    0 output errors  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble  0 output discard
    0 Tx pause

N3k-core-01# show hsrp brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Vlan10      10  105  P Active   local           192.168.0.3     192.168.0.1  (conf)
Vlan11      11  105  P Active   local           192.168.1.3     192.168.1.1  (conf)
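The requirements stated above (same domain ID, mirrored keepalive addresses, the same vPC ID on both peers, one peer-link, deliberately different role priorities) as an added Python consistency check over two running-config texts. This is example code written for this page, not NX-OS code and not from the original author; the two configs are constructed from the N3K_1/N3K_2 fragments above, with the second peer's role priority and keepalive addresses swapped as the notes describe.

```python
"""Consistency check for a vPC peer pair's configuration.

Added example, not NX-OS code and not from the page. It reads two
running-config texts and flags the mismatches the page says must not
exist: different vPC domain IDs, keepalive addresses that do not mirror
each other, equal role priorities (no deterministic primary), a missing
peer-link, peer-gateway on only one side, and vPC IDs that differ between
the peers. The configs below are constructed from the N3K fragments above.
"""
import re

N3K_1 = """\
feature vpc
feature hsrp
vpc domain 30
  role priority 8192
  peer-keepalive destination 10.8.240.21 source 10.8.240.20
  peer-gateway
  auto-recovery
interface port-channel49
  description vPC peer-link
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface port-channel50
  switchport mode trunk
  vpc 50
"""

N3K_2 = N3K_1.replace("role priority 8192", "role priority 16384").replace(
    "destination 10.8.240.21 source 10.8.240.20",
    "destination 10.8.240.20 source 10.8.240.21")


def parse_blocks(cfg):
    """Map each top-level command to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", "#")):
            continue
        if raw[0].isspace():
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def summarize(cfg):
    """Pull out the vPC-relevant facts from one peer's configuration."""
    b = parse_blocks(cfg)
    s = {"features": {k.split()[1] for k in b if k and k.startswith("feature ")},
         "domain": None, "role_priority": None, "keepalive": None,
         "peer_gateway": False, "peer_links": [], "vpcs": {}}
    for key, lines in b.items():
        if key and key.startswith("vpc domain "):
            s["domain"] = int(key.split()[2])
            for line in lines:
                if m := re.fullmatch(r"role priority (\d+)", line):
                    s["role_priority"] = int(m.group(1))
                if m := re.match(r"peer-keepalive destination (\S+) source (\S+)", line):
                    s["keepalive"] = (m.group(1), m.group(2))
                if line == "peer-gateway":
                    s["peer_gateway"] = True
        elif key and key.startswith("interface "):
            name = key.split(None, 1)[1]
            if "vpc peer-link" in lines:
                s["peer_links"].append((name, "spanning-tree port type network" in lines))
            for line in lines:
                if m := re.fullmatch(r"vpc (\d+)", line):
                    s["vpcs"][name] = int(m.group(1))
    return s


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    findings = []
    for side, s in (("A", a), ("B", b)):
        if "vpc" not in s["features"]:
            findings.append(f"{side}: 'feature vpc' not enabled")
        if s["domain"] is None:
            findings.append(f"{side}: no 'vpc domain' block")
        if len(s["peer_links"]) != 1:
            findings.append(f"{side}: expected one 'vpc peer-link', found {len(s['peer_links'])}")
        elif not s["peer_links"][0][1]:
            findings.append(f"{side}: peer-link {s['peer_links'][0][0]} lacks 'spanning-tree port type network'")
    if a["domain"] != b["domain"]:
        findings.append(f"domain id differs: {a['domain']} vs {b['domain']}")
    if a["role_priority"] == b["role_priority"]:
        findings.append("role priority equal on both peers: primary is decided by system MAC, not by you")
    if a["keepalive"] and b["keepalive"] and a["keepalive"] != (b["keepalive"][1], b["keepalive"][0]):
        findings.append("peer-keepalive source/destination do not mirror each other")
    if a["peer_gateway"] != b["peer_gateway"]:
        findings.append("peer-gateway enabled on only one peer")
    if set(a["vpcs"].values()) != set(b["vpcs"].values()):
        findings.append(f"vPC ids differ: {sorted(a['vpcs'].values())} vs {sorted(b['vpcs'].values())}")
    return findings


if __name__ == "__main__":
    print("N3K_1 vs N3K_2:", check_pair(N3K_1, N3K_2) or "consistent")
```

Run it against the two configs before forming the domain; the same checks are what the switches' own consistency check will complain about after the fact, when a downstream port-channel is already suspended.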
Cisco 数据中心之 HSRP, vPC 以及 vPC Peer-Gateway 介绍

How HSRP Works

Hot Standby Router Protocol is a well-known feature of Cisco IOS. The goal of HSRP is to provide a resilient default gateway to hosts on a LAN. This is accomplished by configuring two or more routers to share the same IP address and MAC address. Hosts on the LAN are configured with a single default gateway (either statically or via DHCP). Upon sending its first packet to another subnet, the host ARPs for the MAC address of the default gateway. It receives an ARP reply with the virtual MAC of the HSRP group. The IP packet is encapsulated in an Ethernet frame with a destination MAC address of the default gateway. If the active router fails, HSRP hellos are lost and the standby HSRP router takes over the virtual IP address and MAC address. The host does not need to know that anything has changed.

In the diagram above, the user (10.1.1.100) is configured with a default gateway of 10.1.1.1. When the user sends its first packet to 10.5.5.5, it ARPs for 10.1.1.1. In my example, Router A is the HSRP active router, so it sends an ARP reply with the virtual MAC address 0000.0c07.ac05 (HSRPv1, group 5). The user PC then encapsulates the IP packet (destination IP 10.5.5.5) in an Ethernet frame with a destination MAC address of 0000.0c07.ac05. Router A accepts the frame and routes the packet.

The above paragraphs tell the story of packets coming from the HSRP-enabled LAN. But what happens to reply packets coming from 10.5.5.5 to 10.1.1.100? The answer is simple, and intuitive if you follow it step by step. First, the server creates an IP packet with a destination of 10.1.1.100. It encapsulates it in an Ethernet frame and forwards it to its default gateway (for this example, let's say it is Router A). Router A strips the Ethernet framing and determines that the next hop is on the local subnet 10.1.1.0/24. It encapsulates the packet in an Ethernet frame with a destination MAC address of 0021.6a98.1952, the user PC. The source MAC address is the physical MAC address of Router A (0024.f71e.3343). Router A does not use the virtual MAC address for packets it routes onto the local subnet.

So What is vPC?

Now that we've covered HSRP, let's talk about Virtual Port Channel (vPC). vPC allows two NX-OS devices to share a port-channel. Attached devices believe that they are connected to a single device via an EtherChannel bundle. This is great because it eliminates spanning-tree blocking along parallel paths.

To allow this to work, the paired NX-OS devices use two vPC-specific communication channels. The first is the vPC peer-keepalive message. This heartbeat lets one switch detect when the other has gone offline, to prevent traffic from being dropped during a failure. These are lightweight hello packets. The second communication channel is the vPC peer-link. This is a high-speed connection between the two NX-OS switches that is used to stitch together the two sides of the port-channel. If a frame arrives on switch A but is destined for a host on switch B, it is forwarded across the peer-link for delivery. All things being equal, it is undesirable to forward frames across a vPC peer-link. It is much better for the frame to be sent to the correct switch in the first place. Of course, there is no way for the attached device to know which path is more appropriate.

In the above example, the user PC is sending an Ethernet frame to the server. It creates a frame with a destination MAC address of 0033.9328.12a1 and sends it to the L2 switch. The L2 switch has an entry in its forwarding table indicating that the destination MAC is reachable via the Port-Channel 100 interface. It uses its EtherChannel load-balancing hash to determine which physical interface to forward the frame onto. It is equally likely to choose the link to Nexus B, even though the more efficient path is to Nexus A (someday TRILL will help us, but for now there is no solution). If the frame is sent to Nexus B, Nexus B forwards it over the vPC peer-link to Nexus A.

Cisco's current recommendation is to build the vPC peer-link with multiple dedicated 10GE connections for performance reasons. Cisco also recommends that all devices in a vPC-enabled VLAN be connected to both Nexus switches. In the diagram above, the server is considered to be on a vPC orphan port. This is undesirable, since it requires use of the vPC peer-link. It also has implications for multicast forwarding.

vPC and HSRP Together

Now we've arrived at the point where we can pull all this information together. In the following diagram, the user PC has been moved to a new VLAN. The user is again trying to communicate with the server. The user PC ARPs for its default gateway. Nexus A (the HSRP active router) replies with the virtual MAC address 0000.0c07.ac05. The user creates an Ethernet frame with a destination address of the virtual MAC and forwards it to the L2 switch. The L2 switch uses its EtherChannel load-balancing algorithm to pick the physical link. The difference now is that it doesn't matter which link it uses: the NX-OS switch on the other end will accept and route the packet. In effect, both Nexus switches forward for the HSRP virtual MAC at the same time; only the active router answers ARP for the virtual IP, but with vPC the standby also routes frames that arrive for the virtual MAC instead of bridging them to the active router over the peer-link. This eliminates the need to forward Ethernet frames across the vPC peer-link for packets that are destined for other subnets.

What Does "vpc peer-gateway" Do?

If we left everything alone, the story would be complete. Unfortunately, storage vendors thought it would be a good idea to optimize their handling of Ethernet frames. Some NetApp and EMC equipment ignores the ARP reply given by the HSRP active router and instead sends Ethernet frames to whichever MAC address it receives frames from. This is nonstandard behavior.

Using the diagram above, let's say that the user PC is now an EMC Celerra storage device. The server sends its packets (IP destination 10.1.1.100) to Nexus B, which routes them onto the Ethernet LAN. All IP packets with source IP 10.5.5.5 will be encapsulated in Ethernet frames with a source MAC address of 0022.5579.f643, the physical MAC of Nexus B. The Celerra caches the source MAC address of these frames, and when it has IP packets to send to 10.5.5.5, it encapsulates them in Ethernet frames with a destination MAC of 0022.5579.f643. It is choosing to ignore its default gateway for these outbound packets.

I suppose the theory behind this feature was to eliminate the extra hop within the LAN. When HSRP is enabled, it is necessary to disable ICMP redirects. This means that the routers will not inform hosts on the LAN that a better gateway is available for a particular destination IP address. This storage feature saves a LAN hop.

Unfortunately, this optimization does not work well with vPC. vPC relies on virtual MAC address sharing to reduce utilization of the vPC peer-link. If hosts insist on addressing their frames to a specific router, suboptimal forwarding can occur. According to Cisco, "Packets reaching a vPC device for the non-local router MAC address are sent across the peer-link and could be dropped by the built in vPC loop avoidance mechanism if the final destination is behind another vPC." At the application level we saw very poor performance due to these dropped packets. Enough of the packets got through to allow access to the storage device, but file load times were measured in tens of seconds rather than milliseconds.

The "vpc peer-gateway" command allows each vPC peer to accept and route frames destined for its peer's router MAC. This feature extends the virtual MAC address behavior to the paired router's physical MAC address. By enabling it, NX-OS effectively neutralizes the storage vendors' optimization.

Conclusion

If you are running vPC and HSRP, and you have EMC or NetApp storage equipment, you probably need to add the "peer-gateway" command under your vPC domain configuration. The only caveat to peer-gateway is the following (from NX-OS 5.0, Configuring vPC):

Packets arriving at the peer-gateway vPC device will have their TTL decremented, so packets carrying TTL = 1 may be dropped in transit due to TTL expire. This needs to be taken into account when the peer-gateway feature is enabled and particular network protocols sourcing packets with TTL = 1 operate on a vPC VLAN.

I have yet to face this issue, so my recommendation is to add this to your vPC configuration as a default.
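The forwarding decisions described in the peer-gateway discussion, as an added Python model. This is example code written for this page, not NX-OS code and not from the post's author; it encodes which destination MACs a vPC peer routes itself, what happens to a frame addressed to the other peer's physical MAC with and without peer-gateway (the loop-avoidance drop in the Cisco quote, and the TTL = 1 caveat from the NX-OS guide), and the storage-device scenario end to end. The MAC addresses are the ones in the post's diagrams; the frames and the TTL values are constructed.

```python
"""Forwarding model for the vPC peer-gateway discussion above.

Added example, not NX-OS code and not from the blog post. It encodes which
destination MACs a vPC peer routes itself and what happens to a frame sent
to the *other* peer's physical MAC, with and without 'peer-gateway'. The
MAC addresses are the ones in the post's diagrams; frames are constructed.
"""
from dataclasses import dataclass

HSRP_VMAC = "0000.0c07.ac05"   # HSRPv1 group 5, shared by both peers


@dataclass(frozen=True)
class Nexus:
    name: str
    mac: str   # physical router MAC, used as source when routing onto the LAN


NEXUS_A = Nexus("Nexus A", "0024.f71e.3343")
NEXUS_B = Nexus("Nexus B", "0022.5579.f643")


def routes_locally(rx: Nexus, peer: Nexus, dst_mac: str, peer_gateway: bool) -> bool:
    """Does the receiving peer route this frame itself instead of bridging it?"""
    dst = dst_mac.lower()
    if dst in (HSRP_VMAC, rx.mac):           # the shared virtual MAC, or our own MAC
        return True
    return peer_gateway and dst == peer.mac  # peer-gateway: also act for the peer's MAC


def forward(rx, peer, dst_mac, ttl, peer_gateway, dest_behind_vpc=True):
    """Fate of a frame that arrives at `rx` on a vPC member port.

    Returns 'routed-local', 'handed-to-peer', 'dropped-loop-avoidance',
    'dropped-ttl-expired' or 'bridged-l2'.
    """
    dst = dst_mac.lower()
    if routes_locally(rx, peer, dst, peer_gateway):
        # Routing decrements TTL. This is the NX-OS guide's caveat: with
        # peer-gateway a TTL=1 packet addressed to the peer's MAC, which used
        # to be bridged to the peer untouched, is now routed here and expires.
        return "dropped-ttl-expired" if ttl <= 1 else "routed-local"
    if dst == peer.mac:
        # Not ours: cross the vPC peer-link to the MAC's owner. vPC loop
        # avoidance forbids a frame received over the peer-link from leaving
        # on a vPC member port, so it is dropped when the destination sits
        # behind another vPC (the Cisco quote above); otherwise the peer
        # takes it from here.
        return "dropped-loop-avoidance" if dest_behind_vpc else "handed-to-peer"
    return "bridged-l2"   # plain Layer 2 forwarding, not routed by rx


def storage_reply_fate(routed_by, hashed_to, peer_gateway, ttl=64, dest_behind_vpc=True):
    """The EMC/NetApp scenario: the server's packets were routed onto the LAN
    by `routed_by`, so the storage device answers to that physical MAC; the
    L2 switch's port-channel hash then delivers the reply to `hashed_to`."""
    other = NEXUS_A if hashed_to is NEXUS_B else NEXUS_B
    return forward(hashed_to, other, routed_by.mac, ttl, peer_gateway, dest_behind_vpc)


if __name__ == "__main__":
    for pg in (False, True):
        print(f"peer-gateway={pg}: Celerra reply hashed to Nexus A ->",
              storage_reply_fate(NEXUS_B, NEXUS_A, peer_gateway=pg))
    print("TTL=1 to peer MAC with peer-gateway ->",
          forward(NEXUS_A, NEXUS_B, NEXUS_B.mac, 1, peer_gateway=True))
```

The model makes the trade-off explicit: peer-gateway turns the loop-avoidance drop into a local route, at the price of decrementing TTL on frames that previously crossed the peer-link untouched.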
Cisco vPC study notes

vPC study notes (with configuration)
Topic: vPC (Virtual Port Channels)
Purpose: extends port-channel so that links to different devices are aggregated into one logical link (my understanding).
Supported devices: N5K, N7K, N2K.
Advantages: device-level redundancy; faster convergence than STP (no STP blocking); removes STP blocked ports and gives a loop-free network; better bandwidth use (the links load-balance).
Note: vPC is Layer 2 only; vPC ports cannot run routing protocols.
How it works: two Nexus devices are associated with a vPC domain. The two devices exchange information over two special links:
- vPC peer-keepalive link: the heartbeat link that confirms both vPC devices are alive, to avoid an active/active (split-brain) condition, in which the two peers lose contact and each acts as primary, turning the vPC topology into a loop. The keepalive port can be a 1G or 10G port.
- vPC peer link: exchanges state information between the vPC neighbours and provides an additional mechanism to detect and prevent split-brain.
About the peer-keepalive port: the management port (mgmt0) can be used as the vPC peer-keepalive interface. On the N7K a supervisor switchover or in-service software upgrade (ISSU) changes which management port is active and interrupts the keepalive; if you use the management port, make sure every management port is connected to the management switch. A port-channel of data interfaces can be used for a higher level of redundancy.

Configuration:
1. Enable the vPC feature
Congo(config)# feature vpc
Egypt(config)# feature vpc
2. Create a VRF for the vPC keepalive
Congo(config)# vrf context vpc-keepalive
Egypt(config)# vrf context vpc-keepalive
3. Create the vPC keepalive link
Congo(config)# interface ethernet 2/47
Congo(config-if)# no switchport
Congo(config-if)# vrf member vpc-keepalive
Congo(config-if)# ip address 1.1.1.1 255.255.255.252
Egypt(config)# interface ethernet 2/48
Egypt(config-if)# no switchport
Egypt(config-if)# vrf member vpc-keepalive
Egypt(config-if)# ip address 1.1.1.2 255.255.255.252
Test connectivity:
Congo# ping 1.1.1.2 vrf vpc-keepalive
Check:
Congo# show vpc
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 1
Peer status                       : peer link not configured
vPC keep-alive status             : peer is alive
Configuration consistency status  : failed
Configuration consistency reason  : vPC peer-link does not exists
vPC role                          : none established
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
The keepalive is up, but the vPC peer relationship is not, because the peer-link has not been configured yet.
4. Create the vPC domain
Congo(config)# vpc domain 1
Congo(config-vpc-domain)# peer-keepalive destination 1.1.1.2 source 1.1.1.1 vrf vpc-keepalive
Egypt(config)# vpc domain 1
Egypt(config-vpc-domain)# peer-keepalive destination 1.1.1.1 source 1.1.1.2 vrf vpc-keepalive
5. Configure the vPC peer-link (the link between the two Nexus switches): it must use 10G ports, with the speed set explicitly.
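Both show vpc outputs on this page (the healthy N3K output in the earlier section and the half-built Congo state above, where the keepalive is alive but the peer-link does not exist yet) as input to an added Python health check. This is example code written for this page, not NX-OS code and not from either author. The samples are constructed from the page's outputs; one vPC row in the healthy sample has been changed to a failing row so the check has something to report, and its reason text is made up.

```python
"""Health check over 'show vpc' output.

Added example, not from the page. Two constructed samples: the healthy
state from the N3K section (with one vPC row changed to a failure so the
check reports something; its reason text is invented) and the half-built
state from the Congo/Egypt walkthrough, where the keepalive is up but the
peer-link does not exist yet.
"""
HEALTHY = """\
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                     : 30
Peer status                       : peer adjacency formed ok
vPC keep-alive status             : peer is alive
Configuration consistency status  : success
Per-vlan consistency status       : success
Type-2 consistency status         : success
vPC role                          : primary, operational secondary
Number of vPCs configured         : 6
Peer Gateway                      : Enabled
Auto-recovery status              : Enabled (timeout = 240 seconds)

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po49   up     all

vPC status
----------------------------------------------------------------------------
id     Port        Status Consistency Reason                     Active vlans
------ ----------- ------ ----------- -------------------------- -----------
50     Po50        up     success     success                    all
51     Po51        down   failed      vPC type-1 configuration   -
"""

PARTIAL = """\
vPC domain id                     : 1
Peer status                       : peer link not configured
vPC keep-alive status             : peer is alive
Configuration consistency status  : failed
Configuration consistency reason  : vPC peer-link does not exists
vPC role                          : none established
Number of vPCs configured         : 0
Peer Gateway                      : Disabled
Dual-active excluded VLANs        : -
"""


def parse_show_vpc(text):
    """Split the output into header fields, peer-link rows and vPC rows."""
    info = {"fields": {}, "peer_link": [], "vpcs": []}
    section = "header"
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("-", "id ", "Legend", "(*)")):
            continue
        if s.startswith("vPC Peer-link status"):
            section = "peer_link"
        elif s.startswith("vPC status"):
            section = "vpcs"
        elif section == "header":
            if ":" in s:
                key, value = s.split(":", 1)
                info["fields"][key.strip()] = value.strip()
        else:
            cols = s.split()
            if not cols[0].isdigit():
                continue
            row = {"id": int(cols[0]), "port": cols[1], "status": cols[2]}
            if section == "vpcs":
                row["consistency"] = cols[3]
            info[section].append(row)
    return info


def assess(info):
    """Return the findings an operator should act on (empty list = healthy)."""
    f = info["fields"]
    findings = []
    if f.get("vPC keep-alive status") != "peer is alive":
        findings.append(f"keep-alive: {f.get('vPC keep-alive status')}")
    if f.get("Peer status") != "peer adjacency formed ok":
        findings.append(f"peer status: {f.get('Peer status')}")
    for key in ("Configuration consistency status", "Per-vlan consistency status",
                "Type-2 consistency status"):
        if key in f and f[key] != "success":
            reason = f.get("Configuration consistency reason", "")
            findings.append(f"{key}: {f[key]} {reason}".rstrip())
    if f.get("Peer Gateway") == "Disabled":
        findings.append("peer-gateway disabled (see the peer-gateway discussion above)")
    if not any(p["status"] == "up" for p in info["peer_link"]):
        findings.append("no peer-link is up")
    for v in info["vpcs"]:
        if v["status"] != "up" or v["consistency"] != "success":
            findings.append(f"vPC {v['id']} ({v['port']}): status {v['status']}, "
                            f"consistency {v['consistency']}")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("partial", PARTIAL)):
        print(name, assess(parse_show_vpc(sample)) or ["ok"])
```

Feed it the output of show vpc from each peer; a non-empty list on either side is the thing to chase before touching downstream port-channels.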
VSS, IRF, vPC and VDC summary

This document is only a summary; most of it was written by others, and I thank everyone who put effort into it. (Compiled by 北京-小小.)
Cisco Catalyst 6500 VSS overview
1) The initial release of the Cisco Catalyst 6500 Series Virtual Switching System 1440 combines two physical Catalyst 6500 series switches into a single logical virtual switch.
Figure 5 shows how VSS operates: once two Catalyst 6509 switches are configured as a virtual switching system, they can be managed as a single Catalyst 6509.
Figure 5. Cisco Virtual Switching System. The virtual switching system is enabled through a special link that binds the two chassis into one virtual switching system, called the Virtual Switch Link (VSL).
The VSL carries special control information and encapsulates every frame crossing the link with a header.
2) Cisco Catalyst 6500 Virtual Switching System 1440 architecture. The Catalyst 6500 virtual switching system allows two switches to be merged into a single device entity on the network, from both the control-plane and the management viewpoint.
To its neighbours, the virtual switching system appears as a single switch or router.
Within the virtual switching system, one chassis is designated the active virtual switch and the other the standby virtual switch.
All control-plane functions, including management (SNMP, Telnet, SSH and so on), Layer 2 protocols (BPDUs, PDUs, LACP and so on), Layer 3 protocols (routing protocols and so on) and software data, are handled by the Supervisor Engine of the active switch.
The Supervisor Engine on the active switch, together with the PFC on the standby switch's Supervisor, is responsible for programming hardware forwarding information onto the Distributed Forwarding Cards (DFCs) throughout the virtual switching system.
Figure 6. Components of Cisco Virtual Switching System. From the data-plane and traffic-forwarding view, every switch in the Virtual Switching System 1440 participates in forwarding.
The PFC on the active virtual switch's Supervisor Engine performs the forwarding lookups for all traffic entering the active virtual switch, and the PFC on the standby switch's Supervisor Engine performs the forwarding lookups for all traffic entering the standby switch.