© 2013 Cisco and/or its affiliates. All rights reserved. 1 Architecture & Solutions Group US Public Sector Advanced Services Mark Stinnette, CCIE Data.

© 2013 Cisco and/or its affiliates. All rights reserved. 1

Quick Start Guide

FabricPath

Architecture & Solutions GroupUS Public Sector Advanced ServicesMark Stinnette, CCIE Data Center #39151

Date 9 September 2013Version 1.13.2


This presentation will provide end-to-end configurations mapped directly to commonly deployed data center architecture topologies. In this cookbook style; quick start guide; configurations are broken down in an animated step by step process to a complete end-to-end good clean configuration based on Cisco best practices and strong recommendations. Each QSG will contain set the stage content, technology component definitions, recommended best practices, and more importantly different scenario data center topologies mapped directly to complete end-to-end configurations. This QSG is geared for network engineers, network operators, and data center architects to allow them to quickly and effectively deploy these technologies in their data center infrastructure based on proven commonly deployed designs.

This Quick Start Guide (QSG) is a Cookbook style guide to Deploying Data Center technologies with end-to-end configurations for several commonly deployed architectures.


Natural Evolution of the vPC Design

• Simplest design option :: traditional Aggregation / Access designs• Simplified configuration• Removal of STP• Traffic distribution over all uplinks without vPC port-channels

• Active / Active gateways (via vPC+ or Anycast HSRP)• VLAN anywhere (no trunk ports)• Option for vPC+ for legacy access switches and computer connectivity• Easily deploy L4-7 services

FabricPath ConfigurationFabricPath Design :: 2 SPINE (Routing at Aggregation)


• Scale out; n-way Active HSRP in FabricPath (up to 4 today)• No longer need vPC+ at SPINE for active/active HSRP

• No peer-link or peer-keepalive link required • Leaf software needs to understand Anycast HSRP in FabricPath

FabricPath ConfigurationFabricPath Design :: 4 SPINE (Routing at Aggregation w/ Anycast HSRP)


FabricPath ConfigurationFabricPath Design :: Dedicated SPINE (Centralized Routing)


FabricPath Deployment in Preparation For Dynamic Fabric Automation (DFA)

• Paradigm shift with respect to typical designs (CLOS Fabric topology)• Simplifies SPINE design• Traditional “Aggregation” layer becomes pure FabricPath SPINE• Design helps ensure that any application node are at most only two hops away• FabricPath LEAF switches provide server connectivity like traditional designs• FabricPath LEAF switches also provide L2/L3 boundary, inter-VLAN routing, North South routing

FabricPath ConfigurationFabricPath Design :: Dedicated SPINE (Centralized Routing)

Alternative View


NX-OS 6.2

• Provides DC wide vs. POD local VLAN segmentation / isolationCan support VLAN ID reuse in multiple PODs

• Define FabricPath VLANs :: map VLANs to topology :: map topology to FabricPath core ports

• Optional design for “disconnected” PODsEach POD can use same non-default FP topology; don’t need FabricPath Core since each POD is on its own island

• Where to place DC wide L2/L3 boundary (vPC+ or Anycast HSRP)FabricPath CorePick a any Aggregation PODRouted Sub-interfaces on Routed Core / WAN Edge via CE edge ports

• Default topology always includes all FabricPath core portsMap DC Wide VLANs to default topology

• POD local core ports also mapped to POD local topology Map POD local VLANs to POD local topology

FabricPath ConfigurationFabricPath Design :: Multi POD (w/ FP Multi-Topology)


FabricPath ConfigurationFabricPath Terminology


FabricPath ConfigurationFabricPath Encapsulation


FabricPath is a next generation Layer 2 technology from Cisco that provides multi-path Ethernet capabilities in L2 switching networks. FabricPath combines the benefits of L2 switching such as easy configuration and workload flexibility with greater scalability and availability. Specifically, FabricPath adds to L2 switching some routing type capabilities such as all active links, fast convergence, and loop avoidance mechanisms in the data plane. It allows Layer 2 networking without Spanning Tree Protocol.

FabricPath provides the following benefits:• Eliminates Spanning Tree Protocol (STP) with built-in loop prevention and mitigation (TTL & RPF)• Single control plane for unknown unicast, unicast, broadcast, and multicast traffic• VLAN anywhere• FP is transparent to L3 protocols• Easy to configure• Easy to manage• Flexibility

• Create arbitrary any topology • Multiple designs to integrate L2/L3 boundaries • Start small and expand as needed (bandwidth growth)

• Efficient and Scalable • Layer 3 availability similar features • Leverage parallel paths• Expanding available bandwidth at L2/L3 Default Gateway level• MAC address table scale (conversational learning) :: all FabricPath VLANs use conversation MAC address learning• Fast Convergence and low latency

• Enhances mobility and virtualization in the FabricPath network• Capable of running vPC (called vPC+) to connect devices to the edge in a port channel• Multi-tenant support, traffic engineering, meet security separation requirements via FabricPath topologies

FabricPath ConfigurationBenefits Overview


Feature Benefit Overview

fabricpath VLAN mode & switchport mode

Eliminate STP protocol from the infrastructure fabric

The FabricPath ports carry traffic only for those VLANs configured as FabricPath VLANs. It is mandatory to enable the same FP mode VLAN EVERYWHERE on all switches in the FP fabric (otherwise, FP multidestination trees will be incorrectly built). VLAN pruning is performed automatically on FP core ports for FP traffic only.

fabricpath forwarding tables

Service Continuity FabricPath uses 3 HW forwarding tables to switch frames (1) MAC address table, (2) Switch-ID table, (3) Multidestination tree table

fabricpath switch IDs Service Continuity Each switch in the FP fabric is allocated with a global switch ID value; this is allocated automatically or manually set (recommended). The switch ID information will be used in the MAC address-table for L2 forwarding. The vPC+ system also uses an emulated switch ID; which you assign on both peer devices.

fabricpah IS-IS link metric

Increase High-Availability

FP will always take the path with the lowest metric. Its recommended to use the default reference bandwidth.

fabricpath timers Improve Convergence Time

On a case by case basis, if convergence time needs to be improved upon switch reload, modify lsp-gen-interval and spf-interval timers.

fabricpath root priority

Service Continuity FP uses two Multi destination Trees, Tree 1 (ftag 1) for broadcast, unknown unicast, multicast & Tree 2 (ftag 2) –multicast. Recommend to use on SPINE switches for primary and secondary root.

STP for Classical Ethernet (CE)

Service Continuity The FP fabric must be the root of the L2 domain when connected to other legacy L2 domains / switches. Make sure STP priority is the lowest for the entire FP fabric.

vPC+ Increase High-Availability

FabricPath & vPC+ combined provides two main purposes, (1) dual attach a host to the FP fabric, (2) Leverage Active/Active HSRP capability

FabricPath ConfigurationFeature Configuration



FabricPath multicast load-balance

Service Continuity Cisco NX-OS provides a way to control two peers to be partial designated forwarders when both vPC paths are up. When this control is enabled, each peer can be the designated forwarder for multi destination southbound packets for a disjoint set of RBHs/FTAGs (depending on the hardware). The designated forwarder is negotiated on a per-vPC basis.

There are three designated forwarder states for a vPC port: All—If the local vPC leg is up and the peer vPC is not configured or down, the

local switch is the designated forwarder for all RBHs/FTAGs for that vPC. Partial—If the vPC path is up on both sides, each peer is the designated

forwarder for half the RBHs or FTags. For the latter, the vPC port allows only the active FTags on that peer. This mode is used in a FEX with vPC+ topology.

None—If the local vPC path is down or not configured, the local switch does not forward any multi destination packets from this vPC path.

The fabricpath multicast load-balance command is required for configuring vPC+ with FEX ports.




Overload Bit Improve Convergence Time

RFC 3277 based Overload bit is advertised in updates to prevent a corner case when a single switch restarts causing temporary loops or traffic black holing. This feature also prevents neighbors from using a switch as a transit during initial convergence as well as lowering impact insertion or removal of a switch to the FP domain.

Multiple Topologies Design Separation With multiple topologies, we can create up to 16 topologies where a subset of VLANs are mapped to a particular topology; allowing more design possibilities.

Anycast HSRP Increase High-Availability

Provides up to 4 active Default Gateways for the network which lowers the risk of disruption for routed and Inter-VLAN traffic and provides bandwidth capacity at L2/L3 boundaries. The Anycast HSRP feature removes the reliance on vPC+ to provide the Active/Active HSRP feature at the L2/L3 boundary.

fabricpath static routes

Traffic Engineering The static route feature gives users capabilities to enter routes directly in the forwarding tables, ensuring predictable operation of the network.Certain uses cases where users want to override the routes computed by IS-IS. Users might want to route traffic to a particular switch using a particular link, better load balancing or routing traffic through a firewall (policing) in the network.



feature lacpinstall feature-set fabricpathfeature-set fabricpath

vlan 1 – 200 mode fabricpath

interface po2 switchport mode fabricpath

interface e3/1, e4/1 channel-group 2 mode active

interface e5/1, e5/2 switchport mode fabricpath






Step 1 :: install | validate Enhanced L2 LicenseStep 2 :: install FabricPathStep 3 :: enable FabricPathStep 4 :: configure FabricPath VLANsStep 5 :: configure FabricPath core ports

Install license bootflash:///enchanced_layer2_pkg.lic

show license usage

Default / Admin VDC Only

Default / Admin VDC Only










interface e1/3, e1/4 switchport mode fabricpathBeginning with the Cisco NX-OS Release 5.1 and when you

use an F Series modules and NX-OS Release 5.1(3) N1(1) with 5500 you can use the FabricPath feature

FabricPath ConfigurationInitial Baseline (Only 4 Commands !!)


fabricpath switch-id 10

fabricpath domain default root-priority 255



Step 1 :: set the FP Switch-IDStep 2 :: set the FP Root

fabricpath switch-id 100 fabricpath switch-id 101

Root for FTAG 1 Root for FTAG 2

Each peer devices will have a unique global switch ID value – make the FP network more deterministic

Suggested switch ID scheme:SPINE :: 2 digit IDLEAF :: 3 digit IDEmulated Switch (vPC+) :: 4 digit ID

Multi destination Tree 1 (ftag 1) – broadcast, unknown unicast, multicastMulti destination Tree 2 (ftag 2) –multicast

Recommend to use on SPINE switches

Higher Number the better !!

(start at 255 and go backwards)-or-(start at 200 in case you need to introduce another MDT at a later time; ie expanded SPINE x 4)

F2/F2E uses both trees for UU/Bcast/Mcast

F1 uses MDT 2 for Mcast only

SW 10 SW 11

SW 100 SW 101

FabricPath ConfigurationManually Set the FabricPath Switch-ID & Root



spanning-tree pseudo-information vlan 1 – 200 root priority 0



Step 1 :: set FP domain to be root bridge





The entire FabricPath domain will look like one virtual bridge to the CE domain – set best (lowest) STP root priority on the vPC+ peers (recommended at least at the access edge leaf switches); just make sure the priority is lower than anything else in the network (classical Ethernet)

FP will use the same bridge ID c84c.75fa.6000

optional optional

vlan 20, 40

spanning-tree vlan 20, 40 priority 8192

Note that the spanning-tree priority command would also work; however, it would change the priority for the spanning tree regardless of whether the switch were sending regular BPDUs (when Cisco FabricPath is not running) or sending BPDUs with the pseudo-information (when Cisco FabricPath is operational on the switch). In some scenarios, this change can have undesirable side effects.

The root and sender bridge MAC addresses of this pseudo-information are the same on every switch in the Cisco FabricPath domain

All ports at the edge of a Cisco FabricPath network are configured with the equivalent of root guard (don’t need to configure this feature), a feature that would block a port should it receive superior Spanning Tree Protocol BPDUs

FabricPath ConfigurationManually Set the Spanning-Tree :: Single Virtual Root Bridge)


fabricpath domain default spf-interval 50 50 50 lsp-gen-interval 50 50 50

fabricpath timers linkup-delay 60



Step 1 :: tune the IS-IS timers in FabricPathStep 2 :: (optional) tune the FabricPath linkup-delay





To achieve fast convergence during node failures and recovery scenarios, it is recommended to tune the IS-IS timers in Cisco FabricPath. This tuning is particularly important when a switch is inserted in the topology.

This configuration is recommended for all switches in the network

Note: Future enhancements such as Layer 2 IS-IS overload bit support in 6.2 will help to improve unicast and multicast convergence during FabricPath node failure scenarios when default IS-IS timers are used.

Problem Set: The IS-IS adjacency is established and the access-edge started sending traffic to aggregation-edge, but the control plane was not ready to forward the traffic to the next hop. The default spf and lsp-gen intervals are 8sec (default) and it attributes to the long convergence. To address this issue, the default spf and lsp-gen intervals of {max-wait, initial-wait, second-wait} are brought down to 50msec, with this configuration, the aggregation-edge restoration will yield sub-second convergence for Layer 2 traffic

Optional, to provide better network convergence upon a Cisco FabricPath switch restart, you should set a Cisco FabricPath linkup-delay timer to 60

FabricPath ConfigurationTune Timers for Fast Convergence


Step 1 :: enable vPC+Step 2 :: set the emulated switch-idStep 3 :: enable dual-active exclude for vPC SVIs

vPC+ is an extension of vPC for FabricPath. It allows dual-homed connections from Classical Ethernet (CE) switches and hosts capable of port channels. It also provides for active-active HSRP.

The configuration of peer-link and peer-keepalive links are required – as traditional vPC

Enable IP ARP Synchronization of ARP entries between vPC Peers improves convergence for North-South and East-West Layer 3 traffic when one of the vPC+ peers is brought back up

In a vPC environment, the Secondary vPC switch will bring down the SVIs by default when the peer-link is brought down. This behavior is fine in CE environment as the vPC legs are also brought down on the secondary vPC switch. However in the vPC+ environment, the down links to the Access-Edge switches are FabricPath Core ports; in the absence of the vPC+ peer-link, the SVIs can still communicate through the FabricPath core ports.

The vPC dual-active exclude vlan command helps to configure a VLAN list such that the SVI can continue to stay up on the secondary vPC switch even if the vPC+ peer-link is down.

Note: Since FabricPath does not rely on Spanning Tree Protocol, and the vPC+ peer link is a FabricPath Core port, so the peer-switch command is not needed under the vpc domain [x] configuration

SW 1000SW 1000

vPC+

feature vpc

vpc domain 1 role priority 2 peer-keepalive destination [….] source [….] …. ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1000 dual-active exclude interface vlan 20

interface po2 switchport mode fabricpath vpc peer-link

feature vpc

vpc domain 1 role priority 1 peer-keepalive destination [….] source [….] …. ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1000 dual-active exclude interface vlan 20


With vPC+, a FabricPath switch is emulated between the CE and FabricPath domain. All packets originating behind the Emulated Switch will be marked with the source Switch ID of the emulated switch

Assign the same emulated switch ID on both vPC peers; but the emulated switch ID must be unique between different vPC domains

FabricPath ConfigurationEnable vPC+ :: Dual Attachment & Active/Active HSRP


Step 1 :: enable vPC+Step 2 :: set the emulated switch-idStep 3 :: enable dual-active exclude for vPC+ SVIs

interface vlan 20 ip address 20.20.20.5/24 no ip redirect hsrp 20 ip 20.20.20.254

interface vlan 20 ip address 20.20.20.6/24 no ip redirect hsrp 20 ip 20.20.20.254

feature interface-vlanfeature hsrpfeature lacpfeature vpc



------------------------

vpc domain 1 role priority 2 system-priority 4096 peer-keepalive destination [….] source [….] peer-gateway auto-recovery auto-recovery reload-delay delay restore 30 ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1000 dual-active exclude interface vlan 20



feature interface-vlanfeature hsrpfeature lacpfeature vpc



------------------------

vpc domain 1 role priority 1 system-priority 4096 peer-keepalive destination [….] source [….] peer-gateway auto-recovery auto-recovery reload-delay delay restore 30 ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1000 dual-active exclude interface vlan 20



SW 1000SW 1000

vPC+

Note: In a FabricPath vPC+ environment both HSRP peers are actively forwarding, there is no need to configure preemption, different priorities, and fast hello timers.FabricPath Configuration

Enable vPC+ :: Active/Active HSRP @ SPINE (Full Configuration)


Step 1 :: enable vPC+Step 2 :: set the emulated switch-idStep 3 :: add devices redundantly with vPC+

vPC+

vPC 20

SW 1000SW 1000

vPC+

feature lacpfeature vpc



vpc domain 10 role priority 1 peer-keepalive destination [….] source [….] …. ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1001



interface port-channel 20 switchport switchport mode trunk switchport trunk allowed vlan 20 – 40 vpc 20 interface e1/5 channel-group 20 force mode active

feature lacpfeature vpc



vpc domain 10 role priority 2 peer-keepalive destination [….] source [….] …. ip arp synchronize fabricpath multicast load-balance fabricpath switch-id 1001



interface port-channel 20 switchport switchport mode trunk switchport trunk allowed vlan 20 – 40 vpc 20 interface e1/5 channel-group 20 force mode active

SW 1000SW 1001

VLANs carried on vPC+ member ports must be FabricPath mode VLANs

FabricPath ConfigurationEnable vPC+ :: Dual Attachment @ LEAF


Step 1 :: configure the key chainStep 2 :: configure global FabricPath authenticationStep 3 :: configure FabricPath core port authentication

FabricPath provides 2 levels of authentication1. Authentication at the interfaces level2. Authentication at the global level

The Key chain is used in both forms of authentication

Supported combinations:

interface port-channel2 switchport mode fabricpath fabricpath isis authentication-type md5 fabricpath isis authentication key-chain FP-KEYS

fabricpath domain default authentication-type md5 authentication key-chain FP-KEYS

key chain FP-KEYS key 0 key-string Cisc0! accept-lifetime 00:00:00 Sep 1 2012 infinite send-lifetime 00:00:00 Sep 1 2012 infinite

interface port-channel2 switchport mode fabricpath fabricpath isis authentication-type md5 fabricpath isis authentication key-chain FP-KEYS

fabricpath domain default authentication-type md5 authentication key-chain FP-KEYS

key chain FP-KEYS key 0 key-string Cisc0! accept-lifetime 00:00:00 Sep 1 2012 infinite send-lifetime 00:00:00 Sep 1 2012 infinite

global level authentication ::authenticates and controls the FP LSPs and PSNPsinterfaces level authentication ::authenticates the HELLO; the FP ISIS adjacency

You can configure the accept lifetime and send lifetime for a key. By default, accept and send lifetimes for a key are infinite, which means that the key is always valid.

accept-lifetime [local] start-time duration duration-value | infinite | end-time]send-lifetime [local] start-time duration duration-value | infinite | end-time]

FabricPath ConfigurationFabricPath Authentication


Step 1 :: enable required features Step 2 :: configure SVIStep 3 :: configure hsrpStep 4 :: configure anycast bundle Step 5 :: associate anycast switch idStep 6 :: associate a set vlansStep 7 :: designate active HSRP router

feature-set fabricpathfeature interface-vlanfeature hsrp





hsrp anycast 100 ipv4 switch-id 1000 vlan 20

interface vlan20 ip address 20.20.20.3/24 ip router ospf 1 area 0.0.0.0 ip ospf passive-interface no ip redirect hsrp version 2 hsrp 100 ip 20.20.20.1







hsrp anycast 100 ipv4 switch-id 1000 vlan 20 priority 110



FabricPath ConfigurationAnyCast HSRP

You don’t need to enable vPC+ to achieve active/active HSRPNo vPC domain configuration required No peer-link required

The FabricPath feature-set has to be enabled before configuring HSRP anycast 4 gateways are supported in an HSRP Anycast bundle for a common VLAN HSRPv2 is required (IPv4/IPv6 address-families supported) An Anycast bundle can reference multiple VLANs

Downstream switches use the virtual FP-ID to equal cost route traffic destined to all HSRP anycast devices; the active HSRP router advertises the anycast switch ID as the source switch ID in FabricPath IS-IS

All Leaf devices need to support and be aware of the Anycast functionalityNexus 7000 :: NX-OS 6.2(2) and later releasesNexus 5500 & 6000 :: NX-OS 6.0(2)N2(1) and later releases

Nexus 5500 & 6000 can support Anycast HSRP Gateway functionality in 6.0(2)N3(1) and later releases

NX-OS 6.2(2)

HSRP CP

HSRP DP HSRP DP

HSRPCP :: Control PlaneDP :: Data Plane

Active

ActiveSW 10 SW 11

Virtual FP-ID 1000

SW 100 SW 101


SPINE 7k-4SPINE 7k-3SPINE 7k-2SPINE 7k-1

Common Configuration



hsrp anycast 100 ipv4 switch-id 1000 vlan 20, 100-120 priority 110


FabricPath ConfigurationAnyCast HSRP :: 4 SPINE

NX-OS 6.2(2)

HSRP CP

HSRP DP HSRP DP

HSRPCP :: Control PlaneDP :: Data Plane

SW 10

Virtual FP-ID 1000

SW 100 SW 101

HSRP DP HSRP DP

SW 11 SW 12 SW 13







hsrp anycast 100 ipv4 switch-id 1000 vlan 20, 100-120










Anycast HSRP Capable:: A FP switch can work as an Anycast HSRP Router / GatewayAnycast HSRP Aware:: Same as "Anycast HSRP Leaf". Can send traffic to multiple Anycast HSRP capable switchesCan recognize Anycast TLV sent from Anycast HSRP capable switches N7K is Anycast HSRP Capable & Aware :: 6.2(2)N6K/N5K is Anycast HSRP Aware :: 6.0(2)N2(1)-----------------N6K/N5K is Anycast HSRP Capable & Aware :: 6.0(2)N3(1)


SPINE 7k-4SPINE 7k-3SPINE 7k-2SPINE 7k-1




fabricpath domain default set-overload-bit on-startup [sec] vlan pruning enabled

FabricPath ConfigurationOptional :: Overload Bit & VLAN Pruning

NX-OS 6.2(2)

SW 10

Virtual FP-ID 1000

SW 100 SW 101

SW 11 SW 12 SW 13














Overload bit :: You can configure the overload bit for FabricPath IS-IS. You achieve consistent routing behavior in conditions where a node reboots or gets overloaded. always—The overload bit is always on; out of service. on-startup—The overload bit is set upon system startup and remains set for the specified number of seconds.

VLAN pruning :: The switch will only attract data traffic for the VLANs that have active Classic Ethernet (CE) ports on an F1 Series module, F2 Series module, or switch virtual interfaces (SVIs) for those VLANs. Optional command and is only mentioned for informational purposes only; use appropriately.


SPINE 7k-1




interface e5/3 switchport mode fabricpath

fabricpath route switch-id 100 e5/3

------------------------

fabricpath topology 1 fabricpath route switch-id 100 e5/4

FabricPath ConfigurationFabricPath Static Routes :: Traffic Engineering

NX-OS 6.2(2)

SW 10

Virtual FP-ID 1000

SW 100 SW 101

SW 11 SW 12 SW 13




FabricPath uses Layer 2 Integrated Intermediate System-to-System (IS-IS) as a link state protocol to compute unicast topologies. You can configure unicast static routes in the forwarding tables to ensure a predictable operation of the network or to override the routes computed by dynamic protocols such as IS-IS in FabricPath. For example, you might want to route traffic to a particular device using a specific link to ensure better load balancing or to route traffic through a firewall in the network.


SPINE 7k-2SPINE 7k-1


vlan 10 – 20, 50 – 60, 100 – 200 mode fabricpath


fabricpath domain default topology 1 root-priority 255 topology 2 root-primary 255

fabricpath topology 1 member vlan 10 – 20


interface e5/1, e5/2switchport mode fabricpath

interface e6/1 fabricpath topology-member 1 switchport mode fabricpath


FabricPath ConfigurationMultiple Topologies

SW 10

Virtual FP-ID 1100

SW 100 SW 102

SW 11 SW 12 SW 13feature-set fabricpathfeature interface-vlanfeature hsrp

vlan 10 – 20, 50 – 60, 100 – 200 mode fabricpath


fabricpath domain default topology 1 root-priority 254 topology 2 root-primary 254






The FabricPath domain can now consist of multiple logical topologies. By default all VLANs belong to Topology 0, which consisted of a single pair of multi-destination trees. Now with NX-OS 6.2(2) a total of 16 FabricPath topologies can be configured and assigned to a FabricPath domain; allowing VLANs to be assigned to different topologies.

All VLANs by default belong to topology 0 (VLANs anywhere)

A VLAN can only belong to a one topology All interfaces by default belong to topology 0 An interface can belong to multiple topologies

Virtual FP-ID 1101

SW 101

SW 1 SW 2

Virtual FP-ID 1000

SPINE 7k-5





interface e5/1, e5/2, e5/3, e5/4switchport mode fabricpath

SPINE 7k-6





interface e5/1, e5/2, e5/3, e5/4switchport mode fabricpath

NX-OS 6.2(2)


SPINE 7k-4SPINE 7k-3


vlan 80 – 90, 100 – 200 mode fabricpath


fabricpath domain default topology 1 root-priority 255




FabricPath ConfigurationMultiple Topologies

SW 10

Virtual FP-ID 1100

SW 102

SW 11 SW 12 SW 13feature-set fabricpathfeature interface-vlanfeature hsrp



fabricpath domain default topology 1 root-priority 254 fabricpath topology 1 member vlan 80 – 90



The FabricPath domain can now consist of multiple logical topologies. By default all VLANs belong to Topology 0, which consisted of a single pair of multi-destination trees. Now with NX-OS 6.2(2) a total of 16 FabricPath topologies can be configured and assigned to a FabricPath domain; allowing VLANs to be assigned to different topologies.

All VLANs by default belong to topology 0 (VLANs anywhere)

A VLAN can only belong to a one topology All interfaces by default belong to topology 0 An interface can belong to multiple topologies

Virtual FP-ID 1101

SW 101

SW 1 SW 2

Virtual FP-ID 1000

LEAF 5k-3

feature-set fabricpath




interface e1/3, e1/4 fabricpath topology 1 switchport mode fabricpath

spanning-tree pseudo-information vlan 80 – 90, 100 – 200 root priority 0

NX-OS 6.2(2)

SW 100

Be aware of the FabricPath topology scaling limits across the different NX-OS versions on the Nexus 5000 & 6000 switching platforms.


VPC Configuration

e1/1-2

e3/1-2

e2/1-2

e1/3 e2/3

VPC

e2/5e1/5

interface e2/5 ip address 192.168.1.2/24 vrf membership vpc-keepalivevpc domain 1 peer-keepalive destination 192.168.1.1 source 192.168.1.2 vrf vpc-keepaliveinterface port-channel 1000 switchport mode trunk vpc peer-linkinterface e2/1-2 switchport mode trunk channel-group 1000 mode activeinterface e2/3 switchport mode trunk channel-group 1 mode activeinterface port-channel1 vpc 1

interface e1/5 ip address 192.168.1.1/24 vrf membership vpc-keepalivevpc domain 1 peer-keepalive destination 192.168.1.2 source 192.168.1.1 vrf vpc-keepaliveinterface port-channel 1000 switchport mode trunk vpc peer-linkinterface e1/1-2 switchport mode trunk channel-group 1000 mode activeinterface e1/3 switchport mode trunk channel-group 1 mode activeinterface port-channel1 vpc 1

interface e3/1-2 switchport mode trunk channel-group 1 mode passive

FabricPath Configuration

FabricPath

e1/1-2

e3/1-2

e2/1-2

e1/3 e2/3

interface e3/1-2 switchport mode fabricpath



vPC FabricPath + vPC+

AdvantagesActive/active path at L2Active/active for HSRPWorks with all LC

AdvantagesActive/active path at L2Active/active for HSRPEase of configurationNo more STPExtensibility

DrawbacksNeed dedicated infrastructure (PL, PKL)Configuration on both peer devicesConsistency check to care aboutSTP still here (but runs as fail safe mechanism)

DrawbacksNeed dedicated infrastructure (PL, PKL)Need F1 (+M1) or F2

FabricPath ConfigurationFabricPath is Easy & Simple !!


Common Design Migration Starting Point 7k – Aggregation5k/2k – Access PodsDual Layer vPCMix F1 / M1 line cards

After Migration Completion 7k – SPINE role 5k – LEAF rolevPC converted to FabricPath core portsPeer-Link also FP core port = vPC+ (only F1/F2 support FabricPath)

Additional Reading Here :: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-709336.html

vPC to FabricPath Migration

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-709336.html




• FabricPath VLANs must be configured on all switches in the FP domain

• It is recommended to configure the switch ID manually on all FabricPath switches

• For Active-Active HSRP capability, it is recommended to configure vPC+ on the Aggregation-Edge switches even if there are no vPC legs. Note: subject to vPC rules; so no dynamic routing over vPC to firewalls, Core layer, WAN edge

• The Nexus 6000 will supports a routing protocol over vPC+ with the 6.0(2)N2(1) release

• Implement Layer 3 routing backup pathSeparate L3 port channel; point-to-point linksSeparate L2 port channel; use dedicated VLAN in Classical Ethernet (CE) mode as transit VLAN inside this L2 trunk

• Disable IP redirects on SVIs and configure passive interface to avoid any routing adjacency over SVIs

• ARP sync feature with vPC+ is recommended for improved traffic convergence during Aggregation-Edge failure and restoration

• It is recommended to configure highest and second highest MDT root priority on the Aggregation-Edge switches

• Have option of choosing single links or port-channels between Aggregation-Edge and Access-Edge for ECMP. If port channels are used, configuring IS-IS metric is preferred. With path costing, member link failure is transparent to IS-IS protocol so that the traffic would continue to use the same path

FabricPath ConfigurationStrong Recommendations and Key Notes


• It is recommended to have lowest path cost for the links between Aggregation devices so the multicast hello packets always take the peer-link which is direct link between the AGG devices

• It is recommended to tune Layer 2 IS-IS SPF and LSP generation timers to achieve better convergence during failure and restoration scenarios. These timers should be tuned to 50 msec with 50msec initial wait and second wait. This is a requirement until the overload bit support is available with Layer 2 IS-IS

• Use default reference BW (its 400 Gbps default) fabricpath domain default

reference-bandwidth ?

• IS-IS metric cost (1Gb = cost 400, 10Gb = cost 40, 20Gb = cost 20)

• IS-IS link metric for port-channel depends on NX-OS versionUp to NX-OS 6.0: IS-IS metric for port-channel is calculated based on number of configured member ports; meaning you may need to use LACP min-link feature to tear down port-channel if number of active member ports goes below a specific limit

Since NX-OS 6.1: IS-IS metric for port-channel is calculated based on number of active ports

• Dual-active exclude VLAN configuration is recommended so that the SVIs can continue to be active on the secondary vPC+ peer in the event of peer-link failure. This also helps to stay with default HSRP timers there by reducing control plane load associated with aggressive HSRP timers

• Do not use dual-active exclude command for VLANs if you have vPC attached devices, for example at the access (leaf)



• In typical vPC deployments it is not necessary to tune the HSRP hello timers from the defaults (3/10s). In a Classic Ethernet environment, in which in a single VLAN only one HSRP gateway can be active at a time, fast failover between the remaining peers is essential. Typically, fast hello timers and preemption is configured to enforce the required behavior. But in a Cisco FabricPath vPC+ environment, both HSRP peers are actively forwarding, fast hello timers and preemption is no longer required, and configurations can be left at their defaults.

• In CE-FabricPath hybrid networks, it is recommended to configure the lowest Spanning-tree root priority on all FabricPath Edge switches

• The MAC timer should be consistent on all devices in the Layer 2 topology. The MAC and ARP aging timers can be left at defaults, 1800sec & 1500sec respectively

• The M1/F1 mixed VDC currently supports up to 16K MAC/ARP entries. This limitation will be lifted with the Layer 2 proxy learning feature in the upcoming NX-OS release

• The M1, M1-XL, M2 & F2E in a mixed VDC topology; meaning when F2E is placed in a chassis with M-series it will operate in Layer 2 mode only leveraging the M for Layer 3 (proxy L3 forwarding); this will enable 128K MAC/ARP scale.

• If an ASA cluster is attached to the Nexus 7000 series Aggregation-edge switches, source-dest-ip or src-dst ip-l4port is the recommended load balance algorithm if the ASA cluster is in single context mode or if the VLANs are fewer in multi-context mode. This is to prevent traffic polarization on links towards ASA cluster member



• Better use port-channel instead of individual links for the 2 following reasonsDecrease the number of direct IS-IS adjacency (1 for the whole port-channel instead of X IS-IS adjacencies if X individual links are used between the 2 switches)

Allows to use the whole port-channel capacity for multidestination tree #1 or #2 (if multiple parallel individual links exist between 2 switches, only 1 link will be selected for tree #1 and potentially 1 another link for tree #2)

• ECMP vs. Port ChannelCan use ECMP, port-channel, or both simultaneously

Port-channels have one main advantage over ECMP – treated as single logical link in FabricPath IS-IS. Individual link failure invisible to upper layer protocols. Also allows more bandwidth for branches of Multidestination trees

With 4 member port channel, whole interface becomes single branch of tree with 40G BWWith 4 parallel ECMP paths, only one of the 4 interfaces becomes part of the tree

ECMP with port-channel : 2 levels of load-balancing decision :First level : FP Core Link selection (based on L3/L4 fields by default)Second level : Port-Channel member selection (based on src-dst ip by default)



• Do not use UDLD with FabricPathUDLD (normal or aggressive) does not bring any benefits on single physical link and port channels with FP enabled (for port channel, activate LACP instead of relying on UDLD to detect member port issues)Physical link level protection and the bi-directional IS-IS hellos should take care of all (or near all) potentially link level issue

• HSRP preemption does not add any value but may hurt at large VLAN scale, when you need to maintain HSRP adjacency for each of the VLANs. Control plane will just be burning cycles with no efficient and positive impact on data path. Consider not using HSRP preemption in the FabricPath design.

• FabricPath and Jumbo MTU Interoperability with N5k/N6k and N7k; its recommended to disable ISIS hello padding on N7k with the “no fabricpath isis hello-padding always” command when jumbo MTU is enabled



Step 1 :: Enable FabricPath on desired interfacesStep 2 :: L2 IS-IS hello are sent out on all FabricPath PortsStep 3 :: Establish L2 IS-IS AdjacencyStep 4 :: Send L2 IS-IS updates to exchange local link-statesStep 5 :: All FabricPath switches calculate unicast paths to all other switches in

the L2 fabric and create the ‘FabricPath Routing Table’ based on the results

FabricPath Routing Table on S10

Switch IF

S10 -

S11 L1,L3,L5

S100 L1

S101 L3

S140 L5


Switch IF

S10 L1

S11 L2

S100 -

S101 L1,L2

S140 L1,L2


Switch IF

S10 L2,L4,L6

S11 -

S100 L2

S101 L4

S140 L6


Switch IF

S10 L5

S11 L6

S100 L5,L6

S101 L5,L6

S140 -

Forwarding path selection based on destination Switch-ID Switch Table basically contains (Switch-ID, Output Interface) Up to 16 ‘Next-Hop’ Interfaces (ECMP) per Switch-ID

FabricPath ConfigurationBuilding FabricPath Routing Tables :: Control Plane Operation


Step 1 :: Host A communicates to Host B for the first time – Sends ARP request to BStep 2 :: S100 adds A into MAC table as the result of new source learning on CE portStep 3 :: Since destination MAC is all ‘F’; S100 floods this frame out all CE ports

[Learn MACs of directly-connected devices unconditionally]Step 4 :: Meanwhile, S100 selects ‘Tree 1’, marks this in the FabricPath header and floods this frame out all FabricPath ports (L1, L2) that are part of Tree 1Step 5 :: S10 floods this frame further, out (L3, L5) based on local info about Tree 1Step 6 :: S101 and S140 remove the FabricPath header and flood the frame out all local CE ports.

DMAC→FF

SMAC→A

Payload

FabricPath MAC Table on S100

Switch IF

Multidestination Trees on S100

Tree IF

1 L1,L2

2 L2


Switch IF

DMAC→FF

SMAC→A

Payload


Tree IF

1 L5

2 L5,L6

DMAC→FF

SMAC→A

Payload

DSID→FFFtag→1

SSID→100

decap

Root for Tree 1 Root for Tree 2

Switch IF

A e1/1 (local)

Broadcast


Tree IF

1 L1,L3,L5

2 L5

DMAC→FF

SMAC→A

Payload

DSID→FFFtag→1

SSID→100

encap

ftag

ftag

Don’t Learn Remote MAC since DMAC is unknown / is a

Flooded Frame

FTAG/tree 2 handles multicast only

FTAG/tree 1 handles unknown unicast,

broadcast and some multicast

FabricPath ConfigurationFabricPath Forwarding :: Broadcast (ARP Request)


Step 1 :: Host B sends ARP Reply back to Host AStep 2 :: S140 adds B into the MAC Table from source learning on CE portStep 3 :: Since A is unknown, S140 floods the frame out all CE portsStep 4 :: Meanwhile, S140 selects Tree 1, marks this in the FabricPath header and floods this frame out all FabricPath ports (L5) that are part of Tree 1Step 5 :: S10 floods this frame further (L1, L3) along Tree 1Step 6 :: S100 floods this frame further (L2) along Tree 1. Also, upon removing the FabricPath header, S100 finds host A was learned locally. Therefore adds B to the MAC Table as remote, associated with S140

DMAC→A

SMAC→B

Payload



Tree IF

1 L1,L2

2 L2


Switch IF

DMAC→A

SMAC→B

Payload


Tree IF

1 L5

2 L5,L6

DMAC→A

SMAC→B

Payload

DSID→MC1Ftag→1

SSID→140

encap

Root for Tree 1 Root for Tree 2

Switch IF

A e1/1 (local)

ftag


Tree IF

1 L1,L3,L5

2 L5

DMAC→A

SMAC→B

Payload

DSID→MC1Ftag→1

SSID→140

decap

ftag

Unknown

FTAG/tree 2 handles multicast only

FTAG/tree 1 handles unknown unicast,

broadcast and some multicast

Switch IF

B e2/2 (local)

A

MAC A is Unknown

Switch IF

A e1/1 (local)

BS140

(remote)

If DMAC is Known then Learn Remote MAC

FabricPath ConfigurationFabricPath Forwarding :: Unknown Unicast (ARP Reply)


Step 1 :: Host A starts sending traffic to Host B after ARP resolutionStep 2 :: S100 finds B was learned as remote; associated with S140, encap all subsequent frames to B with S140 as destination in FP headerStep 3 :: S100 Routing Table indicates multiple paths to S140; runs ECMP hash and this time S100 selects L2 as next-hopStep 4 :: Routing Table lookup at S11 indicates L6 as next hop for S140Step 5 :: S140 finds itself as destination in FabricPath header and B is also known locally; decaps FP header, adds A as remote & associates with S100


Switch IF

S10 L2,L4,L6

S11 -

S100 L2

S101 L4

S140 L6

Hash L1,L2

DMAC→B

SMAC→A

Payload


Switch IF

A e1/1 (local)

BS140

(remote)


Switch IF

S10 L1

S11 L2

S100 -

S101 L1,L2

S140 L1,L2


Switch IF

B e2/2 (local)

DMAC→B

SMAC→A

Payload


Switch IF

S10 L5

S11 L6

S100 L5,L6

S101 L5,L6

S140 -

DMAC→B

SMAC→A

Payload

DSID→140Ftag→1

SSID→100

encap

DMAC→B

SMAC→A

Payload

DSID→140Ftag→1

SSID→100

decap

Destination Switch ID is used to make routing decisions through the FabricPath core & no MAC

learning or lookups required inside the FP core

Switch IF

AS100

(remote)

B e2/2 (local)

FabricPath ConfigurationFabricPath Forwarding :: Known Unicast (Data)


Loop prevention and mitigation is available in the data plane, helping ensure safe forwarding unmatched by any transparent bridging technology. Cisco FabricPath frames include a time-to-live (TTL) field similar to the one used in IP, and an applied reverse-path forwarding (RPF) check for multicast based on ‘Tree’ information

TTL=3

TTL=2 TTL=1

TTL=0

When the frame is originally encapsulated, the system sets the TTL to 32; on each hop through the FabricPath network, each switch decrements the TTL by 1. If the TTL reaches 0, that frame is discarded. This feature prevents the continuation of any loops that may form in the network.

FabricPath ConfigurationFabricPath Loop Mitigation


Interop F2 & F2E VDC

With NX-OS 6.1 and Prior Releases ::

• Always use identical line cards on either side of the vPC+ Peer Link, vPC member ports, and FabricPath core member ports (legs to downstream device)

• The F1-series line cards can mix with M-series line cards• The F2-series line cards have to be in their own VDC; VDC type [F2] meaning

they can’t mix with F1 or the M-series in the same VDC

FabricPath ConfigurationMixed Chassis Mode :: Supported Topologies


Starting in NX-OS 6.2 and Later Releases ::

• VDC type [F2, F2E, F2 F2E] must match between the 2 vPC+ peer devices when F2 & F2E are used in same VDC; meaning its ok to have F2 on vPC peer device 1 and F2E on vPC peer device 2 for the vPC Peer Link, vPC member ports, or FabricPath core member ports

• Note: in a F2 & F2E type of design; only features related to F2 apply (lowest common denominator)

• Always use identical line cards on either side of the vPC Peer Link, vPC member ports, and FabricPath core member ports when M1, M1-XL, M2 & F2E in same VDC [M-F2E] or system

• When F2E is placed in a chassis with M-series it will operate in Layer 2 mode only leveraging the M for Layer 3 (proxy L3 forwarding); this will provide 128K MAC scale

FabricPath ConfigurationMixed Chassis Mode :: Supported Topologies


FabricPath vs. TRILL


External (public)

Cisco FabricPath Best Practiceshttp://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c07-728188.pdf Scale Data Centers with Cisco FabricPathhttp://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-605488.html Cisco FabricPath for Cisco Nexus 7000 Series Switcheshttp://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c11-687554.html

Nexus 7000/6000/5000 Configuration Guideshttp://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.htmlhttp://www.cisco.com/en/US/products/ps9670/products_installation_and_configuration_guides_list.html http://www.cisco.com/en/US/partner/products/ps12806/products_installation_and_configuration_guides_list.html

FabricPath Scaling limits http://www.cisco.com/en/US/docs/switches/datacenter/sw/verified_scalability/b_Cisco_Nexus_7000_Series_NX-OS_Verified_Scalability_Guide.html#reference_3AD0536C32FF4B499A0936409729951D http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/configuration_limits/b_N5500_Config_Limits_602N11_chapter_01.html

FabricPath ConfigurationAdditional Resources & Further Reading

Great External Resources

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c07-728188.pdf

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/white_paper_c07-728188.pdf




http://www.cisco.com/en/US/products/ps9402/products_installation_and_configuration_guides_list.html




http://www.cisco.com/en/US/partner/products/ps12806/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/partner/products/ps12806/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/docs/switches/datacenter/sw/verified_scalability/b_Cisco_Nexus_7000_Series_NX-OS_Verified_Scalability_Guide.html#reference_3AD0536C32FF4B499A0936409729951D




http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/configuration_limits/b_N5500_Config_Limits_602N11_chapter_01.html




Quick Start Guide :: Virtual Port Channel (vPC)https://communities.cisco.com/docs/DOC-35728

FabricPath ConfigurationAdditional Resources & Further Reading

https://communities.cisco.com/docs/DOC-35728

https://communities.cisco.com/docs/DOC-35728


© 2013 Cisco and/or its affiliates. All rights reserved. 1 Architecture & Solutions Group US Public Sector Advanced Services Mark Stinnette, CCIE Data.

Documents

fabricpath fabricpath

fabricpath deployment

services fabricpath

fabricpath terminology

fabricpath encapsulation

cisco andor

pure fabricpath spine

topology slide