Hoping this is the right place for this, if not, apologies. This might be a long one, but as a first post here, I'm trying to follow the rules and provide as much detail as is relevant/possible.
I'm not an incredibly experienced network admin, but was recently tasked with replacing our infrastructures core switch (A single WS-C3750X-24 ) with two 93180YC-FXs in a VPC configuration.
I was only assigned to this after the hardware had already been decided on and purchased and have since been communicating with the team that sold us the equipment in an attempt to make this work.
The intention was to have a redundant connection between this VPC domain and two Meraki MX400's (in HA using VRRP/Warm Standby/Active/Passive/Whatnot) acting as an gateway to our ISP - however I found that the Mx400's do not support LACP, which killed that idea shortly after. (LACP being a requirement to participate in connecting to a VPC as a member port, to my understanding.)
In an attempt to salvage the redundancy, it was suggested by our partner that we rely on spanning tree to properly block a portion of the connections between all four devices, with each uplink being an orphan port in the VPC.
It was discovered shortly after this that the MX400s do not actively participate in spanning tree - not having a lot of experience in this level of networking, it appears that they pass BPDUs but do not participate in the election process? (I'm sure this is incorrect to some level, but having trouble determining details.)
At this point, we decided to move forward with the replacement, but to only provide a single Nexus 9k with an uplink to the two MX400s at this time. This was an attempt to see if spanning tree from the switch could properly deal with the potential loop Between MXA, MXB, and 9kA.
This is where things got a bit odd.
I could see PVST+/RST frames coming across the LAN 2 port on the MX400-A and B, but both ports on the Nexus 9k were still listed as BKN* under a "show spanning-tree".
So we trimmed everything back to just a single link between the MX400-A and the Nexus 9300-A.
At this point, connectivity was still not up and the same spanning tree frames were showing up in a packet capture off of the MX400's LAN port and the Nexus 9k port still shown as broken.
During all of this, the VPC keep-alive and peer links were up and functioning, but not applied. (Just noting in case it's relevant)
"spanning-tree vlan [vlan-ids] root primary" was used to try and ensure that the switch was set as the root bridge.
Since this was my first attempt working with an NX-OS device, I'm sure it's something in the STP options on the 9300 that I'm missing, but I'm having trouble narrowing down what to do with these switches to make this uplink possible.
Copying some portions of the config below -
interface Ethernet1/47
description **Datacenter MX A**
switchport mode trunk
spanning-tree port type normal
no shutdown
interface Ethernet1/48
description **Datacenter MX B**
switchport mode trunk
spanning-tree port type normal
no shutdown
Core_9300_A# show spanning-tree summary
Switch is in rapid-pvst mode
L2 Gateway STP is disabled
Port Type Default is network
Edge Port [PortFast] BPDU Guard Default is disabled
Edge Port [PortFast] BPDU Filter Default is disabled
Bridge Assurance is enabled
Loopguard Default is disabled
Pathcost method used is short
STP-Lite is disabled
At the moment everything has been rolled back to the 3750, so I'm unable to gather live information for troubleshooting any further.
Are there any other portions of the nx-os config that may help with troubleshooting before attempting another migration?
If anyone can offer any assistance or insight into this on either the Meraki MX or Nexus side it would be greatly appreciated.
Thanks
No comments:
Post a Comment