Cisco Nexus VPC Peer Link – Does it Carry Unicast Traffic?

Tags: cisco, cisco-nexus, port-channel, switch, vpc

I read in the documentation that the vPC peer link only carries multicast/broadcast traffic under normal circumstances:

The vPC peer link carries control traffic between two vPC switches and also multicast, broadcast data traffic. 

If I have a primary FW connected to peer switch A as shown below, can a workstation/server connected to peer switch B reach the primary FW through the peer link?

[topology diagram]

If not, how can the workstation reach the primary FW then?

If there is an additional switch which is connected by vPC, will the traffic from the workstation to the primary F5/firewall go through the peer link or down the vPC and up again (as shown below)?

How does the Nexus switch choose which path to use (the red or blue path)?

[topology diagram]

Best Answer

The Nexus switch will use the vPC link as a normal layer 2 trunk if it's the only way to get the traffic to the destination. Cisco has made the Nexus with the intent to prevent bridge forwarding looping and duplicate packets, to make Layer 2 work correctly without needing Spanning Tree Protocol (STP) to do so.

The exception is, if the end hosts are individually connected to either one of the Nexus switches without any redundancy. In your case, if the primary firewall is only connected to one of the Nexus switches, then it will utilize the vPC link to carry traffic to it.

vPC technology provides sharing of: Control plane, configuration and consistency check, vPC advertisements, Spanning-tree, HSRP, IGMP and MAC address tables. All this information is encapsulated in standard Ethernet frames and only sent out on the vPC link. All frames are tagged CoS = 4 for reliable communication.

Good read: https://www.netcraftsmen.com/how-vpc-works/

Cisco official vPC design guide document for all Nexus switches: https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
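To make the forwarding behaviour described in the answer concrete, here is an added Python model; it is not code from the question, the answer or Cisco, and the switch names, port names, MAC addresses and topology are constructed for the example. It encodes the standard vPC unicast rules: a frame that can leave on the switch's own vPC member port goes straight down that member (the "down the vPC" path, peer link untouched); a host that is single-attached to the peer switch (an orphan port, like the primary firewall in the question) is reached over the peer link; and the loop-avoidance rule that a frame received over the peer link is not forwarded out a vPC member port unless the sending switch's own member of that vPC is down. The last case is what lets the peer link become the path when a local vPC member fails.

```python
# Added example: a small model of vPC unicast forwarding (constructed topology, not Cisco code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    name: str
    kind: str                     # "vpc" (vPC member), "orphan" (single-attached host) or "peer" (peer link)
    vpc_id: Optional[int] = None  # only meaningful for kind == "vpc"
    up: bool = True


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # destination MAC -> local egress port name
    peer: Optional["Switch"] = None

    def port(self, name: str) -> Port:
        return self.ports[name]

    def peer_link(self) -> Port:
        return next(p for p in self.ports.values() if p.kind == "peer")

    def vpc_member(self, vpc_id: int) -> Optional[Port]:
        return next((p for p in self.ports.values() if p.kind == "vpc" and p.vpc_id == vpc_id), None)


class Dropped(Exception):
    """Raised when the vPC loop-avoidance rule discards the frame."""


def forward(sw: Switch, dst_mac: str, ingress: Port,
            hops: Optional[List[Tuple[str, str]]] = None) -> List[Tuple[str, str]]:
    """Return the (switch, egress port) hops a known-unicast frame takes starting at `sw`."""
    hops = [] if hops is None else hops
    egress = sw.port(sw.mac_table[dst_mac])          # unknown MACs would be flooded; not modelled here
    from_peer_link = ingress.kind == "peer"

    if egress.kind == "orphan":
        hops.append((sw.name, egress.name))          # single-attached host on this very switch
        return hops
    if egress.kind == "peer":
        return _cross_peer_link(sw, dst_mac, hops)   # host is orphaned behind the peer switch
    # egress is a local vPC member port
    if egress.up and not from_peer_link:
        hops.append((sw.name, egress.name))          # preferred path: straight down the local member
        return hops
    if not egress.up:
        return _cross_peer_link(sw, dst_mac, hops)   # local member failed: let the peer deliver it
    # Frame arrived over the peer link and would leave on a vPC member:
    # allowed only when the sender's own member of that vPC is down (loop/duplicate avoidance).
    senders_member = sw.peer.vpc_member(egress.vpc_id)
    if senders_member is not None and not senders_member.up:
        hops.append((sw.name, egress.name))
        return hops
    raise Dropped(f"{sw.name}: peer-link frame not forwarded out vPC {egress.vpc_id}")


def _cross_peer_link(sw: Switch, dst_mac: str, hops: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    hops.append((sw.name, sw.peer_link().name))
    return forward(sw.peer, dst_mac, sw.peer.peer_link(), hops)


WS = "0000.1111.0001"   # workstation behind the vPC-attached access switch (constructed MAC)
FW = "0000.2222.0001"   # primary firewall, single-attached to NexusA only (constructed MAC)
F5 = "0000.3333.0001"   # F5, dual-attached over vPC 20 (constructed MAC)


def build_topology() -> Tuple[Switch, Switch]:
    a, b = Switch("NexusA"), Switch("NexusB")
    a.peer, b.peer = b, a
    for sw in (a, b):
        sw.ports["Po1"] = Port("Po1", "peer")              # vPC peer link
        sw.ports["Po10"] = Port("Po10", "vpc", vpc_id=10)  # downstream access switch with the workstation
        sw.ports["Po20"] = Port("Po20", "vpc", vpc_id=20)  # dual-attached F5
    a.ports["Eth1/5"] = Port("Eth1/5", "orphan")           # primary firewall, NexusA only
    # MAC tables as vPC synchronises them: NexusB learns the orphaned firewall via the peer link.
    a.mac_table = {WS: "Po10", FW: "Eth1/5", F5: "Po20"}
    b.mac_table = {WS: "Po10", FW: "Po1", F5: "Po20"}
    return a, b


def scenarios() -> Dict[str, object]:
    """The question's paths, worked through on a fresh topology; results are plain data."""
    a, b = build_topology()
    out: Dict[str, object] = {}
    # 1. Workstation (arriving on NexusB's vPC 10) to the orphaned firewall: must use the peer link.
    out["ws_to_orphan_fw"] = forward(b, FW, b.port("Po10"))
    # 2. Workstation to the dual-attached F5: NexusB goes down its own member, peer link untouched.
    out["ws_to_vpc_f5"] = forward(b, F5, b.port("Po10"))
    # 3. Loop avoidance: the same frame arriving on NexusA over the peer link is dropped, not sent to F5.
    try:
        forward(a, F5, a.port("Po1"))
        out["peer_link_to_vpc"] = "forwarded"
    except Dropped:
        out["peer_link_to_vpc"] = "dropped"
    # 4. NexusB's member of vPC 20 fails: the peer link is used and NexusA is now allowed to forward.
    b.port("Po20").up = False
    out["ws_to_f5_member_down"] = forward(b, F5, b.port("Po10"))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Scenario 2 is the blue path in the question (down the local vPC member, peer link never used); scenario 1 is the only normal-operation case where unicast rides the peer link, because the firewall has no port on NexusB at all. Scenario 3 is why that does not create duplicates: a frame that already went out NexusB's member of vPC 20 is discarded by NexusA if it also shows up over the peer link, and scenario 4 shows the one exception the rule allows.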