OSPF over vPC on Nexus7k

Tags: ieee-802.1ax, loop, multicast, ospf, vpc

I'm trying to help a friend with some Nexus issues.

The topology is like this:

Cat 3750 stack -> vPC -> 2x N7k -> LACP -> Fortigate firewall cluster

The 3750 stack is running OSPF to both the Nexuses. The adjacencies are up. From what I have read this is not a supported design. Loop prevention would drop packets that come in on one Nexus but are destined for the other and then go across the peer link. If this traffic exits another vPC it will be blocked due to the loop prevention mechanism.

In this case though the firewalls (cluster) are not connected via vPC. Will loop prevention still kick in?

Also I'm surprised that the OSPF adjacencies are up and seem to be working. All routes are present but there are still reachability issues. Some OSPF packets would probably come in over the peer link. I can see how this could be an issue for the unicast packets that need to cross the peer link and then exit a vPC back to the stack, which would not be allowed.

How will the multicast be treated? I guess that should be received correctly?

So I guess they should maybe turn up new interfaces that are routed instead. Or would it be possible to run SVI which is point-to-point between each Nexus and the stack?

Best Answer

As the firewalls aren't part of a vPC they won't be part of the normal vPC loop prevention.

The loop prevention only states that a packet cannot ingress on the peer link if it is destined to go out another vPC enabled port.

Not too sure on the multicast front as we don't use it in our environment and I haven't really looked into its behaviour on the 7Ks.

Usually if you are running a routing protocol down on the switch stack the recommended design would be to not have it as a member of a vPC and just use OSPF to give you the same advantages that vPC gives you at L2.
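As an added illustration of the recommended design in the answer above (not configuration from the original post or from the poster's network), the following shows the 3750 stack peering with each N7k over a dedicated routed link instead of over the vPC, so no OSPF unicast or multicast ever has to cross the peer link. Interface names, the 10.0.0.0/30 and 10.0.0.4/30 point-to-point subnets, the OSPF process ID and area 0 are all assumed values.

```text
! --- N7k-A (NX-OS) ---
feature ospf
router ospf 1
  router-id 192.0.2.1          ! assumed router-id
!
! Routed uplink to the 3750 stack; this port is NOT a vPC member
interface Ethernet1/1
  no switchport
  ip address 10.0.0.1/30       ! assumed /30 to the stack
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
! --- N7k-B (NX-OS) ---
feature ospf
router ospf 1
  router-id 192.0.2.2          ! assumed router-id
!
interface Ethernet1/1
  no switchport
  ip address 10.0.0.5/30       ! assumed second /30 to the stack
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0
  no shutdown
!
! --- Catalyst 3750 stack (IOS) ---
! One routed port per Nexus, each in its own /30
interface GigabitEthernet1/0/1
  no switchport
  ip address 10.0.0.2 255.255.255.252
  ip ospf network point-to-point
!
interface GigabitEthernet2/0/1
  no switchport
  ip address 10.0.0.6 255.255.255.252
  ip ospf network point-to-point
!
router ospf 1
  router-id 192.0.2.3          ! assumed router-id
  network 10.0.0.0 0.0.0.7 area 0
```

With this layout each Nexus forms its adjacency over its own physical link, equal-cost routes on the stack give the same dual-active behaviour the vPC was providing at L2, and the vPC loop-prevention rule the answer describes (no frame that ingresses on the peer link may egress a vPC member port) is never in play for the routed traffic. A quick check after cutting over is `show ip ospf neighbors` on all three devices: each neighbour should be FULL on the point-to-point interface, not on a vPC VLAN SVI.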