Avoid service outage to the orphan ports during a vPC link failure?

Hello expert,

We have an implementation where most of the edge devices have dual links and are connected with one link per Nexus switch. However, we have a few devices with a single link toward the Nexus switch (orphan port). How can I avoid having a service outage to the orphan ports during a vPC link failure?

Thank you for your question.

Indeni is aware of the severity of orphan ports to a network design, and relevant metrics have been introduced to Indeni to analyze the NX-OS config and identify orphan ports. In addition, remediation steps are provided.

Regarding your question: when connecting a single-attached access (orphan) device to a vPC domain using a vPC VLAN, always connect it to the vPC primary peer device. The reason is that when the vPC peer-link fails, any single-attached device connected to the secondary peer device (and using a vPC VLAN) will become completely isolated from the rest of the network. To maintain Layer 3 connectivity to these orphan ports, the following command is available to prevent the SVI (associated with the vPC VLAN) from being shut down: dual-active exclude interface-vlan.

In brief, Cisco recommends the following design for vPC orphan ports:

First, connect access/orphan devices to an intermediate switch that is dual-attached to the vPC domain.

If this is not possible, connect the single-attached device to the vPC domain using a non-vPC VLAN. Create an inter-switch link between the two peer devices to transport the non-vPC VLAN.

The last resort is to connect the single-attached device to the vPC domain using a vPC VLAN, leveraging the vPC peer-link.

For more information, refer to the following Cisco vPC design and configuration guide: https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

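The check described in the reply above, as an added example that is not part of the original post and is not Indeni's or Cisco's code: it reads the output of `show vpc role`, `show vpc orphan-ports` and the `vpc domain` section of the running config, then reports for each orphan VLAN whether the peer is the operational secondary and whether the SVI is covered by `dual-active exclude interface-vlan`. The sample outputs are constructed, their layout is assumed to follow the usual NX-OS formatting, and all function names are hypothetical.

```python
import re

# Constructed sample CLI output (not captured from a real switch).
ROLE_OUT = """\
vPC Role status
----------------------------------------------------
vPC role                        : secondary
"""
ORPHAN_OUT = """\
VLAN           Orphan Ports
-------        -------------------------
10             Eth1/5
20             Eth1/5, Eth1/7
30             Eth1/9
"""
VPC_CONFIG = """\
vpc domain 10
  dual-active exclude interface-vlan 10,30-40
"""

def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '10,30-40' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def operational_role(text):
    """Last word of the 'vPC role' line, e.g. 'primary, operational secondary'."""
    m = re.search(r"^vPC role\s*:\s*(.+?)\s*$", text, re.M | re.I)
    return m.group(1).lower().split()[-1] if m else "unknown"

def orphan_ports(text):
    """Map VLAN id -> list of orphan ports from 'show vpc orphan-ports'."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(\S.*)$", line)
        if m:
            found[int(m.group(1))] = [p.strip() for p in m.group(2).split(",")]
    return found

def audit(role_out, orphan_out, config):
    """Return (vlan, ports, on_secondary, svi_kept_up) for each orphan VLAN."""
    m = re.search(r"dual-active exclude interface-vlan\s+(\S+)", config)
    kept = expand_vlans(m.group(1)) if m else set()
    on_secondary = operational_role(role_out) == "secondary"
    return [(vlan, ports, on_secondary, vlan in kept)
            for vlan, ports in sorted(orphan_ports(orphan_out).items())]
```

With the sample data, VLAN 20 is the entry to act on: its orphan ports sit on the secondary peer and its SVI is not in the exclude list.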