As you should know (simplified rule): Whenever the vPC peer link goes down the vPC secondary switch brings down all its connected vPC ports, assuming those vPCs are up in the vPC primary switch.
This means that if you have non-vPC-connected hosts on your vPC secondary switch then those ports are left up and traffic blackholing can occur (depending on your topology of course!). Those non-vPC ports are called orphan ports.
Now, you may want to configure the switch to bring down also the orphan ports on that situation, for example, because your servers are using active-standby type of teaming so you want to force a physical shutdown on the link for the teaming software to change the traffic to flow on the other link.
That can be configured with “vpc orphan-port suspend” command on the interface-level configuration. It should be configured on both vPC switches because you cannot predict which switch is the vPC secondary on some later time. The command is supported starting from NX-OS version 5.0(3)N2(1).
As told in the configuration guide:
“When a port is configured as an orphan port, the port will flap. This occurs because the system reevaluates whether the port can be brought up, given the constraints of the orphan port. For example, MCT needs to be up and election needs to be complete.”
Here is the proof:
n5k-1(config)# int e100/1/45 n5k-1(config-if)# vpc orphan-port suspend 2012 Jun 28 12:09:25 n5k-1 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet100/1/45 is down (Initializing) 2012 Jun 28 12:09:28 n5k-1 %ETHPORT-5-SPEED: Interface Ethernet100/1/45, operational speed changed to 1 Gbps 2012 Jun 28 12:09:28 n5k-1 %ETHPORT-5-IF_DUPLEX: Interface Ethernet100/1/45, operational duplex mode changed to Full 2012 Jun 28 12:09:28 n5k-1 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface Ethernet100/1/45, operational Receive Flow Control state changed to off 2012 Jun 28 12:09:28 n5k-1 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface Ethernet100/1/45, operational Transmit Flow Control state changed to on 2012 Jun 28 12:09:28 n5k-1 %ETHPORT-5-IF_UP: Interface Ethernet100/1/45 is up in mode access
So if you want to configure orphan ports to suspend, do that before deploying the ports or prepare for some maintenance time.
Nice that you put together a post for this….this is key for people with the straight-through / active-active FEX design.
Thanks Ian, and you are so right! Yes, basically these are the general rules if you are not using vPC to your end hosts:
– all ports in the straight-through (single-homed) FEXes are orphan ports
– none of the ports in active-active (dual-homed) FEXes are orphan ports.
How many of you have configured the single-homed FEX ports with “vpc orphan-port suspend” for hosts that are not connected with vPC? 😉
Again, this all depends on your topology ie. how you have connected your N5k pair to the upstream network. If you use vPC on the N5k pair for upstream connection you should really consider your orphan ports because the vPC secondary switch will lose the uplink in vPC peer link failures.
Nice post…exactly what I was looking for 🙂
Well explain… Got it 100%.
simplified answer…
I think it’s important to understand what an orphan port is. The important bit about an orphan port is that a port is only an orphan port if it’s not a member of a vPC *and* it carries a vPC VLAN. So if you have a singly-connected port that does *not* carry a vPC VLAN, that port is not an orphan port and it does *not* necessarily have the same possibility of being blackholed as an orphan port.