VxLAN and vPC Anycast VTEP

Problem with VXLAN and vPC:

  • In a vPC, both vPC peers advertise the same EVPN MAC/IP routes to the spine route reflectors (RRs)
  • With other attributes equal, one vPC peer is always preferred for dual-attached hosts (based on normal BGP best-path selection)

Result: egress traffic from the vPC member is load-balanced, but return ingress traffic is polarized.

Solution: an anycast VTEP address, configured as a secondary IP address on Loopback 0 and identical on both vPC peers:

conf t
interface Loopback 0
ip address 1.1.1.111/32 secondary

BGP automatically sets the next-hop to the secondary IP address.

From the Spines (NXOS1 and NXOS2) and another leaf (NXOS7)


In my lab, I was not even able to bring up vPC without a secondary IP address on the loopback interface. There was an inconsistency: “Configuration inconsistency reason: Secondary IP address does not match”, but the configuration on both switches was identical.


Distributed Anycast Layer 3 Gateway

The distributed IP anycast gateway allows you to configure the default gateway of a subnet across multiple Leafs using the same IP and MAC address.

NXOS3

conf t

fabric forwarding anycast-gateway-mac 1234.1234.1234

interface Vlan10  
    no shutdown  
    vrf member CUSTOMER1  
    ip address 10.10.10.1/24
    fabric forwarding mode anycast-gateway

NXOS4

conf t

fabric forwarding anycast-gateway-mac 1234.1234.1234

interface Vlan10  
    no shutdown  
    vrf member CUSTOMER1  
    ip address 10.10.10.1/24
    fabric forwarding mode anycast-gateway

No HSRP configuration is needed.
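
Both features above depend on values being identical across switches: the secondary loopback address on the two vPC peers, and the gateway IP and MAC on every leaf. The following consistency check is an added example, not part of the original post; it is a simplified parser that assumes running-config text laid out like the snippets above, the function names are hypothetical, and the primary loopback addresses in the sample are constructed.

```python
import re

# Constructed sample running-config for one vPC peer, modelled on the post's snippets.
NXOS3 = """\
fabric forwarding anycast-gateway-mac 1234.1234.1234
interface loopback0
  ip address 1.1.1.3/32
  ip address 1.1.1.111/32 secondary
interface Vlan10
  no shutdown
  vrf member CUSTOMER1
  ip address 10.10.10.1/24
  fabric forwarding mode anycast-gateway
"""
# Constructed peer config with two deliberate mismatches (secondary IP, gateway MAC).
NXOS4 = (NXOS3.replace("1.1.1.3/32", "1.1.1.4/32")  # primary address may differ
         .replace("1.1.1.111/32", "1.1.1.112/32")
         .replace("1234.1234.1234", "1234.1234.4321"))

def anycast_facts(config):
    """Extract the values that must be identical on both switches."""
    facts, iface, primary, anycast = {}, None, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(.+)$", line, re.I):
            iface = m.group(1).replace(" ", "").lower()
        elif m := re.match(r"fabric forwarding anycast-gateway-mac\s+(\S+)", line):
            facts["anycast-gateway-mac"] = m.group(1).lower()
        elif m := re.match(r"ip address\s+(\S+)(\s+secondary)?$", line):
            if m.group(2) and iface and iface.startswith("loopback"):
                facts[f"{iface} secondary"] = m.group(1)  # anycast VTEP address
            elif not m.group(2):
                primary[iface] = m.group(1)
        elif line == "fabric forwarding mode anycast-gateway":
            anycast.add(iface)
    for name in anycast:  # only SVIs in anycast-gateway mode must share their IP
        facts[f"{name} gateway ip"] = primary.get(name)
    return facts

def compare(config_a, config_b):
    """Return {fact: (value_a, value_b)} for every fact that differs or is missing."""
    fa, fb = anycast_facts(config_a), anycast_facts(config_b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(fa.keys() | fb.keys()) if fa.get(k) != fb.get(k)}

if __name__ == "__main__":
    for fact, (a, b) in compare(NXOS3, NXOS4).items():
        print(f"MISMATCH {fact}: NXOS3={a} NXOS4={b}")
```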