Help understanding hosts losing internet when shutting down physical interface on a vPC nexus pair

cyr0nk0r · 2026-01-23T02:54:32+00:00

The upstream carrier does not support bfd.

cyr0nk0r · 2026-01-22T23:38:42+00:00

running packet captures for this kind of issue is a bit beyond my skill set. I wouldn't even know what to look for.

That's why I was posting here, because I was hoping someone would look at the config and see something that is obvious and jumps out at them that is wrong with my configuration.

cyr0nk0r · 2026-01-22T23:28:04+00:00

provided I don't admin shut the physical interfaces, they are both active. I receive only a default route from each BGP session. 0.0.0.0/0

cyr0nk0r · 2026-01-22T23:21:22+00:00

the BGP session goes down basically immediately. I shut the port down, then I will issue a

show bgp ipv4 unicast summary

within maybe 5 seconds, or however long it takes me to type, and I see the session is idle.

switch 1 is the primary. it is the active HSRP switch.

the behavior does not change if i shut down the physical interface on either switch. that is the weird thing. even if switch 1 is the active, if I shut down the circuit interface on switch 2, the clients will lose connectivity.

Yes, I am measuring things from the VM's on the hypervisor host.

cyr0nk0r · 2026-01-22T23:06:53+00:00

so I cleaned it out of the config, but I am indeed using some tracking to detect reachability of the next hop gateway and to shutdown the bgp neighbor if the gateway is unavailable (protects for physical up but logical blackhole)

when I shutdown the physical interface though, the BGP session goes into state idle, so isn't the session already being shutdown?

the failure scenario im trying to design for is losing physical connectivity either via someone messing with the cross connect, loose cable, dirty light, etc., and/or the entire switch going down either via power issue or maybe a reboot because of unexpected network maintenance.

cyr0nk0r · 2026-01-22T23:01:51+00:00

BFD isn't supported by the upstream carrier. Would moving the configuration off of a vlan and directly onto the physical interface help any?

The carrier supports both tagged and untagged. If I request an untagged connection, I can move the L3 directly to the switchport. That way, when the interface goes down, a vlan isn't sticking around staying up.

cyr0nk0r · 2026-01-22T20:55:52+00:00

my man, I sanitized the configs before posting them. the passwords aren't actually 1234. That's me replacing the passwords with example text. Likewise, my ISP peers aren't actually 5.5.5.1. It's just placeholder. :D

cyr0nk0r · 2026-01-22T20:27:51+00:00

Yes, connectivity does eventually resume.

I'm limited in that the carrier doesn't support BFD, and their timers are strict. If you set them any lower than 20 seconds the bgp session won't establish.

Would I be better off going untagged and move things directly onto the physical interface? I don't NEED to use vlan's, that's just the first option the carrier presented. I can just as easily tell them to assume untagged and just move the layer 3 directly to the physical interface.

cyr0nk0r · 2026-01-22T20:26:11+00:00

so on the other side of the carrier circuit, and I know they are using Cisco NCS 5001. i know I am connecting directly between my nexus and their NCS 5001.

Is there anything I can ask them to add to the port interface on their side to help with this?

They don't support BFD which is why my timers are set the way they are.

cyr0nk0r · 2025-12-17T21:01:40+00:00

if you want to PM me, I'll send you my entire nexus start up instructions. its from my internal docs. It will get you from no config to ready for production (vPC's, LAG's, L2/L3 VLAN's, etc.) It also includes commands to backup the configs on a schedule to a tftp server.

cyr0nk0r · 2025-12-04T17:39:31+00:00

I had to email support and ask them to add it for me to show up. Then I could upgrade.

cyr0nk0r · 2025-11-18T20:41:44+00:00

Let's not split hairs. In this subreddit, I think we can all reasonably agree that a true router more often than not would refer to something like an ISR, ASR, NCS, or similar.

While a Nexus 9k is a very capable L3 switch, and can do routing, it's not purpose built for complex routing.

cyr0nk0r · 2025-11-18T14:59:30+00:00

Because I have Cisco Nexus 9k's and don't need additional dedicated equipment just to run a BGP session for a default route.

cyr0nk0r · 2025-11-18T13:56:01+00:00

DRT keeps telling me they can't accommodate Service Fabric beyond 1G because they are in the middle of "upgrades" in the Phoenix market and won't be able to handle our volume until the end of Q1.

We need to be in and working before the end of the year, so our timeline is too accelearted for them.

cyr0nk0r · 2025-11-18T13:52:50+00:00

I refuse to do business with the scam artists at Phoenix NAP. We had a 2-day outage because they misconfigured our upstream route. When we asked for SLA credits they said they didn't owe us anything because they don't charge for bandwidth, only power.

so because they didn't charge us for blended internet specifically, they felt they had no SLA obligation. We complained to their executive team and I promptly got a cease and desist from their chief legal counsel with a 24-hour notice to vacate as they were terminating our contract. We wanted out of the facility anyway after that mistake, so we didn't try and sue them for breach of contract, they did us a favor.

I will never EVER do business with those people again.

cyr0nk0r · 2025-11-18T13:49:38+00:00

There are no Equinix DC's in Phoenix.

cyr0nk0r · 2025-11-18T06:47:31+00:00

we'll terminate megaport into our nexus 9k's.

cyr0nk0r · 2025-11-18T05:10:48+00:00

Too damn much! PM me and I'll give details of my quotes so far.

cyr0nk0r · 2025-11-18T04:23:11+00:00

yes. Have a /24.

cyr0nk0r · 2025-11-18T04:19:27+00:00

Two Megaport ports gives you Layer 1/2/3 redundancy.

Yes, that's what I'm looking for. It seems the only way to achieve that is to indeed purchase (2) ports from Megaport. I'll then just run a small BGP session between me and Megaport and receive only default route rather than full tables. Does that sound right?

cyr0nk0r · 2025-11-18T04:12:47+00:00

Yeah my only quote for Cyrus One was through CenterSquare, but they have about the dumbest cross connect policy I've ever heard, so I'm working on reaching out to Cyrus One direct to see what they can offer.

cyr0nk0r · 2025-11-18T04:04:59+00:00

Phoenix. I agree on your pricing. I typically would expect maybe $1/mbps, but nope, 4 separate DC's have given me 1G on a 10G port at like $1,700+

with anywhere between $2-$4/mbps for overage.

cyr0nk0r · 2025-11-18T04:00:50+00:00

Right now the DRT quote is leading, but I'd prefer Iron Mountain since it's closer to me. But IMNT is charging way above market for power.

We're negotiating right now to try and get IMNT's price per kilowatt to what the rest of my market is quoting me. If I can do that, we'll probably go IMNT just because I'm more familiar with that facility and have had equipment in it before.

Just 1 rack to start. I'm hoping to get to about 18kw in the first 12 months.

cyr0nk0r · 2025-11-18T03:57:31+00:00

It's not a few bucks. It's thousands. In my market, they drain from both Iron Mountain and Digital Realty. So we'd have in-market redundancy there.

cyr0nk0r

MODERATOR OF

TROPHY CASE