F5 Viprion and Cisco vPC design

Question

Hello,
We are facing an issue it seems with our data center design. The design is really simple and straight forward.
We have 2 F5 Viprion chassis connected to the access layer in the data center. The access layer is hosted on N9K. The core is N7K.
Added drawing
So chassis 1 forms a vPC with the N9K1 and N9K2, chassis 2 forms a vPC with the N9K3 and N9K4. This connection is fully LACP.
interface port-channel141
  description F5 Viprion 1 - 4*10G - vPC channel
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 310,312,410-415
  spanning-tree port type edge trunk
  spanning-tree bpduguard disable
  spanning-tree guard root
  spanning-tree bpdufilter disable
  logging event port link-status
  logging event port trunk-status
  storm-control broadcast level 80.00
  storm-control multicast level 80.00
  lacp mode delay
  vpc 141

This is an example on how the port-channel towards the F5 is configured. It uses LACP mode delay so it will await the LACP negotiation from the viprion i suppose.
The problem is that when we access an application that is hosted on the F5, the throughput is really low. So for example: A remote desktop application will only achieve 5Mbps when pushed throught the F5, a remote desktop application straight to the server will achieve 70Mbps. Please note that the server is also behind another 9K ToR setup. So the problem only occurs when we push traffic through the F5. It also has an issue with a sharepoint server that is connected and only gets 40KBps of download speed.
We also see that traffic entering the physical interfaces on the F5 is experiencing some drops. Screenshot included.

My guess is that there is a problem between the F5 and the Nexus, is there documentation on how this is setup the best way? F5 only has this: https://support.f5.com/csp/article/K13142
The configuration on the trunk towards the nexus is :
LACP Enabled
LACP Mode Active
LACP Timeout set to log
Link selection policy bandwidth
Frame Distribution Hash Source/Destination IP address port
An engineer from F5 is tasked to look at the F5 but is not finding anything.

eben_259100 · Answer

Hi Yannick,&nbsp;
This should help.
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-732522.pdf&nbsp;
Regards&nbsp;
Eben.&nbsp;

eben · Answer

Hi Yannick,&nbsp;
This should help.
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-732522.pdf&nbsp;
Regards&nbsp;
Eben.&nbsp;

yannick_vranck1 · Answer

Hello,&nbsp;
Thanks for this document. However it does not seem to contain any information on how he Viprion is set up on the N9K.&nbsp;
What supposed to be the MTU size between the devices etc. I did notice that 1 viprion chassis in Active and the other one is in Standby. 
In our design both chassis are active active and the VCMP's are spread across the 2 chassis's.&nbsp;
Also we have no lldp enabled on the ports towards the F5 from the nexus.&nbsp;
I noticed in the CLI that the physical interface of the F5 towards the Nexus has an MTU of 9198. 
The Nexus has an MTU of 1500 configured on the LACP port-channel, however the vlan's that are configured on the Viprion are also 1500.&nbsp;
A portion of our DMZ setup is also connected with 40Gig to the Viprion with a Cisco Cat 6500 and there are no issues. It really looks like a vPC specific towards the Viprion&nbsp;

yannick_vranck1 · Answer

Hello,&nbsp;
Thanks for this document. However it does not seem to contain any information on how he Viprion is set up on the N9K.&nbsp;
What supposed to be the MTU size between the devices etc. I did notice that 1 viprion chassis in Active and the other one is in Standby. 
In our design both chassis are active active and the VCMP's are spread across the 2 chassis's.&nbsp;
Also we have no lldp enabled on the ports towards the F5 from the nexus.&nbsp;
I noticed in the CLI that the physical interface of the F5 towards the Nexus has an MTU of 9198. 
The Nexus has an MTU of 1500 configured on the LACP port-channel, however the vlan's that are configured on the Viprion are also 1500.&nbsp;
A portion of our DMZ setup is also connected with 40Gig to the Viprion with a Cisco Cat 6500 and there are no issues. It really looks like a vPC specific towards the Viprion&nbsp;

eben_259100 · Answer

Please clarify some things,
1. VCMPs: Is your chassis serving as an hypervisor for multiple VCMP guests?
2. Active active: are the boxes standalone or in sync in an active-active HA scenario?&nbsp;
make the MTUs match on the devices. nexus support Jumbo MTUs(above 9000).&nbsp;

Forum Discussion

F5 Viprion and Cisco vPC design

9 Replies

Recent Discussions

Portal Access to HTTPS resources slow

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

rewrite Azure AD response for portal access via web portal

Azure SAML - F5 APM

Related Content

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Considerations

Verified Design: SSL Orchestrator with Cisco Firepower Virtual Edition-Part 1

Verified Design: SSL Orchestrator with Cisco Firepower Virtual Edition-Part 2

F5 and Cisco ACI Essentials - Design guide for a Single Pod APIC cluster