Nexus 5000 vPC Peer Keepalive Options and Config-Sync Issue

When you configure vPC on Cisco Nexus switches, vPC keepalive link is used by the two vPC peers to detect the liveliness of each other. The vPC keepalive plays a critical role of resolving a dual-active (aka split brain) scenario when the vPC peer link is down. This article presents different interface options of configuring vPC keepalive link on Nexus 5000 and discusses their pros and cons.
Please note that some behaviors may or may not hold true on Nexus 7000 as we have not tested them. Any additional test results are welcome in the comment section.

Option 1: Management Interface

 - Two Nexus switches can be connected together using the Mgmt0 interface. The interface is a Layer 3 routed copper port and is a member of management VRF. A /30 IP subnet is sufficed to provide IP connectivity. This is the most recommended configuration if the switches are within the limiting distance of Ethernet over copper.

Option 2: Routed Interface

- Given the switches have L3 daughter card installed, you can connect the two switches through routed interfaces (ie. ‘no switchport’). The benefit is that now you can use fiber cable, which allows much longer distance if there is a requirement to extend beyond what copper Ethernet supports. The link can also be 10G, although there is not much reason to, plus it is an added cost to use 10G SFP+. It is still recommend placing the interfaces under its own VRF. Note that they cannot be added to the management VRF as it is reserved for mgmt0 and console. If you plan to use any non-management VRF for the vPC keepalive, including the ‘default’ VRF, do not forget to define it on the ‘peer-keepalive’ command under ‘vpc domain’.

Option 3: Switch Virtual Interface (SVI)

- If you need the distance of fiber but do not have the L3 daughter card, you can create a dedicated VLAN and use the SVI for the vPC keepalive. This is similar to Option2 so the separate VRF recommendation still holds. The interfaces can be the dot1q trunk or access port, but why use a trunk if it carries just one VLAN, right?

Issue with Configuration Synchronization

Any of the three options should works fine until you need to enable config-sync. According to Cisco documentation, config-sync traffic is carried over mgmt0 interface (see balow). If you cannot use mgmt0 for vPC keepalive, you probably cannot use it for config-sync neither. If you attempt to configure switch-profile peer with any non-mgmt0 IP, the switch will show ‘Peer not Reachable’, even though the IP is pingable. You probably need to resort to some form of media converter to convert fiber to copper at both ends, if config-sync feature is mandatory.

Q. Which interface carries config-sync traffic?
A. Config-sync messages are carried only over the mgmt0 interface. They cannot currently be carried over the in-band switch virtual interfaces (SVIs).

With SVI

With mgmt0

References: Cisco Nexus 5548P Switch Q&A