Cisco Catalyst Virtual Switching System (VSS)palo/Rozne/cisco-expo-2009/Presentation... · Cisco Catalyst Virtual Switching System ... BRKRST-3468 © 2009 Cisco Systems, Inc

© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialISR G2 TDM © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Tomáš Kelemen

[email protected] Systems Engineer

CCIE #24395

Cisco Catalyst Virtual Switching System (VSS)

mailto:[email protected]

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKRST-3468 2

Agenda

Introduction

Architecture

Hardware Requirements

High Availability

Summary


Agenda

Introduction

Architecture


High Availability

Summary


Current Network ChallengesEnterprise Campus

Traditional Enterprise Campus deployments have been designed in

such a way that allows for scalability, differentiated services and

high availability. However they also face many challenges, some of

which are listed in the below diagram…

Access

L2/L3

Distribution

L3 Core

FHRP, STP,

Asymmetric routing,

Policy Management

Extensive routing

topology, Routing

reconvergence

Single active uplink

per VLAN (PVST), L2

reconvergence


Current Network ChallengesData Center

Traditional Data Center designs are requiring ever increasing Layer 2

adjacencies between Server nodes due to prevalence of Virtualization

technology. However, they are pushing the limits of Layer 2 networks, placing

more burden on loop-detection protocols such as Spanning Tree…

L2/L3 Core

L2

Distribution

L2 Access

Dual-Homed Servers to

single switch, Single

active uplink per VLAN

(PVST), L2

reconvergence

Single active uplink per

VLAN (PVST), L2

reconvergence,

excessive BPDUs

FHRP, HSRP, VRRP

Spanning Tree

Policy Management


VSS (Physical View)

SiSi SiSi SiSi SiSi

Access Switch orToR or Blades

ServerServer Server

10GE 10GE



802.3ad

Today (Today) VSS (Logical View)

802.3ador

PagP

802.3ador

PagP 802.3ad

Simplifies operational Manageability via Single point of Management, Elimination of STP,

FHRP etc

Doubles bandwidth utilization with Active-Active Multi-Chassis Etherchannel

(802.3ad/PagP) Reduce Latency

Minimizes traffic disruption from switch or uplink failure with Deterministic subsecond

Stateful and Graceful Recovery (SSO/NSF)

Catalyst 6500 Virtual Switching System 1440Overview


Introduction to Virtual Switching SystemConcepts


Virtual Switching System Enterprise Campus

A Virtual Switching System-enabled Enterprise Campus network

takes on multiple benefits including simplified management &

administration, facilitating greater high availability, while maintaining

a flexible and scalable architecture…

Access

L2/L3

Distribution

L3 Core

No FHRPs

No Looped topology

Policy Management

Reduced routing

neighbors, Minimal

L3 reconvergence

Multiple active

uplinks per VLAN, No

STP convergence


Virtual Switching System Data Center

A Virtual Switching System-enabled Data Center allows for maximum

scalability so bandwidth can be added when required, but still providing a

larger Layer 2 hierarchical architecture free of reliance on Spanning Tree…

L2/L3 Core

L2

Distribution

L2 Access

Dual-Homed

Servers, Single

active uplink per

VLAN (PVST), Fast

L2 convergence

Dual Active Uplinks,

Fast L2 convergence,

minimized L2 Control

Plane, Scalable

Single router node,

Fast L2 convergence,

Scalable architecture


Agenda

Introduction

Architecture


High Availability

Summary


Virtual Switching System ArchitectureVirtual Switch Link

The Virtual Switch Link joins the two physical switch together - it

provides the mechanism to keep both the chassis in sync

A Virtual Switch Link bundle can consist of up

to 8 x 10GE links

All traffic traversing the VSL link is encapsulatedwith 32 byte “Virtual Switch Header” containingingress and egress switchport indexes, class ofservice (COS), VLAN number, other importantinformation from the layer 2 and layer 3 header

Control plane uses VSL CPUto CPU communications whilethe data plane uses VSL toextend the internal chassisfabric to the remote chassis

Virtual Switch Active

Virtual Switch Standby

Virtual Switch Link

VS Header L2 Hdr L3 Hdr Data CRC


Virtual Switching System ArchitectureVSL Initialization

Before the Virtual Switching System domain can become active, the Virtual

Switch Link (VSL) must be brought online to determine Active and Standby

roles. The initialization process essentially consists of 3 steps:

Role Resolution Protocol (RRP) used to determine compatible Hardware and

Software versions to form the VSL as well as determine which switch becomes

Active and Hot Standby from a control plane perspective

LMP

RRP

Link Management Protocol (LMP) used to track and reject Unidirectional Links,

Exchange Chassis ID and other information between the 2 switches

Link Bringup to determine which ports form the VSL1

2

3

LMP

RRP


Virtual Switching System ArchitectureVSL Configuration Consistency Check

After the roles have been resolved through RRP, a Configuration Consistency

Check is performed across the VSL switches to ensure proper VSL operation.

The following items are checked for consistency:

Switch Virtual Domain ID

Switch Virtual Switch ID

Switch Priority

Switch Preempt

VSL Port Channel Link ID

VSL Port state, interfaces…

Power Redundancy mode

Power Enable on VSL cards

Note that if configurations do not match, the Hot-Standby Supervisor will

revert to RPR mode, disabling all non-VSL interfaces…

Virtual Switch


Virtual Switching System ArchitectureVSLP Ping

A new ping mechanism has been implemented in VSS mode to allow

the user to objectively verify the health of the VSL itself. This is

implemented as a VSLP Ping

VSL

Switch1 Switch2

VSLP Ping

vss#ping vslp output interface tenGigabitEthernet 1/5/4

Type escape sequence to abort.

Sending 5, 100-byte VSLP ping to peer-sup via output port 1/5/4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms

The VSLP Ping operates on a per-physical interface basis and parameters such as COUNT,

DESTINATION, SIZE, TIMEOUT may also be specified…

VSLP Ping

VSLP PingVSLP Ping


Virtual Switching SystemUnified Control Plane

One supervisor in each chassis with inter-chassis Stateful Switchover (SSO) method in with one supervisor is ACTIVE and other in HOT_STANDBY mode

Active/standby supervisors run in synchronized mode (boot-env, running-configuration, protocol state, and line cards status gets synchronized)

ACTIVE supervisor manages the control plane functions such as protocols (routing, EtherChannel, SNMP, telnet, etc.) and hardware control (OIR, port management)

Active Supervisor

SF RP PFC

CFC or DFC Line Cards





Standby HOT Supervisor

SF RP PFC

VSLCFC or DFC Line Cards







Synchronization


Virtual Switching SystemDual Active Forwarding Planes

DUAL active forwarding planes & SINGLE control plane

Standby supervisor and all linecards including DFC’s are actively forwarding

VSS#show switch virtual redundancy

My Switch Id = 1

Peer Switch Id = 2<snip>

Switch 1 Slot 5 Processor Information :

-----------------------------------------------

Current Software state = ACTIVE

<snip>

Fabric State = ACTIVE

Control Plane State = ACTIVE

Switch 2 Slot 5 Processor Information :

-----------------------------------------------

Current Software state = STANDBY HOT (switchover target)

<snip>

Fabric State = ACTIVE

Control Plane State = STANDBY

Data PlaneActive

Data Plane Active

SiSiSiSi

Switch1 Switch2


Virtual Switching System ArchitectureVirtual Switch Domain

A Virtual Switch Domain ID is allocated during the conversion process and

represents the logical grouping the 2 physical chassis within a VSS. It is

possible to have multiple VS Domains throughout the network…

Use a UNIQUE VSS Domain-ID for each VSS Domain throughout the network.

Various protocols use Domain-IDs to uniquely identify each pair.

VSS Domain 10

VSS Domain 30VSS Domain 20


Virtual Switching System ArchitectureRouter MAC Address Assignment

In a Virtual Switching System, there is only ONE router MAC address

to represent both physical chassis as one logical device.

Router MAC = burnt-in or virtual mac-address

By default, the MAC address allocated to the Virtual Switching System is Active Switch burnt-in

MAC-address, which is negotiated at system initialization. Regardless of either switch being

brought down or up, the same MAC address will be retained such that neighboring network

nodes and hosts do NOT need to re-learn a new address.

virtual mac-address is recommended configuration for VSS environment


Virtual Switching System ArchitectureVirtual Router MAC Address Assignment

Instead of using default chassis mac-address assignment, from 12.2(33)SXH2 onwards virtual mac-address can be specified as shown below

VSS(config-vs-domain)#switch virtual domain 10

VSS(config-vs-domain)#mac-address use-virtual

Configured Router mac address is different from operational value. Change

will take effect after config is saved and the entire Virtual Switching

System (Active and Standby) is reloaded.

The router MAC address is assigned from a reserved pool (0008.e3ff.fc00 to 0008.e3ff.ffff) of VSS domain-based addresses

VSS#show interface vlan 1

Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 0008.e3ff.fc0a (bia 0008.e3ff.fc0a)


Virtual Switching System ArchitectureMultichassis EtherChannel (MEC)

Prior to Virtual Switching System, Etherchannels were restricted to reside

within the same physical switch. In a Virtual Switching environment, the 2

physical switches form a single logical network entity - therefore

Etherchannels can now also be extended across the 2 physical chassis…

Regular Etherchannel on single

chassis

Multichassis EtherChannel across 2

VSS-enabled chassis

VSS

Both LACP and PAGP Etherchannel

protocols and Manual ON modes are

supported…

Standalone


Virtual Switching System ArchitectureEtherChannel Hash for MEC

Deciding on which link of a Multi-chassis Etherchannel to use in a

Virtual Switch is skewed in favor towards local links in the bundle -

this is done to avoid overloading the Virtual Switch Link (VSL) with

unnecessary traffic loads…

Link 1 Link 2

Blue Traffic destined

for the Server will

result in Link 1 in the

MEC link bundle being

chosen as the

destination path…

Orange Traffic

destined for the Server

will result in Link 2 in

the MEC link bundle

being chosen as the

destination path…

© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKRST-3468 22© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

EtherChannel ConceptsEtherChannel Hash

vss#show etherchannel load-balance hash-result interface port-

channel 120 switch 1 ip 192.168.220.10 192.168.10.10

Computed RBH: 0x4

Would select Gi1/2/1 of Po120

A command can be invoked to assist in determining which link in the bundle

will be used - it can use various hash inputs to yield an 8-bucket RBH value

that will correspond to one of the port channel members…

Note: specify switch <id> when using hash result command, if not VSS assumes switch <1> while commuting hash results from the hardware.


Agenda

Introduction

Architecture


High Availability

Summary


In order to enable the Virtual Switching System feature and

configure the Virtual Switch Links (VSL) between 2 Catalyst 6500

chassis, the new Catalyst 6500 Virtual Switching Supervisor 720 is

required to be used. It is the only Supervisor that will support VSS

as it supports both the new PFC3C/XL forwarding engine…

The PFC3C/XL contains new

hardware to support the

extra LTL indices and

mappings required to

forward traffic across

multiple physical chassis,

lookup enhancements as

well as MAC address table

handling enhancements…

VS-S720-10G-3C/XL

12.2(33)SXH1 or later

VSS RequirementsHardware


Hardware RequirementsVSL-Capable Interfaces

The VSL requires new port ASICs that exist only on the 10

GigabitEthernet interfaces on the following modules:

These interfaces are based off

the new port ASIC, allowing for

frames across the VSL to be

encapsulated / de-encapsulated

with the VSH…

WS-X6708-10G-3C/XL

VS-S720-10G-3C/XL

WS-X6716-10G-3C/XL *

* Support for VSL from 12.2(33)SXI onwards

Note: These interfaces may also be used as

standard network interfaces


Hardware RequirementsSupported LAN Modules

Only WS-X67xx-series LAN modules are supported in a VSS

LAN Modules

12.2(33)SXH1

WS-X6708-10G-3C/XL

WS-X6704-10G-3C/XL

WS-X6748-GE-TX

WS-X6716-10G-3C/XL

WS-X6724-SFPWS-X6748-SFP

Support in 12.2(33)SXI


Service

Modules

12.2(33)SXI

Application Control Engine (ACE)

ACE10/ACE 20-6500-K9

WS-SVC-IDSM2-K9

Intrusion Detection System Services Module (IDSM-2)

WS-SVC-WISM-1-K9

Wireless Services Module (WiSM)

WS-SVC-FWM-1-K9

Firewall Services Module (FWSM)

WS-SVC-NAM-1WS-SVC-NAM-2

Network Analysis Module (NAM 1&2)

Support in 12.2(33)SXH1

Hardware RequirementsSupported Service Modules


Hardware RequirementsService Modules Integration

4 Standalone Service Modules are supported per VSS chassis.

VSL will carry service module redirected, state sync, and failover traffic.

Service Module Software version

WS-SVC-FWM-1-K9 4.0.4

ACE10/ACE 20-6500-K9 A2(1.2)

WS-SVC-WISM-1-K9 6.0(2)E1

WS-SVC-IDSM2-K9 3.2.171.6

VSL bandwidth must be engineered accordingly


Switch-1

(VSS Active)Switch-2

(VSS Standby)

Virtual Switch Domain

Data Plane Active

Control Plane Active

Service Module1 Active

Service Module2 Standby

Data Plane Active

Control Plane Hot Standby

Service Module1 Standby

Service Module2 Active

VSL

Failover/State sync Vlan

FWSM & ACE Module HA Modes: Active-Standby per module, One of the service modules in a VSS system will be Active and another one will be standby.



Switch-1

(VSS Active)Switch-2

(VSS Standby)


Data Plane Active


Service module

Service module active

Data Plane Active


Service module

Service module active

VSL

Failover/State sync Vlan

Context A Context B

Context C

Context A Context B

Context C

Context 1 Context 2

Context 3

Context 1 Context 2

Context 3

FWSM & ACE Module HA Modes: Active-Active per context , both Service Modules are active and act as a back up for each other per context



Packet Flow: Based upon the neighbor device’s ether-channel load-

balancing configuration, it is expected to have traffic

transmitted across all interfaces of MEC

Switch1(VSS Active)

Switch2(VSS Standby)

VSL

Service Module Active Service Module Standby


Data Plane Active

Supervisor Active

Data Plane Active

Supervisor Hot Standby



Packet Flow: ingress traffic will be redirected to the Active Service module of a context Therefore it is expected to have services traffic traversing VSL link.

VSL

Service Module Active Service Module Standby


Data Plane Active

Supervisor Active

Data Plane Active

Supervisor Hot Standby

Recommendation: Size the VSL link based on expected

services bandwidth requirement.

Switch1(VSS Active)





Data Plane Active


FWSM Service module

Data Plane Active


FWSM Service module

VSL

1-2Gbps

Recommendation: Service module stateful failover traffic should be considered for VSL capacity planning

FWSM Fail

FWSM State


Switch1(VSS Active)



Supported with 12.2(33)SXI1 (CCO 03/31/09)

Please refer to the SXI1 product bulletin for more informationhttp://www.cisco.com/en/US/products/ps9336/prod_bulletins_list.html

Before

12.2(33)SXI1

VSS 1440 Mode Not Supported

IOS IP Base(available with bundles only)

After

12.2(33)SXI1

IOS IP Services

and Above

VSS 1440 Mode Supported

VSS 1440 Mode

Supported

VSS 1440 Mode

Supported

New

Software RequirementsVSS Packaging

http://www.cisco.com/en/US/products/ps9336/prod_bulletins_list.html


Agenda

Introduction

Architecture


High Availability

Summary


High AvailabilityRedundancy Schemes

Default redundancy mechanism between the two VSS chassis

and their associated supervisors is NSF/SSO

VSL

If a mismatch of information occur between the Active & Standby, the Standby will revert to RPR mode

Starting 12.2(33)SXI, minor mis-match in software will be still keep the switch in SSO mode

Switch1

12.2(33)SXH1

Switch2

12.2(33)SXH1

Switch1

12.2(33)SXH1

Switch2

12.2(33)SXH2

Switch1

12.2(33)SXISwitch2

12.2(33)SXI1

Active Standby

Active

Active

Standby

Standby

VSL

VSL

RPR

NSF/SSO

NSF/SSO


VSL

Switch1

12.2(33)SXH1

Active

Switch2

12.2(33)SXH1

Hot Standby

NSF feature with SSO minimizes the amount of traffic loss following supervisor switchover while continuing to forward traffic using hardware entries. In VSS

environment this feature is required to minimize traffic disruption in the event such as supervisor failure that causes supervisor switchover.

VSS#config t

VSS(config)#router ospf 1

VSS(config-router)#nsf

VSS#show ip ospf

Routing Process "ospf 10" with ID 192.168.2.1

Start time: 00:15:29.344, Time elapsed: 23:12:03.484

Supports only single TOS(TOS0) routes

External flood list length 0

Non-Stop Forwarding enabledIETF NSF helper support enabled

Cisco NSF helper support enabled

Reference bandwidth unit is 100 mbps

NSF is supported by the BGP, EIGRP, OSPF & IS-IS

NSF/SSO

High AvailabilityNSF/SSO


Virtual Switch Hot Standby


Virtual Switching System


Switch Is down

Virtual Switch Active incurs a supervisor outage

1

2Standby Supervisor takes over as

Virtual switch Active

Virtual Switch Standby initiates graceful restart

Non Stop forwarding of packets will continue using hardware entries as Switch-2 assumes active role

NSF aware neighbors exchange updates with Virtual Switch Active

Switch1 Switch2

Switch2Switch1

Virtual Switching System

Virtual Switching SystemInter Chassis NSF/SSO


SiSi SiSi SiSi SiSi

High AvailabilityFailure of MEC member

Operational State Failure of Link A

A

Flow A Flow B

Convergence is determined by neighbor device


SiSi SiSi SiSi SiSi

Failure of Link B Failure of Link C & D

B

C

High AvailabilityFailure of MEC member

D

Convergence is determined by neighbor device

Convergence is determined by VSS device


High AvailabilityDual-Active Detection

In a Virtual Switching System Domain, one

switch is elected as Active and the other is

elected as Standby during boot up by VSLP.

Since the VSL is always configured as a Port

Channel, the possibility of the entire VSL

bundle going down is remote,

however it is a possibility…

It is always recommended to deploy the VSL with 2 or more links and distribute those

interfaces across multiple modules to ensure the greatest redundancy

Active Hot Standby

Switch1 Switch2

VSL


Active

Switch1 Switch2

VSL

High AvailabilityDual-Active Detection

If the entire VSL bundle should happen to go down, the Virtual Switching

System Domain will enter a Dual Active scenario where both switches

transition to Active state and share the same network configuration (IP

addresses, MAC address, Router IDs, etc…) potentially causing

communication problems through the network…

3 Step Process

Dual-Active detection using the detection method enabled in the system.

1

Dual-Active recovery, when VSL recovers , the switch that has all it’s interfaces brought down in the previous step will reload to boot in a preferred standby state

Further network disruption is avoided by disabling previous VSS active switch interfaces

connected to neighboring devices .2

3 Active


Enhanced PAgP

Hot StandbyActive

Switch 1 Switch 2

IP-BFD

Switch 1

VSLP VSLP BFD BFD

Switch 2

Hot StandbyActive

Switch 1 Switch 2

Hot StandbyActive

VSLP Fast Hello

NEW12.2(33)SXI

Requires ePagP capable

neighbor : 3750: 12.2(46)SE

4500: 12.2(44)SE

6500: 12.2(33)SXH1

Direct L2 Connection

Requires 12.2(33)SXI

Direct L3 Connection

Requires 12.2(33)SXH1

Sub-second convergence Sub-second convergence Seconds of convergence*

High AvailabilityDual-Active Protocols


High AvailabilityDual-Active: Detection and Recovery

Upon the restoration of one or more VSL interfaces, VSLP will detect this and will proceed to reload Switch 1 so that it will be

able to bootup in preferred Hot Standby role after bootup…

After role has been resolved and SSO Hot Standby mode is possible, interfaces will be brought up

and traffic will resume back to 100% capacity…

Dual Active Detection

Switch 1 Switch 2

Switch-1 will reload and boot up in Hot

standby role

Hot Standby

VSL

ActiveActive

Switch 1 Switch 2

VSL

Active

Dual Active Recovery

Switch-1 will shutdown all active

interfaces *


%DUAL_ACTIVE-SW1_SP-1-DETECTION: Dual-active condition detected:

all non-VSL and non-excluded interfaces have been shut down

VSS#show switch virtual dual-active summary

Pagp dual-active detection enabled: Yes

Bfd dual-active detection enabled: Yes

No interfaces excluded from shutdown in recovery

mode

In dual-active recovery mode: Yes

Triggered by: Pagp detection

Triggered on interface: Gi1/2/3

Switch 1 Switch 2

VSL

Dual-Active

Active Active

High AvailabilityDual-Active Recovery: Verification


High AvailabilityDual-Active Detection – Exclude Interfaces

Upon detection of a Dual Active scenario, all interfaces on the

previous-Active switch will be brought down so as not to disrupt

the functioning of the remainder of the network. The exception

interfaces include VSL members as well as pre-determined interfaces

which may be used for management purposes…

vs-vsl#conf t

Enter configuration commands, one per line. End with CNTL/Z.

vs-vsl(config)#switch virtual domain 100

vs-vsl(config-vs-domain)#dual-active exclude interface Gig 1/5/1

vs-vsl(config-vs-domain)#dual-active exclude interface Gig 2/5/1

vs-vsl(config-vs-domain)# ^Z

vs-vsl#


Agenda

Introduction

Architecture


High Availability

Summary


Benefit 1: Enables Virtualization


Benefit 2: Empowers Collaboration


Benefit 3: Improves Operations


Recommended Literature

www.cisco.com/go/vss

VSS Troubleshooting

Migration from Standalone to VSS

RMA Procedure

VSS FAQ

VSS White Paper

What’s New BulletinService Module Integration

VSS Design Guides

Best Practices

www.cisco.com/go/support


© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 53

Data Center Interconnect (DCI) via VSS


Point-to-Point Dark Fiber Transport

• 6500 VSS with Integrated DWDM optics

Leverage VSS/MEC for:

Loop Prevention

VLAN Load Balancing

Redundancy

Scalability

Site A Site B

DC Interconnect

WAN

Dark Fiber

DC Interconnect LAN ExtensionVSS Dark Fiber – 2 DC’s

BRKRST-2033 Deploying a Virtualized Campus Network Infrastructure


Site A

Site D

Site B

Site C* DWDM X2 availability 12.2(33)SXI

DC Interconnect LAN ExtensionVSS Over Dark Fiber – Multiple DC’s

Assumes dark fiber between sites

Distance limitations are given by DWDM

Number of sites can be 2 or more

Add 2 switches in main data centers

Switches use separate lambda to interconnect

These switches will form a VSS

VSL is 10Gbps


A B

Site A

Site D

Site B

Site C

DC Interconnect LAN Extension

From a layer 2 perspective this is a star topology

Etherchannel is used to provide load balancing

Use 8 Lambda


L2

L2

MPLS

• MPLS feature parity between VSS and standalone systems

• Leverage MPLS LDP, IGP and MP-BGP graceful-restart to offer

sub-second network recovery during VSS member failure

• MPLS deployment with VSS brings advantages both for L2

VPNs and L3 VPNs deployment scenarios:

L3 VPNs – MPLS VPN

• Operational simplification

• 50% reduction in number of PE devices (VRF definition, MP-iBGP configuration, …)

• No additional configuration required to provide load-balancing for VPN traffic

L2 VPNs – EoMPLS (P2P). VPLS (multpoint)

• Operational simplification

• Simpler PW redundancy solution with doubled forwarding capacity

* MPLS with VSS is only supported in 12.2(33)SXI2

PE

P

PE

L3L2

L2

DC Interconnect LAN ExtensionVSS with MPLS

Documents

Cisco Catalyst Virtual Switching System (VSS)palo/Rozne/cisco-expo-2009/Presentation... · Cisco Catalyst Virtual Switching System ... BRKRST-3468 © 2009 Cisco Systems, Inc