Cisco Catalyst Virtual Switching System (VSS)

BRKCRS-3468

Cisco Catalyst Virtual Switching System

2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2

Cisco Live & Networkers VirtualSpecial Offer Save $100Cisco Live has a well deserved reputation as one the industrys best educational values. With hundreds of sessions spanning foureducational programs Networkers, Developer Networker, Service Provider, IT Management, you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers.Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter slideshareFY11.


Agenda Topics VSS Introduction Architecture Hardware Requirements Migration to VSS High Availability Quad Sup Uplink Forwarding Software Upgrades Deployment Considerations & Best Practices Summary

Appendix Topics Operational Management Quality of Service Service Module Integration Deploying VSS with Server Virtualization Data Center L2 Interconnect via VSS


VSS Introduction

44

Agenda Topics


Current Network ChallengesEnterprise CampusTraditional Enterprise Campus deployments have been designed in such a way that allows for scalability, differentiated services and

high availability. However they also face many challenges, some of which are listed in the below diagram

Access

L2/L3 Distribution

L3 Core

FHRP, STP, Asymmetric routing,Policy Management

Extensive routing topology, Routing reconvergence

Single active uplink per VLAN (PVST), L2 reconvergence


Current Network ChallengesData Center

Traditional Data Center designs are increasingly requiring Layer 2 adjacencies between Server nodes due to the use of Server Virtualization technology. However, these designs are pushing the limits of Layer 2 networks, placing

more burden on loop-detection protocols such as Spanning Tree

L2/L3 Core

L2 Access

Dual-Homed Servers to single switch, Single active uplink per VLAN

(PVST), L2 reconvergence

Single active uplink per VLAN (PVST), L2 reconvergence, excessive BPDUs

FHRP, HSRP, VRRPSpanning Tree

Policy Management


VSS (Physical View)VSS (Physical View)

SiSi

Access Switch orToR or Blades

Server Server Server

10GE 10GE



802.3ad

Today (Today)Today (Today) VSS (Logical View)VSS (Logical View)

802.3ador

PagP802.3ad

orPagP 802.3ad

Simplifies operational Manageability via Single point of Management, Elimination of STP, FHRP etc

Doubles bandwidth utilization with Active-Active Multi-Chassis Etherchannel (802.3ad/PagP) Reduce Latency

Minimizes traffic disruption from switch or uplink failure with Deterministic subsecond Stateful and Graceful Recovery (SSO/NSF)

Catalyst 6500 Virtual Switching SystemOverview

SiSi SiSi SiSiSiSi


Virtual Switching System Enterprise CampusA Virtual Switching System-enabled Enterprise Campus network takes on multiple benefits including simplified management &

administration, facilitating greater high availability, while maintaining a flexible and scalable architecture

Access

L2/L3 Distribution

L3 Core

No FHRPsNo Looped topologyPolicy Management

Reduced routing neighbors, Minimal L3 reconvergence

Multiple active uplinks per VLAN, No STP convergence


Virtual Switching System Data CenterA Virtual Switching System-enabled Data Center allows for maximum

scalability so bandwidth can be added when required, but still providing a larger Layer 2 hierarchical architecture free of reliance on Spanning Tree

L2/L3 Core

L2 Distribution

L2 Access

Dual-Homed Servers, Single active uplink per VLAN (PVST), Fast L2 convergence

Dual Active Uplinks, Fast L2 convergence, minimized L2 Control

Plane, Scalable

Single router node, Fast L2 convergence, Scalable architecture


VSS Architecture

1010

Agenda Topics


Introduction to Virtual Switching SystemConcepts


Virtual Switching System ArchitectureVirtual Switch Link (VSL)The Virtual Switch Link joins the two physical switch together - it

provides the mechanism to keep both the chassis in sync

A Virtual Switch Link bundle can consist of up

to 8 x 10GE linksAll traffic traversing the VSL link is encapsulated with a 32 byte Virtual Switch Header containing ingress and egress switchport indexes, class of service (COS), VLAN number, other important information from the layer 2 and layer 3 header

Control plane uses the VSL for CPU to CPU communications while the data plane uses the VSL to extend the internal chassis fabric to the remote chassis

Virtual Switch Active

Virtual Switch Standby

Virtual Switch Link

VS HeaderVS Header L2 HdrL2 Hdr L3 HdrL3 Hdr Data Data CRCCRC


Virtual Switching System ArchitectureInitialization

Before the Virtual Switching System domain can become active, the Virtual Switch Link must be brought online to determine Active and Standby roles.

The initialization process essentially consists of 3 steps:

Role Resolution Protocol (RRP) used to determine compatible Hardware and Software versions to form the VSL as well as determine which switch becomes

Active and Hot Standby from a control plane perspective

Role Resolution Protocol (RRP) used to determine compatible Hardware and Software versions to form the VSL as well as determine which switch becomes

Active and Hot Standby from a control plane perspective

LMPLMPRRPRRP

Link Management Protocol (LMP) used to track and reject Unidirectional Links, Exchange Chassis ID and other information between the 2 switches

Link Management Protocol (LMP) used to track and reject Unidirectional Links, Exchange Chassis ID and other information between the 2 switches

Link Bringup to determine which ports form the VSLLink Bringup to determine which ports form the VSL1

2

3

LMPLMPRRPRRP


Virtual Switching System ArchitectureVSLP PingA new ping mechanism has been implemented in VSS mode to allow

the user to objectively verify the health of the VSL itself. This is implemented as a VSLP Ping

VSL

Switch1 Switch2VSLP PingVSLP Ping

vss#ping vslp output interface tenGigabitEthernet 1/5/4 Type escape sequence to abort.Sending 5, 100-byte VSLP ping to peer-sup via output port 1/5/4, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms

The VSLP Ping operates on a per-physical interface basis and parameters such as COUNT, DESTINATION, SIZE, TIMEOUT may also be specified

VSLP PingVSLP Ping

VSLP PingVSLP PingVSLP PingVSLP Ping


Virtual Switching System ArchitectureVSL Configuration Consistency Check

After the roles have been resolved through RRP, a Configuration Consistency Check is performed across the VSL switches to ensure proper VSL operation.

The following items are checked for consistency:

Switch Virtual Domain IDSwitch Virtual Domain IDSwitch Virtual Switch IDSwitch Virtual Switch ID

Switch PrioritySwitch PrioritySwitch PreemptSwitch Preempt

VSL Port Channel Link IDVSL Port Channel Link IDVSL Port state, interfacesVSL Port state, interfacesPower Redundancy modePower Redundancy modePower Enable on VSL cardsPower Enable on VSL cards

Note that if configurations do not match, the Hot-Standby Supervisor will revert to RPR mode, disabling all non-VSL interfaces

Note that if configurations do not match, the Hot-Standby Supervisor will revert to RPR mode, disabling all non-VSL interfaces

Virtual Switch


Virtual Switching SystemUnified Control Plane One supervisor in each chassis with inter-chassis Stateful Switchover (SSO) method in with one supervisor is ACTIVE and other in HOT_STANDBY mode

Active/Standby supervisors run in synchronized mode (boot-env, running-configuration, protocol state, and line cards status gets synchronized)

Active supervisor manages the control plane functions such as protocols (routing, EtherChannel, SNMP, telnet, etc.) and hardware control (Online Insertion Removal, port management)

Active SupervisorSF RP PFC

CFC or DFC Line Cards



CFC or DFC Line CardsCFC or DFC Line CardsStandby HOT Supervisor

SF RP PFCVSL





CFC or DFC Line CardsCFC or DFC Line Cards


SSO Synchronization


Virtual Switching SystemDual Active Forwarding Planes

Both forwarding planes are active Standby supervisor and all linecards including DFCs are actively forwardingVSS# show switch virtual redundancyMy Switch Id = 1 Peer Switch Id = 2

Switch 1 Slot 5 Processor Information :-----------------------------------------------Current Software state = ACTIVE Fabric State = ACTIVEControl Plane State = ACTIVESwitch 2 Slot 5 Processor Information :-----------------------------------------------

Current Software state = STANDBY HOT (switchover target) Fabric State = ACTIVEControl Plane State = STANDBY

Data PlaneActive

Data Plane Active

SiSiSiSi

Switch1 Switch2


Virtual Switching System ArchitectureVirtual Switch Domain

A Virtual Switch Domain ID is allocated during the conversion process and represents the logical grouping the 2 physical chassis within a VSS. It is

possible to have multiple VS Domains throughout the network

Use a UNIQUE VSS Domain-ID for each VSS Domain throughout the network.Various protocols use Domain-IDs to uniquely identify each pair.

Use a UNIQUE VSS Domain-ID for each VSS Domain throughout the network.Various protocols use Domain-IDs to uniquely identify each pair.

VSS Domain 10

VSS Domain 30VSS Domain 20


Virtual Switching System ArchitectureRouter MAC Address AssignmentIn a Virtual Switching System, there is only one router MAC address

to represent both physical chassis as a single logical device.

Router MAC = burnt-in or virtual mac-address

By default, the MAC address allocated to the Virtual Switching System is taken from the first Active Switch burnt-in MAC-address, which is negotiated at system initialization. Regardless of either switch being brought down or up in the future, the same MAC address will be retained such that neighboring network nodes and hosts do not need to re-learn a new address.

Recommendation is to use the virtual mac-address option. This eliminates the possibility of a duplicate MAC address in case the original Supervisor is ever reused within the same network.

Recommendation is to use the virtual mac-address option. This eliminates the possibility of a duplicate MAC address in case the original Supervisor is ever reused within the same network.


Virtual Switching System ArchitectureVirtual Router MAC Address Assignment

Instead of using default chassis mac-address assignment, from 12.2(33)SXH2 onwards virtual mac-address can be specified as shown below

VSS(config-vs-domain)#switch virtual domain 10VSS(config-vs-domain)#mac-address use-virtual Configured Router mac address is different from operational value. Change will take effect after config is saved and the entire Virtual Switching System (Active and Standby) is reloaded.

The use-Virtual MAC address is assigned from a reserved pool of MAC addresses appended with the VSS domain id. The reserved pool is 0008.e3ff.fc00 to 0008.e3ff.ffff.

The use-Virtual MAC address is assigned from a reserved pool of MAC addresses appended with the VSS domain id. The reserved pool is 0008.e3ff.fc00 to 0008.e3ff.ffff.

VSS# show interface vlan 1Vlan1 is up, line protocol is up

Hardware is EtherSVI, address is 0008.e3ff.fc0a (bia 0008.e3ff.fc0a)


Virtual Switching System ArchitectureMultichassis EtherChannel (MEC)

Prior to the Virtual Switching System, Etherchannels were restricted to reside within the same physical switch. In a Virtual Switching environment, the two

physical switches form a single logical network entity - therefore Etherchannels can now be extended across the two physical chassis

Regular Etherchannel on single chassis

Multichassis EtherChannel across 2 VSS-enabled chassis

VSS

Both LACP and PAGP Etherchannel protocols and Manual ON modes are

supported

Both LACP and PAGP Etherchannel protocols and Manual ON modes are

supported

Standalone


Virtual Switching System ArchitectureEtherChannel Hash for MEC

Link 1 Link 2

Etherchannel hashing algorithms are modified in VSS to always favor locally attached interfaces

Etherchannel hashing algorithms are modified in VSS to always favor locally attached interfaces

Blue Traffic destined for the Server will

result in Link 1 in the MEC link bundle being

chosen as the destination path

Orange Trafficdestined for the Server will result in Link 2 in the MEC link bundle being chosen as the destination path


Etherchannel ConceptsEtherchannel Hash Distribution

The default hashing algorithm will redistribute all the Result Bit Hash values across the available ports when there is a change. This affects all traffic traversing the Etherchannel

RBH (for MEC)2 Link Bundle ExampleLink 1 Link 2Flow 1Flow 1 Flow 2Flow 2Flow 3Flow 3 Flow 4Flow 4Flow 5Flow 5 Flow 6Flow 6Flow 7Flow 7 Flow 8Flow 8

RBH (for MEC)3 Link Bundle Example

Flow 1Flow 1 Flow 2Flow 2Flow 4Flow 4 Flow 5Flow 5Flow 7Flow 7 Flow 8Flow 8

Flow 3Flow 3Flow 6Flow 6

Link 1 Link 2 Link 3

Links 1,2 Links 3,4Links 1,2,3 Links 4,5,6


Etherchannel ConceptsEtherchannel Hash Distribution Adaptive

Adaptive Hash Distribution Enhancement allows for the addition or removal of links in a bundle without affecting all of the traffic in an Etherchannel. Note in the below example, only Flow 7 and 8 are affected by the addition of an extra link to the Channel



Flow 1Flow 1 Flow 2Flow 2Flow 3Flow 3 Flow 4Flow 4Flow 5Flow 5 Flow 6Flow 6

Flow 7Flow 8Flow 8

Link 1 Link 2Flow 1Flow 1 Flow 2Flow 2Flow 3Flow 3 Flow 4Flow 4Flow 5Flow 5 Flow 6Flow 6Flow 7Flow 7 Flow 8Flow 8

Link 1 Link 2 Link 3

vss#conf tEnter configuration commands, one per line. End with CNTL/Z.vss(config)#port-channel hash-distribution adaptivevss(config)# ^Zvss#

vss#conf tEnter configuration commands, one per line. End with CNTL/Z.vss(config)#port-channel hash-distribution adaptivevss(config)# ^Zvss#

Available in 12.2(33)SXHAvailable in 12.2(33)SXH

2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 25 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

EtherChannel ConceptsEtherChannel Hash

vss#show etherchannel load-balance hash-result interface port-channel 120 switch 1 ip 192.168.220.10 192.168.10.10

Computed RBH: 0x4Would select Gi1/2/1 of Po120

A command can be invoked to assist in determining which link in the bundle will be used - it can use various hash inputs to yield an 8-bucket RBH value

that will correspond to one of the port channel members

Note: specify switch when using hash result command, if not VSS assumes switch while commuting hash results from the hardware.


Virtual Switching System Architecture MEC Load-Balance Schemes

VSS(config)#port-channel load-balance ?dst-ip Dst IP Addrdst-mac Dst Mac Addrdst-mixed-ip-port Dst IP Addr and TCP/UDP Portdst-port Dst TCP/UDP Portmpls Load Balancing for MPLS packetssrc-dst-ip Src XOR Dst IP Addrsrc-dst-mac Src XOR Dst Mac Addrsrc-dst-mixed-ip-port Src XOR Dst IP Addr and TCP/UDP Portsrc-dst-port Src XOR Dst TCP/UDP Portsrc-ip Src IP Addrsrc-mac Src Mac Addrsrc-mixed-ip-port Src IP Addr and TCP/UDP Portsrc-port Src TCP/UDP Port


VSS Hardware and Software Requirements

2727

Agenda Topics


In order to enable the Virtual Switching System feature and configure the Virtual Switch Links (VSL) between 2 Catalyst 6500chassis, the new Catalyst 6500 Virtual Switching Supervisor 720 is required to be used. It is the only Supervisor that will support VSS

as it supports both the new PFC3C/XL forwarding engine

The PFC3C/XL contains new hardware to support the extra LTL indices and mappings required to forward traffic across

multiple physical chassis, lookup enhancements as well as MAC address table handling enhancementsVS-S720-10G-3C/XL

12.2(33)SXH1 or later

VSS RequirementsHardware


Hardware RequirementsVSL-Capable Interfaces

The VSL requires new port ASICs that exist only on the 10 GigabitEthernet interfaces on the following modules:

These interfaces are based off the new port ASIC, allowing for frames across the VSL to be encapsulated / de-encapsulated

with the VSH

These interfaces are based off the new port ASIC, allowing for frames across the VSL to be encapsulated / de-encapsulated

with the VSH

WS-X6708-10G-3C/XL

VS-S720-10G-3C/XLWS-X6716-10G-3C/XL *

* Support for VSL from 12.2(33)SXI onwards

Note: These interfaces may also be used as standard network interfaces


VSS Hardware RequirementsVSS Supported Ethernet ModulesModule Descripiton Status

WS-X6704-10G-3C/XL 10GE Linecard 12.2(33)SXH1WS-X6708-10G-3C/XL 10GE Linecard 12.2(33)SXH1

WS-X6716-10G-3C/XL 10GE Linecard 12.2(33)SXH1

WS-X6724-SFP 1000BASE-X Linecard 12.2(33)SXH1

WS-X6748-SFP 1000BASE-X Linecard 12.2(33)SXH1

WS-X6748-GE-TX 10/100/1000 BASE-TX Linecard 12.2(33)SXH1

7600-SIP-400 SIP 400 with Ethernet & PoS SPA Interfaces

12.2(33)SXI4


VSS Hardware RequirementsService Module Support

Module Description VSS Minimum Software

Service Module Minimum Software

ACE10/ACE 20-6500-K9 Application Control Engine (ACE) 12.2(33)SXI A2(1.2)WS-SVC-FWSM-1-K9 Firewall Services Module (FWSM) 12.2(33)SXI 4.0(4)

WS-SVC-IDSM2-K9 Intrusion Detection System Services Module (IDSM-2)

12.2(33)SXI 6.0(2)E1

WS-SVC-NAM-1WS-SVC-NAM-2

Network Analysis Module (NAM1)Network Analysis Module (NAM2)

12.2(33)SXH1 3.6(1a)

WS-SVC-WISM-1-K9 Wireless Services Module (WiSM) 12.2(33)SXI 3.2.171.6

WS-SVC-FWM-1-K9

Firewall Services Module (FWSM)Application Control Engine (ACE)

ACE10/ACE 20-6500-K9

WS-SVC-NAM-1 WS-SVC-NAM-2

Network Analysis Module (NAM 1&2)WS-SVC-WISM-1-K9

Wireless Services Module (WiSM)

WS-SVC-IDSM2-K9

Intrusion Detection System Services Module (IDSM-2)


Hardware RequirementsSup720-10G-VSS PFC3C Interoperability With DFC

Sup720-10G-VSS Non-VSS Mode System wide PFC

Mode

Sup720-10G-VSS VSS Mode

System wide PFC Mode

DFC3C PFC3C PFC3CDFC3B PFC3B* Not SupportedDFC3A PFC3A* Not SupportedDFC2 Not Supported Not SupportedCFC PFC3C PFC3C

Classic PFC3C Not supported* Non-VSS mode, inserting DFC3A or DFC3B will be powered down

until a reload, Up on reload systems runs in lowest common denominator DFC mode.


Supported with 12.2(33)SXI1 (CCO 03/31/09) Supported with 12.2(33)SXI1 (CCO 03/31/09)

Please refer to the SXI1 product bulletin for more informationhttp://www.cisco.com/en/US/products/ps9336/prod_bulletins_list.html

Before12.2(33)SXI1Before12.2(33)SXI1

VSS 1440 Mode Not SupportedVSS 1440 Mode Not SupportedIOS IP Base(available with bundles only)

IOS IP Base(available with bundles only)

12.2(33)SXI1And newer12.2(33)SXI1And newer

IOS IP Servicesand AboveIOS IP Servicesand Above

VSS 1440 Mode SupportedVSS 1440 Mode Supported

VSS 1440 ModeSupportedVSS 1440 ModeSupported

VSS 1440 ModeSupportedVSS 1440 ModeSupported

Software RequirementsVSS Packaging


Migration to VSS

3434

Agenda Topics


Migration Steps between Distribution and Access-layer

1. Modify FHRP Configuration2. Configure Multichassis

Etherchannel3. Move L2 Trunk configuration to

MEC interfaces 4. Move Policies to MEC if needed5. Keep Spanning-Tree Enabled

Migration Steps between Distribution and Access-layer

1. Modify FHRP Configuration2. Configure Multichassis

Etherchannel3. Move L2 Trunk configuration to

MEC interfaces 4. Move Policies to MEC if needed5. Keep Spanning-Tree Enabled

Migration Steps between Distribution and core

1. Configure MEC2. Remove Routing Statements

which are not needed.

Migration Steps between Distribution and core

1. Configure MEC2. Remove Routing Statements

which are not needed.

Access

L2/L3 Distribution

L3 Core

Expect Network Disruption During Conversion Process Prepare in advance to minimize downtime

Expect Network Disruption During Conversion Process Prepare in advance to minimize downtime

Migration to VSSOverview


Migration to VSSConversion Process

The conversion process requires configuration steps on both switches that will form part of the Virtual Switch Domain and requires a reboot of

both switches during the conversion

Standalone VSS



For the purposes of this explanation - lets assume the following setup is required

Virtual Switch LinkT5/4

T5/5

T5/4

T5/5

Port-Channel 1 Port-Channel 2

Switch Virtual Domain #100

Switch1 Switch2


Migration to VSS Conversion Process

Configuration for the conversion takes the following pathSwitch2

Router(config)#host VSSVSS(config)#switch virtual domain 100 Domain ID 10 config will take effect onlyafter the exec command 'switch convert mode virtual' is issued

VSS(config-vs-domain)#switch 1VSS(config-vs-domain)#exitVSS(config)#interface port-channel 1VSS(config-if)#switch virtual link 1VSS(config-if)#interface range tenG 5/4 - 5 VSS(config-if-range)#channel-group 1 mode on

Router(config)#host VSSVSS(config)#switch virtual domain 100Domain ID 10 config will take effect onlyafter the exec command 'switch convert mode virtual' is issued

VSS(config-vs-domain)#switch 2VSS(config-vs-domain)#exitVSS(config)#interface port-channel 2VSS(config-if)#switch virtual link 2VSS(config-if)#interface range tenG 5/4 - 5 VSS(config-if-range)#channel-group 2 mode on

Switch1

1

2

3


Configuration for the conversion takes the following path

vss#switch convert mode virtualThis command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch.Do you want to proceed? [yes/no]: yesConverting interface namesBuilding configuration...[OK]Saving converted configuration to bootflash: ...Destination filename [startup-config.converted_vs-20071031-150039]?

AT THIS POINT THE SWITCH WILL REBOOT

Switch2

vss#switch convert mode virtualThis command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch.Do you want to proceed? [yes/no]: yesConverting interface namesBuilding configuration...[OK]Saving converted configuration to bootflash: ...Destination filename [startup-config.converted_vs-20071031-150039]?

AT THIS POINT THE SWITCH WILL REBOOT

Switch1


4


Configuration for the conversion takes the following pathSWITCH CONSOLE OUTPUT

System detected Virtual Switch configuration...Interface TenGigabitEthernet 1/5/4 is member of PortChannel 1 Interface TenGigabitEthernet 1/5/5 is member of PortChannel 1

00:00:26: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switchInitializing as Virtual Switch ACTIVE processor

00:01:19: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP

00:01:19: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4

SWITCH CONSOLE OUTPUT


00:00:26: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switchInitializing as Virtual Switch STANDBY processor

00:01:02: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP00:01:02: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4

Switch1 Switch2




vss-demo# switch accept mode virtualinterface Port-channel2switch virtual link 2no shutdowninterface TenGigabitEthernet2/5/4channel-group 2 mode onno shutdowninterface TenGigabitEthernet2/5/5channel-group 2 mode onno shutdown

This command will populate the above VSL configuration from the standby switch into the running configuration.The startup configuration will also be updated with the new merged configuration if merging is successful.Do you want to proceed? [yes/no]: yesMerging the standby VSL configuration...Building configuration...00:11:33: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router. [OK]


Copyright (c) 1986-2007 by Cisco Systems, Inc.Compiled Wed 10-Oct-07 01:02 by chrisvan00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFFvss-sdby>Standby console disabledvss-sdby>

Switch2Switch1

Migration to VSSConversion Process Last Critical Step(No Longer required in SXI3 or newer)

5



vss-demo# switch accept mode virtualThis command is no longer required since standby VSL configuration merge is done automatically.vss-demo#


Copyright (c) 1986-2007 by Cisco Systems, Inc.Compiled Wed 10-Oct-07 01:02 by chrisvan00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFFvss-sdby>Standby console disabled

vss-sdby>

Switch2Switch1

Migration to VSSConversion Process Last Critical Step is Automated in SXI3 or newer

5


Configuration for the conversion takes the following path

Both switches are now converted with Switch1 - VSS Active

Switch2 - VSS Hot standby

Switch 2 console is now disabled for normal console activity

vss-sdby>enableStandby console disabledvss-sdby>

Switch2Switch1

vss# sh switch virtual Switch mode : Virtual SwitchVirtual switch domain number : 10Local switch number : 1Local switch operational role: Virtual Switch ActivePeer switch number : 2Peer switch operational role : Virtual Switch Standbyvss#



Virtual Switching System ArchitectureVSL Initialization

Sup720-10GESF RP PFC





Sup720-10GESF RP PFC

VSLCFC or DFC Line Cards






Initialization1 Initialization1Pre-Parse Config2 Pre-Parse Config2

Bring up VSL Linecards and VSL Ports3

Bring up VSL Linecards and VSL Ports3

Run VSLP4 Run VSLP4Run RRP5 Run RRP5

Inter-chassis SSO6 Inter-chassis SSO6Continue System Bootup7 Continue System Bootup7

VSLPRRPACTIVE Standby Hot


VS-S720-10GArchitecture: VSL Inband ConnectionAllows for the VSL ports to be brought online very early in the boot process


High Availability

4646

Agenda Topics


High AvailabilityRedundancy Schemes

Default redundancy mechanism between the two VSS chassis and their associated supervisors is NSF/SSO

VSL

If a mismatch of information occur between the Active & Standby, the Standby will revert to RPR modeStarting 12.2(33)SXI, minor mis-match in software will be still keep the switch in SSO mode

Switch112.2(33)SXH1

Switch212.2(33)SXH1

Switch112.2(33)SXH1

Switch212.2(33)SXH2

Switch112.2(33)SXI

Switch212.2(33)SXI1

Active Standby

Active

Active

Standby

Standby

VSL

VSL

RPR

NSF/SSO

NSF/SSO


Virtual Switch Hot Standby

Virtual Switch Active

Virtual Switching System

Virtual Switch ActiveSwitch Is down

Virtual Switch Active incurs a supervisor outage1

2 Standby Supervisor takes over as Virtual switch ActiveVirtual Switch Standby initiates

graceful restart Non Stop forwarding of packets will

continue using hardware entries as Switch-2 assumes active role

NSF aware neighbors exchangeupdates with Virtual Switch Active

Switch1 Switch2

Switch2Switch1Virtual Switching System

Virtual Switching SystemInter Chassis NSF/SSO


VSL

Switch112.2(33)SXH1Active

Switch212.2(33)SXH1Hot Standby

NSF feature with SSO minimizes the amount of traffic loss following supervisor switchover while continuing to forward traffic using hardware entries. In VSS

environment this feature is required to minimize traffic disruption in the event such as supervisor failure that causes supervisor switchover.

VSS#config tVSS(config)#router ospf 1VSS(config-router)#nsfVSS#show ip ospf Routing Process "ospf 10" with ID 192.168.2.1Start time: 00:15:29.344, Time elapsed: 23:12:03.484Supports only single TOS(TOS0) routesExternal flood list length 0Non-Stop Forwarding enabledIETF NSF helper support enabledCisco NSF helper support enabledReference bandwidth unit is 100 mbps

NSF is supported by the BGP, EIGRP, OSPF & IS-IS

NSF/SSO

High AvailabilityNSF/SSO


High AvailabilityNSF/SSO Requirements

After the roles have been resolved through RRP, a Configuration Consistency Check is performed across the VSS switches to ensure proper VSL operation.

The following items are checked for consistency:

Switch Virtual Domain IDSwitch Virtual Domain IDSwitch Virtual Switch IDSwitch Virtual Switch ID

Switch PrioritySwitch PrioritySwitch PreemptSwitch Preempt

VSL Port Channel Link IDVSL Port Channel Link IDVSL Port state, interfacesVSL Port state, interfacesPower Redundancy modePower Redundancy modePower Enable on VSL cardsPower Enable on VSL cards

Additionally, software version, installed patches and PFC modes also need to be consistent for NSF/SSO mode to be entered

Additionally, software version, installed patches and PFC modes also need to be consistent for NSF/SSO mode to be entered


High AvailabilityFailure of MEC member Upstream Traffic

SiSi SiSi

SiSi SiSi

Convergence is determined by Access device Etherchannel

convergence - typically 200ms Typically only the flows

on the failed link are effected


High AvailabilityFailure of MEC member Downstream Traffic

SiSi SiSi

SiSi SiSi

Convergence is determined by VSS VSS Etherchannel

convergence Typically Sub - 200ms Only the flows on the

failed link are effected


High AvailabilityDual-Active Detection

In a Virtual Switching System Domain, one switch is elected as Active and the other is

elected as Standby during boot up by VSLP. Since the VSL is always configured as a Port Channel, the possibility of the

entire VSL bundle going down is remote, however it is a possibility

Recommendation is to deploy the VSL with two or more links and distribute those interfaces across multiple modules to ensure the highest redundancy

Recommendation is to deploy the VSL with two or more links and distribute those interfaces across multiple modules to ensure the highest redundancy

Active Hot Standby

Switch1 Switch2

VSL


Active

Switch1 Switch2

VSL

High AvailabilityDual-Active Detection

If the entire VSL bundle should happen to go down, the Virtual Switching System Domain will enter a Dual Active scenario where both switches transition to Active state and share the same network configuration (IP

addresses, MAC address, Router IDs, etc) potentially causing communication problems through the network

3 Step Process Dual-Active detection using the detection

method enabled in the system. 1

Dual-Active recovery, when VSL recovers , the switch that has all its interfaces brought down in the previous step will reload to boot in a preferred standby state

Further network disruption is avoided by disabling previous VSS active switch interfaces connected to neighboring devices .

2

3 Active


Enhanced PAgPP AG P+ TL V

P AG P+ TL V

P A GP + TLV

P A GP + TLV

Hot StandbyActive

Switch 1 Switch 2

IP-BFD

Switch 1

VSLPVSLP VSLPVSLP BFDBFD BFDBFD

Switch 2

Hot StandbyActive

Switch 1 Switch 2

Hot StandbyActive

VSLP Fast Hello

Requires ePagP capable neighbor :

3750: 12.2(46)SE 4500: 12.2(44)SE 6500: 12.2(33)SXH1

Direct L2 Connection Requires 12.2(33)SXI

Direct L3 Connection Requires 12.2(33)SXH1

Sub-second convergence Sub-second convergence Seconds of convergence*

High AvailabilityDual-Active Protocols


VSL

%DUAL_ACTIVE-SW1_SP-1-DETECTION: Dual-active condition detected: all non-VSL and non-excluded interfaces have been shut down

VSS#show switch virtual dual-active summary Pagp dual-active detection enabled: YesBfd dual-active detection enabled: YesNo interfaces excluded from shutdown in recovery modeIn dual-active recovery mode: Yes

Triggered by: Pagp detectionTriggered on interface: Gi1/2/3

Dual-Active Detected

Active Standby

High AvailabilityDual-Active: Recovery Mode

ActiveRecovery


High AvailabilityDual Active: Recovery Mode

Important ! Do not make any configuration changes while in the Dual Active Recovery mode. Important ! Do not make any configuration changes while in the Dual Active Recovery mode.

Switch 1 Switch 2

VSLRecovery Active

If the config is changed the system will not automatically recover once the VSL becomes active againOne must issue the write memory command and then reload the switch in recovery mode using the reload shelfcommand


High AvailabilityDual-Active Detection Exclude Interfaces

Upon detection of a Dual Active scenario, all interfaces on the previous-Active switch will be brought down so as not to disrupt

the functioning of the remainder of the network. The exclude interfaces include VSL port members as well as any pre-configured ports which may be used for management

purposes

vs-vsl#conf tEnter configuration commands, one per line. End with CNTL/Z.vs-vsl(config)#switch virtual domain 100vs-vsl(config-vs-domain)#dual-active exclude interface Gig 1/5/1vs-vsl(config-vs-domain)#dual-active exclude interface Gig 2/5/1vs-vsl(config-vs-domain)# ^Zvs-vsl#


High AvailabilityDual-Active: Restoration

Upon the restoration of one or more VSL interfaces, VSLP will detect this and will proceed to reload Switch 1 so that it will be able to bootup in preferred Hot Standby role after bootup

Switch 1 Switch 2

VSLActiveRecovery

Switch-1 shutdown all active interfaces *Switch-1 shutdown all active interfaces *

RecoveryRecovery

R

Switch-1 will reload and boot up in Hot

standby roleSwitch-1 will reload and boot up in Hot

standby role

Hot Standby

Switch 1 Switch 2

VSLActive

RestorationRestoration


Quad-Sup Uplink Forwarding

6060

Agenda Topics


VSS Redundant Supervisor Support

A Supervisor failure event will down the affected chassis decreasing the VSS bandwidth by 50%

Certain devices may only single-attach to the VSS for various reasons

Service Modules/ServersGeographic separation of VSS chassisCosts $$

Supervisor failure events therefore require manual intervention for recovery of the affected chassis

Uplinks are not active when the Supervisor is in ROMMON modeUndeterministic outage timeRelies on manual process to install and convert the new Supervisor with current VSS configuration

Why Redundant Supervisors Are Needed

SiSiSiSi


VSS Quad-Sup Uplink Forwarding

In the initial VSS release a redundant In-Chassis Supervisor is not supported

Will stop its boot process at the ROMMON stage

Quad-Sup Uplink ForwardingA Second Supervisor installed in the chassis will boot as a Linecard with all of its ports activeNew in 12.2(33)SXI4

If the active Supervisor in the chassis should fail the In-Chassis Standby will reload and then take over the chassis Supervisor functions without human intervention

Provides Active Uplinks in the Standby Supervisor with Deterministic Recovery From a Supervisor Failure

SiSiSiSi

R = Reload

R

1. Supervisor Failure event 2. Chassis reloads3. In-chassis Standby now

becomes VSS standby and chassis dataplane is active again


STANDBY COLD

SiSi SiSiSSO ActiveSSO Active SSO HotSSO Hot--StandbyStandby

RPR RPR --WarmWarm RPR RPR --WarmWarmVSLVSL

SwitchSwitch--11 SwitchSwitch--22

Virtual Switching System (VSS)Quad-Sup Control Plane Redundant supervisors fully boot Cisco IOS to RPR-WARM redundancy mode


STANDBY COLD

SiSi SiSiActiveActive ActiveActive

ActiveActive ActiveActiveVSLVSL


Virtual Switching System (VSS)Quad-Sup- Data plane

From data plane perspective the RPR-Warm supervisor operates similarly to a DFC-enabled line card. Forwarding tables are in sync and data plane is active for module uplinks


Virtual Switching System (VSS)All Uplinks Active in RPR-WARM Redundancy Mode

SiSi

Standby HOT Supervisor

SF RP PFC

SiSi

Active Supervisor

SF RP PFC

Standby HOT Supervisor

VSLVSL


SF PFC

RPR-WARM

= Uplinks

SiSiSiSi

SF PFC

RPR-WARM

PFC and crossbar fabric of the In-chassis standby supervisor are active. Use at least one of the ten gigabit interfaces from each supervisor to build the

VSL. Remaining ports can be used for other purposes including uplinks.


100%

50%

Switch-2

= Line Cards Active

STANDBY COLD

SiSi SiSiSSO ActiveRPR-Warm RPR-Warm

VSLVSL

Switch-1

Virtual Switching System (VSS)Active Supervisor Hardware Failure

SSO Hot Standby

1Active VSS supervisor

incurs a hardware failure

Duration

AvailableBandwidth

SSO

SW1

SW2 SW2


100%

50%

Switch-2

= Line Cards Active

SSO = SSO Switchover

STANDBY COLD

SiSi SiSiRPR-WarmVSLVSL

Switch-1

SW1


SSO Active

21. SSO failover to the

hot-standby supervisor in switch-2

2. Switch-1 reloads and comes back online.

3. 50% bandwidth is available during switch-1 reload

SSO

SW2

2

R

R = Reload

Duration

AvailableBandwidth

SW2 SW2


100%

50%

Switch-2

= Line Cards Active

R = Reload

STANDBY COLD

SiSi SiSiRPR WarmVSLVSL

Switch-1


SSO Active

1. Switch-1 comes online2. Previous RPR warm

supervisor resumes SSO hot standby state

3. The failed supervisor boots up in RPR warm mode.

4. 100% Bandwidth is available leveraging both switches

SSO Hot StandbyRPR Warm

32

3

Duration

AvailableBandwidth

SW2

SW1

SW2 SW2

SW1

SW2


The following graph illustrates the aggregate traffic for the VSS system during the active supervisor failover with and without dual supervisor support.

Deterministic supervisor failure recovery

Virtual Switching System (VSS)Active Supervisor Failover

100%

50%SW2 SW2

1 2 3

100%

50%SW2 SW2

1 2 3

Un-deterministic supervisor failure recovery

SW2

Pre SXI4

12.2(33)SXI4

Duration

AvailableBandwidth

AvailableBandwidth

Duration

SW1

SW1 SW1


VSS Quad-Sup Uplink Forwarding Redundancy Mode

VSS DomainVSS Switch 1(SSO Active)In-Chassis Active

In-Chassis Standby

(RPR- WARM)

VSS Switch 2(SSO Hot Standby)In-Chassis Active

In-Chassis Standby

(RPR- WARM)

RPR-Warm is a new redundancy mode created for the VSS In-chassis Standby Supervisor RPR-Warm mode allows the Supervisor to operate primarily as a linecard, but with some synchronization with the In-Chassis Active Supervisor (Synchronization does not occur across chassis)Supervisor uplink ports are operational and active just like on a linecard


VSS In-Chassis Standby RPR-WARM Redundancy Mode

In-Chassis Standby SupervisorDownloads and boots new image file Sup720-LCSP runs the Sup720-LC imageRP is in ROMMONOperates mostly as a DFC enabled line cardSome Supervisor subsystems are synched between In-Chassis Active and Standby

Subsystems synched includeStartup-configVlan.datBOOT ROMMON variableCONFIG_FILE ROMMON variableBOOTLDR ROMMON variableDIAG ROMMON variableSWITCH_NUMBER ROMMON variable

VSS Chassis with Dual SupervisorsRunning Quad-Sup Forwarding


VSS In-Chassis Standby Boot Process

Standby

Yes

No

Active

Begin Boot Sup720-LC

image

Begin Boot Sup720-LC

image

In-Chassis Role

Negotiation

In-Chassis Role

Negotiation

Virtual SwitchVirtual Switch

Boot as Line Card(RPR-WARM)

Boot as Line Card(RPR-WARM)

ReloadReload

Standby

Active

Yes

No

Boot Sup720 image

(Initialize)

Boot Sup720 image

(Initialize)

In-Chassis Role

Negotiation

In-Chassis Role

Negotiation

Virtual SwitchVirtual Switch

Existing process for SSO mode

Existing process for SSO mode

Warm Upgrade to Sup720-LC

image

Warm Upgrade to Sup720-LC

image

Start


In-Chasss Standby Booting to Sup-LC Image


*Apr 5 20:27:50.747: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.Firmware compiled 02-Mar-10 17:41 by integ Build [100]*Apr 5 20:27:50.747: %PFREDUN-6-STANDBY: Initializing as STANDBY processor for this switch!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Decompressing the image : ################################################################################################################################################################################# [OK]Launching the SPLC image!

Restricted Rights Legend


Virtual Switching System (VSS)Dual Supervisor Redundancy LED

SSO Active SSO Standby RPR Warm

Redundancy Led status

Blinking OrangeOrange (amber)Green


Virtual Switching System (VSS)Quad Supervisor Uplink Forwarding Redundancy

CLI Verification Router#sh mod Mod Ports Card Type Model Serial No.--- ----- -------------------------------------- ------------------ -----------

5 5 Supervisor Engine 720 10GE (Active) VS-S720-10G SAD1205069Y6 5 Supervisor Engine 720 10GE (RPR-Warm) VS-S720-10G SAD1205065B

Mod MAC addresses Hw Fw Sw Status--- ---------------------------------- ------ ------------ ------------ -------

5 001e.4aaa.ee70 to 001e.4aaa.ee77 2.0 8.5(2) 12.2(2009050 Ok6 001e.4aaa.ed58 to 001e.4aaa.ed5f 2.0 8.5(2) 12.2(2009042 Ok

Mod Sub-Module Model Serial Hw Status---- --------------------------- ------------------ ----------- ------- -------

5 Policy Feature Card 3 VS-F6K-PFC3C SAD120504EB 1.0 Ok5 MSFC3 Daughterboard VS-F6K-MSFC3 SAD120301PL 1.0 Ok6 Policy Feature Card 3 VS-F6K-PFC3C SAD1203057R 1.0 Ok6 MSFC3 Daughterboard VS-F6K-MSFC3 SAD120301PL 1.0 Ok

Mod Online Diag Status---- -------------------5 Pass6 Pass


Virtual Switching System (VSS)Quad Supervisor Uplink Forwarding Redundancy Monitoring

Cli Verification Router#sh switch virtual redundancy

My Switch Id = 1Peer Switch Id = 2

Last switchover reason = user forcedConfigured Redundancy Mode = ssoOperating Redundancy Mode = sso

Switch 1 Slot 5 Processor Information :-----------------------------------------------

Current Software state = ACTIVEImage Version = Cisco IOS Software, s72033_rp Software (BOOTLDR =

Configuration register = 0x2Fabric State = ACTIVE

Control Plane State = ACTIVE

Switch 1 Slot 6 Processor Information :-----------------------------------------------

Current Software state = RPR-Warm Uptime in current state = 4 days, 17 hours, 36 minutes

Image Version = >BOOT = disk0:mz-rbh,12;

CONFIG_FILE =BOOTLDR =

Configuration register = 0x2Fabric State = RPR-Warm

Control Plane State = RPR-Warm


Virtual Switching System (VSS)Quad Supervisor Uplink Forwarding Redundancy Monitoring


VSS Quad Supervisor Uplink Forwarding Key Points

Quad Supervisor Uplink Forwarding feature is scheduled for release in 12.2(33)SXI4 Quad Supervisor Uplink Forwarding allows for

deterministic recovery from a Supervisor failure event In-Chassis Standby Uplinks are active and operational

under normal conditions In-Chassis Standby Supervisor runs in new redundancy

mode called RPR-WARM Switchover to the In-Chassis Supervisor does require a

reload of the chassis Supervisor role negotiation occurs first within the

chassis, then the winning In-Chassis active Supervisor performs VSS role negotiation between chassis


Software Upgrades

7979

Agenda Topics


2. Reset the standby Supervisor and ensure it boots successfully to RPR mode (STANDBY COLD). Hot Standby modules are power down and not forwarding traffic at this point, forwarding capacity will be down to 50%

3. Force a Supervisor switchover, forwarding capacity drops to 0%. Standby Supervisor continue to boot and become the new ACTIVE. Old active Supervisor will reset and load the old image and boot to STANDBY COLD (RPR) state

STANDBY COLD

1. Preparation Steps a) Ensure the old image and new image files

are installed to the local file systems on both Supervisor modules

b) Configure the boot register to auto-load the specified software image file

c) Configure the boot string to load the new software image

P

r

e

p

a

r

a

t

i

o

n

S

t

e

p

s

E

x

e

c

u

t

e

U

p

g

r

a

d

e

SiSi SiSiVSS Active VSS Standby Hot

WS-X6708-10G WS-X6708-10GVSLVSL

VSS Standby Cold

1 2 3

100%

50%

4 5

RVSS Standby ColdVSS ActiveVSS Standby COLD

4. Trial Phase5. Modify boot variable on Switch-1 and reload switch-

1 such that it boots up with new software image. Forwarding capacity will resume back to 100%

VSS Standby HOTR

Switch-1 Switch-2

= Old Version= New Version

R = Reset

SO = Switchover

SO

SW2

SW1/SW2

SW1

VSS Software UpgradePre 12.2(33)SXI Fast Software Upgrade (FSU)


1. Before ISSU software upgrade, VSS Switch-1 and Switch-2 will be running the old software image.

2. Install the new image to the same location on the file systems of both Supervisors

3. Make sure the boot register is configured for auto boot 0x2102

STANDBY COLD

SiSi SiSiVSS Active VSS Standby Hot

WS-X6708-10G WS-X6708-10G

VSLVSL

R

VSS Standby HOT

VSS Standby Hot

1 2 3

100%

50%

4 5

4. ISSU Acceptversion

5. ISSU Commitversion

VSS Active


R = Reset

SO = Switchover

SO

SW2 SW1 SW1

3. ISSU runversion

2. ISSU loadversion

Switch-1 Switch-2

P

r

e

p

a

r

a

t

i

o

n

S

t

e

p

s

E

x

e

c

u

t

e

U

p

g

r

a

d

e

VSS Software Upgrade12.2(33)SXI Enhanced Fast Software Upgrade (EFSU)

R


VSS Software Upgrade Full Image Upgrade Bandwidth Availability Graph

The following graphs illustrate the aggregate bandwidth available to the VSS

1 2 3

100%

50%

4 5

100%

50%

1 2 3 4 5

Fast Software Upgrade bandwidth availability

Enhanced Fast Software Upgrade bandwidth availability

With EFSU, a minimum of 50% bandwidth is available throughout the software upgrade process

At step 3 during RPR switchover, bandwidth will be dropped to 0% for 1-2 minutes

SW2 SW1 SW1SW2 SW1/SW2 SW1


EFSUInitializing Standby With New Software

After entering the issu loadversion command, the standby chassis will reload to boot the new software image. ..

VSS# issu loadversion sup-bootdisk:New_imageVSS# show issu state

Slot = 22RP State = Active

ISSU State = Load VersionBoot Variable = bootdisk:Old_image,12

Slot = 40RP State = Standby

ISSU State = Load VersionBoot Variable = bootdisk:New_image,12;sup-bootdisk:Old_image,12

issu loadversion active-switch-id/slot active-image-new standby-switch-id/slot standby-image-new


After entering the issu runversion command the Active Supervisor will reload thus causing the Standby to go Active

VSS# issu runversionThis command will reload the Active unit. Proceed ? [confirm]

VSS# show issu state Slot = 40

RP State = ActiveISSU State = Run Version

Boot Variable = New_image,12;bootdisk:Old_image,12


ISSU State = Run VersionBoot Variable = bootdisk:Old_image,12

Switch# issu runversion standby-switch-id / slot [standby-image-new]

EFSUSwitchover to Standby to Run New Software


EFSU Rollback Timer

VSS# show issu rollback-timerRollback Process State = In progressConfigured Rollback Time = 45:00Automatic Rollback Time = 42:02

VSS(config)# issu set rollback-timer ?WORD Rollback timer in hh:mm:ss or format

Rollback timers gets activated as soon as issu runversion command is issued. It provides a window of time to verify the new software functionality. Users issues issu acceptversion to proceed with new software image or

issu abortversion to go back to previous version.

Rollback timer can be set between zero seconds and two hours. Setting the rollback to zero effectively

disables the timer


EFSU Process Accept New Software Version

Enter the issu acceptversion command to stop the rollback timer. This allows a trail period where the system can be tested with the

new software image.

VSS# issu acceptversion% Rollback timer stopped. Please issue the commitversion command.VSS# show issu state

Slot = 40RP State = Active

ISSU State = Run VersionBoot Variable = bootdisk:New_image,12;bootdisk:Old_image,12


ISSU State = Run VersionBoot Variable = bootdisk:Old_image,12

Switch# issu acceptversion active-switch-id / slot [active-image-new]

Important: Only features that are common to both software versions will be enabled during the ISSU Run Version stage


EFSU ProcessReset Old Active to Load New SoftwareEnter the issu commitversion command to commit the new software image, the standby supervisor will reload to boot new software image

VSS# issu commitversion10:54:37: %PFINIT-SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router. [OK]

00:32:35: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).

VSS# show issu stateSlot = 40

RP State = ActiveISSU State = Init

Boot Variable = bootdisk:New_image12; Old_image,12


ISSU State = InitBoot Variable = bootdisk:New_image,12; Old_image,12

Switch# issu commitversion standby-switch-id / slot-number [standby-image-new]


EFSU ProcessFull Image Upgrade Process

Switch-1 Switch-2

StandbyActive ISSU loadVersion

LC

LCLC

Switch-1 Switch-2

Switch-1 Switch-2Switch-1 Switch-2

ISSU RunVersion

ISSU CommitVersion

Following picture illustrates the EFSU steps

StandbyLC

LCLC

Standby

Active

ActiveLC

LC

ActiveLC

LCStandby

LC

LC


LC

LC

LC

LC


1. Before ISSU software upgrade, VSS all sups will be running old software image. Make sure all 4 sups have a new image copied to their local flash memory.

STANDBY COLD

SiSi SiSiActive Hot--standby

RPR Warm RPR Warm

VSLVSL

R

VSS Standby Cold

VSS Standby HOT

R

P

r

e

p

a

r

a

t

i

o

n

S

t

e

p

s

E

x

e

c

u

t

e

U

p

g

r

a

d

e

Hot-standby

1 2 3

100%

50%

4 5

4. ISSU acceptversion If network is stable issue ISSU acceptversion which stops the rollback timer, otherwise ISSU process will aborted intermediately.

5. ISSU commitversion Once the image is tested and ready to be rolled out .. ISSU commit version will reload the standby switch (active and standby sups) to boot up with new software version

Switch-1 Switch-2

Active


R = Reset

SO = Switchover

SO

SW2 SW1 SW1

3. ISSU runversion Standby takes over as active and old active switch (active and standby sups) reloads and comes up as standby with old image.

2. ISSU loadversion Standby chassis (active and standby sups) reloads and comes up with new image

Virtual Switching System (VSS)QuadSup & eFSU

AvailableBandwidth

Duration


VSS & EFSU Important Points Dual-homed connectivity is required for minimal traffic disruption

Single-homed devices will experience an outage when the attached chassis reloads

Software images files must be ISSU compatible (these are not VSS specific requirements)

EFSU support begins in the SXI trainMust be the same image types, meaning Native to Native or Modular to ModularFor Modular images, both images must use the same installation method, therefore installed mode or binary modeThe software feature sets must be the same between the two software image files


Deployment Considerations and Best Practices

9191

Agenda Topics


Virtual Switching SystemDeployment Considerations

Dual-attach connected devices whenever possible

Etherchannel and L3 ECMP hash algorithms have been modified so that local links will always have preference over remote linksMinimal traffic expected to cross VSL link in dual-homed scenario


VSL Bandwidth Sizing & Considerations

The VSL is an Etherchannelcan include up to eight links

VSL bandwidth should be greater than or equal to the largest bandwidth connection to a single attached device (downlink)Consider the bandwidth on a per VSS chassis basis

Consider the bandwidth for any Service Modules and SPAN sessions Distribute the VSL interfaces across multiple modules for added resiliency Include at least one VSL interface from the Supervisor module for faster VSL bring-up during reloads

SiSi SiSi

SiSi SiSi


VSS High Availability NSF Configuration and Monitoring

Router# sh ip ospfRouting Process "ospf 100" with ID

10.120.250.4Start time: 00:01:37.484, Time elapsed: 3w2dSupports Link-local Signaling (LLS)

Non-Stop Forwarding enabled, last NSF

restart 3w2d ago (took 31 secs)

Router# sh ip protocol*** IP Routing is NSF aware ***Routing Protocol is "eigrp 100 100"

EIGRP NSF-aware route hold timer is 240s

EIGRP NSF enabled

Recommendation: Non-Stop Forwarding is required for sub-sec supervisor switchover convergence with L3 Routing Protocols

Recommendation: Non-Stop Forwarding is required for sub-sec supervisor switchover convergence with L3 Routing Protocols

EIGRP OSPFSwitch(config)#router ospf 100Switch(config-router#nsf

Switch(config)#router eigrp 100Switch(config-router#nsf


Operational ManagementReloading the VSS

Should there be a requirement to reload the entire Virtual Switching System (both chassis), the command reload can be used to accomplish this task

vss#reloadWarning: This command will reload the entire Virtual Switching System (Active and Standby Switch).Proceed with reload? [confirm]1d04h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

****** --- SHUTDOWN NOW ---***

1d04h: %SYS-SP-5-RELOAD: Reload requestedSystem Bootstrap, Version 8.5(1)Copyright (c) 1994-2006 by cisco Systems, Inc.Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

Virtual Switch


Operational ManagementReloading a Member of the VSS

vss# redundancy reload ?peershelf

vss# redundancy reload shelf 2Reload the entire remote shelf[confirm]Preparing to reload remote shelf

vss#

Switch1 Switch2

Active Hot Standby

vss# redundancy force-switchover

This will reload the active unit andForce switchover to standby [confirm]

vss#

VSL

NEW command has been introduced to reload a SINGLE VSS member switch

NEW


VSS High Availability OOB-Mac-Synchronization

Dist-VSS# sh mac-address-table synchronize statistics MAC Entry Out-of-band Synchronization Feature Statistics:---------------------------------------------------------

Switch [1] Module [4]-----------------------Module Status:

Statistics collected from Switch/Module : 1/4Number of L2 asics in this module : 1Global Status:Status of feature enabled on the switch : onDefault activity time : 160Configured current activity time : 480

Recommendation: Enable Out-Of-Band Mac-Synchronization.It is used for synchronizing mac-address tables across forwarding engines.

If WS-6708-10G is present in the VSS system, mac-synchronization is turned on automatically. If not it has to be enabled manually.

Recommendation: Enable Out-Of-Band Mac-Synchronization.It is used for synchronizing mac-address tables across forwarding engines.

If WS-6708-10G is present in the VSS system, mac-synchronization is turned on automatically. If not it has to be enabled manually.

If this feature is not enabled, mac-address-table across different forwarding engines could go out-of-sync and may cause unicast flooding.

If this feature is not enabled, mac-address-table across different forwarding engines could go out-of-sync and may cause unicast flooding.

Dist-VSS#(config)# mac-address-table synchronize % Current activity time is [160] seconds % Recommended aging time for all vlans is at least three times the activity interval


Dual-Active DetectionMultiple Mechanisms and Recommendations

Recommendations: Use MEC with ePAgP or MEC with VSLP Fast Hello for faster VSL link loss convergence results.

Enable BOTH ePAgP and direct heart-beat link based VSLP Fast Hello methods (if possible )

Enable ePAgP to core (if access-layer is not ePAgP capable

SiSiSiSi

VSLP Fast-Helloor BFD

RedundantVSL Fiber

ePAgP

ePAgP


DO Configure Switch accept-mode virtual Use unique VSS domain-id within the same network Save backup configuration file in both active & hot-standby bootdisk: Use a minimum of one Supervisor uplink for the VSL, this provides for faster VSL bring up. Enable out-of-band MAC sync mac-address-table synchronize Dual-home connected devices whenever possible, use L2 or L3 Multi-Chassis Etherchannel, L3 ECMP Use ePAgP and VSLP Fast Hello Dual Active Protocol. Enable NSF under routing protocols

VSS Deployment Best Practices


DO NOT . Tune default VSLP timers unless recommended by cisco Use preemption Issue shutdown for VSL failure, it creates config mismatch. Disconnect cables to create a realistic failure scenario Change VSL hashing algorithm in production. It requires a shut/no shut on PO. Shutting down VSL will cause traffic disruption and dual-active scenario. Write-erase to reset the VSS configuration. Write-erase will erase startup-configuration and rommon variables. VSS bring-up process requires switch-id to be present in rommon variable to boot in VSS mode. Use erase-nvram instead.

VSS Deployment Best Practices Cont


Summary

101101

Agenda Topics


Benefit 1: Simplifies Network Designs Build redundant topology without First Hop Redundancy Protocols No Spanning Tree blocking ports Single control plane and management interface Reduces the number of L3 routing protocol peers


Benefit 2: Scales System Capacity Groups resources together and activates all available bandwidth across redundant Cisco Catalyst 6500 switches Enables standards-based link aggregation for server NIC teaming, maximizing server bandwidth


Benefit 3: Boost Network Availability Inter-chassis Stateful Failover enables real time applications to continue without disruption Etherchannel based link resiliency provides sub-second recovery Simplifies network designs reducing human error in network operations


Recommended Literature

www.cisco.com/go/vsswww.cisco.com/go/vss

VSS TroubleshootingVSS Troubleshooting

Migration from Standalone to VSSMigration from Standalone to VSS

RMA ProcedureRMA ProcedureVSS FAQVSS FAQVSS White PaperVSS White Paper

Whats New BulletinWhats New BulletinService Module IntegrationService Module IntegrationVSS Design GuidesVSS Design Guides

Best PracticesBest Practices

www.cisco.com/go/supportwww.cisco.com/go/support


Operational Management

107107

Agenda Topics


CiscoView is designed to show the view of both Active and Hot Standby chassis side by side within one page.

CiscoWorks LMS 3.0.1 supports VSS in the RME and CiscoView tool.

Operational ManagementCiscoWorks LAN Management Solution Support

Each chassis is identified by a label indicating whether it is

Active or Standby

Each chassis is identified by a label indicating whether it is

Active or Standby


Multiple console interfaces exist within a Virtual Switch Domain, but only the active switch console is enabled for command interaction

Virtual Switch Active Virtual Switch Hot Standby

Operational ManagementVirtual Switching System CLI


vss#show module switch 1Switch Number: 1 Role: Virtual Switch Active

---------------------- -----------------------------Mod Ports Card Type Model Serial No.--- ----- -------------------------------------- ------------------ -----------1 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAD074303JX5 5 Supervisor Engine 720 10GE (Hot) WS-S720-10G SAD1047078P7 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL0943435M8 24 CEF720 24 port 1000mb SFP WS-X6724-SFP SAL09158Y0L

vss#sh module switch 2Switch Number: 2 Role: Virtual Switch Standby

---------------------- -----------------------------Mod Ports Card Type Model Serial No.--- ----- -------------------------------------- ------------------ -----------1 8 CEF720 8 port 10GE with DFC WS-X6708-10GE SAL1101D5EP5 5 Supervisor Engine 720 10GE (Active) WS-S720-10G SAD104306WW7 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL09391NZM8 24 CEF720 24 port 1000mb SFP WS-X6724-SFP SAL09158ZZT

Switch1 Switch2


After conversion, port definitions for switches within the Virtual Switch Domain inherit the Chassis ID as part of their naming convention

VSS#show ip interface briefInterface IP-Address OK? Method Status ProtocolVlan1 unassigned YES NVRAM up up Port-channel1 unassigned YES NVRAM up up Te1/1/1 10.1.1.1 YES unset up up Te1/1/2 192.168.1.2 YES unset up up Te1/1/3 unassigned YES unset up up Te1/1/4 unassigned YES unset up up GigabitEthernet1/2/1 10.10.10.1 YES unset up up GigabitEthernet1/2/2 10.10.11.1 YES unset up up GigabitEthernet2/1/1 unassigned YES unset up up GigabitEthernet2/1/2 unassigned YES TFTP up up GigabitEthernet2/1/3 unassigned YES TFTP up up Te2/1/4 unassigned YES TFTP up up Te2/1/5 unassigned YES TFTP up up

VSS#show ip interface briefInterface IP-Address OK? Method Status ProtocolVlan1 unassigned YES NVRAM up up Port-channel1 unassigned YES NVRAM up up Te1/1/1 10.1.1.1 YES unset up up Te1/1/2 192.168.1.2 YES unset up up Te1/1/3 unassigned YES unset up up Te1/1/4 unassigned YES unset up up GigabitEthernet1/2/1 10.10.10.1 YES unset up up GigabitEthernet1/2/2 10.10.11.1 YES unset up up GigabitEthernet2/1/1 unassigned YES unset up up GigabitEthernet2/1/2 unassigned YES TFTP up up GigabitEthernet2/1/3 unassigned YES TFTP up up Te2/1/4 unassigned YES TFTP up up Te2/1/5 unassigned YES TFTP up up

PORT NUMBERING: PORT NUMBERING:

Chassis-ID WILL ALWAYS be either a 1 or a 2

Operational ManagementSingle Point of Management: Slot/Port Numbering


Operational ManagementFile System Naming

After the conversion to a Virtual Switching System, some of the File System naming conventions have changed to accommodate the new setup - an

example of the new setup is shown below

Active Supervisor - Slot 5 Hot Standby Supervisor - Slot 5

Virtual Switch Domain

e.g.OLD: disk0:

NEW: sw1-slot5-disk0:

Switch1 Switch2

e.g.OLD: slavedisk0:

NEW: sw2-slot5-disk0:

SWSLOTFILESYSTEMSWSLOTFILESYSTEM


Operational ManagementFile System NamingSome filenames have remained the same - others have changed -

some examples of file system names in a Virtual Switching System include the following

Virtual Switching SystemVirtual Switching Systemswslotdisk0:swslotdisk0:

Standalone with Dual supStandalone with Dual supdisk0:disk0:

swslotbootflash:swslotbootflash:bootflash:bootflash:

swslotsup-bootdisk:swslotsup-bootdisk:sup-bootdisk:sup-bootdisk:

swslotnvram:swslotnvram:nvram:nvram:

swslotdisk0:swslotdisk0:slavedisk0:slavedisk0:

swslotbootflash:swslotbootflash:slavebootflash:slavebootflash:

swslotsup-bootdisk:swslotsup-bootdisk:slavesup-bootdisk:slavesup-bootdisk:

swslotconst_nvram:swslotconst_nvram:const_nvram:const_nvram:

Virtual Switch


Operational Management SNMP Support for VSSThe SNMP process for a VSS necessitates support for Puts and Gets across 2 physical chassis, changes to existing MIBs and

support for a new MIB


Switch 1 - Active Switch 2 Hot Standby

SNMP Process Active SNMP Process Inactive

SNMP Server

SNMP GetsSNMP Puts

SNMP Modified MIBs

SNMP Modified MIBs

SNMP New MIBs

SNMP New MIBs


Operational Management New Virtual Switching System MIB

CISCO-VIRTUAL-SWITCH-MIB has been defined to support SNMP access to the Virtual Switching System Configuration - the following MIB variables are

accessible to an SNMP manager

cvsGlobalObjects - Domain #, Switch #, Switch Mode

cvsCoreSwitchConfig - Switch Priority and Preempt

cvsChassisTable - Chassis Role and Uptime

cvsVSLConnectionTable - VSL Port Count, Operational State

cvsVSLStatsTable - Total Packets, Total Error Packets

cvsVSLPortStatsTable - TX/RX Good, Bad, Bi-dir and Uni-dir Packets

This MIB will be the main vehicle though which Network Management stations access information relevant to the operation of the Virtual Switching System

CISCO-VIRTUAL-SWITCH-MIBCISCO-VIRTUAL-SWITCH-MIB


VSLNetflowData

NetflowData

NetflowData

NetflowData

Netflow Collector NetflowExport

WS-X6748-GE-TX-3C/XLWS-X6708-10GE-3C/XL

Netflow Collection: ActiveNetflow Export: Active

Netflow Collection: ActiveNetflow Export: In-Active

VSS State : ActiveNetflow Collection: ActiveNetflow Export: Active

VSS State : Hot StandbyNetflow Collection: ActiveNetflow Export: In-Active

WS-X6708-10GE-3C/3CXL and WS-X6716-10GE-3C/3CXL has capability to perform direct export from the line card itselfWS-X6708-10GE-3C/3CXL and WS-X6716-10GE-3C/3CXL has capability to perform direct export from the line card itself

Operational ManagementNetflow Export


Operational ManagementSPAN

In a Virtual Switching System, the number of SPAN sessions is limited to what the VSS Active Supervisor can provide. SPAN capacity on the VSS Hot

Standby is not factored into available SPAN sessionsVirtual Switch Domain

VSS State : ActiveSPAN Management: ActiveReplication: Active

VSS State : Hot StandbySPAN Management: In-ActiveReplication: Active

VSL

Switch 1 Supervisor Switch 2 Supervisor

Virtual Switching System is supported in 12(33)SXH1 which introduces the following SPAN capabilities per Virtual Switching System Domain

TX SPAN Sessions RX/Both SPAN Sessions Total SPAN SessionsVirtual Switch Domain 14 2 16


Operational ManagementSetting the System-wide PFC Mode

A NEW CLI has been implemented to allow the user to pre-configure the system PFC mode. Any DFC module that does not match the system PFC

mode will not be powered up. This configuration will ensure a system runs in PFC3CXL mode and is not accidentally reverted to PFC3C mode

vss#conf tEnter configuration commands, one per line. End with CNTL/Z.vss(config)#platform hardware vsl pfc mode pfc3cvss(config)#^Zvss#

vsssh platform hardware pfc modePFC operating mode : PFC3CConfigured PFC operating mode : PFC3Cvss#


Quality of Service

118118

Agenda Topics


Quality of ServiceClassification and PolicingBoth Classification and Policing functions are handled by PFC QoS, and is executed by either the PFC on the Active and Hot Standby Supervisor, or the ingress linecard DFC. There are 2 important caveats which must be understood

whilst implementing these functionsPolicies can either be applied on L3 interfaces (SVIs or Physical interfaces), or Port

Channels, or L2 interfaces*1

policy-map CLASSIFYclass class-defaultset ip dscp 40

interface GigabitEthernet 2/3/48switchportservice-policy input CLASSIFY

policy-map CLASSIFYclass class-defaultset ip dscp 40

interface PortChannel 10switchportservice-policy input CLASSIFY

* Qos policies on L2 interfaces are supported beginning in 12.2(33)SXI


Quality of ServiceClassification and Policing

Aggregate policers that are applied on SVIs or Port Channels that have interfaces distributed across multiple forwarding engines are

subject to Distributed Policing caveats

2

policy-map POLICEclass class-defaultpolice average 10000000

Interface GigabitEthernet 1/2/10channel-group 20 mode desireable


interface PortChannel 20service-policy input POLICE

policy-map POLICEclass class-defaultpolice average 10000000



interface PortChannel 20service-policy input POLICE


Quality of ServiceQoS on the VSL

A few important aspects relating to VSL QoS are as follows:

VSLP and other Control frames are always marked as Priority packets and are always queued and classified as such

1

VSL is always configured as Trust CoS and hence ingress queuing is enabled

2Service Policies are not supported on the VSL3

VSL

Switch1 Switch2

VSLPVSLPFTPFTPHTTPHTTP

CoS Maps, Thresholds and Queues on the VSL are not configurable4


VSS & Service Module Integration

122122

Agenda Topics


VSS Hardware RequirementsService Module Support

Module Description VSS Minimum Software

Service Module Minimum Software

ACE10/ACE 20-6500-K9 Application Control Engine (ACE) 12.2(33)SXI A2(1.2)WS-SVC-FWSM-1-K9 Firewall Services Module (FWSM) 12.2(33)SXI 4.0(4)

WS-SVC-IDSM2-K9 Intrusion Detection System Services Module (IDSM-2)

12.2(33)SXI 6.0(2)E1

WS-SVC-NAM-1WS-SVC-NAM-2

Network Analysis Module (NAM1)Network Analysis Module (NAM2)

12.2(33)SXH1 3.6(1a)

WS-SVC-WISM-1-K9 Wireless Services Module (WiSM) 12.2(33)SXI 3.2.171.6

WS-SVC-FWM-1-K9

Firewall Services Module (FWSM)Application Control Engine (ACE)

ACE10/ACE 20-6500-K9

WS-SVC-NAM-1 WS-SVC-NAM-2

Network Analysis Module (NAM 1&2)WS-SVC-WISM-1-K9

Wireless Services Module (WiSM)

WS-SVC-IDSM2-K9

Intrusion Detection System Services Module (IDSM-2)


VSS Service Module Integration

Four standalone Service Modules are supported per VSS chassis (eight total service modules for the VSS) VSL bandwidth considerations

Service Module redirected traffic, state sync, and failover traffic. VSL will carry traffic destined to the Service Modules under normal conditions. Design an appropriate number of links for the VSL


Switch-1(VSS Active)

Switch-2(VSS Standby)


Data Plane Active

Control Plane Active

Service Module1 Active

Service Module2 Standby

Data Plane Active

Control Plane Hot Standby

Service Module1 Standby

Service Module2 Active

VSL

Failover/State sync Vlan

FWSM & ACE Module HA Modes: Active-Standby per module, One of the service modules in a VSS system will be Active and another one will be standby.

FWSM & ACE Redundancy ModesActive-Standby Per Module

2010 Cisco and/or its af

Technology

Cisco Catalyst Virtual Switching System (VSS)