cisco live - vss breakout session - brkcrs-3468

Cisco Catalyst Virtual Switching SystemBRKCRS-3468

Cisco Live & Networkers VirtualSpecial Offer Save $100Cisco Live has a well deserved reputation as one the industrys best educational values. With hundreds of sessions spanning four educational programs Networkers, Developer Networker, Service Provider, IT Management, you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Sessions events to accessing session content to networking with your peers. Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter slideshareFY11.

Presentation_ID

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Public

2

Agenda TopicsVSS Introduction Architecture Hardware Requirements Migration to VSS High Availability Quad Sup Uplink Forwarding Software Upgrades Deployment Considerations & Best Practices SummaryPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

Appendix Topics Operational Management Quality of Service Service Module Integration Deploying VSS with Server Virtualization Data Center L2 Interconnect via VSS

Cisco Public

3

Agenda Topics

VSS Introduction

Presentation_ID


Cisco Public

4

Current Network ChallengesEnterprise CampusTraditional Enterprise Campus deployments have been designed in such a way that allows for scalability, differentiated services and high availability. However they also face many challenges, some of which are listed in the below diagramExtensive routing topology, Routing reconvergence

L3 Core

L2/L3 Distribution

FHRP, STP, Asymmetric routing, Policy Management

AccessPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Single active uplink per VLAN (PVST), L2 reconvergence5

Current Network ChallengesTraditional Data Center designs are increasingly requiring Layer 2 adjacencies between Server nodes due to the use of Server Virtualization technology. However, these designs are pushing the limits of Layer 2 networks, placing more burden on loop-detection protocols such as Spanning TreeFHRP, HSRP, VRRP Spanning Tree Policy Management

Data Center

L2/L3 Core

Single active uplink per VLAN (PVST), L2 reconvergence, excessive BPDUs Dual-Homed Servers to single switch, Single active uplink per VLAN (PVST), L2 reconvergence L2 AccessPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

6

Catalyst 6500 Virtual Switching SystemToday (Today)10GESi Si Si

Overview

VSS (Physical View)10GESi

VSS (Logical View)

802.3ad or PagP

802.3ad

802.3ad or PagP

802.3ad

Access Switch or ToR or Blades

Server


Server


Server

Simplifies operational Manageability via Single point of Management, Elimination of STP,FHRP etc

Doubles bandwidth utilization with Active-Active Multi-Chassis Etherchannel(802.3ad/PagP) Reduce Latency

Minimizes traffic disruption from switch or uplink failure with Deterministic subsecondPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

Stateful and Graceful Recovery (SSO/NSF) Cisco Public

7

Virtual Switching SystemEnterprise CampusA Virtual Switching System-enabled Enterprise Campus network takes on multiple benefits including simplified management & administration, facilitating greater high availability, while maintaining a flexible and scalable architectureReduced routing neighbors, Minimal L3 reconvergence

L3 Core

L2/L3 Distribution

No FHRPs No Looped topology Policy Management

AccessPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Multiple active uplinks per VLAN, No STP convergence

8

Virtual Switching SystemData CenterA Virtual Switching System-enabled Data Center allows for maximum scalability so bandwidth can be added when required, but still providing a larger Layer 2 hierarchical architecture free of reliance on Spanning TreeSingle router node, Fast L2 convergence, Scalable architecture Dual Active Uplinks, Fast L2 convergence, minimized L2 Control Plane, Scalable Dual-Homed Servers, Single active uplink per VLAN (PVST), Fast L2 convergence

L2/L3 Core

L2 Distribution

L2 Access

Presentation_ID


Cisco Public

9

Agenda Topics

VSS Architecture

Presentation_ID


Cisco Public

10

Introduction to Virtual Switching SystemConcepts

Presentation_ID


Cisco Public

11

Virtual Switching System ArchitectureVirtual Switch Link (VSL)The Virtual Switch Link joins the two physical switch together - it provides the mechanism to keep both the chassis in syncAll traffic traversing the VSL link is encapsulated with a 32 byte Virtual Switch Header containing ingress and egress switchport indexes, class of service (COS), VLAN number, other important information from the layer 2 and layer 3 headerVS Header L2 Hdr L3 Hdr Data

A Virtual Switch Link bundle can consist of up to 8 x 10GE links

Control plane uses the VSL for CPU to CPU communications while the data plane uses the VSL to extend the internal chassis fabric to the remote chassis

CRC

Virtual Switch Link Virtual Switch ActivePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Virtual Switch Standby12

Virtual Switching System ArchitectureBefore the Virtual Switching System domain can become active, the Virtual Switch Link must be brought online to determine Active and Standby roles. The initialization process essentially consists of 3 steps: 1 2Link Bringup to determine which ports form the VSL Link Bringup to determine which ports form the VSL Link Management Protocol (LMP) used to track and reject Unidirectional Links, Link Management Protocol (LMP) used to track and reject Unidirectional Links, Exchange Chassis ID and other information between the 2 switches Exchange Chassis ID and other information between the 2 switches

Initialization

LMP LMP RRP RRP

LMP LMP RRP RRP

3

Role Resolution Protocol (RRP) used to determine compatible Hardware and Role Resolution Protocol (RRP) used to determine compatible Hardware and Software versions to form the VSL as well as determine which switch becomes Software versions to form the VSL as well as determine which switch becomes Active and Hot Standby from a control plane perspective Active and Hot Standby from a control plane perspectivePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

13

Virtual Switching System ArchitectureA new ping mechanism has been implemented in VSS mode to allow the user to objectively verify the health of the VSL itself. This is implemented as a VSLP PingVSLP Ping VSLP Ping VSLP Ping VSLP Ping

VSLP Ping

VSL

VSLP Ping VSLP Ping

Switch1

VSLP Ping VSLP Ping

Switch2

The VSLP Ping operates on a per-physical interface basis and parameters such as COUNT, DESTINATION, SIZE, TIMEOUT may also be specifiedvss#ping vslp output interface tenGigabitEthernet 1/5/4 Type escape sequence to abort. Sending 5, 100-byte VSLP ping to peer-sup via output port 1/5/4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms

Presentation_ID


Cisco Public

14

Virtual Switching System ArchitectureVSL Configuration Consistency CheckAfter the roles have been resolved through RRP, a Configuration Consistency Check is performed across the VSL switches to ensure proper VSL operation. The following items are checked for consistency:Switch Virtual Domain ID Switch Virtual Domain ID Switch Virtual Switch ID Switch Virtual Switch ID Switch Preempt Switch Preempt Switch Priority Switch Priority

Virtual Switch

VSL Port state, interfaces VSL Port state, interfaces Power Enable on VSL cards Power Enable on VSL cards Note that if configurations do not match, the Hot-Standby Supervisor will revert to RPR mode, disabling all non-VSL interfacesPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

VSL Port Channel Link ID VSL Port Channel Link ID

Power Redundancy mode Power Redundancy mode

15

Virtual Switching SystemUnified Control PlaneOne supervisor in each chassis with inter-chassis Stateful Switchover (SSO) method in with one supervisor is ACTIVE and other in HOT_STANDBY mode Active/Standby supervisors run in synchronized mode (boot-env, running-configuration, protocol state, and line cards status gets synchronized) Active supervisor manages the control plane functions such as protocols (routing, EtherChannel, SNMP, telnet, etc.) and hardware control (Online Insertion Removal, port management)

CFC or DFC Line Cards CFC or DFC Line Cards

CFC or DFC Line Cards


Active SupervisorCFC or DFC Line Cards CFC or DFC Line Cards CFC or DFC Line Cards

SF

RP

PFC

VSL SSO Synchronization



Standby HOT SupervisorCFC or DFC Line Cards CFC or DFC Line Cards CFC or DFC Line Cards

SF

RP

PFC

Presentation_ID


Cisco Public

16

Virtual Switching SystemDual Active Forwarding PlanesBoth forwarding planes are active

Standby supervisor and all linecards including DFCs are actively forwardingVSS#

My Switch Id = 1 Peer Switch Id = 2

show switch virtual redundancySi Si

Switch 1 Slot 5 Processor Information : ---------------------------------------------Current Software state = ACTIVE Switch 2 Slot 5 Processor Information : ---------------------------------------------Current Software state = STANDBY HOT (switchover target)

Data Plane Active

Data Plane Active

Fabric State = ACTIVE Control Plane State = ACTIVE

Fabric State = ACTIVE Control Plane State = STANDBY

Switch1

Switch2

Presentation_ID


Cisco Public

17

Virtual Switching System ArchitectureVirtual Switch DomainA Virtual Switch Domain ID is allocated during the conversion process and represents the logical grouping the 2 physical chassis within a VSS. It is possible to have multiple VS Domains throughout the network

VSS Domain 10

VSS Domain 20

VSS Domain 30

Use a UNIQUE VSS Domain-ID for each VSS Domain throughout the network. Various protocols use Domain-IDs to uniquely identify each pair.Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

18

Virtual Switching System ArchitectureRouter MAC Address AssignmentIn a Virtual Switching System, there is only one router MAC address to represent both physical chassis as a single logical device.By default, the MAC address allocated to the Virtual Switching System is taken from the first Active Switch burnt-in MAC-address, which is negotiated at system initialization. Regardless of either switch being brought down or up in the future, the same MAC address will be retained such that neighboring network nodes and hosts do not need to re-learn a new address.

Router MAC = burnt-in or virtual mac-addressRecommendation is to use the virtual mac-address option. This eliminates the possibility of a duplicate MAC address in case the original Supervisor is ever reused within the same network.Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

19

Virtual Switching System ArchitectureVirtual Router MAC Address AssignmentInstead of using default chassis mac-address assignment, from 12.2(33)SXH2 onwards virtual mac-address can be specified as shown belowVSS(config-vs-domain)#switch virtual domain 10 VSS(config-vs-domain)#mac-address use-virtual Configured Router mac address is different from operational value. Change will take effect after config is saved and the entire Virtual Switching System (Active and Standby) is reloaded.

VSS# show interface vlan 1 Vlan1 is up, line protocol is up Hardware is EtherSVI, address is 0008.e3ff.fc0a (bia 0008.e3ff.fc0a)

The use-Virtual MAC address is assigned from a reserved pool of MAC addresses appended with the VSS domain id. The reserved pool is 0008.e3ff.fc00 to 0008.e3ff.ffff.Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

20

Virtual Switching System ArchitectureMultichassis EtherChannel (MEC)Prior to the Virtual Switching System, Etherchannels were restricted to reside within the same physical switch. In a Virtual Switching environment, the two physical switches form a single logical network entity - therefore Etherchannels can now be extended across the two physical chassisStandalone VSS

Both LACP and PAGP Etherchannel protocols and Manual ON modes are supported

Regular Etherchannel on single chassisPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Multichassis EtherChannel across 2 VSS-enabled chassis21

Virtual Switching System ArchitectureEtherChannel Hash for MECEtherchannel hashing algorithms are modified in VSS to always favor locally attached interfaces

Blue Traffic destined for the Server will result in Link 1 in the MEC link bundle being chosen as the destination path

Link 1

Link 2

Orange Traffic destined for the Server will result in Link 2 in the MEC link bundle being chosen as the destination path

Presentation_ID


Cisco Public

22

Etherchannel Concepts

The default hashing algorithm will redistribute all the Result Bit Hash values across the available ports when there is a change. This affects all traffic traversing the EtherchannelRBH (for MEC) 2 Link Bundle Example Link 1 Link 2 Flow 1 Flow 1 Flow 3 Flow 3 Flow 5 Flow 5 Flow 7 Flow 7 Flow 2 Flow 2 Flow 4 Flow 4 Flow 6 Flow 6 Flow 8 Flow 8

Etherchannel Hash Distribution

Links 1,2 Links 1,2,3

Links 3,4 Links 4,5,6

Flow 1 Flow 1 Flow 4 Flow 4 Flow 7 Flow 7

RBH (for MEC) 3 Link Bundle Example Link 1 Link 2 Link 3 Flow 2 Flow 2 Flow 5 Flow 5 Flow 8 Flow 8

Flow 3 Flow 3 Flow 6 Flow 6

Presentation_ID


Cisco Public

23

Etherchannel Concepts

Adaptive Hash Distribution Enhancement allows for the addition or removal of links in a bundle without affecting all of the traffic in an Etherchannel. Note in the below example, only Flow 7 and 8 are affected by the addition of an extra link to the ChannelRBH (for MEC) 2 Link Bundle Example Link 1 Link 2 Flow 1 Flow 1 Flow 3 Flow 3 Flow 5 Flow 5 Flow 7 Flow 7 Flow 2 Flow 2 Flow 4 Flow 4 Flow 6 Flow 6 Flow 8 Flow 8 RBH (for MEC) 3 Link Bundle Example Link 1 Link 2 Link 3 Flow 2 Flow 2 Flow 4 Flow 4 Flow 6 Flow 6

Etherchannel Hash Distribution Adaptive

Flow 1 Flow 1 Flow 3 Flow 3 Flow 5 Flow 5

Flow 7 Flow 8 Flow 8

vss#conf t vss#conf t Enter configuration commands, one per line. End with CNTL/Z. Enter configuration commands, one per line. End with CNTL/Z. vss(config)#port-channel hash-distribution adaptive vss(config)#port-channel hash-distribution adaptive vss(config)# ^Z vss(config)# ^Z vss# vss#

Available in 12.2(33)SXHPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

24

EtherChannel ConceptsEtherChannel HashA command can be invoked to assist in determining which link in the bundle will be used - it can use various hash inputs to yield an 8-bucket RBH value that will correspond to one of the port channel members

vss#show etherchannel load-balance hash-result interface portchannel 120 switch 1 ip 192.168.220.10 192.168.10.10 Computed RBH: 0x4 Would select Gi1/2/1 of Po120Note: specify switch when using hash result command, if not VSS assumes switch while commuting hash results from the hardware.

Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco Public

25

Virtual Switching System ArchitectureVSS(config)#port-channel load-balance ? dst-ip dst-mac dst-mixed-ip-port dst-port mpls src-dst-ip src-dst-mac src-dst-mixed-ip-port src-dst-port src-ip src-mac src-mixed-ip-port src-portPresentation_ID

MEC Load-Balance SchemesDst IP Addr Dst Mac Addr

Dst IP Addr and TCP/UDP Port Dst TCP/UDP Port Load Balancing for MPLS packets Src XOR Dst IP Addr Src XOR Dst Mac Addr Src XOR Dst IP Addr and TCP/UDP Port Src XOR Dst TCP/UDP Port Src IP Addr Src Mac Addr Src IP Addr and TCP/UDP Port Src TCP/UDP Port


Cisco Public

26

Agenda Topics

VSS Hardware and Software Requirements

Presentation_ID


Cisco Public

27

VSS RequirementsHardwareIn order to enable the Virtual Switching System feature and configure the Virtual Switch Links (VSL) between 2 Catalyst 6500 chassis, the new Catalyst 6500 Virtual Switching Supervisor 720 is required to be used. It is the only Supervisor that will support VSS as it supports both the new PFC3C/XL forwarding engine

12.2(33)SXH1 or laterThe PFC3C/XL contains new hardware to support the extra LTL indices and mappings required to forward traffic across multiple physical chassis, lookup enhancements as well as MAC address table handling enhancements

VS-S720-10G-3C/XLPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

28

Hardware RequirementsVSL-Capable InterfacesThe VSL requires new port ASICs that exist only on the 10 GigabitEthernet interfaces on the following modules:Note: These interfaces may also be used as standard network interfacesWS-X6708-10G-3C/XL

VS-S720-10G-3C/XL These interfaces are based off the new port ASIC, allowing for frames across the VSL to be encapsulated / de-encapsulated with the VSHWS-X6716-10G-3C/XL * * Support for VSL from 12.2(33)SXI onwards

Presentation_ID


Cisco Public

29

VSS Hardware RequirementsVSS Supported Ethernet ModulesModule WS-X6704-10G-3C/XL WS-X6708-10G-3C/XL WS-X6716-10G-3C/XL WS-X6724-SFP WS-X6748-SFP WS-X6748-GE-TX 7600-SIP-400 Descripiton 10GE Linecard 10GE Linecard 10GE Linecard 1000BASE-X Linecard 1000BASE-X Linecard 10/100/1000 BASE-TX Linecard SIP 400 with Ethernet & PoS SPA Interfaces Status 12.2(33)SXH1 12.2(33)SXH1 12.2(33)SXH1 12.2(33)SXH1 12.2(33)SXH1 12.2(33)SXH1 12.2(33)SXI4

Presentation_ID


Cisco Public

30

VSS Hardware RequirementsService Module SupportModuleACE10/ACE 20-6500-K9 WS-SVC-FWSM-1-K9 WS-SVC-IDSM2-K9 WS-SVC-NAM-1 WS-SVC-NAM-2

DescriptionApplication Control Engine (ACE) Firewall Services Module (FWSM) Intrusion Detection System Services Module (IDSM-2) Network Analysis Module (NAM1) Network Analysis Module (NAM2)

VSS Minimum Software12.2(33)SXI 12.2(33)SXI 12.2(33)SXI 12.2(33)SXH1 12.2(33)SXI

Service Module Minimum SoftwareA2(1.2) 4.0(4) 6.0(2)E1 3.6(1a) 3.2.171.6

WS-SVC-WISM-1-K9Application Control Engine (ACE)

Wireless Services Module (WiSM)Firewall Services Module (FWSM)

Wireless Services Module (WiSM)

ACE10/ACE 20-6500-K9Network Analysis Module (NAM 1&2)

WS-SVC-FWM-1-K9

WS-SVC-WISM-1-K9 Intrusion Detection System Services Module (IDSM-2)

Presentation_ID

WS-SVC-NAM-1 WS-SVC-NAM-2


Cisco Public

WS-SVC-IDSM2-K9

31

Hardware Requirements

Sup720-10G-VSS PFC3C Interoperability With DFCSup720-10G-VSS Non-VSS Mode System wide PFC Mode PFC3B* Not Supported PFC3C PFC3C PFC3A* PFC3C Sup720-10G-VSS VSS Mode System wide PFC Mode Not Supported Not Supported Not Supported Not supported PFC3C PFC3C

DFC3C DFC3B DFC3A DFC2 CFC

Classic

* Non-VSS mode, inserting DFC3A or DFC3B will be powered down until a reload, Up on reload systems runs in lowest common denominator DFC mode.Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

32

Software RequirementsVSS PackagingSupported with 12.2(33)SXI1 (CCO 03/31/09) Before 12.2(33)SXI1 IOS IP Base VSS 1440 Mode Not Supported VSS 1440 Mode Supported 12.2(33)SXI1 And newer VSS 1440 Mode Supported VSS 1440 Mode Supported

(available with bundles only)

IOS IP Services and Above

Please refer to the SXI1 product bulletin for more information http://www.cisco.com/en/US/products/ps9336/prod_bulletins_list.htm lPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

33

Agenda Topics

Migration to VSS

Presentation_ID


Cisco Public

34

Migration to VSSOverviewL3 Core Migration Steps between

1. 2.

Distribution and core Configure MEC Remove Routing Statements which are not needed.

L2/L3 Distribution

Access

Migration Steps between Distribution and Access-layer 1. Modify FHRP Configuration 2. Configure Multichassis Etherchannel 3. Move L2 Trunk configuration to MEC interfaces 4. Move Policies to MEC if needed 5. Keep Spanning-Tree Enabled

Expect Network Disruption During Conversion Process Prepare in advance to minimize downtimePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

35

Migration to VSSConversion ProcessThe conversion process requires configuration steps on both switches that will form part of the Virtual Switch Domain and requires a reboot of both switches during the conversion

Standalone

VSS

Presentation_ID


Cisco Public

36

Migration to VSSConversion ProcessFor the purposes of this explanation - lets assume the following setup is required Switch1T5/4 T5/5 Port-Channel 1 T5/4 T5/5 Port-Channel 2

Switch2

Virtual Switch Link

Switch Virtual Domain #100

Presentation_ID


Cisco Public

37

Migration to VSSConversion ProcessConfiguration for the conversion takes the following path Switch1Router(config)#host VSS VSS(config)#switch virtual domain 100 Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued VSS(config-vs-domain)#switch 1 VSS(config-vs-domain)#exit VSS(config)#interface port-channel 1 VSS(config-if)#switch virtual link 1 2 1

Switch2Router(config)#host VSS VSS(config)#switch virtual domain 100 Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued VSS(config-vs-domain)#switch 2 VSS(config-vs-domain)#exit VSS(config)#interface port-channel 2 VSS(config-if)#switch virtual link 2 VSS(config-if)#interface range tenG 5/4 - 5 VSS(config-if-range)#channel-group 2 mode on

3

VSS(config-if)#interface range tenG 5/4 - 5 VSS(config-if-range)#channel-group 1 mode on

Presentation_ID


Cisco Public

38

Migration to VSSConversion ProcessConfiguration for the conversion takes the following path Switch1vss#switch convert mode virtual 4 This command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch. Do you want to proceed? [yes/no]: yes Converting interface names Building configuration... [OK] Saving converted configuration to bootflash: ... Destination filename [startupconfig.converted_vs-20071031-150039]?

Switch2vss#switch convert mode virtual This command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch. Do you want to proceed? [yes/no]: yes Converting interface names Building configuration... [OK] Saving converted configuration to bootflash: ... Destination filename [startupconfig.converted_vs-20071031-150039]?

AT THIS POINT THE SWITCH WILL REBOOT

AT THIS POINT THE SWITCH WILL REBOOT

Presentation_ID


Cisco Public

39

Migration to VSSConversion ProcessSWITCH CONSOLE OUTPUT

Configuration for the conversion takes the following path Switch1SWITCH CONSOLE OUTPUT

Switch2

System detected Virtual Switch configuration... Interface TenGigabitEthernet 1/5/4 is member of PortChannel 1 Interface TenGigabitEthernet 1/5/5 is member of PortChannel 1 00:00:26: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch Initializing as Virtual Switch ACTIVE processor 00:01:19: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP

System detected Virtual Switch configuration... Interface TenGigabitEthernet 2/5/4 is member of PortChannel 2 Interface TenGigabitEthernet 2/5/5 is member of PortChannel 2 00:00:26: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch Initializing as Virtual Switch STANDBY processor 00:01:02: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP

00:01:19: %VSL-5-VSL_CNTRL_LINK: Control Link 5/4

New VSL

00:01:02: %VSL-5-VSL_CNTRL_LINK: Control Link 5/4

New VSL

Presentation_ID


Cisco Public

40

Migration to VSS

Conversion Process Last Critical Step(No Longer required in SXI3 or newer)SWITCH CONSOLE OUTPUT vss-demo# switch accept mode interface Port-channel2 switch virtual link 2 no shutdown interface TenGigabitEthernet2/5/4 channel-group 2 mode on no shutdown interface TenGigabitEthernet2/5/5 channel-group 2 mode on no shutdown

Configuration for the conversion takes the following path Switch1virtual5SWITCH CONSOLE OUTPUT Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Wed 10-Oct-07 01:02 by chrisvan 00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF 00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF vss-sdby>

Switch2

Standby console disabled vss-sdby>

This command will populate the above VSL configuration from the standby switch into the running configuration. The startup configuration will also be updated with the new merged configuration if merging is successful. Do you want to proceed? [yes/no]: yes Merging the standby VSL configuration... Building configuration... 00:11:33: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router. [OK]

Presentation_ID


Cisco Public

41

Migration to VSS

Conversion Process Last Critical Step is Automated in SXI3 or newerConfiguration for the conversion takes the following path Switch1SWITCH CONSOLE OUTPUT Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Wed 10-Oct-07 01:02 by chrisvan 00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF 00:02:42: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF vss-sdby> SWITCH CONSOLE OUTPUT vss-demo#

Switch2

This command is no longer required since standby VSL configuration merge is done 5 automatically. vss-demo#

switch accept mode virtual

Standby console disabled vss-sdby>

Presentation_ID


Cisco Public

42

Migration to VSSConversion ProcessConfiguration for the conversion takes the following path Switch1vss# sh switch virtual Switch mode : Virtual Switch Virtual switch domain number : 10 Local switch number : 1 Local switch operational role: Virtual Switch Active Peer switch number : 2 Peer switch operational role : Virtual Switch Standby vss#vss-sdby>enable

Switch2Standby console disabled vss-sdby>

Both switches are now converted with Switch1 - VSS Active Switch2 - VSS Hot standby Switch 2 console is now disabled for normal console activity

Presentation_ID


Cisco Public

43

Virtual Switching System Architecture1 2 3 4 5 6 7

VSL InitializationInitialization Bring up VSL Linecards and VSL Ports Run VSLP Run RRP Inter-chassis SSO Continue System Bootup Pre-Parse Config

1 2 3 4 5 6 7

Initialization Bring up VSL Linecards and VSL Ports Run VSLP Run RRP Inter-chassis SSO Continue System Bootup Pre-Parse Config

CFC or DFC Line Cards CFC or DFC Line Cards CFC or DFC Line Cards


SF


Sup720-10GE ACTIVE

RP

PFC

VSLP RRP

VSL

CFC or DFC Line Cards CFC or DFC Line Cards

SF


Sup720-10GE Standby Hot

RP

PFC

Presentation_ID


Cisco Public

44

VS-S720-10G

Architecture: VSL Inband Connection

Allows for the VSL ports to be brought online very early in the boot process

Presentation_ID


Cisco Public

45

Agenda Topics

High Availability

Presentation_ID


Cisco Public

46

High Availability

Redundancy SchemesDefault redundancy mechanism between the two VSS chassis and their associated supervisors is NSF/SSOSwitch1 12.2(33)SXH1VSL

Switch2 12.2(33)SXH1

Active

NSF/SSO

Standby

If a mismatch of information occur between the Active & Standby, the Standby will revert to RPR mode Starting 12.2(33)SXI, minor mis-match in software will be still keep the switch in SSO mode Switch1 12.2(33)SXH1VSL

Switch2 12.2(33)SXH2

Active

RPRVSL

Standby

Switch1 12.2(33)SXI

Switch2 12.2(33)SXI1

Presentation_ID


Active

NSF/SSO

Cisco Public

Standby

47

Virtual Switching SystemInter Chassis NSF/SSO2Standby Supervisor takes over as Virtual switch Active Virtual Switch Standby initiates graceful restart Virtual Switching System Non Stop forwarding of packets will continue using hardware entries as Switch-2 assumes active role NSF aware neighbors exchange updates with Virtual Switch Active

Virtual Switch Active

Virtual Switch Hot Standby

Switch1

Switch2Switch Is down Virtual Switch Active

1

Virtual Switch Active incurs a supervisor outagePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Switch1

Virtual Switching System

Switch248

High AvailabilityNSF feature with SSO minimizes the amount of traffic loss following supervisor switchover while continuing to forward traffic using hardware entries. In VSS environment this feature is required to minimize traffic disruption in the event such as supervisor failure that causes supervisor switchover.Switch1 12.2(33)SXH1 ActiveNSF/SSO

NSF/SSO

Switch2 12.2(33)SXH1 Hot Standby

VSLVSS#config t VSS(config)#router ospf 1 VSS(config-router)#nsf

NSF is supported by the BGP, EIGRP, OSPF & IS-IS

VSS#show ip ospf Routing Process "ospf 10" with ID 192.168.2.1 Start time: 00:15:29.344, Time elapsed: 23:12:03.484 Supports only single TOS(TOS0) routes External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled Reference bandwidth unit is 100 mbps

Non-Stop Forwarding enabled

Presentation_ID


Cisco Public

49

High Availability

After the roles have been resolved through RRP, a Configuration Consistency Check is performed across the VSS switches to ensure proper VSL operation. The following items are checked for consistency:Switch Virtual Domain ID Switch Virtual Domain ID Switch Virtual Switch ID Switch Virtual Switch ID Switch Preempt Switch Preempt Switch Priority Switch Priority

NSF/SSO Requirements

VSL Port state, interfaces VSL Port state, interfaces Power Enable on VSL cards Power Enable on VSL cards Additionally, software version, installed patches and PFC modes also need to be consistent for NSF/SSO mode to be enteredPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

VSL Port Channel Link ID VSL Port Channel Link ID

Power Redundancy mode Power Redundancy mode

50

High Availability

Failure of MEC member Upstream Traffic Convergence is determined by Access device

Si

Si

Etherchannel convergence - typically 200ms

Typically only the flows on the failed link are effected

Si

Si

Presentation_ID


Cisco Public

51

High AvailabilityConvergence is determined by VSS VSS Etherchannel convergence

Failure of MEC member Downstream Traffic

Si

Si

Typically Sub - 200ms Only the flows on the failed link are effected

Si

Si

Presentation_ID


Cisco Public

52

High AvailabilityDual-Active DetectionIn a Virtual Switching System Domain, one switch is elected as Active and the other is elected as Standby during boot up by VSLP. Since the VSL is always configured as a Port Channel, the possibility of the entire VSL bundle going down is remote, however it is a possibility

Switch1 VSL Active

Switch2

Hot Standby

Recommendation is to deploy the VSL with two or more links and distribute those interfaces across multiple modules to ensure the highest redundancy

Presentation_ID


Cisco Public

53

High AvailabilityDual-Active DetectionIf the entire VSL bundle should happen to go down, the Virtual Switching System Domain will enter a Dual Active scenario where both switches transition to Active state and share the same network configuration (IP addresses, MAC address, Router IDs, etc) potentially causing communication problems through the network 3 Step Process 1 2 3Dual-Active detection using the detection method enabled in the system. Further network disruption is avoided by disabling previous VSS active switch interfaces connected to neighboring devices . Dual-Active recovery, when VSL recovers , the switch that has all its interfaces brought down in the previous step will reload to boot in a preferred standby state

Switch1

Switch2

Active

VSL

Active

Presentation_ID


Cisco Public

54

High AvailabilityDual-Active ProtocolsEnhanced PAgP VSLP Fast Hello IP-BFD

P PA A G G PP ++

P PA

TTL V LV

Switch 1

A GP GP + +TT LL VV

Switch 2

Switch 1

Switch 2

Switch 1

Switch 2

Active

Hot Standby

Active

VSLP VSLP

VSLP VSLP

Hot Standby

Active

BFD BFD

BFD BFD

Hot Standby

Requires ePagP capable neighbor :3750: 12.2(46)SE 4500: 12.2(44)SE 6500: 12.2(33)SXH1

Direct L2 Connection Requires 12.2(33)SXI

Direct L3 Connection Requires 12.2(33)SXH1

Sub-second convergencePresentation_ID

Sub-second convergenceCisco Public

Seconds of convergence*55


High Availability

Dual-Active: Recovery Mode%DUAL_ACTIVE-SW1_SP-1-DETECTION: Dual-active condition detected: all non-VSL and non-excluded interfaces have been shut down

Active Recovery

VSL

Standby Active

VSS#show switch virtual dual-active summary Pagp dual-active detection enabled: Yes Bfd dual-active detection enabled: Yes No interfaces excluded from shutdown in recovery mode In dual-active recovery mode: Yes Triggered by: Pagp detection Triggered on interface: Gi1/2/3Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Dual-Active Detected

56

High Availability

Dual Active: Recovery ModeImportant ! Do not make any configuration changes while in the Dual Active Recovery mode. If the config is changed the system will not automatically recover once the VSL becomes active again One must issue the write memory command and then reload the switch in recovery mode using the reload shelf command

Switch 1 VSL Recovery

Switch 2

Active

Presentation_ID


Cisco Public

57

High Availability

Dual-Active Detection Exclude InterfacesUpon detection of a Dual Active scenario, all interfaces on the previous-Active switch will be brought down so as not to disrupt the functioning of the remainder of the network. The exclude interfaces include VSL port members as well as any pre-configured ports which may be used for management purposesvs-vsl#conf t Enter configuration commands, one per line. End with CNTL/Z. vs-vsl(config)#switch virtual domain 100 vs-vsl(config-vs-domain)#dual-active exclude interface Gig 1/5/1 vs-vsl(config-vs-domain)#dual-active exclude interface Gig 2/5/1 vs-vsl(config-vs-domain)# ^Z vs-vsl#

Presentation_ID


Cisco Public

58

High Availability

Dual-Active: RestorationUpon the restoration of one or more VSL interfaces, VSLP will detect this and will proceed to reload Switch 1 so that it will be able to bootup in preferred Hot Standby role after bootupRecoverySwitch 1 VSL Switch 2

RestorationSwitch 1 VSL Hot StandbyR

Switch 2

Recovery Switch-1 shutdown all active interfaces *

Active

Active

Switch-1 will reload and boot up in Hot standby role

Presentation_ID


Cisco Public

59

Agenda Topics

Quad-Sup Uplink Forwarding

Presentation_ID


Cisco Public

60

VSS Redundant Supervisor SupportWhy Redundant Supervisors Are NeededA Supervisor failure event will down the affected chassis decreasing the VSS bandwidth by 50% Certain devices may only single-attach to the VSS for various reasonsService Modules/Servers Costs $$ Geographic separation of VSS chassis

Si

Si

Supervisor failure events therefore require manual intervention for recovery of the affected chassisUndeterministic outage time

Uplinks are not active when the Supervisor is in ROMMON mode Relies on manual process to install and convert the new Supervisor with current VSS configuration

Presentation_ID


Cisco Public

61

Provides Active Uplinks in the Standby Supervisor with Deterministic Recovery From a Supervisor FailureIn the initial VSS release a redundant In-Chassis Supervisor is not supportedWill stop its boot process at the ROMMON stageSi Si

VSS Quad-Sup Uplink Forwarding

Quad-Sup Uplink ForwardingNew in 12.2(33)SXI4

A Second Supervisor installed in the chassis will boot as a Linecard with all of its ports active

If the active Supervisor in the chassis should fail the In-Chassis Standby will reload and then take over the chassis Supervisor functions without human intervention 1. 2. 3. Supervisor Failure event Chassis reloads In-chassis Standby now becomes VSS standby and chassis dataplane is active again 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

R

R

= Reload 62

Presentation_ID

Virtual Switching System (VSS)Redundant supervisors fully boot Cisco IOS to RPR-WARM redundancy mode Switch-1 Switch-2

Quad-Sup Control Plane

RPR -Warm

SSO Active

Si

STANDBY COLD

SSO Hot-Standby RPR -Warm

VSL

Si

Presentation_ID


Cisco Public

63

From data plane perspective the RPR-Warm supervisor operates similarly to a DFC-enabled line card. Forwarding tables are in sync and data plane is active for module uplinks Switch-1 Switch-2

Virtual Switching System (VSS) Quad-Sup- Data plane

Active

Active

STANDBY COLD

Si

VSL

Active Active

Si

Presentation_ID


Cisco Public

64

Virtual Switching System (VSS)

All Uplinks Active in RPR-WARM Redundancy ModeUse at least one of the ten gigabit interfaces from each supervisor to build the VSL. Remaining ports can be used for other purposes including uplinks. PFC and crossbar fabric of the In-chassis standby supervisor are active.

Si

Si

Switch-1 SwitchSF RP PFC

Switch-2 SwitchSF RP PFC

Standby HOT Supervisor Active Supervisor

Standby HOT Supervisor

SF

Si

PFC

SF

Si

PFC

RPR-WARM

VSL

RPR-WARM

= UplinksPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

65

Virtual Switching System (VSS)Active Supervisor Hardware FailureActive VSS supervisor incurs a hardware failureSSO ActiveRPR-Warm

1

Switch-1

Switch-2

SSO

Si

STANDBY COLD

SSO Hot Standby RPR-Warm

VSL

Si

Available Bandwidth= Line Cards ActivePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

100 % 50%

SW1

SW2

SW2

Cisco Public

1

Duration

66

Virtual Switching System (VSS)Active Supervisor Hardware Failure1.

2

Switch-1

Switch-2

2. 3.

SSO failover to the hot-standby supervisor in switch-2 Switch-1 reloads and comes back online. 50% bandwidth is available during switch-1 reload

R

SSO

Si

STANDBY COLD

RPR-WarmVSL

SSO Active

Si

R SSO

= Reload

Available Bandwidth

100 % 50%

SW1

= SSO Switchover = Line Cards Active

SW2

SW2

SW2

Presentation_ID


Cisco Public

1

2

Duration

67

Virtual Switching System (VSS) Active Supervisor Hardware Failure1. Switch-1 comes online

3

Switch-1

Switch-2

2. Previous RPR warm supervisor resumes SSO hot standby state

3. The failed supervisor boots up in RPR warm mode. 4. 100% Bandwidth is available leveraging both switches

RPR Warm SSO Hot Standby

Si

STANDBY COLD

VSL

SSO Active RPR Warm

Si

Available BandwidthR

100 % 50%

SW1

SW1

= Reload = Line Cards Active

SW2

SW2

SW2

SW2

Presentation_ID


Cisco Public

1

2

3

Duration

68

The following graph illustrates the aggregate traffic for the VSS system during the active supervisor failover with and without dual supervisor support.

Virtual Switching System (VSS) Active Supervisor FailoverPre SXI4

100 % 50%

12.2(33)SXI4SW1 SW2 SW2 SW2

Available Bandwidth 1 2 3 Duration

100 % 50%

SW1 SW2 SW2

SW1

Un-deterministic supervisor failure recovery

Available Bandwidth 1

2

3

Duration

Deterministic supervisor failure recoveryPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

69

VSS Quad-Sup Uplink Forwarding Redundancy ModeVSS DomainVSS Switch 1 (SSO Active) In-Chassis Active VSS Switch 2 (SSO Hot Standby) In-Chassis Active

In-Chassis Standby (RPR- WARM)

In-Chassis Standby (RPR- WARM)

RPR-Warm is a new redundancy mode created for the VSS In-chassis Standby Supervisor RPR-Warm mode allows the Supervisor to operate primarily as a linecard, but with some synchronization with the In-Chassis Active Supervisor (Synchronization does not occur across chassis) Supervisor uplink ports are operational and active just like on a linecardPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

70

VSS In-Chassis Standby RPR-WARM Redundancy ModeIn-Chassis Standby SupervisorDownloads and boots new image file Sup720-LC SP runs the Sup720-LC image RP is in ROMMON Operates mostly as a DFC enabled line card Some Supervisor subsystems are synched between In-Chassis Active and Standby Startup-config Vlan.dat BOOT ROMMON variable CONFIG_FILE ROMMON variable BOOTLDR ROMMON variable DIAG ROMMON variable SWITCH_NUMBER ROMMON variable71

Subsystems synched includeVSS Chassis with Dual Supervisors Running Quad-Sup Forwarding

Presentation_ID


Cisco Public

VSS In-Chassis Standby Boot ProcessStartBoot Sup720 image (Initialize)

Begin Boot Sup720-LC image

Existing process for SSO mode

Active

In-Chassis Role Negotiation

In-Chassis Role Negotiation

Active

Reload

Standby

Standby

No

Virtual Switch

Virtual Switch

No

YesWarm Upgrade to Sup720-LC imagePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

YesBoot as Line Card (RPRWARM)72

In-Chasss Standby Booting to Sup-LC ImageSystem detected Virtual Switch configuration... Interface TenGigabitEthernet 2/5/4 is member of PortChannel 2 Interface TenGigabitEthernet 2/5/5 is member of PortChannel 2 *Apr 5 20:27:50.747: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. Firmware compiled 02-Mar-10 17:41 by integ Build [100] *Apr 5 20:27:50.747: %PFREDUN-6-STANDBY: Initializing as STANDBY processor for this switch!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Decompressing the image : ####################################################################################### ####################################################################################### ### [OK] Launching the SPLC image! Restricted Rights Legend

Presentation_ID


Cisco Public

73

Virtual Switching System (VSS)Dual Supervisor Redundancy LEDSSO Active Redundancy Led status SSO Standby RPR Warm

Green

Orange (amber)

Blinking Orange

Presentation_ID


Cisco Public

74

Virtual Switching System (VSS)CLI VerificationRouter#sh mod Mod Ports Card Type Model Serial No. --- ----- ----------------------------------------------------------------5 5 Supervisor Engine 720 10GE (Active) VS-S720-10G SAD1205069Y 6 5 Supervisor Engine 720 10GE (RPR-Warm) VS-S720-10G SAD1205065B Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------5 001e.4aaa.ee70 to 001e.4aaa.ee77 2.0 8.5(2) 12.2(2009050 Ok 6 001e.4aaa.ed58 to 001e.4aaa.ed5f 2.0 8.5(2) 12.2(2009042 Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------5 Policy Feature Card 3 VS-F6K-PFC3C SAD120504EB 1.0 Ok 5 MSFC3 Daughterboard VS-F6K-MSFC3 SAD120301PL 1.0 Ok 6 Policy Feature Card 3 VS-F6K-PFC3C SAD1203057R 1.0 Ok 6 MSFC3 Daughterboard VS-F6K-MSFC3 SAD120301PL 1.0 Ok Mod Online Diag Status ---- ------------------5 Pass 6 Pass

Quad Supervisor Uplink Forwarding Redundancy

Presentation_ID


Cisco Public

75

Virtual Switching System (VSS)Cli VerificationRouter#sh switch virtual redundancy My Switch Id = 1 Peer Switch Id = 2 Last switchover reason = user forced Configured Redundancy Mode = sso Operating Redundancy Mode = sso Switch 1 Slot 5 Processor Information : ----------------------------------------------Current Software state = ACTIVE Image Version = Cisco IOS Software, s72033_rp Software (BOOTLDR = Configuration register = 0x2 Fabric State = ACTIVE Control Plane State = ACTIVE Switch 1 Slot 6 Processor Information : ----------------------------------------------Current Software state = RPR-Warm Uptime in current state = 4 days, 17 hours, 36 minutes Image Version = > BOOT = disk0:mz-rbh,12; CONFIG_FILE = BOOTLDR = Configuration register = 0x2 Fabric State = RPR-Warm Control Plane State = RPR-WarmPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Quad Supervisor Uplink Forwarding Redundancy Monitoring

76

Virtual Switching System (VSS)

Quad Supervisor Uplink Forwarding Redundancy Monitoring

Presentation_ID


Cisco Public

77

VSS Quad Supervisor Uplink ForwardingKey PointsQuad Supervisor Uplink Forwarding feature is scheduled for release in 12.2(33)SXI4 Quad Supervisor Uplink Forwarding allows for deterministic recovery from a Supervisor failure event In-Chassis Standby Uplinks are active and operational under normal conditions

In-Chassis Standby Supervisor runs in new redundancy mode called RPR-WARM Switchover to the In-Chassis Supervisor does require a reload of the chassis Supervisor role negotiation occurs first within the chassis, then the winning In-Chassis active Supervisor performs VSS role negotiation between chassisPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

78

Agenda Topics

Software Upgrades

Presentation_ID


Cisco Public

79

VSS Software UpgradePreparation Steps1. Preparation Steps a) Ensure the old image and new image files are installed to the local file systems on both Supervisor modules b) Configure the boot register to auto-load the specified software image file c) Configure the boot string to load the new software image 2. Reset the standby Supervisor and ensure it boots successfully to RPR mode (STANDBY COLD). Hot Standby modules are power down and not forwarding traffic at this point, forwarding capacity will be down to 50% 3. Force a Supervisor switchover, forwarding capacity drops to 0%. Standby Supervisor continue to boot and become the new ACTIVE. Old active Supervisor will reset and load the old image and boot to STANDBY COLD (RPR) state 4. Trial Phase 5. Modify boot variable on Switch-1 and reload switch1 such that it boots up with new software image. Forwarding capacity will resume back to 100%R SOPresentation_ID

Pre 12.2(33)SXI Fast Software Upgrade (FSU)Switch-1 Switch-2

SO R

VSS Standby COLD VSS Active VSS Standby HOT WS-X6708-10G

Si

STANDBY COLD VSS Standby Cold VSS Standby Hot VSS Active VSL WS-X6708-10G

Si

R

Execute Upgrade

100%

VSS Standby Cold

50%

SW2

SW1

= Reset = Switchover

= Old Version = New VersionCisco Public

1

2


3 4 SW1/SW2

5 80

VSS Software UpgradePreparation Steps1. Before ISSU software upgrade, VSS Switch-1 and Switch-2 will be running the old software image. 2. Install the new image to the same location on the file systems of both Supervisors 3. Make sure the boot register is configured for auto boot 0x2102

12.2(33)SXI Enhanced Fast Software Upgrade (EFSU)Switch-1 Switch-2

SO R

VSS Standby Hot VSS Active WS-X6708-10G

2. ISSU loadversion

Si

STANDBY COLD VSS VSS Active Standby Hot WS-X6708-10G

R

VSL

Si

Execute Upgrade

3. ISSU runversion 4. ISSU AcceptversionVSS Standby HOT 100%

5. ISSU Commitversion

50%

SW2

SW1

SW1

= Old Version = New VersionPresentation_ID

R SO

= Reset = Switchover 1Cisco Public

2

3

4

5 81


VSS Software Upgrade

Full Image Upgrade Bandwidth Availability GraphThe following graphs illustrate the aggregate bandwidth available to the VSSFast Software Upgrade bandwidth availability Enhanced Fast Software Upgrade bandwidth availability

100%

100%

50%

50%

1

SW2

2

3

SW1/SW2

4

At step 3 during RPR switchover, bandwidth will be dropped to 0% for 1-2 minutesPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

SW1

5

1

2

SW2

3

SW1

4 SW1

5

With EFSU, a minimum of 50% bandwidth is available throughout the software upgrade processCisco Public

82

EFSU

Initializing Standby With New SoftwareAfter entering the issu loadversion command, the standby chassis will reload to boot the new software image. ..issu loadversion active-switch-id/slot active-image-new standby-switch-id/slot standby-image-newVSS# issu loadversion sup-bootdisk:New_image VSS# show issu state Slot = 22 RP State = Active ISSU State = Load Version Boot Variable = bootdisk:Old_image,12 Slot RP State ISSU State Boot Variable = = = = 40 Standby Load Version bootdisk:New_image,12;sup-bootdisk:Old_image,12

Presentation_ID


Cisco Public

83

EFSU

Switchover to Standby to Run New Software

After entering the issu runversion command the Active Supervisor will reload thus causing the Standby to go Active

Switch# issu runversion standby-switch-id / slot [standby-image-new]

VSS# issu runversion This command will reload the Active unit. VSS# show issu state Slot RP State ISSU State Boot Variable Slot RP State ISSU State Boot Variable = = = = = = = =

Proceed ? [confirm]

40 Active Run Version New_image,12;bootdisk:Old_image,12 22 Standby Run Version bootdisk:Old_image,12

Presentation_ID


Cisco Public

84

EFSU

Rollback TimerRollback timers gets activated as soon as issu runversion command is issued. It provides a window of time to verify the new software functionality. Users issues issu acceptversion to proceed with new software image or issu abortversion to go back to previous version.VSS# show issu rollback-timer Rollback Process State = In progress Configured Rollback Time = 45:00 Automatic Rollback Time = 42:02 VSS(config)# issu set rollback-timer ? WORD Rollback timer in hh:mm:ss or format

Rollback timer can be set between zero seconds and two hours. Setting the rollback to zero effectively disables the timer

Presentation_ID


Cisco Public

85

EFSU Process

Accept New Software VersionEnter the issu acceptversion command to stop the rollback timer. This allows a trail period where the system can be tested with the new software image.Switch# issu acceptversion active-switch-id / slot [active-image-new]VSS# issu acceptversion % Rollback timer stopped. Please issue the commitversion command. VSS# show issu state Slot RP State ISSU State Boot Variable Slot RP State ISSU State Boot Variable = = = = = = = = 40 Active Run Version bootdisk:New_image,12;bootdisk:Old_image,12 22 Standby Run Version bootdisk:Old_image,12

Important: Only features that are common to both software versions will be enabled during the ISSU Run Version stagePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

86

EFSU Process

Reset Old Active to Load New SoftwareEnter the issu commitversion command to commit the new software image, the standby supervisor will reload to boot new software imageSwitch# issu commitversion standby-switch-id / slot-number [standby-image-new]VSS# issu commitversion 10:54:37: %PFINIT-SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router. [OK] 00:32:35: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit). VSS# show issu state Slot RP State ISSU State Boot Variable Slot RP State ISSU State Boot Variable = = = = = = = = 40 Active Init bootdisk:New_image12; Old_image,12 22 Standby Init bootdisk:New_image,12; Old_image,12

Presentation_ID


Cisco Public

87

EFSU Process

Full Image Upgrade ProcessFollowing picture illustrates the EFSU stepsLC Active LC Switch-1 LC Standby LC Switch-2 ISSU loadVersion LC LC Switch-1 LC Standby LC Switch-2 ISSU RunVersion

Active

Standby LC Switch-1

LC

Active LC Switch-2

LC

ISSU CommitVersion

Standby LC

LC

LC Active LC Switch-2

= Old Version = New VersionCisco Public

Switch-1

Presentation_ID


88

Virtual Switching System (VSS) QuadSup & eFSUPreparation Steps 1. Before ISSU software upgrade, VSS all sups will be running old software image. Make sure all 4 sups have a new image copied to their local flash memory. ISSU loadversion Standby chassis (active and standby sups) reloads and comes up with new image ISSU runversion Standby takes over as active and old active switch (active and standby sups) reloads and comes up as standby with old image. ISSU acceptversion If network is stable issue ISSU acceptversion which stops the rollback timer, otherwise ISSU process will aborted intermediately.VSS Standby Cold

Switch-1

Switch-2

2.

SO R

Execute Upgrade

3.

Hot-standby Active RPR Warm

Si

STANDBY COLD Hot--standby Active RPR Warm

R

VSL

Si

4.

VSS Standby HOT 100 % 50%

5.

ISSU commitversion Once the image is tested and ready to be rolled out .. ISSU commit version will reload the standby switch (active and standby sups) to boot up with new software version= Old Version = New VersionR SO

= Reset

Available Bandwidth1Cisco Public

SW2

SW1

SW1

Presentation_ID


= Switchover

2

3

4

5

Duration

89

VSS & EFSU Important PointsDual-homed connectivity is required for minimal traffic disruptionSingle-homed devices will experience an outage when the attached chassis reloads

Software images files must be ISSU compatible (these are not VSS specific requirements)Must be the same image types, meaning Native to Native or Modular to Modular For Modular images, both images must use the same installation method, therefore installed mode or binary mode EFSU support begins in the SXI train

The software feature sets must be the same between the two software image files

Presentation_ID


Cisco Public

90

Agenda Topics

Deployment Considerations and Best Practices

Presentation_ID


Cisco Public

91

Virtual Switching SystemDeployment ConsiderationsDual-attach connected devices whenever possibleEtherchannel and L3 ECMP hash algorithms have been modified so that local links will always have preference over remote links Minimal traffic expected to cross VSL link in dual-homed scenario

Presentation_ID


Cisco Public

92

VSL Bandwidth Sizing & ConsiderationsSi Si

The VSL is an Etherchannel VSL bandwidth should be greater than or equal to the largest bandwidth connection to a single attached device (downlink)can include up to eight links

Si

Si

Consider the bandwidth for any Service Modules and SPAN sessions Distribute the VSL interfaces across multiple modules for added resiliency Include at least one VSL interface from the Supervisor module for faster VSL bring-up during reloads

Consider the bandwidth on a per VSS chassis basis

Presentation_ID


Cisco Public

93

VSS High AvailabilityEIGRPSwitch(config)#router eigrp 100 Switch(config-router#nsf Router# sh ip protocol *** IP Routing is NSF aware *** Routing Protocol is "eigrp 100 100" EIGRP NSF-aware route hold timer is 240s EIGRP NSF enabled

NSF Configuration and MonitoringOSPFSwitch(config)#router ospf 100 Switch(config-router#nsf Router# sh ip ospf Routing Process "ospf 100" with ID 10.120.250.4 Start time: 00:01:37.484, Time elapsed: 3w2d Supports Link-local Signaling (LLS) Non-Stop Forwarding enabled, last NSF restart 3w2d ago (took 31 secs)

Recommendation: Non-Stop Forwarding is required for sub-sec supervisor switchover convergence with L3 Routing Protocols

Presentation_ID


Cisco Public

94

Operational ManagementShould there be a requirement to reload the entire Virtual Switching System (both chassis), the command reload can be used to accomplish this task

Reloading the VSS

Virtual Switch

vss#reload

Warning: This command will reload the entire Virtual Switching System (Active and Standby Switch). Proceed with reload? [confirm]

1d04h: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command. *** *** --- SHUTDOWN NOW --*** 1d04h: %SYS-SP-5-RELOAD: Reload requested System Bootstrap, Version 8.5(1) Copyright (c) 1994-2006 by cisco Systems, Inc. Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Public

95

Operational ManagementReloading a Member of the VSSNEW command has been introduced to reload a SINGLE VSS member switchSwitch1 Switch2

VSL

Activevss# redundancy reload ? peer shelf

Hot Standbyvss# redundancy force-switchover This will reload the active unit and Force switchover to standby [confirm]

NEW

vss# redundancy reload shelf 2 Reload the entire remote shelf[confirm] Preparing to reload remote shelf vss#Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

vss#Cisco Public

96

VSS High AvailabilityOOB-Mac-SynchronizationIt is used for synchronizing mac-address tables across forwarding engines. If WS-6708-10G is present in the VSS system, mac-synchronization is turned on automatically. If not it has to be enabled manually. Dist-VSS#(config)# mac-address-table synchronize % Current activity time is [160] seconds % Recommended aging time for all vlans is at least three times the activity intervalDist-VSS# sh mac-address-table synchronize statistics MAC Entry Out-of-band Synchronization Feature Statistics: --------------------------------------------------------Switch [1] Module [4] ----------------------Module Status: Statistics collected from Switch/Module : 1/4 Number of L2 asics in this module : 1 Global Status: Status of feature enabled on the switch Default activity time Configured current activity time : on : 160

Recommendation: Enable Out-Of-Band Mac-Synchronization.

: 480

If this feature is not enabled, mac-address-table across different forwarding engines could go out-of-sync and may cause unicast flooding.Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

97

Dual-Active DetectionRecommendations:Use MEC with ePAgP or MEC with VSLP Fast Hello for faster VSL link loss convergence results.

Multiple Mechanisms and Recommendations

Si

Si

ePAgP

Enable BOTH ePAgP and direct heart-beat link based VSLP Fast Hello methods (if possible )

Redundant VSL Fiber

Enable ePAgP to core (if accesslayer is not ePAgP capable

VSLP Fast-Hello or BFD ePAgP

Presentation_ID


Cisco Public

98

VSS Deployment Best PracticesDOConfigure Switch accept-mode virtual Use unique VSS domain-id within the same network

Save backup configuration file in both active & hot-standby bootdisk: Use a minimum of one Supervisor uplink for the VSL, this provides for faster VSL bring up. Enable out-of-band MAC sync mac-address-table synchronize

Dual-home connected devices whenever possible, use L2 or L3 Multi-Chassis Etherchannel, L3 ECMP Use ePAgP and VSLP Fast Hello Dual Active Protocol. Enable NSF under routing protocolsPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

99

VSS Deployment Best Practices ContDO NOT . Tune default VSLP timers unless recommended by cisco Use preemption Issue shutdown for VSL failure, it creates config mismatch. Disconnect cables to create a realistic failure scenario

Change VSL hashing algorithm in production. It requires a shut/no shut on PO. Shutting down VSL will cause traffic disruption and dualactive scenario.

Write-erase to reset the VSS configuration. Write-erase will erase startup-configuration and rommon variables. VSS bring-up process requires switch-id to be present in rommon variable to boot in VSS mode. Use erase-nvram instead.

Presentation_ID


Cisco Public

100

Agenda Topics

Summary

Presentation_ID


Cisco Public

101

Benefit 1: Simplifies Network DesignsBuild redundant topology without First Hop Redundancy Protocols No Spanning Tree blocking ports

Single control plane and management interface

Reduces the number of L3 routing protocol peers

Presentation_ID


Cisco Public

102

Benefit 2: Scales System CapacityGroups resources together and activates all available bandwidth across redundant Cisco Catalyst 6500 switches

Enables standardsbased link aggregation for server NIC teaming, maximizing server bandwidthPresentation_ID


Cisco Public

103

Benefit 3: Boost Network AvailabilityInter-chassis Stateful Failover enables real time applications to continue without disruption

Etherchannel based link resiliency provides sub-second recovery Simplifies network designs reducing human error in network operationsPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

104

Recommended Literature

www.cisco.com/go/vss

www.cisco.com/go/supportVSS Troubleshooting Best Practices Migration from Standalone to VSS VSS Design Guides Whats New BulletinCisco Public

RMA Procedure VSS FAQ VSS White PaperPresentation_ID

Service Module Integration 2010 Cisco and/or its affiliates. All rights reserved.

105

Agenda Topics

Operational Management

Presentation_ID


Cisco Public

107


CiscoWorks LAN Management Solution SupportCiscoWorks LMS 3.0.1 supports VSS in the RME and CiscoView tool. CiscoView is designed to show the view of both Active and Hot Standby chassis side by side within one page.Each chassis is identified by a Each chassis is identified by a label indicating whether it is label indicating whether it is Active or Standby Active or Standby

Presentation_ID


Cisco Public

108

Operational ManagementMultiple console interfaces exist within a Virtual Switch Domain, but only the active switch console is enabled for command interaction

Virtual Switching System CLI

Virtual Switch Active

Switch1

Switch2

Virtual Switch Hot Standby

SWITCH CONSOLE OUTPUT vss#

---------------------- ----------------------------Mod Ports Card Type Model --- ----- -------------------------------------- -----------------1 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE 5 5 Supervisor Engine 720 10GE (Hot) WS-S720-10G 7 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX 8 24 CEF720 24 port 1000mb SFP WS-X6724-SFP vss#

show module switch 1 Switch Number: 1 Role:

Virtual Switch ActiveSerial No. ----------SAD074303JX SAD1047078P SAL0943435M SAL09158Y0L

---------------------- ----------------------------Mod Ports Card Type Model --- ----- -------------------------------------- -----------------1 8 CEF720 8 port 10GE with DFC WS-X6708-10GE 5 5 Supervisor Engine 720 10GE (Active) WS-S720-10G 7 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX 8 24 CEF720 24 port 1000mb SFP WS-X6724-SFP Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

sh module switch 2 Switch Number: 2

Role:

Virtual Switch StandbySerial No. ----------SAL1101D5EP SAD104306WW SAL09391NZM SAL09158ZZT

109


Single Point of Management: Slot/Port NumberingAfter conversion, port definitions for switches within the Virtual Switch Domain inherit the Chassis ID as part of their naming convention PORT NUMBERING: PORT NUMBERING:

Chassis-ID WILL ALWAYS be either a 1 or a 2VSS#show ip interface brief VSS#show ip interface brief Interface IP-Address Interface IP-Address Vlan1 unassigned Vlan1 unassigned Port-channel1 unassigned Port-channel1 unassigned Te1/1/1 10.1.1.1 Te1/1/1 10.1.1.1 Te1/1/2 192.168.1.2 Te1/1/2 192.168.1.2 Te1/1/3 unassigned Te1/1/3 unassigned Te1/1/4 unassigned Te1/1/4 unassigned GigabitEthernet1/2/1 10.10.10.1 GigabitEthernet1/2/1 10.10.10.1 GigabitEthernet1/2/2 10.10.11.1 GigabitEthernet1/2/2 10.10.11.1 GigabitEthernet2/1/1 unassigned GigabitEthernet2/1/1 unassigned GigabitEthernet2/1/2 unassigned GigabitEthernet2/1/2 unassigned GigabitEthernet2/1/3 unassigned GigabitEthernet2/1/3 unassigned Te2/1/4 unassigned Te2/1/4 unassigned Te2/1/5 unassigned Te2/1/5 unassigned Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

OK? OK? YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES YES

Method Method NVRAM NVRAM NVRAM NVRAM unset unset unset unset unset unset unset unset unset unset unset unset unset unset TFTP TFTP TFTP TFTP TFTP TFTP TFTP TFTPCisco Public

Status Status up up up up up up up up up up up up up up up up up up up up up up up up up up

Protocol Protocol up up up up up up up up up up up up up up up up up up up up up up up up up up110

Operational ManagementFile System NamingAfter the conversion to a Virtual Switching System, some of the File System naming conventions have changed to accommodate the new setup - an example of the new setup is shown belowe.g. OLD: disk0: NEW: sw1-slot5-disk0:

SWSLOTFILESYSTEM SWSLOTFILESYSTEM

Virtual Switch Domain

e.g. OLD: slavedisk0: NEW: sw2-slot5-disk0:

Active Supervisor - Slot 5

Switch1

Hot Standby Supervisor - Slot 5

Switch2

Presentation_ID


Cisco Public

111

Operational ManagementFile System NamingSome filenames have remained the same - others have changed some examples of file system names in a Virtual Switching System include the followingVirtual Switch

Standalone with Dual sup Standalone with Dual supdisk0: disk0: slavedisk0: slavedisk0: bootflash: bootflash: slavebootflash: slavebootflash: sup-bootdisk: sup-bootdisk: slavesup-bootdisk: slavesup-bootdisk: nvram: nvram: const_nvram: const_nvram:Presentation_ID

Virtual Switching System Virtual Switching Systemswslotdisk0: swslotdisk0: swslotdisk0: swslotdisk0: swslotbootflash: swslotbootflash: swslotbootflash: swslotbootflash: swslotsup-bootdisk: swslotsup-bootdisk: swslotsup-bootdisk: swslotsup-bootdisk: swslotnvram: swslotnvram: swslotconst_nvram: swslotconst_nvram:Cisco Public


112

Operational ManagementSNMP Support for VSSThe SNMP process for a VSS necessitates support for Puts and Gets across 2 physical chassis, changes to existing MIBs and support for a new MIBSNMP Server

SNMP Puts SNMP Modified SNMP Modified MIBs MIBs Switch 1 - Active

SNMP Gets Switch 2 Hot Standby

SNMP New SNMP NewMIBs MIBs

Virtual Switch Domain 2010 Cisco and/or its affiliates. All rights reserved.

SNMP Process Active

SNMP Process Inactive

Presentation_ID

Cisco Public

113


New Virtual Switching System MIBCISCO-VIRTUAL-SWITCH-MIB has been defined to support SNMP access to the Virtual Switching System Configuration - the following MIB variables are accessible to an SNMP managercvsGlobalObjects - Domain #, Switch #, Switch Mode cvsCoreSwitchConfig - Switch Priority and Preempt

CISCO-VIRTUAL-SWITCH-MIB CISCO-VIRTUAL-SWITCH-MIB

cvsChassisTable - Chassis Role and Uptime cvsVSLConnectionTable - VSL Port Count, Operational State cvsVSLStatsTable - Total Packets, Total Error Packets cvsVSLPortStatsTable - TX/RX Good, Bad, Bi-dir and Uni-dir Packets

This MIB will be the main vehicle though which Network Management stations access information relevant to the operation of the Virtual Switching SystemPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

114

Operational ManagementNetflow ExportWS-X6708-10GE-3C/3CXL and WS-X6716-10GE-3C/3CXL WS-X6708-10GE-3C/3CXL and WS-X6716-10GE-3C/3CXL has capability to perform direct export from the line card itself has capability to perform direct export from the line card itself Netflow Collector Netflow ExportVSS State : Active Netflow Collection: Active Netflow Export: Active VSS State : Hot Standby Netflow Collection: Active Netflow Export: In-Active

Netflow Data

VSL WS-X6708-10GE-3C/XLNetflow Data Netflow Collection: Active Netflow Export: ActivePresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Netflow Data

WS-X6748-GE-TX-3C/XLNetflow Data Netflow Collection: Active Netflow Export: In-Active115

Operational ManagementSPANIn a Virtual Switching System, the number of SPAN sessions is limited to what the VSS Active Supervisor can provide. SPAN capacity on the VSS Hot Standby is not factored into available SPAN sessionsSwitch 1 Supervisor Virtual Switch Domain Switch 2 Supervisor

VSL

VSS State : Active SPAN Management: Active Replication: Active

VSS State : Hot Standby SPAN Management: In-Active Replication: Active

Virtual Switching System is supported in 12(33)SXH1 which introduces the following SPAN capabilities per Virtual Switching System Domain TX SPAN Sessions 14 RX/Both SPAN Sessions 2 Total SPAN Sessions 16

Virtual Switch DomainPresentation_ID


Cisco Public

116


Setting the System-wide PFC ModeA NEW CLI has been implemented to allow the user to pre-configure the system PFC mode. Any DFC module that does not match the system PFC mode will not be powered up. This configuration will ensure a system runs in PFC3CXL mode and is not accidentally reverted to PFC3C mode

vss#conf t Enter configuration commands, one per line. End with CNTL/Z. vss(config)#platform hardware vsl pfc mode pfc3c vss(config)#^Z vss# vsssh platform hardware pfc mode PFC operating mode : PFC3C Configured PFC operating mode : PFC3C vss#Presentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

117

Agenda Topics

Quality of Service

Presentation_ID


Cisco Public

118

Quality of Service

Classification and PolicingBoth Classification and Policing functions are handled by PFC QoS, and is executed by either the PFC on the Active and Hot Standby Supervisor, or the ingress linecard DFC. There are 2 important caveats which must be understood whilst implementing these functions1

Policies can either be applied on L3 interfaces (SVIs or Physical interfaces), or Port Channels, or L2 interfaces*policy-map CLASSIFY class class-default set ip dscp 40 interface GigabitEthernet 2/3/48 switchport service-policy input CLASSIFY policy-map CLASSIFY class class-default set ip dscp 40 interface PortChannel 10 switchport service-policy input CLASSIFY

* Qos policies on L2 interfaces are supported beginning in 12.2(33)SXIPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Public

119

Quality of Service2

Classification and PolicingAggregate policers that are applied on SVIs or Port Channels that have interfaces distributed across multiple forwarding engines are subject to Distributed Policing caveats

policy-map POLICE policy-map POLICE class class-default class class-default police average 10000000 police average 10000000 Interface GigabitEthernet 1/2/10 Interface GigabitEthernet 1/2/10 channel-group 20 mode desireable channel-group 20 mode desireable Interface GigabitEthernet 2/2/10 Interface GigabitEthernet 2/2/10 channel-group 20 mode desireable channel-group 20 mode desireable interface PortChannel interface PortChannel service-policy input service-policy input 20 20 POLICE POLICE

Presentation_ID


Cisco Public

120

Quality of ServiceQoS on the VSLA few important aspects relating to VSL QoS are as follows: 1 VSLP and other Control frames are always marked as Priority packets and are 2 VSL is always configured as Trust CoS and hence ingress queuing isenabled 3 Service Policies are not supported on the VSL always queued and classified as such

4 CoS Maps, Thresholds and Queues on the VSL are not configurableVSLHTTP HTTP FTP FTP VSLP VSLP

Switch1

Switch2

Presentation_ID


Cisco Public

121

Agenda Topics

VSS & Service Module Integration

Presentation_ID


Cisco Public

122

VSS Hardware RequirementsService Module SupportModuleACE10/ACE 20-6500-K9 WS-SVC-FWSM-1-K9 WS-SVC-IDSM2-K9 WS-SVC-NAM-1 WS-SVC-NAM-2

DescriptionApplication Control Engine (ACE) Firewall Services Module (FWSM) Intrusion Detection System Services Module (IDSM-2) Network Analysis Module (NAM1) Network Analysis Module (NAM2)

VSS Minimum Software12.2(33)SXI 12.2(33)SXI 12.2(33)SXI 12.2(33)SXH1 12.2(33)SXI

Service Module Minimum SoftwareA2(1.2) 4.0(4) 6.0(2)E1 3.6(1a) 3.2.171.6

WS-SVC-WISM-1-K9Application Control Engine (ACE)

Wireless Services Module (WiSM)Firewall Services Module (FWSM)

Wireless Services Module (WiSM)

ACE10/ACE 20-6500-K9Network Analysis Module (NAM 1&2)

WS-SVC-FWM-1-K9

WS-SVC-WISM-1-K9 Intrusion Detection System Services Module (IDSM-2)

Presentation_ID

WS-SVC-NAM-1 WS-SVC-NAM-2


Cisco Public

WS-SVC-IDSM2-K9

123

VSS Service Module IntegrationFour standalone Service Modules are supported per VSS chassis (eight total service modules for the VSS)Service Module redirected traffic, state sync, and failover traffic.

VSL bandwidth considerationsVSL will carry traffic destined to the Service Modules under normal conditions. Design an appropriate number of links for the VSL

Presentation_ID


Cisco Public

124

FWSM & ACE Redundancy ModesFWSM & ACE Module HA Modes: Active-Standby per module, One of the service modules in a VSS system will be Active and another one will be standby.

Active-Standby Per Module

(VSS Active) Control Plane Active Data Plane Active Service Module1 Active Service Module2 StandbyPresentation_ID

Switch-1


(VSS Standby) Control Plane Hot Standby Data Plane Active Service Module1 Standby Service Module2 Active

Switch-2

VSL

Failover/State sync Vlan


Cisco Public

125

FWSM and ACE Redundancy ModelsFWSM & ACE Module HA Modes: Active-Active per context , both Service Modules are active and act as a back up for each other per context

Active-Active Per Context

(VSS Active) Control Plane Active Data Plane ActiveContext 1

Switch-1


(VSS Standby) Control Plane Hot Standby Data Plane ActiveContext 1

Switch-2

VSL

Failover/State sync Vlan

Service moduleContext 3

Context 2

Service moduleContext 3

Context 2

Context A

Context B

Service module activeContext CPresentation_ID 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Context A

Service module activeContext C

Context B

126

Hardware RequirementsService Modules Integration


Packet Flow: Based upon the neighbor devices ether-channel loadbalancing configuration, it is expected to have traffic transmitted across all interfaces of MEC

Switch1 (VSS Active) Supervisor Active Data Plane Active Service Module Active VSL

Switch2 (VSS Standby) Supervisor Hot Standby Data Plane Active Service Module Standby

Presentation_ID


Cisco Public

127



Packet Flow: ingress traffic will be redirected to the Active Service module of a context Therefore it is expected to have services traffic traversing VSL link.



Recommendation: Size the VSL link based on expected services bandwidth requirement.

Presentation_ID


Cisco Public

128



Packet Flow: ingress traffic will be redirected to the Active Service module of a context Therefore it is expected to have services traffic traversing VSL link.



Recommendation: Size the VSL link based on expected services bandwidth requirement.

Presentation_ID


Cisco Public

129

Hardware RequirementsService Modules IntegrationRecommendation: Service module stateful failover traffic should be considered for VSL capacity planning

Switch1 (VSS Active)


Switch2 (VSS Standby)

Control Plane Active Data Plane Active FWSM Service module

VSL

Control Plane Hot Standby Data Plane Active FWSM Service module

FWSM Fail FWSM State

Presentation_ID


1-2Gbps

Cisco Public

130

VSS Service Module Integration IDSM2 Service Module High Availability

IDSM2 does not support Active-Standby however more than one IDSM2 are supported in the same chassis of a Virtual Switching System. Traffic Load-balancing and failover among multiple IDSM2s can be achieved using an Etherchannel configuration.Switch-1 Virtual Switch Domain Switch-2

(VSS Active)

(VSS Standby)

Control Plane Active Data Plane Active IDSM Active IDSM Active

VSL

Control Plane Hot Standby Data Plane Active Line Card Active

Presentation_ID


Cisco Public

131

Similar to IDSM support available in Standalone Cat6500 system, Promiscuous, In-Line and On-A-Stick modes of operations are supported with VSS as well. If more than one IDSM is installed in a VSS system, etherchannel configuration can be leveraged to load-balance traffic across IDSMsSwitch-1(VSS Active)

VSS Service Module Integration IDSM2 Modes of Operation

Virtual Switch Domain Switch-2

(VSS Standby)

Control Plane Active Data Plane Active Data port IDSM Active Data port IDSM Active

VSL

Control Plane Hot Standby Data Plane Active

Line Card Active

Presentation_ID

Traffic is load-balanced across IDSMs can be achieved by configuring Data ports of two or more IDSMs are part of a porthannel 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

132

VSS Service Module Integration IDSM2 Integration: Packet Flow1

With Configuration of Multi Chassis EtherChannel traffic will be load-balanced across all uplink interfaces

Virtual Switch Domain Switch-1(VSS Active)

Switch-2

(VSS Standby)

Supervisor Active Data Plane Active IDSM Active Line Card

VSL

Supervisor Hot Standby

Data Plane Active Line Card Line Card

v

Presentation_ID


Cisco Public

133

2

VSS Service Module Integration IDSM2 Integration: Packet Flow

Traffic that needs special attention is copied to IDSM in hardware using Catalyst features such as SPAN ad VLAN capture

Virtual Switch DomainSwitch-1 (VSS Active) Switch-2 (VSS Standby)


VSL

Supervisor Hot Standby Data Plane Active Line Card Line Card

v

Presentation_ID


Cisco Public

134

3

VSS Service Module Integration IDSM2 Integration: Packet Flow

Traffic is processed by the IDSM and decision is made to either forward or drop the packets or generate TCN RST to break the connection .



VSL

Supervisor Hot Standby Data Plane Active Line Card Line Card

v

Presentation_ID


Cisco Public

135

VSS Service Module Integration WiSM Integration

WiSM in VSS works same as in standalone , for redundancy purpose it is recommended to place a WiSM in each chassis .


Supervisor Active Data Plane Active WiSM Active Line Card

VSL

Supervisor Hot Standby Data Plane Active WiSM Standby Line Card

v

Presentation_ID


Cisco Public

136

VSS Service Module Integration WiSM Integration

Similar to packet flow of other service modules described in the previous slides, traffic that is arrived on switch-2 will traverse the VSL link


Supervisor Active Data Plane Active WiSM Active Line Card

VSL

Supervisor Hot Standby Data Plane Active WiSM Standby Line Card

v

Presentation_ID


Cisco Public

1

cisco live - vss breakout session - brkcrs-3468

Documents