Content
What is VSS
Advantages of VSS
Deployment areas for VSS
VSS Terminology
o Virtual Switch Domain
o Switch Identifier
o Virtual Switch Link (VSL)
Link Management Protocol (LMP)
What is Control Link
LMP Heart Beat
Role Resolution Protocol
What happens when you create VSS or reload both the chassis
What is Capacity Planning for the VSL Bundle
o Is additional capacity planning for VSL links required
Redundancy and software upgrade of VSS
o Can we have redundant supervisor modules within a single chassis for VSS
How are the in-chassis active (ICA) and in-chassis standby (ICS) elected
o What happens when the Active VSS Chassis fails
o What happens if the VSL link fails or what is dual-active scenario
o What is Route Processor Redundancy (RPR)
o What is Route Processor Redundancy+ (RPR+)
o What is meant by (Stateful Switch Over) SSO
o What is Non Stop Forwarding (NSF) with Stateful Switch Over (SSO)
o What is Fast Software Upgrade (FSU) of a VSS
o What is Enhanced Fast Software Upgrade (eFSU) of a VSS
STP Operation with VSS
o BPDU
o Root Switch
o Loop Guard
o Port Fast on Trunks
o PortFast and BPDU Guard
o BPDU Filter
VSS Hardware Requirements - Chassis and Modules
What is VSS
Virtual Switching System (VSS) is a method to combine two physical switches into one logical switch to
achieve physical redundancy, Spanning-Tree blocking elimination, and increased bandwidth. VSS was
first available in Cisco 6500 but it has recently been introduced to Cisco 4500 and 4500X.
Advantages of VSS
Loop-free topology with the use of MEC and unified control plane
CiscoWorks LAN Management System (LMS) 3.0 can be used to centrally manage a Cisco
Catalyst 6500 virtual switch as a single entity.
VSS increases operational efficiency by simplifying the network, reducing switch management
overhead by at least 50 percent.
VSS eliminates L2/L3 protocol reconvergence if a virtual switch member fails, resulting in
deterministic subsecond virtual switch recovery.
Eliminating unicast flooding caused by asymmetrical routing in traditional campus designs.
Elimination of FHRP Configuration - default gateway is now replaced by a single logical node
where the interface VLAN IP address is available in both the physical chassis.
VSS Terminology
Virtual Switch Domain - A unique domain ID identifies two switches that are intended to be part
of the same VSS pair that defines the VSS domain. The domain ID can have a value ranging from
1 to 255 and must be unique when multiple VSS pairs are connected together.
Switch Identifier - A VSS comprises a pair of physical switches and requires a switch ID to
identify each chassis with a unique number. The switch ID can be either 1 or 2 and must be
unique on each member chassis. This number is used as part of the interface naming to ensure
that the interface name remains the same regardless of the virtual switch role (active or
hot-standby switch).
Virtual Switch Link (VSL) - The VSL serves as a logical connection that carries critical system
control information such as hot-standby supervisor programming, line card status, Distributed
Forwarding Card (DFC) card programming, system management, diagnostics, and more. The VSL
link is treated as a systems control link and encapsulates all traffic into a special system header
called the Virtual Switch Header (VSH). VSL link initialization and maintenance are done through
the VSL Protocol (VSLP) framework, which consists of two protocols: Link Management Protocol
(LMP) and Role Resolution Protocol (RRP). LMP manages link integrity, while RRP determines
the role of each switch member in the virtual switch domain.
Role Resolution Protocol - The RRP protocol is used to determine the SSO role (active,
hot-standby, or RPR), and to negotiate switch priority and preemption of the virtual switch. RRP
also checks the software version on each switch, which must be the same in order to
form a VSS. The RRP protocol is initialized once Link Management Protocol (LMP) is fully
established on at least one VSL port. The LMP control link is selected by the RRP protocol to
negotiate the SSO role and switch priority. Each switch member forms a local RRP peer
group instance and communicates over the control link of the VSL bundle instead of
running on every VSL link.
What happens when you create VSS or reload both the chassis
When you create or restart a VSS, the peer chassis negotiate their roles. One chassis becomes the VSS
active chassis, and the other chassis becomes the VSS standby. The VSS active chassis controls the VSS. It
runs the Layer 2 and Layer 3 control protocols for the switching modules on both chassis. The VSS active
chassis also provides management functions for the VSS, such as module online insertion and removal
(OIR) and the console interface.
The VSS active and VSS standby chassis perform packet forwarding for ingress data traffic on their locally
hosted interfaces. However, the VSS standby chassis sends all control traffic to the VSS active chassis for
processing.
Designing the network with single-homed devices connectivity (no MEC) will force at least half
of the downstream traffic to flow over the VSL link.
Remote SPAN from one switch member to other.
If the VSS is carrying the services hardware, such as FWSM, WiSM, IDS, and so on, then all traffic
that is intended to pass via the services blades may be carried over the VSL.
Can we have redundant supervisor modules within a single chassis for VSS
With VS4O the VSS is configured with two supervisor modules per chassis. The second supervisor
module within the chassis can be described as an in-chassis standby supervisor (ICS) and the active one
is called the in-chassis active supervisor (ICA). Within each local chassis the two supervisor modules use
Stateful Switchover (SSO) technology to establish an SSO active and SSO standby hot control plane
redundancy relationship.
How are the in-chassis active (ICA) and in-chassis standby (ICS) elected
During a normal bootup sequence, the supervisor module in the lowest slot number will become the
ICA. If a supervisor module is inserted after a previous supervisor module has already established itself
as the ICA, then the second supervisor module will assume the ICS role.
operational, both chassis are now VSS active. This situation is called a dual-active scenario. The VSS must
detect a dual-active scenario and take recovery action or it can have adverse effects on network
stability, because both chassis use the same IP addresses, SSH keys, and STP bridge ID.
Three ways in which you can detect a dual-active scenario:
Enhanced PAgP
IP Bidirectional Forwarding Detection
Dual-active fast hellos
What is Non Stop Forwarding (NSF) with Stateful Switch Over (SSO)
NSF works in conjunction with SSO to help ensure Layer 3 integrity following a switchover. It allows a
router experiencing the failure of an active supervisor to continue forwarding data packets along known
routes while the routing protocol information is recovered and validated. Data-plane forwarding can
continue to occur even though peering arrangements with neighbor routers have been lost on the
restarting router. The main purpose of NSF is to continue forwarding IP packets following a supervisor
engine switchover. Cisco NSF is supported by the BGP, OSPF, EIGRP, and IS-IS protocols for routing and is
supported by Cisco Express Forwarding (CEF) for forwarding. Cisco NSF always runs with SSO and
provides redundancy for Layer 3 traffic. NSF works with SSO to minimize the amount of time that a
network is unavailable to its users following a switchover.
What is Fast Software Upgrade (FSU) of a VSS
The FSU of a VSS is similar to the RPR-based standalone chassis. While the standalone chassis upgrade is
initiated by reloading the standby supervisor engine, the VSS upgrade is initiated by reloading the
standby chassis. During the FSU procedure, a software version mismatch between the active and the
standby chassis causes the system to boot in RPR redundancy mode, which is stateless and causes a
hard reset of all the modules. As a result, the FSU procedure requires system downtime corresponding
to the RPR switchover time.
BPDU - The active switch is responsible for generating the BPDU. The source MAC address of
every BPDU frame is derived from a line card upon which the STP port (MEC) is terminated. This
source MAC address can change dynamically due to a node/line or card/port failure. However,
this failure does not cause STP topology recomputation in the network because the network is
loop-free and the STP bridge-ID/priority remains the same.
Root Switch - The root of the STP should always be the VSS. Use Root Guard on the VSS links
that face access-layer switches.
Loop Guard - The VSS-enabled design with MEC does not offer a looped topology to the STP
protocol. As a result, Loop Guard might not be a particularly useful feature in the VSS-enabled
network because all ports are forwarding and none are blocking.
Port Fast on Trunks - In the VSS-enabled design, the use of the port-fast capability on trunks is
safe because VSS topologies are inherently loop free, thereby eliminating the possibility of
temporary loops being created by port-fast feature on a trunk.
PortFast and BPDU Guard - It is critically important to keep the edge port from participating in
the STP.
BPDU Filter - The improper use of the BPDU Filter feature can cause loops in the network. Just
as in a traditional multilayer design, avoid using BPDU filtering in VSS-enabled network. Instead,
use BPDU Guard.
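The STP guidance above can be checked against a switch configuration. The following is an added example, not part of the original document or any Cisco tooling: it flags BPDU Filter on interfaces, PortFast access ports left without BPDU Guard, and trunks without Root Guard. The sample config, the function names stanzas and audit, the finding labels, and the assumption that every Layer 2 trunk on the VSS faces the access layer are all constructed for illustration.

```python
# Constructed sample (not from the page); interface names are made up.
SAMPLE = """\
spanning-tree portfast bpduguard default
interface Port-channel20
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree guard root
interface Port-channel30
 switchport mode trunk
interface GigabitEthernet1/2/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/2/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet2/2/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
"""

def stanzas(config):
    """Map each top-level line to the indented sub-commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() and not line.startswith((" ", "!")):
            current = out.setdefault(line.strip(), [])
    return out

def audit(config):
    st, findings = stanzas(config), []
    # The global default applies BPDU Guard to every PortFast port.
    guard_default = "spanning-tree portfast bpduguard default" in st
    ports = {n.split(None, 1)[1]: c for n, c in st.items() if n.startswith("interface ")}
    for port, cmds in ports.items():
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((port, "bpdu-filter"))
        edge = "switchport mode access" in cmds and "spanning-tree portfast" in cmds
        # A per-port "disable" overrides the global default.
        guarded = "spanning-tree bpduguard enable" in cmds or (
            guard_default and "spanning-tree bpduguard disable" not in cmds)
        if edge and not guarded:
            findings.append((port, "edge-without-bpdu-guard"))
        # Assumption: every Layer 2 trunk on this VSS faces the access layer.
        if "switchport mode trunk" in cmds and "spanning-tree guard root" not in cmds:
            findings.append((port, "trunk-without-root-guard"))
    return findings
```

PortFast on a trunk (Port-channel20) is deliberately not flagged, matching the statement above that it is safe in a loop-free VSS topology.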
Table 4-1 describes the hardware requirements for the VSS chassis and modules.
Table 4-1 VSS Hardware Requirements
Chassis - Requirements: The VSS is available on chassis that support VS-S720-10G supervisor
engines and WS-X6708-10G switching modules. Note: The two chassis need not be identical.
Supervisor Engines - Requirements: The VSS requires Supervisor Engine 720 with 10-Gigabit
Ethernet ports. You must use either two VS-S720-10G-3C or two VS-S720-10G-3CXL supervisor
engine modules. The two supervisor engines must match exactly.
Switching Modules - Count: 2+. Requirements:
WS-X6708-10G-3C or WS-X6708-10G-3CXL
WS-X6716-10G-3C or WS-X6716-10G-3CXL
WS-X6716-10T-3C or WS-X6716-10T-3CXL