
VSS Virtual Switching Systems

Content

What is VSS
Advantages of VSS
Deployment areas for VSS
VSS Terminology
o Virtual Switch Domain
o Switch Identifier
o Virtual Switch Link (VSL)
Link Management Protocol (LMP)
What is Control Link
LMP Heart Beat
Role Resolution Protocol
What happens when you create VSS or reload both the chassis
What is Capacity Planning for the VSL Bundle
o Is additional capacity planning for VSL links required
Redundancy and software upgrade of VSS
o Can we have redundant supervisor modules within a single chassis for VSS
How are the in-chassis active (ICA) and in-chassis standby (ICS) elected
o What happens when the Active VSS Chassis fails
o What happens if the VSL link fails or what is dual-active scenario
o What is Route Processor Redundancy (RPR)
o What is Route Processor Redundancy+ (RPR+)
o What is meant by (Stateful Switch Over) SSO
o What is Non Stop Forwarding (NSF) with Stateful Switch Over (SSO)
o What is Fast Software Upgrade (FSU) of a VSS
o What is Enhanced Fast Software Upgrade (eFSU) of a VSS
STP Operation with VSS
o BPDU
o Root Switch
o Loop Guard
o Port Fast on Trunks
o PortFast and BPDU Guard
o BPDU Filter
VSS Hardware Requirements - Chassis and Modules

What is VSS
Virtual Switching System (VSS) is a method to combine two physical switches into one logical switch to
achieve physical redundancy, Spanning-Tree blocking elimination, and increased bandwidth. VSS was
first available in Cisco 6500 but it has recently been introduced to Cisco 4500 and 4500X.

Advantages of VSS

Loop-free topology with the use of MEC and unified control plane
CiscoWorks LAN Management System (LMS) 3.0 can be used to centrally manage a Cisco
Catalyst 6500 virtual switch as a single entity.
VSS increases operational efficiency by simplifying the network, reducing switch management
overhead by at least 50 percent.
VSS eliminates L2/L3 protocol reconvergence if a virtual switch member fails, resulting in
deterministic subsecond virtual switch recovery.
Eliminating unicast flooding caused by asymmetrical routing in traditional campus designs.
Elimination of FHRP Configuration - default gateway is now replaced by a single logical node
where the interface VLAN IP address is available in both the physical chassis.

Deployment areas for VSS

Campus or data center core/distribution layer


Data center access (server connectivity)

VSS Terminology

Virtual Switch Domain - A unique domain ID identifies two switches that are intended to be part
of the same VSS pair that defines the VSS domain. The domain ID can have a value ranging from
1 to 255 and must be unique when multiple VSS pairs are connected together.

Switch Identifier - A VSS comprises a pair of physical switches and requires a switch ID to
identify each chassis with a unique number. The switch ID can be either 1 or 2 and must be
unique on each member chassis. This number is used as part of the interface naming to ensure
that the interface name remains the same regardless of the virtual switch role (active or hot-standby switch).

Virtual Switch Link (VSL) - The VSL serves as a logical connection that carries critical system
control information such as hot-standby supervisor programming, line card status, Distributed
Forwarding Card (DFC) card programming, system management, diagnostics, and more. The VSL
link is treated as a systems control link and encapsulates all traffic into a special system header
called the Virtual Switch Header (VSH). VSL link initialization and maintenance are done through
the VSL Protocol (VSLP) framework, which consists of two protocols: Link Management Protocol
(LMP) and Role Resolution Protocol (RRP). LMP manages link integrity, while RRP determines
the role of each switch member in the virtual switch domain.

Link Management Protocol (LMP) - LMP operates independently on each member
switch in the same Virtual Switch Domain (VSD). When all VSL interfaces are down, LMP
destroys the peer group and notifies RRP to take an appropriate action. The active switch
will detach all the interfaces associated with the hot-standby switch. At the same time,
the hot-standby switch performs switchover, assumes the active role, and detaches all
interfaces associated with the previously active switch. During the bootup process, the
first VSL link that establishes an LMP relationship (state machine) will be selected as the
control link.

What is Control Link - The VSL bundle is a special-purpose EtherChannel that can
have up to eight members. Only one link out of the configured members is
selected as the control link, and that control link is the only link that can carry
the inter-chassis control plane. The control link carries the inter-switch External
Out-of-Band Channel (EOBC) control traffic that includes the Switch Control
Packet (SCP) for line card communication, Inter-process Communication Packets
(IPC), and Inter-Card Communication (ICC) for communicating the protocol
database and state as well as updates to the hot-standby supervisor.

LMP Heart Beat - The LMP heart beat, also referred to as the LMP hello timer,
plays a key role in maintaining the integrity of VSS by checking peer switch
availability and connectivity. Both VSS members execute independent,
deterministic SSO switchover actions if they fail to detect the LMP hello
message within configured hold-timer settings on the last bundled VSL link.

Role Resolution Protocol - RRP is used to determine the SSO role (active, hot-standby, or RPR),
and to negotiate switch priority and preemption of the virtual switch. RRP
also checks the software version on each switch, which must be the same in order to
form a VSS. RRP is initialized once Link Management Protocol (LMP) is fully
established on at least one VSL port. The LMP control link is selected by RRP to
negotiate the SSO role and switch priority. Each switch member forms a local RRP peer
group instance and communicates over the control link of the VSL bundle instead of
running on every VSL link.

What happens when you create VSS or reload both the chassis
When you create or restart a VSS, the peer chassis negotiate their roles. One chassis becomes the VSS
active chassis, and the other chassis becomes the VSS standby. The VSS active chassis controls the VSS. It
runs the Layer 2 and Layer 3 control protocols for the switching modules on both chassis. The VSS active
chassis also provides management functions for the VSS, such as module online insertion and removal
(OIR) and the console interface.
The VSS active and VSS standby chassis perform packet forwarding for ingress data traffic on their locally
hosted interfaces. However, the VSS standby chassis sends all control traffic to the VSS active chassis for
processing.

What is Capacity Planning for the VSL Bundle


Under normal conditions, the traffic load over the VSL bundle consists of network control-plane and
inter-chassis control-plane traffic. Both types of traffic load are very light and are
sent with strict priority. Capacity planning and link sizing for VSS is almost identical to a traditional
multilayer design in which the link(s) between two nodes should be able to carry traffic load equivalent
to the planned capacity during failure conditions:
Failure of all uplinks connected to a member of VSS to the core. In this failure, all upstream traffic
traverses the VSL bundle.
Failure of all downstream link(s) to access-layer switches from one switch member. In this failure, all
downstream and the inter-access traffic traverses the VSL bundle.
The minimum VSL bundle bandwidth should be at least equal to the uplinks connected to a single physical switch.
Additional capacity planning for VSL links is required due to the following considerations:

Designing the network with single-homed devices connectivity (no MEC) will force at least half
of the downstream traffic to flow over the VSL link.
Remote SPAN from one switch member to other.
If the VSS is carrying the services hardware, such as FWSM, WiSM, IDS, and so on, then all traffic
that is intended to pass via the services blades may be carried over the VSL.

Redundancy and software upgrade of VSS

Can we have redundant supervisor modules within a single chassis for VSS
With VS4O, the VSS is configured with two supervisor modules per chassis. The second supervisor
module within the chassis can be described as an in-chassis standby supervisor (ICS) and the active one
is called the in-chassis active supervisor (ICA). Within each local chassis the two supervisor modules use
Stateful Switchover (SSO) technology to establish an SSO active and SSO standby hot control plane
redundancy relationship.

How are the in-chassis active (ICA) and in-chassis standby (ICS) elected

During a normal bootup sequence, the supervisor module in the lowest slot number will become the
ICA. If a supervisor module is inserted after a previous supervisor module has already established itself
as the ICA, then the second supervisor module will assume the ICS role.

What happens when the Active VSS Chassis fails


The VSS standby chassis monitors the VSS active chassis using the VSL. If it detects failure, the VSS
standby chassis initiates a switchover and takes on the VSS active role. When the failed chassis recovers,
it takes on the VSS standby role.

What happens if the VSL link fails or what is dual-active scenario


If the VSL fails, the VSS standby chassis cannot determine the state of the VSS active chassis. To ensure
that switchover occurs without delay, the VSS standby chassis assumes the VSS active chassis has failed
and initiates switchover to take over the VSS active role. If the original VSS active chassis is still
operational, both chassis are now VSS active. This situation is called a dual-active scenario. The VSS must
detect a dual-active scenario and take recovery action, or it can have adverse effects on network
stability, because both chassis use the same IP addresses, SSH keys, and STP bridge ID.
There are three ways to detect a dual-active scenario:

Enhanced PAgP
IP Bidirectional Forwarding Detection
Dual-active fast hellos

What is Route Processor Redundancy (RPR)


If a VSS does not meet the requirements for SSO redundancy, the VSS will use route processor
redundancy (RPR). In RPR mode, the VSS active supervisor engine does not synchronize configuration
changes or state information with the VSS standby. The VSS standby supervisor engine is only partially
initialized and the switching modules on the VSS standby supervisor are not powered up. If a switchover
occurs, the VSS standby supervisor engine completes its initialization and powers up the switching
modules. Traffic is disrupted for the normal reboot time of the chassis. The RPR switchover time is 1 or
more minutes.

What is Route Processor Redundancy+ (RPR+)


RPR+ is an enhancement to RPR in which the standby supervisor is completely booted and line cards do
not reload upon switchover. The running configuration is synchronized between the active and the
standby supervisors. The RPR+ switchover time is 30 or more seconds.

What is meant by (Stateful Switch Over) SSO


SSO expands the RPR+ capabilities to provide transparent failover of certain Layer 2 protocols and
certain Cisco IOS Software applications when a supervisor switchover occurs. SSO technology is
essentially a group of Cisco IOS Software processes that provide for supervisor module redundancy. The
VSS uses a dedicated physical link, called the Virtual Switch Link (VSL), between the two chassis to
synchronize the supervisor modules in each chassis. VS4O enables the supervisor module to maintain
two different redundancy relationships: one primary redundancy relationship, which is always across
chassis and is maintained for the overall VSS, and a secondary redundancy relationship maintained
within the local chassis.

What is Non Stop Forwarding (NSF) with Stateful Switch Over (SSO)
NSF works in conjunction with SSO to help ensure Layer 3 integrity following a switchover. It allows a
router experiencing the failure of an active supervisor to continue forwarding data packets along known
routes while the routing protocol information is recovered and validated. Data-plane forwarding can
continue to occur even though peering arrangements with neighbor routers have been lost on the
restarting router. The main purpose of NSF is to continue forwarding IP packets following a supervisor
engine switchover. Cisco NSF is supported by the BGP, OSPF, EIGRP, and IS-IS protocols for routing and is
supported by Cisco Express Forwarding (CEF) for forwarding. Cisco NSF always runs with SSO and
provides redundancy for Layer 3 traffic. NSF works with SSO to minimize the amount of time that a
network is unavailable to its users following a switchover.
What is Fast Software Upgrade (FSU) of a VSS
The FSU of a VSS is similar to the RPR-based standalone chassis. While the standalone chassis upgrade is
initiated by reloading the standby supervisor engine, the VSS upgrade is initiated by reloading the
standby chassis. During the FSU procedure, a software version mismatch between the active and the
standby chassis causes the system to boot in RPR redundancy mode, which is stateless and causes a
hard reset of all the modules. As a result, the FSU procedure requires system downtime corresponding
to the RPR switchover time.

What is Enhanced Fast Software Upgrade (eFSU) of a VSS


eFSU is an enhanced software upgrade procedure. eFSU enables an increase in network availability by
reducing the downtime caused by software upgrades. During an eFSU, the VSS standby chassis,
including the supervisor engine and modules, is upgraded and brought up in a stateful switchover (SSO)
mode. The eFSU process then forces a switchover and performs the same upgrade on the other chassis,
which becomes the new VSS standby.

STP Operation with VSS


One of the benefits of a VSS-based design is that it allows STP to be active in the entire Layer-2 domain.
The VSS simply offers a loop-free topology to STP.

BPDU - The active switch is responsible for generating the BPDU. The source MAC address of
every BPDU frame is derived from a line card upon which the STP port (MEC) is terminated. This
source MAC address can change dynamically due to a node/line or card/port failure. However,
this failure does not cause STP topology recomputation in the network because the network is
loop-free and the STP bridge-ID/priority remains the same.
Root Switch - The root of the STP should always be the VSS. Use Root Guard on the VSS links
that face access-layer switches.
Loop Guard - The VSS-enabled design with MEC does not offer a looped topology to the STP
protocol. As a result, Loop Guard might not be a particularly useful feature in the VSS-enabled
network because all ports are forwarding and none are blocking.
Port Fast on Trunks - In the VSS-enabled design, the use of the port-fast capability on trunks is
safe because VSS topologies are inherently loop free, thereby eliminating the possibility of
temporary loops being created by the port-fast feature on a trunk.
PortFast and BPDU Guard - It is critically important to keep the edge port from participating in
the STP.
BPDU Filter - The improper use of the BPDU Filter feature can cause loops in the network. Just
as in a traditional multilayer design, avoid using BPDU filtering in a VSS-enabled network. Instead,
use BPDU Guard.
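
An added example, not part of the original page or of any Cisco tooling: a small Python audit that checks an IOS-style configuration against the STP guidance above (no BPDU Filter, BPDU Guard on PortFast edge ports, Root Guard on access-facing links). The sample configuration and interface names are constructed, and the script assumes every trunked Port-channel is a VSS-facing access-layer MEC.

```python
# Constructed IOS-style config for illustration; interface names are made up.
SAMPLE = """\
interface Port-channel20
 switchport mode trunk
 spanning-tree guard root
interface Port-channel21
 switchport mode trunk
interface GigabitEthernet1/2/1
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet2/2/7
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet2/2/8
 spanning-tree portfast
"""

def parse_config(config):
    """Split a config into {interface: [sub-commands]} and global lines."""
    interfaces, global_lines, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.strip() not in ("", "!"):
            current = None
            global_lines.append(line.strip())
    return interfaces, global_lines

def audit_stp(config):
    """Return (where, finding) tuples for deviations from the STP guidance."""
    interfaces, global_lines = parse_config(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    if "spanning-tree portfast bpdufilter default" in global_lines:
        findings.append(("global", "BPDU Filter enabled by default"))
    for name, cmds in interfaces.items():
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "BPDU Filter in use; use BPDU Guard instead"))
        edge = any(c.startswith("spanning-tree portfast") and "trunk" not in c for c in cmds)
        if edge and not guard_default and "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "PortFast edge port without BPDU Guard"))
        # Assumption: every trunked Port-channel is an access-facing MEC.
        mec = name.startswith("Port-channel") and "switchport mode trunk" in cmds
        if mec and "spanning-tree guard root" not in cmds:
            findings.append((name, "access-facing trunk without Root Guard"))
    return findings
```

Calling `audit_stp(SAMPLE)` returns one finding for Port-channel21, two for GigabitEthernet2/2/7 and one for GigabitEthernet2/2/8; PortFast on a trunk is deliberately not flagged, in line with the guidance above.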

VSS Hardware Requirements - Chassis and Modules

Table 4-1 describes the hardware requirements for the VSS chassis and modules.

VSS Hardware Requirements

Hardware | Count | Requirements
Chassis | | The VSS is available on chassis that support VS-S720-10G supervisor engines and WS-X6708-10G switching modules. Note: The two chassis need not be identical.
Supervisor Engines | | The VSS requires Supervisor Engine 720 with 10-Gigabit Ethernet ports. You must use either two VS-S720-10G-3C or two VS-S720-10G-3CXL supervisor engine modules. The two supervisor engines must match exactly.
Switching Modules | 2+ | The VSS requires 67xx series switching modules. The VSS does not support classic, CEF256, or dCEF256 switching modules. In virtual switch mode, unsupported switching modules remain powered off.

VSL Hardware Requirements


The VSL EtherChannel supports only 10-Gigabit Ethernet ports. The 10-Gigabit Ethernet port can be
located on the supervisor engine module or on one of the following switching modules:

WS-X6708-10G-3C or WS-X6708-10G-3CXL

WS-X6716-10G-3C or WS-X6716-10G-3CXL

WS-X6716-10T-3C or WS-X6716-10T-3CXL
