4500-X VSS question

tahscolony
Level 1

I have configured a pair of 4500-X switches with VSS and a separate port channel. The VSS is over 2 1 GB copper links, the other port channel is over 2 10 GB fiber links. How do I dedicate the VSS link to just VSS traffic and have all the rest of the traffic use the 10 Gb links, or does it do that automagically?

Reza Sharifi
Hall of Fame

Not sure if I understand your question, but if you are referring to VSL link, all you need is 2 10Gig interfaces between the 2 switches configured with 2 different Portchannel Ids.

HTH

Basically I want to separate VSS from the rest.  I want the 2 1GB links to only be used for VSS traffic, and all other traffic use the 10 GB links.  Back when we were first researching these switches, it was stated to use 1 1GB for VSS and 2 10GB for the trunks, but I can't seem to find that document now that I actually have the switches.

I found the doc I was referring to. https://heggel4.wordpress.com/2014/11/18/vss-on-cisco-4500-x/

"The VSS switches are connected by a VSL (Virtual Switch Link), which is normally built as an etherchannel. The VSL serves as logical connection that carries critical system control information such as hot-standby supervisor programming, line card status, Distributed Forwarding Card (DFC) card programming, system management, diagnostics, and more. In addition, VSL is also capable of carrying user data traffic when necessary."

So from reading that, the links used, whether it is a single 1GB link or an Etherchannel of two 1GB links, then only the VSL traffic is passed, so my two 10GB links should pass the user data, and the VSL may pass some user data if the 10GB becomes saturated.

Not sure what you are referring to when you say "VSS traffic" and "1GB for VSS and 2 10GB for the trunks".  The technology is called VSS which includes both switches.

Now, the connectivity between the 2 switches is called VSL link. For this connectivity, it is recommended to use 2 10Gig links, but you can also use 1Gig links.

All Access switches and trunk ports will connect to both switches (VSS).

I edited my above post with the information I was going off of, I found the link I used. There is some misinformation on it though, one person asked if you can use the same port channel on both switches, and he answered yes, but in reality it is no. Since these are two individual switches linked as one, you need two port channels, one for each physical switch in order for them to pass traffic between them.  If configuring MEC, then both switches can use the same port channel for those links, so a bit misleading.

However, back to my OP, it appears that traffic is going over both, the VSL shows 34-44K of traffic, the 10GB LACP is showing 6K of traffic. These are in a lab at the moment so no real traffic other than OSPF hellos and BGP hellos are passing. Looks like, without a Wireshark to verify, that the answer is yes, VSL traffic is over the virtual switch links, and everything else over the LACP.

Which would be better, PAGP or LACP for this?  They are going to a colo with a pair of ASR 1K connected to them, and some trunks elsewhere, but not to other switches. These will be strictly Layer2 switches. Most of the traffic will be between the upstream trunk and the connected router, but if the link on the router fails, need to be able to send 10GB to the other switch to the other router. They will also load balance.

Hi Tahscolony -

Reza and Jon are correct in their confusion.

I read the article you linked to.  Unfortunately VSS doesn't work the way that you think it works.  You are building your VSS upside down.  The "Dual Active Detection" that is discussed in the article is a new VSS feature and requires a separate link, a heartbeat link if you will.  This link does not carry any VLAN traffic at all.

You need to think of the VSL as effectively a stack link. (And being a stack link means it should have as much bandwidth as you can reasonably give it (normally 2x10Gb links).)  Not only does it carry replication traffic between the supervisors, but it also MUST carry normal VLAN traffic.  Now, that isn't to say that VSS isn't smart about the traffic carried over the VSL.  It does have traffic avoidance mechanisms.

Your proposed configuration of setting up a secondary link between the switches with a port channel will result in a Spanning Tree loop, and STP will put one of the interfaces in blocking state.

PSC

Yep, nailed it

 spanning-tree blockedports

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001             Po2
VLAN0510             Po2
VLAN0516             Po2
VLAN0520             Po2
VLAN0521             Po2
VLAN0522             Po2
VLAN0523             Po2
VLAN0526             Po2
VLAN0530             Po2
VLAN0564             Po2

Number of blocked ports (segments) in the system : 10

OK, that settles it then, doesn't work the way I imagined it does. I believe I am thinking of how Nexus works, and thinking this works the same way. 

So looks like just making them individual switches and a port channel between them is a better solution than this, or just ditch the 1GB sfp for the 10GB sfp and clear the configuration off the other interfaces.
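A small parser for the blockedports output pasted in the post above, as an added example that is not part of the original thread: it groups blocked VLANs by interface, cross-checks the switch's own segment count, and lists port-channels that STP is blocking on every listed VLAN, which is the symptom of a parallel link beside the VSL. The function names and the "blocked on every listed VLAN" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Output copied from the post above.
SAMPLE = """\
Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001             Po2
VLAN0510             Po2
VLAN0516             Po2
VLAN0520             Po2
VLAN0521             Po2
VLAN0522             Po2
VLAN0523             Po2
VLAN0526             Po2
VLAN0530             Po2
VLAN0564             Po2

Number of blocked ports (segments) in the system : 10
"""

ROW = re.compile(r"^VLAN(\d+)\s+(\S.*)$")
TOTAL = re.compile(r"^Number of blocked ports \(segments\) in the system\s*:\s*(\d+)")

def parse_blockedports(text):
    """Return ({interface: [vlan, ...]}, count reported by the switch)."""
    blocked, reported = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        row, total = ROW.match(line), TOTAL.match(line)
        if row:
            # A VLAN row may list several interfaces separated by commas.
            for iface in re.split(r"[,\s]+", row.group(2).strip()):
                blocked[iface].append(int(row.group(1)))
        elif total:
            reported = int(total.group(1))
    return dict(blocked), reported

def idle_port_channels(blocked, reported):
    """Port-channels blocked on every VLAN that has any blocked port."""
    parsed = sum(len(vlans) for vlans in blocked.values())
    if reported is not None and parsed != reported:
        raise ValueError(f"parsed {parsed} segments, switch reported {reported}")
    every_vlan = {v for vlans in blocked.values() for v in vlans}
    return sorted(i for i, vlans in blocked.items()
                  if i.startswith("Po") and set(vlans) == every_vlan)

if __name__ == "__main__":
    by_iface, count = parse_blockedports(SAMPLE)
    print(idle_port_channels(by_iface, count))
```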

Hi -

Don't get me wrong, I think that VSS is a good thing, even with your asymmetric connection of your ASR.  It will allow you to do MEC, much like vPC.  If you have 2 or more switches in your DC that are connected this way, the traffic will be locally switched on the VSS member it arrives on and pushed to a link on the same switch if possible.  The primary traffic that will be crossing the VSL will be your WAN traffic.  VSS is likely still the right solution for you.  Just use the 2x10Gb for your VSL and everything will be good.

PSC

I just flipped the SFPs and removed the other configurations. If I need to add more bandwidth I can just add two more 10GB sfps. I have been watching them and since we only have 11GB max going through both routers, that 20GB VSL should work fine.  I just got them confused with Nexus.  IIRC that is how I had set up a pair of 5K's with ASA 5515X, 3750 stacks, and USC chassis. One link was the virtual connection between them, the rest were the etherchannels. That was 2 years ago though, so fuzzy memory. :)

The new setup will work just fine.

Agree with Reza, not clear what you mean.

It sounds like what you are saying is you want a VSL with 2 x 1Gbps and then a separate 2 x 10Gbps between the two chassis for user traffic but you don't do it this way.

VSS is designed to keep traffic local so the VSL should not be used for user traffic.

Only if you are connecting devices to one or other of the chassis would you need to worry about this and you should not be doing that, i.e. each device should be connected to both chassis in the VSS.

So you just need a VSL and you scale this based on the fact that it may be needed to pass user traffic if for example a device that is connected to both chassis has one of its links go down in which case you would see user traffic across the VSL.

Is that what you are referring to?

Jon

Sort of. We have 2 10GB WAN links back to our main site, and a 10 GB link to a cloud provider. We have 2 ASR 1K connected to the 10 GB links, which then connect to a pair of 4500-X switches. Since the 1001 has only 2 10GB interfaces, we can't connect them to both switches and the 10GB link back to us, so one connects to one switch, and the other to the second switch. BGP connects the cloud to the routers and load balances.

From what I am reading here, a better solution would be to remove VSL and just do a 20GB LAG between them instead.  In either case I plan to run a lab test with iperf tomorrow to verify traffic flow.  This is my only thing left to test and verify, everything else is working in full redundancy mode in case a link fails or a device fails, except the single 10GB to the cloud, can't fix that one if it goes down, but that's what VPN is for. :)