Solved: L3 packet forwarding with VSS

pwmsonpbs · ‎01-27-2014

Hi,

I'm trying to make sure I understand how packets are forwarded by VSS. Below is a comment from the XE3.5.0E config guide. I want to make sure I understand the part in italics and how redundant VLANs and their SVIs are handled.

Packet Handling

The VSS Active supervisor engine runs the Layer 2 and Layer 3 protocols and features for the VSS and manages all ports on both switches. The VSS uses VSL to communicate protocol and system information between the peer switches and to carry data traffic between the switches when required. Both switches perform packet forwarding for ingress traffic on their interfaces. If possible, ingress traffic is forwarded to an outgoing interface on the same switch to minimize data traffic that must traverse the VSL.

If I have VLANs 100 and 200 and SVIs 100 and 200

!

interface vlan 100

ip address 10.1.100.0 255.255.255.0

interface vlan 200

ip address 10.1.200.0 255.255.255.0

!

Do I configure the SVIs on both SWITCH-1 and SWITCH-2 - ie duplicate IP address - and then only the active supervisor's VSS handles packet forwarding?

Thanks,

Phil

Ankur Arora · ‎01-27-2014

Hi Phil,

The basic requirment of a VSS setup is to have exact same config on both the peer switches... So before converting 2 standalone chassis to vss you will have a config where you will have both the SVIs configured with ip address... You just have transfer this config to bith the switches.

And consider the two switches in the VSS setup as one single entity because in VSS the active switch handles all the control traffic and the data traffic is shared among the two peer switches.

Thanks

Ankur

"Please rate the post if found useful"

View solution in original post

Ankur Arora · ‎01-27-2014

Phil

Below is a prety neat config guide for VSS you might wank to go through

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

View solution in original post

Ankur Arora · ‎01-27-2014

Hi Phil,

The basic requirment of a VSS setup is to have exact same config on both the peer switches... So before converting 2 standalone chassis to vss you will have a config where you will have both the SVIs configured with ip address... You just have transfer this config to bith the switches.

And consider the two switches in the VSS setup as one single entity because in VSS the active switch handles all the control traffic and the data traffic is shared among the two peer switches.

Thanks

Ankur

"Please rate the post if found useful"

Ankur Arora · ‎01-27-2014

Phil

Below is a prety neat config guide for VSS you might wank to go through

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

pwmsonpbs · ‎01-28-2014

Ankur,

Thanks for the clarification. This is what I have understood, but have never seen it explained exactly as I posed the question. I am replacing two 3650G which had all the STP, blocked links, HSRP considerations with a 4507 VSS pair. The plan is to do MEC with links from 5 to 8 IBM blade chassis.

Ankur Arora · ‎01-28-2014

Phil,

MEC with a IBM blade chassis or MEC with a VSS pair both are good options. Using an MEC also gives us redundancy and rules out spanning tree.

Explaination for the below lines:

"Both switches perform packet forwarding for ingress traffic on their interfaces. If possible, ingress traffic is forwarded to an outgoing interface on the same switch to minimize data traffic that must traverse the VSL."

from the VSS document is as follows:

If traffic enters the VSS active chassis, the VSS will select an MEC link from the VSS active chassis. This MEC capability ensures that data traffic does not unnecessarily traverse the VSL.

Each MEC can optionally be configured to support either PAgP or LACP. These protocols run only on the VSS active chassis. PAgP or LACP control packets destined for an MEC link on the VSS standby chassis are sent across VSL.

An MEC can support up to eight VSS active physical links, which can be distributed in any proportion between the VSS active and VSS standby chassis.

Thanks

Ankur

"Please rate the post if found useful"

Jon Marshall · ‎01-28-2014

Ankur

Csn you confirm that when you create the SVIs on the VSS switches you only need to configure the active switch with an SVI ie. no need to configure an SVI for the same vlan on the standby switch ?

My understanding is that the active switch is responsible for building the RIB and then from this it builds the FIB which is downloaded to the standby PFC (and any DFC linecards in both chassis). So both supervisors can forward traffic.

So if vlan 10 and vlan 11 both have SVIs configured on the active switch and a packet comes into the standby supervisor from vlan 10 going to vlan 11 the standby supervisor simply uses it's own FIB to forward the packet ie. it does not need to send it to the active supervisor to be routed.

Is that correct or have i misunderstood how it works.

Jon

Ankur Arora · ‎01-28-2014

Jon,

In the VSS setup the Control Plane functionalities (building RIB, FIB) are done only by the active chassis and the standby doesnot play any role in that.

That is the reason we say:

In VSS we have only 1 control plane and 2 data planes.

So for example if we already have a VSS setup, and i create an new SVI for vlan 10, this new SVI will be automatically populated into the config of the standby switch(as both the switches have exactly same config).

Once the FIB is built up and the information has been populated by the control plane on the active to the data plane on the standby about this new SVI, the standby will automatically forward all received packets for this vlan 10 without sending them to the Active switch.

Thanks

Ankur

"Please rate the post if found useful"

Jon Marshall · ‎01-28-2014

Ankur

Thanks, that is the way i understood it as well, just wanted to make sure i understood it correctly.

Jon

Joseph W. Doherty · ‎01-28-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

A VSS device appears and is managed as one logical device. Chassis modules are prefixed with a unit number so you can distinguish, for example, between interfaces on the two physical chassis.

For items like VLANs and SVIs, there's only one logical instance on the (single) VSS logical device.

In many ways, a VSS logical device is configured/managed like a 3750 stack. However, VSS setups usually have much, proportionally, less bandwidth between VSS members than a 3750 stack. So, that's where/why your italicized statement is very important. VSS trys to avoid using the VSL link by, if possible, sending ingress traffic to an egress port on the same physical chassis as the ingress port's chassis.

This VSS preference is important to VSS designs. Unless everything is dual pathed, you may have transit traffic using the VSL link. Even when everything is dual pathed, a line card failure might cause much VSL transit traffic. (BTW, if transit traffic overwhelms your VSL's bandwidth, you're [still?] unable to define your own QoS policy on the VSL link.)