Loop/Broadcast Storm on VSS

leafar1988 · ‎08-24-2016

Hello, we currently run VSS at one of our sites and there was an access edge switch connected to it via layer 2. The access edge switch had two individual trunks. One was going to one physical 6800 (VSS) and one was going to the other. Since there are two boxes but they act as one logical box. Anyway, a loop was created and traffic was crawling. Those trunks were passing the data and wireless AP vlan's. Lets say vlan 2 and vlan 3 for example. This issue was causing high CPU process and our wireless voice clients were impacted the most as traffic was struggling to pass through the switch, any commands we tried were taking a long time to actually process. The issue was resolved after placing the two separate trunks on that access edge switch into a port channel going to the VSS.

I am just kinda confused because VSS is two physical switches turned into one logical switch, shouldnt spanning tree block any redundant links?

I am assuming when it comes to VSS any dual uplinks to a switch should be in a port channel/MEC, right?

Can someone clarify for me please, I think the VSS and how STP works within the VSS is throwing me off.

Mark Malone · ‎08-24-2016

Hi

Yes best practice to have port-channels unless the switch is orphan link by itself to one chassis for some reason , the switch as you see acts as one unit so like anything dual linked like that a loop will occur if one link is not blocking at L2 or bundled acting as one total link

Best practice doc VSS

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_appa-configs.html

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109547-vss-best-practices.html#vss_best

leafar1988 · ‎08-24-2016

Hello Mark, thanks for your answer and providing the links. In your opinion, why do you think it did not block originally when it was dual linked? I would think that dual links passing the same vlans, 1 link should be blocked.

Mark Malone · ‎08-24-2016

Hi

so first I have never setup a VSS without using po unless single linked so I am taking a bit of a guess here without labbing it and debugging to confirm exactly whats happening at L2, I have a few in place we always follow best practice with the pos

I would have thought as its a single logical entity that it would block the link as it would see the loop

did you not get any alerts for stp in logs ? maybe something irregular happenied with the bpdus crossing the vsl

The active chassis runs Spanning Tree Protocol (STP). The standby chassis redirects STP BPDUs across the VSL to the active chassis.

Spanning Tree Configuration Best Practices with VSS

Caution

One of the benefits of VSS-based design is that it allows the STP be active in the entire Layer-2 domain. The VSS simply offers a loop-free topology to STP. There is no inherent method to offer a topology that is loop-free, unless the topology created by a network designer is star-shaped (MEC-enabled). Spanning tree must be enabled in the VSS-enabled design in order to detect accidental loops created at the access-layer or within the VSS systems (by connecting the same cable back to back to VSS member chassis). In a non-VSS-enabled network, a set of spanning tree tools are available to protect the network from looping storms or reducing the effects of storms so that corrective actions can be taken. For further information about loop storm condition protection in a non-VSS multilayer design, refer to the following URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#cg5.

Rahim Halim · ‎03-24-2017

It looks like same symptom happened in my last implementation. My scenario only happened to EOL switches so I assume it is compatibility issue since there no latest firmware available to fix it.