Solved: Re: VSS Dual Active Detection Methods

john.pepper · ‎01-31-2017

Hi,

About 6 years ago we suffered a major DC failure on our VSS switches where they went into a split-brain situation. We were running IOS 12.33 at the time and advised by Cisco to use both PAGP – AND - Fast-Hello for Dual-Active-Detection.

We are now running 15.2 on our 6500 Sup’s and starting to decommission some legacy Access layer switches. These include the trunk port-channels we were using for the PAGP Dual-Active-Detection under the VSS domain. So we will be left with just Fast-Hello.

So my question is.. are any of the Dual-Active-Detection methods (PAGP, Fast-Hello, BFD) preferred over each other. And is using only Fast-Hello adequate protection against a split-brain scenario?

Appreciate any feedback.

Thanks

John

Mark Malone · ‎01-31-2017

Hi

as below in docs fast hello is quicker than BFD in this scenario , we use FH never had an issue with it and we have had multiple failover tests etc , we carry them out twice a year.

We have anything from 2960s right up to 6500s connected to our VSS , its our prod core user traffic

xxxxxxxxxxx#show switch virtual dual fast-hello
Fast-hello dual-active detection enabled: Yes

Fast-hello dual-active interfaces:
Port       Local State    Peer Port    Remote State
---------------------------------------------------
Gi1/7/47   Link up        Gi2/7/48     Link up
Gi1/7/48   Link up        Gi2/7/47     Link up

Dual Active

Dual-Active fast-hello employs fast-hello Layer 2 messages over a direct Ethernet connection. When the VSL goes down, the event is communicated to the peer switch. If the switch was operating as the active before the VSL went down, it goes into recovery mode upon receipt of a VSL down indication from the peer switch. This method is faster than IP BFD and ePAGP and does not require a neighboring switch.

Both PAGP and Fast Hello should protect against split brain as below

1. Enhanced PAgP
- been around the longest
- only on 3750 (12.2(46)SE, 4500, 6500 (with min software release)
- new TLV field in PAgP message with active switch ID
- sub-second convergence
- If they see two different switch-ids then feed them back up the port channel and trigger the process
2. VSLP “Fast Hello”
- Virtual Switch Link Protocol
- dedicated L2 link between the two switches
- on all the time
- sub-second hello
- can be 100M link, no sync, just there as a heartbeat mechanism

See fast hello in this doc good explanation

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch4.html#wp1095735

View solution in original post

Mark Malone · ‎01-31-2017

Hi

as below in docs fast hello is quicker than BFD in this scenario , we use FH never had an issue with it and we have had multiple failover tests etc , we carry them out twice a year.

We have anything from 2960s right up to 6500s connected to our VSS , its our prod core user traffic

xxxxxxxxxxx#show switch virtual dual fast-hello
Fast-hello dual-active detection enabled: Yes

Fast-hello dual-active interfaces:
Port       Local State    Peer Port    Remote State
---------------------------------------------------
Gi1/7/47   Link up        Gi2/7/48     Link up
Gi1/7/48   Link up        Gi2/7/47     Link up

Dual Active

Dual-Active fast-hello employs fast-hello Layer 2 messages over a direct Ethernet connection. When the VSL goes down, the event is communicated to the peer switch. If the switch was operating as the active before the VSL went down, it goes into recovery mode upon receipt of a VSL down indication from the peer switch. This method is faster than IP BFD and ePAGP and does not require a neighboring switch.

Both PAGP and Fast Hello should protect against split brain as below

1. Enhanced PAgP
- been around the longest
- only on 3750 (12.2(46)SE, 4500, 6500 (with min software release)
- new TLV field in PAgP message with active switch ID
- sub-second convergence
- If they see two different switch-ids then feed them back up the port channel and trigger the process
2. VSLP “Fast Hello”
- Virtual Switch Link Protocol
- dedicated L2 link between the two switches
- on all the time
- sub-second hello
- can be 100M link, no sync, just there as a heartbeat mechanism

See fast hello in this doc good explanation

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_ch4.html#wp1095735

john.pepper · ‎01-31-2017

Hi Mark,

Many thanks for your reply and info. That certainly answers my question.

Much appreciated.

John

s.jayaram · ‎10-15-2020

I know this posting is few yrs old, wondering anyone can comment on a situation we had with a client VSS - 4500-X stack running

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch
Software (cat4500e-UNIVERSALK9-M), Version 03.06.00.E RELEASE SOFTWARE (fc3)
License Information for 'WS-C4500X-32'
License Level: entservices Type: Permanent
Next reboot license Level: entservices

PAGP DAD enabled for Port-channel 30, however the checks did not validate

xxxxxxx#sh pagp nei
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
A - Device is in Auto mode. P - Device learns on physical port.

Channel group 30 neighbors
Partner Partner Partner Partner Group
Port Name Device ID Port Age Flags Cap.
Te1/1/1 BHPGTESACR01 0c85.25d4.d400 Gi1/0/25 1s SC 1E0001
Te2/1/1 BHPGTESACR01 0c85.25d4.d400 Gi1/0/28 2s SC 1E0001

But the virtual switch command did not show that activation

xxxxxxx#sh sw vir dual-active pagp

Executing the command on VSS member switch role = VSS Active, id = 2

Executing the command on VSS member switch role = VSS Standby, id = 1

When both VSL links got cut , both stayed active causing dual active detection

Any reason why VSS did not detect the DAD

Thanks