
1/25
2010
Netcraftsmen

Cisco VSS Dual-Active Detection

In my last blog, I explained how to configure VSS. In this article I’ll explain how to configure Dual-Active Detection. This is an important function of VSS because it prevents both supervisors from becoming active in the event of a VSL link failure.

A VSS pair is connected by a VSL (virtual switch link). If the standby switch detects a complete loss of the VSL, it assumes the active chassis has failed and will take over as the active chassis. However, if the link has failed but the active chassis is still functioning, this can result in both chassis being in the active state. With both chassis routing packets and connected to upstream or downstream switches, black holes can occur.

Dual-Active Detection can be configured to prevent this from happening. (Highly recommended.) To accomplish this, a means of communication between both VSS chassis outside the VSL link is established. If the standby switch were to go active (typically by loss of the VSL), the active switch will be informed and will go into recovery mode. In this mode, all ports except the VSL ports are shut down. Upon seeing the VSL ports come active again, the switch will reload and come back as the standby chassis with all its ports up. (Note: while in recovery mode it is possible to have some ports excluded from being shut down. However, we won’t be covering that feature.)

In release 12.2(33)SXI there are 3 different forms of Dual-Active Detection.

  • Enhanced PAgP
  • IP BFD
  • Dual-Active Fast Hello Packets (This was not available in prior releases)

I will be covering Enhanced PAgP and Fast Hello. Having only worked with releases that support Fast Hello, I’ve never had a need to configure IP BFD.

Enhanced PAgP

Take a look at the following diagram. The VSS pair would be a Data Center pair to which servers are dual connected (not shown). The top switches are a distribution pair which is not running VSS.

Each distribution switch is connected to both VSS chassis using an etherchannel. From the perspective of the distribution switch, it is a standard etherchannel. However, on the VSS pair it is a MEC (Multichassis Etherchannel) since it spans both chassis.

As mentioned earlier, Dual-Active Detection needs to speak with both chassis “outside” the VSL. A MEC connected to an upstream switch can provide that connectivity.

 

An enhanced version of PAgP is used on the etherchannel and provides the Dual-Active Detection. Note: the IOS on the upstream switch must support enhanced PAgP, such as the 6500 12.2(33)SXH or SXI, for this to work.

A Cisco doc referred me to Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases for other products that support enhanced PAgP, but a quick search of that doc did not show anything related to enhanced PAgP.

Enhanced PAgP Dual-Active Configuration
! Once a MEC is operational, PAgP Dual-Active configuration is quite simple.
! Identify the port channel between the VSS switch pair and the upstream switch.
! The port channel should be a MEC and include a port from both switch 1 and switch 2.
! Dual-Active Detection is enabled by default on the etherchannel with enhanced PAgP.
! However, it does not provide the functionality until the port channel is put in trust mode
! under the switch virtual domain.

! Note: The port channel must be shut down before it can be trusted, or an error occurs.
! Of course, remember to do a no shut afterwards.

interface port-channel 10
 shutdown

switch virtual domain 9
 dual-active detection pagp
 dual-active detection pagp trust channel-group 10

interface port-channel 10
 no shutdown

That’s it! You’ve got PAgP Dual-Active Detection Configured.

FYI – In the example above, you’d want to configure it on both etherchannels for redundancy.

To display the PAgP status and Dual-Active state, issue either of the following commands. Both give the same output.

show switch virtual dual-active pagp
show pagp dual-active

Here is an example excerpt from the Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases:

show switch virtual dual-active pagp

Channel group 10 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/1   Yes             partner-1   Gi1/5/1   1.1
Gi2/5/1   Yes             partner-1   Gi1/5/2   1.1

Channel group 11 dual-active detect capability w/nbrs
Dual-Active trusted group: No
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/2   Yes             partner-1   Gi1/3/1   1.1
Gi2/5/2   Yes             partner-1   Gi1/3/2   1.1

Note that in this example, channel group 11 is not trusted and would not be providing Dual-Active Detection.
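An added example, not from the original post or from Cisco's documentation: a Python check that parses `show switch virtual dual-active pagp` output in the layout of the excerpt above and lists the channel groups that are not actually providing detection. The sample text is constructed from that excerpt; the exact line layout, and reading the first number of a port name as the chassis number, are assumptions.

```python
import re

# Constructed sample, modelled on the excerpt above (group 11 is untrusted).
SAMPLE = """\
Channel group 10 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
Port      Detect Capable  Name        Port      Version
Gi1/6/1   Yes             partner-1   Gi1/5/1   1.1
Gi2/5/1   Yes             partner-1   Gi1/5/2   1.1

Channel group 11 dual-active detect capability w/nbrs
Dual-Active trusted group: No
Port      Detect Capable  Name        Port      Version
Gi1/6/2   Yes             partner-1   Gi1/3/1   1.1
Gi2/5/2   Yes             partner-1   Gi1/3/2   1.1
"""

GROUP_RE = re.compile(r"^Channel group (\d+) dual-active detect capability")
TRUST_RE = re.compile(r"Dual-Active trusted group:\s*(Yes|No)")
# Row: local port (chassis number first), detect flag, partner name/port/version.
ROW_RE = re.compile(r"^([A-Za-z]+(\d+)/\S+)\s+(Yes|No)\s+\S+\s+\S+\s+\S+$")


def parse_groups(text):
    """Return {group: {"trusted": bool, "ports": [(port, chassis, capable)]}}."""
    groups, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := GROUP_RE.match(line):
            current = groups.setdefault(int(m.group(1)), {"trusted": False, "ports": []})
        if current is None:
            continue
        if t := TRUST_RE.search(line):  # also matches when it shares the header line
            current["trusted"] = t.group(1) == "Yes"
        if r := ROW_RE.match(line):
            current["ports"].append((r.group(1), int(r.group(2)), r.group(3) == "Yes"))
    return groups


def audit(groups):
    """Return {group: [problems]}; an empty list means detection is provided."""
    report = {}
    for gid, g in sorted(groups.items()):
        problems = [] if g["trusted"] else ["not trusted under switch virtual domain"]
        if not {1, 2} <= {chassis for _, chassis, _ in g["ports"]}:
            problems.append("members do not span both chassis")
        problems += [f"{p} not detect capable" for p, _, ok in g["ports"] if not ok]
        report[gid] = problems
    return report
```

Calling `audit(parse_groups(SAMPLE))` returns an empty problem list for group 10 and the trust finding for group 11, matching the note above.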

Fast Hello Dual-Active Detection

When a PAgP etherchannel is not available or for Dual-Active Detection redundancy, Fast Hello Dual-Active Detection can be configured on any pair of ports connected to each of the 2 VSS chassis. For the purpose of my example, I show an RJ45 connection between (2) Gig ports at G1/9/48 and G2/9/48.

Fast Hello Dual-Active Detection Configuration

! With the Fast hello configuration, we start by telling the switch virtual domain dual-active detection is fast-hello.
! Then we configure the ports being used for fast-hello.

switch virtual domain 9
dual-active detection fast-hello
exit

interface GigabitEthernet1/9/48
shutdown
dual-active fast-hello
no shutdown
exit

interface GigabitEthernet2/9/48
shutdown
dual-active fast-hello
no shutdown
exit

And that’s it. Fast Hello Dual-Active Detection is configured.

Something worth mentioning: any pair of ports can be used, up to 4 on each chassis, including fiber. I’m not sure it would be practical to waste 10G X2 ports on dual-active detection, but I suppose there might be a reason to use 1G fiber. If fiber is used, UDLD is disabled.

When a port is configured as a fast hello port, it cannot be used for anything else. In fact, no other commands are available per the docs, although I didn’t personally confirm it.

To display the Fast Hello Dual-Active state, issue the following command:

show switch virtual dual fast-hello

Fast-hello dual-active detection enabled: Yes

Fast-hello dual-active interfaces:
Port       Local State    Peer Port    Remote State
---------------------------------------------------
Gi1/9/48   Link up        Gi2/9/48     Link up

As mentioned in the last blog, here are some Cisco docs that will prove helpful.

Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

Cisco Catalyst 6500 Virtual Switching System Deployment Best Practices
http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml

Replace Supervisor Module in Cisco Catalyst 6500 Virtual Switching System 1440
http://www.cisco.com/en/US/products/ps9336/products_configuration_example09186a0080a64891.shtml

For all documentation, go to the Documentation area of Cisco’s web site.

Follow the selections for Products – LAN Switches – Cisco Catalyst 6500 Virtual Switching System 1440.
