Cisco VSS Dual-Active Detection
In my last blog, I explained how to configure VSS. In this article I’ll explain how to configure Dual-Active Detection. This is an important function of VSS because it prevents both supervisors from becoming active in the event of a VSL link failure.
A VSS pair is connected by a VSL (virtual switch link). If the standby switch detects a complete loss of the VSL, it assumes the active chassis has failed and will take over as the active chassis. However, if the link has failed but the active chassis is still functioning, this can result in both chassis being in the active state. With both chassis routing packets and connected to upstream or downstream switches, black holes can occur.
Dual-Active Detection can be configured to prevent this from happening. (Highly recommended.) To accomplish this, a means of communication between both VSS chassis outside the VSL link is established. If the standby switch were to go active (typically by loss of the VSL), the active switch will be informed and will go into recovery mode. In this mode, all ports except the VSL ports are shut down. Upon seeing the VSL ports come active again, the switch will reload and come back as the standby chassis with all its ports up. (Note: while in recovery mode it is possible to have some ports excluded from being shut down. However, we won’t be covering that feature.)
In release 12.2(33)SXI there are 3 different forms of Dual-Active Detection.
- Enhanced PAgP
- IP BFD
- Dual-Active Fast Hello Packets (This was not available in prior releases)
I will be covering Enhanced PAgP and Fast Hello. Having only worked with releases that support Fast Hello, I’ve never had a need to configure IP BFD.
Enhanced PAgP
Take a look at the following diagram. The VSS pair would be a Data Center pair to which servers are dual connected (not shown). The top switches are a distribution pair which is not running VSS.
Each distribution switch is connected to both VSS chassis using an etherchannel. From the perspective of the distribution switch, it is a standard etherchannel. However, on the VSS pair it is a MEC (Multichassis Etherchannel) since it spans both chassis.
As mentioned earlier, Dual-Active Detection needs to speak with both chassis “outside” the VSL. A MEC connected to an upstream switch can provide that connectivity.
An enhanced version of PAgP is used on the etherchannel and provides the Dual-Active Detection. Note: for this to work, the IOS on the upstream switch must support enhanced PAgP, such as 12.2(33)SXH or SXI on the 6500.
A Cisco doc referred me to Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases for other products that support enhanced PAgP, but a quick search of that doc did not show anything related to enhanced PAgP.
Enhanced PAgP Dual-Active Configuration
! Once a MEC is operational, PAgP Dual-Active configuration is quite simple.
! Identify the port channel between the VSS switch pair and the upstream switch.
! The port channel should be a MEC and include a port from both switch 1 and switch 2.
! Dual-Active Detection is enabled by default on the etherchannel with enhanced PAgP.
! However, it does not provide the functionality until the port channel is put in trust mode
! under the switch virtual domain.
! Note: The port channel must be shut down before it can be trusted, or an error occurs.
! Of course, remember to do a no shut afterwards.
interface port-channel 10
shutdown
switch virtual domain 9
dual-active detection pagp
dual-active detection pagp trust channel-group 10
interface port-channel 10
no shutdown
That’s it! You’ve got PAgP Dual-Active Detection Configured.
FYI - In the example above, you’d want to configure it on both etherchannels for redundancy.
To display the PAgP status and Dual-Active state, issue either of the following commands. Both give the same output.
show switch virtual dual-active pagp
show pagp dual-active
Here is an example/excerpt from the Cisco IOS Software Configuration Guide, Release 12.2(33)SXH and Later Releases:
show switch virtual dual-active pagp
Channel group 10 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/1   Yes             partner-1   Gi1/5/1   1.1
Gi2/5/1   Yes             partner-1   Gi1/5/2   1.1

Channel group 11 dual-active detect capability w/nbrs
Dual-Active trusted group: No
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/2   Yes             partner-1   Gi1/3/1   1.1
Gi2/5/2   Yes             partner-1   Gi1/3/2   1.1
Take note: in this example, channel group 11 is not trusted and would not be providing Dual-Active Detection.
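An untrusted group like that is easy to miss by eye, so here is an added example (not from the original post or from Cisco) that parses this command's output and reports every channel group that would not protect against a dual-active condition. It assumes the column layout of the device output; groups 10 and 11 are the excerpt above, group 12 and its "N/A" version value are constructed, and the function names are hypothetical.

```python
import re

# Groups 10-11: excerpt shown above. Group 12: constructed (one port, no enhanced PAgP).
SAMPLE = """\
Channel group 10 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/1   Yes             partner-1   Gi1/5/1   1.1
Gi2/5/1   Yes             partner-1   Gi1/5/2   1.1
Channel group 11 dual-active detect capability w/nbrs
Dual-Active trusted group: No
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/2   Yes             partner-1   Gi1/3/1   1.1
Gi2/5/2   Yes             partner-1   Gi1/3/2   1.1
Channel group 12 dual-active detect capability w/nbrs
Dual-Active trusted group: Yes
          Dual-Active     Partner     Partner   Partner
Port      Detect Capable  Name        Port      Version
Gi1/6/3   No              partner-2   Gi1/4/1   N/A
"""

GROUP = re.compile(r"^Channel group (\d+) dual-active detect capability")
TRUST = re.compile(r"^Dual-Active trusted group:\s*(Yes|No)")
PORT = re.compile(r"^(\S+\d/\d+/\d+)\s+(Yes|No)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse(text):
    """Map channel-group number -> {'trusted': bool, 'ports': [...]}."""
    groups, cur = {}, None
    for line in text.splitlines():
        if m := GROUP.match(line):
            cur = groups.setdefault(int(m[1]), {"trusted": False, "ports": []})
        elif cur is not None and (m := TRUST.match(line)):
            cur["trusted"] = m[1] == "Yes"
        elif cur is not None and (m := PORT.match(line)):
            cur["ports"].append({"port": m[1], "capable": m[2] == "Yes"})
    return groups

def audit(groups):
    """Return (group, problem) pairs; an empty list means every group protects."""
    findings = []
    for gid, g in sorted(groups.items()):
        # First digit of the port name is the VSS switch number: Gi1/6/1 -> "1"
        chassis = {p["port"].split("/")[0][-1] for p in g["ports"]}
        checks = [(not g["trusted"], "not trusted"),
                  (not all(p["capable"] for p in g["ports"]), "partner not detect capable"),
                  (chassis != {"1", "2"}, "ports not on both chassis")]
        findings += [(gid, msg) for bad, msg in checks if bad]
    return findings
```

Feed `audit(parse(...))` the captured output from each VSS pair; any finding means that port channel should not be counted as a working detection path.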
Fast Hello Dual-Active Detection
When a PAgP etherchannel is not available or for Dual-Active Detection redundancy, Fast Hello Dual-Active Detection can be configured on any pair of ports connected to each of the 2 VSS chassis. For the purpose of my example, I show an RJ45 connection between (2) Gig ports at G1/9/48 and G2/9/48.
Fast Hello Dual-Active Detection Configuration
! With the Fast hello configuration, we start by telling the switch virtual domain dual-active detection is fast-hello.
! Then we configure the ports being used for fast-hello.
switch virtual domain 9
dual-active detection fast-hello
exit
interface GigabitEthernet1/9/48
shutdown
dual-active fast-hello
no shutdown
exit
interface GigabitEthernet2/9/48
shutdown
dual-active fast-hello
no shutdown
exit
And that’s it. Fast Hello Dual-Active Detection is configured.
Something worth mentioning: any pair of ports can be used, up to 4 on each chassis, including fiber. I’m not sure it would be practical to waste 10G X2 ports on dual-active detection, but I suppose there might be a reason to use 1G fiber. If fiber is used, UDLD is disabled.
When a port is configured as a fast hello port, it cannot be used for anything else. In fact, no other commands are available per the docs, although I didn’t personally confirm it.
To display the Fast Hello Dual-Active state, issue the following command:
show switch virtual dual fast-hello
Fast-hello dual-active detection enabled: Yes
Fast-hello dual-active interfaces:
Port       Local State   Peer Port   Remote State
---------------------------------------------------
Gi1/9/48   Link up       Gi2/9/48    Link up
As mentioned in the last blog, here are some Cisco docs that will prove helpful.
Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html
Cisco Catalyst 6500 Virtual Switching System Deployment Best Practices
http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml
Replace Supervisor Module in Cisco Catalyst 6500 Virtual Switching System 1440
http://www.cisco.com/en/US/products/ps9336/products_configuration_example09186a0080a64891.shtml
For all documentation, go to the Documentation area of Cisco’s web site.