Last week I converted our new distribution to VSS. If you haven’t heard anything about Cisco VSS yet, you should check it out. VSS is used on the 6500 chassis if you have the new VS-S720-10G-3C supervisor. The concept of VSS is pretty easy to understand. If you are familiar with stacking 3750 switches, you will understand VSS. Basically, you take two 6500s and make them look like only a single switch to anything that connects to them.
Some reasons to use VSS are to get rid of spanning-tree between the distribution and access layers. You also no longer need to use HSRP. For example, an access switch connecting to your distribution would usually be dual-homed, meaning connecting to two separate distribution switches. With spanning-tree, in most cases, one of the uplinks will be unused for a given vlan. That means if you use 10 Gig uplinks, one is unused and only for redundancy (you can balance vlans to even things out, but that has to be configured). With VSS your access switch would have only one port channel that would actually connect to both distribution switches. From the perspective of the access switch, it’s only connecting to a single switch (even though it’s physically two separate switches). Since we only have one port-channel to the distribution, HSRP or VRRP is not needed. One vlan IP is assigned to the VSS distribution switch, and clients use that as default gw. Load balancing across links is done using the traditional etherchannel hashing algorithm.
Check out http://cisco.com/go/vss
Converting the two switches to VSS is pretty easy actually. The Cisco config guide is a good reference.
Here’s a high-level diagram of VSS being connected to core using multi-chassis etherchannel (MEC).
I’m using the latest IOS available for the VSS supervisor (SXI release). I’m using the two 10 gig connections between supervisor modules for the VSL link. You can combine that with additional ports on the 10gig line cards as well. I decided to stay with two connections because we have 16 port 10 gig line cards (6716). If you choose to use the 16 port line cards for VSL links, there are some caveats. First, you have to be running the module in performance mode, meaning it now becomes an 8 port card (no over subscription of ports for VSL). Secondly, you have to be running the new SXI code.
The other thing to configure after converting to VSS is the Dual-active protection. Dual-active protection prevents a condition where both switches think they are active. This could happen as a result of a complete VSL link failure. There are three things you can configure for dual-active protection, and I only see the need for two of them. The first is enhanced PAGP, which is enabled by default. This allows the two switches to see each other over a port channel in the event of VSL failure (the device the VSS is connected to via a port channel becomes the pass through device in a sense). The other option is dual-active fast hello packets. To configure this, you can use up to four directly connected links between switches (links become dedicated for this feature).
Here is a screen output of a walk-through for converting the two switches to VSS, using dual-active protection, and creating a MEC between VSS and core1.
CCIE No. 21785