Cisco Cisco 1700 2600 3600 3700 Series VPN Module White Paper
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
The control protocols managing the Cisco EtherChannel link (PAgP or LACP) continue to originate from the active
supervisor engine and are sent out of the standby virtual switch ports through the VSL. The endpoint (host, switch,
router, etc.) on the other end of the multichassis Cisco EtherChannel link detects the link failure and adjusts its
load-balancing algorithms to avoid the failed link.
Availability is not affected for those data flows that do not use the failed link. For those traffic flows that use the
failed link, the effect consists of the time it takes to detect the link failure and reprogram the indices within the
system.
Complete VSL Failure (Dual Active)
The active supervisor engine discovers the failure of the VSL either through a link-down event or through the failure
of the periodic VSLP messages sent across the member links to check the VSL link status. From the perspective of
the active virtual switch chassis, the standby virtual switch is lost. The standby virtual switch chassis also views the
active virtual switch chassis as failed and transitions to active virtual switch state through an SSO switchover. This
scenario is known as a dual-active scenario (Figure 25).
Figure 25. Complete VSL Failure
In this case, each virtual switch assumes the role of the active virtual switch, and each virtual switch controls only
its local ports. However, there will most likely be some global Layer 2 and Layer 3 configuration, and the interface
configuration for the multichassis Cisco EtherChannel links will be applied to both chassis. Duplication of this
configuration can have adverse effects on the network topology and traffic.
At Layer 3, any virtual interfaces (for example, port channels, SVIs, and loopbacks) are duplicated on both
chassis, causing duplicate IP addresses on the network. Any secure communications such as SSH and the
cryptography feature set have the same set of keys on both chassis. At Layer 2, spanning tree has the same
bridge ID on both switches, possibly causing a conflict. In general, this condition causes the same effect as when two
routers or switches within a network contain the same configuration file.
To avoid this disruptive scenario, you should configure the VSL as a multiple-link port channel and spread it across
all the available supervisor engines and modules within the chassis. You should also run the individual members of
the VSL across separate physical paths when possible.
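
The recommendation above can be checked against a saved configuration. The following audit is an added example, not code from this white paper or from Cisco; it assumes the VSL port channel is marked with `switch virtual link N`, that members join it with `channel-group N mode ...`, and that interfaces are named switch/module/port. The two sample configurations are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the white paper). Assumed syntax:
# "switch virtual link N" marks a VSL port channel and member interfaces
# are named switch/module/port.
WEAK = """\
interface Port-channel1
 switch virtual link 1
interface TenGigabitEthernet1/5/4
 channel-group 1 mode on
interface TenGigabitEthernet1/5/5
 channel-group 1 mode on
"""
# Same VSL with the second link moved to another module, plus an ordinary
# single-link port channel that must not be reported.
RESILIENT = WEAK.replace("1/5/5", "1/2/1") + """\
interface Port-channel20
 description access uplink, not a VSL
interface GigabitEthernet1/3/1
 channel-group 20 mode active
"""

def audit_vsl(config):
    """Return one finding per VSL port channel lacking link or module diversity."""
    vsl_ids, members, iface = set(), defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        stmt = line.strip()
        pc = re.fullmatch(r"Port-channel(\d+)", iface or "")
        if pc and re.fullmatch(r"switch virtual link \d+", stmt):
            vsl_ids.add(pc.group(1))            # this port channel is a VSL
        grp = re.fullmatch(r"channel-group (\d+) mode \S+", stmt)
        port = re.fullmatch(r"\D+(\d+)/(\d+)/(\d+)", iface or "")
        if grp and port:
            members[grp.group(1)].append(port.groups())  # (switch, module, port)
    findings = []
    for pc_id in sorted(vsl_ids, key=int):
        links = members[pc_id]
        modules = {(sw, mod) for sw, mod, _ in links}
        if len(links) < 2:
            findings.append(f"Port-channel{pc_id}: {len(links)} member link(s); "
                            "VSL should be a multiple-link port channel")
        elif len(modules) < 2:
            findings.append(f"Port-channel{pc_id}: all {len(links)} links on one "
                            "module; spread across supervisors/modules")
    return findings
```

The audit covers link count and module spread only; whether the member links follow separate physical paths cannot be read from the configuration and has to be verified against cabling records.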