Saturday, 16 January 2010

VSS Introduction

VSS stands for Virtual Switching System and is a technology for use on 6500 series switches.

It works in a similar way to StackWise on the 3750s: two physical devices end up with a single logical management plane.

In a large Cisco-style network you would have two core/distribution devices for redundancy. Such a network typically ends up with an active/standby topology: with Spanning Tree, only one uplink is forwarding for a given VLAN, and to avoid unicast flooding HSRP/VRRP and the IGP must then be configured so that all traffic for that VLAN is routed via the same distribution (or core) switch.

Traffic is load balanced by alternating VLANs between the two distribution switches.

This topology is shown below for a single VLAN:

The basic VSS topology is shown below, the access device still has redundant uplinks but traffic flows over all links in etherchannels:

The topology this produces is similar to a network built around Nortel kit and the Split Multi-Link Trunking (SMLT) technology. The difference is that SMLT still has two separate management planes, whereas VSS has only one.

There are a few benefits to this system:

Simplified Network Architecture.
  • Single logical device at the core/distribution layer.
  • Behaves as a single unit for management purposes.
  • No need to fudge STP, HSRP and IGP per VLAN.
  • No need for first hop redundancy protocols (FHRP).

Simpler Routing
  • Half as many IGP neighbors.
  • Half as many IGP routes.
  • No IGP load balancing/weighting required.

  • Software upgrades carried out without risky failovers and associated downtimes during convergence.
  • Easier to roll back.

Faster Convergence.
  • No STP convergence delays.
  • Loss of redundant switch does not change logical topology, avoiding convergence entirely.

Reduced function of Spanning-Tree.
  • No blocked ports to distribution/core from access layer.
  • Greatly reduces the chance of bridging loops.
  • Can use portfast trunk on access device uplinks.

The Cisco VSS Design Guide is well worth a read for more detailed information.


3750 Stackwise Upgrades

Upgrading a Cisco switch is very easy:
  1. Copy IOS image to the flash drive on the switch.
  2. Point the boot statement at the new image.
  3. Reboot the switch.
The 3750 stack is made up of several physical devices with just a single logical management interface, so Cisco has implemented the archive-sw command to make upgrading it easy. It doesn't quite work as well as it should and I wouldn't recommend using it. The method below is much easier and more reliable:

1. Copy IOS image to the flash drive on the switch
Use the same command as usual, but run it once for each switch in the stack. The flash drives are numbered flash1:, flash2:, flash3: and so on.
copy tftp flash1:
copy tftp flash2:

Delete any old images or html files to clear space as necessary.

2. Point the boot statement at the new image
This can be done with a one-liner (replace image.bin with whatever file you want to use):
boot system all flash:image.bin

3. Reboot the switch
The "reload" command will restart the entire stack.
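Before issuing reload it is worth confirming that every member holds a complete copy of the image and that every member's boot statement points at it, since a member left on the old image, or booting a truncated copy, will not come back into the upgraded stack cleanly. The Python below is an added example, not code from the original post: it runs that check over the output of dir flashN: and show boot. The listings, the image names and the expected size (taken from the file on the TFTP server) are constructed placeholders.

```python
import re

# Constructed sample output, not captured from a real switch: "dir flash1:" and
# "dir flash2:" on a two-member 3750 stack after the copy step. Image names are
# hypothetical placeholders.
DIR_OUTPUT = {
    1: """Directory of flash1:/
    2  -rwx    12345678   Jan 16 2010 10:01:23 +00:00  c3750-mz.new.bin

15998976 bytes total (3000000 bytes free)
""",
    2: """Directory of flash2:/
    2  -rwx    12345000   Jan 16 2010 10:03:11 +00:00  c3750-mz.new.bin

15998976 bytes total (3000000 bytes free)
""",
}

# Constructed "show boot" output: member 2 still points at the old image.
SHOW_BOOT = """Switch 1
-------
BOOT path-list      : flash:/c3750-mz.new.bin

Switch 2
-------
BOOT path-list      : flash:/c3750-mz.old.bin
"""

# A "dir" entry: index, perms, size, timestamp, file name last on the line.
FILE_RE = re.compile(r"^\s*\d+\s+-rwx\s+(\d+)\s+.*\s(\S+)$", re.M)
# A "show boot" block: "Switch N", a dashed rule, then the BOOT path-list.
BOOT_RE = re.compile(r"^Switch (\d+)\n-+\nBOOT path-list\s*:\s*(\S+)", re.M)


def preflight(dir_output, show_boot, image, expected_size):
    """Return a list of problems; empty means every member is ready to reload.
    expected_size is the image size on the TFTP server (assumed known)."""
    problems = []
    boots = {int(n): path for n, path in BOOT_RE.findall(show_boot)}
    for member, listing in sorted(dir_output.items()):
        sizes = {name: int(size) for size, name in FILE_RE.findall(listing)}
        size = sizes.get(image)
        if size is None:
            problems.append(f"switch {member}: {image} missing from flash{member}:")
        elif size != expected_size:  # short copy: TFTP transfer was cut off
            problems.append(f"switch {member}: {image} is {size} bytes, expected {expected_size}")
        boot = boots.get(member, "")
        if boot.rsplit("/", 1)[-1].split(":")[-1] != image:
            problems.append(f"switch {member}: boot statement points at {boot or 'nothing'}")
    return problems
```

Paste the real dir and show boot output into the two dictionaries and only reload when preflight returns an empty list.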

So what's wrong with archive-sw?
The upgrade process is just the 3 simple steps above. Last time I used archive-sw I had about 45 minutes of instability while various individual processes restarted on the switch; routing went down but basic IP services stayed up, so HSRP couldn't fail over and the network was unreachable until archive-sw had finished doing whatever it was doing. Maybe it was a bug in the archive-sw version I was using, maybe the config on that device triggered it, maybe it's just not very good.

Either way, I'm sticking to the old method of upgrades because it works and only causes an outage for the time it takes the switch to reboot (assuming it comes up again, which doesn't always happen with stacks!).

ISSU - In Service Software Upgrades
ISSU allows devices to be upgraded without outage. Unfortunately it is not available for 3750 stacks.
It may be possible to carry out the instructions above and then just reboot one switch at a time in the stack. If the old and new versions are similar enough then you might get away with it and the stack might re-form, allowing you to reboot the other switch while maintaining connectivity. Personally I wouldn't try it; if you want maximum uptime then you need two separate logical switches, or to forget about upgrading them.

This method was worked out with our partners at Cacti Networks Ltd, network and security providers in the Ross-on-Wye area.


Monday, 11 January 2010

Rapid Spanning Tree Notes

Just been reading a bit on RSTP; there are plenty of excellent detailed resources around. Here's my summary.


Rapid Spanning Tree - 802.1w

Port Roles

Root port - Path to root bridge. The port that is closest to the root bridge in terms of path cost.

Designated port - Forwarding to a segment. The port that sends the best BPDU on the segment to which it is connected.

Alternate port - Alternative path to root. An alternate route to the root bridge; this port receives more useful BPDUs from another bridge. State is blocked. Can be activated if the root port fails (the RSTP equivalent of uplinkfast).

Backup port - Redundant port. This port receives more useful BPDUs from the local bridge and is therefore redundant. State is blocked.

Disabled port - Administratively shut down.

Port States

Discarding - Combines the 802.1D disabled, blocking and listening states.

Learning - Drops frames but learns MAC addresses.

Forwarding - Sends frames.

Port Types

Edge - End host, selected when portfast is enabled.

Root - Path to root bridge.

Point-to-point - Designated port to another switch. Selected when a non-edge port is in full duplex mode.

  • It is assumed that a non-edge port in half-duplex mode may connect to a shared medium with multiple peer switches. These ports will fall back to 802.1D compatibility mode.

  • A non-edge port transitioning to forwarding will generate a TCN.


  • All switches send BPDUs out of all ports.

  • Loss of 3 BPDUs from a neighbour is taken to mean the neighbour is down. All information on that port is aged out.

  • If an 802.1D BPDU is received then that port falls back to 802.1D mode from RSTP.


Sunday, 3 January 2010

DSL Firewalls and PPP Half Bridges

A PPP Half Bridge lets you extend the public IP address of your network into the LAN. This is useful if you have a firewall that doesn't have its own DSL modem and you want to do VPNs.

It's also known as DHCP spoofing.

Half bridging is a hack where your DSL modem makes the PPPoA connection to your ISP and is issued a public address, then advertises that same IP back on the LAN with a very short DHCP lease time. It then goes into bridging mode and forwards all traffic to the LAN host, which is effectively directly connected to the internet.

This is useful if you want to avoid NAT for any reason, e.g. to terminate VPNs.

The topology is shown below:

There's a big cost benefit in connecting a firewall device to the DSL line without requiring a built-in DSL modem.

Cisco's firewall line is the ASA, which has no DSL module available, so the only option is to use an external ADSL router. The low-end box is the 5505, which can be picked up from around £250 depending on which software licence you want.
They also have the 857W (~£300) and the 877W (around £400), which include wireless, VPN capability and DSL ports. However these are routers, not firewalls. They may be able to run the IOS firewall software, but its performance is not likely to be great.

Juniper used to make a 5GT-ADSL with wireless that did the job nicely, but it has now been replaced by the SSG 5 at around £650 with wireless and no DSL modem available. The only all-in-one option is to buy an SSG 20 (~£800) and an ADSL expansion card (~£500). The 5GT is still available on ebay for around £200-300 if you don't mind having no support.

The home-brew solutions such as pfsense, Smoothwall and IPCop will also benefit from using the half-bridge option. Run one on something like a PC Engines mini system, which costs under £100, and you'd have a very powerful little box.

Compatible Modems
Not all ADSL routers support half bridging; it's probably fair to assume that most don't. I use an old Origo 8400, which isn't available any more. I think that company is now called Safecom and they do pop up on ebuyer as the value range from time to time.

The Zyxel P-660R-D1 supports half bridging and is available from around £25 online.

According to certain forums the Linksys AM200 supports it as does the Netgear DG834G (but not GT). Some Draytek models also support it.