Wired Intelligent Edge

  • 1.  VSX setup, 1 member only

    Posted Oct 27, 2021 10:20 AM

    We ordered 4x 8325 in April (two for core and two for a new office build) and we received 3 of them this month. The fourth got lost (screw you, Purolator) and the replacement has a date of February 2022.

    New office move in is planned for November 2021, so October was tight enough as is.

    Obviously not pleased, and it's not ideal... but if I configured VSX sync, multi-chassis LAGs, ISL, etc. exactly as planned in a redundant fashion now, would it be simple to plug in once we get the second member, or would I have to essentially scrap and wipe entirely?

    This is my first big engagement with Aruba, so experience with the platform is still growing.



    ------------------------------
    Kyle Spooner
    ------------------------------


  • 2.  RE: VSX setup, 1 member only

    Posted Oct 27, 2021 10:42 AM
    Hi Kyle!

    I see absolutely no issue with starting the VSX configuration with one member, especially in this case, when getting the second pair member is only a matter of time. I mean that you already know that the currently available switch will be a VSX member and won't work as a standalone device ('standalone' in this case means a switch without any plans to use VSX).
    You can safely start with planning your VSX setup - which ports will be used for ISL, which ports will participate in multi-chassis LAGs, etc. Once you have a strict plan, you can start configuring your switch as a VSX member:

    - assign it a hostname
    - create VLANs needed
    - create ISL interface (preferably a LAG). It doesn't matter that it will stay down at this stage, better to have it configured prior to receiving the second device.
    - enable keepalive interface. Same story here - it will stay down so far, but it is handy to have it pre-configured.
    - assign the switch primary VSX role
    - create multi-chassis LAGs and assign ports on this switch to those LAGs. While the secondary device is not connected, your LAGs will work with half capacity, but they will still be LAGs. Even a single-port LAG is still a LAG, e.g. it uses LACP and is fully prepared to be expanded with additional ports if needed. It is easier than configuring a standalone port facing your server and then converting the port to a LAG when the second VSX switch arrives.
    - create active gateway SVI for VLANs that will be routed by this VSX pair.

    In other words, make the configuration look as if it is a full VSX pair, but the secondary member failed, was removed from the stack and will be replaced soon. At the end of the day, when (or if) one of your VSX switches fails, you will end up in the same temporary situation - VSX config with a single device. This is not very different from your current situation, where you have only one VSX member thanks to the logistics company :-) When your secondary switch finally arrives, you will just configure it accordingly to join the VSX pair, mount it in the rack and connect the network cables. If the configuration is correct, the VSX pair will be created and both switches will start operating as VSX.

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 3.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 03:09 AM
    We just tried this, and all the ports ended up in "Blocked by VSX" state. Shut & no shut didn't bring these ports back up and we had to revert configurations as there were already some users affected. Not sure what caused this or what would have been the proper way to restore the ports from blocking state?


  • 4.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 05:12 AM
    It seems the 'VSX shutdown-on-split' kicked in. In general, the VSX primary shouldn't shut down its ports during the split... The proper way to resume interfaces from this shutdown is:
    switch(config)# interface <interface_number>
    switch(config-if-vlan)# no vsx shutdown-on-split
    Could you let me know the software version installed on your switch, so I can check?

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 5.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 05:16 AM
    It's still in the original 10.05.0030 as we've been waiting for the VSX pair so we could do hitless upgrade...


  • 6.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 08:41 AM
    IIRC shut-on-split was introduced since AOS-CX 10.07...

    ------------------------------
    Davide Poletto
    ------------------------------



  • 7.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 10:55 AM
    @parnassus you are absolutely right, on 10.05 this feature did not exist. At the time I assumed that the shut-on-split feature blocked the ports, I didn't know the exact version ;-)

    I'm curious to check it with 10.05 what could cause single VSX member to block its ports with "Blocked by VSX" error...

    ------------------------------
    Ivan Bondar
    ------------------------------



  • 8.  RE: VSX setup, 1 member only

    Posted Nov 08, 2021 09:19 AM
    Was the problem seen after waiting 15 minutes (hard timer on VSX primary if no secondary joins)?

    ------------------------------
    Vincent Giles
    ------------------------------



  • 9.  RE: VSX setup, 1 member only

    Posted Oct 29, 2021 03:37 AM
    VSX shutdown-on-split command is for non-VSX-LAGed interface.
    Clarification for its usage here if necessary (@5:00) https://www.youtube.com/watch?v=U4a9tzTQTQ4

    ------------------------------
    Vincent Giles
    ------------------------------



  • 10.  RE: VSX setup, 1 member only

    Posted Oct 28, 2021 06:44 AM
    No problem running one VSX member alone waiting for the second to be installed. I have done it without issue.

    This is my basic setup:

    vrf KA
    !
    vlan 1
    vlan X
        vsx-sync
    vlan 1000
        vsx-sync
        description TRANSIT VLAN
    interface lag 1 multi-chassis
        no shutdown
        description --- TO USERS SWITCHES ---
        no routing
        vlan trunk native 1
        vlan trunk allowed all
        lacp mode active
        spanning-tree root-guard                                
    interface lag 256
        no shutdown
        description --- ISL Link BETWEEN VSX ---
        no routing
        vlan trunk native 1 tag
        vlan trunk allowed all
        lacp mode active
    interface 1/1/1
        no shutdown
        description --- TO SWITCH-XXX ---
        lag 1
    interface 1/1/22
        no shutdown
        vrf attach KA
        description --- VSX keepalive ---
        ip address 192.168.0.0/31
    interface 1/1/23                                               
        no shutdown
        description --- ISL physical Link ---
        lag 256
    interface 1/1/24
        no shutdown
        description --- ISL physical Link ---
        lag 256
    interface vlan 1
        vsx-sync active-gateways
        description --- LOCAL NETWORK ---
        ip address y.y.y.y/20
        active-gateway ip mac 12:01:00:00:01:00
        active-gateway ip y.y.y.254
        ip ospf 1 area x.x.x.x
    interface vlan 1000
        description --- OSPF EXCHANGE BETWEEN VSX ---
        ip address 192.168.1.1/30
        ip ospf 1 area x.x.x.x
        no ip ospf passive
        ip ospf network point-to-point
        ip ospf authentication message-digest
        ip ospf message-digest-key 1 md5 ciphertext xxxxxxxxxxxxxxxxxxxxxxxx
    vsx
        system-mac 02:01:00:00:01:00
        inter-switch-link lag 256
        role primary
        keepalive peer 192.168.0.1 source 192.168.0.0 vrf KA
        vsx-sync acl-log-timer bfd-global bgp copp-policy dhcp-relay dhcp-server dns icmp-tcp lldp loop-protect-global mac-lockout mclag-interfaces neighbor ospf qos-global route-map sflow-global snmp ssh stp-global time vsx-global
    !
    router ospf 1
        router-id x.x.x.x
        passive-interface default
        area x.x.x.x stub


    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------
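
A pre-staging check for the single-member setup discussed in this thread, as an added example that is not part of any post and is not Aruba tooling: it parses a saved running-config in the syntax of the configuration posted above and reports which items from the checklist in reply 2 are still missing. The function names and the sample config are constructed, and it assumes the keepalive line carries `source` and `vrf` as in the posted config.

```python
import re

# Constructed sample, trimmed to the syntax of the config posted in this thread.
SAMPLE = """\
interface lag 1 multi-chassis
interface lag 256
interface 1/1/1
    lag 1
interface 1/1/22
    vrf attach KA
    ip address 192.168.0.0/31
interface 1/1/23
    lag 256
interface vlan 1
    active-gateway ip mac 12:01:00:00:01:00
vsx
    inter-switch-link lag 256
    role primary
    keepalive peer 192.168.0.1 source 192.168.0.0 vrf KA
"""

def stanzas(text):
    """Map each top-level config line to its indented child lines."""
    blocks = re.findall(r"^(\S.*)\n?((?:[ \t]+\S.*\n?)*)", text, re.M)
    return {h.strip(): [c.strip() for c in b.splitlines()] for h, b in blocks}

def prestage_gaps(text):
    """Return the checklist items a single-member VSX config is still missing."""
    cfg = stanzas(text)
    vsx = "\n".join(cfg.get("vsx", []))
    # LAG ids that have at least one physical port assigned to them
    used = {c[4:] for k, v in cfg.items() if re.match(r"interface \d", k)
            for c in v if c.startswith("lag ")}
    isl = re.search(r"^inter-switch-link lag (\d+)", vsx, re.M)
    ka = re.search(r"^keepalive peer \S+ source (\S+) vrf (\S+)", vsx, re.M)
    mclags = [k.split()[2] for k in cfg if re.fullmatch(r"interface lag \d+ multi-chassis", k)]
    checks = {
        "vsx role": bool(re.search(r"^role \S+", vsx, re.M)),
        "ISL LAG with member ports": bool(isl) and f"interface lag {isl[1]}" in cfg and isl[1] in used,
        "keepalive source interface": bool(ka) and any(
            f"vrf attach {ka[2]}" in v and any(c.startswith(f"ip address {ka[1]}/") for c in v)
            for v in cfg.values()),
        "multi-chassis LAG with member ports": bool(mclags) and all(n in used for n in mclags),
        "active gateway SVI": any(k.startswith("interface vlan ") and any(
            c.startswith("active-gateway ip") for c in v) for k, v in cfg.items()),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(prestage_gaps(SAMPLE))
```

An empty list means every checklist item is present in the config; it says nothing about operational state such as the "Blocked by VSX" condition reported in reply 3.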