VDC High Availability
The Cisco NX-OS software platform incorporates a high-availability feature set that helps ensure minimal or no effect on the data plane should the control plane fail. Different high-availability service levels are provided, from service restart to stateful supervisor switchover to ISSU without affecting data traffic.
Should a control plane failure occur, the administrator has a set of options that can be configured on a per-VDC basis defining what action will be taken regarding that VDC. Three actions can be configured: restart, bringdown, and reset. The restart option will delete the VDC and then re-create it with the running configuration. This configured action will occur regardless of whether there are dual supervisors or a single supervisor present in the chassis. The bringdown option will simply delete the VDC. The reset option will issue a reset for the active supervisor when there is only a single supervisor in the chassis. If dual supervisors are present, the reset option will force a supervisor switchover.
The default VDC always has a high-availability option of reset assigned to it. Subsequent VDCs created will have a default value of bringdown assigned to them. This value can be changed under configuration control.
Stateful switchover is supported with dual supervisors in the chassis. During the course of normal operation, the primary supervisor will constantly exchange and synchronize its state with the redundant supervisor. A software process (watchdog) is used to monitor the responsiveness of the active (primary) supervisor. Should the primary supervisor fail, a fast switchover is enacted by the system. Failover occurs at both the control plane and data plane layers. At supervisor switchover, the data plane continues to use the Layer 2– and Layer 3–derived forwarding entries simply by maintaining the state written into the hardware. For the control plane, the graceful restart process that is part of nonstop forwarding (NSF) is used to provide failover for Layer 3. For Layer 2, the control plane is maintained by locally stateful PSS mechanisms. This process provides for the following:
- Uninterrupted forwarding during a failover
- Rapid recovery from the failure to a stable operating state
- A nondisruptive recovery mechanism that will not render the network unstable during the recovery process
Table 5-6 shows the result of various policy configurations, depending on single-supervisor or dual-supervisor module configuration.
Table 5-6 Single-Supervisor vs. Dual-Supervisor Policy Implications
Module Configuration | Policy | Result |
Single supervisor | Bringdown | This policy puts the VDC in the failed state. |
Single supervisor | Restart | This policy takes down the VDC processes and interfaces and restarts them using the startup configuration (default policy for nondefault VDC). |
Single supervisor | Reload | This policy reloads the supervisor module (default policy for default VDC). |
Dual supervisor | Bringdown | This policy puts the VDC in the failed state. |
Dual supervisor | Restart | This policy takes down the VDC processes and interfaces and restarts them using the startup configuration. |
Dual supervisor | Switchover | This policy initiates a supervisor module switchover (default policy for default and nondefault VDC). |
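The following is an added example, not taken from the original text or from Cisco software: a Python check that reads per-VDC HA policies and flags any VDC set to bringdown or to a policy outside Table 5-6. The sample output is constructed, and the `vdc ha policy` and `vdc dual-sup ha policy` field labels are an assumption about what `show vdc detail` prints.

```python
import re

# Constructed sample in the style of `show vdc detail` (field labels are assumed).
SAMPLE = """\
vdc id: 1
vdc name: core
vdc ha policy: RELOAD
vdc dual-sup ha policy: SWITCHOVER

vdc id: 2
vdc name: dmz
vdc ha policy: BRINGDOWN
vdc dual-sup ha policy: BRINGDOWN

vdc id: 3
vdc name: lab
vdc ha policy: RESTART
vdc dual-sup ha policy: SWITCHOVER
"""

# Policies listed in Table 5-6 for each supervisor configuration.
VALID = {"single": {"BRINGDOWN", "RESTART", "RELOAD"},
         "dual": {"BRINGDOWN", "RESTART", "SWITCHOVER"}}

def parse_vdcs(text):
    """Return one dict per VDC, keyed by lower-cased field label."""
    vdcs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        parts = (line.partition(":") for line in block.splitlines())
        fields = {k.strip().lower(): v.strip() for k, sep, v in parts if sep}
        if "vdc name" in fields:
            vdcs.append(fields)
    return vdcs

def audit(vdcs):
    """Return (vdc name, finding) pairs for bringdown or out-of-table policies."""
    findings = []
    for v in vdcs:
        for kind, label in (("single", "vdc ha policy"), ("dual", "vdc dual-sup ha policy")):
            policy = v.get(label, "").upper()
            if policy not in VALID[kind]:
                findings.append((v["vdc name"], f"{kind}-sup policy {policy or 'missing'} not in Table 5-6"))
            elif policy == "BRINGDOWN":
                findings.append((v["vdc name"], f"{kind}-sup BRINGDOWN leaves the VDC in the failed state"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{name}: {msg}" for name, msg in audit(parse_vdcs(SAMPLE))))
```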
ISSU is another important aspect of high availability that has a direct effect on VDCs. ISSU allows the administrator to install and activate a new version of software in a chassis that is running two supervisors. The software upgrade can be applied to the backup supervisor, and then a switchover to that upgraded supervisor is invoked. The other supervisor is then upgraded with the same new set of software; all the while the system maintains data flow without interruption. ISSU cannot be applied on a per-VDC basis. The installed software on the chassis is applicable for all active VDCs.