Chapter 5 — Link Aggregation, LACP, and VSX Multi-Chassis LAG

Think of a LAG like a multi-lane highway built between two cities. One lane (a single physical link) might carry the load most days, but during rush hour, or when a lane is closed for maintenance, the highway needs more capacity and redundancy. A LAG bundles multiple physical interfaces into one logical highway: bandwidth scales (close to) linearly, and a single lane closure doesn't shut down the road.

Static vs LACP

AOS-CX supports two LAG flavors:

• Static LAG — both ends are configured manually. There is no negotiation. If you wire it correctly and the configs match, traffic flows. If a member is misconfigured or the wrong port is patched, the switch happily forwards into a black hole.
• Dynamic LAG (LACP, IEEE 802.3ad) — both ends exchange LACPDUs (Link Aggregation Control Protocol Data Units) to verify the partner, agree on which member ports are eligible, and detect mis-cabling before forwarding starts.

Analogy: A static LAG is like a handshake agreement between two contractors — fast, but if either side forgets, the work doesn't line up. LACP is the same handshake plus a signed contract that's re-checked every second.

In AOS-CX, every LAG starts as static. You opt in to LACP by adding lacp mode active (or passive) under the LAG interface.

Static LAG configuration

switch# configure terminal
switch(config)# interface lag 1
switch(config-lag-if)# description "Static LAG to Peer"
switch(config-lag-if)# no shutdown
switch(config-lag-if)# exit
switch(config)# interface 1/1/1
switch(config-if)# lag 1
switch(config-if)# no shutdown
switch(config)# interface 1/1/2
switch(config-if)# lag 1
switch(config-if)# no shutdown

Convert to LACP

switch(config)# interface lag 20
switch(config-lag-if)# description "LACP LAG to Peer"
switch(config-lag-if)# lacp mode active
switch(config-lag-if)# lacp rate fast
switch(config-lag-if)# no shutdown

lacp rate fast shortens the LACPDU heartbeat from 30 s to 1 s — failure detection in roughly 3 s.

LACP Active vs Passive

The rule: at least one side must be active. Passive-on-passive is the silent-treatment failure mode.

LAG Hash Algorithms

The switch decides which member port carries each frame using a hash over packet fields (typically src/dst MAC, IP, and L4 ports). Consistency matters because reordering frames within a flow breaks TCP performance. AOS-CX uses an L2/L3/L4 hash by default. Two 10G members yield 20G aggregate but still 10G max per flow.

Member Port Consistency

• Speed and duplex — cannot mix 1G and 10G members.
• VLAN membership — all members carry the same trunk/access VLAN configuration.
• MTU and storm control — applied at the LAG level, inherited by members.
• L2 vs L3 mode — a routed LAG must have all members in routed mode.

Always configure VLAN/L3 settings on the LAG interface, never on individual members.

LACP Fallback-Static

From AOS-CX 10.02, lacp fallback-static lets one member port forward traffic if the LACP partner is unresponsive — the classic PXE-boot fix.

switch(config)# interface lag 30
switch(config-lag-if)# lacp mode active
switch(config-lag-if)# lacp fallback-static

Verification

switch# show interface lag 1
switch# show lacp interfaces

Healthy member shows flags: ALFNCD — Active, Long-timeout, Fast/slow, In-sync, Collecting, Distributing.

A LAG handles redundancy within one chassis. But what if the chassis fails? Stacking shares a single control plane (one bug, everyone falls down). VSX takes a different approach.

VSX (Virtual Switching Extension) clusters exactly two AOS-CX switches with independent control planes that synchronize state over a dedicated link. From a downstream device's perspective, the pair acts as one switch — but each peer runs its own copy of OSPF, BGP, STP, and management processes. If one peer reboots or hits a bug, the other keeps forwarding.

Analogy: Stacking is one brain controlling two bodies — efficient until the brain has a stroke. VSX is two pilots in a cockpit, each fully qualified, sharing notes constantly. If one passes out, the other already knows the plan.

ISL — Inter-Switch Link

The ISL is a multi-chassis LAG between the two VSX peers carrying:

• L2 control sync — MAC table, ARP, IGMP snooping
• Configuration sync — anything tagged vsx-sync
• Data fallback — traffic destined to a peer-only egress

Sizing rule: ISL bandwidth should equal the largest single VSX LAG capacity, or higher.

interface lag 100 multi-chassis
   description ISL
   no shutdown
   no routing
   vlan trunk native none
   vlan trunk allowed all
   lacp mode active

interface 1/1/4
   lag 100
interface 1/1/5
   lag 100

vsx
   inter-switch-link lag 100

Keepalive

The keepalive is a dedicated L3 link (not the ISL) used to detect peer aliveness. If the ISL goes down, both peers consult the keepalive: if alive but ISL-disconnected, peers enter a defined recovery state. If both ISL and keepalive are down, each assumes the partner is dead.

vrf ka

interface 1/1/6
   vrf attach ka
   ip address 192.168.0.1/30
   no shutdown

vsx
   keepalive peer 192.168.0.2 source 192.168.0.1 vrf ka

Primary vs Secondary Role

vsx
   system-mac 02:01:00:00:01:00
   inter-switch-link lag 100
   role primary
   keepalive peer ...

Both peers actively forward data. The role matters for: configuration sync direction, tie-breaking, and LSU orchestration. A shared system-mac is required so downstream LACP partners see one System ID across both chassis.

Active-Gateway and Active-Forwarding

Both peers respond to the same virtual IP and MAC on a VLAN. Any host can route locally through whichever peer it reaches first — no failover delay because there is no failover.

vlan 10
   name employee

interface vlan 10
   description employee
   vsx-sync active-gateways
   ip address 172.17.0.2/24
   active-gateway ip 172.17.0.1 mac 12:00:00:00:00:01

vsx-sync Configuration

A VSX LAG (also called MC-LAG, multi-chassis LAG) is a single logical LAG whose member ports are split across the two VSX peers. The downstream device believes it is talking to one switch with two links.

Analogy: Two phone lines from two different carriers, but a magic phone that lets you publish one number that rings on both.

Defining VSX Peers and ISL — Putting It All Together

A complete minimal VSX bring-up on the primary:

! 1. Define the ISL LAG
interface lag 100 multi-chassis
   no shutdown
   no routing
   vlan trunk native none
   vlan trunk allowed all
   lacp mode active

interface 1/1/49
   lag 100
interface 1/1/50
   lag 100

! 2. Keepalive in its own VRF
vrf ka
interface 1/1/48
   vrf attach ka
   ip address 192.168.0.1/30
   no shutdown

! 3. Bind under VSX
vsx
   system-mac 02:01:00:00:01:00
   inter-switch-link lag 100
   role primary
   keepalive peer 192.168.0.2 source 192.168.0.1 vrf ka
   linkup-delay-timer 180

The linkup-delay-timer prevents a rebooted peer from forwarding on its VSX LAG members until it has fully synced state. Without it, the rebooted peer might attract traffic and black-hole it for 30+ seconds.

Multi-Chassis LAGs — Configuring a VSX LAG

Identical config on both peers, with one member port from each peer:

interface lag 10 multi-chassis
   description "VSX LAG to ToR-1"
   no shutdown
   no routing
   vlan trunk native 1
   vlan trunk allowed 10,20,30
   lacp mode active

Then, on each peer, add a local member:

! Primary
interface 1/1/1
   description "ToR-1 link 1"
   lag 10

! Secondary
interface 1/1/1
   description "ToR-1 link 2"
   lag 10

Split-Brain Prevention

Crucial: the keepalive must ride a different physical path from the ISL.

VSX State Machine

stateDiagram-v2
    [*] --> Booting
    Booting --> LinkupDelay: chassis powers on
    LinkupDelay --> ActiveActive: timer expires; ISL up; KA up
    ActiveActive --> ISLDown_KAUp: ISL fails
    ActiveActive --> ISLUp_KADown: keepalive fails
    ISLDown_KAUp --> SecondaryShutdownVSXLAGs: secondary disables VSX LAG members
    SecondaryShutdownVSXLAGs --> ActiveActive: ISL restored
    ISLUp_KADown --> ActiveActive: keepalive restored
    ActiveActive --> SplitBrain: ISL and KA both fail
    SplitBrain --> ActiveActive: both restored; renegotiate
    ActiveActive --> [*]: graceful shutdown

Verification

switch# show vsx status
switch# show vsx brief
switch# show vsx config
switch# show vsx config keepalive
switch# show interface lag 10
switch# show lacp interfaces
switch# show lacp aggregates

A healthy show vsx status confirms ISL up, keepalive established, roles primary/secondary, configuration in-sync, and linkup-delay timer expired.

Standing up a VSX pair is the easy part. The real test is upgrading it without taking the network down.

Live Software Upgrades (LSU / ISSU)

A single-command rolling upgrade of a VSX pair, run on the primary:

switch# vsx update-software tftp://10.1.1.5/CX-10.07.swi secondary vrf mgmt

The flow:

1. Image staging — secondary downloads to its secondary partition; primary's running code is untouched.
2. Secondary reboots to the new image. Primary handles all traffic via VSX LAG redistribution and ISL (~1–3 min window).
3. Secondary rejoins with the new code, takes over forwarding.
4. Primary upgrades and reboots. Newly upgraded secondary now handles traffic.
5. Primary rejoins with the new code. Roles return to original.

Pre-flight Checklist

LSU is hardware-specific. Virtual AOS-CX (OVA distribution) cannot be live-upgraded — it requires deploying a new VM and migrating config.

VSX Restore and Recovery

1. Replace the chassis (identical model required).
2. Restore configuration from backup.
3. Reconnect ISL and keepalive cables before powering on, if possible.
4. The healthy peer detects the new chassis via keepalive and ISL.
5. vsx-sync pushes synchronized configuration to the new peer automatically.
6. Verify with show vsx status and confirm both peers are in-sync before declaring complete.

VSX vs Stacking vs VSF — Comparison

The trade-off: VSF is simpler to manage; VSX is more resilient.

Best Practices Summary

• Always use LACP between switches and to dual-homed servers — silent miswires are the #1 cause of VSX LAG outages.
• Always set linkup-delay-timer — without it, a rebooted peer can black-hole traffic for 30+ seconds.
• Keepalive on a different physical path than the ISL — same bundle = shared single point of failure.
• vsx-sync everything — VLANs, active-gateways, ACLs.
• Match models exactly — VSX requires identical hardware. A 8325 cannot peer with a 8320.
• Pre-stage images before LSU.
• Test failover in lab — pull the ISL, pull the keepalive, kill a peer.
• Document the role mapping — knowing which physical chassis is "primary" matters at 3 AM.