Wired Intelligent Edge

 View Only

  • 1.  VSX Square Configuration

    Posted Jan 04, 2026 08:13 AM
      |   view attached

    Dear Team,

    I am currently working on configuring VSX across two pairs of HPE Aruba 8100 switches-one Core VSX pair and one Aggregate VSX pair (total of four switches). The VSX setup is already in place on these switches, with the pairs interconnected and access switches linking to both. Additionally, the FortiGate firewalls are configured in HA mode, and I need to establish routing on the VSX pairs.

    Could you please provide guidance on interconnecting the two VSX pairs (Core and Aggregate) and the specific CLI commands required for routing configuration on the Core and Aggregate VSX pairs? I have attached the relevant diagram from the VSX Configuration Best Practices guide for reference and would greatly appreciate your assistance.





    -------------------------------------------


  • 2.  RE: VSX Square Configuration

    Posted Jan 04, 2026 10:32 PM

    Good question; VSX best practices by my team member Vincent Giles covers this topic.

    First, AOS-CX recommended architectures are simple yet compelling.

    Simple consideration:

    Active/active L2 to the access switches(IDF) using VSX LAGs.
    L3 adjacencies (OSPF recommended for campus IGP) between both members of each VSX pair and their upstream/downstream neighbors for fast convergence and ECMP.
    VSX keepalive on an independent path/VRF (ideally OOBM or a dedicated /31 mgmt VRF) to guarantee split detection even if the ISL fails.

    Interfaces & VLANs

    • ISL: 100G (or 40G) LAG between VSX peers; jumbo MTU (e.g., 9198).
    • Transit VLAN(s) between Core and Aggregate VSX pairs (if you prefer routed SVIs) or routed point‑to‑point links (recommended) with OSPF network-type point‑to‑point to avoid DR/BDR election. 
    • Active-Gateway on user VLANs at the Aggregate to provide anycast GW across the two members.

    We have two clean options. Both are documented and validated:

    L3 point‑to‑point routed links (recommended for simplicity & fast OSPF convergence)

    • Four cross‑connects: Agg‑A → Core‑A, Agg‑A → Core‑B, Agg‑B → Core‑A, Agg‑B → Core‑B.
    • OSPF area 0 is configured between the Core and Aggregation layers, ip ospf network point-to-point on all routed links.
    • ECMP will naturally load-balance north-south traffic.

    Transit VLAN(s) with SVIs

    • Use one or more dedicated Transit VLANs that carry only routing traffic; user VLANs remain at the Aggregate.
    • Works well when you want per‑VRF separation using sub‑interfaces on the upstream links.

    Either approach is fine; most campus buildings use Option 1 for lower operational overhead. (Vincent can correct me here).

    Regarding Configuration: The VSX best practice document is best; if you need quick configuration, we can share.

    Then regarding FortiGate HA touchpoints (northbound), most customers connect the FortiGate HA pair to the Core VSX on L3 point‑to‑point interfaces and run OSPF for route exchange. Keep it simple and deterministic.

    Would you like to use OSPF end‑to‑end (Aggregate↔Core and Core↔FortiGate) or do you plan to run BGP northbound to the firewalls and OSPF southbound?

    Best,

    Yash

    -------------------------------------------

    Original Message


  • 3.  RE: VSX Square Configuration

    Posted Jan 12, 2026 08:28 AM

    Dear Sir,

    Apologies for the late reply. Thank you very much for providing the solution to my post.

    I have reviewed Step #14 (OSPF configuration) from the VSX Best Practices guide. However, the guide does not mention the core switches configuration.

    I kindly request you to share the configuration steps for the CORE-VSX-PAIR and AGG-VSX-PAIR, specifically covering:

    • Transit VLAN

    • OSPF

    • Aggregate ↔ Core connectivity

    • Core ↔ FortiGate connectivity

    I Would like to use OSPF end-to-end (Aggregate ↔ Core ↔ FortiGate)

    Thank you very much for your time and support on this matter.

    -------------------------------------------

    Original Message


  • 4.  RE: VSX Square Configuration

    Posted Jan 13, 2026 06:11 AM

    you may use configuration p279. (also use p248).


    Original Message


  • 5.  RE: VSX Square Configuration

    Posted Jan 15, 2026 02:47 AM

    Dear Sir,

    Thank you very much for the information. I would like to implement the configuration mentioned on the page 279. However, I have a few doubts. Request you to please clarify them. 

    We currently have two 100G DAC cables and four 10G DAC cables available. Instead of using the four 10G DAC cables as specified on page 279, is it acceptable to use the two 100G DAC cables to interconnect the Core-VSX Pair (8100) to the Agg-VSX Pair (8100)? If feasible, could you please provide the configuration steps.

    And I assume, based on page 279, that routing is enabled on the Core Pair.

    Tank you for your help and support.

    -------------------------------------------

    Original Message


  • 6.  RE: VSX Square Configuration

    Posted Jan 15, 2026 03:32 AM

    From the proposed configuration, just remove one link from each layer-device, and keep only one link per node to interconnect to the direct upstream peer: for instance TOR-1a connected to Agg-1a only through 1/1/149 to 1/1/1. The other link 1/1/50-1/1/1 being absent. You 'll have the same VSX LAG (i.e. MCLAG) between core and TOR.

    Here it is assume TOR does not host SVI (L3 VLAN interface). In your case, if agg-VSX pair host SVI, then your links to Core can be routed port. VSX in the core is useful if you have L2 connectivity: either because agg does not L3, or because FW Act/Stb set-up makes easier to deploy interco links with VSX LAG between FW and Core.

    -------------------------------------------

    Original Message


Related Content