If you run VSS in the Distribution tier of your network then spanning tree won't block OSI Layer2 uplinks from the Access tier. Therefore you double the bandwidth of these uplinks.
With OSI Layer3 uplinks from the Distribution to the Core you don't have this issue so the need for VSS is reduced. However you stated that you have 4948E switches in the Core. These switches don't support VSS.
You will only be able to implement VRF-Lite on the hardware you listed above. It depends on your business requirements if you need to support a full MPLS VPN network. If that is the case then you would need to look to deploying 6500s in the Distribution tier.
For redundancy I would muli-home each 2960 to each 4500X.
This document will provide screenshots to outline the steps to setup
TACACS+ configuration to ACI and also the configuration required on
Cisco ACS server. Please find the official Cisco guide for configuring
TACACS+ Authentication to ACI:
Is it supported or NOT supported? It's a frequently asked question.
Before APIC, release 2.3(1f), transit routing was not supported within a
single L3Out profile. In APIC, release 2.3(1f) and later, you can
configure transit routing with a single L3Out pr...
Cisco Documents are usually accurate, but when it came to the document
on Cisco APIC Signature-Based Transactions it was slightly off the mark.
This document is for those novices to API like me who cant seem to
figure out how to go about performing signat...