Thursday, 18 October 2018

VXLAN Part XIII: Firewall Implementation to VXLAN Fabric

Now you can also download my VXLAN book from Leanpub.com:
"Virtual Extensible LAN VXLAN - A Practical guide to VXLAN Solution Part 1" (373 pages).

In this post, I am going to show how to implement an Active/Standby FW Cluster into a VXLAN Fabric. Figure 13-1 shows the logical view of the example setup, where we have two server networks: 192.168.30.0/24 (VLAN 30 - protected) and 192.168.11.0/24 (VLAN 10 - non-protected). We also have an Active/Standby FW Cluster connected to a dedicated Service Leaf vPC Cluster (Leaf-102 and Leaf-103). The Anycast Gateway (AGW) for the network 192.168.11.0/24 resides in the Server Leaf-101, while the gateway for the protected network 192.168.30.0/24 resides in the Firewall (Inside Zone). Protected hosts in VLAN 30 use the VXLAN Fabric only as an L2 transport network. For simplicity, the Spine switch is not shown in figure 13-1.

Figure 13-1: Example Topology and IP addressing


Note! Instead of using actual Firewall devices in this lab, I am using two Layer 3 switches to simulate Firewall functions. To achieve the Active/Standby redundancy model, I am using HSRP, and for the stateful filtering, I am using a reflexive access-list between VLAN 20 and VLAN 30. There is no state synchronization between the “Firewalls”.

Figure 13-1 at the beginning of the post shows the overall picture of the solution. Now we are going to build it step by step.

Protected segment

Server Leaf-101, to which host Abba is connected, has VLAN 30 mapped to L2VNI 30000. BGP EVPN is used as the Control Plane protocol to advertise host MAC/IP information. The same configuration is also added to Server Leaf-102, but as we can see in figure 13-2, neither switch has an Anycast Gateway configured for VLAN 30. The Default Gateway for VLAN 30 is configured on FW-1. This is one way to create a protected segment in a VXLAN fabric.

Figure 13-2: Protected network

The L2 configuration of the Leaf switches from the protected network perspective is shown in example 13-1. First, we map VLAN 30 to L2VNI 30000, and then we add it under the EVPN configuration, since we need to advertise MAC/IP reachability information to other Leaf switches with BGP EVPN. Under the NVE1 interface, we define the L2VNI-specific settings such as ARP suppression and the multicast group for BUM traffic.

vlan 30
  name L2VNI-for-VLAN30
  vn-segment 30000
!
evpn 
  vni 30000 l2
    rd auto
    route-target import auto
    route-target export auto
!
interface nve1
  member vni 30000
   suppress-arp
   mcast-group 238.0.0.10
!
Example13-1: Leaf switches L2 configurations.

The FW-1 configuration related to VLAN 30 can be seen in example 13-2. Note that I have already configured the HSRP-related parameters, such as the virtual IP address, for VLAN 30.

vlan 30
 name ** Inside **
!
interface Vlan30
 description ** Inside **
 ip address 192.168.30.11 255.255.255.0
 standby 30 ip 192.168.30.1
 standby 30 priority 110
 standby 30 timers 1 3
 standby 30 preempt
!
Example13-2: FW-1 configurations.

Non-Protected segment

The configuration for the non-protected segment in Leaf-101 is shown in example 13-3. First, we create VLAN 10 and map it to L2VNI 10000, and we create an Anycast Gateway for the network 192.168.11.0/24. Then we add L2VNI 10000 under the EVPN configuration. Under the NVE1 interface, we define the L2VNI-specific settings such as ARP suppression and the multicast group for BUM traffic, just like we did with the protected network.

Figure 13-3: Non-protected network

vlan 10
  name L2VNI-for-VLAN10
  vn-segment 10000
!
interface Vlan10
  no shutdown
  vrf member TENANT77
  ip address 192.168.11.1/24
  fabric forwarding mode anycast-gateway
!
evpn
  vni 10000 l2
    rd auto
    route-target import auto
    route-target export auto
!
interface nve1
  member vni 10000
    suppress-arp
    mcast-group 238.0.0.10

Example13-3: Server Leaf-101 configuration for the non-protected network.

If we compare the segment between FW-1 and Service Leaf-102, we can see that it follows exactly the same design principles as the non-protected segment 192.168.11.0/24 in Server Leaf-101. We have VLAN 20, which has VNI 20000; it has an Anycast Gateway, it uses the EVPN Control Plane, and the optional parameters are defined under the NVE1 interface. So from the VXLAN fabric perspective, FW-1 is the same kind of host as Abba. Example 13-4 shows the Server Leaf-102 configuration and example 13-5 shows the FW-1 configuration. Note that the configurations of the physical interfaces are excluded from both examples (but can be found in Appendix 1 at the end of the post).

vlan 20
  name L2VNI-for-VLAN20
  vn-segment 20000
!
interface Vlan20
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip address 192.168.12.1/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
!
interface nve1
  member vni 20000
    suppress-arp
    mcast-group 238.0.0.10
!
evpn
  vni 20000 l2
    rd auto
    route-target import auto
    route-target export auto
Example13-4: Service Leaf-102 configuration for the FW-1 Leaf-102 segment.

vlan 20
 name ** Outside **
!
interface Vlan20
 description ** Outside **
 ip address 192.168.12.11 255.255.255.0
 standby 20 ip 192.168.12.2
 standby 20 priority 110
 standby 20 preempt
 standby 20 timers 1 3
Example13-5: FW-1 configuration for the FW-1 Leaf-102 segment.

Now we have defined two networks: segment 192.168.11.0/24 is located only on Server Leaf-101, and the subnet between FW-1 and Server Leaf-102 is located on Server Leaf-102 and FW-1. The data path between these two segments goes through SVI 77, which is used for inter-VNI routing in the vrf context TENANT77. The configuration related to inter-VNI routing can be seen in example 13-6.

vlan 77
  name TENANT77
  vn-segment 10077
!
interface Vlan77
  no shutdown
  vrf member TENANT77
  ip forward
!
vrf context TENANT77
  vni 10077
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
!
interface nve1
  host-reachability protocol bgp
  member vni 10077 associate-vrf
!
router bgp 65000
   vrf TENANT77
    address-family ipv4 unicast
      advertise l2vpn evpn
Example13-6: inter-VNI routing configuration.
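A consistency check over the leaf configuration built in examples 13-1 to 13-6, written as an added Python example (it is not part of the post). It splits NX-OS config fragments into blocks by indentation, verifies that every VLAN with a vn-segment has the matching "vni ... l2" stanza under evpn and a member entry under interface nve1, and flags a protected VLAN that has an SVI with "fabric forwarding mode anycast-gateway", because such a gateway would let the fabric route into 192.168.30.0/24 without the traffic ever passing FW-1. The good input is the page's own Leaf-101 configuration; the misconfigured variant with an anycast SVI for VLAN 30 is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Leaf-101 fragments from examples 13-1 and 13-3 (the page's own lines),
# concatenated into one input for the checker.
LEAF101_CFG = """\
vlan 10
  name L2VNI-for-VLAN10
  vn-segment 10000
vlan 30
  name L2VNI-for-VLAN30
  vn-segment 30000
!
interface Vlan10
  no shutdown
  vrf member TENANT77
  ip address 192.168.11.1/24
  fabric forwarding mode anycast-gateway
!
evpn
  vni 10000 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 30000 l2
    rd auto
    route-target import auto
    route-target export auto
!
interface nve1
  member vni 10000
    suppress-arp
    mcast-group 238.0.0.10
  member vni 30000
    suppress-arp
    mcast-group 238.0.0.10
"""

# Constructed misconfiguration: an SVI with an anycast gateway is added for
# the protected VLAN 30, reusing the firewall VIP 192.168.30.1 as its address.
LEAF101_BAD_CFG = LEAF101_CFG + """\
interface Vlan30
  no shutdown
  vrf member TENANT77
  ip address 192.168.30.1/24
  fabric forwarding mode anycast-gateway
"""

Block = Tuple[str, List[str]]


def parse_blocks(cfg: str) -> List[Block]:
    """Split NX-OS config by indentation: an unindented line opens a block,
    indented lines (any depth) belong to the most recent block."""
    blocks: List[Block] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_segments(cfg: str, protected_vlans: Tuple[int, ...]) -> List[str]:
    """Check VLAN -> L2VNI -> EVPN -> NVE consistency and that no protected
    VLAN has an anycast gateway on this leaf. Returns human-readable findings."""
    vlan_vni: Dict[int, int] = {}
    evpn_vnis, nve_vnis, agw_svis = set(), set(), set()
    for header, body in parse_blocks(cfg):
        text = "\n".join(body)
        vlan = re.fullmatch(r"vlan (\d+)", header)
        svi = re.fullmatch(r"interface Vlan(\d+)", header)
        if vlan:
            seg = re.search(r"^vn-segment (\d+)$", text, re.M)
            if seg:
                vlan_vni[int(vlan.group(1))] = int(seg.group(1))
        elif header == "evpn":
            evpn_vnis.update(int(x) for x in re.findall(r"^vni (\d+) l2$", text, re.M))
        elif header == "interface nve1":
            nve_vnis.update(int(x) for x in re.findall(r"^member vni (\d+)", text, re.M))
        elif svi and "fabric forwarding mode anycast-gateway" in body:
            agw_svis.add(int(svi.group(1)))
    findings: List[str] = []
    for vid, vni in sorted(vlan_vni.items()):
        if vni not in evpn_vnis:
            findings.append(f"VLAN {vid}: no 'vni {vni} l2' stanza under evpn")
        if vni not in nve_vnis:
            findings.append(f"VLAN {vid}: L2VNI {vni} is not a member of interface nve1")
    for vid in protected_vlans:   # the protected segment must have no fabric gateway
        if vid in agw_svis:
            findings.append(f"VLAN {vid}: anycast gateway on a protected VLAN bypasses the firewall")
    return findings


if __name__ == "__main__":
    print("Leaf-101:", audit_segments(LEAF101_CFG, (30,)) or "clean")
    print("Leaf-101 with anycast Vlan30:", audit_segments(LEAF101_BAD_CFG, (30,)))
```

Run it against the running-config of every leaf that carries the protected VLAN; the anycast check is the one that matters for the design, since on a leaf with an anycast SVI for VLAN 30 hosts would ARP for 192.168.30.1 and get the fabric's gateway MAC instead of the HSRP virtual MAC of the firewall.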

Figure 13-4 shows what we have done so far. We should now have connectivity from host Abba to the FW-1 Inside interface IP address 192.168.30.1. We should also have connectivity from host Beef to the FW-1 Outside interface IP address 192.168.12.2.

Figure 13-4: Logical view

We can verify IP connectivity by using ping.

Beef#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/66 ms
Example13-7: Connectivity verification from Beef to FW-1 Outside interface.

Abba#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms
Example13-8: Connectivity verification from Abba to FW-1 Inside interface.

If we test the connection between Abba and Beef, we can see that something is still missing.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Example13-9: Connectivity verification from Beef to Abba.

If we take a look at the BRIB on Leaf-101, the route to the network 192.168.30.0/24 is missing. It does, however, have BGP route-type 2 information about the MAC/IP addresses of all hosts in the segment (Abba, the FW-1 virtual IP, and the physical IP). This means that we do have intra-VNI connectivity (which was tested by pinging from Abba to the inside interface of FW-1), but we do not have an IP connection between the networks 192.168.11.0/24 and 192.168.30.0/24.

Leaf-101# sh bgp l2vpn evpn
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 198, Local Router ID is 192.168.77.101
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 192.168.77.101:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[0]:[0.0.0.0]/216
                      192.168.100.101                   100      32768 i
*>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[32]:[192.168.11.12]/272
                      192.168.100.101                   100      32768 i

Route Distinguisher: 192.168.77.101:32787    (L2VNI 20000)
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i

Route Distinguisher: 192.168.77.101:32797    (L2VNI 30000)
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>l[2]:[0]:[0]:[48]:[2000.0020.abba]:[0]:[0.0.0.0]/216
                      192.168.100.101                   100      32768 i
*>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[32]:[192.168.30.1]/248
                      192.168.100.23                    100          0 i
*>l[2]:[0]:[0]:[48]:[2000.0020.abba]:[32]:[192.168.30.30]/248
                      192.168.100.101                   100      32768 i
*>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[32]:[192.168.30.11]/248
                      192.168.100.23                    100          0 i

Route Distinguisher: 192.168.77.102:3
*>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i

Route Distinguisher: 192.168.77.102:32787
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i

Route Distinguisher: 192.168.77.102:32797
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[32]:[192.168.30.1]/248
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[32]:[192.168.30.11]/248
                      192.168.100.23                    100          0 i

Route Distinguisher: 192.168.77.101:3    (L3VNI 10077)
*>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i
Example13-10: BRIB from Leaf-101

To fix this, we need to tell Server Leaf-102 where the network 192.168.30.0/24 is located and then redistribute this information into BGP. This way Server Leaf-101 also gets the routing information. We could, of course, use dynamic routing instead of a static route, but for simplicity, I am using a static route towards the outside interface VIP address.

First, we add a static route under the vrf context TENANT77 on Server Leaf-102.

vrf context TENANT77
  vni 10077
  ip route 192.168.30.0/24 192.168.12.2
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
Example13-11: static route on Server Leaf-102

Then we redistribute the static routes matched by the access-list into BGP through the route-map on Server Leaf-102.

ip access-list PROTECTED_SEGMENTS
  10 permit ip 192.168.30.0/24 any
!
route-map PROTECTED_SEGMENTS permit 10
  match ip address PROTECTED_SEGMENTS
!
router bgp 65000
  vrf TENANT77
    address-family ipv4 unicast
      advertise l2vpn evpn
      redistribute static route-map PROTECTED_SEGMENTS
Example13-12: redistribution of the static route in Server Leaf-102.

Now Server Leaf-101 has information on how to reach the network 192.168.30.0/24, as can be seen in example 13-13.

Leaf-101# sh bgp l2vpn evpn vni-id 10077
<snipped>
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 192.168.77.101:3    (L3VNI 10077)
*>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216
                      192.168.100.23                    100          0 i
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i
*>i[5]:[0]:[0]:[24]:[192.168.30.0]:[0.0.0.0]/224
                      192.168.100.102          0        100          0 ?
Example13-13: BRIB on Leaf-101
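A small parser for the "show bgp l2vpn evpn" output of examples 13-10 and 13-13, added here as a Python example (it is not the post's code and not an NX-OS tool). It reads the Route Distinguisher headers and the NLRI lines, pulls the MAC and IP out of route-type 2 entries and the prefix out of route-type 5 entries, and answers the question the two examples pose: does Leaf-101 hold a type-5 route for 192.168.30.0/24, and via which next hop? The sample input is excerpted from the page's own BRIB output; the dictionary layout and the helper names are my own.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the Leaf-101 BRIB from Example 13-10, i.e. before the static
# route for 192.168.30.0/24 was redistributed on Leaf-102 (page's own lines).
BRIB_BEFORE = """\
Route Distinguisher: 192.168.77.101:32777    (L2VNI 10000)
*>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[0]:[0.0.0.0]/216
                      192.168.100.101                   100      32768 i
*>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[32]:[192.168.11.12]/272
                      192.168.100.101                   100      32768 i

Route Distinguisher: 192.168.77.101:32797    (L2VNI 30000)
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[32]:[192.168.30.1]/248
                      192.168.100.23                    100          0 i
*>l[2]:[0]:[0]:[48]:[2000.0020.abba]:[32]:[192.168.30.30]/248
                      192.168.100.101                   100      32768 i

Route Distinguisher: 192.168.77.101:3    (L3VNI 10077)
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i
"""

# The L3VNI section of Example 13-13, after the redistribution.
BRIB_AFTER = """\
Route Distinguisher: 192.168.77.101:3    (L3VNI 10077)
*>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272
                      192.168.100.23                    100          0 i
*>i[5]:[0]:[0]:[24]:[192.168.30.0]:[0.0.0.0]/224
                      192.168.100.102          0        100          0 ?
"""

RD_RE = re.compile(r"^Route Distinguisher:\s+(\S+)(?:\s+\((\w+)\s+(\d+)\))?")
# Status flags (* valid, > best, ...) then the path type (i/l/e/...) then the NLRI.
NLRI_RE = re.compile(r"^(?P<flags>[*>sxSdh ]*)(?P<ptype>[ielcarI])\[")
Route = Dict[str, object]


def parse_evpn_routes(text: str) -> List[Route]:
    """Parse NX-OS 'show bgp l2vpn evpn' output into route dicts.

    Every NLRI line is followed by a line whose first token is the next hop;
    the preceding 'Route Distinguisher' header tells which VNI the routes belong to.
    """
    routes: List[Route] = []
    rd = vni = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        hdr = RD_RE.match(line)
        if hdr:
            rd, vni = hdr.group(1), hdr.group(3)
            i += 1
            continue
        nlri = NLRI_RE.match(line)
        if not nlri:
            i += 1
            continue
        fields = re.findall(r"\[([^\]]*)\]", line)
        nh_tokens = lines[i + 1].split() if i + 1 < len(lines) else []
        route: Route = {
            "rd": rd, "vni": vni, "type": fields[0],
            "path_type": nlri.group("ptype"),
            "best": ">" in nlri.group("flags"),
            "next_hop": nh_tokens[0] if nh_tokens else None,
            "mac": None, "ip": None, "prefix": None,
        }
        if fields[0] == "2":                     # MAC/IP advertisement route
            route["mac"] = fields[4]
            if fields[5] != "0":                 # IP length 0 => MAC-only route
                route["ip"] = fields[6]
        elif fields[0] == "5":                   # IP prefix route
            route["prefix"] = f"{fields[4]}/{fields[3]}"
        routes.append(route)
        i += 2                                   # skip the next-hop line
    return routes


def host_routes(routes: List[Route], ip: str) -> List[Route]:
    """Type-2 routes carrying a given host IP (intra-VNI reachability)."""
    return [r for r in routes if r["type"] == "2" and r["ip"] == ip]


def check_prefix(text: str, prefix: str) -> Tuple[bool, List[str]]:
    """Is there a type-5 route for prefix? Returns (found, sorted next hops).

    Without it a leaf can still bridge to hosts of the segment (type-2 routes)
    but cannot route to the network from another VNI, the Beef -> Abba failure.
    """
    hits = [r for r in parse_evpn_routes(text)
            if r["type"] == "5" and r["prefix"] == prefix]
    return bool(hits), sorted({str(r["next_hop"]) for r in hits if r["next_hop"]})


if __name__ == "__main__":
    print("before:", check_prefix(BRIB_BEFORE, "192.168.30.0/24"))
    print("after: ", check_prefix(BRIB_AFTER, "192.168.30.0/24"))
```

Feed it the full output of "show bgp l2vpn evpn" from a leaf and the result of check_prefix tells you whether the static route on Leaf-102 actually made it through the route-map into the L3VNI, and whether it is advertised with the expected PIP next hop.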

Note! In this phase, I have already configured the vPC configuration in Service Leaf-102. I am using a model where external routes are advertised using the switch Physical IP address (PIP) while fabric-internal routes are advertised using the Virtual IP address (VIP). In our example the Server Leaf-102 VTEP PIP is 192.168.100.102 (the IP associated with NVE1) and the VIP is 192.168.100.23. This is why the next-hop of the route to network 192.168.30.0/24 (the PIP) differs from the next-hop of the FW-1 outside interface address 192.168.12.2 (the VIP).

Now we have IP connectivity between hosts Beef and Abba.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/35/40 ms
Example13-14: Connectivity verification from Beef to Abba.

As a final step, we add a filter between VLAN 30 and VLAN 20, which permits ping to Abba from any source. I am using a reflexive ACL, which is a kind of stateful ACL: whenever there is a hit on an ACL entry with the reflect keyword, the matching flow is reflected/mirrored into a reflexive list so that return traffic is allowed without a static ACL entry. The “show ip access-lists” command shows that there is a reflexive ACL IN-OUT-Mirror-ACL without any permit/deny statements in it, since there has not been any traffic yet.

ip access-list extended OUT-IN-Acl
 remark ***************************
 remark ** ICMP ECHO/ECHO-REPLY  **
 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL
 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL

interface Vlan30
 description ** Inside **
 ip address 192.168.30.11 255.255.255.0
 ip access-group OUT-IN-Acl out
 standby 30 ip 192.168.30.1
 standby 30 priority 110
 standby 30 preempt

FW-1#sh ip access-lists                   
Reflexive IP access list IN-OUT-Mirror-ACL
Extended IP access list OUT-IN-Acl
    10 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL
    20 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL
Example13-15: reflexive ACL on FW-1.

Now we ping from Beef to Abba.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 37/49/62 ms
Example13-16: Ping from Beef to Abba with the reflexive ACL applied.

And on FW-1 we can see that there are five hits in both access-lists.

FW-1#sh ip access-lists
Reflexive IP access list IN-OUT-Mirror-ACL
     permit icmp host 192.168.30.30 host 192.168.11.12  (5 matches) (time left 269)
Extended IP access list OUT-IN-Acl
    10 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL (5 matches)
    20 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL
Example13-17: reflexive ACL on FW-1 after the pings.
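The reflexive ACL behaviour shown in examples 13-15 to 13-17, modelled in Python as an added example (it is neither the lab's configuration nor IOS code): an ACE with the reflect keyword mirrors the matching flow, with source and destination swapped, into a named reflexive list whose entries expire after an idle timeout (the IOS default of 300 seconds). On IOS the mirrored entries filter traffic only when an ACL applied in the opposite direction references them with an "evaluate IN-OUT-Mirror-ACL" statement; the lab applies no inbound ACL on Vlan30, so the inbound list IN-OUT-Acl used here, the host 192.168.11.50 and the timestamps are constructed for the demonstration. The scenario replays the five echoes from Beef to Abba and their replies, then a probe from Abba that matches no mirror.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None        # "echo" / "echo-reply" for ICMP


@dataclass
class Ace:
    """One extended-ACL line; `reflect` names the reflexive list it populates."""
    action: str
    proto: str
    src: str                                # "any" or a host address
    dst: str
    icmp_type: Optional[str] = None
    reflect: Optional[str] = None
    matches: int = 0

    def hit(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.icmp_type in (None, p.icmp_type))


@dataclass
class Mirror:                               # reflected entry: src/dst swapped
    proto: str
    src: str
    dst: str
    expires_at: int
    matches: int = 0


class ReflexiveFirewall:
    def __init__(self, timeout: int = 300):  # IOS default reflexive timeout (s)
        self.timeout = timeout
        self.acls: Dict[str, List[Ace]] = {}
        self.mirrors: Dict[str, List[Mirror]] = {}

    def live(self, name: str, now: int) -> List[Mirror]:
        """Drop mirrors whose idle timer ran out and return the remaining ones."""
        kept = [m for m in self.mirrors.get(name, []) if m.expires_at > now]
        self.mirrors[name] = kept
        return kept

    def _reflect(self, name: str, p: Packet, now: int) -> None:
        for m in self.mirrors.get(name, []):
            if (m.proto, m.src, m.dst) == (p.proto, p.dst, p.src):
                m.expires_at = now + self.timeout   # refresh existing entry
                return
        self.mirrors.setdefault(name, []).append(
            Mirror(p.proto, p.dst, p.src, now + self.timeout))

    def filter(self, acl: str, p: Packet, now: int,
               evaluate: Optional[str] = None) -> bool:
        """Apply `acl` to p; `evaluate` consults a reflexive list first."""
        if evaluate is not None:
            for m in self.live(evaluate, now):
                if (m.proto, m.src, m.dst) == (p.proto, p.src, p.dst):
                    m.matches += 1
                    m.expires_at = now + self.timeout   # traffic refreshes timer
                    return True
        for ace in self.acls.get(acl, []):
            if ace.hit(p):
                ace.matches += 1
                if ace.action == "permit" and ace.reflect:
                    self._reflect(ace.reflect, p, now)
                return ace.action == "permit"
        return False                                    # implicit deny

    def show_reflexive(self, name: str, now: int) -> List[str]:
        return [f"permit {m.proto} host {m.src} host {m.dst}  "
                f"({m.matches} matches) (time left {m.expires_at - now})"
                for m in self.live(name, now)]


def run_lab_scenario() -> dict:
    fw = ReflexiveFirewall()
    # Example 13-15: OUT-IN-Acl, applied outbound on Vlan30 (towards Abba).
    fw.acls["OUT-IN-Acl"] = [
        Ace("permit", "icmp", "any", "192.168.30.30", "echo", "IN-OUT-Mirror-ACL"),
        Ace("permit", "icmp", "any", "192.168.30.30", "echo-reply", "IN-OUT-Mirror-ACL")]
    fw.acls["IN-OUT-Acl"] = []   # constructed inbound ACL holding only `evaluate`
    out: dict = {"echo": [], "reply": []}
    for i in range(5):           # Beef (192.168.11.12) pings Abba five times
        echo = Packet("icmp", "192.168.11.12", "192.168.30.30", "echo")
        out["echo"].append(fw.filter("OUT-IN-Acl", echo, now=2 * i))
        reply = Packet("icmp", "192.168.30.30", "192.168.11.12", "echo-reply")
        out["reply"].append(fw.filter("IN-OUT-Acl", reply, now=2 * i + 1,
                                      evaluate="IN-OUT-Mirror-ACL"))
    out["ace_matches"] = [a.matches for a in fw.acls["OUT-IN-Acl"]]
    out["mirror"] = fw.show_reflexive("IN-OUT-Mirror-ACL", now=40)
    # Constructed: Abba probes an outside host for which no mirror exists.
    probe = Packet("icmp", "192.168.30.30", "192.168.11.50", "echo")
    out["unsolicited"] = fw.filter("IN-OUT-Acl", probe, now=41,
                                   evaluate="IN-OUT-Mirror-ACL")
    out["after_timeout"] = fw.show_reflexive("IN-OUT-Mirror-ACL", now=400)
    return out
```

The rendered mirror line reproduces the shape of Example 13-17 ("permit icmp host 192.168.30.30 host 192.168.11.12 (5 matches) (time left 269)"), and the model also makes the lab note about missing state synchronization concrete: the mirrors live only in the instance that created them, so a second ReflexiveFirewall standing in for FW-2 would start with an empty list after a failover.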

So far we have built a non-redundant setup. Figure 13-5 shows the complete, redundant setup, where we have the Active FW-1 and the Passive FW-2 connected to the Service Leaf switches Leaf-102 and Leaf-103, using HSRP for FW redundancy and a vPC domain for Leaf switch redundancy. Physical connections are made over Port-channels between the FWs and the vPC Leaf switches (figure 13-6 shows the physical topology).

Figure 13-5: Complete logical view

Figure 13-6 shows the physical structure of the example topology. The complete configuration of both Server Leaf switches and Firewalls can be found in Appendix 1 at the end of the post.

Figure 13-6: Physical topology

Figure 13-7 shows a simplified topology view.


Figure 13-7: Simplified Topology

Now we are going to do some simple ping tests to make sure that we actually have a redundant setup. First, we are going to shut down the link between FW-1 and Leaf-102. Then we isolate FW-1 completely by also shutting down the link between FW-1 and Leaf-103 (Po10 down), which should cause the HSRP state to change from Standby to Active on FW-2. As the last test, we are going to shut down the link between FW-2 and Leaf-102.

Test 1. Link FW-1 to Leaf-102 down – Ok.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Example13-18: Test 1- Link between FW-1 and Leaf-102 down.

Test 2. Link FW-1 to Leaf-103 down – Ok.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Example13-19: Test 2 - Link between FW-1 and Leaf-103 down.

As can be seen in example 13-20, isolating FW-1 from the network causes an HSRP state change from Standby to Active on FW-2.

FW-2#
*Oct 18 09:39:38.361: %HSRP-5-STATECHANGE: Vlan30 Grp 30 state Standby -> Active
*Oct 18 09:39:39.357: %HSRP-5-STATECHANGE: Vlan20 Grp 20 state Standby -> Active
FW-2#
Example13-20: HSRP state change in FW-2 when connection to FW-1 is down

Test 3. Link FW-2 to Leaf-102 down – Ok.

Beef#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Example13-21: Test 3 - Link between FW-2 and Leaf-102 down.

Test conclusion: The network reacts as expected and we are done.


Author: Toni Pasanen CCIE#28158
Published: 18.10.2018

-------------------------------------------------
References:

Building Data Center with VXLAN BGP EVPN – A Cisco NX-OS Perspective
ISBN-10: 1-58714-467-0 – Lukas Krattiger, Shyam Kapadia, and David Jansen

Deploy Firewalls in Cisco Programmable Fabric https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-736585.pdf


Appendix 1
Device configurations
Note that the configurations also include some settings that are not related to this lab!

Leaf-102
Leaf-102# sh run

!Command: show running-config
!Time: Thu Oct 18 10:23:25 2018

version 7.0(3)I7(1)
hostname Leaf-102
vdc Leaf-102 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource u4route-mem minimum 248 maximum 248
  limit-resource u6route-mem minimum 96 maximum 96
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

cfs eth distribute
nv overlay evpn
feature ospf
feature bgp
feature pim
feature fabric forwarding
feature interface-vlan
feature vn-segment-vlan-based
feature lacp
feature vpc
feature nv overlay

no password strength-check
username admin password 5 $5$L1jp9NYN$AeODuNL83oxntUITgugxxy0QksdqPZgEhAjEjksexx5  role network-admin
ip domain-lookup
ip host Spine-11 192.168.0.11
ip access-list PROTECTED_SEGMENTS
  10 permit ip 192.168.30.0/24 any
snmp-server user admin network-admin auth md5 0x7f693b750cc7550144b8410e07eecf1d priv 0x7f693b750cc7550144b8410e07eecf1d localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO

fabric forwarding anycast-gateway-mac 0001.0001.0001
ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir
ip pim ssm range 232.0.0.0/8
vlan 1,10,20,30,77
vlan 10
  name L2VNI-for-VLAN10
  vn-segment 10000
vlan 20
  name L2VNI-for-VLAN20
  vn-segment 20000
vlan 30
  name L2VNI-for-VLAN30
  vn-segment 30000
vlan 77
  name TENANT77
  vn-segment 10077

spanning-tree vlan 1-3967 priority 4096
route-map PROTECTED_SEGMENTS permit 10
  match ip address PROTECTED_SEGMENTS
vrf context TENANT77
  vni 10077
  ip route 192.168.30.0/24 192.168.12.2
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
vrf context VPC-Peer-Keepalive
vrf context management
hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
vpc domain 23
  peer-switch
  peer-keepalive destination 10.102.103.103 source 10.102.103.102 vrf VPC-Peer-Keepalive
  delay restore 240
  peer-gateway
  delay restore interface-vlan 80
  ip arp synchronize


interface Vlan1
  no shutdown
  no ip redirects
  no ipv6 redirects

interface Vlan10
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip address 192.168.11.1/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway

interface Vlan20
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip address 192.168.12.1/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway

interface Vlan77
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip forward
  no ipv6 redirects

interface port-channel10
  switchport mode trunk
  vpc 10

interface port-channel20
  switchport mode trunk
  vpc 20

interface port-channel23
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface nve1
  no shutdown
  host-reachability protocol bgp
  advertise virtual-rmac
  source-interface loopback100
  member vni 10000
    suppress-arp
    mcast-group 238.0.0.10
  member vni 10077 associate-vrf
  member vni 20000
    suppress-arp
    mcast-group 238.0.0.10
  member vni 30000
    suppress-arp
    mcast-group 238.0.0.10

interface Ethernet1/1
  no switchport
  medium p2p
  ip unnumbered loopback0
  ip ospf network point-to-point
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode
  no shutdown

interface Ethernet1/2
  no switchport
  medium p2p
  vrf member VPC-Peer-Keepalive
  ip address 10.102.103.102/24
  no shutdown

interface Ethernet1/3
  description ** Po23 member - vPC PEER-link **
  switchport mode trunk
  channel-group 23 mode active

interface Ethernet1/4
  description ** Po23 member - vPC PEER-link **
  switchport mode trunk
  channel-group 23 mode active

interface Ethernet1/5
  description ** Link to FW-1**
  switchport mode trunk
  channel-group 10

interface Ethernet1/6
  description ** Link to FW-2**
  switchport mode trunk
  channel-group 20

interface Ethernet1/7

<snipped>

interface mgmt0
  vrf member management

interface loopback0
  description ** RID/Underlay **
  ip address 192.168.0.102/32
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode

interface loopback77
  description ** BGP peering **
  ip address 192.168.77.102/32
  ip router ospf UNDERLAY-NET area 0.0.0.0

interface loopback100
  description ** VTEP/Overlay **
  ip address 192.168.100.102/32
  ip address 192.168.100.23/32 secondary
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode
line console
line vty
router ospf UNDERLAY-NET
  router-id 192.168.0.102
  name-lookup
router bgp 65000
  router-id 192.168.77.102
  address-family ipv4 unicast
  address-family l2vpn evpn
    advertise-pip
  neighbor 192.168.77.11
    remote-as 65000
    description ** Spine-11 BGP-RR **
    update-source loopback77
    address-family l2vpn evpn
      send-community extended
  vrf TENANT77
    address-family ipv4 unicast
      advertise l2vpn evpn
      redistribute static route-map PROTECTED_SEGMENTS
evpn
  vni 10000 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 20000 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 30000 l2
    rd auto
    route-target import auto
    route-target export auto


Leaf-102#

Leaf-103
Leaf-103# sh run

!Command: show running-config
!Time: Thu Oct 18 10:24:36 2018

version 7.0(3)I7(1)
hostname Leaf-103
vdc Leaf-103 id 1
  limit-resource vlan minimum 16 maximum 4094
  limit-resource vrf minimum 2 maximum 4096
  limit-resource port-channel minimum 0 maximum 511
  limit-resource u4route-mem minimum 248 maximum 248
  limit-resource u6route-mem minimum 96 maximum 96
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

cfs eth distribute
nv overlay evpn
feature ospf
feature bgp
feature pim
feature fabric forwarding
feature interface-vlan
feature vn-segment-vlan-based
feature lacp
feature vpc
feature nv overlay

no password strength-check
username admin password 5 $5$XYynpOKA$1s1Y/xDSWW1x48yz8ky//ZYUpjN1Xbkstu5Rzoqkxp0  role network-admin
ip domain-lookup
ip access-list PROTECTED_SEGMENTS
  10 permit ip 192.168.30.0/24 any
configure maintenance profile normal-mode
  vpc domain 23
    no shutdown
  router ospf UNDERLAY-NET
    no isolate
  router bgp 65000
    no isolate
  no ip pim isolate
configure maintenance profile maintenance-mode
  ip pim isolate
  router bgp 65000
    isolate
  router ospf UNDERLAY-NET
    isolate
  vpc domain 23
    shutdown
configure terminal
snmp-server user admin network-admin auth md5 0x3f07dbb8731ae864dbafa9286555828d priv 0x3f07dbb8731ae864dbafa9286555828d localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO

fabric forwarding anycast-gateway-mac 0001.0001.0001
ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir
ip pim ssm range 232.0.0.0/8
vlan 1,10,20,30,77
vlan 10
  name L2VNI-for-VLAN10
  vn-segment 10000
vlan 20
  name L2VNI-for-VLAN20
  vn-segment 20000
vlan 30
  name L2VNI-for-VLAN30
  vn-segment 30000
vlan 77
  name TENANT77
  vn-segment 10077

spanning-tree vlan 1-3967 priority 4096
route-map PROTECTED_SEGMENTS permit 10
  match ip address PROTECTED_SEGMENTS
vrf context TENANT77
  vni 10077
  ip route 192.168.30.0/24 192.168.12.2
  rd auto
  address-family ipv4 unicast
    route-target export 65000:10077
    route-target both auto evpn
vrf context VPC-Peer-Keepalive
vrf context management
hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
vpc domain 23
  peer-switch
  peer-keepalive destination 10.102.103.102 source 10.102.103.103 vrf VPC-Peer-Keepalive
  delay restore 240
  peer-gateway
  delay restore interface-vlan 80
  ip arp synchronize


interface Vlan1
  no shutdown
  no ip redirects
  no ipv6 redirects

interface Vlan10
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip address 192.168.11.1/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway

interface Vlan20
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip address 192.168.12.1/24
  no ipv6 redirects
  fabric forwarding mode anycast-gateway

interface Vlan77
  no shutdown
  vrf member TENANT77
  no ip redirects
  ip forward
  no ipv6 redirects

interface port-channel10
  switchport mode trunk
  vpc 10

interface port-channel20
  switchport mode trunk
  vpc 20

interface port-channel23
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface nve1
  no shutdown
  host-reachability protocol bgp
  advertise virtual-rmac
  source-interface loopback100
  member vni 10000
    suppress-arp
    mcast-group 238.0.0.10
  member vni 10077 associate-vrf
  member vni 20000
    suppress-arp
    mcast-group 238.0.0.10
  member vni 30000
    suppress-arp
    mcast-group 238.0.0.10

interface Ethernet1/1
  no switchport
  medium p2p
  ip unnumbered loopback0
  ip ospf network point-to-point
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode
  no shutdown

interface Ethernet1/2
  no switchport
  medium p2p
  vrf member VPC-Peer-Keepalive
  ip address 10.102.103.103/24
  no shutdown

interface Ethernet1/3
  description ** Po23 member - vPC PEER-link **
  switchport mode trunk
  channel-group 23 mode active

interface Ethernet1/4
  description ** Po23 member - vPC PEER-link **
  switchport mode trunk
  channel-group 23 mode active

interface Ethernet1/5
  description ** Link to FW-1**
  switchport mode trunk
  channel-group 10

interface Ethernet1/6
  description ** Link to FW-2**
  switchport mode trunk
  channel-group 20

interface Ethernet1/7
  shutdown

interface Ethernet1/8

<snipped>

interface Ethernet1/64

interface mgmt0
  vrf member management

interface loopback0
  description ** RID/Underlay **
  ip address 192.168.0.103/32
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode

interface loopback77
  description ** BGP peering **
  ip address 192.168.77.103/32
  ip router ospf UNDERLAY-NET area 0.0.0.0

interface loopback100
  description ** VTEP/Overlay **
  ip address 192.168.100.103/32
  ip address 192.168.100.23/32 secondary
  ip router ospf UNDERLAY-NET area 0.0.0.0
  ip pim sparse-mode
line console
line vty
router ospf UNDERLAY-NET
  router-id 192.168.0.103
  name-lookup
router bgp 65000
  router-id 192.168.77.103
  timers bgp 3 9
  address-family ipv4 unicast
  address-family vpnv4 unicast
  address-family l2vpn evpn
    advertise-pip
  neighbor 192.168.77.11
    remote-as 65000
    description ** Spine-11 BGP-RR **
    update-source loopback77
    address-family l2vpn evpn
      send-community extended
  vrf TENANT
  vrf TENANT77
    address-family ipv4 unicast
      advertise l2vpn evpn
      redistribute static route-map PROTECTED_SEGMENTS
      aggregate-address 192.168.11.0/24 summary-only
evpn
  vni 10000 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 20000 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 30000 l2
    rd auto
    route-target import auto
    route-target export auto


Leaf-103# 

FW-1
FW-1#sh run
Building configuration...

Current configuration : 3699 bytes
!
! Last configuration change at 09:58:30 UTC Thu Oct 18 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname FW-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!        
vtp mode transparent
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20
 name ** Outside **
!
vlan 30
 name ** Inside **
!
!
!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 description ** Link to Fabric **
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
interface GigabitEthernet0/2
 description ** Link to Fabric **
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
interface Vlan20
 description ** Outside **
 ip address 192.168.12.11 255.255.255.0
 standby 20 ip 192.168.12.2
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan30
 description ** Inside **
 ip address 192.168.30.11 255.255.255.0
 ip access-group OUT-IN-Acl out
 standby 30 ip 192.168.30.1
 standby 30 priority 110
 standby 30 preempt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
ip access-list extended OUT-IN-Acl
 remark ***************************
 remark ** ICMP ECHO/ECHO-REPLY  **
 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL
 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

FW-1#

FW-2
FW-2#sh run
Building configuration...

Current configuration : 3697 bytes
!
! Last configuration change at 09:48:03 UTC Thu Oct 18 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname FW-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!        
vtp mode transparent
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 20
 name ** Outside **
!
vlan 30
 name ** Inside **
!
!
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 description ** Link to Fabric **
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 20 mode on
!
interface GigabitEthernet0/2
 description ** Link to Fabric **
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 20 mode on
!
interface Vlan20
 description ** Outside **
 ip address 192.168.12.12 255.255.255.0
 standby 20 ip 192.168.12.2
 standby 20 priority 90
 standby 20 preempt
!
interface Vlan30
 description ** Inside **
 ip address 192.168.30.12 255.255.255.0
 ip access-group OUT-IN-Acl out
 standby 30 ip 192.168.30.1
 standby 30 priority 90
 standby 30 preempt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
ip access-list extended OUT-IN-Acl
 remark ***************************
 remark ** ICMP ECHO/ECHO-REPLY  **
 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL
 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

FW-2#
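
An added example, not code from the post or its author: it treats the two running configs above as data. Because there is no state synchronization between the two "firewalls", the standby's configuration is the policy from the moment HSRP fails over, so the pair should be diffed rather than eyeballed. The script parses trimmed copies of the FW-1 and FW-2 configs (embedded as constructed sample input; FW-2 is derived from FW-1 with exactly the differences shown above, the SVI addresses and HSRP priorities) and reports HSRP mismatches between the members (virtual IP, missing preempt, priority ties), any access-list that is not identical on both units, and reflexive ACL names that are created with `reflect` but never referenced by an `evaluate` entry. On the configs as printed, the first two checks pass and the third flags IN-OUT-Mirror-ACL: neither unit has an `evaluate` line, so the dynamic entries are built but no ACL in the opposite direction ever consults them. All function and finding names are this example's own.

```python
import re

# Constructed sample input: FW-1's running config from the post, trimmed to the
# SVIs and the ACL. FW-2 is derived with exactly the differences the post shows.
FW1_CFG = """\
interface Vlan20
 ip address 192.168.12.11 255.255.255.0
 standby 20 ip 192.168.12.2
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan30
 ip address 192.168.30.11 255.255.255.0
 standby 30 ip 192.168.30.1
 standby 30 priority 110
 standby 30 preempt
!
ip access-list extended OUT-IN-Acl
 remark ** ICMP ECHO/ECHO-REPLY  **
 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL
 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL
"""
FW2_CFG = (FW1_CFG.replace("192.168.12.11", "192.168.12.12")
           .replace("192.168.30.11", "192.168.30.12").replace("priority 110", "priority 90"))

STANDBY = re.compile(r"standby (\d+) (ip|priority|preempt)(?: (\S+))?$")

def parse_ios(cfg):
    """{header: [sub-lines]} for each column-0 block of an IOS-style config."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def hsrp_groups(blocks):
    """{interface: {group: {'ip', 'priority', 'preempt'}}}; omitted = HSRP default."""
    out = {}
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        groups = {}
        for m in filter(None, map(STANDBY.match, body)):
            grp, key, val = m.groups()
            g = groups.setdefault(grp, {"ip": None, "priority": 100, "preempt": False})
            g[key] = True if key == "preempt" else int(val) if key == "priority" else val
        if groups:
            out[header.split()[1]] = groups
    return out

def access_lists(blocks):
    """{acl_name: [entries]} with remarks dropped so the two units can be diffed."""
    acls = {}
    for header, body in blocks.items():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", header)
        if m:
            acls[m.group(1)] = [e for e in body if not e.startswith("remark")]
    return acls

def hsrp_findings(fw1, fw2):
    """First problem per group: virtual IP mismatch, priority tie, missing preempt."""
    a, b = hsrp_groups(fw1), hsrp_groups(fw2)
    findings = []
    for intf in sorted(set(a) | set(b)):
        ga, gb = a.get(intf, {}), b.get(intf, {})
        for grp in sorted(set(ga) | set(gb)):
            if grp not in ga or grp not in gb:
                findings.append(f"{intf}: HSRP group {grp} on one member only")
            elif ga[grp]["ip"] != gb[grp]["ip"]:
                findings.append(f"{intf}: group {grp} virtual IP differs")
            elif ga[grp]["priority"] == gb[grp]["priority"]:
                findings.append(f"{intf}: group {grp} priority tie")
            elif not (ga[grp]["preempt"] and gb[grp]["preempt"]):
                findings.append(f"{intf}: group {grp} preempt missing on a member")
    return findings

def acl_findings(fw1, fw2):
    """No state sync means the standby's ACLs are the policy after failover."""
    a, b = access_lists(fw1), access_lists(fw2)
    return [f"ACL {n} differs between members"
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]

def unevaluated_reflect(blocks):
    """Names created by 'reflect' that no 'evaluate' entry ever consults."""
    entries = [e for acl in access_lists(blocks).values() for e in acl]
    reflected = {m.group(1) for e in entries if (m := re.search(r"\breflect (\S+)", e))}
    evaluated = {m.group(1) for e in entries if (m := re.match(r"evaluate (\S+)", e))}
    return sorted(reflected - evaluated)

def audit(cfg1, cfg2):
    fw1, fw2 = parse_ios(cfg1), parse_ios(cfg2)
    return {"hsrp": hsrp_findings(fw1, fw2), "acl": acl_findings(fw1, fw2),
            "unevaluated_reflect": sorted(set(unevaluated_reflect(fw1)) | set(unevaluated_reflect(fw2)))}
```

Calling `audit(FW1_CFG, FW2_CFG)` on the embedded configs returns empty HSRP and ACL finding lists and `["IN-OUT-Mirror-ACL"]` under `unevaluated_reflect`. In practice the two strings would be replaced with `show running-config` output pulled from each unit, and the same diff can be run after every change window; the parser only understands the column-0/indented block layout, so it is not a substitute for the platform's own configuration validation.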

31 comments:

  1. This is an excellent post. Extremely helpful.. Thanks !!

  2. Thanks Leke, I am glad that you liked it!

  3. Hi. Very good write-up. What are the stencils you are using for your topologies? I really liked them. Would it be possible to post some of those? Thanks

  4. Thanks Luri. I made the icons with MS PowerPoint. I can share the icon set by LinkedIn message or by email.

    Replies
    1. Couldn't find your email. If you don't mind, here is my email: lurikri94@gmail.com. If you could send one of those as an example. Thank you so much, and looking forward to your next posts. They are all great!

    2. Hi Luri, I just sent an email to you where you can find icons. I am happy that you liked my posts :) Next post will be out soon...

    3. Can I also get copies of the icons used here? kawong@wongph.com is my email address.

  5. Hi, Toni.
    Thank you for your post.
    I was trying to implement almost the same setup (without vPC, one Border Leaf only, and I'm using OSPF between Leaf 102 and the FW/SW), but my server in VLAN 30 can't reach anything if connected to Leaf 101. If I connect it to Leaf 102 (which has a direct link to the FW/SW), it works. Not sure what I am doing wrong; I would appreciate it if you could give me a hand here to understand why it's not working.
    Thank you

    Replies
    1. Hi,
      Does the ping work from the server to the FW VLAN 30 interface when the server is connected to Leaf-101? Make sure that you do not have an SVI + anycast GW configured on Leaf-101. If you have arp-suppression configured under the VNI EVI instance, try to remove it from both switches. On Leaf-101 you could verify whether the MAC route is received from Leaf-102 (show bgp l2vpn evpn vni-id 30000). From the BGP table it should be installed into the L2RIB (show l2route evpn mac evi 30). Verify also that the MAC can be found in the MAC table (show mac address-table or sh system internal l2fwder mac). If this does not work you could contact me via LinkedIn and we can check the configuration files.

      Cheers - Toni

    2. Unknown, 16 November 2018 at 23:36
      A little update: I was missing ip pim rp-address [anycast_rp_addr] on Spines.
      All is working perfectly now.

    3. Great that you managed to fix it!

    4. Hi, could you please share your config with OSPF between the Nexus and the FW?

  6. Thank you, Toni.
    No, server can't ping anything.
    Will double check everything.

  7. Hello Toni,

    Thank you very much for sharing. It is really a great article :)
    Hope you are doing well !

    I have one question.
    Do we have to do the things below?
    - Span VLAN20 and its VNI to Server-Leaf and
    - Span VLAN10 & its VNI to Service-Leaf
    - Create AGW of VLAN20 on Server-Leaf
    - Create AGW of VLAN10 on Service-Leaf
    - Add VNIs member above to NVE interface & EVPN instance

    Btw, I didn't see the configuration file of Server-Leaf in this post. Could you please double check?

    Thank you once again,
    Minh

    Replies
    1. Hi Minh,
      VLAN 20 is used for the FW connection, which is an external network. All of its resources (L2VNI/L3VNI/SVI/VLAN) are only needed locally on the Service Leaf. VLAN 10 is the client VLAN and it is not needed on the Service Leaf. Data between VLAN 10 and 20 is routed: if host Beef sends data to host Abba, the Server Leaf routes it over SVI 77 and uses L3VNI 10077 in the VXLAN header. So the answer to all of your questions is "no". The complete config appendix includes unnecessary configurations, sorry for that...
      Unfortunately, I do not have the Server Leaf configuration file any more.

    2. Hi Toni,

      Thank you for your quick reply. I followed your suggestion on below:

      - VLAN 20 is located only on Service-Leaf.
      - VLAN 10 is located only on Server-Leaf.
      - No AGW of VLAN10 on Service-Leaf.
      - No AGW of VLAN20 on Server-Leaf.
      - Not add respective VNIs to NVE interface & EVPN instance.

      But I'm facing an issue: Beef cannot ping the AGW of VLAN20 or the Outside IP of the FW (the FW already has a route entry for 192.168.10.0/24 pointing to 192.168.12.1).

      Any further suggestions?

      Thank you, Toni.
      Minh

    3. The directly connected network(s) have to be redistributed into BGP in order for Beef (192.168.11.12) to ping the AGW of VLAN 20, and the other way around.

      ip access-list CONN
      10 permit ip 192.168.100.1/32 any
      !
      route-map CONN permit 10
      match ip address CONN
      !
      router bgp 65000

      vrf TENANT77
      address-family ipv4 unicast
      redistribute direct route-map CONN

      In addition, do not forget to add a static default route pointing to the VLAN 11 AGW into Beef's RIB.

      Leaf-101 BGP table before redistribution
      Leaf-101# sh ip bgp vrf TENANT77

      Network Next Hop Metric LocPrf Weight Path
      *>i192.168.30.30/32 192.168.100.102 100 0 i

      Leaf-101 BGP table after redistribution

      Network Next Hop Metric LocPrf Weight Path
      *>i192.168.12.0/24 192.168.100.102 0 100 0 ?
      *>i192.168.30.0/24 192.168.100.102 0 100 0 ?
      *>i192.168.30.30/32 192.168.100.102 100 0 i

    4. Thank you, Toni. The issue has been solved.

  8. Hi Tony,
    This is my first visit; very clean the way it is presented. Thank you!
    I like your diagrams; tiny icons allow you to add a fair amount of detail. Where did you get your icons?
    I just downloaded your book. Looking forward to it.
    Cheers, PushpaKumar

    Replies
    1. Icons are self-made. Sometimes I think that there is a bit too much information included in the figures...

  9. Hi Tony,
    Just note that the diagrams are black and white in the book. I wish you had kept the colours; it really does help.
    Cheers,
    PushpaKumar

    Replies
    1. If I write a new book, I will consider using colours in the figures, though it affects printing costs, which slightly increases the price. If you have questions about the book, you can reach me via LinkedIn. A link to my profile is in the upper right corner.

  10. Wow! Such an amazing and helpful post. Thanks for sharing. I really love it.

    www.avg.com/retail
    avg.com/retail

    read this blog

  11. Could you let me know why the traffic from Beef on VLAN 10 is routed through SVI 77 to VLAN 20?
    Would it not be possible to configure 'ip forward' under 'interface vlan 10' to route it to VLAN 20?
    Thanks for the wonderful explanation Toni.

    Replies
    1. Inter-VN traffic is routed using symmetric IRB, which in our case means that the data between VLAN 10 and 20 is routed over VLAN 77 (tenant L3VN). This can be seen in figure 13-13.

  12. Hello Toni, one question: I have a case where I am just installing 2 Nexus in each data center; they are going to be BGWs and I will pass the L3 to them.

    I'm thinking of vPC in each site with BGW-vPC, or do you have another recommendation?

    Your book is really handy.

    Replies
    1. Hi, you can find the design scenarios in this document.
      https://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/white-paper-c11-739942.html
      I'm happy that you liked my book :)

    2. Hi Toni, a great post.
      What if we want to run BGP between the firewalls and the border leafs?
      I have a similar setup, but the border leafs are also BGWs (vPC BGW). What is the recommendation for running BGP between the firewalls and the BGW?

    3. Hi Altoman,
      I have done this in various ways. If you have them in a vPC-BGW, the ones I have tried are the following:

      1-SUB-INTERFACES
      Use a firewall with 1 interface to each of the vPC-BGWs, and on each connection have two sub-interfaces, 1 for the inside traffic and one for the outside traffic.
      Also, if you are using a Cisco ASA for example, be sure that you have ZONEs, with each pair of sub-interfaces that goes to the inside in one zone and the other 2 in an outside zone, and remember that both interfaces in a zone should use the same ACL for the access-group.


      2-PORT-CHANNEL
      You can use this Cisco link for reference on using a port-channel vPC from the BGW to the firewalls.
      https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/92x/vxlan-92x/configuration/guide/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-92x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_appendix_010110.html

      Those are the 2 ways I have validated on VIRL and with real Nexus and 2 ASAs (Active-Standby).
      And the first question was mine XD.

      ALSO, in my case I have to pass the traffic through the firewall to give the DC a layer of security;
      the inside is one VRF SRV and the other one is the VRF CORE, or the one that connects to the other equipment.

      Greetings from Honduras.
      Merry Christmas
