VXLAN Part XIII: Firewall Implementation to VXLAN Fabric

Now you can also download my VXLAN book from the Leanpub.com 
"Virtual Extensible LAN VXLAN - A Practical guide to VXLAN Solution Part 1. (373 pages)

In this post, I am going to show how to implement Active/Standby FW Cluster into VXLAN Fabric. Figure 13-1 shows the logical view of example setup, where we have two server networks: 192.168.30.0/24 (VLAN30 - protected) and 192.168.11.0/24 (VLAN10 - non-protected). We also have an Active/Standby FW Cluster connected to dedicated Service Leaf vPC Cluster (Leaf-102 and Leaf-103). Anycast Gateway (AGW) for the network 192.168.11.0/24 resides in the Server Leaf-101 while the Gateway for the protected network 192.168.30.0/24 resides in the Firewall (Inside Zone). Protected hosts in VLAN 30 use the VXLAN Fabric only as an L2 transport network. For simplicity, the Spine switch is not shown in the figure 13-1.

Figure 13-1: Example Topology and IP addressing

Note! Instead of using actual Firewalls devices in this lab, I am using two Layer3 switches to simulate Firewall functions. To achieve Active/Standby redundancy model, I am using HSRP and for the stateful filtering, I am using reflective access-list between vlan 20 and vlan 30. There are no state synchronizations between “Firewalls”.

Figure 13-1 at the beginning of the post shows the overall picture of the solution. Now we are going to build it step by step.

Protected segment

Server Leaf-101, where host Abba is connected to, has a VLAN 30 mapped to L2VNI 30000. BGP EVPN is used as a Control plane protocol to advertise host MAC/IP information. The same configuration is also added to Server Leaf-102 but as we can see in the figure 13-2, neither switch has Anycast Gateway configured to VLAN 30. The Default Gateway for VLAN 30 is configured on the FW-1. This is one way to create a protected segment on VXLAN fabric.

Figure 13-2: Protected network

The L2 configuration of Leaf switches form protected network perspective is shown in example 13-1. First, we map VLAN 30 to L2VNI 30000, and then we add it under EVPN configuration. since we need to advertise MAC/IP reachability information to other Leaf switches with BGP EVPN. Under NVE1 interface, we define the L2VNI specific settings such as ARP suppression and multicast group for BUM traffic.

vlan 30   name L2VNI-for-VLAN30   vn-segment 30000 ! evpn    vni 30000 l2     rd auto     route-target import auto     route-target export auto ! interface nve1   member vni 30000    suppress-arp    mcast-group 238.0.0.10 !

Example13-1: Leaf switches L2 configurations.

The FW-1 configuration related to VLAN 30 can be seen in the example 13-2. Note that I have already configured HSRP related parameters such as virtual IP address for VLAN 30.

vlan 30  name ** Inside ** ! interface Vlan30  description ** Inside **  ip address 192.168.30.11 255.255.255.0  standby 30 ip 192.168.30.1  standby 30 priority 110  standby 30 timers 1 3  standby 30 preempt !

Example13-2: FW-1 configurations.

Non-Protected segment

The configuration for the non-protected segment in Leaf-101 is shown in example 13-3. First, we create VLAN 10 and then we map it to L2VNI 10000 and create Anycast Gateway for network 192.168.11.0/24. Then we add the L2VNI 10000 under the EVPN configuration. Under the NVE1 interface, we define the L2VNI specific settings such as ARP suppression and multicast group for BUM traffic just like we did with the protected network. 

Figure 13-3: Non-protected network

Configuration related to the non-protected segment in Leaf-101 can be seen in example 13-3.

vlan 10   name L2VNI-for-VLAN10   vn-segment 10000 ! interface Vlan10   no shutdown   vrf member TENANT77   ip address 192.168.11.1/24   fabric forwarding mode anycast-gateway ! evpn   vni 10000 l2     rd auto     route-target import auto     route-target export auto ! interface nve1   member vni 10000     suppress-arp     mcast-group 238.0.0.10

Example13-3: Server Leaf-101 configuration for the non-protected network.

If we compare segment between the FW-1 and Service Leaf-102 we can see that it follows exactly the same design principles than non-protected segment 192.168.11.0/24 in Server Leaf-101. We have vlan 20, which has vni-id 20000, it has Anycast Gateway and it uses EVPN Control Plane and optional parameters are defined under NVE 1 interface. So from the VXLAN fabric perspective, FW-1 is a same kind of host than Abba. Example 13-4 shows the Server Leaf-102 configuration and example 13-5 shows the FW-1 configuration. Note that the configurations of the physical interfaces are excluded from both examples (but can be found from Appendix 1 at the end of the post).

vlan 20   name L2VNI-for-VLAN20   vn-segment 20000 ! interface Vlan20   no shutdown   vrf member TENANT77   no ip redirects   ip address 192.168.12.1/24   no ipv6 redirects   fabric forwarding mode anycast-gateway ! interface nve1   member vni 20000     suppress-arp     mcast-group 238.0.0.10 ! evpn   vni 20000 l2     rd auto     route-target import auto     route-target export auto

Example13-4: Service Leaf-102 configuration for the FW-1 Leaf-102 segment.

vlan 20  name ** Outside ** ! interface Vlan20  description ** Outside **  ip address 192.168.12.11 255.255.255.0  standby 20 ip 192.168.12.2  standby 20 priority 110  standby 20 preempt  standby 20 timers 1 3

Example13-5: FW-1 configuration for the FW-1 Leaf-102 segment.

Now we have defined two networks, segment 192.168.11.0/24 is only located on Server Leaf-101 and subnet between FW-1 and Server Leaf-102 is located in Server Leaf-102 and FW-1. The data path between these two segments goes through the SVI 77, which is used for inter-VN routing in vrf context TENANT77. Configuration related to inter-VNI routing can be seen in example 13-6.

vlan 77   name TENANT77   vn-segment 10077 ! interface Vlan77   no shutdown   vrf member TENANT77   ip forward ! vrf context TENANT77   vni 10077   rd auto   address-family ipv4 unicast     route-target both auto     route-target both auto evpn ! interface nve1   host-reachability protocol bgp   member vni 10077 associate-vrf ! router bgp 65000    vrf TENANT77     address-family ipv4 unicast       advertise l2vpn evpn

Example13-6: inter-VNI routing configuration.

Figure 13-4 show what we have done so far. We now should have connectivity from host Abba to FW-1 Inside interface IP address 192.168.30.1. We also should have connectivity from host Beef to FW-1 Outside interface IP address 192.168.12.2.

Figure 13-4: Logical view

We can verify IP connectivity by using ping.

Beef#ping 192.168.12.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/66 ms

Example13-7: Connectivity verification from Beef to FW-1 Outside interface.

Abba#ping 192.168.30.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/24 ms

Example13-8: Connectivity verification from Abba to FW-1 Inside interface.

If we test the connection between Abba and Beef, we can see that something is still missing.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)

Example13-9: Connectivity verification from Beef to Abba.

If we take a look at the BRIB on Leaf-101, the route to network 192.168.30.0/0 is missing. It though has BGP route-type 2 information about MAC/IP addresses of all hosts in the segment (Abba, FW-1 virtual IP, and physical IP). This means that we do have intra-VN connectivity (which was tested by pinging from Abba to inside interface of FW-1) but we do not have IP connection between the network 192.168.11.0/24 and 102.168.30.0/24.

Leaf-101# sh bgp l2vpn evpn BGP routing table information for VRF default, address family L2VPN EVPN BGP table version is 198, Local Router ID is 192.168.77.101 Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i njected Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup    Network            Next Hop            Metric     LocPrf     Weight Path Route Distinguisher: 192.168.77.101:32777    (L2VNI 10000) *>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[0]:[0.0.0.0]/216                       192.168.100.101                   100      32768 i *>l[2]:[0]:[0]:[48]:[1000.0010.beef]:[32]:[192.168.11.12]/272                       192.168.100.101                   100      32768 i Route Distinguisher: 192.168.77.101:32787    (L2VNI 20000) *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272                       192.168.100.23                    100          0 i Route Distinguisher: 192.168.77.101:32797    (L2VNI 30000) *>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>l[2]:[0]:[0]:[48]:[2000.0020.abba]:[0]:[0.0.0.0]/216                       192.168.100.101                   100      32768 i *>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[32]:[192.168.30.1]/248                       192.168.100.23                    100          0 i *>l[2]:[0]:[0]:[48]:[2000.0020.abba]:[32]:[192.168.30.30]/248                       192.168.100.101                   100      32768 i *>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[32]:[192.168.30.11]/248                       192.168.100.23                    100          0 i Route Distinguisher: 192.168.77.102:3 *>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i Route Distinguisher: 192.168.77.102:32787 *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272                       192.168.100.23                    100          0 i Route Distinguisher: 192.168.77.102:32797 *>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac1e]:[32]:[192.168.30.1]/248                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[5e00.0006.801e]:[32]:[192.168.30.11]/248                       192.168.100.23                    100          0 i Route Distinguisher: 192.168.77.101:3    (L3VNI 10077) *>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272                       192.168.100.23                    100          0 i

Example13-10: BRIB from Leaf-101

To fix this, we need to tell the Server Leaf-102 where the network 192.168.30.0/24 is located and then we need to redistribute this information to BGP. This way Server Leaf-101 also gets the routing information. We could, of course, use dynamic routing instead of a static route but for simplicity, I am using static route towards outside interface VIP address.

First, we add static route under vrf context TENANT77 on Server Leaf-102.

vrf context TENANT77   vni 10077   ip route 192.168.30.0/24 192.168.12.2   rd auto   address-family ipv4 unicast     route-target both auto     route-target both auto evpn

Example13-11: static route on Server Leaf-102

Then we advertise static routes defined in access-list through the route-map to BGP on Server Leaf-102.

ip access-list PROTECTED_SEGMENTS   10 permit ip 192.168.30.0/24 any ! route-map PROTECTED_SEGMENTS permit 10   match ip address PROTECTED_SEGMENTS !   vrf TENANT77     address-family ipv4 unicast       advertise l2vpn evpn       redistribute static route-map PROTECTED_SEGMENTS

Example13-12: redistribution of the static route in Server Leaf-102.

Now Server Leaf-101 has information on how to reach the network 192.168.30.0/24 as can be seen from the figure 13-13.

Leaf-101# sh bgp l2vpn evpn vni-id 10077 <snipped>    Network            Next Hop            Metric     LocPrf     Weight Path Route Distinguisher: 192.168.77.101:3    (L3VNI 10077) *>i[2]:[0]:[0]:[48]:[5e00.0005.0007]:[0]:[0.0.0.0]/216                       192.168.100.23                    100          0 i *>i[2]:[0]:[0]:[48]:[0000.0c07.ac14]:[32]:[192.168.12.2]/272                       192.168.100.23                    100          0 i *>i[5]:[0]:[0]:[24]:[192.168.30.0]:[0.0.0.0]/224                       192.168.100.102          0        100          0 ?

Example13-13: BRIB on Leaf-101

Note! In this phase, I have already configured vPC configuration in Service Leaf-102. I am using a model where external routes are advertised by using switch Physical IP address (PIP) while fabric internal routes are advertised by using Virtual IP address (VIP). In our example Server Leaf-102 VTEP PIP is 192.168.100.102 (IP associated with NVE1) and VIP is 192.168.100.23. This is why the next-hop is different compared to FW-1 outside interface IP address 192.168.12.2 to network 192.168.30.0/24.

Now we have IP connectivity between host Beef and Abba.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 30/35/40 ms

Example13-14: Connectivity verification from Beef to Abba.

As a final step, we add a filter between VLAN 30 and VLAN 20, which permits ping to Abba from any source. I am using reflective ACL that is kind of stateful ACL, whenever there is a hit for ACL entry, it reflected/mirrored so that return traffic is allowed without static ACL. The “show ip access-list” command shows that there is reflected ACL IN-OUT-Mirror-ACL without any permit/deny statements on it since there has not been any traffic yet.

ip access-list extended OUT-IN-Acl  remark ***************************  remark ** ICMP ECHO/ECHO-REPLY  **  permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL  permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL interface Vlan30  description ** Inside **  ip address 192.168.30.11 255.255.255.0  ip access-group OUT-IN-Acl out  standby 30 ip 192.168.30.1  standby 30 priority 110  standby 30 preempt FW-1#sh ip access-lists                    Reflexive IP access list IN-OUT-Mirror-ACL Extended IP access list OUT-IN-Acl     10 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL     20 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL

Example13-15: reflective ACL on FW-1.

Now we ping from Beef to Abba.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 37/49/62 m

Example13-16: reflective ACL on FW-1.

And from FW-1 we can see that there is five hit in both access-lists.

FW-1#sh ip access-lists Reflexive IP access list IN-OUT-Mirror-ACL      permit icmp host 192.168.30.30 host 192.168.11.12  (5 matches) (time left 269) Extended IP access list OUT-IN-Acl     10 permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL (5 matches)     20 permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL

Example13-17: reflective ACL on FW-1.

So far we have built non-redundant setup. Figure 13-5 shows the complete, redundant setup where we have Active FW-1 and Passive FW-2 connected to Service Leaf switches Leaf-102 and Leaf 103 by using HSRP as an FW redundancy and vPC domain for Leaf switch redundancy. Physical connections are made over Port-channels between FWs and vPC Leaf switches (figure 13-6 shows physical topology).

Figure 13-5: Complete logical view

Figure 13-6 shows the physical structure of example topology. Complete configuration of both Server Leaf switches and Firewalls can be found from Appendix 1 at the end of the post.

Figure 13-6: Physical topology

Figure 13-7 shows a simplified topology view.

Figure 13-7: Simplified Topology

Now we are going to do a simple ping tests to make sure that we actually have a redundant setup. First, we are going to shut down the link between FW-1 and Leaf-102. Then we restrict FW-1 totally by shutting down also the link between FW-1 and Leaf-103 (Po 10 down), which should cause the HSRP state change from Standby to Active in Leaf-103. As the last test, we are going to shut down the link between FW-2 and Leaf-102.

 Test 1. Link FW-1 to Leaf-102 down – Ok.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: !!!!!

Example13-18: Test 1- Link between FW-1 and Leaf-102 down.

Test 2. Link FW-1 to Leaf-103 down – Ok.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: !!!!!

Example13-19: Test 1- Link between FW-1 and Leaf-103 down.

As can be seen from the example 13-20, the restriction of FW-1 from the network cause HSRP state change from Standby to Active in FW-2.

FW-2# *Oct 18 09:39:38.361: %HSRP-5-STATECHANGE: Vlan30 Grp 30 state Standby -> Active *Oct 18 09:39:39.357: %HSRP-5-STATECHANGE: Vlan20 Grp 20 state Standby -> Active FW-2#

Example13-20: HSRP state change in FW-2 when connection to FW-1 is down

Test 3. Link FW-2 to Leaf-102 down – Ok.

Beef#ping 192.168.30.30 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds: !!!!!

Example13-21: Test 1- Link between FW-1 and Leaf-103 down.

Test conclusion: Network react as expected and we are done.

Author: Toni Pasanen CCIE#28158

Published: 18.10.2018

-------------------------------------------------

References:

Building Data Center with VXLAN BGP EVPN – A Cisco NX-OS Perspective

ISBN-10: 1-58714-467-0 – Krattiger Lukas, Shyam Kapadia, and Jansen Davis

Deploy Firewalls in Cisco Programmable Fabric https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/white-paper-c11-736585.pdf

Appendix 1

Device configurations

Note that there is also some configurations that are related to this lab!

Leaf-102

Leaf-102# sh run !Command: show running-config !Time: Thu Oct 18 10:23:25 2018 version 7.0(3)I7(1) hostname Leaf-102 vdc Leaf-102 id 1   limit-resource vlan minimum 16 maximum 4094   limit-resource vrf minimum 2 maximum 4096   limit-resource port-channel minimum 0 maximum 511   limit-resource u4route-mem minimum 248 maximum 248   limit-resource u6route-mem minimum 96 maximum 96   limit-resource m4route-mem minimum 58 maximum 58   limit-resource m6route-mem minimum 8 maximum 8 cfs eth distribute nv overlay evpn feature ospf feature bgp feature pim feature fabric forwarding feature interface-vlan feature vn-segment-vlan-based feature lacp feature vpc feature nv overlay no password strength-check username admin password 5 $5$L1jp9NYN$AeODuNL83oxntUITgugxxy0QksdqPZgEhAjEjksexx 5  role network-admin ip domain-lookup ip host Spine-11 192.168.0.11 ip access-list PROTECTED_SEGMENTS   10 permit ip 192.168.30.0/24 any snmp-server user admin network-admin auth md5 0x7f693b750cc7550144b8410e07eecf1d  priv 0x7f693b750cc7550144b8410e07eecf1d localizedkey rmon event 1 description FATAL(1) owner PMON@FATAL rmon event 2 description CRITICAL(2) owner PMON@CRITICAL rmon event 3 description ERROR(3) owner PMON@ERROR rmon event 4 description WARNING(4) owner PMON@WARNING rmon event 5 description INFORMATION(5) owner PMON@INFO fabric forwarding anycast-gateway-mac 0001.0001.0001 ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir ip pim ssm range 232.0.0.0/8 vlan 1,10,20,30,77 vlan 10   name L2VNI-for-VLAN10   vn-segment 10000 vlan 20   name L2VNI-for-VLAN20   vn-segment 20000 vlan 30   name L2VNI-for-VLAN30   vn-segment 30000 vlan 77   name TENANT77   vn-segment 10077 spanning-tree vlan 1-3967 priority 4096 route-map PROTECTED_SEGMENTS permit 10   match ip address PROTECTED_SEGMENTS vrf context TENANT77   vni 10077   ip route 192.168.30.0/24 192.168.12.2   rd auto   address-family ipv4 unicast     route-target both auto     route-target both auto evpn vrf context VPC-Peer-Keepalive vrf context management hardware access-list tcam region racl 512 hardware access-list tcam region arp-ether 256 double-wide vpc domain 23   peer-switch   peer-keepalive destination 10.102.103.103 source 10.102.103.102 vrf VPC-Peer-Keepalive   delay restore 240   peer-gateway   delay restore interface-vlan 80   ip arp synchronize interface Vlan1   no shutdown   no ip redirects   no ipv6 redirects interface Vlan10   no shutdown   vrf member TENANT77   no ip redirects   ip address 192.168.11.1/24   no ipv6 redirects   fabric forwarding mode anycast-gateway interface Vlan20   no shutdown   vrf member TENANT77   no ip redirects   ip address 192.168.12.1/24   no ipv6 redirects   fabric forwarding mode anycast-gateway interface Vlan77   no shutdown   vrf member TENANT77   no ip redirects   ip forward   no ipv6 redirects interface port-channel10   switchport mode trunk   vpc 10 interface port-channel20   switchport mode trunk   vpc 20 interface port-channel23   switchport mode trunk   spanning-tree port type network   vpc peer-link interface nve1   no shutdown   host-reachability protocol bgp   advertise virtual-rmac   source-interface loopback100   member vni 10000     suppress-arp     mcast-group 238.0.0.10   member vni 10077 associate-vrf   member vni 20000     suppress-arp     mcast-group 238.0.0.10   member vni 30000     suppress-arp     mcast-group 238.0.0.10 interface Ethernet1/1   no switchport   medium p2p   ip unnumbered loopback0   ip ospf network point-to-point   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode   no shutdown interface Ethernet1/2   no switchport   medium p2p   vrf member VPC-Peer-Keepalive   ip address 10.102.103.102/24   no shutdown interface Ethernet1/3   description ** Po23 member - vPC PEER-link **   switchport mode trunk   channel-group 23 mode active interface Ethernet1/4   description ** Po23 member - vPC PEER-link **   switchport mode trunk   channel-group 23 mode active interface Ethernet1/5   description ** Link to FW-1**   switchport mode trunk   channel-group 10 interface Ethernet1/6   description ** Link to FW-2**   switchport mode trunk   channel-group 20 interface Ethernet1/7 <snipped> interface mgmt0   vrf member management interface loopback0   description ** RID/Underlay **   ip address 192.168.0.102/32   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode interface loopback77   description ** BGP peering **   ip address 192.168.77.102/32   ip router ospf UNDERLAY-NET area 0.0.0.0 interface loopback100   description ** VTEP/Overlay **   ip address 192.168.100.102/32   ip address 192.168.100.23/32 secondary   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode line console line vty router ospf UNDERLAY-NET   router-id 192.168.0.102   name-lookup router bgp 65000   router-id 192.168.77.102   address-family ipv4 unicast   address-family l2vpn evpn     advertise-pip   neighbor 192.168.77.11     remote-as 65000     description ** Spine-11 BGP-RR **     update-source loopback77     address-family l2vpn evpn       send-community extended   vrf TENANT77     address-family ipv4 unicast       advertise l2vpn evpn       redistribute static route-map PROTECTED_SEGMENTS evpn   vni 10000 l2     rd auto     route-target import auto     route-target export auto   vni 20000 l2     rd auto     route-target import auto     route-target export auto   vni 30000 l2     rd auto     route-target import auto     route-target export auto Leaf-102#

Leaf-103

Leaf-103# sh run !Command: show running-config !Time: Thu Oct 18 10:24:36 2018 version 7.0(3)I7(1) hostname Leaf-103 vdc Leaf-103 id 1   limit-resource vlan minimum 16 maximum 4094   limit-resource vrf minimum 2 maximum 4096   limit-resource port-channel minimum 0 maximum 511   limit-resource u4route-mem minimum 248 maximum 248   limit-resource u6route-mem minimum 96 maximum 96   limit-resource m4route-mem minimum 58 maximum 58   limit-resource m6route-mem minimum 8 maximum 8 cfs eth distribute nv overlay evpn feature ospf feature bgp feature pim feature fabric forwarding feature interface-vlan feature vn-segment-vlan-based feature lacp feature vpc feature nv overlay no password strength-check username admin password 5 $5$XYynpOKA$1s1Y/xDSWW1x48yz8ky//ZYUpjN1Xbkstu5Rzoqkxp 0  role network-admin ip domain-lookup ip access-list PROTECTED_SEGMENTS   10 permit ip 192.168.30.0/24 any configure maintenance profile normal-mode   vpc domain 23     no shutdown   router ospf UNDERLAY-NET     no isolate   router bgp 65000     no isolate   no ip pim isolate configure maintenance profile maintenance-mode   ip pim isolate   router bgp 65000     isolate   router ospf UNDERLAY-NET     isolate   vpc domain 23     shutdown configure terminal snmp-server user admin network-admin auth md5 0x3f07dbb8731ae864dbafa9286555828d  priv 0x3f07dbb8731ae864dbafa9286555828d localizedkey rmon event 1 description FATAL(1) owner PMON@FATAL rmon event 2 description CRITICAL(2) owner PMON@CRITICAL rmon event 3 description ERROR(3) owner PMON@ERROR rmon event 4 description WARNING(4) owner PMON@WARNING rmon event 5 description INFORMATION(5) owner PMON@INFO fabric forwarding anycast-gateway-mac 0001.0001.0001 ip pim rp-address 192.168.238.1 group-list 238.0.0.0/24 bidir ip pim ssm range 232.0.0.0/8 vlan 1,10,20,30,77 vlan 10   name L2VNI-for-VLAN10   vn-segment 10000 vlan 20   name L2VNI-for-VLAN20   vn-segment 20000 vlan 30   name L2VNI-for-VLAN30   vn-segment 30000 vlan 77   name TENANT77   vn-segment 10077 spanning-tree vlan 1-3967 priority 4096 route-map PROTECTED_SEGMENTS permit 10   match ip address PROTECTED_SEGMENTS vrf context TENANT77   vni 10077   ip route 192.168.30.0/24 192.168.12.2   rd auto   address-family ipv4 unicast     route-target export 65000:10077     route-target both auto evpn vrf context VPC-Peer-Keepalive vrf context management hardware access-list tcam region racl 512 hardware access-list tcam region arp-ether 256 double-wide vpc domain 23   peer-switch   peer-keepalive destination 10.102.103.102 source 10.102.103.103 vrf VPC-Peer-Keepalive   delay restore 240   peer-gateway   delay restore interface-vlan 80   ip arp synchronize interface Vlan1   no shutdown   no ip redirects   no ipv6 redirects interface Vlan10   no shutdown   vrf member TENANT77   no ip redirects   ip address 192.168.11.1/24   no ipv6 redirects   fabric forwarding mode anycast-gateway interface Vlan20   no shutdown   vrf member TENANT77   no ip redirects   ip address 192.168.12.1/24   no ipv6 redirects   fabric forwarding mode anycast-gateway interface Vlan77   no shutdown   vrf member TENANT77   no ip redirects   ip forward   no ipv6 redirects interface port-channel10   switchport mode trunk   vpc 10 interface port-channel20   switchport mode trunk   vpc 20 interface port-channel23   switchport mode trunk   spanning-tree port type network   vpc peer-link interface nve1   no shutdown   host-reachability protocol bgp   advertise virtual-rmac   source-interface loopback100   member vni 10000     suppress-arp     mcast-group 238.0.0.10   member vni 10077 associate-vrf   member vni 20000     suppress-arp     mcast-group 238.0.0.10   member vni 30000     suppress-arp     mcast-group 238.0.0.10 interface Ethernet1/1   no switchport   medium p2p   ip unnumbered loopback0   ip ospf network point-to-point   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode   no shutdown interface Ethernet1/2   no switchport   medium p2p   vrf member VPC-Peer-Keepalive   ip address 10.102.103.103/24   no shutdown interface Ethernet1/3   description ** Po23 member - vPC PEER-link **   switchport mode trunk   channel-group 23 mode active interface Ethernet1/4   description ** Po23 member - vPC PEER-link **   switchport mode trunk   channel-group 23 mode active interface Ethernet1/5   description ** Link to FW-1**   switchport mode trunk   channel-group 10 interface Ethernet1/6   description ** Link to FW-2**   switchport mode trunk   channel-group 20 interface Ethernet1/7   shutdown interface Ethernet1/8 <snipped> interface Ethernet1/64 interface mgmt0   vrf member management interface loopback0   description ** RID/Underlay **   ip address 192.168.0.103/32   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode interface loopback77   description ** BGP peering **   ip address 192.168.77.103/32   ip router ospf UNDERLAY-NET area 0.0.0.0 interface loopback100   description ** VTEP/Overlay **   ip address 192.168.100.103/32   ip address 192.168.100.23/32 secondary   ip router ospf UNDERLAY-NET area 0.0.0.0   ip pim sparse-mode line console line vty router ospf UNDERLAY-NET   router-id 192.168.0.103   name-lookup router bgp 65000   router-id 192.168.77.103   timers bgp 3 9   address-family ipv4 unicast   address-family vpnv4 unicast   address-family l2vpn evpn     advertise-pip   neighbor 192.168.77.11     remote-as 65000     description ** Spine-11 BGP-RR **     update-source loopback77     address-family l2vpn evpn       send-community extended   vrf TENANT   vrf TENANT77     address-family ipv4 unicast       advertise l2vpn evpn       redistribute static route-map PROTECTED_SEGMENTS       aggregate-address 192.168.11.0/24 summary-only evpn   vni 10000 l2     rd auto     route-target import auto     route-target export auto   vni 20000 l2     rd auto     route-target import auto     route-target export auto   vni 30000 l2     rd auto     route-target import auto     route-target export auto Leaf-103#

FW-1

FW-1#sh run Building configuration... Current configuration : 3699 bytes ! ! Last configuration change at 09:58:30 UTC Thu Oct 18 2018 ! version 15.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config ! hostname FW-1 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! ! !         vtp mode transparent ! ! ! ip cef no ipv6 cef ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 20  name ** Outside ** ! vlan 30  name ** Inside ** ! ! ! interface Port-channel10  switchport trunk encapsulation dot1q  switchport mode trunk ! interface GigabitEthernet0/0  media-type rj45  negotiation auto ! interface GigabitEthernet0/1  description ** Link to Fabric **  switchport trunk encapsulation dot1q  switchport mode trunk  media-type rj45  negotiation auto  channel-group 10 mode on ! interface GigabitEthernet0/2  description ** Link to Fabric **  switchport trunk encapsulation dot1q  switchport mode trunk  media-type rj45  negotiation auto  channel-group 10 mode on ! interface Vlan20  description ** Outside **  ip address 192.168.12.11 255.255.255.0  standby 20 ip 192.168.12.2  standby 20 priority 110  standby 20 preempt ! interface Vlan30  description ** Inside **  ip address 192.168.30.11 255.255.255.0  ip access-group OUT-IN-Acl out  standby 30 ip 192.168.30.1  standby 30 priority 110  standby 30 preempt ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 192.168.12.1 ! ip access-list extended OUT-IN-Acl  remark ***************************  remark ** ICMP ECHO/ECHO-REPLY  **  permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL  permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL ! ! ! ! control-plane ! line con 0 line aux 0 line vty 0 4  login ! ! end FW-1#

FW-2

FW-2#sh run Building configuration... Current configuration : 3697 bytes ! ! Last configuration change at 09:48:03 UTC Thu Oct 18 2018 ! version 15.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption service compress-config ! hostname FW-2 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! ! !         vtp mode transparent ! ! ! ip cef no ipv6 cef ! ! ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! vlan 20  name ** Outside ** ! vlan 30  name ** Inside ** ! ! interface Port-channel20  switchport trunk encapsulation dot1q  switchport mode trunk ! interface GigabitEthernet0/0  media-type rj45  negotiation auto ! interface GigabitEthernet0/1  description ** Link to Fabric **  switchport trunk encapsulation dot1q  switchport mode trunk  media-type rj45  negotiation auto  channel-group 20 mode on ! interface GigabitEthernet0/2  description ** Link to Fabric **  switchport trunk encapsulation dot1q  switchport mode trunk  media-type rj45  negotiation auto  channel-group 20 mode on ! interface Vlan20  description ** Outside **  ip address 192.168.12.12 255.255.255.0  standby 20 ip 192.168.12.2  standby 20 priority 90  standby 20 preempt ! interface Vlan30  description ** Inside **  ip address 192.168.30.12 255.255.255.0  ip access-group OUT-IN-Acl out  standby 30 ip 192.168.30.1  standby 30 priority 90  standby 30 preempt ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 192.168.12.1 ! ip access-list extended OUT-IN-Acl  remark ***************************  remark ** ICMP ECHO/ECHO-REPLY  **  permit icmp any host 192.168.30.30 echo reflect IN-OUT-Mirror-ACL  permit icmp any host 192.168.30.30 echo-reply reflect IN-OUT-Mirror-ACL ! ! ! ! control-plane C ! line con 0 line aux 0 line vty 0 4  login ! ! end FW-2#