AVD example for a single data center using L3LS¶
Introduction¶
This example is meant to be used as the logical second step in introducing AVD to new users, directly following the Introduction to Ansible and AVD section. New users with access to virtual switches (using Arista vEOS-lab or cEOS) can learn how to generate configuration and documentation for a complete fabric environment. Users with access to physical switches will have to adapt a few settings. This is all documented inline in the comments included in the YAML files. If a lab with virtual or physical switches is not accessible, this example can still be used just to generate the output from AVD.
The example includes and describes all the AVD files and their content used to build an L3LS EVPN/VXLAN Symmetric IRB network covering a single DC using the following:
- Two (virtual) spine switches.
- Two sets of (virtual) leaf switches, serving endpoints such as servers.
- Two (virtual) layer2-only switches, often used for server management connectivity.
Ansible playbooks are included to show the following:
- Building the intended configuration and documentation
- Deploying the configuration directly to the switches using eAPI
- Deploying the configuration via CloudVision to the switches, including a full change-based workflow with rollback capability etc.
Installation¶
Requirements to use this example:
- Follow the installation guide for AVD
- Run the following playbook to copy the AVD examples to your current working directory, for example `ansible-avd-examples`:
This will show the following:
~/ansible-avd-examples# ansible-playbook arista.avd.install_examples
PLAY [Install Examples]**********************************************************************************************
TASK [Copy all examples to ~/ansible-avd-examples]*******************************************************************
changed: [localhost]
PLAY RECAP
*********************************************************************************************************************
localhost : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Info
If the content of any file is modified and the playbook is rerun, the file will not be overwritten. However, if any file in the example is deleted and the playbook is rerun, Ansible will re-create the file.
After the playbook has run successfully, the directory structure of the example should look like below, the contents of which will be covered in later sections:
ansible-avd-examples/ (or wherever the playbook was run)
├── single-dc-l3ls
│   ├── ansible.cfg
│   ├── documentation
│   ├── group_vars
│   ├── images
│   ├── intended
│   ├── inventory.yml
│   ├── build.yml
│   ├── deploy.yml
│   ├── deploy-cvp.yml
│   ├── README.md
│   └── switch-basic-configurations
Overall design overview¶
Physical topology¶
The drawing below shows the physical topology used in this example. The interface assignment shown here is referenced across the entire example, so keep that in mind if this example must be adapted to a different topology. Finally, the Ansible host is connected to the dedicated out-of-band management port (Ethernet0 when using vEOS-lab):
IP ranges used¶
| Out-of-band management IP allocation for DC1 | 172.16.1.0/24 |
|---|---|
| Default gateway | 172.16.1.1 |
| dc1-spine1 | 172.16.1.11 |
| dc1-spine2 | 172.16.1.12 |
| dc1-leaf1a | 172.16.1.101 |
| dc1-leaf1b | 172.16.1.102 |
| dc1-leaf2a | 172.16.1.103 |
| dc1-leaf2b | 172.16.1.104 |
| dc1-leaf1c | 172.16.1.151 |
| dc1-leaf2c | 172.16.1.152 |
| Point-to-point links between leaf and spine (Underlay) | |
| DC1 | 10.255.255.0/26 |
| Loopback0 interfaces used for EVPN peering | 10.255.0.0/27 |
| Loopback1 interfaces used for VTEP (Leaf switches) | |
| DC1 | 10.255.1.0/27 |
| VTEP Loopbacks used for diagnostics (Leaf switches) | |
| VRF10 | 10.255.10.0/27 |
| VRF11 | 10.255.11.0/27 |
| SVIs (interface vlan…) | 10.10.<VLAN-ID>.0/24 |
| For example interface VLAN11 has the IP address: | 10.10.11.1 |
| MLAG Peer-link (interface vlan 4094) (Leaf switches) | |
| DC1 | 10.255.1.64/27 |
| MLAG iBGP Peering (interface vlan 4093) (Leaf switches) | |
| DC1 | 10.255.1.96/27 |
| CloudVision Portal | |
| cvp | 192.168.1.12 |
BGP design¶
Basic EOS config¶
Basic connectivity between the Ansible host and the switches must be established before Ansible can be used to push configurations. You must configure the following on all switches:
- A hostname configured purely for ease of understanding.
- An IP enabled interface - in this example, the dedicated out-of-band management interface is used.
- A username and password with the proper access privileges.
Below is the basic configuration file for `dc1-leaf1a`:
! ansible-avd-examples/single-dc-l3ls/switch-basic-configurations/dc1-leaf1a-basic-configuration.txt
! Basic EOS config
!
! Hostname of the device
hostname dc1-leaf1a
!
! Configures username and password for the ansible user
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
! Defines the VRF for MGMT
vrf instance MGMT
!
! Defines the settings for the Management1 interface through which Ansible reaches the device
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ! IP address - must be set uniquely per device
   ip address 172.16.1.101/24
!
! Static default route for VRF MGMT
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
! Enables API access in VRF MGMT
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
end
!
! Save configuration to flash
copy running-config startup-config
Note
The folder `single-dc-l3ls/switch-basic-configurations/` contains a file per device for the initial configurations.
Ansible inventory, group vars, and naming scheme¶
The following drawing shows a graphic overview of the Ansible inventory, group variables, and naming scheme used in this example:
Note
The two servers `dc1-leaf1-server1` and `dc1-leaf2-server1` at the bottom are not configured by AVD, but the switch ports used to connect to the servers are.
Group names use uppercase and underscore syntax:
- CLOUDVISION
- FABRIC
- DC1
- DC1_SPINES
- DC1_L3_LEAVES
- DC1_L2_LEAVES
All hostnames use lowercase and dashes, for example:
- cvp
- dc1-spine1
- dc1-leaf1a
- dc1-leaf2c
The drawing also shows the relationships between groups and their children:
- For example, `dc1-spine1` and `dc1-spine2` are both children of the group called `DC1_SPINES`.
Additionally, groups themselves can be children of another group, for example:
- `DC1_L3_LEAVES` is a group consisting of the groups `DC1_LEAF1` and `DC1_LEAF2`
- `DC1_L3_LEAVES` is also a child of the group `DC1`.
This naming convention makes it possible to extend anything easily, but as always, this can be changed based on your preferences. Just ensure that the names of all groups and hosts are unique.
Content of the inventory.yml file¶
This section describes the entire `ansible-avd-examples/single-dc-l3ls/inventory.yml` file used to represent the above topology.
It is important that the hostnames specified in the inventory exist either in DNS or in the hosts file on your Ansible host to allow successful name lookup and be able to reach the switches directly. A successful ping from the Ansible host to each inventory host verifies name resolution (e.g., `ping dc1-spine1`).
Alternatively, if there is no DNS available, or if devices need to be reached using a fully qualified domain name (FQDN), define `ansible_host` to be an IP address or FQDN for each device - see below for an example:
---
all:
  children:
    CLOUDVISION:
      hosts:
        cvp:
          # Ansible variables used by the ansible_avd and ansible_cvp roles to push configuration to devices via CVP
          ansible_host: 192.168.1.12
          ansible_user: ansible
          ansible_password: ansible
          ansible_connection: httpapi
          ansible_httpapi_use_ssl: true
          ansible_httpapi_validate_certs: false
          ansible_network_os: eos
    FABRIC:
      children:
        DC1:
          children:
            DC1_SPINES:
              hosts:
                dc1-spine1:
                  ansible_host: 172.16.1.11
                dc1-spine2:
                  ansible_host: 172.16.1.12
            DC1_L3_LEAVES:
              hosts:
                dc1-leaf1a:
                  ansible_host: 172.16.1.101
                dc1-leaf1b:
                  ansible_host: 172.16.1.102
                dc1-leaf2a:
                  ansible_host: 172.16.1.103
                dc1-leaf2b:
                  ansible_host: 172.16.1.104
            DC1_L2_LEAVES:
              hosts:
                dc1-leaf1c:
                  ansible_host: 172.16.1.151
                dc1-leaf2c:
                  ansible_host: 172.16.1.152
    NETWORK_SERVICES:
      children:
        DC1_L3_LEAVES:
        DC1_L2_LEAVES:
    CONNECTED_ENDPOINTS:
      children:
        DC1_L3_LEAVES:
        DC1_L2_LEAVES:
The above is what is included in this example, purely to make it as simple as possible to get started. However, do not carry this practice over to a production environment, where an inventory file for an identical topology should look as follows when using DNS:
---
all:
  children:
    CLOUDVISION: # (1)!
      hosts:
        cvp:
          # Ansible variables used by the ansible_avd and ansible_cvp roles to push configuration to devices via CVP
          ansible_httpapi_host: cvp
          ansible_host: cvp
          ansible_user: ansible
          ansible_password: ansible
          ansible_connection: httpapi
          ansible_httpapi_use_ssl: true
          ansible_httpapi_validate_certs: false
          ansible_network_os: eos
          # Configuration to get Virtual Env information
          ansible_python_interpreter: $(which python3)
    FABRIC:
      children:
        DC1:
          children:
            DC1_SPINES:
              hosts:
                dc1-spine1:
                dc1-spine2:
            DC1_L3_LEAVES:
              hosts:
                dc1-leaf1a:
                dc1-leaf1b:
                dc1-leaf2a:
                dc1-leaf2b:
            DC1_L2_LEAVES:
              hosts:
                dc1-leaf1c:
                dc1-leaf2c:
    NETWORK_SERVICES: # (2)!
      children:
        DC1_L3_LEAVES:
        DC1_L2_LEAVES:
    CONNECTED_ENDPOINTS: # (3)!
      children:
        DC1_L3_LEAVES:
        DC1_L2_LEAVES:
1. `CLOUDVISION`
   - Defines the relevant values required to enable communication with CloudVision.
   - Specifically the hostname (`cvp`) of the CloudVision Portal server used, the username (`ansible`) and password (`ansible`), connection method (`httpapi`), SSL and certificate settings.
   - Please note that the username (`ansible`) and password (`ansible`) defined here must exist in CloudVision.
   - More information is available here
2. `NETWORK_SERVICES`
   - Creates a group named `NETWORK_SERVICES`. Ansible variable resolution resolves this group name to the identically named group_vars file (`ansible-avd-examples/single-dc-l3ls/group_vars/NETWORK_SERVICES.yml`).
   - The file's contents, which in this case are specifications of VRFs and VLANs, are then applied to the group's children. In this case, the two groups `DC1_L3_LEAVES` and `DC1_L2_LEAVES`.
3. `CONNECTED_ENDPOINTS`
   - Creates a group named `CONNECTED_ENDPOINTS`. Ansible variable resolution resolves this group name to the identically named group_vars file (`ansible-avd-examples/single-dc-l3ls/group_vars/CONNECTED_ENDPOINTS.yml`).
   - The file's contents, which in this case are specifications of connected endpoints (typically servers), are then applied to the children of the group, in this case, the two groups `DC1_L3_LEAVES` and `DC1_L2_LEAVES`.
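The group-variable resolution described above (a host receives the group_vars of every group it is nested under, including groups such as `NETWORK_SERVICES` that only reference other groups as children) can be checked without Ansible installed. The script below is an added example, not part of the AVD example or the `arista.avd` collection; `INVENTORY` is a transcription of the example inventory above into a Python dict (only the group and host names are needed) so that it runs without PyYAML.

```python
"""Resolve which inventory groups (and so which group_vars files) apply to each host.

Added example, not part of the AVD example or the arista.avd collection.
INVENTORY mirrors the example's inventory.yml as a dict so no PyYAML is needed.
"""
from __future__ import annotations

# Constructed to mirror the example inventory: each group is a dict with
# optional "hosts" and "children" keys; an empty child entry is None, as in YAML.
INVENTORY = {
    "all": {"children": {
        "CLOUDVISION": {"hosts": {"cvp": None}},
        "FABRIC": {"children": {
            "DC1": {"children": {
                "DC1_SPINES": {"hosts": {"dc1-spine1": None, "dc1-spine2": None}},
                "DC1_L3_LEAVES": {"hosts": {"dc1-leaf1a": None, "dc1-leaf1b": None,
                                            "dc1-leaf2a": None, "dc1-leaf2b": None}},
                "DC1_L2_LEAVES": {"hosts": {"dc1-leaf1c": None, "dc1-leaf2c": None}},
            }},
        }},
        "NETWORK_SERVICES": {"children": {"DC1_L3_LEAVES": None, "DC1_L2_LEAVES": None}},
        "CONNECTED_ENDPOINTS": {"children": {"DC1_L3_LEAVES": None, "DC1_L2_LEAVES": None}},
    }},
}


def _walk(group: str, body: dict | None, hosts_of: dict, parents_of: dict) -> None:
    """Record the hosts directly under `group` and the parent(s) of each child group.

    A group may be referenced from several parents (DC1_L3_LEAVES appears under
    DC1, NETWORK_SERVICES and CONNECTED_ENDPOINTS), so parents accumulate.
    """
    body = body or {}
    hosts_of.setdefault(group, set()).update((body.get("hosts") or {}).keys())
    for child, child_body in (body.get("children") or {}).items():
        parents_of.setdefault(child, set()).add(group)
        _walk(child, child_body, hosts_of, parents_of)


def host_groups(inventory: dict) -> dict[str, set[str]]:
    """Return {host: every group whose group_vars apply to it}, excluding 'all'."""
    hosts_of: dict[str, set[str]] = {}
    parents_of: dict[str, set[str]] = {}
    _walk("all", inventory["all"], hosts_of, parents_of)

    result: dict[str, set[str]] = {}
    for group, hosts in hosts_of.items():
        # Climb from the group that lists the host to every ancestor group.
        ancestors, stack = set(), [group]
        while stack:
            g = stack.pop()
            if g not in ancestors:
                ancestors.add(g)
                stack.extend(parents_of.get(g, ()))
        for host in hosts:
            result.setdefault(host, set()).update(ancestors - {"all"})
    return result


def hosts_in(inventory: dict, group: str) -> set[str]:
    """Hosts that inherit variables from `group`: the reach of that group_vars file."""
    return {h for h, groups in host_groups(inventory).items() if group in groups}


if __name__ == "__main__":
    for host, groups in sorted(host_groups(INVENTORY).items()):
        print(f"{host:12} <- {', '.join(sorted(groups))}")
```

Running it shows that the leaf switches pick up `FABRIC`, `DC1`, their leaf group, `NETWORK_SERVICES` and `CONNECTED_ENDPOINTS`, while the spines never see the last two, so VRF, VLAN and endpoint definitions are only rendered on leaves. With Ansible installed, `ansible-inventory -i inventory.yml --graph` prints the same tree from the real file.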
Defining device types¶
Since this example covers building an L3LS network, AVD must know about the device types, for example, spines, L3 leaves, L2 leaves, etc. The devices are already grouped in the inventory, so the device types are specified in the group variable files with the following names and content:
For example, all switches that are children of the DC1_SPINES group defined in the inventory will be of type `spine`.
Setting fabric-wide configuration parameters¶
The `ansible-avd-examples/single-dc-l3ls/group_vars/FABRIC.yml` file defines generic settings that apply to all children of the `FABRIC` group as specified in the inventory described earlier.
The first section defines how the Ansible host connects to the devices:
ansible_connection: ansible.netcommon.httpapi # (1)!
ansible_network_os: arista.eos.eos # (2)!
ansible_user: ansible # (3)!
ansible_password: ansible
ansible_become: true
ansible_become_method: enable # (4)!
ansible_httpapi_use_ssl: true # (5)!
ansible_httpapi_validate_certs: false # (6)!
1. The Ansible host must use eAPI
2. Network OS which in this case is Arista EOS
3. The username/password combo
4. How to escalate privileges to get write access
5. Use SSL
6. Do not validate SSL certificates
The following section specifies variables that generate configuration to be applied to all devices in the fabric:
fabric_name: FABRIC # (1)!
underlay_routing_protocol: ebgp
overlay_routing_protocol: ebgp
local_users: # (2)!
  - name: ansible
    privilege: 15
    role: network-admin
    sha512_password: $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
  - name: admin
    privilege: 15
    role: network-admin
    no_password: true
bgp_peer_groups: # (3)!
  evpn_overlay_peers:
    password: Q4fqtbqcZ7oQuKfuWtNGRQ==
  ipv4_underlay_peers:
    password: 7x4B4rnJhZB438m9+BrBfQ==
  mlag_ipv4_underlay_peer:
    password: 4b21pAdCvWeAqpcKDFMdWw==
p2p_uplinks_mtu: 1500 # (4)!
default_interfaces: # (5)!
  - types: [ spine ]
    platforms: [ default ]
    uplink_interfaces: [ Ethernet1-2 ]
    downlink_interfaces: [ Ethernet1-8 ]
  - types: [ l3leaf ]
    platforms: [ default ]
    uplink_interfaces: [ Ethernet1-2 ]
    mlag_interfaces: [ Ethernet3-4 ]
    downlink_interfaces: [ Ethernet8 ]
  - types: [ l2leaf ]
    platforms: [ default ]
    uplink_interfaces: [ Ethernet1-2 ]
cvp_instance_ips:
  - 192.168.1.12 # (6)!
terminattr_smashexcludes: "ale,flexCounter,hardware,kni,pulse,strata"
terminattr_ingestexclude: "/Sysdb/cell/1/agent,/Sysdb/cell/2/agent"
terminattr_disable_aaa: true
name_servers: # (7)!
  - 192.168.1.1
ntp_settings: # (8)!
  server_vrf: use_mgmt_interface_vrf
  servers:
    - name: 192.168.200.5
1. The name of the fabric for internal AVD use. This name must match the name of an Ansible Group (and therefore a corresponding group_vars file) covering all network devices.
2. Local users/passwords and their privilege levels. In this case, the `ansible` user is set with the password `ansible` and an `admin` user is set with no password.
3. BGP peer groups and their passwords (all passwords are "arista").
4. Point-to-point interface MTU, in this case, is set to 1500 since the example uses vEOS, but when using hardware, this should be set to 9214 instead.
5. Defines which interfaces to use for uplinks, MLAG peer-links and downlinks. In this example they are specified per node type. `uplink_interfaces` specify which local interfaces connect to an upstream device. `mlag_interfaces` specify which local interfaces connect to an MLAG peer. `downlink_interfaces` specify which local interfaces connect to a downstream device.
6. Relevant settings for the `TerminAttr` software agent on EOS, responsible for streaming telemetry back to CloudVision Portal.
7. DNS Server specification. Used in this example primarily to resolve the IP address of the NTP server.
8. NTP server settings. Correct and synchronized time on EOS is required for proper connectivity to CloudVision Portal.
Setting device specific configuration parameters¶
The `ansible-avd-examples/single-dc-l3ls/group_vars/DC1.yml` file defines settings that apply to all children of the `DC1` group as specified in the inventory described earlier. However, this time the settings defined are no longer fabric-wide but are limited to DC1. This is of limited benefit with only a single data center, but it allows the configuration to scale to a scenario with multiple data centers in the future.
---
mgmt_gateway: 172.16.1.1 # (1)!
spine:
  defaults:
    platform: vEOS-lab # (2)!
    loopback_ipv4_pool: 10.255.0.0/27 # (3)!
    bgp_as: 65100 # (4)!
  nodes: # (5)!
    - name: dc1-spine1
      id: 1 # (6)!
      mgmt_ip: 172.16.1.11/24 # (7)!
    - name: dc1-spine2
      id: 2
      mgmt_ip: 172.16.1.12/24
1. The default gateway for the management interface of all devices in DC1 is defined.
2. `platform` references default settings defined in AVD specific to certain switch platforms.
3. `loopback_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for Loopback0.
4. `bgp_as` defines the BGP AS number.
5. `nodes` defines the actual spine switches, using the hostnames defined in the inventory.
6. `id` is used to calculate the various IP addresses, for example, the IPv4 address for the Loopback0 interface. In this case, dc1-spine1 will get the IPv4 address 10.255.0.1/27 assigned to the Loopback0 interface.
7. `mgmt_ip` defines the IPv4 address of the management interface. As stated earlier, Ansible will perform name lookups using the hostnames specified in the inventory unless using the `ansible_host` option. However, there is no automatic mechanism to grab the result of the name lookup and use that to generate the management interface configuration.
The following section covers the L3 leaf switches. Significantly more settings need to be set compared to the spine switches:
l3leaf:
  defaults:
    platform: vEOS-lab # (1)!
    loopback_ipv4_pool: 10.255.0.0/27 # (2)!
    loopback_ipv4_offset: 2 # (3)!
    vtep_loopback_ipv4_pool: 10.255.1.0/27 # (4)!
    uplink_interfaces: ['Ethernet1', 'Ethernet2'] # (5)!
    uplink_switches: ['dc1-spine1', 'dc1-spine2'] # (6)!
    uplink_ipv4_pool: 10.255.255.0/26 # (7)!
    mlag_interfaces: ['Ethernet3', 'Ethernet4'] # (8)!
    mlag_peer_ipv4_pool: 10.255.1.64/27 # (9)!
    mlag_peer_l3_ipv4_pool: 10.255.1.96/27 # (10)!
    virtual_router_mac_address: 00:1c:73:00:00:99 # (11)!
    spanning_tree_priority: 4096 # (12)!
    spanning_tree_mode: mstp # (13)!
  node_groups: # (14)!
    - group: DC1_L3_LEAF1
      bgp_as: 65101 # (15)!
      nodes:
        - name: dc1-leaf1a
          id: 1
          mgmt_ip: 172.16.1.101/24
          uplink_switch_interfaces: # (16)!
            - Ethernet1
            - Ethernet1
        - name: dc1-leaf1b
          id: 2
          mgmt_ip: 172.16.1.102/24
          uplink_switch_interfaces:
            - Ethernet2
            - Ethernet2
    - group: DC1_L3_LEAF2
      bgp_as: 65102
      nodes:
        - name: dc1-leaf2a
          id: 3
          mgmt_ip: 172.16.1.103/24
          uplink_switch_interfaces:
            - Ethernet3
            - Ethernet3
        - name: dc1-leaf2b
          id: 4
          mgmt_ip: 172.16.1.104/24
          uplink_switch_interfaces:
            - Ethernet4
            - Ethernet4
1. `platform` references default settings defined in AVD specific to certain switch platforms.
2. `loopback_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for Loopback0. Please note that this IP pool is identical to the one used for the spine switches in this example. To avoid setting the same IP addresses for several devices, we define the option `loopback_ipv4_offset`.
3. `loopback_ipv4_offset` offsets all assigned loopback IP addresses counting from the beginning of the IP scope. This is required to avoid overlapping IPs when the same IP pool is used for two different node_types (like spine and l3leaf in this example). The offset is "2" because each spine switch uses one loopback address.
4. `vtep_loopback_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for the VTEP (Loopback1).
5. `uplink_interfaces` used by the `l3leaf` nodes to connect to the spine switches.
6. `uplink_switches` defines the uplink switches, which are dc1-spine1 and dc1-spine2. Note that the `uplink_interfaces` and `uplink_switches` are paired vertically.
7. `uplink_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for the uplink interfaces that were just defined.
8. `mlag_interfaces` defines the MLAG interfaces used on each leaf switch.
9. `mlag_peer_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for the MLAG peer link interface VLAN4094.
10. `mlag_peer_l3_ipv4_pool` defines the IP scope from which AVD assigns IPv4 addresses for the iBGP peering established between the two leaf switches via the SVI/IRB interface VLAN4093.
11. `virtual_router_mac_address` defines the MAC address used for the anycast gateway on the various subnets. This is the MAC address connected endpoints will learn when ARPing for their default gateway.
12. `spanning_tree_priority` sets the spanning tree priority. Since spanning tree in an L3LS network is effectively only running locally on the switch, the same priority across all L3 leaf switches can be re-used.
13. `spanning_tree_mode` defines the spanning tree mode. In this case, we are using MSTP, which is the default. However, other modes are supported should they be required, for example, for connectivity to legacy or third-party vendor environments.
14. `node_groups` defines settings common to more than one node. For example, when exactly two nodes are part of a node group for leaf switches, AVD will, by default, automatically generate MLAG configuration.
15. `bgp_as` is defined once since an MLAG pair shares a single BGP AS number.
16. `uplink_switch_interfaces` defines the interfaces used on the uplink switches (Ethernet1 on dc1-spine1 and dc1-spine2 in this example).
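The pool, offset and `id` values above are all that AVD needs to derive the Loopback0, VTEP and point-to-point uplink addresses, and annotation 7 of the spine section notes that `mgmt_ip` is typed by hand rather than taken from the inventory. The script below is an added example, not code from the AVD project: it reproduces the addresses visible in the generated `dc1-spine1` configuration later on this page (Loopback0 10.255.0.1/32, Ethernet1-4 at 10.255.255.0, .4, .8 and .12/31), checks that no address is assigned twice once the spine and leaf pools overlap, and compares every `mgmt_ip` with the inventory's `ansible_host`. It assumes the same allocation rule holds for the addresses the page does not show and that `loopback_ipv4_offset` is applied to the VTEP loopback as well.

```python
"""Derive the Loopback0, VTEP and uplink /31 addresses from the DC1.yml pools
and cross-check them against the inventory.

Added example, not code from the AVD project. The arithmetic matches the
dc1-spine1 configuration shown on this page; applying it to every node and
to the VTEP loopback is an assumption.
"""
from __future__ import annotations

import ipaddress

# Constructed from the DC1.yml and inventory.yml values on this page.
SPINE = {
    "loopback_ipv4_pool": "10.255.0.0/27", "loopback_ipv4_offset": 0,
    "nodes": {"dc1-spine1": {"id": 1, "mgmt_ip": "172.16.1.11/24"},
              "dc1-spine2": {"id": 2, "mgmt_ip": "172.16.1.12/24"}},
}
L3LEAF = {
    "loopback_ipv4_pool": "10.255.0.0/27", "loopback_ipv4_offset": 2,
    "vtep_loopback_ipv4_pool": "10.255.1.0/27",
    "uplink_ipv4_pool": "10.255.255.0/26",
    "uplink_switches": ["dc1-spine1", "dc1-spine2"],
    "nodes": {
        "dc1-leaf1a": {"id": 1, "mgmt_ip": "172.16.1.101/24", "uplink_switch_interfaces": ["Ethernet1", "Ethernet1"]},
        "dc1-leaf1b": {"id": 2, "mgmt_ip": "172.16.1.102/24", "uplink_switch_interfaces": ["Ethernet2", "Ethernet2"]},
        "dc1-leaf2a": {"id": 3, "mgmt_ip": "172.16.1.103/24", "uplink_switch_interfaces": ["Ethernet3", "Ethernet3"]},
        "dc1-leaf2b": {"id": 4, "mgmt_ip": "172.16.1.104/24", "uplink_switch_interfaces": ["Ethernet4", "Ethernet4"]},
    },
}
# ansible_host values from the first inventory.yml on this page.
ANSIBLE_HOST = {"dc1-spine1": "172.16.1.11", "dc1-spine2": "172.16.1.12",
                "dc1-leaf1a": "172.16.1.101", "dc1-leaf1b": "172.16.1.102",
                "dc1-leaf2a": "172.16.1.103", "dc1-leaf2b": "172.16.1.104"}


def nth_address(pool: str, index: int) -> str:
    """Return the index-th address of pool, refusing to run past its end."""
    net = ipaddress.ip_network(pool)
    if not 0 <= index < net.num_addresses:
        raise ValueError(f"index {index} does not fit in pool {pool}")
    return str(net.network_address + index)


def loopback0(node_type: dict, node_id: int) -> str:
    """Loopback0 = pool[id + offset]; the offset keeps spines and leaves apart."""
    return nth_address(node_type["loopback_ipv4_pool"], node_id + node_type["loopback_ipv4_offset"])


def vtep_loopback(node_type: dict, node_id: int) -> str:
    """Loopback1 (VTEP) = vtep pool[id + offset]; offset applied by assumption."""
    return nth_address(node_type["vtep_loopback_ipv4_pool"], node_id + node_type["loopback_ipv4_offset"])


def uplink_p2p(node_type: dict, node_id: int, uplink_index: int) -> tuple[str, str]:
    """Return (leaf_ip, spine_ip), each with a /31 mask, for one uplink.

    Each leaf consumes one /31 per uplink switch in id order, so the /31 index
    is (id - 1) * uplinks + uplink_index; the spine side gets the first address.
    """
    base = ((node_id - 1) * len(node_type["uplink_switches"]) + uplink_index) * 2
    pool = node_type["uplink_ipv4_pool"]
    return f"{nth_address(pool, base + 1)}/31", f"{nth_address(pool, base)}/31"


def fabric_addresses() -> dict[str, dict[str, str]]:
    """Assemble every derived address per node and reject any address used twice."""
    plan = {name: {"Loopback0": loopback0(SPINE, n["id"])} for name, n in SPINE["nodes"].items()}
    for name, node in L3LEAF["nodes"].items():
        plan[name] = {"Loopback0": loopback0(L3LEAF, node["id"]),
                      "Loopback1": vtep_loopback(L3LEAF, node["id"])}
        for i, spine in enumerate(L3LEAF["uplink_switches"]):
            leaf_ip, spine_ip = uplink_p2p(L3LEAF, node["id"], i)
            plan[name][f"Ethernet{i + 1}"] = leaf_ip  # uplink_interfaces are Ethernet1-2
            plan[spine][node["uplink_switch_interfaces"][i]] = spine_ip
    owner: dict[str, str] = {}
    for node, ifaces in plan.items():
        for iface, cidr in ifaces.items():
            ip = cidr.split("/")[0]
            if ip in owner:
                raise ValueError(f"{node} {iface} reuses {ip}, already on {owner[ip]}")
            owner[ip] = f"{node} {iface}"
    return plan


def mgmt_mismatches(node_types: list[dict], ansible_host: dict[str, str]) -> list[str]:
    """mgmt_ip is typed by hand, not taken from the inventory, so compare the two."""
    problems = []
    for node_type in node_types:
        for name, node in node_type["nodes"].items():
            configured = node["mgmt_ip"].split("/")[0]
            if ansible_host.get(name) != configured:
                problems.append(f"{name}: mgmt_ip {configured} vs ansible_host {ansible_host.get(name)}")
    return problems


if __name__ == "__main__":
    for node, ifaces in fabric_addresses().items():
        print(node, ifaces)
    print("mgmt mismatches:", mgmt_mismatches([SPINE, L3LEAF], ANSIBLE_HOST) or "none")
```

Dropping `loopback_ipv4_offset` to 0 makes `fabric_addresses()` raise on the first leaf, because dc1-leaf1a would then claim 10.255.0.1, already owned by dc1-spine1; that is the collision annotation 3 above is there to prevent.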
Finally, more of the same, but this time for the L2 leaf switches:
l2leaf:
  defaults:
    platform: vEOS-lab
    spanning_tree_mode: mstp
  node_groups:
    - group: DC1_L2_LEAF1
      uplink_switches: ['dc1-leaf1a', 'dc1-leaf1b']
      nodes:
        - name: dc1-leaf1c
          id: 1
          mgmt_ip: 172.16.1.151/24
          uplink_switch_interfaces:
            - Ethernet8
            - Ethernet8
    - group: DC1_L2_LEAF2
      uplink_switches: ['dc1-leaf2a', 'dc1-leaf2b']
      nodes:
        - name: dc1-leaf2c
          id: 2
          mgmt_ip: 172.16.1.152/24
          uplink_switch_interfaces:
            - Ethernet8
            - Ethernet8
An L2 leaf switch is simpler than an L3 leaf switch, so there are fewer settings to define.
Specifying network services (VRFs and VLANs) in the EVPN/VXLAN fabric¶
The `ansible-avd-examples/single-dc-l3ls/group_vars/NETWORK_SERVICES.yml` file defines all VRFs and VLANs. This means that regardless of where a given VRF or VLAN must exist, its existence is defined in this file, but the file does not indicate where in the fabric it exists. That was done at the bottom of the inventory file previously described in the Inventory section.
tenants: # (1)!
  - name: TENANT1
    mac_vrf_vni_base: 10000 # (2)!
    vrfs: # (3)!
      - name: VRF10
        vrf_vni: 10 # (4)!
        vtep_diagnostic: # (5)!
          loopback: 10 # (6)!
          loopback_ip_range: 10.255.10.0/27 # (7)!
        svis: # (8)!
          - id: 11
            name: VRF10_VLAN11 # (9)!
            enabled: true
            ip_address_virtual: 10.10.11.1/24 # (10)!
          - id: 12
            name: VRF10_VLAN12
            enabled: true
            ip_address_virtual: 10.10.12.1/24
      - name: VRF11
        vrf_vni: 11
        vtep_diagnostic:
          loopback: 11
          loopback_ip_range: 10.255.11.0/27
        svis:
          - id: 21
            name: VRF11_VLAN21
            enabled: true
            ip_address_virtual: 10.10.21.1/24
          - id: 22
            name: VRF11_VLAN22
            enabled: true
            ip_address_virtual: 10.10.22.1/24
    l2vlans: # (11)!
      - id: 3401
        name: L2_VLAN3401
      - id: 3402
        name: L2_VLAN3402
1. Definition of tenants. Additional level of abstraction in addition to VRFs. In this example just one tenant named `TENANT1` is specified.
2. The base number (`10000`) used to generate the L2VNI numbers automatically, `L2VNI = base number + VLAN-id`. For example, L2VNI for VLAN11 = 10000 + 11 = 10011.
3. VRF definitions inside the tenant.
4. VRF VNI definition.
5. Enable VTEP Network diagnostics. This will create a loopback with virtual source-nat enable to perform diagnostics from the switch.
6. Loopback interface number.
7. Loopback IP range, a unique IP is derived from this range and assigned to each l3 leaf based on its unique id.
8. SVI Definitions for all SVIs within this tenant.
9. SVI Description.
10. IP anycast gateway to be used in the SVI in every leaf across the fabric.
11. These are pure L2 VLANs. They do not have an SVI defined in the l3leafs and they will be bridged inside the VXLAN fabric.
AVD offers granular control of where Tenants and VLANs are configured using `tags` and `filter`. Those areas are not covered in this basic example.
Specifying endpoint connectivity in the EVPN/VXLAN fabric¶
After the previous section, all VRFs and VLANs across the fabric are now defined. The `ansible-avd-examples/single-dc-l3ls/group_vars/CONNECTED_ENDPOINTS.yml` file specifies the connectivity for all endpoints in the fabric (typically servers):
---
# Definition of connected endpoints in the fabric.
servers:
  # Name of the defined server.
  - name: dc1-leaf1-server1
    # Definition of adapters on the server.
    adapters:
      # Name of the server interfaces that will be used in the description of each interface
      - endpoint_ports: [ PCI1, PCI2 ]
        # Device ports where the server ports are connected.
        switch_ports: [ Ethernet5, Ethernet5 ]
        # Device names where the server ports are connected.
        switches: [ dc1-leaf1a, dc1-leaf1b ]
        # VLANs that will be configured on these ports.
        vlans: 11-12,21-22
        # Native VLAN to be used on these ports.
        native_vlan: 4092
        # L2 mode of the port.
        mode: trunk
        # Spanning tree portfast configuration on this port.
        spanning_tree_portfast: edge
        # Definition of the pair of ports as port channel.
        port_channel:
          # The port-channel name on the endpoint that will be used in the port-channel description.
          endpoint_port_channel: Bond1
          # Port channel mode for LACP.
          mode: active
      - endpoint_ports: [ iLO ]
        switch_ports: [ Ethernet5 ]
        switches: [ dc1-leaf1c ]
        vlans: 11
        mode: access
        spanning_tree_portfast: edge
  - name: dc1-leaf2-server1
    adapters:
      - endpoint_ports: [ PCI1, PCI2 ]
        switch_ports: [ Ethernet5, Ethernet5 ]
        switches: [ dc1-leaf2a, dc1-leaf2b ]
        vlans: 11-12,21-22
        native_vlan: 4092
        mode: trunk
        spanning_tree_portfast: edge
        port_channel:
          mode: active
      - endpoint_ports: [ iLO ]
        switch_ports: [ Ethernet5 ]
        switches: [ dc1-leaf2c ]
        vlans: 11
        mode: access
        spanning_tree_portfast: edge
This defines the settings for the relevant switch ports to which the endpoints connect, in this case the two servers `dc1-leaf1-server1` and `dc1-leaf2-server1`.
As an example, here is the configuration for `dc1-leaf1-server1`:
dc1-leaf1-server1:
  adapters: # (1)!
    - endpoint_ports: [ PCI1, PCI2 ] # (2)!
      switch_ports: [ Ethernet5, Ethernet5 ] # (3)!
      switches: [ dc1-leaf1a, dc1-leaf1b ] # (4)!
      vlans: 11-12,21-22 # (5)!
      native_vlan: 4092 # (6)!
      mode: trunk # (7)!
      spanning_tree_portfast: edge # (8)!
      port_channel: # (9)!
        endpoint_port_channel: Bond1
        mode: active
    - endpoint_ports: [ iLO ]
      switch_ports: [ Ethernet5 ]
      switches: [ dc1-leaf1c ]
      vlans: 11
      mode: access
      spanning_tree_portfast: edge
1. The relevant `adapters` are defined. For example, the `type` set to `server` and `ilo` is purely for documentation and readability. It has no operational significance.
2. `endpoint_ports` are defined for use in the interface descriptions on the switch. This does not configure anything on the server.
3. `switch_ports` defines the interfaces used in the switches. In this example the server is dual-connected to Ethernet5 and Ethernet5. These two ports exist on switch dc1-leaf1a and dc1-leaf1b defined in the following line.
4. `switches` defines the switches used, in this case dc1-leaf1a and dc1-leaf1b. Note that the `endpoint_ports`, `switch_ports` and `switches` definitions are paired vertically.
5. `vlans` defines which VLANs are allowed on the switch_ports, in this case it is two ranges, VLAN11-12 and VLAN21-22 for the dual-attached server ports and VLAN11 for the iLO port.
6. `native_vlan` specifies the native VLAN when the switch port mode is set to trunk.
7. `mode` is set to trunk for the dual-attached server ports and access for the iLO port.
8. `spanning_tree_portfast` defines whether the switch port should be a spanning tree edge or network port.
9. `port_channel` defines the port-channel name on the endpoint that will be used in the port-channel description and mode for the port-channel.
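Two points from the last two sections lend themselves to a pre-flight check before `build.yml` is run: the L2VNI rule `L2VNI = mac_vrf_vni_base + VLAN-id` from the network services section, and the requirement here that `endpoint_ports`, `switch_ports` and `switches` pair up vertically. The script below is an added example, not part of the AVD example or the `arista.avd` collection; the checks are ours, not AVD's own schema validation. `TENANTS` and `SERVERS` transcribe the YAML above into Python dicts (so no PyYAML is needed), and `KNOWN_SWITCHES` is the set of hosts in the `DC1_L3_LEAVES` and `DC1_L2_LEAVES` inventory groups, which is the set an endpoint may reference. It flags mismatched pairing, a switch that is not in the inventory, a VLAN requested on a port but never defined, an access port carrying more than one VLAN, an SVI or L2 VLAN entry that has no `id`, and an L2VNI that collides with a `vrf_vni`.

```python
"""Pre-flight checks over NETWORK_SERVICES and CONNECTED_ENDPOINTS data.

Added example, not part of the AVD example or the arista.avd collection.
TENANTS, SERVERS and KNOWN_SWITCHES are transcriptions of the YAML and
inventory on this page; the checks are ours, not AVD's own validation.
"""
from __future__ import annotations

TENANTS = [{
    "name": "TENANT1",
    "mac_vrf_vni_base": 10000,
    "vrfs": [
        {"name": "VRF10", "vrf_vni": 10,
         "svis": [{"id": 11, "name": "VRF10_VLAN11", "ip_address_virtual": "10.10.11.1/24"},
                  {"id": 12, "name": "VRF10_VLAN12", "ip_address_virtual": "10.10.12.1/24"}]},
        {"name": "VRF11", "vrf_vni": 11,
         "svis": [{"id": 21, "name": "VRF11_VLAN21", "ip_address_virtual": "10.10.21.1/24"},
                  {"id": 22, "name": "VRF11_VLAN22", "ip_address_virtual": "10.10.22.1/24"}]},
    ],
    "l2vlans": [{"id": 3401, "name": "L2_VLAN3401"}, {"id": 3402, "name": "L2_VLAN3402"}],
}]

SERVERS = [
    {"name": "dc1-leaf1-server1", "adapters": [
        {"endpoint_ports": ["PCI1", "PCI2"], "switch_ports": ["Ethernet5", "Ethernet5"],
         "switches": ["dc1-leaf1a", "dc1-leaf1b"], "vlans": "11-12,21-22",
         "native_vlan": 4092, "mode": "trunk"},
        {"endpoint_ports": ["iLO"], "switch_ports": ["Ethernet5"],
         "switches": ["dc1-leaf1c"], "vlans": 11, "mode": "access"},
    ]},
]

# Hosts of the DC1_L3_LEAVES and DC1_L2_LEAVES inventory groups on this page.
KNOWN_SWITCHES = {"dc1-leaf1a", "dc1-leaf1b", "dc1-leaf2a", "dc1-leaf2b", "dc1-leaf1c", "dc1-leaf2c"}


def parse_vlan_ranges(spec: str | int) -> set[int]:
    """Expand an AVD vlans value such as '11-12,21-22' (or a bare int) into VLAN ids."""
    vlans: set[int] = set()
    for part in str(spec).split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def vni_map(tenants: list[dict]) -> dict[int, int]:
    """Return {VLAN id: L2VNI} using L2VNI = mac_vrf_vni_base + VLAN id.

    Rejects an entry without an id, a VLAN id defined twice, and an L2VNI
    that collides with a vrf_vni (both live in the same VNI space on a VTEP).
    """
    vlan_to_vni: dict[int, int] = {}
    vrf_vnis: set[int] = set()
    for tenant in tenants:
        base = tenant["mac_vrf_vni_base"]
        entries = list(tenant.get("l2vlans", []))
        for vrf in tenant.get("vrfs", []):
            vrf_vnis.add(vrf["vrf_vni"])
            entries.extend(vrf.get("svis", []))
        for entry in entries:
            if "id" not in entry:
                raise ValueError(f"VLAN entry {entry.get('name')!r} in {tenant['name']} has no id")
            if entry["id"] in vlan_to_vni:
                raise ValueError(f"VLAN {entry['id']} defined twice")
            vlan_to_vni[entry["id"]] = base + entry["id"]
    clash = vrf_vnis & set(vlan_to_vni.values())
    if clash:
        raise ValueError(f"L2VNI and VRF VNI overlap: {sorted(clash)}")
    return vlan_to_vni


def check_endpoints(servers: list[dict], tenants: list[dict], known_switches: set[str]) -> list[str]:
    """Return a list of problems; an empty list means the endpoint data is consistent."""
    problems: list[str] = []
    defined_vlans = set(vni_map(tenants))
    for server in servers:
        for n, ad in enumerate(server["adapters"]):
            where = f"{server['name']} adapter {n}"
            if len({len(ad["endpoint_ports"]), len(ad["switch_ports"]), len(ad["switches"])}) != 1:
                problems.append(f"{where}: endpoint_ports, switch_ports and switches must pair up")
            for sw in ad["switches"]:
                if sw not in known_switches:
                    problems.append(f"{where}: switch {sw} is not in the inventory")
            wanted = parse_vlan_ranges(ad["vlans"])
            missing = wanted - defined_vlans
            if missing:
                problems.append(f"{where}: VLANs {sorted(missing)} are not defined in NETWORK_SERVICES")
            if ad.get("mode") == "access" and len(wanted) != 1:
                problems.append(f"{where}: an access port carries exactly one VLAN")
    return problems


if __name__ == "__main__":
    print("L2VNIs:", vni_map(TENANTS))
    print("problems:", check_endpoints(SERVERS, TENANTS, KNOWN_SWITCHES) or "none")
```

The VLAN check is the one most often worth keeping: a VLAN allowed on a trunk but absent from `NETWORK_SERVICES` is silently not created on the leaf, so the endpoint ends up attached to a VLAN that exists on no switch.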
The playbooks¶
In this example, three playbooks are included, of which two must be used:
- The first playbook `build.yml` is mandatory and is used to build the structured configuration, documentation and finally the actual EOS CLI configuration.
- The second playbook is a choice between:
  - `deploy.yml` to deploy the configurations generated by `build.yml` directly to the Arista switches using eAPI.
  - `deploy-cvp.yml` to deploy the configurations generated by `build.yml` to the Arista switches using CloudVision.
The `build.yml` playbook looks like the following:
---
# build.yml
- name: Build Configurations and Documentation # (1)!
  hosts: FABRIC
  gather_facts: false
  tasks:
    - name: Generate AVD Structured Configurations and Fabric Documentation # (2)!
      ansible.builtin.import_role:
        name: arista.avd.eos_designs
    - name: Generate Device Configurations and Documentation # (3)!
      ansible.builtin.import_role:
        name: arista.avd.eos_cli_config_gen
1. At the highest level, the name and scope of the playbook are set, which in this example is the entire fabric. For instance, `FABRIC` is a group name defined in the inventory. If the playbook should only apply to a subset of devices, it can be changed here.
2. This task uses the role `arista.avd.eos_designs`, which generates structured configuration for each device. This structured configuration can be found in the `ansible-avd-examples/single-dc-l3ls/intended/structured_configs` folder.
3. This task uses the role `arista.avd.eos_cli_config_gen`, which generates the Arista EOS CLI configurations found in the `ansible-avd-examples/single-dc-l3ls/intended/configs` folder, along with the device-specific and fabric wide documentation found in the `ansible-avd-examples/single-dc-l3ls/documentation/` folder. In addition, it relies on the structured configuration generated by `arista.avd.eos_designs`.
The `deploy.yml` playbook looks like the following:
---
# deploy.yml
- name: Deploy Configurations to Devices using eAPI # (1)!
  hosts: FABRIC
  gather_facts: false
  tasks:
    - name: Deploy Configurations to Devices # (2)!
      ansible.builtin.import_role:
        name: arista.avd.eos_config_deploy_eapi
1. At the highest level, the name and scope of the playbook are set, which in this example is the entire fabric. For instance, `FABRIC` is a group name defined in the inventory. If the playbook should only apply to a subset of devices, it can be changed here.
2. This task uses the `arista.avd.eos_config_deploy_eapi` role to deploy the configurations generated by the `arista.avd.eos_cli_config_gen` role directly to the EOS nodes.
The `deploy-cvp.yml` playbook looks like the following:
---
- name: Deploy Configurations to Devices Using CloudVision Portal # (1)!
  hosts: CLOUDVISION
  gather_facts: false
  connection: local
  tasks:
    - name: Deploy Configurations to CloudVision # (2)!
      ansible.builtin.import_role:
        name: arista.avd.eos_config_deploy_cvp
      vars:
        cv_collection: v3 # (3)!
        fabric_name: FABRIC # (4)!
1. At the highest level, the name and scope of the playbook are set, which in this example is the CloudVision server named `CLOUDVISION`.
2. This task uses the `arista.avd.eos_config_deploy_cvp` role to deploy and manage the Fabric with CloudVision.
3. Sets `v3` as the version of the collection to use (default in AVD 4.x).
4. `fabric_name` is used to specify the container root in CVP (must match a group name).
In addition, the `arista.avd.eos_config_deploy_cvp` collection performs the following actions:
- Reads the AVD inventory and builds the container topology in CloudVision
- Looks for configuration previously generated by arista.avd.eos_cli_config_gen and builds configlets list, one per device
- Looks for additional configlets to attach to either devices or containers
- Build configlets on CVP
- Create containers topology
- Move devices to the container
- Bind configlet to device
- Deploy Fabric configuration by running all pending tasks (optional, if execute_tasks == true)
Testing AVD output without a lab¶
Using the `build.yml` playbook without any actual devices is possible. The playbook will generate all the output (variables, configurations, documentation) but will not attempt to communicate with devices.
Please look through the folders and files described above to learn more about the output generated by AVD.
Playbook Run¶
To build the configuration files, run the playbook called `build.yml`.
After the playbook run finishes, the EOS CLI intended configuration files are written to `intended/configs`.
To build and deploy the configurations to your switches directly, using eAPI, run the playbook called `deploy.yml`. This assumes that your Ansible host has access and authentication rights to the switches. Those auth variables are defined in FABRIC.yml.
To build and deploy the configurations to your switches using CloudVision Portal, run the playbook called `deploy-cvp.yml`. This assumes that your CloudVision Portal server has access and authentication rights to the switches. Those auth variables are defined in FABRIC.yml.
### Deploy Configurations to Devices Using CloudVision Portal
ansible-playbook playbooks/deploy-cvp.yml
EOS Intended Configurations¶
Your configuration files should be similar to these.
### dc1-spine1

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-spine1
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode none
!
vrf instance MGMT
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Ethernet1
   description P2P_dc1-leaf1a_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.0/31
!
interface Ethernet2
   description P2P_dc1-leaf1b_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.4/31
!
interface Ethernet3
   description P2P_dc1-leaf2a_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.8/31
!
interface Ethernet4
   description P2P_dc1-leaf2b_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.12/31
!
interface Loopback0
   description ROUTER_ID
   no shutdown
   ip address 10.255.0.1/32
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.11/24
!
ip routing
no ip routing vrf MGMT
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
   seq 10 permit 10.255.0.0/27 eq 32
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
router bfd
   multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65100
   router-id 10.255.0.1
   no bgp default ipv4-unicast
   maximum-paths 4 ecmp 4
   neighbor EVPN-OVERLAY-PEERS peer group
   neighbor EVPN-OVERLAY-PEERS next-hop-unchanged
   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
   neighbor EVPN-OVERLAY-PEERS bfd
   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
   neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
   neighbor EVPN-OVERLAY-PEERS send-community
   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
   neighbor IPv4-UNDERLAY-PEERS peer group
   neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
   neighbor IPv4-UNDERLAY-PEERS send-community
   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
   neighbor 10.255.0.3 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.3 remote-as 65101
   neighbor 10.255.0.3 description dc1-leaf1a_Loopback0
   neighbor 10.255.0.4 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.4 remote-as 65101
   neighbor 10.255.0.4 description dc1-leaf1b_Loopback0
   neighbor 10.255.0.5 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.5 remote-as 65102
   neighbor 10.255.0.5 description dc1-leaf2a_Loopback0
   neighbor 10.255.0.6 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.6 remote-as 65102
   neighbor 10.255.0.6 description dc1-leaf2b_Loopback0
   neighbor 10.255.255.1 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.1 remote-as 65101
   neighbor 10.255.255.1 description dc1-leaf1a_Ethernet1
   neighbor 10.255.255.5 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.5 remote-as 65101
   neighbor 10.255.255.5 description dc1-leaf1b_Ethernet1
   neighbor 10.255.255.9 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.9 remote-as 65102
   neighbor 10.255.255.9 description dc1-leaf2a_Ethernet1
   neighbor 10.255.255.13 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.13 remote-as 65102
   neighbor 10.255.255.13 description dc1-leaf2b_Ethernet1
   redistribute connected route-map RM-CONN-2-BGP
   !
   address-family evpn
      neighbor EVPN-OVERLAY-PEERS activate
   !
   address-family ipv4
      no neighbor EVPN-OVERLAY-PEERS activate
      neighbor IPv4-UNDERLAY-PEERS activate
!
end
```
### dc1-spine2

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-spine2
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode none
!
vrf instance MGMT
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Ethernet1
   description P2P_dc1-leaf1a_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.2/31
!
interface Ethernet2
   description P2P_dc1-leaf1b_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.6/31
!
interface Ethernet3
   description P2P_dc1-leaf2a_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.10/31
!
interface Ethernet4
   description P2P_dc1-leaf2b_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.14/31
!
interface Loopback0
   description ROUTER_ID
   no shutdown
   ip address 10.255.0.2/32
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.12/24
!
ip routing
no ip routing vrf MGMT
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
   seq 10 permit 10.255.0.0/27 eq 32
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
router bfd
   multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65100
   router-id 10.255.0.2
   no bgp default ipv4-unicast
   maximum-paths 4 ecmp 4
   neighbor EVPN-OVERLAY-PEERS peer group
   neighbor EVPN-OVERLAY-PEERS next-hop-unchanged
   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
   neighbor EVPN-OVERLAY-PEERS bfd
   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
   neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
   neighbor EVPN-OVERLAY-PEERS send-community
   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
   neighbor IPv4-UNDERLAY-PEERS peer group
   neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
   neighbor IPv4-UNDERLAY-PEERS send-community
   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
   neighbor 10.255.0.3 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.3 remote-as 65101
   neighbor 10.255.0.3 description dc1-leaf1a_Loopback0
   neighbor 10.255.0.4 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.4 remote-as 65101
   neighbor 10.255.0.4 description dc1-leaf1b_Loopback0
   neighbor 10.255.0.5 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.5 remote-as 65102
   neighbor 10.255.0.5 description dc1-leaf2a_Loopback0
   neighbor 10.255.0.6 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.6 remote-as 65102
   neighbor 10.255.0.6 description dc1-leaf2b_Loopback0
   neighbor 10.255.255.3 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.3 remote-as 65101
   neighbor 10.255.255.3 description dc1-leaf1a_Ethernet2
   neighbor 10.255.255.7 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.7 remote-as 65101
   neighbor 10.255.255.7 description dc1-leaf1b_Ethernet2
   neighbor 10.255.255.11 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.11 remote-as 65102
   neighbor 10.255.255.11 description dc1-leaf2a_Ethernet2
   neighbor 10.255.255.15 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.15 remote-as 65102
   neighbor 10.255.255.15 description dc1-leaf2b_Ethernet2
   redistribute connected route-map RM-CONN-2-BGP
   !
   address-family evpn
      neighbor EVPN-OVERLAY-PEERS activate
   !
   address-family ipv4
      no neighbor EVPN-OVERLAY-PEERS activate
      neighbor IPv4-UNDERLAY-PEERS activate
!
end
```
### dc1-leaf1a

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf1a
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
no spanning-tree vlan-id 4093-4094
spanning-tree mst 0 priority 4096
!
vlan 11
   name VRF10_VLAN11
!
vlan 12
   name VRF10_VLAN12
!
vlan 21
   name VRF11_VLAN21
!
vlan 22
   name VRF11_VLAN22
!
vlan 3009
   name MLAG_L3_VRF_VRF10
   trunk group MLAG
!
vlan 3010
   name MLAG_L3_VRF_VRF11
   trunk group MLAG
!
vlan 3401
   name L2_VLAN3401
!
vlan 3402
   name L2_VLAN3402
!
vlan 4093
   name MLAG_L3
   trunk group MLAG
!
vlan 4094
   name MLAG
   trunk group MLAG
!
vrf instance MGMT
!
vrf instance VRF10
!
vrf instance VRF11
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Port-Channel3
   description MLAG_dc1-leaf1b_Port-Channel3
   no shutdown
   switchport mode trunk
   switchport trunk group MLAG
   switchport
!
interface Port-Channel5
   description SERVER_dc1-leaf1-server1_Bond1
   no shutdown
   switchport trunk native vlan 4092
   switchport trunk allowed vlan 11-12,21-22
   switchport mode trunk
   switchport
   mlag 5
   spanning-tree portfast
!
interface Port-Channel8
   description L2_dc1-leaf1c_Port-Channel1
   no shutdown
   switchport trunk allowed vlan 11-12,21-22,3401-3402
   switchport mode trunk
   switchport
   mlag 8
!
interface Ethernet1
   description P2P_dc1-spine1_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.1/31
!
interface Ethernet2
   description P2P_dc1-spine2_Ethernet1
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.3/31
!
interface Ethernet3
   description MLAG_dc1-leaf1b_Ethernet3
   no shutdown
   channel-group 3 mode active
!
interface Ethernet4
   description MLAG_dc1-leaf1b_Ethernet4
   no shutdown
   channel-group 3 mode active
!
interface Ethernet5
   description SERVER_dc1-leaf1-server1_PCI1
   no shutdown
   channel-group 5 mode active
!
interface Ethernet8
   description L2_dc1-leaf1c_Ethernet1
   no shutdown
   channel-group 8 mode active
!
interface Loopback0
   description ROUTER_ID
   no shutdown
   ip address 10.255.0.3/32
!
interface Loopback1
   description VXLAN_TUNNEL_SOURCE
   no shutdown
   ip address 10.255.1.3/32
!
interface Loopback10
   description DIAG_VRF_VRF10
   no shutdown
   vrf VRF10
   ip address 10.255.10.3/32
!
interface Loopback11
   description DIAG_VRF_VRF11
   no shutdown
   vrf VRF11
   ip address 10.255.11.3/32
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.101/24
!
interface Vlan11
   description VRF10_VLAN11
   no shutdown
   vrf VRF10
   ip address virtual 10.10.11.1/24
!
interface Vlan12
   description VRF10_VLAN12
   no shutdown
   vrf VRF10
   ip address virtual 10.10.12.1/24
!
interface Vlan21
   description VRF11_VLAN21
   no shutdown
   vrf VRF11
   ip address virtual 10.10.21.1/24
!
interface Vlan22
   description VRF11_VLAN22
   no shutdown
   vrf VRF11
   ip address virtual 10.10.22.1/24
!
interface Vlan3009
   description MLAG_L3_VRF_VRF10
   no shutdown
   mtu 1500
   vrf VRF10
   ip address 10.255.1.96/31
!
interface Vlan3010
   description MLAG_L3_VRF_VRF11
   no shutdown
   mtu 1500
   vrf VRF11
   ip address 10.255.1.96/31
!
interface Vlan4093
   description MLAG_L3
   no shutdown
   mtu 1500
   ip address 10.255.1.96/31
!
interface Vlan4094
   description MLAG
   no shutdown
   mtu 1500
   no autostate
   ip address 10.255.1.64/31
!
interface Vxlan1
   description dc1-leaf1a_VTEP
   vxlan source-interface Loopback1
   vxlan virtual-router encapsulation mac-address mlag-system-id
   vxlan udp-port 4789
   vxlan vlan 11 vni 10011
   vxlan vlan 12 vni 10012
   vxlan vlan 21 vni 10021
   vxlan vlan 22 vni 10022
   vxlan vlan 3401 vni 13401
   vxlan vlan 3402 vni 13402
   vxlan vrf VRF10 vni 10
   vxlan vrf VRF11 vni 11
!
ip virtual-router mac-address 00:1c:73:00:00:99
!
ip address virtual source-nat vrf VRF10 address 10.255.10.3
ip address virtual source-nat vrf VRF11 address 10.255.11.3
!
ip routing
no ip routing vrf MGMT
ip routing vrf VRF10
ip routing vrf VRF11
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
   seq 10 permit 10.255.0.0/27 eq 32
   seq 20 permit 10.255.1.0/27 eq 32
!
ip prefix-list PL-MLAG-PEER-VRFS
   seq 10 permit 10.255.1.96/31
!
mlag configuration
   domain-id DC1_L3_LEAF1
   local-interface Vlan4094
   peer-address 10.255.1.65
   peer-link Port-Channel3
   reload-delay mlag 300
   reload-delay non-mlag 330
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
route-map RM-CONN-2-BGP-VRFS deny 10
   match ip address prefix-list PL-MLAG-PEER-VRFS
!
route-map RM-CONN-2-BGP-VRFS permit 20
!
route-map RM-MLAG-PEER-IN permit 10
   description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing
   set origin incomplete
!
router bfd
   multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65101
   router-id 10.255.0.3
   no bgp default ipv4-unicast
   maximum-paths 4 ecmp 4
   neighbor EVPN-OVERLAY-PEERS peer group
   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
   neighbor EVPN-OVERLAY-PEERS bfd
   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
   neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
   neighbor EVPN-OVERLAY-PEERS send-community
   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
   neighbor IPv4-UNDERLAY-PEERS peer group
   neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
   neighbor IPv4-UNDERLAY-PEERS send-community
   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
   neighbor MLAG-IPv4-UNDERLAY-PEER peer group
   neighbor MLAG-IPv4-UNDERLAY-PEER remote-as 65101
   neighbor MLAG-IPv4-UNDERLAY-PEER next-hop-self
   neighbor MLAG-IPv4-UNDERLAY-PEER description dc1-leaf1b
   neighbor MLAG-IPv4-UNDERLAY-PEER route-map RM-MLAG-PEER-IN in
   neighbor MLAG-IPv4-UNDERLAY-PEER password 7 4b21pAdCvWeAqpcKDFMdWw==
   neighbor MLAG-IPv4-UNDERLAY-PEER send-community
   neighbor MLAG-IPv4-UNDERLAY-PEER maximum-routes 12000
   neighbor 10.255.0.1 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.1 remote-as 65100
   neighbor 10.255.0.1 description dc1-spine1_Loopback0
   neighbor 10.255.0.2 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.2 remote-as 65100
   neighbor 10.255.0.2 description dc1-spine2_Loopback0
   neighbor 10.255.1.97 peer group MLAG-IPv4-UNDERLAY-PEER
   neighbor 10.255.1.97 description dc1-leaf1b_Vlan4093
   neighbor 10.255.255.0 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.0 remote-as 65100
   neighbor 10.255.255.0 description dc1-spine1_Ethernet1
   neighbor 10.255.255.2 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.2 remote-as 65100
   neighbor 10.255.255.2 description dc1-spine2_Ethernet1
   redistribute connected route-map RM-CONN-2-BGP
   !
   vlan 11
      rd 10.255.0.3:10011
      route-target both 10011:10011
      redistribute learned
   !
   vlan 12
      rd 10.255.0.3:10012
      route-target both 10012:10012
      redistribute learned
   !
   vlan 21
      rd 10.255.0.3:10021
      route-target both 10021:10021
      redistribute learned
   !
   vlan 22
      rd 10.255.0.3:10022
      route-target both 10022:10022
      redistribute learned
   !
   vlan 3401
      rd 10.255.0.3:13401
      route-target both 13401:13401
      redistribute learned
   !
   vlan 3402
      rd 10.255.0.3:13402
      route-target both 13402:13402
      redistribute learned
   !
   address-family evpn
      neighbor EVPN-OVERLAY-PEERS activate
   !
   address-family ipv4
      no neighbor EVPN-OVERLAY-PEERS activate
      neighbor IPv4-UNDERLAY-PEERS activate
      neighbor MLAG-IPv4-UNDERLAY-PEER activate
   !
   vrf VRF10
      rd 10.255.0.3:10
      route-target import evpn 10:10
      route-target export evpn 10:10
      router-id 10.255.0.3
      neighbor 10.255.1.97 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.97 description dc1-leaf1b_Vlan3009
      redistribute connected route-map RM-CONN-2-BGP-VRFS
   !
   vrf VRF11
      rd 10.255.0.3:11
      route-target import evpn 11:11
      route-target export evpn 11:11
      router-id 10.255.0.3
      neighbor 10.255.1.97 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.97 description dc1-leaf1b_Vlan3010
      redistribute connected route-map RM-CONN-2-BGP-VRFS
!
end
```
### dc1-leaf1b

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf1b
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
no spanning-tree vlan-id 4093-4094
spanning-tree mst 0 priority 4096
!
vlan 11
   name VRF10_VLAN11
!
vlan 12
   name VRF10_VLAN12
!
vlan 21
   name VRF11_VLAN21
!
vlan 22
   name VRF11_VLAN22
!
vlan 3009
   name MLAG_L3_VRF_VRF10
   trunk group MLAG
!
vlan 3010
   name MLAG_L3_VRF_VRF11
   trunk group MLAG
!
vlan 3401
   name L2_VLAN3401
!
vlan 3402
   name L2_VLAN3402
!
vlan 4093
   name MLAG_L3
   trunk group MLAG
!
vlan 4094
   name MLAG
   trunk group MLAG
!
vrf instance MGMT
!
vrf instance VRF10
!
vrf instance VRF11
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Port-Channel3
   description MLAG_dc1-leaf1a_Port-Channel3
   no shutdown
   switchport mode trunk
   switchport trunk group MLAG
   switchport
!
interface Port-Channel5
   description SERVER_dc1-leaf1-server1_Bond1
   no shutdown
   switchport trunk native vlan 4092
   switchport trunk allowed vlan 11-12,21-22
   switchport mode trunk
   switchport
   mlag 5
   spanning-tree portfast
!
interface Port-Channel8
   description L2_dc1-leaf1c_Port-Channel1
   no shutdown
   switchport trunk allowed vlan 11-12,21-22,3401-3402
   switchport mode trunk
   switchport
   mlag 8
!
interface Ethernet1
   description P2P_dc1-spine1_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.5/31
!
interface Ethernet2
   description P2P_dc1-spine2_Ethernet2
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.7/31
!
interface Ethernet3
   description MLAG_dc1-leaf1a_Ethernet3
   no shutdown
   channel-group 3 mode active
!
interface Ethernet4
   description MLAG_dc1-leaf1a_Ethernet4
   no shutdown
   channel-group 3 mode active
!
interface Ethernet5
   description SERVER_dc1-leaf1-server1_PCI2
   no shutdown
   channel-group 5 mode active
!
interface Ethernet8
   description L2_dc1-leaf1c_Ethernet2
   no shutdown
   channel-group 8 mode active
!
interface Loopback0
   description ROUTER_ID
   no shutdown
   ip address 10.255.0.4/32
!
interface Loopback1
   description VXLAN_TUNNEL_SOURCE
   no shutdown
   ip address 10.255.1.3/32
!
interface Loopback10
   description DIAG_VRF_VRF10
   no shutdown
   vrf VRF10
   ip address 10.255.10.4/32
!
interface Loopback11
   description DIAG_VRF_VRF11
   no shutdown
   vrf VRF11
   ip address 10.255.11.4/32
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.102/24
!
interface Vlan11
   description VRF10_VLAN11
   no shutdown
   vrf VRF10
   ip address virtual 10.10.11.1/24
!
interface Vlan12
   description VRF10_VLAN12
   no shutdown
   vrf VRF10
   ip address virtual 10.10.12.1/24
!
interface Vlan21
   description VRF11_VLAN21
   no shutdown
   vrf VRF11
   ip address virtual 10.10.21.1/24
!
interface Vlan22
   description VRF11_VLAN22
   no shutdown
   vrf VRF11
   ip address virtual 10.10.22.1/24
!
interface Vlan3009
   description MLAG_L3_VRF_VRF10
   no shutdown
   mtu 1500
   vrf VRF10
   ip address 10.255.1.97/31
!
interface Vlan3010
   description MLAG_L3_VRF_VRF11
   no shutdown
   mtu 1500
   vrf VRF11
   ip address 10.255.1.97/31
!
interface Vlan4093
   description MLAG_L3
   no shutdown
   mtu 1500
   ip address 10.255.1.97/31
!
interface Vlan4094
   description MLAG
   no shutdown
   mtu 1500
   no autostate
   ip address 10.255.1.65/31
!
interface Vxlan1
   description dc1-leaf1b_VTEP
   vxlan source-interface Loopback1
   vxlan virtual-router encapsulation mac-address mlag-system-id
   vxlan udp-port 4789
   vxlan vlan 11 vni 10011
   vxlan vlan 12 vni 10012
   vxlan vlan 21 vni 10021
   vxlan vlan 22 vni 10022
   vxlan vlan 3401 vni 13401
   vxlan vlan 3402 vni 13402
   vxlan vrf VRF10 vni 10
   vxlan vrf VRF11 vni 11
!
ip virtual-router mac-address 00:1c:73:00:00:99
!
ip address virtual source-nat vrf VRF10 address 10.255.10.4
ip address virtual source-nat vrf VRF11 address 10.255.11.4
!
ip routing
no ip routing vrf MGMT
ip routing vrf VRF10
ip routing vrf VRF11
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
   seq 10 permit 10.255.0.0/27 eq 32
   seq 20 permit 10.255.1.0/27 eq 32
!
ip prefix-list PL-MLAG-PEER-VRFS
   seq 10 permit 10.255.1.96/31
!
mlag configuration
   domain-id DC1_L3_LEAF1
   local-interface Vlan4094
   peer-address 10.255.1.64
   peer-link Port-Channel3
   reload-delay mlag 300
   reload-delay non-mlag 330
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
route-map RM-CONN-2-BGP-VRFS deny 10
   match ip address prefix-list PL-MLAG-PEER-VRFS
!
route-map RM-CONN-2-BGP-VRFS permit 20
!
route-map RM-MLAG-PEER-IN permit 10
   description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing
   set origin incomplete
!
router bfd
   multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65101
   router-id 10.255.0.4
   no bgp default ipv4-unicast
   maximum-paths 4 ecmp 4
   neighbor EVPN-OVERLAY-PEERS peer group
   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
   neighbor EVPN-OVERLAY-PEERS bfd
   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
   neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
   neighbor EVPN-OVERLAY-PEERS send-community
   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
   neighbor IPv4-UNDERLAY-PEERS peer group
   neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
   neighbor IPv4-UNDERLAY-PEERS send-community
   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
   neighbor MLAG-IPv4-UNDERLAY-PEER peer group
   neighbor MLAG-IPv4-UNDERLAY-PEER remote-as 65101
   neighbor MLAG-IPv4-UNDERLAY-PEER next-hop-self
   neighbor MLAG-IPv4-UNDERLAY-PEER description dc1-leaf1a
   neighbor MLAG-IPv4-UNDERLAY-PEER route-map RM-MLAG-PEER-IN in
   neighbor MLAG-IPv4-UNDERLAY-PEER password 7 4b21pAdCvWeAqpcKDFMdWw==
   neighbor MLAG-IPv4-UNDERLAY-PEER send-community
   neighbor MLAG-IPv4-UNDERLAY-PEER maximum-routes 12000
   neighbor 10.255.0.1 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.1 remote-as 65100
   neighbor 10.255.0.1 description dc1-spine1_Loopback0
   neighbor 10.255.0.2 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.2 remote-as 65100
   neighbor 10.255.0.2 description dc1-spine2_Loopback0
   neighbor 10.255.1.96 peer group MLAG-IPv4-UNDERLAY-PEER
   neighbor 10.255.1.96 description dc1-leaf1a_Vlan4093
   neighbor 10.255.255.4 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.4 remote-as 65100
   neighbor 10.255.255.4 description dc1-spine1_Ethernet2
   neighbor 10.255.255.6 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.6 remote-as 65100
   neighbor 10.255.255.6 description dc1-spine2_Ethernet2
   redistribute connected route-map RM-CONN-2-BGP
   !
   vlan 11
      rd 10.255.0.4:10011
      route-target both 10011:10011
      redistribute learned
   !
   vlan 12
      rd 10.255.0.4:10012
      route-target both 10012:10012
      redistribute learned
   !
   vlan 21
      rd 10.255.0.4:10021
      route-target both 10021:10021
      redistribute learned
   !
   vlan 22
      rd 10.255.0.4:10022
      route-target both 10022:10022
      redistribute learned
   !
   vlan 3401
      rd 10.255.0.4:13401
      route-target both 13401:13401
      redistribute learned
   !
   vlan 3402
      rd 10.255.0.4:13402
      route-target both 13402:13402
      redistribute learned
   !
   address-family evpn
      neighbor EVPN-OVERLAY-PEERS activate
   !
   address-family ipv4
      no neighbor EVPN-OVERLAY-PEERS activate
      neighbor IPv4-UNDERLAY-PEERS activate
      neighbor MLAG-IPv4-UNDERLAY-PEER activate
   !
   vrf VRF10
      rd 10.255.0.4:10
      route-target import evpn 10:10
      route-target export evpn 10:10
      router-id 10.255.0.4
      neighbor 10.255.1.96 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.96 description dc1-leaf1a_Vlan3009
      redistribute connected route-map RM-CONN-2-BGP-VRFS
   !
   vrf VRF11
      rd 10.255.0.4:11
      route-target import evpn 11:11
      route-target export evpn 11:11
      router-id 10.255.0.4
      neighbor 10.255.1.96 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.96 description dc1-leaf1a_Vlan3010
      redistribute connected route-map RM-CONN-2-BGP-VRFS
!
end
```
### dc1-leaf1c

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf1c
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
spanning-tree mst 0 priority 32768
!
vlan 11
   name VRF10_VLAN11
!
vlan 12
   name VRF10_VLAN12
!
vlan 21
   name VRF11_VLAN21
!
vlan 22
   name VRF11_VLAN22
!
vlan 3401
   name L2_VLAN3401
!
vlan 3402
   name L2_VLAN3402
!
vrf instance MGMT
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Port-Channel1
   description L2_DC1_L3_LEAF1_Port-Channel8
   no shutdown
   switchport trunk allowed vlan 11-12,21-22,3401-3402
   switchport mode trunk
   switchport
!
interface Ethernet1
   description L2_dc1-leaf1a_Ethernet8
   no shutdown
   channel-group 1 mode active
!
interface Ethernet2
   description L2_dc1-leaf1b_Ethernet8
   no shutdown
   channel-group 1 mode active
!
interface Ethernet5
   description SERVER_dc1-leaf1-server1_iLO
   no shutdown
   switchport access vlan 11
   switchport mode access
   switchport
   spanning-tree portfast
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.151/24
no ip routing vrf MGMT
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
end
```
### dc1-leaf2a

```eos
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf2a
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
no spanning-tree vlan-id 4093-4094
spanning-tree mst 0 priority 4096
!
vlan 11
   name VRF10_VLAN11
!
vlan 12
   name VRF10_VLAN12
!
vlan 21
   name VRF11_VLAN21
!
vlan 22
   name VRF11_VLAN22
!
vlan 3009
   name MLAG_L3_VRF_VRF10
   trunk group MLAG
!
vlan 3010
   name MLAG_L3_VRF_VRF11
   trunk group MLAG
!
vlan 3401
   name L2_VLAN3401
!
vlan 3402
   name L2_VLAN3402
!
vlan 4093
   name MLAG_L3
   trunk group MLAG
!
vlan 4094
   name MLAG
   trunk group MLAG
!
vrf instance MGMT
!
vrf instance VRF10
!
vrf instance VRF11
!
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
!
interface Port-Channel3
   description MLAG_dc1-leaf2b_Port-Channel3
   no shutdown
   switchport mode trunk
   switchport trunk group MLAG
   switchport
!
interface Port-Channel5
   description SERVER_dc1-leaf2-server1
   no shutdown
   switchport trunk native vlan 4092
   switchport trunk allowed vlan 11-12,21-22
   switchport mode trunk
   switchport
   mlag 5
   spanning-tree portfast
!
interface Port-Channel8
   description L2_dc1-leaf2c_Port-Channel1
   no shutdown
   switchport trunk allowed vlan 11-12,21-22,3401-3402
   switchport mode trunk
   switchport
   mlag 8
!
interface Ethernet1
   description P2P_dc1-spine1_Ethernet3
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.9/31
!
interface Ethernet2
   description P2P_dc1-spine2_Ethernet3
   no shutdown
   mtu 1500
   no switchport
   ip address 10.255.255.11/31
!
interface Ethernet3
   description MLAG_dc1-leaf2b_Ethernet3
   no shutdown
   channel-group 3 mode active
!
interface Ethernet4
   description MLAG_dc1-leaf2b_Ethernet4
   no shutdown
   channel-group 3 mode active
!
interface Ethernet5
   description SERVER_dc1-leaf2-server1_PCI1
   no shutdown
   channel-group 5 mode active
!
interface Ethernet8
   description L2_dc1-leaf2c_Ethernet1
   no shutdown
   channel-group 8 mode active
!
interface Loopback0
   description ROUTER_ID
   no shutdown
   ip address 10.255.0.5/32
!
interface Loopback1
   description VXLAN_TUNNEL_SOURCE
   no shutdown
   ip address 10.255.1.5/32
!
interface Loopback10
   description DIAG_VRF_VRF10
   no shutdown
   vrf VRF10
   ip address 10.255.10.5/32
!
interface Loopback11
   description DIAG_VRF_VRF11
   no shutdown
   vrf VRF11
   ip address 10.255.11.5/32
!
interface Management1
   description OOB_MANAGEMENT
   no shutdown
   vrf MGMT
   ip address 172.16.1.103/24
!
interface Vlan11
   description VRF10_VLAN11
   no shutdown
   vrf VRF10
   ip address virtual 10.10.11.1/24
!
interface Vlan12
   description VRF10_VLAN12
   no shutdown
   vrf VRF10
   ip address virtual 10.10.12.1/24
!
interface Vlan21
   description VRF11_VLAN21
   no shutdown
   vrf VRF11
   ip address virtual 10.10.21.1/24
!
interface Vlan22
   description VRF11_VLAN22
   no shutdown
   vrf VRF11
   ip address virtual 10.10.22.1/24
!
interface Vlan3009
   description MLAG_L3_VRF_VRF10
   no shutdown
   mtu 1500
   vrf VRF10
   ip address 10.255.1.100/31
!
interface Vlan3010
   description MLAG_L3_VRF_VRF11
   no shutdown
   mtu 1500
   vrf VRF11
   ip address 10.255.1.100/31
!
interface Vlan4093
   description MLAG_L3
   no shutdown
   mtu 1500
   ip address 10.255.1.100/31
!
interface Vlan4094
   description MLAG
   no shutdown
   mtu 1500
   no autostate
   ip address 10.255.1.68/31
!
interface Vxlan1
   description dc1-leaf2a_VTEP
   vxlan source-interface Loopback1
   vxlan virtual-router encapsulation mac-address mlag-system-id
   vxlan udp-port 4789
   vxlan vlan 11 vni 10011
   vxlan vlan 12 vni 10012
   vxlan vlan 21 vni 10021
   vxlan vlan 22 vni 10022
   vxlan vlan 3401 vni 13401
   vxlan vlan 3402 vni 13402
   vxlan vrf VRF10 vni 10
   vxlan vrf VRF11 vni 11
!
ip virtual-router mac-address 00:1c:73:00:00:99
!
ip address virtual source-nat vrf VRF10 address 10.255.10.5
ip address virtual source-nat vrf VRF11 address 10.255.11.5
!
ip routing
no ip routing vrf MGMT
ip routing vrf VRF10
ip routing vrf VRF11
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
   seq 10 permit 10.255.0.0/27 eq 32
   seq 20 permit 10.255.1.0/27 eq 32
!
ip prefix-list PL-MLAG-PEER-VRFS
   seq 10 permit 10.255.1.100/31
!
mlag configuration
   domain-id DC1_L3_LEAF2
   local-interface Vlan4094
   peer-address 10.255.1.69
   peer-link Port-Channel3
   reload-delay mlag 300
   reload-delay non-mlag 330
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
route-map RM-CONN-2-BGP-VRFS deny 10
   match ip address prefix-list PL-MLAG-PEER-VRFS
!
route-map RM-CONN-2-BGP-VRFS permit 20
!
route-map RM-MLAG-PEER-IN permit 10
   description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing
   set origin incomplete
!
router bfd
   multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65102
   router-id 10.255.0.5
   no bgp default ipv4-unicast
   maximum-paths 4 ecmp 4
   neighbor EVPN-OVERLAY-PEERS peer group
   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
   neighbor EVPN-OVERLAY-PEERS bfd
   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
   neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
   neighbor EVPN-OVERLAY-PEERS send-community
   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
   neighbor IPv4-UNDERLAY-PEERS peer group
   neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
   neighbor IPv4-UNDERLAY-PEERS send-community
   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
   neighbor MLAG-IPv4-UNDERLAY-PEER peer group
   neighbor MLAG-IPv4-UNDERLAY-PEER remote-as 65102
   neighbor MLAG-IPv4-UNDERLAY-PEER next-hop-self
   neighbor MLAG-IPv4-UNDERLAY-PEER description dc1-leaf2b
   neighbor MLAG-IPv4-UNDERLAY-PEER route-map RM-MLAG-PEER-IN in
   neighbor MLAG-IPv4-UNDERLAY-PEER password 7 4b21pAdCvWeAqpcKDFMdWw==
   neighbor MLAG-IPv4-UNDERLAY-PEER send-community
   neighbor MLAG-IPv4-UNDERLAY-PEER maximum-routes 12000
   neighbor 10.255.0.1 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.1 remote-as 65100
   neighbor 10.255.0.1 description dc1-spine1_Loopback0
   neighbor 10.255.0.2 peer group EVPN-OVERLAY-PEERS
   neighbor 10.255.0.2 remote-as 65100
   neighbor 10.255.0.2 description dc1-spine2_Loopback0
   neighbor 10.255.1.101 peer group MLAG-IPv4-UNDERLAY-PEER
   neighbor 10.255.1.101 description dc1-leaf2b_Vlan4093
   neighbor 10.255.255.8 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.8 remote-as 65100
   neighbor 10.255.255.8 description dc1-spine1_Ethernet3
   neighbor 10.255.255.10 peer group IPv4-UNDERLAY-PEERS
   neighbor 10.255.255.10 remote-as 65100
   neighbor 10.255.255.10 description dc1-spine2_Ethernet3
   redistribute connected route-map RM-CONN-2-BGP
   !
   vlan 11
      rd 10.255.0.5:10011
      route-target both 10011:10011
      redistribute learned
   !
   vlan 12
      rd 10.255.0.5:10012
      route-target both 10012:10012
      redistribute learned
   !
   vlan 21
      rd 10.255.0.5:10021
      route-target both 10021:10021
      redistribute learned
   !
   vlan 22
      rd 10.255.0.5:10022
      route-target both 10022:10022
      redistribute learned
   !
   vlan 3401
      rd 10.255.0.5:13401
      route-target both 13401:13401
      redistribute learned
   !
   vlan 3402
      rd 10.255.0.5:13402
      route-target both 13402:13402
      redistribute learned
   !
   address-family evpn
      neighbor EVPN-OVERLAY-PEERS activate
   !
   address-family ipv4
      no neighbor EVPN-OVERLAY-PEERS activate
      neighbor IPv4-UNDERLAY-PEERS activate
      neighbor MLAG-IPv4-UNDERLAY-PEER activate
   !
   vrf VRF10
      rd 10.255.0.5:10
      route-target import evpn 10:10
      route-target export evpn 10:10
      router-id 10.255.0.5
      neighbor 10.255.1.101 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.101 description dc1-leaf2b_Vlan3009
      redistribute connected route-map RM-CONN-2-BGP-VRFS
   !
   vrf VRF11
      rd 10.255.0.5:11
      route-target import evpn 11:11
      route-target export evpn 11:11
      router-id 10.255.0.5
      neighbor 10.255.1.101 peer group MLAG-IPv4-UNDERLAY-PEER
      neighbor 10.255.1.101 description dc1-leaf2b_Vlan3010
      redistribute connected route-map RM-CONN-2-BGP-VRFS
!
end
```
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf2b
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
no spanning-tree vlan-id 4093-4094
spanning-tree mst 0 priority 4096
!
vlan 11
name VRF10_VLAN11
!
vlan 12
name VRF10_VLAN12
!
vlan 21
name VRF11_VLAN21
!
vlan 22
name VRF11_VLAN22
!
vlan 3009
name MLAG_L3_VRF_VRF10
trunk group MLAG
!
vlan 3010
name MLAG_L3_VRF_VRF11
trunk group MLAG
!
vlan 3401
name L2_VLAN3401
!
vlan 3402
name L2_VLAN3402
!
vlan 4093
name MLAG_L3
trunk group MLAG
!
vlan 4094
name MLAG
trunk group MLAG
!
vrf instance MGMT
!
vrf instance VRF10
!
vrf instance VRF11
!
management api http-commands
protocol https
no shutdown
!
vrf MGMT
no shutdown
!
interface Port-Channel3
description MLAG_dc1-leaf2a_Port-Channel3
no shutdown
switchport mode trunk
switchport trunk group MLAG
switchport
!
interface Port-Channel5
description SERVER_dc1-leaf2-server1
no shutdown
switchport trunk native vlan 4092
switchport trunk allowed vlan 11-12,21-22
switchport mode trunk
switchport
mlag 5
spanning-tree portfast
!
interface Port-Channel8
description L2_dc1-leaf2c_Port-Channel1
no shutdown
switchport trunk allowed vlan 11-12,21-22,3401-3402
switchport mode trunk
switchport
mlag 8
!
interface Ethernet1
description P2P_dc1-spine1_Ethernet4
no shutdown
mtu 1500
no switchport
ip address 10.255.255.13/31
!
interface Ethernet2
description P2P_dc1-spine2_Ethernet4
no shutdown
mtu 1500
no switchport
ip address 10.255.255.15/31
!
interface Ethernet3
description MLAG_dc1-leaf2a_Ethernet3
no shutdown
channel-group 3 mode active
!
interface Ethernet4
description MLAG_dc1-leaf2a_Ethernet4
no shutdown
channel-group 3 mode active
!
interface Ethernet5
description SERVER_dc1-leaf2-server1_PCI2
no shutdown
channel-group 5 mode active
!
interface Ethernet8
description L2_dc1-leaf2c_Ethernet2
no shutdown
channel-group 8 mode active
!
interface Loopback0
description ROUTER_ID
no shutdown
ip address 10.255.0.6/32
!
interface Loopback1
description VXLAN_TUNNEL_SOURCE
no shutdown
ip address 10.255.1.5/32
!
interface Loopback10
description DIAG_VRF_VRF10
no shutdown
vrf VRF10
ip address 10.255.10.6/32
!
interface Loopback11
description DIAG_VRF_VRF11
no shutdown
vrf VRF11
ip address 10.255.11.6/32
!
interface Management1
description OOB_MANAGEMENT
no shutdown
vrf MGMT
ip address 172.16.1.104/24
!
interface Vlan11
description VRF10_VLAN11
no shutdown
vrf VRF10
ip address virtual 10.10.11.1/24
!
interface Vlan12
description VRF10_VLAN12
no shutdown
vrf VRF10
ip address virtual 10.10.12.1/24
!
interface Vlan21
description VRF11_VLAN21
no shutdown
vrf VRF11
ip address virtual 10.10.21.1/24
!
interface Vlan22
description VRF11_VLAN22
no shutdown
vrf VRF11
ip address virtual 10.10.22.1/24
!
interface Vlan3009
description MLAG_L3_VRF_VRF10
no shutdown
mtu 1500
vrf VRF10
ip address 10.255.1.101/31
!
interface Vlan3010
description MLAG_L3_VRF_VRF11
no shutdown
mtu 1500
vrf VRF11
ip address 10.255.1.101/31
!
interface Vlan4093
description MLAG_L3
no shutdown
mtu 1500
ip address 10.255.1.101/31
!
interface Vlan4094
description MLAG
no shutdown
mtu 1500
no autostate
ip address 10.255.1.69/31
!
interface Vxlan1
description dc1-leaf2b_VTEP
vxlan source-interface Loopback1
vxlan virtual-router encapsulation mac-address mlag-system-id
vxlan udp-port 4789
vxlan vlan 11 vni 10011
vxlan vlan 12 vni 10012
vxlan vlan 21 vni 10021
vxlan vlan 22 vni 10022
vxlan vlan 3401 vni 13401
vxlan vlan 3402 vni 13402
vxlan vrf VRF10 vni 10
vxlan vrf VRF11 vni 11
!
ip virtual-router mac-address 00:1c:73:00:00:99
!
ip address virtual source-nat vrf VRF10 address 10.255.10.6
ip address virtual source-nat vrf VRF11 address 10.255.11.6
!
ip routing
no ip routing vrf MGMT
ip routing vrf VRF10
ip routing vrf VRF11
!
ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
seq 10 permit 10.255.0.0/27 eq 32
seq 20 permit 10.255.1.0/27 eq 32
!
ip prefix-list PL-MLAG-PEER-VRFS
seq 10 permit 10.255.1.100/31
!
mlag configuration
domain-id DC1_L3_LEAF2
local-interface Vlan4094
peer-address 10.255.1.68
peer-link Port-Channel3
reload-delay mlag 300
reload-delay non-mlag 330
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
route-map RM-CONN-2-BGP permit 10
match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
!
route-map RM-CONN-2-BGP-VRFS deny 10
match ip address prefix-list PL-MLAG-PEER-VRFS
!
route-map RM-CONN-2-BGP-VRFS permit 20
!
route-map RM-MLAG-PEER-IN permit 10
description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing
set origin incomplete
!
router bfd
multihop interval 300 min-rx 300 multiplier 3
!
router bgp 65102
router-id 10.255.0.6
no bgp default ipv4-unicast
maximum-paths 4 ecmp 4
neighbor EVPN-OVERLAY-PEERS peer group
neighbor EVPN-OVERLAY-PEERS update-source Loopback0
neighbor EVPN-OVERLAY-PEERS bfd
neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
neighbor EVPN-OVERLAY-PEERS password 7 Q4fqtbqcZ7oQuKfuWtNGRQ==
neighbor EVPN-OVERLAY-PEERS send-community
neighbor EVPN-OVERLAY-PEERS maximum-routes 0
neighbor IPv4-UNDERLAY-PEERS peer group
neighbor IPv4-UNDERLAY-PEERS password 7 7x4B4rnJhZB438m9+BrBfQ==
neighbor IPv4-UNDERLAY-PEERS send-community
neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
neighbor MLAG-IPv4-UNDERLAY-PEER peer group
neighbor MLAG-IPv4-UNDERLAY-PEER remote-as 65102
neighbor MLAG-IPv4-UNDERLAY-PEER next-hop-self
neighbor MLAG-IPv4-UNDERLAY-PEER description dc1-leaf2a
neighbor MLAG-IPv4-UNDERLAY-PEER route-map RM-MLAG-PEER-IN in
neighbor MLAG-IPv4-UNDERLAY-PEER password 7 4b21pAdCvWeAqpcKDFMdWw==
neighbor MLAG-IPv4-UNDERLAY-PEER send-community
neighbor MLAG-IPv4-UNDERLAY-PEER maximum-routes 12000
neighbor 10.255.0.1 peer group EVPN-OVERLAY-PEERS
neighbor 10.255.0.1 remote-as 65100
neighbor 10.255.0.1 description dc1-spine1_Loopback0
neighbor 10.255.0.2 peer group EVPN-OVERLAY-PEERS
neighbor 10.255.0.2 remote-as 65100
neighbor 10.255.0.2 description dc1-spine2_Loopback0
neighbor 10.255.1.100 peer group MLAG-IPv4-UNDERLAY-PEER
neighbor 10.255.1.100 description dc1-leaf2a_Vlan4093
neighbor 10.255.255.12 peer group IPv4-UNDERLAY-PEERS
neighbor 10.255.255.12 remote-as 65100
neighbor 10.255.255.12 description dc1-spine1_Ethernet4
neighbor 10.255.255.14 peer group IPv4-UNDERLAY-PEERS
neighbor 10.255.255.14 remote-as 65100
neighbor 10.255.255.14 description dc1-spine2_Ethernet4
redistribute connected route-map RM-CONN-2-BGP
!
vlan 11
rd 10.255.0.6:10011
route-target both 10011:10011
redistribute learned
!
vlan 12
rd 10.255.0.6:10012
route-target both 10012:10012
redistribute learned
!
vlan 21
rd 10.255.0.6:10021
route-target both 10021:10021
redistribute learned
!
vlan 22
rd 10.255.0.6:10022
route-target both 10022:10022
redistribute learned
!
vlan 3401
rd 10.255.0.6:13401
route-target both 13401:13401
redistribute learned
!
vlan 3402
rd 10.255.0.6:13402
route-target both 13402:13402
redistribute learned
!
address-family evpn
neighbor EVPN-OVERLAY-PEERS activate
!
address-family ipv4
no neighbor EVPN-OVERLAY-PEERS activate
neighbor IPv4-UNDERLAY-PEERS activate
neighbor MLAG-IPv4-UNDERLAY-PEER activate
!
vrf VRF10
rd 10.255.0.6:10
route-target import evpn 10:10
route-target export evpn 10:10
router-id 10.255.0.6
neighbor 10.255.1.100 peer group MLAG-IPv4-UNDERLAY-PEER
neighbor 10.255.1.100 description dc1-leaf2a_Vlan3009
redistribute connected route-map RM-CONN-2-BGP-VRFS
!
vrf VRF11
rd 10.255.0.6:11
route-target import evpn 11:11
route-target export evpn 11:11
router-id 10.255.0.6
neighbor 10.255.1.100 peer group MLAG-IPv4-UNDERLAY-PEER
neighbor 10.255.1.100 description dc1-leaf2a_Vlan3010
redistribute connected route-map RM-CONN-2-BGP-VRFS
!
end
!
no enable password
no aaa root
!
username admin privilege 15 role network-admin nopassword
username ansible privilege 15 role network-admin secret sha512 $6$7u4j1rkb3VELgcZE$EJt2Qff8kd/TapRoci0XaIZsL4tFzgq1YZBLD9c6f/knXzvcYY0NcMKndZeCv0T268knGKhOEwZAxqKjlMm920
!
daemon TerminAttr
exec /usr/bin/TerminAttr -cvaddr=192.168.1.12:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
no shutdown
!
vlan internal order ascending range 1006 1199
!
transceiver qsfp default-mode 4x10G
!
service routing protocols model multi-agent
!
hostname dc1-leaf2c
ip name-server vrf MGMT 192.168.1.1
!
spanning-tree mode mstp
spanning-tree mst 0 priority 32768
!
vlan 11
name VRF10_VLAN11
!
vlan 12
name VRF10_VLAN12
!
vlan 21
name VRF11_VLAN21
!
vlan 22
name VRF11_VLAN22
!
vlan 3401
name L2_VLAN3401
!
vlan 3402
name L2_VLAN3402
!
vrf instance MGMT
!
management api http-commands
protocol https
no shutdown
!
vrf MGMT
no shutdown
!
interface Port-Channel1
description L2_DC1_L3_LEAF2_Port-Channel8
no shutdown
switchport trunk allowed vlan 11-12,21-22,3401-3402
switchport mode trunk
switchport
!
interface Ethernet1
description L2_dc1-leaf2a_Ethernet8
no shutdown
channel-group 1 mode active
!
interface Ethernet2
description L2_dc1-leaf2b_Ethernet8
no shutdown
channel-group 1 mode active
!
interface Ethernet5
description SERVER_dc1-leaf2-server1_iLO
no shutdown
switchport access vlan 11
switchport mode access
switchport
spanning-tree portfast
!
interface Management1
description OOB_MANAGEMENT
no shutdown
vrf MGMT
ip address 172.16.1.152/24
!
no ip routing vrf MGMT
!
ip route vrf MGMT 0.0.0.0/0 172.16.1.1
!
ntp local-interface vrf MGMT Management1
ntp server vrf MGMT 0.pool.ntp.org prefer
!
end
The execution of the playbook should produce the following output:
user@ubuntu:~/ansible-avd-examples/single-dc-l3ls$ ansible-playbook build.yml
PLAY [Run AVD] *****************************************************************************************************************************************************************************
TASK [arista.avd.eos_designs : Collection arista.avd version 4.0.0 loaded from /home/user/.ansible/collections/ansible_collections] ******************************************************
ok: [dc1-leaf1a]
TASK [arista.avd.eos_designs : Create required output directories if not present] **********************************************************************************************************
ok: [dc1-leaf1a -> localhost] => (item=/home/user/Documents/git_projects/ansible-avd-examples/single-dc-l3ls/intended/structured_configs)
ok: [dc1-leaf1a -> localhost] => (item=/home/user/Documents/git_projects/ansible-avd-examples/single-dc-l3ls/documentation/fabric)
(...)
If similar output is not shown, make sure:
- The documented requirements are met.
- The latest arista.avd collection is installed.
Troubleshooting
EVPN not working
If after doing the following steps:
- Manually copy/paste the switch-basic-configuration to the devices.
- Run the playbook and push the generated configuration to the fabric.
- Log in to a leaf device, for example dc1-leaf1a, and run the command show bgp evpn summary to view EVPN routes.
The following error message is shown:
This is caused by AVD pushing the configuration line service routing protocols model multi-agent, which enables the multi-agent routing process supporting EVPN. This change requires a reboot of the device.
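The generated configurations above and the reboot caveat suggest a few pre-push checks an operator can run against the rendered EOS text. The script below is an added example written for this page and is not part of the arista.avd collection. It parses the flat EOS configuration (top-level commands, three-space-indented children, sections closed by "!"), reports whether the multi-agent routing model line is present (so a device still running the default model is known to need a reboot after the first push), cross-checks that the two MLAG peers point at each other's Vlan4094 addresses, and lists local accounts that can log in without a password, as the example's admin user does. The two config excerpts are constructed from the dc1-leaf2a and dc1-leaf2b output on this page and trimmed to the lines the checks read; the function and variable names are the example's own.

```python
"""Pre-push sanity checks over AVD-generated EOS configurations (added example)."""
import re
from typing import Dict, List

Sections = Dict[str, List[str]]

# Constructed excerpt modelled on dc1-leaf2a above (addresses copied from the page,
# trimmed to what the checks need). Children use EOS' three-space indentation.
LEAF2A = """\
service routing protocols model multi-agent
!
hostname dc1-leaf2a
!
no aaa root
!
username admin privilege 15 role network-admin nopassword
!
interface Vlan4094
   description MLAG
   no shutdown
   ip address 10.255.1.68/31
!
mlag configuration
   domain-id DC1_L3_LEAF2
   local-interface Vlan4094
   peer-address 10.255.1.69
   peer-link Port-Channel3
!
end
"""

# dc1-leaf2b is the mirror image: its own SVI is .69 and it peers with .68.
LEAF2B = (
    LEAF2A.replace("hostname dc1-leaf2a", "hostname dc1-leaf2b")
    .replace("ip address 10.255.1.68/31", "ip address 10.255.1.69/31")
    .replace("peer-address 10.255.1.69", "peer-address 10.255.1.68")
)


def parse_sections(config: str) -> Sections:
    """Group every top-level command with its indented child lines."""
    sections: Sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None  # "!" closes the section currently being read
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def hostname(sections: Sections) -> str:
    for key in sections:
        if key.startswith("hostname "):
            return key.split(None, 1)[1]
    return "<unknown>"


def uses_multi_agent(config: str) -> bool:
    """True when the rendered config switches the device to the multi-agent model."""
    return "service routing protocols model multi-agent" in parse_sections(config)


def mlag_params(sections: Sections) -> Dict[str, str]:
    """Flatten 'mlag configuration' into a dict and add the local peer-SVI address."""
    params: Dict[str, str] = {}
    for child in sections.get("mlag configuration", []):
        key, _, value = child.partition(" ")
        params[key] = value
    for child in sections.get(f"interface {params.get('local-interface', '')}", []):
        match = re.match(r"ip address (\S+)/\d+$", child)
        if match:
            params["local-address"] = match.group(1)
    return params


def check_mlag_pair(config_a: str, config_b: str) -> List[str]:
    """Return inconsistencies between two MLAG peers; an empty list means they agree."""
    sa, sb = parse_sections(config_a), parse_sections(config_b)
    pa, pb = mlag_params(sa), mlag_params(sb)
    ha, hb = hostname(sa), hostname(sb)
    problems: List[str] = []
    for key in ("domain-id", "peer-link"):
        if pa.get(key) != pb.get(key):
            problems.append(f"{key} differs: {ha}={pa.get(key)} {hb}={pb.get(key)}")
    # Each side's peer-address must be the other side's local-interface address.
    for (host, mine), (other, theirs) in (((ha, pa), (hb, pb)), ((hb, pb), (ha, pa))):
        if mine.get("peer-address") != theirs.get("local-address"):
            problems.append(
                f"{host} peer-address {mine.get('peer-address')} is not {other}'s "
                f"{theirs.get('local-interface')} address {theirs.get('local-address')}"
            )
    return problems


def weak_auth_findings(config: str) -> List[str]:
    """Local accounts configured with 'nopassword' (lab convenience, not for production)."""
    return [
        line for line in parse_sections(config)
        if line.startswith("username ") and line.endswith(" nopassword")
    ]


if __name__ == "__main__":
    for name, cfg in (("dc1-leaf2a", LEAF2A), ("dc1-leaf2b", LEAF2B)):
        print(name, "multi-agent:", uses_multi_agent(cfg), "weak auth:", weak_auth_findings(cfg))
    print("MLAG pair problems:", check_mlag_pair(LEAF2A, LEAF2B) or "none")
```

Run it against the files AVD writes under intended/configs instead of the embedded excerpts to check a real pair; any device for which uses_multi_agent returns True but whose running config still shows the default model is the one that will exhibit the EVPN symptom above until it is reloaded.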