This appendix provides the configurations per tenant type.
•Configuration Template for Gold Service Class
•Configuration Template for Silver Service Class
•Configuration Template for Bronze Service Class
•Configuration Template for Copper Service Class
•Configuration Template for Nexus 5548 ICS switch
This section presents the configuration templates for the Gold service class.
•Aggregation Nexus 7000 Gold Configuration
•ASR 1000 PE Gold Tenant Configuration
•Nexus 1000V Gold Configuration
This section provides an aggregation Nexus 7000 Gold configuration.
vrf context customer_gold1_priv
ip route 0.0.0.0/0 10.1.6.11
vrf context customer_gold1_pub
ip route 11.1.0.0/16 10.1.5.11
interface Vlan201
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_gold1_priv
no ip redirects
ip address 11.1.1.2/24
no ipv6 redirects
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp 201
preempt
priority 150
ip 11.1.1.1
interface Vlan301
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_gold1_priv
no ip redirects
ip address 11.1.2.2/24
no ipv6 redirects
hsrp version 2
hsrp 301
preempt
priority 150
ip 11.1.2.1
interface Vlan401
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_gold1_priv
no ip redirects
ip address 11.1.3.2/24
no ipv6 redirects
hsrp version 2
hsrp 401
preempt
priority 150
ip 11.1.3.1
interface Vlan1201
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_gold1_priv
no ip redirects
ip address 10.1.6.2/24
no ipv6 redirects
hsrp version 2
hsrp 1201
preempt
priority 150
ip 10.1.6.1
interface Vlan1301
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_gold1_pub
no ip redirects
ip address 10.1.5.2/24
no ipv6 redirects
hsrp version 2
hsrp 1301
preempt
priority 150
ip 10.1.5.1
interface port-channel343.201
vrf member customer_gold1_pub
ip address 10.1.34.3/24
interface Ethernet3/9.201
vrf member customer_gold1_pub
ip address 10.1.1.2/24
no ip arp gratuitous hsrp duplicate
interface Ethernet4/9.201
vrf member customer_gold1_pub
ip address 10.1.3.2/24
no ip arp gratuitous hsrp duplicate
router bgp 65501
vrf customer_gold1_pub
log-neighbor-changes
address-family ipv4 unicast
redistribute static route-map SET-COMM
additional-paths send
additional-paths receive
neighbor 10.1.1.1
remote-as 109
address-family ipv4 unicast
inherit peer-policy PREFER->PE1 1
neighbor 10.1.3.1
remote-as 109
address-family ipv4 unicast
send-community
neighbor 10.1.34.4
remote-as 65501
address-family ipv4 unicast
inherit peer-policy ibgp-policy 1
no send-community
next-hop-self
This section provides the templates for the ASA Gold configurations.
•ASA Gold Tenant Perimeter Firewall Configuration
•ASA Gold Tenant DMZ Firewall Configuration
•ASA Gold Tenant SSL and IPSec VPN Configuration
This section provides an ASA Gold tenant perimeter firewall configuration.
dc02-asa-fw1/admin# changeto c customer-gold1
dc02-asa-fw1/customer-gold1# terminal pager 0
dc02-asa-fw1/customer-gold1# sh run
: Saved
:
ASA Version 9.0(1) <context>
!
terminal width 511
hostname customer-gold1
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Management0/0
management-only
nameif mgmt
security-level 100
ip address 192.168.50.201 255.255.255.0 standby 192.168.50.202
!
interface Port-channel1.1201
nameif inside
security-level 100
ip address 10.1.6.11 255.255.255.0 standby 10.1.6.12
!
interface Port-channel1.1301
nameif outside
security-level 0
ip address 10.1.5.11 255.255.255.0 standby 10.1.5.12
!
interface Port-channel1.1401
nameif dmz
security-level 80
ip address 10.1.8.21 255.255.255.0 standby 10.1.8.22
!
object network SP-CLIENTS-POOL
range 51.1.1.1 51.1.1.254
object network SP-CLIENTS->DMZ
range 0.0.0.0 255.255.255.255
object network test1
range 51.1.2.1 51.1.2.254
object-group network SP-CLIENTS-NETWORK
network-object 40.1.0.0 255.255.0.0
network-object 10.1.0.0 255.255.0.0
network-object 131.0.0.0 255.0.0.0
network-object 51.1.2.0 255.255.255.0
object-group service SP-CLIENTS-PROTOCOLS-TCP tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ssh
port-object eq domain
object-group service SP-CLIENTS-PROTOCOLS-UDP udp
port-object eq tftp
port-object eq domain
port-object range 10000 30000
object-group network DMZ-VPN-NETWORK
network-object 11.1.4.0 255.255.255.0
network-object 11.255.0.0 255.255.0.0
object-group service DMZ-VPN-PROTOCOLS-TCP tcp
port-object eq www
port-object eq https
port-object eq ssh
port-object eq ftp
object-group service DMZ-VPN-PROTOCOLS-UDP udp
port-object eq tftp
port-object eq domain
port-object range 10000 30000
access-list DMZ-VPN extended permit tcp object-group DMZ-VPN-NETWORK any object-group DMZ-VPN-PROTOCOLS-TCP
access-list DMZ-VPN extended permit udp object-group DMZ-VPN-NETWORK any object-group DMZ-VPN-PROTOCOLS-UDP
access-list DMZ-VPN extended permit icmp object-group DMZ-VPN-NETWORK any
access-list OUTSIDE extended permit tcp object-group SP-CLIENTS-NETWORK any object-group SP-CLIENTS-PROTOCOLS-TCP
access-list OUTSIDE extended permit udp object-group SP-CLIENTS-NETWORK any object-group SP-CLIENTS-PROTOCOLS-UDP
access-list OUTSIDE extended permit icmp object-group SP-CLIENTS-NETWORK any
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor debugging
logging buffered debugging
logging trap errors
logging asdm informational
logging facility 17
logging device-id context-name
logging host mgmt 192.168.11.100
no logging message 713167
no logging message 713123
no logging message 313001
no logging message 725001
no logging message 725002
no logging message 710005
no logging message 113009
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 602303
no logging message 609001
no logging message 715007
no logging message 302016
mtu mgmt 1500
mtu inside 1500
mtu outside 1500
mtu dmz 1500
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network SP-CLIENTS->DMZ
nat (outside,dmz) dynamic SP-CLIENTS-POOL
object network test1
nat (outside,inside) dynamic test1
access-group OUTSIDE in interface outside
access-group DMZ-VPN in interface dmz
route outside 0.0.0.0 0.0.0.0 10.1.5.1 1
route inside 11.0.0.0 255.0.0.0 10.1.6.1 1
route dmz 11.1.4.0 255.255.255.0 10.1.8.11 1
route dmz 11.255.0.0 255.255.0.0 10.1.8.11 1
route inside 111.0.0.0 255.0.0.0 10.1.6.1 1
route mgmt 192.168.0.0 255.255.0.0 192.168.50.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
snmp-server host mgmt 192.168.11.12 community ***** version 2c
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
!
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
dc02-asa-fw1/customer-gold1
This section provides an ASA Gold tenant DMZ firewall configuration.
dc02-asa-fw1/customer-gold1# changeto c customer-gold1-dmz
dc02-asa-fw1/customer-gold1-dmz# ter
dc02-asa-fw1/customer-gold1-dmz# terminal p 0
dc02-asa-fw1/customer-gold1-dmz# sh run
: Saved
:
ASA Version 9.0(1) <context>
!
terminal width 511
hostname customer-gold1-dmz
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Management0/0
management-only
nameif mgmt
security-level 100
ip address 192.168.50.221 255.255.255.0 standby 192.168.50.222
!
interface Port-channel1.1401
nameif inside
security-level 100
ip address 10.1.8.11 255.255.255.0 standby 10.1.8.12
!
interface Port-channel1.1501
nameif dmz
security-level 80
ip address 10.1.7.11 255.255.255.0 standby 10.1.7.22
!
interface Port-channel1.1701
nameif vpn
security-level 50
ip address 11.255.1.251 255.255.255.0 standby 11.255.1.252
!
interface Port-channel1.2000
nameif internet
security-level 0
ip address 100.200.1.11 255.255.255.0 standby 100.200.1.12
!
object network SERVER1
host 11.1.4.11
object network SERVER3
host 11.1.4.13
object network SERVER2
host 11.1.4.12
object network WEB-VIP
host 11.1.4.111
object network t1
object network SERVER8
host 11.1.4.100
object network SERVER7
host 11.1.4.151
object-group service INTERNET-PROTOCOLS-TCP tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service VPN-PROTOCOLS-TCP tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service INTERNET-PROTOCOLS-UDP udp
port-object eq tftp
port-object range 10000 30000
access-list INTERNET extended permit tcp any any object-group INTERNET-PROTOCOLS-TCP
access-list INTERNET extended permit icmp any any
access-list INTERNET extended permit udp any any object-group INTERNET-PROTOCOLS-UDP
access-list VPN extended permit tcp any any object-group INTERNET-PROTOCOLS-TCP
access-list VPN extended permit icmp any any
access-list DMZ extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor debugging
logging buffered debugging
logging trap errors
logging asdm informational
logging facility 17
logging device-id context-name
logging host mgmt 192.168.11.100
no logging message 713167
no logging message 713123
no logging message 313001
no logging message 725001
no logging message 725002
no logging message 710005
no logging message 113009
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 602303
no logging message 609001
no logging message 715007
no logging message 302016
mtu mgmt 1500
This section provides an ASA Gold tenant SSL and IPSec VPN configuration.
crypto ipsec ikev1 transform-set ipsec-tz esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map ipsec-cm 1 set ikev1 transform-set ipsec-tz
crypto dynamic-map ipsec-cm 1 set security-association lifetime seconds 7200
crypto map ipsec-cm 1 ipsec-isakmp dynamic ipsec-cm
crypto map ipsec-cm interface internet
crypto ca trustpool policy
crypto ikev1 enable internet
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
tunnel-group customer_gold1-ipsec type remote-access
tunnel-group customer_gold1-ipsec general-attributes
address-pool customer_gold1
authentication-server-group (internet) LOCAL
authorization-server-group (internet) LOCAL
tunnel-group customer_gold1-ipsec ipsec-attributes
ikev1 pre-shared-key *****
group-policy customer_gold1-ipsec internal
group-policy customer_gold1-ipsec attributes
vpn-simultaneous-logins 200
vpn-tunnel-protocol ikev1
group-lock value customer_gold1-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customer_gold1
vlan 1701
username ipsec1 password S8ZObXJyIluJKbJX encrypted
username ipsec1 attributes
vpn-group-policy customer_gold1-ipsec
webvpn
enable internet
no anyconnect-essentials
csd image disk0:/csd_3.6.6210-k9.pkg
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
anyconnect profiles anyconnect-profile disk0:/RDP.xml
anyconnect enable
tunnel-group-preference group-url
tunnel-group customer_gold1-ssl type remote-access
tunnel-group customer_gold1-ssl general-attributes
address-pool customer_gold1
authentication-server-group (internet) LOCAL
authorization-server-group (internet) LOCAL
tunnel-group customer_gold1-ssl webvpn-attributes
group-url https://100.200.1.51/customer_gold1 enable
dc02-asa5555-1# sh run group-policy customer_gold1-ssl
group-policy customer_gold1-ssl internal
group-policy customer_gold1-ssl attributes
vpn-simultaneous-logins 200
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value customer_gold1-ssl
split-tunnel-policy tunnelspecified
split-tunnel-network-list value customer_gold1
vlan 1701
webvpn
anyconnect profiles value anyconnect-profile type user
dc02-asa5555-1# sh run username ssl1
username ssl1 password JSKNK4oromgGd3D9 encrypted
username ssl1 attributes
vpn-group-policy customer_gold1-ssl
dc02-asa5555-1#
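As an added example (it is not Cisco's code and not part of this appendix), the following Python lint reads ASA context configuration in the form shown in the perimeter, DMZ and VPN sections above and reports the settings a reviewer would question first: the 3DES/MD5/DH group 2 IKEv1 policy and transform-set, the SNMP version 2c host, and the permit ip any any entry on the DMZ context. The embedded sample is constructed from lines on this page plus a hypothetical stronger policy 10 for contrast; sub-commands are matched by keyword rather than indentation, so it also works on flattened copies like the ones printed here.

```python
"""Lint security-relevant settings in ASA context configuration text.

Added example for this appendix, not Cisco code.  Reports IKEv1 policies using
DES/3DES, MD5 or DH groups 1/2/5, transform-sets using esp-des/esp-3des or
esp-md5-hmac, SNMP hosts on version 1/2c, and extended ACL entries that permit
ip any any.  Sub-commands are matched by keyword, not indentation.
"""
import re
from typing import Dict, List, Tuple

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
IKEV1_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}
POLICY_RE = re.compile(r"crypto ikev1 policy (\d+)$")

Finding = Tuple[int, str, str]  # (line number, rule id, detail)


def parse_ikev1_policies(config_text: str) -> Dict[int, Dict[str, str]]:
    """Return {policy number: {attribute: value}} for each IKEv1 policy."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        m = POLICY_RE.match(raw.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and tokens[0] in IKEV1_ATTRS:
            current[tokens[0]] = " ".join(tokens[1:])
        else:
            current = None  # any other command ends the policy block
    return policies


def audit_config(config_text: str) -> List[Finding]:
    """Run all checks and return findings sorted by line number."""
    findings: List[Finding] = []
    lines = config_text.splitlines()
    policy_line: Dict[int, int] = {}  # where each policy starts, for citing
    for no, raw in enumerate(lines, 1):
        m = POLICY_RE.match(raw.strip())
        if m:
            policy_line[int(m.group(1))] = no
    for num, attrs in parse_ikev1_policies(config_text).items():
        no = policy_line[num]
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append((no, "ikev1-weak-cipher", f"policy {num} encryption {attrs['encryption']}"))
        if attrs.get("hash") in WEAK_HASH:
            findings.append((no, "ikev1-weak-hash", f"policy {num} hash {attrs['hash']}"))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append((no, "ikev1-weak-dh", f"policy {num} group {attrs['group']}"))
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        tokens = line.split()
        if line.startswith("crypto ipsec ikev1 transform-set ") and len(tokens) > 5:
            weak = [t for t in tokens[5:] if t in WEAK_TRANSFORMS]
            if weak:
                findings.append((no, "ipsec-weak-transform", f"{tokens[4]} uses {' '.join(weak)}"))
        elif line.startswith("snmp-server host ") and re.search(r"\bversion (1|2c)\b", line):
            findings.append((no, "snmp-insecure-version", line))
        elif re.match(r"access-list \S+ extended permit ip any[46]? any[46]?$", line):
            findings.append((no, "acl-permit-any-any", line))
    findings.sort(key=lambda f: f[0])  # stable sort: ties keep check order
    return findings


# Constructed sample: lines taken from the Gold VPN, DMZ and perimeter contexts
# above, plus a hypothetical stronger "policy 10" that should produce no finding.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ipsec-tz esp-3des esp-md5-hmac
crypto ikev1 enable internet
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 3600
tunnel-group customer_gold1-ipsec type remote-access
tunnel-group customer_gold1-ipsec ipsec-attributes
 ikev1 pre-shared-key *****
access-list DMZ extended permit ip any any
access-list OUTSIDE extended permit icmp object-group SP-CLIENTS-NETWORK any
snmp-server host mgmt 192.168.11.12 community ***** version 2c
"""

if __name__ == "__main__":
    for line_no, rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>3}  {rule:<22}  {detail}")
```

Run against a full context's show run output, only the four rule families above are checked; anything else in the configuration passes silently.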
This section provides an ACE Gold configuration.
dc02-ace-1/Admin# changeto customer_gold1
dc02-ace-1/customer_gold1# terminal length 0
dc02-ace-1/customer_gold1# sh run
Generating configuration....
logging enable
logging standby
logging timestamp
logging trap 6
logging buffered 7
logging monitor 6
logging facility 17
logging device-id context-name
logging host 192.168.11.100 udp/514
no logging message 251008
no logging message 302022
no logging message 302023
no logging message 302024
no logging message 302025
no logging message 106023
arp interval 1440
access-list app-acl line 8 extended permit ip any any
access-list db-acl line 8 extended permit ip any any
access-list t1 line 8 extended permit tcp 11.1.1.0 255.255.255.0 11.1.2.0 255.255.255.0
access-list web-acl line 8 extended deny udp 11.0.0.0 255.0.0.0 eq tftp any
access-list web-acl line 16 extended deny udp 11.0.0.0 255.0.0.0 eq 30000 any
access-list web-acl line 24 extended permit ip any any
probe ftp ftp-probe
interval 2
faildetect 5
passdetect interval 2
passdetect count 5
receive 1
expect status 200 400
connection term forced
probe http http-probe
interval 2
faildetect 5
passdetect interval 2
passdetect count 5
receive 1
expect status 200 400
connection term forced
rserver host app-server1
ip address 11.1.2.11
inservice
rserver host app-server2
ip address 11.1.2.12
inservice
rserver host app-server3
ip address 11.1.2.13
inservice
rserver host db-server1
ip address 11.1.3.11
inservice
rserver host db-server2
ip address 11.1.3.12
inservice
rserver host db-server3
ip address 11.1.3.13
inservice
rserver host udp-host
ip address 11.1.1.100
inservice
rserver host udp-host:30000
ip address 11.1.1.101
inservice
rserver host web-server1
ip address 11.1.1.11
inservice
rserver host web-server2
ip address 11.1.1.12
inservice
rserver host web-server3
ip address 11.1.1.13
inservice
rserver host web-spirent
ip address 11.1.1.151
inservice
serverfarm host app-serverfarm
rserver app-server1
inservice
rserver app-server2
inservice
rserver app-server3
inservice
serverfarm host db-serverfarm
rserver db-server1
inservice
rserver db-server2
inservice
rserver db-server3
inservice
serverfarm host udp-serverfarm
rserver udp-host
inservice
serverfarm host udp-serverfarm:30000
rserver udp-host:30000
inservice
serverfarm host web-serverfarm
rserver web-server1
inservice
rserver web-server2
rserver web-server3
rserver web-spirent
inservice
parameter-map type connection tcp_pm
set tcp wan-optimization rtt 0
parameter-map type connection udp_pm
set timeout inactivity 300
sticky http-cookie customer_gold1-http-cookie customer_gold1-http
cookie insert browser-expire
serverfarm web-serverfarm
timeout 10
replicate sticky
sticky http-cookie customer_gold1-web-app-cookie customer_gold1-web->app
cookie insert browser-expire
serverfarm app-serverfarm
timeout 10
replicate sticky
sticky ip-netmask 255.255.255.255 address both customer_gold1-app->db
serverfarm db-serverfarm
timeout 10
replicate sticky
class-map type http loadbalance match-any cm-app-subnet
2 match source-address 11.1.2.0 255.255.255.0
class-map type http loadbalance match-any cm-http
2 match http url /.*.txt
3 match http url /.*.html
class-map type http loadbalance match-any cm-web-subnet
2 match source-address 11.1.1.0 255.255.255.0
class-map match-all app->db-vip
2 match virtual-address 11.1.3.111 tcp eq www
class-map type http loadbalance match-all cm-app->db
2 match class-map cm-http
3 match class-map cm-app-subnet
class-map type http loadbalance match-all cm-web->app
2 match class-map cm-http
3 match class-map cm-web-subnet
class-map type management match-any management-traffic
2 match protocol ssh any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
7 match protocol snmp source-address 192.168.0.0 255.255.0.0
class-map match-all udp-vip
2 match virtual-address 11.1.1.111 udp eq 69
class-map match-all udp-vip:30000
2 match virtual-address 11.1.1.111 udp eq 30000
class-map match-all web->app-vip
2 match virtual-address 11.1.2.111 tcp eq www
class-map match-all web-vip
2 match virtual-address 11.1.1.111 tcp eq www
policy-map type management first-match management-traffic
class management-traffic
permit
policy-map type loadbalance first-match app->db-lb-policy
class cm-app->db
sticky-serverfarm customer_gold1-app->db
policy-map type loadbalance first-match udp-lb-policy
class class-default
serverfarm udp-serverfarm
policy-map type loadbalance first-match udp-lb-policy:30000
class class-default
serverfarm udp-serverfarm:30000
policy-map type loadbalance first-match web->app-lb-policy
class cm-web->app
sticky-serverfarm customer_gold1-web->app
policy-map type loadbalance first-match web-lb-policy
class cm-http
sticky-serverfarm customer_gold1-http
policy-map multi-match app->db-lb
class app->db-vip
loadbalance vip inservice
loadbalance policy app->db-lb-policy
loadbalance vip icmp-reply active
nat dynamic 3 vlan 401
policy-map multi-match lb-policy
class web-vip
loadbalance vip inservice
loadbalance policy web-lb-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 201
connection advanced-options tcp_pm
class udp-vip
loadbalance vip inservice
loadbalance policy udp-lb-policy
loadbalance vip icmp-reply
nat dynamic 11 vlan 201
connection advanced-options udp_pm
class udp-vip:30000
loadbalance vip inservice
loadbalance policy udp-lb-policy:30000
loadbalance vip icmp-reply active
nat dynamic 12 vlan 201
connection advanced-options udp_pm
policy-map multi-match web->app-lb
class web->app-vip
loadbalance vip inservice
loadbalance policy web->app-lb-policy
loadbalance vip icmp-reply active
nat dynamic 2 vlan 301
service-policy input management-traffic
interface vlan 60
description mgmt
ip address 192.168.60.21 255.255.255.0
peer ip address 192.168.60.22 255.255.255.0
no shutdown
interface vlan 201
description web tier
ip address 11.1.1.22 255.255.255.0
alias 11.1.1.21 255.255.255.0
peer ip address 11.1.1.23 255.255.255.0
access-group input web-acl
nat-pool 1 11.1.1.24 11.1.1.30 netmask 255.255.255.0 pat
nat-pool 11 11.1.1.41 11.1.1.41 netmask 255.255.255.255
nat-pool 12 11.1.1.42 11.1.1.42 netmask 255.255.255.255
service-policy input lb-policy
no shutdown
interface vlan 301
description app tier
ip address 11.1.2.22 255.255.255.0
alias 11.1.2.21 255.255.255.0
peer ip address 11.1.2.23 255.255.255.0
access-group input app-acl
nat-pool 2 11.1.2.24 11.1.2.30 netmask 255.255.255.0 pat
service-policy input web->app-lb
no shutdown
interface vlan 401
description db tier
ip address 11.1.3.22 255.255.255.0
alias 11.1.3.21 255.255.255.0
peer ip address 11.1.3.23 255.255.255.0
access-group input db-acl
nat-pool 3 11.1.3.24 11.1.3.30 netmask 255.255.255.0 pat
service-policy input app->db-lb
no shutdown
interface vlan 501
no normalization
ft track host 1
ip route 0.0.0.0 0.0.0.0 11.1.1.1
ip route 192.168.0.0 255.255.0.0 192.168.60.1
snmp-server community public group Network-Monitor
snmp-server host 192.168.11.39 traps version 2c public
snmp-server host 192.168.11.41 traps version 2c public
snmp-server trap-source vlan 60
snmp-server enable traps rate-limit bandwidth
snmp-server enable traps slb serverfarm
snmp-server enable traps slb vserver
snmp-server enable traps slb real
snmp-server enable traps syslog
snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkup
snmp-server enable traps snmp linkdown
username admin password 5 $1$d0VCV53d$J1bjlQoaSO8xhAoYReeh90 role Admin domain default-domain
dc02-ace-1/customer_gold1#
This section provides an ASR 1000 PE Gold tenant configuration.
dc02-asr1k-pe1#sh run vrf customer_gold1
Building configuration...
Current configuration : 1386 bytes
vrf definition customer_gold1
rd 21:1
route-target export 21:1
route-target import 31:1
!
address-family ipv4
exit-address-family
!
!
interface TenGigabitEthernet0/2/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/2/0.201
encapsulation dot1Q 201
vrf forwarding customer_gold1
ip address 10.1.1.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy input gold-in
service-policy output gold-out-parent
!
interface TenGigabitEthernet0/3/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/3/0.201
encapsulation dot1Q 201
vrf forwarding customer_gold1
ip address 10.1.4.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy input gold-in
service-policy output gold-out-parent
!
router bgp 109
!
address-family ipv4 vrf customer_gold1
neighbor 10.1.1.2 remote-as 65501
neighbor 10.1.1.2 activate
neighbor 10.1.1.2 inherit peer-policy DC2_PEER_POLICY
neighbor 10.1.4.2 remote-as 65501
neighbor 10.1.4.2 activate
neighbor 10.1.4.2 inherit peer-policy DC2_PEER_POLICY
exit-address-family
!
ip route vrf customer_gold1 169.0.0.0 255.0.0.0 Null0 track 1
end
This section provides a Nexus 1000V Gold configuration.
#---- one time config
class-map type qos match-all gold-ef
match dscp 46
policy-map type qos gold
class gold-ef
set cos 5
police cir 50 mbps bc 200 ms conform set-cos-transmit 5 violate drop
set dscp 40
class class-default
police cir 250 mbps bc 200 ms conform set-cos-transmit 2 violate set dscp dscp table pir-markdown-map
set qos-group 88
set dscp 16
port-profile type vethernet gold-profile
switchport mode access
service-policy input gold
pinning id 2
no shutdown
state enabled
#--- once for each tenant
vlan 201,301,401,1601
vservice node gold001-vsg01 type vsg
ip address 192.168.54.51
adjacency l3
fail-mode open
vservice node gold001-vsg02 type vsg
ip address 192.168.54.61
adjacency l3
fail-mode open
vservice path gold001-tier1
node gold001-vsg01 profile gold-tier1 order 10
vservice path gold001-tier2
node gold001-vsg01 profile gold-tier2 order 10
vservice path gold001-tier3
node gold001-vsg01 profile gold-tier3 order 10
vservice path gold001-dmz
node gold001-vsg02 profile gold-dmz order 10
port-profile type ethernet system-data-uplink
switchport trunk allowed vlan add 201,301,401,1601
port-profile type vethernet gold001-v0201
vmware port-group
inherit port-profile gold-profile
switchport access vlan 201
state enabled
org root/gold001
vservice path gold001-tier1
port-profile type vethernet gold001-v0301
vmware port-group
inherit port-profile gold-profile
switchport access vlan 301
state enabled
org root/gold001
vservice path gold001-tier2
port-profile type vethernet gold001-v0401
vmware port-group
inherit port-profile gold-profile
switchport access vlan 401
state enabled
org root/gold001
vservice path gold001-tier3
port-profile type vethernet gold001-v1601
vmware port-group
inherit port-profile gold-profile
switchport access vlan 1601
state enabled
org root/gold001
vservice path gold001-dmz
This section presents the configuration templates for the Silver service class.
•Aggregation Nexus 7000 Silver Configuration
•ACE Silver Tenant Configuration
•ASR 1000 PE Silver Tenant Configuration
•Nexus 1000V Silver Configuration
This section provides an aggregation Nexus 7000 Silver configuration.
vrf context customer_silver1
interface Vlan501
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_silver1
no ip redirects
ip address 11.2.1.2/24
no ipv6 redirects
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp 501
preempt
priority 150
ip 11.2.1.1
interface Vlan601
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_silver1
no ip redirects
ip address 11.2.2.2/24
no ipv6 redirects
hsrp version 2
hsrp 601
preempt
priority 150
ip 11.2.2.1
interface Vlan701
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_silver1
no ip redirects
ip address 11.2.3.2/24
no ipv6 redirects
hsrp version 2
hsrp 701
preempt
priority 150
ip 11.2.3.1
interface port-channel343.501
encapsulation dot1q 501
service-policy type qos input ingress-qos-policy
vrf member customer_silver1
ip address 10.2.34.3/24
no shutdown
interface Ethernet3/9.501
encapsulation dot1q 501
service-policy type qos input ingress-qos-policy
vrf member customer_silver1
ip address 10.2.1.2/24
no ip arp gratuitous hsrp duplicate
no shutdown
interface Ethernet4/9.501
encapsulation dot1q 501
service-policy type qos input ingress-qos-policy no-stats
vrf member customer_silver1
ip address 10.2.3.2/24
no ip arp gratuitous hsrp duplicate
no shutdown
router bgp 65501
vrf customer_silver1
graceful-restart-helper
log-neighbor-changes
address-family ipv4 unicast
redistribute direct route-map SERVER-NET-SET-COMM
additional-paths send
additional-paths receive
neighbor 10.2.1.1
remote-as 109
address-family ipv4 unicast
inherit peer-policy PREFER->PE1 1
neighbor 10.2.3.1
remote-as 109
address-family ipv4 unicast
send-community
neighbor 10.2.34.4
remote-as 65501
address-family ipv4 unicast
inherit peer-policy ibgp-policy 1
no send-community
This section provides an ACE Silver tenant configuration.
dc02-ace-3/customer_silver1# sh run
Generating configuration....
logging enable
logging standby
logging timestamp
logging trap 6
logging facility 17
logging device-id context-name
logging host 192.168.11.100 udp/514
no logging message 106023
arp interval 1440
access-list app-acl line 8 extended permit ip any any
access-list capture-list line 8 extended permit ip any any
access-list db-acl line 8 extended permit ip any any
access-list web-acl line 8 extended deny udp 11.0.0.0 255.0.0.0 eq tftp any
access-list web-acl line 16 extended deny udp 11.0.0.0 255.0.0.0 eq 30000 any
access-list web-acl line 24 extended permit ip any any
probe ftp ftp-probe
interval 2
faildetect 5
passdetect interval 2
passdetect count 5
receive 1
expect status 200 400
connection term forced
probe http http-probe
interval 2
faildetect 5
passdetect interval 2
passdetect count 5
receive 1
expect status 200 400
connection term forced
rserver host app-server1
ip address 11.2.2.11
inservice
rserver host app-server2
ip address 11.2.2.12
inservice
rserver host app-server3
ip address 11.2.2.13
inservice
rserver host db-server1
ip address 11.2.3.11
inservice
rserver host db-server2
ip address 11.2.3.12
inservice
rserver host db-server3
ip address 11.2.3.13
inservice
rserver host udp-host
ip address 11.2.1.100
inservice
rserver host web-server1
ip address 11.2.1.11
inservice
rserver host web-server2
ip address 11.2.1.12
inservice
rserver host web-server3
ip address 11.2.1.13
inservice
rserver host web-spirent
ip address 11.2.1.151
inservice
serverfarm host app-serverfarm
rserver app-server1
inservice
rserver app-server2
inservice
rserver app-server3
inservice
serverfarm host db-serverfarm
rserver db-server1
inservice
rserver db-server2
inservice
rserver db-server3
inservice
serverfarm host udp-serverfarm
rserver udp-host
inservice
serverfarm host web-serverfarm
rserver web-server1
rserver web-server2
rserver web-server3
rserver web-spirent
inservice
parameter-map type connection tcp_pm
set tcp wan-optimization rtt 0
parameter-map type connection udp_pm
set timeout inactivity 300
sticky http-cookie customer_gold1-http-cookie customer_gold1-http
cookie insert browser-expire
serverfarm web-serverfarm
timeout 10
replicate sticky
sticky http-cookie customer_gold1-web-app-cookie customer_gold1-web->app
cookie insert browser-expire
serverfarm app-serverfarm
timeout 10
replicate sticky
sticky ip-netmask 255.255.255.255 address both customer_gold1-app->db
serverfarm db-serverfarm
timeout 10
replicate sticky
class-map type http loadbalance match-any cm-app-subnet
2 match source-address 11.2.2.0 255.255.255.0
class-map type http loadbalance match-any cm-http
2 match http url /.*.txt
3 match http url /.*.html
class-map type http loadbalance match-any cm-web-subnet
2 match source-address 11.2.1.0 255.255.255.0
class-map match-all app->db-vip
2 match virtual-address 11.2.3.111 tcp eq www
class-map type http loadbalance match-all cm-app->db
2 match class-map cm-http
3 match class-map cm-app-subnet
class-map type http loadbalance match-all cm-web->app
2 match class-map cm-http
3 match class-map cm-web-subnet
class-map type management match-any management-traffic
2 match protocol ssh any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
7 match protocol snmp source-address 192.168.0.0 255.255.0.0
class-map match-all udp-vip
2 match virtual-address 11.2.1.111 udp eq 69
class-map match-all web->app-vip
2 match virtual-address 11.2.2.111 tcp eq www
class-map match-all web-vip
2 match virtual-address 11.2.1.111 tcp eq www
policy-map type management first-match management-traffic
class management-traffic
permit
policy-map type loadbalance first-match app->db-lb-policy
class cm-app->db
sticky-serverfarm customer_gold1-app->db
policy-map type loadbalance first-match udp-lb-policy
class class-default
serverfarm udp-serverfarm
policy-map type loadbalance first-match web->app-lb-policy
class cm-web->app
sticky-serverfarm customer_gold1-web->app
policy-map type loadbalance first-match web-lb-policy
class cm-http
sticky-serverfarm customer_gold1-http
policy-map multi-match app->db-lb
class app->db-vip
loadbalance vip inservice
loadbalance policy app->db-lb-policy
loadbalance vip icmp-reply active
nat dynamic 3 vlan 701
class udp-vip
policy-map multi-match lb-policy
class web-vip
loadbalance vip inservice
loadbalance policy web-lb-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 501
connection advanced-options tcp_pm
class udp-vip
loadbalance vip inservice
loadbalance policy udp-lb-policy
loadbalance vip icmp-reply
nat dynamic 11 vlan 501
connection advanced-options udp_pm
policy-map multi-match web->app-lb
class web->app-vip
loadbalance vip inservice
loadbalance policy web->app-lb-policy
loadbalance vip icmp-reply active
nat dynamic 2 vlan 601
service-policy input management-traffic
interface vlan 60
description mgmt
ip address 192.168.60.61 255.255.255.0
peer ip address 192.168.60.62 255.255.255.0
no shutdown
interface vlan 501
description web tier
ip address 11.2.1.22 255.255.255.0
alias 11.2.1.21 255.255.255.0
peer ip address 11.2.1.23 255.255.255.0
access-group input web-acl
nat-pool 1 11.2.1.24 11.2.1.30 netmask 255.255.255.0 pat
nat-pool 11 11.2.1.41 11.2.1.41 netmask 255.255.255.0
service-policy input lb-policy
no shutdown
interface vlan 601
description app tier
ip address 11.2.2.22 255.255.255.0
alias 11.2.2.21 255.255.255.0
peer ip address 11.2.2.23 255.255.255.0
access-group input app-acl
nat-pool 2 11.2.2.24 11.2.2.30 netmask 255.255.255.0 pat
service-policy input web->app-lb
no shutdown
interface vlan 701
description db tier
ip address 11.2.3.22 255.255.255.0
alias 11.2.3.21 255.255.255.0
peer ip address 11.2.3.23 255.255.255.0
access-group input db-acl
nat-pool 3 11.2.3.24 11.2.3.30 netmask 255.255.255.0 pat
service-policy input app->db-lb
no shutdown
ip route 0.0.0.0 0.0.0.0 11.2.1.1
ip route 192.168.0.0 255.255.0.0 192.168.60.1
dc02-ace-3/customer_silver1
This section provides an ASR 1000 PE CE Silver tenant configuration.
vrf definition customer_silver1
rd 22:1
route-target export 22:1
route-target import 32:1
!
address-family ipv4
exit-address-family
!
!
interface TenGigabitEthernet0/2/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/2/0.501
encapsulation dot1Q 501
vrf forwarding customer_silver1
ip address 10.2.1.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy input silver-in
service-policy output silver-out-parent
!
interface TenGigabitEthernet0/3/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/3/0.501
encapsulation dot1Q 501
vrf forwarding customer_silver1
ip address 10.2.4.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy input silver-in
service-policy output silver-out-parent
!
router bgp 109
!
address-family ipv4 vrf customer_silver1
import path selection all
import path limit 10
bgp advertise-best-external
neighbor 10.2.1.2 remote-as 65501
neighbor 10.2.1.2 activate
neighbor 10.2.1.2 inherit peer-policy DC2_PEER_POLICY
neighbor 10.2.4.2 remote-as 65501
neighbor 10.2.4.2 activate
neighbor 10.2.4.2 inherit peer-policy DC2_PEER_POLICY
exit-address-family
!
ip route vrf customer_silver1 169.0.0.0 255.0.0.0 Null0 track 1
end
This section provides a Nexus 1000V Silver configuration.
#---- one time config
policy-map type qos silver
class class-default
set qos-group 89
police cir 62500 kbps bc 200 ms conform set-cos-transmit 2 violate set dscp dscp table pir-markdown-map
set dscp 16
port-profile type vethernet silver-profile
switchport mode access
service-policy input silver
pinning id 3
no shutdown
state enabled
#--- once for each tenant
vlan 501,601,701
vservice node silver001-vsg01 type vsg
ip address 192.168.54.101
adjacency l3
fail-mode open
vservice path silver001-tier1
node silver001-vsg01 profile silver-tier1 order 10
vservice path silver001-tier2
node silver001-vsg01 profile silver-tier2 order 10
vservice path silver001-tier3
node silver001-vsg01 profile silver-tier3 order 10
port-profile type ethernet system-data-uplink
switchport trunk allowed vlan add 501,601,701
port-profile type vethernet silver001-v0501
vmware port-group
inherit port-profile silver-profile
switchport access vlan 501
state enabled
org root/silver001
vservice path silver001-tier1
port-profile type vethernet silver001-v0601
vmware port-group
inherit port-profile silver-profile
switchport access vlan 601
state enabled
org root/silver001
vservice path silver001-tier2
port-profile type vethernet silver001-v0701
vmware port-group
inherit port-profile silver-profile
switchport access vlan 701
state enabled
org root/silver001
vservice path silver001-tier3
This section presents the configuration templates for the Bronze service class.
•Aggregation Nexus 7000 Bronze Configuration
•ASR 1000 PE Bronze Configuration
•Nexus 1000V Bronze Configuration
This section provides an aggregation Nexus 7000 Bronze configuration.
interface Vlan801
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_bronze1
no ip redirects
ip address 11.3.1.2/24
no ipv6 redirects
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp 801
preempt
priority 150
ip 11.3.1.1
interface port-channel343.801
encapsulation dot1q 801
service-policy type qos input ingress-qos-policy no-stats
vrf member customer_bronze1
ip address 10.3.34.3/24
no shutdown
interface Ethernet3/9.801
encapsulation dot1q 801
service-policy type qos input ingress-qos-policy no-stats
vrf member customer_bronze1
ip address 10.3.1.2/24
no ip arp gratuitous hsrp duplicate
no shutdown
interface Ethernet4/9.801
encapsulation dot1q 801
service-policy type qos input ingress-qos-policy no-stats
vrf member customer_bronze1
ip address 10.3.3.2/24
no ip arp gratuitous hsrp duplicate
no shutdown
vrf context customer_bronze1
router bgp 65501
vrf customer_bronze1
log-neighbor-changes
address-family ipv4 unicast
redistribute direct route-map SERVER-NET-SET-COMM
nexthop trigger-delay critical 100 non-critical 300
neighbor 10.3.1.1
remote-as 109
address-family ipv4 unicast
inherit peer-policy PREFER->PE1 1
neighbor 10.3.3.1
remote-as 109
address-family ipv4 unicast
send-community
neighbor 10.3.34.4
remote-as 65501
address-family ipv4 unicast
This section provides an ASR 1000 PE Bronze configuration.
vrf definition customer_bronze1
rd 23:1
route-target export 23:1
route-target import 33:1
!
address-family ipv4
exit-address-family
!
!
interface TenGigabitEthernet0/2/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/2/0.801
encapsulation dot1Q 801
vrf forwarding customer_bronze1
ip address 10.3.1.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy output bronze-out-parent
!
interface TenGigabitEthernet0/3/0
no ip address
load-interval 30
carrier-delay up 60
cdp enable
!
interface TenGigabitEthernet0/3/0.801
encapsulation dot1Q 801
vrf forwarding customer_bronze1
ip address 10.3.4.1 255.255.255.0
ip flow monitor input_monitor input
ip flow monitor output_monitor output
plim qos input map cos 5 queue strict-priority
service-policy output bronze-out-parent
!
router bgp 109
!
address-family ipv4 vrf customer_bronze1
neighbor 10.3.1.2 remote-as 65501
neighbor 10.3.1.2 activate
neighbor 10.3.1.2 inherit peer-policy DC2_PEER_POLICY
neighbor 10.3.4.2 remote-as 65501
neighbor 10.3.4.2 activate
neighbor 10.3.4.2 inherit peer-policy DC2_PEER_POLICY
exit-address-family
!
ip route vrf customer_bronze1 169.0.0.0 255.0.0.0 Null0 track 1
This section provides a Nexus 1000V Bronze configuration.
#---- one time config
policy-map type qos bronze
class class-default
set cos 0
police cir 500 mbps bc 200 ms conform transmit violate drop
set dscp 0
port-profile type vethernet bronze-profile
switchport mode access
service-policy input bronze
pinning id 3
no shutdown
state enabled
#--- once for each tenant
vlan 801
vservice node bronze001-vsg01 type vsg
ip address 192.168.54.201
adjacency l3
fail-mode open
vservice path bronze001-vmdc
node bronze001-vsg01 profile bronze order 10
port-profile type ethernet system-data-uplink
switchport trunk allowed vlan add 801
port-profile type vethernet bronze001-v0801
vmware port-group
inherit port-profile bronze-profile
switchport access vlan 801
state enabled
org root/vbronze001
vservice path bronze001-vmdc
This section presents the configuration templates for the Copper service class.
•Aggregation Nexus 7000 Copper Configuration
•ASR 1000 PE Copper Configuration
•Nexus 1000V Copper Configuration
This section provides an aggregation Nexus 7000 Copper configuration.
ip route 100.201.1.0/24 100.200.1.61 tag 1111
interface Vlan2000
no shutdown
no ip redirects
ip address 100.200.1.2/24
no ipv6 redirects
hsrp version 2
hsrp 2000
preempt
priority 110
ip 100.200.1.1
interface Vlan2001
description test for snmptrap
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_smb1
no ip redirects
ip address 11.4.1.2/24
no ipv6 redirects
hsrp version 2
hsrp 2001
preempt
priority 110
ip 11.4.1.1
interface Vlan3001
no shutdown
ip flow monitor fm_vmdc23 input sampler sp_vmdc23
vrf member customer_smb1
no ip redirects
ip address 10.9.1.2/24
no ipv6 redirects
hsrp version 2
hsrp 3001
preempt
priority 110
ip 10.9.1.1
interface port-channel343
service-policy type qos input ingress-qos-policy
service-policy type queuing output vmdc23-8e-4q4q-out
ip address 100.200.0.17/30
interface Ethernet3/9.2000
description PC-to-PE1
encapsulation dot1q 2000
service-policy type qos input ingress-qos-policy
ip address 100.200.0.2/30
no shutdown
interface Ethernet4/9.2000
encapsulation dot1q 2000
service-policy type qos input ingress-qos-policy no-stats
ip address 100.200.0.10/30
no shutdown
router bgp 65501
address-family ipv4 unicast
redistribute direct route-map DC2-INTERNET-SUBNET
redistribute static route-map SERVICED-PREFIXES-SET-COMM
nexthop trigger-delay critical 100 non-critical 300
neighbor 100.200.0.1
remote-as 109
address-family ipv4 unicast
send-community
weight 60000
next-hop-self
neighbor 100.200.0.9
remote-as 109
address-family ipv4 unicast
send-community
next-hop-self
neighbor 100.200.0.18 remote-as 65501
address-family ipv4 unicast
route-map filter-100.200.1.61 out
next-hop-self
This section provides an ASA Copper configuration.
interface Port-channel1.2000
nameif outside
security-level 0
ip address 100.200.1.61 255.255.255.0 standby 100.200.1.62
!
interface Port-channel1.3001
nameif smb1
security-level 100
ip address 10.9.1.61 255.255.255.0 standby 10.9.1.62
!
object network smb1-mapped
range 100.201.1.1 100.201.1.10
object network smb1-real
subnet 11.4.1.0 255.255.255.0
object network smb-1-server1
host 11.4.1.11
object network smb-1-server2
host 11.4.1.12
object network smb-1-server3
host 11.4.1.13
object network smb-1-server21
host 11.4.1.21
object network smb-1-server22
host 11.4.1.22
object network smb-1-server23
host 11.4.1.23
object network smb-1-server24
host 11.4.1.24
object network smb-1-server25
host 11.4.1.25
object network smb-1-server26
host 11.4.1.26
object network smb-1-server27
host 11.4.1.27
object network smb-1-server28
host 11.4.1.28
object network smb-1-server29
host 11.4.1.29
object network smb-1-server30
host 11.4.1.30
mtu smb1 1500
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network smb1-real
nat (smb1,outside) dynamic smb1-mapped
object network smb-1-server1
nat (smb1,outside) static 100.201.1.11
object network smb-1-server2
nat (smb1,outside) static 100.201.1.12
object network smb-1-server3
nat (smb1,outside) static 100.201.1.13
object network smb-1-server21
nat (smb1,outside) static 100.201.1.21
object network smb-1-server22
nat (smb1,outside) static 100.201.1.22
object network smb-1-server23
nat (smb1,outside) static 100.201.1.23
object network smb-1-server24
nat (smb1,outside) static 100.201.1.24
object network smb-1-server25
nat (smb1,outside) static 100.201.1.25
object network smb-1-server26
nat (smb1,outside) static 100.201.1.26
object network smb-1-server27
nat (smb1,outside) static 100.201.1.27
object network smb-1-server28
nat (smb1,outside) static 100.201.1.28
object network smb-1-server29
nat (smb1,outside) static 100.201.1.29
object network smb-1-server30
nat (smb1,outside) static 100.201.1.30
route outside 0.0.0.0 0.0.0.0 100.200.1.1 1
route smb1 11.4.1.0 255.255.255.0 10.9.1.1 1
Note The configuration above is for tenants whose servers use private IP addresses. For tenants whose servers use public IP addresses, remove all of the NAT configuration.
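The following Python script is an added example and is not part of this Cisco configuration appendix. It parses the ASA object NAT stanzas shown above and checks three things a reviewer would want confirmed before the tenant goes live: every static mapped address lies inside the prefix that the aggregation Nexus 7000 routes to the ASA (100.201.1.0/24 on this page), no static mapped address collides with the dynamic PAT pool, and every real host behind a static NAT belongs to the tenant's real subnet. The embedded sample configuration is constructed from the values on this page with two deliberately wrong objects (smb-1-server2 mapped into the pool, smb-1-bad outside both prefixes) so that the checks produce findings; the function and object names are the example's own.

```python
"""Audit ASA object NAT for a Copper tenant (added example, not Cisco code)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Prefix the aggregation switch routes to the ASA outside address
# (ip route 100.201.1.0/24 100.200.1.61 on the Nexus 7000 in this appendix).
ROUTED_MAPPED_PREFIX = ipaddress.ip_network("100.201.1.0/24")

# Constructed sample: page values plus two intentionally broken objects.
SAMPLE_ASA = """\
object network smb1-mapped
 range 100.201.1.1 100.201.1.10
object network smb1-real
 subnet 11.4.1.0 255.255.255.0
object network smb-1-server1
 host 11.4.1.11
object network smb-1-server2
 host 11.4.1.12
object network smb-1-bad
 host 11.4.2.5
object network smb1-real
 nat (smb1,outside) dynamic smb1-mapped
object network smb-1-server1
 nat (smb1,outside) static 100.201.1.11
object network smb-1-server2
 nat (smb1,outside) static 100.201.1.3
object network smb-1-bad
 nat (smb1,outside) static 100.201.2.5
"""


def parse_objects(config: str) -> Dict[str, dict]:
    """Collect host/subnet/range and nat attributes per 'object network' name.

    ASA prints the definition and the NAT statement of an object as two
    separate stanzas (as on the page), so attributes accumulate by name.
    """
    objects: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        if (m := re.match(r"host (\S+)$", line)):
            current["host"] = ipaddress.ip_address(m.group(1))
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)):
            current["subnet"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"range (\S+) (\S+)$", line)):
            current["range"] = (ipaddress.ip_address(m.group(1)),
                                ipaddress.ip_address(m.group(2)))
        elif (m := re.match(r"nat \(([^,]+),([^)]+)\) (static|dynamic) (\S+)$", line)):
            current["nat"] = {"real_if": m.group(1), "mapped_if": m.group(2),
                              "type": m.group(3), "target": m.group(4)}
    return objects


def audit_nat(config: str) -> List[Tuple[str, str]]:
    """Return (object name, problem) pairs; an empty list means the NAT is consistent."""
    objects = parse_objects(config)
    findings: List[Tuple[str, str]] = []
    pools = []          # (low, high) of every dynamic NAT pool referenced
    real_subnets = []   # subnets of objects that carry a dynamic NAT
    for obj in objects.values():
        nat = obj.get("nat")
        if nat and nat["type"] == "dynamic":
            pool = objects.get(nat["target"], {})
            if "range" in pool:
                pools.append(pool["range"])
            if "subnet" in obj:
                real_subnets.append(obj["subnet"])
    for name, obj in objects.items():
        nat = obj.get("nat")
        if not nat or nat["type"] != "static":
            continue
        mapped = ipaddress.ip_address(nat["target"])
        if mapped not in ROUTED_MAPPED_PREFIX:
            findings.append((name, f"mapped {mapped} is outside routed prefix {ROUTED_MAPPED_PREFIX}"))
        for lo, hi in pools:
            if lo <= mapped <= hi:
                findings.append((name, f"mapped {mapped} collides with dynamic pool {lo}-{hi}"))
        real = obj.get("host")
        if real is not None and not any(real in s for s in real_subnets):
            findings.append((name, f"real host {real} is not in the tenant real subnet"))
    return findings


if __name__ == "__main__":
    for obj_name, problem in audit_nat(SAMPLE_ASA):
        print(f"{obj_name}: {problem}")
```

On the configuration as printed on this page the static mappings (100.201.1.11 through .30) are disjoint from the dynamic pool (100.201.1.1 through .10) and all fall inside 100.201.1.0/24, so the audit returns no findings; the constructed sample shows what a mapped address outside the routed prefix or inside the pool looks like.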
This section provides an ASR 1000 PE Copper configuration.
interface TenGigabitEthernet0/2/0.2000
encapsulation dot1Q 2000
ip address 100.200.0.1 255.255.255.252
cdp enable
service-policy input internet-in
service-policy output internet-out-parent
interface TenGigabitEthernet0/3/0.2000
encapsulation dot1Q 2000
ip address 100.200.0.13 255.255.255.252
cdp enable
service-policy input internet-in
service-policy output internet-out-parent
router bgp 109
template peer-policy DC2_PEER_POLICY
route-map DC2_PATH_PREFERENCE in
route-map default out
default-originate route-map default-condition
send-community both
exit-peer-policy
!
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 100.200.0.2 remote-as 65501
neighbor 100.200.0.14 remote-as 65501
!
address-family ipv4
bgp additional-paths install
redistribute connected
redistribute static
neighbor 100.200.0.2 activate
neighbor 100.200.0.2 route-map DC2_INT_PREFER in
neighbor 100.200.0.14 activate
neighbor 100.200.0.14 route-map DC2_INT_PREFER in
maximum-paths 2
maximum-paths ibgp 2
exit-address-family
This section provides a Nexus 1000V Copper configuration.
#---- one time config
policy-map type qos bronze
class class-default
set cos 0
police cir 500 mbps bc 200 ms conform transmit violate drop
set dscp 0
port-profile type vethernet smb-profile
switchport mode access
service-policy input bronze
pinning id 3
no shutdown
state enabled
#--- once for each tenant
vlan 2001
vservice node smb001-vsg01 type vsg
ip address 192.168.54.151
adjacency l3
fail-mode open
vservice path smb001-vmdc
node smb001-vsg01 profile smb order 10
port-profile type ethernet system-data-uplink
switchport trunk allowed vlan add 2001
port-profile type vethernet smb001-v2001
vmware port-group
inherit port-profile smb-profile
switchport access vlan 2001
state enabled
org root/smb001
vservice path smb001-vmdc
The Nexus 5000 ICS switch has no per-tenant configuration other than the VLANs allowed on its trunks. The data VLANs used by tenants can be added on the Nexus 5000 ICS switch, but the VLAN ranges should be planned and configured in advance; further modifications can be made as tenants are added and deleted.
LAN Configuration
The following configuration shows the port-channel configuration between the Nexus 5548 ICS switch and Nexus 7004 Aggregation switches:
#Portchannel between dc02-n5k-ics1 and dc02-n7k-agg1
interface port-channel534
description vPC to N7K-Aggs
switchport mode trunk
spanning-tree port type network
speed 10000
vpc 4000
The following configuration shows the port-channel configuration between the Nexus 5548 ICS switch and the UCS Fabric Interconnect 6248. There are two port-channels, 88 and 89, that carry all LAN data traffic in the data network.
interface port-channel88
description vPC to dc02-ucs01-a
switchport mode trunk
switchport trunk allowed vlan 201-210,301-310,401-410,501-520,601-620,701-720,801-820,1601-1610,1801-1860,1990,2001-2010
spanning-tree port type edge trunk
vpc 88
interface port-channel89
description vPC to dc02-ucs01-b
switchport mode trunk
switchport trunk allowed vlan 201-210,301-310,401-410,501-520,601-620,701-720,801-820,1601-1610,1801-1860,1990,2001-2010
spanning-tree port type edge trunk
vpc 89
Only the VLANs that carry the LAN data traffic for all the tenants (Gold, Silver, Bronze, and Copper) are allowed on the port-channels going to the UCS. A list of all data VLANs is obtained from the above configuration.
The following configuration shows the port-channel between the Nexus 5548 ICS switch and NetApp Filers 6040. This port-channel carries only the NFS traffic, and hence only the NFS VLAN (1990) is allowed on the port-channel. There are two port-channels with one going to each of the filers (Filer-A and Filer-B).
interface port-channel26
description vPC to netapp -A
switchport mode trunk
switchport trunk allowed vlan 1990
service-policy type queuing input vmdc-nas-in-policy
service-policy type queuing output vmdc-nas-out-policy
vpc 26
interface port-channel28
description vPC to netapp -B
switchport mode trunk
switchport trunk allowed vlan 1990
service-policy type queuing input vmdc-nas-in-policy
service-policy type queuing output vmdc-nas-out-policy
vpc 28
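The following Python script is an added example and is not part of this Cisco configuration appendix. It serves both the UCS port-channel passage (only tenant data VLANs allowed towards the fabric interconnects) and the NetApp port-channel passage (only the NFS VLAN 1990 allowed towards the filers): it parses the NX-OS "switchport trunk allowed vlan" lists, expands the ranges, and reports any VLAN a port-channel carries beyond what its role requires, or any VLAN it is missing. The embedded sample configuration is constructed from the values on this page, with port-channel28 deliberately made over-permissive so that the audit produces a finding; the function names and the expected-VLAN table are the example's own.

```python
"""Audit VLAN pruning on Nexus 5548 vPC port-channels (added example, not Cisco code)."""
import re
from typing import Dict, Iterable, Set

# Constructed sample based on the page; port-channel28 intentionally also
# allows the Copper tenant range 2001-2010, which a filer trunk should not carry.
SAMPLE_CONFIG = """\
interface port-channel88
  description vPC to dc02-ucs01-a
  switchport mode trunk
  switchport trunk allowed vlan 201-210,301-310,401-410,501-520,601-620,701-720,801-820,1601-1610,1801-1860,1990,2001-2010
  vpc 88
interface port-channel89
  description vPC to dc02-ucs01-b
  switchport mode trunk
  switchport trunk allowed vlan 201-210,301-310,401-410,501-520,601-620,701-720,801-820,1601-1610,1801-1860,1990,2001-2010
  vpc 89
interface port-channel26
  description vPC to netapp -A
  switchport mode trunk
  switchport trunk allowed vlan 1990
  vpc 26
interface port-channel28
  description vPC to netapp -B
  switchport mode trunk
  switchport trunk allowed vlan 1990,2001-2010
  vpc 28
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an NX-OS VLAN list such as '201-210,1990' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi or lo < 1 or hi > 4094:
                raise ValueError(f"bad VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vid = int(part)
            if not 1 <= vid <= 4094:
                raise ValueError(f"bad VLAN id: {part}")
            vlans.add(vid)
    return vlans


def parse_trunk_vlans(config: str) -> Dict[str, Set[int]]:
    """Map each interface name to the VLAN set its trunk allows.

    Handles both the plain form and the 'allowed vlan add ...' form used on
    the Nexus 1000V uplink profiles elsewhere in this appendix.
    """
    result: Dict[str, Set[int]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = re.match(r"switchport trunk allowed vlan\s+(?:add\s+)?([\d,\s-]+)$", line)
        if m and current is not None:
            result[current] |= expand_vlan_list(m.group(1))
    return result


def audit_trunks(config: str, expected: Dict[str, Set[int]]) -> Dict[str, Dict[str, Set[int]]]:
    """Return {interface: {'extra': ..., 'missing': ...}} for every trunk that deviates."""
    trunks = parse_trunk_vlans(config)
    findings: Dict[str, Dict[str, Set[int]]] = {}
    for intf, allowed in expected.items():
        actual = trunks.get(intf, set())
        extra, missing = actual - allowed, allowed - actual
        if extra or missing:
            findings[intf] = {"extra": extra, "missing": missing}
    return findings


def missing_tenant_vlans(config: str, interface: str, tenant_vlans: Iterable[int]) -> Set[int]:
    """VLANs a tenant needs that the given trunk does not carry."""
    return set(tenant_vlans) - parse_trunk_vlans(config).get(interface, set())


# Role table taken from the page: UCS trunks carry the tenant data VLANs
# (plus NFS VLAN 1990), filer trunks carry only the NFS VLAN.
UCS_DATA_VLANS = expand_vlan_list(
    "201-210,301-310,401-410,501-520,601-620,701-720,801-820,1601-1610,1801-1860,1990,2001-2010")
NFS_VLANS = {1990}
EXPECTED = {"port-channel88": UCS_DATA_VLANS, "port-channel89": UCS_DATA_VLANS,
            "port-channel26": NFS_VLANS, "port-channel28": NFS_VLANS}

if __name__ == "__main__":
    for intf, delta in audit_trunks(SAMPLE_CONFIG, EXPECTED).items():
        print(intf, "extra:", sorted(delta["extra"]), "missing:", sorted(delta["missing"]))
    print("silver001 VLANs missing on port-channel88:",
          missing_tenant_vlans(SAMPLE_CONFIG, "port-channel88", {501, 601, 701}))
```

Run against the port-channel stanzas as printed on this page, the audit returns nothing, which is the state the text describes; the tenant check is the one to rerun whenever a new tenant's VLANs (for example 501, 601 and 701 for silver001) are added on the Nexus 1000V uplinks, so that the ICS trunks are extended at the same time.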
SAN Configuration
The following configuration shows the port-channel between the Nexus 5548 ICS switch and the NetApp Filers and/or UCS Fabric Interconnect for FCP connectivity:
interface san-port-channel 2
channel mode active
switchport mode F
switchport description Port-channel UCS FI/Filers & 5k ICS switch
interface fc2/10
switchport mode F
switchport description to_UCS_fi
channel-group 2 force
no shutdown
interface fc2/12
switchport mode F
switchport description to netapp filer
no shutdown