Configuration Area | Sample Configuration | Device Type | Device Role | Note
(Each configuration area below is followed by its sample configurations, each tagged [Device Type / Device Role]; notes, where present, appear as "!" comment lines inside the sample.)

Prerequisite: You should enable the following configuration for the device configuration to work.
    feature telnet
    feature nxapi
    feature ospf
    feature bgp
    feature pim
    feature udld
    feature interface-vlan
    feature vn-segment-vlan-based
    feature hsrp
    feature lacp
    feature vpc
    feature lldp
    feature nv overlay
    feature pbr
    feature sla sender
    feature sla responder
    feature vrrpv3
    feature bfd

UNDERLAY IGP ROUTING OSPF routing process
  [N9K / Leaf]
    router ospf 10
  [ASR9K / DCI]
    router ospf 10

OSPF Area
  [N9K / Leaf]
    interface ethernet 1/5
    ip router ospf 10 area 0.0.0.0
  [ASR9K / DCI]
    router ospf 10
    area 0

OSPF router-id
  [N9K / Leaf]
    router ospf 10
    router-id 10.218.20.15
  [ASR9K / DCI]
    router ospf 10
    router-id 10.218.20.15

OSPF auto-cost reference
  [ASR9K / DCI]
    router ospf 10
    !
    auto-cost reference-bandwidth 800000

OSPF Network type
  [N9K / Leaf]
    interface ethernet1/5
    ip ospf network point-to-point
  [N9K / Leaf]
    interface vlan10
    ip ospf network point-to-point
  [ASR9K / DCI]
    router ospf 10
    area 0
    interface GigabitEthernet0/0/1/3
    network point-to-point

OSPF Authentication
  [N9K / Leaf]
    interface Ethernet1/5
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 0 xxx
  [ASR9K / DCI]
    router ospf 10
    area 0
    interface <Fabric Interface>
    authentication message-digest
    message-digest-key 1 md5 encrypted 202cb962ac59075b964b07152d234b70

OSPF Passive-interface
  [N9K / Leaf]
    interface loopback3
    ip router ospf 100 area 0.0.0.0
  [ASR9K / DCI]
    router ospf 10
    area 0
    interface Loopback10
    passive enable

OSPF Convergence
  [N9K / Leaf]
    router ospf 10
    timers lsa-arrival 15
    timers throttle lsa 0 20 5000
    timers throttle spf 50 100 5000
  [ASR9K / DCI]
    router ospf 10
    timers throttle lsa all 0 20 5000
    timers throttle spf 50 100 5000
    timers lsa min-arrival 15

OSPF BFD (per-link)
  [N9K / Leaf]
    feature bfd
    router ospf 10
    bfd
  [N9K / Leaf]
    interface Ethernet1/5
    no ip redirects
  [ASR9K / DCI]
    router ospf 10
    bfd minimum-interval 150
    bfd multiplier 3
    area 0
    interface TenGigE0/0/2/1
    bfd fast-detect
  [N9K / Leaf]
    interface vlan 10
    no bfd echo

Multicast Routing
  [N9K / Leaf]
    feature pim
  [N9K / Spine]
    interface loopback1
    ip address 10.10.10.10/24
    ip router ospf 10 area 0.0.0.0
    ip pim sparse-mode
  [N9K / Spine]
    ip pim rp-address 10.218.20.250 group-list 239.255.0.0/16 override
  [N9K / Spine]
    ip pim anycast-rp 10.218.20.250 10.218.20.249
    ip pim anycast-rp 10.218.20.250 10.218.20.248
  [N9K / Leaf]
    feature pim
    ip pim rp-address 10.218.20.250 group-list 239.255.0.0/16 override
  [N9K / Leaf]
    interface Vlan10
    ip pim sparse-mode
  [N9K / Leaf]
    interface loopback0
    ip pim sparse-mode
  [N9K / Leaf]
    interface Ethernet2/1
    ip pim sparse-mode
  [N9K / Leaf]
    interface Ethernet2/2
    ip pim sparse-mode

L2 Technologies
  [N9K / Leaf]
    interface Ethernet 1/10
    switchport mode trunk
    switchport trunk allowed vlan none
    spanning-tree port type edge trunk
    spanning-tree bpduguard enable
    spanning-tree bpdufilter enable
    storm-control broadcast level 20.0
    storm-control multicast level 30.0
    storm-control unicast level 50.0
  [N9K / Spine]
    interface Ethernet 1/10
    storm-control action shutdown

vPC Role and Priority
  [N9K / Leaf]
    vpc domain 1
    role priority 100
  [N9K / Leaf]
    vpc domain 1
    role priority 200

vPC Peer Keep-alive Link
  [N9K / Leaf]
    vrf context management
  [N9K / Leaf]
    interface mgmt 0
    vrf member management
    ip address 10.10.10.10/24
    no shutdown
  [N9K / Leaf]
    vpc domain 1
    peer-keepalive destination 172.20.118.20

vPC Peer-Link
  [N9K / Leaf]
    interface Ethernet 1/1
    spanning-tree port type network
    channel-group 1 mode active
    no shutdown
  [N9K / Leaf]
    interface Ethernet 1/2
    spanning-tree port type network
    channel-group 1 mode active
    no shutdown
  [N9K / Leaf]
    interface port-channel1
    switchport
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link

vPC Port
  [N9K / Leaf]
    interface Ethernet 2/9
    channel-group 51 mode active
  [N9K / Leaf]
    interface port-channel 51
    switchport
  [N9K / Spine]
    interface port-channel 51
    switchport
    vpc 51

vPC Peer-Switch Option
  [N9K / Leaf]
    vpc domain 1
    peer-switch

vPC ARP Synchronization
  [N9K / Leaf]
    vpc domain 1
    ip arp synchronize

vPC in VXLAN environment adjustment
  [N9K / Leaf]
    vpc domain 10
    peer-switch
    system-priority 100
    ! could not find this option
    peer-keepalive destination 172.20.118.120
    delay restore 200
    peer-gateway
    ip arp synchronize
  [N9K / Spine]
    interface port-channel1
    description vPC peer-link
  [N9K / Leaf]
    interface port-channel1
    description vPC
    switchport mode trunk
  [N9K]
    interface port-channel 1
    description vPC
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link
  [N9K]
    interface port-channel 10
    switchport trunk allowed vlan
    spanning-tree port type edge trunk
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable
  [N9K / Spine]
    interface port-channel 10
    vpc 10
  [N9K / Spine]
    interface Ethernet 1/10
    switchport trunk allowed vlan none
  [N9K / Leaf]
    interface Ethernet 1/10
    spanning-tree port type edge trunk
    spanning-tree bpduguard enable
    spanning-tree bpdufilter enable
    channel-group 10 mode active
  [N9K / Leaf]
    interface loopback 0
    ip address 10.10.10.10/24
    ip address 10.10.10.10/24 secondary
    ip router ospf 100 area 0.0.0.0
    ip pim sparse-mode
  [N9K / Leaf]
    interface Vlan 10
    ip address 10.10.10.10/24
  [N9K / Spine]
    interface Vlan 10
    description Underlay vPC Backup link
    no shutdown
    no bfd echo
  [N9K / Leaf]
    interface Vlan 10
    ip ospf network point-to-point
    ip router ospf 100 area 0.0.0.0
    ip pim sparse-mode

STP
  [N9K / Leaf]
    interface Ethernet 1/10
    switchport mode trunk
    switchport trunk allowed vlan 10
    spanning-tree port type edge trunk
    spanning-tree bpduguard enable
    spanning-tree bpdufilter enable
  [N9K]
    interface Ethernet 1/10
    no shutdown
  [N9K / Leaf]
    interface port-channel 10
    switchport mode trunk
    switchport trunk allowed vlan 1
    spanning-tree port type edge
    spanning-tree bpduguard enable
    spanning-tree bpdufilter enable
    no shutdown
    vpc 10
  [N9K / Leaf]
    interface Ethernet 1/10
    switchport mode trunk
    switchport trunk allowed vlan 10
    spanning-tree port type edge trunk
    spanning-tree guard root
    no shutdown
  [N9K / Leaf]
    interface ethernet <xxxx>
    description <leaf/Spine Fabric>
    ip address
  [N9K / Leaf]
    interface Ethernet 1/10
    description leaf
    mtu 9216
  [N9K / Leaf]
    interface Vlan 1
    description <attachment/border facing intf>
    ip address <addr>
    mtu 1500
  [N9K / Leaf]
    interface <To Spine>
    mtu 9214
  [N9K / Leaf]
    interface <To Border Leaf>
    mtu 1518
  [ASR9K / DCI]
    interface GigabitEthernet0/0/1/5
    mtu 9214

Nexus 9500 QOS
  [N9K / Leaf]
    system qos
    service-policy type queuing output default-out-policy
  [N9K / Leaf]
    policy-map type network-qos Jumbo-nq-policy
    class type network-qos c-nq3
    match qos-group 3
    mtu 9216
  [N9K / Leaf]
    class type network-qos c-nq3
    match qos-group 3
    mtu 9216
    class type network-qos c-nq2
    match qos-group 2
    mtu 9216
    class type network-qos c-nq1
    match qos-group 1
    mtu 9216
    class type network-qos c-nq-default
    match qos-group 0
    mtu 9216
  [N9K / Leaf]
    system qos
    service-policy type network-qos Jumbo-nq-policy

QoS Hardware resources configuration
  [N9K / Leaf]
    hardware access-list tcam region racl 0
    hardware access-list tcam region e-racl 0
    hardware access-list tcam region span 0
    hardware access-list tcam region vqos 256
    hardware access-list tcam region e-qos 256
    hardware access-list tcam region arp-ether 256

N 9500 QoS
  [N9K / Leaf]
    system qos
    service-policy type queuing output default-out-policy
  [N9K / Leaf]
    system qos
    service-policy type network-qos Jumbo-nq-policy

N 9500 QoS Queuing policy
  [N9K / Leaf]
    policy-map type queuing default-out-policy
    class type queuing c-out-q3
    priority level 1
    class type queuing c-out-q2
    bandwidth remaining percent 0
    class type queuing c-out-q1
    bandwidth remaining percent 0
    class type queuing c-out-q-default
    bandwidth remaining percent 100
  [N9K / Leaf]
    system qos
    service-policy type queuing output default-out-policy

Network Management Ethernet (Mgmt0)
  [N9K / Leaf]
    interface mgmt0
    ip address 10.10.10.10/24
  [N9K / Leaf]
    vrf context management
    ip route 0.0.0.0/0 10.218.23.254

Configuring Hostname on Nexus 9000
  [N9K / Leaf]
    hostname nw_lf_cnx9_001.41gebz_o01_s01

Time Zone and daylight saving
  [N9K / Leaf]
    clock timezone EET 2 0
    clock summer-time EEST 4 Sunday March 02:00 4 Sunday October 03:00 60

DNS
  [N9K / Leaf]
    ip domain-name <cust_name>
    no ip domain-lookup

SNMP
  [N9K / Leaf]
    snmp-server contact <contact_name>
    snmp-server location <location_name>
  [N9K / Leaf]
    snmp-server host 85.29.26.36 traps version 2c <SNMP_Community_1>
    snmp-server host 85.29.56.136 traps version 2c <SNMP_Community_1>
    snmp-server host 85.29.60.191 traps version 2c <SNMP_Community_1>
    snmp-server host 85.29.60.235 traps version 2c <SNMP_Community_1>
    snmp-server host 213.74.189.232 traps version 2c <SNMP_Community_1>
    snmp-server host 213.74.189.233 traps version 2c <SNMP_Community_1>
  [N9K / Leaf]
    snmp-server host 85.29.26.36 use-vrf management
    snmp-server host 85.29.56.136 use-vrf management
    snmp-server host 85.29.60.191 use-vrf management
    snmp-server host 85.29.60.235 use-vrf management
    snmp-server host 213.74.189.232 use-vrf management
    snmp-server host 213.74.189.233 use-vrf management
  [N9K / Leaf]
    snmp-server source-interface trap mgmt0
  [N9K / Leaf]
    snmp-server community <community> group network-admin
  [N9K / Leaf]
    15 permit ip host 213.74.197.43 any
    ...
    390 permit ip host 176.43.250.25 any

LLDP on Nexus 9000
  [N9K / Leaf]
    feature lldp

Network Security Disable IP Redirects
  [N9K / Leaf]
    interface Ethernet slot#/port#
    no ip redirects
    no ipv6 redirects

Device Access Security
  [N9K / Leaf]
    NX-OS(config)#no ssh server enable
    NX-OS(config)#ssh key {dsa [force] | rsa [bits [force]]}
    NX-OS(config)#ssh server enable
    NX-OS#show ssh key
    **************************************
    rsa Keys generated:Fri Apr 10 20:13:21 2010
    <clipped> !

AAA-N
  [N9K / Leaf]
    NX-OS(config)#feature tacacs+
    NX-OS(config)#tacacs-server host {ipv4-address | ipv6-address | host-name}
    NX-OS(config)#tacacs-server key [0 | 7] key-value
    NX-OS(config)#aaa group server tacacs+ group-name
    server {ipv4-address | ipv6-address | host-name}
    deadtime minutes
    use-vrf <demo_name>
    NX-OS(config)#tacacs-server timeout seconds
    NX-OS(config)#tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
    NX-OS(config)#tacacs-server deadtime minutes
  [N9K / Leaf]
    feature tacacs+
    aaa group server tacacs+ TacacsGroup
    use-vrf management
    server 10.35.175.1
    aaa authentication login console group TacacsGroup
    aaa authentication login default group TacacsGroup
    aaa authentication login error-enable
    !
    tacacs-server host 10.35.175.1 key <shared-key> port 49
    tacacs-server directed-request
    ip tacacs source-interface mgmt 0
    !
    ! Device Login Authorisation with AAA
    !
  [N9K / Leaf]
    aaa authorization config-commands default group TacacsGroup local
    aaa authorization commands default group TacacsGroup local
    !
    ! Device Login Accounting with AAA
    !
    aaa accounting default group TacacsGroup
    !
    ! Local User Configuration
    !
    username admin password <password> role network-admin

Device Hardening 3.9.9.4 COPP policy and class maps
  [N9K / Leaf]
    policy-map type control-plane copp-system-p-policy-strict
    class copp-system-p-class-l3uc-data
    set cos 1
    police cir 250 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-critical
    set cos 7
    police cir 19000 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-important
    set cos 6
    police cir 3000 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-multicast-router
    set cos 6
    police cir 3000 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-management
    set cos 2
    police cir 3000 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-multicast-host
    set cos 1
    police cir 2000 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-l3mc-data
    set cos 1
    police cir 3000 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-normal
    set cos 1
    police cir 1500 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-ndp
    set cos 6
    police cir 1500 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-normal-dhcp
    set cos 1
    police cir 300 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-normal-dhcp-relay-response
    set cos 1
    police cir 400 pps bc 64 packets conform transmit violate drop
    class copp-system-p-class-normal-igmp
    set cos 3
    police cir 6000 pps bc 64 packets conform transmit violate drop
    class copp-system-p-class-redirect
    set cos 1
    police cir 1500 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-exception
    set cos 1
    police cir 50 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-exception-diag
    set cos 1
    police cir 50 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-monitoring
    set cos 1
    police cir 300 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-l2-unpoliced
    set cos 7
    police cir 20000 pps bc 8192 packets conform transmit violate drop
    class copp-system-p-class-undesirable
    set cos 0
    police cir 15 pps bc 32 packets conform transmit violate drop
    class copp-system-p-class-fcoe
    set cos 6
    police cir 1500 pps bc 128 packets conform transmit violate drop
    class copp-system-p-class-nat-flow
    set cos 7
    police cir 100 pps bc 64 packets conform transmit violate drop
    class copp-system-p-class-l2-default
    set cos 0
    police cir 50 pps bc 32 packets conform transmit violate drop
    class class-default
    set cos 0
    police cir 50 pps bc 32 packets conform transmit violate drop
  [N9K / Leaf]
    N9k-ST-Leaf-01# sh copp status
    Last Config Operation: None
    Last Config Operation Timestamp: None
    Last Config Operation Status: None
    Policy-map attached to the control-plane: copp-system-p-policy-strict
  [N9K / Leaf]
    N9k-ST-Leaf-01# sh copp profile ?
    dense     Display dense profile
    lenient   Display lenient profile
    moderate  Display moderate profile
    strict    Display strict profile

BFD
  [N9K / Leaf]
    feature bfd
    bfd interval 50 min_rx 50 multiplier 3
  [N9K / Leaf]
    router ospf UNDERLAY
    bfd
  [N9K / Leaf]
    router bgp 65539
    vrf <demo_name>
    address-family ipv4 unicast
  [N9K / Leaf]
    router bgp 65539
    vrf <demo_name>
    local-as 65539
  [N9K / Leaf]
    router bgp 65539
    vrf <demo_name>
    neighbor 10.23.65.0 remote-as 65541
    bfd

OSPF Routing Process
  [N9K / Leaf]
    feature ospf
    !
    router ospf UNDERLAY
    log-adjacency-changes detail
    bfd

OSPF Router ID
  [N9K / Leaf]
    router ospf UNDERLAY
    log-adjacency-changes detail
    bfd
    router-id <loopback17-ip-address>

Enabling OSPF on interfaces
  [N9K / Leaf]
    router ospf UNDERLAY
    passive-interface default
  [N9K / Leaf]
    ! continue from the above...
    interface Ethernet1/5
    ip router ospf UNDERLAY area 0.0.0.1
    ip ospf bfd
    ip ospf network point-to-point
    no ip ospf passive-interface
  [N9K / Leaf]
    interface loopback<id>
    ip router ospf UNDERLAY area 0.0.0.1

OSPF Authentication
  [N9K / Leaf]
    interface eth <slot>/<port>
    ip ospf authentication message-digest
    ip ospf message-digest-key <key-id> md5 0 <clear-text-key>

OSPF Reference-Bandwidth
  [N9K / Leaf]
    router ospf UNDERLAY
    auto-cost reference-bandwidth 100 Gbps

Underlay OSPF Configuration on Leaf and Spine
  [N9K / Leaf]
    interface loopback17
    ip router ospf UNDERLAY area 0.0.0.1
  [N9K / Leaf / Spine]
    interface eth<slot>/<port>
    ip router ospf UNDERLAY area 0.0.0.1
    ip ospf network point-to-point
    no ip ospf passive-interface
    ip ospf bfd
    ip ospf authentication message-digest
    ip ospf message-digest-key <key-id> md5 0 <clear-text-key>

Enabling Multicast Routing - PIM
  [N9K / Leaf]
    feature pim
  [N9K / Spine]
    ip pim log-neighbor-changes
  [N9K / Spine]
    interface ethernet 1/10
    ip pim sparse-mode
    ip pim bfd-instance
  [N9K / Leaf]
    interface loopback<id>
    ip pim sparse-mode

Mapping Layer 2 VNI VXLAN segment to ASM group
  [N9K / Leaf]
    interface nve<id>
    member vni <L2-VNID>
    mcast-group 239.239.0.1
    member vni <L2-VNID>
    mcast-group 239.239.0.2

PIM Anycast RP (RFC 4610)
  [N9K / Leaf]
    interface loopback18
    ip pim sparse-mode
  [N9K / Leaf]
    interface loopback17
    ip pim sparse-mode
  [N9K / Leaf]
    ip pim rp-address <loopback18> group-list 239.239.0.0/16

Multicast configuration for Leaf
  [N9K / Leaf]
    feature pim
    ip pim log-neighbor-changes
  [N9K / Leaf]
    interface loopback17
    ip pim sparse-mode
  [N9K / Leaf]
    interface ethernet<slot>/<port>
    ip pim sparse-mode
    ip pim bfd-instance
  [N9K / Leaf]
    interface nve1
    member vni <L2-VNID>
    mcast-group 239.64.64.1
    member vni <L2-VNID>
    mcast-group 239.64.64.2
  [N9K / Leaf]
    ip pim rp-address <anycast-loopback> group-list 239.239.0.0/16

Multicast configuration for Spine
  [N9K / Spine]
    feature pim
    ip pim log-neighbor-changes
  [N9K / Spine]
    interface ethernet 1/10
    ip pim sparse-mode
    ip pim bfd-instance
  [N9K / Spine]
    interface loopback17
    ip pim sparse-mode
  [N9K / Spine]
    interface loopback18
    ip pim sparse-mode
  [N9K / Spine]
    ip pim rp-address <loopback18> group-list 239.239.0.0/16
    ip pim anycast-rp <loopback18> <loopback17>

Service Extensions for OSPF routing
  [N9K]
    vlan 17
    vn-segment 10019
  [N9K]
    interface Vlan17
    mtu 9216
    vrf member <demo_name>
    ip ospf cost 10
    ip ospf passive-interface
    ip router ospf 1 area 0.0.0.0

Service Extensions for Static routing
  [N9K]
    vrf context <demo_name>
    ip route 0.0.0.0/0 Vlan1605 11.0.23.30

Service Extension for default route injection on N9K BL/redistribute mode
  [N9K]
    router bgp 65542
    vrf <demo_name>
    address-family ipv4 unicast
    network 0.0.0.0/0

route-map
  [N9K]
    route-map RM-IN-S2 permit 10
    match tag 1000
    route-map RM-IN-S3 permit 10
    match tag 1000
  [N9K]
    route-map RM-S-to-O permit 10
    match tag 131 132 133 139 134 135
    set metric-type type-1

vrf context <demo_name>
  [N9K]
    vrf context <demo_name>
    ip route 9.59.207.0/24 Vlan1603 11.0.34.30 name <test_name> tag 1000 50
    ip route 9.59.207.0/24 Ethernet1/46.2 11.0.40.142 name <test_name> tag 1000 10
    ip route 10.0.0.0/12 Vlan1603 11.0.34.30 tag 1000 50
    ip route 10.0.0.0/12 Ethernet1/46.2 11.0.40.142 tag 1000 10
    ip route 10.2.52.0/24 Vlan6 10.2.42.3 tag 1000
    ip route 192.168.0.0/16 Vlan1603 11.0.34.30 name <test_name> tag 1000
    rd auto
    address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

vrf context <demo_name>
  [N9K]
    vrf context <demo_name>
    ip route 10.2.0.0/19 Vlan1607 11.0.34.14 tag 131 50
    ip route 10.2.0.0/19 Ethernet1/45.1 11.0.40.145 tag 131 10
    ip route 10.2.96.0/19 Vlan3203 11.0.39.14 tag 134

interface Vlan1601
  [N9K]
    interface Vlan1601
    no shutdown
    vrf member <demo_name>
    no ip redirects
    ip address 10.10.10.10/24
    no ipv6 redirects
    hsrp version 2
    hsrp 1601
    preempt
    priority 110
    ip 11.0.34.33

interface Vlanxx
  [N9K]
    interface Vlan1602
    no shutdown
    vrf member <demo_name>
    no ip redirects
    no ipv6 redirects
    ip ospf cost 10
    ip ospf passive-interface
    ip router ospf 100 area 0.0.0.0

interface Ethernet (IPv4 and IPv6)
  [N7K]
    interface ex/y
    mac-address aaaa.bbbb.cccc
    vrf member <demo_name>
    ip address x.x.x.x/31
    ipv6 address x:x:x::x
    ip policy route-map TO_VPER_OR_FW
    ipv6 policy route-map TO_VPER_OR_FW_v6
    no shut

interface Ethernet1/46.1
  [N9K]
    interface Ethernet1/36.1
    mtu 1500
    encapsulation dot1q 1602
    mac-address 0000.0000.2222
    vrf member <demo_name>
    no ip redirects
    ip address 10.10.10.10/24

interface Ethernet1/47.1
  [N9K]
    interface Ethernet1/37.1
    mtu 1500
    encapsulation dot1q 1608
    vrf member <demo_name>
    no ip redirects
    ip address 10.10.10.10/24
    ip ospf dead-interval 20
    ip ospf hello-interval 5
    ip ospf network point-to-point
    ip router ospf 100 area 0.0.0.0

router ospf 1
  [N9K]
    router ospf 1
    vrf <demo_name>
    router-id 55.2.32.5
    vrf <demo_name>
    router-id 55.2.32.5
    vrf <demo_name>
    router-id 55.2.32.5
    redistribute static route-map RM-S-to-O

router bgp 65543
  [N9K]
    router bgp 65543
    vrf <demo_name>
    address-family ipv4 unicast
    advertise l2vpn evpn
    redistribute direct route-map vts-subnet-policy
    redistribute static route-map RM-IN-S2
  [N9K]
    nv overlay evpn
  [N9K]
    clock protocol ntp vdc 1

role name nsdcheck
  [N9K]
    role name nsdcheck
    rule 4 permit command show *
    rule 3 permit command terminal length *
    rule 2 permit command ping *
    rule 1 permit read
  [N9K]
    role name devcheck
    rule 8 permit command tac-pac *
    rule 7 permit command dir *
    rule 6 permit command ssh *
    rule 5 permit command traceroute *
    rule 4 permit command ping *
  [N9K]
    role name devopera
    rule 1 permit read-write

ip name-server 55.6.8.73 55.22.8.3
  [N9K]
    ip name-server 55.6.8.73 55.22.8.3

username
  [N9K]
    username user password 5 $1$lDuqR.60$eNzZ5I22WxJT58gdEm88N0 role network-operator
  [N9K]
    username vtsadmin password 5 $5$MmpswImI$vbZhP/52dNjHY5KWj4yBvmiDvuOZZ9gd2vo2oZc61b4 role network-admin
  [N9K]
    username nsdcheck password 5 $5$dpIXMjZs$jDIZVf6grMu1yq79vTts2mcgPlt0QWp5z3tDnw3N5W8 role nsdcheck

snmp-server
  [N9K]
    snmp-server source-interface trap loopback1
  [N9K]
    snmp-server user user network-operator auth md5 0x3eaa4221f6bbf8722cbdea7ea6bf2f11 priv 0x3eaa4221f6bbf8722cbdea7ea6bf2f11 localizedkey
  [N9K]
    snmp-server host 55.6.8.1 traps version 2c COMMUNITY1
    snmp-server host 55.6.8.1 use-vrf default
  [N9K]
    snmp-server enable traps bgp
    snmp-server enable traps ospf
    snmp-server enable traps callhome event-notify
    snmp-server enable traps callhome smtp-send-fail
    snmp-server enable traps cfs state-change-notif
    snmp-server enable traps lldp lldpRemTablesChange
    snmp-server enable traps aaa server-state-change
    snmp-server enable traps hsrp state-change
    snmp-server enable traps feature-control FeatureOpStatusChange
    snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended
    snmp-server enable traps config ccmCLIRunningConfigChanged
    snmp-server enable traps snmp authentication
    snmp-server enable traps link cisco-xcvr-mon-status-chg
    snmp-server enable traps vtp notifs
    snmp-server enable traps vtp vlancreate
    snmp-server enable traps vtp vlandelete
    snmp-server enable traps bridge newroot
    snmp-server enable traps bridge topologychange
    snmp-server enable traps stpx inconsistency
    snmp-server enable traps stpx root-inconsistency
    snmp-server enable traps system Clock-change-notification
    snmp-server enable traps feature-control ciscoFeatOpStatusChange
  [N9K]
    snmp-server community COMMUNITY1 group network-operator

ntp
  [N9K]
    ntp source-interface loopback0
    ntp logging

ip pim
  [N9K]
    ip pim ssm range 232.0.0.0/8

spanning-tree
  [N9K]
    spanning-tree pathcost method long
    spanning-tree mst 1 priority 4096
    spanning-tree mst configuration
    name CFG01
    revision 1
    instance 1 vlan 1-4094

hardware
  [N9K]
    hardware access-list tcam region qos 0

vpc domain
  [N9K]
    vpc domain 151
    peer-keepalive destination 55.2.34.2 source 55.2.34.1 vrf default
  [N9K]
    vpc domain 151
    auto-recovery

interface vlan
  [N9K]
    interface Vlan1602
    no shutdown
    vrf member <demo_name>
    no ip redirects
    fabric forwarding mode anycast-gateway

interface port-channel
  [N9K]
    interface port-channel101
    no switchport
    mtu 9216
    no ip redirects
    ip address 10.10.10.10/24
    ip ospf cost 10
    ip ospf dead-interval 20
    ip ospf hello-interval 5
    ip ospf network point-to-point
    ip router ospf 1 area 0.0.0.0
    ip pim sparse-mode

interface Ethernet
  [N9K]
    interface Ethernet1/45
    no switchport
    mtu 9216
    mac-address 0000.0000.1111
  [N9K]
    interface Ethernet1/47
    no switchport
    mtu 9216
    udld enable
  [N9K]
    interface Ethernet2/5
    switchport mode trunk
    switchport trunk allowed vlan 2-4094
    channel-group 21 mode active

interface mgmt0
  [N9K]
    interface mgmt0
    no lldp transmit
    no lldp receive

clock timezone
  [N9K]
    clock timezone PRC 8 0

ip route
  [N9K]
    ip route 0.0.0.0/0 Ethernet1/46.452 55.6.34.198 tag 1000 10
    ip route 0.0.0.0/0 Vlan3903 55.6.40.14 tag 1000 50

router ospf
  [N9K]
    router ospf 1
    redistribute static route-map RM-S-to-O

router bgp
  [N9K]
    router bgp 65543
    router-id 55.2.32.5
    address-family ipv4 unicast
    address-family l2vpn evpn
    neighbor 55.2.32.1
    remote-as 65543
    update-source loopback1
    address-family ipv4 unicast
    address-family l2vpn evpn
    send-community extended

router bgp (IPv4 only)
  [N9K and N7K]
    router bgp 65539
    router-id 192.168.0.25
    log-neighbor-changes
    address-family ipv4 unicast
    maximum-paths 32
    maximum-paths ibgp 32
    address-family ipv6 unicast
    maximum-paths 32
    maximum-paths ibgp 32
    address-family l2vpn evpn
    neighbor 192.168.0.3
    remote-as 65539
    password 3 2b7cf4643b66b222
    update-source loopback17
    address-family l2vpn evpn
    send-community
    send-community extended

Event manager config (IPv4 and IPv6)
  [N9K]
    event manager applet TRACK-PING-FOR-BGP-DOWN
    event track 1 state down
    action 1.0 syslog msg CANNOT PING FW. GOING TO SHUTDOWN BGP PEER
    action 2.0 cli config term
    action 3.0 cli router bgp 65539
    action 4.0 cli vrf <demo_name>
    action 5.0 cli neighbor 175.175.175.175
    action 6.0 cli shutdown
    event manager applet TRACK-PING-FOR-BGP-UP
    event track 1 state up
    action 1.0 syslog msg CAN PING FW. GOING TO NO SHUTDOWN BGP PEER
    action 2.0 cli config term
    action 3.0 cli router bgp 65539
    action 4.0 cli vrf <demo_name>
    action 5.0 cli neighbor 175.175.175.175
    action 6.0 cli no shutdown

IP sla config (IPv4 only for N9K; IPv4 and IPv6 for N7K)
  [N9K and N7K]
    ! On BL-1 track the local VPER-1
    ip sla 1
    icmp-echo 69.83.32.36 source-interface vlan 2400
    ! forward reference to VRF
    vrf <demo_name>
    threshold 500
    timeout 500
    frequency 1
    ! Start the SLAs
    ip sla schedule 1 life forever start-time now
    ! Set up a track object for sla 1
    track 1 ip sla 1 reachability
    delay up 180 down 3
    ! Set up a track object that returns DOWN only if both objects 1 and 2 are down.
    track 111 list boolean or
    object 1

Track config (IPv4 and IPv6)
  [N9K and N7K]
    track 10 ip route 0.0.0.0/0 reachability
    vrf member <demo_name>

Interface port channel (IPv4 and IPv6)
  [N9K and N7K]
    interface port-channel 110.2511
    encapsulation dot1q 2511
    vrf member <demo_name>
    ip address 10.10.10.10/24
    no shut
    interface port-channel 110.2575
    encapsulation dot1q 2575
    vrf member <demo_name>
    ipv6 address 10:10:10:10:10:10:10:10/64
  [N7K]
    interface port-channel 110.2577
    ip policy route-map FROM_VPER
    interface port-channel 110.2577
    ipv6 policy route-map FROM_VPERv6
    ! EEM to track both VPERs; when one is up, restore traffic
    event manager applet VPER_TRACK_UP
    event track 111 state up
    action 1.0 syslog msg "BOTH VPERS ARE UP. REMOVING BYPASS!"
    action 2.0 cli command "config t"
    action 3.0 cli command "route-map TO_VPER_OR_FW permit 20"
    action 4.0 cli command "no continue 30"
    action 5.0 cli command "exit"
    action 6.0 cli command "route-map TO_VPER_OR_FWv6 permit 20"
    action 7.0 cli command "no continue 30"
    action 8.0 cli command "exit"
    action 9.0 cli command "route-map FROM_FW_TO_VPER_OR_MOBILE permit 10"
    action 10.0 cli command "no continue 20"
    action 11.0 cli command "end"
    action 12.0 cli command "route-map FROM_FW_TO_VPER_OR_MOBILEv6 permit 10"
    action 13.0 cli command "no continue 20"
    action 14.0 cli command "end"
    action 15.0 syslog msg "TRAFFIC HAS BEEN RESTORED TO VPER"
  [N9K]
    ! EEM to track both VPERs; when one is up, restore traffic
    event manager applet VPER_TRACK_UP
    event track 111 state up
    action 1.0 syslog msg BOTH VPERS ARE UP. REMOVING BYPASS
    action 2.0 cli command "config t"
    action 3.0 cli command "route-map TO_VPER_OR_FW permit 20"
    action 4.0 cli command "no continue 30"
    action 5.0 cli command "exit"
    action 6.0 cli command "route-map TO_VPER_OR_FWv6 permit 20"
    action 7.0 cli command "no continue 30"
    action 8.0 cli command "exit"
    action 9.0 cli command "route-map FROM_FW_TO_VPER_OR_MOBILE permit 10"
    action 10.0 cli command "no continue 20"
    action 11.0 cli command "end"
    action 12.0 cli command "route-map FROM_FW_TO_VPER_OR_MOBILEv6 permit 10"
    action 13.0 cli command "no continue 20"
    action 14.0 cli command "end"
    action 15.0 syslog msg TRAFFIC HAS BEEN RESTORED TO VPER

IP access list (IPv4 and IPv6)
  [N9K and N7K]
    ip access-list ALL_POOLS
    10 permit ip 1.0.0.0/8 any
    20 permit ip any 1.0.0.0/8
    30 permit ip 2.0.0.0/8 any
    40 permit ip any 2.0.0.0/8
    ! Need to configure an ACL for all pools
    ipv6 access-list ALL_POOLSv6
    10 permit ipv6 2001:1::/32 any
    20 permit ipv6 any 2001:1::/32
    30 permit ipv6 2001:2::/32 any
    40 permit ipv6 any 2001:2::/32

Route-map (IPv4 and IPv6)
  [N9K and N7K]
    set ip next-hop verify-availability 69.83.32.35 track 2
    route-map TO_VPER_OR_FW permit 30
    match ip address ALL_POOLS
    ! Set the ip next-hop to the FW VIP
    set ip next-hop 69.83.136.129
    route-map TO_VPER_OR_FW_v6 permit 10
    ! Leave room here for the pilot packets
    route-map TO_VPER_OR_FW_v6 permit 20
    match ipv6 address VPER_POOLSv6
    set ipv6 next-hop verify-availability 2001:4888:16:2078:1e1:210:: track 1
    set ipv6 next-hop verify-availability 2001:4888:16:207a:1e1:210:: track 2
    route-map TO_VPER_OR_FW_v6 permit 30
    match ipv6 address ALL_POOLSv6
    ! Set the ipv6 next-hop to the FW VIP
    set ipv6 next-hop 2001:4888:39:3080:308:25::
  [N7K]
    route-map FROM_FW_TO_VPER_OR_MOBILE permit 10
    match ip address VPER_POOLS
    set vrf <demo_name>_VPER

Monitor erspan
  [N9K and N7K]
    monitor session 1 type erspan-source
    erspan-id 5
    vrf <demo_name>
    ip ttl 25
    ip dscp 42
    monitor erspan origin ip-address 10.0.0.1 global

QOS class-map
  [N9K and N7K]
    class-map type qos match-any TEST1
    match packet length 5

QOS class-map policy-map
  [no device type / role given]
    class-map type control-plane match-any cust1-copp-system-p-class-exception
    match exception ip option
    match exception ip icmp unreachable
    match exception ipv6 option
    match exception ipv6 icmp unreachable
    class-map type control-plane match-any cust1-copp-system-p-class-fcoe
    match access-group name cust1-copp-system-p-acl-mac-fcoe
    policy-map type control-plane cust1-copp-system-p-policy-strict
    class cust1-copp-system-p-class-exception
    set cos 1
    police cir 360 kbps bc 250 ms conform transmit violate drop
    class cust1-copp-system-p-class-fcoe
    set cos 6
    police cir 1060 kbps bc 1000 ms conform transmit violate drop

Tunnel Interface
  [N9K and N7K]
    interface Tunnel1
    vrf member <demo_name>
    ip address 10.10.10.10/24
    tunnel source 1.1.1.201
    tunnel destination 1.1.1.200
    no shutdown