From 2758a4d6d066ac04688ea72688856db6ed8db2f8 Mon Sep 17 00:00:00 2001 From: Mitch Vaughan Date: Fri, 30 Aug 2024 18:30:48 +0000 Subject: [PATCH 1/8] autovpn lab polishing --- .../autovpn/zbackend-infra/act/ansible.cfg | 49 ++++--------------- .../zbackend-infra/act/config_push.yml | 10 +++- .../zbackend-infra/act/host_networking.yml | 9 ++++ .../act/inventory/group_vars/endhosts.yml | 3 ++ .../act/inventory/inventory.yml | 8 ++- .../wan/autovpn/zbackend-infra/act/test.yml | 20 ++++++++ 6 files changed, 58 insertions(+), 41 deletions(-) create mode 100644 tech-library/wan/autovpn/zbackend-infra/act/host_networking.yml create mode 100644 tech-library/wan/autovpn/zbackend-infra/act/inventory/group_vars/endhosts.yml create mode 100644 tech-library/wan/autovpn/zbackend-infra/act/test.yml diff --git a/tech-library/wan/autovpn/zbackend-infra/act/ansible.cfg b/tech-library/wan/autovpn/zbackend-infra/act/ansible.cfg index 203d1efd..5e22ca1b 100644 --- a/tech-library/wan/autovpn/zbackend-infra/act/ansible.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/act/ansible.cfg 
@@ -1,45 +1,16 @@ [defaults] - -# Disable host key checking by the underlying tools Ansible uses to connect to target hosts -host_key_checking = False - -# Location of inventory file containing target hosts -inventory = ./inventory/inventory.yml - -# Only gather Ansible facts if explicity directed to in a given play -gathering = explicit - -# Disable the creation of .retry files if a playbook fails -retry_files_enabled = False - -# Path(s) to search for installed Ansible Galaxy Collections -collections_paths = ~/.ansible/collections - -# Enable additional Jinja2 Extensions (https://jinja.palletsprojects.com/en/3.1.x/extensions/) +roles_path = ./roles +collections_paths = ../ansible-avd:../ansible-cvp:../ansible_collections:~/.ansible/collections:/usr/share/ansible/collections jinja2_extensions = jinja2.ext.loopcontrols,jinja2.ext.do,jinja2.ext.i18n +deprecation_warnings = False +forks = 8 +host_key_checking = False -# Enable the YAML callback plugin, providing much easier to read terminal output. (https://docs.ansible.com/ansible/latest/plugins/callback.html#callback-plugins) -# stdout_callback = yaml - -# Permit the use of callback plugins when running ad-hoc commands -bin_ansible_callbacks = True - -# List of enabled callbacks. Many callbacks shipped with Ansible are not enabled by default -callbacks_enabled = profile_roles, profile_tasks, timer - -# Maximum number of forks that Ansible will use to execute tasks on target hosts -forks = 15 - -# Disable cowsay (Why?) -nocows = True - -[paramiko_connection] -# Automatically add the keys of target hosts to known hosts -host_key_auto_add = True +vars_plugins_enabled = arista.avd.global_vars, host_group_vars [persistent_connection] -# Set the amount of time, in seconds, to wait for response from remote device before timing out persistent connection. 
-command_timeout = 60 +connect_timeout = 120 +command_timeout = 120 -# Set the amount of time, in seconds, that a persistent connection will remain idle before it is destroyed. -connect_timeout = 60 +[vars_global_vars] +paths = ../global_vars/evpn_vxlan, ../global_vars/avd_defaults, ../global_vars/fabric_defaults diff --git a/tech-library/wan/autovpn/zbackend-infra/act/config_push.yml b/tech-library/wan/autovpn/zbackend-infra/act/config_push.yml index 98df966a..8e6da5f4 100644 --- a/tech-library/wan/autovpn/zbackend-infra/act/config_push.yml +++ b/tech-library/wan/autovpn/zbackend-infra/act/config_push.yml @@ -11,8 +11,16 @@ tasks: - - name: "Configs from {{ config_dir }}" + - name: "Push configs to EOS nodes from {{ config_dir }}" eos_config: src: "{{ config_dir }}{{ inventory_hostname }}.cfg" replace: config save_when: changed + when: 'HOST' not in {{ inventory_hostname }} + + - name: "Configure end hosts" + eos_config: + src: "{{ config_dir }}{{ inventory_hostname }}.cfg" + replace: config + save_when: changed + when: 'HOST' in {{ inventory_hostname }} \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/act/host_networking.yml b/tech-library/wan/autovpn/zbackend-infra/act/host_networking.yml new file mode 100644 index 00000000..ecb284cd --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/act/host_networking.yml @@ -0,0 +1,9 @@ +hostnets: + HOSTA1: + int: et1 + ip: 10.10.10.101 + gw: 10.10.10.1 + HOSTA2: + int: et1 + ip: 10.20.20.101 + gw: 10.20.20.1 diff --git a/tech-library/wan/autovpn/zbackend-infra/act/inventory/group_vars/endhosts.yml b/tech-library/wan/autovpn/zbackend-infra/act/inventory/group_vars/endhosts.yml new file mode 100644 index 00000000..88ce3ff3 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/act/inventory/group_vars/endhosts.yml @@ -0,0 +1,3 @@ +ansible_user: ansible +ansible_password: ansible +ansible_python_interpreter: $(which python3) 
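Review bot: `deprecation_warnings = False` in the new `[defaults]` block hides the warning that the retained `collections_paths` key raises on recent ansible-core, where the option is spelled `collections_path`; renaming the key and dropping the override keeps future deprecations visible. The block also keeps `host_key_checking = False` but removes the comment that explained it, so a reader no longer sees that this is a lab-only relaxation that turns off SSH host identity verification. Restoring one line above it, `# lab only: skips SSH host-key verification; do not reuse this cfg for production inventories`, preserves that context, and the same applies to the raised `connect_timeout`/`command_timeout` values under `[persistent_connection]`, which lost their explanatory comments too.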
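Review bot: `when: 'HOST' not in {{ inventory_hostname }}` on the first task (and `when: 'HOST' in {{ inventory_hostname }}` on the second) is not valid YAML, because a single-quoted scalar followed by more text does not parse, and `when:` is already a Jinja expression, so the `{{ }}` delimiters must go: `when: "'HOST' not in inventory_hostname"`. The two tasks are otherwise identical, so the split adds nothing; both run `eos_config` with the same `src`, and the `HOST*` entries added to the inventory in this commit are Linux end hosts on which an EOS module cannot run. Dropping the second task and targeting by group, `when: inventory_hostname not in groups['endhosts']`, avoids depending on a naming convention. The `tasks:` list belongs to a play whose header is outside the hunk.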
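Review bot: The `ip` values `10.10.10.101` and `10.20.20.101` carry no prefix length, and test.yml in this commit passes them straight to `ip addr add`, which assigns a /32; the following `ip route add ... via {{ gw }}` then fails because the gateway is not on-link. Store the prefix with the address, `ip: 10.10.10.101/24`, which is also the form the clab topology in patch 5 uses for the same host addressing. The file has no header stating that its keys must equal Ansible `inventory_hostname` values, which is its only link to inventory.yml; `# keys must match inventory_hostname in inventory/inventory.yml` at the top would document that contract.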
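Review bot: `ansible_password: ansible` stores the end-host credential in cleartext in group_vars, and this commit adds it to version control; even for a lab, keeping it in an `ansible-vault`-encrypted file or supplying it with `--ask-pass` keeps the secret out of git history. `ansible_python_interpreter: $(which python3)` is not expanded by Ansible itself and only works if the remote shell happens to expand it inside the module command line; a plain path, `ansible_python_interpreter: /usr/bin/python3`, which test.yml in this same commit already sets at play level, or `auto`, is the reliable form.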
diff --git a/tech-library/wan/autovpn/zbackend-infra/act/inventory/inventory.yml b/tech-library/wan/autovpn/zbackend-infra/act/inventory/inventory.yml index 3169ee5d..9739339c 100644 --- a/tech-library/wan/autovpn/zbackend-infra/act/inventory/inventory.yml +++ b/tech-library/wan/autovpn/zbackend-infra/act/inventory/inventory.yml @@ -44,4 +44,10 @@ all: S1-R2: ansible_host: 192.168.0.24 S2-R1: - ansible_host: 192.168.0.26 \ No newline at end of file + ansible_host: 192.168.0.26 + endhosts: + hosts: + HOSTA1: + ansible_host: 192.168.0.201 + HOSTA2: + ansible_host: 192.168.0.202 diff --git a/tech-library/wan/autovpn/zbackend-infra/act/test.yml b/tech-library/wan/autovpn/zbackend-infra/act/test.yml new file mode 100644 index 00000000..72df3b1d --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/act/test.yml @@ -0,0 +1,20 @@ +--- + +- name: Push switch configs + hosts: all + gather_facts: false + + vars: + ansible_python_interpreter: /usr/bin/python3 + config_dir: "{{ playbook_dir }}/../configs/" + vars_files: + - "./host_networking.yml" + tasks: + + - name: "Configure et1 ip address" + ansible.builtin.shell: | + ip addr add {{ hostnets[inventory_hostname].ip }} dev {{ hostnets[inventory_hostname].int }} + ip route add 10.40.40.0/24 via {{ hostnets[inventory_hostname].gw }} + register: test + become: yes + when: "{{ 'HOST' in inventory_hostname }}" \ No newline at end of file From 7154a5c7c80d9c8b3fc00c3a06df47997d8bd537 Mon Sep 17 00:00:00 2001 
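Review bot: The new `endhosts` group is appended at the end of the file, and the hunk does not show whether it sits under `all.children` beside the existing groups or inside the group that holds `S2-R1`; at the wrong depth Ansible would read `endhosts` as a host named `endhosts` with `hosts:` as one of its variables. A quick `ansible-inventory -i inventory/inventory.yml --graph` confirms the placement. The name must also stay exactly `endhosts`, since `group_vars/endhosts.yml` added in this commit binds to it. The enclosing `all:` tree starts outside the hunk.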
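Review bot: `when: "{{ 'HOST' in inventory_hostname }}"` wraps the conditional in template delimiters; `when` is already evaluated as Jinja, recent ansible-core rejects this form, and the fix is `when: "'HOST' in inventory_hostname"`. The shell task is also not repeatable: `ip addr add` and `ip route add` return "File exists" on a second run and fail the play, while `register: test` is never used; `ip addr replace` and `ip route replace` make it converge, or add a `failed_when` that tolerates an already-present address. The play name `Push switch configs` describes config_push.yml rather than this host-networking play, and `become: yes` should be `become: true` to match `gather_facts: false` in the same file.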
From: Mitch Vaughan Date: Sat, 31 Aug 2024 16:08:09 +0000 Subject: [PATCH 2/8] autovpn clab build --- .../clab/configs/DC1-BORDER1.cfg | 49 +++++++++++++++++ .../clab/configs/DC1-BORDER2.cfg | 49 +++++++++++++++++ .../zbackend-infra/clab/configs/DC1-LEAF.cfg | 51 +++++++++++++++++ .../zbackend-infra/clab/configs/DC1-R1.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/DC1-R2.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/DC1-SPINE.cfg | 55 +++++++++++++++++++ .../clab/configs/DC2-BORDER1.cfg | 49 +++++++++++++++++ .../clab/configs/DC2-BORDER2.cfg | 49 +++++++++++++++++ .../zbackend-infra/clab/configs/DC2-LEAF.cfg | 51 +++++++++++++++++ .../zbackend-infra/clab/configs/DC2-R1.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/DC2-R2.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/DC2-SPINE.cfg | 55 +++++++++++++++++++ .../zbackend-infra/clab/configs/S1-R1.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/S1-R2.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/S1-SW1.cfg | 53 ++++++++++++++++++ .../zbackend-infra/clab/configs/S2-R1.cfg | 39 +++++++++++++ .../zbackend-infra/clab/configs/S2-SW1.cfg | 51 +++++++++++++++++ 17 files changed, 785 insertions(+) create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg create mode 100644 
tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg new file mode 100644 index 00000000..67959fcd --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg @@ -0,0 +1,49 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC1-BORDER1 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Management0 + vrf MGMT + ip address 172.100.100.104/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end 
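Review bot: Every cEOS startup config in this patch (DC1-BORDER1 here, and the same block in DC1-BORDER2, DC1-LEAF, DC1-SPINE, DC2-BORDER1, DC2-BORDER2, DC2-LEAF, DC2-SPINE, S1-SW1, S2-SW1, and DCI-MPLS and INTERNET in patches 3 and 4) enables eAPI with a top-level `no shutdown` under `management api http-commands` in addition to `vrf MGMT` / `no shutdown`; if the top-level line enables the listener in the default VRF, as it appears to, eAPI will also answer on the routed data-plane interfaces once `ip routing` and Ethernet addressing are pushed. The inventory only reaches these nodes via Management0 in VRF MGMT, so the default-VRF listener is unused and can be left `shutdown` under the parent, keeping only the MGMT VRF entry. All of these configs share one `username admin ... secret sha512` hash; that is the common lab default, but the lab README should state that every node shares it so it is not carried into any non-lab reuse.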
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg new file mode 100644 index 00000000..02e1937c --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg @@ -0,0 +1,49 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC1-BORDER2 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Management0 + vrf MGMT + ip address 172.100.100.105/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg new file mode 100644 index 00000000..19243333 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg 
@@ -0,0 +1,51 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC1-LEAF +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Management0 + vrf MGMT + ip address 172.100.100.101/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg new file mode 100644 index 00000000..f2fb01b4 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname DC1-R1 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.102/24 +! +ip routing +! 
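Review bot: `username admin secret admin privilege 15 role network-admin` puts the admin password in cleartext into the committed startup config (DC1-R1 here, and identically in DC1-R2, DC2-R1, DC2-R2, S1-R1, S1-R2 and S2-R1); EOS hashes it on load, but the repository keeps the cleartext, so use the same `secret sha512 <hash>` form the cEOS configs in this patch use. `management api http-commands` on these nodes has only the top-level `no shutdown` and no `vrf MGMT` submode, while Management1 sits in `vrf MGMT`; if eAPI is enabled per VRF, as it appears to be, the Ansible httpapi connection over 172.100.100.0/24 cannot reach it, and `vrf MGMT` / `no shutdown` under it, as in the cEOS configs, is needed. There is likewise no `management ssh` / `vrf MGMT` block, so SSH reachability over the management VRF depends on platform defaults and is worth confirming. `ip route vrf MGMT 0/0 172.100.100.1` uses the `0/0` shorthand where the other configs write `0.0.0.0/0`; spelling it out avoids depending on the parser accepting the abbreviation.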
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg new file mode 100644 index 00000000..897dcdd0 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname DC1-R2 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.103/24 +! +ip routing +! diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg new file mode 100644 index 00000000..1cfad74b --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg 
@@ -0,0 +1,55 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC1-SPINE +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Ethernet4 +! +interface Ethernet5 +! +interface Management0 + vrf MGMT + ip address 172.100.100.100/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg new file mode 100644 index 00000000..510ea061 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg 
@@ -0,0 +1,49 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC2-BORDER1 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Management0 + vrf MGMT + ip address 172.100.100.110/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg new file mode 100644 index 00000000..b14d597f --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg 
@@ -0,0 +1,49 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC2-BORDER2 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Management0 + vrf MGMT + ip address 172.100.100.111/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg new file mode 100644 index 00000000..85a51279 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg 
@@ -0,0 +1,51 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC2-LEAF +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Management0 + vrf MGMT + ip address 172.100.100.107/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg new file mode 100644 index 00000000..619e4dcd --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname DC2-R1 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.108/24 +! +ip routing +! 
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg new file mode 100644 index 00000000..75d852c5 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname DC2-R2 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.109/24 +! +ip routing +! diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg new file mode 100644 index 00000000..7ffca988 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg 
@@ -0,0 +1,55 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DC2-SPINE +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Ethernet4 +! +interface Ethernet5 +! +interface Management0 + vrf MGMT + ip address 172.100.100.106/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg new file mode 100644 index 00000000..c12a1e64 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname S1-R1 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.112/24 +! +ip routing +! 
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg new file mode 100644 index 00000000..58647afa --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname S1-R2 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.113/24 +! +ip routing +! diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg new file mode 100644 index 00000000..a5165e0d --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg 
@@ -0,0 +1,53 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname S1-SW1 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Ethernet4 +! +interface Management0 + vrf MGMT + ip address 172.100.100.114/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg new file mode 100644 index 00000000..ff108f38 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg @@ -0,0 +1,39 @@ +vrf instance MGMT +! +username admin secret admin privilege 15 role network-admin +! +management api http-commands + no shutdown +! +switchport default mode routed +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' +! +no service interface inactive port-id allocation disabled +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname S2-R1 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +interface Ethernet1 + no switchport +! +interface Ethernet2 + no switchport +! +ip route vrf MGMT 0/0 172.100.100.1 +! +interface Management1 + vrf MGMT + ip address 172.100.100.115/24 +! +ip routing +! 
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg new file mode 100644 index 00000000..b9ba9879 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg @@ -0,0 +1,51 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname S2-SW1 +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Management0 + vrf MGMT + ip address 172.100.100.116/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end From 7e1f1501f67122043411b5791e305111edacbb29 Mon Sep 17 00:00:00 2001 From: Mitch Vaughan Date: Sat, 31 Aug 2024 16:14:41 +0000 Subject: [PATCH 3/8] autovpn clab build --- .../zbackend-infra/clab/configs/DCI-MPLS.cfg | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg new file mode 100644 index 00000000..4fd36ded --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg 
@@ -0,0 +1,53 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname DCI-MPLS +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Ethernet4 +! +interface Management0 + vrf MGMT + ip address 172.100.100.119/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end From d2b3808389dacc2704c2445bd1da5eee6f9d82f2 Mon Sep 17 00:00:00 2001 From: Mitch Vaughan Date: Sat, 31 Aug 2024 16:15:34 +0000 Subject: [PATCH 4/8] autovpn clab build --- .../zbackend-infra/clab/configs/INTERNET.cfg | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg new file mode 100644 index 00000000..a7d6b549 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg 
@@ -0,0 +1,59 @@ +! +no aaa root +! +username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. +! +transceiver qsfp default-mode 4x10G +! +interface defaults + mtu 9214 +! +service routing protocols model multi-agent +! +hostname INTERNET +ip name-server vrf MGMT 8.8.8.8 +! +spanning-tree mode mstp +! +system l1 + unsupported speed action error + unsupported error-correction action error +! +vrf instance MGMT +! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +aaa authorization exec default local +! +interface Ethernet1 +! +interface Ethernet2 +! +interface Ethernet3 +! +interface Ethernet4 +! +interface Ethernet5 +! +interface Ethernet6 +! +interface Ethernet7 +! +interface Management0 + vrf MGMT + ip address 172.100.100.118/24 +! +ip routing +no ip routing vrf MGMT +! +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +management ssh + vrf MGMT + no shutdown +! +end From a25c39db64ba89285b234f2c33a68e31d15a489a Mon Sep 17 00:00:00 2001 From: Mitch Vaughan Date: Sat, 31 Aug 2024 20:28:39 +0000 Subject: [PATCH 5/8] autovpn clab buildout --- .gitignore | 4 +- .../clab/clab-wan-autovpn-dg.yml | 391 ++++++++++++++++++ 2 files changed, 393 insertions(+), 2 deletions(-) create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml diff --git a/.gitignore b/.gitignore index 514019f3..b33e0b0f 100644 --- a/.gitignore +++ b/.gitignore @@ -2,8 +2,8 @@ **.tok** # clab auto-created directories and files -**clab-* +**.clab-* *.yml.bak # license files -*license*.json \ No newline at end of file +*license*.json diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml b/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml new file mode 100644 index 00000000..0b2425d0 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml 
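Review bot: Narrowing `**clab-*` to `**.clab-*` stops ignoring the `clab-<labname>/` runtime directories containerlab creates next to a topology, which is what the comment above the line says the rule is for; presumably the broader pattern also hid the new `clab-wan-autovpn-dg.yml` topology file. A directory-only pattern keeps both goals: `clab-*/` matches the generated directories and not the tracked `.yml`. The trailing-newline fix on `*license*.json` is fine as is.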
@@ -0,0 +1,391 @@ +--- + +# -------------------------------------------------------------- +# Arista AutoVPN Deployment Guide Topology +# -------------------------------------------------------------- + +name: arista-wan-autovpn-dg + +prefix: "" + +mgmt: + network: mgmt + ipv4-subnet: 172.100.100.0/24 + +topology: + + defaults: + env: + INTFTYPE: et + + kinds: + ceos: + env: + CLAB_MGMT_VRF: MGMT + image: ceos:trunk + memory: 4g + linux: + image: mitchv85/devhost + + nodes: + + ########################### + ##### DC1 + ########################### + + DC1-SPINE: + kind: ceos + mgmt-ipv4: 172.100.100.100 + startup-config: ./configs/DC1-SPINE.cfg + ports: + - '22000:22' + - '8000:80' + - '44300:443' + + DC1-LEAF: + kind: ceos + mgmt-ipv4: 172.100.100.101 + startup-config: ./configs/DC1-LEAF.cfg + ports: + - '22001:22' + - '8001:80' + - '44301:443' + + DC1-R1: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.102 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/DC1-R1.cfg + ports: + - '22002:22' + - '8002:80' + - '44302:443' + + DC1-R2: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.103 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/DC1-R2.cfg + ports: + - '22003:22' + - '8003:80' + - '44303:443' + + DC1-BORDER1: + kind: ceos + mgmt-ipv4: 172.100.100.104 + startup-config: ./configs/DC1-BORDER1.cfg + ports: + - '22004:22' + - '8004:80' + - '44304:443' + + DC1-BORDER2: + kind: ceos + mgmt-ipv4: 172.100.100.105 + startup-config: ./configs/DC1-BORDER2.cfg + ports: + - '22005:22' + - '8005:80' + - '44305:443' + + HostA1: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.201 + ports: + - '22201:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.10.10.101/24 -i6 2001:db8:10:10::101/64 -g 10.10.10.1 + + HostA2: + kind: linux + image: 
mitchv85/devhost + mgmt-ipv4: 172.100.100.202 + ports: + - '22202:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.20.20.101/24 -i6 2001:db8:20:20::101/64 -g 10.20.20.1 + + ########################### + ##### DC2 + ########################### + + DC2-SPINE: + kind: ceos + mgmt-ipv4: 172.100.100.106 + startup-config: ./configs/DC2-SPINE.cfg + ports: + - '22006:22' + - '8006:80' + - '44306:443' + + DC2-LEAF: + kind: ceos + mgmt-ipv4: 172.100.100.107 + startup-config: ./configs/DC2-LEAF.cfg + ports: + - '22007:22' + - '8007:80' + - '44307:443' + + DC2-R1: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.108 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/DC2-R1.cfg + ports: + - '22008:22' + - '8008:80' + - '44308:443' + + DC2-R2: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.109 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/DC2-R2.cfg + ports: + - '22009:22' + - '8009:80' + - '44309:443' + + DC2-BORDER1: + kind: ceos + mgmt-ipv4: 172.100.100.110 + startup-config: ./configs/DC2-BORDER1.cfg + ports: + - '22010:22' + - '8010:80' + - '44310:443' + + DC2-BORDER2: + kind: ceos + mgmt-ipv4: 172.100.100.111 + startup-config: ./configs/DC2-BORDER2.cfg + ports: + - '22011:22' + - '8011:80' + - '44311:443' + + HostB1: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.203 + ports: + - '22203:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.10.10.102/24 -i6 2001:db8:10:10::102/64 -g 10.10.10.1 + + HostB2: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.204 + ports: + - '22204:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.30.30.101/24 -i6 2001:db8:30:30::101/64 -g 10.30.30.1 + + ########################### + ##### SITE1 + ########################### + + S1-R1: + kind: ceos + image: cloudeos:latest 
+ mgmt-ipv4: 172.100.100.112 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/S1-R1.cfg + ports: + - '22012:22' + - '8012:80' + - '44312:443' + + S1-R2: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.113 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/S1-R2.cfg + ports: + - '22013:22' + - '8013:80' + - '44313:443' + + S1-SW1: + kind: ceos + mgmt-ipv4: 172.100.100.114 + startup-config: ./configs/S1-SW1.cfg + ports: + - '22014:22' + - '8014:80' + - '44314:443' + + HostC1: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.205 + ports: + - '22205:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.40.40.101/24 -i6 2001:db8:40:40::102/64 -g 10.40.40.1 + + HostC2: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.206 + ports: + - '22206:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.50.50.101/24 -i6 2001:db8:50:50::101/64 -g 10.50.50.1 + + ########################### + ##### SITE2 + ########################### + + S2-R1: + kind: ceos + image: cloudeos:latest + mgmt-ipv4: 172.100.100.115 + env: + INTFTYPE: eth + SIMULATION_SFE_DPDK_MEM: 4096 + SIMULATION_SFE_BUFFERS: 4096 + SIMULATION_SFE_MAXVRFS: 8 + startup-config: ./configs/S2-R1.cfg + ports: + - '22015:22' + - '8015:80' + - '44315:443' + + S2-SW1: + kind: ceos + mgmt-ipv4: 172.100.100.116 + startup-config: ./configs/S2-SW1.cfg + ports: + - '22016:22' + - '8016:80' + - '44316:443' + + HostD1: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.207 + ports: + - '22207:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.60.60.101/24 -i6 2001:db8:60:60::102/64 -g 10.60.60.1 + + HostD2: + kind: linux + image: mitchv85/devhost + mgmt-ipv4: 172.100.100.208 + ports: + - '22208:22' + exec: + - bash /usr/local/bin/hostnetconfig.sh -i4 10.70.70.101/24 -i6 
2001:db8:70:70::101/64 -g 10.70.70.1 + + ########################### + ##### INTERNET + ########################### + + INTERNET: + kind: ceos + mgmt-ipv4: 172.100.100.118 + startup-config: ./configs/INTERNET.cfg + ports: + - '22018:22' + - '8018:80' + - '44318:443' + + ########################### + ##### DCI-MPLS + ########################### + + DCI-MPLS: + kind: ceos + mgmt-ipv4: 172.100.100.119 + startup-config: ./configs/DCI-MPLS.cfg + ports: + - '22019:22' + - '8019:80' + - '44319:443' + + links: + ##################### + ### DC1 1 + ##################### + - endpoints: ["DC1-SPINE:et1", "DC1-LEAF:et1"] + - endpoints: ["DC1-SPINE:et2", "DC1-R1:eth1"] + - endpoints: ["DC1-SPINE:et3", "DC1-R2:eth1"] + - endpoints: ["DC1-SPINE:et4", "DC1-BORDER1:et1"] + - endpoints: ["DC1-SPINE:et5", "DC1-BORDER2:et1"] + - endpoints: ["DC1-LEAF:et2", "HostA1:eth1"] + - endpoints: ["DC1-LEAF:et3", "HostA2:eth1"] + ##################### + ### DC1 2 + ##################### + - endpoints: ["DC2-SPINE:et1", "DC2-LEAF:et1"] + - endpoints: ["DC2-SPINE:et2", "DC2-R1:eth1"] + - endpoints: ["DC2-SPINE:et3", "DC2-R2:eth1"] + - endpoints: ["DC2-SPINE:et4", "DC2-BORDER1:et1"] + - endpoints: ["DC2-SPINE:et5", "DC2-BORDER2:et1"] + - endpoints: ["DC2-LEAF:et2", "HostB1:eth1"] + - endpoints: ["DC2-LEAF:et3", "HostB2:eth1"] + ##################### + ### Site1 + ##################### + - endpoints: ["S1-R1:eth1", "S1-SW1:et1"] + - endpoints: ["S1-R2:eth1", "S1-SW1:et2"] + - endpoints: ["S1-SW1:et3", "HostC1:eth1"] + - endpoints: ["S1-SW1:et4", "HostC2:eth1"] + ##################### + ### Site2 + ##################### + - endpoints: ["S2-R1:eth1", "S2-SW1:et1"] + - endpoints: ["S2-SW1:et2", "HostD1:eth1"] + - endpoints: ["S2-SW1:et3", "HostD2:eth1"] + ##################### + ### INTERNET + ##################### + - endpoints: ["INTERNET:et1", "DC1-R1:eth2"] + - endpoints: ["INTERNET:et2", "DC1-R2:eth2"] + - endpoints: ["INTERNET:et3", "DC2-R1:eth2"] + - endpoints: ["INTERNET:et4", "DC2-R2:eth2"] + 
- endpoints: ["INTERNET:et5", "S1-R1:eth2"] + - endpoints: ["INTERNET:et6", "S1-R2:eth2"] + - endpoints: ["INTERNET:et7", "S2-R1:eth2"] + ##################### + ### DCI-MPLS + ##################### + - endpoints: ["DCI-MPLS:et1", "DC1-BORDER1:et2"] + - endpoints: ["DCI-MPLS:et2", "DC1-BORDER2:et2"] + - endpoints: ["DCI-MPLS:et3", "DC2-BORDER1:et2"] + - endpoints: ["DCI-MPLS:et4", "DC2-BORDER2:et2"] From d429a5778b5bbb30c3b416d4424cfd4f6c42e093 Mon Sep 17 00:00:00 2001 
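Review bot: HostC1 and HostD1 pair an IPv4 host of .101 with an IPv6 host of ::102 (`-i4 10.40.40.101/24 -i6 2001:db8:40:40::102/64` and `-i4 10.60.60.101/24 -i6 2001:db8:60:60::102/64`) while every other host keeps the same final octet and hextet (A1, A2, B2, C2, D2 are .101/::101, B1 is .102/::102), so these two look like copy errors and should read `2001:db8:40:40::101/64` and `2001:db8:60:60::101/64`. The `ports` entries publish SSH, HTTP and eAPI of all 19 network nodes and SSH of the 8 hosts on every interface of the lab host (`'22000:22'`, `'8000:80'`, `'44300:443'` …), and several startup-configs share one admin credential; if the lab is only driven locally, binding them to loopback as `'127.0.0.1:22000:22'` keeps them off the LAN. The links comment `### DC1 2` heads the DC2 block and should read `### DC2`.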
From: Mitch Vaughan Date: Sun, 1 Sep 2024 03:45:27 +0000 Subject: [PATCH 6/8] autovpn clab setup --- .gitignore | 1 + .../autovpn/zbackend-infra/clab/ansible.cfg | 17 ++ .../clab/clab-wan-autovpn-dg.yml | 22 +- .../zbackend-infra/clab/config_grab.yml | 19 ++ .../zbackend-infra/clab/config_push.yml | 26 +++ .../clab/configs/DC1-BORDER1.cfg | 130 +++++++++++- .../clab/configs/DC1-BORDER2.cfg | 130 +++++++++++- .../zbackend-infra/clab/configs/DC1-LEAF.cfg | 137 +++++++++++- .../zbackend-infra/clab/configs/DC1-R1.cfg | 195 +++++++++++++++++- .../zbackend-infra/clab/configs/DC1-R2.cfg | 184 ++++++++++++++++- .../zbackend-infra/clab/configs/DC1-SPINE.cfg | 120 ++++++++++- .../clab/configs/DC2-BORDER1.cfg | 130 +++++++++++- .../clab/configs/DC2-BORDER2.cfg | 131 +++++++++++- .../zbackend-infra/clab/configs/DC2-LEAF.cfg | 137 +++++++++++- .../zbackend-infra/clab/configs/DC2-R1.cfg | 195 +++++++++++++++++- .../zbackend-infra/clab/configs/DC2-R2.cfg | 183 +++++++++++++++- .../zbackend-infra/clab/configs/DC2-SPINE.cfg | 118 ++++++++++- .../zbackend-infra/clab/configs/DCI-MPLS.cfg | 25 ++- .../zbackend-infra/clab/configs/INTERNET.cfg | 53 ++++- .../zbackend-infra/clab/configs/S1-R1.cfg | 168 ++++++++++++++- .../zbackend-infra/clab/configs/S1-R2.cfg | 163 ++++++++++++++- .../zbackend-infra/clab/configs/S1-SW1.cfg | 95 ++++++++- .../zbackend-infra/clab/configs/S2-R1.cfg | 167 ++++++++++++++- .../zbackend-infra/clab/configs/S2-SW1.cfg | 48 ++++- .../clab/inventory/group_vars/eos.yml | 10 + .../clab/inventory/inventory.yml | 80 +++++++ 26 files changed, 2550 insertions(+), 134 deletions(-) create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/ansible.cfg create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/config_grab.yml create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/config_push.yml create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/inventory/group_vars/eos.yml create mode 100644 
tech-library/wan/autovpn/zbackend-infra/clab/inventory/inventory.yml diff --git a/.gitignore b/.gitignore index b33e0b0f..6ff04dc9 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ # clab auto-created directories and files **.clab-* +*clab-*/ *.yml.bak # license files diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/ansible.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/ansible.cfg new file mode 100644 index 00000000..95f708fd --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/ansible.cfg @@ -0,0 +1,17 @@ +[defaults] +roles_path = ./roles +inventory = inventory/inventory.yml +collections_paths = ../ansible-avd:../ansible-cvp:../ansible_collections:~/.ansible/collections:/usr/share/ansible/collections +jinja2_extensions = jinja2.ext.loopcontrols,jinja2.ext.do,jinja2.ext.i18n +deprecation_warnings = False +forks = 8 +host_key_checking = False + +vars_plugins_enabled = arista.avd.global_vars, host_group_vars + +[persistent_connection] +connect_timeout = 120 +command_timeout = 120 + +[vars_global_vars] +paths = ../global_vars/evpn_vxlan, ../global_vars/avd_defaults, ../global_vars/fabric_defaults diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml b/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml index 0b2425d0..402cd595 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml +++ b/tech-library/wan/autovpn/zbackend-infra/clab/clab-wan-autovpn-dg.yml @@ -35,12 +35,12 @@ topology: DC1-SPINE: kind: ceos - mgmt-ipv4: 172.100.100.100 + mgmt-ipv4: 172.100.100.199 startup-config: ./configs/DC1-SPINE.cfg ports: - - '22000:22' - - '8000:80' - - '44300:443' + - '22099:22' + - '8099:80' + - '44399:443' DC1-LEAF: kind: ceos @@ -61,6 +61,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/DC1-R1.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22002:22' - '8002:80' 
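Review bot: `deprecation_warnings = False` in the new `[defaults]` block silences, among others, the warning recent ansible-core emits for `collections_paths`, which it has deprecated in favour of the singular `collections_path`, so the one setting that would flag the key as going away is the one being suppressed; renaming the key to `collections_path` and dropping the suppression keeps the file working across upgrades. `host_key_checking = False` turns off SSH host-key verification for anything run from this directory; the two playbooks here use `connection: httpapi`, so it only affects ad-hoc SSH runs, but it deserves a line above it such as `# lab only: disables SSH host-key verification; do not copy into a non-lab ansible.cfg`. The act/ansible.cfg rewritten in the first patch of this series carries both settings as well.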
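Review bot: The bind `ipsec-license.json:/mnt/flash/ipsec-license.json:ro` added under DC1-R1 (and under DC1-R2, DC2-R1, DC2-R2, S1-R1, S1-R2 and S2-R1 in the following hunks) names a file that `.gitignore` excludes via `*license*.json`, so on a fresh clone the deploy will not find it and nothing in the topology says where it is expected. A comment above the first `binds:` such as `# ipsec-license.json is git-ignored; place the CloudEOS IPsec license next to this file before deploy` makes that explicit. Mounting it `:ro` is the right choice for a license blob.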
@@ -76,6 +78,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/DC1-R2.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22003:22' - '8003:80' @@ -149,6 +153,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/DC2-R1.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22008:22' - '8008:80' @@ -164,6 +170,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/DC2-R2.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22009:22' - '8009:80' @@ -219,6 +227,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/S1-R1.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22012:22' - '8012:80' @@ -234,6 +244,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/S1-R2.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22013:22' - '8013:80' @@ -280,6 +292,8 @@ topology: SIMULATION_SFE_BUFFERS: 4096 SIMULATION_SFE_MAXVRFS: 8 startup-config: ./configs/S2-R1.cfg + binds: + - ipsec-license.json:/mnt/flash/ipsec-license.json:ro ports: - '22015:22' - '8015:80' diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/config_grab.yml b/tech-library/wan/autovpn/zbackend-infra/clab/config_grab.yml new file mode 100644 index 00000000..57173bad --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/config_grab.yml @@ -0,0 +1,19 @@ +--- + +- name: Get configs from all switches in topology + connection: httpapi + hosts: all + gather_facts: false + + vars: + ansible_python_interpreter: /usr/bin/python3 + config_dir: "{{ playbook_dir }}/configs/" + + tasks: + + - name: "Save running config to {{ config_dir }}" + eos_config: + backup: yes + backup_options: + dir_path: "{{ config_dir }}" + filename: "{{ inventory_hostname }}.cfg" 
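Review bot: `eos_config` is referenced by its short name rather than the FQCN `arista.eos.eos_config`, so the task resolves only through ansible's collection-routing shim; both tasks in config_push.yml in the next hunk do the same. `hosts: all` with `connection: httpapi` also runs the backup against every inventory host, so if the Linux end hosts from the topology are listed in `inventory/inventory.yml` (not visible here) they need to be excluded, for example with a group pattern like `hosts: all:!<end-host-group>` (constructed; use the group the inventory defines). `backup_options.dir_path` writes into `{{ playbook_dir }}/configs/`, which is the directory the topology boots from, so a successful grab silently replaces the startup-configs; a one-line comment stating that this is the intended grab-then-commit flow would help.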
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/config_push.yml b/tech-library/wan/autovpn/zbackend-infra/clab/config_push.yml new file mode 100644 index 00000000..8e6da5f4 --- /dev/null +++ b/tech-library/wan/autovpn/zbackend-infra/clab/config_push.yml @@ -0,0 +1,26 @@ +--- + +- name: Push switch configs + connection: httpapi + hosts: all + gather_facts: false + + vars: + ansible_python_interpreter: /usr/bin/python3 + config_dir: "{{ playbook_dir }}/../configs/" + + tasks: + + - name: "Push configs to EOS nodes from {{ config_dir }}" + eos_config: + src: "{{ config_dir }}{{ inventory_hostname }}.cfg" + replace: config + save_when: changed + when: 'HOST' not in {{ inventory_hostname }} + + - name: "Configure end hosts" + eos_config: + src: "{{ config_dir }}{{ inventory_hostname }}.cfg" + replace: config + save_when: changed + when: 'HOST' in {{ inventory_hostname }} \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg index 67959fcd..a6ce597c 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER1.cfg @@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC1-BORDER1 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
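Review bot: `when: 'HOST' not in {{ inventory_hostname }}` (and its `in` twin in the second task) does not parse: YAML rejects a quoted scalar followed by trailing text, and `when` is already evaluated as Jinja so `{{ }}` must not appear inside it — write `when: "'HOST' not in inventory_hostname"`. Even corrected, the test is case-sensitive and the topology names the end hosts `HostA1`…`HostD2`, so `'HOST' in inventory_hostname` is never true: the second task never runs and the first pushes `eos_config` to the Linux hosts; compare against `'Host'` or test `group_names` instead. `config_dir: "{{ playbook_dir }}/../configs/"` points one level above the playbook, whereas config_grab.yml and every path in this series put the configs at `clab/configs/`, so the push reads from a directory that does not exist in this tree. The "Configure end hosts" task would also need a module that can drive a Linux container, since `eos_config` cannot; as written it looks like a placeholder.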
@@ -14,36 +30,138 @@ hostname DC1-BORDER1 ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 20 + name Green +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC1-SPINE1 + no switchport + ip address 172.20.1.7/31 ! interface Ethernet2 + description DCI-MPLS + no switchport +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.4/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.1.4/32 ! interface Management0 vrf MGMT ip address 172.100.100.104/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan20 + mtu 9014 + vrf PROD + ip address virtual 10.20.20.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,20 vni 10010,10020 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.1.0/24 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65102 + router-id 10.0.1.4 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65100 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65100 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.1.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.1.6 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.1.4:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 20 + rd 10.0.1.4:10020 + route-target both 10020:10020 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.1.4:51 + route-target import evpn 51:51 + route-target export evpn 51:51 +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg index 02e1937c..c87447e4 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-BORDER2.cfg 
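Review bot: `neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA==` and the `LOCAL-EVPN-PEERS password 7` line store the BGP session keys in EOS type-7 form, which is reversible obfuscation rather than a hash, so committing them is equivalent to committing the plaintext; the same holds for DC1-BORDER2, DC1-LEAF and for DC1-R1's BGP passwords and `shared-key 7` IPsec key. For a disposable lab that is acceptable, but the repository already ignores `*license*.json` and `**.tok**`, so the intent to keep secrets out of git exists; a `! lab-only secrets, rotate before reuse` header, or rendering the `password` lines from vault-backed vars at push time, would bring the configs in line with it. Separately, `vrf PROD` under `router bgp 65102` has no `redistribute connected` while DC1-LEAF's `vrf PROD` does; whether the borders' PROD prefixes are meant to be advertised is not visible here, so confirm the omission is intentional.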
@@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC1-BORDER2 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
@@ -14,36 +30,138 @@ hostname DC1-BORDER2 ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 20 + name Green +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC1-SPINE1 + no switchport + ip address 172.20.1.9/31 ! interface Ethernet2 + description DCI-MPLS + no switchport +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.5/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.1.5/32 ! interface Management0 vrf MGMT ip address 172.100.100.105/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan20 + mtu 9014 + vrf PROD + ip address virtual 10.20.20.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,20 vni 10010,10020 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.1.0/24 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65103 + router-id 10.0.1.5 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65100 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65100 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.1.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.1.8 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.1.5:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 20 + rd 10.0.1.5:10020 + route-target both 10020:10020 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.1.5:51 + route-target import evpn 51:51 + route-target export evpn 51:51 +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg index 19243333..2215ac93 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-LEAF.cfg 
@@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC1-LEAF (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
@@ -14,38 +30,147 @@ hostname DC1-LEAF ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 20 + name Green +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC1-SPINE1 + no switchport + ip address 172.20.1.1/31 ! interface Ethernet2 + description HostA1 + switchport access vlan 10 + switchport + spanning-tree portfast ! interface Ethernet3 + description HostA2 + switchport access vlan 20 + switchport + spanning-tree portfast +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.1/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.1.1/32 ! interface Management0 vrf MGMT ip address 172.100.100.101/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan20 + mtu 9014 + vrf PROD + ip address virtual 10.20.20.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,20 vni 10010,10020 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.1.0/24 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65101 + router-id 10.0.1.1 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 128 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65100 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65100 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.1.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.1.0 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.1.1:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 20 + rd 10.0.1.1:10020 + route-target both 10020:10020 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.1.1:51 + route-target import evpn 51:51 + route-target export evpn 51:51 + redistribute connected +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg index f2fb01b4..1ef1d8bc 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R1.cfg 
@@ -1,39 +1,220 @@ -vrf instance MGMT +! Command: show running-config +! device: DC1-R1 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$zcGFrRLW2x9QYCry$dyhEnXV9Qh54gPHJg/lq0V65LNEX3B8q.dgREB.41f3wWz9cRqA6FwZH3wvkU0eNTXRWj4b5Wvhz/bv6l5zeP/ +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname DC1-R1 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site DC1 id 1 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + stun server-profile DC1-R2-Ethernet2 DC2-R2-Ethernet2 + ! + peer dynamic + ! + peer static router-ip 10.1.1.3 + name DC1-R2 + ipv4 address 192.0.2.6 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! 
+ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.1.2 + ! + sa policy IPSEC-SA-POLICY + ! + profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp + ! + key controller + profile IPSEC-PROFILE +! +interface Dps1 + description TEP IP + ip address 10.1.1.2/32 +! interface Ethernet1 + description DC1-SPINE1 no switchport + ip address 172.20.1.3/31 ! interface Ethernet2 + description INTERNET no switchport + ip address 192.0.2.2/30 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.2/32 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback101 + vrf PROD + ip address 10.1.101.2/32 ! interface Management1 vrf MGMT ip address 172.100.100.102/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 +! +mac address-table aging-time 1800 ! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.1.0/24 le 31 +! +ip route 0.0.0.0/0 192.0.2.1 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65000 + router-id 10.0.1.2 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + neighbor default send-community + neighbor DC1-EVPN-PEERS peer group + neighbor DC1-EVPN-PEERS remote-as 65100 + neighbor DC1-EVPN-PEERS update-source Loopback0 + neighbor DC1-EVPN-PEERS ebgp-multihop 3 + neighbor DC1-EVPN-PEERS password 7 RxqKJj2uKvzsECQR+ApqjA== + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65100 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.0.1.201 peer group DC1-EVPN-PEERS + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + neighbor 172.20.1.2 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor DC1-EVPN-PEERS activate + neighbor DC1-EVPN-PEERS encapsulation vxlan + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + neighbor WAN-OVERLAY-PEERS domain remote + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf PROD + rd 10.0.1.2:51 + rd evpn domain remote 10.0.1.2:51 + route-target import evpn 51:51 + route-target import evpn domain remote 51:51 + route-target export evpn 51:51 + route-target export evpn domain remote 51:51 + redistribute connected +! +stun + client + server-profile DC1-R2-Ethernet2 + ip address 192.0.2.6 + ! 
+ server-profile DC2-R2-Ethernet2 + ip address 192.0.2.14 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg index 897dcdd0..4d8edfe2 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-R2.cfg 
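Review bot: `ip route 0.0.0.0/0 192.0.2.1` gives the default VRF a path toward the INTERNET node, and `management api http-commands` is still `no shutdown` at the top level, so eAPI listens in the default VRF (the side Ethernet2 faces) as well as in MGMT. The playbooks reach the node through its MGMT-VRF management address, so confining eAPI to that VRF costs nothing: change the top-level `no shutdown` to `shutdown` and keep the `vrf MGMT` / `no shutdown` pair. The `ike policy IPSEC-IKE-POLICY` and `sa policy IPSEC-SA-POLICY` blocks set only `local-id` and otherwise rely on platform defaults for the negotiated algorithms; pinning them explicitly would document what the lab negotiates and survive a default change between EOS releases. `neighbor WAN-OVERLAY-PEERS maximum-routes 0` removes the prefix limit on the overlay peers, which is fine for a lab but worth a `! no prefix limit on overlay peers` note since no other peer group overrides it. DC1-R2's hunk, which runs past this chunk, repeats the first three points.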
@@ -1,39 +1,209 @@ -vrf instance MGMT +! Command: show running-config +! device: DC1-R2 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$UfCRaI6CerAMs1gp$iJHeVGrWKlVDdpDKuj09o9TVyuWKaHHd1iSfXD7YdU0gx9HPxJbs07hl0Ysybu6fvGEMa3vBeOF9wDX9O7S2b/ +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname DC1-R2 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site DC1 id 1 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + peer dynamic source stun + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! +ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.1.3 + ! + sa policy IPSEC-SA-POLICY + ! 
+ profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp +! +interface Dps1 + description TEP IP + ip address 10.1.1.3/32 +! interface Ethernet1 + description DC1-SPINE1 no switchport + ip address 172.20.1.5/31 ! interface Ethernet2 + description INTERNET no switchport + ip address 192.0.2.6/30 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.3/32 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback101 + vrf PROD + ip address 10.1.101.3/32 ! interface Management1 vrf MGMT ip address 172.100.100.103/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 +! +mac address-table aging-time 1800 ! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.1.0/24 le 31 +! +ip route 0.0.0.0/0 192.0.2.5 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65000 + router-id 10.0.1.3 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + bgp cluster-id 10.1.255.255 + graceful-restart + bgp listen range 10.0.0.0/8 peer-group WAN-OVERLAY-PEERS remote-as 65000 + neighbor default send-community + neighbor DC1-EVPN-PEERS peer group + neighbor DC1-EVPN-PEERS remote-as 65100 + neighbor DC1-EVPN-PEERS update-source Loopback0 + neighbor DC1-EVPN-PEERS ebgp-multihop 3 + neighbor DC1-EVPN-PEERS password 7 RxqKJj2uKvzsECQR+ApqjA== + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65100 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS route-reflector-client + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.0.1.201 peer group DC1-EVPN-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + neighbor 172.20.1.4 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor DC1-EVPN-PEERS activate + neighbor DC1-EVPN-PEERS encapsulation vxlan + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + neighbor WAN-OVERLAY-PEERS domain remote + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! 
+ vrf PROD + rd 10.0.1.3:51 + rd evpn domain remote 10.0.1.3:51 + route-target import evpn 51:51 + route-target import evpn domain remote 51:51 + route-target export evpn 51:51 + route-target export evpn domain remote 51:51 + redistribute connected +! +stun + server + local-interface Ethernet2 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg index 1cfad74b..79e0b342 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC1-SPINE.cfg @@ -1,8 +1,20 @@ +! Command: show running-config +! device: DC1-SPINE (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults @@ -13,7 +25,7 @@ service routing protocols model multi-agent hostname DC1-SPINE ip name-server vrf MGMT 8.8.8.8 ! -spanning-tree mode mstp +spanning-tree mode none ! system l1 unsupported speed action error 
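Review bot: The top-level `no shutdown` under `management api http-commands` enables eAPI in the default VRF, and on DC1-R2 that VRF now carries the INTERNET-facing `interface Ethernet2` (192.0.2.6/30) plus `ip route 0.0.0.0/0 192.0.2.5`, so management HTTPS is listening on the WAN side with no ACL; if eAPI is only needed from the MGMT VRF, change the top-level line to `shutdown` and keep `vrf MGMT` / `no shutdown`, or attach an `ip access-group` to the service. The same router also opens `bgp listen range 10.0.0.0/8 peer-group WAN-OVERLAY-PEERS remote-as 65000` while `neighbor WAN-OVERLAY-PEERS maximum-routes 0` removes the prefix limit, so any 10/8 source holding the MD5 key can bring up a session and push an unbounded table — narrowing the range to the DPS TEP space (looks like 10.1.0.0/16 from the Dps1 addresses) and setting a finite `maximum-routes` keeps the hub bounded. `password 7` and `shared-key 7` are reversible EOS obfuscation rather than hashes, so the BGP keys and the IPsec PSK in this file are effectively plaintext secrets in git; that is fine for a containerlab on 192.0.2.0/24, but a `! NOTE: lab-only keys, type 7 is reversible` line above `ip security` would stop them being copied into a real build.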
@@ -21,35 +33,125 @@ system l1 ! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown -! aaa authorization exec default local ! interface Ethernet1 + description DC1-LEAF + no switchport + ip address 172.20.1.0/31 ! interface Ethernet2 + description DC1-R1 + no switchport + ip address 172.20.1.2/31 ! interface Ethernet3 + description DC1-R2 + no switchport + ip address 172.20.1.4/31 ! interface Ethernet4 + description DC1-BORDER1 + no switchport + ip address 172.20.1.6/31 ! interface Ethernet5 + description DC1-BORDER2 + no switchport + ip address 172.20.1.8/31 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.1.201/32 ! interface Management0 vrf MGMT - ip address 172.100.100.100/24 + ip address 172.100.100.199/24 +! +mac address-table aging-time 1800 ! ip routing no ip routing vrf MGMT ! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 +! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65100 + router-id 10.0.1.201 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS next-hop-unchanged + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor LOCAL-IPV4-PEERS peer group + neighbor LOCAL-IPV4-PEERS password 7 DGMjRCIj8IZAFhehikpUIQ== + neighbor 10.0.1.1 peer group LOCAL-EVPN-PEERS + neighbor 10.0.1.1 remote-as 65101 + neighbor 10.0.1.1 description DC1-LEAF.EVPN + neighbor 10.0.1.2 peer group LOCAL-EVPN-PEERS + neighbor 10.0.1.2 remote-as 65000 + neighbor 10.0.1.2 description DC1-R1.EVPN + neighbor 10.0.1.3 peer group LOCAL-EVPN-PEERS + neighbor 10.0.1.3 remote-as 65000 + neighbor 10.0.1.3 description DC1-R2.EVPN + neighbor 10.0.1.4 peer group LOCAL-EVPN-PEERS + neighbor 10.0.1.4 remote-as 65102 + neighbor 10.0.1.4 description DC1-BORDER1.EVPN + neighbor 10.0.1.5 peer group LOCAL-EVPN-PEERS + neighbor 10.0.1.5 remote-as 65103 + neighbor 10.0.1.5 description DC1-BORDER2.EVPN + neighbor 172.20.1.1 peer group LOCAL-IPV4-PEERS + neighbor 172.20.1.1 remote-as 65101 + neighbor 172.20.1.1 description DC1-LEAF1.IPV4 + neighbor 172.20.1.3 peer group LOCAL-IPV4-PEERS + neighbor 172.20.1.3 remote-as 65000 + neighbor 172.20.1.3 description DC1-R1.IPV4 + neighbor 172.20.1.5 peer group LOCAL-IPV4-PEERS + neighbor 172.20.1.5 remote-as 65000 + neighbor 172.20.1.5 description DC1-R2.IPV4 + neighbor 172.20.1.7 peer group LOCAL-IPV4-PEERS + neighbor 172.20.1.7 remote-as 65102 + neighbor 172.20.1.7 description DC1-BORDER1.IPV4 + neighbor 172.20.1.9 peer group LOCAL-IPV4-PEERS + neighbor 172.20.1.9 remote-as 65103 + neighbor 172.20.1.9 description DC1-BORDER2.IPV4 + redistribute connected route-map RM-CONN-2-BGP + ! 
+ address-family evpn + neighbor LOCAL-EVPN-PEERS activate + ! + address-family ipv4 + neighbor LOCAL-IPV4-PEERS activate +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg index 510ea061..990b377e 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER1.cfg @@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC2-BORDER1 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
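Review bot: `interface Management0` on DC1-SPINE moves from 172.100.100.100/24 to 172.100.100.199/24 in this hunk while every other node keeps its existing 172.100.100.1xx address; the containerlab topology and the Ansible inventory are outside this diff, so please confirm both now point at .199, otherwise the spine silently drops out of the config push. The new `router bgp 65100` block authenticates both peer groups with `password 7`, which on EOS is reversible obfuscation keyed by the peer-group name, so the plaintext is recoverable from the repo and the ciphertext cannot be compared with the leaf/router side (`IPv4-UNDERLAY-PEERS`, `DC1-EVPN-PEERS`) to check that both ends agree — worth verifying the sessions establish rather than trusting the files. The WAN routers set `maximum-routes 0` explicitly; the spine leaves all ten neighbors at the platform default, so if the intent is to bound what a single leaf can inject, add `neighbor LOCAL-EVPN-PEERS maximum-routes <n>` and the IPv4 equivalent here.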
@@ -14,36 +30,138 @@ hostname DC2-BORDER1 ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 30 + name Orange +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC2-SPINE1 + no switchport + ip address 172.20.2.7/31 ! interface Ethernet2 + description DCI-MPLS + no switchport +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.4/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.2.4/32 ! interface Management0 vrf MGMT ip address 172.100.100.110/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan30 + mtu 9014 + vrf PROD + ip address virtual 10.30.30.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,30 vni 10010,10030 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65202 + router-id 10.0.2.4 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65200 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65200 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.2.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.2.6 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.2.4:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 30 + rd 10.0.2.4:10030 + route-target both 10030:10030 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.2.4:51 + route-target import evpn 51:51 + route-target export evpn 51:51 +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg index b14d597f..3661110a 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-BORDER2.cfg 
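Review bot: The `vrf PROD` block under `router bgp 65202` carries `rd` and `route-target` import/export but no `redistribute connected`, while the matching block on DC2-LEAF (`router bgp 65201`, later in this patch) does include it; with Vlan10 and Vlan30 living in PROD on this border as well, the 10.10.10.0/24 and 10.30.30.0/24 subnets are then advertised only from the leaf, which may be intended but reads like a copy-paste gap — either add `redistribute connected` or add a `!` comment stating the borders are import-only. `spanning-tree mst 0 priority 0` is set identically on DC2-BORDER1, DC2-BORDER2 and DC2-LEAF, so the MST root is decided by bridge MAC rather than configuration; harmless while every port except the leaf host ports is routed, but per-device priorities would make the topology deterministic. `interface Ethernet2` (DCI-MPLS) is `no switchport` with neither an address nor `shutdown`; if the DCI is not part of this lab yet, `shutdown` avoids leaving an unaddressed routed port up.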
@@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC2-BORDER2 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
@@ -12,38 +28,141 @@ service routing protocols model multi-agent ! hostname DC2-BORDER2 ip name-server vrf MGMT 8.8.8.8 +ip name-server vrf default 169.254.169.254 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 30 + name Orange +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC2-SPINE1 + no switchport + ip address 172.20.2.9/31 ! interface Ethernet2 + description DCI-MPLS + no switchport +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.5/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.2.5/32 ! interface Management0 vrf MGMT ip address 172.100.100.111/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan30 + mtu 9014 + vrf PROD + ip address virtual 10.30.30.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,30 vni 10010,10030 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65203 + router-id 10.0.2.5 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65200 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65200 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.2.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.2.8 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.2.5:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 30 + rd 10.0.2.5:10030 + route-target both 10030:10030 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.2.5:51 + route-target import evpn 51:51 + route-target export evpn 51:51 +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg index 85a51279..8c4890bd 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-LEAF.cfg 
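Review bot: `ip name-server vrf default 169.254.169.254` is added on DC2-BORDER2 only — DC2-BORDER1 and DC2-LEAF carry just `ip name-server vrf MGMT 8.8.8.8` — and 169.254.169.254 is the link-local metadata address used by cloud runtimes, so this looks like an artifact captured from the running-config of a cloud-hosted cEOS instance rather than lab design; a border switch resolving names in its data-plane VRF via a link-local address is also an unwanted dependency if the lab is ever run on a cloud VM. Drop the line (`no ip name-server vrf default 169.254.169.254`) or, if resolution in VRF default is really wanted, point it at the resolver the rest of the fabric uses and say why in a `!` comment. The rest of the hunk mirrors DC2-BORDER1, including the absence of `redistribute connected` under `vrf PROD`, so whatever is decided for the other border should be applied here too.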
@@ -1,8 +1,24 @@ +! Command: show running-config +! device: DC2-LEAF (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +dhcp relay + tunnel requests disabled + mlag peer-link requests disabled +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
@@ -14,38 +30,147 @@ hostname DC2-LEAF ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree edge-port bpduguard default +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 10 + name Blue +! +vlan 30 + name Orange +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + description DC2-SPINE1 + no switchport + ip address 172.20.2.1/31 ! interface Ethernet2 + description HostB1 + switchport access vlan 10 + switchport + spanning-tree portfast ! interface Ethernet3 + description HostB2 + switchport access vlan 30 + switchport + spanning-tree portfast +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.1/32 +! +interface Loopback1 + description Shared VTEP IP + ip address 10.1.2.1/32 ! interface Management0 vrf MGMT ip address 172.100.100.107/24 ! +interface Vlan10 + mtu 9014 + vrf PROD + ip address virtual 10.10.10.1/24 +! +interface Vlan30 + mtu 9014 + vrf PROD + ip address virtual 10.30.30.1/24 +! +interface Vxlan1 + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 10,30 vni 10010,10030 + vxlan vrf PROD vni 51 +! +mac address-table aging-time 1800 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! ip routing no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65201 + router-id 10.0.2.1 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65200 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS remote-as 65200 + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor 10.0.2.201 peer group LOCAL-EVPN-PEERS + neighbor 172.20.2.0 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 10 + rd 10.0.2.1:10010 + route-target both 10010:10010 + redistribute learned + ! + vlan 30 + rd 10.0.2.1:10030 + route-target both 10030:10030 + redistribute learned + ! + address-family evpn + neighbor LOCAL-EVPN-PEERS activate + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf PROD + rd 10.0.2.1:51 + route-target import evpn 51:51 + route-target export evpn 51:51 + redistribute connected +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg index 619e4dcd..fd7a8c94 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R1.cfg 
@@ -1,39 +1,220 @@ -vrf instance MGMT +! Command: show running-config +! device: DC2-R1 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$4F/1nC87iJJKmfu1$SNK9GiTe1tDHFJsgxcewtGOtkCja6OM1ZlANykQM0xOVsHb1Irsgloh97vrkHgKCktRxr9tCSELxC1c3WD3dn. +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname DC2-R1 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site DC2 id 2 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + stun server-profile DC2-R2-Ethernet2 DC1-R2-Ethernet2 + ! + peer dynamic + ! + peer static router-ip 10.1.1.3 + name DC1-R2 + ipv4 address 192.0.2.6 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! 
+ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.2.2 + ! + sa policy IPSEC-SA-POLICY + ! + profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp + ! + key controller + profile IPSEC-PROFILE +! +interface Dps1 + description TEP IP + ip address 10.1.2.2/32 +! interface Ethernet1 + description DC2-SPINE1 no switchport + ip address 172.20.2.3/31 ! interface Ethernet2 + description INTERNET no switchport + ip address 192.0.2.10/30 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.2/32 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback101 + vrf PROD + ip address 10.2.101.2/32 ! interface Management1 vrf MGMT ip address 172.100.100.108/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 +! +mac address-table aging-time 1800 ! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 +! +ip route 0.0.0.0/0 192.0.2.9 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65000 + router-id 10.0.2.2 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + neighbor default send-community + neighbor DC1-EVPN-PEERS peer group + neighbor DC1-EVPN-PEERS remote-as 65200 + neighbor DC1-EVPN-PEERS update-source Loopback0 + neighbor DC1-EVPN-PEERS ebgp-multihop 3 + neighbor DC1-EVPN-PEERS password 7 RxqKJj2uKvzsECQR+ApqjA== + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65200 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.0.2.201 peer group DC1-EVPN-PEERS + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + neighbor 172.20.2.2 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor DC1-EVPN-PEERS activate + neighbor DC1-EVPN-PEERS encapsulation vxlan + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + neighbor WAN-OVERLAY-PEERS domain remote + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf PROD + rd 10.0.2.2:51 + rd evpn domain remote 10.0.2.2:51 + route-target import evpn 51:51 + route-target import evpn domain remote 51:51 + route-target export evpn 51:51 + route-target export evpn domain remote 51:51 + redistribute connected +! +stun + client + server-profile DC1-R2-Ethernet2 + ip address 192.0.2.6 + ! 
+ server-profile DC2-R2-Ethernet2 + ip address 192.0.2.14 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg index 75d852c5..0a55fe67 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-R2.cfg 
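Review bot: The EVPN peer group on DC2-R1 is named `DC1-EVPN-PEERS` although it peers with DC2-SPINE (`neighbor 10.0.2.201`, `remote-as 65200`); a site-neutral name such as `LOCAL-EVPN-PEERS`, which the spine side already uses, avoids the wrong-DC label, but because the EOS type-7 ciphertext is keyed by the peer-group name the `password 7` value must be regenerated after a rename rather than copied. As on DC1-R2, the top-level `no shutdown` under `management api http-commands` enables eAPI in the default VRF, which here holds `interface Ethernet2` (INTERNET, 192.0.2.10/30) and `ip route 0.0.0.0/0 192.0.2.9`, so management HTTPS is exposed on the WAN interface; `shutdown` at the top level with only `vrf MGMT` / `no shutdown` is the safer shape. `shared-key 7 0110100A480E0A0E231D1E` under the same profile name is byte-identical on DC1-R2, DC2-R1 and DC2-R2, so this is almost certainly one reversible PSK for every tunnel in the lab — acceptable here, but a comment flagging it as lab-only and noting that per-pair PSKs or certificate-based IKE are the production shape would help. The `key controller` / `profile IPSEC-PROFILE` stanza appears only on DC2-R1; I cannot tell from the files whether that asymmetry is deliberate, so a one-line comment on why this node acts as key controller would save the next reader the same question.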
@@ -1,39 +1,208 @@ -vrf instance MGMT +! Command: show running-config +! device: DC2-R2 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$zsmf3EIuoKG2ACWc$FlgWuWBWsUTu6e09AIjISkV8SNM.QlgK1CQDk0ajifA0LWjDxVZF0VpMoGd0qIt82PSSWWqTgaV4kYrT.9MMK/ +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname DC2-R2 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site DC2 id 2 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + peer dynamic source stun + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + ! + peer static router-ip 10.1.1.3 + name DC2-R2 + ipv4 address 192.0.2.6 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! +ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.2.3 + ! + sa policy IPSEC-SA-POLICY + ! 
+ profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp +! +interface Dps1 + description TEP IP + ip address 10.1.2.3/32 +! interface Ethernet1 + description DC2-SPINE1 no switchport + ip address 172.20.2.5/31 ! interface Ethernet2 + description INTERNET no switchport + ip address 192.0.2.14/30 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.3/32 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback101 + vrf PROD + ip address 10.2.101.3/32 ! interface Management1 vrf MGMT ip address 172.100.100.109/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 +! +mac address-table aging-time 1800 ! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 +! +ip route 0.0.0.0/0 192.0.2.13 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65000 + router-id 10.0.2.3 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + bgp cluster-id 10.1.255.255 + graceful-restart + bgp listen range 10.0.0.0/8 peer-group WAN-OVERLAY-PEERS remote-as 65000 + neighbor default send-community + neighbor DC1-EVPN-PEERS peer group + neighbor DC1-EVPN-PEERS remote-as 65200 + neighbor DC1-EVPN-PEERS update-source Loopback0 + neighbor DC1-EVPN-PEERS ebgp-multihop 3 + neighbor DC1-EVPN-PEERS password 7 RxqKJj2uKvzsECQR+ApqjA== + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS remote-as 65200 + neighbor IPv4-UNDERLAY-PEERS password 7 t7gEXzNemRRE24Du53hBEA== + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS route-reflector-client + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.0.2.201 peer group DC1-EVPN-PEERS + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 172.20.2.4 peer group IPv4-UNDERLAY-PEERS + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor DC1-EVPN-PEERS activate + neighbor DC1-EVPN-PEERS encapsulation vxlan + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + neighbor WAN-OVERLAY-PEERS domain remote + route import match-failure action discard + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! 
+ vrf PROD + rd evpn domain all 10.0.2.3:51 + route-target import evpn 51:51 + route-target import evpn domain remote 51:51 + route-target export evpn 51:51 + route-target export evpn domain remote 51:51 + redistribute connected +! +stun + server + local-interface Ethernet2 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg index 7ffca988..f9394e0e 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DC2-SPINE.cfg @@ -1,8 +1,20 @@ +! Command: show running-config +! device: DC2-SPINE (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults @@ -13,7 +25,7 @@ service routing protocols model multi-agent hostname DC2-SPINE ip name-server vrf MGMT 8.8.8.8 ! -spanning-tree mode mstp +spanning-tree mode none ! system l1 unsupported speed action error 
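Review bot: `bgp listen range 10.0.0.0/8 peer-group WAN-OVERLAY-PEERS remote-as 65000` lets any source in the whole 10/8 open a dynamic overlay session with this route reflector, yet every Dps1 TEP visible in this patch (10.1.1.3, 10.1.2.3, 10.1.3.1, 10.1.3.2, 10.1.4.1) sits in 10.1.0.0/16 and the hunk's own `PL-LOOPBACKS` already singles that space out with `seq 20 permit 10.1.0.0/16 eq 32`; narrowing to `bgp listen range 10.1.0.0/16 peer-group WAN-OVERLAY-PEERS remote-as 65000` keeps the underlay loopbacks in 10.0.x.x out of the accept set, and since `neighbor WAN-OVERLAY-PEERS maximum-routes 0` removes the prefix limit for those dynamic peers a non-zero bound is worth restoring. Under `router path-selection`, the static peer at router-ip 10.1.1.3 / 192.0.2.6 is DC1-R2 (S1-R1's config names that exact pair `name DC1-R2`), so `name DC2-R2` here is this device naming itself and should read `name DC1-R2`; the peer-group `DC1-EVPN-PEERS`, which on this DC2 device peers with DC2-SPINE at 10.0.2.201, looks like the same copy-from-DC1 slip. The IPsec `shared-key 7 0110100A480E0A0E231D1E` and the BGP `password 7 …` strings are reversible type-7 encodings, and the same values are committed for every WAN router in this patch, so they should be treated as cleartext lab credentials and regenerated before any of these files are reused outside containerlab.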
@@ -21,35 +33,125 @@ system l1 ! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown -! aaa authorization exec default local ! interface Ethernet1 + description DC2-LEAF + no switchport + ip address 172.20.2.0/31 ! interface Ethernet2 + description DC2-R1 + no switchport + ip address 172.20.2.2/31 ! interface Ethernet3 + description DC2-R2 + no switchport + ip address 172.20.2.4/31 ! interface Ethernet4 + description DC2-BORDER1 + no switchport + ip address 172.20.2.6/31 ! interface Ethernet5 + description DC2-BORDER2 + no switchport + ip address 172.20.2.8/31 +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.2.201/32 ! interface Management0 vrf MGMT ip address 172.100.100.106/24 ! +mac address-table aging-time 1800 +! ip routing no ip routing vrf MGMT ! +ip prefix-list PL-LOOPBACKS + seq 10 permit 10.0.0.0/16 eq 32 + seq 20 permit 10.1.0.0/16 eq 32 +! +ip prefix-list PL-P2P-UNDERLAY + seq 10 permit 172.20.0.0/16 le 31 +! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +arp aging timeout default 1500 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS +! +route-map RM-CONN-2-BGP permit 20 + match ip address prefix-list PL-P2P-UNDERLAY +! 
+router bgp 65200 + router-id 10.0.2.201 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + maximum-paths 4 + neighbor default send-community + neighbor LOCAL-EVPN-PEERS peer group + neighbor LOCAL-EVPN-PEERS next-hop-unchanged + neighbor LOCAL-EVPN-PEERS update-source Loopback0 + neighbor LOCAL-EVPN-PEERS ebgp-multihop 3 + neighbor LOCAL-EVPN-PEERS password 7 WzKnNSduqwPYvUePYIh40g== + neighbor LOCAL-IPV4-PEERS peer group + neighbor LOCAL-IPV4-PEERS password 7 DGMjRCIj8IZAFhehikpUIQ== + neighbor 10.0.2.1 peer group LOCAL-EVPN-PEERS + neighbor 10.0.2.1 remote-as 65201 + neighbor 10.0.2.1 description DC2-LEAF.EVPN + neighbor 10.0.2.2 peer group LOCAL-EVPN-PEERS + neighbor 10.0.2.2 remote-as 65000 + neighbor 10.0.2.2 description DC2-R1.EVPN + neighbor 10.0.2.3 peer group LOCAL-EVPN-PEERS + neighbor 10.0.2.3 remote-as 65000 + neighbor 10.0.2.3 description DC2-R2.EVPN + neighbor 10.0.2.4 peer group LOCAL-EVPN-PEERS + neighbor 10.0.2.4 remote-as 65202 + neighbor 10.0.2.4 description DC2-BORDER1.EVPN + neighbor 10.0.2.5 peer group LOCAL-EVPN-PEERS + neighbor 10.0.2.5 remote-as 65203 + neighbor 10.0.2.5 description DC2-BORDER2.EVPN + neighbor 172.20.2.1 peer group LOCAL-IPV4-PEERS + neighbor 172.20.2.1 remote-as 65201 + neighbor 172.20.2.1 description DC2-LEAF1.IPV4 + neighbor 172.20.2.3 peer group LOCAL-IPV4-PEERS + neighbor 172.20.2.3 remote-as 65000 + neighbor 172.20.2.3 description DC2-R1.IPV4 + neighbor 172.20.2.5 peer group LOCAL-IPV4-PEERS + neighbor 172.20.2.5 remote-as 65000 + neighbor 172.20.2.5 description DC2-R2.IPV4 + neighbor 172.20.2.7 peer group LOCAL-IPV4-PEERS + neighbor 172.20.2.7 remote-as 65202 + neighbor 172.20.2.7 description DC2-BORDER1.IPV4 + neighbor 172.20.2.9 peer group LOCAL-IPV4-PEERS + neighbor 172.20.2.9 remote-as 65203 + neighbor 172.20.2.9 description DC2-BORDER2.IPV4 + redistribute connected route-map RM-CONN-2-BGP + ! 
+ address-family evpn + neighbor LOCAL-EVPN-PEERS activate + ! + address-family ipv4 + neighbor LOCAL-IPV4-PEERS activate +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg index 4fd36ded..a4aaf68c 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/DCI-MPLS.cfg @@ -1,8 +1,18 @@ +! Command: show running-config +! device: DCI-MPLS (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults @@ -21,12 +31,6 @@ system l1 ! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown -! aaa authorization exec default local ! interface Ethernet1 @@ -46,8 +50,15 @@ no ip routing vrf MGMT ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg index a7d6b549..dd10fc1a 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/INTERNET.cfg 
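Review bot: `neighbor 172.20.2.1 description DC2-LEAF1.IPV4` does not match the EVPN peer's `DC2-LEAF.EVPN` or Ethernet1's `description DC2-LEAF` in the same hunk; `neighbor 172.20.2.1 description DC2-LEAF.IPV4` keeps the three names consistent so that `show bgp` output can be grepped by device name. The `LOCAL-EVPN-PEERS` and `LOCAL-IPV4-PEERS` peer groups carry `password 7 …` values that, like the ones on the routers, are a reversible encoding committed to the repo and should be regarded as lab-only.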
@@ -1,8 +1,20 @@ +! Command: show running-config +! device: INTERNET (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults @@ -13,47 +25,72 @@ service routing protocols model multi-agent hostname INTERNET ip name-server vrf MGMT 8.8.8.8 ! -spanning-tree mode mstp +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! -vrf instance MGMT +vrf instance INET ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance MGMT ! aaa authorization exec default local ! interface Ethernet1 + no switchport + vrf INET + ip address 192.0.2.1/30 ! interface Ethernet2 + no switchport + vrf INET + ip address 192.0.2.5/30 ! interface Ethernet3 + no switchport + vrf INET + ip address 192.0.2.9/30 ! interface Ethernet4 + no switchport + vrf INET + ip address 192.0.2.13/30 ! interface Ethernet5 + no switchport + vrf INET + ip address 192.0.2.17/30 ! interface Ethernet6 + no switchport + vrf INET + ip address 192.0.2.21/30 ! interface Ethernet7 + no switchport + vrf INET + ip address 192.0.2.25/30 ! interface Management0 vrf MGMT ip address 172.100.100.118/24 ! ip routing +ip routing vrf INET no ip routing vrf MGMT ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file 
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg
index c12a1e64..8f43d021 100644
--- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R1.cfg
@@ -1,39 +1,193 @@ -vrf instance MGMT +! Command: show running-config +! device: S1-R1 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$z0UaxvXpLJ1akR87$N11d5jWPYX2wrg9.tU8BgsWqYvyLQfU77Gdi0.twSLrtU7UDOwQ13yy.LA9jOfHN4hvkar7sIidjvMEtCwvkc/ +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname S1-R1 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site SITE1 id 3 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + stun server-profile DC2-R2-Ethernet2 DC1-R2-Ethernet2 + ! + peer dynamic + ! + peer static router-ip 10.1.1.3 + name DC1-R2 + ipv4 address 192.0.2.6 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! 
+ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.3.1 + ! + sa policy IPSEC-SA-POLICY + ! + profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp + ! + key controller + profile IPSEC-PROFILE +! +interface Dps1 + description TEP IP + ip address 10.1.3.1/32 +! interface Ethernet1 no switchport ! +interface Ethernet1.101 + encapsulation dot1q vlan 101 + vrf PROD + ip address 172.20.3.0/31 +! interface Ethernet2 no switchport + ip address 192.0.2.18/30 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback0 + description Globally Unique Address + ip address 10.0.3.1/32 +! +interface Loopback101 + vrf PROD + ip address 10.101.3.1/32 ! interface Management1 vrf MGMT ip address 172.100.100.112/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 ! +mac address-table aging-time 1800 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip route 0.0.0.0/0 192.0.2.17 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +router bgp 65000 + router-id 10.0.3.1 + no bgp default ipv4-unicast + distance bgp 20 200 200 + graceful-restart restart-time 300 + graceful-restart + neighbor default send-community + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! 
+ address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf PROD + rd 10.0.3.1:51 + rd evpn domain remote 10.0.3.1:51 + route-target import evpn 51:51 + route-target export evpn 51:51 + neighbor 172.20.3.1 remote-as 65300 + redistribute connected + ! + address-family ipv4 + neighbor 172.20.3.1 activate +! +stun + client + server-profile DC1-R2-Ethernet2 + ip address 192.0.2.6 + ! + server-profile DC2-R2-Ethernet2 + ip address 192.0.2.14 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg index 58647afa..2925b121 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-R2.cfg 
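Review bot: The `vrf PROD` block configures `rd evpn domain remote 10.0.3.1:51` without the matching `route-target import evpn domain remote 51:51` / `route-target export evpn domain remote 51:51` that DC2-R1 and DC2-R2 pair it with, and the sibling S1-R2 and S2-R1 configs in this patch have no `rd evpn domain remote` at all, so either this line is a leftover on a branch edge or the other two branches are missing it; the three sites should come out of one template. The LAN-side `neighbor 172.20.3.1 remote-as 65300` in vrf PROD is the only BGP session in this file with no neighbor password, whereas the WAN-OVERLAY-PEERS group is authenticated — acceptable in containerlab, but it is the session facing the customer-side switch, so a neighbor password as on the WAN side would make the pattern safe to copy.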
@@ -1,39 +1,188 @@ -vrf instance MGMT +! Command: show running-config +! device: S1-R2 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$j11k6l6abHnpSRTv$g4WF2FpxYmThbsHtHBT9Q/TeAmOycGCQH5InQZPKFtRlNMw04b7VTucfkkAjuJjgM.xsJHbYJKuGziArGyv5R1 +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname S1-R2 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site SITE1 id 3 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + stun server-profile DC2-R2-Ethernet2 DC1-R2-Ethernet2 + ! + peer dynamic + ! + peer static router-ip 10.1.1.3 + name DC1-R2 + ipv4 address 192.0.2.6 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance MGMT +! +vrf instance PROD +! +aaa authorization exec default local +! 
+ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.3.2 + ! + sa policy IPSEC-SA-POLICY + ! + profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp + ! + key controller + profile IPSEC-PROFILE +! +interface Dps1 + description TEP IP + ip address 10.1.3.2/32 +! interface Ethernet1 no switchport + ip address 172.20.3.2/31 +! +interface Ethernet1.101 + encapsulation dot1q vlan 101 + vrf PROD + ip address 172.20.3.4/31 ! interface Ethernet2 no switchport + ip address 192.0.2.22/30 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback0 + description Globally Unique Address + ip address 10.0.3.2/32 +! +interface Loopback101 + vrf PROD + ip address 10.101.3.2/32 ! interface Management1 vrf MGMT ip address 172.100.100.113/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 ! +mac address-table aging-time 1800 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip route 0.0.0.0/0 192.0.2.21 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +router bgp 65000 + neighbor default send-community + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! 
+ vrf PROD + rd 10.0.3.2:51 + route-target import evpn 51:51 + route-target export evpn 51:51 + neighbor 172.20.3.5 remote-as 65300 + redistribute connected + ! + address-family ipv4 + neighbor 172.20.3.5 activate +! +stun + client + server-profile DC1-R2-Ethernet2 + ip address 192.0.2.6 + ! + server-profile DC2-R2-Ethernet2 + ip address 192.0.2.14 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg index a5165e0d..546aee49 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S1-SW1.cfg @@ -1,8 +1,20 @@ +! Command: show running-config +! device: S1-SW1 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
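Review bot: `router bgp 65000` on S1-R2 (and on S2-R1 in the later hunk) carries none of the process-level settings S1-R1 has — no `router-id 10.0.3.2`, no `no bgp default ipv4-unicast`, no `distance bgp 20 200 200` and no `graceful-restart restart-time 300` / `graceful-restart`. Without `no bgp default ipv4-unicast` the WAN-OVERLAY-PEERS sessions are also activated in IPv4 unicast, which S1-R1 explicitly avoids, and without a fixed router-id EOS derives one itself, so the branch routers will not behave identically. The block begins at the end of the previous part of this hunk; the lines below, mirroring S1-R1 with the Loopback0 address, align it (S2-R1 would get `router-id 10.0.4.1`).
```eos
router bgp 65000
   router-id 10.0.3.2
   no bgp default ipv4-unicast
   distance bgp 20 200 200
   graceful-restart restart-time 300
   graceful-restart
   ! … unchanged: neighbor default send-community and the WAN-OVERLAY-PEERS peer group …
```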
@@ -14,40 +26,111 @@ hostname S1-SW1 ip name-server vrf MGMT 8.8.8.8 ! spanning-tree mode mstp +spanning-tree mst 0 priority 0 ! system l1 unsupported speed action error unsupported error-correction action error ! +vlan 40 + name Purple +! +vlan 50 + name Red +! +vrf instance DEV +! vrf instance MGMT ! -management api http-commands - no shutdown - ! - vrf MGMT - no shutdown +vrf instance PROD ! aaa authorization exec default local ! interface Ethernet1 + no switchport +! +interface Ethernet1.101 + encapsulation dot1q vlan 101 + vrf PROD + ip address 172.20.3.1/31 +! +interface Ethernet1.102 + encapsulation dot1q vlan 102 + vrf DEV + ip address 172.20.3.3/31 ! interface Ethernet2 + no switchport +! +interface Ethernet2.101 + encapsulation dot1q vlan 101 + vrf PROD + ip address 172.20.3.5/31 +! +interface Ethernet2.102 + encapsulation dot1q vlan 102 + vrf DEV + ip address 172.20.3.7/31 ! interface Ethernet3 + description HostC1 + switchport access vlan 40 + switchport ! interface Ethernet4 + description HostC2 + switchport access vlan 50 + switchport +! +interface Loopback0 + description Globally Unique Address + ip address 10.0.3.3/32 +! +interface Loopback101 + vrf PROD + ip address 10.101.3.3/32 ! interface Management0 vrf MGMT ip address 172.100.100.114/24 ! +interface Vlan40 + vrf PROD + ip address 10.40.40.1/24 +! +interface Vlan50 + vrf DEV + ip address 10.50.50.1/24 +! ip routing +ip routing vrf DEV no ip routing vrf MGMT +ip routing vrf PROD ! ip route vrf MGMT 0.0.0.0/0 172.100.100.1 ! +router bgp 65300 + router-id 10.0.3.3 + ! + vrf DEV + neighbor 172.20.3.2 remote-as 65000 + neighbor 172.20.3.6 remote-as 65000 + redistribute connected + ! + vrf PROD + neighbor 172.20.3.0 remote-as 65000 + neighbor 172.20.3.4 remote-as 65000 + redistribute connected +! +router multicast + ipv4 + software-forwarding kernel + ! + ipv6 + software-forwarding kernel +! management ssh vrf MGMT no shutdown ! -end +end \ No newline at end of file 
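Review bot: The host-facing access ports `interface Ethernet3` (HostC1) and `interface Ethernet4` (HostC2) get `switchport access vlan` but no `spanning-tree portfast`, while the equivalent HostD1/HostD2 ports on S2-SW1 in this patch do, and neither switch sets `spanning-tree bpduguard enable` on its edge ports, so a host or a mis-cabled link emitting BPDUs would take part in MST on a switch that is also pinned as root with `spanning-tree mst 0 priority 0`. Adding `spanning-tree portfast` and `spanning-tree bpduguard enable` under Ethernet3 and Ethernet4 here, and `spanning-tree bpduguard enable` under Ethernet2/Ethernet3 on S2-SW1, keeps topology changes to the two switches. The `vrf DEV` and `vrf PROD` eBGP sessions towards the routers have no neighbor password while the routers' WAN sessions do; if that asymmetry is deliberate for the lab, the S1-R1 and S1-R2 sides of those sessions should at least be documented as unauthenticated.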
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg
index ff108f38..b1442ff1 100644
--- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-R1.cfg
@@ -1,39 +1,192 @@ -vrf instance MGMT +! Command: show running-config +! device: S2-R1 (cEOSCloudLab, EOS-4.32.2F-37806342.jamunarel (engineering build)) +! +no aaa root ! -username admin secret admin privilege 15 role network-admin +username admin privilege 15 role network-admin secret sha512 $6$s7SiRPOsPP68Jb0p$I3I1TyAsFskFro2QkjHJk2O2FuuWWF8c8.U67Kv0ToHPIRJctIk2CQ9VrquePlviqZMPEiajQsSN3vcgaRqj8. +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' ! management api http-commands no shutdown + ! + vrf MGMT + no shutdown ! switchport default mode routed ! -agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP='true' -! no service interface inactive port-id allocation disabled ! transceiver qsfp default-mode 4x10G ! +interface defaults + mtu 9214 +! service routing protocols model multi-agent ! hostname S2-R1 ! -spanning-tree mode mstp +router adaptive-virtual-topology + topology role edge gateway vxlan + region REGION1 id 1 + zone REGION1-ZONE1 id 1 + site SITE2 id 4 + ! + policy DEFAULT-AVT-POLICY + match application-profile default + avt profile DEFAULT-AVT-PROFILE + ! + profile DEFAULT-AVT-PROFILE + path-selection load-balance DEFAULT-LB-POLICY + ! + vrf PROD + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 + ! + vrf default + avt policy DEFAULT-AVT-POLICY + avt profile DEFAULT-AVT-PROFILE id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 1 + ipsec profile IPSEC-PROFILE + ! + local interface Ethernet2 + stun server-profile DC1-R2-Ethernet2 DC2-R2-Ethernet2 + ! + peer dynamic + ! + peer static router-ip 10.1.1.3 + name DC1-R2 + ipv4 address 192.0.2.6 + ! + peer static router-ip 10.1.2.3 + name DC2-R2 + ipv4 address 192.0.2.14 + ! + load-balance policy DEFAULT-LB-POLICY + path-group INET +! +spanning-tree mode none ! system l1 unsupported speed action error unsupported error-correction action error ! +vrf instance DEV +! +vrf instance MGMT +! +vrf instance PROD +! 
+aaa authorization exec default local +! +ip security + ike policy IPSEC-IKE-POLICY + local-id 10.1.4.1 + ! + sa policy IPSEC-SA-POLICY + ! + profile IPSEC-PROFILE + ike-policy IPSEC-IKE-POLICY + sa-policy IPSEC-SA-POLICY + connection start + shared-key 7 0110100A480E0A0E231D1E + dpd 10 50 clear + mode transport + ! + flow entropy udp + ! + key controller + profile IPSEC-PROFILE +! +interface Dps1 + description TEP IP + ip address 10.1.4.1/32 +! interface Ethernet1 no switchport ! +interface Ethernet1.60 + encapsulation dot1q vlan 60 + vrf PROD + ip address 10.60.60.1/24 +! +interface Ethernet1.70 + encapsulation dot1q vlan 70 + vrf DEV + ip address 10.70.70.1/24 +! interface Ethernet2 + description INET no switchport + ip address 192.0.2.26/30 ! -ip route vrf MGMT 0/0 172.100.100.1 +interface Loopback0 + description Globally Unique Address + ip address 10.0.4.1/32 +! +interface Loopback101 + vrf PROD + ip address 10.101.4.1/32 ! interface Management1 vrf MGMT ip address 172.100.100.115/24 ! -ip routing +interface Vxlan1 + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf PROD vni 51 + vxlan vrf default vni 50 ! +mac address-table aging-time 1800 +! +ip routing +ip routing vrf DEV +no ip routing vrf MGMT +ip routing vrf PROD +! +ip route 0.0.0.0/0 192.0.2.25 +ip route vrf MGMT 0.0.0.0/0 172.100.100.1 +! +arp aging timeout default 1500 +! +router bgp 65000 + neighbor default send-community + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 5000 min-rx 5000 multiplier 3 + neighbor WAN-OVERLAY-PEERS password 7 Jasxt4q1i1EVo3kE0U5v4w== + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 10.1.1.3 peer group WAN-OVERLAY-PEERS + neighbor 10.1.2.3 peer group WAN-OVERLAY-PEERS + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! 
+ address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf PROD + rd 10.0.4.1:51 + route-target import evpn 51:51 + route-target export evpn 51:51 + redistribute connected +! +stun + client + server-profile DC1-R2-Ethernet2 + ip address 192.0.2.6 + ! + server-profile DC2-R2-Ethernet2 + ip address 192.0.2.14 +! +end \ No newline at end of file diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg index b9ba9879..b0bc7cb7 100644 --- a/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg +++ b/tech-library/wan/autovpn/zbackend-infra/clab/configs/S2-SW1.cfg @@ -1,8 +1,20 @@ +! Command: show running-config +! device: S2-SW1 (cEOSLab, EOS-4.33.0F-38377046.eostrunkceos (engineering build)) ! no aaa root ! username admin privilege 15 role network-admin secret sha512 $6$eucN5ngreuExDgwS$xnD7T8jO..GBDX0DUlp.hn.W7yW94xTjSanqgaQGBzPIhDAsyAl9N4oScHvOMvf07uVBFI4mKMxwdVEUVKgY/. ! +management api http-commands + no shutdown + ! + vrf MGMT + no shutdown +! +switchport default mode routed +! +no service interface inactive port-id allocation disabled +! transceiver qsfp default-mode 4x10G ! interface defaults 
@@ -14,26 +26,41 @@ hostname S2-SW1
 ip name-server vrf MGMT 8.8.8.8
 !
 spanning-tree mode mstp
+spanning-tree mst 0 priority 0
 !
 system l1
 unsupported speed action error
 unsupported error-correction action error
 !
-vrf instance MGMT
+vlan 60
+ name Brown
 !
-management api http-commands
- no shutdown
- !
- vrf MGMT
- no shutdown
+vlan 70
+ name Pink
+!
+vrf instance MGMT
 !
 aaa authorization exec default local
 !
 interface Ethernet1
+ description S2-R1
+ switchport mode trunk
+ switchport
 !
 interface Ethernet2
+ description HostD1
+ switchport access vlan 60
+ switchport
+ spanning-tree portfast
 !
 interface Ethernet3
+ description HostD2
+ switchport access vlan 70
+ switchport
+ spanning-tree portfast
+!
+interface Ethernet4
+ no switchport
 !
 interface Management0
 vrf MGMT
@@ -44,8 +71,15 @@ no ip routing vrf MGMT
 !
 ip route vrf MGMT 0.0.0.0/0 172.100.100.1
 !
+router multicast
+ ipv4
+ software-forwarding kernel
+ !
+ ipv6
+ software-forwarding kernel
+!
 management ssh
 vrf MGMT
 no shutdown
 !
-end
+end
\ No newline at end of file
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/inventory/group_vars/eos.yml b/tech-library/wan/autovpn/zbackend-infra/clab/inventory/group_vars/eos.yml
new file mode 100644
index 00000000..2a8a1285
--- /dev/null
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/inventory/group_vars/eos.yml
@@ -0,0 +1,10 @@
+ansible_network_os: eos
+ansible_connection: httpapi
+ansible_user: admin
+ansible_password: admin
+ansible_become: true
+ansible_become_method: enable
+ansible_httpapi_use_ssl: true
+ansible_httpapi_validate_certs: false
+ansible_httpapi_ciphers: AES256-SHA:DHE-RSA-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA
+ansible_python_interpreter: $(which python3)
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/inventory/inventory.yml b/tech-library/wan/autovpn/zbackend-infra/clab/inventory/inventory.yml
new file mode 100644
index 00000000..1b3e7179
--- /dev/null
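Review bot: Ethernet2 and Ethernet3 are configured as host-facing access ports with `spanning-tree portfast` but no BPDU guard, so a BPDU arriving from HostD1 or HostD2 is processed rather than err-disabling the port; `spanning-tree bpduguard enable` under each of those two interfaces is the usual companion to portfast on edge ports. Ethernet4 is added as `no switchport` with no `description`, unlike every other interface in this hunk, which leaves its role undocumented in a config that is otherwise self-describing.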
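Review bot: The only change to the last line is that `end` loses its trailing newline (`-end` / `+end` followed by `\ No newline at end of file`); the S2-R1 config earlier in the series ends the same way. These files look like captured running-configs (the `! Command: show running-config` header in the first hunk), so whatever writes them — presumably the config_grab.yml playbook the Makefile refers to — should emit a final newline; otherwise every future capture keeps producing this spurious one-line diff on the `end` line.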
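Review bot: `ansible_user: admin` / `ansible_password: admin` are committed in plaintext in group_vars; even for a lab, the password belongs in an Ansible Vault value or an environment lookup such as `ansible_password: "{{ lookup('env', 'LAB_EOS_PASSWORD') }}"` so this file can be copied into a non-lab inventory without carrying a credential. `ansible_httpapi_validate_certs: false` combined with a cipher list restricted to RSA/DHE CBC-SHA1 suites gives an unauthenticated, legacy-cipher eAPI session; a comment stating that this is lab-only and why those suites are required would stop it being copied verbatim into real inventories. `ansible_python_interpreter: $(which python3)` is not shell-expanded by Ansible and is taken literally; push_license.yml later in the series overrides it with a literal `/usr/bin/python3`, which suggests it did not work as intended, so `ansible_python_interpreter: auto` (or the literal path) is the safer value here. The same series also checks type-7 obfuscated IPsec `shared-key` and BGP `password` values into the S2-R1 device config; type-7 is reversible and should be handled with the same care as plaintext.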
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/inventory/inventory.yml
@@ -0,0 +1,80 @@
+all:
+ children:
+ eos:
+ hosts:
+ DC1-BORDER1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22004
+ ansible_httpapi_port: 44304
+ DC1-BORDER2:
+ ansible_host: 127.0.0.1
+ ansible_port: 22005
+ ansible_httpapi_port: 44305
+ DC1-LEAF:
+ ansible_host: 127.0.0.1
+ ansible_port: 22001
+ ansible_httpapi_port: 44301
+ DC1-R1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22002
+ ansible_httpapi_port: 44302
+ DC1-R2:
+ ansible_host: 127.0.0.1
+ ansible_port: 22003
+ ansible_httpapi_port: 44303
+ DC1-SPINE:
+ ansible_host: 127.0.0.1
+ ansible_port: 22099
+ ansible_httpapi_port: 44399
+ DC2-BORDER1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22010
+ ansible_httpapi_port: 44310
+ DC2-BORDER2:
+ ansible_host: 127.0.0.1
+ ansible_port: 22011
+ ansible_httpapi_port: 44311
+ DC2-LEAF:
+ ansible_host: 127.0.0.1
+ ansible_port: 22007
+ ansible_httpapi_port: 44307
+ DC2-R1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22008
+ ansible_httpapi_port: 44308
+ DC2-R2:
+ ansible_host: 127.0.0.1
+ ansible_port: 22009
+ ansible_httpapi_port: 44309
+ DC2-SPINE:
+ ansible_host: 127.0.0.1
+ ansible_port: 22006
+ ansible_httpapi_port: 44306
+ DCI-MPLS:
+ ansible_host: 127.0.0.1
+ ansible_port: 22019
+ ansible_httpapi_port: 44319
+ INTERNET:
+ ansible_host: 127.0.0.1
+ ansible_port: 22018
+ ansible_httpapi_port: 44318
+ S1-R1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22012
+ ansible_httpapi_port: 44312
+ S1-R2:
+ ansible_host: 127.0.0.1
+ ansible_port: 22013
+ ansible_httpapi_port: 44313
+ S1-SW1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22014
+ ansible_httpapi_port: 44314
+ S2-R1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22015
+ ansible_httpapi_port: 44315
+ S2-SW1:
+ ansible_host: 127.0.0.1
+ ansible_port: 22016
+ ansible_httpapi_port: 44316
From b3a3d1b4df68a75994bf64eb085b15c2897820f3 Mon Sep 17 00:00:00 2001
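Review bot: All 19 hosts use `ansible_host: 127.0.0.1` with per-host `ansible_port` / `ansible_httpapi_port` values whose origin is not recorded anywhere in the file; if they mirror the port publications in the containerlab topology (the `clab` directory suggests so), a header comment such as `# ssh/eAPI ports follow the port mappings published by the clab topology file` would keep this inventory and the topology from drifting apart. DC1-SPINE (22099/44399) also breaks the otherwise sequential numbering, which deserves a one-line comment if it is intentional.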
From: Mitch Vaughan
Date: Mon, 2 Sep 2024 16:14:57 +0000
Subject: [PATCH 7/8] autovpn clab build
---
 .../zbackend-infra/clab/push_license.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/push_license.yml
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/push_license.yml b/tech-library/wan/autovpn/zbackend-infra/clab/push_license.yml
new file mode 100644
index 00000000..33fd2339
--- /dev/null
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/push_license.yml
@@ -0,0 +1,21 @@
+---
+- name: Copy license file
+ hosts: DC*-R*:S*-R*
+ gather_facts: false
+ vars:
+ ansible_python_interpreter: /usr/bin/python3
+ tasks:
+ - name: Copy license file to {{ inventory_hostname }}
+ ansible.netcommon.net_put:
+ src: ./ipsec-license.json
+ protocol: sftp
+ dest: /mnt/flash/ipsec-license.json
+ - name: Install license
+ eos_command:
+ commands:
+ - "license import flash:ipsec-license.json"
+ - "license update"
From d605df7a20f51696ae66dfc60911741f5f64112c Mon Sep 17 00:00:00 2001
From: Mitch Vaughan
Date: Tue, 3 Sep 2024 12:08:41 +0000
Subject: [PATCH 8/8] makefile for autovpn clab
---
 .../wan/autovpn/zbackend-infra/clab/Makefile | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 tech-library/wan/autovpn/zbackend-infra/clab/Makefile
diff --git a/tech-library/wan/autovpn/zbackend-infra/clab/Makefile b/tech-library/wan/autovpn/zbackend-infra/clab/Makefile
new file mode 100644
index 00000000..e6d09d18
--- /dev/null
+++ b/tech-library/wan/autovpn/zbackend-infra/clab/Makefile
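Review bot: The play only works when the connection type is overridden at invocation time: group_vars/eos.yml sets `ansible_connection: httpapi`, `ansible.netcommon.net_put` needs a `network_cli` connection, and the Makefile in the next patch passes `-e ansible_connection=network_cli` to bridge that gap; adding `ansible_connection: network_cli` to the play's existing `vars:` block next to `ansible_python_interpreter` makes the playbook correct on its own. The second task uses the short name `eos_command` while the first uses the FQCN `ansible.netcommon.net_put`; `arista.eos.eos_command` keeps the two consistent and avoids depending on collection name resolution. `./ipsec-license.json` is read from the playbook directory, and the patch does not show whether it is git-ignored; a license artifact should not end up committed alongside the playbook, so a comment naming where the file comes from and an ignore rule are worth adding.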
@@ -0,0 +1,16 @@
+.PHONY: help
+help: ## Display help message
+ @grep -E '^[0-9a-zA-Z_-]+\.*[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: push-configs
+push-configs: ## Push configs to lab
+ ansible-playbook config_push.yml
+
+.PHONY: grab-configs
+grab-configs: ## Grab configs from the lab
+ ansible-playbook config_grab.yml
+
+.PHONY: push-license
+push-license: ## Push license to CloudEOS nodes
+ pip3 install paramiko ansible-pylibssh
+ ansible-playbook push_license.yml -e ansible_connection=network_cli
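Review bot: The `push-license` target runs `pip3 install paramiko ansible-pylibssh` unpinned on every invocation, so each run may pull a different release into whatever interpreter `pip3` resolves to on the operator's PATH, which is both irreproducible and a needless supply-chain exposure for a step that only pushes a license. Pin the versions, e.g. `pip3 install 'paramiko==<pinned-version>' 'ansible-pylibssh==<pinned-version>'`, or move them into a requirements file with hashes behind a separate `deps` target so the install is explicit and not a side effect of pushing a license. The `-e ansible_connection=network_cli` flag is what makes push_license.yml work against the httpapi defaults in group_vars; if the play sets its own connection type, the flag can be dropped here.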