Appendix
The configurations for the individual roles are given below.
Leaf Node Configuration
This is a configuration example for a leaf brought up by POAP using the FUJI2 leaf template. The example shows two route reflectors and the LDAP configuration used for auto-configuration.
Note: This is not a complete configuration, but only an illustration of the configuration for unicast forwarding shown in Fabric Control Segment and BGP Control Plane.
The following is an example for BGP and FabricPath IS-IS:
install feature-set fabricpath
install feature-set fabric
feature-set fabricpath
feature-set fabric
feature fabric forwarding
feature bgp
ip access-list HOSTS
10 permit ip any any
ipv6 access-list V6HOSTS
10 permit ipv6 any any
ip prefix-list control-subnet seq 100 permit 44.2.0.0/22
route-map ALL-PATHS permit 10
set path-selection all advertise
route-map FABRIC-RMAP-REDIST-HOST deny 10
match interface Vlan1
route-map FABRIC-RMAP-REDIST-HOST permit 20
match ip address HOSTS
route-map FABRIC-RMAP-REDIST-SUBNET permit 10
match tag 12345
route-map FABRIC-RMAP-REDIST-V6HOST deny 10
match interface Vlan1
route-map FABRIC-RMAP-REDIST-V6HOST permit 20
match ip address V6HOSTS
route-map bgpMap permit 10
match route-type internal
route-map bgp_next_hop_filter deny 100
match ip address prefix-list control-subnet
route-map bgp_next_hop_filter permit 200
match ip address HOSTS
!control SVI
vlan 2
mode fabricpath
interface Vlan1
no shutdown
mtu 9192
ip address 44.2.3.33/22
ipv6 forward
fabric forwarding control-segment
router bgp 100
!Generally the SVI address of the local control subnet
router-id 44.2.3.33
address-family ipv4 unicast
redistribute hmm route-map FABRIC-RMAP-REDIST-HOST
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
nexthop route-map bgp_next_hop_filter
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv6 unicast
redistribute hmm route-map FABRIC-RMAP-REDIST-V6HOST
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family vpnv4 unicast
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
address-family vpnv6 unicast
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
address-family ipv4 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv6 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
additional-paths selection route-map ALL-PATHS
!First RR
neighbor 44.2.0.101 remote-as 100
address-family ipv4 unicast
send-community both
address-family ipv6 unicast
send-community both
address-family vpnv4 unicast
send-community both
address-family vpnv6 unicast
send-community both
address-family ipv4 mvpn
send-community both
address-family ipv6 mvpn
send-community both
!Second RR
neighbor 44.2.0.144 remote-as 100
address-family ipv4 unicast
send-community both
address-family ipv6 unicast
send-community both
address-family vpnv4 unicast
send-community both
address-family vpnv6 unicast
send-community both
address-family ipv4 mvpn
send-community both
address-family ipv6 mvpn
send-community both
LDAP configuration with a backup LDAP server. A second LDAP server is not mandatory, but we recommend it.
fabric database type network
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=networks,dc=cisco,dc=com key-type 1
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=networks,dc=cisco,dc=com key-type 1
db-security user admin password cisco123
fabric database type profile
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=profiles,dc=cisco,dc=com
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=profiles,dc=cisco,dc=com
db-security user admin password cisco123
fabric database type partition
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=partitions,dc=cisco,dc=com
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=partitions,dc=cisco,dc=com
db-security user admin password cisco123
Route Reflector Configuration
The following is an example for BGP:
router bgp 100
!Generally the SVI address of the local control subnet
router-id 44.2.0.101
address-family ipv4 unicast
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths selection route-map ALL-PATHS
address-family ipv6 unicast
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths selection route-map ALL-PATHS
address-family vpnv4 unicast
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family vpnv6 unicast
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv4 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv6 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths send
additional-paths receive
additional-paths selection route-map ALL-PATHS
neighbor 44.2.0.0/22 remote-as 100
address-family ipv4 unicast
send-community both
route-reflector-client
address-family ipv6 unicast
send-community both
route-reflector-client
address-family vpnv4 unicast
send-community both
route-reflector-client
address-family vpnv6 unicast
send-community both
route-reflector-client
address-family ipv4 mvpn
send-community both
route-reflector-client
address-family ipv6 mvpn
send-community both
route-reflector-client
Border Leaf Node Configuration
This example shows the border leaf configuration. The border leaf specific configuration is in bold and the rest is common to the interior leaf. A tenant configuration and its neighborship to the DCI Edge router are also shown in this example.
The following is an example for BGP:
!One tenant which is extended to DC Edge box
vrf context CiscoLive:Part4
vni 65004
rd auto
address-family ipv4 unicast
route-target both auto
!Sub interface towards DC Edge box
interface port-channel400.1004
encapsulation dot1q 1004
vrf member CiscoLive:Part4
ip address 4.1.1.2/24
!!Border leaf specific policy:
!Deny the default route received from within the fabric by other border leaf(s); permit any other route
ip prefix-list default-route seq 5 permit 0.0.0.0/0 le 1
route-map deny-default-route deny 100
match ip address prefix-list default-route
route-map deny-default-route permit 200
match ip address HOSTS
router bgp 100
!Generally the SVI address of the local control subnet
router-id 44.2.3.63
fabric-soo 100:1
address-family ipv4 unicast
redistribute hmm route-map FABRIC-RMAP-REDIST-HOST
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
nexthop route-map bgp_next_hop_filter
default-information originate
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv6 unicast
redistribute hmm route-map FABRIC-RMAP-REDIST-V6HOST
maximum-paths ibgp 2
nexthop trigger-delay critical 250 non-critical 10000
default-information originate
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family vpnv4 unicast
nexthop trigger-delay critical 250 non-critical 10000
!optional configuration: use when all tenants are on all Border Leafs
default-information originate always rd 44.2.3.63:100 route-target 100:9999
additional-paths receive
address-family vpnv6 unicast
nexthop trigger-delay critical 250 non-critical 10000
!optional configuration: use when all tenants are on all Border Leafs
default-information originate always rd 44.2.3.63:100 route-target 100:9999
additional-paths receive
address-family ipv4 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
additional-paths selection route-map ALL-PATHS
address-family ipv6 mvpn
nexthop trigger-delay critical 250 non-critical 10000
additional-paths receive
additional-paths selection route-map ALL-PATHS
!First RR
neighbor 44.2.0.101 remote-as 100
address-family ipv4 unicast
send-community both
route-map deny-default-route in
next-hop-self
address-family ipv6 unicast
send-community both
address-family vpnv4 unicast
send-community both
route-map deny-default-route in
address-family vpnv6 unicast
send-community both
address-family ipv4 mvpn
send-community both
address-family ipv6 mvpn
send-community both
!Second RR
neighbor 44.2.0.144 remote-as 100
address-family ipv4 unicast
send-community both
route-map deny-default-route in
next-hop-self
address-family ipv6 unicast
send-community both
address-family vpnv4 unicast
send-community both
route-map deny-default-route in
address-family vpnv6 unicast
send-community both
address-family ipv4 mvpn
send-community both
address-family ipv6 mvpn
send-community both
!BGP session for tenant towards Border Leaf
vrf CiscoLive:Part4
address-family ipv4 unicast
maximum-paths 2
maximum-paths ibgp 2
additional-paths send
additional-paths receive
additional-paths selection route-map ALL-PATHS
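The border leaf policy above has two parts that are easy to get wrong: the prefix-list `default-route` uses `le 1` rather than an exact match, and the resulting route-map has to be attached inbound on every RR session in the address families where the default can arrive (ipv4 unicast and vpnv4 unicast in this example). The following is an added check written for this appendix, not Cisco code, that evaluates the prefix-list with ge/le semantics and reports any global RR session missing the inbound route-map. It assumes indented NX-OS running-config text; the sample is constructed from the border leaf stanzas above, with the second RR's vpnv4 inbound route-map deliberately omitted to produce a finding.

```python
"""Border-leaf default-route policy check (added example, not Cisco's code).
Assumption: input is indented NX-OS running-config text; the sample below is
constructed from the page's border-leaf stanzas, with one line left out."""
import ipaddress
import re

# Constructed sample: the vpnv4 'route-map ... in' on the second RR is omitted on purpose.
SAMPLE_BORDER_LEAF = """\
ip prefix-list default-route seq 5 permit 0.0.0.0/0 le 1
route-map deny-default-route deny 100
  match ip address prefix-list default-route
route-map deny-default-route permit 200
  match ip address HOSTS
router bgp 100
  address-family ipv4 unicast
    default-information originate
  neighbor 44.2.0.101 remote-as 100
    address-family ipv4 unicast
      route-map deny-default-route in
    address-family vpnv4 unicast
      route-map deny-default-route in
  neighbor 44.2.0.144 remote-as 100
    address-family ipv4 unicast
      route-map deny-default-route in
    address-family vpnv4 unicast
      send-community both
  vrf CiscoLive:Part4
    address-family ipv4 unicast
      maximum-paths 2
"""

PREFIX_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")
NEIGHBOR_RE = re.compile(r"^neighbor (\S+) remote-as \d+$")


def parse_prefix_lists(config):
    """Return {name: [(seq, action, network, min_len, max_len), ...]}."""
    lists = {}
    for raw in config.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        name, seq, action, net, ge, le = m.groups()
        network = ipaddress.ip_network(net, strict=False)
        # No ge/le: exact length.  'le N' alone: entry length up to N.
        # 'ge N' alone: N up to host length.  Both: the [ge, le] range.
        min_len = int(ge) if ge else network.prefixlen
        max_len = int(le) if le else (network.max_prefixlen if ge else network.prefixlen)
        lists.setdefault(name, []).append((int(seq), action, network, min_len, max_len))
    return lists


def prefix_list_action(entries, prefix):
    """First-match evaluation in sequence order; no match hits the implicit deny."""
    p = ipaddress.ip_network(prefix, strict=False)
    for _seq, action, network, min_len, max_len in sorted(entries, key=lambda e: e[0]):
        if p.version == network.version and p.subnet_of(network) \
                and min_len <= p.prefixlen <= max_len:
            return action
    return "deny"


def parse_bgp_neighbor_policies(config):
    """Return {neighbor: {address-family: set(policy lines)}} for global (non-VRF) sessions."""
    result, in_bgp = {}, False
    neighbor = af = vrf_indent = None
    neighbor_indent = af_indent = 0
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            in_bgp = line.startswith("router bgp ")
            neighbor = af = vrf_indent = None
            continue
        if not in_bgp:
            continue
        # Leaving a nested block is detected by the indentation dropping back.
        if neighbor is not None and indent <= neighbor_indent:
            neighbor = af = None
        if af is not None and indent <= af_indent:
            af = None
        if vrf_indent is not None and indent <= vrf_indent:
            vrf_indent = None
        if vrf_indent is not None:
            continue  # tenant VRF sessions are out of scope for this check
        m = NEIGHBOR_RE.match(line)
        if line.startswith("vrf "):
            vrf_indent = indent
        elif m:
            neighbor, neighbor_indent = m.group(1), indent
            result.setdefault(neighbor, {})
        elif line.startswith("address-family ") and neighbor is not None:
            af, af_indent = line[len("address-family "):], indent
            result[neighbor].setdefault(af, set())
        elif neighbor is not None and af is not None:
            result[neighbor][af].add(line)
    return result


def check_default_route_filter(config, route_map="deny-default-route",
                               families=("ipv4 unicast", "vpnv4 unicast")):
    """List RR sessions that lack the inbound default-route filter in a required family."""
    findings = []
    for nbr, afs in parse_bgp_neighbor_policies(config).items():
        for af in families:
            if f"route-map {route_map} in" not in afs.get(af, set()):
                findings.append(f"neighbor {nbr} {af}: missing 'route-map {route_map} in'")
    return findings


if __name__ == "__main__":
    pl = parse_prefix_lists(SAMPLE_BORDER_LEAF)["default-route"]
    for pfx in ("0.0.0.0/0", "128.0.0.0/1", "0.0.0.0/2", "10.0.0.0/8"):
        print(pfx, "->", prefix_list_action(pl, pfx))
    for f in check_default_route_filter(SAMPLE_BORDER_LEAF):
        print("FINDING:", f)
```

Running it shows that `permit 0.0.0.0/0 le 1` matches the default route and both /1 halves of the address space but nothing longer, and that the only session missing the filter is the second RR's vpnv4 unicast family. Because the filter is applied per neighbor and per address family, a similar check is worth running after any change to the RR neighbor stanzas on a border leaf.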
!For Border Leaf to DC Edge tenant extension auto-configuration
fabric database override-vrf-profile vrf-common-universal-bl
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=profiles,dc=cisco,dc=com
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=profiles,dc=cisco,dc=com
db-security user admin password cisco123
fabric database type partition
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=partitions,dc=cisco,dc=com
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=partitions,dc=cisco,dc=com
db-security user admin password cisco123
!For Border Leaf to DC Edge tenant extension auto-configuration feature
fabric database type bl-dci
server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
db-table ou=bl-dcis,dc=cisco,dc=com
db-security user admin password cisco123
server protocol ldap host ldap-server2.cisco.com vrf management enable-ssl
db-table ou=bl-dcis,dc=cisco,dc=com
db-security user admin password cisco123
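The `fabric database` stanzas, both the leaf's LDAP configuration earlier in this appendix and the border leaf's repeated blocks above, carry the items a reviewer checks first: that every LDAP server is reached with `enable-ssl`, that the bind credential in `db-security` is not a default, and that each database type has the recommended backup server. The following audit is an added example written for this appendix, not Cisco code; its rules are this example's own policy, the weak-password list is constructed, and the sample config is built from the page's stanzas with one server deliberately left without `enable-ssl` so the check has something to report.

```python
"""Audit the 'fabric database' LDAP stanzas of an NX-OS config (added example, not Cisco's code).
Assumptions: the audit rules and the weak-password list are this example's own;
the sample config is constructed from the page's stanzas."""
import re
from dataclasses import dataclass

# Constructed sample: the second 'network' server deliberately lacks enable-ssl,
# and the 'profile' database has only one server.
SAMPLE_CONFIG = """\
fabric database type network
  server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
    db-table ou=networks,dc=cisco,dc=com key-type 1
    db-security user admin password cisco123
  server protocol ldap host ldap-server2.cisco.com vrf management
    db-table ou=networks,dc=cisco,dc=com key-type 1
    db-security user admin password cisco123
fabric database type profile
  server protocol ldap host ldap-server1.cisco.com vrf management enable-ssl
    db-table ou=profiles,dc=cisco,dc=com
    db-security user admin password cisco123
"""

# Constructed list of bind passwords that should never appear in a deployed config.
WEAK_PASSWORDS = {"cisco", "cisco123", "admin", "password"}

SERVER_RE = re.compile(r"^server protocol ldap host (\S+) vrf (\S+)(?P<ssl> enable-ssl)?$")
CRED_RE = re.compile(r"^db-security user (\S+) password (\S+)$")


@dataclass
class LdapServer:
    db_type: str
    host: str
    vrf: str
    ssl: bool
    user: str = ""
    password: str = ""


def parse_fabric_database(config):
    """Return one LdapServer per 'server protocol ldap' line, tagged with its database type."""
    servers, db_type = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("fabric database "):
            # 'fabric database type network' -> 'network';
            # 'fabric database override-vrf-profile X' -> 'override-vrf-profile'
            parts = line.split()
            db_type = parts[3] if parts[2] == "type" else parts[2]
            continue
        m = SERVER_RE.match(line)
        if m and db_type is not None:
            servers.append(LdapServer(db_type, m.group(1), m.group(2), m.group("ssl") is not None))
            continue
        m = CRED_RE.match(line)
        if m and servers:
            # db-security applies to the most recently declared server
            servers[-1].user, servers[-1].password = m.group(1), m.group(2)
    return servers


def audit(config):
    """Return human-readable findings for transport, credential and redundancy issues."""
    servers = parse_fabric_database(config)
    findings = []
    for s in servers:
        if not s.ssl:
            findings.append(f"{s.db_type}/{s.host}: LDAP without enable-ssl "
                            "(bind credentials and fabric data cross the network in cleartext)")
        if s.password.lower() in WEAK_PASSWORDS:
            findings.append(f"{s.db_type}/{s.host}: weak or default bind password for user {s.user!r}")
    hosts_by_type = {}
    for s in servers:
        hosts_by_type.setdefault(s.db_type, set()).add(s.host)
    for db_type, hosts in hosts_by_type.items():
        if len(hosts) < 2:
            findings.append(f"{db_type}: only one LDAP server configured, no backup")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed sample the audit reports the server without `enable-ssl`, the shared default credential on all three servers, and the missing backup for the `profile` database. Run against a real running-config, the same parser covers every `fabric database` block on the page, including the border leaf's `bl-dci` type.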
DC Edge Router
Example of a tenant session towards the border leaf for Cisco Nexus 7000 Series Switches running the 6.2 image.
!Sub interface towards border leaf
interface port-channel400.1004
encapsulation dot1q 1004
vrf member CiscoLive:Part4
ip address 4.1.1.1/24
no shutdown
!External RD and RT
vrf context CiscoLive:Part4
rd 65500:1604
address-family ipv4 unicast
route-target import 65500:1604
route-target export 65500:1604
router bgp 400
!BGP session towards border leaf
vrf CiscoLive:Part4
neighbor 4.1.1.2 remote-as 100
address-family ipv4 unicast
send-community both
default-originate