07-Mar-24

Overlay Fabric Orchestration

This section describes how to deploy a NetConductor EVPN-VXLAN overlay on top of an existing large campus underlay.

A three-tier network identified as Seattle is used to illustrate this process.

Some steps require manual CLI configuration of switches. Complete these steps using the MultiEdit feature of Central UI groups.

Table of contents

Review the Underlay

Best practice uses the NetConductor Underlay Orchestration workflow to create an OSPF underlay. When all requirements of the Fabric workflow are met, the EVPN-VXLAN overlay can be built.

Network Review

The fabric deployment procedures assume that a large campus underlay was created using the VSG Campus Wired Connectivity procedures or was deployed using the Underlay Orchestration workflow.

The following illustration shows a Layer 2 access and a Layer 3 access configuration along with the fabric personas used during the EVPN configuration. Device fabric personas to be assigned are shown in bold. The access aggregation switches perform only underlay functions and do not have fabric personas.

The following table lists the IP subnets of the underlay networks.

Description                                        IP Subnet
Underlay Transit Networks (VLAN 901/902)           172.18.110.0/24
Underlay Loopback IPs                              10.0.10.0/24
Underlay AP Management VLAN 10 (Agg1-Access1)      10.10.0.128/28
Underlay AP Management VLAN 10 (Agg1-Access2)      10.10.0.144/28
Underlay AP Management VLAN 10 (Agg2-Access1)      10.10.0.160/28
Underlay AP Management VLAN 10 (Agg2-Access2)      10.10.0.176/28
Underlay Gateway VLAN 10 (Service Agg)             10.10.0.80/28

The following table lists the IP subnets used to deploy the distributed overlay. Best practice is to segment wired and wireless traffic onto separate networks.

Description                                        IP Subnet
Fabric Wired VLAN 100                              10.10.1.0/24
Fabric Wireless VLAN 400 - Internal                10.10.4.0/24

Brownfield Considerations

A NetConductor fabric can be deployed over an existing OSPF underlay using the Fabric workflow. This is supported on underlays with either a Layer 2 or a Layer 3 configuration to the access layer. Certain requirements must be met in order for successful deployment.

Step 1 All Aruba CX switches to be included in the fabric must be in the same Central UI group. Gateways and access points do not need to be in the same group.

Step 2 Migrate underlay configured switches to the fabric group in Central using the Retain CX-switch configuration option to preserve the existing underlay.

Step 3 Configure loopback0 as the interface for OSPF routers. Create loopback1 to be used by the VXLAN configuration of the Fabric workflow.

Step 4 When deploying the EVPN fabric over an existing Layer 2 access deployment, create a transit VLAN from aggregation to access switches for running OSPF and enabling Layer 3 access to the loopback interfaces of the access layer switches.

Step 5 Configure all underlay switch interfaces for an MTU of 9198 bytes to ensure unfragmented transport of VXLAN packets through the network.

Configure Role Policy

Note: Customers must contact their Aruba Account Manager to be added to the allow-list for the Global Policy Manager feature.

Roles and role policies are provisioned at a global level and apply to all fabrics. This procedure uses the example roles:

  • EMPLOYEE
  • CONTRACTOR

The following example role-to-role policy prevents employees and contractors from communicating.

Create Roles

Use this procedure to create the employee and contractor roles:

Step 1 In the filter dropdown, select Global, if it is not already selected. On the left menu, select Security.

Step 2 Select the Client Roles page.

Step 3 Create a new role by clicking the + (plus sign) in the upper right corner of the table.

Step 4 In the Create new role window, assign the following settings, then click Save.

  • Name : EMPLOYEE
  • Description: <insert optional role description>
  • Policy Identifier: <use default value>
  • Allow default role to source role permissions for wired clients: <selected>

Note: The Allow default role to source role permissions for wired clients option creates policy rules that allow clients assigned the role to send and receive ARP packets and traffic from outside the fabric.

Step 5 Repeat steps 3 and 4 to create the CONTRACTOR role and enter an optional description.

Define Role-to-Role Policy

Use this procedure to create a policy to prevent the EMPLOYEE and CONTRACTOR roles from communicating.

Step 1 Mouse-over the CONTRACTOR row and click the edit icon (pencil) on the right.

Step 2 In the PERMISSIONS edit window for the CONTRACTOR role, click the edit icon (pencil) at the top right of the PERMISSIONS table. The Assign Permissions window appears.

Step 3 In the Assign Permissions window, assign the following settings and click Save.

  • CONTRACTOR (self):
    • Allow Source to Destination: Checked
    • Allow Destination to Source: Checked
  • EMPLOYEE:
    • Allow Source to Destination: Unchecked
    • Allow Destination to Source: Unchecked

Step 4 Repeat steps 1 to 3 for the EMPLOYEE role using the following settings.

  • CONTRACTOR:
    • Allow Source to Destination: Unchecked
    • Allow Destination to Source: Unchecked
  • EMPLOYEE (self):
    • Allow Source to Destination: Checked
    • Allow Destination to Source: Checked

Configure Wireless Integration

Wireless gateways form static VXLAN tunnels with the stub border to provide connectivity to the fabric and map the VLANs to VNIs. Jumbo frames are enabled on the gateway interfaces, static VXLAN tunnels are configured, and roles are created.

Prepare Gateway

Refer to Configuring Wireless Group Settings to assist with:

  • Enabling jumbo frame processing.

Refer to Configure Gateway VLANs to assist with:

  • Creating VLAN 400
  • Verifying jumbo frames on the port channel.

Create Fabric SSID

Refer to Configuring Wireless Access to assist with:

  • Creating an SSID named SSID-SEACP-01 that authenticates to ClearPass.

Configure Static VXLAN Tunnel

Use the following procedure to configure stub VXLAN tunnels between the gateway(s) and stub switches:

Step 1 In the Global dropdown, select the switch group. In this example, the group is CP-SEA-FAB.

Step 2 On the left menu, select Devices.

Step 3 Select Gateways, then select Config.

Step 4 Click the Interface tab and click VXLAN Tunnels. Click the + (plus sign) at the lower left.

Step 5 On the Add VXLAN Tunnel page, assign the following settings:

  • IP Version: IPv4
  • VXLAN Tunnel Source: VLAN
  • VLAN Interface: 10
  • Virtual tunnel end point (vtep) peer IP: 10.10.10.105
  • Enable tunnel admin state: Checked
  • Enable global policy identifier (gpid): Checked

Note: The 10.10.10.105 IP address above is the loopback1 IP address shared between the VSX pair devices acting as stub VTEPs.

Step 6 Click the + (plus sign) in VLAN/VNI mapping, assign the following settings, and click OK.

  • VLAN ID: 400

  • Virtual network identifier: 400

Deploy the Fabric

Use the fabric wizard to deploy an overlay fabric. Follow the procedures below to provision the VXLAN tunnels, EVPN control plane, VRFs, fabric VLANs, and Anycast Gateways.

Note: All Aruba CX switches to be included in the fabric must be in the same Central UI group.

Create The Fabric

Step 1 In the Global dropdown, select the switch group. In this example, the group is CP-SEA-FAB.

Step 2 On the left menu, select Devices.

Step 3 Select Switches, then select Config.

Step 4 Under Routing, select Fabrics.

Step 5 On the Fabrics table, click the + (plus sign) at the top right.

Step 6 In the Create a New Fabric workflow, click Name Fabric, assign the following settings, and click Next.

  • Fabric Name: Seattle

  • BGP AS Number: Use default

Step 7 On the Add Devices page, select each access switch and use the Assign selected devices to window to assign the Edge persona. Click Apply.

Step 8 Repeat steps 6 and 7 for the RR, Border, and Stub device personas, then click Next.

Device                      Persona
SW-SEACP-CORE-01            RR
SW-SEACP-CORE-02            RR
SW-SEACP-STUB-01            Stub
SW-SEACP-STUB-02            Stub
SW-SEACP-BORDER-01          Border
SW-SEACP-AGG01-ACC01        Edge
SW-SEACP-AGG01-ACC02        Edge
SW-SEACP-AGG02-ACC01        Edge
SW-SEACP-AGG02-ACC02        Edge

Note: You must click Apply after each persona selection to apply the assignment.

Step 9 On the Add Overlay Network page, leave the default overlay network. Click Next.

Step 10 On the Stub Tunnels to Gateway page, click the + (plus sign) at the top right of the table.

Step 11 In the Tunnels table, assign the following settings. Click outside the new row to continue.

  • Switch: SW-SEACP-STUB-01
  • Gateway List IP: 10.10.0.68, 10.10.0.70

Note: Gateway IPs must match the VXLAN Tunnel Source configured on the AOS-10 Gateways.

Step 12 Repeat steps 10 and 11 for additional stub switches. Click Next.

Step 13 Review the Summary page for accuracy. Return to previous pages and make corrections, if needed. Click Save.

Create the Fabric Segments

Use this procedure to create VLAN-associated segments within the fabric. In the following example, a wired segment is applied to all Edge devices and a wireless segment is applied to the Stub devices.

Step 1 Expand the Seattle fabric, then click the New Segment icon.

Step 2 On the Overlay Network & VLAN page of the New Segment workflow, assign the following settings, using the + (plus sign) to add DHCP servers, and click Next.

  • Overlay Network: overlay_network
  • VLAN Name: Users
  • VLAN ID: 100
  • DHCP Server: 10.2.120.98, 10.2.120.99
  • DHCP Server VRF: default, default
  • IPv4 Version: IPv4
  • Default Gateway IP: 10.10.1.1
  • Subnet Mask: 24

Step 3 On the Roles page, select both roles, then click Next.

Step 4 On the Devices page, select the Edge devices, then click Next.

This segment is for wired clients only and is deployed only to Edge devices.

Step 5 Review the Summary page for accuracy, then click Save.

Step 6 Repeat steps 1 to 5 to create a wireless VLAN, on stub devices only, using the values listed below.

  • Overlay Network: overlay_network

  • VLAN Name: Users

  • VLAN ID: 400

  • DHCP Server: 10.2.120.98

  • IPv4 Version: IPv4

  • Default Gateway IP: 10.10.4.1

  • Subnet Mask: 24

Note: Fabric DHCP requests are sourced from loopback1.

Configure External Connectivity

After a fabric is provisioned, it is typically connected to an external network via the border leaf switches. There are multiple approaches to creating this connection. The following procedure establishes Layer 3 connectivity between a VRF on a border leaf and an upstream device using OSPF.

Apply the following configuration to the border leaf:

Step 1 Configure a prefix-list to match /32 host routes.

   ip prefix-list HOST_ROUTES seq 10 permit 0.0.0.0/0 ge 32

Step 2 Configure a route-map that denies /32 route advertisements. This prevents EVPN type-2 host prefixes from being propagated outside the fabric.

   route-map BORDER_ROUTING deny seq 10
        match ip address prefix-list HOST_ROUTES
   route-map BORDER_ROUTING permit seq 20

Step 3 Configure a new OSPF process in the overlay VRF using a unique router-id.

   router ospf 2 vrf overlay_network
       router-id 10.10.10.254
       redistribute bgp route-map BORDER_ROUTING
       area 0.0.0.0

Note: The router-id in the new OSPF process must be different from the router-id used in the OSPF process for the underlay. Fabric routes from the BGP process on the border leaf are redistributed into the new OSPF process, which advertises the routes to the upstream neighbor. Apply the route-map to the redistribution statement to block host routes from being advertised.

Step 4 Add a VLAN in the overlay VRF to support an OSPF adjacency with the upstream device.

   vlan 600
       name OVERLAY-TRANSIT
   interface vlan 600
       vrf attach overlay_network
       description OVERLAY-TRANSIT
       ip mtu 9198
       ip address 172.18.110.60/31
       ip ospf 2 area 0.0.0.0
       ip ospf network point-to-point

Step 5 Add the new VLAN to the trunk from the border leaf to the upstream device.

   interface 1/1/11
       vlan trunk allowed 600

Step 6 Create a static route on the border with a next hop IP address of the upstream device.

   ip route 0.0.0.0/0 172.18.110.45 vrf overlay_network

Step 7 Redistribute the static route into the overlay EVPN.

   router bgp 65001
   !
       vrf overlay_network
           address-family ipv4 unicast
               redistribute static
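As an added illustration that is not part of the guide, the following Python emulates the prefix-list and route-map semantics of Steps 1 and 2 over a constructed set of routes the border leaf would redistribute from BGP, so you can confirm which prefixes reach the upstream OSPF neighbor. The sample host routes are constructed values, not addresses from the Seattle deployment.

```python
import ipaddress

# Constructed sample of routes present in BGP on the border leaf for the
# overlay VRF: the two fabric subnets from this guide, two /32 host routes
# as EVPN type-2 entries would produce (constructed), and the static default.
SAMPLE_BGP_ROUTES = [
    "10.10.1.0/24",    # Fabric Wired VLAN 100
    "10.10.4.0/24",    # Fabric Wireless VLAN 400
    "10.10.1.23/32",   # host route from an EVPN type-2 entry (constructed)
    "10.10.4.200/32",  # host route from an EVPN type-2 entry (constructed)
    "0.0.0.0/0",       # static default route redistributed in Step 7
]

# ip prefix-list HOST_ROUTES seq 10 permit 0.0.0.0/0 ge 32
PREFIX_LISTS = {"HOST_ROUTES": [("0.0.0.0/0", 32, None)]}

# route-map BORDER_ROUTING deny seq 10  (match ip address prefix-list HOST_ROUTES)
# route-map BORDER_ROUTING permit seq 20 (no match clause: matches everything)
BORDER_ROUTING = [("deny", "HOST_ROUTES"), ("permit", None)]


def prefix_list_matches(prefix, entry_prefix, ge=None, le=None):
    """One prefix-list entry: the candidate must lie inside entry_prefix and its
    length must satisfy ge/le. With neither ge nor le, only an exact length matches."""
    cand = ipaddress.ip_network(prefix)
    base = ipaddress.ip_network(entry_prefix)
    if not cand.subnet_of(base):
        return False
    if ge is None and le is None:
        lo = hi = base.prefixlen
    else:
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else cand.max_prefixlen
    return lo <= cand.prefixlen <= hi


def prefix_list_permits(name, prefix):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    return any(prefix_list_matches(prefix, p, ge, le) for p, ge, le in PREFIX_LISTS[name])


def route_map_permits(prefix):
    """Evaluate BORDER_ROUTING sequences in order; implicit deny if none match."""
    for action, plist in BORDER_ROUTING:
        if plist is None or prefix_list_permits(plist, prefix):
            return action == "permit"
    return False


def routes_advertised_upstream(routes):
    """Routes that survive redistribution into OSPF process 2 and leave the fabric."""
    return [r for r in routes if route_map_permits(r)]
```

Running it against the sample shows both /32 host routes dropped and only the /24 fabric subnets and the default route advertised upstream.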

ClearPass Integration

RADIUS-based authentication is required on all edge ports participating in the fabric. ClearPass is the recommended solution.

Modify the services as needed to ensure that ClearPass returns a role.

For more information on configuring RADIUS on switches, refer to the Configure RADIUS and UBT section.

Verification

The steps below illustrate how to verify the functionality of a distributed fabric deployment. Central provides a remote console that enables CLI access on any managed switch. Refer to the Verify OSPF Operation section for a more detailed overview.

Verify Underlay

Step 1 In a Remote Console window, type the command show ip ospf neighbors, and press ENTER. Confirm that the state is FULL with all appropriate OSPF peers.

Step 2 In a Remote Console window, type the command show ip route, and press ENTER. Confirm that all loopback0 and loopback1 /32 routes are listed.

Verify Overlay

The EVPN verification below is recommended for all fabric switches. VXLAN verification is recommended for the Edge, Border, and Stub devices. Endpoint verification is recommended for Edge switches.

Step 1 In a Remote Console window, type the command show bgp all summary, and press ENTER. Confirm that BGP peering is active between the route reflectors and all fabric devices.

Step 2 In a Remote Console window, type the command show evpn evi, and press ENTER. Verify the EVPN configuration and operational state.

Step 3 In a Remote Console window, type the command show bgp l2vpn evpn, and press ENTER. Verify EVPN overlay routes.

Step 4 In a Remote Console window, type the command show evpn mac-ip, and press ENTER. Verify that overlay MAC/IP address information is learned from EVPN.

Step 5 In a Remote Console window, type the command show interface vxlan 1, and press ENTER. Verify that VXLAN tunnels are established.

Step 6 In a Remote Console window, type the command show port-access clients, and press ENTER. Verify the authentication state of an endpoint and confirm proper role assignment.

Step 7 In a Remote Console window, type the command show port-access gbp, and press ENTER. Verify that configured GBP policies are applied.

Verify Gateways

The VXLAN verification below confirms the operational state of the static VXLAN tunnel. It is recommended for all gateways.

Step 1 In the Global dropdown, select the switch group. In this example, the group is CP-SEA-FAB.

Step 2 On the left menu, select Devices.

Step 3 Select Gateways, then select Clusters.

Step 4 In the Name column, click the name of the fabric connected cluster.

Step 5 Select the Tunnels page.

Step 6 In the Tunnels table, find the stub switch VTEP address in the Destination Device column, and confirm that the Status column indicates “Up”.


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.