!
!Version ArubaOS-CX GL.10.11.1050
!export-password: default
! Device identity, local accounts and timezone.
! NOTE(review): both local accounts are in the administrators group and their
! password ciphertext is reproduced verbatim in this listing. The header line
! "export-password: default" suggests the ciphertext is protected by the platform
! default export key rather than a site-specific one -- confirm against the AOS-CX
! documentation. Treat these strings as credential material: redact them before a
! configuration is shared, set a custom export password, and rotate both passwords
! if the listing came from a live device.
! No RADIUS/TACACS+ or "aaa authentication" lines appear in this listing, so logins
! presumably depend on these two local accounts only -- verify.
hostname RSVCO-FB2-LF1-2
user admin group administrators password ciphertext AQBapfZDYCxZJWGdGDGnH1sB9JCa4ssmwYvjURzzNbJK3rSSYgAAAMxLAPMVf0pKQuxRzY71UmOlO1uq5HSDNo+ls+wepjvwKkZ39WuSjZcGwMbRHV6a8icno+5g8uc+L6mZTroN+iQkCeqEu7t3f65lObHgUiKWE0425LiR0Q81N6AEF0AEt5Sg
! afc_admin: presumably the account used by the fabric orchestration tool (VLAN
! descriptions in this file read "AFC-created") -- verify. It carries full
! administrator rights, so its credential deserves the same handling as admin's.
user afc_admin group administrators password ciphertext AQBapXqro++rS0IAzJPx7+i5WUEb3H/kFLN6pkdQ+32Ah6nbYgAAAACMXxbaCerh+mga+sY6JNx/yaeD3ZUf1RmPuN2gyVw/PhdaxNXTFiuECf44Xux4Z0cHlVggsaSoF2DKjhqV1qyYPfOqQ8JkjvP9XJpp6rW9/4HwzfEYtUgMoUuhaiIela0S
clock timezone america/los_angeles
! Global BFD and hardware profile selection, followed by the tenant VRF definition.
! "profile leaf" presumably selects the leaf forwarding-table profile -- TODO confirm.
bfd
profile leaf
! PROD-DC-VRF: the rd and route-target lines below are sub-commands of this VRF
! (indentation was lost in this listing).
! The VRF imports and exports EVPN routes under two targets, 1:100001 and
! 65002:100001. Any EVPN speaker that exports with either value has its routes
! imported here, so these route targets are effectively the tenant boundary and
! should be reviewed whenever a new fabric or peer is added.
vrf PROD-DC-VRF
rd 10.250.4.1:14
route-target export 1:100001 evpn
route-target export 65002:100001 evpn
route-target import 1:100001 evpn
route-target import 65002:100001 evpn
! Time synchronisation: two servers, both marked "prefer", reached through the mgmt VRF.
! NOTE(review): no NTP authentication keys are configured in this listing, so log
! timestamps depend on unauthenticated time sources; consider authenticated NTP.
ntp server 10.2.120.98 prefer
ntp server 10.2.120.99 prefer
ntp enable
ntp vrf mgmt
! NOTE(review): "timeout 0" is a sub-command of cli-session. On AOS-CX a value of 0
! is understood to disable the idle timeout (confirm for this release), which leaves
! an unattended console or SSH session logged in indefinitely. A finite timeout is
! the usual choice outside a lab.
cli-session
timeout 0
!
!
!
!
!
!
! SSH is enabled in the mgmt VRF only; no "ssh server vrf" line for another VRF
! appears in this listing, so the CLI is not offered on the data-plane VRFs.
ssh server vrf mgmt
system internal-vlan-range 4039-4094
! VLAN database. VLAN 1 is also the native VLAN on every LAG trunk in this file
! ("vlan trunk native 1"), so untagged frames from hosts, firewalls and the ISL all
! land in the same default VLAN.
vlan 1
! VLANs 101 and 102 are mapped to VNIs 10101/10102 under "interface vxlan 1".
vlan 101
description AFC-created VLAN
vlan 102
description AFC-created VLAN
! VLAN 2021 carries the PROD-DC-VRF uplink towards the firewall cluster (see its SVI).
vlan 2021
description AFC-created VLAN
! VLAN 3999 has no description here; its SVI is described as "Transit VLAN".
vlan 3999
! presumably a global command rather than a VLAN 3999 sub-command -- TODO confirm.
virtual-mac 02:00:02:00:00:01
! EVPN control-plane settings for the two stretched VLANs (sub-commands shown
! without indentation in this listing).
evpn
! With ARP suppression the switch answers ARP from EVPN-learned entries, so the
! accuracy of those answers depends on every EVPN peer being trusted.
arp-suppression
dyn-vxlan-tunnel-bridging-mode ibgp-ebgp
! Each VLAN uses both an auto-derived and a manual route target (1:10101 / 1:10102).
! The manual values are what another fabric must match to join the segment, so
! they deserve the same change control as the VRF route targets.
vlan 101
rd auto
route-target export auto
route-target export 1:10101
route-target import auto
route-target import 1:10101
redistribute host-route
vlan 102
rd auto
route-target export auto
route-target export 1:10102
route-target import auto
route-target import 1:10102
redistribute host-route
! Out-of-band management port.
! NOTE(review): the management address is obtained by DHCP. SSH and the HTTPS
! server both listen in the mgmt VRF, so the address that exposes them is decided
! by whatever answers DHCP on that segment; a static address or a DHCP reservation
! on a controlled server is the safer arrangement.
interface mgmt
no shutdown
ip dhcp
! Port-speed groups; the "!interface group" lines are comments already in the config.
system interface-group 1 speed 10g
!interface group 1 contains ports 1/1/1-1/1/12
system interface-group 2 speed 10g
!interface group 2 contains ports 1/1/13-1/1/24
! Multi-chassis LAGs 1 and 2 towards the two ESXi hosts (members 1/1/1 and 1/1/2).
! Both trunks carry VLAN 1 untagged plus the web (101) and database (102) VLANs.
! NOTE(review): allowing native VLAN 1 on a server-facing trunk puts untagged host
! traffic into the default VLAN; an unused native VLAN is the common hardening.
! NOTE(review): "lacp fallback" is understood to let a member port forward when no
! LACP partner is detected -- confirm the exact behaviour; it means a device that
! does not negotiate LACP can still get connectivity on these ports.
interface lag 1 multi-chassis
description MC-LAG for ESXi host 21
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,101-102
lacp mode active
lacp fallback
lacp rate slow
interface lag 2 multi-chassis
description MC-LAG for ESXi host 22
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,101-102
lacp mode active
lacp fallback
lacp rate slow
! Multi-chassis LAGs 251 and 252 towards the two firewall cluster members
! (members 1/1/22 and 1/1/23). Only VLAN 2021 is needed for the PROD-DC-VRF uplink.
! NOTE(review): VLAN 1 is allowed and native here as well, so the firewall links
! share the default VLAN with the server and ISL trunks; restricting these trunks
! to VLAN 2021 would keep the firewall hand-off isolated.
interface lag 251 multi-chassis
description MC-LAG from border leaf switch to FW1 in firewall cluster
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,2021
lacp mode active
lacp fallback
lacp rate slow
interface lag 252 multi-chassis
description MC-LAG from border leaf switches to FW2 in firewall cluster
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 1,2021
lacp mode active
lacp fallback
lacp rate slow
! Inter-switch link to the VSX peer (referenced by "inter-switch-link lag 256";
! members 1/1/49 and 1/1/50). It is not multi-chassis and has no lacp fallback.
! All VLANs are allowed, which an ISL normally needs; the consequence is that
! every VLAN created later is extended to the peer automatically.
interface lag 256
description ISL
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
lacp rate slow
! Ports 1/1/1 and 1/1/2 are the members of the ESXi-facing LAGs 1 and 2.
interface 1/1/1
no shutdown
mtu 9198
lag 1
interface 1/1/2
no shutdown
mtu 9198
lag 2
! NOTE(review): ports 1/1/3 through 1/1/12 are administratively up with jumbo MTU
! but carry no description, LAG membership or address, which suggests they are
! unused. Unused ports are normally shut down so that a cable plugged into one of
! them does not bring up a link -- confirm whether the orchestration tool requires
! them enabled.
interface 1/1/3
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/4
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/5
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/6
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/7
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/8
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/9
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/10
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/11
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/12
no shutdown
mtu 9198
ip mtu 9198
! 1/1/13 is the routed WAN/multifabric link. Its /29 contains the eBGP underlay
! neighbors 10.255.6.1 and 10.255.6.2 configured under "router bgp 65002".
! No ACL is applied to this interface in the listing, so reachability across the
! link is governed only by routing policy.
interface 1/1/13
description WAN IP address for multifabric on RSVCO-LF1-2
no shutdown
mtu 9198
ip mtu 9198
ip address 10.255.6.4/29
! NOTE(review): 1/1/14 through 1/1/21 are enabled with no description, LAG or
! address -- apparently unused; consider shutting them down.
interface 1/1/14
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/15
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/16
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/17
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/18
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/19
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/20
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/21
no shutdown
mtu 9198
ip mtu 9198
! 1/1/22 and 1/1/23 are the members of the firewall-facing LAGs 251 and 252.
interface 1/1/22
no shutdown
mtu 9198
lag 251
interface 1/1/23
no shutdown
mtu 9198
lag 252
! 1/1/24: enabled, no description, LAG or address -- apparently unused.
interface 1/1/24
no shutdown
mtu 9198
ip mtu 9198
! Ports 1/1/25 through 1/1/47 share one identical stanza: administratively up,
! jumbo MTU, no description, no LAG membership and no IP address.
! NOTE(review): these look unused. Leaving 23 ports enabled means any of them will
! bring up a link when cabled; shutting down unused ports (and describing the used
! ones) makes unexpected connections visible -- confirm whether the orchestration
! tool depends on them being up.
interface 1/1/25
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/26
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/27
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/28
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/29
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/30
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/31
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/32
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/33
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/34
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/35
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/36
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/37
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/38
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/39
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/40
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/41
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/42
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/43
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/44
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/45
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/46
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/47
no shutdown
mtu 9198
ip mtu 9198
! 1/1/48 is the dedicated VSX keepalive link: its /31 address is the source used by
! "keepalive peer 10.250.3.1 source 10.250.3.0" in the vsx stanza.
! The interface has no "vrf attach", so the keepalive subnet sits in the default
! VRF alongside the underlay; "redistribute connected" under BGP has no route-map
! in this listing and may therefore advertise this /31 -- verify.
interface 1/1/48
description Keep alive Interface RSVCO-FB2-LF1-2
no shutdown
mtu 9198
ip mtu 9198
ip address 10.250.3.0/31
! 1/1/49 and 1/1/50 are the members of the ISL, LAG 256.
interface 1/1/49
no shutdown
mtu 9198
lag 256
interface 1/1/50
no shutdown
mtu 9198
lag 256
! NOTE(review): 1/1/51 through 1/1/54 are enabled with no description, LAG or
! address -- apparently unused; consider shutting them down.
interface 1/1/51
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/52
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/53
no shutdown
mtu 9198
ip mtu 9198
interface 1/1/54
no shutdown
mtu 9198
ip mtu 9198
! Routed point-to-point uplinks to the two spines. Each is in OSPF area 0.0.0.0 and
! overrides the router-level "passive-interface default" with "no ip ospf passive".
! NOTE(review): no OSPF authentication is configured on these interfaces in this
! listing, so an adjacency would form with any OSPF speaker attached to the link;
! per-interface authentication is the usual safeguard.
interface 1/1/55
description Leaf Spine RPI to RSVCO-FB2-SP1
no shutdown
mtu 9198
ip mtu 9198
ip address 10.255.4.3/31
ip ospf 1 area 0.0.0.0
no ip ospf passive
ip ospf network point-to-point
interface 1/1/56
description Leaf Spine RPI to RSVCO-FB2-SP2
no shutdown
mtu 9198
ip mtu 9198
ip address 10.255.4.11/31
ip ospf 1 area 0.0.0.0
no ip ospf passive
ip ospf network point-to-point
! Loopback 0 is the router ID and BGP update-source (10.250.3.5); loopback 1 is the
! VXLAN tunnel source (10.250.4.1, see "interface vxlan 1"). Both are injected into
! OSPF by "redistribute local loopback".
interface loopback 0
description BGP/OSPF underlay
ip address 10.250.3.5/32
interface loopback 1
description BGP VXLAN overlay
ip address 10.250.4.1/32
! SVIs in PROD-DC-VRF. VLAN 101 (web) and VLAN 102 (database) use active-gateway
! with the same virtual MAC; VLAN 2021 is the routed hand-off to the firewall cluster.
! NOTE(review): the web and database subnets are in the same VRF and no ACL is
! applied to either SVI in this listing, so web-to-database traffic is routed
! directly on the leaf and never reaches the firewall. If the tiers are meant to be
! segmented, that needs an ACL/policy here or separate VRFs -- confirm the intent.
interface vlan 101
description Production web app SVI/VLAN 101 in DC overlay
vrf attach PROD-DC-VRF
ip mtu 9198
ip address 10.5.101.1/24
active-gateway ip mac 02:00:0a:05:00:01
active-gateway ip 10.5.101.1
interface vlan 102
description Production database SVI/VLAN 102 DC overlay
vrf attach PROD-DC-VRF
ip mtu 9198
ip address 10.5.102.1/24
active-gateway ip mac 02:00:0a:05:00:01
active-gateway ip 10.5.102.1
! The /29 below also contains the VRF BGP neighbors 10.255.5.1 and 10.255.5.3.
interface vlan 2021
description Border leaf PROD-DC-VRF uplink to colo FW cluster
vrf attach PROD-DC-VRF
ip mtu 9198
ip address 10.255.5.2/29
! Transit SVI in the default VRF, running OSPF as a point-to-point link with cost 1
! (presumably towards the VSX peer across the ISL -- verify).
! NOTE(review): VLAN 3999 is carried wherever "vlan trunk allowed all" applies and
! no OSPF authentication is configured here, so the adjacency is not protected
! against another OSPF speaker appearing in this VLAN.
interface vlan 3999
description Transit VLAN
ip mtu 9198
ip address 10.250.3.8/31
ip ospf 1 area 0.0.0.0
no ip ospf passive
ip ospf cost 1
ip ospf network point-to-point
! VXLAN tunnel endpoint, sourced from loopback 1 (10.250.4.1).
! VNI 10101 -> VLAN 101 and VNI 10102 -> VLAN 102 are the bridged segments;
! VNI 100001 is bound to PROD-DC-VRF with "routing", i.e. the routed VNI of the VRF.
! VXLAN itself provides no encryption or peer authentication, so segment isolation
! rests on the underlay being reachable only by trusted devices.
interface vxlan 1
source ip 10.250.4.1
no shutdown
vni 10101
vlan 101
vni 10102
vlan 102
vni 100001
vrf PROD-DC-VRF
routing
! VSX pairing: this switch is the primary, LAG 256 is the inter-switch link, and
! keepalives run over the dedicated 10.250.3.0/31 link on interface 1/1/48.
! "vsx-sync vsx-global" presumably replicates the VSX global settings to the peer --
! TODO confirm which settings are covered.
vsx
system-mac 02:00:00:00:20:00
inter-switch-link lag 256
role primary
keepalive peer 10.250.3.1 source 10.250.3.0
vsx-sync vsx-global
! DNS resolution is confined to the mgmt VRF. The resolvers are the same two hosts
! used as NTP servers (10.2.120.98 and 10.2.120.99), so both services depend on
! the same pair of machines.
ip dns domain-name example.local vrf mgmt
ip dns server-address 10.2.120.98 vrf mgmt
ip dns server-address 10.2.120.99 vrf mgmt
! Match objects used by the route-maps that follow.
! PL-ALLOW-DEFAULT matches exactly the default route 0.0.0.0/0.
ip prefix-list PL-ALLOW-DEFAULT description Allow default route
ip prefix-list PL-ALLOW-DEFAULT seq 10 permit 0.0.0.0/0
! PL-HOST-P2P matches any prefix of length 31 or 32 ("ge 31"), i.e. point-to-point
! links and host routes.
ip prefix-list PL-HOST-P2P description Match /31 and /32 routes
ip prefix-list PL-HOST-P2P seq 10 permit 0.0.0.0/0 ge 31
!
!
!
! local-fabric matches an empty AS path (^$), i.e. routes originated inside this AS.
ip aspath-list local-fabric description local fabric
ip aspath-list local-fabric seq 10 permit ^$
!
! Routing policy. The "match"/"set" lines are sub-commands of the preceding
! route-map entry (indentation was lost in this listing).
! Tag 1000 breaks the redistribution loop: connected-ospf sets it on loopbacks
! injected into OSPF, OSPF-BGP lets only tagged routes into BGP, and BGP-OSPF
! refuses to send tagged routes back into OSPF.
route-map BGP-OSPF deny seq 10
match tag 1000
! seq 20 has no match clause, so every other BGP route is permitted into OSPF.
route-map BGP-OSPF permit seq 20
route-map OSPF-BGP permit seq 10
match tag 1000
! RM-ALLOW-DEFAULT: only the default route passes; everything else is denied.
route-map RM-ALLOW-DEFAULT permit seq 10
match ip address prefix-list PL-ALLOW-DEFAULT
route-map RM-ALLOW-DEFAULT deny seq 20
! RM-COLO-DEFAULT: only the default route passes, with local-preference 200.
route-map RM-COLO-DEFAULT permit seq 10
match ip address prefix-list PL-ALLOW-DEFAULT
set local-preference 200
route-map RM-COLO-DEFAULT deny seq 20
! NOTE(review): RM-EXT-OUT is a deny-list. It drops /31 and /32 prefixes and then
! permits everything else, so any prefix that later appears in the VRF is
! advertised to the external peer automatically. An explicit allow-list of the
! production subnets would fail closed instead.
route-map RM-EXT-OUT deny seq 10
description filter host and P2P prefixes
match ip address prefix-list PL-HOST-P2P
route-map RM-EXT-OUT permit seq 20
route-map connected-ospf permit seq 10
set tag 1000
! to-border-leaders: only locally originated routes (empty AS path) are sent, which
! keeps this fabric from acting as transit between remote fabrics.
route-map to-border-leaders permit seq 10
match aspath-list local-fabric
!
! Underlay OSPF process. Interfaces are passive by default; 1/1/55, 1/1/56 and
! interface vlan 3999 opt in with "no ip ospf passive".
! "max-metric ... on-startup 300" advertises maximum metric for 300 seconds after
! start-up so the switch is not used for transit before it has converged.
! NOTE(review): no authentication is configured for area 0.0.0.0 or on the active
! interfaces in this listing; OSPF authentication would prevent an unauthorised
! speaker on those links from injecting routes.
router ospf 1
router-id 10.250.3.5
max-metric router-lsa include-stub on-startup 300
passive-interface default
maximum-paths 8
redistribute bgp route-map BGP-OSPF
redistribute local loopback route-map connected-ospf
area 0.0.0.0
! BGP for AS 65002 in the default VRF: iBGP EVPN to the route reflectors, multihop
! eBGP EVPN to the remote-fabric border leaders, and directly connected eBGP IPv4
! to the remote fabric over the WAN link.
! NOTE(review): no "neighbor ... password" (session authentication) line appears
! for any neighbor or peer-group in this listing, including the eBGP sessions that
! leave the fabric. Also not visible here: a prefix limit on any neighbor, and an
! inbound route-map on the eBGP neighbors 10.255.6.1 and 10.255.6.2.
router bgp 65002
bgp router-id 10.250.3.5
maximum-paths 8
bgp log-neighbor-changes
bgp deterministic-med
bgp always-compare-med
bgp bestpath as-path multipath-relax
! iBGP peer-group for the spines / route reflectors, sourced from loopback 0.
neighbor RSVCO-FB2-RR peer-group
neighbor RSVCO-FB2-RR remote-as 65002
neighbor RSVCO-FB2-RR description Spine and RR peer-group
neighbor RSVCO-FB2-RR fall-over
neighbor RSVCO-FB2-RR update-source loopback 0
! eBGP peer-group towards AS 65001 border leaders in the remote fabric.
neighbor border-leaders peer-group
neighbor border-leaders description peering with remote-Fabrics
neighbor border-leaders fall-over
neighbor border-leaders update-source loopback 0
! ebgp-multihop 10 accepts a peer up to ten hops away; such sessions do not get the
! implicit protection of a directly connected peer, which makes session
! authentication more important on these two neighbors.
neighbor 10.250.0.7 remote-as 65001
neighbor 10.250.0.7 peer-group border-leaders
neighbor 10.250.0.7 ebgp-multihop 10
neighbor 10.250.0.11 remote-as 65001
neighbor 10.250.0.11 peer-group border-leaders
neighbor 10.250.0.11 ebgp-multihop 10
neighbor 10.250.3.2 peer-group RSVCO-FB2-RR
neighbor 10.250.3.3 peer-group RSVCO-FB2-RR
! Underlay eBGP over the /29 on interface 1/1/13, with BFD-driven fail-over.
neighbor 10.255.6.1 remote-as 65001
neighbor 10.255.6.1 description Underlay BGP between RSVCO-LF1-2 and RSVDC-LF1-1
neighbor 10.255.6.1 fall-over bfd
neighbor 10.255.6.2 remote-as 65001
neighbor 10.255.6.2 description Underlay BGP between RSVCO-LF1-2 and RSVDC-LF1-2
neighbor 10.255.6.2 fall-over bfd
address-family ipv4 unicast
neighbor 10.255.6.1 activate
neighbor 10.255.6.2 activate
! NOTE(review): "redistribute connected" has no route-map, so every connected
! subnet in the default VRF (for example the keepalive and transit /31s) is a
! candidate for advertisement to AS 65001 -- verify and filter if unintended.
redistribute connected
redistribute local loopback
redistribute ospf 1 route-map OSPF-BGP
exit-address-family
address-family l2vpn evpn
neighbor RSVCO-FB2-RR next-hop-self
neighbor RSVCO-FB2-RR send-community both
! Outbound EVPN routes to the remote fabric are limited to locally originated ones;
! no inbound route-map is applied to this peer-group in the listing.
neighbor border-leaders route-map to-border-leaders out
neighbor border-leaders send-community both
neighbor 10.250.0.7 activate
neighbor 10.250.0.11 activate
neighbor 10.250.3.2 activate
neighbor 10.250.3.3 activate
exit-address-family
!
! Appears to be the PROD-DC-VRF context of "router bgp 65002" (indentation was lost
! in this listing). Both neighbors sit in the /29 of interface vlan 2021.
vrf PROD-DC-VRF
bgp router-id 10.250.3.5
maximum-paths 8
bgp log-neighbor-changes
bgp deterministic-med
bgp always-compare-med
bgp bestpath as-path multipath-relax
! 10.255.5.1 is in the local AS (described as the other border leaf); 10.255.5.3 is
! in AS 65502, presumably the firewall cluster named in the VLAN 2021 description
! -- verify.
! NOTE(review): neither session has a "neighbor ... password" line in this listing.
neighbor 10.255.5.1 remote-as 65002
neighbor 10.255.5.1 description PROD VRF peering between border leaf switches
neighbor 10.255.5.3 remote-as 65502
neighbor 10.255.5.3 fall-over
address-family ipv4 unicast
neighbor 10.255.5.1 activate
neighbor 10.255.5.1 route-map RM-ALLOW-DEFAULT out
neighbor 10.255.5.3 activate
! Inbound from AS 65502 only the default route is accepted (local-preference 200).
neighbor 10.255.5.3 route-map RM-COLO-DEFAULT in
! Outbound, RM-EXT-OUT drops only /31 and /32 prefixes and permits all other VRF
! routes, so what the external peer learns grows with the VRF.
neighbor 10.255.5.3 route-map RM-EXT-OUT out
redistribute connected
exit-address-family
!
! The HTTPS server (web UI / REST API) is enabled in the mgmt VRF only.
! NOTE(review): no control-plane ACL restricting which sources may reach SSH or
! HTTPS is applied in this listing; since both local accounts are administrators,
! limiting management access to known source addresses is worth adding.
https-server vrf mgmt