Validated Reference Design Guide
Deploying a L2 VXLAN EVPN Network with Palo Alto Networks Firewalls

Contents
Introduction
Architecture and Use Case
AOS-CX Initial Setup (OOB, Initial Configs)
    Sample Initial Configuration
Modify Change Validation Settings in NetEdit
Spine/Leaf Configuration and Verification
    NetEdit Plan for "Spine" Switches
    Verify Change Validation
    NetEdit Plan for "Leaf" Switches
    Verify Change Validation
Palo Alto Networks Configuration and Verification
Appendix
    Sample AOS-CX Spine Configuration
    Sample AOS-CX 8325 Leaf Configuration
    Sample AOS-CX 6300 Leaf Configuration (With Colorless Ports)

Introduction

This document provides guidance on deploying an AOS-CX powered L2 EVPN VXLAN network with Palo Alto Networks firewalls. Which AOS-CX switches to deploy depends on the interfaces, scale and features required; Aruba Networks provides a diverse product portfolio to meet different customer requirements.

The L2 EVPN VXLAN deployment shown in this guide uses NetEdit. NetEdit lets IT teams orchestrate multiple AOS-CX switch configurations with search, edit, validation (including conformance checking), deployment and audit capabilities. Using NetEdit, the network admin can configure and validate multiple switches simultaneously while specifying unique settings for each switch.

Palo Alto Networks Next-Generation Firewalls inspect all traffic, including all applications, threats and content, and tie that traffic to the user regardless of location or device type.

Architecture and Use Case

The use case shown in Figure 1 is focused on mid-sized campus deployments with an on-premises data center. As shown, the solution consists of a pair of independent spine switches that provide Layer 3 connectivity between the aggregation switches in the various buildings and the attached pair of CX 8325 switches, which provide access to the local servers and the Palo Alto firewalls. This use case assumes that all inter-VLAN traffic needs inspection; the Palo Alto NGFWs therefore act as the gateways for all inter-VLAN traffic so that it can be inspected in detail.
Figure 1. Campus Leaf & Spine architecture with Palo Alto Networks Firewall

The L3 spine/leaf iBGP EVPN/VXLAN fabric with an L2 overlay network and Palo Alto Networks firewalls provides the following benefits:
• Provides a loop-free L3 underlay network fabric and an overlay network for East-West L2/L3 connectivity between buildings, with all links active
• Supports colorless ports on AOS-CX 6300/6400: it does not matter what connects to the port, because roles and policies are assigned per device; authentication takes place at the access port, and successful authentication enforces the VLAN and ACL assignments configured in ClearPass
• With dynamic VLAN assignment on colorless ports, devices can be placed into VXLAN tunnels
• Non-VXLAN access switches can be attached to AOS-CX 8325 aggregation leaf switches if AOS-CX 6300/6400 access switches cannot be deployed; however, this does not support colorless ports
• Provides the capability to add more spine switches in future for additional fabric bandwidth
• Distributed scale-out control plane using MP-BGP EVPN
• Virtual Switching Extension (VSX) and VSX live upgrade are recommended for multi-chassis link aggregation deployments that require high availability, e.g. the data center
• Network Analytics Engine is available natively on each AOS-CX switch
• Supports multi-tenancy and traffic isolation via VXLAN
• Provides a centralized firewall inspection point for traffic between subnets or leaving a subnet
• The Palo Alto Networks NGFW provides L3 default gateway functionality for all VLANs/subnets
• Redundant Palo Alto firewalls can be located in different buildings if desired for high availability
• The Palo Alto Networks NGFW provides Threat Prevention for all transit traffic. Threat Prevention stops vulnerability exploits with IPS capabilities, offers in-line malware protection, and blocks outbound command-and-control traffic. Combined with WildFire and URL Filtering, organizations are protected at every stage of the attack lifecycle, including both known and zero-day threats.

In the EVPN/VXLAN fabric:
• OSPF is enabled on the leaf and spine switches for underlay routing; all loopbacks and /31 links are advertised via OSPF
• iBGP EVPN using AS 65001 is enabled between the leaf and spine switches
    o iBGP EVPN peering uses Lo0
    o Each leaf peers only with both spines
    o The spine switches function as EVPN route reflectors (RRs)
    o Leaf switches do not peer with other leaf switches
• Leaf switches function only as L2 VTEPs
• L2 connectivity between buildings is achieved via direct VXLAN tunnels
• VSX switches should use redundant VSX ISL links in a LAG for maximum VSX high availability
• A dedicated VSX keepalive link is recommended between the VSX switches in a rack
• VSX system-mac is enabled so that LACP peers think they are connected to the same remote switch
• VSX VTEPs share an anycast Lo1 IP address to form a logical VTEP
• Split-recovery is disabled for VSX to ensure that only the primary VSX switch keeps the logical VTEP up during a VSX split
• Single-homed servers should only be connected to the primary VSX switch
• Should the uplinks fail on a VSX leaf switch, VLAN 4000 and OSPF are used as the transit link to reroute traffic via the redundant leaf switch
• Jumbo MTU is enabled on the fabric links to support applications that require it
• In the data center, the server/firewall-facing ports should be set to the maximum MTU supported by the server (e.g. 9000) if large-MTU applications need to be transported across the VSX switches

In the Palo Alto Networks solution:
• The Palo Alto Networks NGFW acts as the L3 gateway where inter-VLAN routing happens
• An aggregate interface group can be created on the NGFW to aggregate multiple Ethernet interfaces into a single entity, with corresponding settings on the switch side
• These interfaces are added to a virtual router for appropriate inter-VLAN/subnet routing
• Appropriate zones are defined for the incoming and outgoing interfaces and are used to define the relevant security policies
• Threat Prevention is applied to prevent advanced threats traversing the NGFW

AOS-CX Initial Setup (OOB, Initial Configs)

We recommend that the data center and spine switches connect their management ports to a separate out-of-band (OOB) management network as shown in Figure 2; this keeps the switches manageable if there is an issue with in-band network connectivity. The building switches can be managed by NetEdit via the in-band network since they are less critical. Note that a switch managed in-band has to expose SSH and the REST API on the default VRF (see the 6300 sample in the appendix), so limit which source addresses can reach those services.

Figure 2. OOB connectivity

For NetEdit to manage each switch, the initial configs should be added via one of these options:
• Aruba CX mobile app
• Console cable
• Zero Touch Provisioning (ZTP)

Sample Initial Configuration

    hostname 8325-1
    user admin group administrators password ciphertext AQBapUz+
    !
    ssh server vrf mgmt
    !
    interface mgmt
        no shutdown
        ip static 10.5.6.5/24
        default-gateway 10.5.6.1
    !
    ! Only required for 8325 to change ports from 25G to 10G
    ! interface group 1 contains ports 1/1/1-1/1/12
    system interface-group 1 speed 10g
    ! interface group 4 contains ports 1/1/37-1/1/48
    system interface-group 4 speed 10g
    !
    https-server rest access-mode read-write
    https-server vrf mgmt

The REST API in read-write mode is what NetEdit uses to push configuration; keep it, like SSH, bound to the mgmt VRF on the OOB-managed switches.

Once the switches are configured and physically connected, ensure NetEdit has IP connectivity to the switch management IPs and add all devices into NetEdit [Devices -> Action -> Discover Devices].

Figure 3. Devices -> Action -> Discover Devices

Modify Change Validation Settings in NetEdit

To help with change validation, you can add or modify the change validation commands used by NetEdit. This is done in NetEdit [Settings -> Validation -> Change Validation -> Command Scripts]. The screenshots below show the verification commands used in this guide.

Figure 4. Settings -> Validation -> Change Validation -> Command Scripts
Figure 5. Settings -> Validation -> Change Validation -> Command Scripts (cont.)

Spine/Leaf Configuration and Verification

NetEdit Plan for "Spine" Switches

Create a plan for the "Spine" switches in NetEdit [Devices -> select the desired switches -> Action -> Edit Config].

Figure 6. Selecting Spine switches for Plan

Give the plan a name and click "Create".

Figure 7. Naming the plan

You should see the initial configs for your "Spine" switches in NetEdit. Config that is common to the selected switches is shown in white, while the blue variables such as "HOSTNAME" and "A.B.C.D/M" hold unique settings/values per switch.

Figure 8. NetEdit view of Spines

If you hover over a "HOSTNAME" or "A.B.C.D/M" variable (in blue), you can view the unique settings assigned to each switch.

Figure 9. Hover over areas for more information

If you right-click "HOSTNAME" or "A.B.C.D/M" (in blue), you can modify the settings.

Figure 10. Right Click variables

Start by adding OSPF and the loopbacks:

    router ospf 1
        router-id 192.168.1.11
        area 0.0.0.0
    interface loopback 0
        ip address 192.168.1.11/32
        ip ospf 1 area 0.0.0.0

Then right-click to modify the loopbacks and router-ids assigned to each switch.

Figure 11. Adding loopbacks and router-ids assigned to each switch
Figure 12. When ready click apply

Configure the downlinks towards the leaf switches (in this guide the spine takes the odd address of each /31 and the leaf the even one):

    interface 1/1/50
        no shutdown
        mtu 9198
        description 8325-3A
        ip mtu 9198
        ip address 192.168.2.1/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/51
        no shutdown
        mtu 9198
        description 8325-3B
        ip mtu 9198
        ip address 192.168.2.3/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/3
        no shutdown
        mtu 9198
        description 6300-4
        ip mtu 9198
        ip address 192.168.2.5/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/49
        no shutdown
        mtu 9198
        description 8325-5
        ip mtu 9198
        ip address 192.168.2.7/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point

Then right-click to modify the IPs assigned to each switch.

Figure 13. Modifying IP addresses

Configure iBGP EVPN towards the leaf switches:

    router bgp 65001
        bgp router-id 192.168.1.11
        neighbor 192.168.1.31 remote-as 65001
        neighbor 192.168.1.31 update-source loopback 0
        neighbor 192.168.1.32 remote-as 65001
        neighbor 192.168.1.32 update-source loopback 0
        neighbor 192.168.1.4 remote-as 65001
        neighbor 192.168.1.4 update-source loopback 0
        neighbor 192.168.1.5 remote-as 65001
        neighbor 192.168.1.5 update-source loopback 0
        address-family l2vpn evpn
            neighbor 192.168.1.31 activate
            neighbor 192.168.1.31 route-reflector-client
            neighbor 192.168.1.31 send-community extended
            neighbor 192.168.1.32 activate
            neighbor 192.168.1.32 route-reflector-client
            neighbor 192.168.1.32 send-community extended
            neighbor 192.168.1.4 activate
            neighbor 192.168.1.4 route-reflector-client
            neighbor 192.168.1.4 send-community extended
            neighbor 192.168.1.5 activate
            neighbor 192.168.1.5 route-reflector-client
            neighbor 192.168.1.5 send-community extended

Then right-click to modify the router-ids assigned to each switch. Each spine lists every leaf Lo0 as a route-reflector client, while the leaves list only the two spine Lo0s, so no leaf-to-leaf sessions exist.

Figure 14. Modifying router-ids

Select "RETURN TO PLAN" -> "DEPLOY" to push down the configs.

Figure 15. Deploy to complete

Verify Change Validation

Click "Change Validation" to compare configs. As the leaf switches are not yet configured, you will not be able to validate OSPF or BGP neighbor adjacency at this point.

Figure 16. Change Validation view

After validation, you can choose "COMMIT" to save the desired configs or "ROLLBACK" to revert to the configs in place before deployment and make further changes.

NetEdit Plan for "Leaf" Switches

Create a plan for the "Leaf" switches in NetEdit [Devices -> select the desired switches -> Action -> Edit Config].

Figure 17.
NetEdit Plan for "Leaf" Switches

Give the plan a name and click "Create".

Figure 18. Plan name

Start by adding the VSX keepalive (KA) for the leaf switches that require VSX; select only the desired switches on the left:

    interface 1/1/55
        no shutdown
        description VSX KA
        ip address 10.1.2.0/31

Figure 19. Adding KA

Then right-click to modify the IPs assigned to each switch.

Add the VSX ISL:

    interface lag 1
        no shutdown
        description VSX ISL LAG
        no routing
        vlan trunk native 1 tag
        vlan trunk allowed all
        lacp mode active
    interface 1/1/56
        no shutdown
        mtu 9198
        description VSX ISL
        lag 1

Figure 20. Adding VSX ISL

Add VSX (select one pair at a time if there is more than one VSX pair):

    vsx
        system-mac 00:00:00:00:02:12
        inter-switch-link lag 1
        role primary
        keepalive peer 10.1.2.1 source 10.1.2.0
        no split-recovery

Figure 21. Adding VSX Config

Then right-click to modify the roles and IPs assigned to each switch (the peer switch gets "role secondary" with the keepalive peer and source addresses swapped).

Figure 22. Modifying IPs

After the specific values are modified, they should be updated.

Figure 23. Reviewing new settings for variables

Add OSPF and the loopbacks (select all desired leaf switches):

    router ospf 1
        router-id 192.168.1.31
        area 0.0.0.0
    interface loopback 0
        ip address 192.168.1.31/32
        ip ospf 1 area 0.0.0.0
    interface loopback 1
        description Logical VTEP
        ip address 192.168.1.33/32
        ip ospf 1 area 0.0.0.0

Then right-click to modify the loopbacks and router-ids assigned to each switch. Non-VSX switches do not require "interface loopback 1"; both members of a VSX pair carry the same Lo1 address, which becomes the anycast VTEP.

Figure 24. Modifying loopbacks and router-ids

Configure the uplinks towards the spine switches (it is easier if you select switches with similar uplinks together):

    interface 1/1/49
        no shutdown
        routing
        mtu 9198
        description 8325-1
        ip mtu 9198
        ip address 192.168.2.0/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/50
        no shutdown
        routing
        mtu 9198
        description 8325-2
        ip mtu 9198
        ip address 192.168.2.8/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point

Then right-click to modify the IPs assigned to each switch.

Figure 25. Modifying IPs

Add the desired VLANs to all leaf switches and configure the transit VLAN (4000) between the VSX leaf switches:

    vlan 101-103,4000
    !
    interface vlan4000
        description Transit VLAN
        ip mtu 9198
        ip address 192.168.3.0/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point

Then right-click to modify the IPs assigned to each switch. VLAN 4000 is the only VLAN that carries an IP address on the leaf switches; VLANs 101-103 stay pure L2 so that the NGFW remains their only gateway.

Figure 26. Modifying IPs

If you hover over the value shown on the right, it displays which switches have that specific config.

Figure 27. Hover for more details

Configure iBGP EVPN towards the spine RRs:

    router bgp 65001
        bgp router-id 192.168.1.31
        neighbor 192.168.1.11 remote-as 65001
        neighbor 192.168.1.11 update-source loopback 0
        neighbor 192.168.1.12 remote-as 65001
        neighbor 192.168.1.12 update-source loopback 0
        address-family l2vpn evpn
            neighbor 192.168.1.11 activate
            neighbor 192.168.1.11 send-community extended
            neighbor 192.168.1.12 activate
            neighbor 192.168.1.12 send-community extended

Then right-click to modify the router-id assigned to each switch.

Figure 28. Modifying router-ids

Configure the EVPN VLANs with automatic RD/RT towards the spine RRs:

    evpn
        vlan 101
            rd auto
            route-target export auto
            route-target import auto
        vlan 102
            rd auto
            route-target export auto
            route-target import auto
        vlan 103
            rd auto
            route-target export auto
            route-target import auto

Figure 29. Configuring EVPN VLANs

Configure VXLAN and the VNI-to-VLAN mapping:

    interface vxlan 1
        source ip 192.168.1.33
        no shutdown
        vni 101
            vlan 101
        vni 102
            vlan 102
        vni 103
            vlan 103

Then right-click to modify the tunnel source IP assigned to each leaf switch. For a VSX pair this should be the Lo1 anycast IP; for a standalone switch, Lo0 can be used.

Figure 30. Modify tunnel source IP

Configure the links and LAGs towards the firewall:

    interface lag 10 multi-chassis
        no shutdown
        description Firewall
        no routing
        vlan trunk native 1
        vlan trunk allowed 101-103
        lacp mode active
    !
    interface 1/1/1
        no shutdown
        description Firewall
        lag 10

The LAG permits only the tenant VLANs 101-103; on the firewall side, the L3 sub-interfaces of the aggregate interface are tagged with the same VLAN IDs.

Figure 31. Configuring links and LAGs towards the Firewall

On the building leaf switches, configure the links towards the clients:

    interface 1/1/10
        no shutdown
        no routing
        vlan access 101

Finally, select "RETURN TO PLAN" -> "DEPLOY" to push down the configs.

Figure 32. Deploy when ready

Verify Change Validation

Click "Change Validation" to verify that VSX works as expected.

Figure 33. Verifying Configuration via Change Validation

Check that the OSPF adjacencies are up as expected.

Figure 34. Verifying Configuration via Change Validation - OSPF adjacency

Check that the BGP peers are up as expected.

Figure 35. Verifying Configuration via Change Validation - BGP peers

Check that routing works as expected; there should be ECMP paths to the other leaf switches.

Figure 36. Verifying Configuration via Change Validation - ECMP

If traffic is flowing through the fabric, you can check that EVPN MAC learning works as expected from the "show bgp l2vpn evpn" and "show mac-address" output.

Check the VSX LAG.

Figure 37. Verifying Configuration via Change Validation - VSX LAG

And validate the config changes.

Figure 38. Verifying Configuration via Change Validation - differences

After validation, you can choose "COMMIT" to save the desired configs or "ROLLBACK" to revert to the configs in place before deployment and make further changes.

Figure 39. Commit to write to startup config

Palo Alto Networks Configuration and Verification

Create aggregate interfaces:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-an-aggregateinterface-group.html

Figure 40. Agg interfaces config
Figure 41. Agg interfaces LACP
Figure 42. Agg interfaces - link speed

Create L3 sub-interfaces of the aggregate interfaces to map specific VLAN traffic:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-interfaces/layer-3-subinterface.html

Figure 43.
Agg interfaces - sub interfaces

Create a virtual router to route all transit traffic appropriately:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers.html

Figure 44. Palo Alto config – virtual router

Create security policies to inspect all transit traffic:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-policy.html

With each VLAN sub-interface placed in its own zone, every inter-VLAN flow is an inter-zone flow and is dropped unless a security policy explicitly allows it; attach the Threat Prevention profiles to those allow rules so that the inspection described in the Architecture section is actually applied to the transit traffic.

Figure 45. Palo Alto FW - security policies

Appendix

Sample AOS-CX Spine Configuration

    8325-1# sh run
    Current configuration:
    !
    !Version ArubaOS-CX GL.10.04.0020
    !export-password: default
    hostname 8325-1
    user admin group administrators password ciphertext AQBap!snip
    !
    ssh server vrf mgmt
    !
    router ospf 1
        router-id 192.168.1.11
        area 0.0.0.0
    vlan 1
    interface mgmt
        no shutdown
        ip static 10.5.6.5/24
        default-gateway 10.5.6.1
    system interface-group 1 speed 10g
    !interface group 1 contains ports 1/1/1-1/1/12
    system interface-group 2 speed 10g
    !interface group 2 contains ports 1/1/13-1/1/24
    system interface-group 3 speed 10g
    !interface group 3 contains ports 1/1/25-1/1/36
    system interface-group 4 speed 10g
    !interface group 4 contains ports 1/1/37-1/1/48
    interface 1/1/3
        no shutdown
        mtu 9198
        description 6300-4
        ip mtu 9198
        ip address 192.168.2.5/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/49
        no shutdown
        mtu 9198
        description 8325-5
        ip mtu 9198
        ip address 192.168.2.7/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/50
        no shutdown
        mtu 9198
        description 8325-3A
        ip mtu 9198
        ip address 192.168.2.1/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/51
        no shutdown
        mtu 9198
        description 8325-3B
        ip mtu 9198
        ip address 192.168.2.3/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface loopback 0
        ip address 192.168.1.11/32
        ip ospf 1 area 0.0.0.0
    router bgp 65001
        bgp router-id 192.168.1.11
        neighbor 192.168.1.4 remote-as 65001
        neighbor 192.168.1.4 update-source loopback 0
        neighbor 192.168.1.5 remote-as 65001
        neighbor 192.168.1.5 update-source loopback 0
        neighbor 192.168.1.31 remote-as 65001
        neighbor 192.168.1.31 update-source loopback 0
        neighbor 192.168.1.32 remote-as 65001
        neighbor 192.168.1.32 update-source loopback 0
        address-family l2vpn evpn
            neighbor 192.168.1.4 activate
            neighbor 192.168.1.4 route-reflector-client
            neighbor 192.168.1.4 send-community extended
            neighbor 192.168.1.5 activate
            neighbor 192.168.1.5 route-reflector-client
            neighbor 192.168.1.5 send-community extended
            neighbor 192.168.1.31 activate
            neighbor 192.168.1.31 route-reflector-client
            neighbor 192.168.1.31 send-community extended
            neighbor 192.168.1.32 activate
            neighbor 192.168.1.32 route-reflector-client
            neighbor 192.168.1.32 send-community extended
        exit-address-family
    !
    https-server rest access-mode read-write
    https-server vrf mgmt

Sample AOS-CX 8325 Leaf Configuration

    8325-3A# sh run
    Current configuration:
    !
    !Version ArubaOS-CX GL.10.04.0030
    !export-password: default
    hostname 8325-3A
    user admin group administrators password ciphertext AQBap!snip
    !
    ssh server vrf mgmt
    !
    router ospf 1
        router-id 192.168.1.31
        area 0.0.0.0
    vlan 1,101-103,4000
    evpn
        vlan 101
            rd auto
            route-target export auto
            route-target import auto
        vlan 102
            rd auto
            route-target export auto
            route-target import auto
        vlan 103
            rd auto
            route-target export auto
            route-target import auto
    interface mgmt
        no shutdown
        ip static 10.5.6.11/24
        default-gateway 10.5.6.1
    system interface-group 1 speed 10g
    !interface group 1 contains ports 1/1/1-1/1/12
    system interface-group 4 speed 10g
    !interface group 4 contains ports 1/1/37-1/1/48
    interface lag 1
        no shutdown
        description VSX ISL LAG
        no routing
        vlan trunk native 1 tag
        vlan trunk allowed all
        lacp mode active
    interface lag 10 multi-chassis
        no shutdown
        description Firewall
        no routing
        vlan trunk native 1
        vlan trunk allowed 101-103
        lacp mode active
    interface 1/1/1
        no shutdown
        description Firewall
        lag 10
    interface 1/1/49
        no shutdown
        mtu 9198
        description 8325-1
        ip mtu 9198
        ip address 192.168.2.0/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/50
        no shutdown
        mtu 9198
        description 8325-2
        ip mtu 9198
        ip address 192.168.2.8/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/55
        no shutdown
        description VSX KA
        ip address 10.1.2.0/31
    interface 1/1/56
        no shutdown
        mtu 9198
        description VSX ISL
        lag 1
    interface loopback 0
        ip address 192.168.1.31/32
        ip ospf 1 area 0.0.0.0
    interface loopback 1
        description Logical VTEP
        ip address 192.168.1.33/32
        ip ospf 1 area 0.0.0.0
    interface vlan4000
        description Transit VLAN
        ip mtu 9198
        ip address 192.168.3.0/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface vxlan 1
        source ip 192.168.1.33
        no shutdown
        vni 101
            vlan 101
        vni 102
            vlan 102
        vni 103
            vlan 103
    vsx
        system-mac 00:00:00:00:02:12
        inter-switch-link lag 1
        role primary
        keepalive peer 10.1.2.1 source 10.1.2.0
        no split-recovery
    router bgp 65001
        bgp router-id 192.168.1.31
        neighbor 192.168.1.11 remote-as 65001
        neighbor 192.168.1.11 update-source loopback 0
        neighbor 192.168.1.12 remote-as 65001
        neighbor 192.168.1.12 update-source loopback 0
        address-family l2vpn evpn
            neighbor 192.168.1.11 activate
            neighbor 192.168.1.11 send-community extended
            neighbor 192.168.1.12 activate
            neighbor 192.168.1.12 send-community extended
        exit-address-family
    !
    https-server rest access-mode read-write
    https-server vrf mgmt

Sample AOS-CX 6300 Leaf Configuration (With Colorless Ports)

    6300-4# sh run
    Current configuration:
    !
    !Version ArubaOS-CX FL.10.04.0040
    !export-password: default
    hostname 6300-4
    user admin group administrators password ciphertext AQBap!snip
    crypto pki ta-profile cppm
        ta-certificate
    -----BEGIN CERTIFICATE-----
    MIIDYz!snip
    -----END CERTIFICATE-----
    END_OF_CERTIFICATE
    !
    radius-server host cec-cp.cectme.net key ciphertext AQBap!snip
    clearpass-username dur
    clearpass-password ciphertext AQBap!snip
    !
    ssh server vrf default
    ssh server vrf mgmt
    !
    router ospf 1
        router-id 192.168.1.4
        area 0.0.0.0
    vlan 1,101-103
    evpn
        vlan 101
            rd auto
            route-target export auto
            route-target import auto
        vlan 102
            rd auto
            route-target export auto
            route-target import auto
        vlan 103
            rd auto
            route-target export auto
            route-target import auto
    spanning-tree
    interface mgmt
        no shutdown
        ip static 10.5.6.13/24
        default-gateway 10.5.6.1
    port-access role role101
        vlan access 101
    port-access role role102
        vlan access 102
    port-access role role103
        vlan access 103
    aaa authentication port-access mac-auth
        enable
    interface 1/1/1
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access client-limit 10
        aaa authentication port-access mac-auth
            enable
    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access client-limit 10
        aaa authentication port-access mac-auth
            enable
    interface 1/1/3
        no shutdown
        no routing
        vlan access 1
    interface 1/1/4
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access client-limit 5
        aaa authentication port-access mac-auth
            enable
    interface 1/1/27
        no shutdown
        mtu 9198
        routing
        description 8325-1
        ip mtu 9198
        ip address 192.168.2.4/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    interface 1/1/28
        no shutdown
        mtu 9198
        routing
        description 8325-2
        ip mtu 9198
        ip address 192.168.2.12/31
        ip ospf 1 area 0.0.0.0
        ip ospf network point-to-point
    ! snip
    interface 2/1/1
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access client-limit 5
        aaa authentication port-access mac-auth
            enable
    interface 2/1/2
        no shutdown
        no routing
        vlan access 1
    interface 2/1/3
        no shutdown
        no routing
        vlan access 50
    ! snip
    interface 3/1/1
        no shutdown
        no routing
        vlan access 1
    interface 3/1/2
        no shutdown
        no routing
        vlan access 1
    interface 3/1/3
        no shutdown
        no routing
        vlan access 1
    ! snip
    interface loopback 0
        ip address 192.168.1.4/32
        ip ospf 1 area 0.0.0.0
    interface vxlan 1
        source ip 192.168.1.4
        no shutdown
        vni 101
            vlan 101
        vni 102
            vlan 102
        vni 103
            vlan 103
    ip dns server-address 192.168.8.100
    ip dns server-address 10.80.2.219 vrf mgmt
    router bgp 65001
        bgp router-id 192.168.1.4
        neighbor 192.168.1.11 remote-as 65001
        neighbor 192.168.1.11 update-source loopback 0
        neighbor 192.168.1.12 remote-as 65001
        neighbor 192.168.1.12 update-source loopback 0
        address-family l2vpn evpn
            neighbor 192.168.1.11 activate
            neighbor 192.168.1.11 send-community extended
            neighbor 192.168.1.12 activate
            neighbor 192.168.1.12 send-community extended
        exit-address-family
    !
    ip source-interface radius 192.168.2.4
    ip source-interface dns 192.168.2.4
    https-server vrf default
    https-server vrf mgmt
    vsf secondary-member 2
    vsf member 1
        type jl668a
        link 1 1/1/25
        link 2 1/1/26
    vsf member 2
        type jl660a
        link 1 2/1/25
        link 2 2/1/26
    vsf member 3
        type jl668a
        link 1 3/1/25
        link 2 3/1/26

www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | info@arubanetworks.com
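The design rules listed under "Architecture and Use Case" and applied in the NetEdit plans above are the kind of conformance checks worth running against a plan before it is deployed, not only after. The script below is an added example and is not part of this guide, of Aruba's tooling or of NetEdit. It parses trimmed copies of the three sample configurations from the appendix (constructed inline; the hostnames match the appendix, the spine Lo0 set 192.168.1.11/.12 and the tenant VLAN set 101-103 are taken from the guide) and reports a leaf that does not peer with exactly the two spine Lo0 addresses, a spine that is missing a leaf as route-reflector client, a VXLAN source that is not Lo1 on a VSX pair or Lo0 on a standalone switch, a VNI-to-VLAN map that differs between leaves, and the security-relevant one: an SVI with an IP address on a tenant VLAN, which would let that leaf route around the firewall.

```python
"""Offline conformance check for the L2 EVPN/VXLAN fabric in this guide (added
example, not part of the Aruba guide or of NetEdit; CONFIGS is constructed from
the guide's appendix, trimmed to what the checks need).  Rules, from the
Architecture section: leaves peer only with both spine Lo0s, the spine has every
leaf as an RR client, VTEP source is Lo1 on VSX / Lo0 standalone, one VNI<->VLAN
map fabric-wide, and no SVI on a tenant VLAN so the NGFW stays the only gateway."""
import re

SPINE_LO0 = {"192.168.1.11", "192.168.1.12"}   # 8325-1 and 8325-2
TENANT_VLANS = {101, 102, 103}                  # routed only by the Palo Alto NGFW

CONFIGS = {
    "8325-1": """\
router bgp 65001
    neighbor 192.168.1.4 remote-as 65001
    neighbor 192.168.1.31 remote-as 65001
    address-family l2vpn evpn
        neighbor 192.168.1.4 route-reflector-client
        neighbor 192.168.1.4 send-community extended
        neighbor 192.168.1.31 route-reflector-client
        neighbor 192.168.1.31 send-community extended
""",
    "8325-3A": """\
interface loopback 0
    ip address 192.168.1.31/32
interface loopback 1
    ip address 192.168.1.33/32
interface vlan4000
    ip address 192.168.3.0/31
interface vxlan 1
    source ip 192.168.1.33
    vni 101
        vlan 101
vsx
router bgp 65001
    neighbor 192.168.1.11 remote-as 65001
    neighbor 192.168.1.12 remote-as 65001
""",
    "6300-4": """\
interface loopback 0
    ip address 192.168.1.4/32
interface vxlan 1
    source ip 192.168.1.4
    vni 101
        vlan 101
router bgp 65001
    neighbor 192.168.1.11 remote-as 65001
    neighbor 192.168.1.12 remote-as 65001
""",
}


def parse(cfg):
    """Group a running-config into {top-level line: [nested lines, stripped]}."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line and not line[0].isspace():
            cur, blocks[line] = line, []
        elif line.strip():
            blocks[cur].append(line.strip())
    return blocks


def grab(lines, pattern):
    """Group 1 of the first nested line matching pattern, or None."""
    return next((m.group(1) for m in map(re.compile(pattern).match, lines) if m), None)


def check_fabric(configs, spines=("8325-1",)):
    """Return the list of rule violations; an empty list means the plan conforms."""
    errs, vni_maps, leaf_lo0 = [], {}, {}
    for name, cfg in configs.items():
        if name in spines:
            continue
        b = parse(cfg)
        peers = {l.split()[1] for l in b.get("router bgp 65001", []) if "remote-as" in l}
        if peers != SPINE_LO0:
            errs.append(f"{name}: EVPN peers {sorted(peers)} are not exactly the spine Lo0s")
        leaf_lo0[name] = grab(b.get("interface loopback 0", []), r"ip address (\S+)/32")
        lo = "1" if "vsx" in b else "0"   # anycast Lo1 on a VSX pair, Lo0 standalone
        want = grab(b.get(f"interface loopback {lo}", []), r"ip address (\S+)/32")
        vx = b.get("interface vxlan 1", [])
        if grab(vx, r"source ip (\S+)") != want:
            errs.append(f"{name}: vxlan source ip is not loopback {lo} ({want})")
        vni_maps[name] = tuple(zip([l for l in vx if l.startswith("vni ")],
                                   [l for l in vx if l.startswith("vlan ")]))
        for hdr, lines in b.items():      # an SVI here would route around the NGFW
            m = re.match(r"interface vlan(\d+)$", hdr)
            if m and int(m.group(1)) in TENANT_VLANS and grab(lines, r"ip address (\S+)"):
                errs.append(f"{name}: SVI on tenant VLAN {m.group(1)} bypasses the NGFW")
    if len(set(vni_maps.values())) > 1:
        errs.append(f"VNI<->VLAN map differs across leaves: {vni_maps}")
    for sp in spines:                     # the RR must know every leaf Lo0 as a client
        bgp = parse(configs[sp]).get("router bgp 65001", [])
        for leaf, lo0 in leaf_lo0.items():
            for need in ("remote-as 65001", "route-reflector-client", "send-community extended"):
                if f"neighbor {lo0} {need}" not in bgp:
                    errs.append(f"{sp}: missing 'neighbor {lo0} {need}' for {leaf}")
    return errs
```

Run check_fabric against the exported running-configs of the plan (NetEdit's Change Validation scripts or "show running-config" output work as input once the per-switch blocks are separated); an empty list is the pass condition. The SVI check deliberately ignores VLAN 4000, which is the VSX transit VLAN and is meant to carry an address; the NetEdit plan above only ever gives an IP to that VLAN on the leaves.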