Cisco Nexus EVPN VXLAN Fabric Ansible Automation

Ansible, Automation, Cisco Networking, Lab, Networking /

This is a post that takes the previous Nexus EVPN VXLAN Fabric post, and uses Ansible to build the topology. This is based off this Cisco developer document.

General Info

This project is located in my GitLab. In order to run the Ansible playbook navigate to the nexus_evpn, and run ansible-playbook -i inventory/DC_inv.ini site.yml

Setup

I have used a Python virtual environment and installed Ansible inside the virtual environment.

0
1
2
3
4
5
 
python3.9 -m venv myenv
source myenv/bin/activate
 
python -m pip install ansible
 
0
1
2
3
4
5
6
7
8
9
10
11
 
(myenv) stefankelly@Stefans-MacBook-Pro nexusansible % ansible --version
ansible [core 2.15.1]
  config file = None
  configured module search path = ['/Users/stefankelly/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/stefankelly/Scripts/myenv/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/stefankelly/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/stefankelly/Scripts/myenv/bin/ansible
  python version = 3.9.17 (main, Jun 15 2023, 07:48:58) [Clang 14.0.0 (clang-1400.0.29.202)] (/Users/stefankelly/Scripts/myenv/bin/python)
  jinja version = 3.1.2
  libyaml = True
 

I have created a directory for this project named nexus_evpn.

0
1
2
3
 
mkdir nexus_evpn
cd nexus_evpn
 

I have created two more directories that are for; group_vars, host_vars and roles

0
1
2
3
4
 
mkdir group_vars
mkdir host_vars
mkdir roles
 

According to the Cisco document, Ansible Galaxy can be used to create the spine and leaf directories inside the roles directory. This isn’t exactly needed as it creates a lot of extra files that are not required for this lab, but it faster than creating the structure manually.

The only important directories and files in this are the tasks, vars directories, and the main.yml inside each of these. The rest of these directories/files inside the tree output is not used.

0
1
2
3
4
 
cd roles
ansible-galaxy init spine
ansible-galaxy init leaf
 
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
 
(myenv) stefankelly@Stefans-MacBook-Pro roles % tree
.
├── leaf
   ├── README.md
   ├── defaults
      └── main.yml
   ├── files
   ├── handlers
      └── main.yml
   ├── meta
      └── main.yml
   ├── tasks
      └── main.yml
   ├── templates
   ├── tests
      ├── inventory
      └── test.yml
   └── vars
       └── main.yml
└── spine
    ├── README.md
    ├── defaults
       └── main.yml
    ├── files
    ├── handlers
       └── main.yml
    ├── meta
       └── main.yml
    ├── tasks
       └── main.yml
    ├── templates
    ├── tests
       ├── inventory
       └── test.yml
    └── vars
        └── main.yml
 

Ansible Configuration

First, the configuration of Ansible needs to be taken care of. Without this, the playbook may not run at all. Below is the output for the complete structure of this project. There is a .ansible.cfg file that contains important parameters for Ansible when running the playbook.

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
 
# add to the bottom of the /etc/ansible/ansible.cfg file
 
[defaults]
inventory = /home/stef/ansible_projects/inventory/DC_inv.ini
stdout_callback=debug
stderr_callback=debug
host_key_checking = False
 
[ssh_connection]
ssh_args = -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
 
[paramiko_connection]
host_key_auto_add = True
 

The inventory file is also important and referenced in the .ansible.cfg file. This example is a .ini file, this is just for simplicity. If the inventory file was a .yml there is more flexibility.

0
1
2
3
4
5
6
7
8
 
[spine]
172.16.1.101
172.16.1.102
 
[leaf]
172.16.1.103
172.16.1.104
 
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
 
(myenv) stefankelly@Stefans-MacBook-Pro nexus_evpn % tree -a
.
├── .ansible.cfg
├── group_vars
   └── all.yml
├── host_vars
   ├── 172.16.1.101.yml
   ├── 172.16.1.102.yml
   ├── 172.16.1.103.yml
   └── 172.16.1.104.yml
├── inventory
   └── DC_inv.ini
├── roles
   ├── leaf
      ├── README.md
      ├── defaults
         └── main.yml
      ├── files
      ├── handlers
         └── main.yml
      ├── meta
         └── main.yml
      ├── tasks
         └── main.yml
      ├── templates
      ├── tests
         ├── inventory
         └── test.yml
      └── vars
          └── main.yml
   └── spine
       ├── README.md
       ├── defaults
          └── main.yml
       ├── files
       ├── handlers
          └── main.yml
       ├── meta
          └── main.yml
       ├── tasks
          └── main.yml
       ├── templates
       ├── tests
          ├── inventory
          └── test.yml
       └── vars
           └── main.yml
└── site.yml
 

Group and Host Vars

The files inside these directories are for all the hosts or the individual hosts (switches). If it is not clear, anything in the group_vars/all.yml file contains variable for all the hosts, and anything in host_vars/ are for the hosts defined in the inventory. These file names reference the names in the inventory file.

For all the files, please see the GitLab project.

group_vars/all.yml

0
1
2
3
4
5
6
7
 
ansible_connection: httpapi
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_network_os: nxos
ansible_user: admin
ansible_httpapi_pass: 123abc
 

host_vars/172.16.1.101.yml

0
1
2
3
4
5
6
7
8
9
10
11
12
13
 
---
# vars file for DC1
 
router_id: 10.10.10.11
 
loopbacks:
  - { interface: loopback0, addr: 10.10.10.11, mask: 32 }
  - { interface: loopback1, addr: 1.1.1.1, mask: 32 }
 
l3_interfaces:
  - { interface: ethernet1/1, addr: 10.1.1.0, mask: 31 }
  - { interface: Ethernet1/2, addr: 10.1.1.2, mask: 31 }
 

Roles

Inside the roles directory are the spine/leaf vars and tasks directories. The files nexusansible/nexus_evpn/roles/spine/vars/main.yml and nexusansible/nexus_evpn/roles/leaf/vars/main.yml contain all the variables that are shared for the switch type.

Spine Vars

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 
---
# vars file for spine
 
features:
  - { feature: bgp }
  - { feature: pim }
  - { feature: ospf }
 
ospf_process_id: UNDERLAY
 
ospf_area: 0
 
asn: 65001
 
address_families:
  - { afi: l2vpn, safi: evpn }
 
bgp_neighbors:
  - { remote_as: 65001, neighbor: 10.10.10.21, update_source: Loopback0 }
  - { remote_as: 65001, neighbor: 10.10.10.22, update_source: Loopback0 }
 
rp_address: 1.1.1.1
 

Leaf Vars

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
---
# vars file for leaf
 
features:
  - { feature: bgp }
  - { feature: interface-vlan }
  - { feature: ospf }
  - { feature: pim }
  - { feature: vnseg_vlan }
 
ospf_process_id: UNDERLAY
 
ospf_area: 0
 
asn: 65001
 
address_families:
  - { afi: l2vpn, safi: evpn }
  - { afi: ipv4, safi: unicast }
 
bgp_neighbors:
  - { remote_as: 65001, neighbor: 10.10.10.11, update_source: Loopback0 }
 
rp_address: 1.1.1.1
 
vlans_l2vni:
  - { vlan_id: 11, vni_id: 10011, addr: 10.0.11.1, mask: 24, mcast_grp: 239.0.0.11, vrf: Tenant-1 }
  - { vlan_id: 12, vni_id: 10012, addr: 10.0.12.1, mask: 24, mcast_grp: 239.0.0.12, vrf: Tenant-1 }
  - { vlan_id: 13, vni_id: 10013, addr: 10.0.13.1, mask: 24, mcast_grp: 239.0.0.13, vrf: Tenant-1 }
  - { vlan_id: 14, vni_id: 10014, addr: 10.0.14.1, mask: 24, mcast_grp: 239.0.0.14, vrf: Tenant-1 }
  - { vlan_id: 15, vni_id: 10015, addr: 10.0.15.1, mask: 24, mcast_grp: 239.0.1.2, vrf: Tenant-1 }
 
vlans_l3vni:
  - { vlan_id: 10, vni_id: 10000, vrf: Tenant-1 }
 
vrfs:
  - { vrf: Tenant-1, vni_id: 10000, afi: ipv4, safi: unicast }
 

The tasks files define the tasks that will be in each play of the playbook. There are two plays, one is the spine and the other is the leaf.
nexusansible/nexus_evpn/roles/spine/tasks/main.yml
nexusansible/nexus_evpn/roles/leaf/tasks/main.yml

Spine Tasks

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
---
# tasks file for spine
 
-   name: ENABLE FEATURES
    cisco.nxos.nxos_feature:
        feature: "{{item.feature }}"
    loop: "{{ features }}"
 
-   name: ENABLE FEATURES
    cisco.nxos.nxos_config:
        lines: "feature nv overlay"
 
-   name: CONFIGURE LOOPBACK INTERFACES
    cisco.nxos.nxos_interfaces:
        config:
        -   name: "{{ item.interface }}"
            enabled: true
    loop: "{{ loopbacks }}"
 
-   name: CONFIGURE INTERFACE AS ROUTED & MTU
    cisco.nxos.nxos_interfaces:
      config:
      - name: "{{ item.interface }}"
        mode: "layer3"
        enabled: true
        mtu: 9216
    loop: "{{ l3_interfaces }}"
 
 
-   name: CONFIGURE INTERFACE IP ADDR
    cisco.nxos.nxos_l3_interfaces:
        config:
        -   name: "{{ item.interface }}"
            ipv4:
            -   address: "{{ item.addr }}/{{ item.mask }}"
    loop: "{{ loopbacks + l3_interfaces }}"
 
 
-   name: ENABLE OSPF
    cisco.nxos.nxos_ospfv2:
        config:
          processes:
          -   process_id: "{{ ospf_process_id }}"
              router_id: "{{ router_id }}"
 
    
-   name: ASSOCIATE INTERFACES WITH OSPF PROCESS
    cisco.nxos.nxos_ospf_interfaces:
        config:
        -   name: "{{ item.interface }}"
            address_family:
            -   afi: ipv4
                processes:
                -   process_id: "{{ ospf_process_id }}"
                    area:
                        area_id: "{{ ospf_area }}"
    loop: "{{ loopbacks + l3_interfaces }}"
 
 
-   name: CONFIGURE PIM INTERFACES
    cisco.nxos.nxos_pim_interface:
        interface: "{{ item.interface }}"
        sparse: true
    loop: "{{ loopbacks + l3_interfaces }}"
 
-   name: CONFIGURE SSM_RANGE, DISABLE BFD
    cisco.nxos.nxos_pim:
        bfd: disable
        ssm_range: 224.0.0.0/8
 
-   name: PIM RP
    cisco.nxos.nxos_config:
        lines:
            - "ip pim rp-address 1.1.1.1 group-list 224.0.0.0/4"
 
 
-   name: ENABLE NV OVERLAY EVPN
    cisco.nxos.nxos_evpn_global:
        nv_overlay_evpn: true
 
-   name: CONFIGURE BGP ASN AND ROUTER ID
    cisco.nxos.nxos_bgp_global:
        config:
            as_number: "{{ asn }}"
            router_id: "{{ router_id }}"
            neighbors:
            -   neighbor_address: "{{ item.neighbor }}"
                remote_as: "{{ item.remote_as }}"
                update_source: "{{ item.update_source }}"
        state: merged
    loop: "{{ bgp_neighbors }}"
 
-   name: CONFIGURE BGP NEIGHBORS
    cisco.nxos.nxos_bgp_neighbor_address_family:
        config:
            as_number: "{{ asn }}"
            neighbors:
            -   neighbor_address: "{{ item.neighbor }}"
                address_family:
                -   afi: l2vpn
                    safi: evpn
                    send_community:
                        both: true
                    route_reflector_client: true
    loop: "{{ bgp_neighbors }}"
 
# -   name: SAVE RUN CONFIG TO STARTUP CONFIG
#     cisco.nxos.nxos_config:
#         save_when: always
 

Leaf Tasks

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
 
---
# tasks file for leaf
 
-   name: ENABLE FEATURES
    cisco.nxos.nxos_feature:
        feature: "{{item.feature }}"
    loop: "{{ features }}"
 
-   name: ENABLE FEATURES
    cisco.nxos.nxos_config:
        lines: "feature nv overlay"
 
-   name: CONFIGURE LOOPBACK INTERFACES
    cisco.nxos.nxos_interfaces:
        config:
        -   name: "{{ item.interface }}"
            enabled: true
    loop: "{{ loopbacks }}"
 
-   name: CONFIGURE INTERFACE AS ROUTED & MTU
    cisco.nxos.nxos_interfaces:
      config:
      - name: "{{ item.interface }}"
        mode: "layer3"
        enabled: true
        mtu: 9216
    loop: "{{ l3_interfaces }}"
 
-   name: CONFIGURE INTERFACE IP ADDR
    cisco.nxos.nxos_l3_interfaces:
        config:
        -   name: "{{ item.interface }}"
            ipv4:
            -   address: "{{ item.addr }}/{{ item.mask }}"
    loop: "{{ loopbacks + l3_interfaces }}"
 
-   name: ENABLE OSPF
    cisco.nxos.nxos_ospfv2:
        config:
          processes:
          -   process_id: "{{ ospf_process_id }}"
              router_id: "{{ router_id }}"
        
-   name: ASSOCIATE INTERFACES WITH OSPF PROCESS
    cisco.nxos.nxos_ospf_interfaces:
        config:
        -   name: "{{ item.interface }}"
            address_family:
            -   afi: ipv4
                processes:
                -   process_id: "{{ ospf_process_id }}"
                    area:
                        area_id: "{{ ospf_area }}"
    loop: "{{ loopbacks + l3_interfaces }}"
 
 
-   name: CONFIGURE PIM INTERFACES
    cisco.nxos.nxos_pim_interface:
        interface: "{{ item.interface }}"
        sparse: true
    loop: "{{ loopbacks + l3_interfaces }}"
 
-   name: CONFIGURE SSM_RANGE, DISABLE BFD
    cisco.nxos.nxos_pim:
        bfd: disable
        ssm_range: 224.0.0.0/8
 
-   name: PIM RP
    cisco.nxos.nxos_config:
        lines:
            - "ip pim rp-address 1.1.1.1 group-list 224.0.0.0/4"
 
-   name: ENABLE NV OVERLAY EVPN
    cisco.nxos.nxos_evpn_global:
        nv_overlay_evpn: true
 
-   name: CONFIGURE BGP ASN, ROUTER ID, AND NEIGHBORS
    cisco.nxos.nxos_bgp_global:
        config:
            as_number: "{{ asn }}"
            router_id: "{{ router_id }}"
            neighbors:
            -   neighbor_address: "{{ item.neighbor }}"
                remote_as: "{{ item.remote_as }}"
                update_source: "{{ item.update_source }}"
        state: merged
    loop: "{{ bgp_neighbors }}"
 
-   name: CONFIGURE BGP NEIGHBOR AFI, SAFI, COMMUNITY, and RR
    cisco.nxos.nxos_bgp_neighbor_address_family:
        config:
            as_number: "{{ asn }}"
            neighbors:
            -   neighbor_address: "{{ item.neighbor }}"
                address_family:
                -   afi: l2vpn
                    safi: evpn
                    send_community:
                        both: true
                    route_reflector_client: true
    loop: "{{ bgp_neighbors }}"
 
 
-   name: CONFIGURE VXLAN VTEP NVE INTERFACE
    cisco.nxos.nxos_interfaces:
        config:
        -   name: nve1
            enabled: true
        state: merged
 
-   name: CONFIGURE VXLAN VTEP NVE INTERFACE FOR EVPN CONTROL PLANE
    cisco.nxos.nxos_vxlan_vtep:
        interface: nve1
        host_reachability: true
        source_interface: Loopback1
        state: present
 
-   name: CONFIGURE VLAN TO VNI MAPPING
    cisco.nxos.nxos_vlans:
        config:
        -   vlan_id: "{{ item.vlan_id }}"
            mapped_vni: "{{ item.vni_id }}"
    with_items:
    - "{{ vlans_l2vni }}"
    - "{{ vlans_l3vni }}"
 
-   name: CONFIGURE TENANT VRFs
    cisco.nxos.nxos_vrf:
        vrf: "{{ item.vrf }}"
        vni: "{{ item.vni_id }}"
        rd: auto
        state: present
    loop: "{{ vrfs }}"
 
-   name: CONFIGURE TENANT VRFs (cont'd)
    cisco.nxos.nxos_vrf_af:
        vrf: "{{ item.vrf }}"
        afi: ipv4
        route_target_both_auto_evpn: true
        state: present
    loop: "{{ vrfs }}"
 
 
-   name: CONFIGURE VXLAN VTEP NVE INTERFACE L2VNI MAPPING
    cisco.nxos.nxos_vxlan_vtep_vni:
        interface: nve1
        vni: "{{ item.vni_id }}"
        #ingress_replication: bgp
        multicast_group: "{{ item.mcast_grp }}"
        #suppress_arp: true
    loop: "{{ vlans_l2vni }}"
 
-   name: CONFIGURE VXLAN VTEP NVE INTERFACE L3VNI MAPPING
    cisco.nxos.nxos_vxlan_vtep_vni:
        interface: nve1
        vni: "{{ item.vni_id }}"
        assoc_vrf: true
    loop: "{{ vlans_l3vni }}"
 
-   name: CONFIGURE L2 EVPN VRFs
    cisco.nxos.nxos_evpn_vni:
        vni: "{{ item.vni_id }}"
        route_distinguisher: auto
        route_target_both: auto
    loop: "{{ vlans_l2vni }}"
 
-   name: CONFIGURE TENANT VRFs UNDER BGP PROCESS
    cisco.nxos.nxos_bgp_address_family:
        config:
            as_number: "{{ asn }}"
            address_family:
            -   afi: "{{ item.afi }}"
                safi: "{{ item.safi }}"
                vrf: "{{ item.vrf }}"
                advertise_l2vpn_evpn: true
    loop: "{{ vrfs }}"
 
-   name: CONFIGURE ANYCAST GW MAC
    cisco.nxos.nxos_overlay_global:
        anycast_gateway_mac: "1234.5678.9000"
 
-   name: CONFIGURE SVIs THAT ARE MAPPED TO VNIs
    cisco.nxos.nxos_interfaces:
        config:
        -   name: "Vlan{{ item.vlan_id }}"
            enabled: true
    with_items:
    - "{{ vlans_l2vni }}"
    - "{{ vlans_l3vni }}"
 
-   name: ASSOCIATE INTERFACES TO TENANT VRF
    cisco.nxos.nxos_vrf_interface:
        vrf: "{{ item.vrf }}"
        interface: "vlan{{ item.vlan_id }}"
    with_items:
    - "{{ vlans_l2vni }}"
    - "{{ vlans_l3vni }}"
 
-   name: ENABLE ANYCAST GW UNDER L2VNI SVI
    cisco.nxos.nxos_interfaces:
        config:
        -   name: "Vlan{{ item.vlan_id }}"
            fabric_forwarding_anycast_gateway: true
    loop: "{{ vlans_l2vni }}"
 
-   name: CONFIGURE IP FORWARD UNDER L3VNI SVI
    cisco.nxos.nxos_interfaces:
        config:
        -   name: "vlan{{ item.vlan_id }}"
            ip_forward: true
    loop: "{{ vlans_l3vni }}"
 
-   name: CONFIGURE IP ADDRESS TO L2VNI SVI
    cisco.nxos.nxos_l3_interfaces:
        config:
        -   name: "Vlan{{ item.vlan_id }}"
            ipv4:
            -   address: "{{ item.addr }}/{{ item.mask }}"
    loop: "{{ vlans_l2vni }}"
 
 
-   name: CONFIGURE ACCESS INTERFACES
    cisco.nxos.nxos_l2_interfaces:
        config:
        -   name: "{{ item.interface}}"
            access:
                vlan: "{{ item.vlan }}"
    loop: "{{ access_interfaces }}"
 
 
# -   name: SAVE RUN CONFIG TO STARTUP CONFIG
#     cisco.nxos.nxos_config:
#         save_when: always
 

Playbook – site.yml

This file is the main playbook file. It will call the role tasks which intern call all the variables from the various files.

0
1
2
3
4
5
6
7
8
9
10
11
 
---
# main playbook
 
- hosts: spine
  roles:
    - role: spine
 
- hosts: leaf
  roles:
    - role: leaf
 

Verification – Show Commands

These show commands are all lifted from the show commands from the previous post

Show Commands

As there are multiple stages to this configuration, there are lots of show commands. Some of them overlap by showing the same information.

OSPF

OSPF is configured as point to point networks between each physical interface. All Ethernet and loopback interfaces are taking part in OSPF.

Spine1
Leaf1

PIM

PIM is active on all interfaces on the fabric, and each switch will have two PIM neighbours.

Spine1
Leaf1

Tenant

The tenant is the single business unit, organisation or customer that will reside in this single overlay. There can be multiple overlay networks for multiple tenants. All of them can have overlapping networks, but no communication between them.
The tenants will only be on the leaf switches.

Leaf1

NVE

The NVE will only be on the leaf switches. It is the virtual interface that is responsible for the VXLAN encaps/decaps. The idea of BGP EVPN is that when the leaf switch that is connected to the endpoints learns of the client, it will forward that over to the other leaf switches, Leaf2 in this case.

The output below shows the MAC addresses for the endpoint that have been learnt on the network. This will only work if traffic has been received by the leaf switch the endpoints are connected to.

The next command is similar to the previous, but contains the IP and MAC of the endpoints.

BGP

BGP or iBGP to be precise is the overlay network. It is responsible for the leaf switches to be able to form the VXLAN tunnels between one another, which allows the endpoints learnt on each leaf switch to be shared.

Leave a Comment

Your email address will not be published. Required fields are marked *