! ============================================================================
! VantagePoint Networks - Cisco Nexus 9300 Data Center Spine Configuration
! ============================================================================
! Template Version: 2.1
! Platform: Cisco Nexus 9300 Series (NX-OS 10.2+)
! Purpose: VXLAN EVPN fabric spine with OSPF underlay and eBGP EVPN overlay
! License: VantagePoint Networks Commercial Template
! ============================================================================
!
! VARIABLES - Replace before deployment:
!   - Spine hostname (e.g., DC1-SPINE-01)
!   - Spine BGP ASN (e.g., 65000)
!   - Leaf-1 BGP ASN (e.g., 65001)
!   - Leaf-2 BGP ASN (e.g., 65002)
!   - Leaf-3 BGP ASN (e.g., 65003)
!   - Leaf-4 BGP ASN (e.g., 65004)
!   - Loopback0 /32 (e.g., 10.100.0.1)
!   - Loopback1 /32 for VTEP peering (e.g., 10.100.1.1)
!   - Spine-facing IP to Leaf-1 (e.g., 10.100.10.0)
!   - Leaf-1-facing IP to Spine (e.g., 10.100.10.1)
!   - Spine-facing IP to Leaf-2 (e.g., 10.100.10.2)
!   - Leaf-2-facing IP to Spine (e.g., 10.100.10.3)
!   - Spine-facing IP to Leaf-3 (e.g., 10.100.10.4)
!   - Leaf-3-facing IP to Spine (e.g., 10.100.10.5)
!   - Spine-facing IP to Leaf-4 (e.g., 10.100.10.6)
!   - Leaf-4-facing IP to Spine (e.g., 10.100.10.7)
!   - Leaf-1 Loopback0 IP
!   - Leaf-2 Loopback0 IP
!   - Leaf-3 Loopback0 IP
!   - Leaf-4 Loopback0 IP
!   - Leaf-1 Loopback1 IP (VTEP)
!   - Leaf-2 Loopback1 IP (VTEP)
!   - Leaf-3 Loopback1 IP (VTEP)
!   - Leaf-4 Loopback1 IP (VTEP)
!   - VPC domain ID (e.g., 100)
!   - VPC keepalive source IP
!   - VPC keepalive destination IP
!   - VPC peer-link VLAN (e.g., 3600)
!   - Management IP
!   - Management mask
!   - Management gateway
!   - Primary NTP server
!   - Secondary NTP server
!   - Syslog server IP
!   - SNMPv3 username
!   - SNMPv3 auth passphrase
!   - SNMPv3 priv passphrase
!   - SNMP management station IP
!   - Enable secret
!   - Local admin password
!   - OSPF area for underlay (e.g., 0.0.0.0)
!   - OSPF authentication key
!   - Multicast group base (e.g., 239.1.1.0)
! ============================================================================

! --- System Identity ---
hostname

! --- Banner ---
banner motd #
==========================================================================
VantagePoint Networks - Data Center Fabric Spine
AUTHORIZED ACCESS ONLY
This system is the property of VantagePoint Networks. Unauthorized access
is prohibited. All activity is monitored and logged. Disconnect immediately
if you are not an authorized user.
==========================================================================
#

! ============================================================================
! FEATURE ENABLEMENT
! ============================================================================
feature nxapi
feature bash-shell
feature scp-server
feature sftp-server
feature tacacs+
feature scheduler
feature interface-vlan
feature lacp
feature vpc
feature lldp
feature bfd
feature nv overlay
feature vn-segment-vlan-based
feature bgp
feature ospf
feature pim
feature fabric forwarding
feature hmm
nv overlay evpn

! ============================================================================
! SYSTEM SETTINGS
! ============================================================================
clock timezone UTC 0 0
ntp server prefer use-vrf management
ntp server use-vrf management
ntp source-interface mgmt0
system jumbomtu 9216
hardware access-list tcam region racl 512
hardware access-list tcam region arp-ether 256 double-wide
copp profile strict

! --- Spanning Tree ---
spanning-tree mode mst
spanning-tree port type edge bpduguard default
no spanning-tree vlan 1-4094

! ============================================================================
! USER AND AAA
! ============================================================================
username admin password role network-admin
no password strength-check

! ============================================================================
! MANAGEMENT INTERFACE
! ============================================================================
interface mgmt0
  description VantagePoint Management
  vrf member management
  ip address /
  no shutdown

vrf context management
  ip route 0.0.0.0/0

! ============================================================================
! SSH AND CONSOLE HARDENING
! ============================================================================
feature ssh
ssh key rsa 4096
ssh login-attempts 3
no feature telnet
no ip http server

line console
  exec-timeout 5
line vty
  exec-timeout 15
  transport input ssh
  access-class ACL-VTY-ACCESS in

ip access-list ACL-VTY-ACCESS
  10 permit ip /24 any
  20 deny ip any any log

! ============================================================================
! LOGGING AND SYSLOG
! ============================================================================
logging server 5 use-vrf management facility local7
logging source-interface mgmt0
logging level local7 5
logging timestamp milliseconds
logging monitor 5
logging logfile messages 6 size 4194304

! ============================================================================
! SNMPv3
! ============================================================================
snmp-server user network-admin auth sha priv aes-128
snmp-server host traps version 3 priv use-vrf management
snmp-server enable traps link cisco-xcvr-mon
snmp-server enable traps bgp
snmp-server enable traps ospf
snmp-server enable traps snmp
snmp-server enable traps vtp

! ============================================================================
! LOOPBACK INTERFACES
! ============================================================================
interface loopback0
  description VantagePoint Spine Router-ID / OSPF
  ip address /32
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no shutdown

interface loopback1
  description VantagePoint Spine RP / Anycast
  ip address /32
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no shutdown

! ============================================================================
! OSPF UNDERLAY
! ============================================================================
router ospf UNDERLAY
  router-id
  log-adjacency-changes detail
  auto-cost reference-bandwidth 100000
  timers throttle spf 50 200 5000
  timers throttle lsa 50 200 5000
  passive-interface default
  area authentication message-digest

! ============================================================================
! PIM MULTICAST (for BUM traffic replication)
! ============================================================================
ip pim rp-address group-list 239.0.0.0/8
ip pim ssm range 232.0.0.0/8
ip pim anycast-rp

! ============================================================================
! LEAF-FACING L3 INTERFACES (/31 point-to-point)
! ============================================================================
interface Ethernet1/1
  description VantagePoint to LEAF-1 Eth1/49
  no switchport
  mtu 9216
  medium p2p
  ip address /31
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5
  ip ospf network point-to-point
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no ip ospf passive-interface
  no shutdown

interface Ethernet1/2
  description VantagePoint to LEAF-2 Eth1/49
  no switchport
  mtu 9216
  medium p2p
  ip address /31
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5
  ip ospf network point-to-point
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no ip ospf passive-interface
  no shutdown

interface Ethernet1/3
  description VantagePoint to LEAF-3 Eth1/49
  no switchport
  mtu 9216
  medium p2p
  ip address /31
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5
  ip ospf network point-to-point
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no ip ospf passive-interface
  no shutdown

interface Ethernet1/4
  description VantagePoint to LEAF-4 Eth1/49
  no switchport
  mtu 9216
  medium p2p
  ip address /31
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5
  ip ospf network point-to-point
  ip router ospf UNDERLAY area
  ip pim sparse-mode
  no ip ospf passive-interface
  no shutdown

! ============================================================================
! BGP EVPN OVERLAY (eBGP)
! ============================================================================
route-map PERMIT-ALL permit 10
route-map NEXT-HOP-UNCHANGED permit 10
  set ip next-hop unchanged
route-map REDISTRIBUTE-HOST-SVI permit 10
  match tag 12345

router bgp
  router-id
  bestpath as-path multipath-relax
  address-family ipv4 unicast
    redistribute direct route-map PERMIT-ALL
    maximum-paths 64
  address-family l2vpn evpn
    retain route-target all

  ! --- Leaf-1 Peering ---
  neighbor remote-as
    description VantagePoint LEAF-1 eBGP EVPN
    update-source loopback0
    ebgp-multihop 3
    address-family ipv4 unicast
      send-community
      send-community extended
      route-map PERMIT-ALL out
    address-family l2vpn evpn
      send-community
      send-community extended
      route-map NEXT-HOP-UNCHANGED out

  ! --- Leaf-2 Peering ---
  neighbor remote-as
    description VantagePoint LEAF-2 eBGP EVPN
    update-source loopback0
    ebgp-multihop 3
    address-family ipv4 unicast
      send-community
      send-community extended
      route-map PERMIT-ALL out
    address-family l2vpn evpn
      send-community
      send-community extended
      route-map NEXT-HOP-UNCHANGED out

  ! --- Leaf-3 Peering ---
  neighbor remote-as
    description VantagePoint LEAF-3 eBGP EVPN
    update-source loopback0
    ebgp-multihop 3
    address-family ipv4 unicast
      send-community
      send-community extended
      route-map PERMIT-ALL out
    address-family l2vpn evpn
      send-community
      send-community extended
      route-map NEXT-HOP-UNCHANGED out

  ! --- Leaf-4 Peering ---
  neighbor remote-as
    description VantagePoint LEAF-4 eBGP EVPN
    update-source loopback0
    ebgp-multihop 3
    address-family ipv4 unicast
      send-community
      send-community extended
      route-map PERMIT-ALL out
    address-family l2vpn evpn
      send-community
      send-community extended
      route-map NEXT-HOP-UNCHANGED out

! ============================================================================
! VPC DOMAIN (for dual-homed leaf pairs)
! ============================================================================
vpc domain
  role priority 10
  peer-keepalive destination source vrf management
  peer-switch
  peer-gateway
  layer3 peer-router
  ip arp synchronize
  ipv6 nd synchronize
  auto-recovery
  delay restore 150
  delay restore interface-vlan 60
  graceful consistency-check

! ============================================================================
! VPC PEER LINK
! ============================================================================
interface Ethernet1/53
  description VantagePoint VPC Peer-Link Member 1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan
  channel-group 1 mode active
  no shutdown

interface Ethernet1/54
  description VantagePoint VPC Peer-Link Member 2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan
  channel-group 1 mode active
  no shutdown

interface port-channel1
  description VantagePoint VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan
  spanning-tree port type network
  vpc peer-link

! ============================================================================
! VXLAN NVE INTERFACE (Reference - typically on leaves)
! ============================================================================
! NOTE: Spines in an eBGP EVPN fabric typically act as route reflectors
! and do NOT have NVE interfaces. The below is included as reference
! for symmetric IRB designs where the spine also participates as a VTEP.
!
! interface nve1
!   description VantagePoint VXLAN VTEP
!   no shutdown
!   host-reachability protocol bgp
!   source-interface loopback1
!   member vni 10010
!     suppress-arp
!     mcast-group
!   member vni 10020
!     suppress-arp
!     mcast-group
!   member vni 10030
!     suppress-arp
!     mcast-group
!   member vni 100000 associate-vrf

! ============================================================================
! EXAMPLE VLAN-TO-VNI MAPPING (Reference - deploy on leaves)
! ============================================================================
! vlan 10
!   name VXLAN-TENANT-A
!   vn-segment 10010
! vlan 20
!   name VXLAN-TENANT-B
!   vn-segment 10020
! vlan 30
!   name VXLAN-TENANT-C
!   vn-segment 10030

! ============================================================================
! CONTROL PLANE POLICING (CoPP)
! ============================================================================
copp profile strict

! --- Custom CoPP adjustments ---
class-map type control-plane match-any copp-system-p-class-l3uc-data
  match access-group name copp-system-p-acl-bgp
  match access-group name copp-system-p-acl-ospf

policy-map type control-plane copp-system-p-policy-strict
  class copp-system-p-class-critical
    set cos 7
    police cir 36000 kbps bc 1280000 bytes conform transmit violate drop
  class copp-system-p-class-important
    set cos 6
    police cir 2048 kbps bc 128000 bytes conform transmit violate drop
  class copp-system-p-class-management
    police cir 10000 kbps bc 500000 bytes conform transmit violate drop
  class copp-system-p-class-monitoring
    police cir 2048 kbps bc 128000 bytes conform transmit violate drop
  class copp-system-p-class-l3uc-data
    police cir 2048 kbps bc 128000 bytes conform transmit violate drop
  class copp-system-p-class-undesirable
    police cir 200 kbps bc 16000 bytes conform transmit violate drop
  class class-default
    police cir 400 kbps bc 32000 bytes conform transmit violate drop

control-plane
  service-policy input copp-system-p-policy-strict

! ============================================================================
! BFD (Bidirectional Forwarding Detection)
! ============================================================================
feature bfd
bfd interval 150 min_rx 150 multiplier 3
bfd echo-interface loopback0

router ospf UNDERLAY
  bfd

router bgp
  neighbor
    bfd
  neighbor
    bfd
  neighbor
    bfd
  neighbor
    bfd

! ============================================================================
! INTERFACE SHUTDOWN (Unused Ports)
! ============================================================================
interface Ethernet1/5-48
  description VantagePoint UNUSED - administratively down
  shutdown

! ============================================================================
! SCHEDULER FOR CONFIG BACKUP
! ============================================================================
feature scheduler
scheduler job name BACKUP-CONFIG
  copy running-config startup-config
scheduler schedule name DAILY-BACKUP
  job name BACKUP-CONFIG
  time daily 02:00

! ============================================================================
! ADDITIONAL HARDENING
! ============================================================================
! --- Disable unused features ---
no feature telnet
no cdp enable

! --- Rate limiting ---
hardware rate-limiter layer-3 multicast 500
hardware rate-limiter layer-3 glean 500

! --- System resource monitoring ---
system memory-thresholds minor 85 severe 90 critical 95

! ============================================================================
! VantagePoint Networks - End of Nexus 9300 Spine Configuration
! Deployment Checklist:
!   1. Replace ALL placeholders
!   2. Verify ASN numbering plan across fabric
!   3. Confirm /31 addressing on all leaf links
!   4. Validate OSPF adjacencies before enabling BGP
!   5. Test multicast replication for BUM traffic
!   6. Verify CoPP is not dropping legitimate traffic
!   7. Confirm VPC peer-link and keepalive health
!   8. Run 'show nve peers' after leaf deployment
!   9. Validate BGP EVPN route tables
!  10. Archive baseline with 'show running-config'
! ============================================================================
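As an added example, not part of the VantagePoint template, the following Python script turns checklist items 1 and 3 into a pre-deployment lint that can be run against the rendered configuration before it is pushed. It reports commands whose value is still missing (an unreplaced `<...>` or `{{ }}` token, or the bare shapes the template above shows where a value has yet to be supplied: `hostname`, `ip address /32`, `neighbor remote-as`, `ip router ospf UNDERLAY area`, and so on), flags a leaf-facing link whose address is not a /31, and lists a few settings a reviewer should have chosen deliberately (telnet left enabled, `no password strength-check`, an RSA host key shorter than 2048 bits). The `Finding` type, the rule names, the regex list and the sample configuration are constructed for this example; the lint knows only the command shapes listed here, not all of NX-OS.

```python
"""Pre-deployment lint for a rendered Cisco NX-OS spine template.

Added example, not part of the VantagePoint template. Rule names, the Finding
type and SAMPLE_CONFIG are constructed here; the regexes cover the command
shapes used in the spine template, not the whole NX-OS command set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the config text
    rule: str      # "missing-argument", "leaf-link-prefix" or "hardening"
    message: str
    text: str      # the offending config line, whitespace stripped


# Placeholder tokens a template may still carry, e.g. <SPINE_HOSTNAME> or {{ asn }}.
PLACEHOLDER_TOKEN = re.compile(r"<[A-Za-z0-9_.-]+>|\{\{[^}]*\}\}")

# Shapes left behind when a placeholder was removed outright; matched against
# the whitespace-stripped line.
MISSING_ARGUMENT = [
    (re.compile(r"^hostname$"), "hostname has no value"),
    (re.compile(r"^router-id$"), "router-id has no value"),
    (re.compile(r"^router bgp$"), "router bgp has no ASN"),
    (re.compile(r"^ip address /\d+$"), "ip address has a prefix length but no address"),
    (re.compile(r"^neighbor( remote-as)?$"), "BGP neighbor has no address or ASN"),
    (re.compile(r"^ip router ospf \S+ area$"), "OSPF area is missing"),
    (re.compile(r"^ip ospf message-digest-key \d+ md5$"), "OSPF MD5 key is missing"),
    (re.compile(r"^ntp server( prefer)? use-vrf"), "NTP server address is missing"),
    (re.compile(r"^logging server \d+(\s|$)"), "syslog server address is missing"),
    (re.compile(r"^ip route \S+$"), "static route has no next hop"),
    (re.compile(r"^peer-keepalive destination source"), "vPC keepalive addresses are missing"),
]
SSH_KEY = re.compile(r"^ssh key rsa (\d+)$")
IP_ADDRESS = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+)/(\d+)$")


def lint_config(text: str) -> list[Finding]:
    """Return findings in line order; the telnet check is appended last."""
    findings: list[Finding] = []
    telnet_enabled_at = None
    telnet_disabled = False
    in_interface = False    # inside an "interface ..." block
    leaf_interface = False  # that block's description names a LEAF

    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # NX-OS indents child commands; an unindented line closes the current block.
        if not raw[0].isspace():
            in_interface = line.startswith("interface ")
            leaf_interface = False
        elif in_interface and line.startswith("description ") and "LEAF" in line.upper():
            leaf_interface = True

        if PLACEHOLDER_TOKEN.search(line):
            findings.append(Finding(no, "missing-argument", "unreplaced placeholder token", line))
        for pattern, message in MISSING_ARGUMENT:
            if pattern.search(line):
                findings.append(Finding(no, "missing-argument", message, line))
                break

        m = IP_ADDRESS.match(line)
        if m and leaf_interface and m.group(2) != "31":
            findings.append(Finding(no, "leaf-link-prefix",
                                    f"leaf-facing link uses /{m.group(2)}, expected /31", line))

        if line == "feature telnet":
            telnet_enabled_at = no
        elif line == "no feature telnet":
            telnet_disabled = True
        elif line == "no password strength-check":
            findings.append(Finding(no, "hardening", "password strength checking disabled", line))
        else:
            k = SSH_KEY.match(line)
            if k and int(k.group(1)) < 2048:
                findings.append(Finding(no, "hardening", f"RSA host key of {k.group(1)} bits", line))

    if telnet_enabled_at is not None and not telnet_disabled:
        findings.append(Finding(telnet_enabled_at, "hardening", "telnet enabled and never disabled",
                                "feature telnet"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'missing-argument': 4, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: a fragment in the template's shape, only partly filled in.
SAMPLE_CONFIG = """\
hostname
feature telnet
no password strength-check
ssh key rsa 1024
ntp server 10.0.0.5 prefer use-vrf management
logging server 5 use-vrf management facility local7
interface Ethernet1/1
  description DC1-SPINE-01 to LEAF-1 Eth1/49
  ip address 10.100.10.0/31
  ip ospf message-digest-key 1 md5
interface Ethernet1/2
  description DC1-SPINE-01 to LEAF-2 Eth1/49
  ip address 10.100.10.4/30
router bgp 65000
  router-id 10.100.0.1
  neighbor remote-as
    description LEAF-1 eBGP EVPN
"""

if __name__ == "__main__":
    results = lint_config(SAMPLE_CONFIG)
    for f in sorted(results, key=lambda f: f.line):
        print(f"line {f.line:>3} [{f.rule}] {f.message}: {f.text}")
    print(summarize(results))
```

Run it with the rendered template as `text` (for example `lint_config(open("spine.cfg").read())`) and treat any `missing-argument` or `leaf-link-prefix` finding as a blocker for deployment; `hardening` findings are review prompts rather than template errors, since some of them (such as `no password strength-check`) appear in the template by the author's choice. Because the check keys on the description containing LEAF, the description must precede the `ip address` line inside the interface block, as it does in NX-OS running configurations.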