Documente Academic
Documente Profesional
Documente Cultură
CONTENTS
CONTENTS 2
INTRODUCTION 4
CONCLUSION 26
cumulusnetworks.com 2
DOCUMENT: VALIDATED DESIGN GUIDE
cumulusnetworks.com 3
DOCUMENT: VALIDATED DESIGN GUIDE
INTRODUCTION
As containers and microservices become increasingly popular, many developers and network
managers are deploying them in their networks. The application of containers, including their use
in the development of distributed microservices, is described in the whitepaper Introduction to
Containers: Where Linux Host Networking Meets Network Infrastructure. Also described in that
paper are overviews of a variety of deployment options.
Some container deployments use a traditional layer 2 overlay on top of the layer 3 network fabric.
Additionally, Network Address Translation (NAT) is often used on the host to allow containers
access outside the environment. A native layer 3 deployment, however, in which all containers
are advertised within the routing protocol itself, will likely become the “gold standard” as
containers become more broadly deployed. An all-layer 3 design increases flexibility and scale
and reduces the domain (or blast radius) of an outage should one ever occur. A Layer 3 design
without NAT increases performance and simplifies troubleshooting. Further, Layer 3 designs also
enable application teams and networking teams to largely avoid troubleshooting spanning tree
and multi-chassis link aggregation (MLAG) issues as well.
In this validated design guide, we will explore one way to extend the benefits of layer 3
networking through the rack to the hosts/containers with Cumulus Networks. Cumulus Host Pack
can be used to provide layer 3 connectivity and enable key advantages that contribute to
web-scale efficiency at any network size.
This solution uses a web-scale architecture, which enables the spine/leaf or Clos network. First,
we discuss how to set up the spine/leaf architecture using eBGP unnumbered and then explore
the individual solution building on top of this architecture.
1
Note: The solution was tested virtually using Cumulus VX 3.3.2, Vagrant, Ubuntu 16.04 and Docker CE 17.05.0-ce.
Actual setup with hardware may behave differently depending on server hardware and software used.
cumulusnetworks.com 4
DOCUMENT: VALIDATED DESIGN GUIDE
As seen above, this solution requires and out-of-band management network that has out of band
connectivity to all servers and switches.
The following steps are assembled sequentially such that each step builds on the previous step
and only includes the portions of the configuration that are relevant for the given step. If at any
point it is unclear what configuration should be present, Appendix A includes the complete
configurations for all the leaves, spines, and hosts; you can use these configurations directly to a
test environment or download the ansible playbook from github. The build steps demonstrate why
each piece of configuration is necessary.
BUILD ORDER
STEP TASKS
1. Set up physical network and Rack and cable all network switches and hosts
basic configuration of switches Install Cumulus Linux and license if not already installed
Configure out-of-band management
Configure the management VRF
Set hostname
Configure DNS
Configure NTP
Configure MTU if desired
Bring up interfaces and verify connectivity
3. Install ifupdown2 on servers Install ifupdown2 on all the Ubuntu servers for easy configuration and troubleshooting
4. Install docker-ce on servers Install docker-ce on all the Linux servers that will host containers
cumulusnetworks.com 5
DOCUMENT: VALIDATED DESIGN GUIDE
In a greenfield environment, the order of configuring spine or leaf switches does not matter, so
step 2 can be done in any order. However, it is recommended to configure the spines first, so
BGP peering can be checked as the leafs come up. In a brownfield environment, start with leaf
switches for minimal network service disruptions. The build order is further explained in the
following steps.
1. Set up the physical network and basic configuration of all switches.
After racking and cabling all switches on the data plane and to the out-of-band management
network, install the Cumulus Linux OS and license on each switch. Refer to the Cumulus Linux
documentation for more information.
Our example network is wired per the Tables 1 and 2 below; you may need to adjust the
instructions if your network is wired differently:
SPINE01 SPINE02
iface Connected to iface Connected to iface Connected to: iface Connected to
cumulusnetworks.com 6
DOCUMENT: VALIDATED DESIGN GUIDE
Next, configure out-of-band management. By default, Cumulus Linux configures the eth0
interface as DHCP. All switches and servers eth0 interface should be connected to the out of
band management switch
Configure the management VRF on all of the switches. The below command will configure the
management VRF and put the eth0 interface into the management VRF. Performing the net
commit after this command activates the VRF which causes your ssh session to disconnect. More
information on the management VRF can be found in the Cumulus Linux user’s guide.
et a
cumulus@cumulus:~$ n dd vrf mgmt
cumulus@cumulus:~$ n et c ommit
After reconnecting to the switch, set the hostname of each switch using the following command,
replacing <hostname> with the proper hostname. You must log out of the switch and back in to
see the prompt change:
cumulus@cumulus:mgmt-vrf:~$ n
et a dd hostname <hostname>
cumulus@cumulus:mgmt-vrf:~$ n et c ommit
Configure the IP address of the domain name server (DNS) if desired. In our example, we use a
server at 192.168.0.254 for DNS:
cumulus@leaf01:mgmt-vrf:~$ n
et a dd dns nameserver 192.168.0.254
cumulus@leaf01:mgmt-vrf:~$ n et c ommit
Cumulus Linux provides Network Time Protocol (NTP) on by default and provides time servers by
default. However, the server and/or the source can be changed if needed. More information
configuring NTP can be found in the Cumulus Linux technical documentation. If the NTP server is
located via the mgmt-vrf, the NTP daemon must be moved to the mgmt vrf context. Instructions
are located in the Cumulus Linux User Guide.
To configure a different NTP server than the default, perform the following command. In our
example, we use an internal server at 192.168.0.254 for the NTP server:
cumulusnetworks.com 7
DOCUMENT: VALIDATED DESIGN GUIDE
By default, NTP sources from eth0. If your NTP server is reachable over the switch ports, you will
need to change the source. Use the following command to change the source if necessary,
replacing swpx with the appropriate interface.
cumulus@leaf01:mgmt-vrf:~$ n
et a
dd time ntp source <swpx>
cumulus@leaf01:mgmt-vrf:~$ net c ommit
Create the interfaces to be used. The loopback us up by default. Use the following command to
enable the switch ports to check connectivity in the next step. We are using the leaf as an
example. In a case of a spine, add interfaces swp1-4:
cumulus@leaf01:mgmt-vrf:~$ n
et a dd interface swp1-2,swp51-52
cumulus@leaf01:mgmt-vrf:~$ n et c ommit
To verify all cables are connected and functional, check the link state. To check the link state of a
switch port, run the net show interface command, which displays the physical link, administrative
state, and LLDP neighbor of the interface. An example from leaf01 is below after all the switch
interfaces in the network are brought up.
cumulusnetworks.com 8
DOCUMENT: VALIDATED DESIGN GUIDE
An example from spine01 is shown below after all network interfaces have been brought up:
Name Master Speed MTU Mode Remote Host Remote Port Summary
----- ------- -------- ------- ----- ------------- --------------- ------------- -------------------------
UP lo None N/A 65536 Loopback IP: 127.0.0.1/8, ::1/128
UP eth0 None 1G 1500 Mgmt oob-mgmt-switch swp10 IP: 192.168.0.21/24(DHCP)
Look for:
● The correct switch ports to be in the UP state. Refer to the Interface Configuration and
Management chapter of the Cumulus Linux documentation for more information.
● Cables that are properly connected according to your network topology diagram
Alternatively, Cumulus Prescriptive Topology Manager (PTM) can be used to easily verify the
entire topology. More information on PTM can be found in the Cumulus Linux User’s Guide.
The MTU on the interfaces should be at least as large as the docker bridge MTU to prevent
fragmentation. By default, the MTU on the switch ports is 1500. To change the interface MTU on
the switches to 9216 bytes, configure the following command. We show an example on a leaf
switch and a spine switch.
cumulus@leaf01:mgmt-vrf:~$ n
et a dd interface swp1-2,51-52 mtu 9216
cumulus@leaf01:mgmt-vrf:~$ n et c ommit
cumulus@spine01:mgmt-vrf:~$ n
et a dd interface swp1-4 mtu 9216
cumulus@spine01:mgmt-vrf:~$ n et c ommit
2. Configure IP addresses and BGP on leaf and spine switches.
cumulusnetworks.com 9
DOCUMENT: VALIDATED DESIGN GUIDE
Table 3 below depicts the IP addresses and BGP autonomous system used for each switch in
this example.
First, configure a unique loopback IP address on each switch, replacing the IP address with the
appropriate one found in Table 3:
cumulus@leaf01:mgmt-vrf:~$ n
et a dd loopback lo ip address 10.0.0.11/32
cumulus@leaf01:mgmt-vrf:~$ n et c ommit
Next, configure BGP unnumbered on each of the spine or leaf-facing interfaces. Using the
topology in Figure 1 and referencing Table 3, leaf01’s spine-facing interfaces are swp51 and
swp52. In the case of the spines, the leaf-facing interfaces are swp1-4. Table 3 identifies the BGP
Autonomous systems in our example. The below shows the leaf01 configuration in our example
network.
In our example, the spine switches neighbors are on swp1-4. The configuration in our example is
shown below:
cumulusnetworks.com 10
DOCUMENT: VALIDATED DESIGN GUIDE
Note that BGP peer groups can also be used for simplicity and optimization if additional BGP
commands are required.
Check the BGP peering. We use a spine01 as an example:
Neighbor V AS MsgRcvd MsgSent T blVer InQ OutQ U p/Down State/PfxRcd
leaf01(swp1)
4 65011 293 294 0 0 0 00:14:23 1
leaf02(swp2)
4 65012 156 158 0 0 0 00:07:31 1
leaf03(swp3)
4 65013 79 81 0 0 0 00:03:40 1
leaf04(swp4)
4 65014 6 8 0 0 0 00:00:00 1
Check the routing table. Reachability should exist to all the leaf loopback addresses from the
spine switches. In our example, spine01 routing table is shown below:
cumulusnetworks.com 11
DOCUMENT: VALIDATED DESIGN GUIDE
cumulusnetworks.com 12
DOCUMENT: VALIDATED DESIGN GUIDE
applications are in the repositories, and install Docker CE. An example of this procedure on
Ubuntu is shown below.
Container Networking with the Cumulus Host Pack Advertising the Docker Bridge
Subnet
In this solution, a user-defined Docker bridge within the server is used to communicate between
local containers and the outside world. The containers running applications on the bridge use a
public IP address to eliminate the performance impact and complexity of NAT on the server.
In addition to the specific application containers, the Cumulus Host Pack layer 3 connectivity is
also run in a container on each server. The subnet on the user-defined docker bridge is
advertised via eBGP unnumbered directly from the residing server into the leaf layer and beyond.
This gives layer 3 connectivity throughout the entire data center, adding redundancy to the
containers and eliminating all the issues when deploying a layer 2 network.
The containerized version of the Host Pack Layer 3 connectivity must be configured in privileged
mode with access to Docker’s host network, which means the container shares the host kernel’s
network namespace and has deep level access and capability to affect the host’s running kernel.
This allows the routes learned within the container to pass directly into the kernel for use by other
applications and containers.
Figure 2 depicts the solution architecture and a demo is available virtually at the Host Pack
Redistributing Docker Bridges. Actual configurations for this solution are available in Appendix A.
cumulusnetworks.com 13
DOCUMENT: VALIDATED DESIGN GUIDE
Our example is configured with the following server loopback IP addresses and BGP ASs as
outlined in Table 4.
Table 5 depicts the IP addresses used within the servers in our example:
cumulusnetworks.com 14
DOCUMENT: VALIDATED DESIGN GUIDE
SERVER BRIDGE GATEWAY IP CONTAINER SUBNET CONTAINER DEFAULT IP ASSIGNMENTS
Build Steps for a Container Network with Host Pack Advertising Bridge Subnet
Follow the build steps for the generic spine/leaf architecture as denoted in the Building a
Spine/Leaf Architecture section. The final steps for building out a containerized network with the
Host Pack are as follows.
BUILD STEPS
TASKS
Per-leaf switch
Per-server
cumulusnetworks.com 15
DOCUMENT: VALIDATED DESIGN GUIDE
1. Configure a BGP neighbor on the leaf's server-facing interfaces.
Add the following commands to each leaf switch, assuming swp1 and swp2 are server-facing
switch ports. Note the neighbor does not come up until BGP is configured on the server:
cumulus@leaf01:mgmt-vrf:~$ n
et a dd bgp neighbor swp1-2 interface remote-as external
cumulus@leaf01:mgmt-vrf:~$ n et c ommit
Edit the server's /etc/network/interfaces file to add a static loopback address and Ethernet
interfaces if not already configured. If the MTU of the leaf’s server facing switch port was changed
to 9216, change the server’s MTU as well. The configuration below has ifupdown2 installed:
auto lo
iface lo inet loopback
address <loopback IP>/32
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1
mtu 9216
auto eth2
iface eth2
mtu 9216
Bring up the loopback interface and Ethernet interfaces by executing the following ifup
commands:
cumulusnetworks.com 16
DOCUMENT: VALIDATED DESIGN GUIDE
cumulus@server01:~$ s
udo i fup l o
cumulus@server01:~$ s udo i fup e th1
cumulus@server01:~$ s udo i fup e th2
Verify the interfaces are up by performing the following commands for all the server interfaces:
If the interfaces are not up, perform the following command, replacing “eth1” with the appropriate
interface:
By default, Docker enables masquerade (NAT/PAT). Masquerade needs to be disabled since the
reachable IP will be advertised directly from the server, and we will set the mtu equal to the host's
physical interfaces. The gateway and subnet settings are unique to the host and are based on
Table 5.
cumulusnetworks.com 17
DOCUMENT: VALIDATED DESIGN GUIDE
cumulusnetworks.com 18
DOCUMENT: VALIDATED DESIGN GUIDE
The Quagga configuration file configures eBGP unnumbered and configures a route-map to
advertise only the container subnet and the loopback address into the BGP network. The
LOCAL_ROUTES route-map is applied to the redistribute connected command. The as-path
access-list HOST_ORIGINATED_ROUTES option allows only routes from this server to be
advertised into the domain to eliminate the server acting as a transit router.
!
!
interface eth1
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
interface eth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
router bgp 65031
bgp router-id 10.0.0.31
bgp bestpath as-path multipath-relax
neighbor eth1 interface remote-as external
neighbor eth2 interface remote-as external
!
address-family ipv4 unicast
redistribute connected route-map LOCAL_ROUTES
neighbor eth1 filter-list HOST_ORIGINATED_ROUTES o ut
neighbor eth2 filter-list HOST_ORIGINATED_ROUTES o ut
exit-address-family
!
cumulusnetworks.com 19
DOCUMENT: VALIDATED DESIGN GUIDE
Save this file on the local server01, as Quagga_server01.conf for example. We will apply this
configuration to the container during container boot up in the next step.
cumulusnetworks.com 20
DOCUMENT: VALIDATED DESIGN GUIDE
If the values are “1”, they can be changed by the following. You must be logged in as root user to
perform this command:
Install containerized Host Pack layer 3 connectivity as seen below. We create a privileged
container on the host network. The container is named cumulus-roh. During installation, we apply
the configuration created in Step 4. By applying the configuration upon running the container, we
will not need to configure it manually and we will save and re-apply the configuration should the
switch be rebooted. Since the image is not found locally, Docker automatically downloads it from
Dockerhub.
cumulus@server01:~$ sudo docker run -t -d --net=host --privileged --name cumulus-roh \
> --restart unless-stopped \
> -v /home/cumulus/Quagga_server01.conf:/etc/quagga/Quagga.conf \
> cumulusnetworks/quagga:latest
Check to be sure the container is installed and active:
cumulusnetworks.com 21
DOCUMENT: VALIDATED DESIGN GUIDE
The procedures for installing Containerized Host Pack layer 3 connectivity are found in the
Installing the Cumulus Quagga package in a Docker Container section of the Cumulus Linux
technical documentation.
After all servers are configured, check a leaf switch to be sure the server BGP neighbors are up.
Neighbor V AS MsgRcvd MsgSent T blVer InQ OutQ U p/Down State/PfxRcd
server01(swp1) 4 65031 1147 1165 0 0 0 00:16:25 1
server02(swp2) 4 65032 1245 1257 0 0 0 01:02:08 1
spine01(swp51) 4 65020 1419 1421 0 0 0 01:10:22 6
spine02(swp52) 4 65020 1419 1421 0 0 0 01:10:22 6
Cumulus Networks recommends configuring a prefix list to allow only a default route in. Care
must be taken to ensure the host does not act as a transit router. More information on the prefix
list recommendations can be found in the BGP chapter of the Cumulus Linux technical
documentation.
The pre-built 5.6 apache container is used. To test that the correct container is accessed, create
some short HTML files. Later, these files will be copied into the appropriate container upon
container bootup.
cumulusnetworks.com 22
DOCUMENT: VALIDATED DESIGN GUIDE
cumulus@server01:~$ e
cho " This i s s erver01 c ontainer1." > / home/cumulus/container1.html
cumulus@server01:~$ e cho " This i s s erver01 c ontainer2." > / home/cumulus/container2.html
cumulus@server01:~$ e cho " This i s s erver01 c ontainer3." > / home/cumulus/container3.html
Run the same command three times, changing the name of the container and the HTML file.
Next, add three containers running apache to the bridge apache_network. Perform the following
step three times, changing the html file.
More information about the options in a docker run command can be found in the Docker run
reference.
Note how Docker has changed the iptables to allow specific access to the containers running
Apache. For example, if you send data on port 80 to the IP address 172.16.1.1, iptables will map
that to the server’s internal port 32771, which is then mapped to a specific container on the host.
cumulusnetworks.com 23
DOCUMENT: VALIDATED DESIGN GUIDE
-A DOCKER ! -i apache_network -p tcp -m tcp --dport 32772 -j DNAT --to-destination
172.16.1.2:80
-A DOCKER ! -i apache_network -p tcp -m tcp --dport 32773 -j DNAT --to-destination
172.16.1.3:80
COMMIT
# Completed on Wed Aug 9 00:08:16 2017
# Generated by iptables-save v1.6.0 on Wed Aug 9 00:08:16 2017
*filter
:INPUT ACCEPT [119:7660]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [75:11576]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o apache_network -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o apache_network -j DOCKER
-A FORWARD -i apache_network ! -o apache_network -j ACCEPT
-A FORWARD -i apache_network -o apache_network -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.16.1.1/32 ! -i apache_network -o apache_network -p tcp -m tcp --dport 8
0 - j
ACCEPT
-A DOCKER -d 172.16.1.2/32 ! -i apache_network -o apache_network -p tcp -m tcp --dport 8 0 - j
ACCEPT
-A DOCKER -d 172.16.1.3/32 ! -i apache_network -o apache_network -p tcp -m tcp --dport 8 0 - j
ACCEPT
-A DOCKER-ISOLATION -i docker0 -o apache_network -j DROP
-A DOCKER-ISOLATION -i apache_network -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
COMMIT
cumulusnetworks.com 24
DOCUMENT: VALIDATED DESIGN GUIDE
cumulusnetworks.com 25
DOCUMENT: VALIDATED DESIGN GUIDE
Curl to a remote container on server01 from a container on server02:
Here is the local ARP table on server01 with the containers running:
cumulus@server01:~$ arp
Address HWtype HWaddress F lags Mask I face
169.254.0.1 ether 44:38:39:00:00:15 CM eth2
oob-mgmt-server ether 44:38:39:00:00:57 C eth0
172.16.1.2 ether 02:42:ac:10:01:02 C apache_network
169.254.0.1 ether 44:38:39:00:00:03 CM eth1
172.16.1.3 ether 02:42:ac:10:01:03 C apache_network
172.16.1.1 ether 02:42:ac:10:01:01 C apache_network
In summary, The Container Networking with the Host Pack Advertising the Bridge subnet
advertises docker bridge directly into the routing domain without use of NAT. In addition, this
scenario can also be deployed with multiple bridges, each bridge hosting an application for
example. Each bridge would then need to be advertised via Quagga.
CONCLUSION
Container networking is vital in any modern containerized data center. The infrastructure needs to
support large amounts of traffic and reachability between containers. Cumulus Linux is in a
unique position to offer optimal reachability with our offerings such as Host Pack.
This document outlined a solution to provide an ideal environment for container networking. Try it
out for yourself on a laptop using Cumulus VX with Vagrant or Cumulus in the Cloud.
cumulusnetworks.com 26
DOCUMENT: VALIDATED DESIGN GUIDE
This appendix includes the configurations for Host Pack connectivity, along with advertising
Docker’s user-defined bridge subnet.
Spine Switches
Spine01 Configuration
NCLU Commands:
cumulusnetworks.com 27
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.21/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp3
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp4
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname spine01
service integrated-vtysh-config
log syslog
cumulusnetworks.com 28
DOCUMENT: VALIDATED DESIGN GUIDE
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 29
DOCUMENT: VALIDATED DESIGN GUIDE
Spine02 Configuration
NCLU commands:
cumulusnetworks.com 30
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.22/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp3
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp4
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname spine02
service integrated-vtysh-config
log syslog
cumulusnetworks.com 31
DOCUMENT: VALIDATED DESIGN GUIDE
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 32
DOCUMENT: VALIDATED DESIGN GUIDE
Leaf Switches
Leaf01 Configuration
NCLU Commands:
cumulusnetworks.com 33
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.11/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp51
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp52
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname leaf01
service integrated-vtysh-config
log syslog
cumulusnetworks.com 34
DOCUMENT: VALIDATED DESIGN GUIDE
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 35
DOCUMENT: VALIDATED DESIGN GUIDE
Leaf02 Configuration
NCLU Commands:
cumulusnetworks.com 36
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.12/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp51
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp52
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname leaf02
service integrated-vtysh-config
log syslog
cumulusnetworks.com 37
DOCUMENT: VALIDATED DESIGN GUIDE
n eighbor s
wp51 i nterface r emote-as e xternal
neighbor s wp52 i nterface r emote-as e xternal
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 38
DOCUMENT: VALIDATED DESIGN GUIDE
Leaf03 Configuration
NCLU Commands:
cumulusnetworks.com 39
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.13/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp51
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp52
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname leaf03
service integrated-vtysh-config
log syslog
cumulusnetworks.com 40
DOCUMENT: VALIDATED DESIGN GUIDE
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 41
DOCUMENT: VALIDATED DESIGN GUIDE
Leaf04 Configuration
NCLU Commands:
cumulusnetworks.com 42
DOCUMENT: VALIDATED DESIGN GUIDE
interface l o
address 1 0.0.0.14/32
interface eth0
vrf mgmt
address dhcp
interface swp2
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp1
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp51
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface swp52
ipv6 nd ra-interval 10
mtu 9216
no ipv6 nd suppress-ra
interface mgmt
address 127.0.0.1/8
vrf-table auto
hostname leaf04
service integrated-vtysh-config
log syslog
cumulusnetworks.com 43
DOCUMENT: VALIDATED DESIGN GUIDE
n eighbor s
wp51 i nterface r emote-as e xternal
neighbor s wp52 i nterface r emote-as e xternal
line vty
dot1x
mab-activation-delay 30
eap-reauth-period 0
r adius
accounting-port 1813
shared-secret
authentication-port 1812
time
z one
Etc/UTC
ntp
s ervers
192.168.0.254 iburst
s ource
eth0
dns
n ameserver
192.168.0.254 # vrf mgmt
cumulusnetworks.com 44
DOCUMENT: VALIDATED DESIGN GUIDE
Servers
Server01 Configuration
etc/network/interfaces
auto lo
iface lo inet loopback
address 10.0.0.31/32
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1
mtu 9216
auto eth2
iface eth2
mtu 9216
cumulusnetworks.com 45
DOCUMENT: VALIDATED DESIGN GUIDE
Current configuration:
!
no ipv6 forwarding
username cumulus nopassword
!
service integrated-vtysh-config
!
log file /var/log/quagga/quagga.log
!
log timestamp precision 6
!
interface eth1
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
interface eth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
router bgp 65032
bgp router-id 10.0.0.31
bgp bestpath as-path multipath-relax
neighbor eth1 interface remote-as external
neighbor eth2 interface remote-as external
!
address-family ipv4 unicast
redistribute connected route-map LOCAL_ROUTES
neighbor eth1 filter-list HOST_ORIGINATED_ROUTES out
neighbor eth2 filter-list HOST_ORIGINATED_ROUTES out
Exit-address-family
!
ip as-path access-list HOST_ORIGINATED_ROUTES permit ^$
!
route-map LOCAL_ROUTES permit 10
match interface lo
!
route-map LOCAL_ROUTES permit 20
match interface apache_network
!
line vty
!
end
cumulusnetworks.com 46
DOCUMENT: VALIDATED DESIGN GUIDE
Server02 Configuration
/etc/network/interfaces
auto lo
iface lo inet loopback
address 10.0.0.32/32
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1
mtu 9216
auto eth2
iface eth2
mtu 9216
cumulusnetworks.com 47
DOCUMENT: VALIDATED DESIGN GUIDE
Current configuration:
!
no ipv6 forwarding
username cumulus nopassword
!
service integrated-vtysh-config
!
log file /var/log/quagga/quagga.log
!
log timestamp precision 6
!
interface eth1
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
interface eth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
router bgp 65032
bgp router-id 10.0.0.32
bgp bestpath as-path multipath-relax
neighbor eth1 interface remote-as external
neighbor eth2 interface remote-as external
!
address-family ipv4 unicast
redistribute connected route-map LOCAL_ROUTES
neighbor eth1 filter-list HOST_ORIGINATED_ROUTES o ut
neighbor eth2 filter-list HOST_ORIGINATED_ROUTES o ut
e xit-address-family
!
ip as-path access-list HOST_ORIGINATED_ROUTES permit ^$
!
route-map LOCAL_ROUTES permit 10
match interface lo
!
route-map LOCAL_ROUTES permit 20
match interface apache_network
!
line vty
!
end
cumulusnetworks.com 48
DOCUMENT: VALIDATED DESIGN GUIDE
Server03 Configuration
/etc/network/interfaces
auto lo
iface lo inet loopback
address 10.0.0.33/32
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1
mtu 9216
auto eth2
iface eth2
mtu 9216
cumulusnetworks.com 49
DOCUMENT: VALIDATED DESIGN GUIDE
Current configuration:
!
no ipv6 forwarding
username cumulus nopassword
!
service integrated-vtysh-config
!
log file /var/log/quagga/quagga.log
!
log timestamp precision 6
!
interface eth1
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
interface eth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
router bgp 65032
bgp router-id 10.0.0.33
bgp bestpath as-path multipath-relax
neighbor eth1 interface remote-as external
neighbor eth2 interface remote-as external
!
address-family ipv4 unicast
redistribute connected route-map LOCAL_ROUTES
neighbor eth1 filter-list HOST_ORIGINATED_ROUTES out
neighbor eth2 filter-list HOST_ORIGINATED_ROUTES out
exit-address-family
!
ip as-path access-list HOST_ORIGINATED_ROUTES permit ^$
!
route-map LOCAL_ROUTES permit 10
match interface lo
!
route-map LOCAL_ROUTES permit 20
match interface apache_network
!
line vty
!
end
cumulusnetworks.com 50
DOCUMENT: VALIDATED DESIGN GUIDE
Server04 Configuration
etc/network/interfaces:
auto lo
iface lo inet loopback
address 10.0.0.34/32
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1
mtu 9216
auto eth2
iface eth2
mtu 9216
cumulusnetworks.com 51
DOCUMENT: VALIDATED DESIGN GUIDE
Current configuration:
!
no ipv6 forwarding
username cumulus nopassword
!
service integrated-vtysh-config
!
log file /var/log/quagga/quagga.log
!
log timestamp precision 6
!
interface eth1
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
interface eth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
router bgp 65032
bgp router-id 10.0.0.34
bgp bestpath as-path multipath-relax
neighbor eth1 interface remote-as external
neighbor eth2 interface remote-as external
!
address-family ipv4 unicast
redistribute connected route-map LOCAL_ROUTES
neighbor eth1 filter-list HOST_ORIGINATED_ROUTES o ut
neighbor eth2 filter-list HOST_ORIGINATED_ROUTES o ut
e
xit-address-family
!
ip as-path access-list HOST_ORIGINATED_ROUTES permit ^$
cumulusnetworks.com 52
DOCUMENT: VALIDATED DESIGN GUIDE
CUMULUS, the Cumulus Logo, CUMULUS NETWORKS, and the Rocket Turtle Logo (the “Marks”) are trademarks and service marks of
Cumulus Networks, Inc. in the U.S. and other countries. You are not permitted to use the Marks without the prior written consent of
Cumulus Networks. The registered trademark Linux® is used pursuant to a sublicense from LMI, the exclusive licensee of Linus Torvalds,
owner of the mark on a worldwide basis. All other marks are used under fair use or license from their respective owners.
cumulusnetworks.com 53