Multisite

Diagram

Classes

vxlan

Name	Type	Constraint	Mandatory	Default Value
multisite	Class	`[multisite]`	No

multisite (vxlan)

Name	Type	Constraint	Mandatory	Default Value
child_fabrics	List	`[child_fabrics]`	No
layer2_vni_range	Class	`[layer2_vni_range]`	No
layer3_vni_range	Class	`[layer3_vni_range]`	No
overlay	Class	`[overlay]`	No
anycast_gateway_mac	Any	String[Regex: `^[a-f0-9]{1}\.[a-f0-9]{1}\.[a-f0-9]{1}$`] or String[Regex: `^[a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}$`] or String[Regex: `^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$`] or String[Regex: `^[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}$`]	No	`20:20:00:00:00:aa`
vtep_loopback_id	Integer	min: `0`, max: `1023`	No	`100`
bgw_ip_tag	Integer	min: `0`, max: `4294967295`	No	`54321`
overlay_dci	Class	`[overlay_dci]`	No
ipv4_vtep_loopback_range	IP		No	`10.10.0.0/24`
isn	Class	`[isn]`	No

child_fabrics (vxlan.multisite)

Name	Type	Mandatory
name	String	Yes
bgw_anycast_vip_ipv4	IP	No
cluster	String	No

layer2_vni_range (vxlan.multisite)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: `1`, max: `16777214`	Yes	`30000`
to	Integer	min: `1`, max: `16777214`	No	`49000`

overlay (vxlan.multisite)

Name	Type	Constraint	Mandatory
vrfs	List	`[vrfs]`	No
networks	List	`[networks]`	No
vrf_attach_groups	List	`[vrf_attach_groups]`	No
network_attach_groups	List	`[network_attach_groups]`	No

overlay_dci (vxlan.multisite)

Name	Type	Constraint	Mandatory	Default Value
deployment_method	Choice	`Manual`, `Centralized_To_Route_Server`, `Direct_To_BGWS`	No	`Direct_To_BGWS`
ipv4_dci_subnet_range	IP		No	`10.10.1.0/24`
ipv4_dci_subnet_mask	Integer	min: `8`, max: `31`	No	`30`
route_server	Class	`[route_server]`	No
underlay_autoconfig	Boolean	`true`, `false`	No	`true`
enable_bgp_send_community	Boolean	`true`, `false`	No	`false`
enable_bgp_log_neighbor_change	Boolean	`true`, `false`	No	`false`
enable_bgp_bfd	Boolean	`true`, `false`	No	`false`
delay_restore	Integer	min: `30`, max: `1000`	No	`300`
enable_ebgp_password	Boolean	`true`, `false`	No	`false`
ebgp_password	String		No
ebgp_password_encryption_type	Choice	`3`, `7`	No
enable_trm	Boolean	`true`, `false`	No	`false`

isn (vxlan.multisite)

Name	Type	Constraint	Mandatory	Default Value
bgp_asn	String	Regex: `^(?:\d{1,10}\|\d{1,5}\.\d{1,5})$`	Yes
auth_proto	Choice	`MD5`, `SHA`, `MD5_DES`, `MD5_AES`, `SHA_DES`, `SHA_AES`	No	`MD5`
sub_int_range	String		No	`2-511`
enable_nxapi_http	Boolean	`true`, `false`	No	`false`
nxapi_http_port	Integer		No	`80`
enable_nxapi_https	Boolean	`true`, `false`	No	`true`
nxapi_https_port	Integer		No	`443`
ptp	Class	`[ptp]`	No
netflow	Class	`[netflow]`	No
bootstrap	Class	`[bootstrap]`	No

vrfs (vxlan.multisite.overlay)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
vrf_id	Integer	min: `1`, max: `16777214`	No
vlan_id	Integer	min: `1`, max: `4094`	No
vrf_vlan_name	String		No
vrf_intf_desc	String		No	`Configured by Ansible NetAsCode`
vrf_description	String		No	`Configured by Ansible NetAsCode`
vrf_int_mtu	Integer	min: `1500`, max: `9216`	No	`9216`
loopback_route_tag	Integer	min: `0`, max: `4294967295`	No	`12345`
max_bgp_paths	Integer	min: `1`, max: `128`	No	`1`
max_ibgp_paths	Integer	min: `1`, max: `128`	No	`2`
ipv6_linklocal_enable	Boolean	`true`, `false`	No	`true`
disable_rt_auto	Boolean	`true`, `false`	No	`false`
export_evpn_rt	String		No
export_vpn_rt	String		No
import_evpn_rt	String		No
import_vpn_rt	String		No
redist_direct_routemap	String		No	`FABRIC-RMAP-REDIST-SUBNET`
ipv6_redist_direct_routemap	String		No	`FABRIC-RMAP-REDIST-SUBNET`
child_fabrics	List	`[child_fabrics]`	No
vrf_attach_group	String		No

networks (vxlan.multisite.overlay)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
is_l2_only	Boolean	`true`, `false`	No	`false`
vrf_name	String		No
net_id	Integer	min: `1`, max: `16777214`	No
vlan_id	Integer	min: `1`, max: `4094`	No
vlan_name	String		No
int_desc	String		No
gw_ip_address	IP		No
gw_ipv6_address	String		No
secondary_ip_addresses	List	`[secondary_ip_addresses]`	No
mtu_l3intf	Integer		No	`9216`
route_tag	Integer	min: `0`, max: `4294967295`	No	`12345`
arp_suppress	Boolean	`true`, `false`	No	`false`
route_target_both	Boolean	`true`, `false`	No	`false`
child_fabrics	List	`[child_fabrics]`	No
network_attach_group	String		No

vrf_attach_groups (vxlan.multisite.overlay)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
switches	List	`[switches]`	No

network_attach_groups (vxlan.multisite.overlay)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
switches	List	`[switches]`	No

route_server (vxlan.multisite.overlay_dci)

Name	Type	Constraint	Mandatory	Default Value
peers	List	`[peers]`	No
redistribute_direct	Boolean	`true`, `false`	No	`false`
ip_tag	Integer	min: `0`, max: `4294967295`	No	`54321`

ptp (vxlan.multisite.isn)

Name	Type	Constraint	Mandatory	Default Value
enable	Boolean	`true`, `false`	No	`false`
domain_id	Integer	min: `0`, max: `127`	No	0
lb_id	Integer	min: `0`, max: `1023`	No	0
vlan_id	Integer	min: `2`, max: `3967`	No

netflow (vxlan.multisite.isn)

Name	Type	Constraint	Mandatory	Default Value
enable	Boolean	`true`, `false`	No	`false`
exporter	List	`[exporter]`	No
record	List	`[record]`	No
monitor	List	`[monitor]`	No

bootstrap (vxlan.multisite.isn)

Name	Type	Constraint	Mandatory	Default Value
enable_bootstrap	Boolean	`true`, `false`	No	`false`
enable_local_dhcp_server	Boolean	`true`, `false`	No	`false`
dhcp_version	Choice	`DHCPv4`, `DHCPv6`	No
dhcp_v4	Class	`[dhcp_v4]`	No
dhcp_v6	Class	`[dhcp_v6]`	No
enable_cdp_mgmt	Boolean	`true`, `false`	No
bootstrap_freeform	String		No

child_fabrics (vxlan.multisite.overlay.vrfs)

Name	Type	Constraint	Mandatory
name	String		Yes
adv_host_routes	Boolean	`true`, `false`	No
adv_default_routes	Boolean	`true`, `false`	No
static_default_route	Boolean	`true`, `false`	No
bgp_password	String		No
bgp_password_encryption_type	Choice	`3`, `7`	No
netflow_enable	Boolean	`true`, `false`	No
netflow_monitor	String		No
trm_enable	Boolean	`true`, `false`	No
trm_bgw_msite	Boolean	`true`, `false`	No
enable_l3_vni_no_vlan	Boolean	`true`, `false`	No
no_rp	Boolean	`true`, `false`	No
rp_external	Boolean	`true`, `false`	No
rp_address	IP		No
rp_loopback_id	Integer	min: `0`, max: `1023`	No
underlay_mcast_ip	IP		No
overlay_multicast_group	String		No
import_mvpn_rt	String		No
export_mvpn_rt	String		No

secondary_ip_addresses (vxlan.multisite.overlay.networks)

Name	Type	Constraint	Mandatory	Default Value
ip_address	IP		Yes
route_tag	Integer	min: `0`, max: `4294967295`	No

child_fabrics (vxlan.multisite.overlay.networks)

Name	Type	Constraint	Mandatory
name	String		Yes
dhcp_loopback_id	Integer	min: `0`, max: `1023`	No
dhcp_servers	List	`[dhcp_servers]`	No
multicast_group_address	IP		No
trm_enable	Boolean	`true`, `false`	No
netflow_enable	Boolean	`true`, `false`	No
vlan_netflow_monitor	String		No
l3gw_on_border	Boolean	`true`, `false`	No

switches (vxlan.multisite.overlay.vrf_attach_groups)

Name	Type	Constraint	Mandatory
hostname	String		Yes
loopback_id	Integer	min: `0`, max: `1023`	No
loopback_ipv4	IP		No
loopback_ipv6	IP		No
freeform_config	String		No

switches (vxlan.multisite.overlay.network_attach_groups)

Name	Type	Constraint	Mandatory	Default Value
hostname	String		Yes
ports	List	String[Regex: `(?i)^(?:e\|eth(?:ernet)?)((\d)/\d{1,3})$\|^(?:po\|port-channel)([1-9]\|[1-9][0-9]{1,2}\|[1-3][0-9]{3}\|40[0-8][0-9]\|409[0-6])$`]	No

peers (vxlan.multisite.overlay_dci.route_server)

Name	Type	Constraint	Mandatory	Default Value
ip_address	IP		Yes
bgp_asn	String	Regex: `^(?:\d{1,10}\|\d{1,5}\.\d{1,5})$`	Yes

exporter (vxlan.multisite.isn.netflow)

Name	Type	Constraint	Mandatory
name	String		Yes
ip_address	IP		Yes
vrf	String		No
source_interface	String	Regex: `(?i)^(?:e\|eth(?:ernet)?)\d(?:\/\d+){1,2}(\.\d{1,4})?$`	Yes
udp_port	Integer	min: `1`, max: `65535`	Yes

record (vxlan.multisite.isn.netflow)

Name	Type	Constraint	Mandatory
name	String		Yes
template	Choice	`netflow_ipv4_record`, `netflow_l2_record`	Yes
layer2	Boolean	`true`, `false`	No

monitor (vxlan.multisite.isn.netflow)

Name	Type	Mandatory
name	String	Yes
record	String	Yes
exporter1	String	Yes
exporter2	String	No

dhcp_v4 (vxlan.multisite.isn.bootstrap)

Name	Type	Constraint	Mandatory
scope_start_address	IP		Yes
scope_end_address	IP		Yes
switch_mgmt_default_gw	IP		Yes
mgmt_prefix	Integer	min: `8`, max: `30`	Yes
multi_subnet_scope	String		No
domain_name	String		No

dhcp_v6 (vxlan.multisite.isn.bootstrap)

Name	Type	Constraint	Mandatory
scope_start_address	IP		Yes
scope_end_address	IP		Yes
switch_mgmt_default_gw	IP		Yes
mgmt_prefix	Integer	min: `64`, max: `126`	Yes
multi_subnet_scope	String		No
domain_name	String		No

dhcp_servers (vxlan.multisite.overlay.networks.child_fabrics)

Name	Type	Constraint	Mandatory	Default Value
ip_address	IP		Yes
vrf	String		Yes

Workflow

To manage an MSD Fabric, you need to follow this process:

Step 1 - Create your child fabrics. In this example, we have four (4) childs fabrics:

nac-ndfc1
nac-ndfc2
nac-ndfc3
nac-isn

Each fabric has their own data source under host_vars.

❯ tree -L1  host_vars
host_vars
├── nac-isn
├── nac-msd
├── nac-ndfc1
├── nac-ndfc2
└── nac-ndfc3

❯ cat inventory.yaml
---
all:
  children:
    ndfc:
      hosts:
        nac-isn:
          ansible_host: 10.x.x.x
        nac-msd:
          ansible_host: 10.x.x.x
        nac-ndfc1:
          ansible_host: 10.x.x.x
        nac-ndfc2:
          ansible_host: 10.x.x.x
        nac-ndfc3:
          ansible_host: 10.x.x.x

Step 2 - Create the MSD fabric, which includes child fabrics.

MSD Example

Figure: MultiSite topology overview

In this example, we have a fabric named nac-msd. In this MSD fabric, all fabrics use the same anycast gateway mac: DE:AD:BE:EF:FE:ED. The loopback ID used for the Anycast IP configured on each Border Gateway is: 100 and the subnet used to allocate an IP is: 10.10.0.0/24.

This configuration uses external ISN devices as the Route Server. In this configuration there are four (4) IP addresses:

100.64.0.1
100.64.0.2
100.64.0.3
100.64.0.4

Each IP will be associated to an Autonomous System (ASN), which can be different for each Route Server. In this example, all Route Servers will use the ASN 65000.100. When underlay_autoconfig is true, you need to provide a subnet for the DCI point-to-point (p2p) connection(s). Here we used the subnet 10.10.1.0/24. Each p2p will used CIDR /30.

The value in bgp_asn should between double quotes. Example:

global:
    bgp_asn: "6512"

global:
  bgp_asn: "65000.1"

---
vxlan:
  fabric:
    name: nac-msd
    type: MSD
  multisite:
    child_fabrics:
      - name: nac-ndfc1
      - name: nac-ndfc2
      - name: nac-ndfc3
      - name: nac-isn
    anycast_gateway_mac: de:ad:be:ef:fe:ed
    bgw_ip_tag: 54321
    vtep_loopback_id: 100
    ipv4_vtep_loopback_range: 10.10.0.0/24
    overlay_dci:
      underlay_autoconfig: true
      deployment_method: 'Centralized_To_Route_Server'
      ipv4_dci_subnet_range: 10.10.1.0/24
      ipv4_dci_subnet_mask: 30
      route_server:
        peers:
          - ip_address: 100.64.0.1
            bgp_asn: "65000.100"  # Use quotes
          - ip_address: 100.64.0.2
            bgp_asn: "65000.100"  # Use quotes
          - ip_address: 100.64.0.3
            bgp_asn: "65000.100"  # Use quotes
          - ip_address: 100.64.0.4
            bgp_asn: "65000.100"  # Use quotes
        redistribute_direct: false
        ip_tag: 54321
      enable_bgp_bfd: false
      enable_bgp_log_neighbor_change: true
      enable_bgp_send_community: true
      enable_ebgp_password: false
      enable_trm: false
      delay_restore: 300

Starting with release 0.4.3, we are introducing a new key, vxlan.multisite.child_fabrics.bgw_anycast_vip_ipv4, which allows you to configure a custom Virtual IP (VIP) address or anycast IP for the Border Gateway. This key is utilized only when vxlan.underlay.general.manual_underlay_allocation is set to true for at least one child fabric.

---
vxlan:
  fabric:
    name: nac-msd
    type: MSD
  multisite:
    child_fabrics:
      - name: nac-ndfc1
        bgw_anycast_vip_ipv4: 100.66.1.1
      - name: nac-ndfc2
        bgw_anycast_vip_ipv4: 100.66.1.2
      - name: nac-ndfc3
        bgw_anycast_vip_ipv4: 100.66.1.3
      - name: nac-isn

ISN Example

This fabric named nac-isn, uses a fabric type: ISN. Here, we must configure an ASN. In addition we can add a range of vlan for sub-interface.

---
vxlan:
  fabric:
    name: nac-isn
    type: ISN
  multisite:
   isn:
    bgp_asn: "65000.100"    # Use quotes
    sub_int_range: 2-511

Multisite Overlays

VRF multisite

Example 1:

vxlan:
  multisite:
    overlay:
      vrfs:
        # simple example
        - vrf_name: NetAsCodeVrf1
          vrf_id: 150001
          vlan_id: 2001
          attach_group: NetAsCodeVrf1_AttachGroup
      vrf_attach_groups:
        - name: NetAsCodeVrf1_AttachGroup
          switches:
            - hostname: dc1-leaf1
            - hostname: dc1-leaf2

Network multisite

Example 1 - Layer2 network:

vxlan:
  multisite:
    overlay:
      networks:
          # simple example
        - name: NetworkDMZ
          is_l2_only: true
          net_id: 33100
          vlan_id: 3100
          attach_group: dmz
      network_attach_groups:
        - name: dmz
          switches:
            - hostname: dc1-leaf1
              ports:
                - Ethernet1/23
                - Ethernet1/24
            - hostname: dc1-leaf2
              ports:
                - Ethernet1/23
                - Ethernet1/24

Example 2 - Layer3 network:

This section defines a Layer 3 network with IPv4 and IPv6 gateway addresses that spans multiple child fabrics in a Multi-Site deployment. The Network_53001 configuration establishes a distributed SVI (Switch Virtual Interface) across both nac-ndfc1 and nac-ndfc2 fabrics, associated with NaC-VRF1. Each child fabric is configured with the same multicast group address for BUM (Broadcast, Unknown unicast, Multicast) traffic handling, and the l3gw_on_border: true parameter enables Layer 3 gateway functionality on the border leaf switches. This creates a stretched Layer 3 network where the gateway IP addresses (10.0.1.1/24 for IPv4 and 2001:0db8:0001:0000:0000:0000:0000:0001/64 for IPv6) are active on border devices in both data centers, providing localized gateway services and optimal traffic flow for hosts connected to this network segment.

---
vxlan:
  multisite:
    overlay:
      networks:
        - name: Network_53001
          vrf_name: NaC-VRF1
          vlan_name: Network_530001_vlan3001_VRF-NaC-VRF1-Subnet_10.0.1.0_24
          int_desc: "SVI_Net_53001_VRF-NaC-VRF1-Subnet_10.0.1.0_24"
          net_id: 53001
          vlan_id: 3001
          gw_ip_address: "10.0.1.1/24"
          gw_ipv6_address: "2001:0db8:0001:0000:0000:0000:0000:0001/64"
          child_fabrics:
            - name: nac-ndfc1
              multicast_group_address: 239.2.1.0
              l3gw_on_border: true
            - name: nac-ndfc2
              multicast_group_address: 239.2.1.0
              l3gw_on_border: true
          network_attach_group: Network_53001_AttGrp

MCFG Example

Managing Multi-Cluster Fabrics Groups (MCFG) follow the same steps of managing an MSD Fabric. Additional keys and value must be defined in the data model and on the inventory file. In this example we have a fabric named nac-mcfg. This fabric is similar as the MSD example, the main difference is that nac-ndfc1 and nac-ndfc2 child fabrics are managed by nd-cluster-1 while nac-ndfc3 and nac-isn are managed by nd-cluster-2.

---
vxlan:
  fabric:
    name: nac-mcfg
    type: MCFG
  multisite:
    child_fabrics:
      - name: nac-ndfc1
        cluster: nd-cluster-1
      - name: nac-ndfc2
        cluster: nd-cluster-1
      - name: nac-ndfc3
        cluster: nd-cluster-2
      - name: nac-isn
        cluster: nd-cluster-2
    anycast_gateway_mac: de:ad:be:ef:fe:ed

MCFG uses a feature called One Manage. This features requires remote authentication, which means that the inventory file must be updated to reflect the multiple clusters.

For detailed information about One Manage, refer to the Cisco NDFC One Manage Documentation.

❯ cat inventory.yaml
---
all:
  children:
    ndfc:
      hosts:
        nac-ndfc1:
          ansible_host: 10.x.x.x
        nac-ndfc2:
          ansible_host: 10.x.x.x
        nac-ndfc3:
          ansible_host: 10.y.y.y
        nac-isn:
          ansible_host: 10.y.y.y
        nac-mcfg:
          ansible_host: 10.x.x.x
          ansible_httpapi_login_domain: LOGIN_DOMAIN