====== Cisco Catalyst 9500 Series Manual ======

**[[https://www.cisco.com/c/en/us/support/switches/catalyst-9500-series-switches/products-installation-and-configuration-guides-list.html|Configuration Guides]]**

**[[https://www.manualslib.com/products/Cisco-Catalyst-9500-Series-8759103.html|Cisco Catalyst 9500 Series Switches Manuals]]**

----

Useful show commands:

```
Switch#show running-config interface Port-channel2
Switch#show interfaces status
Switch#show mac address-table
Switch#show ip igmp snooping
Switch#show lldp
Switch#show lldp neighbors
Switch#show lldp neighbors detail
Switch#show system mtu
Switch#show platform hardware capacity
Switch#show interfaces | include MTU
Switch#show running-config | begin TwentyFiveGigE1/0/1
```

----

To bring up a 25G link between a Cisco and an Aruba switch with FEC disabled, both ends must be changed:

  * On the **Cisco switch**, enter interface configuration mode and use **fec off**.
  * On the **Aruba switch**, enter interface configuration mode and use **error-control none**.

A FEC mismatch (one side on, the other off) keeps the link down even though the optics and fibre are fine.

----

**{{ :cisco:switch:9500:1dc4bfad-7c8a-4b86-aa6e-bd3bd2d46fbe.pdf |Cisco Catalyst 9500 Series Switches Hardware Installation Guide}}**

{{pdfjs 46em >:cisco:switch:9500:1dc4bfad-7c8a-4b86-aa6e-bd3bd2d46fbe.pdf }}

----

**{{ :cisco:switch:9500:baef5d19-ac34-49f0-a5fa-76969121fd01.pdf |CommandReference, Cisco IOS XE 17.15.x (Catalyst 9500 Switches)}}**

{{pdfjs 46em >:cisco:switch:9500:baef5d19-ac34-49f0-a5fa-76969121fd01.pdf }}

----

**Password**

```
enable
configure terminal
 enable secret NEW_PASSWORD
 line console 0
  password NEW_PASSWORD
  login
 exit
 username USERNAME secret NEW_PASSWORD
end
write memory
show running-config | include username
```

Note: the original recipe set both ''enable password'' and ''enable secret''. When both exist the secret is what the switch checks, and the ''enable password'' line is only a second copy of a credential stored reversibly, so it has been dropped above. Use the ''secret'' form for the enable password and for every ''username'' (IOS XE stores it as a salted hash; ''enable algorithm-type scrypt secret …'' and ''username … algorithm-type scrypt secret …'' select type 9 explicitly).

''service password-encryption'' only applies type 7 encoding to the plain-text passwords that remain (line passwords, ''enable password'', ''username … password''). Type 7 is a fixed-key XOR that any reader of the configuration can reverse, so it protects against shoulder-surfing and nothing else. Prefer ''login local'' with ''secret''-based users on the console and vty lines over a shared line password.

----

**Basic cli**

```
Switch#configure terminal
Switch(config)#hostname Cisco_switch_x
Cisco_switch_x(config)#interface vlan 1
Cisco_switch_x(config-if)#ip address 172.16.29.10 255.255.0.0
Cisco_switch_x(config-if)#no shutdown
Cisco_switch_x(config-if)#exit
Cisco_switch_x(config)#enable secret P@$$w0^d
Cisco_switch_x(config)#username admin privilege 15 secret P@$$w0^d
Cisco_switch_x(config)#ip default-gateway 172.16.29.1
Cisco_switch_x(config)#line con 0
Cisco_switch_x(config-line)#password p@$$w0^d
Cisco_switch_x(config-line)#login
Cisco_switch_x(config-line)#exit
Cisco_switch_x(config)#line vty 0 4
Cisco_switch_x(config-line)#password p@$$w0^d
Cisco_switch_x(config-line)#login
Cisco_switch_x(config-line)#exit
Cisco_switch_x(config)#interface TwentyFiveGigE1/0/1
Cisco_switch_x(config-if)#description Development VLAN
Cisco_switch_x(config-if)#exit
Cisco_switch_x(config)#end
Cisco_switch_x#show ip route
Cisco_switch_x#show running-config
Cisco_switch_x#write memory
Building configuration...
[OK]
Cisco_switch_x#
```

Three things from the original sequence were corrected: ''interface vlan 1'' has to be entered before its ''ip address'' (the prompt changes to ''(config-if)''); ''line aux 0'' was removed because the Catalyst 9500 has no auxiliary port; and ''ip route 172.16.29.59 255.255.0.0'' was removed because a static route needs a prefix, a matching mask and a next hop, and only takes effect once ''ip routing'' is enabled. For a Layer 2 switch with a management SVI, ''ip default-gateway'' is all that is needed. The original also used ''interface fastethernet 0/1'' with ''duplex full''; those belong to older Catalyst models, the 25G ports on this platform are full duplex only.

----

**Allow IP Forwarding Globally**

''ip routing'' turns the switch into a router between its SVIs. ''ip forward-protocol udp'' only matters together with ''ip helper-address'' (relaying DHCP and other UDP broadcasts); it is not required for inter-VLAN routing.

```
configure terminal
 ip routing
 ip forward-protocol udp
 interface Vlan10
  ip address 192.168.1.1 255.255.255.0
  no shutdown
 interface Vlan20
  ip address 192.168.2.1 255.255.255.0
  no shutdown
```

Once ''ip routing'' is on, every VLAN with an SVI can reach every other one; put an ACL on the SVIs (''ip access-group'') of any segment that is supposed to stay isolated.

----

**Enable Multicast Routing**

''ip pim sparse-mode'' is an interface command, not a global one (the original listed it at global level). Choose one RP mechanism: a static RP (''ip pim rp-address'') or Auto-RP (''send-rp-announce'' / ''send-rp-discovery''); the template lists both, use one. IGMP snooping is enabled by default on Catalyst switches, the explicit commands only matter if it was turned off.

```
enable
configure terminal
 ip multicast-routing
 interface INTERFACE_ID
  ip pim sparse-mode
 ! Option A: static RP
 ip pim rp-address RP_IP_ADDRESS
 ! Option B: Auto-RP (this switch announces itself as candidate RP and as mapping agent)
 ip pim send-rp-announce INTERFACE scope TTL
 ip pim send-rp-discovery INTERFACE scope TTL
 ip igmp snooping vlan VLAN_ID
 ip igmp snooping
 exit
show ip mroute
show ip pim neighbor
show ip pim rp
show ip igmp groups
```

Example Configuration Scenario:

  * Multicast source: 192.168.1.10
  * RP: 192.168.1.1
  * VLAN 10 and VLAN 20 are participating in multicast.
Configuration:

```
ip multicast-routing
ip pim rp-address 192.168.1.1
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
```

**Example** (IGMP snooping per VLAN; the command takes one VLAN ID at a time)

```
enable
configure terminal
 ip igmp snooping vlan 1
 ip igmp snooping vlan 500
 ip igmp snooping vlan 501
 ip igmp snooping vlan 502
 ip igmp snooping vlan 503
 ip igmp snooping vlan 504
 ip igmp snooping vlan 505
 ip igmp snooping vlan 506
 ip igmp snooping vlan 507
 ip igmp snooping vlan 508
 ip igmp snooping vlan 509
 ip igmp snooping vlan 510
 ip igmp snooping vlan 511
 ip igmp snooping vlan 512
 ip igmp snooping vlan 513
 ip igmp snooping vlan 514
 ip igmp snooping vlan 515
 ip igmp snooping vlan 516
 ip igmp snooping vlan 517
 ip igmp snooping vlan 518
 ip igmp snooping vlan 519
 ip igmp snooping vlan 520
 ip igmp snooping vlan 521
 ip igmp snooping vlan 522
 ip igmp snooping vlan 523
 ip igmp snooping vlan 524
 ip igmp snooping vlan 525
 ip igmp snooping vlan 526
 ip igmp snooping vlan 527
 ip igmp snooping
```

----

**Enable LLDP Globally**

LLDP advertises hostname, management address, software version and port details to whatever is plugged in. Enable it on infrastructure links; on ports facing untrusted hosts keep ''lldp receive'' (so ''show lldp neighbors'' still shows what is connected) and turn off ''lldp transmit''. Once ''lldp run'' is set, transmit and receive are the per-port defaults; the explicit interface commands only re-enable them where they were disabled.

```
enable
configure terminal
 lldp run
 lldp timer 60
 lldp holdtime 180
 interface INTERFACE_ID
  lldp transmit
  lldp receive
 exit
end
write memory
show lldp
show lldp neighbors
show lldp neighbors detail
```

**Example**

```
configure terminal
 lldp run
 lldp timer 60
 lldp holdtime 180
 interface GigabitEthernet1/0/1
  lldp transmit
  lldp receive
 interface GigabitEthernet1/0/2
  lldp transmit
  lldp receive
end
write memory
```

**Example** (the original repeated the same two commands for TwentyFiveGigE1/0/1 to 1/0/24 and HundredGigE1/0/25 to 1/0/28; ''interface range'' does that in two stanzas)

```
enable
configure terminal
 lldp run
 interface range TwentyFiveGigE1/0/1 - 24
  lldp transmit
  lldp receive
 interface range HundredGigE1/0/25 - 28
  lldp transmit
  lldp receive
end
```

----

**Verify MTU Support**

On the Catalyst 9500 the system MTU is set with ''system mtu <bytes>''; the ''system mtu jumbo'' form used in the original belongs to older Catalyst platforms. Check ''show system mtu'' after the change; the original procedure reloads, which is the older-Catalyst habit and is only needed if the output reports that the new value is not yet active. A per-interface ''mtu'' overrides the system value on that port.

```
show system mtu
show platform hardware capacity
configure terminal
 system mtu 9100
 interface INTERFACE_ID
  mtu 9100
 exit
end
write memory
show system mtu
show interfaces | include MTU
```

**Example**

```
configure terminal
 system mtu 9100
 interface GigabitEthernet1/0/1
  mtu 9100
 exit
end
write memory
```

Keep the MTU consistent end to end: a 9100-byte frame that arrives at a port whose neighbour still runs 1500 is silently dropped, which shows up as "ping works but large transfers stall".

----

If you don't see VLAN information in the running configuration on a Cisco switch, it is usually because of the **VTP mode**: in the default server mode the VLAN database is kept in the **vlan.dat** file in flash rather than in the running configuration. To make the VLAN definitions appear in the running configuration, use **vtp mode transparent**.

**Explanation**

To display VLAN information on a Cisco switch, use ''show vlan'' (or ''show vlan brief'') in privileged EXEC mode; the original's ''show switch vlan'' is not a valid command, ''show switch'' reports stack members.
The **show run** command displays the complete configuration of a Cisco router or switch, which can be very long and run to thousands of lines. In the default VTP server mode the VLAN database lives in the **vlan.dat** file and is not part of that output.

A switch left in VTP server or client mode accepts a VLAN database from any neighbour on a trunk whose configuration revision number is higher (the classic way a lab switch wipes production VLANs). Set ''vtp mode transparent'' or ''vtp mode off'' unless VTP is deliberately in use, and verify with ''show vtp status''.

----

**Port-channel**

```
enable
configure terminal
 interface range GigabitEthernet1/0/1 - 2
  channel-group 1 mode active
 interface Port-channel1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
```

For Layer 3 (used for routing):

```
 interface Port-channel1
  no switchport
  ip address 192.168.1.1 255.255.255.0
 exit
```

Verification:

```
show etherchannel summary
show lacp neighbor
show running-config interface Port-channel1
```

**Port-channel Example 1**

```
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
```

----

**Port-channel Example 2**

''switchport nonegotiate'' turns DTP off so a connected host cannot negotiate the port into a trunk, and ''udld port aggressive'' err-disables the member when one direction of the fibre fails instead of leaving a one-way link in the bundle; both belong on every inter-switch link.

```
!
interface Port-channel1
 description *** Port-Channel to XYZ***
 switchport
 switchport mode trunk
 switchport nonegotiate
 logging event bundle-status
!
!
interface TwentyFiveGigE1/0/5
 description *** Port-Channel to XYZ***
 switchport
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 1 mode active
 service-policy input AutoQos-4.0-Trust-Cos-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
!
```

**Port-channel Example 3**

```
interface Port-channel1
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 logging event bundle-status
!
interface TwentyFiveGigE1/0/1
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 1 mode active
!
interface TwentyFiveGigE1/0/2
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 1 mode active
!
```

----

**Basic cli example**

```
configure terminal
 hostname cisco_switch_x
 interface vlan 1
  ip address 172.16.29.10 255.255.0.0
  no shutdown
 exit
 enable secret P@$$w0^d
 username admin privilege 15 secret P@$$w0^d
 ip default-gateway 172.16.29.1
 interface TwentyFiveGigE1/0/1
  description Development VLAN
 exit
end
show ip route
show running-config
write memory
```

The original's ''interface vlan'' had no VLAN number; ''ip route 172.16.29.59 255.255.0.0'' (no next hop, mask not matching the prefix, and meaningless without ''ip routing'') and the FastEthernet ''duplex full'' lines are left out for the same reasons as in the Basic cli section.

----

**Stop Cisco console messages**

''terminal no monitor'' is an EXEC command that stops syslog output on the current vty session only. For the physical console pick one of the two: ''no logging console'' silences it completely, ''logging console warnings'' keeps severity 4 and below (warnings, errors, critical, alerts, emergencies). Keep the messages going to the buffer (''logging buffered'') and to a syslog host, so that quietening the console does not mean losing the events.

```
enable
terminal no monitor
configure terminal
 no logging console
 ! or, to keep warnings and above on the console:
 logging console warnings
end
show logging
write memory
```

----

**Disable STP on a Specific VLAN**

Turning spanning tree off removes the only mechanism that detects a Layer 2 loop: one mis-patched cable or a looped host then floods the whole VLAN. Only do this on VLANs whose topology is guaranteed loop-free (single uplink, point-to-point), and never use ''no spanning-tree vlan 1-4094'' on a switch that has redundant links. Where the goal is only faster edge-port convergence, ''spanning-tree portfast'' on access ports (with ''spanning-tree bpduguard enable'' alongside it) achieves that without disabling STP.

```
configure terminal
 vlan VLAN_ID
 exit
 no spanning-tree vlan VLAN_ID
 interface INTERFACE_ID
  spanning-tree portfast
end
write memory
show spanning-tree vlan VLAN_ID
show spanning-tree
```

The original also listed ''no spanning-tree vlan 1-4094'' as a one-liner; treat it as the dangerous option it is.

**Example**

```
no spanning-tree vlan 1
no spanning-tree vlan 500
no spanning-tree vlan 501
no spanning-tree vlan 502
no spanning-tree vlan 503
no spanning-tree vlan 504
no spanning-tree vlan 505
no spanning-tree vlan 506
no spanning-tree vlan 507
no spanning-tree vlan 508
no spanning-tree vlan 509
no spanning-tree vlan 510
no spanning-tree vlan 511
no spanning-tree vlan 512
no spanning-tree vlan 513
no spanning-tree vlan 514
no spanning-tree vlan 515
no spanning-tree vlan 516
no spanning-tree vlan 517
no spanning-tree vlan 518
no spanning-tree vlan 519
no spanning-tree vlan 520
no spanning-tree vlan 521
no spanning-tree vlan 522
no spanning-tree vlan 523
no spanning-tree vlan 524
no spanning-tree vlan 525
no spanning-tree vlan 526
no spanning-tree vlan 527
```

----

**FEC** on an SFP port refers to **Forward Error Correction (FEC)**, a technique used in fibre-optic and Ethernet networks to improve transmission reliability by detecting and correcting
errors without the need for retransmission.

**FEC (Forward Error Correction)**: FEC adds redundant information to the transmitted data. This redundancy allows the receiving end to detect and correct errors caused by signal degradation or noise during transmission.

  * Purpose: FEC is essential for high-speed links (e.g., 10G, 25G, 40G, 100G Ethernet) to improve link quality and performance.
  * Types: different FEC modes are used depending on the standard and speed of the connection (e.g., Reed-Solomon FEC).

FEC modes on the Catalyst 9500 25G ports:

  * **auto**: enable FEC auto-negotiation
  * **cl108**: IEEE 802.3 Clause 108 (RS-FEC) at 25G
  * **cl74**: IEEE 802.3 Clause 74 (BASE-R / "FireCode" FEC) at 25G
  * **off**: turn FEC off; FEC is mandatory for speeds of 50G and higher

Both ends of a link must run the same FEC mode, otherwise the link does not come up.

----

**Benefits of FEC on SFP Ports**:

  * Error Correction: FEC corrects errors caused by signal attenuation or interference.
  * Better Link Performance: allows longer cable runs or higher speeds by improving signal integrity.
  * No Retransmissions: unlike retransmission-based error recovery, FEC works proactively, which matters in low-latency environments.

----

**C9500 Cisco Catalyst**

```
C9500-N#show ver
Cisco IOS XE Software, Version 17.12.03
Cisco IOS Software [Dublin], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.12.3, RELEASE SOFTWARE (fc7)
```

```
interface TwentyFiveGigE1/0/3
 description VLAN 526 PTP A.B.C.D/EF X30
 switchport access vlan 526
 switchport mode access
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 fec cl74
```

```
C9500-N(config)#interface TwentyFiveGigE1/0/3
C9500-N(config-if)#fec ?
  auto   Enable FEC Auto-Neg
  cl108  Enable clause108 with 25G
  cl74   Enable clause74 with 25G
  off    Turn FEC off, FEC is mandatory for speeds 50G or higher
```

----

====== SSH ======

**SSH Configuration on Cisco IOS XE 17.12.03**

A hostname and a domain name are required before the RSA key pair can be generated. ''transport input ssh'' removes Telnet from the vty lines and ''login local'' authenticates against the local ''secret'' users. The original put the comment ''! 10 minutes, 0 seconds'' on the same line as ''exec-timeout 10 0'', which IOS rejects; it is on its own line below.

```
configure terminal
 hostname MyRouter
 ip domain-name mynetwork.local
 crypto key generate rsa modulus 2048
 username admin privilege 15 secret MyStrongPassword
 ip ssh version 2
 line vty 0 4
  transport input ssh
  ! 10 minutes, 0 seconds
  exec-timeout 10 0
  login local
 exit
 ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
end
write memory
show ip ssh
show run | include ssh
```

Worth adding on a production switch: an ''access-class'' ACL on the vty lines so only management subnets can reach SSH, a 4096-bit key (''modulus 4096''), and pinning the MAC and key-exchange algorithms (''ip ssh server algorithm mac …'', ''ip ssh server algorithm kex …'') to SHA-2 based choices so that ''show ip ssh'' no longer lists SHA-1 or CBC options.

----

Running configuration of the uplinks and access ports on the switch. ''OSPF-MULTICAST'' ends with ''permit ip any any'', so as written it filters nothing: its only effect is per-entry hit counters in ''show ip access-lists OSPF-MULTICAST''. To actually restrict a trunk, replace the last entry with the traffic that should be allowed and let the implicit deny drop the rest.

```
!
ip access-list extended OSPF-MULTICAST
 10 permit ospf any any
 20 permit ip any host 224.0.0.5
 30 permit ip any host 224.0.0.6
 40 permit ip any any
!
interface Port-channel1
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 ip access-group OSPF-MULTICAST in
 logging event bundle-status
!
interface Port-channel2
 description Link to Core Aruba 6400 switch connection IP: 172.16.28.1
 switchport mode trunk
 mtu 9100
 ip access-group OSPF-MULTICAST in
 logging event bundle-status
 speed nonegotiate
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface TwentyFiveGigE1/0/1
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 1 mode active
!
interface TwentyFiveGigE1/0/2
 description Link to Juniper Networks EX2300-24P
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 1 mode active
!
interface TwentyFiveGigE1/0/3
 description VLAN 1019 PTP A.B.C.D/EF X30
 switchport access vlan 1019
 switchport mode access
 mtu 9100
 fec cl74
!
interface TwentyFiveGigE1/0/4
 mtu 9100
!
```
```
interface TwentyFiveGigE1/0/5
 description VLAN 517 GUEST A.B.C.D/EF X28
 switchport access vlan 517
 switchport mode access
 mtu 9100
 fec cl74
!
interface TwentyFiveGigE1/0/6
 mtu 9100
!
interface TwentyFiveGigE1/0/7
 description VLAN 1015 ISP1 A.B.C.D/EF X26
 switchport access vlan 1015
 switchport mode access
 mtu 9100
 fec cl74
!
interface TwentyFiveGigE1/0/8
 mtu 9100
!
interface TwentyFiveGigE1/0/9
 description VLAN 505 LAN-UTM 172.16.32.4/29 X24
 switchport access vlan 505
 switchport mode access
 mtu 9100
 fec cl74
!
interface TwentyFiveGigE1/0/10
 mtu 9100
!
interface TwentyFiveGigE1/0/11
 description Link to Juniper Networks EX2300-24P
 switchport access vlan 1015
 switchport mode access
 mtu 9100
!
interface TwentyFiveGigE1/0/12
 mtu 9100
!
interface TwentyFiveGigE1/0/13
 description Link to Port Wan Arista UTM
 switchport access vlan 1015
 switchport mode access
 mtu 9100
 fec cl74
!
interface TwentyFiveGigE1/0/14
 mtu 9100
!
interface TwentyFiveGigE1/0/15
 mtu 9100
!
interface TwentyFiveGigE1/0/16
 mtu 9100
!
interface TwentyFiveGigE1/0/17
 mtu 9100
!
interface TwentyFiveGigE1/0/18
 mtu 9100
!
interface TwentyFiveGigE1/0/19
 mtu 9100
!
interface TwentyFiveGigE1/0/20
 mtu 9100
!
interface TwentyFiveGigE1/0/21
 mtu 9100
!
interface TwentyFiveGigE1/0/22
 mtu 9100
!
interface TwentyFiveGigE1/0/23
 description Link to Core Aruba 6400 switch connection IP: 172.16.28.1
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 2 mode active
!
interface TwentyFiveGigE1/0/24
 description Link to Core Aruba 6400 switch connection IP: 172.16.28.1
 switchport mode trunk
 mtu 9100
 logging event trunk-status
 logging event bundle-status
 udld port aggressive
 channel-protocol lacp
 channel-group 2 mode active
!
interface HundredGigE1/0/25
 mtu 9100
!
interface HundredGigE1/0/26
 mtu 9100
!
interface HundredGigE1/0/27
 mtu 9100
!
interface HundredGigE1/0/28
 mtu 9100
```

----

====== Troubleshooting PVST Inconsistency between Cisco 9500 and Aruba 6400 ======

=== 🧭 Context ===

Connectivity issue between:

  * **Cisco Catalyst 9500** → IP: ''172.20.28.37''
  * **Aruba 6400** → IP: ''172.20.28.1''

Connected via: **Port-channel 2 (Po2)**

=== ⚠️ Symptom on Cisco ===

Output from ''show spanning-tree mst'':

```
Po2    Root BKN*400   P2p Bound(PVST) *PVST_Inc
```

**Meaning:**

  * ''BKN'' → the port is blocked (Broken)
  * ''*PVST_Inc'' → PVST simulation inconsistency

The Cisco side runs **MST**; Po2 is a boundary port (''Bound(PVST)'') that receives PVST+ BPDUs from the peer. On such a boundary the MST switch simulates PVST+ and requires its region to be the root for every VLAN; when the BPDUs it receives contradict that, the port is put into the PVST_Inc blocking state rather than risk a loop.

=== 🔍 Root Cause ===

Cisco MST expects MST BPDUs on the link. When PVST+ BPDUs arrive and the PVST simulation check fails:

  * Cisco treats it as a spanning-tree inconsistency.
  * The port is blocked to prevent a potential Layer 2 loop.

=== ✅ Solution: Switched to RSTP ===

== On Cisco 9500 ==

```
conf t
 spanning-tree mode rapid-pvst
end
write memory
```

== On Aruba 6400 ==

```
conf t
 spanning-tree mode rstp
write memory
```

**Result:** the port moved to the ''FWD'' (Forwarding) state. Connectivity restored.

Caveat: Rapid PVST+ on the Cisco side runs one spanning-tree instance per VLAN, while RSTP on the Aruba is a single instance. Only the VLAN 1 (untagged) instance exchanges standard IEEE BPDUs with the Aruba; the per-VLAN PVST+ BPDUs for the other VLANs pass through the Aruba as ordinary multicast frames. A loop that exists only on a tagged VLAN is therefore invisible to the Aruba side. Running MST on both switches with identical region parameters is the cleaner fix when both vendors support it.

=== 🔧 Verification Commands on Cisco ===

^ Command ^ Description ^
| `show spanning-tree mst` | View STP mode, port roles, and state |
| `**show spanning-tree inconsistentports**` | **Detect ports blocked due to PVST_Inc** |
| `show spanning-tree detail` | STP root path and BPDU info |
| `show interfaces status` | Verify port operational state |

=== 🛠️ Key Recommendations ===

  * Prefer **RSTP** for mixed-vendor environments (with the VLAN 1 caveat above).
  * If using **MST**, ensure identical:
    * ''name''
    * ''revision''
    * VLAN-to-instance mapping
  * Avoid mixing PVST and MST without boundary configuration.
  * Always verify port status using:
    * **''show spanning-tree inconsistentports''**

----

===== Comparison: Static VXLAN vs VXLAN EVPN =====

The difference between **Static VXLAN** and **VXLAN EVPN (Ethernet VPN)** lies primarily in **how MAC–VTEP (VXLAN Tunnel Endpoint) mappings are learned and distributed**, and in the **scalability** of the design. Key points:

==== 🔍 Static VXLAN ====

**📌 Definition:** VXLAN using manually defined tunnels (VTEP-to-VTEP), with no control plane. All forwarding information (MAC–VNI–VTEP bindings) is learned in the data plane (flood and learn) or configured by hand.

**🛠 Key Features:**

^ Feature ^ Static VXLAN ^
| Control Plane | ❌ None |
| MAC Learning | 🌐 Flooding-based |
| Configuration | 🛠 Manual |
| Scalability | 🔻 Limited |
| BUM Traffic Handling | 🌊 Multicast or static (ingress) replication |
| Typical Use Case | 🧪 Labs, small campuses |

----

==== 🌐 VXLAN EVPN ====

**📌 Definition:** VXLAN with a **BGP EVPN control plane**, which distributes MAC–VNI–VTEP bindings (and IP–MAC bindings) between VTEPs as BGP routes.

**🛠 Key Features:**

^ Feature ^ VXLAN EVPN ^
| Control Plane | ✅ BGP EVPN |
| MAC Learning | 📡 Control-plane based (BGP) |
| Configuration | ⚙️ Dynamic and scalable |
| Scalability | 🔺 High |
| BUM Traffic Handling | 🚫 Minimised by the control plane (known-unicast forwarding, ARP suppression) |
| Typical Use Case | 🏢 Data centres, cloud, multi-site |

----

^ Summary ^ Static VXLAN ^ VXLAN EVPN ^
| Control Plane | ❌ Manual / flood-based | ✅ Distributed via BGP EVPN |
| MAC Distribution | Locally flooded | Learned and advertised via BGP |
| Scalability | Low | High (multi-tenant, multi-site) |
| Complexity | Simple but static | Complex but automated |
| Use Cases | Simple links, PtP, lab networks | Large-scale DCs, EVPN fabrics |

Neither variant authenticates the tunnel: any host that can send UDP/4789 to a VTEP address can inject frames into a VNI. In both designs keep the VTEP loopbacks reachable only from the underlay (ACL or a dedicated VRF), never from tenant segments.

----

===== VXLAN EVPN L2VPN – CONTROL PLANE (Cisco) =====

==== ❓ What is the EVPN L2VPN Control Plane? ====

EVPN (Ethernet VPN) is a BGP-based control plane that enables:

  * Dynamic distribution of MAC ↔ VNI ↔ VTEP bindings
  * Elimination of unnecessary BUM flooding
  * Improved scalability, mobility, and segmentation

On Cisco platforms, EVPN availability depends on hardware, software version (IOS XE or NX-OS), licence and system role.

----

==== ✅ Platforms that **Support EVPN Control Plane** ====

^ Platform ^ OS ^ EVPN Control Plane Support ^ Notes ^
| Nexus 9000 | NX-OS | ✅ Yes | Full L2/L3 EVPN support via BGP |
| Nexus 7000/7700 | NX-OS | ✅ Yes (F3/M3 modules) | EVPN requires supported linecards |
| ASR 9000 | IOS XR | ✅ Yes | Carrier-grade EVPN |
| Catalyst 9500X | IOS XE | ✅ Yes | The original notes a `vxlan-routing` SDM template; check with `show sdm prefer` |
| Catalyst 9600 | IOS XE | ✅ Yes | Requires advanced config |

Correction to the table below: Cisco publishes a "BGP EVPN VXLAN Configuration Guide" for the Catalyst 9300, 9400, 9500, 9500 High Performance and 9600 families (IOS XE 16.12.1 and later) and lists BGP EVPN VXLAN under the Network Advantage licence in the data sheets, so the non-X 9500 is not limited to static VXLAN by its hardware. The ''% Invalid input'' seen on this page's switch points at the installed image, licence level or SDM template of that device; check ''show license summary'' and ''show version'' before concluding the platform cannot do it.

==== 🚫 Platforms with **Limited or No EVPN Support** ====

^ Platform ^ OS ^ EVPN Control Plane Support ^ Notes ^
| Catalyst 9500 (non-X) | IOS XE | ⚠️ Licence/image dependent | Static VXLAN worked on this page's switch; the EVPN commands were rejected (see correction above) |
| Catalyst 9400 | IOS XE | ⚠️ Licence/image dependent | BGP EVPN VXLAN documented with Network Advantage |
| Catalyst 9300 | IOS XE | ⚠️ Licence/image dependent | BGP EVPN VXLAN documented with Network Advantage |
| Catalyst 9200 | IOS XE | ❌ No | No VXLAN |
| Catalyst 3850 | IOS XE | ❌ No | VXLAN and EVPN not supported |

----

==== ⚠️ EVPN Requirements on Catalyst Platforms (when applicable) ====

  * IOS XE version: Cisco's BGP EVPN VXLAN guides start at **16.12.1**; the original page lists **17.9.1** as its minimum. Use a current maintenance release in any case.
  * Required licences:
    * ''network-advantage''
    * ''dna-advantage''
  * SDM template:
    * the original page states it must be set to ''vxlan-routing'' and that this template is not available on non-X models; verify with ''show sdm prefer''
  * Configuration method:
    * ''l2vpn evpn'', ''vni'', ''rd'', ''route-target'', ''bridge-domain'' (on Catalyst 9000 the VLAN-to-VNI binding is ''vlan configuration <id>'' / ''member vni <vni>'')

----

==== 🧱 Alternative: Static VXLAN (No Control Plane) ====

For platforms (or licences) without EVPN, VXLAN can be deployed in **static mode**:

  * Define ''interface nve1''
  * Assign ''source-interface'' (Loopback)
  * Configure ''member vni XXXX''
  * Use static ingress replication towards the remote VTEP (the original lists ''ingress-replication protocol static'' and ''peer-ip A.B.C.D''; the working Catalyst configuration later on this page uses ''member vni XXXX ingress-replication A.B.C.D'')
  * Add one entry per remote VTEP

This requires manual mapping and tunnel definition between all VTEPs, and the full mesh grows with the square of the VTEP count. Because there is no control plane, nothing validates a peer either: restrict UDP/4789 to the configured VTEP loopbacks in the underlay.
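The Password and SSH sections earlier on this page rely on ''service password-encryption'' and shared line passwords. The following Python script is an added example, editorial material rather than code from the original page or from Cisco. It decodes a type-7 string (the published fixed key is the entire secret of that scheme) and then audits a constructed running-config snippet, modelled on those sections, for the weaknesses discussed on this page: reversible ''enable password'' and ''username … password'' lines, shared line passwords, vty lines that still accept Telnet or lack ''login local'' / ''access-class'', and ''no spanning-tree vlan''. The two config texts, the ''MGMT-ONLY'' ACL name and the type-9 hash strings are constructed placeholders, not taken from a real device.

```python
"""Management-plane audit for a Catalyst running-config (added example)."""
import re

# Fixed key of the IOS "type 7" scheme: after a two-digit seed, every byte of the
# password is XORed with this string, so "service password-encryption" hides a
# credential only from someone glancing at the screen.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed samples modelled on the Password / Basic cli / SSH sections of this
# page; the hash strings and the MGMT-ONLY ACL name are placeholders.
WEAK_CONFIG = """\
service password-encryption
enable password 7 060506324F41
username admin privilege 15 password 7 060506324F41
no spanning-tree vlan 500
ip ssh version 2
line con 0
 password 7 060506324F41
 login
line vty 0 4
 password 7 060506324F41
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
enable secret 9 $9$constructed.salt$constructed.hash
username admin privilege 15 secret 9 $9$constructed.salt$constructed.hash
ip ssh version 2
line con 0
 login local
line vty 0 4
 access-class MGMT-ONLY in
 login local
 transport input ssh
"""


def decode_type7(encoded):
    """Recover the clear text of a type-7 string such as 060506324F41."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body)).decode()


def describe_secret(kind, value):
    """How the password on a config line is stored; kind is the type digit or None."""
    if kind == "7":
        return f" (type 7, decodes to {decode_type7(value)!r})"
    if kind in (None, "0"):
        return " (stored in clear text)"
    return ""


def line_stanzas(lines):
    """Yield (header, indented body lines) for every 'line con/vty/aux' stanza."""
    i = 0
    while i < len(lines):
        if not lines[i].startswith("line "):
            i += 1
            continue
        header, body, i = lines[i], [], i + 1
        while i < len(lines) and lines[i].startswith(" "):
            body.append(lines[i].strip())
            i += 1
        yield header, body


def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    lines = config.splitlines()
    if not any(l.strip() == "ip ssh version 2" for l in lines):
        findings.append("ip ssh version 2 is not set")
    for line in lines:
        m = re.match(r"enable password(?: (\d))? (\S+)$", line)
        if m:
            findings.append("enable password is reversible" + describe_secret(m.group(1), m.group(2)))
        m = re.match(r"username (\S+) .*\bpassword(?: (\d))? (\S+)$", line)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' instead of 'secret'"
                            + describe_secret(m.group(2), m.group(3)))
        m = re.match(r"no spanning-tree vlan (\S+)$", line)
        if m:
            findings.append(f"spanning tree disabled on VLAN {m.group(1)}: loops go undetected")
    for header, body in line_stanzas(lines):
        for entry in body:
            m = re.match(r"password(?: (\d))? (\S+)$", entry)
            if m:
                findings.append(f"{header}: shared line password" + describe_secret(m.group(1), m.group(2)))
        if header.startswith("line vty"):
            transport = [e.split()[2:] for e in body if e.startswith("transport input")]
            if not transport or transport[0] != ["ssh"]:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{header}: no 'login local', vty users are not individual accounts")
            if not any(e.startswith("access-class") for e in body):
                findings.append(f"{header}: no access-class ACL limiting management sources")
    return findings
```

Run ''audit(WEAK_CONFIG)'' to list the eight findings for the sample (the type-7 strings all decode to ''cisco''); ''audit(HARDENED_CONFIG)'' returns an empty list. The regexes assume the line-oriented layout of ''show running-config''; feed it the saved output of that command rather than a hand-edited copy.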
----

==== 📝 Useful Show Commands (Catalyst) ====

  * Check software version: ''show version''
  * Check licence status: ''show license summary''
  * Check SDM template: ''show sdm prefer''

----

==== 📌 Typical Error When EVPN Not Supported ====

Trying to configure:

```
l2vpn evpn
 vni XXXX l2
  rd auto
```

Returns:

```
% Invalid input detected at '^' marker.
```

📌 This indicates the command is **not available** on this platform, image, licence or SDM template.

----

==== ✅ Recommendation ====

To deploy EVPN-based VXLAN in Cisco networks:

  * Use **Nexus (e.g., 9300, 9500)** or a Catalyst 9000 model whose image and licence accept ''l2vpn evpn'' (the original recommends **C9500X with ''vxlan-routing''**)
  * Confirm licensing and SDM support
  * Use **Static VXLAN** on Catalyst platforms where EVPN is not available

----

===== VXLAN – Core Terminology and Nomenclature =====

VXLAN (Virtual Extensible LAN, RFC 7348) is a tunnelling technology that carries Layer 2 frames inside UDP (destination port 4789) over a Layer 3 IP infrastructure. Essential terminology:

----

==== 🔑 1. VNI – VXLAN Network Identifier ====

  * **Definition:** a 24-bit identifier that takes the place of the 12-bit VLAN ID inside the tunnel.
  * **Range:** 0 to 16,777,215 (2^24 - 1)
  * **Purpose:** uniquely identifies a VXLAN segment (like a VLAN, but in the overlay).
  * **Example:** VLAN 700 → VNI 10700

----

==== 🔑 2. VTEP – VXLAN Tunnel Endpoint ====

  * **Definition:** the device that encapsulates/decapsulates VXLAN traffic.
  * **Purpose:** acts as the entry/exit point of VXLAN tunnels.
  * **Key Point:** each VTEP has a loopback or logical IP used as the tunnel endpoint. In static VXLAN that address is the only thing a peer "trusts", so it must not be reachable from tenant segments.
  * **Example:** Cisco VTEP IP = ''172.18.32.33''

----

==== 🔑 3. NVE – Network Virtualization Edge ====

  * **Definition:** the logical interface that represents VXLAN capability.
  * **Command Example (IOS XE):**

```
interface nve1
 source-interface Loopback0
 member vni 10700
```

  * **Note:** in NX-OS ''feature nv overlay'' must be enabled first; in IOS XE the NVE interface is available without a feature toggle.

----

==== 🔑 4. Bridge Domain (BD) ====

  * **Definition:** a broadcast domain, equivalent to a VLAN at the overlay level.
  * **In IOS XE:** the binding used in the Cisco 9500 configuration below is ''bridge-domain 700'' / ''member vni 10700''; EVPN-capable Catalyst 9000 images use ''vlan configuration 700'' / ''member vni 10700''. (The original showed ''l2 vni 10700 vlan 700'', which is not the Catalyst syntax.)
  * **In NX-OS:** the VLAN carries the VNI directly (''vlan 700'' / ''vn-segment 10700''); some platforms use a ''bridge-domain'' with its own configuration space.

----

==== 🔑 5. Ingress Replication ====

  * **Purpose:** defines how BUM (Broadcast, Unknown unicast, Multicast) traffic is replicated.
  * **Modes:**
    - ''static'': manual peer definition; the ingress VTEP sends one unicast copy per remote VTEP
    - ''multicast'': uses multicast groups in the underlay

----

==== 🔑 6. Underlay vs Overlay ====

  * **Underlay:**
    - the physical IP network that connects VTEPs (e.g., ''172.18.32.0/30'')
    - uses an IGP or static routing
  * **Overlay:**
    - the logical L2 network created by VXLAN
    - carries tenant VLANs across the routed core

----

==== 🔑 7. BUM – Broadcast, Unknown Unicast, Multicast ====

  * **Definition:** the traffic types that are replicated to all members of a segment.
  * **Handled in VXLAN by:**
    - static ''ingress-replication''
    - multicast (if supported by the underlay)

----

==== 🧾 Summary Table ====

^ Element ^ Description ^ Example ^
| VLAN | Traditional L2 segment | 700 |
| VNI | VXLAN segment identifier | 10700 |
| VTEP (Local) | Source tunnel endpoint | 172.18.32.33 (Cisco C9500) |
| VTEP (Remote) | Destination tunnel endpoint | 172.18.32.34 (Aruba 6300) |
| NVE Interface | VXLAN-capable logical interface | `interface nve1` |
| Underlay | Physical routed IP network | `172.18.32.32/30` |
| Overlay | Virtual network over VXLAN | VNIs mapped to VLANs |

----

==== ✅ VXLAN overlays ====

allow you to:

  * Stretch VLANs across L3 boundaries
  * Enable mobility and segmentation
  * Scale beyond the 4094-VLAN limit using 16 million VNIs

----

====== VXLAN Static Configuration – Cisco 9500 ⇄ Aruba 6300 ======

=== 📘 Architecture Summary ===

^ Parameter ^ Cisco 9500 (C9500SP1) ^ Aruba 6300M (6300SP2) ^
| VTEP Loopback IP | 172.22.32.1 | 172.22.32.2 |
| Transport IP | 172.18.32.33 (to Aruba) | 172.18.32.34 (to Cisco) |
| Transport Interface | Routed PtP /30 via TenG | Routed PtP /30 via 1/1/12 |
| OSPF Area | 0 | 0 |
| VXLAN Mode | Static VXLAN | Static VXLAN |
| VXLAN Interface | `nve1` | `vxlan 1` |
| VNIs | 10001, 10700–10732 | 10001, 10700–10732 |
| Inter-VXLAN Bridging | Not applicable | `static-all` or `static-evpn` |

Note on addresses: the summary table in the terminology section uses the /30 transport addresses (172.18.32.33/.34) as "VTEP IP", while the configuration below sources the tunnels from the loopbacks (172.22.32.1/.2). The loopbacks are the VTEP addresses; the /30 is only the underlay link between them.

----

=== 🚀 Cisco 9500 Configuration ===

==== 🔹 1. VTEP Loopback ====

```
interface Loopback0
 ip address 172.22.32.1 255.255.255.255
```

==== 🔹 2. Transport Interface ====

```
interface TenGigabitEthernet1/0/12
 description Link to Aruba 6300
 ip address 172.18.32.33 255.255.255.252
 no shutdown
```

==== 🔹 3. OSPF ====

```
router ospf 100
 router-id 1.1.1.1
 network 172.18.32.32 0.0.0.3 area 0
 network 172.22.32.1 0.0.0.0 area 0
```

==== 🔹 4. Static Route ====

Redundant with OSPF (the static route, administrative distance 1, wins over the OSPF route); keep one of the two so that a failure in one is not masked by the other.

```
ip route 172.22.32.2 255.255.255.255 172.18.32.34
```

==== 🔹 5. NVE Interface ====

```
interface nve1
 no shutdown
 source-interface Loopback0
 member vni 10001 ingress-replication 172.22.32.2
 member vni 10700 ingress-replication 172.22.32.2
 member vni 10712 ingress-replication 172.22.32.2
 member vni 10730 ingress-replication 172.22.32.2
 member vni 10732 ingress-replication 172.22.32.2
```

==== 🔹 6. Bridge Domains ====

```
bridge-domain 1
 member vni 10001
bridge-domain 700
 member vni 10700
bridge-domain 712
 member vni 10712
bridge-domain 730
 member vni 10730
bridge-domain 732
 member vni 10732
```

----

=== 🧩 Aruba 6300 Configuration ===

(As recorded on the original page; check the exact syntax against the Aruba VXLAN CLI reference attached at the end of this page, since it differs between AOS-CX releases.)

==== 🔹 1. Loopback Interface ====

```
interface loopback 0
 ip address 172.22.32.2/32
```

==== 🔹 2. Transport Interface ====

```
interface 1/1/12
 description Link to Cisco 9500
 ip address 172.18.32.34/30
 no shutdown
```

==== 🔹 3. OSPF ====

```
router ospf
 router-id 2.2.2.2
 area 0.0.0.0
interface 1/1/12
interface loopback 0
```

==== 🔹 4. Static Route ====

```
ip route 172.22.32.1/32 172.18.32.33
```

==== 🔹 5. VXLAN Interface ====

```
interface vxlan 1
 source 172.22.32.2
 inter-vxlan-bridging-mode static-all
```

==== 🔹 6. VNI to VLAN Mapping ====

```
vxlan vlan 1 vni 10001
vxlan vtep 172.22.32.1
vxlan vlan 700 vni 10700
vxlan vtep 172.22.32.1
vxlan vlan 712 vni 10712
vxlan vtep 172.22.32.1
vxlan vlan 730 vni 10730
vxlan vtep 172.22.32.1
vxlan vlan 732 vni 10732
vxlan vtep 172.22.32.1
```

----

=== 🧪 Validation Commands ===

==== 🔸 Cisco 9500 ====

```
show nve interface nve1
show nve vni summary
show nve vni interface nve 1
show nve peers
ping 172.22.32.2 source 172.22.32.1
show mac address-table vlan 712
```

==== 🔸 Aruba 6300 ====

```
show interface vxlan 1
show interface vxlan vni vteps
ping 172.22.32.1 source 172.22.32.2
show mac-address-table vlan 712
```

=== ✅ Notes ===

  * The VXLAN tunnels use **static replication** for simplicity and full control.
  * Ensure **loopback reachability** via static route or OSPF in both directions. The ping with ''source'' set to the loopback is the test that matters; a ping between the /30 addresses proves nothing about the tunnel.
  * VLAN-to-VNI mappings must be identical on both VTEPs: a VNI that maps to different VLANs on the two sides silently bridges the wrong segments together, and nothing in static VXLAN reports it.
  * For a production EVPN deployment, BGP configuration will be required.

----

{{ :aruba_networks:switch:6400:vxlan_cli_ap.pdf |}}

{{pdfjs 46em >:aruba_networks:switch:6400:vxlan_cli_ap.pdf}}

----

{{ :cisco:switch:9500:mtu_utm_switch_6400_9500.pdf |}}

{{pdfjs 46em >:cisco:switch:9500:mtu_utm_switch_6400_9500.pdf}}
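As an added example (not code from the original page, from Cisco or from Aruba): a Python script that checks the Cisco 9500 ⇄ Aruba 6300 pairing above for the silent failure modes mentioned in the notes. It works on constructed snippets that carry the same loopbacks and three of the five VNIs, and verifies that both VTEPs map each VLAN to the same VNI, that the Cisco ''ingress-replication'' peer and the Aruba ''vxlan vtep'' entries point at the other side's loopback, that every VNI on ''nve1'' is bound to a bridge-domain, and that each VNI fits the 24-bit field. It also builds and parses the RFC 7348 VXLAN header to show where that 24-bit VNI sits on the wire, and models the only admission control static VXLAN has: an allow-list of source VTEPs and VNIs, which in practice is an underlay ACL in front of UDP/4789.

```python
"""Static VXLAN pairing checks and the VXLAN header (added example)."""
import re
import struct

# Constructed snippets with the same addresses as the configuration on this page
# (three of the five VNIs to keep the sample short); not pulled from a device.
CISCO_CONFIG = """\
interface Loopback0
 ip address 172.22.32.1 255.255.255.255
interface nve1
 source-interface Loopback0
 member vni 10001 ingress-replication 172.22.32.2
 member vni 10700 ingress-replication 172.22.32.2
 member vni 10712 ingress-replication 172.22.32.2
bridge-domain 1
 member vni 10001
bridge-domain 700
 member vni 10700
bridge-domain 712
 member vni 10712
"""

ARUBA_CONFIG = """\
interface loopback 0
 ip address 172.22.32.2/32
vxlan vlan 1 vni 10001
vxlan vtep 172.22.32.1
vxlan vlan 700 vni 10700
vxlan vtep 172.22.32.1
vxlan vlan 712 vni 10712
vxlan vtep 172.22.32.1
"""

VNI_MAX = (1 << 24) - 1  # the VNI is a 24-bit field (RFC 7348, UDP port 4789)


def parse_cisco(text):
    """Return (vlan->vni, vni->replication peer, loopback) from the Catalyst side."""
    vlan_to_vni, vni_to_peer, loopback, bd = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            bd = None  # leaving a bridge-domain stanza
        m = re.match(r"ip address (\S+) 255\.255\.255\.255$", line)
        if m:
            loopback = m.group(1)
        m = re.match(r"bridge-domain (\d+)$", line)
        if m:
            bd = int(m.group(1))
        m = re.match(r"member vni (\d+)(?: ingress-replication (\S+))?$", line)
        if m and m.group(2):
            vni_to_peer[int(m.group(1))] = m.group(2)
        elif m and bd is not None:
            vlan_to_vni[bd] = int(m.group(1))
    return vlan_to_vni, vni_to_peer, loopback


def parse_aruba(text):
    """Return (vlan->vni, set of vtep peers, loopback) from the Aruba side."""
    vlan_to_vni, vteps, loopback = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip address (\S+)/32$", line)
        if m:
            loopback = m.group(1)
        m = re.match(r"vxlan vlan (\d+) vni (\d+)$", line)
        if m:
            vlan_to_vni[int(m.group(1))] = int(m.group(2))
        m = re.match(r"vxlan vtep (\S+)$", line)
        if m:
            vteps.add(m.group(1))
    return vlan_to_vni, vteps, loopback


def check_pairing(cisco_text, aruba_text):
    """Findings for the two VTEPs; an empty list means mappings and peers agree."""
    findings = []
    c_map, c_peers, c_lo = parse_cisco(cisco_text)
    a_map, a_vteps, a_lo = parse_aruba(aruba_text)
    for vlan in sorted(set(c_map) | set(a_map)):
        if c_map.get(vlan) != a_map.get(vlan):
            findings.append(f"VLAN {vlan}: Cisco VNI {c_map.get(vlan)} vs Aruba VNI {a_map.get(vlan)}")
    for vni, peer in sorted(c_peers.items()):
        if peer != a_lo:
            findings.append(f"Cisco VNI {vni} replicates to {peer}, Aruba loopback is {a_lo}")
        if vni not in c_map.values():
            findings.append(f"Cisco VNI {vni} is on nve1 but bound to no bridge-domain")
    for vtep in sorted(a_vteps):
        if vtep != c_lo:
            findings.append(f"Aruba VTEP peer {vtep} is not the Cisco loopback {c_lo}")
    for vni in set(c_map.values()) | set(a_map.values()):
        if not 0 <= vni <= VNI_MAX:
            findings.append(f"VNI {vni} does not fit the 24-bit field")
    return findings


def vxlan_header(vni):
    """8-byte VXLAN header: flags with the I bit set, 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def parse_vxlan_header(data):
    """Return the VNI from a VXLAN header; reject headers without the I flag."""
    flags, word = struct.unpack("!B3xI", data[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set, no valid VNI")
    return word >> 8


def accept_vxlan(src_ip, vni, trusted_vteps, configured_vnis):
    """Static VXLAN authenticates nothing: accept UDP/4789 only from configured
    peers and only for configured VNIs (what an underlay ACL has to enforce)."""
    return src_ip in trusted_vteps and vni in configured_vnis
```

''check_pairing(CISCO_CONFIG, ARUBA_CONFIG)'' returns an empty list for the snippets as written; changing one Aruba line to ''vxlan vlan 700 vni 10701'' produces a single "VLAN 700" finding, which is exactly the mismatch that would otherwise go unnoticed until the wrong hosts start talking to each other. ''vxlan_header(10700)'' is ''080000000029cc00'': 0x29CC is 10700 in the three VNI bytes.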