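Configuring VXLAN Access to External Networks - CyberSecurityBook
As shown in the network topology above, the borderleaf is connected to a Cisco ASA firewall through subinterfaces. On the borderleaf, a default route is configured in each VRF to reach the external network, and that default route is then imported into the L2VPN routes.
SPINE configuration: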
================================================================
hostname SPINE
vdc SPINE id 1
limit-resource vlan minimum 16 maximum 4094
limit-resource vrf minimum 2 maximum 4096
limit-resource port-channel minimum 0 maximum 511
limit-resource u4route-mem minimum 248 maximum 248
limit-resource u6route-mem minimum 96 maximum 96
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
nv overlay evpn
feature ospf
feature bgp
feature pim
feature nv overlay
username admin password 5 $5$9xNPm16N$qQedCzklL2lHeuR6l9RGgwxsGy2s.FSO86yrJCUOsL. role network-admin
ip domain-lookup
snmp-server user admin network-admin auth md5 0x491623bcc3af3ee723c3e7faf5da4c50 priv 0x491623bcc3af3ee723c3e7faf5da4c50 localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO
vlan 1
ip pim rp-address 10.255.255.1 group-list 239.0.0.0/24
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
vrf context management
interface Ethernet1/1
no switchport
ip address 10.10.1.1/30
ip ospf network point-to-point
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface Ethernet1/2
no switchport
ip address 10.10.2.1/30
ip ospf network point-to-point
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface mgmt0
vrf member management
interface loopback0
ip address 10.255.255.1/32
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
line console
line vty
boot nxos bootflash:/nxos.7.0.3.I5.2.bin
router ospf 100
router-id 10.255.255.1
log-adjacency-changes
auto-cost reference-bandwidth 100 Gbps
router bgp 65001
router-id 10.255.255.1
log-neighbor-changes
address-family ipv4 unicast
address-family l2vpn evpn
retain route-target all
template peer VTEP
remote-as 65001
password 3 9125d59c18a9b015
update-source loopback0
address-family ipv4 unicast
send-community
send-community extended
route-reflector-client
address-family l2vpn evpn
send-community
send-community extended
route-reflector-client
neighbor 10.255.255.2
inherit peer VTEP
remote-as 65001
neighbor 10.255.255.3
inherit peer VTEP
remote-as 65001
LEAF configuration:
================================================================
hostname LEAF
nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
username admin password 5 $5$GpuJ0ItU$SOKebMPONhaAUF7BGr6vTxAvKYLjPlCi8gzxnrQmJ66 role network-admin
ip domain-lookup
snmp-server user admin network-admin auth md5 0xe1718bdb6f8d19c41d0c56fe114ff587 priv 0xe1718bdb6f8d19c41d0c56fe114ff587 localizedkey
rmon event 1 description FATAL(1) owner PMON@FATAL
rmon event 2 description CRITICAL(2) owner PMON@CRITICAL
rmon event 3 description ERROR(3) owner PMON@ERROR
rmon event 4 description WARNING(4) owner PMON@WARNING
rmon event 5 description INFORMATION(5) owner PMON@INFO
vlan 1,11-50,901-904
fabric forwarding anycast-gateway-mac 0000.1111.2222
ip pim rp-address 10.255.255.1 group-list 239.0.0.0/24
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
vlan 11
vn-segment 160011
vlan 12
vn-segment 160012
vlan 13
vn-segment 160013
vlan 14
vn-segment 160014
vlan 15
vn-segment 160015
vlan 16
vn-segment 160016
vlan 17
vn-segment 160017
vlan 18
vn-segment 160018
vlan 19
vn-segment 160019
vlan 20
vn-segment 160020
vlan 21
vn-segment 160021
vlan 22
vn-segment 160022
vlan 23
vn-segment 160023
vlan 24
vn-segment 160024
vlan 25
vn-segment 160025
vlan 26
vn-segment 160026
vlan 27
vn-segment 160027
vlan 28
vn-segment 160028
vlan 29
vn-segment 160029
vlan 30
vn-segment 160030
vlan 31
vn-segment 160031
vlan 32
vn-segment 160032
vlan 33
vn-segment 160033
vlan 34
vn-segment 160034
vlan 35
vn-segment 160035
vlan 36
vn-segment 160036
vlan 37
vn-segment 160037
vlan 38
vn-segment 160038
vlan 39
vn-segment 160039
vlan 40
vn-segment 160040
vlan 41
vn-segment 160041
vlan 42
vn-segment 160042
vlan 43
vn-segment 160043
vlan 44
vn-segment 160044
vlan 45
vn-segment 160045
vlan 46
vn-segment 160046
vlan 47
vn-segment 160047
vlan 48
vn-segment 160048
vlan 49
vn-segment 160049
vlan 50
vn-segment 160050
vlan 901
vn-segment 900901
vlan 902
vn-segment 900902
vlan 903
vn-segment 900903
vlan 904
vn-segment 900904
vrf context APP
vni 900901
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context DB
vni 900903
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context NAS
vni 900904
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context VM
vni 900902
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context management
interface Vlan1
interface Vlan11
no shutdown
mtu 9192
vrf member APP
ip address 10.133.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan12
no shutdown
mtu 9192
vrf member APP
ip address 10.133.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan13
no shutdown
mtu 9192
vrf member APP
ip address 10.133.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan14
no shutdown
mtu 9192
vrf member APP
ip address 10.133.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan15
no shutdown
mtu 9192
vrf member APP
ip address 10.133.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan16
no shutdown
mtu 9192
vrf member APP
ip address 10.133.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan17
no shutdown
mtu 9192
vrf member APP
ip address 10.133.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan18
no shutdown
mtu 9192
vrf member APP
ip address 10.133.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan19
no shutdown
mtu 9192
vrf member APP
ip address 10.133.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan20
no shutdown
mtu 9192
vrf member APP
ip address 10.133.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan21
no shutdown
mtu 9192
vrf member VM
ip address 10.158.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan22
no shutdown
mtu 9192
vrf member VM
ip address 10.158.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan23
no shutdown
mtu 9192
vrf member VM
ip address 10.158.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan24
no shutdown
mtu 9192
vrf member VM
ip address 10.158.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan25
no shutdown
mtu 9192
vrf member VM
ip address 10.158.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan26
no shutdown
mtu 9192
vrf member VM
ip address 10.158.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan27
no shutdown
mtu 9192
vrf member VM
ip address 10.158.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan28
no shutdown
mtu 9192
vrf member VM
ip address 10.158.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan29
no shutdown
mtu 9192
vrf member VM
ip address 10.158.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan30
no shutdown
mtu 9192
vrf member VM
ip address 10.158.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan31
no shutdown
mtu 9192
vrf member DB
ip address 10.90.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan32
no shutdown
mtu 9192
vrf member DB
ip address 10.90.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan33
no shutdown
mtu 9192
vrf member DB
ip address 10.90.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan34
no shutdown
mtu 9192
vrf member DB
ip address 10.90.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan35
no shutdown
mtu 9192
vrf member DB
ip address 10.90.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan36
no shutdown
mtu 9192
vrf member DB
ip address 10.90.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan37
no shutdown
mtu 9192
vrf member DB
ip address 10.90.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan38
no shutdown
mtu 9192
vrf member DB
ip address 10.90.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan39
no shutdown
mtu 9192
vrf member DB
ip address 10.90.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan40
no shutdown
mtu 9192
vrf member DB
ip address 10.90.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan41
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan42
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan43
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan44
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan45
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan46
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan47
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan48
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan49
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan50
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan901
no shutdown
mtu 9192
vrf member APP
no ip redirects
ip forward
interface Vlan902
no shutdown
mtu 9192
vrf member VM
no ip redirects
ip forward
interface Vlan903
no shutdown
mtu 9192
vrf member DB
no ip redirects
ip forward
interface Vlan904
no shutdown
mtu 9192
vrf member NAS
no ip redirects
ip forward
interface nve1
no shutdown
source-interface loopback0
host-reachability protocol bgp
member vni 160011
mcast-group 239.1.1.1
member vni 160012
mcast-group 239.1.1.1
member vni 160013
mcast-group 239.1.1.1
member vni 160014
mcast-group 239.1.1.1
member vni 160015
mcast-group 239.1.1.1
member vni 160016
mcast-group 239.1.1.1
member vni 160017
mcast-group 239.1.1.1
member vni 160018
mcast-group 239.1.1.1
member vni 160019
mcast-group 239.1.1.1
member vni 160020
mcast-group 239.1.1.1
member vni 160021
mcast-group 239.2.2.2
member vni 160022
mcast-group 239.2.2.2
member vni 160023
mcast-group 239.2.2.2
member vni 160024
mcast-group 239.2.2.2
member vni 160025
mcast-group 239.2.2.2
member vni 160026
mcast-group 239.2.2.2
member vni 160027
mcast-group 239.2.2.2
member vni 160028
mcast-group 239.2.2.2
member vni 160029
mcast-group 239.2.2.2
member vni 160030
mcast-group 239.2.2.2
member vni 160031
mcast-group 239.3.3.3
member vni 160032
mcast-group 239.3.3.3
member vni 160033
mcast-group 239.3.3.3
member vni 160034
mcast-group 239.3.3.3
member vni 160035
mcast-group 239.3.3.3
member vni 160036
mcast-group 239.3.3.3
member vni 160037
mcast-group 239.3.3.3
member vni 160038
mcast-group 239.3.3.3
member vni 160039
mcast-group 239.3.3.3
member vni 160040
mcast-group 239.3.3.3
member vni 160041
mcast-group 239.4.4.4
member vni 160042
mcast-group 239.4.4.4
member vni 160043
mcast-group 239.4.4.4
member vni 160044
mcast-group 239.4.4.4
member vni 160045
mcast-group 239.4.4.4
member vni 160046
mcast-group 239.4.4.4
member vni 160047
mcast-group 239.4.4.4
member vni 160048
mcast-group 239.4.4.4
member vni 160049
mcast-group 239.4.4.4
member vni 160050
mcast-group 239.4.4.4
member vni 900901 associate-vrf
member vni 900902 associate-vrf
member vni 900903 associate-vrf
member vni 900904 associate-vrf
interface Ethernet1/1
no switchport
ip address 10.10.1.2/30
ip ospf network point-to-point
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface loopback0
ip address 10.255.255.2/32
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
router ospf 100
router-id 10.255.255.2
log-adjacency-changes
auto-cost reference-bandwidth 100 Gbps
router bgp 65001
router-id 10.255.255.2
log-neighbor-changes
neighbor 10.255.255.1
remote-as 65001
password 3 9125d59c18a9b015
update-source loopback0
address-family ipv4 unicast
send-community
send-community extended
address-family l2vpn evpn
send-community
send-community extended
vrf APP
address-family ipv4 unicast
advertise l2vpn evpn
maximum-paths ibgp 2
vrf DB
address-family ipv4 unicast
advertise l2vpn evpn
maximum-paths ibgp 2
vrf NAS
address-family ipv4 unicast
advertise l2vpn evpn
maximum-paths ibgp 2
vrf VM
address-family ipv4 unicast
advertise l2vpn evpn
maximum-paths ibgp 2
evpn
vni 160011 l2
rd auto
route-target import auto
route-target export auto
vni 160012 l2
rd auto
route-target import auto
route-target export auto
vni 160013 l2
rd auto
route-target import auto
route-target export auto
vni 160014 l2
rd auto
route-target import auto
route-target export auto
vni 160015 l2
rd auto
route-target import auto
route-target export auto
vni 160016 l2
rd auto
route-target import auto
route-target export auto
vni 160017 l2
rd auto
route-target import auto
route-target export auto
vni 160018 l2
rd auto
route-target import auto
route-target export auto
vni 160019 l2
rd auto
route-target import auto
route-target export auto
vni 160020 l2
rd auto
route-target import auto
route-target export auto
vni 160021 l2
rd auto
route-target import auto
route-target export auto
vni 160022 l2
rd auto
route-target import auto
route-target export auto
vni 160023 l2
rd auto
route-target import auto
route-target export auto
vni 160024 l2
rd auto
route-target import auto
route-target export auto
vni 160025 l2
rd auto
route-target import auto
route-target export auto
vni 160026 l2
rd auto
route-target import auto
route-target export auto
vni 160027 l2
rd auto
route-target import auto
route-target export auto
vni 160028 l2
rd auto
route-target import auto
route-target export auto
vni 160029 l2
rd auto
route-target import auto
route-target export auto
vni 160030 l2
rd auto
route-target import auto
route-target export auto
vni 160031 l2
rd auto
route-target import auto
route-target export auto
vni 160032 l2
rd auto
route-target import auto
route-target export auto
vni 160033 l2
rd auto
route-target import auto
route-target export auto
vni 160034 l2
rd auto
route-target import auto
route-target export auto
vni 160035 l2
rd auto
route-target import auto
route-target export auto
vni 160036 l2
rd auto
route-target import auto
route-target export auto
vni 160037 l2
rd auto
route-target import auto
route-target export auto
vni 160038 l2
rd auto
route-target import auto
route-target export auto
vni 160039 l2
rd auto
route-target import auto
route-target export auto
vni 160040 l2
rd auto
route-target import auto
route-target export auto
vni 160041 l2
rd auto
route-target import auto
route-target export auto
vni 160042 l2
rd auto
route-target import auto
route-target export auto
vni 160043 l2
rd auto
route-target import auto
route-target export auto
vni 160044 l2
rd auto
route-target import auto
route-target export auto
vni 160045 l2
rd auto
route-target import auto
route-target export auto
vni 160046 l2
rd auto
route-target import auto
route-target export auto
vni 160047 l2
rd auto
route-target import auto
route-target export auto
vni 160048 l2
rd auto
route-target import auto
route-target export auto
vni 160049 l2
rd auto
route-target import auto
route-target export auto
vni 160050 l2
rd auto
route-target import auto
route-target export auto
BORDERLEAF configuration:
================================================================
hostname BORDERLEAF
nv overlay evpn
feature ospf
feature bgp
feature pim
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
vlan 1,11-50,901-904
fabric forwarding anycast-gateway-mac 0000.1111.2222
ip pim rp-address 10.255.255.1 group-list 239.0.0.0/24
ip pim log-neighbor-changes
ip pim ssm range 232.0.0.0/8
vlan 11
vn-segment 160011
vlan 12
vn-segment 160012
vlan 13
vn-segment 160013
vlan 14
vn-segment 160014
vlan 15
vn-segment 160015
vlan 16
vn-segment 160016
vlan 17
vn-segment 160017
vlan 18
vn-segment 160018
vlan 19
vn-segment 160019
vlan 20
vn-segment 160020
vlan 21
vn-segment 160021
vlan 22
vn-segment 160022
vlan 23
vn-segment 160023
vlan 24
vn-segment 160024
vlan 25
vn-segment 160025
vlan 26
vn-segment 160026
vlan 27
vn-segment 160027
vlan 28
vn-segment 160028
vlan 29
vn-segment 160029
vlan 30
vn-segment 160030
vlan 31
vn-segment 160031
vlan 32
vn-segment 160032
vlan 33
vn-segment 160033
vlan 34
vn-segment 160034
vlan 35
vn-segment 160035
vlan 36
vn-segment 160036
vlan 37
vn-segment 160037
vlan 38
vn-segment 160038
vlan 39
vn-segment 160039
vlan 40
vn-segment 160040
vlan 41
vn-segment 160041
vlan 42
vn-segment 160042
vlan 43
vn-segment 160043
vlan 44
vn-segment 160044
vlan 45
vn-segment 160045
vlan 46
vn-segment 160046
vlan 47
vn-segment 160047
vlan 48
vn-segment 160048
vlan 49
vn-segment 160049
vlan 50
vn-segment 160050
vlan 901
vn-segment 900901
vlan 902
vn-segment 900902
vlan 903
vn-segment 900903
vlan 904
vn-segment 900904
ip prefix-list static2bgp seq 5 permit 0.0.0.0/0 le 32
route-map static2bgp permit 10
match ip address prefix-list static2bgp
vrf context APP
vni 900901
ip route 0.0.0.0/0 Ethernet1/2.110 10.20.1.2
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context DB
vni 900903
ip route 0.0.0.0/0 Ethernet1/2.130 10.20.3.2
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context NAS
vni 900904
ip route 0.0.0.0/0 Ethernet1/2.140 10.20.4.2
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context VM
vni 900902
ip route 0.0.0.0/0 Ethernet1/2.120 10.20.2.2
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
vrf context management
interface Vlan1
interface Vlan11
no shutdown
mtu 9192
vrf member APP
ip address 10.133.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan12
no shutdown
mtu 9192
vrf member APP
ip address 10.133.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan13
no shutdown
mtu 9192
vrf member APP
ip address 10.133.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan14
no shutdown
mtu 9192
vrf member APP
ip address 10.133.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan15
no shutdown
mtu 9192
vrf member APP
ip address 10.133.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan16
no shutdown
mtu 9192
vrf member APP
ip address 10.133.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan17
no shutdown
mtu 9192
vrf member APP
ip address 10.133.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan18
no shutdown
mtu 9192
vrf member APP
ip address 10.133.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan19
no shutdown
mtu 9192
vrf member APP
ip address 10.133.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan20
no shutdown
mtu 9192
vrf member APP
ip address 10.133.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan21
no shutdown
mtu 9192
vrf member VM
ip address 10.158.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan22
no shutdown
mtu 9192
vrf member VM
ip address 10.158.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan23
no shutdown
mtu 9192
vrf member VM
ip address 10.158.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan24
no shutdown
mtu 9192
vrf member VM
ip address 10.158.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan25
no shutdown
mtu 9192
vrf member VM
ip address 10.158.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan26
no shutdown
mtu 9192
vrf member VM
ip address 10.158.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan27
no shutdown
mtu 9192
vrf member VM
ip address 10.158.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan28
no shutdown
mtu 9192
vrf member VM
ip address 10.158.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan29
no shutdown
mtu 9192
vrf member VM
ip address 10.158.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan30
no shutdown
mtu 9192
vrf member VM
ip address 10.158.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan31
no shutdown
mtu 9192
vrf member DB
ip address 10.90.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan32
no shutdown
mtu 9192
vrf member DB
ip address 10.90.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan33
no shutdown
mtu 9192
vrf member DB
ip address 10.90.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan34
no shutdown
mtu 9192
vrf member DB
ip address 10.90.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan35
no shutdown
mtu 9192
vrf member DB
ip address 10.90.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan36
no shutdown
mtu 9192
vrf member DB
ip address 10.90.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan37
no shutdown
mtu 9192
vrf member DB
ip address 10.90.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan38
no shutdown
mtu 9192
vrf member DB
ip address 10.90.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan39
no shutdown
mtu 9192
vrf member DB
ip address 10.90.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan40
no shutdown
mtu 9192
vrf member DB
ip address 10.90.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan41
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.1.254/24
fabric forwarding mode anycast-gateway
interface Vlan42
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.2.254/24
fabric forwarding mode anycast-gateway
interface Vlan43
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.3.254/24
fabric forwarding mode anycast-gateway
interface Vlan44
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.4.254/24
fabric forwarding mode anycast-gateway
interface Vlan45
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.5.254/24
fabric forwarding mode anycast-gateway
interface Vlan46
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.6.254/24
fabric forwarding mode anycast-gateway
interface Vlan47
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.7.254/24
fabric forwarding mode anycast-gateway
interface Vlan48
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.8.254/24
fabric forwarding mode anycast-gateway
interface Vlan49
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.9.254/24
fabric forwarding mode anycast-gateway
interface Vlan50
no shutdown
mtu 9192
vrf member NAS
ip address 10.78.10.254/24
fabric forwarding mode anycast-gateway
interface Vlan901
no shutdown
mtu 9192
vrf member APP
no ip redirects
ip forward
interface Vlan902
no shutdown
mtu 9192
vrf member VM
no ip redirects
ip forward
interface Vlan903
no shutdown
mtu 9192
vrf member DB
no ip redirects
ip forward
interface Vlan904
no shutdown
mtu 9192
vrf member NAS
no ip redirects
ip forward
interface nve1
no shutdown
source-interface loopback0
host-reachability protocol bgp
member vni 160011
mcast-group 239.1.1.1
member vni 160012
mcast-group 239.1.1.1
member vni 160013
mcast-group 239.1.1.1
member vni 160014
mcast-group 239.1.1.1
member vni 160015
mcast-group 239.1.1.1
member vni 160016
mcast-group 239.1.1.1
member vni 160017
mcast-group 239.1.1.1
member vni 160018
mcast-group 239.1.1.1
member vni 160019
mcast-group 239.1.1.1
member vni 160020
mcast-group 239.1.1.1
member vni 160021
mcast-group 239.2.2.2
member vni 160022
mcast-group 239.2.2.2
member vni 160023
mcast-group 239.2.2.2
member vni 160024
mcast-group 239.2.2.2
member vni 160025
mcast-group 239.2.2.2
member vni 160026
mcast-group 239.2.2.2
member vni 160027
mcast-group 239.2.2.2
member vni 160028
mcast-group 239.2.2.2
member vni 160029
mcast-group 239.2.2.2
member vni 160030
mcast-group 239.2.2.2
member vni 160031
mcast-group 239.3.3.3
member vni 160032
mcast-group 239.3.3.3
member vni 160033
mcast-group 239.3.3.3
member vni 160034
mcast-group 239.3.3.3
member vni 160035
mcast-group 239.3.3.3
member vni 160036
mcast-group 239.3.3.3
member vni 160037
mcast-group 239.3.3.3
member vni 160038
mcast-group 239.3.3.3
member vni 160039
mcast-group 239.3.3.3
member vni 160040
mcast-group 239.3.3.3
member vni 160041
mcast-group 239.4.4.4
member vni 160042
mcast-group 239.4.4.4
member vni 160043
mcast-group 239.4.4.4
member vni 160044
mcast-group 239.4.4.4
member vni 160045
mcast-group 239.4.4.4
member vni 160046
mcast-group 239.4.4.4
member vni 160047
mcast-group 239.4.4.4
member vni 160048
mcast-group 239.4.4.4
member vni 160049
mcast-group 239.4.4.4
member vni 160050
mcast-group 239.4.4.4
member vni 900901 associate-vrf
member vni 900902 associate-vrf
member vni 900903 associate-vrf
member vni 900904 associate-vrf
interface Ethernet1/1
no switchport
ip address 10.10.2.2/30
ip ospf network point-to-point
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
no shutdown
interface Ethernet1/2
no switchport
no shutdown
interface Ethernet1/2.110
encapsulation dot1q 110
vrf member APP
ip address 10.20.1.1/30
no shutdown
interface Ethernet1/2.120
encapsulation dot1q 120
vrf member VM
ip address 10.20.2.1/30
no shutdown
interface Ethernet1/2.130
encapsulation dot1q 130
vrf member DB
ip address 10.20.3.1/30
no shutdown
interface Ethernet1/2.140
encapsulation dot1q 140
vrf member NAS
ip address 10.20.4.1/30
no shutdown
interface loopback0
ip address 10.255.255.3/32
ip router ospf 100 area 0.0.0.0
ip pim sparse-mode
router ospf 100
router-id 10.255.255.3
log-adjacency-changes
auto-cost reference-bandwidth 100 Gbps
router bgp 65001
router-id 10.255.255.3
log-neighbor-changes
neighbor 10.255.255.1
remote-as 65001
password 3 9125d59c18a9b015
update-source loopback0
address-family ipv4 unicast
send-community
send-community extended
address-family l2vpn evpn
send-community
send-community extended
vrf APP
address-family ipv4 unicast
advertise l2vpn evpn
redistribute static route-map static2bgp
maximum-paths ibgp 2
default-information originate
vrf DB
address-family ipv4 unicast
advertise l2vpn evpn
redistribute static route-map static2bgp
maximum-paths ibgp 2
default-information originate
vrf NAS
address-family ipv4 unicast
advertise l2vpn evpn
redistribute static route-map static2bgp
maximum-paths ibgp 2
default-information originate
vrf VM
address-family ipv4 unicast
advertise l2vpn evpn
redistribute static route-map static2bgp
maximum-paths ibgp 2
default-information originate
evpn
vni 160011 l2
rd auto
route-target import auto
route-target export auto
vni 160012 l2
rd auto
route-target import auto
route-target export auto
vni 160013 l2
rd auto
route-target import auto
route-target export auto
vni 160014 l2
rd auto
route-target import auto
route-target export auto
vni 160015 l2
rd auto
route-target import auto
route-target export auto
vni 160016 l2
rd auto
route-target import auto
route-target export auto
vni 160017 l2
rd auto
route-target import auto
route-target export auto
vni 160018 l2
rd auto
route-target import auto
route-target export auto
vni 160019 l2
rd auto
route-target import auto
route-target export auto
vni 160020 l2
rd auto
route-target import auto
route-target export auto
vni 160021 l2
rd auto
route-target import auto
route-target export auto
vni 160022 l2
rd auto
route-target import auto
route-target export auto
vni 160023 l2
rd auto
route-target import auto
route-target export auto
vni 160024 l2
rd auto
route-target import auto
route-target export auto
vni 160025 l2
rd auto
route-target import auto
route-target export auto
vni 160026 l2
rd auto
route-target import auto
route-target export auto
vni 160027 l2
rd auto
route-target import auto
route-target export auto
vni 160028 l2
rd auto
route-target import auto
route-target export auto
vni 160029 l2
rd auto
route-target import auto
route-target export auto
vni 160030 l2
rd auto
route-target import auto
route-target export auto
vni 160031 l2
rd auto
route-target import auto
route-target export auto
vni 160032 l2
rd auto
route-target import auto
route-target export auto
vni 160033 l2
rd auto
route-target import auto
route-target export auto
vni 160034 l2
rd auto
route-target import auto
route-target export auto
vni 160035 l2
rd auto
route-target import auto
route-target export auto
vni 160036 l2
rd auto
route-target import auto
route-target export auto
vni 160037 l2
rd auto
route-target import auto
route-target export auto
vni 160038 l2
rd auto
route-target import auto
route-target export auto
vni 160039 l2
rd auto
route-target import auto
route-target export auto
vni 160040 l2
rd auto
route-target import auto
route-target export auto
vni 160041 l2
rd auto
route-target import auto
route-target export auto
vni 160042 l2
rd auto
route-target import auto
route-target export auto
vni 160043 l2
rd auto
route-target import auto
route-target export auto
vni 160044 l2
rd auto
route-target import auto
route-target export auto
vni 160045 l2
rd auto
route-target import auto
route-target export auto
vni 160046 l2
rd auto
route-target import auto
route-target export auto
vni 160047 l2
rd auto
route-target import auto
route-target export auto
vni 160048 l2
rd auto
route-target import auto
route-target export auto
vni 160049 l2
rd auto
route-target import auto
route-target export auto
vni 160050 l2
rd auto
route-target import auto
route-target export auto
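View the external routes on the LEAF, as shown in the figure below:
Ping test from the VPC, as shown in the figure below:
Trace the path from the VPC to the external 12.255.255.1/32, as shown in the figure below:
10.133.1.254 -> L2 gateway
10.20.1.1 -> interconnect address between borderleaf VRF APP and the FW
123.103.15.2 -> interconnect address between the FW and XRV1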
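One way to check the per-VRF egress described above, as an added example that is not part of the original page: the script parses flattened NX-OS text and verifies that each VRF's default route leaves through a subinterface that is a member of the same VRF and points at an on-link next hop, so every VRF reaches the firewall over its own link. The function names are assumptions of this example, and the embedded sample is constructed from the BORDERLEAF lines above.

```python
import ipaddress
import re

# Constructed sample: the BORDERLEAF lines on this page that define the
# per-VRF egress, flattened (no indentation) exactly as the page shows them.
BORDERLEAF_SAMPLE = """\
vrf context APP
ip route 0.0.0.0/0 Ethernet1/2.110 10.20.1.2
vrf context DB
ip route 0.0.0.0/0 Ethernet1/2.130 10.20.3.2
vrf context NAS
ip route 0.0.0.0/0 Ethernet1/2.140 10.20.4.2
vrf context VM
ip route 0.0.0.0/0 Ethernet1/2.120 10.20.2.2
interface Ethernet1/2.110
encapsulation dot1q 110
vrf member APP
ip address 10.20.1.1/30
interface Ethernet1/2.120
encapsulation dot1q 120
vrf member VM
ip address 10.20.2.1/30
interface Ethernet1/2.130
encapsulation dot1q 130
vrf member DB
ip address 10.20.3.1/30
interface Ethernet1/2.140
encapsulation dot1q 140
vrf member NAS
ip address 10.20.4.1/30
router bgp 65001
vrf APP
address-family ipv4 unicast
redistribute static route-map static2bgp
"""


def parse(config):
    """Return ({vrf: (interface, next_hop)}, {interface: attrs}) from NX-OS text."""
    routes, ifaces, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vrf context "):
            ctx = ("vrf", line.split()[2])
        elif line.startswith("interface "):
            ctx = ("if", line.split()[1])
            ifaces[ctx[1]] = {"vrf": "default", "net": None}
        elif line.startswith(("router ", "evpn")):
            ctx = None  # past the vrf/interface blocks (e.g. "vrf APP" under BGP)
        elif ctx and ctx[0] == "vrf":
            m = re.fullmatch(r"ip route 0\.0\.0\.0/0 (\S+) (\S+)", line)
            if m:
                routes[ctx[1]] = m.groups()
        elif ctx and ctx[0] == "if":
            key, _, val = line.rpartition(" ")
            if key == "vrf member":
                ifaces[ctx[1]]["vrf"] = val
            elif key == "ip address" and "/" in val:
                ifaces[ctx[1]]["net"] = ipaddress.ip_interface(val)
    return routes, ifaces


def audit_egress(config):
    """List VRFs whose default route does not use their own firewall-facing link."""
    routes, ifaces = parse(config)
    findings = []
    for vrf, (ifname, nh) in sorted(routes.items()):
        iface = ifaces.get(ifname)
        if iface is None:
            findings.append(f"{vrf}: default route uses undefined interface {ifname}")
            continue
        if iface["vrf"] != vrf:
            findings.append(f"{vrf}: {ifname} is a member of VRF {iface['vrf']}")
        net, hop = iface["net"], ipaddress.ip_address(nh)
        if net is None or hop not in net.network or hop == net.ip:
            findings.append(f"{vrf}: next hop {nh} is not an on-link peer of {ifname}")
    return findings


if __name__ == "__main__":
    # An empty list means every VRF exits through its own subinterface.
    print(audit_egress(BORDERLEAF_SAMPLE))
```

The prefix-list `static2bgp` on this page (`0.0.0.0/0 le 32`) matches every IPv4 prefix, so any static route later added to one of these VRFs is also redistributed and advertised into EVPN, not only the default route.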