! Device identity, local administrator account and hardware profile.
! The admin password value is masked on this page. In a real export the
! ciphertext form is still credential material and should be redacted before
! the configuration is shared.
! Only one local account (admin, group administrators) appears in this listing;
! no AAA/RADIUS/TACACS configuration for management logins is visible here.
hostname HERCP-CR1-STB1-1
user admin group administrators password ciphertext ******
profile aggregation-leaf
! Tenant VRFs for the EVPN overlay. Each RD is built from 10.10.1.2 (the
! loopback 0 / router-id address used elsewhere in this config) plus a per-VRF
! number. Each VRF exports and imports only its own route-target, so no route
! leaking between Corporate, Guest and Infrastructure is configured in these lines.
! VSX_KEEPALIVE is declared with no RD or route-targets; it is attached to
! interface 1/1/35 and named in the vsx keepalive statement.
vrf Corporate
rd 10.10.1.2:20000
route-target export 65001:20000 evpn
route-target import 65001:20000 evpn
vrf Guest
rd 10.10.1.2:30000
route-target export 65001:30000 evpn
route-target import 65001:30000 evpn
vrf Infrastructure
rd 10.10.1.2:10000
route-target export 65001:10000 evpn
route-target import 65001:10000 evpn
vrf VSX_KEEPALIVE
! Time sources and SSH.
! Neither NTP server line carries an authentication key, so time is taken from
! these servers unauthenticated. NOTE(review): confirm whether NTP
! authentication is expected here; log timestamps used for investigations
! depend on this clock.
! minpoll 4 / maxpoll 4 pins the poll interval to a single value.
! SSH is enabled in the mgmt VRF only; no "ssh server vrf" line for the default
! or tenant VRFs appears in this listing.
ntp server 10.2.120.98 minpoll 4 maxpoll 4 iburst
ntp server 10.2.120.99 minpoll 4 maxpoll 4 iburst
ntp enable
ssh server vrf mgmt
! Group-based policy (GBP) is enabled and each role name is bound to a numeric ID.
! NOTE(review): the IDs presumably have to be identical on every fabric device
! that tags or enforces these roles - confirm against the fabric-wide role table.
! Roles infra, internet, intranet and isl (IDs 2-5) are defined here but are not
! referenced by any class gbp-* entry or port-access role in this config.
gbp enable
gbp role intranet 4
gbp role internet 3
gbp role isl 5
gbp role infra 2
gbp role EMPLOYEE 100
gbp role IT-ADMIN 200
gbp role CONTRACTOR 201
gbp role IT-SUPP 300
gbp role VISITOR 400
gbp role PRINTER 500
gbp role IOT-NO-INET 600
gbp role IOT-INTERNAL 700
gbp role IOT-LMT-INET 800
gbp role REJECT 900
gbp role QUARANTINE 1000
gbp role CRITICAL 1100
gbp role SECURITY 1200
! IPv4 role-to-role classes. Each class <ROLE>_ALLOW holds entries of the form
! "<seq> match any <role-A> <role-B>", and role-B is always the role in the
! class name.
! NOTE(review): read here as protocol / source role / destination role -
! confirm the field order against the platform GBP reference.
! Every entry uses "any" in the first field, so a listed role pair is not
! narrowed to particular protocols or ports.
! Entries worth checking against the intended access matrix:
!  - CONTRACTOR is role-A in EMPLOYEE_ALLOW (seq 5) and IT-SUPP_ALLOW (seq 10).
!  - IT-SUPP is role-A in IT-ADMIN_ALLOW (seq 12).
!  - CONTRACTOR_ALLOW seq 10000 matches a role named "default" with the count
!    keyword; no other class has a "default" entry. Presumably this covers
!    traffic with no assigned role - verify that this is intended.
!  - CRITICAL, QUARANTINE, SECURITY and VISITOR list only IT-ADMIN; REJECT lists
!    IT-ADMIN and IT-SUPP.
! The class entries do not state an action, and the handling of traffic that
! matches no entry is not visible in this listing.
class gbp-ip CONTRACTOR_ALLOW
1 match any CONTRACTOR CONTRACTOR
2 match any EMPLOYEE CONTRACTOR
4 match any IT-SUPP CONTRACTOR
10000 match any default CONTRACTOR count
class gbp-ip CRITICAL_ALLOW
1 match any IT-ADMIN CRITICAL
class gbp-ip EMPLOYEE_ALLOW
2 match any IT-ADMIN EMPLOYEE
3 match any IT-SUPP EMPLOYEE
5 match any CONTRACTOR EMPLOYEE
class gbp-ip IOT-INTERNAL_ALLOW
1 match any IT-ADMIN IOT-INTERNAL
2 match any IT-SUPP IOT-INTERNAL
class gbp-ip IOT-LMT-INET_ALLOW
1 match any IT-ADMIN IOT-LMT-INET
2 match any IT-SUPP IOT-LMT-INET
class gbp-ip IOT-NO-INET_ALLOW
1 match any IOT-NO-INET IOT-NO-INET
2 match any IT-SUPP IOT-NO-INET
class gbp-ip IT-ADMIN_ALLOW
1 match any IT-ADMIN IT-ADMIN
12 match any IT-SUPP IT-ADMIN
class gbp-ip IT-SUPP_ALLOW
1 match any IT-ADMIN IT-SUPP
10 match any CONTRACTOR IT-SUPP
class gbp-ip PRINTER_ALLOW
1 match any EMPLOYEE PRINTER
2 match any IT-ADMIN PRINTER
3 match any IT-SUPP PRINTER
class gbp-ip QUARANTINE_ALLOW
1 match any IT-ADMIN QUARANTINE
class gbp-ip REJECT_ALLOW
1 match any IT-ADMIN REJECT
2 match any IT-SUPP REJECT
class gbp-ip SECURITY_ALLOW
1 match any IT-ADMIN SECURITY
class gbp-ip VISITOR_ALLOW
1 match any IT-ADMIN VISITOR
! IPv6 role-to-role classes. The class names, sequence numbers and role pairs
! are the same as in the class gbp-ip definitions of this config, so the IPv4
! and IPv6 policies are symmetric. Keeping the two families identical matters:
! a pair removed from only one family would stay reachable over the other.
! As in the IPv4 classes, CONTRACTOR_ALLOW is the only class with a "default"
! entry (seq 10000, with count), and every entry uses "any" in the first field.
class gbp-ipv6 CONTRACTOR_ALLOW
1 match any CONTRACTOR CONTRACTOR
2 match any EMPLOYEE CONTRACTOR
4 match any IT-SUPP CONTRACTOR
10000 match any default CONTRACTOR count
class gbp-ipv6 CRITICAL_ALLOW
1 match any IT-ADMIN CRITICAL
class gbp-ipv6 EMPLOYEE_ALLOW
2 match any IT-ADMIN EMPLOYEE
3 match any IT-SUPP EMPLOYEE
5 match any CONTRACTOR EMPLOYEE
class gbp-ipv6 IOT-INTERNAL_ALLOW
1 match any IT-ADMIN IOT-INTERNAL
2 match any IT-SUPP IOT-INTERNAL
class gbp-ipv6 IOT-LMT-INET_ALLOW
1 match any IT-ADMIN IOT-LMT-INET
2 match any IT-SUPP IOT-LMT-INET
class gbp-ipv6 IOT-NO-INET_ALLOW
1 match any IOT-NO-INET IOT-NO-INET
2 match any IT-SUPP IOT-NO-INET
class gbp-ipv6 IT-ADMIN_ALLOW
1 match any IT-ADMIN IT-ADMIN
12 match any IT-SUPP IT-ADMIN
class gbp-ipv6 IT-SUPP_ALLOW
1 match any IT-ADMIN IT-SUPP
10 match any CONTRACTOR IT-SUPP
class gbp-ipv6 PRINTER_ALLOW
1 match any EMPLOYEE PRINTER
2 match any IT-ADMIN PRINTER
3 match any IT-SUPP PRINTER
class gbp-ipv6 QUARANTINE_ALLOW
1 match any IT-ADMIN QUARANTINE
class gbp-ipv6 REJECT_ALLOW
1 match any IT-ADMIN REJECT
2 match any IT-SUPP REJECT
class gbp-ipv6 SECURITY_ALLOW
1 match any IT-ADMIN SECURITY
class gbp-ipv6 VISITOR_ALLOW
1 match any IT-ADMIN VISITOR
! Layer-2 role-to-role classes. The entry layout differs from the gbp-ip and
! gbp-ipv6 classes: here the two roles come first and the last field is "any"
! or "arp". NOTE(review): presumably source role / destination role /
! ethertype - confirm against the platform GBP reference.
! The role pairs mirror the IP classes, with one addition: CONTRACTOR_ALLOW
! seq 10001 matches "any" in the first role position towards CONTRACTOR for
! arp, with count. Together with seq 10000 ("default" role, with count) these
! are the only counted and the only non-role-specific entries in the gbp-mac
! classes; verify they are intended to stay in place.
class gbp-mac CONTRACTOR_ALLOW
1 match CONTRACTOR CONTRACTOR any
2 match EMPLOYEE CONTRACTOR any
4 match IT-SUPP CONTRACTOR any
10000 match default CONTRACTOR any count
10001 match any CONTRACTOR arp count
class gbp-mac CRITICAL_ALLOW
1 match IT-ADMIN CRITICAL any
class gbp-mac EMPLOYEE_ALLOW
2 match IT-ADMIN EMPLOYEE any
3 match IT-SUPP EMPLOYEE any
5 match CONTRACTOR EMPLOYEE any
class gbp-mac IOT-INTERNAL_ALLOW
1 match IT-ADMIN IOT-INTERNAL any
2 match IT-SUPP IOT-INTERNAL any
class gbp-mac IOT-LMT-INET_ALLOW
1 match IT-ADMIN IOT-LMT-INET any
2 match IT-SUPP IOT-LMT-INET any
class gbp-mac IOT-NO-INET_ALLOW
1 match IOT-NO-INET IOT-NO-INET any
2 match IT-SUPP IOT-NO-INET any
class gbp-mac IT-ADMIN_ALLOW
1 match IT-ADMIN IT-ADMIN any
12 match IT-SUPP IT-ADMIN any
class gbp-mac IT-SUPP_ALLOW
1 match IT-ADMIN IT-SUPP any
10 match CONTRACTOR IT-SUPP any
class gbp-mac PRINTER_ALLOW
1 match EMPLOYEE PRINTER any
2 match IT-ADMIN PRINTER any
3 match IT-SUPP PRINTER any
class gbp-mac QUARANTINE_ALLOW
1 match IT-ADMIN QUARANTINE any
class gbp-mac REJECT_ALLOW
1 match IT-ADMIN REJECT any
2 match IT-SUPP REJECT any
class gbp-mac SECURITY_ALLOW
1 match IT-ADMIN SECURITY any
class gbp-mac VISITOR_ALLOW
1 match IT-ADMIN VISITOR any
! VLAN definitions. VLANs 1 and 15 are created without names; 102, 201 and 301
! are the overlay wireless, guest wireless and gateway management VLANs; VLAN
! 4000 is described as the transit VLAN on its SVI.
! VLAN 1 is also the access VLAN of the edge ports and is allowed on the two
! gateway LAGs, so it is in active use rather than parked.
! virtual-mac has the same value as the vsx system-mac configured in this file.
vlan 1,15
vlan 102
name Overlay Fabric Wireless
vlan 201
name Overlay Fabric Wireless -Guest
vlan 301
name Gateway Management
vlan 4000
virtual-mac 02:00:00:00:00:35
! EVPN layer-2 instances for VLANs 102, 201 and 301, each with automatically
! derived RD and route-targets and with host-route redistribution.
! arp-suppression is enabled for the EVPN context.
! NOTE(review): with "auto" route-targets the import/export values are not
! visible in the config; confirm on the device that the Guest VLAN (201) does
! not share a derived route-target with the other two VLANs.
evpn
arp-suppression
vlan 102
rd auto
route-target export auto
route-target import auto
redistribute host-route
vlan 201
rd auto
route-target export auto
route-target import auto
redistribute host-route
vlan 301
rd auto
route-target export auto
route-target import auto
redistribute host-route
! Spanning tree is enabled globally; no per-port guard settings (for example
! BPDU or root protection on the edge ports) appear in this listing.
! The management interface is enabled and takes its address from DHCP, so the
! management address of this switch depends on the DHCP service on that network.
! DHCP relay: relaying for l2vpn clients is disabled, and option 82 is set to
! "replace" with the source interface included. NOTE(review): "replace"
! presumably overwrites any option 82 already present in a client packet -
! confirm against the platform reference.
spanning-tree
interface mgmt
no shutdown
ip dhcp
no dhcp-relay l2vpn-clients
dhcp-relay option 82 replace
dhcp-relay option 82 source-interface
! One role-to-role policy per user role. Each policy <ROLE>_r2r_policy
! references the three classes named <ROLE>_ALLOW in a fixed order: gbp-ip at
! seq 10, gbp-ipv6 at seq 20, gbp-mac at seq 30.
! No action keyword is written on these lines, so the effective action and the
! treatment of traffic that matches none of the three classes are not visible
! here. NOTE(review): confirm the implicit behaviour before relying on these
! policies as a deny-by-default control.
! There are thirteen policies, one for each role from EMPLOYEE to SECURITY;
! roles infra, internet, intranet and isl have none.
port-access gbp CONTRACTOR_r2r_policy
10 class gbp-ip CONTRACTOR_ALLOW
20 class gbp-ipv6 CONTRACTOR_ALLOW
30 class gbp-mac CONTRACTOR_ALLOW
port-access gbp CRITICAL_r2r_policy
10 class gbp-ip CRITICAL_ALLOW
20 class gbp-ipv6 CRITICAL_ALLOW
30 class gbp-mac CRITICAL_ALLOW
port-access gbp EMPLOYEE_r2r_policy
10 class gbp-ip EMPLOYEE_ALLOW
20 class gbp-ipv6 EMPLOYEE_ALLOW
30 class gbp-mac EMPLOYEE_ALLOW
port-access gbp IOT-INTERNAL_r2r_policy
10 class gbp-ip IOT-INTERNAL_ALLOW
20 class gbp-ipv6 IOT-INTERNAL_ALLOW
30 class gbp-mac IOT-INTERNAL_ALLOW
port-access gbp IOT-LMT-INET_r2r_policy
10 class gbp-ip IOT-LMT-INET_ALLOW
20 class gbp-ipv6 IOT-LMT-INET_ALLOW
30 class gbp-mac IOT-LMT-INET_ALLOW
port-access gbp IOT-NO-INET_r2r_policy
10 class gbp-ip IOT-NO-INET_ALLOW
20 class gbp-ipv6 IOT-NO-INET_ALLOW
30 class gbp-mac IOT-NO-INET_ALLOW
port-access gbp IT-ADMIN_r2r_policy
10 class gbp-ip IT-ADMIN_ALLOW
20 class gbp-ipv6 IT-ADMIN_ALLOW
30 class gbp-mac IT-ADMIN_ALLOW
port-access gbp IT-SUPP_r2r_policy
10 class gbp-ip IT-SUPP_ALLOW
20 class gbp-ipv6 IT-SUPP_ALLOW
30 class gbp-mac IT-SUPP_ALLOW
port-access gbp PRINTER_r2r_policy
10 class gbp-ip PRINTER_ALLOW
20 class gbp-ipv6 PRINTER_ALLOW
30 class gbp-mac PRINTER_ALLOW
port-access gbp QUARANTINE_r2r_policy
10 class gbp-ip QUARANTINE_ALLOW
20 class gbp-ipv6 QUARANTINE_ALLOW
30 class gbp-mac QUARANTINE_ALLOW
port-access gbp REJECT_r2r_policy
10 class gbp-ip REJECT_ALLOW
20 class gbp-ipv6 REJECT_ALLOW
30 class gbp-mac REJECT_ALLOW
port-access gbp SECURITY_r2r_policy
10 class gbp-ip SECURITY_ALLOW
20 class gbp-ipv6 SECURITY_ALLOW
30 class gbp-mac SECURITY_ALLOW
port-access gbp VISITOR_r2r_policy
10 class gbp-ip VISITOR_ALLOW
20 class gbp-ipv6 VISITOR_ALLOW
30 class gbp-mac VISITOR_ALLOW
! Port-access roles. Each role is bound to the GBP policy of the same name and
! carries nothing else in this listing (no VLAN, ACL or other attribute lines
! are shown under any role).
! The config shows no port-access authentication (802.1X / MAC-auth) on any
! interface, so role assignment does not happen on this switch's edge ports as
! configured. NOTE(review): presumably roles arrive as tags from elsewhere in
! the fabric and this device only enforces them - confirm.
port-access role CONTRACTOR
associate gbp CONTRACTOR_r2r_policy
port-access role CRITICAL
associate gbp CRITICAL_r2r_policy
port-access role EMPLOYEE
associate gbp EMPLOYEE_r2r_policy
port-access role IOT-INTERNAL
associate gbp IOT-INTERNAL_r2r_policy
port-access role IOT-LMT-INET
associate gbp IOT-LMT-INET_r2r_policy
port-access role IOT-NO-INET
associate gbp IOT-NO-INET_r2r_policy
port-access role IT-ADMIN
associate gbp IT-ADMIN_r2r_policy
port-access role IT-SUPP
associate gbp IT-SUPP_r2r_policy
port-access role PRINTER
associate gbp PRINTER_r2r_policy
port-access role QUARANTINE
associate gbp QUARANTINE_r2r_policy
port-access role REJECT
associate gbp REJECT_r2r_policy
port-access role SECURITY
associate gbp SECURITY_r2r_policy
port-access role VISITOR
associate gbp VISITOR_r2r_policy
! Link aggregation groups.
! lag 11 and lag 12 are multi-chassis LAGs towards the two stub gateways. Both
! trunk VLANs 1, 15 and 301 with native VLAN 15, and both enable lacp fallback.
! NOTE(review): lacp fallback presumably lets a member port forward before an
! LACP partner is seen; confirm it is still needed once the gateways are in
! service, since it relaxes the requirement for a negotiated partner.
! lag 256 is the VSX inter-switch link: native VLAN 1 and all VLANs allowed.
interface lag 11 multi-chassis
no shutdown
description Stub-GW-1
no routing
vlan trunk native 15
vlan trunk allowed 1,15,301
lacp mode active
lacp fallback
interface lag 12 multi-chassis
no shutdown
description Stub-GW-2
no routing
vlan trunk native 15
vlan trunk allowed 1,15,301
lacp mode active
lacp fallback
interface lag 256
no shutdown
description ISL
no routing
vlan trunk native 1
vlan trunk allowed all
lacp mode active
! Ports 1/1/1 to 1/1/8.
! 1/1/1-1/1/4, 1/1/7 and 1/1/8 are administratively enabled with no description
! or other settings in this listing. Ports that are not in use are normally
! shut down so that a cable plugged into them does not come up.
! 1/1/5 and 1/1/6 are the gateway uplinks (members of lag 11 and lag 12) with
! jumbo MTU 9198.
interface 1/1/1
no shutdown
interface 1/1/2
no shutdown
interface 1/1/3
no shutdown
interface 1/1/4
no shutdown
interface 1/1/5
no shutdown
mtu 9198
description HERCP-GW
lag 11
interface 1/1/6
no shutdown
mtu 9198
description HERCP-GW
lag 12
interface 1/1/7
no shutdown
interface 1/1/8
no shutdown
! Ports 1/1/9 to 1/1/30.
! 1/1/9-1/1/26 and 1/1/30 are enabled layer-2 access ports in VLAN 1 with no
! description. None of them shows port-access authentication, port security or
! a spanning-tree guard in this listing, so any device connected to one of
! them lands in VLAN 1, which is also trunked to the gateways on lag 11/12.
! NOTE(review): confirm which of these ports are actually in use; shut down
! the rest or move them to an unused VLAN.
! 1/1/27-1/1/29 are enabled with no further settings shown.
interface 1/1/9
no shutdown
no routing
vlan access 1
interface 1/1/10
no shutdown
no routing
vlan access 1
interface 1/1/11
no shutdown
no routing
vlan access 1
interface 1/1/12
no shutdown
no routing
vlan access 1
interface 1/1/13
no shutdown
no routing
vlan access 1
interface 1/1/14
no shutdown
no routing
vlan access 1
interface 1/1/15
no shutdown
no routing
vlan access 1
interface 1/1/16
no shutdown
no routing
vlan access 1
interface 1/1/17
no shutdown
no routing
vlan access 1
interface 1/1/18
no shutdown
no routing
vlan access 1
interface 1/1/19
no shutdown
no routing
vlan access 1
interface 1/1/20
no shutdown
no routing
vlan access 1
interface 1/1/21
no shutdown
no routing
vlan access 1
interface 1/1/22
no shutdown
no routing
vlan access 1
interface 1/1/23
no shutdown
no routing
vlan access 1
interface 1/1/24
no shutdown
no routing
vlan access 1
interface 1/1/25
no shutdown
no routing
vlan access 1
interface 1/1/26
no shutdown
no routing
vlan access 1
interface 1/1/27
no shutdown
interface 1/1/28
no shutdown
interface 1/1/29
no shutdown
interface 1/1/30
no shutdown
no routing
vlan access 1
! Ports 1/1/31 to 1/1/36.
! 1/1/31 and 1/1/32 are routed /31 point-to-point links running OSPF area
! 0.0.0.0 and are explicitly made non-passive. No OSPF authentication is
! configured on either interface in this listing.
! 1/1/33 and 1/1/34 are the members of lag 256 (the ISL).
! 1/1/35 carries the VSX keepalive in its own VRF (10.10.0.2/31).
! 1/1/36 is an enabled access port in VLAN 1 with no description, like the
! edge ports 1/1/9-1/1/26.
interface 1/1/31
no shutdown
mtu 9198
description wlanServiceAgg core ROP to Peer Switch
ip mtu 9198
ip address 10.10.0.33/31
ip ospf 1 area 0.0.0.0
ip ospf network point-to-point
no ip ospf passive
interface 1/1/32
no shutdown
mtu 9198
description wlanServiceAgg core ROP to Peer Switch
ip mtu 9198
ip address 10.10.0.17/31
ip ospf 1 area 0.0.0.0
ip ospf network point-to-point
no ip ospf passive
interface 1/1/33
no shutdown
mtu 9198
description ISL Connectivity
lag 256
interface 1/1/34
no shutdown
mtu 9198
description ISL Connectivity
lag 256
interface 1/1/35
no shutdown
mtu 9198
description VSX Keepalive
vrf attach VSX_KEEPALIVE
ip mtu 9198
ip address 10.10.0.2/31
interface 1/1/36
no shutdown
no routing
vlan access 1
! Loopbacks. loopback 0 (10.10.1.2) is used as the OSPF and BGP router-id and
! as the BGP update-source; loopback 1 (10.10.1.15) is the VXLAN source
! address and the DHCP relay source interface.
interface loopback 0
description OSPF Underlay
ip address 10.10.1.2/32
interface loopback 1
description VTEP Source
ip address 10.10.1.15/32
! Switched virtual interfaces.
! vlan 15 (gateway/stub underlay) is in the default VRF with OSPF enabled but
! no "no ip ospf passive" line, so under "passive-interface default" it stays
! passive. Its active-gateway address (10.10.9.1) differs from the SVI address.
! vlan 102, 201 and 301 belong to Corporate, Guest and Infrastructure. On each
! the active-gateway IP equals the SVI IP and the active-gateway MAC is
! 00:00:00:00:00:01.
! Corporate and Guest relay DHCP to the same two servers through "vrf default",
! so both tenants, Guest included, depend on a service reached via the default
! VRF. NOTE(review): confirm that only DHCP is reachable on that path from Guest.
! vlan 301 has no helper address.
! vlan 4000 is the OSPF transit SVI (point-to-point, non-passive, cost 1) with
! no OSPF authentication shown.
interface vlan 15
description UNDERLAY BETWEEN GATEWAY AND STUB
ip mtu 9198
ip address 10.10.9.2/28
active-gateway ip mac a2:01:00:a2:a2:a2
active-gateway ip 10.10.9.1
ip helper-address 10.2.120.98
ip helper-address 10.2.120.99
ip ospf 1 area 0.0.0.0
interface vlan 102
vrf attach Corporate
ip mtu 9198
ip address 10.10.6.1/24
active-gateway ip mac 00:00:00:00:00:01
active-gateway ip 10.10.6.1
ip helper-address 10.2.120.98 vrf default
ip helper-address 10.2.120.99 vrf default
interface vlan 201
vrf attach Guest
ip mtu 9198
ip address 10.10.8.1/24
active-gateway ip mac 00:00:00:00:00:01
active-gateway ip 10.10.8.1
ip helper-address 10.2.120.98 vrf default
ip helper-address 10.2.120.99 vrf default
interface vlan 301
vrf attach Infrastructure
ip mtu 9198
ip address 10.10.2.1/24
active-gateway ip mac 00:00:00:00:00:01
active-gateway ip 10.10.2.1
interface vlan 4000
description Transit VLAN
ip mtu 9198
ip address 10.10.0.70/31
ip ospf 1 area 0.0.0.0
ip ospf cost 1
ip ospf network point-to-point
no ip ospf passive
! VXLAN tunnel interface, sourced from loopback 1 (10.10.1.15).
! VNIs 102 and 201 map to VLANs 102 and 201 and each lists two static VTEP
! peers, 10.10.9.4 and 10.10.9.5; both addresses fall inside the vlan 15
! subnet (10.10.9.2/28). VNI 301 maps to VLAN 301 with no static peer.
! VNIs 10000, 20000 and 30000 are the routed VNIs of Infrastructure, Corporate
! and Guest, matching the numbers in those VRFs' RDs and route-targets.
! NOTE(review): static VTEP peers are accepted by address only; nothing in
! this listing restricts which devices on the vlan 15 segment may use
! 10.10.9.4 or 10.10.9.5.
interface vxlan 1
source ip 10.10.1.15
inter-vxlan-bridging-mode static-all
no shutdown
vni 102
vlan 102
vtep-peer 10.10.9.4
vtep-peer 10.10.9.5
vni 201
vlan 201
vtep-peer 10.10.9.4
vtep-peer 10.10.9.5
vni 301
vlan 301
vni 10000
vrf Infrastructure
routing
vni 20000
vrf Corporate
routing
vni 30000
vrf Guest
routing
! SNMP, VSX and DNS.
! Only the SNMP location and contact are set here; no community string, SNMPv3
! user or VRF binding for the SNMP agent appears in this listing.
! VSX: this switch is the primary member, the ISL is lag 256, and the
! keepalive runs between 10.10.0.2 and 10.10.0.3 inside the VSX_KEEPALIVE VRF.
! DNS uses the same two addresses as the NTP servers and DHCP helpers.
snmp-server system-location Seattle
snmp-server system-contact rpn
vsx
system-mac 02:00:00:00:00:35
inter-switch-link lag 256
role primary
keepalive peer 10.10.0.3 source 10.10.0.2 vrf VSX_KEEPALIVE
vsx-sync vsx-global
ip dns server-address 10.2.120.98
ip dns server-address 10.2.120.99
! OSPF underlay, process 1, single area 0.0.0.0.
! Interfaces are passive by default; only those carrying an explicit
! "no ip ospf passive" (1/1/31, 1/1/32 and vlan 4000 in this config) form
! adjacencies. That limits where OSPF hellos are sent and accepted.
! No area or interface authentication is configured anywhere in this listing,
! so adjacencies on the non-passive links are unauthenticated.
! max-metric on-startup 300 applies the maximum-metric setting during startup.
router ospf 1
router-id 10.10.1.2
max-metric router-lsa include-stub on-startup 300
passive-interface default
redistribute local loopback
area 0.0.0.0
! BGP EVPN control plane. Local AS and the peer-group remote-as are both 65001
! (iBGP), sessions are sourced from loopback 0, and the two neighbors
! 10.10.1.0 and 10.10.1.1 are activated for l2vpn evpn with extended
! communities sent.
! No neighbor password or other session authentication is configured for the
! peer group or the neighbors in this listing.
! Each tenant VRF redistributes connected routes for IPv4 and IPv6 and local
! loopbacks for IPv4. No route-map or prefix filter is attached to any
! redistribution or neighbor here, so every connected prefix in a VRF is
! advertised into that VRF's EVPN routes.
router bgp 65001
bgp router-id 10.10.1.2
neighbor Herndon_Fabric peer-group
neighbor Herndon_Fabric remote-as 65001
neighbor Herndon_Fabric fall-over
neighbor Herndon_Fabric update-source loopback 0
neighbor 10.10.1.0 peer-group Herndon_Fabric
neighbor 10.10.1.1 peer-group Herndon_Fabric
address-family l2vpn evpn
neighbor 10.10.1.0 activate
neighbor 10.10.1.0 send-community extended
neighbor 10.10.1.1 activate
neighbor 10.10.1.1 send-community extended
vrf Corporate
address-family ipv4 unicast
redistribute connected
redistribute local loopback
address-family ipv6 unicast
redistribute connected
vrf Guest
address-family ipv4 unicast
redistribute connected
redistribute local loopback
address-family ipv6 unicast
redistribute connected
vrf Infrastructure
address-family ipv4 unicast
redistribute connected
redistribute local loopback
address-family ipv6 unicast
redistribute connected
! Relayed DHCP packets are sourced from loopback1 (the VTEP source address).
! The HTTPS server (web UI / REST) is bound to the mgmt VRF only, matching the
! SSH server binding.
! NOTE(review): "configuration-lockout central managed" presumably means a
! central management platform owns this configuration and local edits are
! locked out - confirm, because it determines where changes to the policies
! in this file have to be made and audited.
ip source-interface dhcp_relay interface loopback1
https-server vrf mgmt
configuration-lockout central managed