Step 1 - Create file for VRF Lite

To configure VRF-Lite in your staging fabric, you will create a file named vrfs.nac.yml that contains the VRF parameters as well as the VRF attach group and the switches that will be part of that group.

touch ~/workspace/ndfclab/nac/host_vars/fabric-stage/vrfs.nac.yml
cat << EOF > ~/workspace/ndfclab/nac/host_vars/fabric-stage/vrfs.nac.yml
---
vxlan:
  overlay:
    vrfs:
      - name: NaC-VRF01
        vrf_id: 150001
        vlan_id: 2001
        vrf_attach_group: all
    vrf_attach_groups:
      - name: all
        switches:
          - hostname: staging-leaf1
          - hostname: staging-leaf2
          - hostname: staging-leaf3

EOF

Step 2 - Create file for routed interfaces

To configure the connectivity between the staging-leaf3 device and the staging-ext-rtr you will create a file named interfaces_routed.nac.yml. This file will contain the interface parameters as well as the VRF assignment to use which you created in the previous VRF-Lite step.

touch ~/workspace/ndfclab/nac/host_vars/fabric-stage/interfaces_routed.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-stage/interfaces_routed.nac.yml

---

vxlan:
  topology:
    switches:
      - name: staging-leaf3
        interfaces:
          - name: Ethernet1/1
            mode: routed
            description: Connected to staging-ext-rtr Ethernet1/1
            enabled: true
          - name: Ethernet1/1.2
            mode: routed_sub
            description: Connected to staging-ext-rtr Ethernet1/1.2
            enabled: true
            dot1q_id: 2
            vrf: NaC-VRF01
            ipv4_address: 10.31.0.1/30

Step 3 - Create file for VRF Lite routing

Next, you will create a file named vrf_lite.nac.yml that contains the routing parameters for VRF-Lite to establish the BGP peering with the external router as well as define a default static route towards the external router.

touch ~/workspace/ndfclab/nac/host_vars/fabric-stage/vrf_lite.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-stage/vrf_lite.nac.yml

---

vxlan:
  overlay_extensions:
    vrf_lites:
      - name: NaC-VRF-Lite01
        vrf: NaC-VRF01
        switches:
          - name: staging-leaf3
            router_id: 10.31.0.1
            bgp_peers:
              - address: 10.31.0.2
                remote_as: 65999
                description: Peer to staging-ext-rtr in fabric-external-stage
                address_family_ipv4_unicast:
                  send_community: true
                  send_ext_community: true
                  route_map_out: extcon-rmap-filter
            static_routes:
              static_ipv4:
                - prefix: 0.0.0.0/0
                  next_hops:
                    - ip: 10.31.0.2

Step 4 - Create file for VRF-Lite BGP Policies

Finally, you will create a file named policy.nac.yml that contains the BGP policies for the VRF-Lite configuration. In this step, the only policy you will create is a BGP network statement policy that will advertise the static default route created above pointing to the external router into the BGP process. This will allow the rest of the fabric to reach the external router and any networks behind it.

touch ~/workspace/ndfclab/nac/host_vars/fabric-stage/policy.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-stage/policy.nac.yml

---

vxlan:
  policy:
    policies:
      - name: BGP Network Statement Policy
        template_name: bgp_vrf_network
        template_vars:
          BGP_AS: 65001
          VRF_NAME: NaC-VRF01
          IP_PREFIX: 0.0.0.0/0
    groups:
      - name: Border Leaf
        policies:
          - name: BGP Network Statement Policy
    switches:
      - name: staging-leaf3
        groups:
          - Border Leaf

Step 5 - Execute Ansible Playbook

Make sure you are in your root Ansible directory

cd ~/workspace/ndfclab/nac

From the root Ansible project directory execute the following command:

ansible-playbook -i hosts.stage.yml vxlan.yml --tags cr_manage_vrfs_networks,cr_manage_interfaces,cr_manage_policy,role_deploy

Upon a successful run of the playbook your output should look as follows:

  PLAY RECAP ***************************************************************************************************************************************************************
  fabric-stage               : ok=218  changed=33   unreachable=0    failed=0    skipped=467  rescued=0    ignored=0   


  PLAYBOOK RECAP ***********************************************************************************************************************************************************
  Playbook run took 0 days, 0 hours, 3 minutes, 8 seconds


  TASKS RECAP **************************************************************************************************************************************************************
  Monday 19 May 2025  16:19:33 +0000 (0:00:00.169)       0:03:08.026 ************ 
  =============================================================================== 
  cisco.nac_dc_vxlan.deploy : Deploy for Fabric fabric-stage ------------------------------------------------------------------------------------------------------- 73.81s
  cisco.nac_dc_vxlan.deploy : Retrying Deploy for Fabric fabric-stage ---------------------------------------------------------------------------------------------- 12.64s
  cisco.nac_dc_vxlan.deploy : Config-Save for Fabric fabric-stage -------------------------------------------------------------------------------------------------- 11.74s
  cisco.nac_dc_vxlan.deploy : Retrying Config-Save for Fabric fabric-stage ----------------------------------------------------------------------------------------- 11.22s
  cisco.nac_dc_vxlan.create : Manage Interface Access --------------------------------------------------------------------------------------------------------------- 2.90s
  cisco.nac_dc_vxlan.common : Get POAP Data From POAP Enabled Devices ----------------------------------------------------------------------------------------------- 1.89s
  cisco.nac_dc_vxlan.create : Manage NDFC Fabric Networks ----------------------------------------------------------------------------------------------------------- 1.78s
  cisco.nac_dc_vxlan.create : Manage NDFC Fabric VRFs --------------------------------------------------------------------------------------------------------------- 1.73s
  cisco.nac_dc_vxlan.connectivity_check : Get Cisco NDFC Version ---------------------------------------------------------------------------------------------------- 1.67s
  cisco.nac_dc_vxlan.create : Manage NDFC Fabric Policies ----------------------------------------------------------------------------------------------------------- 1.66s
  cisco.nac_dc_vxlan.create : Manage Interface Routed --------------------------------------------------------------------------------------------------------------- 1.63s
  cisco.nac_dc_vxlan.create : Manage Sub-Interface Routed ----------------------------------------------------------------------------------------------------------- 1.60s
  cisco.nac_dc_vxlan.create : Manage Interface vPC ------------------------------------------------------------------------------------------------------------------ 1.40s
  cisco.nac_dc_vxlan.create : Attach Loopbacks to VRFs -------------------------------------------------------------------------------------------------------------- 1.39s
  cisco.nac_dc_vxlan.deploy : Check Switch Sync in Fabric fabric-stage ---------------------------------------------------------------------------------------------- 1.33s
  cisco.nac_dc_vxlan.create : Get Multisite Fabric Associations ----------------------------------------------------------------------------------------------------- 1.27s
  cisco.nac_dc_vxlan.common : Build Fabric Creation Parameters From Template ---------------------------------------------------------------------------------------- 0.88s
  cisco.nac_dc_vxlan.validate : Copy Service Model Data to Host ----------------------------------------------------------------------------------------------------- 0.81s
  cisco.nac_dc_vxlan.connectivity_check : Verify Authorization to NDFC 10.15.0.11 on Port 443 ----------------------------------------------------------------------- 0.72s
  cisco.nac_dc_vxlan.common : Build Interface ----------------------------------------------------------------------------------------------------------------------- 0.72s

  ROLES RECAP **************************************************************************************************************************************************************
  Monday 19 May 2025  16:19:33 +0000 (0:00:00.173)       0:03:08.028 ************ 
  =============================================================================== 
  deploy ---------------------------------------------------------------- 112.01s
  common ----------------------------------------------------------------- 42.60s
  create ----------------------------------------------------------------- 21.93s
  validate ---------------------------------------------------------------- 5.84s
  connectivity_check ------------------------------------------------------ 3.74s
  common_global ----------------------------------------------------------- 0.06s
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
  total ----------------------------------------------------------------- 186.17s  

Step 6 - Login to Nexus Dashboard and Verify Fabric-Stage VRF-Lite Configuration

In your browser, return to NDFC:

1. Click Switches in the top navigation bar



Notice your 4 switches with the correct roles should all be in-sync now.




2. Click VRFs in the top navigation bar

You've previously already verified the deployment. You just need to verify the deployment to your new switch.

3. Double-click NaC-VRF01





4. Click VRF Attachments
5. Verify deployment to your leaf3 deployment and role type
6. Click the the close button




7. Click Policies in the top navigation bar
8. In the Filter by attributes, in the drop down list select Description, then repeat and select contains, type nac and hit enter




9. Click the box beside the policy that is switch_freeform
10. Click Actions
11. In the Actions dropdown list, click Generated Config




12. Review the generated VRF-Lite configuration based on your data model inputs
13. Then, close the popup




14. Click Overview tab to review the overall health and dashboard of your staging fabric

Step 7 - Close All Open VSCode Tabs

On the keyword press Ctrl + K + W. This should close all open tabs to clear your workspace for the next section.

Step 8 - Add fabric-external-stage host to the Ansible Inventory

You will now update the the Ansible inventory file to include the fabric-external-stage host. You will notice that it is the same IP address as the fabric-stage host, but it is a different fabric name. This is because you will be using the same NDFC instance to manage both fabrics, but now they belong to different groups. Therefore, the fabric-external-stage will have a different set of host and group variables.

touch ~/workspace/ndfclab/nac/hosts.stage.yml
cat << EOF > ~/workspace/ndfclab/nac/hosts.stage.yml
---
# Inventory Information For Staging Fabric and External Fabric
ndfc:
  hosts:
    fabric-stage:
      ansible_host: 10.15.0.11
    fabric-external-stage:
      ansible_host: 10.15.0.11
EOF

Step 9 - Create Ansible Inventory File for NDFC Staging Fabric

After defining the new fabric-external-stage host in the inventory file, you will need to create the necessary host variable files for this new host. You will create a directory named host_vars/fabric-external-stage to store subsequent host variable files for this new fabric.

cd ~/workspace/ndfclab/nac
mkdir -p host_vars/fabric-external-stage

Step 10 - Create

The first file you will create under this host_vars/fabric-external-stage directory is the fabric.nac.yml file. This file will contain the fabric name and type, which in this case is an external fabric.

touch ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/fabric.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/fabric.nac.yml

---

vxlan:
  fabric:
    name: fabric-external-stage
    type: External

Step 11 - Create

After defining the fabric name and type, you will create a global.nac.yml file that contains the global parameters for this external fabric.

touch ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/global.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/global.nac.yml

---

vxlan:
  global:
    bgp_asn: "65999"

Step 12 - Create

In the previous sections, you created several YAML files that defined the fabric, global parameters, underlay, topology and overlay configurations for the fabric-stage fabric.

In this section, you are creating the YAML files that will define the external fabric, which is a separate fabric that connects to the fabric-stage fabric. This external fabric will be used to connect to an external router, which is represented by the ext-rtr device in the diagram to the right.

The end goal is to establish a connection between the fabric-stage and the external router in the fabric-external-stage, allowing for communication between the two fabrics. Once all the files have been created, you should be able to send a successful ping from a server located behind leaf1 to the external router's loopback interface.

Continue building out the fabric-external-stage fabric by creating the topology.nac.yml file, which will define the topology of the external fabric. This file will include the external router's hostname, serial number, management IP address, and the interfaces that will be used to connect to the fabric-stage fabric. The external router will be connected to the staging-leaf3 device in the fabric-stage fabric via a routed interface and a sub-interface.

touch ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/topology.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/topology.nac.yml

---

vxlan:
  topology:
    switches:
      - name: staging-ext-rtr
        serial_number: READ_TIMEOUT
        role: core_router
        management:
          management_ipv4_address: 10.15.1.15
          default_gateway_v4: 10.15.1.1
        interfaces:
          - name: Ethernet1/1
            mode: routed
            description: Routed Interface towards Border Leaf
            enabled: true
          - name: Ethernet1/1.2
            mode: routed_sub
            description: Routed Sub-Interface towards Border Leaf
            enabled: true
            dot1q_id: 2
            ipv4_address: 10.31.0.2/30
          - name: loopback0
            mode: loopback
            description: NaC Ping Test Loopback
            enabled: true
            ipv4_address: 172.16.1.1

Step 13 - Create

Next, you will create a policy.nac.yml file that contains the BGP policies for the external fabric. This file will define the BGP neighbor policy and the BGP network statement policy that will be used to establish the BGP peering and advertise the loopback IP address of the external router into the BGP process.

touch ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/policy.nac.yml
code-server -r ~/workspace/ndfclab/nac/host_vars/fabric-external-stage/policy.nac.yml

---

vxlan:
  policy:
    policies:
      - name: BGP Neighbor Policy
        template_name: External_VRF_Lite_eBGP
        template_vars:
          asn: 65999
          vrfName: default
          NEIGHBOR_IP: 10.31.0.1
          NEIGHBOR_ASN: 65001
      - name: BGP Network Statement Policy
        template_name: bgp_network
        template_vars:
          BGP_AS: 65999
          IP_MASK: 172.16.1.1/32
    groups:
      - name: External Router
        policies:
          - name: BGP Neighbor Policy
          - name: BGP Network Statement Policy
    switches:
      - name: staging-ext-rtr
        groups:
          - External Router

Step 14 - Execute Ansible Playbook

Make sure you are in your root Ansible directory

cd ~/workspace/ndfclab/nac

From the root Ansible project directory execute the following command:

ansible-playbook -i hosts.stage.yml vxlan.yml -l fabric-external-stage

Upon a successful run of the playbook your output should look as follows:

  PLAY RECAP ***************************************************************************************************************************************************************
  fabric-external-stage      : ok=185  changed=25   unreachable=0    failed=0    skipped=744  rescued=0    ignored=0   


  PLAYBOOK RECAP ***********************************************************************************************************************************************************
  Playbook run took 0 days, 0 hours, 2 minutes, 14 seconds


  TASKS RECAP **************************************************************************************************************************************************************
  Wednesday 21 May 2025  13:12:35 +0000 (0:00:00.068)       0:02:14.695 ********* 
  =============================================================================== 
  cisco.nac_dc_vxlan.create : Add NDFC Fabric Devices fabric-external-stage ---------------------------------------------------------------------------------------- 39.40s
  cisco.nac_dc_vxlan.deploy : Deploy for Fabric fabric-external-stage ---------------------------------------------------------------------------------------------- 11.56s
  cisco.nac_dc_vxlan.deploy : Config-Save for Fabric fabric-external-stage ------------------------------------------------------------------------------------------ 3.66s
  cisco.nac_dc_vxlan.create : Manage fabric External fabric-external-stage in NDFC (POST) --------------------------------------------------------------------------- 2.53s
  cisco.nac_dc_vxlan.connectivity_check : Get Cisco NDFC Version ---------------------------------------------------------------------------------------------------- 1.73s
  cisco.nac_dc_vxlan.common : Get POAP Data From POAP Enabled Devices ----------------------------------------------------------------------------------------------- 1.68s
  cisco.nac_dc_vxlan.create : Manage NDFC Fabric Policies ----------------------------------------------------------------------------------------------------------- 1.67s
  cisco.nac_dc_vxlan.create : Manage Sub-Interface Routed ----------------------------------------------------------------------------------------------------------- 1.63s
  cisco.nac_dc_vxlan.create : Manage Interface Routed --------------------------------------------------------------------------------------------------------------- 1.48s
  cisco.nac_dc_vxlan.create : Manage Interface Loopback ------------------------------------------------------------------------------------------------------------- 1.45s
  cisco.nac_dc_vxlan.create : Build Switch Hostname Policy Payload from Data Model Update --------------------------------------------------------------------------- 1.24s
  cisco.nac_dc_vxlan.remove : Get List of Fabric Switches from NDFC ------------------------------------------------------------------------------------------------- 1.21s
  cisco.nac_dc_vxlan.create : Check if fabric External fabric-external-stage exists in NDFC ------------------------------------------------------------------------- 1.16s
  cisco.nac_dc_vxlan.common : Retrieve NDFC Device Username and Password from Group Vars and update inv_config ------------------------------------------------------ 0.74s
  cisco.nac_dc_vxlan.validate : Copy Service Model Data to Host ----------------------------------------------------------------------------------------------------- 0.73s
  cisco.nac_dc_vxlan.common : Build Interface ----------------------------------------------------------------------------------------------------------------------- 0.68s
  cisco.nac_dc_vxlan.connectivity_check : Verify Authorization to NDFC 10.15.0.11 on Port 443 ----------------------------------------------------------------------- 0.67s
  cisco.nac_dc_vxlan.common : Build Loopback Interfaces List From Template ------------------------------------------------------------------------------------------ 0.67s
  cisco.nac_dc_vxlan.common : Build Policy List From Template ------------------------------------------------------------------------------------------------------- 0.66s
  cisco.nac_dc_vxlan.common : Build Interface ----------------------------------------------------------------------------------------------------------------------- 0.66s

  ROLES RECAP **************************************************************************************************************************************************************
  Wednesday 21 May 2025  13:12:35 +0000 (0:00:00.073)       0:02:14.699 ********* 
  =============================================================================== 
  create ----------------------------------------------------------------- 59.86s
  common ----------------------------------------------------------------- 36.68s
  deploy ----------------------------------------------------------------- 16.56s
  remove ----------------------------------------------------------------- 10.22s
  validate ---------------------------------------------------------------- 5.58s
  connectivity_check ------------------------------------------------------ 3.80s
  common_global ----------------------------------------------------------- 0.05s
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
  total ----------------------------------------------------------------- 132.75s

Step 15 - Login to Nexus Dashboard and Verify Fabric Extension using VRF Lite

In your browser, return to NDFC:

1. Close your fabric-stage




2. Double-click your fabric named external-fabric-stage





3. Examine the Fabric Overview Pane For external-fabric-stage





4. Click Switches in the top navigation bar
5. Verify your external edge router

Step 16 - Login to Server1

The first device you will verify is your Site1-S1 switch. Login to your Site1-S1 switch using the copy command below and paste into your VSCode Terminal. When prompted, the password is cisco.123 .

ssh -l cisco 10.15.1.16

If prompted to accept the RSA key fingerprint like below, type or copy yes then input the password above.

cisco@10.15.27.16's password:

Step 17 - Server1: Ping External Loopback Interface

ping -c 5 172.16.1.1

Output:

PING 172.16.1.1 (172.16.1.1): 56 data bytes
64 bytes from 172.16.1.1: seq=0 ttl=253 time=11.631 ms
64 bytes from 172.16.1.1: seq=1 ttl=253 time=10.717 ms
64 bytes from 172.16.1.1: seq=2 ttl=253 time=11.234 ms
64 bytes from 172.16.1.1: seq=3 ttl=253 time=10.291 ms
64 bytes from 172.16.1.1: seq=4 ttl=253 time=11.116 ms

--- 172.16.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 10.291/10.997/11.631 ms

Step 18 - Server1: Logout

exit

Step 19 - Close All Open VSCode Tabs

On the keyword press Ctrl + K + W. This should close all open tabs to clear your workspace for the next section.