Damien/arista-evpn-vxlan-clab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
35fdaba993c24cdc6b56e391758c42cd7e05d9f2
arista-evpn-vxlan-clab/evpn-lab.clab.yml
Damien 35fdaba993 Add dot1x and wpa_supplicant for 802.1X authentication 
- Configure dot1x on access switch host-facing ports (Et3/Et4) with
  RADIUS dynamic VLAN assignment
- Switch host-facing port-channels to access mode (from trunk) to
  align with dot1x dynamic VLAN behavior
- Add wpa_supplicant configs and binds for all hosts
- Remove VLAN subinterfaces from hosts, assign IPs directly to bond0
  (untagged traffic for dot1x access ports)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-01 08:58:07 +00:00

259 lines
9.6 KiB
YAML
Raw Blame History

name: arista-evpn-fabric
mgmt:
network: evpn-mgmt
ipv4-subnet: 172.16.0.0/24
ipv4-gw: 172.16.0.254
topology:
kinds:
arista_ceos:
image: ceos:4.35.0F
nodes:
# Spine Switches
spine1:
kind: arista_ceos
mgmt-ipv4: 172.16.0.1
startup-config: configs/spine1.cfg
spine2:
kind: arista_ceos
mgmt-ipv4: 172.16.0.2
startup-config: configs/spine2.cfg
# Leaf Switches - VTEP1 (AS 65001)
leaf1:
kind: arista_ceos
mgmt-ipv4: 172.16.0.25
startup-config: configs/leaf1.cfg
leaf2:
kind: arista_ceos
mgmt-ipv4: 172.16.0.50
startup-config: configs/leaf2.cfg
# Leaf Switches - VTEP2 (AS 65002)
leaf3:
kind: arista_ceos
mgmt-ipv4: 172.16.0.27
startup-config: configs/leaf3.cfg
leaf4:
kind: arista_ceos
mgmt-ipv4: 172.16.0.28
startup-config: configs/leaf4.cfg
# Leaf Switches - VTEP3 (AS 65003)
leaf5:
kind: arista_ceos
mgmt-ipv4: 172.16.0.29
startup-config: configs/leaf5.cfg
leaf6:
kind: arista_ceos
mgmt-ipv4: 172.16.0.30
startup-config: configs/leaf6.cfg
# Leaf Switches - VTEP4 (AS 65004)
leaf7:
kind: arista_ceos
mgmt-ipv4: 172.16.0.31
startup-config: configs/leaf7.cfg
leaf8:
kind: arista_ceos
mgmt-ipv4: 172.16.0.32
startup-config: configs/leaf8.cfg
# Access Switches - L2 only
access1:
kind: arista_ceos
mgmt-ipv4: 172.16.0.41
startup-config: configs/access1.cfg
access2:
kind: arista_ceos
mgmt-ipv4: 172.16.0.42
startup-config: configs/access2.cfg
access3:
kind: arista_ceos
mgmt-ipv4: 172.16.0.43
startup-config: configs/access3.cfg
access4:
kind: arista_ceos
mgmt-ipv4: 172.16.0.44
startup-config: configs/access4.cfg
# Host devices - DUAL-HOMED with LACP bonding to access switches
host1:
kind: linux
mgmt-ipv4: 172.16.0.101
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host1.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
- ip link set dev eth1 down
- ip link set dev eth2 down
- ip link set eth1 master bond0
- ip link set eth2 master bond0
- ip link set dev eth1 up
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip addr add 10.40.40.101/24 dev bond0
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host2:
kind: linux
mgmt-ipv4: 172.16.0.102
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host2.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
- ip link set dev eth1 down
- ip link set dev eth2 down
- ip link set eth1 master bond0
- ip link set eth2 master bond0
- ip link set dev eth1 up
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip addr add 10.34.34.102/24 dev bond0
- ip route add 10.78.78.0/24 via 10.34.34.1
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host3:
kind: linux
mgmt-ipv4: 172.16.0.103
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/freeradius/wpa_supplicant_host3.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
- ip link set dev eth1 down
- ip link set dev eth2 down
- ip link set eth1 master bond0
- ip link set eth2 master bond0
- ip link set dev eth1 up
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip addr add 10.40.40.103/24 dev bond0
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
host4:
kind: linux
mgmt-ipv4: 172.16.0.104
image: ghcr.io/hellt/network-multitool
cap-add:
- NET_ADMIN
binds:
- hosts/host4_interfaces:/etc/network/interfaces
- hosts/freeradius/wpa_supplicant_host4.conf:/etc/wpa_supplicant/wpa_supplicant.conf
exec:
- ip link add bond0 type bond mode 802.3ad
- ip link set dev bond0 type bond xmit_hash_policy layer3+4
- ip link set dev eth1 down
- ip link set dev eth2 down
- ip link set eth1 master bond0
- ip link set eth2 master bond0
- ip link set dev eth1 up
- ip link set dev eth2 up
- ip link set dev bond0 type bond lacp_rate fast
- ip link set dev bond0 up
- ip addr add 10.78.78.104/24 dev bond0
- ip route add 10.34.34.0/24 via 10.78.78.1
- apk add --no-cache wpa_supplicant
- wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
- wpa_supplicant -i eth2 -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -B
# FreeRADIUS server for dynamic VLAN assignment
freeradius:
kind: linux
mgmt-ipv4: 172.16.0.200
image: freeradius/freeradius-server:latest
binds:
- hosts/freeradius/clients.conf:/etc/raddb/clients.conf
- hosts/freeradius/authorize:/etc/raddb/mods-config/files/authorize
links:
# Spine1 to Leaf connections (underlay fabric)
- endpoints: ["spine1:eth1", "leaf1:eth11"]
- endpoints: ["spine1:eth2", "leaf2:eth11"]
- endpoints: ["spine1:eth3", "leaf3:eth11"]
- endpoints: ["spine1:eth4", "leaf4:eth11"]
- endpoints: ["spine1:eth5", "leaf5:eth11"]
- endpoints: ["spine1:eth6", "leaf6:eth11"]
- endpoints: ["spine1:eth7", "leaf7:eth11"]
- endpoints: ["spine1:eth8", "leaf8:eth11"]
# Spine2 to Leaf connections (underlay fabric)
- endpoints: ["spine2:eth1", "leaf1:eth12"]
- endpoints: ["spine2:eth2", "leaf2:eth12"]
- endpoints: ["spine2:eth3", "leaf3:eth12"]
- endpoints: ["spine2:eth4", "leaf4:eth12"]
- endpoints: ["spine2:eth5", "leaf5:eth12"]
- endpoints: ["spine2:eth6", "leaf6:eth12"]
- endpoints: ["spine2:eth7", "leaf7:eth12"]
- endpoints: ["spine2:eth8", "leaf8:eth12"]
# MLAG Peer Links (leaf pairs)
- endpoints: ["leaf1:eth10", "leaf2:eth10"]
- endpoints: ["leaf3:eth10", "leaf4:eth10"]
- endpoints: ["leaf5:eth10", "leaf6:eth10"]
- endpoints: ["leaf7:eth10", "leaf8:eth10"]
# Access switch uplinks to leaf MLAG pairs (dual-homed via LACP)
# access1 dual-homed to leaf1 + leaf2
- endpoints: ["leaf1:eth1", "access1:eth1"]
- endpoints: ["leaf2:eth1", "access1:eth2"]
# access2 dual-homed to leaf3 + leaf4
- endpoints: ["leaf3:eth1", "access2:eth1"]
- endpoints: ["leaf4:eth1", "access2:eth2"]
# access3 dual-homed to leaf5 + leaf6
- endpoints: ["leaf5:eth1", "access3:eth1"]
- endpoints: ["leaf6:eth1", "access3:eth2"]
# access4 dual-homed to leaf7 + leaf8
- endpoints: ["leaf7:eth1", "access4:eth1"]
- endpoints: ["leaf8:eth1", "access4:eth2"]
# Host connections to access switches (dual-homed via LACP)
# host1 dual-homed to access1
- endpoints: ["access1:eth3", "host1:eth1"]
- endpoints: ["access1:eth4", "host1:eth2"]
# host2 dual-homed to access2
- endpoints: ["access2:eth3", "host2:eth1"]
- endpoints: ["access2:eth4", "host2:eth2"]
# host3 dual-homed to access3
- endpoints: ["access3:eth3", "host3:eth1"]
- endpoints: ["access3:eth4", "host3:eth2"]
# host4 dual-homed to access4
- endpoints: ["access4:eth3", "host4:eth1"]
- endpoints: ["access4:eth4", "host4:eth2"]
Reference in New Issue View Git Blame Copy Permalink