Management Network 1.0 (1.2 Preconfig) to 1.2

Prerequisites

  • System is already running with CANU-generated 1.0 configurations (1.2 Preconfig).
  • Generated switch configurations for 1.2.
  • CANU installed with version 1.1.11 or greater.
    • Run canu --version to see version.
    • If doing a CSM install or upgrade, a CANU RPM is located in the release tarball. For more information, see Update CANU From CSM Tarball.

Be sure that the current connection to the system is not through the Spine switches.

If it is, then performing this upgrade will cause the connection to the system to be lost.

Check the default route from the NCN that has the site connection.

ncn-m001# ip r
  default via 10.102.3.1 dev vlan007

If the default route is out through the site connection, then skip the rest of the procedure. A default route going out through the site connection looks similar to the following:

  default via 172.30.48.1 dev lan0

If the default route is through dev vlan007 or the CAN VLAN, this needs to change in order to prevent the connection loss when moving this VLAN to the Customer VRF on the switches.

In this example the site connection is on lan0.

ncn-m001# ip a show lan0
  29: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b4:2e:99:3a:26:08 brd ff:ff:ff:ff:ff:ff
    inet 172.30.52.183/20 brd 172.30.63.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 fe80::b62e:99ff:fe3a:2608/64 scope link
       valid_lft forever preferred_lft forever

The default route needs to be replaced so that it routes out lan0. Replace the default route with the correct next-hop router for this network.

ncn-m001# ip route replace default via 172.30.48.1
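The default-route check above can be automated. The following is an added example, not part of the CSM documentation or of CANU: it parses the output of `ip r` and `ip a show lan0` (constructed here from the sample output on this page), reports whether the default route already leaves via the site interface, and verifies that the proposed replacement next-hop is on-link for that interface before `ip route replace` is issued. The interface name lan0 and the next-hop 172.30.48.1 are taken from the example above.

```python
"""Pre-flight check for the default route before vlan 7 moves to the Customer VRF.
Added example; assumes the site interface name and next-hop used on this page."""
import ipaddress
import re
import subprocess

# Constructed from the sample `ip r` / `ip a show lan0` output on this page.
IP_ROUTE_OUTPUT = "default via 10.102.3.1 dev vlan007\n"
IP_ADDR_OUTPUT = """\
29: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b4:2e:99:3a:26:08 brd ff:ff:ff:ff:ff:ff
    inet 172.30.52.183/20 brd 172.30.63.255 scope global lan0
       valid_lft forever preferred_lft forever
"""


def default_route(ip_route_text):
    """Return (next_hop, dev) of the first 'default via ... dev ...' line, or None."""
    for line in ip_route_text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def interface_networks(ip_addr_text):
    """Return the IPv4 networks configured on the interface from `ip a show` output."""
    nets = []
    for line in ip_addr_text.splitlines():
        m = re.match(r"inet (\S+) ", line.strip())
        if m:
            nets.append(ipaddress.IPv4Interface(m.group(1)).network)
    return nets


def assess(ip_route_text, ip_addr_text, site_if, proposed_next_hop):
    """Classify the current default route relative to the site interface.

    'site'        default route already leaves via site_if; skip the rest of the check
    'replace'     default route uses another dev (e.g. vlan007) and the proposed
                  next-hop is on-link for site_if, so `ip route replace` is safe
    'bad-nexthop' proposed next-hop is not inside any subnet configured on site_if
    'unknown'     no default route found
    """
    route = default_route(ip_route_text)
    if route is None:
        return "unknown"
    _via, dev = route
    if dev == site_if:
        return "site"
    nh = ipaddress.IPv4Address(proposed_next_hop)
    if any(nh in net for net in interface_networks(ip_addr_text)):
        return "replace"
    return "bad-nexthop"


def replace_command(proposed_next_hop):
    """The command from the procedure, with the next-hop filled in."""
    return f"ip route replace default via {proposed_next_hop}"


def live_assess(site_if, proposed_next_hop):
    """Run the two commands from the procedure on this NCN and assess the result."""
    routes = subprocess.run(["ip", "r"], capture_output=True, text=True, check=True).stdout
    addrs = subprocess.run(["ip", "a", "show", site_if],
                           capture_output=True, text=True, check=True).stdout
    return assess(routes, addrs, site_if, proposed_next_hop)


if __name__ == "__main__":
    verdict = assess(IP_ROUTE_OUTPUT, IP_ADDR_OUTPUT, "lan0", "172.30.48.1")
    print("sample output verdict:", verdict)
    if verdict == "replace":
        print("run:", replace_command("172.30.48.1"))
```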

Mellanox

Use canu validate to see the differences between the 1.0 and 1.2 switch configurations.

ncn-m001# canu validate switch config --running ./1.0/sw-spine-002.cfg --generated ./1.2/sw-spine-002.cfg --vendor mellanox --remediation

Output

- vlan 7 name "CAN"
- route-map ncn-w003 permit 10 match ip address pl-can
- route-map ncn-w002 permit 10 match ip address pl-can
- route-map ncn-w001 permit 10 match ip address pl-can
- ip prefix-list pl-can seq 10 permit 10.102.3.0 /25 ge 25
- ip prefix-list pl-can
- interface vlan 7 ip dhcp relay instance 2 downstream
- interface vlan 7 ip address 10.102.3.3/25 primary
- interface vlan 7
- banner motd "
###############################################################################
# CSM version:  1.0
# CANU version: 1.1.11
###############################################################################
"
+ vrf definition Customer rd 7:7
+ vrf definition Customer
+ vlan 7 name "CMN"
+ vlan 6 name "CAN"
+ vlan 6
+ router ospf 2 vrf Customer router-id 10.2.0.3
+ router ospf 2 vrf Customer default-information originate
+ router ospf 2 vrf Customer
+ router bgp 65533 vrf Customer router-id 10.2.0.3 force
+ router bgp 65533 vrf Customer neighbor 10.102.3.9 transport connection-mode passive
+ router bgp 65533 vrf Customer neighbor 10.102.3.9 timers 1 3
+ router bgp 65533 vrf Customer neighbor 10.102.3.9 remote-as 65534
+ router bgp 65533 vrf Customer neighbor 10.102.3.8 transport connection-mode passive
+ router bgp 65533 vrf Customer neighbor 10.102.3.8 timers 1 3
+ router bgp 65533 vrf Customer neighbor 10.102.3.8 remote-as 65534
+ router bgp 65533 vrf Customer neighbor 10.102.3.10 transport connection-mode passive
+ router bgp 65533 vrf Customer neighbor 10.102.3.10 timers 1 3
+ router bgp 65533 vrf Customer neighbor 10.102.3.10 remote-as 65534
+ router bgp 65533 vrf Customer maximum-paths ibgp 32
+ router bgp 65533 vrf Customer maximum-paths 32
+ router bgp 65533 vrf Customer distance 20 70 20
+ router bgp 65533 vrf Customer
+ route-map ncn-w003 permit 10 match ip address pl-cmn
+ route-map ncn-w002 permit 10 match ip address pl-cmn
+ route-map ncn-w001 permit 10 match ip address pl-cmn
+ ipv4 access-list cmn-can seq-number 30 permit ip any any
+ ipv4 access-list cmn-can seq-number 20 deny ip 10.102.3.128 mask 255.255.255.192 10.102.3.0 mask 255.255.255.128
+ ipv4 access-list cmn-can seq-number 10 deny ip 10.102.3.0 mask 255.255.255.128 10.102.3.128 mask 255.255.255.192
+ ipv4 access-list cmn-can bind-point rif
+ ipv4 access-list cmn-can
+ ip routing vrf Customer
+ ip prefix-list pl-cmn seq 10 permit 10.102.3.0 /25 ge 25
+ ip prefix-list pl-cmn
+ interface vlan 7 vrf forwarding Customer
+ interface vlan 7 ipv4 port access-group cmn-can
+ interface vlan 7 ip ospf area 0.0.0.0
+ interface vlan 7 ip address 10.102.3.99/25 primary
+ interface vlan 6 vrf forwarding Customer
+ interface vlan 6 mtu 9184
+ interface vlan 6 magp 5 ip virtual-router mac-address 00:00:5E:00:01:05
+ interface vlan 6 magp 5 ip virtual-router address 10.102.3.129
+ interface vlan 6 magp 5
+ interface vlan 6 ipv4 port access-group cmn-can
+ interface vlan 6 ip address 10.102.3.131/26 primary
+ interface mlag-port-channel 9 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 8 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 7 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 6 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 5 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 4 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 3 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 2 switchport hybrid allowed-vlan add 6
+ interface mlag-port-channel 151 switchport hybrid allowed-vlan add 7
+ interface mlag-port-channel 10 switchport hybrid allowed-vlan add 7
+ interface mlag-port-channel 1 switchport hybrid allowed-vlan add 6
+ banner motd "
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
"
-------------------------------------------------------------------------

Config differences between running config and generated config


lines that start with a minus "-" and RED: Config that is present in running config but not in generated config
lines that start with a plus "+" and GREEN: Config that is present in generated config but not in running config.

-------------------------------------------------------------------------

Remediation Config

-------------------------------------------------------------------------

banner motd "
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
"
vlan 6
vlan 7 name "CMN"
vlan 6 name "CAN"
interface mlag-port-channel 1 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 2 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 3 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 4 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 5 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 6 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 7 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 8 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 9 switchport hybrid allowed-vlan add 6
interface mlag-port-channel 10 switchport hybrid allowed-vlan add 7
interface mlag-port-channel 151 switchport hybrid allowed-vlan add 7
vrf definition Customer
vrf definition Customer rd 7:7
ip routing vrf Customer
interface vlan 7 vrf forwarding Customer
interface vlan 6 vrf forwarding Customer
interface vlan 7 ip address 10.102.3.99/25 primary
interface vlan 6 ip address 10.102.3.131/26 primary
no interface vlan 6 ip icmp redirect
interface vlan 6 mtu 9184
ipv4 access-list cmn-can
ipv4 access-list cmn-can bind-point rif
ipv4 access-list cmn-can seq-number 10 deny ip 10.102.3.0 mask 255.255.255.128 10.102.3.128 mask 255.255.255.192
ipv4 access-list cmn-can seq-number 20 deny ip 10.102.3.128 mask 255.255.255.192 10.102.3.0 mask 255.255.255.128
ipv4 access-list cmn-can seq-number 30 permit ip any any
interface vlan 7 ipv4 port access-group cmn-can
interface vlan 6 ipv4 port access-group cmn-can
router ospf 2 vrf Customer
router ospf 2 vrf Customer router-id 10.2.0.3
router ospf 2 vrf Customer default-information originate
interface vlan 7 ip ospf area 0.0.0.0
interface vlan 6 magp 5
interface vlan 6 magp 5 ip virtual-router address 10.102.3.129
interface vlan 6 magp 5 ip virtual-router mac-address 00:00:5E:00:01:05
ip prefix-list pl-cmn
ip prefix-list pl-cmn seq 10 permit 10.102.3.0 /25 ge 25
route-map ncn-w001 permit 10 match ip address pl-cmn
route-map ncn-w002 permit 10 match ip address pl-cmn
route-map ncn-w003 permit 10 match ip address pl-cmn
router bgp 65533 vrf Customer
router bgp 65533 vrf Customer router-id 10.2.0.3 force
router bgp 65533 vrf Customer distance 20 70 20
router bgp 65533 vrf Customer maximum-paths ibgp 32
router bgp 65533 vrf Customer maximum-paths 32
router bgp 65533 vrf Customer neighbor 10.102.3.8 remote-as 65534
router bgp 65533 vrf Customer neighbor 10.102.3.9 remote-as 65534
router bgp 65533 vrf Customer neighbor 10.102.3.10 remote-as 65534
router bgp 65533 vrf Customer neighbor 10.102.3.8 timers 1 3
router bgp 65533 vrf Customer neighbor 10.102.3.9 timers 1 3
router bgp 65533 vrf Customer neighbor 10.102.3.10 timers 1 3
router bgp 65533 vrf Customer neighbor 10.102.3.8 transport connection-mode passive
router bgp 65533 vrf Customer neighbor 10.102.3.9 transport connection-mode passive
router bgp 65533 vrf Customer neighbor 10.102.3.10 transport connection-mode passive
  • Take a close look at the output of this, make sure that all the changes are understood.
  • Copy the remediation configuration into the terminal.
sw-spine-002 [mlag-domain: master] (config) # banner motd "
> ###############################################################################
> # CSM version:  1.2
> # CANU version: 1.1.11
> ###############################################################################
> "
sw-spine-002 [mlag-domain: master] (config) # vlan 6
sw-spine-002 [mlag-domain: master] (config) # vlan 7 name "CMN"
sw-spine-002 [mlag-domain: master] (config) # vlan 6 name "CAN"
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 1 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 2 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 3 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 4 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 5 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 6 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 7 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 8 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 9 switchport hybrid allowed-vlan add 6
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 10 switchport hybrid allowed-vlan add 7
sw-spine-002 [mlag-domain: master] (config) # interface mlag-port-channel 151 switchport hybrid allowed-vlan add 7
sw-spine-002 [mlag-domain: master] (config) # vrf definition Customer
sw-spine-002 [mlag-domain: master] (config) # vrf definition Customer rd 7:7
sw-spine-002 [mlag-domain: master] (config) # ip routing vrf Customer
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 vrf forwarding Customer
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 vrf forwarding Customer
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ip address 10.102.3.99/25 primary
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 ip address 10.102.3.131/26 primary
sw-spine-002 [mlag-domain: master] (config) # no interface vlan 6 ip icmp redirect
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 mtu 9184
sw-spine-002 [mlag-domain: master] (config) # ipv4 access-list cmn-can
sw-spine-002 [mlag-domain: master] (config) # ipv4 access-list cmn-can bind-point rif
sw-spine-002 [mlag-domain: master] (config) # ipv4 access-list cmn-can seq-number 10 deny ip 10.102.3.0 mask 255.255.255.128 10.102.3.128 mask 255.255.255.192
sw-spine-002 [mlag-domain: master] (config) # ipv4 access-list cmn-can seq-number 20 deny ip 10.102.3.128 mask 255.255.255.192 10.102.3.0 mask 255.255.255.128
sw-spine-002 [mlag-domain: master] (config) # ipv4 access-list cmn-can seq-number 30 permit ip any any
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ipv4 port access-group cmn-can
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 ipv4 port access-group cmn-can
sw-spine-002 [mlag-domain: master] (config) # router ospf 2 vrf Customer
sw-spine-002 [mlag-domain: master] (config) # router ospf 2 vrf Customer router-id 10.2.0.3
sw-spine-002 [mlag-domain: master] (config) # router ospf 2 vrf Customer default-information originate
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ip ospf area 0.0.0.0
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 magp 5
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 magp 5 ip virtual-router address 10.102.3.129
sw-spine-002 [mlag-domain: master] (config) # interface vlan 6 magp 5 ip virtual-router mac-address 00:00:5E:00:01:05
sw-spine-002 [mlag-domain: master] (config) # ip prefix-list pl-cmn
sw-spine-002 [mlag-domain: master] (config) # ip prefix-list pl-cmn seq 10 permit 10.102.3.0 /25 ge 25
sw-spine-002 [mlag-domain: master] (config) # route-map ncn-w001 permit 10 match ip address pl-cmn
sw-spine-002 [mlag-domain: master] (config) # route-map ncn-w002 permit 10 match ip address pl-cmn
sw-spine-002 [mlag-domain: master] (config) # route-map ncn-w003 permit 10 match ip address pl-cmn
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer router-id 10.2.0.3 force
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer distance 20 70 20
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer maximum-paths ibgp 32
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer maximum-paths 32
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.8 remote-as 65534
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.9 remote-as 65534
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.10 remote-as 65534
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.8 timers 1 3
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.9 timers 1 3
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.10 timers 1 3
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.8 transport connection-mode passive
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.9 transport connection-mode passive
sw-spine-002 [mlag-domain: master] (config) # router bgp 65533 vrf Customer neighbor 10.102.3.10 transport connection-mode passive

This should copy into the terminal without any errors. If there are errors, stop here and make sure that the generated configuration gets applied correctly.
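The cmn-can access list applied above is what keeps the CMN (10.102.3.0/25) and CAN (10.102.3.128/26) subnets from reaching each other once both sit in the Customer VRF. As an added example, not code from the CSM documentation or from CANU, the following parses that ACL in the Mellanox syntax shown above and in the Dell and Aruba syntaxes that appear later on this page into one common rule list, evaluates sample flows against it with first-match semantics, and checks that the isolation holds. The ACL lines are copied from this page; the sample flows and the helper functions are constructed here.

```python
"""Parse the cmn-can ACL (Mellanox Onyx, Dell OS10, Aruba AOS-CX spellings) into
one rule list and evaluate flows against it. Added example, not CANU's code."""
import ipaddress
import re
from dataclasses import dataclass

# Copied from the canu validate output on this page (three vendor spellings).
MELLANOX_ACL = """\
ipv4 access-list cmn-can
ipv4 access-list cmn-can bind-point rif
ipv4 access-list cmn-can seq-number 10 deny ip 10.102.3.0 mask 255.255.255.128 10.102.3.128 mask 255.255.255.192
ipv4 access-list cmn-can seq-number 20 deny ip 10.102.3.128 mask 255.255.255.192 10.102.3.0 mask 255.255.255.128
ipv4 access-list cmn-can seq-number 30 permit ip any any
"""
DELL_ACL = """\
ip access-list cmn-can
  seq 10 deny ip 10.102.3.0/25 10.102.3.128/26
  seq 20 deny ip 10.102.3.128/26 10.102.3.0/25
  seq 30 permit ip any any
"""
ARUBA_ACL = """\
access-list ip cmn-can
  10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
  20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
  30 permit any any any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str  # "permit" or "deny"; protocol is always "ip"/"any" in this ACL
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(token):
    """Accept 'any', 'a.b.c.d/len' or 'a.b.c.d/m.m.m.m' (Aruba dotted-mask form)."""
    return ANY if token == "any" else ipaddress.IPv4Network(token, strict=True)


# Mellanox: "... seq-number N ACTION ip SRC [mask M] DST [mask M]"
_MLNX = re.compile(r"seq-number (\d+) (permit|deny) ip (\S+)(?: mask (\S+))? (\S+)(?: mask (\S+))?$")
# Dell ("seq N ACTION ip SRC DST") and Aruba ("N ACTION any SRC DST")
_DELL_ARUBA = re.compile(r"^\s*(?:seq )?(\d+) (permit|deny) (?:ip|any) (\S+) (\S+)$")


def parse_acl(text):
    """Return the ACL entries as Rule objects sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        m = _MLNX.search(line)
        if m:
            seq, action, src, smask, dst, dmask = m.groups()
            src_net = _net(src if smask is None else f"{src}/{smask}")
            dst_net = _net(dst if dmask is None else f"{dst}/{dmask}")
            rules.append(Rule(int(seq), action, src_net, dst_net))
            continue
        m = _DELL_ARUBA.match(line)
        if m:
            seq, action, src, dst = m.groups()
            rules.append(Rule(int(seq), action, _net(src), _net(dst)))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; nothing matching means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def isolation_holds(rules, cmn, can):
    """True if every sampled CMN<->CAN flow is denied and traffic inside each
    subnet is permitted; samples are the first and last host of each subnet."""
    cmn, can = ipaddress.IPv4Network(cmn), ipaddress.IPv4Network(can)
    hosts_cmn = [cmn.network_address + 1, cmn.broadcast_address - 1]
    hosts_can = [can.network_address + 1, can.broadcast_address - 1]
    for a in hosts_cmn:
        for b in hosts_can:
            if evaluate(rules, str(a), str(b)) != "deny":
                return False
            if evaluate(rules, str(b), str(a)) != "deny":
                return False
    return (evaluate(rules, str(hosts_cmn[0]), str(hosts_cmn[1])) == "permit"
            and evaluate(rules, str(hosts_can[0]), str(hosts_can[1])) == "permit")


if __name__ == "__main__":
    rules = parse_acl(MELLANOX_ACL)
    print("Mellanox and Dell rule lists identical:", rules == parse_acl(DELL_ACL))
    for src, dst in [("10.102.3.9", "10.102.3.131"), ("10.102.3.9", "10.102.3.10")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    print("CMN/CAN isolation holds:", isolation_holds(rules, "10.102.3.0/25", "10.102.3.128/26"))
```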

Mellanox Manual Configuration

  • Attaching the vlan 7 interface to the Customer VRF removes all of its previous configuration, so that configuration needs to be reapplied from the generated 1.2 file.
ncn-m001# cat sw-spine-002.cfg | grep "interface vlan 7"
interface vlan 7 vrf forwarding Customer
interface vlan 7 ip address 10.102.4.51/25 primary
no interface vlan 7 ip icmp redirect
interface vlan 7 mtu 9184
interface vlan 7 ipv4 port access-group cmn-can
interface vlan 7 ip ospf area 0.0.0.0
interface vlan 7 magp 4
interface vlan 7 magp 4 ip virtual-router address 10.102.4.1
interface vlan 7 magp 4 ip virtual-router mac-address 00:00:5E:00:01:04
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 vrf forwarding Customer
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ip address 10.102.4.51/25 primary
sw-spine-002 [mlag-domain: master] (config) # no interface vlan 7 ip icmp redirect
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 mtu 9184
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ipv4 port access-group cmn-can
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 ip ospf area 0.0.0.0
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 magp 4
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 magp 4 ip virtual-router address 10.102.4.1
sw-spine-002 [mlag-domain: master] (config) # interface vlan 7 magp 4 ip virtual-router mac-address 00:00:5E:00:01:04

Add site connections to Customer VRF.

  • The site connections are found in the SHCD.
CAN switch  cfcanb6s1           -   31  sw-25g01    x3000   u39 -   j16
CAN switch  cfcanb6s1           -   46  sw-25g02    x3000   u40 -   j16

This example has the site connections on port 16 on both spine switches.

  • Get the current configuration from port 16 on both switches. This needs to be done on both Spine switches.
sw-spine-001 [mlag-domain: master] # show run int ethernet 1/16
interface ethernet 1/16 speed 10G force
interface ethernet 1/16 mtu 1500 force
interface ethernet 1/16 no switchport force
interface ethernet 1/16 ip address 10.102.255.10/30 primary
  • Attach the interface to the Customer VRF.
  • The IP address will need to be added back, because that configuration is wiped when a VRF gets attached to an interface.
sw-spine-001 [mlag-domain: master] (config) # int ethernet 1/16 vrf forwarding Customer
sw-spine-001 [mlag-domain: master] (config) # interface ethernet 1/16 ip address 10.102.255.10/30 primary
  • Add the default route to the Customer VRF and delete the old one.
sw-spine-001 [mlag-domain: master] (config) # show run | include "ip route"
   ip route vrf default 0.0.0.0/0 10.102.255.9
sw-spine-001 [mlag-domain: master] (config) # no ip route vrf default 0.0.0.0/0
sw-spine-001 [mlag-domain: master] (config) # ip route vrf Customer 0.0.0.0/0 10.102.255.9
  • Save this configuration to a new configuration file with the CSM and CANU versions.
sw-spine-001 [mlag-domain: master] (config) # show banner

Banners:
  Message of the Day (MOTD):

    ###############################################################################
    # CSM version:  1.2
    # CANU version: 1.1.11
    ###############################################################################


  Login:
    NVIDIA Onyx Switch Management

  Logout:


sw-spine-001 [mlag-domain: master] (config) # configuration write to csm1.2-canu1.1.11

Dell

  • Use canu validate to see the differences between the 1.0 and 1.2 switch configurations.
ncn-m001# canu validate switch config --running 1.0/sw-leaf-bmc-001.cfg --generated 1.2/sw-leaf-bmc-001.cfg --vendor dell --remediation
+ ip vrf Customer
+ interface vlan7
+   description CMN
+   no shutdown
+   ip vrf forwarding Customer
+   mtu 9216
+   ip address 10.102.3.100/25
+   ip access-group cmn-can in
+   ip access-group cmn-can out
+   ip ospf 2 area 0.0.0.0
  interface port-channel100
-   switchport trunk allowed vlan 2,4
+   switchport trunk allowed vlan 2,4,7
+ ip access-list cmn-can
+   seq 10 deny ip 10.102.3.0/25 10.102.3.128/26
+   seq 20 deny ip 10.102.3.128/26 10.102.3.0/25
+   seq 30 permit ip any any
+ router ospf 2 vrf Customer
+   router-id 10.2.0.4
- banner motd ^
###############################################################################
# CSM version:  1.0
# CANU version: 1.1.11
###############################################################################
^
+ banner motd ^
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
^
-------------------------------------------------------------------------

Config differences between running config and generated config


lines that start with a minus "-" and RED: Config that is present in running config but not in generated config
lines that start with a plus "+" and GREEN: Config that is present in generated config but not in running config.

-------------------------------------------------------------------------

Remediation Config

-------------------------------------------------------------------------
no banner motd
ip vrf Customer
interface vlan7
  description CMN
  no shutdown
  ip vrf forwarding Customer
  mtu 9216
  ip address 10.102.3.100/25
  ip access-group cmn-can in
  ip access-group cmn-can out
  ip ospf 2 area 0.0.0.0
interface port-channel100
  switchport trunk allowed vlan 2,4,7
ip access-list cmn-can
  seq 10 deny ip 10.102.3.0/25 10.102.3.128/26
  seq 20 deny ip 10.102.3.128/26 10.102.3.0/25
  seq 30 permit ip any any
router ospf 2 vrf Customer
  router-id 10.2.0.4
banner motd ^
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
^

Dell Manual Configuration

  • Exit the ip vrf Customer sub-menu.

    sw-leaf-bmc-001(config)# ip vrf Customer
    sw-leaf-bmc-001(conf-vrf)# exit
    
  • banner motd will need to be applied manually.

    Example:

    sw-leaf-bmc-001(config)# no banner motd
    sw-leaf-bmc-001(config)# ip vrf Customer
    sw-leaf-bmc-001(conf-vrf)# exit
    sw-leaf-bmc-001(config)# interface vlan7
    sw-leaf-bmc-001(conf-if-vl-7)# description CMN
    sw-leaf-bmc-001(conf-if-vl-7)# no shutdown
    sw-leaf-bmc-001(conf-if-vl-7)# ip vrf forwarding Customer
    sw-leaf-bmc-001(conf-if-vl-7)# mtu 9216
    sw-leaf-bmc-001(conf-if-vl-7)# ip address 10.102.3.100/25
    sw-leaf-bmc-001(conf-if-vl-7)# ip access-group cmn-can in
    sw-leaf-bmc-001(conf-if-vl-7)# ip access-group cmn-can out
    sw-leaf-bmc-001(conf-if-vl-7)# ip ospf 2 area 0.0.0.0
    sw-leaf-bmc-001(conf-if-vl-7)# interface port-channel100
    sw-leaf-bmc-001(conf-if-po-100)# switchport trunk allowed vlan 2,4,7
    sw-leaf-bmc-001(conf-if-po-100)# ip access-list cmn-can
    sw-leaf-bmc-001(config-ipv4-acl)# seq 10 deny ip 10.102.3.0/25 10.102.3.128/26
    sw-leaf-bmc-001(config-ipv4-acl)# seq 20 deny ip 10.102.3.128/26 10.102.3.0/25
    sw-leaf-bmc-001(config-ipv4-acl)# seq 30 permit ip any any
    sw-leaf-bmc-001(config-ipv4-acl)# router ospf 2 vrf Customer
    sw-leaf-bmc-001(config-router-ospf-2)# router-id 10.2.0.4
    sw-leaf-bmc-001(config-router-ospf-2)# banner motd ^
    Enter TEXT message. End with the character '^'.
    ###############################################################################
    # CSM version:  1.2
    # CANU version: 1.1.11
    ###############################################################################
    ^
    
  • Save configuration.

    sw-leaf-bmc-001(config)# copy config://startup.xml config://csm1.2-canu1.1.11
    Copy completed
    

Aruba Spine

  • Use canu validate to see the differences between the 1.0 and 1.2 switch configurations.
ncn-m001# canu validate switch config --running ./1.0/sw-spine-002.cfg --generated ./1.2/sw-spine-002.cfg --vendor aruba --remediation
+ vrf Customer
+ ssh server vrf Customer
  access-list ip mgmt
-   10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET
+   10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
+   60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
+   70 permit tcp 10.103.11.0/255.255.255.128 any eq https
+   80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
+   90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
-   60 comment ALLOW SNMP FROM HMN METALLB SUBNET
+   100 comment ALLOW SNMP FROM HMN METALLB SUBNET
-   70 permit udp 10.94.100.0/255.255.255.0 any eq snmp
+   110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
-   80 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
+   120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
-   90 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
+   130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
-   100 deny tcp any any eq ssh
+   140 deny tcp any any eq ssh
-   110 deny tcp any any eq https
+   150 deny tcp any any eq https
-   120 deny udp any any eq snmp
+   160 deny udp any any eq snmp
-   130 deny udp any any eq snmp-trap
+   170 deny udp any any eq snmp-trap
-   140 comment ALLOW ANYTHING ELSE
+   180 comment ALLOW ANYTHING ELSE
-   150 permit any any any
+   190 permit any any any
+ access-list ip cmn-can
+   10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
+   20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
+   30 permit any any any
  vlan 7
+   name CMN
+   apply access-list ip cmn-can in
+   apply access-list ip cmn-can out
+ vlan 6
    name CAN
+   apply access-list ip cmn-can in
+   apply access-list ip cmn-can out
  interface lag 1 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 3 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 5 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 7 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 8 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 9 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 11 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 13 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 15 multi-chassis
+   vlan trunk allowed 1-2,4,6-7
+ interface lag 151 multi-chassis
    vlan trunk allowed 1-2,4,7
- interface lag 3 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 5 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 7 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 8 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 9 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 11 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 13 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 15 multi-chassis
-   vlan trunk allowed 1-2,4,7
- interface lag 151 multi-chassis
-   vlan trunk allowed 1-2,4
- banner motd ^
###############################################################################
# CSM version:  1.0
# CANU version: 1.1.20~develop
###############################################################################
^
+ banner motd ^
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
^
  route-map ncn-w003 permit seq 40
-   match ip address prefix-list pl-can
+   match ip address prefix-list pl-cmn
-   set ip next-hop 10.103.11.8
+   set ip next-hop 10.103.11.39
  route-map ncn-w002 permit seq 40
-   match ip address prefix-list pl-can
+   match ip address prefix-list pl-cmn
-   set ip next-hop 10.103.11.9
+   set ip next-hop 10.103.11.40
  route-map ncn-w001 permit seq 40
-   match ip address prefix-list pl-can
+   match ip address prefix-list pl-cmn
-   set ip next-hop 10.103.11.10
+   set ip next-hop 10.103.11.41
  interface vlan 7
+   vrf attach Customer
+   description CMN
+   ip ospf 2 area 0.0.0.0
+ interface vlan 6
+   vrf attach Customer
    description CAN
-   ip helper-address 10.92.100.222
+   ip mtu 9198
+   ip address 10.103.11.131/26
+   active-gateway ip mac 12:00:00:00:6b:00
+   active-gateway ip 10.103.11.129
- ip dns server-address 10.92.100.74
+ ip dns server-address 10.92.100.225
- ip prefix-list pl-can seq 10 permit 10.103.11.0/25 ge 25
+ ip prefix-list pl-cmn seq 10 permit 10.103.11.0/25 ge 25
+ router ospf 2 vrf Customer
+   router-id 10.2.0.3
+   default-information originate
+   area 0.0.0.0
+ router bgp 65533
+   vrf Customer
+     bgp router-id 10.2.0.3
+     maximum-paths 8
+     timers bgp 1 3
+     distance bgp 20 70
+     neighbor 10.103.11.2 remote-as 65533
+     neighbor 10.103.11.39 remote-as 65532
+     neighbor 10.103.11.39 passive
+     neighbor 10.103.11.40 remote-as 65532
+     neighbor 10.103.11.40 passive
+     neighbor 10.103.11.41 remote-as 65532
+     neighbor 10.103.11.41 passive
+     address-family ipv4 unicast
+       neighbor 10.103.11.2 activate
+       neighbor 10.103.11.39 activate
+       neighbor 10.103.11.40 activate
+       neighbor 10.103.11.41 activate
+ https-server vrf Customer
-------------------------------------------------------------------------

Config differences between running config and generated config


lines that start with a minus "-" and RED: Config that is present in running config but not in generated config
lines that start with a plus "+" and GREEN: Config that is present in generated config but not in running config.

-------------------------------------------------------------------------

Remediation Config

no ip dns server-address 10.92.100.74
no ip prefix-list pl-can seq 10 permit 10.103.11.0/25 ge 25
banner motd ^
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
^
vrf Customer
ssh server vrf Customer
access-list ip mgmt
  no 10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET
  no 60 comment ALLOW SNMP FROM HMN METALLB SUBNET
  no 70 permit udp 10.94.100.0/255.255.255.0 any eq snmp
  no 80 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
  no 90 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
  no 100 deny tcp any any eq ssh
  no 110 deny tcp any any eq https
  no 120 deny udp any any eq snmp
  no 130 deny udp any any eq snmp-trap
  no 140 comment ALLOW ANYTHING ELSE
  no 150 permit any any any
  10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
  60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
  70 permit tcp 10.103.11.0/255.255.255.128 any eq https
  80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
  90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
  100 comment ALLOW SNMP FROM HMN METALLB SUBNET
  110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
  120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
  130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
  140 deny tcp any any eq ssh
  150 deny tcp any any eq https
  160 deny udp any any eq snmp
  170 deny udp any any eq snmp-trap
  180 comment ALLOW ANYTHING ELSE
  190 permit any any any
access-list ip cmn-can
  10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
  20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
  30 permit any any any
vlan 7
  name CMN
  apply access-list ip cmn-can in
  apply access-list ip cmn-can out
vlan 6
  name CAN
  apply access-list ip cmn-can in
  apply access-list ip cmn-can out
interface lag 1 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 3 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 5 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 7 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 8 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 9 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 11 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 13 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 15 multi-chassis
  no vlan trunk allowed 1-2,4,7
  vlan trunk allowed 1-2,4,6-7
interface lag 151 multi-chassis
  no vlan trunk allowed 1-2,4
  vlan trunk allowed 1-2,4,7
interface vlan 7
  no ip helper-address 10.92.100.222
  vrf attach Customer
  description CMN
  ip ospf 2 area 0.0.0.0
interface vlan 6
  vrf attach Customer
  description CAN
  ip mtu 9198
  ip address 10.103.11.131/26
  active-gateway ip mac 12:00:00:00:6b:00
  active-gateway ip 10.103.11.129
ip dns server-address 10.92.100.225
ip prefix-list pl-cmn seq 10 permit 10.103.11.0/25 ge 25
route-map ncn-w003 permit seq 40
  no match ip address prefix-list pl-can
  no set ip next-hop 10.103.11.8
  match ip address prefix-list pl-cmn
  set ip next-hop 10.103.11.39
route-map ncn-w002 permit seq 40
  no match ip address prefix-list pl-can
  no set ip next-hop 10.103.11.9
  match ip address prefix-list pl-cmn
  set ip next-hop 10.103.11.40
route-map ncn-w001 permit seq 40
  no match ip address prefix-list pl-can
  no set ip next-hop 10.103.11.10
  match ip address prefix-list pl-cmn
  set ip next-hop 10.103.11.41
router ospf 2 vrf Customer
  router-id 10.2.0.3
  default-information originate
  area 0.0.0.0
router bgp 65533
  vrf Customer
    bgp router-id 10.2.0.3
    maximum-paths 8
    timers bgp 1 3
    distance bgp 20 70
    neighbor 10.103.11.2 remote-as 65533
    neighbor 10.103.11.39 remote-as 65532
    neighbor 10.103.11.39 passive
    neighbor 10.103.11.40 remote-as 65532
    neighbor 10.103.11.40 passive
    neighbor 10.103.11.41 remote-as 65532
    neighbor 10.103.11.41 passive
    address-family ipv4 unicast
      neighbor 10.103.11.2 activate
      neighbor 10.103.11.39 activate
      neighbor 10.103.11.40 activate
      neighbor 10.103.11.41 activate
https-server vrf Customer
  • Using the remediation config, apply the prefix-list and route-maps first. The route-map ncn-w001, ncn-w002 and ncn-w003 entries must be switched from pl-can to pl-cmn before the later no ip prefix-list pl-can line removes the old list; otherwise the route-maps would be left pointing at a prefix-list that no longer exists.
sw-spine-002(config)# ip prefix-list pl-cmn seq 10 permit 10.103.11.0/25 ge 25
sw-spine-002(config)# route-map ncn-w003 permit seq 40
sw-spine-002(config-route-map-ncn-w003-40)#   no match ip address prefix-list pl-can
sw-spine-002(config-route-map-ncn-w003-40)#   no set ip next-hop 10.103.11.8
sw-spine-002(config-route-map-ncn-w003-40)#   match ip address prefix-list pl-cmn
sw-spine-002(config-route-map-ncn-w003-40)#   set ip next-hop 10.103.11.39
sw-spine-002(config-route-map-ncn-w003-40)# route-map ncn-w002 permit seq 40
sw-spine-002(config-route-map-ncn-w002-40)#   no match ip address prefix-list pl-can
sw-spine-002(config-route-map-ncn-w002-40)#   no set ip next-hop 10.103.11.9
sw-spine-002(config-route-map-ncn-w002-40)#   match ip address prefix-list pl-cmn
sw-spine-002(config-route-map-ncn-w002-40)#   set ip next-hop 10.103.11.40
sw-spine-002(config-route-map-ncn-w002-40)# route-map ncn-w001 permit seq 40
sw-spine-002(config-route-map-ncn-w001-40)#   no match ip address prefix-list pl-can
sw-spine-002(config-route-map-ncn-w001-40)#   no set ip next-hop 10.103.11.10
sw-spine-002(config-route-map-ncn-w001-40)#   match ip address prefix-list pl-cmn
sw-spine-002(config-route-map-ncn-w001-40)#   set ip next-hop 10.103.11.41
  • Copy in the remaining configuration.
sw-spine-002(config-route-map-ncn-w001-40)# no ip dns server-address 10.92.100.74
sw-spine-002(config)# no ip prefix-list pl-can seq 10 permit 10.103.11.0/25 ge 25
sw-spine-002(config)# banner motd ^
sw-spine-002(config-banner-motd)# ###############################################################################
sw-spine-002(config-banner-motd)# # CSM version:  1.2
sw-spine-002(config-banner-motd)# # CANU version: 1.1.11
sw-spine-002(config-banner-motd)# ###############################################################################
sw-spine-002(config-banner-motd)# ^
sw-spine-002(config)# vrf Customer
sw-spine-002(config-vrf)# ssh server vrf Customer
sw-spine-002(config)# access-list ip mgmt
sw-spine-002(config-acl-ip)#   no 10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET
sw-spine-002(config-acl-ip)#   no 60 comment ALLOW SNMP FROM HMN METALLB SUBNET
sw-spine-002(config-acl-ip)#   no 70 permit udp 10.94.100.0/255.255.255.0 any eq snmp
sw-spine-002(config-acl-ip)#   no 80 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
sw-spine-002(config-acl-ip)#   no 90 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
sw-spine-002(config-acl-ip)#   no 100 deny tcp any any eq ssh
sw-spine-002(config-acl-ip)#   no 110 deny tcp any any eq https
sw-spine-002(config-acl-ip)#   no 120 deny udp any any eq snmp
sw-spine-002(config-acl-ip)#   no 130 deny udp any any eq snmp-trap
sw-spine-002(config-acl-ip)#   no 140 comment ALLOW ANYTHING ELSE
sw-spine-002(config-acl-ip)#   no 150 permit any any any
sw-spine-002(config-acl-ip)#   10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
sw-spine-002(config-acl-ip)#   60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
sw-spine-002(config-acl-ip)#   70 permit tcp 10.103.11.0/255.255.255.128 any eq https
sw-spine-002(config-acl-ip)#   80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
sw-spine-002(config-acl-ip)#   90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
sw-spine-002(config-acl-ip)#   100 comment ALLOW SNMP FROM HMN METALLB SUBNET
sw-spine-002(config-acl-ip)#   110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
sw-spine-002(config-acl-ip)#   120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
sw-spine-002(config-acl-ip)#   130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
sw-spine-002(config-acl-ip)#   140 deny tcp any any eq ssh
sw-spine-002(config-acl-ip)#   150 deny tcp any any eq https
sw-spine-002(config-acl-ip)#   160 deny udp any any eq snmp
sw-spine-002(config-acl-ip)#   170 deny udp any any eq snmp-trap
sw-spine-002(config-acl-ip)#   180 comment ALLOW ANYTHING ELSE
sw-spine-002(config-acl-ip)#   190 permit any any any
sw-spine-002(config-acl-ip)# access-list ip cmn-can
sw-spine-002(config-acl-ip)#   10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
sw-spine-002(config-acl-ip)#   20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
sw-spine-002(config-acl-ip)#   30 permit any any any
sw-spine-002(config-acl-ip)# vlan 7
sw-spine-002(config-vlan-7)#   name CMN
sw-spine-002(config-vlan-7)#   apply access-list ip cmn-can in
sw-spine-002(config-vlan-7)#   apply access-list ip cmn-can out
sw-spine-002(config-vlan-7)# vlan 6
sw-spine-002(config-vlan-6)#   name CAN
sw-spine-002(config-vlan-6)#   apply access-list ip cmn-can in
sw-spine-002(config-vlan-6)#   apply access-list ip cmn-can out
sw-spine-002(config-vlan-6)# interface lag 1 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 3 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 5 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 7 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 8 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 9 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 11 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 13 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 15 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,6-7
sw-spine-002(config-lag-if)# interface lag 151 multi-chassis
sw-spine-002(config-lag-if)#   vlan trunk allowed 1-2,4,7
sw-spine-002(config-lag-if)# interface vlan 7
sw-spine-002(config-if-vlan)#   no ip helper-address 10.92.100.222
sw-spine-002(config-if-vlan)#   vrf attach Customer
sw-spine-002(config-if-vlan)#   description CMN
sw-spine-002(config-if-vlan)#   ip ospf 2 area 0.0.0.0
sw-spine-002(config-if-vlan)# interface vlan 6
sw-spine-002(config-if-vlan)#   vrf attach Customer
sw-spine-002(config-if-vlan)#   description CAN
sw-spine-002(config-if-vlan)#   ip mtu 9198
sw-spine-002(config-if-vlan)#   ip address 10.103.11.131/26
sw-spine-002(config-if-vlan)#   active-gateway ip mac 12:00:00:00:6b:00
sw-spine-002(config-if-vlan)#   active-gateway ip 10.103.11.129
sw-spine-002(config-if-vlan)# router ospf 2 vrf Customer
sw-spine-002(config-ospf-2)#   router-id 10.2.0.3
sw-spine-002(config-ospf-2)#   default-information originate
sw-spine-002(config-ospf-2)#   area 0.0.0.0
sw-spine-002(config-ospf-2)# router bgp 65533
sw-spine-002(config-bgp)#   vrf Customer
sw-spine-002(config-bgp-vrf)#     bgp router-id 10.2.0.3
sw-spine-002(config-bgp-vrf)#     maximum-paths 8
sw-spine-002(config-bgp-vrf)#     timers bgp 1 3
sw-spine-002(config-bgp-vrf)#     distance bgp 20 70
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.2 remote-as 65533
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.39 remote-as 65532
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.39 passive
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.40 remote-as 65532
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.40 passive
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.41 remote-as 65532
sw-spine-002(config-bgp-vrf)#     neighbor 10.103.11.41 passive
sw-spine-002(config-bgp-vrf)#     address-family ipv4 unicast
sw-spine-002(config-bgp-vrf-ipv4-uc)#       neighbor 10.103.11.2 activate
sw-spine-002(config-bgp-vrf-ipv4-uc)#       neighbor 10.103.11.39 activate
sw-spine-002(config-bgp-vrf-ipv4-uc)#       neighbor 10.103.11.40 activate
sw-spine-002(config-bgp-vrf-ipv4-uc)#       neighbor 10.103.11.41 activate
sw-spine-002(config-bgp-vrf-ipv4-uc)# https-server vrf Customer
  • Re-apply the vlan 7 interface configuration. The vrf attach Customer command in the block above clears the Layer-3 settings on that interface; the next section shows how to restore them.

Aruba Manual Configuration

  • Attaching the vlan 7 interface to the Customer VRF (vrf attach Customer) clears the Layer-3 configuration previously on that interface: the IP address, the MTU, the active-gateway settings and the OSPF area. These have to be re-applied by hand.

Get the interface vlan 7 configuration from the generated 1.2 configuration file.

ncn-m001# grep -A 7 "interface vlan 7" sw-spine-002.cfg
interface vlan 7
    vrf attach Customer
    description CMN
    ip mtu 9198
    ip address 10.103.11.3/25
    active-gateway ip mac 12:00:00:00:6b:00
    active-gateway ip 10.103.11.1
    ip ospf 2 area 0.0.0.0

Apply the VLAN interface configuration to the switch.

sw-spine-002(config)# interface vlan 7
sw-spine-002(config-if-vlan)#     vrf attach Customer
sw-spine-002(config-if-vlan)#     description CMN
sw-spine-002(config-if-vlan)#     ip mtu 9198
sw-spine-002(config-if-vlan)#     ip address 10.103.11.3/25
sw-spine-002(config-if-vlan)#     active-gateway ip mac 12:00:00:00:6b:00
sw-spine-002(config-if-vlan)#     active-gateway ip 10.103.11.1
sw-spine-002(config-if-vlan)#     ip ospf 2 area 0.0.0.0

Add the site connections to the Customer VRF.

  • The site connections are in the SHCD.
CAN switch  cfcanb6s1           -   31  sw-25g01    x3000   u39 -   j36
CAN switch  cfcanb6s1           -   46  sw-25g02    x3000   u40 -   j36

In this example the site connections are on port 36 of both spine switches.

  • Attach the interface to the Customer VRF and re-add the IP address. As with vlan 7, vrf attach removes the address, so check the current value first and re-enter it exactly.
sw-spine-002(config)# show run interface 1/1/36
interface 1/1/36
    no shutdown
    ip address 10.103.15.190/30
    exit
sw-spine-002(config)# int 1/1/36
sw-spine-002(config-if)# vrf attach Customer
sw-spine-002(config-if)# ip address 10.103.15.190/30
  • Move the default route to the Customer VRF. The site next hop 10.103.15.189 is now reachable only through interface 1/1/36 inside that VRF, so the default route has to be removed from the default VRF and re-added in the Customer VRF.
sw-spine-002(config)# show run | include "ip route"
ip route 0.0.0.0/0 10.103.15.189
sw-spine-002(config)# no ip route 0.0.0.0/0 10.103.15.189
sw-spine-002(config)# ip route 0.0.0.0/0 10.103.15.189 vrf Customer
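The two manual fixes above (restoring the vlan 7 settings that vrf attach cleared, and moving the site interface together with its default route) follow one rule: attach the VRF, re-enter the interface's settings in their original order, and move only the static routes whose next hop sits on the moved interface. The script below is an added example, not part of CANU or of this procedure, that generates those commands from a running-config excerpt. The excerpt is constructed from the show run output in this procedure plus one made-up extra route (10.0.0.0/8 via 10.2.0.1) to show that routes via other interfaces are left alone; the list of sub-commands it re-emits (description and the Layer-3 settings seen in this procedure) is an assumption for the example.

```python
"""Generate the AOS-CX commands that move an interface, and the static routes
depending on it, into a VRF.  Added example for this procedure; not CANU code.

'vrf attach' clears the interface's Layer-3 settings, so they are emitted again
after it, in their original order (active-gateway mac before active-gateway ip).
"""
import ipaddress
import re

# Constructed sample running-config, assembled from the 'show run' output in
# this procedure; the 10.0.0.0/8 route is made up to show a route left alone.
RUNNING_CONFIG = """\
interface 1/1/36
    no shutdown
    ip address 10.103.15.190/30
    exit
interface vlan 7
    description CMN
    ip mtu 9198
    ip address 10.103.11.3/25
    active-gateway ip mac 12:00:00:00:6b:00
    active-gateway ip 10.103.11.1
    ip ospf 2 area 0.0.0.0
    exit
ip route 0.0.0.0/0 10.103.15.189
ip route 10.0.0.0/8 10.2.0.1
"""

# Sub-commands to re-apply after 'vrf attach'.  Assumption for this example:
# the list covers the settings re-entered by hand in this procedure.
REAPPLY_PREFIXES = ("description ", "ip address ", "ip mtu ", "active-gateway ", "ip ospf ")


def parse_config(text):
    """Return ({interface name: [sub-commands]}, [global 'ip route' lines])."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif line == "exit":
            current = None
        elif line.startswith("ip route "):
            routes.append(line)
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces, routes


def move_to_vrf(text, ifname, vrf):
    """Commands that attach ifname to vrf, restore its settings, and move the
    default-VRF static routes whose next hop is on ifname's subnet into vrf."""
    interfaces, routes = parse_config(text)
    subcmds = interfaces[ifname]
    addr_lines = [l for l in subcmds if l.startswith("ip address ")]
    if not addr_lines:
        raise ValueError(f"{ifname} has no ip address; nothing to move")
    subnet = ipaddress.ip_interface(addr_lines[0].split()[2]).network

    cmds = [f"interface {ifname}", f"    vrf attach {vrf}"]
    cmds += [f"    {l}" for l in subcmds if l.startswith(REAPPLY_PREFIXES)]
    cmds.append("    exit")
    for route in routes:
        # Only 'ip route <prefix> <next-hop>' in the default VRF; routes that
        # already carry 'vrf <name>' do not match and are skipped.
        m = re.fullmatch(r"ip route (\S+) (\S+)", route)
        if m and ipaddress.ip_address(m.group(2)) in subnet:
            cmds.append(f"no {route}")          # remove from the default VRF first
            cmds.append(f"{route} vrf {vrf}")   # then re-add inside the VRF
    return cmds


if __name__ == "__main__":
    for name in ("1/1/36", "vlan 7"):
        print("\n".join(move_to_vrf(RUNNING_CONFIG, name, "Customer")))
        print()
```

For interface 1/1/36 the output is exactly the command sequence shown in the two steps above; for vlan 7 it reproduces the block from the generated configuration and moves no routes, because neither next hop lies in 10.103.11.0/25.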

Confirm that the site interface and the default route are now in the Customer VRF (show run interface 1/1/36 and show ip route vrf Customer), then save the configuration and create a checkpoint named with the CSM version and the CANU version.

sw-spine-002(config)# show banner motd
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
sw-spine-002(config)# write mem
Copying configuration: [Success]
sw-spine-002(config)# copy running-config checkpoint CSM1_2_CANU_1_1_11

Aruba Leaf and Leaf BMC

Use CANU Validate to see the differences between the 1.0 and 1.2 switch configurations.

ncn-m001# canu validate switch config --running surtur/1.0/sw-leaf-bmc-001.cfg --generated surtur/1.2/sw-leaf-bmc-001.cfg --vendor aruba --remediation
Remediation Config
This feature is experimental and has limited testing.
banner motd ^
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
^
vrf Customer
ssh server vrf Customer
access-list ip mgmt
  no 10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET
  no 60 comment ALLOW SNMP FROM HMN METALLB SUBNET
  no 70 permit udp 10.94.100.0/255.255.255.0 any eq snmp
  no 80 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
  no 90 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
  no 100 deny tcp any any eq ssh
  no 110 deny tcp any any eq https
  no 120 deny udp any any eq snmp
  no 130 deny udp any any eq snmp-trap
  no 140 comment ALLOW ANYTHING ELSE
  no 150 permit any any any
  10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
  60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
  70 permit tcp 10.103.11.0/255.255.255.128 any eq https
  80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
  90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
  100 comment ALLOW SNMP FROM HMN METALLB SUBNET
  110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
  120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
  130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
  140 deny tcp any any eq ssh
  150 deny tcp any any eq https
  160 deny udp any any eq snmp
  170 deny udp any any eq snmp-trap
  180 comment ALLOW ANYTHING ELSE
  190 permit any any any
access-list ip cmn-can
  10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
  20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
  30 permit any any any
vlan 7
  name CMN
  apply access-list ip cmn-can in
  apply access-list ip cmn-can out
interface lag 255
  vlan trunk allowed 1-2,4,7
interface vlan 7
  vrf attach Customer
  description CMN
  ip mtu 9198
  ip address 10.103.11.4/25
  ip ospf 2 area 0.0.0.0
router ospf 2 vrf Customer
  router-id 10.2.0.4
  area 0.0.0.0
https-server vrf Customer

Copy in the entire remediation configuration block.

sw-leaf-bmc-001(config)# banner motd ^
sw-leaf-bmc-001(config-banner-motd)# ###############################################################################
sw-leaf-bmc-001(config-banner-motd)# # CSM version:  1.2
sw-leaf-bmc-001(config-banner-motd)# # CANU version: 1.1.11
sw-leaf-bmc-001(config-banner-motd)# ###############################################################################
sw-leaf-bmc-001(config-banner-motd)# ^
sw-leaf-bmc-001(config)# vrf Customer
sw-leaf-bmc-001(config-vrf)# ssh server vrf Customer
sw-leaf-bmc-001(config)# access-list ip mgmt
sw-leaf-bmc-001(config-acl-ip)#   no 10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET
sw-leaf-bmc-001(config-acl-ip)#   no 60 comment ALLOW SNMP FROM HMN METALLB SUBNET
sw-leaf-bmc-001(config-acl-ip)#   no 70 permit udp 10.94.100.0/255.255.255.0 any eq snmp
sw-leaf-bmc-001(config-acl-ip)#   no 80 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
sw-leaf-bmc-001(config-acl-ip)#   no 90 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
sw-leaf-bmc-001(config-acl-ip)#   no 100 deny tcp any any eq ssh
sw-leaf-bmc-001(config-acl-ip)#   no 110 deny tcp any any eq https
sw-leaf-bmc-001(config-acl-ip)#   no 120 deny udp any any eq snmp
sw-leaf-bmc-001(config-acl-ip)#   no 130 deny udp any any eq snmp-trap
sw-leaf-bmc-001(config-acl-ip)#   no 140 comment ALLOW ANYTHING ELSE
sw-leaf-bmc-001(config-acl-ip)#   no 150 permit any any any
sw-leaf-bmc-001(config-acl-ip)#   10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
sw-leaf-bmc-001(config-acl-ip)#   60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
sw-leaf-bmc-001(config-acl-ip)#   70 permit tcp 10.103.11.0/255.255.255.128 any eq https
sw-leaf-bmc-001(config-acl-ip)#   80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
sw-leaf-bmc-001(config-acl-ip)#   90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
sw-leaf-bmc-001(config-acl-ip)#   100 comment ALLOW SNMP FROM HMN METALLB SUBNET
sw-leaf-bmc-001(config-acl-ip)#   110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
sw-leaf-bmc-001(config-acl-ip)#   120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
sw-leaf-bmc-001(config-acl-ip)#   130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
sw-leaf-bmc-001(config-acl-ip)#   140 deny tcp any any eq ssh
sw-leaf-bmc-001(config-acl-ip)#   150 deny tcp any any eq https
sw-leaf-bmc-001(config-acl-ip)#   160 deny udp any any eq snmp
sw-leaf-bmc-001(config-acl-ip)#   170 deny udp any any eq snmp-trap
sw-leaf-bmc-001(config-acl-ip)#   180 comment ALLOW ANYTHING ELSE
sw-leaf-bmc-001(config-acl-ip)#   190 permit any any any
sw-leaf-bmc-001(config-acl-ip)# access-list ip cmn-can
sw-leaf-bmc-001(config-acl-ip)#   10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
sw-leaf-bmc-001(config-acl-ip)#   20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
sw-leaf-bmc-001(config-acl-ip)#   30 permit any any any
sw-leaf-bmc-001(config-acl-ip)# vlan 7
sw-leaf-bmc-001(config-vlan-7)#   name CMN
sw-leaf-bmc-001(config-vlan-7)#   apply access-list ip cmn-can in
sw-leaf-bmc-001(config-vlan-7)#   apply access-list ip cmn-can out
sw-leaf-bmc-001(config-vlan-7)# interface lag 255
sw-leaf-bmc-001(config-lag-if)#   vlan trunk allowed 1-2,4,7
sw-leaf-bmc-001(config-lag-if)# interface vlan 7
sw-leaf-bmc-001(config-if-vlan)#   vrf attach Customer
sw-leaf-bmc-001(config-if-vlan)#   description CMN
sw-leaf-bmc-001(config-if-vlan)#   ip mtu 9198
sw-leaf-bmc-001(config-if-vlan)#   ip address 10.103.11.4/25
sw-leaf-bmc-001(config-if-vlan)#   ip ospf 2 area 0.0.0.0
sw-leaf-bmc-001(config-if-vlan)# router ospf 2 vrf Customer
sw-leaf-bmc-001(config-ospf-2)#   router-id 10.2.0.4
sw-leaf-bmc-001(config-ospf-2)#   area 0.0.0.0
sw-leaf-bmc-001(config-ospf-2)# https-server vrf Customer

The block should paste into the terminal without any errors. If a command is rejected, stop here and resolve it so that the generated configuration is applied completely; saving the running configuration to a file and re-running the canu validate command above against it should then report no remaining differences.

Save the running configuration and create a checkpoint using the CSM version and the CANU version.

sw-leaf-bmc-001(config)# show banner motd
###############################################################################
# CSM version:  1.2
# CANU version: 1.1.11
###############################################################################
sw-leaf-bmc-001(config)# write mem
Copying configuration: [Success]
sw-leaf-bmc-001(config)# copy running-config checkpoint CSM1_2_CANU_1_1_11
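The mgmt and cmn-can access lists carried by both the spine and the leaf-bmc remediation blocks above are easier to reason about when evaluated against concrete packets. The following script is an added example, not part of this procedure or of CANU: it parses the ACL entries exactly as they are printed above, applies first-match semantics with the implicit deny that AOS-CX places at the end of an ACL, and checks a few constructed flows. Only the entries visible in the remediation are included; mgmt entries 20 to 50, which the remediation leaves unchanged and which are not shown on this page, are omitted. The switch address (10.103.11.3) and the worker address (10.103.11.39) come from the configuration above; the CAN and MetalLB host addresses are made up for the test.

```python
"""First-match evaluator for the AOS-CX style IPv4 ACLs in this procedure.
Added example; not CANU code and not the switch's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the ACLs on this page, mapped to port numbers.
PORT_NAMES = {"ssh": "22", "https": "443", "snmp": "161", "snmp-trap": "162"}

# Constructed sample: the mgmt ACL as it reads once the remediation is applied.
# Entries 20-50 (unchanged by the remediation, not shown on the page) are omitted.
MGMT_ACL = """\
access-list ip mgmt
  10 comment ALLOW SSH, HTTPS, AND SNMP ON HMN SUBNET and CMN
  60 permit tcp 10.103.11.0/255.255.255.128 any eq ssh
  70 permit tcp 10.103.11.0/255.255.255.128 any eq https
  80 permit udp 10.103.11.0/255.255.255.128 any eq snmp
  90 permit udp 10.103.11.0/255.255.255.128 any eq snmp-trap
  100 comment ALLOW SNMP FROM HMN METALLB SUBNET
  110 permit udp 10.94.100.0/255.255.255.0 any eq snmp
  120 permit udp 10.94.100.0/255.255.255.0 any eq snmp-trap
  130 comment BLOCK SSH, HTTPS, AND SNMP FROM EVERYWHERE ELSE
  140 deny tcp any any eq ssh
  150 deny tcp any any eq https
  160 deny udp any any eq snmp
  170 deny udp any any eq snmp-trap
  180 comment ALLOW ANYTHING ELSE
  190 permit any any any
"""

CMN_CAN_ACL = """\
access-list ip cmn-can
  10 deny any 10.103.11.0/255.255.255.128 10.103.11.128/255.255.255.192
  20 deny any 10.103.11.128/255.255.255.192 10.103.11.0/255.255.255.128
  30 permit any any any
"""


@dataclass
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: any destination port


def _net(token):
    """'any' or 'A.B.C.D/dotted-mask' as printed by AOS-CX."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_acl(text):
    """Rules of one 'access-list ip' block, sorted by sequence number.
    'no <seq> ...' removes an entry; '<seq> comment ...' is ignored."""
    rules = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "no":
            rules.pop(int(parts[1]), None)
            continue
        if parts[1] == "comment":
            continue
        seq, action, proto, src, dst = int(parts[0]), parts[1], parts[2], parts[3], parts[4]
        dport = None
        if len(parts) > 6 and parts[5] == "eq":
            dport = int(PORT_NAMES.get(parts[6], parts[6]))
        rules[seq] = Rule(seq, action, proto, _net(src), _net(dst), dport)
    return [rules[k] for k in sorted(rules)]


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching entry; no match is a deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.seq
    return "deny", None


def check_management_plane():
    """Constructed flows against the switch's CMN address 10.103.11.3."""
    mgmt, cmn_can = parse_acl(MGMT_ACL), parse_acl(CMN_CAN_ACL)
    switch = "10.103.11.3"
    return {
        "ssh_from_cmn": evaluate(mgmt, "tcp", "10.103.11.39", switch, 22),
        "ssh_from_can": evaluate(mgmt, "tcp", "10.103.11.140", switch, 22),
        "snmp_from_metallb": evaluate(mgmt, "udp", "10.94.100.71", switch, 161),
        "bgp_from_cmn": evaluate(mgmt, "tcp", "10.103.11.39", switch, 179),
        "cmn_to_can": evaluate(cmn_can, "tcp", "10.103.11.39", "10.103.11.140", 443),
        "can_to_can": evaluate(cmn_can, "tcp", "10.103.11.140", "10.103.11.141", 443),
    }


if __name__ == "__main__":
    for flow, verdict in check_management_plane().items():
        print(f"{flow:20s} {verdict}")
```

What it shows: after the upgrade, SSH, HTTPS and SNMP to the switch are accepted from the CMN /25 and the HMN MetalLB pool and refused from the CAN /26, while anything that is not one of those four services (BGP from a worker, for instance) falls through to entry 190 and is permitted, so the mgmt ACL restricts management services only. cmn-can drops traffic in either direction between the CMN and the CAN even though both now sit in the Customer VRF, which is what keeps the customer-facing network away from the management plane once the VRF no longer separates them.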