Cisco – DHCP vrf

! DHCP service for the Meraki management subnet 10.15.0.0/24 inside VRF 3958.
! The three exclusions below leave .101-.149 and .164-.251 for dynamic leases;
! the .252-.254 exclusion covers this router's interface address and the VRRP
! virtual IP configured further down.
ip dhcp excluded-address vrf 3958 10.15.0.252 10.15.0.254
ip dhcp excluded-address vrf 3958 10.15.0.0 10.15.0.100
ip dhcp excluded-address vrf 3958 10.15.0.150 10.15.0.163
!
ip dhcp pool MERAKI-beheer
vrf 3958
network 10.15.0.0 255.255.255.0
domain-name routit.com
! Clients are handed the VRRP virtual IP as gateway, not a physical router address.
default-router 10.15.0.254
! NOTE(review): the second resolver "213.144.235" has only three octets and looks
! truncated - verify the intended address before applying.
dns-server 213.144.235.1 213.144.235
!
interface GigabitEthernet4/1.1200
description Meraki – Management
! NOTE(review): "native" means untagged frames arriving on Gi4/1 are handled by this
! subinterface, i.e. they land in the management VRF. Confirm the attached port is
! trusted, or carry management tagged and leave the native VLAN unused.
encapsulation dot1Q 1200 native
vrf forwarding 3958
ip address 10.15.0.252 255.255.255.0
! Hardening: no ICMP redirects are sent and the router does not answer ARP on behalf
! of other hosts on this management segment.
no ip redirects
no ip proxy-arp
! VRRP group 101 owns the gateway address .254. Priority 99 is below the default of
! 100, so this router is presumably the backup - confirm against the peer's priority.
vrrp 101 ip 10.15.0.254
vrrp 101 priority 99

SRv6 – EVPN

net 31.0000.0000.%IPv6_location + IPv6_nodeID%.00
net 31.0000.0000.0001.0005.00

router isis 1
is-type level-2-only
net 31.0000.0000.0002.0006.00
nsr
nsf ietf
nsf lifetime 20
nsf interface-timer 15
nsf interface-expires 1
log adjacency changes
!
int Te0/0/0/8
address-family ipv6 unicast
fast-reroute per-prefix
fast-reroute per-prefix tiebreaker srlg-disjoint index 100
fast-reroute per-prefix ti-lfa
int Te0/0/0/35
address-family ipv6 unicast
fast-reroute per-prefix
fast-reroute per-prefix tiebreaker srlg-disjoint index 100
fast-reroute per-prefix ti-lfa

%IPv6_locator%

segment-routing
srv6
logging locator status
encapsulation
source-address 1::1
!
locators
locator S2
prefix fc00:700d:0:105::/64
!
!
!
!

fc00:700d:0:105::1
fc00:700d:0:206::1

router bgp 64574
nsr
bgp router-id 198.51.100.20
bgp graceful-restart
segment-routing srv6
locator S2
!
address-family vpnv4 unicast
segment-routing srv6
locator S2
!
!
address-family vpnv6 unicast
segment-routing srv6
locator S2
!
!
address-family l2vpn evpn
!
! iBGP neighbor (remote-as equals the local AS 64574) sourced from Loopback0 and
! activated for VPNv4, VPNv6 and L2VPN EVPN.
! NOTE(review): "fc00:700d:0:105:1" has only five groups and no "::", so it is not a
! valid IPv6 address as written. The page elsewhere lists fc00:700d:0:105::1 and
! fc00:700d:0:206::1 - confirm which peer address is intended.
! NOTE(review): no session authentication (password, keychain or TCP-AO) appears in
! this stanza - confirm it is applied elsewhere and not simply missing from the notes.
neighbor fc00:700d:0:105:1
remote-as 64574
update-source Loopback0
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
address-family l2vpn evpn
!
!
vrf A
rd 1:1
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
!
vrf 200
rd 1:200
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
!
!

vrf TEST
address-family ipv4 unicast
import route-target
64574:777
!
export route-target
64574:777
!
router bgp 64574
!
vrf TEST
rd 64574:777
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
address-family ipv6 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected

! iBGP neighbor (same AS 64574) sourced from Loopback0, activated for VPNv4, VPNv6
! and L2VPN EVPN.
! NOTE(review): "fc00:700d:0:105:1" is not a valid IPv6 address as written (five
! groups, no "::") - verify the intended peer address before applying.
! NOTE(review): no session authentication is shown for this peer - confirm it is
! configured elsewhere.
neighbor fc00:700d:0:105:1
remote-as 64574
update-source Loopback0
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
address-family l2vpn evpn
!
interface Loopback0
address-family ipv6 unicast

call-home
service active
contact smart-licensing
profile CiscoTAC-1
active
destination transport-method email disable
destination transport-method http
!
!
interface Bundle-Ether50
description sr06-sas12ah
mtu 9000
lacp period short
lldp
!
load-interval 30
!
interface Bundle-Ether200
description ah2-prod-fg-le02 – po200
mtu 9000
lacp period short
lldp
enable
!
load-interval 30
!
interface Bundle-Ether300
description ah2-prod-fg-le03 – po300
mtu 9000
lacp period short
lldp
enable
!
load-interval 30
!

!
interface TenGigE0/0/0/11
description ah2-prod-sas-12 – te1/4
bundle id 50 mode active
lldp
!
!
interface TenGigE0/0/0/12
description ah2-prod-las-5a – te
mtu 9000
lldp
enable
!
!
interface TenGigE0/0/0/31
description ah2-prod-las-5b – te
mtu 9000
lldp
enable
!
!
interface TenGigE0/0/0/32
description ah2-prod-sas-12 – te1/17
bundle id 50 mode active
lldp
!
!

!
interface TwentyFiveGigE0/0/0/1
description ah2-prod-fg-le02 – p26
bundle id 200 mode active
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/2
description ah2-prod-fg-le03 – port25
bundle id 200 mode active
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/3
description ah2-prod-fg-le03 – port26
bundle id 200 mode active
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/4
shutdown
!
interface TwentyFiveGigE0/0/0/5
shutdown
!
interface TwentyFiveGigE0/0/0/6
description ah2-prod-fg-le02 – p25
bundle id 200 mode active
!
interface TwentyFiveGigE0/0/0/7
shutdown
!
interface TwentyFiveGigE0/0/0/9
description ah2-prod-fg-le02 – ha1
mtu 9000
lldp
enable
!

evpn
segment-routing srv6
locator S2
!
!
!
l2vpn
xconnect group 2002
p2p 2002
interface TwentyFiveGigE0/0/0/34
neighbor evpn evi 2002 service 2002 segment-routing srv6
locator S2
!
!
!
!

EVPN based point-to-point (E-Line)
evpn
evi 2002 segment-routing srv6
advertise-mac
!
locator S2
!
interface TwentyFiveGigE0/0/0/34
!
segment-routing srv6
!
!

evpn
segment-routing srv6
locator S2

l2vpn
xconnect group 2002
p2p 2002
interface TwentyFiveGigE0/0/0/34
neighbor evpn evi 2002 service 2002 segment-routing srv6 locator S2

interface TwentyFiveGigE0/0/0/15
shutdown
!
interface TwentyFiveGigE0/0/0/16
shutdown
!
interface TwentyFiveGigE0/0/0/17
shutdown
!
interface TwentyFiveGigE0/0/0/18
shutdown
!
interface TwentyFiveGigE0/0/0/19
shutdown
!
interface TwentyFiveGigE0/0/0/20
shutdown
!
interface TwentyFiveGigE0/0/0/21
shutdown
!
interface TwentyFiveGigE0/0/0/22
shutdown
!
interface TwentyFiveGigE0/0/0/23
shutdown
!
interface HundredGigE0/0/0/24
shutdown
!
interface HundredGigE0/0/0/25
shutdown
!
interface HundredGigE0/0/0/26
shutdown
!
interface HundredGigE0/0/0/27
shutdown
!
interface TwentyFiveGigE0/0/0/28
shutdown
!
interface TwentyFiveGigE0/0/0/29
shutdown
!
interface TwentyFiveGigE0/0/0/30
shutdown
!
interface TwentyFiveGigE0/0/0/33
description ah2-prod-fg-le03 – ha2
mtu 9000
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/34
description ah2-prod-fg-le02 – ha2
mtu 9000
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/36
description ah2-prod-fg-le02 – p17
bundle id 200 mode active
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/37
description ah2-prod-fg-le02 – p18
bundle id 200 mode active
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/38
description ah2-prod-fg-le03 – p17
lldp
enable
!
!
interface TwentyFiveGigE0/0/0/39
description ah2-prod-fg-le03 – p18
bundle id 300 mode active
lldp
enable
!
!
interface preconfigure TenGigE0/0/0/33
shutdown
!
interface preconfigure TenGigE0/0/0/36
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/8
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/11
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/12
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/31
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/32
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/35
shutdown
!

RP/0/RP0/CPU0:ah2-prod-sr-06#sh int BE200.1
Tue Apr 23 14:39:36.986 CEST
Bundle-Ether200.1 is up, line protocol is up
Interface state transitions: 1
Hardware is VLAN sub-interface(s), address is 9433.d801.05d3
Internet address is 195.121.109.32/31
MTU 9004 bytes, BW 50000000 Kbit (Max: 50000000 Kbit)
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation 802.1Q Virtual LAN, VLAN Id 2000, loopback not set,
Last link flapped 5d23h
ARP type ARPA, ARP timeout 04:00:00
Last input 00:00:00, output 00:00:00
Last clearing of “show interface” counters never
5 minute input rate 5000 bits/sec, 8 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4021515 packets input, 329455046 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 36 broadcast packets, 0 multicast packets
15311 packets output, 704306 bytes, 0 total output drops
Output 0 broadcast packets, 0 multicast packets

 RP/0/RP0/CPU0:ah2-prod-sr-06#sh run int BE200.1

Tue Apr 23 14:40:06.202 CEST
no int BE200.1

interface Bundle-Ether200.2000

vrf 10
ipv4 address 10.10.10.1 255.255.255.0
encapsulation dot1q 2000
!

no interface Bundle-Ether200.2000
interface BVI 2000
host-routing
vrf 10
ipv4 address 10.20.10.2 255.255.255.0
mac-address 64.574.2000
!
interface Bundle-Ether200.2000 l2transport
encapsulation dot1q 2000
rewrite ingress tag pop 1 symmetric
!
l2vpn
bridge group bg-2000
bridge-domain bd-2000
interface Bundle-Ether200.2000
!
routed interface BVI2000
!
evi 200
!
!
!
!

SSH server – alg

! SSH server algorithm restrictions. The notes list several variants of the same
! commands; presumably only one cipher / host-key / key-exchange set is meant to be
! committed - confirm which one is the target state.
! Before committing any restricted set, check that every management client, jump host
! and automation tool supports at least one algorithm in each list, otherwise the
! device can only be reached via console.
!
! Variant that still allows aes256-cbc. CBC-mode SSH ciphers have known
! plaintext-recovery weaknesses and depend on a separate MAC; keep it only if a
! legacy client requires it.
ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com aes256-cbc
! GCM-only variant (authenticated encryption) - the stricter choice.
ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com

! Host keys limited to ECDSA and Ed25519; key exchange limited to ECDH over NIST curves.
ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521 ed25519
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256

! Full set, variant with aes256-cbc and ed25519 host key.
ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com aes256-cbc
ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521 ed25519
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256

! Full set, GCM-only ciphers and ECDSA-only host keys; "ssh server v2" restricts the
! server to protocol version 2.
ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com
ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
ssh server v2

! Strictest variant: a single cipher. Any client without aes256-gcm is locked out.
ssh server algorithms cipher aes256-gcm@openssh.com

SRv6 –

Router(config-evpn)# segment-routing srv6
Router(config-evpn-srv6)# locator sample
Router(config-evpn-srv6)# exit
Associate an EVI-specific locator (sample_evi_loc) with EVI 1.

Router(config-evpn)# evi 1 segment-routing srv6
Router(config-evpn-instance)# locator sample_evi_loc
Router(config-evpn-instance)# commit
Associate SRv6 with L2VPN

Associate the sub-interface to the bridge domain:

Router(config)# l2vpn
Router(config-l2vpn)# bridge group bg1
Router(config-l2vpn-bg)# bridge-domain bd1
Router(config-l2vpn-bg-bd)# interface Hu0/0/0/0.1
Router(config-l2vpn-bg-bd-ac)# exit
Enable the evi 1 segment-routing srv6 command under L2VPN bridge domain bd1.

Router(config-l2vpn-bg-bd)# evi 1 segment-routing srv6
Router(config-l2vpn-bg-bd-evi-srv6)# commit

PiHole

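# Run Pi-hole as a detached podman container with persistent volumes for
# /etc/pihole and /etc/dnsmasq.d.
# Fix: --name and --restart were written with a typographic dash, which podman does
# not parse as options.
# NOTE(review): -e WEBPASSWORD=... on the command line ends up in shell history and
# in the process arguments; an env file passed with --env-file keeps it out of both.
# NOTE(review): -p is HOST:CONTAINER, so 80:50080 and 53:54/tcp publish container
# ports 50080 and 54 - confirm these match the ports the image actually listens on.
# NOTE(review): publishing port 53 without a host address binds every interface;
# bind it to the LAN address if the host is reachable from untrusted networks, so it
# does not become an open resolver.
sudo podman run -d --name=pihole \
  -e TZ=Europe/Amsterdam \
  -e WEBPASSWORD=%password% \
  -e SERVERIP=127.0.0.1 \
  -v pihole:/etc/pihole \
  -v dnsmasq:/etc/dnsmasq.d \
  -p 80:50080 -p 53:54/tcp -p 53:53/udp \
  --restart=unless-stopped \
  pihole/pihole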

 

 

FG – BGP toggle

execute router clear bgp ip 203.0.113.241 soft

01_asd (aspath-list) # show
config router aspath-list
edit “AS-Azure”
config rule
edit 1
set action permit
set regexp “_12076$”
next
end
next
edit “AS-AWS”
config rule
edit 1
set action permit
set regexp “_9059$”
next
end
next
end

01_asd (aspath-list) # end

01_asd (CF) # config router route-map

01_asd (route-map) # show
# BGP route-maps as printed by "show". "show" omits default values, so rules
# without "set action" are presumably permit - confirm with "show full-configuration".
# The prefix lists / access lists "To_VPN1", "RFC1918" and "DEFAULT-GATEWAY" are
# referenced here but not defined in this excerpt.
config router route-map
edit “RM-To-VPN1”
config rule
edit 1
set match-ip-address “To_VPN1”
next
end
next
# RM-To-EIC: rules 1-2 drop routes matching "RFC1918" and "DEFAULT-GATEWAY" so they
# are not passed on; rule 3 replaces the AS_PATH with 9059 for routes matching the
# AS-AWS as-path list.
# NOTE(review): "replace" discards the original AS_PATH, so downstream loop detection
# and path-length comparison no longer see the real path - keep the match narrow.
# NOTE(review): rule 4 has no match or action shown and therefore presumably acts as
# a catch-all permit; everything not denied by rules 1-2 passes. Confirm this is intended.
edit “RM-To-EIC”
config rule
edit 1
set action deny
set match-ip-address “RFC1918”
next
edit 2
set action deny
set match-ip-address “DEFAULT-GATEWAY”
next
edit 3
set match-as-path “AS-AWS”
set set-aspath-action replace
set set-aspath “9059”
next
edit 4
next
end
next
# NOTE(review): "RM-From-EIC" (hyphens) and "RM_From_EIC" (underscores) differ only
# in punctuation but do different things: the first rewrites the AS_PATH for AS-Azure
# routes and has no RFC1918 / default-route deny rules, the second carries those deny
# rules. Check which one each neighbor references, because attaching the wrong one
# silently drops the inbound filtering.
edit “RM-From-EIC”
config rule
edit 1
set match-as-path “AS-Azure”
set set-aspath-action replace
set set-aspath “12076”
next
end
next
edit “RM_From_EIC”
config rule
edit 1
set action deny
set match-ip-address “RFC1918”
next
edit 2
set action deny
set match-ip-address “DEFAULT-GATEWAY”
next
# Rule 3 is empty: presumably a catch-all permit for everything not denied above.
edit 3
next
end
next
end


 

4200064574

router bgp 64574
!
address-family ipv4 vrf ABC
neighbor 203.0.113.254 remote-as 4200064574

!
address-family ipv4 vrf ABC
neighbor 203.0.113.246 remote-as 4200064574

get router info bgp neighbors 203.0.113.241 advertised-routes

execute router clear bgp all soft (in/out)

clear bgp vrf 29595 ipv4 unicast 203.0.113.246

sh bgp vpnv4 unicast vrf ABC| inc 10.5
sh bgp vpnv4 unicast vrf ABC neighbors 203.0.113.246 advertised-routes

config router route-map
edit “EIC_Blue”
config rule
edit 1
set match-as-path “Azure”
set set-aspath “12076”
next
end
next
end

config router aspath-list
edit “From-Azure”
config rule
edit 1
set action permit
set regexp “_12076$”
next
end
next
end

config router route-map
edit “EIC_Blue”
config rule
edit 1
set match-as-path “Azure”
set set-aspath “12076”
next
end
next
end

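# Route-map "EIC-Blue": for routes whose AS_PATH matches the as-path list
# "From-Azure", replace the AS_PATH with 12076.
# Fixes: the first keyword was missing its leading "c", and the names were wrapped in
# typographic quotes, which the CLI would take as part of the name.
# NOTE(review): "replace" discards the received AS_PATH; downstream routers lose the
# real path for loop detection and path-length comparison, so keep the as-path match
# as narrow as possible.
config router route-map
    edit "EIC-Blue"
        config rule
            edit 1
                set match-as-path "From-Azure"
                set set-aspath-action replace
                set set-aspath "12076"
            next
        end
    next
end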

SRv6 – Eline

WIP

RP/0/RP0/CPU0:SR01a(config-evpn-ac-es)#l2vpn

RP/0/RP0/CPU0:SR01a(config-l2vpn)# bridge group bg-1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg)#  bridge-domain bd-1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd)#   interface Bundle-Ether350.1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-ac)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-ac)#   routed interface BVI1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-bvi)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-bvi)#   evi 350

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#  !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)# !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#comm

Mon Oct  2 10:17:53.515 CEST

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue ‘show configuration failed [inheritance]’ from this session to view the errors

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#show configuration failed

Mon Oct  2 10:18:00.496 CEST

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

l2vpn

bridge group bg-1500

  bridge-domain bd-1500

   evi 350

!!% Operation not supported (Success): This EVPN instance id is already in use with other EVPN services

   !

  !

!

!

end

interface Bundle-Ether350

description “Bundle to FG1K2”

lacp period short

lacp system mac 0350.0002.8685

load-interval 30

!

int gigabitEthernet 0/0/0/33

bundle id 350 mode active

!

interface Bundle-Ether350.1500 l2transport

encapsulation dot1q 1500

rewrite ingress tag pop 1 symmetric

!

interface BVI 1500

       host-routing

       vrf A

       ipv4 address 10.20.30.1 255.255.255.0

       mac-address 700d.0350.1500

evpn

evi 350 segment-routing srv6

  !

!

interface Bundle-Ether350

  ethernet-segment

   identifier type 0 28.68.50.00.03.50.00.15.00

  !

!

l2vpn

bridge group bg-1500

  bridge-domain bd-1500

   interface Bundle-Ether350.1500

   !

   routed interface BVI1500

   !

   evi 350

   !

  !

!

IANA IPv6 Special-Purpose Address Registry

 

IANA IPv6 Special-Purpose Address Registry

Address Block  Name  RFC  Allocation Date  Termination Date  Source  Destination  Forwardable  Globally Reachable  Reserved-by-Protocol 
::1/128 Loopback Address [RFC4291] 2006-02 N/A False False False False True
::/128 Unspecified Address [RFC4291] 2006-02 N/A True False False False True
::ffff:0:0/96 IPv4-mapped Address [RFC4291] 2006-02 N/A False False False False True
64:ff9b::/96 IPv4-IPv6 Translat. [RFC6052] 2010-10 N/A True True True True False
64:ff9b:1::/48 IPv4-IPv6 Translat. [RFC8215] 2017-06 N/A True True True False False
100::/64 Discard-Only Address Block [RFC6666] 2012-06 N/A True True True False False
2001::/23 IETF Protocol Assignments [RFC2928] 2000-09 N/A False [1] False [1] False [1] False [1] False
2001::/32 TEREDO [RFC4380] [RFC8190] 2006-01 N/A True True True N/A [2] False
2001:1::1/128 Port Control Protocol Anycast [RFC7723] 2015-10 N/A True True True True False
2001:1::2/128 Traversal Using Relays around NAT Anycast [RFC8155] 2017-02 N/A True True True True False
2001:1::3/128 DNS-SD Service Registration Protocol Anycast Address [RFC-ietf-dnssd-srp-25] 2024-04 N/A True True True True False
2001:2::/48 Benchmarking [RFC5180][RFC Errata 1752] 2008-04 N/A True True True False False
2001:3::/32 AMT [RFC7450] 2014-12 N/A True True True True False
2001:4:112::/48 AS112-v6 [RFC7535] 2014-12 N/A True True True True False
2001:10::/28 Deprecated (previously ORCHID) [RFC4843] 2007-03 2014-03          
2001:20::/28 ORCHIDv2 [RFC7343] 2014-07 N/A True True True True False
2001:30::/28 Drone Remote ID Protocol Entity Tags (DETs) Prefix [RFC9374] 2022-12 N/A True True True True False
2001:db8::/32 Documentation [RFC3849] 2004-07 N/A False False False False False
2002::/16 [3] 6to4 [RFC3056] 2001-02 N/A True True True N/A [3] False
2620:4f:8000::/48 Direct Delegation AS112 Service [RFC7534] 2011-05 N/A True True True True False
3fff::/20 Documentation [RFC9637] 2024-07 N/A False False False False False
5f00::/16 Segment Routing (SRv6) SIDs [RFC-ietf-6man-sids-06] 2024-04 N/A True True True False False
fc00::/7 Unique-Local [RFC4193] [RFC8190] 2005-10 N/A True True True False [4] False
fe80::/10 Link-Local Unicast [RFC4291] 2006-02 N/A True True False False True

Footnotes

[1]
Unless allowed by a more specific allocation.
[2]
See Section 5 of [RFC4380] for details.
[3]
See [RFC3056] for details.
[4]
See [RFC4193] for more details on the routability of Unique-Local addresses.  The Unique-Local prefix is 
drawn from the IPv6 Global Unicast Address range, but is specified as not globally routed.