IANA IPv6 Special-Purpose Address Registry

 

IANA IPv6 Special-Purpose Address Registry

Address Block  Name  RFC  Allocation Date  Termination Date  Source  Destination  Forwardable  Globally Reachable  Reserved-by-Protocol 
::1/128 Loopback Address [RFC4291] 2006-02 N/A False False False False True
::/128 Unspecified Address [RFC4291] 2006-02 N/A True False False False True
::ffff:0:0/96 IPv4-mapped Address [RFC4291] 2006-02 N/A False False False False True
64:ff9b::/96 IPv4-IPv6 Translat. [RFC6052] 2010-10 N/A True True True True False
64:ff9b:1::/48 IPv4-IPv6 Translat. [RFC8215] 2017-06 N/A True True True False False
100::/64 Discard-Only Address Block [RFC6666] 2012-06 N/A True True True False False
2001::/23 IETF Protocol Assignments [RFC2928] 2000-09 N/A False [1] False [1] False [1] False [1] False
2001::/32 TEREDO [RFC4380] [RFC8190] 2006-01 N/A True True True N/A [2] False
2001:1::1/128 Port Control Protocol Anycast [RFC7723] 2015-10 N/A True True True True False
2001:1::2/128 Traversal Using Relays around NAT Anycast [RFC8155] 2017-02 N/A True True True True False
2001:1::3/128 DNS-SD Service Registration Protocol Anycast Address [RFC-ietf-dnssd-srp-25] 2024-04 N/A True True True True False
2001:2::/48 Benchmarking [RFC5180][RFC Errata 1752] 2008-04 N/A True True True False False
2001:3::/32 AMT [RFC7450] 2014-12 N/A True True True True False
2001:4:112::/48 AS112-v6 [RFC7535] 2014-12 N/A True True True True False
2001:10::/28 Deprecated (previously ORCHID) [RFC4843] 2007-03 2014-03          
2001:20::/28 ORCHIDv2 [RFC7343] 2014-07 N/A True True True True False
2001:30::/28 Drone Remote ID Protocol Entity Tags (DETs) Prefix [RFC9374] 2022-12 N/A True True True True False
2001:db8::/32 Documentation [RFC3849] 2004-07 N/A False False False False False
2002::/16 [3] 6to4 [RFC3056] 2001-02 N/A True True True N/A [3] False
2620:4f:8000::/48 Direct Delegation AS112 Service [RFC7534] 2011-05 N/A True True True True False
3fff::/20 Documentation [RFC9637] 2024-07 N/A False False False False False
5f00::/16 Segment Routing (SRv6) SIDs [RFC-ietf-6man-sids-06] 2024-04 N/A True True True False False
fc00::/7 Unique-Local [RFC4193] [RFC8190] 2005-10 N/A True True True False [4] False
fe80::/10 Link-Local Unicast [RFC4291] 2006-02 N/A True True False False True

Footnotes

[1]
Unless allowed by a more specific allocation.
[2]
See Section 5 of [RFC4380] for details.
[3]
See [RFC3056] for details.
[4]
See [RFC4193] for more details on the routability of Unique-Local addresses.  The Unique-Local prefix is 
drawn from the IPv6 Global Unicast Address range, but is specified as not globally routed.

FortiLink mode over a layer-3 network

 

In some cases, the requirement is to bring up a FortiSwitch in FortiLink mode, but the FortiSwitch is not directly connected to the FortiGate.

There is a layer 3 network between FortiGate and FortiSwitch.

 

Read the below link before starting the configuration:

https://docs.fortinet.com/document/fortiswitch/7.2.4/fortilink-guide/801182/fortilink-mode-over-a-la…

https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801182/fortilink-mod…

 

Note that the layer3 FortiLink config has changed from the 7.2.x version and above.

 

Refer to the below configuration:

FortiGate v7.2.4.

FortiSwitch v7.2.3.

 

 

sachitdas_FTNT_2-1685432383588.png

AAA – Tacacs+

AAA on IOS-XR (NCS540)

 
aaa authorization exec LOCAL local
aaa authorization exec TACACS group TACACS local

aaa authentication login LOCAL local
aaa authentication login TACACS group TACACS local

aaa accounting exec default start-stop group TACACS
aaa accounting system default start-stop group TACACS
aaa accounting commands default start-stop group TACACS

aaa group server tacacs+ TACACS
 server 10.0.0.1
 server 10.0.0.2

tacacs-server host 10.0.0.1 port 49
 key 7 xxx
!
tacacs-server host 10.0.0.2 port 49
 key 7 xxx
!
username admin
 group root-lr
 secret 10 xxx

line console
 authorization exec LOCAL
 login authentication LOCAL
 exec-timeout 12 0
!
line default
 authorization exec TACACS
 login authentication TACACS
 exec-timeout 12 0
 transport input ssh

Central Services Topology

> Question:  Have also seen comments in foreeum like. The best practice for this Hub and Spoke is to use TWO VRF in Hub site – “From-Spoke” and “To-Spoke”

 

This is immaterial implementation detail. Some shops do this, because their automation system abstracts VRF into set of import/export statements and clients share set and hubs share different set. Also if you have hub and spoke in the same PE, you’re going to need another name, if not, single name is fine, but may be more difficult to automate as name does not imply config.

 

ipv4 vrf hubs

  route-target export 42:hubs

  route-target import 42:spokes

ipv4 vrf spokes

  route-target export 42:spokes

  route-target import 42:hubs

 

Now the problem with this approach is that if you have >1 spokes in the same PE, they are able to communicate to each other. To workaround this, you’ll need ‘half duplex VRF’, where ingress and egress RIB/FIB are different.

Packets coming from spokes look at FibA, packets going to spokes look at FibB. FibA has only route to hubs, FibA has only routes to spokes.

 

ip vrf spokesIn

  route-target import 42:hubs

ip vrf spokesOut

  route-target export 42:spokes

ip vrf hubs

   route-target export 42:hubs

   route-target import 42:spokes

 

PE1:

int Spoke1

  ip vrf forwarding spokesIn downstream spokesOut int Spoke2

  ip vrf forwarding spokesIn downstream spokesOut int Hub1

  ip vrf hubs

int Hub2

  ip vrf hubs

 

Fortigate FGSP

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46111&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD46242&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=164542366&stateId=0%200%20164540878%27

Ansible – Fortigate

Ansible :

https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
https://docs.ansible.com/ansible/latest/modules/fortios_system_email_server_module.html#status

https://help.github.com/en/github/setting-up-and-managing-your-github-user-account/setting-your-commit-email-address

https://github.com/ansible/ansible/issues/48859

https://docs.ansible.com/ansible/latest/user_guide/vault.html

IOS:

https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html
https://docs.ansible.com/ansible/latest/plugins/connection/network_cli.html

Fortigate:

Modules (overzicht)
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_modules.html
https://docs.ansible.com/ansible/latest/modules/fortios_ipv4_policy_module.html

https://galaxy.ansible.com/fortinet/fortios
https://pypi.org/project/fortiosapi/
https://docs.ansible.com/ansible/latest/modules/fortios_alertemail_setting_module.html
https://ftnt-ansible-docs.readthedocs.io/en/latest/fortios_playbooks/fortios_alertemail_setting.html

Fortios playbooks

Policy’s

Fortigate RestAPI Config Backup – FortiOS 6.0.4

1 2 3 8