NCS – stuff

upgrade hw-module location all fpd all

username beheer
group root-lr
group cisco-support
secret
!
hostname C02
!
vrf M2-DLP
address-family ipv4 unicast
!
interface MgmtEth0/RP0/CPU0/0
no shutdown
vrf M2
ipv4 address 10.10.10.10 255.255.255.0
!
router static
vrf M2-DLP
address-family ipv4 unicast
0.0.0.0/0 10.10.10.254
!
!
!
domain name winfred.eu

ssh client source-interface MgmtEth0/RP0/CPU0/0
ssh server enable cipher aes-cbc
ssh server disable hmac hmac-sha1
ssh server v2
ssh server vrf M2-DLP
!
fpd auto-upgrade enable

interface TwentyFiveGigE0/0/0/2
no shutdown
description P01
!
interface TwentyFiveGigE0/0/0/3
no shutdown
description P02

show media
dir disk2:
copy disk2:ncs540l-x64-7.8.1.iso harddisk:
show install upgrade-matrix iso /harddisk:/ncs540l-x64-7.8.1.iso

! RP/0/RP0/CPU0:P01#show install upgrade-matrix iso /harddisk:/ncs540l-x64-7.8.1$
! Fri Jan 6 15:53:47.724 UTC
! ———————————————————–
! Upgrade matrix information for system upgrade: 7.5.2->7.8.1
! ———————————————————–

XR system upgrade is supported with no additional restrictions
install package replace /harddisk:/ncs540l-x64-7.8.1.iso
install replace harddisk:/ncs540l-x64-7.8.1.iso noprompt
! install source harddisk:/ncs540l-x64-7.8.1.iso
! install package upgrade harddisk:/ncs540l-x64-7.8.1.iso
install apply reload
install commit

CSR – PPP

!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSR
!
boot-start-marker
boot-end-marker
!
!
logging count
logging snmp-authfail
logging userinfo
logging buffered 512000
logging console informational
!
ppp unique address access-accept
aaa new-model
!
!
aaa group server radius Net-Services
server-private 192.168.1.253 auth-port 1812 acct-port 1813 timeout 3 retransmit 3
ip radius source-interface GigabitEthernet1
attribute nas-port format c
!
aaa authentication login default local
aaa authentication ppp default group Net-Services
aaa authorization config-commands
aaa authorization network default group Net-Services
aaa accounting network default
action-type start-stop
group Net-Services
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.1.253
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
!
!
!
!
!
!
no ip domain lookup
ip domain name winfred.eu
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
ipv6 unicast-routing
ipv6 dhcp binding track ppp
ipv6 dhcp pool PPP-Radius
prefix-delegation aaa method-list Net-Services lifetime 7200 300
dns-server F00D::1
domain-name winfred.nl
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
bba-group pppoe global
virtual-template 10
vendor-tag remote-id service
nas-port-id format c
sessions max limit 10
sessions per-mac limit 5
sessions per-mac iwf limit 5
sessions per-vlan limit 4
sessions auto cleanup
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
ipv6 address F00D:FFFF::1/128
!
interface Loopback2
no ip address
!
interface GigabitEthernet1
ip address 192.168.1.247 255.255.255.0
negotiation auto
pppoe enable group global
no mop enabled
no mop sysid
!
interface Virtual-Template5
ip unnumbered Loopback2
ip tcp adjust-mss 1452
load-interval 30
ipv6 unnumbered Loopback1
no snmp trap link-status
keepalive 60
ppp mtu adaptive
ppp mtu pppoe unlimited
ppp authentication pap
ppp ipcp address required
!
interface Virtual-Template10
ip unnumbered Loopback2
no ip split-horizon
ip tcp adjust-mss 1452
load-interval 30
ipv6 unnumbered Loopback1
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 nd ra dns server 2001:4860:4860::4444
ipv6 dhcp server PPP-Radius
no ipv6 redirects
no ipv6 unreachables
no snmp trap link-status
keepalive 60
ppp mtu adaptive
ppp mtu pppoe unlimited
ppp authentication pap
ppp ipcp address required
!
ip forward-protocol nd
!
ip ssh version 2

!
radius-server timeout 1
radius-server deadtime 1
!
!
control-plane
!
call admission new-model
call admission limit 6
call admission cpu-limit 65
call admission pppoe 10 1
!
!
!

Cisco – VPLS

no service slave-log
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service counters max age 10
no service dhcp
!
hostname SAS-A
!
boot-start-marker
boot-end-marker
!
!
vrf definition SYNC
description SYNC
rd 64574:1
route-target export 64574:1
route-target import 64574:1
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition TEST
description TEST
rd 65001:1
route-target export 65001:1
route-target import 65001:1
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging count
logging snmp-authfail
logging userinfo
logging queue-limit 100
logging buffered 512000
logging console informational
!
aaa new-model
!
aaa session-id common
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
platform ip cef load-sharing ip-only
clock timezone CET 1 0
clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
fhrp version vrrp v3
!
ip vrf management
!
!
no ip bootp server
no ip domain-lookup
ip domain-name migratie.test

ipv6 unicast-routing
vtp mode off
!
flow monitor copp-fnf-cef-receive
record platform-original ipv4 full
!
!
!
mpls label protocol ldp
mpls ldp graceful-restart
mpls ldp session protection for backbone
mpls ldp label
allocate global prefix-list local-label-alloc
no mpls ldp advertise-labels
mpls ldp advertise-labels for backbone
!
!
!
!
!
!
!
!
!
!
!
!
!
!
logging event link-status default
!
!
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
file prompt quiet
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
port-channel load-balance src-mixed-ip-port
!
redundancy
main-cpu
auto-sync running-config
mode sso
!

vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
lldp run
!
ip tcp path-mtu-discovery
!
class-map match-any class-copp-icmp-redirect-unreachable
class-map match-all class-copp-glean
class-map match-all class-copp-receive
class-map match-all class-copp-options
class-map match-all class-copp-broadcast
class-map match-all class-copp-mcast-acl-bridged
class-map match-all class-copp-slb
class-map match-all class-copp-mtu-fail
class-map match-all class-copp-ttl-fail
class-map match-all class-copp-arp-snooping
class-map match-any class-copp-mcast-copy
class-map match-any class-copp-ip-connected
class-map match-any class-copp-match-igmp
match access-group name acl-copp-match-igmp
class-map match-all class-copp-unknown-protocol
class-map match-any class-copp-vacl-log
class-map match-all class-copp-mcast-ipv6-control
class-map match-any class-copp-match-pimv6-data
match access-group name acl-copp-match-pimv6-data
class-map match-any class-copp-mcast-punt
class-map match-all class-copp-unsupp-rewrite
class-map match-all class-copp-ucast-egress-acl-bridged
class-map match-all class-copp-ip-admission
class-map match-any class-copp-dpss-divert
class-map match-all class-copp-service-insertion
class-map match-all class-copp-mac-pbf
class-map match-any class-copp-match-mld
match access-group name acl-copp-match-mld
class-map match-all class-copp-ucast-ingress-acl-bridged
class-map match-all class-copp-dhcp-snooping
class-map match-all class-copp-wccp
class-map match-all class-copp-nd
class-map match-any class-copp-ipv6-connected
class-map match-all class-copp-mcast-rpf-fail
class-map match-any class-copp-match-ndv6hl
match access-group name acl-copp-match-ndv6hl
class-map match-any class-copp-ucast-rpf-fail
class-map match-all class-copp-mcast-ip-control
class-map match-any class-copp-match-pim-data
match access-group name acl-copp-match-pim-data
class-map match-any class-copp-match-ndv6
match access-group name acl-copp-match-ndv6
class-map match-any class-copp-mcast-v4-data-on-routedPort
class-map match-any class-copp-mcast-v6-data-on-routedPort
!
policy-map policy-default-autocopp
class class-copp-mcast-v4-data-on-routedPort
police rate 10 pps burst 1 packets conform-action drop exceed-action drop
class class-copp-mcast-v6-data-on-routedPort
police rate 10 pps burst 1 packets conform-action drop exceed-action drop
class class-copp-dpss-divert
police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
class class-copp-match-mld
police rate 5000 pps burst 5000 packets conform-action set-discard-class-transmit 48 exceed-action drop
class class-copp-match-igmp
police rate 5000 pps burst 5000 packets conform-action set-discard-class-transmit 48 exceed-action drop
class class-copp-icmp-redirect-unreachable
police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
class class-copp-ucast-rpf-fail
police rate 100 pps burst 10 packets conform-action transmit exceed-action drop
class class-copp-vacl-log
police rate 2000 pps burst 1 packets conform-action transmit exceed-action drop
class class-copp-mcast-punt
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
class class-copp-mcast-copy
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
class class-copp-ip-connected
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
class class-copp-ipv6-connected
police rate 1000 pps burst 256 packets conform-action transmit exceed-action drop
class class-copp-match-pim-data
police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
class class-copp-match-pimv6-data
police rate 1000 pps burst 1000 packets conform-action transmit exceed-action drop
class class-copp-match-ndv6hl
police rate 10 pps burst 1 packets conform-action drop exceed-action drop
class class-copp-match-ndv6
police rate 1000 pps burst 1000 packets conform-action set-discard-class-transmit 48 exceed-action drop
!
pseudowire-class VPLS
encapsulation mpls
load-balance flow
flow-label enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Loopback0
vrf forwarding SYNC
ip address 10.31.160.126 255.255.255.248
!
interface Loopback1
vrf forwarding TEST
ip address 10.1.1.1 255.255.255.255
!
!
interface Port-channel20.53
encapsulation dot1Q 53
vrf forwarding SYNC
ip address 192.0.1.0 255.255.255.254
!
interface Tunnel1
ip address 192.0.2.1 255.255.255.252
no ip redirects
ip ospf authentication message-digest
ip ospf network point-to-point
ip ospf cost 20
mpls ip
tunnel source 192.0.1.0
tunnel destination 192.0.1.1
tunnel vrf SYNC
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3050
no ip address
!
interface Vlan3051
no ip address
!
interface Vlan3052
no ip address
!
interface Vlan3053
no ip address
!
interface Vlan3054
no ip address
!
interface Vlan3055
no ip address
!
interface Vlan3056
no ip address
!
interface Vlan3057
no ip address
!
interface Vlan3058
no ip address
!
interface Vlan3059
no ip address
!
interface Vlan3500
no ip address
!
interface Vlan3501
no ip address
!
interface Vlan3502
no ip address
!
interface Vlan3503
no ip address
!
interface Vlan3504
no ip address
!
interface Vlan3505
no ip address
!
interface Vlan3506
no ip address
!
interface Vlan3507
no ip address
!
interface Vlan3508
no ip address
!
interface Vlan3509
no ip address
!
interface Vlan3510
no ip address
!
interface Vlan3511
no ip address
!
interface Vlan3512
no ip address
!
interface Vlan3513
no ip address
!
interface Vlan3514
no ip address
!
interface Vlan3515
no ip address
!
interface Vlan3516
no ip address
!
interface Vlan3517
no ip address
!
interface Vlan3518
no ip address
!
interface Vlan3519
no ip address
!
interface Vlan3520
no ip address
!
interface Vlan3521
no ip address
!
interface Vlan3522
no ip address
!
interface Vlan3523
no ip address
!
interface Vlan3524
no ip address
!
interface Vlan3525
no ip address
!
interface Vlan3526
no ip address
!
interface Vlan3527
no ip address
!
interface Vlan3528
no ip address
!
interface Vlan3529
no ip address
!
interface Vlan3530
no ip address
!
interface Vlan3531
no ip address
!
interface Vlan3532
no ip address
!
interface Vlan3533
no ip address
!
interface Vlan3534
no ip address
!
interface Vlan3535
no ip address
!
interface Vlan3536
no ip address
!
interface Vlan3537
no ip address
!
interface Vlan3538
no ip address
!
interface Vlan3539
no ip address
!
interface Vlan3540
no ip address
!
interface Vlan3541
no ip address
!
interface Vlan3542
no ip address
!
interface Vlan3543
no ip address
!
interface Vlan3544
no ip address
!
interface Vlan3545
no ip address
!
interface Vlan3546
no ip address
!
interface Vlan3547
no ip address
!
interface Vlan3548
no ip address
!
interface Vlan3549
no ip address
!
interface Vlan3550
no ip address
!
interface Vlan3551
no ip address
!
interface Vlan3552
no ip address
!
interface Vlan3553
no ip address
!
interface Vlan3554
no ip address
!
interface Vlan3555
no ip address
!
interface Vlan3556
no ip address
!
interface Vlan3557
no ip address
!
interface Vlan3558
no ip address
!
interface Vlan3559
no ip address
!
interface Vlan3560
no ip address
!
interface Vlan3561
no ip address
!
interface Vlan3562
no ip address
!
interface Vlan3563
no ip address
!
interface Vlan3564
no ip address
!
interface Vlan3565
no ip address
!
interface Vlan3566
no ip address
!
interface Vlan3567
no ip address
!
interface Vlan3568
no ip address
!
interface Vlan3569
no ip address
!
interface Vlan3570
no ip address
!
interface Vlan3571
no ip address
!
interface Vlan3572
no ip address
!
interface Vlan3573
no ip address
!
interface Vlan3574
no ip address
!
interface Vlan3575
no ip address
!
interface Vlan3576
no ip address
!
interface Vlan3577
no ip address
!
interface Vlan3578
no ip address
!
interface Vlan3579
no ip address
!
interface Vlan3580
no ip address
!
interface Vlan3581
no ip address
!
interface Vlan3582
no ip address
!
interface Vlan3583
no ip address
!
interface Vlan3584
no ip address
!
interface Vlan3585
no ip address
!
interface Vlan3586
no ip address
!
interface Vlan3587
no ip address
!
interface Vlan3588
no ip address
!
interface Vlan3589
no ip address
!
interface Vlan3590
no ip address
!
interface Vlan3591
no ip address
!
interface Vlan3592
no ip address
!
interface Vlan3593
no ip address
!
interface Vlan3594
no ip address
!
interface Vlan3595
no ip address
!
interface Vlan3596
no ip address
!
interface Vlan3597
no ip address
!
interface Vlan3598
no ip address
!
interface Vlan3599
no ip address
!
interface Virtual-Ethernet1
switchport
switchport mode trunk
switchport trunk allowed vlan 3050-3059,3500-3599
transport vpls mesh
neighbor 192.0.2.2 pw-class VPLS
!
router ospf 1
router-id 192.0.2.1
auto-cost reference-bandwidth 10000
redistribute connected subnets
passive-interface default
no passive-interface Tunnel1
network 192.0.2.0 0.0.0.255 area 0
!
router bgp 65001
bgp router-id 192.0.0.1
bgp log-neighbor-changes
bgp graceful-restart extended
bgp sso route-refresh-enable
neighbor 192.0.2.2 remote-as 65001
neighbor 192.0.2.2 update-source Tunnel1
!
address-family ipv4
redistribute connected
neighbor 192.0.2.2 activate
exit-address-family
!
address-family vpnv4
neighbor 192.0.2.2 activate
neighbor 192.0.2.2 send-community extended
exit-address-family
!
address-family ipv6
exit-address-family
!
address-family vpnv6
neighbor 192.0.2.2 activate
neighbor 192.0.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf TEST
redistribute connected
exit-address-family
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route vrf SYNC 10.31.160.96 255.255.255.248 192.0.1.1 name FNB-SAS-B
ip ssh time-out 60
ip ssh source-interface mgmt0
ip ssh version 2
ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-cbc
!
ip access-list standard backbone
permit 192.0.2.0 0.0.0.255
!
ip access-list extended acl-copp-match-igmp
permit igmp any any
ip access-list extended acl-copp-match-pim-data
deny pim any host 224.0.0.13
permit pim any any
!
!
!
!
!
!
ipv6 access-list acl-copp-match-mld
permit icmp any any mld-report
permit icmp any any mld-query
permit icmp any any mld-reduction
permit icmp any any 143
!
ipv6 access-list acl-copp-match-ndv6
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any router-advertisement
permit icmp any any router-solicitation
permit icmp any any redirect
!
ipv6 access-list acl-copp-match-ndv6hl
permit icmp any any nd-na hoplimit
permit icmp any any nd-ns hoplimit
permit icmp any any router-advertisement hoplimit
permit icmp any any router-solicitation hoplimit
permit icmp any any redirect hoplimit
!
ipv6 access-list acl-copp-match-pimv6-data
deny 103 any host FF02::D
permit 103 any any
!
control-plane
service-policy input policy-default-autocopp
!
!
vstack
!
line con 0
media-type rj45
line aux 0
line vty 0 4
transport input ssh
line vty 5 1509
transport input ssh
!
diagnostic bootup level minimal
end

Cisco – DHCP vrf

ip dhcp excluded-address vrf 3958 10.15.0.252 10.15.0.254
ip dhcp excluded-address vrf 3958 10.15.0.0 10.15.0.100
ip dhcp excluded-address vrf 3958 10.15.0.150 10.15.0.163
!
ip dhcp pool MERAKI-beheer
vrf 3958
network 10.15.0.0 255.255.255.0
domain-name routit.com
default-router 10.15.0.254
dns-server 213.144.235.1 213.144.235
!
interface GigabitEthernet4/1.1200
description Meraki – Management
encapsulation dot1Q 1200 native
vrf forwarding 3958
ip address 10.15.0.252 255.255.255.0
no ip redirects
no ip proxy-arp
vrrp 101 ip 10.15.0.254
vrrp 101 priority 99

SRv6 – EVPN

net 31.0000.0000.%IPv6_location + IPv6_nodeID%.00
net 31.0000.0000.0001.0005.00

router isis 1
is-type level-2-only
net 31.0000.0000.0002.0006.00
nsr
nsf ietf
nsf lifetime 20
nsf interface-timer 15
nsf interface-expires 1
log adjacency changes
!
int Te0/0/0/8
address-family ipv6 unicast
fast-reroute per-prefix
fast-reroute per-prefix tiebreaker srlg-disjoint index 100
fast-reroute per-prefix ti-lfa
int Te0/0/0/35
address-family ipv6 unicast
fast-reroute per-prefix
fast-reroute per-prefix tiebreaker srlg-disjoint index 100
fast-reroute per-prefix ti-lfa

%IPv6_locator%

segment-routing
srv6
logging locator status
encapsulation
source-address 1::1
!
locators
locator S2
prefix fc00:700d:0:105::/64
!
!
!
!

fc00:700d:0:105::1
fc00:700d:0:206::1

router bgp 64574
nsr
bgp router-id 198.51.100.20
bgp graceful-restart
segment-routing srv6
locator S2
!
address-family vpnv4 unicast
segment-routing srv6
locator S2
!
!
address-family vpnv6 unicast
segment-routing srv6
locator S2
!
!
address-family l2vpn evpn
!
neighbor fc00:700d:0:105::1
remote-as 64574
update-source Loopback0
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
address-family l2vpn evpn
!
!
vrf A
rd 1:1
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
!
vrf 200
rd 1:200
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
!
!

vrf TEST
address-family ipv4 unicast
import route-target
64574:777
!
export route-target
64574:777
!
router bgp 64574
!
vrf TEST
rd 64574:777
address-family ipv4 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected
!
address-family ipv6 unicast
segment-routing srv6
alloc mode per-vrf
!
redistribute connected

neighbor fc00:700d:0:105::1
remote-as 64574
update-source Loopback0
address-family vpnv4 unicast
!
address-family vpnv6 unicast
!
address-family l2vpn evpn
!
interface Loopback0
address-family ipv6 unicast

call-home
service active
contact smart-licensing
profile CiscoTAC-1
active
destination transport-method email disable
destination transport-method http
!
!
interface Bundle-Ether50
description sr06
mtu 9000
lacp period short
lldp
!
load-interval 30
!
interface Bundle-Ether200
description – po200
mtu 9000
lacp period short
lldp
enable
!
load-interval 30
!
interface Bundle-Ether300
description – po300
mtu 9000
lacp period short
lldp
enable
!
load-interval 30
!

!
interface TenGigE0/0/0/11
description 2 – te1/4
bundle id 50 mode active
lldp
!
!
interface TenGigE0/0/0/12
description a5a – te
mtu 9000
lldp
enable
!
!
interface TenGigE0/0/0/31
description a5b – te
mtu 9000
lldp
enable
!
!
interface TenGigE0/0/0/32
description a- te1/17
bundle id 50 mode active
lldp
!
!


!
interface TwentyFiveGigE0/0/0/4
shutdown
!
interface TwentyFiveGigE0/0/0/5
shutdown
!
interface TwentyFiveGigE0/0/0/6
description ah2-prod-fg-le02 – p25
bundle id 200 mode active
!
interface TwentyFiveGigE0/0/0/7
shutdown
!
interface TwentyFiveGigE0/0/0/9
description ah2-prod-fg-le02 – ha1
mtu 9000
lldp
enable
!

evpn
segment-routing srv6
locator S2
!
!
!
l2vpn
xconnect group 2002
p2p 2002
interface TwentyFiveGigE0/0/0/34
neighbor evpn evi 2002 service 2002 segment-routing srv6
locator S2
!
!
!
!

EVPN based point-to-point (E-Line)
evpn
evi 2002 segment-routing srv6
advertise-mac
!
locator S2
!
interface TwentyFiveGigE0/0/0/34
!
segment-routing srv6
!
!

evpn
segment-routing srv6
locator S2

l2vpn
xconnect group 2002
p2p 2002
interface TwentyFiveGigE0/0/0/34
neighbor evpn evi 2002 service 2002 segment-routing srv6 locator S2

interface TwentyFiveGigE0/0/0/15
shutdown
!
interface TwentyFiveGigE0/0/0/16
shutdown
!
interface TwentyFiveGigE0/0/0/17
shutdown
!
interface TwentyFiveGigE0/0/0/18
shutdown
!
interface TwentyFiveGigE0/0/0/19
shutdown
!
interface TwentyFiveGigE0/0/0/20
shutdown
!
interface TwentyFiveGigE0/0/0/21
shutdown
!
interface TwentyFiveGigE0/0/0/22
shutdown
!
interface TwentyFiveGigE0/0/0/23
shutdown
!
interface HundredGigE0/0/0/24
shutdown
!
interface HundredGigE0/0/0/25
shutdown
!
interface HundredGigE0/0/0/26
shutdown
!
interface HundredGigE0/0/0/27
shutdown
!
interface TwentyFiveGigE0/0/0/28
shutdown
!
interface TwentyFiveGigE0/0/0/29
shutdown
!

interface preconfigure TenGigE0/0/0/36
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/8
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/11
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/12
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/31
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/32
shutdown
!
interface preconfigure TwentyFiveGigE0/0/0/35
shutdown
!

RP/0/RP0/CPU0:ah2-prod-sr-06#sh int BE200.1
Tue Apr 23 14:39:36.986 CEST
Bundle-Ether200.1 is up, line protocol is up
Interface state transitions: 1
Hardware is VLAN sub-interface(s), address is 9433.d801.05d3
Internet address is /31
MTU 9004 bytes, BW 50000000 Kbit (Max: 50000000 Kbit)
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation 802.1Q Virtual LAN, VLAN Id 2000, loopback not set,
Last link flapped 5d23h
ARP type ARPA, ARP timeout 04:00:00
Last input 00:00:00, output 00:00:00
Last clearing of “show interface” counters never
5 minute input rate 5000 bits/sec, 8 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4021515 packets input, 329455046 bytes, 0 total input drops
0 drops for unrecognized upper-level protocol
Received 36 broadcast packets, 0 multicast packets
15311 packets output, 704306 bytes, 0 total output drops
Output 0 broadcast packets, 0 multicast packets

 RP/0/RP0/CPU0:ah2-prod-sr-06#sh run int BE200.1

Tue Apr 23 14:40:06.202 CEST
no int BE200.1

interface Bundle-Ether200.2000

vrf 10
ipv4 address 10.10.10.1 255.255.255.0
encapsulation dot1q 2000
!

no interface Bundle-Ether200.2000
interface BVI 2000
host-routing
vrf 10
ipv4 address 10.20.10.2 255.255.255.0
mac-address 64.574.2000
!
interface Bundle-Ether200.2000 l2transport
encapsulation dot1q 2000
rewrite ingress tag pop 1 symmetric
!
l2vpn
bridge group bg-2000
bridge-domain bd-2000
interface Bundle-Ether200.2000
!
routed interface BVI2000
!
evi 200
!
!
!
!

SSH server – alg

ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com aes256-cbc
ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com

ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521 ed25519
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256

ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com aes256-cbc
ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521 ed25519
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256

ssh server algorithms cipher aes128-gcm@openssh.com aes256-gcm@openssh.com
ssh server algorithms host-key ecdsa-nistp256 ecdsa-nistp384 ecdsa-nistp521
ssh server algorithms key-exchange ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
ssh server v2

ssh server algorithms cipher aes256-gcm@openssh.com

SRv6 –

Router(config-evpn)# segment-routing srv6
Router(config-evpn-srv6)# locator sample
Router(config-evpn-srv6)# exit
Associate an EVI-specific locator (sample_evi_loc) with EVI 1.

Router(config-evpn)# evi 1 segment-routing srv6
Router(config-evpn-instance)# locator sample_evi_loc
Router(config-evpn-instance)# commit
Associate SRv6 with L2VPN

Associate the sub-interface to the bridge domain:

Router(config)# l2vpn
Router(config-l2vpn)# bridge group bg1
Router(config-l2vpn-bg)# bridge-domain bd1
Router(config-l2vpn-bg-bd)# interface Hu0/0/0/0.1
Router(config-l2vpn-bg-bd-ac)# exit
Enable the evi 1 segment-routing srv6 command under L2VPN bridge domain bd1.

Router(config-l2vpn-bg-bd)# evi 1 segment-routing srv6
Router(config-l2vpn-bg-bd-evi-srv6)# commit

SRv6 – Eline

WIP

RP/0/RP0/CPU0:SR01a(config-evpn-ac-es)#l2vpn

RP/0/RP0/CPU0:SR01a(config-l2vpn)# bridge group bg-1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg)#  bridge-domain bd-1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd)#   interface Bundle-Ether350.1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-ac)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-ac)#   routed interface BVI1500

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-bvi)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-bvi)#   evi 350

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#   !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#  !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)# !

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#comm

Mon Oct  2 10:17:53.515 CEST

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue ‘show configuration failed [inheritance]’ from this session to view the errors

RP/0/RP0/CPU0:SR01a(config-l2vpn-bg-bd-evi)#show configuration failed

Mon Oct  2 10:18:00.496 CEST

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

l2vpn

bridge group bg-1500

  bridge-domain bd-1500

   evi 350

!!% Operation not supported (Success): This EVPN instance id is already in use with other EVPN services

   !

  !

!

!

end

interface Bundle-Ether350

description “Bundle to FG1K2”

lacp period short

lacp system mac 0350.0002.8685

load-interval 30

!

int gigabitEthernet 0/0/0/33

bundle id 350 mode active

!

interface Bundle-Ether350.1500 l2transport

encapsulation dot1q 1500

rewrite ingress tag pop 1 symmetric

!

interface BVI 1500

       host-routing

       vrf A

       ipv4 address 10.20.30.1 255.255.255.0

       mac-address 700d.0350.1500

evpn

evi 350 segment-routing srv6

  !

!

interface Bundle-Ether350

  ethernet-segment

   identifier type 0 28.68.50.00.03.50.00.15.00

  !

!

l2vpn

bridge group bg-1500

  bridge-domain bd-1500

   interface Bundle-Ether350.1500

   !

   routed interface BVI1500

   !

   evi 350

   !

  !

!

Central Services Topology

> Question:  Have also seen comments in forum like. The best practice for this Hub and Spoke is to use TWO VRF in Hub site – “From-Spoke” and “To-Spoke”

 

This is immaterial implementation detail. Some shops do this, because their automation system abstracts VRF into set of import/export statements and clients share set and hubs share different set. Also if you have hub and spoke in the same PE, you’re going to need another name, if not, single name is fine, but may be more difficult to automate as name does not imply config.

 

ipv4 vrf hubs

  route-target export 42:hubs

  route-target import 42:spokes

ipv4 vrf spokes

  route-target export 42:spokes

  route-target import 42:hubs

 

Now the problem with this approach is that if you have >1 spokes in the same PE, they are able to communicate to each other. To work around this, you’ll need ‘half duplex VRF’, where ingress and egress RIB/FIB are different.

Packets coming from spokes look at FibA, packets going to spokes look at FibB. FibA has only route to hubs, FibA has only routes to spokes.

 

ip vrf spokesIn

  route-target import 42:hubs

ip vrf spokesOut

  route-target export 42:spokes

ip vrf hubs

   route-target export 42:hubs

   route-target import 42:spokes

 

PE1:

int Spoke1

  ip vrf forwarding spokesIn downstream spokesOut

int Spoke2

  ip vrf forwarding spokesIn downstream spokesOut

int Hub1

  ip vrf hubs

int Hub2

  ip vrf hubs
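
The isolation argument above, worked through as an added example (not part of the original post or of any vendor tooling): a small Python model that computes which sites a PE can forward between directly under the single `spokes` VRF and under the half-duplex `spokesIn`/`spokesOut` pair. The `Vrf` and `Site` types, the helper names and the PE2-attached `Spoke3` are assumptions for illustration; the model treats a route as visible when it sits in the same VRF on the same PE, or when its export route-target matches an import of the lookup VRF.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Vrf:
    name: str
    imports: frozenset
    exports: frozenset


@dataclass(frozen=True)
class Site:
    name: str
    pe: str
    role: str        # "spoke" or "hub"
    lookup_vrf: str  # table consulted for packets arriving from the site
    route_vrf: str   # table that holds and exports the site's own routes


def vrf(name, imports=(), exports=()):
    return Vrf(name, frozenset(imports), frozenset(exports))


def can_forward(src, dst, vrfs):
    """True if the PE facing src has a route to dst in src's lookup table."""
    lookup, origin = vrfs[src.lookup_vrf], vrfs[dst.route_vrf]
    # Sites in one VRF on one PE share a table, no route-target needed.
    same_table = src.pe == dst.pe and src.lookup_vrf == dst.route_vrf
    # Otherwise the route must be imported by route-target.
    imported = bool(origin.exports & lookup.imports)
    return same_table or imported


def forwarding_pairs(sites, vrfs):
    """All ordered (src, dst) pairs that can be forwarded without a hub."""
    return {(a.name, b.name)
            for a, b in permutations(sites, 2) if can_forward(a, b, vrfs)}


def spoke_leaks(sites, vrfs):
    """Spoke-to-spoke pairs that bypass the hub, sorted for stable output."""
    roles = {s.name: s.role for s in sites}
    return sorted(p for p in forwarding_pairs(sites, vrfs)
                  if roles[p[0]] == roles[p[1]] == "spoke")


# Design 1 from the post: one VRF for spokes, one for hubs.
SIMPLE_VRFS = {
    "hubs": vrf("hubs", imports={"42:spokes"}, exports={"42:hubs"}),
    "spokes": vrf("spokes", imports={"42:hubs"}, exports={"42:spokes"}),
}
SIMPLE_SITES = [
    Site("Spoke1", "PE1", "spoke", "spokes", "spokes"),
    Site("Spoke2", "PE1", "spoke", "spokes", "spokes"),
    Site("Spoke3", "PE2", "spoke", "spokes", "spokes"),  # constructed site
    Site("Hub1", "PE1", "hub", "hubs", "hubs"),
    Site("Hub2", "PE1", "hub", "hubs", "hubs"),
]

# Design 2 from the post: half-duplex VRF, separate ingress and egress tables.
HD_VRFS = {
    "hubs": vrf("hubs", imports={"42:spokes"}, exports={"42:hubs"}),
    "spokesIn": vrf("spokesIn", imports={"42:hubs"}),
    "spokesOut": vrf("spokesOut", exports={"42:spokes"}),
}
HD_SITES = [
    Site("Spoke1", "PE1", "spoke", "spokesIn", "spokesOut"),
    Site("Spoke2", "PE1", "spoke", "spokesIn", "spokesOut"),
    Site("Spoke3", "PE2", "spoke", "spokesIn", "spokesOut"),  # constructed site
    Site("Hub1", "PE1", "hub", "hubs", "hubs"),
    Site("Hub2", "PE1", "hub", "hubs", "hubs"),
]

if __name__ == "__main__":
    print("single spokes VRF :", spoke_leaks(SIMPLE_SITES, SIMPLE_VRFS))
    print("half-duplex VRF   :", spoke_leaks(HD_SITES, HD_VRFS))
```

In the single-VRF design only the two spokes sharing PE1 leak to each other; the spoke on PE2 is already isolated by the route-targets, which is why the gap is easy to miss when each PE is tested with one spoke.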

 
