Cisco SD-Routing Service Provider L2 L3 VPN YANG Commands

Service provider configuration examples for Layer 2 and Layer 3 VPN YANG commands

Configuration example for DC1


!
! Last configuration change at 10:37:45 UTC Wed Nov 6 2024 by admin
!
version 17.15
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform hardware throughput crypto 10G
!
hostname DC1
!
boot-start-marker
boot system bootflash:packages.conf
boot system bootflash:c8000aep-universalk9.BLD_POLARIS_DEV_LATEST_20240415_003241.SSA.bin
! Warning: Booting with bundle mode will be deprecated in the near future. Migration to install mode is required.
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition sdroute_vrf1
 rd 8:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 512000
logging persistent size 104857600 filesize 10485760
no logging console
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local 
aaa authorization network abcd group tacacs+ 
aaa accounting send stop-record authentication failure vrf Mgmt-intf
aaa accounting send stop-record authentication failure vrf sdroute_vrf1
aaa accounting delay-start all
aaa accounting update periodic 800
!
!
aaa server radius dynamic-author
!
aaa session-id common
!
!
subscriber templating
ip arp proxy disable
!
ip host vbond1 70.70.70.125
ip name-server 72.163.128.140
no ip domain lookup
!
!
!
!
!
!
ip bootp server
!
!
!
login on-success log
!
!
!
!
!
ipv6 unicast-routing
!
!
! 
! 
! 
! 

parameter-map type inspect-global
 log flow-export v9 udp destination 10.10.10.10 8000
 log flow-export template timeout-rate 10
 log dropped-packets
 multi-tenancy
 alert on

parameter-map type inspect log-pmap_
 log flow

parameter-map type inspect param_udp
 udp idle-time 30000
 udp half-open idle-time 2147480 
 session packet 100
!
!
! Self-signed trustpoint for the device's own certificate; the trustpoint name,
! subject CN and RSA key pair all carry the same numeric suffix.
! NOTE(review): "hash sha256" is set here, but the stored certificate in the
! chain for this trustpoint carries the sha1WithRSAEncryption signature OID
! (2A864886 F70D0101 05), so it appears to have been generated before this
! setting applied. Regenerate it if a SHA-256 signature is required.
crypto pki trustpoint TP-self-signed-1139380136
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1139380136
 ! Revocation checking is disabled for this trustpoint.
 revocation-check none
 rsakeypair TP-self-signed-1139380136
 hash sha256
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!
!
crypto pki certificate chain TP-self-signed-1139380136
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31313339 33383031 3336301E 170D3233 30313132 30343132 
  33385A17 0D333330 31313130 34313233 385A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31333933 
  38303133 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 
  0A028201 0100B048 7698D2C2 0DA4C147 A90CDED8 07962D1E 26CCF57F 6CB17C32 
  8C482C7E 119CBCA1 6BF5E5C3 78EAB3F2 5FC465F3 4BB492C8 33ABE8D0 3E2C9D41 
  2BDDCDC3 AC7E5F0C C332E3D3 2636B084 CC0706DD 9BBC6B43 1438490C 841DB973 
  CDC80240 6AC40A84 FC09AA03 7400FB36 B9DB11BD 5831C190 C6FE7A46 EF1150DB 
  10BD97E2 5D7C6F25 777CD49C DAAF4392 5197BCA8 B2BD21E7 4B33DACB 450B2C48 
  D05BB28E EC8A5B63 09B8F83A 846088B7 674742E9 A8C58129 D3A0855A 3BEDEC79 
  438B95EA B79E6EF8 FBC3F7D4 C2DC77BD FC1E2E92 196DBB9A 8C1D7307 F3854E4B 
  C089E454 86DAB463 9A88EA0F 8C9617AC B18DDB41 D51FA93E 34176FA9 7125AB4A 
  ECDAFEDD A81B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 
  301F0603 551D2304 18301680 1476AD7C CCA79E3C 4854D2E5 AEB2E232 8B632604 
  44301D06 03551D0E 04160414 76AD7CCC A79E3C48 54D2E5AE B2E2328B 63260444 
  300D0609 2A864886 F70D0101 05050003 82010100 24AE2912 60EDEF63 432CF65A 
  5D092637 1AC00373 B0A1D565 5F62C998 2D3A04C0 D9D25260 E54B337B 7E79991D 
  C7FEAA49 875EE478 B9A4BFAB EB5CFB8C BC37685B D2E2D0DA 6A25E44E 407B0898 
  9466A635 48731280 44002CD2 BF1BC7BD 6512FCB4 8835E45D E6C62A41 9A1A94F8 
  C6FFC239 77854A00 285A1CD3 A79760B3 0003E8FD F4466C66 1AAF2F3D 2475BA09 
  7C126D00 9B3BA2F2 0EA0B41D D82BF6B7 1F5DF584 05CFB5C9 FCCA417E F66302C8 
  3ED3BDA8 14892DE5 6E89B873 5EA7A348 2161D824 C12DF72F 2FE0A5F3 E1884B38 
  68B70DEF 7D369437 8299BBFF 06630EA1 E644A20B F94FFAB7 3F5537C4 6B6E101C 
  51B2D289 510E994C 8E37CA46 425FBAB3 FC438142
  	quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934 
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305 
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D 
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520 
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE 
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC 
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188 
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7 
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191 
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44 
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201 
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85 
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500 
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905 
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B 
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8 
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C 
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B 
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678 
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB 
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0 
  D697DF7F 28
  	quit
!
!
!
!
!
!
!
!
!
license udi pid C8500-12X4QC sn TTM262509TW
license accept end user agreement
license boot level network-advantage
!
!
!
!
!
object-group service zbfw_svc 
 ip
!
memory free low-watermark processor 682127
hw-module subslot 0/1 mode 10G
hw-module subslot 0/2 mode 40G
hw-module subslot 0/2 breakout none port all
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
! Local accounts used by "aaa authentication login default local".
! Both are privilege 15 and store type 9 secrets.
! NOTE(review): these hash strings are published with the example, so do not
! reuse them. Set your own, e.g. "username <USER> privilege 15 secret <YOUR-SECRET>".
! NOTE(review): user-check also has privilege 15; confirm that a second
! full-privilege account is needed, or lower its privilege level.
username admin privilege 15 secret 9 $9$PSlkFl7oqMoQBE$cpeqITQ6XgUkxXzR7dhCtqrXXGD/owBl/NRdvf6XZBo
username user-check privilege 15 secret 9 $9$urx8S66CWfSQXT$/C4lIY/mj1fMVKLbwvFKBPafxAVfdGQjPu/DweMKuv2
!
redundancy
 mode none
!
!
!
!
!
!
!
cdp run
!
lldp run
!
class-map type inspect match-all gs-gd-policy_9262023174528164_0-seq-Rule1-cm_
 match access-group name gs-gd-policy_9262023174528164_0-seq-Rule1-acl_
!
policy-map type inspect gs-gd-policy_9262023174528164_0
 class type inspect gs-gd-policy_9262023174528164_0-seq-Rule1-cm_
  inspect log-pmap_
 class class-default
  drop
!
!
zone security trial-zp1
zone security trial-zp2
zone-pair security ZP_trial-zp1_trial-z_-1198719209 source trial-zp1 destination trial-zp2
 service-policy type inspect gs-gd-policy_9262023174528164_0
! 
! Keyring referenced by ISAKMP profile GS-GRE:ISAKMP.
! NOTE(review): the pre-shared key is bound to the wildcard address
! 0.0.0.0 0.0.0.0 (any peer) and the sample value is the literal word "cisco".
! In a deployment, configure one long random key per peer, e.g.
! "pre-shared-key address <PEER-IP> key <UNIQUE-RANDOM-KEY>".
crypto keyring GS-GRE:ISAKMPKEY  
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
!
!
!
!
! IKEv1 (ISAKMP) phase-1 proposals. Both authenticate with a pre-shared key and
! use Diffie-Hellman group 14. "hash sha" selects SHA-1; plain "encryption aes"
! selects 128-bit AES, while policy 10 uses 256-bit AES.
! NOTE(review): prefer a SHA-2 hash (for example "hash sha256") where every
! peer supports it.
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! NOTE(review): global wildcard pre-shared key. Address 0.0.0.0 matches any
! peer, and the sample key is the literal word "cisco". Replace with per-peer
! keys, e.g. "crypto isakmp key <UNIQUE-RANDOM-KEY> address <PEER-IP>".
crypto isakmp key cisco address 0.0.0.0        
crypto isakmp invalid-spi-recovery
! Keepalive (dead-peer detection): 20-second interval, 5-second retry.
crypto isakmp keepalive 20 5
! Profile that matches any peer identity address and takes its key from
! keyring GS-GRE:ISAKMPKEY.
crypto isakmp profile GS-GRE:ISAKMP
   keyring GS-GRE:ISAKMPKEY
   match identity address 0.0.0.0 
!
! Global IPsec SA settings: the traffic-volume (kilobyte) lifetime is disabled
! and the anti-replay window is set to 1024 packets.
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
! Two ESP transform sets, both in transport mode with HMAC-SHA-1 integrity
! (esp-sha-hmac): IPSEC uses 128-bit AES, GS-GRE:TRANSFORMSET uses 256-bit AES.
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac 
 mode transport
crypto ipsec transform-set GS-GRE:TRANSFORMSET esp-aes 256 esp-sha-hmac 
 mode transport
!
! Profile attached to Tunnel13, Tunnel15 and Tunnel20 through
! "tunnel protection ipsec profile GS-GRE:IPSEC"; it ties the AES-256 transform
! set to ISAKMP profile GS-GRE:ISAKMP.
crypto ipsec profile GS-GRE:IPSEC
 set transform-set GS-GRE:TRANSFORMSET 
 set isakmp-profile GS-GRE:ISAKMP
!
! Profile IPSEC (AES-128 transform set) is defined but not attached to any
! tunnel interface in the DC1 configuration shown.
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
!
! 
! 
!
!
interface Loopback1
 ip address <removed>
!
interface Loopback10
 ip address <removed>
 ipv6 address <removed>
!
interface Port-channel10
 ip address <removed>
 ipv6 address <removed>
!
interface Tunnel13
 ip address <removed>
 load-interval 30
 ipv6 address <removed>
 tunnel source TenGigabitEthernet0/0/0
 tunnel destination 11.0.1.2
 tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel15
 ip address <removed>
 load-interval 30
 tunnel source FortyGigabitEthernet0/2/0
 tunnel destination 14.1.1.1
 tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel20
 ip address <removed>
 ipv6 address <removed>
 tunnel source TenGigabitEthernet0/0/4
 tunnel destination 11.20.1.2
 tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel1900
 ip address <removed>
 ip access-group try-new1 in
 ip access-group try-new1 out
!
interface Tunnel2900
 ip address negotiated
 no ip redirects
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 185:6:2::/64
!
interface TenGigabitEthernet0/0/0
 description "To 1HX-1 DUT"
 mtu 9216
 ip address <removed>
 no negotiation auto
!
interface TenGigabitEthernet0/0/1
 no ip address
 no negotiation auto
 cdp enable
 channel-group 10 mode active
!
interface TenGigabitEthernet0/0/2
 no ip address
 no negotiation auto
 cdp enable
 channel-group 10 mode active
!
interface TenGigabitEthernet0/0/3
 no ip address
 zone-member security trial-zp1
 load-interval 30
 no negotiation auto
 ipv6 address <removed>
!
interface TenGigabitEthernet0/0/4
 description "To Fry Tw0/0/10"
 mtu 9216
 ip address <removed>
 zone-member security trial-zp2
 no negotiation auto
!
interface TenGigabitEthernet0/0/5
 no ip address
 no negotiation auto
 ipv6 enable
!
interface TenGigabitEthernet0/0/6
 ip address dhcp
 no ip redirects
 ip access-group try2 in
 ip access-group try2 out
 load-interval 30
 negotiation auto
 cdp enable
 arp timeout 1200
!
interface TenGigabitEthernet0/0/7
 no ip address
 no negotiation auto
!
interface TenGigabitEthernet0/1/0
 description sample-new-new-new-new-new-new
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/1
 description sample-new-new-new-new-new-new
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/2
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/3
 no ip address
 shutdown
 no negotiation auto
!
interface FortyGigabitEthernet0/2/0
 description link to DUT GD1 Fo0/2/0
 mtu 9216
 ip address <removed>
 load-interval 30
 no negotiation auto
 ipv6 address <removed> link-local
 ipv6 address <removed>
!
interface FortyGigabitEthernet0/2/4
 no ip address
 no negotiation auto
!
interface FortyGigabitEthernet0/2/8
 no ip address
 no negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address <removed>
 negotiation auto
 ipv6 enable
!
interface vasileft1
 no ip address
 ipv6 address <removed> link-local
 ipv6 address <removed>
 no keepalive
!
! BGP for local AS 65003; 4-byte AS numbers are displayed in asdot form
! ("bgp asnotation dot"). The router ID is taken from Loopback10.
! The peers in AS 64086.63111 and 64086.63115 have a neighbor password; the
! peers in AS 65001 and AS 65400 have none.
! NOTE(review): "password 7" is the reversible type 7 encoding, not a hash, so
! such strings must stay out of shared configurations (they are redacted here).
! Confirm that the peers without a password are meant to be unauthenticated.
router bgp 65003
 bgp router-id interface Loopback10
 bgp asnotation dot
 bgp log-neighbor-changes
 neighbor 11:0:1::2 remote-as 65001
 neighbor 11:20:1::2 remote-as 65001
 neighbor 12:0:1::2 remote-as 65400
 neighbor 172:16:13::1 remote-as 64086.63111
 neighbor 172:16:13::1 password 7 <removed>
 neighbor 172:16:15::1 remote-as 64086.63115
 neighbor 172:16:15::1 password 7 <removed>
 neighbor 172:16:20::1 remote-as 64086.63111
 neighbor 172:16:20::1 password 7 <removed>
 neighbor 11.0.1.2 remote-as 65001
 neighbor 11.20.1.2 remote-as 65001
 neighbor 12.0.1.2 remote-as 65400
 neighbor 172.16.13.1 remote-as 64086.63111
 neighbor 172.16.13.1 password 7 <removed>
 neighbor 172.16.15.1 remote-as 64086.63115
 neighbor 172.16.15.1 password 7 <removed>
 neighbor 172.16.20.1 remote-as 64086.63111
 neighbor 172.16.20.1 password 7 <removed>
 !
 ! IPv4 unicast: the IPv6-addressed neighbors are explicitly deactivated here;
 ! every IPv4 peer except 12.0.1.2 is also sent a default route.
 address-family ipv4
  network 10.255.1.4 mask 255.255.255.255
  no neighbor 11:0:1::2 activate
  no neighbor 11:20:1::2 activate
  no neighbor 12:0:1::2 activate
  no neighbor 172:16:13::1 activate
  no neighbor 172:16:15::1 activate
  no neighbor 172:16:20::1 activate
  neighbor 11.0.1.2 activate
  neighbor 11.0.1.2 default-originate
  neighbor 11.20.1.2 activate
  neighbor 11.20.1.2 default-originate
  neighbor 12.0.1.2 activate
  neighbor 172.16.13.1 activate
  neighbor 172.16.13.1 default-originate
  neighbor 172.16.15.1 activate
  neighbor 172.16.15.1 default-originate
  neighbor 172.16.20.1 activate
  neighbor 172.16.20.1 default-originate
  maximum-paths 4
 exit-address-family
 !
 ! IPv6 unicast: neighbors 11:0:1::2 and 11:20:1::2 are not activated in this
 ! address family either, so they are activated in neither address family shown.
 address-family ipv6
  maximum-paths 4
  network 10:255:1::4/128
  network 4500:1:1::/64
  neighbor 12:0:1::2 activate
  neighbor 172:16:13::1 activate
  neighbor 172:16:13::1 default-originate
  neighbor 172:16:15::1 activate
  neighbor 172:16:15::1 default-originate
  neighbor 172:16:20::1 activate
  neighbor 172:16:20::1 default-originate
 exit-address-family
!
ip forward-protocol nd
!
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
no ip ftp passive
! NOTE(review): "ip http server" enables the clear-text HTTP server alongside
! the HTTPS server. If only HTTPS management is needed, use "no ip http server"
! and keep "ip http secure-server".
ip http server
ip http secure-server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
ip ssh bulk-mode 131072
ip route 0.0.0.0 0.0.0.0 115.1.1.1
ip route 0.0.0.0 255.255.255.0 115.1.1.1
ip route 70.70.70.0 255.255.255.0 115.1.1.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.104.249.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 11.3.0.1
!
! ACL matched by the zone-based firewall class-map
! gs-gd-policy_9262023174528164_0-seq-Rule1-cm_. Object-group zbfw_svc is
! protocol "ip", so this entry matches all IP traffic from any to any.
ip access-list extended gs-gd-policy_9262023174528164_0-seq-Rule1-acl_
 11 permit object-group zbfw_svc any any
! NOTE(review): try-new1, try1 and try2 each end in "permit ip any any", so
! they pass all IP traffic and filter nothing. try2 is applied in and out on
! TenGigabitEthernet0/0/6, which the sd-routing section names as the
! wan-interface. For a deployment, replace these with the specific permits
! that interface needs and rely on the implicit deny for the rest.
ip access-list extended try-new1
 10 permit ip any any
ip access-list extended try1
 10 permit tcp any any
 20 permit ip any any
ip access-list extended try2
 50 permit tcp any any
 60 permit ip any any
ip access-list match-local-traffic
ipv6 route 3502:1:1::/64 172:16:15::1
ipv6 route 3503:1:1::/64 172:16:15::1
snmp-server engineID local 80000009766D616E59070102
snmp-server enable traps sdwan security policy system omp bfd
snmp-server enable traps bgp state-changes all backward-trans limited updown-limited
snmp-server enable traps bgp threshold prefix
snmp-server enable traps bgp cbgp2 state-changes all backward-trans limited updown-limited
snmp-server enable traps bgp cbgp2 threshold prefix
snmp-server enable traps otn
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps sbc adj-status
snmp-server enable traps sbc blacklist
snmp-server enable traps sbc congestion-alarm
snmp-server enable traps sbc h248-ctrlr-status
snmp-server enable traps sbc media-source
snmp-server enable traps sbc radius-conn-status
snmp-server enable traps sbc sla-violation
snmp-server enable traps sbc sla-violation-rev1
snmp-server enable traps sbc svc-state
snmp-server enable traps sbc qos-statistics
snmp-server enable traps mpls rfc vpn
!
!
!
!
!
control-plane
!
!
!
!
!
banner motd  welcome to dc1
no parser cache
no parser cache
no parser cache
no parser cache
no parser cache 
no parser cache
!
! Terminal lines. All vty lines accept SSH only ("transport input ssh").
! NOTE(review): "exec-timeout 0 0" disables the idle timeout, so an unattended
! console or vty 0-4 session never logs out. Set a finite value for a
! deployment, e.g. "exec-timeout 10 0". vty 5-80 carry no exec-timeout line.
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 80
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
nat64 translation timeout udp 300
nat64 translation timeout tcp 3700
ntp server time.google.com
!
!
time-range abc
 absolute start 09:00 30 January 2024
!
!
!
!
!
!
telemetry ietf subscription 294967232
 filter xpath /utd-ios-xe-events:utd-con
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967233
 filter xpath /red-app-events:red-event
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967234
 filter xpath /sse-ios-xe-events:sse-tunnel-params-absent
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967240
 filter xpath /crypto-pki-ios-xe-events:pki-certificate-event
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967243
 filter xpath /crypto-pki-ios-xe-events:pki-certificate-expiry
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967245
 filter xpath /ospf-ios-xe-events:ospfv3-nbr-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967246
 filter xpath /ospf-ios-xe-events:ospfv3-if-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967258
 filter xpath /ios-events-ios-xe-oper:usb-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967259
 filter xpath /ios-events-ios-xe-oper:tempsensor-state
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967260
 filter xpath /ios-events-ios-xe-oper:tempsensor-fault
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967261
 filter xpath /ios-events-ios-xe-oper:system-reboot-issued
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967262
 filter xpath /ios-events-ios-xe-oper:system-reboot-complete
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967263
 filter xpath /ios-events-ios-xe-oper:system-logout-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967264
 filter xpath /ios-events-ios-xe-oper:system-login-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967265
 filter xpath /ios-events-ios-xe-oper:system-aaa-login-fail
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967267
 filter xpath /ios-events-ios-xe-oper:sfp-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967271
 filter xpath /ios-events-ios-xe-oper:pem-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967272
 filter xpath /ios-events-ios-xe-oper:pem-fault
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967273
 filter xpath /ios-events-ios-xe-oper:ospf-neighbor-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967274
 filter xpath /ios-events-ios-xe-oper:ospf-interface-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967275
 filter xpath /ios-events-ios-xe-oper:memory-usage
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967276
 filter xpath /ios-events-ios-xe-oper:interface-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967277
 filter xpath /ios-events-ios-xe-oper:interface-admin-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967280
 filter xpath /ios-events-ios-xe-oper:fantray-fault
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967281
 filter xpath /ios-events-ios-xe-oper:fan-fault
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967283
 filter xpath /ios-events-ios-xe-oper:disk-usage
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967289
 filter xpath /ios-events-ios-xe-oper:cpu-usage
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967293
 filter xpath /ios-events-ios-xe-oper:bgp-peer-state-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 294967295
 filter xpath /ios-events-ios-xe-oper:aaa-admin-pwd-change
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967244
 filter xpath /ios-events-ios-xe-oper:utd-file-analysis-status-event
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967245
 filter xpath /ios-events-ios-xe-oper:utd-file-reputation-status-event
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967246
 filter xpath /ios-events-ios-xe-oper:utd-file-analysis-file-upload-state
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967247
 filter xpath /ios-events-ios-xe-oper:utd-file-reputation-retrospective-alert
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967248
 filter xpath /ios-events-ios-xe-oper:utd-file-reputation-alert
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967253
 filter xpath /im-events-ios-xe-oper:im-event
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967255
 filter xpath /ios-events-ios-xe-oper:utd-version-mismatch
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967256
 filter xpath /ios-events-ios-xe-oper:utd-update
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry ietf subscription 2094967257
 filter xpath /ios-events-ios-xe-oper:utd-ips-alert
 stream rfc5277
 update-policy on-change
 receiver name confd-rfc5277
telemetry receiver protocol confd-rfc5277
 host ip-address 0.0.0.0 0
 protocol rfc5277
netconf-yang
netconf-yang feature candidate-datastore
sd-routing
 no ipv6-strict-control
 organization-name vmng-scale-ind-gs
 site-id 46
 sp-organization-name vmng-scale-ind
 system-ip 89.7.1.2
 vbond name vbond1
 vbond port 12346
 wan-interface TenGigabitEthernet0/0/6
end

Configuration example for DC2


!
! Last configuration change at 09:33:38 UTC Tue Nov 26 2024 by admin
!
version 17.15
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform hardware throughput crypto 10G
!
hostname DC2
!
boot-start-marker
boot system bootflash:c8000aep-universalk9.BLD_V1715_THROTTLE_LATEST_20240503_033217_V17_15_0_33.SSA.bin
! Warning: booting with bundle mode will be deprecated in the near future. Migration to install mode is required.
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition abc
 rd 1:102
 !
 address-family ipv4
 exit-address-family
!
logging count
logging queue-limit 10000
no logging console
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local 
aaa authorization network abcd group radius 
aaa accounting send stop-record authentication failure vrf Mgmt-intf
aaa accounting delay-start all
aaa accounting update periodic 600
!
!
aaa session-id common
!
!
subscriber templating
!
ip host vbond1 70.70.70.125
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
ipv6 unicast-routing
!
!
! 
! 
! 
! 

parameter-map type inspect-global
 log flow-export v9 udp destination 10.10.10.10 5000
 log flow-export template timeout-rate 10
 log dropped-packets
 alert on

parameter-map type inspect param_udp
 udp idle-time 30000
 udp half-open idle-time 2147480 
 session packet 100
!
!
crypto pki trustpoint TP-self-signed-1968733516
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1968733516
 revocation-check none
 rsakeypair TP-self-signed-1968733516
 hash sha256
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!
crypto pki trustpoint abc
 enrollment mode ra
 revocation-check crl
 hash sha256
!
!
crypto pki certificate chain TP-self-signed-1968733516
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 
  31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31393638 37333335 3136301E 170D3234 30323238 31373435 
  34385A17 0D333430 32323731 37343534 385A3031 312F302D 06035504 030C2649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39363837 
  33333531 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201 
  0A028201 0100A12B AF986270 60FFB615 41823589 8E4A3894 A46368EA 0705424C 
  FF0FFE36 416F0C63 8FC7F3CA 0B41212E C95B60CA 0BB76432 94EF8E4A 5BC67772 
  66E97B40 11719265 D818E587 C0DEE948 0102856A 328269B8 10A35C87 E5772AE0 
  AEC9B85A 4A0521DC EE6CFCAA 0333F949 5C55591F 71DDD9C0 5722E9B1 A67F4395 
  8A256589 9DD57A66 80728510 3472BB37 6F989BB3 780475A7 3B13667D 03F01A0C 
  34633540 04C8652E 7CFB1CB6 2F301650 61A9C91F 53A2DB17 9F4862F7 15E9DFF2 
  1DC4D85E 6D0D617E DE12ED1A E0F090AF 646B8D61 0922E051 FAA00E9C 1F1C4919 
  37CA9CFF 72BB3435 3BB3D5E7 1539D328 2281FD8F 7DA9AE0F 177FD51B 7673276A 
  9B75C222 77BD0203 010001A3 53305130 1D060355 1D0E0416 04149575 2E60249C 
  B9D5693A 9A50BC77 8C2537BC 06E5301F 0603551D 23041830 16801495 752E6024 
  9CB9D569 3A9A50BC 778C2537 BC06E530 0F060355 1D130101 FF040530 030101FF 
  300D0609 2A864886 F70D0101 0B050003 82010100 7FA15E42 FCCAC9A3 EE10510D 
  1DA40D11 6114A893 F374628B A7FA0904 0FE6FCA7 8DD207D6 70C75090 AE344A1B 
  7AE40766 648C25B0 966CDEEA 70E8C799 431A870D D5224F3F 6A36D04B 0CC323B2 
  751F079C EBB8313E D219A890 567A175B 85038D71 EE364C09 0D98B111 BE49D520 
  B5D322DB 3DECC14F A38C3661 1A83D9F8 9D87AE24 97326215 96ECFDC8 A2461EE9 
  ED5130BE 6EC8B0E1 28C0A74B C296B1F2 1D77B7E2 A321AE3B 32F51808 2AA201C4 
  8B858D6B 431BCA9A 6A9F92B9 5CF67AA3 A94433AD B3C9D7CF FBDF9C58 9371D1C9 
  6EE47A96 E22D1ED5 5F176976 426916E9 35B08A75 4873F185 87AC85E1 5D8B9F2B 
  7378E089 48C1E832 DADC85BF BDEAF5D0 FEA75FAC
  	quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030 
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363 
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934 
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305 
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720 
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D 
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520 
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE 
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC 
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188 
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7 
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191 
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44 
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201 
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85 
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500 
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905 
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B 
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8 
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C 
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B 
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678 
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB 
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0 
  D697DF7F 28
  	quit
crypto pki certificate chain abc
!
!
!
!
!
!
!
!
!
license udi pid C8500-12X4QC sn TTM262304SQ
license boot level network-advantage
!
!
!
!
!
object-group network dest_og_10043 
 range 1.1.9.0 1.1.10.0
!
memory free low-watermark processor 682127
hw-module subslot 0/1 mode 10G
hw-module subslot 0/2 mode 40G
hw-module subslot 0/2 breakout none port all
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
! Local privilege 15 account with a type 9 secret.
! NOTE(review): this hash string is identical to the admin entry in the DC1
! example, so both devices share one published credential hash. Set a distinct
! secret per device, e.g. "username <USER> privilege 15 secret <YOUR-SECRET>".
username admin privilege 15 secret 9 $9$PSlkFl7oqMoQBE$cpeqITQ6XgUkxXzR7dhCtqrXXGD/owBl/NRdvf6XZBo
!
redundancy
 mode none
!
!
!
!
!
!
!
cdp holdtime 190
cdp run
!
!
class-map match-all abc
!
zone security ZBFW
! 
! Keyring referenced by ISAKMP profile GS-GRE:ISAKMP.
! NOTE(review): the key is bound to the wildcard address 0.0.0.0 0.0.0.0 (any
! peer) and the sample value is the literal word "cisco". Use one long random
! key per peer, e.g. "pre-shared-key address <PEER-IP> key <UNIQUE-RANDOM-KEY>".
crypto keyring GS-GRE:ISAKMPKEY  
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
! Keyring scoped to VRF Mgmt-intf with a key for the single peer 10.10.10.10.
! NOTE(review): the key is shown in clear text and is only five characters
! long; replace it with a long random value before use.
crypto keyring try1 vrf Mgmt-intf 
 pre-shared-key address 10.10.10.10 key iuyju
!
!
!
!
!
! IKEv1 (ISAKMP) phase-1 proposals: pre-shared-key authentication, DH group 14,
! SHA-1 hash ("hash sha"); policy 1 uses 128-bit AES and policy 10 uses 256-bit AES.
! NOTE(review): prefer a SHA-2 hash (for example "hash sha256") where every
! peer supports it.
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! NOTE(review): global wildcard pre-shared key. Address 0.0.0.0 matches any
! peer, and the sample key is the literal word "cisco". Replace with per-peer
! keys, e.g. "crypto isakmp key <UNIQUE-RANDOM-KEY> address <PEER-IP>".
crypto isakmp key cisco address 0.0.0.0        
crypto isakmp invalid-spi-recovery
! Keepalive (dead-peer detection): 20-second interval, 5-second retry.
crypto isakmp keepalive 20 5
! Profile that matches any peer identity address and takes its key from
! keyring GS-GRE:ISAKMPKEY.
crypto isakmp profile GS-GRE:ISAKMP
   keyring GS-GRE:ISAKMPKEY
   match identity address 0.0.0.0 
!
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac 
 mode transport
crypto ipsec transform-set GS-GRE:TRANSFORMSET esp-aes 256 esp-sha-hmac 
 mode transport
crypto ipsec transform-set GS11 esp-aes 256 esp-sha-hmac 
 mode tunnel
no crypto ipsec transform-set default
!
crypto ipsec profile GS-GRE:IPSEC
 set transform-set GS-GRE:TRANSFORMSET 
 set isakmp-profile GS-GRE:ISAKMP
!
crypto ipsec profile IPSEC
 set transform-set IPSEC 
!
!
!
!
!
!
! 
! 
!
!
interface Loopback1
 no ip address
 ipv6 address <removed> link-local
!
interface Loopback10
 ip address <removed>
 ipv6 address <removed>
!
interface Port-channel11
 no ip address
 no negotiation auto
!
interface Port-channel11.107
 zone-member security ZBFW
!
interface Port-channel20
 ip address <removed>
 ipv6 address <removed>
!
interface Tunnel13
 ip address <removed>
 load-interval 30
 ipv6 address <removed>
 tunnel source TenGigabitEthernet0/0/0
 tunnel destination 11.0.2.2
 tunnel protection ipsec profile IPSEC
!
interface Tunnel15
 ip address <removed>
 load-interval 30
 ipv6 address <removed>
 tunnel source FortyGigabitEthernet0/2/0
 tunnel destination 13.1.1.1
 tunnel protection ipsec profile IPSEC
!
interface Tunnel1900
 ip address <removed>
 ip access-group try2 in
 ip access-group try2 out
!
interface Tunnel2900
 ip address negotiated
 no ip redirects
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix 187:1:2::/64
!
! TenGigabitEthernet0/0/x ports. CDP is enabled on every port in this group,
! including those that are shut down. CDP advertises platform, software and
! address details to directly attached neighbours, so keep it only on links
! to devices under the same administration.
!
! 0/0/0 is the source interface for Tunnel13.
interface TenGigabitEthernet0/0/0
 ip address <removed>
 no negotiation auto
 cdp enable
!
! 0/0/1 and 0/0/2 are LACP members of Port-channel20.
interface TenGigabitEthernet0/0/1
 no ip address
 no negotiation auto
 cdp enable
 channel-group 20 mode active
!
interface TenGigabitEthernet0/0/2
 no ip address
 no negotiation auto
 cdp enable
 channel-group 20 mode active
!
interface TenGigabitEthernet0/0/3
 no ip address
 shutdown
 no negotiation auto
 cdp enable
!
interface TenGigabitEthernet0/0/4
 no ip address
 shutdown
 no negotiation auto
 cdp enable
!
interface TenGigabitEthernet0/0/5
 no ip address
 shutdown
 no negotiation auto
 cdp enable
 ipv6 enable
!
! ACL try1 is applied in both directions, but its entries permit all TCP and
! all IP, so it does not restrict traffic on this port.
interface TenGigabitEthernet0/0/6
 description "Connected to GS switch Te1/10"
 ip address <removed>
 ip access-group try1 in
 ip access-group try1 out
 no negotiation auto
 cdp enable
!
! Marked as the NAT66 inside interface but administratively down.
interface TenGigabitEthernet0/0/7
 no ip address
 shutdown
 no negotiation auto
 cdp enable
 nat66 inside
!
! TenGigabitEthernet0/1/0-3 are unused: no address and administratively shut
! down.
interface TenGigabitEthernet0/1/0
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/1
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/2
 no ip address
 shutdown
 no negotiation auto
!
interface TenGigabitEthernet0/1/3
 no ip address
 shutdown
 no negotiation auto
!
! FortyGigabitEthernet0/2/0 is the source interface for Tunnel15.
interface FortyGigabitEthernet0/2/0
 ip address <removed>
 no negotiation auto
 ipv6 address <removed>
!
! 0/2/4 and 0/2/8 carry no IPv4 address and are not shut down.
interface FortyGigabitEthernet0/2/4
 no ip address
 no negotiation auto
!
interface FortyGigabitEthernet0/2/8
 no ip address
 no negotiation auto
 ipv6 address <removed> link-local
!
! Management port, kept in VRF Mgmt-intf. No access-group is applied to it
! in this stanza.
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address <removed>
 negotiation auto
!
! VASI interfaces (names vasileft1 / vasileft108); the matching vasiright
! interfaces are not in this section.
interface vasileft1
 no ip address
 ipv6 address <removed> link-local
 ipv6 address <removed>
 no keepalive
!
! Member of zone-based firewall zone ZBFW, like Port-channel11.107.
interface vasileft108
 no ip address
 zone-member security ZBFW
 no keepalive
!
! BGP process for AS 65120 (4-byte AS numbers are written in asdot form).
! Points a reviewer would check in this stanza:
!  - "no bgp enforce-first-as" turns off the check that an update from an
!    eBGP peer starts with that peer's own AS number.
!  - Only the 172.16.x.1 / 172:16:x::1 neighbours carry a "password" line
!    (TCP MD5 session authentication). 11.0.2.2, 12.0.2.2, their IPv6
!    counterparts and 1.1.5.5 in vrf abc have none in this section.
!  - "password 7" means the stored string is type 7 encoded, which is a
!    reversible encoding. Treat any unredacted copy of this configuration
!    as containing the session keys.
!  - No neighbour has an inbound route-map, prefix-list or maximum-prefix
!    limit here; the only routing policy is the outbound route-map
!    SET_NH2_v6 on 172:16:16::1.
router bgp 65120
 bgp router-id interface Loopback10
 bgp asnotation dot
 no bgp enforce-first-as
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 ! Peer-groups abc1 and trial have no members in this section. 1.1.1.1
 ! belongs to IPSEC-GRETUNNEL (same AS, so iBGP) but is not activated under
 ! any address family shown.
 neighbor abc1 peer-group
 neighbor trial peer-group
 neighbor trial remote-as 1.464
 neighbor IPSEC-GRETUNNEL peer-group
 neighbor IPSEC-GRETUNNEL remote-as 65120
 neighbor 11:0:2::2 remote-as 65001
 neighbor 12:0:2::2 remote-as 65400
 neighbor 1.1.1.1 peer-group IPSEC-GRETUNNEL
 neighbor 172:16:14::1 remote-as 64086.63112
 neighbor 172:16:14::1 password 7 <removed>
 neighbor 172:16:16::1 remote-as 64086.63116
 neighbor 172:16:16::1 password 7 <removed>
 neighbor 172:16:17::1 remote-as 64086.63117
 neighbor 172:16:17::1 password 7 <removed>
 neighbor 11.0.2.2 remote-as 65001
 neighbor 12.0.2.2 remote-as 65400
 neighbor 172.16.14.1 remote-as 64086.63112
 neighbor 172.16.14.1 password 7 <removed>
 neighbor 172.16.16.1 remote-as 64086.63116
 neighbor 172.16.16.1 password 7 <removed>
 neighbor 172.16.17.1 remote-as 64086.63117
 neighbor 172.16.17.1 password 7 <removed>
 !
 ! IPv4 unicast: advertises 10.255.1.5/32 and originates a default route to
 ! every activated neighbour except 12.0.2.2.
 address-family ipv4
  network 10.255.1.5 mask 255.255.255.255
  neighbor 11.0.2.2 activate
  neighbor 11.0.2.2 default-originate
  neighbor 12.0.2.2 activate
  neighbor 172.16.14.1 activate
  neighbor 172.16.14.1 default-originate
  neighbor 172.16.16.1 activate
  neighbor 172.16.16.1 default-originate
  neighbor 172.16.17.1 activate
  neighbor 172.16.17.1 default-originate
  maximum-paths 4
 exit-address-family
 !
 ! IPv6 unicast: mirrors the IPv4 policy; 172:16:16::1 additionally gets its
 ! next hop rewritten by route-map SET_NH2_v6.
 address-family ipv6
  maximum-paths 4
  network 10:255:1::5/128
  neighbor 11:0:2::2 activate
  neighbor 11:0:2::2 default-originate
  neighbor 12:0:2::2 activate
  neighbor 172:16:14::1 activate
  neighbor 172:16:14::1 default-originate
  neighbor 172:16:16::1 activate
  neighbor 172:16:16::1 default-originate
  neighbor 172:16:16::1 route-map SET_NH2_v6 out
  neighbor 172:16:17::1 activate
  neighbor 172:16:17::1 default-originate
 exit-address-family
 !
 ! Per-VRF session in vrf abc with shortened timers (keepalive 10 s, hold
 ! 20 s, minimum accepted hold 20 s); no password is configured for it.
 address-family ipv4 vrf abc
  neighbor 1.1.5.5 remote-as 100
  neighbor 1.1.5.5 timers 10 20 20
  neighbor 1.1.5.5 activate
 exit-address-family
!
! Device services and static routes.
ip forward-protocol nd
!
! TFTP is sourced from the management port. The FTP password is stored as
! type 7, a reversible encoding, and FTP itself sends credentials in clear
! text.
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip ftp password 7 <removed>
! Both the clear-text HTTP server and the HTTPS server are enabled, with
! logins checked against the local user database. If only HTTPS is needed,
! "no ip http server" removes the clear-text listener.
! No access-class restriction on the HTTP servers appears in this section.
ip http server
ip http authentication local
ip http secure-server
ip ssh bulk-mode 131072
! Static routes; the management VRF has its own default route.
ip route 70.70.70.0 255.255.255.0 115.1.1.1
ip route 100.100.100.0 255.255.255.0 11.0.2.2
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 11.3.0.1
!
! HBN-additional: permits BGP, several UDP ranges and selected ICMP types.
! Anything unmatched hits the implicit deny. Where this ACL is applied is
! not visible in this section.
! NOTE(review): entry 25 uses source 0.0.0.0 with wildcard 255.255.255.0,
! which matches any address whose last octet is 0 - confirm this is intended
! and not a subnet mask typed where a wildcard belongs.
! NOTE(review): entry 143 comes after the ICMP permits; a non-initial
! fragment may match an earlier permit on layer-3 fields alone, so confirm
! the deny is reached and consider placing it before entries 77-125.
ip access-list extended HBN-additional
 5 permit tcp any any eq bgp
 25 permit udp 0.0.0.0 255.255.255.0 range 3715 3764 any
 35 permit udp any range 3714 3735 any
 45 permit udp any any eq 16387
 55 permit udp any any eq 19678
 77 permit icmp any any echo-reply
 85 permit udp any any range 12434 22464
 95 permit icmp any any unreachable
 105 permit icmp any any packet-too-big
 115 permit icmp any any ttl-exceeded
 125 permit icmp any any traceroute
 135 permit udp any any eq 948
 143 deny icmp any any fragments
! try1 and try2 permit everything (entry 10 of try1 is already covered by
! entry 20). They are applied to TenGigabitEthernet0/0/6 and Tunnel1900, so
! those access-groups provide no filtering; replace them with specific
! entries before reusing this example.
ip access-list extended try1
 10 permit tcp any any
 20 permit ip any any
ip access-list extended try2
 10 permit ip any any
! try9 has no entries and is not applied in this section.
ip access-list extended try9
! Makes interface ACLs apply to traffic generated by the router itself as
! well as to transit traffic.
ip access-list match-local-traffic
! Syslog: messages up to severity "debugging" are eligible for export, using
! facility local1. No "logging host" line appears in this section, so the
! destination (and whether it is reached over the management VRF) must be
! checked elsewhere in the configuration.
logging trap debugging
logging facility local1
! IPv6 static route in the management VRF whose next hop resolves in the
! default VRF. This links the management and data routing tables for
! 8888:1111::/96 - confirm the leak is intended.
ipv6 route vrf Mgmt-intf 8888:1111::/96 1818:1111::3 nexthop-vrf default
! Outbound policy used by BGP neighbour 172:16:16::1: rewrites the IPv6 next
! hop to 172:16:16::2.
route-map SET_NH2_v6 permit 10 
 set ipv6 next-hop 172:16:16::2
!
! SNMP: location string and trap categories only. The "authentication" trap
! reports failed SNMP authentication attempts. No snmp-server host,
! community, or SNMPv3 user/group is visible in this section, so the trap
! receiver and the access model must be verified elsewhere.
snmp-server location USA-CCL-Doral(DCE)-DC
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
!
!
!
!
!
! IPv6 ACL "abcd": permits all ICMPv6 between any hosts; everything else
! falls to the implicit deny. It is not applied to an interface in this
! section.
ipv6 access-list fqdn abcd
 sequence 10 permit icmp any any
!
! The control-plane stanza is empty: no service-policy is attached here, so
! this section applies no control-plane policing to traffic punted to the
! route processor.
control-plane
!
!
!
!
!
! Exec-mode shortcut "util" for the QFP datapath utilization summary.
alias exec util show plat hard qfp act data util sum
! Parser cache disabled.
no parser cache
!
! Terminal lines.
! "exec-timeout 0 0" disables the idle timeout, so an unattended console or
! SSH session stays logged in indefinitely. A finite value (minutes seconds)
! restores automatic logout.
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
! VTY 0-4 accept SSH only and cannot open outbound sessions. No access-class
! limits the source addresses here, and only lines 0-4 are shown - confirm
! that any further VTY lines on the platform carry the same restrictions.
line vty 0 4
 exec-timeout 0 0
 transport input ssh
 transport output none
!
! Call-home (Smart Call Home) with the CiscoTAC-1 profile active over the
! "http" transport method. The destination URL is not shown in this section;
! confirm it is an https:// address so reports are not sent in clear text.
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
! NAT66 prefix translation inside the management VRF (7777:1111::/96 inside
! to 1818:1111::/96 outside). It pairs with the Mgmt-intf IPv6 static route
! that uses "nexthop-vrf default".
nat66 prefix inside 7777:1111::/96 outside 1818:1111::/96 vrf Mgmt-intf 
!
! Time range "abc": active from the start time with no end configured. It is
! not referenced by any ACL entry in this section.
time-range abc
 absolute start 09:00 31 January 2025
!
! WSMA (Web Services Management Agent) agents for exec, config, filesys and
! notify, each bound to a named profile. The profiles (hello3, abc1, cdef)
! are defined outside this section.
! NOTE(review): verify that those profiles use an encrypted transport and
! that WSMA is still required alongside NETCONF; every enabled agent is an
! additional management interface to secure.
wsma agent exec
 profile hello3
!
wsma agent config
 profile abc1
!
wsma agent filesys
 profile cdef
!
wsma agent notify
 profile hello3
!
!
! Enables the NETCONF/YANG programmatic interface, with the candidate
! datastore so changes can be staged before they are committed.
! No NETCONF-specific access list appears in this section. Logins presumably
! rely on the AAA methods configured at the top of the file; restrict
! reachability of the NETCONF service to management hosts - TODO confirm.
netconf-yang
netconf-yang feature candidate-datastore
end