Service Provider Configuration for Layer 2 and Layer 3 VPN YANG commands
Configuration example for DC1
!
! Last configuration change at 10:37:45 UTC Wed Nov 6 2024 by admin
!
version 17.15
! Global services: TCP keepalives in both directions, millisecond timestamps on
! debug and log messages, call-home, and platform throughput settings.
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password-encryption only applies reversible type 7 obfuscation to
! passwords stored in the configuration; it does not replace hashed secrets.
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform hardware throughput crypto 10G
!
hostname DC1
!
boot-start-marker
boot system bootflash:packages.conf
! NOTE(review): the bundle name below contains BLD_POLARIS_DEV_LATEST, which looks
! like an internal development build rather than a released image - confirm the
! intended release before reusing this example.
boot system bootflash:c8000aep-universalk9.BLD_POLARIS_DEV_LATEST_20240415_003241.SSA.bin
! Warning: Booting with bundle mode will be deprecated in the near future. Migration to install mode is required.
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition sdroute_vrf1
rd 8:1
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! Logging is kept on the device only (memory buffer plus persistent files); console
! logging is off. NOTE(review): no `logging host` line appears in this DC1
! configuration, so log records are not shipped off-box for retention or correlation.
logging buffered 512000
logging persistent size 104857600 filesize 10485760
no logging console
aaa new-model
!
!
! Login authentication and exec authorization use the local user database only.
aaa authentication login default local
! NOTE(review): enable authentication falls back to the enable password; no
! `enable secret` line is visible in this configuration - confirm how it is set.
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
! NOTE(review): list "abcd" points at group tacacs+, but no TACACS+ server stanza is
! visible in this configuration - verify the server definition exists.
aaa authorization network abcd group tacacs+
! Accounting stop-records are sent for failed authentications in both VRFs.
aaa accounting send stop-record authentication failure vrf Mgmt-intf
aaa accounting send stop-record authentication failure vrf sdroute_vrf1
aaa accounting delay-start all
aaa accounting update periodic 800
!
!
aaa server radius dynamic-author
!
aaa session-id common
!
!
subscriber templating
ip arp proxy disable
!
ip host vbond1 70.70.70.125
ip name-server 72.163.128.140
no ip domain lookup
!
!
!
!
!
!
! NOTE(review): the BOOTP server service is enabled; hardening baselines normally
! turn it off (`no ip bootp server`) unless the router has to answer BOOTP requests.
ip bootp server
!
!
!
! Successful logins are logged. NOTE(review): no `login on-failure log` or
! `login block-for` line appears in this configuration, so failed attempts are not
! logged or rate-limited by these commands.
login on-success log
!
!
!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
parameter-map type inspect-global
log flow-export v9 udp destination 10.10.10.10 8000
log flow-export template timeout-rate 10
log dropped-packets
multi-tenancy
alert on
parameter-map type inspect log-pmap_
log flow
parameter-map type inspect param_udp
udp idle-time 30000
udp half-open idle-time 2147480
session packet 100
!
!
! Self-signed device certificate; revocation checking is off for it, which is usual
! for a self-signed trustpoint (presumably the one served by `ip http secure-server`).
! NOTE(review): `hash sha256` is set, yet the stored certificate in the chain that
! follows carries the sha1WithRSAEncryption OID (2A864886 F70D0101 05). It appears to
! predate this setting - regenerate it if a SHA-256 signature is expected.
crypto pki trustpoint TP-self-signed-1139380136
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1139380136
revocation-check none
rsakeypair TP-self-signed-1139380136
hash sha256
!
! Licensing trustpoint imported as PKCS#12; certificates validated against it are
! checked for revocation by CRL.
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
!
crypto pki certificate chain TP-self-signed-1139380136
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313339 33383031 3336301E 170D3233 30313132 30343132
33385A17 0D333330 31313130 34313233 385A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31333933
38303133 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100B048 7698D2C2 0DA4C147 A90CDED8 07962D1E 26CCF57F 6CB17C32
8C482C7E 119CBCA1 6BF5E5C3 78EAB3F2 5FC465F3 4BB492C8 33ABE8D0 3E2C9D41
2BDDCDC3 AC7E5F0C C332E3D3 2636B084 CC0706DD 9BBC6B43 1438490C 841DB973
CDC80240 6AC40A84 FC09AA03 7400FB36 B9DB11BD 5831C190 C6FE7A46 EF1150DB
10BD97E2 5D7C6F25 777CD49C DAAF4392 5197BCA8 B2BD21E7 4B33DACB 450B2C48
D05BB28E EC8A5B63 09B8F83A 846088B7 674742E9 A8C58129 D3A0855A 3BEDEC79
438B95EA B79E6EF8 FBC3F7D4 C2DC77BD FC1E2E92 196DBB9A 8C1D7307 F3854E4B
C089E454 86DAB463 9A88EA0F 8C9617AC B18DDB41 D51FA93E 34176FA9 7125AB4A
ECDAFEDD A81B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 1476AD7C CCA79E3C 4854D2E5 AEB2E232 8B632604
44301D06 03551D0E 04160414 76AD7CCC A79E3C48 54D2E5AE B2E2328B 63260444
300D0609 2A864886 F70D0101 05050003 82010100 24AE2912 60EDEF63 432CF65A
5D092637 1AC00373 B0A1D565 5F62C998 2D3A04C0 D9D25260 E54B337B 7E79991D
C7FEAA49 875EE478 B9A4BFAB EB5CFB8C BC37685B D2E2D0DA 6A25E44E 407B0898
9466A635 48731280 44002CD2 BF1BC7BD 6512FCB4 8835E45D E6C62A41 9A1A94F8
C6FFC239 77854A00 285A1CD3 A79760B3 0003E8FD F4466C66 1AAF2F3D 2475BA09
7C126D00 9B3BA2F2 0EA0B41D D82BF6B7 1F5DF584 05CFB5C9 FCCA417E F66302C8
3ED3BDA8 14892DE5 6E89B873 5EA7A348 2161D824 C12DF72F 2FE0A5F3 E1884B38
68B70DEF 7D369437 8299BBFF 06630EA1 E644A20B F94FFAB7 3F5537C4 6B6E101C
51B2D289 510E994C 8E37CA46 425FBAB3 FC438142
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
!
!
!
!
!
!
!
!
license udi pid C8500-12X4QC sn TTM262509TW
license accept end user agreement
license boot level network-advantage
!
!
!
!
!
object-group service zbfw_svc
ip
!
memory free low-watermark processor 682127
hw-module subslot 0/1 mode 10G
hw-module subslot 0/2 mode 40G
hw-module subslot 0/2 breakout none port all
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
! Two local accounts, both at privilege 15, stored as type 9 (scrypt) secrets.
! NOTE(review): these hashes are published with the example; treat the underlying
! passwords as exposed and generate fresh secrets on any real device. Confirm that
! "user-check" really needs full privilege 15.
username admin privilege 15 secret 9 $9$PSlkFl7oqMoQBE$cpeqITQ6XgUkxXzR7dhCtqrXXGD/owBl/NRdvf6XZBo
username user-check privilege 15 secret 9 $9$urx8S66CWfSQXT$/C4lIY/mj1fMVKLbwvFKBPafxAVfdGQjPu/DweMKuv2
!
redundancy
mode none
!
!
!
!
!
!
!
! NOTE(review): CDP and LLDP run globally and advertise platform and software
! details to directly connected neighbours; disable them per interface on links
! that leave the administrative domain.
cdp run
!
lldp run
!
! Zone-based firewall policy for traffic from zone trial-zp1 to zone trial-zp2.
! The class matches the ACL gs-gd-policy_9262023174528164_0-seq-Rule1-acl_, whose
! single entry (later in this configuration) permits object-group zbfw_svc - defined
! as protocol `ip` - from any to any.
! NOTE(review): as written, every IP flow in this direction is inspected and
! allowed; the class-default drop only catches what that ACL does not match.
class-map type inspect match-all gs-gd-policy_9262023174528164_0-seq-Rule1-cm_
match access-group name gs-gd-policy_9262023174528164_0-seq-Rule1-acl_
!
policy-map type inspect gs-gd-policy_9262023174528164_0
class type inspect gs-gd-policy_9262023174528164_0-seq-Rule1-cm_
inspect log-pmap_
class class-default
drop
!
!
zone security trial-zp1
zone security trial-zp2
! Only the trial-zp1 -> trial-zp2 direction has a zone-pair in this configuration.
zone-pair security ZP_trial-zp1_trial-z_-1198719209 source trial-zp1 destination trial-zp2
service-policy type inspect gs-gd-policy_9262023174528164_0
!
! NOTE(review): wildcard pre-shared key - the same key is accepted for every peer
! address (0.0.0.0 0.0.0.0), and the value shown is a trivially guessable string
! stored in clear text. For real deployments use unique high-entropy keys per peer
! (or certificate authentication) and encrypt stored keys with
! `key config-key password-encrypt` plus `password encryption aes`.
crypto keyring GS-GRE:ISAKMPKEY
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
!
!
!
!
! IKEv1 (ISAKMP) proposals. The lower policy number is preferred, so policy 1
! (AES-128) is offered ahead of policy 10 (AES-256).
! NOTE(review): `hash sha` is SHA-1 in both policies; prefer a SHA-2 hash
! (for example `hash sha256`) and consider IKEv2 for new designs.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 14
!
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
! NOTE(review): global wildcard pre-shared key, same guessable value as in the
! keyring; any peer address can authenticate with it.
crypto isakmp key cisco address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 5
! The profile binds the keyring to peers by identity; `address 0.0.0.0` matches
! every peer address, so it does not narrow who may use the key.
crypto isakmp profile GS-GRE:ISAKMP
keyring GS-GRE:ISAKMPKEY
match identity address 0.0.0.0
!
! Volume-based SA rekeying is disabled, leaving only the time-based lifetime
! (not set here, so presumably the platform default). Anti-replay window is 1024.
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
! NOTE(review): both transform sets authenticate with esp-sha-hmac (HMAC-SHA-1);
! transform set IPSEC also uses AES-128. Prefer a SHA-2 integrity transform.
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set GS-GRE:TRANSFORMSET esp-aes 256 esp-sha-hmac
mode transport
!
! Profile applied to Tunnel13, Tunnel15 and Tunnel20 in this configuration.
! NOTE(review): neither profile has a `set pfs` line, so perfect forward secrecy
! is not requested as shown.
crypto ipsec profile GS-GRE:IPSEC
set transform-set GS-GRE:TRANSFORMSET
set isakmp-profile GS-GRE:ISAKMP
!
! Not referenced by any tunnel interface in this DC1 configuration.
crypto ipsec profile IPSEC
set transform-set IPSEC
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address <removed>
!
interface Loopback10
ip address <removed>
ipv6 address <removed>
!
interface Port-channel10
ip address <removed>
ipv6 address <removed>
!
interface Tunnel13
ip address <removed>
load-interval 30
ipv6 address <removed>
tunnel source TenGigabitEthernet0/0/0
tunnel destination 11.0.1.2
tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel15
ip address <removed>
load-interval 30
tunnel source FortyGigabitEthernet0/2/0
tunnel destination 14.1.1.1
tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel20
ip address <removed>
ipv6 address <removed>
tunnel source TenGigabitEthernet0/0/4
tunnel destination 11.20.1.2
tunnel protection ipsec profile GS-GRE:IPSEC
!
interface Tunnel1900
ip address <removed>
ip access-group try-new1 in
ip access-group try-new1 out
!
interface Tunnel2900
ip address negotiated
no ip redirects
tunnel mode ipv6ip 6rd
tunnel 6rd prefix 185:6:2::/64
!
interface TenGigabitEthernet0/0/0
description "To 1HX-1 DUT"
mtu 9216
ip address <removed>
no negotiation auto
!
interface TenGigabitEthernet0/0/1
no ip address
no negotiation auto
cdp enable
channel-group 10 mode active
!
interface TenGigabitEthernet0/0/2
no ip address
no negotiation auto
cdp enable
channel-group 10 mode active
!
interface TenGigabitEthernet0/0/3
no ip address
zone-member security trial-zp1
load-interval 30
no negotiation auto
ipv6 address <removed>
!
interface TenGigabitEthernet0/0/4
description "To Fry Tw0/0/10"
mtu 9216
ip address <removed>
zone-member security trial-zp2
no negotiation auto
!
interface TenGigabitEthernet0/0/5
no ip address
no negotiation auto
ipv6 enable
!
! Named as the sd-routing wan-interface at the end of this configuration; the
! address is learned by DHCP.
! NOTE(review): ACL try2 is applied in both directions, but both of its entries
! permit all traffic, so it filters nothing. CDP is also enabled on this WAN-facing
! port - confirm the neighbour is trusted.
interface TenGigabitEthernet0/0/6
ip address dhcp
no ip redirects
ip access-group try2 in
ip access-group try2 out
load-interval 30
negotiation auto
cdp enable
arp timeout 1200
!
interface TenGigabitEthernet0/0/7
no ip address
no negotiation auto
!
interface TenGigabitEthernet0/1/0
description sample-new-new-new-new-new-new
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/1
description sample-new-new-new-new-new-new
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/2
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
no negotiation auto
!
interface FortyGigabitEthernet0/2/0
description link to DUT GD1 Fo0/2/0
mtu 9216
ip address <removed>
load-interval 30
no negotiation auto
ipv6 address <removed> link-local
ipv6 address <removed>
!
interface FortyGigabitEthernet0/2/4
no ip address
no negotiation auto
!
interface FortyGigabitEthernet0/2/8
no ip address
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address <removed>
negotiation auto
ipv6 enable
!
interface vasileft1
no ip address
ipv6 address <removed> link-local
ipv6 address <removed>
no keepalive
!
! BGP AS 65003 with IPv6 and IPv4 peers in several remote ASes.
! The 172:16:x / 172.16.x peers use a TCP MD5 session password (stored as
! reversible type 7 and redacted on this page).
! NOTE(review): the 11.x and 12.x peers (IPv4 and IPv6) have no session password,
! and no prefix-list, route-map or maximum-prefix limit is applied to any
! neighbour in the address families that follow - add inbound filtering before
! using this outside a lab.
router bgp 65003
bgp router-id interface Loopback10
bgp asnotation dot
bgp log-neighbor-changes
neighbor 11:0:1::2 remote-as 65001
neighbor 11:20:1::2 remote-as 65001
neighbor 12:0:1::2 remote-as 65400
neighbor 172:16:13::1 remote-as 64086.63111
neighbor 172:16:13::1 password 7 <removed>
neighbor 172:16:15::1 remote-as 64086.63115
neighbor 172:16:15::1 password 7 <removed>
neighbor 172:16:20::1 remote-as 64086.63111
neighbor 172:16:20::1 password 7 <removed>
neighbor 11.0.1.2 remote-as 65001
neighbor 11.20.1.2 remote-as 65001
neighbor 12.0.1.2 remote-as 65400
neighbor 172.16.13.1 remote-as 64086.63111
neighbor 172.16.13.1 password 7 <removed>
neighbor 172.16.15.1 remote-as 64086.63115
neighbor 172.16.15.1 password 7 <removed>
neighbor 172.16.20.1 remote-as 64086.63111
neighbor 172.16.20.1 password 7 <removed>
!
address-family ipv4
network 10.255.1.4 mask 255.255.255.255
no neighbor 11:0:1::2 activate
no neighbor 11:20:1::2 activate
no neighbor 12:0:1::2 activate
no neighbor 172:16:13::1 activate
no neighbor 172:16:15::1 activate
no neighbor 172:16:20::1 activate
neighbor 11.0.1.2 activate
neighbor 11.0.1.2 default-originate
neighbor 11.20.1.2 activate
neighbor 11.20.1.2 default-originate
neighbor 12.0.1.2 activate
neighbor 172.16.13.1 activate
neighbor 172.16.13.1 default-originate
neighbor 172.16.15.1 activate
neighbor 172.16.15.1 default-originate
neighbor 172.16.20.1 activate
neighbor 172.16.20.1 default-originate
maximum-paths 4
exit-address-family
!
address-family ipv6
maximum-paths 4
network 10:255:1::4/128
network 4500:1:1::/64
neighbor 12:0:1::2 activate
neighbor 172:16:13::1 activate
neighbor 172:16:13::1 default-originate
neighbor 172:16:15::1 activate
neighbor 172:16:15::1 default-originate
neighbor 172:16:20::1 activate
neighbor 172:16:20::1 default-originate
exit-address-family
!
ip forward-protocol nd
!
! Management-plane services and static routes.
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
no ip ftp passive
! NOTE(review): the plaintext HTTP server is enabled alongside HTTPS, and no
! `ip http access-class` restriction is visible. Hardening baselines disable
! `ip http server` and limit which sources may reach the HTTPS server.
ip http server
ip http secure-server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
ip ssh bulk-mode 131072
ip route 0.0.0.0 0.0.0.0 115.1.1.1
! NOTE(review): prefix 0.0.0.0 with mask 255.255.255.0 is 0.0.0.0/24, not a
! default route - possibly a leftover or typo; confirm it is intended.
ip route 0.0.0.0 255.255.255.0 115.1.1.1
ip route 70.70.70.0 255.255.255.0 115.1.1.1
! Two default routes in the management VRF with different next hops.
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.104.249.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 11.3.0.1
!
! ACL matched by the zone-based firewall class; object-group zbfw_svc is defined
! earlier as protocol `ip`, so this entry matches all IP traffic.
ip access-list extended gs-gd-policy_9262023174528164_0-seq-Rule1-acl_
11 permit object-group zbfw_svc any any
! NOTE(review): try-new1, try1 and try2 all end in (or consist of) `permit ip any any`,
! so the interfaces that reference them are not filtered; the `permit tcp any any`
! entries are redundant with the entry that follows them. Replace these with
! explicit permits and a logged deny before using the example outside a lab.
ip access-list extended try-new1
10 permit ip any any
ip access-list extended try1
10 permit tcp any any
20 permit ip any any
ip access-list extended try2
50 permit tcp any any
60 permit ip any any
! Defined with no entries in this configuration.
ip access-list match-local-traffic
ipv6 route 3502:1:1::/64 172:16:15::1
ipv6 route 3503:1:1::/64 172:16:15::1
! SNMP engine ID and trap categories.
! NOTE(review): only trap enables are present; no `snmp-server host`, community or
! SNMPv3 user/group is visible in this configuration, so as shown the traps have no
! destination. When adding one, prefer SNMPv3 with authentication and privacy.
snmp-server engineID local 80000009766D616E59070102
snmp-server enable traps sdwan security policy system omp bfd
snmp-server enable traps bgp state-changes all backward-trans limited updown-limited
snmp-server enable traps bgp threshold prefix
snmp-server enable traps bgp cbgp2 state-changes all backward-trans limited updown-limited
snmp-server enable traps bgp cbgp2 threshold prefix
snmp-server enable traps otn
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps sbc adj-status
snmp-server enable traps sbc blacklist
snmp-server enable traps sbc congestion-alarm
snmp-server enable traps sbc h248-ctrlr-status
snmp-server enable traps sbc media-source
snmp-server enable traps sbc radius-conn-status
snmp-server enable traps sbc sla-violation
snmp-server enable traps sbc sla-violation-rev1
snmp-server enable traps sbc svc-state
snmp-server enable traps sbc qos-statistics
snmp-server enable traps mpls rfc vpn
!
!
!
!
!
control-plane
!
!
!
!
!
banner motd welcome to dc1
no parser cache
no parser cache
no parser cache
no parser cache
no parser cache
no parser cache
!
! Terminal lines. Remote access is limited to SSH on all VTY lines.
! NOTE(review): `exec-timeout 0 0` disables the idle timeout on the console and on
! VTY 0-4, so an abandoned privileged session stays open indefinitely; set a finite
! timeout. No `access-class` is applied to the VTY lines, so any source that can
! reach the device may attempt an SSH login.
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 80
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
nat64 translation timeout udp 300
nat64 translation timeout tcp 3700
! NOTE(review): a single public NTP source with no NTP authentication configured.
! It is referenced by hostname while `no ip domain lookup` is set earlier in this
! configuration - confirm the name actually resolves, since log timestamps and
! certificate validity checks depend on correct time.
ntp server time.google.com
!
!
time-range abc
absolute start 09:00 30 January 2024
!
!
!
!
!
!
telemetry ietf subscription 294967232
filter xpath /utd-ios-xe-events:utd-con
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967233
filter xpath /red-app-events:red-event
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967234
filter xpath /sse-ios-xe-events:sse-tunnel-params-absent
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967240
filter xpath /crypto-pki-ios-xe-events:pki-certificate-event
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967243
filter xpath /crypto-pki-ios-xe-events:pki-certificate-expiry
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967245
filter xpath /ospf-ios-xe-events:ospfv3-nbr-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967246
filter xpath /ospf-ios-xe-events:ospfv3-if-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967258
filter xpath /ios-events-ios-xe-oper:usb-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967259
filter xpath /ios-events-ios-xe-oper:tempsensor-state
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967260
filter xpath /ios-events-ios-xe-oper:tempsensor-fault
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967261
filter xpath /ios-events-ios-xe-oper:system-reboot-issued
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967262
filter xpath /ios-events-ios-xe-oper:system-reboot-complete
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967263
filter xpath /ios-events-ios-xe-oper:system-logout-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967264
filter xpath /ios-events-ios-xe-oper:system-login-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967265
filter xpath /ios-events-ios-xe-oper:system-aaa-login-fail
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967267
filter xpath /ios-events-ios-xe-oper:sfp-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967271
filter xpath /ios-events-ios-xe-oper:pem-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967272
filter xpath /ios-events-ios-xe-oper:pem-fault
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967273
filter xpath /ios-events-ios-xe-oper:ospf-neighbor-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967274
filter xpath /ios-events-ios-xe-oper:ospf-interface-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967275
filter xpath /ios-events-ios-xe-oper:memory-usage
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967276
filter xpath /ios-events-ios-xe-oper:interface-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967277
filter xpath /ios-events-ios-xe-oper:interface-admin-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967280
filter xpath /ios-events-ios-xe-oper:fantray-fault
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967281
filter xpath /ios-events-ios-xe-oper:fan-fault
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967283
filter xpath /ios-events-ios-xe-oper:disk-usage
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967289
filter xpath /ios-events-ios-xe-oper:cpu-usage
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967293
filter xpath /ios-events-ios-xe-oper:bgp-peer-state-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 294967295
filter xpath /ios-events-ios-xe-oper:aaa-admin-pwd-change
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967244
filter xpath /ios-events-ios-xe-oper:utd-file-analysis-status-event
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967245
filter xpath /ios-events-ios-xe-oper:utd-file-reputation-status-event
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967246
filter xpath /ios-events-ios-xe-oper:utd-file-analysis-file-upload-state
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967247
filter xpath /ios-events-ios-xe-oper:utd-file-reputation-retrospective-alert
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967248
filter xpath /ios-events-ios-xe-oper:utd-file-reputation-alert
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967253
filter xpath /im-events-ios-xe-oper:im-event
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967255
filter xpath /ios-events-ios-xe-oper:utd-version-mismatch
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967256
filter xpath /ios-events-ios-xe-oper:utd-update
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry ietf subscription 2094967257
filter xpath /ios-events-ios-xe-oper:utd-ips-alert
stream rfc5277
update-policy on-change
receiver name confd-rfc5277
telemetry receiver protocol confd-rfc5277
host ip-address 0.0.0.0 0
protocol rfc5277
! Enables the NETCONF/YANG management interface with the candidate datastore.
! NOTE(review): this is an additional privileged management plane; no source
! restriction for it is visible in this configuration - limit which management
! hosts can reach it.
netconf-yang
netconf-yang feature candidate-datastore
sd-routing
no ipv6-strict-control
organization-name vmng-scale-ind-gs
site-id 46
sp-organization-name vmng-scale-ind
system-ip 89.7.1.2
vbond name vbond1
vbond port 12346
wan-interface TenGigabitEthernet0/0/6
end
Configuration example for DC2
!
! Last configuration change at 09:33:38 UTC Tue Nov 26 2024 by admin
!
version 17.15
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform hardware throughput crypto 10G
!
hostname DC2
!
boot-start-marker
boot system bootflash:c8000aep-universalk9.BLD_V1715_THROTTLE_LATEST_20240503_033217_V17_15_0_33.SSA.bin
! Warning: booting with bundle mode will be deprecated in the near future. Migration to install mode is required.
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition abc
rd 1:102
!
address-family ipv4
exit-address-family
!
! Console logging is off. NOTE(review): no `logging buffered` or `logging host` line
! appears in the part of the DC2 configuration shown here - confirm where log
! records are retained.
logging count
logging queue-limit 10000
no logging console
aaa new-model
!
!
! Login authentication and exec authorization use the local user database only.
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
! NOTE(review): list "abcd" points at group radius; no RADIUS server stanza is
! visible in the part of the configuration shown - verify it exists.
aaa authorization network abcd group radius
aaa accounting send stop-record authentication failure vrf Mgmt-intf
aaa accounting delay-start all
aaa accounting update periodic 600
!
!
aaa session-id common
!
!
subscriber templating
!
ip host vbond1 70.70.70.125
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
parameter-map type inspect-global
log flow-export v9 udp destination 10.10.10.10 5000
log flow-export template timeout-rate 10
log dropped-packets
alert on
parameter-map type inspect param_udp
udp idle-time 30000
udp half-open idle-time 2147480
session packet 100
!
!
! Self-signed device certificate; revocation checking is off for it, which is usual
! for a self-signed trustpoint.
crypto pki trustpoint TP-self-signed-1968733516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1968733516
revocation-check none
rsakeypair TP-self-signed-1968733516
hash sha256
!
! Licensing trustpoint imported as PKCS#12, with CRL revocation checking.
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
! Trustpoint "abc" enrols through a registration authority; its certificate chain
! later in this configuration is empty, so no certificate has been installed for it.
crypto pki trustpoint abc
enrollment mode ra
revocation-check crl
hash sha256
!
!
crypto pki certificate chain TP-self-signed-1968733516
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393638 37333335 3136301E 170D3234 30323238 31373435
34385A17 0D333430 32323731 37343534 385A3031 312F302D 06035504 030C2649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39363837
33333531 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100A12B AF986270 60FFB615 41823589 8E4A3894 A46368EA 0705424C
FF0FFE36 416F0C63 8FC7F3CA 0B41212E C95B60CA 0BB76432 94EF8E4A 5BC67772
66E97B40 11719265 D818E587 C0DEE948 0102856A 328269B8 10A35C87 E5772AE0
AEC9B85A 4A0521DC EE6CFCAA 0333F949 5C55591F 71DDD9C0 5722E9B1 A67F4395
8A256589 9DD57A66 80728510 3472BB37 6F989BB3 780475A7 3B13667D 03F01A0C
34633540 04C8652E 7CFB1CB6 2F301650 61A9C91F 53A2DB17 9F4862F7 15E9DFF2
1DC4D85E 6D0D617E DE12ED1A E0F090AF 646B8D61 0922E051 FAA00E9C 1F1C4919
37CA9CFF 72BB3435 3BB3D5E7 1539D328 2281FD8F 7DA9AE0F 177FD51B 7673276A
9B75C222 77BD0203 010001A3 53305130 1D060355 1D0E0416 04149575 2E60249C
B9D5693A 9A50BC77 8C2537BC 06E5301F 0603551D 23041830 16801495 752E6024
9CB9D569 3A9A50BC 778C2537 BC06E530 0F060355 1D130101 FF040530 030101FF
300D0609 2A864886 F70D0101 0B050003 82010100 7FA15E42 FCCAC9A3 EE10510D
1DA40D11 6114A893 F374628B A7FA0904 0FE6FCA7 8DD207D6 70C75090 AE344A1B
7AE40766 648C25B0 966CDEEA 70E8C799 431A870D D5224F3F 6A36D04B 0CC323B2
751F079C EBB8313E D219A890 567A175B 85038D71 EE364C09 0D98B111 BE49D520
B5D322DB 3DECC14F A38C3661 1A83D9F8 9D87AE24 97326215 96ECFDC8 A2461EE9
ED5130BE 6EC8B0E1 28C0A74B C296B1F2 1D77B7E2 A321AE3B 32F51808 2AA201C4
8B858D6B 431BCA9A 6A9F92B9 5CF67AA3 A94433AD B3C9D7CF FBDF9C58 9371D1C9
6EE47A96 E22D1ED5 5F176976 426916E9 35B08A75 4873F185 87AC85E1 5D8B9F2B
7378E089 48C1E832 DADC85BF BDEAF5D0 FEA75FAC
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain abc
!
!
!
!
!
!
!
!
!
license udi pid C8500-12X4QC sn TTM262304SQ
license boot level network-advantage
!
!
!
!
!
object-group network dest_og_10043
range 1.1.9.0 1.1.10.0
!
memory free low-watermark processor 682127
hw-module subslot 0/1 mode 10G
hw-module subslot 0/2 mode 40G
hw-module subslot 0/2 breakout none port all
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
! NOTE(review): this type 9 hash (salt included) is identical to the admin entry in
! the DC1 example, i.e. the same credential is copied across both devices, and it
! is published on this page. Use distinct, freshly generated secrets per device.
username admin privilege 15 secret 9 $9$PSlkFl7oqMoQBE$cpeqITQ6XgUkxXzR7dhCtqrXXGD/owBl/NRdvf6XZBo
!
redundancy
mode none
!
!
!
!
!
!
!
cdp holdtime 190
cdp run
!
!
class-map match-all abc
!
zone security ZBFW
!
! NOTE(review): wildcard pre-shared key - accepted for every peer address, with a
! trivially guessable value stored in clear text. Use unique high-entropy keys per
! peer (or certificate authentication) and encrypt stored keys with
! `key config-key password-encrypt` plus `password encryption aes`.
crypto keyring GS-GRE:ISAKMPKEY
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
! Keyring scoped to the management VRF and a single peer address.
! NOTE(review): the key is five lowercase letters, also in clear text - too short
! for a pre-shared key.
crypto keyring try1 vrf Mgmt-intf
pre-shared-key address 10.10.10.10 key iuyju
!
!
!
!
!
! IKEv1 (ISAKMP) proposals. The lower policy number is preferred, so policy 1
! (AES-128) is offered ahead of policy 10 (AES-256).
! NOTE(review): `hash sha` is SHA-1 in both policies; prefer a SHA-2 hash
! (for example `hash sha256`) and consider IKEv2 for new designs.
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 14
!
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
! NOTE(review): global wildcard pre-shared key with a guessable value; any peer
! address can authenticate with it.
crypto isakmp key cisco address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 5
! `match identity address 0.0.0.0` matches every peer address, so the profile does
! not narrow who may use the keyring.
crypto isakmp profile GS-GRE:ISAKMP
keyring GS-GRE:ISAKMPKEY
match identity address 0.0.0.0
!
! Volume-based SA rekeying is disabled, leaving only the time-based lifetime
! (not set here, so presumably the platform default). Anti-replay window is 1024.
crypto ipsec security-association lifetime kilobytes disable
crypto ipsec security-association replay window-size 1024
!
! NOTE(review): all three transform sets authenticate with esp-sha-hmac
! (HMAC-SHA-1); transform set IPSEC also uses AES-128. Prefer a SHA-2 integrity
! transform.
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set GS-GRE:TRANSFORMSET esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set GS11 esp-aes 256 esp-sha-hmac
mode tunnel
! The built-in default transform set is removed, so only the named sets are usable.
no crypto ipsec transform-set default
!
crypto ipsec profile GS-GRE:IPSEC
set transform-set GS-GRE:TRANSFORMSET
set isakmp-profile GS-GRE:ISAKMP
!
! Profile applied to Tunnel13 and Tunnel15 in this DC2 configuration.
! NOTE(review): it selects the AES-128 transform set and names no ISAKMP profile,
! so these tunnels presumably authenticate with the global wildcard ISAKMP key.
! Neither profile has a `set pfs` line.
crypto ipsec profile IPSEC
set transform-set IPSEC
!
!
!
!
!
!
!
!
!
!
interface Loopback1
no ip address
ipv6 address <removed> link-local
!
interface Loopback10
ip address <removed>
ipv6 address <removed>
!
interface Port-channel11
no ip address
no negotiation auto
!
interface Port-channel11.107
zone-member security ZBFW
!
interface Port-channel20
ip address <removed>
ipv6 address <removed>
!
interface Tunnel13
ip address <removed>
load-interval 30
ipv6 address <removed>
tunnel source TenGigabitEthernet0/0/0
tunnel destination 11.0.2.2
tunnel protection ipsec profile IPSEC
!
interface Tunnel15
ip address <removed>
load-interval 30
ipv6 address <removed>
tunnel source FortyGigabitEthernet0/2/0
tunnel destination 13.1.1.1
tunnel protection ipsec profile IPSEC
!
interface Tunnel1900
ip address <removed>
ip access-group try2 in
ip access-group try2 out
!
interface Tunnel2900
ip address negotiated
no ip redirects
tunnel mode ipv6ip 6rd
tunnel 6rd prefix 187:1:2::/64
!
interface TenGigabitEthernet0/0/0
ip address <removed>
no negotiation auto
cdp enable
!
interface TenGigabitEthernet0/0/1
no ip address
no negotiation auto
cdp enable
channel-group 20 mode active
!
interface TenGigabitEthernet0/0/2
no ip address
no negotiation auto
cdp enable
channel-group 20 mode active
!
interface TenGigabitEthernet0/0/3
no ip address
shutdown
no negotiation auto
cdp enable
!
interface TenGigabitEthernet0/0/4
no ip address
shutdown
no negotiation auto
cdp enable
!
interface TenGigabitEthernet0/0/5
no ip address
shutdown
no negotiation auto
cdp enable
ipv6 enable
!
interface TenGigabitEthernet0/0/6
description "Connected to GS switch Te1/10"
ip address <removed>
ip access-group try1 in
ip access-group try1 out
no negotiation auto
cdp enable
!
interface TenGigabitEthernet0/0/7
no ip address
shutdown
no negotiation auto
cdp enable
nat66 inside
!
! TenGigabitEthernet0/1/0-0/1/3: unused ports, administratively shut down.
interface TenGigabitEthernet0/1/0
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/1
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/2
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
no negotiation auto
!
! FortyGigabitEthernet0/2/0 is the source of Tunnel15. No ACL is applied to any
! of the 40G ports. 0/2/4 and 0/2/8 carry no IPv4 address but are not shut down.
interface FortyGigabitEthernet0/2/0
ip address <removed>
no negotiation auto
ipv6 address <removed>
!
interface FortyGigabitEthernet0/2/4
no ip address
no negotiation auto
!
interface FortyGigabitEthernet0/2/8
no ip address
no negotiation auto
ipv6 address <removed> link-local
!
! GigabitEthernet0: management port, kept in its own VRF (Mgmt-intf) so that
! management traffic uses a routing table separate from the data plane.
! NOTE(review): no ACL is applied on this port in the listing.
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address <removed>
negotiation auto
!
! VASI (VRF-Aware Software Infrastructure) left-side interfaces.
! vasileft1 carries IPv6 only and is not a member of any security zone.
interface vasileft1
no ip address
ipv6 address <removed> link-local
ipv6 address <removed>
no keepalive
!
! vasileft108 is a member of security zone ZBFW; the zone and its zone-pair
! policies are defined outside this part of the listing.
! NOTE(review): with a zone-based firewall, traffic between a zone member and an
! interface that belongs to no zone is normally dropped - confirm this is the
! intended behaviour for the interfaces above that have no zone-member line.
interface vasileft108
no ip address
zone-member security ZBFW
no keepalive
!
! BGP process for AS 65120. AS numbers are written in asdot notation
! ("bgp asnotation dot"), e.g. 64086.63112.
!
! Review notes for this stanza:
! - "no bgp enforce-first-as" turns off the check that the first AS in the
!   AS_PATH of an eBGP update is the sending peer's AS. Keep it disabled only if
!   a route server or similar design requires it.
! - "neighbor ... password" enables TCP MD5 authentication of the session.
!   Type 7 is a reversible encoding, not encryption, so the configuration file
!   itself has to be handled as a secret.
! - Neighbors 11.0.2.2, 12.0.2.2, 11:0:2::2 and 12:0:2::2 are eBGP peers
!   (remote-as 65001 / 65400) with no password configured here.
! - No inbound prefix-list, route-map or maximum-prefix limit is configured for
!   any neighbor in this stanza, so received routes are accepted unfiltered.
router bgp 65120
bgp router-id interface Loopback10
bgp asnotation dot
no bgp enforce-first-as
bgp log-neighbor-changes
no bgp default ipv4-unicast
no bgp default route-target filter
! Peer groups abc1 and trial have no members in this stanza.
neighbor abc1 peer-group
neighbor trial peer-group
neighbor trial remote-as 1.464
! IPSEC-GRETUNNEL is an iBGP peer group (remote-as equals the local AS). Its
! only member, 1.1.1.1, is not activated in any address family shown below.
neighbor IPSEC-GRETUNNEL peer-group
neighbor IPSEC-GRETUNNEL remote-as 65120
neighbor 11:0:2::2 remote-as 65001
neighbor 12:0:2::2 remote-as 65400
neighbor 1.1.1.1 peer-group IPSEC-GRETUNNEL
neighbor 172:16:14::1 remote-as 64086.63112
neighbor 172:16:14::1 password 7 <removed>
neighbor 172:16:16::1 remote-as 64086.63116
neighbor 172:16:16::1 password 7 <removed>
neighbor 172:16:17::1 remote-as 64086.63117
neighbor 172:16:17::1 password 7 <removed>
neighbor 11.0.2.2 remote-as 65001
neighbor 12.0.2.2 remote-as 65400
neighbor 172.16.14.1 remote-as 64086.63112
neighbor 172.16.14.1 password 7 <removed>
neighbor 172.16.16.1 remote-as 64086.63116
neighbor 172.16.16.1 password 7 <removed>
neighbor 172.16.17.1 remote-as 64086.63117
neighbor 172.16.17.1 password 7 <removed>
!
! IPv4 unicast: advertises 10.255.1.5/32 and originates a default route to
! every activated neighbor except 12.0.2.2.
address-family ipv4
network 10.255.1.5 mask 255.255.255.255
neighbor 11.0.2.2 activate
neighbor 11.0.2.2 default-originate
neighbor 12.0.2.2 activate
neighbor 172.16.14.1 activate
neighbor 172.16.14.1 default-originate
neighbor 172.16.16.1 activate
neighbor 172.16.16.1 default-originate
neighbor 172.16.17.1 activate
neighbor 172.16.17.1 default-originate
maximum-paths 4
exit-address-family
!
! IPv6 unicast: same pattern. The only routing policy in the stanza is the
! outbound route-map SET_NH2_v6 towards 172:16:16::1.
address-family ipv6
maximum-paths 4
network 10:255:1::5/128
neighbor 11:0:2::2 activate
neighbor 11:0:2::2 default-originate
neighbor 12:0:2::2 activate
neighbor 172:16:14::1 activate
neighbor 172:16:14::1 default-originate
neighbor 172:16:16::1 activate
neighbor 172:16:16::1 default-originate
neighbor 172:16:16::1 route-map SET_NH2_v6 out
neighbor 172:16:17::1 activate
neighbor 172:16:17::1 default-originate
exit-address-family
!
! VRF "abc": one neighbor in AS 100, keepalive 10 s / hold time 20 s
! (minimum accepted hold time 20 s). No password or route filter is set.
address-family ipv4 vrf abc
neighbor 1.1.5.5 remote-as 100
neighbor 1.1.5.5 timers 10 20 20
neighbor 1.1.5.5 activate
exit-address-family
!
! Global IP services and static routes.
ip forward-protocol nd
!
! TFTP is sourced from the management port. TFTP and FTP are unencrypted, and
! the type 7 FTP password is a reversible encoding rather than encryption.
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip ftp password 7 <removed>
! "ip http server" enables the clear-text HTTP server alongside the HTTPS
! server; logins use the local user database.
! NOTE(review): if only HTTPS is needed, "no ip http server" removes the
! clear-text listener. No "ip http access-class" restriction is shown in this
! part of the listing.
ip http server
ip http authentication local
ip http secure-server
ip ssh bulk-mode 131072
ip route 70.70.70.0 255.255.255.0 115.1.1.1
ip route 100.100.100.0 255.255.255.0 11.0.2.2
! Default route for the management VRF only.
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 11.3.0.1
!
! HBN-additional: permit list for BGP, several UDP port ranges and selected
! ICMP types. No interface in this part of the listing references it.
! Review notes:
! - Entry 5 permits TCP/179 from any source; it could be limited to the
!   configured BGP peers.
! - Entry 25 uses source 0.0.0.0 with wildcard 255.255.255.0, which matches any
!   address whose last octet is 0. That looks unintended - confirm the source.
! - Entry 143 is placed after the ICMP permits. Non-initial fragments are
!   matched against the layer-3 part of earlier permit entries, so this deny
!   probably has to sit before entries 77-125 to take effect - verify.
ip access-list extended HBN-additional
5 permit tcp any any eq bgp
25 permit udp 0.0.0.0 255.255.255.0 range 3715 3764 any
35 permit udp any range 3714 3735 any
45 permit udp any any eq 16387
55 permit udp any any eq 19678
77 permit icmp any any echo-reply
85 permit udp any any range 12434 22464
95 permit icmp any any unreachable
105 permit icmp any any packet-too-big
115 permit icmp any any ttl-exceeded
125 permit icmp any any traceroute
135 permit udp any any eq 948
143 deny icmp any any fragments
! try1 and try2 permit everything. Applied to TenGigabitEthernet0/0/6 and
! Tunnel1900 they provide no filtering; entry 10 of try1 is already covered by
! entry 20.
ip access-list extended try1
10 permit tcp any any
20 permit ip any any
ip access-list extended try2
10 permit ip any any
! try9 has no entries.
ip access-list extended try9
! Lets ACLs match traffic generated by the router itself.
ip access-list match-local-traffic
! Syslog severity for remote logging is "debugging" (the most verbose level),
! facility local1. No "logging host" line appears in this part of the listing.
logging trap debugging
logging facility local1
! NOTE(review): this route sits in the management VRF but resolves its next hop
! in the default (global) table, which creates a path between the management
! and data planes - confirm that this is intended.
ipv6 route vrf Mgmt-intf 8888:1111::/96 1818:1111::3 nexthop-vrf default
! Rewrites the IPv6 next hop; used outbound towards BGP neighbor 172:16:16::1.
route-map SET_NH2_v6 permit 10
set ipv6 next-hop 172:16:16::2
!
! SNMP: a location string and trap types are enabled. No community, SNMPv3
! user/group or "snmp-server host" trap receiver appears in this part of the
! listing.
! NOTE(review): the location string names a real site; scrub it, like the
! addresses, before publishing a configuration.
snmp-server location USA-CCL-Doral(DCE)-DC
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
!
!
!
!
!
! IPv6 ACL "abcd": permits all ICMPv6 between any hosts.
ipv6 access-list fqdn abcd
sequence 10 permit icmp any any
!
! The control-plane stanza is empty: no service-policy (control-plane policing)
! is attached, so traffic punted to the route processor is not rate-limited here.
control-plane
!
!
!
!
!
! Operator shortcut: "util" expands to the QFP datapath utilization summary.
alias exec util show plat hard qfp act data util sum
no parser cache
!
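! Console, auxiliary and VTY (remote login) lines.
! The idle timeout is 10 minutes on the console and VTY lines. The original
! "exec-timeout 0 0" disables the timeout, so an abandoned session (possibly a
! privileged one) stays open indefinitely.
line con 0
exec-timeout 10 0
stopbits 1
line aux 0
! VTY 0-4: inbound SSH only, no outbound sessions from the router.
! NOTE(review): no "access-class" restricts which source addresses may connect,
! and only lines 0-4 are configured here - check any additional VTY lines.
line vty 0 4
exec-timeout 10 0
transport input ssh
transport output none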
!
! Call-home (Smart Call Home): profile CiscoTAC-1 is active and reports over HTTP
! transport. "service call-home" is enabled at the top of the configuration.
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
! Global NAT66 prefix translation (not part of call-home), bound to the
! management VRF.
nat66 prefix inside 7777:1111::/96 outside 1818:1111::/96 vrf Mgmt-intf
!
! Time range "abc": starts 31 January 2025 09:00 and has no end time. Nothing
! in this part of the listing references it.
time-range abc
absolute start 09:00 31 January 2025
!
! WSMA (Web Services Management Agent) agents for exec, config, filesystem and
! notify operations, each bound to a profile (hello3, abc1, cdef).
! NOTE(review): the profiles are defined outside this part of the listing.
! These agents allow remote command execution, configuration changes and file
! access, so confirm that each profile uses an encrypted transport and is
! reachable only from management hosts.
wsma agent exec
profile hello3
!
wsma agent config
profile abc1
!
wsma agent filesys
profile cdef
!
wsma agent notify
profile hello3
!
!
! Enables the NETCONF/YANG programmable interface with the candidate datastore.
! NETCONF runs over SSH and grants full configuration access to authenticated
! users.
! NOTE(review): no source restriction is shown. A NETCONF SSH access list,
! "netconf-yang ssh ipv4 access-list name <ACL-NAME>" (placeholder name), can
! limit it to management hosts.
netconf-yang
netconf-yang feature candidate-datastore
end