

vpn 0 interface tunnel-interface allow-service—Configure the services that are allowed to run over the WAN connection in VPN 0, which is the VPN that is reserved for control plane traffic. For other VPNs, use of these services is not restricted.

On a vEdge router, services that you configure on a tunnel interface act as implicit access lists (ACLs). If you explicitly configure ACLs on a tunnel interface with the policy access-list command, the handling of packets that match both implicit and explicit ACLs depends on the exact configuration. For more information, see the Configuring Localized Data Policy article for your software release.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► VPN Interface Cellular (for vEdge cellular wireless routers only)
Configuration ► Templates ► VPN Interface Ethernet
Configuration ► Templates ► VPN Interface PPP

Command Hierarchy

vpn 0
  interface interface-name
    tunnel-interface
      [no] allow-service service-name


Interface Type
Name of a physical interface. The services that you configure in allow-service commands apply only to physical interfaces, such as ge and eth interfaces. They do not apply to non-physical interfaces, such as loopback interfaces.
Type of Service
Type of service to allow or disallow on the WAN tunnel connection.
On vEdge routers, service-name can be all or one or more of bgp, dhcp, dns, https, icmp, netconf, ntp, ospf, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, HTTPS, and ICMP are enabled on a vEdge router tunnel interface.
On vSmart controllers, service-name can be all or one or more of dhcp, dns, icmp, netconf, ntp, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, and ICMP are enabled on a vSmart controller tunnel interface.
On vManage NMSs, service-name can be all or one or more of dhcp, dns, https, icmp, netconf, ntp, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, ICMP, and HTTPS are enabled on a vManage NMS tunnel interface. You cannot disallow the following services: DHCP, DNS, NTP, and STUN.
If you allow the NTP service on the WAN connection in VPN 0, you must configure the address of an NTP server with the system ntp command.
The allow-service stun command allows or disallows a Viptela device to send requests to a generic STUN server so that the device can determine whether it is behind a NAT and, if so, what kind of NAT it is and what the device's public IP address and public port number are. On a vEdge router that is behind a NAT, you can also have the tunnel interface discover its public IP address and port number from the vBond controller by configuring the vbond-as-stun-server command on the tunnel interface.
To configure more than one service, include multiple allow-service commands.
Configuring allow-service all overrides any commands that allow or disallow individual services.


Display the services that are enabled by default on the WAN connection:

vEdge# show running-config vpn 0 interface ge0/2 tunnel-interface | details 
vpn 0
 interface ge0/2
   encapsulation ipsec weight 1
   color lte
   max-controllers     2
   carrier             default
   hello-interval      1000
   hello-tolerance     12
   no allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service https
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
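As an added example (not Cisco or Viptela code), the following Python script parses the allow-service lines of the show running-config output above and computes which services are effectively reachable over the VPN 0 transport. It applies the rules stated in this article: the per-device defaults, the rule that allow-service all overrides the individual allow and disallow lines, and the vManage services that cannot be disallowed. The device-type keys (vedge, vsmart, vmanage) and the choice of which management-plane services to flag are the example's own; the sample input is the article's vEdge output, with two constructed variants.

```python
"""Audit which services a Viptela tunnel interface exposes on the VPN 0 transport.

Added example (not Cisco/Viptela code). Parses the allow-service lines of
`show running-config vpn 0 interface <name> tunnel-interface | details` and
applies the rules from the article: per-device defaults, `allow-service all`
overriding individual lines, and the vManage services that cannot be disallowed.
Device-type keys and the MANAGEMENT set are this example's own choices.
"""
import re

# Services that can be configured per device type (from the article).
SUPPORTED = {
    "vedge":   {"bgp", "dhcp", "dns", "https", "icmp", "netconf", "ntp", "ospf", "sshd", "stun"},
    "vsmart":  {"dhcp", "dns", "icmp", "netconf", "ntp", "sshd", "stun"},
    "vmanage": {"dhcp", "dns", "https", "icmp", "netconf", "ntp", "sshd", "stun"},
}
# Services enabled by default on a tunnel interface (from the article).
DEFAULTS = {
    "vedge":   {"dhcp", "dns", "https", "icmp"},
    "vsmart":  {"dhcp", "dns", "icmp"},
    "vmanage": {"dhcp", "dns", "icmp", "https"},
}
# Services the article says cannot be disallowed on vManage.
ALWAYS_ON = {"vmanage": {"dhcp", "dns", "ntp", "stun"}}
# Management-plane services worth reporting when reachable from the transport
# (the example's own choice of what to flag).
MANAGEMENT = {"sshd", "netconf", "https"}

ALLOW_RE = re.compile(r"^\s*(no\s+)?allow-service\s+(\S+)\s*$")


def parse_allow_service(config_text):
    """Return (all_flag, allowed, disallowed).

    all_flag is True for `allow-service all`, False for `no allow-service all`
    and None when neither line is present.
    """
    all_flag, allowed, disallowed = None, set(), set()
    for line in config_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        negated, service = m.group(1) is not None, m.group(2)
        if service == "all":
            all_flag = not negated
        elif negated:
            disallowed.add(service)
        else:
            allowed.add(service)
    return all_flag, allowed, disallowed


def effective_services(config_text, device="vedge"):
    """Services reachable over the transport after applying the article's rules."""
    all_flag, allowed, disallowed = parse_allow_service(config_text)
    if all_flag:
        # `allow-service all` overrides every individual allow/disallow line.
        effective = set(SUPPORTED[device])
    else:
        # `no allow-service all` is the normal state (see the sample output),
        # so start from the defaults and apply the explicit per-service lines.
        effective = (DEFAULTS[device] | (allowed & SUPPORTED[device])) - disallowed
    # vManage cannot disallow these, even if a `no allow-service` line says so.
    return effective | ALWAYS_ON.get(device, set())


def audit(config_text, device="vedge"):
    """Return (effective_services, findings) for a reviewer checking the config."""
    effective = effective_services(config_text, device)
    findings = []
    all_flag, _, _ = parse_allow_service(config_text)
    if all_flag:
        findings.append("allow-service all is set; individual allow/disallow lines are ignored")
    for service in sorted((effective & MANAGEMENT) - DEFAULTS[device]):
        findings.append(f"{service} is reachable on the VPN 0 transport (not a {device} default)")
    return effective, findings


# The vEdge output shown in the article (allow-service lines only).
PAGE_OUTPUT = """\
vpn 0
 interface ge0/2
   no allow-service all
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service https
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
"""
# Constructed variant: SSH has been opened on the transport.
SSH_OPENED = PAGE_OUTPUT.replace("no allow-service sshd", "allow-service sshd")
# Constructed variant: `allow-service all` has been configured.
ALL_OPENED = PAGE_OUTPUT.replace("no allow-service all", "allow-service all")

if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("ssh", SSH_OPENED), ("all", ALL_OPENED)):
        print(label, sorted(audit(text)[0]), audit(text)[1])
```

Run against the article's own output the audit reports no findings, because only the documented defaults are enabled; the constructed variants show how a single allow-service sshd line, or allow-service all, widens what is reachable from the transport.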

Release Information

Command introduced in Viptela Software Release 14.1.
Release 15.4 added the all, bgp, and ospf services, and support for the netconf service, on vEdge routers.
Release 16.3 added support for DHCPv6.
Release 18.1.1 added support for the https service on vEdge routers.
