
interface

vpn interface—Configure an interface within a VPN.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► VPN Interface Bridge
Configuration ► Templates ► VPN Interface Cellular (for vEdge cellular wireless routers only)
Configuration ► Templates ► VPN Interface Ethernet
Configuration ► Templates ► VPN Interface GRE
Configuration ► Templates ► VPN Interface IPsec
Configuration ► Templates ► VPN Interface NAT Pool
Configuration ► Templates ► VPN Interface PPP
Configuration ► Templates ► VPN Interface PPP Ethernet

Command Hierarchy

vpn vpn-id 
  interface interface-name    
    access-list acl-list (on vEdge routers only)
    arp (on vEdge routers only)
      ip ip-address mac mac-address    
    arp-timeout seconds (on vEdge routers only)
    autonegotiate (on vEdge routers only)
    bandwidth-downstream kbps (on vEdge routers and vManage NMSs only)
    bandwidth-upstream kbps (on vEdge routers and vManage NMSs only)
    block-non-source-ip (on vEdge routers only)
    clear-dont-fragment
    dead-peer-detection interval seconds retries number
    description text
    dhcp-helper ip-address (on vEdge routers only)
    dhcp-server (on vEdge routers only)
      address-pool prefix/length
      exclude ip-address
      lease-time seconds
      max-leases number
      offer-time minutes
      options
        default-gateway ip-address
        dns-servers ip-address
        domain-name domain-name
        interface-mtu mtu
        tftp-servers ip-address
      static-lease mac-address ip ip-address host-name hostname
    dot1x
      accounting-interval seconds
      acct-req-attr attribute-number (integer integer | octet octet | string string)
      auth-fail-vlan vlan-id
      auth-order (mab | radius)
      auth-reject-vlan vlan-id
      auth-req-attr attribute-number (integer integer | octet octet | string string)
      control-direction direction
      das
        client ip-address
        port port-number
        require-timestamp
        secret-key password
        time-window seconds
        vpn vpn-id
      default-vlan vlan-id
      guest-vlan vlan-id
      host-mode (multi-auth | multi-host | single-host)
      mac-authentication-bypass
        allow mac-addresses
        server
      nas-identifier string
      nas-ip-address ip-address
      radius-servers tag
      reauthentication minutes
      timeout 
        inactivity minutes
      wake-on-lan
    duplex (full | half)
    flow-control (bidirectional | egress | ingress)
    icmp-redirect-disable
    ike
      authentication-type type
        local-id id
        pre-shared-secret password 
        remote-id id
      cipher-suite suite
      group number
      mode mode
      rekey-interval seconds
      version number
    (ip address prefix/length | ip dhcp-client [dhcp-distance number])
    (ipv6 address prefix/length | ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit])
    ip address-list prefix/length (on vSmart containers only)
    ip secondary-address ipv4-address (on vEdge routers only)
    ipsec 
      cipher-suite suite
      perfect-forward-secrecy pfs-setting      
      rekey-interval seconds
      replay-window number
    keepalive seconds retries (on vEdge routers only)
    mac-address mac-address    
    mtu bytes 
    nat (on vEdge routers only)
      block-icmp-error
      direction (inside | outside)
      log-translations
      [no] overload 
      port-forward port-start port-number1 port-end port-number2
        proto (tcp | udp) private-ip-address ip address private-vpn vpn-id
      refresh (bi-directional | outbound)
      respond-to-ping
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
      static source-ip ip-address1 translate-ip ip-address2 source-vpn vpn-id protocol (tcp | udp) source-port number translate-port number
      tcp-timeout minutes
      udp-timeout minutes
    pmtu (on vEdge routers only)
    policer policer-name (on vEdge routers only)
    ppp (on vEdge routers only)
      ac-name name
      authentication (chap | pap) hostname name password password 
    pppoe-client (on vEdge routers only)
      ppp-interface name 
    profile profile-id (on vEdge routers only)
    qos-map name (on vEdge routers only)
    rewrite-rule name (on vEdge routers only)
    shaping-rate name (on vEdge routers only)
    shutdown
    speed speed 
    static-ingress-qos number (on vEdge routers only)
    tcp-mss-adjust bytes
    technology technology (on vEdge routers only)
    tloc-extension interface-name (on vEdge routers only)
    tracker tracker-name (on vEdge routers only)
    tunnel-interface 
      allow-service service-name
      bind geslot/port (on vEdge routers only)
      carrier carrier-name 
      color color [restrict]
      connections-limit number
      encapsulation (gre | ipsec) (on vEdge routers only)
        preference number     
        weight number
      hello-interval milliseconds
      hello-tolerance seconds
      low-bandwidth-link (on vEdge routers only)
      max-control-connections number (on vEdge routers only)
      nat-refresh-interval seconds
      vmanage-connection-preference number (on vEdge routers only)
    tunnel-destination ip-address (GRE interfaces; on vEdge routers only)
    tunnel-destination (dns-name | ipv4-address) (IPsec interfaces; on vEdge routers only)
    (tunnel-source ip-address | tunnel-source-interface interface-name) (GRE interfaces; on vEdge routers only)
    (tunnel-source ip-address | tunnel-source-interface interface-name) (IPsec interfaces; on vEdge routers only)
    upgrade-confirm minutes
    vrrp group-name (on vEdge routers only)
      priority number
      timer seconds
      track-omp

Options

Interface Name
interface-name
Name of the interface.
On vSmart controllers, interface-name can have one of the following formats: ethslot/port, loopbackstring, or mgmtnumber. If you specify the interface name in any other format, the CLI reports a failure when you issue the validate or commit command. No error is reported as you are typing the interface configuration command.
On vEdge routers, interface-name can have one of the following formats: geslot/port, grenumber, ipsecnumber, loopbackstring, mgmtnumber, natpoolnumber, or pppnumber. If you specify the interface name in any other format, the CLI reports a failure when you issue the validate or commit command. No error is reported as you are typing the interface configuration command.
For GRE interfaces, number can be 1 through 255.
For IPsec interfaces, number can be 1 through 255.
For loopback interfaces, string can be any alphanumeric value and can include underscores (_) and hyphens (-). The total interface name can be a maximum of 16 characters long (including the string "loopback").
For NAT pool interfaces, number can be 1 through 31.
For IEEE 802.1Q VLANs, interface-name can have the format geslot/port.vlan-number, where vlan-number can be in the range 1 through 4094. To enable VLAN interfaces, activate the physical interface in VPN 0, and then enable the VLAN in the desired VPN. You can place the VLANs associated with a physical interface into multiple VPNs.
You can configure up to 512 interfaces on a Viptela device. This number includes physical interfaces, loopback interfaces, and subinterfaces.
A particular interface can be present only in one VPN.
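
Because the CLI reports a bad interface name only at validate or commit time, the naming rules above can be checked before a configuration is pushed. The following is an added example, not Viptela code; the function names and the sample configuration are constructed for illustration, and it covers the vEdge formats only.

```python
import re

# Formats and ranges are the vEdge ones listed above. The page states no range
# for slot, port, mgmt or ppp numbers, so any decimal value is accepted there
# (assumption), and the loopback string is assumed to be non-empty.
_GE = re.compile(r"ge[0-9]+/[0-9]+(?:\.([0-9]+))?")
_NUMBERED = re.compile(r"(gre|ipsec|natpool|mgmt|ppp)([0-9]+)")
_LOOPBACK = re.compile(r"loopback[A-Za-z0-9_-]+")
_RANGES = {"gre": (1, 255), "ipsec": (1, 255), "natpool": (1, 31)}

def check_vedge_interface_name(name):
    """Return None when the name is valid, otherwise a description of the problem."""
    m = _GE.fullmatch(name)
    if m:
        vlan = m.group(1)  # present only for 802.1Q subinterfaces (geslot/port.vlan)
        if vlan is not None and not 1 <= int(vlan) <= 4094:
            return f"VLAN number {vlan} is outside 1-4094"
        return None
    m = _NUMBERED.fullmatch(name)
    if m:
        kind, number = m.group(1), int(m.group(2))
        # Kinds without a documented range (mgmt, ppp) always pass this check.
        low, high = _RANGES.get(kind, (0, number))
        if not low <= number <= high:
            return f"{kind} number {number} is outside {low}-{high}"
        return None
    if _LOOPBACK.fullmatch(name):
        # The 16-character limit includes the literal prefix "loopback".
        return None if len(name) <= 16 else "loopback name exceeds 16 characters"
    return "not a vEdge interface name format"

def lint_config(text):
    """Return [(line_number, name, problem)] for invalid 'interface' statements."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) == 2 and words[0] == "interface":
            problem = check_vedge_interface_name(words[1])
            if problem:
                findings.append((lineno, words[1], problem))
    return findings

# Constructed sample configuration: lines 3, 4 and 5 break a rule.
SAMPLE = """vpn 0
 interface ge0/0
 interface ge0/1.5000
 interface gre256
 interface loopback_management1
 interface natpool7
"""
```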

Example

Configure a tunnel interface in VPN 0 on a vEdge router:

vEdge# show running-config vpn 0
vpn 0
 interface ge0/0
  ip address 10.1.15.15/24
  tunnel-interface
   color lte
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  speed        100
  no shutdown
  shaping-rate 100000
 !
!
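
The allow-service lines in a running configuration like the one above can be audited against a site's approved list. This is an added example, not Viptela code: the function names are hypothetical, the approved set is an assumed site policy, and the sample is the configuration above plus a constructed ge0/2 interface.

```python
def tunnel_services(config):
    """Map (vpn, interface) to the services each tunnel-interface allows or denies."""
    result, vpn, iface, in_tunnel = {}, None, None, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith("vpn ") and len(words) == 2:
            vpn, iface, in_tunnel = words[1], None, False
        elif words[0] == "interface" and len(words) == 2:
            iface, in_tunnel = words[1], False
        elif words[0] == "tunnel-interface" and iface:
            in_tunnel = True
            result[(vpn, iface)] = {"allowed": set(), "denied": set()}
        elif words[0] == "!":
            in_tunnel = False  # "!" closes the current block
        elif in_tunnel and len(words) >= 2 and words[-2] == "allow-service":
            # "allow-service X" permits X; "no allow-service X" denies it.
            key = "denied" if words[0] == "no" else "allowed"
            result[(vpn, iface)][key].add(words[-1])
    return result

def unapproved(config, approved):
    """Return sorted (vpn, interface, service) triples allowed but not approved."""
    return sorted((v, i, s)
                  for (v, i), svc in tunnel_services(config).items()
                  for s in svc["allowed"] - set(approved))

# The ge0/0 block follows the example above; ge0/2 is constructed.
SAMPLE_CONFIG = """vpn 0
 interface ge0/0
  ip address 10.1.15.15/24
  tunnel-interface
   color lte
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/2
  tunnel-interface
   allow-service sshd
   allow-service icmp
  !
 !
!
"""
```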

Configure an interface in VPN 0 on a vEdge router with the PPPoE client:

vpn 0
 interface ge0/1
  pppoe-client ppp-interface ppp1
  no shutdown
 !
!

Release Information

Command introduced in Viptela Software Release 14.1.
In Release 15.3, added support for the natpool interface type.
In Release 15.3.3, added support for ppp interfaces.
In Release 15.4.1, added support for GRE interfaces.
In Release 17.1, added support for IPsec interfaces.

Additional Information

See the Configuring Interfaces article for your software release.
