Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

vpn

vpn— Configure VPNs to use for segmentation of the Viptela overlay network.

vManage Feature Template

Configuration ► Templates ► VPN Interface Bridge
Configuration ► Templates ► VPN Interface Cellular (for vEdge cellular wireless routers only)
Configuration ► Templates ► VPN Interface Ethernet
Configuration ► Templates ► VPN Interface GRE
Configuration ► Templates ► VPN Interface IPsec
Configuration ► Templates ► VPN Interface NAT Pool
Configuration ► Templates ► VPN Interface PPP
Configuration ► Templates ► VPN Interface PPP Ethernet

Command Hierarchy

vpn vpn-id
  bandwidth-downstream kbps (on vEdge routers and vManage NMSs only)
  bandwidth-upstream kbps (on vEdge routers and vManage NMSs only)
  dns ip-address [primary | secondary]
  ecmp-hash-key layer4 (on vEdge routers only)
  ​host hostname ip ip-address  
  interface interface-name    
    access-list acl-list (on vEdge routers only)
    arp 
      ip ip-address mac mac-address    
    arp-timeout seconds (on vEdge routers only)
    autonegotiate (on vEdge routers only)
    block-non-source-ip (on vEdge routers only)
    clear-dont-fragment
    dead-peer-detection interval seconds retries number
    description text
    dhcp-helper ip-address (on vEdge routers only)
    dhcp-server (on vEdge routers only)
      address-pool prefix/length
      exclude ip-address
      lease-time seconds
      max-leases number
      offer-time minutes
      options
        default-gateway ip-address
        dns-servers ip-address
        domain-name domain-name
        interface-mtu mtu
        tftp-servers ip-address
      static-lease mac-address ip ip-address host-name hostname
    dot1x
      accounting-interval seconds
      acct-req-attr attribute-number (integer integer | octet octet | string string)
      auth-fail-vlan vlan-id
      auth-order (mab | radius)
      auth-reject-vlan vlan-id
      auth-req-attr attribute-number (integer integer | octet octet | string string)
      control-direction direction
      das
        client ip-address
        port port-number
        require-timestamp
        secret-key password
        time-window seconds
        vpn vpn-id
      default-vlan vlan-id
      guest-vlan vlan-id
      host-mode (multi-auth | multi-host | single-host)
      mac-authentication-bypass
        allow mac-addresses
        server
      nas-identifier string
      nas-ip-address ip-address
      radius-servers tag
      reauthentication minutes
      timeout 
        inactivity minutes
      wake-on-landuplex (full | half) 
    flow-control (bidirectional | egress | ingress) 
    ike (on vEdge routers only)
      authentication-type type
        local-id id
        pre-shared-secret password
        remote-id id
      cipher-suite suite
      group number
      mode mode
      rekey seconds
      version number
    (ip address prefix/length | ip dhcp-client [dhcp-distance number])
    (ipv6 address prefix/length | ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit])
    ip address-list prefix/length (on vSmart controller containers only)
    ip secondary-address ipv4-address (on vEdge routers only)
    ipsec (on vEdge routers only)
      cipher-suite suite
      perfect-forward-secrecy pfs-setting
      rekey seconds
      replay-window number
    keepalive seconds retries (on vEdge routers only)
    mac-address mac-address    
    mtu bytes 
    nat (on vEdge routers only)
      block-icmp-error     
      direction (inside | outside)
      log-translations
      [no] overload 
      port-forward port-start port-number1 port-end port-number2
        proto (tcp | udp) private-ip-address ip address private-vpn vpn-id
      refresh (bi-directional | outbound)
      respond-to-ping
      static source-ip ip-address1 translate-ip ip-address2 (inside | outside)
      static source-ip ip-address1 translate-ip ip-address2 source-vpn vpn-id protocol (tcp | udp) source-port number translate-port number
      tcp-timeout minutes
      udp-timeout minutes
    pmtu (on vEdge routers only)
    policer policer-name (on vEdge routers only)
    ppp (on vEdge routers only)
      ac-name name
      authentication (chap | pap) hostname name password password 
    pppoe-client (on vEdge routers only)
      ppp-interface name 
    profile profile-id (on vEdge routers only)
    qos-map name (on vEdge routers only)
    rewrite-rule name (on vEdge routers only)
    shaping-rate name (on vEdge routers only)
    [no] shutdown
    speed speed 
    static-ingress-qos number (on vEdge routers only)
    tcp-mss-adjust bytes
    technology technology (on vEdge routers only)
    tloc-extension interface-name (on vEdge routers only)
    tracker tracker-name (on vEdge routers only)
    tunnel-interface 
      allow-service service-name
      bind geslot/port (on vEdge routers only)
      carrier carrier-name 
      color color [restrict]
      connections-limit number (on vManage NMSs only)
      encapsulation (gre | ipsec) (on vEdge routers only)
        preference number     
        weight number
      exclude-controller-group-list number (on vEdge routers only)
      hello-interval milliseconds
      hello-tolerance seconds
      last-resort-circuit (on vEdge routers only)
      low-bandwidth-link (on vEdge routers only)
      max-control-connections number (on vEdge routers only)
      nat-refresh-interval seconds
      vbond-as-stun-server (on vEdge routers only)
      vmanage-connection-preference number (on vEdge routers only)
    tunnel-destination ip-address (GRE interfaces; on vEdge routers only)
    tunnel-destination (dns-name | ipv4-address) (IPsec interfaces; on vEdge routers only)
    (tunnel-source ip-address | tunnel-source-interface interface-name) (GRE interfaces; on vEdge routers only)
    (tunnel-source ip-address | tunnel-source-interface interface-name) (IPsec interfaces; on vEdge routers only)
    upgrade-confirm minutes
    vrrp group-name (on vEdge routers only)
      priority number
      timer seconds
      track-omp
  ! end vpn interface
  ip route ip-address/subnet next-hop-address
  name text
  omp
    advertise (aggregate prefix [aggregate-only] | bgp | connected | network prefix | ospf type | static) (on vEdge routers only)
  router (on vEdge routers only)
    bgp ... 
    igmp ...
    multicast-replicator local
      threshold number 
    ospf ...
    pim ...
  service service-name address ip-address (on vEdge routers only)

Options

VPN Identifier
vpn-id
Numeric identifier of the VPN. VPN 0 is the transport VPN and is reserved for control plane traffic. VPN 512 is reserved for out-of-band management traffic.
Values: On vEdge routers: 0 through 65530
On Viptela controller devices: 0, 512

Operational Commands

show bgp commands (on vEdge routers only)
show interface commands
show multicast commands (on vEdge routers only)
show ospf commands (on vEdge routers only)
show pim commands (on vEdge routers only)

Example

Configure VPN 0, which is the transport VPN used to reach the WAN. Here, the vEdge router connects to the WAN over interface ge0/1.

vpn 0
 interface ge0/1
   ip address 10.2.6.11/24
     color default
     preference 10
     weight 10
   !
   no shutdown
   !
 ip route 0.0.0.0/0 10.2.6.12
!

Release Information

Command introduced in Viptela Software Release 14.1.​

Additional Information

See the System and Interfaces, Routing, and Segmentation articles for your software release.

  • Was this article helpful?