
VPN

Use the VPN template for all Viptela devices: vEdge routers, vSmart controllers, and vManage NMSs.

To configure VPNs for network segmentation using vManage templates:

  1. Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
    For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
    • VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
    • VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
    • VPNs 1 through 511 and 513 through 65530—Service VPNs, for service-side data traffic on vEdge routers.
  2. Create interface feature templates to configure the interfaces in the VPN. See VPN-Interface-Ethernet.
  3. For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet.

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. To create a template for VPN 0 or VPN 512:
    1. Click the Transport & Management VPN tab located directly beneath the Description field, or scroll to the Transport & Management VPN section.
    2. From the VPN 0 or VPN 512 drop-down, click Create Template. The VPN template form displays. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN parameters.
  6. To create a template for VPNs 1 through 511, and 513 through 65530:
    1. Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
    2. Click the Service VPN drop-down.
    3. From the VPN drop-down, click Create Template. The VPN template form displays. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN parameters.

  7. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  8. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, each parameter that has a default value has its scope set to Default, and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following scopes:

Device Specific
    Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

    When you click Device Specific, the Enter Key box opens. This box displays a key, a unique string that identifies the parameter in a CSV file that you create (you can edit the file in a spreadsheet program). The file has one column for each key: the header row contains the key names, one key per column, and each row after that corresponds to a device and gives that device's values for the keys. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

    To change the default key, type a new string and move the cursor out of the Enter Key box.

    Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global
    Enter a value for the parameter, and apply that value to all devices to which the template is attached.

    Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
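As an added example (not Cisco or Viptela code), the following Python builds the variables CSV described above, one column per key and one row per device, and checks it before upload for the faults that would otherwise surface only when you attach the device template: a key column missing from the header, a blank cell, a system IP that does not parse, and (an assumption beyond this page) the same system IP on two devices. The key strings and device values are constructed placeholders, not vManage's own key names.

```python
# Added example, not Cisco/Viptela code: build the template-variables CSV
# described above (header row of keys, one row per device) and check it
# before upload. Key names and device values are constructed placeholders.
import csv
import io
from ipaddress import ip_address

KEYS = ["host_name", "system_ip", "site_id"]       # hypothetical key strings

DEVICES = [                                         # constructed sample devices
    {"host_name": "branch-1", "system_ip": "10.255.0.1", "site_id": "101"},
    {"host_name": "branch-2", "system_ip": "10.255.0.2", "site_id": "102"},
    {"host_name": "branch-3", "system_ip": "10.255.0.2", "site_id": ""},  # two faults
]


def build_csv(keys, devices) -> str:
    """One column per key, one row per device; a missing value is left blank."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=keys, lineterminator="\n")
    writer.writeheader()
    for dev in devices:
        writer.writerow({k: dev.get(k, "") for k in keys})
    return buf.getvalue()


def check_csv(text, keys) -> list:
    """Return the problems an attach would hit: a key column missing from the
    header, a blank cell, an unparsable system IP, or (assumption beyond this
    page) the same system IP on two devices."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    problems = [f"header lacks key {k}" for k in keys if k not in header]
    seen = {}                                       # system_ip -> first row using it
    for n, row in enumerate(reader, start=2):       # row 1 is the header
        cells = dict(zip(header, row))
        problems += [f"row {n}: blank value for {k}" for k, v in cells.items() if v == ""]
        ip = cells.get("system_ip", "")
        if not ip:
            continue
        try:
            ip_address(ip)
        except ValueError:
            problems.append(f"row {n}: system_ip {ip!r} is not an IP address")
            continue
        if ip in seen:
            problems.append(f"row {n}: system_ip {ip} already used on row {seen[ip]}")
        seen.setdefault(ip, n)
    return problems


if __name__ == "__main__":
    text = build_csv(KEYS, DEVICES)
    print(text)
    for p in check_csv(text, KEYS):
        print("problem:", p)
```

Running the block prints the three-device CSV and reports the two faults planted in the third row; a clean file yields an empty problem list, which is the state to reach before attaching the template.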

Configure Basic VPN Parameters

To configure basic VPN parameters, select the Basic Configuration tab and then configure the following parameters. Parameters marked with an asterisk are required to configure a VPN.

VPN*
    Enter the numeric identifier of the VPN.
    Range for vEdge routers: 0 through 65530
    Values for vSmart and vManage devices: 0, 512

Name
    Enter a name for the VPN.

Enhance ECMP keying (vEdge routers only)
    Click On to include the Layer 4 source and destination ports in the ECMP hash key, in addition to the source IP address, destination IP address, protocol, and DSCP field. ECMP keying is Off by default, so flows between the same pair of hosts that differ only in port hash to the same path.

Enable TCP Optimization (vEdge routers only)
    Click On to enable TCP optimization for a service-side VPN (any VPN other than VPN 0 and VPN 512). TCP optimization fine-tunes TCP to decrease round-trip latency and improve throughput for TCP traffic.

Note: To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.

To save the feature template, click Save.

CLI Equivalent

vpn vpn-id
  ecmp-hash-key layer4 (vEdge routers only)
  name text
  tcp-optimization (vEdge routers only)

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, select the DNS tab and configure the following parameters:

Primary DNS Address
    Select either IPv4 or IPv6, and enter the IP address of the primary DNS server in this VPN.

New DNS Address
    Click New DNS Address and enter the IP address of a secondary DNS server in this VPN. This field appears only after you have specified a primary DNS address.

Mark as Optional Row
    Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.

Hostname
    Enter the hostname for a static hostname-to-address mapping in this VPN. The name can be up to 128 characters.

List of IP Addresses
    Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.
To save the DNS server configuration, click Add.

To save the feature template, click Save.

CLI Equivalent

vpn vpn-id
  dns ip-address (primary | secondary)
  host hostname ip ip-address

Configure Route Advertisements to OMP

To configure route advertisements to OMP for this VPN, select the Advertise OMP tab and configure the parameters listed below. Route advertisements that you configure here apply only to this VPN. If you configure route advertisements to OMP both for the VPN and for the entire vEdge router (using the OMP feature template), both configurations are applied.

IPv4 / IPv6
    Click IPv4 or IPv6 to select the address type.

BGP
    Click On to advertise BGP routes from this VPN to OMP.

Static
    Click On to advertise static routes from this VPN to OMP.

Connected
    Click On to advertise connected routes from this VPN to OMP.

OSPF External (IPv4 only)
    Click On to advertise OSPF external routes from this VPN to OMP. OSPF intra-area and inter-area routes are advertised to OMP by default; external OSPF routes are advertised only when you enable this option.

Network (IPv4)
    Click the Network tab and click On to advertise a specific prefix to OMP.
    New Network: Click New Network to configure a new IPv4 network prefix.
    Mark as Optional Row: Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.
    Prefix: Enter the new IP prefix and click Add to add the prefix.

Aggregate (IPv4)
    Click the Aggregate tab and click On to aggregate a prefix before advertising it to OMP.
    New Aggregate: Click New Aggregate to add another prefix.
    Mark as Optional Row: Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.
    Prefix: Enter the new IP prefix and click Add to add the prefix.
    Aggregate Only: Click On to advertise only the aggregated prefix and suppress the more-specific prefixes it covers, then click Add.

To save the feature template, click Save.

CLI equivalent

vpn vpn-id
  omp
    advertise (aggregate prefix [aggregate-only] | bgp | connected | network prefix | ospf type | static)

Configure IPv4 and IPv6 Static Routes

  • To configure IPv4 static routes in a VPN, select the IPv4 Route tab. Then click New IPv4 Route, and configure the following parameters.
  • To configure IPv6 static routes in a VPN, select the IPv6 Route tab. Then click New IPv6 Route, and configure the following parameters.

Mark as Optional Row
    Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.

Prefix
    Enter the address or prefix (dotted-decimal notation for IPv4, colon-separated hexadecimal for IPv6) and the prefix length of the static route to configure in the VPN.

Gateway
    Select one of the following options to configure the next hop used to reach the static route.

    Next Hop
        Configure one or more next hops for the route. Click Add Next Hop; if no next hops exist yet, click Add Next Hop again to open the first pair of fields.
        Address: Enter the IP address of the next-hop router to use to reach the static route.
        Distance (1-255): Enter the administrative distance for the route. Default is 1.
        Add Next Hop: Open another pair of Next Hop Address and Distance fields.
        Click Add to add the next hops.

    Null0
        Configure a Null0 gateway.
        Enable Null0: To enable the Null0 gateway (off by default), change the scope from Default to Global, then click On to set the next hop to the null interface. All packets sent to this interface are dropped without any ICMP message being sent, which makes a Null0 route a simple way to blackhole a prefix.
        Distance (1-255): Enter the administrative distance for the route. Default is 1.
        Click Add to add the null gateway.

    VPN
        Configure a VPN gateway.
        Enable VPN: To enable a VPN gateway (off by default), change the scope from Default to Global, then click On to direct packets to the transport VPN (VPN 0). If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or another destination outside the overlay network, effectively making the vEdge router a local Internet exit point. You must also enable NAT on a transport interface in VPN 0. Because this route sends service-VPN traffic outside the overlay, apply it only to the prefixes (typically a default route) that you intend to exit locally.
        Click Add to add the VPN gateway.

To save the configured static routes, click Add.

To save the feature template, click Save.

CLI equivalent (IPv4):

vpn vpn-id
  ip route ip-address/subnet next-hop-address [administrative-distance]

CLI equivalent (IPv6)

vpn 0
  ipv6 route ip-address/subnet next-hop-address [administrative-distance]

Configure Services

For VPNs other than VPN 0 and VPN 512 (service VPNs), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a Generic Routing Encapsulation (GRE) tunnel.

To configure a service in a VPN, select the Service tab. Then click New Service, and configure the following parameters:

Service Type
    Select the service available in the local VPN:
    FW: Firewall service.
    IDP: Intrusion detection and prevention service.
    netsvc1, netsvc2, netsvc3, netsvc4: Net services 1 through 4.
    TE: Traffic engineering service.

IP Address or Interface
    Enter the location of the service.
    IP Address: Enter up to four IP addresses, separated by commas. The service is advertised to the vSmart controller only if one of the addresses can be resolved locally, at the local site, and not via routes learned through OMP.
    Interface: Enter one or two GRE interfaces. If you configure two, the first interface is the primary GRE tunnel and the second is the backup tunnel.
To save the service configuration, click Add.

To save the feature template, click Save.

CLI Equivalent

vpn vpn-id
  service service-name address ip-address

Configure GRE-Specific Static Routes

To create a Generic Routing Encapsulation (GRE)-specific static route for a service VPN on a vEdge router, select the GRE Route tab. Then click New GRE Route and configure the following parameters:

Mark as Optional Row
    Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.

Prefix
    Enter the IP address or prefix, in dotted-decimal notation, and the prefix length of the GRE-specific static route.

VPN
    Enter the number of the VPN through which the service is reached. This must be VPN 0.

GRE Interface
    Enter the name of one or two GRE tunnels to use to reach the service.

To save a GRE-specific static route, click Add.

To save the feature template, click Save.

CLI equivalent

vpn vpn-id
  ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]

Configure IPsec-Specific Static Routes

To configure IPsec-specific static routes in a service VPN (any VPN except VPN 0 and VPN 512 on a vEdge router), select the IPsec Route tab. Then click Add New IPsec Route, and configure the following parameters:

Mark as Optional Row
    Check Mark as Optional Row to mark this configuration as device-specific. To include this configuration for a device, enter the requested variable values when you attach a device template to a device, or create a template variables spreadsheet to apply the variables. See Create a Template Variables Spreadsheet.

Prefix
    Enter the IP address or prefix, in dotted-decimal notation, and the prefix length of the IPsec-specific static route.

VPN ID
    Enter the number of the VPN through which the IPsec tunnel is reached. This must be VPN 0.

IPsec Interface
    Enter the name of one or two IPsec tunnel interfaces. If you configure two interfaces, the first is the primary IPsec tunnel and the second is the backup. All packets are sent only to the primary tunnel; if that tunnel fails, all packets are sent to the secondary tunnel, and when the primary tunnel comes back up, all traffic moves back to it.

To save an IPsec-specific static route, click Add.

To save the feature template, click Save.

CLI equivalent

vpn vpn-id
  ip ipsec-route prefix/length vpn 0 interface ipsecnumber [ipsecnumber2]
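The CLI equivalents given in the Basic Configuration, DNS, Advertise OMP, static route, Service, GRE Route and IPsec Route sections above all live under one `vpn vpn-id` block. The following Python, an added example that is not Cisco or Viptela code, renders such a block from a small data model and checks the constraints this page states before anything is pushed to a device: VPN 0 through 65530 on vEdge routers and only 0 and 512 on vSmart and vManage; ECMP keying and TCP optimization on vEdge routers only, TCP optimization only in service VPNs; at most eight addresses per static host and four per service; services, GRE routes and IPsec routes only in service VPNs, reached via VPN 0, with one primary tunnel and at most one backup; and a VPN gateway only when NAT is enabled on a VPN 0 interface. The data-model field names, the `vpn0_nat` flag, and the `null0` and `vpn 0` keywords used for the Null0 and VPN gateways (which the page's own CLI snippet does not show) are this example's assumptions.

```python
# Added example, not Cisco/Viptela code: render the CLI equivalent of a VPN
# feature template and check it against the rules stated on this page. Field
# names are this example's own, not vManage API or CLI object names.
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class StaticRoute:
    prefix: str
    gateway: str = "next-hop"                      # "next-hop" | "null0" | "vpn"
    next_hops: list = field(default_factory=list)  # [(address, distance 1..255)]


@dataclass
class VpnTemplate:
    vpn_id: int
    device: str = "vedge"                          # "vedge" | "vsmart" | "vmanage"
    name: str = ""
    ecmp_layer4: bool = False                      # vEdge only
    tcp_optimization: bool = False                 # vEdge service VPNs only
    dns: dict = field(default_factory=dict)        # {"primary": ip, "secondary": ip}
    hosts: dict = field(default_factory=dict)      # hostname -> up to 8 addresses
    advertise: list = field(default_factory=list)  # "connected", "static", "bgp", "ospf external"
    routes: list = field(default_factory=list)     # [StaticRoute]
    services: dict = field(default_factory=dict)   # "FW"/"IDP"/"netsvc1".."netsvc4"/"TE" -> up to 4 addresses
    gre_routes: list = field(default_factory=list)    # [(prefix, ["gre1", "gre2"])]
    ipsec_routes: list = field(default_factory=list)  # [(prefix, ["ipsec1", "ipsec2"])]
    vpn0_nat: bool = False  # assumption: caller knows whether a VPN 0 interface has NAT enabled


def validate(t: VpnTemplate) -> list:
    """Return rule violations; an empty list means the template is consistent."""
    errs, vedge, svc = [], t.device == "vedge", t.vpn_id not in (0, 512)
    if vedge and not 0 <= t.vpn_id <= 65530:
        errs.append("vEdge VPN id must be 0 through 65530")
    if not vedge and (t.vpn_id not in (0, 512) or t.ecmp_layer4 or t.tcp_optimization):
        errs.append(f"{t.device}: only VPN 0 and 512, no ecmp-hash-key or tcp-optimization")
    if t.tcp_optimization and not svc:
        errs.append("tcp-optimization applies only to service VPNs")
    errs += [f"host {h}: one to eight addresses" for h, ips in t.hosts.items()
             if not 1 <= len(ips) <= 8]
    errs += [f"service {s}: service VPNs only, one to four addresses"
             for s, ips in t.services.items() if not svc or not 1 <= len(ips) <= 4]
    for r in t.routes:
        ip_network(r.prefix, strict=False)         # ValueError on a malformed prefix
        if r.gateway == "vpn" and not t.vpn0_nat:
            errs.append(f"route {r.prefix}: VPN gateway also needs NAT on a VPN 0 interface")
        errs += [f"route {r.prefix}: distance {d} outside 1..255"
                 for _, d in r.next_hops if not 1 <= d <= 255]
    for prefix, ifs in t.gre_routes + t.ipsec_routes:
        if not svc or not 1 <= len(ifs) <= 2:
            errs.append(f"{prefix}: tunnel routes need a service VPN, one primary and at most one backup")
    return errs


def render(t: VpnTemplate) -> str:
    """Emit the CLI equivalent in the form this page gives for each tab."""
    out = [f"vpn {t.vpn_id}"]
    if t.name:
        out.append(f"  name {t.name}")
    if t.ecmp_layer4:
        out.append("  ecmp-hash-key layer4")
    if t.tcp_optimization:
        out.append("  tcp-optimization")
    out += [f"  dns {t.dns[role]} {role}" for role in ("primary", "secondary") if role in t.dns]
    out += [f"  host {h} ip {' '.join(ips)}" for h, ips in t.hosts.items()]
    if t.advertise:
        out += ["  omp"] + [f"    advertise {a}" for a in t.advertise]
    for r in t.routes:                             # null0 / vpn 0 keywords: assumed vEdge forms
        if r.gateway == "next-hop":
            out += [f"  ip route {r.prefix} {a} {d}" for a, d in r.next_hops]
        else:
            out.append(f"  ip route {r.prefix} " + ("null0" if r.gateway == "null0" else "vpn 0"))
    out += [f"  service {s} address {' '.join(ips)}" for s, ips in t.services.items()]
    out += [f"  ip gre-route {p} vpn 0 interface {' '.join(i)}" for p, i in t.gre_routes]
    out += [f"  ip ipsec-route {p} vpn 0 interface {' '.join(i)}" for p, i in t.ipsec_routes]
    return "\n".join(out)


# Constructed sample: a vEdge service VPN that also acts as a local Internet exit.
BRANCH_VPN = VpnTemplate(
    vpn_id=1, name="branch-users", ecmp_layer4=True, tcp_optimization=True,
    dns={"primary": "10.1.0.53", "secondary": "10.1.0.54"},
    hosts={"fileserver": ["10.1.1.10", "10.1.1.11"]},
    advertise=["connected", "static", "ospf external"],
    routes=[StaticRoute("10.2.0.0/16", next_hops=[("10.1.1.254", 1)]),
            StaticRoute("0.0.0.0/0", gateway="vpn"),
            StaticRoute("192.0.2.0/24", gateway="null0")],
    services={"FW": ["10.1.1.5"]},
    gre_routes=[("172.16.0.0/16", ["gre1", "gre2"])],
    ipsec_routes=[("172.17.0.0/16", ["ipsec1"])],
    vpn0_nat=True,
)

if __name__ == "__main__":
    print(render(BRANCH_VPN))
    print("violations:", validate(BRANCH_VPN) or "none")
```

Running the block prints the rendered `vpn 1` block for the constructed branch VPN, for which `validate` returns an empty list; the same default route with a VPN gateway but `vpn0_nat=False`, or a GRE route placed in VPN 0, produces a violation, which is the kind of mistake worth catching before the template is attached.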

​Release Information

Introduced in vManage NMS in Release 15.2.
Release 15.4.3 added support for GRE tunnels.
Release 16.3 added support for IPv6 in VPN 0.
Release 17.2.0 added support for the TE service.
Release 18.2.0 added support for static routes to IPsec tunnels.
Release 19.1 added support for NAT64 on Cisco IOS XE routers.
