You can use the VPN template for all Viptela devices.
To configure VPNs for network segmentation using vManage templates:
- Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
  For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
  - VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
  - VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
  - VPNs 1 through 511, and 513 through 65530—VPNs on vEdge routers for service-side data traffic.
- Create interface feature templates to configure the interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-Ethernet help topic.
- For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet help topics.
- Create a device template that incorporates the VPN feature template and interface feature template or templates. See the Configuration ► Templates help topic.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- From the Templates title bar, select Feature.
- Click Add Template.
- In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
- Select the VPN template.
The right pane displays the VPN template form.
- The top of the form contains fields for naming the template.
- The bottom contains fields for defining parameters applicable to that template.
- A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
- A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.
Minimum VPN Configuration
The following parameters are required (unless otherwise indicated) to configure a VPN on a Viptela device:
|1.||Template Name||Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.|
|2.||Description (Template)||Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.|
|3.||VPN identifier||Enter the numeric identifier of the VPN. Range for vEdge routers: 0 through 65530|
|4.||Name (optional)||Enter a name for the VPN.|
|5.||Enhance ECMP keying (optional, vEdge routers only)||Click On to include the Layer 4 source and destination ports in the ECMP hash key, in addition to the combination of the source IP address, destination IP address, protocol, and DSCP field. ECMP keying is Off by default.|
|6.||Save||Click Save to save the feature template.|
To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.
    vpn vpn-id
      ecmp-hash-key layer4 (on vEdge routers only)
      name text
Configure DNS and Static Hostname Mapping
To configure DNS addresses and static hostname mapping, select the DNS tab:
|Primary DNS Address||Enter the address of the primary DNS server in this VPN.|
|Secondary DNS Address||Enter the address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.|
|Hostname||Click the plus sign (+), and enter the hostname of the device. The name can be up to 128 characters.|
|List of IP Addresses||Enter up to eight IP addresses to associate with the hostname. Separate the entries with a comma.|
To add another hostname, click the plus sign (+).
To delete a hostname, click the trash icon at the right side of the entry.
Configure Static Routes
To configure static routes in a VPN, select the Route tab and click the plus sign (+):
|Prefix||Enter the IP address or prefix, in decimal four-part-dotted notation, and the prefix length of the static route to configure in the VPN.|
|Next Hop||To configure the next hop for the static route, click Next Hop and select one of the following:|
To add another static route, click the plus sign (+).
To delete a static route, click the trash icon at the right side of the entry.
For a VPN on a vEdge router (except for VPNs 0 and 512), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a GRE tunnel.
To configure a service in a VPN, select the Service tab and click the plus (+) sign:
|Service Type||Select the service available in the local VPN. Values: FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4|
|IP Address or Interface||Enter the location of the service:|
To add another service, click the plus sign (+).
To delete a service, click the trash icon at the right side of the entry.
Configure GRE-Specific Static Routes
To configure GRE-specific static routes in a service VPN (a VPN other than VPN 0 or VPN 512 on a vEdge router), select the GRE Route tab and click the plus sign (+):
|Prefix||Enter the IP address or prefix, in decimal four-part-dotted notation, and the prefix length of the GRE-specific static route.|
|VPN ID||Enter the number of the VPN to reach the service. This must be VPN 0.|
|GRE Interface||Enter the name of the GRE tunnel or tunnels used to reach the service.|
To add another GRE route, click the plus sign (+).
To delete a GRE route, click the trash icon at the right side of the entry.
    vpn vpn-id
      ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]
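
The limits this page states for VPN templates (reserved VPN IDs, the controller restriction to VPNs 0 and 512, name and hostname limits, and where services and GRE routes may be placed) can be checked before a template is attached to a device. The following Python check is an added example, not part of the Viptela documentation or of vManage; the dictionary layout, field names, and function names are assumptions made for illustration.

```python
import re
# Limits below come from the page; dict layout and function names are assumptions.
SERVICE_TYPES = {"FW", "IDP", "IDS", "netsvc1", "netsvc2", "netsvc3", "netsvc4"}
RESERVED = {0: "transport", 512: "management"}

def vpn_role(vpn_id):
    """Classify a VPN ID as the page does; None if outside 0 through 65530."""
    if vpn_id in RESERVED:
        return RESERVED[vpn_id]
    return "service" if 1 <= vpn_id <= 65530 else None

def lint_vpn_template(t, device="vedge"):
    """Return the list of rule violations for one VPN feature-template dict."""
    role = vpn_role(t["vpn_id"])
    if role is None:
        return ["vpn_id outside 0 through 65530"]
    errs = []
    if device != "vedge" and role == "service":
        errs.append("controllers accept only VPN 0 and VPN 512")
    if not re.fullmatch(r"[A-Za-z0-9]{1,128}", t["template_name"]):
        errs.append("template_name: up to 128 alphanumeric characters")
    for host, ips in t.get("hosts", {}).items():
        if len(host) > 128:
            errs.append("hostname longer than 128 characters")
        if len(ips) > 8:
            errs.append(f"host {host}: more than eight IP addresses")
    for svc in t.get("services", []):
        if role != "service":
            errs.append(f"service {svc}: not allowed in VPN 0 or VPN 512")
        elif svc not in SERVICE_TYPES:
            errs.append(f"service {svc}: unknown service type")
    for gre in t.get("gre_routes", []):
        if role != "service":
            errs.append("GRE route: not allowed in VPN 0 or VPN 512")
        if gre["vpn"] != 0:
            errs.append(f"GRE route {gre['prefix']}: VPN ID must be 0")
    return errs

# Constructed sample: a service VPN that reaches a firewall through a GRE tunnel.
SAMPLE = {
    "template_name": "BranchVPN10",
    "vpn_id": 10,
    "hosts": {"fw1": ["10.1.1.1", "10.1.1.2"]},
    "services": ["FW"],
    "gre_routes": [{"prefix": "10.20.0.0/16", "vpn": 0, "interface": "gre1"}],
}

if __name__ == "__main__":
    print(lint_vpn_template(SAMPLE), lint_vpn_template(dict(SAMPLE, vpn_id=512)))
```

Moving the same sample into VPN 512 reports both the service and the GRE route, which is the segmentation mistake the check is meant to surface: service-side entries placed in the management or transport VPN.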
Introduced in vManage NMS in Release 15.2.
Support for GRE tunnels added in Release 15.4.3.