
VPN

You can use the VPN template for all Viptela devices.

To configure VPNs for network segmentation using vManage templates:

  1. Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
    For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
    • VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
    • VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
    • VPNs 1 through 511, and 513 through 65530—VPNs on vEdge routers for service-side data traffic.
  2. Create interface feature templates to configure the interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-Ethernet help topic.
  3. For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet help topics.
  4. Create a device template that incorporates the VPN feature template and interface feature template or templates. See the Configuration ► Templates help topic.

Navigate to the Template Screen

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
  5. Select the VPN template.

The right pane displays the VPN template form.

  • The top of the form contains fields for naming the template.
  • The bottom contains fields for defining parameters applicable to that template.
  • A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
  • A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.

Minimum VPN Configuration

The following parameters are required (unless otherwise indicated) to configure a VPN on a Viptela device:

Step Parameter Name Description
 1. Template Name Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
 2. Description (Template) Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.
 3. VPN identifier Enter the numeric identifier of the VPN. Range for vEdge routers: 0 through 65530. Values for vSmart and vManage devices: 0, 512.
 4. Name (optional) Enter a name for the VPN.
 5. Enhance ECMP keying (optional, vEdge routers only) Click On to include the Layer 4 source and destination ports in the ECMP hash key, in addition to the combination of the source IP address, destination IP address, protocol, and DSCP field. ECMP keying is Off by default.
 6. Save Click Save to save the feature template.

To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.

CLI equivalent:

vpn vpn-id
  ecmp-hash-key layer4 (on vEdge routers only)
  name text  

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, select the DNS tab:

Parameter Name Description
Primary DNS Address Enter the address of the primary DNS server in this VPN.
Secondary DNS Address Enter the address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
Hostname Click the plus sign (+), and enter the hostname of the device. The name can be up to 128 characters.
List of IP Addresses Enter up to eight IP addresses to associate with the hostname. Separate the entries with a comma.

To add another hostname, click the plus sign (+).

To delete a hostname, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  dns ip-address [primary | secondary]
  host hostname ip ip-address

Configure Static Routes

To configure static routes in a VPN, select the Route tab and click the plus sign (+):

Parameter Name Description
Prefix Enter the IP address or prefix, in decimal four-part-dotted notation, and the prefix length of the static route to configure in the VPN.
Next Hop To configure the next hop for the static route, click Next Hop and select one of the following:

  • Address—Enter the IP address of the next-hop router to use to reach the static route. You can also enter an administrative distance.
  • Null0—Select Null0 to specify that the next hop is the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also enter an administrative distance.
  • VPN0—Select VPN0 to direct packets to the transport VPN. If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or other destination outside of the overlay network, effectively converting the vEdge router into a local Internet exit point. You must also enable NAT on a transport interface in VPN 0.

To add another static route, click the plus sign (+).

To delete a static route, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  ip route ip-address/subnet next-hop-address

Configure Services

For a VPN on a vEdge router (except for VPNs 0 and 512), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a GRE tunnel.

To configure a service in a VPN, select the Service tab and click the plus (+) sign:

Parameter Name Description
Service Type Select the service available in the local VPN.
Values: FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4
IP Address or Interface Enter the location of the service:

  • If you select IP address, specify up to four IP addresses, separated by commas. The service is advertised to the vSmart controller only if one of the addresses can be resolved locally, at the local site, not via routes learned through OMP.
  • If you select Interface, specify one or two GRE interfaces. If you configure two, the first interface is the primary GRE tunnel, and the second is the backup tunnel.

To add another service, click the plus sign (+).

To delete a service, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  service service-name address ip-address

Configure GRE-Specific Static Routes

To configure GRE-specific static routes in a service VPN (a VPN other than VPN 0 or VPN 512 on a vEdge router), select the GRE Route tab and click the plus sign (+):

Parameter Name Description
Prefix Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route.
VPN ID Enter the number of the VPN to reach the service. This must be VPN 0.
GRE Interface Enter the name of the GRE tunnel or tunnels used to reach the service.

To add another GRE route, click the plus sign (+).

To delete a GRE route, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]
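
As an added example (not Cisco's code), the following Python check applies the limits stated in the sections above to a planned VPN feature template before it is entered in vManage, and flags static routes that point at VPN 0 for review. The dict layout, key names, and function names are assumptions of this example, not a vManage schema.

```python
import ipaddress
import re

CORE_VPNS = {0, 512}  # VPN 0 = transport, VPN 512 = management
SERVICE_TYPES = {"FW", "IDP", "IDS", "netsvc1", "netsvc2", "netsvc3", "netsvc4"}

def _valid_prefix(text):
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False

def check_vpn_template(t):
    """Return findings for one VPN feature template.

    `t` is a hypothetical dict; its key names are assumptions of this
    example, not a vManage schema. Limits come from the tables above.
    """
    out = []
    vpn, dev = t["vpn_id"], t["device"]  # device: vedge, vsmart or vmanage
    if not re.fullmatch(r"[A-Za-z0-9]{1,128}", t["template_name"]):
        out.append("error: template name must be 1-128 alphanumeric characters")
    if dev == "vedge" and not 0 <= vpn <= 65530:
        out.append("error: vEdge VPN id must be 0 through 65530")
    if dev != "vedge" and vpn not in CORE_VPNS:
        out.append("error: vSmart and vManage accept only VPN 0 and 512")
    service_vpn = dev == "vedge" and vpn not in CORE_VPNS
    for host, ips in t.get("hosts", {}).items():
        if len(host) > 128 or len(ips) > 8:
            out.append(f"error: host {host}: name max 128 chars, max eight IPs")
    for route in t.get("routes", []):
        if not _valid_prefix(route["prefix"]):
            out.append(f"error: bad static route prefix {route['prefix']}")
        if route["next_hop"] == "vpn0":  # possible local Internet exit
            out.append(f"review: {route['prefix']} exits via VPN 0; needs NAT there")
    for svc in t.get("services", []):
        if not service_vpn:
            out.append("error: services require a vEdge VPN other than 0 or 512")
        if svc["type"] not in SERVICE_TYPES:
            out.append(f"error: unknown service type {svc['type']}")
        if len(svc.get("addresses", [])) > 4 or len(svc.get("interfaces", [])) > 2:
            out.append(f"error: {svc['type']}: max four IPs or two GRE interfaces")
    for gre in t.get("gre_routes", []):
        if not service_vpn or gre["vpn"] != 0 or not _valid_prefix(gre["prefix"]):
            out.append(f"error: GRE route {gre['prefix']}: service VPN only, via VPN 0")
    return out

# Constructed sample: a management-VPN template that wrongly carries a service.
SAMPLE = {"template_name": "Mgmt512", "device": "vedge", "vpn_id": 512,
          "services": [{"type": "FW", "addresses": ["10.0.0.1"]}],
          "routes": [{"prefix": "0.0.0.0/0", "next_hop": "vpn0"}]}
```

Calling `check_vpn_template(SAMPLE)` returns one review item for the VPN 0 next hop and one error for the service placed in VPN 512.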

Release Information

Introduced in vManage NMS in Release 15.2.
Support for GRE tunnels added in Release 15.4.3.
