You can use the VPN-Interface-Ethernet template for all Viptela devices.
To configure the Ethernet interfaces in a VPN using vManage templates:
- Create a VPN-Interface-Ethernet feature template to configure Ethernet interface parameters, as described in this article.
- Create a VPN feature template to configure VPN parameters. See the Configuration ► Templates ► VPN help topic.
- Optionally, on vEdge routers, to enable DHCP server functionality on the interface, create a DHCP-Server feature template. See the Configuration ► Templates ► DHCP-Server help topic.
- Create a device template that incorporates the VPN-Interface-Ethernet, VPN, and DHCP-Server feature templates. See the Configuration ► Templates help topic.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- From the Templates title bar, select Feature.
- Click Add Template.
- In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
- Select the VPN-Interface-Ethernet template.
The right pane displays the VPN-Interface-Ethernet template form.
- The top of the form contains fields for naming the template.
- The bottom contains fields for defining parameters applicable to that template.
- A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
- A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.
Minimum Interface Configuration
The following parameters are required (unless otherwise indicated) to configure a VPN interface on a vEdge router:
| Step | Field | Description |
|------|-------|-------------|
| 1. | Template Name | Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters. |
| 2. | Description (Template) | Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters. |
| 3. | Shutdown | Click No to enable the interface. |
| 4. | Interface name | Enter a name for the interface. |
| 5. | Description (optional) | Enter a description for the interface. |
| 6. | IP configuration | For an interface in VPN 0, you can select Dynamic to make the interface a DHCP client that receives its IP address from a DHCP server. If you select Dynamic, you can set the DHCP distance to specify the administrative distance of routes learned from the DHCP server. The default administrative distance is 1. |
| 7. | IP address | Enter the IPv4 address of the interface if the interface is not receiving its IP address from a DHCP server. |
| 8. | DHCP helper (optional, on vEdge routers) | Enter up to four IP addresses for DHCP servers in the network, separated by commas, to have the interface act as a DHCP helper. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers. |
| 9. | Save | Click Save to save the feature template. |
CLI equivalent:

    vpn vpn-id
      interface interface-name
        description text
        dhcp-helper ip-address                                (on vEdge routers only)
        (ip address address/subnet | ip dhcp-client [dhcp-distance number])
        [no] shutdown
Create a Tunnel Interface
On vEdge routers, you can configure up to four tunnel interfaces. This means that each vEdge router can have up to four TLOCs.
On vSmart controllers and vManage NMSs, you can configure one tunnel interface.
For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0.
To configure a tunnel interface, select the Interface Tunnel tab:
| Field | Description |
|-------|-------------|
| Tunnel Interface | Click On to create a tunnel interface. |
| Color | Select a color for the TLOC. |
| Control Connection (on vEdge routers) | If the vEdge router has multiple TLOCs, click No to have the tunnel not establish a TLOC. The default is On, which establishes a control connection for the TLOC. |
| Max Control Connections (on vEdge routers) | Specify the maximum number of vSmart controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0. Range: 0 through 8 |
| Allow Service | Select On or Off for each service to allow or disallow the service on the interface. |
To configure additional tunnel interface parameters, click Advanced Options:
| Field | Description |
|-------|-------------|
| Encapsulation (on vEdge routers) | Select the encapsulation type to use on the tunnel interface, either IPsec or GRE. The default is IPsec. If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors but differ by their encapsulation. |
| Preference (on vEdge routers) | Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value. Range: 0 through 4294967295 |
| Weight (on vEdge routers) | Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel. Range: 1 through 255 |
| Carrier | Select the carrier name or private network identifier to associate with the tunnel. Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default |
| Bind loopback tunnel (on vEdge routers) | Enter the name of a physical interface to bind to a loopback interface. |
| Hello interval (on vSmart and vManage devices) | Set the interval between Hello packets sent on a DTLS or TLS WAN transport connection. |
| Hello tolerance (on vSmart and vManage devices) | Set how long to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down. Range: 12 through 60 seconds |
CLI equivalent:

    vpn 0
      interface interface-name
        tunnel-interface
          allow-service service-name
          bind interface-name                       (on vEdge routers only)
          carrier carrier-name
          color color
          encapsulation (gre | ipsec)               (on vEdge routers only)
            preference number
            weight number
          hello-interval milliseconds               (on vSmart and vManage devices only)
          hello-tolerance seconds                   (on vSmart and vManage devices only)
          max-control-connections number            (on vEdge routers only)
Configure the Interface as a NAT Device (on vEdge Routers)
To configure an interface to act as a NAT device, select the NAT tab, click On, and click the plus sign (+) to add a port forwarding rule:
| Field | Description |
|-------|-------------|
| Port Forward | Define up to 128 port-forwarding rules to allow requests from an external network to reach devices on the internal network. |
| Port Start Range | Enter a port number to define the port or the first port in the range of interest. |
| Port End Range | Enter the same port number to apply port forwarding to a single port, or enter a larger number to apply it to a range of ports. Range: 0 through 65535 |
| Protocol | Select the protocol to which to apply the port-forwarding rule, either TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules. |
| VPN | Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network. Range: 0 through 65530 |
| Private IP | Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule. |
To configure other NAT parameters, click Advanced Options:
| Field | Description |
|-------|-------------|
| Refresh mode | Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound). |
| UDP timeout | Specify when NAT translations over UDP sessions time out. |
| TCP timeout | Specify when NAT translations over TCP sessions time out. |
| Block ICMP | Select On to block inbound ICMP error messages. By default, a vEdge router acting as a NAT device receives these error messages. |
| Respond to Ping | Select On to have the vEdge router respond to ping requests to the NAT interface's IP address that are received from the public side of the connection. |
CLI equivalent:

    vpn vpn-id
      interface interface-name
        nat
          block-icmp-error
          port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-ip-address ip-address private-vpn vpn-id
          refresh (bi-directional | outbound)
          respond-to-ping
          tcp-timeout minutes
          udp-timeout minutes
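As an added example (not vManage or Viptela code), the following Python checks a template's minimum interface settings (steps 1 through 9 above) and its NAT port-forwarding rules against the limits this page states, then renders the CLI equivalent. The EthernetInterface and PortForward field names, the sample addresses, and the assumption that several dhcp-helper addresses are written space-separated on one line are this example's own.

```python
# Added editorial example, not vManage or Viptela code: check a
# VPN-Interface-Ethernet template against the limits this page states and
# render the CLI equivalent.  Field names are this example's own.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_TEMPLATE_NAME, MAX_DHCP_HELPERS = 128, 4          # limits stated on the page
MAX_RULES, MAX_PORT, MAX_PRIVATE_VPN = 128, 65535, 65530


@dataclass
class PortForward:
    port_start: int
    port_end: int
    proto: str          # "tcp" or "udp": one rule per protocol
    private_vpn: int    # VPN in which the internal server resides
    private_ip: str     # IPv4 address of the internal server


@dataclass
class EthernetInterface:
    template_name: str
    vpn_id: int
    name: str
    description: Optional[str] = None
    ip_address: Optional[str] = None    # static "a.b.c.d/len"
    dhcp_client: bool = False           # "Dynamic" in the template form
    dhcp_distance: Optional[int] = None
    dhcp_helpers: List[str] = field(default_factory=list)
    port_forwards: List[PortForward] = field(default_factory=list)
    shutdown: bool = False


def _is_ipv4(text: str, with_prefix: bool) -> bool:
    try:
        (ipaddress.IPv4Interface if with_prefix else ipaddress.IPv4Address)(text)
        return True
    except ValueError:
        return False


def validate(cfg: EthernetInterface) -> List[str]:
    """Return the problems found; an empty list means the template is acceptable."""
    problems = []
    if not (0 < len(cfg.template_name) <= MAX_TEMPLATE_NAME and cfg.template_name.isalnum()):
        problems.append("template name must be 1 to 128 alphanumeric characters")
    # An interface either has a static IPv4 address or is a DHCP client, never both.
    if cfg.dhcp_client == bool(cfg.ip_address):
        problems.append("set exactly one of: static IP address, DHCP client (Dynamic)")
    if cfg.ip_address and not _is_ipv4(cfg.ip_address, with_prefix=True):
        problems.append(f"invalid IPv4 address/prefix {cfg.ip_address!r}")
    if len(cfg.dhcp_helpers) > MAX_DHCP_HELPERS:
        problems.append("at most four DHCP helper addresses are allowed")
    if len(cfg.port_forwards) > MAX_RULES:
        problems.append("at most 128 port-forwarding rules are allowed")
    seen = set()
    for i, r in enumerate(cfg.port_forwards):
        if r.proto not in ("tcp", "udp"):
            problems.append(f"rule {i}: protocol must be tcp or udp (use two rules for both)")
        if not 0 <= r.port_start <= r.port_end <= MAX_PORT:
            problems.append(f"rule {i}: need 0 <= port start <= port end <= 65535")
        if not 0 <= r.private_vpn <= MAX_PRIVATE_VPN:
            problems.append(f"rule {i}: private VPN must be 0 through 65530")
        if not _is_ipv4(r.private_ip, with_prefix=False):
            problems.append(f"rule {i}: invalid private IP {r.private_ip!r}")
        if (r.proto, r.port_start, r.port_end) in seen:
            problems.append(f"rule {i}: duplicates an earlier {r.proto} rule for the same ports")
        seen.add((r.proto, r.port_start, r.port_end))
    return problems


def render_cli(cfg: EthernetInterface) -> str:
    """Render the CLI equivalent shown on the page, one statement per line.
    Assumed, not stated on the page: multiple dhcp-helper addresses go
    space-separated on one line, and the description contains no spaces."""
    lines = [f"vpn {cfg.vpn_id}", f"  interface {cfg.name}"]
    if cfg.description:
        lines.append(f"    description {cfg.description}")
    if cfg.dhcp_helpers:
        lines.append("    dhcp-helper " + " ".join(cfg.dhcp_helpers))
    if cfg.dhcp_client:
        distance = "" if cfg.dhcp_distance is None else f" dhcp-distance {cfg.dhcp_distance}"
        lines.append(f"    ip dhcp-client{distance}")
    else:
        lines.append(f"    ip address {cfg.ip_address}")
    if cfg.port_forwards:
        lines.append("    nat")
        for r in cfg.port_forwards:
            lines.append(f"      port-forward port-start {r.port_start} port-end {r.port_end} "
                         f"proto {r.proto} private-ip-address {r.private_ip} private-vpn {r.private_vpn}")
    lines.append("    shutdown" if cfg.shutdown else "    no shutdown")
    return "\n".join(lines)


# Constructed sample (documentation address ranges, not real hosts): a VPN 0
# transport interface that forwards TCP 443 to a server in VPN 1.
SAMPLE = EthernetInterface(
    template_name="TransportGe00", vpn_id=0, name="ge0/0",
    description="wan-transport", ip_address="203.0.113.10/24",
    port_forwards=[PortForward(443, 443, "tcp", 1, "10.1.1.20")],
)
```

Run `validate(SAMPLE)` before pushing a template and review anything it reports; `render_cli(SAMPLE)` gives the statement sequence to compare against what the device actually shows after the template is attached.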
Configure VRRP (on vEdge Routers)
To have an interface run the Virtual Router Redundancy Protocol (VRRP), which allows multiple routers to share a common virtual IP address for default gateway redundancy, select the VRRP tab and click the plus sign (+) to add a VRRP group:
| Field | Description |
|-------|-------------|
| Group ID | Enter the virtual router ID, which is a numeric identifier of the virtual router. |
| Priority | Enter the priority level of the router. The router with the highest priority is elected as master. If two vEdge routers have the same priority, the one with the higher IP address is elected as master. |
| Timer | Specify how often the VRRP master sends VRRP advertisement messages. If slave routers miss three consecutive VRRP advertisements, they elect a new master. |
| Track OMP, Track Prefix List | By default, VRRP uses the state of the service (LAN) interface on which it is running to determine which vEdge router is the master virtual router. If a vEdge router loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN-side connectivity into account for VRRP, configure one of the following. Track OMP: click On for VRRP to track the Overlay Management Protocol (OMP) session running on the WAN connection. If the master VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session. Track Prefix List: track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the master VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic that is dropped while the vEdge routers determine the VRRP master. |
| IP Address | Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local vEdge router and the peer running VRRP. |
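As an added example (not Viptela code), this Python models the VRRP election and failover rules described above: highest priority wins, ties go to the higher interface IP address, three consecutive missed advertisements trigger re-election, a virtual IP equal to a router's own address is rejected, and with Track OMP a master that loses all its OMP sessions is replaced immediately. The VrrpRouter and VrrpGroup names and the router addresses are constructed for the example; Track Prefix List is not modelled.

```python
# Added editorial example, not Viptela code: model the VRRP behaviour this
# page describes (election by priority with higher-IP tie-break, failover
# after three missed advertisements, Track OMP).  All router state is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MISSED_ADVERTS_BEFORE_FAILOVER = 3   # "miss three consecutive VRRP advertisements"


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str       # the vEdge router's own LAN interface address
    priority: int
    lan_interface_up: bool = True
    omp_sessions: int = 1   # active OMP sessions over the WAN


def is_eligible(r: VrrpRouter, track_omp: bool) -> bool:
    """Default VRRP only looks at the LAN interface; Track OMP also requires
    at least one active OMP session, so a router cut off from the WAN
    cannot be (or stay) master."""
    return r.lan_interface_up and (not track_omp or r.omp_sessions > 0)


def elect_master(routers: List[VrrpRouter], track_omp: bool) -> Optional[VrrpRouter]:
    """Highest priority wins; on a tie the higher interface IP address wins."""
    candidates = [r for r in routers if is_eligible(r, track_omp)]
    if not candidates:
        return None      # nothing eligible: no default gateway until one recovers
    return max(candidates,
               key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.interface_ip))))


class VrrpGroup:
    def __init__(self, group_id: int, virtual_ip: str,
                 routers: List[VrrpRouter], track_omp: bool = False):
        # The virtual address must differ from every participating router's own address.
        if any(r.interface_ip == virtual_ip for r in routers):
            raise ValueError("virtual IP must differ from the routers' interface IPs")
        self.group_id, self.virtual_ip = group_id, virtual_ip
        self.routers, self.track_omp = routers, track_omp
        self.master = elect_master(routers, track_omp)
        self.missed = 0

    def advertisement_interval(self, master_advertised: bool) -> Optional[VrrpRouter]:
        """Advance one timer interval as seen by the backup routers."""
        if master_advertised:
            self.missed = 0
            return self.master
        self.missed += 1
        if self.missed >= MISSED_ADVERTS_BEFORE_FAILOVER:
            # The silent master is excluded from the re-election.
            survivors = [r for r in self.routers if r is not self.master]
            self.master = elect_master(survivors, self.track_omp)
            self.missed = 0
        return self.master

    def omp_sessions_changed(self, router: VrrpRouter, count: int) -> Optional[VrrpRouter]:
        """With Track OMP, a master that loses all OMP sessions is replaced at once."""
        router.omp_sessions = count
        if self.track_omp and router is self.master and count == 0:
            self.master = elect_master(self.routers, self.track_omp)
        return self.master


def sample_group(track_omp: bool = False) -> VrrpGroup:
    """Constructed sample: two vEdge routers with equal priority, so the
    higher interface IP (10.1.1.3) is elected master."""
    routers = [VrrpRouter("vedge-a", "10.1.1.2", 100),
               VrrpRouter("vedge-b", "10.1.1.3", 100)]
    return VrrpGroup(group_id=10, virtual_ip="10.1.1.1", routers=routers, track_omp=track_omp)
```

Without Track OMP the sample master keeps its role while its WAN is down, and only a silent master (three missed advertisements) is replaced; with Track OMP the same WAN loss moves the virtual address at once, which is the behaviour the option exists to provide.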
Apply Access Lists (on vEdge Routers)
To configure a shaping rate on a router interface and to apply a QoS map, a rewrite rule, access lists, and policers to the interface, select the ACL tab:
| Field | Description |
|-------|-------------|
| Shaping rate | Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps). |
| QoS map | Specify the name of the QoS map to apply to packets being transmitted out the interface. |
| Rewrite rule | Click On, and specify the name of the rewrite rule to apply on the interface. |
| Ingress ACL | Click On, and specify the name of the access list to apply to packets being received on the interface. |
| Egress ACL | Click On, and specify the name of the access list to apply to packets being transmitted on the interface. |
| Ingress policer | Click On, and specify the name of the policer to apply to packets being received on the interface. |
| Egress policer | Click On, and specify the name of the policer to apply to packets being transmitted on the interface. |
CLI equivalent:

    vpn vpn-id
      interface interface-name
        access-list acl-list (in | out)
        policer policer-name (in | out)
        qos-map name
        rewrite-rule name
        shaping-rate name
Add ARP Table Entries
To configure static Address Resolution Protocol (ARP) table entries on the interface, select the ARP tab and click the plus sign (+):
| Field | Description |
|-------|-------------|
| IP Address | Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name. |
| MAC Address | Enter the MAC address in colon-separated hexadecimal notation. |

To add another ARP table entry, click the plus sign (+).
To delete an ARP table entry, click the trash icon on the right side of the entry.
Configure Other Interface Properties
To configure other interface properties, select the Advanced tab:
| Field | Description |
|-------|-------------|
| Duplex | Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode. |
| MAC Address | Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation. |
| IP MTU | Specify the maximum MTU size of packets on the interface. Range: 576 through 1804. Default: 1500 bytes |
| PMTU discovery | Click On to enable path MTU discovery on the interface. PMTU determines the largest MTU size that the interface supports so that packet fragmentation does not occur. |
| Flow control | Select a setting for bidirectional flow control, which is a mechanism for temporarily stopping the transmission of data on the interface. |
| TCP MSS | Specify the maximum segment size (MSS) of TCP SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 to 1460 bytes |
| Speed | Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation. |
| Clear-Dont-Fragment | Click On to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent. |
| Static ingress QoS (on vEdge routers) | Specify a queue number to use for incoming traffic. |
| ARP timeout (on vEdge routers) | Specify how long it takes for a dynamically learned ARP entry to time out. |
| Autonegotiate | Click Off to turn off autonegotiation. By default, an interface runs in autonegotiation mode. |
| TLOC Extension (on vEdge routers) | Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second vEdge router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN. |
CLI equivalent:

    vpn vpn-id
      interface interface-name
        arp-timeout seconds                   (on vEdge routers only)
        [no] autonegotiate
        clear-dont-fragment
        duplex (full | half)
        flow-control control
        mac-address mac-address
        mtu bytes
        pmtu
        speed speed
        static-ingress-qos number             (on vEdge routers only)
        tcp-mss-adjust bytes
        tloc-extension interface-name         (on vEdge routers only)
Introduced in vManage NMS Release 15.2.