VPN
You can use the VPN template for all Viptela devices.
To configure VPNs for network segmentation using vManage templates:
- Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
- VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
- VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
- VPNs 1 through 511, and 513 through 65530—VPNs on vEdge routers for service-side data traffic.
- Create interface feature templates to configure the interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-Ethernet help topic.
- For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet help topics.
- Create a device template that incorporates the VPN feature template and interface feature template or templates. See the Configuration ► Templates help topic.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- From the Templates title bar, select Feature.
- Click Add Template.
- In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
- Select the VPN template.
The right pane displays the VPN template form.
- The top of the form contains fields for naming the template.
- The bottom contains fields for defining parameters applicable to that template.
- A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
- A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.
Minimum VPN Configuration
The following parameters are required (unless otherwise indicated) to configure a VPN on a Viptela device:
Step | Parameter Name | Description |
---|---|---|
1. | Template Name | Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters. |
2. | Description (Template) | Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters. |
3. | VPN | Enter the numeric identifier of the VPN. Range for vEdge routers: 0 through 65530 |
4. | Name (optional) | Enter a name for the VPN. |
5. | Enhance ECMP keying (optional, vEdge routers only) | Click On to include the Layer 4 source and destination ports in the ECMP hash key, in addition to the combination of the source IP address, destination IP address, protocol, and DSCP field. ECMP keying is Off by default. |
6. | Save | Click Save to save the feature template. |
To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.
CLI equivalent:
vpn vpn-id
  ecmp-hash-key layer4 (on vEdge routers only)
  name text
Configure DNS and Static Hostname Mapping
To configure DNS addresses and static hostname mapping, select the DNS tab:
Parameter Name | Description |
---|---|
Primary DNS Address | Enter the address of the primary DNS server in this VPN. |
Secondary DNS Address | Enter the address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address. |
Hostname | Click the plus sign (+), and enter the hostname of the device. The name can be up to 128 characters. |
List of IP Addresses | Enter up to eight IP addresses to associate with the hostname. Separate the entries with a comma. |
To add another hostname, click the plus sign (+).
To delete a hostname, click the trash icon at the right side of the entry.
CLI equivalent:
vpn vpn-id
  dns ip-address [primary | secondary]
  host hostname ip ip-address
Configure Route Advertisements to OMP
To configure, for this VPN, route advertisements to OMP, select the OMP tab. Route advertisements that you configure here apply to the specific VPN. If you configure route advertisements to OMP for both the VPN and the entire vEdge router (using the OMP feature template), both configurations are applied.
Parameter Name | Description |
---|---|
BGP | Click On to advertise BGP routes from this VPN to OMP. |
Static | Click On to advertise static routes from this VPN to OMP. |
Connected | Click On to advertise connected routes from this VPN to OMP. |
OSPF | Click On to advertise OSPF routes from this VPN to OMP. By default, OSPF inter-area and intra-area routes are advertised to OMP. Click On again to advertise external OSPF routes. |
Network | Click Network and click On to advertise a specific prefix to OMP. Click the plus sign (+) and enter the prefix. |
Aggregate | Click Aggregate and click On to aggregate a prefix before advertising it to OMP. Click the plus sign (+) and enter the prefix. Click On again to advertise only the aggregated prefix. |
To add another Network or Aggregate route to advertise to OMP, click the plus sign (+).
CLI equivalent:
vpn vpn-id
  omp
    advertise (aggregate prefix [aggregate-only] | bgp | connected | network prefix | ospf type | static)
Configure IPv4 Static Routes
To configure IPv4 static routes in a VPN, select the IPv4 Route tab and click the plus sign (+):
Parameter Name | Description |
---|---|
Prefix | Enter the IPv4 address or prefix, in decimal four-part-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN. |
Gateway | To configure the next hop to reach the static route, select one of the following: Next Hop, Null0, or VPN. Then click the plus sign (+) below the Gateway field to configure information about the next hop. |
Address | If you select Next Hop as the gateway, enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1. To configure another next-hop address for the same prefix, click the plus sign (+) below the Gateway field. To add a next-hop address for a different prefix, click the plus sign (+) above the Gateway field. |
Enable Null0 | If you select Null0 as the gateway, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1. |
Enable VPN | If you select VPN as the gateway, click On to direct packets to the transport VPN. If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or other destination outside of the overlay network, effectively converting the vEdge router into a local Internet exit point. You must also enable NAT on a transport interface in VPN 0. |
To add another static route for a different prefix, click the plus sign (+) above the Gateway field.
To delete a static route, click the trash icon at the right side of the entry.
CLI equivalent:
vpn vpn-id
  ip route ip-address/subnet next-hop-address [administrative-distance]
Configure IPv6 Static Routes
To configure IPv6 static routes in VPN 0, select the IPv6 Route tab and click the plus sign (+):
Parameter Name | Description |
---|---|
Prefix | Enter the IPv6 address or prefix, and the prefix length of the IPv6 static route to configure in VPN 0. |
Gateway | To configure the next hop to reach the static route, select one of the following: Next Hop or Null0. Then click the plus sign (+) below the Gateway field to configure information about the next hop. |
Address | If you select Next Hop as the gateway, enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1. To configure another next-hop address for the same prefix, click the plus sign (+) below the Gateway field. To add a next-hop address for a different prefix, click the plus sign (+) above the Gateway field. |
Enable Null0 | If you select Null0 as the gateway, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1. |
To add another static route for a different prefix, click the plus sign (+).
To delete a static route, click the trash icon at the right side of the entry.
CLI equivalent:
vpn 0
  ipv6 route ip-address/subnet next-hop-address [administrative-distance]
Configure Services
For a VPN on a vEdge router (except for VPNs 0 and 512), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a GRE tunnel.
To configure a service in a VPN, select the Service tab and click the plus (+) sign:
Parameter Name | Description |
---|---|
Service Type | Select the service available in the local VPN. Values: FW, IDP, IDS, TE, netsvc1, netsvc2, netsvc3, netsvc4 |
IP Address/Interfaces | Enter the location of the service: |
To add another service, click the plus sign (+).
To delete a service, click the trash icon at the right side of the entry.
CLI equivalent:
vpn vpn-id
  service service-name address ip-address
Configure GRE-Specific Static Routes
To configure GRE-specific static routes in a service VPN (a VPN other than VPN 0 or VPN 512 on a vEdge router), select the GRE Route tab and click the plus sign (+):
Parameter Name | Description |
---|---|
Prefix | Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route. |
VPN ID | Enter the number of the VPN to reach the service. This must be VPN 0. |
GRE Interface | Enter the name of the GRE tunnel or tunnels used to reach the service. |
To add another GRE route, click the plus sign (+).
To delete a GRE route, click the trash icon at the right side of the entry.
CLI equivalent:
vpn vpn-id
  ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]
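The limits and placement rules stated in the sections above (VPN ID ranges, which VPNs may hold services, GRE routes and IPv6 routes, administrative distance, hostname mappings) can be checked before a template is attached to devices. The following Python linter is an added example, not Viptela or vManage code; the dictionary layout and the names `vpn_role`, `lint_vpn_template` and `SAMPLE` are assumptions made for illustration.

```python
import re

# Assumed dict layout for one VPN feature template (hypothetical; the page shows
# only the vManage form fields and the CLI equivalents, not a data format).
def vpn_role(vpn_id):
    if vpn_id == 0:
        return "transport"
    if vpn_id == 512:
        return "management"
    if 1 <= vpn_id <= 65530:
        return "service"
    raise ValueError(f"VPN ID {vpn_id} is outside 0-65530")

def lint_vpn_template(t, device="vedge"):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if not re.fullmatch(r"[A-Za-z0-9]{1,128}", t.get("template_name", "")):
        findings.append("template-name: 1-128 alphanumeric characters required")
    try:
        role = vpn_role(t["vpn"])
    except ValueError as exc:
        return findings + [f"vpn-id: {exc}"]
    if device in ("vmanage", "vsmart") and role == "service":
        findings.append("controller: only VPN 0 and VPN 512 can be configured")
    if role != "service" and (t.get("services") or t.get("gre_routes")):
        findings.append("services and GRE routes belong in a service VPN")
    if role != "transport" and t.get("ipv6_routes"):
        findings.append("ipv6-route: IPv6 static routes are configured in VPN 0")
    for r in t.get("ipv4_routes", []) + t.get("ipv6_routes", []):
        if not 1 <= r.get("distance", 1) <= 255:
            findings.append(f"distance: {r['prefix']} must use 1-255")
        if r["gateway"] == "vpn":  # route into the transport VPN
            findings.append(f"review: {r['prefix']} is a local Internet exit (needs NAT in VPN 0)")
    for g in t.get("gre_routes", []):
        if g["vpn"] != 0:
            findings.append(f"gre-route: {g['prefix']} must reach the service via VPN 0")
    for host, ips in t.get("hosts", {}).items():
        if len(host) > 128 or len(ips) > 8:
            findings.append(f"host: {host[:20]} exceeds 128 characters or 8 addresses")
    return findings

# Constructed sample: a service VPN with a default route out through VPN 0.
SAMPLE = {
    "template_name": "Branch10Users", "vpn": 10,
    "ipv4_routes": [{"prefix": "0.0.0.0/0", "gateway": "vpn"},
                    {"prefix": "10.99.0.0/16", "gateway": "null0", "distance": 300}],
    "gre_routes": [{"prefix": "10.50.0.0/24", "vpn": 1, "interface": "gre1"}],
    "hosts": {"fw1": ["10.10.0.1"]},
}
```

Calling `lint_vpn_template(SAMPLE)` flags the route into VPN 0 for review, because it turns the router into a local Internet exit point for that segment, and reports the out-of-range distance and the GRE route that does not point at VPN 0.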
Release Information
Introduced in vManage NMS in Release 15.2.
In Release 15.4.3, added support for GRE tunnels.
In Release 16.3, added support for IPv6 in VPN 0.