Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

VPN

  1. Last updated
  2. Save as PDF

You can use the VPN template for all Viptela devices.

To configure VPNs for network segmentation using vManage templates:

  1. Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
    For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
    • VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
    • VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
    • VPNs 1 through 511, and 513 through 65530—VPNs on vEdge routers for service-side data traffic.
  2. Create interface feature templates to configure the interfaces in the VPN. See the Configuration ► Templates ►VPN-Interface-Ethernet help topic.
  3. For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See the Configuration ► Templates ► VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet help topics.
  4. Create a device template that incorporates the VPN feature template and interface feature template or templates. See the Configuration ► Templates help topic.​

Navigate to the Template Screen

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
  5. Select the VPN template.

The right pane displays the VPN template form.

  • The top of the form contains fields for naming the template.
  • The bottom contains fields for defining parameters applicable to that template.
  • A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
  • A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.

Minimum VPN Configuration

The following parameters are required (unless otherwise indicated) to configure a VPN on a Viptela device:

Step Parameter Name Description
 1. Template Name Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
 2. Description (Template) Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.
 3. VPN

Enter the numeric identifier of the VPN.

Range for vEdge routers: 0 through 65530
Values for vSmart and vManage devices: 0, 512
 4. Name (optional) Enter a name for the VPN.
 5. Enhance ECMP keying (optional, vEdge routers only)

Click On to enable the use in the ECMP hash key of Layer 4 source and destination ports, in addition to the combination of the source IP address, destination IP address, protocol, and DSCP field​, as the ECMP hash key. ECMP keying is Off by default.
 6. Save Click Save to save the feature template.

To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.

CLI equivalent:

vpn vpn-id
  ecmp-hash-key layer4 (on vEdge routers only)
  name text

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, select the DNS tab:

Parameter Name Description
Primary DNS Address Enter the address of the primary DNS server in this VPN.
Secondary DNS Address Enter the address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
Hostname Click the plus sign (+), and enter the hostname of the device. The name can be up to 128 characters.
List of IP Addresses Enter up to eight IP addresses to associate with the hostname. Separate the entries with a comma.

To add another hostname, click the plus sign (+).

To delete a hostname, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  dns ip-address [primary | secondary]
  ​host hostname ip ip-address

Configure Route Advertisements to OMP

To configure, for this VPN, route advertisements to OMP, select the OMP tab. Route advertisements that you configure here apply to the specific VPN. If you configure route advertisements to OMP for both the VPN and the entire vEdge router (using the OMP feature template), both configurations are applied.

Parameter Name Description
BGP Click On to advertise BGP routes from this VPN to OMP.
Static Click On to advertise static routes from this VPN to OMP.
Connected Click On to advertise connected routes from this VPN to OMP.
OSPF Click On to advertise OSPF routes from this VPN to OMP. By default OSPF interarea and intra-areas routes are advertised OMP. Click On again to advertise external OSPF routes.
Network Click Network and Click On to advertise a specific prefix to OMP. Click the plus sign (+) and enter the prefix.
Aggregate Click Aggregate and Click On to aggregate a prefix before advertising it to OMP. Click the plus sign (+) and enter the prefix. Click On again to advertise only the aggregated prefix.

To add another Network or Aggregate route to advertise to OMP, click the plus sign (+).

CLI equivalent:

vpn vpn-id
  omp
    advertise (aggregate prefix [aggregate-only] | bgp | connected | network prefix | ospf type | static)

Configure IPv4 Static Routes

To configure IPv4 static routes in a VPN, select the IPv4 Route tab and click the plus sign (+):

Parameter Name Description
Prefix Enter the IPv4 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN.
Gateway

To configure the next hop to reach the static route, select one of the following:

  • Next Hop—Specify the IPv4 address of the next-hop router to use to reach the static route.
  • Null0—Specify that the next hop is the null interface.
  • VPN0—Direct packets to the transport VPN.

Then click the plus sign (+) below the Gateway field to configure information about the next hop.
Address

If you select Next Hop as the gateway, enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.

To configure another next-hop address for the same prefix, click the plus sign (+) below the Gateway field.

To add a next-hop address for a different prefix, click the plus sign (+) above the Gateway field.
Enable Null0 If you select Null0 as the gateway, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.
Enable VPN If you select VPN as the gateway, click On to direct packets to the transport VPN. If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or other destination outside of the overlay network, effectively converting the vEdge router into a local Internet exit point. You must also enable NAT on a transport interface in VPN 0.

To add another static route for a different prefix, click the plus sign (+) above the Gateway field.

To delete a static route, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  ip route ip-address/subnet next-hop-address [administrative-distance]

Configure IPv6 Static Routes

To configure IPv6 static routes in VPN 0, select the IPv6 Route tab and click the plus sign (+):

Parameter Name Description
Prefix Enter the IPv6 address or prefix, and the prefix length of the IPv6 static route to configure in VPN 0.
Gateway

To configure the next hop to reach the static route, select one of the following:

  • Next Hop—Specify the IPv6 address of the next-hop router to use to reach the static route.
  • Null0—Specify that the next hop is the null interface.

Then click the plus sign (+) below the Gateway field to configure information about the next hop.
Address

If you select Next Hop as the gateway, enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.

To configure another next-hop address for the same prefix, click the plus sign (+) below the Gateway field.

To add a next-hop address for a different prefix, click the plus sign (+) above the Gateway field.
Enable Null0 If you select Null0 as the gateway, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.

To add another static route for a different prefix, click the plus sign (+).

To delete a static route, click the trash icon at the right side of the entry.

CLI equivalent:

vpn 0
  ipv6 route ip-address/subnet next-hop-address [administrative-distance]

Configure Services

For a VPN on a vEdge router (except for VPNs 0 and 512), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a GRE tunnel.

To configure a service in a VPN, select the Service tab and click the plus (+) sign:

Parameter Name Description
Service Type Select the service available in the local VPN.
Values: FW, IDP, IDS, TE, netsvc1, netsvc2, netsvc3, netsvc4
IP Address/Interfaces

Enter the location of the service:

  • If you select IP address, specify up to four IP address, separated by commas. The service is advertised to the vSmart controller only if one of the addresses can be resolved locally, at the local site, not via routes learned through OMP.
  • If you select Interface, specify one or two GRE interfaces. If you configure two, the first interface is the primary GRE tunnel, and the second is the backup tunnel.

To add another service, click the plus sign (+).

To delete a service, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
   service service-name address ip-address

Configure GRE-Specific Static Routes

To configure GRE-specific static routes in a service VPN (a VPN other than VPN 0 or VPN 512 on a vEdge router), select the GRE Route tab and click the plus sign (+):

Parameter Name Description
Prefix Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route
VPN ID Enter the number of the VPN to reach the service. This must be VPN 0.
GRE Interface

Enter the name of the GRE tunnel or tunnels used to reach the service.

To add another GRE route, click the plus sign (+).

To delete a GRE route, click the trash icon at the right side of the entry.

CLI equivalent:

vpn vpn-id
  ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]

​Release Information

Introduced in vManage NMS in Release 15.2.
In Release 15.4.3, add support for GRE tunnels.
In Release 16.3, add support for IPv6 in VPN 0.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. There are no recommended articles.
  1. Article type
    Topic
  2. Tags
    This page has no tags.