You can use the VPN-Interface-Cellular feature template to configure cellular module parameters on vEdge routers.
To configure cellular interfaces using vManage templates:
- Create a VPN-Interface-Cellular feature template to configure cellular module parameters, as described in this article.
- Create a Cellular-Profile template to configure the profiles used by the cellular modem. See Configure Cellular Profiles.
- Create a VPN feature template to configure VPN parameters. See Configure Segmentation (VPNs) on vEdge Routers.
- Create a device template that incorporates the two cellular feature templates and the VPN feature template. See Create Configuration Templates for a vEdge Router.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- From the Templates title bar, select Feature.
- Click Add Template.
- In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
- Select the VPN-Interface-Cellular template.
The right pane displays the VPN-Interface-Cellular template form.
- The top of the form contains fields for naming the template.
- The bottom contains fields for defining parameters applicable to that template.
- A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template from, for each parameter that has a default value, the scope is set to Default. To edit a parameter, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
- A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.
Minimum Cellular Interface Configuration
The following parameters are required (unless otherwise indicated) to create a cellular interface:
|1.||Template Name||Enter the template name. It can contain only alphanumeric characters.|
|2.||Description (Template)||Enter a description for the template. It can contain only alphanumeric characters.|
|3.||Technology||Enter the radio access technology (RAT) with the cellular interface. The default is lte. It can also be auto and cdma. (In Releases 16.3.2 and later.)|
|4.||Shutdown||Click No to enable the interface.|
|5.||Interface Name||Enter the name of the interface. It must be cellular0.|
|6.||Profile ID||Enter the identification number of the cellular profile. This is the profile identifier that you configure in the Cellular-Profile template.
Range: 1 through 15
|7.||Description (optional)||Enter a description of the cellular interface.|
|8.||IPv4 Configuration (optional)||
For an interface in VPN 0, you can select Dynamic to set the interface as a DHCP client in order to allow it to receive its IPv4 address from a DHCP server. If you select Dynamic, you can also optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. The default DHCP distance is 1.
|9.||IPv4 Address (optional)||Enter the IPv4 address for the interface.|
|10.||IPv6 Configuration (optional)||
For an interface in VPN 0, you can select Dynamic to set the interface as a DHCP client in order to allow it to receive its IPv6 address from a DHCP server. If you select Dynamic, you can also optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. The default DHCP distance is 1.
|11.||IPv6 Address (optional)||Enter the IPv6 address for the interface.|
|12.||DHCP helper (optional)||
To set the interface as a DHCP helper interface, enter up to four IP addresses for DHCP servers in the network, separated by commas. A DHCP helper interface forwards broadcast DHCP requests that it receives from the specified DHCP servers.
|13.||Interface tunnel||Under the Tunnel Interface tab, set Tunnel Interface to On and select a Color.|
|14.||IP MTU||Under the Advanced tab, enter 1428 for the IP MTU. You cannot use a different value.|
|15.||Save||Click Save to save the feature template.|
vpn 0 interface cellular0 ip dhcp-client (ip address ip-address/length | ip dhcp-client [dhcp-distance number]) (ipv6 address ipv6-prefix/length | ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-comit]) technology technology tunnel-interface color color mtu 1428 profile number no shutdown
Create a Tunnel Interface
To configure an interface in VPN 0 to be a WAN transport connection, you must configure a tunnel interface on the cellular interface. The tunnel, which provides security from attacks, is used to send the phone number. At a minimum, select On and select a color for the interface, as described in the previous section. You can generally accept the system defaults for the remainder of the tunnel interface settings.
To configure the tunnel interface parameters, select the Interface Tunnel tab:
|Tunnel Interface||Click On to create a tunnel interface.|
|Color||Select a color for the TLOC. The color typically used for cellular interface tunnels is lte.|
|Control Connection||The default is On, which establishes a control connection for the TLOC. If the vEdge router has multiple TLOCs, click No to have a tunnel not establish a TLOC.|
|Max Control Connections|| |
Set the maximum number of vSmart controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.
|vBond As STUN Server||Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the vEdge router is located behind a NAT.|
|Exclude Control Group List||Set the identifiers of one or more vSmart controller groups that this tunnel is not allows to establish control connections with. |
Range: 0 through 100
|vManage Connection Preference||Set the preference for using the tunnel to exchange control traffic with the vManage NMS. |
Range: 0 through 9
|Low-Bandwidth Link||Click On to set the tunnel interface as a low-bandwidth link.|
|Allow Service||Click On or Off for each service to allow or disallow the service on the cellular interface.|
To configure additional tunnel interface parameters, click Advanced Options:
Select the encapsulation to use on the tunnel interface. The default is IPsec.
You can select both IPsec and GRE encapsulation. In this case, two TLOCs are created for the tunnel interface, and they have the same IP address and color, but they have different encapsulations.
Enter a value to set the preference for directing traffic to the tunnel. A higher value is preferred over a lower value.
Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.
Select the carrier name or private network identifier to associate with the tunnel.
|Bind loopback tunnel||Enter the name of a physical interface to bind to a loopback interface. The interface name has the format geslot/port.|
|Last resort circuit||Use the tunnel interface as the circuit of last resort|
|NAT refresh interval||Set the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection. |
Range: 1 through 60 seconds
Default: 5 seconds
|Hello interval||Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection. |
Range: 100 through 10000 milliseconds
Default: 1000 milliseconds (1 second)
|Hello tolerance|| |
Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.
Range: 12 through 60 seconds
vpn 0 interface cellular0 tunnel-interface allow-service service-name bind interface-name carrier carrier-name color color encapsulation (gre | ipsec) preference number weight number exclude-controller-group-list number hello-interval milliseconds hello-tolerance seconds hold-time milliseconds low-bandwidth-link max-control-connections number last-resort-circuit nat-refresh-interval seconds vbond-as-stun-server (on vEdge routers only) vmanage-connection-preference number
Configure the Cellular Interface as a NAT Device
To configure a cellular interface to act as a NAT device, select the NAT tab, click On, and click the plus sign (+) to add a port forwarding rule:
|Port Forward||Define up to 128 port-forwarding rules to allow requests from an external network to reach devices on the internal network.|
|Port Start Range|| |
Enter the port name to define the port or first port in the range of interest.
|Port End Range|| |
Enter the same port name to apply port forwarding to a single port, or enter a larger number to apply it to a range of ports.
|Protocol||Select the protocol to which to apply the port-forwarding rule, either TCP or UDP traffic for the port forward rule. To match the same ports for both TCP and UDP traffic, configure two rules.|
|VPN||Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network. |
Range: 0 through 65530
|Private IP||Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule.|
To configure other NAT parameters, click Advanced Options:
|Refresh mode|| |
Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound).
|UDP timeout|| |
Specify when NAT translations over UDP sessions time out.
|TCP timeout|| |
Specify when NAT translations over TCP sessions time out.
|Block ICMP|| |
Select On to block inbound ICMP error messages. By default a vEdge router acting as a NAT device receives these error messages.
|Respond to Ping||Select On to have the vEdge router respond to ping requests to the NAT interface's IP address that are received from the public side of the connection.|
vpn 0 interface cellular0 nat block-icmp-error port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-ip-address ip address private-vpn vpn-id refresh (bi-directional | outbound) respond-to-ping tcp-timeout minutes udp-timeout minutes
Apply Access Lists
To apply access lists (ACLs) to cellular interfaces, select the ACL/QoS tab:
|Shaping rate|| |
Configure the aggreate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).
|QoS map||Specify the name of the QoS map to apply to packets being transmitted out the interface.|
|Rewrite rule||Click On, and specify the name of the rewrite rule to apply on the interface.|
|Ingress ACL – IPv4|| |
Click On, and specify the name of an IPv4 access list to packets being received on the interface.
|Egress ACL– IPv4||Click On, and specify the name of an IPv4 access list to packets being transmitted on the interface.|
|Ingress ACL – IPv6|| |
Click On, and specify the name of an IPv6 access list to packets being received on the interface.
|Egress ACL– IPv6||Click On, and specify the name of an IPv6 access list to packets being transmitted on the interface.|
|Ingress policer||Click On, and specify the name of the policer to apply to packets being received on the interface.|
|Egress policer||Click On, and specify the name of the policer to apply to packets being transmitted on the interface.|
vpn 0 interface cellularnumber access-list acl-name (in | out) ipv6 access-list acl-name (in | out) policer policer-name (in |out) qos-map name rewrite-rule name shaping-rate name
Add ARP Table Entries
To configure static Address Resolution Protocol (ARP) table entries on the interface, select the ARP tab and click the plus sign (+):
|IP Address||Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.|
|MAC Address||Enter the MAC address in colon-separated hexadecimal notation.|
To add another ARP table entry, click the plus sign (+).
To delete an ARP table entry, click the trash icon on the right side of the entry.
Configure Other Interface Properties
To configure other interface properties, select the Advanced tab:
|IP MTU|| |
Enter 1428 to set the MTU size, in bytes. This value must be 1428. You cannot use a different value.
|PMTU discovery||Click On to enable path MTU discovery on the interface, to allow the router to determine the largest MTU size supported without requiring packet fragmentation.|
|TCP MSS|| |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
|Clear-Dont-Fragment||Click On to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent.|
|Static ingress QoS||Select a queue number to use for incoming traffic. |
Range: 0 through 7
|ARP timeout||Specify how long it takes for a dynamically learned ARP entry to time out. |
Range: 0 through 2678400 seconds (744 hours)
Default: 1200 seconds (20 minutes)
|Autonegotiate||Click Off to turn off autonegotiation. By default, an interface runs in autonegotiation mode.|
|TLOC extension|| |
Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second vEdge router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.
vpn 0 interface cellular0 arp-timeout seconds [no] autonegotiate clear-dont-fragment mtu 1428 pmtu static-ingress-qos number tcp-mss-adjust bytes tloc-extension interface-name
Introduced in vManage NMS in Release 16.1.
In Release 16.2, add circuit of last resort and its associated hold time.
In Release 16.3, add support for IPv6.
In Release 16.3.2, add support for configuration RAT.