Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

VPN Interface PPP

  1. Last updated
  2. Save as PDF

Use the VPN-Interface-PPP template for vEdge Cloud and vEdge router devices.

Point-to-Point Protocol (PPP) is a data link protocol used to establish a direct connection between two nodes. PPP properties are associated with a PPPoE-enabled interface on vEdge routers to connect multiple users over an Ethernet link.

To configure PPPoE on vEdge routers using vManage templates:

  1. Create a VPN-Interface-PPP feature template to configure PPP parameters for the PPP virtual interface, as described in this article.
  2. Create a VPN-Interface-PPP-Ethernet feature template to configure a PPPoE-enabled interface. See the VPN-Interface-PPP-Ethernet help topic.
  3. Optionally, create a VPN feature template to modify the default configuration of VPN 0. See the VPN help topic.

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. Click the Transport & Management VPN tab located directly beneath the Description field, or scroll to the Transport & Management VPN section.
  6. Under Additional VPN 0 Templates, located to the right of the screen, click VPN Interface PPP.
  7. From the VPN Interface PPP drop-down, click Create Template. The VPN-Interface-PPP template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface PPP parameters.
  8. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  9. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure a PPP Virtual Interface

To configure a PPP virtual interface, select the Basic Configuration tab and configure the following parameters. Parameters marked with an asterisk are required to configure the interface. You must also configure an authentication protocol and a tunnel interface for the PPP interface, and you must ensure that the maximum MTU for the PPP interface is 1492 bytes.

Parameter Name Description
Shutdown* Click No to enable the PPP virtual interface.
PPP Interface Name* Enter the number of the PPP interface. It can be a number from 1 through 31.
Description Enter a description for the PPP virtual interface.
Bandwidth Upstream For transmitted traffic, set the bandwidth above which to generate notifications.
Range: 1 through (232 / 2) – 1 kbps
Bandwidth Downstream For received traffic, set the bandwidth above which to generate notifications.
Range: 1 through (232 / 2) – 1 kbps
Block Non-Source IP Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range.

To save the feature template, click Save.

CLI equivalent:

vpn 0
  interface pppnumber
    banddwidth-downstream kbps
    bandwidth-upstream kbps
    block-non-source-ip
    ppp
      no shutdown

​Configure the Access Concentrator Name and Authentication Protocol

To configure the access concentrator name, select the PPP tab and configure the following parameters:

Parameter Name Description
AC Name Name of the access concentrator used by PPPoE to route connections to the Internet.
Authentication Protocol

In the PPP tab, select the authentication protocol used by PPPoE:

  • CHAP—Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 255 characters.
  • PAP—Enter the username and password provided by your ISP. username can be up to 255 characters.
  • PAP and CHAP—Configure both authentication protocols. Enter the login credentials for each protocol. To use the same username and password for both, click Same Credentials for PAP and CHAP.

To save the feature template, click Save.

CLI equivalent:

vpn 0
  interface pppnumber
    ppp
      ac-name name
      authentication
        chap hostname name password password
        pap password password sent-username name

Create a Tunnel Interface

On vEdge routers, you can configure up to four tunnel interfaces. This means that each vEdge router can have up to four TLOCs.

For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0.

To configure a tunnel interface for the PPP interface, select the Tunnel Interface tab and configure the following parameters:

Parameter Name Description
Tunnel Interface Click On to create a tunnel interface.
Color Select a color for the TLOC.
Control Connection If the vEdge router has multiple TLOCs, click No to have the tunnel not establish a TLOC. The default is On, which establishes a control connection for the TLOC.
Maximum Control Connections

Specify the maximum number of vSmart controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 8
Default: 2
vBond As STUN Server Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the vEdge router is located behind a NAT.
Exclude Controller Group List Set the vSmart controllers that the tunnel interface is not allowed to connect to.
Range: 0 through 100
vManage Connection Preference Set the preference for using a tunnel interface to exchange control traffic with the vManage NMS.
Range: 0 through 8
Default: 5
Low-Bandwidth Link Select to characterize the tunnel interface as a low-bandwidth link.
Allow Service Select On or Off for each service to allow or disallow the service on the interface.

To configure additional tunnel interface parameters, click Advanced Options and configure the following parameters:

Parameter Name Description
Encapsulation

Select the encapsulation type to use on the tunnel interface, either IPsec or GRE. The default is IPsec.

If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.
Preference

Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

Range: 0 through 4294967295
Default: 0
Weight

Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

Range: 1 through 255
Default: 1
Carrier

Select the carrier name or private network identifier to associate with the tunnel.

Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
Default: default
Bind Loopback Tunnel Enter the name of a physical interface to bind to a loopback interface.
Last-Resort Circuit Select to use the tunnel interface as the circuit of last resort.
NAT Refresh Interval Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.
Range: 1 through 60 seconds
Default: 5 seconds
Hello Interval Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
Range: 100 through 10000 milliseconds
Default: 1000 milliseconds (1 second)
Hello Tolerance

Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.

Range: 12 through 60 seconds
Default: 12 seconds

CLI equivalent:

vpn 0
  interface interface-name
    tunnel-interface
      allow-service service-name
      bind interface-name
      carrier carrier-name
color color
      encapsulation (gre | ipsec)
        preference number
        weight number
      hello-interval milliseconds
      hello-tolerance seconds
      last-resort-circuit
      max-control-connections number
      nat-refresh-interval seconds
      vbond-as-stun-server

Configure the Interface as a NAT Device

To configure an interface to act as a NAT device, select the NAT tab and configure the following parameters:

Parameter Name Description
NAT Click On to have the interface act as a NAT device.
Refresh Mode

Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound).

Default: Outbound
UDP Timeout

Specify when NAT translations over UDP sessions time out.

Range: 1 through 65536 minutes

Default: 1 minutes
TCP Timeout

Specify when NAT translations over TCP sessions time out.

Range: 1 through 65536 minutes

Default: 60 minutes (1 hour)
Block ICMP

Select On to block inbound ICMP error messages. By default, a vEdge router acting as a NAT device receives these error messages.

Default: Off
Respond to Ping Select On to have the vEdge router respond to ping requests to the NAT interface's IP address that are received from the public side of the connection.

To create a port forwarding rule, click Add New Port Forwarding Rule and configure the following parameters. You can define up to 128 port-forwarding rules to allow requests from an external network to reach devices on the internal network.

Parameter Name Description
Port Start Range

Enter a port number to define the port or first port in the range of interest.

Range: 0 through 65535
Port End Range Enter the same port number to apply port forwarding to a single port, or enter the larger number to apply it to a range or ports.
Range: 0 through 65535
Protocol Select the protocol to whcih to apply the port-forwarding rule, either TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules.
VPN Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network.
Range: 0 through 65535
Private IP Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule.

To save a port forwarding rule, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface interface-name
    nat
      block-icmp-error
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) 
        private-ip-address ip-address private-vpn vpn-id
      refresh (bi-directional | outbound)
      respond-to-ping
      tcp-timeout minutes
      udp-timeout minutes

Apply Access Lists

To apply a rewrite rule, access lists, and policers to a router interface, select the ACL tab and configure the following parameters:

Parameter Name Description
Rewrite Rule Click On, and specify the name of the rewrite rule to apply on the interface.
Ingress ACL – IPv4

Click On, and specify the name of the access list to apply to IPv4 packets being received on the interface.
Egress ACL – IPv4 Click On, and specify the name of the access list to apply to IPv4 packets being transmitted on the interface.
Ingress ACL – IPv6

Click On, and specify the name of the access list to apply to IPv6 packets being received on the interface.
Egress ACL – IPv6 Click On, and specify the name of the access list to apply to IPv6 packets being transmitted on the interface.
Ingress Policer Click On, and specify the name of the policer to apply to packets being received on the interface.
Egress Policer Click On, and specify the name of the policer to apply to packets being transmitted on the interface.

To save the feature template, click Save.

CLI equivalent:

vpn 0
  interface pppnumber
    access-list acl-name (in | out)
    ipv6 access-list acl-name (in | out)
    policer policer-name (in |out)
    rewrite-rule name

Configure Other Interface Properties​

To configure other interface properties, select the Advanced tab and configure the following properties:

Parameter Name Description
MAC Address Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.
IP MTU Specify the maximum MTU size of packets on the interface.
Range: 576 through 1804
Default: 1500 bytes
TCP MSS Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 to 1460 bytes
Default: None
Clear Dont Fragment Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent.
TLOC Extension

Enter the name of the physical interface on the same router that connects to the WAN transport circuit. This configuration then binds this service-side interface to the WAN transport. A second vEdge router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.
Tracker Enter the name of a tracker to track the status of transport interfaces that connect to the internet.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id 
  interface interface-name
    clear-dont-fragment
    mac-address mac-address    
    mtu bytes 
    tcp-mss-adjust bytes
    tloc-extension interface-name
    tracker tracker-name

Release Information

Introduced in vManage NMS in Release 15.3.
In Release 16.3, add support for IPv6.
In Release 17.1, support ability to configure both CHAP and PAP authentication on a PPP interface.
In Release 17.2.2, add support for interface status tracking.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.