
VPN Interface Ethernet

Use the VPN-Interface-Ethernet template for all Viptela devices.

To configure the Ethernet interfaces in a VPN using vManage templates:

  1. Create a VPN-Interface-Ethernet feature template to configure Ethernet interface parameters, as described in this article.
  2. Create a VPN feature template to configure VPN parameters. See the VPN help topic.
  3. Optionally, on vEdge routers, to enable DHCP server functionality on the interface, create a DHCP-Server feature template. See the DHCP-Server help topic.

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. To create a template for VPN 0 or VPN 512:
    1. Click the Transport & Management VPN tab located directly beneath the Description field, or scroll to the Transport & Management VPN section.
    2. Under Additional VPN 0 Templates, located to the right of the screen, click VPN Interface.
    3. From the VPN Interface drop-down, click Create Template. The VPN-Interface-Ethernet template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface Ethernet parameters.
  6. To create a template for VPNs 1 through 511, and 513 through 65530:
    1. Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
    2. Click the Service VPN drop-down.
    3. Under Additional VPN templates, located to the right of the screen, click VPN Interface.
    4. From the VPN Interface drop-down, click Create Template. The VPN-Interface-Ethernet template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface Ethernet parameters.
  7. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  8. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. You can build this file in a spreadsheet application such as Excel and save it as CSV; it contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
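
The CSV described above, as an added example (not vManage code): a Python check to run on a template variables file before you upload it, verifying that the header carries exactly the template's device-specific keys and that no device row leaves a key blank. The key names and the two device rows are constructed for the example; the real keys are the strings the Enter Key box shows for your template.

```python
"""Check a vManage template variables CSV before upload.
Added example, not vManage code; keys and rows are constructed."""

import csv
import io

# Placeholder key names following the article's examples of device-specific
# parameters (hostname, system IP, site ID, an interface address).
TEMPLATE_KEYS = ["system_host_name", "system_system_ip", "system_site_id",
                 "vpn_if_name_ge0_0_ipv4_address"]

# Constructed sample: header row of keys, then one row per device.
# The second device leaves its interface address blank.
SAMPLE_CSV = """\
system_host_name,system_system_ip,system_site_id,vpn_if_name_ge0_0_ipv4_address
site10-edge1,10.255.10.1,10,192.0.2.10/24
site20-edge1,10.255.20.1,20,
"""


def check_variables_csv(text, keys):
    """Return a list of problems: header keys that do not match the template,
    and blank cells, which would leave that parameter unset on that device."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    problems = [f"header: missing key {k}" for k in keys if k not in header]
    problems += [f"header: unknown key {k}" for k in header if k not in keys]
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for k in keys:
            if k in header and not (row.get(k) or "").strip():
                problems.append(f"row {line_no}: blank value for {k}")
    return problems


if __name__ == "__main__":
    for problem in check_variables_csv(SAMPLE_CSV, TEMPLATE_KEYS):
        print(problem)   # row 3: blank value for vpn_if_name_ge0_0_ipv4_address
```

Run it against the exported CSV with the key list copied from the template; an empty result means every device has a value for every device-specific parameter.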

Configure Basic Interface Functionality

To configure basic interface functionality in a VPN, select the Basic Configuration tab and configure the following parameters. Parameters marked with an asterisk are required to configure an interface.

Parameter Name Description
Shutdown* Click No to enable the interface.
Interface name* Enter a name for the interface.
Description Enter a description for the interface.
IPv4 Configuration*

To configure a static address, click Static and enter an IPv4 address.

To set the interface as a DHCP client so that it receives its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance, which is the administrative distance of routes learned from the DHCP server. The default DHCP distance is 1.

IPv6 Address*

To configure a static address for an interface in VPN 0, click Static and enter an IPv6 address.

To set the interface as a DHCP client so that it receives its IPv6 address from a DHCP server, click Dynamic. You can optionally set the DHCP distance, which is the administrative distance of routes learned from the DHCP server. The default DHCP distance is 1. You can optionally enable DHCP rapid commit to speed up address assignment.

DHCP Helper (on vEdge routers)

Enter up to eight IP addresses of DHCP servers in the network, separated by commas, to make the interface a DHCP helper. A DHCP helper interface forwards the broadcast DHCP (BOOTP) requests it receives from clients on that interface to the specified DHCP servers.

Block Non-Source IP (on vEdge routers) Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range. Packets whose source address lies outside that prefix, such as packets with spoofed source addresses, are dropped.
Bandwidth Upstream (on vEdge routers and vManage NMSs) For transmitted traffic, set the bandwidth above which to generate notifications.
Range: 1 through (2^32 / 2) – 1 kbps, that is, 1 through 2147483647 kbps
Bandwidth Downstream (on vEdge routers and vManage NMSs) For received traffic, set the bandwidth above which to generate notifications.
Range: 1 through (2^32 / 2) – 1 kbps, that is, 1 through 2147483647 kbps
Secondary IP Address (on vEdge routers) Click Add to configure up to four secondary IPv4 addresses for a service-side interface.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface interface-name
    bandwidth-downstream kbps
    bandwidth-upstream kbps
    block-non-source-ip
    description text
    dhcp-helper ip-address (on vEdge routers only)
    (ip address ipv4-prefix/length | ip dhcp-client [dhcp-distance number])
    (ipv6 address ipv6-prefix/length | ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit])
    secondary-address ipv4-address
    [no] shutdown

Create a Tunnel Interface

On vEdge routers, you can configure up to four tunnel interfaces. This means that each vEdge router can have up to four TLOCs.

On vSmart controllers and vManage NMSs, you can configure one tunnel interface.

For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0.

To configure a tunnel interface, select the Interface Tunnel tab and configure the following parameters:

Parameter Name Description
Tunnel Interface Click On to create a tunnel interface.
Color Select a color for the TLOC.
Control Connection (on vEdge routers) If the vEdge router has multiple TLOCs, click No to have this tunnel interface not establish a control connection. The default is On, which establishes control connections on the TLOC.
Maximum Control Connections (on vEdge routers)

Specify the maximum number of vSmart controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 8
Default: 2

vBond As Stun Server (on vEdge routers) Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the vEdge router is located behind a NAT.
Exclude Controller Group List (on vEdge routers) Set the vSmart controllers that the tunnel interface is not allowed to connect to.
Range: 0 through 100
vManage Connection Preference (on vEdge routers) Set the preference for using a tunnel interface to exchange control traffic with the vManage NMS.
Range: 0 through 8
Default: 5
Port Hop Click On to enable port hopping, or click Off to disable it. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface). To control port hopping on a global level, use the System configuration template.
Default: Enabled (on vEdge routers); disabled (on vManage NMSs and vSmart controllers)
Low-Bandwidth Link (on vEdge routers) Select to characterize the tunnel interface as a low-bandwidth link.
Allow Service Select On or Off for each service to allow or disallow that service on the tunnel interface. Allow only the services the transport interface must accept: a service allowed here is reachable from the transport network.

To configure additional tunnel interface parameters, click Advanced Options:

Parameter Name Description
Encapsulation (on vEdge routers)

Select the encapsulation type to use on the tunnel interface, either IPsec or GRE. The default is IPsec.

If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.

IPsec Preference (on vEdge routers)

Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

Range: 0 through 4294967295
Default: 0

IPsec Weight (on vEdge routers)

Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

Range: 1 through 255
Default: 1

Carrier

Select the carrier name or private network identifier to associate with the tunnel.

Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
Default: default

Bind Loopback Tunnel (on vEdge routers) Enter the name of a physical interface to bind to a loopback interface.
Last-Resort Circuit (on vEdge routers) Select to use the tunnel interface as the circuit of last resort.
NAT Refresh Interval Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.
Range: 1 through 60 seconds
Default: 5 seconds
Hello Interval (on vSmart and vManage devices)

Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
Range: 100 through 10000 milliseconds
Default: 1000 milliseconds (1 second)

Hello Tolerance (on vSmart and vManage devices)

Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.

Range: 12 through 60 seconds
Default: 12 seconds

To save the feature template, click Save.

CLI equivalent:

vpn 0
  interface interface-name
    tunnel-interface
      allow-service service-name
      bind interface-name (on vEdge routers only)
      carrier carrier-name
      color color
      encapsulation (gre | ipsec) (on vEdge routers only)
        preference number
        weight number
      exclude-controller-group-list number (on vEdge routers only)
      hello-interval milliseconds (on vSmart and vManage devices only)
      hello-tolerance seconds (on vSmart and vManage devices only)
      last-resort-circuit (on vEdge routers only)
      low-bandwidth-link (on vEdge routers only)
      max-control-connections number (on vEdge routers only)
      nat-refresh-interval seconds
      vbond-as-stun-server
      vmanage-connection-preference number (on vEdge routers only)

Configure the Interface as a NAT Device (on vEdge Routers)

To configure an interface to act as a NAT device for applications such as port forwarding, select the NAT tab, click On and configure the following parameters:

Parameter Name Description
NAT Click On to have the interface act as a NAT device.
Refresh Mode

Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound).
Default: Outbound

UDP Timeout

Specify when NAT translations over UDP sessions time out.
Range: 1 through 65536 minutes
Default: 1 minute

TCP Timeout

Specify when NAT translations over TCP sessions time out.
Range: 1 through 65536 minutes
Default: 60 minutes (1 hour)

Block ICMP

Select On to block inbound ICMP error messages. By default, a vEdge router acting as a NAT device receives these error messages.
Default: Off

Respond to Ping Select On to have the vEdge router respond to ping requests to the NAT interface's IP address that are received from the public side of the connection.

To create a port forwarding rule, click Add New Port Forwarding Rule and configure the following parameters. You can define up to 128 port-forwarding rules to allow requests from an external network to reach devices on the internal network. Each rule makes the internal host reachable from the public side on the forwarded ports, so keep the port range and the number of rules to the minimum the application needs.

Parameter Name Description
Port Start Range

Enter a port number to define the port or first port in the range of interest.
Range: 0 through 65535

Port End Range Enter the same port number to apply port forwarding to a single port, or enter a larger number to apply it to a range of ports.
Range: 0 through 65535
Protocol Select the protocol to which to apply the port-forwarding rule, either TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules.
VPN Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network.
Range: 0 through 65530
Private IP Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule.

To save a port forwarding rule, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface interface-name
    nat
      block-icmp-error
      port-forward port-start port-number1 port-end port-number2 proto (tcp | udp) private-ip-address ip-address private-vpn vpn-id
      refresh (bi-directional | outbound)
      respond-to-ping
      tcp-timeout minutes
      udp-timeout minutes
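
Added example for the tunnel interface and NAT sections above (not Viptela or Cisco code): a Python audit that parses a configuration written in the CLI form used in this article and reports the settings a reviewer checks on an internet-facing interface: every allow-service entry on the tunnel interface, max-control-connections 0, NAT answering pings or accepting ICMP errors from the public side, and each port-forwarding rule with the range it opens. The sample configuration is constructed; the check that a service-side interface with a static address should have block-non-source-ip set, and the threshold for flagging a wide port-forwarding range, are assumptions made for the example.

```python
"""Parse Viptela-style CLI text and list exposure-relevant interface settings.
Added example, not Viptela/Cisco code; thresholds are assumptions."""

WIDE_FORWARD_PORTS = 16   # assumption: flag rules that open more ports than this
PORT_RANGE = (0, 65535)   # port start/end range from the article
VPN_RANGE = (0, 65530)    # private VPN range from the article

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
vpn 0
  interface ge0/0
    ip dhcp-client
    tunnel-interface
      color biz-internet
      max-control-connections 0
      allow-service all
      allow-service sshd
    nat
      respond-to-ping
      port-forward port-start 3389 port-end 3389 proto tcp private-ip-address 10.1.1.10 private-vpn 1
      port-forward port-start 1024 port-end 65535 proto udp private-ip-address 10.1.1.20 private-vpn 1
    no shutdown
vpn 1
  interface ge0/1
    ip address 10.1.1.1/24
    no shutdown
"""


def parse_config(text):
    """Turn indented CLI text into nested (tokens, children) nodes."""
    root = []
    stack = [(-1, root)]               # (indent, children list of the open node)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.split(), [])
        while stack[-1][0] >= indent:  # close nodes at equal or deeper indent
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def check_port_forward(iface, tokens):
    """Validate one port-forward line and describe the exposure it creates."""
    kv = dict(zip(tokens[1::2], tokens[2::2]))
    start, end, vpn = int(kv["port-start"]), int(kv["port-end"]), int(kv["private-vpn"])
    if not PORT_RANGE[0] <= start <= end <= PORT_RANGE[1]:
        return [(iface, "port-forward-invalid", f"{start}-{end}")]
    if not VPN_RANGE[0] <= vpn <= VPN_RANGE[1]:
        return [(iface, "port-forward-invalid", f"private-vpn {vpn}")]
    found = [(iface, "port-forward",
              f"{kv['proto']} {start}-{end} -> {kv['private-ip-address']} vpn {vpn}")]
    if end - start + 1 > WIDE_FORWARD_PORTS:
        found.append((iface, "port-forward-wide", f"{end - start + 1} ports"))
    return found


def audit_interface(vpn_id, iface, children):
    found = []
    heads = [t for t, _ in children]
    # Assumption for the example: a service-side interface with a static address
    # should drop packets whose source lies outside its prefix (block-non-source-ip).
    if vpn_id != "0" and any(t[:2] == ["ip", "address"] for t in heads) \
            and not any(t[0] == "block-non-source-ip" for t in heads):
        found.append((iface, "block-non-source-ip-unset", "accepts any source address"))
    for tokens, kids in children:
        if tokens[0] == "tunnel-interface":
            for t, _ in kids:
                if t[0] == "allow-service":
                    found.append((iface, "allow-service", t[1]))
                elif t == ["max-control-connections", "0"]:
                    found.append((iface, "no-control-connections", "max-control-connections 0"))
        elif tokens[0] == "nat":
            present = {t[0] for t, _ in kids}
            if "respond-to-ping" in present:
                found.append((iface, "nat-respond-to-ping", "answers ping from the public side"))
            if "block-icmp-error" not in present:
                found.append((iface, "nat-icmp-errors-accepted", "block-icmp-error not set"))
            for t, _ in kids:
                if t[0] == "port-forward":
                    found.extend(check_port_forward(iface, t))
    return found


def audit(text):
    """Return (vpn, interface, check, detail) tuples for every interface."""
    found = []
    for tokens, children in parse_config(text):
        if tokens[0] == "vpn":
            for t, kids in children:
                if t[0] == "interface":
                    found.extend((tokens[1], *f) for f in audit_interface(tokens[1], t[1], kids))
    return found


if __name__ == "__main__":
    for vpn, iface, check, detail in audit(SAMPLE_CONFIG):
        print(f"vpn {vpn} {iface}: {check}: {detail}")
```

On the sample, the audit reports the two allow-service entries, the tunnel that joins no controller, the NAT interface answering pings and accepting ICMP errors, the two forwarding rules (the UDP one flagged for opening 64512 ports) and the service interface without a source-address check; the same parser works on any configuration in this indented form.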

Configure VRRP (on vEdge Routers)

To have an interface run the Virtual Router Redundancy Protocol (VRRP), which allows multiple routers to share a common virtual IP address for default gateway redundancy, select the VRRP tab. Then click Add New VRRP and configure the following parameters:

Parameter Name Description
Group ID

Enter the virtual router ID, which is a numeric identifier of the virtual router.
Range: 1 through 255

Priority

Enter the priority level of the router. The router with the highest priority is elected as master. If two vEdge routers have the same priority, the one with the higher IP address is elected as master.
Range: 1 through 254
Default: 100

Timer

Specify how often the VRRP master sends VRRP advertisement messages. If slave routers miss three consecutive VRRP advertisements, they elect a new master.
Range: 1 through 3600 seconds
Default: 1 second

Track OMP
Track Prefix List

By default, VRRP uses the state of the service (LAN) interface on which it is running to determine which vEdge router is the master virtual router. If a vEdge router loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN-side connectivity into account for VRRP, configure one of the following:

Track OMP—Click On for VRRP to track the Overlay Management Protocol (OMP) session running on the WAN connection. If the master VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List—Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the master VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic that is dropped while the vEdge routers determine the VRRP master.

IP Address Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local vEdge router and the peer running VRRP.

CLI equivalent:

vpn vpn-id
  interface geslot/port[.subinterface]
    vrrp group-number
      ipv4 ip-address    
      priority number
      timer seconds
      (track-omp | track-prefix-list list-name)
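
The election and tracking rules described above, as an added example (not Viptela or Cisco code): a small Python model of a VRRP pair that you can run through the failure cases the text discusses, in particular a master that loses its WAN while its LAN interface stays up. Router names, addresses and priorities are constructed.

```python
"""Model of the VRRP master election and tracking rules in this article.
Added example, not Viptela/Cisco code; the router pair is constructed."""

from dataclasses import dataclass
from ipaddress import ip_address

GROUP_RANGE = (1, 255)      # Group ID range from the parameter table
PRIORITY_RANGE = (1, 254)   # Priority range
TIMER_RANGE = (1, 3600)     # Timer range, seconds
MISSED_ADVERTISEMENTS = 3   # backups elect a new master after this many misses


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str        # configured address of the LAN interface
    priority: int = 100      # default from the article
    lan_up: bool = True      # state of the service-side interface
    omp_sessions: int = 1    # active OMP sessions over the WAN
    lost_prefixes: int = 0   # tracked prefix-list entries currently unreachable


def is_eligible(router, tracking=None):
    """Default: only the LAN interface state counts. Track OMP: a router with no
    OMP session is excluded. Track Prefix List: a lost prefix also excludes it."""
    if not router.lan_up:
        return False
    if tracking in ("track-omp", "track-prefix-list") and router.omp_sessions == 0:
        return False
    if tracking == "track-prefix-list" and router.lost_prefixes > 0:
        return False
    return True


def elect_master(routers, tracking=None):
    """Highest priority wins; equal priorities go to the higher interface IP."""
    candidates = [r for r in routers if is_eligible(r, tracking)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.priority, int(ip_address(r.interface_ip))))


def failover_delay(timer_seconds):
    """Worst-case seconds before backups notice a silent master."""
    return MISSED_ADVERTISEMENTS * timer_seconds


def validate_group(group_id, timer, virtual_ip, routers):
    """Range checks from the parameter table, plus the rule that the virtual
    IP must differ from every member's interface address."""
    problems = []
    if not GROUP_RANGE[0] <= group_id <= GROUP_RANGE[1]:
        problems.append(f"group {group_id} outside {GROUP_RANGE}")
    if not TIMER_RANGE[0] <= timer <= TIMER_RANGE[1]:
        problems.append(f"timer {timer} outside {TIMER_RANGE}")
    for r in routers:
        if not PRIORITY_RANGE[0] <= r.priority <= PRIORITY_RANGE[1]:
            problems.append(f"{r.name}: priority {r.priority} outside {PRIORITY_RANGE}")
        if r.interface_ip == virtual_ip:
            problems.append(f"{r.name}: virtual IP {virtual_ip} equals its interface address")
    return problems


# Constructed pair: edge1 is meant to be the master.
EDGE1 = VrrpRouter("edge1", "10.1.10.2", priority=110)
EDGE2 = VrrpRouter("edge2", "10.1.10.3", priority=100)

if __name__ == "__main__":
    print(elect_master([EDGE1, EDGE2]).name)                   # edge1
    wan_lost = VrrpRouter("edge1", "10.1.10.2", priority=110, omp_sessions=0)
    print(elect_master([wan_lost, EDGE2]).name)                # edge1: WAN loss is invisible without tracking
    print(elect_master([wan_lost, EDGE2], "track-omp").name)   # edge2
    print(failover_delay(1))                                   # 3
```

The second and third calls are the point of the Track OMP option: with the default LAN-only check, edge1 keeps mastership after losing every OMP session and black-holes the site's traffic; with tracking, edge2 takes over.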

Apply Access Lists and QoS Parameters (on vEdge Routers)

To configure a shaping rate to a router interface and to apply a QoS map, a rewrite rule, access lists, and policers to a router interface, select the ACL/QoS tab and configure the following parameters:

Parameter Name Description
Shaping rate Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).
QoS Map Specify the name of the QoS map to apply to packets being transmitted out the interface.
Rewrite Rule Click On, and specify the name of the rewrite rule to apply on the interface.
Ingress ACL – IPv4

Click On, and specify the name of the access list to apply to IPv4 packets being received on the interface.

Egress ACL – IPv4 Click On, and specify the name of the access list to apply to IPv4 packets being transmitted on the interface.
Ingress ACL – IPv6

Click On, and specify the name of the access list to apply to IPv6 packets being received on the interface.

Egress ACL – IPv6 Click On, and specify the name of the access list to apply to IPv6 packets being transmitted on the interface.
Ingress Policer Click On, and specify the name of the policer to apply to packets received on the interface.
Egress Policer Click On, and specify the name of the policer to apply to packets being transmitted on the interface.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  interface interface-name
    access-list acl-list (in | out)
    policer policer-name (in | out)
    qos-map name
    rewrite-rule name
    shaping-rate kbps

Add ARP Table Entries

To configure static Address Resolution Protocol (ARP) table entries on the interface, select the ARP tab. Then click Add New ARP and configure the following parameters:

Parameter Name Description
IP Address Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.
MAC Address Enter the MAC address in colon-separated hexadecimal notation.

To save the ARP configuration, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id 
  interface interface-name    
    arp 
      ip ip-address mac mac-address    

Configure IEEE 802.1X Authentication for WANs

To configure IEEE 802.1X authentication for WANs on the interface, select the 802.1X tab, and click On:

Parameter Name Description
802.1X Click On to enable IEEE 802.1X on the interface.
RADIUS Server Enter the tag of the RADIUS server to use for 802.1X authentication. It can be from 4 through 16 characters long. You configure the tag in the AAA feature template.
Account Interim Interval Enter how often to send 802.1X interim accounting updates to the RADIUS server.
Range: 0 through 7200 seconds
Default: 0 (no interim accounting updates are sent)
NAS Identifier Enter the NAS identifier of the local router. It can be a string from 1 to 255 characters long. This identifier is sent to the RADIUS server.
NAS IP Enter the NAS IP address of the local router. This address is sent to the RADIUS server.
Wake On LAN Enable a client to be powered up when the vEdge router receives an Ethernet magic packet frame.
Control Direction

Select how an 802.1X interface that is using wake on LAN handles packets from unauthorized clients:

  • In and Out—Send packets to and receive packets from unauthorized clients. This is the default.
  • In Only—Send packets to unauthorized clients but do not receive packets from them.
Reauthentication Enter how often to reauthenticate 802.1X clients. By default, no reauthentication attempts are made after the initial LAN access request.
Range: 0 through 1440 minutes
Inactivity Enter how long to wait before revoking an 802.1X client's network access.
Range: 0 through 1440 minutes (24 hours)
Default: 60 minutes (1 hour)
Host Mode

Select whether an 802.1X interface grants access to a single client or to multiple clients:

  • Multi Auth—Grant access to one client on a voice VLAN and multiple clients on data VLANs.
  • Multi Host—Grant access to multiple clients.
  • Single Host—Grant access only to the first authenticated client. This is the default.

To configure other IEEE 802.1X authentication properties, click Advanced Options and configure the following parameters:

Parameter Name Description
Authentication Order Set the order of authentication methods to use when authenticating devices for connection to the 802.1X WAN. The default authentication order is RADIUS, then MAC authentication bypass (MAB).
VLAN
Authentication Fail VLAN Configure network access when RADIUS authentication or the RADIUS server fails. An authentication-fail VLAN is similar to a critical VLAN.
Guest VLAN Configure a guest VLAN to provide limited services to clients that are not 802.1X–compliant.
Authentication Reject VLAN Configure limited services to 802.1X–compliant clients that failed RADIUS authentication. An authentication-reject VLAN is similar to a restricted VLAN.
Default VLAN Configure network access for 802.1X–compliant clients that are successfully authenticated by the RADIUS server. If you do not configure a default VLAN on the vEdge router, successfully authenticated clients are placed into VLAN 0, which is the VLAN associated with an untagged bridge.
Dynamic Authentication Server
DAS Port Configure the UDP port number to listen for CoA requests from the RADIUS server.
Range: 1 through 65535
Default: 3799
Client Set the IP address of the RADIUS or other authentication server from which to accept CoA requests.
Secret Key Set the shared secret that the RADIUS or other authentication server must use when sending CoA requests to the router's 802.1X interface.
Time Window Set how long a CoA request is valid.
Range: 0 through 1000 seconds
Default: 300 seconds (5 minutes)
Require Timestamp Enable to require the DAS client to timestamp CoA messages.
VPN Set the VPN through which the RADIUS or other authentication server is reachable.
MAC Authentication Bypass
Server Select to enable MAC authentication bypass (MAB) on the RADIUS server and to authenticate clients that are not 802.1X–compliant using a RADIUS server.
Allow Specify the MAC addresses of one or more devices so that authentication checks for these devices are performed using the RADIUS server.
Request Attributes
Authentication

Click Authentication, then click Add New Authentication Entry to configure RADIUS authentication attribute–value (AV) pairs to send to the RADIUS server during an 802.1X session.

To save the entry, click Add.

Accounting

Click Accounting, then click Add New Accounting Entry to configure RADIUS accounting attribute–value (AV) pairs to send to the RADIUS server during an 802.1X session.

To save the entry, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn 0
  interface interface-name
    dot1x
      accounting-interval minutes
      acct-req-attr attribute-number (integer integer | octet octet | string string)
      auth-fail-vlan vlan-id
      auth-order (mab | radius)
      auth-reject-vlan vlan-id
      auth-req-attr attribute-number (integer integer | octet octet | string string)
      control-direction direction
      das
        client ip-address
        port port-number
        require-timestamp
        secret-key password
        time-window seconds
        vpn vpn-id
      default-vlan vlan-id
      guest-vlan vlan-id
      host-mode (multi-auth | multi-host | single-host)
      mac-authentication-bypass
        allow mac-addresses
        server
      nas-identifier string
      nas-ip-address ip-address
      radius-servers tag
      reauthentication minutes
      timeout 
        inactivity minutes
      wake-on-lan

Configure Other Interface Properties

To configure other interface properties, select the Advanced tab and configure the following parameters:

Parameter Name Description
Duplex

Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode.
Default: full

MAC Address Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.
IP MTU Specify the maximum MTU size of packets on the interface.
Range: 576 through 1804
Default: 1500 bytes
PMTU Discovery Click On to enable path MTU discovery on the interface. PMTU determines the largest MTU size that the interface supports so that packet fragmentation does not occur.
Flow Control

Select a setting for bidirectional flow control, which is a mechanism for temporarily stopping the transmission of data on the interface.
Values: autoneg, both, egress, ingress, none
Default: autoneg

TCP MSS Specify the maximum segment size (MSS) of TCP SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 to 1460 bytes
Default: None
Speed

Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation.
Values: 10, 100, or 1000 Mbps
Default: Autonegotiate (10/100/1000 Mbps)

Clear-Dont-Fragment

Click On to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent.

Static Ingress QoS (on vEdge routers)

Specify a queue number to use for incoming traffic.
Range: 0 through 7

ARP Timeout (on vEdge routers)

Specify how long it takes for a dynamically learned ARP entry to time out.
Range: 0 through 2678400 seconds (744 hours)
Default: 1200 (20 minutes)

Autonegotiation Click Off to turn off autonegotiation. By default, an interface runs in autonegotiation mode.
TLOC Extension (on vEdge routers) Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second vEdge router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.
Power over Ethernet (on vEdge 100m and vEdge 100wm routers) Click On to enable PoE on the interface.
Tracker (on vEdge routers) Enter the name of a tracker to track the status of transport interfaces that connect to the internet.

CLI equivalent:

vpn vpn-id 
  interface interface-name
    arp-timeout seconds (on vEdge routers only)
    [no] autonegotiate
    clear-dont-fragment
    duplex (full | half)
    flow-control control   
    mac-address mac-address    
    mtu bytes 
    pmtu
    pppoe-client (on vEdge 100m and vEdge 100wm routers only)
      ppp-interface pppnumber
    speed speed
    static-ingress-qos number (on vEdge routers only)
    tcp-mss-adjust bytes
    tloc-extension interface-name (on vEdge routers only)
    tracker tracker-name (on vEdge routers only)

Release Information

Introduced in vManage NMS Release 15.2.
Release 17.2.2 added support for tracker interface status.
