
VPN

Use the VPN template for all Viptela devices.

To configure VPNs for network segmentation using vManage templates:

  1. Create VPN feature templates to configure VPN parameters, as described in this article. You create a separate VPN feature template for each VPN. For example, create one feature template for VPN 0, a second for VPN 1, and a third for VPN 512.
    For vManage NMSs and vSmart controllers, you can configure only VPNs 0 and 512. Create templates for these VPNs only if you want to modify the default settings for the VPN. For vEdge routers, you can create templates for these two VPNs and for additional VPN feature templates to segment service-side user networks.
    • VPN 0—Transport VPN, which carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all of a device's interfaces except for the management interface, and all interfaces are disabled.
    • VPN 512—Management VPN, which carries out-of-band network management traffic among the Viptela devices in the overlay network. The interface used for management traffic resides in VPN 512. By default, VPN 512 is configured and enabled on all vEdge routers except for vEdge 100. For controller devices, by default, VPN 512 is not configured.
    • VPNs 1 through 511, and 513 through 65530—VPNs on vEdge routers for service-side data traffic.
  2. Create interface feature templates to configure the interfaces in the VPN. See the VPN-Interface-Ethernet help topic.
  3. For vEdge routers, create interface feature templates to configure additional interfaces in the VPN. See the VPN-Interface-GRE, VPN-Interface-PPP, and VPN-Interface-PPP-Ethernet help topics.

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. To create a template for VPN 0 or VPN 512:
    1. Click the Transport & Management VPN tab located directly beneath the Description field, or scroll to the Transport & Management VPN section.
    2. From the VPN 0 or VPN 512 drop-down, click Create Template. The VPN template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN parameters.
  6. To create a template for VPNs 1 through 511, and 513 through 65530:
    1. Click the Service VPN tab located directly beneath the Description field, or scroll to the Service VPN section.
    2. Click the Service VPN drop-down.
    3. From the VPN drop-down, click Create Template. The VPN template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN parameters.
  7. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  8. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Basic VPN Parameters

To configure basic VPN parameters, select the Basic Configuration tab and then configure the following parameters. Parameters marked with an asterisk are required to configure a VPN.

Parameter Name Description
VPN*

Enter the numeric identifier of the VPN.

Range for vEdge routers: 0 through 65530
Values for vSmart and vManage devices: 0, 512

Name Enter a name for the VPN.
Enhance ECMP keying (on vEdge routers only)

Click On to include the Layer 4 source and destination ports in the ECMP hash key, in addition to the combination of the source IP address, destination IP address, protocol, and DSCP field. ECMP keying is Off by default.

Enable TCP Optimization (on vEdge routers only) Click On to enable TCP optimization for a service-side VPN (a VPN other than VPN 0 and VPN 512). TCP optimization fine-tunes TCP to decrease round-trip latency and improve throughput for TCP traffic.
Save Click Save to save the feature template.

To complete the configuration of the transport VPN on a vEdge router, you must configure at least one interface in VPN 0.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  ecmp-hash-key layer4 (on vEdge routers only)
  name text
  tcp-optimization (on vEdge routers only)

Configure DNS and Static Hostname Mapping

To configure DNS addresses and static hostname mapping, select the DNS tab and configure the following parameters:

Parameter Name Description
Primary DNS Address Enter the IP address of the primary DNS server in this VPN.
Secondary DNS Address Enter the IP address of a secondary DNS server in this VPN. This field appears only if you have specified a primary DNS address.
Hostname Click Add New DNS, and enter the hostname of the DNS server. The name can be up to 128 characters.
List of IP Addresses Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.

To save the DNS server configuration, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  dns ip-address (primary | secondary)
  host hostname ip ip-address

Configure Route Advertisements to OMP

To configure route advertisements to OMP for this VPN, select the Advertise OMP tab and configure the parameters listed below. Route advertisements that you configure here apply to the specific VPN. If you configure route advertisements to OMP for both the VPN and the entire vEdge router (using the OMP feature template), both configurations are applied.

Parameter Name Description
BGP Click On to advertise BGP routes from this VPN to OMP.
Static Click On to advertise static routes from this VPN to OMP.
Connected Click On to advertise connected routes from this VPN to OMP.
OSPF Click On to advertise OSPF routes from this VPN to OMP. By default, OSPF inter-area and intra-area routes are advertised to OMP. Click On again to advertise external OSPF routes.
Network Click the Network tab and click On to advertise a specific prefix to OMP. Click Add New Prefix, enter the prefix, and click Add.
Aggregate Click the Aggregate tab and click On to aggregate a prefix before advertising it to OMP. Click Add New Aggregate, enter the prefix, click On again to advertise only the aggregated prefix, and click Add.

To save the route advertisement configuration, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  omp
    advertise (aggregate prefix [aggregate-only] | bgp | connected | network prefix | ospf type | static)

Configure IPv4 Static Routes

To configure IPv4 static routes in a VPN, select the IPv4 Route tab. Then click Add New IPv4 Route, and configure the following parameters:

Parameter Name Description
Prefix Enter the IPv4 address or prefix, in decimal four-part-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN.
Gateway

To configure the next hop to reach the static route, select one of the following:

  • Next Hop—Specify the IPv4 address of the next-hop router to use to reach the static route.
  • Null0—Specify that the next hop is the null interface.
  • VPN0—Direct packets to the transport VPN.

Then click the plus sign (+) below the Gateway field to configure information about the next hop.

Address

If you select Next Hop as the gateway, click Add Next Hop. Then enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1. Then click Save.

Enable Null0 If you select Null0 as the gateway, in Enable Null0, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.
Enable VPN If you select VPN as the gateway, in Enable VPN, click On to direct packets to the transport VPN. If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or other destination outside of the overlay network, effectively converting the vEdge router into a local Internet exit point. You must also enable NAT on a transport interface in VPN 0.

To save the configured IPv4 static routes, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  ip route ip-address/subnet next-hop-address [administrative-distance]

Configure IPv6 Static Routes

To configure IPv6 static routes in VPN 0, select the IPv6 Route tab. Then click Add New IPv6 Route, and configure the following parameters:

Parameter Name Description
Prefix Enter the IPv6 address or prefix, and the prefix length of the IPv6 static route to configure in VPN 0.
Gateway

To configure the next hop to reach the static route, select one of the following:

  • Next Hop—Specify the IPv6 address of the next-hop router to use to reach the static route.
  • Null0—Specify that the next hop is the null interface.
  • VPN—Direct packets to the transport VPN.
Address

If you select Next Hop as the gateway, click Add Next Hop. Then enter the IP address of the next-hop router and an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.

To save the address, click Save.

Enable Null0 If you select Null0 as the gateway, in Enable Null0, click On to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages. You can also set an administrative distance for the route. The distance can be a value from 1 through 255. The default is 1.
Enable VPN If you select VPN as the gateway, in Enable VPN, click On to direct packets to the transport VPN. If NAT is enabled on the WAN interface, the packets can be forwarded to an Internet destination or other destination outside of the overlay network, effectively converting the vEdge router into a local Internet exit point. You must also enable NAT on a transport interface in VPN 0.

To save the configured IPv6 static routes, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn 0
  ipv6 route ip-address/subnet next-hop-address [administrative-distance]

Configure Services

For a service VPN on a vEdge router (any VPN except VPN 0 and VPN 512), you can configure services that are either present on the router's local network or available on a device at a remote site that is reachable through a GRE tunnel.

To configure a service in a VPN, select the Service tab. Then click Add New Service, and configure the following parameters:

Parameter Name Description
Service Type Select the service available in the local VPN.
Values: FW, IDP, IDS, netsvc1, netsvc2, netsvc3, netsvc4, TE
IP Address or Interface

Enter the location of the service:

  • If you select IP address, specify up to four IP addresses, separated by commas. The service is advertised to the vSmart controller only if one of the addresses can be resolved locally, at the local site, and not via routes learned through OMP.
  • If you select Interface, specify one or two GRE interfaces. If you configure two, the first interface is the primary GRE tunnel, and the second is the backup tunnel.

To save the service configuration, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  service service-name address ip-address

Configure GRE-Specific Static Routes

To configure GRE-specific static routes in a service VPN (any VPN except VPN 0 and VPN 512 on a vEdge router), select the GRE Route tab. Then click Add New GRE Route, and configure the following parameters:

Parameter Name Description
Prefix Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route.
VPN ID Enter the number of the VPN to reach the service. This must be VPN 0.
GRE Interface

Enter the name of one or two GRE tunnels to use to reach the service.

To save a GRE route, click Add.

To save the feature template, click Save.

CLI equivalent:

vpn vpn-id
  ip gre-route prefix/length vpn 0 interface grenumber [grenumber2]
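
The segmentation rules stated in the Basic Configuration, IPv4 Route, Service, and GRE Route sections can be checked against a configuration before it is pushed. The following is an added example, not Viptela or Cisco code: the audit function and the sample configuration are constructed for illustration, and the "ip route prefix vpn 0" keyword form of the Enable VPN gateway option is an assumption, since the CLI equivalent on this page shows only the next-hop form.

```python
import re

# Constructed sample, written in the indentation style of this page's CLI equivalents.
SAMPLE = """\
vpn 0
  ip route 0.0.0.0/0 192.0.2.1
  tcp-optimization
vpn 10
  name branch-users
  ip route 0.0.0.0/0 vpn 0
  ip route 10.99.0.0/16 10.10.0.254 300
  service FW address 10.10.0.5
vpn 70000
  name out-of-range
"""

# Settings the page allows only in service VPNs (not VPN 0 or VPN 512).
SERVICE_ONLY = ("tcp-optimization", "service ", "ip gre-route ")

def audit(config, controller=False):
    """Return (vpn_id, message) findings for a CLI-style VPN configuration."""
    findings, vpn = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"vpn (\d+)", line)
        if header and not raw[:1].isspace():      # top-level "vpn <id>" starts a block
            vpn = int(header.group(1))
            # Controllers (vSmart, vManage): 0 and 512 only; vEdge: 0 through 65530.
            valid = vpn in (0, 512) if controller else vpn <= 65530
            if not valid:
                findings.append((vpn, "VPN ID not valid for this device type"))
            continue
        if vpn is None or not line:
            continue
        if vpn in (0, 512) and line.startswith(SERVICE_ONLY):
            findings.append((vpn, f"service-VPN-only setting: {line}"))
        route = re.fullmatch(r"ip route (\S+) (\S+)(?: (\d+))?", line)
        if route:
            prefix, hop, dist = route.groups()
            if (hop, dist) == ("vpn", "0"):       # assumed form of the Enable VPN option
                if vpn not in (0, 512):
                    findings.append((vpn, f"local Internet exit via VPN 0: {prefix}"))
            elif dist is not None and not 1 <= int(dist) <= 255:
                findings.append((vpn, f"administrative distance {dist} outside 1-255"))
    return findings

if __name__ == "__main__":
    for vpn_id, message in audit(SAMPLE):
        print(f"vpn {vpn_id}: {message}")
```

A "local Internet exit" finding is not an error in itself; it marks each service VPN whose traffic can leave the overlay through NAT on a VPN 0 transport interface, so that the exit can be confirmed as intended.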

Release Information

Introduced in vManage NMS in Release 15.2.
In Release 15.4.3, add support for GRE tunnels.
In Release 16.3, add support for IPv6 in VPN 0.
In Release 17.2.0, add support for TE service.
