|
Step 4
|
Configure the following VPN Interface DSL PPPoE parameters.
-
Configure basic VDSL controller functionality in a VPN.
If your deployment includes devices with DSL, you must include DSL interface templates in Cisco SD-WAN Manager, even if these templates are not used.
Table 10.
|
Parameter Name
|
Description
|
|
Shutdown*
|
Click No to enable the VDSL controller interface.
|
|
Controller VDSL Slot*
|
Enter the slot number of the controller VDSL interface, in the format slot/subslot/port (for example, 0/2/0).
|
|
Mode*
|
Select the operating mode of the VDSL controller from the drop-down:
-
Auto—Default mode.
-
ADSL1—Use ITU G.992.1 Annex A full-rate mode, which provides a downstream rate of 1.3 Mbps and an upstream rate of 1.8 Mbps.
-
ADSL2—Use ITU G.992.3 Annex A, Annex L, and Annex M, which provides a downstream rate of 12 Mbps and an upstream rate of 1.3 Mbps.
-
ADSL2+— Use ITU G.992.5 Annex A and Annex M, which provides a downstream rate of 24 Mbps and an upstream rate of 3.3 Mbps.
-
ANSI—Operating in ADSL2/2+ mode, as defined in ITU G.991.1, G.992.3, and G992.5, Annex A and Annex M, and in VDSL2 mode, as defined
in ITU-T G993.2.
-
VDSL2—Operate in VDSL2 mode, as defined in ITU-T G.993.2, which uses frequencies of up to 30 MHz to provide a downstream rate of
200 Mbps and an upstream rate of 100 Mbps..
|
|
VDSL Modem Configuration
|
Enter a command to send to the DSL modem in the NIM module. If the command is valid, it is executed and the results are returned
to the Cisco SD-WAN Manager NMS. If the command is not valid, it is not executed.
|
|
SRA
|
Click Yes to enable seamless rate adaptation on the interface. SRA adjusts the line rate based on current line conditions.
|
-
Configure an Ethernet interface on the VDSL controller.
Table 11.
|
Parameter Name
|
Description
|
|
Ethernet Interface Name
|
Enter a name for the Ethernet interface, in the format subslot/port (for example 2/0). You do not need to enter the slot number, because it must always be 0.
|
|
VLAN ID
|
Enter the VLAN identifier of the Ethernet interface.
|
|
Description
|
Enter a description for the interface.
|
|
Dialer Pool Member
|
Enter the number of the dialer pool to which the interface belongs. It can be a value from 1 through 255.
|
|
PPP Max Payload
|
Enter the maximum receive unit (MRU) value to be negotiated during PPP Link Control Protocol (LCP) negotiation.
Range: 64 through 1792 bytes
|
|
Dialer IP
|
Configure the IP prefix of the dialer interface. This prefix is that of the node in the destination that the interface calls.
|
-
Configure the PPP authentication protocol.
Table 12.
|
Parameter Name
|
Description
|
|
Authentication Protocol
|
Select the authentication protocol used by the MLP:
-
CHAP—Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 254 characters.
-
PAP—Enter the username and password that are provided by your ISP. username can be up to 254 characters.
-
PAP and CHAP—Configure both authentication protocols. Enter the login credentials for each protocol. To use the same username and password
for both, click Same Credentials for PAP and CHAP.
|
-
Configure a tunnel interface for the multilink interface.
Table 13.
|
Parameter Name
|
Description
|
|
Tunnel Interface
|
Click On to create a tunnel interface.
|
|
Color
|
Select a color for the TLOC.
|
|
Color Description
|
Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1
Enter a description associated to the TLOC color.
|
|
Control Connection
|
By default, Control Conection is set to On, which establishes a control connection for the TLOC. If the router has multiple TLOCs, click No to have the tunnel not establish control connection for the TLOC.
|
Note
|
We recommend a minimum of 650-700 Kbps bandwidth with default 1 sec hello-interval and 12 sec hello-tolerance parameters configured
to avoid any data/packet loss in connection traffic.
For each BFD session, an additional average sized BFD packet of 175 Bytes consumes 1.4 Kbps of bandwidth.
A sample calculation of the required bandwidth for bidirectional BFD packet flow is given below:
-
650 – 700 Kbps per device for control connections.
-
175 Bytes (or 1.4 Kbps) per BFD session on the device (request)
-
175 Bytes (or 1.4 Kbps) per BFD session on the device (response)
If the path MTU discovery (PMTUD) is enabled, bandwidth for send/receive BFD packets per tunnel for every 30 secs:
A 1500 Bytes BFD request packet is sent per tunnel every 30 secs:
1500 Bytes * 8 bits/1 byte * 1 packet / 30 secs = 400 bps (request)
A 147 Bytes BFD packet is sent in response:
147 Bytes * 8 bits/1 byte * 1 packet / 30 secs = 40 bps (response)
Therefore, a device with 775 BFD sessions (for example) requires a bandwidth of:
700k + (1.4k*775) + (400 *775) + (1.4k*775) + (40 *775) = ~3,5 MBps
|
-
STATE—specifies the vdaemon control state.
Last Connection—If no control connection on that WAN interface, the uptime of the device is lifted.
SPI Time Remaining—countdown to the next change in SPI for IPSec. The countdown starts at half of the rekey time.
|
|
Maximum Control Connections
|
Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.
Range: 0 through 8
Default: 2
|
|
Cisco SD-WAN Validator As STUN Server
|
Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and
port number when the router is located behind a NAT.
|
|
Exclude Controller Group List
|
Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to.
Range: 0 through 100
|
|
Cisco SD-WAN Manager Connection Preference
|
Set the preference for using a tunnel interface to exchange control traffic with the Cisco SD-WAN Manager NMS.
Range: 0 through 8
Default: 5
|
|
Full Port Hop
|
Minimum release: Cisco Catalyst SD-WAN Manager Release 20.18.1
Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the
next port if the current port is blocked or non-functional.
Default: Disabled
|
|
Port Hop
|
Click On to enable port hopping, or click Off to disable it. When a router is behind a NAT, port hopping rotates through a pool of
preselected OMP port numbers (called base ports) to establish DTLS connections with other routers when a connection attempt
is unsuccessful. The default base ports are 12346, 12366, 12386, 12406, and 12426. To modify the base ports, set a port offset
value.
Default: Enabled.
Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field.
|
|
Low-Bandwidth Link
|
Select to characterize the tunnel interface as a low-bandwidth link.
|
|
Tunnel TCP MSS
|
TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is
examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS
setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through
unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. If the TCP MSS is to be configured,
it should be set at 40 bytes lower than the minimum path MTU.
Specify the MSS of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 to 1460 bytes
Default: None
|
|
Clear-Dont-Fragment
|
Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what MTU allows,
they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent.
Click On to clear the Dont Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Dont
Fragment bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.
|
Note
|
Clear-Dont-Fragment clears the Dont Fragment bit and the Dont Fragment bit is set. For packets not requiring fragmentation, the Dont Fragment
bit is not affected.
|
|
|
Allow Service
|
Select On or On for each service to allow or disallow the service on the interface.
|
To configure additional tunnel interface parameters, click Advanced Options and configure the following parameters:
Table 14.
|
Parameter Name
|
Description
|
|
GRE
|
Use GRE encapsulation on the tunnel interface. By default, GRE is disabled.
If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses
and colors, but that differ by their encapsulation.
|
|
IPsec
|
Use IPsec encapsulation on the tunnel interface. By default, IPsec is enabled.
If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses
and colors, but that differ by their encapsulation.
|
|
IPsec Preference
|
Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.
Range: 0 through 4294967295
Default: 0
|
|
IPsec Weight
|
Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.
Range: 1 through 255
Default: 1
|
|
Carrier
|
Select the carrier name or private network identifier to associate with the tunnel.
Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default
Default: default
|
|
Bind Loopback Tunnel
|
Enter the name of a physical interface to bind to a loopback interface.
|
|
Last-Resort Circuit
|
Select to use the tunnel interface as the circuit of last resort.
|
Note
|
An interface configured as a circuit of last resort is expected to be down and is skipped while calculating the number of
control connections, the cellular modem becomes dormant, and no traffic is sent over the circuit.
When the configurations are activated on the edge device with cellular interfaces, then all the interfaces begin the process
of establishing control and BFD connections. When one or more of the primary interfaces establishes a BFD connection, the
circuit of last resort shuts itself down.
Only when all the primary interfaces lose their connections to remote edges, then the circuit of last resort activates itself
triggering a BFD TLOC Down alarm and a Control TLOC Down alarm on the edge device. The last resort interfaces are used as
backup circuit on edge device and are activated when all other transport links BFD sessions fail. In this mode the radio interface
is turned off, and no control or data connections exist over the cellular interface.
|
|
|
NAT Refresh Interval
|
Enter the interval between NAT refresh packets that are sent on a DTLS or TLS WAN transport connection.
Range: 1 through 60 seconds.
Default: 5 seconds.
|
|
Hello Interval
|
Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.
Range: 100 through 10000 milliseconds.
Default: 1000 milliseconds (1 second).
|
|
Hello Tolerance
|
Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel
to be down.
Range: 12 through 60 seconds.
Default: 12 seconds.
|
-
Configure an interface to act as a NAT device for applications such as port forwarding.
|
Parameter Name
|
Description
|
|
NAT
|
Click On to have the interface act as a NAT device.
|
|
Refresh Mode
|
Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound).
Default: Outbound
|
|
UDP Timeout
|
Specify when NAT translations over UDP sessions time out.
Range: 1 through 65536 minutes
Default: 1 minutes
|
|
TCP Timeout
|
Specify when NAT translations over TCP sessions time out.
Range: 1 through 65536 minutes
Default: 60 minutes (1 hour)
|
|
Block ICMP
|
Select On to block inbound ICMP error messages. By default, a router acting as a NAT device receives these error messages.
Default: Off
|
|
Respond to Ping
|
Select On to have the router respond to ping requests to the NAT interface's IP address that are received from the public side of the
connection.
|
To create a port forwarding rule, click Add New Port Forwarding Rule and configure the following parameters. You can define up to 128 port-forwarding rules to allow requests from an external
network to reach devices on the internal network.
Table 15.
|
Parameter Name
|
Description
|
|
Port Start Range
|
Enter a port number to define the port or first port in the range of interest.
Range: 0 through 65535
|
|
Port End Range
|
Enter the same port number to apply port forwarding to a single port, or enter a larger number to apply it to a range of ports.
Range: 0 through 65535
|
|
Protocol
|
Select the protocol to which to apply the port-forwarding rule, either TCP or UDP. To match the same ports for both TCP and
UDP traffic, configure two rules.
|
|
VPN
|
Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network.
Range: 0 through 65527
|
|
Private IP
|
Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule.
|
-
Apply a rewrite rule, access lists, and policers to a router interface.
Table 16.
|
Parameter Name
|
Description
|
|
Shaping rate
|
Configure the aggreate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).
|
|
QoS map
|
Specify the name of the QoS map to apply to packets being transmitted out the interface.
|
|
Rewrite Rule
|
Click On, and specify the name of the rewrite rule to apply on the interface.
|
|
Ingress ACL – IPv4
|
Click On, and specify the name of the access list to apply to IPv4 packets being received on the interface.
|
|
Egress ACL – IPv4
|
Click On, and specify the name of the access list to apply to IPv4 packets being transmitted on the interface.
|
|
Ingress ACL – IPv6
|
Click On, and specify the name of the access list to apply to IPv6 packets being received on the interface.
|
|
Egress ACL – IPv6
|
Click On, and specify the name of the access list to apply to IPv6 packets being transmitted on the interface.
|
|
Ingress Policer
|
Click On, and specify the name of the policer to apply to packets being received on the interface.
|
|
Egress Policer
|
Click On, and specify the name of the policer to apply to packets being transmitted on the interface.
|
-
Configure other interface properties.
|
Parameter Name
|
Description
|
|
Bandwidth Upstream
|
For transmitted traffic, set the bandwidth above which to generate notifications.
Range: 1 through (232 / 2) – 1 kbps
|
|
Bandwidth Downstream
|
For received traffic, set the bandwidth above which to generate notifications.
Range: 1 through (232 / 2) – 1 kbps
|
|
IP MTU
|
Specify the maximum MTU size of packets on the interface.
Range: 576 through 1804.
Default: 1500 bytes.
|
|
TCP MSS
|
Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted
based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 to 1460 bytes.
Default: None.
|
|
Clear Dont Fragment
|
Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit
is cleared, packets larger than that interface's MTU are fragmented before being sent.
|
|
TLOC Extension
|
Enter the name of the physical interface on the same router that connects to the WAN transport circuit. This configuration
then binds this service-side interface to the WAN transport. A second router at the same site that itself has no direct connection
to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface
is then provided with a connection to the WAN.
|
|
Tracker
|
Enter the name of a tracker to track the status of transport interfaces that connect to the internet.
|
|
Feedback