Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

Step 2

Create and configure a Ethernet PPPoE feature under Transport VPN in a Transport and Management profile.

1. Configure basic PPPoE functionality.

   Parameter Name	Description
   Ethernet Interface Name *	Enter the name of an ethernet interface. For IOS XE routers, you must spell out the interface names completely (for example, GigabitEthernet0/0/0).
   Description	Enter a description for the ethernet interface.
   VLAN ID	Enter the VLAN identifier of the Ethernet interface.
   Dialer Pool Member *	Enter the number of the dialer pool to which the interface belongs. Range: 1 through 255

2. Configure the PPP Authentication Protocol.

   Parameter Name	Description
   PPP Authentication Protocol*	Select the authentication protocol used by the MLP: PAP: Enter the username and password that are provided by your ISP. username can be up to 254 characters. CHAP: Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 254 characters. PAP and CHAP: Configure both authentication protocols. Enter the login credentials for each protocol.
   Authentication Type	Select the type authentication from one of the following options.: Unidirectional: Only the side receiving the call (NAS) authenticates the remote side (client). The remote client does not authenticate the server. Bidirectional: Each side independently sends an Authenticate-Request (AUTH-REQ) and receives either an Authenticate-Acknowledge (AUTH-ACK) or Authenticate-Not Acknowledged (AUTH-NAK).
   CHAP Hostname*	Enter the CHAP hostname.
   CHAP Password*	Enter the CHAP password.
   PAP Hostname*	Enter the PAP hostname.
   PAP Password*	Enter the PAP password.

3. Configure a tunnel interface for the multilink interface.

   Parameter Name	Description
   Tunnel Interface
   Per Tunnel QoS	Enable per tunnel QoS and choose Spoke to configure the spoke network topology
   Color	Select a color for the TLOC.
   Color Description	Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1 Enter a description associated to the TLOC color.
   Groups	Enter the list of groups in the field.
   Exclude Controller Group List	Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to. Range: 0 through 100
   Maximum Control Connections	Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0. Range: 0 through 8
   Cisco SD-WAN Manager Connection Preference	Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager. Range: 0 through 8 Default: 5
   Tunnel TCP MSS	TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. To configure TCP MSS, provide a value that is 40 bytes lower than the minimum path MTU. Specify the MSS of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes Default: None
   Border	From the drop-down list, select Global. Click On to set TLOC as border TLOC.
   Validator As Stun Server	Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the router is located behind a NAT.
   Full Port Hop	Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the next port if the current port is blocked or non-functional. Default: Disabled
   Port Hop	From the drop-down list, select Global. Click Off to allow port hopping on tunnel interface. Default: On, which disallows port hopping on tunnel interface. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.18.1a, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field.
   Low-Bandwidth Link	Click On to set the tunnel interface as a low-bandwidth link. Default: Off
   Clear-Dont-Fragment	Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what MTU allows, they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent. Click On to clear the Dont Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Dont Fragment bit is cleared, the router fragments packets larger than the MTU of the interface before sending the packets. Note   Clear-Dont-Fragment clears the Dont Fragment bit and the Dont Fragment bit is set. For packets not requiring fragmentation, the Dont Fragment bit is not affected.
   Network Broadcast	From the drop-down list, select Global. Click On to accept and respond to network-prefix-directed broadcasts. Enable this parameter only if the Directed Broadcast is enabled on the LAN interface feature template. Default: Off
   Carrier	From the drop-down list, select Globaland select the carrier name or private network identifier to associate with the tunnel. Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default. Default: default
   Bind Loopback Tunnel	Enter the name of a physical interface to bind to a loopback interface. The interface name has the following format: ge slot/port
   NAT Refresh Interval	Set the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection. Range: 1 through 60 seconds Default: 5 seconds
   Hello Interval	Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection. Range: 100 through 10000 milliseconds Default: 1000 milliseconds (1 second)
   Hello Tolerance	Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down. Range: 12 through 60 seconds Default: 12 seconds The default hello interval is 1000 milliseconds, and it can be a time in the range 100 through 600000 milliseconds (10 minutes). The default hello tolerance is 12 seconds, and it can be a time in the range 12 through 600 seconds (10 minutes). To reduce outgoing control packets on a TLOC, it is recommended that on the tunnel interface you set the hello interval to 60000 milliseconds (10 minutes) and the hello tolerance to 600 seconds (10 minutes) and include the no track-transport disable regular checking of the DTLS connection between the edge device and the controller. For a tunnel connection between a edge device and any controller device, the tunnel uses the hello interval and tolerance times configured on the edge device. This choice is made to minimize the traffic sent over the tunnel, to allow for situations where the cost of a link is a function of the amount of traffic traversing the link. The hello interval and tolerance times are chosen separately for each tunnel between a edge device and a controller device. Another step taken to minimize the amount of control plane traffic is to not send or receive OMP control traffic over a cellular interface when other interfaces are available. This behavior is inherent in the software and is not configurable.
   Last Resort Circuit	Select to use the tunnel interface as the circuit of last resort. Note   It is assumed that an interface configured as a circuit of last resort is unavailable and is skipped while calculating the number of control connections. As a result, the cellular modem becomes dormant, and no traffic is sent over the circuit. When the configurations are activated on the edge device with cellular interfaces, all the interfaces begin the process of establishing control and BFD connections. When one or more of the primary interfaces establishes a BFD connection, the circuit of last resort shuts itself down. If the primary interfaces lose their connections to remote edges, the circuit of last resort activates itself, triggering a BFD TLOC Down alarm and a Control TLOC Down alarm on the edge device. The last resort interfaces are a backup circuit on edge device and are activated when all other transport links BFD sessions fail. In this mode, the radio interface is turned off, and no control or data connections exist over the cellular interface.
   Allow Services	Click On or Off for each service to allow or disallow the service on the cellular interface.
   Encapsulation
   Encapsulation	Enable at least one of the following encapsulation methods: IPsec: Enter a value to set the preference for directing traffic to the tunnel. A higher value is preferred over a lower value. Range: 0 through 4294967295 Default: 0 IPsec Preference: From the drop-down list, select Global and enter a value to set the preference for directing traffic to the tunnel. A higher value is preferred over a lower value. Range: 0 through 4294967295 Default: 0 IPsec Weight: From the drop-down list, select Global and enter a value to set weight for balancing traffic across multiple TLOCs. A higher value sends more traffic to the tunnel. Range: 1 through 255 Default: 1 GRE: Enter a value to set GRE preference for TLOC. Range: 0 through 4294967295 GRE Preference: From the drop-down list, select Global and enter a value to set the preference for directing traffic to the tunnel. A higher value is preferred over a lower value. Range: 0 through 4294967295 Default: 0 GRE Weight: From the drop-down list, select Global and enter a value to set weight for balancing traffic across multiple TLOCs. A higher value sends more traffic to the tunnel. Range: 1 through 255 Default: 1

4. Configure an interface to act as a NAT device for applications such as port forwarding.

   Parameter Name	Description
   UDP Timeout (Minutes)	Specify when NAT translations over UDP sessions time out. Range: 1 through 8947 minutes Default: 1 minute
   TCP Timeout (Minutes)	Specify when NAT translations over TCP sessions time out. Range: 1 through 8947 minutes Default: 60 minutes (1 hour)

5. Configure QoS.

   Parameter Name	Description
   Adaptive QoS	Enter adaptive QoS parameters. You can leave the additional details at as default or specify your values. Adapt Period (Minutes): Choose Global from the drop-down list, click On, and enter the period in minutes. Shaping Rate Upstream: Choose Global from the drop-down list, click On, and enter the minimum, maximum, and default upstream bandwidth in Kbps. Shaping Rate Downstream: Choose Global from the drop-down list, click On, and enter the minimum, maximum, downstream, and upstream bandwidth in Kbps.
   Shaping Rate (kbps)	Choose Global from the drop-down list and configure the aggreate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps). Range: 8 through 100000000

6. Configure ACL.

   Parameter Name	Description
   IPv4 Ingress Access List	Enter the name of an IPv4 access list to packets being received on the interface.
   IPv4 Egress Access List	Enter the name of an IPv4 access list to packets being transmitted on the interface.
   IPv6 Ingress Access List	Enter the name of an IPv6 access list to packets being received on the interface.
   IPv6 Egress Access List	Enter the name of an IPv6 access list to packets being transmitted on the interface.

7. Configure additional tunnel interface parameters.

   Parameter Name	Description
   Shutdown	Choose No to enable the interface.
   Tracker / Tracker Group	Enter the name of a tracker or tracker group to track the status of transport interfaces that connect to the internet.
   Maximum Payload	Enter the maximum receive unit (MRU) value to be negotiated during PPP-over-Ethernet negotiation. Range: 64 through 1792 bytes
   IP MTU	Enter the maximum MTU size of packets on the interface. Range: 576 through 1804 Default: 1500
   TCP MSS	Enter the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes Default: 1500
   TLOC Extension	Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration binds the service-side interface to the WAN transport by enabling a device to access the opposite WAN transport connected to the neighbouring device using a TLOC-extension interface.
   IP Directed Broadcast	From the drop-down list, select Global to enable IP Directed Broadcast. An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.
   Tracker / Tracker Group	Enter the name of a tracker or tracker group to track the status of transport interfaces that connect to the internet.

Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Step 2

Click Device Templates.

Step 3

From the Create Template drop-down list, select From Feature Template.

1. From the Device Model drop-down list, select the type of device for which you are creating the template.

2. Click Transport & Management VPN or scroll to the Transport & Management VPN section.

3. Under Additional VPN 0 Templates, click VPN Interface Ethernet PPPoE.

4. From the VPN Interface Ethernet PPPoE drop-down list, click Create Template. The VPN Interface Ethernet PPPoE template form is displayed.

5. In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.

6. In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

Step 4

Configure the following parameters in the VPN interface ethernet PPPoE template.

1. Configure the basic PPPoE functionality.

   Table 1.

   Parameter Name	Description
   Shutdown*	Click No to enable the GigabitEthernet interface.
   Ethernet Interface Name	Enter the name of a GigabitEthernet interface. For IOS XE routers, you must spell out the interface names completely (for example, GigabitEthernet0/0/0).
   VLAN ID	VLAN tag of the sub-interface.
   Description	Enter a description of the Ethernet-PPPoE-enabled interface.
   Dialer Pool Member	Enter the number of the dialer pool to which the interface belongs. Range: 100 to 255.
   PPP Maximum Payload	Enter the maximum receive unit (MRU) value to be negotiated during PPP Link Control Protocol (LCP) negotiation. Range: 64 through 1792 bytes

2. Configure the PPP Authentication Protocol.

   Table 2.

   Parameter Name

   Description

   PPP Authentication Protocol

   Select the authentication protocol used by the MLP: CHAP—Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 254 characters. PAP—Enter the username and password provided by your ISP. username can be up to 254 characters. PAP and CHAP—Configure both authentication protocols. Enter the login credentials for each protocol. To use the same username and password for both, click Same Credentials for PAP and CHAP.

3. Configure a tunnel interface for the multilink interface.

   Table 3.

   Parameter Name	Description
   Tunnel Interface	Click On to create a tunnel interface.
   Color	Select a color for the TLOC.
   Color Description	Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1 Enter a description associated to the TLOC color.
   Control Connection	By default, Control Conection is set to On, which establishes a control connection for the TLOC. If the router has multiple TLOCs, click No to have the tunnel not establish control connection for the TLOC. Note   We recommend a minimum of 650-700 Kbps bandwidth with default 1 sec hello-interval and 12 sec hello-tolerance parameters configured to avoid any data/packet loss in connection traffic. For each BFD session, an additional average sized BFD packet of 175 Bytes consumes 1.4 Kbps of bandwidth. A sample calculation of the required bandwidth for bidirectional BFD packet flow is given below: 650 – 700 Kbps per device for control connections. 175 Bytes (or 1.4 Kbps) per BFD session on the device (request) 175 Bytes (or 1.4 Kbps) per BFD session on the device (response) If the path MTU discovery (PMTUD) is enabled, bandwidth for send/receive BFD packets per tunnel for every 30 secs: A 1500 Bytes BFD request packet is sent per tunnel every 30 secs: 1500 Bytes * 8 bits/1 byte * 1 packet / 30 secs = 400 bps (request) A 147 Bytes BFD packet is sent in response: 147 Bytes * 8 bits/1 byte * 1 packet / 30 secs = 40 bps (response) Therefore, a device with 775 BFD sessions (for example) requires a bandwidth of: 700k + (1.4k*775) + (400 *775) + (1.4k*775) + (40 *775) = ~3,5 MBps
   Maximum Control Connections	Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0. Range: 0 through 8 Default: 2
   Cisco SD-WAN Validator As STUN Server	Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the router is located behind a NAT.
   Exclude Controller Group List	Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to. Range: 0 through 100
   Cisco SD-WAN Manager Connection Preference	Set the preference for using a tunnel interface to exchange control traffic with the Cisco SD-WAN Manager NMS. Range: 0 through 8 Default: 5
   Full Port Hop	Minimum release: Cisco Catalyst SD-WAN Manager Release 20.18.1 Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the next port if the current port is blocked or non-functional. Default: Disabled
   Port Hop	Click On to enable port hopping, or click Off to disable it. When a router is behind a NAT, port hopping rotates through a pool of preselected OMP port numbers (called base ports) to establish DTLS connections with other routers when a connection attempt is unsuccessful. The default base ports are 12346, 12366, 12386, 12406, and 12426. To modify the base ports, set a port offset value. Default: Enabled Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field.
   Low-Bandwidth Link	Select to characterize the tunnel interface as a low-bandwidth link.
   Allow Service	Select On or Off for each service to allow or disallow the service on the interface.

   To configure additional tunnel interface parameters, click Advanced Options and configure the following parameters:

   Table 4.

   Parameter Name	Description
   GRE	Use GRE encapsulation on the tunnel interface. By default, GRE is disabled. If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.
   IPsec	Use IPsec encapsulation on the tunnel interface. By default, IPsec is enabled. If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.
   IPsec Preference	Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value. Range: 0 through 4294967295. Default: 0
   IPsec Weight	Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel. Range: 1 through 255. Default: 1
   Carrier	Select the carrier name or private network identifier to associate with the tunnel. Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default. Default: default
   Bind Loopback Tunnel	Enter the name of a physical interface to bind to a loopback interface.
   Last-Resort Circuit	Select to use the tunnel interface as the circuit of last resort. Note   An interface configured as a circuit of last resort is expected to be down and is skipped while calculating the number of control connections, the cellular modem becomes dormant, and no traffic is sent over the circuit. When the configurations are activated on the edge device with cellular interfaces, then all the interfaces begin the process of establishing control and BFD connections. When one or more of the primary interfaces establishes a BFD connection, the circuit of last resort shuts itself down. Only when all the primary interfaces lose their connections to remote edges, then the circuit of last resort activates itself triggering a BFD TLOC Down alarm and a Control TLOC Down alarm on the edge device. The last resort interfaces are used as backup circuit on edge device and are activated when all other transport links BFD sessions fail. In this mode the radio interface is turned off, and no control or data connections exist over the cellular interface. Note   Configuring administrative distance values on primary interface routes is not supported.
   NAT Refresh Interval	Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection. Range: 1 through 60 seconds. Default: 5 seconds
   Hello Interval	Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection. Range: 100 through 10000 milliseconds. Default: 1000 milliseconds (1 second)
   Hello Tolerance	Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down. Range: 12 through 60 seconds. Default: 12 seconds

4. Configure an interface to act as a NAT device for applications such as port forwarding.

   Table 5.

   Parameter Name	Description
   NAT	Click On to have the interface act as a NAT device.
   Refresh Mode	Select how NAT mappings are refreshed, either outbound or bidirectional (outbound and inbound). Default: Outbound
   UDP Timeout	Specify when NAT translations over UDP sessions time out. Range: 1 through 65536 minutes. Default: 1 minutes
   TCP Timeout	Specify when NAT translations over TCP sessions time out. Range: 1 through 65536 minutes. Default: 60 minutes (1 hour)
   Block ICMP	Select On to block inbound ICMP error messages. By default, a router acting as a NAT device receives these error messages. Default: Off
   Respond to Ping	Select On to have the router respond to ping requests to the NAT interface's IP address that are received from the public side of the connection.

   To create a port forwarding rule, click Add New Port Forwarding Rule and configure the following parameters. You can define up to 128 port-forwarding rules to allow requests from an external network to reach devices on the internal network.

   Table 6.

   Parameter Name	Description
   Port Start Range	Enter a port number to define the port or first port in the range of interest. Range: 0 through 65535
   Port End Range	Enter the same port number to apply port forwarding to a single port, or enter a larger number to apply it to a range of ports. Range: 0 through 65535
   Protocol	Select the protocol to which to apply the port-forwarding rule, either TCP or UDP. To match the same ports for both TCP and UDP traffic, configure two rules.
   VPN	Specify the private VPN in which the internal server resides. This VPN is one of the VPN identifiers in the overlay network. Range: 0 through 65527
   Private IP	Specify the IP address of the internal server to which to direct traffic that matches the port-forwarding rule.

5. Apply a rewrite rule, access lists, and policers to a router interface.

   Table 7.

   Parameter Name	Description
   Shaping rate	Configure the aggreate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).
   QoS map	Specify the name of the QoS map to apply to packets being transmitted out the interface.
   Rewrite Rule	Click On, and specify the name of the rewrite rule to apply on the interface.
   Ingress ACL – IPv4	Click On, and specify the name of the access list to apply to IPv4 packets being received on the interface.
   Egress ACL – IPv4	Click On, and specify the name of the access list to apply to IPv4 packets being transmitted on the interface.
   Ingress ACL – IPv6	Click On, and specify the name of the access list to apply to IPv6 packets being received on the interface.
   Egress ACL – IPv6	Click On, and specify the name of the access list to apply to IPv6 packets being transmitted on the interface.
   Ingress Policer	Click On, and specify the name of the policer to apply to packets being received on the interface.
   Egress Policer	Click On, and specify the name of the policer to apply to packets being transmitted on the interface.

6. Configure other interface properties.

   Table 8.

   Parameter Name	Description
   Bandwidth Upstream	For transmitted traffic, set the bandwidth above which to generate notifications. Range: 1 through (232 / 2) – 1 kbps
   Bandwidth Downstream	For received traffic, set the bandwidth above which to generate notifications. Range: 1 through (232 / 2) – 1 kbps
   IP MTU	Specify the maximum MTU size of packets on the interface. Range: 576 through 1804. Default: 1500 bytes
   TCP MSS	Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 to 1460 bytes. Default: None
   TLOC Extension	Enter the name of the physical interface on the same router that connects to the WAN transport circuit. This configuration then binds this service-side interface to the WAN transport. A second router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.
   Tracker	Enter the name of a tracker to track the status of transport interfaces that connect to the internet.
   IP Directed-Broadcast	Enables translation of a directed broadcast to physical broadcasts. An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.