6. Configure the VPN ethernet interface parameters.

- Configure basic interface functionality in a VPN.
| Parameter Name | IPv4 or IPv6 | Options | Description |
|---|---|---|---|
| Shutdown* | | | Click No to enable the interface. |
| Interface name* | | | Enter a name for the interface. For Cisco IOS XE Catalyst SD-WAN devices, you must: (1) spell out the interface names completely (for example, GigabitEthernet0/0/0); (2) configure all the router's interfaces, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured. |
| Description | | | Enter a description for the interface. |
| IPv4 / IPv6 | | | Click IPv4 to configure an IPv4 VPN interface. Click IPv6 to configure an IPv6 interface. |
| Dynamic | | | Click Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client, so that the interface receives its IP address from a DHCP server. |
| DHCP Distance | Both | | Optionally, enter an administrative distance value for routes learned from a DHCP server. Default is 1. |
| DHCP Rapid Commit | IPv6 | | Optionally, configure the DHCP IPv6 local server to support DHCP Rapid Commit, to enable faster client configuration and confirmation in busy environments. Click On to enable DHCP rapid commit. Click Off to continue using the regular commit process. |
| Static | | | Click Static to enter an IP address that doesn't change. |
| IPv4 Address | IPv4 | | Enter a static IPv4 address. |
| IPv6 Address | IPv6 | | Enter a static IPv6 address. |
| Secondary IP Address | IPv4 | | Click Add to enter up to four secondary IPv4 addresses for a service-side interface. |
| IPv6 Address | IPv6 | | Click Add to enter up to two secondary IPv6 addresses for a service-side interface. |
| DHCP Helper | Both | | To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BootP (broadcast) DHCP requests that it receives from the specified DHCP servers. |
| Block Non-Source IP | | Yes / No | Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range. Click No to allow other traffic. |
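The limits in the table above (spelled-out interface names, four secondary IPv4 and two secondary IPv6 addresses, eight DHCP helpers) and the Block Non-Source IP forwarding rule, modelled as an added example that is not Cisco code. The interface-name pattern, the dictionary keys and the sample interface are assumptions made for the example.

```python
import ipaddress
import re

MAX_SECONDARY_V4 = 4   # up to four secondary IPv4 addresses
MAX_SECONDARY_V6 = 2   # up to two secondary IPv6 addresses
MAX_DHCP_HELPERS = 8   # up to eight DHCP helper addresses
# Assumed pattern for fully spelled-out IOS XE names such as GigabitEthernet0/0/0
IFNAME_RE = re.compile(r"^(Gigabit|TenGigabit|HundredGigabit)Ethernet\d+(/\d+)*$")


def validate_interface(cfg):
    """Return the problems found in one VPN ethernet interface config (a dict)."""
    problems = []
    if not IFNAME_RE.match(cfg.get("name", "")):
        problems.append("interface name must be spelled out, e.g. GigabitEthernet0/0/0")
    if len(cfg.get("secondary_ipv4", [])) > MAX_SECONDARY_V4:
        problems.append("more than four secondary IPv4 addresses")
    if len(cfg.get("secondary_ipv6", [])) > MAX_SECONDARY_V6:
        problems.append("more than two secondary IPv6 addresses")
    helpers = cfg.get("dhcp_helper", [])
    if len(helpers) > MAX_DHCP_HELPERS:
        problems.append("more than eight DHCP helper addresses")
    for h in helpers:
        try:
            ipaddress.ip_address(h)
        except ValueError:
            problems.append(f"DHCP helper {h!r} is not an IP address")
    if cfg.get("address") and cfg.get("dhcp"):
        problems.append("interface cannot be both Static and Dynamic (DHCP)")
    return problems


def forwards(cfg, src_ip):
    """Block Non-Source IP decision: when set to Yes, forward only if the packet's
    source address falls inside a prefix configured on the interface."""
    if not cfg.get("block_non_source_ip"):
        return True            # Block Non-Source IP = No: all traffic is forwarded
    src = ipaddress.ip_address(src_ip)
    prefixes = [cfg.get("address")] + cfg.get("secondary_ipv4", []) + cfg.get("secondary_ipv6", [])
    nets = [ipaddress.ip_interface(p).network for p in prefixes if p]
    return any(src in n for n in nets if n.version == src.version)


# Constructed sample: a service-side LAN interface with anti-spoofing enabled
LAN_IF = {
    "name": "GigabitEthernet0/0/1",
    "address": "10.1.1.1/24",
    "secondary_ipv4": ["10.1.2.1/24"],
    "dhcp_helper": ["10.0.0.5", "10.0.0.6"],
    "block_non_source_ip": True,
}
```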
- Configure a tunnel interface.

| Parameter Name | Description |
|---|---|
| Tunnel Interface | Click On to create a tunnel interface. |
| Color | Select a color for the TLOC. |
| Color Description | Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1. Enter a description associated with the TLOC color. |
| Full Port Hop | Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1. Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the next port if the current port is blocked or non-functional. Default: Disabled |
| Port Hop | Click On to enable port hopping, or click Off to disable it. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface). To control port hopping on a global level, use the System configuration template. Default: Enabled. Cisco SD-WAN Manager and Cisco SD-WAN Controller default: Disabled. Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field. |
| TCP MSS | TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. If TCP MSS is to be configured, set it 40 bytes lower than the minimum path MTU. Specify the MSS of TCP SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU so that TCP SYN packets are never fragmented. Range: 552 to 1460 bytes. Default: None |
| Clear-Dont-Fragment | Configure Clear-Dont-Fragment for packets that arrive at an interface that has Don't Fragment configured. If these packets are larger than what the MTU allows, they are dropped. If you clear the Don't Fragment bit, the packets are fragmented and sent. Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out of the interface. When the Don't Fragment bit is cleared, packets larger than the MTU of the interface are fragmented before being sent. Note: Clear-Dont-Fragment clears the Don't Fragment bit only when fragmentation is needed and the bit is set. For packets not requiring fragmentation, the Don't Fragment bit is not affected. |
| Allow Service | Select On or Off for each service to allow or disallow the service on the interface. |
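The TCP MSS clamping rule from the tunnel table (lower the SYN's MSS only when the configured value is smaller, both ends settle on the lower value, configure 40 bytes below the minimum path MTU) as an added example that is not Cisco code; it also covers the TCP MSS row in the advanced interface properties table later on this page. The function names and the 1400-byte sample path MTU are assumptions for the example.

```python
from typing import Optional

MSS_MIN, MSS_MAX = 552, 1460   # configurable TCP MSS range from the table
TCP_IP_OVERHEAD = 40           # IPv4 header (20) + TCP header (20), no options


def validate_mss(mss: int) -> None:
    """Reject values outside the 552..1460 byte range the template accepts."""
    if not MSS_MIN <= mss <= MSS_MAX:
        raise ValueError(f"TCP MSS {mss} outside {MSS_MIN}..{MSS_MAX}")


def recommended_mss(min_path_mtu: int) -> int:
    """Value to configure: 40 bytes below the smallest MTU along the tunnel path."""
    mss = min_path_mtu - TCP_IP_OVERHEAD
    validate_mss(mss)
    return mss


def clamp_syn_mss(syn_mss: Optional[int], configured_mss: Optional[int]) -> Optional[int]:
    """MSS option the router lets through in one SYN.

    Lowered only when the configured value is smaller than the header value;
    left untouched when the header is already lower or nothing is configured.
    """
    if configured_mss is None or syn_mss is None:
        return syn_mss
    validate_mss(configured_mss)
    return min(syn_mss, configured_mss)


def negotiated_mss(client_syn_mss: int, server_syn_mss: int,
                   configured_mss: Optional[int]) -> int:
    """Both hosts end up using the lower of the two (clamped) values exchanged
    in the three-way handshake."""
    return min(clamp_syn_mss(client_syn_mss, configured_mss),
               clamp_syn_mss(server_syn_mss, configured_mss))


# Constructed sample: a tunnel whose smallest path MTU is 1400 bytes
SAMPLE_MIN_PATH_MTU = 1400
```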
To configure additional tunnel interface parameters, click Advanced Options:

| Parameter Name | Description |
|---|---|
| Carrier | Select the carrier name or private network identifier to associate with the tunnel. Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default. Default: default |
| NAT Refresh Interval | Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection. Range: 1 through 60 seconds. Default: 5 seconds |
| Hello Interval | Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection. Range: 100 through 10000 milliseconds. Default: 1000 milliseconds (1 second) |
| Hello Tolerance | Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down. Range: 12 through 60 seconds. Default: 12 seconds |
- Configure an interface as a NAT device.

For information on how to configure NAT, see the Cisco Catalyst SD-WAN NAT Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x.
- Configure the shaping rate for an interface and apply a QoS map, rewrite rules, access lists, and policers to an interface.

| Parameter Name | Description |
|---|---|
| Shaping rate | Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps). |
| QoS Map | Specify the name of the QoS map to apply to packets being transmitted out the interface. |
| Rewrite Rule | Click On, and specify the name of the rewrite rule to apply on the interface. |
| Ingress ACL – IPv4 | Click On, and specify the name of the access list to apply to IPv4 packets being received on the interface. |
| Egress ACL – IPv4 | Click On, and specify the name of the access list to apply to IPv4 packets being transmitted on the interface. |
| Ingress ACL – IPv6 | Click On, and specify the name of the access list to apply to IPv6 packets being received on the interface. |
| Egress ACL – IPv6 | Click On, and specify the name of the access list to apply to IPv6 packets being transmitted on the interface. |
| Ingress Policer | Click On, and specify the name of the policer to apply to packets received on the interface. |
| Egress Policer | Click On, and specify the name of the policer to apply to packets being transmitted on the interface. |
- Configure static ARP table entries on the interface.

| Parameter Name | Description |
|---|---|
| IP Address | Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name. |
| MAC Address | Enter the MAC address in colon-separated hexadecimal notation. |
- Configure VRRP to allow multiple routers to share a common virtual IP address for default gateway redundancy.

| Parameter Name | Description |
|---|---|
| Group ID | Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups. Range: 1 through 255 |
| Priority | Enter the priority level of the router. The router with the highest priority is elected as the primary VRRP router. If two routers have the same priority, the one with the higher IP address is elected as the primary VRRP router. Range: 1 through 254. Default: 100 |
| Timer (milliseconds) | Specify how often the primary VRRP router sends VRRP advertisement messages. If subordinate routers miss three consecutive VRRP advertisements, they elect a new primary VRRP router. Range: 100 through 40950 milliseconds. Default: 1000 milliseconds. Note: When the timer is 100 ms for the VRRP feature template on Cisco IOS XE Catalyst SD-WAN devices, VRRP fails if the traffic is high on the LAN interface. Use the 100 ms timer only if the Cisco IOS XE Catalyst SD-WAN device platform supports it, and if there are fewer tunnel groups. |
| Track OMP / Track Prefix List | By default, VRRP uses the state of the service (LAN) interface on which it is running to determine which router is the primary virtual router. If a router loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN-side connectivity into account for VRRP, configure one of the following. Track OMP—Click On for VRRP to track the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session. Note: From Cisco Catalyst SD-WAN Manager Release 20.18.1, enabling Track OMP changes the device CLI command from vrrp track omp shutdown to vrrp track omp decrement 10. Track Prefix List—Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if reachability to all of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic that is dropped while the routers determine the primary VRRP router. |
| IP Address | Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP. |
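VRRP primary election as described in the table above, as an added example that is not Cisco code: highest priority wins, ties go to the higher interface IP, the virtual IP must differ from every interface IP, and subordinates wait three missed advertisements. Track OMP is modelled with the Release 20.18.1 behaviour (priority decrement of 10 when all OMP sessions are gone, not the earlier shutdown), and Track Prefix List as immediate ineligibility when all tracked prefixes are unreachable; the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

OMP_TRACK_DECREMENT = 10   # "vrrp track omp decrement 10" (Release 20.18.1 behaviour)
MISSED_ADVERTS = 3         # subordinates elect a new primary after 3 missed advertisements


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str
    priority: int = 100                     # Default: 100, range 1 through 254
    track_omp: bool = False
    omp_sessions: int = 0                   # active OMP sessions on the WAN side
    tracked_prefixes_reachable: bool = True # Track Prefix List state

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError("VRRP priority must be 1 through 254")

    def effective_priority(self) -> int:
        """Priority after tracking: minus 10 when Track OMP is on and no OMP session is left."""
        if self.track_omp and self.omp_sessions == 0:
            return max(1, self.priority - OMP_TRACK_DECREMENT)
        return self.priority

    def eligible(self) -> bool:
        """Losing reachability to every tracked prefix fails the router over immediately."""
        return self.tracked_prefixes_reachable


def elect_primary(routers, virtual_ip: str) -> VrrpRouter:
    """Highest effective priority wins; a tie goes to the higher interface IP address."""
    for r in routers:
        if r.interface_ip == virtual_ip:
            raise ValueError(f"{r.name}: the virtual IP must differ from the interface IP")
    candidates = [r for r in routers if r.eligible()]
    if not candidates:
        raise RuntimeError("no router eligible to become primary")
    return max(candidates, key=lambda r: (r.effective_priority(),
                                           ipaddress.ip_address(r.interface_ip)))


def dead_interval_ms(timer_ms: int) -> int:
    """Time until subordinates give up on the primary: three missed advertisements."""
    if not 100 <= timer_ms <= 40950:
        raise ValueError("VRRP timer must be 100 through 40950 milliseconds")
    return MISSED_ADVERTS * timer_ms
```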
- Configure other advanced interface properties.

| Parameter Name | Description |
|---|---|
| Duplex | Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode. Default: full |
| MAC Address | Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation. |
| IP MTU | Specify the maximum MTU size of packets on the interface. Range: 576 through 1804. Default: 1500 bytes |
| PMTU Discovery | Click On to enable path MTU discovery on the interface. PMTU determines the largest MTU size that the interface supports so that packet fragmentation does not occur. |
| Flow Control | Select a setting for bidirectional flow control, which is a mechanism for temporarily stopping the transmission of data on the interface. Values: autoneg, both, egress, ingress, none. Default: autoneg |
| TCP MSS | Specify the maximum segment size (MSS) of TCP SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU so that TCP SYN packets are never fragmented. Range: 552 to 1460 bytes. Default: None |
| Speed | Specify the speed of the interface for use when the remote end of the connection does not support autonegotiation. Values: 10, 100, 1000, or 10000 Mbps |
| Clear-Dont-Fragment | Click On to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent. Note: Clear-Dont-Fragment clears the DF bit only when fragmentation is needed and the DF bit is set. For packets not requiring fragmentation, the DF bit is not affected. |
| Autonegotiation | Note: For releases before Cisco vManage Release 20.6.1, the default value of the field is On. To turn autonegotiation off, click Off. From Cisco vManage Release 20.6.1, the default behavior of the field is as follows: (1) for the Gigabit Ethernet interface type, the Autonegotiation field is blank by default; however, autonegotiation is set to On when the field is left blank; (2) for other interface types such as Ten Gigabit Ethernet and Hundred Gigabit Ethernet, the Autonegotiation field is blank by default; to turn autonegotiation on or off, click On or Off respectively. From Cisco SD-WAN Manager Release 20.12.4: on Cisco Catalyst 8300 Series devices, for the TenGigabitEthernet interface type, do not leave the Autonegotiation field blank. |
| TLOC Extension | Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN. Note that TLOC extension over L3 is only supported for Cisco IOS XE routers. If configuring TLOC extension over L3 for a Cisco IOS XE router, enter the IP address of the L3 interface. |
| GRE Tunnel Source IP | Enter the IP address of the extended WAN interface. |
| Xconnect (on IOS XE routers) | Enter the name of a physical interface on the same router that connects to the WAN transport. |