Cisco Catalyst SD-WAN Interfaces Configuration Guide, Releases 26.x and Later

PDF

Configure VPN interface bridge

Updated: April 24, 2026

Want to summarize with AI?

Log in

Provides step-by-step instructions for configuring VPN interface bridges, detailing the required processes and considerations to enable secure and efficient connectivity.

To configure a bridge interface using Cisco SD-WAN Manager templates:

  1. Create a VPN Interface Bridge feature template to configure parameters for logical IRB interfaces.

  2. Create a Bridge feature template for each bridging domain, to configure the bridging domain parameters.

Integrated routing and bridging (IRB) allows Cisco IOS XE Catalyst SD-WAN devices in different bridge domains to communicate with each other. To enable IRB, create logical IRB interfaces to connect a bridge domain to a VPN. The VPN provides the Layer 3 routing services necessary so that traffic can be exchanged between different VLANs. Each bridge domain can have a single IRB interface and can connect to a single VPN, and a single VPN can connect to multiple bridge domains on a Cisco IOS XE Catalyst SD-WAN device.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.
2.

Click Device Templates.

In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.

  1. From the Create Template drop-down list, select From Feature Template.

  2. From the Device Model drop-down list, select the type of device for which you are creating the template.

  3. Click Service VPN or scroll to the Service VPN section.

  4. Click the Service VPN drop-down list.

  5. From Additional VPN Templates, click VPN Interface Bridge.

  6. From the VPN Interface Bridge drop-down list, click Create Template.

    The VPN Interface Bridge template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining VPN Interface Bridge parameters.

  7. In Template Name, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.

  8. In Template Description, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
3.

Configure an interface to use for bridging servers.

Table 1.

Parameter Name

Description

Shutdown*

Click No to enable the interface.

Interface name*

Enter the name of the interface, in the format irb number . The IRB interface number can be from 1 through 63, and must be the same as the VPN identifier configured in the Bridge feature template for the bridging domain that the IRB is connected to.

Description

Enter a description for the interface.

IPv4 Address*

Enter the IPv4 address of the router.

DHCP Helper

Enter up to eight IP addresses for DHCP servers in the network, separated by commas, to have the interface be a DHCP helper. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

Block Non-Source IP

Click Yes to have the interface forward traffic only if the source IP address of the traffic matches the interface's IP prefix range.

Secondary IP Address (on Cisco IOS XE Catalyst SD-WAN devices)

Click Add to configure up to four secondary IPv4 addresses for a service-side interface.
4.

Apply access lists to IRB interfaces, select the ACL tab and configure the following parameters. The ACL filter determines what is allowed in or out of a bridging domain.

Table 2.

Parameter Name

Description

Ingress ACL – IPv4

Click On, and specify the name of an IPv4 access list to packets being received on the interface.

Egress ACL– IPv4

Click On, and specify the name of an IPv4 access list to packets being transmitted on the interface.
5.

To have an interface run the Virtual Router Redundancy Protocol (VRRP), which allows multiple routers to share a common virtual IP address for default gateway redundancy, choose VRRP. Then click Add New VRRP and configure the following parameters:

Table 3.

Parameter Name

Description

Group ID

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority

Enter the priority level of the router. There router with the highest priority is elected as primary VRRP router. If two Cisco IOS XE Catalyst SD-WAN devices have the same priority, the one with the higher IP address is elected as primary VRRP router.

Range: 1 through 254

Default: 100

Timer (milliseconds)

Specify how often the primary VRRP router sends VRRP advertisement messages. If subordinate routers miss three consecutive VRRP advertisements, they elect a new primary VRRP router.

Range: 100 through 40950 milliseconds

Default: 1000 msecs

Note

When the timer is 100 ms for the VRRP feature template on Cisco IOS XE Catalyst SD-WAN devices, the VRRP fails if the traffic is high on LAN interface.

Use the 100 msec timer only if the Cisco IOS XE Catalyst SD-WAN device platform supports it, and if there are fewer tunnel groups.

Track OMP ​Track Prefix List

By default, VRRP uses of the state of the service (LAN) interface on which it is running to determine which Cisco IOS XE Catalyst SD-WAN device is the primary virtual router. if a Cisco IOS XE Catalyst SD-WAN device loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN side connectivity into account for VRRP, configure one of the following:

Track OMP—Click On for VRRP to track the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List—Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if reachability to all of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic is dropped while the Cisco IOS XE Catalyst SD-WAN devices determine the primary VRRP router.

IP Address

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local Cisco IOS XE Catalyst SD-WAN device and the peer running VRRP.
6.

Configure static Address Resolution Protocol (ARP) table entries on the interface.

Table 4.

Parameter Name

Description

IP Address

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address

Enter the MAC address in colon-separated hexadecimal notation.
7.

Configure other interface properties.

Table 5.

Parameter Name

Description

MAC Address

MAC addresses can be static or dynamic. A static MAC address is manually configured as opposed to a dynamic MAC address that is one learned via an ARP request. You can configure a static MAC on a router's interface or indicate a static MAC that identifies a router's interface.

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Similar to MTU, IP MTU only affects IP packets. If an IP packet exceeds the IP MTU, then the packet will be fragmented.

Specify the maximum MTU size of packets on the interface.

Range: 576 through 1804

Default: 1500 bytes

TCP MSS

TCP MSS will affect any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS will be examined against the MSS exchanged in the three-way handshake. The MSS in the header will be lowered if the configured setting is lower than what is in the header. If the header value is already lower, it will flow through unmodified. The end hosts will use the lower setting of the two hosts. If the TCP MSS is to be configured, it should be set it at 40 bytes lower than the minimum path MTU.

Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 to 1460 bytes

Default: None

Clear-Dont-Fragment

Configure Clear-Dont-Fragment if there are packets arriving on an interface with the DF bit set. If these packets are larger than the MTU will allow, they are dropped. If you clear the df-bit, the packets will be fragmented and sent.

Click On to clear the Dont Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than that interface's MTU are fragmented before being sent.

Note

Clear-Dont-Fragment clears the DF bit when there is fragmentation needed and the DF bit is set. For packets not requiring fragmentation, the DF bit is not affected.

ARP Timeout

ARP Timeout controls how long we maintain the ARP cache on a router.

Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2678400 seconds (744 hours)

Default: 1200 seconds (20 minutes)

ICMP Redirect

ICMP Redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally.

The ICMP Redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

To disable ICMP redirect messages on the interface, click Disable. By default, an interface allows ICMP redirect messages.