ACL Sequence Name

Specifies the name of the ACL sequence.

Condition

Specifies the ACL condition. The options are:

• DSCP

• Packet Length

• PLP

• Protocol

• Source Data Prefix

• Source Port

• Destination Data Prefix

• Destination Port

• TCP

• Class

• Peer

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

• Counter

• DSCP

• Log

• Next Hop

• Mirror List

• Class

• Policer

ACL Sequence Name

Specifies the name of the ACL sequence.

Condition

Specifies the ACL condition. The options are:

• Next Header

• Packet Length

• PLP

• Protocol

• Source Data Prefix

• Source Port

• Destination Data Prefix

• Destination Port

• TCP

• Class

• Traffic Class

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

• Counter

• Log

• Next Hop

• Traffic Class

• Mirror List

• Class

• Policer

Device AppQoE Role *

Service Node

Choose the Service Node option if you want to configure the device as a service node.

Forwarder:

Choose Forwarder if you want to configure the device as a forwarder. The forwarder redirects traffic to other service nodes.

• Forwarder IP Address*: IP address of the device you've configured as a forwarder.

• AppQoE Service VPN*: Choose the service VPN attached to the interface of the forwarder.

• Service Node Group: Click Add Service Node Group and enter the following details for the service node group:

  • Group Name: Select the AppQoe group name.

  • Add Service Node: Click Add Service Node and enter the IP address of the service nodes to enable the service controllers to communicate with the service nodes.

    Click the + icon to add up to 32 service nodes for the group. The starting value for the service node is SNG-APPQOE, following which, you can provide a value in the range SNG-APPQOE1 to SNG-APPQOE31.

DRE Optimisation

Enable DRE optimisation

Resource Profile

Choose Global to choose a profile size from the options available in the drop-down list.

Choose Defaultto apply the default DRE profile size for the device.

Choose Device Specific to enter a value for the profile.

AS Number

Enter the local AS number.

Router ID

Enter the BGP router ID, in decimal four-part dotted notation.

Propagate AS Path

Enable this option to carry BGP AS path information into OMP.

Propagate Community

Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution.

External Routes Distance

Specify the BGP route administrative distance for routes learned from other sites in the overlay network.

Range: 1 through 255

Default: 20

Internal Routes Distance

Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another.

Range: 1 through 255

Default: 200

Local Routes Distance

Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP.

Range: 1 through 255

Default: 20

IPv4 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat.

At a minimum, choose omp. By default, OMP routes are not redistributed into BGP.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

IPv6 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP RIB, regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp.

At a minimum, choose omp. By default, OMP routes are not redistributed into BGP.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name*

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

IPv4 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Send Label

Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates.

Add Neighbor Address Family

Family Type*

Choose the BGP IPv4 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

• Policy Off: Policy is off.

• Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

  When you choose this option, the following fields appear:

  • Maximum Number of Prefixes*: Enter the maximum prefix limit.

    Range: 1 to 4294967295

  • Threshold (percentage): Enter the threshold value:

    Range: 1 to 100

    Default: 75

  • Restart Interval (minutes)*: Enter the time interval.

    Range: 1 to 65535 minutes

• Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

• Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

IPv6 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Add IPv6 Neighbor Address Family

Family Type*

Choose the BGP IPv6 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

• Policy Off: Policy is off.

• Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

  When you choose this option, the following fields appear:

  • Maximum Number of Prefixes*: Enter the maximum prefix limit.

    Range: 1 to 4294967295

  • Threshold (percentage): Enter the threshold value:

    Range: 1 to 100

    Default: 75

  • Restart Interval (minutes)*: Enter the time interval.

    Range: 1 to 65535 minutes

• Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

• Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

AS Number

Enter the local AS number.

Router ID

Enter the BGP router ID, in decimal four-part dotted notation.

Propagate AS Path

Enable this option to carry BGP AS path information into OMP.

Propagate Community

Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution.

External Routes Distance

Specify the BGP route administrative distance for routes learned from other sites in the overlay network.

Range: 1 through 255

Default: 20

Internal Routes Distance

Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another.

Range: 1 through 255

Default: 200

Local Routes Distance

Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP.

Range: 1 through 255

Default: 20

IPv4 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat.

At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors.

Route policy is not supported in Cisco vManage Release 20.9.1.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

IPv6 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp.

At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors.

Route policy is not supported in Cisco vManage Release 20.9.1.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

Interface Name*

Enter a name for the MPLS interface.

IPv4 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allows in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Send Label

Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates.

Add Neighbor Address Family

Family Type*

Choose the BGP IPv4 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

• Policy Off: Policy is off.

• Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

  When you choose this option, the following fields appear:

  • Maximum Number of Prefixes*: Enter the maximum prefix limit.

    Range: 1 to 4294967295

  • Threshold (percentage): Enter the threshold value:

    Range: 1 to 100

    Default: 75

  • Restart Interval (minutes)*: Enter the time interval.

    Range: 1 to 65535 minutes

• Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

• Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

IPv6 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Add IPv6 Neighbor Address Family

Family Type*

Choose the BGP IPv6 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

• Policy Off: Policy is off.

• Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

  When you choose this option, the following fields appear:

  • Maximum Number of Prefixes*: Enter the maximum prefix limit.

    Range: 1 to 4294967295

  • Threshold (percentage): Enter the threshold value:

    Range: 1 to 100

    Default: 75

  • Restart Interval (minutes)*: Enter the time interval.

    Range: 1 to 65535 minutes

• Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

• Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

Keepalive (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. This keepalive time is the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. This hold time is the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Compare MED

Enable this option to compare the router IDs among BGP paths to determine the active path.

Deterministic MED

Enable this option to compare MEDs from all routes received from the same AS regardless of when the route was received.

Missing MED as Worst

Enable this option to consider a path as the worst path if the path is missing a MED attribute.

Compare Router ID

Enable this option to always compare MEDs regardless of whether the peer ASs of the compared routes are the same.

Multipath Relax

Enable this option to have the BGP best-path process select from routes in different ASs. By default, when you are using BGP multipath, the BGP best-path process selects from routes in the same AS to load-balance across multiple paths.

Address Pool*

Enter the IPv4 prefix range, in the format prefix/length, for the pool of addresses in the service-side network for which the router interface acts as the DHCP server.

Exclude

Enter one or more IP addresses to exclude from the DHCP address pool. To specify multiple individual addresses, list them separated by a comma. To specify a range of addresses, separate them with a hyphen.

Lease Time(seconds)

Specify how long a DHCP-assigned IP address is valid.

Range: 60 through 31536000 seconds

Default: 86400

Add Static Lease

MAC Address*

Enter the MAC address of the client to which the static IP address is being assigned.

IP*

Enter the static IP address to assign to the client.

Add Option Code

Code*

Configure the option code.

Range: 1-254

Type

Choose one of the three types:

• ASCII: Specify an ASCII value.

• Hex: Specify a hex value.

• IP: Specify IP addresses. You can specify up to eight IP addresses.

Interface MTU

Specify the maximum MTU size of packets on the interface.

Range: 68 to 65535 bytes

Domain Name

Specify the domain name that the DHCP client uses to resolve hostnames.

Default Gateway

Enter the IP address of a default gateway in the service-side network.

DNS Servers

Enter one or more IP address for a DNS server in the service-side network. Separate multiple entries with a comma. You can specify up to eight addresses.

TFTP Servers

Enter the IP address of a TFTP server in the service-side network. You can specify one or two addresses. If two, separate them with a comma.

Name

Enter a name for the high availability feature profile.

Description

Enter a description for the high availability feature profile.

VPN

EdgeDevice_01

When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby.

EdgeDevice_02

When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby.

None

Set the status to None for VPNs that are not configured for High Availability.

Preempt to home router

Click to allow the configured active Cisco IOS XE Catalyst SD-WAN device to automatically reclaim the active role upon recovery from a failure.

Optimize paths after switchover

Click to enable OMP Affinity to optimize routing paths after a failover.

Autonomous System ID *

Enter the local autonomous system (AS) number.

Range: 1 through 65535

Default: None

Network

IP Address*

Enter the IPv4 address.

Mask*

Enter the subnet mask.

Interface

Add Interface

Provide values for the following fields:

• AF Interface: Enter a value for the Address Family (AF) interface.

• Shutdown: Enables the interface to run EIGRP by default.

  Toggle ON to disable the interface.

• Add Summary Address: Enter an IPv4 address and choose a subnet mask.

Autonomous System ID *

Enter the local autonomous system (AS) number.

Range: 1 through 65535

Default: None

Network

IP Address*

Enter the IPv4 address.

Mask*

Enter the subnet mask.

Interface

Add Interface

Provide values for the following fields:

• AF Interface: Enter a value for the Address Family (AF) interface.

• Shutdown: Enables the interface to run EIGRP by default.

  Toggle ON to disable the interface.

• Add Summary Address: Enter an IPv4 address and choose a subnet mask.

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN

The service VPN.

Shutdown

Enable or disable the interface.

Interface Name

Enter a name for the interface. Spell out the interface names completely (for example, GigabitEthernet0/0/0).

Configure all the interfaces of the router, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.

Description

Enter a description for the interface.

IPv4 Settings

Configure an IPv4 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

Dynamic DHCP Distance

Enter an administrative distance value for routes learned from a DHCP server. This option is available when you choose Dynamic.

Default: 1

IP Address

Enter a static IPv4 address. This option is available when you choose Static.

Subnet Mask

Add Secondary IP Address

Enter up to four secondary IPv4 addresses for a service-side interface.

• IP Address*: Enter the IP address.

• Subnet Mask: Enter the subnet mask.

DHCP Helper

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

IPv6 Settings

Configure an IPv6 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

• None

IPv6 Address Primary

Enter a static IPv6 address. This option is available when you choose Static.

Add Secondary Ipv6

Enter up to two secondary IPv6 addresses for a service-side interface.

Add DHCP Helper

DHCPv6 Helper*

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

DHCPv6 Helper VPN

Enter the VPN ID of the VPN source interface for the DHCP helper.

IPv4 Settings

Add Vrrp Ipv4

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

IP Address*

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Tloc Prefix Change*

Enable or disable this option to set whether the TLOC preference can be changed or not.

Tloc Prefix Change Value

Enter the TLOC preference change value.

Range: 100 to 4294967295

Add VRRP IP Address Secondary

IP Address*

Enter an IP address for the secondary VRRP router.

Subnet Mask

Enter the subnet mask.

Add VRRP Tracking Object

Tracker ID*

Enter the interface object ID or object group tracker ID.

Tracker Action*

Choose one of the options:

• decrement

• shutdown

Decrement Value*

Enter a decrement value.

Range: 1-255

IPv6 Settings

Add Vrrp Ipv6

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

Link Local IPv6 Address*

Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8.

Global IPv6 Prefix

Enter a virtual global unicast IPv6 address, which represents the global address of the group. The address should be an IPv6 global prefix address that has the same mask as the interface forwarding address on which the VRRP group is configured. For example, 2001::2/124.

You can configure up to three global IPv6 addresses.

Add ARP

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

Enable SGT Propogation

Enable this option to use the Cisco TrustSec Security Group Tag (SGT) propagation feature.

Propagate

Enable this option to propagate SGT in Cisco Catalyst SD-WAN.

Security Group Tag

Enter a value that can be used as a tag.

Range: 2 to 65519

Trusted

Enable the trusted option.

When you enable this option, the SGT value received in the Ethernet packet on this interface is trusted and is used by the device for any security group aware policy enforcement.

Enable Enforcement

Enable this option to start SGT enforcement on the interface.

Enforced Security Group Tag

Enter a value that can be used as a tag for enforcement.

Range: 2 to 65519

Duplex

Specify whether the interface runs in full-duplex or half-duplex mode.

Default: full

MAC Address

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 1518 (GigabitEthernet0), 1500 through 9216 (other GigabitEthernet)

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Speed

Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation.

Values: 10, 100, 1000, 2500, or 10000 Mbps

ARP Timeout

ARP timeout controls how long we maintain the ARP cache on a router. Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2147483 seconds

Default: 1200 seconds

Autonegotiate

Enable this option to turn on autonegotiation.

Media Type

Specify the physical media connection type on the interface. Choose one of the following:

• auto-select: A connection is automatically selected.

• rj45: Specifies an RJ-45 physical connection.

• sfp: Specifies a small-form factor pluggable (SFP) physical connection for fiber media.

Load Interval

Enter an interval value for interface load calculation.

Tracker

Static-route tracking for service VPNs enables you to track the availability of the configured endpoint address to determine if the static route can be included in the routing table of a device. Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device.

ICMP Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

XConnect

Enter the name of a physical interface on the same router that connects to the WAN transport.

IP Directed Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

Interface Name (1..255)*

Interface Description

Choose from one of the following GRE tunnel modes:

• ipv4 underlay: GRE tunnel with IPv4 underlay. IPv4 underlay is the default value.

• ipv6 underlay: GRE tunnel with IPv6 underlay.

Source

Enter the source of the GRE interface:

• IP Address: Enter the source IP address of the GRE tunnel interface. Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address. This address is on the local router.

• Interface: Enter the egress interface name for the GRE tunnel.

• Tunnel Route Via*: Specify the tunnel route details to steer the GRE tunnel traffic through.

  Note	If the Tunnel Source Interface type is a loopback interface, enter the interface for traffic to be routed to. You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

Destination

• GRE Destination IP Address*: Enter the destination IP address of the GRE tunnel interface. This address is on a remote device.

• IP Address: Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address for the GRE tunnel.

  • Mask*: Enter the subnet mask.

• IPv6 Address: Enter the destination IPv6 or address for the GRE tunnel.

IKE Version

Enter 1 to choose IKEv1.

Enter 2 to choose IKEv2.

Default: IKEv1

IKE Integrity Protocol

• Main: Establishes an IKE SA session before starting IPsec negotiations.

• Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

Default: Main mode

IKE Rekey Interval

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 14400 seconds (4 hours)

IKE Cipher Suite

Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

Default: aes256-cbc-sha1

IKE Diffie-Hellman Group

Values: 2, 14, 15, 16, 19, 20, 21, 24

Default: 16

IKE ID for Local End Point

Range: 1 through 64 characters

Default: Source IP address of the tunnel

IKE ID for Remote End Point

Range: 1 through 64 characters

Default: Destination IP address of the tunnel

There is no default option if you have chosen IKEv2.

IPsec Rekey Interval (Seconds)

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 3600 seconds

IPsec Replay Window

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

Default: 512 bytes

IPsec Cipher Suite

Values: aes256-cbc-sha1, aes256-gcm, null-sha1

Default: aes256-gcm

Perfect Forward Secrecy

• group-2: Use the 1024-bit Diffie-Hellman prime modulus group

• group-14: Use the 2048-bit Diffie-Hellman prime modulus group

• group-15: Use the 3072-bit Diffie-Hellman prime modulus group

• group-16: Use the 4096-bit Diffie-Hellman prime modulus group

• none: Disable PFS

Default: group-16

DPD Interval

Range: 10 through 3600 seconds (1 hour)

Default: 10 seconds

DPD Retries

Range: 2 through 60

Default: 3

Application

Choose an application from the drop-down list:

• None

• Sig

Shutdown

IP MTU

Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv6 packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of the IPv4 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

IPv6 TCP MSS

Specify the maximum segment size (MSS) of the IPv6 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

Tunnel Protection

Choose Yes to enable tunnel protection.

Default: No

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Interface Name

Description

Choose from one of the following IPsec tunnel modes:

• ipv4: IPsec tunnel with IPv4 overlay and IPv4 underlay. IPv4 underlay is the default value.

• ipv6: IPsec tunnel with IPv6 overlay and IPv6 underlay.

• ipv4-v6overlay: IPsec tunnel with IPv6 overlay and IPv4 underlay.

Interface Address

Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.

Mask

Enter the subnet mask.

Tunnel Source

Enter the source of the IPsec interface:

• IP Address: Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.. This address is on the local router.

• Interface: Enter the physical interface that is the source of the IPsec tunnel.

Tunnel Destination

Enter the destination of the IPsec interface:

• Address: Enter the destination IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list. This address is on a remote device.

• Application: Choose an application from the drop-down list.

• None

• Sig

TCP MSS

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

IP MTU

Range: 576 through 1804

Default: 1500 bytes

IKE Version

Enter 1 to choose IKEv1.

Enter 2 to choose IKEv2.

Default: IKEv1

IKE Integrity Protocol

• Main: Establishes an IKE SA session before starting IPsec negotiations.

• Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

Default: Main mode

IPsec Rekey Interval (Seconds)

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 14400 seconds (4 hours)

IKE Cipher Suite

Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

Default: aes256-cbc-sha1

IKE Diffie-Hellman Group

Values: 2, 14, 15, 16, 19, 20, 21, 24

Default: 16

IKE ID for Local End Point

Range: 1 through 64 characters

Default: Source IP address of the tunnel

IKE ID for Remote End Point

Range: 1 through 64 characters

Default: Destination IP address of the tunnel

There is no default option if you have chosen IKEv2.

IPsec Rekey Interval

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 3600 seconds

IPsec Replay Window

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

Default: 512 bytes

IPsec Cipher Suite

Values: aes256-cbc-sha1, aes256-gcm, null-sha1

Default: aes256-gcm

Perfect Forward Secrecy

• group-2: Use the 1024-bit Diffie-Hellman prime modulus group

• group-14: Use the 2048-bit Diffie-Hellman prime modulus group

• group-15: Use the 3072-bit Diffie-Hellman prime modulus group

• group-16: Use the 4096-bit Diffie-Hellman prime modulus group

• none: Disable PFS

Default: group-16

Associated VPN

Select a VPN from the drop-down list to associate with the IPsec tunnel.

Tunnel Route Via

Specify the tunnel route details to steer the application traffic through.

DPD Interval

Range: 10 through 3600 seconds (1 hour)

Default: 10 seconds

DPD Retries

Range: 2 through 60

Default: 3

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

IP MTU

Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv4 packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Shutdown

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

SPT Only

Enable this option to ensure that the Rendezvous Points (RPs) can communicate with each other using the shortest-path tree.

Local Replicator

Enable this option to configure the Cisco IOS XE Catalyst SD-WAN device as a multicast replicator.

Threshold

Specify a value.

Optional, keep it set to the default value if you are not configuring a replicator.

Source Specific Multicast (SSM)

Enable this option to configure SSM.

ACL

Specify an access control list value. An access control list allows you to filter multicast traffic streams using the group and sometimes source IPv4 or IPv6 addresses.

Configure an IPv4 access control list using a standard or extended access list and attach it to your device before enabling PIM. You must have created a valid standard or extended ACL before using the ACL in your multicast configuration.

SPT Threshold

Specify the traffic rate, in kbps, at which to switch from the shared tree to the shortest-path tree (SPT). Configuring this value forces traffic to remain on the shared tree and travel via the RP instead of via the SPT.

Add Interface

Interface Name

Query Interval(sec)

Specify how often the interface sends PIM query messages. Query messages advertise that PIM is enabled on the router.

Join/Prune Interval(sec)

Specify how often PIM multicast traffic can join or be removed from a rendezvous point tree (RPT) or shortest-path tree (SPT). Cisco IOS XE Catalyst SD-WAN device send join and prune messages to their upstream RPF neighbor.

How do you want to configure your Rendezvous Point (RP)

Cisco IOS XE SD-WAN supports the following modes:

Static

Click this check box to a specify the static IP address of a rendezvous point (RP).

Add Static RP

IP Address

Specify the static IP address of a rendezvous point (RP).

ACL

Specify an ACL value.

Override

Enable this option for cases when dynamic and static group-to-RP mappings are used together and there is an RP address conflict. In this case, the RP address configured for a static group-to-RP mapping takes precedence.

If you do not enable this option, and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings.

Auto RP

Click this check box to enable reception of PIM group-to-RP mapping updates. This enables reception on the Auto-RP multicast groups, 224.0.1.39 and 224.0.1.40.

RP Announce

Click this check box to enable transmission of Auto-RP multicast messages.

RP Discovery

Click this check box to enable Auto-RP automatic discovery of rendezvous points (RPs) in the PIM network so that the router can serve as an Auto-RP mapping agent. An Auto-RP mapping receives all the RPs and their respective multicast groups and advertise consistent group-to-RP mapping updates.

Interface

Specify the source interface for Auto-RP RP Announcements or RP Discovery messages.

Scope

Specify the IP header Time-to-Live (TTL) for Auto-RP RP Announcements or RP Discovery messages.

PIM-BSR

Configure a PIM BSR.

Interface Name

Choose the interface that you used for configuring the PIM feature template.

Access List

Add an access list value if you have configured the access list with a value.

Interval

Add an interval value if you have configured the interval with a value.

Priority

Specify a higher priority on the Cisco IOS XE SD-WAN device than on the service-side device.

BSR Candidate (Maximum: 1)

Interface Name

Chose the same interface from the drop-down list that you used for configuring the PIM feature template.

Hash Mask Length

Specify the hash mask length. Valid values for hash mask length are 0–32.

Priority

Specify a higher priority on the Cisco IOS XE Catalyst SD-WAN device than on the service-side device.

RP Candidate Access List

Add a value if you have configured the RP candidate access list with a value.

An RP candidate uses a standard ACL where you can enter the name for the access list.

Add IGMP

Interface

Enter the name of the interface to use for IGMP. To add another interface, click Add.

Version

Specify a version number.

Optional, keep it set to the default version number.

Group Address

Enter a group address to join a multicast group.

Source Address

Enter a source address to join a multicast group.

Add

Click Add to add the IGMP for the group.

Originator-ID

Specify the ID of the originating device. This ID is the IP address of the interface that is used as the RP address.

Connection Retry Interval

Configure an interval at which MSDP peers will wait after peering sessions are reset before attempting to re-establish the peering sessions.

Mesh Group

Mesh Group Name

Enter a mesh group name. This configures an MSDP mesh group and indicates that an MSDP peer belongs to that mesh group.

Peer-IP

Configure an MSDP peer specified by an IP address.

Advanced Settings

Connect-Source Interface

Enter the primary address of a specified local interface that is used as the source IP address for the TCP connection.

Peer Authentication Password

Enables MD5 password encryption for a TCP connection between two MSDP peers.

Keep Alive

Configure an interval at which an MSDP peer will send keepalive messages.

Hold-Time

Configure an interval at which the MSDP peer will wait for keepalive messages from other peers before declaring them as down.

Remote AS

Specifies the autonomous system number of the MSDP peer. This keyword and argument are used for display purposes only.

SA Limit

Limits the number of SA messages allowed in the SA cache from the specified MSDP.

Default Peer

Configure a default peer from which to accept all MSDP SA messages.

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This is the IP address associated with the router for OSPF adjacencies.

Distance for External Routes

Specify the OSPF route administration distance for routes learned from other domains.

Range: 1 through 255

Default: 110

Distance for Inter-Area Routes

Specify the OSPF route administration distance for routes coming from one area into another.

Range: 1 through 255

Default: 110

Distance for Intra-Area Routes

Specify the OSPF route administration distance for routes within an area.

Range: 0 through 255

Default: 110

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPF.

• Static

• Connected

• BGP

• OMP

• NAT

• EIGRP

Add Router LSA

Type

Configure OSPF to advertise a maximum metric so that other routers do not prefer this router as an intermediate hop in their Shortest Path First (SPF) calculation.

Choose a type:

• administrative: Force the maximum metric to take effect immediately, through operator intervention.

• on-startup: Advertise the maximum metric for the specified time.

Add Area

Area Number*

Enter the number of the OSPF area.

Range: 32-bit number

Set the area type

Choose the type of OSPF area:

• Stub

• NSSA

Add Interface

Configure the properties of an interface in an OSPF area.

Name*

Enter the name of the interface, in the format geslot/port or loopback number.

Hello Interval (seconds)*

Specify how often the router sends OSPF hello packets.

Range: 1 through 65535 seconds

Default: 10 seconds

Dead Interval (seconds)*

Specify how often the router must receive an OSPF hello packet from its neighbor. If no packet is received, the router assumes that the neighbor is down.

Range: 1 through 65535 seconds

Default: 40 seconds (four times the default hello interval)

LSA Retransmission Interval (seconds)*

Specify how often the OSPF protocol retransmits LSAs to its neighbors.

Range: 1 through 65535 seconds

Default: 5 seconds

Interface Cost

Specify the cost of the OSPF interface.

Range: 1 through 65535

Designated Router Priority*

Set the priority of the router to be elected as the designated router (DR). The router with the highest priority becomes the DR. If the priorities are equal, the node with the highest router ID becomes the DR or the backup DR.

Range: 0 through 255

Default: 1

OSPF Network Type

Choose the OSPF network type to which the interface is to connect:

• Broadcast network

• Point-to-point network

• Non-broadcast network

• Point-to-multipoint network

Passive Interface*

Specify whether to set the OSPF interface to be passive. A passive interface advertises its address, but does not actively run the OSPF protocol.

Default: Disabled

Authentication Type

Choose the authentication type:

• simple: Password is sent in clear text.

• message-digest: MD5 algorithm generates the password.

Message Digest Key

Enter the MD5 authentication key, in clear text or as an AES-encrypted key. It can be from 1 to 255 characters.

md5

Enter the key ID for message digest (MD5 authentication). It can be 1 to 32 characters.

Add Range

Configure the area range of an interface in an OSPF area.

IP Address*

Enter the IP address.

Subnet Mask*

Enter the subnet mask.

Cost

Specify a number for the Type 3 summary LSA. OSPF uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777214

No-advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPF auto-cost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPF calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

• Always: Enable this option to always advertise the default route in an OSPF routing domain.

• Default Metric: Set the metric used to generate the default route.

  Range: 0 through 16777214

  Default: 10

• Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 milliseconds (60 seconds)

Default: 200 milliseconds

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 milliseconds (60 seconds)

Default: 1000 milliseconds

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000

Default: 10000 milliseconds (60 seconds)

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured.

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.

• Connected

• Static

• Nat-route

• BGP

Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF.

Area Number*

Enter the number of the OSPFv3 area.

Allowed value: Any 32-bit integer

Area Type

Choose the type of OSPFv3 area:

• Stub: No external routes

• NSSA: Not-so-stubby area, allows external routes

• Normal

Interface

Add Interface

Configure the properties of an interface in an OSPFv3 area.

Name*

Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1.

Cost

Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777215

Authentication Type

Specify the SPI and authentication key if you use IPSec SHA1 authentication type.

• no-auth: Select no authentication.

• ipsec-sha1: Enter the value for the IPSEC Secure Hash Algorithm 1 (SHA-1) authentication.

SPI

Specifies the Security Policy Index (SPI) value.

Range: 256 through 4294967295

Authentication Key

Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long.

Passive Interface

Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol.

Default: Disabled

IPv4 Range

Add IPv4 Range

Configure the area range of an interface in an OSPFv3 area.

Network Address*

Enter the IPv4 address.

Subnet Mask*

Enter the subnet mask.

No Advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Cost

Specify the cost of the OSPFv3 interface.

Range: 1 through 65535

Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors.

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

• Always: Enable this option to always advertise the default route in an OSPF routing domain.

• Default Metric: Set the metric used to generate the default route.

  Range: 0 through 16777214

  Default: 10

• Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

Distance

Define the OSPFv3 route administration distance based on route type.

Default: 100

Distance for External Routes

Set the OSPFv3 distance for routes learned from other domains.

Range: 0 through 255

Default: 110

Distance for Inter-Area Routes

Set the distance for routes coming from one area into another.

Range: 0 through 255

Default: 110

Distance for Intra-Area Routes

Set the distance for routes within an area.

Range: 0 through 255

Default: 110

SPF Calculation Timers

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 ms (600 seconds)

Default: 200 ms

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 1000 ms

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 10000 ms (10 seconds)

Maximum Metric (Router LSA)

Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.

• Immediately: Force the maximum metric to take effect immediately, through operator intervention.

• On-startup: Advertise the maximum metric for the specified number of seconds after the router starts up.

  Range: 5 through 86400 seconds

Maximum metric is disabled by default.

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured.

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.

• Connected

• Static

• BGP

Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF.

Area Number*

Enter the number of the OSPFv3 area.

Allowed value: Any 32-bit integer

Area Type

Choose the type of OSPFv3 area:

• Stub: No external routes

• NSSA: Not-so-stubby area, allows external routes

• Normal

Interface

Add Interface

Configure the properties of an interface in an OSPFv3 area.

Name*

Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1.

Cost

Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777215

Authentication Type

Specify the SPI and authentication key if you use IPSec SHA1.

• no-auth: Select no authentication.

• ipsec-sha1: Enter the value for the IPSEC Secure Hash Algorithm 1 (SHA-1) authentication.

SPI

Specifies the Security Policy Index (SPI) value.

Range: 256 through 4294967295

Authentication Key

Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long.

Passive Interface

Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol.

Default: Disabled

IPv6 Range

Add IPv6 Range

Configure the area range of an interface in an OSPFv3 area.

Network Address*

Enter the IPv6 address.

Subnet Mask*

Enter the subnet mask.

No Advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Cost

Specify the cost of the OSPFv3 interface.

Range: 1 through 65535

Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors.

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

• Always: Enable this option to always advertise the default route in an OSPF routing domain.

• Default Metric: Set the metric used to generate the default route.

  Range: 0 through 16777214

  Default: 10

• Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

Distance

Define the OSPFv3 route administration distance based on route type.

Default: 100

Distance for External Routes

Set the OSPFv3 distance for routes learned from other domains.

Range: 0 through 255

Default: 110

Distance for Inter-Area Routes

Set the distance for routes coming from one area into another.

Range: 0 through 255

Default: 110

Distance for Intra-Area Routes

Set the distance for routes within an area.

Range: 0 through 255

Default: 110

SPF Calculation Timers

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 ms (600 seconds)

Default: 200 ms

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 1000 ms

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 10000 ms (10 seconds)

Maximum Metric (Router LSA)

Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.

• Immediately: Force the maximum metric to take effect immediately, through operator intervention.

• On-startup: Advertise the maximum metric for the specified number of seconds after the router starts up.

  Range: 5 through 86400 seconds

Maximum metric is disabled by default.

Tracker Type*

Interface

Configure the following interface values:

• Object tracker ID*: Enter the object tracker ID number.

  Range: 1-1000

• Interface name*: Enter the global or device-specific tracker interface name. For example, Gigabitethernet1 or Gigabitethernet2.

SIG

Object tracker ID*: Enter the object tracker ID number.

Route

Configure the route details:

• Object tracker ID*: Enter the object tracker ID number.

  Range: 1-1000

• Route IP*: Enter the IPv4 address of the route.

• Route IP Mask*: Select a value for the subnet mask.

• VPN: Enter a value for the VPN.

Object tracker ID *

Enter an ID for the object tracker group.

Range: 1 through 1000

Object tracker *

Select a minimum of two previously created object trackers from the drop-down list.

Reachable *

Choose one of the following values:

• Either: Ensures that the transport interface status is reported as active if either one of the associated trackers of the tracker group reports that the route is active.

• Both: Ensures that the transport interface status is reported as active if both the associated trackers of the tracker group report that the route is active.

Routing Sequence Name

Specifies the name of the routing sequence.

Protocol

Specifies the internet protocol. The options are IPv4, IPv6, or Both.

Condition

Specifies the routing condition. The options are:

• Address

• AS Path List

• Community List

• Extended Community List

• BGP Local Preference

• Metric

• Next Hop

• OMP Tag

• Origin

• OSPF Tag

• Peer

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

• Aggregator

• AS Path

• Atomic Aggregate

• Community

• Local Preference

• Metric

• Metric Type

• Next Hop

• OMP Tag

• Origin

• Originator

• OSPF Tag

• Weight

VPN*

Enter the numeric identifier of the VPN.

Name*

Enter a name for the VPN.

OMP Admin Distance IPv4

Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255.

OMP Admin Distance IPv6

Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255.

Add DNS IPv4

Primary DNS Address (IPv4)

Enter the IP address of the primary IPv4 DNS server in this VPN.

Secondary DNS Address (IPv4)

Enter the IP address of a secondary IPv4 DNS server in this VPN.

Add DNS IPv6

Primary DNS Address (IPv6)

Enter the IP address of the primary IPv6 DNS server in this VPN.

Secondary DNS Address (IPv6)

Enter the IP address of a secondary IPv6 DNS server in this VPN.

Add New Host Mapping

Hostname*

Enter the hostname of the DNS server. The name can be up to 128 characters.

List of IP*

Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.

Add OMP Advertise IPv4

Protocol

Choose a protocol to configure route advertisements to OMP, for this VPN:

• bgp

• ospf

• ospfv3

• connected

• static

• network

• aggregate

  Applied to Region: (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1) In a Multi-Region Fabric scenario, route aggregation is a method for reducing the number of entries that routers in a network must maintain in routing tables, for better scaling. Choose core, access, or core-and-access, to apply route aggregation only to access regions, the core region, or both.

  This option is applicable only to a Multi-Region Fabric border router, not an edge router or a transport gateway.

• eigrp

• lisp

• isis

Select Route Policy

Enter the name of the route policy.

Route policy is not supported in Cisco vManage Release 20.9.1.

Add OMP Advertise IPv6

Protocol

Choose a protocol to configure route advertisements to OMP, for this VPN:

• BGP

• OSPF

• Connected

• Static

• Network

• Aggregate

  Applied to Region: (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1) In a Multi-Region Fabric scenario, route aggregation is a method for reducing the number of entries that routers in a network must maintain in routing tables, for better scaling. Choose core, access, or core-and-access, to apply route aggregation only to access regions, the core region, or both.

  This option is applicable only to a Multi-Region Fabric border router, not an edge router or a transport gateway.

Select Route Policy

Enter the name of the route policy.

Route policy is not supported in Cisco vManage Release 20.9.1.

Protocol Sub Type

When you choose the OSPF protocol, specify the sub type as external.

Add IPv4 Static Route

Network Address*

Enter the IPv4 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN.

Subnet Mask*

Enter the subnet mask.

Next Hop/Null 0/VPN/DHCP

Choose one of the following options to configure the next hop to reach the static route:

• Next Hop: When you choose this option, the IPv4 Route Gateway Next Hop field appears. Enable this option to add the next hop. You can add a hop with and without a tracker.

  When you click Add Next Hop, the following fields appear:

  • Address*: Enter the next-hop IPv4 address.

  • Administrative Distance*: Enter the administrative distance for the route.

  When you click Add Next Hop with Tracker, the following fields appear:

  • Address*: Enter the next-hop IPv4 address.

  • Administrative Distance*: Enter the administrative distance for the route.

  • Tracker*: Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device.

• Null 0: When you choose this option, the following field appears:

  • IPv4 Route Null 0*: Enable this option to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages.

• VPN: When you choose this option, the following field appears:

  • IPv4 Route VPN*: Selects VPN as the gateway to direct packets to the transport VPN.

• DHCP: When you choose this option, the following field appears:

  • IPv4 Route Gateway DHCP*: Assigns a static route for the default next-hop router when the DHCP server is accessed for an IP address.

Add BGP Routing

Choose a BGP route.

Add OSPF Routing

Choose an OSPF route.

Add IPv6 Static Route

Prefix*

Enter the IPv6 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv6 static route to configure in the VPN.

Next Hop/Null 0/NAT

Choose one of the following options to configure the next hop to reach the static route:

• Next Hop: When you choose this option and click Add Next Hop, the following fields appear:

  • Address*: Enter the next-hop IPv6 address.

  • Administrative distance*: Enter the administrative distance for the route.

• Null 0: When you choose this option, the following field appears:

  • IPv6 Route Null 0*: Enable this option to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages.

• NAT: When you choose this option, the following field appears:

  • IPv6 NAT*: Choose NAT64 or NAT66.

• Interface: When you choose this option, the following fields appear:

  • Interface Name: Choose IPv6 interface name for the IPsec tunnel.

  • Next Hop: Enter the IPv6 address and the administrative distance for the next hop.

Add Service

Service Type

Choose a service available at the local site and in the VPN.

Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4, TE, SIG

IPv4 Addresses (Maximum: 4)*

Enter up to four IP address, separated by commas. The service is advertised to the Cisco SD-WAN Controller only if one of the addresses can be resolved locally, at the local site, not via routes learned through OMP. You can configure up to four IP addresses.

Tracking*

Cisco Catalyst SD-WAN tests each service device periodically to check whether it is operational. Tracking saves the results of the periodic tests in a service log.

Tracking is enabled by default.

Add Service Route

Prefix*

Enter the IP address or prefix. For Umbrella SIG, use any RFC 1918 subnet for Service IP addresses.

Service*

Configure routes pointing to any service.

Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4.

VPN*

Destination VPN to resolve the prefix.

Add GRE Route

Prefix*

Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route.

Interface*

Enter the name of one or two GRE tunnels to use to reach the service.

VPN*

Enter the number of the VPN to reach the service. This must be VPN 0.

Add ipSec Route

Prefix*

Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the IPsec-specific static route.

Interface*

Enter the name of one or two IPsec tunnel interfaces. If you configure two interfaces, the first is the primary IPsec tunnel, and the second is the backup. All packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.

Nat Pool

NatPool Name*

Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router.

Prefix Length*

Enter the NAT pool prefix length.

Range Start*

Enter a starting IP address for the NAT pool.

Range End*

Enter a closing IP address for the NAT pool.

Overload*

Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

Default: Enabled

Direction*

Choose the NAT direction.

Nat64 V4 Pool

Nat64 V4 Pool Name*

Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router.

Nat 64 V4 Pool Range Start*

Enter a starting IP address for the NAT pool.

Nat 64 V4 Pool Range End*

Enter a closing IP address for the NAT pool.

Overload*

Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

Default: Disabled

Route Protocol*

Choose a protocol to configure leak routes from global VPN to the service VPN that you are configuring:

• static

• connected

• bgp

• ospf

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in service VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes:

• bgp

• ospf

• (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1)

  eigrp

Select Route Policy

Choose a route policy from the drop-down list.

Route Protocol*

Choose a protocol to leak routes from the service VPN that you are configuring to the global VPN:

• static

• connected

• bgp

• ospf

• (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1)

  eigrp

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in global VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes:

• bgp

• ospf

Select Route Policy

Enter the name of the route policy.

Select Route Policy

Choose a route policy from the drop-down list.

Route Protocol*

Choose a protocol from the available options to leak routes from the source service VPN to the service VPN that you are configuring:

• static

• connected

• bgp

• ospf

• (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1)

  eigrp

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in Service VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes:

• bgp

• ospf

• (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1)

  eigrp

Select Route Policy

Choose a route policy from the drop-down list.

IPv4 Settings

Import Route Target List: Route Target*

Configure a route target for IPv4 interfaces. It imports routing information from the target VPN extended community.

Export Route Target List: Route Target*

Configure a route target for IPv4 interfaces. It exports routing information to the target VPN extended community.

IPv6 Settings

Import Route Target List: Route Target*

Configure a route target for IPv6 interfaces. It imports routing information from the target VPN extended community.

Export Route Target List: Route Target*

Configure a route target for IPv6 interfaces. It exports routing information to the target VPN extended community.

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN: VPN*

Choose a VPN.

Shutdown

Enable or disable the VLAN interface.

VLAN Interface Name*

Enter a name for the VLAN interface.

The name must contain a minimum of five characters. The name must be in the following format: ^Vlan(([1-9]\d|\d)/){0,2}(0|[1-9]\d*)([:|\.][1-9]\d*)?

Interface Description

Enter a description for the interface.

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 9216

Default: 1500 bytes

IP MTU

Enter the maximum transmission unit (MTU) size of IP packets sent on an interface.

Range: 576 through 9216

Default: 1500 bytes

Configure IPV4 Address

IPv4 Address Prefix*

Enter the IPv4 address for the interface.

List of DHCP helper addresses*

Enter up to eight IP addresses for DHCP servers in the network to have the interface be a DHCP helper. Separate each address with a comma. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

Configure IPV4 Secondary Address

Secondary IP Address*

Enter up to four secondary IP addresses.

Configure IPV6 Address

IPV6 address*

Enter the IPv6 address for the interface.

Configure IPV6 Secondary Address

Address*

Enter up to four secondary IP addresses.

Configure IPV6 DHCP Helper

Address*

Enter an IP address for DHCP servers in the network to have the interface be a DHCP helper. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

VPN

VPN ID for the DHCP helper address.

Configure Access List V4

Direction*

Choose a direction of the ACL: in or out.

Name of ACL*

Enter the name of the access list.

Configure Access List V6

Direction*

Choose a direction of the ACL: in or out.

Name of ACL*

Enter the name of the access list.

Configure VRRP

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Prefix List*

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

IP Address

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Add VRRP IP Address Secondary

Address*

Enter an IP address for the secondary VRRP router.

TLOC Preference Change

Enable or disable this option to set whether the TLOC preference can be changed or not.

Add VRRP Tracking Object

Tracker Id*

Enter the interface object ID or object group tracker ID.

Track Action*

Choose one of the options:

• decrement

• shutdown

Decrement Value

Enter a decrement value.

Range: 1-255

From Cisco vManage Release 20.10.1, this option is enabled only when you choose decrement in Track Action.

Configure VRRP IPv6

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

Add VRRP IPv6 Primary

IPv6 Link Local*

Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8.

Prefix

Enter the IPv6 address of the primary VRRP router.

Configure ARP

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 to 1960 bytes

Default: None

ARP Timeout

Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2678400 seconds (744 hours)

Default: 1200 (20 minutes)

IP Directed-Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

ICMP/ICMPv6 Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

Age Out Time

Enter how long an entry is in the MAC table before it ages out. Set the value to 0 to prevent entries from timing out.

Range: 0, 10 through 1000000 seconds

Default: 300 seconds

Configure Interface

Interface Name

Enter the name of the interface to associate with the bridging domain, in the format geslot/port.

Mode

Choose the switch port mode.

• access: Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic only for one VLAN. When you choose access, the following field appears:

  Switchport Access Vlan: Enter the VLAN number, which can be a value from 1 through 4094.

• trunk: Configure the interface as a trunk port. You can configure one or more VLANs on a trunk port, and the port can carry traffic for multiple VLANs. When you choose trunk, the following fields appear:

  • Allowed Vlans: Enter the number of the VLANs for which the trunk can carry traffic and a description for the VLAN.

  • Switchport Trunk Native Vlan: Enter the number of the VLAN allowed to carry untagged traffic.

Shutdown

Enable the interface. By default, an interface is disabled.

Speed

Enter the speed of the interface.

Duplex

Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode.

Port Control

Choose the port control mode to enable IEEE 802.1X port-based authentication on the interface.

• auto: Enables IEEE 802.1X authentication and starts the port in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and starts relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by using the supplicant MAC address.

• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

• force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client.

Voice VLAN

Enter the Voice VLAN ID.

Pae Enable

The Cisco Catalyst SD-WAN device acts as a port access entity (PAE), allowing authorized network traffic and preventing unauthorized network traffic ingressing to and egressing from the controlled port.

MAC Authentication Bypass

Enable this option to allow MAC authentication bypass (MAB) on the RADIUS server and to authenticate non-IEEE 802.1X–compliant clients using a RADIUS server.

Host Mode

Choose whether an IEEE 802.1X interface grants access to a single host (client) or to multiple hosts (clients).

• single-host: Grant access only to the first authenticated host. This is the default.

• multi-auth: Grant access to one host on a voice VLAN and multiple hosts on data VLANs.

• multi-host: Grant access to multiple hosts.

• multi-domain: Grant access to both a host and a voice device, such as an IP phone on the same switch port.

Enable Periodic Reauth

Enable periodic re-authentication. By default, this option is enabled.

Inactivity

Enter the inactivity timeout time in seconds.

Default: 60 seconds

Reauthentication

Enter the re-authentication interval in seconds.

Control Direction

Choose both (bidirectional) or in (unidirectional) authorization mode.

Restricted VLAN

Enter the restricted VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure limited services to IEEE 802.1X-compliant clients that failed RADIUS authentication.

Guest VLAN

Enter the guest VLAN to drop non-IEEE 802.1X enabled clients, if the client is not in the MAB list.

Critical VLAN

Enter the critical VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure network access when RADIUS authentication or the RADIUS server fails.

Enable Voice

Enable the critical voice VLAN.

Configure Static Mac Address

MAC Address

Enter the static MAC address to map to the switch port interface.

Interface Name

Enter the name of the switch port interface.

VLAN ID

Enter the number of the VLAN for the switch port.

Tracker Name*

Name of the tracker. The name can be up to 128 alphanumeric characters.

Endpoint Tracker Type*

Choose a tracker type to configure endpoint trackers:

• http

Endpoint

Choose an endpoint type:

• Endpoint IP: When you choose this option, the following field appears:

  Endpoint IP: IP address of the endpoint. This is the destination on the internet to which the probes are sent to determine the status of an endpoint.

• Endpoint DNS Name: When you choose this option, the following field appears:

  Endpoint DNS Name: DNS name of the endpoint. This is the destination on the internet to which probes are sent to determine the status of the endpoint. The DNS name can contain a minimum of one character and a maximum of 253 characters.

• Endpoint API URL:

  When you choose this option, the following field appears:

  API URL of endpoint*: API URL for the endpoint of the tunnel. This is the destination on the internet to which probes are sent to determine the status of the endpoint.

Interval

Time interval between probes to determine the status of the configured endpoint.

Range: 20 to 600 seconds

Default: 60 seconds (1 minute).

Multiplier

Number of times probes are sent before declaring that the endpoint is down.

Range: 1 to 10

Default: 3

Threshold

Wait time for the probe to return a response before declaring that the configured endpoint is down.

Range: 100 to 1000 milliseconds

Default: 300 milliseconds

Tracker Elements*

This field is displayed only if you chose Tracker-group as the tracker type. Add the existing interface tracker names, separated by a space. When you add this tracker to the template, the tracker group is associated with these individual trackers, and you can then associate the tracker group to a static route.

The tracker name must not contain capital letters and special characters.

Tracker Boolean

From the drop-down list, choose Global. This field is displayed only if you chose tracker-group as the Tracker Type. By default, the OR option is selected. Choose AND or OR.

OR ensures that the static route status is reported as active if either one of the associated trackers of the tracker group report that the route is active.

If you select AND, the static route status is reported as active if both the associated trackers of the tracker group report that the route is active.

Enable 2.4G*

Disable this option to shut down the radio type of 2.4 GHz.

Default: Enabled

Enable 5G*

Disable this option to shut down the radio type of 5 GHz.

Default: Enabled

Country*

Choose the country where the router is installed.

Username*

Specify the username of Cisco Mobility Express.

Password*

Specify the password of Cisco Mobility Express.

ME Dynamic IP*

Enable this option so that the interface receives its IP address dynamically from a DHCP server.

ME IP Address

Specify the IP address of Cisco Mobility Express.

Subnet Mask

Specify the subnet mask of Cisco Mobility Express.

Default Gateway

Specify the default gateway address of Cisco Mobility Express.

Add SSID

SSID Name*

Enter a name for the wireless SSID.

It can be a string from 4 to 32 characters. The SSID must be unique.

Admin State*

Enable this option to indicate that the interface has been configured.

Broadcast SSID*

Enable this option if you want to broadcast the SSID. Disable this option if you do not want the SSID to be visible to all the wireless clients.

VLAN (Range 1-4094)*

Enter a VLAN ID for the wireless LAN traffic.

Radio Type

Choose one of the following radio types:

• 2.4GHz

• 5GHz

• All

Security Type*

Choose a security type:

• WPA2 Enterprise: Choose this option for an enterprise where you authenticate and authorize network users with a remote RADIUS server.

• WPA2 Personal: Choose this option to authenticate users who want to access the wireless network using a passphrase.

• Open: Choose this option to allow access to the wireless network without authentication.

Passphrase*

This field is available if you choose WPA2 Personal as the security type. Set a pass phrase. This pass phrase provides users access to the wireless network.

QoS Profile

Choose a QoS profile.

Interface Name

Enter the name of the multilink interface.

Multilink Group Number *

Enter the number of the multilink group. It must be the same as the number you enter in the multilink interface name parameter.

Range: 1 through 65535

PPP Authentication Protocol

Select the authentication protocol used by the multilink interface:

• CHAP: Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 255 characters.

• PAP: Enter the username and password provided by your ISP. username can be up to 255 characters.

• PAP and CHAP: Configure both authentication protocols. Enter the login credentials for each protocol. To use the same username and password for both, click Same Credentials for PAP and CHAP.

Hostname *

Enter hostname for PPP CHAP Authentication.

CHAP Password *

Enter password for PPP CHAP Authentication.

IPv4 Address *

To configure a static address, click Static and enter an IPv4 address.

To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server.

Default: 1

Mask

Choose a value for the subnet mask.

IPv6 Address *

To configure a static address for an interface in VPN 0, click Static and enter an IPv6 address.

To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. The default DHCP distance is 1. You can optionally enable DHCP rapid commit, to speed up the assignment of IP addresses.

Add T1/E1 Interface

T1

Description

Enter a description for the T1controller.

Slot*

Enter the number of the slot in slot/subslot/port format, where the T1 NIM is installed. For example, 0/1/0.

Framing

Enter the T1 frame type:

• esf: Send T1 frames as extended superframes. This is the default.

• sf: Send T1 frames as superframes. Superframing is sometimes called D4 framing.

Clock Source

Select the clock source:

• line: Use phase-locked loop (PLL) on the interface. This is the default. When both T1 ports use line clocking and neither port is configured as the primary, by default, port 0 is the primary clock source and port 1 is the secondary clock source.

• internal: Use the controller framer as the primary clock.

Line Code

Select the line encoding to use to send T1 frames:

• ami: Use alternate mark inversion (AMI) as the linecode. AMI signaling uses frames grouped into superframes.

• b8zs: Use bipolar 8-zero substitution as the linecode. This is the default. B8ZS uses frames that are grouped into extended superframes.

Cable Length

Select the cable length to configure the attenuation

• short: Set the transmission attenuation for cables that are 660 feet or shorter.

• long: Attenuate the pulse from the transmitter using pulse equalization and line buildout. You can configure a long cable length for cables longer that 660 feet.

There is no default length.

E1

Description

Enter a description for the E1 controller.

Slot*

Enter the number of the slot in slot/subslot/port format, where the E1 NIM is installed. For example, 0/1/0.

Framing

Enter the E1 frame type:

• crc4: Use cyclic redundancy check 4 (CRC4). This is the default.

• no-crc4: Do no use CRC4.

Clock Source

Select the clock source:

• line: Use phase-locked loop (PLL) on the interface. This is the default. When both E1 ports use line clocking and neither port is configured as the primary, by default, port 0 is the primary clock source and port 1 is the secondary clock source.

• internal: Use the controller framer as the primary clock.

Line Code

Select the line encoding to use to send E1 frames:

• ami: Use alternate mark inversion (AMI) as the linecode.

• hdb3: Use high-density bipolar 3 as the linecode. This is the default.

Add Channel Group

Channel Group

To configure the serial WAN on the interface, enter a channel group number.

Range: 0 through 30

Time Slot

To configure the serial WAN on the interface, enter a value for the timeslot.

Range: 0 through 31

Add New A/S Serial Interface

Interface Name

Enter the name of the serial interface.

Description

Enter a description for the serial interface.

Bandwidth

For transmitted traffic, set the bandwidth above which to generate notifications.

Clock Rate

Specify a value for the clock rate.

Range: 1200 through 800000

Color

Choose a color for the TLOC.

Color Description

Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1

Enter a description associated to the TLOC color.

Restrict

Enable this option to drop packets when a tunnel to the service is unreachable.

Groups

Enter the list of groups in the field.

Border

From the drop-down list, select Global. Click On to set TLOC as border TLOC.

Maximum Control Connections

Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 8

Default: 2

Validator As Stun Server

Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the router is located behind a NAT.

Exclude Controller Group List

Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to.

Range: 0 through 100

Cisco SD-WAN Manager Connection Preference

Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager.

Range: 0 through 8

Default: 5

Full Port Hop

Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a

Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the next port if the current port is blocked or non-functional.

Default: Disabled

Port Hop

From the drop-down list, select Global. Click Off to allow port hopping on tunnel interface.

Default: On, which disallows port hopping on tunnel interface

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.18.1a, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field.

Low-Bandwidth Link

Click On to set the tunnel interface as a low-bandwidth link.

Default: Off

Network Broadcast

From the drop-down list, select Global. Click On to accept and respond to network-prefix-directed broadcasts. Enable this parameter only if the Directed Broadcast is enabled on the LAN interface feature template.

Default: Off

Tunnel TCP MSS

TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. To configure TCP MSS, provide a value that is 40 bytes lower than the minimum path MTU.

Specify the MSS of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Ingress ACL - IPv4

Enter the name of an IPv4 access list to packets being received on the interface.

Egress ACL - IPv4

Enter the name of an IPv4 access list to packets being transmitted on the interface.

Igress ACL - IPv6

Enter the name of an IPv6 access list to packets being received on the interface.

Egress ACL - IPv6

Enter the name of an IPv6 access list to packets being transmitted on the interface.

Shutdown

Click No to enable the multilink interface.

Description

Enter a description for the multilink interface.

PPP Authentication Type

Select the type authentication from one of the following options.:

• Unidirectional: The server initiates the authentication.

• Bidirectional: Both the client and the server can initiate the authentication.

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 through 1460 bytes

Default: 536

Disable Fragmentation

Click On to disable fragmentation for PPP Multilink Protocol data units (PDUs).

Fragment Max Delay

Configure the delay between the transmission of fragments in a PPP Multilink Protocol link.

Range: 0 through 1000

Default: No CLI Command

Interleaving Fragments

Enable interleave fragmentation for PPP Multilink Protocol data units (PDUs).

TLOC Extension

Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration binds the service-side interface to the WAN transport by enabling a device to access the opposite WAN transport connected to the neighbouring device using a TLOC-extension interface.

IP MTU

Specify the maximum MTU size of packets on the interface. MLP encapsulation adds 6 extra bytes (4 header, 2 checksum) to each outbound packet. These overhead bytes reduce the effective bandwidth on the connection; therefore, the throughput for an MLP bundle is slightly less than an equivalent bandwidth connection that is not using MLP.

Range: 576 through 1804

Default: 1500 bytes

IP Directed-Broadcast

Enable the translation of a directed broadcast to physical broadcasts.

Shaping Rate (Kbps)

Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).