Information about the Service profile
This section describes the features available in the Service profile.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This section describes the features available in the Service profile.
See Configure ACLs Using a Configuration Group.
In the Add Feature window, choose ACL IPv4 from the drop-down list.
Enter the Feature Name and the Description for the ACL feature.
Click Add ACL Sequence. The Add ACL Sequence window appears.
Enter the name in the ACL Sequence Name field.
Select the required condition from the Condition drop-down list.
Select the action types Accept or Reject from the Action Type drop-down list.
For the Accept action type, choose the accept condition from the Accept Condition drop-down list.
Click Save.
To copy, delete, or rename the ACL policy sequence rule, click ... next to the rule's name and select the desired option.
If no packets match any of the ACL policy sequence rules, the default action is to drop the packets. To change the default action:
Click Default Action in the left pane.
Click the Pencil icon.
Change the default action to Accept.
Click Save.
Click Save ACL IPv4 Policy.
The following table describe the options for configuring the ACL IPv4 feature.
Field |
Description |
---|---|
ACL Sequence Name |
Specifies the name of the ACL sequence. |
Condition |
Specifies the ACL condition. The options are:
|
Action Type |
Specifies the action type. The options are: Accept or Reject. |
Accept Condition |
Specifies the accept condition type. The options are:
|
You can select the specific ACL sequence in the ACL Policy window to edit, delete or add.
![]() Note |
You can also configure ACL Policy features from Transport and Service Profile configuration groups. |
See Configure ACLs Using a Configuration Group.
In the Add Feature window, choose ACL IPv6 from the drop-down list.
Enter the Feature Name and the Description for the ACL feature.
Click Add ACL Sequence. The Add ACL Sequence window appears.
Enter the name in the ACL Sequence Name field.
Select the required condition from the Condition drop-down list.
Select the action types Accept or Reject from the Action Type drop-down list.
For the Accept action type, choose the accept condition from the Accept Condition drop-down list.
Click Save.
To copy, delete, or rename the ACL policy sequence rule, click ... next to the rule's name and select the desired option.
If no packets match any of the route policy sequence rules, the default action is to drop the packets. To change the default action:
Click Default Action in the left pane.
Click the Pencil icon.
Change the default action to Accept.
Click Save.
Click Save ACL IPv6 Policy.
The following table describe the options for configuring the ACL IPv6 feature.
Field |
Description |
---|---|
ACL Sequence Name |
Specifies the name of the ACL sequence. |
Condition |
Specifies the ACL condition. The options are:
|
Action Type |
Specifies the action type. The options are: Accept or Reject. |
Accept Condition |
Specifies the accept condition type. The options are:
|
You can select the specific ACL sequence in the ACL Policy window to edit, delete or add.
![]() Note |
You can also configure ACL Policy features from Transport and Service Profile configuration groups. |
Use the AppQoE feature to deploy and manage your SD-WAN network more efficiently by optimizing traffic based on sites and applications.
The following table describes the options for configuring the AppQoE feature.
Field |
Description |
||
---|---|---|---|
Device AppQoE Role * |
|||
Service Node |
Choose the Service Node option if you want to configure the device as a service node.
|
||
Forwarder: |
Choose Forwarder if you want to configure the device as a forwarder. The forwarder redirects traffic to other service nodes.
|
Field |
Description |
---|---|
DRE Optimisation |
Enable DRE optimisation |
Resource Profile |
Choose Global to choose a profile size from the options available in the drop-down list. Choose Defaultto apply the default DRE profile size for the device. Choose Device Specific to enter a value for the profile. |
Use the Border Gateway Protocol (BGP) feature for service-side routing to provide reachability to networks at the local site.
See Configure BGP Routing in a Service Profile Using a Configuration Group.
Field |
Description |
---|---|
AS Number |
Enter the local AS number. |
Router ID |
Enter the BGP router ID, in decimal four-part dotted notation. |
Propagate AS Path |
Enable this option to carry BGP AS path information into OMP. |
Propagate Community |
Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution. |
External Routes Distance |
Specify the BGP route administrative distance for routes learned from other sites in the overlay network. Range: 1 through 255 Default: 20 |
Internal Routes Distance |
Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another. Range: 1 through 255 Default: 200 |
Local Routes Distance |
Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP. Range: 1 through 255 Default: 20 |
Field |
Description |
---|---|
IPv4 Settings |
|
Maximum Paths |
Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing. Range: 0 to 32 |
Originate |
Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers. |
Redistribute |
|
Protocol* |
Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat. At a minimum, choose omp. By default, OMP routes are not redistributed into BGP. |
Route Policy |
Enter the name of the route policy to apply to redistributed routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Network |
|
Network Prefix* |
Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0. |
Aggregate Address |
|
Aggregate Prefix* |
Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0. |
AS Set Path |
Enable this option to generate set path information for the aggregated prefixes. |
Summary Only |
Enable this option to filter out more specific routes from BGP updates. |
Table Map |
|
Policy Name |
Enter the route map that controls the downloading of routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Filter |
When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map. When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map. |
IPv6 Settings |
|
Maximum Paths |
Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing. Range: 0 to 32 |
Originate |
Enable this option to allow the default route to be artificially generated and injected into the BGP RIB, regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers. |
Redistribute |
|
Protocol* |
Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp. At a minimum, choose omp. By default, OMP routes are not redistributed into BGP. |
Route Policy |
Enter the name of the route policy to apply to redistributed routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Network |
|
Network Prefix* |
Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64. |
Aggregate Address |
|
Aggregate Prefix* |
Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64. |
AS Set Path |
Enable this option to generate set path information for the aggregated prefixes. |
Summary Only |
Enable this option to filter out more specific routes from BGP updates. |
Table Map |
|
Policy Name* |
Enter the route map that controls the downloading of routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Filter |
When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map. When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map. |
Field |
Description |
---|---|
IPv4 Settings |
|
Address* |
Specify the IP address of the BGP neighbor. |
Description |
Enter a description of the BGP neighbor. |
Remote AS* |
Enter the AS number of the remote BGP peer. |
Interface Name |
Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface. |
Allowas in Number |
Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used. |
AS Override |
Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router. |
Shutdown |
Disable this option to enable BGP for the VPN. |
Advanced Options |
|
Next-Hop Self |
Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor. |
Send Community |
Enable this option to send the BGP community attribute of the local router to the BGP neighbor. |
Send Extended Community |
Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor. |
EBGP Multihop |
Set the time to live (TTL) for BGP connections to external peers. Range: 1 to 255 Default: 1 |
Password |
Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number. |
Keepalive Time (seconds) |
Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time. Range: 0 through 65535 seconds Default: 60 seconds (one-third the hold-time value) |
Hold Time (seconds) |
Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time. Range: 0 through 65535 seconds Default: 180 seconds (three times the keepalive time) |
Send Label |
Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates. |
Add Neighbor Address Family |
|
Family Type* |
Choose the BGP IPv4 unicast address family. |
In Route Policy |
Specify the name of a route policy to apply to prefixes received from the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Out Route Policy |
Specify the name of a route policy to apply to prefixes sent to the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Maximum Prefix Reach Policy* |
Choose one of the following options:
|
IPv6 Settings |
|
Address* |
Specify the IP address of the BGP neighbor. |
Description |
Enter a description of the BGP neighbor. |
Remote AS* |
Enter the AS number of the remote BGP peer. |
Interface Name |
Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface. |
Allowas in Number |
Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used. |
AS Override |
Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router. |
Shutdown |
Disable this option to enable BGP for the VPN. |
Advanced Options |
|
Next-Hop Self |
Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor. |
Send Community |
Enable this option to send the BGP community attribute of the local router to the BGP neighbor. |
Send Extended Community |
Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor. |
EBGP Multihop |
Set the time to live (TTL) for BGP connections to external peers. Range: 1 to 255 Default: 1 |
Password |
Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number. |
Keepalive Time (seconds) |
Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time. Range: 0 through 65535 seconds Default: 60 seconds (one-third the hold-time value) |
Hold Time (seconds) |
Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time. Range: 0 through 65535 seconds Default: 180 seconds (three times the keepalive time) |
Add IPv6 Neighbor Address Family |
|
Family Type* |
Choose the BGP IPv6 unicast address family. |
In Route Policy |
Specify the name of a route policy to apply to prefixes received from the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Out Route Policy |
Specify the name of a route policy to apply to prefixes sent to the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Maximum Prefix Reach Policy* |
Choose one of the following options:
|
See Configure BGP Routing in a Transport Profile Using a Configuration Group.
This feature helps you configure the Border Gateway Protocol (BGP) routing in VPN 0 or the WAN VPN.
For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:
Field |
Description |
---|---|
AS Number |
Enter the local AS number. |
Router ID |
Enter the BGP router ID, in decimal four-part dotted notation. |
Propagate AS Path |
Enable this option to carry BGP AS path information into OMP. |
Propagate Community |
Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution. |
External Routes Distance |
Specify the BGP route administrative distance for routes learned from other sites in the overlay network. Range: 1 through 255 Default: 20 |
Internal Routes Distance |
Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another. Range: 1 through 255 Default: 200 |
Local Routes Distance |
Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP. Range: 1 through 255 Default: 20 |
Field |
Description |
---|---|
IPv4 Settings |
|
Maximum Paths |
Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing. Range: 0 to 32 |
Originate |
Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers. |
Redistribute |
|
Protocol* |
Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat. At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors. Route policy is not supported in Cisco vManage Release 20.9.1. |
Route Policy |
Enter the name of the route policy to apply to redistributed routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Network |
|
Network Prefix* |
Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0. |
Aggregate Address |
|
Aggregate Prefix* |
Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0. |
AS Set Path |
Enable this option to generate set path information for the aggregated prefixes. |
Summary Only |
Enable this option to filter out more specific routes from BGP updates. |
Table Map |
|
Policy Name |
Enter the route map that controls the downloading of routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Filter |
When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map. When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map. |
IPv6 Settings |
|
Maximum Paths |
Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing. Range: 0 to 32 |
Originate |
Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers. |
Redistribute |
|
Protocol* |
Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp. At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors. Route policy is not supported in Cisco vManage Release 20.9.1. |
Route Policy |
Enter the name of the route policy to apply to redistributed routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Network |
|
Network Prefix* |
Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64. |
Aggregate Address |
|
Aggregate Prefix* |
Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64. |
AS Set Path |
Enable this option to generate set path information for the aggregated prefixes. |
Summary Only |
Enable this option to filter out more specific routes from BGP updates. |
Table Map |
|
Policy Name |
Enter the route map that controls the downloading of routes. Route policy is not supported in Cisco vManage Release 20.9.1. |
Filter |
When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map. When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map. |
Field |
Description |
---|---|
Interface Name* |
Enter a name for the MPLS interface. |
Field |
Description |
---|---|
IPv4 Settings |
|
Address* |
Specify the IP address of the BGP neighbor. |
Description |
Enter a description of the BGP neighbor. |
Remote AS* |
Enter the AS number of the remote BGP peer. |
Interface Name |
Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface. |
Allows in Number |
Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used. |
AS Override |
Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router. |
Shutdown |
Disable this option to enable BGP for the VPN. |
Advanced Options |
|
Next-Hop Self |
Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor. |
Send Community |
Enable this option to send the BGP community attribute of the local router to the BGP neighbor. |
Send Extended Community |
Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor. |
EBGP Multihop |
Set the time to live (TTL) for BGP connections to external peers. Range: 1 to 255 Default: 1 |
Password |
Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number. |
Keepalive Time (seconds) |
Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time. Range: 0 through 65535 seconds Default: 60 seconds (one-third the hold-time value) |
Hold Time (seconds) |
Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time. Range: 0 through 65535 seconds Default: 180 seconds (three times the keepalive time) |
Send Label |
Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates. |
Add Neighbor Address Family |
|
Family Type* |
Choose the BGP IPv4 unicast address family. |
In Route Policy |
Specify the name of a route policy to apply to prefixes received from the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Out Route Policy |
Specify the name of a route policy to apply to prefixes sent to the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Maximum Prefix Reach Policy* |
Choose one of the following options:
|
IPv6 Settings |
|
Address* |
Specify the IP address of the BGP neighbor. |
Description |
Enter a description of the BGP neighbor. |
Remote AS* |
Enter the AS number of the remote BGP peer. |
Interface Name |
Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface. |
Allowas in Number |
Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used. |
AS Override |
Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router. |
Shutdown |
Disable this option to enable BGP for the VPN. |
Advanced Options |
|
Next-Hop Self |
Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor. |
Send Community |
Enable this option to send the BGP community attribute of the local router to the BGP neighbor. |
Send Extended Community |
Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor. |
EBGP Multihop |
Set the time to live (TTL) for BGP connections to external peers. Range: 1 to 255 Default: 1 |
Password |
Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number. |
Keepalive Time (seconds) |
Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time. Range: 0 through 65535 seconds Default: 60 seconds (one-third the hold-time value) |
Hold Time (seconds) |
Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time. Range: 0 through 65535 seconds Default: 180 seconds (three times the keepalive time) |
Add IPv6 Neighbor Address Family |
|
Family Type* |
Choose the BGP IPv6 unicast address family. |
In Route Policy |
Specify the name of a route policy to apply to prefixes received from the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Out Route Policy |
Specify the name of a route policy to apply to prefixes sent to the neighbor. Route policy is not supported in Cisco vManage Release 20.9.1. |
Maximum Prefix Reach Policy* |
Choose one of the following options:
|
Field |
Description |
---|---|
Keepalive (seconds) |
Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. This keepalive time is the global keepalive time. Range: 0 through 65535 seconds Default: 60 seconds (one-third the hold-time value) |
Hold Time (seconds) |
Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. This hold time is the global hold time. Range: 0 through 65535 seconds Default: 180 seconds (three times the keepalive time) |
Compare MED |
Enable this option to compare the router IDs among BGP paths to determine the active path. |
Deterministic MED |
Enable this option to compare MEDs from all routes received from the same AS regardless of when the route was received. |
Missing MED as Worst |
Enable this option to consider a path as the worst path if the path is missing a MED attribute. |
Compare Router ID |
Enable this option to always compare MEDs regardless of whether the peer ASs of the compared routes are the same. |
Multipath Relax |
Enable this option to have the BGP best-path process select from routes in different ASs. By default, when you are using BGP multipath, the BGP best-path process selects from routes in the same AS to load-balance across multiple paths. |
This feature allows an interface to be configured as a DHCP helper so that it forwards the broadcast DHCP requests that it receives from the DHCP servers.
For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:
Field |
Description |
---|---|
Address Pool* |
Enter the IPv4 prefix range, in the format prefix/length, for the pool of addresses in the service-side network for which the router interface acts as the DHCP server. |
Exclude |
Enter one or more IP addresses to exclude from the DHCP address pool. To specify multiple individual addresses, list them separated by a comma. To specify a range of addresses, separate them with a hyphen. |
Lease Time(seconds) |
Specify how long a DHCP-assigned IP address is valid. Range: 60 through 31536000 seconds Default: 86400 |
Field |
Description |
---|---|
Add Static Lease |
|
MAC Address* |
Enter the MAC address of the client to which the static IP address is being assigned. |
IP* |
Enter the static IP address to assign to the client. |
Field |
Description |
---|---|
Add Option Code |
|
Code* |
Configure the option code. Range: 1-254 |
Type |
Choose one of the three types:
|
Field |
Description |
---|---|
Interface MTU |
Specify the maximum MTU size of packets on the interface. Range: 68 to 65535 bytes |
Domain Name |
Specify the domain name that the DHCP client uses to resolve hostnames. |
Default Gateway |
Enter the IP address of a default gateway in the service-side network. |
DNS Servers |
Enter one or more IP address for a DNS server in the service-side network. Separate multiple entries with a comma. You can specify up to eight addresses. |
TFTP Servers |
Enter the IP address of a TFTP server in the service-side network. You can specify one or two addresses. If two, separate them with a comma. |
This feature helps you configure the high-availability feature in Cisco Catalyst SD-WAN using the Cisco IOS XE Catalyst SD-WAN devices.
See Configure Dual Router High Availability Using a Configuration Group
The following table describes the options for configuring the high-availability feature on Cisco IOS XE Catalyst SD-WAN devices.
Field |
Description |
---|---|
Name |
Enter a name for the high availability feature profile. |
Description |
Enter a description for the high availability feature profile. |
VPN |
Displays all available service-side VPNs. |
EdgeDevice_01 |
When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby. |
EdgeDevice_02 |
When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby. |
None |
Set the status to None for VPNs that are not configured for High Availability. |
Preempt to home router |
Click to allow the configured active Cisco IOS XE Catalyst SD-WAN device to automatically reclaim the active role upon recovery from a failure. |
Optimize paths after switchover |
Click to enable OMP Affinity to optimize routing paths after a failover. |
Use the EIGRP routing feature to configure a routing process and specify which networks the protocol should run over.
See Configure EIGRP Routing Using a Configuration Group
Parameter Name |
Description |
---|---|
Autonomous System ID * |
Enter the local autonomous system (AS) number. Range: 1 through 65535 Default: None |
Network |
|
IP Address* |
Enter the IPv4 address. |
Mask* |
Enter the subnet mask. |
Interface |
|
Add Interface |
Provide values for the following fields:
|
Parameter Name |
Description |
||
---|---|---|---|
Protocol * |
Select one of the protocols from which to redistribute routes into EIGRP, for all EIGRP sessions:
|
||
Route Policy * |
Enter the name of the route policy to apply to redistributed routes. |
Parameter |
Description |
|
---|---|---|
MD5* |
MD5 Key ID: Enter an MD5 key ID to compute an MD5 hash over the contents of the EIGRP packet using that value. |
|
MD5 Authentication Key: Enter an MD5 authentication key to use an encoded MD5 checksum in the transmitted packet. |
||
Authentication Key: A 256-byte unique key that is used to compute the Hashed Message Authentication Code (HMAC) and is known both by the sender and the receiver of the message. |
||
HMAC-SHA-256 |
Authentication Key: A 256-byte unique key that is used to compute the HMAC and is known both by the sender and the receiver of the message. |
Parameter Name |
Description |
---|---|
Hold Time (seconds) |
Set the interval after which EIGRP considers a neighbor to be down. The local router then terminates the EIGRP session to that peer. This acts as the global hold time. Range: 0 through 65535 Default: 15 seconds |
Hello Interval (seconds) |
Set the interval at which the router sends EIGRP hello packets. Range: 0 through 65535 Default: 5 seconds |
Route Policy |
Enter the name of an EIGRP route policy. |
Filter |
Toggle ON to filter routes that do not match the policy. |
Use the EIGRP routing feature to configure a routing process and specify which networks the protocol should run over.
Parameter Name |
Description |
---|---|
Autonomous System ID * |
Enter the local autonomous system (AS) number. Range: 1 through 65535 Default: None |
Network |
|
IP Address* |
Enter the IPv4 address. |
Mask* |
Enter the subnet mask. |
Interface |
|
Add Interface |
Provide values for the following fields:
|
Parameter Name |
Description |
||
---|---|---|---|
Protocol * |
Select one of the protocols from which to redistribute routes into EIGRP, for all EIGRP sessions:
|
||
Route Policy * |
Enter the name of the route policy to apply to redistributed routes. |
Parameter |
Description |
|
---|---|---|
MD5* |
MD5 Key ID: Enter an MD5 key ID to compute an MD5 hash over the contents of the EIGRP packet using that value. |
|
MD5 Authentication Key: Enter an MD5 authentication key to use an encoded MD5 checksum in the transmitted packet. |
||
Authentication Key: A 256-byte unique key that is used to compute the Hashed Message Authentication Code (HMAC) and is known both by the sender and the receiver of the message. |
||
HMAC-SHA-256 |
Authentication Key: A 256-byte unique key that is used to compute the HMAC and is known both by the sender and the receiver of the message. |
Parameter Name |
Description |
---|---|
Hold Time (seconds) |
Set the interval after which EIGRP considers a neighbor to be down. The local router then terminates the EIGRP session to that peer. This acts as the global hold time. Range: 0 through 65535 Default: 15 seconds |
Hello Interval (seconds) |
Set the interval at which the router sends EIGRP hello packets. Range: 0 through 65535 Default: 5 seconds |
Route Policy |
Enter the name of an EIGRP route policy. |
Filter |
Toggle ON to filter routes that do not match the policy. |
This feature helps you configure the Ethernet interface on a service VPN (range 1 – 65527, except 512).
The following table describes the options for configuring the Ethernet Interface feature.
Field |
Description |
---|---|
Type |
Choose a feature from the drop-down list. |
Feature Name* |
Enter a name for the feature. |
Description |
Enter a description of the feature. The description can contain any characters and spaces. |
Associated VPN |
The service VPN. |
Field |
Description |
---|---|
Shutdown |
Enable or disable the interface. |
Interface Name |
Enter a name for the interface. Spell out the interface names completely (for example, GigabitEthernet0/0/0). Configure all the interfaces of the router, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured. |
Description |
Enter a description for the interface. |
IPv4 Settings |
Configure an IPv4 VPN interface.
|
Dynamic DHCP Distance |
Enter an administrative distance value for routes learned from a DHCP server. This option is available when you choose Dynamic. Default: 1 |
IP Address |
Enter a static IPv4 address. This option is available when you choose Static. |
Subnet Mask |
Enter the subnet mask. |
Add Secondary IP Address |
Enter up to four secondary IPv4 addresses for a service-side interface.
|
DHCP Helper |
To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers. |
IPv6 Settings |
Configure an IPv6 VPN interface.
|
IPv6 Address Primary |
Enter a static IPv6 address. This option is available when you choose Static. |
Add Secondary Ipv6 |
Enter up to two secondary IPv6 addresses for a service-side interface. |
Add DHCP Helper |
|
DHCPv6 Helper* |
To designate the interface as a DHCP helper on a router, enter up to eight IP addresses for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers. |
DHCPv6 Helper VPN |
Enter the VPN ID of the VPN source interface for the DHCP helper. |
Field |
Description |
||
---|---|---|---|
IPv4 Settings |
|||
Add Vrrp Ipv4 |
|||
Group ID* |
Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups. Range: 1 through 255 |
||
Priority* |
Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router. Range: 1 through 254 Default: 100 |
||
Timer* |
Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router . Range: 100 through 40950 seconds Default: 100 seconds |
||
Track OMP* |
When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.
|
||
Prefix List |
Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router. |
||
IP Address* |
Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP. |
||
Tloc Prefix Change* |
Enable or disable this option to set whether the TLOC preference can be changed or not. |
||
Tloc Prefix Change Value |
Enter the TLOC preference change value. Range: 100 to 4294967295 |
||
Add VRRP IP Address Secondary |
|||
IP Address* |
Enter an IP address for the secondary VRRP router. |
||
Subnet Mask |
Enter the subnet mask. |
||
Add VRRP Tracking Object |
|||
Tracker ID* |
Enter the interface object ID or object group tracker ID. |
||
Tracker Action* |
Choose one of the options:
|
||
Decrement Value* |
Enter a decrement value. Range: 1-255 |
||
IPv6 Settings |
|||
Add Vrrp Ipv6 |
|||
Group ID* |
Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups. Range: 1 through 255 |
||
Priority* |
Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router. Range: 1 through 254 Default: 100 |
||
Timer* |
Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router . Range: 100 through 40950 seconds Default: 100 seconds |
||
Track OMP* |
When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session. |
||
Track Prefix List |
Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router. |
||
Link Local IPv6 Address* |
Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8. |
||
Global IPv6 Prefix |
Enter a virtual global unicast IPv6 address, which represents the global address of the group. The address should be an IPv6 global prefix address that has the same mask as the interface forwarding address on which the VRRP group is configured. For example, 2001::2/124. You can configure up to three global IPv6 addresses. |
Field |
Description |
---|---|
Add ARP |
|
IP Address* |
Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name. |
MAC Address* |
Enter the MAC address in colon-separated hexadecimal notation. |
Field |
Description |
---|---|
Enable SGT Propogation |
Enable this option to use the Cisco TrustSec Security Group Tag (SGT) propagation feature. |
Propagate |
Enable this option to propagate SGT in Cisco Catalyst SD-WAN. |
Security Group Tag |
Enter a value that can be used as a tag. Range: 2 to 65519 |
Trusted |
Enable the trusted option. When you enable this option, the SGT value received in the Ethernet packet on this interface is trusted and is used by the device for any security group aware policy enforcement. |
Enable Enforcement |
Enable this option to start SGT enforcement on the interface. |
Enforced Security Group Tag |
Enter a value that can be used as a tag for enforcement. Range: 2 to 65519 |
Field |
Description |
---|---|
Duplex |
Specify whether the interface runs in full-duplex or half-duplex mode. Default: full |
MAC Address |
Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation. |
IP MTU |
Specify the maximum MTU size of packets on the interface. Range: 576 through 9216 Default: 1500 bytes |
Interface MTU |
Enter the maximum transmission unit size for frames received and transmitted on the interface. Range: 1500 through 1518 (GigabitEthernet0), 1500 through 9216 (other GigabitEthernet) Default: 1500 bytes |
TCP MSS |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 500 to 1460 bytes Default: None |
Speed |
Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation. Values: 10, 100, 1000, 2500, or 10000 Mbps |
ARP Timeout |
ARP timeout controls how long we maintain the ARP cache on a router. Specify how long it takes for a dynamically learned ARP entry to time out. Range: 0 through 2147483 seconds Default: 1200 seconds |
Autonegotiate |
Enable this option to turn on autonegotiation. |
Media Type |
Specify the physical media connection type on the interface. Choose one of the following:
|
Load Interval |
Enter an interval value for interface load calculation. |
Tracker |
Static-route tracking for service VPNs enables you to track the availability of the configured endpoint address to determine if the static route can be included in the routing table of a device. Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device. |
ICMP Redirect Disable |
ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway. By default, an interface allows ICMP redirect messages. |
XConnect |
Enter the name of a physical interface on the same router that connects to the WAN transport. |
IP Directed Broadcast |
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet. A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast. If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet. |
Use the service VPN Interface GRE feature for all Cisco vEdge Cloud and Cisco vEdge router devices.
See Configure GRE on Service Side Using a Configuration Group
The following tables describe the options for configuring the service VPN Interface GRE feature.
Field |
Description |
---|---|
Interface Name (1..255)* |
Enter the name of the GRE interface, in the format grenumber. The value for number can be from 1 through 255. |
Interface Description |
Enter a description of the GRE interface. |
Tunnel Mode |
Choose from one of the following GRE tunnel modes:
|
Preshared Key for IKE | Enter the preshared key (PSK) for authentication. |
Field |
Description |
||
---|---|---|---|
Source |
Enter the source of the GRE interface:
|
||
Destination |
Enter the source of the GRE interface:
|
Field |
Description |
---|---|
IKE Version |
Enter 1 to choose IKEv1. Enter 2 to choose IKEv2. Default: IKEv1 |
IKE Integrity Protocol |
Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
Default: Main mode |
IKE Rekey Interval |
Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days) Default: 14400 seconds (4 hours) |
IKE Cipher Suite |
Specify the type of authentication and encryption to use during IKE key exchange.
Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2 Default: aes256-cbc-sha1 |
IKE Diffie-Hellman Group |
Specify the Diffie-Hellman group to use in IKE key exchanges.
Values: 2, 14, 15, 16, 19, 20, 21, 24 Default: 16 |
IKE ID for Local End Point |
If the remote IKE peer requires a local endpoint identifier, specify it.
Range: 1 through 64 characters Default: Source IP address of the tunnel |
IKE ID for Remote End Point |
If the remote IKE peer requires a remote end point identifier, specify it.
Range: 1 through 64 characters Default: Destination IP address of the tunnel There is no default option if you have chosen IKEv2. |
Field |
Description |
---|---|
IPsec Rekey Interval (Seconds) |
Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days) Default: 3600 seconds |
IPsec Replay Window |
Specify the replay window size for the IPsec tunnel.
Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes Default: 512 bytes |
IPsec Cipher Suite |
Specify the authentication and encryption to use on the IPsec tunnel.
Values: aes256-cbc-sha1, aes256-gcm, null-sha1 Default: aes256-gcm |
Perfect Forward Secrecy |
Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
Default: group-16 |
DPD Interval |
Specify the interval for IKE to send Hello packets on the connection.
Range: 10 through 3600 seconds (1 hour) Default: 10 seconds |
DPD Retries |
Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to
the peer.
Range: 2 through 60 Default: 3 |
Application |
Choose an application from the drop-down list:
|
Field |
Description |
---|---|
Shutdown |
Click Off to enable the interface. |
IP MTU |
Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv6 packets on the interface. Range: 576 through 9216 Default: 1500 bytes |
TCP MSS |
Specify the maximum segment size (MSS) of the IPv4 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes Default: None |
IPv6 TCP MSS |
Specify the maximum segment size (MSS) of the IPv6 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes Default: None |
Clear-Dont-Fragment |
Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. |
Tunnel Protection |
Choose Yes to enable tunnel protection. Default: No |
Use the IPsec feature to configure IPsec tunnels on Cisco IOS XE Catalyst SD-WAN devices, used for Internet Key Exchange (IKE) sessions.
See Configure IPSEC on Service Side Using a Configuration Group
Some parameters have a scope drop-down list that enables you to choose Global, Device Specific, or Default for the parameter value. Choose one of the following options, as described in the table below:
Parameter Scope |
Scope Description |
---|---|
Global (Indicated by a globe icon) |
Enter a value for the parameter and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
Device Specific (Indicated by a host icon) |
Use a device-specific value for the parameter. Choose Device Specific to provide a value for the key in the field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the field. Examples of device-specific parameters are system IP address, host name, GPS location, and site ID. |
Default (indicated by a check mark) |
The default value is shown for parameters that have a default setting. |
The following tables describe the options for configuring the VPN Interface IPsec feature.
Field |
Description |
---|---|
Type |
Choose a feature from the drop-down list. |
Feature Name* |
Enter a name for the feature. |
Description |
Enter a description of the feature. The description can contain any characters and spaces. |
Field |
Description |
---|---|
Interface Name |
Enter the name of the IPsec interface. |
Description |
Enter a description of the IPsec interface. |
Tunnel Mode |
Choose from one of the following IPsec tunnel modes:
|
Interface Address |
Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list. |
Mask |
Enter the subnet mask. |
Tunnel Source |
Enter the source of the IPsec interface:
|
Tunnel Destination |
Enter the destination of the IPsec interface:
|
TCP MSS |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically
adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.
Range: 552 through 1460 bytes Default: None |
Clear-Dont-Fragment |
Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. |
IP MTU |
Specify the maximum MTU size of packets on the interface.
Range: 576 through 1804 Default: 1500 bytes |
Field |
Description |
---|---|
IKE Version |
Enter 1 to choose IKEv1. Enter 2 to choose IKEv2. Default: IKEv1 |
IKE Integrity Protocol |
Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
Default: Main mode |
IPsec Rekey Interval (Seconds) |
Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days) Default: 14400 seconds (4 hours) |
IKE Cipher Suite |
Specify the type of authentication and encryption to use during IKE key exchange.
Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2 Default: aes256-cbc-sha1 |
IKE Diffie-Hellman Group |
Specify the Diffie-Hellman group to use in IKE key exchanges.
Values: 2, 14, 15, 16, 19, 20, 21, 24 Default: 16 |
IKE ID for Local End Point |
If the remote IKE peer requires a local endpoint identifier, specify it.
Range: 1 through 64 characters Default: Source IP address of the tunnel |
IKE ID for Remote End Point |
If the remote IKE peer requires a remote end point identifier, specify it.
Range: 1 through 64 characters Default: Destination IP address of the tunnel There is no default option if you have chosen IKEv2. |
Field |
Description |
---|---|
IPsec Rekey Interval |
Specify the interval for refreshing IKE keys.
Range: 3600 through 1209600 seconds (1 hour through 14 days) Default: 3600 seconds |
IPsec Replay Window |
Specify the replay window size for the IPsec tunnel.
Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes Default: 512 bytes |
IPsec Cipher Suite |
Specify the authentication and encryption to use on the IPsec tunnel.
Values: aes256-cbc-sha1, aes256-gcm, null-sha1 Default: aes256-gcm |
Perfect Forward Secrecy |
Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
Default: group-16 |
Field |
Description |
||
---|---|---|---|
Associated VPN |
Select a VPN from the drop-down list to associate with the IPsec tunnel. |
||
Tunnel Route Via |
Specify the tunnel route details to steer the application traffic through.
|
||
DPD Interval |
Specify the interval for IKE to send Hello packets on the connection.
Range: 10 through 3600 seconds (1 hour) Default: 10 seconds |
||
DPD Retries |
Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to
the peer.
Range: 2 through 60 Default: 3 |
||
TCP MSS |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes Default: None |
||
Clear-Dont-Fragment |
Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface. | ||
IP MTU |
Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv4 packets on the interface. Range: 576 through 9216 Default: 1500 bytes |
||
Shutdown |
Click Off to enable the interface. |
The Cisco IOS XE Catalyst SD-WAN multicast overlay software extends Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) over the Cisco Catalyst SD-WAN overlay using Overlay Management Protocol (OMP). Protocol Independent Multicast Sparse-Mode (PIM-SM) is deployed in the customer VPNs, and the Cisco IOS XE MVPN is used to integrate PIM in customer VPNs and OMP in the overlay. The OMP replicator is used in overlay multicast to optimize the multicast distribution tree across the overlay topology. The Cisco IOS XE Catalyst SD-WAN router supports IGMPv2 and IGMPv3 reports and advertises receiver's multicast interest to remote Cisco Catalyst SD-WAN routers using OMP. Depending on the level of optimization required, the Cisco Catalyst SD-WAN routers join or prune to or from the replicators, and replicators use OMP to relay the join or prune to the Cisco Catalyst SD-WAN router providing overlay connectivity to the PIM-RP or source.
The Cisco IOS XE Catalyst SD-WAN overlay multicast network supports the following protocols:
Protocol Independent Multicast (PIM)
Internet Group Management Protocol (IGMP)
MSDP
See Configure Multicast Using Configuration Groups.
Some parameters have a scope drop-down list that enables you to choose Global, Device Specific, or Default for the parameter value. Choose one of the following options, as described in the table below:
Parameter Scope |
Scope Description |
---|---|
Global (Indicated by a globe icon) |
Enter a value for the parameter and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
Device Specific (Indicated by a host icon) |
Use a device-specific value for the parameter. Choose Device Specific to provide a value for the key in the Enter Key field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the Enter Key field. Examples of device-specific parameters are system IP address, host name, GPS location, and site ID. |
Default (indicated by a check mark) |
The default value is shown for parameters that have a default setting. |
The following tables describe the options for configuring the Multicast feature.
Field |
Description |
---|---|
Type |
Choose a feature from the drop-down list. |
Feature Name* |
Enter a name for the feature. |
Description |
Enter a description of the feature. The description can contain any characters and spaces. |
Field |
Description |
---|---|
SPT Only |
Enable this option to ensure that the Rendezvous Points (RPs) can communicate with each other using the shortest-path tree. |
Local Replicator |
Enable this option to configure the Cisco IOS XE Catalyst SD-WAN device as a multicast replicator. |
Threshold |
Specify a value. Optional, keep it set to the default value if you are not configuring a replicator. |
Field |
Description |
||
---|---|---|---|
Source Specific Multicast (SSM) |
Enable this option to configure SSM. |
||
ACL |
Specify an access control list value. An access control list allows you to filter multicast traffic streams using the group and sometimes source IPv4 or IPv6 addresses. Configure an IPv4 access control list using a standard or extended access list and attach it to your device before enabling PIM. You must have created a valid standard or extended ACL before using the ACL in your multicast configuration.
|
||
SPT Threshold |
Specify the traffic rate, in kbps, at which to switch from the shared tree to the shortest-path tree (SPT). Configuring this value forces traffic to remain on the shared tree and travel via the RP instead of via the SPT. |
||
Add Interface |
|||
Interface Name |
Enter the name of an interface that participates in the PIM domain, in the format ge slot /port. | ||
Query Interval(sec) |
Specify how often the interface sends PIM query messages. Query messages advertise that PIM is enabled on the router. |
||
Join/Prune Interval(sec) |
Specify how often PIM multicast traffic can join or be removed from a rendezvous point tree (RPT) or shortest-path tree (SPT). Cisco IOS XE Catalyst SD-WAN device send join and prune messages to their upstream RPF neighbor. |
||
How do you want to configure your Rendezvous Point (RP) Cisco IOS XE SD-WAN supports the following modes: |
|||
Static |
Click this check box to a specify the static IP address of a rendezvous point (RP). |
||
Add Static RP |
|||
IP Address |
Specify the static IP address of a rendezvous point (RP). |
||
ACL |
Specify an ACL value. |
||
Override |
Enable this option for cases when dynamic and static group-to-RP mappings are used together and there is an RP address conflict. In this case, the RP address configured for a static group-to-RP mapping takes precedence. If you do not enable this option, and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings. |
||
Auto RP |
Click this check box to enable reception of PIM group-to-RP mapping updates. This enables reception on the Auto-RP multicast groups, 224.0.1.39 and 224.0.1.40. |
||
RP Announce |
Click this check box to enable transmission of Auto-RP multicast messages. |
||
RP Discovery |
Click this check box to enable Auto-RP automatic discovery of rendezvous points (RPs) in the PIM network so that the router can serve as an Auto-RP mapping agent. An Auto-RP mapping receives all the RPs and their respective multicast groups and advertise consistent group-to-RP mapping updates. |
||
Interface |
Specify the source interface for Auto-RP RP Announcements or RP Discovery messages. |
||
Scope |
Specify the IP header Time-to-Live (TTL) for Auto-RP RP Announcements or RP Discovery messages. |
||
PIM-BSR |
Configure a PIM BSR. |
||
RP Candidate | |||
Interface Name |
Choose the interface that you used for configuring the PIM feature template. |
||
Access List |
Add an access list value if you have configured the access list with a value. |
||
Interval |
Add an interval value if you have configured the interval with a value. |
||
Priority |
Specify a higher priority on the Cisco IOS XE SD-WAN device than on the service-side device. |
||
BSR Candidate (Maximum: 1) |
|||
Interface Name |
Chose the same interface from the drop-down list that you used for configuring the PIM feature template. |
||
Hash Mask Length |
Specify the hash mask length. Valid values for hash mask length are 0–32. |
||
Priority |
Specify a higher priority on the Cisco IOS XE Catalyst SD-WAN device than on the service-side device. |
||
RP Candidate Access List |
Add a value if you have configured the RP candidate access list with a value. An RP candidate uses a standard ACL where you can enter the name for the access list. |
Field |
Description |
---|---|
Add IGMP |
|
Interface |
Enter the name of the interface to use for IGMP. To add another interface, click Add. |
Version |
Specify a version number. Optional, keep it set to the default version number. |
Group Address |
Enter a group address to join a multicast group. |
Source Address |
Enter a source address to join a multicast group. |
Add |
Click Add to add the IGMP for the group. |
Field |
Description |
||
---|---|---|---|
Originator-ID |
Specify the ID of the originating device. This ID is the IP address of the interface that is used as the RP address. |
||
Connection Retry Interval |
Configure an interval at which MSDP peers will wait after peering sessions are reset before attempting to re-establish the peering sessions. |
||
Mesh Group |
|||
Mesh Group Name |
Enter a mesh group name. This configures an MSDP mesh group and indicates that an MSDP peer belongs to that mesh group.
|
||
Peer-IP |
Configure an MSDP peer specified by an IP address. |
||
Advanced Settings |
|||
Connect-Source Interface |
Enter the primary address of a specified local interface that is used as the source IP address for the TCP connection. |
||
Peer Authentication Password |
Enables MD5 password encryption for a TCP connection between two MSDP peers.
|
||
Keep Alive |
Configure an interval at which an MSDP peer will send keepalive messages. |
||
Hold-Time |
Configure an interval at which the MSDP peer will wait for keepalive messages from other peers before declaring them as down. |
||
Remote AS |
Specifies the autonomous system number of the MSDP peer. This keyword and argument are used for display purposes only. |
||
SA Limit |
Limits the number of SA messages allowed in the SA cache from the specified MSDP. |
||
Default Peer |
Configure a default peer from which to accept all MSDP SA messages. |
Open Shortest Path First (OSPF) is a routing protocol for IP networks. It can be used for service-side routing to provide reachability to networks at the local site.
For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown.
Field |
Description |
---|---|
Router ID |
Enter the OSPF router ID, in decimal four-part dotted notation. This is the IP address associated with the router for OSPF adjacencies. |
Distance for External Routes |
Specify the OSPF route administration distance for routes learned from other domains. Range: 1 through 255 Default: 110 |
Distance for Inter-Area Routes |
Specify the OSPF route administration distance for routes coming from one area into another. Range: 1 through 255 Default: 110 |
Distance for Intra-Area Routes |
Specify the OSPF route administration distance for routes within an area. Range: 0 through 255 Default: 110 |
Field |
Description |
---|---|
Add Redistribute |
|
Protocol |
Choose the protocol from which to redistribute routes into OSPF.
|
Field |
Description |
---|---|
Add Router LSA |
|
Type |
Configure OSPF to advertise a maximum metric so that other routers do not prefer this router as an intermediate hop in their Shortest Path First (SPF) calculation. Choose a type:
|
Field |
Description |
---|---|
Add Area |
|
Area Number* |
Enter the number of the OSPF area. Range: 32-bit number |
Set the area type |
Choose the type of OSPF area:
|
Add Interface |
Configure the properties of an interface in an OSPF area. |
Name* |
Enter the name of the interface, in the format geslot/port or loopback number. |
Hello Interval (seconds)* |
Specify how often the router sends OSPF hello packets. Range: 1 through 65535 seconds Default: 10 seconds |
Dead Interval (seconds)* |
Specify how often the router must receive an OSPF hello packet from its neighbor. If no packet is received, the router assumes that the neighbor is down. Range: 1 through 65535 seconds Default: 40 seconds (four times the default hello interval) |
LSA Retransmission Interval (seconds)* |
Specify how often the OSPF protocol retransmits LSAs to its neighbors. Range: 1 through 65535 seconds Default: 5 seconds |
Interface Cost |
Specify the cost of the OSPF interface. Range: 1 through 65535 |
Designated Router Priority* |
Set the priority of the router to be elected as the designated router (DR). The router with the highest priority becomes the DR. If the priorities are equal, the node with the highest router ID becomes the DR or the backup DR. Range: 0 through 255 Default: 1 |
OSPF Network Type |
Choose the OSPF network type to which the interface is to connect:
|
Passive Interface* |
Specify whether to set the OSPF interface to be passive. A passive interface advertises its address, but does not actively run the OSPF protocol. Default: Disabled |
Authentication Type |
Choose the authentication type:
|
Message Digest Key |
Enter the MD5 authentication key, in clear text or as an AES-encrypted key. It can be from 1 to 255 characters. |
md5 |
Enter the key ID for message digest (MD5 authentication). It can be 1 to 32 characters. |
Add Range |
Configure the area range of an interface in an OSPF area. |
IP Address* |
Enter the IP address. |
Subnet Mask* |
Enter the subnet mask. |
Cost |
Specify a number for the Type 3 summary LSA. OSPF uses this metric during its SPF calculation to determine the shortest path to a destination. Range: 0 through 16777214 |
No-advertise* |
Enable this option to not advertise the Type 3 summary LSAs. |
Field |
Description |
---|---|
Reference Bandwidth (Mbps) |
Specify the reference bandwidth for the OSPF auto-cost calculation for the interface. Range: 1 through 4294967 Mbps Default: 100 Mbps |
RFC 1583 Compatible |
By default, the OSPF calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328. |
Originate |
Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:
|
SPF Calculation Delay (milliseconds) |
Specify the amount of time between when the first change to a topology is received until performing the SPF calculation. Range: 1 through 600000 milliseconds (60 seconds) Default: 200 milliseconds |
Initial Hold Time (milliseconds) |
Specify the amount of time between consecutive SPF calculations. Range: 1 through 600000 milliseconds (60 seconds) Default: 1000 milliseconds |
Maximum Hold Time (milliseconds) |
Specify the longest time between consecutive SPF calculations. Range: 1 through 600000 Default: 10000 milliseconds (60 seconds) |
Use this feature to configure the Open Shortest Path First version 3 (OSPFv3) IPv4 link-state routing protocol for IPv4 unicast address families.
The following tables describe the options for configuring the OSPFv3 IPv4 Routing feature.
Field |
Description |
---|---|
Router ID |
Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured. |
Add Redistribute |
|
Protocol |
Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.
|
Select Route Policy |
Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF. |
Field |
Description |
||
---|---|---|---|
Area Number* |
Enter the number of the OSPFv3 area. Allowed value: Any 32-bit integer |
||
Area Type |
Choose the type of OSPFv3 area:
|
||
Interface |
|||
Add Interface |
Configure the properties of an interface in an OSPFv3 area. |
||
Name* |
Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1. |
||
Cost |
Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination. Range: 0 through 16777215 |
||
Authentication Type |
Specify the SPI and authentication key if you use IPSec SHA1 authentication type.
|
||
SPI |
Specifies the Security Policy Index (SPI) value. Range: 256 through 4294967295 |
||
Authentication Key |
Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long. |
||
Passive Interface |
Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol. Default: Disabled |
||
IPv4 Range |
|||
Add IPv4 Range |
Configure the area range of an interface in an OSPFv3 area. |
||
Network Address* |
Enter the IPv4 address. |
||
Subnet Mask* |
Enter the subnet mask. |
||
No Advertise* |
Enable this option to not advertise the Type 3 summary LSAs. |
||
Cost |
Specify the cost of the OSPFv3 interface. Range: 1 through 65535 |
Field |
Description |
---|---|
Route Policy |
Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors. |
Reference Bandwidth (Mbps) |
Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface. Range: 1 through 4294967 Mbps Default: 100 Mbps |
RFC 1583 Compatible |
By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328. |
Originate |
Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:
|
Distance |
Define the OSPFv3 route administration distance based on route type. Default: 100 |
Distance for External Routes |
Set the OSPFv3 distance for routes learned from other domains. Range: 0 through 255 Default: 110 |
Distance for Inter-Area Routes |
Set the distance for routes coming from one area into another. Range: 0 through 255 Default: 110 |
Distance for Intra-Area Routes |
Set the distance for routes within an area. Range: 0 through 255 Default: 110 |
SPF Calculation Timers |
Configure the amount of time between when OSPFv3 detects a topology and when it runs its SPF algorithm. |
SPF Calculation Delay (milliseconds) |
Specify the amount of time between when the first change to a topology is received until performing the SPF calculation. Range: 1 through 600000 ms (600 seconds) Default: 200 ms |
Initial Hold Time (milliseconds) |
Specify the amount of time between consecutive SPF calculations. Range: 1 through 600000 ms (600 seconds) Default: 1000 ms |
Maximum Hold Time (milliseconds) |
Specify the longest time between consecutive SPF calculations. Range: 1 through 600000 ms (600 seconds) Default: 10000 ms (10 seconds) |
Maximum Metric (Router LSA) |
Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.
Maximum metric is disabled by default. |
Use this feature to configure the Open Shortest Path First version 3 (OSPFv3) IPv6 link-state routing protocol for IPv6 unicast address families.
The following tables describe the options for configuring the OSPFv3 IPv6 Routing feature.
Field |
Description |
---|---|
Router ID |
Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured. |
Add Redistribute |
|
Protocol |
Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.
|
Select Route Policy |
Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF. |
Field |
Description |
||
---|---|---|---|
Area Number* |
Enter the number of the OSPFv3 area. Allowed value: Any 32-bit integer |
||
Area Type |
Choose the type of OSPFv3 area:
|
||
Interface |
|||
Add Interface |
Configure the properties of an interface in an OSPFv3 area. |
||
Name* |
Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1. |
||
Cost |
Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination. Range: 0 through 16777215 |
||
Authentication Type |
Specify the SPI and authentication key if you use IPSec SHA1.
|
||
SPI |
Specifies the Security Policy Index (SPI) value. Range: 256 through 4294967295 |
||
Authentication Key |
Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long. |
||
Passive Interface |
Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol. Default: Disabled |
||
IPv6 Range |
|||
Add IPv6 Range |
Configure the area range of an interface in an OSPFv3 area. |
||
Network Address* |
Enter the IPv6 address. |
||
Subnet Mask* |
Enter the subnet mask. |
||
No Advertise* |
Enable this option to not advertise the Type 3 summary LSAs. |
||
Cost |
Specify the cost of the OSPFv3 interface. Range: 1 through 65535 |
Field |
Description |
---|---|
Route Policy |
Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors. |
Reference Bandwidth (Mbps) |
Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface. Range: 1 through 4294967 Mbps Default: 100 Mbps |
RFC 1583 Compatible |
By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328. |
Originate |
Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:
|
Distance |
Define the OSPFv3 route administration distance based on route type. Default: 100 |
Distance for External Routes |
Set the OSPFv3 distance for routes learned from other domains. Range: 0 through 255 Default: 110 |
Distance for Inter-Area Routes |
Set the distance for routes coming from one area into another. Range: 0 through 255 Default: 110 |
Distance for Intra-Area Routes |
Set the distance for routes within an area. Range: 0 through 255 Default: 110 |
SPF Calculation Timers |
Configure the amount of time between when OSPFv3 detects a topology and when it runs its SPF algorithm. |
SPF Calculation Delay (milliseconds) |
Specify the amount of time between when the first change to a topology is received until performing the SPF calculation. Range: 1 through 600000 ms (600 seconds) Default: 200 ms |
Initial Hold Time (milliseconds) |
Specify the amount of time between consecutive SPF calculations. Range: 1 through 600000 ms (600 seconds) Default: 1000 ms |
Maximum Hold Time (milliseconds) |
Specify the longest time between consecutive SPF calculations. Range: 1 through 600000 ms (600 seconds) Default: 10000 ms (10 seconds) |
Maximum Metric (Router LSA) |
Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.
Maximum metric is disabled by default. |
Use the object tracker feature to configure an object tracker.
See Configure Object Tracker Using a Configuration Group
Parameter Name |
Description |
---|---|
Tracker Type* |
|
Interface |
Configure the following interface values:
|
SIG |
Object tracker ID*: Enter the object tracker ID number. |
Route |
Configure the route details:
|
Use this feature to configure an object tracker group. To ensure accurate tracking, add at least two object trackers before creating an object tracker group.
Parameter Name |
Description |
---|---|
Object tracker ID * |
Enter an ID for the object tracker group. Range: 1 through 1000 |
Object tracker * |
Select a minimum of two previously created object trackers from the drop-down list. |
Reachable * |
Choose one of the following values:
|
Use the Raw Socket feature to configure a raw socket with VRF.
See Configure Raw Socket with VRF using a Configuration Group.
Field |
Description |
---|---|
Loopback configuration |
You can enable or disable the loopback configuration. Note that loopback is supported only on Cisco Catalyst IR8340 rugged series routers. |
Interface name |
Enter a name for the interface. |
Packet length |
Specify the length of the packet. |
Packet time |
Define the time duration to send packets. |
Special character |
Defines a specific character that triggers the router to send all buffered data to the raw socket peer. |
Encapsulation |
Choose TCP or UDP as the protocol to encapsulate and transport serial data. If you select TCP, configure the following options:
If you select UDP, configure the relevant UDP connection fields. |
You can configure quality of service (QoS) to classify data packets and control how traffic flows out of and in to the interfaces and on the interface queues. With access lists, you can provision QoS which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted.
In Add Feature window, choose Route Policy from the drop-down list.
Enter a name and description for the route policy.
Click Add Routing Sequence. The Add Route Sequence window displays.
Enter Routing Sequence Name.
Select a desired protocol from the Protocol drop-down list. The options are: IPv4, IPv6, or both.
Select a condition from the Condition drop-down list.
Select the action types Accept or Reject from the Action Type drop-down list.
For the Accept action type, choose the accept condition from the Accept Condition drop-down list.
Click Save.
To copy, delete, or rename the route policy sequence rule, click ... next to the rule's name and select the desired option.
If no packets match any of the route policy sequence rules, the default action is to drop the packets. To change the default action:
Click Default Action in the left pane.
Click the Pencil icon.
Change the default action to Accept.
Click Save.
Click Save Route Policy.
The following table describe the options for configuring the QoS Map feature.
Field |
Description |
---|---|
Routing Sequence Name |
Specifies the name of the routing sequence. |
Protocol |
Specifies the internet protocol. The options are IPv4, IPv6, or Both. |
Condition |
Specifies the routing condition. The options are:
|
Action Type |
Specifies the action type. The options are: Accept or Reject. |
Accept Condition |
Specifies the accept condition type. The options are:
|
You can select the specific route sequence in the Route Policy window to edit, delete or add.
This feature helps you configure a service VPN (range 1 – 65527, except 512) or the LAN VPN.
The following table describes the options for configuring the Service VPN feature.
Field |
Description |
---|---|
VPN* |
Enter the numeric identifier of the VPN. |
Name* |
Enter a name for the VPN. |
OMP Admin Distance IPv4 |
Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255. |
OMP Admin Distance IPv6 |
Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255. |
Field |
Description |
---|---|
Add DNS IPv4 |
|
Primary DNS Address (IPv4) |
Enter the IP address of the primary IPv4 DNS server in this VPN. |
Secondary DNS Address (IPv4) |
Enter the IP address of a secondary IPv4 DNS server in this VPN. |
Add DNS IPv6 |
|
Primary DNS Address (IPv6) |
Enter the IP address of the primary IPv6 DNS server in this VPN. |
Secondary DNS Address (IPv6) |
Enter the IP address of a secondary IPv6 DNS server in this VPN. |
Field |
Description |
---|---|
Add New Host Mapping |
|
Hostname* |
Enter the hostname of the DNS server. The name can be up to 128 characters. |
List of IP* |
Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas. |
Field |
Description |
---|---|
Add OMP Advertise IPv4 |
|
Protocol |
Choose a protocol to configure route advertisements to OMP, for this VPN:
|
Select Route Policy |
Enter the name of the route policy. Route policy is not supported in Cisco vManage Release 20.9.1. |
Add OMP Advertise IPv6 |
|
Protocol |
Choose a protocol to configure route advertisements to OMP, for this VPN:
|
Select Route Policy |
Enter the name of the route policy. Route policy is not supported in Cisco vManage Release 20.9.1. |
Protocol Sub Type |
When you choose the OSPF protocol, specify the sub type as external. |
Field |
Description |
---|---|
Add IPv4 Static Route |
|
Network Address* |
Enter the IPv4 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN. |
Subnet Mask* |
Enter the subnet mask. |
Next Hop/Null 0/VPN/DHCP |
Choose one of the following options to configure the next hop to reach the static route:
|
Add BGP Routing |
Choose a BGP route. |
Add OSPF Routing |
Choose an OSPF route. |
Add IPv6 Static Route |
|
Prefix* |
Enter the IPv6 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv6 static route to configure in the VPN. |
Next Hop/Null 0/NAT |
Choose one of the following options to configure the next hop to reach the static route:
|
Field |
Description |
---|---|
Add Service |
|
Service Type |
Choose a service available at the local site and in the VPN. Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4, TE, SIG |
IPv4 Addresses (Maximum: 4)* |
Enter up to four IP address, separated by commas. The service is advertised to the Cisco SD-WAN Controller only if one of the addresses can be resolved locally, at the local site, not via routes learned through OMP. You can configure up to four IP addresses. |
Tracking* |
Cisco Catalyst SD-WAN tests each service device periodically to check whether it is operational. Tracking saves the results of the periodic tests in a service log. Tracking is enabled by default. |
Field |
Description |
---|---|
Add Service Route |
|
Prefix* |
Enter the IP address or prefix. For Umbrella SIG, use any RFC 1918 subnet for Service IP addresses. |
Service* |
Configure routes pointing to any service. Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4. |
VPN* |
Destination VPN to resolve the prefix. |
Field |
Description |
---|---|
Add GRE Route |
|
Prefix* |
Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route. |
Interface* |
Enter the name of one or two GRE tunnels to use to reach the service. |
VPN* |
Enter the number of the VPN to reach the service. This must be VPN 0. |
Field |
Description |
---|---|
Add ipSec Route |
|
Prefix* |
Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the IPsec-specific static route. |
Interface* |
Enter the name of one or two IPsec tunnel interfaces. If you configure two interfaces, the first is the primary IPsec tunnel, and the second is the backup. All packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel. |
Field |
Description |
---|---|
Nat Pool |
|
NatPool Name* |
Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router. |
Prefix Length* |
Enter the NAT pool prefix length. |
Range Start* |
Enter a starting IP address for the NAT pool. |
Range End* |
Enter a closing IP address for the NAT pool. |
Overload* |
Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured. Default: Enabled |
Direction* |
Choose the NAT direction. |
Nat64 V4 Pool |
|
Nat64 V4 Pool Name* |
Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router. |
Nat 64 V4 Pool Range Start* |
Enter a starting IP address for the NAT pool. |
Nat 64 V4 Pool Range End* |
Enter a closing IP address for the NAT pool. |
Overload* |
Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured. Default: Disabled |
Field |
Description |
---|---|
Route Protocol* |
Choose a protocol to configure leak routes from global VPN to the service VPN that you are configuring:
|
Select Route Policy |
Choose a route policy from the drop-down list. |
Redistribution (in service VPN) |
|
Protocol* |
Choose a protocol from the available options to redistribute the leaked routes:
|
Select Route Policy |
Choose a route policy from the drop-down list. |
Field |
Description |
---|---|
Route Protocol* |
Choose a protocol to leak routes from the service VPN that you are configuring to the global VPN:
|
Select Route Policy |
Choose a route policy from the drop-down list. |
Redistribution (in global VPN) |
|
Protocol* |
Choose a protocol from the available options to redistribute the leaked routes:
|
Select Route Policy |
Enter the name of the route policy. |
Select Route Policy |
Choose a route policy from the drop-down list. |
Field |
Description |
---|---|
Source VPN | Enter a value of the source VPN. |
Route Protocol* |
Choose a protocol from the available options to leak routes from the source service VPN to the service VPN that you are configuring:
|
Select Route Policy |
Choose a route policy from the drop-down list. |
Redistribution (in Service VPN) |
|
Protocol* |
Choose a protocol from the available options to redistribute the leaked routes:
|
Select Route Policy |
Choose a route policy from the drop-down list. |
Field |
Description |
---|---|
IPv4 Settings |
|
Import Route Target List: Route Target* |
Configure a route target for IPv4 interfaces. It imports routing information from the target VPN extended community. |
Export Route Target List: Route Target* |
Configure a route target for IPv4 interfaces. It exports routing information to the target VPN extended community. |
IPv6 Settings |
|
Import Route Target List: Route Target* |
Configure a route target for IPv6 interfaces. It imports routing information from the target VPN extended community. |
Export Route Target List: Route Target* |
Configure a route target for IPv6 interfaces. It exports routing information to the target VPN extended community. |
This feature helps you configure a switch virtual interface (SVI) to configure a VLAN interface.
See Configure SVI Interface Using a Configuration Group
For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:
Parameter Scope |
Scope Description |
---|---|
Device Specific (indicated by a host icon) |
Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco Catalyst SD-WAN device to a device template. When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Cisco Catalyst SD-WAN device to a device template. To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, host name, GPS location, and site ID. |
Global (indicated by a globe icon) |
Enter a value for the parameter, and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
The following tables describe the options for configuring the SVI Interface feature.
Field |
Description |
---|---|
Type |
Choose a feature from the drop-down list. |
Feature Name* |
Enter a name for the feature. |
Description |
Enter a description of the feature. The description can contain any characters and spaces. |
Associated VPN: VPN* |
Choose a VPN. |
Field |
Description |
---|---|
Shutdown |
Enable or disable the VLAN interface. |
VLAN Interface Name* |
Enter a name for the VLAN interface. The name must contain a minimum of five characters. The name must be in the following format: ^Vlan(([1-9]\d|\d)/){0,2}(0|[1-9]\d*)([:|\.][1-9]\d*)? |
Interface Description |
Enter a description for the interface. |
Interface MTU |
Enter the maximum transmission unit size for frames received and transmitted on the interface. Range: 1500 through 9216 Default: 1500 bytes |
IP MTU |
Enter the maximum transmission unit (MTU) size of IP packets sent on an interface. Range: 576 through 9216 Default: 1500 bytes |
Configure IPV4 Address |
|
IPv4 Address Prefix* |
Enter the IPv4 address for the interface. |
List of DHCP helper addresses* |
Enter up to eight IP addresses for DHCP servers in the network to have the interface be a DHCP helper. Separate each address with a comma. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers. |
Configure IPV4 Secondary Address |
|
Secondary IP Address* |
Enter up to four secondary IP addresses. |
Configure IPV6 Address |
|
IPV6 address* |
Enter the IPv6 address for the interface. |
Configure IPV6 Secondary Address |
|
Address* |
Enter up to four secondary IP addresses. |
Configure IPV6 DHCP Helper |
|
Address* |
Enter an IP address for DHCP servers in the network to have the interface be a DHCP helper. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers. |
VPN |
VPN ID for the DHCP helper address. |
Field |
Description |
---|---|
Configure Access List V4 |
|
Direction* |
Choose a direction of the ACL: in or out. |
Name of ACL* |
Enter the name of the access list. |
Configure Access List V6 |
|
Direction* |
Choose a direction of the ACL: in or out. |
Name of ACL* |
Enter the name of the access list. |
Field |
Description |
---|---|
Configure VRRP |
|
Group ID* |
Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups. Range: 1 through 255 |
Priority* |
Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router. Range: 1 through 254 Default: 100 |
Timer* |
Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router . Range: 100 through 40950 seconds Default: 100 seconds |
Track OMP |
When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session. |
Prefix List* |
Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router. |
IP Address |
Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP. |
Add VRRP IP Address Secondary |
|
Address* |
Enter an IP address for the secondary VRRP router. |
TLOC Preference Change |
Enable or disable this option to set whether the TLOC preference can be changed or not. |
Add VRRP Tracking Object |
|
Tracker Id* |
Enter the interface object ID or object group tracker ID. |
Track Action* |
Choose one of the options:
|
Decrement Value |
Enter a decrement value. Range: 1-255 From Cisco vManage Release 20.10.1, this option is enabled only when you choose decrement in Track Action. |
Configure VRRP IPv6 |
|
Group ID* |
Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups. Range: 1 through 255 |
Priority* |
Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router. Range: 1 through 254 Default: 100 |
Timer* |
Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router . Range: 100 through 40950 seconds Default: 100 seconds |
Track OMP* |
When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session. |
Track Prefix List |
Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router. |
Add VRRP IPv6 Primary |
|
IPv6 Link Local* |
Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8. |
Prefix |
Enter the IPv6 address of the primary VRRP router. |
Field |
Description |
---|---|
Configure ARP |
|
IP Address* |
Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name. |
MAC Address* |
Enter the MAC address in colon-separated hexadecimal notation. |
Field |
Description |
---|---|
TCP MSS |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 to 1960 bytes Default: None |
ARP Timeout |
Specify how long it takes for a dynamically learned ARP entry to time out. Range: 0 through 2678400 seconds (744 hours) Default: 1200 (20 minutes) |
IP Directed-Broadcast |
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet. A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast. If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet. |
ICMP/ICMPv6 Redirect Disable |
ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway. By default, an interface allows ICMP redirect messages. |
Use the Switch Port feature to configure bridging for Cisco Catalyst SD-WAN.
The following table describes the options for configuring the Switch Port feature.
Field |
Description |
---|---|
Age Out Time |
Enter how long an entry is in the MAC table before it ages out. Set the value to 0 to prevent entries from timing out. Range: 0, 10 through 1000000 seconds Default: 300 seconds |
Configure Interface |
|
Interface Name |
Enter the name of the interface to associate with the bridging domain, in the format geslot/port. |
Mode |
Choose the switch port mode.
|
Shutdown |
Enable the interface. By default, an interface is disabled. |
Speed |
Enter the speed of the interface. |
Duplex |
Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode. |
Port Control |
Choose the port control mode to enable IEEE 802.1X port-based authentication on the interface.
|
Voice VLAN |
Enter the Voice VLAN ID. |
Pae Enable |
The Cisco Catalyst SD-WAN device acts as a port access entity (PAE), allowing authorized network traffic and preventing unauthorized network traffic ingressing to and egressing from the controlled port. |
MAC Authentication Bypass |
Enable this option to allow MAC authentication bypass (MAB) on the RADIUS server and to authenticate non-IEEE 802.1X–compliant clients using a RADIUS server. |
Host Mode |
Choose whether an IEEE 802.1X interface grants access to a single host (client) or to multiple hosts (clients).
|
Enable Periodic Reauth |
Enable periodic re-authentication. By default, this option is enabled. |
Inactivity |
Enter the inactivity timeout time in seconds. Default: 60 seconds |
Reauthentication |
Enter the re-authentication interval in seconds. |
Control Direction |
Choose both (bidirectional) or in (unidirectional) authorization mode. |
Restricted VLAN |
Enter the restricted VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure limited services to IEEE 802.1X-compliant clients that failed RADIUS authentication. |
Guest VLAN |
Enter the guest VLAN to drop non-IEEE 802.1X enabled clients, if the client is not in the MAB list. |
Critical VLAN |
Enter the critical VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure network access when RADIUS authentication or the RADIUS server fails. |
Enable Voice |
Enable the critical voice VLAN. |
Configure Static Mac Address |
|
MAC Address |
Enter the static MAC address to map to the switch port interface. |
Interface Name |
Enter the name of the switch port interface. |
VLAN ID |
Enter the number of the VLAN for the switch port. |
This feature helps you configure the tracker for the VPN interface.
For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:
The following table describes the options for configuring the Tracker feature.
Field |
Description |
---|---|
Tracker Name* |
Name of the tracker. The name can be up to 128 alphanumeric characters. |
Endpoint Tracker Type* |
Choose a tracker type to configure endpoint trackers:
|
Endpoint |
Choose an endpoint type:
|
Interval |
Time interval between probes to determine the status of the configured endpoint. Range: 20 to 600 seconds Default: 60 seconds (1 minute). |
Multiplier |
Number of times probes are sent before declaring that the endpoint is down. Range: 1 to 10 Default: 3 |
Threshold |
Wait time for the probe to return a response before declaring that the configured endpoint is down. Range: 100 to 1000 milliseconds Default: 300 milliseconds |
Use the Tracker Group feature to track the status of service interfaces.
![]() Note |
Ensure that you have created two trackers to form a tracker group. |
The following tables describe the options for configuring the Tracker Group feature.
Field |
Description |
---|---|
Tracker Elements* |
This field is displayed only if you chose Tracker-group as the tracker type. Add the existing interface tracker names, separated by a space. When you add this tracker to the template, the tracker group is associated with these individual trackers, and you can then associate the tracker group to a static route. The tracker name must not contain capital letters and special characters. |
Tracker Boolean |
From the drop-down list, choose Global. This field is displayed only if you chose tracker-group as the Tracker Type. By default, the OR option is selected. Choose AND or OR. OR ensures that the static route status is reported as active if either one of the associated trackers of the tracker group report that the route is active. If you select AND, the static route status is reported as active if both the associated trackers of the tracker group report that the route is active. |
This feature helps you configure a wireless controller.
The following tables describe the options for configuring the Wireless LAN feature.
Field |
Description |
---|---|
Enable 2.4G* |
Disable this option to shut down the radio type of 2.4 GHz. Default: Enabled |
Enable 5G* |
Disable this option to shut down the radio type of 5 GHz. Default: Enabled |
Country* |
Choose the country where the router is installed. |
Username* |
Specify the username of Cisco Mobility Express. |
Password* |
Specify the password of Cisco Mobility Express. |
Field |
Description |
---|---|
ME Dynamic IP* |
Enable this option so that the interface receives its IP address dynamically from a DHCP server. |
ME IP Address |
Specify the IP address of Cisco Mobility Express. |
Subnet Mask |
Specify the subnet mask of Cisco Mobility Express. |
Default Gateway |
Specify the default gateway address of Cisco Mobility Express. |
Field |
Description |
---|---|
Add SSID |
|
SSID Name* |
Enter a name for the wireless SSID. It can be a string from 4 to 32 characters. The SSID must be unique. |
Admin State* |
Enable this option to indicate that the interface has been configured. |
Broadcast SSID* |
Enable this option if you want to broadcast the SSID. Disable this option if you do not want the SSID to be visible to all the wireless clients. |
VLAN (Range 1-4094)* |
Enter a VLAN ID for the wireless LAN traffic. |
Radio Type |
Choose one of the following radio types:
|
Security Type* |
Choose a security type:
|
Passphrase* |
This field is available if you choose WPA2 Personal as the security type. Set a pass phrase. This pass phrase provides users access to the wireless network. |
QoS Profile |
Choose a QoS profile. |
Use the VPN Interface Multilink feature to configure multilink interface properties for Cisco IOS XE Catalyst SD-WAN devices.
See Configure VPN Interface Multilink Using a Configuration Group
Parameter Name |
Description |
---|---|
Interface Name |
Enter the name of the multilink interface. |
Multilink Group Number * |
Enter the number of the multilink group. It must be the same as the number you enter in the multilink interface name parameter. Range: 1 through 65535 |
PPP Authentication Protocol |
Select the authentication protocol used by the multilink interface:
|
Hostname * |
Enter hostname for PPP CHAP Authentication. |
CHAP Password * |
Enter password for PPP CHAP Authentication. |
IPv4 Address * |
To configure a static address, click Static and enter an IPv4 address. To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. Default: 1 |
Mask |
Choose a value for the subnet mask. |
IPv6 Address * |
To configure a static address for an interface in VPN 0, click Static and enter an IPv6 address. To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. The default DHCP distance is 1. You can optionally enable DHCP rapid commit, to speed up the assignment of IP addresses. |
Parameter Name |
Description |
---|---|
Add T1/E1 Interface |
|
T1 |
|
Description |
Enter a description for the T1controller. |
Slot* |
Enter the number of the slot in slot/subslot/port format, where the T1 NIM is installed. For example, 0/1/0. |
Framing |
Enter the T1 frame type:
|
Clock Source |
Select the clock source:
|
Line Code |
Select the line encoding to use to send T1 frames:
|
Cable Length |
Select the cable length to configure the attenuation
There is no default length. |
E1 |
|
Description |
Enter a description for the E1 controller. |
Slot* |
Enter the number of the slot in slot/subslot/port format, where the E1 NIM is installed. For example, 0/1/0. |
Framing |
Enter the E1 frame type:
|
Clock Source |
Select the clock source:
|
Line Code |
Select the line encoding to use to send E1 frames:
|
Add Channel Group |
|
Channel Group |
To configure the serial WAN on the interface, enter a channel group number. Range: 0 through 30 |
Time Slot |
To configure the serial WAN on the interface, enter a value for the timeslot. Range: 0 through 31 |
Add New A/S Serial Interface |
|
Interface Name |
Enter the name of the serial interface. |
Description |
Enter a description for the serial interface. |
Bandwidth |
For transmitted traffic, set the bandwidth above which to generate notifications. |
Clock Rate |
Specify a value for the clock rate. Range: 1200 through 800000 |
Parameter Name |
Description |
---|---|
Color |
Choose a color for the TLOC. |
Color Description |
Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.18.1 Enter a description associated to the TLOC color. |
Restrict |
Enable this option to drop packets when a tunnel to the service is unreachable. |
Groups |
Enter the list of groups in the field. |
Border |
From the drop-down list, select Global. Click On to set TLOC as border TLOC. |
Maximum Control Connections |
Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0. Range: 0 through 8 Default: 2 |
Validator As Stun Server |
Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the router is located behind a NAT. |
Exclude Controller Group List |
Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to. Range: 0 through 100 |
Cisco SD-WAN Manager Connection Preference |
Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager. Range: 0 through 8 Default: 5 |
Full Port Hop |
Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.18.1a Enable full port hopping at the TLOC level to allow devices to establish connections with controllers by switching to the next port if the current port is blocked or non-functional. Default: Disabled |
Port Hop |
From the drop-down list, select Global. Click Off to allow port hopping on tunnel interface. Default: On, which disallows port hopping on tunnel interface Starting from Cisco IOS XE Catalyst SD-WAN Release 17.18.1a, this field is deprecated. Instead use the Full Port Hop option. See the Full Port Hop field. |
Low-Bandwidth Link |
Click On to set the tunnel interface as a low-bandwidth link. Default: Off |
Network Broadcast |
From the drop-down list, select Global. Click On to accept and respond to network-prefix-directed broadcasts. Enable this parameter only if the Directed Broadcast is enabled on the LAN interface feature template. Default: Off |
Tunnel TCP MSS |
TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. To configure TCP MSS, provide a value that is 40 bytes lower than the minimum path MTU. Specify the MSS of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 552 through 1460 bytes |
Parameter Name |
Description |
---|---|
Ingress ACL - IPv4 |
Enter the name of an IPv4 access list to packets being received on the interface. |
Egress ACL - IPv4 |
Enter the name of an IPv4 access list to packets being transmitted on the interface. |
Igress ACL - IPv6 |
Enter the name of an IPv6 access list to packets being received on the interface. |
Egress ACL - IPv6 |
Enter the name of an IPv6 access list to packets being transmitted on the interface. |
Parameter Name |
Description |
---|---|
Shutdown |
Click No to enable the multilink interface. |
Description |
Enter a description for the multilink interface. |
PPP Authentication Type |
Select the type authentication from one of the following options.:
|
TCP MSS |
Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented. Range: 500 through 1460 bytes Default: 536 |
Disable Fragmentation |
Click On to disable fragmentation for PPP Multilink Protocol data units (PDUs). |
Fragment Max Delay |
Configure the delay between the transmission of fragments in a PPP Multilink Protocol link. Range: 0 through 1000 Default: No CLI Command |
Interleaving Fragments |
Enable interleave fragmentation for PPP Multilink Protocol data units (PDUs). |
TLOC Extension |
Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration binds the service-side interface to the WAN transport by enabling a device to access the opposite WAN transport connected to the neighbouring device using a TLOC-extension interface. |
IP MTU |
Specify the maximum MTU size of packets on the interface. MLP encapsulation adds 6 extra bytes (4 header, 2 checksum) to each outbound packet. These overhead bytes reduce the effective bandwidth on the connection; therefore, the throughput for an MLP bundle is slightly less than an equivalent bandwidth connection that is not using MLP. Range: 576 through 1804 Default: 1500 bytes |
IP Directed-Broadcast |
Enable the translation of a directed broadcast to physical broadcasts. |
Shaping Rate (Kbps) |
Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps). |