password-policy min-password-length length

The minimum allowed length of a password. You can specify between 8 to 32 characters.

password-policy num-lower-case-characters number-of-lower-case-characters

The minimum number of lower case characters. You can specify between 1 to 128 characters.

password-policy num-numeric-characters number-of-numeric-characters

The minimum number of numeric characters. You can specify between 1 to 128 characters.

password-policy num-special-characters number-of-special-characters

The minimum number of special characters. You can specify between 1 to 128 characters.

password-policy num-upper-case-characters number-of-upper-case-characters

The minimum number of upper case characters. You can specify between 1 to 128 characters.

task "name"

The name of an authorization task.

accept "xpath"

The XPath string for a configuration command that the authorization feature allows a user to execute.

deny "xpath"

The XPath string for a configuration command that the authorization feature does not allow a user to execute.

accept "command"

An operational command that the authorization feature allows a user to execute.

deny "command"

An operational command that the authorization feature does not allow a user to execute.

task authorization_task

The name of a configured authorization task.

Cisco SD-WAN Release 14.1

Command introduced.

Cisco SD-WAN Release 20.4.1

password-policy commands introduced.

Cisco SD-WAN Release 20.5.1

accounting command introduced.

task commands introduced.

authorization_task argument introduced.

Access List Name:

Name of the access list to configure or to apply to the interface. acl-name can be up to 32 characters long.

Direction in which to Apply Access List:

Direction in which to apply the access list. Applying it in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.

16.3

Command introduced.

Access List Name:

Name of the access list to configure or to apply to the interface.

Direction in which to Apply Access List:

Direction in which to apply the access list. Applying it in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.

14.1

Command introduced.

Accounting Update Interval:

How often to send 802.1X interim accounting updates to the RADIUS server.

Range:

0 through 7200 seconds

Default:

0 (no interim accounting updates are sent)

16.3

Command introduced.

Accounting Attribute Number:

RADIUS accounting attribute number.

Range:

1 through 64

Attribute Value:

Value of the attribute. Specify the value as an integer, octet, or string, depending on the accounting attribute itself.

16.3

Command introduced.

Count of Matching Items

Count the packets or bytes that match the application-aware routing policy, saving the information to the specified filename.

Log Packets:

Place a sampled set of packets that match the SLA class rule into the vsyslog and messages system logging (syslog) files.

Tunnel To Send Data Traffic:

Direct data packets that match the parameters in the match portion of the policy app-route-policy configuration to a tunnel interface that meets the SLA characteristics in the SLA class sla-class-name. Configure the SLA class with the policy sla-class command.

• sla-class sla-class-name—When you specify an SLA class with no additional parameters, data traffic that matches the SLA is forwarded as long as one tunnel interface is available. The software first tries to send the traffic through a tunnel that matches the SLA. If a single tunnel matches the SLA, data traffic is sent through that tunnel. If two or more tunnels match, traffic is distributed among them. If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.

• sla-class sla-class-name preferred-color color—To set a specific tunnel to use when data traffic matches an SLA class, include the preferred-color option, specifying the color of the preferred tunnel. If more than one tunnel matches the SLA, traffic is sent to the preferred tunnel. If a tunnel of the preferred color is not available, traffic is sent through any tunnel that matches the SLA class. If no tunnel matches the SLA, data traffic is sent through any available tunnel. In this sense, color preference is considered to be a loose matching, not a strict matching, because data traffic is always forwarded, whether a tunnel of the preferred color is available or not.

• sla-class sla-class-name preferred-color colors—To set multiple tunnels to use when data traffic matches an SLA class, include the preferred-color option, specifying two or more tunnel colors. Traffic is load-balanced across all tunnels. If no tunnel matches the SLA, data traffic is sent through any available tunnel. In this sense, color preference is considered to be a loose matching, not a strict matching, because data traffic is always forwarded, whether a tunnel of the preferred color is available or not. When no tunnel matches the SLA, you can choose how to handle the data traffic:

• strict—Drop the data traffic.

• backup-sla-preferred-color—Direct the data traffic to a specific tunnel. Data traffic is sent out the configured tunnel if that tunnel interface is available; if that tunnel is unavailable, traffic is sent out another available tunnel. You can specify one or more tunnel colors. As with the preferred-color option, the backup SLA preferred color is loose matching.

In a single action configuration, you cannot include both the strict and backup-sla-preferred-color options. In these options, color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

Accept or Reject:

By default, all items that match the parameters in the match portion of the policy control-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.

OMP Tag:

Set the tag string that is included in accepted OMP routes.

Preference Value:

Set the preference value that is included in accepted OMP routes.

Range:

1 through 256

Send to VPN:

Direct matching routes to the specified VPN or VPN list. You can configure this option only with match route match conditions.

Service:

Direct matching routes to the named service. service-name can be FW, IDS, IDP, netsvc1, netsvc2, netsvc3, and netsvc4. The IP address of one TLOC or list of TLOCs identifies the TLOCs to which the traffic should be directed to reach the service. If the list contains multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.

TLOC Action:

Direct matching routes or TLOCs using the mechanism specified by action, and enable end-to-end tracking of whether the ultimate destination is reachable. Setting a TLOC action is useful when traffic is first directed, via policy, to an intermediate destination, which then forwards the traffic to its ultimate destination. For example, for traffic from vEdge-A destined for vEdge-D, a policy might direct traffic from vEdge-A first to vEdge-B (the intermediate destination), and vEdge-B then sends it to the final destination, vEdge-D.action can be one of the following:

• ecmp—Equally direct matching control traffic between the intermediate destination and the ultimate destination. In our example, traffic would be sent to vEdge-B (which would then send it to vEdge-D) and directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the ultimate destination.

• primary—First direct matching traffic to the intermediate destination. If that router is not reachable, then direct it to the final destination. In our example, traffic would first be sent to vEdge-B. If this router is down, it is sent directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the final destination.

• backup—First direct matching traffic to the final destination. If that router is not reachable, then direct it to the intermediate destination. In our example, traffic would first be sent directly to vEdge-D. If the vEdge-A is not able to reach vEdge-D, traffic is sent to vEdge-B, which might have an operational path to reach vEdge-D. With this action, if the source is unable to reach the final destination directly, it is possible for all traffic to reach the final destination via the intermediate destination.

• strict—Direct matching traffic only to the intermediate destination. In our example, traffic is sent only to vEdge-B, regardless of whether it is reachable. With this action, if the intermediate destination is down, no traffic reaches the final destination. If you do not configure a set tloc-action action in a centralized control policy, strict is the default behavior.

Setting the TLOC action option enables the vSmart controller to perform end-to-end tracking of the path to the ultimate destination router. In our example, matching traffic goes from vEdge-A to vEdge-B and then, in a single hop, goes to vEdge-D. If the tunnel between vEdge-B and vEdge-D goes down, the vSmart controller relays this information to vEdge-A, and vEdge-A removes its route to vEdge-D from its local route table. End-to-end tracking works here only because traffic goes from vEdge-B to vEdge-D in a single hop, via a single tunnel. If the traffic from vEdge-A went first to vEdge-B, then to vEdge-C, and finally to vEdge-D, the vSmart controller is unable to perform end-to-end tracking and is thus unable to keep vEdge-A informed about whether full path between it and vEdge-D is up.

TLOC List:

Direct matching routes or TLOCs to the TLOC or TLOCs in the named TLOC list . If the list contains multiple TLOCs, the traffic is load-balanced amont them. Changing an OMP route's TLOC is one way to use policy to effect traffic engineering, which directs packets to specific vEdge routers. The color configured in the TLOC list provides a means to separate streams of traffic.

Accept or Drop:

By default, all packets that match the parameters in the match portion of the policy data-policy configuration are dropped. Include drop to explicitly reject matching packets. Include accept to accept matching packets and to perform any specified actions.

Count Packets:

Count the packets that match the match criteria, saving the information to the specified filename.

Log Packets:

Place a sampled set of packets that match the match conditions into the vsyslog and messages system logging (syslog) files.

NAT Functionality:

Direct matching traffic to the NAT functionality so that it can be directed directly to the Internet or other external destination. In Releases 16.2 and earlier, you cannot use NAT with deep packet inspection.

nat fallback

This command attempts to route traffic through an alternate route, typically through a data center route, in the following conditions:

• The nat use-vpn 0 command is routing traffic through a NAT direct internet access (DIA) interface.

• The NAT DIA interface is not available or is inactive.

Without this command, when the nat use-vpn 0 command is used and the NAT DIA interface is not available or is inactive, the traffic is dropped.

Use nat use-vpn 0 and nat fallback with the match command to operate when specific criteria are met.

Example:

from-vsmart data-policy service-side-nat-policy
direction from-service
vpn-list vpn-1
sequence 91
   match
    source-data-prefix-list RFC1918
   action accept
    nat use-vpn 0
    nat fallback
exit

Next-Hop Address:

Set the next-hop address in accepted packets.

Optimize TCP Traffic:

Fine-tune TCP to decrease round-trip latency and improve throughout for TCP traffic.

Policer:

Policy the packets using the specified policer.

Service:

Direct matching packets to the named service. service-name can be FW, IDS, IDP, netsvc1, netsvc2, netsvc3, and netsvc4. The TLOC address or list of TLOCs identifies the TLOCs to which the traffic should be directed to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.

Service via GRE Tunnel:

Direct matching packets to the named service that is reachable via a GRE tunnel whose source is in the transport VPN (VPN 0). If the GRE tunnel used to reach the service is down, packet routing falls back to using standard routing. To drop packets when a GRE tunnel to the service is unreachable, include the restrict option. In the service VPN, you must also advertise the service using the service command. You configure the GRE interface or interfaces in the transport VPN (VPN 0).

Split DNS Server:

For a policy that enables split DNS (that is, when the match condition specifies dns-app-list and dns), specify how to direct matching packets. For DNS queries (dns request), specify the IP address of the DNS server to use to resolve the DNS query. For DNS responses (dns response), specify host so that the response from the DNS server is properly forwarded to the requesting service VPN.

TLOC from a List of TLOCs:

Direct matching packets to one of the TLOCs is the list defined with a policy lists tloc-list list. When the list contains multiple TLOCs that are available and that satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more of TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.

TLOC Identified by Color:

Direct matching packets to a TLOC identified by its color and, optionally, its encapsulation.color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

By default, encapsulation is ipsec. It can also be gre. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if the TLOC is unavailable, include the restrict option.

TLOC Identified IP Address and Color:

Direct matching packets to a TLOC identified by its IP address and color, and optionally, by its encapsulation.color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

By default, encapsulation is ipsec. It can also be gre.

VPN:

Set the VPN Identifier that is included in accepted packets.

Accept or Reject:

By default, all items that match the parameters in the match portion of the policy data-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.

Enable Packet Collection:

Collect packets for traffic monitoring.

Accept or Reject:

By default, all items that match the parameters in the match portion of the policy control-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.

Aggregator:

Set the AS number in which a route aggregator is located and the IP address of the route aggregator. as-number can be a value from 1 through 65535.

AS Path:

Exclude or append one or more AS numbers at the beginning of the AS path. Each as-number can be a value from 1 through 65535. If you specify more than one AS number, include the numbers in quotation marks.

Atomic Aggregate:

Set the BGP atomic aggregate attribute.

Community:

Set the BGP community value. It can be aa:nn, internal, local-as, no-advertise, and no-export. In aa:nn, aa is the AS community number and nn is a two-byte number.

Local Preference:

Set the BGP local preference value. number can be a value from 0 through 4294967295.

Metric:

Set the metric. number can be a value from 0 through 4294967295.

Metric Type:

Set the metric type. type can be type1 or type2.

Next-Hop Address:

Set the next-hop address.

OMP Tag Value:

Set the OMP tag value. number can be a value from 0 through 4294967295.

Origin Code:

Set the BGP origin code. origin can be egp, igp (default), and incomplete.

Originator:

Set the IP address from which the route was learned.

OSPF Tag Value:

Set the OSPF tag value. number can be a value from 0 through 4294967295.

Weight:

Set the BGP weight. number can be a value from 0 through 4294967295.

Accept or Drop:

By default, all packets that match the parameters in the match portion of the policy access-list configuration are dropped. Include drop to explicitly reject matching packets. Include accept to accept matching packets and to perform any specified actions.

Count Packets

Count the packets that match the match criteria, saving the information to the specified filename. If you configure a counter and additional actions, such as policing, the data packets are counted before the other actions are performed, regardless of the order in which you enter the commands in the configuration.

Class

Assign the packets to the specified QoS class name.

DSCP;

For QoS, set or overwrite the DSCP value in the packet. value can be a number from 0 through 63.

Log Packet Headers:

Log the packet headers into the vsyslog and messages system logging (syslog) files.

Mirroring:

Mirror the packets to the specified mirror.

Next-Hop Address:

Set the next-hop address. The address must be an IPv4 address.

Policing:

Police the packets using the specified policer.

Drop:

Discard the data traffic.

Inspect:

Inspect the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.

Log Packet Headers:

Log the packet headers into the vsyslog and messages system logging (syslog) files.

Pass Through:

Allow the packet to pass through to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.

14.1

Command introduced.

14.2

Added application-aware routing policy.

14.3

Added Cflowd traffic monitoring.

15.2

Added setting GRE encapsulation and preferred color for an SLA class.

15.4

Added match condition for localized control policy.

16.1

Added log option to application-aware policy action.

16.3

Added backup-sla-preferred-color option for application-aware routing.

17.1

Added load-balancing among multiple colors for application-aware routing.

17.2

Added redirect-dns option for centralized data policy.

18.2

Added zone-based firewall policy.

Cisco IOS XE Catalyst SD-WAN Release 17.2.1r

Added support to Cisco IOS XE Catalyst SD-WAN devices for selecting one or more local TLOCs for an action.

Cisco IOS XE Release 17.4.1

Cisco SD-WAN Release 20.4.1

Added support for Cisco IOS XE Catalyst SD-WAN devices for redirecting application traffic to a Secure Internet Gateway (SIG).

Accept or Drop:

By default, all packets that match the parameters in the match portion of the policy access-list configuration are dropped. Include drop to explicitly reject matching packets. Include accept to accept matching packets and to perform any specified actions.

Count Packets:

Count the packets that match the match criteria, saving the information to the specified filename. If you configure a counter and additional actions, such as policing, the data packets are counted before the other actions are performed, regardless of the order in which you enter the commands in the configuration.

Class:

Assign the packets to the specified QoS class name.

Log Packet Headers:

Log the packet headers into system logging (syslog) files.

Mirroring:

Mirror the packets to the specified mirror.

Policing:

Police the packets using the specified policer.

Traffic Class:

For QoS, set or overwrite the traffic class value in the packet. value can be a number from 0 through 63.

14.1

16.3

Command introduced.

Command modified for IPv6.

Address Family:

Currently, Cisco SD-WAN software supports only the BGP IPv4 unicast address family.

Aggregate Prefixes:

For all BGP sessions, aggregate the specified prefixes. To generate set path information, include the as-set option. To filter out more specific routes from BGP updates, include the summary-only option.

IBGP and EBGP Multipath Load Sharing:

For all BGP sessions, enable multipath load sharing, and configure the maximum number of parallel paths that can be installed into a route table.

Range:

0 to 32

Networks To Advertise:

Networks to be advertised by BGP. Identify the networks by their prefix and length.

Prefixes Received from a Neighbor:

Configure how to handle prefixes received from the BGP neighbor:

number is the maximum number of prefixes that can be received from the neighbor.

Range:

1 through 4294967295

Default:

0 (there is no limit to the number of prefixes received)

Treshold is the percentage of the maximum number of prefixes at which to either generate a warning message or restart the BGP peering session.

Range:

1 through 100 percent

Default:

0 (no warning message is generated)

restart minutes is how long to wait after the maximum number of prefixes has been exceeded before restarting the BGP peering session with the neighbor.

Range:

0 through 65535 minutes (approximately 1092 hours, or 45 days)

Default:

None

warning-only displays a warning message only when the maximum prefix limit is exceeded.

Policy to Apply to Received Prefixes:

Apply the specified policy, policy-name, to prefixes received from the neighbor. You can apply the policy inbound (in) as the prefixes are received from the neighbor or outbound (out) as they are send to the neighbor.

Redistribute Routes into BGP:

For all BGP sessions, redistribute routes learned from other protocols into BGP. Optionally, apply a route policy to the redistributed routes.

14.1

16.3

Command introduced.

Added redistribute natpool-outside option.

Address Pool:

IPv4 prefix range of the DHCP address pool.

14.3

Command introduced.

16.2

17.2

Command introduced.

Modified for supporting authentication order process for console connections.

Disable DHCP Server Functionality:

By default, DHCP server functionality is disabled on a vEdge router interface.

Enable DHCP Server Functionality:

Allow the vEdge router to act as a DHCP server for the local site networks accessible through this interface.

14.3

Command introduced.

17.1

Command introduced.

Aggregate Routes:

Aggregate routes from the specified prefix before advertising them into OMP. By default, the aggregated prefixes and all individual prefixes are advertised. To advertise only the aggregated prefix, include the aggregate-only option.

BGP Routes:

Advertise all BGP routes learned by the Cisco vEdge device or Cisco IOS XE SD-WAN device to OMP.

Connected Routes:

Advertise all connected routes on the Cisco vEdge device or Cisco IOS XE SD-WAN device to OMP. Connected routes are advertised by default. To disable advertisement, use the no advertise connected command.

Network Routes:

Advertise a specific route learned by the Cisco vEdge device or Cisco IOS XE SD-WAN device to OMP. This route must be in the device route table for the VPN. Use this option to advertise a specific route instead of advertising all routes for a protocol.

OSPF Routes:

Advertise all OSPF routes learned by the local Cisco vEdge device or Cisco IOS XE SD-WAN device to OMP. For the global OMP configuration, type can be external, to advertise routes learned from external ASs. For the VPN-specific OMP configuration, type can be external, to advertise routes learned from the local AS. For the global OMP configuration, OSPF external routes are advertised by default.

Static Routes:

Advertise all static routes configured on the Cisco vEdge device or Cisco IOS XE SD-WAN device to OMP. Static routes are advertised by default. To disable advertisement, use the no advertise static command.

IS-IS Routes

Advertise both Level 1 and Level 2 IS-IS routes for Software Defined Access (SDA) for both the IPv4 and IPv6 address families.

route-map

(Optional) Specifies the route map that should be interrogated to filter the importation of routes from this source routing protocol to the current routing protocol. If not specified, all routes are redistributed. If this keyword is specified, but no route map tags are listed, no routes will be imported.

14.1

Command introduced.

Added route-map.

MAC Table Entry Aging Time:

How long an entry is in the MAC table before it ages out.

Default:

300 seconds (5 minutes)

Range:

10 through 4096 seconds

15.3

Command introduced.

16.3

Command introduced.

15.4

Command introduced.

Interface Type:

Name of a physical interface. The services that you configure in allow-service commands apply only to physical interfaces, such as ge and eth interfaces. They do not apply to non-physical interfaces, such as loopback interfaces.

Type of Service:

Type of service to allow or disallow on the WAN tunnel connection.

On vEdge routers, service-name can be all or one of more of bgp, dhcp, dns, https, icmp, netconf, ntp, ospf, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, HTTPS, and ICMP are enabled on a vEdge router tunnel interface. On vSmart controllers, service-name can be all or one or more of dhcp, dns, icmp, netconf, ntp, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, and ICMP are enabled on a vSmart controller tunnel interface. On vManage NMSs, service-name can be all or one or more of dhcp, dns, https, icmp, netconf, ntp, sshd, and stun. By default, DHCP (for DHCPv4 and DHCPv6), DNS, ICMP, and HTTPS are enabled on a vManage NMS tunnel interface. You cannot disallow the following services: DHCP, DNS, NTP, and STUN. If you allow the NTP service on the WAN connection in VPN 0, you must configure the address of an NTP server with the system ntp command. The allow-service stun command pertains to allowing or disallowing a Cisco vEdge device to generate requests to a generic STUN server so that the device can determine whether it is behind a NAT and, if so, what kind of NAT it is and what the device's public IP address and public port number are. On a vEdge router that is behind a NAT, you can also have tunnel interface to discover its public IP address and port number from the vBond controller, by configuring the vbond-as-stun-server command on the tunnel interface.

To configure more than one service, include multiple allow-service commands.

Configuring allow-service all overrides any commands that allow or disallow individual services.

14.1

15.4

16.3

18.1.1

Command introduced.

BGP, OSPF services and support for netconf added on vEdge routers.

Added support for DHCPv6.

Added support for https service on vEdge routers.

api-key

API key (hexadecimal).

Cisco IOS XE Catalyst SD-WAN Release 17.2.1r

This command was introduced.

Application-Aware Routing Policy Name:

Name of the application-aware routing policy to configure or to apply to a list of sites in the overlay network. policy-name can be up to 32 characters long.

14.2

Command introduced.

15.2

Command introduced.

Interface Node Type:

List of applications.

Values:

amazon_aws, box_net, concur, dropbox, google_apps, gotomeeting, intuit, office365, oracle, salesforce, sugar_crm, zendesk, zoho_crm   

Default:

none

16.3

Command introduced.

Cflowd Template:

For a centralized data policy that applies to cflowd flow collection, associate a flow collection template with the data policy.

Policy Name:

app-route-policy policy-name control-policy policy-name (in| out)data-policy policy-name (all | from-service | from-tunnel)vpn-membership policy-name Name of the policy to apply to the specified sites. policy-name must match that which you specified in the control-policy, data-policy, or vpn-membership configuration command. For centralized control policy, specify the direction in which to apply the policy. The in option applies the policy to packets before they are placed in the vSmart controller's RIB, so the specified actions affect the OMP routes stored in the RIB. The out option applies the policy to packets after they are exported from the RIB. For centralized data policy, specify the direction in which to apply the policy. The all option (which is the default) applies to all data traffic passing through the vEdge router: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering to the local site through the tunnel interface. To apply the data policy only to policy exiting from the local site, use the from-service option. To apply the policy only to incoming traffic, use the from-tunnel option. You can apply different data policies in each of the two traffic directions.

Site List:

List of sites to which to apply the policy. list-name must match a list name that you configured in the policy lists site-list portion of the configuration. For the same type of policy, when you apply policies with apply-policy commands, the site IDs across all the site lists must be unique. That is, the site lists must not contain overlapping site IDs. An example of overlapping site IDs are those in the two site lists site-list 1 site-id 1-100 and site-list 2 site-id 70-130. Here, sites 70 through 100 are in both lists. If you were to apply these two site lists to two different control-policy policies, for example, the attempt to commit the configuration on the vSmart controller would fail. You can, however, apply one of these sites lists to a control-policy policy and the other to a data-policy policy. The restriction regarding overlapping site IDs applies to the following types of policies:

• Application-aware routing policy (app-route-policy)

• Centralized control policy (control-policy)

• Centralized data policy (data-policy)

• Centralized data policy used for cflowd flow monitoring (a data-policy that includes a cflowd action and an apply-policy that includes a cflowd-template command)

14.1

14.2

14.3

15.2

15.4

16.3

Command introduced.

Added app-route-policy.

Added cflowd-template.

Added all, from-service, and from-tunnel options

Added restrictions so that you cannot apply the same type of policy.

Added support for overlapping sites in different site lists.

Archival Time Interval:

How often to archive the full running configuration. In addition, the running configuration is archived each time you issue the commit command on a Cisco vEdge device.

Range:

5 minutes through 525600 minutes (about one year)

Default:

10080 minutes (7 days)

Location of Archival File:

Path to the directory in which to store the archival file and the base name of the file. file-path can be one of the following:

• ftp: file-path—Path to a file on an FTP server.

• scp: user @ host : file-path

• / file-path / filename—Path to a file on the local Cisco vEdge device.

A separate file is created for each archiving operation. To distinguish the files, a timestamp is appended to the filename. The timestamp has the format yyyy-mm-dd_hh-mm-ss.

SSH Key File

Name of the SSH private key file on the local Cisco vEdge device. This file is used to SCP into a remote file server. The Cisco SD-WAN software automatically generates a public and a private key and places the public key in the SSH key file archive_id_rsa.pub, which is located in /home/admin directory on the Cisco vEdge device. If you do not include the ssh-id-file option in the configuration, the software uses the automatically generated private key. You can also manually generate and upload an SSH private key file.

VPN:

VPN in which the archival file server is located or through which the server can be reached. On vEdge routers, vpn-id can be a value from 0 through 65530. On vSmart controllers, vpn-id can be either 0 or 512.

14.2

Command introduced.

Area Number:

Number of the OSPF area.

Range:

 The area is a 32-bit number.

14.1

Command introduced.

Add a Permanent ARP Table Entry:

Configure a permanent (static) ARP table entry. Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name. Enter the MAC address in colon-separated hexadecimal notation.

Disable ARP:

Remove a static ARP mapping address.

14.1

Command introduced.

Timeout Time

Time before a dynamically learned ARP entry times out.

Range:

0 through 2678400 seconds (744 hours)

Default:

1200 seconds (20 minutes)

14.1

Command introduced.

VLAN Identifier:

Identifier of the VLAN to be the restricted VLAN.

Range:

1 through 4094

16.3

Command introduced.

15.2.8

17.2

Command introduced.

Added support for authentication order process for console connections.

Default Authentication Order:

The default authentication order is local, then radius, and then tacacs​.

Locally Configured Username and Password:

Verify users based on the username and password configured on the local overlay network device. If you specify only one authentication method, it must be local.

RADIUS Authentication:

Verify users based on usernames and passwords configured on a RADIUS server. RADIUS authentication is performed only if a RADIUS server is configured with the system radius server command.

TACACS+ Authentication:

Verify users based on usernames and passwords configured on a RADIUS server. RADIUS authentication is performed only if a RADIUS server is configured with the system tacacs server command.

14.1

17.2

Command introduced.

Added authentication order process for console connections.

VLAN Identifier:

Identifier of VLAN into which to place 802.1x-enabled clients if authentication for the clients is rejected by the RADIUS servers.

Range:

1 through 4094

16.3

Command introduced.

Authentication Attribute Number:

RADIUS authentication attribute number.

Range:

1 through 64

Attribute Value:

(integer integer | octet octet | string string) Value of the attribute. Specify the value as an integer, octet, or string, depending on the authentication attribute itself.

16.3

Command introduced.

14.1

Command introduced.

17.2

Command introduced.

Authentication Type:

Type of authentication to use on IPsec tunnel connections. You can configure multiple authentication types. Configure each type with a separate security ipsec authentication-type command. The order in which these commands appear in the configuration does not matter. Each pair of vEdge routers advertise their configured authentications in their TLOC properties, and then the two routers negotiate the authentication to use on the IPsec tunnel connection between them. They use the strongest authentication type configured on each router. For example, if vEdge-1 advertises AH-HMAC-SHA1, ESP HMAC-SHA1, and none and vEdge-2 advertises ESP HMAC-SHA1 and none, the two routers negotiate to use ESP HMAC-SHA1 as the integrity method between them.

type can be one of the following options, which are listed in order from most strong to least strong:

• ah-sha1-hmac enables AH-SHA1 HMAC and ESP HMAC-SHA1. With the authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable), and AH authenticates these fields, as well as the non-mutable fields in the outer header. AH creates an HMAC-SHA1 hash and places it in the last field of the data packet.

• ah-no-id enables a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header. This option accommodates some non-Cisco-vEdge devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco SD-WAN AH software ignore the ID field in the IP header so that the Cisco SD-WAN software can work in conjunction with these devices.

• sha1-hmac enables ESP HMAC-SHA1. With this authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable). ESP then creates an HMAC-SHA1 hash and places it in the last field of the data packet.

• none maps to no authentication. With this authentication type, ESP encrypts the inner header, packet payload, ESP trailer, and MPLS label (if applicable), but no HMAC-SHA1 hash is calculated. You can choose this option in situations where data plane authentication and integrity are not a concern.

For information about which data packet fields are affected by these authentication types, see the "Data Plane Integrity" section in the Data Plane Security Overview article for your software release.

For Releases 16.2 and later, the encryption algorithm on IPsec tunnel connections is either AES-256-GCM or AES-256-CBC. For unicast traffic, if the remote side supports AES-256-GCM, that encryption algorithm is used. Otherwise, AES-256-CBC is used. For multicast traffic, the encryption algorithm is AES-256-CBC. For Releases 16.1 and earlier, the encryption algorithm on IPsec tunnel connections is AES-256-CBC. You cannot modify the encryption algorithm choice made by the software.

When you change the IPsec authentication, the AES key for the data path is changed.

Default: ah-sha1-hmac and sha1-hmac

14.2

Command introduced.

Cisco SD-WAN Release 20.6.1

This command was deprecated. Starting from Cisco SD-WAN Release 20.6.1, use the command integrity-type instead.

Reference Bandwidth:

Interface speed.

Range:

1 through 4294967 Mbps

Default:

100 Mbps

14.1

Command introduced.

14.2

Command introduced.

15.3

17.1

Command introduced.

Disable this command for IRB interfaces.

Interface Transmission Bandwidth:

Maximum transmitted traffic on a physical interface to allow before generating a notification. When the transmission rates exceeds 85 percent of this rate, an SNMP trap is generated.

Range:

1 through 2147483647 (2³² / 2) – 1 kbps

16.2

Command introduced.

Login Banner Text:

Text string for the login banner. The string can be from 1 to 2048 characters long. If the string contains spaces, enclose it in quotation marks. To insert a line break, type \n.

For Cisco IOS XE SD-WAN Release 16.12.1r, to insert a line break, type \x0a.

From Cisco IOS XE Catalyst SD-WAN Release 17.3.1a onwards, to insert a line break, type \n and delimiters like double-quotes ("") are not required in the banner string.

14.1

Command introduced.

15.1.1

Changed maximum banner length to 2048 characters.

Cisco IOS XE SD-WAN 16.12.1r

Changed the value for inserting a line break for the banner string.

Cisco IOS XE Catalyst SD-WAN Release 17.3.1a

Changed the value for inserting a line break to \n for the banner string.

Login Banner Text:

Text string for the login banner. The string can be from 1 to 2048 characters long. If the string contains spaces, enclose it in quotation marks. To insert a line break, type \n.

For Cisco IOS XE SD-WAN Release 16.12.1r, to insert a line break, type \x0a.

From Cisco IOS XE Catalyst SD-WAN Release 17.3.1a onwards, to insert a line break, type \n and delimiters like double-quotes ("") are not required in the banner string.

14.1

15.1.1

Command introduced.

Chnaged maximum banner length to 2048 characters.

Cisco IOS XE SD-WAN 16.12.1r

Changed the value for inserting a line break for the banner string.

Cisco IOS XE Catalyst SD-WAN Release 17.3.1a

Changed the value for inserting a line break to \n for the banner string.

Select Routes with BGP Multipath:

By default, when you are using BGP multipath, the BGP best path process selects from routes in the same AS to load-balance across multiple paths. If you configure the as-path multipath-relax option, the BGP best path process selects from routes in different ASs.

Use the MED to Select the Active BGP Path:

Compare the specified multi-exit discriminator (MED) parameter to determine the active path. The MED parameter can be one of:

always-compare: Always compare MEDs regardless of whether the peer ASs of the compared routes are the same.

deterministic: Compare MEDs from all routes received from the same AS regardless of when the route was received.

missing-as-worst: If a path is missing a MED attribute, consider it to be the worst path.

Use the Router ID to Select the Active BGP Path:

Compare the router IDs among BGP paths to determine the active path. The system prefers the router with the lowest router ID. If the received route contains an ORIGINATOR_ID attribute (through iBGP reflection), the system uses that router ID; if the attribute is not present, the system uses the router ID of the peer that route was received from.

14.1

Command introduced.

Multiplier for the Polling Interval:

Value to multiply the poll interval by to set how often application-aware routing acts on the data plane tunnel statistics to figure out the loss and latency and to calculate new tunnels if the loss and latency times do not meet configured SLAs.

Range: 1 through 6

Default: 6

Polling Interval:

How often BFD polls all data plane tunnels on a vEdge router to collect packet latency, loss, and other statistics to be used by application-aware routing.

Range: 

1 through 4,294,967,295 (2³² – 1) milliseconds

Default: 

600,000 milliseconds (10 minutes)

14.2

Command introduced.

Hello Packet Interval:

For the transport tunnel, how often BFD sends Hello packets. BFD uses these packets to detect the liveness of the tunnel connection and to detect faults on the tunnel.

Range:

100 through 300000 milliseconds (5 minutes)

Default:

1000 milliseconds (1 second)

Identifier for the Transport Tunnel:

Transport tunnel for data traffic moving between vEdge routers. The color identifies a specific WAN transport provider.

Values:

3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, silver

Default:

default

Multiplier for the Hello Packet Interval:

How many Hello packet intervals BFD waits before declaring that a tunnel has failed. BFD declares that the tunnel has failed when, during all these intervals, BFD has received no Hello packets on the tunnel. This interval is a multiplier of the Hello packet interval time. For example, with the default Hello packet interval of 1000 milliseconds (1 second) and the default multiplier of 7, if BFD has not received a Hello packet after 7 seconds, it considers that the tunnel has failed and implements its redundancy plan.

Range:

1 through 60

Default:

7 (for hardware vEdge routers), 20 (for vEdge Cloud software routers)

Path MTU Discovery:

Control BFD path MTU discovery on the transport tunnel. By default, BFD PMTU discovery is enabled, and it is recommended that you do not modify this behavior. With PMTU discovery enabled, the path MTU for the tunnel connection is checked periodically, about once per minute, and it is updated dynamically. With PMTU discovery enabled, 16 bytes might be required by PMTU discovery, so the effective tunnel MTU might be as low as 1452 bytes. From an encapsulation point of view, the default IP MTU for GRE is 1468 bytes, and for IPsec it is 1442 bytes because of the larger overhead. Enabling PMTU discovery adds to the overhead of the BFD packets that are sent between the vEdge routers, but does not add any overhead to normal data traffic. If PMTU discovery is disabled, the expected tunnel MTU is 1472 bytes (tunnel MTU of 1500 bytes less 4 bytes for the GRE header, 20 bytes for the outer IP header, and 4 bytes for the MPLS header). However, the effective tunnel MTU might be 1468 bytes, because the software might sometimes erroneously add 4 bytes to the header.

Default: Enabled

14.1

15.1

15.1.1

15.2

15.3.2

16.1

16.2

20.5

Command introduced.

Added pmtu-discovery option, renamed interval option to hello-interval, and changed Hello interval units from seconds to milliseconds.

Changed default multiplier from 3 to 7.

Added colors private3, private4, private5, and private6.

Enabled path MTU discovery by default.

Added default multiplier for vEdge Cloud routers.

Changed maximum hello interval from 60 seconds to 5 minutes.

Added the sla-damp-multiplier keyword for Cisco vEdge devices.

Specifies an identifier for the transport tunnel for data traffic moving between vEdge routers. The color identifies a specific WAN transport provider.

The following are the color values:

3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, silver

Default:

default

20.5.1

This command is introduced.

Local AS Number:

AS number of the local BGP site. You can specify the AS number in 2-byte asdot notation (1 through 65535) or in 4-byte asdot notation (1.0 through 65535.65535).

14.1

Command introduced.

Interface Name

Physical WAN interface to bind to a loopback interface. interface-name has the format ge slot/port. Both the loopback and physical WAN interfaces must be in VPN 0.

14.2

Command introduced.

Cisco SD-WAN Release 19.2

Cisco IOS XE SD-WAN Release 16.12.1

Added support for Cisco XE SD-WAN routers.

14.2

Command introduced.

17.1.1

Command introduced.

Bridging Domain Description:

Text description of the bridging domain. If text contains spaces, enclose it in quotation marks.

Bridging Domain Identifier:

Number that identifies the bridging domain.

Range:

1 through 63

14.1

Command introduced.

Private Network Identifier:

Carrier name to associate with a tunnel interface.

Values:

carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default

Default:

default

14.2

Command introduced.

Cellular Interface Name:

Name of the cellular interface. It must be cellular0.

16.1

Command introduced.

Template Name:

Name of the template.

14.3

Command introduced.

Automatic Channel Selection:

Have the router automatically select the best channel to use from among all channels or from among all channels except for those with dynamic frequency selection (DFS) capabilities. Airport radar uses frequencies that overlap DFS channels. If you are using a 5-GHz radio band, and if your installation is near an airport, it is recommended that you configure auto-no-dfs, to remove DFS channels from the list of available channels.

Default:

auto

Channel for 2.4-GHz WLANs:

Use a 2.4-GHz radio band. This band supports IEEE 802.11b, 802.11g, and 802.11n clients.

Range:

1 through 13, depending on the country configuration.

Channel for 5-GHz WLANs:

Use a 5-GHz radio band. This band supports IEEE 802.11a, 802.11n, and 802.11ac clients. You can configure channels for standard or for DFS capabilities.Channels available for 5-GHz, including DFS: 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 149, 153, 157, 161, and 165, depending on the country configuration

16.3

Command introduced.

Channel Bandwidth

Bandwidth available on the WLAN channel.

Values:

20, 40, 80 MHz

Default:

20 MHz (for 2.4 GHz); 80 MHz (for 5 GHz)

Authentication and Encryption Type for IKE Key Exchange:

Type of authentication and integrity checking to use during IKE key exchange. It can be one of the following:

• aes128-cbc-sha1—Use the AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity.

• aes128-cbc-sha2—Use the AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.

• aes256-cbc-sha1—Use the AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for integrity. This is the default.

• aes256-cbc-sha2—Use the AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm for integrity.

Encryption Type for IPsec Tunnel:

Type of encryption to use on an IPsec tunnel that is being used for IKE key exchange. It can be one of the following:

• aes256-cbc-sha1—Calculate message encryption using the AES-256 cipher in CBC (cipher block chaining) mode and using HMAC-SHA1-96 keyed-hash message authentication.

• aes256-gcm—Calculate message encryption using the AES-256 algorithm in GCM (Galois/counter mode). This is the default.

• null-sha1—Do not encrypt the IPsec tunnel that is being used for IKE key exchange traffic.

17.2

18.2

Command introduced.

Added support for SHA2-based ciphers for IKE.

Class Mapping to Output Queue:

Map a class name to an interface queue number. The class name can be a text string from 1 to 32 characters long. On hardware vEdge routers and Cloud vEdge virtualized routers, each interface has eight queues, numbered from 0 through 7. Queues 1 through 7 are available for data traffic, and the default scheduling method for these seven queues is weighted round-robin (WRR). Queue 0 is reserved, and is used for both control traffic and low-latency queuing (LLQ). For LLQ, any class that is mapped to queue 0 must also be configured to use LLQ; 100 percent of control traffic is transmitted. In Releases 17.2 and earlier, on Cloud vEdge virtualized routers, each interface has four queues, numbered from 0 through 3. Queue 0 is reserved for control traffic, and queues 1, 2, and 3 are available for data traffic. The scheduling method for all four queues is WRR. LLQ is not supported.

14.1

14.2

16.3

17.2.2

Command introduced.

Changed the LLQ queue from queue 1 to queue 0. The software supports only one queue for LLQ, and it must be queue 0.

Added support for multicast traffic and for vEdge Cloud routers.

vEdge Cloud routers support eight queues, with queue 0 reserved for LLQ

timezone timezone

Set the timezone on the device. timezone is one of the timezones in the tz database (also called tzdata, the zoneinfo database, or the IANA timezone database). timezone has the format area/location. area is the name of a continent (Africa, America, Antarctica, Asia, Australia, or Europe), an ocean (Arctic, Atlantic, Indian, or Pacific), or Etc (such as Etc/UTC and Etc/GMT). location is the name of a specific location within the area, usually a city or small island. For more information, see the IANA Time Zone Database.

Default: UTC

14.1

Command introduced.

15.2

Support for the IANA timezone database added .

16.3

Command introduced.

16.3

Command introduced.

16.3

Command introduced.

Address and Port of the Collector:

IP address of the collector and port number to use. The default collector port is 4739.

Interface to Reach Collector:

Interface to use to send flows to the collector. interface-name can be a Gigabit Ethernet or 10-Gigabit Ethernet interface (ge) or a loopback interface (loopback number).

Transport Protocol

Transport protocol used to reach the collector. transport-type can be transport_tcp or transport_udp.

VPN:

Number of the VPN in which the collector is located.

14.3

16.2.2

Command introduced.

Added source-interface option.

Color:

Identify an individual WAN transport tunnel by assigning it a color. The color is one of the TLOC parameters associated with the tunnel. (While the CLI on a vSmart controller allows you to configure a color, the color has no meaning because vSmart controllers have no TLOCs.) On a vEdge router, you can configure only one tunnel interface that has the color default. The colors metro-ethernet, mpls, and private1 through private6 are private colors. They use private addresses to connect to the remote side vEdge router in a private network. You can use these colors in a public network provided that there is no NAT device between the local and remote vEdge routers.

Values:

3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1, private2, private3, private4, private5, private6, public-internet, red, and silver

Default:

default

Restrict WAN Transport Tunnel:

Allow the local WAN transport tunnel to be created and a BFD session for the tunnel to established to the remote vEdge router only if a tunnel of the same color exists on the remote router. If, for a tunnel, you change the color only, the restrict option remains configured. To remove the restriction on a color, first issue the no color command and then configure the new color.

14.1

15.1

15.2

15.2

Command introduced.

Added restrict option.

Added colors private3, private4, private5, and private6.

Supporeted application of restrict option to any color.

Authorization Level:

Set the access authorization level for SNMP Get, GetNext, and GetBulk requests. The MIBs supported by the Cisco SD-WAN software do not allow write operations, so you can configure only read-only authorization (which is the default authorization).

Community String:

Define the name an SNMP community, which authorizes SNMP clients based on the source IP address of incoming packets. The community name can be a maximum of 32 characters. If it includes spaces, enclose it in quotation marks (" "). The name can include angle brackets (< and >).

Specify the MIB Objects an SNMP Manager Can Access:

Configure the view, or MIB objects, that the SNMP manager can access for this community. You define the view name with the snmp view configuration command. The view name can be a maximum of 255 characters. If it includes spaces, enclose the name in quotation marks (" ").

14.1

16.3

Command introduced.

Allowed angle brackets in the community string.

RFC 2328 Compliance:

Per RFC 1583, RFC 1583 compliance is enabled by default, and no configuration is necessary. To calculate the cost of OSPF summary routes based on RFC 2328, include the no compatible rfc1583 configuration command.

14.1

Command introduced.

Number of HTTPS Connections:

Set the maximum number of HTTPS connections to a vManage application server.

Range:

1 through 512

Default:

50

16.1.1

Command introduced.

Baud Rate:

Set the baud rate, in baud or bits per second (bps). Each signal carries only one bit, so the baud rate is equal to the bits-per-second rate.

Values:

1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200

Default:

115200

14.2

Command introduced.

Name of Contact:

Name of the contact person in charge of managing the Cisco vEdge device. The string can be a maximum of 255 characters. If it contains spaces, enclose the string in quotation marks (" ").

14.1

Command introduced.

Protocol for Control-Plane Connections:

Protocol to use for control plane connections.

Default:

DTLS

TLS Port Number:

For TLS tunnels only, port number to use for TLS control plane connections.

Range:

1025 through 65535

Default:

23456

14.3

Command introduced.

Do Not Establish a Control Connection for a TLOC:

Do not attempt to establish a control connection for a TLOC. You can configure this option only on a vEdge router that has multiple TLOCs. One of the TLOCs must attempt to establish a DTLS or TLS control connection so that the router learns overlay network routing information from the Cisco Catalyst SD-WAN Controllers. This routing information is shared across all the TLOCs on the router.

15.1

15.3.3

15.4

Command introduced.

Supported a vEdge router establishes only one control connection to Cisco SD-WAN Manager.

This command is deprecated. Use the max-control-connections command instead.

Send and Receive Packets:

Set the 802.1x interface to send packets to and receive packets from unauthorized clients. Bidirectionality is the default behavior.

Send Packets Only:

Set the 802.1x interface to send packets to unauthorized clients, but not to receive them.

16.3

Command introduced.

14.2

Command introduced.

Flow Rate

Set the maximum rate of DTLS control session traffic, in packets per second (pps).

Range:

1 through 65535 pps

Default:

300 pps

14.2

Command introduced.