Service Profile

ACL IPv4

  1. In the Add Feature window, choose ACL IPv4 from the drop-down list.

  2. Enter the Feature Name and the Description for the ACL feature.

  3. Click Add ACL Sequence. The Add ACL Sequence window appears.

  4. Enter the name in the ACL Sequence Name field.

  5. Select the required condition from the Condition drop-down list.

  6. Select the action types Accept or Reject from the Action Type drop-down list.

  7. For the Accept action type, choose the accept condition from the Accept Condition drop-down list.

  8. Click Save.

    To copy, delete, or rename the ACL policy sequence rule, click ... next to the rule's name and select the desired option.

  9. If no packets match any of the ACL policy sequence rules, the default action is to drop the packets. To change the default action:

    1. Click Default Action in the left pane.

    2. Click the Pencil icon.

    3. Change the default action to Accept.

    4. Click Save.

  10. Click Save ACL IPv4 Policy.

The following table describe the options for configuring the ACL IPv4 feature.

Field

Description

ACL Sequence Name

Specifies the name of the ACL sequence.

Condition

Specifies the ACL condition. The options are:

  • DSCP

  • Packet Length

  • PLP

  • Protocol

  • Source Data Prefix

  • Source Port

  • Destination Data Prefix

  • Destination Port

  • TCP

  • Class

  • Peer

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

  • Counter

  • DSCP

  • Log

  • Next Hop

  • Mirror List

  • Class

  • Policer

You can select the specific ACL sequence in the ACL Policy window to edit, delete or add.


Note


You can also configure ACL Policy features from Transport and Service Profile configuration groups.


ACL IPv6

  1. In the Add Feature window, choose ACL IPv6 from the drop-down list.

  2. Enter the Feature Name and the Description for the ACL feature.

  3. Click Add ACL Sequence. The Add ACL Sequence window appears.

  4. Enter the name in the ACL Sequence Name field.

  5. Select the required condition from the Condition drop-down list.

  6. Select the action types Accept or Reject from the Action Type drop-down list.

  7. For the Accept action type, choose the accept condition from the Accept Condition drop-down list.

  8. Click Save.

    To copy, delete, or rename the ACL policy sequence rule, click ... next to the rule's name and select the desired option.

  9. If no packets match any of the route policy sequence rules, the default action is to drop the packets. To change the default action:

    1. Click Default Action in the left pane.

    2. Click the Pencil icon.

    3. Change the default action to Accept.

    4. Click Save.

  10. Click Save ACL IPv6 Policy.

The following table describe the options for configuring the ACL IPv6 feature.

Field

Description

ACL Sequence Name

Specifies the name of the ACL sequence.

Condition

Specifies the ACL condition. The options are:

  • Next Header

  • Packet Length

  • PLP

  • Protocol

  • Source Data Prefix

  • Source Port

  • Destination Data Prefix

  • Destination Port

  • TCP

  • Class

  • Traffic Class

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

  • Counter

  • Log

  • Next Hop

  • Traffic Class

  • Mirror List

  • Class

  • Policer

You can select the specific ACL sequence in the ACL Policy window to edit, delete or add.


Note


You can also configure ACL Policy features from Transport and Service Profile configuration groups.


AppQoE

Use the AppQoE feature to deploy and manage your SD-WAN network more efficiently by optimizing traffic based on sites and applications.

The following table describes the options for configuring the AppQoE feature.

Basic Configuration

Field

Description

Device AppQoE Role *

Service Node

Choose the Service Node option if you want to configure the device as a service node.

Note

 

Service Node is the default option.

Choose both the Service Node and Forwarder options if you want to configure the device as an integrated service node.

Forwarder:

Choose Forwarder if you want to configure the device as a forwarder. The forwarder redirects traffic to other service nodes.

Note

 

From Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, an AppQoE cluster can either operate on IPv4 protocol or IPv6 protocol in the control plane.

  • Forwarder IP Address*: IP address of the device you've configured as a forwarder.

  • AppQoE Service VPN*: Choose the service VPN attached to the interface of the forwarder.

  • Service Node Group: Click Add Service Node Group and enter the following details for the service node group:

    • Group Name: Select the AppQoe group name.

    • Add Service Node: Click Add Service Node and enter the IP address of the service nodes to enable the service controllers to communicate with the service nodes.

      Click the + icon to add up to 32 service nodes for the group. The starting value for the service node is SNG-APPQOE, following which, you can provide a value in the range SNG-APPQOE1 to SNG-APPQOE31.

Advanced

Field

Description

DRE Optimisation

Enable DRE optimisation

Resource Profile

Choose Global to choose a profile size from the options available in the drop-down list.

Choose Defaultto apply the default DRE profile size for the device.

Choose Device Specific to enter a value for the profile.

BGP Routing

Use the Border Gateway Protocol (BGP) feature for service-side routing to provide reachability to networks at the local site.

Table 1. Basic Configuration

Field

Description

AS Number

Enter the local AS number.

Router ID

Enter the BGP router ID, in decimal four-part dotted notation.

Propagate AS Path

Enable this option to carry BGP AS path information into OMP.

Propagate Community

Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution.

External Routes Distance

Specify the BGP route administrative distance for routes learned from other sites in the overlay network.

Range: 1 through 255

Default: 20

Internal Routes Distance

Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another.

Range: 1 through 255

Default: 200

Local Routes Distance

Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP.

Range: 1 through 255

Default: 20

Table 2. Unicast Address Family

Field

Description

IPv4 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat.

At a minimum, choose omp. By default, OMP routes are not redistributed into BGP.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Filter

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

IPv6 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP RIB, regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp.

At a minimum, choose omp. By default, OMP routes are not redistributed into BGP.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name*

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Filter

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

Table 3. Neighbor

Field

Description

IPv4 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Send Label

Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates.

Add Neighbor Address Family

Family Type*

Choose the BGP IPv4 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

  • Policy Off: Policy is off.

  • Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

    When you choose this option, the following fields appear:

    • Maximum Number of Prefixes*: Enter the maximum prefix limit.

      Range: 1 to 4294967295

    • Threshold (percentage): Enter the threshold value:

      Range: 1 to 100

      Default: 75

    • Restart Interval (minutes)*: Enter the time interval.

      Range: 1 to 65535 minutes

  • Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

  • Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

IPv6 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Add IPv6 Neighbor Address Family

Family Type*

Choose the BGP IPv6 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

  • Policy Off: Policy is off.

  • Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

    When you choose this option, the following fields appear:

    • Maximum Number of Prefixes*: Enter the maximum prefix limit.

      Range: 1 to 4294967295

    • Threshold (percentage): Enter the threshold value:

      Range: 1 to 100

      Default: 75

    • Restart Interval (minutes)*: Enter the time interval.

      Range: 1 to 65535 minutes

  • Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

  • Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

BGP Routing

This feature helps you configure the Border Gateway Protocol (BGP) routing in VPN 0 or the WAN VPN.

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:

Basic Configuration

Field

Description

AS Number

Enter the local AS number.

Router ID

Enter the BGP router ID, in decimal four-part dotted notation.

Propagate AS Path

Enable this option to carry BGP AS path information into OMP.

Propagate Community

Enable this option to propagate BGP communities between Cisco Catalyst SD-WAN sites, across VPNs using OMP redistribution.

External Routes Distance

Specify the BGP route administrative distance for routes learned from other sites in the overlay network.

Range: 1 through 255

Default: 20

Internal Routes Distance

Enter a value to apply as the BGP route administrative distance for routes coming from one AS into another.

Range: 1 through 255

Default: 200

Local Routes Distance

Specify the BGP route administrative distance for routes within the local AS. By default, a route received locally from BGP is preferred over a route received from OMP.

Range: 1 through 255

Default: 20

Unicast Address Family

Field

Description

IPv4 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, eigrp, and nat.

At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors.

Route policy is not supported in Cisco vManage Release 20.9.1.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The network prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The aggregate prefix is composed of the IPv4 subnet and the mask. For example, 192.0.2.0 and 255.255.255.0.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Filter

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

IPv6 Settings

Maximum Paths

Specify the maximum number of parallel internal BGP paths that can be installed into a route table to enable internal BGP multipath load sharing.

Range: 0 to 32

Originate

Enable this option to allow the default route to be artificially generated and injected into the BGP Route Information Base (RIB), regardless of whether it is present in the routing table. The newly injected default is advertised to all the BGP peers.

Redistribute

Protocol*

Choose the protocols from which to redistribute routes into BGP, for all BGP sessions. Options are static, connected, ospf, omp, and eigrp.

At a minimum, choose connected, and then under Route Policy, specify a route policy that has BGP advertise the loopback interface address to its neighbors.

Route policy is not supported in Cisco vManage Release 20.9.1.

Route Policy

Enter the name of the route policy to apply to redistributed routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Network

Network Prefix*

Enter a network prefix to be advertised by BGP. The IPv6 network prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

Aggregate Address

Aggregate Prefix*

Enter the prefix of the addresses to aggregate for all BGP sessions. The IPv6 aggregate prefix is composed of the IPv6 address and the prefix length (1-128). For example, the IPv6 subnet is 2001:DB8:0000:0000:: and the prefix length is 64.

AS Set Path

Enable this option to generate set path information for the aggregated prefixes.

Summary Only

Enable this option to filter out more specific routes from BGP updates.

Table Map

Policy Name

Enter the route map that controls the downloading of routes.

Route policy is not supported in Cisco vManage Release 20.9.1.

Filter

When you enable this option, the route map specified in the Policy Name field controls whether a BGP route is to be downloaded to the Route Information Base (RIB). A BGP route is not downloaded to the RIB if it is denied by the route map.

When you disable this option, the route map specified in the Policy Name field is used to set certain properties, such as the traffic index, of the routes for installation into the RIB. The route is always downloaded, regardless of whether it is permitted or denied by the route map.

MPLS Interface

Field

Description

Interface Name*

Enter a name for the MPLS interface.

Neighbor

Field

Description

IPv4 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allows in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Send Label

Enable this option to allow the routers advertise to each other so that they can send MPLS labels with the routes. If the routers successfully negotiate their ability to send MPLS labels, the routers add MPLS labels to all the outgoing BGP updates.

Add Neighbor Address Family

Family Type*

Choose the BGP IPv4 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

  • Policy Off: Policy is off.

  • Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

    When you choose this option, the following fields appear:

    • Maximum Number of Prefixes*: Enter the maximum prefix limit.

      Range: 1 to 4294967295

    • Threshold (percentage): Enter the threshold value:

      Range: 1 to 100

      Default: 75

    • Restart Interval (minutes)*: Enter the time interval.

      Range: 1 to 65535 minutes

  • Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

  • Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

IPv6 Settings

Address*

Specify the IP address of the BGP neighbor.

Description

Enter a description of the BGP neighbor.

Remote AS*

Enter the AS number of the remote BGP peer.

Interface Name

Enter the interface name. This interface is used as the source of the TCP session when establishing neighborship. We recommend that you use a loopback interface.

Allowas in Number

Enter the number of times to allow the advertisement of the autonomous system number (ASN) of a provider edge (PE) device. The range is 1 to 10. If no number is specified, the default value of three times is used.

AS Override

Enable this option to replace the AS number of the originating router with the AS number of the sending BGP router.

Shutdown

Disable this option to enable BGP for the VPN.

Advanced Options

Next-Hop Self

Enable this option to configure the router to be the next hop for routes advertised to the BGP neighbor.

Send Community

Enable this option to send the BGP community attribute of the local router to the BGP neighbor.

Send Extended Community

Enable this option to send the BGP extended community attribute of the local router to the BGP neighbor.

EBGP Multihop

Set the time to live (TTL) for BGP connections to external peers.

Range: 1 to 255

Default: 1

Password

Enter a password to use to generate an MD5 message digest. Configuring the password enables MD5 authentication on the TCP connection with the BGP peer. The password is case-sensitive and can be up to 25 characters long. It can contain any alphanumeric characters, including spaces. The first character cannot be a number.

Keepalive Time (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. Specify the keepalive time for the neighbor, to override the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. Specify the hold time for the neighbor, to override the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Add IPv6 Neighbor Address Family

Family Type*

Choose the BGP IPv6 unicast address family.

In Route Policy

Specify the name of a route policy to apply to prefixes received from the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Out Route Policy

Specify the name of a route policy to apply to prefixes sent to the neighbor.

Route policy is not supported in Cisco vManage Release 20.9.1.

Maximum Prefix Reach Policy*

Choose one of the following options:

  • Policy Off: Policy is off.

  • Policy On - Restart: Configure the time interval at which a peering session is re-established by a device when the number of prefixes that have been received from a peer has exceeded the maximum prefix limit.

    When you choose this option, the following fields appear:

    • Maximum Number of Prefixes*: Enter the maximum prefix limit.

      Range: 1 to 4294967295

    • Threshold (percentage): Enter the threshold value:

      Range: 1 to 100

      Default: 75

    • Restart Interval (minutes)*: Enter the time interval.

      Range: 1 to 65535 minutes

  • Policy On - Warning message: Configure the device to disable the restart capability to allow you to adjust a peer that is sending too many prefixes.

  • Policy On - Disable Peer Neighbor: When the device receives too many prefixes from a peer, and the maximum prefix limit is exceeded, the peering session is disabled or brought down.

Advanced

Field

Description

Keepalive (seconds)

Specify the frequency at which keepalive messages are advertised to a BGP peer. These messages indicate to the peer that the local router is still active and should be considered to be available. This keepalive time is the global keepalive time.

Range: 0 through 65535 seconds

Default: 60 seconds (one-third the hold-time value)

Hold Time (seconds)

Specify the interval after not receiving a keepalive message that the local BGP session considers its peer to be unavailable. The local router then terminates the BGP session to that peer. This hold time is the global hold time.

Range: 0 through 65535 seconds

Default: 180 seconds (three times the keepalive time)

Compare MED

Enable this option to compare the router IDs among BGP paths to determine the active path.

Deterministic MED

Enable this option to compare MEDs from all routes received from the same AS regardless of when the route was received.

Missing MED as Worst

Enable this option to consider a path as the worst path if the path is missing a MED attribute.

Compare Router ID

Enable this option to always compare MEDs regardless of whether the peer ASs of the compared routes are the same.

Multipath Relax

Enable this option to have the BGP best-path process select from routes in different ASs. By default, when you are using BGP multipath, the BGP best-path process selects from routes in the same AS to load-balance across multiple paths.

DHCP Server

This feature allows an interface to be configured as a DHCP helper so that it forwards the broadcast DHCP requests that it receives from the DHCP servers.

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:

Basic Configuration

Field

Description

Address Pool*

Enter the IPv4 prefix range, in the format prefix/length, for the pool of addresses in the service-side network for which the router interface acts as the DHCP server.

Exclude

Enter one or more IP addresses to exclude from the DHCP address pool. To specify multiple individual addresses, list them separated by a comma. To specify a range of addresses, separate them with a hyphen.

Lease Time(seconds)

Specify how long a DHCP-assigned IP address is valid.

Range: 60 through 31536000 seconds

Default: 86400

Static Lease

Field

Description

Add Static Lease

MAC Address*

Enter the MAC address of the client to which the static IP address is being assigned.

IP*

Enter the static IP address to assign to the client.

DHCP Options

Field

Description

Add Option Code

Code*

Configure the option code.

Range: 1-254

Type

Choose one of the three types:

  • ASCII: Specify an ASCII value.

  • Hex: Specify a hex value.

  • IP: Specify IP addresses. You can specify up to eight IP addresses.

Advanced

Field

Description

Interface MTU

Specify the maximum MTU size of packets on the interface.

Range: 68 to 65535 bytes

Domain Name

Specify the domain name that the DHCP client uses to resolve hostnames.

Default Gateway

Enter the IP address of a default gateway in the service-side network.

DNS Servers

Enter one or more IP address for a DNS server in the service-side network. Separate multiple entries with a comma. You can specify up to eight addresses.

TFTP Servers

Enter the IP address of a TFTP server in the service-side network. You can specify one or two addresses. If two, separate them with a comma.

Dual Router High Availability

This feature helps you configure the high-availability feature in Cisco Catalyst SD-WAN using the Cisco IOS XE Catalyst SD-WAN devices.

The following table describes the options for configuring the high-availability feature on Cisco IOS XE Catalyst SD-WAN devices.

Basic Configuration

Field

Description

Name

Enter a name for the high availability feature profile.

Description

Enter a description for the high availability feature profile.

VPN

Displays all available service-side VPNs.

EdgeDevice_01

When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby.

EdgeDevice_02

When selected, the Cisco IOS XE Catalyst SD-WAN device is set as active for the specific VPN, while the other corresponding device is configured as standby.

None

Set the status to None for VPNs that are not configured for High Availability.

Preempt to home router

Click to allow the configured active Cisco IOS XE Catalyst SD-WAN device to automatically reclaim the active role upon recovery from a failure.

Optimize paths after switchover

Click to enable OMP Affinity to optimize routing paths after a failover.

EIGRP Routing

Use the EIGRP routing feature to configure a routing process and specify which networks the protocol should run over.

Basic Configuration

Parameter Name

Description

Autonomous System ID *

Enter the local autonomous system (AS) number.

Range: 1 through 65535

Default: None

Network

IP Address*

Enter the IPv4 address.

Mask*

Enter the subnet mask.

Interface

Add Interface

Provide values for the following fields:

  • AF Interface: Enter a value for the Address Family (AF) interface.

  • Shutdown: Enables the interface to run EIGRP by default.

    Toggle ON to disable the interface.

  • Add Summary Address: Enter an IPv4 address and choose a subnet mask.

IPv4 Unicast Address Family

Parameter Name

Description

Protocol *

Select one of the protocols from which to redistribute routes into EIGRP, for all EIGRP sessions:

  • bgp: Redistribute Border Gateway Protocol (BGP) routes into EIGRP.

  • connected: Redistribute connected routes into EIGRP.

  • nat-route: Redistribute network address translation (NAT) routes into EIGRP.

  • omp: Redistribute Overlay Management Protocol (OMP) routes into EIGRP.

  • ospf: Redistribute Open Shortest Path First (OSPF) routes into EIGRP.

    Note

     

    From Cisco IOS XE Catalyst SD-WAN Release 16.12.1b and later, you can set metric values for redistribution by using the CLI add-on feature template. Use the following command:

    redistribute ospf 1 metric 1000000 1 1 1 1500

    For more information, see CLI Add-on Feature Templates.

  • ospfv3: OSPFv3 routes into EIGRP.

  • static: Redistribute static routes into EIGRP.

Route Policy *

Enter the name of the route policy to apply to redistributed routes.

Authentication

Parameter

Description

MD5*

MD5 Key ID: Enter an MD5 key ID to compute an MD5 hash over the contents of the EIGRP packet using that value.

MD5 Authentication Key: Enter an MD5 authentication key to use an encoded MD5 checksum in the transmitted packet.

Authentication Key: A 256-byte unique key that is used to compute the Hashed Message Authentication Code (HMAC) and is known both by the sender and the receiver of the message.

HMAC-SHA-256

Authentication Key: A 256-byte unique key that is used to compute the HMAC and is known both by the sender and the receiver of the message.

Advanced

Parameter Name

Description

Hold Time (seconds)

Set the interval after which EIGRP considers a neighbor to be down. The local router then terminates the EIGRP session to that peer. This acts as the global hold time.

Range: 0 through 65535

Default: 15 seconds

Hello Interval (seconds)

Set the interval at which the router sends EIGRP hello packets.

Range: 0 through 65535

Default: 5 seconds

Route Policy

Enter the name of an EIGRP route policy.

Filter

Toggle ON to filter routes that do not match the policy.

EIGRP Routing

Use the EIGRP routing feature to configure a routing process and specify which networks the protocol should run over.

Basic Configuration

Parameter Name

Description

Autonomous System ID *

Enter the local autonomous system (AS) number.

Range: 1 through 65535

Default: None

Network

IP Address*

Enter the IPv4 address.

Mask*

Enter the subnet mask.

Interface

Add Interface

Provide values for the following fields:

  • AF Interface: Enter a value for the Address Family (AF) interface.

  • Shutdown: Enables the interface to run EIGRP by default.

    Toggle ON to disable the interface.

  • Add Summary Address: Enter an IPv4 address and choose a subnet mask.

IPv4 Unicast Address Family

Parameter Name

Description

Protocol *

Select one of the protocols from which to redistribute routes into EIGRP, for all EIGRP sessions:

  • bgp: Redistribute Border Gateway Protocol (BGP) routes into EIGRP.

  • connected: Redistribute connected routes into EIGRP.

  • nat-route: Redistribute network address translation (NAT) routes into EIGRP.

  • omp: Redistribute Overlay Management Protocol (OMP) routes into EIGRP.

  • ospf: Redistribute Open Shortest Path First (OSPF) routes into EIGRP.

    Note

     

    From Cisco IOS XE Catalyst SD-WAN Release 16.12.1b and later, you can set metric values for redistribution using the CLI add-on feature template. Use the following command:

    redistribute ospf 1 metric 1000000 1 1 1 1500

    For more information, see CLI Add-on Feature Templates.

  • ospfv3: OSPFv3 routes into EIGRP.

  • static: Redistribute static routes into EIGRP.

Route Policy *

Enter the name of the route policy to apply to redistributed routes.

Authentication

Parameter

Description

MD5*

MD5 Key ID: Enter an MD5 key ID to compute an MD5 hash over the contents of the EIGRP packet using that value.

MD5 Authentication Key: Enter an MD5 authentication key to use an encoded MD5 checksum in the transmitted packet.

Authentication Key: A 256-byte unique key that is used to compute the Hashed Message Authentication Code (HMAC) and is known both by the sender and the receiver of the message.

HMAC-SHA-256

Authentication Key: A 256-byte unique key that is used to compute the HMAC and is known both by the sender and the receiver of the message.

Advanced

Parameter Name

Description

Hold Time (seconds)

Set the interval after which EIGRP considers a neighbor to be down. The local router then terminates the EIGRP session to that peer. This acts as the global hold time.

Range: 0 through 65535

Default: 15 seconds

Hello Interval (seconds)

Set the interval at which the router sends EIGRP hello packets.

Range: 0 through 65535

Default: 5 seconds

Route Policy

Enter the name of an EIGRP route policy.

Filter

Toggle ON to filter routes that do not match the policy.

Ethernet Interface

This feature helps you configure the Ethernet interface on a service VPN (range 1 – 65527, except 512).

The following table describes the options for configuring the Ethernet Interface feature.

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN

The service VPN.

Basic Configuration

Field

Description

Shutdown

Enable or disable the interface.

Interface Name

Enter a name for the interface. Spell out the interface names completely (for example, GigabitEthernet0/0/0).

Configure all the interfaces of the router, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.

Description

Enter a description for the interface.

IPv4 Settings

Configure an IPv4 VPN interface.

  • Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

  • Static: Choose Static to enter an IP address that doesn't change.

Dynamic DHCP Distance

Enter an administrative distance value for routes learned from a DHCP server. This option is available when you choose Dynamic.

Default: 1

IP Address

Enter a static IPv4 address. This option is available when you choose Static.

Subnet Mask

Enter the subnet mask.

Add Secondary IP Address

Enter up to four secondary IPv4 addresses for a service-side interface.

  • IP Address*: Enter the IP address.

  • Subnet Mask: Enter the subnet mask.

DHCP Helper

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

IPv6 Settings

Configure an IPv6 VPN interface.

  • Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

  • Static: Choose Static to enter an IP address that doesn't change.

  • None

IPv6 Address Primary

Enter a static IPv6 address. This option is available when you choose Static.

Add Secondary Ipv6

Enter up to two secondary IPv6 addresses for a service-side interface.

Add DHCP Helper

DHCPv6 Helper*

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

DHCPv6 Helper VPN

Enter the VPN ID of the VPN source interface for the DHCP helper.

VRRP

Field

Description

IPv4 Settings

Add Vrrp Ipv4

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

IP Address*

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Tloc Prefix Change*

Enable or disable this option to set whether the TLOC preference can be changed or not.

Tloc Prefix Change Value

Enter the TLOC preference change value.

Range: 100 to 4294967295

Add VRRP IP Address Secondary

IP Address*

Enter an IP address for the secondary VRRP router.

Subnet Mask

Enter the subnet mask.

Add VRRP Tracking Object

Tracker ID*

Enter the interface object ID or object group tracker ID.

Tracker Action*

Choose one of the options:

  • decrement

  • shutdown

Decrement Value*

Enter a decrement value.

Range: 1-255

IPv6 Settings

Add Vrrp Ipv6

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

Link Local IPv6 Address*

Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8.

Global IPv6 Prefix

Enter a virtual global unicast IPv6 address, which represents the global address of the group. The address should be an IPv6 global prefix address that has the same mask as the interface forwarding address on which the VRRP group is configured. For example, 2001::2/124.

You can configure up to three global IPv6 addresses.

ARP

Field

Description

Add ARP

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

TrustSec

Field

Description

Enable SGTPropogation

Enable this option to use the Cisco TrustSec Security Group Tag (SGT) propagation feature.

Propagate

Enable this option to propagate SGT in Cisco Catalyst SD-WAN.

Security Group Tag

Enter a value that can be used as a tag.

Enable Enforced Propagation

Enable this option to start SGT enforcement on the interface.

Enforced Security Group Tag

Enter a value that can be used as a tag for enforcement.

Advanced

Field

Description

Duplex

Specify whether the interface runs in full-duplex or half-duplex mode.

Default: full

MAC Address

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 1518 (GigabitEthernet0), 1500 through 9216 (other GigabitEthernet)

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Speed

Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation.

Values: 10, 100, 1000, 2500, or 10000 Mbps

ARP Timeout

ARP timeout controls how long we maintain the ARP cache on a router. Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2147483 seconds

Default: 1200 seconds

Autonegotiate

Enable this option to turn on autonegotiation.

Media Type

Specify the physical media connection type on the interface. Choose one of the following:

  • auto-select: A connection is automatically selected.

  • rj45: Specifies an RJ-45 physical connection.

  • sfp: Specifies a small-form factor pluggable (SFP) physical connection for fiber media.

Load Interval

Enter an interval value for interface load calculation.

Tracker

Static-route tracking for service VPNs enables you to track the availability of the configured endpoint address to determine if the static route can be included in the routing table of a device. Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device.

ICMP Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

XConnect

Enter the name of a physical interface on the same router that connects to the WAN transport.

IP Directed Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

GRE

Use the service VPN Interface GRE feature for all Cisco vEdge Cloud and Cisco vEdge router devices.

The following tables describe the options for configuring the service VPN Interface GRE feature.

Basic Configuration

Field

Description

Interface Name (1..255)*

Enter the name of the GRE interface, in the format grenumber. The value for number can be from 1 through 255.

Interface Description

Enter a description of the GRE interface.
Tunnel Mode

Choose from one of the following GRE tunnel modes:

  • ipv4 underlay: GRE tunnel with IPv4 underlay. IPv4 underlay is the default value.

  • ipv6 underlay: GRE tunnel with IPv6 underlay.

Preshared Key for IKE Enter the preshared key (PSK) for authentication.

Tunnel

Field

Description

Source

Enter the source of the GRE interface:

  • IP Address: Enter the source IP address of the GRE tunnel interface. Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address. This address is on the local router.

  • Interface: Enter the egress interface name for the GRE tunnel.

  • Tunnel Route Via*: Specify the tunnel route details to steer the GRE tunnel traffic through.

    Note

     

    If the Tunnel Source Interface type is a loopback interface, enter the interface for traffic to be routed to. You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

Destination

Enter the source of the GRE interface:
  • GRE Destination IP Address*: Enter the destination IP address of the GRE tunnel interface. This address is on a remote device.

  • IP Address: Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address for the GRE tunnel.

    • Mask*: Enter the subnet mask.

  • IPv6 Address: Enter the destination IPv6 or address for the GRE tunnel.

IKE

Field

Description

IKE Version

Enter 1 to choose IKEv1.

Enter 2 to choose IKEv2.

Default: IKEv1

IKE Integrity Protocol

Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
  • Main: Establishes an IKE SA session before starting IPsec negotiations.

  • Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

Default: Main mode

IKE Rekey Interval

Specify the interval for refreshing IKE keys.

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 14400 seconds (4 hours)

IKE Cipher Suite

Specify the type of authentication and encryption to use during IKE key exchange.

Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

Default: aes256-cbc-sha1

IKE Diffie-Hellman Group

Specify the Diffie-Hellman group to use in IKE key exchanges.

Values: 2, 14, 15, 16, 19, 20, 21, 24

Default: 16

IKE ID for Local End Point

If the remote IKE peer requires a local endpoint identifier, specify it.

Range: 1 through 64 characters

Default: Source IP address of the tunnel

IKE ID for Remote End Point

If the remote IKE peer requires a remote end point identifier, specify it.

Range: 1 through 64 characters

Default: Destination IP address of the tunnel

There is no default option if you have chosen IKEv2.

IPSEC

Field

Description

IPsec Rekey Interval (Seconds)

Specify the interval for refreshing IKE keys.

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 3600 seconds

IPsec Replay Window

Specify the replay window size for the IPsec tunnel.

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

Default: 512 bytes

IPsec Cipher Suite

Specify the authentication and encryption to use on the IPsec tunnel.

Values: aes256-cbc-sha1, aes256-gcm, null-sha1

Default: aes256-gcm

Perfect Forward Secrecy

Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
  • group-2: Use the 1024-bit Diffie-Hellman prime modulus group

  • group-14: Use the 2048-bit Diffie-Hellman prime modulus group

  • group-15: Use the 3072-bit Diffie-Hellman prime modulus group

  • group-16: Use the 4096-bit Diffie-Hellman prime modulus group

  • none: Disable PFS

Default: group-16

DPD Interval

Specify the interval for IKE to send Hello packets on the connection.

Range: 10 through 3600 seconds (1 hour)

Default: 10 seconds

DPD Retries

Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to the peer.

Range: 2 through 60

Default: 3

Application

Choose an application from the drop-down list:

  • None

  • Sig

Advanced

Field

Description

Shutdown

Click Off to enable the interface.

IP MTU

Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv6 packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of the IPv4 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

IPv6 TCP MSS

Specify the maximum segment size (MSS) of the IPv6 TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

Tunnel Protection

Choose Yes to enable tunnel protection.

Default: No

IPSEC

Use the IPsec feature to configure IPsec tunnels on Cisco IOS XE Catalyst SD-WAN devices, used for Internet Key Exchange (IKE) sessions.

Some parameters have a scope drop-down list that enables you to choose Global, Device Specific, or Default for the parameter value. Choose one of the following options, as described in the table below:

Parameter Scope

Scope Description

Global (Indicated by a globe icon)

Enter a value for the parameter and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Device Specific (Indicated by a host icon)

Use a device-specific value for the parameter.

Choose Device Specific to provide a value for the key in the field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the field.

Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.

Default (indicated by a check mark)

The default value is shown for parameters that have a default setting.

The following tables describe the options for configuring the VPN Interface IPsec feature.

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Basic Configuration

Field

Description

Interface Name

Enter the name of the IPsec interface.

Description

Enter a description of the IPsec interface.
Tunnel Mode

Choose from one of the following IPsec tunnel modes:

  • ipv4: IPsec tunnel with IPv4 overlay and IPv4 underlay. IPv4 underlay is the default value.

  • ipv6: IPsec tunnel with IPv6 overlay and IPv6 underlay.

  • ipv4-v6overlay: IPsec tunnel with IPv6 overlay and IPv4 underlay.

Interface Address

Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.

Mask

Enter the subnet mask.

Tunnel Source

Enter the source of the IPsec interface:

  • IP Address: Enter the IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list.. This address is on the local router.

  • Interface: Enter the physical interface that is the source of the IPsec tunnel.

Tunnel Destination

Enter the destination of the IPsec interface:

  • Address: Enter the destination IPv4 or IPv6 address of the IPsec interface, based on your choice from the Tunnel Mode drop-down list. This address is on a remote device.

  • Application: Choose an application from the drop-down list.

  • None

  • Sig

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the vEdge router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 1804

Default: 1500 bytes

Internet Key Exchange

Field

Description

IKE Version

Enter 1 to choose IKEv1.

Enter 2 to choose IKEv2.

Default: IKEv1

IKE Integrity Protocol

Choose one of the following modes for the exchange of keying information and setting up IKE security associations:
  • Main: Establishes an IKE SA session before starting IPsec negotiations.

  • Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

Default: Main mode

IPsec Rekey Interval (Seconds)

Specify the interval for refreshing IKE keys.

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 14400 seconds (4 hours)

IKE Cipher Suite

Specify the type of authentication and encryption to use during IKE key exchange.

Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

Default: aes256-cbc-sha1

IKE Diffie-Hellman Group

Specify the Diffie-Hellman group to use in IKE key exchanges.

Values: 2, 14, 15, 16, 19, 20, 21, 24

Default: 16

IKE ID for Local End Point

If the remote IKE peer requires a local endpoint identifier, specify it.

Range: 1 through 64 characters

Default: Source IP address of the tunnel

IKE ID for Remote End Point

If the remote IKE peer requires a remote end point identifier, specify it.

Range: 1 through 64 characters

Default: Destination IP address of the tunnel

There is no default option if you have chosen IKEv2.

IPSEC

Field

Description

IPsec Rekey Interval

Specify the interval for refreshing IKE keys.

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 3600 seconds

IPsec Replay Window

Specify the replay window size for the IPsec tunnel.

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

Default: 512 bytes

IPsec Cipher Suite

Specify the authentication and encryption to use on the IPsec tunnel.

Values: aes256-cbc-sha1, aes256-gcm, null-sha1

Default: aes256-gcm

Perfect Forward Secrecy

Specify the PFS settings to use on the IPsec tunnel by choosing one of the following values:
  • group-2: Use the 1024-bit Diffie-Hellman prime modulus group

  • group-14: Use the 2048-bit Diffie-Hellman prime modulus group

  • group-15: Use the 3072-bit Diffie-Hellman prime modulus group

  • group-16: Use the 4096-bit Diffie-Hellman prime modulus group

  • none: Disable PFS

Default: group-16

Advanced

Field

Description

Associated VPN

Select a VPN from the drop-down list to associate with the IPsec tunnel.

Tunnel Route Via

Specify the tunnel route details to steer the application traffic through.

Note

 

You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

DPD Interval

Specify the interval for IKE to send Hello packets on the connection.

Range: 10 through 3600 seconds (1 hour)

Default: 10 seconds

DPD Retries

Specify how many unacknowledged packets to accept before declaring an IKE peer to be dead and then removing the tunnel to the peer.

Range: 2 through 60

Default: 3

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco vEdge device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

Click On to clear the Don't Fragment bit in the IPv4 packet header for packets being transmitted out the interface.

IP MTU

Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv4 or IPv4 packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Shutdown

Click Off to enable the interface.

Multicast

The Cisco IOS XE Catalyst SD-WAN multicast overlay software extends Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) over the Cisco Catalyst SD-WAN overlay using Overlay Management Protocol (OMP). Protocol Independent Multicast Sparse-Mode (PIM-SM) is deployed in the customer VPNs, and the Cisco IOS XE MVPN is used to integrate PIM in customer VPNs and OMP in the overlay. The OMP replicator is used in overlay multicast to optimize the multicast distribution tree across the overlay topology. The Cisco IOS XE Catalyst SD-WAN router supports IGMPv2 and IGMPv3 reports and advertises receiver's multicast interest to remote Cisco Catalyst SD-WAN routers using OMP. Depending on the level of optimization required, the Cisco Catalyst SD-WAN routers join or prune to or from the replicators, and replicators use OMP to relay the join or prune to the Cisco Catalyst SD-WAN router providing overlay connectivity to the PIM-RP or source.

The Cisco IOS XE Catalyst SD-WAN overlay multicast network supports the following protocols:

  • Protocol Independent Multicast (PIM)

  • Internet Group Management Protocol (IGMP)

  • MSDP

Some parameters have a scope drop-down list that enables you to choose Global, Device Specific, or Default for the parameter value. Choose one of the following options, as described in the table below:

Parameter Scope

Scope Description

Global (Indicated by a globe icon)

Enter a value for the parameter and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Device Specific (Indicated by a host icon)

Use a device-specific value for the parameter.

Choose Device Specific to provide a value for the key in the Enter Key field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the Enter Key field.

Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.

Default (indicated by a check mark)

The default value is shown for parameters that have a default setting.

The following tables describe the options for configuring the Multicast feature.

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Table 4. Basic Configuration

Field

Description

SPT Only

Enable this option to ensure that the Rendezvous Points (RPs) can communicate with each other using the shortest-path tree.

Local Replicator

Enable this option to configure the Cisco IOS XE Catalyst SD-WAN device as a multicast replicator.

Threshold

Specify a value.

Optional, keep it set to the default value if you are not configuring a replicator.

Table 5. PIM

Field

Description

Source Specific Multicast (SSM)

Enable this option to configure SSM.

ACL

Specify an access control list value. An access control list allows you to filter multicast traffic streams using the group and sometimes source IPv4 or IPv6 addresses.

Configure an IPv4 access control list using a standard or extended access list and attach it to your device before enabling PIM. You must have created a valid standard or extended ACL before using the ACL in your multicast configuration.

Note

 

You cannot configure an ACL for a PIM feature template using Cisco SD-WAN Manager. You must configure the ACL using a CLI add-on template. For information on configuring ACL using the CLI add-on template, see the section Configure an ACL for Multicast Using a CLI Add-On Template in chapter Multicast Overlay Routing of the Cisco Catalyst SD-WAN Routing Configuration Guide.

SPT Threshold

Specify the traffic rate, in kbps, at which to switch from the shared tree to the shortest-path tree (SPT). Configuring this value forces traffic to remain on the shared tree and travel via the RP instead of via the SPT.

Add Interface

Interface Name

Enter the name of an interface that participates in the PIM domain, in the format ge slot /port.

Query Interval(sec)

Specify how often the interface sends PIM query messages. Query messages advertise that PIM is enabled on the router.

Join/Prune Interval(sec)

Specify how often PIM multicast traffic can join or be removed from a rendezvous point tree (RPT) or shortest-path tree (SPT). Cisco IOS XE Catalyst SD-WAN device send join and prune messages to their upstream RPF neighbor.

How do you want to configure your Rendezvous Point (RP)

Cisco IOS XE SD-WAN supports the following modes:

Static

Click this check box to a specify the static IP address of a rendezvous point (RP).

Add Static RP

IP Address

Specify the static IP address of a rendezvous point (RP).

ACL

Specify an ACL value.

Override

Enable this option for cases when dynamic and static group-to-RP mappings are used together and there is an RP address conflict. In this case, the RP address configured for a static group-to-RP mapping takes precedence.

If you do not enable this option, and there is RP address conflict, dynamic group-to-RP mappings will take precedence over static group-to-RP mappings.

Auto RP

Click this check box to enable reception of PIM group-to-RP mapping updates. This enables reception on the Auto-RP multicast groups, 224.0.1.39 and 224.0.1.40.

RP Announce

Click this check box to enable transmission of Auto-RP multicast messages.

RP Discovery

Click this check box to enable Auto-RP automatic discovery of rendezvous points (RPs) in the PIM network so that the router can serve as an Auto-RP mapping agent. An Auto-RP mapping receives all the RPs and their respective multicast groups and advertise consistent group-to-RP mapping updates.

Interface

Specify the source interface for Auto-RP RP Announcements or RP Discovery messages.

Scope

Specify the IP header Time-to-Live (TTL) for Auto-RP RP Announcements or RP Discovery messages.

PIM-BSR

Configure a PIM BSR.

RP Candidate

Interface Name

Choose the interface that you used for configuring the PIM feature template.

Access List

Add an access list value if you have configured the access list with a value.

Interval

Add an interval value if you have configured the interval with a value.

Priority

Specify a higher priority on the Cisco IOS XE Catalyst SD-WAN device than on the service-side device.

BSR Candidate (Maximum: 1)

Interface Name

Chose the same interface from the drop-down list that you used for configuring the PIM feature template.

Hash Mask Length

Specify the hash mask length. Valid values for hash mask length are 0–32.

Priority

Specify a higher priority on the Cisco IOS XE Catalyst SD-WAN device than on the service-side device.

RP Candidate Access List

Add a value if you have configured the RP candidate access list with a value.

An RP candidate uses a standard ACL where you can enter the name for the access list.

Table 6. IGMP

Field

Description

Add IGMP

Interface

Enter the name of the interface to use for IGMP. To add another interface, click Add.

Version

Specify a version number.

Optional, keep it set to the default version number.

Group Address

Enter a group address to join a multicast group.

Source Address

Enter a source address to join a multicast group.

Add

Click Add to add the IGMP for the group.

Table 7. MSDP

Field

Description

Originator-ID

Specify the ID of the originating device. This ID is the IP address of the interface that is used as the RP address.

Connection Retry Interval

Configure an interval at which MSDP peers will wait after peering sessions are reset before attempting to re-establish the peering sessions.

Mesh Group

Mesh Group Name

Enter a mesh group name. This configures an MSDP mesh group and indicates that an MSDP peer belongs to that mesh group.

Note

 

All MSDP peers present on a device that participate in a mesh group must be in a full mesh with all other MSDP peers in the group. Each MSDP peer on each device must be configured as a peer using the ip msdp peer command, and as a member of the mesh group using the ip msdp mesh-group command.

Peer-IP

Configure an MSDP peer specified by an IP address.

Advanced Settings

Connect-Source Interface

Enter the primary address of a specified local interface that is used as the source IP address for the TCP connection.

Peer Authentication Password

Enables MD5 password encryption for a TCP connection between two MSDP peers.

Note

 

MD5 authentication must be configured with the same password on both MSDP peers. Otherwise, a connection between them cannot be established.

Keep Alive

Configure an interval at which an MSDP peer will send keepalive messages.

Hold-Time

Configure an interval at which the MSDP peer will wait for keepalive messages from other peers before declaring them as down.

Remote AS

Specifies the autonomous system number of the MSDP peer. This keyword and argument are used for display purposes only.

SA Limit

Limits the number of SA messages allowed in the SA cache from the specified MSDP.

Default Peer

Configure a default peer from which to accept all MSDP SA messages.

OSPF Routing

Open Shortest Path First (OSPF) is a routing protocol for IP networks. It can be used for service-side routing to provide reachability to networks at the local site.

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown.

Basic Configuration

Field

Description

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This is the IP address associated with the router for OSPF adjacencies.

Distance for External Routes

Specify the OSPF route administration distance for routes learned from other domains.

Range: 1 through 255

Default: 110

Distance for Inter-Area Routes

Specify the OSPF route administration distance for routes coming from one area into another.

Range: 1 through 255

Default: 110

Distance for Intra-Area Routes

Specify the OSPF route administration distance for routes within an area.

Range: 0 through 255

Default: 110

Redistribute

Field

Description

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPF.

  • Static

  • Connected

  • BGP

  • OMP

  • NAT

  • EIGRP

Maximum Metric (Router LSA)

Field

Description

Add Router LSA

Type

Configure OSPF to advertise a maximum metric so that other routers do not prefer this router as an intermediate hop in their Shortest Path First (SPF) calculation.

Choose a type:

  • administrative: Force the maximum metric to take effect immediately, through operator intervention.

  • on-startup: Advertise the maximum metric for the specified time.

Area

Field

Description

Add Area

Area Number*

Enter the number of the OSPF area.

Range: 32-bit number

Set the area type

Choose the type of OSPF area:

  • Stub

  • NSSA

Add Interface

Configure the properties of an interface in an OSPF area.

Name*

Enter the name of the interface, in the format geslot/port or loopback number.

Hello Interval (seconds)*

Specify how often the router sends OSPF hello packets.

Range: 1 through 65535 seconds

Default: 10 seconds

Dead Interval (seconds)*

Specify how often the router must receive an OSPF hello packet from its neighbor. If no packet is received, the router assumes that the neighbor is down.

Range: 1 through 65535 seconds

Default: 40 seconds (four times the default hello interval)

LSA Retransmission Interval (seconds)*

Specify how often the OSPF protocol retransmits LSAs to its neighbors.

Range: 1 through 65535 seconds

Default: 5 seconds

Interface Cost

Specify the cost of the OSPF interface.

Range: 1 through 65535

Designated Router Priority*

Set the priority of the router to be elected as the designated router (DR). The router with the highest priority becomes the DR. If the priorities are equal, the node with the highest router ID becomes the DR or the backup DR.

Range: 0 through 255

Default: 1

OSPF Network Type

Choose the OSPF network type to which the interface is to connect:

  • Broadcast network

  • Point-to-point network

  • Non-broadcast network

  • Point-to-multipoint network

Passive Interface*

Specify whether to set the OSPF interface to be passive. A passive interface advertises its address, but does not actively run the OSPF protocol.

Default: Disabled

Authentication Type

Choose the authentication type:

  • simple: Password is sent in clear text.

  • message-digest: MD5 algorithm generates the password.

Message Digest Key

Enter the MD5 authentication key, in clear text or as an AES-encrypted key. It can be from 1 to 255 characters.

md5

Enter the key ID for message digest (MD5 authentication). It can be 1 to 32 characters.

Add Range

Configure the area range of an interface in an OSPF area.

IP Address*

Enter the IP address.

Subnet Mask*

Enter the subnet mask.

Cost

Specify a number for the Type 3 summary LSA. OSPF uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777214

No-advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Advanced

Field

Description

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPF auto-cost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPF calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

  • Always: Enable this option to always advertise the default route in an OSPF routing domain.

  • Default Metric: Set the metric used to generate the default route.

    Range: 0 through 16777214

    Default: 10

  • Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 milliseconds (60 seconds)

Default: 200 milliseconds

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 milliseconds (60 seconds)

Default: 1000 milliseconds

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000

Default: 10000 milliseconds (60 seconds)

OSPFv3 IPv4 Routing

Use this feature to configure the Open Shortest Path First version 3 (OSPFv3) IPv4 link-state routing protocol for IPv4 unicast address families.

The following tables describe the options for configuring the OSPFv3 IPv4 Routing feature.

Basic Settings

Field

Description

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured.

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.

  • Connected

  • Static

  • Nat-route

  • BGP

Select Route Policy

Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF.

Area

Field

Description

Area Number*

Enter the number of the OSPFv3 area.

Allowed value: Any 32-bit integer

Area Type

Choose the type of OSPFv3 area:

  • Stub: No external routes

  • NSSA: Not-so-stubby area, allows external routes

  • Normal

Note

 

You can't enter a value for Area type if you have entered 0 as a value for Area Number.

Interface

Add Interface

Configure the properties of an interface in an OSPFv3 area.

Name*

Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1.

Cost

Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777215

Authentication Type

Specify the SPI and authentication key if you use IPSec SHA1 authentication type.

  • no-auth: Select no authentication.

  • ipsec-sha1: Enter the value for the IPSEC Secure Hash Algorithm 1 (SHA-1) authentication.

SPI

Specifies the Security Policy Index (SPI) value.

Range: 256 through 4294967295

Authentication Key

Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long.

Passive Interface

Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol.

Default: Disabled

IPv4 Range

Add IPv4 Range

Configure the area range of an interface in an OSPFv3 area.

Network Address*

Enter the IPv4 address.

Subnet Mask*

Enter the subnet mask.

No Advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Cost

Specify the cost of the OSPFv3 interface.

Range: 1 through 65535

Advanced

Field

Description

Route Policy

Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors.

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

  • Always: Enable this option to always advertise the default route in an OSPF routing domain.

  • Default Metric: Set the metric used to generate the default route.

    Range: 0 through 16777214

    Default: 10

  • Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

Distance

Define the OSPFv3 route administration distance based on route type.

Default: 100

Distance for External Routes

Set the OSPFv3 distance for routes learned from other domains.

Range: 0 through 255

Default: 110

Distance for Inter-Area Routes

Set the distance for routes coming from one area into another.

Range: 0 through 255

Default: 110

Distance for Intra-Area Routes

Set the distance for routes within an area.

Range: 0 through 255

Default: 110

SPF Calculation Timers

Configure the amount of time between when OSPFv3 detects a topology and when it runs its SPF algorithm.

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 ms (600 seconds)

Default: 200 ms

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 1000 ms

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 10000 ms (10 seconds)

Maximum Metric (Router LSA)

Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.

  • Immediately: Force the maximum metric to take effect immediately, through operator intervention.

  • On-startup: Advertise the maximum metric for the specified number of seconds after the router starts up.

    Range: 5 through 86400 seconds

Maximum metric is disabled by default.

OSPFv3 IPv6 Routing

Use this feature to configure the Open Shortest Path First version 3 (OSPFv3) IPv6 link-state routing protocol for IPv6 unicast address families.

The following tables describe the options for configuring the OSPFv3 IPv6 Routing feature.

Basic Settings

Field

Description

Router ID

Enter the OSPF router ID, in decimal four-part dotted notation. This value is the IP address that is associated with the router for OSPF adjacencies. Default: No Router ID is configured.

Add Redistribute

Protocol

Choose the protocol from which to redistribute routes into OSPFv3, for all OSPFv3 sessions.

  • Connected

  • Static

  • BGP

Select Route Policy

Enter the name of a localized control policy to apply to routes before they are redistributed into OSPF.

Area

Field

Description

Area Number*

Enter the number of the OSPFv3 area.

Allowed value: Any 32-bit integer

Area Type

Choose the type of OSPFv3 area:

  • Stub: No external routes

  • NSSA: Not-so-stubby area, allows external routes

  • Normal

Note

 

You can't enter a value for Area type if you have entered 0 as a value for Area Number.

Interface

Add Interface

Configure the properties of an interface in an OSPFv3 area.

Name*

Enter the name of the interface. Examples of interface names: GigabitEthernet0/0/1, GigabitEthernet0/1/2.1, GigabitEthernet0, or Loopback1.

Cost

Specify a number for the Type 3 summary link-state advertisement (LSA). OSPFv3 uses this metric during its SPF calculation to determine the shortest path to a destination.

Range: 0 through 16777215

Authentication Type

Specify the SPI and authentication key if you use IPSec SHA1.

  • no-auth: Select no authentication.

  • ipsec-sha1: Enter the value for the IPSEC Secure Hash Algorithm 1 (SHA-1) authentication.

SPI

Specifies the Security Policy Index (SPI) value.

Range: 256 through 4294967295

Authentication Key

Provide a value for the authentication key. When IPSEC SHA-1 authentication is used, the key must be 40 hex digits long.

Passive Interface

Specify whether to set the OSPFv3 interface to be passive. A passive interface advertises its address, but does not actively run the OSPFv3 protocol.

Default: Disabled

IPv6 Range

Add IPv6 Range

Configure the area range of an interface in an OSPFv3 area.

Network Address*

Enter the IPv6 address.

Subnet Mask*

Enter the subnet mask.

No Advertise*

Enable this option to not advertise the Type 3 summary LSAs.

Cost

Specify the cost of the OSPFv3 interface.

Range: 1 through 65535

Advanced

Field

Description

Route Policy

Enter the name of a localized control policy to apply to routes coming from OSPFv3 neighbors.

Reference Bandwidth (Mbps)

Specify the reference bandwidth for the OSPFv3 autocost calculation for the interface.

Range: 1 through 4294967 Mbps

Default: 100 Mbps

RFC 1583 Compatible

By default, the OSPFv3 calculation is done per RFC 1583. Disable this option to calculate the cost of summary routes based on RFC 2328.

Originate

Enable this option to generate a default external route into an OSPF routing domain. When you enable this option, the following fields appear:

  • Always: Enable this option to always advertise the default route in an OSPF routing domain.

  • Default Metric: Set the metric used to generate the default route.

    Range: 0 through 16777214

    Default: 10

  • Metric Type: Choose to advertise the default route as an OSPF Type 1 external route or an OSPF Type 2 external route.

Distance

Define the OSPFv3 route administration distance based on route type.

Default: 100

Distance for External Routes

Set the OSPFv3 distance for routes learned from other domains.

Range: 0 through 255

Default: 110

Distance for Inter-Area Routes

Set the distance for routes coming from one area into another.

Range: 0 through 255

Default: 110

Distance for Intra-Area Routes

Set the distance for routes within an area.

Range: 0 through 255

Default: 110

SPF Calculation Timers

Configure the amount of time between when OSPFv3 detects a topology and when it runs its SPF algorithm.

SPF Calculation Delay (milliseconds)

Specify the amount of time between when the first change to a topology is received until performing the SPF calculation.

Range: 1 through 600000 ms (600 seconds)

Default: 200 ms

Initial Hold Time (milliseconds)

Specify the amount of time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 1000 ms

Maximum Hold Time (milliseconds)

Specify the longest time between consecutive SPF calculations.

Range: 1 through 600000 ms (600 seconds)

Default: 10000 ms (10 seconds)

Maximum Metric (Router LSA)

Configure OSPFv3 to advertise a maximum metric so that other routers do not prefer this vEdge router as an intermediate hop in their Shortest Path First (SPF) calculation.

  • Immediately: Force the maximum metric to take effect immediately, through operator intervention.

  • On-startup: Advertise the maximum metric for the specified number of seconds after the router starts up.

    Range: 5 through 86400 seconds

Maximum metric is disabled by default.

Object Tracker

Use the object tracker feature to configure an object tracker.

Basic Settings

Parameter Name

Description

Tracker Type*

Interface

Configure the following interface values:

  • Object tracker ID*: Enter the object tracker ID number.

    Range: 1-1000

  • Interface name*: Enter the global or device-specific tracker interface name. For example, Gigabitethernet1 or Gigabitethernet2.

SIG

Object tracker ID*: Enter the object tracker ID number.

Route

Configure the route details:

  • Object tracker ID*: Enter the object tracker ID number.

    Range: 1-1000

  • Route IP*: Enter the IPv4 address of the route.

  • Route IP Mask*: Select a value for the subnet mask.

  • VPN: Enter a value for the VPN.

Object Tracker Group

Use this feature to configure an object tracker group. To ensure accurate tracking, add at least two object trackers before creating an object tracker group.

Basic Settings

Parameter Name

Description

Object tracker ID *

Enter an ID for the object tracker group.

Range: 1 through 1000

Object tracker *

Select a minimum of two previously created object trackers from the drop-down list.

Reachable *

Choose one of the following values:

  • Either: Ensures that the transport interface status is reported as active if either one of the associated trackers of the tracker group reports that the route is active.

  • Both: Ensures that the transport interface status is reported as active if both the associated trackers of the tracker group report that the route is active.

Route Policy

You can configure quality of service (QoS) to classify data packets and control how traffic flows out of and in to the interfaces and on the interface queues. With access lists, you can provision QoS which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted.

  1. In Add Feature window, choose Route Policy from the drop-down list.

  2. Enter a name and description for the route policy.

  3. Click Add Routing Sequence. The Add Route Sequence window displays.

  4. Enter Routing Sequence Name.

  5. Select a desired protocol from the Protocol drop-down list. The options are: IPv4, IPv6, or both.

  6. Select a condition from the Condition drop-down list.

  7. Select the action types Accept or Reject from the Action Type drop-down list.

  8. For the Accept action type, choose the accept condition from the Accept Condition drop-down list.

  9. Click Save.

    To copy, delete, or rename the route policy sequence rule, click ... next to the rule's name and select the desired option.

  10. If no packets match any of the route policy sequence rules, the default action is to drop the packets. To change the default action:

    1. Click Default Action in the left pane.

    2. Click the Pencil icon.

    3. Change the default action to Accept.

    4. Click Save.

  11. Click Save Route Policy.

The following table describe the options for configuring the QoS Map feature.

Field

Description

Routing Sequence Name

Specifies the name of the routing sequence.

Protocol

Specifies the internet protocol. The options are IPv4, IPv6, or Both.

Condition

Specifies the routing condition. The options are:

  • Address

  • AS Path List

  • Community List

  • Extended Community List

  • BGP Local Preference

  • Metric

  • Next Hop

  • OMP Tag

  • Origin

  • OSPF Tag

  • Peer

Action Type

Specifies the action type. The options are: Accept or Reject.

Accept Condition

Specifies the accept condition type. The options are:

  • Aggregator

  • AS Path

  • Atomic Aggregate

  • Community

  • Local Preference

  • Metric

  • Metric Type

  • Next Hop

  • OMP Tag

  • Origin

  • Originator

  • OSPF Tag

  • Weight

You can select the specific route sequence in the Route Policy window to edit, delete or add.

Service VPN

This feature helps you configure a service VPN (range 1 – 65527, except 512) or the LAN VPN.

The following table describes the options for configuring the Service VPN feature.

Basic Configuration

Field

Description

VPN*

Enter the numeric identifier of the VPN.

Name*

Enter a name for the VPN.

OMP Admin Distance IPv4

Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255.

OMP Admin Distance IPv6

Administrative distance for OMP routes. The Cisco SD-WAN Controllers learn the topology of the overlay network and the services available in the network using OMP routes. The distance can be a value between 1–255.

DNS

Field

Description

Add DNS IPv4

Primary DNS Address (IPv4)

Enter the IP address of the primary IPv4 DNS server in this VPN.

Secondary DNS Address (IPv4)

Enter the IP address of a secondary IPv4 DNS server in this VPN.

Add DNS IPv6

Primary DNS Address (IPv6)

Enter the IP address of the primary IPv6 DNS server in this VPN.

Secondary DNS Address (IPv6)

Enter the IP address of a secondary IPv6 DNS server in this VPN.

Host Mapping

Field

Description

Add New Host Mapping

Hostname*

Enter the hostname of the DNS server. The name can be up to 128 characters.

List of IP*

Enter up to eight IP addresses to associate with the hostname. Separate the entries with commas.

Advertise OMP

Field

Description

Add OMP Advertise IPv4

Protocol

Choose a protocol to configure route advertisements to OMP, for this VPN:

  • bgp

  • ospf

  • ospfv3

  • connected

  • static

  • network

  • aggregate

    Applied to Region: (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1) In a Multi-Region Fabric scenario, route aggregation is a method for reducing the number of entries that routers in a network must maintain in routing tables, for better scaling. Choose core, access, or core-and-access, to apply route aggregation only to access regions, the core region, or both.

    This option is applicable only to a Multi-Region Fabric border router, not an edge router or a transport gateway.

  • eigrp

  • lisp

  • isis

Select Route Policy

Enter the name of the route policy.

Route policy is not supported in Cisco vManage Release 20.9.1.

Add OMP Advertise IPv6

Protocol

Choose a protocol to configure route advertisements to OMP, for this VPN:

  • BGP

  • OSPF

  • Connected

  • Static

  • Network

  • Aggregate

    Applied to Region: (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1) In a Multi-Region Fabric scenario, route aggregation is a method for reducing the number of entries that routers in a network must maintain in routing tables, for better scaling. Choose core, access, or core-and-access, to apply route aggregation only to access regions, the core region, or both.

    This option is applicable only to a Multi-Region Fabric border router, not an edge router or a transport gateway.

Select Route Policy

Enter the name of the route policy.

Route policy is not supported in Cisco vManage Release 20.9.1.

Protocol Sub Type

When you choose the OSPF protocol, specify the sub type as external.

Route

Field

Description

Add IPv4 Static Route

Network Address*

Enter the IPv4 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv4 static route to configure in the VPN.

Subnet Mask*

Enter the subnet mask.

Next Hop/Null 0/VPN/DHCP

Choose one of the following options to configure the next hop to reach the static route:

  • Next Hop: When you choose this option, the IPv4 Route Gateway Next Hop field appears. Enable this option to add the next hop. You can add a hop with and without a tracker.

    When you click Add Next Hop, the following fields appear:

    • Address*: Enter the next-hop IPv4 address.

    • Administrative Distance*: Enter the administrative distance for the route.

    When you click Add Next Hop with Tracker, the following fields appear:

    • Address*: Enter the next-hop IPv4 address.

    • Administrative Distance*: Enter the administrative distance for the route.

    • Tracker*: Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device.

  • Null 0: When you choose this option, the following field appears:

    • IPv4 Route Null 0*: Enable this option to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages.

  • VPN: When you choose this option, the following field appears:

    • IPv4 Route VPN*: Selects VPN as the gateway to direct packets to the transport VPN.

  • DHCP: When you choose this option, the following field appears:

    • IPv4 Route Gateway DHCP*: Assigns a static route for the default next-hop router when the DHCP server is accessed for an IP address.

Add BGP Routing

Choose a BGP route.

Add OSPF Routing

Choose an OSPF route.

Add IPv6 Static Route

Prefix*

Enter the IPv6 address or prefix, in decimal four-point-dotted notation, and the prefix length of the IPv6 static route to configure in the VPN.

Next Hop/Null 0/NAT

Choose one of the following options to configure the next hop to reach the static route:

  • Next Hop: When you choose this option and click Add Next Hop, the following fields appear:

    • Address*: Enter the next-hop IPv6 address.

    • Administrative distance*: Enter the administrative distance for the route.

  • Null 0: When you choose this option, the following field appears:

    • IPv6 Route Null 0*: Enable this option to set the next hop to be the null interface. All packets sent to this interface are dropped without sending any ICMP messages.

  • NAT: When you choose this option, the following field appears:

    • IPv6 NAT*: Choose NAT64 or NAT66.

  • Interface: When you choose this option, the following fields appear:

    • Interface Name: Choose IPv6 interface name for the IPsec tunnel.

    • Next Hop: Enter the IPv6 address and the administrative distance for the next hop.

Service

Field

Description

Add Service

Service Type

Choose a service available at the local site and in the VPN.

Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4, TE, SIG

IPv4 Addresses (Maximum: 4)*

Enter up to four IP address, separated by commas. The service is advertised to the Cisco SD-WAN Controller only if one of the addresses can be resolved locally, at the local site, not via routes learned through OMP. You can configure up to four IP addresses.

Tracking*

Cisco Catalyst SD-WAN tests each service device periodically to check whether it is operational. Tracking saves the results of the periodic tests in a service log.

Tracking is enabled by default.

Service Route

Field

Description

Add Service Route

Prefix*

Enter the IP address or prefix. Use any RFC 1918 subnet for Service IP addresses.

Service*

Configure routes pointing to any service.

Values: FW, IDS, IDP, netsvc1, netsvc2, netsvc3, netsvc4.

VPN*

Destination VPN to resolve the prefix.

GRE Route

Field

Description

Add GRE Route

Prefix*

Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the GRE-specific static route.

Interface*

Enter the name of one or two GRE tunnels to use to reach the service.

VPN*

Enter the number of the VPN to reach the service. This must be VPN 0.

IPSEC Route

Field

Description

Add ipSec Route

Prefix*

Enter the IP address or prefix, in decimal four-part-dotted notation, and prefix length of the IPsec-specific static route.

Interface*

Enter the name of one or two IPsec tunnel interfaces. If you configure two interfaces, the first is the primary IPsec tunnel, and the second is the backup. All packets are sent only to the primary tunnel. If that tunnel fails, all packets are then sent to the secondary tunnel. If the primary tunnel comes back up, all traffic is moved back to the primary IPsec tunnel.

NAT

Field

Description

Nat Pool

NatPool Name*

Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router.

Prefix Length*

Enter the NAT pool prefix length.

Range Start*

Enter a starting IP address for the NAT pool.

Range End*

Enter a closing IP address for the NAT pool.

Overload*

Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

Default: Enabled

Direction*

Choose the NAT direction.

Nat64 V4 Pool

Nat64 V4 Pool Name*

Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router.

Nat 64 V4 Pool Range Start*

Enter a starting IP address for the NAT pool.

Nat 64 V4 Pool Range End*

Enter a closing IP address for the NAT pool.

Overload*

Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

Default: Disabled

Route Leak

Field

Description

Route leak from Global VPN

Route Protocol*

Choose a protocol from the available options to leak routes from global VPN to the service VPN that you are configuring.

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in service VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes.

Select Route Policy

Choose a route policy from the drop-down list.

Route leak to Global VPN

Route Protocol*

Choose a protocol from the available options to leak routes from the service VPN that you are configuring to the global VPN.

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in global VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes.

Select Route Policy

Enter the name of the route policy.

Route leak from other Service VPN(s)

Source VPN Enter a value of the source VPN.

Route Protocol*

Choose a protocol from the available options to leak routes from the source service VPN to the service VPN that you are configuring.

Select Route Policy

Choose a route policy from the drop-down list.

Redistribution (in Service VPN)

Protocol*

Choose a protocol from the available options to redistribute the leaked routes.

Select Route Policy

Choose a route policy from the drop-down list.

Route Target

Field

Description

IPv4 Settings

Import Route Target List: Route Target*

Configure a route target for IPv4 interfaces. It imports routing information from the target VPN extended community.

Export Route Target List: Route Target*

Configure a route target for IPv4 interfaces. It exports routing information to the target VPN extended community.

IPv6 Settings

Import Route Target List: Route Target*

Configure a route target for IPv6 interfaces. It imports routing information from the target VPN extended community.

Export Route Target List: Route Target*

Configure a route target for IPv6 interfaces. It exports routing information to the target VPN extended community.

SVI Interface

This feature helps you configure a switch virtual interface (SVI) to configure a VLAN interface.

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco Catalyst SD-WAN device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Cisco Catalyst SD-WAN device to a device template.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

The following tables describe the options for configuring the SVI Interface feature.

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN: VPN*

Choose a VPN.

Basic Configuration

Field

Description

Shutdown

Enable or disable the VLAN interface.

VLAN Interface Name*

Enter a name for the VLAN interface.

The name must contain a minimum of five characters. The name must be in the following format: ^Vlan(([1-9]\d|\d)/){0,2}(0|[1-9]\d*)([:|\.][1-9]\d*)?

Interface Description

Enter a description for the interface.

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 9216

Default: 1500 bytes

IP MTU

Enter the maximum transmission unit (MTU) size of IP packets sent on an interface.

Range: 576 through 9216

Default: 1500 bytes

Configure IPV4 Address

IPv4 Address Prefix*

Enter the IPv4 address for the interface.

List of DHCP helper addresses*

Enter up to eight IP addresses for DHCP servers in the network to have the interface be a DHCP helper. Separate each address with a comma. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

Configure IPV4 Secondary Address

Secondary IP Address*

Enter up to four secondary IP addresses.

Configure IPV6 Address

IPV6 address*

Enter the IPv6 address for the interface.

Configure IPV6 Secondary Address

Address*

Enter up to four secondary IP addresses.

Configure IPV6 DHCP Helper

Address*

Enter an IP address for DHCP servers in the network to have the interface be a DHCP helper. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

VPN

VPN ID for the DHCP helper address.

ACL

Field

Description

Configure Access List V4

Direction*

Choose a direction of the ACL: in or out.

Name of ACL*

Enter the name of the access list.

Configure Access List V6

Direction*

Choose a direction of the ACL: in or out.

Name of ACL*

Enter the name of the access list.

VRRP

Field

Description

Configure VRRP

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Prefix List*

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

IP Address

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Add VRRP IP Address Secondary

Address*

Enter an IP address for the secondary VRRP router.

TLOC Preference Change

Enable or disable this option to set whether the TLOC preference can be changed or not.

Add VRRP Tracking Object

Tracker Id*

Enter the interface object ID or object group tracker ID.

Track Action*

Choose one of the options:

  • decrement

  • shutdown

Decrement Value

Enter a decrement value.

Range: 1-255

From Cisco vManage Release 20.10.1, this option is enabled only when you choose decrement in Track Action.

Configure VRRP IPv6

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

Add VRRP IPv6 Primary

IPv6 Link Local*

Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8.

Prefix

Enter the IPv6 address of the primary VRRP router.

ARP

Field

Description

Configure ARP

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

Advanced

Field

Description

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 to 1960 bytes

Default: None

ARP Timeout

Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2678400 seconds (744 hours)

Default: 1200 (20 minutes)

IP Directed-Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

ICMP/ICMPv6 Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

Switch Port

Use the Switch Port feature to configure bridging for Cisco Catalyst SD-WAN.

The following table describes the options for configuring the Switch Port feature.

Field

Description

Age Out Time

Enter how long an entry is in the MAC table before it ages out. Set the value to 0 to prevent entries from timing out.

Range: 0, 10 through 1000000 seconds

Default: 300 seconds

Configure Interface

Interface Name

Enter the name of the interface to associate with the bridging domain, in the format geslot/port.

Mode

Choose the switch port mode.

  • access: Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic only for one VLAN. When you choose access, the following field appears:

    Switchport Access Vlan: Enter the VLAN number, which can be a value from 1 through 4094.

  • trunk: Configure the interface as a trunk port. You can configure one or more VLANs on a trunk port, and the port can carry traffic for multiple VLANs. When you choose trunk, the following fields appear:

    • Allowed Vlans: Enter the number of the VLANs for which the trunk can carry traffic and a description for the VLAN.

    • Switchport Trunk Native Vlan: Enter the number of the VLAN allowed to carry untagged traffic.

Shutdown

Enable the interface. By default, an interface is disabled.

Speed

Enter the speed of the interface.

Duplex

Choose full or half to specify whether the interface runs in full-duplex or half-duplex mode.

Port Control

Choose the port control mode to enable IEEE 802.1X port-based authentication on the interface.

  • auto: Enables IEEE 802.1X authentication and starts the port in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and starts relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device by using the supplicant MAC address.

  • force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.

  • force-authorized: Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client.

Voice VLAN

Enter the Voice VLAN ID.

Pae Enable

The Cisco Catalyst SD-WAN device acts as a port access entity (PAE), allowing authorized network traffic and preventing unauthorized network traffic ingressing to and egressing from the controlled port.

MAC Authentication Bypass

Enable this option to allow MAC authentication bypass (MAB) on the RADIUS server and to authenticate non-IEEE 802.1X–compliant clients using a RADIUS server.

Host Mode

Choose whether an IEEE 802.1X interface grants access to a single host (client) or to multiple hosts (clients).

  • single-host: Grant access only to the first authenticated host. This is the default.

  • multi-auth: Grant access to one host on a voice VLAN and multiple hosts on data VLANs.

  • multi-host: Grant access to multiple hosts.

  • multi-domain: Grant access to both a host and a voice device, such as an IP phone on the same switch port.

Enable Periodic Reauth

Enable periodic re-authentication. By default, this option is enabled.

Inactivity

Enter the inactivity timeout time in seconds.

Default: 60 seconds

Reauthentication

Enter the re-authentication interval in seconds.

Control Direction

Choose both (bidirectional) or in (unidirectional) authorization mode.

Restricted VLAN

Enter the restricted VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure limited services to IEEE 802.1X-compliant clients that failed RADIUS authentication.

Guest VLAN

Enter the guest VLAN to drop non-IEEE 802.1X enabled clients, if the client is not in the MAB list.

Critical VLAN

Enter the critical VLAN (or authentication-failed VLAN) for IEEE 802.1x-compliant clients. Configure network access when RADIUS authentication or the RADIUS server fails.

Enable Voice

Enable the critical voice VLAN.

Configure Static Mac Address

MAC Address

Enter the static MAC address to map to the switch port interface.

Interface Name

Enter the name of the switch port interface.

VLAN ID

Enter the number of the VLAN for the switch port.

Tracker

This feature helps you configure the tracker for the VPN interface.

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:

The following table describes the options for configuring the Tracker feature.

Field

Description

Tracker Name*

Name of the tracker. The name can be up to 128 alphanumeric characters.

Endpoint Tracker Type*

Choose a tracker type to configure endpoint trackers:

  • http

Endpoint

Choose an endpoint type:

  • Endpoint IP: When you choose this option, the following field appears:

    Endpoint IP: IP address of the endpoint. This is the destination on the internet to which the probes are sent to determine the status of an endpoint.

  • Endpoint DNS Name: When you choose this option, the following field appears:

    Endpoint DNS Name: DNS name of the endpoint. This is the destination on the internet to which probes are sent to determine the status of the endpoint. The DNS name can contain a minimum of one character and a maximum of 253 characters.

  • Endpoint API URL:

    When you choose this option, the following field appears:

    API URL of endpoint*: API URL for the endpoint of the tunnel. This is the destination on the internet to which probes are sent to determine the status of the endpoint.

Interval

Time interval between probes to determine the status of the configured endpoint.

Range: 20 to 600 seconds

Default: 60 seconds (1 minute).

Multiplier

Number of times probes are sent before declaring that the endpoint is down.

Range: 1 to 10

Default: 3

Threshold

Wait time for the probe to return a response before declaring that the configured endpoint is down.

Range: 100 to 1000 milliseconds

Default: 300 milliseconds

Tracker Group

Use the Tracker Group feature to track the status of service interfaces.


Note


Ensure that you have created two trackers to form a tracker group.


The following tables describe the options for configuring the Tracker Group feature.

Field

Description

Tracker Elements*

This field is displayed only if you chose Tracker-group as the tracker type. Add the existing interface tracker names, separated by a space. When you add this tracker to the template, the tracker group is associated with these individual trackers, and you can then associate the tracker group to a static route.

The tracker name must not contain capital letters and special characters.

Tracker Boolean

From the drop-down list, choose Global. This field is displayed only if you chose tracker-group as the Tracker Type. By default, the OR option is selected. Choose AND or OR.

OR ensures that the static route status is reported as active if either one of the associated trackers of the tracker group report that the route is active.

If you select AND, the static route status is reported as active if both the associated trackers of the tracker group report that the route is active.

Wireless LAN

This feature helps you configure a wireless controller.

The following tables describe the options for configuring the Wireless LAN feature.

Basic Configuration

Field

Description

Enable 2.4G*

Disable this option to shut down the radio type of 2.4 GHz.

Default: Enabled

Enable 5G*

Disable this option to shut down the radio type of 5 GHz.

Default: Enabled

Country*

Choose the country where the router is installed.

Username*

Specify the username of Cisco Mobility Express.

Password*

Specify the password of Cisco Mobility Express.

ME IP Config

Field

Description

ME Dynamic IP*

Enable this option so that the interface receives its IP address dynamically from a DHCP server.

ME IP Address

Specify the IP address of Cisco Mobility Express.

Subnet Mask

Specify the subnet mask of Cisco Mobility Express.

Default Gateway

Specify the default gateway address of Cisco Mobility Express.

SSID

Field

Description

Add SSID

SSID Name*

Enter a name for the wireless SSID.

It can be a string from 4 to 32 characters. The SSID must be unique.

Admin State*

Enable this option to indicate that the interface has been configured.

Broadcast SSID*

Enable this option if you want to broadcast the SSID. Disable this option if you do not want the SSID to be visible to all the wireless clients.

VLAN (Range 1-4094)*

Enter a VLAN ID for the wireless LAN traffic.

Radio Type

Choose one of the following radio types:

  • 2.4GHz

  • 5GHz

  • All

Security Type*

Choose a security type:

  • WPA2 Enterprise: Choose this option for an enterprise where you authenticate and authorize network users with a remote RADIUS server.

  • WPA2 Personal: Choose this option to authenticate users who want to access the wireless network using a passphrase.

  • Open: Choose this option to allow access to the wireless network without authentication.

Passphrase*

This field is available if you choose WPA2 Personal as the security type. Set a pass phrase. This pass phrase provides users access to the wireless network.

QoS Profile

Choose a QoS profile.