Configure Transport VPN on a vEdge Router
On a vEdge router, the interfaces in VPN 0 connect to a WAN transport network. You must configure at least one tunnel interface
on a vEdge router so that it can join the control plane and be part of the overlay network. If no tunnel interface is configured,
that router cannot participate in the overlay network.
For a tunnel connection on a vEdge router, you must configure the three components of a TLOC—the interface's IP address and
the tunnel's color and encapsulation. An OMP session runs over each tunnel connection, and it is OMP that distributes the
device TLOCs to vSmart controllers. The controllers use the TLOCs to determine the overlay network topology and to determine
the best routing paths across the overlay network. A vEdge router can have up to four TLOCs, so you can configure more than
one tunnel connection.
In the transport VPN (VPN 0), vEdge routers support dual stack. To enable dual stack, configure an IPv4 address and an IPv6
address on the tunnel interface. The vEdge router learns from the vSmart controller whether a destination supports IPv4 or
IPv6 addresses. When forwarding traffic, the router chooses either the IPv4 or the IPv6 TLOC based on the destination address.
To configure VPN 0 on a vEdge router:
- Configure the WAN transport interface:
vEdge(config)# vpn 0 interface interface-name
vEdge(config-interface)#
In the most common cases, interface-name is the name of a physical Gigabit Ethernet interface (ge slot/port). The interface name can also be gre number, ipsec number, loopback string, natpool number, or ppp number.
- Configure a static IPv4 address for the interface:
vEdge(config-interface)# ip address prefix/length
vEdge(config-interface)#
Or you can enable DHCP on the interface so that the interface learns its IP address dynamically:
vEdge(config-interface)# ip dhcp-client [dhcp-distance number]
vEdge(config-interface)#
When an interface learns its IPv4 address from a DHCP server, it can also learn routes from the server. By default, these
routes have an administrative distance of 1, which is the same as static routes. To change the default value, include the
dhcp-distance option, specifying a distance from 1 through 255.
- To enable dual stack, configure a static IPv6 address for the interface:
vEdge(config-interface)# ipv6 address prefix/length
vEdge(config-interface)#
Or you can enable DHCPv6 on the interface so that the interface learns its IP address dynamically:
vEdge(config-interface)# ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit]
vEdge(config-interface)#
When an interface learns its IPv6 address from a DHCPv6 server, it can also learn routes from the server. By default, these
routes have an administrative distance of 1, which is the same as static routes. To change the default value, include the
dhcp-distance option, specifying a distance from 1 through 255. To speed up the assignment of IPv6 addresses, include the dhcp-rapid-commit option.
- Enable the interface:
vEdge(config-interface)# no shutdown
- Configure the WAN transport tunnel connection:
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)#
- Configure a color for the tunnel connection as an identifier for the tunnel:
vEdge(config-tunnel-interface)# color color
vEdge(config-tunnel-interface)#
color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The default color is default. The colors metro-ethernet, mpls, and private1 through private6 are referred to as private colors, because they use private addresses to connect to the remote-side vEdge router in a private network. You can use these colors
in a public network provided that there is no NAT device between the local and remote vEdge routers.
- Configure the encapsulation to use on the tunnel connection:
vEdge(config-tunnel-interface)# encapsulation (gre | ipsec)
vEdge(config-tunnel-interface)#
To configure both IPsec and GRE encapsulation, include two encapsulation commands. Note that if you do this, you are creating two TLOCs that have the same IP addresses and colors, but that have
different encapsulation.
- Configure any other properties specific to the tunnel interface, the interface, or VPN 0.
- If you have a multi-TLOC environment, configure additional tunnel interfaces.
- Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from VPN 0:
vEdge(config-vpn-0)# dns ip-address (primary | secondary)
The address can be either an IPv4 or IPv6 address. By default, the IP address is for the primary DNS server.
- If desired, configure IPv4 and IPv6 static routes in VPN 0:
vEdge(config-vpn-0)# ip route prefix/length next-hop [administrative-distance]
vEdge(config-vpn-0)# ipv6 route prefix/length next-hop [administrative-distance]
- Activate the configuration:
vEdge(config)# commit
To display interface information, use the show interface command for IPv4 interfaces and show ipv6 interfaces for IPv6 interfaces. To display information about DHCP and DHCPv6 servers, use the show dhcp interface and show ipv6 dhcp interface commands.
When you are troubleshooting routing and forwarding problems on a vEdge router, you can configure the router to perform route
consistency checks, to determine whether the routes in the router's route and forwarding tables are consistent:
vEdge(config-system)# route-consistency-check
This command checks only IPv4 routes. Route consistency checking requires a large amount of device CPU, so it is recommended
that you enable it only while you are troubleshooting an issue and that you disable it at other times.
Here is an example of a VPN 0 configuration, where interface ge0/0 is the WAN transport interface. This example shows that dual stack is enabled on the router, because the tunnel interface
has both an IPv4 and an IPv6 address. Notice that the remaining seven device interfaces are part of VPN 0, because we have
not yet configured any other VPNs. Also notice that the management interface is not present in VPN 0.
vpn 0
 interface ge0/0
  ip address 10.0.0.8/24
  ipv6 address fd00:1234::/16
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/3
  shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!
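As an added example (not from the Cisco documentation), the following Python parses a VPN 0 block in the format shown above, derives the TLOCs a tunnel interface yields (one per address, color and encapsulation, so dual stack plus two encapsulations gives four), and reports the conditions this section describes. The sample block is constructed from the example above with GRE added as a second encapsulation; the check for sshd being reachable from the transport is this example's own.

```python
# Constructed sample: the vEdge VPN 0 block shown above, with GRE added as a second encapsulation.
SAMPLE_VPN0 = """\
vpn 0
 interface ge0/0
  ip address 10.0.0.8/24
  ipv6 address fd00:1234::/16
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   encapsulation gre
   no allow-service sshd
  !
  no shutdown
 !
!
"""

def parse_vpn0(text):
    """Map each 'interface' stanza of a VPN 0 block to a dict of its settings."""
    ifaces, cur = {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"addrs": [], "color": [], "encapsulation": [], "services": {}, "tunnel": False})
        elif cur is None:
            continue                      # 'vpn 0' and similar lines before any interface
        elif w[:2] in (["ip", "address"], ["ipv6", "address"]):
            cur["addrs"].append(w[2])     # one TLOC address per address family
        elif w[0] == "tunnel-interface":
            cur["tunnel"] = True
        elif w[0] in ("color", "encapsulation"):
            cur[w[0]].append(w[1])        # two encapsulations give two TLOCs
        elif w[0] == "allow-service":
            cur["services"][w[1]] = True
        elif w[:2] == ["no", "allow-service"]:
            cur["services"][w[2]] = False
    return ifaces

def tlocs(iface):
    """One TLOC per (address, color, encapsulation); the color defaults to 'default'."""
    if not iface["tunnel"]:
        return []
    colors = iface["color"] or ["default"]
    return [(a, c, e) for a in iface["addrs"] for c in colors for e in iface["encapsulation"]]

def audit(text, max_tlocs=4):
    """Findings for a VPN 0 block: TLOC completeness, TLOC count, and sshd exposed on the transport."""
    ifaces = {n: i for n, i in parse_vpn0(text).items() if i["tunnel"]}
    findings = [f"{n}: tunnel-interface lacks an address or encapsulation"
                for n, i in ifaces.items() if not i["addrs"] or not i["encapsulation"]]
    findings += [f"{n}: sshd is reachable from the transport"
                 for n, i in ifaces.items() if i["services"].get("sshd")]
    total = sum(len(tlocs(i)) for i in ifaces.values())
    if total == 0 or total > max_tlocs:   # a router needs 1 to 4 TLOCs to join the overlay
        findings.append(f"{total} TLOCs configured: need 1 to {max_tlocs} to join the overlay")
    return findings
```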
An interface can participate only in one VPN. So in an initial configuration, when VPN 0 is the only VPN that is configured,
all the device's interfaces are present, by default, in VPN 0 (as shown in the output above). Then, when you create other
VPNs to carry data traffic and configure interfaces in those VPNs, the interfaces used in the other VPNs are automatically
removed from VPN 0. Here is an example in which interface ge0/3 is used for VPN 1, so it has been automatically removed from the configuration of VPN 0:
vpn 0
 interface ge0/0
  ip address 10.0.0.8/24
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!
vpn 1
 router
  ospf
   redistribute omp route-policy test-policy
   area 0
    interface ge0/3
    exit
   exit
  !
 !
 interface ge0/3
  ip address 10.10.10.1/24
  no shutdown
 !
!
When you configure subinterfaces in a VPN that carries data traffic (that is, not VPN 0 and not VPN 512), the main interface
must be configured with the no shutdown command so that it is enabled, and the main interface remains in VPN 0 once you configure the subinterface. For example,
if in the VPN 1 configuration, you were to configure OSPF on VLAN 1, you can see that interface ge0/3 remains present in VPN 0, while the subinterface interface ge0/3.1 is used in VPN1:
vpn 0
 dns 1.2.3.4 primary
 interface ge0/0
  address 10.0.0.8/24
  tunnel-interface
   preference 100
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service ntp
   allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  shutdown
 !
 interface ge0/2
  shutdown
 !
 interface ge0/3
  no shutdown
 !
 interface ge0/4
  shutdown
 !
 interface ge0/5
  shutdown
 !
 interface ge0/6
  shutdown
 !
 interface ge0/7
  shutdown
 !
!
vpn 1
 router
  ospf
   redistribute omp route-policy test-policy
   area 0
    interface ge0/3.1
    exit
   exit
  !
 !
 interface ge0/3.1
  ip address 10.10.10.1/24
  no shutdown
 !
!
Configure the Transport VPN on a vSmart Controller
Because vSmart controllers are responsible for determining the best routes through the overlay network (based on the TLOCs
they learn and on centralized policies), they handle only control plane traffic, in VPN 0. A vSmart controller can have
only one interface in VPN 0, for which you set an IP address and you create a tunnel connection. This tunnel connection acts
as a control plane tunnel termination point.
In the transport VPN (VPN 0), vEdge routers support dual stack. To enable dual stack, configure an IPv4 address and an IPv6
address on the tunnel interface. The vEdge router learns from the vSmart controller whether a destination supports IPv4 or
IPv6 addresses. When forwarding traffic, the router chooses either the IPv4 or the IPv6 TLOC based on the destination address.
To configure VPN 0 on a vSmart controller:
- Configure the WAN transport interface:
vSmart(config)# vpn 0 interface interface-name
vSmart(config-interface)#
interface-name is the name of a virtual Ethernet interface (eth number).
- Configure a static IPv4 address for the interface:
vSmart(config-interface)# ip address prefix/length
vSmart(config-interface)#
Or you can enable DHCP on the interface so that the interface learns its IP address dynamically:
vSmart(config-interface)# ip dhcp-client [dhcp-distance number]
vSmart(config-interface)#
When an interface learns its IPv4 address from a DHCP server, it can also learn routes from the server. By default, these
routes have an administrative distance of 1, which is the same as static routes. To change the default value, include the dhcp-distance option, specifying a distance from 1 through 255.
- To enable dual stack, configure a static IPv6 address for the interface:
vSmart(config-interface)# ipv6 address prefix/length
vSmart(config-interface)#
Or you can enable DHCPv6 on the interface so that the interface learns its IP address dynamically:
vSmart(config-interface)# ipv6 dhcp-client [dhcp-distance number] [dhcp-rapid-commit]
vSmart(config-interface)#
When an interface learns its IPv6 address from a DHCPv6 server, it can also learn routes from the server. By default, these
routes have an administrative distance of 1, which is the same as static routes. To change the default value, include the dhcp-distance option, specifying a distance from 1 through 255. To speed up the assignment of IPv6 addresses, include the dhcp-rapid-commit option.
- Enable the interface:
vSmart(config-interface)# no shutdown
- Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from VPN 0:
vSmart(config-vpn-0)# dns ip-address (primary | secondary)
The address can be either an IPv4 or IPv6 address. By default, the IP address is for the primary DNS server.
- If desired, configure IPv4 and IPv6 static routes in VPN 0:
vSmart(config-vpn-0)# ip route prefix/length next-hop [administrative-distance]
vSmart(config-vpn-0)# ipv6 route prefix/length next-hop [administrative-distance]
- Configure any other properties specific to the tunnel interface, the interface, or VPN 0.
- Activate the configuration:
vSmart(config)# commit
To display interface information, use the show interface command for IPv4 interfaces and show ipv6 interfaces for IPv6 interfaces. To display information about DHCP and DHCPv6 servers, use the show dhcp interface and show ipv6 dhcp interface commands.
Here is an example of a VPN 0 configuration on a vSmart controller:
vSmart# show running-config vpn 0
vpn 0
 dns 1.2.3.4 primary
 interface eth0
  ip dhcp-client
  no shutdown
 !
 interface eth1
  ip address 10.0.5.19/24
  tunnel-interface
   allow-ssh
   allow-icmp
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.5.13
!
Configure Data Traffic Exchange across Private WANs
When a vEdge router is connected to a private WAN, such as an MPLS or a metro Ethernet network, the carrier hosting the private
network does not advertise the IP address of that vEdge router over the internet. (This IP address is associated with the
TLOC on that vEdge router.) This means that remote vEdge routers are not able to learn how to reach that router and hence
are not able to exchange data traffic with it directly over the private network.
To allow the vEdge router behind the private network to communicate directly over the private WAN with other vEdge routers,
you direct the data traffic to a loopback interface rather than to the actual physical WAN interface. The overlay network
can then advertise that the local router is reachable via its loopback address. To make it possible for the data traffic to
actually be transmitted out the WAN interface, you bind the loopback interface to the physical WAN interface that connects
to the private network.
To configure VPN 0 so that it carries data traffic across private WANs:
- Configure the loopback interface, assigning it an IP address:
vEdge(config)# vpn 0 loopback number ip address prefix/length
vEdge(config-loopback)# no shutdown
- Configure the loopback interface to be a transport interface:
vEdge(config-loopback)# tunnel-interface
- Set the color of the loopback interface to be one of the private colors—metro-ethernet, mpls, and private1 through private6. You must configure this same color on the loopback interfaces of all vEdge routers in the same private LAN.
vEdge(config-tunnel-interface)# color color
Use the show interface command to check that the loopback interface is configured properly, as a transport interface with the proper IP address
and color.
If a single vEdge router is connected to two (or more) different private networks, create a loopback interface for each private
network, associate a carrier name with the interface so that the router can distinguish between the two private WANs, and
"bind" the loopback interface to the physical interface that connects to the appropriate private WAN:
- Configure the loopback interface, assigning it an IP address:
vEdge(config)# vpn 0 loopback number ip address prefix/length
vEdge(config-loopback)# no shutdown
- Configure the loopback interface to be a transport interface and bind it to a physical interface:
vEdge(config-loopback)# tunnel-interface bind ge slot/port
- Configure a carrier name and TLOC color on the loopback interface:
vEdge(config-tunnel-interface)# carrier carrier-name
vEdge(config-tunnel-interface)# color color
- On the physical interface, configure its IP address, and enable it:
vEdge(config)# vpn 0 interface ge slot/port ip address prefix/length
vEdge(config-ge)# no shutdown
Configure the Management VPN (VPN 512)
In the Cisco SD-WAN overlay network, VPN 512 is the network management VPN. It carries out-of-band management traffic in the
overlay network. VPN 512 is configured and enabled by default on all Cisco SD-WAN devices. It contains the interface used
for management traffic. For vEdge routers, this interface is generally a Gigabit Ethernet (ge) interface, and for other Cisco SD-WAN devices it is an eth interface. DHCP is enabled by default on the management interface. The default configuration for VPN 512 on a vEdge router
looks like this:
vpn 512
 interface ge0/0
  ip dhcp-client
  no shutdown
 !
!
VPN 512 must be present on all Cisco SD-WAN devices so that they are always reachable on the network. You can configure additional
parameters for VPN 512 if you choose.
Configure VPNs To Carry Data Traffic
VPNs other than VPN 0 and VPN 512 are used to carry data traffic across the overlay network. These VPNs are sometimes referred
to as service-side VPNs. For these VPNs to operate, each one must have an operational interface (or subinterface). The remainder of what you configure
in these VPNs depends on your network needs. You configure features specific for the user segment, such as BGP and OSPF routing,
VRRP, QoS, traffic shaping, and policing.
To create a data traffic VPN:
- Configure the VPN:
vEdge(config)# vpn number
vEdge(config-vpn)#
The VPN number can be in the range 1 through 511, and 513 through 65535.
- Configure at least one interface in the VPN and its IP address:
vEdge(config-vpn)# interface interface-name ip address address/prefix
vEdge(config-interface)#
The interface name has the format ge slot/port, where the slot is generally 0 through 7 (depending on the device) and the port is 0 through 8. If you are configuring VLANs,
specify a subinterface name in the format ge slot/port.vlan, where the VLAN number can be in the range 1 through 4094. (VLAN numbers 0 and 4095 are reserved.) The interface name can
also be gre number, ipsec number, loopback string, natpool number, or ppp number.
- Activate the interface:
vEdge(config-interface)# no shutdown
- Enable DNS service in the VPN by configuring the IP address of a DNS server reachable from that VPN:
vEdge(config-vpn)# dns ip-address
- If desired, configure IPv4 static routes in the VPN:
vEdge(config-vpn)# ip route prefix/length next-hop [administrative-distance]
- Configure any other properties specific to the interface or to the VPN.
- Activate the configuration:
vEdge(config)# commit
Here is an example of a configuration for VPN 1:
vpn 1
 dns 1.2.3.4 primary
 router
  ospf
   redistribute omp route-policy test-policy
   area 0
    interface ge0/3
    exit
   exit
  !
 !
 interface ge0/3
  ip address 10.10.10.1/24
  no shutdown
 !
!
Dual-Stack Operation
When a Cisco SD-WAN device establishes an IPsec tunnel for control traffic between a local TLOC and a remote TLOC, or when
a device establishes a BFD tunnel for data plane traffic between a local and a remote TLOC, an IPv6 tunnel is established
in the following situations:
- The local device has only an IPv6 address, and the remote device has an IPv6 address.
- The remote device has only an IPv6 address, and the local device has an IPv6 address.
If both the local and remote devices have IPv4 addresses, IPsec and BFD always establish an IPv4 tunnel.