This topic describes how to configure the general properties of WAN transport and service-side network interfaces. For information
about how to configure specific interface types and properties—including cellular interfaces, DHCP, PPPoE, VRRP, and WLAN
interfaces.
VPN 0 is the WAN transport VPN. This VPN handles all control plane traffic, which is carried over OMP sessions, in the overlay
network. For a Cisco IOS XE SD-WAN device to participate in the overlay network, at least one interface must be configured in VPN 0, and at least one interface
must connect to a WAN transport network, such as the Internet or an MPLS or a metro Ethernet network. This WAN transport interface
is referred to as a tunnel interface. At a minimum, for this interface, you must configure an IP address, enable the interface,
and set it to be a tunnel interface.
To configure a tunnel interface on a Cisco vSmart Controller or a Cisco vManage NMS, you create an interface in VPN 0, assign an IP address or configure the interface to receive an IP address from DHCP,
and mark it as a tunnel interface. The IP address can be either an IPv4 or IPv6 address. To enable dual stack, configure both
address types. You can optionally associate a color with the tunnel.
Note: You can configure IPv6 addresses only on transport interfaces, that is, only in VPN 0.
Tunnel interfaces on Cisco IOS XE SD-WAN devices must have an IP address, a color, and an encapsulation type. The IP address can be either an IPv4 or IPv6 address. To enable
dual stack, configure both address types.
On Cisco vSmart Controllers and Cisco vSmart Controller NMSs, interface-name can be either eth number or loopback number, where number is the interface number. Because Cisco vSmart Controllers and Cisco vSmart Controller NMSs participate only in the overlay network's control plane, the only VPNs that you can configure on these devices are VPN 0
and VPN 512. Hence, all interfaces are present only in these VPNs.
To enable the interface, include the no shutdown command.
For the tunnel interface, you can configure a static IPv4 or IPv6 address, or you can configure the interface to receive its
address from a DHCP server. To enable dual stack, configure both an IPv4 and an IPv6 address on the tunnel interface.
Color is a Cisco SD-WAN software construct that identifies the transport tunnel. It can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The colors metro-ethernet, mpls, and private1 through private6 are referred to as private colors, because they use private addresses to connect to the remote side Cisco IOS XE SD-WAN device in a private network. You can use these colors in a public network provided that there is no NAT device between the local
and remote Cisco IOS XE SD-WAN devices.
To limit the remote TLOCs that the local TLOC can establish BFD sessions with, mark the TLOC with the restrict option. When a TLOC is marked as restricted, a TLOC on the local router establishes tunnel connections with a remote TLOC
only if the remote TLOC has the same color.
On a Cisco vSmart Controller or Cisco vSmart Controller NMS, you can configure one tunnel interface. On a Cisco IOS XE SD-WAN device, you can configure up to eight tunnel interfaces.
On Cisco IOS XE SD-WAN devices, you must configure the tunnel encapsulation. The encapsulation can be either IPsec or GRE. For IPsec encapsulation, the
default MTU is 1442 bytes, and for GRE it is 1468 bytes. These values are a function of the overhead required for BFD path MTU
discovery, which is enabled by default on all TLOCs. (For more information, see Configuring Control Plane and Data Plane High
Availability Parameters .) You can configure both IPsec and GRE encapsulation by including two encapsulation commands under the same tunnel-interface command. On the remote Cisco IOS XE SD-WAN device, you must configure the same tunnel encapsulation type or types so that the two routers can exchange data traffic. Data transmitted
out an IPsec tunnel can be received only by an IPsec tunnel, and data sent on a GRE tunnel can be received only by a GRE tunnel.
The Cisco SD-WAN software automatically selects the correct tunnel on the destination Cisco IOS XE SD-WAN device.
A tunnel interface allows only DTLS, TLS, and, for Cisco IOS XE SD-WAN devices, IPsec traffic to pass through the tunnel. To allow additional traffic to pass without having to create explicit policies
or access lists, enable each service by including one allow-service command for it. You can also explicitly disallow a service by including the no allow-service command. Note that services affect only physical interfaces. You can allow or disallow these services on a tunnel interface:
Service | Cisco vSmart Controller | Cisco vSmart Controller
all (Overrides any commands that allow or disallow individual services) | X | X
bgp | — | —
dhcp (for DHCPv4 and DHCPv6) | — | —
dns | — | —
https | X | —
icmp | X | X
netconf | X | —
ntp | — | —
ospf | — | —
sshd | X | X
stun | X | X
The allow-service stun command pertains to allowing or disallowing a Cisco IOS XE SD-WAN device to generate requests to a generic STUN server so that the device can determine whether it is behind a NAT and, if so, what
kind of NAT it is and what the device's public IP address and public port number are. On a Cisco IOS XE SD-WAN device that is behind a NAT, you can also have the tunnel interface discover its public IP address and port number from the Cisco vBond Orchestrator.
With this configuration, the Cisco IOS XE SD-WAN device uses the Cisco vBond Orchestrator as a STUN server, so the router can determine its public IP address and public port number. (With this configuration, the
router cannot learn the type of NAT that it is behind.) No overlay network control traffic is sent and no keys are exchanged
over a tunnel interface that is configured to use the Cisco vBond Orchestrator as a STUN server. However, BFD does come up on the tunnel, and data traffic can be sent on it. Because no control traffic
is sent over such a tunnel interface, you must configure at least one other tunnel interface on the Cisco IOS XE SD-WAN device so that it can exchange control traffic with the Cisco vSmart Controller and the Cisco vSmart Controller NMS.
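The tunnel-interface requirements above (an IP address or DHCP, no shutdown, a color, an encapsulation type) and the allow-service semantics from the table (the all keyword overriding individual entries) can be checked mechanically before a configuration is pushed. The following Python audit is an added example and is not part of Cisco's documentation, software, or tooling: the parser, the sample VPN 0 text, the interface names and addresses, and the MGMT_SERVICES policy are all constructed for illustration, and the command syntax is the vEdge-style form of the commands named in the text rather than a guarantee of exact IOS XE syntax. The audit also reports when management services such as sshd are left reachable on a public-color transport, which is the service-exposure decision the allow-service table asks you to make.

```python
# Audit a VPN 0 block against the tunnel-interface rules above (constructed example, not a Cisco tool).
import ipaddress
PRIVATE_COLORS = {"metro-ethernet", "mpls"} | {f"private{i}" for i in range(1, 7)}
ALL_COLORS = PRIVATE_COLORS | {"3g", "biz-internet", "blue", "bronze", "custom1", "custom2", "custom3",
                               "default", "gold", "green", "lte", "public-internet", "red", "silver"}
SERVICES = {"bgp", "dhcp", "dns", "https", "icmp", "netconf", "ntp", "ospf", "sshd", "stun"}
# Hypothetical local hardening policy (not from the page): management services kept off public transports.
MGMT_SERVICES = {"sshd", "netconf", "https"}
# Constructed sample: a complete public transport that exposes SSH, and a private
# transport with three defects (no encapsulation, no 'no shutdown', ineffective deny).
SAMPLE_VPN0 = """\
vpn 0
 interface ge0/0
  ip address 192.0.2.10/24
  ipv6 address 2001:db8::10/64
  tunnel-interface
   encapsulation ipsec
   encapsulation gre
   color biz-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   no allow-service netconf
  no shutdown
 interface ge0/1
  ip dhcp-client
  tunnel-interface
   color mpls restrict
   allow-service all
   no allow-service sshd
"""

def parse_vpn0(text):
    # One dict per interface; lines indented deeper than 'tunnel-interface' belong to it.
    interfaces, cur, in_tunnel = [], None, False
    for raw in text.splitlines():
        indent, parts = len(raw) - len(raw.lstrip(" ")), raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "interface":
            cur = {"name": parts[1], "ipv4": None, "ipv6": None, "dhcp": False, "enabled": False, "tunnel": None}
            interfaces.append(cur)
            in_tunnel = False
        elif cur is None:
            continue
        elif parts == ["tunnel-interface"]:
            cur["tunnel"] = {"encap": set(), "color": None, "restrict": False, "services": {}}
            in_tunnel = True
        elif in_tunnel and indent >= 3:
            t = cur["tunnel"]
            if parts[0] == "encapsulation":
                t["encap"].add(parts[1])
            elif parts[0] == "color":  # color <name> [restrict]
                t["color"], t["restrict"] = parts[1], "restrict" in parts[2:]
            elif parts[0] == "allow-service":
                t["services"][parts[1]] = True
            elif parts[:2] == ["no", "allow-service"]:
                t["services"][parts[2]] = False
        else:
            in_tunnel = False
            if parts[:2] == ["ip", "address"]:
                cur["ipv4"] = ipaddress.ip_interface(parts[2])
            elif parts[:2] == ["ipv6", "address"]:
                cur["ipv6"] = ipaddress.ip_interface(parts[2])
            elif parts == ["ip", "dhcp-client"]:
                cur["dhcp"] = True
            elif parts == ["no", "shutdown"]:
                cur["enabled"] = True
    return interfaces

def effective_services(tunnel):
    # 'all' overrides every individual allow/no-allow line (per the table above).
    svc = tunnel["services"]
    if "all" in svc:
        return set(SERVICES) if svc["all"] else set()
    return {s for s, allowed in svc.items() if allowed}

def audit_vpn0(text):
    # Findings per tunnel interface: the mandatory settings first, then the hardening check.
    findings = []
    for i in (i for i in parse_vpn0(text) if i["tunnel"] is not None):
        name, t = i["name"], i["tunnel"]
        if i["ipv4"] is None and i["ipv6"] is None and not i["dhcp"]:
            findings.append(f"{name}: no static IP address and no DHCP client")
        if not i["enabled"]:
            findings.append(f"{name}: missing 'no shutdown'")
        if t["color"] not in ALL_COLORS:
            findings.append(f"{name}: missing or unknown color {t['color']!r}")
        if not t["encap"]:
            findings.append(f"{name}: no encapsulation (ipsec and/or gre) configured")
        if t["services"].get("all") and False in t["services"].values():
            findings.append(f"{name}: 'allow-service all' overrides the 'no allow-service' lines")
        if t["color"] not in PRIVATE_COLORS:
            exposed = sorted(effective_services(t) & MGMT_SERVICES)
            if exposed:
                findings.append(f"{name}: management services {exposed} allowed on public color {t['color']}")
    return findings
```

Running audit_vpn0 on the sample reports four findings: sshd reachable on the biz-internet transport of ge0/0, and on ge0/1 the missing no shutdown, the missing encapsulation, and the fact that allow-service all makes the no allow-service sshd line ineffective. MGMT_SERVICES is the only policy knob; widen it to whatever your own management-plane access rules say should never be answered on a WAN-facing interface.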
You can log the headers of all packets that are dropped because they do not match a service configured with an allow-service command. You can use these logs for security purposes, for example, to monitor the flows that are being directed to a WAN
interface and to determine, in the case of a DDoS attack, which IP addresses to block.