Enable AAA Authentication

Enable authentication parameters.

Accounting Group

Enable accounting parameters.

Add AAA User

Name

Enter a name for the user. It can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters.

The following usernames are reserved, so you cannot configure them: backup, basic, bin, daemon, games, gnats, irc, list, lp, mail, man, news, nobody, proxy, quagga, root, sshd, sync, sys, uucp, and www-data. Also, names that start with viptela-reserved are reserved.

Password

Enter a password for the user. The password is an MD5 digest string, and it can contain any characters, including tabs, carriage returns, and linefeeds. For more information, see Section 9.4 in RFC 7950, The YANG 1.1 Data Modeling Language.

Each username must have a password. Users are allowed to change their own passwords.

The default password for the admin user is admin. We strongly recommended that you change this password.

Confirm Password

Re-enter the password for the user.

Privilege

Select between privilege level 1 or 15.

• Level 1: User EXEC mode. Read-only, and access to limited commands, such as the ping command.

• Level 15: Privileged EXEC mode. Full access to all commands, such as the reload command, and the ability to make configuration changes. By default, the EXEC commands at privilege level 15 are a superset of those available at privilege level 1.

Add Public Key Chain

Key String*

Enter the authentication string for a key.

Key Type

Choose ssh-rsa.

Add Radius Server

Address*

Enter the IP address of the RADIUS server host.

Acct Port

Enter the UDP port to use to send 802.1X and 802.11i accounting information to the RADIUS server.

Range: 0 through 65535.

Default: 1813

Auth Port

Enter the UDP destination port to use for authentication requests to the RADIUS server. If the server is not used for authentication, configure the port number to be 0.

Default: 1812

Retransmit

Enter the number of times the device transmits each RADIUS request to the server before giving up.

Default: 3 seconds

Timeout

Enter the number of seconds a device waits for a reply to a RADIUS request before retransmitting the request.

Default: 5 seconds

Range: 1 through 1000

Key*

Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the RADIUS server for authentication and encryption.

Key Type

Choose Protected Access Credential (PAC) or key type.

Add TACACS Server

Address*

Enter the IP address of the TACACS+ server host.

Port

Enter the UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0.

Default: 49

Timeout

Enter the number of seconds a device waits for a reply to a TACACS+ request before retransmitting the request.

Default: 5 seconds

Range: 1 through 1000

Key*

Enter the key the Cisco IOS XE Catalyst SD-WAN device passes to the TACACS+ server for authentication and encryption. You can type the key as a text string from 1 to 31 characters long, and it is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the AES encryption key used on the TACACS+ server.

Add Accounting Rule

Rule Id*

Enter the accounting rule ID.

Method*

Specifies the accounting method list. Choose one of the following:

• commands: Provides accounting information about specific, individual EXEC commands associated with a specific privilege level.

• exec: Provides accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

• network: Runs accounting for all network-related service requests.

• system: Performs accounting for all system-level events not associated with users, such as reloads.

  Note	When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

Level

Choose the privilege level (1 or 15). Accounting records are generated only for commands entered by users with this privilege level.

Start Stop

Enable this option to if you want the system to send a start accounting notice at the beginning of an event and a stop record notice at the end of the event.

Use Server-group*

Choose a previously configured TACACS group. The parameters that this accounting rule defines are used by the TACACS servers that are associated with this group.

Server Auth Order*

Choose the authentication order. It dictates the order in which authentication methods are tried when verifying user access to a Cisco IOS XE Catalyst SD-WAN device through an SSH session or a console port.

Authorization Console

Enable this option to perform authorization for console access commands.

Authorization Config Commands

Enable this option to perform authorization for configuration commands.

Add Authorization Rule

Rule Id*

Enter the authorization rule ID.

Method*

Choose Commands, which causes commands that a user enters to be authorized.

Level

Choose the privilege level (1 or 15) for commands to be authorized. Authorization is provided for commands entered by users with this privilege level.

If Authenticated

Enable this option to apply the authorization rule parameters only to the authenticated users. If you do not enable this option, the rule is applied to all users.

Use Server-group*

Choose a previously configured TACACS group. The parameters that this authorization rule defines are used by the TACACS servers that are associated with this group.

Time Zone

Choose the time zone to use on the device.

Device Groups

Enter the names of one or more groups to which the device belongs, separated by commas.

Location

Enter a description of the location of the device. It can be up to 128 characters.

Description

Enter any additional descriptive information about the device.

Transport Gateway

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1)

Enable transport gateway functionality for the device.

A transport gateway connects routers that may or may not have direct connectivity. One common use case for transport gateways is to provide connectivity between routers in disjoint networks, such as between public and private WANs. Another use case for transport gateway functionality is to use a transport gateway as the hub in a hub-and-spoke topology.

Console Baud Rate(bps)

Choose the baud rate of the console connection on the router.

Values: 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 baud or bits per second (bps).

Default: 9600

Overlay ID

Specifies the overlay ID of a device in the Cisco Catalyst SD-WAN overlay network.

Range: 0 - 4294967295 (2³² – 1)

Default: 1

Controller Group

List the Cisco Catalyst SD-WAN Controller groups to which the router belongs.

Max OMP Sessions

Set the maximum number of OMP sessions that a router can establish to a Cisco SD-WAN Controller.

Range: 1 through 100

Affinity Group Number

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1)

Enter an affinity group number.

Range: 1 through 63

Affinity Group Number for VRFs

and

Range of VRFs

(Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1)

Enter an affinity group number for a specific range of VRFs. You can click + to configure an affinity group number for additional VRF ranges.

Range for affinity group: 1 through 63

Range for VRFs: 1 through 65531

Affinity Group Preference Auto

(Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1)

Configure automatic affinity preference order. When you use this, a device prefers routes with a lower affinity group number. In this case affinity group numbers are not treated as arbitrary tags, but instead signify route priority, where a lower affinity group number means higher priority.

Affinity Group Preference

(Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1)

Enter a comma-separated list of affinity group numbers.

In a Multi-Region Fabric scenario, this determines the order of preference for connecting to a gateway.

Affinity group preference also used for path filtering when using the filter route outbound affinity-group preference command on a Cisco SD-WAN Controller.

Range for affinity groups: 1 through 63

GPS Latitude

Enter the latitude of the device, in the format decimal-degrees.

GPS Longitude

Enter the longitude of the device, in the format decimal-degrees.

Track Transport

Enable this option to regularly check whether the DTLS connection between the device and a Cisco SD-WAN Validator is up.

Default: Enabled

Track Default Gateway

Enable or disable tracking of default gateway. Gateway tracking determines, for static routes, whether the next hop is reachable before adding that route to the route table of the device.

Default: Enabled

Track Interface Tag

Set the tag string to include in routes associated with a network that is connected to a non-operational interface.

Range: 1 through 4294967295

Tracker DIA Stabilize Status

Enable this option to stabilize interface flaps by using the multiplier to update HTTP or ICMP tracker status from DOWN to UP.

Port Hopping

Enable or disable port hopping. When a Cisco Catalyst SD-WAN device is behind a NAT, port hopping rotates through a pool of preselected OMP port numbers (called base ports) to establish DTLS connections with other Cisco Catalyst SD-WAN devices when a connection attempt is unsuccessful. The default base ports are 12346, 12366, 12386, 12406, and 12426. To modify the base ports, set a port offset value.

Default: Enabled

Port Offset

Enter a number by which to offset the base port number. Configure this option when multiple Cisco Catalyst SD-WAN devices are behind a single NAT device, to ensure that each device uses a unique base port for DTLS connections.

Values: 0 through 19

On Demand Tunnel

Enable dynamic on-demand tunnels between any two Cisco Catalyst SD-WAN spoke devices.

On Demand Tunnel Idle Timeout (In Minute)

Enter the on-demand tunnel idle timeout time. After the configured time, the tunnel between the spoke devices is removed.

Range: 1 to 65535 minutes

Default: 10 minutes

Control Session PPS

Enter a maximum rate of DTLS control session traffic to police the flow of control traffic.

Range: 1 through 65535 pps

Default: 300 pps

Multi Tenant

Enable this option to specify the device as multitenant.

Admin Tech On Failure

Enable this option to collect admin-tech information when the device reboots.

Default: Enabled

Type

Choose a feature from the drop-down list.

Feature Name

Enter a name for the feature. The name can be up to 128 characters and can contain only alphanumeric characters.

Description

Enter a description of the feature. The description can be up to 2048 characters and can contain only alphanumeric characters.

Profile ID

Enter the identification number of the profile to use on the router.

Range: 1 through 15

Access Point Name

Enter the name of the gateway between the service provider network and the public internet. It can be up to 32 characters long.

Authentication

Choose the authentication method used for the connection to the cellular network. It can be none, pap, chap, or pap_chap.

Profile Username

Enter the username to use when making cellular connections for web services. It can be 1 to 32 characters. It can contain any alphanumeric characters, including spaces.

Profile Password

Enter the user password to use when making cellular connections for web services. The password is case-sensitive and can be clear text, or an AES-encrypted key.

From Cisco Catalyst SD-WAN Manager Release 20.15.1, when you enter the password as clear text, Cisco SD-WAN Manager encrypts the password. When you view the configuration preview, the password appears in its encrypted form.

Packet Data Network Type

Choose the packet data network (PDN) type of the cellular network. It can be IPv4, IPv6, or IPv4v6.

No Overwrite

Enable this option to overwrite the profile on the cellular modem. By default, this option is disabled.

Type

Choose a feature from the drop-down list.

Feature Name

Enter a name for the feature. The name can be up to 128 characters and can contain only alphanumeric characters.

Description

Enter a description of the feature. The description can be up to 2048 characters and can contain only alphanumeric characters.

Cellular ID

Enter the interface slot and port number in which the cellular NIM card is installed. Currently, it can be 0/1/0 or 0/2/0.

Primary SIM slot

Enter the number of the primary SIM slot. It can be 0 or 1. The other slot is automatically set to be the secondary. If there is a single SIM slot, this parameter is not applicable.

SIM Failover Retries

Specify the maximum number of times to retry connecting to the secondary SIM when service on the primary SIM becomes unavailable. If there is a single SIM slot, this parameter is not applicable.

Range: 0 through 65535

Default: 10

SIM Failover Timeout

Specify how long to wait before switching from the primary SIM to the secondary SIM if service on the primary SIM becomes unavailable. If there is a single SIM slot, this parameter is not applicable.

Range: 3 to 7 minutes

Default: 3 minutes

Firmware Auto Sim

By default, this option is enabled. AutoSIM analyzes any active SIM card and determines which service provider network is associated with that SIM. Based on that analysis, AutoSIM automatically loads the appropriate firmware.

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN

VPN 0 or the WAN transport VPN.

Associated Tracker

Choose a tracker.

Shutdown*

Enable or disable the interface.

Interface Name*

Enter the name of the interface.

Description*

Enter a description of the cellular interface.

DHCP Helper

Enter up to four IP addresses for DHCP servers in the network, separated by commas, to have the interface be a DHCP helper. A DHCP helper interface forwards BOOTP (Broadcast) DHCP requests that it receives from the specified DHCP servers.

Tunnel Interface

Enable this option to create a tunnel interface.

Carrier

Choose the carrier name or private network identifier to associate with the tunnel.

Values: carrier1, carrier2, carrier3, carrier4, carrier5, carrier6, carrier7, carrier8, default

Default: default

Color

Choose a color for the TLOC.

Hello Interval

Enter the interval between Hello packets sent on a DTLS or TLS WAN transport connection.

Range: 100 through 600000 milliseconds

Default: 1000 milliseconds (1 second)

Hello Tolerance

Enter the time to wait for a Hello packet on a DTLS or TLS WAN transport connection before declaring that transport tunnel to be down.

Range: 12 through 6000 seconds

Default: 12 seconds

Last-Resort Circuit

Enable this option to use the tunnel interface as the circuit of last resort.

Restrict

Enable this option to limit the remote TLOCs that the local TLOC can establish BFD sessions with. When a TLOC is marked as restricted, a TLOC on the local router establishes tunnel connections with a remote TLOC only if the remote TLOC has the same color.

Group

Enter a group number.

Range: 1 through 4294967295

Border

Enable this option to set the TLOC as a border TLOC.

Maximum Control Connections

Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 100

Default: 2

NAT Refresh Interval

Enter the interval between NAT refresh packets sent on a DTLS or TLS WAN transport connection.

Range: 1 through 60 seconds

Default: 5 seconds

Validator As Stun Server

Enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the Cisco IOS XE Catalyst SD-WAN device is located behind a NAT.

Exclude Controller Group List

Set the identifiers of one or more Cisco SD-WAN Controller groups that this tunnel is not allowed to connect to.

Range: 1 through 100

Manager Connection Preference

Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager.

Range: 0 through 8

Default: 5

Port Hop

Enable port hopping. When a router is behind a NAT, port hopping rotates through a pool of preselected OMP port numbers (called base ports) to establish DTLS connections with other routers when a connection attempt is unsuccessful. The default base ports are 12346, 12366, 12386, 12406, and 12426. To modify the base ports, set a port offset value.

Default: Enabled

Low-Bandwidth Link

Enable this option to characterize the tunnel interface as a low-bandwidth link.

Tunnel TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Clear-Dont-Fragment

Enable this option to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.

Network Broadcast

Enable this option to accept and respond to network-prefix-directed broadcasts.

Allow Service

Allow or disallow the following services on the interface:

• All

• BGP

• DHCP

• NTP

• SSH

• DNS

• ICMP

• HTTPS

• OSPF

• STUN

• SNMP

• NETCONF

• BFD

Encapsulation

GRE

Use GRE encapsulation on the tunnel interface. By default, GRE is disabled.

If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.

GRE Preference

Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

Range: 0 through 4294967295

Default: 0

GRE Weight

Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

Range: 1 through 255

Default: 1

IPsec

Use IPsec encapsulation on the tunnel interface. By default, IPsec is enabled.

If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.

IPsec Preference

Specify a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

Range: 0 through 4294967295

Default: 0

IPsec Weight

Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

Range: 1 through 255

Default: 1

NAT

Enable this option to have the interface act as a NAT device.

UDP Timeout*

Specify when NAT translations over UDP sessions time out.

Range: 1 through 8947 minutes

Default: 1 minutes

TCP Timeout*

Specify when NAT translations over TCP sessions time out.

Range: 1 through 8947 minutes

Default: 60 minutes (1 hour)

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

MAC Address

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 9216

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

TLOC Extension

Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.

Tracker

Tracking the interface status is useful when you enable NAT on a transport interface in VPN 0 to allow data traffic from the router to exit directly to the internet rather than having to first go to a router in a data center. In this situation, enabling NAT on the transport interface splits the TLOC between the local router and the data center into two, with one going to the remote router and the other going to the internet.

When you enable transport tunnel tracking, Cisco Catalyst SD-WAN periodically probes the path to the internet to determine whether it is up. If Cisco Catalyst SD-WAN detects that this path is down, it withdraws the route to the internet destination, and traffic destined to the internet is then routed through the data center router. When Cisco Catalyst SD-WAN detects that the path to the internet is again functioning, the route to the internet is reinstalled.

Enter the name of a tracker to track the status of transport interfaces that connect to the internet.

IP Directed-Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Associated VPN

The service VPN.

Shutdown

Enable or disable the interface.

Interface Name

Enter a name for the interface. Spell out the interface names completely (for example, GigabitEthernet0/0/0).

Configure all the interfaces of the router, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.

Description

Enter a description for the interface.

IPv4 Settings

Configure an IPv4 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

Dynamic DHCP Distance

Enter an administrative distance value for routes learned from a DHCP server. This option is available when you choose Dynamic.

Default: 1

IP Address

Enter a static IPv4 address. This option is available when you choose Static.

Subnet Mask

Add Secondary IP Address

Enter up to four secondary IPv4 addresses for a service-side interface.

• IP Address*: Enter the IP address.

• Subnet Mask: Enter the subnet mask.

DHCP Helper

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

IPv6 Settings

Configure an IPv6 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

• None

IPv6 Address Primary

Enter a static IPv6 address. This option is available when you choose Static.

Add Secondary Ipv6

Enter up to two secondary IPv6 addresses for a service-side interface.

Add DHCP Helper

DHCPv6 Helper*

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

DHCPv6 Helper VPN

Enter the VPN ID of the VPN source interface for the DHCP helper.

IPv4 Settings

NAT

Enable this option to have the interface act as a NAT device.

NAT Type*

Choose the NAT translation type for IPv4:

• pool

• loopback

Default: pool

Range Start

Enter a starting IP address for the NAT pool.

Range End

Enter a closing IP address for the NAT pool.

Prefix Length

Enter the NAT pool prefix length.

Overload

Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

Default: Enabled

NAT Loopback

Enter the IP address of the loopback interface.

UDP Timeout

Specify when NAT translations over UDP sessions time out.

Range: 1 through 8947 minutes

Default: 1 minutes

TCP Timeout

Specify when NAT translations over TCP sessions time out.

Range: 1 through 8947 minutes

Default: 60 minutes (1 hour)

Add New Static NAT

Source IP*

Enter the source IP address to be translated.

Translate IP*

Enter the translated source IP address.

Direction

Choose the direction in which to perform network address translation.

• inside: Translates the IP address of packets that are coming from the service side of the device and that are destined for the transport side of the router.

• outside: Translates the IP address of packets that are coming to the device from the transport side device and that are destined for a service-side device.

Source VPN*

Enter the source VPN ID.

IPv6 Settings

NAT

Enable this option to have the interface act as a NAT device.

Select NAT

Choose NAT64 or NAT66. When you choose NAT66 and click Add Static NAT66, the following fields appear:

• Source Prefix*: Enter the source IPv6 prefix.

• Translated Source Prefix*: Enter the translated source prefix.

• Source VPN ID*: Enter the source VPN ID.

IPv4 Settings

Add Vrrp Ipv4

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

IP Address*

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Tloc Prefix Change*

Enable or disable this option to set whether the TLOC preference can be changed or not.

Tloc Prefix Change Value

Enter the TLOC preference change value.

Range: 100 to 4294967295

Add VRRP IP Address Secondary

IP Address*

Enter an IP address for the secondary VRRP router.

Subnet Mask

Enter the subnet mask.

Add VRRP Tracking Object

Tracker ID*

Enter the interface object ID or object group tracker ID.

Tracker Action*

Choose one of the options:

• decrement

• shutdown

Decrement Value*

Enter a decrement value.

Range: 1-255

IPv6 Settings

Add Vrrp Ipv6

Group ID*

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority*

Enter the priority level of the router. The router with the highest priority is elected as the primary router. If two routers have the same priority, the one with the higher IP address is elected as the primary router.

Range: 1 through 254

Default: 100

Timer*

Specify how often the primary VRRP router sends VRRP advertisement messages. If secondary routers miss three consecutive VRRP advertisements, they elect a new primary router .

Range: 100 through 40950 seconds

Default: 100 seconds

Track OMP*

When you enable this option, VRRP tracks the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Track Prefix List

Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if the reachability to one of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic while the Cisco IOS XE Catalyst SD-WAN device determines the primary VRRP router.

Link Local IPv6 Address*

Enter a virtual link local IPv6 address, which represents the link local address of the group. The address should be in standard link local address format. For example, FE80::AB8.

Global IPv6 Prefix

Enter a virtual global unicast IPv6 address, which represents the global address of the group. The address should be an IPv6 global prefix address that has the same mask as the interface forwarding address on which the VRRP group is configured. For example, 2001::2/124.

You can configure up to three global IPv6 addresses.

Add ARP

IP Address*

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address*

Enter the MAC address in colon-separated hexadecimal notation.

Enable SGTPropogation

Enable this option to use the Cisco TrustSec Security Group Tag (SGT) propagation feature.

Propagate

Enable this option to propagate SGT in Cisco Catalyst SD-WAN.

Security Group Tag

Enter a value that can be used as a tag.

Enable Enforced Propagation

Enable this option to start SGT enforcement on the interface.

Enforced Security Group Tag

Enter a value that can be used as a tag for enforcement.

Duplex

Specify whether the interface runs in full-duplex or half-duplex mode.

Default: full

MAC Address

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 1518 (GigabitEthernet0), 1500 through 9216 (other GigabitEthernet)

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Speed

Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation.

Values: 10, 100, 1000, 2500, or 10000 Mbps

ARP Timeout

ARP timeout controls how long we maintain the ARP cache on a router. Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2147483 seconds

Default: 1200 seconds

Autonegotiate

Enable this option to turn on autonegotiation.

Media Type

Specify the physical media connection type on the interface. Choose one of the following:

• auto-select: A connection is automatically selected.

• rj45: Specifies an RJ-45 physical connection.

• sfp: Specifies a small-form factor pluggable (SFP) physical connection for fiber media.

Load Interval

Enter an interval value for interface load calculation.

Tracker

Static-route tracking for service VPNs enables you to track the availability of the configured endpoint address to determine if the static route can be included in the routing table of a device. Enter the name of the gateway tracker to determine whether the next hop is reachable before adding that route to the route table of the device.

ICMP Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

XConnect

Enter the name of a physical interface on the same router that connects to the WAN transport.

IP Directed Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

Type

Choose a feature from the drop-down list.

Associated VPN

Choose a VPN.

Associated Tracker/Trackergroup

Choose a tracker or tracker group.

Associated IPv6- Tracker/IPv6-Trackergroup

Choose an IPv6- tracker or tracker group.

Shutdown

Enable or disable the interface.

Interface Name*

Enter a name for the interface. Spell out the interface names completely (for example, GigabitEthernet0/0/0).

Configure all the interfaces of the router, even if you are not using them, so that they are configured in the shutdown state and so that all default values for them are configured.

Description

Enter a description for the interface.

Auto Detect Bandwidth

Enable this option to automatically detect the bandwidth for WAN interfaces. The device detects the bandwidth by contacting an iPerf3 server to perform a speed test.

IPv4 Settings

Configure an IPv4 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

Dynamic DHCP Distance

Enter an administrative distance value for routes learned from a DHCP server. This option is available when you choose Dynamic.

Default: 1

IP Address

Enter a static IPv4 address. This option is available when you choose Static.

Subnet Mask

Configure Secondary IP Address

Enter up to four secondary IPv4 addresses for a service-side interface.

• IP Address: Enter the IP address.

• Subnet Mask: Enter the subnet mask.

DHCP Helper

To designate the interface as a DHCP helper on a router, enter up to eight IP addresses, separated by commas, for DHCP servers in the network. A DHCP helper interface forwards BOOTP (broadcast) DHCP requests that it receives from the specified DHCP servers.

IPv6 Settings

Configure an IPv6 VPN interface.

• Dynamic: Choose Dynamic to set the interface as a Dynamic Host Configuration Protocol (DHCP) client so that the interface receives its IP address from a DHCP server.

• Static: Choose Static to enter an IP address that doesn't change.

• None

IPv6 Address Primary

Enter a static IPv6 address. This option is available when you choose Static.

Add Secondary Ipv6

IP Address

Enter up to two secondary IPv6 addresses for a service-side interface.

Tunnel Interface

Enable this option to create a tunnel interface.

Per-tunnel QoS

Enable this option to apply a Quality of Service (QoS) policy on individual tunnels.

Color

Choose a color for the TLOC.

Restrict

Enable this option to limit the remote TLOCs that the local TLOC can establish BFD sessions with. When a TLOC is marked as restricted, a TLOC on the local router establishes tunnel connections with a remote TLOC only if the remote TLOC has the same color.

Groups

Enter a group number.

Range: 1 through 4294967295

Border

Enable this option to set the TLOC as a border TLOC.

Maximum Control Connections

Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 100

Default: 2

Validator As Stun Server

Enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the Cisco IOS XE Catalyst SD-WAN device is located behind a NAT.

Exclude Controller Group List

Set the identifiers of one or more Cisco SD-WAN Controller groups that this tunnel is not allowed to connect to.

Range: 1 through 100

Manager Connection Preference

Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager.

Range: 0 through 8

Default: 5

Port Hop

Enable port hopping. If port hopping is enabled globally, you can disable it on an individual TLOC (tunnel interface).

Default: Enabled

Low-Bandwidth Link

Enable this option to characterize the tunnel interface as a low-bandwidth link.

Tunnel TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Clear-Dont-Fragment

Enable this option to clear the Don't Fragment (DF) bit in the IPv4 packet header for packets being transmitted out the interface. When the DF bit is cleared, packets larger than the MTU of the interface are fragmented before being sent.

CTS SGT Propagation

Enable CTS SGT propagation on an interface.

Network Broadcast

Enable this option to accept and respond to network-prefix-directed broadcasts.

Allow Service

Allow or disallow the following services on the interface:

• All

• BGP

• DHCP

• NTP

• SSH

• DNS

• ICMP

• HTTPS

• OSPF

• STUN

• SNMP

• NETCONF

• BFD

Encapsulation

Encapsulation*

Choose an encapsulation type:

• gre: Use GRE encapsulation on the tunnel interface.

• ipsec: Use IPsec encapsulation on the tunnel interface.

  Note	If you select both IPsec and GRE encapsulations, two TLOCs are created for the tunnel interface that have the same IP addresses and colors, but that differ by their encapsulation.

When you choose gre, the following fields appear:

• GRE Preference: Enter a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

  Range: 0 through 4294967295

  Default: 0

• GRE Weight: Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

  Range: 1 through 255

  Default: 1

When you choose ipsec, the following fields appear:

• IPSEC Preference: Enter a preference value for directing traffic to the tunnel. A higher value is preferred over a lower value.

  Range: 0 through 4294967295

  Default: 0

• IPSEC Weight: Enter a weight to use to balance traffic across multiple TLOCs. A higher value sends more traffic to the tunnel.

  Range: 1 through 255

  Default: 1

Multi-Region Fabric

Connect to Core Region

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1)

(Applicable to a border router only) In a Multi-Region Fabric scenario, enable this option to specify how to use the Ethernet interface:

• Share Interface with Access Region: Share the interface between the access region and core region.

• Keep Exclusive to Core Region: Use the interface only for the core region.

Connect to Secondary Region

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1)

(Applicable to an edge router only) In a Multi-Region Fabric scenario, enable this option to specify how to use the Ethernet interface:

• Share Interface with Access Region: Share the interface between the primary and secondary regions.

• Keep Exclusive to Secondary Region: Use the interface only for the secondary region.

IPv4 Settings

NAT

Enable this option to have the interface act as a NAT device.

NAT Type

Choose the NAT translation type for IPv4:

• interface

• pool

• loopback

Default: interface. It is supported for NAT64.

UDP Timeout

Specify when NAT translations over UDP sessions time out.

Range: 1 through 8947 minutes

Default: 1 minute

TCP Timeout

Specify when NAT translations over TCP sessions time out.

Range: 1 through 8947 minutes

Default: 60 minutes (1 hour)

Choose the NAT type:

• Interface: This is the default value.

• Pool: Configure the following:

  • Pool ID: Enter a NAT pool number configured in the centralized data policy. The NAT pool name must be unique across VPNs and VRFs. You can configure up to 31 (1–32) NAT pools per router.

  • Range Start: Enter a starting IP address for the NAT pool.

  • Range End: Enter a closing IP address for the NAT pool.

  • Prefix length: Specify the maximum number of source IP addresses that can be NATed in the NAT pool.

  • Overload: Enable this option to configure per-port translation. If this option is disabled, only dynamic NAT is configured on the end device. Per-port NAT is not configured.

    Default: Disabled

• Loopback: Provide a value for the NAT inside source loopback interface.

Configure New Static NAT

Add a static NAT mapping

Source IP

Enter the source IP address to be translated.

Translate IP

Enter the translated source IP address.

Direction

Choose the direction in which to perform network address translation.

• inside: Translates the IP address of packets that are coming from the service side of the device and that are destined for the transport side of the router.

• outside: Translates the IP address of packets that are coming to the device from the transport side device and that are destined for a service-side device.

Source VPN

Enter the source VPN ID.

IPv6 Settings

IPv6 NAT

Enable this option to have the interface act as a NAT device.

Select NAT

Choose NAT64 or NAT66. When you choose NAT66, the following fields appear:

• Source Prefix: Enter the source IPv6 prefix.

• Translated Source Prefix: Enter the translated source prefix.

• Source VPN ID: Enter the source VPN ID.

• Egress Interface: Enable this option to have the interface act as an egress interface.

IP Address

Enter the IP address for the ARP entry in dotted decimal notation or as a fully qualified host name.

MAC Address

Enter the MAC address in colon-separated hexadecimal notation.

Duplex

Specify whether the interface runs in full-duplex or half-duplex mode.

Default: full

MAC Address

Specify a MAC address to associate with the interface, in colon-separated hexadecimal notation.

IP MTU

Specify the maximum MTU size of packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

Interface MTU

Enter the maximum transmission unit size for frames received and transmitted on the interface.

Range: 1500 through 1518 (GigabitEthernet0), 1500 through 9216 (other GigabitEthernet)

Default: 1500 bytes

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the router. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 to 1460 bytes

Default: None

Speed

Specify the speed of the interface, for use when the remote end of the connection does not support autonegotiation.

Values: 10, 100, 1000, 2500, or 10000 Mbps

ARP Timeout

ARP timeout controls how long we maintain the ARP cache on a router. Specify how long it takes for a dynamically learned ARP entry to time out.

Range: 0 through 2147483 seconds

Default: 1200 seconds

Autonegotiate

Enable this option to turn on autonegotiation.

Media Type

Specify the physical media connection type on the interface. Choose one of the following:

• auto-select: A connection is automatically selected.

• rj45: Specifies an RJ-45 physical connection.

• sfp: Specifies a small-form factor pluggable (SFP) physical connection for fiber media.

TLOC Extension

Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration then binds this service-side interface to the WAN transport. A second router at the same site that itself has no direct connection to the WAN (generally because the site has only a single WAN connection) and that connects to this service-side interface is then provided with a connection to the WAN.

GRE tunnel source IP

Enter the IP address of the extended WAN interface.

XConnect

Enter the name of a physical interface on the same router that connects to the WAN transport.

Load Interval

Enter an interval value for interface load calculation.

IP Directed Broadcast

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached are broadcast on that subnet.

ICMP Redirect Disable

ICMP redirects are sent by a router to the sender of an IP packet when a packet is being routed sub-optimally. The ICMP redirect informs the sending host to forward subsequent packets to that same destination through a different gateway.

By default, an interface allows ICMP redirect messages.

Enable Disc

Enable this option to allow syslog messages to be saved in a file on the local hard disk, or disable this option to disallow it. By default, logging to a local disk file is enabled on all Cisco IOS XE Catalyst SD-WAN devices.

Max File Size(In Megabytes)

Enter the maximum size of syslog files. The syslog files are rotated on an hourly basis based on the file size. When the file size exceeds the configured value, the file is rotated and the syslog process is notified.

Range: 1 to 20 MB

Default: 10 MB

Rotations

Enter the number of syslog files to create before discarding the oldest files.

Range: 1 to 10

Default: 10

Add TLS Profile

TLS Profile Name*

Enter the name of the TLS profile.

TLS Version

Choose a TLS version:

• TLSv1.1

• TLSv1.2

Authentication Type*

Choose Server.

Cipher Suite List

Choose groups of cipher suites (encryption algorithm) based on the TLS version.

The following is the list of cipher suites.

• aes-128-cbc-sha: Encryption type tls_rsa_with_aes_cbc_128_sha

• aes-256-cbc-sha: Encryption type tls_rsa_with_aes_cbc_256_sha

• dhe-aes-cbc-sha2: Encryption type tls_dhe_rsa_with_aes_cbc_sha2 (TLS1.2 and above)

• dhe-aes-gcm-sha2: Encryption type tls_dhe_rsa_with_aes_gcm_sha2 (TLS1.2 and above)

• ecdhe-ecdsa-aes-gcm-sha2: Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 and above) SuiteB

• ecdhe-rsa-aes-cbc-sha2: Encryption type tls_ecdhe_rsa_aes_cbc_sha2 (TLS1.2 and above)

• ecdhe-rsa-aes-gcm-sha2: Encryption type tls_ecdhe_rsa_aes_gcm_sha2 (TLS1.2 and above)

• rsa-aes-cbc-sha2: Encryption type tls_rsa_with_aes_cbc_sha2 (TLS1.2 and above)

• rsa-aes-gcm-sha2: Encryption type tls_rsa_with_aes_gcm_sha2 (TLS1.2 and above)

Add Server

Hostname/IPv4 Address*

Enter the DNS name, hostname, or IP address of the system on which to store syslog messages.

To add another syslog server, click the plus sign (+). To delete a syslog server, click the trash icon to the right of the entry.

VPN*

Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached.

Range: 0 through 65530

Source Interface

Enter the specific interface to use for outgoing system log messages. The interface must be located in the same VPN as the syslog server. Otherwise, the configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

Priority

Select the severity of the syslog message to save. The severity indicates the seriousness of the event that generated the message. Priority can be one of the following:

• informational: Routine condition (the default) (corresponds to syslog severity 6)

• debugging: Prints additional logs to help debugging the issue.

• notice: A normal, but significant condition (corresponds to syslog severity 5)

• warn: A minor error condition (corresponds to syslog severity 4)

• error: An error condition that does not fully impair system usability (corresponds to syslog severity 3)

• critical: A serious condition (corresponds to syslog severity 2)

• alert: Action must be taken immediately (corresponds to syslog severity 1)

• emergency: System is unusable (corresponds to syslog severity 0)

TLS Enable*

Enable this option to allow syslog over TLS. When you enable this option, the following field appears:

TLS Properties Custom Profile: Enable this option to choose a TLS profile. When you enable this option, the following field appears:

TLS Properties Profile: Choose a TLS profile that you have created for server or mutual authentication in the IPv4 server configuration.

Add IPv6 Server

Hostname/IPv6 Address*

Enter the DNS name, hostname, or IP address of the system on which to store syslog messages.

To add another syslog server, click the plus sign (+). To delete a syslog server, click the trash icon to the right of the entry.

VPN*

Enter the identifier of the VPN in which the syslog server is located or through which the syslog server can be reached.

Range: 0 through 65530

Source Interface

Enter the specific interface to use for outgoing system log messages. The interface must be located in the same VPN as the syslog server. Otherwise, the configuration is ignored. If you configure multiple syslog servers, the source interface must be the same for all of them.

Priority

Select the severity of the syslog message to save. The severity indicates the seriousness of the event that generated the message. Priority can be one of the following:

• informational: Routine condition (the default) (corresponds to syslog severity 6)

• debugging: Prints additional logs to help debugging the issue.

• notice: A normal, but significant condition (corresponds to syslog severity 5)

• warn: A minor error condition (corresponds to syslog severity 4)

• error: An error condition that does not fully impair system usability (corresponds to syslog severity 3)

• critical: A serious condition (corresponds to syslog severity 2)

• alert: Action must be taken immediately (corresponds to syslog severity 1)

• emergency: System is unusable (corresponds to syslog severity 0)

TLS Enable*

Enable this option to allow syslog over TLS.

TLS Properties Custom Profile*

Enable this option to choose a TLS profile.

TLS Properties Profile

Choose a TLS profile that you have created for server or mutual authentication in the IPv6 server configuration.

Add Server

Hostname/IP address*

Enter the IP address of an NTP server, or a DNS server that knows how to reach the NTP server.

VPN to reach NTP Server*

Enter the number of the VPN that should be used to reach the NTP server, or the VPN in which the NTP server is located. If you have configured multiple NTP servers, they must all be located or be reachable in the same VPN.

Range: 0 to 65530

Set authentication key for the server

Specify the MD5 key associated with the NTP server, to enable MD5 authentication.

For the key to work, you must mark it as trusted in the Trusted Key field under Authentication.

Set NTP version*

Enter the version number of the NTP protocol software.

Range: 1 to 4

Default: 4

Set interface to use to reach NTP server

Enter the name of a specific interface to use for outgoing NTP packets. The interface must be located in the same VPN as the NTP server. If it is not, the configuration is ignored.

Prefer this NTP server*

Enable this option if multiple NTP servers are at the same stratum level and you want one to be preferred. For servers at different stratum levels, Cisco Catalyst SD-WAN chooses the one at the highest stratum level.

Add Authentication Keys

Key Id*

Enter an MD5 authentication key ID.

Range: 1 to 65535

MD5 Value*

Enter an MD5 authentication key. Enter either a cleartext key or an AES-encrypted key.

Trusted Key

Enter the MD5 authentication key to designate the key as trustworthy. To associate this key with a server, enter the same value that you entered for the Set authentication key for the server field under Server.

Authoritative NTP Server

Choose Global from the drop-down list, and enable this option if you want to configure one or more supported routers as a primary NTP router.

When you enable this option, the following field appears:

Stratum: Enter the stratum value for the primary NTP router. The stratum value defines the hierarchical distance of the router from its reference clock.

Valid values: Integers 1 to 15. If you do not enter a value, the system uses the router internal clock default stratum value, which is 8.

Source

Enter the name of the exit interface for NTP communication. If configured, the system sends NTP traffic to this interface.

For example, enter GigabitEthernet1 or Loopback0.

Rekey Time (seconds)

Specify how often a device changes the AES key. Before Cisco IOS XE Catalyst SD-WAN devices and Cisco vEdge devices can exchange data traffic, they set up a secure authenticated communications channel between them. The routers use IPSec tunnels between them as the channel, and the AES-256 cipher to perform encryption. Each router generates a new AES key for its data path periodically.

Range: 10 through 1209600 seconds (14 days)

Default: 86400 seconds (24 hours)

Extended AR Window

Enabling an extended AR window causes a router to add a time stamp to each packet using the IPsec tunnel. This prevents valid packets from being dropped if they arrive out of sequence.

This option is turned off by default. Click On to enable it.

Enabling the feature displays the Extended Anti-Replay Window field.

Range: 10 ms to 2048 ms

Default: 256 ms

Replay Window

Specify the size of the sliding replay window.

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets.

Default: 512 packets

This option is turned off by default. Click On to enable it.

Integrity Type

Choose one of the following integrity types:

• esp: Enables Encapsulating Security Payload (ESP) encryption and integrity checking on the ESP header.

• ip-udp-esp: Enables ESP encryption. In addition to the integrity checks on the ESP header and payload, the checks include the outer IP and UDP headers.

• ip-udp-esp-no-id: Ignores the ID field in the IP header so that Cisco Catalyst SD-WAN can work with the non-Cisco devices.

• none: Turns integrity checking off on IPSec packets. We don't recommend using this option.

Add Key Chain

Key ID*

Select a key chain ID.

Key Chain Name*

Select a key chain name.

Add Key ID

ID*

Select a key chain ID.

Name*

Include TCP Options

This field indicates whether a TCP option other than TCP Authentication Option (TCP-AO) is used to calculate Message Authentication Codes (MACs).

A MAC is computed for a TCP segment using a configured MAC algorithm, relevant traffic keys, and the TCP segment data prefixed with a pseudoheader.

When options are included, the content of all options is included in the MAC with TCP-AO's MAC field is filled with zeroes.

When the options aren’t included, all options other than TCP-AO are excluded from all MAC calculations.

Key String

Specify the master key for deriving the traffic keys.

The master keys must be identical on both the peers. If the master keys do not match, authentication fails and segments may be rejected by the receiver. Range: 0 through 80 characters.

Receiver ID*

Range: 0 through 255.

Specify the send identifier for the key.

Range: 0 through 255.

Specify the algorithm to compute MACs for TCP segments. You can choose one of the following:

• aes-128-cmac

• hmac-sha-1

• hmac-sha-256

This field indicates whether the receiver must accept the segments for which the MAC in the incoming TCP-AO does not match the MAC that is generated on the receiver.

• Accept Local: This option is disabled by default. Click On to enable it.

• Accept Start Epoch: Specify the time in seconds that is entered in Cisco SD-WAN Manager for which the key to be accepted for TCP-AO authentication is valid. Specify the start time in the local time zone. By default, the start time corresponds to UTC time.

• End Time Format: You can specify the end time in three ways—infinite (no expiry), duration (1 through 2147483646 sec), or exact (either UTC or local).

• Send Local: This option is disabled by default. Click On to enable it.

• Send Start Epoch: Specify the time in seconds that is entered in Cisco SD-WAN Manager for which the key to be used in TCP-AO authentication is valid. Specify the start time in the local time zone. By default, the start time corresponds to UTC time.

• End Time Format: You can specify the end time in three ways—infinite (no expiry), duration (1 through 2147483646 sec), or exact time (either UTC or local).

Interface Name (1..255)*

Range: 1 through 255.

Interface Description

Choose from one of the following GRE tunnel modes:

• ipv4 underlay: GRE tunnel with IPv4 underlay. IPv4 underlay is the default value.

• ipv6 underlay: GRE tunnel with IPv6 underlay.

Multiplexing

Choose Yes to enable multiplexing, in case of a tunnel in the transport VPN.

Default: No

Source

Enter the source of the GRE interface:

• IP Address: Enter the source IP address of the GRE tunnel interface. Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address. This address is on the local router.

• Interface: Enter the egress interface name for the GRE tunnel.

• Tunnel Route Via*: Specify the tunnel route details to steer the GRE tunnel traffic through.

  Note	If the Tunnel Source Interface type is a loopback interface, enter the interface for traffic to be routed to. You cannot use the tunnel route via option to configure IPSec tunnels on a cellular interface because cellular interfaces do not include a next hop IP address for the default route.

Destination

• GRE Destination IP Address*: Enter the destination IP address of the GRE tunnel interface. This address is on a remote device.

• IP Address: Based on the option you selected in the Tunnel Mode drop-down list, enter an IPv4 or an IPv6 address for the GRE tunnel.

  • Mask*: Enter the subnet mask.

• IPv6 Address: Enter the destination IPv6 or address for the GRE tunnel.

IKE Version

Enter 1 to choose IKEv1.

Enter 2 to choose IKEv2.

Default: IKEv1

IKE Integrity Protocol

• Main: Establishes an IKE SA session before starting IPsec negotiations.

• Aggressive: Negotiation is quicker, and the initiator and responder ID pass in the clear. Aggressive mode does not provide identity protection for communicating parties.

Default: Main mode

IKE Rekey Interval

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 14400 seconds (4 hours)

IKE Cipher Suite

Values: aes128-cbc-sha1, aes128-cbc-sha2, aes256-cbc-sha1, aes256-cbc-sha2

Default: aes256-cbc-sha1

IKE Diffie-Hellman Group

Values: 2, 14, 15, 16, 19, 20, 21, 24

Default: 16

IKE ID for Local End Point

Range: 1 through 64 characters

Default: Source IP address of the tunnel

IKE ID for Remote End Point

Range: 1 through 64 characters

Default: Destination IP address of the tunnel

There is no default option if you have chosen IKEv2.

IPsec Rekey Interval

Range: 3600 through 1209600 seconds (1 hour through 14 days)

Default: 3600 seconds

IPsec Replay Window

Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 bytes

Default: 512 bytes

IPsec Cipher Suite

Values: aes256-cbc-sha1, aes256-gcm, null-sha1

Default: aes256-gcm

Perfect Forward Secrecy

• group-2: Use the 1024-bit Diffie-Hellman prime modulus group

• group-14: Use the 2048-bit Diffie-Hellman prime modulus group

• group-15: Use the 3072-bit Diffie-Hellman prime modulus group

• group-16: Use the 4096-bit Diffie-Hellman prime modulus group

• none: Disable PFS

Default: group-16

DPD Interval

Range: 10 through 3600 seconds (1 hour)

Default: 10 seconds

DPD Retries

Range: 2 through 60

Default: 3

Application

Choose an application from the drop-down list:

• None

• Sig

Shutdown

IP MTU

Based on your choice in the Tunnel Mode option, specify the maximum MTU size of the IPv6 packets on the interface.

Range: 576 through 9216

Default: 1500 bytes

TCP MSS

Based on your choice in the Tunnel Mode option, specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Default: None

Clear-Dont-Fragment

Tunnel Protection

Choose Yes to enable tunnel protection.

Default: No

Minimum Bandwidth(Kbps)*

Enter the minimum bandwidth allocated to each VPN or each group of VPNs.

Input value must be an integer. The minimum input value is 8.

QoS Map*

Specify the name of the QoS map to apply to packets being transmitted out the interface.

Apply the Qos Map to each VPN or each group of VPNs based on the QoS Map configuration.

Shaping Rate(Kbps)

Specify the value of the maximum bandwidth in kilobits per second (kbps), allocated to each VPN or each group of VPNs.

Input value must be an integer. The minimum input value is 8.

VPN Group*

Choose a VPN group from the dropdown list.

Interface Name

Enter the name of the multilink interface.

Multilink Group Number *

Enter the number of the multilink group. It must be the same as the number you enter in the multilink interface name parameter.

Range: 1 through 65535

PPP Authentication Protocol

Select the authentication protocol used by the multilink interface:

• CHAP: Enter the hostname and password provided by your Internet Service Provider (ISP). hostname can be up to 255 characters.

• PAP: Enter the username and password provided by your ISP. username can be up to 255 characters.

• PAP and CHAP: Configure both authentication protocols. Enter the login credentials for each protocol. To use the same username and password for both, click Same Credentials for PAP and CHAP.

Hostname *

Enter hostname for PPP CHAP Authentication.

CHAP Password *

Enter password for PPP CHAP Authentication.

IPv4 Address *

To configure a static address, click Static and enter an IPv4 address.

To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server.

Default: 1

Mask

Choose a value for the subnet mask.

IPv6 Address *

To configure a static address for an interface in VPN 0, click Static and enter an IPv6 address.

To set the interface as a DHCP client so that the interface to receive its IP address from a DHCP server, click Dynamic. You can optionally set the DHCP distance to specify the administrative distance of routes learned from a DHCP server. The default DHCP distance is 1. You can optionally enable DHCP rapid commit, to speed up the assignment of IP addresses.

Add T1/E1 Interface

T1

Description

Enter a description for the T1controller.

Slot*

Enter the number of the slot in slot/subslot/port format, where the T1 NIM is installed. For example, 0/1/0.

Framing

Enter the T1 frame type:

• esf: Send T1 frames as extended superframes. This is the default.

• sf: Send T1 frames as superframes. Superframing is sometimes called D4 framing.

Clock Source

Select the clock source:

• line: Use phase-locked loop (PLL) on the interface. This is the default. When both T1 ports use line clocking and neither port is configured as the primary, by default, port 0 is the primary clock source and port 1 is the secondary clock source.

• internal: Use the controller framer as the primary clock.

Line Code

Select the line encoding to use to send T1 frames:

• ami: Use alternate mark inversion (AMI) as the linecode. AMI signaling uses frames grouped into superframes.

• b8zs: Use bipolar 8-zero substitution as the linecode. This is the default. B8ZS uses frames that are grouped into extended superframes.

Cable Length

Select the cable length to configure the attenuation

• short: Set the transmission attenuation for cables that are 660 feet or shorter.

• long: Attenuate the pulse from the transmitter using pulse equalization and line buildout. You can configure a long cable length for cables longer that 660 feet.

There is no default length.

E1

Description

Enter a description for the E1 controller.

Slot*

Enter the number of the slot in slot/subslot/port format, where the E1 NIM is installed. For example, 0/1/0.

Framing

Enter the E1 frame type:

• crc4: Use cyclic redundancy check 4 (CRC4). This is the default.

• no-crc4: Do no use CRC4.

Clock Source

Select the clock source:

• line: Use phase-locked loop (PLL) on the interface. This is the default. When both E1 ports use line clocking and neither port is configured as the primary, by default, port 0 is the primary clock source and port 1 is the secondary clock source.

• internal: Use the controller framer as the primary clock.

Line Code

Select the line encoding to use to send E1 frames:

• ami: Use alternate mark inversion (AMI) as the linecode.

• hdb3: Use high-density bipolar 3 as the linecode. This is the default.

Add Channel Group

Channel Group

To configure the serial WAN on the interface, enter a channel group number.

Range: 0 through 30

Time Slot

To configure the serial WAN on the interface, enter a value for the timeslot.

Range: 0 through 31

Add New A/S Serial Interface

Interface Name

Enter the name of the serial interface.

Description

Enter a description for the serial interface.

Bandwidth

For transmitted traffic, set the bandwidth above which to generate notifications.

Clock Rate

Specify a value for the clock rate.

Range: 1200 through 800000

Color

Choose a color for the TLOC.

Restrict

Enable this option to drop packets when a tunnel to the service is unreachable.

Groups

Enter the list of groups in the field.

Border

From the drop-down list, select Global. Click On to set TLOC as border TLOC.

Maximum Control Connections

Specify the maximum number of Cisco SD-WAN Controllers that the WAN tunnel interface can connect to. To have the tunnel establish no control connections, set the number to 0.

Range: 0 through 8

Default: 2

Validator As Stun Server

Click On to enable Session Traversal Utilities for NAT (STUN) to allow the tunnel interface to discover its public IP address and port number when the router is located behind a NAT.

Exclude Controller Group List

Set the Cisco SD-WAN Controllers that the tunnel interface is not allowed to connect to.

Range: 0 through 100

Cisco SD-WAN Manager Connection Preference

Set the preference for using a tunnel interface to exchange control traffic with Cisco SD-WAN Manager.

Range: 0 through 8

Default: 5

Port Hop

From the drop-down list, select Global. Click Off to allow port hopping on tunnel interface.

Default: On, which disallows port hopping on tunnel interface

Low-Bandwidth Link

Click On to set the tunnel interface as a low-bandwidth link.

Default: Off

Network Broadcast

From the drop-down list, select Global. Click On to accept and respond to network-prefix-directed broadcasts. Enable this parameter only if the Directed Broadcast is enabled on the LAN interface feature template.

Default: Off

Tunnel TCP MSS

TCP MSS affects any packet that contains an initial TCP header that flows through the router. When configured, TCP MSS is examined against the MSS exchanged in the three-way handshake. The MSS in the header is lowered if the configured TCP MSS setting is lower than the MSS in the header. If the MSS header value is already lower than the TCP MSS, the packets flow through unmodified. The host at the end of the tunnel uses the lower setting of the two hosts. To configure TCP MSS, provide a value that is 40 bytes lower than the minimum path MTU.

Specify the MSS of TPC SYN packets passing through the Cisco IOS XE Catalyst SD-WAN. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 552 through 1460 bytes

Ingress ACL - IPv4

Enter the name of an IPv4 access list to packets being received on the interface.

Egress ACL - IPv4

Enter the name of an IPv4 access list to packets being transmitted on the interface.

Igress ACL - IPv6

Enter the name of an IPv6 access list to packets being received on the interface.

Egress ACL - IPv6

Enter the name of an IPv6 access list to packets being transmitted on the interface.

Shutdown

Click No to enable the multilink interface.

Description

Enter a description for the multilink interface.

PPP Authentication Type

Select the type authentication from one of the following options.:

• Unidirectional: The server initiates the authentication.

• Bidirectional: Both the client and the server can initiate the authentication.

TCP MSS

Specify the maximum segment size (MSS) of TPC SYN packets passing through the Cisco Catalyst SD-WAN device. By default, the MSS is dynamically adjusted based on the interface or tunnel MTU such that TCP SYN packets are never fragmented.

Range: 500 through 1460 bytes

Default: 536

Disable Fragmentation

Click On to disable fragmentation for PPP Multilink Protocol data units (PDUs).

Fragment Max Delay

Configure the delay between the transmission of fragments in a PPP Multilink Protocol link.

Range: 0 through 1000

Default: No CLI Command

Interleaving Fragments

Enable interleave fragmentation for PPP Multilink Protocol data units (PDUs).

TLOC Extension

Enter the name of a physical interface on the same router that connects to the WAN transport. This configuration binds the service-side interface to the WAN transport by enabling a device to access the opposite WAN transport connected to the neighbouring device using a TLOC-extension interface.

IP MTU

Specify the maximum MTU size of packets on the interface. MLP encapsulation adds 6 extra bytes (4 header, 2 checksum) to each outbound packet. These overhead bytes reduce the effective bandwidth on the connection; therefore, the throughput for an MLP bundle is slightly less than an equivalent bandwidth connection that is not using MLP.

Range: 576 through 1804

Default: 1500 bytes

IP Directed-Broadcast

Enable the translation of a directed broadcast to physical broadcasts.

Shaping Rate (Kbps)

Configure the aggregate traffic transmission rate on the interface to be less than line rate, in kilobits per second (kbps).

Enable 2.4G*

Disable this option to shut down the radio type of 2.4 GHz.

Default: Enabled

Enable 5G*

Disable this option to shut down the radio type of 5 GHz.

Default: Enabled

Country*

Choose the country where the router is installed.

Username*

Specify the username of Cisco Mobility Express.

Password*

Specify the password of Cisco Mobility Express.

ME Dynamic IP*

Enable this option so that the interface receives its IP address dynamically from a DHCP server.

ME IP Address

Specify the IP address of Cisco Mobility Express.

Subnet Mask

Specify the subnet mask of Cisco Mobility Express.

Default Gateway

Specify the default gateway address of Cisco Mobility Express.

Add SSID

SSID Name*

Enter a name for the wireless SSID.

It can be a string from 4 to 32 characters. The SSID must be unique.

Admin State*

Enable this option to indicate that the interface has been configured.

Broadcast SSID*

Enable this option if you want to broadcast the SSID. Disable this option if you do not want the SSID to be visible to all the wireless clients.

VLAN (Range 1-4094)*

Enter a VLAN ID for the wireless LAN traffic.

Radio Type

Choose one of the following radio types:

• 2.4GHz

• 5GHz

• All

Security Type*

Choose a security type:

• WPA2 Enterprise: Choose this option for an enterprise where you authenticate and authorize network users with a remote RADIUS server.

• WPA2 Personal: Choose this option to authenticate users who want to access the wireless network using a passphrase.

• Open: Choose this option to allow access to the wireless network without authentication.

Passphrase*

This field is available if you choose WPA2 Personal as the security type. Set a pass phrase. This pass phrase provides users access to the wireless network.

QoS Profile

Choose a QoS profile.