This topic describes how to configure the general properties of WAN transport and service-side network interfaces. For information
about how to configure specific interface types and properties—including cellular interfaces, DHCP, PPPoE, VRRP, and WLAN
interfaces.
VPN 0 is the WAN transport VPN. This VPN carries all control plane traffic, which runs over OMP sessions, in the overlay
network. For a Cisco IOS XE Catalyst SD-WAN device to participate in the overlay network, at least one interface must be
configured in VPN 0, and at least one interface must connect to a WAN transport network, such as the Internet, an MPLS
network, or a metro Ethernet network. This WAN transport interface is referred to as a tunnel interface. At a minimum, for
this interface, you must configure an IP address, enable the interface, and set it to be a tunnel interface.
To configure a tunnel interface on a Cisco Catalyst SD-WAN Controller or a Cisco SD-WAN Manager, you create an interface in VPN 0, assign an IP address or configure the interface to receive an IP address from DHCP, and
mark it as a tunnel interface. The IP address can be either an IPv4 or IPv6 address. To enable dual stack, configure both
address types. You can optionally associate a color with the tunnel.
Note
|
IPv6 addresses are supported only on transport interfaces in VPN 0; they are not supported in VPN 512.
|
Tunnel interfaces on Cisco IOS XE Catalyst SD-WAN devices must have an IP address, a color, and an
encapsulation type. The IP address can be either an IPv4 or IPv6 address. To enable
dual stack in releases before Cisco IOS XE Catalyst SD-WAN Release 17.3.2, configure both address types.
To use dual stack with
Cisco IOS XE Catalyst SD-WAN devices from Cisco IOS XE Catalyst SD-WAN Release 17.3.2, configure all controllers with both IPv4 and IPv6 addresses. In addition, configure DNS for the Cisco Catalyst SD-WAN Validator interface to resolve IPv4 and IPv6 address types so that controllers can reach the Cisco Catalyst SD-WAN Validator through either IP address type.
Note
|
Starting from Cisco vManage Release 20.6.1, in case of a dual-stack configuration, if an IPv4 address or the fully qualified domain name (FQDN) is not available, but
an IPv6 address is available, then the IPv6 address is used to connect to the Cisco Catalyst SD-WAN Validator.
|
For the tunnel interface, you can configure a static IPv4 or IPv6 address, or you can configure the interface to receive its
address from a DHCP server. In releases before Cisco IOS XE Catalyst SD-WAN Release 17.3.2, to enable dual stack, configure
both an IPv4 and an IPv6 address on the tunnel interface.
From Cisco IOS XE Catalyst SD-WAN Release 17.3.2, Cisco IOS XE Catalyst SD-WAN devices do not support dual stack on the same TLOC or interface: only one address type can be provisioned for a TLOC or interface, and using a second address type requires a second TLOC or interface on which it can be provisioned.
On Cisco Catalyst SD-WAN Controllers and Cisco SD-WAN Manager, interface-name can be either ethnumber or loopbacknumber.
Because Cisco Catalyst SD-WAN Controllers and Cisco SD-WAN Manager participate only in the overlay network's control plane, the only VPNs that you can configure on these devices are VPN 0
and VPN 512, so all of their interfaces are in one of these two VPNs.
To enable the interface, include the no shutdown command.
Color is a Cisco Catalyst SD-WAN software construct that identifies the transport tunnel. It can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The colors metro-ethernet, mpls, and private1 through private6 are referred to as private colors, because they use private addresses to connect to the remote-side Cisco IOS XE Catalyst SD-WAN device in a private network. You can use these colors in a public network provided that there is no NAT device between the local and remote Cisco IOS XE Catalyst SD-WAN devices.
To limit the remote TLOCs that the local TLOC can establish BFD sessions with, mark the TLOC with the restrict option. When a TLOC is marked as restricted, a TLOC on the local router establishes tunnel connections with a remote TLOC
only if the remote TLOC has the same color.
Note
|
When a WAN edge device is configured with two IPv6 TLOCs, one that uses a static default route and one that uses the IPv6
neighbor discovery default route (the default route learned through IPv6 address autoconfig), the IPv6 neighbor discovery
default route is not installed in the routing table, and the TLOC that depends on it does not work.
For that TLOC to work, either configure a static default route for it as well, which overrides the IPv6 neighbor discovery
default route and ensures that both static routes are installed in the routing table, or use the IPv6 neighbor discovery
default route on all interfaces.
|
On a Cisco Catalyst SD-WAN Controller or Cisco SD-WAN Manager, you can configure one tunnel interface. On a Cisco IOS XE Catalyst SD-WAN device, you can configure up to eight tunnel interfaces.
On Cisco IOS XE Catalyst SD-WAN devices, you must configure the tunnel encapsulation. The encapsulation can be either IPsec or GRE. For IPsec encapsulation, the
default MTU is 1442 bytes, and for GRE it is 1468 bytes. These values are a function of the overhead required for BFD path MTU
discovery, which is enabled by default on all TLOCs. (For more information, see Configuring Control Plane and Data Plane High
Availability Parameters.) You can configure both IPsec and GRE encapsulation by including two encapsulation commands under the same tunnel-interface command. On the remote Cisco IOS XE Catalyst SD-WAN device, you must configure the same tunnel encapsulation type or types so that the two routers can exchange data traffic: data transmitted
out of an IPsec tunnel can be received only by an IPsec tunnel, and data sent on a GRE tunnel can be received only by a GRE
tunnel. The Cisco Catalyst SD-WAN software automatically selects the correct tunnel on the destination Cisco IOS XE Catalyst SD-WAN device.
A tunnel interface allows only DTLS, TLS, and, on Cisco IOS XE Catalyst SD-WAN devices, IPsec traffic to pass through the tunnel. To allow additional traffic to pass without having to create explicit policies
or access lists, include one allow-service command for each service. You can also explicitly disallow a service by including the no allow-service command. Note that services affect only physical interfaces. You can allow or disallow these services on a tunnel interface:
Service | Cisco SD-WAN Manager | Cisco Catalyst SD-WAN Controller
all (overrides any commands that allow or disallow individual services) | X | X
bgp | — | —
dhcp (for DHCPv4 and DHCPv6) | — | —
dns | — | —
https | X | —
icmp | X | X
netconf | X | —
ntp | — | —
ospf | — | —
sshd | X | X
stun | X | X
The allow-service stun command controls whether a Cisco IOS XE Catalyst SD-WAN device can generate requests to a generic STUN server so that the device can determine whether it is behind a NAT and, if so, what
kind of NAT it is and what the device's public IP address and public port number are. On a Cisco IOS XE Catalyst SD-WAN device that is behind a NAT, you can also configure the tunnel interface to discover its public IP address and port number from the Cisco Catalyst SD-WAN Validator.
With this configuration, the Cisco IOS XE Catalyst SD-WAN device uses the Cisco Catalyst SD-WAN Validator as a STUN server, so the router can determine its public IP address and public port number. (With this configuration, the
router cannot learn the type of NAT that it is behind.) No overlay network control traffic is sent and no keys are exchanged
over a tunnel interface that is configured to use the Cisco Catalyst SD-WAN Validator as a STUN server. However, BFD does come up on the tunnel, and data traffic can be sent on it. Because no control traffic
is sent over such a tunnel interface, you must configure at least one other tunnel interface on the Cisco IOS XE Catalyst SD-WAN device so that it can exchange control traffic with the Cisco Catalyst SD-WAN Controller and Cisco SD-WAN Manager.
You can log the headers of all packets that are dropped because they do not match a service configured with an allow-service command. You can use these logs for security purposes, for example, to monitor the flows that are being directed to a WAN
interface and, in the case of a DDoS attack, to determine which IP addresses to block.