Virtual Connect is an additional add-on option for Cloud Connectivity to Dedicated Instance for Webex Calling (Dedicated Instance). Virtual Connect enables Customers to securely extend their Private Network over the internet using point-to-point IP VPN Tunnels. This connectivity option provides a quick establishment of Private Network connection by using the existing Customer Premise Equipment (CPE) and internet connectivity.

Cisco hosts, manages, and assures redundant IP VPN Tunnels and the required Internet access in the Cisco’s Dedicated Instance datacenter region(s) where the service is required. Similarly, Administrator is responsible for their corresponding CPE and Internet services which is required for Virtual Connect establishment.

Each Virtual Connect order in a particular Dedicated Instance region would include two generic routing encapsulation (GRE) tunnels protected by IPSec encryption (GRE over IPSec), one to each Cisco’s datacentre in the Region selected.

Virtual Connect has a bandwidth limit of 250 Mbps per tunnel and is recommended for smaller deployments. Since two point-to-point VPN tunnels are used all traffic to the cloud has to go through the customer headend CPE, and therefore it may not be suitable where there are a lot of remote sites. For other alternative peering options, refer Cloud Connectivity.


The prerequisites for establishing Virtual Connect include:

  • Customer provides

    • Internet connection with enough available bandwidth to support the deployment

    • Public IP address(es) for two IPSec tunnels

    • Customer side GRE transport IP addresses for the two GRE tunnels

  • Partner and Customer

    • Work together to evaluate bandwidth requirements

    • Ensure network device(s) support Border Gateway Protocol (BGP) routing and a GRE over IPSec tunnel design

  • Partner or Customer provides

    • Network team with knowledge of site-to-site VPN tunnel technologies

    • Network team with knowledge of BGP, eBGP and general routing principles

  • Cisco

    • Cisco assigned private autonoumous system numbers (ASNs) and transient IP addressing for GRE tunnel interfaces

    • Cisco assigned public but not Internet routable Class C (/24) network for Dedicated Instance Cloud addressing

If a customer has only 1 CPE device, then the 2 tunnels towards Cisco’s datacenters (DC1 and DC2) in each region, will be from that CPE device. The customer also has an option for 2 CPE devices, then each CPE device should connect to 1 tunnel only towards Cisco’s Datacenters (DC1 and DC2) in each region. Additional redundancy can be achieved by terminating each tunnel in a separate physical site/location within the Customer’s infrastructure.

Technical Details

Deployment Model

Virtual Connect uses a dual tier headend architecture, where the routing and GRE control planes are provided by one device and the IPSec control plane is provided by another.

Upon completion of the Virtual Connect connectivity, two GRE over IPSec tunnels will be created between the Customer’s enterprise network and Dedicated Instance Cisco’s datacenters. One to each redundant datacenter within the respective Region. Additional networking elements required for the peering are exchanged by the Partner or Customer to Cisco via the Control Hub Virtual Connect activation form.

Figure 1 shows an example of the Virtual Connect deployment model for the 2-concentrator option on the customer side.

Virtual Connect - VPN is a Hub design, where the Customer’s Hub Sites are connected to DC1 and DC2 of Dedicated Instance’s datacenters within a particular region.

Two Hub sites are recommended for better redundancy, but One Hub site with two tunnels is also a supported deployment model.

The bandwidth per tunnel is limited to 250 Mbps.

The Customer’s remote sites within the same region, would need to connect back to the Hub site(s) over the Customer’s WAN and it is not Cisco’s responsibility for that connectivity.

Partners are expected to work closely with the Customers, ensuring the most optimal path is chosen for the ‘Virtual Connect’ service region.

Figure 2 shows the Dedicated Instance Cloud Connectivity peering Regions.


Routing for Virtual Connect add-on is implemented using external BGP (eBGP) between Dedicated Instance and the Customer Premise Equipment (CPE). Cisco will advertise their respective network for each redundant DC within a region to the Customer’s CPE and the CPE is required to advertise a default route to Cisco.

  • Cisco maintains and assigns

    • Tunnel Interface IP addressing (transient link for routing) Cisco assigns from a designated Shared Address Space (non-publicly routable)

    • Tunnel transport desitination address (Cisco's side)

    • Private autonomous system numbers (ASNs) for customer BGP routing configuration

      • Cisco assigns from the designated private use range: 64512 through 65534

  • eBGP used to exchange routes between Dedicated Instance and CPE

    • Cisco will split the assigned /24 network into 2 /25 one for each DC in the respective region

    • In Virtual Connect each /25 network is advertised back to CPE by Cisco over the respective point-to-point VPN tunnels (transient link)

    • CPE must be configured with the appropriate eBGP neighbors. If using one CPE, two eBGP neighbors will be used, one pointing to each remote tunnel. If using two CPE, then each CPE will have one eBGP neighbor poniting to the single remote tunnel for the CPE.

    • Cisco side of each GRE tunnel (tunnel interface IP) is configured as the BGP neighbor on the CPE

    • CPE is required to advertise a default route over each of the tunnels

    • CPE is responisible for redistributing, as required, the learned routes within the cutomer's enterprise network.

  • Under non-failure link failure condition, a single CPE will have two active/active tunnels. For two CPE nodes, each CPE will have one active tunnel and both CPE nodes should be active and passing traffic. Under non-failure scenario, traffic must split in two tunnels going to the correct /25 destinations, if one of the tunnel goes down, the remaining tunnel can carry the traffic for both. Under such a failure scenario, when the /25 network is down then the /24 network is used as a backup route. Cisco will send customer traffic via its internal WAN towards the DC which lost connectivity.

Connectivity Process

The following high-level steps describe how to establish connectivity with virtual Connect for Dedicated Instance.


Place an order in Cisco CCW


Activate Virtual Connect from Control Hub


Cisco performs Network Configuration


Customer performs Network Configuration

Step 1: CCW Order

Virtual Connect is an add-on for Dedicated Instance in CCW.


Navigate to the CCW ordering site and then click Login to sign on to the site:


Create Estimate.


Add "A-FLEX-3" SKU.


Select Edit options.


In the subscription tab that appears, Select Options and Add-ons.


Under Additional Add-ons, select the check box beside "Virtual Connect for Dedicated Instance". The SKU name is "A-FLEX-DI-VC".


Enter the quantity and number of regions in which Virtual Connect is required.

The Virtual Connect quantity should not exceed the total number of regions purchased for Dedicated Instance. Also, only one Virtual Connect order is allowed per region.

When you are satisfied with your selections, Click Verify and Save in the upper right portion of the page.


Click Save and Continue to finalize your order. Your finalized order now appers in the order grid.

Step 2: Activation of Virtual Connect in Control Hub


Sign in to Control Hub


In the Services section, navigate to Calling > Dedicated Instacnce > Cloud Connectivity.


In the Virtual Connect card, the purchased Virtual Connect quantity is listed. The administrator can now click on Activate to initiate the Virtual Connect activation.

The activation process can be triggered only by Administrators with “Customer Full admin” Role. Whereas, an administrator with “Customer read-only admin” Role can only view the status.

On clicking the Activate button, Activate Virtual Connect form is displayed for the administrator to provide the Virtual Connect technical details required for the peering configurations on the Cisco’s side.

The form also provides static information on Cisco’s side, based on the Region selected. This information will be useful for Customer administrators to configure the CPE on their side to establish the Connectivity.
  1. GRE Tunnel Transport IP address: The customer is required to provide the customer's side Tunnel Transport IP addresses and Cisco will dynamically allocate the IP addresses once the activation is completed. The IPSec ACL for Interesting Traffic should allow local Tunnel Transport IP/32 to remote Tunnel Transport IP/32. The ACL should also specify only the GRE IP protocol.

    The IP address provided by the customer can be private or public.
  2. IPSec peers: The customer is required to provide the IPSec Tunnel’s source IP addresses and Cisco allocates the IPSec destination IP address. Performing NAT translation of an internal IPSEC tunnel address to a public address is also supported if required.​


    The IP address provided by the customer should be public.

    All the other static information provided in the activation screen is the Cisco’s side security and encryption standards followed. This static configuration is not customizable or modifiable. For any further assistance regarding the static configurations on Cisco’s side, the customer would need to reach out to TAC.

Click on the Activate button once all the mandatory fields are filled.


After the Virtual Connect Activation form is completed for a particluar region, the customer can Export the activation form from Control Hub, Calling > Dedicated Instance > Cloud Connectivity tab and click on Export settings.

Due to security reasons the Authentication and BGP Password will not be available in the Exported document, but the administrator can view the same in Control Hub by clicking on View Settings under Control Hub, Calling > Dedicated Instance > Cloud Connectivity tab.

Step 3: Cisco performs Network Configuration


Once the Virtual Connect Activation form is completed, the status will be updated to Activation In-Progress in Calling > Dedicated Instance > Cloud Connectivity Virtual Connect card.


Cisco will complete the required configurations on the Cisco’s side equipment within 4 business days. On successful completion, the status will be updated to “Activated” for that particular region in Control Hub.

Step 4: Customer performs Network Configuration

The status is changed to "Activated" to notify the Customer adminstrator that the Cisco's side of configurations for the IP VPN connectivity has ben completed based on the inputs provided by the Customer. But, the customer administrator is expected to complete their side of the configurations on the CPEs and test the connectivity routes for the Virtual Connect tunnel to be Online. In case of any issues faced at the time of configuration or connectivity, the customer can reach out to Cisco TAC for assistance.