Tunnelled Interface prevents ping

craneman1
Level 1

Simple drawing attached. I have 2 regular routers and an IOS XE router. With "regular routing" I can ping 100,000 pings from 2.2.2.2 to 1.1.1.2 (without the Tunneled Interface applied).

I have read that all interfaces on an IOS XE router are in VPN 0. However, whenever I apply my VPN 0 Tunneled Interface, it stops the pings from 2.2.2.2 to 1.1.1.2.

What is also interesting is that I can ping from 1.1.1.2 to 1.1.1.1 and also 2.2.2.1... and also from 2.2.2.2 to 2.2.2.1 and 1.1.1.1.

I just cannot ping "through" the IOS XE device as I did before the Tunneled Interface was applied... and allow service icmp is on...

Does anyone have any ideas how I can make it ping through the device?

Thanks!

Accepted Solutions

Hi,

"tunnel-interface" hardens the interface for SD-WAN infrastructure. So basically, if you apply "tunnel-interface" to your router port, the interface can't do normal, regular routing, even to another interface in VPN0. If you really need this type of deployment, then you must use the loopback interface option. See the doc below (SDWAN CVD), sub-section "Loopback Interface Tunnels", and the 3rd option there:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#WANEdgeDeployment

If the WAN Edge router is deployed inline, and traffic needs to be routed from one interface in VPN 0 to another interface in VPN 0, this is another use case to use tunnel configurations on a loopback interface. The reason the tunnel interface has to be removed from the physical interface is because once a tunnel is applied there, it becomes a hardened interface and will only allow certain traffic in/out and can break connectivity depending on what traffic is being routed.

Regarding the command "allow icmp": it is for traffic destined to the router (where the tunnel is activated), not for traffic through the router.

Regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
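
A small audit check for the rule described in this answer, added here as an example (it is not code from the thread or from Cisco): it reads an `sdwan` config block and lists the interfaces on a VPN 0 transit path that carry `tunnel-interface`. The config text, interface names and colors are constructed assumptions.

```python
import re

# Constructed "sdwan" config blocks in IOS XE SD-WAN style. Interface names
# and colors are assumptions for illustration, not taken from the thread.
BEFORE = """\
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service icmp
"""
AFTER = """\
sdwan
 interface Loopback0
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service icmp
"""

def hardened_interfaces(config):
    """Names of interfaces that carry a tunnel-interface block."""
    hardened, current = set(), None
    for line in config.splitlines():
        m = re.match(r"\s*interface\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif line.strip() == "tunnel-interface" and current:
            hardened.add(current)
    return hardened

def transit_risks(config, ingress, egress):
    """Interfaces on the VPN 0 transit path that are hardened by a tunnel.

    Rule from the answer: once tunnel-interface is on a port, routed traffic
    between it and another VPN 0 interface can be dropped, and allow-service
    only covers traffic addressed to the router itself.
    """
    return sorted(hardened_interfaces(config) & {ingress, egress})

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        risks = transit_risks(cfg, "GigabitEthernet1", "GigabitEthernet2")
        print(name, "->", risks or "no hardened interface on the transit path")
```

With the tunnel on the physical port the transit path is flagged; with the tunnel moved to the loopback, neither physical interface is hardened.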
craneman1
Level 1
Wow, that's great... never would have known that. It is not mentioned anywhere in the courses or other online topics... nice!


Mike Crane

CCSI #34923, CCIEx7

Cisco Press Author


Phone: +1 410-262-8742

Email: mcrane@fireflyeducate.com

Changing the way we Learn, Evaluate and Adopt Technology