12-03-2020 09:47 AM
Simple drawing attached. I have 2 regular routers and an IOS XE router. With "regular routing" I can send 100,000 pings from 2.2.2.2 to 1.1.1.2 (without the tunnel interface applied).
I have read that all interfaces on an IOS XE router are in VPN 0. However, whenever I apply my VPN 0 tunnel interface, it stops the pings from 2.2.2.2 to 1.1.1.2.
What is also interesting is that I can ping from 1.1.1.2 to 1.1.1.1 and also to 2.2.2.1, and also from 2.2.2.2 to 2.2.2.1 and 1.1.1.1.
I just cannot ping "through" the IOS XE device as I did before the tunnel interface was applied, and allow-service icmp is on.
Does anyone have any ideas how I can make it ping through the device?
Thanks!
12-05-2020 07:08 AM
Hi,
"tunnel-interface" hardens the interface for the SD-WAN infrastructure. So basically, if you apply "tunnel-interface" to your router port, that interface can't do normal, regular routing, even to another interface in VPN 0. If you really need this type of deployment, then you must use the loopback interface option. See the doc below (SD-WAN CVD), sub-section "Loopback Interface Tunnels", and the 3rd option there:
If the WAN Edge router is deployed inline, and traffic needs to be routed from one interface in VPN 0 to another interface in VPN 0, this is another use case to use tunnel configurations on a loopback interface. The reason the tunnel interface has to be removed from the physical interface is because once a tunnel is applied there, it becomes a hardened interface and will only allow certain traffic in/out and can break connectivity depending on what traffic is being routed.
Regarding the command "allow-service icmp": it applies to traffic destined to the router (where the tunnel is activated), not to traffic going through the router.
Regards,
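To make the two options in the answer above concrete, here is an added illustration (not part of the original post, the CVD, or any Cisco documentation) of what the difference looks like in IOS XE SD-WAN CLI, using the addresses from the question. The interface names GigabitEthernet1/GigabitEthernet2, the loopback address 10.255.0.1/32, the color and the static routes are assumptions made for the example; the tunnel source on the loopback must still be reachable from the transport for control connections to form, which is a routing detail this fragment does not address.

```cisco
! --- Configuration that breaks transit (the situation described in the question) ---
! The WAN-facing port itself carries the tunnel-interface. Once it does, the port is
! hardened: only SD-WAN control/data-plane traffic and explicitly allowed services
! terminating ON the router pass. A ping from 2.2.2.2 to 1.1.1.2 is transit traffic,
! so it is dropped even though allow-service icmp is on (that only covers pings TO 1.1.1.1).
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 ip address 2.2.2.1 255.255.255.0
!
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service icmp
  exit
 exit
!
! --- Corrected configuration: tunnel on a loopback (CVD "Loopback Interface Tunnels") ---
! The physical interfaces stay ordinary routed ports in VPN 0, so traffic between
! GigabitEthernet1 and GigabitEthernet2 is forwarded normally. Only Loopback0, the
! SD-WAN tunnel endpoint, is hardened. (Assumed addresses/names, see lead-in.)
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 ip address 2.2.2.1 255.255.255.0
!
sdwan
 interface Loopback0
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service icmp
  exit
 exit
!
! Assumed static routes so the two neighbour routers' subnets are reachable through the
! IOS XE box; in the real deployment these would come from the existing routing design.
ip route 1.1.1.0 255.255.255.0 GigabitEthernet1
ip route 2.2.2.0 255.255.255.0 GigabitEthernet2
```

After applying the corrected form, verify with "show sdwan control connections" that control connections come up sourced from the loopback, and re-run the 2.2.2.2 to 1.1.1.2 ping; it should transit again because neither physical port is hardened any longer. The allow-service list on the loopback still only governs traffic addressed to the router itself, as the answer notes.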
12-05-2020 08:02 AM