Note: From discussion on the mailing list, this happens on sonic-vs - not physical hardware. Likely because the VXLAN tunnel is emulated and hits the control plane ACLs.
Description
I created a P2P VXLAN tunnel between 2 SONiC switches using the Loopback interfaces as SRC and DST, but it didn't work.
I found out it was because SONiC by default creates an iptables rule to DROP INPUT traffic for Loopbacks.
I added a specific allow rule to ACCEPT INPUT DST UDP port 4789, and then VXLAN traffic worked.
Why does SONiC add those DROP rules?
Steps to reproduce the issue:

On the first switch (VTEP 172.16.66.1):
config vxlan add vtep 172.16.66.1 172.16.66.2
config vxlan evpn_nvo add nvo vtep
config vxlan map add vtep 10 10

On the second switch (VTEP 172.16.66.2):
config vxlan add vtep 172.16.66.2 172.16.66.1
config vxlan evpn_nvo add nvo vtep
config vxlan map add vtep 10 10
Describe the results you received:
The VXLAN tunnel is created, however we cannot ping over the tunnel.
In order to make the tunnel work, I have to add a specific INPUT rule for UDP DST PORT 4789 to overcome the default DROP rule created by SONiC for all Loopbacks:
root@sonic:~# iptables -I INPUT 10 -p udp -m udp --dport 4789 -j ACCEPT
After that I can ping from host 1 to host 2 over the tunnel.
Describe the results you expected:
I should have ping working, and I should not DROP all incoming traffic for the Loopback
Output of show version:

Output of show techsupport:

Additional information you deem important (e.g. issue happens only occasionally):
NOTE: I made a small change in the CLI to enable adding the remote IP address when the VXLAN tunnel is created.