Overview
When a LAN vni (virtual network interface) on a Versa FlexVNF appliance is set administratively down, operators are often surprised that the interface's IP address still answers ICMP echo requests from a remote SD-WAN site. This is expected behavior in VOS (Versa Operating System); it follows from how the myip table in the VOS forwarding plane is populated and consulted.
Symptom
- LAN vni interface is administratively down
- WAN vni interface is UP
- SD-WAN tunnels (tvi/dtvi) are UP
- Ping from a remote SD-WAN site to the admin-down LAN vni IP succeeds
Root Cause / Design Behavior
The myip Table
VOS maintains a myip table — a fast-lookup table of all IP addresses that belong to the local device. You can inspect it with:
vsh connect vsmd -c "show vunet myip table"
When an IP address is configured on a LAN vni, that address is registered in the myip table. Setting the interface admin-down changes the interface state but does not remove the address from the myip table; only removing the address from the interface configuration does that.
Packet Flow
When an ICMP ping arrives from a remote SD-WAN site destined for the admin-down LAN vni IP:
- The packet arrives over the WAN and is decapsulated from the SD-WAN/IPSec tunnel
- VOS performs a destination lookup against the myip table
- The IP matches — it is recognized as a local device IP
- VOS responds with an ICMP echo-reply
- The admin-down state of the LAN vni is never consulted: the echo-reply is generated by the appliance itself and returned over the tunnel the request arrived on, so the LAN interface is not in the forwarding path at all
What Admin-Down Actually Controls
| Behavior | Affected by LAN vni admin-down? |
|---|---|
| Forwarding traffic to/from hosts behind the LAN segment | Yes, forwarding stops |
| Sending/receiving frames on the LAN wire | Yes, the interface stops transmitting and receiving |
| The IP's entry in the myip table | No, the entry remains |
| Reachability of the device's own IP from the SD-WAN overlay | No, the IP remains reachable |
Admin-down isolates the LAN segment, not the device's identity. The appliance continues to own that IP address and will respond to traffic destined to it. Admin-down is therefore not a control for restricting access to the appliance itself; that is the job of security policy.
Design Rationale
This behavior is intentional. Admin-downing a LAN interface is typically used to isolate a LAN segment (e.g., during maintenance or loop prevention). If the device's own IP also became unreachable, operators would lose the ability to manage or troubleshoot the appliance over the SD-WAN overlay — which is undesirable.
How to Make the LAN IP Unreachable
If the intent is to make the LAN vni IP completely unreachable from remote SD-WAN sites, admin-down alone is insufficient. Options include:
- Remove the IP address from the LAN vni configuration entirely; this is the only option that also removes the entry from the myip table
- Apply a security policy or ACL that explicitly drops traffic destined to that IP arriving from the overlay; this keeps the address configured and is the least disruptive choice
- Bring down the SD-WAN tunnel (tvi/dtvi) serving that path; note that this also cuts every other flow on that tunnel, including management access to the appliance over the overlay
Verification
To confirm the IP is still present in the myip table after admin-down, run the following from the appliance shell:
vsh connect vsmd -c "show vunet myip table"
The LAN vni IP still appears in the table while the interface is admin-down, confirming the appliance still owns that address. After removing the IP from the interface configuration, rerun the command; the entry should no longer be listed.
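The following shell helper is an added example for this article; it is not VOS code or a Versa-supplied tool. It wraps the verification above so an operator can check, before and after a change, whether the appliance still owns a given address, and includes a remote-side ping probe to confirm the behavior end to end. It assumes `vsh` is on the PATH of the appliance shell and that the myip table dump lists one owned address per line as a plain dotted-quad token; the exact column layout of that output is an assumption here and may differ by release, so adjust the pattern if your dump looks different. The sample table text is constructed for the example, not captured from a device.

```shell
#!/bin/sh
# Added example; not VOS code or Versa tooling.
# ASSUMPTION: "show vunet myip table" prints one owned address per line as a
# plain dotted-quad token. Adjust the grep pattern if your release differs.

# Constructed sample of a myip table dump (not captured from a device).
SAMPLE_MYIP_TABLE='VRF        Address
LAN-VR     10.10.20.1
WAN-VR     192.0.2.10
Mgmt-VR    10.192.0.5'

# Constructed sample whose only address shares a prefix with 10.10.20.1,
# used to show that the match is on the whole address, not a substring.
SAMPLE_PREFIX_ONLY='VRF        Address
LAN-VR     10.10.20.10'

# ip_in_myip_table IP TABLE_TEXT
# Exit 0 if IP appears as a whole address in TABLE_TEXT, 1 otherwise.
ip_in_myip_table() {
  ip=$1
  table=$2
  # Escape the dots so "10.10.20.1" cannot match "10a10b20c1".
  pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
  # Require a non-address character (or line edge) on both sides so that
  # 10.10.20.1 does not match inside 10.10.20.10 or 110.10.20.1.
  printf '%s\n' "$table" | grep -Eq "(^|[^0-9.])${pat}([^0-9.]|$)"
}

# live_myip_table: dump the table from the running appliance (run on the
# FlexVNF shell). This is the command the article gives for verification.
live_myip_table() {
  vsh connect vsmd -c "show vunet myip table"
}

# check_owned IP [TABLE_TEXT]
# Reports whether the appliance still owns IP. With no TABLE_TEXT it queries
# the live appliance; pass saved dump text to check offline.
check_owned() {
  ip=$1
  table=${2:-$(live_myip_table)}
  if ip_in_myip_table "$ip" "$table"; then
    echo "OWNED: $ip is in the myip table; remote SD-WAN sites can still ping it"
    return 0
  fi
  echo "NOT OWNED: $ip is not in the myip table"
  return 1
}

# probe_from_remote IP: run on a remote SD-WAN site to confirm the symptom
# end to end (3 echo requests, 2 s timeout each; exit 0 on any reply).
probe_from_remote() {
  ping -c 3 -W 2 "$1" >/dev/null 2>&1
}

# Typical use on the appliance, after admin-downing the LAN vni:
#   check_owned 10.10.20.1
# Offline, against a saved dump or the constructed sample:
#   check_owned 10.10.20.1 "$SAMPLE_MYIP_TABLE"
```

Run `check_owned` once after admin-down (expect OWNED) and again after removing the address from the interface configuration (expect NOT OWNED); pair each run with `probe_from_remote` on a remote site to see the reachability change. The whole-token match matters in practice: a naive `grep 10.10.20.1` would report ownership of `10.10.20.1` when only `10.10.20.10` is in the table.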
Applies To
- Versa FlexVNF
- All releases