
Source/Destination Check on viptela 8000 ( EC2 instance )

0

I have a v8000 running in an AWS EC2 instance, which is peered with the TGW and is receiving routes from the Viptela fabric. In parallel, I have set up new AWS Cloud WAN and connected the same v8000 to Cloud WAN via a Connect peer (tunnel-less).

The issue is that traffic from the new Cloud WAN VPCs is being dropped at the v8000’s outside ENI – I cannot ping the VPCs attached to Cloud WAN, whereas TGW traffic is working fine.

My question is: if I disable the Source/Destination check, will it impact any of the existing running traffic? Thanks!

1 Answer
0
Accepted Answer

Hello,

disabling the Source/Destination check on your v8000's ENI should not impact your existing TGW traffic. Here's why:

What Source/Destination Check Does:

  • When enabled (default), AWS drops packets where the EC2 instance isn't the source or destination
  • This prevents the instance from forwarding traffic between networks
  • It's a security feature that needs to be disabled for routers, NAT instances, and similar network appliances

Impact on existing TGW Traffic:

  • No negative impact expected - your working TGW traffic should continue functioning normally
  • Disabling the check only removes restrictions rather than changing routing behavior
  • The TGW peering and routes that work now will continue to work

However, if you make this change, it's of utter importance to monitor both TGW and Cloud WAN connectivity to spot early any unwanted behavior.

Best regards, Neven

P.S. Cisco recommends disabling Source/Destination Check as well: https://www.cisco.com/c/en/us/td/docs/routers/C8000V/AWS/deploying-c8000v-on-amazon-web-services/overview.html

AWS

answered a year ago

AWS
EXPERT

reviewed a year ago
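As an added example (not code from the question, from Neven's answer, or from the Cisco documentation linked above): the change the answer recommends, performed with the AWS Python SDK (boto3) and verified by re-reading the attribute afterwards, so that only ENIs where the check is still enabled are modified and a re-run is harmless. The instance id is a placeholder and `FakeEC2` is a constructed offline stand-in for the boto3 EC2 client; with a real `boto3.client("ec2")` the same three calls run against the account.

```python
# Added example (not from the thread): disable Source/Destination Check on an
# instance's ENIs with boto3 and verify. FakeEC2 is an offline stand-in client.
from typing import Any

def attached_enis(ec2: Any, instance_id: str) -> list[str]:
    """Return the ids of every ENI attached to instance_id."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])
    return [ni["NetworkInterfaceId"] for ni in resp["NetworkInterfaces"]]

def source_dest_check(ec2: Any, eni_id: str) -> bool:
    """True while AWS still drops packets the ENI neither sources nor terminates."""
    resp = ec2.describe_network_interface_attribute(
        NetworkInterfaceId=eni_id, Attribute="sourceDestCheck")
    return bool(resp["SourceDestCheck"]["Value"])

def disable_source_dest_check(ec2: Any, eni_ids: list[str]) -> dict[str, bool]:
    """Disable the check on each ENI where it is still enabled, re-read the
    attribute and return {eni_id: value_after}. Already-disabled ENIs are left
    untouched, so the call is idempotent and safe to re-run."""
    result: dict[str, bool] = {}
    for eni_id in eni_ids:
        if source_dest_check(ec2, eni_id):
            ec2.modify_network_interface_attribute(
                NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})
        result[eni_id] = source_dest_check(ec2, eni_id)  # verify, never assume
    return result

class FakeEC2:
    """Constructed offline stand-in for the three boto3 EC2 calls used above."""
    def __init__(self, state: dict[str, bool]):
        self.state = dict(state)       # eni_id -> current SourceDestCheck value
        self.modified: list[str] = []  # ENIs whose attribute was actually changed

    def describe_network_interfaces(self, Filters):
        return {"NetworkInterfaces": [{"NetworkInterfaceId": e} for e in self.state]}

    def describe_network_interface_attribute(self, NetworkInterfaceId, Attribute):
        return {"SourceDestCheck": {"Value": self.state[NetworkInterfaceId]}}

    def modify_network_interface_attribute(self, NetworkInterfaceId, SourceDestCheck):
        self.modified.append(NetworkInterfaceId)
        self.state[NetworkInterfaceId] = SourceDestCheck["Value"]
        return {}

if __name__ == "__main__":
    import boto3  # real run against AWS; uses the caller's credentials and region
    ec2 = boto3.client("ec2")
    print(disable_source_dest_check(ec2, attached_enis(ec2, "i-PLACEHOLDER")))
```

Run the returned mapping through your change record: any ENI still reporting `True` after the call is one the modify request did not reach.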
