What’s best practice when IPing VTI or DMVPN tunnel interfaces, Private or Public?

I saw an environment yesterday that was using public IP address space (that did not belong to them) for their tunnel IPs… Isn’t the tunnel IP encapsulated anyways, so it really doesn’t matter what you use…?

It is true that you can use public IP addresses to address the tunnel IPs. Since this is encapsulated, it will not affect the devices on the internet that actually use those addresses. However, it could cause problems when the routers themselves are communicating between themselves, because such communications don’t occur within the tunnel but outside of it. This communication includes protocol control information and other such traffic. If data just happens to be destined for a public IP address that is the same as those used for the tunnel, it could cause connectivity issues.

Although such a situation is rare, it is not entirely impossible. Best practice dictates that private IP addresses should be used.
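A way to audit for the situation discussed in this thread, as an added example that is not part of the original posts: the script below parses an IOS-style configuration, reports tunnel interfaces numbered outside RFC 1918 space, and shows which real destination addresses a tunnel's connected subnet would capture. The sample configuration and the function names are constructed for illustration, with a documentation range standing in for the borrowed public space.

```python
import ipaddress
import re

# Constructed sample config, not from the thread. 198.51.100.0/24 is a
# documentation range standing in for public space the site does not own.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 tunnel mode gre multipoint
!
interface Tunnel1
 ip address 198.51.100.1 255.255.255.252
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")

def tunnel_networks(config):
    """Yield (interface, IPv4Network) for every address on a Tunnel interface."""
    iface = None
    for line in config.splitlines():
        start = IFACE_RE.match(line)
        if start:
            iface = start.group(1)
        elif not line.startswith(" "):
            iface = None                      # left the interface stanza
        elif iface and iface.lower().startswith("tunnel"):
            addr = ADDR_RE.match(line)
            if addr:
                yield iface, ipaddress.ip_interface("/".join(addr.groups())).network

def audit_tunnel_addresses(config):
    """Tunnel interfaces numbered outside RFC 1918 space."""
    return [(i, str(n)) for i, n in tunnel_networks(config)
            if not any(n.subnet_of(r) for r in RFC1918)]

def shadowed_by(destination, config):
    """Tunnel whose connected subnet would capture traffic to `destination`."""
    dest = ipaddress.ip_address(destination)
    return next((i for i, n in tunnel_networks(config) if dest in n), None)

if __name__ == "__main__":
    print(audit_tunnel_addresses(SAMPLE_CONFIG))
    print(shadowed_by("198.51.100.2", SAMPLE_CONFIG))
```

Because a connected route is more specific than a default route, any destination that `shadowed_by` matches would be sent into the tunnel instead of toward the internet host that really owns the address.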

