Home
Support
Product Support
Routers
Cisco SD-WAN
Configuration Guides

Cisco Catalyst SD-WAN Interfaces Configuration Guide, Releases 26.x and Later

What does a loopback TLOC interface enable across private WANs?
What traffic do implicit ACLs on loopback interfaces apply to?
Which command verifies implicit ACL configurations?

View all Saved Content

PDF

Is this content helpful?

Helpful Unhelpful

Suggestions for Improvement

Thank you for your feedback. Your response has been recorded.

Ask about this content

Cisco Catalyst SD-WAN Interfaces Configuration Guide, Releases 26.x and Later

What does a loopback TLOC interface enable across private WANs?
What traffic do implicit ACLs on loopback interfaces apply to?
Which command verifies implicit ACL configurations?

Expand all sections

About this content

Network Interfaces

Network Interfaces

Cellular Interfaces

Feature history for cellular interfaces
Cellular interfaces
Supported devices
Guidelines
Configure cellular interface
Reset the profile configuration of a cellular modem
Troubleshoot LTE modem crash

DSL IPoE

Configure DSL IPoE

DSL PPPoA

Configure DSL PPPoA

DSL PPPoE

Feature history for DSL PPPoe
Configure DSL PPPoE

Dynamic Interfaces

Feature history for dynamic interfaces
Configure dynamic interfaces

EtherChannels

Feature history for EtherChannels
EtherChannels on the service side
EtherChannels on the transport side
Monitor configured EtherChannel using CLI
Aggregate EtherChannel Quality of Service

IP Directed Broadcast

IP directed broadcast
Configure IP directed broadcast using CLI commands

Loopback Interfaces

Feature history for loopback interfaces
Loopback interfaces
Implicit ACLs on loopback interfaces
Loopback TLOC interface bound to a physical WAN interface
Loopback TLOC interface not bound to a physical WAN interface
Bind mode and unbind mode
Configure implicit ACL on loopback interfaces using CLI commands
Examples of implicit ACL configurations on loopback interfaces
Verify implicit ACL configurations on loopback interfaces

Subinterfaces

Subinterfaces
Configuration examples for subinterfaces
Verify configurations on subinterfaces

VPN Ethernet Interface

Configure VPN ethernet interface

VPN Interface Bridge

Configure VPN interface bridge

VPN Interface Ethernet PPPoE

Configure VPN interface ethernet PPPoE

VPN Interface GRE

Configure VPN interface GRE

VPN Interface IPsec

Feature history for VPN interface IPsec
Configure VPN interface IPsec
CLI configuration examples for VPN interface IPsec

VPN Interface Multilink

Configure VPN interface multilink

VPN Interface SVI

Feature history for VPN interface SVI
Configure VPN interface SVI

VPN Interface T1/E1

Configure VPN interface T1/E1

VRRP Interface Tracking

Feature history for VRRP interface tracking
VRRP
Restrictions for VRRP interface tracking
VRRP tracking use cases
Configure VRRP
Configure VRRP tracking using CLI templates
Configure VRRP tracking
Monitor VRRP configuration
Verify VRRP tracking

Loopback TLOC interface bound to a physical WAN interface

Updated: April 24, 2026

Want to summarize with AI?

Explains the configuration and use cases for loopback TLOC interfaces that are bound to physical WAN interfaces, including functional benefits and integration within network architecture.

When a loopback interface is a TLOC and is bound to a physical WAN interface, the corresponding implicit ACL rules are applied based on where the traffic is destined:

If the traffic that is destined to the loopback TLOC interface is received on a physical WAN interface, the implicit ACL rules configured on the loopback TLOC interface is applied.
If the traffic is not destined for the loopback TLOC interface, depending on whether the physical WAN interface is configured for TLOC or not, the following rules apply:
- If the physical WAN interface is not configured with a TLOC, then routing decisions apply.
- Forwarded or passthrough packets are dropped when a loopback TLOC interface is bound to a physical WAN interface—the same behavior as when a physical interface is configured as a TLOC. Therefore, an explicit ACL must be configured on the bound physical interface to forward packets.
An explicit ACL is necessary to allow passthrough packets in the following sample scenarios:
- Branch edge routers accessing controllers hosted in on-premises data centers: This scenario presumes that the branch edge routers access the controllers through the data center hub, which is configured with a loopback interface bound to a physical WAN interface.
- Branch routers accessing cloud-hosted controllers through data center internet circuits: This scenario presumes that the branch routers are connected to the data center edge using an MPLS network. Such branch routers then access the cloud-hosted controllers through the data canter edge router, which is configured with a loopback interface bound to a physical WAN interface.
If a physical WAN interface is configured with TLOC, implicit ACL rules of the physical TLOC interface apply. In both these scenarios explicit ACLs on the bound physical WAN interface are necessary to allow passthrough traffic.

Note

When a loopback interface with a public IP address is configured as a TLOC and bound to a NAT-enabled physical WAN interface, DIA forwarding works. However, strict color-based exit selection using centralized data policy local-tloc or local-tloc-list is not supported if the bound physical WAN interface is not itself configured as a TLOC.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.