[c-nsp] allow self ping

Phil Mayers p.mayers at imperial.ac.uk
Tue Aug 28 04:51:03 EDT 2007


On Tue, 2007-08-28 at 09:33 +0200, Gert Doering wrote:
> Hi,
> 
> On Fri, Aug 24, 2007 at 02:14:56PM -0500, Zhao, Wenmei (Sarah) wrote:
> > I have a MultiLinkPPP session up. Everything is working,
> > traffic is flowing and I am able to ping the remote side of the link, 
> 
> If you have anti-spoofing filters (or uRPF) configured, this is intentional.
> 
> Reason: on a self-ping, the router sends out the packet via the link
> in question (you can use that to test the link), and when the packet comes
> *back* from the other end, it fails the anti-spoofing test.

Interesting. I'd always assumed that such a packet didn't actually
physically egress anything, and was never entirely certain how the
"allow self ping" did what it does (it plainly does it - you need it to
ping yourself).

So if I have:

6500 [g8/1] --- l2switch --- (lots of hosts)

int g8/1
 switchport mode access
 switchport access vlan 10
int vl10
 ip address 10.1.1.1 255.255.255.0
 ip verify unicast source reachable-via rx

...and I do "ping ip 10.1.1.1 source vl10", what are the source/dest
ethernet MACs of the packet leaving g8/1 in order to make it come back
to the router? Or does it not actually leave the gig port, but gets
looped back inside the chassis somehow?

Just curious.
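
The anti-spoofing check from the quoted explanation, as a simplified Python model added here (not part of the original post and not Cisco's implementation). The interface names, addresses and FIB are constructed, and treating `allow-self-ping` as an exemption for any packet sourced from one of the router's own addresses is an assumption of the model.

```python
import ipaddress

# Constructed sample state: a router with one point-to-point link and an uplink.
LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # the router's own address
FIB = [  # (prefix, egress interface); "local" marks the router's own address
    (ipaddress.ip_network("192.0.2.1/32"), "local"),
    (ipaddress.ip_network("192.0.2.0/30"), "Multilink1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0"),
]


def fib_lookup(addr):
    """Longest-prefix match: return the interface the router would use to reach addr."""
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_strict(src, rx_if, allow_self_ping=False):
    """Strict-mode check ("reachable-via rx"): accept a packet only if the
    best route back to its source points out of the interface it arrived on.
    Returns (accepted, reason)."""
    src = ipaddress.ip_address(src)
    # Assumed model of the exemption: packets carrying one of the router's
    # own addresses as source skip the reverse-path test. The filter cannot
    # tell a returning self-ping from a spoofed packet with that source,
    # so the exemption accepts both.
    if allow_self_ping and src in LOCAL_ADDRS:
        return True, "self-ping exemption"
    reverse_if = fib_lookup(src)
    if reverse_if == rx_if:
        return True, "reverse path matches rx interface"
    return False, f"reverse path is {reverse_if}, packet arrived on {rx_if}"


if __name__ == "__main__":
    cases = [
        ("192.0.2.2", "Multilink1", False),     # remote end of the link
        ("192.0.2.1", "Multilink1", False),     # self-ping returning from the far end
        ("192.0.2.1", "Multilink1", True),      # same packet, exemption enabled
        ("198.51.100.7", "Multilink1", False),  # source routed via another interface
    ]
    for src, rx_if, allow in cases:
        print(src, rx_if, allow, urpf_strict(src, rx_if, allow))
```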
