[c-nsp] HSRP + RPF

Eric Gauthier eric at roxanne.org
Thu Jan 27 11:10:03 EST 2011


Hello,

I have a subnet spanning two 6500s which are running GLBP as well
as uRPF checking on their SVI.  Our monitoring server happens
to be connected to one of the routers on a different subnet:


Monitor --> Router A (x.y.z.2) --> Network Core
               |
       (GLBP subnet x.y.z.0/24)
               |
           Router B (x.y.z.3) --> Network Core


Our monitoring system can ping the virtual address (.1) and the
local real address (.2), but it cannot ping the other router's
real address (.3).  From what we can tell, Router B is dropping
the ICMP request due to its uRPF check as the source IP of the 
packet is from the monitoring server which is not part of the 
GLBP network.

I know that I can add an exemption ACL to the uRPF check, but 
my impression is that this will cause all traffic flowing through
the SVI to be punted up to the CPU.  Is there another way to 
configure this so that we can ping the real IP and enforce
the uRPF check in hardware?

The routers are 6509s with Sup720-3Cs running modular 12.2(33)SXH4.
The SVI configuration currently is:

interface Vlan1201
 ip address x.y.z.2 255.255.255.0
 ip access-group 110 in
 ip verify unicast source reachable-via rx allow-default allow-self-ping
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 glbp 201 ip x.y.z.1
 glbp 201 priority 110
 glbp 201 preempt
 glbp 201 load-balancing host-dependent
 glbp 201 authentication md5 key-string 7 XXXXXX
end

Eric :)
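
A simplified model of the strict-mode (reachable-via rx) check the message describes, added here as an illustration and not part of the original post. The addresses, the Router B FIB entries and the function names are constructed assumptions standing in for the redacted x.y.z prefixes; in particular it assumes Router B's best route back to the monitoring subnet points at the core rather than at Vlan1201.

```python
import ipaddress

# Constructed addressing (the post redacts the real prefixes as x.y.z.0/24).
MONITOR_IP = "198.51.100.10"      # hypothetical monitoring server address
GLBP_HOST = "192.0.2.50"          # hypothetical host on the GLBP subnet

# Hypothetical FIB for Router B: prefix -> interface toward that prefix.
ROUTER_B_FIB = {
    "192.0.2.0/24": "Vlan1201",   # connected GLBP subnet (stands in for x.y.z.0/24)
    "198.51.100.0/24": "Core",    # monitor subnet, assumed learned via the core
    "0.0.0.0/0": "Core",          # default route
}


def best_route(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def strict_urpf(fib, src, in_ifc, allow_default=False):
    """Pass only if the best route back to src uses the arrival interface."""
    route = best_route(fib, src)
    if route is None:
        return False              # no route to the source at all
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False              # default route only counts with allow-default
    return ifc == in_ifc


if __name__ == "__main__":
    for src in (GLBP_HOST, MONITOR_IP):
        ok = strict_urpf(ROUTER_B_FIB, src, "Vlan1201", allow_default=True)
        net, ifc = best_route(ROUTER_B_FIB, src)
        print(f"src {src} in on Vlan1201: route {net} via {ifc} ->",
              "pass" if ok else "drop")
```

Under these assumptions the monitor's echo request, relayed by Router A onto the GLBP subnet, arrives at Router B on Vlan1201 while the reverse path points at the core, so the strict check fails even with allow-default set.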

