[c-nsp] Weird VRF problem

De Houwer, Wim Wim.DeHouwer at scarlet.biz
Tue Aug 2 09:47:40 EDT 2005


Hi all,

I have found a nice *feature*

A short sketch of the situation:

RouterA has one route processor and a 4-port GE linecard.

On Gigabit port 1/0 we have several subinterfaces: Gig1/0.1 and Gig1/0.2

Gig1/0.1 is a member of VRF1 and Gig1/0.2 is a member of VRF2

Gig1/0.1 has ip address 192.168.0.1
Gig1/0.2 has ip address 62.235.2.1

Gig1/0.1 is connected to a customer LAN with a WatchGuard firewall which
is the default gateway for VRF1.
Gig1/0.2 is the VRF in which internet resides.

At certain times, for some reason, RouterA sends out an "ICMP destination
unreachable" on interface Gig1/0.1 to ip address A.B.C.D (also an internet
address) with source 62.235.2.1

Which ends up on the customer firewall (as it's the default gateway in
that vrf).

As you can see, the source used by RouterA is from a different VRF (no
connection between VRF1 & VRF2!!). That source address shouldn't ever
reply inside VRF1 ...

RouterB is the same software version, same config, same hardware, and is
the counterpart of RouterA for some HSRP groups living on the GigE
subinterfaces.

RouterB has the same problem.

Has anyone seen this behaviour before? Is this a known bug?

RouterA is running 12.0(28)S1

Kind Regards,

Wim
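
One way to check a packet capture for the symptom described in this post, as an added example that is not part of the original message: it flags packets whose source is a router-owned address in one VRF but which left through an interface in another VRF. The interface table comes from the post; the observation records, the 203.0.113.10 and 192.168.0.20 addresses and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Interface table taken from the post: name -> (VRF, interface address).
INTERFACES = {
    "Gig1/0.1": ("VRF1", ipaddress.ip_address("192.168.0.1")),
    "Gig1/0.2": ("VRF2", ipaddress.ip_address("62.235.2.1")),
}

@dataclass(frozen=True)
class Observed:
    egress_if: str  # interface the packet was seen leaving
    src: str
    dst: str
    kind: str

# Constructed sample observations (not real capture data).
SAMPLE = [
    Observed("Gig1/0.1", "62.235.2.1", "203.0.113.10", "icmp-unreachable"),
    Observed("Gig1/0.1", "192.168.0.1", "192.168.0.20", "icmp-unreachable"),
    Observed("Gig1/0.2", "62.235.2.1", "203.0.113.10", "icmp-unreachable"),
    Observed("Gig1/0.1", "192.168.0.20", "203.0.113.10", "tcp"),
    Observed("Gig9/9.9", "62.235.2.1", "203.0.113.10", "icmp-unreachable"),
]

def owner_vrf(addr):
    """Return the VRF of the router interface owning addr, or None for transit sources."""
    ip = ipaddress.ip_address(addr)
    for vrf, if_ip in INTERFACES.values():
        if if_ip == ip:
            return vrf
    return None

def cross_vrf_leaks(packets):
    """Packets sourced from a router-owned address but sent out an interface in another VRF."""
    leaks = []
    for p in packets:
        if p.egress_if not in INTERFACES:
            continue  # unknown interface: no VRF to compare against
        egress_vrf = INTERFACES[p.egress_if][0]
        src_vrf = owner_vrf(p.src)
        if src_vrf is not None and src_vrf != egress_vrf:
            leaks.append((p, src_vrf, egress_vrf))
    return leaks

if __name__ == "__main__":
    for p, src_vrf, egress_vrf in cross_vrf_leaks(SAMPLE):
        print(f"{p.kind} {p.src} -> {p.dst} left {p.egress_if} "
              f"({egress_vrf}) with a {src_vrf} source")
```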

