[c-nsp] allow self ping

Sukumar Subburayan sukumars at cisco.com
Tue Aug 28 18:15:34 EDT 2007


comments inline..

sukumar



On Tue, 28 Aug 2007, Phil Mayers wrote:

> On Tue, 2007-08-28 at 09:33 +0200, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Aug 24, 2007 at 02:14:56PM -0500, Zhao, Wenmei (Sarah) wrote:
>>> I have a MultiLinkPPP session up. Everything is working,
>>> traffic is flowing and I am able to ping the remote side of the link,
>>
>> If you have anti-spoofing filters (or uRPF) configured, this is intentional.
>>
>> Reason: on a self-ping, the router sends out the packet via the link
>> in question (you can use that to test the link), and when the packet comes
>> *back* from the other end, it fails the anti-spoofing test.
>
> Interesting. I'd always assumed that such a packet didn't actually
> physically egress anything, and was never entirely certain how the
> "allow self ping" did what it does (it plainly does it - you need it to
> ping yourself)
>
> So if I have:
>
> 6500 [g8/1] --- l2switch --- (lots of hosts)
>
> int g8/1
> switchport mode access
> switchport access vlan 10
> int vl10
> ip address 10.1.1.1 255.255.255.0
> ip verify unicast source reachable-via rx
>
> ...and I do "ping ip 10.1.1.1 source vl10", what are the source/dest
> ethernet MACs of the packet leaving g8/1 in order to make it come back
> to the router? Or does it not actually leave the gig port, but gets
> looped back inside the chassis somehow?

The packet actually has the same SA/DA MAC address (i.e. the MAC address 
of the SVI interface). However, the packet never leaves the router.

The packet is looked up and routed back via the RIB, and as part of that it 
will fail the uRPF check (with the above config, without 'allow-self-ping').

2-4-bot-720#show int vlan 10
Vlan10 is up, line protocol is up
   Hardware is EtherSVI, address is 000f.35b1.7940 (bia 000f.35b1.7940)
   Internet address is 172.16.174.109/24


2-4-bot-720#show run int vlan 10
Building configuration...

Current configuration : 108 bytes
!
interface Vlan10
  ip address 172.16.174.109 255.255.255.0
  ip verify unicast source reachable-via rx
end


2-4-bot-720#show run int f13/48
Building configuration...

Current configuration : 113 bytes
!
interface FastEthernet13/48
  switchport
  switchport access vlan 10
  switchport mode access
  no ip address
end

2-4-bot-720#ping ip 172.16.174.109 source vlan10

2-4-bot-720#show ip traffic | incl RPF
          155061777 no route, 10 unicast RPF, 0 forced drop



2w6d: IP: s=172.16.174.109 (local), d=172.16.174.109 (Vlan10), len 100, sending
08053C40:                   45000064 00750000          E..d.u..
08053C50: FF010628 AC10AE6D AC10AE6D 08007611  ...(,..m,..m..v.
08053C60: 00180000 00000000 675CA0C4 ABCDABCD  ........g\ D+M+M
08053C70: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
08053C80: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
08053C90: ABCDABCD ABCDABCD ABCDABCD ABCDABCD  +M+M+M+M+M+M+M+M
08053CA0: ABCDABCD ABCDABCD ABCDABCD           +M+M+M+M+M+M
2w6d: IP: s=172.16.174.109 (Vlan10), d=172.16.174.109, len 100, unicast rpf failed


>
> Just curious.
>


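To make the drop mechanism concrete, here is a small model of the strict uRPF check ("reachable-via rx") applied to the looped-back self-ping. This is an added illustration written for this thread, not Cisco code; the RIB contents and the interface names are constructed from the configurations quoted above, and the treatment of the router's own address as a "local" entry that strict mode rejects unless allow-self-ping is set is an assumption about how the behaviour described in the thread can be modelled.

```python
"""Model of strict uRPF on a self-pinged SVI address (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed RIB: (prefix, egress interface, route kind). The /32 "local"
# entry is the router's own address on Vlan10; the /24 is its connected subnet.
RIB = [
    (ip_network("172.16.174.109/32"), "Vlan10", "local"),
    (ip_network("172.16.174.0/24"), "Vlan10", "connected"),
    (ip_network("10.0.0.0/8"), "Gi1/1", "static"),       # hypothetical uplink
]


def lookup(addr):
    """Longest-prefix match on the RIB; returns (egress_iface, kind) or None."""
    best = None
    for prefix, iface, kind in RIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, kind)
    return None if best is None else best[1:]


def strict_urpf(src, ingress, allow_self_ping=False):
    """Return (passed, reason) for a packet with source `src` seen on `ingress`.

    Strict mode requires the best route back to the source to point out the
    ingress interface. A source that is the router's own address resolves to
    the local (receive) entry rather than to an interface the packet could
    legitimately have arrived on, so it fails unless allow-self-ping exempts it.
    """
    src = ip_address(src)
    match = lookup(src)
    if match is None:
        return False, "no route"
    egress, kind = match
    if kind == "local":
        if allow_self_ping and egress == ingress:
            return True, "self-ping exempted"
        return False, "unicast RPF failed (source is a local address)"
    if egress != ingress:
        return False, f"unicast RPF failed (source reachable via {egress})"
    return True, "ok"


if __name__ == "__main__":
    # The thread's case: ping 172.16.174.109 sourced from vlan10, looped back.
    print(strict_urpf("172.16.174.109", "Vlan10"))
    print(strict_urpf("172.16.174.109", "Vlan10", allow_self_ping=True))
```

The first call reproduces the "unicast rpf failed" line from the debug output; the second shows what the allow-self-ping keyword changes.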