[c-nsp] HSRP + RPF
Eric Gauthier
eric at roxanne.org
Thu Jan 27 11:10:03 EST 2011
Hello,

I have a subnet spanning two 6500s which are running GLBP as well
as uRPF checking on their SVI. Our monitoring server happens
to be connected to one of the routers on a different subnet:

Monitor --> Router A (x.y.z.2) --> Network Core
                |
     (GLBP subnet x.y.z.0/24)
                |
            Router B (x.y.z.3) --> Network Core

Our monitoring system can ping the virtual address (.1) and the
local real address (.2), but it can not ping the other router's
real address (.3). From what we can tell, Router B is dropping
the ICMP request due to its uRPF check as the source IP of the
packet is from the monitoring server which is not part of the
GLBP network.

I know that I can add an exemption ACL to the uRPF check, but
my impression is that this will cause all traffic flowing through
the SVI to be punted up to the CPU. Is there another way to
configure this so that we can ping the real IP and enforce
the uRPF check in hardware?

The routers are 6509's with Sup720-3C's running modular 12.2(33)SXH4.
The SVI configuration currently is:

interface Vlan1201
 ip address x.y.z.2 255.255.255.0
 ip access-group 110 in
 ip verify unicast source reachable-via rx allow-default allow-self-ping
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 glbp 201 ip x.y.z.1
 glbp 201 priority 110
 glbp 201 preempt
 glbp 201 load-balancing host-dependent
 glbp 201 authentication md5 key-string 7 XXXXXX
end

Eric :)
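
The drop described in the post, modelled as an added example that is not part of the original message: a longest-prefix-match lookup plus the strict (reachable-via rx) and loose (reachable-via any) uRPF decisions, including the allow-default option. The addresses, the uplink name "Core1" and Router B's route table are constructed assumptions, since the post redacts the real ones.

```python
import ipaddress

# Constructed addressing: the post redacts the real subnet as x.y.z.0/24.
MONITOR = "198.51.100.10"            # hypothetical monitoring server
GLBP_HOST = "192.0.2.50"             # hypothetical host on the GLBP subnet

# Assumed FIB on Router B: the GLBP subnet is connected on Vlan1201 and
# everything else, including the monitor's subnet, is reached via the core.
ROUTER_B_FIB = [
    ("192.0.2.0/24", "Vlan1201"),    # stands in for x.y.z.0/24
    ("198.51.100.0/24", "Core1"),    # hypothetical uplink name
    ("0.0.0.0/0", "Core1"),
]

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in fib
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def urpf_pass(fib, src, rx_if, mode="rx", allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx|any}'."""
    hit = lookup(fib, src)
    if hit is None:
        return False                 # no route back to the source at all
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False                 # only the default route covers the source
    if mode == "any":
        return True                  # loose mode: any usable route is enough
    return out_if == rx_if           # strict mode: route must point out rx_if

def explain(fib, src, rx_if, **opts):
    """One-line verdict for a packet from src received on rx_if."""
    verdict = "forward" if urpf_pass(fib, src, rx_if, **opts) else "drop"
    return f"{src} in on {rx_if}: route via {lookup(fib, src)[1]} -> {verdict}"

if __name__ == "__main__":
    # Ping from the monitor, handed by Router A onto the GLBP VLAN.
    print(explain(ROUTER_B_FIB, MONITOR, "Vlan1201", allow_default=True))
    # Ordinary host on the GLBP subnet.
    print(explain(ROUTER_B_FIB, GLBP_HOST, "Vlan1201", allow_default=True))
    # Same monitor packet under loose mode.
    print(explain(ROUTER_B_FIB, MONITOR, "Vlan1201", mode="any"))
```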