[c-nsp] HSRP + RPF
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 27 12:35:45 EST 2011
On 27/01/11 16:10, Eric Gauthier wrote:
> Hello,
>
> I have a subnet spanning two 6500s which are running GLBP as well
> as uRPF checking on their SVI. Our monitoring server happens
> to be connected to one of the routers on a different subnet:
>
>
> Monitor --> Router A (x.y.z.2) --> Network Core
>                |
>     (GLBP subnet x.y.z.0/24)
>                |
>             Router B (x.y.z.3) --> Network Core
>
>
> Our monitoring system can ping the virtual address (.1) and the
> local real address (.2), but it can not ping the other router's
> real address (.3). From what we can tell, Router B is dropping
> the ICMP request due to its uRPF check as the source IP of the
> packet is from the monitoring server which is not part of the
> GLBP network.
Yes. This is expected.
>
> I know that I can add an exemption ACL to the uRPF check, but
> my impression is that this will cause all traffic flowing through
> the SVI to be punted up to the CPU. Is there another way to
> configure this so that we can ping the real IP and enforce
> the uRPF check in hardware?
The defaults are that uRPF ACL permits are done in hardware, with denies
punted to CPU. You can swap this with:

  mls ip cef rpf hw-enable-rpf-acl

Personally we just avoid talking to the IPs inside subnets.
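
The drop described in this thread, modelled as an added example that is not part of either poster's message or of any Cisco code: a strict-mode uRPF decision with an optional exemption list, run against Router B's view of the network. The addresses (documentation ranges standing in for the elided x.y.z.0/24 and the monitor's subnet), the interface names, and the assumption that Router B reaches the monitor's subnet through its core uplink are all constructed for illustration.

```python
import ipaddress

# Constructed addressing: the post elides the real prefixes.
GLBP_NET = ipaddress.ip_network("192.0.2.0/24")        # stands in for x.y.z.0/24
MONITOR = ipaddress.ip_address("198.51.100.10")        # monitoring server (assumed)
GLBP_HOST = ipaddress.ip_address("192.0.2.50")         # ordinary host on the subnet
SPOOFED = ipaddress.ip_address("203.0.113.5")          # unrelated source address
EXEMPT = [ipaddress.ip_network("198.51.100.10/32")]    # exemption for the monitor only

# Router B's forwarding table as (prefix, egress interface). Assumption:
# the monitor's subnet is reached via the core, not via the GLBP SVI.
ROUTER_B_FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "core-uplink"),
    (ipaddress.ip_network("198.51.100.0/24"), "core-uplink"),
    (GLBP_NET, "svi-glbp"),
]


def lookup(fib, addr):
    """Longest-prefix match: return the egress interface, or None."""
    matches = [(net.prefixlen, ifname) for net, ifname in fib if addr in net]
    return max(matches)[1] if matches else None


def strict_urpf(fib, src, in_if, exempt_acl=()):
    """Return (verdict, reason) for a packet with source src arriving on in_if.

    Strict mode: the best route back to src must leave through in_if.
    exempt_acl is consulted only after the reverse-path check has failed.
    """
    if lookup(fib, src) == in_if:
        return ("forward", "rpf-pass")
    if any(src in net for net in exempt_acl):
        return ("forward", "rpf-fail-acl-permit")
    return ("drop", "rpf-fail")


if __name__ == "__main__":
    # The monitor's ping to Router B's real address arrives on the GLBP SVI.
    print(strict_urpf(ROUTER_B_FIB, MONITOR, "svi-glbp"))
    print(strict_urpf(ROUTER_B_FIB, GLBP_HOST, "svi-glbp"))
    print(strict_urpf(ROUTER_B_FIB, MONITOR, "svi-glbp", EXEMPT))
    print(strict_urpf(ROUTER_B_FIB, SPOOFED, "svi-glbp", EXEMPT))
```

Keeping the exemption to a single host address means other sources that fail the reverse-path check on the SVI are still dropped.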