[c-nsp] asr9k dhcp relay + ipv4 verify unicast
Florian Lohoff
f at zz.de
Tue May 24 03:12:25 EDT 2016
On Mon, May 23, 2016 at 06:02:10PM +0300, Tarko Tikan wrote:
> hey,
>
> > interface BVI60004
> > ipv4 address 10.4.5.1 255.255.255.0
> > ipv4 verify unicast source reachable-via rx allow-self-ping
>
> Is this actual config or simplified? If simplified, is there
> VRRP/HSRP involved?
>
> If there is, it can be explained by DHCP return packet hitting other
> router (because it's sent to GIADDR but you only announce your
> connected prefix). Other router then fails to send packet to
> original router via connected interface because from other routers
> POV it fails RPF (saddr: dhcp-server, daddr: giaddr).

Thanks - that's it ... HSRP + ipv4 verify bit me again ...

It's simplified - there is HSRP, but the giaddr is the interface's address,
not the HSRP address - so it would get routed back to the original
partner - but indeed that might be the reason the OFFER gets dropped.

And yes - hitting the HSRP partner first so it'll be put on that
L3 domain as it's connected and the partner will drop it - bah.

Now looking for a workaround - announcing the HSRP partners' interface
addresses as /32 seems to be the only real solution.

Flo
--
Florian Lohoff f at zz.de
UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
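
The failure and the /32 workaround discussed in this message, traced as a small added Python model (not code from the thread or from Cisco). Assumptions: the router names R1/R2, the DHCP server address 192.0.2.10, the partner address 10.4.5.2, the upstream core preferring R2 for the /24, and the strict uRPF check being evaluated where the relay router receives the reply on its BVI.

```python
import ipaddress

N = ipaddress.ip_network

def lpm(table, dst):
    """Longest-prefix match: value of the most specific prefix covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, val) for net, val in table.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed addresses: the server is hypothetical, giaddr is the BVI address on the page.
SERVER, GIADDR = "192.0.2.10", "10.4.5.1"

# FIB shared by both HSRP routers: LAN is connected on the BVI, the rest via uplink.
FIB = {N("10.4.5.0/24"): "BVI60004", N("0.0.0.0/0"): "uplink"}
URPF_IFS = {"BVI60004"}  # only the BVI carries "ipv4 verify unicast ... rx"

def strict_urpf_ok(in_if, saddr):
    """Strict mode: the best route back to saddr must point out of in_if."""
    return in_if not in URPF_IFS or lpm(FIB, saddr) == in_if

def deliver_reply(core_routes):
    """Trace the server's reply towards giaddr; return (hops, accepted)."""
    first = lpm(core_routes, GIADDR)      # router the core hands the reply to
    hops = [(first, "uplink")]
    if first != "R1":                     # partner forwards it across the LAN
        hops.append(("R1", "BVI60004"))   # R1 (the relay) receives it on the BVI
    for _router, in_if in hops:
        if not strict_urpf_ok(in_if, SERVER):
            return hops, False            # source is not reachable via rx interface
    return hops, True

# Both routers announce only the connected /24; assume the core picks R2.
CORE_BEFORE = {N("10.4.5.0/24"): "R2"}
# Workaround from the message: each router also announces its own address as /32.
CORE_AFTER = dict(CORE_BEFORE)
CORE_AFTER.update({N("10.4.5.1/32"): "R1", N("10.4.5.2/32"): "R2"})

if __name__ == "__main__":
    for name, core in (("before", CORE_BEFORE), ("after /32", CORE_AFTER)):
        hops, ok = deliver_reply(core)
        print(name, hops, "accepted" if ok else "dropped by strict uRPF")
```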