Hello, I have a subnet spanning two 6500s which are running GLBP as well as uRPF checking on their SVI. Our monitoring server happens to be connected to one of the routers on a different subnet:

    Monitor --> Router A (x.y.z.2) --> Network Core
                    |
          (GLBP subnet x.y.z.0/24)
                    |
                Router B (x.y.z.3) --> Network Core

Our monitoring system can ping the virtual address (.1) and the local real address (.2), but it cannot ping the other router's real address (.3). From what we can tell, Router B is dropping the ICMP request due to its uRPF check as the source IP of the packet is from the monitoring server which is not part of the GLBP network.

I know that I can add an exemption ACL to the uRPF check, but my impression is that this will cause all traffic flowing through the SVI to be punted up to the CPU. Is there another way to configure this so that we can ping the real IP and enforce the uRPF check in hardware?

The routers are 6509s with Sup720-3Cs running modular 12.2(33)SXH4. The SVI configuration currently is:

    interface Vlan1201
     ip address x.y.z.2 255.255.255.0
     ip access-group 110 in
     ip verify unicast source reachable-via rx allow-default allow-self-ping
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     glbp 201 ip x.y.z.1
     glbp 201 priority 110
     glbp 201 preempt
     glbp 201 load-balancing host-dependent
     glbp 201 authentication md5 key-string 7 XXXXXX
    end

Eric :)
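The strict-mode check the post suspects, modelled as an added example that is not part of the original message or of any Cisco code. The addresses (RFC 5737 documentation ranges standing in for x.y.z.0/24 and the monitoring subnet), the interface names `Vlan100` and `Te1/1`, and both routing tables are constructed assumptions; only `Vlan1201` comes from the post.

```python
import ipaddress

def urpf_strict(fib, src, in_if, allow_default=False):
    """Simplified model of 'ip verify unicast source reachable-via rx'.

    fib is a list of (prefix, set of egress interfaces). The source passes
    only if its longest-match route points back out the ingress interface.
    Returns (passed, matched_prefix).
    """
    src = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    if best is None:
        return False, None
    net, ifaces = best
    # Without allow-default, a source that only matches 0.0.0.0/0 fails.
    if net.prefixlen == 0 and not allow_default:
        return False, str(net)
    return in_if in ifaces, str(net)

# Constructed stand-ins: 192.0.2.0/24 plays the GLBP subnet x.y.z.0/24,
# 198.51.100.0/24 plays the monitoring server's subnet.
MONITOR = "198.51.100.10"
ROUTER_A_FIB = [("192.0.2.0/24", {"Vlan1201"}),
                ("198.51.100.0/24", {"Vlan100"}),   # hypothetical monitor SVI
                ("0.0.0.0/0", {"Te1/1"})]           # hypothetical core uplink
ROUTER_B_FIB = [("192.0.2.0/24", {"Vlan1201"}),
                ("198.51.100.0/24", {"Te1/1"}),     # monitor reached via core
                ("0.0.0.0/0", {"Te1/1"})]

def check_all():
    return {
        # Ping to .3: Router A forwards it onto the GLBP VLAN, so Router B
        # receives a monitor-sourced packet on Vlan1201.
        "monitor_to_B_on_Vlan1201": urpf_strict(ROUTER_B_FIB, MONITOR, "Vlan1201", True),
        # Ping to .2: the packet enters Router A on the monitor-facing
        # interface and is never checked against Vlan1201.
        "monitor_to_A_on_Vlan100": urpf_strict(ROUTER_A_FIB, MONITOR, "Vlan100", True),
        # An ordinary host on the GLBP subnet still passes on Router B.
        "glbp_host_to_B_on_Vlan1201": urpf_strict(ROUTER_B_FIB, "192.0.2.50", "Vlan1201", True),
    }

if __name__ == "__main__":
    for name, (passed, route) in check_all().items():
        print(f"{name}: {'pass' if passed else 'DROP'} (matched {route})")
```

In this model `allow-default` does not help the monitoring source, because a more specific route for its subnet exists and points at the core uplink rather than `Vlan1201`.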