On 27/01/11 16:10, Eric Gauthier wrote:
> Hello,
>
> I have a subnet spanning two 6500s which are running GLBP as well
> as uRPF checking on their SVI. Our monitoring server happens
> to be connected to one of the routers on a different subnet:
>
>   Monitor --> Router A (x.y.z.2) --> Network Core
>                   |
>         (GLBP subnet x.y.z.0/24)
>                   |
>               Router B (x.y.z.3) --> Network Core
>
> Our monitoring system can ping the virtual address (.1) and the
> local real address (.2), but it cannot ping the other router's
> real address (.3). From what we can tell, Router B is dropping
> the ICMP request due to its uRPF check as the source IP of the
> packet is from the monitoring server which is not part of the
> GLBP network.

Yes. This is expected.

> I know that I can add an exemption ACL to the uRPF check, but
> my impression is that this will cause all traffic flowing through
> the SVI to be punted up to the CPU. Is there another way to
> configure this so that we can ping the real IP and enforce
> the uRPF check in hardware?

The defaults are that uRPF ACL permits are done in hardware, with denies
punted to CPU. You can swap this with:

    mls ip cef rpf hw-enable-rpf-acl

Personally we just avoid talking to the IPs inside subnets.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
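
The drop discussed in this thread, modeled as an added example that is not part of the original e-mails: a strict-mode uRPF check on Router B's SVI, with and without an exemption ACL entry for the monitoring server. The addresses (documentation ranges standing in for the elided x.y.z prefixes), the interface names and Router B's routing table are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing: the thread elides the real prefixes (x.y.z.0/24).
GLBP_NET = ipaddress.ip_network("192.0.2.0/24")      # stands in for x.y.z.0/24
ROUTER_B = ipaddress.ip_address("192.0.2.3")         # Router B real address (.3)
MONITOR = ipaddress.ip_address("198.51.100.10")      # monitoring server (assumed)

# Router B's FIB as (prefix, egress interface). Assumption: B reaches the
# monitor's subnet through its core uplink, not through the GLBP SVI.
ROUTER_B_FIB = [
    (GLBP_NET, "Vlan10"),
    (ipaddress.ip_network("198.51.100.0/24"), "Uplink-Core"),
    (ipaddress.ip_network("0.0.0.0/0"), "Uplink-Core"),
]


def reverse_path_interface(fib, src):
    """Longest-prefix match on the source address, as a FIB lookup would do."""
    matches = [(net, ifc) for net, ifc in fib if src in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_strict(fib, src, in_ifc, exempt=()):
    """Return (verdict, reason) for a packet from src arriving on in_ifc.

    exempt models the optional ACL: it is consulted only after the
    reverse-path check has failed, and a matching entry permits the packet.
    """
    if reverse_path_interface(fib, src) == in_ifc:
        return "forward", "reverse path matches ingress interface"
    if any(src in net for net in exempt):
        return "forward", "uRPF failed, permitted by exemption ACL"
    return "drop", "uRPF failed, no exemption"


if __name__ == "__main__":
    # The ping to .3 is routed by Router A onto the GLBP subnet, so it
    # reaches Router B on the SVI while B's route back points at the core.
    print(urpf_strict(ROUTER_B_FIB, MONITOR, "Vlan10"))
    acl = [ipaddress.ip_network("198.51.100.10/32")]
    print(urpf_strict(ROUTER_B_FIB, MONITOR, "Vlan10", exempt=acl))
    # A host inside the GLBP subnet passes the check without any ACL.
    print(urpf_strict(ROUTER_B_FIB, ipaddress.ip_address("192.0.2.50"), "Vlan10"))
```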