On 27/01/11 16:10, Eric Gauthier wrote:
> Hello,
>
> I have a subnet spanning two 6500s which are running GLBP as well
> as uRPF checking on their SVI.  Our monitoring server happens
> to be connected to one of the routers on a different subnet:
>
>
> Monitor -->  Router A (x.y.z.2) -->  Network Core
>                 |
>         (GLBP subnet x.y.z.0/24)
>                 |
>             Router B (x.y.z.3) -->  Network Core
>
>
> Our monitoring system can ping the virtual address (.1) and the
> local real address (.2), but it cannot ping the other router's
> real address (.3).  From what we can tell, Router B is dropping
> the ICMP request due to its uRPF check as the source IP of the
> packet is from the monitoring server which is not part of the
> GLBP network.

Yes. This is expected.


> I know that I can add an exemption ACL to the uRPF check, but
> my impression is that this will cause all traffic flowing through
> the SVI to be punted up to the CPU.  Is there another way to
> configure this so that we can ping the real IP and enforce
> the uRPF check in hardware?

The defaults are that uRPF ACL permits are done in hardware, with denies punted to CPU. You can swap this with:

mls ip cef rpf hw-enable-rpf-acl

Personally we just avoid talking to the IPs inside subnets.
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
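
The drop discussed in this thread can be reproduced with a small model of a strict-mode uRPF check with an exemption ACL. This is an added example, not part of the original messages and not Cisco code; the addresses (RFC 5737 documentation ranges), the interface names, and Router B's routing table are assumptions standing in for the x.y.z.0/24 topology in the post.

```python
import ipaddress

# Constructed addressing: stands in for the post's x.y.z.0/24 GLBP subnet
# and for the monitoring server, which sits on a different subnet.
GLBP_NET = ipaddress.ip_network("192.0.2.0/24")
MONITOR = ipaddress.ip_address("198.51.100.10")
GLBP_HOST = ipaddress.ip_address("192.0.2.50")

# Assumed FIB for Router B: the GLBP subnet is connected on the SVI and
# everything else, including the monitor's subnet, is reached via the core.
ROUTER_B_FIB = [
    (GLBP_NET, "Vlan-SVI"),
    (ipaddress.ip_network("0.0.0.0/0"), "Core-uplink"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    matches = [(net, ifc) for net, ifc in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def strict_urpf(fib, in_ifc, src, exempt_acl=()):
    """Strict-mode check on in_ifc: the packet passes only if the best route
    back to its source points out of the interface it arrived on. A packet
    that fails is still forwarded if the exemption ACL permits its source."""
    if lookup(fib, src) == in_ifc:
        return "pass"
    if any(src in net for net in exempt_acl):
        return "pass (acl exemption)"
    return "drop"


def demo():
    """Echo requests arriving on Router B's SVI, as in the thread."""
    acl = [ipaddress.ip_network("198.51.100.10/32")]  # permit the monitor only
    return {
        "host on GLBP subnet": strict_urpf(ROUTER_B_FIB, "Vlan-SVI", GLBP_HOST),
        "monitor via Router A": strict_urpf(ROUTER_B_FIB, "Vlan-SVI", MONITOR),
        "monitor with ACL": strict_urpf(ROUTER_B_FIB, "Vlan-SVI", MONITOR, acl),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The monitor's packet reaches Router B through Router A and the shared subnet, so it enters on the SVI while Router B's route back to the monitor points at the core, which is why the strict check fails without an exemption.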
