Ping Fails Because URPF Is Enabled on the Interface

Publication Date: 2013-01-07

Issue Description

Three routers, A, B, and C, are connected in a triangle topology and run OSPF. Unicast reverse path forwarding (URPF) is configured on every interface that connects two of the routers. The cost of the link between Router A and Router B is 800. The links between Router C and Router A and between Router C and Router B each have a cost of 1000. Router A pings the address of the interface that connects Router C to Router B. The ping fails intermittently.

Handling Process

Check the OSPF routing table and find that the entries are correct.

Use Router B to ping the address of the interface that connects Router C to Router A. This ping also fails intermittently, although the routers themselves function well.

Generally, upon receiving a packet, a router obtains the destination IP address of the packet and searches the forwarding table for a route to that destination. If the router finds such a route, it forwards the packet; otherwise, it discards the packet. URPF, however, obtains the source IP address and the inbound interface of the packet and checks whether the interface that the forwarding table associates with the source IP address matches the actual inbound interface of the packet. If they do not match, URPF treats the source IP address as a pseudo (forged) address and discards the packet. In this way, URPF protects against attacks that are launched by changing the source address.

Analyze the paths that the packets take during the ping, based on the URPF principles. When Router A pings the address of the interface that connects Router C to Router B, the outgoing packets can take the path A -> B -> C, with a total cost of 1800, or the path A -> C, with a total cost of 2000. The former path is therefore preferred. The returning packets can take the path C -> A or the path C -> B -> A. The total cost of each path is 1800, so the two routes are equal-cost routes.

When the path of returning packets and the path of sending packets are the same (both traverse C, B, and A), the packets can pass the URPF check and the ping operation succeeds.

When the path of returning packets and the path of sending packets are different (one is A -> B -> C and the other is C -> A), the packets fail the URPF check and the ping operation fails.
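
The analysis above can be reproduced with a short model. This is an added example, not part of the original case and not router or vendor code. It assumes that the ping is sourced from Router A's interface on the A-B link, identifies each interface by the neighbor it faces, and treats a packet as passing the URPF check if its inbound interface lies on any equal-cost best route back to the source.

```python
# Added illustration of this case (constructed model, not router or vendor code).
# Each link is one subnet, named by its two routers; costs are the OSPF costs above.
COST = {frozenset("AB"): 800, frozenset("AC"): 1000, frozenset("BC"): 1000}

def next_hops(router, subnet):
    """Neighbors on the lowest-cost route(s) from router to a link subnet."""
    link = frozenset(subnet)
    if router in link:                       # directly connected subnet
        return set(link - {router})
    # Cost = link to a router on the subnet + that router's interface cost onto it.
    cand = {n: COST[frozenset(router + n)] + COST[link] for n in link}
    best = min(cand.values())
    return {n for n, c in cand.items() if c == best}    # equal-cost set

def paths(src, dst_router, dst_subnet):
    """Every hop-by-hop path the routes allow toward dst_router's address."""
    if src == dst_router:
        return [src]
    return [src + p for n in sorted(next_hops(src, dst_subnet))
            for p in paths(n, dst_router, dst_subnet)]

def urpf_pass(router, came_from, src_subnet):
    """Strict check: inbound interface must be on a best route to the source."""
    return came_from in next_hops(router, src_subnet)

def walk(path, src_subnet):
    """Apply URPF at each receiving router; return the router that drops, or None."""
    for prev, cur in zip(path, path[1:]):
        if not urpf_pass(cur, prev, src_subnet):
            return cur
    return None

if __name__ == "__main__":
    # Echo request: source on subnet AB (assumed), destination is C's address on BC.
    for p in paths("A", "C", "BC"):
        print("request", "->".join(p), "dropped at", walk(p, "AB"))
    # Echo reply: source is C's address on BC, destination is A's address on AB.
    for p in paths("C", "A", "AB"):
        print("reply  ", "->".join(p), "dropped at", walk(p, "BC"))
```

In this model the reply over C -> A is dropped at Router A, whose only best route to the source subnet points toward Router B, while the reply over C -> B -> A passes every check.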

Root Cause

Failure to pass the URPF check causes the ping failure.

Solution

Configure URPF on the access side or the network side instead of on the interfaces that connect the routers to each other.

END