The S12708 Working in URPF Strict Mode Discards Valid Packets

Publication Date: 2019-03-26

Issue Description

1. Networking diagram

OSPF is run between two core switches. The OSPF cost values of the two links between aggregation switch A and core switch A are changed, so that the link on the left carries services and the link on the right acts as the backup.


2. Problem: The IP address of G1/0/1 (default VLANIF 134) on the aggregation switch cannot be pinged from PCA.

Handling Process

Step 1. On the core switch, ping the IP address of G1/0/1 on the aggregation switch. The ping succeeds, indicating that the interfaces on the core and aggregation switches and the intermediate links are normal.

Step 2. Check routes on the aggregation switch. It has a route to the network segment 19.106.130.0, with the next hop being 192.168.248.113.

Step 3. Check the configuration on the aggregation switch. No forwarding restriction or filtering policy is found.

Step 4. Check the configuration on the core switch. It is found that the URPF strict mode is configured on G1/1/0/1 and XG1/6/0/3.

Root Cause

When PCA pings the IP address (192.168.246.2) of G1/0/1 on the aggregation switch, XG1/6/0/3 (with IP address 192.168.246.1) on the core switch forwards the ICMP Request packet directly to G1/0/1 because the two interfaces are directly connected (this route has a higher priority). The ICMP Response packet is sent from G1/0/0 on the aggregation switch to PCA through G1/1/0/1 on the core switch, because the link between G1/0/0 and G1/1/0/1 has a lower OSPF cost value than the link between G1/0/1 and XG1/6/0/3. In normal cases, the ping succeeds.

However, URPF strict mode is configured on G1/1/0/1 and XG1/6/0/3 of the core switch. In URPF strict mode, a packet passes the check only when the routing table contains a route to the source IP address of the packet and the inbound interface of the packet is the same as the outbound interface of that route. Otherwise, the packet is discarded. The ICMP Response packet has the source address 192.168.246.2 and arrives on G1/1/0/1, but the core switch's route to that address points out of XG1/6/0/3. Because the ICMP packets exchanged between PCA and G1/0/1 (with IP address 192.168.246.2) are transmitted along different paths, the check fails and the ping fails.

Solution

Disable URPF check for the flows transmitted between PCA and G1/0/0 of the aggregation switch.

acl number 3000
 rule 5 permit ip source 192.168.246.2 0 destination 19.106.130.100 0
traffic classifier a
 if-match acl 3000
traffic behavior a
 ip urpf disable
traffic policy a
 classifier a behavior a
interface GigabitEthernet1/1/0/1
 traffic-policy a inbound
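
The strict-mode decision from the root cause and the effect of the ACL exemption can be modelled in a few lines. This is an added example, not Huawei code or output from the switch. The prefix lengths, the interface name "PCA-side", and the reading of 19.106.130.100 (the ACL destination) as PCA's address are assumptions.

```python
import ipaddress

# Constructed routing table for the core switch. Prefix lengths and the
# "PCA-side" interface name are assumptions; addresses come from the page.
ROUTES = [
    ("192.168.246.0/30", "XG1/6/0/3"),  # directly connected link to G1/0/1
    ("19.106.130.0/24", "PCA-side"),    # PCA's segment
]

# Mirrors ACL 3000 rule 5 applied inbound on G1/1/0/1: (interface, src, dst).
EXEMPT = {("G1/1/0/1", "192.168.246.2", "19.106.130.100")}


def best_route(routes, addr):
    """Longest-prefix match; return the outbound interface or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(net, ifc) for net, ifc in hits if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def urpf_strict(in_if, src, dst, routes=ROUTES, exempt=frozenset()):
    """Return (passed, reason) for a packet received on in_if."""
    if (in_if, src, dst) in exempt:
        return True, "URPF disabled for this flow by traffic policy"
    out_if = best_route(routes, src)
    if out_if is None:
        return False, "no route to source"
    if out_if != in_if:
        return False, f"route to {src} uses {out_if}, packet arrived on {in_if}"
    return True, "inbound interface matches route to source"


if __name__ == "__main__":
    reply = ("192.168.246.2", "19.106.130.100")  # ICMP Response from G1/0/1's address
    print(urpf_strict("XG1/6/0/3", *reply))                # symmetric path
    print(urpf_strict("G1/1/0/1", *reply))                 # asymmetric path from the case
    print(urpf_strict("G1/1/0/1", *reply, exempt=EXEMPT))  # after the fix
```

The exemption matches only the exact source and destination pair in the ACL, so every other packet arriving on G1/1/0/1 is still subject to the strict check.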
