[All About Switches] The Interface Address of a Downstream Router Cannot Be Pinged Remotely

Created Mar 08, 2018 10:24:44Latest reply Mar 09, 2018 08:38:20 821 1 1 0

Involved Products and Versions

S9300 V200R008

Networking

In Figure 1-1, the Switch is uplink connected to two CE switches, and the two CE switches are uplink connected to two NE routers. The Switch, CE switches, and NE routers communicate using OSPF routes. Two equal-cost default routes destined for the Switch are configured on the downstream user-side Router.

Figure 1-1 Interface address of a downstream router unable to be pinged remotely

20180308102420977001.png

 

Symptom

IP address 60.18.223.82 of the uplink interface (connected to GE3/0/24 of the Switch) on the user-side Router cannot be pinged (from a remote IP address 111.203.45.3), but the IP address of another uplink interface (connected to GE3/0/0 of the Switch) can be pinged normally.

Cause Analysis

The urpf strict allow-default-route command has been configured on the downlink interfaces of the Switch.

Procedure

                          Step 1     When the ping operation fails, run the following command to collect traffic statistics on the Switch. The command output shows that the Switch received packets replied by the Router but uplink interfaces of the Switch did not send packets out.

[Switch] display traffic policy statistics interface GigabitEthernet 3/0/24 outbound verbose rule-base class tj
 
Interface: GigabitEthernet3/0/24
Traffic policy outbound: tj
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tj operator or
Behavior: tj
Board : 3
rule 5 permit icmp source 111.203.45.3 0 destination 60.18.223.82 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 218
 
Bytes: 17,004 
Rate(pps): 0 
Rate(bps): 120
---------------------------------------------------------------------
Dropped  Packets: 0 
Bytes: 0 
Rate(pps): 0 
Rate(bps): 0
---------------------------------------------------------------------

[Switch] display traffic policy statistics interface GigabitEthernet 3/0/0 inbound verbose rule-base class tj
 
Interface: GigabitEthernet3/0/0
Traffic policy inbound: tj
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tj operator or
Behavior: tj
Board : 3
rule 5 permit icmp source 111.203.45.3 0 destination 60.18.223.82 0 (match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
 
Bytes: 0 
Rate(pps): 0 
Rate(bps): 0
---------------------------------------------------------------------
Dropped  Packets: 0 
Bytes: 0 
Rate(pps): 0 
Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit icmp source 60.18.223.82 0 destination 111.203.45.3 0 (match-counter 0)
---------------------------------------------------------------------
Passed  Packets: 113 
Bytes: 8,814 
Rate(pps): 0 
Rate(bps): 120
---------------------------------------------------------------------
Dropped  Packets: 0 
Bytes: 0

                          Step 2     Check configurations of GE3/0/24 and GE3/0/0.

The following configuration includes the urpf strict allow-default-route command. During ARP learning on GE3/0/24 and the ping from 111.203.45.3 to 60.18.223.82, an ICMP reply packet was received from GE3/0/0. URPF detects that the source IP address of the packet in the routing table and ARP table does not match the source interface of the packet, and drops the packet. Therefore, the ping failed.

#
interface GigabitEthernet3/0/0
 description description2
 port link-type access
 port default vlan 600
 traffic-policy tj inbound
 traffic-policy tj outbound
 urpf strict allow-default-route
#
interface GigabitEthernet3/0/24
 description description1
 port link-type access
 port default vlan 607
 traffic-policy tj inbound
 traffic-policy tj outbound
 urpf strict allow-default-route

This problem is solved after the urpf strict allow-default-route command configuration is deleted from GE3/0/0 and GE3/0/24.

----End

  • x
  • convention:

gululu  Admin   Created Mar 09, 2018 08:38:20 Helpful(0) Helpful(0)

thanks for your sharing!
  • x
  • convention:

Come on!

Responses

Reply
You need to log in to reply to the post Login | Register

Notice:To ensure the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but not limited to politically sensitive content, content concerning pornography, gambling, drug abuse and trafficking, content that may disclose or infringe upon others' intellectual properties, including commercial secrets, trade marks, copyrights, and patents, and personal privacy. Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see“ Privacy Policy.”
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Fast reply Scroll to top