Involved Products and Versions
S9300 V200R008
Networking
In Figure 1-1, the Switch is connected in the uplink direction to two CE switches, and the two CE switches are connected in the uplink direction to two NE routers. The Switch, CE switches, and NE routers communicate using OSPF routes. Two equal-cost default routes pointing to the Switch are configured on the downstream user-side Router.
Figure 1-1 Interface address of a downstream router unable to be pinged remotely
Symptom
The IP address 60.18.223.82 of the uplink interface (connected to GE3/0/24 of the Switch) on the user-side Router cannot be pinged from the remote IP address 111.203.45.3, but the IP address of the other uplink interface (connected to GE3/0/0 of the Switch) can be pinged normally.
Cause Analysis
The urpf strict allow-default-route command has been configured on the downlink interfaces of the Switch.
Procedure
Step 1 When the ping operation fails, run the following commands to collect traffic statistics on the Switch. The command output shows that the Switch received the reply packets from the Router, but the uplink interfaces of the Switch did not send them out.
[Switch] display traffic policy statistics interface GigabitEthernet 3/0/24 outbound verbose rule-base class tj
Interface: GigabitEthernet3/0/24
Traffic policy outbound: tj
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tj operator or
Behavior: tj
Board : 3
rule 5 permit icmp source 111.203.45.3 0 destination 60.18.223.82 0
(match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 218
Bytes: 17,004
Rate(pps): 0
Rate(bps): 120
---------------------------------------------------------------------
Dropped Packets: 0
Bytes: 0
Rate(pps): 0
Rate(bps): 0
---------------------------------------------------------------------
[Switch] display traffic policy statistics interface GigabitEthernet 3/0/0 inbound verbose rule-base class tj
Interface: GigabitEthernet3/0/0
Traffic policy inbound: tj
Rule number: 4
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tj operator or
Behavior: tj
Board : 3
rule 5 permit icmp source 111.203.45.3 0 destination 60.18.223.82 0
(match-counter 0)
---------------------------------------------------------------------
Passed | Packets: 0
Bytes: 0
Rate(pps): 0
Rate(bps): 0
---------------------------------------------------------------------
Dropped Packets: 0
Bytes: 0
Rate(pps): 0
Rate(bps): 0
---------------------------------------------------------------------
rule 10 permit icmp source 60.18.223.82 0 destination 111.203.45.3 0
(match-counter 0)
---------------------------------------------------------------------
Passed Packets: 113
Bytes: 8,814
Rate(pps): 0
Rate(bps): 120
---------------------------------------------------------------------
Dropped Packets: 0
Bytes: 0
Step 2 Check configurations of GE3/0/24 and GE3/0/0.
The following configuration shows that the urpf strict allow-default-route command is configured on both interfaces. The ARP entry for 60.18.223.82 was learned on GE3/0/24, but during the ping from 111.203.45.3 to 60.18.223.82 the ICMP reply packet was received on GE3/0/0. URPF checks the source IP address of the packet against the routing table and ARP table, finds that the interface recorded there does not match the interface on which the packet arrived, and drops the packet. Therefore, the ping failed.
#
interface GigabitEthernet3/0/0
description description2
port link-type access
port default vlan 600
traffic-policy tj inbound
traffic-policy tj outbound
urpf strict allow-default-route
#
interface GigabitEthernet3/0/24
description description1
port link-type access
port default vlan 607
traffic-policy tj inbound
traffic-policy tj outbound
urpf strict allow-default-route
This problem is solved after the urpf strict allow-default-route command configuration is deleted from GE3/0/0 and GE3/0/24.
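The check described in Step 2 can be modelled in a few lines. The following is an added example, not Huawei code or output from this case: a simplified model of a URPF source check that goes beyond the case by also covering loose mode and the default-route option for contrast. The prefixes, the 192.0.2.0/30 subnet and the interface name UPLINK are assumptions; only the two IP addresses and the GE interface names come from the case.

```python
import ipaddress

# Constructed forwarding state for the Switch. The two host addresses and the
# interface names come from the case; prefixes and "UPLINK" are assumptions.
FIB = [
    ("60.18.223.82/32", "GE3/0/24"),  # ARP/host entry learned on GE3/0/24
    ("60.18.223.80/30", "GE3/0/24"),  # assumed connected subnet behind VLAN 607
    ("192.0.2.0/30", "GE3/0/0"),      # assumed (documentation) subnet, VLAN 600
    ("0.0.0.0/0", "UPLINK"),          # default route toward the CE switches
]

def lookup(src):
    """Longest-prefix match on the source address: (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifname) for p, ifname in FIB
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def urpf_permits(src, in_if, mode="strict", allow_default=True):
    """Return True if a packet from src arriving on in_if passes the check."""
    hit = lookup(src)
    if hit is None:
        return False                  # no route back to the source at all
    net, route_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route matched
    if mode == "loose":
        return True                   # any matching route is enough
    return route_if == in_if          # strict: must arrive where the route points

if __name__ == "__main__":
    # The Router load-balances replies over both uplinks, so the reply sourced
    # from 60.18.223.82 can arrive on either downlink interface of the Switch.
    for in_if in ("GE3/0/24", "GE3/0/0"):
        ok = urpf_permits("60.18.223.82", in_if)
        print(f"reply from 60.18.223.82 on {in_if}: {'pass' if ok else 'drop'}")
```

In this model a packet that claims the source 111.203.45.3 but arrives on a downlink interface is also dropped in strict mode, which is the anti-spoofing protection that is lost on GE3/0/0 and GE3/0/24 once the command is deleted.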
----End