Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ip verify unicast source reachable-via rx allow-self-ping disallow ping VIP

Hi Team

I find the command ?ip verify unicast source reachable-via rx allow-self-ping? disallowed the ping to the HSRP VIP. Could you please check if it?s normal behavior ?the partial config is below:

interface Vlan10

mtu 9216

ip address 172.16.128.193 255.255.255.0

ip verify unicast source reachable-via rx allow-self-ping

no ip redirects

ip pim dr-priority 200

ip pim query-interval 500 msec

ip pim sparse-mode

no ip mroute-cache

load-interval 30

standby delay minimum 30 reload 120

standby 200 ip 172.16.128.195

standby 200 timers msec 500 msec 1500

standby 200 priority 105

standby 200 preempt

standby 201 ip 172.16.128.196

standby 201 timers msec 500 msec 1500

standby 201 preempt

platform cisco WS-C6509-E (R7000),IOS 12.2(18)SXE5.

Thank you very much for your help.

Tony

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: ip verify unicast source reachable-via rx allow-self-ping di

Tony

I see that behavior in networks that I work with and believe that it is normal behavior. I believe that what is happening is that someone attempts to ping the VIP, the ping packet is received on the switch that is not active for that HSRP group and forwards it over the VLAN to the active switch. But the switch sees a packet incoming with a remote source address and RPF rejects the packet. We have addressed this issue by using the optional access list in the verify unicast which can supply over-rides to the RFP check. If the optional access list permits ping to the VIP then things should work as you want them.

HTH

Rick

3 REPLIES
Hall of Fame Super Silver

Re: ip verify unicast source reachable-via rx allow-self-ping di

Tony

I see that behavior in networks that I work with and believe that it is normal behavior. I believe that what is happening is that someone attempts to ping the VIP, the ping packet is received on the switch that is not active for that HSRP group and forwards it over the VLAN to the active switch. But the switch sees a packet incoming with a remote source address and RPF rejects the packet. We have addressed this issue by using the optional access list in the verify unicast which can supply over-rides to the RFP check. If the optional access list permits ping to the VIP then things should work as you want them.

HTH

Rick

New Member

Re: ip verify unicast source reachable-via rx allow-self-ping di

Hi Rick

Thank you so much for your excellent explanation.Much appreciated!

Have a nice weekend!

Tony

Hall of Fame Super Silver

Re: ip verify unicast source reachable-via rx allow-self-ping di

Tony

You are quite welcome.

Thanks for rating the response and markig the issue as resolved. It makes the forum more useful when people can read about an issue and know that the answer did resolve the issue.

I encourage you to continue your participation in the forum.

HTH

Rick

2743
Views
0
Helpful
3
Replies
CreatePlease login to create content