
MPLS layer3 VPN Questions

Hi all,

I have set up an MPLS layer 3 VPN and I can ping between 2 computers through the MPLS VPN, but when I traced the route, it looked like this:


tracert (Destination Computer)

      1     6 ms     6 ms     6 ms   (Gateway IP)
      2     *        *        *      Request time out
      3     *        *        *      Request time out
      4     7 ms     5 ms     2 ms


The point is, is this supposed to happen (the timeout in the middle)? How should I fix this?

The topology:

*I used PE and CE in the same router

Configuration on ingress router:


    protocols {
        bgp {
            local-address;                     /* address omitted in the post */
            family inet-vpn {
                unicast;
            }
            group BGP1 {
                type internal;
                local-address;                 /* address omitted in the post */
                /* neighbor statements not shown in the post */
            }
        }
    }
    routing-instances {
        L3VPN-1 {
            instance-type vrf;
            interface fe-0/0/0.0;              /* interface that connects to the PC */
            route-distinguisher 100:1;
            vrf-import import_VPN;
            vrf-export export_VPN;
            vrf-target target:100:1;
        }
    }
    policy-options {
        policy-statement export_VPN {
            term 1 {
                from protocol direct;
                then {
                    community add L3VPN-1;
                    accept;                    /* community add alone does not terminate the term */
                }
            }
        }
        policy-statement import_VPN {
            term 1 {
                from {
                    protocol bgp;
                    community L3VPN-1;
                }
                then accept;
            }
        }
        community L3VPN-1 members target:100:1;
    }







Re: MPLS layer3 VPN Questions



The time-out on the second hop is expected because the P routers do not carry any VPN routes, and so cannot route the TTL expired message back to the CE. It should be noted that an E-FPC equipped router copies the TTL value present in the IP header into both the inner and outer MPLS labels when handling traffic received from the attached CE. However, for traffic that is generated locally, an E-FPC PE sets the TTL in the outer MPLS label to the maximum value (255) to avoid P router time-outs, so if you have an E-FPC PE and try the same trace from the PE router, you shouldn't face the same issue.

Also check this post; it may help you.




Mohamed Elhariry
2* JNCIE (SEC # 159, SP # 1059),JNCIP-ENT


Re: MPLS layer3 VPN Questions



It's good to know how traceroute operates. The source sends UDP packets to invalid ports one after another with incrementing TTL values.

Case 1: When the router receives a packet not destined to it, it will first check the TTL value of the packet. If the received packet has a TTL value of 1, it will drop the packet and send an ICMP TTL expired packet (code 11) back to the source.

Case 2: When the router receives a packet destined to itself but with an invalid UDP port (like above 32000), it will drop the packet and send an ICMP port unreachable packet (code 3) back to the source.

Case 3: When the router receives a packet not destined to it and having a TTL of more than 1, it will just route the packet and not drop it.

The source first sends a UDP packet to the actual destination with TTL 1. The immediate next-hop router finds case 1 and sends an ICMP TTL expired packet (code 11) back to the source using its own IP as the source of the packet. So the source knows the first hop in the traceroute. Now the source sends a UDP packet with TTL 2 and the second hop drops the packet, and this continues till the last hop (actual destination) receives the UDP packet with TTL 1 and, using case 1, drops the packet. In this way the source knows all the hops in the path to the destination.



If any hop does not have a route back to the source, it cannot send the ICMP TTL expired packet (code 11) to the source, and a timeout will be shown instead of its IP in the traceroute output. Similarly, if the router receives the traceroute packet with a TTL greater than 1, it will not drop the packet and will not appear in the traceroute.

This theory also applies to IP/MPLS L3VPN. The P routers do not have a route for the source (VPN routes only exist on PE routers), so their IPs will not appear in the traceroute output.

If you do not want to see "timeout for P routers", you can use icmp-tunneling OR the no-propagate-ttl/no-decrement-ttl knobs of MPLS.

- With the no-propagate-ttl/no-decrement-ttl knob, the ingress PE will not copy the TTL value of the IP packet into the MPLS label header, and the TTL value in the MPLS header will be 255. So the traceroute packet from the source (CE) will not be dropped by any P router (case 3), so the whole IP/MPLS network will not appear in the traceroute output.

- With icmp-tunneling, the first P router will drop the traceroute packet with TTL 1 BUT will not send the ICMP TTL expired message to the source; instead all P routers will keep label switching this ICMP TTL expired message until it reaches the CE router, and the CE router sends back this ICMP TTL expired message, so the ingress CE will see only the remote CE and the whole IP/MPLS network will not be shown in the traceroute output.



Kashif Rana
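To see why the question's output shows timeouts exactly at hops 2 and 3, and why no-propagate-ttl hides the core, here is a hop-by-hop model of TTL handling over an MPLS L3VPN. This is an added example, not code from the thread; the topology, names and addresses are constructed, and icmp-tunneling is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    ip: str
    role: str                  # "pe_in", "p", "pe_out" or "host"
    has_route_to_source: bool  # P routers carry no VPN routes, so they cannot answer the CE

def probe(path, ip_ttl, propagate_ttl=True):
    """One UDP probe with the given IP TTL: IP of the hop that answers, or None for '*'."""
    mpls_ttl = 0
    for hop in path:
        if hop.role == "host":
            return hop.ip                 # destination answers with ICMP port unreachable
        if hop.role == "pe_in":
            ip_ttl -= 1                   # ingress PE routes the packet, then pushes labels
            if ip_ttl == 0:
                return hop.ip
            mpls_ttl = ip_ttl if propagate_ttl else 255  # copy IP TTL into the label, or 255
        elif hop.role == "p":
            mpls_ttl -= 1                 # P routers only decrement the label TTL
            if mpls_ttl == 0:             # expired in the core: reply only if a return route exists
                return hop.ip if hop.has_route_to_source else None
        elif hop.role == "pe_out":
            if propagate_ttl:
                ip_ttl = mpls_ttl         # label TTL (already decremented by the P routers) back into IP
            ip_ttl -= 1
            if ip_ttl == 0:
                return hop.ip
    return None

def traceroute(path, propagate_ttl=True, max_ttl=30):
    """Responder per TTL ('*' on timeout), stopping once the destination answers."""
    out = []
    for ttl in range(1, max_ttl + 1):
        who = probe(path, ttl, propagate_ttl)
        out.append(who or "*")
        if who == path[-1].ip:
            break
    return out

# Constructed topology, made-up addresses: gateway is the combined PE/CE as in the question.
PATH = [
    Hop("PE1/CE1 (gateway)", "10.0.1.1", "pe_in", True),
    Hop("P1", "192.0.2.2", "p", False),
    Hop("P2", "192.0.2.3", "p", False),
    Hop("PE2/CE2", "10.0.2.1", "pe_out", True),
    Hop("PC-B", "10.0.2.10", "host", True),
]
```

Running `traceroute(PATH)` reproduces the gateway, two stars and then the far side; `traceroute(PATH, propagate_ttl=False)` drops the two star lines, and giving the P routers a return route makes them show up by address instead.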
