Contributor
SPxious
MPLS layer3 VPN Questions

Hi all,

I have set up an MPLS layer 3 VPN and I can ping between 2 computers through the MPLS VPN, but when I ran a traceroute it looked like this:

tracert 192.168.1.2 (destination computer)

  1     6 ms     6 ms     6 ms    172.20.23.1  (gateway IP)
  2     *        *        *       Request timed out
  3     *        *        *       Request timed out
  4     7 ms     5 ms     2 ms    192.168.1.2

The point is, is this supposed to happen (the timeouts in the middle)? How should I fix this?

The topology:

    (CE)PE*-------P-----P------PE(CE)*

*I used PE and CE in the same router.

Configuration on the ingress router:

 

    protocols {
        bgp {
            local-address 10.200.90.1;
            family inet-vpn {
                unicast;
            }
            group BGP1 {
                type internal;
                local-address 10.200.90.1;
                neighbor 10.200.90.2;
                neighbor 10.200.90.3;
                neighbor 10.200.90.4;
            }
        }
    }

    routing-instances {
        L3VPN-1 {
            instance-type vrf;
            /* interface that connects to the PC */
            interface fe-0/0/0.0;
            route-distinguisher 100:1;
            vrf-import import_VPN;
            vrf-export export_VPN;
            vrf-target target:100:1;
            vrf-table-label;
        }
    }

    policy-options {
        policy-statement export_VPN {
            term 1 {
                from protocol direct;
                then {
                    community add L3VPN-1;
                    accept;
                }
            }
        }
        policy-statement import_VPN {
            term 1 {
                from {
                    protocol bgp;
                    community L3VPN-1;
                }
                then accept;
            }
        }
        community L3VPN-1 members target:100:1;
    }

 

 

 

THANK YOU

                   

Recognized Expert
mhariry

Re: MPLS layer3 VPN Questions

Dear,

The time-out on the second hop is expected, because the P routers do not carry any VPN routes and so cannot route the TTL-expired message back to the CE. It should be noted that an E-FPC equipped router copies the TTL value present in the IP header into both the inner and outer MPLS labels when handling traffic received from the attached CE. However, for locally generated traffic, an E-FPC PE sets the TTL in the outer MPLS label to the maximum value (255) to avoid P router time-outs, so if you have an E-FPC PE and try the same trace from the PE router, you shouldn't see the same issue.

Also check this post; it may help you:

http://forums.juniper.net/t5/Routing/traceroute-thru-mpls/td-p/29354

 

Thanks,

Mohamed Elhariry

JNCIE-M/T # 1059, CCNP & CCIP
Trusted Expert
Kashif-rana

Re: MPLS layer3 VPN Questions

Hi,

It's good to know how traceroute operates. The source sends UDP packets to invalid ports one after another, with incrementing TTL values.

Case 1: When a router receives a packet not destined to it, it first checks the TTL value of the packet. If the received packet has a TTL value of 1, it drops the packet and sends an ICMP TTL-expired packet (code 11) back to the source.

Case 2: When a router receives a packet destined to itself but with an invalid UDP port (e.g. above 32000), it drops the packet and sends an ICMP port-unreachable packet (code 3) back to the source.

Case 3: When a router receives a packet not destined to it with a TTL greater than 1, it just routes the packet and does not drop it.

 

The source first sends a UDP packet to the actual destination with TTL 1. The immediate next-hop router hits case 1 and sends an ICMP TTL-expired packet (code 11) back to the source, using its own IP as the source of that packet, so the source learns the first hop in the traceroute. The source then sends a UDP packet with TTL 2, which the second hop drops, and this continues until the last hop (the actual destination) receives the UDP packet with TTL 1 and drops it per case 1. In this way the source learns all the hops on the path to the destination.

 

NOTE:

If any hop does not have a route back to the source, it cannot send the ICMP TTL-expired packet (code 11) to the source, and a timeout is shown instead of its IP in the traceroute output. Similarly, if a router receives the traceroute packet with a TTL greater than 1, it does not drop the packet and does not appear in the traceroute.

This theory also applies to IP/MPLS L3VPN. None of the P routers has a route to the source (VPN routes only exist on PE routers), so their IPs do not appear in the traceroute output.

 

If you do not want to see the "timeout for P routers", you can use the icmp-tunneling OR the no-propagate-ttl/no-decrement-ttl knobs of MPLS.

- With the no-propagate-ttl/no-decrement-ttl knob, the ingress PE does not copy the TTL value of the IP packet into the MPLS label header, and the TTL value in the MPLS header is 255. So the traceroute packet from the source (CE) is not dropped by any P router (case 3), and the whole IP/MPLS network does not appear in the traceroute output.

- With icmp-tunneling, the first P router drops the traceroute packet with TTL 1 BUT does not send the ICMP TTL-expired message directly to the source; instead, all P routers keep label-switching this ICMP TTL-expired message until it reaches the CE router, and the CE router sends this ICMP TTL-expired message back. So the ingress CE sees only the remote CE, and the whole IP/MPLS network is not shown in the traceroute output.

 

HTH

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
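The following is an added example, not code from either reply above or from Juniper. It is a small Python model of the traceroute mechanics both replies describe: a probe is labelled at the ingress PE, each P router decrements the label TTL and has to answer a TTL-expired probe from an address the P router cannot route back to, and the egress PE pops the label. Running it in three modes shows the "*" hops from the original post, what the 255 TTL of mhariry's locally generated/E-FPC case and the no-propagate-ttl knob do, and what icmp-tunneling does. The topology and every address except the gateway (172.20.23.1) and destination PC (192.168.1.2) are constructed for the example; the model assumes a single label instead of a transport plus VPN label stack, no penultimate-hop popping, and that the ingress PE is the source PC's default gateway (PE and CE on the same box, as in the original topology). Function and class names are the example's own.

```python
"""Toy model of traceroute across an MPLS L3VPN core (constructed example,
not code from the thread or from Juniper). Simplifications: one label instead
of a transport+VPN stack, no penultimate-hop popping, ingress PE is the CE's
default gateway."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Node:
    name: str
    addr: str           # source address the node uses for ICMP time-exceeded replies
    role: str           # "pe_ingress", "p", "pe_egress" or "host"
    routes: List[str]   # prefixes the node can route to; P routers hold no VPN routes

    def can_reach(self, ip: str) -> bool:
        return any(ip_address(ip) in ip_network(p) for p in self.routes)


@dataclass
class Probe:
    src: str
    dst: str
    ip_ttl: int
    label_ttl: Optional[int] = None   # None while the packet carries no MPLS label


class MplsCore:
    def __init__(self, path: List[Node], propagate_ttl: bool = True,
                 icmp_tunneling: bool = False):
        self.path = path
        self.propagate_ttl = propagate_ttl      # False models no-propagate-ttl / no-decrement-ttl
        self.icmp_tunneling = icmp_tunneling    # True models icmp-tunneling

    def reply_reaches_source(self, idx: int, src: str) -> bool:
        """Can the node at path[idx] get an ICMP time-exceeded (type 11) back to src?"""
        if self.path[idx].can_reach(src):
            return True                        # ordinary routed reply
        if not self.icmp_tunneling:
            return False                       # no route to the VPN source: reply is dropped
        # icmp-tunneling: the reply is re-labelled with the probe's label stack and
        # carried to the end of the LSP, where the egress PE has the VPN route back.
        return any(n.can_reach(src) for n in self.path[idx + 1:])

    def send_probe(self, probe: Probe) -> Optional[str]:
        """Forward one probe hop by hop; return the replying address, or None for '*'."""
        for idx, node in enumerate(self.path):
            if node.role == "host":
                return node.addr               # destination answers (port unreachable)
            if node.role == "pe_ingress":
                probe.ip_ttl -= 1
                if probe.ip_ttl == 0:
                    return node.addr           # the PE has the VPN route back to the source
                probe.label_ttl = probe.ip_ttl if self.propagate_ttl else 255
            elif node.role == "p":
                probe.label_ttl -= 1
                if probe.label_ttl == 0:       # "case 1" on a P router
                    return node.addr if self.reply_reaches_source(idx, probe.src) else None
            elif node.role == "pe_egress":
                if self.propagate_ttl:
                    probe.ip_ttl = probe.label_ttl   # MPLS TTL copied back into the IP header on pop
                probe.label_ttl = None
                probe.ip_ttl -= 1
                if probe.ip_ttl == 0:
                    return node.addr
        raise RuntimeError("probe left the path without being answered")


def traceroute(core: MplsCore, src: str, dst: str, max_hops: int = 30) -> List[str]:
    hops = []
    for ttl in range(1, max_hops + 1):
        responder = core.send_probe(Probe(src, dst, ttl))
        hops.append(responder or "*")
        if responder == dst:
            break
    return hops


# Constructed topology: only 172.20.23.1 (gateway) and 192.168.1.2 (destination PC)
# come from the original post; every other address is made up for this example.
VPN = ["172.20.23.0/24", "192.168.1.0/24"]
CORE = ["10.0.0.0/8"]
SRC_PC, DST_PC = "172.20.23.2", "192.168.1.2"
PATH = [
    Node("PE1", "172.20.23.1", "pe_ingress", VPN + CORE),
    Node("P1", "10.0.0.1", "p", CORE),
    Node("P2", "10.0.0.2", "p", CORE),
    Node("PE2", "10.0.0.3", "pe_egress", VPN + CORE),
    Node("PC", DST_PC, "host", []),
]


def run_trace(propagate_ttl: bool = True, icmp_tunneling: bool = False) -> List[str]:
    return traceroute(MplsCore(PATH, propagate_ttl, icmp_tunneling), SRC_PC, DST_PC)


if __name__ == "__main__":
    for label, kwargs in [("default (TTL propagated)", {}),
                          ("no-propagate-ttl", {"propagate_ttl": False}),
                          ("icmp-tunneling", {"icmp_tunneling": True})]:
        print(f"{label}: {' -> '.join(run_trace(**kwargs))}")
```

In the default mode the model reproduces the pattern from the original post (gateway, two "*" hops, then the far side), with one extra hop because the egress PE and the destination PC are separate nodes here. With propagate_ttl=False the P routers never expire the probe and the trace jumps from PE1 straight to PE2; with icmp_tunneling=True the P routers' addresses appear because their replies reach the source through the far end of the LSP. On Junos the corresponding knobs sit under [edit protocols mpls]: `set protocols mpls no-propagate-ttl` (or `no-decrement-ttl`) and `set protocols mpls icmp-tunneling`.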