Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  MPLS layer3 VPN Questions

    Posted 01-20-2012 00:37

    Hi all,                            

            I have set up an MPLS layer 3 VPN and I can ping 2 computers through the MPLS VPN, but when I ran a traceroute, this happened:

     

    tracert 192.168.1.2 (Destination Computer)

      1     6ms     6ms     6ms    172.20.23.1  (Gateway IP)
      2      *       *       *     Request time out
      3      *       *       *     Request time out
      4     7ms     5ms     2ms    192.168.1.2

     

    The point is, is this supposed to happen (the timeout in the middle)? How should I fix this?

    The topology:

        (CE)PE*-------P-----P------PE(CE)*

    *I used PE and CE in the same router

     

    Configuration on ingress router:

     

    protocols {
        bgp {
            local-address 10.200.90.1;
            family inet-vpn {
                unicast;
            }
            group BGP1 {
                type internal;
                local-address 10.200.90.1;
                neighbor 10.200.90.2;
                neighbor 10.200.90.3;
                neighbor 10.200.90.4;
            }
        }
    }

    routing-instances {
        L3VPN-1 {
            instance-type vrf;
            interface fe-0/0/0.0;    /* interface that connects to the PC */
            route-distinguisher 100:1;
            vrf-import import_VPN;
            vrf-export export_VPN;
            vrf-target target:100:1;
            vrf-table-label;
        }
    }

    policy-options {
        policy-statement export_VPN {
            term 1 {
                from protocol direct;
                then {
                    community add L3VPN-1;
                    accept;
                }
            }
        }
        policy-statement import_VPN {
            term 1 {
                from {
                    protocol bgp;
                    community L3VPN-1;
                }
                then accept;
            }
        }
        community L3VPN-1 members target:100:1;
    }

     

     

     

    THANK YOU

                       



  • 2.  RE: MPLS layer3 VPN Questions

    Posted 01-20-2012 03:03

    Dear

     

    The time-out on the second hop is expected due to the fact that the P routers do not carry any VPN routes, and so cannot route the TTL expired message back to the CE. It should be noted that an E-FPC equipped router copies the TTL value present in the IP header into both the inner and outer MPLS labels when handling traffic received from the attached CE. However, for traffic that is generated locally, an E-FPC PE sets the TTL in the outer MPLS label to the maximum value (255) to avoid P router time-outs, so if you have an E-FPC PE and try the same trace from the PE router you shouldn't face a similar issue.

     

    Also check this post; it may help you:

     

    http://forums.juniper.net/t5/Routing/traceroute-thru-mpls/td-p/29354

     

    Thanks,

     

    Mohamed Elhariry

    JNCIE-M/T # 1059, CCNP & CCIP

     

     

     



  • 3.  RE: MPLS layer3 VPN Questions
    Best Answer

    Posted 01-20-2012 14:14

    Hi

     

    It's good to know the operation of traceroute. The source sends UDP packets to invalid ports one after another with incrementing TTL values.

    Case 1: When the router receives a packet not destined to it, it will first check the TTL value of the packet. If the received packet has a TTL value of 1 then it will drop the packet and send an ICMP TTL expired packet (code 11) back to the source.

    Case 2: When the router receives a packet destined to itself but with an invalid UDP port (like above 32000), it will drop the packet and send an ICMP port unreachable packet (code 3) back to the source.

    Case 3: When a router receives a packet not destined to it and having a TTL of more than 1, it will just do the routing and will not drop the packet.

     

    The source first sends the UDP packet to the actual destination with TTL 1. The immediate next-hop router finds case 1 and sends an ICMP TTL expired packet (code 11) back to the source using its own IP as the source of the packet. So the source knows the first hop in the traceroute. Now the source sends the UDP packet with TTL 2 and the second hop drops the packet, and it continues until the last hop (the actual destination) receives the UDP packet with TTL 1 and, using case 1, drops the packet. So in this way the source knows all the hops in the path to the destination.

     

    NOTE:

    If any hop does not have a route back to the source then it cannot send the ICMP TTL expired packet (code 11) to the source, and a timeout will be shown instead of its IP in the traceroute output. Similarly, if a router receives the traceroute packet with a TTL greater than 1 then it will not drop the packet and will not appear in the traceroute.

     

    This theory also applies to IP/MPLS L3VPN. The P routers do not have a route for the source (VPN routes only exist on PE routers), so their IPs will not appear in the traceroute output.

     

    If you do not want to see "timeout for P routers", you can use icmp-tunneling OR the no-propagate-ttl/no-decrement-ttl knobs of MPLS.

    - Due to the no-propagate-ttl/no-decrement-ttl knob, the ingress PE will not copy the TTL value of the IP packet into the MPLS label header, and the TTL value in the MPLS header will be 255. So the traceroute packet from the source (CE) will not be dropped by any P router (case 3), so the whole IP/MPLS network will not appear in the traceroute output.

     

    - Due to icmp-tunneling, the first P router will drop the traceroute packet with TTL 1 BUT will not send the ICMP TTL expired message to the source; instead all P routers will keep doing label switching for this ICMP TTL expired message until it reaches the CE router, and the CE router sends back this ICMP TTL expired message, so the ingress CE will see only the remote CE and the whole IP/MPLS network will not be shown in the traceroute output.

     

    HTH
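    The three cases and the no-propagate-ttl behaviour described in this answer, modelled as an added example (not code from the thread or from Juniper) on a constructed topology CE/PE1 - P1 - P2 - PE2 - host; the P loopback addresses and the PE2 address are made up, and a router is assumed to answer a TTL-expired probe only if it holds a route back to the VPN source:

```python
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    ip: str
    core: bool = False   # P router: label-switched only, holds no VPN routes


# Constructed topology (not the poster's exact one): CE/PE1 - P1 - P2 - PE2 - host
PATH = [
    Hop("PE1", "172.20.23.1"),
    Hop("P1", "10.0.0.1", core=True),       # constructed loopback address
    Hop("P2", "10.0.0.2", core=True),       # constructed loopback address
    Hop("PE2", "10.0.0.3"),                 # constructed address
    Hop("host", "192.168.1.2"),
]


def traceroute(path, propagate_ttl=True, max_ttl=30):
    """Simulate traceroute probes sent from the CE side.

    Returns a list of (ttl, answer) tuples; answer is the responding IP
    or '*' when the hop that expired the probe has no route back to the source.
    """
    # With no-propagate-ttl the ingress PE writes TTL 255 into the label stack,
    # so no P router ever sees a label TTL of 1: every probe transits the core
    # (case 3) and the P routers vanish from the path the probes "see".
    visible = path if propagate_ttl else [h for h in path if not h.core]
    out = []
    for ttl in range(1, min(max_ttl, len(visible)) + 1):
        hop = visible[ttl - 1]              # a probe with TTL n expires at hop n
        if hop is visible[-1]:
            out.append((ttl, hop.ip))       # destination: ICMP port unreachable (case 2)
            break
        # case 1: TTL expired. The reply only reaches the source if this hop can
        # route back into the VPN, which a P router cannot.
        out.append((ttl, "*" if hop.core else hop.ip))
    return out


def render(trace):
    return "\n".join(f"{ttl:>2}  {answer}" for ttl, answer in trace)


if __name__ == "__main__":
    print("default (IP TTL propagated into the label stack):")
    print(render(traceroute(PATH)))
    print("\nwith no-propagate-ttl on the ingress PE:")
    print(render(traceroute(PATH, propagate_ttl=False)))
```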