Hi
It's good to know the operation of traceroute. The source sends UDP packets with invalid ports one after another with an incremental TTL value.
Case 1: When the router receives a packet not destined to it, it will first check the TTL value of the packet. If the received packet has a TTL value of 1, it will drop the packet and send the ICMP TTL expired packet (code 11) back to the source.
Case 2: When the router receives a packet destined to itself but with an invalid UDP port (like above 32000), it will drop the packet and send the ICMP port unreachable packet (code 3) back to the source.
Case 3: When the router receives a packet not destined to it and having a TTL of more than 1, it will just do the routing and will not drop the packet.
The source first sends the UDP packet to the actual destination with TTL 1. The immediate next-hop router finds case 1 and sends the ICMP TTL expired packet (code 11) back to the source, using its own IP as the source of the packet. So the source knows the first hop in the traceroute. Now the source sends the UDP packet with TTL 2 and the second hop drops the packet, and it continues till the last hop (actual destination) receives the UDP packet with TTL 1 and, using case 1, drops the packet. So in this way the source knows all the hops in the path to the destination.
NOTE:
If any hop does not have a route back to the source, then it cannot send the ICMP TTL expired packet (code 11) to the source, and a timeout will be shown instead of its IP in the traceroute output. Similarly, if the router receives the traceroute packet with a TTL greater than 1, then it will not drop the packet and will not appear in the traceroute.
This theory also applies to IP/MPLS L3VPN. All P routers do not have a route for the source (VPN routes only exist on PE routers), so their IPs will not appear in the traceroute output.
If you do not want to see "timeout for P routers", you can use the icmp-tunneling OR no-propagate-ttl/no-decrement-ttl knobs of MPLS.
- Due to the no-propagate-ttl/no-decrement-ttl knob, the ingress PE will not copy the TTL value of the IP packet into the MPLS label header, and the TTL value in the MPLS header will be 255. So the traceroute packet from the source (CE) will not be dropped by any P router, using case 3. So the whole IP/MPLS network will not appear in the traceroute output.
- Due to icmp-tunneling, the first P router will drop the traceroute packet with TTL 1 BUT will not send the ICMP TTL expired message to the source; instead, all P routers will keep doing the label switching for this ICMP TTL expired message until it reaches the CE router and the CE router sends back this ICMP TTL expired message, so the ingress CE will see only the remote CE and the whole IP/MPLS network will not be shown in the traceroute output.
HTH
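
An added example, not part of the original post: a small Python model of the three cases that shows why P routers time out in an L3VPN traceroute and why they disappear when the TTL is not propagated. The hop names, the `Hop` class and the simplified handling of no-propagate-ttl (P routers leave the IP TTL untouched) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    is_p: bool = False             # MPLS core (P) router, label-switches only
    route_to_source: bool = True   # False: cannot return ICMP to the source

def probe(path, ttl, propagate_ttl=True):
    """Model one UDP probe; return (responder, icmp_message) or None on timeout."""
    for i, hop in enumerate(path):
        if i == len(path) - 1:
            # Case 2: packet is addressed to this node, UDP port is invalid.
            return (hop.name, "port-unreachable") if hop.route_to_source else None
        if hop.is_p and not propagate_ttl:
            # Assumed model of no-propagate-ttl: the label TTL starts at 255 and
            # the IP TTL is left untouched inside the MPLS core.
            continue
        if ttl == 1:
            # Case 1: TTL expires here; the reply needs a route back to the source.
            return (hop.name, "ttl-expired") if hop.route_to_source else None
        ttl -= 1  # Case 3: forward the packet with a decremented TTL.
    return None

def traceroute(path, propagate_ttl=True, max_ttl=30):
    """Return one entry per TTL: the responder name, or '*' for a timeout."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl, propagate_ttl)
        rows.append(reply[0] if reply else "*")
        if reply and reply[1] == "port-unreachable":
            break  # destination reached
    return rows

# Constructed sample paths as seen from the source CE (names are hypothetical).
PLAIN = [Hop("PE1"), Hop("P1"), Hop("P2"), Hop("PE2"), Hop("CE2")]
L3VPN = [Hop("PE1"), Hop("P1", True, False), Hop("P2", True, False),
         Hop("PE2"), Hop("CE2")]

if __name__ == "__main__":
    print(traceroute(PLAIN))                       # every hop answers
    print(traceroute(L3VPN))                       # P routers show as timeouts
    print(traceroute(L3VPN, propagate_ttl=False))  # P routers are skipped
```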