No mpls ip propagate-ttl

When the IP packet first becomes labeled on the ingress PE router, the following rule is observed:

■ When an IP packet is first labeled, the TTL field is copied from the IP header to the TTL fields of all the labels in the label stack after being decremented by 1.

You can change that default behavior with the command no mpls ip propagate-ttl [forwarded | local]. The command no mpls ip propagate-ttl stops the copying of the IP TTL to the TTL fields in the MPLS labels. In that case, the TTL fields in the labels are set to 255. The result of this is that for a traceroute on the local CE router to the remote CE router, the topology of the MPLS network is hidden from the customer because the MPLS routers (except the ingress PE) are skipped. By default, the traceroute from the local CE router to the remote CE router looks like the output in Example 13-5.

Example 13-5 Example of Traceroute in MPLS VPN Network

london-ce#traceroute 10.1.2.1

Type escape sequence to abort.
Tracing the route to 10.1.2.1

1 10.1.1.2 4 msec 0 msec 4 msec         (ingress PE)
2 10.200.200.2 28 msec 28 msec 32 msec  (P)
3 10.200.201.2 28 msec 28 msec 28 msec  (P)
4 10.1.3.2 16 msec 20 msec 16 msec      (egress PE)
5 10.1.3.1 12 msec 12 msec 12 msec      (remote CE)

If you configure no mpls ip propagate-ttl on the PE routers, the output of the traceroute looks like Example 13-6. The P routers and egress PE router are removed from the traceroute. As such, the customer in the VPN cannot see the P routers when tracerouting through the MPLS network.

Example 13-6 Example of Traceroute in MPLS VPN Network with no mpls ip propagate-ttl

london-ce#traceroute 10.1.2.1

Type escape sequence to abort.
Tracing the route to 10.1.2.1

1 10.1.1.2 4 msec 4 msec 0 msec     (ingress PE)
2 10.1.3.1 16 msec 12 msec 12 msec  (remote CE)

The TTL propagates throughout the MPLS network in the labels, as shown in Figure 13-9.

Figure 13-9 Tracerouting in an MPLS VPN Network: no mpls propagate-ttl: Probe 2

[Figure 13-9: probe 2 of the CE-to-CE traceroute (UDP from 10.1.1.1 to 10.1.2.1, destination port 35678, IP TTL = 2). The ingress PE decrements the IP TTL to 1 and imposes the IGP and VPN labels; the P routers 10.200.200.2 and 10.200.201.2 decrement only the label TTL; the egress PE does not copy the label TTL into the IP header because MPLS TTL > IP TTL; the remote CE (Loopback 0 10.1.2.1) answers with an ICMP port unreachable sourced from 10.1.3.1, which travels back with TTL 255 down to 251.]

You can see now that the second probe already triggers an ICMP message "port unreachable" on the remote CE router. This causes the traceroute to terminate after sending the second probe.

NOTE You can see in Example 13-6 that the egress PE is not shown in the CE-to-CE traceroute when no mpls ip propagate-ttl is configured on the ingress PE router. Since Cisco IOS 12.3(13), 12.3(13)T, and 12.0(31)S, the egress PE router is shown even when no mpls ip propagate-ttl is configured on the ingress PE router. When the egress PE router runs one of the preceding Cisco IOS releases and the MPLS TTL is greater than or equal to the IP TTL, the egress PE checks the TTL value of the IP packet even when the outgoing label is "No Label." If the IP TTL is 1 or 0, the egress PE generates the ICMP TTL expired message. If the IP TTL is greater than 1, the IP TTL is decremented by 1, and the packet is forwarded.

The result is basically that the customer in his VPN sees the MPLS cloud as only one hop when tracerouting through it. In Figure 13-9, you can also see that the TTL value from the label is not copied into the TTL field of the IP header on the egress PE router. That is because the MPLS TTL value is greater than the TTL value in the IP header. Imagine that the MPLS TTL value is copied into the IP header on the egress PE router. In that case, the IP TTL value becomes 252. If that packet again arrives on the ingress PE router because of a routing loop, the MPLS TTL value is set to 255 again. That packet loops forever because neither the MPLS TTL nor the IP TTL ever reaches 0, and the packet is never dropped.

A drawback of this command is that when the service provider performs a traceroute in his network (from ingress PE to egress PE), he has the same result and sees his own network as only one hop. This obviously makes troubleshooting a bit painful. Therefore, it might be better for the service provider to configure no mpls ip propagate-ttl forwarded on his PE routers. Disabling TTL propagation of forwarded packets allows only the structure of the MPLS network to be hidden from customers, but not the service provider in an MPLS VPN network. If no mpls ip propagate-ttl forwarded is used, the TTL value from the IP header is not copied into the TTL fields of the labels for the packets that are switched through the ingress LSR. The TTL value is, however, copied for the locally generated packets on the ingress LSR. An illustrative example of the latter case is an MPLS VPN network with no mpls ip propagate-ttl forwarded configured on the ingress PE. The TTL value is not copied for packets that are received from the CE router, but it is copied into the labels for packets that are locally generated on the ingress PE router, such as for a traceroute in the VRF on the ingress PE router. Example 13-7 illustrates this. The first traceroute is what the customer sees from the CE router, and the second traceroute is what the service provider sees from the PE router.

Example 13-7 Example of Traceroute in an MPLS VPN Network with no mpls ip propagate-ttl forwarded

london(config)#no mpls ip propagate-ttl forwarded

london-ce#traceroute 10.1.2.1

Type escape sequence to abort.
Tracing the route to 10.1.2.1

2 10.1.3.1 12 msec 12 msec 12 msec

london#traceroute vrf cust-one 10.1.2.1

Type escape sequence to abort.
Tracing the route to 10.1.2.1

1 10.200.200.2 [MPLS: Labels 19/28 Exp 0] 28 msec 28 msec 28 msec
2 10.200.203.2 [MPLS: Labels 16/28 Exp 0] 32 msec 28 msec 28 msec
3 10.1.3.2 [MPLS: Label 28 Exp 0] 16 msec 20 msec 16 msec
4 10.1.3.1 12 msec 12 msec 12 msec

NOTE The command mpls ip propagate-ttl really only makes sense on edge LSRs or PE routers, because the command only affects copying the IP TTL to the TTL field in the labels. The label imposition of customer IP packets happens only on edge LSRs, so configuring this command on all your P routers is not really beneficial.
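To make the three TTL behaviours above (default propagation, no mpls ip propagate-ttl, and the forwarded keyword, plus the newer-IOS egress check from the NOTE) concrete, here is an added simulation that is not from the book or from Cisco IOS: a constructed model of one PE-P-P-PE path that reports which router answers each traceroute probe. The path addresses are taken from Example 13-5; the function names, the mode strings, and the egress_checks_ip_ttl switch are assumptions of this example.

```python
# Constructed model (added example, not book code); addresses follow Example 13-5.
PATH = [
    ("ingress PE", "10.1.1.2"),
    ("P", "10.200.200.2"),
    ("P", "10.200.201.2"),
    ("egress PE", "10.1.3.2"),   # replies from its VRF-facing address
    ("remote CE", "10.1.3.1"),   # 10.1.2.1 (Loopback 0) is the probe target
]

def probe(ip_ttl, mode, origin="ce", egress_checks_ip_ttl=False):
    """Answer to one probe: mode is "propagate", "no-propagate" or "forwarded";
    origin is "ce" (packet labeled at the ingress PE) or "pe" (traceroute vrf
    on the PE); egress_checks_ip_ttl models the newer IOS behaviour in the NOTE."""
    propagate = mode == "propagate" or (mode == "forwarded" and origin == "pe")
    hops, mpls_ttl = PATH, None
    if origin == "pe":                       # locally generated: labeled as sent
        hops, mpls_ttl = PATH[1:], ip_ttl if propagate else 255
    for role, addr in hops:
        if role == "ingress PE":
            ip_ttl -= 1                      # normal IP forwarding decrement first
            if ip_ttl == 0:
                return role, addr
            mpls_ttl = ip_ttl if propagate else 255   # label imposition rule
        elif role == "P":
            mpls_ttl -= 1                    # P routers touch only the label TTL
            if mpls_ttl == 0:
                return role, addr
        elif role == "egress PE":
            mpls_ttl -= 1                    # label popped, label TTL decremented
            if mpls_ttl == 0:
                return role, addr
            if mpls_ttl < ip_ttl:            # copied back only when it is smaller
                ip_ttl = mpls_ttl
            elif egress_checks_ip_ttl:       # MPLS TTL >= IP TTL: newer IOS checks IP TTL
                if ip_ttl <= 1:
                    return role, addr
                ip_ttl -= 1
        else:                                # destination: ICMP port unreachable
            return role, addr

def traceroute(mode, origin="ce", egress_checks_ip_ttl=False, max_ttl=30):
    """Collect the answering routers probe by probe until the remote CE replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = probe(ttl, mode, origin, egress_checks_ip_ttl)
        hops.append((ttl,) + hop)
        if hop[0] == "remote CE":
            break
    return hops
```

traceroute("propagate") reproduces the five hops of Example 13-5, traceroute("no-propagate") the two hops of Example 13-6, and traceroute("forwarded", origin="pe") the four hops the provider sees in Example 13-7.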

The IP address that you notice in the output of the traceroute command is the source IP address of the ICMP packet. The router that generates the ICMP message uses the IP address of the interface on which the original packet was received as the source IP address of the ICMP message. An exception to this rule occurs when performing a traceroute from within a VRF. The egress PE router does not use the IP address of the incoming interface because this IP address is in the global routing table. Rather, the egress PE router uses an IP address of the VRF as the source IP address of the ICMP message. This means that the output of the traceroute does not show IP addresses from inside the MPLS cloud if a traceroute is performed from a CE router through the MPLS cloud and the PE routers have no mpls ip propagate-ttl or no mpls ip propagate-ttl forwarded configured.
