12-21-2018 12:33 PM
I have started noticing that the MPLS VPN exit nodes respond to traceroute with the VRF address, and not the ingress address as I typically expect. From web searches I can find people mentioning this in passing. Does anyone know where this behavior is officially documented?
As an example, a traceroute through the network above produces the following output:
PE1 responds with 10.0.0.2 (ingress address)
PE2 responds with 10.0.0.9 (VRF address)
CE2 responds with 10.0.0.10 (ingress address)
I've been looking for official documentation of this behavior but can't find it.
Solved! Go to Solution.
12-21-2018 01:14 PM
Hi,
The use of Ingress interface address on remote PE will result in leaking internal network information. So it uses the VRF address.
HTH,
Nagendra
12-21-2018 01:14 PM
Hi,
The use of Ingress interface address on remote PE will result in leaking internal network information. So it uses the VRF address.
HTH,
Nagendra
12-21-2018 01:19 PM
Thanks for the reply! Any chance you know of specific documentation somewhere? I was hoping to be able to point to it when discussing this.
12-21-2018 10:19 PM
On this post you will find helpful information:-https://community.cisco.com/t5/networking-documents/mpls-and-traceroute/ta-p/3165500
This is my understanding: On the ingress PE router, the ICMP TTL-expired message is sourced from the ingress interface. Also on the P routers, the ICMP TTL-expired messages are sourced from the ingress interfaces. However, on the exit PE router, the ICMP TTL-expired message is sourced from the interface associated with the customer VRF because of the VPN Label (not the Transport Label); the traffic will be pushed to the customer VRF table where the egress interface is the available interface to respond (with ICMP TTL-expired message).
HTH,
Meheretab
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: