MPLS VPN Traceroute

amarder
Level 1

I have started noticing that the MPLS VPN exit nodes respond to traceroute with the VRF address, and not the ingress address as I typically expect. From web searches I can find people mentioning this in passing. Does anyone know where this behavior is officially documented?

 

mpls.png

 

As an example, a traceroute through the network above produces the following output:

PE1 responds with 10.0.0.2 (ingress address)

PE2 responds with 10.0.0.9 (VRF address)

CE2 responds with 10.0.0.10 (ingress address)

 

I've been looking for official documentation of this behavior but can't find it.

Accepted Solutions

Nagendra Kumar Nainar
Cisco Employee

Hi,

 

The use of the ingress interface address on the remote PE will result in leaking internal network information, so it uses the VRF address.

 

HTH,

Nagendra


Thanks for the reply! Any chance you know of specific documentation somewhere? I was hoping to be able to point to it when discussing this.

 

On this post you will find helpful information: https://community.cisco.com/t5/networking-documents/mpls-and-traceroute/ta-p/3165500

 

This is my understanding: On the ingress PE router, the ICMP TTL-expired message is sourced from the ingress interface. Also on the P routers, the ICMP TTL-expired messages are sourced from the ingress interfaces. However, on the exit PE router, the ICMP TTL-expired message is sourced from the interface associated with the customer VRF because of the VPN Label (not the Transport Label); the traffic will be pushed to the customer VRF table where the egress interface is the available interface to respond (with ICMP TTL-expired message).

 

HTH,

Meheretab
