Beginner

SVI is not responding to traceroute with TTL expired

I have a router where the SVI interfaces are not responding with TTL expired. This includes Null0 as well.

Advisor

SVI is not responding to traceroute with TTL expired

Hi,

Can you explain further, please?

Regards.

Alain

Don't forget to rate helpful posts.

Beginner

SVI is not responding to traceroute with TTL expired

Assume a scenario where I have three routers A -> B -> C. OSPF is running on all the routers and all P-P interfaces are part of area 0. C's SVI interface has the IP segment 10.241.3.1/24 (this is part of area 3). C is summarising this as 10.241.0.0/16 (area range command) and advertising it. In this case, when I do a trace from router A to the destination 10.241.3.1 (active interface on router C), the trace gets dropped at router C. Whereas when I do a trace to a non-active IP, 10.241.54.1, from A, it gets dropped at router B.

If the same is done after replacing router C: in the first case, where I trace 10.241.3.1, the trace gets completed at router C (in the previous case it comes till here, after which I get * * *). In the second case, where I trace 10.241.54.1, it comes till router C and gets dropped (in the previous case it drops at router B).


VIP Mentor

SVI is not responding to traceroute with TTL expired

ashvanth

OSPF is running in all the routers and all P-P interfaces are part of area 0
C's SVI interface has the IP segment 10.241.3.1/24 (this is a part of area 3)

Can you post your config for the 3 routers?

res

Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Beginner

SVI is not responding to traceroute with TTL expired

Sorry, I'm not allowed to share the complete configuration. Hope the configurations below help. Since router 2 is a PE, I don't have its configuration.

ROUTER 3:

!
interface Vlan4
 ip address 10.241.3.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
end

router ospf 1
 nsf
 area 3 nssa no-summary
 area 3 range 10.241.0.0 255.255.0.0
 network 10.241.3.0 0.0.0.255 area 3
 network 117.211.128.128 0.0.0.3 area 0
!
interface GigabitEthernet3/1
 ip address 117.211.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end

ROUTER 1:

router ospf 1
 nsf
 network 117.212.128.128 0.0.0.3 area 0

interface GigabitEthernet3/1
 ip address 117.212.128.129 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip ospf network point-to-point
 ip ospf mtu-ignore
 speed 100
 duplex full
end

Beginner

Re: SVI is not responding to traceroute with TTL expired

Traceroutes aren't working because you've disabled ICMP unreachables via the "no ip unreachables" interface commands.


Re: SVI is not responding to traceroute with TTL expired

You have disabled ICMP unreachables; here is a little information to help you understand ICMP unreachable.

This table is from IANA and shows the various types:

3 Destination Unreachable [RFC792]

Codes:

0 Net Unreachable [RFC792]
1 Host Unreachable [RFC792]
2 Protocol Unreachable [RFC792]
3 Port Unreachable [RFC792]
4 Fragmentation Needed and Don't Fragment was Set [RFC792]
5 Source Route Failed [RFC792]
6 Destination Network Unknown [RFC1122]
7 Destination Host Unknown [RFC1122]
8 Source Host Isolated [RFC1122]
9 Communication with Destination Network is Administratively Prohibited [RFC1122]
10 Communication with Destination Host is Administratively Prohibited [RFC1122]
11 Destination Network Unreachable for Type of Service [RFC1122]
12 Destination Host Unreachable for Type of Service [RFC1122]
13 Communication Administratively Prohibited [RFC1812]
14 Host Precedence Violation [RFC1812]
15 Precedence cutoff in effect [RFC1812]


As you can see, "Fragmentation Needed and Don't Fragment was Set" is one of those. So yes, PMTUD will be impacted when you configure no unreachables.

Also, since the Cisco/Unix traceroute is based on sending UDP packets and looking for the Port Unreachable message to indicate that the probe has reached the destination, disabling unreachables will break the traceroute.

From a security standpoint, when you harden a device you want to minimize the amount of information that the device provides about itself to others, and disabling unreachables helps achieve this. But from the standpoint of things that help our network work better, the unreachable is helpful.

So you have two different points of view and their positions on unreachables. So which is more important: hardening devices by reducing the information they provide, or helping the network to run better?

Best Regards,

Manouchehr
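As an added illustration (not part of any post in this thread), a small Python model of the UDP traceroute mechanism described above: Time Exceeded replies from intermediate hops survive "no ip unreachables", while the final Port Unreachable (type 3, code 3) does not, which is what turns the last line into "* * *". The hop addresses and the SVI address are taken from the thread; the PE's behaviour and the choice to check TTL before local delivery are modelling assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Router:
    ingress: str            # address used in Time Exceeded replies (taken from the thread)
    owned: frozenset        # addresses configured on the router
    ip_unreachables: bool   # False models "no ip unreachables" on its interfaces

def send_probe(path, dst, ttl):
    """Forward one UDP probe (to an unused port) hop by hop; return (reply_kind, reply_addr)."""
    for r in path:
        ttl -= 1
        if ttl == 0:
            # ICMP Time Exceeded (type 11) is not a type-3 "unreachable", so
            # "no ip unreachables" does not suppress it and the hop still shows up.
            # Modelling assumption: the TTL is checked before local delivery.
            return "time-exceeded", r.ingress
        if dst in r.owned:
            # Delivered locally: a UDP probe to a closed port normally yields
            # ICMP Destination Unreachable / Port Unreachable (type 3, code 3),
            # exactly the message "no ip unreachables" disables.
            return ("port-unreachable", dst) if r.ip_unreachables else ("*", None)
    return "*", None   # ran off the end of the path: no reply at all

def traceroute(path, dst, max_ttl=3, probes=3):
    """Render IOS-style hop lines; stop once a Port Unreachable marks the destination."""
    lines = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(path, dst, ttl) for _ in range(probes)]
        addr = next((a for _, a in replies if a), None)
        lines.append(f"{ttl} {addr}" if addr else f"{ttl} " + " ".join("*" * probes))
        if any(kind == "port-unreachable" for kind, _ in replies):
            break
    return lines

# Constructed topology mirroring the thread: A -> B (PE, hop 1) -> C (hop 2, owns the SVI).
B = Router("117.212.128.130", frozenset({"117.212.128.130"}), ip_unreachables=True)
C = Router("117.211.128.129", frozenset({"117.211.128.129", "10.241.3.1"}), ip_unreachables=False)

def compare(dst="10.241.3.1"):
    """Same trace with C as configured (no ip unreachables) and with unreachables re-enabled."""
    return {
        "no ip unreachables": traceroute([B, C], dst),
        "ip unreachables": traceroute([B, replace(C, ip_unreachables=True)], dst),
    }

if __name__ == "__main__":
    for label, hops in compare().items():
        print(f"--- C with {label}")
        print("\n".join(hops))
```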

Beginner

SVI is not responding to traceroute with TTL expired

But if you see, the trace to 10.241.3.1 gets completed. Only traces to non-existing segments in the 10.241.0.0/16 range get dropped.

Hall of Fame Cisco Employee

SVI is not responding to traceroute with TTL expired

Hello,

Can you post the exact outputs of the traceroute command? The verbal description of "what gets dropped where" is not very precise - the outputs will hopefully be more definitive.

Best regards,

Peter

Beginner

SVI is not responding to traceroute with TTL expired

A#traceroute 10.241.3.1
Type escape sequence to abort.
Tracing the route to 10.241.3.1
  1 117.212.128.130 4 msec 0 msec 4 msec
  2 117.211.128.129 0 msec 4 msec 0 msec
  3  *  *  *

----------------------------------------------------------------------

A#traceroute 10.241.6.1
Type escape sequence to abort.
Tracing the route to 10.241.6.1
  1 117.212.128.130 4 msec 0 msec 0 msec
  2  *

----------------------------------------------------------------------