[nsp] Antwort: Re: Antwort: Re: [MPLS-OPS]: traceroute question

Yves at Fauser.de Yves at Fauser.de
Tue Feb 18 20:25:18 EST 2003


Hi,
it took me some time to answer because I had to build up a test bed first. 
I did not want to do anything in the production network. I have some more 
details now.
Here's what happens :

TTL=2 : -- The P Device sends the "icmp time exceeded" up the LSP to the PE2 Device :
1d02h: TAG: GE3/1: recvd: CoS=0, TTL=1, Tag(s)=4114
1d02h: TAG: GE3/3: xmit: CoS=6, TTL=255, Tag(s)=4112
1d02h: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
1d02h: TAG: GE3/1: recvd: CoS=0, TTL=1, Tag(s)=4114
1d02h: TAG: GE3/3: xmit: CoS=6, TTL=255, Tag(s)=4112
1d02h: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
1d02h: TAG: GE3/1: recvd: CoS=0, TTL=1, Tag(s)=4114
1d02h: TAG: GE3/3: xmit: CoS=6, TTL=255, Tag(s)=4112
1d02h: ICMP: timeexceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)

TTL =3 : -- The PE Device sends the "icmp time exceeded" to the next-hop of the static route (out of GE2/2.123) :
01:38:22: TAG: GE2/3: recvd: CoS=0, TTL=1, Tag(s)=4112
01:38:22: TAG: GE2/2.123: xmit: (no tag)
01:38:22: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
01:38:27: TAG: GE2/3: recvd: CoS=0, TTL=1, Tag(s)=4112
01:38:27: TAG: GE2/2.123: xmit: (no tag)
01:38:27: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
01:38:31: TAG: GE2/3: recvd: CoS=0, TTL=1, Tag(s)=4112
01:38:31: TAG: GE2/2.123: xmit: (no tag)
01:38:31: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)

Here's the Setup of the test bed :

Laptop -- 10.10.110.0/24 -- PE1 (c7204) ----- P (cat6509) ---- PE2 (cat6513) --10.10.90.0/24 --- Laptop (Fake CE router)  --- "non-existent subnet 10.10.90.0/24"

We have also put a Sniffer between the P and PE2, and we saw the packets 
sent to PE2 by the P Device, but there was no debug output on PE2 for 
that.
Still I'm not sure if this is what I should expect to see, or is there 
something wrong here ?
Another thing which we found out in the test bed is that there is a 
difference between a static route pointing to an external (E2) network 
and an internal network. If we include the transit subnet to which the 
static route is pointing in the OSPF network command range, then PHP is 
done on the P device. If we redistribute the transit subnet via 
redistribute connected, no PHP is done. Is there any wider sense in doing 
so ? 

Cheers, Yves
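
The debug output above, as an added example that is not part of the original message: a small Python parser that groups the "debug tag packet" / "debug ip icmp" lines per expired packet and reports whether the router sent the ICMP time exceeded onward with a label or untagged. The sample lines are constructed from the output quoted above; the router names used as dictionary keys and the "/" separator for multi-label stacks are assumptions.

```python
import re

# Constructed sample in the shape of the debug lines in the message above
# (wrapped lines rejoined); the keys "P" and "PE2" are labels added here.
SAMPLE = {
    "P": """\
1d02h: TAG: GE3/1: recvd: CoS=0, TTL=1, Tag(s)=4114
1d02h: TAG: GE3/3: xmit: CoS=6, TTL=255, Tag(s)=4112
1d02h: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
""",
    "PE2": """\
01:38:22: TAG: GE2/3: recvd: CoS=0, TTL=1, Tag(s)=4112
01:38:22: TAG: GE2/2.123: xmit: (no tag)
01:38:22: ICMP: time exceeded (time to live) sent to 10.10.110.2 (dest was 10.10.90.1)
""",
}

TAG_RE = re.compile(r"TAG: (?P<intf>\S+): (?P<dir>recvd|xmit): (?P<rest>.*)")
ICMP_RE = re.compile(r"ICMP: time\s*exceeded .* sent to (?P<to>\S+) \(dest was (?P<dest>[\d.]+)\)")
LABELS_RE = re.compile(r"Tag\(s\)=([\d/]+)")  # assumption: stacks print as 4112/17

def labels(rest):
    """Return the label stack of a TAG line as a list; empty for '(no tag)'."""
    m = LABELS_RE.search(rest)
    return [int(x) for x in m.group(1).split("/")] if m else []

def summarize(log):
    """Group recvd / xmit / ICMP lines into one event per expired packet."""
    events, cur = [], {}
    for line in log.splitlines():
        tag, icmp = TAG_RE.search(line), ICMP_RE.search(line)
        if tag and tag["dir"] == "recvd":
            cur = {"in_intf": tag["intf"], "in_labels": labels(tag["rest"])}
        elif tag and cur:
            cur.update(out_intf=tag["intf"], out_labels=labels(tag["rest"]))
        elif icmp and "out_intf" in cur:
            cur.update(icmp_to=icmp["to"], orig_dest=icmp["dest"])
            # A labeled xmit means the reply continues along the expired packet's LSP.
            cur["reply_path"] = "label-switched" if cur["out_labels"] else "untagged"
            events.append(cur)
            cur = {}
    return events

if __name__ == "__main__":
    for router, log in SAMPLE.items():
        for e in summarize(log):
            print(router, e["in_intf"], e["in_labels"], "->", e["out_intf"],
                  e["out_labels"] or "no tag", e["reply_path"], "to", e["icmp_to"])
```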





"M. ELK" <elkou141061 at hotmail.com>
18.02.2003 14:22

 
        To:      Yves at Fauser.de
        Cc: 
        Subject: Re: Antwort: Re: [MPLS-OPS]: traceroute question



Yves

Is it possible to run "debug tag packet" and "debug ip icmp"
at P and PE2 ?

Guess that P is forwarding an expired Label packet using
the global routing table while PE2 is doing it using the original
label stack. Have a look at the "mpls ip ttl-expiration pop" cmd.

In other words :
For TTL=2 from the WS, it reaches P with TTL=1.
P removes the top label, detects SA=WS destaddr = EXT netw,
creates an ICMP time exceeded msg with SA=P and DA=WS and uses the
global routing table to route to destination WS, so it forwards the
ICMP IP packet to PE1.

For TTL=3 from the WS, it reaches PE2 with TTL=1,
it creates an ICMP time exceeded packet with SA=PE2 and DA=WS
and uses the original label stack (which is just none) and forwards
toward the Firewall.

Pls cfm this guess with the debug.

Brgds







>From: Yves at Fauser.de
>To: "M. ELK" <elkou141061 at hotmail.com>
>CC: cisco-nsp at puck.nether.net, mpls-ops at mplsrc.com
>Subject: Antwort: Re: [MPLS-OPS]: traceroute question
>Date: Tue, 18 Feb 2003 10:47:27 +0100
>
>1- Quote : I read this in the Cisco Pepelnjak / Guichard Book "MPLS and
>VPN Architectures" in the Note on Page 41.
>---- SNIP -----
>Penultimate Hop Popping is used only for directly connected subnets or
>aggregate routes. In the case of directly connected interface, a Layer3
>lookup is necessary to obtain the correct next-hop information for a
>packet that is sent toward a directly connected destination. If the
>prefix is an aggregate, a Layer3 lookup also is necessary to find a more
>specific route that then is used to route the packet toward its correct
>destination. In all other cases, the Layer2 outbound packet information
>is available within the LFIB and, therefore, a Layer3 lookup is not
>necessary and the packet can be label switched."
>---- SNIP ----
>I did not find any other document yet which states the same. Therefore
>this may be Cisco specific.
>
>2- Quote : You're right in your doubt, I thought the same. I thought maybe
>this is because PE2 has an LFIB entry, maybe it switches the packet
>directly outbound to the FireWall without doing any lookup as stated in
>Quote 1 by Pepelnjak. But anyhow I would still expect to see the "TTL
>Exceed" from the P Device also.
>
>3 --
>PE2#sh tag forwarding-table tags 4731 detail
>Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
>tag    tag or VC   or Tunnel Id        switched   interface
>4731   Untagged    xxx.xxx.211.0/26    13571135   GE2/2.200  xxx.xxx.244.14
>         MAC/Encaps=0/0, MTU=1504, Tag Stack{}
>     Per-packet load-sharing
>
>PE2#sh ip cef xxx.xxx.211.0 int
>134.247.211.0/26, version 732, epoch 0, cached adjacency 134.247.244.14
>0 packets, 0 bytes
>   tag information set, unshareable
>     local tag: 4731
>   via xxx.xxx.244.14, 0 dependencies, recursive
>     next hop xxx.xxx.244.14, GE-WAN2/2.200 via xxx.xxx.244.14/32
>     valid cached adjacency
>     tag rewrite with GE2/2.200, xxx.xxx.244.14, tags imposed: {}
>
>I only x out the first 2 Bytes, the rest came directly from the device
>(PE2).
>
>Cheers, Yves
>
>
>
>
>
>"M. ELK" <elkou141061 at hotmail.com>
>18.02.2003 07:54
>
>
>         To:      Yves at Fauser.de, mpls-ops at mplsrc.com
>         Cc:      cisco-nsp at puck.nether.net
>         Subject: Re: [MPLS-OPS]: traceroute question
>
>
>Yves
>
>1- Quote
>The external network is learned via static (E2) from PE2. Since the
>prefix is learned via static, there is no PHP on the P device
>Unquote
>
>Is it an observation specific to the setup U are using or is it
>according to a well-known rule ?
>If the latter, pls let me know the reference.
>
>2- quote
>this, since PE2 is sending the "TTL exceeded" message up the LSP to the
>FireWall, which sends it back, as described in RFCs and in various books.
>Unquote
>
>The LSP ends at PE2. The PE2 is the edge of the MPLS domain and not the
>Firewall.
>
>3- Assume the prefix of the external netw is 10.0.0/8,
>     PE2 advertises label L1 to P for such prefix.
>     On PE2, what is the action associated with incoming label L1 ?
>     In other words, what is the output of "sh tag f tags L1 details" ?
>
>Brgds
>
>
>
>
>
> >From: Yves at Fauser.de
> >To: mpls-ops at mplsrc.com
> >CC: cisco-nsp at puck.nether.net
> >Subject: [MPLS-OPS]: traceroute question
> >Date: Mon, 17 Feb 2003 21:50:21 +0100
> >
> >Hi Folks,
> >
> >I have a question which might be an implementation specific issue, or a
> >misunderstanding of some concepts on my part. Here's the setup : - We
> >have a small MPLS Network with 25 PEs and 5 Ps. All of them are
> >Cisco7600 (Catalyst6500) with 4-GE-WAN OSMs. We are still in the
> >migration phase, so our Global-Routing-Table is still used for a bunch
> >of prefixes. We use OSPF in a single area as IGP and TDP.
> >
> >Test WS  ---- PE1  -----  P  ----- PE2 ----|Sniffer|----- FireWall ----- External Network
> >
> >The external network is learned via static (E2) from PE2. Since the
> >prefix is learned via static, there is no PHP on the P device.
> >Now if we do a traceroute from the Test WS (Global RT) to a host in the
> >external network, we get an answer from every hop. What I don't
> >understand is what we see in the Sniffer trace.
> >In the trace the first thing we see is an "ICMP time exceeded" sourced
> >by PE2 and sent to the FireWall with the destination "Test WS". I
> >understand this, since PE2 is sending the "TTL exceeded" message up the
> >LSP to the FireWall, which sends it back, as described in RFCs and in
> >various books.
> >What I don't get is why we don't see the "ICMP Time Exceeded" sent from
> >the P device. If I understood the concepts right, we should see this in
> >the trace, but we don't. Unfortunately I didn't get the chance to do a
> >Sniffer trace between the P and PE2 (lack of a Gigabit-Sniffer). Since
> >we get a response from the P device in the traceroute output, either PE2
> >or P sends the "ICMP TTL Exceed" from the P device back to the
> >workstation.
> >
> >So my main question is : - Should we see a "TTL Exceeded" with a source
> >address of the P device and the workstation as destination in the
> >Sniffer trace, or did I miss something in the concept.
> >
> >Thanks, Yves
>
>
>
>

