[c-nsp] ICMP replay from egress PE

Ivan Pepelnjak ip at ioshints.info
Wed Jun 3 08:23:17 EDT 2009


The only reason I could see for this behavior is the per-platform specific
IP packet processing on the egress PE router.

Obviously the difference between the 7300 and the ASR is the exact moment at
which the TTL is decremented in the switching path. Based on your
description, ASR decrements TTL before LFIB lookup is performed and thus
decrements the label TTL, whereas the 7301 decrements TTL after the LFIB
lookup causes the VPN label to be popped exposing the IP packet and thus
decrements IP TTL.

I am not sure you can get what you used to have with the ASRs.

You could still, though, ping the PE2/PE3 in-VRF IP address from CE1 to
verify that the PE-CE links are up (and I'm positive you know all this), but
obviously cannot perform end-to-end path verification if CE2/CE3 block
traceroute probes. How about inspecting the VRF routing table on PE1? Do you
have access to it?

Interesting behavior, thanks for sharing it!
Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
 

> -----Original Message-----
> From: Pshem Kowalczyk [mailto:pshem.k at gmail.com] 
> Sent: Wednesday, June 03, 2009 4:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ICMP replay from egress PE
> 
> Hi,
> 
> Recently we've upgraded some of our 7301 to ASR (1004). 
> Config remained pretty much the same (from L3VPNs 
> perspective), but it looks like the behaviour of both 
> platforms is somewhat different. I'm not sure if it's a 
> feature or a bug yet.
> 
> We have a typical setup, like this:
> CE1 --- PE1 --- P1 --- P2 --- PE2 --- CE2
>                         |              |
>                         + --- PE3 --- CE3
> 
> So the customer's site is multihomed via PE2 and PE3 and has an 
> internal connection between CE2 and CE3.
> 
> With the 7301, traceroute from CE1 used to show the IP of PE2 or 
> PE3 (egress interface from the VRF); after the upgrade to 
> ASRs, all we can see is PE1's IP and then straight CE2/CE3, 
> but since the customer drops ICMP packets, we can't really see 
> which way it's really going.
> Is there a way to get an ICMP reply from the egress ASR? I 
> understand it switches the packets out through the interface 
> without actually doing any lookups, but even after forcing 
> 'label-per-vrf' we can't see the last hop.
> Any ideas if this behaviour can be corrected?
> 
> kind regards
> Pshem
> 
> 


