[c-nsp] DFZ-in-a-VRF: ASR1k per-ce label TTL troubles

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Wed Mar 18 18:11:10 EDT 2015


Hi Lukas,

That is an interesting "feature".
I would expect the same behaviour in both cases, i.e. with the per-vrf label the router pops the VPN label, finds a packet with TTL 1, decreases it and sends it to the CE.
And in the case of the per-NH label the packet should be switched out the egress interface based on the VPN label, and again the TTL in the IP header is decreased and the packet is sent to the CE, which generates the TTL expired msg upon receipt.

It might be that there's a bug in the code you are running and the "no mpls ip propagate-ttl forwarded" does not work and you need to use just the "no mpls ip propagate-ttl" instead (happened on MEs).
Or something in the production network triggers this, so that it just happens that the PHP node sends a packet with MPLS TTL=0, forcing the egress PE to respond from the core interface IP address, which is the standard behaviour.


adam
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Lukas Tribus
> Sent: 12 March 2015 14:15
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] DFZ-in-a-VRF: ASR1k per-ce label TTL troubles
> 
> Hey guys,
> 
> 
> I hope someone could comment on the following behavior I recently
> encountered:
> 
> I'm running the DFZ in an MPLS VPN on ASR1k as PEs, and recently
> upgraded from 03.09.00S to 03.10.04.S and switched from per-vrf label
> allocation mode (= egress LER has to do an IP lookup) to the new
> per-ce label allocation mode (which basically means per next-hop label
> allocation, avoiding IP lookups on the egress PE).
> 
> I also have "no mpls ip propagate-ttl forwarded" on all boxes, to hide
> the MPLS topology (which is using RFC1918 addressing).
> 
> 
> Since the upgrade and with prefixes covered by a per-ce label (basically
> EBGP sessions with our transits/peers), the egress LER shows up in the
> traceroutes across the MPLS VPN:
> 
> - with "* * *" when uRPF loose mode is enabled on the egressing IP
>   interface
> - with the private IP from the ingress MPLS core link when uRPF is
>   disabled on the egress interface
> 
> Previously (with per-vrf label allocation) the egress LER never showed
> up in the traceroute (which is what I want, or at least it would have to
> use a source IP belonging to that VRF, instead of my RFC1918 core IP).
> 
> Also, when tracerouting to prefixes not covered by the per-ce label
> ("connected" or BGP aggregates for example), the LER correctly doesn't
> show up.
> 
> 
> 
> Why would the egress LER show up when using per-ce label allocation?
> I don't think this behavior is expected, is it?
> 
> 
> Strangely I was not able to reproduce this in a quick lab session, even
> though I used the same platform, code and per-ce label allocation. Not
> sure what I missed there, but I can reliably reproduce this on multiple
> production PEs.
> 
> 
> 
> Regards,
> 
> Lukas
> 
> 