[j-nsp] M7i and M10i problems - TRACE ROUTE
GIULIANO (UOL)
giulianocm at uol.com.br
Wed Apr 25 07:02:37 EDT 2007
People,
Thanks a lot for your answer, but in our case, we are not in an MPLS/VPN
environment.
The Juniper M10i router is in a border location in our network and it
establishes network peering with 5 different telecom operator
companies.
Because we are a cable TV operator, our clients and partners always try to
use TRACEROUTE to see the state of the path. When they try this ... the
border router drops almost 70% of the packets ... only for trace.
Take a look at the Juniper J-TAC answer:
12/14/06 06:02:47
The drops which you see are the default behavior of the router. When a
packet with TTL of 1 hits our router it should send out
"host-unreachable ttl expired" back. But the above message being sent
out is not reaching back and that is why you observe the drops.
Traceroute is exception traffic and not transit traffic. Exception
traffic is handled by the routing engine and it sends out the
"host-unreachable" back to the source. But in our router it is
rate-limited to protect the routing engine. So what you observe is
perfectly normal behaviour.
So, like you said, it looks like a common security procedure to not let
it happen. We will need to adapt to this situation. It's ok.
Thanks a lot,
Giuliano
> Agree with Alex & Paulo, allowing propagate and decrement TTL allows
> your users to see hops in the network and in MPLS LSP deployment why
> allow them to shoot you with bullets of your own making. IMHO best
> common practice: no-propagate / no-decrement TTL.
>
> BTW found this is a useful guide:
> http://checklists.nist.gov/repository/1022.html proves a good pointer in
> setting up your router
>
>
>
> Paulo Estante <estantep at gmail.com> wrote:
>
> Hi Giuliano,
>
> Is this an MPLS-VPN environment?
>
> I think you may be looking for the functionality from RFC4379. If that
> is the case, have a look at Junos 8.1:
> http://www.juniper.net/techpubs/software/junos/junos81/rn-sw-81/rn-new-features.html
> on the "MPLS LSP traceroute supported on transit router" section.
>
> regards,
>
> Paulo Estante
> JNCIE #185
>
>
> On 4/22/07, Alex wrote:
> > Giuliano,
> > AFAIK, the answer is no. On the other hand, if you are using MPLS
> > L3VPN, why would you want your customers to be able to traceroute your
> > network?
> > Have a look into the "no-propagate-ttl" and/or "no-decrement-ttl"
> > knobs, they might be applicable to your situation.
> > Rgds
> > Alex
> >
> > ----- Original Message -----
> > From: "Giuliano Cardozo Medalha"
> > To: "Alex"
> > Cc:
> > Sent: Saturday, April 21, 2007 10:17 PM
> > Subject: Re: [j-nsp] M7i and M10i problems - TRACE ROUTE
> >
> >
> > > Alex,
> > >
> > > Is there some way to avoid or to change this default value?
> > >
> > > Is it possible to configure a firewall filter to increase these
> > > values?
> > >
> > > The problem is that when our customers start TRACES from outside ...
> > > they think our network has problems.
> > >
> > > Thanks a lot,
> > >
> > > Giuliano
> > >> Giuliano,
> > >> On Juniper M-series, there is an ICMP TTL-exceeded rate-limit
> > >> in place: 50 pps per logical interface and 500 pps per box.
> > >> See
> > >> http://puck.nether.net/pipermail/cisco-nsp/2006-June/031717.html
> > >> Rgds
> > >> Alex
> > >>
> > >> ----- Original Message ----- From: "Giuliano Cardozo Medalha"
> > >>
> > >> To:
> > >> Sent: Saturday, April 21, 2007 8:51 PM
> > >> Subject: [j-nsp] M7i and M10i problems - TRACE ROUTE
> > >>
> > >>
> > >>> People,
> > >>>
> > >>> We have a Juniper M10i border router.
> > >>>
> > >>> Since we installed this router on our network ... we have been
> > >>> having problems with the MTR and traceroute programs.
> > >>>
> > >>> Basically ... every trace that passes through the router loses
> > >>> 70% of the packets.
> > >>>
> > >>> PING works just fine ... but TRACE and MTR do not.
> > >>>
> > >>> Juniper said via J-TAC that this is a default config (FACTORY
> > >>> DEFAULT) of the router.
> > >>>
> > >>> Is there some command or way to change this behavior?
> > >>>
> > >>> Thanks a lot,
> > >>>
> > >>> Giuliano
> > >>>
> > >>> _______________________________________________
> > >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >>
> > >>
> > >
> >
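The mechanism the J-TAC reply and Alex's message describe, modelled as an added example that is not part of the thread or of any Juniper code: a transit packet whose TTL has not expired stays in the forwarding plane, while a packet whose TTL expires at the router is exception traffic, and the ICMP Time-Exceeded reply the routing engine generates for it is rate-limited. The 500 pps per-box figure is the one Alex quotes; the token-bucket burst size, hop names, probe spacing, the 1000 concurrent traceroutes and the "drop every 5th packet" fault in the second scenario are all constructed assumptions. The `classify` function encodes the operator's reading rule for MTR output: loss that appears at one hop but does not persist to the destination is a reply-path artefact, loss that continues to the final hop is real.

```python
"""ICMP Time-Exceeded rate limiting as seen from traceroute/MTR (constructed model)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TokenBucket:
    """Token bucket: refills `rate_pps` tokens per second, stores at most `burst`."""
    rate_pps: float
    burst: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_pps)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Hop:
    name: str
    # Limiter on ICMP Time-Exceeded generation by the routing engine (None = unlimited).
    icmp_limiter: Optional[TokenBucket] = None
    # Constructed forwarding-plane fault: drop every Nth packet entering the hop (0 = none).
    transit_drop_every: int = 0
    _ingress_count: int = field(init=False, default=0)

    def ingress(self) -> bool:
        """Packet enters the forwarding plane; only a genuine fault drops it here."""
        self._ingress_count += 1
        return not (self.transit_drop_every and self._ingress_count % self.transit_drop_every == 0)

    def expire(self, t: float) -> bool:
        """TTL reached zero here: the reply is exception traffic, sent only if a token is free."""
        return self.icmp_limiter is None or self.icmp_limiter.allow(t)


def run_traceroutes(path: List[Hop], n_traces: int, window_s: float,
                    probes_per_ttl: int = 3, gap_s: float = 0.01) -> Dict[str, float]:
    """Spread `n_traces` traceroutes evenly over `window_s` seconds and return the
    per-hop loss fraction the users would see. The last hop is the destination host,
    which is assumed to always answer."""
    n_hops = len(path)
    probes = []  # (arrival time, TTL)
    for i in range(n_traces):
        start = i * window_s / n_traces
        for ttl in range(1, n_hops + 1):
            for q in range(probes_per_ttl):
                probes.append((start + ((ttl - 1) * probes_per_ttl + q) * gap_s, ttl))
    probes.sort()  # the limiter must see probes in arrival order

    sent = {h.name: 0 for h in path}
    answered = {h.name: 0 for h in path}
    for t, ttl in probes:
        target = path[ttl - 1]
        sent[target.name] += 1
        # Every hop up to and including the target must forward the probe in hardware.
        if not all(h.ingress() for h in path[:ttl]):
            continue  # lost in the forwarding plane: no reply, and later hops never see it
        if ttl == n_hops or target.expire(t):
            answered[target.name] += 1
    return {h.name: 1 - answered[h.name] / sent[h.name] for h in path}


def classify(loss: Dict[str, float], order: List[str], tol: float = 0.02) -> str:
    """MTR reading rule: loss confined to a transit hop is a reply artefact
    (ICMP rate limiting / control-plane protection); loss that reaches the
    destination is real forwarding loss."""
    final = loss[order[-1]]
    worst_transit = max(loss[n] for n in order[:-1])
    if final > tol:
        return "forwarding-loss"
    if worst_transit > tol:
        return "icmp-rate-limit-artifact"
    return "clean"


HOP_ORDER = ["cpe", "core", "m10i-border", "destination"]


def border_router_scenario() -> Dict[str, float]:
    """About 3000 TTL-expiring probes/s hitting a 500 pps Time-Exceeded limiter (burst assumed 10)."""
    path = [Hop("cpe"), Hop("core"),
            Hop("m10i-border", icmp_limiter=TokenBucket(rate_pps=500, burst=10)),
            Hop("destination")]
    return run_traceroutes(path, n_traces=1000, window_s=1.0)


def real_loss_scenario() -> Dict[str, float]:
    """Same path, but the border hop genuinely drops every 5th packet it receives."""
    path = [Hop("cpe"), Hop("core"), Hop("m10i-border", transit_drop_every=5),
            Hop("destination")]
    return run_traceroutes(path, n_traces=1000, window_s=1.0)


if __name__ == "__main__":
    for scenario in (border_router_scenario, real_loss_scenario):
        loss = scenario()
        print(scenario.__name__, {k: f"{v:.0%}" for k, v in loss.items()},
              "->", classify(loss, HOP_ORDER))
```

Running it shows the pattern from the thread: in the first scenario the border hop reports roughly 80% loss while every other hop, including the destination, reports none, because only the TTL=3 probes ever touch the routing engine's rate-limited reply path; in the second scenario the loss persists to the destination and the same rule flags it as real. Raising the limiter's rate trades that artefact against routing-engine exposure, which is the trade-off the J-TAC answer and the no-propagate/no-decrement advice in the thread are about.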