MPLS IP TTL Propagation
By Bryan Bartik on Wednesday, November 25, 2009 1:27
In this post we will look at what happens to the TTL value of a packet when it enters the MPLS VPN. We will also see how we can change that behavior to hide the provider network from customers.
R4(CE)—R5(PE)—R9(P)—R8(P)—R6(PE)
R4 is a CE router communicating with a VRF on R6.
R6 is a PE but has a loopback in the VRF.
Scenario #1: Default
By default, TTL is propagated and R4 will see each device along the path to R6.
R4’s trace:
1 100.5.4.5 [AS 100] 56 msec
2 100.9.5.9 [MPLS: Labels 901/605 Exp 0] 76 msec
3 100.9.8.8 [MPLS: Labels 800/605 Exp 0] 52 msec
4 192.168.6.6 [AS 100] 44 msec
Summary:
R4 sends packet with TTL of 1.
R5 receives this, decrements the TTL to 0 and sends TTL exceeded back.
R4 sends packet with TTL of 2.
R5 decrements this to 1 and copies the value of 1 to both MPLS label headers.
R9 sends a TTL exceeded message back with MPLS extension field that describes the labels that were on the packet at the time it was received.
R8 does the same as R9.
Finally R6 responds with port unreachable messages.
Scenario #2: TTL Propagation disabled on ingress LSR R5
R5(config)#no mpls ip propagate-ttl
R4’s trace:
1 100.5.4.5 [AS 100] 48 msec
2 192.168.6.6 [AS 100] 72 msec
Summary:
R4 sends packet with TTL of 1.
R5 receives this, decrements the TTL to 0 and sends TTL exceeded back.
R4 sends packet with TTL of 2.
R5 decrements this to 1 and imposes 2 labels but puts the TTL at 255.
The packet makes it through the entire MPLS network before expiring this time at R6.
Scenario #3: TTL Propagation allowed for traffic generated from LSR
In Scenario 2 we prevented the TTL from the IP header from being copied to the MPLS TTL field. This hides the provider network from the customer but also from us on the PE devices!
R5#trace vrf VPNA 192.168.6.6
Type escape sequence to abort.
Tracing the route to 192.168.6.6
1 192.168.6.6 88 msec * 64 msec
R5#
We have another option that allows the ingress LSR to copy the IP TTL field if it is the router generating the packet.
R5(config)#no mpls ip propagate-ttl ?
forwarded Propagate IP TTL for forwarded traffic
local Propagate IP TTL for locally originated traffic
<cr>
R5(config)#mpl ip propagate-ttl
R5(config)#no mpls ip propagate-ttl forwarded
Notice we have to enable it globally, then disable the forwarded option. Now let’s look at our traces.
R4 doesn’t see the P routers:
R4#trace 192.168.6.6
Type escape sequence to abort.
Tracing the route to 192.168.6.6
1 100.5.4.5 [AS 100] 16 msec 84 msec 36 msec
2 192.168.6.6 [AS 100] 40 msec * 56 msec
R4#
R5 does:
R5#trace vrf VPNA 192.168.6.6
Type escape sequence to abort.
Tracing the route to 192.168.6.6
1 100.9.5.9 [MPLS: Labels 901/605 Exp 0] 80 msec 76 msec 28 msec
2 100.9.8.8 [MPLS: Labels 801/605 Exp 0] 40 msec 28 msec 28 msec
3 192.168.6.6 48 msec
R5#
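To tie the three scenarios together, here is a small hop-by-hop model (added here as an example; it is not code from the post or from Cisco) of how the ingress LSR's propagate-ttl setting decides which routers answer a traceroute. It assumes the post's topology (R4 CE, R5 ingress PE, R9/R8 P routers, R6 egress PE), ignores penultimate hop popping, and treats the egress PE as the destination that always answers.

```python
# Topology from the post: CE -- PE -- P -- P -- PE (R6 is the trace target).
INGRESS_PE, P_ROUTERS, EGRESS_PE = "R5", ["R9", "R8"], "R6"


def label_ttl(ip_ttl, propagate_forwarded, propagate_local, locally_originated):
    """TTL the ingress LSR writes into the imposed label stack.
    With propagation on, the (already decremented) IP TTL is copied;
    with it off, the label TTL starts at 255 so the P routers never expire it."""
    propagate = propagate_local if locally_originated else propagate_forwarded
    return ip_ttl if propagate else 255


def probe(ttl, propagate_forwarded, propagate_local, source):
    """Return the router that answers a single probe sent with the given TTL."""
    locally_originated = source == INGRESS_PE
    ip_ttl = ttl
    if not locally_originated:
        # Probe from the CE: the ingress PE decrements the IP TTL before imposing labels.
        ip_ttl -= 1
        if ip_ttl == 0:
            return INGRESS_PE  # TTL exceeded from R5 (hop 1 in every R4 trace)
    mpls_ttl = label_ttl(ip_ttl, propagate_forwarded, propagate_local, locally_originated)
    for p in P_ROUTERS:
        mpls_ttl -= 1
        if mpls_ttl == 0:
            return p  # TTL exceeded with the MPLS extension listing the labels
    # The egress PE is the destination: it answers (port unreachable) regardless of TTL.
    return EGRESS_PE


def traceroute(propagate_forwarded=True, propagate_local=True, source="R4"):
    """Hops seen by the source, probing with TTL 1, 2, ... until the egress PE answers."""
    hops, ttl = [], 1
    while True:
        hop = probe(ttl, propagate_forwarded, propagate_local, source)
        hops.append(hop)
        if hop == EGRESS_PE:
            return hops
        ttl += 1


if __name__ == "__main__":
    print("scenario 1 (default), from R4:", traceroute())
    print("scenario 2 (no mpls ip propagate-ttl), from R4:", traceroute(False, False))
    print("scenario 2, from R5:", traceroute(False, False, "R5"))
    print("scenario 3 (no ... propagate-ttl forwarded), from R4:", traceroute(False, True))
    print("scenario 3, from R5:", traceroute(False, True, "R5"))
```

The five calls reproduce the hop lists of the traces above: four hops, two hops, one hop, two hops and three hops respectively.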
Hope this gives you a little more insight into how we can hide the provider network from VPN customers.
Good luck,
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
shivlu jain says:
November 25th, 2009 at 6:39 am
really nice explanation