Internet Over MPLS Network

Unanswered Question
Feb 20th, 2008

I have configured internet access via the MPLS network by creating a separate Internet VRF. The same VRF is applied on the interface facing the Internet Gateway. I am using a Cisco 7606 with 48 switchports to connect to the CE routers.

My problem is that we cannot browse via the internet. From the CE end devices we can ping the internet sites but cannot browse. We can use Google to search for information on the net but cannot browse to these web sites.

I need a solution to this problem as it's affecting my services to our clients.

I attach typical configurations on the PE router to help in getting a quick solution

mheusing Wed, 02/20/2008 - 07:24

Hi,

This could be an MTU related issue, as you can ping but not surf. A successful ping means routing works, so the problem is somewhere else.

Please check the mtu to the web sites under question (extended ping with DF bit set, packet size 1472).

In case large packets are not going through, make sure your MPLS enabled interfaces are configured to allow for the additional bytes taken by the labels (at least 2 labels for L3VPN, i.e. 8 Bytes).

To adjust the MTU use either

interface Serial0/0
 mtu 1508
 ip mtu 1500

OR

interface Serial0/0
 mpls mtu 1508

Which option you can configure depends on your IOS and hardware.

Repeat the extended ping check until 1500 byte packets are going through and then test the Web sites again. In case the problem persists, please provide the results of your tests.

Hope this helps! Please use the rating system.

Regards, Martin

ikeodo Wed, 02/20/2008 - 11:33

Hi Martin,

Thanks for your mail and good suggestions. I have carried out the configurations and test as suggested [see attached]. I can browse some sites like www.google.com, http://support.mbs-worldwide.ac.uk, http://www.nigeriansecurities.com/ but cannot open sites like www.cisco.com, www.yahoo.com, etc. I can ping effectively well both via the extended and normal ping.

Is there any other thing you would like me to check?

Please note that I am using private IPs on the core and running internet services off a PE. [see design attached].

Any further suggestions will be welcome.

sam.crooks@expe... Wed, 02/20/2008 - 11:53

sounds MTU related to me.... sounds like packets with DF bit set are coming and they are larger than the path MTU when the MPLS overhead is taken away....

you don't specify any of the interface configs, so it is hard to see what is going on MTU... ping with various sizes above and below the MTU is helpful in diagnosing the condition... setting DF-bit clearing on the PE routers could help in temporarily alleviating the condition or testing the MTU theory out...

ikeodo Thu, 02/21/2008 - 11:56

I have tried the MTU configurations - MPLS MTU 1508, and the IP MTU 1500 applied on the MPLS enabled interface, yet I am not able to browse via the MPLS network. Ping result is perfect. I can ping www.yahoo.com, so the DNS is working fine.

Does anybody have an alternative solution or is there anything I need to tweak on the configurations again?

Pls see the config on the interfaces on the PE facing the P router. All the interfaces on the core have been configured the same way.

interface GigabitEthernet5/2
 description Connection to P_Router
 ip address 192.168.252.18 255.255.255.252
 media-type rj45
 speed 10
 duplex full
 mpls mtu 1508
 mpls label protocol ldp
 mpls ip

swaroop.potdar Thu, 02/21/2008 - 12:08

Hi,

Can you pls also try doing an extended ping from the hosts where you are trying to browse as below, and post the results for all.

ping yahoo.com -f -l 1470 (.+2..till..1500)

HTH-Cheers,

Swaroop

mounir.mohamed Fri, 02/22/2008 - 00:42

Ok, could you remove the MTU changes that you had applied before, and start with this test from the ingress PE till the internet PE.

Router#ping
Protocol [ip]:
Target IP address: x.x.x.x
Repeat count [5]:
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with the DF bit set

Keep pinging with this packet size, but I don't think all PEs will successfully ping the internet destinations. I believe one hop will fail this test, and so this is the hop that has or is connected to the main source of this issue.

ikeodo Fri, 02/22/2008 - 06:53

I have carried out the ping tests and below is a summary of the result.

1. From the Laptop:

- can ping internet with packet size of 1464 bytes

- cannot ping with higher than 1464 bytes

- cannot ping the directly connected PE with packet size more than 1473 bytes

3. From the PE directly connected to the Laptop:

- can ping internet with packet size of 1492 bytes

- Cannot ping with packet size beyond 1492 bytes.

4. From Last hop PE facing the Internet Gateway router

- can ping internet with packet size of 1500 bytes

Please see attached for details of the test results and design for the traffic path.

Do let me know if there is any further thing I need to do. The problem seems to be located on the ingress PE. But note also that I have a Cisco 7200 router as P router connecting to a GSR 12000 P router.
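Added example (not part of any post in this thread): a short Python sketch that turns DF-bit ping sweeps like the ones reported above into a path MTU and the number of label stack entries the core lacks room for. The function names and the simulated core link are hypothetical; a Windows `ping -f -l` size counts ICMP payload only, while the IOS extended ping "Datagram size" is the whole IP packet.

```python
ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header
LABEL_BYTES = 4        # one MPLS label stack entry
HOST_MTU = 1500        # IP MTU the end hosts assume

def largest_passing(probe, low=1400, high=1500):
    """Largest size in [low, high] for which probe(size) is True, else None.

    probe is any callable that sends one DF-set echo of that size and
    reports success; it is assumed monotonic (bigger never works better).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low

def diagnose(size, payload_only):
    """Turn the largest passing ping size into path MTU and missing headroom.

    payload_only=True  -> size is ICMP data only (Windows 'ping -f -l').
    payload_only=False -> size is the whole IP datagram (IOS extended ping).
    """
    mtu = size + ICMP_IP_OVERHEAD if payload_only else size
    shortfall = HOST_MTU - mtu
    labels = shortfall // LABEL_BYTES if shortfall % LABEL_BYTES == 0 else None
    return {"path_mtu": mtu, "shortfall": shortfall, "labels": labels}

# Constructed stand-in for the network: a core link that carries at most
# 1500 bytes including a two-label stack (assumption for illustration).
def simulated_core(ip_size, link_mtu=1500, labels=2):
    return ip_size + labels * LABEL_BYTES <= link_mtu

def laptop_probe(payload):   # Windows-style size: ICMP payload only
    return simulated_core(payload + ICMP_IP_OVERHEAD)

def pe_probe(datagram):      # IOS-style size: full IP datagram
    return simulated_core(datagram)

if __name__ == "__main__":
    for name, probe, payload_only in (("laptop", laptop_probe, True),
                                      ("ingress PE", pe_probe, False)):
        best = largest_passing(probe)
        print(name, best, diagnose(best, payload_only))
```

With the simulated link, the sweep stops at 1464 from the laptop and 1492 from the PE, the same figures reported in the post above; both map to a 1492-byte path MTU, 8 bytes short of what the hosts assume.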

paul-ledwidge Fri, 02/22/2008 - 07:29

You could try using a route map to reset the DF bit on TCP traffic on the PE ingress port facing the CE.

Example:

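!
! Policy route-map that clears the DF bit on matched packets
route-map Clear-DF permit 10
 match ip address Clear-DF
 set ip df 0
!
! ACL names are case-sensitive; this name must match the one in "match ip address"
ip access-list extended Clear-DF
 permit tcp any any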

Apply the route-map policy to the ingress port closest to the CE or on the CE itself, thus ensuring that all TCP traffic gets its DF bit set to 0. Hence it will then be fragmentable.

rgds

Paul

swaroop.potdar Fri, 02/22/2008 - 09:46

The problem seems to lie with your 7204 which has ethernet and FE interfaces for label switching. If I can recollect right you may not be able to configure physical mtu of more than 1500 on these interfaces.

So the way out would be to set layer 2 MTU of 1508 or more on the 7204 and on other devices uniformly. But this may not be possible with the 7204 and the interface types.

So you can replace the 7204 with another device which has gig links supporting MTU higher than 1508 or reduce the MTU from all hosts' perspective by 8 bytes. The former option of replacing the 7204 would be easier though.

HTH-Cheers,

Swaroop

olorunloba Sat, 02/23/2008 - 19:08

Are you running the S train IOS on the 7200? I have heard reports that the MTU issue of PA-2FE was fixed on some of the 12.2S releases. However, I have doubts for your ethernet interface.

Try and change the IOS to a recent 12.2S and see what you get.

You could also try and swap the Fast Ethernet with the Ethernet interface. In this way, the fast ethernet will be in the downlink direction, with respect to MTU.

Please keep us updated.

ikeodo Tue, 02/26/2008 - 06:43

Hi All,

I had changed the MPLS/IP MTUs to 1520 on all the MPLS enabled interfaces. I had to eliminate the Cisco 7200 router since I was not able to increase the MTU beyond 1500.

I am now able to browse via the MPLS network after the changes.

This is thanking everyone who has contributed to the solution of this problem. I cannot but praise your immense technical abilities.

Any ideas what I can do with the Cisco 7200 MTUs? I currently have the following IOS image on the router, c7200-js-mz.123-1.bin. Should I change this IOS to something else, like the 12.2S as earlier suggested in this forum?

Best Regards,

Francis Odo CCIE[R&S]

olorunloba Tue, 02/26/2008 - 11:39

I will suggest the 12.2S. I have also seen 12.4T (sp services feature set) work well on the 7200.

Regards.

Posted February 20, 2008 at 5:42 AM