mpls ip propagate-ttl

Answered Question
Nov 17th, 2008

Hi all,

Should I use mpls ip propagate-ttl "forwarded" or "local" if I want to hide the traceroute result in the PE cloud?

Meaning, only the LAN/CE traceroute and the internet GW will be shown, and any PE router will be hidden. Please advise.

lejoe.thomas Mon, 11/17/2008 - 02:29

Hasmurizal

For configuring the PE (ingress E-LSR) to disable TTL propagation for forwarded packets (packets received from the customer (CE)), preventing the customer from learning IP addresses in the MPLS cloud, use

no mpls ip propagate-ttl forwarded

Likewise, if you wish to disable traceroute results for packets originating from the PE itself, use

no mpls ip propagate-ttl local

HTH

Lejoe

Correct Answer
marikakis Mon, 11/17/2008 - 02:36

Hello,

I would say that you need the "forwarded" option, but it is not clear to me if you intend the traceroute result to be hidden for customer-initiated traceroutes only.

Please have a look at the following "mpls ip propagate-ttl" documentation, which at the end includes traceroute examples for every possible configured option:

http://www.cisco.com/en/US/docs/ios/12_0st/12_0st14/feature/guide/rtr_14st.html#wp1067919

Kind Regards,

M.

hasmurizal Mon, 11/17/2008 - 17:27

Hi M,

Thank you for the documentation given. I have tested by executing "mpls ip propagate-ttl" with "no mpls ip propagate-ttl local" and I believe I'm able to achieve my target.

But I still need to discuss this further in terms of security, as I'm able to see my P router (vlan int before firewall). Anyway, thanks.

marikakis Tue, 11/18/2008 - 01:07

Hello,

Disabling "local" TTL propagation on a PE will hide the network structure in traceroute issued from that PE. The "local" option might be useful when troubleshooting broken LSP issues (enabling/disabling it on a PE). The "forward" option is the most common. Have you tested the "local" option with traceroute from various devices? Note that in the very last example of the documentation, the only reason for the IP address 1.0.0.4 not showing in the output is because it is an address of PE1 and trace is issued from PE1.

While looking at the diagram in your initial post, I can't decide which one is the P router you mentioned earlier. Are you referring to a router within the MPLS cloud not actually shown in the diagram? Or did you mean the PE connected to the firewall at the edge? If you would like to discuss this further, it would be useful if you could provide more details about your setup (which device connects to what, which interfaces have MPLS enabled) and traceroute output (indicating from which device it was initiated and which part of the output is an issue for you).

Kind Regards,

M.
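The behaviour discussed in the posts above, as an added example that is not part of the original thread: a simplified Python model of TTL handling on one LSP. The topology (CE1, PE1, P1, P2, PE2, CE2), penultimate-hop popping at P2 and the function names are assumptions made for illustration; the `forwarded` and `local` arguments mirror the two keywords of "mpls ip propagate-ttl".

```python
# Simplified model (added example, not from the thread) of how the ingress PE's
# TTL-propagation setting decides which hops answer a traceroute.
# Constructed topology: CE1 - PE1 - P1 - P2 - PE2 - CE2, LSP PE1->PE2, PHP at P2.
CORE = ["P1", "P2"]

def probe(src, ip_ttl, propagate):
    """Return the node that answers a probe sent from src toward CE2."""
    if src == "CE1":                 # forwarded traffic: PE1 routes it as IP first
        ip_ttl -= 1
        if ip_ttl == 0:
            return "PE1"
    # Label imposition at PE1: copy the IP TTL, or start the label TTL at 255.
    label_ttl = ip_ttl if propagate else 255
    for node in CORE:
        label_ttl -= 1
        if label_ttl == 0:
            return node              # TTL expired inside the LSP: core hop revealed
    # Penultimate-hop pop at P2: label TTL is copied back only when propagating.
    if propagate:
        ip_ttl = min(ip_ttl, label_ttl)
    ip_ttl -= 1                      # PE2 routes the now-unlabelled IP packet
    if ip_ttl == 0:
        return "PE2"
    return "CE2"                     # destination reached

def traceroute(src, forwarded=True, local=True):
    """Hops seen from src ("CE1" or "PE1") with the given propagation settings."""
    propagate = local if src == "PE1" else forwarded
    hops = []
    for ttl in range(1, 31):
        hops.append(probe(src, ttl, propagate))
        if hops[-1] == "CE2":
            break
    return hops

if __name__ == "__main__":
    print("CE1, default:              ", traceroute("CE1"))
    print("CE1, no ... forwarded:     ", traceroute("CE1", forwarded=False))
    print("PE1, no ... forwarded only:", traceroute("PE1", forwarded=False))
    print("PE1, no ... local:         ", traceroute("PE1", local=False))
```

In this model the core P routers disappear from the customer's trace when "forwarded" propagation is off, while the ingress and egress PE still answer because they handle the packet as plain IP.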

chintan-shah Tue, 12/09/2008 - 09:12

Hi,

Do you know how to disable the forward option in the case of IOS-XR?

I see below in IOS-XR

IOS: no tag-switching ip propagate-ttl forwarded

IOS-XR: mpls ip-ttl-propagate disable

The difference is the key word "forwarded". So if you start the traceroute from an IOS-XR PE router all hops are hidden too.

Regards,

Chintan

hasmurizal Tue, 12/09/2008 - 17:13

Hi Chintan,

I do not fully understand your question; could you kindly explain a little bit further?

chintan-shah Tue, 12/09/2008 - 21:25

Hi,

We have our standard config "no tag-switching ip propagate-ttl forwarded" so that we can see all core routers when we do a traceroute from the PE.

But now when we look at IOS-XR, it has the CLI "mpls ip-ttl-propagate disable" with no option for local or forwarded. So my question was: we can't do a traceroute from the PE (IOS-XR), I mean all of the core will still be hidden... Is there any alternative way?

Regards,

Chintan

Harold Ritter Tue, 12/09/2008 - 18:49

Chintan,

The behavior is applied equally to the forwarded and locally generated traffic when you use this command.

You should use the mpls traceroute functionality instead when tracing connectivity in your mpls core.

traceroute mpls ipv4

Regards

chintan-shah Tue, 12/09/2008 - 21:30

Hi,

Is this also true when I am tracing connectivity to the customer CPE from the PE?

Regards,

Chintan

chintan-shah Tue, 12/09/2008 - 22:24

I am looking for IOS-XR with the same feature as IOS for TTL propagation disabled, if any.

Chintan

hasmurizal Tue, 12/09/2008 - 22:29

In this case I would suggest you open a new thread. Specify all your info and scenarios, and ask any experts out there who could help you.

chintan-shah Tue, 12/09/2008 - 22:32

Hi ,

I tried to run the CLI command traceroute mpls ipv4 on an IOS-XR router; it gives me the error below, asking to enable MPLS OAM capability.

RP/0/RP0/CPU0:R1.LAB#traceroute mpls ipv4 10.74.90.0/32

% MPLS Embedded Management Subsystem is not running.

To enable, use 'mpls oam' global config command.

RP/0/RP0/CPU0:R1.LAB#

Regards,

Chintan

Harold Ritter Wed, 12/10/2008 - 05:26

Chintan,

As Hasmurizal mentioned, it is generally a good idea to open a new thread for a new question, even though it might be related to an already open thread.

Regards,

Harold Ritter Wed, 12/10/2008 - 05:21

Chintan,

You do indeed have to enable "mpls oam" in order to use mpls traceroute.

Regards
