Example: Troubleshooting Layer 3 VPNs

This example shows how to use the ping command to check the accessibility of various routers in a VPN topology, and how to use the traceroute command to check the path that packets travel between the VPN routers.

Requirements

This example uses the following hardware and software components:

  • M Series routers
  • Junos OS Release 10.0R1 and later

Overview

Topology

The topology shown in Figure 1 illustrates the network used in this example to demonstrate how to employ the ping and traceroute commands to test connectivity between the routers participating in a Layer 3 VPN.

Figure 1: Layer 3 VPN Topology for ping and traceroute Examples

Pinging the CE Router from Another CE Router

Step-by-Step Procedure

The following describes how to use the ping and traceroute commands to troubleshoot Layer 3 VPN topologies. You can ping one CE router from the other by specifying the other CE router’s loopback address as the IP address in the ping command. This ping command succeeds if the loopback addresses have been announced by the CE routers to their directly connected PE routers. The success of these ping commands also means that Router CE1 can ping any network devices beyond Router CE2, and vice versa. Figure 1 shows the topology referenced in the following steps:

  1. Ping Router CE2 (VPN5) from Router CE1 (VPN4):
    user@vpn4> ping 10.255.10.5 local 10.255.10.4 count 3
    PING 10.255.10.5 (10.255.10.5): 56 data bytes
    64 bytes from 10.255.10.5: icmp_seq=0 ttl=253 time=1.086 ms
    64 bytes from 10.255.10.5: icmp_seq=1 ttl=253 time=0.998 ms
    64 bytes from 10.255.10.5: icmp_seq=2 ttl=253 time=1.140 ms
    --- 10.255.10.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.998/1.075/1.140/0.059 ms
  2. To determine the path from Router CE1’s loopback interface to Router CE2’s loopback interface, use the traceroute command:
    user@vpn4> traceroute 10.255.10.5 source 10.255.10.4
    traceroute to 10.255.10.5 (10.255.10.5) from 10.255.10.4, 30 hops max, 40 byte packets
     1  vpn1-fe-110.isp-core.net (192.168.192.1)  0.680 ms  0.491 ms  0.456 ms
     2  vpn2-t3-001.isp-core.net (192.168.192.110)  0.857 ms  0.766 ms  0.754 ms
         MPLS Label=100005 CoS=0 TTL=1 S=1
     3  vpn5.isp-core.net (10.255.10.5)  0.825 ms  0.886 ms  0.732 ms
  3. When you use the traceroute command to examine the path used by a Layer 3 VPN, the provider (P) routers in the service provider’s network are not displayed. As shown above, the jump from Router VPN1 to Router VPN2 is displayed as a single hop. The P router (VPN3) shown in Figure 1 is not displayed.
  4. Ping Router CE1 (VPN4) from Router CE2 (VPN5):
    user@vpn5> ping 10.255.10.4 local 10.255.10.5 count 3
    PING 10.255.10.4 (10.255.10.4): 56 data bytes
    64 bytes from 10.255.10.4: icmp_seq=0 ttl=253 time=1.042 ms
    64 bytes from 10.255.10.4: icmp_seq=1 ttl=253 time=0.998 ms
    64 bytes from 10.255.10.4: icmp_seq=2 ttl=253 time=0.954 ms
    --- 10.255.10.4 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.954/0.998/1.042/0.036 ms
  5. To determine the path from Router CE2 to Router CE1, use the traceroute command:
    user@vpn5> traceroute 10.255.10.4 source 10.255.10.5
    traceroute to 10.255.10.4 (10.255.10.4) from 10.255.10.5, 30 hops max, 40 byte packets
     1  vpn-08-t3-003.isp-core.net (192.168.193.2)  0.686 ms  0.519 ms  0.548 ms
     2  vpn1-so-100.isp-core.net (192.168.192.100)  0.918 ms  0.869 ms  0.859 ms
         MPLS Label=100021 CoS=0 TTL=1 S=1
     3  vpn4.isp-core.net (10.255.10.4)  0.878 ms  0.760 ms  0.739 ms

Pinging the Remote PE and CE Routers from the Local CE Router

Step-by-Step Procedure

From the local CE router, you can ping the VPN interfaces on the remote PE and CE routers, which are point-to-point interfaces. Figure 1 shows the topology referenced in the following examples:

  1. Ping Router CE2 from Router CE1:
    user@vpn4> ping 192.168.193.5 local 10.255.10.4 count 3
    PING 192.168.193.5 (192.168.193.5): 56 data bytes
    64 bytes from 192.168.193.5: icmp_seq=0 ttl=253 time=1.040 ms
    64 bytes from 192.168.193.5: icmp_seq=1 ttl=253 time=0.891 ms
    64 bytes from 192.168.193.5: icmp_seq=2 ttl=253 time=0.944 ms
    --- 192.168.193.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.891/0.958/1.040/0.062 ms
  2. To determine the path from Router CE1’s loopback interface to Router CE2’s directly connected interface, use the traceroute command:
    user@vpn4> traceroute 192.168.193.5 source 10.255.10.4
    traceroute to 192.168.193.5 (192.168.193.5) from 10.255.10.4, 30 hops max, 40 byte packets
     1  vpn1-fe-110.isp-core.net (192.168.192.1)  0.669 ms  0.508 ms  0.457 ms
     2  vpn2-t3-001.isp-core.net (192.168.192.110)  0.851 ms  0.769 ms  0.750 ms
         MPLS Label=100000 CoS=0 TTL=1 S=1
     3  vpn5-t3-003.isp-core.net (192.168.193.5)  0.829 ms  0.838 ms  0.731 ms
  3. Ping Router PE2 (VPN2) from Router CE1 (VPN4). In this case, packets that originate at Router CE1 go to Router PE2, then to Router CE2, and back to Router PE2 before Router PE2 can respond to Internet Control Message Protocol (ICMP) requests. You can verify this by using the traceroute command.
    user@vpn4> ping 192.168.193.2 local 10.255.10.4 count 3
    PING 192.168.193.2 (192.168.193.2): 56 data bytes
    64 bytes from 192.168.193.2: icmp_seq=0 ttl=254 time=1.080 ms
    64 bytes from 192.168.193.2: icmp_seq=1 ttl=254 time=0.967 ms
    64 bytes from 192.168.193.2: icmp_seq=2 ttl=254 time=0.983 ms
    --- 192.168.193.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.967/1.010/1.080/0.050 ms
  4. To determine the path from Router CE1 to Router PE2, use the traceroute command:
    user@vpn4> traceroute 192.168.193.2 source 10.255.10.4
    traceroute to 192.168.193.2 (192.168.193.2) from 10.255.10.4, 30 hops max, 40 byte packets
     1  vpn1-fe-110.isp-core.net (192.168.192.1)  0.690 ms  0.490 ms  0.458 ms
     2  vpn2-t3-003.isp-core.net (192.168.193.2)  0.846 ms  0.768 ms  0.749 ms
         MPLS Label=100000 CoS=0 TTL=1 S=1
     3  vpn5-t3-003.isp-core.net (192.168.193.5)  0.643 ms  0.703 ms  0.600 ms
     4  vpn-08-t3-003.isp-core.net (192.168.193.2)  0.810 ms  0.739 ms  0.729 ms
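
The two traceroute observations above (the provider core showing up as a single hop with an MPLS label line, and the CE1-to-PE2 path passing through 192.168.193.2 twice) can be checked automatically on captured output. The following Python script is an added example, not part of the original documentation; the function names are hypothetical, and the sample is the CE1-to-PE2 output from step 4 embedded as constructed input.

```python
import re

# Constructed sample: the CE1 -> PE2 traceroute output shown in step 4 above.
SAMPLE = """\
traceroute to 192.168.193.2 (192.168.193.2) from 10.255.10.4, 30 hops max, 40 byte packets
 1  vpn1-fe-110.isp-core.net (192.168.192.1)  0.690 ms  0.490 ms  0.458 ms
 2  vpn2-t3-003.isp-core.net (192.168.193.2)  0.846 ms  0.768 ms  0.749 ms
     MPLS Label=100000 CoS=0 TTL=1 S=1
 3  vpn5-t3-003.isp-core.net (192.168.193.5)  0.643 ms  0.703 ms  0.600 ms
 4  vpn-08-t3-003.isp-core.net (192.168.193.2)  0.810 ms  0.739 ms  0.729 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)((?:\s+[\d.]+ ms)+)")
MPLS_RE = re.compile(r"^\s*MPLS Label=(\d+) CoS=(\d+) TTL=(\d+) S=(\d+)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")

def parse_traceroute(text):
    """Return a list of hop dicts; an MPLS line is attached to the hop above it."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in re.findall(r"([\d.]+) ms", m.group(4))]
            hops.append({"hop": int(m.group(1)), "name": m.group(2),
                         "addr": m.group(3), "rtt_ms": rtts, "mpls": None})
            continue
        m = MPLS_RE.match(line)
        if m and hops:
            hops[-1]["mpls"] = {"label": int(m.group(1)), "cos": int(m.group(2)),
                                "ttl": int(m.group(3)), "s": int(m.group(4))}
            continue
        m = TIMEOUT_RE.match(line)
        if m:  # row whose first probe went unanswered ("N  * * *")
            hops.append({"hop": int(m.group(1)), "name": None,
                         "addr": None, "rtt_ms": [], "mpls": None})
    return hops

def labeled_hops(hops):
    """Hop numbers whose reply carried an MPLS label line."""
    return [h["hop"] for h in hops if h["mpls"]]

def revisited_addresses(hops):
    """Addresses seen at more than one hop, e.g. the PE2 -> CE2 -> PE2 detour."""
    seen = {}
    for h in hops:
        if h["addr"]:
            seen.setdefault(h["addr"], []).append(h["hop"])
    return {addr: nums for addr, nums in seen.items() if len(nums) > 1}

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE)
    print(labeled_hops(hops), revisited_addresses(hops))
```
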

Pinging a CE Router from a Multiaccess Interface

Step-by-Step Procedure

You cannot ping one CE router from the other if the VPN interface is a multiaccess interface, such as the fe-1/1/2.0 interface on Router CE1. To ping Router CE1 from Router CE2, you must either include the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level on Router PE1 or configure a static route on Router PE1 to the VPN interface of Router CE1. If you include the vrf-table-label statement to ping a router, you cannot configure a static route.

  1. If you configure a static route on Router PE1 to the VPN interface of Router CE1, its next hop must point to Router CE1 (at the [edit routing-instances routing-instance-name] hierarchy level), and this route must be announced from Router PE1 to Router PE2 as shown in the following configuration:
    [edit]
    routing-instances {
        direct-multipoint {
            instance-type vrf;
            interface fe-1/1/0.0;
            route-distinguisher 69:1;
            vrf-import direct-import;
            vrf-export direct-export;
            routing-options {
                static {
                    route 192.168.192.4/32 next-hop 192.168.192.4;
                }
            }
            protocols {
                bgp {
                    group to-vpn4 {
                        peer-as 1;
                        neighbor 192.168.192.4;
                    }
                }
            }
        }
    }
    policy-options {
        policy-statement direct-export {
            term a {
                from protocol bgp;
                then {
                    community add direct-comm;
                    accept;
                }
            }
            term b {
                from {
                    protocol static;
                    route-filter 192.168.192.4/32 exact;
                }
                then {
                    community add direct-comm;
                    accept;
                }
            }
            term d {
                then reject;
            }
        }
    }
  2. Now you can ping Router CE1 from Router CE2:
    user@vpn5> ping 192.168.192.4 local 10.255.10.5 count 3
    PING 192.168.192.4 (192.168.192.4): 56 data bytes
    64 bytes from 192.168.192.4: icmp_seq=0 ttl=253 time=1.092 ms
    64 bytes from 192.168.192.4: icmp_seq=1 ttl=253 time=1.019 ms
    64 bytes from 192.168.192.4: icmp_seq=2 ttl=253 time=1.031 ms
    --- 192.168.192.4 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 1.019/1.047/1.092/0.032 ms
  3. To determine the path between these two interfaces, use the traceroute command:
    user@vpn5> traceroute 192.168.192.4 source 10.255.10.5
    traceroute to 192.168.192.4 (192.168.192.4) from 10.255.10.5, 30 hops max, 40 byte packets
     1  vpn-08-t3003.isp-core.net (192.168.193.2)  0.678 ms  0.549 ms  0.494 ms
     2  vpn1-so-100.isp-core.net (192.168.192.100)  0.873 ms  0.847 ms  0.844 ms
         MPLS Label=100021 CoS=0 TTL=1 S=1
     3  vpn4-fe-112.isp-core.net (192.168.192.4)  0.825 ms  0.743 ms  0.764 ms

Pinging the Directly Connected PE Routers from the CE Routers

Step-by-Step Procedure

From the loopback interfaces on the CE routers, you can ping the VPN interface on the directly connected PE router. Figure 1 shows the topology referenced in this procedure:

  1. From the loopback interface on Router CE1 (VPN4), ping the VPN interface, fe-1/1/0.0, on Router PE1:
    user@vpn4> ping 192.168.192.1 local 10.255.10.4 count 3
    PING 192.168.192.1 (192.168.192.1): 56 data bytes
    64 bytes from 192.168.192.1: icmp_seq=0 ttl=255 time=0.885 ms
    64 bytes from 192.168.192.1: icmp_seq=1 ttl=255 time=0.757 ms
    64 bytes from 192.168.192.1: icmp_seq=2 ttl=255 time=0.734 ms
    --- 192.168.192.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.734/0.792/0.885/0.066 ms
  2. From the loopback interface on Router CE2 (VPN5), ping the VPN interface, t3-0/0/3.0, on Router PE2:
    user@vpn5> ping 192.168.193.2 local 10.255.10.5 count 3
    PING 192.168.193.2 (192.168.193.2): 56 data bytes
    64 bytes from 192.168.193.2: icmp_seq=0 ttl=255 time=0.998 ms
    64 bytes from 192.168.193.2: icmp_seq=1 ttl=255 time=0.834 ms
    64 bytes from 192.168.193.2: icmp_seq=2 ttl=255 time=0.819 ms
    --- 192.168.193.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.819/0.884/0.998/0.081 ms
  3. To determine the path from the loopback interface on Router CE2 to the VPN interfaces on Router PE2, use the traceroute command:
    user@vpn5> traceroute 192.168.193.2 source 10.255.10.5
    traceroute to 192.168.193.2 (192.168.193.2) from 10.255.10.5, 30 hops max, 40 byte packets
     1  vpn-08-t3003.isp-core.net (192.168.193.2)  0.852 ms  0.670 ms  0.656 ms

Pinging the Directly Connected CE Routers from the PE Routers

Step-by-Step Procedure

From the VPN and loopback interfaces on the PE routers, you can ping the VPN interface on the directly connected CE router. Figure 1 shows the topology referenced in this procedure:

  1. From the VPN interface on the PE router (Router PE1), you can ping the VPN or loopback interface on the directly connected CE router (Router CE1).

    From the VPN interface on Router PE1 (VPN1), ping the VPN interface, fe-1/1/0.0, on Router CE1:

    user@vpn1> ping 192.168.192.4 interface fe-1/1/0.0 local 192.168.192.1 count 3
    PING 192.168.192.4 (192.168.192.4): 56 data bytes
    64 bytes from 192.168.192.4: icmp_seq=0 ttl=255 time=0.866 ms
    64 bytes from 192.168.192.4: icmp_seq=1 ttl=255 time=0.728 ms
    64 bytes from 192.168.192.4: icmp_seq=2 ttl=255 time=0.753 ms
    --- 192.168.192.4 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.728/0.782/0.866/0.060 ms
  2. From the VPN interface on Router PE1 (VPN1), ping the loopback interface, 10.255.10.4, on Router CE1:
    user@vpn1> ping 10.255.10.4 interface fe-1/1/0.0 local 192.168.192.1 count 3
    PING 10.255.10.4 (10.255.10.4): 56 data bytes
    64 bytes from 10.255.10.4: icmp_seq=0 ttl=255 time=0.838 ms
    64 bytes from 10.255.10.4: icmp_seq=1 ttl=255 time=0.760 ms
    64 bytes from 10.255.10.4: icmp_seq=2 ttl=255 time=0.771 ms
    --- 10.255.10.4 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.760/0.790/0.838/0.034 ms
  3. To determine the path from the VPN interface on Router PE1 to the VPN and loopback interfaces on Router CE1, respectively, use the following traceroute commands:
    user@vpn1> traceroute 10.255.10.4 interface fe-1/1/0.0 source 192.168.192.1
    traceroute to 10.255.10.4 (10.255.10.4) from 192.168.192.1, 30 hops max, 40 byte packets
     1  vpn4.isp-core.net (10.255.10.4)  0.842 ms  0.659 ms  0.621 ms
    user@vpn1> traceroute 192.168.192.4 interface fe-1/1/0.0 source 192.168.192.1
    traceroute to 192.168.192.4 (192.168.192.4) from 192.168.192.1, 30 hops max, 40 byte packets
     1  vpn4-fe-112.isp-core.net (192.168.192.4)  0.810 ms  0.662 ms  0.640 ms
  4. From the VPN interface on Router PE2 (VPN2), ping the VPN interface, t3-0/0/3.0, on Router CE2:
    user@vpn2> ping 192.168.193.5 interface t3-0/0/3.0 local 192.168.193.2 count 3
    PING 192.168.193.5 (192.168.193.5): 56 data bytes
    64 bytes from 192.168.193.5: icmp_seq=0 ttl=255 time=0.852 ms
    64 bytes from 192.168.193.5: icmp_seq=1 ttl=255 time=0.909 ms
    64 bytes from 192.168.193.5: icmp_seq=2 ttl=255 time=0.793 ms
    --- 192.168.193.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.793/0.851/0.909/0.047 ms
  5. From the VPN interface on Router PE2 (VPN2), ping the loopback interface, 10.255.10.5, on Router CE2:
    user@vpn2> ping 10.255.10.5 interface t3-0/0/3.0 local 192.168.193.2 count 3
    PING 10.255.10.5 (10.255.10.5): 56 data bytes
    64 bytes from 10.255.10.5: icmp_seq=0 ttl=255 time=0.914 ms
    64 bytes from 10.255.10.5: icmp_seq=1 ttl=255 time=0.888 ms
    64 bytes from 10.255.10.5: icmp_seq=2 ttl=255 time=1.066 ms
    --- 10.255.10.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.888/0.956/1.066/0.079 ms
  6. To determine the path from the VPN interface on Router PE2 to the VPN and loopback interfaces on Router CE2, respectively, use the following traceroute commands:
    user@vpn2> traceroute 10.255.10.5 interface t3-0/0/3.0 source 192.168.193.2
    traceroute to 10.255.10.5 (10.255.10.5) from 192.168.193.2, 30 hops max, 40 byte packets
     1  vpn5.isp-core.net (10.255.10.5)  1.009 ms  0.677 ms  0.633 ms
    user@vpn2> traceroute 192.168.193.5 interface t3-0/0/3.0 source 192.168.193.2
    traceroute to 192.168.193.5 (192.168.193.5) from 192.168.193.2, 30 hops max, 40 byte packets
     1  vpn5-t3-003.isp-core.net (192.168.193.5)  0.974 ms  0.665 ms  0.619 ms

Pinging the Remote CE Router from the Local PE Router

Step-by-Step Procedure

The following procedure is effective for Layer 3 VPNs only. To ping a remote CE router from a local PE router in a Layer 3 VPN, you need to configure the following interfaces:

  1. Configure a logical unit for the loopback interface.

    To configure an additional logical unit on the loopback interface of the PE router, configure the unit statement at the [edit interfaces lo0] hierarchy level:

    [edit interfaces]
    lo0 {
        unit number {
            family inet {
                address address;
            }
        }
    }
  2. Configure the loopback interface for the Layer 3 VPN routing instance on the local PE router. You can associate one logical loopback interface with each Layer 3 VPN routing instance, enabling you to ping a specific routing instance on a router.

    Specify the loopback interface you configured in Step 1 using the interface statement at the [edit routing-instances routing-instance-name] hierarchy level:

    [edit routing-instances routing-instance-name]
    interface interface-name;

    The interface-name is the logical unit on the loopback interface (for example, lo0.1).

  3. From the VPN interface on the PE router, you can now ping the logical unit on the loopback interface on the remote CE router:
    user@host> ping interface interface host

    Use interface to specify the new logical unit on the loopback interface (for example, lo0.1). For more information about how to use the ping interface command, see the Junos Interfaces Command Reference.

Troubleshooting Inconsistently Advertised Routes from Gigabit Ethernet Interfaces

Step-by-Step Procedure

For direct routes on a LAN in a Layer 3 VPN, the Junos OS attempts to locate a CE router that can be designated as the next hop. If this cannot be done, advertised routes from Gigabit Ethernet interfaces are dropped.

In such instances:

  1. Use the static statement at the [edit routing-options] or [edit logical-systems logical-system-name routing-options] hierarchy level in the VRF routing instance to configure a static route to a CE router on the LAN subnet, with the CE router as the next hop. All traffic to directly connected destinations on this LAN then goes to the CE router. You can add two static routes to two CE routers on the LAN for redundancy.
  2. Configure the vrf-table-label statement at the [edit routing-instances routing-instance-name] hierarchy level to map the inner label of a packet to a specific VRF routing table. This allows the encapsulated IP header to be examined and forces IP lookups on the VRF routing instance for all traffic.

    Note: The vrf-table-label statement is not available for every core-facing interface; for example, channelized interfaces are not supported. See Filtering Packets in Layer 3 VPNs Based on IP Headers for information about support for the vrf-table-label statement over Ethernet and SONET/SDH interfaces.

Published: 2012-11-29
