4 40.1.1.2 150 ms Egress
<U-PE1> tracert vc vlan 100 control-word remote 200
TTL Replier Time Type Downstream
0 Ingress 10.1.1.2/[1025 ]
2 20.1.1.2 60 ms Transit
4 40.1.1.2 110 ms Egress
If the S-PE is disabled from responding to an MPLS Echo Request packet, the configuration on
the S-PE is as follows:
[S-PE] undo lspv mpls-lsp-ping echo enable
Run the tracert vc command on the U-PE to collect information about LSRs and egress PE, the
U-PE displays the timeout information because it does not receive the reply packet. Take the
display on U-PE1 for example.
<U-PE1> tracert vc vlan 100 control-word remote 200 full-lsp-path
TTL Replier Time Type Downstream
0 Ingress 10.1.1.2/[1025 ]
1 10.1.1.2 130 ms Transit 20.1.1.2/[3 ]
2 Request time out
3 30.1.1.2 80 ms Transit 40.1.1.2/[3 ]
4 40.1.1.2 100 ms Egress
<U-PE1> tracert vc vlan 100 control-word remote 200
TTL Replier Time Type Downstream
0 Ingress 10.1.1.2/[1025 ]
2 Request time out
4 40.1.1.2 130 ms Egress
To prevent PWE3 tracert attacks, you can configure the U-PE to filter the MPLS Echo Request
packets according to the MAC addresses. The filtering rules can be specified in the ACL. For
example, you can configure the ACL on U-PE2 that prevents U-PE1 from obtaining the path
information about U-PE2 by running the tracert vc command. The configuration is as follows:
[U-PE2] acl 3001
[U-PE2-acl-adv-3001] rule deny udp source 1.1.1.9 0
[U-PE2-acl-adv-3001] quit
[U-PE2] lspv packet-filter 3001
Run the tracert vc command on U-PE1, and then U-PE1 cannot collect information about the
egress PE of the PW. Take the display on U-PE1 for example.
<U-PE1> tracert vc vlan 100 control-word remote 200 full-lsp-path
TTL Replier Time Type Downstream
0 Ingress 10.1.1.2/[1025 ]
1 10.1.1.2 110 ms Transit 20.1.1.2/[3 ]
2 Request time out
3 30.1.1.2 60 ms Transit 40.1.1.2/[3 ]
4 Request time out
5 Request time out
6 Request time out
7 Request time out
<U-PE1> tracert vc vlan 100 control-word remote 200
TTL Replier Time Type Downstream
0 Ingress 10.1.1.2/[1025 ]
2 Request time out
4 Request time out
5 Request time out
6 Request time out
7 Request time out
By running the tracert vc command on U-PE2, however, you can collect information about the
LSRs where the PW passes through from U-PE2 to U-PE1 and information about the egress PE.
[U-PE2] tracert vc vlan 200 control-word remote 100 full-lsp-path
TTL Replier Time Type Downstream
Quidway S9300 Terabit Routing Switch
Configuration Guide - VPN 5 PWE3 Configuration
Issue 03 (2009-08-20) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
5-61
To Next Page
Loading...
