It’s very common practice to have all three interfaces connected to the same router, have VRF configured on router to segment the three interfaces. As you may recall in my previous blog: Direct Connect to Aviatrix Transit \u2013 Option 3<\/a>. The WAN\/LAN\/MGMT(not in the diagram) can connect to the same router as show below.<\/p>\n\n\n\n After we have CloudN inline with traffic, when customer tried to do a traceroute from on-premises towards cloud, they discovered that the CloudN hop was responded by the management interface IP, rather than LAN interface IP. <\/p>\n\n\n\n Customer is rightfully concerning that if the data traffic is actually going through MGMT interface instead of from LAN interface.<\/strong><\/span><\/p>\n\n\n\n\n\n\n\n (Following test is done in Windows, Linux\/MAC command line may vary)<\/p>\n\n\n\n When we issue an command to ping google DNS server 8.8.8.8, windows ping issues 4 ICMP ECHO Request towards 8.8.8.8<\/p>\n\n\n\n Each router would pass this ICMP to next hop until it reaches 8.8.8.8. 8.8.8.8 itself then send ICMP ECHO reply back directly to the client.<\/p>\n\n\n\n Packet capture shows:<\/p>\n\n\n\n When we tell ping to use Time to Live (TTL) switch, each router on it’s path will deduct TTL value by 1, and forward towards next hop if TTL-1 didn’t reach zero yet. On the first router where TTL-1 reaches 0, that specific router would return ICMP Time to Live Exceeded directly to client, and the packet is no longer forwarded to next hop.<\/p>\n\n\n\n Following example using TTL = 1, when trying to ping 8.8.8.8. The first hop (default gateway) received the packet and deduct TTL by 1 and reached to 0, then the first hop router responded back TTL expired in transit message<\/p>\n\n\n\n Packet capture shows:<\/p>\n\n\n\n Now we try TTL = 2. First hop router deduct TTL by 1, it’s not zero yet. So it forward to second router, which also deduct TTL by 1 reached 0. The second router responded TTL expired in transit with it’s own IP.<\/p>\n\n\n\n Packet capture shows:<\/p>\n\n\n\n <\/p>\n\n\n\n In the capture, you can see TTL start from 1 and increases by 1 every 3 requests. Also notice the responding IP matches what you see in tracert output.<\/p>\n\n\n\n According to RFC1812<\/a><\/p>\n\n\n\n Except where this document specifies otherwise, the IP source address in an ICMP message originated by the router MUST be one of the IP addresses associated with the physical interface over which the ICMP message is transmitted. If the interface has no IP addresses associated with it, the router’s router-id (see Section [5.2.5]) is used instead.<\/p>\n\n\n\n For folks with Windows background, there is only one route table in OS. When I was at Microsoft Support, dual default gateways always was a No No. This article is still in effect since Windows NT: Multiple default gateways can cause connectivity problems<\/a><\/p>\n\n\n\n In Linux, multiple route tables co-exists. This made VRF (Virtual Routing and Forwarding) possible.<\/p>\n\n\n\n If you obtain diagnostics logs from CloudN, you can find following IP rules:<\/p>\n\n\n\n In the exclude_gateway route table, the only match is the default route, which will be sent via eth2, MTMT interface.<\/p>\n\n\n\n Another mystery solved \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":" We are using traceroute very often and sometimes take it for granted, until an very interesting question hit me and we have do dive a little deeper to get the answer. Here’s the full story: Aviatrix CloudN is an appliance … Continue reading ![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-138-595x1024.png\")
<\/figure>\n\n\n\nBefore understanding traceroute, we need to understand what is Time to Live or TTL<\/h2>\n\n\n\n
ping 8.8.8.8\n\nPinging 8.8.8.8 with 32 bytes of data:\nReply from 8.8.8.8<\/mark>: bytes=32 time=27ms TTL=116\nReply from 8.8.8.8: bytes=32 time=23ms TTL=116\nReply from 8.8.8.8: bytes=32 time=26ms TTL=116\nReply from 8.8.8.8: bytes=32 time=23ms TTL=116\n\nPing statistics for 8.8.8.8:\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\nApproximate round trip times in milli-seconds:\n Minimum = 23ms, Maximum = 27ms, Average = 24ms<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/traceroute-icmp.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-139-1024x561.png\")
<\/figure>\n\n\n\n ping -i 1 8.8.8.8\n\nPinging 8.8.8.8 with 32 bytes of data:\nReply from 192.168.68.1<\/mark>: TTL expired in transit.\nReply from 192.168.68.1: TTL expired in transit.\nReply from 192.168.68.1: TTL expired in transit.\nReply from 192.168.68.1: TTL expired in transit.\n\nPing statistics for 8.8.8.8:\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/traceroute-icmp-TTL-1-1-1024x273.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-140-1024x562.png\")
<\/figure>\n\n\n\nping -i 2 8.8.8.8\n\nPinging 8.8.8.8 with 32 bytes of data:\nReply from 192.168.1.1<\/mark>: TTL expired in transit.\nReply from 192.168.1.1: TTL expired in transit.\nReply from 192.168.1.1: TTL expired in transit.\nReply from 192.168.1.1: TTL expired in transit.\n\nPing statistics for 8.8.8.8:\n Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/traceroute-icmp-TTL-2-1024x309.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-141-1024x563.png\")
<\/figure>\n\n\n\nTraceroute does 3 ICMP request with TTL start from 1, next 3 ICMP request TTL set to 2, then it repeat this process until TTL reaches default 30<\/h2>\n\n\n\n
tracert 8.8.8.8\n\nTracing route to dns.google [8.8.8.8]\nover a maximum of 30 hops:\n\n 1 6 ms 4 ms 4 ms 192.168.68.1\n 2 8 ms 6 ms 6 ms 192.168.1.1\n 3 22 ms 22 ms 21 ms 69.194.50.2\n 4 24 ms 24 ms 23 ms 69.194.50.1\n 5 25 ms 22 ms 24 ms\n\nctrl + c canceled at this point<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-144-1024x467.png\")
<\/figure>\n\n\n\nOk, we established trace route response came from the router, where TTL-1 gets to 0. Then why it get out from MGMT interface instead of LAN interface?<\/h2>\n\n\n\n
\"ip rule\": [\n \"0:\\tfrom all lookup local \",\n \"5:\\tfrom all fwmark 0xf4240 lookup mgmt \",\n \"10:\\tfrom all iif lo lookup exclude_gateway \",\n \"32766:\\tfrom all lookup main \",\n \"32767:\\tfrom all lookup default\"\n ],\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/10\/image-146.png\")
<\/figure>\n\n\n\nConclusion: Trace Route responses is originated directly from the responding router itself, it doesn’t represent actual path data will be going through, as the actual data will be subjecting to different routing tables.<\/h2>\n\n\n\n