[c-nsp] filter LDP bindings

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Aug 12 10:54:14 EDT 2008


because this is how LDP works in frame-based MPLS networks. Every LDP
speaker independently allocates and distributes labels, so the P node
also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no
matter if the upstream neighbor (PE1) sent one or not.

	oli

Sergio D. <mailto:sdanelli at gmail.com> wrote on Tuesday, August 12, 2008 4:39 PM:

> Yes there is a "P" router in the middle. Why would the middle router
> be getting a binding if I am filtering from the source? 
> 
> 
> On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer)
> <oboehmer at cisco.com> wrote: 
> 
> 
> 	Sergio,
> 
> 	is PE2 really adjacent to PE1? I don't think it is, there must be
> 	some LDP speaker in the middle. If PE2 was adjacent to PE1, the
> 	outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null
> 	(aka "pop label" as those networks are directly connected on PE1),
> 	not 18 or 20, as you've indicated below.
> 	I would assume it is 25.25.25.25, as this LDP neighbor sends
> 	advertisements to both PE1 and PE2.
> 
> 	As every speaker allocates labels independently, you need to filter
> 	the LDP advertisements on *all* LDP speakers.
> 
> 
> 	       oli
> 
> 	Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11, 2008 7:24 PM:
> 
> 
> 	> Oli,
> 	> from a neighbor a hop away:
> 	>
> 	> PE2#show mpls ldp bindings 10.0.0.1 32
> 	>   tib entry: 10.0.0.1/32, rev 10
> 	>         local binding:  tag: 17
> 	>         remote binding: tsr: 25.25.25.25:0, tag: 20
> 	> PE2#
> 	>
> 	> prefix I want to filter:
> 	>
> 	> PE2#show mpls forwarding-table 150.0.0.1
> 	> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> 	> tag    tag or VC   or Tunnel Id      switched   interface
> 	> 19     18          150.0.0.0/24      0          Se1/0      point2point
> 	>
> 	> thanks,
> 	>
> 	>
> 	> On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer)
> 	> <oboehmer at cisco.com> wrote:
> 	>
> 	>
> 	>       Sergio,
> 	>
> 	>       your config looks fine, so I don't know what's happening. Can you
> 	>       show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
> 	>       or a "show mpls forwarding interface <foo>" where <foo> is the
> 	>       neighbor's interface to PE1?
> 	>       No need to specify a "to <acl>" to select which neighbors you want to
> 	>       advertise this to in your case.
> 	>
> 	>              oli
> 	>
> 	>       Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11,
> 	>       2008 4:52 PM:
> 	>
> 	>
> 	>       > thanks for the response.
> 	>       > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into
> 	>       > "no tag-switching advertise-tags" which I already have.
> 	>       > Oliver,
> 	>       > thanks for clearing up the assignment of the label, I guess that's
> 	>       > fine as long as it doesn't get advertised which is what I am trying
> 	>       > to avoid. I did try it without the deny at the end, and the result
> 	>       > was the same.
> 	>       > Do I need an access-list listing my peers and apply that?
> 	>       >
> 	>       > TIA
> 	>       >
> 	>       >
> 	>       >
> 	>       > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente
> 	>       > <pl+list at pmacct.net> wrote:
> 	>       >
> 	>       >       Hi Sergio,
> 	>       >
> 	>       >       to add to what Oliver said that you maybe want to make sure
> 	>       >       you have in the configuration a "no mpls ldp advertise-labels"
> 	>       >       line. Without that, even if you configure a filter (which is
> 	>       >       successfully matched as you have shown), labels would still be
> 	>       >       announced to adjacent LDP peers.
> 	>       >
> 	>       >       Don't know if this could be your case; I did have to make use
> 	>       >       out of it to verify label filtering working on a 12.2SR while
> 	>       >       trying to minimize exposure of our labels in an "Inter-AS" L2
> 	>       >       MPLS VPN scenario.
> 	>       >
> 	>       >
> 	>       >       no mpls ldp advertise-labels
> 	>       >
> 	>       >       mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> 	>       >       [ ... ]
> 	>       >       mpls label protocol ldp
> 	>       >       !
> 	>       >       interface Loopback0
> 	>       >        ip address 192.168.100.4 255.255.255.255
> 	>       >       !
> 	>       >       ip access-list standard LDP-DEST
> 	>       >        permit 192.168.100.4
> 	>       >       ip access-list standard LDP-PEER
> 	>       >        permit 192.168.100.1
> 	>       >       !
> 	>       >
> 	>       >       Cheers,
> 	>       >       Paolo
> 	>       >
> 	>       >
> 	>       >
> 	>       >       On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> 	>       >       > Hello,
> 	>       >       > I am trying to filter LDP label bindings to only advertise my
> 	>       >       > loopback address (for vpnv4 traffic) but I am unsure as to what the
> 	>       >       > requirements are.
> 	>       >       > Here is what I have:
> 	>       >       > PE1#show ip route connected | in ^C
> 	>       >       > C       1.1.1.0 is directly connected, Serial1/0
> 	>       >       > C       10.0.0.1 is directly connected, Loopback0
> 	>       >       > C       150.0.0.0 is directly connected, FastEthernet0/1
> 	>       >       >
> 	>       >       > PE1#sh run | in tag
> 	>       >       > no tag-switching advertise-tags
> 	>       >       > tag-switching advertise-tags for ldp-filter
> 	>       >       >
> 	>       >       > PE1#show access-lists ldp-filter
> 	>       >       > Standard IP access list ldp-filter
> 	>       >       >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> 	>       >       >     999 deny   any (7 matches)
> 	>       >       >
> 	>       >       > matches?
> 	>       >       >
> 	>       >       > but still generates a binding for all my connected interfaces:
> 	>       >       >
> 	>       >       > PE1#show mpls ldp bindings 150.0.0.0 24
> 	>       >       >   tib entry: 150.0.0.0/24, rev 2
> 	>       >       >         local binding:  tag: imp-null
> 	>       >       >         remote binding: tsr: 25.25.25.25:0, tag: 18
> 	>       >       > PE1#
> 	>       >       >
> 	>       >       > And the other side tags it with a label:
> 	>       >       >
> 	>       >       > PE2#traceroute 150.0.0.1
> 	>       >       >
> 	>       >       > Type escape sequence to abort.
> 	>       >       > Tracing the route to 150.0.0.1
> 	>       >       >
> 	>       >       >   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> 	>       >       >   2 1.1.1.1 24 msec 52 msec *
> 	>       >       >
> 	>       >       > TIA,
> 	>       >       >
> 	>       >       > --
> 	>       >       > Sergio Danelli
> 	>       >
> 	>       >
> 	>       >
> 	>       >
> 	>       >
> 	>       > --
> 	>       > Sergio Danelli
> 	>
> 	>
> 	>
> 	>
> 	>
> 	> --
> 	> Sergio
> 
> 
> 
> 
> 
> --
> Sergio
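
An added example, not part of the thread and not Cisco tooling: a Python audit that parses `show mpls ldp bindings` output in the layout quoted above and lists every remote binding for a prefix outside the allowed range, naming the LSR that advertised it. The sample output is constructed from values in the thread (the `rev 4` number is made up), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the "show mpls ldp bindings" layout quoted in the
# thread; the 150.0.0.0/24 entry is assembled from PE2's forwarding-table row.
PE2_BINDINGS = """\
  tib entry: 10.0.0.1/32, rev 10
        local binding:  tag: 17
        remote binding: tsr: 25.25.25.25:0, tag: 20
  tib entry: 150.0.0.0/24, rev 4
        local binding:  tag: 19
        remote binding: tsr: 25.25.25.25:0, tag: 18
"""

# Newer IOS prints lib/lsr/label instead of tib/tsr/tag; accept both.
ENTRY = re.compile(r"[tl]ib entry:\s*(\S+?),")
REMOTE = re.compile(
    r"remote binding:\s*(?:tsr|lsr):\s*(\S+?),\s*(?:tag|label):\s*(\S+)")


def parse_bindings(text):
    """Return {prefix: [(advertising_lsr, label), ...]} from the CLI output."""
    table, current = {}, None
    for line in text.splitlines():
        if m := ENTRY.search(line):
            current = ipaddress.ip_network(m.group(1))
            table[current] = []
        elif (m := REMOTE.search(line)) and current is not None:
            table[current].append((m.group(1), m.group(2)))
    return table


def leaked_bindings(text, allowed):
    """List (prefix, lsr, label) for remote bindings outside the allowed nets."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for prefix, remotes in parse_bindings(text).items():
        if any(prefix.subnet_of(n) for n in nets):
            continue  # prefix is one the filter is meant to permit
        leaks += [(str(prefix), lsr, label) for lsr, label in remotes]
    return leaks


if __name__ == "__main__":
    # Only the range permitted by the ldp-filter ACL should carry labels.
    for prefix, lsr, label in leaked_bindings(PE2_BINDINGS, ["10.0.0.0/24"]):
        print(f"{prefix}: label {label} still advertised by LSR {lsr}")
```

Run against each LDP speaker's output, the LSR ID in each reported row identifies the router that still needs the advertise filter; here it is 25.25.25.25, the P router, not PE1.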

