[c-nsp] filter LDP bindings
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Aug 12 02:37:20 EDT 2008
Sergio,

is PE2 really adjacent to PE1? I don't think it is, there must be some
LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing
label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop
label" as those networks are directly connected on PE1), not 18 or 20,
as you've indicated below.

I would assume it is 25.25.25.25, as this LDP neighbor sends
advertisements to both PE1 and PE2.

As every speaker allocates labels independently, you need to filter the
LDP advertisements on *all* LDP speakers.

oli

Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11, 2008
7:24 PM:
> Oli,
> from a neighbor a hop away:
>
> PE2#show mpls ldp bindings 10.0.0.1 32
> tib entry: 10.0.0.1/32, rev 10
> local binding: tag: 17
> remote binding: tsr: 25.25.25.25:0, tag: 20
> PE2#
>
> prefix I want to filter:
>
> PE2#show mpls forwarding-table 150.0.0.1
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 19     18          150.0.0.0/24      0          Se1/0      point2point
>
> thanks,
>
>
> On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer)
> <oboehmer at cisco.com> wrote:
>
>
> Sergio,
>
> your config looks fine, so I don't know what's happening. Can you
> show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
> or a "show mpls forwarding interface <foo>" where <foo> is the
> neighbor's interface to PE1?
> No need to specify a "to <acl>" to select which neighbors you want to
> advertise this to in your case.
>
> oli
>
> Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11,
> 2008 4:52 PM:
>
>
> > thanks for the response.
> > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into
> > "no tag-switching advertise-tags" which I already have.
> > Oliver,
> > thanks for clearing up the assignment of the label, I guess that's
> > fine as long as it doesn't get advertised which is what I am trying
> > to avoid. I did try it without the deny at the end, and the result
> > was the same.
> > Do I need an access-list listing my peers and apply that?
> >
> > TIA
> >
> >
> >
> > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente
> > <pl+list at pmacct.net> wrote:
> >
> > Hi Sergio,
> >
> > to add to what Oliver said that you maybe want to make sure
> > you have in the configuration a "no mpls ldp advertise-labels"
> > line. Without that, even if you configure a filter (which is
> > successfully matched as you shown), labels would still be
> > announced to adjacent LDP peers.
> >
> > Don't know if this could be your case; I did have to make use
> > out of it to verify label filtering working on a 12.2SR while
> > trying to minimize exposure of our labels in an "Inter-AS" L2
> > MPLS VPN scenario.
> >
> >
> > no mpls ldp advertise-labels
> >
> > mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> > [ ... ]
> > mpls label protocol ldp
> > !
> > interface Loopback0
> > ip address 192.168.100.4 255.255.255.255
> > !
> > ip access-list standard LDP-DEST
> > permit 192.168.100.4
> > ip access-list standard LDP-PEER
> > permit 192.168.100.1
> > !
> >
> > Cheers,
> > Paolo
> >
> >
> >
> > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> > > Hello,
> > > I am trying to filter LDP label bindings to only advertise my
> > > loopback address (for vpnv4 traffic) but I am unsure as to what the
> > > requirements are.
> > > Here is what I have:
> > > PE1#show ip route connected | in ^C
> > > C 1.1.1.0 is directly connected, Serial1/0
> > > C 10.0.0.1 is directly connected, Loopback0
> > > C 150.0.0.0 is directly connected, FastEthernet0/1
> > >
> > > PE1#sh run | in tag
> > > no tag-switching advertise-tags
> > > tag-switching advertise-tags for ldp-filter
> > >
> > > PE1#show access-lists ldp-filter
> > > Standard IP access list ldp-filter
> > > 10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> > > 999 deny any (7 matches)
> > >
> > > matches?
> > >
> > > but still generates a binding for all my connected interfaces:
> > >
> > > PE1#show mpls ldp bindings 150.0.0.0 24
> > > tib entry: 150.0.0.0/24, rev 2
> > > local binding: tag: imp-null
> > > remote binding: tsr: 25.25.25.25:0, tag: 18
> > > PE1#
> > >
> > > And the other side tags it with a label:
> > >
> > > PE2#traceroute 150.0.0.1
> > >
> > > Type escape sequence to abort.
> > > Tracing the route to 150.0.0.1
> > >
> > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> > > 2 1.1.1.1 24 msec 52 msec *
> > >
> > > TIA,
> > >
> > > --
> > > Sergio Danelli
> >
> >
> >
> >
> >
> > --
> > Sergio Danelli
>
>
>
>
>
> --
> Sergio
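
The check implied by the reply at the top of this thread, as an added example that is not part of the original messages: a remote binding in `show mpls ldp bindings` output for a prefix outside the permitted range means the LDP speaker that sent it is not filtering its advertisements. The sample output is constructed in the format quoted in the thread; the function names and the allowed range (mirroring the `ldp-filter` ACL) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the "show mpls ldp bindings" format quoted in the thread.
SAMPLE = """\
tib entry: 10.0.0.1/32, rev 10
  local binding: tag: imp-null
  remote binding: tsr: 25.25.25.25:0, tag: 20
tib entry: 150.0.0.0/24, rev 2
  local binding: tag: imp-null
  remote binding: tsr: 25.25.25.25:0, tag: 18
tib entry: 1.1.1.0/24, rev 4
  local binding: tag: imp-null
"""

ENTRY = re.compile(r"tib entry:\s*(\S+?),")
REMOTE = re.compile(r"remote binding:\s*tsr:\s*(\S+?),\s*tag:\s*(\S+)")


def parse_remote_bindings(text):
    """Yield (prefix, ldp_id, label) for each remote binding in the output."""
    prefix = None
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if entry:
            prefix = ipaddress.ip_network(entry.group(1), strict=False)
            continue
        remote = REMOTE.search(line)
        if remote and prefix is not None:
            yield prefix, remote.group(1), remote.group(2)


def unfiltered_speakers(text, allowed):
    """Map each LDP speaker to the bindings it advertises outside `allowed`."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = {}
    for prefix, ldp_id, label in parse_remote_bindings(text):
        if not any(prefix.subnet_of(net) for net in allowed_nets):
            leaks.setdefault(ldp_id, []).append((str(prefix), label))
    return leaks


if __name__ == "__main__":
    # Assumption: 10.0.0.0/24 mirrors "permit 10.0.0.0, wildcard bits 0.0.0.255".
    for speaker, bindings in unfiltered_speakers(SAMPLE, ["10.0.0.0/24"]).items():
        print(f"{speaker} is not filtering: {bindings}")
```

Running it against the output collected from every router in the path lists each speaker that still needs the advertise filter applied.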