[c-nsp] filter LDP bindings

Sergio D. sdanelli at gmail.com
Tue Aug 12 10:39:01 EDT 2008


Yes there is a "P" router in the middle. Why would the middle router be
getting a binding if I am filtering from the source?

On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer) <
oboehmer at cisco.com> wrote:

> Sergio,
>
> is PE2 really adjacent to PE1? I don't think it is, there must be some
> LDP speaker in the middle. If PE2 was adjacent to PE1, the outgoing
> label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null (aka "pop
> label" as those networks are directly connected on PE1), not 18 or 20,
> as you've indicated below.
> I would assume it is 25.25.25.25, as this LDP neighbor sends
> advertisements to both PE1 and PE2.
>
> As every speaker allocates labels independently, you need to filter the
> LDP advertisements on *all* LDP speakers.
>
>        oli
>
> Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11, 2008
> 7:24 PM:
>
> > Oli,
> > from a neighbor a hop away:
> >
> > PE2#show mpls ldp bindings 10.0.0.1 32
> >   tib entry: 10.0.0.1/32, rev 10
> >         local binding:  tag: 17
> >         remote binding: tsr: 25.25.25.25:0, tag: 20
> > PE2#
> >
> > prefix I want to filter:
> >
> > PE2#show mpls forwarding-table 150.0.0.1
> > Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> > tag    tag or VC   or Tunnel Id      switched   interface
> > 19     18          150.0.0.0/24      0          Se1/0      point2point
> >
> > thanks,
> >
> >
> > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer)
> > <oboehmer at cisco.com> wrote:
> >
> >
> >       Sergio,
> >
> >       your config looks fine, so I don't know what's happening. Can you
> >       show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
> >       or a "show mpls forwarding interface <foo>" where <foo> is the
> >       neighbor's interface to PE1?
> >       No need to specify a "to <acl>" to select which neighbors you want
> >       to advertise this to in your case.
> >
> >              oli
> >
> >       Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11,
> >       2008 4:52 PM:
> >
> >
> >       > thanks for the response.
> >       > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into
> >       > "no tag-switching advertise-tags" which I already have.
> >       > Oliver,
> >       > thanks for clearing up the assignment of the label, I guess that's
> >       > fine as long as it doesn't get advertised which is what I am trying
> >       > to avoid. I did try it without the deny at the end, and the result
> >       > was the same.
> >       > Do I need an access-list listing my peers and apply that?
> >       >
> >       > TIA
> >       >
> >       >
> >       >
> >       > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente <pl+list at pmacct.net> wrote:
> >       >
> >       >       Hi Sergio,
> >       >
> >       >       to add to what Oliver said, you may want to make sure
> >       >       you have in the configuration a "no mpls ldp
> >       >       advertise-labels" line. Without that, even if you configure
> >       >       a filter (which is successfully matched as you have shown),
> >       >       labels would still be announced to adjacent LDP peers.
> >       >
> >       >       Don't know if this could be your case; I did have to make use
> >       >       out of it to verify label filtering working on a 12.2SR while
> >       >       trying to minimize exposure of our labels in an "Inter-AS" L2
> >       >       MPLS VPN scenario.
> >       >
> >       >
> >       >       no mpls ldp advertise-labels
> >       >
> >       >       mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> >       >       [ ... ]
> >       >       mpls label protocol ldp
> >       >       !
> >       >       interface Loopback0
> >       >        ip address 192.168.100.4 255.255.255.255
> >       >       !
> >       >       ip access-list standard LDP-DEST
> >       >        permit 192.168.100.4
> >       >       ip access-list standard LDP-PEER
> >       >        permit 192.168.100.1
> >       >       !
> >       >
> >       >       Cheers,
> >       >       Paolo
> >       >
> >       >
> >       >
> >       >       On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> >       >       > Hello,
> >       >       > I am trying to filter LDP label bindings to only advertise my
> >       >       > loopback address (for vpnv4 traffic) but I am unsure as to
> >       >       > what the requirements are.
> >       >       > Here is what I have:
> >       >       > PE1#show ip route connected | in ^C
> >       >       > C       1.1.1.0 is directly connected, Serial1/0
> >       >       > C       10.0.0.1 is directly connected, Loopback0
> >       >       > C       150.0.0.0 is directly connected, FastEthernet0/1
> >       >       >
> >       >       > PE1#sh run | in tag
> >       >       > no tag-switching advertise-tags
> >       >       > tag-switching advertise-tags for ldp-filter
> >       >       >
> >       >       > PE1#show access-lists ldp-filter
> >       >       > Standard IP access list ldp-filter
> >       >       >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> >       >       >     999 deny   any (7 matches)
> >       >       >
> >       >       > matches?
> >       >       >
> >       >       > but still generates a binding for all my connected interfaces:
> >       >       >
> >       >       > PE1#show mpls ldp bindings 150.0.0.0 24
> >       >       >   tib entry: 150.0.0.0/24, rev 2
> >       >       >         local binding:  tag: imp-null
> >       >       >         remote binding: tsr: 25.25.25.25:0, tag: 18
> >       >       > PE1#
> >       >       >
> >       >       > And the other side tags it with a label:
> >       >       >
> >       >       > PE2#traceroute 150.0.0.1
> >       >       >
> >       >       > Type escape sequence to abort.
> >       >       > Tracing the route to 150.0.0.1
> >       >       >
> >       >       >   1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> >       >       >   2 1.1.1.1 24 msec 52 msec *
> >       >       >
> >       >       > TIA,
> >       >       >
> >       >       > --
> >       >       > Sergio Danelli
> >       >
> >       >
> >       >
> >       >
> >       >
> >       > --
> >       > Sergio Danelli
> >
> >
> >
> >
> >
> > --
> > Sergio
>



-- 
Sergio
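
Added example, not part of the original thread and not Cisco code: a simplified Python model of the behaviour Oli describes, where every LDP speaker allocates and advertises its own label, so a filter on PE1 alone does not stop the middle router from advertising a binding to PE2. The PE1 -- P -- PE2 chain, the function names and the allocated label values are assumptions made for illustration.

```python
import ipaddress

# Constructed topology modelled on the thread: PE1 -- P -- PE2.
LINKS = [("PE1", "P"), ("P", "PE2")]
# Prefixes every router holds in its routing table (PE1's connected routes).
PREFIXES = ["10.0.0.1/32", "150.0.0.0/24"]
# Same intent as the ldp-filter ACL: permit 10.0.0.0 0.0.0.255, deny the rest.
LOOPBACKS_ONLY = [ipaddress.ip_network("10.0.0.0/24")]


def permitted(prefix, acl):
    """True if the prefix's network address matches the ACL (None = no filter)."""
    if acl is None:
        return True
    addr = ipaddress.ip_network(prefix).network_address
    return any(addr in net for net in acl)


def advertise(filters):
    """Return {receiver: {prefix: [(sender, label), ...]}} of remote bindings.

    Independent label allocation: each router binds its own local label to
    every prefix it has a route for and advertises it to each LDP neighbour,
    subject only to that router's own outbound filter.
    """
    received = {}
    next_label = 16  # arbitrary starting value for this model
    for router in ("PE1", "P", "PE2"):
        neighbours = [b if a == router else a for a, b in LINKS if router in (a, b)]
        for prefix in PREFIXES:
            if router == "PE1":
                label = "imp-null"  # directly connected on PE1
            else:
                label, next_label = next_label, next_label + 1
            if not permitted(prefix, filters.get(router)):
                continue  # binding still exists locally, it is just not sent
            for peer in neighbours:
                received.setdefault(peer, {}).setdefault(prefix, []).append((router, label))
    return received


def remote_senders(received, router, prefix):
    """Names of the neighbours from which `router` holds a binding for `prefix`."""
    return sorted(sender for sender, _ in received.get(router, {}).get(prefix, []))
```

With only `{"PE1": LOOPBACKS_ONLY}` applied, PE2 still holds a remote binding for 150.0.0.0/24 from P; applying the same filter on all three routers removes it while the 10.0.0.1/32 binding remains.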

