[c-nsp] filter LDP bindings
Sergio D.
sdanelli at gmail.com
Tue Aug 12 11:52:33 EDT 2008
I see, that makes sense.
I will give it a shot.
Thanks for your help.
On Tue, Aug 12, 2008 at 8:54 AM, Oliver Boehmer (oboehmer) <
oboehmer at cisco.com> wrote:
> because this is how LDP works in frame-based MPLS networks. Every LDP
> speaker independently allocates and distributes labels, so the P node
> also allocates a label for the 150.0.0.0/24 and advertises it to PE2, no
> matter if the upstream neighbor (PE1) sent one or not.
>
> oli
>
> Sergio D. <mailto:sdanelli at gmail.com> wrote on Tuesday, August 12, 2008
> 4:39 PM:
>
> > Yes there is a "P" router in the middle. Why would the middle router
> > be getting a binding if I am filtering from the source?
> >
> >
> > On Tue, Aug 12, 2008 at 12:37 AM, Oliver Boehmer (oboehmer)
> > <oboehmer at cisco.com> wrote:
> >
> >
> > Sergio,
> >
> > is PE2 really adjacent to PE1? I don't think it is, there must be
> > some LDP speaker in the middle. If PE2 was adjacent to PE1, the
> > outgoing label for 150.0.0.0/24 and 10.0.0.1/32 would be imp-null
> > (aka "pop label" as those networks are directly connected on PE1),
> > not 18 or 20, as you've indicated below.
> > I would assume it is 25.25.25.25, as this LDP neighbor sends
> > advertisements to both PE1 and PE2.
> >
> > As every speaker allocates labels independently, you need to filter
> > the LDP advertisements on *all* LDP speakers.
> >
> >
> > oli
> >
> > Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11,
> > 2008 7:24 PM:
> >
> >
> > > Oli,
> > > from a neighbor a hop away:
> > >
> > > PE2#show mpls ldp bindings 10.0.0.1 32
> > > tib entry: 10.0.0.1/32, rev 10
> > > local binding: tag: 17
> > > remote binding: tsr: 25.25.25.25:0, tag: 20
> > > PE2#
> > >
> > > prefix I want to filter:
> > >
> > > PE2#show mpls forwarding-table 150.0.0.1
> > > Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> > > tag    tag or VC   or Tunnel Id      switched   interface
> > > 19     18          150.0.0.0/24      0          Se1/0      point2point
> > >
> > > thanks,
> > >
> > >
> > > On Mon, Aug 11, 2008 at 9:51 AM, Oliver Boehmer (oboehmer)
> > > <oboehmer at cisco.com> wrote:
> > >
> > >
> > > Sergio,
> > >
> > > your config looks fine, so I don't know what's happening. Can you
> > > show a "show mpls ldp bindings 10.0.0.1 32" on the LDP neighbor(s)
> > > or a "show mpls forwarding interface <foo>" where <foo> is the
> > > neighbor's interface to PE1?
> > > No need to specify a "to <acl>" to select which neighbors you want to
> > > advertise this to in your case.
> > >
> > > oli
> > >
> > > Sergio D. <mailto:sdanelli at gmail.com> wrote on Monday, August 11,
> > > 2008 4:52 PM:
> > >
> > >
> > > > thanks for the response.
> > > > I am using 12.3(22) and "no mpls ldp advertise-labels" turns into
> > > > "no tag-switching advertise-tags" which I already have.
> > > > Oliver,
> > > > thanks for clearing up the assignment of the label, I guess that's
> > > > fine as long as it doesn't get advertised, which is what I am trying
> > > > to avoid. I did try it without the deny at the end, and the result
> > > > was the same.
> > > > Do I need an access-list listing my peers and apply that?
> > > >
> > > > TIA
> > > >
> > > >
> > > >
> > > > On Mon, Aug 11, 2008 at 2:24 AM, Paolo Lucente
> > > > <pl+list at pmacct.net> wrote:
> > > >
> > > > Hi Sergio,
> > > >
> > > > To add to what Oliver said, you may want to make sure
> > > > you have in the configuration a "no mpls ldp advertise-labels"
> > > > line. Without that, even if you configure a filter (which is
> > > > successfully matched, as you have shown), labels would still be
> > > > announced to adjacent LDP peers.
> > > >
> > > > Don't know if this could be your case; I did have to make use
> > > > of it to verify label filtering working on a 12.2SR while
> > > > trying to minimize exposure of our labels in an "Inter-AS" L2
> > > > MPLS VPN scenario.
> > > >
> > > >
> > > > no mpls ldp advertise-labels
> > > > mpls ldp advertise-labels for LDP-DEST to LDP-PEER
> > > > [ ... ]
> > > > mpls label protocol ldp
> > > > !
> > > > interface Loopback0
> > > >  ip address 192.168.100.4 255.255.255.255
> > > > !
> > > > ip access-list standard LDP-DEST
> > > >  permit 192.168.100.4
> > > > ip access-list standard LDP-PEER
> > > >  permit 192.168.100.1
> > > > !
> > > >
> > > > Cheers,
> > > > Paolo
> > > >
> > > >
> > > >
> > > > On Sun, Aug 10, 2008 at 09:50:34PM -0600, Sergio D. wrote:
> > > > > Hello,
> > > > > I am trying to filter LDP label bindings to only advertise my
> > > > > loopback address (for vpnv4 traffic) but I am unsure as to what
> > > > > the requirements are.
> > > > > Here is what I have:
> > > > > PE1#show ip route connected | in ^C
> > > > > C 1.1.1.0 is directly connected, Serial1/0
> > > > > C 10.0.0.1 is directly connected, Loopback0
> > > > > C 150.0.0.0 is directly connected, FastEthernet0/1
> > > > >
> > > > > PE1#sh run | in tag
> > > > > no tag-switching advertise-tags
> > > > > tag-switching advertise-tags for ldp-filter
> > > > >
> > > > > PE1#show access-lists ldp-filter
> > > > > Standard IP access list ldp-filter
> > > > >     10 permit 10.0.0.0, wildcard bits 0.0.0.255 (6 matches)
> > > > >     999 deny any (7 matches)
> > > > >
> > > > > matches?
> > > > >
> > > > > but still generates a binding for all my connected interfaces:
> > > > >
> > > > > PE1#show mpls ldp bindings 150.0.0.0 24
> > > > > tib entry: 150.0.0.0/24, rev 2
> > > > > local binding: tag: imp-null
> > > > > remote binding: tsr: 25.25.25.25:0, tag: 18
> > > > > PE1#
> > > > >
> > > > > And the other side tags it with a label:
> > > > >
> > > > > PE2#traceroute 150.0.0.1
> > > > >
> > > > > Type escape sequence to abort.
> > > > > Tracing the route to 150.0.0.1
> > > > >
> > > > > 1 1.1.1.5 [MPLS: Label 18 Exp 0] 16 msec 52 msec 24 msec
> > > > > 2 1.1.1.1 24 msec 52 msec *
> > > > >
> > > > > TIA,
> > > > >
> > > > > --
> > > > > Sergio Danelli
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Sergio Danelli
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Sergio
> >
> >
> >
> >
> >
> > --
> > Sergio
>
--
Sergio
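
The point made in the thread, that the advertisement filter has to be in place on every LDP speaker and not only on the originating PE, can be checked mechanically. The following Python audit is an added example, not part of the original messages: it scans running-config text per router for the two command spellings quoted above. The config fragments are constructed, and the undefined-ACL check is an extra not discussed in the thread.

```python
import re

# Both spellings appear in the thread: IOS 12.3 rewrites
# "mpls ldp advertise-labels" as "tag-switching advertise-tags".
CMD = r"(?:mpls ldp advertise-labels|tag-switching advertise-tags)"
DISABLE = re.compile(rf"^no {CMD}\s*$", re.M)
FILTER = re.compile(rf"^{CMD} for (\S+)(?: to (\S+))?\s*$", re.M)
ACL_DEF = re.compile(r"^(?:ip access-list standard|access-list) (\S+)", re.M)

# Constructed running-config fragments, one per LDP speaker.
CONFIGS = {
    "PE1": "no tag-switching advertise-tags\n"
           "tag-switching advertise-tags for ldp-filter\n"
           "ip access-list standard ldp-filter\n"
           " permit 10.0.0.0 0.0.0.255\n",
    "P":   "mpls label protocol ldp\n",
    "PE2": "mpls ldp advertise-labels for LDP-DEST to LDP-PEER\n"
           "ip access-list standard LDP-DEST\n"
           " permit 192.168.100.4\n",
}

def audit_speaker(config):
    """Return a list of findings for one speaker's running-config text."""
    findings = []
    filters = FILTER.findall(config)          # [(prefix_acl, peer_acl), ...]
    if not DISABLE.search(config):
        note = " despite the configured filter" if filters else ""
        findings.append("default advertisement not disabled: labels for "
                        "all prefixes are advertised" + note)
    defined = set(ACL_DEF.findall(config))
    referenced = {acl for pair in filters for acl in pair if acl}
    for acl in sorted(referenced - defined):
        findings.append(f"ACL {acl} referenced but not defined in this config")
    return findings

def audit_domain(configs):
    """Audit every speaker; return only the routers that have findings."""
    report = {}
    for name, config in configs.items():
        findings = audit_speaker(config)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for router, findings in audit_domain(CONFIGS).items():
        for finding in findings:
            print(f"{router}: {finding}")
```

With the constructed input, PE1 passes while the P router and PE2 are reported, which mirrors the situation in the thread where the middle speaker kept advertising a label for 150.0.0.0/24.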