Task 4.2 LDP Filtering

Hi,

I implemented the solution in the solution guide for filtering only LDP information between R3 and R6. Using that config did not work for me. R6 was a downstream neighbor and when he would try to communicate with R3 the ACL would deny that request... Here is my R3 log:

*Jan 18 11:08:16.587: %SEC-6-IPACCESSLOGP: list LDP denied tcp 24.6.6.6(57608) -> 24.6.3.3(646), 15 packets


R6 was using TCP port 57608. To get this to work, here is what I did. BTW, I'm using my Rack 6, so that is why you see 24.6.x.x.

R3

ip access-list extended LDP
permit udp host 24.6.36.6 eq 646 host 224.0.0.2 eq 646 log
permit tcp host 24.6.6.6 host 24.6.3.3 log
deny udp any any eq 646 log
deny tcp any any eq 646 log
deny tcp any eq 646 any log
permit ip any any log

R6

ip access-list extended LDP
permit udp host 24.6.36.3 eq 646 host 224.0.0.2 eq 646 log
permit tcp host 24.6.3.3 host 24.6.6.6 log
deny udp any any eq 646 log
deny tcp any eq 646 any log
deny tcp any any eq 646 log
permit ip any any log

Would this be a correct solution?
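The logged deny comes down to how IOS walks an extended ACL: first match wins, and a `permit tcp ... eq 646 host ...` entry only matches when the *source* port is 646, which is true only for the side that did not initiate the LDP session. The following is an added example (not the poster's or INE's code) that replays the packet from the posted log line against the R3 access-list above and against a constructed one-way variant that mirrors the guide's `permit tcp host X eq 646 host Y` line in the poster's 24.6.x.x addressing. It implements only the ACL syntax used in this thread (`host`/`any`, optional `eq PORT`, `log`) and IOS first-match semantics with the implicit deny; the `ONE_WAY_ACL`, `OTHER_HELLO` and port values other than those in the log are constructed for illustration.

```python
"""Evaluator for the IOS extended-ACL subset used in this thread (added example).

Replays the packet from the posted %SEC-6-IPACCESSLOGP line against the poster's
R3 ACL and against a constructed one-way variant, showing why a permit that pins
the *source* port to 646 misses a session the far end initiated.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "udp"
    src: str                # "any" or a host address
    sport: Optional[int]    # port after "eq", or None for any port
    dst: str
    dport: Optional[int]
    log: bool


def _endpoint(tokens: List[str]):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, tokens = "any", tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError("only 'any' and 'host' endpoints are supported here")
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return addr, port, tokens


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport, rest = _endpoint(rest)
    dst, dport, rest = _endpoint(rest)
    return Ace(action, proto, src, sport, dst, dport, log=(rest == ["log"]))


def parse_acl(text: str) -> List[Ace]:
    """Return the ACEs of an 'ip access-list extended' block, in order."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list") or line == "!":
            continue
        aces.append(parse_ace(line))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl_text: str, pkt: Packet) -> Tuple[str, int, bool]:
    """First matching ACE wins; fall through to the implicit deny (line 0)."""
    for number, ace in enumerate(parse_acl(acl_text), start=1):
        if matches(ace, pkt):
            return ace.action, number, ace.log
    return "deny", 0, False


# The poster's R3 access-list, copied from the thread.
R3_ACL = """
ip access-list extended LDP
 permit udp host 24.6.36.6 eq 646 host 224.0.0.2 eq 646 log
 permit tcp host 24.6.6.6 host 24.6.3.3 log
 deny udp any any eq 646 log
 deny tcp any any eq 646 log
 deny tcp any eq 646 any log
 permit ip any any log
"""

# Constructed variant: the TCP permit only matches when R6 sources from 646,
# i.e. only when R3 is the side that opened the LDP session.
ONE_WAY_ACL = """
ip access-list extended LDP
 permit udp host 24.6.36.6 eq 646 host 224.0.0.2 eq 646 log
 permit tcp host 24.6.6.6 eq 646 host 24.6.3.3 log
 deny udp any any eq 646 log
 deny tcp any any eq 646 log
 deny tcp any eq 646 any log
 permit ip any any log
"""

# The packet from the posted log line: R6 opens the session from port 57608.
LOGGED_SESSION = Packet("tcp", "24.6.6.6", 57608, "24.6.3.3", 646)
# Link-local LDP hello from R6's interface address (as permitted by the ACL).
R6_HELLO = Packet("udp", "24.6.36.6", 646, "224.0.0.2", 646)
# Constructed hello from an address that is not R6's interface.
OTHER_HELLO = Packet("udp", "24.6.36.9", 646, "224.0.0.2", 646)


if __name__ == "__main__":
    for name, acl in (("poster's R3 ACL", R3_ACL), ("one-way ACL", ONE_WAY_ACL)):
        for label, pkt in (("logged session", LOGGED_SESSION),
                           ("R6 hello", R6_HELLO), ("other hello", OTHER_HELLO)):
            action, line, log = evaluate(acl, pkt)
            print(f"{name:16} {label:14} -> {action} (line {line}"
                  f"{', logged' if log else ''})")
```

Run as a script it prints one verdict per ACL/packet pair: the logged session is permitted on line 2 of the poster's ACL but hits `deny tcp any any eq 646` (line 4) of the one-way variant, which is exactly the deny the syslog reported. A hello from an address other than R6's interface is dropped by `deny udp any any eq 646`, so the `log` entries on those deny lines are what gives you visibility of unexpected LDP peers on the link.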

Comments

  • Your config is correct but it ultimately depends on what your transport address is. First you need to permit the UDP multicast hello from the other end of the link. This will be from their interface address going to 224.0.0.2 at port 646. Once the neighbors discover each other then they negotiate the transport address. By default it will be the interface used for the LDP router-id, but can be changed at the interface level per the solution. In cases where you are authenticating or matching LDP/TDP traffic it's a good idea to do this just in case some new addressing gets added or changed later in the lab requirements.


    HTH,
  • Quote:


    *Jan 18 11:08:16.587: %SEC-6-IPACCESSLOGP: list LDP denied tcp 24.6.6.6(57608) -> 24.6.3.3(646), 15 packets



    This should be permitted by the solution's access-list as follows:

    R3:
    interface Ethernet0/0
    ip access-group CONTROL_LDP in
    mpls ldp discovery transport-address 24.1.3.3
    !
    ip access-list extended CONTROL_LDP
    permit udp host 24.1.36.6 eq 646 host 224.0.0.2 eq 646
    permit tcp host 24.1.6.6 eq 646 host 24.1.3.3
    permit tcp host 24.1.6.6 host 24.1.3.3 eq 646 <-------------
    deny udp any any eq 646
    deny tcp any any eq 646
    deny tcp any eq 646 any
    permit ip any any
  • Brian,

    Maybe a silly question, but why can't we just use the "mpls ldp advertise-labels for " command on R3/R6 to only accept LDP from each other?
    Rgds
    D.