Contributor
Posts: 37
Registered: ‎08-15-2012
0 Kudos

Limiting LDP targeted Sessions

I have been looking at a way of limiting the IP address from which the router will accept a targeted LDP session.

On IOS-XR I have the following:

mpls ldp
 address-family ipv4
  discovery targeted-hello accept from x.x.x.x/y

I can't find anything under the [protocols ldp] or firewall filters for the loopback interface?

Suggestions please.

Super Contributor
Posts: 65
Registered: ‎10-12-2009
0 Kudos

Re: Limiting LDP targeted Sessions

Enable Strict Targeted Hellos

http://www.juniper.net/documentation/en_US/junos13.2/topics/usage-guidelines/mpls-configuring-ldp-st...

You can also protect LDP sessions through TCP MD5:

http://www.juniper.net/techpubs/en_US/junos13.1/topics/usage-guidelines/mpls-configuring-miscellaneo...

As a last resort you can apply an RE protection filter to the lo0 interface, accepting LDP control packets only from predefined neighbors:

.........
            term Permited-LDP-Neighbor {
                from {
                    source-prefix-list {
                        LDP_Neighbors;
                        LDP_Neighbor_L2Circuits;
                    }
                    protocol [tcp udp];
                    destination-port ldp;
                }
                then accept;
            }
.......


Note that you can build the prefix lists dynamically (for example if you enable TCP MD5):

.....
    prefix-list LDP_Neighbors {
        apply-path "protocols ldp session <*>";
    }
    prefix-list LDP_Neighbor_L2Circuits {
        apply-path "protocols l2circuit neighbor <*>";
    }
.....


Regards,

Krasi
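
Added example, not part of the posts above: a small Python model of the Permited-LDP-Neighbor term, run over constructed inbound packets, to check which LDP traffic the term accepts when it matches `destination-port ldp` as posted versus `port ldp` (source or destination 646). The addresses and prefix-list contents are constructed stand-ins for what apply-path would generate; a packet this term does not accept falls through to whatever later terms the elided part of the filter contains.

```python
import ipaddress
from dataclasses import dataclass

LDP_PORT = 646  # the port name "ldp" is TCP/UDP 646

# Constructed stand-ins for the prefix lists that apply-path would build.
PREFIX_LISTS = {
    "LDP_Neighbors": ["192.0.2.1/32", "192.0.2.2/32"],
    "LDP_Neighbor_L2Circuits": ["192.0.2.3/32"],
}

@dataclass
class Packet:
    src: str
    proto: str
    sport: int
    dport: int

def in_prefix_lists(addr, names):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for n in names for p in PREFIX_LISTS[n])

def term_accepts(pkt, port_match="destination-port"):
    """Evaluate the single accept term against one packet arriving on lo0.

    port_match="destination-port" is the term as posted; "port" is the
    variant that matches 646 as either source or destination port.
    """
    if not in_prefix_lists(pkt.src, PREFIX_LISTS):
        return False
    if pkt.proto not in ("tcp", "udp"):
        return False
    if port_match == "destination-port":
        return pkt.dport == LDP_PORT
    return LDP_PORT in (pkt.sport, pkt.dport)

# Constructed packets as seen inbound on the router's lo0 filter.
SAMPLES = {
    "targeted hello, listed neighbor": Packet("192.0.2.1", "udp", 646, 646),
    "targeted hello, unlisted source": Packet("198.51.100.9", "udp", 646, 646),
    "session opened by listed neighbor": Packet("192.0.2.2", "tcp", 51000, 646),
    "reply on session we opened": Packet("192.0.2.2", "tcp", 646, 49152),
}

def evaluate(port_match):
    return {name: term_accepts(p, port_match) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for mode in ("destination-port", "port"):
        print(mode, evaluate(mode))
```

With `destination-port` the reply packets of a TCP session the local router opened (source port 646, ephemeral destination port) are not matched by this term, so another term in the filter has to accept them.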