
Limiting LDP targeted Sessions

‎11-04-2014 02:00 AM

I have been looking at a way of limiting the IP address from which the router will accept a targeted LDP session.

 

On IOS-XR I have the following:

mpls ldp
   address-family ipv4
        discovery targeted-hello accept from  x.x.x.x/y

I can't find anything under the [protocols ldp] or firewall filters for the loopback interface?

Suggestions please.

1 REPLY

Re: Limiting LDP targeted Sessions

‎11-06-2014 01:09 AM

Enable Strict Targeted Hellos

http://www.juniper.net/documentation/en_US/junos13.2/topics/usage-guidelines/mpls-configuring-ldp-st...

 

You can also protect LDP sessions through TCP MD5:

http://www.juniper.net/techpubs/en_US/junos13.1/topics/usage-guidelines/mpls-configuring-miscellaneo...

 

As a last resort you can apply an RE protection filter to the lo0 interface, accepting LDP control packets only from predefined neighbors:

.........
            term Permited-LDP-Neighbor {
                from {
                    source-prefix-list {
                        LDP_Neighbors;
                        LDP_Neighbor_L2Circuits;
                    }
                    protocol [tcp udp];
                    destination-port ldp;
                }
                then accept;
            }
.......

 

Note that you can build the prefix list dynamically (for example if you enable TCP MD5):

.....
    prefix-list LDP_Neighbors {
        apply-path "protocols ldp session <*>";
    }
    prefix-list LDP_Neighbor_L2Circuits {
        apply-path "protocols l2circuit neighbor <*>";
    }
.....

 

Regards,

Krasi
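
Added example, not part of the reply above or of Juniper's documentation: the LDP portion of a lo0 filter written out in full, generalized beyond the reply's single term so that it also passes return traffic on sessions this router opens and multicast link hellos before discarding all remaining LDP packets. The filter name PROTECT-RE, the counter name ldp-denied and the term names are placeholders; the prefix list is the one from the reply.

```junos
/* Added example: PROTECT-RE, ldp-denied and the term names are placeholders. */
policy-options {
    prefix-list LDP_Neighbors {
        apply-path "protocols ldp session <*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* "port" matches source or destination port 646, so replies on
               TCP sessions opened by this router pass as well. */
            term Permitted-LDP-Neighbor {
                from {
                    source-prefix-list {
                        LDP_Neighbors;
                    }
                    protocol [ tcp udp ];
                    port ldp;
                }
                then accept;
            }
            /* Link hellos are sourced from interface addresses, not from the listed neighbors. */
            term LDP-Link-Hellos {
                from {
                    destination-address {
                        224.0.0.2/32;
                    }
                    protocol udp;
                    destination-port ldp;
                }
                then accept;
            }
            /* Everything else on the LDP port is counted and dropped. */
            term Discard-Other-LDP {
                from {
                    protocol [ tcp udp ];
                    port ldp;
                }
                then {
                    count ldp-denied;
                    discard;
                }
            }
        }
    }
}
```

A Junos firewall filter ends with an implicit discard, so the accept terms for the router's other control-plane traffic have to be in place before this filter is applied as an input filter on lo0.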