MD5 adds a digest to every TCP segment sent out. This digest can be verified only by both LDP peers that are configured with the correct password. If one LSR has MD5 configured for LDP and the other not, the following message is logged:
%TCP-6-BADAUTH: No MD5 digest from 10.200.254.4(11092) to 10.200.254.3(646)
If both LDP peers have a password configured for MD5 but the passwords do not match, the following message is logged:
%TCP-6-BADAUTH: Invalid MD5 digest from 10.200.254.4(11093) to 10.200.254.3(646)
Controlling the Advertisement of Labels via LDP
LDP lets you control the advertisement of labels. You can configure LDP to advertise or not to advertise certain labels to certain LDP peers. You can then use the locally assigned labels that are advertised to the LDP peers as outgoing label on those LSRs. The syntax for this command is as follows:
mmm
mppppllsllsss llllddddpp pp aadaadddvvvveeeerrrrttittiiissesseee----llllaaaabbebbeeellsllsss [vvvvrrfrrfff vpn-name] [iiniinnnttetteeerrfrrfffaaaacccceeee interface | ffffooroorrr prefix-access-list [ttttoooo peer-access-list]]
Theprefix-access-listis a standard numbered access list (1–99) or named access list that lets you specify which prefixes should have a label advertised. The peer-access-listis a standard numbered access list (1–99) or named access list that lets you specify which LDP peers should receive the label advertisements. The LDP peers are matched by this access list if the first 4 bytes of the LDP router ID are covered by the prefixes listed in that access list. The usage of this command is to restrict in many cases the number of labels advertised to the prefixes that are really used for forwarding traffic through the MPLS network. For instance, in the case of MPLS VPN, the important prefixes to get the customer VPN traffic through the MPLS network are the BGP next-hop prefixes, which are usually the loopback interfaces on the PE routers. In that case, you can choose not to advertise the label bindings for the prefixes belonging to the other interfaces on the PE or P routers.
You cannot control the LDP advertisement of labels for LC-ATM networks with LDP deployed with the mpls ldp advertise-labels command. That is because LC-ATM networks use DoD instead of UD label advertisement mode. DoD has its own command to limit LDP label advertisement. The command mpls ldp request-labels is used instead of mpls ldp advertise-labelsfor LC-ATM interfaces.
NOTE You do not have to clear the LDP neighbor to which you apply the mpls ldp advertise-labels command for it to take effect.
In Figure 4-7, you can see the sample network again. Router sydney only advertises its own loopback 0 prefix and the one from router rome (prefixes 10.200.254.4/32 and 10.200.254.3/32) toward LDP peer madrid (LDP router ID 10.200.254.5).
Figure 4-7 Controlling LDP Advertisement
The needed configuration for this is printed in Example 4-17. Do not forget to configure no mpls ldp labels, too. If you forget this command and only configure the mpls ldp advertise-labels for prefix-access-listtopeer-access-listcommand, the LSR sydney still sends labels for all prefixes via LDP.
Example 4-17 Controlling LDP Advertisement: Configuration
!
Controlling the Advertisement of Labels via LDP 89
Only prefixes 10.200.254.3/32 and 10.200.254.4/32 are advertised to LDP peer 10.200.254.5 (router madrid). Example 4-18 shows the bindings on router sydney as a result of this filtering on label bindings.
Notice in Example 4-19 that all the other prefixes advertised from the router sydney to the router madrid have no more remote binding associated with them.
In the LFIB of router madrid, the two prefixes 10.200.254.3/32 and 10.200.254.4/32 have a valid outgoing label, whereas the other prefixes have ‘No label’ associated with them as outgoing labels.
You can see the LFIB on router madrid in Example 4-20.
Example 4-18 Controlling LDP Advertisement
sydney#sssshhhhooooww ww mmpmmpppllllssss lldlldddpp pp bbbbiiiinnnnddiddiiinngnngggssss aaaaddvddvvveereerrrttttiiiisssseemeemmmeeneennntttt----aaaacclcclllss ss Advertisement spec:
Prefix acl = 1; Peer acl = 2
lib entry: 10.10.100.33/32, rev 28 lib entry: 10.200.211.0/24, rev 15 lib entry: 10.200.254.3/32, rev 21
Advert acl(s): Prefix acl 1; Peer acl 2 lib entry: 10.200.254.4/32, rev 2
Advert acl(s): Prefix acl 1; Peer acl 2 lib entry: 10.200.254.5/32, rev 23
lib entry: 10.200.254.6/32, rev 25
…
Example 4-19 Bindings on LSR Madrid for Neighbor 10.200.254.4
madrid#sssshhhhooooww ww mmpmmpppllllssss lldlldddpp pp bbbbiiiinnnnddiddiiinngnngggssss nnnneeieeiiigghgghhhbbbboooorrrr 111100.00...222200000000..2..22255455444....4444 ddeddeeettattaaaiiiillll lib entry: 10.200.210.0/24, rev 34
lib entry: 10.200.211.0/24, rev 14
lib entry: 10.200.254.3/32, rev 24, chkpt: none remote binding: lsr: 10.200.254.4:0, label: 21 lib entry: 10.200.254.4/32, rev 26, chkpt: none
remote binding: lsr: 10.200.254.4:0, label: imp-null lib entry: 10.200.254.5/32, rev 7
lib entry: 10.200.254.6/32, rev 28
…
Example 4-20 LFIB on LSR Madrid
madrid#sssshhhhooooww ww mmpmmpppllllssss ffoffooorrwrrwwwaaaarrrrddddiiniinnngg-gg---ttttaaaabbbbllelleee
Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 16 No Label 10.200.218.0/24 0 Se4/0 point2point 17 No Label 10.200.211.0/24 0 Se4/0 point2point
continues
The Cisco IOS LDP implementation allows you to specify more than one mpls ldp advertise-labels forprefix-access-listtopeer-access-listcommand. This brings greater flexibility when you are deciding which label bindings to send to which LDP peers.
Example 4-21 is the same as the previous one, with the addition of another mpls ldp advertise-labels forprefix-access-listtopeer-access-list command in the configuration of the router. Now the router sydney advertises only the label bindings for the two prefixes to 10.200.254.5 and all label bindings for all prefixes to all the other LDP peers.