From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon Mar 19 2007 - 20:13:03 ART
In addition to authentication you can create an inbound
access-list that only permits LDP/TDP from the neighbors you are
authenticating. There are some examples of this in the Internetwork
Expert SP workbook such as follows:
interface GigabitEthernet0/0
 ip access-group LDP in
!
ip access-list extended LDP
 remark LDP hellos only from R4's link address to the all-routers group
 permit udp host 20.1.46.4 eq 646 host 224.0.0.2 eq 646
 remark LDP session between the loopbacks, whichever side opened the TCP connection
 permit tcp host 20.1.4.4 host 20.1.6.6 eq 646
 permit tcp host 20.1.4.4 eq 646 host 20.1.6.6
 remark any other LDP hello or session attempt is dropped and logged
 deny udp any eq 646 host 224.0.0.2 eq 646 log
 deny tcp any any eq 646 log
 deny tcp any eq 646 any log
 remark everything else (IGP, data plane) still passes
 permit ip any any
R6 expects LDP hellos to come in from R4's interface address
20.1.46.4. Once they discover each other via UDP multicasts their
unicast TCP session is based off of their Loopback interfaces 20.1.4.4
and 20.1.6.6. All other attempts at LDP adjacency are denied and
logged. Of course this assumes that you can use an access-list, which
the original post says to do the config without.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP)
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
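To make the access-list above concrete, here is an added example (my code, not from the post or the Internetwork Expert workbook): a small Python evaluator for the subset of IOS extended-ACL syntax the list uses (host/any, eq <port>, log), run over constructed packets as R6 would see them inbound on Gi0/0. The addresses are the post's; the packets, the port numbers and the names such as check_ldp_acl are assumptions made for the example.

```python
"""Evaluate the posted LDP access-list against constructed inbound packets.

Added example, not code from the original post: an evaluator for the subset
of IOS extended ACL syntax the post uses (host/any, eq <port>, log).
"""
from dataclasses import dataclass
from typing import Optional

# The access-list exactly as it appears in the post.
LDP_ACL = """
permit udp host 20.1.46.4 eq 646 host 224.0.0.2 eq 646
permit tcp host 20.1.4.4 host 20.1.6.6 eq 646
permit tcp host 20.1.4.4 eq 646 host 20.1.6.6
deny udp any eq 646 host 224.0.0.2 eq 646 log
deny tcp any any eq 646 log
deny tcp any eq 646 any log
permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", or another IP protocol name
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp", or "ip" (matches any protocol)
    src: str              # host address or "any"
    sport: Optional[int]  # None means any port
    dst: str
    dport: Optional[int]
    log: bool

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def parse_entry(line: str) -> Entry:
    """Parse one 'permit|deny <proto> <src> [eq p] <dst> [eq p] [log]' line."""
    tok = line.split()
    pos = 2

    def addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    log = pos < len(tok) and tok[pos] == "log"
    return Entry(tok[0], tok[1], src, sport, dst, dport, log)


def parse_acl(text: str) -> list:
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, pkt: Packet):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action, entry.log
    return "deny", False


def check_ldp_acl() -> dict:
    """Run constructed packets (not captures) through the ACL as R6 sees them inbound."""
    acl = parse_acl(LDP_ACL)
    packets = {
        # R4's hello from its link address to the all-routers group
        "r4_hello": Packet("udp", "20.1.46.4", "224.0.0.2", 646, 646),
        # R4 opens the session to R6's loopback (R4 active, ephemeral source port)
        "r4_opens_session": Packet("tcp", "20.1.4.4", "20.1.6.6", 11001, 646),
        # R6 opened the session, so inbound segments come from R4's port 646
        "r6_opened_session": Packet("tcp", "20.1.4.4", "20.1.6.6", 646, 32001),
        # Hello from an unexpected link address (e.g. a new PE on the segment)
        "rogue_hello": Packet("udp", "20.1.46.9", "224.0.0.2", 646, 646),
        # Unexpected peer trying to open a session to R6's loopback
        "rogue_session": Packet("tcp", "20.1.46.9", "20.1.6.6", 40000, 646),
        # TDP uses port 711, which this ACL never mentions
        "tdp_hello": Packet("udp", "20.1.46.9", "224.0.0.2", 711, 711),
        # Non-LDP traffic (e.g. the IGP) must keep flowing
        "igp": Packet("ospf", "20.1.46.4", "224.0.0.5"),
    }
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, log) in check_ldp_acl().items():
        print(f"{name:18} {action}{' (logged)' if log else ''}")
```

Two things the walk-through shows that the list alone does not. LDP's active/passive rule is that the peer with the higher transport address opens the TCP connection, so with 20.1.6.6 > 20.1.4.4 it is R6 that connects, and the third permit line (source port 646 from 20.1.4.4) is the one that actually carries R6's inbound session traffic; the second line covers the opposite role. And because the list only matches port 646, a TDP hello on UDP 711 falls through to "permit ip any any", so if TDP rather than LDP is in use the deny lines need 711 entries as well. The list also filters on source address only, so it complements the MD5 password rather than replacing it.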
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jian Gu
Sent: Monday, March 19, 2007 5:29 PM
To: Robert McCallum
Cc: Dishan Gamage; Cisco certification; Cisco certification
Subject: Re: mpls ldp authentication question !!
Dear senior consultant,
You are blocking (IGP) adjacency with the other one to prevent the LDP session
from forming? Nice solution.
So is LDP authentication a valid solution or not?
On 3/19/07, Robert McCallum <RMcCallum@thrupoint.net> wrote:
>
> Really? Are you sure? Think about it!! Come on, think about this: how can
> you stop a router forming an ADJACENCY with the other one? Who cares
> about LDP - stop it before ldp even has a chance to get in there.
>
> OR use the new command - bearing in mind I sat my lab over a year ago ;-)
> Robert McCallum
> Senior Consultant
> Mobile : +44(0)7818002241
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Jian Gu
> > Sent: 19 March 2007 19:47
> > To: Robert McCallum
> > Cc: Dishan Gamage; Cisco certification; Cisco certification
> > Subject: Re: mpls ldp authentication question !!
> >
> > How does an IGP global command have anything to do with LDP
> > authentication? You must be mistaken.
> >
> > On 3/19/07, Robert McCallum <RMcCallum@thrupoint.net> wrote:
> > >
> > > Hmm I thought I had replied to this. Oh well - Clue: Check your IGP
> > > Global commands.
> > >
> > > Robert McCallum
> > > Senior Consultant
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Dishan Gamage
> > > > Sent: 19 March 2007 11:44
> > > > To: Cisco certification; Cisco certification
> > > > Subject: mpls ldp authentication question !!
> > > >
> > > > Hi Group
> > > >
> > > >
> > > >
> > > > I have PE1 & PE2 configured to use md5 for LDP, working fine...
> > > >
> > > > PE1
> > > >
> > > > mpls ldp neighbor 172.16.12.2 password abcdef
> > > >
> > > >
> > > > PE2
> > > >
> > > > mpls ldp neighbor 172.16.12.1 password abcdef
> > > >
> > > >
> > > > the question says to block a new PE (e.g. PE3) from joining the MPLS
> > > > domain without using an ACL
> > > >
> > > > I see that when PE3 boots up it also establishes LDP neighbor
> > > > relationships...
> > > >
> > > > can someone explain how this can be done ??
> > > >
> > > > tks in advance
> > > > dishan
> > > >
> > > >
> > > > _____________________________________________________________________
> > > > Subscription information:
> > > > http://www.groupstudy.com/list/comserv.html
> > >
> > >
> > >
> > > Note: The information contained in this message may be privileged and
> > > confidential and protected from disclosure. If the reader of this
> > > message is not the intended recipient, or an employee or agent
> > > responsible for delivering this message to the intended recipient, you
> > > are hereby notified that any dissemination, distribution or copying of
> > > this communication is strictly prohibited. If you have received this
> > > communication in error, please notify us immediately by replying to the
> > > message and deleting it from your computer.
> > > Thank you. ThruPoint Ltd.
> > >
> > >
>
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART