Control plane traffic filtering for LDP on PE routers

Jul 4th, 2008

Hi,


Do I really need to have an ACL for LDP (646) on the PE to allow LDP from valid PEs only as part of control plane traffic filtering? I don't really think it is possible for a CE to inject LDP traffic on the PE interface.


Regards,

Chintan

Harold Ritter (Cisco Employee) Tue, 07/08/2008 - 04:54

Chintan,


The PE would not establish an LDP session with the CE if the interface to the CE is not configured for it (mpls ip).


Regards,

chintan-shah Tue, 07/08/2008 - 04:58

Hi,


Yes, but if the CE just sends packets on TCP/UDP 646 to the PE, it can still mount a DoS attack and may impact PE performance. So is it worth having an ACL for port 646 to allow only the core network loopbacks (PE & P)?


Please suggest.


Regards,

Chintan

Giuseppe Larosa Wed, 07/23/2008 - 13:42

Hello Chintan,

The VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.

So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.


If you want to specify all the acceptable LDP sources in a receive ACL or in Control Plane Policing as part of a security plan, that is another matter.

Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.


Hope this helps

Giuseppe
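The receive-ACL / CoPP option Giuseppe mentions, shown as an added IOS configuration example (not from the thread or from Cisco documentation): LDP packets (TCP and UDP 646) sourced from the trusted PE/P loopback range are left alone, and any other LDP traffic reaching the route processor is policed to zero. The loopback range 10.255.0.0/24 and all object names are constructed for the example.

```cisco
! Constructed example: core PE/P loopbacks are assumed to live in 10.255.0.0/24.
! In a CoPP class ACL, "deny" means "not part of this class", so the trusted
! sources are excluded first and every other LDP packet is matched.
ip access-list extended LDP-UNTRUSTED
 deny   tcp 10.255.0.0 0.0.0.255 any eq 646
 deny   tcp 10.255.0.0 0.0.0.255 eq 646 any
 deny   udp 10.255.0.0 0.0.0.255 any eq 646
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
!
class-map match-all COPP-LDP-UNTRUSTED
 match access-group name LDP-UNTRUSTED
!
policy-map COPP
 ! Drop LDP from anything that is not a trusted core loopback.
 class COPP-LDP-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
 ! Everything else keeps a sane ceiling so a flood cannot starve the RP.
 class class-default
  police 1000000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Use `show policy-map control-plane` to confirm the untrusted-LDP class is counting drops only for traffic you did not expect; any conform/exceed hits from a CE-facing address point at exactly the kind of injection attempt the thread is asking about.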
