07-04-2008 04:04 AM
Hi,
Do I really need to have an ACL for LDP (646) on the PE to allow LDP from valid PEs only, as part of control plane traffic filtering, because I don't really think it is possible for a CE to inject LDP traffic on a PE interface?
Regards,
Chintan
07-08-2008 04:54 AM
Chintan,
The PE would not establish an LDP session with the CE if the interface to the CE is not configured for it (mpls ip).
Regards,
07-08-2008 04:58 AM
Hi,
Yes, but if the CE just sends packets on TCP/UDP 646 to the PE, it can still cause a DoS attack and may impact PE performance. So is it worth having an ACL for port 646 to allow only the core network loopbacks (PE & P)?
Please suggest.
Regards,
Chintan
07-23-2008 01:42 PM
Hello Chintan,
The VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
If you want to specify all the acceptable LDP sources in a receive-ACL or in Control Plane Policing as part of a security plan, that will be another matter.
Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4 with labels session between PE and CE.
Hope to help
Giuseppe
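One way to express the allow-list discussed in this thread with Control Plane Policing, as an added example that is not from any poster here. All names, address ranges and the police rates are constructed placeholders: 192.0.2.0/27 stands in for the core (PE and P) loopbacks and 198.51.100.0/24 for the core link subnets.

```ios
! Added example; ACL/class/policy names and all addresses are assumptions.
! Trusted LDP: link hellos from core links, TCP sessions between core loopbacks.
ip access-list extended COPP-LDP-TRUSTED
 remark LDP link hellos (UDP 646 to all-routers multicast) from core links
 permit udp 198.51.100.0 0.0.0.255 host 224.0.0.2 eq 646
 remark LDP TCP session, local PE is the passive side (dst port 646)
 permit tcp 192.0.2.0 0.0.0.31 192.0.2.0 0.0.0.31 eq 646
 remark LDP TCP session, local PE is the active side (src port 646)
 permit tcp 192.0.2.0 0.0.0.31 eq 646 192.0.2.0 0.0.0.31
!
! Everything else that uses port 646 and reaches the route processor.
ip access-list extended COPP-LDP-ANY
 permit udp any any eq 646
 permit tcp any any eq 646
 permit tcp any eq 646 any
!
class-map match-all COPP-LDP-TRUSTED
 match access-group name COPP-LDP-TRUSTED
class-map match-all COPP-LDP-UNTRUSTED
 match access-group name COPP-LDP-ANY
!
! Classes are evaluated in order, so trusted LDP is matched first.
policy-map COPP-IN
 class COPP-LDP-TRUSTED
  ! Count only; nothing is dropped for trusted peers.
  police 512000 conform-action transmit exceed-action transmit
 class COPP-LDP-UNTRUSTED
  ! LDP from any other source never reaches the LDP process.
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-IN
```

`show policy-map control-plane` displays per-class counters, so hits on the untrusted class show whether anything outside the core is sending port 646 traffic to the PE.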