
Control plane traffic filtering for LDP on PE routers

chintan-shah
Level 3

Hi,

Do I really need to have an ACL for LDP (646) on the PE to allow LDP from valid PEs only, as part of control plane traffic filtering? I don't really think it is possible for a CE to inject LDP traffic on a PE interface.

Regards,

Chintan

3 Replies

Harold Ritter
Cisco Employee

Chintan,

The PE would not establish an LDP session with the CE if the interface to the CE is not configured for it (mpls ip).

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi,

Yes, but if the CE just sends packets on TCP/UDP 646 to the PE, there can still be a DoS attack and it may impact PE performance. So is it worth having an ACL for port 646 to allow only the core network loopbacks (PE & P)?

Please suggest.

Regards,

Chintan

Hello Chintan,

The VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.

So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.

If you want to specify all the acceptable LDP sources in a receive-ACL or in Control Plane Policing as part of a security plan, that will be another matter.

Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.

Hope to help

Giuseppe
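
The control plane policing option raised in the last reply could look like the following in classic Cisco IOS syntax. This is an added example, not configuration posted by anyone in the thread; the two address ranges, all object names and the police rate are constructed placeholders.

```cisco
! Constructed placeholders:
!   192.0.2.0/24    = PE/P loopbacks used as LDP transport addresses
!   198.51.100.0/24 = core-facing link subnets
ip access-list extended ACL-LDP-CORE
 remark TCP 646 session between transport addresses, either side may initiate
 permit tcp 192.0.2.0 0.0.0.255 any eq 646
 permit tcp 192.0.2.0 0.0.0.255 eq 646 any
 remark UDP 646 link hellos are sourced from the core link address
 permit udp 198.51.100.0 0.0.0.255 any eq 646
 remark Targeted hellos, if used, are sourced from loopbacks
 permit udp 192.0.2.0 0.0.0.255 any eq 646
!
ip access-list extended ACL-LDP-OTHER
 remark Any remaining port 646 traffic, e.g. arriving from a CE-facing link
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
!
class-map match-all CM-LDP-CORE
 match access-group name ACL-LDP-CORE
class-map match-all CM-LDP-OTHER
 match access-group name ACL-LDP-OTHER
!
policy-map PM-COPP-LDP
 ! Classes are evaluated in order, so trusted peers must come first.
 class CM-LDP-CORE
  ! Assumed rate; transmit on exceed only counts until a baseline is known.
  police 256000 8000 conform-action transmit exceed-action transmit
 class CM-LDP-OTHER
  drop
!
control-plane
 service-policy input PM-COPP-LDP
```

Permitting only loopbacks, as the question proposes, would drop LDP link hellos, because those are sent from the interface address rather than the loopback; `show policy-map control-plane` shows the per-class counters for checking this before any drop action is tightened.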
