New Member

Control plane traffic filtering for LDP on PE routers

Hi,

Do I really need to have an ACL for LDP (646) on the PE to allow LDP from valid PEs only as part of control plane traffic filtering, because I don't really really it is possible for a CE to inject LDP traffic on a PE interface?

Regards,

Chintan

3 REPLIES
Cisco Employee

Re: Control plane traffic filtering for LDP on PE routers

Chintan,

The PE would not establish an LDP session with the CE if the interface to the CE is not configured for it (mpls ip).

Regards,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
New Member

Re: Control plane traffic filtering for LDP on PE routers

Hi,

Yes, but if a CE just sends packets on TCP/UDP 646 to the PE, there can still be a DoS attack, and it may impact PE performance. So is it worth having an ACL for port 646 to allow only core network loopbacks (PE & P)?

Please suggest.

Regards,

Chintan

Hall of Fame Super Silver

Re: Control plane traffic filtering for LDP on PE routers

Hello Chintan,

The VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.

So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.

If you want to specify all the acceptable LDP sources in a receive-ACL or in Control Plane Policing as part of a security plan, that will be another matter.

Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4 with labels session between PE and CE.

Hope to help

Giuseppe
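A sketch of the Control Plane Policing option mentioned in the last reply, added here as an example and not configuration posted by anyone in the thread. It permits LDP only from core sources and drops any other port 646 traffic that reaches the route processor. The address blocks, object names and police rates are placeholders chosen for illustration, and the UDP entries include the core link subnets because LDP link hellos are sourced from interface addresses, not loopbacks.

```cisco
! Constructed example. Placeholders (assumptions, not from the thread):
!   192.0.2.0/27     = PE and P loopback block
!   198.51.100.0/24  = core point-to-point link subnets
!   Police rates are illustrative; baseline real LDP load before enforcing.
!
ip access-list extended LDP-TRUSTED
 remark LDP sessions (TCP 646) between core loopbacks, both directions
 permit tcp 192.0.2.0 0.0.0.31 any eq 646
 permit tcp 192.0.2.0 0.0.0.31 eq 646 any
 remark LDP link hellos (UDP 646) come from core interface addresses
 permit udp 198.51.100.0 0.0.0.255 any eq 646
 remark LDP targeted hellos (UDP 646) come from loopbacks
 permit udp 192.0.2.0 0.0.0.31 any eq 646
!
ip access-list extended LDP-ANY
 remark Any remaining port 646 traffic, for example from a CE-facing link
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
!
class-map match-all COPP-LDP-TRUSTED
 match access-group name LDP-TRUSTED
class-map match-all COPP-LDP-UNTRUSTED
 match access-group name LDP-ANY
!
! Class order matters: trusted LDP is matched first, so the catch-all
! class below only ever sees port 646 traffic from non-core sources.
policy-map COPP-IN
 class COPP-LDP-TRUSTED
  police 512000 8000 8000 conform-action transmit exceed-action transmit
 class COPP-LDP-UNTRUSTED
  police 8000 1500 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-IN
```

After applying it, `show policy-map control-plane` shows per-class counters, so hits on COPP-LDP-UNTRUSTED reveal whether any non-core source is actually sending port 646 traffic to the PE.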
