Solved: MPLS ingress LER

pierreteddysmith · ‎07-30-2014

Hi,

How to deny packets with labels on a ingress LER?

For example, if a LER receives a labeled packet, may it refuses this packet?

If you have documents, rfc, which refers to this mechanism, I am interested

Thx

P.

Akash Agrawal · ‎07-31-2014

Hi,

If you receive labeled packet on an interface which is not MPLS interface (like PE-CE) or may be with wrong label, packet will be discarded.

http://www.faqs.org/rfcs/rfc4381.html

For security reasons, a PE router should never accept a packet with a
   label from a CE router.

http://www.faqs.org/rfcs/rfc3031.html

3.18. Invalid Incoming Labels

   What should an LSR do if it receives a labeled packet with a
   particular incoming label, but has no binding for that label?  It is
   tempting to think that the labels can just be removed, and the packet
   forwarded as an unlabeled IP packet.  However, in some cases, doing
   so could cause a loop.  If the upstream LSR thinks the label is bound
   to an explicit route, and the downstream LSR doesn't think the label
   is bound to anything, and if the hop by hop routing of the unlabeled
   IP packet brings the packet back to the upstream LSR, then a loop is
   formed.

   It is also possible that the label was intended to represent a route
   which cannot be inferred from the IP header.

   Therefore, when a labeled packet is received with an invalid incoming
   label, it MUST be discarded, UNLESS it is determined by some means
   (not within the scope of the current document) that forwarding it
   unlabeled cannot cause any harm.

View solution in original post

Akash Agrawal · ‎07-30-2014

Hi,

Please explain your requirement clearly. If a router is advertising label then only it will receive labeled packets. If you don't advertise label then you wont receive traffic. We can control advertising label for particular prefix with help of command

mpls ldp advertise-labels

To control the distribution of locally assigned (incoming) labels by means of label distribution protocol (LDP), use the mpls ldp advertise-labelscommand in global configuration mode. To disable this feature, use the no form of this command.

mpls ldp advertise-labels [ vrf vpn-name ] [ interface interface | for prefix-access-list [ to peer-access-list ] ]

no mpls ldp advertise-labels [ vrf vpn-name ] [ interface interface | for prefix-access-list [ to peer-access-list ] ]

-Akash

pierreteddysmith · ‎07-31-2014

Thank for your reply.

I would like to know if an ingress LER can accept labelled packet from a CE.

I know that normally, a CE send an IP packet (unlabelled) and the LER push a tag. But if a CE sends a labelled packet what happen?

P.

Akash Agrawal · ‎07-31-2014

Hi,

If you receive labeled packet on an interface which is not MPLS interface (like PE-CE) or may be with wrong label, packet will be discarded.

http://www.faqs.org/rfcs/rfc4381.html

For security reasons, a PE router should never accept a packet with a
   label from a CE router.

http://www.faqs.org/rfcs/rfc3031.html

3.18. Invalid Incoming Labels

   What should an LSR do if it receives a labeled packet with a
   particular incoming label, but has no binding for that label?  It is
   tempting to think that the labels can just be removed, and the packet
   forwarded as an unlabeled IP packet.  However, in some cases, doing
   so could cause a loop.  If the upstream LSR thinks the label is bound
   to an explicit route, and the downstream LSR doesn't think the label
   is bound to anything, and if the hop by hop routing of the unlabeled
   IP packet brings the packet back to the upstream LSR, then a loop is
   formed.

   It is also possible that the label was intended to represent a route
   which cannot be inferred from the IP header.

   Therefore, when a labeled packet is received with an invalid incoming
   label, it MUST be discarded, UNLESS it is determined by some means
   (not within the scope of the current document) that forwarding it
   unlabeled cannot cause any harm.

pierreteddysmith · ‎08-01-2014

Ok thx you for your answer.