LDP outbound Filtering

Ok, so I've set up filtering, and it was pretty easy. However, I'm having a hard time understanding the output of certain show commands. The only way I was able to tell that it was working properly was by capturing packets and making sure there was, or was not, a label present.

For example:
Garrus#show mpls ldp bindings neighbor 192.168.23.2 det 
Advertisement spec:
	Prefix acl = prefixes; Peer acl = peers

  tib entry: 1.1.1.0/24, rev 11
  tib entry: 2.2.2.0/24, rev 16
	remote binding: tsr: 2.2.2.2:0, tag: imp-null
	Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 3.3.3.0/24, rev 17
	remote binding: tsr: 2.2.2.2:0, tag: 16
	Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 192.168.12.0/24, rev 18
	remote binding: tsr: 2.2.2.2:0, tag: imp-null
	Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 192.168.23.0/24, rev 15

By looking at that, is there an easy way to tell which prefixes were filtered? Also, why does it even show up in the lfib if I'm filtering it?

Garrus#show mpls forwarding-table 
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
16     Pop tag     2.2.2.0/24        0          Fa0/0      192.168.23.2 
17     Pop tag     192.168.12.0/24   0          Fa0/0      192.168.23.2 
18     Untagged    1.1.1.0/24        0          Fa0/0      192.168.23.2 

*EDIT*

Does it show up in the lfib because of its ties with CEF? Because I can see in the CEF table that its outgoing is untagged.

Garrus#show ip cef 1.1.1.0 255.255.255.0 det
1.1.1.0/24, version 15, epoch 0, cached adjacency 192.168.23.2
0 packets, 0 bytes
  tag information set
    local tag: 18
  via 192.168.23.2, FastEthernet0/0, 0 dependencies
    next hop 192.168.23.2, FastEthernet0/0
    valid cached adjacency
    tag rewrite with Fa0/0, 192.168.23.2, tags imposed: {}
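
One way to answer the question above from the CLI text alone, as an added example that is not part of the original post: the Python below parses the two outputs quoted in the post and lists the tib entries with no remote binding from the peer, plus the LFIB rows forwarded Untagged. The function names are hypothetical, and reading a missing `remote binding` line as "no label learned from that peer" is an assumption drawn from this output.

```python
import re

# Constructed samples: the two outputs quoted in the post, whitespace normalised.
BINDINGS = """\
  tib entry: 1.1.1.0/24, rev 11
  tib entry: 2.2.2.0/24, rev 16
    remote binding: tsr: 2.2.2.2:0, tag: imp-null
    Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 3.3.3.0/24, rev 17
    remote binding: tsr: 2.2.2.2:0, tag: 16
    Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 192.168.12.0/24, rev 18
    remote binding: tsr: 2.2.2.2:0, tag: imp-null
    Advert acl(s): Prefix acl prefixes; Peer acl peers
  tib entry: 192.168.23.0/24, rev 15
"""
LFIB = """\
16     Pop tag     2.2.2.0/24        0          Fa0/0      192.168.23.2
17     Pop tag     192.168.12.0/24   0          Fa0/0      192.168.23.2
18     Untagged    1.1.1.0/24        0          Fa0/0      192.168.23.2
"""
ENTRY = re.compile(r"^\s*tib entry:\s*(\S+),\s*rev\s+\d+")
REMOTE = re.compile(r"^\s*remote binding:\s*tsr:\s*(\S+),\s*tag:\s*(\S+)")
LFIB_ROW = re.compile(r"^\s*(\d+)\s+(Pop tag|Untagged|\d+)\s+(\d+\.\d+\.\d+\.\d+/\d+)")

def parse_bindings(text):
    """Map each tib entry prefix to its list of (peer LSR id, label) remote bindings."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := ENTRY.match(line):
            current = entries.setdefault(m.group(1), [])
        elif current is not None and (m := REMOTE.match(line)):
            current.append((m.group(1), m.group(2)))
    return entries

def without_remote_binding(entries, peer):
    """Prefixes for which the output shows no label learned from `peer`."""
    return sorted(p for p, rb in entries.items() if all(lsr != peer for lsr, _ in rb))

def untagged_prefixes(text):
    """LFIB rows whose outgoing action is Untagged (forwarded without a label)."""
    rows = (LFIB_ROW.match(line) for line in text.splitlines())
    return [m.group(3) for m in rows if m and m.group(2) == "Untagged"]

if __name__ == "__main__":
    missing = without_remote_binding(parse_bindings(BINDINGS), "2.2.2.2:0")
    print("no remote binding from 2.2.2.2:0:", missing)
    print("untagged in LFIB:", untagged_prefixes(LFIB))
```

A prefix that appears in both lists (here 1.1.1.0/24) is routed via the peer but has no label from it; 192.168.23.0/24 is in the first list only, since it has no row in the forwarding table shown.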

Comments

  • networker050184 Posts: 11,962 Mod
    What does your config look like?
    An expert is a man who has made all the mistakes which can be made.
  • burbankmarc Posts: 460 Member
    What does your config look like?

    Well it's this lab:

    MPLS Label Filtering | MPLS

    I had to recreate it this morning, but now the filtering for 1.1.1.0/24 doesn't seem to work at all.
    
    Shepard#show running-config 
    Building configuration...
    
    Current configuration : 935 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Shepard
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    !
    no mpls ldp advertise-labels
    mpls ldp advertise-labels for prefixes to peers
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! 
    !
    !
    !
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
     ip ospf network point-to-point
    !
    interface FastEthernet0/0
     ip address 192.168.12.1 255.255.255.0
     duplex auto
     speed auto
     mpls ip
    !
    router ospf 1
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 0
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    ip access-list standard peers
     permit any
    ip access-list standard prefixes
     deny   1.1.1.0 0.0.0.255
     permit any
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end       
    


    
    Mordin#show run
    Building configuration...
    
    Current configuration : 1030 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Mordin
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    !
    no mpls ldp advertise-labels
    mpls ldp advertise-labels for prefixes to peers
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! 
    !
    !
    !
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.0
     ip ospf network point-to-point
    !
    interface FastEthernet0/0
     ip address 192.168.12.2 255.255.255.0
     duplex auto
     speed auto
     mpls ip
    !
    interface FastEthernet1/0
     ip address 192.168.23.2 255.255.255.0
     duplex auto
     speed auto
     mpls ip
    !
    router ospf 1
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 0
    !
    no ip http server
    no ip http secure-server
    !
    !
    !         
    !
    ip access-list standard peers
     permit any
    ip access-list standard prefixes
     deny   192.168.23.0
     permit any
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    



    
    Garrus#sh run
    Building configuration...
    
    Current configuration : 929 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Garrus
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    no ip domain lookup
    !
    !
    no mpls ldp advertise-labels
    mpls ldp advertise-labels for prefixes to peers
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! 
    !
    !
    !
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.0
     ip ospf network point-to-point
    !
    interface FastEthernet0/0
     ip address 192.168.23.3 255.255.255.0
     duplex auto
     speed auto
     mpls ip
    !
    router ospf 1
     log-adjacency-changes
     network 0.0.0.0 255.255.255.255 area 0
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    ip access-list standard peers
     permit any
    ip access-list standard prefixes
     deny   192.168.23.0
     permit any
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end       
    
  • networker050184 Posts: 11,962 Mod
    With the configuration you are using it's going to still allocate local labels, which is why it's in the lfib.

    I'm not sure why it's not working the second time though. Might try bouncing LDP.
    An expert is a man who has made all the mistakes which can be made.
  • burbankmarc Posts: 460 Member
    With the configuration you are using it's going to still allocate local labels, which is why it's in the lfib.

    I'm not sure why it's not working the second time though. Might try bouncing LDP.

    Yeah, I have noticed that LDP is a little flaky in GNS3 with this IOS image. Sometimes LDP won't even come up at all until I bounce the router.

    Any way to remove a local label on a particular prefix?
  • networker050184 Posts: 11,962 Mod
    An expert is a man who has made all the mistakes which can be made.
  • tomaifauchai Posts: 301 Member
    I went through this lab today and afaik the outbound prefix announcement filtering seems to work with the advertised-label command
    Shepard#sh mpls for
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Pop tag     2.2.2.0/24        0          Fa0/0      192.168.12.2
    17     Untagged    192.168.23.0/24   0          Fa0/0      192.168.12.2
    18     17          3.3.3.0/24        0          Fa0/0      192.168.12.2
    
    Mordin#sh mpls for
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Untagged    1.1.1.0/24        0          Fa0/0      192.168.12.1
    17     Pop tag     3.3.3.0/24        0          Fa1/0      192.168.23.3
    
    Garrus#sh mpls for
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Pop tag     192.168.12.0/24   0          Fa0/0      192.168.23.2
    17     Untagged    1.1.1.0/24        0          Fa0/0      192.168.23.2
    18     Pop tag     2.2.2.0/24        0          Fa0/0      192.168.23.2
    Garrus#
    
    no mpls ldp advertise-labels
    mpls ldp advertise-labels for 1 to 2
    access-list 1 deny   1.1.1.0 0.0.0.255
    access-list 1 deny   192.168.23.0 0.0.0.255
    access-list 1 permit any
    access-list 2 permit any
    
    Shepard#trace 3.3.3.3
    
    Type escape sequence to abort.
    Tracing the route to 3.3.3.3
    
      1 192.168.12.2 [MPLS: Label 17 Exp 0] 52 msec 56 msec 12 msec
      2 192.168.23.3 20 msec *  56 msec
    
    Shepard#trace 192.168.23.3
    
    Type escape sequence to abort.
    Tracing the route to 192.168.23.3
    
      1 192.168.12.2 36 msec 16 msec 4 msec
      2 192.168.23.3 16 msec *  60 msec
    
    I got exactly the same as you regarding the outgoing advertised labels but the local assignment is still there. I think the lab fulfilments are correct though!

    Networker050184 seems to have given the solution for it, have you tried it?
    Might be going to sleep right now, so I'll give it a shot tomorrow :D
    [X] - 350-001 (300h)
    [ ] - Lab exam (60h)
    Personal blog: http://www.tommyf.net/