03-31-2022 02:26 PM
Hello,
I am trying to understand the use of the 'mpls ldp password required' command. If I configure just the 'fallback' command but not the 'required' command, LDP authentication still works. Then what is the use of the 'required' command?
Thanks,
Sachin
03-31-2022 05:03 PM
That should not be the case. What router and OS are you using?
I just spun up a very basic network. R1 connects to R2 on G0/0. These are vIOS images running 15.8(3)M2
Here are the router configs with R1 set up to have fallback password only - R2 does not have any password config set up.
R1 config
R1#sh run int g0/0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 mpls ip
end
R1#sh run | i mpls ldp
mpls ldp password fallback cisco
R1#sh mpls ldp neigh det
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.54779 - 10.0.0.1.646
        Password: not required, fallback, stale
        State: Oper; Msgs sent/rcvd: 14/14; Downstream; Last TIB rev sent 2
        Up time: 00:09:09; UID: 1; Peer Id 0;
        LDP discovery sources:
          GigabitEthernet0/0; Src IP addr: 10.0.0.2
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          10.0.0.2
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
R1#
R2 config
R2#sh run int g0/0
Building configuration...
Current configuration : 122 bytes
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 mpls ip
end
R2#sh run | i mpls ldp
R2#sh mpls ldp neigh det
    Peer LDP Ident: 10.0.0.1:0; Local LDP Ident 10.0.0.2:0
        TCP connection: 10.0.0.1.646 - 10.0.0.2.54779
        Password: not required, none, in use
        State: Oper; Msgs sent/rcvd: 20/20; Downstream; Last TIB rev sent 2
        Up time: 00:14:42; UID: 1; Peer Id 0;
        LDP discovery sources:
          GigabitEthernet0/0; Src IP addr: 10.0.0.1
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          10.0.0.1
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
R2#
As you can see in the R1 config, I have configured the fallback command globally but the neighborship is up and the password is not required.
Here is the result of me adding the 'required' command globally on R1 (R2 still does not have any mpls ldp password config). As you can see, the neighborship instantly goes down.
R1 config (NOTE: the syslog message will continue to show up until I either configure the password on R2 or set R1 to not require password)
R1(config)#mpls ldp password required
R1(config)#
*Mar 31 23:58:01.712: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN (Session's MD5 password changed)
*Mar 31 23:58:03.217: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
*Mar 31 23:58:05.216: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
*Mar 31 23:58:09.216: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
R1#
R1#
R2 config
R2#
*Mar 31 23:58:02.117: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.1:0 (1) is DOWN (Received error notification from peer: Holddown time expired)
R2#
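An added example, not part of the original posts: a small Python audit that reads the "Password:" line of 'sh mpls ldp neigh det' output and flags sessions that are up without enforced authentication, as in the lab above. The second peer (10.0.0.3) is constructed for contrast, and the wording of the findings is this example's reading of the output shown in the thread.

```python
import re

# Constructed sample: first peer trimmed from the R1 output above,
# second peer (10.0.0.3) invented to show a compliant session.
SAMPLE = """\
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.54779 - 10.0.0.1.646
        Password: not required, fallback, stale
        State: Oper; Msgs sent/rcvd: 14/14; Downstream; Last TIB rev sent 2
    Peer LDP Ident: 10.0.0.3:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.3.41022 - 10.0.0.1.646
        Password: required, fallback, in use
        State: Oper; Msgs sent/rcvd: 30/31; Downstream; Last TIB rev sent 2
"""

PEER_RE = re.compile(r"Peer LDP Ident:\s*(\S+?);")
PASS_RE = re.compile(r"Password:\s*([^,]+),\s*([^,]+),\s*(.+)")

def parse_sessions(text):
    """Return one dict per peer: peer id, required flag, password source, status."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := PEER_RE.match(line):
            cur = {"peer": m.group(1)}
            sessions.append(cur)
        elif cur is not None and (m := PASS_RE.match(line)):
            req, src, status = (g.strip() for g in m.groups())
            cur.update(required=(req == "required"), source=src, status=status)
    return sessions

def audit(sessions):
    """Return (peer, issue) tuples for sessions lacking enforced MD5 authentication."""
    findings = []
    for s in sessions:
        if "required" not in s:
            findings.append((s["peer"], "no Password line found"))
            continue
        if not s["required"]:
            findings.append((s["peer"], "password not required: session allowed without MD5"))
        if s["source"] == "none":
            findings.append((s["peer"], "no password configured for this peer"))
        if s["status"] == "stale":
            findings.append((s["peer"], "configured password not in use by the live session"))
    return findings

if __name__ == "__main__":
    for peer, issue in audit(parse_sessions(SAMPLE)):
        print(f"{peer}: {issue}")
```

Run against R1's output it reports two findings for 10.0.0.2:0 and none for the constructed compliant peer.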
03-31-2022 03:43 PM
Reference link: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sba_md5.html#wp1046236
Command | Description |
mpls ldp password fallback | Configures an MD5 password for LDP sessions with peers. |
mpls ldp password option | Configures an MD5 password for LDP sessions with neighbors whose LDP router IDs are permitted by a specified access list. |
mpls ldp password required | Specifies that LDP must use a password when establishing a session between LDP peers. |
03-31-2022 03:54 PM
Hi Anthony,
Thanks for responding.
If I configure 'mpls ldp password fallback <password>' command on a router then all its peers need 'mpls ldp password fallback <>' command configured. Then what is the use of the 'required' command? Do I need to configure 'required' command too?
Thanks,
Sachin
03-31-2022 07:59 PM
One question: you added the 'mpls ldp password fallback cisco' to the router after the LDP neighborship was established, right? But if you add the command on R1 first and then try to establish the neighborship, then the routers throw an authentication error, right? But with the 'required' command we are forcing the routers to authenticate first and then establish the neighborship without clearing the LDP process. Right?
04-01-2022 12:15 PM
Hey Sachin,
Yes, you are 100% correct.
03-31-2022 05:16 PM
The password config:
1- per-neighbor <- this is manual and must match and be manually entered on both peers
2- global
In global, you configure many neighbors and forget one?
Here the fallback password is used.
01-07-2024 11:28 PM
Can you please explain in other words? Thanks in advance.
01-07-2024 11:34 PM
Make a new post and I will build a lab for these cases.
MHM