mpls ldp password required vs fallback

sachin30720041 (Level 1)

Hello,

I am trying to understand the use of the 'mpls ldp password required' command. If I configure just the 'fallback' command but not the 'required' command, LDP authentication still works. Then what is the use of the 'required' command?

Thanks,

Sachin

1 Accepted Solution: Anthony Sylvester's reply with the lab output (below).

8 Replies

AnthonySylvester (Cisco Employee)


Reference link: https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sba_md5.html#wp1046236

Command                       Description
mpls ldp password fallback    Configures an MD5 password for LDP sessions with peers.
mpls ldp password option      Configures an MD5 password for LDP sessions with neighbors whose LDP router IDs are permitted by a specified access list.
mpls ldp password required    Specifies that LDP must use a password when establishing a session between LDP peers.

** Please remember to mark this post if it was helpful. **
Anthony Sylvester

Hi Anthony,

Thanks for responding.

If I configure the 'mpls ldp password fallback <password>' command on a router, then all its peers need the 'mpls ldp password fallback <>' command configured. Then what is the use of the 'required' command? Do I need to configure the 'required' command too?

Thanks,

Sachin

That should not be the case. What router and OS are you using?

I just spun up a very basic network. R1 connects to R2 on G0/0. These are vIOS images running 15.8(3)M2.

Here are the router configs with R1 set up to have the fallback password only; R2 does not have any password config set up.

R1 config

R1#sh run int g0/0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 mpls ip
end

R1#sh run | i mpls ldp
mpls ldp password fallback cisco

R1#sh mpls ldp neigh det
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.54779 - 10.0.0.1.646
        Password: not required, fallback, stale
        State: Oper; Msgs sent/rcvd: 14/14; Downstream; Last TIB rev sent 2
        Up time: 00:09:09; UID: 1; Peer Id 0;
        LDP discovery sources:
          GigabitEthernet0/0; Src IP addr: 10.0.0.2 
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          10.0.0.2        
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
R1#

R2 config

R2#sh run int g0/0
Building configuration...

Current configuration : 122 bytes
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 mpls ip
end

R2#sh run | i mpls ldp

R2#sh mpls ldp neigh det
    Peer LDP Ident: 10.0.0.1:0; Local LDP Ident 10.0.0.2:0
        TCP connection: 10.0.0.1.646 - 10.0.0.2.54779
        Password: not required, none, in use
        State: Oper; Msgs sent/rcvd: 20/20; Downstream; Last TIB rev sent 2
        Up time: 00:14:42; UID: 1; Peer Id 0;
        LDP discovery sources:
          GigabitEthernet0/0; Src IP addr: 10.0.0.1 
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          10.0.0.1        
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
R2#

As you can see in the R1 config, I have configured the fallback command globally, but the neighborship is up and the password is not required.

Here is the result of my adding the 'required' command globally on R1 (R2 still does not have any mpls ldp password config). As you can see, the neighborship instantly goes down.

R1 config (NOTE: the syslog message will continue to show up until I either configure the password on R2 or set R1 to not require a password)

R1(config)#mpls ldp password required 
R1(config)#
*Mar 31 23:58:01.712: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN (Session's MD5 password changed)
*Mar 31 23:58:03.217: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
*Mar 31 23:58:05.216: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
*Mar 31 23:58:09.216: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(30589) to 10.0.0.1(646) tableid - 0
R1#
R1#

R2 config

R2#
*Mar 31 23:58:02.117: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.1:0 (1) is DOWN (Received error notification from peer: Holddown time expired)
R2#

** Please remember to mark this post if it was helpful. **
Anthony Sylvester

One question: you added 'mpls ldp password fallback cisco' to the router after the LDP neighborship was established, right? But if you add the command on R1 first and then try to establish the neighborship, the routers throw an authentication error, right? But with the 'required' command we are forcing the routers to authenticate first and then establish the neighborship, without clearing the LDP process. Right?


Hey Sachin,

Yes, you are 100% correct.


** Please remember to mark this post if it was helpful. **
Anthony Sylvester
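The lab above (fallback key added to R1 after the session was up, then 'required' added) and the follow-up about configuration order both come down to what a router does with an inbound TCP segment on the LDP session. The Python below is an added example written for this thread; it is not code from the original post, from the posters, or from Cisco. It computes the RFC 2385 TCP MD5 signature option that 'mpls ldp password' turns on for the LDP TCP session (port 646), then models the receiving router's decision for a fresh session. Assumed rather than taken from the thread: the key-selection order per-neighbor > option (ACL) > fallback, that 'required' refuses a session for which no key applies, an ACL reduced to a list of router-ID prefixes, and the constructed sample segment and LDP PDU bytes. The 'stale' case in the lab output (a key added to an already established session not taking effect until 'required' is set or the session is reset) is deliberately not modelled.

```python
"""RFC 2385 TCP MD5 signature for an LDP session, plus a model of the
'mpls ldp password fallback | option | required' selection rules.

Added example for this thread, not code from the post or from Cisco.
Assumptions: key precedence neighbor > option (ACL) > fallback; 'required'
refuses a session with no applicable key; ACL = list of router-ID prefixes;
a fresh session (no 'stale' handling)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TCP_PROTO = 6
MD5_OPT_KIND = 19                  # TCP option kind assigned by RFC 2385
MD5_OPT_LEN = 18                   # kind + length + 16-byte digest
MD5_OPTS_PADDED = MD5_OPT_LEN + 2  # two NOPs to reach a 32-bit boundary


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes

    def header(self, opts_len: int) -> bytes:
        """20-byte TCP header, checksum and urgent pointer zeroed, data offset
        counting the options that follow (RFC 2385 hashes it without options)."""
        data_offset = (20 + opts_len) // 4
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq,
                           self.ack, data_offset << 4, self.flags, 0xFFFF, 0, 0)

    def pseudo_header(self, opts_len: int) -> bytes:
        """Pseudo-header: src, dst, zero, protocol, TCP length incl. options."""
        seg_len = 20 + opts_len + len(self.payload)
        return (ipaddress.IPv4Address(self.src_ip).packed
                + ipaddress.IPv4Address(self.dst_ip).packed
                + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def tcp_md5_digest(seg: Segment, key: str, opts_len: int = MD5_OPTS_PADDED) -> bytes:
    """RFC 2385 s.2: MD5(pseudo-header || header-without-options || data || key)."""
    h = hashlib.md5()
    h.update(seg.pseudo_header(opts_len))
    h.update(seg.header(opts_len))
    h.update(seg.payload)
    h.update(key.encode())
    return h.digest()


def sign(seg: Segment, key: str) -> bytes:
    """TCP options field carrying the MD5 signature option plus NOP padding."""
    return bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + tcp_md5_digest(seg, key) + b"\x01\x01"


def find_md5_option(options: bytes):
    """Walk the TCP options list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                    # truncated or malformed option
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify(seg: Segment, options: bytes, key: str) -> bool:
    digest = find_md5_option(options)
    if digest is None:
        return False
    return hmac.compare_digest(digest, tcp_md5_digest(seg, key, len(options)))


def select_password(cfg: dict, peer_router_id: str):
    """Assumed IOS precedence: per-neighbor, then option (ACL), then fallback."""
    if peer_router_id in cfg.get("neighbor", {}):
        return "neighbor", cfg["neighbor"][peer_router_id]
    for prefix, key in cfg.get("option", []):   # ACL modelled as prefixes
        if ipaddress.ip_address(peer_router_id) in ipaddress.ip_network(prefix):
            return "option", key
    if "fallback" in cfg:
        return "fallback", cfg["fallback"]
    return "none", None


def receive(cfg: dict, peer_router_id: str, seg: Segment, options: bytes) -> str:
    """What the receiving router does with one inbound segment on a new session."""
    source, key = select_password(cfg, peer_router_id)
    if key is None:
        if cfg.get("required"):
            return "refuse: password required, none configured for peer"
        return "accept: not required, none"   # R2's "not required, none, in use"
    if find_md5_option(options) is None:
        return "drop: No MD5 digest"          # R1's %TCP-6-BADAUTH after 'required'
    if not verify(seg, options, key):
        return "drop: Invalid MD5 digest"
    return f"accept: {source}"


# Constructed sample: R2 sending to R1 on the thread's session
# (10.0.0.2:54779 -> 10.0.0.1:646); payload is an LDP PDU header, no messages.
LDP_SEG = Segment("10.0.0.2", "10.0.0.1", 54779, 646, seq=0x1000, ack=0x2000,
                  flags=0x18, payload=b"\x00\x01\x00\x06\x0a\x00\x00\x02\x00\x00")
R1_FALLBACK_ONLY = {"fallback": "cisco"}                 # mpls ldp password fallback cisco
R1_REQUIRED = {"fallback": "cisco", "required": True}    # + mpls ldp password required
R2_NO_PASSWORD: dict = {}
R2_REQUIRED_NO_KEY = {"required": True}

if __name__ == "__main__":
    signed = sign(LDP_SEG, "cisco")
    print("R1 fallback, R2 unsigned:", receive(R1_FALLBACK_ONLY, "10.0.0.2", LDP_SEG, b""))
    print("R1 fallback, R2 signed  :", receive(R1_FALLBACK_ONLY, "10.0.0.2", LDP_SEG, signed))
    print("R1 required, R2 unsigned:", receive(R1_REQUIRED, "10.0.0.2", LDP_SEG, b""))
    print("R2 no key, R1 unsigned  :", receive(R2_NO_PASSWORD, "10.0.0.1", LDP_SEG, b""))
    print("R2 required, no key     :", receive(R2_REQUIRED_NO_KEY, "10.0.0.1", LDP_SEG, b""))
```

The 'drop: No MD5 digest' result is the situation behind R1's %TCP-6-BADAUTH lines, and 'accept: not required, none' is R2's "Password: not required, none, in use". The operational check after rolling out 'required' is 'show mpls ldp neighbor detail' on every LSR: the Password line should open with "required" and end with "in use"; "not required" or "stale" on a production peer means that session is still running without authentication.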

The password config:

1- per-neighbor <- this is manual; it must match and be entered manually on both peers
2- global

In global, you configure many neighbors and forget one??
That is where the fallback password is used.

Can you please explain in other words? Thanks in advance.

Make a new post and I will build a lab for these cases.
MHM