LDP Discovery targeted-hello ACL

Sunil_06
Level 1

Hi Team,

I have configured an ACL to reject the targeted Hello from an LDP neighbor, but despite applying the ACL, why is the LDP TLDP session still showing up?

 

RP/0/RSP0/CPU0:R1#show access-lists UDP                                            
Tue Jul 30 16:28:26.728 IST
ipv4 access-list UDP
 54 deny ipv4 host 2.2.2.2 any (95242 matches)
 56 deny ipv4 host 3.3.3.3 any (95246 matches)
 100 permit ipv4 any any (364286203 matches)
RP/0/RSP0/CPU0:R1#
 
 
 
RP/0/RSP0/CPU0:R1#show  run formal mpls ldp | include UDP
Tue Jul 30 16:29:06.012 IST
mpls ldp address-family ipv4 discovery targeted-hello accept from UDP
RP/0/RSP0/CPU0:R1# 
 
 
RP/0/RSP0/CPU0:R1#show mpls ldp discovery 2.2.2.2 
Mon Jul 29 14:26:29.906 IST
 
Local LDP Identifier: 1.1.1.1:0
Discovery Sources:
  Interfaces:
    Bundle-Ether11.100 : xmit/recv
      VRF: 'default' (0x60000000)
      LDP Id: 2.2.2.2:0, Transport address: 2.2.2.2
          Hold time: 15 sec (local:15 sec, peer:15 sec)
          Established: Jul 10 01:17:17.489 (2w5d ago)
 
    TenGigE0/4/1/7 : xmit/recv
      VRF: 'default' (0x60000000)
      LDP Id: 2.2.2.2:0, Transport address: 2.2.2.2
          Hold time: 15 sec (local:15 sec, peer:15 sec)
          Established: Sep 19 03:17:05.555 (44w6d ago)
  Targeted Hellos:
    1.1.1.1 -> 2.2.2.2 (active), xmit/recv
      LDP Id: 2.2.2.2:0
          Hold time: 45 sec (local:90 sec, peer:45 sec)
          Established: Apr 13 02:00:05.688 (15w2d ago)
RP/0/RSP0/CPU0:R1#
 
 
 
RP/0/RSP0/CPU0:R1#show  mpls ldp neighbor   2.2.2.2
Tue Jul 30 16:37:57.975 IST
 
Peer LDP Identifier: 2.2.2.2:0
  TCP connection: 2.2.2.2:646 - 1.1.1.1:22156
  Graceful Restart: No
  Session Holdtime: 30 sec
  State: Oper; Msgs sent/rcvd: 11156540/16079469; Downstream-Unsolicited
  Up time: 45w0d
  LDP Discovery Sources:
    IPv4: (3)
      TenGigE0/4/1/7
      Targeted Hello (1.1.1.1 -> 2.2.2.2, active)
      Bundle-Ether11.100
    IPv6: (0)
  Addresses bound to this peer:
 
RP/0/RSP0/CPU0:R1#
 
BR:
Sunil Kumar
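An added check (example code written for this thread, not Cisco's and not from any poster): it parses the `show mpls ldp discovery` and `show access-lists` output formats shown above and, for every host the ACL denies, reports the targeted-hello role (active/passive) and whether the peer is also link-discovered on a directly connected interface, since such a peer keeps its LDP session whether or not its targeted hello is accepted. The sample text is constructed from the output in the post; the passive entry for 3.3.3.3 is a made-up addition for contrast.

```python
import re
from collections import defaultdict
# Constructed samples: trimmed from the post's `show mpls ldp discovery` (plus one
# made-up passive TLDP entry) and the post's ACL "UDP" with match counters left out.
DISCOVERY = """\
Discovery Sources:
  Interfaces:
    Bundle-Ether11.100 : xmit/recv
      LDP Id: 2.2.2.2:0, Transport address: 2.2.2.2
  Targeted Hellos:
    1.1.1.1 -> 2.2.2.2 (active), xmit/recv
      LDP Id: 2.2.2.2:0
    1.1.1.1 -> 3.3.3.3 (passive), xmit/recv
      LDP Id: 3.3.3.3:0
"""
ACL = """\
ipv4 access-list UDP
 54 deny ipv4 host 2.2.2.2 any
 56 deny ipv4 host 3.3.3.3 any
 100 permit ipv4 any any
"""
LINK_RE = re.compile(r"^\s{4}(\S+) : (\S+)$")                      # "<intf> : xmit/recv"
TLDP_RE = re.compile(r"^\s{4}(\S+) -> (\S+) \((\w+)\), (\S+)$")     # "<src> -> <dst> (role), state"
PEER_RE = re.compile(r"LDP Id: (\d+\.\d+\.\d+\.\d+):\d+")           # peer router-id on the next line
ACE_RE = re.compile(r"^\s*\d+ (permit|deny) ipv4 host (\S+) any")   # single-host ACL entries

def parse_discovery(text):
    """Map each peer LDP router-id to its discovery sources (link and/or targeted)."""
    peers, pending = defaultdict(list), None
    for line in text.splitlines():
        if m := LINK_RE.match(line):
            pending = {"kind": "link", "name": m[1], "role": "-", "state": m[2]}
        elif m := TLDP_RE.match(line):
            pending = {"kind": "targeted", "name": f"{m[1]}->{m[2]}", "role": m[3], "state": m[4]}
        elif (m := PEER_RE.search(line)) and pending:   # attach the source to its peer
            peers[m[1]].append(pending)
            pending = None
    return dict(peers)

def denied_sources(acl_text):
    """Hosts explicitly denied by the ACL named in 'targeted-hello accept from'."""
    return {m[2] for l in acl_text.splitlines() if (m := ACE_RE.match(l)) and m[1] == "deny"}

def tldp_filter_report(disc_text, acl_text):
    """Per denied peer: its link sources, its targeted hellos (role, state), and whether the
    session survives a targeted-hello filter (true when any link source exists)."""
    peers, out = parse_discovery(disc_text), {}
    for peer in sorted(denied_sources(acl_text)):
        srcs = peers.get(peer, [])
        link = [s["name"] for s in srcs if s["kind"] == "link"]
        tldp = [(s["role"], s["state"]) for s in srcs if s["kind"] == "targeted"]
        out[peer] = {"link_sources": link, "targeted": tldp, "session_survives_tldp_filter": bool(link)}
    return out
```

Running `tldp_filter_report(DISCOVERY, ACL)` shows 2.2.2.2 still link-discovered on Bundle-Ether11.100 while 3.3.3.3 has only a targeted source, which is the distinction to check before expecting the ACL to take a session down.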

 


First, targeted LDP uses TCP, not UDP.

Second, check the direction of the ACL with the LO IP you use in the ACL.

MHM

Hi,

Thanks for your reply. It's just the ACL name "UDP"; I'm not specifying any L4 protocol (TCP/UDP) in the ACL.

The ACL is applied in the incoming direction.

Source >>>> Neighbors' transport address / targeted Hello source address
Destination >> Any

Targeted Hello also uses UDP for LDP hello packets.

 

BR:
Sunil Kumar

Apply it to the LO you use as MPLS router-ID, 1.1.1.1?

MHM

Hi MHM,

Can you please confirm what the behavior of the below command is when applied to LDP, and why TLDP is showing up?

 

mpls ldp address-family ipv4 discovery targeted-hello accept from xxxxxx

 

BR://

Sunil Kumar

MHM

This is for you, to explain some points here.
In R3 I use LO 3.3.3.3 as the LDP router-id.
I use an ACL under LO 3.3.3.3 to prevent targeted LDP between R2 (LO 2.2.2.2) and R3, and it has no effect.
Why?
To prevent traffic to the LO, not only LDP, you need to use CoPP or use an ACL on the interface the LO uses as egress,
and that is what I do:
I apply the same ACL to interface f1/1 and it works.

You need to check
xmit/recv <<- if you don't see recv or xmit, then there is an ACL dropping the targeted hello.

For the command you shared:

mpls ldp address-family ipv4 discovery targeted-hello accept from xxxxxx <<-

I don't find much detail about it; I will double check and inform you.
BUT
this command, if available in your router, is better than using an ACL under the egress or LO interface.

(attachment: Screenshot (801).png)

The default behavior of an LSR is to ignore requests from other LSRs that send targeted Hello messages. You can configure an LSR to respond to requests for targeted Hello messages by issuing the mpls ldp discovery targeted-hello accept command.
MHM

Hello @Sunil_06 ,

I would expect the command to use a standard ACL and not an extended ACL if all you need to define is the denied and allowed LDP peers' LDP router-IDs.

I would suggest you try a standard ACL instead of your named extended ACL.

Hope to help

Giuseppe

 

Hi,

As we can see in the output, the counters are increasing, which means the LDP Hellos are hitting the ACL.

But I am not sure why it's not denying them.

 

RP/0/RSP0/CPU0:R1#show access-lists UDP                                            
Tue Jul 30 16:28:26.728 IST
ipv4 access-list UDP
 54 deny ipv4 host 2.2.2.2 any (95290 matches)
 56 deny ipv4 host 3.3.3.3 any (95395 matches)
 100 permit ipv4 any any (364286203 matches)
RP/0/RSP0/CPU0:R1#
 
 
BR://
Sunil

Add "deny tcp port 646" to see if the targeted session drops or the ACL hits are from other traffic.

And did you use the targeted discovery command??

MHM
