LDP Conditional Label Advertisement
Load isis.cfg
Configure LDP using IGP autoconfig on all routers
Configure R2 to only advertise labels for /32 routes to R1
Configure XR1 to only advertise labels for /32 routes to XR2
Answer
Explanation
LDP Conditional label advertisement is very confusing. First, on any router we want to implement outbound advertisement filtering, we must disable the default advertisement which is for all prefixes. Without doing this, we will always advertise all label bindings to all neighbors, no matter what additional filters we add.
This posses a big problem when we go to advertise labels to only certain peers. For example, if we implement the following filter on R2 towards R1, we are also at the same time not advertising any label bindings towards R3 or R4. (This is due to no mpls ldp advertise-labels command).
So instead, we must advertise the host routes to all peers, and then advertise all prefixes to not R1.
Unfortunately, this logic does not work on XR1. On XR1, if we try this, XR1 will seem to match the SACL_PERMIT_ANY entry first, and not advertise any label bindings to XR2. So instead, we implement something even more complicated. We have a second ACL which is ACL_NOT_HOST_ROUTES which individually denies the loopback prefixes.
The above label advertisement indentifies two separate ACLs for advertisement:
ACL_HOST_ROUTES to any neighbors
ACL_NOT_HOST_ROUTES (anything not to a loopback) to any neighbors besides XR2
Verification
On R3, verify that R2 is still advertising a label binding for every prefix:
On R1, verify that R2 is only advertising a label binding for host routes:
On R6, we should likewise see all label bindings advertised from XR1:
On XR2, we should only see bindings for /32 prefixes:
On R2, we can see each LIB entry and the ACL it matches using the following command:
We can see the same on XR1:
Using this command, we can see why the logic we are doing on R2 didn’t work on XR1. Let’s move the XR1 advertisement filtering back to:
ACL_HOST_ROUTES to all neighbors
ACL_PERMIT_ANY to all neighbors besides XR2
Above, the ACL_HOST_ROUTES never gets matched. This appears to be because the ACL entries get re-ordered in the config:
On R2, the SACL_HOST_ROUTES is first in the config, which might explain why it works. This actually seems very fragile. Could a router reload change the ACL order and break this on R2?
Summary
Outbound LDP label advertisement filtering is very complex. You are limited to using an ACL which makes it difficult to scale as well. In this lab, we would have to manually add ACL entries for every new router’s loopback that is added to the topology.
Additionally, there is the complexity of having to completely disable outbound label advertisements altogether, and create new outbound policies to re-advertise all label bindings to all other neighbors. So in this situation, using local allocating filtering is much better than trying to achieve a similar result using outbound label filtering.
I can see this feature only working well perhaps for a Unified MPLS type of setup, where the ABR is advertising label bindings for the “other” IGP. You could do outbound label filtering in that case. If, for example, you use 10/8 and 20/8 for each separate IGP, that might help scale the ACL management. However, it doesn’t matter if the ABR advertises these bindings, because the router will not have IGP routes for those bindings, and simply won’t use them. But perhaps a lab task could be to implement this feature for scalability. (You’re doing Unified MPLS to scale anyways, so why advertise all those label bindings unnecessarily too?)
Last updated
