# LDP Conditional Label Advertisement

Load **isis.cfg**

```
#IOS-XE
config replace flash:isis.cfg

#IOS-XR
configure
load bootflash:isis.cfg
commit replace
y
```

* Configure LDP using IGP autoconfig on all routers
* Configure R2 to only advertise labels for /32 routes to R1
* Configure XR1 to only advertise labels for /32 routes to XR2

## Answer

```
#R1-R6
router isis
 mpls ldp autoconfig

#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_PERMIT_ANY
mpls ldp advertise-labels for SACL_PERMIT_ANY to SACL_LDP_ALL_OTHER_NEIGHBORS
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_PERMIT_ANY
 permit any
!
ip access-list standard SACL_LDP_ALL_OTHER_NEIGHBORS
 deny host 1.1.1.1
 permit any

#XR1, XR2
router isis 1
 address-family ipv4 unicast
  mpls ldp auto-config
!
mpls ldp

#XR1
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_NOT_HOST_ROUTES to ACL_NOT_XR2
!
ipv4 access-list ACL_HOST_ROUTES
 permit ipv4 host 1.1.1.1 any
 permit ipv4 host 2.2.2.2 any
 permit ipv4 host 3.3.3.3 any
 permit ipv4 host 4.4.4.4 any
 permit ipv4 host 5.5.5.5 any
 permit ipv4 host 6.6.6.6 any
 permit ipv4 host 19.19.19.19 any
 permit ipv4 host 20.20.20.20 any
!
ipv4 access-list ACL_PERMIT_ANY 
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_HOST_ROUTES
 deny ipv4 host 1.1.1.1 any
 deny ipv4 host 2.2.2.2 any
 deny ipv4 host 3.3.3.3 any
 deny ipv4 host 4.4.4.4 any
 deny ipv4 host 5.5.5.5 any
 deny ipv4 host 6.6.6.6 any
 deny ipv4 host 19.19.19.19 any
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_XR2
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
```

## Explanation

LDP conditional label advertisement is very confusing. First, on any router where we want to filter outbound advertisements, we must disable the default advertisement, which covers all prefixes. Without this, the router always advertises all label bindings to all neighbors, no matter what additional filters we add.

```
#IOS-XE
no mpls ldp advertise-labels

#IOS-XR
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
```

This poses a big problem when we want to advertise labels to only certain peers. For example, if we implement the following filter on R2 towards R1, we also stop advertising *any* label bindings towards R3 or R4. (This is due to the **no mpls ldp advertise-labels** command.)

```
#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_R1
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_R1
 permit host 1.1.1.1
```

So instead, we must advertise the host routes to all peers, and then advertise all prefixes to every peer *except* R1.

```
#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_PERMIT_ANY
mpls ldp advertise-labels for SACL_PERMIT_ANY to SACL_LDP_ALL_OTHER_NEIGHBORS
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_PERMIT_ANY
 permit any
!
ip access-list standard SACL_LDP_ALL_OTHER_NEIGHBORS
 deny host 1.1.1.1
 permit any
```

Unfortunately, this logic does not work on XR1. If we try it there, XR1 seems to match the ACL\_PERMIT\_ANY entry first and does not advertise *any* label bindings to XR2. So instead, we implement something even more complicated: a second prefix ACL, ACL\_NOT\_HOST\_ROUTES, which individually denies the loopback prefixes and permits everything else.

```
#XR1
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_NOT_HOST_ROUTES to ACL_NOT_XR2
!
ipv4 access-list ACL_HOST_ROUTES
 permit ipv4 host 1.1.1.1 any
 permit ipv4 host 2.2.2.2 any
 permit ipv4 host 3.3.3.3 any
 permit ipv4 host 4.4.4.4 any
 permit ipv4 host 5.5.5.5 any
 permit ipv4 host 6.6.6.6 any
 permit ipv4 host 19.19.19.19 any
 permit ipv4 host 20.20.20.20 any
!
ipv4 access-list ACL_PERMIT_ANY 
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_HOST_ROUTES
 deny ipv4 host 1.1.1.1 any
 deny ipv4 host 2.2.2.2 any
 deny ipv4 host 3.3.3.3 any
 deny ipv4 host 4.4.4.4 any
 deny ipv4 host 5.5.5.5 any
 deny ipv4 host 6.6.6.6 any
 deny ipv4 host 19.19.19.19 any
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_XR2
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
```

The above label advertisement identifies two separate ACLs for advertisement:

* ACL\_HOST\_ROUTES to any neighbors
* ACL\_NOT\_HOST\_ROUTES (anything not to a loopback) to any neighbors besides XR2

## Verification

On R3, verify that R2 is still advertising a label binding for every prefix:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2F4d7D7JzFMUKyDBAjeYKo%2Fimage.png?alt=media&#x26;token=bd6916f6-e5de-4186-bcd8-cd8c6eaa08b1" alt=""><figcaption></figcaption></figure></div>

On R1, verify that R2 is only advertising a label binding for host routes:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FqbWLSKWcK5TNbqWTPr2a%2Fimage.png?alt=media&#x26;token=74182460-57c4-4a50-8d44-e2dd4496413f" alt=""><figcaption></figcaption></figure></div>

On R6, we should likewise see all label bindings advertised from XR1:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FeqS4INkXjbB0nRnBK5Zj%2Fimage.png?alt=media&#x26;token=ed3821f9-1582-46ff-912a-9a3bf33db826" alt=""><figcaption></figcaption></figure></div>

On XR2, we should only see bindings for /32 prefixes:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FlKDhDIqltHyMpr7EarVf%2Fimage.png?alt=media&#x26;token=4c686f3d-8e03-4344-93ac-fd4a8d702127" alt=""><figcaption></figcaption></figure></div>

On R2, we can see each LIB entry and the ACL it matches using the following command:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2F5Nu7XhrUw4ZfYsNJCDC5%2Fimage.png?alt=media&#x26;token=f9aea47e-5d71-4cd1-bb6a-f42deb90e3e4" alt=""><figcaption></figcaption></figure></div>

We can see the same on XR1:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FKfbFXli5e6ziF9QkoZeS%2Fimage.png?alt=media&#x26;token=4b0c2e28-9c99-4f4d-950c-7b08152bac54" alt=""><figcaption></figcaption></figure></div>

Using this command, we can see why the logic we are doing on R2 didn’t work on XR1. Let’s move the XR1 advertisement filtering back to:

* ACL\_HOST\_ROUTES to all neighbors
* ACL\_PERMIT\_ANY to all neighbors besides XR2

```
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_PERMIT_ANY to ACL_NOT_XR2
```

Above, the ACL\_HOST\_ROUTES never gets matched. This appears to be because the ACL entries get re-ordered in the config:

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2F2vM3JJ9mKUbohpChPEhL%2Fimage.png?alt=media&#x26;token=42a36cb5-f98c-487f-85da-7e6fdc5a2aee" alt=""><figcaption></figcaption></figure></div>

On R2, the SACL\_HOST\_ROUTES is first in the config, which might explain why it works. This actually seems very fragile. Could a router reload change the ACL order and break this on R2?

<div align="left"><figure><img src="https://3072390383-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkUz2C3GqnZcWhoVL6jfk%2Fuploads%2FCfBJZnfF3Hd4eNBmfwPD%2Fimage.png?alt=media&#x26;token=45804a78-cfe0-4d1b-8386-addc53fbb6e0" alt=""><figcaption></figcaption></figure></div>
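
The following added example is a simplified Python model, not code from the original page and not Cisco's implementation; it reproduces the behaviour described above for R2 and XR1. It assumes rules are evaluated in order and that the first rule whose prefix ACL permits a prefix decides which peers receive it, which is what the observations on this page suggest; the two 10.2.x.0/24 prefixes are constructed sample data.

```python
import ipaddress

# Constructed sample data: the lab's loopbacks plus two hypothetical transit links.
LOOPBACKS = ["1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4",
             "5.5.5.5", "6.6.6.6", "19.19.19.19", "20.20.20.20"]
HOST_ROUTES = [f"{a}/32" for a in LOOPBACKS]
LIB = HOST_ROUTES + ["10.2.3.0/24", "10.2.4.0/24"]

def acl(*entries):
    """Standard-ACL matcher from (action, network) pairs, with implicit deny."""
    parsed = [(action, ipaddress.ip_network(net)) for action, net in entries]
    def match(addr):
        ip = ipaddress.ip_address(addr)
        for action, net in parsed:
            if ip in net:
                return action == "permit"
        return False
    return match

HOST = acl(*[("permit", h) for h in HOST_ROUTES])
NOT_HOST = acl(*[("deny", h) for h in HOST_ROUTES], ("permit", "0.0.0.0/0"))
ANY = acl(("permit", "0.0.0.0/0"))
ONLY_R1 = acl(("permit", "1.1.1.1/32"))
NOT_R1 = acl(("deny", "1.1.1.1/32"), ("permit", "0.0.0.0/0"))

def advertised(rules, peer_id):
    """Prefixes advertised to peer_id. ASSUMPTION: the first rule whose prefix
    ACL permits the prefix decides, and there is no fall-through to later rules."""
    out = []
    for prefix in LIB:
        network = prefix.split("/")[0]  # a standard ACL sees only the network address
        for prefix_acl, peer_acl in rules:
            if prefix_acl(network):
                if peer_acl(peer_id):
                    out.append(prefix)
                break
    return out

SCENARIOS = {
    "single rule towards R1": [(HOST, ONLY_R1)],
    "host routes first": [(HOST, ANY), (ANY, NOT_R1)],
    "permit-any first": [(ANY, NOT_R1), (HOST, ANY)],
    "exclusive prefix ACLs": [(NOT_HOST, NOT_R1), (HOST, ANY)],
}

if __name__ == "__main__":
    for name, rules in SCENARIOS.items():
        for peer in ("1.1.1.1", "3.3.3.3"):  # R1 (restricted) and R3
            print(f"{name:24} -> {peer}: {len(advertised(rules, peer))} bindings")
```

The "permit-any first" scenario corresponds to the re-ordering seen on XR1: the restricted peer receives no bindings at all. With mutually exclusive prefix ACLs, the result no longer depends on rule order.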

## Summary

Outbound LDP label advertisement filtering is very complex. You are limited to using an ACL, which also makes it difficult to scale. In this lab, we would have to manually add an ACL entry for the loopback of every new router that is added to the topology.

Additionally, there is the complexity of having to completely disable outbound label advertisements altogether, and create new outbound policies to re-advertise all label bindings to all *other* neighbors. So in this situation, using local label allocation filtering is *much* better than trying to achieve a similar result using outbound label filtering.

I can see this feature only working well perhaps for a Unified MPLS type of setup, where the ABR is advertising label bindings for the “other” IGP. You could do outbound label filtering in that case. If, for example, you use 10/8 and 20/8 for each separate IGP, that might help scale the ACL management. However, it doesn’t matter if the ABR advertises these bindings, because the router will not have IGP routes for those bindings, and simply won’t use them. But perhaps a lab task could be to implement this feature for scalability. (You’re doing Unified MPLS to scale anyways, so why advertise all those label bindings unnecessarily too?)

