LDP Conditional Label Advertisement

Load isis.cfg

#IOS-XE
config replace flash:isis.cfg

#IOS-XR
configure
load bootflash:isis.cfg
commit replace
y

  • Configure LDP using IGP autoconfig on all routers

  • Configure R2 to only advertise labels for /32 routes to R1

  • Configure XR1 to only advertise labels for /32 routes to XR2

Answer

#R1-R6
router isis
 mpls ldp autoconfig

#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_PERMIT_ANY
mpls ldp advertise-labels for SACL_PERMIT_ANY to SACL_LDP_ALL_OTHER_NEIGHBORS
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_PERMIT_ANY
 permit any
!
ip access-list standard SACL_LDP_ALL_OTHER_NEIGHBORS
 deny host 1.1.1.1
 permit any

#XR1, XR2
router isis 1
 add ipv4
  mpls ldp auto-config
!
mpls ldp

#XR1
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_NOT_HOST_ROUTES to ACL_NOT_XR2
!
ipv4 access-list ACL_HOST_ROUTES
 permit ipv4 host 1.1.1.1 any
 permit ipv4 host 2.2.2.2 any
 permit ipv4 host 3.3.3.3 any
 permit ipv4 host 4.4.4.4 any
 permit ipv4 host 5.5.5.5 any
 permit ipv4 host 6.6.6.6 any
 permit ipv4 host 19.19.19.19 any
 permit ipv4 host 20.20.20.20 any
!
ipv4 access-list ACL_PERMIT_ANY 
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_HOST_ROUTES
 deny ipv4 host 1.1.1.1 any
 deny ipv4 host 2.2.2.2 any
 deny ipv4 host 3.3.3.3 any
 deny ipv4 host 4.4.4.4 any
 deny ipv4 host 5.5.5.5 any
 deny ipv4 host 6.6.6.6 any
 deny ipv4 host 19.19.19.19 any
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_XR2
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any

Explanation

LDP Conditional label advertisement is very confusing. First, on any router we want to implement outbound advertisement filtering, we must disable the default advertisement which is for all prefixes. Without doing this, we will always advertise all label bindings to all neighbors, no matter what additional filters we add.

#IOS-XE
no mpls ldp advertise-labels

#IOS-XR
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable

This posses a big problem when we go to advertise labels to only certain peers. For example, if we implement the following filter on R2 towards R1, we are also at the same time not advertising any label bindings towards R3 or R4. (This is due to no mpls ldp advertise-labels command).

#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_R1
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_R1
 permit host 1.1.1.1

So instead, we must advertise the host routes to all peers, and then advertise all prefixes to not R1.

#R2
no mpls ldp advertise-labels
mpls ldp advertise-labels for SACL_HOST_ROUTES to SACL_PERMIT_ANY
mpls ldp advertise-labels for SACL_PERMIT_ANY to SACL_LDP_ALL_OTHER_NEIGHBORS
!
ip access-list standard SACL_HOST_ROUTES
 permit host 1.1.1.1
 permit host 2.2.2.2
 permit host 3.3.3.3
 permit host 4.4.4.4
 permit host 5.5.5.5
 permit host 6.6.6.6
 permit host 19.19.19.19
 permit host 20.20.20.20
!
ip access-list standard SACL_PERMIT_ANY
 permit any
!
ip access-list standard SACL_LDP_ALL_OTHER_NEIGHBORS
 deny host 1.1.1.1
 permit any

Unfortunately, this logic does not work on XR1. On XR1, if we try this, XR1 will seem to match the SACL_PERMIT_ANY entry first, and not advertise any label bindings to XR2. So instead, we implement something even more complicated. We have a second ACL which is ACL_NOT_HOST_ROUTES which individually denies the loopback prefixes.

#XR1
mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_NOT_HOST_ROUTES to ACL_NOT_XR2
!
ipv4 access-list ACL_HOST_ROUTES
 permit ipv4 host 1.1.1.1 any
 permit ipv4 host 2.2.2.2 any
 permit ipv4 host 3.3.3.3 any
 permit ipv4 host 4.4.4.4 any
 permit ipv4 host 5.5.5.5 any
 permit ipv4 host 6.6.6.6 any
 permit ipv4 host 19.19.19.19 any
 permit ipv4 host 20.20.20.20 any
!
ipv4 access-list ACL_PERMIT_ANY 
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_HOST_ROUTES
 deny ipv4 host 1.1.1.1 any
 deny ipv4 host 2.2.2.2 any
 deny ipv4 host 3.3.3.3 any
 deny ipv4 host 4.4.4.4 any
 deny ipv4 host 5.5.5.5 any
 deny ipv4 host 6.6.6.6 any
 deny ipv4 host 19.19.19.19 any
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any
!
ipv4 access-list ACL_NOT_XR2
 deny ipv4 host 20.20.20.20 any
 permit ipv4 any any

The above label advertisement indentifies two separate ACLs for advertisement:

  • ACL_HOST_ROUTES to any neighbors

  • ACL_NOT_HOST_ROUTES (anything not to a loopback) to any neighbors besides XR2

Verification

On R3, verify that R2 is still advertising a label binding for every prefix:

On R1, verify that R2 is only advertising a label binding for host routes:

On R6, we should likewise see all label bindings advertised from XR1:

On XR2, we should only see bindings for /32 prefixes:

On R2, we can see each LIB entry and the ACL it matches using the following command:

We can see the same on XR1:

Using this command, we can see why the logic we are doing on R2 didn’t work on XR1. Let’s move the XR1 advertisement filtering back to:

  • ACL_HOST_ROUTES to all neighbors

  • ACL_PERMIT_ANY to all neighbors besides XR2

mpls ldp
 address-family ipv4
  label
   local
    advertise
     disable
     for ACL_HOST_ROUTES to ACL_PERMIT_ANY
     for ACL_PERMIT_ANY to ACL_NOT_XR2

Above, the ACL_HOST_ROUTES never gets matched. This appears to be because the ACL entries get re-ordered in the config:

On R2, the SACL_HOST_ROUTES is first in the config, which might explain why it works. This actually seems very fragile. Could a router reload change the ACL order and break this on R2?

Summary

Outbound LDP label advertisement filtering is very complex. You are limited to using an ACL which makes it difficult to scale as well. In this lab, we would have to manually add ACL entries for every new router’s loopback that is added to the topology.

Additionally, there is the complexity of having to completely disable outbound label advertisements altogether, and create new outbound policies to re-advertise all label bindings to all other neighbors. So in this situation, using local allocating filtering is much better than trying to achieve a similar result using outbound label filtering.

I can see this feature only working well perhaps for a Unified MPLS type of setup, where the ABR is advertising label bindings for the “other” IGP. You could do outbound label filtering in that case. If, for example, you use 10/8 and 20/8 for each separate IGP, that might help scale the ACL management. However, it doesn’t matter if the ABR advertises these bindings, because the router will not have IGP routes for those bindings, and simply won’t use them. But perhaps a lab task could be to implement this feature for scalability. (You’re doing Unified MPLS to scale anyways, so why advertise all those label bindings unnecessarily too?)

PreviousLDP Local Allocation FilteringNextLDP Inbound Label Advertisement Filtering

Last updated