Filtering Inbound LDP Label Bindings
You can filter received LDP label bindings, applying policies
to accept or deny bindings advertised by neighboring routers. To configure
received-label filtering, include the import statement:
import [ policy-names ];
For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.
The named policy (configured at the [edit policy-options] hierarchy level) is applied to all label bindings received from
all LDP neighbors. All filtering is done with from statements. Table 1 lists the only from operators
that apply to LDP received-label filtering.
from Operator |
Description |
|---|---|
|
Matches on bindings received from a neighbor that is adjacent over the specified interface |
|
Matches on bindings received from the specified LDP router ID |
|
Matches on bindings received from a neighbor advertising the specified interface address |
|
Matches on bindings with the specified prefix |
If a binding is filtered, it still appears in the LDP database, but is not considered for installation as part of a label-switched path (LSP).
Generally, applying policies in LDP can be used only to block the establishment of LSPs, not to control their routing. This is because the path that an LSP follows is determined by unicast routing, and not by LDP. However, when there are multiple equal-cost paths to the destination through different neighbors, you can use LDP filtering to exclude some of the possible next hops from consideration. (Otherwise, LDP chooses one of the possible next hops at random.)
LDP sessions are not bound to interfaces or interface addresses.
LDP advertises only per-router (not per-interface) labels; so if multiple
parallel links exist between two routers, only one LDP session is
established, and it is not bound to a single interface. When a router
has multiple adjacencies to the same neighbor, take care to ensure
that the filter does what is expected. (Generally, using next-hop and interface is not appropriate in this case.)
If a label has been filtered (meaning that it has been rejected by the policy and is not used to construct an LSP), it is marked as filtered in the database:
user@host> show ldp database Input label database, 10.10.255.1:0-10.10.255.6:0 Label Prefix 3 10.10.255.6/32 (Filtered) Output label database, 10.10.255.1:0-10.10.255.6:0 Label Prefix 3 10.10.255.1/32 (Filtered)
For more information about how to configure policies for LDP, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
Examples: Filtering Inbound LDP Label Bindings
Accept only /32 prefixes from all neighbors:
[edit]
protocols {
ldp {
import only-32;
...
}
}
policy-options {
policy-statement only-32 {
term first {
from {
route-filter 0.0.0.0/0 upto /31;
}
then reject;
}
then accept;
}
}
Accept 192.168/16 or longer from router ID 10.10.255.2 and
accept all prefixes from all other neighbors:
[edit]
protocols {
ldp {
import nosy-neighbor;
...
}
}
policy-options {
policy-statement nosy-neighbor {
term first {
from {
neighbor 10.10.255.2;
route-filter 192.168.0.0/16 orlonger accept;
route-filter 0.0.0.0/0 orlonger reject;
}
}
then accept;
}
}