You configure a shared secret (password) on potential LDP peers. Any given pair of peers
must share the same password. When a peer sends a TCP segment to an LSR, it uses
the password and the segment to compute an MD5 digest that it sends along with the
segment.
When the LSR receives the segment, the LSR calculates its own version of the digest
using its instance of the password and the segment. The LSR validates the segment if
the local digest matches the received digest. If the comparison fails—for example, if the
password is not configured the same on both peers—the LSR drops the segment and
does not send a response to the peer.
You can optionally enable a strict authentication mode that allows only peers configured
with passwords to establish sessions. In this mode, LDP hello messages from peers that
have no password are ignored. If you do not configure strict authentication, then peers
that do not have configured passwords can establish connections with each other.
If you configure LDP MD5 authentication or change the authentication password for a
peer while it is in an established LDP session, MPLS restarts that session.
To configure LDP MD5 authentication:
1. Set the password for an LDP peer.
host1(config)#mpls ldp neighbor 10.3.5.1 password rop23ers
2. (Optional) Set strict LDP authentication mode so that only peers with passwords
can establish LDP sessions.
host1(config)#mpls ldp strict-security
Related Topics Basic MPLS Configuration Tasks on page 276•
• Additional LDP Configuration Tasks on page 288
• mpls ldp neighbor password
• mpls ldp strict-security
Controlling LDP Label Distribution
By default, LDP advertises label mappings for all IGP prefixes to all LDP peers. In this
case, mappings are not advertised for interface addresses. You can alternatively specify
that LDP labels be distributed for a particular interface itself, in addition to the subnet
that the interface is on. This behavior enables LSPs to be set up to the LSR configured
with the interface address.
When the LSR learns an IGP route and tries to decide whether to advertise a label for the
destination to a particular LDP neighbor, it attempts to match the destination against a
route access list specified by the mpls ldp advertise-labels command, in the order in
which the commands were issued. The first match determines the action taken, and no
further matching is attempted for that destination. If the destination matches, labels are
advertised to peers subject to any specified neighbor address list. If either access list is
not matched, the labels are not advertised.
Copyright © 2010, Juniper Networks, Inc.292
JunosE 11.2.x BGP and MPLS Configuration Guide
To Next Page
Loading...
Need help?
General
