Thursday, January 21, 2016

MPLS task #3. Tuning and security.

Topology:




Use configuration from MPLS task #2 as initial configuration for this task.

Requirements: 

1. All routers shall retain the LDP bindings received from the neighbor peer, in the event of interface failure between the routers. 
2. Routers R1, R2, R6 and R3 shall include the Fault Tolerant (FT) TLV in the LDP Initialization message. 
3. Authenticate the LDP sessions between the routers. 
   3.1 Use password "WEAK" for sessions R1-R2, R1-R6, R4-R3, R4-R5. 
   3.2 Use password "STRONG" for all other sessions. 
   3.3 Use the minimal possible number of commands to configure the authentication. 

Solution:


This task requires an understanding of the MPLS LDP authentication options, MPLS LDP graceful restart and MPLS LDP session protection.

Requirement #1 - configure MPLS LDP session protection on all routers. Session protection keeps a targeted LDP session (and the label bindings learned over it) up while the directly connected link is down. 
Requirement #2 - configure routers R1, R2, R6 and R3 for MPLS LDP graceful restart. Graceful restart is negotiated by including the FT TLV in the Initialization message, so enabling it satisfies the requirement. 

Requirement #3 - configure authentication for the LDP neighbors. To minimize the number of commands, use the fallback password feature: the fallback password applies to every neighbor that has no explicit password, so only the neighbors that use the other password need a per-neighbor command. 
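As an added illustration of the command-count argument (this is not part of the original post): the script below picks each router's fallback password as the one shared by most of its peers and emits a per-neighbor override only where a peer needs the other password. The link list and the router IDs for R5, R6 and R7 are constructed assumptions, since the topology diagram is not reproduced here; only the four WEAK sessions come from the task statement. It renders IOS syntax for every router, whereas the post uses IOS-XR on R3 and R4.

```python
from collections import Counter

# Constructed sample: router IDs for R5-R7 and the link list are assumptions
# (the lab diagram is not on the page); R1-R4 IDs appear in the post.
ROUTER_ID = {
    "R1": "16.0.1.1", "R2": "16.0.2.2", "R3": "16.0.3.3", "R4": "16.0.4.4",
    "R5": "16.0.5.5", "R6": "16.0.6.6", "R7": "16.0.7.7",
}
LINKS = [("R1", "R2"), ("R1", "R6"), ("R2", "R3"), ("R2", "R5"), ("R2", "R6"),
         ("R3", "R4"), ("R3", "R7"), ("R4", "R5")]
# The four sessions the task assigns the WEAK password; everything else is STRONG.
WEAK_SESSIONS = {frozenset(p) for p in
                 [("R1", "R2"), ("R1", "R6"), ("R4", "R3"), ("R4", "R5")]}


def session_passwords(links, weak_sessions):
    """Map each router to {peer: password} for every LDP session it terminates."""
    per_router = {}
    for a, b in links:
        pw = "WEAK" if frozenset((a, b)) in weak_sessions else "STRONG"
        per_router.setdefault(a, {})[b] = pw
        per_router.setdefault(b, {})[a] = pw
    return per_router


def plan_auth(peer_pw):
    """Choose the fallback password (the one shared by most peers) and list
    only the peers that need an explicit per-neighbor password."""
    counts = Counter(peer_pw.values())
    # sorted() makes a tie deterministic (alphabetical) instead of order-dependent;
    # with a tie either choice costs the same number of commands.
    fallback = max(sorted(counts), key=counts.__getitem__)
    overrides = {peer: pw for peer, pw in sorted(peer_pw.items()) if pw != fallback}
    return fallback, overrides


def render_ios(fallback, overrides, router_id):
    """Emit IOS-style commands: one fallback line plus one line per override."""
    lines = [f"mpls ldp password fallback {fallback}"]
    for peer, pw in overrides.items():
        lines.append(f"mpls ldp neighbor {router_id[peer]} password {pw}")
    return lines


def build_plan(links=LINKS, weak_sessions=WEAK_SESSIONS):
    """Per router: fallback, overrides, rendered commands and the naive
    one-command-per-neighbor count for comparison."""
    plan = {}
    for router, peer_pw in sorted(session_passwords(links, weak_sessions).items()):
        fallback, overrides = plan_auth(peer_pw)
        plan[router] = {
            "fallback": fallback,
            "overrides": overrides,
            "commands": render_ios(fallback, overrides, ROUTER_ID),
            "naive_commands": len(peer_pw),
        }
    return plan


if __name__ == "__main__":
    for router, p in build_plan().items():
        print(f"{router}: {len(p['commands'])} command(s) instead of {p['naive_commands']}")
        for line in p["commands"]:
            print("  " + line)
```

On this sample the fallback approach needs 11 password commands across the seven routers instead of 16 with one command per neighbor, and the R1, R2, R5 and R6 lines it produces match the configurations shown below.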


R1: 


!
mpls ldp password fallback WEAK
mpls ldp graceful-restart
mpls ldp session protection
!

R2:

!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.1.1 password WEAK
mpls ldp explicit-null
mpls ldp graceful-restart
mpls ldp session protection
!

R3:

!
mpls ldp
 graceful-restart
 router-id 16.0.3.3
 neighbor
  password encrypted 13362320242223
  16.0.4.4:0 password encrypted 15252E2D2F
 !
 session protection
 address-family ipv4
  label
   local
    advertise
     explicit-null
    !
   !
  !
 !
 interface GigabitEthernet0/0/0/0
  address-family ipv4
  !
 !
 interface GigabitEthernet0/0/0/1
 !
 interface GigabitEthernet0/0/0/2
 !
!

R4:


!
mpls ldp
 router-id 16.0.4.4
 neighbor
  password encrypted 113E3C243C
 !
 session protection
 address-family ipv4
 !
!

R5:


!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.4.4 password WEAK
mpls ldp session protection
!


R6:

!
mpls ldp password fallback STRONG
mpls ldp neighbor 16.0.1.1 password WEAK
mpls ldp graceful-restart
mpls ldp session protection
!

R7:

!
mpls ldp password fallback STRONG
mpls ldp session protection
!

Verification:


R1#show mpls ldp neighbor 16.0.2.2 detail
    Peer LDP Ident: 16.0.2.2:0; Local LDP Ident 16.0.1.1:0
        TCP connection: 16.0.2.2.22140 - 16.0.1.1.646; MD5 on
        Password: not required, fallback, in use
        State: Oper; Msgs sent/rcvd: 54/54; Downstream; Last TIB rev sent 69
        Up time: 00:29:14; UID: 13; Peer Id 0;
        LDP discovery sources:
          Ethernet0/0; Src IP addr: 16.0.12.2
            holdtime: 15000 ms, hello interval: 5000 ms
          Targeted Hello 16.0.1.1 -> 16.0.2.2, active, passive;
            holdtime: infinite, hello interval: 10000 ms
        Addresses bound to peer LDP Ident:
          16.0.12.2       16.0.26.2       16.0.25.2       16.0.23.2
          16.0.2.2
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
        Clients: Dir Adj Client
        LDP Session Protection enabled, state: Ready
            duration: 86400 seconds
        Capabilities Sent:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]
        Capabilities Received:
          [Dynamic Announcement (0x0506)]
          [Typed Wildcard (0x050B)]


RP/0/0/CPU0:R3#show mpls ldp neighbor 16.0.2.2:0 detail
Mon Jan  4 15:17:56.091 UTC

Peer LDP Identifier: 16.0.2.2:0
  TCP connection: 16.0.2.2:646 - 16.0.3.3:26985; MD5 on
  Graceful Restart: Yes (Reconnect Timeout: 120 sec, Recovery: 0 sec)
  Session Holdtime: 180 sec
  State: Oper; Msgs sent/rcvd: 52/52; Downstream-Unsolicited
  Up time: 00:27:33
  LDP Discovery Sources:
      GigabitEthernet0/0/0/0
      Targeted Hello (16.0.3.3 -> 16.0.2.2, active)
  Addresses bound to this peer:
      16.0.2.2       16.0.12.2      16.0.23.2      16.0.25.2
      16.0.26.2
  Peer holdtime: 180 sec; KA interval: 60 sec; Peer state: Estab
  NSR: Disabled
  Clients: Session Protection
  Session Protection:
    Enabled, state: Ready
    Duration: 86400 sec
  Capabilities:
    Sent:
      0x508  (MP: Point-to-Multipoint (P2MP))
      0x509  (MP: Multipoint-to-Multipoint (MP2MP))
      0x50b  (Typed Wildcard FEC)
    Received:
      0x50b  (Typed Wildcard FEC)
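The two captures above show what to look for when auditing the result: "MD5 on" on the TCP connection line, session protection in state Ready, and (on R3) graceful restart negotiated. The script below is an added example, not part of the original post: it splits a "show mpls ldp neighbor detail" capture into per-peer blocks and flags any peer missing one of those properties. The R1 and R3 peer blocks are quoted from the page; the second R1 peer (16.0.6.6:0) is constructed so the check has something to report, and a TCP connection line without "MD5 on" is treated as unauthenticated rather than matching a specific "off" wording.

```python
import re

# First peer block quoted from the R1 output on the page; the 16.0.6.6:0 block is
# constructed (no MD5 suffix, no session protection line) to exercise the check.
IOS_OUTPUT = """\
Peer LDP Ident: 16.0.2.2:0; Local LDP Ident 16.0.1.1:0
    TCP connection: 16.0.2.2.22140 - 16.0.1.1.646; MD5 on
    Password: not required, fallback, in use
    State: Oper; Msgs sent/rcvd: 54/54; Downstream; Last TIB rev sent 69
    Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
    Clients: Dir Adj Client
    LDP Session Protection enabled, state: Ready
        duration: 86400 seconds
Peer LDP Ident: 16.0.6.6:0; Local LDP Ident 16.0.1.1:0
    TCP connection: 16.0.6.6.41022 - 16.0.1.1.646
    State: Oper; Msgs sent/rcvd: 12/12; Downstream; Last TIB rev sent 20
    Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
    Clients: Dir Adj Client
"""

# Quoted from the R3 (IOS-XR) output on the page.
XR_OUTPUT = """\
Peer LDP Identifier: 16.0.2.2:0
  TCP connection: 16.0.2.2:646 - 16.0.3.3:26985; MD5 on
  Graceful Restart: Yes (Reconnect Timeout: 120 sec, Recovery: 0 sec)
  Session Holdtime: 180 sec
  State: Oper; Msgs sent/rcvd: 52/52; Downstream-Unsolicited
  Peer holdtime: 180 sec; KA interval: 60 sec; Peer state: Estab
  NSR: Disabled
  Clients: Session Protection
  Session Protection:
    Enabled, state: Ready
    Duration: 86400 sec
"""

# IOS prints "Peer LDP Ident:", IOS-XR prints "Peer LDP Identifier:".
PEER_HEADER = re.compile(r"^\s*Peer LDP Ident(?:ifier)?:\s*(\S+?);?\s", re.M)


def split_peers(text):
    """Yield (peer_id, block_text) for each peer section of the capture."""
    matches = list(PEER_HEADER.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        yield m.group(1), text[m.start():end]


def audit_peer(block):
    """Extract the three security-relevant facts from one peer block."""
    tcp = re.search(r"TCP connection:.*", block)
    md5 = bool(tcp and "MD5 on" in tcp.group(0))
    # Matches both "LDP Session Protection enabled, state: Ready" (IOS) and
    # "Session Protection:\n    Enabled, state: Ready" (IOS-XR).
    sp = re.search(r"Session Protection.*?state:\s*(\w+)", block, re.S)
    gr = re.search(r"Graceful Restart:\s*(\w+)", block)
    return {
        "md5": md5,
        "session_protection": sp.group(1) if sp else None,
        "graceful_restart": (gr.group(1) == "Yes") if gr else None,
    }


def audit(text, require_gr=False):
    """Return {peer_id: [findings]}; an empty list means the peer passes."""
    report = {}
    for peer, block in split_peers(text):
        facts = audit_peer(block)
        findings = []
        if not facts["md5"]:
            findings.append("no TCP MD5 on LDP session")
        if facts["session_protection"] != "Ready":
            findings.append("session protection not ready")
        if require_gr and facts["graceful_restart"] is not True:
            findings.append("graceful restart not negotiated")
        report[peer] = findings
    return report


if __name__ == "__main__":
    for name, text, gr in (("R1", IOS_OUTPUT, False), ("R3", XR_OUTPUT, True)):
        for peer, findings in audit(text, require_gr=gr).items():
            print(f"{name} -> {peer}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the two captures it reports the page's peers as clean and flags the constructed 16.0.6.6:0 session for both missing MD5 and missing session protection; pass require_gr=True only for the routers the task expects to negotiate graceful restart.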
