For Cisco IOS Software Release 12.0(13)S7

MPLS—LDP MD5 Global Configuration
  Information About MPLS—LDP MD5 Global Configuration
Cisco IOS Release: Multiple releases
If the neighboring nodes support graceful restart, then LDP sessions are gracefully restarted. The 
LDP MD5 password configuration is checkpointed to the standby Route Processors (RPs). The LDP 
MD5 password is used by the router when the new active RP attempts to establish LDP sessions with 
neighbors after the switchover.
LDP session, advertisement, and notification messages are exchanged between two LDP peers over a 
TCP connection. You can configure the TCP MD5 option to protect LDP messages that are exchanged 
over a TCP connection. You can configure this protection for each potential LDP peer. As a result, 
LDP ignores any LDP hello messages sent from an LSR for which you have not configured a password. 
(LDP tries to establish an LDP session with each neighbor from which a hello message is received.) 
Before the introduction of the MPLS—LDP MD5 Global Configuration feature, you needed to configure 
a separate password for each LDP peer for which you wanted MD5 protection. This was the case even 
when the same password was used for multiple LDP peers. Before this feature, LDP would tear down 
LDP sessions with a peer immediately if a password for that peer had changed.
LDP MD5 Password Configuration Information
Before the introduction of the MPLS—LDP MD5 Global Configuration feature, the command used for 
configuring a password for an LDP neighbor was mpls ldp neighbor [vrf vrf-name] ip-address 
password [7] password. This command configures a password for one neighbor whose router ID is 
the IP address in the specified VRF. An LSR can have zero or one such configuration for each LDP 
neighbor. 
You can use the commands provided by the MPLS—LDP MD5 Global Configuration feature to 
configure passwords for LDP neighbors. 
You must understand how LDP determines the password for an LDP session between peers before you 
configure MD5 password protection for your network. LDP determines the passwords for its sessions 
based on the commands that you enter.
You can enter an mpls ldp password vrf vrf-name required [for acl] command, either with an optional 
acl argument that permits the LDP router ID of the neighbor or without an acl argument. Make sure that 
you enter a command that configures a password. Otherwise, LDP might not establish a session with the 
neighbor in question.
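The precedence this section describes between the per-neighbor command, the numbered password option commands and the required setting, modelled in Python as an added example (not Cisco code and not part of the original document). It assumes that the first option whose ACL permits the neighbor router ID supplies the password, treats an ACL as a plain list of permitted prefixes, and treats a missing password under the required setting as a refused session; the class, function names and sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VrfLdpConfig:
    """Constructed model of the MD5 password commands entered for one VRF."""
    neighbor_pw: dict = field(default_factory=dict)  # router ID -> pwd (mpls ldp neighbor ... password)
    options: list = field(default_factory=list)      # (number, acl, pwd) from "password option"
    acls: dict = field(default_factory=dict)         # acl name -> permitted prefixes (permit-only)
    required: bool = False                           # "password required" entered
    required_acl: str = ""                           # its optional "for acl"; "" = every neighbor

def acl_permits(cfg, acl, router_id):
    """True if any prefix of the named ACL covers the neighbor router ID."""
    addr = ipaddress.ip_address(router_id)
    return any(addr in ipaddress.ip_network(p) for p in cfg.acls.get(acl, []))

def session_password(cfg, ldp_id):
    """Return (password, source) for a neighbor LDP ID written as A.B.C.D:N."""
    router_id = ldp_id.split(":")[0]
    if router_id in cfg.neighbor_pw:                 # per-neighbor command wins outright
        return cfg.neighbor_pw[router_id], "neighbor"
    for number, acl, pwd in sorted(cfg.options, key=lambda o: o[0]):  # ascending number
        if acl_permits(cfg, acl, router_id):         # assumption: first permitting ACL wins
            return pwd, f"option {number}"
    return None, "none"

def session_allowed(cfg, ldp_id):
    """False when the neighbor falls under 'required' but no command gives it a password."""
    pwd, _ = session_password(cfg, ldp_id)
    if pwd is not None or not cfg.required:
        return True
    return bool(cfg.required_acl) and not acl_permits(cfg, cfg.required_acl, ldp_id.split(":")[0])

# Constructed sample: documentation-range addresses, placeholder passwords.
CFG = VrfLdpConfig(
    neighbor_pw={"192.0.2.1": "pwd-nbr"},
    options=[(20, "acl-all", "pwd-20"), (10, "acl-core", "pwd-10")],  # entered out of order
    acls={"acl-core": ["192.0.2.0/28"], "acl-all": ["192.0.2.0/24"]},
    required=True,
)

if __name__ == "__main__":
    for peer in ("192.0.2.1:0", "192.0.2.5:0", "192.0.2.200:0", "198.51.100.9:0"):
        print(peer, session_password(CFG, peer), session_allowed(CFG, peer))
```

The last sample peer matches no password command while the required setting is on, which is the misconfiguration the paragraph above warns about: audit for neighbors that resolve to no password before enabling it.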
For the commands in the following password-determining process, A.B.C.D:N represents the 
LDP neighbor in VRF vpn1 and the neighbor LDP ID: 
A.B.C.D is the neighbor router ID. 
N is the neighbor label space ID.
To determine the password for an LDP session for the neighbor label space A.B.C.D:N, LDP looks at the 
password commands in the order indicated by the following statements:
If you configured this command:
mpls ldp neighbor vrf vpn1 A.B.C.D password pwd-nbr 
The LDP session password is pwd-nbr. LDP looks no further and uses the password you specify.
Otherwise, LDP looks to see if you configured one or more mpls ldp vrf vpn1 password option 
commands. LDP considers the commands in order of the ascending number arguments (number-1st 
to number-n). For example:
mpls ldp vrf vpn1 password option number-1st for acl-1st pwd-1st