Monday, March 18, 2013

MPLS Neighbor Security

I am going to show you how to implement LDP security between neighbors. The LDP session runs over TCP, and the neighbor password is used to compute an MD5 signature on each TCP segment.


Let's verify how our neighborship currently looks on R2, the (P) router. We have two different neighbors. Let's set a password for each.

R2#show mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.48828
        State: Oper; Msgs sent/rcvd: 8/8; Downstream
        Up time: 00:00:07
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.100.1
        Addresses bound to peer LDP Ident:
          192.168.100.1   1.1.1.1
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.23134 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 8/8; Downstream
        Up time: 00:00:06
        LDP discovery sources:
          GigabitEthernet2/0, Src IP addr: 192.168.104.1
        Addresses bound to peer LDP Ident:
          192.168.104.1   4.4.4.4

R2(config)#mpls ldp neighbor 1.1.1.1 password joel
R2(config)#mpls ldp neighbor 4.4.4.4 password joel

Now we need to do the same on R1 and R4, but let's not do it yet. I am going to clear the LDP neighborship to see what errors are generated, since we have not made any changes on R1 and R4 yet.

R2#clear mpls ldp neighbor *
R2#
*Mar 18 22:27:26.395: %LDP-5-CLEAR_NBRS: Clear LDP neighbors (*) by console
*Mar 18 22:27:26.455: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (3) is DOWN (User cleared session manually)
*Mar 18 22:27:26.471: %LDP-5-NBRCHG: LDP Neighbor 4.4.4.4:0 (1) is DOWN (User cleared session manually)
R2#

We can see from the alerts below that we are not getting an MD5 digest from either neighbor, 4.4.4.4 or 1.1.1.1. If they had a password set but it was incorrect, the message would instead say something along the lines of the digest being invalid.

R2#
*Mar 18 22:27:43.707: %TCP-6-BADAUTH: No MD5 digest from 4.4.4.4(35699) to 2.2.2.2(646) tableid - 0
*Mar 18 22:27:44.055: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(646) to 2.2.2.2(45946) tableid - 0
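As an added example (not part of the original post), here is a small Python script that classifies these %TCP-6-BADAUTH messages during a password rollout: it works out which side is the remote peer, uses port 646 to tell LDP from BGP, and separates "peer has no password yet" from "peer has the wrong password". The "Invalid MD5 digest" wording and the third sample line are assumptions, not output captured in this lab.

```python
import re

# Constructed sample log. The first two lines are the ones seen on R2 above;
# the third is an assumed mismatched-password line (not captured in this lab);
# the fourth is an unrelated LDP message the classifier should ignore.
SAMPLE_LOG = """\
*Mar 18 22:27:43.707: %TCP-6-BADAUTH: No MD5 digest from 4.4.4.4(35699) to 2.2.2.2(646) tableid - 0
*Mar 18 22:27:44.055: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(646) to 2.2.2.2(45946) tableid - 0
*Mar 18 22:35:10.123: %TCP-6-BADAUTH: Invalid MD5 digest from 3.3.3.3(646) to 2.2.2.2(51002) tableid - 0
*Mar 18 22:30:13.451: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
"""

BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<reason>No|Invalid) MD5 digest from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

# Well-known ports of TCP-MD5-protected control-plane protocols on IOS.
WELL_KNOWN_PORTS = {646: "LDP", 179: "BGP"}


def classify_badauth(log_text, local_ids):
    """Return {peer_ip: {"protocol": ..., "verdict": ...}} for each BADAUTH line.

    local_ids is the set of this router's own addresses (e.g. its LDP
    router-id); whichever end of the TCP connection is not local is the peer.
    """
    findings = {}
    for line in log_text.splitlines():
        m = BADAUTH_RE.search(line)
        if not m:
            continue  # not a TCP MD5 authentication failure
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        peer = dst if src in local_ids else src
        # The well-known port sits on whichever side accepted the session.
        proto = WELL_KNOWN_PORTS.get(sport) or WELL_KNOWN_PORTS.get(dport) or "unknown"
        if m["reason"] == "No":
            verdict = "no MD5 option in segment: password not configured on peer"
        else:
            verdict = "MD5 digest mismatch: passwords differ"
        findings[peer] = {"protocol": proto, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for peer, info in classify_badauth(SAMPLE_LOG, {"2.2.2.2"}).items():
        print(f"{peer:<10} {info['protocol']:<4} {info['verdict']}")
```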

Now let's configure R1 and R4.

R1(config)#mpls ldp neighbor 2.2.2.2 password joel
R1(config)#end
R1#
*Mar 18 22:30:03.471: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar 18 22:30:13.451: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP

R4(config)#mpls ldp neighbor 2.2.2.2 password joel
R4(config)#end
R4#
*Mar 18 22:31:05.403: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar 18 22:31:17.335: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
R4#

We are all done now.
