No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
Huawei Firewall Security Policy Essentials
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
How to Configure Security Policies to Allow LDP

How to Configure Security Policies to Allow LDP

Label Distribution Protocol (LDP) is widely used in the Multiprotocol Label Switching (MPLS) system. Label switching routers (LSRs) exchange messages such as label mapping and release messages through LDP sessions. The process of establishing an LDP session involves the following phases: discovery, TCP three-way handshake, session establishment, and message exchange.

In the LDP discovery phase, Hello messages are sent through UDP packets, and the destination port number is 646. The following LDP discovery mechanisms are supported: basic discovery and extended discovery.

Table 8-9 LDP discovery mechanisms

Discovery Mechanism

Application Scenario

Message

Destination Address

Destination Port

Initiator

Basic discovery

Discovers directly connected LSR peers on the link.

Link Hello

224.0.0.2 (multicast)

UDP: 646

Two-way (symmetric)

Extended discovery

Discovers LSR peers not directly connected on a link.

Targeted Hello

Specified peer IP address (unicast)

UDP: 646

Triggered by the initiator (asymmetric)

After the discovery phase, the initiator initiates a TCP connection request, establishes a TCP connection and an LDP session, and exchanges messages using TCP unicast packets. The destination port number is 646. In the basic discovery mechanism, the initiator is the party with a larger transport address. In the extended discovery mechanism, the initiator is manually specified. In this document, the firewall functions as the initiator.

Table 8-10 Security policy example — LDP

No.

Name

Source Security Zone

Destination Security Zone

Source Address/Region

Destination Address/Region

Service

Action

101

Allow ldp basic discovery

Local

Untrust

10.1.1.10/24

10.1.1.1/24

ldp-tcp (TCP: 646)

permit

102

Allow ldp extended discovery

Local

Untrust

10.1.1.10/24

10.1.2.1/24

ldp-tcp (TCP: 646)

ldp-udp (UDP: 646)

permit

If the initiator cannot be determined, you can configure security policies in both directions, view the policy matching statistics, and delete the security policy that has never been matched.

Translation
简体中文
Download
Updated: 2023-04-06

Document ID: EDOC1100172313

Views: 124194

Downloads: 558

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :