Router# configure terminal
Router(config)# mpls label protocol ldp
Router(config)# access-list 15 permit host 10.15.15.15
Router(config)# mpls ldp explicit-null to 15
If you issue the show mpls forwarding-table command, the output shows that explicit null labels are
going only to the router specified in the access list.
Router# show mpls forwarding-table
Local Outgoing Prefix Bytes label Outgoing Next Hop
label label or VC or Tunnel Id switched interface
19 Pop tag 10.12.12.12/32 0 Fa2/1/0 172.16.0.1
22 0 10.14.14.14/32 0 Fa2/0/0 192.168.0.2
23 0 172.24.24.24/32 0 Fa2/0/0 192.168.0.2
24 0 192.168.0.0/8 0 Fa2/0/0 192.168.0.2
25 0 10.15.15.15/32 0 Fa2/0/0 192.168.0.2
26 0 172.16.0.0/8 0 Fa2/0/0 192.168.0.2
27 25 10.16.16.16/32 0 Fa2/0/0 192.168.0.22
28 0 10.34.34.34/32 0 Fa2/0/0 192.168.0.2
Enabling explicit-null with both the forand tokeywords enables you to specify which routes to advertise
with explicit-null labels and to which adjacent routers to advertise these explicit-null labels.
Router# show access 15
Standard IP access list 15
permit 10.15.15.15 (7 matches)
Router# show access 24
Standard IP access list 24
permit 10.24.24.24 (11 matches)
Router# configure terminal
Router(config)# mpls label protocol ldp
Router(config)# mpls ldp explicit-null for 24 to 15
If you issue the show mpls forwarding-table command on the router called 47K-60-4, the output shows
that it receives explicit null labels for 10.24.24.24/32.
Router# show mpls forwarding-table
Local Outgoing Prefix Bytes label Outgoing Next Hop
label label or VC or Tunnel Id switched interface
17 0 <--- 10.24.24.24/32 0 Et4 172.16.0.1
20 Pop tag 172.16.0.0/8 0 Et4 172.16.0.1
21 20 10.12.12.12/32 0 Et4 172.16.0.1
22 16 10.0.0.0/8 0 Et4 172.16.0.1
23 21 10.13.13.13/32 0 Et4 172.16.0.1
25 Pop tag 10.14.14.14/32 0 Et4 172.16.0.1
27 Pop tag 192.168.0.0/8 0 Et4 172.16.0.1
28 25 10.16.16.16/32 0 Et4 172.16.0.1
29 Pop tag 192.168.34.34/32 0 Et4 172.16.0.1
Protecting Data Between LDP Peers with MD5 Authentication
You can enable authentication between two LDP peers, which verifies each segment sent on the TCP
connection between the peers. You must configure authentication on both LDP peers using the same
password; otherwise, the peer session is not established.
Authentication uses the Message Digest 5 (MD5) algorithm to verify the integrity of the communication
and authenticate the origin of the message.
To enable authentication, issue the mpls ldp neighborcommand with the passwordkeyword. This causes
the router to generate an MD5 digest for every segment sent on the TCP connection and check the MD5
digest for every segment received from the TCP connection.
When you configure a password for an LDP neighbor, the router tears down existing LDP sessions and
establishes new sessions with the neighbor.
Protecting Data Between LDP Peers with MD5 Authentication
How to Configure MPLS LDP
MPLS LDP Configuration Guide, Cisco IOS Release 12.4
18