advanced - lisp technical seminar

Advanced - LISP Technical Seminar

TECRST-3191

Darrel Lewis, LISP Technical Leader

Gregg Schudel, LISP Technical Marketing Engineer

Marco Pessi, LISP Technical Marketing Engineer

© 2014 Cisco and/or its affiliates. All rights reserved.TECRST-3191 Cisco Public

Agenda

• LISP Overview and Introduction

• LISP Efficient Multihoming/Multi-AF Support

• LISP Virtualization/VPN

• LISP Data Center/Host Mobility

• Other LISP Topics, Status and Futures

• LISP Open Discussions

3


Agenda





• Other LISP Topics, Status and Futures


4

Advanced - LISP Technical SeminarLISP Overview

TECRST-3191


[email protected]

LISP Overview


Locator/ID Split and LISPRouting and Addressing Architecture of the Internet Protocol

Addresses today combine location and identity semantics in a single 32-bit or 128-bit number

Separating Location and Identity changes this…– Provide a clear separation at the Network Layer between

what we are looking for vs. how best to get there– Translation vs. Tunneling is a key question

Network Layer Identifier: WHO you are in the network– long-term binding to the thing that they name, does not change often at all

Network Layer Locator: WHERE you are in the network – Think of the source and destination “addresses” used in routing and forwarding

WHERE you are can change! WHO you are should be the same!

7

lisp.cisco.com


LISP OverviewOriginal Motivation…

An IP address “overloads” location and identity

– Today… “addressing follows topology” – Efficient aggregation is only available for Provider

Assigned (PA) addresses– Ingress Traffic Engineering usually requires Provider

Independent (PI) addresses and the injection of “more specifics” :: this limits route aggregation compactness

– IPv6 does not fix this

Route scaling issues drive system costs higher

– Forwarding plane (FIB) requires expensive memory– Route scaling “drivers” are also seen in Data Centers

and for Mobility :: not just the Internet DFZ

“… routing scalability is the most important problem facing the Internet today and must be solved … ”

Internet Architecture Board (IAB)October 2006 Workshop (written as RFC 4984)

8

lisp.cisco.com


IPv4 Internet

Site 1

Site 2

Site 3

eBGP64.1.0.0/1764.1.0.0/16

Tier 1 SP64.1.0.0/17

64.1.0.0/16

Transit SP

Commodity SPeBGP64.1.128.0/1764.1.0.0/16

64.1.128.0/17

64.1.0.0/16

13.1.1.2/30

AS 30013. 0/8

13.0/8

Enterprise

DFZ Routing Table

64.1/17

12.0/8

13.0/864.1.128/

1764.1/16

64.1/16

AS 10064.1.0.0/16

Identity

AS 20012. 0/8

12.0/8

12.1.1.2/30 Location

LISP OverviewIdentity and Location :: an Overloaded Concept in Routing Today…

9

lisp.cisco.com


IPv4 Internet

Tier 1 SP


Site 1

Site 2

AS 10064.1.0.0/16

Site 3

AS 20012. 0/8

12.1.1.2/30

Enterprise

DFZ Routing Table

64.1/17

64.1/16

64.1.128/1764.1/16

Transit SP

Commodity SP

13.0/8

12.0/8

LISP Mapping System

• Let’s put ID address and Locator address in different databases

• Let’s create a “level of indirection” between ID and LOCATION in the network!

Clear Separation at the Network Layer::• who/what you are looking for

vs. …• how to best get there

Two Approaches::• Translations (e.g. NAT)

vs. …• Tunnels (e.g. GRE, IPsec, MPLS)

What if Locator/ID Separation worked on a GLOBAL Scope? No need to carry all routing in the Forwarding Plane!

13.1.1.2/30

AS 30013. 0/8

Identity

Location

10

lisp.cisco.com


IPv4 Internet

Tier 1 SP

Site 1

Site 2

AS 10064.1.0.0/16

Site 3

AS 20012. 0/8

12.1.1.2/30

Enterprise

DFZ Routing Table

LISP Mapping System

• Let’s scale the ID address databases to 1010 and allow it to hold any prefix length (e.g. /32)

• Let’s provide a mechanism to provide on-the-fly resolution of ID and locator

• High scale design, and ability to change locator for fixed ID enables Mobility!


13.0/8

12.0/8

64.1/17

64.1/16

64.1.128/1764.1/16

64.1/16

@12.1.2.2

@13.1.1.2

Transit SP

Commodity SP

13.1.1.2/30

AS 30013. 0/8

Identity

Location

11

lisp.cisco.com


LISP changes the routing architecture to implement a level of indirection between a hosts IDENTITY and its LOCATION in the network

LISP changes the current ROUTING Architecture• Changes lead to DISRUPTION • Disruption leads to OPPORTUNITIES• LISP allows both SPs and Enterprises to do remarkably different things

than allowed by traditional approaches• LISP enables NEW services (VPNs, IPv6, Mobility, “cloud”) in one,

common, simple architecture

LISP OverviewLISP :: A Routing Architecture – Not a Feature

12

lisp.cisco.com


LISP OverviewLocator/ID Separation :: The Mapping System is the Key

A Mapping Systems is the key component of Loc/ID separation architecture– Mapping systems provide the control plane for the architecture– Mapping systems represent the great opportunity for these architecture to excel

Most of the time, users/operators think about the data plane The control plane is where the magic happens!

Some general components of a mapping system to be aware… These affect how the system scales much differently than routing

state :: must scale to large numbers (such as 1010) of hostsrate :: must be small globally; damp reachability and mobility from globally impacting the systemlatency :: must be low enough not to harm existing applicationsscope :: must allow for both a global and a private scope for mapping

13

lisp.cisco.com


LISP OverviewLocator/ID Separation :: Changing the Routing Architecture

A Locator/ID Separation “architecture” helps solve other current network problems

IPv4/IPv6 Co-existence at the “ID” and “Locator” spaces– IPv4 and IPv6 can be implemented at the “ID” and/or “locator” spaces for simple integration– In reality, anything can be an “ID” and carried over traditional cores (IPv4 and IPv6)

e.g. RFID, VIN#, Geo-Location, MAC-Addr, etc. etc. etc.

Scaling IP Mobility is very similar to scaling Internet Multihoming– Mobility:: “ID” (unique address) moves from one network “location” to another network “location”– Multihoming:: an “ID” (unique address) connects to multiple networks “locations” simultaneously– For both Mobility and Multihoming, the network must keep “more specific state” globally about

where something is located at the current time

14

lisp.cisco.com


An over-the-top technology‒ Address Family agnostic‒ Incrementally deployable‒ End systems can be unaware of LISP

Deployment simplicity‒ No host changes‒ Minimal CPE changes‒ Some new core infrastructure components

Enables IP Number Portability‒ Never change host IP’s; No renumbering costs‒ No DNS changes; “name == EID” binding‒ Session survivability

An Open Standard‒ Being developed in IETF (RFC 6830-6836, 7052)‒ No Cisco Intellectual Property Rights

Uses pull vs. push routing‒ OSPF and BGP are push models; routing

stored in the forwarding plane‒ LISP is a pull model; Analogous to DNS;

massively scalable


LISP use-cases are complimentary‒ Simplified multi-homing with Ingress traffic

Engineering; no need for BGP‒ Address Family agnostic support‒ Virtualization support‒ End-host mobility without renumbering

15

lisp.cisco.com

LISP Operations


LISP OperationsMain attributes of LISP

LISP namespaces‒ EID (Endpoint Identifier) is the IP address of

a host – just as it is today‒ RLOC (Routing Locator) is the IP address of

the LISP router for the host‒ EID-to-RLOC mapping is the distributed

architecture that maps EIDs to RLOCs

Prefix Next-hopw.x.y.1 e.f.g.hx.y.w.2 e.f.g.hz.q.r.5e.f.g.hz.q.r.5e.f.g.h

Non-LISP

RLOC Space

EID-to-RLOC mapping

EID SpacexTR

xTR

MS/MR

PxTR

xTR

EID RLOCa.a.a.0/24 w.x.y.1b.b.b.0/24 x.y.w.2c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5EID Space

Network-based solution No host changes Minimal configuration No DNS changes

Address Family agnostic Incrementally deployable

(support LISP and non-LISP) Support for mobility

17

lisp.cisco.com


LISP OperationsLISP :: Mapping Resolution “Level of Indirection” DNS analog

LISP “Level of Indirection” is analogous to a DNS lookup‒ DNS resolves IP addresses for URL Answering the “WHO IS” question

‒ LISP resolves locators for queried identities Answering the “WHERE IS” question

hostDNS Name-to-IPURL Resolution

[ who is lisp.cisco.com ] ?

DNSServer

[153.16.5.29, 2610:D0:110C:1::3 ]

LISPIdentity-to-locatorMapping Resolution

LISP router

LISP Mapping System

[ where is 2610:D0:110C:1::3 ] ?

[ locator is 128.107.81.169, 128.107.81.170 ]

18

lisp.cisco.com


LISP OperationsLISP IPv4 EID / IPv4 RLOC Data Packet Header Example

IPv4 Outer Header:

ITR supplies RLOCs

IPv4 Inner Header:

Host supplies EIDs

LISP Header:

UDP Header:

19


LISP OperationsLISP Encapsulation Combinations – IPv4 and IPv6 Supported

Q: Doesn’t encapsulation cause MTU issues?

A: It can… But preparation limits issues… ‒Encapsulation overhead is 36B IPv4 and 56B IPv6‒LISP supports “stateful” (PMTUD) and “stateless”

(fragmentation) options‒Tunnel/MTU issues are well known (GRE, IPsec, etc.)

and are usually operationally tractable

IPv6/IPv4

IPv6 Outer

Header

IPv4 Inner

Header

UDPLISP

IPv4/IPv6

IPv4 Outer

Header

IPv6 Inner

Header

UDPLISP

IPv4/IPv4

IPv4 Outer

Header

IPv4 Inner

Header

UDPLISP

IPv6/IPv6

IPv6 Outer

Header

IPv6 Inner

Header

UDPLISP

20


LISP OperationsLISP Data Plane :: Ingress/Egress Tunnel Router (xTR)

PI EID-prefix 2001:db8:2::/48

xTR-3

ETRITR

xTR-4

ETRITR

LISP Site 2 DLISP Site 1S

xTR-1

ETRITR

xTR-2

ETRITR


Provider A10.0.0.0/8

Provider B11.0.0.0/8

Provider C12.0.0.0/8

Provider D13.0.0.0/8

packet flowpacket flow

ETR – Egress Tunnel Router‒ Receives packets from core-facing interfaces

‒ De-cap and deliver packets to local EIDs at site

ITR – Ingress Tunnel Router‒ Receives packets from site-facing interfaces

‒ Encap to remote LISP sites, or native-fwd to non-LISP sites

21


LISP OperationsLISP Data Plane :: Unicast Packet Flow


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

DNS entry:D.abc.com AAAA 2001:db8:2::1

12

2001:db8:1::1 -> 2001:db8:2::1

2001:db8:1::1 -> 2001:db8:2::111.0.0.2 -> 12.0.0.2

4

5

2001:db8:1::1 -> 2001:db8:2::111.0.0.2 -> 12.0.0.2

6

72001:db8:1::1 -> 2001:db8:2::1

EID-prefix: 2001:db8:2::/48Locator-set: 12.0.0.2, priority: 1, weight: 50 13.0.0.2, priority: 1, weight: 50

Map-Cache Entry

3

This policy controlledby the destination site

22


LISP OperationsLISP Data Plane :: Ingress/Egress Tunnel Router (xTR)


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

!router lisp locator-set SITE2 12.0.0.2 priority 1 weight 50 13.0.0.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 2001:db8:2::/48 locator-set SITE2 exit ! ipv6 itr map-resolver 66.2.2.2 ipv6 itr ipv6 etr map-server 66.2.2.2 key S3cr3t-2 ipv6 etr exit!ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)!

Identical configs on both xTRs!

23


LISP OperationsLISP Packet Forwarding – ITR

Ingress PacketIs SRC

within local EID prefix?

Check Map-Cache entries to see which one the destination

matches (2)

YES

NO

“fwd-encap”action?

YES

NO

LISP Encap Pck to DST RLOC (3)

YES LISP EncapPck to

PETR (3)

YES

NO

Destination lookup in routing table (RIB)

(show ip route)

Is a route matched for:

1. default route (0.0.0.0/0 or ::/0)

2. “no route”

Check source address of the packet to be forwarded

Packet NOT ELIGABLE for LISP encapsulation; native

forwarding rules apply

Packet ELIGABLE for LISP encapsulation

YES

Is there a default route?

(0.0.0.0/0 or ::/0)

YES

NOYES

NOYES

NOTES:1) If the destination doesn’t match a “default route” or “no route” – the only other possibility is a

match against a “real route” with viable next-hop. This packet is not eligible for LISP encapsulation and is always forwarded natively (and will not use PETR if configured).

2) Because the LISP control plane function automatically installs a default map-cache entry with the action of “send-map-request,” there can never be a “map-cache miss.”

3) The packet is encapsulated and a destination address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.

Forward PacketNatively (1)

NO

Drop Packet

Forward PacketNatively

Drop Packet

Drop Packet

“drop”action?

“send-request”action?

“forward-native”action

Send Map-Request to

Map-Resolver


use-petr configured?

NO

24


LISP OperationsLISP Control Plane :: Introduction

LISP Control Plane Provides On-Demand Mappings‒ Control Plane is separate from the Data Plane (UDP 4342 vs UDP 4341)‒ Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)‒ LISP Control Plane Messages for EID-to-RLOC resolution‒ Distributed databases and map-caches hold mappings

25

lisp.cisco.com


LISP OperationsLISP Control Plane :: Map-Server/Map-Resolver (MS/MR)


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

MR – Map-Resolver‒ Receives Map-Request from ITR‒ Forwards Map-Request to Mapping System‒ Sends Negative Map-Replies in response to

Map-Requests for non-LISP sites

MS – Map-Server‒ LISP site ETRs register their EID prefixes here;

requires configured “lisp site” policy, authentication key

‒ Receives Map-Requests via Mapping System, forwards them to registered ETRs

26


LISP OperationsLISP Control Plane :: Map-Server/Map-Resolver (MS/MR)


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

LISP Map Cache (ITR)‒ Only stores mappings for sites the ITR is currently sending packets to

‒ Populated by receiving Map-Replies from ETRs

‒ ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights

LISP Site Mapping-Database (ETR)‒ EID-to-RLOC mappings in all ETRs for local LISP site

‒ ETR is “authoritative” for its EIDs, sends Map-Replies to ITRs

‒ ETRs can tailor policy based on Map-Request source

27


LISP OperationsLISP Control Plane :: Control Plane Messages

Control Plane Control Plane EID Registration‒ Map-Register message

Sent by ETR to Map-Server to register its associated EID prefixes• Specifies RLOC(s) to be used by the MS when forwarding Map-Requests to the ETR

Control Plane “Data-triggered” mapping services‒ Map-Request message

Sent by an ITR to Map-Resolver to• learn an EID/RLOC mapping• test an RLOC for reachability• refresh a mapping before TTL expiration• respond to a Solicit Map-Request (SMR)

Sent by an ETR (with “S” bit set)• as a Solicit Map-Request (SMR) to signal

site change

‒ Map-Reply messageSent by an ETR to an ITR

• in response to valid map-request to provide EID/RLOC mapping and site ingress policy for the requested EID

‒ Map-Notify messageSent by Map-Server to an ETR to

• acknowledge successful registration of an EDI prefix

28


LISP OperationsLISP Control Plane :: Map-Register


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR






10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

66.2.2.2

1LISP Map-Register(udp 4342)

SHA2 HMAC2001:db8:2::/4812.0.0.2, 13.0.0.2

12.0.0.2 -> 66.2.2.2

Other sites… 2

1LISP Map-Register

. . .

12.0.0.2 -> 66.2.2.2

29


LISP OperationsLISP Control Plane :: Map-Request/Map-Reply


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

66.2.2.2

DNS entry:D.abc.com AAAA 2001:db8:2::1

12

2001:db8:1::1 -> 2001:db8:2::1

Is 2001:db8:2::1 a LISP Destination?

3 11.0.0.2 -> 66.2.2.2LISP ECM(udp 4342)

11.0.0.2 / 2001:db8:2::1Map-Request

(udp 4342)nonce


Map-Cache Entry6

4 66.2.2.2 -> 12.0.0.2LISP ECM(udp 4342)

11.0.0.2 / 2001:db8:2::1Map-Request

(udp 4342)nonce

512.0.0.2 ->11.0.0.2

Map-Reply(udp 4342)

nonce / TTL 2001:db8:2::/4812.0.0.2 [1, 50]13.0.0.2 [1, 50]

30


LISP OperationsLISP Control Plane :: Map-Request/Proxy-Map-Reply


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

66.2.2.2


Map-Cache Entry4

366.2.2.2 ->11.0.0.2

Map-Reply(udp 4342)

nonce / TTL 2001:db8:2::/4812.0.0.2 [1, 50]13.0.0.2 [1, 50]

2 11.0.0.2 -> 66.2.2.2LISP ECM(udp 4342)

11.0.0.2 / 2001:db8:2::1Map-Request

(udp 4342)nonce

1LISP Map-Register

(udp 4342)SHA2 HMACProxy-Bit Set

2001:db8:2::/4812.0.0.2, 13.0.0.2

12.0.0.2 -> 66.2.2.2

31

lisp.cisco.com


LISP OperationsLISP Control Plane :: Map-Request/Negative-Map-Reply


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

66.2.2.2

EID-prefix: 2001:8000::/21 forward-native

Map-Cache Entry4

366.2.2.2 -> 11.0.0.2

Negative-Map-Reply(udp 4342)

nonce / TTL2001:8000::/21

2 11.0.0.2 -> 66.2.2.2LISP ECM(udp 4342)

11.0.0.2 / 2001:db7:1::1Map-Request

(udp 4342)nonce

12001:db8:1::1 -> 2001:db7:1::1

Is 2001:db7:1::1 a LISP Destination?

NOTE:The actual “covering prefix” returned in an NMR depends on the number and distribution of EID prefixes in the Mapping System. The NMR prefix will cover the shortest prefix that doesn’t cover

any LISP Sites in the Mapping System

Notes:‒ When an ITR queries for a destination that is

not in the Mapping System, the Map-Resolver returns an NMR.

‒ A TTL of 1-minute or 15-minutes is set depending on the space covered by the NMR.

32


LISP OperationsLISP Control Plane :: MS/MR Configuration example


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR







10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Mapping System

MR MS

66.2.2.2

!router lisp site Site-1 authentication-key S3cr3t-1 eid-prefix 2001:db8:1::/48 exit ! site Site-2 authentication-key S3cr3t-2 eid-prefix 2001:db8:2::/48 exit ! !-:: more LISP site configs ! ipv6 map-server ipv6 map-resolver exit!

!router lisp site ALL authentication-key ******* eid-prefix 2001:db8::/32 accept-more-specifics exit ! ipv6 map-server ipv6 map-resolver exit! Alternative

33


LISP OperationsLISP Control Plane :: Mapping-System Scaling

MR MSMR MS

xTRs

xTRs

xTRs

PxTRs

PxTRs

xTRs

xTRs

xTRsPxTRs

xTRs

xTRsxTRs

xTRsxTRs

xTRs xTRsxTRs

MS/MRs

MS/MRsMS/MRs

MS/MRs

MS/MRs

MS/MRs

MS/MRsMS/MRs

The LISP Beta Network uses DDT today…

DDTDDTDDT

DDT

DDT – Delegated Distributed Tree

‒ Hierarchy for Instance IDs and for EID Prefixes

‒ DDT Map-Resolvers sends (ECM) Map-Requests

‒ DDT Nodes Return Map-Referral messages

‒ DDT Resolvers resolve the Map-Server’s RLOC iteratively

‒ Conceptually, similar to DNS (IN-ADDR hierarchy) but different prefix encoding, messages, etc.

Scaling the LISP Mapping System

‒ Deploy multiple “stand-alone” Map-Servers” and register each LISP Site to all of them (up to eight)

‒ Deploy Map-Resolvers in an “Anycast” manner

‒ Or, deploy a “hierarchical” Mapping System - DDT

LISP Delegated Database Tree

ddt-root

ddt-tld

MR MSMR MS

34


LISP OperationsPublic and Private LISP Deployment Models

• “Private” LISP deployment support single Enterprises or Entities

• LISP Enterprise deploys: xTRs Mapping System, if required Proxy System, if required

Private Model Public Model

Enterprise AEnterprise B

Enterprise C

Private Enterprise Examples

• “Public” LISP deployment supports the needs of multiple Enterprises

• LISP Service Provider deploys “shared” Mapping System and Proxy System

• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs

Stand-Alone Example

CCC

PCCC CCM BCC

MU Princeton

LISP SP

LISP Ent

NJEdge.Net

Global Examples

LISP BetaInTouch

ddt-root.org

VXNetLISP SP

LISP Ent

LISP SP

35


LISP OperationsLISP Internetworking :: Day-One Incremental Deployment

Early Recognition‒ Up-front recognition of an incremental deployment plan‒ LISP will not be widely deployed day-one

Interworking for:‒ LISP-sites to non-LISP sites (e.g. the rest of the Internet)‒ non-LISP sites to LISP-sites

Proxy-ITR/Proxy-ETR are deployed today‒ Infrastructure LISP network entity‒ Creates a monetized service opportunity for infrastructure players

36




xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR






10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

IPv6 InternetPITR PETR

Mapping SystemMR MS

66.2.2.2

PETR – Proxy ETR‒ Allows an EID in one AF [IPv4 or IPv6]

and the opposite RLOC [IPv6 or IPv4] to

reach non-LISP prefix in that same AF (AF-hop-over)

‒ Allows LISP sites with uRPF restrictions to reach non-LISP sites

IPv4 InternetPITR – Proxy ITR‒ Receives traffic from non-LISP sites;

encapsulates traffic to LISP sites‒ Advertises coarse-aggregate EID prefixes‒ LISP sites see ingress TE “day-one”

37

lisp.cisco.com




xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR






10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

IPv6 InternetPITR PETR

Mapping SystemMR MS

66.2.2.2

2001:f:f::1 2001:f:e::12001:db8::/32

Non-LISPv6 Site

2001:d:1::1

2001:d:1::1 -> 2001:db8:2::11

2001:d:1::1 -> 2001:db8:2::110.9.1.1 -> 12.0.0.2

2

3

2001:d:1::1 -> 2001:db8:2::1

4

2001:db8:2::1 -> 2001:d:1::1

6

2001:db8:2::1 -> 2001:d:1::1

IPv4 Internet

2001:db8:2::1 -> 2001:d:1::112.0.0.2 -> 12.9.2.1

5 ipv4 use-petr 12.1.1.1

38


LISP OperationsLISP Packet Forwarding – PITR

Ingress Packet

Does longest mask (or equal) prefix match against

“send-map-request” ?

YES

NOYES

Destination lookup for match in: routing table (1)

ANDmap-cache with action “send-map-request” (2)

Compare the 2 prefixes found

Take the prefix with longest/most specific mask

NOTES:1) The routing table look-up is done in the table specified in the “eid-table” command

(default or vrf)2) A map-cache entry with action “map-request” is created either by a static entry or

via the “route-import” mechanism 3) If the destination doesn’t match a RIB route or “send-map-request” map-cache

entry, then the only other possible result is the PITR has no forwarding route. The packet is dropped and a “network unreachable” ICMP is generated.

4) The destination is not a LISP EID and a RIB route is available.5) Address lookup is performed on the destination/remote RLOC; once the output

interface is known, the source RLOC is filled in.

Is match found?

NONODrop

Packet (3)

Forward PacketNatively (4)

Check Map-Cache entries to see which one the destination

matches

“fwd-encap”action?

YES

NO

LISP Encap Pck to DST RLOC (5)

YES LISP EncapPck to

PETR (5)

Packet ELIGABLE for LISP encapsulation

YES

NOYES

NOYES

Drop Packet

Drop Packet

“drop”action?

“send-request”action?

“forward-native”action

Send Map-Request to

Map-Resolver


use-petr configured?

NO

39


LISP OperationsLISP Locator Reachability….

When RLOCs go up and down:‒ We don’t want this reflected in mapping

database; must keep the rate factor small

Use following mechanisms:‒ Underlying BGP where available

‒ ICMP Unreachables, when sent and accepted

‒ Data reception heuristics when available

‒ locator-status-bits in data packets and mapping data

Only use probing when needed:‒ Pair-wise probing won’t scale

S

xTR-S1

LISP Site 1

xTR-S2



Provider X12.0.0.0/8

Provider Y13.0.0.0/8

ETRITR

ETRITR

xTR-D1

LISP Site 2

xTR-D2

ETRITR

ETRITR

D

10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

??

S

xTR-S1

LISP Site 1

xTR-S2



Provider X12.0.0.0/8

Provider Y13.0.0.0/8

ETRITR

ETRITR

xTR-D1

LISP Site 2

xTR-D2

ETRITR

ETRITR

D

10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

✔?

40


LISP OperationsLISP RLOC Reachability Concepts

Reachability options

“Routing” information when you have it E.g. PE-CE links in BGP in MPLS

Direct “data plane” packet flows LISP exclusive “locator status bits” describe “status” of source site RLOCs

to receiving sites Available (automatically) in LISP Useful for bi-directional traffic flows

RLOC-Probing Source site “probes” destination RLOCs of active conversations Available in LISP Useful for updating reachability info when unidirectional traffic is prevalent

41


LISP OperationsLISP Locator-Reachability Bits (LSB) example

EID-prefix: 2001:db8:2::/48Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1) 13.0.0.2, priority: 1, weight: 50 (D2)

MappingEntry

-> ordinal 0-> ordinal 1

7654 3210b ’xxxx xxxx’

loc-reach-bits:0x0000 0000

11

3


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR






0003

0003 xTR3 xTR4

xRT3 xTR4

10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

LSBs provide “data plane” reachability info

42


LISP OperationsLISP Locator-Reachability Bits (LSB) example

EID-prefix: 2001:db8:2::/48Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1) 13.0.0.2, priority: 1, weight: 50 (D2)

MappingEntry

-> ordinal 0-> ordinal 1

7654 3210b ’xxxx xx11’

loc-reach-bits:0x0000 0003

0

2


xTR-3

ETRITR

xTR-4

ETRITR


xTR-1

ETRITR

xTR-2

ETRITR






0002

xTR4 xTR4

xRT4 xTR4

10.0.0.2

11.0.0.2

12.0.0.2

13.0.0.2

Outages are signaled “quickly” when traffic is flowing.(When traffic is not flowing, other mechanisms are needed)

XXX

43

lisp.cisco.com


LISP OperationsLISP Management – LISP Data Plane…

Data Plane Management:‒ ping

PI EID-prefix 172.16.1.0/24

PI EID-prefix 172.16.2.0/24xTR2

ETRITR

LISP Site 2

D

LISP Site 1

SxTR1

ETRITR CORE

10.0.0.0/8

MS/MR

.1.2 .5.6

.9

.10

Left#ping 10.0.0.6 source 10.0.0.2 rep 10Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:Packet sent with a source address of 10.0.0.2!!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 msLeft#

Example:RLOC to RLOC

ping notes:1. Using RLOC to RLOC tests underlying network

44



Data Plane Management:‒ ping



ETRITR

LISP Site 2

D

LISP Site 1

SxTR1

ETRITR CORE

10.0.0.0/8

MS/MR

.1.2 .5.6

.9

.10

Left#ping 172.16.2.2 source 172.16.1.2 rep 10Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:Packet sent with a source address of 172.16.1.2 !!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 msLeft#

Example:EID to EID


2. Using EID-to-EID tests LISP data plane


2. Using EID-to-EID tests LISP data plane

3. When PxTR infrastructure is involved, EID to RLOC and RLOC to EID tests can also be useful

Common Theme: • OVER for EIDs • UNDER for RLOCs

45



Data Plane Management:‒ traceroute



ETRITR

LISP Site 2

D

LISP Site 1

SxTR1

ETRITR CORE

10.0.0.0/8

MS/MR

.1.2 .5.6

.9

.10

traceroute notes:‒ Unlike other “tunneling” techniques, LISP (tries to)

shows all intermediate hops

‒ Cross Address Family traceroute is not supported because “traceroute” does not support it

Left#traceroute 172.16.2.1 source 172.16.1.1 Type escape sequence to abort.Tracing the route to 172.16.2.1VRF info: (vrf in name/id, vrf out name/id) 1 10.0.0.1 1 msec 0 msec 0 msec 2 10.0.0.6 0 msec 1 msec 0 msec 3 172.16.2.1 0 msec * 1 msecLeft#

Example:EID to EID

ttl=1

ttl=2

ttl=3

46


LISP OperationsLISP Management – LISP Control Plane…

Control Plane Management:‒ lig (LISP internet Groper)



ETRITR

LISP Site 2

D

LISP Site 1

SxTR1

ETRITR CORE

10.0.0.0/8

MS/MR

.1.2 .5.6

.9

.10

lig notes:‒ Fetches an EID-to-RLOC database mapping entry

‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server

Left#lig self ipv4Mapping information for EID 172.16.1.0 from 10.0.0.2 with RTT 32 msecs172.16.1.0/24, uptime: 00:00:00, expires: 23:59:53, via map-reply, self Locator Uptime State Pri/Wgt 10.0.0.2 00:00:00 up 1/100Left#

47


LISP OperationsLISP Management – LISP Control Plane…

Control Plane Management:‒ lig (LISP internet Groper)



ETRITR

LISP Site 2

D

LISP Site 1

SxTR1

ETRITR CORE

10.0.0.0/8

MS/MR

.1.2 .5.6

.9

.10

lig notes:‒ Fetches an EID-to-RLOC database mapping entry

‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server

‒ Using lig <eid> you can verify that a remote EID is registered (and provide the mapping and policy)

Left#lig 172.16.2.2Mapping information for EID 172.16.2.2 from 10.0.0.6 with RTT 36 msecs172.16.2.0/24, uptime: 00:00:00, expires: 23:59:52, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.0.6 00:00:00 up 1/1 Left#

48

LISP Introduction – Summary


An over-the-top technology‒ Address Family agnostic‒ Incrementally deployable‒ End systems can be unaware of LISP

Deployment simplicity‒ No host changes‒ Minimal CPE changes‒ Some new core infrastructure components

Enables IP Number Portability‒ Never change host IP’s; No renumbering costs‒ No DNS changes; “name == EID” binding‒ Session survivability

An Open Standard‒ Being developed in the IETF (RFC 6830-6836)‒ No Cisco Intellectual Property Rights

Uses pull vs. push routing‒ OSPF and BGP are push models; routing

stored in the forwarding plane‒ LISP is a pull model; Analogous to DNS;

massively scalable


LISP use-cases are complimentary‒ Simplified multi-homing with Ingress traffic

Engineering; no need for BGP‒ Address Family agnostic support‒ Virtualization support‒ End-host mobility without renumbering

50

lisp.cisco.com


Agenda





• LISP Status and Futures


51

Advanced - LISP Technical SeminarLISP Efficient Multihoming/Multi-AF

TECRST-3191

Gregg SchudelLISP Technical Marketing Engineer

[email protected] CCIE #9591

LISP and Multihoming Overview


LISP Efficient Multihoming/Multi-AF SupportWhy Multihoming?

Increased Resiliency– Access link, router, or upstream provider network failures should not interrupt service

Increased Bandwidth– Typically less $$ to add a second link vs. paying for ‘step increase’ in existing link

access bandwidth– Adding bandwidth via a second link gives other benefits not enjoyed by simply

increasing bandwidth– But, extra bandwidth has to be useable; need the ability to effect ingress traffic usage

Increased Responsiveness– Potentially, can serve customers better with diverse links

54


LISP Efficient Multihoming/Multi-AF SupportWide range of options

Options - Low to High Complexity– Multihoming with NATo Difficult with multiple routers due to

asymmetry in traffic flows and need for concurrent state

– Multihoming with Static Routeso Path failure detection problematic

– Multihoming with BGP – Partial Routeso Premium circuit; no outbound path

information– Multihoming with BGP – Full Routeso Requires premium circuito Requires CPU and memory, complex

configuration, and “manipulation” – especially under failure conditions

Multihoming Options

Ben

efits

Techniques

Single Homed

Fully Resilient

and Traffic Eng

55


LISP Efficient Multihoming/Multi-AF SupportTraditional BGP-based Multihoming

Pros…– Reachability information available from

BGP routes• Note: Some information is ‘hidden’ behind

aggregates (caution)– Full routes can provide ‘best path’ metrics

for outbound traffic • With clever configuration and tuning, you can

get ‘symmetrical’ path in/out to remote sites– Global view of the Routing System from

your Routers• Path and route analysis possible via Route

Views or commercial tools (like Arbor)

Cons…– Requires certain class of SP link

• BGP-capable access links available everywhere? ($$/BW)

– BGP configuration is complex– Constant “tuning” for load balancing

• Failures have non-deterministic impact on load-level of remaining links

– CPE routers pulling “full routes” must store 450K+ prefixes• Small scale routers with limited memory not

suitable for CPE routers– Not all SPs are created equal

• Tier-1 SPs “well-peered with everyone”• Commodity SPs buy ‘transit’ from Tier 1’s • AS Path Prepending will have varying

effectiveness; access link load balancing tricky56


LISP Efficient Multihoming/Multi-AF SupportLISP-based Multihoming

Pros…– Multihoming requirements are “simple“

• No access link type or PE requirements• No upstream Service Provider type or support

requirements (i.e. for BGP)– Multihoming configuration is “simple”

• LISP ETR indicates EID to RLOC relationships and ingress TE policy

• LISP Site CPE can be small; no “pushed-based” routing table needs

– Applicable to LISP-to-LISP and non-LISP-to-LISP traffic “day-one”• PITR provides non-LISP-to-LISP support for

ingress TE (LISP works day-one)• Access link ingress TE is “accurate” by design

(assuming reasonable “flow” distribution)• Flexibility in LISP Architecture for ingress TE

policy specification “per-request”

Cons…– Requires Mapping Service Provider and

Proxy Service Provider services– Reachability information must be obtained

in a different manner• Data plane signaling - locator status bits (LSBs)• Control plane signaling :: rloc-probing• Routing :: e.g. MPLS PE-CE links

– Only “simple” egress TE control; non-LISP tools needed for more than ECMP• PfR - Performance Routing• BGP – now it gets complicated (but it would be

with this method anyway)– MTU handling is important to understand

• PMTUD (don’t filter ICMP)• Proactively configure higher Internet Link MTU

(same as any tunnel/encap strategy)57


LISP Deployment OverviewPrivate and Public LISP Deployment Models…

• “Private” LISP deployment support single Enterprises or Entities

• LISP Enterprise deploys: xTRs Mapping System, if required Proxy System, if required

Private Model Public Model• “Public” LISP deployment supports the needs of

multiple Enterprises• LISP Service Provider deploys “shared” Mapping

System and Proxy System• LISP Enterprises subscribe to LISP SP, and deploy

their own xTRs

Enterprise AEnterprise B

Enterprise C

Private Enterprise ExamplesStand-Alone Example

CCC

PCCC CCM BCC

MU Princeton

LISP SP

LISP Ent

NJEdge.Net

Global Examples

LISP BetaInTouch

ddt-root.org

VXNetLISP SP

LISP Ent

LISP SP

58


LISP OperationsLISP Encapsulation – Any IPv4 and IPv6 Combination Supported

IPv6/IPv4

IPv6/IPv6

IPv4/IPv6

IPv4/IPv4

IPv4 Outer

Header

IPv6 Outer Header

LISP

UDP

payload

IPv6 Inner

Headerpayload

IPv4InnerHeader

59


LISP Multihoming and Multi-AFInherent support for AF-agnostic operations

IPv4 Internet

IPv6

IPv6LISP Site

GE0/0/010.1.1.2/30

GE0/0/010.2.1.2/30

EIDs172.16.1.0/24

2001:db8:a:1::/64

xTR-1

xTR-2

RLOC

RLOC

SP1

IPv4

SP2

IPv4

MR/MS

10.10.30.10

2001:db8:f000:2::1

PxTR

10.10.30.11

2001:db8:f000:2::2

MR/MS

2001:db8:e000:2::1

10.10.10.10

PxTR

2001:db8:e000:2::2

10.10.10.11

Default

To IPv4 or IPv6 CoreRLOC namespace

To Enterprise Internal IPv4 or IPv6 Networks

LISP0

LISPtx

encap

egress features

ingress features

LISPrx

decap

IPv4 or IPv6 IPv4 or IPv6

60

lisp.cisco.com



IPv4 Internet

IPv6

IPv6LISP Site

GE0/0/010.1.1.2/30

GE0/0/010.2.1.2/30

EIDs172.16.1.0/24

2001:db8:a:1::/64

xTR-1

xTR-2

RLOC

RLOC

SP1

IPv4

SP2

IPv4

MR/MS

10.10.30.10

2001:db8:f000:2::1

PxTR

10.10.30.11

2001:db8:f000:2::2

MR/MS

2001:db8:e000:2::1

10.10.10.10

PxTR

2001:db8:e000:2::2

10.10.10.11

PxTR1#show ip lisp map-cacheLISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries---<skip>--- 172.16.1.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete Locator Uptime State Pri/Wgt 10.1.1.2 00:01:38 up 1/50 10.2.1.2 00:01:38 up 1/50 ---<skip>---

61



IPv4 Internet

IPv6

IPv6LISP Site

GE0/0/010.1.1.2/30

GE0/0/010.2.1.2/30

EIDs172.16.1.0/24

2001:db8:a:1::/64

xTR-1

xTR-2

RLOC

RLOC

SP1

IPv4

SP2

IPv4

MR/MS

10.10.30.10

2001:db8:f000:2::1

PxTR

10.10.30.11

2001:db8:f000:2::2

MR/MS

2001:db8:e000:2::1

10.10.10.10

PxTR

2001:db8:e000:2::2

10.10.10.11

PxTR1#show ipv6 lisp map-cacheLISP IPv6 Mapping Cache for EID-table default (IID 0), 13 entries---<skip>--- 2001:DB8:A:1::/64, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete Locator Uptime State Pri/Wgt 10.1.1.2 00:01:38 up 1/50 10.2.1.2 00:01:38 up 1/50 ---<skip>---

62

63

LISP Multihoming/Multi-AF+ Internet

lisp.cisco.com


LISP Multihoming and Multi-AFEfficient Multi-Homing and Multi-AF – Some Technical Details

Let’s look at an example…

IPv4 Internet IPv6 Internet

MSMR PxTR

xTR1 xTR2

10.200.1.1 (non-lisp target)2001:db8:c5c0::1 (non-lisp target)

192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

64



MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2


router lisp locator-set SITE2 10.0.9.2 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.7.0/24 locator-set SITE2 database-mapping 2001:DB8:B::/48 locator-set SITE2 exit ! loc-reach-algorithm rloc-probing ipv4 itr ipv4 etr ipv4 itr map-resolver 10.0.100.2 ipv4 etr map-server 10.0.100.2 key SITE2KEY ipv4 use-petr 10.0.101.2 ipv6 itr ipv6 etr ipv6 itr map-resolver 10.0.100.2 ipv6 etr map-server 10.0.100.2 key SITE2KEY ipv6 use-petr 10.0.101.2 exit!ip route 0.0.0.0 0.0.0.0 10.0.9.1

The end-user needs to add this…

65

lisp.cisco.com



MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

LISP Multihoming and Multi-AFEfficient Multi-Homing and Multi-AF – Some Technical Details router lisp

locator-set SITE1 10.0.1.2 priority 1 weight 1 10.0.2.2 priority 1 weight 1 2001:DB8:2:3::2 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.1.0/24 locator-set SITE1 database-mapping 2001:DB8:A::/48 locator-set SITE1 exit ! loc-reach-algorithm rloc-probing ipv4 itr ipv4 etr ipv4 itr map-resolver 10.0.100.2 ipv4 etr map-server 10.0.100.2 key SITE1KEY ipv4 use-petr 10.0.101.2 ipv6 itr ipv6 etr ipv6 itr map-resolver 10.0.100.2 ipv6 etr map-server 10.0.100.2 key SITE1KEY ipv6 use-petr 10.0.101.2 exit!ip route 0.0.0.0 0.0.0.0 10.0.1.1ip route 0.0.0.0 0.0.0.0 10.0.2.1ipv6 route ::/0 2001:DB8:2:3::1

And this…

66



MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2


router lisp site site1 authentication-key SITE1KEY eid-prefix 192.168.1.0/24 eid-prefix 2001:DB8:A::/48 exit ! site site2 authentication-key SITE2KEY eid-prefix 192.168.7.0/24 eid-prefix 2001:DB8:B::/48 exit ! ipv4 map-server ipv4 map-resolver ipv6 map-server ipv6 map-resolver exit

A LISP Service Provider (or Enterprise) will run the Mapping System…

67



MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2


eid-table default instance-id 0 ipv4 route-import map-cache static route-map EID-space ipv6 route-import map-cache static route-map EID-space exit ! loc-reach-algorithm rloc-probing ipv4 proxy-etr ipv4 proxy-itr 10.0.101.2 2001:DB8:3:5::2 ipv4 itr map-resolver 10.0.100.2 ipv4 map-request-source 10.0.101.2 ipv6 proxy-etr ipv6 proxy-itr 2001:DB8:3:5::2 10.0.101.2 ipv6 itr map-resolver 10.0.100.2 ipv6 map-request-source 2001:DB8:3:5::2 exit!ip route 0.0.0.0 0.0.0.0 10.0.101.1ip route 192.168.0.0 255.255.0.0 Null0 tag 111ipv6 route 2001:DB8:A::/47 Null0 tag 111ipv6 route ::/0 2001:DB8:3:5::1!route-map EID-space permit 10 match tag 111!

And the PxTR…

68

lisp.cisco.com



MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2


eid-table default instance-id 0 ipv4 route-import map-cache static route-map EID-space ipv6 route-import map-cache static route-map EID-space exit ! loc-reach-algorithm rloc-probing ipv4 proxy-etr ipv4 proxy-itr 10.0.101.2 2001:DB8:3:5::2 ipv4 itr map-resolver 10.0.100.2 ipv4 map-request-source 10.0.101.2 ipv6 proxy-etr ipv6 proxy-itr 2001:DB8:3:5::2 10.0.101.2 ipv6 itr map-resolver 10.0.100.2 ipv6 map-request-source 2001:DB8:3:5::2 exit!ip route 0.0.0.0 0.0.0.0 10.0.101.1ip route 192.168.0.0 255.255.0.0 Null0 tag 111ipv6 route 2001:DB8:A::/47 Null0 tag 111ipv6 route ::/0 2001:DB8:3:5::1!route-map EID-space permit 10 match tag 111!

!router bgp 5 bgp asnotation dot bgp log-neighbor-changes neighbor 10.0.101.1 remote-as 3 neighbor 2001:DB8:3:5::1 remote-as 3 ! address-family ipv4 redistribute static route-map pop-EID neighbor 10.0.101.1 activate no neighbor 2001:DB8:3:5::1 activate exit-address-family ! address-family ipv6 redistribute static route-map pop-EID neighbor 2001:DB8:3:5::1 activate exit-address-family!route-map pop-EID permit 10 match tag 111 set origin igp set community 111:5!

BGP example

The PxTR may use BGP…

69




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

R114-MSMR#show lisp siteLISP Site Registration Information

Site Name Last Up Who Last Inst EID Prefix Register Registered ID site1 00:00:42 yes 10.0.2.2 192.168.1.0/24 00:00:42 yes 10.0.2.2 2001:DB8:A::/48site2 00:00:38 yes 10.0.9.2 192.168.7.0/24 00:00:06 yes 10.0.9.2 2001:DB8:B::/48R114-MSMR#

70




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

R114-MSMR#sh lisp site name site1---<skip>---Allowed EID-prefixes: EID-prefix: 192.168.1.0/24 ---<skip>--- Locator Local State Pri/Wgt Scope 10.0.1.2 yes up 1/1 IPv4 none 10.0.2.2 yes up 1/1 IPv4 none 2001:DB8:2:3::2 yes up 1/1 IPv6 none---<etc>---

71




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

R116-xTR#ping 192.168.1.254 so 192.168.7.254 rep 10 ---<skip>---!!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/1 msR116-xTR#

R116-xTR#sh ip lisp map-cache ---<skip>---192.168.1.0/24, uptime: 1d00h, expires: 23:59:26, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.1.2 1d00h up 1/1 10.0.2.2 1d00h up 1/1 2001:DB8:2:3::2 1d00h no-route 1/1 R116-xTR#

72


Efficient Multi-Homing and Multi-AF – Some Technical Details LISP Multihoming and Multi-AF


MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

R116-xTR#sh ip lisp forwarding eid remote 192.168.1.1Prefix Fwd action Locator status bits192.168.1.0/24 encap 0x00000007 packets/bytes 118/11520 path list B46EAF2C, flags 0x49, 3 locks, per-destination ifnums: LISP0(11): 10.0.1.2, 10.0.2.2 2 paths path B57E1A80, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4 nexthop 10.0.1.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.1.2 B471DC28 path B57E1A10, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4 nexthop 10.0.2.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.2.2 B471DAF8 1 output chain chain[0]: loadinfo B278CA5C, per-session, 2 choices, flags 0083, 5 locks flags: Per-session, for-rx-IPv4, 2buckets 2 hash buckets < 0 > IP midchain out of LISP0, addr 10.0.1.2 B471DC28 IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220 < 1 > IP midchain out of LISP0, addr 10.0.2.2 B471DAF8 IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220---<skip>---

73




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2

R112-xTR#ping 2001:db8:c5c0::1 so 2001:DB8:A:1::254 rep 10---<skip>---!!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/14 msR112-xTR#

R112-xTR#sh ipv6 lisp map-cache---<skip>---2001:DB8:8000::/33, uptime: 00:01:09, expires: 00:13:50, via map-reply, forward-native Encapsulating to proxy ETRR112-xTR#

74




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2R115-PxTR#sh ipv6 lisp for eid remote 2001:db8:a::1Prefix Fwd action Locator status bits2001:DB8:A::/48 encap 0x00000007 packets/bytes 18/1800---<skip>--- path list B47117DC, flags 0x49, 4 locks, per-destination ifnums: LISP0(10): 10.0.1.2, 10.0.2.2, 2001:DB8:2:3::2 3 paths path B4710400, path list B47117DC, share 1/1, type attached nexthop, for IPv6 nexthop 10.0.1.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 path B4710390, path list B47117DC, share 1/1, type attached nexthop, for IPv6 nexthop 10.0.2.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 path B4710320, path list B47117DC, share 1/1, type attached nexthop, for IPv6 nexthop 2001:DB8:2:3::2 LISP0, adjacency IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 1 output chain---<cont>---

75




MSMR PxTR

xTR1 xTR2


192.168.7.0/242001:db8:b::/48

192.168.1.0/242001:db8:a::/48

10.0.9.2/30

EIDEID

RLOC10.0.1.2/3010.0.2.2/30RLOC

2001:db8:2:3::2/64

10.0.100.2

2001:db8:3:4::2

10.0.101.2

2001:db8:3:5::2---<cont>--- 15 hash buckets < 0 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 1 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 2 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430 < 3 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 4 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 5 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430 < 6 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 7 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 < 8 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430 < 9 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 <10 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 <11 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430 <12 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 <13 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888 IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560 <14 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758 IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430 Subblocks: NoneR115-PxTR#

76


LISP Multihoming and Multi-AFEfficient Multi-Homing and Multi-AF -- Customer Example

LISP Services:• BGP-free Multihoming• IPv6 Internet Access• Host Mobility Disaster-Recovery (adding now…)• Inter-Departmental VPNs (adding next…)

Target Market:• State of New Jersey Educational Entities

(K-12, universities, colleges)

Customer Case Study: http://lisp.cisco.com

Customer Site: http://njedge.net

NJEDge.Net

Customer Site: http://lisp.njedge.net

77



IPv4 Internet

Tier 1 SP2 CommoditySP

...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Member 1

CPE

More…v4

Some..v4

Default Route

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP

Constituent Member Topologies…

78



IPv4 Internet


...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Member 1

CPE

More…v4

Some..v4

Default Route

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP


They wanted: 50%/50%They got:

90%/10% ? 80%/20% ?

Never 50%/50%

router bgp 100 bgp router-id 172.16.2.1 bgp asnotation dot no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 172.16.2.1 remote-as 300 <== eBGP to SP1 neighbor 172.16.1.2 remote-as 400 <== eBGP to SP2 ! address-family ipv4 no synchronization redistribute ospf route-map populate-default neighbor 172.16.1.2 activate neighbor 172.16.1.2 route-map filter-out out neighbor 172.16.1.2 route-map filter-in in neighbor 172.16.1.2 maximum-prefix 450000 90 neighbor 172.16.2.1 activate neighbor 172.16.2.1 route-map filter-out out neighbor 172.16.2.1 route-map filter-in in neighbor 172.16.2.1 maximum-prefix 450000 90 no auto-summary exit-address-family !ip bgp-community new-formatip community-list standard outlist permit 100:123!route-map populate-default permit 10 set origin igp set community 100:123!route-map filter-out permit 10 match community outlist!route-map filter-in permit 10 match community inlist!

Many more features can be added here...Before LISP…

• Configuration complexity…

• Uneven multihoming load shares…

79



IPv4 Internet


...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Member 1

CPE

More…v4

Some..v4

Default Route

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP


Deploy LISP…

NJEDge.NetLISP Network

MS/MRPxTR


MS/MRPxTR

Member 1

xTR

Default Route

Default Route

Member 2

xTR

Member N

xTR

Default Route

Member 3

xTR xTR

Default Route

router lisp locator-set Site3 172.16.1.2 priority 1 weight 50 172.16.2.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 10.1.1.0/24 locator-set Site3 exit ! ipv4 itr ipv4 etr ipv4 itr map-resolver 172.17.1.1 ipv4 etr map-server 172.17.1.1 key s3cr3t ipv4 use-petr 10.5.5.5 !

• Configuration simplicity…

80



IPv4 Internet


...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Member 1

CPE

More…v4

Some..v4

Default Route

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP

Deploy LISP…


MS/MRPxTR


MS/MRPxTR

Member 1

xTR

Default Route

Default Route

Member 2

xTR

Member N

xTR

Default Route

Member 3

xTR xTR

Default Route

• Configuration simplicity…

LISP-to-LISP

Non-LISP-to-LISP

IPv4 EID Aggregate

Advertisement

81



IPv4 Internet


...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Member 1

CPE

More…v4

Some..v4

Default Route

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP


MS/MRPxTR


MS/MRPxTR

Member 1

xTR

Default Route

Default Route

Member 2

xTR

Member N

xTR

Default Route

Member 3

xTR xTR

Default Route

Non-LISP-to-LISP

IPv6 EID Aggregate Advertisement

NJEDge.Net is now adding IPv6 for its members!

IPv6 EIDs IPv6

EIDs IPv6 EIDs

IPv6 EIDsLISP-to-LISP

82



Key NJEDge.Net LISP Equipment ASR1Ks as MSMRs ASR9Ks as PxTRs (90G Internet capacity)

Key LISP Benefits No BGP to configure or manage No complex configurations Optimized Ingress load balancing Cost Savings by reducing OPEX and CAPEX LISP offers non disruptive transition approach which does not affect end

system and allows for incremental deployment Disaster Recovery for Critical Applications introduces Increased

Complexity

83


LISP Multihoming and Multi-AFCustomer Example :: Cisco IT – IPv6-over-IPv4 MPLS

Current Remote Office xTR 8 Offices, ~1900 employees ~1375 IPv6 devicesPlanned Deployments (CY14)80+ additional offices

L3 MPLS VPN

PxTR, MSMR

Proxy Aggregate BW

84


LISP Multihoming and Multi-AFCustomer Example :: EANTC Interoperability Demonstration

MPLS and Ethernet World Congress, SDN Summit & V6 World Congress Public Multi-Vendor Interoperability Test 2013All possible LISP encapsulations tested: IPv4 and IPv6 over IPv6 RLOC

("IPv6-only core network") IPv4 and IPv6 over IPv4 RLOC

("IPv4-only core network”) Spirent TestCenter emulated LISP xTR Cisco ASR1K as Map Server and PxTR Cisco ASR9K as PxTR Successfully tested and certified by EANTC

YouTube video demo: http://goo.gl/oZShr

85


LISP Multihoming and Multi-AFCustomer Example :: “Home Router Market” (Europe)

LTE Cloud

SP Broadband

Core

Customer 192.168.1.0/24

.10

UP: xMbpsDN: yMbps

UP: aMbpsDN: bMbps

2

1

EID (Lo0)10.1.1.x/32

Internet PxTR

Multihoming by bundling multiple access technologies– 4G+xDSL

Higher BW, and resiliency

Load Sharing– Bandwidth and link conditions

Better user experience

Subscriber traffic NAT’d to EID loopback– Common configuration on all CE

Supports DHCP (RLOC) LISP hidden from customer

86

LISP Multihoming/Multi-AF+ MPLS


LISP Multihoming and Multi-AFLISP and MPLS Integration

LISP / MPLS results in an “ideal” deployment environment – Locator/ID split idealizes a pure “RLOC core” and “EID overlay”

Opportunities– IPv4 over MPLS via LISP

Use of LISP (v4-over-v4) removes Customer IPv4 Prefixes from MPLSPE benefits :: (a) substantially improved scaling

(b) reduced CPU load due to customer route advertisement/churn – IPv6 over MPLS via LISP

Use of LISP (v6-over-v4) removes SP from Customer IPv6 configuration/managementImmediate support :: even if not running LISP for IPv4PE benefits :: (a) no added v6 interface

(b) no added v6 eBGP peering(c) no added IPv6 customer prefixes

– Permits Inter-Departmental VPNs without additional PE VRFs

88



1: Existing IPv4 MPLS

Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE4IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

PE2#show ip route vrf BLUE---<skip>--- 10.0.0.0/8 is subnetted, 9 subnetsB 10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55B 10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55B 10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01B 10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01---<more>--- 12.0.0.0/8 is variably subnetted, 5 subnets, 2 masksC 12.1.0.0/30 is directly connected, Ethernet1/0L 12.1.0.1/32 is directly connected, Ethernet1/0---<more>---PE2#

Customer Prefixes(EIDs!!)

PE-CE links(RLOCs!!)

CE1#show ip route---<skip>--- 10.0.0.0/8 is subnetted, 9 subnetsO IA 10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0O IA 10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1---<skip>---B 10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01B 10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01---<more>--- 12.0.0.0/8 is variably subnetted, 5 subnets, 2 masksC 12.1.0.2/30 is directly connected, Ethernet0/0B 12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01---<more>---CE1#

Customer Prefixes(EIDs!!)


89



1: Existing IPv4 MPLS – Add LISP!

Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE4IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

xTR

xTRMSMR

xTR

✗route-map deny EIDs out

90




Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE4IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

xTR

xTRMSMR

xTR

PE2#show ip route vrf BLUE---<skip>---12.0.0.0/8 is variably subnetted, 5 subnets, 2 masksC 12.1.0.0/30 is directly connected, Ethernet1/0L 12.1.0.1/32 is directly connected, Ethernet1/0---<more>---PE2#



CE1#show ip route---<skip>--- 10.0.0.0/8 is subnetted, 9 subnetsO IA 10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0O IA 10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1---<skip>---12.0.0.0/8 is variably subnetted, 5 subnets, 2 masksC 12.1.0.2/30 is directly connected, Ethernet0/0B 12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01---<more>---CE1#

This sites Prefixes (EIDs!!)


91




Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE4IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

xTR

xTRMSMR

xTR


CE1#show ip lisp map-cacheLISP IPv4 Mapping Cache for EID-table default (IID 0), 12 entries

0.0.0.0/0, uptime: 6w0d, expires: never, via static send map-request Negative cache entry, action: send-map-request10.3.0.0/24, uptime: 00:00:06, expires: 23:59:46, via map-reply, complete Locator Uptime State Pri/Wgt 12.3.0.2 00:00:06 up 1/100 ---<more>---CE1#

Other site EIDs!!

PE-CE link (RLOC!!)

92



2: Add IPv6 over IPv4 MPLS with LISP

Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE2IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

✗route-map deny EIDs outIPv6

IPv6 IPv6

xTR

xTRMSMR

xTR

PE2#show ipv6 route vrf Blue% Specified IPv6 routing table does not existPE2#

IPv6 Not Enabled!

IPv6 EIDs!!

CE1#show run | begin router lisp---<skip>---router lisp eid-table default instance-id 0 database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100 exit ! ipv6 itr map-resolver 12.1.0.2 ipv6 itr ipv6 etr map-server 12.1.0.2 key ce1-xtr ipv6 etr exit!---<more>---CE1#

93


IPv4


2: Add IPv6 over IPv4 MPLS with LISP

Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE2IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

IPv6

IPv6 IPv6

xTR

xTRMSMR

xTR


CE1#ping 2001:db8:b:b::1 so 2001:db8:a:a::1Type escape sequence to abortSending 5, 100-byte ICMP Echos to 2001:db8:b:b::1, timeout is 2 seconds:Packet sent with a source address of 2001:db8:a:a::1!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 msCE1#

CE1#show ipv6 lisp map-cacheLISP IPv6 Mapping Cache for EID-table default (IID 0), 3 entries

::/0, uptime: 6w0d, expires: never, via static send map-request Negative cache entry, action: send-map-request2001:DB8:B:B::/64, uptime: 00:01:17, expires: 23:58:36, via map-reply, complete Locator Uptime State Pri/Wgt 12.3.0.2 00:00:06 up 1/100---<more>---CE1#

Other site EIDs!!

PE-CE links RLOCs!!

94

LISP Disjointed RLOC Space


LISP – Disjointed RLOC Space FeatureDisjointed Locator Space Support

Locator/ID separation creates two namespaces: EIDs and RLOCs– EID space is the overlay of Enterprise prefixes – RLOC space is the underlay network connectivity

The fundamental principal of any network is that connectivity must exist between sites

LISP supports sites being connected to locator spaces that have no connectivity to each other!– In LISP, this is known as a

“disjointed RLOC set”

IPv4 Internet0.0.0.0/0

IPv6Internet

::/0MPLS VPN Core

xTR

xTR xTR

xTR xTR xTRxTR

xTR

MSMR RTR

96


LISP – Disjointed RLOC Space ExampleEXAMPLE: Cross Address-Family Disjointed RLOC Space

IPv4 Internet0.0.0.0/0(scope 1)

IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1

EXAMPLE

97



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


!interface Loopback0 ip address 4.4.4.4 255.255.255.0 ipv6 address 4:4:4::4/64!interface LISP0!interface Ethernet0/0 description Conn to R1 Core (v4 only) ip address 10.0.4.1 255.255.255.252!router lisp locator-set R4 10.0.4.1 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 4.4.4.0/24 locator-set R4 database-mapping 4:4:4::/48 locator-set R4 exit ! ipv4 itr ipv4 etr ipv4 itr map-resolver 10.0.2.1 ipv4 etr map-server 10.0.2.1 key R4KEY ipv4 use-petr 10.0.3.1 ipv6 itr ipv6 etr ipv6 etr map-server 10.0.2.1 key R4KEY ipv6 itr map-resolver 10.0.2.1 ipv6 use-petr 10.0.3.1 exit!ip route 0.0.0.0 0.0.0.0 10.0.4.2

Normal xTR configuration• IPv4-only RLOC• IPv4 and IPv6 EIDs

98



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


!interface Loopback0 ip address 6.6.6.6 255.255.255.0 ipv6 address 6:6:6::6/64!interface LISP0!interface Ethernet0/0 description Conn to R1 Core (v6 only) ipv6 address 10:0:6::1/64!router lisp locator-set R6 10:0:6::1 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 6.6.6.0/24 locator-set R6 database-mapping 6:6:6::/48 locator-set R6 exit ! ipv4 itr ipv4 etr ipv4 itr map-resolver 10:0:2::1 ipv4 etr map-server 10:0:2::1 key R6KEY ipv4 use-petr 10:0:3::1 ipv6 itr ipv6 etr ipv6 etr map-server 10:0:2::1 key R6KEY ipv6 itr map-resolver 10:0:2::1 ipv6 use-petr 10:0:3::1 exit!ipv6 route ::/0 10:0:6::2

Normal xTR configuration• IPv6-only RLOC• IPv4 and IPv6 EIDs

99



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


!interface Ethernet0/0 description Conn to R1 Core (v4 and v6) ip address 10.0.2.1 255.255.255.252 ipv6 address 10:0:2::1/64!router lisp locator-set v4-rtr-set 10.0.3.1 priority 1 weight 1 exit ! locator-set v6-rtr-set 10:0:3::1 priority 1 weight 1 exit ! locator-scope v4-net rtr-locator-set v4-rtr-set rloc-prefix 0.0.0.0/0 exit ! locator-scope v6-net rtr-locator-set v6-rtr-set rloc-prefix ::/0 exit ! site R4 authentication-key R4KEY eid-prefix 4.4.4.0/24 eid-prefix 4:4:4::/48 exit !---<continued>---

---<continued>--- site R6 authentication-key R6KEY eid-prefix 6.6.6.0/24 eid-prefix 6:6:6::/48 exit ! ipv4 map-server ipv4 map-resolver ipv6 map-server ipv6 map-resolver exit!ip route 0.0.0.0 0.0.0.0 10.0.2.2ipv6 route ::/0 10:0:2::2!

Map-Server Configuration:• Define “locator-scopes”• Define “rtr-set”

100



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


interface Ethernet0/0 description Conn to R1 Core (v4 and v6) ip address 10.0.3.1 255.255.255.252 ipv6 address 10:0:3::1/64! router lisp locator-set setALL 10.0.3.1 priority 1 weight 1 10:0:3::1 priority 1 weight 1 exit ! map-request itr-rlocs setALL eid-table default instance-id 0 map-cache 0.0.0.0/0 map-request map-cache ::/0 map-request exit ! ipv4 map-request-source 10.0.3.1 ipv4 map-cache-limit 100000 ipv4 proxy-etr ipv4 proxy-itr 10.0.3.1 10:0:3::1 ipv4 itr map-resolver 10.0.2.1 ipv4 itr map-resolver 10:0:2::1 ipv6 map-request-source 10:0:3::1 ipv6 map-cache-limit 100000 ipv6 proxy-etr ipv6 proxy-itr 10:0:3::1 10.0.3.1 ipv6 itr map-resolver 10.0.2.1 ipv6 itr map-resolver 10:0:2::1 exit!ip route 0.0.0.0 0.0.0.0 10.0.3.2ipv6 route ::/0 10:0:3::2!

RTR Configuration:• Define “rtr RLOCs”

101



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1

LISP – Disjointed RLOC Space ExampleCross Address-Family Disjointed RLOC Space Example – Flows

native

lisp-encap

map-req

map-rep

data plane

controlplane

xTR4#sh ip lisp database ---<skip>---4.4.4.0/24, locator-set R4 Locator Pri/Wgt Source State 10.0.4.1 1/1 cfg-addr site-self, reachablexTR4#sh ipv6 lisp database ---<skip>---4:4:4::/48, locator-set R4 Locator Pri/Wgt Source State 10.0.4.1 1/1 cfg-addr site-self, reachablexTR4#

xTR6#sh ip lisp database---<skip>---6.6.6.0/24, locator-set R6 Locator Pri/Wgt Source State 10:0:6::1 1/1 cfg-addr site-self, reachablexTR6#sh ipv6 lisp database ---<skip>---6:6:6::/48, locator-set R6 Locator Pri/Wgt Source State 10:0:6::1 1/1 cfg-addr site-self, reachablexTR6#

102




IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

10:0:6::/64

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1

native

lisp-encap

map-req

map-rep

data plane

controlplane

MSMR#sh lisp site detail---<skip>---Site name: R4---<skip>--- EID-prefix: 4.4.4.0/24 ---<skip>--- ETR 10.0.4.1, last registered 00:00:52, no proxy-reply, map-notify TTL 1d00h, no merge, hash-function sha1, nonce… state complete, no security-capability xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6 site-ID unspecified Locator Local State Pri/Wgt Scope 10.0.4.1 yes up 1/1 v4-net EID-prefix: 4:4:4::/48 ---<skip>--- ETR 10.0.4.1, last registered 00:00:39, no proxy-reply, map-notify TTL 1d00h, no merge, hash-function sha1, nonce… state complete, no security-capability xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6 site-ID unspecified Locator Local State Pri/Wgt Scope 10.0.4.1 yes up 1/1 v4-net---<skip>---

103




IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

10:0:6::/64

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1

native

lisp-encap

map-req

map-rep

data plane

controlplane

MSMR#sh lisp site detail---<skip>---Site name: R6---<skip>--- EID-prefix: 6.6.6.0/24 ---<skip>--- ETR 10:0:6::1, last registered 00:00:26, no proxy-reply, map-notify TTL 1d00h, no merge, hash-function sha1, nonce… state complete, no security-capability xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429 site-ID unspecified Locator Local State Pri/Wgt Scope 10:0:6::1 yes up 1/1 v6-net EID-prefix: 6:6:6::/48 ---<skip>--- ETR 10:0:6::1, last registered 00:00:27, no proxy-reply, map-notify TTL 1d00h, no merge, hash-function sha1, nonce… state complete, no security-capability xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429 site-ID unspecified Locator Local State Pri/Wgt Scope 10:0:6::1 yes up 1/1 v6-net---<skip>---

104




IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

10:0:6::/64

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1

native

lisp-encap

map-req

map-rep

data plane

controlplane

RTR#sh ip lisp map-cacheLISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries

0.0.0.0/0, uptime: 00:00:04, expires: never, via static send map-request Negative cache entry, action: send-map-requestRTR#RTR#sh ipv6 lisp map-cache LISP IPv6 Mapping Cache for EID-table default (IID 0), 1 entries

::/0, uptime: 00:00:05, expires: never, via static send map-request Negative cache entry, action: send-map-requestRTR#

105



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

How do I forward to 6:6:6::6?1. Check FIB – NO2. Check map-cache – NO 3. Maybe 6:6:6::6 is a LISP destination?

Send Map-Request

106



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)

Type 1 (map-request) Noncesrc-eid: [2] 4:4:4::4itr-rloc: 10.0.4.1record-1: [2] 6:6:6::6

xTR4#*Aug 25 01:00:32.108: LISP-0: AF IPv6, Sending map-request from 4:4:4::4 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 1, nonce 0xA0E6CC5A-0x7A1D2EEC (encap src 10.0.4.1, dst 10.0.2.1).

107



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


Rec’vd Map-Request for 6:6:6::61. ETR RLOC is scope v6-net (10:0:6::1)2. ITR RLOC is scope v4-net (10.0.4.1)3. Disjoint scope - YES4. Send Proxy Map-Reply with

RTR 10.0.3.1

108



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


MSMR#*Aug 25 01:11:45.734: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.4.1:4342 to 10.0.2.1:4342*Aug 25 01:11:45.734: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 4:4:4::4.4342 to 6:6:6::6.4342*Aug 25 01:11:45.734: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.4.1, records 1, nonce 0x5A0206C2-0xF706E61B*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, No common scopes between ITR and ETR RLOCs, proxy reply.*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Sending scope forced proxy reply to 10.0.4.1.

3

10.0.2.1 -> 10.0.4.1udp 4342Type 2 (map-reply)[P]Nonce/TTL 6:6:6::/4810.0.3.1 [1, 1]

109



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


xTR4#show ipv6 lisp map-cacheLISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries---<skip>---6:6:6::/48, uptime: 00:02:18, expires: 00:12:44, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.3.1 00:02:18 up 1/1 xTR4#

encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

110



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1How do I forward to 6:6:6::6?1. Check FIB – NO2. Check map-cache (send map-req)

Send Map-Request…

111



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

RTR#*Aug 25 01:18:17.328: LISP-0: AF IPv6, Sending map-request from 10:0:3::1 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 2, nonce 0xC437B6B6-0xCD1B12C2 (encap src 10.0.3.1, dst 10.0.2.1), FromPITR.

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)

Type 1 (map-request) Noncesrc-eid: [2] 10:0:3::1 itr-rloc: 10.0.3.1 itr-rloc: 10:0:3::1record-1: [2] 6:6:6::6

112



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)


Rec’vd Map-Request for 6:6:6::61. ETR RLOC is scope v6-net (10:0:6::1)2. PITR RLOC is scope v4-net (10.0.3.1)

and scope v6-net (10:0:3::1)3. Disjoint scope - NO4. Forward Map-Request to 10:0:6::1

MSMR#*Aug 25 01:36:16.684: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.3.1:4342 to 10.0.2.1:4342*Aug 25 01:36:16.684: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342*Aug 25 01:36:16.685: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x098BDC65-0xE6054A2F, FromPITR*Aug 25 01:36:16.685: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Forwarding map request to ETR RLOC 10:0:6::1.

6

10:0:2::1 -> 10:0:6::1LISP ECM(udp 4342)


113



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)


6

10:0:2::1 -> 10:0:6::1LISP ECM(udp 4342)


Rec’vd Map-Request for 6:6:6::61. ETR RLOC is (10:0:6::1)2. PITR RLOC is (10.0.3.1) and (10:0:3::1)3. Send Map-Reply to 10:0:3::1

114



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)


6

10:0:2::1 -> 10:0:6::1LISP ECM(udp 4342)


7

10:0:6::1 -> 10:0:3::1udp 4342Type 2 (map-reply)Nonce/TTL 6:6:6::/4810:0:6::1 [1, 1]

xTR6#*Aug 25 01:46:56.022: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10:0:2::1.4342 to 10:0:6::1.4342*Aug 25 01:46:56.022: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342*Aug 25 01:46:56.022: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x634D8861-0xDBA36771, FromPITR*Aug 25 01:46:56.022: LISP: Processing map request record for EID prefix IID 0 6:6:6::6/128*Aug 25 01:46:56.022: LISP-0: Sending map-reply from 10:0:6::1 to 10:0:3::1.

115



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)


6

10:0:2::1 -> 10:0:6::1LISP ECM(udp 4342)


7


RTR#show ipv6 lisp map-cache---<skip>---6:6:6::/48, uptime: 00:05:17, expires: 23:54:53, via map-reply, complete Locator Uptime State Pri/Wgt 10:0:6::1 00:05:17 up 1/1 RTR#

116



IPv6 Internet::/0

(scope 2)xTR4

10.0.4.0/30EID – 4.4.4.0/24EID – 4:4:4::/48

xTR610:0:6::/64

EID – 6.6.6.0/24EID – 6:6:6::/48

MSMR RTR

10.0.3.1 10:0:3::110.0.2.1 10:0:2::1


native

lisp-encap

map-req

map-rep

data plane

controlplane

1

4:4:4::4 -> 6:6:6::6

210.0.4.1-> 10.0.2.1

LISP ECM(udp 4342)


3


encap

decap

4

4:4:4::4 -> 6:6:6::6

10.0.4.1 -> 10.0.3.1

5

10.0.3.1-> 10.0.2.1LISP ECM(udp 4342)


6

10:0:2::1 -> 10:0:6::1LISP ECM(udp 4342)


7


decap

7


decap

9

4:4:4::4 -> 6:6:6::6encap

84:4:4::4 -> 6:6:6::6

10:0:3::1 -> 10:0:6::1

RTR#show ipv6 lisp map-cache---<skip>---6:6:6::/48, uptime: 00:05:17, expires: 23:54:53, via map-reply, complete Locator Uptime State Pri/Wgt 10:0:6::1 00:05:17 up 1/1 RTR#

117


Agenda







118

Advanced - LISP Technical SeminarLISP Virtualization/VPN Support

TECRST-3191

Gregg SchudelLISP Technical Marketing Engineer

[email protected] CCIE #9591

LISP and Virtualization/VPN Overview


LISP Virtualization/VPNsEfficient Virtualization/Multi-Tenancy Support – Concepts

Deploying a PHYSICAL network infrastructure requires large investments (for Enterprises and Service Providers

Groups within organizations often want their own topologies and control of their own destiny

Many factors make deploying multiple PHYSICAL infrastructures undesirable– Stranded capacity (underutilized Bandwidth, Processors, etc.) costs $$– Power, cooling, rack space, etc. cost $$– CapEx costs $$– OpEx costs $$

121



Virtualization creates multiple VIRTUAL topologies across one common PHYSICAL infrastructure

Actual Physical Network Infrastructure

Virtual

UserGroup B

Virtual

UserGroup A

Virtual

UserGroup C

122



Virtualization of the DEVICE level– Virtual Routing and Forwarding (VRF) tables

segment Layer 3 routing tables– VRFs are used to virtualize the component

resources– Virtualization secures movement of traffic

between networks and enhances security policy options

Virtualization of the PATH level– VRFs assist in path isolation– Single-hop (hop-by-hop)– Multi-hop (over-the-top)

VRF-1

VRF-2

GlobalIP

802.1q, DLCI, VPI/VCI PW,

EVN

GRE, MPLSLISPLISP!!

123


LISP Virtualization/VPNsLISP Virtualization/Multi-Tenancy Support – Concepts

Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs… LISP can virtualize the EID, the RLOC side, or both!

These two models of operation are defined: Shared and Parallel

– Shared Model Virtualization: Virtualizes the EID namespaces Binds an EID namespace privately

defined using a VRF to an Instance-ID Uses a common (shared) RLOC

(locator) address space The Mapping System is also part of the

locator namespaces and is shared

– Parallel Model Virtualization: Virtualizes the RLOC (locator)

namespaces One or more EID instances may share

a virtualized RLOC namespace A Mapping System must also be part of

each locator namespaces

124



RLOC virtualization is enabled in conjunction with locator table VRFs

EID virtualization uses LISP Instance-IDs in conjunction with EID VRFs– Instance-IDs maintain address space segmentation in control plane

and data plane

– Instance-IDs are numerical tags defined in LISP Canonical Address Format (LCAF) • IID: a 24-bit unstructured number• Data Plane: IID is included in LISP encapsulation header• Control Plane: IID is encoded with the EID in LCAF header

125



Default (non-Virtualized) Model – at the device level– Conceptually, the Default Model is just a single Parallel Model instance– All EID lookups are also in the same single table – default– Thus, EIDs are associated with Instance-ID 0– All RLOC lookups are in a single table – default– The Mapping System is part of the locator address space

• Single RLOC namespace• Default table or RLOC VRF

Shared RLOC namespace

To EID namespace(direct connect, IGP, etc.)

• Single EID namespace• Default table

Default

To VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks)

126



Shared Model – at the device level– Multiple EID-prefixes are allocated privately using VRFs– EID lookups are in the VRF associated with an Instance-ID– All RLOC lookups are in a single table – (default/global or RLOC VRF)– The Mapping System is part of the locator address space and is shared

To VPNs (MPLS, 802.1Q, VRF-Lite, or separate

networks)

• EID namespace, VRF Pink, IID 1

• EID namespace, VRF Blue, IID 2

Default

Pink

Blue • Single RLOC namespace• Default table or RLOC VRF

Shared RLOC namespace To VPNs (MPLS,

802.1Q, VRF-Lite, or separate networks)

127



Parallel Model – at the device level– Multiple EID-prefixes are allocated privately using VRFs– EID lookups are in the VRF associated with an Instance-ID– RLOC lookups are in the VRF associated with the locator table– A Mapping System must be part of each locator address space


networks)

• EID namespace, VRF Pink, IID 1

• EID namespace, VRF Blue, IID 2

Default

Pink

Blue


• RLOC uses Blue namespace

• RLOC uses Pink namespace

128



Shared and Parallel Models Combined – at the device level– Multiple “Shared Model” instantiations combined with Multiple “Parallel Model”

instantiations – Multiple EID VRFs bound to a single RLOC VRF– Multiple RLOC VRFs on the same device


networks)

Default

Pink

Blue


• RLOC uses Blue namespace

• RLOC uses Pink namespace

VRF-1, IID 101VRF-2, IID 102

VRF-3, IID 103

Cust1Cust2

Cust3

VRF-A, IID 901VRF-B, IID 902

VRF-C, IID 903

CustACustB

CustC

129


LISP VPN/VirtualizationEfficient Virtualization and High-Scale VPNs – Overview

All VPNs share a set of common requirements1. Encapsulation:

‒ Includes some form of data plane encoding for per-tenant segmentation• Otherwise, one tunnel per structure (not

scalable)

2. Site to Site Routing:‒ Create extension to existing enterprise

internal routing and topology• Agnostic to core networks• Allows NAT, DHCP, etc.

3. Security:‒ Built-in or Add-on

• Protocol itself includes basic features• Addition of Confidentiality, Integrity, and

Authentication as needed

137



1. Encapsulation:‒ LISP Data Plane and Control Plane

encoding for per-tenant segmentation• LISP IID per EID VRF• RLOC virtualization

2. Site to Site Routing:‒ Site-to-Site, hub-spoke, optional local

offload (split tunnel)‒ No IGP required to branch sites!‒ Disjointed RLOCs, NAT, DHCP, etc.

3. Security:‒ Built-in or Add-on

• LISP control and data plane measures• LISP SEC and other optional features• GDOI and IPsec on EID or RLOC side

LISP VPN: Routing? or Tunneling? -- It’s BOTH!

All VPNs share a set of common requirements

138



LISP – Inherently scalability and virtualization, rapidly deployable

Scalability(# of VPN site)

Unconstrained

VPN site-to-site routing

Unnecessary

Secure Segmentation

24-bit Instance ID with VRF

PerformanceOptimal

Path(P2P),Loadbalancing

• No protocol constraint• 100K concurrent site connections

?

?

?

?

• No site-to-site routing required• No VPN route injection into core• LISP / Non-LISP site interworking through PxTR

• 16M unique VPN classifiers• Used by LISP control plane and data plane• Optional data plane encryption with GETVPN

• Shortest path between LISP sites• Equal cost/unequal cost loadbalancing

139


xTR (Single Tenant)• Accommodates single customer• Deployed for CPE Overlay model• Located at customer site


Generalized LISP Shared Model deployment

LISP routerNon LISP router

EIDRLOC

RLOC Name Space(IPv4/IPv6)

xTR1

xTR3

EID Name Space(IPv4/IPv6)

xTR2

User Blue•EID 192.168.1.0/24•IID 1•VRF Blue

User Red•EID 192.168.1.0/24•IID 2•VRF Red

MS/MREID Name Space

(IPv4/IPv6)

xTR (Multi-Tenant)• Accommodates multiple customers• Deployed for PE model• Located at Edge layer, DC or customer site

MS/MR• Shared by multiple customers• Located in RLOC name

space

RLOCEIDData LISPHdr

IID1

RLOCEIDData LISPHdr

IID2

User Blue•EID 192.168.2/24•IID 1•VRF Blue

User Red•EID 192.168.2.0/24•IID 2•VRF Red

IID EID RLOC1 192.168.1.0/24 xTR11 192.168.2.0/24 xTR32 192.168.1.0/24 xTR22 192.168.2.0/24 xTR3

140

LISP Virtualization Examples

LISP Virtualization+Internet


LISP VPN/VirtualizationEfficient Virtualization and High-Scale VPNs over a Public Core

Say we want to build this…Three VRFs, IPv4 and IPv6HQ multihomed, two CPERemote multihomed, one CPERemote single-homed, DHCPAdd encryption (GETVPN)

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

143



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

144

Segmentation by physical, Layer 2, or

Layer 3 means(e.g. 802.1Q, EVN,

physically separate networks)

Default• Single RLOC namespace• Default table (or RLOC VRF)

To IPv4 or IPv6 CoreRLOC namespaceVRF A, IID 1

VRF B, IID 2

VRF C, IID 3

To Enterprise Internal Networks

LISP0.1

LISP0.2

LISP0.3



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3How do we build this? Three common steps:1.Build the underlay (RLOCs)2.Add the LISP overlay (EIDs)3.Add encryption

145



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 31.Build the underlay (RLOCs)HQ1 xTR/MSMR/GM

!hostname HQ1!interface Ethernet0/0 ip address 10.0.14.2 255.255.255.252!ip route 0.0.0.0 0.0.0.0 10.0.14.1!

Remote2 xTR/GM

!hostname Remote2!interface Ethernet0/0 ip address 10.2.1.2 255.255.255.252!interface Ethernet1/0 ip address 10.2.2.2 255.255.255.252!ip route 0.0.0.0 0.0.0.0 10.2.1.1ip route 0.0.0.0 0.0.0.0 10.2.2.1!

Examples:• Normal IP routing…• Nothing to do with LISP!

All other sites are similar!

146



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 31.Build the underlay (RLOCs)

Examples:• Normal IP routing…• Nothing to do with LISP!

Verification…

Site2#ping 10.0.14.2 source 10.2.2.2 rep 10Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds:Packet sent with a source address of 10.2.2.2!!!!!!!!!!Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 msSite2#

Example:RLOC to RLOC

147



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 32. Add the LISP overlay (EIDs)

Remote2 xTR/GM

!router lisp locator-set Site2 10.2.1.2 priority 1 weight 50 10.2.2.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.255.16/32 locator-set Site2 exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.16.0/24 locator-set Site2 database-mapping 1:1:16::/64 locator-set Site2 exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.16.0/24 locator-set Site2 database-mapping 2:2:16::/64 locator-set Site2 exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.16.0/24 locator-set Site2 database-mapping 3:3:16::/64 locator-set Site2 exit !

Examples:• Bind VRFs to IIDs• Bind EIDs to RLOCs

148



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2



Remote2 xTR/GM

! – continued – LISP control plane! ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site2-pswd ipv4 etr map-server 10.0.15.2 key site2-pswd ipv4 etr ipv6 map-server ipv6 map-resolver ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site2-pswd ipv6 etr map-server 10.0.15.2 key site2-pswd ipv6 etr exit!

All other sites are similar!

149



2. Add the LISP overlay (EIDs)


xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

HQ2 xTR/MSMR/GM

router lisp ! site HQ authentication-key hq-pswd eid-prefix 192.168.18.0/24 eid-prefix 192.168.19.0/24 eid-prefix 192.168.255.14/32 eid-prefix 192.168.255.15/32 eid-prefix instance-id 1 192.168.14.0/24 eid-prefix instance-id 1 1:1:14::/64 eid-prefix instance-id 2 192.168.14.0/24 eid-prefix instance-id 2 2:2:14::/64 eid-prefix instance-id 3 192.168.14.0/24 eid-prefix instance-id 3 3:3:14::/64 exit ! site Site1 authentication-key site1-pswd eid-prefix 192.168.255.11/32 eid-prefix instance-id 1 192.168.11.0/24 eid-prefix instance-id 1 1:1:11::/64 eid-prefix instance-id 2 192.168.11.0/24 eid-prefix instance-id 2 2:2:11::/64 eid-prefix instance-id 3 192.168.11.0/24 eid-prefix instance-id 3 3:3:11::/64 exit !---<etc.>---

150



2. Add the LISP overlay (EIDs)


Verification…

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

HQ2 xTR/MSMR/GMHQ2#show lisp siteLISP Site Registration InformationSite Name Last Up Who Last Inst EID Prefix Register Registered ID HQ 00:00:46 yes 10.0.14.2 0 192.168.18.0/24 00:00:05 yes 10.0.15.2 0 192.168.19.0/24 00:00:46 yes 10.0.14.2 0 192.168.255.14/32 00:00:05 yes 10.0.15.2 0 192.168.255.15/32 00:00:09 yes 10.0.14.2 1 192.168.14.0/24 00:00:56 yes 10.0.14.2 1 1:1:14::/64 00:00:32 yes 10.0.15.2 2 192.168.14.0/24 00:00:23 yes 10.0.15.2 2 2:2:14::/64 00:00:54 yes 10.0.15.2 3 192.168.14.0/24 00:00:43 yes 10.0.14.2 3 3:3:14::/64Site1 00:00:07 yes 10.0.11.2 0 192.168.255.11/32 00:00:16 yes 10.0.11.2 1 192.168.11.0/24 00:00:42 yes 10.0.11.2 1 1:1:11::/64 00:00:32 yes 10.0.11.2 2 192.168.11.0/24 00:00:41 yes 10.0.11.2 2 2:2:11::/64---<etc.>---

151



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2



Verification…

Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:Packet sent with a source address of 192.168.13.1%DeptC..!!!!!!!!Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 msSite3

Example:EID to EID

152



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2



Verification…

Site3#show ip lisp map-cache instance-id 3LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries---<skip>---192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:01:38 up 1/50 10.0.15.2 00:01:38 up 1/50 ---<skip>---Site3#

Example:EID to EID

153



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2



Verification…

Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10Type escape sequence to abort.Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:Packet sent with a source address of 1:1:13::1%DeptA..!!!!!!!!Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 msSite3

Example:EID to EID

154



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2



Verification…

Site3#show ipv6 lisp map-cache instance-id 1LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries---<skip>---1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:00:33 up 1/50 10.0.15.2 00:00:33 up 1/50 ---<skip>---Site3#

Example:EID to EID

155

LISP Virtualization+MPLS (CE)


LISP VPN/VirtualizationLISP and MPLS Integration

3: Add Virtualization

Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE2IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

IPv6

IPv6 IPv6

xTR

xTRMSMR

xTR


Recall our MPLS network…

VRF-ASite 3

VRF-ASite 1

VRF-ASite 2

Let’s say that the Enterprise wants departmental segmentation inside their network…

157




Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE2IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

IPv6

IPv6 IPv6

xTR

xTRMSMR

xTR


VRF-ASite 3

VRF-ASite 1

VRF-ASite 2

There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!



Virtualized!

CE1#show run | begin router lisp---<skip>---router lisp eid-table default instance-id 0 database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100 exit !eid-table vrf VRF-A instance-id 1 database-mapping 10.1.1.0/24 12.1.0.2 pri 1 wei 100 exit! ipv4 itr ipv4 etr ipv4 itr map-resolver 12.1.0.2 ipv4 etr map-server 12.1.0.2 key ****** ipv6 itr ipv6 etr ipv6 itr map-resolver 12.1.0.2 ipv6 etr map-server 12.1.0.2 key ****** exit!

158




Blue MPLS-VPN

SP MPLS

BlueSite 1

PE1

PurpleMPLS-VPN

PurpleSite 1

PE4

PE3PE2

BlueSite 2

BlueSite 3

PurpleSite 2

CE2IPv4

IPv4

IPv4 IPv4

IPv4

IPv4 IPv4

IPv4

CE3CE2

CE1

CE1

IGP

eBGP

CE-PE

IPv4 IPv4

IPv6

IPv6 IPv6

xTR

xTRMSMR

xTR


VRF-ASite 3

VRF-ASite 1

VRF-ASite 2

There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!



Virtualized!

CE1#ping 10.3.1.1 source 10.1.1.1 rep 10Type escape sequence to abortSending 5, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:Packet sent with a source address of 10.1.1.1..!!!!!!!!Success rate is 80 percent (8/10), round-trip min/avg/max = 2/3/2 msCE1#

CE1#show ip lisp map-cache instance-id 1LISP IPv4 Mapping Cache for EID-table vrf VRF-A (IID 1), 2 entries

0.0.0.0/0, uptime: 00:11:15, expires: never, via static send map-request Negative cache entry, action: send-map-request10.3.1.0/24, uptime: 00:01:49, expires: 23:58:14, via map-reply, complete Locator Uptime State Pri/Wgt 12.3.1.2 00:01:49 up 1/100 ---<more>---CE1#

159

LISP VirtualizationInternet Access to MPLS


LISP VPN/VirtualizationMulti-tenant Internet Access to MPLS VPNs

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core

Internet/IP Core domain

Starting point:• Service Provider MPLS VPN network• Multi-tenant customer sites access to MPLS

via “non-traditional” access methods- IPv4 and/or IPv6 Internet- 3G/4G/LTE access- “Other” (e.g. other MPLS VPN)

ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

greenorange

blue

PxTR/MSMR

SP LISP Gateway

161



Let’s look at the configurations for these devices:

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222

IID 333IID 111IID 222IID 333

162



MPLS – the usual… (blah blah blah…)

ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

!hostnameCE-R1!interfaceLoopback0ipaddress3.3.3.3255.255.255.0!interfaceEthernet0/0descriptionLinktoPE1-R2ipaddress10.1.2.1255.255.255.252!routerbgp101bgplog-neighbor-changesneighbor10.1.2.2remote-as1!address-familyipv4redistributeconnectedneighbor10.1.2.2activateexit-address-family!



3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

163



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


LISP – the usual… (blah blah blah…)

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

hostnameXTR-R7!interfaceLoopback0ipaddress1.1.1.1255.255.255.0!interfaceLISP0!interfaceLISP0.111!interfaceEthernet0/1descriptionLinktoCore-R6ipaddress11.6.7.2255.255.255.252!routerlisplocator-setXTRIPv4-interfaceEthernet0/1priority1weight1exit!eid-tabledefaultinstance-id111database-mapping1.1.1.0/24locator-setXTRexit!loc-reach-algorithmrloc-probingipv4itripv4etripv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyFOOipv4use-petr11.5.6.1priority1weight1exit!iproute0.0.0.00.0.0.011.6.7.1

hostnameXTR-R11!interfaceLoopback0ipaddress1.1.1.1255.255.255.0!interfaceLISP0!interfaceLISP0.222!interfaceEthernet0/1descriptionLinktoCore-R6ipaddress11.6.11.2255.255.255.252!routerlisplocator-setXTRIPv4-interfaceEthernet0/1priority1weight1exit!eid-tabledefaultinstance-id222database-mapping1.1.1.0/24locator-setXTRexit!loc-reach-algorithmrloc-probingipv4itripv4etripv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyBOOipv4use-petr11.5.6.1priority1weight1exit!iproute0.0.0.00.0.0.011.6.11.1

hostnameXTR-R12!interfaceLoopback0ipaddress1.1.1.1255.255.255.0!interfaceLISP0!interfaceLISP0.333!interfaceEthernet0/1descriptionLinktoCore-R6ipaddress11.6.12.2255.255.255.252!routerlisplocator-setXTRIPv4-interfaceEthernet0/1priority1weight1exit!eid-tabledefaultinstance-id333database-mapping1.1.1.0/24locator-setXTRexit!loc-reach-algorithmrloc-probingipv4itripv4etripv4use-petr11.5.6.1priority1weight1ipv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyCOOexit!iproute0.0.0.00.0.0.011.6.12.1

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222

IID 333

164



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


LISP/MPLS Gateway – (PETR/PITR)

greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


hostnamePxTRMSMR-R5!vrfdefinitionKSrd2:200!address-familyipv4exit-address-family!vrfdefinitionbluerd2:400!address-familyipv4exit-address-family!vrfdefinitiongreenrd2:100!address-familyipv4exit-address-family!vrfdefinitionorangerd2:300!address-familyipv4exit-address-family!interfaceLoopback0ipaddress10.255.255.5255.255.255.255!interfaceLISP0!interfaceLISP0.111!interfaceLISP0.222!interfaceLISP0.333---<cont>---

!interfaceEthernet0/0descriptionLinktoCore-R6ipaddress11.5.6.1255.255.255.252!interfaceEthernet0/1descriptionLinktoPE2-R4noipaddress!interfaceEthernet0/1.1encapsulationdot1Q100vrfforwardinggreenipaddress10.4.5.2255.255.255.252!interfaceEthernet0/1.2encapsulationdot1Q200vrfforwardingKSipaddress10.4.5.6255.255.255.252!---<cont>---

interfaceEthernet0/1.3encapsulationdot1Q300vrfforwardingorangeipaddress10.4.5.2255.255.255.252!interfaceEthernet0/1.4encapsulationdot1Q400vrfforwardingblueipaddress10.4.5.2255.255.255.252---<cont>---

165



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core



greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

routerlispeid-tablevrfgreeninstance-id111ipv4route-exportsite-registrationipv4map-cachesite-registrationexit!eid-tablevrforangeinstance-id222ipv4route-exportsite-registrationipv4map-cachesite-registrationexit!eid-tablevrfblueinstance-id333ipv4route-exportsite-registrationipv4map-cachesite-registrationexit!eid-tablevrfKSinstance-id999ipv4route-exportsite-registrationipv4map-cachesite-registrationexit!---<cont>---

siteBOOauthentication-keyBOOeid-prefixinstance-id2221.0.0.0/8accept-more-specificsexit!siteCOOauthentication-keyCOOeid-prefixinstance-id3331.0.0.0/8accept-more-specificsexit!siteFOOauthentication-keyFOOeid-prefixinstance-id1111.0.0.0/8accept-more-specificsexit!siteKSauthentication-keyKSKSeid-prefixinstance-id9999.0.0.0/8accept-more-specificsexit---<cont>---

!ipv4map-serveripv4map-resolvernoipv4map-cache-persistentipv4proxy-etripv4proxy-itr11.5.6.1ipv4itrmap-resolver11.5.6.1exit!---<cont>---

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


166



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core



greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

routerbgp2bgpasnotationdotbgplog-neighbor-changes!address-familyipv4vrfKSnetwork9.9.9.8mask255.255.255.255redistributelispneighbor10.4.5.5remote-as1neighbor10.4.5.5activateneighbor10.4.5.5send-communitybothexit-address-family!address-familyipv4vrfblueredistributelispneighbor10.4.5.1remote-as1neighbor10.4.5.1descriptionPEblueneighbor10.4.5.1activateneighbor10.4.5.1send-communitybothexit-address-family!address-familyipv4vrfgreenredistributelispneighbor10.4.5.1remote-as1neighbor10.4.5.1descriptionPEgreenneighbor10.4.5.1activateneighbor10.4.5.1send-communitybothexit-address-family!address-familyipv4vrforangeredistributelispneighbor10.4.5.1remote-as1neighbor10.4.5.1descriptionPEorangeneighbor10.4.5.1activateneighbor10.4.5.1send-communitybothexit-address-family!iproute0.0.0.00.0.0.011.5.6.2

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


167



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


Validation…

greenorange

blue

PxTR/MSMR

SP LISP Gateway

CE-R1#sh ip route---<skip>--- 1.0.0.0/24 is subnetted, 1 subnetsB 1.1.1.0 [20/0] via 10.1.2.2, 18:07:35 3.0.0.0/8 is variably subnetted, 2 subnets, 2 masksC 3.3.3.0/24 is directly connected, Loopback0L 3.3.3.3/32 is directly connected, Loopback0 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masksC 10.1.2.0/30 is directly connected, Ethernet0/0L 10.1.2.1/32 is directly connected, Ethernet0/0B 10.4.5.0/30 [20/0] via 10.1.2.2, 18:08:03CE-R1#

CE-R1#ping 1.1.1.1 so 3.3.3.3 rep 100Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:Packet sent with a source address of 3.3.3.3 .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (99/100), round-trip min/avg/max = 1/7/11 msCE-R1#

PE2-R4#sh bgp vpnv4 uni vrf green---<skip>--- Network Next Hop Metric LocPrf Weight PathRoute Distinguisher: 1:100 (default for vrf green) *> 1.1.1.0/24 10.4.5.2 1 0 2 ? *>i 3.3.3.0/24 22.9.1.2 0 100 0 101 ? *>i 10.1.2.0/30 22.9.1.2 0 100 0 ? *> 10.4.5.0/30 0.0.0.0 0 32768 ?PE2-R4#

PE2-R4#sh ip ro vrf greenRouting Table: green---<skip>--- 1.0.0.0/24 is subnetted, 1 subnetsB 1.1.1.0 [20/1] via 10.4.5.2, 18:24:12 3.0.0.0/24 is subnetted, 1 subnetsB 3.3.3.0 [200/0] via 22.9.1.2, 18:24:39 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masksB 10.1.2.0/30 [200/0] via 22.9.1.2, 18:24:39C 10.4.5.0/30 is directly connected, Ethernet0/0.1L 10.4.5.1/32 is directly connected, Ethernet0/0.1PE2-R4#

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


168



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


Validation…

greenorange

blue

PxTR/MSMR

SP LISP Gateway

PxTRMSMR-R5#sh lisp siteLISP Site Registration InformationSite Name Last Up Who Last Inst EID Prefix Register Registered ID BOO never no -- 222 1.0.0.0/8 00:00:13 yes 11.6.11.2 222 1.1.1.0/24COO never no -- 333 1.0.0.0/8 00:00:21 yes 11.6.12.2 333 1.1.1.0/24FOO never no -- 111 1.0.0.0/8 00:00:04 yes 11.6.7.2 111 1.1.1.0/24PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 111LISP IPv4 Mapping Cache for EID-table vrf green (IID 111), 1 entries

1.1.1.0/24, uptime: 18:34:07, expires: 05:25:52, via map-reply, complete Locator Uptime State Pri/Wgt 11.6.7.2 18:34:07 up 1/1 PxTRMSMR-R5#

PxTRMSMR-R5#sh bgp vpnv4 uni vrf green---<skip>--- Network Next Hop Metric LocPrf Weight PathRoute Distinguisher: 2:100 (default for vrf green) *> 1.1.1.1/32 0.0.0.0 1 32768 ? *> 3.3.3.3/32 10.4.5.1 0 1 101 ? *> 10.1.2.0/30 10.4.5.1 0 1 ? r> 10.4.5.0/30 10.4.5.1 0 0 1 ?PxTRMSMR-R5#

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


169



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


Validation…

greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222

IID 333

XTR-R7#sh ip route---<skip>---S* 0.0.0.0/0 [1/0] via 11.6.7.1 1.0.0.0/8 is variably subnetted, 2 subnets, 2 masksC 1.1.1.0/24 is directly connected, Loopback0L 1.1.1.1/32 is directly connected, Loopback0 11.0.0.0/8 is variably subnetted, 2 subnets, 2 masksC 11.6.7.0/30 is directly connected, Ethernet0/1L 11.6.7.2/32 is directly connected, Ethernet0/1XTR-R7#

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 100Type escape sequence to abort.Sending 100, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:Packet sent with a source address of 1.1.1.1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (100/100), round-trip min/avg/max = 5/8/10 msXTR-R7#

IID 111IID 222IID 333

170

Adding Encryption to LISP using GETVPN


LISP Virtualization/VPNsLISP Virtualization/Multi-Tenancy Support – Adding Encryption

Use-Case Vanilla IPsec

GETVPN Comments

LISP Default Model

crypto-map on RLOC ✔ ✔ LISP encap first, then encryption based on RLOC

crypto-map on LISP0 ✔ ✔ Encryption first based on EID, then LISP encap

LISP Virtualization

crypto-map on RLOC ✔ ✔ LISP encap first, then encryption based on RLOC

crypto-map on LISP0.x ✔ ✔ Encryption first based on EID, then LISP encap

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!

LISP and encryption (IOS)– Recalling that… LISP is “Locator/ID” separation… and creates two

namespaces: EIDs and RLOCs– LISP provides two ways to apply a crypto map

172



LISP provides two ways to apply a crypto map, resulting in different packet outcomes– RLOC :: LISP processing, and then encryption– LISP0 :: Encryption, and then LISP processing

ESPtrailer

xx

HostIP Hdr

ICMPHdr

Payload

8xxxx

daddr

20

1

UDP Hdr

(LISP)

LISPHdr

8

saddr

8

S:xxD

:4341

8 0

ITRIP Hdr

20daddr

17

ESPSPI

xx

ITRIP Hdr

20

17

saddr

daddr

50

saddr

ESPtrailer

xx

HostIP Hdr

ICMPHdr

Payload

8xxxx

daddr

20

1

saddr

8 0

ESPSPI

xx

1

HostIP Hdr

daddr

20

50

saddr

UDP Hdr

(LISP)

LISPHdr

8 8

S:xxD

:4341

ITRIP Hdr

20

daddr

17

saddr

LISP + IPsecOn RLOC

IPsec + LISPOn LISP0

(ping as an example)

173



LISP provides two ways to apply a crypto map, resulting in different packet outcomes– RLOC :: LISP processing, and then encryption– LISP0 :: Encryption, and then LISP processing

LISP + GETVPNOn RLOC

GETVPN + LISPOn LISP0

daddr

1

saddr

8 0

1

daddr

50

saddr

S:xxD

:4341

daddr

17

saddr

Original IPv4 Header

ESPtrailer

xx

HostIP Hdr

ICMPHdr

Payload

8xxxx 20

ESPSPI

xx

HostIP Hdr

20

UDP Hdr

(LISP)

LISPHdr

8 8

ITRIP Hdr

20

daddr

1

saddr

S:xxD

:4341

8 0

daddr

17 17

saddr

daddr

50

saddr

ESPtrailer

xx

HostIP Hdr

ICMPHdr

Payload

8xxxx 20

LISPHdr

8 8

ITRIP Hdr

20

ESPSPI

xx

ITRIP Hdr

20

Original IPv4 Header

UDP Hdr

(LISP)

(ping as an example)

174

LISP VPN+ GETVPN


LISP Virtualization/VPNsLISP Virtualization/Multi-Tenancy with GETVPN

Group Domain of Interpretation (GDOI) RFC 6407 – adding encryption

GroupMember

GroupMember

GroupMember

GroupMember

Key Server

RoutingDomain

Group Member•Encryption Devices•Route Between Secure / Unsecure Regions

•Multicast Participation

Key Server•Validate Group Members•Manage Security Policy•Create Group Keys•Distribute Policy / Keys

Key Encryption Key (KEK)Traffic Encryption Key (TEK)

GET VPN

GDOI−RFC 6407− “Stateless” IPsec−Traffic encryption keys computed

on Key Server, distributed to all Group Members

−Better scaling than vanilla IPsec

Group Policy

176


LISP Virtualization/VPNsLISP Virtualization/Multi-Tenancy with GETVPN

Why GDOI?

Hierarchical Routing Any-to-Any connectivity Redundancy established between CE & PE

10/1 IP VPN

10/3

10/4

10/5

CE1

CE2

CE3

CE4

CE5

10/2

IP VPNs want to provide any-to-any connectivity

177



Why GDOI?

Point-to-point Security Associations Overlay routing in tunnels Need N**2 tunnels to achieve any-to-any connectivity

10/1IP VPN

10/3

10/4

10/5

CE1

CE2

CE3

CE4

CE5

10/2

But… IPSec is inherently a“point-to-point” technology

178



Why GDOI?

Large scale any-to-any connectivity Native routing without tunnel overlay Optimal for QoS & Multicast support Flexible span of control between enterprise and service provider Centralized policy distribution Transport agnostic: Private WAN, FR/ATM, IP, MPLS

GDOI provides:

overlayunderlay

“any” when used with LISP

179



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 33. Add encryption

Examples:• GETVPN Key Servers• Define crypto policies for

LISP!

Redundant Key Server identical!

KS1!crypto isakmp policy 10 encr aes 256 authentication pre-share group 16crypto isakmp key FOO address 0.0.0.0 crypto isakmp keepalive 15 periodic!crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac !crypto ipsec profile GDOI-PROFILE set transform-set GDOI-TRANS !crypto gdoi group V4GROUP-0001 identity number 10001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0001 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2!---<cont.>---

180



xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 33. Add encryption

Examples:• GETVPN Key Servers• Define crypto policies for

LISP!

Redundant Key Server identical!

KS1! ---<cont.>---crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0003 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2!ip access-list extended GETVPN-0001 permit ip any anyip access-list extended GETVPN-0002 permit ip any anyip access-list extended GETVPN-0003 permit ip any any!ipv6 access-list GETVPN6-0001 permit ipv6 any any!ipv6 access-list GETVPN6-0002 permit ipv6 any any!ipv6 access-list GETVPN6-0003 permit ipv6 any any!

181



3. Add encryption

Examples:• GETVPN Group Members• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

Remote2 xTR/GM!crypto isakmp policy 10 encr aes 256 authentication pre-share group 16crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 !crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0!---<skip>---crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0!crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001!---<skip>---crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003!

182



3. Add encryption


ALL LISP SITES identical! Cut/Paste!

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

Remote2 xTR/GM!interface LISP0!interface LISP0.1 ip mtu 1456 ipv6 mtu 1456 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001!interface LISP0.2 ip mtu 1456 ipv6 mtu 1456 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002!interface LISP0.3 ip mtu 1456 ipv6 mtu 1456 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003!

183



3. Add encryption


Verification…

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100Type escape sequence to abort.Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:Packet sent with a source address of 192.168.13.1%DeptA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 msSite3#

Example:EID to EID

184



3. Add encryption


Verification…

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2

IPv4 Core

xTRGM

VRF C

IID 3

VRF AIID 1

VRF

BIID

2xTRGM

MSMRMSMRxTRGM

KSKS

VRF A, IID 1

HQ

Site 1 Site 2

Site 3

VRF B, IID 2

VRF C, IID 3

Site3#show crypto engine connection activeCrypto Engine Connections ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address---<skip>--- 143 IPsec AES256+SHA512 0 100 0 192.168.11.1 144 IPsec AES256+SHA512 100 0 0 192.168.11.1---<skip>---Site3#

Example:EID to EID

185



ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


Let’s come back to this one now…

greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222

IID 333

Add GETVPN for encryption:• Multi-tenant GDOI encryption on data plane

between LISP sites and MPLS VPNs- Common Key Server (multi-tenant), located in its

own EID space and VRF- Separate crypto group per customer (or per IID, if

multiple IID per customer) (as desired)

IID 111IID 222IID 333

KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

186



Adding encryption with GETVPN

ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

hostnameKS-R8!cryptoisakmppolicy10encraes256authenticationpre-sharegroup16cryptoisakmpkeyFOOaddress0.0.0.0cryptoisakmpkeepalive15periodic!cryptoipsectransform-setGDOI-TRANSesp-aes256esp-sha512-hmacmodetunnel!cryptoipsecprofileGDOI-PROFILEsettransform-setGDOI-TRANS!cryptogdoigroupV4GROUP-111identitynumber10111serverlocalrekeyretransmit60number2rekeyauthenticationmypubkeyrsaGET-KEY1rekeytransportunicastsaipsec1profileGDOI-PROFILEmatchaddressipv4GETVPN-111replaytimewindow-size5notagaddressipv49.9.9.9!---<cont>---

cryptogdoigroupV4GROUP-222identitynumber10222serverlocalrekeyretransmit60number2rekeyauthenticationmypubkeyrsaGET-KEY2rekeytransportunicastsaipsec1profileGDOI-PROFILEmatchaddressipv4GETVPN-222replaytimewindow-size5notagaddressipv49.9.9.9!cryptogdoigroupV4GROUP-333identitynumber10333serverlocalrekeyretransmit60number2rekeyauthenticationmypubkeyrsaGET-KEY3rekeytransportunicastsaipsec1profileGDOI-PROFILEmatchaddressipv4GETVPN-333replaytimewindow-size5notagaddressipv49.9.9.9---<cont>---

interfaceLoopback0ipaddress9.9.9.9255.255.255.255!interfaceEthernet0/0ipaddress10.4.8.1255.255.255.252!routerbgp999bgpasnotationdotbgplog-neighbor-changesnetwork9.9.9.9mask255.255.255.255neighbor10.4.8.2remote-as1!iproute0.0.0.00.0.0.010.4.8.2!ipaccess-listextendedGETVPN-111permitipanyanyipaccess-listextendedGETVPN-222permitipanyanyipaccess-listextendedGETVPN-333permitipanyany!

187




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

hostnameXTR-R7!vrfdefinitionKS!address-familyipv4exit-address-family!cryptokeyringkey-KSvrfKSpre-shared-keyaddress9.9.9.9keyFOO!cryptoisakmppolicy10encraes256authenticationpre-sharegroup16!cryptogdoigroupV4GROUP-111identitynumber10111serveraddressipv49.9.9.9clientregistrationinterfaceLoopback999!cryptomapMAP-V4-11110gdoisetgroupV4GROUP-111!interfaceLoopback0ipaddress1.1.1.1255.255.255.0!interfaceLoopback999vrfforwardingKSipaddress9.1.1.1255.255.255.255!---<cont>----

interfaceLISP0.111cryptomapMAP-V4-111!interfaceLISP0.999!interfaceEthernet0/1descriptionLinktoCore-R6ipaddress11.6.7.2255.255.255.252!routerlisplocator-setXTRIPv4-interfaceEthernet0/1priority1weight1exit!eid-tabledefaultinstance-id111database-mapping1.1.1.0/24locator-setXTRexit!eid-tablevrfKSinstance-id999database-mapping9.1.1.1/32locator-setXTRipv4etrmap-server11.5.6.1keyKSKSexit!---<cont>---

loc-reach-algorithmrloc-probingipv4itripv4etripv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyFOOipv4use-petr11.5.6.1priority1weight1exit!iproute0.0.0.00.0.0.011.6.7.1

188




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999



loc-reach-algorithmrloc-probingipv4itripv4etripv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyBOOipv4use-petr11.5.6.1priority1weight1exit!iproute0.0.0.00.0.0.011.6.11.1

189




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999



loc-reach-algorithmrloc-probingipv4itripv4etripv4itrmap-resolver11.5.6.1ipv4etrmap-server11.5.6.1keyCOOipv4use-petr11.5.6.1priority1weight1exit!iproute0.0.0.00.0.0.011.6.12.1

190




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

!cryptokeyringkey-KSvrfKSpre-shared-keyaddress9.9.9.9keyFOO!cryptoisakmppolicy10encraes256authenticationpre-sharegroup16cryptoisakmpkeyFOOaddress9.9.9.9!cryptogdoigroupV4GROUP-111identitynumber10111serveraddressipv49.9.9.9clientregistrationinterfaceLoopback999!cryptogdoigroupV4GROUP-333identitynumber10333serveraddressipv49.9.9.9clientregistrationinterfaceLoopback999!cryptogdoigroupV4GROUP-222identitynumber10222serveraddressipv49.9.9.9clientregistrationinterfaceLoopback999!cryptomapMAP-V4-11110gdoisetgroupV4GROUP-111!cryptomapMAP-V4-22210gdoisetgroupV4GROUP-222!cryptomapMAP-V4-33310gdoisetgroupV4GROUP-333!---<cont>---

!interfaceLISP0!interfaceLISP0.111cryptomapMAP-V4-111!interfaceLISP0.222cryptomapMAP-V4-222!interfaceLISP0.333cryptomapMAP-V4-333!interfaceLISP0.999!

(config delta)191




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

PxTRMSMR-R5#sh ip ro vrf KS---<skip>--- 9.0.0.0/32 is subnetted, 5 subnetsl 9.1.1.1 [10/1] via 0.0.0.0, 20:12:43, Null0l 9.2.2.2 [10/1] via 0.0.0.0, 20:12:51, Null0l 9.3.3.3 [10/1] via 0.0.0.0, 20:12:57, Null0C 9.9.9.8 is directly connected, Loopback999B 9.9.9.9 [20/0] via 10.4.5.5, 20:13:00 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masksC 10.4.5.4/30 is directly connected, Ethernet0/1.2L 10.4.5.6/32 is directly connected, Ethernet0/1.2B 10.4.8.0/30 [20/0] via 10.4.5.5, 20:13:00PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 999LISP IPv4 Mapping Cache for EID-table vrf KS (IID 999), 3 entries

9.1.1.1/32, uptime: 20:02:36, expires: 03:57:23, via map-reply, complete Locator Uptime State Pri/Wgt 11.6.7.2 20:02:36 up 1/1 9.2.2.2/32, uptime: 20:02:46, expires: 03:57:14, via map-reply, complete Locator Uptime State Pri/Wgt 11.6.11.2 20:02:46 up 1/1 9.3.3.3/32, uptime: 20:02:52, expires: 03:57:07, via map-reply, complete Locator Uptime State Pri/Wgt 11.6.12.2 20:02:52 up 1/1 PxTRMSMR-R5#

PxTRMSMR-R5#sh lisp siteLISP Site Registration InformationSite Name Last Up Who Last Inst EID Prefix Register Registered ID BOO never no -- 222 1.0.0.0/8 00:00:46 yes 11.6.11.2 222 1.1.1.0/24COO never no -- 333 1.0.0.0/8 00:00:50 yes 11.6.12.2 333 1.1.1.0/24FOO never no -- 111 1.0.0.0/8 00:00:15 yes 11.6.7.2 111 1.1.1.0/24KS never no -- 999 9.0.0.0/8 00:00:00 yes 11.6.7.2 999 9.1.1.1/32 00:00:16 yes 11.6.11.2 999 9.2.2.2/32 00:00:05 yes 11.6.12.2 999 9.3.3.3/32PxTRMSMR-R5#

192




ISIS

MPLS

green

CE

Customer A

orange

blue PE

P

CE

CE

PE

greenorange

blue

SP MPLS domain

Customer B

Customer C

xTR

Customer A

xTR

xTR

Customer B

Customer C

IPv4 or v6 Core

Core


greenorange

blue

PxTR/MSMR

SP LISP Gateway

3.3.3.3/24

3.3.3.3/24

3.3.3.3/24

1.1.1.1/24

1.1.1.1/24

1.1.1.1/24

IID 111

IID 222


KS KS KS

KS

/GM

IID 999

9.1.1.1/32

9.2.2.2/32

9.3.3.3/32

IID 999

IID 999

IID 999

XTR-R7#sho crypto engine connection activeCrypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 47 IPsec AES256+SHA512 0 999 0 1.1.1.1 48 IPsec AES256+SHA512 999 0 0 1.1.1.1 1001 IKE SHA+AES256 0 0 0 9.1.1.1 1002 IKE SHA+3DES 0 0 0 XTR-R7#

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:Packet sent with a source address of 1.1.1.1 .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!---<skip>---!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (999/1000), round-trip min/avg/max = 4/5/22 msXTR-R7#

PxTRMSMR-R5#sho crypto engine connection activeCrypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 139 IPsec AES256+SHA512 0 0 0 10.4.5.2 140 IPsec AES256+SHA512 0 0 0 10.4.5.2 141 IPsec AES256+SHA512 0 999 0 10.4.5.2 142 IPsec AES256+SHA512 999 0 0 10.4.5.2 143 IPsec AES256+SHA512 0 0 0 10.4.5.2 144 IPsec AES256+SHA512 0 0 0 10.4.5.2 1001 IKE SHA+AES256 0 0 0 9.9.9.8 1002 IKE SHA+3DES 0 0 0 1003 IKE SHA+3DES 0 0 0 1004 IKE SHA+3DES 0 0 0 PxTRMSMR-R5#

193


IPv6 Internet

IPv4 Internet

LISP Use Cases :: Virtualization/VPNsCustomer Example :: Sony bit-drive

. . .

SONY Bit-Drive Services

KS

MS/MR

GW

PxTR

IPv4/IPv6 EID Space

xTR

SMB XSite 1

IID 1001

IPv4/IPv6 EID Space

xTR

SMB XSite 2

IPv4/IPv6 EID Space

xTR

SMB XSite 3

IPv4/IPv6 EID Space

xTR

SMB YSite 1

IID 1002

IPv4/IPv6 EID Space

xTR

SMB YSite 2

IPv4/IPv6 EID Space

xTR

SMB YSite 10

. . .

XY

XY

IPv6 access

Initial deployment…

Services:• IPv4, IPv6 Internet Access• GETVPN+LISP (encryption)• Data Center (Web, Mail, Storage)

194


IPv6 Internet

IPv4 Internet


. . .

SONY Bit-Drive Services

KS

MS/MR

GW

PxTR

IPv4/IPv6 EID Space

xTR

SMB XSite 1

IID 1001

IPv4/IPv6 EID Space

xTR

SMB XSite 2

IPv4/IPv6 EID Space

xTR

SMB XSite 3

IPv4/IPv6 EID Space

xTR

SMB YSite 1

IID 1002

IPv4/IPv6 EID Space

xTR

SMB YSite 2

IPv4/IPv6 EID Space

xTR

SMB YSite 10

. . .

XY

XY

IPv6 access

Next plans…

Services:• IPv4, IPv6 Internet Access• GETVPN+LISP (encryption)• Data Center (Web, Mail, Storage)

SONY Bit-Drive Data Center 1

VMware ESX

VM VM VM VM VM

SONY Bit-Drive Data Center 2

VMware ESX

VM VM VM VM VM

Data Center VirtualizedHost/Cloud Service

X

Y

195



Cisco Products:• SONY bit-drive LISP infrastructure

ASR1Ks for Proxy Systems ISRG2s for Mapping Systems ASR1Ks for NAT Devices ISRG2s for Key Servers

• Customer CE Devices NEW HW :: C890Js Legacy (Sony routers for DMVPN) :: being

upgraded to C890Js for LISP service

Shared LISP infrastructureMulti-tenant/Virtualized

Subscribers, per end-site

LISP-based Services Benefits:• Broadband circuits (<$)• Multihoming (<$)• IPv6 Core, IPv4 and IPv6 EIDs• Creates a private network (w/o MPLS $)

196


LISP Use Cases :: Virtualization/VPNsCustomer Example :: A few more highlights…

Multinational Human Resources Outsourcing Company ($22B)– “Very Large Scale” Over the Top Enterprise VPN (MPLS replacement)

GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs ISRG2, ASR1K-based infrastructure, 560+ sites pilot (DSL and LTE); expanding to 5600+

European Energy Producer– “Large Scale” Over the Top Enterprise VPN (critical infrastructure, hydro/nuclear plants)

GETVPN+LISP, multihoming, 3 VRFs, IPv4 and IPv6 EIDs, IPv4 MPLS/RLOCs ISRG2, ASR1K-based infrastructure, 300+ sites

Large US State Government– “Large Scale” Over the Top Enterprise VPN (MPLS replacement/cost savings)

GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs ISRG2, ASR1K-based infrastructure, 800+ sites (DSL and LTE)

European State Government– “Over the Top” Enterprise VPN (MPLS replacement/cost savings)

GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs ISRG2, ASR1K-based infrastructure, 30+ sites

Plus “many” more#1 deployed LISP use-case

197

LISP VPN+ DMVPN


LISP Use Cases :: Virtualization/VPNsDMVPN and GETVPN

DMVPN is an overlay VPN– Creates tunnels over a transport network

Isolates protected networks from transport network Allows private protected addresses over a public transport network

– Hubs concentrate connections – all spokes must connect Hubs concentrate part of spoke-to-spoke traffic Hubs need to know about all private networks (IGP, NHRP, mGRE)

GETVPN is an “encrypted” VPN– Encrypted packets have the same addressing as the protected packets

Does not (by itself) isolate address spaces – requires end-to-end routing– Key Server concentrates all GMs

Control plane only though… no data plane traffic– Transport network takes care of routing packets

199


LISP Use Cases :: Virtualization/VPNsLISP and DMVPN

Initial DMVPN deployment…DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

Standard DMVPN build-out- Here, IPv4 core- “enterprise” (private space) also IPv4 - OSPF (in this case) running over DMVPN

200



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

Initial DMVPN deployment…

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

!hostname Core-R1!interface Ethernet0/0 ip address 10.0.0.2 255.255.255.252!interface Ethernet0/1 ip address 10.0.1.2 255.255.255.252!interface Ethernet0/2 ip address 10.0.2.2 255.255.255.252!interface Ethernet0/3 ip address 10.0.3.2 255.255.255.252!

!hostname Hub-R2!crypto isakmp policy 10 encr 3des authentication pre-sharecrypto isakmp key foo address 0.0.0.0 0.0.0.0!crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac mode transport!crypto ipsec profile DMVPNPROF set transform-set ENCRYPT set pfs group1!interface Tunnel0 bandwidth 1000 ip address 172.31.255.1 255.255.255.0 no ip redirects ip mtu 1420 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp network-id 100000 ip nhrp holdtime 600 ip ospf network broadcast ip ospf priority 2 ip ospf mtu-ignore ip ospf 1 area 0 delay 1000 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile DMVPNPROF!---<cont>---

---<cont>---!interface Ethernet0/0 ip address 10.0.0.1 255.255.255.252!interface Ethernet0/1 ip address 172.16.0.1 255.255.255.0 ip ospf 1 area 0!router ospf 1 default-information originate!ip route 0.0.0.0 0.0.0.0 10.0.0.2!

Hub config….

Core config….

201



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30


172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

hostname S2-R5!crypto isakmp policy 10 encr 3des authentication pre-sharecrypto isakmp key foo address 0.0.0.0 0.0.0.0!crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac mode transport!crypto ipsec profile DMVPNPROF set transform-set ENCRYPT set pfs group1!interface Tunnel0 bandwidth 1000 ip address 172.31.255.3 255.255.255.0 no ip redirects ip mtu 1420 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 172.31.255.1 10.0.0.1 ip nhrp map multicast 10.0.0.1 ip nhrp network-id 100000 ip nhrp holdtime 300 ip nhrp nhs 172.31.255.1 ip ospf network broadcast ip ospf priority 0 ip ospf 1 area 0 delay 1000 tunnel source Ethernet0/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile DMVPNPROF!---<cont>---

---<cont>---!interface Ethernet0/0 ip address 10.0.2.1 255.255.255.252!interface Ethernet0/1 description connect to XTR2 ip address 172.16.2.1 255.255.255.0 ip ospf 1 area 0!router ospf 1ip route 0.0.0.0 0.0.0.0 10.0.2.2!

Spoke config…. (example)

202



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30


172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

S1-R4#ping 172.16.0.1 so 172.16.1.1 rep 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:Packet sent with a source address of 172.16.1.1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!---<skip>---!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (1000/1000), round-trip min/avg/max = 4/4/10 msS1-R4#

Let’s ping for fun…(yes, it’s encrypted…)

S1-R4#show crypto engine connection activeCrypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 49 IPsec 3DES+SHA 0 1307 1307 10.0.1.1 50 IPsec 3DES+SHA 1304 0 0 10.0.1.1 1001 IKE SHA+3DES 0 0 0 10.0.1.1S1-R4#

203



Add LISP to DMVPN…Suppose you want to add virtualization or IPv6 (or IPv4) for internal networksAnd… you didn’t want to touch DMVPN at all!

To add LISP:- add a new router per site

with EID space behind them, and

- treat “DMVPN inside address space” as “LISP RLOC space”

DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

VPN BIID2

VPN AIID1

192.168.1.0/24A:A:9::/48

192.168.1.0/24B:B:9::/48

LISP0 xTRMRMS

VPN BIID2

VPN AIID1

xTRLISP1

192.168.1.0/24A:A:1::/48

192.168.1.0/24B:B:1::/48

VPN BIID2

VPN AIID1

xTRLISP3

192.168.3.0/24A:A:3::/48

192.168.3.0/24B:B:3::/48

VPN BIID2

VPN AIID1

xTRLISP2

192.168.2.0/24A:A:2::/48

192.168.2.0/24B:B:2::/48

204


LISP Use Cases :: Virtualization/VPNsLISP and DMVPN!

hostname R3-xTR0-MSMR!vrf definition A ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family!vrf definition B ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family!interface Loopback0 vrf forwarding A ip address 192.168.0.1 255.255.255.0 ipv6 address A:A:9::1/48!interface Loopback1 vrf forwarding B ip address 192.168.0.1 255.255.255.0 ipv6 address B:B:9::1/48!interface Ethernet0/0 description conn to HUB R2 ip address 172.16.0.2 255.255.255.0 ip ospf 1 area 0!---<cont>---

DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

VPN BIID2

VPN AIID1

192.168.1.0/24A:A:9::/48

192.168.1.0/24B:B:9::/48

LISP0 xTRMRMS

VPN BIID2

VPN AIID1

xTRLISP1

192.168.1.0/24A:A:1::/48

192.168.1.0/24B:B:1::/48

VPN BIID2

VPN AIID1

xTRLISP3

192.168.3.0/24A:A:3::/48

192.168.3.0/24B:B:3::/48

VPN BIID2

VPN AIID1

xTRLISP2

192.168.2.0/24A:A:2::/48

192.168.2.0/24B:B:2::/48

---<cont>---router lisp locator-set XTR IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table vrf A instance-id 1 database-mapping 192.168.0.0/24 locator-set XTR database-mapping A:A:9::/48 locator-set XTR exit ! eid-table vrf B instance-id 2 database-mapping 192.168.0.0/24 locator-set XTR database-mapping B:B:9::/48 locator-set XTR exit ! site ALL authentication-key ALL eid-prefix instance-id 1 192.168.0.0/16 accept-more-specifics eid-prefix instance-id 1 A:A::/32 accept-more-specifics eid-prefix instance-id 2 192.168.0.0/16 accept-more-specifics eid-prefix instance-id 2 B:B::/32 accept-more-specifics exit !---<cont>---

---<cont>---! loc-reach-algorithm rloc-probing ipv4 itr ipv4 etr ipv4 map-server ipv4 map-resolver ipv4 itr map-resolver 172.16.0.2 ipv4 etr map-server 172.16.0.2 key ALL ipv6 itr ipv6 etr ipv6 map-server ipv6 map-resolver ipv6 itr map-resolver 172.16.0.2 ipv6 etr map-server 172.16.0.2 key ALL exit!router ospf 1!

205



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

VPN BIID2

VPN AIID1

192.168.1.0/24A:A:9::/48

192.168.1.0/24B:B:9::/48

LISP0 xTRMRMS

VPN BIID2

VPN AIID1

xTRLISP1

192.168.1.0/24A:A:1::/48

192.168.1.0/24B:B:1::/48

VPN BIID2

VPN AIID1

xTRLISP3

192.168.3.0/24A:A:3::/48

192.168.3.0/24B:B:3::/48

VPN BIID2

VPN AIID1

xTRLISP2

192.168.2.0/24A:A:2::/48

192.168.2.0/24B:B:2::/48

---<cont>---router lisp locator-set XTR IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table vrf A instance-id 1 database-mapping 192.168.1.0/24 locator-set XTR database-mapping A:A:1::/48 locator-set XTR exit ! eid-table vrf B instance-id 2 database-mapping 192.168.1.0/24 locator-set XTR database-mapping B:B:1::/48 locator-set XTR exit ! loc-reach-algorithm rloc-probing ipv4 itr ipv4 etr ipv4 itr map-resolver 172.16.0.2 ipv4 etr map-server 172.16.0.2 key ALL ipv6 itr ipv6 etr ipv6 itr map-resolver 172.16.0.2 ipv6 etr map-server 172.16.0.2 key ALL exit!router ospf 1!

!hostname R7-xTR1!vrf definition A ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family! vrf definition B ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family!interface Loopback0 vrf forwarding A ip address 192.168.1.1 255.255.255.0 ipv6 address A:A:1::1/48!interface Loopback1 vrf forwarding B ip address 192.168.1.1 255.255.255.0 ipv6 address B:B:1::1/48!interface Ethernet0/0 description conn to S1 R4 ip address 172.16.1.2 255.255.255.0 ip ospf 1 area 0!---<cont>---

206



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

VPN BIID2

VPN AIID1

192.168.1.0/24A:A:9::/48

192.168.1.0/24B:B:9::/48

LISP0 xTRMRMS

VPN BIID2

VPN AIID1

xTRLISP1

192.168.1.0/24A:A:1::/48

192.168.1.0/24B:B:1::/48

VPN BIID2

VPN AIID1

xTRLISP3

192.168.3.0/24A:A:3::/48

192.168.3.0/24B:B:3::/48

VPN BIID2

VPN AIID1

xTRLISP2

192.168.2.0/24A:A:2::/48

192.168.2.0/24B:B:2::/48

Add LISP to DMVPN…R7-xTR1#ping vrf A 192.168.0.1 source 192.168.1.1 rep 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:Packet sent with a source address of 192.168.1.1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!---<skip>---!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 msR7-xTR1#

Let’s ping for fun… IPv4, VRF A (IID1)(yes, it’s encrypted…)


ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 141 IPsec 3DES+SHA 0 1428 1428 10.0.1.1 142 IPsec 3DES+SHA 1426 0 0 10.0.1.1 1003 IKE SHA+3DES 0 0 0 10.0.1.1S1-R4#

207



DMVPN

DMVPNDMVPN

DMVPN

Core Network

CoreR1

.1

.1

HUBR2

Spoke1R4

Spoke3R6

Spoke2R5

.1

.1.2

.2.2.2

10.0.0.0/30

10.0.3.0/3010.0.1.0/30

10.0.2.0/30

172.16.2.0/24

172.16.3.0/24172.16.1.0/24

172.16.0.0/24

VPN BIID2

VPN AIID1

192.168.1.0/24A:A:9::/48

192.168.1.0/24B:B:9::/48

LISP0 xTRMRMS

VPN BIID2

VPN AIID1

xTRLISP1

192.168.1.0/24A:A:1::/48

192.168.1.0/24B:B:1::/48

VPN BIID2

VPN AIID1

xTRLISP3

192.168.3.0/24A:A:3::/48

192.168.3.0/24B:B:3::/48

VPN BIID2

VPN AIID1

xTRLISP2

192.168.2.0/24A:A:2::/48

192.168.2.0/24B:B:2::/48

Add LISP to DMVPN…R7-xTR1#ping vrf B B:B:3::1 source B:B:1::1 rep 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to B:B:3::1, timeout is 2 seconds:Packet sent with a source address of B:B:1::1%B !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!---<skip>---!!!!!!!!!!!!!!!!!!!!Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 msR7-xTR1#

Let’s ping for fun… IPv6, VRF B (IID2)(yes, it’s encrypted…)


ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 141 IPsec 3DES+SHA 0 1487 1487 10.0.1.1 142 IPsec 3DES+SHA 1483 0 0 10.0.1.1 149 IPsec 3DES+SHA 0 1001 1001 10.0.1.1 150 IPsec 3DES+SHA 1004 0 0 10.0.1.1 1003 IKE SHA+3DES 0 0 0 10.0.1.1 1021 IKE SHA+3DES 0 0 0 10.0.1.1S1-R4#

208



– tunnel protect :: LISP processing, and then DMVPN/encryption

LISP + DMVPN daddr

1

saddr

S:xxxxD

:4341

8 0

daddr

17

saddr

ESPtrailer

xx

HostIP Hdr

ICMPHdr

Payload

8xxxx 20

LISPHdr

8 8

ITRIP Hdr

20

UDP Hdr

(LISP)

4

GRE

47

daddr

50

saddr

ESPSPI

xx

External(dmvpn tunnel)IP Hdr

20

(* icmp example)

209


Agenda







210

Advanced - LISP Technical SeminarLISP Data Center/Host Mobility

TECRST-3191

Marco PessiLISP Technical Marketing Engineer

[email protected]


AgendaLISP Data Center/Host Mobility

212

Host Mobility Business DriversLISP Host Mobility

• Fundamentals • Across Subnets• Extending Subnets• Services Integration• WAN Integration

LISP Mobile NodeLISP Summary

Host Mobility Business Drivers


Legacy IT model: Client/Server

Emerging IT model: Mobile/Cloud

Client Server

M

M

M

M

MM

MC

C

C

C

CC

C

Attributes:• Simple• Secure• Static

Attributes:• Connected• Scalable• Multi-tenant

Networking Implications of the Mobile/Cloud EraA new era of multi-tenancy and multiple devices

214


IT Trends – Distribute Data CentersBuilding the Data Center Private and Hybrid Cloud

215

Distributed Data Center Goals:– Seamless workload mobility between

multiple datacenters– Distributed applications closer to end

users – Pool and maximize global compute

resources – Ensure business continuity with

workload mobility and distributed deployment Geographically Dispersed

Data Centers


Problem StatementThe Need for a New Networking Architecture

Today’s networks aren’t designed for mobility– IP addresses are statically assigned to devices, access points,

or services. – Connecting resources on different private networks and public

networks with different owners is challenging– Movement between networks means device, service or network

element connectivity necessarily always lost

Today’s networks can’t scale– Cloud, mobility and Internet of things are overextending the

ability of today’s routers to route data packets. – Mobility of devices and/or network elements leads to a

ballooning of the amount of information stored in routing tables

Today’s networks require new security models– In a world of multiple devices and multi-tenancy it’s not feasible

to manually build every needed virtual private network

Mobility, Scalability and Interconnection Issues Must Be Solved Together

216


Use-cases Global Workload Mobility Workload Portability to Cloud Secure Multi-tenancy across organizations Rapid IPv6 Deployment

LISP (Location / ID Separation Protocol) is an addressing architecture and set of protocols comprising an Endpoint Identifier (defining who a user is) and a Routing Locator (defining where the user is connected).

LISP separates the identity of the device or access point from where the device is located enabling Internet services to remain continually connected when users move around or change devices.

Benefits Mobility IP address Portability Scalability On-Demand Route lookup Security Tenant ID based Segmentation Address Family Independence

Overview

Locator ID/Separation Protocol (LISP)Next Generation Networking Architecture

217

EvolvingtheWorld’sNetworksfortheCloudEra


Applicability Active-Active Data Centers Data Center Disaster Recovery Workload Portability to Cloud (aka Bursting) Federated Cloud open connectivity

Topology independent addressing Overlay solution IPv4 or IPv6 agnostic

Benefits Integrated Mobility Mobility across organizations (SPs, Cloud

Providers) IPv4, IPv6 or a combination Optimal traffic path (no triangulation)

Provider A Provider B

Primary DC Secondary DC

Overview

Solving Scale, Mobility and Security ProblemsGlobal Mobility across organizational boundaries

220

EvolvingtheWorld’sNetworksfortheCloudEra

Data Center Host Mobility


Data Center VM IP Mobility :: Why?

• Mobility in the DC allows business continuity during network failover, maintenance and migration: active-active DC, Disaster Recovery, Hybrid Cloud, DC migration

• Server Virtualization…enables virtual server mobility

• Mobility with IP Address Retention…

• Is transparent to clients, applications and allows keeping existing network policies

A.B.C.D A.B.C.D

Original DC Service Provider DC orDisaster Recovery DC or

New DC …

Mobility = Flexibility IP Portability = Simplicity

222


Data Center VM IP Mobility :: What do I need?

• Server Gateway Consistency

• Machine State Consistency

• Routed Traffic

• Bridged Traffic

A.B.C.D A.B.C.D

Original DC Service Provider DC orDisaster Recovery DC or New DC…

A.B.C.1 A.B.C.1

MAC A MAC A

MAC B MAC BMAC EA.B.C.E

E.F.G.HIP MAC------- ----A.B.C.1 BA.B.C.E E

IP MAC------- ----A.B.C.1 BA.B.C.E E

DiskState

MemoryState Disk

State

MemoryState

✔✔

✔✔intra-subnet

inter-subnet

223


Live Moves With LAN Extension

IPv4 Network

West-DC East-DC

Mapping DB

XTR/FHR

LAN Extension

LISP Site

XTR

• Routing for Extended SubnetsActive-Active Data Centers

Distributed Data Centers

• Application Members Distributed

• Seamless Workload Mobility

• IP Mobility Across SubnetsDC Migration

Disaster Recovery / Cloud Bursting / Hybrid Cloud

• Application Members In One Home Location

Cold Moves Without LAN Extension

IPv4 Network

DR Location or Cloud Provider

DC

Mapping DB

West-DC East-DC

XTR/FHR

LISP Site

XTR

LISP Data Center Mobility :: Live vs Cold Mobility

224

224


• Existing LISP adopters– LISP sites– Enable VM Mobility in DC Sites– Natural, simple evolution of existing LISP infrastructure

• New LISP customers– Non LISP remote sites– Standalone VM Mobility Use Case– Minimal, DC only, intrusion– Phased, operationally light, incremental approach– Interworking with existing routing protocols

LISP Data Center Mobility :: Approach

East-DCWest-DCEast-DCWest-DC

Mapping DBMSMR

MSMR MSMR

225


• Most firewalls/SLB cannot inspect LISP data traffic (ZBF LISP Inspection: XE3.13)

Client Site

West-DC

WAN or Internet

Mobility Requirement # 1: Integration with ServicesLISP Encapsulated Traffic

East-DC

226



• Stateful devices like firewalls and load balancers need to inspect the traffic in both directions

Client Site

West-DC East-DC

WAN or Internet

Mobility Requirement # 1: Integration with Services

BidirectionalTraffic

LAN Extension

Example: Extended

LAN between

DCs

227



• Stateful devices like firewalls and load balancers need to inspect the traffic in both directions– After the silver VM moves to

East-DC across the LAN extension, firewalls on each DC see traffic only in one direction

Client Site

West-DC East-DC

WAN or Internet

Mobility Requirement # 1: Integration with Services

Return Traffic

BidirectionalTraffic

One-Way Traffic

LAN Extension

Example: Extended

LAN between

DCs

228


• Client traffic to moved workload is blackholed or not optimized after the move– Ex. Return traffic thru different

firewall (blackhole)

– Ex. Keep server gateway on West DC (sub optimized)

Client Site

West-DC East-DC

Mobility Requirement # 2: Ingress Path Optimization

? WAN or Internet

229


• Having the server gateway only on one DC does not scale well

• When the number of DR moves increase, the inter-zone traffic will hair-pin between the 2 DCs over OTV, instead of being locally routed in the DR DC

Mobility Requirement # 3: Local Routing Optimization

West-DC East-DC

WAN or Internet

Server GW on West DC only

LAN Extension

Example: Extended

LAN between

DCs

230


Mobility Req. # 4: Multi-Zone Multi-Tenant DC

• Server Zone Segmentation – front-end/back-end servers– Internal firewall inspects inter-zone

traffic– VLAN or VRF Lite

• Tenant (or service) Segmentation– Each tenant use a private VPN– Dedicated firewall (context) per tenant

• Associate Zones to single tenant (or service)– Tenant VRF “merges” server zone

VRFs

• Scale from tens (enterprise) to thousands tenants (service provider)

Client SiteTenant 1

WANTenant 1

West-DC

Client SiteTenant 2

WANTenant 2

Client SiteTenant 1 Client Site

Tenant 2

Example: Two tenant –Three zone

IaaS Virtualization

FW ContextTenant 1

FW ContextTenant 2

231

LISP Data Center/Host MobilityFunctions and Components


1. Detect the host movea) For any host, without agents on the host or protocols

b) Without dependence on any hypervisor

2. Register the new host location with the Mapping System3. Notify other xTRs/PITRs of the move

a) Update routing tables at old sites

b) Update LISP Map-Caches

LISP DC Mobility :: FunctionsThree simple steps to mobility

233


LISP DC Mobility :: Existing Functions

• There are minimal changes to existing LISP components to support VM Mobility– Map Server/Resolver (MSMR)– Tunnel Router (xTR): H/W encap/decap (HW capable) and

registration (control-plane) of the mobile subnet in the MS

• In a typical deployment, MSMR and TR functions coexist and are distributed (HA) on the same devices in one or all data center locations

WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR

Non LISP Client Site

router lisp ! [MSMR portion] site WESTEAST-DC authentication-key L15P43V3R eid-prefix 172.71.64.0/20 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolverexit

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

MSMR

xTR

MSMR and xTR

234

xTRMSMR

IOS


LISP DC Mobility :: Mobility Functions

• First Hop Router is a control-plane function for scalable, dynamic detection and signaling of a “silent” host

• LISP Single-Hop Mobility implements FHR and xTR in the same devices

• LISP Multi-Hop Mobility implements FHR and xTR in two distinct devices, allowing multiple L3 hops in between:

- Less stringent H/W capability requirements- Insertion of L3 stateful devices (non LISP capable)- Multiple points in the network capable of injecting LISP

mobile information and “influence” traffic routing

WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR

Non LISP Client SiteEID

LISP Encap/Decap

RLOC

... LISP Device

Host Detection

FHR

FHR: Single/Multi-Hop Mobility

235

FHR



• Signaling: – Single-Hop (FHR = xTR)

• Location Services:– Routed Traffic– Bridged Traffic (IP Local

Proxy ARP)

A.B.C.D A.B.C.D


A.B.C.1

MAC D MAC D

MAC AMAC EA.B.C.E

E.F.G.HIP MAC------- ----A.B.C.1 AA.B.C.E Inc

IP MAC------- ----A.B.C.1 AA.B.C.E E

DiskState

MemoryState Disk

State

MemoryState

✔

✔

✔

✔intra-subnet

inter-subnet

MAC AA.B.C.1 FHRA.B.C.F

MAC FFHR

GW GW

236

FHR – Across Subnet ModeFHR

• Detection: – ARP packets (FHR not

required to be Gateway)– IP packets– Supports Foreign Subnet– Probing (expiration)

A.B.C.0/24 or A.B.D.0/24


• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:– E-W: local peers – S-N: ETR MSMR ETR

WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

DC-2

ETRITR

Mapping DBMSMR


router lisp locator-set DC2 10.10.3.1 priority 1 weight 5 10.10.4.1 priority 1 weight 5 exit eid-table default instance-id 3333 dynamic-eid VM database-mapping 172.71.73.0/24 locator-set DC2 map-notify-group 230.23.3.1 exit ipv4 etr ipv4 etr map-server 10.10.0.1 key DC! [..]interface GigabitEthernet0/0.73 encapsulation dot1q 73 ip address 172.71.73.3 255.255.255.0 standby 0 ip 172.71.73.254 lisp mobility VM ! no lisp extended-subnet-mode ! ip proxy-arp


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

10.10.4.110.10.3.1

FHR+ETR – Across Subnet Mode: Signaling & Config

237

FHR

ETRITR

ETRITR

IOS


WAN

DC-1

ETR

DC-2

ETR

Mapping DBMSMR



EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

FHR+ETR – Across Subnet Mode: LISP Mobility HRI

238

FHR

ETR ETR

RegionalSite • The signaling of the mobile VM location initiated

by a FHR discovery, happens on both axes:– E-W: local peers – S-N: ETR MSMR ETR

• FHR (ETR) + MSMR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution

Host RouteInjection

Host RouteInjection

ETR# show ip route [..]

172.71.0.0/16 is variably subnetted, 4 subnets, 2 masksC 172.71.73.0/24 is directly connected, Ethernet0/0.73L 172.71.73.1/32 is directly connected, Ethernet0/0.73l 172.71.73.123/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73l 172.71.73.124/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73

IOS

Can be redistributed



• Signaling: – Single-Hop (FHR = xTR)– Multi-Hop (FHR ≠ xTR)

• Location Services:– Routed Traffic (using LISP or

other overlay tunnel router)– FHRP Isolation

• Detection: – IP packets (FHR = GW)– Silent Host Detection

(ARP based)

A.B.C.D A.B.C.D


A.B.C.1 A.B.C.1

MAC D MAC D

MAC A MAC A

MAC EA.B.C.E

E.F.G.HIP MAC------- ----A.B.C.1 AA.B.C.E E

IP MAC------- ----A.B.C.1 AA.B.C.E E

DiskState

MemoryState ✔

✔

✔

✔ intra-subnet

inter-subnet

FHRFHRGW

GW

239

FHR – Extended Subnet Mode

LAN Extension

FHR


• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:– E-W: local and remote peers – N-S: FHR xTR MSMR xTR FHR

WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR


router lisp locator-set DC2 10.10.3.1 priority 1 weight 5 10.10.4.1 priority 1 weight 5 exit eid-table default instance-id 3333 dynamic-eid VMs database-mapping 172.71.73.0/24 locator-set DC2 map-notify-group 230.23.3.1 eid-notify 10.10.1.1 key DC2-XTR exit ! [..]!interface GigabitEthernet0/0 ip address 172.71.73.3 255.255.255.0 standby 0 ip 172.71.73.1 lisp mobility VMs lisp extended-subnet-mode!

LAN Extension


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

10.10.4.110.10.3.1

10.10.1.1

FHR – Extended Subnet Mode: Signaling & Config

240

FHR

IOS



WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR


router lisp locator-set DC2 10.10.1.1 priority 1 weight 5 exit eid-table default instance-id 3333 dynamic-eid VMs database-mapping 172.71.73.0/24 locator-set DC2 eid-notify authentication-key DC2-XTR exit ipv4 etr ipv4 etr map-server 10.10.0.1 key DC ! [..]

LAN Extension


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

10.10.4.110.10.3.1

10.10.1.1

ETR – Extended Subnet Mode: Signaling & Config

241

FHR

IOS



WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR


FHR# show lisp dynamic-eid summary

LISP Dynamic EID Summary for VRF "default”* = Dyn-EID learned by site-based Map-Notify! = Dyn-EID learned by routing protocol^ = Dyn-EID learned by EID-Notify

Dyn-EID Name Dynamic-EID Interface Uptime Last Pending Packet Ping CountVMs *172.71.73.102 Vlan10 03:46:28 00:00:19 0 VMs 172.71.73.112 Vlan10 02:01:20 00:00:40 0 LAN Extension


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

10.10.4.110.10.3.1

10.10.1.1

FHR/ETR– Extended Subnet Mode: Dynamic EID Table

242

FHR

NxOS

ETR# show lisp dynamic-eid summary

LISP Dynamic EID Summary for VRF ”default”* = Dyn-EID learned by Site-Based Map-Notify^ = Dyn-EID learned by EID Notify

Dyn-EID Name Dynamic-EID Interface Uptime Last Pending Packet Ping CountVMs ^172.71.73.102 N/A 03:46:40 00:00:54 0 VMs ^172.71.73.112 N/A 02:01:20 00:00:50 0

IOS



• FHR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution

WAN

Regional Site

DC-1

FHR FHR

DC-2

FHR FHR


Host RouteInjection

Host RouteInjection


LAN Extension

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

FHR – Extended Subnet Mode: LISP Mobility HRI

243

FHR

FHR# show ip route 172.71.73.0/24, ubest/mbest: 1/0, attached *via 172.71.73.5, Vlan15, [0/0], 10:45:30, direct172.71.73.0/25, ubest/mbest: 1/0 *via Null0, [249/0], 02:35:50, lisp, dyn-eid172.71.73.1/32, ubest/mbest: 1/0 *via 172.71.73.1, Vlan15, [0/0], 10:45:05, hsrp172.71.73.34/32, ubest/mbest: 1/0, attached *via 172.71.73.34, Vlan15, [249/0], 00:11:26, lisp, dyn-eid172.71.73.5/32, ubest/mbest: 1/0, attached *via 172.71.73.5, Vlan15, [0/0], 10:45:30, local172.71.73.16/32, ubest/mbest: 1/0, attached *via 172.71.73.16, Vlan15, [249/0], 00:08:06, lisp, dyn-eid172.71.73.128/25, ubest/mbest: 1/0 *via Null0, [249/0], 02:35:50, lisp, dyn-eid

NxOS

Can be redistributed


• FHR can detect idle servers at either DC location with proper routing design

• Steps1. LISP remote PxTR announces server subnet 2. DC-1 ETR Registers server subnet in MS3. DC-1 ETR announces server subnet to Internet DMZ4. DC-1 ETR installs server subnets to local FHRs5. FHR receives client traffic to idle servers6. FHR resolves server address and forwards traffic (over LAN

Extension)7. Return IP traffic from server hits local gateway (FHRP

Isolation) and triggers detection by FHR

• Available in both IOS and NxOS implementations

WAN orInternet

PITRPETR

LISP Client Site

DC-1

ETRITR

FHR FHR

DC-2

ETRITR

FHR FHR

Mapping DBMSMR


LAN Extension


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

10.10.1.1

FHR – Extended Subnet Mode: Silent Host Detection (1/2)

244

FHR

Internet DMZ

1

23

4

56

7 7


• When the FHR does not announce a coarse server subnet, it can detect idle servers locally by inspecting and probing ARP traffic

• Steps1. FHR receives ARP packets from idle server2. FHR probes the IP address with an ICMP packet, using the

Virtual IP and MAC (HSRP) as source3. ICMP packet reaches the silent server on the same DC

(HSRP Isolation)4. Return ICMP packet from server hits local gateway (FHRP

Isolation) and triggers detection by FHR

• Only in NxOS

• ARP Probing is rate limited

WAN

Regional Site

DC-1

FHR FHR

DC-2

FHR FHR


Host RouteInjection

Host RouteInjection


LAN Extension

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

FHR – Extended Subnet Mode: Silent Host Detection (2/2)

245

FHR

ARP

ICMP

12

3

4


xTRMSMRLISP DC Mobility :: Mobility Functions

SMR – Notify other Tunnel Routers of the move

East-DC

FHRFHR

xTR xTR

West-DC

FHRFHR

xTR xTR

Move Event 10.0.1.67

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

Private WAN

Non-LISP Client Site LISP Regional Site

PxTRNon-LISP Client Site

• Solicit Map Request (SMR) Mechanism:1 FHR Detection and EID notify to ETRs2 ETRs register dynamic EID to MS3 MS notifies old registrant ETRs4 Losing ETRs update local (IOS) or away

(NxOS) host tables5 Active decapsulated traffic from remote

PITR/ITRs that hits away host table entry triggers SMR

6 PITR/ITRs process SMR and send map-request to MR to update their map cache

7 MRMS forwards request to East DC ETR, which sends map-reply

8 PITR/ITR steer traffic to new East DC locators

Mapping DBMSMR

123

SMRSMR

554 4

6

78

246

LISP Data Center/Host MobilityAcross Subnet


Customer :: NJEdge.NET

IPv4 Internet


...Transit

SP

Member N

CPE

Tier 1 SP1

Member 2

CPE

IPv6 InternetSome..

v6

More…v6

GoogleFacebook

Some v4

Default Route

Or BGP

Member 3

CPE CPE

BGPBGP


MS/MRPxTR

Default Route

Member 1

xTR

Member N

xTR

Default Route

Member 2

xTR xTR

Default Route

LISP-to-LISP

IPv4 EID Aggregate

Advertisement Non-LISP-to-LISP

XTR

1:1 NAT192.168.0.0/24

172.31.255.0/24

172.31.255.10

192.168.0.10

• Web Server Backup Service– Cold Move – Across Subnet Mode– Single server machine needs to move

to LISP Service Provider DC for scheduled maintenance or DR

• NAT Support– Firewalls with 1:1 NAT acting as server

gateway are typically deployed on original site

– Host presence detection on original site on public prefix

– Public IP address moves to LISP Service Provider DC

248


Bulk MigrationShared or Migration WAN

WAN

Customer :: IBM Strategic Outsourcing UK • Before LISP: Big-Bang Approach

– Perform a bulk migration with high risk– Take longer to start moving servers– Longer storage migration cycle that

requires keeping a large data set in synch over WAN

10.1.1.5 10.1.1.6

L3

L2

Any VLAN and Any

STP

10.1.1.0/24

ASR1K

L3

L2

Any VLAN and Any STP

GreenfieldIBM DC

10.1.1.0/24

BrownfieldCustomer DC

249


LISP ASMIncremental

Server Migration

WAN

Customer :: IBM Strategic Outsourcing UK • With LISP:

– Can perform the server migration in smaller waves (lower risk) and faster, as soon as the server data is available on IBM DC

– The amount of data to be kept in synch is minimized, reducing risk and WAN requirements

– Path optimization from the user to the application is possible, eliminating latency concerns and reducing WAN bandwidth requirements

– Simplicity: Repeatable, easy to implement with pre-defined price

• IBM SO UK Reduced the Migration Window from years to weeks (95%)10.1.1.5 10.1.1.6

L3

L2

Any VLAN and Any

STP

ETRMSMR

ASR1K

L3

L2


GreenfieldIBM DC

10.1.1.5


250


WAN

Customer :: IBM Strategic Outsourcing UK • Brownfield DC:

– Non intrusive ASR1000 placement (on-a-stick), configured as LISP PxTR

– No changes in routing advertisement (mobile aggregate subnet)

• Greenfield DC:– LISP Mapping System (MSMR)– LISP xTR with ASM Mobility (Dynamic

EID) for the migrating prefix

PxTRETR

ASR1K

10.1.1.5 10.1.1.6

L3

L2

Any VLAN and Any

STP

10.1.1.0/24

ETRMSMR

ASR1K

L3

L2


GreenfieldIBM DC

LISP Dynamic EID:10.1.1.0/24

4.4.4.4 5.5.5.5


2.2.2.2 3.3.3.3

Mapping System:10.1.1.0 2.2.2.2 3.3.3.3

251


WAN

Customer :: IBM Strategic Outsourcing UK • Dynamic Granular Migration:

– As soon as server is enabled in Greenfield DC, it is discovered by IP/ARP traffic and registered into LISP Mapping System

• Dynamic Path Optimization:– Client traffic is steered to new

Greenfield location– Return traffic can be symmetric to

allow external firewalls in Brownfield DC

– Intra-subnet traffic from Brownfield DC is routed (GARP+LISP) to Greenfield DC

PxTRETR

ASR1K

10.1.1.5 10.1.1.6

L3

L2

Any VLAN and Any

STP

10.1.1.0/24

ETRMSMR

ASR1K

L3

L2

Any VLAN and Any

STP

GreenfieldIBM DC

LISP Dynamic EID:10.1.1.0/24

4.4.4.4 5.5.5.5

10.1.1.5

IP/ARP


2.2.2.2 3.3.3.3

GARP

Mapping System:10.1.1.0 2.2.2.2 3.3.3.3

Mapping System:10.1.1.0 2.2.2.2 3.3.3.310.1.1.5 4.4.4.4 5.5.5.5

252


CSR 1000V

WAN Router

SwitchesServers

CSR 1000V

VPC/ vDC

VPC/ vDC

Cloud Provider Data Center

Challenges

• Simple, Fast, Transparent Application Onboarding

• Consistency with DC Network Features

Enterprise

Benefits

• Simpler App Integration

• Dynamic infrastructure• Consistent

Management

Solutions

• LISP for VM Mobility• Routing• NAT, DHCP

Use Case: DC to Cloud IP Mobility

Benefit: Simplified Application Deployment to the Cloud

LISP protocol

DC

ASRWAN

Customer :: European Service Provider

253

LISP Data Center/Host MobilityExtending Subnet


Customer-AMPLS-VPN

MPLS Core

PE5 PE6

Blue/DC 1(Location 1)

CE5 CE6


CE7 CE8

ITR/ETR

Customer-ASite 4

PE4

Customer-ASite 3PE3

MS/MRMS/MR

Customer-ASite 2

PE2

Customer-ASite 1 PE1

CE2

ITR/ETR

LAN Extension (OTV)

CE1

ITR/ETR

CE3

ITR/ETR

CE4

ITR/ETR

ITR/ETR

Customer :: US National BankMPLS Core, Extending Subnets – Topology

255

DYNAMIC EID172.17.0.0/24

172.18.0.0/16172.17.0.0/16


Customer-AMPLS-VPN

MPLS Core

PE5 PE6


CE5 CE6


CE7 CE8

ITR/ETR

Customer-ASite 4

PE4

Customer-ASite 3PE3

MS/MRMS/MR

Customer-ASite 2

PE2


CE2

ITR/ETR

LAN Extension (OTV)

CE1

ITR/ETR

CE3

ITR/ETR

CE4

ITR/ETR

ITR/ETR


172.18.0.0/16172.17.0.0/16

Customer :: US National BankMPLS Core, Extending Subnets – LISP Configurations (Sites and MSMRs)

256

EID 172.16.1.0/24

RLOC GE0/0/010.1.1.2/30

RLOC GE0/0/010.1.5.1

RLOC GE0/0/010.1.6.1

router lisp eid-table default instance-id 0 database-mapping 172.16.1.0/24 10.1.1.2 pri 1 wei 100 exit ! ipv4 itr ipv4 etr ipv4 itr map-resolver 10.1.5.1 ipv4 etr map-server 10.1.5.1 key s3cr3t ipv4 itr map-resolver 10.1.6.1 ipv4 etr map-server 10.1.6.1 key s3cr3t!

IOS

IOS

router lisp ! site DCs authentication-key DCs3cr3t eid-prefix 172.17.0.0/16 accept-more-specifics eid-prefix 172.18.0.0/16 exit ! site Site-1 authentication-key s3cr3t eid-prefix 172.16.1.0/24 exit !--<more sites>--- ipv4 map-server ipv4 map-resolver exit !


Customer-AMPLS-VPN

MPLS Core

PE5 PE6


CE5 CE6


CE7 CE8

ITR/ETR

Customer-ASite 4

PE4

Customer-ASite 3PE3

MS/MRMS/MR

Customer-ASite 2

PE2


CE2

ITR/ETR

LAN Extension (OTV)

CE1

ITR/ETR

CE3

ITR/ETR

CE4

ITR/ETR

ITR/ETR


172.18.0.0/16172.17.0.0/16

Customer :: US National BankMPLS Core, Extending Subnets – LISP Configurations (Data Centers)

257

RLOC-A10.2.5.1

RLOC-B10.2.5.5

RLOC-C10.2.6.1

RLOC-D10.2.6.5

ip lisp itr-etrip lisp database-mapping 172.18.0.0/16 10.2.6.1 p 1 w 50ip lisp database-mapping 172.18.0.0/16 10.2.6.5 p 1 w 50

ip lisp itr map-resolver 10.1.5.1 ip lisp itr map-resolver 10.1.6.1 ip lisp etr map-server 10.1.5.1 key DCs3cr3tip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM database-mapping 172.17.0.0/24 10.2.6.1 p 1 w 50 database-mapping 172.17.0.0/24 10.2.6.5 p 1 w 50 map-notify-group 239.1.1.1

interface vlan 100 ip address 172.17.0.4/24 (or 172.17.0.5/24) lisp mobility CUST-A-ROAM lisp extended-subnet-mode hsrp 101 preempt delay reload 300 priority 130 ip 172.17.0.1

NX-OSip lisp itr-etrip lisp database-mapping 172.17.0.0/16 10.2.5.1 p 1 w 50ip lisp database-mapping 172.17.0.0/16 10.2.5.5 p 1 w 50

ip lisp itr map-resolver 10.1.5.1 ip lisp itr map-resolver 10.1.6.1 ip lisp etr map-server 10.1.5.1 key DCs3cr3tip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM database-mapping 172.17.0.0/24 10.2.5.1 p 1 w 50 database-mapping 172.17.0.0/24 10.2.5.5 p 1 w 50 map-notify-group 239.1.1.1

interface vlan 100 ip address 172.17.0.2/24 (or 172.17.0.3/24) lisp mobility CUST-A-ROAM lisp extended-subnet-mode hsrp 101 preempt delay reload 300 priority 130 ip 172.17.0.1

NX-OS



Customer-AMPLS-VPN

MPLS Core

PE5 PE6


CE5 CE6


CE7 CE8

ITR/ETR

Customer-ASite 4

PE4

Customer-ASite 3PE3

MS/MRMS/MR

Customer-ASite 2

PE2


CE2

ITR/ETR

LAN Extension (OTV)

CE1

ITR/ETR

CE3

ITR/ETR

CE4

ITR/ETR

ITR/ETR


172.18.0.0/16172.17.0.0/16

Customer :: US National BankMPLS Core, Extending Subnets – Initial State

258

RLOC-A10.2.5.1

RLOC-B10.2.5.5

RLOC-C10.2.6.1

RLOC-D10.2.6.5

172.17.0.12/32

the server is here

EID-prefix: 172.17.0.12/32Locator-set: 10.2.5.1, priority: 1, weight: 50 10.2.5.5, priority: 1, weight: 50

map-cacheEID 172.16.1.0/24

RLOC GE0/0/010.1.1.2/30


Customer-AMPLS-VPN

MPLS Core

PE5 PE6


CE5 CE6


CE7 CE8

ITR/ETR

Customer-ASite 4

PE4

Customer-ASite 3PE3

MS/MRMS/MR

Customer-ASite 2

PE2


CE2

ITR/ETR

LAN Extension (OTV)

CE1

ITR/ETR

CE3

ITR/ETR

CE4

ITR/ETR

ITR/ETR


172.18.0.0/16172.17.0.0/16

Customer :: US National BankMPLS Core, Extending Subnets – After the Move

259

RLOC-A10.2.5.1

RLOC-B10.2.5.5

RLOC-C10.2.6.1

RLOC-D10.2.6.5

EID-prefix: 172.17.0.12/32Locator-set: 10.2.5.1, priority: 1, weight: 50 10.2.5.5, priority: 1, weight: 50

map-cache

10.2.6.1, priority: 1, weight: 5010.2.6.5, priority: 1, weight: 50

172.17.0.12/32

the server moves here

EID 172.16.1.0/24

RLOC GE0/0/010.1.1.2/30

LISP Data Center/Host MobilityServices Integration

© 2014 Cisco and/or its affiliates. All rights reserved.TECRST-3191 Cisco Public 261

LISP DC Mobility :: Services Integration

• Virtualized First Hop Router as anycast gateway for each Server Zone– Servers move and retain their IP

address, gateway and ARP cache– LISP dynamic EID detection and

signaling

• Internal Firewall as inter zone router

• DCI Overlay Router attracts L3 traffic for servers discovered on the ‘other’ data center

FW in the data path to inspect bidirectional traffic

front-endback-endback-end

Single Router

or

N7K VDC

Single L3 FWor

FW Contexts

SLB

Overlayto/from server

other DC

DCI OverlayRouter or N7K VDC

OTV / GRE / LISP …


LISP DC Mobility :: Services IntegrationConfiguration approach: IOS

front-endback-endback-endSingle Router

Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayRouter


router lisp [0] LISP Role: FHR locator-table = vrf silver EID-table = vrf silver LISP Instance ID = 999router lisp 1 LISP Role: FHR locator-table = vrf gold EID-table = vrf gold LISP Instance ID = 999router lisp 2 LISP Role: FHR locator-table = vrf blue EID-table = vrf blue LISP Instance ID = 999

IOS

IOSrouter lisp [0] LISP Role: xTR Site Gateway EID-table = vrf crimson LISP Instance ID = 999


LISP DC Mobility :: Services IntegrationConfiguration example: IOS


Single Router

Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayRouter

OTV / GRE / LISP …router lisp locator-table crimson locator-set WestDC 10.0.1.2 priority 1 weight 5 eid-table crimson instance-id 999 database-mapping 171.71.64.0/20 loc WestDC dynamic-eid VM-EXTENDED-SILVER database-mapping 171.71.71.0/24 loc WestDC eid-notify authentication-key WEST ! dynamic-eid VM-EXTENDED-BLUE database-mapping 171.71.73.0/24 loc WestDC eid-notify authentication-key WEST ! dynamic-eid VM-EXTENDED-GOLD database-mapping 171.71.72.0/24 loc WestDC eid-notify authentication-key WEST ! exit ipv4 etr [..]

IOS


LISP DC Mobility :: Services IntegrationConfiguration example: IOS


Single Router

Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayRouter

OTV / GRE / LISP …router lisp locator-table crimson locator-set WestDC 10.0.1.2 priority 1 weight 5 eid-table crimson instance-id 999 database-mapping 171.71.64.0/20 loc WestDC dynamic-eid VM-EXTENDED-SILVER database-mapping 171.71.71.0/24 loc WestDC eid-notify authentication-key WEST ! dynamic-eid VM-EXTENDED-BLUE database-mapping 171.71.73.0/24 loc WestDC eid-notify authentication-key WEST ! dynamic-eid VM-EXTENDED-GOLD database-mapping 171.71.72.0/24 loc WestDC eid-notify authentication-key WEST ! exit ipv4 etr [..]

router lisp 2 locator-table vrf blue locator-set WestDC 10.11.3.1 p 1 weight 5 exit ! eid-table vrf blue i 999 dynamic-eid VM-EXTENDED-BLUE database-map 171.71.73.0/24 locator-set WestDC map-notify-group 230.23.3.1 eid-notify 10.11.4.1 key WEST exit![..]interface GigabitEthernet1/1.30 vrf forwarding blue lisp mobility VM-EXTENDED-BLUE lisp extended-subnet-mode standby 30 ip 171.71.73.1

IOS

IOS


LISP DC Mobility :: Services IntegrationConfiguration approach: NxOS

front-endback-endback-endSingle VDC

Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayVDC


vrf context silver LISP Role: FHR LISP Instance ID = 999

vrf context gold LISP Role: FHR LISP Instance ID = 999

vrf context blue LISP Role: FHR LISP Instance ID = 999

NxOS

vrf context crimson LISP Role: xTR Site Gateway LISP Instance ID = 999

NxOS


LISP DC Mobility :: Services IntegrationConfiguration example: NxOS


Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayVDC

OTV / GRE / LISP …vrf context crimson lisp instance-id 999 ip lisp itr-etr ip lisp database-mapping 171.71.64.0/20 10.0.1.2 priority 1 weight 5 lisp dynamic-eid VM-EXT-SILVER instance-id 999 database-map 171.71.71.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! lisp dynamic-eid VM-EXT-BLUE instance-id 999 database-map 171.71.73.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! lisp dynamic-eid VM-EXT-GOLD instance-id 999 database-map 171.71.72.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! [..]

NxOS


LISP DC Mobility :: Services IntegrationConfiguration example: NxOS


Single L3 FWor

FW Contexts

SLB


other DC

DCI OverlayVDC

OTV / GRE / LISP …vrf context crimson lisp instance-id 999 ip lisp itr-etr ip lisp database-mapping 171.71.64.0/20 10.0.1.2 priority 1 weight 5 lisp dynamic-eid VM-EXT-SILVER instance-id 999 database-map 171.71.71.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! lisp dynamic-eid VM-EXT-BLUE instance-id 999 database-map 171.71.73.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! lisp dynamic-eid VM-EXT-GOLD instance-id 999 database-map 171.71.72.0/24 10.0.1.2 p 1 w 5 eid-notify authentication-key WEST ! [..]

NxOS

vrf context blue lisp instance-id 999 ip lisp etr lisp dynamic-eid VM-EXT-BLUE database-map 171.71.73.0/24 10.11.3.1 priority 1 weight 5 map-notify-group 230.23.3.1 eid-notify 10.11.4.1 key WEST exit![..]Interface Vlan 30 vrf member blue lisp mobility VM-EXT-BLUE lisp extended-subnet-mode hsrp 30 ip 171.71.73.1

NxOS



• Firewall layer forwards server traffic to the DCI Overlay Router, following a default route or an aggregate route advertisement

• When LISP detects a local server presence, it dynamically inject a more specific route into the DC IGP to attract traffic from FW

Option #1 : Host route injection from local FHR



other DC

Host RouteInjection

Host RouteInjection

Host RouteInjection

Follow default or aggregate route


LISP DC Mobility :: Services IntegrationOption #1 : HRI from local FHR: IOS Configuration



other DC

Host RouteInjection

Host RouteInjection

Host RouteInjection

Follow default or aggregate routerouter ospf 203 vrf blue

router-id 10.11.3.1 capability vrf-lite redistribute lisp subnets route-map VMs network 171.71.73.0 0.0.0.255 area 0!ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32route-map VMs permit 10 match ip address prefix-list VMs set tag 173!

IOS


LISP DC Mobility :: Services IntegrationOption #1 : HRI from local FHR: NxOS Configuration



other DC

Host RouteInjection

Host RouteInjection

Host RouteInjection

Follow default or aggregate routerouter ospf 203

vrf blue redistribute lisp route-map VMs!interface Ethernet1/13.113 vrf member blue ip router ospf 203 area 0.0.0.0 !ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32route-map VMs permit 10 match ip address prefix-list VMs set tag 173!

NxOS



• Firewall layer forwards server traffic to each individual FHR, following its route advertisement or a static route

• When LISP detects a server presence in another DC, a more specific route is dynamically advertised by the overlay router to attract traffic from FW– Can be implemented by propagating

LISP HRI at a remote DC– Can be implemented by redistributing

“away host” table from LISP XTR SG

Option #2 : Host route injection from Overlay Router



other DC

Host RouteInjection

Follow server subnet routes



• L3 Firewalls that cannot handle host routes or participate in routing protocol

• Server-to-server traffic: star pattern (one server tier centric)

• Inter-VLAN router is a LISP device (xTR):– Detection for main server tier (single-

hop)– Registration for other tiers (multi-hop)– Location awareness

Option #3: Design without LISP HRI – Concept

web

app

db


other DC

LISP

Typical Traffic Patterns


Standalone L3 FWs orFW Contexts

Single Router

or

N7K VDC


• Virtualized Access Router

• Distribution Router (xTR)

Option #3: Distributed Implementation

web

app

db


other DC

LISP

SLB

xTREdge Router or N7K VDC


Standalone L3 FWs or

FW Contexts


• Combined Virtualized Router

Option #3: Combo Implementation

webappdb

Overlay

to/from server

other DC

LISP

SLB

Single Router

or

N7K VDC



• Session state is established on West blue FW

Design without LISP HRI: traffic pattern before app move

web

app

db web

app

db

S

West-DC East-DC



• Re-uses Session state on West DC FW

• Session Survivability

Design without LISP HRI: traffic pattern after app move

web

app

db web

app

db

LISP Overlay

1XTR detects and registers gold2

XTR encapsulates traffic to gold

3

blue subnet route points to local blue FW, but…

3

XTR SG “knows” blue is away and not behind local blue firewall

S

West-DC East-DC



• Session state is established on West blue/silver FW

Design without LISP HRI: traffic pattern before web move

web

app

db web

app

db

S S

West-DC East-DC



• East DC silver FW has no state

• Session needs to be re-established on both West/East DC FWs

• All firewalls see bidirectional traffic

Design without LISP HRI: traffic pattern after web move

web

app

db web

app

db

2XTR registers silver3

XTR encapsulates traffic to silver

4

No existing state!!

1FHR detects

silver

New State

5S S1SS1

New State

5

LISP Overlay

West-DC East-DC


LISP DC Mobility :: Services IntegrationSession Survivability with FW Inter DC Clustering

Session survivability can be achieved by having the same firewall cluster extending across DCs

traffic is forwarded to the West-DC cluster member owning the session state (ASA 9.1.4)

Hair-pinning is temporary for sessions established before the move. New sessions state will be created on the East-DC firewall, without hair-pinning

LISP Branch Site

West-DC

FHRFHRFHR

XTR

East-DC

FHRFHRFHR

XTR

WAN

CCL over DCIS


https://www2.wwt.com/resilient-active-datacenters

Customer :: WorldWide Technology

• RAD: Resilient Active Datacenters

• Seamless Mobility with Session Survivability:– Compute– Cisco UCS– Storage– EMC VPLEX– NetApp Metrocluster– Networking– Cisco OTV/LISP– Virtualization– VMWare– Microsoft Hyper-V– Security– Cisco ASA Clustering

Session Survivability with FW Inter DC Clustering

280


Internet


• West & East Load Balancers have consistent Route Health Injection policies

• When VIP host route announcement flips from West to East DC, LISP detects VIP and optimizes ingress traffic from WAN/Internet

Integration with Load Balancer RHI

webbackend

West-DC

webbackend

East-DC

Private WANISP-1 ISP-2

XTR

PXTR PXTR

2SLB starts VIP advertisement2

SLB stops VIP advertisement

Host RouteInjection

Host RouteInjection

3 ETR+FHR detects VIP presence

4

LISP traffic converges

1Last cluster

member moves

• Event Sequence:1 All cluster resources move

East2 VIP Host route is injected

by East SLB and withdrawn by West SLB

3 VIP detection occurs at East XTR (single-hop)

• Packet based (IOS)• Host Route based (NxOS)

4 ETR registration and SMR mechanism reroute client traffic from ISP PxTRs and WAN xTRs to East DC locators

281


Internet


• West & East Load Balancers have consistent Route Health Injection policies

• When VIP host route announcement flips from West to East DC, LISP detects VIP and optimizes ingress traffic from WAN/Internet

Integration with Load Balancer RHI: NxOS Configuration

webbackend

West-DC

webbackend

East-DC

Private WANISP-1 ISP-2

XTR

PXTR PXTR

Host RouteInjection

ip lisp itr-etr![..]lisp dynamic-eid VIP database-mapping 172.71.73.0/28 10.11.1.1 pri 1 weight 50 register-route-notifications! [..]

NxOS

282

LISP Data Center/Host MobilityWAN Integration


East-DC

FHRFHRFHRMSMR

West-DC

FHRFHRFHR MSMR

LISP DC Mobility :: WAN Integration

• Virtualized First Hop Router as gateway for each Server Zone, Firewall as inter-zone router

• LISP Components:– FHRs: mobility detection and intra/inter-DC

signaling to peers– MSMRs: single-point aggregated mobility

database, accept server registration, signaling to FHRs

• East-DC (DR DC) FHRs dynamically inject host routes learned thru LISP into IGP, which propagates to:– Local FW– Remote FW, thru IGP peering over dedicated

extended VLAN (L2 overlay)– WAN Routers

Option #1: LISP Control PlanePrivate WAN

Non-LISP Client Site


OSPF/EIGRP

Host RouteInjection

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

OS

PF/E

IGR

P

HRI

HRI

HRI

HRI

OSPF/EIGRP

284


West-DC

FHRFHRFHR MSMR

East-DC

FHRFHRFHRMSMR


• East-to-West (server to server)– East DC FW

• Aggregate server route pointing to “DCI Overlay router”

• More specific routes announced from local FHRs

– West DC FW• Each subnet route coming from individual FHR• More specific routes announced from “DCI

Overlay router”

• North-to-South (client to server)– West DC WAN Routers

• Announce aggregate front-end subnet to WAN– East DC WAN Routers

• Inject more specific routes for front-end servers in East DC

• Best Convergence when IGP running between remote sites and DCs (VPLS,DMVPN,…)

Option #1: traffic patterns Non-LISP Client Site


next-hop=FHRs(static) 10.0.1.0/24

10.0.2.0/2410.0.3.0/24…

(static)next-hop=MSMR

…10.0.0.0/16

(OSPF)next-hop=MSMR

…10.0.1.67/32

East-DC Hosts

next-hop=FHRs(LISPOSPF) 10.0.1.67/32

…

East-DC Hosts

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

next-hop=FW

…10.0.1.0/24

Private WAN

next-hop=FW

…10.0.1.67/32

East-DC Hosts

L2 Overlay (OTV, …)

285


East-DC

FHRFHRFHR

West-DC

FHRFHRFHR


• Benefits of LISP Overlay between DCs:– Virtualization– Efficient, underlay independent, multi-homing

between DCs

• Host Route Injection for LISP discovered servers from FHRs into IGP

• East-DC can optionally propagate HRI into WAN for ingress traffic optimization

• The DCI Overlay Router is the xTR– Advertises aggregate server subnets to

southbound FW– Registers client subnets as “attached” static

LISP EIDs (database mapping)

Option #2: DCI with LISP OverlayPrivate WAN



Host RouteInjection

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

HRI

OSPF/EIGRP

Host RouteInjectionOSPF/EIGRP

OS

PF/E

IGR

P

xTRMSMR

xTRMSMR

xTRMSMR

xTRMSMR


286


East-DC

FHRFHRFHR

xTRMSMR

xTRMSMR

West-DC

FHRFHRFHR

xTRMSMR

xTRMSMR


• East-to-West (server to server)– East & West DC FW

• Aggregate server route pointing to “DCI Overlay router” (xTR)


• North-to-South (client to server)– Option A:

• East & West DC WAN Routers announce aggregate front-end subnet to WAN

• If traffic comes to the “wrong” DC it gets LISP encapsulated and forwarded to the “right” DC

• Partial Hairpinning– Option B

• Inject more specific routes for front-end servers in East DC

Option #2: traffic patterns Non-LISP Client Site


(static)next-hop=xTR

…10.0.0.0/16


…10.0.0.0/16

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

Private WAN

10.0.3.81

10.0.2.11

next-hop=FW

…10.0.1.0/24next-hop=FW

…10.0.1.67/32

East-DC Hosts


…

East-DC Hosts


10.0.3.81/32…

West-DC Hosts

next-hop=FW

…10.0.1.0/24

LISP Overlay

287


LISP Regional Site

East-DC

FHRFHRFHR

West-DC

FHRFHRFHR


• Extending Benefits of LISP Overlay to the whole WAN:– Virtualization– Efficient, underlay independent, multi-homing

between remote sites and DC– Optimal DC Ingress Routing – no Host Route

Injection necessary

• Host Route Injection for LISP discovered servers from FHRs into IGP

• Optional HRI stopped at DC FW layer

• A subset of remote branches act as PxTR, advertising the server front-end subnet and attracting traffic from closer non LISP client sites

Option #3: LISP Overlay across WANPrivate WAN


Host RouteInjection

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

OSPF/EIGRP

Host RouteInjectionOSPF/EIGRP

xTRMSMR

xTRMSMR

xTRMSMR

xTRMSMR

LISP Regional Site


288


East-DC

FHRFHRFHR

xTRMSMR

xTRMSMR

West-DC

FHRFHRFHR

xTRMSMR

xTRMSMR


• East-to-West (server to server) as in #2– East & West DC FW



Option #3: traffic patterns



…10.0.0.0/16


…10.0.0.0/16

EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

Private WAN

10.0.3.81

10.0.2.11


…

East-DC Hosts


10.0.3.81/32…

West-DC Hosts



289


East-DC

FHRFHRFHR

xTRMSMR

xTRMSMR

West-DC

FHRFHRFHR

xTRMSMR

xTRMSMR


• East-to-West (server to server) as in #2– East & West DC FW



• North-to-South (client to server)– Regional LISP sites (PxTR) announce aggregate

front-end subnet to WAN– After server moves and it is detected/registered

by East DC ETRs, West DC ETRs signal the move to active PxTR with an SMR

– PxTR processes SMR and updates its map cache: traffic gets steered to East DC

Option #3: traffic patterns


EIDLISP Encap/Decap

RLOC

... LISP Device

Host Detection

Private WAN



staticBGPtag=330

…10.0.1.0/24

DC Hosts

SMR

290


Agenda







291

Advanced - LISP Technical SeminarOther LISP Topics and Status

TECRST-3191


[email protected]

LISP Mobile Node


LISP Mobile Node

294

Global IP Mobility…‒ LISP-MN is an global IP mobility solution

Allows a LISP-MN device to maintain the same identity while roaming to any network

Using any interface/medium and support multi-homing

‒ The LISP-MN device can change locationMove to a different network or use different interfaces

No disrupting the TCP connection established with the correspondent node

Applications bind to the identity of the mobile node

The network routes the packet to the location of the mobile node

‒ The LISP-MN device is, to all effects, a LISP site. LISP-MN functions are:Implemented in the network stack of the mobile device

Totally transparent to the applications

• LISP Mobile Node Concepts


LISP Mobile Node

295

EID-prefix: 2610:00D0:110E::1/128

172.16.0.1 10.0.0.1

Map-Server: 10.1.1.1

wifi 3G

This device is a LISP xTR !

What can a LISP-MN Device do? • Two MNs can roam and stay connected• MNs can be servers• MNs roam without changing DNS entries• MNs can use multiple interfaces• MNs can control ingress packet policy• Faster hand-offs• Low battery use by MS proxy-replying• And most importantly, packets have stretch of “1”

giving best for latency/delay sensitive applications

LISP-MN can scale to1 billion hand-sets!

• A LISP-MN Phone is a LISP Site!


LISP Mobile Node

296

4G Carrier 110.2.0.0/16

3G Carrier 2172.16.0.0/16

SP WiFi172.17.0.0.0/16

Mapping SystemMR MS MR MS

PI EID-prefix 192.168.1.0/24

LISP Site 1S

xTR1

ETRITR

xTR2

ETRITR



EID-prefix: 192.168.3.3/32Locator-set: 10.2.0.2, priority: 1, weight: 100

Map-Cache Entry

Session Continuity While Roaming!

4G 10.2.0.2

LISP MN

LISP-MN EID192.168.3.3/32

• LISP-MN Mobility: Any Network, Anytime, Anywhere…


LISP Mobile Node

297

4G Carrier 110.2.0.0/16

3G Carrier 2172.16.0.0/16

SP WiFi172.17.0.0.0/16

Mapping SystemMR MS MR MS

PI EID-prefix 192.168.1.0/24

LISP Site 1S

xTR1

ETRITR

xTR2

ETRITR



Session Continuity While Roaming!

LISP MN

LISP-MN EID192.168.3.3/32


Map-Cache Entry

WiFi 172.17.0.2

172.17.0.2 - <MS>LISP Map-Register

(udp 4342)SHA-2

192.168.3.3/32172.17.0.2

SMR

Map-Request

Map-Reply


Map-Cache Entry

• LISP-MN Mobility: Any Network, Anytime, Anywhere…


Home Automation Demo

SP-A Cisco

NAT-TRTR

Internet

intouch-ams-mr-ms-1LISP Mapping System

Yun LISP SitePI EID-prefix

2610:D0:218B::/48

2610:00d0:218b::1

2610:00d0:218b::300

2610:00d0:218b::11

MR/MS

173.36.254.184

intouch-ams-mr-ms-2

192.168.1.128158.38.1.92

2610:00d0:218b::301

SP-B

D1

PxTR

298

• Arduino Yun – Smallest LISP Mobile Node


Customer Example :: Partner Case Study

Communication and information solutions for public safety, transport, maritime and air traffic management verticals

LISP overlay for provider-independent reachability and networking

• Mobility E911 Services

299


LISP Mobile Node Embedded HardwareOpen Source LISP Software

300300

Architecture MIPS Atheros AP81 CPU 400 Mhz Atheros 9130-BC1EFlash 8 MB cFeon EN25P64 RAM 32 MB Samsung K4H561638JEthernet 100 Mbps RTL8306SDWireless Atheros 9102 802.11 b/g/n (integrated)

Serial / JTAG

Yes / Yes

USB Yes 1x 2.0

Architecture MIPS Atheros AR7161CPU 680 Mhz Atheros 9130-BC1EFlash 16 MB Macronix MX25L12845EWI-10G RAM 64 MB 2 x Nanya NT5DS16M16CS-5TEthernet 1 Gbps RTL8366SR

WirelessAtheros AR9223 802.11b/g/n + Atheros AR9220 802.11a/n

Serial / JTAG Yes / YesUSB Yes 1x 2.0

Link

sys

WR

T160

NL

Net

gear

WN

DR

3700

v2


LISP Mobile NodeLISP-MN Mobility:

Website: http://lispmob.org/

GIThub: https://github.com/LISPmob/

Mailing lists:• [email protected]• [email protected]• [email protected]

IRC: #lispmob channel on Freenode

Twitter: https://twitter.com/LISPmob

301


4G LTE

Businesses are looking for ways to reduce costs, increase revenue, and improve business continuity.

• 4G LTE wireless connectivity is 10 to 15 times faster and has 5 times lower latency than 3G• 4G LTE allows a small enterprise branch office or remote office to set up comprehensive

services in a matter of hours, without worrying about availability of broadband services and the need for laying down the lines

• Wireless carriers offer flexible, usage-based data plans that can be catered to meet the needs and price points of the business customer

• As WAN backup alternatives, 3G and 4G LTE wireless offer greater WAN diversity and resiliency because they are independent of the local terrestrial infrastructure

• The Cisco 819 enables businesses to stay productive during service provider downtime or a network failure.

• Business Drivers

302


Platforms

Nonhardened Cisco 819 Integrated Services Router Hardened Cisco 819 Integrated Services Router

The Cisco 819 Series Integrated Services Router• The Cisco 819 Series Integrated Services Router includes support for 4G LTE

wireless WAN (WWAN) speeds• The hardened Cisco 819HG extends the ISR M2M Gateway footprint and provides

deployment flexibility• The Cisco 819HG is an ideal solution for stationary and mobile environments where

space, heat dissipation, exposure to extreme temperatures, harsher environments, and low power consumption are critical factors

• Cisco 819 Series

303


LISP MobilityCustomer Example :: Cisco Live US 2013 Transportation System

304

xTR-A xTR-B

WIFI

Telemetry Processor

LISP Beta Network

MSMRPxTRRTR

IP Cameras

AT&T 4G LTEPrivate IP NAT

Verizon 4G LTEPublic IP

Onboard WiFi

Internet / WAN

CL Orlando WoS

xTR UCS

VSM VM

VSOM VM

Fleet MgmtIPv6 Internet

WIFI

Telemetry Processor

IP Cameras

AT&T 4G LTEPrivate IP NAT

Onboard WiFi

35 Buses Operational Throughout the Event

New LISP Features


New LISP FeaturesLISP Local EID Database Route Import Enables dynamic creation of local EID database entries, with locators,

priorities, and weights, by direct redistribution from the RIB– Configured on ETRs, database “route-import” includes:

• Options for import from connected, static, IGP and BGP RIB entries• Options for use of route-map for filtering, and “maximum-prefix” values

SERVERSUSERS USERS

OSPF

MS/MR MS/MR

xTRxTR

Map-Register10.0.1.0/2410.50.1.0/24

router ospf 1 network 10.0.1.0 0.0.0.255 area 0 network 10.50.1.0 0.0.0.255 area 0!router lisp locator-set RED ipv4-interface gig0/0 priority 1 weight 50 auto-discover-rlocs eid-table default instance-id 0 ipv4 route-import database ospf 1 locator-set RED exit !

306


New LISP FeaturesLISP Local Map-Cache Route Import Enables dynamic creation of local EID map-cache entries with

action “send-map-request” (for use by a PITR), by direct redistribution from the RIB– Configured on PITRs (typically), map-cache route import

now includes:• Options for import from connected, static, IGP and BGP RIB entries• Options for use of route-map for filtering, and “maximum-prefix” values

– Typically used in concert with a Map-Server that is “exporting” registered EID prefixes into the RIB (see “route-export”)

non-LISP Sites

LISP Sites

IPv4 Internet(example)

PxTR MSMR

xTR xTRxTR

eBGP

CECE

!router lisp eid-table default instance-id 0 ipv4 route-export site-registration ---<etc.>---!

!router lisp eid-table default instance-id 0 ipv4 route-import map-cache bgp 65001 route-map ABC ---<etc.>---!

307


non-LISP Sites

LISP Sites


PxTR MSMR

xTR xTRxTR

eBGP

CECE

New LISP FeaturesLISP Map-Server Route Export From Site Registration Enables a Map-Server to export registered EID prefixes into the RIB

– The EID prefixes from “registered” LISP sites are automatically exported to the RIB as LISP (“l”) routes• Once in the RIB, these EID prefixes can be redistributed

into other routing protocols for desired use• It is possible to manipulate the administrative distance of the

routes inserted by LISP

– Typically used in concert with a PITR that is “importing” registered EID prefixes in order to:a. Automatically populate its

map-cache, andb. Automatically learn prefixes

to 'advertise’ into non-LISP space to 'attract traffic’ to the PITR

!router lisp eid-table default instance-id 0 ipv4 route-import map-cache bgp 65001 route-map ABC ---<etc.>---!

!router lisp eid-table default instance-id 0 ipv4 route-export site-registration ---<etc.>---!

308


New LISP FeaturesLISP Integrated MS/PITR Map Cache Population From Site Registration Enables the dynamic creation of local EID map-cache entries with

action “send-map-request” (for use by the PITR function) by direct installation from the Map-Server function– Configured on a “combination” Map-Server/PITR– When LISP sites register, their EID prefixes automatically get

installed as “map-cache send-map-request” entries on the PITR• Note: If the PITR requires knowledge of registered EID prefixes in its RIB for

automating ’EID advertisement’ into non-LISP space to 'attract traffic,’ use of the “[ipv4 | ipv6] route-export site-registration” command is still required

non-LISP Sites

LISP Sites


xTR xTRxTR

CECE

PxTRMSMR

!router lisp eid-table default instance-id 0 ipv4 map-cache site-registration ---<etc.>---!

309

LISP Status


LISP StatusLISP RFCs and notable drafts…

IETF LISP WG: http://tools.ietf.org/wg/lisp/

Draft TargetLISP Canonical Address Format (draft-ietf-lisp-lcaf-04) Active Working Group Document

LISP Deployment (draft-ietf-lisp-deployment-11) Active Working Group Document

LISP SEC (draft-ietf-lisp-sec-05) Active Working Group Document

LISP DDT (draft-fuller-lisp-ddt-01) Active Working Group Document

LISP Introduction (draft-ietf-lisp-introduction-03) Active Working Group Document

LISP Mobile Node (draft-meyer-lisp-mn-10) Related Working Group Document

LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05) Related Working Group Document

LISP GPE (draft-lewis-lisp-gpe) Related Working Group Document

LISP Deployment (draft-ietf-lisp-deployment-12) RFC-Editor’s Queue

LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04)

Related Internet Draft

LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00)

Related Internet Draft

RFCsLocator/ID Separation Protocol (LISP) base document

RFC 6830

LISP Map Server RFC 6833LISP Interworking RFC 6832LISP Multicast RFC 6831LISP Internet Groper RFC 6835LISP Map Versioning RFC 6834LISP+ALT RFC 6836LISP MIB RFC 7052

LISP Network Element Deployment Considerations

RFC 7215

311


LISP Community Operated:– More than 5+ years of operation…– More than ~600 Sites, 40 countries…

Interoperable LISP implementations:– Cisco

• IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)• Cisco IOS-XR (CRS3, ASR9K)• Cisco NX-OS (N7K)

– AVM “FRITZ!Box”– OpenWrt– Open Source

• FreeBSD: OpenLISP• Linux: Aless, LISPmob, OpenWrt• Android

LISP StatusLISP Beta Network – international deployments

Plus some others… ;-)

http://www.lisp4.net

http://vinciconsulting.com/vxnet

http://www.lisp.intouch.eu/

http:/lisp.isarnet.net/

and more…

312


LISP StatusLISP Software – Available Features:: By operating System

Cisco Releases (http://lisp.cisco.com)

Features

Roles:- ITR/ETR- PITR/PETR- MS/MR- RTR

AF Support- EID v4/v6- RLOC v4/v6

Virtualization- Shared/Parallel

Mobility- ESM/ASM- Multi-Hop

Multicast NAT-Traversal

IOS IOS-XE NX-OS IOS-XR Cat 6K

roadmap

testing

v4 only

testing testing

roadmap

5.3.0

roadmap

roadmap

roadmap

shared

v4 only

roadmaproadmap

roadmap

roadmap

roadmap

ASM 15.2(1)SY

ASR9kroadmap

313


LISP StatusLISP Software – Available Releases :: IOS Platforms


ISRG1- 1800 Series- 2800 Series- 3800 Series

Mainline Build:- 15.4(2)T

Engineering:- 15.3(3)XB12

Engineering Build:- 15.3(3)XB12

Hardware Software Notes/Caveats

ISRG2- 800 Series- 1900 Series- 2900 Series- 3900 Series

ISRs are EOS/EOL (Cisco support rules apply).

LISP features require “datak9” or “securityk9” licensehttp://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html

314


LISP StatusLISP Software – Available Releases :: IOS-XE Platforms


ASR1K- 1001 Series- 1002 Series- 1004 Series- 1006 Series- 1013 Series- 4451-X

Mainline Build:- 3.12.0S (15.4-2.S)

Engineering Build:- 3.10.01xb.S


CSR1KV- Cisco CSR1KV- Amazon Web Srvc

LISP features require “Advanced IP Services” or “Advanced Enterprise Services” license

LISP features require “Premium” licensehttp://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg/csroverview.html

Mainline Build:- 3.12.0S (15.4-2.S)

Engineering Build:- 3.10.01xb.S

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/product_bulletin_c25-448387.html

http://www.cisco.com/c/dam/en/us/products/collateral/routers/cloud-services-router-1000v-series/sales-tool-c96-730727.pdf

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/csa/configuration/xe-3s/asr903/csa-xe-3s-asr-903-book/csa-cfg-sw-activation.html

315


LISP StatusLISP Software – Available Releases :: NX-OS Platforms


Nexus 7000 Mainline Build:- 6.2(8)


Nexus 7700 LISP requires EPLD updated so that FE Bridge is at version 186.008:

Mainline Build:- 6.2(8)

Requires M1-32 LC modules. F1 modules and the F2e LC module can be used for LISP using proxy forwarding to an installed M1-32 LC module.

Beginning with NX-OS 7.1.0, F3 modules will also support LISP

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/epld/epld_rn_6-0.html#wp152570

The Transport Services license must be installed to enable LISPhttp://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/data_sheet_c78-437306.html

316


LISP StatusLISP Software – Available Releases :: IOS-XR Platforms


ASR 9000 Mainline Build:- 5.2.0


CRS 3

LISP features available in base image

Mainline Build:- 5.2.0

Requires Typhoon line cards:

Supports basic LISP xTR and PxTR functionality only

http://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116726-qanda-product-00.html

317


LISP StatusLISP Software – Available Releases :: CATOS Platforms


Catalyst 6500 Mainline Build:- 15.1.2-SY2

Hardware Software Notes/Caveats Requires Sup2T supervisor engine and WS-X6904-

40GE or WS-X6908-10G line cards Supports xTR (IPv4-only RLOC), shared mode

virtualization, PxTR, MS and MR

Catalyst 6800 Mainline Build:- 15.1.2-SY2

6880-X (semi-fixed chassis) - supported on all ports at FCS: 15.1(2)SY1 for the baseboard and 15.1(2)SY2 for the port cards

6807-XL (modular chassis) - supported with Sup2T and 6900 series line cards (6908 and 6904) at FCS: 15.1(2)SY1 (not supported natively on Sup2T, need 6900 modules for encap/decap)

Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR

318

LISP Summary


LISP ReferencesLISP Sessions at Cisco Live US 2014…

Session Sunday, 18 MayTECRST-3191 - Advanced - LISP Technical Seminar 8:00 AM - 5:00 PM

LTRRST-2014 - Routing for Host/VM-Mobility Using LISP 8:00 AM - 12:00 PM

TECCRS-2003 - Advanced WAN Design Topics 8:00 AM - 5:00 PM

TECDCT-2181 - Deployment Considerations for Interconnecting Distributed Virtual Data Centers 8:00 AM - 5:00 PM

TECDCT-2432 - Virtualized Multi-service Data Center (VMDC) Architectures & Orchestration for Cloud 8:00 AM - 5:00 PM

TECDCT-3297 - Operating and Deploying NX-OS Nexus Devices in the Network Infrastructure 1:00 PM - 5:00 PM

Session Tuesday, 20 MayLTRRST-2014 - Routing for Host/VM-Mobility Using LISP 8:00 AM - 12:00 PM

BRKDCT-2131 - Mobility and Virtualization in the Data Center with LISP and OTV 8:00 AM - 9:30 AM

BRKDCT-2335 - Design consideration for security services spanned across Data Center Interconnect 8:00 AM - 9:30 AM

BRKRST-3045 - Advanced - LISP - A Next Generation Networking Architecture 12:30 PM - 2:30 PM

BRKSEC-2054 - Group Encryption Transport (GET) Your VPNs Secured 12:30 PM - 2:30 PM

BRKDCT-2337 - Virtual Services for Scalable Multi-tenant Cloud Architectures 12:30 PM - 2:30 PM

BRKDCT-3060 - Deployment Challenges with Interconnecting Data Centres 3:00 PM - 5:00 PM

320


LISP ReferencesLISP Sessions at Cisco Live US 2014…

Session Wednesday, 21 MayBRKDCT-3434 - Enabling a Secure Hybrid Cloud Extension with CSR 1000V and LISP 8:00 AM - 9:30 AM

BRKRST-2044 - Enterprise Multi-Homed Internet Edge Architectures 8:00 AM - 9:30 AM

BRKRST-3047 - Troubleshooting LISP 1:30 PM - 3:30 PM

CCSDCT-1100 - Simplifying Data-Center migration using LISP, from 42 years to 2 years 3:00 PM - 4:00 PM

BRKDCT-2328 - Evolution of Network Overlays in Data Center Clouds 4:00 PM - 5:30 PM

Session Thursday, 21 MayBRKDCT-3237 - Versatile architecture using Nexus 7000 with a mix of F and M modules to deliver FEX, FabricPath, Multihop FCoE, MPLS and LISP all at the same time

12:30 PM - 2:00 PM

BRKARC-2023 - Building Hybrid Clouds with the CSR 1000v 12:30 PM - 2:00 PM

BRKRST-2045 - Advancements in L3 VPN over IP in the WAN 2:30 PM - 2:00 PM

321


LISP ReferencesLISP Information

LISP Mailing ListsCisco LISP Questions ……………… [email protected] LISP Working Group ………… [email protected] Interest (public) ………………. [email protected] Questions ………………... [email protected]

LISP InformationCisco LISP Site ……………………. http://lisp.cisco.com (IPv4 and IPv6)Cisco LISP Marketing Site ………... http://www.cisco.com/go/lisp/LISP Beta Network Site …………… http://www.lisp4.net or http://www.lisp6.netLISP DDT Root ……………………... http://www.ddt-root.orgIETF LISP Working Group ……...… http://tools.ietf.org/wg/lisp/

322


LISP SummaryPart of the LISP Solution Space

LISP is an Architecture…

IPv4 Core

IPv4 Core

v4

IPv4 Network

xTR

xTR

1. Multihoming2. IPv6 Transition3. Virtualization/VPN4. Mobility

323


v6



IPv4 Core

IPv6 Core

v4

IPv4 Network

xTR

xTR


IPv6 Network

324


v6



IPv4 Core

IPv6 Core

v4

IPv4 Network

xTR

xTR


IPv6 Network

325


v6



IPv4 Core

IPv6 Core

v4

IPv4 Network

xTR

xTR


IPv6 Network

Server

Server

326


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include – Your favorite speaker’s Twitter handle– Two hashtags: #CLUS #MyFavoriteSpeaker

• Submit an entry for one or more of your “favorite” speakers!

• Please follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner


Complete Your Online Session Evaluation

• Give us your feedback and youcould win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile appor visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

328

https://www.ciscolive.com/online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

329


LISP and QoSQOS Handling Support :: CoS default (copy)

LISP0

ENCAP

DECAP

lookup

LISP0ingress

features

lookup

LISP0egress

features

egress feature

s

ingress feature

slookup

lookup

ingress feature

s

egress feature

s

ENCAP

DECAP

Inner Header retains original DSCP

marking

5.

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9

Inner Header

has customer

DSCP markings

1.

Cust A172.16.4.0/24

172.16.4.9

UD

P

LISP

dscp

: 18

src:

10.

1.1.

1ds

t: 10

.9.9

.9

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9

Default Action:Copy EID header

DSCP bits to RLOC header2.

PE-ASBR

PxTR

UD

P

LISP

dscp

: 18

src:

10.

1.1.

1ds

t: 10

.9.9

.9

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9✗✗Outer

Header Removed4.

dscp: 18src: 172.16.4.9

data

dst: 172.16.1.9

Cust A172.16.1.0/24

172.16.1.9

Default Action:Copy DSCP bits to MPLS EXP3.

332


LISP and QoSQOS Handling Support :: CoS rewrite

LISP0

ENCAP

DECAP

lookup

LISP0ingress

features

lookup

LISP0egress

features

egress feature

s

ingress feature

slookup

lookup

ingress feature

s

egress feature

s

ENCAP

DECAP

Inner Header retains original DSCP

marking

6.

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9

Inner Header

has customer

DSCP markings

1.

Cust A172.16.4.0/24

172.16.4.9

UD

P

LISP

dscp

: 18

src:

10.

1.1.

1ds

t: 10

.9.9

.9

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9

Default Action:Copy EID header

DSCP bits to RLOC header2.

PE-ASBR

PxTR

UD

P

LISP

dscp

: 30

src:

10.

1.1.

1ds

t: 10

.9.9

.9

dscp

: 18

src:

172

.16.

4.9

data

dst:

172.

16.1

.9✗✗Outer

Header Removed5.

dscp: 18src: 172.16.4.9

data

dst: 172.16.1.9

Cust A172.16.1.0/24

172.16.1.9

Class Name

Tier 1DSCP Values

COS1 30,31

PartnerDSCP Values

40COS2.etc.

3018,20

Egress Interface “service policy” RECOLORS RLOC HEADER according to EID

header marking3.

dscp

: 30

src:

10.

1.1.

1ds

t: 10

.9.9

.9

Default Action:Copy DSCP bits to MPLS EXP4.

333

advanced - lisp technical seminar

Documents