TECRST-3191 : Advanced LISP Technical Seminar

Report
Advanced - LISP Technical Seminar
TECRST-3191
Darrel Lewis, LISP Technical Leader
Gregg Schudel, LISP Technical Marketing Engineer
Marco Pessi, LISP Technical Marketing Engineer
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• Other LISP Topics, Status and Futures
• LISP Open Discussions
TECRST-3191
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Public
3
Advanced - LISP Technical Seminar
LISP Overview
TECRST-3191
Darrel Lewis, LISP Technical Leader
[email protected]
LISP Overview
Locator/ID Split and LISP
lisp.cisco.com
• Routing and Addressing Architecture of the Internet Protocol
 Addresses today combine location and identity semantics in a single 32-bit or 128-bit number
 Separating Location and Identity changes this…
– Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
– Translation vs. Tunneling is a key question
 Network Layer Identifier: WHO you are in the network
– Long-term binding to the thing that it names; does not change often at all
 Network Layer Locator: WHERE you are in the network
– Think of the source and destination “addresses” used in routing and forwarding
 WHERE you are can change! WHO you are should be the same!
LISP Overview
• Original Motivation…
• An IP address “overloads” location and identity
– Today… “addressing follows topology”
– Efficient aggregation is only available for Provider Assigned (PA) addresses
– Ingress Traffic Engineering usually requires Provider Independent (PI) addresses and the injection of “more specifics” :: this limits route aggregation compactness
– IPv6 does not fix this
• Route scaling issues drive system costs higher
– Forwarding plane (FIB) requires expensive memory
– Route scaling “drivers” are also seen in Data Centers and for Mobility :: not just the Internet DFZ
“… routing scalability is the most important problem facing the Internet today and must be solved … ”
Internet Architecture Board (IAB)
October 2006 Workshop (written as RFC 4984)
LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…
[Figure: the IPv4 Internet DFZ Routing Table carrying both Location and Identity. Enterprise Site 1 (AS 100, 64.1.0.0/16) connects via eBGP to Tier 1 SP Site 2 (AS 200, 12.0/8, link 12.1.1.2/30) and Commodity SP Site 3 (AS 300, 13.0/8, link 13.1.1.2/30); 64.1.0.0/16 and the more-specifics 64.1.0.0/17 and 64.1.128.0/17 are carried through the Transit SP into the DFZ.]
LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…
• Let’s put ID address and Locator address in different databases
• Let’s create a “level of indirection” between ID and LOCATION in the network!
Clear Separation at the Network Layer::
• who/what you are looking for vs. …
• how to best get there
Two Approaches::
• Translations (e.g. NAT) vs. …
• Tunnels (e.g. GRE, IPsec, MPLS)
What if Locator/ID Separation worked on a GLOBAL Scope? No need to carry all routing in the Forwarding Plane!
[Figure: the same topology (Site 1 Enterprise AS 100 64.1.0.0/16; Site 2 Tier 1 SP AS 200 12.0/8, 12.1.1.2/30; Site 3 Commodity SP AS 300 13.0/8, 13.1.1.2/30; Transit SP; IPv4 Internet), now with a LISP Mapping System drawn beside the DFZ Routing Table and Identity and Location labelled separately.]
LISP Overview
• Identity and Location :: an Overloaded Concept in Routing Today…
• Let’s scale the ID address databases to 10^10 and allow it to hold any prefix length (e.g. /32)
• Let’s provide a mechanism to provide on-the-fly resolution of ID and locator
• High scale design, and ability to change locator for fixed ID enables Mobility!
[Figure: the same topology, with the LISP Mapping System (Identity) drawn beside the DFZ Routing Table (Location).]
LISP Overview
• LISP :: A Routing Architecture – Not a Feature
LISP changes the routing architecture to implement a level of indirection between a host’s IDENTITY and its LOCATION in the network
LISP changes the current ROUTING Architecture
• Changes lead to DISRUPTION
• Disruption leads to OPPORTUNITIES
• LISP allows both SPs and Enterprises to do remarkably different things than allowed by traditional approaches
• LISP enables NEW services (VPNs, IPv6, Mobility, “cloud”) in one, common, simple architecture
LISP Overview
• Locator/ID Separation :: The Mapping System is the Key
 A Mapping System is the key component of a Loc/ID separation architecture
– Mapping systems provide the control plane for the architecture
– Mapping systems represent the great opportunity for these architectures to excel
 Most of the time, users/operators think about the data plane
 The control plane is where the magic happens!
 Some general components of a mapping system to be aware of…
These affect how the system scales much differently than routing
state :: must scale to large numbers (such as 10^10) of hosts
rate :: must be small globally; damp reachability and mobility from globally impacting the system
latency :: must be low enough not to harm existing applications
scope :: must allow for both a global and a private scope for mapping
LISP Overview
• Locator/ID Separation :: Changing the Routing Architecture
 A Locator/ID Separation “architecture” helps solve other current network problems
 IPv4/IPv6 Co-existence at the “ID” and “Locator” spaces
– IPv4 and IPv6 can be implemented at the “ID” and/or “locator” spaces for simple integration
– In reality, anything can be an “ID” and carried over traditional cores (IPv4 and IPv6)
 e.g. RFID, VIN#, Geo-Location, MAC-Addr, etc. etc. etc.
 Scaling IP Mobility is very similar to scaling Internet Multihoming
– Mobility:: “ID” (unique address) moves from one network “location” to another network “location”
– Multihoming:: an “ID” (unique address) connects to multiple network “locations” simultaneously
– For both Mobility and Multihoming, the network must keep “more specific state” globally about where something is located at the current time
LISP Overview
• LISP :: A Routing Architecture – Not a Feature
 Uses pull vs. push routing
‒ OSPF and BGP are push models; routing stored in the forwarding plane
‒ LISP is a pull model; analogous to DNS; massively scalable
 An over-the-top technology
‒ Address Family agnostic
‒ Incrementally deployable
‒ End systems can be unaware of LISP
 Deployment simplicity
‒ No host changes
‒ Minimal CPE changes
‒ Some new core infrastructure components
 LISP use-cases are complementary
‒ Simplified multi-homing with Ingress Traffic Engineering; no need for BGP
‒ Address Family agnostic support
‒ Virtualization support
‒ End-host mobility without renumbering
 Enables IP Number Portability
‒ Never change host IPs; no renumbering costs
‒ No DNS changes; “name == EID” binding
‒ Session survivability
 An Open Standard
‒ Being developed in IETF (RFC 6830-6836, 7052)
‒ No Cisco Intellectual Property Rights
LISP Operations
lisp.cisco.com
• Main attributes of LISP
 LISP namespaces
‒ EID (Endpoint Identifier) is the IP address of a host – just as it is today
‒ RLOC (Routing Locator) is the IP address of the LISP router for the host
‒ EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs
 Network-based solution
 Address Family agnostic
 No host changes
 Minimal configuration
 Incrementally deployable (support LISP and non-LISP)
 No DNS changes
 Support for mobility
[Figure: EID Space sites behind xTRs, RLOC Space with the MS/MR, and a PxTR toward a Non-LISP site.
EID-to-RLOC mapping: EID a.a.a.0/24 -> RLOC w.x.y.1; b.b.b.0/24 -> x.y.w.2; c.c.c.0/24 -> z.q.r.5; d.d.0.0/16 -> z.q.r.5.
RLOC-space routing (Prefix -> Next-hop): w.x.y.1, x.y.w.2, z.q.r.5, z.q.r.5 -> e.f.g.h.]
LISP Operations
• LISP :: Mapping Resolution “Level of Indirection” DNS analog
 LISP “Level of Indirection” is analogous to a DNS lookup
‒ DNS resolves IP addresses for URLs, answering the “WHO IS” question
 DNS Name-to-IP URL Resolution: host -> DNS Server: [ who is lisp.cisco.com ] ? answer: [ 153.16.5.29, 2610:D0:110C:1::3 ]
‒ LISP resolves locators for queried identities, answering the “WHERE IS” question
 LISP Identity-to-locator Mapping Resolution: LISP router -> LISP Mapping System: [ where is 2610:D0:110C:1::3 ] ? answer: [ locator is 128.107.81.169, 128.107.81.170 ]
LISP Operations
• LISP IPv4 EID / IPv4 RLOC Data Packet Header Example
[Figure: header stack, outer to inner: IPv4 Outer Header (ITR supplies RLOCs), UDP Header, LISP Header, IPv4 Inner Header (Host supplies EIDs).]
LISP Operations
• LISP Encapsulation Combinations – IPv4 and IPv6 Supported
[Figure: four stacks, each Outer Header / UDP / LISP / Inner Header: IPv4/IPv4, IPv4/IPv6, IPv6/IPv4, IPv6/IPv6.]
Q: Doesn’t encapsulation cause MTU issues?
A: It can… But preparation limits issues…
‒ Encapsulation overhead is 36B IPv4 and 56B IPv6
‒ LISP supports “stateful” (PMTUD) and “stateless” (fragmentation) options
‒ Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable
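To make the header stack and the overhead figures concrete, the following is an added Python example (it is not code from the slides or from Cisco) that builds and parses a LISP data packet using the RFC 6830 header layout: an outer IP header carrying the RLOCs, UDP to port 4341, the 8-byte LISP header (flags, 24-bit nonce, then locator-status-bits or instance-id), and the untouched inner packet carrying the EIDs. The EIDs, RLOCs, nonce, UDP source port and payload are constructed sample values; the inner IPv6 packet uses next-header 59 (no next header) so no transport header is needed. The 36-byte and 56-byte overheads quoted above fall straight out of the header sizes (20+8+8 and 40+8+8), and the ETR side refuses packets with a bad outer checksum, the wrong protocol or the wrong destination port.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341   # LISP data plane; the control plane uses UDP 4342
UDP_PROTO = 17


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto):
    """20-byte IPv4 header, no options, DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src, dst, payload_len, next_header):
    """40-byte IPv6 header: version 6, zero traffic class and flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def lisp_header(nonce, lsbs, instance_id=None):
    """8-byte LISP header: N|L|E|V|I|flags + 24-bit nonce, then either 32 locator-status-bits
    or, with the I bit set, a 24-bit instance-id followed by 8 locator-status-bits."""
    flags = 0x80 | 0x40                      # N: nonce present, L: locator-status-bits present
    if instance_id is None:
        second = lsbs & 0xFFFFFFFF
    else:
        flags |= 0x08                         # I: instance-id carried in the second word
        second = ((instance_id & 0xFFFFFF) << 8) | (lsbs & 0xFF)
    return struct.pack("!II", (flags << 24) | (nonce & 0xFFFFFF), second)


def encapsulate(inner, src_rloc, dst_rloc, nonce, lsbs, instance_id=None):
    """ITR side: prepend outer IP (RLOCs chosen by the ITR) / UDP 4341 / LISP header to the host's packet."""
    lisp = lisp_header(nonce, lsbs, instance_id)
    udp_len = 8 + len(lisp) + len(inner)
    # The UDP source port is normally a hash of the inner 5-tuple so core ECMP spreads flows;
    # a constant (constructed) value is used here. A zero outer UDP checksum is permitted.
    udp = struct.pack("!HHHH", 0xF5E0, LISP_DATA_PORT, udp_len, 0)
    if ipaddress.ip_address(dst_rloc).version == 4:
        outer = ipv4_header(src_rloc, dst_rloc, udp_len, UDP_PROTO)
    else:
        outer = ipv6_header(src_rloc, dst_rloc, udp_len, UDP_PROTO)
    return outer + udp + lisp + inner


def decapsulate(packet):
    """ETR side: validate and strip the outer headers; return RLOCs, LISP fields and the inner packet.
    Raises ValueError on anything that is not a well-formed LISP data packet."""
    version = packet[0] >> 4
    if version == 4:
        off = (packet[0] & 0x0F) * 4
        if ipv4_checksum(packet[:off]) != 0:
            raise ValueError("bad outer IPv4 checksum")
        proto, src, dst = packet[9], packet[12:16], packet[16:20]
    elif version == 6:
        off = 40
        proto, src, dst = packet[6], packet[8:24], packet[24:40]
    else:
        raise ValueError("unknown outer IP version")
    if proto != UDP_PROTO:
        raise ValueError("outer protocol is not UDP")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[off:off + 8])
    if dport != LISP_DATA_PORT or off + udp_len > len(packet):
        raise ValueError("not a LISP data packet")
    first, second = struct.unpack("!II", packet[off + 8:off + 16])
    flags, nonce = first >> 24, first & 0xFFFFFF
    if flags & 0x08:
        instance_id, lsbs = second >> 8, second & 0xFF
    else:
        instance_id, lsbs = None, second
    return {"src_rloc": str(ipaddress.ip_address(src)), "dst_rloc": str(ipaddress.ip_address(dst)),
            "nonce": nonce, "lsbs": lsbs, "instance_id": instance_id,
            "inner": packet[off + 16:off + udp_len]}


def is_valid_lisp_packet(packet):
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


# Constructed sample inner packet: host S (EID 2001:db8:1::1) to D (EID 2001:db8:2::1).
INNER = ipv6_header("2001:db8:1::1", "2001:db8:2::1", 5, 59) + b"hello"


def overhead(src_rloc, dst_rloc):
    """Encapsulation overhead in bytes for RLOCs of the given address family."""
    return len(encapsulate(INNER, src_rloc, dst_rloc, nonce=0xABCDEF, lsbs=0x3)) - len(INNER)
```

`overhead("11.0.0.2", "12.0.0.2")` gives 36 and `overhead("2001:db8:f::1", "2001:db8:e::1")` gives 56, which is why an IPv4-RLOC core needs at least 36 bytes of MTU headroom (or PMTUD/fragmentation handling) beyond the largest host packet.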
LISP Operations
• LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
ITR – LISP Ingress Tunnel Router
‒ Receives packets from site-facing interfaces
‒ Encap to remote LISP sites, or native-fwd to non-LISP sites
ETR – Egress Tunnel Router
‒ Receives packets from core-facing interfaces
‒ De-cap and deliver packets to local EIDs at site
[Figure: LISP Site 1 (host S, PI EID-prefix 2001:db8:1::/48) with xTR-1 toward Provider A 10.0.0.0/8 and xTR-2 toward Provider B 11.0.0.0/8; LISP Site 2 (host D, PI EID-prefix 2001:db8:2::/48) with xTR-3 toward Provider C 12.0.0.0/8 and xTR-4 toward Provider D 13.0.0.0/8; every xTR acts as both ITR and ETR; packet flow S -> D.]
LISP Operations
• LISP Data Plane :: Unicast Packet Flow
Map-Cache Entry
EID-prefix: 2001:db8:2::/48
Locator-set:
12.0.0.2, priority: 1, weight: 50
13.0.0.2, priority: 1, weight: 50
This policy controlled by the destination site
[Figure, steps 1–7: DNS entry D.abc.com AAAA 2001:db8:2::1; S (LISP Site 1, 2001:db8:1::/48) sends 2001:db8:1::1 -> 2001:db8:2::1; ITR xTR-2 (11.0.0.2) encapsulates it as 11.0.0.2 -> 12.0.0.2 across Provider B/Provider C; ETR xTR-3 (12.0.0.2) decapsulates and delivers 2001:db8:1::1 -> 2001:db8:2::1 to D (LISP Site 2, 2001:db8:2::/48). Other RLOCs: xTR-1 10.0.0.2 (Provider A), xTR-4 13.0.0.2 (Provider D).]
LISP Operations
• LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
Identical configs on both xTRs!
!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
!
[Figure: the same two-site topology (Site 1: xTR-1 10.0.0.2 Provider A, xTR-2 11.0.0.2 Provider B, 2001:db8:1::/48; Site 2: xTR-3 12.0.0.2 Provider C, xTR-4 13.0.0.2 Provider D, 2001:db8:2::/48); the configuration shown is for the Site 2 xTRs.]
LISP Operations
• LISP Packet Forwarding – ITR
[Flowchart, reconstructed as a decision list:]
Ingress Packet -> Check source address of the packet to be forwarded: Is SRC within local EID prefix?
  NO -> Packet NOT ELIGIBLE for LISP encapsulation; native forwarding rules apply -> Forward Packet Natively
  YES -> Packet ELIGIBLE for LISP encapsulation -> Destination lookup in routing table (RIB) (show ip route): Is a route matched for 1. default route (0.0.0.0/0 or ::/0) or 2. “no route”?
    NO -> Forward Packet Natively (1)
    YES -> Check Map-Cache entries to see which one the destination matches (2):
      “fwd-encap” action? YES -> LISP Encap Pck to DST RLOC (3)
      “drop” action? YES -> Drop Packet
      “send-request” action? YES -> Send Map-Request to Map-Resolver; Drop Packet
      “forward-native” action -> use-petr configured? YES -> LISP Encap Pck to PETR (3); NO -> Is there a default route? (0.0.0.0/0 or ::/0) YES -> Forward Packet Natively; NO -> Drop Packet
NOTES:
1) If the destination doesn’t match a “default route” or “no route” – the only other possibility is a match against a “real route” with viable next-hop. This packet is not eligible for LISP encapsulation and is always forwarded natively (and will not use PETR if configured).
2) Because the LISP control plane function automatically installs a default map-cache entry with the action of “send-map-request,” there can never be a “map-cache miss.”
3) The packet is encapsulated and a destination address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
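The decision list above is easier to check against concrete packets in code. The following is an added Python model of the ITR decision as read from the flowchart; it is not Cisco’s implementation, and `ITR`, `longest_match`, the RIB/map-cache dictionaries, the next-hop labels and the extra map-cache entries (a drop entry and a forward-native entry from a Negative Map-Reply) are this example’s own constructs built from the slide topology. It encodes notes (1)–(3): a real route beats the map-cache, the pre-installed default send-map-request entry means a lookup never misses, and forward-native with a PETR configured encapsulates to the PETR.

```python
import ipaddress


def longest_match(addr, prefixes):
    """Longest-prefix match of addr against ip_network keys; None if nothing matches."""
    hits = [p for p in prefixes if p.version == addr.version and addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


class ITR:
    """Forwarding decision of a LISP ITR as drawn in the flowchart (a model, not Cisco code).
    rib: {prefix: next_hop}; a default route is 0.0.0.0/0 or ::/0.
    map_cache: {prefix: {"action": ..., "locators": [...]}}; petr: PETR RLOC or None."""

    def __init__(self, local_eid_prefixes, rib, map_cache, petr=None):
        self.local_eids = [ipaddress.ip_network(p) for p in local_eid_prefixes]
        self.rib = {ipaddress.ip_network(p): nh for p, nh in rib.items()}
        self.map_cache = {ipaddress.ip_network(p): e for p, e in map_cache.items()}
        self.petr = petr
        self.map_requests = []  # destinations a Map-Request would be sent for
        # Note (2): the control plane pre-installs a default map-cache entry with
        # action send-map-request, so a map-cache lookup can never miss.
        for default in ("0.0.0.0/0", "::/0"):
            self.map_cache.setdefault(ipaddress.ip_network(default), {"action": "send-map-request"})

    def forward(self, src, dst):
        """Return (disposition, target): ("native", next_hop), ("encap", rloc) or ("drop", None)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only packets sourced from a local EID prefix are eligible for LISP encapsulation.
        if longest_match(src, self.local_eids) is None:
            return ("native", None)
        # RIB lookup: a real route with a viable next-hop wins (note 1); a default route
        # or no route at all hands the packet to the map-cache.
        route = longest_match(dst, self.rib)
        if route is not None and route.prefixlen != 0:
            return ("native", self.rib[route])
        entry = self.map_cache[longest_match(dst, self.map_cache)]  # never None (note 2)
        action = entry["action"]
        if action == "fwd-encap":
            return ("encap", entry["locators"][0])  # note 3: outer lookup on the remote RLOC
        if action == "drop":
            return ("drop", None)
        if action == "send-map-request":
            self.map_requests.append(str(dst))  # resolve; the triggering packet is dropped
            return ("drop", None)
        if action == "forward-native":
            if self.petr is not None:
                return ("encap", self.petr)
            # No PETR: forward on the default route if there is one, otherwise drop.
            return ("native", self.rib[route]) if route is not None else ("drop", None)
        raise ValueError("unknown map-cache action: " + action)


def site1_itr(petr=None):
    """Constructed from the slides: Site 1's xTR-2 with EID prefix 2001:db8:1::/48.
    Next-hop labels and the drop/forward-native entries are sample values for the demo."""
    return ITR(
        local_eid_prefixes=["2001:db8:1::/48"],
        rib={"::/0": "provider-b-uplink", "2001:db8:1::/48": "connected"},
        map_cache={
            "2001:db8:2::/48": {"action": "fwd-encap", "locators": ["12.0.0.2", "13.0.0.2"]},
            "2001:8000::/21": {"action": "forward-native"},  # installed from a Negative Map-Reply
            "2001:db8:9::/48": {"action": "drop"},
        },
        petr=petr,
    )
```

With this model, a packet from 2001:db8:1::1 to 2001:db8:2::1 is encapsulated to 12.0.0.2, a packet to the site’s own 2001:db8:1::9 follows the connected route natively, a packet to 2001:db8:7::1 is dropped while a Map-Request is recorded, and a packet from a non-EID source is always forwarded natively regardless of the map-cache.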
LISP Operations
• LISP Control Plane :: Introduction
 LISP Control Plane Provides On-Demand Mappings
‒ Control Plane is separate from the Data Plane (UDP 4342 vs UDP 4341)
‒ Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)
‒ LISP Control Plane Messages for EID-to-RLOC resolution
‒ Distributed databases and map-caches hold mappings
LISP Operations
• LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
MR – Map-Resolver
‒ Receives Map-Request from ITR
‒ Forwards Map-Request to Mapping System
‒ Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
MS – Map-Server
‒ ETRs register their EID prefixes here; requires configured “lisp site” policy, authentication key
‒ Receives Map-Requests via Mapping System, forwards them to registered ETRs
[Figure: Mapping System (MR, MS) between LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48; xTR-1 10.0.0.2 Provider A 10.0.0.0/8, xTR-2 11.0.0.2 Provider B 11.0.0.0/8) and LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48; xTR-3 12.0.0.2 Provider C 12.0.0.0/8, xTR-4 13.0.0.2 Provider D 13.0.0.0/8).]
LISP Operations
• LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
LISP Site Mapping-Database (ETR)
‒ EID-to-RLOC mappings in all ETRs for local LISP site
‒ ETR is “authoritative” for its EIDs, sends Map-Replies to ITRs
‒ ETRs can tailor policy based on Map-Request source
LISP Map-Cache (ITR)
‒ Only stores mappings for sites the ITR is currently sending packets to
‒ Populated by receiving Map-Replies from ETRs
‒ ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)
[Figure: the same two-site topology with the Mapping System (MR, MS) in the middle.]
LISP Operations
• LISP Control Plane :: Control Plane Messages
 Control Plane EID Registration
‒ Map-Register message: Sent by ETR to Map-Server to register its associated EID prefixes
• Specifies RLOC(s) to be used by the MS when forwarding Map-Requests to the ETR
‒ Map-Notify message: Sent by Map-Server to an ETR to
• acknowledge successful registration of an EID prefix
 Control Plane “Data-triggered” mapping services
‒ Map-Request message: Sent by an ITR to Map-Resolver to
• learn an EID/RLOC mapping
• test an RLOC for reachability
• refresh a mapping before TTL expiration
• respond to a Solicit Map-Request (SMR)
Also sent by an ETR (with “S” bit set)
• as a Solicit Map-Request (SMR) to signal site change
‒ Map-Reply message: Sent by an ETR to an ITR
• in response to valid map-request to provide EID/RLOC mapping and site ingress policy for the requested EID
LISP Operations
• LISP Control Plane :: Map-Register
[Figure: (1) ETR xTR-3 sends LISP Map-Register (udp 4342), SHA2 HMAC, EID-prefix 2001:db8:2::/48, RLOCs 12.0.0.2, 13.0.0.2, as 12.0.0.2 -> 66.2.2.2 to the MS in the Mapping System (MR/MS 66.2.2.2); (2) other sites register their prefixes the same way (LISP Map-Register …). Topology as before: Site 1 xTR-1 10.0.0.2 / xTR-2 11.0.0.2 (2001:db8:1::/48), Site 2 xTR-3 12.0.0.2 / xTR-4 13.0.0.2 (2001:db8:2::/48).]
LISP Operations
• LISP Control Plane :: Map-Request/Map-Reply
[Figure, message sequence as labelled 1–6:]
1. DNS entry: D.abc.com AAAA 2001:db8:2::1; S sends 2001:db8:1::1 -> 2001:db8:2::1 toward ITR xTR-2 (11.0.0.2)
2. xTR-2: Is 2001:db8:2::1 a LISP Destination?
3. Map-Request (udp 4342), nonce, 11.0.0.2 / 2001:db8:2::1, carried in a LISP ECM (udp 4342) 11.0.0.2 -> 66.2.2.2 to the MR
4. The MS forwards the Map-Request in a LISP ECM (udp 4342) 66.2.2.2 -> 12.0.0.2 to ETR xTR-3
5. xTR-3 sends Map-Reply (udp 4342), nonce / TTL: 2001:db8:2::/48, 12.0.0.2 [1, 50], 13.0.0.2 [1, 50], as 12.0.0.2 -> 11.0.0.2
6. xTR-2 installs the Map-Cache Entry: EID-prefix: 2001:db8:2::/48; Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50
LISP Operations
• LISP Control Plane :: Map-Request/Proxy-Map-Reply
[Figure, message sequence as labelled 1–4:]
1. ETR xTR-3 registers with LISP Map-Register (udp 4342), SHA2 HMAC, Proxy-Bit Set, 2001:db8:2::/48, 12.0.0.2, 13.0.0.2, as 12.0.0.2 -> 66.2.2.2
2. ITR xTR-2 sends Map-Request (udp 4342), nonce, 11.0.0.2 / 2001:db8:2::1, in a LISP ECM (udp 4342) 11.0.0.2 -> 66.2.2.2 to the Mapping System
3. The MS answers directly with Map-Reply (udp 4342), nonce / TTL: 2001:db8:2::/48, 12.0.0.2 [1, 50], 13.0.0.2 [1, 50], as 66.2.2.2 -> 11.0.0.2
4. xTR-2 installs the Map-Cache Entry: EID-prefix: 2001:db8:2::/48; Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50
LISP Operations
• LISP Control Plane :: Map-Request/Negative-Map-Reply
Notes:
‒ When an ITR queries for a destination that is not in the Mapping System, the Map-Resolver returns an NMR.
‒ A TTL of 1-minute or 15-minutes is set depending on the space covered by the NMR.
[Figure, message sequence as labelled 1–4:]
1. S sends 2001:db8:1::1 -> 2001:db7:1::1 toward ITR xTR-2 (11.0.0.2)
2. xTR-2: Is 2001:db7:1::1 a LISP Destination? Map-Request (udp 4342), nonce, 11.0.0.2 / 2001:db7:1::1, in a LISP ECM (udp 4342) 11.0.0.2 -> 66.2.2.2 to the MR
3. Negative-Map-Reply (udp 4342), nonce / TTL, 2001:8000::/21, as 66.2.2.2 -> 11.0.0.2
4. xTR-2 installs the Map-Cache Entry: EID-prefix: 2001:8000::/21, forward-native
NOTE: The actual “covering prefix” returned in an NMR depends on the number and distribution of EID prefixes in the Mapping System. The NMR prefix will cover the shortest prefix that doesn’t cover any LISP Sites in the Mapping System.
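The Map-Register, Map-Request/Map-Reply and Negative-Map-Reply exchanges of the last few slides, written out as an added Python model with both sides of each message (this is not Cisco code and does not use the RFC wire format: messages are dictionaries and the SHA2 HMAC covers a canonical JSON encoding). It assumes the site names, keys (S3cr3t-1 / S3cr3t-2), EID prefixes and RLOCs from the slide configuration; the `MapServer`, `ETR` and `ITR` classes, the 1440-minute positive TTL and the 1-minute-versus-15-minute split (1 minute when the EID lies inside a configured site’s space but nobody has registered it, 15 minutes otherwise) are this example’s assumptions. The Map-Server rejects a registration whose HMAC does not verify under the policy of a site allowed to hold that prefix, the ITR only installs replies whose nonce matches a pending request, and the NMR covering prefix is computed by the rule in the slide’s note (the shortest prefix containing the queried EID that overlaps no registered prefix).

```python
import hashlib
import hmac
import ipaddress
import json
import os

CONTROL_PORT = 4342  # LISP control plane (UDP); data packets use 4341


def canonical(msg):
    """Deterministic encoding of a message with the auth field excluded (the bytes the HMAC covers)."""
    return json.dumps({k: v for k, v in msg.items() if k != "auth"}, sort_keys=True).encode()


def sha256_hmac(key, msg):
    return hmac.new(key.encode(), canonical(msg), hashlib.sha256).hexdigest()


def covers(prefix, target):
    """True if prefix contains target (an address or a network of the same address family)."""
    if prefix.version != target.version:
        return False
    if isinstance(target, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return target.subnet_of(prefix)
    return target in prefix


class ETR:
    def __init__(self, eid_prefix, locators, key):
        self.eid_prefix, self.locators, self.key = eid_prefix, locators, key

    def map_register(self):
        """Map-Register: EID prefix plus locator-set [rloc, priority, weight], authenticated with the site key."""
        reg = {"type": "Map-Register", "eid_prefix": self.eid_prefix, "locators": self.locators}
        reg["auth"] = sha256_hmac(self.key, reg)
        return reg


class MapServer:
    """Combined MS/MR. sites mirrors the 'lisp site' policy: {name: {"key": ..., "eid_prefixes": [...]}}."""

    def __init__(self, sites):
        self.sites = {n: {"key": s["key"], "prefixes": [ipaddress.ip_network(p) for p in s["eid_prefixes"]]}
                      for n, s in sites.items()}
        self.registered = {}  # ip_network -> locator list

    def handle_map_register(self, reg):
        eid = ipaddress.ip_network(reg["eid_prefix"])
        for site in self.sites.values():
            if not any(covers(p, eid) for p in site["prefixes"]):
                continue  # this site's policy does not allow the prefix
            if hmac.compare_digest(sha256_hmac(site["key"], reg), reg["auth"]):
                self.registered[eid] = reg["locators"]
                return {"type": "Map-Notify", "eid_prefix": str(eid)}
        return None  # wrong key, or a prefix no site is allowed to register: ignored

    def handle_map_request(self, req):
        eid = ipaddress.ip_address(req["eid"])
        hits = [p for p in self.registered if covers(p, eid)]
        if hits:
            best = max(hits, key=lambda p: p.prefixlen)
            return {"type": "Map-Reply", "nonce": req["nonce"], "eid_prefix": str(best),
                    "locators": self.registered[best], "ttl_min": 1440}
        # Negative Map-Reply: short TTL inside configured-but-unregistered site space (assumed split).
        in_site_space = any(covers(p, eid) for s in self.sites.values() for p in s["prefixes"])
        return {"type": "Negative-Map-Reply", "nonce": req["nonce"], "action": "forward-native",
                "eid_prefix": str(self.covering_prefix(eid)), "ttl_min": 1 if in_site_space else 15}

    def covering_prefix(self, eid):
        """Shortest prefix containing eid that overlaps no registered EID prefix (the rule in the slide's note)."""
        best = ipaddress.ip_network(eid)
        for plen in range(eid.max_prefixlen - 1, -1, -1):
            cand = ipaddress.ip_network(f"{eid}/{plen}", strict=False)
            if any(p.version == cand.version and p.overlaps(cand) for p in self.registered):
                break
            best = cand
        return best


class ITR:
    def __init__(self, resolver, rloc):
        self.resolver, self.rloc, self.map_cache, self.pending = resolver, rloc, {}, {}

    def resolve(self, eid):
        """Map-Request with a fresh 64-bit nonce; only a reply echoing a pending nonce is accepted."""
        nonce = int.from_bytes(os.urandom(8), "big")
        self.pending[nonce] = eid
        req = {"type": "Map-Request", "eid": eid, "nonce": nonce, "itr_rloc": self.rloc}
        return self.accept(self.resolver.handle_map_request(req))

    def accept(self, reply):
        if reply["nonce"] not in self.pending:
            return None  # unsolicited or replayed reply: never installed
        del self.pending[reply["nonce"]]
        entry = {"eid_prefix": reply["eid_prefix"], "ttl_min": reply["ttl_min"],
                 "action": "forward-native" if reply["type"] == "Negative-Map-Reply" else "fwd-encap",
                 "locators": reply.get("locators", [])}
        self.map_cache[ipaddress.ip_network(reply["eid_prefix"])] = entry
        return entry


def build_demo():
    """Constructed from the slide topology and the per-site MS/MR config (keys S3cr3t-1 / S3cr3t-2)."""
    ms = MapServer({"Site-1": {"key": "S3cr3t-1", "eid_prefixes": ["2001:db8:1::/48"]},
                    "Site-2": {"key": "S3cr3t-2", "eid_prefixes": ["2001:db8:2::/48"]}})
    xtr3 = ETR("2001:db8:2::/48", [["12.0.0.2", 1, 50], ["13.0.0.2", 1, 50]], "S3cr3t-2")
    return ms, xtr3, ITR(ms, "11.0.0.2")
```

With only Site 2 registered, a query for 2001:db7:1::1 yields an NMR for 2001:db0::/29 with a 15-minute TTL (the /28 would already overlap 2001:db8:2::/48), while a query for the configured but not yet registered 2001:db8:1::1 yields 2001:db8::/47 with a 1-minute TTL. The two defensive checks worth keeping in any implementation are the HMAC verification before a registration changes the database and the nonce check before a reply changes the map-cache.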
LISP Operations
• LISP Control Plane :: MS/MR Configuration example
!
router lisp
 site ALL
  authentication-key *******
  eid-prefix 2001:db8::/32 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
Alternative:
!
router lisp
 site Site-1
  authentication-key S3cr3t-1
  eid-prefix 2001:db8:1::/48
  exit
 !
 site Site-2
  authentication-key S3cr3t-2
  eid-prefix 2001:db8:2::/48
  exit
 !
 !-:: more LISP site configs
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
[Figure: Mapping System (MR/MS 66.2.2.2) with LISP Site 1 (S, 2001:db8:1::/48; xTR-1 10.0.0.2 Provider A, xTR-2 11.0.0.2 Provider B) and LISP Site 2 (D, 2001:db8:2::/48; xTR-3 12.0.0.2 Provider C, xTR-4 13.0.0.2 Provider D).]
LISP Operations
• LISP Control Plane :: Mapping-System Scaling
Scaling the LISP Mapping System
‒ Deploy multiple “stand-alone” Map-Servers and register each LISP Site to all of them (up to eight)
‒ Deploy Map-Resolvers in an “Anycast” manner
‒ Or, deploy a “hierarchical” Mapping System - DDT
DDT – Delegated Distributed Tree
‒ Hierarchy for Instance IDs and for EID Prefixes
‒ DDT Nodes Return Map-Referral messages
‒ DDT Map-Resolvers send (ECM) Map-Requests
‒ DDT Resolvers resolve the Map-Server’s RLOC iteratively
‒ Conceptually, similar to DNS (IN-ADDR hierarchy) but different prefix encoding, messages, etc.
The LISP Beta Network uses DDT today…
[Figure: LISP Delegated Database Tree: ddt-root at the top, ddt-tld nodes below it, DDT nodes below those, and MS/MRs with their xTRs and PxTRs at the leaves; stand-alone MR/MS pairs shown alongside.]
LISP Operations
• Public and Private LISP Deployment Models
Private Model
• “Private” LISP deployment supports single Enterprises or Entities
• LISP Enterprise deploys:
- xTRs
- Mapping System, if required
- Proxy System, if required
Public Model
• “Public” LISP deployment supports the needs of multiple Enterprises
• LISP Service Provider deploys “shared” Mapping System and Proxy System
• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs
[Figure: Private Enterprise Examples (Enterprise A, Enterprise B, Enterprise C, each a LISP Ent); Stand-Alone Example (LISP SP); Global Examples under ddt-root.org (LISP SP, NJEdge.Net, PCCC, CCC, MU, CCM, VXNet, BCC, InTouch, LISP Beta, Princeton).]
LISP Operations
• LISP Internetworking :: Day-One Incremental Deployment
 Early Recognition
‒ Up-front recognition of an incremental deployment plan
‒ LISP will not be widely deployed day-one
 Interworking for:
‒ LISP-sites to non-LISP sites (e.g. the rest of the Internet)
‒ non-LISP sites to LISP-sites
 Proxy-ITR/Proxy-ETR are deployed today
‒ Infrastructure LISP network entity
‒ Creates a monetized service opportunity for infrastructure players
LISP Operations
• LISP Internetworking :: Day-One Incremental Deployment
PITR – Proxy ITR
‒ Receives traffic from non-LISP sites; encapsulates traffic to LISP sites
‒ Advertises coarse-aggregate EID prefixes
‒ LISP sites see ingress TE “day-one”
PETR – Proxy ETR
‒ Allows LISP sites with u
RPF restrictions to reach non-LISP sites
‒ Allows an EID in one AF [IPv4 or IPv6] and RLOC [IPv6 or IPv4] to reach a non-LISP prefix in that same AF (AF-hop-over)
[Figure: Mapping System (MR/MS 66.2.2.2); a PITR facing the IPv6 Internet and a PETR facing the IPv4 Internet; LISP Site 1 (2001:db8:1::/48; xTR-1 10.0.0.2 Provider A, xTR-2 11.0.0.2 Provider B) and LISP Site 2 (2001:db8:2::/48; xTR-3 12.0.0.2 Provider C, xTR-4 13.0.0.2 Provider D).]
LISP Operations
• LISP Internetworking :: Day-One Incremental Deployment
[Figure, packet flow labelled 1–6: a Non-LISP v6 Site (2001:d:1::1) on the IPv6 Internet exchanges traffic with D (2001:db8:2::1) in LISP Site 2 (PI EID-prefix 2001:db8:2::/48; xTR-3 12.0.0.2, xTR-4 13.0.0.2). The PITR (labels 2001:f:f::1 / 2001:f:e::1) advertises 2001:db8::/32 into the IPv6 Internet and encapsulates 2001:d:1::1 -> 2001:db8:2::1 as 10.9.1.1 -> 12.0.0.2 across the IPv4 Internet to xTR-3; the return packet 2001:db8:2::1 -> 2001:d:1::1 is encapsulated by xTR-3 as 12.0.0.2 -> 12.9.2.1 toward the PETR, which decapsulates and forwards it natively; the site xTRs carry “ipv4 use-petr 12.1.1.1”. Mapping System MR/MS 66.2.2.2; LISP Site 1 (2001:db8:1::/48) unchanged.]
LISP Operations
• LISP Packet Forwarding – PITR
[Flowchart, reconstructed as a decision list:]
Ingress Packet -> Destination lookup for match in: routing table (1) AND map-cache with action “send-map-request” (2)
  Is match found? NO -> Drop Packet (3)
  YES -> Compare the 2 prefixes found; take the prefix with longest/most specific mask
    Does longest mask (or equal) prefix match against “send-map-request”? YES -> Send Map-Request to Map-Resolver; Drop Packet
    NO -> Packet ELIGIBLE for LISP encapsulation -> Check Map-Cache entries to see which one the destination matches:
      “fwd-encap” action? YES -> LISP Encap Pck to DST RLOC (5)
      “drop” action? YES -> Drop Packet
      “send-request” action? YES -> Send Map-Request to Map-Resolver; Drop Packet
      “forward-native” action -> use-petr configured? YES -> LISP Encap Pck to PETR (5); NO -> Forward Packet Natively (4)
NOTES:
1) The routing table look-up is done in the table specified in the “eid-table” command (default or vrf)
2) A map-cache entry with action “map-request” is created either by a static entry or via the “route-import” mechanism
3) If the destination doesn’t match a RIB route or “send-map-request” map-cache entry, then the only other possible result is the PITR has no forwarding route. The packet is dropped and a “network unreachable” ICMP is generated.
4) The destination is not a LISP EID and a RIB route is available.
5) Address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
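The PITR differs from the ITR in one step: the RIB and the map-cache are consulted together and the longer of the two matches decides. The following is an added Python model of that decision as read from the flowchart (not Cisco’s implementation; `PITR`, `longest_match`, the next-hop labels and the RIB/map-cache contents are this example’s own constructs, built from the slide topology where a PITR imports the 2001:db8::/32 aggregate as a send-map-request entry). It covers notes (3), (4) and (5): no match at all is a drop with an ICMP unreachable, a RIB route that is more specific than any map-cache entry means the destination is not a LISP EID, and a winning fwd-encap entry selects the remote RLOC.

```python
import ipaddress


def longest_match(addr, prefixes):
    """Longest-prefix match of addr against ip_network keys; None if nothing matches."""
    hits = [p for p in prefixes if p.version == addr.version and addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


class PITR:
    """PITR forwarding decision as drawn in the flowchart (a model, not Cisco code).
    rib: {prefix: next_hop}, looked up in the eid-table's table (note 1).
    map_cache: {prefix: entry}; send-map-request entries come from static config or route-import (note 2)."""

    def __init__(self, rib, map_cache, petr=None):
        self.rib = {ipaddress.ip_network(p): nh for p, nh in rib.items()}
        self.map_cache = {ipaddress.ip_network(p): e for p, e in map_cache.items()}
        self.petr = petr
        self.map_requests = []

    def forward(self, dst):
        """Return (disposition, detail): ("encap", rloc), ("native", next_hop) or ("drop", reason)."""
        dst = ipaddress.ip_address(dst)
        route = longest_match(dst, self.rib)
        cache = longest_match(dst, self.map_cache)
        if route is None and cache is None:
            return ("drop", "icmp network unreachable")  # note 3
        # Take the prefix with the longest mask; an equal mask goes to the map-cache
        # ("longest (or equal)" in the flowchart).
        if cache is not None and (route is None or cache.prefixlen >= route.prefixlen):
            entry = self.map_cache[cache]
            action = entry["action"]
            if action == "send-map-request":
                self.map_requests.append(str(dst))  # resolve; this packet is dropped
                return ("drop", "map-request sent")
            if action == "fwd-encap":
                return ("encap", entry["locators"][0])  # note 5
            if action == "drop":
                return ("drop", None)
            if action == "forward-native":
                return ("encap", self.petr) if self.petr else ("native", self.rib.get(route))
            raise ValueError("unknown map-cache action: " + action)
        return ("native", self.rib[route])  # note 4: not a LISP EID, RIB route available


def demo_pitr(petr=None):
    """Constructed PITR state: the non-LISP v6 site 2001:d::/32 from the slide is a RIB route, the
    2001:db8::/32 EID aggregate is a route-imported send-map-request entry, Site 2's mapping has
    already been resolved, and 2001:db8:3::/48 is a sample non-LISP route inside the aggregate."""
    return PITR(
        rib={"2001:d::/32": "2001:f:e::1", "2001:db8:3::/48": "2001:f:e::1"},
        map_cache={
            "2001:db8::/32": {"action": "send-map-request"},
            "2001:db8:2::/48": {"action": "fwd-encap", "locators": ["12.0.0.2", "13.0.0.2"]},
            "2001:8000::/21": {"action": "forward-native"},
        },
        petr=petr,
    )
```

Run against the constructed state, 2001:db8:2::1 is encapsulated to 12.0.0.2, 2001:db8:7::1 triggers a Map-Request, 2001:db8:3::1 goes natively because the /48 RIB route beats the /32 cache entry, and 2001:e::1 is dropped with an unreachable.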
LISP Operations
• LISP Locator Reachability….
 When RLOCs go up and down:
‒ We don’t want this reflected in mapping database; must keep the rate factor small
 Use following mechanisms:
‒ locator-status-bits in data packets and mapping data
‒ Data reception heuristics when available
‒ ICMP Unreachables, when sent and accepted
‒ Underlying BGP where available
 Only use probing when needed:
‒ Pair-wise probing won’t scale
[Figure: LISP Site 1 (S; xTR-S1 10.0.0.2 via Provider A 10.0.0.0/8, xTR-S2 11.0.0.2 via Provider B 11.0.0.0/8) and LISP Site 2 (D; xTR-D1 12.0.0.2 via Provider X 12.0.0.0/8, xTR-D2 13.0.0.2 via Provider Y 13.0.0.0/8), each xTR an ETR/ITR pair; RLOC reachability marked ? or ✔.]
LISP Operations
• LISP RLOC Reachability Concepts
Reachability options
“Routing” information when you have it
 E.g. PE-CE links in BGP in MPLS
Direct “data plane” packet flows
 LISP exclusive “locator status bits” describe “status” of source site RLOCs to receiving sites
 Available (automatically) in LISP
 Useful for bi-directional traffic flows
RLOC-Probing
 Source site “probes” destination RLOCs of active conversations
 Available in LISP
 Useful for updating reachability info when unidirectional traffic is prevalent
LISP Operations
• LISP Locator-Reachability Bits (LSB) example
Mapping Entry
EID-prefix: 2001:db8:2::/48
Locator-set:
12.0.0.2, priority: 1, weight: 50 (D1) -> ordinal 0
13.0.0.2, priority: 1, weight: 50 (D2) -> ordinal 1
LSBs provide “data plane” reachability info
[Figure: Site 1 (S; xTR-1 10.0.0.2 Provider A, xTR-2 11.0.0.2 Provider B, 2001:db8:1::/48) and Site 2 (D; xTR-3 12.0.0.2 Provider C, xTR-4 13.0.0.2 Provider D, 2001:db8:2::/48). Before Site 2 traffic arrives: loc-reach-bits 0x0000 0000, bits 7654 3210 = b’xxxx xxxx’. With traffic flowing from Site 2: loc-reach-bits 0x0000 0003, bits 7654 3210 = b’xxxx xx11’, i.e. ordinals 0 and 1 (12.0.0.2 and 13.0.0.2) reported up; a failed path is marked X.]
Outages are signaled “quickly” when traffic is flowing.
(When traffic is not flowing, other mechanisms are needed)
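The ordinal-to-bit relationship above is simple but easy to get backwards, so here is an added Python example (not from the slides or Cisco) that shows both ends of it: the sending site builds the 32-bit loc-reach-bits word from its own locator-set order, and the receiving ITR applies a word from an incoming data packet to its map-cache entry and then selects an egress RLOC among the locators still marked up, by priority and then weight. The mapping entry is taken from the slide (12.0.0.2 ordinal 0, 13.0.0.2 ordinal 1, priority 1, weight 50 each); the `MAPPING_ENTRY` layout, the helper names and the hash-based weighted choice are this example’s assumptions.

```python
import hashlib

# From the slide: ordinals follow locator-set order. "up" state is this example's own field.
MAPPING_ENTRY = {
    "eid_prefix": "2001:db8:2::/48",
    "locators": [
        {"rloc": "12.0.0.2", "priority": 1, "weight": 50, "up": True},  # (D1) -> ordinal 0
        {"rloc": "13.0.0.2", "priority": 1, "weight": 50, "up": True},  # (D2) -> ordinal 1
    ],
}


def fresh_entry():
    """A private copy of the mapping entry, so updates do not leak between callers."""
    return {"eid_prefix": MAPPING_ENTRY["eid_prefix"],
            "locators": [dict(loc) for loc in MAPPING_ENTRY["locators"]]}


def lsb_word(locators):
    """Sending site: build the 32-bit loc-reach-bits from its locator-set.
    Bit n set means the RLOC with ordinal n is up; 0x00000003 means ordinals 0 and 1 are up."""
    word = 0
    for ordinal, loc in enumerate(locators):
        if loc["up"]:
            word |= 1 << ordinal
    return word


def apply_lsbs(entry, word):
    """Receiving ITR: a data packet from the remote site carries that site's LSBs. Update the
    map-cache entry's up/down state per ordinal and return the (rloc, state) pairs that changed."""
    changed = []
    for ordinal, loc in enumerate(entry["locators"]):
        up = bool((word >> ordinal) & 1)
        if loc["up"] != up:
            loc["up"] = up
            changed.append((loc["rloc"], "up" if up else "down"))
    return changed


def select_rloc(entry, flow_key):
    """Egress RLOC choice: lowest priority value among up locators, then weighted by 'weight',
    using a stable hash of the flow so that one flow keeps using one RLOC. None if all are down."""
    up = [loc for loc in entry["locators"] if loc["up"]]
    if not up:
        return None
    best = min(loc["priority"] for loc in up)
    candidates = [loc for loc in up if loc["priority"] == best]
    total = sum(loc["weight"] for loc in candidates)
    point = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % total
    for loc in candidates:
        point -= loc["weight"]
        if point < 0:
            return loc["rloc"]


def format_lsbs(word):
    """Render the word the way the slide does: hex halves plus the low byte as bits 7654 3210."""
    bits = format(word & 0xFF, "08b")
    return f"0x{word >> 16:04X} {word & 0xFFFF:04X}  b'{bits[:4]} {bits[4:]}'"
```

Starting from the slide’s entry, `lsb_word` gives 3 (both ordinals up); applying 0x1 from a later packet marks 13.0.0.2 down and every flow moves to 12.0.0.2; applying 0x3 again brings it back; applying 0 leaves no usable RLOC, which is the case the slide’s second note is about: when no traffic flows, the LSBs never arrive and another mechanism (probing, ICMP, routing) has to supply the state.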
LISP Operations
• LISP Management – LISP Data Plane…
 Data Plane Management:
‒ ping
ping notes:
1. Using RLOC to RLOC tests underlying network
[Figure: LISP Site 1 (S, PI EID-prefix 172.16.1.0/24) behind xTR1 (.2 / .1); CORE 10.0.0.0/8 with the MS/MR and core addresses .1, .5, .6, .9; LISP Site 2 (D, PI EID-prefix 172.16.2.0/24) behind xTR2.]
Example: RLOC to RLOC
Left#ping 10.0.0.6 source 10.0.0.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
Left#
LISP Operations
• LISP Management – LISP Data Plane…
 Data Plane Management:
‒ ping
ping notes:
1. Using RLOC to RLOC tests underlying network
2. Using EID-to-EID tests LISP data plane
3. When PxTR infrastructure is involved, EID to RLOC and RLOC to EID tests can also be useful
Common Theme:
• OVER for EIDs
• UNDER for RLOCs
[Figure: the same Site 1 (172.16.1.0/24, xTR1) – CORE 10.0.0.0/8 (MS/MR) – Site 2 (172.16.2.0/24, xTR2) topology.]
Example: EID to EID
Left#ping 172.16.2.2 source 172.16.1.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
Left#
LISP Operations
• LISP Management – LISP Data Plane…
  Data Plane Management:
   ‒ traceroute
  traceroute notes:
   ‒ Unlike other “tunneling” techniques, LISP (tries to) show all intermediate hops: the ITR copies the inner TTL into the outer header and the ETR copies it back on decapsulation, so ICMP Time Exceeded messages from RLOC-space routers reach the EID source
   ‒ Cross Address Family traceroute is not supported because “traceroute” does not support it

(Figure: same topology as the ping slides; the probes with ttl=1, ttl=2 and ttl=3 expire at the core router, at xTR2 and at the destination respectively.)

Example: EID to EID
Left#traceroute 172.16.2.1 source 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 1 msec 0 msec 0 msec
  2 10.0.0.6 0 msec 1 msec 0 msec
  3 172.16.2.1 0 msec * 1 msec
Left#
LISP Operations
• LISP Management – LISP Control Plane…
  Control Plane Management:
   ‒ lig (LISP Internet Groper)
  lig notes:
   ‒ Fetches an EID-to-RLOC database mapping entry
   ‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server

(Figure: same topology as the ping slides.)

Left#lig self ipv4
Mapping information for EID 172.16.1.0 from 10.0.0.2 with RTT 32 msecs
172.16.1.0/24, uptime: 00:00:00, expires: 23:59:53, via map-reply, self
  Locator   Uptime    State  Pri/Wgt
  10.0.0.2  00:00:00  up     1/100
Left#
LISP Operations
• LISP Management – LISP Control Plane…
  Control Plane Management:
   ‒ lig (LISP Internet Groper)
  lig notes:
   ‒ Fetches an EID-to-RLOC database mapping entry
   ‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server
   ‒ Using lig <eid> you can verify that a remote EID is registered (and see the mapping and policy it returns)

(Figure: same topology as the ping slides.)

Left#lig 172.16.2.2
Mapping information for EID 172.16.2.2 from 10.0.0.6 with RTT 36 msecs
172.16.2.0/24, uptime: 00:00:00, expires: 23:59:52, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.0.0.6  00:00:00  up     1/1
Left#
LISP Introduction – Summary
LISP Overview
• LISP :: A Routing Architecture – Not a Feature
  Uses pull vs. push routing
   ‒ OSPF and BGP are push models; routing stored in the forwarding plane
   ‒ LISP is a pull model; analogous to DNS; massively scalable
  An over-the-top technology
   ‒ Address Family agnostic
   ‒ Incrementally deployable
   ‒ End systems can be unaware of LISP
  Deployment simplicity
   ‒ No host changes
   ‒ Minimal CPE changes
   ‒ Some new core infrastructure components
  LISP use-cases are complementary
   ‒ Simplified multi-homing with Ingress Traffic Engineering; no need for BGP
   ‒ Address Family agnostic support
   ‒ Virtualization support
   ‒ End-host mobility without renumbering
  Enables IP Number Portability
   ‒ Never change host IPs; no renumbering costs
   ‒ No DNS changes; “name == EID” binding
   ‒ Session survivability
  An Open Standard
   ‒ Being developed in the IETF (RFC 6830-6836)
   ‒ No Cisco Intellectual Property Rights
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar
LISP Efficient Multihoming/Multi-AF
TECRST-3191
Gregg Schudel
LISP Technical Marketing Engineer
CCIE #9591
LISP and Multihoming Overview
LISP Efficient Multihoming/Multi-AF Support
• Why Multihoming?
 Increased Resiliency
– Access link, router, or upstream provider network failures should not interrupt service
 Increased Bandwidth
– Typically less $$ to add a second link vs. paying for ‘step increase’ in existing link
access bandwidth
– Adding bandwidth via a second link gives other benefits not enjoyed by simply
increasing bandwidth
– But, extra bandwidth has to be useable; need the ability to effect ingress traffic usage
 Increased Responsiveness
– Potentially, can serve customers better with diverse links
LISP Efficient Multihoming/Multi-AF Support
• Multihoming Options
  Wide range of options, from low to high complexity (benefits range from “Single Homed” to “Fully Resilient and Traffic Engineered”):
   – Multihoming with NAT
     o Difficult with multiple routers due to asymmetry in traffic flows and need for concurrent state
   – Multihoming with Static Routes
     o Path failure detection problematic
   – Multihoming with BGP – Partial Routes
     o Premium circuit; no outbound path information
   – Multihoming with BGP – Full Routes
     o Requires premium circuit
     o Requires CPU and memory, complex configuration, and “manipulation” – especially under failure conditions

(Figure: chart of Benefits vs. Complexity; techniques in increasing order: NAT, Static Routes, BGP+Partial, BGP+Full.)
LISP Efficient Multihoming/Multi-AF Support
• Traditional BGP-based Multihoming
  Cons…
   – Requires certain class of SP link
     • BGP-capable access links available everywhere? ($$/BW)
   – BGP configuration is complex
     • Constant “tuning” for load balancing
     • Failures have non-deterministic impact on load-level of remaining links
     • AS Path Prepending will have varying effectiveness; access link load balancing tricky
   – CPE routers pulling “full routes” must store 450K+ prefixes
     • Small scale routers with limited memory not suitable for CPE routers
   – Not all SPs are created equal
     • Tier-1 SPs “well-peered with everyone”
     • Commodity SPs buy ‘transit’ from Tier 1’s
  Pros…
   – Reachability information available from BGP routes
     • Note: Some information is ‘hidden’ behind aggregates (caution)
   – Full routes can provide ‘best path’ metrics for outbound traffic
     • With clever configuration and tuning, you can get ‘symmetrical’ path in/out to remote sites
   – Global view of the Routing System from your Routers
     • Path and route analysis possible via Route Views or commercial tools (like Arbor)
LISP Efficient Multihoming/Multi-AF Support
• LISP-based Multihoming
  Cons…
   – Requires Mapping Service Provider and Proxy Service Provider services
   – Reachability information must be obtained in a different manner
     • Data plane signaling :: locator status bits (LSBs)
     • Control plane signaling :: rloc-probing
     • Routing :: e.g. MPLS PE-CE links
   – Only “simple” egress TE control; non-LISP tools needed for more than ECMP
     • PfR - Performance Routing
     • BGP – now it gets complicated (but it would be with this method anyway)
   – MTU handling is important to understand
     • PMTUD (don’t filter ICMP)
     • Proactively configure higher Internet Link MTU (same as any tunnel/encap strategy)
  Pros…
   – Multihoming requirements are “simple”
     • No access link type or PE requirements
     • No upstream Service Provider type or support requirements (i.e. for BGP)
   – Multihoming configuration is “simple”
     • LISP ETR indicates EID to RLOC relationships and ingress TE policy
     • LISP Site CPE can be small; no “push-based” routing table needs
   – Applicable to LISP-to-LISP and non-LISP-to-LISP traffic “day-one”
     • PITR provides non-LISP-to-LISP support for ingress TE (LISP works day-one)
     • Access link ingress TE is “accurate” by design (assuming reasonable “flow” distribution)
     • Flexibility in LISP Architecture for ingress TE policy specification “per-request”
LISP Deployment Overview
• Private and Public LISP Deployment Models…
  Private Model
   • “Private” LISP deployment supports a single Enterprise or Entity
   • LISP Enterprise deploys:
     - xTRs
     - Mapping System, if required
     - Proxy System, if required
  Public Model
   • “Public” LISP deployment supports the needs of multiple Enterprises
   • LISP Service Provider deploys “shared” Mapping System and Proxy System
   • LISP Enterprises subscribe to LISP SP, and deploy their own xTRs

(Figure: Global examples rooted at ddt-root.org with LISP SPs and LISP Enterprises underneath; a stand-alone example with a single LISP SP; private enterprise examples Enterprise A, B and C. Named deployments in the figure: NJEdge.Net, PCCC, CCC, MU, CCM, VXNet, BCC, InTouch, LISP Beta, Princeton.)
LISP Operations
• LISP Encapsulation – Any IPv4 and IPv6 Combination Supported

(Figure: packet layout Outer Header (IPv4 or IPv6) | UDP | LISP | Inner Header (IPv4 or IPv6) | payload. The four outer/inner combinations: IPv4/IPv4, IPv4/IPv6, IPv6/IPv4, IPv6/IPv6.)
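The header stack above, together with the Locator-Status-Bits from the earlier multihoming slide (EID-prefix 2001:db8:2::/48, locators 12.0.0.2 and 13.0.0.2), as an added Python example that is not part of the Cisco deck: it builds an encapsulated packet with an IPv4 or IPv6 outer header, decapsulates it the way an ETR would, and maps the LSBs back to locator ordinals. The inner packets, nonce, instance ID and UDP source port are constructed for the example; only the addresses and the locator-set come from the slides.

```python
"""Added example, not code from the Cisco deck: build and decode a LISP data
packet (outer IP + UDP 4341 + LISP header + inner packet) per the RFC 6830
header layout, and read its Locator-Status-Bits against a locator-set.
Addresses and the locator-set are from the slides; packet bytes are constructed."""
import ipaddress
import struct

LISP_DATA_PORT = 4341                      # UDP dst port for LISP data packets
FLAG_N, FLAG_L, FLAG_I = 0x80, 0x40, 0x08  # nonce present, LSBs valid, IID present
LOCATOR_SET = ["12.0.0.2", "13.0.0.2"]     # slide's locator-set: ordinal 0, ordinal 1


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement checksum of an IPv4 header (checksum field 0)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_lisp_header(nonce, lsbs, instance_id=None):
    """N and L set. With an IID the second word is a 24-bit IID plus 8 LSBs,
    otherwise all 32 bits are LSBs."""
    flags, word2 = FLAG_N | FLAG_L, lsbs & 0xFFFFFFFF
    if instance_id is not None:
        flags |= FLAG_I
        word2 = ((instance_id & 0xFFFFFF) << 8) | (lsbs & 0xFF)
    return struct.pack("!II", (flags << 24) | (nonce & 0xFFFFFF), word2)


def parse_lisp_header(data):
    """Return {'nonce', 'instance_id', 'lsbs'}; None where the flag says absent."""
    word1, word2 = struct.unpack("!II", data[:8])
    flags = word1 >> 24
    hdr = {"nonce": (word1 & 0xFFFFFF) if flags & FLAG_N else None,
           "instance_id": None, "lsbs": None}
    if flags & FLAG_I:
        hdr["instance_id"] = word2 >> 8
        hdr["lsbs"] = (word2 & 0xFF) if flags & FLAG_L else None
    elif flags & FLAG_L:
        hdr["lsbs"] = word2
    return hdr


def encapsulate(src_rloc, dst_rloc, inner, nonce, lsbs, instance_id=None):
    """ITR side: the outer header's address family follows the RLOCs and the
    inner packet is opaque, so any IPv4/IPv6 combination works."""
    src, dst = ipaddress.ip_address(src_rloc), ipaddress.ip_address(dst_rloc)
    lisp = build_lisp_header(nonce, lsbs, instance_id)
    udp_len = 8 + len(lisp) + len(inner)
    # Source port is normally a hash of the inner 5-tuple (fixed here);
    # a zero UDP checksum is what RFC 6830 has the ITR send.
    udp = struct.pack("!HHHH", 49152, LISP_DATA_PORT, udp_len, 0)
    if src.version == 4:
        outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                            64, 17, 0, src.packed, dst.packed)
        outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    else:
        outer = struct.pack("!IHBB16s16s", 0x60000000, udp_len, 17, 64,
                            src.packed, dst.packed)
    return outer + udp + lisp + inner


def decapsulate(pkt):
    """ETR side: strip outer IP/UDP/LISP; return (lisp_hdr, inner_af, inner)."""
    version = pkt[0] >> 4
    if version == 4:
        proto, off = pkt[9], (pkt[0] & 0x0F) * 4
    elif version == 6:
        proto, off = pkt[6], 40
    else:
        raise ValueError("outer header is not IP")
    if proto != 17:
        raise ValueError("outer transport is not UDP")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[off:off + 8])
    if dport != LISP_DATA_PORT:
        raise ValueError("UDP port %d is not LISP data" % dport)
    hdr = parse_lisp_header(pkt[off + 8:off + 16])
    inner = pkt[off + 16:off + ulen]
    return hdr, inner[0] >> 4, inner


def locators_up(lsbs, locator_set):
    """Bit n (from the least significant bit) is locator ordinal n. LSBs are
    unauthenticated data-plane hints: a cleared bit is a reason to RLOC-probe,
    not proof that the RLOC is down."""
    return [rloc for n, rloc in enumerate(locator_set) if (lsbs >> n) & 1]


# Constructed inner packets (IPv6 and IPv4 headers with a small payload).
SAMPLE_INNER_IPV6 = struct.pack(
    "!IHBB16s16s", 0x60000000, 4, 59, 64,
    ipaddress.ip_address("2001:db8:1::10").packed,
    ipaddress.ip_address("2001:db8:2::10").packed) + b"\xde\xad\xbe\xef"
SAMPLE_INNER_IPV4 = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 1, 0,
    ipaddress.ip_address("172.16.1.2").packed,
    ipaddress.ip_address("172.16.2.2").packed) + b"ping"
```

Calling encapsulate("10.0.0.2", "12.0.0.2", SAMPLE_INNER_IPV6, 0xABCDEF, 0x3) and feeding the result to decapsulate() returns the IPv6 inner packet with lsbs 0x3, which locators_up() resolves to both 12.0.0.2 and 13.0.0.2; with an instance ID only the low 8 bits remain for LSBs, and an IPv6 outer header works the same way. Because the bits travel in clear, unauthenticated data packets, an ITR that drops a locator on a cleared bit alone can be misled by a spoofed packet; the control-plane check (the loc-reach-algorithm rloc-probing line in the xTR configurations later in this section) is what confirms a locator's state.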
LISP Multihoming and Multi-AF
• Inherent support for AF-agnostic operations

(Figure: an IPv4 or IPv6 LISP Site with EIDs 172.16.1.0/24 and 2001:db8:a:1::/64. xTR-1 (GE0/0/0 10.1.1.2/30, plus IPv6 link 2001:db8:e000:2::2 with peer 2001:db8:e000:2::1) connects to SP1, which hosts a PxTR and MR/MS at 10.10.10.10 / 10.10.10.11; xTR-2 (GE0/0/0 10.2.1.2/30, plus IPv6 link 2001:db8:f000:2::2 with peer 2001:db8:f000:2::1) connects to SP2, which hosts a PxTR and MR/MS at 10.10.30.10 / 10.10.30.11. Both SPs reach the IPv4 Internet and an IPv4 or IPv6 core; the xTRs carry an IPv4 default route. Packet path inside an xTR: ingress features -> LISP tx encap -> LISP0 -> RLOC namespace (IPv4 or IPv6), and RLOC -> LISP rx decap -> egress features toward the internal IPv4 or IPv6 networks.)
LISP Multihoming and Multi-AF
• Inherent support for AF-agnostic operations

(Figure: same topology as the previous slide.)

PxTR1#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries
---<skip>---
172.16.1.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.1.1.2  00:01:38  up     1/50
  10.2.1.2  00:01:38  up     1/50
---<skip>---
LISP Multihoming and Multi-AF
• Inherent support for AF-agnostic operations

(Figure: same topology as the previous slides.)

PxTR1#show ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 13 entries
---<skip>---
2001:DB8:A:1::/64, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.1.1.2  00:01:38  up     1/50
  10.2.1.2  00:01:38  up     1/50
---<skip>---

Both the IPv4 and the IPv6 EID-prefix resolve to the same pair of IPv4 RLOCs: the IPv6 EID space is reached over an IPv4-only transport and shares the same 50/50 ingress policy.
LISP Multihoming/Multi-AF + Internet
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  Let’s look at an example…

(Figure, used by the following slides: MSMR at 10.0.100.2 (IPv6 2001:db8:3:4::2) and PxTR at 10.0.101.2 (IPv6 2001:db8:3:5::2) sit between the IPv4 Internet and the IPv6 Internet, which also hold the non-LISP targets 10.200.1.1 and 2001:db8:c5c0::1. xTR1 serves EIDs 192.168.1.0/24 and 2001:db8:a::/48 with RLOCs 10.0.1.2/30, 10.0.2.2/30 and 2001:db8:2:3::2/64. xTR2 serves EIDs 192.168.7.0/24 and 2001:db8:b::/48 with the single IPv4 RLOC 10.0.9.2/30.)
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  The end-user needs to add this… (xTR2)

router lisp
 locator-set SITE2
  10.0.9.2 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 192.168.7.0/24 locator-set SITE2
  database-mapping 2001:DB8:B::/48 locator-set SITE2
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.0.100.2
 ipv4 etr map-server 10.0.100.2 key SITE2KEY
 ipv4 use-petr 10.0.101.2
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 10.0.100.2
 ipv6 etr map-server 10.0.100.2 key SITE2KEY
 ipv6 use-petr 10.0.101.2
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.9.1
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  And this… (xTR1)

router lisp
 locator-set SITE1
  10.0.1.2 priority 1 weight 1
  10.0.2.2 priority 1 weight 1
  2001:DB8:2:3::2 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 192.168.1.0/24 locator-set SITE1
  database-mapping 2001:DB8:A::/48 locator-set SITE1
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.0.100.2
 ipv4 etr map-server 10.0.100.2 key SITE1KEY
 ipv4 use-petr 10.0.101.2
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 10.0.100.2
 ipv6 etr map-server 10.0.100.2 key SITE1KEY
 ipv6 use-petr 10.0.101.2
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ipv6 route ::/0 2001:DB8:2:3::1
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  A LISP Service Provider (or Enterprise) will run the Mapping System… (MSMR)

router lisp
 site site1
  authentication-key SITE1KEY
  eid-prefix 192.168.1.0/24
  eid-prefix 2001:DB8:A::/48
  exit
 !
 site site2
  authentication-key SITE2KEY
  eid-prefix 192.168.7.0/24
  eid-prefix 2001:DB8:B::/48
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv6 map-server
 ipv6 map-resolver
 exit

The authentication-key is a shared secret between the ETRs of a site and the Map-Server (it is the same string as the “key SITE1KEY” / “key SITE2KEY” in the xTR configurations on the previous two slides). A Map-Register whose HMAC does not verify under the site’s key is discarded, and a site can only register prefixes inside its configured eid-prefix list, so the key together with the prefix list is what stops one site from registering, and thereby attracting traffic for, another site’s EIDs.
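What the authentication-key and eid-prefix lines enforce, as an added Python example (not code from the deck or from IOS): an ETR builds a Map-Register in the RFC 6833 layout with an HMAC over the message, and the Map-Server verifies it under a configured site key and refuses prefixes outside that site’s list. Site names, keys and prefixes are the ones configured above; the messages, nonces and the choice of HMAC-SHA-256-128 (key-id 2) are constructed for the example, and trying every configured site key to identify the sender is a simplification of what a real MS does.

```python
"""Added example, not code from the Cisco deck: what the Map-Server's
"site ... authentication-key / eid-prefix" stanzas enforce. An ETR builds a
Map-Register (RFC 6833 layout) with an HMAC over the message; the MS verifies
the HMAC under a configured site key and rejects EID-prefixes outside that
site's allowed list. Site names, keys and prefixes are from the slides; the
messages are constructed here, and trying every site key to find the sender
is a simplification of a real MS."""
import hashlib
import hmac
import ipaddress
import struct

AUTH_ALGS = {1: (hashlib.sha1, 12),    # key-id 1: HMAC-SHA-1-96
             2: (hashlib.sha256, 16)}  # key-id 2: HMAC-SHA-256-128

# Equivalent of the MS configuration on the slide: site -> (key, allowed prefixes)
MS_SITES = {
    "site1": ("SITE1KEY", ["192.168.1.0/24", "2001:db8:a::/48"]),
    "site2": ("SITE2KEY", ["192.168.7.0/24", "2001:db8:b::/48"]),
}


def afi_addr(addr):
    """AFI (1 = IPv4, 2 = IPv6) followed by the packed address."""
    ip = ipaddress.ip_address(addr)
    return struct.pack("!H", 1 if ip.version == 4 else 2) + ip.packed


def record(prefix, locators, ttl=1440):
    """One mapping record: TTL, locator count, mask-len, ACT/A, map-version,
    EID-prefix, then (priority, weight, mcast prio/weight, flags, RLOC) each."""
    net = ipaddress.ip_network(prefix)
    rec = struct.pack("!IBBHH", ttl, len(locators), net.prefixlen, 0, 0)
    rec += afi_addr(str(net.network_address))
    for rloc, prio, weight in locators:
        rec += struct.pack("!BBBBH", prio, weight, 255, 0, 0x0007) + afi_addr(rloc)
    return rec


def build_map_register(key, records, nonce, key_id=2):
    """ETR side: the HMAC covers the whole message with the Authentication
    Data field zeroed, truncated to the length the key-id defines."""
    alg, auth_len = AUTH_ALGS[key_id]
    head = struct.pack("!BBBBQHH", 0x30, 0, 0, len(records), nonce, key_id, auth_len)
    body = b"".join(records)
    mac = hmac.new(key.encode(), head + bytes(auth_len) + body, alg).digest()
    return head + mac[:auth_len] + body


def parse_records(data, count):
    """Return [(prefix, [rlocs])] for the records that follow the auth data."""
    out, off = [], 0
    for _ in range(count):
        _ttl, loc_count, masklen = struct.unpack("!IBB", data[off:off + 6])
        off += 10
        afi, = struct.unpack("!H", data[off:off + 2])
        off += 2
        alen = 4 if afi == 1 else 16
        eid = ipaddress.ip_address(data[off:off + alen])
        off += alen
        rlocs = []
        for _ in range(loc_count):
            lafi, = struct.unpack("!H", data[off + 6:off + 8])
            off += 8
            llen = 4 if lafi == 1 else 16
            rlocs.append(str(ipaddress.ip_address(data[off:off + llen])))
            off += llen
        out.append(("%s/%d" % (eid, masklen), rlocs))
    return out


def verify_map_register(msg, sites=MS_SITES):
    """MS side: return (site, records) or raise ValueError. Order matters:
    authenticate first, only then look at what the sender asks to register."""
    if len(msg) < 16 or msg[0] >> 4 != 3:
        raise ValueError("not a Map-Register")
    count = msg[3]
    key_id, auth_len = struct.unpack("!HH", msg[12:16])
    if key_id not in AUTH_ALGS or auth_len != AUTH_ALGS[key_id][1]:
        raise ValueError("unauthenticated or malformed key-id/auth length")
    alg = AUTH_ALGS[key_id][0]
    given = msg[16:16 + auth_len]
    unsigned = msg[:16] + bytes(auth_len) + msg[16 + auth_len:]
    for site, (key, allowed) in sites.items():
        mac = hmac.new(key.encode(), unsigned, alg).digest()[:auth_len]
        if hmac.compare_digest(mac, given):
            break
    else:
        raise ValueError("HMAC does not verify under any configured site key")
    records = parse_records(msg[16 + auth_len:], count)
    nets = [ipaddress.ip_network(p) for p in allowed]
    for prefix, _ in records:
        net = ipaddress.ip_network(prefix)
        if not any(net.version == a.version and net.subnet_of(a) for a in nets):
            raise ValueError("%s is outside the eid-prefix list of %s" % (prefix, site))
    return site, records


def registration_outcome(msg):
    """Accepted site name, or None when the MS would drop the registration."""
    try:
        return verify_map_register(msg)[0]
    except ValueError:
        return None
```

build_map_register("SITE2KEY", [record("192.168.7.0/24", [("10.0.9.2", 1, 1)])], nonce=...) verifies as site2. The same message built with a wrong key, a message built with SITE2KEY for 192.168.1.0/24 (site1’s prefix), and a message with one locator byte flipped are all rejected. Note the order in verify_map_register(): the HMAC is checked before any record is parsed, so unauthenticated input never reaches the prefix logic.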
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  And the PxTR…

router lisp
 eid-table default instance-id 0
  ipv4 route-import map-cache static route-map EID-space
  ipv6 route-import map-cache static route-map EID-space
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 proxy-etr
 ipv4 proxy-itr 10.0.101.2 2001:DB8:3:5::2
 ipv4 itr map-resolver 10.0.100.2
 ipv4 map-request-source 10.0.101.2
 ipv6 proxy-etr
 ipv6 proxy-itr 2001:DB8:3:5::2 10.0.101.2
 ipv6 itr map-resolver 10.0.100.2
 ipv6 map-request-source 2001:DB8:3:5::2
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.101.1
ip route 192.168.0.0 255.255.0.0 Null0 tag 111
ipv6 route 2001:DB8:A::/47 Null0 tag 111
ipv6 route ::/0 2001:DB8:3:5::1
!
route-map EID-space permit 10
 match tag 111
!

The two Null0 routes tagged 111 cover the whole EID space of both sites (192.168.0.0/16 contains 192.168.1.0/24 and 192.168.7.0/24; 2001:DB8:A::/47 contains 2001:DB8:A::/48 and 2001:DB8:B::/48). route-import map-cache turns them into map-cache entries, so packets arriving from the non-LISP Internet for any EID are handled by the PITR (Map-Request, then encapsulation) instead of following the default route, and the same tag is what selects the aggregates for advertisement to the Internet on the next slide.
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details
  The PxTR may use BGP… (BGP example; the router lisp section, the static Null0 routes and route-map EID-space are the same as on the previous slide)

router bgp 5
 bgp asnotation dot
 bgp log-neighbor-changes
 neighbor 10.0.101.1 remote-as 3
 neighbor 2001:DB8:3:5::1 remote-as 3
 !
 address-family ipv4
  redistribute static route-map pop-EID
  neighbor 10.0.101.1 activate
  no neighbor 2001:DB8:3:5::1 activate
 exit-address-family
 !
 address-family ipv6
  redistribute static route-map pop-EID
  neighbor 2001:DB8:3:5::1 activate
 exit-address-family
!
route-map pop-EID permit 10
 match tag 111
 set origin igp
 set community 111:5
!
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R114-MSMR#show lisp site
LISP Site Registration Information

Site Name  Last      Up   Who Last    Inst  EID Prefix
           Register       Registered  ID
site1      00:00:42  yes  10.0.2.2          192.168.1.0/24
           00:00:42  yes  10.0.2.2          2001:DB8:A::/48
site2      00:00:38  yes  10.0.9.2          192.168.7.0/24
           00:00:06  yes  10.0.9.2          2001:DB8:B::/48
R114-MSMR#
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R114-MSMR#sh lisp site name site1
---<skip>---
Allowed EID-prefixes:
  EID-prefix: 192.168.1.0/24
  ---<skip>---
    Locator          Local  State  Pri/Wgt  Scope
    10.0.1.2         yes    up     1/1      IPv4 none
    10.0.2.2         yes    up     1/1      IPv4 none
    2001:DB8:2:3::2  yes    up     1/1      IPv6 none
---<etc>---
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R116-xTR#sh ip lisp map-cache
---<skip>---
192.168.1.0/24, uptime: 1d00h, expires: 23:59:26, via map-reply, complete
  Locator          Uptime  State     Pri/Wgt
  10.0.1.2         1d00h   up        1/1
  10.0.2.2         1d00h   up        1/1
  2001:DB8:2:3::2  1d00h   no-route  1/1
R116-xTR#

R116-xTR#ping 192.168.1.254 so 192.168.7.254 rep 10
---<skip>---
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/1 ms
R116-xTR#

xTR2 (R116) has only an IPv4 RLOC and an IPv4 default route, so the IPv6 locator of site1 shows no-route and is not used for encapsulation; traffic to 192.168.1.0/24 is spread over the two IPv4 RLOCs only, which the forwarding entry on the next slide confirms.
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R116-xTR#sh ip lisp forwarding eid remote 192.168.1.1
Prefix           Fwd action  Locator status bits
192.168.1.0/24   encap       0x00000007
  packets/bytes 118/11520
  path list B46EAF2C, flags 0x49, 3 locks, per-destination
    ifnums:
      LISP0(11): 10.0.1.2, 10.0.2.2
    2 paths
      path B57E1A80, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4
        nexthop 10.0.1.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.1.2 B471DC28
      path B57E1A10, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4
        nexthop 10.0.2.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.2.2 B471DAF8
    1 output chain
      chain[0]: loadinfo B278CA5C, per-session, 2 choices, flags 0083, 5 locks
        flags: Per-session, for-rx-IPv4, 2 buckets
        2 hash buckets
          < 0 > IP midchain out of LISP0, addr 10.0.1.2 B471DC28
                IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220
          < 1 > IP midchain out of LISP0, addr 10.0.2.2 B471DAF8
                IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220
---<skip>---

The locator status bits read 0x00000007: all three locators registered by site1 are reported up. The path list nonetheless has only 2 paths and 2 hash buckets, because the IPv6 RLOC is no-route on this IPv4-only xTR; per-session (flow-hashed) load sharing keeps each session on one RLOC.
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R112-xTR#ping 2001:db8:c5c0::1 so 2001:DB8:A:1::254 rep 10
---<skip>---
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/14 ms
R112-xTR#

R112-xTR#sh ipv6 lisp map-cache
---<skip>---
2001:DB8:8000::/33, uptime: 00:01:09, expires: 00:13:50, via map-reply, forward-native
  Encapsulating to proxy ETR
R112-xTR#

The non-LISP target 2001:db8:c5c0::1 is covered by a negative map-cache entry (2001:DB8:8000::/33, forward-native, with a short expiry), and because the xTR is configured with ipv6 use-petr 10.0.101.2 the packets are encapsulated to the PETR over IPv4 rather than routed natively.
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

R115-PxTR#sh ipv6 lisp for eid remote 2001:db8:a::1
Prefix            Fwd action  Locator status bits
2001:DB8:A::/48   encap       0x00000007
  packets/bytes 18/1800
---<skip>---
  path list B47117DC, flags 0x49, 4 locks, per-destination
    ifnums:
      LISP0(10): 10.0.1.2, 10.0.2.2, 2001:DB8:2:3::2
    3 paths
      path B4710400, path list B47117DC, share 1/1, type attached nexthop, for IPv6
        nexthop 10.0.1.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
      path B4710390, path list B47117DC, share 1/1, type attached nexthop, for IPv6
        nexthop 10.0.2.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
      path B4710320, path list B47117DC, share 1/1, type attached nexthop, for IPv6
        nexthop 2001:DB8:2:3::2 LISP0, adjacency IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
    1 output chain
---<cont>---
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF – Some Technical Details

(Figure: same topology as the “Let’s look at an example” slide.)

---<cont>---
        15 hash buckets
          < 0 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 1 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 2 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
          < 3 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 4 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 5 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
          < 6 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 7 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          < 8 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
          < 9 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          <10 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          <11 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
          <12 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          <13 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888         IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
          <14 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
  Subblocks:
    None
R115-PxTR#

Unlike the IPv4-only xTR2, the PxTR has both IPv4 and IPv6 RLOC connectivity, so all three equal-priority, equal-weight locators of site1 are in the path list and the 15 buckets cycle through them evenly: IPv6 EID traffic leaves over an IPv4 outer header toward 10.0.1.2 and 10.0.2.2 and over an IPv6 outer header toward 2001:DB8:2:3::2.
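The forwarding outputs above show how the xTR and the PxTR end up with 2 and 3 paths and with hash buckets spread across them. As an added Python example (not code from the deck or from IOS), this is the ITR selection logic those outputs reflect: only RLOCs the router can actually reach count, the lowest-priority group is used, buckets are shared out by weight, and a 5-tuple hash pins each flow to one bucket. SITE1 is the locator-set registered by xTR1 earlier in this section and Site3 is the 50/50 set from the NJEDge.Net member configuration later in it; the active/standby set, the flows and the 16-bucket size are constructed for the example (IOS picks its own bucket count, as the 2- and 15-bucket outputs show).

```python
"""Added example, not code from the Cisco deck: how an ITR/PITR chooses the
RLOC for a flow from a mapping's priority/weight values (RFC 6830 rules:
lowest priority group only, weight-proportional share, priority 255 = never
use), with a 5-tuple hash so a flow sticks to one RLOC, and with RLOCs the
router cannot use (other address family, or marked down) excluded.
Locator-sets are from the slides; flows and bucket count are constructed."""
import hashlib
import ipaddress

# Locator-sets as registered on the slides: (RLOC, priority, weight)
SITE1 = [("10.0.1.2", 1, 1), ("10.0.2.2", 1, 1), ("2001:db8:2:3::2", 1, 1)]
SITE3 = [("172.16.1.2", 1, 50), ("172.16.2.2", 1, 50)]
# Constructed active/standby set: the second RLOC is used only if the first is down
ACTIVE_STANDBY = [("10.0.1.2", 1, 100), ("10.0.2.2", 2, 100)]


def usable_locators(locator_set, down=(), afs=(4, 6)):
    """Keep RLOCs this router can encapsulate to (address families it has
    routes for, not reported down), then only the best (lowest) priority."""
    live = [(r, p, w) for r, p, w in locator_set
            if p != 255 and r not in down and ipaddress.ip_address(r).version in afs]
    if not live:
        return []
    best = min(p for _, p, _ in live)
    return [(r, w) for r, p, w in live if p == best]


def weighted_buckets(locators, nbuckets=16):
    """Split nbuckets across RLOCs in proportion to weight; the largest
    fractional remainders receive what integer division leaves over."""
    total = sum(w for _, w in locators)
    if not locators or total == 0:
        return []
    shares = [(r, nbuckets * w / total) for r, w in locators]
    counts = {r: int(s) for r, s in shares}
    extra = sorted(shares, key=lambda rs: rs[1] - int(rs[1]), reverse=True)
    for r, _ in extra[:nbuckets - sum(counts.values())]:
        counts[r] += 1
    return [r for r, _w in locators for _i in range(counts[r])]


def flow_hash(src, dst, proto, sport, dport):
    """Stable hash of the inner 5-tuple; an ITR also derives the outer UDP
    source port from it so core ECMP sees the same flow identity."""
    key = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + bytes([proto]) + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def pick_rloc(locator_set, flow, down=(), afs=(4, 6)):
    """RLOC for one flow, or None when nothing is usable (the ITR then has to
    drop or forward natively according to policy)."""
    buckets = weighted_buckets(usable_locators(locator_set, down, afs))
    if not buckets:
        return None
    return buckets[flow_hash(*flow) % len(buckets)]


def share_by_rloc(locator_set, flows, down=(), afs=(4, 6)):
    """Fraction of flows landing on each RLOC: the ingress TE result."""
    counts = {}
    for f in flows:
        r = pick_rloc(locator_set, f, down, afs)
        counts[r] = counts.get(r, 0) + 1
    return {r: n / len(flows) for r, n in counts.items()}


# Constructed flows: 1000 TCP connections from Site 2 hosts to a Site 1 host
FLOWS = [("192.168.7.%d" % (10 + i % 200), "192.168.1.254", 6, 40000 + i, 443)
         for i in range(1000)]
```

pick_rloc(SITE1, flow, afs=(4,)) reproduces the IPv4-only xTR2 view, where only 10.0.1.2 and 10.0.2.2 are candidates, while the PxTR view (afs=(4, 6)) spreads across all three locators. share_by_rloc(SITE3, FLOWS) comes out close to 0.5/0.5, the accurate ingress split the NJEDge.Net example later in this section contrasts with its BGP-era 90/10 and 80/20 results; naming an RLOC in down= moves every flow off that locator, which is what acting on an LSB change or a failed RLOC-probe amounts to.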
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  NJEDge.Net
  Target Market:
   • State of New Jersey Educational Entities (K-12, universities, colleges)
  LISP Services:
   • BGP-free Multihoming
   • IPv6 Internet Access
   • Host Mobility Disaster-Recovery (adding now…)
   • Inter-Departmental VPNs (adding next…)
  Customer Site: http://njedge.net
  Customer Site: http://lisp.njedge.net
  Customer Case Study: http://lisp.cisco.com
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example

(Figure: constituent member topologies before LISP. Member 1: CPE with a default route or BGP to a Commodity SP; Member 2: CPE with BGP to Tier 1 SP1 and Tier 1 SP2; Member 3: CPE with a default route to a Transit SP; … Member N. All reach the IPv4 Internet and the IPv6 Internet, labelled “Some.. v4 / More… v4” and “Some.. v6 / More… v6”, with Google and Facebook as example destinations.)
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  Before LISP…
   • Configuration complexity… (many more features can be added here...)
   • Uneven multihoming load shares…
     They wanted: 50%/50%
     They got: 90%/10%? 80%/20%? Never 50%/50%

(Figure: same member topologies as the previous slide; the BGP configuration of one member CPE toward two SPs:)

router bgp 100
 bgp router-id 172.16.2.1
 bgp asnotation dot
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 172.16.2.1 remote-as 300   <== eBGP to SP1
 neighbor 172.16.1.2 remote-as 400   <== eBGP to SP2
 !
 address-family ipv4
  no synchronization
  redistribute ospf route-map populate-default
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 route-map filter-out out
  neighbor 172.16.1.2 route-map filter-in in
  neighbor 172.16.1.2 maximum-prefix 450000 90
  neighbor 172.16.2.1 activate
  neighbor 172.16.2.1 route-map filter-out out
  neighbor 172.16.2.1 route-map filter-in in
  neighbor 172.16.2.1 maximum-prefix 450000 90
  no auto-summary
 exit-address-family
!
ip bgp-community new-format
ip community-list standard outlist permit 100:123
!
route-map populate-default permit 10
 set origin igp
 set community 100:123
!
route-map filter-out permit 10
 match community outlist
!
route-map filter-in permit 10
 match community inlist
!
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  Deploy LISP…
   • Configuration simplicity…

(Figure: the NJEDge.Net LISP Network now hosts the MS/MR and the PxTR; every member CPE becomes an xTR while keeping its existing default route or BGP toward the Commodity, Transit and Tier 1 SPs. Member xTR configuration:)

router lisp
 locator-set Site3
  172.16.1.2 priority 1 weight 50
  172.16.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 10.1.1.0/24 locator-set Site3
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 172.17.1.1
 ipv4 etr map-server 172.17.1.1 key s3cr3t
 ipv4 use-petr 10.5.5.5
!
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  Deploy LISP…
   • Configuration simplicity…

(Figure: the NJEDge.Net LISP Network (MS/MR, PxTR) advertises the IPv4 EID aggregate to the IPv4 Internet, so non-LISP-to-LISP traffic enters through the PxTR; LISP-to-LISP traffic between member xTRs is encapsulated directly between their CPEs, which keep their default routes or BGP toward the Commodity, Transit and Tier 1 SPs.)
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  NJEDge.Net is now adding IPv6 for its members!

(Figure: the PxTR additionally advertises the IPv6 EID aggregate to the IPv6 Internet; members gain IPv6 EIDs behind their existing xTRs over their existing IPv4 RLOCs, non-LISP-to-LISP IPv6 traffic enters via the PxTR and LISP-to-LISP traffic stays between member xTRs.)
LISP Multihoming and Multi-AF
• Efficient Multi-Homing and Multi-AF -- Customer Example
  Key NJEDge.Net LISP Equipment
   ASR1Ks as MSMRs
   ASR9Ks as PxTRs (90G Internet capacity)
  Key LISP Benefits
   No BGP to configure or manage
   No complex configurations
   Optimized Ingress load balancing
   Cost Savings by reducing OPEX and CAPEX
   LISP offers a non-disruptive transition approach which does not affect end systems and allows for incremental deployment
  Disaster Recovery for Critical Applications introduces Increased Complexity
LISP Multihoming and Multi-AF
• Customer Example :: Cisco IT – IPv6-over-IPv4 MPLS
  Current Remote Office xTRs: 8 Offices, ~1900 employees, ~1375 IPv6 devices
  Planned Deployments (CY14): 80+ additional offices

(Figure: remote-office xTRs across the L3 MPLS VPN to a PxTR and MSMR, which provide the proxy aggregate bandwidth.)
LISP Multihoming and Multi-AF
• Customer Example :: EANTC Interoperability Demonstration
  MPLS and Ethernet World Congress, SDN Summit & V6 World Congress: Public Multi-Vendor Interoperability Test 2013
  All possible LISP encapsulations tested:
   IPv4 and IPv6 over IPv6 RLOC ("IPv6-only core network")
   IPv4 and IPv6 over IPv4 RLOC ("IPv4-only core network")
  Spirent TestCenter emulated LISP xTR
  Cisco ASR1K as Map Server and PxTR
  Cisco ASR9K as PxTR
  Successfully tested and certified by EANTC
  YouTube video demo: http://goo.gl/oZShr
LISP Multihoming and Multi-AF
• Customer Example :: "Home Router Market" (Europe)
[Diagram: customer LAN 192.168.1.0/24 behind a CE whose EID is a loopback (Lo0, 10.1.1.x/32). The CE has two uplinks: (1) xDSL into the SP broadband core (UP: xMbps, DN: yMbps) and (2) an LTE cloud (UP: aMbps, DN: bMbps). Both paths reach the SP's PxTR and from there the Internet.]
 Multihoming by bundling multiple access technologies
– 4G+xDSL
 Higher bandwidth and resiliency
 Load sharing
– Bandwidth and link conditions
 Supports DHCP (RLOC)
– Common configuration on all CEs
 LISP hidden from customer
 Subscriber traffic NAT'd to the EID loopback
 Better user experience
LISP Multihoming/Multi-AF + MPLS
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
 LISP / MPLS results in an "ideal" deployment environment
– Locator/ID split idealizes a pure "RLOC core" and "EID overlay"
 Opportunities
– IPv4 over MPLS via LISP
  Use of LISP (v4-over-v4) removes customer IPv4 prefixes from MPLS
  PE benefits :: (a) substantially improved scaling
                 (b) reduced CPU load due to customer route advertisement/churn
– IPv6 over MPLS via LISP
  Use of LISP (v6-over-v4) removes the SP from customer IPv6 configuration/management
  Immediate support :: even if not running LISP for IPv4
  PE benefits :: (a) no added v6 interface
                 (b) no added v6 eBGP peering
                 (c) no added IPv6 customer prefixes
– Permits inter-departmental VPNs without additional PE VRFs
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
1: Existing IPv4 MPLS
[Diagram: Blue sites 1-3 (CE1, CE2, CE3) and Purple sites 1-2 (CE1, CE4) attach to PE1-PE4 across the SP MPLS core, each customer in its own MPLS-VPN (Blue, Purple). An IGP runs inside each site; eBGP runs on the PE-CE links. The PE-CE link addresses (12.x) will become the RLOCs; the customer prefixes (10.x) will become the EIDs.]

CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#

PE2#show ip route vrf BLUE
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
B       10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#

The 10.x entries are the customer prefixes (EIDs!!); the 12.x entries are the PE-CE links (RLOCs!!). Today the PE's VRF carries both.
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP!
[Diagram: same topology. CE1 at Blue site 1 now runs as MS/MR and xTR, and CE2 and CE3 as xTRs; the IGP still runs inside each site and eBGP on the PE-CE links. The eBGP session toward the PE is marked "✗ route-map deny EIDs out": the xTR stops advertising its EID prefixes to the SP, so only the PE-CE links (the RLOCs) remain in BGP.]
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP! (✗ route-map deny EIDs out applied on CE1's eBGP session)

CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#

PE2#show ip route vrf BLUE
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#

CE1 still holds this site's own prefixes (EIDs!!) from the IGP and the PE-CE links (RLOCs!!) from BGP, but the remote-site EIDs (10.3.x) are no longer learned through BGP, and PE2's Blue VRF now carries only the PE-CE links.
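The check a practitioner wants after applying the outbound route-map is that no EID prefix is still present in the SP's VRF, because any EID that leaks into BGP is forwarded natively by the PE instead of through the LISP overlay. The following is an added example, not part of the Cisco deck: it parses IOS `show ip route` output and reports routes that overlap the customer EID space. The two tables are transcribed from the PE2 outputs on the slides above; the EID space of 10.0.0.0/8 is an assumption taken from the slide's "Customer Prefixes (EIDs!!)" and "PE-CE links (RLOCs!!)" annotations.

```python
"""Added example (not from the deck): flag customer EID prefixes that remain in
an MPLS-VPN PE's VRF after the xTR's outbound route-map should have removed them.
"""
import ipaddress
import re

# One IOS 'show ip route' entry: route code(s), prefix, remainder of the line.
# Summary lines ("     10.0.0.0/8 is subnetted ...") start with spaces and do not match.
ROUTE_LINE = re.compile(
    r"^([A-Z]{1,2}(?: [A-Z]{1,2})?)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(.*)$")

# Transcribed from the slides: PE2's Blue VRF before and after "route-map deny EIDs out".
PE2_VRF_BEFORE = """\
PE2#show ip route vrf BLUE
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
B       10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
"""

PE2_VRF_AFTER = """\
PE2#show ip route vrf BLUE
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
"""

EID_SPACE = ["10.0.0.0/8"]   # assumption: the customer's EID aggregate (10.x on the slides)


def parse_routes(text):
    """Return (code, network, detail) for every route entry in the output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            # strict=False tolerates host bits in a prefix, e.g. the '12.1.0.2/30' CE1 shows
            net = ipaddress.ip_network(m.group(2), strict=False)
            routes.append((m.group(1), net, m.group(3)))
    return routes


def leaked_eids(vrf_text, eid_space=EID_SPACE):
    """Routes in the VRF that overlap the EID space. Empty once the route-map works."""
    eids = [ipaddress.ip_network(p) for p in eid_space]
    return [(code, str(net), detail)
            for code, net, detail in parse_routes(vrf_text)
            if any(net.overlaps(e) for e in eids)]


if __name__ == "__main__":
    for name, table in (("before", PE2_VRF_BEFORE), ("after", PE2_VRF_AFTER)):
        leaks = leaked_eids(table)
        print("%s: %d EID prefixes present in VRF BLUE" % (name, len(leaks)))
        for code, prefix, detail in leaks:
            print("  %-4s %-16s %s" % (code, prefix, detail))
```

Run it against the live `show ip route vrf <name>` of every PE facing a LISP-enabled CE; a non-empty result means an xTR is still leaking EIDs into BGP and the route-map (or its prefix-list) on that CE needs fixing.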
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP! (✗ route-map deny EIDs out)

CE1#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 12 entries
0.0.0.0/0, uptime: 6w0d, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.3.0.0/24, uptime: 00:00:06, expires: 23:59:46, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.0.2  00:00:06  up     1/100
---<more>---
CE1#

The other site's EIDs (10.3.0.0/24) are now resolved through the mapping system and mapped to that site's PE-CE link address (the RLOC, 12.3.0.2), not learned from BGP.
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
2: Add IPv6 over IPv4 MPLS with LISP (✗ route-map deny EIDs out)

CE1#show run | begin router lisp
---<skip>---
router lisp
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 priority 1 weight 100
  exit
 !
 ipv6 itr map-resolver 12.1.0.2
 ipv6 itr
 ipv6 etr map-server 12.1.0.2 key ce1-xtr
 ipv6 etr
 exit
!
---<more>---
CE1#

The IPv6 EIDs (2001:db8:a:a::/64) are registered against the existing IPv4 PE-CE link address as RLOC. The SP MPLS-VPN has no IPv6 enabled at all:

PE2#show ipv6 route vrf Blue
% Specified IPv6 routing table does not exist
PE2#
LISP Multihoming and Multi-AF
• LISP and MPLS Integration
2: Add IPv6 over IPv4 MPLS with LISP (✗ route-map deny EIDs out)

CE1#ping 2001:db8:b:b::1 so 2001:db8:a:a::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:db8:b:b::1, timeout is 2 seconds:
Packet sent with a source address of 2001:db8:a:a::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
CE1#

CE1#show ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 3 entries
::/0, uptime: 6w0d, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
2001:DB8:B:B::/64, uptime: 00:01:17, expires: 23:58:36, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.0.2  00:00:06  up     1/100
---<more>---
CE1#

The other site's IPv6 EIDs map to an IPv4 RLOC (the PE-CE link 12.3.0.2), so IPv6 rides over the IPv4-only MPLS-VPN without any change on the PEs.
IPv6
LISP – Disjointed RLOC Space Feature
• Disjointed Locator Space Support
 Locator/ID separation creates two namespaces: EIDs and RLOCs
– EID space is the overlay of enterprise prefixes
– RLOC space is the underlay network connectivity
 The fundamental principle of any network is that connectivity must exist between sites
 LISP supports sites being connected to locator spaces that have no connectivity to each other!
– In LISP, this is known as a "disjointed RLOC set"
[Diagram: xTRs attached to three locator spaces with no mutual connectivity: the IPv4 Internet (0.0.0.0/0), an MPLS VPN core, and the IPv6 Internet (::/0). An MS/MR and an RTR (re-encapsulating tunnel router) are reachable from all of them and stitch the spaces together.]
LISP – Disjointed RLOC Space Example
• EXAMPLE: Cross Address-Family Disjointed RLOC Space
[Topology used for the rest of this example:
  xTR4   RLOC 10.0.4.1 on 10.0.4.0/30, attached to the IPv4 Internet (0.0.0.0/0, scope 1); EIDs 4.4.4.0/24 and 4:4:4::/48
  xTR6   RLOC 10:0:6::1 on 10:0:6::/64, attached to the IPv6 Internet (::/0, scope 2); EIDs 6.6.6.0/24 and 6:6:6::/48
  MSMR   10.0.2.1 and 10:0:2::1, reachable from both scopes
  RTR    10.0.3.1 and 10:0:3::1, reachable from both scopes]
LISP – Disjointed RLOC Space Example
• EXAMPLE: Cross Address-Family Disjointed RLOC Space
xTR4 – normal xTR configuration
• IPv4-only RLOC
• IPv4 and IPv6 EIDs

!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ipv6 address 4:4:4::4/64
!
interface LISP0
!
interface Ethernet0/0
 description Conn to R1 Core (v4 only)
 ip address 10.0.4.1 255.255.255.252
!
router lisp
 locator-set R4
  10.0.4.1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 4.4.4.0/24 locator-set R4
  database-mapping 4:4:4::/48 locator-set R4
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.0.2.1
 ipv4 etr map-server 10.0.2.1 key R4KEY
 ipv4 use-petr 10.0.3.1
 ipv6 itr
 ipv6 etr
 ipv6 etr map-server 10.0.2.1 key R4KEY
 ipv6 itr map-resolver 10.0.2.1
 ipv6 use-petr 10.0.3.1
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.4.2
LISP – Disjointed RLOC Space Example
• EXAMPLE: Cross Address-Family Disjointed RLOC Space
xTR6 – normal xTR configuration
• IPv6-only RLOC
• IPv4 and IPv6 EIDs

!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 ipv6 address 6:6:6::6/64
!
interface LISP0
!
interface Ethernet0/0
 description Conn to R1 Core (v6 only)
 ipv6 address 10:0:6::1/64
!
router lisp
 locator-set R6
  10:0:6::1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 6.6.6.0/24 locator-set R6
  database-mapping 6:6:6::/48 locator-set R6
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10:0:2::1
 ipv4 etr map-server 10:0:2::1 key R6KEY
 ipv4 use-petr 10:0:3::1
 ipv6 itr
 ipv6 etr
 ipv6 etr map-server 10:0:2::1 key R6KEY
 ipv6 itr map-resolver 10:0:2::1
 ipv6 use-petr 10:0:3::1
 exit
!
ipv6 route ::/0 10:0:6::2
LISP – Disjointed RLOC Space Example
• EXAMPLE: Cross Address-Family Disjointed RLOC Space
Map-Server Configuration:
• Define "locator-scopes" (each with the rloc-prefix that identifies the scope)
• Define the "rtr-set" to hand out for each scope

!
interface Ethernet0/0
 description Conn to R1 Core (v4 and v6)
 ip address 10.0.2.1 255.255.255.252
 ipv6 address 10:0:2::1/64
!
router lisp
 locator-set v4-rtr-set
  10.0.3.1 priority 1 weight 1
  exit
 !
 locator-set v6-rtr-set
  10:0:3::1 priority 1 weight 1
  exit
 !
 locator-scope v4-net
  rtr-locator-set v4-rtr-set
  rloc-prefix 0.0.0.0/0
  exit
 !
 locator-scope v6-net
  rtr-locator-set v6-rtr-set
  rloc-prefix ::/0
  exit
 !
 site R4
  authentication-key R4KEY
  eid-prefix 4.4.4.0/24
  eid-prefix 4:4:4::/48
  exit
 !
 site R6
  authentication-key R6KEY
  eid-prefix 6.6.6.0/24
  eid-prefix 6:6:6::/48
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv6 map-server
 ipv6 map-resolver
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.2.2
ipv6 route ::/0 10:0:2::2
!
LISP – Disjointed RLOC Space Example
• EXAMPLE: Cross Address-Family Disjointed RLOC Space
RTR Configuration:
• Define the "rtr RLOCs": the RTR is a PxTR with one RLOC in each scope, so it can re-encapsulate between them

interface Ethernet0/0
 description Conn to R1 Core (v4 and v6)
 ip address 10.0.3.1 255.255.255.252
 ipv6 address 10:0:3::1/64
!
router lisp
 locator-set setALL
  10.0.3.1 priority 1 weight 1
  10:0:3::1 priority 1 weight 1
  exit
 !
 map-request itr-rlocs setALL
 eid-table default instance-id 0
  map-cache 0.0.0.0/0 map-request
  map-cache ::/0 map-request
  exit
 !
 ipv4 map-request-source 10.0.3.1
 ipv4 map-cache-limit 100000
 ipv4 proxy-etr
 ipv4 proxy-itr 10.0.3.1 10:0:3::1
 ipv4 itr map-resolver 10.0.2.1
 ipv4 itr map-resolver 10:0:2::1
 ipv6 map-request-source 10:0:3::1
 ipv6 map-cache-limit 100000
 ipv6 proxy-etr
 ipv6 proxy-itr 10:0:3::1 10.0.3.1
 ipv6 itr map-resolver 10.0.2.1
 ipv6 itr map-resolver 10:0:2::1
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.3.2
ipv6 route ::/0 10:0:3::2
!

"map-request itr-rlocs setALL" makes the RTR list both of its RLOCs in every Map-Request it sends, which is what lets the Map-Server find a scope in common with the ETR. "map-cache-limit" bounds the map-cache on a device that, as a PxTR, will resolve every unknown destination it is handed.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram legend for the flow slides: data plane is drawn as "native" and "lisp-encap", control plane as "map-req" and "map-rep". xTR4 (10.0.4.0/30, EIDs 4.4.4.0/24 and 4:4:4::/48) sits in the IPv4 Internet (scope 1); xTR6 (10:0:6::/64, EIDs 6.6.6.0/24 and 6:6:6::/48) sits in the IPv6 Internet (scope 2); the MSMR (10.0.2.1 / 10:0:2::1) and the RTR (10.0.3.1 / 10:0:3::1) are in both.]

xTR4#sh ip lisp database
---<skip>---
4.4.4.0/24, locator-set R4
  Locator   Pri/Wgt  Source    State
  10.0.4.1  1/1      cfg-addr  site-self, reachable
xTR4#sh ipv6 lisp database
---<skip>---
4:4:4::/48, locator-set R4
  Locator   Pri/Wgt  Source    State
  10.0.4.1  1/1      cfg-addr  site-self, reachable
xTR4#

xTR6#sh ip lisp database
---<skip>---
6.6.6.0/24, locator-set R6
  Locator    Pri/Wgt  Source    State
  10:0:6::1  1/1      cfg-addr  site-self, reachable
xTR6#sh ipv6 lisp database
---<skip>---
6:6:6::/48, locator-set R6
  Locator    Pri/Wgt  Source    State
  10:0:6::1  1/1      cfg-addr  site-self, reachable
xTR6#
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows

MSMR#sh lisp site detail
---<skip>---
Site name: R4
---<skip>---
  EID-prefix: 4.4.4.0/24
---<skip>---
    ETR 10.0.4.1, last registered 00:00:52, no proxy-reply, map-notify
        TTL 1d00h, no merge, hash-function sha1, nonce…
        state complete, no security-capability
        xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6
        site-ID unspecified
      Locator   Local  State  Pri/Wgt  Scope
      10.0.4.1  yes    up     1/1      v4-net
  EID-prefix: 4:4:4::/48
---<skip>---
    ETR 10.0.4.1, last registered 00:00:39, no proxy-reply, map-notify
        TTL 1d00h, no merge, hash-function sha1, nonce…
        state complete, no security-capability
        xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6
        site-ID unspecified
      Locator   Local  State  Pri/Wgt  Scope
      10.0.4.1  yes    up     1/1      v4-net
---<skip>---

The Map-Server has classified the registered locator 10.0.4.1 into scope v4-net by matching it against the rloc-prefix of each locator-scope.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows

MSMR#sh lisp site detail
---<skip>---
Site name: R6
---<skip>---
  EID-prefix: 6.6.6.0/24
---<skip>---
    ETR 10:0:6::1, last registered 00:00:26, no proxy-reply, map-notify
        TTL 1d00h, no merge, hash-function sha1, nonce…
        state complete, no security-capability
        xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429
        site-ID unspecified
      Locator    Local  State  Pri/Wgt  Scope
      10:0:6::1  yes    up     1/1      v6-net
  EID-prefix: 6:6:6::/48
---<skip>---
    ETR 10:0:6::1, last registered 00:00:27, no proxy-reply, map-notify
        TTL 1d00h, no merge, hash-function sha1, nonce…
        state complete, no security-capability
        xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429
        site-ID unspecified
      Locator    Local  State  Pri/Wgt  Scope
      10:0:6::1  yes    up     1/1      v6-net
---<skip>---

xTR6's locator 10:0:6::1 lands in scope v6-net. The two sites therefore register into disjoint scopes.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows

RTR#sh ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries
0.0.0.0/0, uptime: 00:00:04, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
RTR#
RTR#sh ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 1 entries
::/0, uptime: 00:00:05, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
RTR#

Before any traffic flows the RTR holds only the two static default map-cache entries from its configuration, each set to trigger a Map-Request.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 1: a native packet 4:4:4::4 -> 6:6:6::6 arrives at xTR4.
How do I forward to 6:6:6::6?
1. Check FIB – NO
2. Check map-cache – NO
3. Maybe 6:6:6::6 is a LISP destination? Send Map-Request
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 2: xTR4 sends the Map-Request to the Map-Resolver inside a LISP Encapsulated Control Message (ECM), 10.0.4.1 -> 10.0.2.1, UDP 4342:
  Type 1 (map-request)
  Nonce
  src-eid:   [2] 4:4:4::4
  itr-rloc:  10.0.4.1
  record-1:  [2] 6:6:6::6
([2] is the address-family identifier, AFI 2 = IPv6.)

xTR4#
*Aug 25 01:00:32.108: LISP-0: AF IPv6, Sending map-request from 4:4:4::4 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 1, nonce 0xA0E6CC5A-0x7A1D2EEC (encap src 10.0.4.1, dst 10.0.2.1).
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 3: the MSMR receives the Map-Request for 6:6:6::6 and evaluates the scopes:
1. ETR RLOC is in scope v6-net (10:0:6::1)
2. ITR RLOC is in scope v4-net (10.0.4.1)
3. Disjoint scopes – YES
4. Send a proxy Map-Reply naming the RTR of the ITR's scope, 10.0.3.1
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 3 (continued): the proxy Map-Reply, 10.0.2.1 -> 10.0.4.1, UDP 4342:
  Type 2 (map-reply) [P]
  Nonce/TTL
  6:6:6::/48
  10.0.3.1 [1, 1]

MSMR#
*Aug 25 01:11:45.734: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.4.1:4342 to 10.0.2.1:4342
*Aug 25 01:11:45.734: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 4:4:4::4.4342 to 6:6:6::6.4342
*Aug 25 01:11:45.734: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.4.1, records 1, nonce 0x5A0206C2-0xF706E61B
*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, No common scopes between ITR and ETR RLOCs, proxy reply.
*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Sending scope forced proxy reply to 10.0.4.1.

Note that R6 registered with "no proxy-reply"; the Map-Server answers on the ETR's behalf anyway ("scope forced proxy reply") because forwarding the request to an ETR the ITR cannot reach would be pointless.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 4: xTR4 installs the mapping and encapsulates the packet toward the RTR: outer 10.0.4.1 -> 10.0.3.1, inner 4:4:4::4 -> 6:6:6::6.

xTR4#show ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries
---<skip>---
6:6:6::/48, uptime: 00:02:18, expires: 00:12:44, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.0.3.1  00:02:18  up     1/1
xTR4#

From xTR4's point of view 6:6:6::/48 simply lives behind locator 10.0.3.1. Note the entry's lifetime: uptime plus remaining expiry is 15 minutes for this proxy-replied mapping, against the 24 hours seen on mappings replied by an ETR.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
The RTR decapsulates the packet from xTR4 and must now forward 4:4:4::4 -> 6:6:6::6 itself.
How do I forward to 6:6:6::6?
1. Check FIB – NO
2. Check map-cache – the static ::/0 entry says send map-request
Send Map-Request…
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 5: the RTR, acting as a PITR, sends its own Map-Request in an ECM, 10.0.3.1 -> 10.0.2.1, UDP 4342, listing both of its RLOCs:
  Type 1 (map-request)
  Nonce
  src-eid:   [2] 10:0:3::1
  itr-rloc:  10.0.3.1
  itr-rloc:  10:0:3::1
  record-1:  [2] 6:6:6::6

RTR#
*Aug 25 01:18:17.328: LISP-0: AF IPv6, Sending map-request from 10:0:3::1 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 2, nonce 0xC437B6B6-0xCD1B12C2 (encap src 10.0.3.1, dst 10.0.2.1), FromPITR.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 6: the MSMR receives the RTR's Map-Request for 6:6:6::6 and evaluates the scopes:
1. ETR RLOC is in scope v6-net (10:0:6::1)
2. PITR RLOCs are in scope v4-net (10.0.3.1) and scope v6-net (10:0:3::1)
3. Disjoint scopes – NO
4. Forward the Map-Request to the ETR, 10:0:6::1
The forwarded ECM, 10:0:2::1 -> 10:0:6::1, UDP 4342, carries the RTR's request unchanged:
  Type 1 (map-request)
  Nonce
  src-eid:   [2] 10:0:3::1
  itr-rloc:  10.0.3.1
  itr-rloc:  10:0:3::1
  record-1:  [2] 6:6:6::6

MSMR#
*Aug 25 01:36:16.684: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.3.1:4342 to 10.0.2.1:4342
*Aug 25 01:36:16.684: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342
*Aug 25 01:36:16.685: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x098BDC65-0xE6054A2F, FromPITR
*Aug 25 01:36:16.685: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Forwarding map request to ETR RLOC 10:0:6::1.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
xTR6 receives the forwarded Map-Request for 6:6:6::6:
1. ETR RLOC is 10:0:6::1
2. PITR RLOCs are 10.0.3.1 and 10:0:3::1
3. Send the Map-Reply to the ITR-RLOC it can reach, 10:0:3::1
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Step 7: xTR6 answers directly, 10:0:6::1 -> 10:0:3::1, UDP 4342:
  Type 2 (map-reply)
  Nonce/TTL
  6:6:6::/48
  10:0:6::1 [1, 1]

xTR6#
*Aug 25 01:46:56.022: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10:0:2::1.4342 to 10:0:6::1.4342
*Aug 25 01:46:56.022: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342
*Aug 25 01:46:56.022: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x634D8861-0xDBA36771, FromPITR
*Aug 25 01:46:56.022: LISP: Processing map request record for EID prefix IID 0 6:6:6::6/128
*Aug 25 01:46:56.022: LISP-0: Sending map-reply from 10:0:6::1 to 10:0:3::1.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
The RTR installs the mapping it received from xTR6:

RTR#show ipv6 lisp map-cache
---<skip>---
6:6:6::/48, uptime: 00:05:17, expires: 23:54:53, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10:0:6::1  00:05:17  up     1/1
RTR#

This entry, replied by the ETR itself, carries the full 24-hour TTL.
LISP – Disjointed RLOC Space Example
• Cross Address-Family Disjointed RLOC Space Example – Flows
Steps 8 and 9: the RTR re-encapsulates the original packet toward xTR6 over the IPv6 Internet, outer 10:0:3::1 -> 10:0:6::1, inner 4:4:4::4 -> 6:6:6::6; xTR6 decapsulates and delivers it natively. The end-to-end path is therefore xTR4 (IPv4 encap) -> RTR (decap, re-encap) -> xTR6 (IPv6 decap), with neither xTR aware that the other sits in a locator space it cannot reach.
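The nine steps above are a Map-Server decision driven entirely by the ITR-RLOC list in each Map-Request. The following is an added example, not code from the Cisco deck: it serialises and parses a LISP Map-Request in the RFC 6830 wire format (the Type 1 message shown in steps 2 and 5, with AFI 1 = IPv4 and AFI 2 = IPv6 as in the "[2]" annotations) and then applies the locator-scope check the MSMR debug lines describe, returning either a proxy reply naming the RTR or a forward to the ETR. The scope table, RTR addresses and site registrations are transcribed from the MSMR configuration slide; the nonces are the ones in the debug output; the decision procedure is a model of the debug messages, not Cisco's implementation. One caveat worth keeping in mind when reading it: the Map-Request carries no authentication, so the ITR-RLOCs that select the scope (and hence which RTR the requester is pointed at) are asserted by the requester, whereas the registration side is keyed (the site authentication-key, "hash-function sha1" in the `show lisp site detail` output).

```python
"""Added example (not part of the Cisco deck): LISP Map-Request encode/decode per
RFC 6830 section 6.1.2, plus a model of the Map-Server's locator-scope decision.
Only the fields the slides show are handled (flags, IRC, record count, nonce,
source EID, ITR-RLOCs, one EID record)."""
import ipaddress
import struct

AFI_NONE, AFI_IPV4, AFI_IPV6 = 0, 1, 2      # IANA address family numbers
TYPE_MAP_REQUEST = 1


def _afi_addr(addr):
    """AFI (16 bits) followed by the packed address."""
    ip = ipaddress.ip_address(addr)
    return struct.pack("!H", AFI_IPV4 if ip.version == 4 else AFI_IPV6) + ip.packed


def _parse_afi_addr(buf, off):
    """Return (address string or None for AFI 0, offset after the field)."""
    afi = struct.unpack_from("!H", buf, off)[0]
    length = {AFI_NONE: 0, AFI_IPV4: 4, AFI_IPV6: 16}[afi]
    off += 2
    addr = str(ipaddress.ip_address(buf[off:off + length])) if length else None
    return addr, off + length


def build_map_request(nonce, src_eid, itr_rlocs, eid, mask_len, pitr=False):
    """Serialise a Map-Request with one EID record.
    Byte 0: Type (4 bits) | A M P S flags.  Byte 1: p (PITR) s (SMR-invoked) | reserved.
    Byte 2: reserved | IRC (5 bits) = number of ITR-RLOCs minus one.  Byte 3: record count.
    Bytes 4-11: 64-bit nonce. Then source EID, ITR-RLOC list and the record."""
    if not 1 <= len(itr_rlocs) <= 32:
        raise ValueError("IRC is a 5-bit field: 1..32 ITR-RLOCs")
    hdr = struct.pack("!BBBBQ", TYPE_MAP_REQUEST << 4, 0x80 if pitr else 0,
                      len(itr_rlocs) - 1, 1, nonce)
    body = _afi_addr(src_eid) + b"".join(_afi_addr(r) for r in itr_rlocs)
    record = struct.pack("!BB", 0, mask_len) + _afi_addr(eid)  # reserved, mask-len, AFI+prefix
    return hdr + body + record


def parse_map_request(buf):
    """Inverse of build_map_request; rejects any other message type."""
    if buf[0] >> 4 != TYPE_MAP_REQUEST:
        raise ValueError("not a Map-Request (type %d)" % (buf[0] >> 4))
    pitr, irc, count = bool(buf[1] & 0x80), buf[2] & 0x1F, buf[3]
    nonce = struct.unpack_from("!Q", buf, 4)[0]
    src_eid, off = _parse_afi_addr(buf, 12)
    itr_rlocs = []
    for _ in range(irc + 1):
        rloc, off = _parse_afi_addr(buf, off)
        itr_rlocs.append(rloc)
    records = []
    for _ in range(count):
        mask_len = buf[off + 1]
        eid, off = _parse_afi_addr(buf, off + 2)
        records.append((eid, mask_len))
    return {"pitr": pitr, "nonce": nonce, "src_eid": src_eid,
            "itr_rlocs": itr_rlocs, "records": records}


# Map-Server state transcribed from the MSMR configuration and 'show lisp site detail'.
LOCATOR_SCOPES = {
    "v4-net": {"rloc_prefix": "0.0.0.0/0", "rtr_locator_set": ["10.0.3.1"]},
    "v6-net": {"rloc_prefix": "::/0", "rtr_locator_set": ["10:0:3::1"]},
}
SITES = {   # site -> EID prefix -> ETR RLOCs that registered it
    "R4": {"4.4.4.0/24": ["10.0.4.1"], "4:4:4::/48": ["10.0.4.1"]},
    "R6": {"6.6.6.0/24": ["10:0:6::1"], "6:6:6::/48": ["10:0:6::1"]},
}


def scopes_of(rloc):
    """Scopes whose rloc-prefix covers this RLOC (an IPv4 RLOC never matches ::/0)."""
    ip = ipaddress.ip_address(rloc)
    return {name for name, sc in LOCATOR_SCOPES.items()
            if ip in ipaddress.ip_network(sc["rloc_prefix"])}


def lookup_site(eid):
    ip = ipaddress.ip_address(eid)
    for site, prefixes in SITES.items():
        for prefix, etrs in prefixes.items():
            if ip in ipaddress.ip_network(prefix):
                return site, prefix, etrs
    raise LookupError("no registered prefix covers %s" % eid)


def map_server_decision(req):
    """('forward', etr_rlocs) when ITR and ETR share a scope, otherwise
    ('proxy-reply', eid_prefix, rtr_rlocs) naming the RTR(s) of the ITR's scope(s)."""
    eid, _ = req["records"][0]
    _, prefix, etrs = lookup_site(eid)
    itr_scopes = set().union(*(scopes_of(r) for r in req["itr_rlocs"]))
    etr_scopes = set().union(*(scopes_of(r) for r in etrs))
    if itr_scopes & etr_scopes:
        return ("forward", etrs)
    rtrs = [r for s in sorted(itr_scopes) for r in LOCATOR_SCOPES[s]["rtr_locator_set"]]
    return ("proxy-reply", prefix, rtrs)


if __name__ == "__main__":
    # Step 2: xTR4 (IPv4-only RLOC) asks for 6:6:6::6.
    step2 = parse_map_request(build_map_request(
        0xA0E6CC5A7A1D2EEC, "4:4:4::4", ["10.0.4.1"], "6:6:6::6", 128))
    print(step2, map_server_decision(step2))
    # Step 5: the RTR, as PITR, asks with one ITR-RLOC per address family.
    step5 = parse_map_request(build_map_request(
        0xC437B6B6CD1B12C2, "10:0:3::1", ["10.0.3.1", "10:0:3::1"], "6:6:6::6", 128, pitr=True))
    print(step5, map_server_decision(step5))
```

The first call reproduces step 3 (no common scope, proxy reply pointing at 10.0.3.1) and the second reproduces step 6 (the v6-net scope is shared, so the request is forwarded to 10:0:6::1). Feeding the parser a capture of UDP 4342 traffic is the quickest way to confirm which ITR-RLOCs an xTR or PxTR is actually advertising, which is what decides the path a flow takes through the RTR.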
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar
LISP Virtualization/VPN Support
Gregg Schudel
LISP Technical Marketing Engineer
[email protected]
CCIE #9591
LISP and Virtualization/VPN Overview
LISP Virtualization/VPNs
• Efficient Virtualization/Multi-Tenancy Support – Concepts
 Deploying a PHYSICAL network infrastructure requires large investments (for enterprises and service providers)
 Groups within organizations often want their own topologies and control of their own destiny
 Many factors make deploying multiple PHYSICAL infrastructures undesirable
– Stranded capacity (underutilized bandwidth, processors, etc.) costs $$
– Power, cooling, rack space, etc. cost $$
– CapEx costs $$
– OpEx costs $$
LISP Virtualization/VPNs
• Efficient Virtualization/Multi-Tenancy Support – Concepts
 Virtualization creates multiple VIRTUAL topologies across one common PHYSICAL infrastructure
[Figure: three Virtual topologies (User Group A, User Group B, User Group C) layered over the Actual Physical Network Infrastructure]
LISP Virtualization/VPNs
• Efficient Virtualization/Multi-Tenancy Support – Concepts
 Virtualization of the DEVICE level
– Virtual Routing and Forwarding (VRF) tables segment Layer 3 routing tables
– VRFs are used to virtualize the component resources
[Figure: one device holding the IP Global table, VRF-1 and VRF-2]
 Virtualization of the PATH level
– Virtualization secures movement of traffic between networks and enhances security policy options
– VRFs assist in path isolation
– Single-hop (hop-by-hop): 802.1q, DLCI, VPI/VCI, PW, EVN
– Multi-hop (over-the-top): GRE, MPLS, LISP!!
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs… LISP can virtualize the EID side, the RLOC side, or both!
 Two models of operation are defined: Shared and Parallel
– Shared Model Virtualization:
 Virtualizes the EID namespaces
 Binds an EID namespace privately defined using a VRF to an Instance-ID
 Uses a common (shared) RLOC (locator) address space
 The Mapping System is also part of the locator namespace and is shared
– Parallel Model Virtualization:
 Virtualizes the RLOC (locator) namespaces
 One or more EID instances may share a virtualized RLOC namespace
 A Mapping System must also be part of each locator namespace
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 RLOC virtualization is enabled in conjunction with locator table VRFs
 EID virtualization uses LISP Instance-IDs in conjunction with EID VRFs
– Instance-IDs maintain address space segmentation in control plane and data plane
– Instance-IDs are numerical tags defined in LISP Canonical Address Format (LCAF)
• IID: a 24-bit unstructured number
• Data Plane: IID is included in LISP encapsulation header
• Control Plane: IID is encoded with the EID in LCAF header
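To make the data-plane side of this concrete, here is an added example (written for this page, not code from the seminar or from Cisco) that builds and parses the 8-byte LISP data-plane header of RFC 6830 and shows how a decapsulating xTR uses the 24-bit Instance-ID to choose the EID table. The EID-table names for IIDs 0 to 3 follow the Site2 configuration later in this section; the `EID_TABLES` dictionary and the drop-on-unknown-IID policy are assumptions of the example, not stated on the slides.

```python
"""Build and parse the LISP data-plane header (RFC 6830, section 5.3).

Added example for this page; not code from the seminar or from Cisco. The header is
8 bytes: one flags byte, a 24-bit nonce (or map-version), and a 32-bit word that
holds the 24-bit Instance-ID plus 8 locator-status bits when the I flag is set, or
32 locator-status bits when it is not.
"""
import struct

FLAG_N = 0x80  # nonce present
FLAG_L = 0x40  # locator-status-bits present
FLAG_E = 0x20  # echo-nonce request
FLAG_V = 0x10  # map-version numbers present (mutually exclusive with N)
FLAG_I = 0x08  # Instance-ID present: 24-bit IID + 8 LSB bits

IID_MAX = (1 << 24) - 1

# Assumed EID tables on the decapsulating xTR, keyed by IID (names follow the
# Site2 configuration on this page: IID 0 default, 1 DeptA, 2 DeptB, 3 DeptC).
EID_TABLES = {0: "default", 1: "DeptA", 2: "DeptB", 3: "DeptC"}


def build_lisp_header(nonce, instance_id=None, lsb=0):
    """Return the 8-byte header. instance_id=None leaves the I flag clear (IID 0)."""
    if not 0 <= nonce <= 0xFFFFFF:
        raise ValueError("nonce must fit in 24 bits")
    flags = FLAG_N | FLAG_L
    if instance_id is None:
        word = lsb & 0xFFFFFFFF
    else:
        if not 0 <= instance_id <= IID_MAX:
            raise ValueError("Instance-ID must fit in 24 bits")
        flags |= FLAG_I
        word = (instance_id << 8) | (lsb & 0xFF)
    return struct.pack("!B3sI", flags, nonce.to_bytes(3, "big"), word)


def parse_lisp_header(header):
    """Decode flags, nonce, Instance-ID and locator-status bits from a header."""
    if len(header) < 8:
        raise ValueError("LISP header is 8 bytes")
    flags, nonce_bytes, word = struct.unpack("!B3sI", header[:8])
    if flags & FLAG_I:
        instance_id, lsb = word >> 8, word & 0xFF
    else:
        instance_id, lsb = 0, word
    return {
        "iid_present": bool(flags & FLAG_I),
        "nonce": int.from_bytes(nonce_bytes, "big") if flags & FLAG_N else None,
        "instance_id": instance_id,
        "lsb": lsb,
    }


def select_eid_table(header, tables=EID_TABLES):
    """ETR side: look the inner packet up only in the table bound to its IID.

    A packet carrying an IID with no configured EID table is dropped (None) rather
    than falling back to the default table, which is what keeps tenants apart.
    """
    return tables.get(parse_lisp_header(header)["instance_id"])


if __name__ == "__main__":
    hdr = build_lisp_header(nonce=0x1A2B3C, instance_id=3, lsb=0x01)
    print(hdr.hex(), parse_lisp_header(hdr), select_eid_table(hdr))
```

The point of `select_eid_table` is the lookup order: the IID is read from the header first and only the matching VRF is consulted, so two tenants can carry the same EID prefix (as the later slides do with 192.168.14.0/24 under IIDs 1, 2 and 3) without one tenant's packets ever being looked up in the other's table.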
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 Default (non-Virtualized) Model – at the device level
– Conceptually, the Default Model is just a single Parallel Model instance
– All EID lookups are in the same single table – default
– Thus, EIDs are associated with Instance-ID 0
– All RLOC lookups are in a single table – default
– The Mapping System is part of the locator address space
[Figure: one device (Default). EID side, toward the EID namespace (direct connect, IGP, etc.) and VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks): single EID namespace, default table. RLOC side, toward the shared RLOC namespace: single RLOC namespace, default table or RLOC VRF.]
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 Shared Model – at the device level
– Multiple EID-prefixes are allocated privately using VRFs
– EID lookups are in the VRF associated with an Instance-ID
– All RLOC lookups are in a single table – (default/global or RLOC VRF)
– The Mapping System is part of the locator address space and is shared
[Figure: one device. EID side, toward VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks): EID namespace VRF Pink, IID 1; EID namespace VRF Blue, IID 2. RLOC side, toward the shared RLOC namespace: single RLOC namespace, Default table or RLOC VRF.]
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 Parallel Model – at the device level
– Multiple EID-prefixes are allocated privately using VRFs
– EID lookups are in the VRF associated with an Instance-ID
– RLOC lookups are in the VRF associated with the locator table
– A Mapping System must be part of each locator address space
[Figure: one device with Pink, Blue and Default tables. EID namespace VRF Pink, IID 1: RLOC uses the Pink namespace. EID namespace VRF Blue, IID 2: RLOC uses the Blue namespace. Both EID and RLOC sides connect to VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks).]
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Concepts
 Shared and Parallel Models Combined – at the device level
– Multiple “Shared Model” instantiations combined with Multiple “Parallel Model” instantiations
– Multiple EID VRFs bound to a single RLOC VRF
– Multiple RLOC VRFs on the same device
[Figure: one device with Pink, Blue and Default tables. EID VRFs VRF-1 (IID 101, Cust1), VRF-2 (IID 102, Cust2) and VRF-3 (IID 103, Cust3) all use the Pink RLOC namespace; EID VRFs VRF-A (IID 901, CustA), VRF-B (IID 902, CustB) and VRF-C (IID 903, CustC) all use the Blue RLOC namespace. Both sides connect to VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks).]
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs – Overview
All VPNs share a set of common requirements
1. Encapsulation:
‒ Includes some form of data plane encoding for per-tenant segmentation
2. Site to Site Routing:
‒ Create extension to existing enterprise internal routing and topology
• Otherwise, one tunnel per structure (not scalable)
• Agnostic to core networks
• Allows NAT, DHCP, etc.
3. Security:
‒ Built-in or Add-on
• Protocol itself includes basic features
• Addition of Confidentiality, Integrity, and Authentication as needed
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs – Overview
All VPNs share a set of common requirements
1. Encapsulation:
‒ LISP Data Plane and Control Plane encoding for per-tenant segmentation
• LISP IID per EID VRF
• RLOC virtualization
2. Site to Site Routing:
‒ Site-to-Site, hub-spoke, optional local offload (split tunnel)
‒ No IGP required to branch sites!
‒ Disjointed RLOCs, NAT, DHCP, etc.
LISP VPN: Routing? or Tunneling? -- It’s BOTH!
3. Security:
‒ Built-in or Add-on
• LISP control and data plane measures
• LISP SEC and other optional features
• GDOI and IPsec on EID or RLOC side
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs – Overview
LISP – inherent scalability and virtualization, rapidly deployable
Scalability (# of VPN sites): Unconstrained
• No protocol constraint
• 100K concurrent site connections
VPN site-to-site routing: Unnecessary
• No site-to-site routing required
• No VPN route injection into core
• LISP / Non-LISP site interworking through PxTR
Secure Segmentation: 24-bit Instance ID with VRF
• 16M unique VPN classifiers
• Used by LISP control plane and data plane
• Optional data plane encryption with GETVPN
Performance: Optimal Path (P2P), Load balancing
• Shortest path between LISP sites
• Equal cost/unequal cost load balancing
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs – Overview
Generalized LISP Shared Model deployment
[Figure: EID Name Space (IPv4/IPv6) on both edges, RLOC Name Space (IPv4/IPv6) in the middle; LISP routers xTR1, xTR2, xTR3 and the MS/MR, non-LISP routers in the core. xTR1 (multi-tenant) serves User Blue (EID 192.168.1.0/24, IID 1, VRF Blue) and User Red (EID 192.168.1.0/24, IID 2, VRF Red); xTR2 (single tenant) serves User Red (EID 192.168.2.0/24, IID 2, VRF Red); xTR3 (single tenant) serves User Blue (EID 192.168.2/24, IID 1, VRF Blue). Encapsulated packets carry IID 1 or IID 2 in the LISP header (Data | EID | IID | LISP Hdr | RLOC).]
MS/MR
• Shared by multiple customers
• Located in RLOC name space
Mapping database as drawn on the slide:
IID  EID             RLOC
1    192.168.1.0/24  xTR1
1    192.168.2.0/24  xTR3
2    192.168.1.0/24  xTR2
2    192.168.2.0/24  xTR3
xTR (Multi-Tenant)
• Accommodates multiple customers
• Deployed for PE model
• Located at Edge layer, DC or customer site
xTR (Single Tenant)
• Accommodates single customer
• Deployed for CPE Overlay model
• Located at customer site
LISP Virtualization Examples
LISP Virtualization + Internet
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
Say we want to build this…
- Three VRFs, IPv4 and IPv6
- HQ multihomed, two CPE
- Remote multihomed, one CPE
- Remote single-homed, DHCP
- Add encryption (GETVPN)
[Figure: HQ with VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3), two xTR/MSMR/GM routers and a KS, attached to an IPv4 Core; Site 1, Site 2 and Site 3 each behind an xTR/GM (Site 1 with two xTRs). This topology is reused on the following slides.]
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
[Figure: same topology. On an HQ xTR, VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3) map to the LISP0.1, LISP0.2 and LISP0.3 interfaces. To Enterprise Internal Networks: segmentation by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks). To IPv4 or IPv6 Core: the RLOC namespace is the Default table.]
• Single RLOC namespace
• Default table (or RLOC VRF)
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
1. Build the underlay (RLOCs)
Examples:
• Normal IP routing…
• Nothing to do with LISP!
All other sites are similar!

HQ1 xTR/MSMR/GM
!
hostname HQ1
!
interface Ethernet0/0
 ip address 10.0.14.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.14.1
!

Remote2 xTR/GM
!
hostname Remote2
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.252
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.2.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
1. Build the underlay (RLOCs)
Examples:
• Normal IP routing…
• Nothing to do with LISP!
Verification… Example: RLOC to RLOC
Site2#ping 10.0.14.2 source 10.2.2.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 ms
Site2#
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Remote2 xTR/GM
!
router lisp
 locator-set Site2
  10.2.1.2 priority 1 weight 50
  10.2.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 192.168.255.16/32 locator-set Site2
  exit
 !
 eid-table vrf DeptA instance-id 1
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 1:1:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptB instance-id 2
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 2:2:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptC instance-id 3
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 3:3:16::/64 locator-set Site2
  exit
 !
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
All other sites are similar!

Remote2 xTR/GM
 ! – continued – LISP control plane
 !
 ipv4 itr map-resolver 10.0.14.2
 ipv4 itr map-resolver 10.0.15.2
 ipv4 itr
 ipv4 etr map-server 10.0.14.2 key site2-pswd
 ipv4 etr map-server 10.0.15.2 key site2-pswd
 ipv4 etr
 ipv6 map-server
 ipv6 map-resolver
 ipv6 itr map-resolver 10.0.14.2
 ipv6 itr map-resolver 10.0.15.2
 ipv6 itr
 ipv6 etr map-server 10.0.14.2 key site2-pswd
 ipv6 etr map-server 10.0.15.2 key site2-pswd
 ipv6 etr
 exit
!
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

HQ2 xTR/MSMR/GM
router lisp
 !
 site HQ
  authentication-key hq-pswd
  eid-prefix 192.168.18.0/24
  eid-prefix 192.168.19.0/24
  eid-prefix 192.168.255.14/32
  eid-prefix 192.168.255.15/32
  eid-prefix instance-id 1 192.168.14.0/24
  eid-prefix instance-id 1 1:1:14::/64
  eid-prefix instance-id 2 192.168.14.0/24
  eid-prefix instance-id 2 2:2:14::/64
  eid-prefix instance-id 3 192.168.14.0/24
  eid-prefix instance-id 3 3:3:14::/64
  exit
 !
 site Site1
  authentication-key site1-pswd
  eid-prefix 192.168.255.11/32
  eid-prefix instance-id 1 192.168.11.0/24
  eid-prefix instance-id 1 1:1:11::/64
  eid-prefix instance-id 2 192.168.11.0/24
  eid-prefix instance-id 2 2:2:11::/64
  eid-prefix instance-id 3 192.168.11.0/24
  eid-prefix instance-id 3 3:3:11::/64
  exit
 !
 ---<etc.>---
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification…

HQ2 xTR/MSMR/GM
HQ2#show lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last     Inst  EID Prefix
               Register       Registered   ID
HQ             00:00:46  yes  10.0.14.2    0     192.168.18.0/24
               00:00:05  yes  10.0.15.2    0     192.168.19.0/24
               00:00:46  yes  10.0.14.2    0     192.168.255.14/32
               00:00:05  yes  10.0.15.2    0     192.168.255.15/32
               00:00:09  yes  10.0.14.2    1     192.168.14.0/24
               00:00:56  yes  10.0.14.2    1     1:1:14::/64
               00:00:32  yes  10.0.15.2    2     192.168.14.0/24
               00:00:23  yes  10.0.15.2    2     2:2:14::/64
               00:00:54  yes  10.0.15.2    3     192.168.14.0/24
               00:00:43  yes  10.0.14.2    3     3:3:14::/64
Site1          00:00:07  yes  10.0.11.2    0     192.168.255.11/32
               00:00:16  yes  10.0.11.2    1     192.168.11.0/24
               00:00:42  yes  10.0.11.2    1     1:1:11::/64
               00:00:32  yes  10.0.11.2    2     192.168.11.0/24
               00:00:41  yes  10.0.11.2    2     2:2:11::/64
---<etc.>---
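The “Who Last Registered” column above is the one worth watching operationally: a site whose prefix is suddenly registered from an RLOC that is not one of its own ETRs points at a misconfiguration or a stray device holding that site's key. The following added example (written for this page, not the seminar's or Cisco's code) parses `show lisp site` output of the shape shown on the slide and reports registrations from RLOCs outside a per-site inventory. The sample output is constructed from the HQ2 table with one extra row from RLOC 10.0.99.2 added to trigger the check; `EXPECTED_RLOCS` is an assumed inventory.

```python
"""Parse 'show lisp site' output and flag registrations from unexpected RLOCs.

Added example for this page; not code from the seminar or from Cisco. The sample
output is constructed from the HQ2 table on this slide, with one extra row added to
show a registration from an RLOC that is not one of the site's known ETRs.
"""
import re

SAMPLE_OUTPUT = """\
HQ2#show lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last     Inst  EID Prefix
               Register       Registered   ID
HQ             00:00:46  yes  10.0.14.2    0     192.168.18.0/24
               00:00:05  yes  10.0.15.2    0     192.168.19.0/24
               00:00:09  yes  10.0.14.2    1     192.168.14.0/24
               00:00:32  yes  10.0.15.2    2     192.168.14.0/24
Site1          00:00:07  yes  10.0.11.2    0     192.168.255.11/32
               00:00:16  yes  10.0.11.2    1     192.168.11.0/24
               00:00:03  yes  10.0.99.2    2     192.168.11.0/24
HQ2#
"""

# Assumed inventory: which RLOCs are allowed to register each site.
EXPECTED_RLOCS = {
    "HQ": {"10.0.14.2", "10.0.15.2"},
    "Site1": {"10.0.11.2"},
}

# One registration row: optional site name, last-register time (or 'never'),
# up flag, registering RLOC (or '-'), instance ID and EID prefix.
ROW_RE = re.compile(
    r"^(?P<site>\S+)?\s+(?P<last>\d\d:\d\d:\d\d|never)\s+(?P<up>yes|no)\s+"
    r"(?P<who>\S+)\s+(?P<iid>\d+)\s+(?P<prefix>\S+)\s*$"
)


def parse_lisp_site(text):
    """Return one dict per registration row; the site name is carried over
    continuation rows, which the CLI leaves blank."""
    rows, site = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        site = m.group("site") or site
        rows.append({
            "site": site,
            "last_register": m.group("last"),
            "up": m.group("up") == "yes",
            "rloc": m.group("who"),
            "iid": int(m.group("iid")),
            "prefix": m.group("prefix"),
        })
    return rows


def unexpected_registrations(rows, expected=EXPECTED_RLOCS):
    """Registered rows whose RLOC is not in the site's expected set (an unknown
    site has an empty set, so every registration for it is reported)."""
    return [r for r in rows if r["up"] and r["rloc"] not in expected.get(r["site"], set())]


if __name__ == "__main__":
    for r in unexpected_registrations(parse_lisp_site(SAMPLE_OUTPUT)):
        print("unexpected registration:", r)
```

Run this against periodically collected output from each Map-Server; because the check is keyed by site rather than by prefix, it also catches the case where a legitimate prefix is registered under the right IID but from the wrong device.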
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID
Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptC
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID
Site3#show ip lisp map-cache instance-id 3
LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
---<skip>---
192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:01:38  up     1/50
  10.0.15.2  00:01:38  up     1/50
---<skip>---
Site3#
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID
Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
Packet sent with a source address of 1:1:13::1%DeptA
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID
Site3#show ipv6 lisp map-cache instance-id 1
LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
---<skip>---
1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:00:33  up     1/50
  10.0.15.2  00:00:33  up     1/50
---<skip>---
Site3#
LISP Virtualization + MPLS (CE)
LISP VPN/Virtualization
• LISP and MPLS Integration
Recall our MPLS network…
Let’s say that the Enterprise wants departmental segmentation inside their network…
3: Add Virtualization
[Figure: enterprise Sites 1, 2 and 3 attached to the SP MPLS network (PE1, PE2, PE3, PE4; CE1, CE2, CE3) over eBGP, with an IGP inside each site; Blue and Purple MPLS-VPNs; IPv4 and IPv6 at the sites. CE1 at Site 1 is the MSMR and an xTR; the xTRs at Sites 2 and 3 hold VRF-A; a route-map on the CEs denies EIDs out toward the SP (✗ route-map deny EIDs out).]
LISP VPN/Virtualization
• LISP and MPLS Integration
Recall our MPLS network…
Let’s say that the Enterprise wants departmental segmentation inside their network…
3: Add Virtualization
There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!

CE1#show run | begin router lisp
---<skip>---
router lisp
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100
  exit
 !
 eid-table vrf VRF-A instance-id 1          <-- Virtualized!
  database-mapping 10.1.1.0/24 12.1.0.2 pri 1 wei 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 12.1.0.2
 ipv4 etr map-server 12.1.0.2 key ******
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 12.1.0.2
 ipv6 etr map-server 12.1.0.2 key ******
 exit
!
LISP VPN/Virtualization
• LISP and MPLS Integration
Recall our MPLS network…
Let’s say that the Enterprise wants departmental segmentation inside their network…
3: Add Virtualization
There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!

CE1#ping 10.3.1.1 source 10.1.1.1 rep 10
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 2/3/2 ms
CE1#
CE1#show ip lisp map-cache instance-id 1          <-- Virtualized!
LISP IPv4 Mapping Cache for EID-table vrf VRF-A (IID 1), 2 entries

0.0.0.0/0, uptime: 00:11:15, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.3.1.0/24, uptime: 00:01:49, expires: 23:58:14, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.1.2  00:01:49  up     1/100
---<more>---
CE1#
LISP Virtualization: Internet Access to MPLS
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
[Figure: SP MPLS domain (P router, ISIS core, two PEs with VRFs green, orange, blue) serving Customer A, Customer B and Customer C CEs; an Internet/IP Core domain (IPv4 or v6 Core) with an xTR per customer; the SP LISP Gateway (PxTR/MSMR) connects the two domains.]
Starting point:
• Service Provider MPLS VPN network
• Multi-tenant customer sites access to MPLS via “non-traditional” access methods
- IPv4 and/or IPv6 Internet
- 3G/4G/LTE access
- “Other” (e.g. other MPLS VPN)
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
[Figure: Customer A, B and C each have an MPLS-side CE (3.3.3.3/24) attached to the SP MPLS domain (P, ISIS core, PEs with VRFs green, orange, blue) and an Internet-side xTR (1.1.1.1/24) in the Internet/IP Core domain (IPv4 or v6 Core), using IID 111, IID 222 and IID 333 respectively; the SP LISP Gateway (PxTR/MSMR) joins the two domains.]
Let’s look at the configurations for these devices:
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
MPLS – the usual… (blah blah blah…)

Customer A CE
!
hostname CE-R1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.2.1 255.255.255.252
!
router bgp 101
 bgp log-neighbor-changes
 neighbor 10.1.2.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.2.2 activate
 exit-address-family
!

Customer B CE
!
hostname CE-R9
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.9.1 255.255.255.252
!
router bgp 201
 bgp log-neighbor-changes
 neighbor 10.1.9.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.9.2 activate
 exit-address-family
!

Customer C CE
!
hostname CE-R10
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.10.1 255.255.255.252
!
router bgp 301
 bgp log-neighbor-changes
 neighbor 10.1.10.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.10.2 activate
 exit-address-family
!
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
LISP – the usual… (blah blah blah…)

Customer A xTR (IID 111)
hostname XTR-R7
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.111
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.7.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 111
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key FOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.7.1

Customer B xTR (IID 222)
hostname XTR-R11
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.222
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.11.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 222
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key BOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.11.1

Customer C xTR (IID 333)
hostname XTR-R12
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.333
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.12.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 333
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key COO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.12.1
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

SP LISP Gateway (PxTR/MSMR)
hostname PxTRMSMR-R5
!
vrf definition KS
 rd 2:200
 !
 address-family ipv4
 exit-address-family
!
vrf definition blue
 rd 2:400
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 rd 2:100
 !
 address-family ipv4
 exit-address-family
!
vrf definition orange
 rd 2:300
 !
 address-family ipv4
 exit-address-family
!
interface Loopback0
 ip address 10.255.255.5 255.255.255.255
!
interface Ethernet0/0
 description Link to Core-R6
 ip address 11.5.6.1 255.255.255.252
!
interface Ethernet0/1
 description Link to PE2-R4
 no ip address
!
interface Ethernet0/1.1
 encapsulation dot1Q 100
 vrf forwarding green
 ip address 10.4.5.2 255.255.255.252
!
interface Ethernet0/1.2
 encapsulation dot1Q 200
 vrf forwarding KS
 ip address 10.4.5.6 255.255.255.252
!
interface Ethernet0/1.3
 encapsulation dot1Q 300
 vrf forwarding orange
 ip address 10.4.5.2 255.255.255.252
!
interface Ethernet0/1.4
 encapsulation dot1Q 400
 vrf forwarding blue
 ip address 10.4.5.2 255.255.255.252
!
interface LISP0
!
interface LISP0.111
!
interface LISP0.222
!
interface LISP0.333
---<cont>---
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

SP LISP Gateway (PxTR/MSMR), continued
router lisp
 eid-table vrf green instance-id 111
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf orange instance-id 222
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf blue instance-id 333
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf KS instance-id 999
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 site BOO
  authentication-key BOO
  eid-prefix instance-id 222 1.0.0.0/8 accept-more-specifics
  exit
 !
 site COO
  authentication-key COO
  eid-prefix instance-id 333 1.0.0.0/8 accept-more-specifics
  exit
 !
 site FOO
  authentication-key FOO
  eid-prefix instance-id 111 1.0.0.0/8 accept-more-specifics
  exit
 !
 site KS
  authentication-key KSKS
  eid-prefix instance-id 999 9.0.0.0/8 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 no ipv4 map-cache-persistent
 ipv4 proxy-etr
 ipv4 proxy-itr 11.5.6.1
 ipv4 itr map-resolver 11.5.6.1
 exit
!
---<cont>---
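Both this site configuration and the HQ2 one earlier in the section rely on the same rule: a Map-Register is accepted only when the registering xTR's key matches the site's authentication-key and the EID-prefix, together with its instance-id, falls under a configured eid-prefix (exactly, or inside it when accept-more-specifics is set). Because the lookup key is the (IID, prefix) pair, the three customers above can all register 1.1.1.0/24. The following added example (written for this page, not the seminar's or Cisco's code) parses the IOS-style `router lisp` syntax shown on the slides and evaluates registrations against it. The Map-Server text is constructed from the PxTRMSMR-R5 `site` blocks with one extra site (`EXACT`, IID 555) added to show an eid-prefix without accept-more-specifics; the xTR snippets are constructed in the shape of XTR-R7/R11/R12, and the acceptance logic is the example's own model of the behaviour the slides demonstrate.

```python
"""Model the Map-Server's site-registration check from the slides' configurations.

Added example for this page; not code from the seminar or from Cisco. It parses the
IOS-style 'router lisp' syntax shown on the slides (site / authentication-key /
eid-prefix on the Map-Server; eid-table / database-mapping / etr map-server ... key
on the xTR) and decides which Map-Register records the Map-Server would accept.
Entries are keyed by (instance-id, prefix), which is why several tenants can all
register 1.1.1.0/24.
"""
import ipaddress
import re
from collections import namedtuple

SitePrefix = namedtuple("SitePrefix", "site key iid prefix more_specifics")
Mapping = namedtuple("Mapping", "iid prefix")

SITE_RE = re.compile(r"^\s*site\s+(\S+)\s*$")
KEY_RE = re.compile(r"^\s*authentication-key\s+(\S+)")
EIDP_RE = re.compile(r"^\s*eid-prefix\s+(?:instance-id\s+(\d+)\s+)?(\S+)(\s+accept-more-specifics)?")
TABLE_RE = re.compile(r"^\s*eid-table\s+(?:default|vrf\s+\S+)\s+instance-id\s+(\d+)")
DBMAP_RE = re.compile(r"^\s*database-mapping\s+(\S+)")
MSKEY_RE = re.compile(r"^\s*ipv[46]\s+etr\s+map-server\s+\S+\s+key\s+(\S+)")

# Constructed from the PxTRMSMR-R5 'site' blocks on this page, plus one site (EXACT,
# IID 555) added here to show an eid-prefix without accept-more-specifics.
MS_CONFIG = """\
router lisp
 site BOO
  authentication-key BOO
  eid-prefix instance-id 222 1.0.0.0/8 accept-more-specifics
  exit
 site COO
  authentication-key COO
  eid-prefix instance-id 333 1.0.0.0/8 accept-more-specifics
  exit
 site FOO
  authentication-key FOO
  eid-prefix instance-id 111 1.0.0.0/8 accept-more-specifics
  exit
 site EXACT
  authentication-key EXACT
  eid-prefix instance-id 555 1.2.0.0/16
  exit
"""


def xtr_config(iid, key, prefix="1.1.1.0/24"):
    """Constructed xTR snippet in the shape of XTR-R7/R11/R12 on the slides."""
    return (
        "router lisp\n"
        f" eid-table default instance-id {iid}\n"
        f"  database-mapping {prefix} locator-set XTR\n"
        "  exit\n"
        f" ipv4 etr map-server 11.5.6.1 key {key}\n"
        " exit\n"
    )


def parse_map_server(text):
    """Return the SitePrefix entries configured under 'router lisp' on a Map-Server."""
    entries, site, key = [], None, None
    for line in text.splitlines():
        if m := SITE_RE.match(line):
            site, key = m.group(1), None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := EIDP_RE.match(line)) and site is not None:
            iid = int(m.group(1) or 0)  # no instance-id keyword means IID 0
            entries.append(SitePrefix(site, key, iid, ipaddress.ip_network(m.group(2)), bool(m.group(3))))
    return entries


def parse_xtr(text):
    """Return (map-server key, [Mapping]) from an xTR's 'router lisp' config."""
    mappings, iid, key = [], 0, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            iid = int(m.group(1))
        elif m := DBMAP_RE.match(line):
            mappings.append(Mapping(iid, ipaddress.ip_network(m.group(1))))
        elif m := MSKEY_RE.match(line):
            key = m.group(1)
    return key, mappings


def check_registration(site_prefixes, key, mapping):
    """Verdict for one Map-Register record: matched on (IID, prefix) first, then key."""
    covering = [
        sp for sp in site_prefixes
        if sp.iid == mapping.iid
        and sp.prefix.version == mapping.prefix.version
        and (mapping.prefix == sp.prefix
             or (sp.more_specifics and mapping.prefix.subnet_of(sp.prefix)))
    ]
    if not covering:
        return f"rejected: no site eid-prefix for IID {mapping.iid} covers {mapping.prefix}"
    for sp in covering:
        if sp.key == key:
            return f"accepted by site {sp.site}"
    return f"rejected: authentication key does not match site {covering[0].site}"


def evaluate(ms_text, xtr_text):
    """Map each (iid,
 prefix) the xTR registers to the Map-Server's verdict."""
    site_prefixes = parse_map_server(ms_text)
    key, mappings = parse_xtr(xtr_text)
    return {(m.iid, str(m.prefix)): check_registration(site_prefixes, key, m) for m in mappings}
```

The two failure verdicts are the ones to look for in a multi-tenant deployment: a key mismatch means an xTR is trying to register under a tenant whose key it does not hold, and a missing covering prefix means the registration would silently never appear in `show lisp site`, which is usually an IID typo on one side.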
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

SP LISP Gateway (PxTR/MSMR), continued
router bgp 2
 bgp asnotation dot
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf KS
  network 9.9.9.8 mask 255.255.255.255
  redistribute lisp
  neighbor 10.4.5.5 remote-as 1
  neighbor 10.4.5.5 activate
  neighbor 10.4.5.5 send-community both
 exit-address-family
 !
 address-family ipv4 vrf blue
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE blue
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf green
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE green
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf orange
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE orange
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 11.5.6.2
LISP VPN/Virtualization
• Multi-tenant Internet Access to MPLS VPNs
Validation…

CE-R1#sh ip route
---<skip>---
      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.1.2.2, 18:07:35
      3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        3.3.3.0/24 is directly connected, Loopback0
L        3.3.3.3/32 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.2.0/30 is directly connected, Ethernet0/0
L        10.1.2.1/32 is directly connected, Ethernet0/0
B        10.4.5.0/30 [20/0] via 10.1.2.2, 18:08:03
CE-R1#

PE2-R4#sh ip ro vrf green
Routing Table: green
---<skip>---
      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/1] via 10.4.5.2, 18:24:12
      3.0.0.0/24 is subnetted, 1 subnets
B        3.3.3.0 [200/0] via 22.9.1.2, 18:24:39
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.1.2.0/30 [200/0] via 22.9.1.2, 18:24:39
C        10.4.5.0/30 is directly connected, Ethernet0/0.1
L        10.4.5.1/32 is directly connected, Ethernet0/0.1
PE2-R4#

PE2-R4#sh bgp vpnv4 uni vrf green
---<skip>---
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf green)
 *>  1.1.1.0/24       10.4.5.2                 1             0 2 ?
 *>i 3.3.3.0/24       22.9.1.2                 0    100      0 101 ?
 *>i 10.1.2.0/30      22.9.1.2                 0    100      0 ?
 *>  10.4.5.0/30      0.0.0.0                  0         32768 ?
PE2-R4#

CE-R1#ping 1.1.1.1 so 3.3.3.3 rep 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/7/11 ms
CE-R1#
LISP VPN/Virtualization
Validation…
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: same topology as the previous slide, viewed from the PxTR/MSMR SP LISP Gateway.]

PxTRMSMR-R5#sh bgp vpnv4 uni vrf green
---<skip>---
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2:100 (default for vrf green)
 *>  1.1.1.1/32       0.0.0.0                  1         32768 ?
 *>  3.3.3.3/32       10.4.5.1                                0 1 101 ?
 *>  10.1.2.0/30      10.4.5.1                                0 1 ?
 r>  10.4.5.0/30      10.4.5.1                 0             0 1 ?
PxTRMSMR-R5#

PxTRMSMR-R5#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID
BOO            never     no   --                   222      1.0.0.0/8
               00:00:13  yes  11.6.11.2            222      1.1.1.0/24
COO            never     no   --                   333      1.0.0.0/8
               00:00:21  yes  11.6.12.2            333      1.1.1.0/24
FOO            never     no   --                   111      1.0.0.0/8
               00:00:04  yes  11.6.7.2             111      1.1.1.0/24
PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 111
LISP IPv4 Mapping Cache for EID-table vrf green (IID 111), 1 entries

1.1.1.0/24, uptime: 18:34:07, expires: 05:25:52, via map-reply, complete
  Locator   Uptime    State      Pri/Wgt
  11.6.7.2  18:34:07  up          1/1
PxTRMSMR-R5#
LISP VPN/Virtualization
Validation…
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: same topology as the previous slides, viewed from Customer A's xTR (XTR-R7, IID 111).]

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/8/10 ms
XTR-R7#

XTR-R7#sh ip route
---<skip>---
S*    0.0.0.0/0 [1/0] via 11.6.7.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Loopback0
L        1.1.1.1/32 is directly connected, Loopback0
      11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        11.6.7.0/30 is directly connected, Ethernet0/1
L        11.6.7.2/32 is directly connected, Ethernet0/1
XTR-R7#
Adding Encryption to LISP using GETVPN

LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Adding Encryption
 LISP and encryption (IOS)
– Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs
– LISP provides two ways to apply a crypto map

Use-Case              Crypto map on   Vanilla IPsec   GETVPN   Comments
LISP Default Model    RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
LISP Default Model    LISP0           ✔               ✔        Encryption first based on EID, then LISP encap
LISP Virtualization   RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
LISP Virtualization   LISP0.x         ✔               ✔        Encryption first based on EID, then LISP encap

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Adding Encryption
 LISP provides two ways to apply a crypto map, resulting in different packet outcomes
– RLOC :: LISP processing, and then encryption
– LISP0 :: Encryption, and then LISP processing
(ping as an example; header sizes in bytes, IP protocol numbers in parentheses)

IPsec + LISP, crypto map on LISP0 (encrypt first, then LISP encap):
  ITR IP Hdr (20, proto 17, RLOC saddr/daddr) | UDP Hdr (8, S:xx D:4341) | LISP Hdr (8) | IPsec outer IP Hdr (20, proto 50) | ESP SPI (8) | Host IP Hdr (20, proto 1, EID saddr/daddr) | ICMP Hdr (8) | Payload (xx) | ESP trailer
  Only the ESP payload (host header, ICMP and payload) is encrypted; the RLOC, UDP and LISP headers travel in the clear, so the core still sees a LISP packet.

LISP + IPsec, crypto map on RLOC (LISP encap first, then encrypt):
  ITR IP Hdr (20, proto 50, RLOC saddr/daddr) | ESP SPI (8) | ITR IP Hdr (20, proto 17) | UDP Hdr (8, S:xx D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 1) | ICMP Hdr (8) | Payload (xx) | ESP trailer
  The whole LISP packet, including the UDP/LISP headers and the EID addresses, is inside ESP; the core sees only ESP between the two RLOCs.
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Adding Encryption
 LISP provides two ways to apply a crypto map, resulting in different packet outcomes
– RLOC :: LISP processing, and then encryption
– LISP0 :: Encryption, and then LISP processing
(ping as an example; with GETVPN tunnel mode the ESP outer header is a copy of the original IPv4 header, so the original addresses are preserved on the wire)

GETVPN + LISP, crypto map on LISP0 (encrypt first, then LISP encap):
  ITR IP Hdr (20, proto 17, RLOC saddr/daddr) | Host IP Hdr copy = Original IPv4 Header (20, proto 50, EID saddr/daddr preserved) | ESP SPI (8) | Host IP Hdr (20, proto 1) | ICMP Hdr (8) | Payload (xx) | ESP trailer, with UDP Hdr (8, S:xx D:4341) and LISP Hdr (8) between the ITR header and the preserved host header
  The EID pair stays readable in the preserved header; ICMP and payload are encrypted.

LISP + GETVPN, crypto map on RLOC (LISP encap first, then encrypt):
  ITR IP Hdr copy = Original IPv4 Header (20, proto 50, RLOC saddr/daddr preserved) | ESP SPI (8) | ITR IP Hdr (20, proto 17) | UDP Hdr (8, S:xx D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 1) | ICMP Hdr (8) | Payload (xx) | ESP trailer
  The LISP encapsulation and the EID packet are encrypted; only the RLOC pair and ESP are visible in the core.
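The two layouts above differ in what a passive observer in the RLOC core can read. The following added example (not from the Cisco deck) builds both packet orders for the ping in the slide and then parses each the way an observer without the group key would. The RLOC and EID addresses are taken from the validation topology on this page (11.6.7.2, 11.5.6.1, 1.1.1.1, 3.3.3.3); the SPIs, key and payload are made up, and the "ESP" body is an XOR mask standing in for AES-256/SHA-512 so that the example runs offline. Only the on-wire layout is meant to be faithful.

```python
import struct

# Addresses taken from the deck's validation topology; SPIs, key and payload are made up.
RLOC_SRC, RLOC_DST = "11.6.7.2", "11.5.6.1"   # XTR-R7 locator and the PxTR/MSMR locator
EID_SRC, EID_DST = "1.1.1.1", "3.3.3.3"       # Customer A host and its MPLS-side peer
LISP_PORT = 4341
PROTO_ICMP, PROTO_UDP, PROTO_ESP = 1, 17, 50
KEY = b"\x5a" * 16                            # toy key, see esp()

def _a(s):
    return bytes(int(x) for x in s.split("."))

def ip4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _a(src), _a(dst)) + payload

def lisp_encap(inner, sport=0xC000):
    """UDP to port 4341 plus an 8-byte LISP header (flags, nonce and IID left zero)."""
    return struct.pack("!HHHH", sport, LISP_PORT, 16 + len(inner), 0) + bytes(8) + inner

def esp(spi, seq, plaintext):
    """Toy ESP: 8-byte SPI/sequence header, XOR-masked body, 12-byte dummy ICV.
    It stands in for AES-256/SHA-512 so the example runs offline; only the layout matters here."""
    body = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(plaintext))
    return struct.pack("!II", spi, seq) + body + bytes(12)

def host_packet():
    return ip4(EID_SRC, EID_DST, PROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"ping")

def crypto_on_lisp0():
    """Crypto map on LISP0.x: encrypt the EID packet first (GETVPN tunnel mode re-uses the
    original EID header as the ESP outer header), then LISP-encapsulate between RLOCs."""
    protected = ip4(EID_SRC, EID_DST, PROTO_ESP, esp(0x111, 1, host_packet()))
    return ip4(RLOC_SRC, RLOC_DST, PROTO_UDP, lisp_encap(protected))

def crypto_on_rloc():
    """Crypto map on the RLOC interface: LISP-encapsulate first, then wrap the whole LISP
    packet in ESP whose outer header copies the RLOC pair."""
    lisp_pkt = ip4(RLOC_SRC, RLOC_DST, PROTO_UDP, lisp_encap(host_packet()))
    return ip4(RLOC_SRC, RLOC_DST, PROTO_ESP, esp(0x222, 1, lisp_pkt))

def _hdr(b):
    f = struct.unpack("!BBHHHBBH4s4s", b[:20])
    return f[6], ".".join(map(str, f[8])), ".".join(map(str, f[9]))   # proto, src, dst

def cleartext_view(pkt):
    """What a passive observer in the RLOC core can read without the group key."""
    proto, src, dst = _hdr(pkt)
    view = {"outer": (src, dst), "outer_proto": proto}
    if proto == PROTO_ESP:                        # LISP-then-IPsec: UDP/LISP/EIDs are all inside ESP
        view["order"] = "lisp-then-ipsec"
        view["spi"] = struct.unpack("!I", pkt[20:24])[0]
        return view
    view["udp_dport"] = struct.unpack("!HH", pkt[20:24])[1]
    inner = pkt[20 + 16:]                         # skip UDP (8) + LISP (8)
    iproto, isrc, idst = _hdr(inner)
    view["inner"] = (isrc, idst)
    if iproto == PROTO_ESP:                       # IPsec-then-LISP: EID pair readable, payload not
        view["order"] = "ipsec-then-lisp"
        view["spi"] = struct.unpack("!I", inner[20:24])[0]
    else:
        view["order"] = "no-encryption"
        view["inner_proto"] = iproto
    return view
```

Running `cleartext_view(crypto_on_rloc())` yields only the RLOC pair and an SPI, while `cleartext_view(crypto_on_lisp0())` also exposes UDP port 4341 and the EID pair 1.1.1.1 to 3.3.3.3. That is the trade-off the table on the previous slide hides: the LISP0.x placement keeps LISP visible to the core (RLOC-probing, PxTR interworking and per-IID policy keep working) at the cost of revealing which EIDs talk to each other.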
LISP VPN
+ GETVPN
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy with GETVPN
Group Domain of Interpretation (GDOI) RFC 6407 – adding encryption
 GDOI
− RFC 6407
− “Stateless” IPsec
− Traffic encryption keys computed on Key Server, distributed to all Group Members
− Better scaling than vanilla IPsec
[Diagram: the Key Server pushes Group Policy, the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK) to every Group Member across the Routing Domain (GET VPN).]
Key Server
• Validate Group Members
• Manage Security Policy
• Create Group Keys
• Distribute Policy / Keys
Group Member
• Encryption Devices
• Route Between Secure / Unsecure Regions
• Multicast Participation
LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy with GETVPN
Why GDOI?
[Diagram: an IP VPN cloud with five sites, CE1 (10/1) to CE5 (10/5), each attached to the provider.]
IP VPNs want to provide any-to-any connectivity
 Hierarchical Routing
 Any-to-Any connectivity
 Redundancy established between CE & PE

LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Adding Encryption
Why GDOI?
[Diagram: the same five CEs, now with a separate IPsec tunnel between every pair.]
But… IPSec is inherently a “point-to-point” technology
 Point-to-point Security Associations
 Overlay routing in tunnels
 Need N**2 tunnels to achieve any-to-any connectivity (N(N-1)/2 pairwise SAs for N sites, each with its own IKE session and key lifetime)

LISP Virtualization/VPNs
• LISP Virtualization/Multi-Tenancy Support – Adding Encryption
Why GDOI?
GDOI provides:
 Large scale any-to-any connectivity
 Native routing without tunnel overlay
 Optimal for QoS & Multicast support
 Flexible span of control between enterprise and service provider
 Centralized policy distribution
 Transport agnostic: Private WAN, FR/ATM, IP, MPLS
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Key Servers
• Define crypto policies for LISP!
Redundant Key Server identical!
[Diagram: HQ holds VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3) behind an xTR, two MSMRs and the KS pair; Sites 1, 2 and 3 each have an xTR that is also a GM, all connected over the IPv4 Core.]

KS1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-0001
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
---<cont.>---
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Key Servers
• Define crypto policies for LISP!
Redundant Key Server identical!
[Diagram: as on the previous slide.]

KS1 ---<cont.>---
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv6 GETVPN6-0003
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
ip access-list extended GETVPN-0001
 permit ip any any
ip access-list extended GETVPN-0002
 permit ip any any
ip access-list extended GETVPN-0003
 permit ip any any
!
ipv6 access-list GETVPN6-0001
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0002
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0003
 permit ipv6 any any
!
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
[Diagram: as on the previous slides; the Sites 1-3 xTRs are the GMs.]

Remote2 xTR/GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
---<skip>---
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
crypto map MAP-V4-0001 10 gdoi
 set group V4GROUP-0001
!
---<skip>---
crypto map ipv6 MAP-V6-0003 10 gdoi
 set group V6GROUP-0003
!
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
[Diagram: as on the previous slides.]

Remote2 xTR/GM
!
interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0001
 crypto map MAP-V4-0001
!
interface LISP0.2
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0002
 crypto map MAP-V4-0002
!
interface LISP0.3
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0003
 crypto map MAP-V4-0003
!
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
Verification… Example: EID to EID
[Diagram: HQ (VRF A/B/C, IID 1/2/3) with xTR, MSMR and KS; Sites 1-3 with xTR/GM over the IPv4 Core.]

Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
Site3#
LISP VPN/Virtualization
• Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
Verification… Example: EID to EID
[Diagram: as on the previous slide.]

Site3#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm       Encrypt  Decrypt LastSeqN IP-Address
---<skip>---
  143  IPsec   AES256+SHA512         0      100        0 192.168.11.1
  144  IPsec   AES256+SHA512       100        0        0 192.168.11.1
---<skip>---
Site3#
LISP VPN/Virtualization
Let’s come back to this one now…
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: the multi-tenant gateway topology from the validation slides, plus a Key Server (KS) attached to the SP MPLS domain in its own VRF and EID space (IID 999). The PxTR/MSMR is now also a GM. Each customer xTR keeps its tenant EID (1.1.1.1/24 in IID 111/222/333) and gains a second EID in IID 999 for reaching the KS: 9.1.1.1/32 (Customer A), 9.2.2.2/32 (Customer B), 9.3.3.3/32 (Customer C).]
Add GETVPN for encryption:
• Multi-tenant GDOI encryption on data plane between LISP sites and MPLS VPNs
- Common Key Server (multi-tenant), located in its own EID space and VRF
- Separate crypto group per customer (or per IID, if multiple IID per customer) (as desired)
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slide; this is the Key Server KS-R8 behind the SP MPLS domain.]

hostname KS-R8
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-111
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
!
crypto gdoi group V4GROUP-222
 identity number 10222
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY2
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-222
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-333
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
!
interface Loopback0
 ip address 9.9.9.9 255.255.255.255
!
interface Ethernet0/0
 ip address 10.4.8.1 255.255.255.252
!
router bgp 999
 bgp asnotation dot
 bgp log-neighbor-changes
 network 9.9.9.9 mask 255.255.255.255
 neighbor 10.4.8.2 remote-as 1
!
ip route 0.0.0.0 0.0.0.0 10.4.8.2
!
ip access-list extended GETVPN-111
 permit ip any any
ip access-list extended GETVPN-222
 permit ip any any
ip access-list extended GETVPN-333
 permit ip any any
!
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides; this is Customer A's xTR (IID 111 for 1.1.1.1/24, IID 999 for 9.1.1.1/32), registering with LISP site key FOO and with KS-R8 at 9.9.9.9.]

hostname XTR-R7
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-111 10 gdoi
 set group V4GROUP-111
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.1.1.1 255.255.255.255
!
interface LISP0.111
 crypto map MAP-V4-111
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.7.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 111
  database-mapping 1.1.1.0/24 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key FOO
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.1.1.1/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 ipv4 itr map-resolver 11.5.6.1
 ipv4 itr
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.7.1
!
---<cont>---
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides; this is Customer B's xTR (IID 222 for 1.1.1.1/24, IID 999 for 9.2.2.2/32), registering with LISP site key BOO and with KS-R8 at 9.9.9.9.]

hostname XTR-R11
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-222
 identity number 10222
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-222 10 gdoi
 set group V4GROUP-222
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.2.2.2 255.255.255.255
!
interface LISP0.222
 crypto map MAP-V4-222
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.11.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 222
  database-mapping 1.1.1.0/24 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key BOO
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.2.2.2/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 ipv4 itr map-resolver 11.5.6.1
 ipv4 itr
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.11.1
!
---<cont>---
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides; this is Customer C's xTR (IID 333 for 1.1.1.1/24, IID 999 for 9.3.3.3/32), registering with LISP site key COO and with KS-R8 at 9.9.9.9.]

hostname XTR-R12
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-333 10 gdoi
 set group V4GROUP-333
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.3.3.3 255.255.255.255
!
interface LISP0.333
 crypto map MAP-V4-333
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.12.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 333
  database-mapping 1.1.1.0/24 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key COO
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.3.3.3/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 ipv4 itr map-resolver 11.5.6.1
 ipv4 itr
 ipv4 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.12.1
!
---<cont>---
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides; this is the PxTR/MSMR/GM SP LISP Gateway, which joins all three customer groups and keeps the KS VRF (IID 999) unencrypted.]

PxTR/MSMR/GM (config delta)
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 9.9.9.9
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto gdoi group V4GROUP-222
 identity number 10222
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-111 10 gdoi
 set group V4GROUP-111
!
crypto map MAP-V4-222 10 gdoi
 set group V4GROUP-222
!
crypto map MAP-V4-333 10 gdoi
 set group V4GROUP-333
!
---<cont>---
!
interface LISP0
!
interface LISP0.111
 crypto map MAP-V4-111
!
interface LISP0.222
 crypto map MAP-V4-222
!
interface LISP0.333
 crypto map MAP-V4-333
!
interface LISP0.999
!
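The isolation property of this design rests on three things being consistent across KS-R8, the three customer xTRs and the PxTR: every tenant LISP0.<IID> subinterface carries its own crypto map, that map binds to a GDOI group whose identity number the key server actually serves, and no two tenant IIDs share a group (otherwise they share the TEK, and the IID separation is no longer a cryptographic one). The key-server VRF itself (LISP0.999) must stay unencrypted, because the GM registration runs over it. The following added example (not from the Cisco deck) is a small IOS-text checker for exactly those rules; its inputs are abridged copies of the KS-R8 and PxTR config delta shown above, embedded as constructed strings, and the parser only understands the handful of commands those rules need.

```python
import re

# Constructed input: abridged copies of the KS-R8 and PxTR/GM config text from the slides above.
KS_CONFIG = """\
crypto gdoi group V4GROUP-111
 identity number 10111
 server local
crypto gdoi group V4GROUP-222
 identity number 10222
 server local
crypto gdoi group V4GROUP-333
 identity number 10333
 server local
"""
PXTR_CONFIG = """\
crypto gdoi group V4GROUP-111
 identity number 10111
 server address ipv4 9.9.9.9
crypto gdoi group V4GROUP-333
 identity number 10333
 server address ipv4 9.9.9.9
crypto gdoi group V4GROUP-222
 identity number 10222
 server address ipv4 9.9.9.9
crypto map MAP-V4-111 10 gdoi
 set group V4GROUP-111
crypto map MAP-V4-222 10 gdoi
 set group V4GROUP-222
crypto map MAP-V4-333 10 gdoi
 set group V4GROUP-333
interface LISP0
interface LISP0.111
 crypto map MAP-V4-111
interface LISP0.222
 crypto map MAP-V4-222
interface LISP0.333
 crypto map MAP-V4-333
interface LISP0.999
"""

def parse_gdoi(text):
    """IOS-style walk: a top-level line opens a block, indented lines belong to it.
    Returns groups {name: {identity, local}}, maps {name: group}, ifaces {LISP0.x: map or None}."""
    groups, maps, ifaces = {}, {}, {}
    kind = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            if m := re.match(r"crypto gdoi group (?:ipv6 )?(\S+)$", line):
                kind, block = "group", m.group(1)
                groups[block] = {"identity": None, "local": False}
            elif m := re.match(r"crypto map (?:ipv6 )?(\S+) \d+ gdoi$", line):
                kind, block = "map", m.group(1)
                maps[block] = None
            elif m := re.match(r"interface (LISP0(?:\.\d+)?)$", line):
                kind, block = "iface", m.group(1)
                ifaces[block] = None
            else:
                kind = block = None              # unrelated top-level command; skip its children
        elif kind == "group" and line.startswith("identity number "):
            groups[block]["identity"] = int(line.split()[-1])
        elif kind == "group" and line == "server local":
            groups[block]["local"] = True
        elif kind == "map" and line.startswith("set group "):
            maps[block] = line.split()[-1]
        elif kind == "iface" and line.startswith("crypto map "):
            ifaces[block] = line.split()[-1]
    return groups, maps, ifaces

def check_tenant_isolation(ks_text, gm_text, ks_vrf_iid=999):
    """Findings as strings; an empty list means the GM matches the KS and no two tenant IIDs share a group."""
    findings = []
    ks_ids = {g["identity"]: n for n, g in parse_gdoi(ks_text)[0].items() if g["local"]}
    gm_groups, gm_maps, gm_ifaces = parse_gdoi(gm_text)
    for name, g in gm_groups.items():            # every GM group must exist on the KS under the same identity
        if ks_ids.get(g["identity"]) != name:
            findings.append(f"group {name}: identity {g['identity']} not served by KS under that name")
    owner = {}                                   # GDOI group ->  first LISP0.x subinterface bound to it
    for iface, cmap in gm_ifaces.items():
        if "." not in iface:
            continue                             # bare LISP0 carries no tenant traffic
        iid = int(iface.split(".")[1])
        group = gm_maps.get(cmap) if cmap else None
        if iid == ks_vrf_iid:
            if cmap is not None:
                findings.append(f"{iface}: key-server VRF must not be bound to a tenant crypto map")
        elif cmap is None:
            findings.append(f"{iface}: tenant IID {iid} has no crypto map, EID traffic leaves in the clear")
        elif group is None:
            findings.append(f"{iface}: crypto map {cmap} undefined or not bound to a GDOI group")
        elif group in owner:
            findings.append(f"{iface}: shares GDOI group {group} with {owner[group]}, tenants would share keys")
        else:
            owner[group] = iface
    return findings
```

`check_tenant_isolation(KS_CONFIG, PXTR_CONFIG)` returns an empty list for the slide's configuration. The same function applied to each customer xTR (which carries a single LISP0.<IID> plus LISP0.999) checks that the xTR's group identity matches what KS-R8 serves, which is the failure mode that otherwise only shows up as a GM stuck in registration.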
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides, viewed from the PxTR/MSMR/GM.]

PxTRMSMR-R5#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID
BOO            never     no   --                   222      1.0.0.0/8
               00:00:46  yes  11.6.11.2            222      1.1.1.0/24
COO            never     no   --                   333      1.0.0.0/8
               00:00:50  yes  11.6.12.2            333      1.1.1.0/24
FOO            never     no   --                   111      1.0.0.0/8
               00:00:15  yes  11.6.7.2             111      1.1.1.0/24
KS             never     no   --                   999      9.0.0.0/8
               00:00:00  yes  11.6.7.2             999      9.1.1.1/32
               00:00:16  yes  11.6.11.2            999      9.2.2.2/32
               00:00:05  yes  11.6.12.2            999      9.3.3.3/32
PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 999
LISP IPv4 Mapping Cache for EID-table vrf KS (IID 999), 3 entries

9.1.1.1/32, uptime: 20:02:36, expires: 03:57:23, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.7.2   20:02:36  up          1/1
9.2.2.2/32, uptime: 20:02:46, expires: 03:57:14, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.11.2  20:02:46  up          1/1
9.3.3.3/32, uptime: 20:02:52, expires: 03:57:07, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.12.2  20:02:52  up          1/1
PxTRMSMR-R5#

PxTRMSMR-R5#sh ip ro vrf KS
---<skip>---
      9.0.0.0/32 is subnetted, 5 subnets
l        9.1.1.1 [10/1] via 0.0.0.0, 20:12:43, Null0
l        9.2.2.2 [10/1] via 0.0.0.0, 20:12:51, Null0
l        9.3.3.3 [10/1] via 0.0.0.0, 20:12:57, Null0
C        9.9.9.8 is directly connected, Loopback999
B        9.9.9.9 [20/0] via 10.4.5.5, 20:13:00
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.4.5.4/30 is directly connected, Ethernet0/1.2
L        10.4.5.6/32 is directly connected, Ethernet0/1.2
B        10.4.8.0/30 [20/0] via 10.4.5.5, 20:13:00
PxTRMSMR-R5#
LISP VPN/Virtualization
Adding encryption with GETVPN
• Multi-tenant Internet Access to MPLS VPNs
[Diagram: as on the previous slides.]

PxTRMSMR-R5#sho crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm       Encrypt  Decrypt LastSeqN IP-Address
  139  IPsec   AES256+SHA512         0        0        0 10.4.5.2
  140  IPsec   AES256+SHA512         0        0        0 10.4.5.2
  141  IPsec   AES256+SHA512         0      999        0 10.4.5.2
  142  IPsec   AES256+SHA512       999        0        0 10.4.5.2
  143  IPsec   AES256+SHA512         0        0        0 10.4.5.2
  144  IPsec   AES256+SHA512         0        0        0 10.4.5.2
 1001  IKE     SHA+AES256            0        0        0 9.9.9.8
 1002  IKE     SHA+3DES              0        0        0
 1003  IKE     SHA+3DES              0        0        0
 1004  IKE     SHA+3DES              0        0        0
PxTRMSMR-R5#

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---<skip>---
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 4/5/22 ms
XTR-R7#

XTR-R7#sho crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm       Encrypt  Decrypt LastSeqN IP-Address
   47  IPsec   AES256+SHA512         0      999        0 1.1.1.1
   48  IPsec   AES256+SHA512       999        0        0 1.1.1.1
 1001  IKE     SHA+AES256            0        0        0 9.1.1.1
 1002  IKE     SHA+3DES              0        0        0
XTR-R7#

Reading the counters: the 999 echoes from XTR-R7 are encrypted on its outbound SA (ID 48) and decrypted on the PxTR's matching SA (ID 141) in the Customer A group; the PxTR holds one inbound/outbound SA pair per customer group (139/140, 141/142, 143/144), and the IKE SA toward the key server (SHA+AES256) is the one built from the aes 256 isakmp policy. The SHA+3DES entries are the GDOI rekey SAs, which on IOS default to 3DES unless rekey algorithm aes 256 is configured under server local on the key server; a production deployment should set it so that the KEK is not weaker than the TEK.
LISP Use Cases :: Virtualization/VPNs
• Customer Example :: Sony bit-drive
Initial deployment…
Services:
• IPv4, IPv6 Internet Access
• GETVPN+LISP (encryption)
• Data Center (Web, Mail, Storage)
[Diagram: SONY Bit-Drive Services (GW to the IPv4 Internet and the IPv6 Internet, MS/MR, PxTR, KS, IPv6 access) serve two tenants, X and Y, in IID 1001 and IID 1002. SMB X Sites 1-3 and SMB Y Sites 1-10 each have an xTR in front of IPv4/IPv6 EID space.]
LISP Use Cases :: Virtualization/VPNs
• Customer Example :: Sony bit-drive
Next plans…
Services:
• IPv4, IPv6 Internet Access
• GETVPN+LISP (encryption)
• Data Center (Web, Mail, Storage)
[Diagram: as on the previous slide, with the SONY Bit-Drive Services extended by two data centers (SONY Bit-Drive Data Center 1 and Data Center 2, VMware ESX hosts running tenant VMs for X and Y) offering a Data Center Virtualized Host/Cloud Service to the same SMB X and SMB Y sites.]
LISP Use Cases :: Virtualization/VPNs
• Customer Example :: Sony bit-drive
Cisco Products:
• SONY bit-drive LISP infrastructure (shared LISP infrastructure, multi-tenant/virtualized)
- ASR1Ks for Proxy Systems
- ISRG2s for Mapping Systems
- ASR1Ks for NAT Devices
- ISRG2s for Key Servers
• Customer CE Devices (subscribers, per end-site)
- NEW HW :: C890Js
- Legacy (Sony routers for DMVPN) :: being upgraded to C890Js for LISP service
LISP-based Services Benefits:
• Broadband circuits (<$)
• Multihoming (<$)
• IPv6 Core, IPv4 and IPv6 EIDs
• Creates a private network (w/o MPLS $)
LISP Use Cases :: Virtualization/VPNs
• Customer Example :: A few more highlights… (the Over the Top Enterprise VPN is the #1 deployed LISP use-case; plus “many” more)
 Multinational Human Resources Outsourcing Company ($22B)
– “Very Large Scale” Over the Top Enterprise VPN (MPLS replacement)
 GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
 ISRG2, ASR1K-based infrastructure, 560+ sites pilot (DSL and LTE); expanding to 5600+
 European Energy Producer
– “Large Scale” Over the Top Enterprise VPN (critical infrastructure, hydro/nuclear plants)
 GETVPN+LISP, multihoming, 3 VRFs, IPv4 and IPv6 EIDs, IPv4 MPLS/RLOCs
 ISRG2, ASR1K-based infrastructure, 300+ sites
 Large US State Government
– “Large Scale” Over the Top Enterprise VPN (MPLS replacement/cost savings)
 GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
 ISRG2, ASR1K-based infrastructure, 800+ sites (DSL and LTE)
 European State Government
– “Over the Top” Enterprise VPN (MPLS replacement/cost savings)
 GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
 ISRG2, ASR1K-based infrastructure, 30+ sites
LISP VPN
+ DMVPN
LISP Use Cases :: Virtualization/VPNs
• DMVPN and GETVPN
 DMVPN is an overlay VPN
– Creates tunnels over a transport network
 Isolates protected networks from transport network
 Allows private protected addresses over a public transport network
– Hubs concentrate connections – all spokes must connect
 Hubs concentrate part of spoke-to-spoke traffic
 Hubs need to know about all private networks
 (IGP, NHRP, mGRE)
 GETVPN is an “encrypted” VPN
– Encrypted packets have the same addressing as the protected packets
 Does not (by itself) isolate address spaces – requires end-to-end routing
– Key Server concentrates all GMs
 Control plane only though… no data plane traffic
– Transport network takes care of routing packets
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Initial DMVPN deployment…
Standard DMVPN build-out
- Here, IPv4 core
- “enterprise” (private space) also IPv4
- OSPF (in this case) running over DMVPN
[Diagram: Hub R2 (LAN 172.16.0.0/24) connects to Core R1 (Core Network) over 10.0.0.0/30; R1 connects to Spoke1 R4 (LAN 172.16.1.0/24) over 10.0.1.0/30, to Spoke2 R5 (LAN 172.16.2.0/24) over 10.0.2.0/30 and to Spoke3 R6 (LAN 172.16.3.0/24) over 10.0.3.0/30; DMVPN tunnels run from each spoke to the hub]
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Initial DMVPN deployment…
Hub config….
!
hostname Hub-R2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key foo address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPNPROF
 set transform-set ENCRYPT
 set pfs group1
!
interface Tunnel0
 bandwidth 1000
 ip address 172.31.255.1 255.255.255.0
 no ip redirects
 ip mtu 1420
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 ip ospf mtu-ignore
 ip ospf 1 area 0
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPNPROF
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
Core config….
!
hostname Core-R1
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.1.2 255.255.255.252
!
interface Ethernet0/2
 ip address 10.0.2.2 255.255.255.252
!
interface Ethernet0/3
 ip address 10.0.3.2 255.255.255.252
!
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Initial DMVPN deployment…
Spoke config…. (example)
!
hostname S2-R5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key foo address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPNPROF
 set transform-set ENCRYPT
 set pfs group1
!
interface Tunnel0
 bandwidth 1000
 ip address 172.31.255.3 255.255.255.0
 no ip redirects
 ip mtu 1420
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 172.31.255.1 10.0.0.1
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 172.31.255.1
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 0
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPNPROF
!
interface Ethernet0/0
 ip address 10.0.2.1 255.255.255.252
!
interface Ethernet0/1
 description connect to XTR2 DMVPN
 ip address 172.16.2.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
!
ip route 0.0.0.0 0.0.0.0 10.0.2.2
!
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Initial DMVPN deployment…
Let’s ping for fun… (yes, it’s encrypted…)
S1-R4#ping 172.16.0.1 so 172.16.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 4/4/10 ms
S1-R4#

S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm   Encrypt  Decrypt LastSeqN IP-Address
   49  IPsec   3DES+SHA          0     1307     1307 10.0.1.1
   50  IPsec   3DES+SHA       1304        0        0 10.0.1.1
 1001  IKE     SHA+3DES          0        0        0 10.0.1.1

S1-R4#
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Add LISP to DMVPN…
Suppose you want to add virtualization or IPv6 (or IPv4) for internal networks
And… you didn’t want to touch DMVPN at all!
To add LISP:
- add a new router per site with EID space behind them, and
- treat “DMVPN inside address space” as “LISP RLOC space”
[Diagram: the same DMVPN topology (Hub R2, Core R1, Spoke1 R4, Spoke2 R5, Spoke3 R6). A new LISP router sits behind each DMVPN router: LISP0 (xTR + MRMS) behind the hub, LISP1 behind Spoke1, LISP2 behind Spoke2, LISP3 behind Spoke3. Each LISP router serves two VPNs, VPN A (IID1) and VPN B (IID2); the spoke sites use 192.168.n.0/24 plus A:A:n::/48 and B:B:n::/48 (n = 1, 2, 3), the hub site A:A:9::/48 and B:B:9::/48, and the IPv4 EID prefixes overlap between the two VPNs]
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
!
hostname R3-xTR0-MSMR
!
vrf definition A
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition B
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Loopback0
 vrf forwarding A
 ip address 192.168.0.1 255.255.255.0
 ipv6 address A:A:9::1/48
!
interface Loopback1
 vrf forwarding B
 ip address 192.168.0.1 255.255.255.0
 ipv6 address B:B:9::1/48
!
interface Ethernet0/0
 description conn to HUB R2
 ip address 172.16.0.2 255.255.255.0
 ip ospf 1 area 0
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/0 priority 1 weight 1
  exit
 !
 eid-table vrf A instance-id 1
  database-mapping 192.168.0.0/24 locator-set XTR
  database-mapping A:A:9::/48 locator-set XTR
  exit
 !
 eid-table vrf B instance-id 2
  database-mapping 192.168.0.0/24 locator-set XTR
  database-mapping B:B:9::/48 locator-set XTR
  exit
 !
 site ALL
  authentication-key ALL
  eid-prefix instance-id 1 192.168.0.0/16 accept-more-specifics
  eid-prefix instance-id 1 A:A::/32 accept-more-specifics
  eid-prefix instance-id 2 192.168.0.0/16 accept-more-specifics
  eid-prefix instance-id 2 B:B::/32 accept-more-specifics
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 172.16.0.2
 ipv4 etr map-server 172.16.0.2 key ALL
 ipv6 itr
 ipv6 etr
 ipv6 map-server
 ipv6 map-resolver
 ipv6 itr map-resolver 172.16.0.2
 ipv6 etr map-server 172.16.0.2 key ALL
 exit
!
router ospf 1
!
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
!
hostname R7-xTR1
!
vrf definition A
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition B
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Loopback0
 vrf forwarding A
 ip address 192.168.1.1 255.255.255.0
 ipv6 address A:A:1::1/48
!
interface Loopback1
 vrf forwarding B
 ip address 192.168.1.1 255.255.255.0
 ipv6 address B:B:1::1/48
!
interface Ethernet0/0
 description conn to S1 R4
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/0 priority 1 weight 1
  exit
 !
 eid-table vrf A instance-id 1
  database-mapping 192.168.1.0/24 locator-set XTR
  database-mapping A:A:1::/48 locator-set XTR
  exit
 !
 eid-table vrf B instance-id 2
  database-mapping 192.168.1.0/24 locator-set XTR
  database-mapping B:B:1::/48 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 172.16.0.2
 ipv4 etr map-server 172.16.0.2 key ALL
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 172.16.0.2
 ipv6 etr map-server 172.16.0.2 key ALL
 exit
!
router ospf 1
!
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Add LISP to DMVPN…
Let’s ping for fun… IPv4, VRF A (IID1) (yes, it’s encrypted…)
R7-xTR1#ping vrf A 192.168.0.1 source 192.168.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 ms
R7-xTR1#

S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm   Encrypt  Decrypt LastSeqN IP-Address
  141  IPsec   3DES+SHA          0     1428     1428 10.0.1.1
  142  IPsec   3DES+SHA       1426        0        0 10.0.1.1
 1003  IKE     SHA+3DES          0        0        0 10.0.1.1

S1-R4#
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
Add LISP to DMVPN…
Let’s ping for fun… IPv6, VRF B (IID2) (yes, it’s encrypted…)
R7-xTR1#ping vrf B B:B:3::1 source B:B:1::1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to B:B:3::1, timeout is 2 seconds:
Packet sent with a source address of B:B:1::1%B
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 ms
R7-xTR1#

S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm   Encrypt  Decrypt LastSeqN IP-Address
  141  IPsec   3DES+SHA          0     1487     1487 10.0.1.1
  142  IPsec   3DES+SHA       1483        0        0 10.0.1.1
  149  IPsec   3DES+SHA          0     1001     1001 10.0.1.1
  150  IPsec   3DES+SHA       1004        0        0 10.0.1.1
 1003  IKE     SHA+3DES          0        0        0 10.0.1.1
 1021  IKE     SHA+3DES          0        0        0 10.0.1.1

S1-R4#
LISP Use Cases :: Virtualization/VPNs
• LISP and DMVPN
– tunnel protect :: LISP processing, and then DMVPN/encryption
(* icmp example)
[Packet diagram, outer to inner: External IP Hdr (dmvpn tunnel) | ESP (SPI) | GRE | IP Hdr (LISP RLOCs, saddr/daddr) | UDP Hdr (S:xxxx, D:4341) | LISP Hdr (8) | Host IP Hdr (20, saddr/daddr) | ICMP Hdr (8) | Payload | ESP trailer. The ITR produces everything from the LISP RLOC header inward; the DMVPN tunnel then wraps that in GRE and ESP]
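How the stacked headers on this slide nest, as an added Python example (not Cisco code): it constructs the packet as the DMVPN hub sees it after ESP decryption (GRE with the tunnel key | RLOC IP | UDP 4341 | LISP header | host IP | ICMP) using the addresses, instance IDs and GRE key from the preceding slides, then parses it once as a device that stops at the RLOC/UDP headers would and once as a LISP-aware inspector. The packet bytes, nonce and UDP source port are constructed here; because VPN A and VPN B use overlapping 192.168.1.0/24 EIDs, only the instance ID in the LISP header tells the two flows apart.

```python
"""LISP-over-DMVPN packet walk (added example, not Cisco code).

Builds the stack the DMVPN hub sees once ESP is stripped:
  GRE(key) | RLOC IPv4 | UDP dst 4341 | LISP header | host IPv4 | ICMP
and parses it twice: as a device that stops at the RLOC/UDP headers,
and as a LISP-aware inspector that recovers instance ID and inner addresses.
Addresses, instance IDs and the GRE key come from the slides; the packet
bytes, nonce and UDP source port are constructed here.
"""
import ipaddress
import struct

LISP_DATA_PORT = 4341
GRE_KEY_BIT = 0x2000      # GRE K flag: a 32-bit key follows the 4-byte header
GRE_PROTO_IPV4 = 0x0800
LISP_FLAG_N = 0x80        # RFC 6830 data header byte 0: nonce present
LISP_FLAG_I = 0x08        # instance ID present


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over an even number of bytes (IPv4 and ICMP both use it)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def parse_ipv4(data: bytes) -> dict:
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ones_complement_sum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": data[ihl:total]}


def lisp_header(instance_id: int, nonce: int) -> bytes:
    # word 0: N L E V I flags (8 bits) + 24-bit nonce
    # word 1: 24-bit instance ID + 8 locator-status bits (none set here)
    word0 = ((LISP_FLAG_N | LISP_FLAG_I) << 24) | (nonce & 0xFFFFFF)
    word1 = (instance_id & 0xFFFFFF) << 8
    return struct.pack("!II", word0, word1)


def build_packet(inner_src: str, inner_dst: str, instance_id: int, itr_rloc: str,
                 etr_rloc: str, gre_key: int, nonce: int = 0xABCDEF,
                 payload: bytes = b"\x00" * 56) -> bytes:
    """ICMP echo inner_src -> inner_dst, LISP-encapsulated, carried in keyed mGRE."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    host = ipv4_header(inner_src, inner_dst, 1, len(icmp)) + icmp
    lisp = lisp_header(instance_id, nonce) + host
    # UDP checksum 0 is permitted for IPv4 and is what LISP data packets commonly carry
    udp = struct.pack("!HHHH", 0xC000, LISP_DATA_PORT, 8 + len(lisp), 0) + lisp
    rloc = ipv4_header(itr_rloc, etr_rloc, 17, len(udp)) + udp
    return struct.pack("!HHI", GRE_KEY_BIT, GRE_PROTO_IPV4, gre_key) + rloc


def rloc_view(pkt: bytes) -> tuple:
    """What an inspector that stops at the RLOC IP/UDP headers can see."""
    rloc = parse_ipv4(pkt[8:])
    _, dport = struct.unpack("!HH", rloc["payload"][:4])
    return rloc["src"], rloc["dst"], rloc["proto"], dport


def lisp_view(pkt: bytes) -> dict:
    """Walk GRE -> RLOC IP -> UDP -> LISP -> host IP, as a LISP-aware inspector does."""
    flags, proto, key = struct.unpack("!HHI", pkt[:8])
    if not flags & GRE_KEY_BIT or proto != GRE_PROTO_IPV4:
        raise ValueError("expected keyed GRE carrying IPv4")
    rloc = parse_ipv4(pkt[8:])
    _, dport, _, _ = struct.unpack("!HHHH", rloc["payload"][:8])
    if rloc["proto"] != 17 or dport != LISP_DATA_PORT:
        raise ValueError("not LISP data traffic")
    word0, word1 = struct.unpack("!II", rloc["payload"][8:16])
    iid = word1 >> 8 if (word0 >> 24) & LISP_FLAG_I else None
    inner = parse_ipv4(rloc["payload"][16:])
    return {"gre_key": key, "rloc": (rloc["src"], rloc["dst"]), "instance_id": iid,
            "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"]}


if __name__ == "__main__":
    # Same inner addresses in VPN A (IID1) and VPN B (IID2): R7-xTR1 pinging the hub xTR
    a = build_packet("192.168.1.1", "192.168.0.1", 1, "172.16.1.2", "172.16.0.2", 100000)
    b = build_packet("192.168.1.1", "192.168.0.1", 2, "172.16.1.2", "172.16.0.2", 100000)
    print("RLOC/UDP view identical for both VPNs:", rloc_view(a) == rloc_view(b))
    print("VPN A IID:", lisp_view(a)["instance_id"], " VPN B IID:", lisp_view(b)["instance_id"])
```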
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar
LISP Data Center/Host Mobility
TECRST-3191
Marco Pessi
LISP Technical Marketing Engineer
[email protected]
Agenda
LISP Data Center/Host Mobility
 Host Mobility Business Drivers
 LISP Host Mobility
• Fundamentals
• Across Subnets
• Extending Subnets
• Services Integration
• WAN Integration
 LISP Mobile Node
 LISP Summary
Host Mobility Business Drivers
Networking Implications of the Mobile/Cloud Era
A new era of multi-tenancy and multiple devices
Legacy IT model: Client/Server
Attributes:
• Simple
• Secure
• Static
Emerging IT model: Mobile/Cloud
Attributes:
• Connected
• Scalable
• Multi-tenant
[Diagram: a single Client/Server pair versus many mobile devices (M) and cloud services (C)]
IT Trends – Distribute Data Centers
Building the Data Center Private and Hybrid Cloud
 Distributed Data Center Goals:
– Seamless workload mobility between multiple datacenters
– Distributed applications closer to end users
– Pool and maximize global compute resources
– Ensure business continuity with workload mobility and distributed deployment
[Diagram: Geographically Dispersed Data Centers]
Problem Statement
The Need for a New Networking Architecture
 Today’s networks aren’t designed for mobility
– IP addresses are statically assigned to devices, access points, or services.
– Connecting resources on different private networks and public networks with different owners is challenging
– Movement between networks means device, service or network element connectivity is necessarily lost
 Today’s networks can’t scale
– Cloud, mobility and Internet of things are overextending the ability of today’s routers to route data packets.
– Mobility of devices and/or network elements leads to a ballooning of the amount of information stored in routing tables
 Today’s networks require new security models
– In a world of multiple devices and multi-tenancy it’s not feasible to manually build every needed virtual private network
Mobility, Scalability and Interconnection Issues Must Be Solved Together
Locator ID/Separation Protocol (LISP)
Next Generation Networking Architecture
Overview
 LISP (Location / ID Separation Protocol) is an addressing architecture and set of protocols comprising an Endpoint Identifier (defining who a user is) and a Routing Locator (defining where the user is connected).
 LISP separates the identity of the device or access point from where the device is located enabling Internet services to remain continually connected when users move around or change devices.
Benefits
 Mobility → IP address Portability
 Scalability → On-Demand Route lookup
 Security → Tenant ID based Segmentation
 Address Family Independence
Use-cases
 Global Workload Mobility
 Workload Portability to Cloud
 Secure Multi-tenancy across organizations
 Rapid IPv6 Deployment
Evolving the World’s Networks for the Cloud Era
Solving Scale, Mobility and Security Problems
Global Mobility across organizational boundaries
Overview
 Topology independent addressing
 Overlay solution
 IPv4 or IPv6 agnostic
Benefits
 Integrated Mobility
 Mobility across organizations (SPs, Cloud Providers)
 IPv4, IPv6 or a combination
 Optimal traffic path (no triangulation)
Applicability
 Active-Active Data Centers
 Data Center Disaster Recovery
 Workload Portability to Cloud (aka Bursting)
 Federated Cloud open connectivity
[Diagram: Primary DC and Secondary DC reached through Provider A and Provider B]
Evolving the World’s Networks for the Cloud Era
Data Center Host Mobility
Data Center VM IP Mobility :: Why?
Mobility = Flexibility
IP Portability = Simplicity
• Mobility in the DC allows business continuity during network failover, maintenance and migration: active-active DC, Disaster Recovery, Hybrid Cloud, DC migration
• Mobility with IP Address Retention…
• Is transparent to clients, applications and allows keeping existing network policies
• Server Virtualization… enables virtual server mobility
[Diagram: a VM with address A.B.C.D moves from the Original DC to a Service Provider DC, Disaster Recovery DC or New DC … and keeps A.B.C.D]
Data Center VM IP Mobility :: What do I need?
• Server Gateway Consistency
• Routed Traffic
• Machine State Consistency
• Bridged Traffic
[Diagram: VM MAC A / A.B.C.D moves from the Original DC (gateway MAC B, A.B.C.1) to a Service Provider DC, Disaster Recovery DC or New DC… (gateway MAC E, A.B.C.E, router E.F.G.H); the VM’s ARP table (A.B.C.1 → MAC B, A.B.C.E → MAC E), its Memory State and its Disk State travel with it]
LISP Data Center Mobility :: Live vs Cold Mobility
Live Moves With LAN Extension
• Routing for Extended Subnets
• Active-Active Data Centers
• Distributed Data Centers
• Application Members Distributed
• Seamless Workload Mobility
Cold Moves Without LAN Extension
• IP Mobility Across Subnets
• DC Migration
• Disaster Recovery / Cloud Bursting / Hybrid Cloud
• Application Members In One Home Location
[Diagram, left: West-DC and East-DC LISP Sites joined by a LAN Extension, XTR/FHR at each DC, Mapping DB over the IPv4 Network. Right: West-DC LISP Site and a DR Location or Cloud Provider DC, XTR at each, Mapping DB over the IPv4 Network, no LAN extension]
LISP Data Center Mobility :: Approach
• New LISP customers
– Non LISP remote sites
– Standalone VM Mobility Use Case
– Minimal, DC only, intrusion
– Phased, operationally light, incremental approach
– Interworking with existing routing protocols
• Existing LISP adopters
– LISP sites
– Enable VM Mobility in DC Sites
– Natural, simple evolution of existing LISP infrastructure
[Diagram: West-DC and East-DC, with MSMR and Mapping DB, for both the new-customer and the existing-adopter case]
Mobility Requirement # 1: Integration with Services
Example: Extended LAN between DCs
• Most firewalls/SLB cannot inspect LISP data traffic (ZBF LISP Inspection: XE3.13)
• Stateful devices like firewalls and load balancers need to inspect the traffic in both directions
– After the silver VM moves to East-DC across the LAN extension, firewalls on each DC see traffic only in one direction
[Diagram: a Client Site sends LISP Encapsulated Traffic over the WAN or Internet to West-DC; West-DC and East-DC are joined by a LAN Extension; after the move, One-Way Traffic enters through West-DC and Return Traffic leaves through East-DC instead of Bidirectional Traffic through one firewall]
Mobility Requirement # 2: Ingress Path Optimization
• Client traffic to moved workload is blackholed or not optimized after the move
– Ex. Return traffic thru different firewall (blackhole)
– Ex. Keep server gateway on West DC (sub optimized)
[Diagram: Client Site over the WAN or Internet to West-DC and East-DC, with a “?” on the path to the moved workload]
Mobility Requirement # 3: Local Routing Optimization
Example: Extended LAN between DCs, Server GW on West DC only
• Having the server gateway only on one DC does not scale well
• When the number of DR moves increases, the inter-zone traffic will hair-pin between the 2 DCs over OTV, instead of being locally routed in the DR DC
[Diagram: Client Site over the WAN or Internet; West-DC and East-DC joined by a LAN Extension]
Mobility Req. # 4: Multi-Zone Multi-Tenant DC
Example: Two tenant – Three zone IaaS Virtualization
• Server Zone Segmentation
– front-end/back-end servers
– Internal firewall inspects inter-zone traffic
– VLAN or VRF Lite
• Tenant (or service) Segmentation
– Each tenant uses a private VPN
– Dedicated firewall (context) per tenant
• Associate Zones to single tenant (or service)
– Tenant VRF “merges” server zone VRFs
• Scale from tens (enterprise) to thousands of tenants (service provider)
[Diagram: Client Sites for Tenant 1 and Tenant 2 reach West-DC over per-tenant WANs (WAN Tenant 1, WAN Tenant 2); each tenant has its own FW Context (FW Context Tenant 1, FW Context Tenant 2) in front of its server zones]
LISP Data Center/Host Mobility
Functions and Components
LISP DC Mobility :: Functions
Three simple steps to mobility
1. Detect the host move
a) For any host, without agents on the host or protocols
b) Without dependence on any hypervisor
2. Register the new host location with the Mapping System
3. Notify other xTRs/PITRs of the move
a) Update routing tables at old sites
b) Update LISP Map-Caches
LISP DC Mobility :: Existing Functions
– Map Server/Resolver (MSMR)
– Tunnel Router (xTR): H/W encap/decap (HW capable) and registration (control-plane) of the mobile subnet in the MS
• In a typical deployment, MSMR and TR functions coexist and are distributed (HA) on the same devices in one or all data center locations
• There are minimal changes to existing LISP components to support VM Mobility
IOS
router lisp
 ! [MSMR portion]
 site WESTEAST-DC
  authentication-key L15P43V3R
  eid-prefix 172.71.64.0/20 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit
[Diagram: a LISP Client Site (xTR) and a Non LISP Client Site (PITR/PETR) reach DC-1 and DC-2 over the WAN or Internet; each DC has ETR/ITR and FHR functions, with MSMR and Mapping DB. Legend: LISP Encap/Decap, Host Detection, LISP Device, RLOC, EID]
LISP DC Mobility :: Mobility Functions
FHR: Single/Multi-Hop Mobility
• LISP Single-Hop Mobility implements FHR and xTR in the same devices
• LISP Multi-Hop Mobility implements FHR and xTR in two distinct devices, allowing multiple L3 hops in between:
- Less stringent H/W capability requirements
- Insertion of L3 stateful devices (non LISP capable)
- Multiple points in the network capable of injecting LISP mobile information and “influence” traffic routing
• First Hop Router is a control-plane function for scalable, dynamic detection and signaling of a “silent” host
[Diagram: as on the previous slide, with the FHR function highlighted at DC-1 and DC-2]
LISP DC Mobility :: Mobility Functions
FHR – Across Subnet Mode
• Detection:
– ARP packets (FHR not required to be Gateway)
– IP packets
– Probing (expiration)
• Signaling:
– Single-Hop (FHR = xTR)
• Location Services:
– Routed Traffic
– Bridged Traffic (IP Local Proxy ARP)
– Supports Foreign Subnet
[Diagram: VM MAC D / A.B.C.D moves from the Original DC (GW/FHR MAC A, A.B.C.1) to a Service Provider DC, Disaster Recovery DC or New DC… (GW/FHR MAC F, A.B.C.F; subnet A.B.C.0/24 or A.B.D.0/24; router E.F.G.H); the VM keeps its ARP table (A.B.C.1 → MAC A, A.B.C.E → MAC E), its Memory State and its Disk State]
LISP DC Mobility :: Mobility Functions
FHR+ETR – Across Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local peers
– S-N: ETR → MSMR → ETR
IOS
router lisp
 locator-set DC2
  10.10.3.1 priority 1 weight 5
  10.10.4.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VM
   database-mapping 172.71.73.0/24 locator-set DC2
   map-notify-group 230.23.3.1
   exit
 ipv4 etr
 ipv4 etr map-server 10.10.0.1 key DC
! [..]
interface GigabitEthernet0/0.73
 encapsulation dot1q 73
 ip address 172.71.73.3 255.255.255.0
 standby 0 ip 172.71.73.254
 lisp mobility VM
 ! no lisp extended-subnet-mode
 ! ip proxy-arp
[Diagram: DC-1 and DC-2 each with two ETR/ITR devices; DC-2 RLOCs 10.10.3.1 and 10.10.4.1; MSMR with Mapping DB; LISP Client Site and Non LISP Client Site (PITR/PETR) over the WAN or Internet]
LISP DC Mobility :: Mobility Functions
FHR+ETR – Across Subnet Mode: LISP Mobility HRI
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local peers
– S-N: ETR → MSMR → ETR
• FHR (ETR) + MSMR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution
IOS
ETR# show ip route
[..]
      172.71.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.71.73.0/24 is directly connected, Ethernet0/0.73
L        172.71.73.1/32 is directly connected, Ethernet0/0.73
l        172.71.73.123/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73
l        172.71.73.124/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73
(Can be redistributed)
[Diagram: Regional Site and Non LISP Client Site over the WAN; ETRs at DC-1 and DC-2 with Host Route Injection; MSMR with Mapping DB]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode
• Detection:
– IP packets (FHR = GW)
– Silent Host Detection (ARP based)
• Signaling:
– Single-Hop (FHR = xTR)
– Multi-Hop (FHR ≠ xTR)
• Location Services:
– Routed Traffic (using LISP or other overlay tunnel router)
– FHRP Isolation
[Diagram: VM MAC D / A.B.C.D moves from the Original DC to a Service Provider DC, Disaster Recovery DC or New DC… over a LAN Extension; both sites have a GW/FHR answering as MAC A, A.B.C.1, router E.F.G.H at the new site; the VM keeps its ARP table (A.B.C.1 → MAC A, A.B.C.E → MAC E), its Memory State and its Disk State]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
IOS
router lisp
 locator-set DC2
  10.10.3.1 priority 1 weight 5
  10.10.4.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VMs
   database-mapping 172.71.73.0/24 locator-set DC2
   map-notify-group 230.23.3.1
   eid-notify 10.10.1.1 key DC2-XTR
   exit
! [..]
!
interface GigabitEthernet0/0
 ip address 172.71.73.3 255.255.255.0
 standby 0 ip 172.71.73.1
 lisp mobility VMs
 lisp extended-subnet-mode
!
[Diagram: DC-1 and DC-2 joined by a LAN Extension, each with ETR/ITR and FHR devices; the DC-2 FHRs (10.10.3.1, 10.10.4.1) notify the xTR at 10.10.1.1; MSMR with Mapping DB; LISP Client Site and Non LISP Client Site (PITR/PETR) over the WAN or Internet]
LISP DC Mobility :: Mobility Functions
ETR – Extended Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
IOS
router lisp
 locator-set DC2
  10.10.1.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VMs
   database-mapping 172.71.73.0/24 locator-set DC2
   eid-notify authentication-key DC2-XTR
   exit
 ipv4 etr
 ipv4 etr map-server 10.10.0.1 key DC
! [..]
[Diagram: same topology as the previous slide]
LISP DC Mobility :: Mobility Functions
FHR/ETR – Extended Subnet Mode: Dynamic EID Table
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
NxOS
FHR# show lisp dynamic-eid summary
LISP Dynamic EID Summary for VRF "default"
* = Dyn-EID learned by site-based Map-Notify
! = Dyn-EID learned by routing protocol
^ = Dyn-EID learned by EID-Notify
Dyn-EID Name   Dynamic-EID      Interface   Uptime     Last Packet   Pending Ping Count
VMs            *172.71.73.102   Vlan10      03:46:28   00:00:19      0
VMs            172.71.73.112    Vlan10      02:01:20   00:00:40      0

IOS
ETR# show lisp dynamic-eid summary
LISP Dynamic EID Summary for VRF "default"
* = Dyn-EID learned by Site-Based Map-Notify
^ = Dyn-EID learned by EID Notify
Dyn-EID Name   Dynamic-EID      Interface   Uptime     Last Packet   Pending Ping Count
VMs            ^172.71.73.102   N/A         03:46:40   00:00:54      0
VMs            ^172.71.73.112   N/A         02:01:20   00:00:50      0
[Diagram: same topology as the previous slides]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: LISP Mobility HRI
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
• FHR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution
NxOS
FHR# show ip route
172.71.73.0/24, ubest/mbest: 1/0, attached
    *via 172.71.73.5, Vlan15, [0/0], 10:45:30, direct
172.71.73.0/25, ubest/mbest: 1/0
    *via Null0, [249/0], 02:35:50, lisp, dyn-eid
172.71.73.1/32, ubest/mbest: 1/0
    *via 172.71.73.1, Vlan15, [0/0], 10:45:05, hsrp
172.71.73.34/32, ubest/mbest: 1/0, attached
    *via 172.71.73.34, Vlan15, [249/0], 00:11:26, lisp, dyn-eid
172.71.73.5/32, ubest/mbest: 1/0, attached
    *via 172.71.73.5, Vlan15, [0/0], 10:45:30, local
172.71.73.16/32, ubest/mbest: 1/0, attached
    *via 172.71.73.16, Vlan15, [249/0], 00:08:06, lisp, dyn-eid
172.71.73.128/25, ubest/mbest: 1/0
    *via Null0, [249/0], 02:35:50, lisp, dyn-eid
(Can be redistributed)
[Diagram: Regional Site and Non LISP Client Site over the WAN; FHRs at DC-1 and DC-2 with Host Route Injection; DC-1 and DC-2 joined by a LAN Extension]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Silent Host Detection (1/2)
• Steps
1. LISP remote PxTR announces server subnet
2. DC-1 ETR Registers server subnet in MS
3. DC-1 ETR announces server subnet to Internet DMZ
4. DC-1 ETR installs server subnets to local FHRs
5. FHR receives client traffic to idle servers
6. FHR resolves server address and forwards traffic (over LAN Extension)
7. Return IP traffic from server hits local gateway (FHRP Isolation) and triggers detection by FHR
• Available in both IOS and NxOS implementations
• FHR can detect idle servers at either DC location with proper routing design
[Diagram: LISP Client Site and Non LISP Client Site (PITR/PETR) over the WAN or Internet, Internet DMZ in front of DC-1; DC-1 ETR/ITR (10.10.1.1) and FHRs, DC-2 ETR/ITR and FHRs, joined by a LAN Extension; MSMR with Mapping DB; steps 1 to 7 numbered on the paths]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Silent Host Detection (2/2)
• When the FHR does not announce a coarse server subnet, it can detect idle servers locally by inspecting and probing ARP traffic
• Steps
 1. FHR receives ARP packets from idle server
 2. FHR probes the IP address with an ICMP packet, using the Virtual IP and MAC (HSRP) as source
 3. ICMP packet reaches the silent server on the same DC (HSRP Isolation)
 4. Return ICMP packet from server hits local gateway (FHRP Isolation) and triggers detection by FHR
• Only in NxOS
• ARP probing is rate limited
Diagram: Regional Site and Non LISP Client Site over the WAN; DC-1 and DC-2 FHRs joined by LAN Extension, Host Route Injection from the FHRs; ARP from the server, ICMP probe from the FHR. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
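A model of the two FHR detection paths described on the two slides above (detection when IP traffic from the host hits the local gateway, and the ARP-triggered, rate-limited ICMP probe for silent hosts), as an added example for this page; it is not Cisco's NX-OS code. The dynamic-EID prefix, HSRP virtual IP and host addresses reuse the earlier slides; the probe budget (two probes per second), the timeline and the method names are constructed.

```python
"""Model of FHR silent-host detection in LISP Extended Subnet Mode.

Added example for this page, not Cisco code. Behaviour modelled from the
slides: a dynamic-EID /32 is only installed when IP traffic from the host
reaches the gateway; an ARP from an unknown in-scope host triggers a
rate-limited ICMP echo sourced from the HSRP virtual IP, and the echo reply
(kept in this DC by FHRP isolation) is the IP traffic that completes detection.
Rate-limit parameters are an assumption.
"""
import ipaddress
from collections import deque


class SilentHostDetector:
    def __init__(self, dyn_eid_prefix, vip, max_probes, per_seconds):
        self.prefix = ipaddress.ip_network(dyn_eid_prefix)
        self.vip = vip                      # HSRP virtual IP used as probe source
        self.max_probes, self.window = max_probes, per_seconds
        self.probe_times = deque()          # timestamps of recent probes
        self.detected = {}                  # host ip -> detection time (/32 installed)
        self.pending = set()                # probed, no reply yet
        self.sent_probes = []               # (time, src, dst) ICMP echo requests
        self.suppressed = 0                 # ARP hints dropped by the rate limiter

    def _in_scope(self, ip):
        return ipaddress.ip_address(ip) in self.prefix

    def _rate_limit_ok(self, now):
        while self.probe_times and now - self.probe_times[0] >= self.window:
            self.probe_times.popleft()
        return len(self.probe_times) < self.max_probes

    def on_ip_packet(self, src_ip, now):
        """IP traffic from an in-scope host hits the gateway: detect it.
        Returns True when a new dynamic EID was just detected."""
        if self._in_scope(src_ip) and src_ip not in self.detected:
            self.detected[src_ip] = now
            self.pending.discard(src_ip)
            return True
        return False

    def on_arp(self, sender_ip, now):
        """ARP from an unknown in-scope host: send an ICMP echo from the VIP,
        subject to the rate limiter. Returns (src, dst) of the probe or None."""
        if (not self._in_scope(sender_ip) or sender_ip in self.detected
                or sender_ip in self.pending):
            return None
        if not self._rate_limit_ok(now):
            self.suppressed += 1
            return None
        self.probe_times.append(now)
        self.pending.add(sender_ip)
        self.sent_probes.append((now, self.vip, sender_ip))
        return (self.vip, sender_ip)

    def on_icmp_echo_reply(self, src_ip, now):
        """The echo reply reaches the local gateway: ordinary IP traffic, so it
        completes detection of the silent host."""
        return self.on_ip_packet(src_ip, now)


def scenario():
    """Constructed timeline: three silent servers ARP within one second, one
    busy server sends IP traffic, and the third silent server retries later."""
    fhr = SilentHostDetector("172.71.73.0/24", "172.71.73.1", max_probes=2, per_seconds=1.0)
    events = [
        fhr.on_arp("172.71.73.34", now=0.0),     # probe 1
        fhr.on_arp("172.71.73.16", now=0.2),     # probe 2
        fhr.on_arp("172.71.73.77", now=0.4),     # third probe in 1 s: suppressed
        fhr.on_arp("172.71.74.5", now=0.5),      # outside the dynamic-EID prefix
    ]
    fhr.on_icmp_echo_reply("172.71.73.34", now=0.6)   # silent host detected
    fhr.on_ip_packet("172.71.73.102", now=0.7)        # busy host detected directly
    events.append(fhr.on_arp("172.71.73.77", now=1.5))  # window slid: probe allowed
    return fhr, events


if __name__ == "__main__":
    det, ev = scenario()
    print("probes:", ev)
    print("detected:", sorted(det.detected), "pending:", sorted(det.pending),
          "suppressed:", det.suppressed)
```

The rate limiter matters for the reason the slide gives: an attacker on the segment can generate ARPs for arbitrary in-scope addresses, and without a cap each one would cost the FHR a probe and a pending entry.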
LISP DC Mobility :: Mobility Functions
SMR – Notify other Tunnel Routers of the move
• Solicit Map Request (SMR) Mechanism:
 1. FHR detection and EID notify to ETRs
 2. ETRs register dynamic EID to MS
 3. MS notifies old registrant ETRs
 4. Losing ETRs update local (IOS) or away (NxOS) host tables
 5. Active decapsulated traffic from remote PITR/ITRs that hits away host table entry triggers SMR
 6. PITR/ITRs process SMR and send map-request to MR to update their map cache
 7. MSMR forwards request to East DC ETR, which sends map-reply
 8. PITR/ITR steer traffic to new East DC locators
Diagram: Non-LISP Client Sites behind a PxTR and a LISP Regional Site (xTR) over the Private WAN; West-DC and East-DC xTRs and FHRs; MSMR with Mapping DB; move event of host 10.0.1.67 from West-DC to East-DC. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
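The eight-step SMR sequence above, as an added example for this page: a Python model of the exchange, not Cisco code and not a LISP wire-format implementation (the RFC 6830 message names are used, but Map-Register, Map-Notify, SMR, Map-Request and Map-Reply are method calls rather than packed headers). The host EID 10.0.1.67 and the West-DC/East-DC roles are the slide's; the RLOCs 10.0.1.2 and 10.0.2.2 and the PxTR's initial map-cache entry are constructed.

```python
"""Model of the Solicit-Map-Request (SMR) flow after a host move.

Added example for this page; not Cisco code. Messages are method calls, not
LISP headers. The EID 10.0.1.67/32 and the DC roles come from the slide; the
RLOCs and the PxTR's starting map-cache are constructed.
"""


class MapSystem:
    """Combined Map-Server / Map-Resolver (the slide's MSMR)."""
    def __init__(self):
        self.db = {}       # eid -> (rlocs, registering ETR)
        self.log = []

    def map_register(self, eid, rlocs, etr):
        prev = self.db.get(eid)
        self.db[eid] = (tuple(rlocs), etr)
        self.log.append(f"Map-Register {eid} -> {list(rlocs)} from {etr.name}")
        if prev and prev[1] is not etr:       # step 3: Map-Notify the old registrant
            prev[1].map_notify(eid, rlocs)

    def map_request(self, eid, requester):
        rlocs, etr = self.db[eid]             # step 7: forward to the owning ETR
        self.log.append(f"Map-Request {eid} from {requester.name} -> {etr.name}")
        etr.map_reply(eid, requester)


class Etr:
    def __init__(self, name, rloc, ms):
        self.name, self.rloc, self.ms = name, rloc, ms
        self.local = set()   # dynamic EIDs detected behind this ETR
        self.away = {}       # dynamic EIDs that left: eid -> new RLOCs
        self.smr_sent = []

    def eid_notify(self, eid):
        """Steps 1-2: FHR detection -> register the dynamic EID with the MS."""
        self.local.add(eid)
        self.away.pop(eid, None)
        self.ms.map_register(eid, [self.rloc], self)

    def map_notify(self, eid, new_rlocs):
        """Step 4: the losing ETR moves the host to its away table."""
        self.local.discard(eid)
        self.away[eid] = tuple(new_rlocs)

    def decapsulate(self, eid, itr):
        """Step 5: decapsulated traffic that hits an away entry triggers an SMR
        back to the ITR that sent it."""
        if eid in self.local:
            return "delivered"
        if eid in self.away:
            self.smr_sent.append((eid, itr.name))
            itr.receive_smr(eid)
            return "smr"
        return "dropped"

    def map_reply(self, eid, itr):
        itr.map_cache[eid] = (self.rloc,)


class Itr:
    """Remote ITR / PxTR with a map-cache."""
    def __init__(self, name, ms):
        self.name, self.ms = name, ms
        self.map_cache = {}
        self.smr_received = 0

    def forward(self, eid, etr_by_rloc):
        rloc = self.map_cache[eid][0]
        return etr_by_rloc[rloc].decapsulate(eid, self)

    def receive_smr(self, eid):
        """Step 6: the SMR is only a hint; the refresh is an SMR-invoked
        Map-Request through the mapping system, never a cache update taken
        from the SMR sender."""
        self.smr_received += 1
        self.ms.map_request(eid, self)


def run_move(eid="10.0.1.67/32"):
    ms = MapSystem()
    west = Etr("West-DC-ETR", "10.0.1.2", ms)
    east = Etr("East-DC-ETR", "10.0.2.2", ms)
    by_rloc = {west.rloc: west, east.rloc: east}
    pxtr = Itr("PxTR", ms)
    west.eid_notify(eid)                  # host is first seen in West-DC
    pxtr.map_cache[eid] = (west.rloc,)    # PxTR resolved it earlier
    before = pxtr.forward(eid, by_rloc)
    east.eid_notify(eid)                  # move event: East-DC FHR detects the host
    first = pxtr.forward(eid, by_rloc)    # stale cache -> West ETR -> SMR (steps 5-7)
    second = pxtr.forward(eid, by_rloc)   # step 8: cache now points at East-DC
    return {"before": before, "first": first, "second": second,
            "cache": pxtr.map_cache[eid], "west_away": eid in west.away,
            "smr_received": pxtr.smr_received, "log": ms.log}


if __name__ == "__main__":
    for k, v in run_move().items():
        print(f"{k}: {v}")
```

The one design point worth keeping from RFC 6830 is in Itr.receive_smr: an SMR carries no mapping and is not authenticated, so the ITR re-resolves through the Map-Resolver (and should rate-limit those SMR-invoked Map-Requests) instead of trusting whoever sent the SMR; otherwise a spoofed SMR could redirect traffic.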
LISP Data Center/Host Mobility
Across Subnet
Customer :: NJEdge.NET
• Web Server Backup Service
 – Cold Move – Across Subnet Mode
 – Single server machine needs to move to LISP Service Provider DC for scheduled maintenance or DR
• NAT Support
 – Firewalls with 1:1 NAT acting as server gateway are typically deployed on original site
 – Host presence detection on original site on public prefix
 – Public IP address moves to LISP Service Provider DC
Diagram: NJEDge.Net LISP Network (MS/MR, PxTR, xTR) advertising the IPv4 EID aggregate to the IPv4 Internet through a Transit SP and Tier 1 SP1/SP2 (default route or BGP), and to the IPv6 Internet (Facebook, Google: "some v6", "more v6"); Members 1..N (e.g. Member 23) behind CPE xTRs with a default route or BGP to a commodity SP ("some v4"), reached LISP-to-LISP or Non-LISP-to-LISP; Member N site 192.168.0.0/24 (server 192.168.0.10) behind a 1:1 NAT to public 172.31.255.0/24 (172.31.255.10)
Customer :: IBM Strategic Outsourcing UK
• Before LISP: Big-Bang Approach
 – Perform a bulk migration with high risk
 – Take longer to start moving servers
 – Longer storage migration cycle that requires keeping a large data set in synch over WAN
Diagram: Brownfield Customer DC (server 10.1.1.5) and Greenfield IBM DC (server 10.1.1.6), each with L3 and L2 layers ("any VLAN and any STP") and an ASR1K at the WAN edge; bulk migration of 10.1.1.0/24 over a shared or migration WAN
Customer :: IBM Strategic Outsourcing UK
• With LISP:
 – Can perform the server migration in smaller waves (lower risk) and faster, as soon as the server data is available on IBM DC
 – The amount of data to be kept in synch is minimized, reducing risk and WAN requirements
 – Path optimization from the user to the application is possible, eliminating latency concerns and reducing WAN bandwidth requirements
 – Simplicity: repeatable, easy to implement with pre-defined price
• IBM SO UK reduced the migration window from years to weeks (95%)
Diagram: Brownfield Customer DC (10.1.1.5) and Greenfield IBM DC (10.1.1.6), each with L3 and L2 layers ("any VLAN and any STP"), ASR1K ETRs and an MSMR at the WAN edge; LISP ASM incremental server migration of 10.1.1.5
Customer :: IBM Strategic Outsourcing UK
• Brownfield DC:
 – Non intrusive ASR1000 placement (on-a-stick), configured as LISP PxTR
 – No changes in routing advertisement (mobile aggregate subnet)
• Greenfield DC:
 – LISP Mapping System (MSMR)
 – LISP xTR with ASM Mobility (Dynamic EID) for the migrating prefix
Mapping System:
 10.1.1.0 -> 2.2.2.2, 3.3.3.3
Diagram: Brownfield Customer DC with ASR1K PxTR/ETR (RLOCs 2.2.2.2, 3.3.3.3) and server 10.1.1.5; Greenfield IBM DC with ASR1K ETRs (RLOCs 4.4.4.4, 5.5.5.5), MSMR and server 10.1.1.6; LISP Dynamic EID 10.1.1.0/24
Customer :: IBM Strategic Outsourcing UK
• Dynamic Granular Migration:
 – As soon as server is enabled in Greenfield DC, it is discovered by IP/ARP traffic and registered into LISP Mapping System
• Dynamic Path Optimization:
 – Client traffic is steered to new Greenfield location
 – Return traffic can be symmetric to allow external firewalls in Brownfield DC
 – Intra-subnet traffic from Brownfield DC is routed (GARP+LISP) to Greenfield DC
Mapping System:
 10.1.1.0 -> 2.2.2.2, 3.3.3.3
 10.1.1.5 -> 4.4.4.4, 5.5.5.5
Diagram: server 10.1.1.5 moved to the Greenfield IBM DC (ASR1K ETRs 4.4.4.4, 5.5.5.5, MSMR) and discovered by IP/ARP; Brownfield Customer DC (ASR1K PxTR/ETR 2.2.2.2, 3.3.3.3) with server 10.1.1.6, GARP toward the Brownfield hosts; LISP Dynamic EID 10.1.1.0/24
Customer :: European Service Provider
Use Case: DC to Cloud IP Mobility
Benefit: Simplified Application Deployment to the Cloud
Challenges
• Simple, Fast, Transparent Application Onboarding
• Consistency with DC Network Features
Solutions
• LISP for VM Mobility
• Routing
• NAT, DHCP
Benefits
• Simpler App Integration
• Dynamic infrastructure
• Consistent Management
Diagram: DC (switches, ASR, servers, CSR 1000V) connected through a WAN router to the Cloud Provider Data Center (VPC/vDC with CSR 1000V) using the LISP protocol
LISP Data Center/Host Mobility
Extending Subnet
Customer :: US National Bank
MPLS Core, Extending Subnets – Topology
Diagram: Customer-A MPLS-VPN over an MPLS Core. Customer-A Sites 1–4 (CE1–CE4 behind PE1–PE4, each CE an ITR/ETR); MS/MRs at CE5 and CE6 (behind PE5 and PE6); Blue/DC 1 (Location 1, CE7, 172.17.0.0/16) and Blue/DC 2 (Location 2, CE8, 172.18.0.0/16), each with two ITR/ETRs, joined by LAN Extension (OTV); 172.17.0.0/24 is the DYNAMIC EID prefix
Customer :: US National Bank
MPLS Core, Extending Subnets – LISP Configurations (Sites and MSMRs)
Site xTR (IOS), Customer-A Site 1 (CE1), EID 172.16.1.0/24, RLOC GE0/0/0 10.1.1.2/30:
router lisp
 eid-table default instance-id 0
  database-mapping 172.16.1.0/24 10.1.1.2 priority 1 weight 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.1.5.1
 ipv4 etr map-server 10.1.5.1 key s3cr3t
 ipv4 itr map-resolver 10.1.6.1
 ipv4 etr map-server 10.1.6.1 key s3cr3t
!

MS/MR (IOS), CE5 (RLOC GE0/0/0 10.1.5.1) and CE6 (RLOC GE0/0/0 10.1.6.1):
router lisp
 !
 site DCs
  authentication-key DCs3cr3t
  eid-prefix 172.17.0.0/16 accept-more-specifics
  eid-prefix 172.18.0.0/16
  exit
 !
 site Site-1
  authentication-key s3cr3t
  eid-prefix 172.16.1.0/24
  exit
 !
 --<more sites>--
 ipv4 map-server
 ipv4 map-resolver
 exit
!
Diagram: same topology as the previous slide (Customer-A Sites 1–4, MS/MRs at CE5/CE6, Blue/DC 1 and Blue/DC 2 joined by LAN Extension (OTV), 172.17.0.0/24 DYNAMIC EID)
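What the Map-Server "site" blocks above enforce, as an added example for this page (a Python model, not Cisco code): a Map-Register is accepted only if its EID-prefix is exactly a configured eid-prefix of some site, or a more specific of a prefix marked accept-more-specifics, and its HMAC verifies under that site's authentication-key. The message layout in the model is a simplified stand-in (an assumption); the authentication follows RFC 6833, key-id 1 being HMAC-SHA-1-96 computed over the message with the Authentication Data field zeroed. Site names, keys and prefixes are the slide's.

```python
"""Map-Server admission check modelled from the 'site' configuration.

Added example for this page, not Cisco code. The Map-Register byte layout is
a simplified stand-in (assumption); the HMAC-SHA-1-96 scheme is RFC 6833's.
"""
import hashlib
import hmac
import ipaddress

SITES = {  # from the slide: site name -> key and (eid-prefix, accept-more-specifics)
    "DCs":    {"key": b"DCs3cr3t",
               "prefixes": [("172.17.0.0/16", True), ("172.18.0.0/16", False)]},
    "Site-1": {"key": b"s3cr3t",
               "prefixes": [("172.16.1.0/24", False)]},
}
AUTH_LEN = 12   # HMAC-SHA-1-96: first 96 bits of the SHA-1 HMAC


def encode_register(eid_prefix, rlocs, auth=b"\x00" * AUTH_LEN):
    """Simplified Map-Register: key-id (2 bytes), auth data, one EID record."""
    record = f"{eid_prefix};{','.join(rlocs)}".encode()
    return b"\x00\x01" + auth + record


def sign_register(eid_prefix, rlocs, key):
    """ETR side: HMAC over the message with the auth field zeroed, then filled in."""
    mac = hmac.new(key, encode_register(eid_prefix, rlocs), hashlib.sha1).digest()
    return encode_register(eid_prefix, rlocs, mac[:AUTH_LEN])


def parse_register(msg):
    key_id = int.from_bytes(msg[:2], "big")
    auth = msg[2:2 + AUTH_LEN]
    eid_prefix, rlocs = msg[2 + AUTH_LEN:].decode().split(";")
    return key_id, auth, eid_prefix, rlocs.split(",")


def site_for_prefix(eid_prefix):
    """Which site, if any, may register this prefix: exact match, or covered by
    a configured prefix that has accept-more-specifics."""
    try:
        net = ipaddress.ip_network(eid_prefix)   # strict: host bits set -> rejected
    except ValueError:
        return None
    for name, site in SITES.items():
        for cfg, more_specifics in site["prefixes"]:
            cfg_net = ipaddress.ip_network(cfg)
            if net == cfg_net or (more_specifics and net.subnet_of(cfg_net)):
                return name
    return None


def admit_register(msg):
    """MS side. Returns (accepted, reason). The MAC is checked only against the
    key of the site that owns the prefix, never by trying every site's key."""
    key_id, auth, eid_prefix, rlocs = parse_register(msg)
    if key_id != 1:
        return False, f"unsupported key-id {key_id}"
    site = site_for_prefix(eid_prefix)
    if site is None:
        return False, f"{eid_prefix} not allowed by any site"
    expected = hmac.new(SITES[site]["key"], encode_register(eid_prefix, rlocs),
                        hashlib.sha1).digest()[:AUTH_LEN]
    if not hmac.compare_digest(auth, expected):
        return False, f"bad authentication for site {site}"
    return True, f"registered {eid_prefix} -> {rlocs} under site {site}"


if __name__ == "__main__":
    for prefix, rlocs, key in [
        ("172.17.0.12/32", ["10.2.6.1", "10.2.6.5"], b"DCs3cr3t"),  # moved host, DC site
        ("172.18.0.5/32", ["10.2.6.1"], b"DCs3cr3t"),               # no accept-more-specifics
        ("172.16.1.0/24", ["10.1.1.2"], b"DCs3cr3t"),               # DC key used for Site-1
        ("172.16.1.0/24", ["10.1.1.2"], b"s3cr3t"),
    ]:
        print(prefix, admit_register(sign_register(prefix, rlocs, key)))
```

The second case is the one accept-more-specifics controls: the DC site may register 172.17.0.12/32 because 172.17.0.0/16 carries the keyword, but not a /32 under 172.18.0.0/16. The third case shows why per-site keys matter: a registration for Site-1's prefix signed with the DC key is refused, so a compromised DC xTR cannot hijack another site's EID space through the mapping system.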
Customer :: US National Bank
MPLS Core, Extending Subnets – LISP Configurations (Data Centers)
Blue/DC 1 (Location 1) xTRs (NX-OS), RLOC-A 10.2.5.1 and RLOC-B 10.2.5.5:
ip lisp itr-etr
ip lisp database-mapping 172.17.0.0/16 10.2.5.1 priority 1 weight 50
ip lisp database-mapping 172.17.0.0/16 10.2.5.5 priority 1 weight 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t
lisp dynamic-eid CUST-A-ROAM
 database-mapping 172.17.0.0/24 10.2.5.1 priority 1 weight 50
 database-mapping 172.17.0.0/24 10.2.5.5 priority 1 weight 50
 map-notify-group 239.1.1.1
interface vlan 100
 ip address 172.17.0.2/24 (or 172.17.0.3/24)
 lisp mobility CUST-A-ROAM
 lisp extended-subnet-mode
 hsrp 101
  preempt delay reload 300
  priority 130
  ip 172.17.0.1

Blue/DC 2 (Location 2) xTRs (NX-OS), RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5:
ip lisp itr-etr
ip lisp database-mapping 172.18.0.0/16 10.2.6.1 priority 1 weight 50
ip lisp database-mapping 172.18.0.0/16 10.2.6.5 priority 1 weight 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t
lisp dynamic-eid CUST-A-ROAM
 database-mapping 172.17.0.0/24 10.2.6.1 priority 1 weight 50
 database-mapping 172.17.0.0/24 10.2.6.5 priority 1 weight 50
 map-notify-group 239.1.1.1
interface vlan 100
 ip address 172.17.0.4/24 (or 172.17.0.5/24)
 lisp mobility CUST-A-ROAM
 lisp extended-subnet-mode
 hsrp 101
  preempt delay reload 300
  priority 130
  ip 172.17.0.1
Diagram: same topology (Customer-A Sites 1–4, MS/MRs at CE5/CE6, Blue/DC 1 and Blue/DC 2 joined by LAN Extension (OTV), 172.17.0.0/24 DYNAMIC EID)
Customer :: US National Bank
MPLS Core, Extending Subnets – Initial State
Diagram: same topology; the server 172.17.0.12 is in Blue/DC 1 (Location 1) and is registered as DYNAMIC EID 172.17.0.12/32 under 172.17.0.0/24 ("the server is here"); Blue/DC 1 RLOC-A 10.2.5.1 and RLOC-B 10.2.5.5, Blue/DC 2 RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5
Remote site xTR map-cache (Site 1, RLOC GE0/0/0 10.1.1.2/30, EID 172.16.1.0/24):
EID-prefix: 172.17.0.12/32
 Locator-set:
  10.2.5.1, priority: 1, weight: 50
  10.2.5.5, priority: 1, weight: 50
Customer :: US National Bank
MPLS Core, Extending Subnets – After the Move
Diagram: the server moves to Blue/DC 2 (Location 2) and is re-registered as DYNAMIC EID 172.17.0.12/32 behind RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5 ("the server moves here")
Remote site xTR map-cache (Site 1, RLOC GE0/0/0 10.1.1.2/30) after the move; the old locators 10.2.5.1 and 10.2.5.5 are replaced:
EID-prefix: 172.17.0.12/32
 Locator-set:
  10.2.6.1, priority: 1, weight: 50
  10.2.6.5, priority: 1, weight: 50
LISP Data Center/Host Mobility
Services Integration
LISP DC Mobility :: Services Integration
FW in the data path to inspect bidirectional traffic
• Virtualized First Hop Router as anycast gateway for each Server Zone
 – Servers move and retain their IP address, gateway and ARP cache
 – LISP dynamic EID detection and signaling
• Internal Firewall as inter zone router
• DCI Overlay Router attracts L3 traffic for servers discovered on the 'other' data center
Diagram: DCI Overlay Router (router or N7K VDC) to/from the other DC over the OTV / GRE / LISP ... server overlay; single L3 FW or FW contexts; SLB; single router or N7K VDC as first hop for the front-end and back-end zones
LISP DC Mobility :: Services Integration
Configuration approach: IOS
First Hop Router (IOS):
 router lisp [0] – LISP Role: FHR; locator-table = vrf silver; EID-table = vrf silver; LISP Instance ID = 999
 router lisp 1 – LISP Role: FHR; locator-table = vrf gold; EID-table = vrf gold; LISP Instance ID = 999
 router lisp 2 – LISP Role: FHR; locator-table = vrf blue; EID-table = vrf blue; LISP Instance ID = 999
DCI Overlay Router (IOS):
 router lisp [0] – LISP Role: xTR Site Gateway; EID-table = vrf crimson; LISP Instance ID = 999
Diagram: DCI Overlay Router to/from the other DC over the OTV / GRE / LISP ... server overlay; single L3 FW or FW contexts; SLB; single router as first hop for the front-end and back-end zones
LISP DC Mobility :: Services Integration
Configuration example: IOS
xTR Site Gateway (IOS):
router lisp
 locator-table vrf crimson
 locator-set WestDC
  10.0.1.2 priority 1 weight 5
 eid-table vrf crimson instance-id 999
  database-mapping 171.71.64.0/20 locator-set WestDC
  dynamic-eid VM-EXTENDED-SILVER
   database-mapping 171.71.71.0/24 locator-set WestDC
   eid-notify authentication-key WEST
  !
  dynamic-eid VM-EXTENDED-BLUE
   database-mapping 171.71.73.0/24 locator-set WestDC
   eid-notify authentication-key WEST
  !
  dynamic-eid VM-EXTENDED-GOLD
   database-mapping 171.71.72.0/24 locator-set WestDC
   eid-notify authentication-key WEST
  !
  exit
 ipv4 etr
 [..]
Diagram: DCI Overlay Router to/from the other DC over the OTV / GRE / LISP ... server overlay; single L3 FW or FW contexts; SLB; single router as first hop for the front-end and back-end zones
LISP DC Mobility :: Services Integration
Configuration example: IOS
First Hop Router (IOS), vrf blue:
router lisp 2
 locator-table vrf blue
 locator-set WestDC
  10.11.3.1 priority 1 weight 5
  exit
 !
 eid-table vrf blue instance-id 999
  dynamic-eid VM-EXTENDED-BLUE
   database-mapping 171.71.73.0/24 locator-set WestDC
   map-notify-group 230.23.3.1
   eid-notify 10.11.4.1 key WEST
   exit
 ![..]
interface GigabitEthernet1/1.30
 vrf forwarding blue
 lisp mobility VM-EXTENDED-BLUE
 lisp extended-subnet-mode
 standby 30 ip 171.71.73.1
Diagram: DCI Overlay Router to/from the other DC over the OTV / GRE / LISP ... server overlay; FW; SLB; front-end and back-end zones (the FHR notifies the xTR Site Gateway at 10.11.4.1 with key WEST)
LISP DC Mobility :: Services Integration
Configuration approach: NxOS
DCI Overlay VDC (NxOS):
 vrf context crimson – LISP Role: xTR Site Gateway; LISP Instance ID = 999
First Hop, single VDC (NxOS):
 vrf context silver – LISP Role: FHR; LISP Instance ID = 999
 vrf context gold – LISP Role: FHR; LISP Instance ID = 999
 vrf context blue – LISP Role: FHR; LISP Instance ID = 999
Diagram: DCI Overlay VDC to/from the other DC over the OTV / GRE / LISP ... server overlay; single L3 FW or FW contexts; SLB; single VDC as first hop for the front-end and back-end zones
LISP DC Mobility :: Services Integration
Configuration example: NxOS
xTR Site Gateway (NxOS):
vrf context crimson
 lisp instance-id 999
 ip lisp itr-etr
 ip lisp database-mapping 171.71.64.0/20 10.0.1.2 priority 1 weight 5
 lisp dynamic-eid VM-EXT-SILVER
  instance-id 999
  database-mapping 171.71.71.0/24 10.0.1.2 priority 1 weight 5
  eid-notify authentication-key WEST
 !
 lisp dynamic-eid VM-EXT-BLUE
  instance-id 999
  database-mapping 171.71.73.0/24 10.0.1.2 priority 1 weight 5
  eid-notify authentication-key WEST
 !
 lisp dynamic-eid VM-EXT-GOLD
  instance-id 999
  database-mapping 171.71.72.0/24 10.0.1.2 priority 1 weight 5
  eid-notify authentication-key WEST
 !
 [..]
Diagram: DCI Overlay VDC to/from the other DC over the OTV / GRE / LISP ... server overlay; single L3 FW or FW contexts; SLB; single VDC as first hop for the front-end and back-end zones
LISP DC Mobility :: Services Integration
Configuration example: NxOS
First Hop VDC (NxOS), vrf blue:
vrf context blue
 lisp instance-id 999
 ip lisp etr
 lisp dynamic-eid VM-EXT-BLUE
  database-mapping 171.71.73.0/24 10.11.3.1 priority 1 weight 5
  map-notify-group 230.23.3.1
  eid-notify 10.11.4.1 key WEST
  exit
![..]
interface Vlan30
 vrf member blue
 lisp mobility VM-EXT-BLUE
 lisp extended-subnet-mode
 hsrp 30
  ip 171.71.73.1
Diagram: DCI Overlay VDC to/from the other DC over the OTV / GRE / LISP ... server overlay; FW; SLB; front-end and back-end zones
LISP DC Mobility :: Services Integration
Option #1 : Host route injection from local FHR
• Firewall layer forwards server traffic to the DCI Overlay Router, following a default route or an aggregate route advertisement
• When LISP detects a local server presence, it dynamically injects a more specific route into the DC IGP to attract traffic from the FW
Diagram: to/from the other DC over the server overlay; the FW follows the default or aggregate route toward the DCI Overlay Router; Host Route Injection from the front-end and back-end FHRs
LISP DC Mobility :: Services Integration
Option #1 : HRI from local FHR: IOS Configuration
IOS
router ospf 203 vrf blue
 router-id 10.11.3.1
 capability vrf-lite
 redistribute lisp subnets route-map VMs
 network 171.71.73.0 0.0.0.255 area 0
!
ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32
route-map VMs permit 10
 match ip address prefix-list VMs
 set tag 173
!
Diagram: to/from the other DC over the server overlay; the FW follows the default or aggregate route; Host Route Injection from the front-end and back-end FHRs
LISP DC Mobility :: Services Integration
Option #1 : HRI from local FHR: NxOS Configuration
NxOS
router ospf 203
 vrf blue
  redistribute lisp route-map VMs
!
interface Ethernet1/13.113
 vrf member blue
 ip router ospf 203 area 0.0.0.0
!
ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32
route-map VMs permit 10
 match ip address prefix-list VMs
 set tag 173
!
Diagram: to/from the other DC over the server overlay; the FW follows the default or aggregate route; Host Route Injection from the front-end and back-end FHRs
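What the prefix-list and route-map in the two configurations above let through, as an added example for this page (a Python model of IOS/NX-OS prefix-list semantics, not Cisco code or output). The entry "permit 171.71.64.0/20 ge 32" permits a route only if its first 20 bits equal 171.71.64.0 and its mask length lies in [32, 32], i.e. only host routes inside the /20; the connected /24 and the LISP Null0 /25 routes of the FHR are not redistributed. CANDIDATES is a constructed route list that mirrors the FHR table shown earlier in this section, shifted into the slide's 171.71.64.0/20 range (an assumption).

```python
"""Cisco ip prefix-list / route-map semantics applied to the HRI route-map VMs.

Added example for this page, not Cisco code. Implements the documented
prefix-list rules: the candidate's first L bits must equal the configured
prefix A/L, and its length must fall in [ge, le]; with only 'ge' the upper
bound is 32, with only 'le' the lower bound is L, with neither the match is
exact. The lowest matching sequence decides; no match is an implicit deny.
"""
import ipaddress


def parse_prefix_list_entry(text):
    """'seq 5 permit 171.71.64.0/20 ge 32' -> dict(seq, action, prefix, ge, le)."""
    tokens = text.split()
    entry = {"seq": 0, "action": None, "prefix": None, "ge": None, "le": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "seq":
            entry["seq"] = int(tokens[i + 1])
        elif tok in ("permit", "deny"):
            entry["action"] = tok
            entry["prefix"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok in ("ge", "le"):
            entry[tok] = int(tokens[i + 1])
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 2
    base = entry["prefix"].prefixlen
    if entry["ge"] is None and entry["le"] is None:
        entry["ge"] = entry["le"] = base                      # exact length only
    elif entry["le"] is None:
        entry["le"] = entry["prefix"].max_prefixlen           # 'ge N' alone: N..32
    elif entry["ge"] is None:
        entry["ge"] = base                                    # 'le M' alone: L..M
    return entry


def entry_matches(entry, route):
    p = entry["prefix"]
    if route.prefixlen < p.prefixlen:
        return False
    if not entry["ge"] <= route.prefixlen <= entry["le"]:
        return False
    return route.supernet(new_prefix=p.prefixlen) == p       # first L bits equal


def prefix_list_permits(entries, route):
    """Lowest sequence that matches decides; implicit deny if none matches."""
    for e in sorted(entries, key=lambda e: e["seq"]):
        if entry_matches(e, route):
            return e["action"] == "permit"
    return False


VMS = [parse_prefix_list_entry("seq 5 permit 171.71.64.0/20 ge 32")]

CANDIDATES = {   # constructed; route source as 'show ip route' would show it
    "171.71.73.0/24": "direct",
    "171.71.73.0/25": "lisp, dyn-eid (Null0)",
    "171.71.73.128/25": "lisp, dyn-eid (Null0)",
    "171.71.73.34/32": "lisp, dyn-eid",
    "171.71.73.16/32": "lisp, dyn-eid",
    "171.71.80.7/32": "lisp, dyn-eid (outside the /20)",
}


def permits(cidr, plist=VMS):
    return prefix_list_permits(plist, ipaddress.ip_network(cidr))


def redistributed_routes(candidates=CANDIDATES, plist=VMS, tag=173):
    """Apply 'route-map VMs permit 10 / match ip address prefix-list VMs /
    set tag 173': the routes 'redistribute lisp' hands to OSPF, with their tag."""
    return {cidr: tag for cidr in candidates if permits(cidr, plist)}


if __name__ == "__main__":
    for cidr, src in CANDIDATES.items():
        print(f"{cidr:20} {src:35} -> {'permit' if permits(cidr) else 'deny'}")
    print(redistributed_routes())
```

The host route outside the /20 is the case the first-bits check covers: a /32 is the right length but still fails because 171.71.80.0 is not inside 171.71.64.0/20, so a mis-detected or spoofed address from another range never reaches the IGP. The tag 173 is what a downstream OSPF or BGP policy can match on to keep these injected host routes inside the DC.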
LISP DC Mobility :: Services Integration
Option #2 : Host route injection from Overlay Router
• Firewall layer forwards server traffic to each individual FHR, following its route advertisement or a static route
• When LISP detects a server presence in another DC, a more specific route is dynamically advertised by the overlay router to attract traffic from FW
 – Can be implemented by propagating LISP HRI at a remote DC
 – Can be implemented by redistributing "away host" table from LISP xTR SG
Diagram: to/from the other DC over the server overlay; the FW follows the server subnet routes from the front-end and back-end FHRs; Host Route Injection from the DCI Overlay Router
LISP DC Mobility :: Services Integration
Option #3: Design without LISP HRI – Concept
• L3 Firewalls that cannot handle host routes or participate in routing protocol
• Server-to-server traffic: star pattern (one server tier centric)
• Inter-VLAN router is a LISP device (xTR):
 – Detection for main server tier (single-hop)
 – Registration for other tiers (multi-hop)
 – Location awareness
Diagram: Typical Traffic Patterns between the web, app and db tiers, with the LISP device at the inter-VLAN router and the server overlay to/from the other DC
LISP DC Mobility :: Services Integration
Option #3: Distributed Implementation
• Virtualized Access Router
• Distribution Router (xTR)
Diagram: LISP xTR on the Edge Router or N7K VDC; standalone L3 FWs or FW contexts; SLB; single router or N7K VDC as access router for the web, app and db tiers; server overlay to/from the other DC
LISP DC Mobility :: Services Integration
Option #3: Combo Implementation
• Combined Virtualized Router
Diagram: LISP on the combined router (single router or N7K VDC); standalone L3 FWs or FW contexts; SLB; web, app and db tiers; server overlay to/from the other DC
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern before app move
• Session state is established on West blue FW
Diagram: West-DC and East-DC, each with web, app and db tiers; session state (S) on the West-DC blue FW
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern after app move
• Re-uses session state on West DC FW
• Session Survivability
Diagram (after the app tier moves to East-DC):
 – XTR detects and registers gold
 – XTR encapsulates traffic to gold over the LISP Overlay
 – blue subnet route is local and not behind FW, but... XTR SG "knows" blue is away and points to the blue firewall
 – session state (S) stays on the West-DC blue FW; web and db tiers in West-DC, app tier now in East-DC
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern before web move
• Session state is established on West blue/silver FW
Diagram: West-DC and East-DC, each with web, app and db tiers; session state (S) on the West-DC blue and silver FWs
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern after web move
• East DC silver FW has no state
• Session needs to be re-established on both West/East DC FWs
• All firewalls see bidirectional traffic
Diagram (after the web tier moves to East-DC):
 1. FHR detects silver
 2. XTR registers silver
 3. XTR encapsulates traffic to silver over the LISP Overlay
 4. No existing state!! on the East-DC silver FW
 5. New state (S1) is created on the East-DC silver FW; the existing state (S) on the West-DC FW is not reused
LISP DC Mobility :: Services Integration
Session Survivability with FW Inter DC Clustering
• Session survivability can be achieved by having the same firewall cluster extending across DCs
• Traffic is forwarded to the West-DC cluster member owning the session state (ASA 9.1.4)
• Hair-pinning is temporary for sessions established before the move. New sessions state will be created on the East-DC firewall, without hair-pinning
Diagram: LISP Branch Site (XTR) over the WAN to the West-DC and East-DC XTRs and FHRs; firewall cluster control link (CCL) over the DCI; session state (S) on the West-DC cluster member
Customer :: WorldWide Technology
Session Survivability with FW Inter DC Clustering
• RAD: Resilient Active Datacenters
• Seamless Mobility with Session Survivability:
 – Compute: Cisco UCS
 – Storage: EMC VPLEX, NetApp Metrocluster
 – Networking: Cisco OTV/LISP
 – Virtualization: VMWare, Microsoft Hyper-V
 – Security: Cisco ASA Clustering
https://www2.wwt.com/resilient-active-datacenters
LISP DC Mobility :: Services Integration
Integration with Load Balancer RHI
• West & East Load Balancers have consistent Route Health Injection policies
• When VIP host route announcement flips from West to East DC, LISP detects VIP and optimizes ingress traffic from WAN/Internet
 • Packet based (IOS)
 • Host Route based (NxOS)
• Event Sequence:
 1. All cluster resources move East (last cluster member moves)
 2. VIP host route is injected by East SLB and withdrawn by West SLB (East SLB starts, West SLB stops VIP advertisement)
 3. VIP detection occurs at East XTR (single-hop): ETR+FHR detects VIP presence
 4. ETR registration and SMR mechanism reroute client traffic from ISP PxTRs and WAN xTRs to East DC locators (LISP traffic converges)
Diagram: Internet (ISP-1 and ISP-2 PxTRs) and Private WAN (XTR) toward West-DC and East-DC, each with web and backend tiers behind an SLB doing Host Route Injection
LISP DC Mobility :: Services Integration
Integration with Load Balancer RHI: NxOS Configuration
NxOS
ip lisp itr-etr
![..]
lisp dynamic-eid VIP
 database-mapping 172.71.73.0/28 10.11.1.1 priority 1 weight 50
 register-route-notifications
! [..]
Diagram: Internet (ISP-1 and ISP-2 PxTRs) and Private WAN (XTR) toward West-DC and East-DC, each with web and backend tiers behind an SLB; Host Route Injection from the SLB into the West-DC xTR
LISP Data Center/Host Mobility
WAN Integration
LISP DC Mobility :: WAN Integration
Option #1: LISP Control Plane
• Virtualized First Hop Router as gateway for each Server Zone, Firewall as inter-zone router
• LISP Components:
 – FHRs: mobility detection and intra/inter-DC signaling to peers
 – MSMRs: single-point aggregated mobility database, accept server registration, signaling to FHRs
• East-DC (DR DC) FHRs dynamically inject host routes learned thru LISP into IGP, which propagates to:
 – Local FW
 – Remote FW, thru IGP peering over dedicated extended VLAN (L2 overlay)
 – WAN Routers
Diagram: Non-LISP Client Site over the Private WAN; West-DC and East-DC with FHRs and MSMRs running OSPF/EIGRP with Host Route Injection (HRI); move event of host 10.0.1.67 to East-DC. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #1: traffic patterns
• East-to-West (server to server)
 – East DC FW
  • Aggregate server route pointing to "DCI Overlay router"
  • More specific routes announced from local FHRs
 – West DC FW
  • Each subnet route coming from individual FHR
  • More specific routes announced from "DCI Overlay router"
• North-to-South (client to server)
 – West DC WAN Routers
  • Announce aggregate front-end subnet to WAN
 – East DC WAN Routers
  • Inject more specific routes for front-end servers in East DC
  • Best Convergence when IGP running between remote sites and DCs (VPLS, DMVPN, ...)
Diagram routing tables: East DC FW: 10.0.1.0/24 next-hop=MSMR (static), 10.0.1.67/32 next-hop=FHRs (OSPF); West DC FW: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 next-hop=FHRs (static), 10.0.1.67/32 next-hop=MSMR (LISP -> OSPF); WAN routers: 10.0.0.0/16 and 10.0.1.67/32 (next-hop=FW) toward the East-DC hosts; West-DC and East-DC connected by an L2 Overlay (OTV, ...); move event of 10.0.1.67 to East-DC. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #2: DCI with LISP Overlay
• Benefits of LISP Overlay between DCs:
 – Virtualization
 – Efficient, underlay independent, multi-homing between DCs
• The DCI Overlay Router is the xTR
 – Advertises aggregate server subnets to southbound FW
 – Registers client subnets as "attached" static LISP EIDs (database mapping)
• Host Route Injection for LISP discovered servers from FHRs into IGP
• East-DC can optionally propagate HRI into WAN for ingress traffic optimization
Diagram: Non-LISP Client Site over the Private WAN; West-DC and East-DC xTR/MSMRs and FHRs running OSPF/EIGRP with Host Route Injection; move event of 10.0.1.67 to East-DC. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #2: traffic patterns
• East-to-West (server to server)
 – East & West DC FW
  • Aggregate server route pointing to "DCI Overlay router" (xTR)
  • More specific routes announced from local FHRs
• North-to-South (client to server)
 – Option A:
  • East & West DC WAN Routers announce aggregate front-end subnet to WAN
  • If traffic comes to the "wrong" DC it gets LISP encapsulated and forwarded to the "right" DC
  • Partial Hairpinning
 – Option B:
  • Inject more specific routes for front-end servers in East DC
Diagram routing tables: East DC FW: 10.0.1.0/24 next-hop=xTR (static), 10.0.1.67/32 next-hop=FHRs (LISP -> OSPF); West DC FW: 10.0.1.0/24 next-hop=xTR (static), 10.0.2.11/32 and 10.0.3.81/32 next-hop=FHRs (LISP -> OSPF); WAN routers: 10.0.0.0/16 and 10.0.1.67/32 (next-hop=FW); West-DC hosts 10.0.2.11 and 10.0.3.81, East-DC host 10.0.1.67 (move event); LISP Overlay between the xTR/MSMRs. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #3: LISP Overlay across WAN
• Extending Benefits of LISP Overlay to the whole WAN:
 – Virtualization
 – Efficient, underlay independent, multi-homing between remote sites and DC
 – Optimal DC Ingress Routing – no Host Route Injection necessary
• A subset of remote branches act as PxTR, advertising the server front-end subnet and attracting traffic from closer non LISP client sites
• Host Route Injection for LISP discovered servers from FHRs into IGP
• Optional HRI stopped at DC FW layer
Diagram: Non-LISP Client Sites and a LISP Regional Site (PxTR) over the Private WAN; West-DC and East-DC xTR/MSMRs and FHRs running OSPF/EIGRP with Host Route Injection. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #3: traffic patterns
• East-to-West (server to server) as in #2
 – East & West DC FW
  • Aggregate server route pointing to "DCI Overlay router" (xTR)
  • More specific routes announced from local FHRs
Diagram routing tables: West DC FW: 10.0.0.0/16 next-hop=xTR (static), 10.0.2.11/32 and 10.0.3.81/32 next-hop=FHRs (LISP -> OSPF); East DC FW: 10.0.0.0/16 next-hop=xTR (static), 10.0.1.67/32 next-hop=FHRs (LISP -> OSPF); West-DC hosts 10.0.2.11 and 10.0.3.81, East-DC host 10.0.1.67 (move event); Non-LISP Client Sites and LISP Regional Site (PxTR) over the Private WAN. Legend: RLOC, EID, LISP Encap/Decap, Host Detection, LISP Device
LISP DC Mobility :: WAN Integration
Option #3: traffic patterns
• East-to-West (server to server) as in #2
  – Host Detection at East & West DC FW
  – Aggregate server route pointing to “DCI Overlay router” (xTR)
  – More specific routes announced from local FHRs
• North-to-South (client to server)
  – Regional LISP sites (PxTR) announce aggregate front-end subnet to WAN
  – After server moves and it is detected/registered by East DC ETRs, West DC ETRs signal the move to active PxTR with an SMR
  – PxTR processes SMR and updates its map cache: traffic gets steered to East DC
[Figure: same topology as the previous slide. The Non-LISP Client Site reaches the DC hosts through the Regional Site PxTR, whose RIB carries the DC server route as a static/BGP entry (tag=330, 10.0.1.0/24). After the Move Event, host 10.0.1.67 is in East-DC.]
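The north-to-south sequence above, replayed end to end as an added example (this is not Cisco or LISP-implementation code): a toy Map-Server, the West-DC and East-DC ETRs and a regional PxTR map-cache exchange the messages the slide names (Map-Register after host detection, SMR from the old site, Map-Request/Map-Reply to re-resolve). The EIDs follow the slide; the RLOCs, the MapServer/ETR/PxTR class names and the single-locator registrations are assumptions. The check a practitioner cares about is in on_smr: as RFC 6830 specifies, the SMR is only a trigger for a fresh Map-Request through the mapping system, so a forged SMR cannot redirect traffic on its own.

```python
from ipaddress import IPv4Network

WEST_RLOC = "192.0.2.1"      # assumed RLOC of the West-DC xTR
EAST_RLOC = "198.51.100.1"   # assumed RLOC of the East-DC xTR


class MapServer:
    """Map-Server: EID-prefix -> locator-set registrations from the DC ETRs."""

    def __init__(self):
        self.db = {}

    def map_register(self, prefix, rlocs):
        self.db[IPv4Network(prefix)] = list(rlocs)

    def map_request(self, eid):
        """Map-Reply for the longest registered prefix covering the EID."""
        host = IPv4Network(eid)
        covering = [n for n in self.db if host.subnet_of(n)]
        if not covering:
            return None
        best = max(covering, key=lambda n: n.prefixlen)
        return best, self.db[best]


class ETR:
    """DC xTR: host detection triggers a Map-Register; a move triggers an SMR."""

    def __init__(self, rloc, ms):
        self.rloc, self.ms = rloc, ms

    def register(self, prefix):
        self.ms.map_register(prefix, [(self.rloc, 1, 100)])   # priority 1, weight 100

    def signal_move(self, eid, pxtr):
        """Old site: the host left, tell the PxTR to refresh its mapping."""
        pxtr.on_smr(eid, source_rloc=self.rloc)


class PxTR:
    """Regional-site PxTR: attracts client traffic and encapsulates it to the DC."""

    def __init__(self, ms):
        self.ms, self.map_cache, self.smr_log = ms, {}, []

    def lookup(self, dst):
        """Longest-prefix match in the map-cache; Map-Request on a miss."""
        host = IPv4Network(dst)
        hits = [n for n in self.map_cache if host.subnet_of(n)]
        if not hits:
            reply = self.ms.map_request(dst)
            if reply is None:
                return None                      # no mapping: drop / forward natively
            self.map_cache[reply[0]] = reply[1]
            hits = [reply[0]]
        best = max(hits, key=lambda n: n.prefixlen)
        return self.map_cache[best][0][0]        # RLOC of the first locator

    def on_smr(self, eid, source_rloc):
        """Solicit-Map-Request handling (RFC 6830): the SMR is only a trigger.
        The cache is refreshed through the mapping system, never from the SMR's
        own content, so a spoofed SMR cannot redirect traffic by itself."""
        self.smr_log.append((eid, source_rloc))  # logged, not trusted
        host = IPv4Network(eid)
        if not any(host.subnet_of(n) for n in self.map_cache):
            return False                         # EID not in cache: ignore
        reply = self.ms.map_request(eid)
        if reply is not None:
            self.map_cache[reply[0]] = reply[1]  # installs the /32 beside the /24
        return True


def server_move_scenario():
    """Replays the slide's sequence; returns the RLOC the PxTR picks at each step."""
    ms = MapServer()
    west, east, pxtr = ETR(WEST_RLOC, ms), ETR(EAST_RLOC, ms), PxTR(ms)
    west.register("10.0.1.0/24")                 # West-DC front-end subnet
    steps = {"before_move": pxtr.lookup("10.0.1.67")}
    pxtr.on_smr("10.0.1.67", source_rloc="203.0.113.99")  # forged SMR, no registration behind it
    steps["after_forged_smr"] = pxtr.lookup("10.0.1.67")
    east.register("10.0.1.67/32")                # East-DC FHR detected the moved host
    west.signal_move("10.0.1.67", pxtr)          # West-DC ETR sends the SMR
    steps["after_move"] = pxtr.lookup("10.0.1.67")
    steps["other_host"] = pxtr.lookup("10.0.1.10")   # still in West-DC via the /24
    return steps


if __name__ == "__main__":
    print(server_move_scenario())
```

Run it and the dictionary shows the steering flip: 10.0.1.67 resolves to the West RLOC until the East-DC registration exists, the forged SMR changes nothing, and after the genuine move only the /32 moves while the rest of 10.0.1.0/24 keeps going to West-DC.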
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar
Other LISP Topics and Status
TECRST-3191
Darrel Lewis, LISP Technical Leader
[email protected]
LISP Mobile Node
• LISP Mobile Node Concepts
   Global IP Mobility…
    ‒ LISP-MN is a global IP mobility solution
      Allows a LISP-MN device to maintain the same identity while roaming to any network
      Works over any interface/medium and supports multi-homing
    ‒ The LISP-MN device can change location
      Move to a different network or use different interfaces
      Without disrupting the TCP connection established with the correspondent node
      Applications bind to the identity of the mobile node
      The network routes the packet to the location of the mobile node
    ‒ The LISP-MN device is, to all effects, a LISP site. LISP-MN functions are:
      Implemented in the network stack of the mobile device
      Totally transparent to the applications
LISP Mobile Node
• A LISP-MN Phone is a LISP Site!
[Figure: a phone with a wifi interface (172.16.0.1) and a 3G interface (10.0.0.1); “This device is a LISP xTR!”; EID-prefix: 2610:00D0:110E::1/128; Map-Server: 10.1.1.1]
• What can a LISP-MN Device do?
  • Two MNs can roam and stay connected
  • MNs can be servers
  • MNs roam without changing DNS entries
  • MNs can use multiple interfaces
  • MNs can control ingress packet policy
  • Faster hand-offs
  • Low battery use by MS proxy-replying
  • And most importantly, packets have stretch of “1”, giving the best result for latency/delay sensitive applications
  • LISP-MN can scale to 1 billion hand-sets!
LISP Mobile Node
Session Continuity While Roaming!
• LISP-MN Mobility: Any Network, Anytime, Anywhere…
[Figure: the LISP MN (EID 192.168.3.3/32) is attached via 4G Carrier 1 (10.2.0.0/16) with RLOC 10.2.0.2; 3G Carrier 2 (172.16.0.0/16) and SP WiFi (172.17.0.0/16) are alternative attachments. LISP Site 1 (PI EID-prefix 192.168.1.0/24, host S) sits behind xTR1/xTR2 (ITR and ETR roles), multihomed to Provider A (10.0.0.0/16) and Provider B (10.1.0.0/16). The Mapping System is the MS/MR pair.
Map-Cache Entry at the site ITR:
  EID-prefix: 192.168.3.3/32
  Locator-set: 10.2.0.2, priority: 1, weight: 100]
LISP Mobile Node
Session Continuity While Roaming!
• LISP-MN Mobility: Any Network, Anytime, Anywhere…
[Figure: the same topology after the LISP MN (EID 192.168.3.3/32) also attaches to SP WiFi (172.17.0.0/16) as 172.17.0.2. Message sequence: (1) the MN sends a LISP Map-Register (UDP 4342, authenticated with SHA-2) to the MS for 192.168.3.3/32, now listing locators 172.17.0.2 and 10.2.0.2; (2) an SMR is sent to the site ITR; (3) the ITR issues a Map-Request through the MR and receives a Map-Reply.
Updated Map-Cache Entry at the site ITR:
  EID-prefix: 192.168.3.3/32
  Locator-set: 172.17.0.2, priority: 1, weight: 100
               10.2.0.2, priority: 1, weight: 100]
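The Map-Register the mobile node sends in step (1) is what the Map-Server trusts to move 192.168.3.3/32 to a new locator, so its authentication is the security-relevant part of the roaming exchange. The following is an added example, not LISPmob or Cisco code: the header layout follows RFC 6833 (Type 3, 64-bit nonce, Key ID, Authentication Data Length, Authentication Data, then records) and Key ID 2 is HMAC-SHA-256-128 computed over the whole message with the Authentication Data field zeroed; the record body, the shared key and the helper names are simplified assumptions rather than the RFC's full record format.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

MAP_REGISTER_TYPE = 3
KEY_ID_HMAC_SHA256_128 = 2       # RFC 6833 Key ID 2: HMAC-SHA-256 truncated to 128 bits
AUTH_LEN = 16                    # 128 bits
HDR_LEN = 16                     # type/flags/count (4) + nonce (8) + key id (2) + auth len (2)


def _header(nonce: bytes, record_count: int, auth: bytes) -> bytes:
    first_word = (MAP_REGISTER_TYPE << 28) | record_count   # P, reserved and M bits left 0
    return (struct.pack("!I", first_word) + nonce
            + struct.pack("!HH", KEY_ID_HMAC_SHA256_128, len(auth)) + auth)


def _encode_record(eid_prefix: str, rlocs) -> bytes:
    """Assumed minimal IPv4 record: TTL, prefix length, locator count, EID, then
    (priority, weight, RLOC) per locator. Not the full RFC 6833 record layout."""
    net = ipaddress.IPv4Network(eid_prefix)
    body = struct.pack("!IBB", 1440, net.prefixlen, len(rlocs)) + net.network_address.packed
    for rloc, priority, weight in rlocs:
        body += struct.pack("!BB", priority, weight) + ipaddress.IPv4Address(rloc).packed
    return body


def build_map_register(key: bytes, eid_prefix: str, rlocs, nonce: bytes = None) -> bytes:
    """Mobile-node side: the MAC covers the message with the auth field zeroed."""
    if nonce is None:
        nonce = os.urandom(8)
    record = _encode_record(eid_prefix, rlocs)
    unsigned = _header(nonce, 1, bytes(AUTH_LEN)) + record
    auth = hmac.new(key, unsigned, hashlib.sha256).digest()[:AUTH_LEN]
    return _header(nonce, 1, auth) + record


def verify_map_register(key: bytes, msg: bytes) -> bool:
    """Map-Server side: recompute the MAC over the message with the auth field zeroed."""
    if len(msg) < HDR_LEN or msg[0] >> 4 != MAP_REGISTER_TYPE:
        return False
    key_id, auth_len = struct.unpack("!HH", msg[12:16])
    if key_id != KEY_ID_HMAC_SHA256_128 or auth_len != AUTH_LEN or len(msg) < HDR_LEN + auth_len:
        return False
    presented = msg[HDR_LEN:HDR_LEN + auth_len]
    zeroed = msg[:HDR_LEN] + bytes(auth_len) + msg[HDR_LEN + auth_len:]
    expected = hmac.new(key, zeroed, hashlib.sha256).digest()[:auth_len]
    return hmac.compare_digest(presented, expected)      # constant-time comparison


def parse_map_register(msg: bytes):
    """Decode the single assumed record; only call this after verify_map_register()."""
    body = msg[HDR_LEN + AUTH_LEN:]
    _ttl, plen, count = struct.unpack("!IBB", body[:6])
    eid = f"{ipaddress.IPv4Address(body[6:10])}/{plen}"
    rlocs, pos = [], 10
    for _ in range(count):
        priority, weight = struct.unpack("!BB", body[pos:pos + 2])
        rlocs.append((str(ipaddress.IPv4Address(body[pos + 2:pos + 6])), priority, weight))
        pos += 6
    return eid, rlocs


def demo():
    """The slide's roaming step: the MN registers 192.168.3.3/32 with both locators."""
    key = b"shared-ms-key"                                   # assumed MN/MS shared key
    locators = [("172.17.0.2", 1, 100), ("10.2.0.2", 1, 100)]
    msg = build_map_register(key, "192.168.3.3/32", locators)
    forged = msg[:-4] + ipaddress.IPv4Address("203.0.113.9").packed   # attacker rewrites the last RLOC
    return {
        "genuine": verify_map_register(key, msg),
        "forged_rloc": verify_map_register(key, forged),
        "wrong_key": verify_map_register(b"other-key", msg),
        "decoded": parse_map_register(msg),
    }


if __name__ == "__main__":
    print(demo())
```

The Map-Server must verify before it parses: a registration whose locator bytes were rewritten in transit, or one built with a different site key, fails the MAC check and never reaches the database. In production the nonce is random per message and the key is the per-site authentication key configured on both the MN and the MS.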
Home Automation Demo
• Arduino Yun – Smallest LISP Mobile Node
[Figure: the Yun LISP Site (RLOC 173.36.254.184, PI EID-prefix 2610:D0:218B::/48; EIDs 2610:00d0:218b::1, ::11, ::300 and ::301) reaches the Internet through SP-A and SP-B, with NAT-T via an RTR and a private-side address 192.168.1.128. The LISP Mapping System is the Cisco MR/MS pair intouch-ams-mr-ms-1 and intouch-ams-mr-ms-2; a PxTR at 158.38.1.92 serves non-LISP clients.]
Customer Example :: Partner Case Study
• Mobility E911 Services
• Communication and information solutions for public safety, transport, maritime and air traffic management verticals
• LISP overlay for provider-independent reachability and networking
LISP Mobile Node Embedded Hardware
• Open Source LISP Software

Linksys WRT160NL
  Architecture: MIPS Atheros AP81
  CPU: 400 MHz Atheros 9130-BC1E
  Flash: 8 MB cFeon EN25P64
  RAM: 32 MB Samsung K4H561638J
  Ethernet: 100 Mbps RTL8306SD
  Wireless: Atheros 9102 802.11 b/g/n (integrated)
  Serial / JTAG: Yes / Yes
  USB: Yes, 1x 2.0

Netgear WNDR3700 v2
  Architecture: MIPS Atheros AR7161
  CPU: 680 MHz Atheros 9130-BC1E
  Flash: 16 MB Macronix MX25L12845EWI-10G
  RAM: 64 MB 2 x Nanya NT5DS16M16CS-5T
  Ethernet: 1 Gbps RTL8366SR
  Wireless: Atheros AR9223 802.11b/g/n + Atheros AR9220 802.11a/n
  Serial / JTAG: Yes / Yes
  USB: Yes, 1x 2.0
LISP Mobile Node
• LISP-MN Mobility:
 Website: http://lispmob.org/
 GIThub: https://github.com/LISPmob/
 Mailing lists:
• [email protected][email protected][email protected]
 IRC: #lispmob channel on Freenode
 Twitter: https://twitter.com/LISPmob
4G LTE
• Business Drivers
  Businesses are looking for ways to reduce costs, increase revenue, and improve business continuity.
  • 4G LTE wireless connectivity is 10 to 15 times faster and has 5 times lower latency than 3G
  • 4G LTE allows a small enterprise branch office or remote office to set up comprehensive services in a matter of hours, without worrying about availability of broadband services and the need for laying down the lines
  • Wireless carriers offer flexible, usage-based data plans that can be catered to meet the needs and price points of the business customer
  • As WAN backup alternatives, 3G and 4G LTE wireless offer greater WAN diversity and resiliency because they are independent of the local terrestrial infrastructure
  • The Cisco 819 enables businesses to stay productive during service provider downtime or a network failure.
Platforms
• Cisco 819 Series
  The Cisco 819 Series Integrated Services Router
  • The Cisco 819 Series Integrated Services Router includes support for 4G LTE wireless WAN (WWAN) speeds
  • The hardened Cisco 819HG extends the ISR M2M Gateway footprint and provides deployment flexibility
  • The Cisco 819HG is an ideal solution for stationary and mobile environments where space, heat dissipation, exposure to extreme temperatures, harsher environments, and low power consumption are critical factors
  [Photos: Nonhardened Cisco 819 Integrated Services Router; Hardened Cisco 819 Integrated Services Router]
LISP Mobility
• Customer Example :: Cisco Live US 2013 Transportation System
  35 Buses Operational Throughout the Event
[Figure: each bus carries xTR-A and xTR-B (AT&T 4G LTE with a private IP behind NAT; Verizon 4G LTE with a public IP), onboard WiFi, IP cameras and a telemetry processor. The back end is the LISP Beta Network (RTR, PxTR, MSMR) and the CL Orlando WoS (VSM VM, VSOM VM, xTR, UCS, fleet management), reached over the IPv6 Internet and the Internet/WAN.]
New LISP Features
• LISP Local EID Database Route Import
   Enables dynamic creation of local EID database entries, with locators, priorities, and weights, by direct redistribution from the RIB
  – Configured on ETRs, database “route-import” includes:
    • Options for import from connected, static, IGP and BGP RIB entries
    • Options for use of route-map for filtering, and “maximum-prefix” values
[Figure: an xTR pair between the OSPF-attached USERS/SERVERS subnets 10.0.1.0/24 and 10.50.1.0/24 and the MS/MR pair; the imported prefixes are sent to the MS/MR in a Map-Register.]
  Configuration on the xTR:
    router ospf 1
     network 10.0.1.0 0.0.0.255 area 0
     network 10.50.1.0 0.0.0.255 area 0
    !
    router lisp
     locator-set RED
      ipv4-interface gig0/0 priority 1 weight 50
      auto-discover-rlocs
     exit
     eid-table default instance-id 0
      ipv4 route-import database ospf 1 locator-set RED
     exit
    !
New LISP Features
• LISP Local Map-Cache Route Import
   Enables dynamic creation of local EID map-cache entries with action “send-map-request” (for use by a PITR), by direct redistribution from the RIB
  – Configured on PITRs (typically), map-cache route import now includes:
    • Options for import from connected, static, IGP and BGP RIB entries
    • Options for use of route-map for filtering, and “maximum-prefix” values
  – Typically used in concert with a Map-Server that is “exporting” registered EID prefixes into the RIB (see “route-export”)
  Configuration on the MS/MR (exporting registrations to the RIB):
    !
    router lisp
     eid-table default instance-id 0
      ipv4 route-export site-registration
      ---<etc.>---
    !
  Configuration on the PxTR (importing the eBGP-learned prefixes into the map-cache):
    !
    router lisp
     eid-table default instance-id 0
      ipv4 route-import map-cache bgp 65001 route-map ABC
      ---<etc.>---
    !
[Figure: MSMR and PxTR peer over eBGP at the boundary between the IPv4 Internet (example; non-LISP sites behind CE routers) and the LISP sites (xTRs).]
New LISP Features
• LISP Map-Server Route Export From Site Registration
   Enables a Map-Server to export registered EID prefixes into the RIB
  – The EID prefixes from “registered” LISP sites are automatically exported to the RIB as LISP (“l”) routes
    • Once in the RIB, these EID prefixes can be redistributed into other routing protocols for desired use
    • It is possible to manipulate the administrative distance of the routes inserted by LISP
  – Typically used in concert with a PITR that is “importing” registered EID prefixes in order to:
    a. Automatically populate its map-cache, and
    b. Automatically learn prefixes to 'advertise’ into non-LISP space to 'attract traffic’ to the PITR
  Configuration on the MS/MR:
    !
    router lisp
     eid-table default instance-id 0
      ipv4 route-export site-registration
      ---<etc.>---
    !
  Configuration on the PxTR:
    !
    router lisp
     eid-table default instance-id 0
      ipv4 route-import map-cache bgp 65001 route-map ABC
      ---<etc.>---
    !
[Figure: the same MSMR/PxTR eBGP topology as the previous slide, between the IPv4 Internet (example; non-LISP sites behind CE routers) and the LISP sites (xTRs).]
New LISP Features
• LISP Integrated MS/PITR Map Cache Population From Site Registration
   Enables the dynamic creation of local EID map-cache entries with action “send-map-request” (for use by the PITR function) by direct installation from the Map-Server function
  – Configured on a “combination” Map-Server/PITR
  – When LISP sites register, their EID prefixes automatically get installed as “map-cache send-map-request” entries on the PITR
  • Note: If the PITR requires knowledge of registered EID prefixes in its RIB for automating ’EID advertisement’ into non-LISP space to 'attract traffic,’ use of the “[ipv4 | ipv6] route-export site-registration” command is still required
  Configuration on the combined MSMR/PxTR:
    !
    router lisp
     eid-table default instance-id 0
      ipv4 map-cache site-registration
      ---<etc.>---
    !
[Figure: a single MSMR/PxTR device between the IPv4 Internet (example; non-LISP sites behind CE routers) and the LISP sites (xTRs).]
LISP Status
IETF LISP WG: http://tools.ietf.org/wg/lisp/
• LISP RFCs and notable drafts…
  RFCs:
  – RFC 6830: Locator/ID Separation Protocol (LISP) base document
  – RFC 6831: LISP Multicast
  – RFC 6832: LISP Interworking
  – RFC 6833: LISP Map Server
  – RFC 6834: LISP Map Versioning
  – RFC 6835: LISP Internet Groper
  – RFC 6836: LISP+ALT
  – RFC 7052: LISP MIB
  – RFC 7215: LISP Network Element Deployment Considerations
  Drafts (target status):
  – LISP Canonical Address Format (draft-ietf-lisp-lcaf-04): Active Working Group Document
  – LISP Deployment (draft-ietf-lisp-deployment-11): Active Working Group Document
  – LISP SEC (draft-ietf-lisp-sec-05): Active Working Group Document
  – LISP DDT (draft-fuller-lisp-ddt-01): Active Working Group Document
  – LISP Introduction (draft-ietf-lisp-introduction-03): Active Working Group Document
  – LISP Mobile Node (draft-meyer-lisp-mn-10): Related Working Group Document
  – LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05): Related Working Group Document
  – LISP GPE (draft-lewis-lisp-gpe): Related Working Group Document
  – LISP Deployment (draft-ietf-lisp-deployment-12): RFC-Editor’s Queue
  – LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04): Related Internet Draft
  – LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00): Related Internet Draft
LISP Status
• LISP Beta Network – international deployments
   LISP Community Operated:
    – More than 5 years of operation…
    – Roughly 600 sites in 40 countries…
   Interoperable LISP implementations:
    – Cisco
      • IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
      • Cisco IOS-XR (CRS3, ASR9K)
      • Cisco NX-OS (N7K)
    – AVM “FRITZ!Box”
    – OpenWrt
    – Open Source
      • FreeBSD: OpenLISP
      • Linux: Aless, LISPmob, OpenWrt
      • Android
    – Plus some others… ;-)
  Sites: http://www.lisp4.net, http://www.lisp.intouch.eu/, http://vinciconsulting.com/vxnet, http://lisp.isarnet.net/ and more…
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Features :: By Operating System
[Table: feature availability per operating system. Columns: IOS, IOS-XE, NX-OS, IOS-XR, Cat 6K. Rows: Roles (ITR/ETR, PITR/PETR, MS/MR, RTR); AF Support (EID v4/v6, RLOC v4/v6); Virtualization (Shared/Parallel); Mobility (ESM/ASM, Multi-Hop); Multicast; NAT-Traversal. Cells are check marks, “roadmap” or “testing”; annotated cells include “v4 only”, “shared”, “5.3.0” (NX-OS), “ASR9k” (IOS-XR) and “ASM 15.2(1)SY” (Cat 6K).]
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Releases :: IOS Platforms
  Hardware: ISRG1 (1800 Series, 2800 Series, 3800 Series)
    Software: Engineering Build 15.3(3)XB12
    Notes/Caveats: ISRs are EOS/EOL (Cisco support rules apply).
  Hardware: ISRG2 (800 Series, 1900 Series, 2900 Series, 3900 Series)
    Software: Mainline Build 15.4(2)T; Engineering Build 15.3(3)XB12
    Notes/Caveats: LISP features require “datak9” or “securityk9” license
      http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Releases :: IOS-XE Platforms
  Hardware: ASR1K (1001 Series, 1002 Series, 1004 Series, 1006 Series, 1013 Series); 4451-X
    Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
    Notes/Caveats: LISP features require “Advanced IP Services” or “Advanced Enterprise Services” license
      http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/product_bulletin_c25-448387.html
      http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/csa/configuration/xe3s/asr903/csa-xe-3s-asr-903-book/csa-cfg-sw-activation.html
  Hardware: CSR1KV (Cisco CSR1KV, Amazon Web Services)
    Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
    Notes/Caveats: LISP features require “Premium” license
      http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg/csroverview.html
      http://www.cisco.com/c/dam/en/us/products/collateral/routers/cloud-services-router-1000v-series/sales-tool-c96-730727.pdf
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Releases :: NX-OS Platforms
  Hardware: Nexus 7000
    Software: Mainline Build 6.2(8)
      http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/data_sheet_c78-437306.html
  Hardware: Nexus 7700
    Software: Mainline Build 6.2(8)
      http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/epld/epld_rn_60.html#wp152570
  Notes/Caveats:
    • The Transport Services license must be installed to enable LISP
    • LISP requires the EPLD updated so that FE Bridge is at version 186.008 (see the EPLD release note link above)
    • Requires M1-32 LC modules. F1 modules and the F2e LC module can be used for LISP using proxy forwarding to an installed M1-32 LC module.
    • Beginning with NX-OS 7.1.0, F3 modules will also support LISP
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Releases :: IOS-XR Platforms
  Hardware: ASR 9000
    Software: Mainline Build 5.2.0
    Notes/Caveats: LISP features available in base image; requires Typhoon line cards:
      http://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116726-qanda-product-00.html
  Hardware: CRS 3
    Software: Mainline Build 5.2.0
    Notes/Caveats: Supports basic LISP xTR and PxTR functionality only
Cisco Releases (http://lisp.cisco.com)
LISP Status
• LISP Software – Available Releases :: CATOS Platforms
  Hardware: Catalyst 6500
    Software: Mainline Build 15.1.2-SY2
    Notes/Caveats:
      • Requires Sup2T supervisor engine and WS-X6904-40GE or WS-X6908-10G line cards
      • Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR
  Hardware: Catalyst 6800
    Software: Mainline Build 15.1.2-SY2
    Notes/Caveats:
      • 6880-X (semi-fixed chassis) - supported on all ports at FCS: 15.1(2)SY1 for the baseboard and 15.1(2)SY2 for the port cards
      • 6807-XL (modular chassis) - supported with Sup2T and 6900 series line cards (6908 and 6904) at FCS: 15.1(2)SY1 (not supported natively on Sup2T, need 6900 modules for encap/decap)
      • Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR
LISP Summary
LISP References
• LISP Sessions at Cisco Live US 2014…
  Sunday, 18 May
  – TECRST-3191 - Advanced - LISP Technical Seminar, 8:00 AM - 5:00 PM
  – LTRRST-2014 - Routing for Host/VM-Mobility Using LISP, 8:00 AM - 12:00 PM
  – TECCRS-2003 - Advanced WAN Design Topics, 8:00 AM - 5:00 PM
  – TECDCT-2181 - Deployment Considerations for Interconnecting Distributed Virtual Data Centers, 8:00 AM - 5:00 PM
  – TECDCT-2432 - Virtualized Multi-service Data Center (VMDC) Architectures & Orchestration for Cloud, 8:00 AM - 5:00 PM
  – TECDCT-3297 - Operating and Deploying NX-OS Nexus Devices in the Network Infrastructure, 1:00 PM - 5:00 PM
  Tuesday, 20 May
  – LTRRST-2014 - Routing for Host/VM-Mobility Using LISP, 8:00 AM - 12:00 PM
  – BRKDCT-2131 - Mobility and Virtualization in the Data Center with LISP and OTV, 8:00 AM - 9:30 AM
  – BRKDCT-2335 - Design consideration for security services spanned across Data Center Interconnect, 8:00 AM - 9:30 AM
  – BRKRST-3045 - Advanced - LISP - A Next Generation Networking Architecture, 12:30 PM - 2:30 PM
  – BRKSEC-2054 - Group Encryption Transport (GET) Your VPNs Secured, 12:30 PM - 2:30 PM
  – BRKDCT-2337 - Virtual Services for Scalable Multi-tenant Cloud Architectures, 12:30 PM - 2:30 PM
  – BRKDCT-3060 - Deployment Challenges with Interconnecting Data Centres, 3:00 PM - 5:00 PM
LISP References
• LISP Sessions at Cisco Live US 2014…
  Wednesday, 21 May
  – BRKDCT-3434 - Enabling a Secure Hybrid Cloud Extension with CSR 1000V and LISP, 8:00 AM - 9:30 AM
  – BRKRST-2044 - Enterprise Multi-Homed Internet Edge Architectures, 8:00 AM - 9:30 AM
  – BRKRST-3047 - Troubleshooting LISP, 1:30 PM - 3:30 PM
  – CCSDCT-1100 - Simplifying Data-Center migration using LISP, from 42 years to 2 years, 3:00 PM - 4:00 PM
  – BRKDCT-2328 - Evolution of Network Overlays in Data Center Clouds, 4:00 PM - 5:30 PM
  Thursday, 22 May
  – BRKDCT-3237 - Versatile architecture using Nexus 7000 with a mix of F and M modules to deliver FEX, FabricPath, Multihop FCoE, MPLS and LISP all at the same time, 12:30 PM - 2:00 PM
  – BRKARC-2023 - Building Hybrid Clouds with the CSR 1000v, 12:30 PM - 2:00 PM
  – BRKRST-2045 - Advancements in L3 VPN over IP in the WAN, 2:30 PM - 2:00 PM
LISP References
• LISP Information
   LISP Mailing Lists
    – Cisco LISP Questions: [email protected]
    – IETF LISP Working Group: [email protected]
    – LISP Interest (public): [email protected]
    – LISPmob Questions: [email protected]
   LISP Information
    – Cisco LISP Site: http://lisp.cisco.com (IPv4 and IPv6)
    – Cisco LISP Marketing Site: http://www.cisco.com/go/lisp/
    – LISP Beta Network Site: http://www.lisp4.net or http://www.lisp6.net
    – LISP DDT Root: http://www.ddt-root.org
    – IETF LISP Working Group: http://tools.ietf.org/wg/lisp/
LISP Summary
• Part of the LISP Solution Space
  1. Multihoming
  2. IPv6 Transition
  3. Virtualization/VPN
  4. Mobility
[Figure: an IPv4 Network and an IPv6 Network, each behind an xTR, interconnected across an IPv4 Core (v4) and an IPv6 Core (v6).]
LISP is an Architecture…
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
  – Your favorite speaker’s Twitter handle
  – Two hashtags: #CLUS #MyFavoriteSpeaker
• Submit an entry for one or more of your “favorite” speakers!
• Please follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
LISP and QoS
• QoS Handling Support :: CoS default (copy)
[Figure: packet walk from Cust A 172.16.4.0/24 (host 172.16.4.9) through the encapsulating xTR (ingress features → lookup → LISP0 egress features → ENCAP), an MPLS PE-ASBR, and the decapsulating PxTR (DECAP → LISP0 ingress features → lookup → egress features) to Cust A 172.16.1.0/24 (host 172.16.1.9).]
  • Inner header has customer DSCP markings: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
  1. ENCAP default action: copy EID header DSCP bits to RLOC header. Outer header: dscp: 18, src: 10.1.1.1, dst: 10.9.9.9, followed by UDP, the LISP header and the unchanged inner packet
  2. PE-ASBR default action: copy DSCP bits to MPLS EXP
  3. DECAP at the PxTR: outer header removed
  • Inner header retains original DSCP marking (dscp: 18) through LISP0 ingress features, lookup and egress features
LISP and QoS
• QoS Handling Support :: CoS rewrite
  Class table applied by the egress interface “service policy”:
    Class Name   Tier 1 DSCP Values   Partner DSCP Values
    COS1         30,31                40
    COS2         18,20                30
    etc.
[Figure: the same packet walk as the previous slide (Cust A 172.16.4.9 → 172.16.1.9 via the encapsulating xTR, an MPLS PE-ASBR and the decapsulating PxTR).]
  • Inner header has customer DSCP markings: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
  1. ENCAP default action: copy EID header DSCP bits to RLOC header (outer dscp: 18, src: 10.1.1.1, dst: 10.9.9.9)
  2. Egress Interface “service policy” RECOLORS RLOC HEADER according to EID header marking: outer header dscp: 18 → dscp: 30 (class COS2); inner header untouched
  3. PE-ASBR default action: copy DSCP bits to MPLS EXP
  4. DECAP at the PxTR: outer header removed
  • Inner header retains original DSCP marking (dscp: 18)
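The two QoS slides describe one mechanism with an optional policy on top: at encapsulation the ITR copies the EID (inner) header DSCP into the RLOC (outer) header, an egress service policy may recolor the outer header per class, and the inner header is never touched, so it survives decapsulation. The following added example (not IOS code) builds the packets from the slides and runs both variants through a model encap/decap path. The IPv4/UDP/LISP header construction is a minimal model (flags, nonce and instance ID in the LISP header are left zero), the class values are the ones on the CoS rewrite slide, and the customer packet is constructed; RecolorPolicy, walk and the other names are this example's own.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341            # RFC 6830 data-plane UDP port (the control plane uses 4342)
SLIDE_CLASSES = {                # class name: (Tier 1 DSCP values, Partner DSCP value)
    "COS1": ((30, 31), 40),
    "COS2": ((18, 20), 30),
}


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, dscp: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; DSCP occupies the top six bits of the TOS byte."""
    fields = [0x45, dscp << 2, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def ipv4_packet(src: str, dst: str, dscp: int, payload: bytes, proto: int = 6) -> bytes:
    return ipv4_header(src, dst, dscp, proto, len(payload)) + payload


def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2


class RecolorPolicy:
    """Egress 'service policy' that recolors the RLOC header by EID-header DSCP class."""

    def __init__(self, classes):
        self.table = {d: outer for inner_values, outer in classes.values() for d in inner_values}

    def outer_dscp(self, inner_dscp: int) -> int:
        return self.table.get(inner_dscp, inner_dscp)     # unclassified traffic: default copy


def lisp_encap(inner: bytes, src_rloc: str, dst_rloc: str, policy: RecolorPolicy = None) -> bytes:
    """ITR: outer IPv4 + UDP/4341 + 8-byte LISP header + the untouched inner packet."""
    inner_dscp = dscp_of(inner)
    outer_dscp = inner_dscp if policy is None else policy.outer_dscp(inner_dscp)
    lisp_hdr = bytes(8)                       # flags/nonce/instance-id left zero in this model
    udp_len = 8 + len(lisp_hdr) + len(inner)
    udp = struct.pack("!HHHH", 4341, LISP_DATA_PORT, udp_len, 0)   # source port is the ITR's choice
    return ipv4_header(src_rloc, dst_rloc, outer_dscp, 17, udp_len) + udp + lisp_hdr + inner


def lisp_decap(pkt: bytes) -> bytes:
    """ETR/PxTR: strip outer IP, UDP and LISP headers; the inner DSCP is whatever the ITR left."""
    ihl = (pkt[0] & 0x0F) * 4
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if pkt[9] != 17 or dport != LISP_DATA_PORT:
        raise ValueError("not a LISP data packet")
    return pkt[ihl + 8 + 8:]


def walk(policy: RecolorPolicy = None):
    """Packet walk from the slides: Cust A 172.16.4.9 -> 172.16.1.9 over RLOCs 10.1.1.1 -> 10.9.9.9."""
    inner = ipv4_packet("172.16.4.9", "172.16.1.9", 18, b"data")   # constructed customer packet
    outer = lisp_encap(inner, "10.1.1.1", "10.9.9.9", policy)
    delivered = lisp_decap(outer)
    return {"outer_dscp": dscp_of(outer), "inner_dscp": dscp_of(delivered), "intact": delivered == inner}


if __name__ == "__main__":
    print("default copy:", walk())
    print("CoS rewrite :", walk(RecolorPolicy(SLIDE_CLASSES)))
```

With no policy the outer header carries the customer's DSCP 18 into the RLOC core; with the slide's class table it carries 30, and in both cases the decapsulated packet is byte-identical to what the customer sent. The security-relevant corollary is the same one the core operator has to think about for any tunnel: the outer DSCP is attacker-controlled unless the ITR applies a recolor policy, because the default simply copies whatever the customer marked.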