Advanced - LISP Technical Seminar
TECRST-3191
Darrel Lewis, LISP Technical Leader
Gregg Schudel, LISP Technical Marketing Engineer
Marco Pessi, LISP Technical Marketing Engineer
© 2014 Cisco and/or its affiliates. All rights reserved.TECRST-3191 Cisco Public
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• Other LISP Topics, Status and Futures
• LISP Open Discussions
LISP Overview
Darrel Lewis, LISP Technical Leader
Locator/ID Split and LISP :: Routing and Addressing Architecture of the Internet Protocol
• Addresses today combine location and identity semantics in a single 32-bit or 128-bit number
• Separating Location and Identity changes this…
‒ Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
‒ Translation vs. Tunneling is a key question
• Network Layer Identifier: WHO you are in the network
‒ Long-term binding to the thing that it names; does not change often at all
• Network Layer Locator: WHERE you are in the network
‒ Think of the source and destination “addresses” used in routing and forwarding
• WHERE you are can change! WHO you are should be the same!
lisp.cisco.com
LISP Overview :: Original Motivation…
• An IP address “overloads” location and identity
‒ Today… “addressing follows topology”
‒ Efficient aggregation is only available for Provider Assigned (PA) addresses
‒ Ingress Traffic Engineering usually requires Provider Independent (PI) addresses and the injection of “more specifics” :: this limits route aggregation compactness
‒ IPv6 does not fix this
• Route scaling issues drive system costs higher
‒ Forwarding plane (FIB) requires expensive memory
‒ Route scaling “drivers” are also seen in Data Centers and for Mobility :: not just the Internet DFZ
“… routing scalability is the most important problem facing the Internet today and must be solved …”
‒ Internet Architecture Board (IAB), October 2006 Workshop (written up as RFC 4984)
LISP Overview :: Identity and Location :: an Overloaded Concept in Routing Today…
[Figure: IPv4 Internet. Enterprise Site 1 (AS 100, 64.1.0.0/16) is multihomed via eBGP to a Tier 1 SP (announcing 64.1.0.0/17 and 64.1.0.0/16) and a Commodity SP (announcing 64.1.128.0/17 and 64.1.0.0/16); Site 2 (AS 200, 12.0/8, link 12.1.1.2/30) and Site 3 (AS 300, 13.0/8, link 13.1.1.2/30) sit behind a Transit SP. DFZ Routing Table: 64.1/17, 64.1.128/17, 64.1/16, 12.0/8, 13.0/8. The 64.1/16 prefix is labelled Identity; the 12.1.1.2/30 and 13.1.1.2/30 attachment links are labelled Location.]
LISP Overview :: Identity and Location :: an Overloaded Concept in Routing Today…
[Figure: the same IPv4 Internet topology (Site 1 AS 100 64.1.0.0/16, Site 2 AS 200 12.0/8, Site 3 AS 300 13.0/8; DFZ Routing Table 64.1/17, 64.1.128/17, 64.1/16, 12.0/8, 13.0/8), now with a LISP Mapping System drawn alongside the DFZ; Identity and Location are labelled separately.]
LISP Mapping System
• Let’s put ID address and Locator address in different databases
• Let’s create a “level of indirection” between ID and LOCATION in the network!
Clear Separation at the Network Layer::
• who/what you are looking for vs. …
• how to best get there
Two Approaches::
• Translations (e.g. NAT) vs. …
• Tunnels (e.g. GRE, IPsec, MPLS)
What if Locator/ID Separation worked on a GLOBAL Scope? No need to carry all routing in the Forwarding Plane!
LISP Overview :: Identity and Location :: an Overloaded Concept in Routing Today…
[Figure: the same topology. The DFZ Routing Table now carries only 13.0/8, 12.0/8, 64.1/17, 64.1.128/17 and 64.1/16, while the LISP Mapping System holds 64.1/16 @12.1.2.2 and @13.1.1.2: Identity (64.1/16) mapped to Location (the 12.1.1.2/30 and 13.1.1.2/30 attachment points).]
LISP Mapping System
• Let’s scale the ID address database to 10^10 entries and allow it to hold any prefix length (e.g. /32)
• Let’s provide a mechanism for on-the-fly resolution of ID to locator
• High-scale design, and the ability to change the locator for a fixed ID, enables Mobility!
LISP Overview :: LISP :: A Routing Architecture – Not a Feature
LISP changes the routing architecture to implement a level of indirection between a host’s IDENTITY and its LOCATION in the network
• LISP changes the current ROUTING Architecture
• Changes lead to DISRUPTION
• Disruption leads to OPPORTUNITIES
• LISP allows both SPs and Enterprises to do remarkably different things than allowed by traditional approaches
• LISP enables NEW services (VPNs, IPv6, Mobility, “cloud”) in one common, simple architecture
LISP Overview :: Locator/ID Separation :: The Mapping System is the Key
• A Mapping System is the key component of a Loc/ID separation architecture
‒ Mapping systems provide the control plane for the architecture
‒ Mapping systems represent the great opportunity for these architectures to excel
• Most of the time, users/operators think about the data plane. The control plane is where the magic happens!
• Some general components of a mapping system to be aware of… These affect how the system scales, much differently than routing:
‒ state :: must scale to large numbers (such as 10^10) of hosts
‒ rate :: must be small globally; damp reachability and mobility changes so they do not impact the system globally
‒ latency :: must be low enough not to harm existing applications
‒ scope :: must allow for both a global and a private scope for mapping
LISP Overview :: Locator/ID Separation :: Changing the Routing Architecture
• A Locator/ID Separation “architecture” helps solve other current network problems
• IPv4/IPv6 co-existence at the “ID” and “Locator” spaces
‒ IPv4 and IPv6 can be implemented at the “ID” and/or “locator” spaces for simple integration
‒ In reality, anything can be an “ID” and carried over traditional cores (IPv4 and IPv6), e.g. RFID, VIN#, Geo-Location, MAC-Addr, etc.
• Scaling IP Mobility is very similar to scaling Internet Multihoming
‒ Mobility:: an “ID” (unique address) moves from one network “location” to another network “location”
‒ Multihoming:: an “ID” (unique address) connects to multiple network “locations” simultaneously
‒ For both Mobility and Multihoming, the network must keep “more specific state” globally about where something is located at the current time
LISP Overview :: LISP :: A Routing Architecture – Not a Feature
• An over-the-top technology
‒ Address Family agnostic
‒ Incrementally deployable
‒ End systems can be unaware of LISP
• Deployment simplicity
‒ No host changes
‒ Minimal CPE changes
‒ Some new core infrastructure components
• Enables IP Number Portability
‒ Never change host IPs; no renumbering costs
‒ No DNS changes; “name == EID” binding
‒ Session survivability
• An Open Standard
‒ Being developed in the IETF (RFC 6830-6836, 7052)
‒ No Cisco Intellectual Property Rights
• Uses pull vs. push routing
‒ OSPF and BGP are push models; routing is stored in the forwarding plane
‒ LISP is a pull model; analogous to DNS; massively scalable
• LISP use-cases are complementary
‒ Simplified multi-homing with Ingress Traffic Engineering; no need for BGP
‒ Address Family agnostic support
‒ Virtualization support
‒ End-host mobility without renumbering
LISP Operations
LISP Operations :: Main attributes of LISP
• LISP namespaces
‒ EID (Endpoint Identifier) is the IP address of a host – just as it is today
‒ RLOC (Routing Locator) is the IP address of the LISP router for the host
‒ EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs
[Figure: EID Space sites behind xTRs, a PxTR and an MS/MR, connected across the RLOC Space; a Non-LISP site attaches to the RLOC Space natively.]
RLOC Space (Prefix / Next-hop):
Prefix    Next-hop
w.x.y.1   e.f.g.h
x.y.w.2   e.f.g.h
z.q.r.5   e.f.g.h
EID-to-RLOC mapping (EID / RLOC):
EID          RLOC
a.a.a.0/24   w.x.y.1
b.b.b.0/24   x.y.w.2
c.c.c.0/24   z.q.r.5
d.d.0.0/16   z.q.r.5
• Network-based solution
• No host changes
• Minimal configuration
• No DNS changes
• Address Family agnostic
• Incrementally deployable (supports LISP and non-LISP)
• Support for mobility
LISP Operations :: LISP Mapping Resolution “Level of Indirection” – DNS analog
• The LISP “Level of Indirection” is analogous to a DNS lookup
‒ DNS resolves IP addresses for a URL: answering the “WHO IS” question
‒ LISP resolves locators for queried identities: answering the “WHERE IS” question
DNS Name-to-IP (URL) Resolution:
host -> DNS Server: [ who is lisp.cisco.com ] ?
DNS Server -> host: [ 153.16.5.29, 2610:D0:110C:1::3 ]
LISP Identity-to-locator Mapping Resolution:
LISP router -> LISP Mapping System: [ where is 2610:D0:110C:1::3 ] ?
LISP Mapping System -> LISP router: [ locator is 128.107.81.169, 128.107.81.170 ]
LISP Operations :: LISP IPv4 EID / IPv4 RLOC Data Packet Header Example
[Figure: encapsulated packet layout, outermost header first]
IPv4 Outer Header: ITR supplies RLOCs
UDP Header:
LISP Header:
IPv4 Inner Header: Host supplies EIDs
LISP Operations :: LISP Encapsulation Combinations – IPv4 and IPv6 Supported
[Figure: the four encapsulation combinations, each drawn as Outer Header / UDP / LISP / Inner Header: IPv6/IPv4 (IPv6 Outer Header, IPv4 Inner Header), IPv4/IPv6 (IPv4 Outer Header, IPv6 Inner Header), IPv4/IPv4 (IPv4 Outer Header, IPv4 Inner Header), IPv6/IPv6 (IPv6 Outer Header, IPv6 Inner Header).]
Q: Doesn’t encapsulation cause MTU issues?
A: It can… But preparation limits issues…
‒ Encapsulation overhead is 36B with an IPv4 outer header and 56B with an IPv6 outer header
‒ LISP supports “stateful” (PMTUD) and “stateless” (fragmentation) options
‒ Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable
LISP Operations :: LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
[Figure: LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) with xTR-1 and xTR-2 (each an ITR and an ETR) on Provider A 10.0.0.0/8 and Provider B 11.0.0.0/8; LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48) with xTR-3 and xTR-4 on Provider C 12.0.0.0/8 and Provider D 13.0.0.0/8; packet flow between the sites.]
• ETR – Egress Tunnel Router
‒ Receives packets from core-facing interfaces
‒ De-caps and delivers packets to local EIDs at the site
• ITR – Ingress Tunnel Router
‒ Receives packets from site-facing interfaces
‒ Encaps to remote LISP sites, or forwards natively to non-LISP sites
LISP Operations :: LISP Data Plane :: Unicast Packet Flow
[Figure: LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) with xTR-1 and xTR-2 (RLOCs 10.0.0.2 on Provider A 10.0.0.0/8 and 11.0.0.2 on Provider B 11.0.0.0/8); LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48) with xTR-3 and xTR-4 (RLOCs 12.0.0.2 on Provider C 12.0.0.0/8 and 13.0.0.2 on Provider D 13.0.0.0/8).]
Steps as numbered in the figure:
1. DNS entry: D.abc.com AAAA 2001:db8:2::1
2. Host S sends 2001:db8:1::1 -> 2001:db8:2::1
3. Map-Cache Entry on the ITR: EID-prefix: 2001:db8:2::/48, Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50. This policy is controlled by the destination site.
4. The ITR encapsulates: outer 11.0.0.2 -> 12.0.0.2, inner 2001:db8:1::1 -> 2001:db8:2::1
5. and 6. The encapsulated packet (11.0.0.2 -> 12.0.0.2 carrying 2001:db8:1::1 -> 2001:db8:2::1) crosses the provider core to the ETR
7. The ETR de-caps and delivers 2001:db8:1::1 -> 2001:db8:2::1 to D
LISP Operations :: LISP Data Plane :: Ingress/Egress Tunnel Router (xTR)
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 (xTR-3) and 13.0.0.2 (xTR-4).]
Site 2 xTR configuration:
!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
!
Identical configs on both xTRs!
LISP Operations :: LISP Packet Forwarding – ITR
[Figure: ITR forwarding decision flowchart, rendered here as a decision list.]
Ingress packet:
1. Check the source address of the packet to be forwarded. Is SRC within a local EID prefix?
   NO -> Packet NOT ELIGIBLE for LISP encapsulation; native forwarding rules apply.
   YES -> Packet ELIGIBLE for LISP encapsulation; continue.
2. Destination lookup in the routing table (RIB) (show ip route). Is the match either the default route (0.0.0.0/0 or ::/0) or “no route”?
   NO -> Forward packet natively (1).
   YES -> Check the Map-Cache entries to see which one the destination matches (2), then act on that entry’s action:
   ‒ “fwd-encap” action -> LISP-encap the packet to the destination RLOC (3).
   ‒ “drop” action -> Drop packet.
   ‒ “send-request” action -> Send a Map-Request to the Map-Resolver; drop packet.
   ‒ “forward-native” action -> Is use-petr configured?
     YES -> LISP-encap the packet to the PETR (3).
     NO -> Is there a default route (0.0.0.0/0 or ::/0)? YES -> Forward packet natively. NO -> Drop packet.
NOTES:
1) If the destination doesn’t match a “default route” or “no route”, the only other possibility is a match against a “real route” with a viable next-hop. This packet is not eligible for LISP encapsulation and is always forwarded natively (and will not use the PETR if one is configured).
2) Because the LISP control plane function automatically installs a default map-cache entry with the action “send-map-request,” there can never be a “map-cache miss.”
3) The packet is encapsulated and a destination address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
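The ITR decision list above, as an added Python model (not code from the deck or from Cisco IOS): it walks the source-EID check, the RIB test for default route versus real route, and the map-cache actions over a constructed RIB and map-cache that mirror the deck’s two-site topology. The local prefix, the RIB contents, the extra map-cache entries and the PETR address 12.1.1.1 are assumed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample state for an xTR at LISP Site 1 (EID prefix taken from the deck).
LOCAL_EID_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]


@dataclass
class Locator:
    rloc: str
    priority: int
    weight: int
    up: bool = True


@dataclass
class MapCacheEntry:
    prefix: ipaddress.IPv6Network
    action: str                        # fwd-encap | forward-native | drop | send-map-request
    locators: List[Locator] = field(default_factory=list)


# Map-cache: the control plane always installs a default entry with action
# send-map-request, so a lookup can never miss (note 2 of the flowchart).
MAP_CACHE = [
    MapCacheEntry(ipaddress.ip_network("::/0"), "send-map-request"),
    MapCacheEntry(ipaddress.ip_network("2001:db8:2::/48"), "fwd-encap",
                  [Locator("12.0.0.2", 1, 50), Locator("13.0.0.2", 1, 50)]),
    MapCacheEntry(ipaddress.ip_network("2001:8000::/21"), "forward-native"),  # as installed by an NMR
    MapCacheEntry(ipaddress.ip_network("2001:db8:bad::/48"), "drop"),         # constructed policy entry
]

# RIB: a default route toward the provider, the connected EID prefix and one "real"
# non-LISP route. Only a default route or no route keeps a packet eligible (note 1).
RIB = {
    ipaddress.ip_network("::/0"): "provider-next-hop",
    ipaddress.ip_network("2001:db8:1::/48"): "connected",
    ipaddress.ip_network("2001:db8:ffff::/48"): "peer-next-hop",
}
PETR = "12.1.1.1"   # the deck's "ipv4 use-petr" value; None models no PETR configured


def longest_match(addr, prefixes):
    """Longest-prefix match of addr over an iterable of networks (None when nothing matches)."""
    hits = [p for p in prefixes if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


def select_rloc(locators) -> Optional[str]:
    """Lowest priority value among reachable locators, highest weight on ties.
    Real ITRs load-share across equal-priority RLOCs by weight; assumption: pick one here."""
    usable = [loc for loc in locators if loc.up]
    if not usable:
        return None
    return sorted(usable, key=lambda loc: (loc.priority, -loc.weight))[0].rloc


def itr_forward(src: str, dst: str, use_petr=PETR):
    """Return (decision, detail) for one ingress packet, in the flowchart's order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. The source must lie in a local EID prefix, else native forwarding rules apply.
    if not any(src in p for p in LOCAL_EID_PREFIXES):
        return "native", "source is not a local EID; not eligible for LISP encapsulation"
    # 2. RIB lookup: a real route with a viable next hop always wins over LISP (note 1).
    route = longest_match(dst, RIB)
    if route is not None and route.prefixlen != 0:
        return "native", f"real route {route} in RIB"
    has_default = route is not None
    # 3. Map-cache lookup; the ::/0 send-map-request entry guarantees a hit (note 2).
    entry = max((e for e in MAP_CACHE if dst in e.prefix), key=lambda e: e.prefix.prefixlen)
    if entry.action == "fwd-encap":
        rloc = select_rloc(entry.locators)
        if rloc is None:   # not covered by the flowchart; assumption: drop when every RLOC is down
            return "drop", f"all RLOCs for {entry.prefix} are down"
        return "encap", rloc   # the source RLOC is filled in after the egress lookup (note 3)
    if entry.action == "drop":
        return "drop", f"drop action for {entry.prefix}"
    if entry.action == "send-map-request":
        return "map-request", f"Map-Request for {dst} sent to the Map-Resolver; packet dropped"
    # forward-native: hand the packet to a PETR if one is configured, else use the default route.
    if use_petr:
        return "encap", use_petr
    if has_default:
        return "native", f"default route; {entry.prefix} is a non-LISP destination"
    return "drop", "no default route and no PETR"
```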
LISP Operations :: LISP Control Plane :: Introduction
• LISP Control Plane provides on-demand mappings
‒ Control Plane is separate from the Data Plane (UDP 4342 vs. UDP 4341)
‒ Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)
‒ LISP Control Plane messages for EID-to-RLOC resolution
‒ Distributed databases and map-caches hold mappings
LISP Operations :: LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
[Figure: LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) with xTR-1 and xTR-2 (RLOCs 10.0.0.2 on Provider A 10.0.0.0/8 and 11.0.0.2 on Provider B 11.0.0.0/8); LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48) with xTR-3 and xTR-4 (RLOCs 12.0.0.2 on Provider C 12.0.0.0/8 and 13.0.0.2 on Provider D 13.0.0.0/8); a Mapping System (MR and MS) reachable from both sites.]
• MR – Map-Resolver
‒ Receives Map-Requests from ITRs
‒ Forwards Map-Requests to the Mapping System
‒ Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
• MS – Map-Server
‒ LISP site ETRs register their EID prefixes here; requires a configured “lisp site” policy and authentication key
‒ Receives Map-Requests via the Mapping System, forwards them to registered ETRs
LISP Operations :: LISP Control Plane :: Map-Server/Map-Resolver (MS/MR)
[Figure: the same two-site topology with the Mapping System (MR and MS).]
• LISP Map Cache (ITR)
‒ Only stores mappings for sites the ITR is currently sending packets to
‒ Populated by receiving Map-Replies from ETRs
‒ ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)
• LISP Site Mapping-Database (ETR)
‒ EID-to-RLOC mappings in all ETRs for the local LISP site
‒ ETR is “authoritative” for its EIDs, sends Map-Replies to ITRs
‒ ETRs can tailor policy based on Map-Request source
LISP Operations :: LISP Control Plane :: Control Plane Messages
Control Plane EID Registration
‒ Map-Register message: sent by an ETR to the Map-Server to register its associated EID prefixes
• Specifies the RLOC(s) to be used by the MS when forwarding Map-Requests to the ETR
Control Plane “Data-triggered” mapping services
‒ Map-Request message: sent by an ITR to the Map-Resolver to
• learn an EID/RLOC mapping
• test an RLOC for reachability
• refresh a mapping before TTL expiration
• respond to a Solicit Map-Request (SMR)
Also sent by an ETR (with the “S” bit set)
• as a Solicit Map-Request (SMR) to signal a site change
‒ Map-Reply message: sent by an ETR to an ITR
• in response to a valid Map-Request, to provide the EID/RLOC mapping and site ingress policy for the requested EID
‒ Map-Notify message: sent by the Map-Server to an ETR to
• acknowledge successful registration of an EID prefix
LISP Operations :: LISP Control Plane :: Map-Register
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2.]
1. LISP Map-Register (UDP 4342), authenticated with a SHA2 HMAC, sent 12.0.0.2 -> 66.2.2.2: registers 2001:db8:2::/48 with RLOCs 12.0.0.2, 13.0.0.2
2. Other sites… each registers the same way with its own LISP Map-Register
LISP Operations :: LISP Control Plane :: Map-Request/Map-Reply
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2.]
1. DNS entry: D.abc.com AAAA 2001:db8:2::1
2. Host S sends 2001:db8:1::1 -> 2001:db8:2::1; the ITR asks: is 2001:db8:2::1 a LISP destination?
3. ITR -> MR: 11.0.0.2 -> 66.2.2.2, LISP ECM (UDP 4342) carrying a Map-Request (UDP 4342) from 11.0.0.2 for 2001:db8:2::1, with a nonce
4. MS -> ETR: 66.2.2.2 -> 12.0.0.2, LISP ECM (UDP 4342) carrying the same Map-Request (11.0.0.2 / 2001:db8:2::1, nonce)
5. ETR -> ITR: 12.0.0.2 -> 11.0.0.2, Map-Reply (UDP 4342): nonce / TTL, 2001:db8:2::/48, 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]
6. Map-Cache Entry installed on the ITR: EID-prefix: 2001:db8:2::/48, Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50
LISP Operations :: LISP Control Plane :: Map-Request/Proxy-Map-Reply
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2.]
1. ETR -> MS: 12.0.0.2 -> 66.2.2.2, LISP Map-Register (UDP 4342), SHA2 HMAC, Proxy-Bit set: 2001:db8:2::/48 with RLOCs 12.0.0.2, 13.0.0.2
2. ITR -> MR: 11.0.0.2 -> 66.2.2.2, LISP ECM (UDP 4342) carrying a Map-Request (UDP 4342) from 11.0.0.2 for 2001:db8:2::1, with a nonce
3. MS -> ITR: 66.2.2.2 -> 11.0.0.2, Map-Reply (UDP 4342) answered by the Map-Server on the ETR’s behalf: nonce / TTL, 2001:db8:2::/48, 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]
4. Map-Cache Entry installed on the ITR: EID-prefix: 2001:db8:2::/48, Locator-set: 12.0.0.2, priority: 1, weight: 50; 13.0.0.2, priority: 1, weight: 50
LISP Operations :: LISP Control Plane :: Map-Request/Negative-Map-Reply
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2.]
1. Host S sends 2001:db8:1::1 -> 2001:db7:1::1; the ITR asks: is 2001:db7:1::1 a LISP destination?
2. ITR -> MR: 11.0.0.2 -> 66.2.2.2, LISP ECM (UDP 4342) carrying a Map-Request (UDP 4342) from 11.0.0.2 for 2001:db7:1::1, with a nonce
3. MR -> ITR: 66.2.2.2 -> 11.0.0.2, Negative-Map-Reply (UDP 4342): nonce / TTL, 2001:8000::/21
4. Map-Cache Entry installed on the ITR: EID-prefix: 2001:8000::/21, action forward-native
NOTE: The actual “covering prefix” returned in an NMR depends on the number and distribution of EID prefixes in the Mapping System. The NMR prefix is the shortest prefix that covers the queried EID without covering any LISP Site in the Mapping System.
Notes:
‒ When an ITR queries for a destination that is not in the Mapping System, the Map-Resolver returns an NMR.
‒ A TTL of 1 minute or 15 minutes is set depending on the space covered by the NMR.
LISP Operations :: LISP Control Plane :: MS/MR Configuration example
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2.]
MS/MR configuration:
!
router lisp
 site Site-1
  authentication-key S3cr3t-1
  eid-prefix 2001:db8:1::/48
  exit
 !
 site Site-2
  authentication-key S3cr3t-2
  eid-prefix 2001:db8:2::/48
  exit
 !
 !-:: more LISP site configs
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
Alternative:
!
router lisp
 site ALL
  authentication-key *******
  eid-prefix 2001:db8::/32 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
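The Map-Register exchange from the earlier slides and the Map-Server “lisp site” policy configured above, as one added Python example (not code from the deck or from Cisco IOS): the ETR side builds a Map-Register whose authentication data is HMAC-SHA-256-128 (key ID 2, the slides’ “SHA2 HMAC”) computed over the whole message with the Authentication Data field zeroed, and the Map-Server side matches each EID-prefix to a configured site, enforces eid-prefix / accept-more-specifics, and verifies the HMAC with that site’s key before accepting the registration. The site table mirrors the configuration above; the record encoding follows the RFC 6830 field layout with map-version and locator flags left at zero, and the nonce and TTL are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY_ID_HMAC_SHA256_128 = 2      # RFC 6830 Key ID for HMAC-SHA-256-128; authentication data is 16 bytes
AFI = {4: 1, 6: 2}              # address-family identifiers used in LISP records

# Constructed Map-Server policy, mirroring the deck's "router lisp / site" configuration.
SITES = {
    "Site-1": {"key": b"S3cr3t-1", "eid_prefix": ipaddress.ip_network("2001:db8:1::/48"),
               "accept_more_specifics": False},
    "Site-2": {"key": b"S3cr3t-2", "eid_prefix": ipaddress.ip_network("2001:db8:2::/48"),
               "accept_more_specifics": False},
}


def encode_record(eid_prefix: str, rlocs, ttl: int = 1440) -> bytes:
    """EID-record: TTL, locator count, mask length, ACT/A/reserved, map-version (zero here),
    EID AFI + prefix, then per locator: priority, weight, mcast prio/weight, flags, AFI, RLOC."""
    net = ipaddress.ip_network(eid_prefix)
    rec = struct.pack("!IBBHHH", ttl, len(rlocs), net.prefixlen, 0, 0, AFI[net.version])
    rec += net.network_address.packed
    for rloc, prio, weight in rlocs:
        addr = ipaddress.ip_address(rloc)
        rec += struct.pack("!BBBBHH", prio, weight, 255, 0, 0, AFI[addr.version]) + addr.packed
    return rec


def build_map_register(eid_prefix: str, rlocs, key: bytes, nonce: int = 0x1122334455667788,
                       proxy_reply: bool = False) -> bytes:
    """ETR side. Header: Type=3, P (proxy-reply) bit, M bit (ask for a Map-Notify), record count,
    64-bit nonce, key ID, auth-data length. The MAC covers the whole message with the
    Authentication Data field zeroed, then replaces that field."""
    first_word = (3 << 28) | (int(proxy_reply) << 27) | (1 << 8) | 1
    header = struct.pack("!IQHH", first_word, nonce, KEY_ID_HMAC_SHA256_128, 16)
    record = encode_record(eid_prefix, rlocs)
    mac = hmac.new(key, header + bytes(16) + record, hashlib.sha256).digest()[:16]
    return header + mac + record


def parse_records(data: bytes, count: int):
    """Return [(eid_network, [(rloc, priority, weight), ...]), ...] from the record area."""
    out, pos = [], 0
    for _ in range(count):
        _ttl, loc_count, masklen, _act, _ver, afi = struct.unpack("!IBBHHH", data[pos:pos + 12])
        pos += 12
        alen = 4 if afi == 1 else 16
        eid = ipaddress.ip_network(f"{ipaddress.ip_address(data[pos:pos + alen])}/{masklen}")
        pos += alen
        locs = []
        for _ in range(loc_count):
            prio, weight, _mp, _mw, _flags, lafi = struct.unpack("!BBBBHH", data[pos:pos + 8])
            pos += 8
            llen = 4 if lafi == 1 else 16
            locs.append((str(ipaddress.ip_address(data[pos:pos + llen])), prio, weight))
            pos += llen
        out.append((eid, locs))
    return out


def verify_map_register(msg: bytes, sites=SITES):
    """Map-Server side. Returns (accepted, reason, registrations). A registration is accepted only
    when every EID-prefix falls under a configured site (exact match unless accept-more-specifics)
    and the HMAC verifies under that site's key, so one site's key cannot register another's space."""
    first_word, _nonce, key_id, auth_len = struct.unpack("!IQHH", msg[:16])
    if first_word >> 28 != 3:
        return False, "not a Map-Register", []
    if key_id != KEY_ID_HMAC_SHA256_128 or auth_len != 16:
        return False, "unsupported key ID or authentication data length", []
    auth = msg[16:32]
    zeroed = msg[:16] + bytes(16) + msg[32:]
    accepted = []
    for eid, rlocs in parse_records(msg[32:], first_word & 0xFF):
        match = [(name, s) for name, s in sites.items()
                 if s["eid_prefix"].version == eid.version and eid.subnet_of(s["eid_prefix"])]
        if not match:
            return False, f"{eid}: no lisp site configured for this prefix", []
        name, site = match[0]
        if eid != site["eid_prefix"] and not site["accept_more_specifics"]:
            return False, f"{eid}: more specific than {site['eid_prefix']} without accept-more-specifics", []
        expected = hmac.new(site["key"], zeroed, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, auth):
            return False, f"{eid}: authentication failed for site {name}", []
        accepted.append((name, str(eid), rlocs))
    return True, "registered", accepted
```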
LISP Operations :: LISP Control Plane :: Mapping-System Scaling
[Figure: left, many xTRs and PxTRs registering to stand-alone MS/MR pairs; right, the LISP Delegated Database Tree with ddt-root above ddt-tld nodes and MS/MRs at the leaves. The LISP Beta Network uses DDT today…]
Scaling the LISP Mapping System
‒ Deploy multiple “stand-alone” Map-Servers and register each LISP Site to all of them (up to eight)
‒ Deploy Map-Resolvers in an “Anycast” manner
‒ Or, deploy a “hierarchical” Mapping System - DDT
DDT – Delegated Distributed Tree
‒ Hierarchy for Instance IDs and for EID Prefixes
‒ DDT Map-Resolvers send (ECM) Map-Requests
‒ DDT Nodes return Map-Referral messages
‒ DDT Resolvers resolve the Map-Server’s RLOC iteratively
‒ Conceptually similar to DNS (IN-ADDR hierarchy) but with different prefix encoding, messages, etc.
LISP Operations :: Public and Private LISP Deployment Models
Private Model
• A “Private” LISP deployment supports a single Enterprise or Entity
• The LISP Enterprise deploys: xTRs; a Mapping System, if required; a Proxy System, if required
Public Model
• A “Public” LISP deployment supports the needs of multiple Enterprises
• A LISP Service Provider deploys a “shared” Mapping System and Proxy System
• LISP Enterprises subscribe to the LISP SP, and deploy their own xTRs
[Figure: Private Enterprise Examples (Enterprise A, Enterprise B, Enterprise C); Stand-Alone Example (LISP SP with LISP Enterprises CCC, PCCC, CCM, BCC, MU, Princeton, NJEdge.Net); Global Examples (LISP Beta, InTouch, ddt-root.org, VXNet as LISP SP / LISP Ent).]
LISP Operations :: LISP Internetworking :: Day-One Incremental Deployment
• Early Recognition
‒ Up-front recognition of an incremental deployment plan
‒ LISP will not be widely deployed day-one
• Interworking for:
‒ LISP-sites to non-LISP sites (e.g. the rest of the Internet)
‒ non-LISP sites to LISP-sites
• Proxy-ITR/Proxy-ETR are deployed today
‒ Infrastructure LISP network entity
‒ Creates a monetized service opportunity for infrastructure players
LISP Operations :: LISP Internetworking :: Day-One Incremental Deployment
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 and 13.0.0.2; Mapping System (MR, MS) at 66.2.2.2; a PITR and a PETR sit between the RLOC core and the IPv4 Internet / IPv6 Internet.]
• PITR – Proxy ITR
‒ Receives traffic from non-LISP sites; encapsulates traffic to LISP sites
‒ Advertises coarse-aggregate EID prefixes
‒ LISP sites see ingress TE “day-one”
• PETR – Proxy ETR
‒ Allows an EID in one AF [IPv4 or IPv6] with the opposite RLOC AF [IPv6 or IPv4] to reach non-LISP prefixes in that same AF (AF-hop-over)
‒ Allows LISP sites with uRPF restrictions to reach non-LISP sites
LISP Operations :: LISP Internetworking :: Day-One Incremental Deployment
[Figure: the same two-site topology; PITR (2001:f:f::1) and PETR (2001:f:e::1) facing the IPv6 Internet, the PITR advertising 2001:db8::/32; a Non-LISP IPv6 Site with host 2001:d:1::1; Mapping System (MR, MS) at 66.2.2.2.]
1. The non-LISP IPv6 host sends 2001:d:1::1 -> 2001:db8:2::1, which follows the PITR’s 2001:db8::/32 advertisement
2. The PITR encapsulates: outer 10.9.1.1 -> 12.0.0.2, inner 2001:d:1::1 -> 2001:db8:2::1
3. The ETR at Site 2 de-caps and delivers 2001:d:1::1 -> 2001:db8:2::1 to D
4. D replies 2001:db8:2::1 -> 2001:d:1::1
5. The ITR, configured with “ipv4 use-petr 12.1.1.1”, encapsulates the reply toward the PETR across the IPv4 Internet: outer 12.0.0.2 -> 12.9.2.1, inner 2001:db8:2::1 -> 2001:d:1::1
6. The PETR de-caps and forwards 2001:db8:2::1 -> 2001:d:1::1 natively over the IPv6 Internet
LISP Operations :: LISP Packet Forwarding – PITR
[Figure: PITR forwarding decision flowchart, rendered here as a decision list.]
Ingress packet:
1. Destination lookup for a match in the routing table (1) AND in the map-cache entries with action “send-map-request” (2). Is a match found?
   NO -> Drop packet (3).
   YES -> Compare the two prefixes found and take the one with the longest/most specific mask.
2. Does the longest (or equal) prefix match come from the “send-map-request” entry?
   NO -> Forward packet natively (4).
   YES -> Packet ELIGIBLE for LISP encapsulation. Check the Map-Cache entries to see which one the destination matches, then act on that entry’s action:
   ‒ “fwd-encap” action -> LISP-encap the packet to the destination RLOC (5).
   ‒ “drop” action -> Drop packet.
   ‒ “send-request” action -> Send a Map-Request to the Map-Resolver; drop packet.
   ‒ “forward-native” action -> Is use-petr configured? YES -> LISP-encap the packet to the PETR (5). NO -> Forward packet natively.
NOTES:
1) The routing table look-up is done in the table specified in the “eid-table” command (default or vrf).
2) A map-cache entry with action “send-map-request” is created either by a static entry or via the “route-import” mechanism.
3) If the destination matches neither a RIB route nor a “send-map-request” map-cache entry, the only other possible result is that the PITR has no forwarding route. The packet is dropped and a “network unreachable” ICMP is generated.
4) The destination is not a LISP EID and a RIB route is available.
5) An address lookup is performed on the destination/remote RLOC; once the output interface is known, the source RLOC is filled in.
LISP Operations :: LISP Locator Reachability…
• When RLOCs go up and down:
‒ We don’t want this reflected in the mapping database; must keep the rate factor small
• Use the following mechanisms:
‒ Underlying BGP where available
‒ ICMP Unreachables, when sent and accepted
‒ Data reception heuristics when available
‒ locator-status-bits in data packets and mapping data
• Only use probing when needed:
‒ Pair-wise probing won’t scale
[Figure: LISP Site 1 (S) with xTR-S1 (10.0.0.2, Provider A 10.0.0.0/8) and xTR-S2 (11.0.0.2, Provider B 11.0.0.0/8); LISP Site 2 (D) with xTR-D1 (12.0.0.2, Provider X 12.0.0.0/8) and xTR-D2 (13.0.0.2, Provider Y 13.0.0.0/8); each xTR is both ITR and ETR. First panel: both destination RLOCs marked “?” (reachability unknown); second panel: one marked “✔” and one “?”.]
LISP Operations :: LISP RLOC Reachability Concepts
Reachability options:
• “Routing” information, when you have it
‒ E.g. PE-CE links in BGP in MPLS
• Direct “data plane” packet flows
‒ LISP-exclusive “locator status bits” describe the “status” of the source site’s RLOCs to receiving sites
‒ Available (automatically) in LISP
‒ Useful for bi-directional traffic flows
• RLOC-Probing
‒ The source site “probes” the destination RLOCs of active conversations
‒ Available in LISP
‒ Useful for updating reachability info when unidirectional traffic is prevalent
LISP Operations :: LISP Locator-Reachability Bits (LSB) example
[Figure: the same two-site topology; Site 1 RLOCs 10.0.0.2 and 11.0.0.2, Site 2 RLOCs 12.0.0.2 (xTR-3) and 13.0.0.2 (xTR-4). Data packets from xTR3 and from xTR4 toward Site 1 both carry loc-reach-bits 0003.]
Mapping Entry: EID-prefix: 2001:db8:2::/48, Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1) -> ordinal 0; 13.0.0.2, priority: 1, weight: 50 (D2) -> ordinal 1
loc-reach-bits (32-bit field, low byte shown as bit positions 7654 3210, b’xxxx xxxx’): bit 0 reports ordinal 0 (D1), bit 1 reports ordinal 1 (D2); with both up the low bits are b’11’, so the field reads 0x0000 0003
LSBs provide “data plane” reachability info
LISP Operations :: LISP Locator-Reachability Bits (LSB) example
[Figure: the same two-site topology; xTR-3’s link is marked XXX (down); only xTR4 (13.0.0.2) still sends data packets toward Site 1, now carrying loc-reach-bits 0002.]
Mapping Entry: EID-prefix: 2001:db8:2::/48, Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1) -> ordinal 0; 13.0.0.2, priority: 1, weight: 50 (D2) -> ordinal 1
loc-reach-bits change from b’xxxx xx11’ (0x0000 0003) to b’xxxx xx10’ (0x0000 0002): bit 0 (D1, 12.0.0.2) is cleared, bit 1 (D2, 13.0.0.2) stays set
Outages are signaled “quickly” when traffic is flowing. (When traffic is not flowing, other mechanisms are needed.)
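The data-plane header layout from the “Data Packet Header Example” and “Encapsulation Combinations” slides and the Locator-Status-Bits example above, as one added Python example (not code from the deck or from any Cisco implementation): an ITR-side encapsulate() that builds outer IP / UDP 4341 / LISP header / inner packet for either outer address family, an ETR-side decapsulate(), and a decoder that maps the LSB field onto the locator-set ordinals. The inner packet, nonce, UDP source port and RLOC pairs are constructed sample values, and the UDP checksum is left at zero.

```python
import socket
import struct

LISP_DATA_PORT = 4341            # data plane; the control plane uses UDP 4342
IPV4_OVERHEAD = 20 + 8 + 8       # outer IPv4 + UDP + LISP header = 36 bytes (slide figure)
IPV6_OVERHEAD = 40 + 8 + 8       # outer IPv6 + UDP + LISP header = 56 bytes (slide figure)

# Constructed locator-set in mapping order, as in the deck's LSB example:
# ordinal 0 -> 12.0.0.2 (D1), ordinal 1 -> 13.0.0.2 (D2).
LOCATOR_SET = ["12.0.0.2", "13.0.0.2"]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, payload_len: int, next_proto: int = 17) -> bytes:
    """IP header (outer or inner) for either address family, chosen from the address syntax."""
    if ":" in src:
        return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_proto, 64,
                           socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, next_proto, 0,
                      socket.inet_pton(socket.AF_INET, src), socket.inet_pton(socket.AF_INET, dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def lisp_header(lsb: int, nonce: int = 0x123456) -> bytes:
    """8-byte LISP header: flags byte (N L E V I + 3 reserved bits), 24-bit nonce, 32-bit LSB.
    N=1 says a nonce is present, L=1 says the Locator-Status-Bits are valid."""
    flags = 0x80 | 0x40
    return struct.pack("!B", flags) + nonce.to_bytes(3, "big") + struct.pack("!I", lsb & 0xFFFFFFFF)


def encapsulate(inner: bytes, src_rloc: str, dst_rloc: str, lsb: int, src_port: int = 0xE7E7) -> bytes:
    """ITR side: the host supplied the EIDs inside `inner`; the ITR supplies the RLOCs outside.
    `lsb` advertises which of the sending site's own RLOCs are up."""
    lisp = lisp_header(lsb)
    udp_len = 8 + len(lisp) + len(inner)
    udp = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)   # LISP data packets carry a zero UDP checksum
    return ip_header(src_rloc, dst_rloc, udp_len) + udp + lisp + inner


def decapsulate(packet: bytes):
    """ETR side: returns (lsb_or_None, inner). The version nibble picks the outer header
    length, so all four outer/inner combinations from the slide decode with the same code."""
    outer_len = 20 if packet[0] >> 4 == 4 else 40
    udp_dst = struct.unpack("!H", packet[outer_len + 2:outer_len + 4])[0]
    if udp_dst != LISP_DATA_PORT:
        raise ValueError("not a LISP data packet")
    lisp = packet[outer_len + 8:outer_len + 16]
    lsb = struct.unpack("!I", lisp[4:8])[0] if lisp[0] & 0x40 else None   # meaningful only when L=1
    return lsb, packet[outer_len + 16:]


def reachable_locators(lsb: int, locator_set=LOCATOR_SET):
    """Bit i of the LSB field reports the locator at ordinal i of the mapping: set means up."""
    return [rloc for i, rloc in enumerate(locator_set) if (lsb >> i) & 1]


def max_inner_size(path_mtu: int, ipv6_outer: bool) -> int:
    """Largest inner packet that still fits the RLOC path MTU without fragmentation."""
    return path_mtu - (IPV6_OVERHEAD if ipv6_outer else IPV4_OVERHEAD)


# Constructed inner packet: an IPv6 header S -> D using the deck's EIDs, plus a 12-byte payload.
INNER = ip_header("2001:db8:1::1", "2001:db8:2::1", 12, next_proto=58) + b"echo-request"
```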
LISP Operations :: LISP Management – LISP Data Plane…
Data Plane Management:
‒ ping
[Figure: LISP Site 1 (S) with PI EID-prefix 172.16.1.0/24 behind xTR1 (ITR/ETR); LISP Site 2 (D) with PI EID-prefix 172.16.2.0/24 behind xTR2 (ITR/ETR); CORE 10.0.0.0/8 with an MS/MR; link addresses .1/.2, .5/.6, .9/.10.]
Example: RLOC to RLOC
Left#ping 10.0.0.6 source 10.0.0.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
Left#
ping notes:
1. Using RLOC to RLOC tests the underlying network
LISP Operations :: LISP Management – LISP Data Plane…
Data Plane Management:
‒ ping
[Figure: the same two-site topology (172.16.1.0/24 behind xTR1, 172.16.2.0/24 behind xTR2, CORE 10.0.0.0/8 with MS/MR).]
Example: EID to EID
Left#ping 172.16.2.2 source 172.16.1.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 0/0/1 ms
Left#
ping notes:
1. Using RLOC to RLOC tests the underlying network
2. Using EID-to-EID tests the LISP data plane
3. When PxTR infrastructure is involved, EID to RLOC and RLOC to EID tests can also be useful
Common Theme:
• OVER for EIDs
• UNDER for RLOCs
© 2014 Cisco and/or its affiliates. All rights reserved.TECRST-3191 Cisco Public
LISP Operations: LISP Management – LISP Data Plane…
Data Plane Management: traceroute
[Figure: LISP Site 1 (S, xTR1) and LISP Site 2 (D, xTR2) across CORE 10.0.0.0/8 with MS/MR, as on the previous slides; probes shown with ttl=1, ttl=2, ttl=3]
traceroute notes:
‒ Unlike other “tunneling” techniques, LISP (tries to) show all intermediate hops
‒ Cross Address Family traceroute is not supported because “traceroute” does not support it
Example: EID to EID
  Left#traceroute 172.16.2.1 source 172.16.1.1
  Type escape sequence to abort.
  Tracing the route to 172.16.2.1
  VRF info: (vrf in name/id, vrf out name/id)
    1 10.0.0.1 1 msec 0 msec 0 msec
    2 10.0.0.6 0 msec 1 msec 0 msec
    3 172.16.2.1 0 msec * 1 msec
  Left#
LISP Operations: LISP Management – LISP Control Plane…
Control Plane Management: lig (LISP Internet Groper)
[Figure: LISP Site 1 (S, xTR1) and LISP Site 2 (D, xTR2) across CORE 10.0.0.0/8 with MS/MR, as on the previous slides]
lig notes:
‒ Fetches an EID-to-RLOC database mapping entry
‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server
  Left#lig self ipv4
  Mapping information for EID 172.16.1.0 from 10.0.0.2 with RTT 32 msecs
  172.16.1.0/24, uptime: 00:00:00, expires: 23:59:53, via map-reply, self
    Locator   Uptime    State  Pri/Wgt
    10.0.0.2  00:00:00  up     1/100
  Left#
LISP Operations: LISP Management – LISP Control Plane…
Control Plane Management: lig (LISP Internet Groper)
[Figure: LISP Site 1 (S, xTR1) and LISP Site 2 (D, xTR2) across CORE 10.0.0.0/8 with MS/MR, as on the previous slides]
lig notes:
‒ Fetches an EID-to-RLOC database mapping entry
‒ lig self ipv4 and lig self ipv6 indicate immediately whether a site is “registered” to the Map-Server
‒ Using lig <eid> you can verify that a remote EID is registered (and provide the mapping and policy)
  Left#lig 172.16.2.2
  Mapping information for EID 172.16.2.2 from 10.0.0.6 with RTT 36 msecs
  172.16.2.0/24, uptime: 00:00:00, expires: 23:59:52, via map-reply, complete
    Locator   Uptime    State  Pri/Wgt
    10.0.0.6  00:00:00  up     1/1
  Left#
LISP Introduction – Summary
An over-the-top technology
‒ Address Family agnostic
‒ Incrementally deployable
‒ End systems can be unaware of LISP
Deployment simplicity
‒ No host changes
‒ Minimal CPE changes
‒ Some new core infrastructure components
Enables IP Number Portability
‒ Never change host IPs; no renumbering costs
‒ No DNS changes; “name == EID” binding
‒ Session survivability
An Open Standard
‒ Being developed in the IETF (RFC 6830-6836)
‒ No Cisco Intellectual Property Rights
Uses pull vs. push routing
‒ OSPF and BGP are push models; routing is stored in the forwarding plane
‒ LISP is a pull model; analogous to DNS; massively scalable
LISP Overview: LISP :: A Routing Architecture – Not a Feature
LISP use-cases are complementary
‒ Simplified multi-homing with ingress traffic engineering; no need for BGP
‒ Address Family agnostic support
‒ Virtualization support
‒ End-host mobility without renumbering
Advanced - LISP Technical Seminar: LISP Efficient Multihoming/Multi-AF
Gregg Schudel, LISP Technical Marketing Engineer, CCIE #9591
LISP and Multihoming Overview
LISP Efficient Multihoming/Multi-AF Support: Why Multihoming?
Increased Resiliency
– Access link, router, or upstream provider network failures should not interrupt service
Increased Bandwidth
– Typically less $$ to add a second link vs. paying for a ‘step increase’ in existing link access bandwidth
– Adding bandwidth via a second link gives other benefits not enjoyed by simply increasing bandwidth
– But, extra bandwidth has to be usable; need the ability to affect ingress traffic usage
Increased Responsiveness
– Potentially, can serve customers better with diverse links
LISP Efficient Multihoming/Multi-AF Support: Wide range of options
Options - Low to High Complexity
– Multihoming with NAT
  o Difficult with multiple routers due to asymmetry in traffic flows and need for concurrent state
– Multihoming with Static Routes
  o Path failure detection problematic
– Multihoming with BGP – Partial Routes
  o Premium circuit; no outbound path information
– Multihoming with BGP – Full Routes
  o Requires premium circuit
  o Requires CPU and memory, complex configuration, and “manipulation” – especially under failure conditions
[Figure: “Multihoming Options” chart of Benefits vs. Techniques, ranging from Single Homed to Fully Resilient and Traffic Eng]
LISP Efficient Multihoming/Multi-AF Support: Traditional BGP-based Multihoming
Pros…
– Reachability information available from BGP routes
  • Note: Some information is ‘hidden’ behind aggregates (caution)
– Full routes can provide ‘best path’ metrics for outbound traffic
  • With clever configuration and tuning, you can get a ‘symmetrical’ path in/out to remote sites
– Global view of the Routing System from your Routers
  • Path and route analysis possible via Route Views or commercial tools (like Arbor)
Cons…
– Requires certain class of SP link
  • BGP-capable access links available everywhere? ($$/BW)
– BGP configuration is complex
– Constant “tuning” for load balancing
  • Failures have non-deterministic impact on load-level of remaining links
– CPE routers pulling “full routes” must store 450K+ prefixes
  • Small scale routers with limited memory not suitable for CPE routers
– Not all SPs are created equal
  • Tier-1 SPs “well-peered with everyone”
  • Commodity SPs buy ‘transit’ from Tier 1’s
  • AS Path Prepending will have varying effectiveness; access link load balancing tricky
LISP Efficient Multihoming/Multi-AF Support: LISP-based Multihoming
Pros…
– Multihoming requirements are “simple“
  • No access link type or PE requirements
  • No upstream Service Provider type or support requirements (i.e. for BGP)
– Multihoming configuration is “simple”
  • LISP ETR indicates EID to RLOC relationships and ingress TE policy
  • LISP Site CPE can be small; no “push-based” routing table needs
– Applicable to LISP-to-LISP and non-LISP-to-LISP traffic “day-one”
  • PITR provides non-LISP-to-LISP support for ingress TE (LISP works day-one)
  • Access link ingress TE is “accurate” by design (assuming reasonable “flow” distribution)
  • Flexibility in LISP Architecture for ingress TE policy specification “per-request”
Cons…
– Requires Mapping Service Provider and Proxy Service Provider services
– Reachability information must be obtained in a different manner
  • Data plane signaling - locator status bits (LSBs)
  • Control plane signaling :: rloc-probing
  • Routing :: e.g. MPLS PE-CE links
– Only “simple” egress TE control; non-LISP tools needed for more than ECMP
  • PfR - Performance Routing
  • BGP – now it gets complicated (but it would be with this method anyway)
– MTU handling is important to understand
  • PMTUD (don’t filter ICMP)
  • Proactively configure higher Internet Link MTU (same as any tunnel/encap strategy)
LISP Deployment Overview: Private and Public LISP Deployment Models…
Private Model
• “Private” LISP deployment supports a single Enterprise or Entity
• LISP Enterprise deploys: xTRs; Mapping System, if required; Proxy System, if required
Public Model
• “Public” LISP deployment supports the needs of multiple Enterprises
• LISP Service Provider deploys “shared” Mapping System and Proxy System
• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs
[Figure: Private Enterprise examples (a stand-alone example; Enterprise A, Enterprise B, Enterprise C) and global examples of LISP SPs and LISP Enterprises: Princeton, NJEdge.Net, LISP Beta, InTouch, ddt-root.org, VXNet]
LISP Operations: LISP Encapsulation – Any IPv4 and IPv6 Combination Supported
[Figure: the four encapsulations IPv6/IPv4, IPv6/IPv6, IPv4/IPv6 and IPv4/IPv4: an IPv4 or IPv6 outer header, then UDP, then the LISP header, then the IPv4 or IPv6 inner header and payload]
LISP Multihoming and Multi-AF: Inherent support for AF-agnostic operations
[Figure: a dual-stack LISP Site (EIDs 172.16.1.0/24 and 2001:db8:a:1::/64) with xTR-1 (GE0/0/0 10.1.1.2/30, RLOC via SP1, IPv4) and xTR-2 (GE0/0/0 10.2.1.2/30, RLOC via SP2, IPv4) toward the IPv4 Internet; one MR/MS (10.10.30.10, 2001:db8:f000:2::1) and PxTR (10.10.30.11, 2001:db8:f000:2::2), and a second MR/MS (10.10.10.10, 2001:db8:e000:2::1) and PxTR (10.10.10.11, 2001:db8:e000:2::2), reaching the IPv6 Internet]
[Figure: xTR forwarding model: the LISP0 interface sits between the IPv4 or IPv6 core (RLOC namespace, Default) and the Enterprise Internal IPv4 or IPv6 Networks; LISPtx applies egress features and encapsulates, LISPrx decapsulates and applies ingress features]
LISP Multihoming and Multi-AF: Inherent support for AF-agnostic operations
[Figure: same dual-stack LISP Site topology as on the previous slide]
  PxTR1#show ip lisp map-cache
  LISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries
  ---<skip>---
  172.16.1.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
    Locator   Uptime    State  Pri/Wgt
    10.1.1.2  00:01:38  up     1/50
    10.2.1.2  00:01:38  up     1/50
  ---<skip>---
LISP Multihoming and Multi-AF: Inherent support for AF-agnostic operations
[Figure: same dual-stack LISP Site topology as on the previous slides]
  PxTR1#show ipv6 lisp map-cache
  LISP IPv6 Mapping Cache for EID-table default (IID 0), 13 entries
  ---<skip>---
  2001:DB8:A:1::/64, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
    Locator   Uptime    State  Pri/Wgt
    10.1.1.2  00:01:38  up     1/50
    10.2.1.2  00:01:38  up     1/50
  ---<skip>---
LISP Multihoming/Multi-AF + Internet
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
Let’s look at an example…
[Figure: xTR1 (site 1: EIDs 192.168.1.0/24 and 2001:db8:a::/48; RLOCs 10.0.1.2/30, 10.0.2.2/30 and 2001:db8:2:3::2/64) and xTR2 (site 2: EIDs 192.168.7.0/24 and 2001:db8:b::/48; RLOC 10.0.9.2/30) attached to the IPv4 Internet and the IPv6 Internet; MSMR at 10.0.100.2 / 2001:db8:3:4::2 and PxTR at 10.0.101.2 / 2001:db8:3:5::2; non-LISP targets 10.200.1.1 and 2001:db8:c5c0::1]
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slide]
The end-user needs to add this… (xTR2 configuration)
  router lisp
   locator-set SITE2
    10.0.9.2 priority 1 weight 1
    exit
   !
   eid-table default instance-id 0
    database-mapping 192.168.7.0/24 locator-set SITE2
    database-mapping 2001:DB8:B::/48 locator-set SITE2
    exit
   !
   loc-reach-algorithm rloc-probing
   ipv4 itr
   ipv4 etr
   ipv4 itr map-resolver 10.0.100.2
   ipv4 etr map-server 10.0.100.2 key SITE2KEY
   ipv4 use-petr 10.0.101.2
   ipv6 itr
   ipv6 etr
   ipv6 itr map-resolver 10.0.100.2
   ipv6 etr map-server 10.0.100.2 key SITE2KEY
   ipv6 use-petr 10.0.101.2
   exit
  !
  ip route 0.0.0.0 0.0.0.0 10.0.9.1
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
And this… (xTR1 configuration)
  router lisp
   locator-set SITE1
    10.0.1.2 priority 1 weight 1
    10.0.2.2 priority 1 weight 1
    2001:DB8:2:3::2 priority 1 weight 1
    exit
   !
   eid-table default instance-id 0
    database-mapping 192.168.1.0/24 locator-set SITE1
    database-mapping 2001:DB8:A::/48 locator-set SITE1
    exit
   !
   loc-reach-algorithm rloc-probing
   ipv4 itr
   ipv4 etr
   ipv4 itr map-resolver 10.0.100.2
   ipv4 etr map-server 10.0.100.2 key SITE1KEY
   ipv4 use-petr 10.0.101.2
   ipv6 itr
   ipv6 etr
   ipv6 itr map-resolver 10.0.100.2
   ipv6 etr map-server 10.0.100.2 key SITE1KEY
   ipv6 use-petr 10.0.101.2
   exit
  !
  ip route 0.0.0.0 0.0.0.0 10.0.1.1
  ip route 0.0.0.0 0.0.0.0 10.0.2.1
  ipv6 route ::/0 2001:DB8:2:3::1
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
A LISP Service Provider (or Enterprise) will run the Mapping System…
  router lisp
   site site1
    authentication-key SITE1KEY
    eid-prefix 192.168.1.0/24
    eid-prefix 2001:DB8:A::/48
    exit
   !
   site site2
    authentication-key SITE2KEY
    eid-prefix 192.168.7.0/24
    eid-prefix 2001:DB8:B::/48
    exit
   !
   ipv4 map-server
   ipv4 map-resolver
   ipv6 map-server
   ipv6 map-resolver
   exit
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
And the PxTR…
  router lisp
   eid-table default instance-id 0
    ipv4 route-import map-cache static route-map EID-space
    ipv6 route-import map-cache static route-map EID-space
    exit
   !
   loc-reach-algorithm rloc-probing
   ipv4 proxy-etr
   ipv4 proxy-itr 10.0.101.2 2001:DB8:3:5::2
   ipv4 itr map-resolver 10.0.100.2
   ipv4 map-request-source 10.0.101.2
   ipv6 proxy-etr
   ipv6 proxy-itr 2001:DB8:3:5::2 10.0.101.2
   ipv6 itr map-resolver 10.0.100.2
   ipv6 map-request-source 2001:DB8:3:5::2
   exit
  !
  ip route 0.0.0.0 0.0.0.0 10.0.101.1
  ip route 192.168.0.0 255.255.0.0 Null0 tag 111
  ipv6 route 2001:DB8:A::/47 Null0 tag 111
  ipv6 route ::/0 2001:DB8:3:5::1
  !
  route-map EID-space permit 10
   match tag 111
  !
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides; the PxTR’s router lisp configuration is as on the previous slide]
The PxTR may use BGP… (BGP example)
  !
  router bgp 5
   bgp asnotation dot
   bgp log-neighbor-changes
   neighbor 10.0.101.1 remote-as 3
   neighbor 2001:DB8:3:5::1 remote-as 3
   !
   address-family ipv4
    redistribute static route-map pop-EID
    neighbor 10.0.101.1 activate
    no neighbor 2001:DB8:3:5::1 activate
   exit-address-family
   !
   address-family ipv6
    redistribute static route-map pop-EID
    neighbor 2001:DB8:3:5::1 activate
   exit-address-family
  !
  route-map pop-EID permit 10
   match tag 111
   set origin igp
   set community 111:5
  !
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R114-MSMR#show lisp site
  LISP Site Registration Information
  Site Name  Last      Up   Who Last    Inst  EID Prefix
             Register       Registered  ID
  site1      00:00:42  yes  10.0.2.2          192.168.1.0/24
             00:00:42  yes  10.0.2.2          2001:DB8:A::/48
  site2      00:00:38  yes  10.0.9.2          192.168.7.0/24
             00:00:06  yes  10.0.9.2          2001:DB8:B::/48
  R114-MSMR#
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R114-MSMR#sh lisp site name site1
  ---<skip>---
  Allowed EID-prefixes:
    EID-prefix: 192.168.1.0/24
    ---<skip>---
      Locator          Local  State  Pri/Wgt  Scope
      10.0.1.2         yes    up     1/1      IPv4 none
      10.0.2.2         yes    up     1/1      IPv4 none
      2001:DB8:2:3::2  yes    up     1/1      IPv6 none
  ---<etc>---
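What the Map-Server is doing behind the "Allowed EID-prefixes" list and the site's authentication-key is the control-plane check that keeps one site from registering another site's EID space. The following Python is an added example (not the seminar's or IOS's code) of that check as a Map-Server would perform it: the registration is accepted only if its HMAC verifies under the key of the site configured for the EID-prefix and every prefix it carries is one that site is allowed to register. The message layout is a simplified stand-in for the RFC 6830 Map-Register; the authentication algorithm (HMAC-SHA-256-128 under key ID 2, computed over the message with the authentication-data field zeroed) follows the RFC. The site table, nonces and records are constructed to mirror the Map-Server configuration above; the `accept_more_specifics` switch is this example's model of a policy knob, not a claim about IOS defaults.

```python
"""Map-Register authentication and EID-prefix authorisation, as a Map-Server
would check them.

Added example, not code from the seminar or from IOS. Simplified message
format: an 11-byte header (key ID, auth-data length, 64-bit nonce), a
16-byte authentication-data field, then one 'prefix rloc,rloc' text line per
mapping record. The MAC is HMAC-SHA-256 truncated to 128 bits (RFC 6830 key
ID 2) over the whole message with the auth field zeroed. Site table and
inputs are constructed to mirror the seminar's Map-Server configuration.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY_ID_HMAC_SHA256_128 = 2   # RFC 6830 key ID for HMAC-SHA-256-128
AUTH_LEN = 16                # 128-bit truncated tag
HDR = struct.Struct("!BHQ")  # key ID, authentication data length, nonce

# Constructed: the two sites from 'router lisp' on the MS.
SITES = {
    "site1": {"key": b"SITE1KEY", "eid_prefixes": ["192.168.1.0/24", "2001:db8:a::/48"]},
    "site2": {"key": b"SITE2KEY", "eid_prefixes": ["192.168.7.0/24", "2001:db8:b::/48"]},
}


def _payload(records):
    """Canonical encoding of the mapping records: one 'prefix rloc,rloc' line each."""
    return "\n".join(f"{prefix} {','.join(rlocs)}" for prefix, rlocs in records).encode()


def build_map_register(key: bytes, nonce: int, records) -> bytes:
    """Build a simplified Map-Register (what an ETR sends) signed with its site key."""
    msg = bytearray(HDR.pack(KEY_ID_HMAC_SHA256_128, AUTH_LEN, nonce)
                    + bytes(AUTH_LEN) + _payload(records))
    tag = hmac.new(key, bytes(msg), hashlib.sha256).digest()[:AUTH_LEN]
    msg[HDR.size:HDR.size + AUTH_LEN] = tag
    return bytes(msg)


def parse_map_register(msg: bytes):
    key_id, auth_len, nonce = HDR.unpack_from(msg)
    tag = msg[HDR.size:HDR.size + auth_len]
    records = []
    for line in msg[HDR.size + auth_len:].decode().splitlines():
        prefix, rlocs = line.split(" ", 1)
        records.append((prefix, rlocs.split(",")))
    return key_id, auth_len, nonce, tag, records


def _site_for_prefix(prefix: str, accept_more_specifics: bool):
    """Find the site allowed to register prefix (exact match, or a covered
    more-specific when the policy permits it)."""
    net = ipaddress.ip_network(prefix)
    for name, site in SITES.items():
        for allowed in site["eid_prefixes"]:
            a = ipaddress.ip_network(allowed)
            if a == net or (accept_more_specifics and a.version == net.version
                            and net.subnet_of(a)):
                return name
    return None


def map_server_accepts(msg: bytes, accept_more_specifics: bool = False):
    """Return (accepted, reason, site_name) for a received Map-Register."""
    key_id, auth_len, nonce, tag, records = parse_map_register(msg)
    if key_id != KEY_ID_HMAC_SHA256_128 or auth_len != AUTH_LEN:
        return False, "unsupported key ID or auth length", None
    # Authorisation first: every prefix must belong to one configured site,
    # because that site's key is the one the MAC is verified against.
    sites = {_site_for_prefix(p, accept_more_specifics) for p, _ in records}
    if len(sites) != 1 or None in sites:
        return False, "EID-prefix not allowed for any single site", None
    site = sites.pop()
    zeroed = bytearray(msg)
    zeroed[HDR.size:HDR.size + AUTH_LEN] = bytes(AUTH_LEN)
    expected = hmac.new(SITES[site]["key"], bytes(zeroed), hashlib.sha256).digest()[:AUTH_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return False, "authentication failed", site
    return True, "registered", site


if __name__ == "__main__":
    reg = build_map_register(b"SITE1KEY", 1, [("192.168.1.0/24", ["10.0.1.2", "10.0.2.2"])])
    print(map_server_accepts(reg))
```

A registration of 192.168.7.0/24 signed with SITE1KEY is refused: the prefix belongs to site2, so the MAC is checked against SITE2KEY and fails, which is exactly the property that stops a mis-keyed or rogue xTR from attracting another site's traffic. A bit flipped anywhere in the records after signing fails the same way.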
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R116-xTR#ping 192.168.1.254 so 192.168.7.254 rep 10
  ---<skip>---
  !!!!!!!!!!
  Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/1 ms
  R116-xTR#
  R116-xTR#sh ip lisp map-cache
  ---<skip>---
  192.168.1.0/24, uptime: 1d00h, expires: 23:59:26, via map-reply, complete
    Locator          Uptime  State     Pri/Wgt
    10.0.1.2         1d00h   up        1/1
    10.0.2.2         1d00h   up        1/1
    2001:DB8:2:3::2  1d00h   no-route  1/1
  R116-xTR#
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R116-xTR#sh ip lisp forwarding eid remote 192.168.1.1
  Prefix            Fwd action  Locator status bits
  192.168.1.0/24    encap       0x00000007
    packets/bytes 118/11520
    path list B46EAF2C, flags 0x49, 3 locks, per-destination
      ifnums: LISP0(11): 10.0.1.2, 10.0.2.2
      2 paths
        path B57E1A80, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4
          nexthop 10.0.1.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.1.2 B471DC28
        path B57E1A10, path list B46EAF2C, share 1/1, type attached nexthop, for IPv4
          nexthop 10.0.2.2 LISP0, adjacency IP midchain out of LISP0, addr 10.0.2.2 B471DAF8
      1 output chain
        chain[0]: loadinfo B278CA5C, per-session, 2 choices, flags 0083, 5 locks
          flags: Per-session, for-rx-IPv4, 2buckets
          2 hash buckets
            < 0 > IP midchain out of LISP0, addr 10.0.1.2 B471DC28
                  IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220
            < 1 > IP midchain out of LISP0, addr 10.0.2.2 B471DAF8
                  IP adj out of Ethernet0/1, addr 10.0.9.1 B4340220
  ---<skip>---
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R112-xTR#ping 2001:db8:c5c0::1 so 2001:DB8:A:1::254 rep 10
  ---<skip>---
  !!!!!!!!!!
  Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/14 ms
  R112-xTR#
  R112-xTR#sh ipv6 lisp map-cache
  ---<skip>---
  2001:DB8:8000::/33, uptime: 00:01:09, expires: 00:13:50, via map-reply, forward-native
    Encapsulating to proxy ETR
  R112-xTR#
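The lig self / lig <eid> outputs, the PxTR1 show ip/ipv6 lisp map-cache listings, the R116-xTR entry with a no-route locator and the R112-xTR forward-native entry above all share one record layout, which makes them easy to watch from a script. The following Python is an added example (not the seminar's or Cisco's code) that parses that layout into structured entries and derives the checks an operator would want flagged: a self entry proves the site is registered, forward-native means the destination is non-LISP and traffic is handed to the proxy ETR, and a locator that is not up (here the IPv6 RLOC that an IPv4-only xTR reports as no-route) is excluded from forwarding. The regular expressions and the SAMPLE text are this example's own; SAMPLE merges entries from several slides into one constructed listing.

```python
"""Parse IOS 'show ip|ipv6 lisp map-cache' / 'lig' output and flag what an
operator would want alerted on.

Added example, not code from the seminar or from Cisco. The SAMPLE text is
constructed by merging entries shown on several seminar slides into one
listing. Entry actions recognised: complete, self, forward-native (anything
else is kept verbatim); locator states: up, down, no-route.
"""
import re

ENTRY_RE = re.compile(
    r"^(?P<prefix>[0-9A-Fa-f:.]+/\d+), uptime: (?P<uptime>\S+), expires: (?P<expires>\S+), "
    r"via (?P<source>[\w-]+), (?P<action>[\w-]+)(?P<note>.*)$"
)
LOCATOR_RE = re.compile(
    r"^(?P<rloc>[0-9A-Fa-f:.]+)\s+(?P<uptime>\S+)\s+(?P<state>up|down|no-route)\s+"
    r"(?P<pri>\d+)/(?P<wgt>\d+)$"
)

SAMPLE = """\
R116-xTR#sh ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 3 entries
172.16.1.0/24, uptime: 00:00:00, expires: 23:59:53, via map-reply, self
  Locator   Uptime    State  Pri/Wgt
  10.0.0.2  00:00:00  up     1/100
192.168.1.0/24, uptime: 1d00h, expires: 23:59:26, via map-reply, complete
  Locator          Uptime  State     Pri/Wgt
  10.0.1.2         1d00h   up        1/1
  10.0.2.2         1d00h   up        1/1
  2001:DB8:2:3::2  1d00h   no-route  1/1
2001:DB8:8000::/33, uptime: 00:01:09, expires: 00:13:50, via map-reply, forward-native
  Encapsulating to proxy ETR
R116-xTR#
"""


def parse_map_cache(text: str):
    """Return a list of entries, each a dict with its locator list in order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"prefix": m["prefix"], "uptime": m["uptime"], "expires": m["expires"],
                   "source": m["source"], "action": m["action"], "locators": []}
            entries.append(cur)
            continue
        m = LOCATOR_RE.match(line)
        if m and cur is not None:   # locator rows belong to the entry above them
            cur["locators"].append({"rloc": m["rloc"], "uptime": m["uptime"],
                                    "state": m["state"], "priority": int(m["pri"]),
                                    "weight": int(m["wgt"])})
    return entries


def is_registered(entries, prefix: str) -> bool:
    """'lig self' semantics: a 'self' entry for the prefix means the MS accepted us."""
    return any(e["prefix"] == prefix and e["action"] == "self" for e in entries)


def findings(entries):
    """Conditions worth surfacing: (prefix, message) tuples."""
    out = []
    for e in entries:
        if e["action"] == "forward-native":
            out.append((e["prefix"], "non-LISP destination, forwarding via proxy ETR"))
        down = [loc for loc in e["locators"] if loc["state"] != "up"]
        for loc in down:
            out.append((e["prefix"], f"locator {loc['rloc']} is {loc['state']}"))
        if e["locators"] and len(down) == len(e["locators"]):
            out.append((e["prefix"], "no usable locator"))
    return out


if __name__ == "__main__":
    parsed = parse_map_cache(SAMPLE)
    print(is_registered(parsed, "172.16.1.0/24"))
    for prefix, msg in findings(parsed):
        print(prefix, msg)
```

Running it on SAMPLE reports registration for 172.16.1.0/24, the no-route IPv6 locator under 192.168.1.0/24, and the proxy-ETR path for 2001:DB8:8000::/33; the "no usable locator" message only appears when every locator of an entry is down, which is the state in which the remote site has become unreachable.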
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  R115-PxTR#sh ipv6 lisp for eid remote 2001:db8:a::1
  Prefix            Fwd action  Locator status bits
  2001:DB8:A::/48   encap       0x00000007
    packets/bytes 18/1800
  ---<skip>---
    path list B47117DC, flags 0x49, 4 locks, per-destination
      ifnums: LISP0(10): 10.0.1.2, 10.0.2.2, 2001:DB8:2:3::2
      3 paths
        path B4710400, path list B47117DC, share 1/1, type attached nexthop, for IPv6
          nexthop 10.0.1.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
        path B4710390, path list B47117DC, share 1/1, type attached nexthop, for IPv6
          nexthop 10.0.2.2 LISP0, adjacency IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
        path B4710320, path list B47117DC, share 1/1, type attached nexthop, for IPv6
          nexthop 2001:DB8:2:3::2 LISP0, adjacency IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
      1 output chain
  ---<cont>---
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF – Some Technical Details
[Figure: same example topology as on the previous slides]
  ---<cont>---
          15 hash buckets
            < 0 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 1 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 2 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
                  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
            < 3 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 4 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 5 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
                  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
            < 6 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 7 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            < 8 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
                  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
            < 9 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            <10 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            <11 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
                  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
            <12 > IPV6 midchain out of LISP0, addr 10.0.1.2 B45409B8
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            <13 > IPV6 midchain out of LISP0, addr 10.0.2.2 B4540888
                  IP adj out of Ethernet0/0, addr 10.0.101.1 B4355560
            <14 > IPV6 midchain out of LISP0, addr 2001:DB8:2:3::2 B4540758
                  IPV6 adj out of Ethernet0/0, addr 2001:DB8:3:5::1 B4355430
    Subblocks: None
  R115-PxTR#
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example (NJEDge.Net)
LISP Services:
• BGP-free Multihoming
• IPv6 Internet Access
• Host Mobility Disaster-Recovery (adding now…)
• Inter-Departmental VPNs (adding next…)
Target Market:
• State of New Jersey Educational Entities (K-12, universities, colleges)
Customer Case Study: http://lisp.cisco.com
Customer Site: http://njedge.net
Customer Site: http://lisp.njedge.net
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
[Figure: Constituent Member Topologies… Members 1 through N, each with one or more CPE routers, attached to Tier 1 SP1, Tier 1 SP2, a Commodity SP and Transit SPs, some via a Default Route and some via BGP, toward the IPv4 Internet (“Some.. v4”, “More… v4”) and the IPv6 Internet (“Some.. v6”, “More… v6”, Google, Facebook)]
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
[Figure: same Constituent Member Topologies as on the previous slide]
Before LISP…
They wanted: 50%/50%. They got: 90%/10%? 80%/20%? Never 50%/50%.
  router bgp 100
   bgp router-id 172.16.2.1
   bgp asnotation dot
   no bgp default ipv4-unicast
   bgp log-neighbor-changes
   neighbor 172.16.2.1 remote-as 300   <== eBGP to SP1
   neighbor 172.16.1.2 remote-as 400   <== eBGP to SP2
   !
   address-family ipv4
    no synchronization
    redistribute ospf route-map populate-default
    neighbor 172.16.1.2 activate
    neighbor 172.16.1.2 route-map filter-out out
    neighbor 172.16.1.2 route-map filter-in in
    neighbor 172.16.1.2 maximum-prefix 450000 90
    neighbor 172.16.2.1 activate
    neighbor 172.16.2.1 route-map filter-out out
    neighbor 172.16.2.1 route-map filter-in in
    neighbor 172.16.2.1 maximum-prefix 450000 90
    no auto-summary
   exit-address-family
  !
  ip bgp-community new-format
  ip community-list standard outlist permit 100:123
  !
  route-map populate-default permit 10
   set origin igp
   set community 100:123
  !
  route-map filter-out permit 10
   match community outlist
  !
  route-map filter-in permit 10
   match community inlist
  !
Many more features can be added here...
• Configuration complexity…
• Uneven multihoming load shares…
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
[Figure: same Constituent Member Topologies as on the previous slides]
Deploy LISP…
[Figure: the NJEDge.Net LISP Network (MS/MR, PxTR) in front of Members 1 through N, each now running an xTR (Member 3 two xTRs) with only a Default Route toward its SPs]
• Configuration simplicity…
  router lisp
   locator-set Site3
    172.16.1.2 priority 1 weight 50
    172.16.2.2 priority 1 weight 50
    exit
   !
   eid-table default instance-id 0
    database-mapping 10.1.1.0/24 locator-set Site3
    exit
   !
   ipv4 itr
   ipv4 etr
   ipv4 itr map-resolver 172.17.1.1
   ipv4 etr map-server 172.17.1.1 key s3cr3t
   ipv4 use-petr 10.5.5.5
  !
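The "priority 1 weight 50 / priority 1 weight 50" lines in the Site3 locator-set are the whole of the ingress traffic-engineering policy: every remote ITR (and the PxTR for non-LISP sources) is asked to spread flows across the two RLOCs 50/50, which is what BGP prepending could never deliver reliably. The following Python is an added example (not the seminar's or IOS's code) of the selection rule an ITR applies: use only locators at the best (lowest) priority, split flows among them in proportion to weight, and pin each flow to one locator by hashing its 5-tuple. The bucket table and hash function are this example's own and do not reproduce the IOS load-sharing structures shown in the "show ... forwarding" output earlier; the `Locator` class and the 2000 flows are constructed.

```python
"""Priority/weight locator selection: the ingress traffic engineering a
multihomed LISP site expresses in its locator-set.

Added example, not code from the seminar or from IOS. It models what the
Site3 locator-set ('172.16.1.2 priority 1 weight 50', '172.16.2.2 priority 1
weight 50') asks a remote ITR to do: forward only to locators at the best
(lowest) priority, split flows across them in proportion to weight, and keep
each flow on one locator by hashing its 5-tuple. The bucket table and hash
are this example's own; the flows below are constructed.
"""
import hashlib
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int
    weight: int
    up: bool = True


def usable(locators):
    """Locators that carry traffic: up, weight > 0 and at the lowest priority present.
    Higher-numbered priorities are backups that take over only when all better
    locators are down."""
    live = [loc for loc in locators if loc.up and loc.weight > 0]
    if not live:
        return []
    best = min(loc.priority for loc in live)
    return [loc for loc in live if loc.priority == best]


def bucket_table(locators):
    """Expand weights into a bucket list: each RLOC repeated weight/gcd times."""
    use = usable(locators)
    if not use:
        return []
    g = reduce(gcd, (loc.weight for loc in use))
    table = []
    for loc in use:
        table.extend([loc.rloc] * (loc.weight // g))
    return table


def flow_hash(src, dst, proto, sport, dport) -> int:
    """Deterministic per-flow hash so one session always lands in the same bucket."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def select_rloc(locators, flow):
    table = bucket_table(locators)
    return table[flow_hash(*flow) % len(table)] if table else None


def load_share(locators, flows):
    """Fraction of flows each RLOC receives: the ingress load the site's links see."""
    counts = {}
    for flow in flows:
        rloc = select_rloc(locators, flow)
        counts[rloc] = counts.get(rloc, 0) + 1
    return {rloc: n / len(flows) for rloc, n in counts.items()}


SITE3 = [Locator("172.16.1.2", 1, 50), Locator("172.16.2.2", 1, 50)]
# Constructed: 2000 TCP flows from distinct client ports toward one EID in 10.1.1.0/24.
FLOWS = [(f"192.168.7.{i % 250 + 1}", "10.1.1.10", 6, 1024 + i, 443) for i in range(2000)]

if __name__ == "__main__":
    print(bucket_table(SITE3), load_share(SITE3, FLOWS))
```

With the two equal weights the table has two buckets and the constructed flows split close to 50/50; changing the weights to 75/25 yields a 3:1 table and about a 75/25 split, and a priority-2 locator carries nothing until both priority-1 locators are down. The "assuming reasonable flow distribution" caveat from the LISP-based multihoming slide is visible here: the split is accurate per flow, so a few very large flows can still skew the bytes per link.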
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
[Figure: same Constituent Member Topologies as on the previous slides]
Deploy LISP…
[Figure: the NJEDge.Net LISP Network (MS/MR, PxTR) in front of Members 1 through N, each running an xTR with only a Default Route; labels: LISP-to-LISP, Non-LISP-to-LISP, IPv4 EID Aggregate Advertisement]
• Configuration simplicity…
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
[Figure: same Constituent Member Topologies and NJEDge.Net LISP Network (MS/MR, PxTR; member xTRs with Default Routes) as on the previous slides; labels: Non-LISP-to-LISP, IPv6 EID Aggregate Advertisement, LISP-to-LISP, IPv6 EIDs at each member]
NJEDge.Net is now adding IPv6 for its members!
LISP Multihoming and Multi-AF: Efficient Multi-Homing and Multi-AF -- Customer Example
Key NJEDge.Net LISP Equipment
• ASR1Ks as MSMRs
• ASR9Ks as PxTRs (90G Internet capacity)
Key LISP Benefits
• No BGP to configure or manage
• No complex configurations
• Optimized Ingress load balancing
• Cost Savings by reducing OPEX and CAPEX
• LISP offers a non-disruptive transition approach which does not affect end systems and allows for incremental deployment
• Disaster Recovery for Critical Applications introduces Increased Complexity
LISP Multihoming and Multi-AF: Customer Example :: Cisco IT – IPv6-over-IPv4 MPLS
Current Remote Office xTRs: 8 Offices, ~1900 employees, ~1375 IPv6 devices
Planned Deployments (CY14): 80+ additional offices
[Figure: remote office xTRs across an L3 MPLS VPN to the PxTR and MSMR; Proxy Aggregate BW]
LISP Multihoming and Multi-AF: Customer Example :: EANTC Interoperability Demonstration
MPLS and Ethernet World Congress, SDN Summit & V6 World Congress Public Multi-Vendor Interoperability Test 2013
All possible LISP encapsulations tested:
• IPv4 and IPv6 over IPv6 RLOC (“IPv6-only core network”)
• IPv4 and IPv6 over IPv4 RLOC (“IPv4-only core network”)
Spirent TestCenter emulated LISP xTR; Cisco ASR1K as Map Server and PxTR; Cisco ASR9K as PxTR
Successfully tested and certified by EANTC
YouTube video demo: http://goo.gl/oZShr
LISP Multihoming and Multi-AF: Customer Example :: “Home Router Market” (Europe)
[Figure: Customer 192.168.1.0/24 behind a CE (.10) whose EID is on Lo0 (10.1.1.x/32); two uplinks, one via the SP Broadband Core (UP: x Mbps, DN: y Mbps) and one via the LTE Cloud (UP: a Mbps, DN: b Mbps), reaching the Internet through a PxTR]
Multihoming by bundling multiple access technologies
– 4G+xDSL
– Higher BW, and resiliency
Load Sharing
– Bandwidth and link conditions
– Better user experience
Subscriber traffic NAT’d to EID loopback
– Common configuration on all CE
– Supports DHCP (RLOC)
– LISP hidden from customer
LISP Multihoming/Multi-AF + MPLS
LISP Multihoming and Multi-AF: LISP and MPLS Integration
LISP / MPLS results in an "ideal" deployment environment
– The Locator/ID split idealizes a pure "RLOC core" and "EID overlay"
Opportunities
– IPv4 over MPLS via LISP: use of LISP (v4-over-v4) removes customer IPv4 prefixes from the MPLS core. PE benefits: (a) substantially improved scaling; (b) reduced CPU load, since the PE no longer carries customer route advertisement/churn
– IPv6 over MPLS via LISP: use of LISP (v6-over-v4) removes the SP from customer IPv6 configuration/management. Immediate support, even if not running LISP for IPv4. PE benefits: (a) no added v6 interface; (b) no added v6 eBGP peering; (c) no added IPv6 customer prefixes
– Permits inter-departmental VPNs without additional PE VRFs
LISP Multihoming and Multi-AF: LISP and MPLS Integration
1: Existing IPv4 MPLS
[Diagram: SP MPLS core with PE1–PE4; Blue MPLS-VPN (Blue Site 1–3 behind CE1–CE3) and Purple MPLS-VPN (Purple Site 1–2, CE4); IPv4 everywhere; IGP inside the sites, eBGP on the CE-PE links]

PE2#show ip route vrf BLUE
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
B       10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
(10.x.x.x: customer prefixes – EIDs!!   12.x.x.x: PE-CE links – RLOCs!!)

CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#
(10.x.x.x: customer prefixes – EIDs!!   12.x.x.x: PE-CE links – RLOCs!!)
LISP Multihoming and Multi-AF: LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP!
[Diagram: same topology; the Blue CEs become LISP xTRs, with an MSMR co-located with one of them and reachable across the MPLS VPN; the CE-PE eBGP export is filtered ("route-map deny EIDs out") so that EID prefixes are no longer advertised to the PEs]
LISP Multihoming and Multi-AF: LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP!
[Diagram: same topology, Blue CEs as xTRs plus an MSMR; CE-PE eBGP filtered with "route-map deny EIDs out"]

PE2#show ip route vrf BLUE
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
(Only the PE-CE links – RLOCs!! – remain in the VRF; the customer EID prefixes are gone)

CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#
(10.1.x.x: this site's prefixes – EIDs!!   12.x.x.x: PE-CE links – RLOCs!!)
LISP Multihoming and Multi-AF: LISP and MPLS Integration
1: Existing IPv4 MPLS – Add LISP!
[Diagram: same topology, Blue CEs as xTRs plus an MSMR; "route-map deny EIDs out" on the CE-PE eBGP sessions]

CE1#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 12 entries

0.0.0.0/0, uptime: 6w0d, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.3.0.0/24, uptime: 00:00:06, expires: 23:59:46, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.0.2  00:00:06  up     1/100
---<more>---
CE1#
(10.3.0.0/24: the other site's EIDs!!   12.3.0.2: that site's PE-CE link – its RLOC!!)
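The filter the last three diagrams label "route-map deny EIDs out" is the whole point of the exercise: once it is in place, the PE VRF holds only the PE-CE links (RLOCs) and the site's EID prefixes are reachable exclusively through the LISP map-cache. What follows is an added example, not from the seminar or from Cisco, of the audit a practitioner runs after making that change: it parses a constructed copy of the xTR's database-mapping lines and a constructed advertised-routes listing for the PE neighbour and reports every advertised prefix that equals, falls inside, or covers an EID prefix. The addresses reuse the slides' 10.1.x.x EIDs and 12.1.x.x PE-CE link; the listing format and the planted aggregate 10.1.0.0/16 are assumptions made for the example.

```python
"""EID-leak audit for a LISP-over-MPLS xTR (added example, not from the seminar).

After "route-map deny EIDs out" the CE may export only its PE-CE link
prefixes (RLOCs) to the PE; any EID prefix that still reaches the PE is
carried natively and bypasses the LISP overlay.  Both inputs below are
constructed samples in IOS-like format; the aggregate 10.1.0.0/16 is a
deliberately planted mistake.
"""
import ipaddress
import re

# Constructed: the xTR's LISP database (what the site registers as EIDs).
XTR_CONFIG = """\
router lisp
 eid-table default instance-id 0
  database-mapping 10.1.0.0/24 12.1.0.2 priority 1 weight 100
  database-mapping 10.1.2.0/24 12.1.0.2 priority 1 weight 100
  database-mapping 2001:db8:a:a::/64 12.1.0.2 priority 1 weight 100
  exit
"""

# Constructed: what the CE still advertises to the PE after the route-map.
BGP_ADVERTISED = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  12.1.0.0/30      0.0.0.0                  0         32768 i
 *>  10.1.2.0/24      0.0.0.0                  0         32768 i
 *>  10.1.0.0/16      0.0.0.0                  0         32768 i
"""


def parse_eids(config):
    """EID prefixes from database-mapping lines (IPv4 and IPv6)."""
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(r"database-mapping\s+(\S+/\d+)", config)]


def parse_advertised(listing):
    """Every prefix-looking token in an advertised-routes listing."""
    nets = []
    for tok in listing.split():
        if "/" in tok:
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # not a prefix (e.g. a header word)
    return nets


def find_leaks(eids, advertised):
    """(advertised, eid, relation) for each conflict.

    relation: 'exact', 'more-specific' (advertised lies inside the EID)
    or 'covers' (an advertised aggregate contains the EID).  An aggregate
    is a leak too: the PE installs it and native-routes the EID traffic.
    """
    leaks = []
    for adv in advertised:
        for eid in eids:
            if adv.version != eid.version:
                continue
            if adv == eid:
                leaks.append((adv, eid, "exact"))
            elif adv.subnet_of(eid):
                leaks.append((adv, eid, "more-specific"))
            elif eid.subnet_of(adv):
                leaks.append((adv, eid, "covers"))
    return leaks


def audit(config=XTR_CONFIG, listing=BGP_ADVERTISED):
    """Sorted human-readable findings; an empty list means the filter holds."""
    leaks = find_leaks(parse_eids(config), parse_advertised(listing))
    return sorted(f"{adv} {rel} EID {eid}" for adv, eid, rel in leaks)


if __name__ == "__main__":
    for finding in audit():
        print("LEAK:", finding)
```

The covering-aggregate case is the one a prefix-list written as an exact-match deny misses: a summary such as 10.1.0.0/16 passes the filter, the PE installs it, and traffic for the EIDs is native-routed around the overlay. On a live box, feed the script the output of the show commands instead of the constructed strings.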
LISP Multihoming and Multi-AF: LISP and MPLS Integration
2: Add IPv6 over IPv4 MPLS with LISP
[Diagram: same IPv4 MPLS topology; the Blue sites now also carry IPv6 behind their xTRs, while the CE-PE links and the SP core stay IPv4-only; "route-map deny EIDs out" still applied]

PE2#show ipv6 route vrf Blue
% Specified IPv6 routing table does not exist
PE2#
(IPv6 not enabled on the PE!)

CE1#show run | begin router lisp
---<skip>---
router lisp
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100
  exit
 !
 ipv6 itr map-resolver 12.1.0.2
 ipv6 itr
 ipv6 etr map-server 12.1.0.2 key ce1-xtr
 ipv6 etr
 exit
!
---<more>---
CE1#
(2001:db8:a:a::/64: IPv6 EIDs!!, registered behind the IPv4 RLOC 12.1.0.2)
LISP Multihoming and Multi-AF: LISP and MPLS Integration
2: Add IPv6 over IPv4 MPLS with LISP
[Diagram: same topology; IPv6 EIDs at the Blue sites, IPv4-only CE-PE links and core; "route-map deny EIDs out"]

CE1#ping 2001:db8:b:b::1 so 2001:db8:a:a::1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 2001:db8:b:b::1, timeout is 2 seconds:
Packet sent with a source address of 2001:db8:a:a::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
CE1#

CE1#show ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 3 entries

::/0, uptime: 6w0d, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
2001:DB8:B:B::/64, uptime: 00:01:17, expires: 23:58:36, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.0.2  00:00:06  up     1/100
---<more>---
CE1#
(2001:DB8:B:B::/64: the other site's IPv6 EIDs!!   12.3.0.2: PE-CE link – IPv4 RLOC!!)

LISP Disjointed RLOC Space
LISP – Disjointed RLOC Space Feature: Disjointed Locator Space Support
Locator/ID separation creates two namespaces: EIDs and RLOCs
– EID space is the overlay of enterprise prefixes
– RLOC space is the underlay network connectivity
The fundamental principle of any network is that connectivity must exist between sites
LISP supports sites being connected to locator spaces that have no connectivity to each other!
– In LISP, this is known as a "disjointed RLOC set"
[Diagram: xTRs attached to three locator spaces with no mutual connectivity: the IPv4 Internet (0.0.0.0/0), the IPv6 Internet (::/0) and an MPLS VPN core; plus an MSMR and an RTR (re-encapsulating tunnel router)]
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space
[Diagram (topology used for the rest of this example):
– IPv4 Internet 0.0.0.0/0 = scope 1; IPv6 Internet ::/0 = scope 2
– xTR4: RLOC on 10.0.4.0/30 (IPv4 only); EIDs 4.4.4.0/24 and 4:4:4::/48
– xTR6: RLOC on 10:0:6::/64 (IPv6 only); EIDs 6.6.6.0/24 and 6:6:6::/48
– MSMR: 10.0.2.1 / 10:0:2::1 (a locator in each scope)
– RTR: 10.0.3.1 / 10:0:3::1 (a locator in each scope)]
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space
[Diagram: topology as above]
xTR4 configuration:
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ipv6 address 4:4:4::4/64
!
interface LISP0
!
interface Ethernet0/0
 description Conn to R1 Core (v4 only)
 ip address 10.0.4.1 255.255.255.252
!
router lisp
 locator-set R4
  10.0.4.1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 4.4.4.0/24 locator-set R4
  database-mapping 4:4:4::/48 locator-set R4
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.0.2.1
 ipv4 etr map-server 10.0.2.1 key R4KEY
 ipv4 use-petr 10.0.3.1
 ipv6 itr
 ipv6 etr
 ipv6 etr map-server 10.0.2.1 key R4KEY
 ipv6 itr map-resolver 10.0.2.1
 ipv6 use-petr 10.0.3.1
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.4.2
Normal xTR configuration: IPv4-only RLOC; IPv4 and IPv6 EIDs
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space
[Diagram: topology as above]
xTR6 configuration:
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
 ipv6 address 6:6:6::6/64
!
interface LISP0
!
interface Ethernet0/0
 description Conn to R1 Core (v6 only)
 ipv6 address 10:0:6::1/64
!
router lisp
 locator-set R6
  10:0:6::1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 0
  database-mapping 6.6.6.0/24 locator-set R6
  database-mapping 6:6:6::/48 locator-set R6
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10:0:2::1
 ipv4 etr map-server 10:0:2::1 key R6KEY
 ipv4 use-petr 10:0:3::1
 ipv6 itr
 ipv6 etr
 ipv6 etr map-server 10:0:2::1 key R6KEY
 ipv6 itr map-resolver 10:0:2::1
 ipv6 use-petr 10:0:3::1
 exit
!
ipv6 route ::/0 10:0:6::2
Normal xTR configuration: IPv6-only RLOC; IPv4 and IPv6 EIDs
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space
[Diagram: topology as above]
Map-Server (MSMR) configuration:
!
interface Ethernet0/0
 description Conn to R1 Core (v4 and v6)
 ip address 10.0.2.1 255.255.255.252
 ipv6 address 10:0:2::1/64
!
router lisp
 locator-set v4-rtr-set
  10.0.3.1 priority 1 weight 1
  exit
 !
 locator-set v6-rtr-set
  10:0:3::1 priority 1 weight 1
  exit
 !
 locator-scope v4-net
  rtr-locator-set v4-rtr-set
  rloc-prefix 0.0.0.0/0
  exit
 !
 locator-scope v6-net
  rtr-locator-set v6-rtr-set
  rloc-prefix ::/0
  exit
 !
 site R4
  authentication-key R4KEY
  eid-prefix 4.4.4.0/24
  eid-prefix 4:4:4::/48
  exit
 !
 site R6
  authentication-key R6KEY
  eid-prefix 6.6.6.0/24
  eid-prefix 6:6:6::/48
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv6 map-server
 ipv6 map-resolver
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.2.2
ipv6 route ::/0 10:0:2::2
!
Map-Server configuration: define the "locator-scopes" and the "rtr-set" that serves each of them
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space
[Diagram: topology as above]
RTR configuration:
interface Ethernet0/0
 description Conn to R1 Core (v4 and v6)
 ip address 10.0.3.1 255.255.255.252
 ipv6 address 10:0:3::1/64
!
router lisp
 locator-set setALL
  10.0.3.1 priority 1 weight 1
  10:0:3::1 priority 1 weight 1
  exit
 !
 map-request itr-rlocs setALL
 eid-table default instance-id 0
  map-cache 0.0.0.0/0 map-request
  map-cache ::/0 map-request
  exit
 !
 ipv4 map-request-source 10.0.3.1
 ipv4 map-cache-limit 100000
 ipv4 proxy-etr
 ipv4 proxy-itr 10.0.3.1 10:0:3::1
 ipv4 itr map-resolver 10.0.2.1
 ipv4 itr map-resolver 10:0:2::1
 ipv6 map-request-source 10:0:3::1
 ipv6 map-cache-limit 100000
 ipv6 proxy-etr
 ipv6 proxy-itr 10:0:3::1 10.0.3.1
 ipv6 itr map-resolver 10.0.2.1
 ipv6 itr map-resolver 10:0:2::1
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.3.2
ipv6 route ::/0 10:0:3::2
!
RTR configuration: define the "rtr RLOCs" (locator-set setALL holds one locator in each scope)
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above; legend: native, lisp-encap, map-req, map-rep; data plane vs. control plane]

xTR4#sh ip lisp database
---<skip>---
4.4.4.0/24, locator-set R4
  Locator   Pri/Wgt  Source    State
  10.0.4.1  1/1      cfg-addr  site-self, reachable
xTR4#sh ipv6 lisp database
---<skip>---
4:4:4::/48, locator-set R4
  Locator   Pri/Wgt  Source    State
  10.0.4.1  1/1      cfg-addr  site-self, reachable
xTR4#

xTR6#sh ip lisp database
---<skip>---
6.6.6.0/24, locator-set R6
  Locator    Pri/Wgt  Source    State
  10:0:6::1  1/1      cfg-addr  site-self, reachable
xTR6#sh ipv6 lisp database
---<skip>---
6:6:6::/48, locator-set R6
  Locator    Pri/Wgt  Source    State
  10:0:6::1  1/1      cfg-addr  site-self, reachable
xTR6#
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

MSMR#sh lisp site detail
---<skip>---
Site name: R4
---<skip>---
  EID-prefix: 4.4.4.0/24
  ---<skip>---
    ETR 10.0.4.1, last registered 00:00:52, no proxy-reply, map-notify
      TTL 1d00h, no merge, hash-function sha1, nonce …
      state complete, no security-capability
      xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6
      site-ID unspecified
      Locator   Local  State  Pri/Wgt  Scope
      10.0.4.1  yes    up     1/1      v4-net
  EID-prefix: 4:4:4::/48
  ---<skip>---
    ETR 10.0.4.1, last registered 00:00:39, no proxy-reply, map-notify
      TTL 1d00h, no merge, hash-function sha1, nonce …
      state complete, no security-capability
      xTR-ID 0xEC52ECC2-0x006CEAFE-0x814263B3-0x89675EB6
      site-ID unspecified
      Locator   Local  State  Pri/Wgt  Scope
      10.0.4.1  yes    up     1/1      v4-net
---<skip>---
(The MS has placed xTR4's only locator in scope v4-net)
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

MSMR#sh lisp site detail
---<skip>---
Site name: R6
---<skip>---
  EID-prefix: 6.6.6.0/24
  ---<skip>---
    ETR 10:0:6::1, last registered 00:00:26, no proxy-reply, map-notify
      TTL 1d00h, no merge, hash-function sha1, nonce …
      state complete, no security-capability
      xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429
      site-ID unspecified
      Locator    Local  State  Pri/Wgt  Scope
      10:0:6::1  yes    up     1/1      v6-net
  EID-prefix: 6:6:6::/48
  ---<skip>---
    ETR 10:0:6::1, last registered 00:00:27, no proxy-reply, map-notify
      TTL 1d00h, no merge, hash-function sha1, nonce …
      state complete, no security-capability
      xTR-ID 0x4C8D6115-0xEC9AF511-0x5A21D580-0x3D2E2429
      site-ID unspecified
      Locator    Local  State  Pri/Wgt  Scope
      10:0:6::1  yes    up     1/1      v6-net
---<skip>---
(The MS has placed xTR6's only locator in scope v6-net)
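The "hash-function sha1" and the per-site "authentication-key" in the output above are the only thing that binds a registration to a site: the Map-Server accepts an EID-to-RLOC mapping for site R4 only if the Map-Register carries a MAC computed under R4's key. The following is an added example, not the seminar's or Cisco's code, that builds an RFC 6830 Map-Register for site R4 (EID 4.4.4.0/24, RLOC 10.0.4.1, key R4KEY, all as on the slides) and verifies its Authentication Data the way a Map-Server must: HMAC-SHA-1-96 (Key ID 1) or HMAC-SHA-256-128 (Key ID 2) over the whole message with the Authentication Data field zeroed. The TTL, priority/weight and flag values are assumptions for the example.

```python
"""Map-Register authentication (added example, not the seminar's or Cisco's code).

Builds an RFC 6830 Map-Register for the slides' site R4 (EID 4.4.4.0/24,
RLOC 10.0.4.1, key R4KEY) and checks its Authentication Data the way a
Map-Server must: a MAC over the whole message with the Authentication
Data field zeroed.  Key ID 1 = HMAC-SHA-1-96, Key ID 2 = HMAC-SHA-256-128
(RFC 6830 section 6.1.6); "hash-function sha1" in the MSMR output is Key ID 1.
TTL, priority/weight and flag values below are assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct

# Key ID -> (hash constructor, truncated MAC length in bytes)
ALGS = {1: (hashlib.sha1, 12), 2: (hashlib.sha256, 16)}

# The slides' per-site shared secrets (the MS "site ... authentication-key").
SITE_KEYS = {"R4": b"R4KEY", "R6": b"R6KEY"}


def encode_record(eid, rlocs, ttl=1440, act=0, authoritative=True):
    """One EID-to-RLOC record: TTL | loc count | mask-len | ACT,A | ver | AFI | EID | locators."""
    net = ipaddress.ip_network(eid, strict=False)
    afi = 1 if net.version == 4 else 2
    flags = (act << 13) | (int(authoritative) << 12)   # ACT(3) A(1) reserved(12)
    rec = struct.pack("!IBBHHH", ttl, len(rlocs), net.prefixlen, flags, 0, afi)
    rec += net.network_address.packed
    for addr, pri, wgt in rlocs:
        ip = ipaddress.ip_address(addr)
        loc_afi = 1 if ip.version == 4 else 2
        # pri | wgt | mpri | mwgt | unused(13) L p R | Loc-AFI | locator ; L=local, R=reachable
        rec += struct.pack("!BBBBHH", pri, wgt, 255, 255, 0b101, loc_afi) + ip.packed
    return rec


def build_map_register(key, key_id, records, proxy_reply=False, want_notify=True):
    """Type=3 | P | reserved | M | record count ; nonce(8, zero) ; key id ; auth len ; MAC ; records."""
    alg, mac_len = ALGS[key_id]
    word0 = (3 << 28) | (int(proxy_reply) << 27) | (int(want_notify) << 8) | len(records)
    head = struct.pack("!IQHH", word0, 0, key_id, mac_len)  # RFC 6830: nonce is 0 here
    body = b"".join(records)
    mac = hmac.new(key, head + b"\x00" * mac_len + body, alg).digest()[:mac_len]
    return head + mac + body


def verify_map_register(key, msg):
    """Map-Server side: recompute the MAC with the auth field zeroed, compare in constant time."""
    if len(msg) < 16 or msg[0] >> 4 != 3:
        return False
    key_id, mac_len = struct.unpack("!HH", msg[12:16])
    if key_id not in ALGS or ALGS[key_id][1] != mac_len or len(msg) < 16 + mac_len:
        return False
    received = msg[16:16 + mac_len]
    zeroed = msg[:16] + b"\x00" * mac_len + msg[16 + mac_len:]
    expected = hmac.new(key, zeroed, ALGS[key_id][0]).digest()[:mac_len]
    return hmac.compare_digest(received, expected)


def demo_register():
    """(valid under R4KEY, valid under R6KEY, valid after flipping one locator bit)."""
    rec = encode_record("4.4.4.0/24", [("10.0.4.1", 1, 1)])
    msg = build_map_register(SITE_KEYS["R4"], 1, [rec])
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01                      # 10.0.4.1 -> 10.0.4.0 in the locator field
    return (verify_map_register(SITE_KEYS["R4"], msg),
            verify_map_register(SITE_KEYS["R6"], msg),
            verify_map_register(SITE_KEYS["R4"], bytes(tampered)))


if __name__ == "__main__":
    print(demo_register())  # (True, False, False)
```

The check rejects a registration signed under another site's key and any change to a record, which is what stops site R6 from registering 4.4.4.0/24 with its own locator. Two limits of the base protocol are worth keeping in mind: RFC 6830 sets the Map-Register nonce to zero, so a captured registration can be replayed until its TTL expires, and the keys are per-site shared secrets, so the Map-Server configuration is itself a key store and should be treated as one.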
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

RTR#sh ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries

0.0.0.0/0, uptime: 00:00:04, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
RTR#
RTR#sh ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 1 entries

::/0, uptime: 00:00:05, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
RTR#
(Before any traffic: only the static map-request defaults from the RTR's "map-cache ... map-request" lines)
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed R LOC Space Example – Flows
[Diagram: topology as above]
Step 1: xTR4 receives a native packet 4:4:4::4 -> 6:6:6::6
How do I forward to 6:6:6::6?
1. Check FIB – NO
2. Check map-cache – NO
3. Maybe 6:6:6::6 is a LISP destination? Send Map-Request
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 2: xTR4 sends an encapsulated Map-Request (LISP ECM, UDP 4342) 10.0.4.1 -> 10.0.2.1
  Type 1 (map-request), nonce
  src-eid: [2] 4:4:4::4        ([2] = AFI 2, IPv6)
  itr-rloc: 10.0.4.1
  record-1: [2] 6:6:6::6

xTR4#
*Aug 25 01:00:32.108: LISP-0: AF IPv6, Sending map-request from 4:4:4::4 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 1, nonce 0xA0E6CC5A-0x7A1D2EEC (encap src 10.0.4.1, dst 10.0.2.1).
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 2 (at the MSMR): received Map-Request for 6:6:6::6
1. ETR RLOC is in scope v6-net (10:0:6::1)
2. ITR RLOC is in scope v4-net (10.0.4.1)
3. Disjoint scope – YES
4. Send a proxy Map-Reply with RTR 10.0.3.1
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

MSMR#
*Aug 25 01:11:45.734: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.4.1:4342 to 10.0.2.1:4342
*Aug 25 01:11:45.734: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 4:4:4::4.4342 to 6:6:6::6.4342
*Aug 25 01:11:45.734: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.4.1, records 1, nonce 0x5A0206C2-0xF706E61B
*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, No common scopes between ITR and ETR RLOCs, proxy reply.
*Aug 25 01:11:45.734: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Sending scope forced proxy reply to 10.0.4.1.

Step 3: MSMR sends a proxy Map-Reply (UDP 4342) 10.0.2.1 -> 10.0.4.1
  Type 2 (map-reply) [P], nonce/TTL
  6:6:6::/48 -> locator 10.0.3.1 [pri 1, wgt 1]
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

xTR4#show ipv6 lisp map-cache
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries
---<skip>---
6:6:6::/48, uptime: 00:02:18, expires: 00:12:44, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.0.3.1  00:02:18  up     1/1
xTR4#

Step 4: xTR4 encapsulates 4:4:4::4 -> 6:6:6::6 in 10.0.4.1 -> 10.0.3.1 (IPv6 over the IPv4 RLOC space); the RTR decapsulates
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 4 (at the RTR): decapsulated packet 4:4:4::4 -> 6:6:6::6. How do I forward to 6:6:6::6?
1. Check FIB – NO
2. Check map-cache (send map-req)
Send Map-Request…
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

RTR#
*Aug 25 01:18:17.328: LISP-0: AF IPv6, Sending map-request from 10:0:3::1 to 6:6:6::6 for EID 6:6:6::6/128, ITR-RLOCs 2, nonce 0xC437B6B6-0xCD1B12C2 (encap src 10.0.3.1, dst 10.0.2.1), FromPITR.

Step 5: RTR sends an encapsulated Map-Request (LISP ECM, UDP 4342) 10.0.3.1 -> 10.0.2.1
  Type 1 (map-request), nonce
  src-eid: [2] 10:0:3::1
  itr-rloc: 10.0.3.1
  itr-rloc: 10:0:3::1
  record-1: [2] 6:6:6::6
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 5 (at the MSMR): received Map-Request for 6:6:6::6
1. ETR RLOC is in scope v6-net (10:0:6::1)
2. PITR RLOCs are in scope v4-net (10.0.3.1) and scope v6-net (10:0:3::1)
3. Disjoint scope – NO
4. Forward the Map-Request to 10:0:6::1

MSMR#
*Aug 25 01:36:16.684: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10.0.3.1:4342 to 10.0.2.1:4342
*Aug 25 01:36:16.684: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342
*Aug 25 01:36:16.685: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x098BDC65-0xE6054A2F, FromPITR
*Aug 25 01:36:16.685: LISP-0: MS EID IID 0 prefix 6:6:6::/48 site R6, Forwarding map request to ETR RLOC 10:0:6::1.

Step 6: MSMR forwards the Map-Request (LISP ECM, UDP 4342) 10:0:2::1 -> 10:0:6::1
  Type 1 (map-request), nonce
  src-eid: [2] 10:0:3::1
  itr-rloc: 10.0.3.1
  itr-rloc: 10:0:3::1
  record-1: [2] 6:6:6::6
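The two MSMR decisions shown above are the whole feature: for the same EID, xTR4's request gets a scope-forced proxy reply naming the RTR, while the RTR's re-originated request is forwarded to the ETR, and the only difference between them is which locator-scopes the ITR-RLOCs fall into. The following is an added example, not Cisco's implementation, that reconstructs that rule in Python using the slides' MSMR configuration (scope v4-net = 0.0.0.0/0 with rtr-set 10.0.3.1, scope v6-net = ::/0 with rtr-set 10:0:3::1) and the two Map-Requests from the flow. The data structures and function names are mine, and returning the rtr-set of the ITR's own scope is my reading of the proxy reply that carried 10.0.3.1.

```python
"""Map-Server locator-scope decision (added example, not Cisco's implementation).

Reconstructs, from the two MSMR debug outputs above, the rule behind
"No common scopes between ITR and ETR RLOCs, proxy reply" versus
"Forwarding map request to ETR RLOC".  Scopes, rtr-sets and addresses are
the slides' MSMR configuration; the data structures and function names
are mine, and returning the rtr-set of the ITR's own scope is my reading
of the proxy reply that carried 10.0.3.1.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class LocatorScope:
    name: str
    rloc_prefixes: list   # the scope's "rloc-prefix" lines
    rtr_locators: list    # its "rtr-locator-set": RTR RLOCs reachable from inside this scope

    def contains(self, rloc):
        # ipaddress: an IPv4 address is never "in" an IPv6 prefix (and vice versa)
        return any(rloc in p for p in self.rloc_prefixes)


# locator-scope v4-net / v6-net exactly as on the MSMR configuration slide
SCOPES = [
    LocatorScope("v4-net", [NET("0.0.0.0/0")], [IP("10.0.3.1")]),
    LocatorScope("v6-net", [NET("::/0")], [IP("10:0:3::1")]),
]


def scopes_of(rloc, scopes=SCOPES):
    """Names of every scope whose rloc-prefix covers this RLOC."""
    return {s.name for s in scopes if s.contains(rloc)}


def decide(itr_rlocs, etr_rlocs, scopes=SCOPES):
    """Return ("forward", etr_rlocs) or ("proxy-reply", rtr_rlocs).

    If any ITR-RLOC in the Map-Request shares a scope with any RLOC the
    ETR registered, the request is forwarded to the ETR as usual and the
    ETR answers with its real locators.  If not, the ITR could never reach
    those locators, so the MS answers itself with the RTR locators of the
    ITR's scope(s); the ITR then encapsulates to an RTR it can reach.
    """
    itr_scopes = set().union(*(scopes_of(r, scopes) for r in itr_rlocs))
    etr_scopes = set().union(*(scopes_of(r, scopes) for r in etr_rlocs))
    if itr_scopes & etr_scopes:
        return "forward", list(etr_rlocs)
    rtrs = [loc for s in scopes if s.name in itr_scopes for loc in s.rtr_locators]
    return "proxy-reply", rtrs


# site R6 registered 6:6:6::/48 with its IPv6-only RLOC
ETR_R6 = [IP("10:0:6::1")]


def xtr4_request():
    """xTR4's Map-Request: ITR-RLOC 10.0.4.1 only -> scope-forced proxy reply."""
    return decide([IP("10.0.4.1")], ETR_R6)


def rtr_request():
    """The RTR's re-originated Map-Request: ITR-RLOCs in both scopes -> forward."""
    return decide([IP("10.0.3.1"), IP("10:0:3::1")], ETR_R6)


if __name__ == "__main__":
    print(xtr4_request())  # ('proxy-reply', [IPv4Address('10.0.3.1')])
    print(rtr_request())   # ('forward', [IPv6Address('10:0:6::1')])
```

One consequence the flow makes visible: every cross-scope packet is decapsulated and re-encapsulated by the RTR, so the RTR sees both sites' inner traffic and the rtr-locator-set lines on the Map-Server are trust configuration, not just reachability hints.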
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 6 (at xTR6): received Map-Request for 6:6:6::6
1. ETR RLOC is 10:0:6::1
2. PITR RLOCs are 10.0.3.1 and 10:0:3::1
3. Send Map-Reply to 10:0:3::1
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 7: xTR6 sends a Map-Reply (UDP 4342) 10:0:6::1 -> 10:0:3::1
  Type 2 (map-reply), nonce/TTL
  6:6:6::/48 -> locator 10:0:6::1 [pri 1, wgt 1]

xTR6#
*Aug 25 01:46:56.022: LISP: Processing received Encap-Control(8) message on Ethernet0/0 from 10:0:2::1.4342 to 10:0:6::1.4342
*Aug 25 01:46:56.022: LISP: Processing received Map-Request(1) message on Ethernet0/0 from 10:0:3::1.4342 to 6:6:6::6.4342
*Aug 25 01:46:56.022: LISP: Received map request for IID 0 6:6:6::6/128, source_eid IID 0 4:4:4::4, ITR-RLOCs: 10.0.3.1 10:0:3::1, records 1, nonce 0x634D8861-0xDBA36771, FromPITR
*Aug 25 01:46:56.022: LISP: Processing map request record for EID prefix IID 0 6:6:6::6/128
*Aug 25 01:46:56.022: LISP-0: Sending map-reply from 10:0:6::1 to 10:0:3::1.
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]

RTR#show ipv6 lisp map-cache
---<skip>---
6:6:6::/48, uptime: 00:05:17, expires: 23:54:53, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10:0:6::1  00:05:17  up     1/1
RTR#
LISP – Disjointed RLOC Space Example: Cross Address-Family Disjointed RLOC Space Example – Flows
[Diagram: topology as above]
Step 8: with the mapping for 6:6:6::/48 now in its map-cache (see the previous slide), the RTR re-encapsulates 4:4:4::4 -> 6:6:6::6 in 10:0:3::1 -> 10:0:6::1 (IPv6 over the IPv6 RLOC space)
Step 9: xTR6 decapsulates and delivers the native packet 4:4:4::4 -> 6:6:6::6
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar: LISP Virtualization/VPN Support
TECRST-3191
Gregg Schudel, LISP Technical Marketing Engineer
[email protected] CCIE #9591
LISP and Virtualization/VPN Overview
LISP Virtualization/VPNs: Efficient Virtualization/Multi-Tenancy Support – Concepts
Deploying a PHYSICAL network infrastructure requires large investments (for Enterprises and Service Providers alike)
Groups within organizations often want their own topologies and control of their own destiny
Many factors make deploying multiple PHYSICAL infrastructures undesirable
– Stranded capacity (underutilized bandwidth, processors, etc.) costs $$
– Power, cooling, rack space, etc. cost $$
– CapEx costs $$
– OpEx costs $$
LISP Virtualization/VPNs: Efficient Virtualization/Multi-Tenancy Support – Concepts
Virtualization creates multiple VIRTUAL topologies across one common PHYSICAL infrastructure
[Diagram: one actual physical network infrastructure carrying three virtual topologies, one each for User Group A, User Group B and User Group C]
LISP Virtualization/VPNs: Efficient Virtualization/Multi-Tenancy Support – Concepts
Virtualization at the DEVICE level
– Virtual Routing and Forwarding (VRF) tables segment Layer 3 routing tables
– VRFs are used to virtualize the component resources
– Virtualization secures movement of traffic between networks and enhances security policy options
Virtualization at the PATH level
– VRFs assist in path isolation
– Single-hop (hop-by-hop)
– Multi-hop (over-the-top)
[Diagram: device-level tables VRF-1, VRF-2 and Global IP; path-level technologies 802.1q, DLCI, VPI/VCI, PW, EVN (hop-by-hop) and GRE, MPLS, LISP (over-the-top), with LISP highlighted]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs… LISP can virtualize the EID side, the RLOC side, or both!
Two models of operation are defined: Shared and Parallel
– Shared Model Virtualization:
  • Virtualizes the EID namespaces
  • Binds an EID namespace privately defined using a VRF to an Instance-ID
  • Uses a common (shared) RLOC (locator) address space
  • The Mapping System is also part of the locator namespace and is shared
– Parallel Model Virtualization:
  • Virtualizes the RLOC (locator) namespaces
  • One or more EID instances may share a virtualized RLOC namespace
  • A Mapping System must also be part of each locator namespace
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
RLOC virtualization is enabled in conjunction with locator table VRFs
EID virtualization uses LISP Instance-IDs in conjunction with EID VRFs
– Instance-IDs maintain address space segmentation in the control plane and the data plane
– Instance-IDs are numerical tags defined in LISP Canonical Address Format (LCAF)
  • IID: a 24-bit unstructured number
  • Data Plane: the IID is included in the LISP encapsulation header
  • Control Plane: the IID is encoded with the EID in the LCAF header
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
Default (non-Virtualized) Model – at the device level
– Conceptually, the Default Model is just a single Parallel Model instance
– All EID lookups are in the same single table – default
– Thus, EIDs are associated with Instance-ID 0
– All RLOC lookups are in a single table – default
– The Mapping System is part of the locator address space
[Diagram: a single EID namespace (default table) facing the VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks; direct connect, IGP, etc.) and a single, shared RLOC namespace (default table or RLOC VRF)]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
Shared Model – at the device level
– Multiple EID-prefixes are allocated privately using VRFs
– EID lookups are in the VRF associated with an Instance-ID
– All RLOC lookups are in a single table – (default/global or RLOC VRF)
– The Mapping System is part of the locator address space and is shared
[Diagram: EID namespaces VRF Pink (IID 1) and VRF Blue (IID 2) plus the default table, each facing its own VPN (MPLS, 802.1Q, VRF-Lite, or separate networks), all sharing a single RLOC namespace (default table or RLOC VRF)]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
Parallel Model – at the device level
– Multiple EID-prefixes are allocated privately using VRFs
– EID lookups are in the VRF associated with an Instance-ID
– RLOC lookups are in the VRF associated with the locator table
– A Mapping System must be part of each locator address space
[Diagram: EID namespaces VRF Pink (IID 1) and VRF Blue (IID 2) plus the default table, each facing its own VPN (MPLS, 802.1Q, VRF-Lite, or separate networks); the Pink EID table uses the Pink RLOC namespace and the Blue EID table uses the Blue RLOC namespace]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Concepts
Shared and Parallel Models Combined – at the device level
– Multiple “Shared Model” instantiations combined with multiple “Parallel Model” instantiations
– Multiple EID VRFs bound to a single RLOC VRF
– Multiple RLOC VRFs on the same device
[Diagram: on one device, VRF-1 (IID 101), VRF-2 (IID 102) and VRF-3 (IID 103) for Cust1, Cust2 and Cust3 are bound to the Pink RLOC namespace, while VRF-A (IID 901), VRF-B (IID 902) and VRF-C (IID 903) for CustA, CustB and CustC are bound to the Blue RLOC namespace; each EID VRF faces its own VPN (MPLS, 802.1Q, VRF-Lite, or separate networks)]
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs – Overview
All VPNs share a set of common requirements
1. Encapsulation:
  ‒ Includes some form of data plane encoding for per-tenant segmentation
    • Otherwise, one tunnel per structure (not scalable)
2. Site to Site Routing:
  ‒ Creates an extension to the existing enterprise internal routing and topology
    • Agnostic to core networks
    • Allows NAT, DHCP, etc.
3. Security:
  ‒ Built-in or Add-on
    • The protocol itself includes basic features
    • Addition of Confidentiality, Integrity, and Authentication as needed
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs – Overview
All VPNs share a set of common requirements
1. Encapsulation:
  ‒ LISP Data Plane and Control Plane encoding for per-tenant segmentation
    • LISP IID per EID VRF
    • RLOC virtualization
2. Site to Site Routing:
  ‒ Site-to-Site, hub-spoke, optional local offload (split tunnel)
  ‒ No IGP required to branch sites!
  ‒ Disjointed RLOCs, NAT, DHCP, etc.
3. Security:
  ‒ Built-in or Add-on
    • LISP control and data plane measures
    • LISP-SEC and other optional features
    • GDOI and IPsec on the EID or RLOC side
LISP VPN: Routing? or Tunneling? -- It’s BOTH!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs – Overview
LISP – inherently scalable and virtualized, rapidly deployable
Scalability (# of VPN sites): Unconstrained
  • No protocol constraint
  • 100K concurrent site connections
VPN site-to-site routing: Unnecessary
  • No site-to-site routing required
  • No VPN route injection into the core
  • LISP / Non-LISP site interworking through PxTR
Secure Segmentation: 24-bit Instance ID with VRF
  • 16M unique VPN classifiers
  • Used by the LISP control plane and data plane
  • Optional data plane encryption with GETVPN
Performance: Optimal Path (P2P), Load balancing
  • Shortest path between LISP sites
  • Equal cost/unequal cost load balancing
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs – Overview
Generalized LISP Shared Model deployment
[Diagram: xTR1, xTR2 and xTR3 (LISP routers) connected across a shared RLOC Name Space (IPv4/IPv6) containing non-LISP routers and the MS/MR; EID Name Spaces (IPv4/IPv6) sit behind each xTR; encapsulated packets are shown as RLOC | LISP Hdr (IID 1 or IID 2) | EID | Data]
xTR (Single Tenant)
  • Accommodates a single customer
  • Deployed for the CPE Overlay model
  • Located at the customer site
xTR (Multi-Tenant)
  • Accommodates multiple customers
  • Deployed for the PE model
  • Located at the Edge layer, DC or customer site
MS/MR
  • Shared by multiple customers
  • Located in the RLOC name space
Sites in the example:
  xTR1 – User Blue: EID 192.168.1.0/24, IID 1, VRF Blue
  xTR2 – User Red: EID 192.168.1.0/24, IID 2, VRF Red
  xTR3 – User Blue: EID 192.168.2.0/24, IID 1, VRF Blue; User Red: EID 192.168.2.0/24, IID 2, VRF Red
Mapping System contents:
  IID  EID             RLOC
  1    192.168.1.0/24  xTR1
  1    192.168.2.0/24  xTR3
  2    192.168.1.0/24  xTR2
  2    192.168.2.0/24  xTR3
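As an added illustration (not part of the seminar material or of any Cisco code), the following Python models the two IID encodings named earlier and the shared-model mapping table above: the data-plane header with the I-bit set carrying a 24-bit Instance ID, the LCAF Type 2 wrapper that carries the IID together with an EID in control-plane messages, and a lookup keyed on (IID, EID) so that User Blue's and User Red's identical 192.168.1.0/24 resolve to different RLOCs. Field layouts follow RFC 6830 and RFC 8060; the table contents are the slide's.

```python
import ipaddress
import struct

# LISP data-plane header flag bits (first byte of the 8-byte header, RFC 6830)
FLAG_N, FLAG_L, FLAG_E, FLAG_V, FLAG_I = 0x80, 0x40, 0x20, 0x10, 0x08
LCAF_AFI = 16387            # AFI value announcing an LCAF-encoded address (RFC 8060)
LCAF_TYPE_INSTANCE_ID = 2   # LCAF type that pairs an Instance ID with an EID
AFI_IPV4, AFI_IPV6 = 1, 2
IID_MAX = 1 << 24           # the slide's "24-bit unstructured number"

# Mapping System contents from the slide, keyed on (IID, EID-prefix):
# Blue and Red both use 192.168.1.0/24 and are told apart only by the IID.
MAPPING = {
    (1, "192.168.1.0/24"): "xTR1",
    (1, "192.168.2.0/24"): "xTR3",
    (2, "192.168.1.0/24"): "xTR2",
    (2, "192.168.2.0/24"): "xTR3",
}


def encode_data_header(iid, nonce, lsbs=0x01):
    """Build the LISP header with N and I set: word 1 = flags + 24-bit nonce,
    word 2 = 24-bit Instance ID + 8 Locator-Status-Bits (instead of 32 LSBs)."""
    if not 0 <= iid < IID_MAX:
        raise ValueError("Instance ID must fit in 24 bits")
    word1 = ((FLAG_N | FLAG_I) << 24) | (nonce & 0xFFFFFF)
    word2 = (iid << 8) | (lsbs & 0xFF)
    return struct.pack("!II", word1, word2)


def decode_data_header(hdr):
    """Parse the header; the IID exists only when the I-bit is set, otherwise
    the packet belongs to the default table (IID 0) and word 2 is all LSBs."""
    word1, word2 = struct.unpack("!II", hdr[:8])
    flags = word1 >> 24
    nonce = (word1 & 0xFFFFFF) if flags & FLAG_N else None
    if flags & FLAG_I:
        return {"nonce": nonce, "iid": word2 >> 8, "lsbs": word2 & 0xFF}
    return {"nonce": nonce, "iid": None, "lsbs": word2}


def encode_lcaf_iid_eid(iid, prefix):
    """Control plane: wrap an EID in LCAF Type 2 so the IID travels with it.
    Layout: AFI=16387 | Rsvd1 | Flags | Type=2 | IID mask-len | Length |
    Instance ID (32 bits) | AFI | address.  The EID prefix length is carried
    by the enclosing record, not by the LCAF, so only the address is packed."""
    if not 0 <= iid < IID_MAX:
        raise ValueError("Instance ID must fit in 24 bits")
    net = ipaddress.ip_network(prefix, strict=True)
    afi = AFI_IPV4 if net.version == 4 else AFI_IPV6
    body = struct.pack("!IH", iid, afi) + net.network_address.packed
    return struct.pack("!HBBBBH", LCAF_AFI, 0, 0, LCAF_TYPE_INSTANCE_ID,
                       0, len(body)) + body


def decode_lcaf_iid_eid(buf):
    """Inverse of encode_lcaf_iid_eid; returns (iid, network address string)."""
    afi, _rsvd, _flags, typ, _iid_mlen, length = struct.unpack("!HBBBBH", buf[:8])
    if afi != LCAF_AFI or typ != LCAF_TYPE_INSTANCE_ID:
        raise ValueError("not an LCAF Instance ID encoded EID")
    iid, eid_afi = struct.unpack("!IH", buf[8:14])
    alen = 4 if eid_afi == AFI_IPV4 else 16
    if length != 6 + alen or len(buf) < 14 + alen:
        raise ValueError("LCAF length does not match the address family")
    return iid, str(ipaddress.ip_address(buf[14:14 + alen]))


def lookup(mapping, iid, eid):
    """Longest-prefix match inside one Instance ID only: a lookup never
    crosses into another tenant's table, even for an identical prefix."""
    addr = ipaddress.ip_address(eid)
    best = None
    for (m_iid, prefix), rloc in mapping.items():
        net = ipaddress.ip_network(prefix)
        if m_iid == iid and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, rloc)
    return best[1] if best else None


def resolve_packet(hdr, dst_eid, mapping=MAPPING):
    """ITR-side view: take the IID from the received header (default table
    when the I-bit is absent) and resolve the inner destination EID."""
    iid = decode_data_header(hdr)["iid"]
    return lookup(mapping, 0 if iid is None else iid, dst_eid)


if __name__ == "__main__":
    red = encode_data_header(iid=2, nonce=0xABCDEF)
    blue = encode_data_header(iid=1, nonce=0x123456)
    print("Red  -> 192.168.1.10 resolves to", resolve_packet(red, "192.168.1.10"))   # xTR2
    print("Blue -> 192.168.1.10 resolves to", resolve_packet(blue, "192.168.1.10"))  # xTR1
    print(decode_lcaf_iid_eid(encode_lcaf_iid_eid(2, "192.168.2.0/24")))
```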
LISP Virtualization Examples
LISP Virtualization + Internet
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
Say we want to build this…
– Three VRFs, IPv4 and IPv6
– HQ multihomed, two CPE
– Remote multihomed, one CPE
– Remote single-homed, DHCP
– Add encryption (GETVPN)
[Diagram: an IPv4 Core connecting HQ (two xTR/GM routers that also act as MS/MR, plus two GETVPN KS) with Site 1, Site 2 and Site 3 (one xTR/GM each); every xTR carries VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3)]
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
[Diagram: inside each xTR, the enterprise internal networks are segmented by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks) into VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3), which map to interfaces LISP0.1, LISP0.2 and LISP0.3; a single RLOC namespace (default table or RLOC VRF) faces the IPv4 or IPv6 core]
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
1. Build the underlay (RLOCs)
Examples:
• Normal IP routing…
• Nothing to do with LISP!

HQ1 xTR/MSMR/GM
!
hostname HQ1
!
interface Ethernet0/0
 ip address 10.0.14.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.14.1
!

Remote2 xTR/GM
!
hostname Remote2
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.252
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.2.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!

All other sites are similar!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
1. Build the underlay (RLOCs)
Examples:
• Normal IP routing…
• Nothing to do with LISP!
Verification… Example: RLOC to RLOC

Site2#ping 10.0.14.2 source 10.2.2.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 ms
Site2#
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Remote2 xTR/GM
!
router lisp
 locator-set Site2
  10.2.1.2 priority 1 weight 50
  10.2.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 192.168.255.16/32 locator-set Site2
  exit
 !
 eid-table vrf DeptA instance-id 1
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 1:1:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptB instance-id 2
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 2:2:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptC instance-id 3
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 3:3:16::/64 locator-set Site2
  exit
 !
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Remote2 xTR/GM
! – continued – LISP control plane
!
 ipv4 itr map-resolver 10.0.14.2
 ipv4 itr map-resolver 10.0.15.2
 ipv4 itr
 ipv4 etr map-server 10.0.14.2 key site2-pswd
 ipv4 etr map-server 10.0.15.2 key site2-pswd
 ipv4 etr
 ipv6 map-server
 ipv6 map-resolver
 ipv6 itr map-resolver 10.0.14.2
 ipv6 itr map-resolver 10.0.15.2
 ipv6 itr
 ipv6 etr map-server 10.0.14.2 key site2-pswd
 ipv6 etr map-server 10.0.15.2 key site2-pswd
 ipv6 etr
 exit
!

All other sites are similar!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

HQ2 xTR/MSMR/GM
router lisp
 !
 site HQ
  authentication-key hq-pswd
  eid-prefix 192.168.18.0/24
  eid-prefix 192.168.19.0/24
  eid-prefix 192.168.255.14/32
  eid-prefix 192.168.255.15/32
  eid-prefix instance-id 1 192.168.14.0/24
  eid-prefix instance-id 1 1:1:14::/64
  eid-prefix instance-id 2 192.168.14.0/24
  eid-prefix instance-id 2 2:2:14::/64
  eid-prefix instance-id 3 192.168.14.0/24
  eid-prefix instance-id 3 3:3:14::/64
  exit
 !
 site Site1
  authentication-key site1-pswd
  eid-prefix 192.168.255.11/32
  eid-prefix instance-id 1 192.168.11.0/24
  eid-prefix instance-id 1 1:1:11::/64
  eid-prefix instance-id 2 192.168.11.0/24
  eid-prefix instance-id 2 2:2:11::/64
  eid-prefix instance-id 3 192.168.11.0/24
  eid-prefix instance-id 3 3:3:11::/64
  exit
 !
---<etc.>---
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification…

HQ2 xTR/MSMR/GM
HQ2#show lisp site
LISP Site Registration Information

Site Name   Last      Up   Who Last     Inst  EID Prefix
            Register       Registered   ID
HQ          00:00:46  yes  10.0.14.2    0     192.168.18.0/24
            00:00:05  yes  10.0.15.2    0     192.168.19.0/24
            00:00:46  yes  10.0.14.2    0     192.168.255.14/32
            00:00:05  yes  10.0.15.2    0     192.168.255.15/32
            00:00:09  yes  10.0.14.2    1     192.168.14.0/24
            00:00:56  yes  10.0.14.2    1     1:1:14::/64
            00:00:32  yes  10.0.15.2    2     192.168.14.0/24
            00:00:23  yes  10.0.15.2    2     2:2:14::/64
            00:00:54  yes  10.0.15.2    3     192.168.14.0/24
            00:00:43  yes  10.0.14.2    3     3:3:14::/64
Site1       00:00:07  yes  10.0.11.2    0     192.168.255.11/32
            00:00:16  yes  10.0.11.2    1     192.168.11.0/24
            00:00:42  yes  10.0.11.2    1     1:1:11::/64
            00:00:32  yes  10.0.11.2    2     192.168.11.0/24
            00:00:41  yes  10.0.11.2    2     2:2:11::/64
---<etc.>---
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID

Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptC
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID

Site3#show ip lisp map-cache instance-id 3
LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
---<skip>---
192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:01:38  up     1/50
  10.0.15.2  00:01:38  up     1/50
---<skip>---
Site3#
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID

Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
Packet sent with a source address of 1:1:13::1%DeptA
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
2. Add the LISP overlay (EIDs)
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification… Example: EID to EID

Site3#show ipv6 lisp map-cache instance-id 1
LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
---<skip>---
1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:00:33  up     1/50
  10.0.15.2  00:00:33  up     1/50
---<skip>---
Site3#

LISP Virtualization + MPLS (CE)
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add Virtualization
Recall our MPLS network…
Let’s say that the Enterprise wants departmental segmentation inside their network…
[Diagram: SP MPLS core (PE1–PE4) carrying a Blue MPLS-VPN (Blue Sites 1–3, CE1–CE3) and a Purple MPLS-VPN (Purple Sites 1–2); CE–PE runs eBGP with a route-map denying EIDs outbound (✗), and each site runs an IGP internally; the Blue CEs are LISP xTRs (one also MS/MR) carrying IPv4 and IPv6 EIDs; VRF-A is now to be added at Sites 1, 2 and 3]
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add Virtualization
Recall our MPLS network…
Let’s say that the Enterprise wants departmental segmentation inside their network…
There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!
Virtualized!

CE1#show run | begin router lisp
---<skip>---
router lisp
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100
  exit
 !
 eid-table vrf VRF-A instance-id 1
  database-mapping 10.1.1.0/24 12.1.0.2 pri 1 wei 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 12.1.0.2
 ipv4 etr map-server 12.1.0.2 key ******
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 12.1.0.2
 ipv6 etr map-server 12.1.0.2 key ******
 exit
!
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add Virtualization
There’s no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!
Virtualized!

CE1#ping 10.3.1.1 source 10.1.1.1 rep 10
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 2/3/2 ms
CE1#

CE1#show ip lisp map-cache instance-id 1
LISP IPv4 Mapping Cache for EID-table vrf VRF-A (IID 1), 2 entries

0.0.0.0/0, uptime: 00:11:15, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.3.1.0/24, uptime: 00:01:49, expires: 23:58:14, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.1.2  00:01:49  up     1/100
---<more>---
CE1#
LISP Virtualization: Internet Access to MPLS
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Starting point:
• Service Provider MPLS VPN network
• Multi-tenant customer sites access the MPLS network via “non-traditional” access methods
  - IPv4 and/or IPv6 Internet
  - 3G/4G/LTE access
  - “Other” (e.g. another MPLS VPN)
[Diagram: Customer A, Customer B and Customer C sites reach the SP MPLS domain (ISIS/MPLS, P and PE routers, VRFs green, orange and blue, with CEs per customer) both directly via CE–PE and, from remote sites with xTRs, across an Internet/IP Core domain (IPv4 or v6 Core); an SP LISP Gateway (PxTR/MSMR) holding VRFs green, orange and blue joins the two domains]
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Let’s look at the configurations for these devices:
[Diagram: the MPLS-attached CE of each customer has loopback 3.3.3.3/24; the Internet-attached xTR of each customer has EID 1.1.1.1/24 in IID 111 (Customer A), IID 222 (Customer B) or IID 333 (Customer C); the PxTR/MSMR SP LISP Gateway maps IID 111, 222 and 333 to VRFs green, orange and blue]
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
MPLS – the usual… (blah blah blah…)

!
hostname CE-R1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.2.1 255.255.255.252
!
router bgp 101
 bgp log-neighbor-changes
 neighbor 10.1.2.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.2.2 activate
 exit-address-family
!

!
hostname CE-R9
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.9.1 255.255.255.252
!
router bgp 201
 bgp log-neighbor-changes
 neighbor 10.1.9.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.9.2 activate
 exit-address-family
!

!
hostname CE-R10
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 description Link to PE1-R2
 ip address 10.1.10.1 255.255.255.252
!
router bgp 301
 bgp log-neighbor-changes
 neighbor 10.1.10.2 remote-as 1
 !
 address-family ipv4
  redistribute connected
  neighbor 10.1.10.2 activate
 exit-address-family
!
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
LISP – the usual… (blah blah blah…)

hostname XTR-R7
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.111
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.7.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 111
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key FOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.7.1

hostname XTR-R11
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.222
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.11.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 222
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key BOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.11.1

hostname XTR-R12
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface LISP0
!
interface LISP0.333
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.12.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 333
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key COO
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.12.1
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

hostname PxTRMSMR-R5
!
vrf definition KS
 rd 2:200
 !
 address-family ipv4
 exit-address-family
!
vrf definition blue
 rd 2:400
 !
 address-family ipv4
 exit-address-family
!
vrf definition green
 rd 2:100
 !
 address-family ipv4
 exit-address-family
!
vrf definition orange
 rd 2:300
 !
 address-family ipv4
 exit-address-family
!
interface Loopback0
 ip address 10.255.255.5 255.255.255.255
!
interface LISP0
!
interface LISP0.111
!
interface LISP0.222
!
interface LISP0.333
---<cont>---
!
interface Ethernet0/0
 description Link to Core-R6
 ip address 11.5.6.1 255.255.255.252
!
interface Ethernet0/1
 description Link to PE2-R4
 no ip address
!
interface Ethernet0/1.1
 encapsulation dot1Q 100
 vrf forwarding green
 ip address 10.4.5.2 255.255.255.252
!
interface Ethernet0/1.2
 encapsulation dot1Q 200
 vrf forwarding KS
 ip address 10.4.5.6 255.255.255.252
!
---<cont>---
interface Ethernet0/1.3
 encapsulation dot1Q 300
 vrf forwarding orange
 ip address 10.4.5.2 255.255.255.252
!
interface Ethernet0/1.4
 encapsulation dot1Q 400
 vrf forwarding blue
 ip address 10.4.5.2 255.255.255.252
---<cont>---
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

router lisp
 eid-table vrf green instance-id 111
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf orange instance-id 222
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf blue instance-id 333
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
 eid-table vrf KS instance-id 999
  ipv4 route-export site-registration
  ipv4 map-cache site-registration
  exit
 !
---<cont>---
 site BOO
  authentication-key BOO
  eid-prefix instance-id 222 1.0.0.0/8 accept-more-specifics
  exit
 !
 site COO
  authentication-key COO
  eid-prefix instance-id 333 1.0.0.0/8 accept-more-specifics
  exit
 !
 site FOO
  authentication-key FOO
  eid-prefix instance-id 111 1.0.0.0/8 accept-more-specifics
  exit
 !
 site KS
  authentication-key KSKS
  eid-prefix instance-id 999 9.0.0.0/8 accept-more-specifics
  exit
---<cont>---
 !
 ipv4 map-server
 ipv4 map-resolver
 no ipv4 map-cache-persistent
 ipv4 proxy-etr
 ipv4 proxy-itr 11.5.6.1
 ipv4 itr map-resolver 11.5.6.1
 exit
!
---<cont>---
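Added example (not the seminar's or Cisco's code): a Python model of the two checks a shared Map-Server applies to an incoming Map-Register against the site blocks configured above. The message must authenticate with the key of the site it claims to be (HMAC-SHA-1-96, the RFC 6833 algorithm), and the registered (IID, EID-prefix) must fall under one of that site's eid-prefix lines (accept-more-specifics), which is what stops tenant FOO's key from registering anything into IID 222. The Map-Register layout here is a constructed, simplified one (nonce, IID, mask-len, IPv4 EID, IPv4 RLOC), not the RFC's exact packet format, and replay protection is not modelled.

```python
import hashlib
import hmac
import ipaddress
import struct

# Site policy taken from the PxTR/MSMR-R5 "site" blocks: one key per tenant,
# and each tenant may register only more-specifics of its own eid-prefix
# inside its own Instance ID (accept-more-specifics).
SITES = {
    "FOO": {"key": b"FOO",  "allowed": [(111, "1.0.0.0/8")]},
    "BOO": {"key": b"BOO",  "allowed": [(222, "1.0.0.0/8")]},
    "COO": {"key": b"COO",  "allowed": [(333, "1.0.0.0/8")]},
    "KS":  {"key": b"KSKS", "allowed": [(999, "9.0.0.0/8")]},
}
MAC_LEN = 12   # HMAC-SHA-1-96: SHA-1 output truncated to 96 bits (RFC 6833)
# Constructed, simplified Map-Register body (not the RFC's exact layout):
# nonce (8) | instance-id (4) | EID mask-len (1) | IPv4 EID (4) | IPv4 RLOC (4)
RECORD = struct.Struct("!QIB4s4s")


def authentication_data(key, body):
    """Authentication Data as an ETR computes it: HMAC over the message body."""
    return hmac.new(key, body, hashlib.sha1).digest()[:MAC_LEN]


def build_map_register(site_key, iid, eid_prefix, rloc, nonce):
    """ETR side: serialise one registration record and sign it with the
    key configured for this site on the Map-Server."""
    net = ipaddress.ip_network(eid_prefix, strict=True)
    body = RECORD.pack(nonce, iid, net.prefixlen, net.network_address.packed,
                       ipaddress.ip_address(rloc).packed)
    return body + authentication_data(site_key, body)


def verify_and_authorize(msg, site_name, sites=SITES):
    """Map-Server side. Step 1 authenticates the message with the key of the
    site it claims to be; step 2 checks that the (IID, EID-prefix) lies under
    one of that site's eid-prefix lines. Both must pass before the
    registration enters the shared mapping database."""
    site = sites.get(site_name)
    if site is None:
        return "reject: unknown site"
    if len(msg) != RECORD.size + MAC_LEN:
        return "reject: malformed message"
    body, mac = msg[:RECORD.size], msg[RECORD.size:]
    if not hmac.compare_digest(mac, authentication_data(site["key"], body)):
        return "reject: authentication failed"
    _nonce, iid, mlen, eid_bytes, rloc_bytes = RECORD.unpack(body)
    try:
        eid = ipaddress.ip_network(f"{ipaddress.ip_address(eid_bytes)}/{mlen}")
    except ValueError:
        return "reject: invalid EID prefix"
    rloc = ipaddress.ip_address(rloc_bytes)
    for allowed_iid, allowed_prefix in site["allowed"]:
        if iid == allowed_iid and eid.subnet_of(ipaddress.ip_network(allowed_prefix)):
            return f"accept: IID {iid} {eid} via {rloc}"
    return f"reject: IID {iid} {eid} not authorized for site {site_name}"


if __name__ == "__main__":
    # XTR-R7 registers its EID in IID 111 with key FOO: accepted.
    ok = build_map_register(b"FOO", 111, "1.1.1.0/24", "11.6.7.2", nonce=1)
    print(verify_and_authorize(ok, "FOO"))
    # Same key, but aimed at tenant BOO's Instance ID 222: rejected.
    wrong_iid = build_map_register(b"FOO", 222, "1.1.1.0/24", "11.6.7.2", nonce=2)
    print(verify_and_authorize(wrong_iid, "FOO"))
    # Signed with BOO's key while claiming to be site FOO: fails authentication.
    wrong_key = build_map_register(b"BOO", 111, "1.1.1.0/24", "11.6.7.2", nonce=3)
    print(verify_and_authorize(wrong_key, "FOO"))
```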
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
LISP/MPLS Gateway – (PETR/PITR)

router bgp 2
 bgp asnotation dot
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf KS
  network 9.9.9.8 mask 255.255.255.255
  redistribute lisp
  neighbor 10.4.5.5 remote-as 1
  neighbor 10.4.5.5 activate
  neighbor 10.4.5.5 send-community both
 exit-address-family
 !
 address-family ipv4 vrf blue
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE blue
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf green
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE green
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf orange
  redistribute lisp
  neighbor 10.4.5.1 remote-as 1
  neighbor 10.4.5.1 description PE orange
  neighbor 10.4.5.1 activate
  neighbor 10.4.5.1 send-community both
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 11.5.6.2
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Validation…

CE-R1#sh ip route
---<skip>---
      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/0] via 10.1.2.2, 18:07:35
      3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        3.3.3.0/24 is directly connected, Loopback0
L        3.3.3.3/32 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.2.0/30 is directly connected, Ethernet0/0
L        10.1.2.1/32 is directly connected, Ethernet0/0
B        10.4.5.0/30 [20/0] via 10.1.2.2, 18:08:03
CE-R1#

CE-R1#ping 1.1.1.1 so 3.3.3.3 rep 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 1/7/11 ms
CE-R1#

PE2-R4#sh bgp vpnv4 uni vrf green
---<skip>---
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf green)
 *>  1.1.1.0/24       10.4.5.2                 1             0 2 ?
 *>i 3.3.3.0/24       22.9.1.2                 0    100      0 101 ?
 *>i 10.1.2.0/30      22.9.1.2                 0    100      0 ?
 *>  10.4.5.0/30      0.0.0.0                  0         32768 ?
PE2-R4#

PE2-R4#sh ip ro vrf green
Routing Table: green
---<skip>---
      1.0.0.0/24 is subnetted, 1 subnets
B        1.1.1.0 [20/1] via 10.4.5.2, 18:24:12
      3.0.0.0/24 is subnetted, 1 subnets
B        3.3.3.0 [200/0] via 22.9.1.2, 18:24:39
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.1.2.0/30 [200/0] via 22.9.1.2, 18:24:39
C        10.4.5.0/30 is directly connected, Ethernet0/0.1
L        10.4.5.1/32 is directly connected, Ethernet0/0.1
PE2-R4#
LISP VPN/VirtualizationMulti-tenant Internet Access to MPLS VPNs
ISIS
MPLS
green
CE
Customer A
orange
blue PE
P
CE
CE
PE
greenorange
blue
SP MPLS domain
Customer B
Customer C
xTR
Customer A
xTR
xTR
Customer B
Customer C
IPv4 or v6 Core
Core
Internet/IP Core domain
Validation…
greenorange
blue
PxTR/MSMR
SP LISP Gateway
PxTRMSMR-R5#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID
BOO            never     no   --                   222      1.0.0.0/8
               00:00:13  yes  11.6.11.2            222      1.1.1.0/24
COO            never     no   --                   333      1.0.0.0/8
               00:00:21  yes  11.6.12.2            333      1.1.1.0/24
FOO            never     no   --                   111      1.0.0.0/8
               00:00:04  yes  11.6.7.2             111      1.1.1.0/24
PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 111
LISP IPv4 Mapping Cache for EID-table vrf green (IID 111), 1 entries

1.1.1.0/24, uptime: 18:34:07, expires: 05:25:52, via map-reply, complete
  Locator   Uptime    State      Pri/Wgt
  11.6.7.2  18:34:07  up           1/1
PxTRMSMR-R5#

PxTRMSMR-R5#sh bgp vpnv4 uni vrf green
---<skip>---
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2:100 (default for vrf green)
 *>  1.1.1.1/32       0.0.0.0                  1         32768 ?
 *>  3.3.3.3/32       10.4.5.1                               0 1 101 ?
 *>  10.1.2.0/30      10.4.5.1                               0 1 ?
 r>  10.4.5.0/30      10.4.5.1                 0             0 1 ?
PxTRMSMR-R5#
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Validation…
[Figure: same SP MPLS domain / SP LISP Gateway / Internet core topology as above]
XTR-R7#sh ip route
---<skip>---
S*    0.0.0.0/0 [1/0] via 11.6.7.1
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Loopback0
L        1.1.1.1/32 is directly connected, Loopback0
      11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        11.6.7.0/30 is directly connected, Ethernet0/1
L        11.6.7.2/32 is directly connected, Ethernet0/1
XTR-R7#

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/8/10 ms
XTR-R7#
Adding Encryption to LISP using GETVPN
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Adding Encryption
LISP and encryption (IOS)
– Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs
– LISP provides two ways to apply a crypto map

Use-Case                        Vanilla IPsec   GETVPN   Comments
LISP Default Model
  crypto-map on RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
  crypto-map on LISP0           ✔               ✔        Encryption first based on EID, then LISP encap
LISP Virtualization
  crypto-map on RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
  crypto-map on LISP0.x         ✔               ✔        Encryption first based on EID, then LISP encap

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Adding Encryption
LISP provides two ways to apply a crypto map, resulting in different packet outcomes
– RLOC :: LISP processing, and then encryption
– LISP0 :: Encryption, and then LISP processing
[Figure: packet layouts, ping as an example. LISP + IPsec on RLOC: ITR IP Hdr (20, proto 50) | ESP SPI | ITR IP Hdr (20, proto 17) | UDP Hdr (8, LISP, D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 1) | ICMP Hdr (8, type 8 code 0) | Payload | ESP trailer. IPsec + LISP on LISP0: ITR IP Hdr (20, proto 17) | UDP Hdr (8, LISP, D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 50) | ESP SPI | Host IP Hdr (20, proto 1) | ICMP Hdr (8, type 8 code 0) | Payload | ESP trailer]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Adding Encryption
LISP provides two ways to apply a crypto map, resulting in different packet outcomes
– RLOC :: LISP processing, and then encryption
– LISP0 :: Encryption, and then LISP processing
[Figure: packet layouts with GETVPN, ping as an example. LISP + GETVPN on RLOC: ITR IP Hdr (20, proto 50, original IPv4 header preserved) | ESP SPI | ITR IP Hdr (20, proto 17) | UDP Hdr (8, LISP, D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 1) | ICMP Hdr (8, type 8 code 0) | Payload | ESP trailer. GETVPN + LISP on LISP0: ITR IP Hdr (20, proto 17) | UDP Hdr (8, LISP, D:4341) | LISP Hdr (8) | Host IP Hdr (20, proto 50, original IPv4 header preserved) | ESP SPI | Host IP Hdr (20, proto 1) | ICMP Hdr (8, type 8 code 0) | Payload | ESP trailer]
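The two encapsulation orders just compared, as an added model that is not part of the Cisco deck: it stacks the headers the slides draw (IP 20, UDP 8, LISP 8, ICMP 8 bytes; protocols 1/17/50; LISP data port 4341) for a crypto map on the RLOC versus on LISP0, and reports what the RLOC core can still read. The ESP trailer size (2 bytes, padding and ICV omitted) is an assumption.

```python
"""Model of crypto map on RLOC (LISP encap, then IPsec) versus on LISP0
(IPsec on the EID packet, then LISP encap). Added example, not deck code."""
from dataclasses import dataclass, replace
from typing import List, Optional

IP_HDR, UDP_HDR, LISP_HDR, ICMP_HDR = 20, 8, 8, 8   # sizes shown on the slide
ESP_SPI_SEQ = 8          # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2          # assumption: pad length + next header only (no padding/ICV)
LISP_DATA_PORT = 4341
PROTO_ICMP, PROTO_UDP, PROTO_ESP = 1, 17, 50


@dataclass(frozen=True)
class Header:
    name: str
    length: int
    proto: Optional[int] = None   # IP protocol field, for IP headers only
    encrypted: bool = False       # True once the header sits inside an ESP payload


def host_packet(payload_len: int) -> List[Header]:
    """The EID-to-EID packet: Host IP Hdr (proto 1) | ICMP Hdr | Payload (ping)."""
    return [Header("Host IP Hdr", IP_HDR, PROTO_ICMP),
            Header("ICMP Hdr", ICMP_HDR),
            Header("Payload", payload_len)]


def lisp_encap(stack: List[Header]) -> List[Header]:
    """ITR prepends the RLOC-addressed header: IP (proto 17) | UDP dst 4341 | LISP."""
    return [Header("ITR IP Hdr", IP_HDR, PROTO_UDP),
            Header(f"UDP Hdr (LISP, dst {LISP_DATA_PORT})", UDP_HDR),
            Header("LISP Hdr", LISP_HDR)] + stack


def esp_tunnel(stack: List[Header], outer_name: str, getvpn: bool) -> List[Header]:
    """Tunnel-mode ESP: new outer IP header (proto 50) + SPI/seq; everything behind
    it is encrypted. GETVPN copies the original IP header into the new outer one."""
    outer = outer_name + (" (original IPv4 header preserved)" if getvpn else "")
    inner = [replace(h, encrypted=True) for h in stack]
    return ([Header(outer, IP_HDR, PROTO_ESP), Header("ESP SPI/Seq", ESP_SPI_SEQ)]
            + inner + [Header("ESP trailer", ESP_TRAILER, encrypted=True)])


def crypto_map_on_rloc(payload_len: int, getvpn: bool = False) -> List[Header]:
    """LISP processing first, then encryption keyed on the RLOC addresses."""
    return esp_tunnel(lisp_encap(host_packet(payload_len)), "ITR IP Hdr", getvpn)


def crypto_map_on_lisp0(payload_len: int, getvpn: bool = False) -> List[Header]:
    """Encryption first, keyed on the EID addresses, then LISP encap."""
    return lisp_encap(esp_tunnel(host_packet(payload_len), "Host IP Hdr", getvpn))


def summarize(stack: List[Header]) -> dict:
    """Header order, wire length, and what the RLOC core can read in the clear:
    the LISP UDP header (needed for RLOC-based load sharing) and the EID addresses."""
    clear = [h for h in stack if not h.encrypted]
    return {
        "order": [h.name for h in stack],
        "total_len": sum(h.length for h in stack),
        "outer_proto": stack[0].proto,
        "lisp_header_in_clear": any(h.name.startswith("UDP Hdr (LISP") for h in clear),
        "eid_addresses_in_clear": any(h.name.startswith("Host IP Hdr") for h in clear),
    }


if __name__ == "__main__":
    for label, build in (("LISP + IPsec on RLOC", crypto_map_on_rloc),
                         ("IPsec + LISP on LISP0", crypto_map_on_lisp0)):
        s = summarize(build(56))
        print(label, "->", " | ".join(s["order"]))
        print("   bytes:", s["total_len"], " LISP UDP visible to core:",
              s["lisp_header_in_clear"], " EIDs visible to core:", s["eid_addresses_in_clear"])
```

Both orders cost the same number of bytes; they differ in whether the core sees LISP (UDP 4341) or only ESP, and whether EID addresses are exposed, which is what the comparison above is about.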
LISP VPN + GETVPN
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy with GETVPN
Group Domain of Interpretation (GDOI) RFC 6407 – adding encryption
[Figure: a Key Server distributing Group Policy to four Group Members across a Routing Domain]
Group Member
• Encryption Devices
• Route Between Secure / Unsecure Regions
• Multicast Participation
Key Server
• Validate Group Members
• Manage Security Policy
• Create Group Keys
• Distribute Policy / Keys
Key Encryption Key (KEK), Traffic Encryption Key (TEK)
GET VPN
− GDOI − RFC 6407
− “Stateless” IPsec
− Traffic encryption keys computed on Key Server, distributed to all Group Members
− Better scaling than vanilla IPsec
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy with GETVPN
Why GDOI?
IP VPNs want to provide any-to-any connectivity
– Hierarchical Routing
– Any-to-Any connectivity
– Redundancy established between CE & PE
[Figure: IP VPN cloud with CE1–CE5 attached, subnets 10/1–10/5]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Adding Encryption
Why GDOI?
But… IPSec is inherently a “point-to-point” technology
– Point-to-point Security Associations
– Overlay routing in tunnels
– Need N**2 tunnels to achieve any-to-any connectivity
[Figure: the same IP VPN with CE1–CE5, now meshed with point-to-point tunnels]
LISP Virtualization/VPNs: LISP Virtualization/Multi-Tenancy Support – Adding Encryption
Why GDOI?
GDOI provides:
– Large scale any-to-any connectivity
– Native routing without tunnel overlay (overlay / underlay)
– Optimal for QoS & Multicast support
– Flexible span of control between enterprise and service provider
– Centralized policy distribution
– Transport agnostic: Private WAN, FR/ATM, IP, MPLS (“any” when used with LISP)
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
[Figure: HQ and Sites 1–3, each with an xTR/GM carrying VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3) over an IPv4 core; redundant MSMRs and Key Servers (KS) at HQ]
Examples:
• GETVPN Key Servers
• Define crypto policies for LISP!
Redundant Key Server identical!
KS1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-0001
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
---<cont.>---
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
[Figure: same HQ / Sites 1–3 xTR/GM topology as above]
Examples:
• GETVPN Key Servers
• Define crypto policies for LISP!
Redundant Key Server identical!
KS1
!
---<cont.>---
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv6 GETVPN6-0003
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
ip access-list extended GETVPN-0001
 permit ip any any
ip access-list extended GETVPN-0002
 permit ip any any
ip access-list extended GETVPN-0003
 permit ip any any
!
ipv6 access-list GETVPN6-0001
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0002
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0003
 permit ipv6 any any
!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
[Figure: same HQ / Sites 1–3 xTR/GM topology as above]
Remote2 xTR/GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
---<skip>---
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
crypto map MAP-V4-0001 10 gdoi
 set group V4GROUP-0001
!
---<skip>---
crypto map ipv6 MAP-V6-0003 10 gdoi
 set group V6GROUP-0003
!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
[Figure: same HQ / Sites 1–3 xTR/GM topology as above]
Remote2 xTR/GM
!
interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0001
 crypto map MAP-V4-0001
!
interface LISP0.2
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0002
 crypto map MAP-V4-0002
!
interface LISP0.3
 ip mtu 1456
 ipv6 mtu 1456
 ipv6 crypto map MAP-V6-0003
 crypto map MAP-V4-0003
!
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
Verification…
[Figure: same HQ / Sites 1–3 xTR/GM topology as above]
Example: EID to EID

Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
Site3#
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs over a Public Core
3. Add encryption
Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x
Verification…
[Figure: same HQ / Sites 1–3 xTR/GM topology as above]
Example: EID to EID

Site3#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm         Encrypt  Decrypt LastSeqN IP-Address
---<skip>---
  143  IPsec   AES256+SHA512           0      100        0 192.168.11.1
  144  IPsec   AES256+SHA512         100        0        0 192.168.11.1
---<skip>---
Site3#
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Let’s come back to this one now…
[Figure: the SP MPLS domain / SP LISP Gateway / Internet core topology from above, now with a Key Server (KS) added and the PxTR/MSMR and the three customer xTRs taking the KS/GM role in a separate IID 999; the xTRs register 9.1.1.1/32, 9.2.2.2/32 and 9.3.3.3/32 in that IID]
Add GETVPN for encryption:
• Multi-tenant GDOI encryption on data plane between LISP sites and MPLS VPNs
  - Common Key Server (multi-tenant), located in its own EID space and VRF
  - Separate crypto group per customer (or per IID, if multiple IID per customer) (as desired)
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
hostname KS-R8
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-111
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
!
---<cont>---
crypto gdoi group V4GROUP-222
 identity number 10222
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY2
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-222
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEY3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-333
   replay time window-size 5
   no tag
  address ipv4 9.9.9.9
---<cont>---
interface Loopback0
 ip address 9.9.9.9 255.255.255.255
!
interface Ethernet0/0
 ip address 10.4.8.1 255.255.255.252
!
router bgp 999
 bgp asnotation dot
 bgp log-neighbor-changes
 network 9.9.9.9 mask 255.255.255.255
 neighbor 10.4.8.2 remote-as 1
!
ip route 0.0.0.0 0.0.0.0 10.4.8.2
!
ip access-list extended GETVPN-111
 permit ip any any
ip access-list extended GETVPN-222
 permit ip any any
ip access-list extended GETVPN-333
 permit ip any any
!
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
hostname XTR-R7
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-111 10 gdoi
 set group V4GROUP-111
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.1.1.1 255.255.255.255
!
---<cont>---
interface LISP0.111
 crypto map MAP-V4-111
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.7.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 111
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.1.1.1/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
---<cont>---
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key FOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.7.1
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
hostname XTR-R11
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-222
 identity number 10222
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-222 10 gdoi
 set group V4GROUP-222
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.2.2.2 255.255.255.255
!
---<cont>---
interface LISP0.222
 crypto map MAP-V4-222
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.11.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 222
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.2.2.2/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
---<cont>---
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key BOO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.11.1
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
hostname XTR-R12
!
vrf definition KS
 !
 address-family ipv4
 exit-address-family
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-333 10 gdoi
 set group V4GROUP-333
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback999
 vrf forwarding KS
 ip address 9.3.3.3 255.255.255.255
!
---<cont>---
interface LISP0.333
 crypto map MAP-V4-333
!
interface LISP0.999
!
interface Ethernet0/1
 description Link to Core-R6
 ip address 11.6.12.2 255.255.255.252
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/1 priority 1 weight 1
  exit
 !
 eid-table default instance-id 333
  database-mapping 1.1.1.0/24 locator-set XTR
  exit
 !
 eid-table vrf KS instance-id 999
  database-mapping 9.3.3.3/32 locator-set XTR
  ipv4 etr map-server 11.5.6.1 key KSKS
  exit
 !
---<cont>---
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 11.5.6.1
 ipv4 etr map-server 11.5.6.1 key COO
 ipv4 use-petr 11.5.6.1 priority 1 weight 1
 exit
!
ip route 0.0.0.0 0.0.0.0 11.6.12.1
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
PxTR/MSMR (config delta)
!
crypto keyring key-KS vrf KS
  pre-shared-key address 9.9.9.9 key FOO
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 9.9.9.9
!
crypto gdoi group V4GROUP-111
 identity number 10111
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto gdoi group V4GROUP-333
 identity number 10333
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto gdoi group V4GROUP-222
 identity number 10222
 server address ipv4 9.9.9.9
 client registration interface Loopback999
!
crypto map MAP-V4-111 10 gdoi
 set group V4GROUP-111
!
crypto map MAP-V4-222 10 gdoi
 set group V4GROUP-222
!
crypto map MAP-V4-333 10 gdoi
 set group V4GROUP-333
!
---<cont>---
!
interface LISP0
!
interface LISP0.111
 crypto map MAP-V4-111
!
interface LISP0.222
 crypto map MAP-V4-222
!
interface LISP0.333
 crypto map MAP-V4-333
!
interface LISP0.999
!
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
PxTRMSMR-R5#sh ip ro vrf KS
---<skip>---
      9.0.0.0/32 is subnetted, 5 subnets
l        9.1.1.1 [10/1] via 0.0.0.0, 20:12:43, Null0
l        9.2.2.2 [10/1] via 0.0.0.0, 20:12:51, Null0
l        9.3.3.3 [10/1] via 0.0.0.0, 20:12:57, Null0
C        9.9.9.8 is directly connected, Loopback999
B        9.9.9.9 [20/0] via 10.4.5.5, 20:13:00
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.4.5.4/30 is directly connected, Ethernet0/1.2
L        10.4.5.6/32 is directly connected, Ethernet0/1.2
B        10.4.8.0/30 [20/0] via 10.4.5.5, 20:13:00
PxTRMSMR-R5#

PxTRMSMR-R5#sh ip lisp map-cache instance 999
LISP IPv4 Mapping Cache for EID-table vrf KS (IID 999), 3 entries

9.1.1.1/32, uptime: 20:02:36, expires: 03:57:23, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.7.2   20:02:36  up           1/1
9.2.2.2/32, uptime: 20:02:46, expires: 03:57:14, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.11.2  20:02:46  up           1/1
9.3.3.3/32, uptime: 20:02:52, expires: 03:57:07, via map-reply, complete
  Locator    Uptime    State      Pri/Wgt
  11.6.12.2  20:02:52  up           1/1
PxTRMSMR-R5#

PxTRMSMR-R5#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID
BOO            never     no   --                   222      1.0.0.0/8
               00:00:46  yes  11.6.11.2            222      1.1.1.0/24
COO            never     no   --                   333      1.0.0.0/8
               00:00:50  yes  11.6.12.2            333      1.1.1.0/24
FOO            never     no   --                   111      1.0.0.0/8
               00:00:15  yes  11.6.7.2             111      1.1.1.0/24
KS             never     no   --                   999      9.0.0.0/8
               00:00:00  yes  11.6.7.2             999      9.1.1.1/32
               00:00:16  yes  11.6.11.2            999      9.2.2.2/32
               00:00:05  yes  11.6.12.2            999      9.3.3.3/32
PxTRMSMR-R5#
LISP VPN/Virtualization: Multi-tenant Internet Access to MPLS VPNs
Adding encryption with GETVPN
[Figure: same multi-tenant topology with Key Server and IID 999 as above]
XTR-R7#sho crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm         Encrypt  Decrypt LastSeqN IP-Address
   47  IPsec   AES256+SHA512           0      999        0 1.1.1.1
   48  IPsec   AES256+SHA512         999        0        0 1.1.1.1
 1001  IKE     SHA+AES256              0        0        0 9.1.1.1
 1002  IKE     SHA+3DES                0        0        0
XTR-R7#

XTR-R7#ping 3.3.3.3 so 1.1.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!---<skip>---!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 4/5/22 ms
XTR-R7#

PxTRMSMR-R5#sho crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm         Encrypt  Decrypt LastSeqN IP-Address
  139  IPsec   AES256+SHA512           0        0        0 10.4.5.2
  140  IPsec   AES256+SHA512           0        0        0 10.4.5.2
  141  IPsec   AES256+SHA512           0      999        0 10.4.5.2
  142  IPsec   AES256+SHA512         999        0        0 10.4.5.2
  143  IPsec   AES256+SHA512           0        0        0 10.4.5.2
  144  IPsec   AES256+SHA512           0        0        0 10.4.5.2
 1001  IKE     SHA+AES256              0        0        0 9.9.9.8
 1002  IKE     SHA+3DES                0        0        0
 1003  IKE     SHA+3DES                0        0        0
 1004  IKE     SHA+3DES                0        0        0
PxTRMSMR-R5#
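The verification steps above (slides 185 and 193) pair a counted ping with `show crypto engine connection active` and expect the IPsec encrypt/decrypt counters to match. This added check, not part of the Cisco deck, parses that output and confirms that the answered pings were carried by AES-256 GETVPN SAs; the sample text is constructed from the XTR-R7 values shown above.

```python
"""Parse `show crypto engine connection active` and check that counted EID-to-EID
pings were carried by the expected IPsec SAs. Added example, not deck code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the XTR-R7 output after 1000 pings (999 answered).
SAMPLE = """\
XTR-R7#sho crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm         Encrypt  Decrypt LastSeqN IP-Address
   47  IPsec   AES256+SHA512           0      999        0 1.1.1.1
   48  IPsec   AES256+SHA512         999        0        0 1.1.1.1
 1001  IKE     SHA+AES256              0        0        0 9.1.1.1
 1002  IKE     SHA+3DES                0        0        0
XTR-R7#
"""

# One connection row: ID, Type, Algorithm, Encrypt, Decrypt, LastSeqN, optional IP-Address.
ROW = re.compile(r"^\s*(\d+)\s+(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Connection:
    conn_id: int
    kind: str            # "IPsec" or "IKE"
    algorithm: str       # e.g. "AES256+SHA512"
    encrypt: int
    decrypt: int
    last_seq: int
    peer: Optional[str]  # IP-Address column; absent for idle IKE entries


def parse_connections(text: str) -> List[Connection]:
    """Keep only connection rows; prompt, banner, column header and ---<skip>--- are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, kind, alg, enc, dec, seq, peer = m.groups()
            rows.append(Connection(int(cid), kind, alg, int(enc), int(dec), int(seq), peer))
    return rows


def ipsec_traffic(rows: List[Connection], peer: Optional[str] = None) -> Tuple[int, int]:
    """Total encrypt and decrypt counters over IPsec SAs, optionally for one IP-Address."""
    sas = [r for r in rows if r.kind == "IPsec" and (peer is None or r.peer == peer)]
    return sum(r.encrypt for r in sas), sum(r.decrypt for r in sas)


def verify_encrypted_pings(text: str, replies: int, peer: Optional[str] = None,
                           cipher_prefix: str = "AES256+") -> Dict[str, object]:
    """Compare SA counters with the number of answered pings. The counters track the
    replies (999), not the echoes sent (1000): an echo dropped before it reached the
    crypto engine is never counted, so comparing against 'sent' would give false alarms.
    Every IPsec SA must also use the expected transform prefix (AES-256 here)."""
    rows = parse_connections(text)
    enc, dec = ipsec_traffic(rows, peer)
    ipsec = [r for r in rows if r.kind == "IPsec"]
    return {
        "encrypt": enc,
        "decrypt": dec,
        "encrypted_ok": enc == replies,
        "decrypted_ok": dec == replies,
        "strong_ciphers": bool(ipsec) and all(r.algorithm.startswith(cipher_prefix) for r in ipsec),
        "ike_algorithms": [r.algorithm for r in rows if r.kind == "IKE"],
    }


if __name__ == "__main__":
    result = verify_encrypted_pings(SAMPLE, replies=999, peer="1.1.1.1")
    for key, value in result.items():
        print(f"{key:>15}: {value}")
```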
LISP Use Cases :: Virtualization/VPNs: Customer Example :: Sony bit-drive
Initial deployment…
[Figure: SONY Bit-Drive Services (KS, MS/MR, GW, PxTR) with IPv4 Internet, IPv6 Internet and IPv6 access; SMB X Sites 1–3 (IID 1001) and SMB Y Sites 1–10 (IID 1002), each an xTR fronting IPv4/IPv6 EID space]
Services:
• IPv4, IPv6 Internet Access
• GETVPN+LISP (encryption)
• Data Center (Web, Mail, Storage)
LISP Use Cases :: Virtualization/VPNs: Customer Example :: Sony bit-drive
Next plans…
[Figure: same SONY Bit-Drive Services / SMB X and Y sites topology as above]
Services:
• IPv4, IPv6 Internet Access
• GETVPN+LISP (encryption)
• Data Center (Web, Mail, Storage)
[Figure addition: SONY Bit-Drive Data Center 1 and Data Center 2 (VMware ESX hosts running VMs) offering a Data Center Virtualized Host/Cloud Service to X and Y]
LISP Use Cases :: Virtualization/VPNs: Customer Example :: Sony bit-drive
Cisco Products:
• SONY bit-drive LISP infrastructure
  ASR1Ks for Proxy Systems
  ISRG2s for Mapping Systems
  ASR1Ks for NAT Devices
  ISRG2s for Key Servers
• Customer CE Devices
  NEW HW :: C890Js
  Legacy (Sony routers for DMVPN) :: being upgraded to C890Js for LISP service
Shared LISP infrastructure: Multi-tenant/Virtualized
Subscribers, per end-site
LISP-based Services Benefits:
• Broadband circuits (<$)
• Multihoming (<$)
• IPv6 Core, IPv4 and IPv6 EIDs
• Creates a private network (w/o MPLS $)
LISP Use Cases :: Virtualization/VPNs: Customer Example :: A few more highlights…
Multinational Human Resources Outsourcing Company ($22B)
– “Very Large Scale” Over the Top Enterprise VPN (MPLS replacement)
  GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
  ISRG2, ASR1K-based infrastructure, 560+ sites pilot (DSL and LTE); expanding to 5600+
European Energy Producer
– “Large Scale” Over the Top Enterprise VPN (critical infrastructure, hydro/nuclear plants)
  GETVPN+LISP, multihoming, 3 VRFs, IPv4 and IPv6 EIDs, IPv4 MPLS/RLOCs
  ISRG2, ASR1K-based infrastructure, 300+ sites
Large US State Government
– “Large Scale” Over the Top Enterprise VPN (MPLS replacement/cost savings)
  GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
  ISRG2, ASR1K-based infrastructure, 800+ sites (DSL and LTE)
European State Government
– “Over the Top” Enterprise VPN (MPLS replacement/cost savings)
  GETVPN+LISP, multihoming, 4 VRFs, IPv4 and IPv6 EIDs, IPv4 Internet/RLOCs
  ISRG2, ASR1K-based infrastructure, 30+ sites
Plus “many” more: #1 deployed LISP use-case
LISP VPN + DMVPN
LISP Use Cases :: Virtualization/VPNs: DMVPN and GETVPN
DMVPN is an overlay VPN
– Creates tunnels over a transport network
  Isolates protected networks from transport network
  Allows private protected addresses over a public transport network
– Hubs concentrate connections – all spokes must connect
  Hubs concentrate part of spoke-to-spoke traffic
  Hubs need to know about all private networks (IGP, NHRP, mGRE)
GETVPN is an “encrypted” VPN
– Encrypted packets have the same addressing as the protected packets
  Does not (by itself) isolate address spaces – requires end-to-end routing
– Key Server concentrates all GMs
  Control plane only though… no data plane traffic
– Transport network takes care of routing packets
LISP Use Cases :: Virtualization/VPNs: LISP and DMVPN
Initial DMVPN deployment…
[Figure: Core Network with Core R1 linking HUB R2 (10.0.0.0/30, LAN 172.16.0.0/24), Spoke1 R4 (10.0.1.0/30, 172.16.1.0/24), Spoke2 R5 (10.0.2.0/30, 172.16.2.0/24) and Spoke3 R6 (10.0.3.0/30, 172.16.3.0/24); core side .2, router side .1; DMVPN tunnels from each spoke to the hub]
Standard DMVPN build-out
- Here, IPv4 core
- “enterprise” (private space) also IPv4
- OSPF (in this case) running over DMVPN
LISP Use Cases :: Virtualization/VPNs: LISP and DMVPN
Initial DMVPN deployment…
[Figure: same Core R1 / HUB R2 / Spoke1–3 DMVPN topology as above]
Core config….
!
hostname Core-R1
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/1
 ip address 10.0.1.2 255.255.255.252
!
interface Ethernet0/2
 ip address 10.0.2.2 255.255.255.252
!
interface Ethernet0/3
 ip address 10.0.3.2 255.255.255.252
!

Hub config….
!
hostname Hub-R2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key foo address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPNPROF
 set transform-set ENCRYPT
 set pfs group1
!
interface Tunnel0
 bandwidth 1000
 ip address 172.31.255.1 255.255.255.0
 no ip redirects
 ip mtu 1420
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip ospf network broadcast
 ip ospf priority 2
 ip ospf mtu-ignore
 ip ospf 1 area 0
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPNPROF
!
---<cont>---
---<cont>---
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
201
© 2014 Cisco and/or its affiliates. All rights reserved.TECRST-3191 Cisco Public
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
Initial DMVPN deployment…
[Figure: same DMVPN topology as the previous slides.]
Spoke config…. (example)
hostname S2-R5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key foo address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ENCRYPT esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPNPROF
 set transform-set ENCRYPT
 set pfs group1
!
interface Tunnel0
 bandwidth 1000
 ip address 172.31.255.3 255.255.255.0
 no ip redirects
 ip mtu 1420
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 172.31.255.1 10.0.0.1
 ip nhrp map multicast 10.0.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 172.31.255.1
 ip ospf network broadcast
 ip ospf priority 0
 ip ospf 1 area 0
 delay 1000
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPNPROF
!
interface Ethernet0/0
 ip address 10.0.2.1 255.255.255.252
!
interface Ethernet0/1
 description connect to XTR2
 ip address 172.16.2.1 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
ip route 0.0.0.0 0.0.0.0 10.0.2.2
!
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
Initial DMVPN deployment…
[Figure: same DMVPN topology as the previous slides.]
Let’s ping for fun… (yes, it’s encrypted…)
S1-R4#ping 172.16.0.1 so 172.16.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---<skip>---
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 4/4/10 ms
S1-R4#
S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   49  IPsec   3DES+SHA                  0     1307     1307 10.0.1.1
   50  IPsec   3DES+SHA               1304        0        0 10.0.1.1
 1001  IKE     SHA+3DES                  0        0        0 10.0.1.1
S1-R4#
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
Add LISP to DMVPN…
Suppose you want to add virtualization or IPv6 (or IPv4) for internal networks. And… you didn’t want to touch DMVPN at all!
To add LISP:
- add a new router per site with EID space behind them, and
- treat “DMVPN inside address space” as “LISP RLOC space”
[Figure: the DMVPN topology from the previous slides with one LISP xTR added behind each site: xTR LISP0 (also MR/MS) behind the hub, xTR LISP1, LISP2 and LISP3 behind Spoke1, Spoke2 and Spoke3. Each xTR serves two VPNs, VPN A (IID 1) and VPN B (IID 2); site N carries 192.168.N.0/24 together with A:A:N::/48 in VPN A and B:B:N::/48 in VPN B, the hub site is labelled with A:A:9::/48 and B:B:9::/48.]
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
[Figure: same LISP-over-DMVPN topology as the previous slide.]
!
hostname R3-xTR0-MSMR
!
vrf definition A
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition B
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Loopback0
 vrf forwarding A
 ip address 192.168.0.1 255.255.255.0
 ipv6 address A:A:9::1/48
!
interface Loopback1
 vrf forwarding B
 ip address 192.168.0.1 255.255.255.0
 ipv6 address B:B:9::1/48
!
interface Ethernet0/0
 description conn to HUB R2
 ip address 172.16.0.2 255.255.255.0
 ip ospf 1 area 0
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/0 priority 1 weight 1
  exit
 !
 eid-table vrf A instance-id 1
  database-mapping 192.168.0.0/24 locator-set XTR
  database-mapping A:A:9::/48 locator-set XTR
  exit
 !
 eid-table vrf B instance-id 2
  database-mapping 192.168.0.0/24 locator-set XTR
  database-mapping B:B:9::/48 locator-set XTR
  exit
 !
 site ALL
  authentication-key ALL
  eid-prefix instance-id 1 192.168.0.0/16 accept-more-specifics
  eid-prefix instance-id 1 A:A::/32 accept-more-specifics
  eid-prefix instance-id 2 192.168.0.0/16 accept-more-specifics
  eid-prefix instance-id 2 B:B::/32 accept-more-specifics
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 172.16.0.2
 ipv4 etr map-server 172.16.0.2 key ALL
 ipv6 itr
 ipv6 etr
 ipv6 map-server
 ipv6 map-resolver
 ipv6 itr map-resolver 172.16.0.2
 ipv6 etr map-server 172.16.0.2 key ALL
 exit
!
router ospf 1
!
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
[Figure: same LISP-over-DMVPN topology as the previous slides.]
!
hostname R7-xTR1
!
vrf definition A
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition B
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Loopback0
 vrf forwarding A
 ip address 192.168.1.1 255.255.255.0
 ipv6 address A:A:1::1/48
!
interface Loopback1
 vrf forwarding B
 ip address 192.168.1.1 255.255.255.0
 ipv6 address B:B:1::1/48
!
interface Ethernet0/0
 description conn to S1 R4
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
!
router lisp
 locator-set XTR
  IPv4-interface Ethernet0/0 priority 1 weight 1
  exit
 !
 eid-table vrf A instance-id 1
  database-mapping 192.168.1.0/24 locator-set XTR
  database-mapping A:A:1::/48 locator-set XTR
  exit
 !
 eid-table vrf B instance-id 2
  database-mapping 192.168.1.0/24 locator-set XTR
  database-mapping B:B:1::/48 locator-set XTR
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 172.16.0.2
 ipv4 etr map-server 172.16.0.2 key ALL
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 172.16.0.2
 ipv6 etr map-server 172.16.0.2 key ALL
 exit
!
router ospf 1
!
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
Add LISP to DMVPN…
[Figure: same LISP-over-DMVPN topology as the previous slides.]
Let’s ping for fun… IPv4, VRF A (IID1) (yes, it’s encrypted…)
R7-xTR1#ping vrf A 192.168.0.1 source 192.168.1.1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---<skip>---
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 ms
R7-xTR1#
S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  141  IPsec   3DES+SHA                  0     1428     1428 10.0.1.1
  142  IPsec   3DES+SHA               1426        0        0 10.0.1.1
 1003  IKE     SHA+3DES                  0        0        0 10.0.1.1
S1-R4#
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
Add LISP to DMVPN…
[Figure: same LISP-over-DMVPN topology as the previous slides.]
Let’s ping for fun… IPv6, VRF B (IID2) (yes, it’s encrypted…)
R7-xTR1#ping vrf B B:B:3::1 source B:B:1::1 rep 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to B:B:3::1, timeout is 2 seconds:
Packet sent with a source address of B:B:1::1%B
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
---<skip>---
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/8/28 ms
R7-xTR1#
S1-R4#show crypto engine connection active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  141  IPsec   3DES+SHA                  0     1487     1487 10.0.1.1
  142  IPsec   3DES+SHA               1483        0        0 10.0.1.1
  149  IPsec   3DES+SHA                  0     1001     1001 10.0.1.1
  150  IPsec   3DES+SHA               1004        0        0 10.0.1.1
 1003  IKE     SHA+3DES                  0        0        0 10.0.1.1
 1021  IKE     SHA+3DES                  0        0        0 10.0.1.1
S1-R4#
LISP Use Cases :: Virtualization/VPNs :: LISP and DMVPN
LISP + DMVPN
– tunnel protect :: LISP processing, and then DMVPN/encryption
Packet layout, outermost header first (* icmp example):
- External (DMVPN tunnel) IP Hdr, 20 bytes, protocol 50: saddr, daddr
- ESP SPI, xx bytes
- GRE, 4 bytes, protocol 47
- ITR IP Hdr, 20 bytes, protocol 17: saddr, daddr
- UDP Hdr (LISP), 8 bytes: source port xxxx, destination port 4341
- LISP Hdr, 8 bytes
- Host IP Hdr, 20 bytes, protocol 1: saddr, daddr
- ICMP Hdr, 8 bytes: type 8, code 0
- Payload
- ESP trailer, xx bytes
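The header walk above turned into a byte-count calculator, as an added example that is not part of the deck: it reproduces the layered stack for the 100-byte ICMP echoes from the ping slides and shows how much host packet fits under the tunnels' `ip mtu 1420`. The ESP sizes (marked xx on the slide) are derived from the deck's `esp-3des esp-sha-hmac` transport-mode transform set and the GRE key from `tunnel key 100000`; the function names are this example's own.

```python
"""Header-stack accounting for LISP carried inside DMVPN (GRE + ESP, transport mode).

Constructed example. Byte counts follow the slide's packet walk
(outer IP / ESP / GRE / ITR IP / UDP 4341 / LISP / host IP / ICMP / payload / ESP trailer)
and the deck's DMVPN settings: `ip mtu 1420`, `tunnel key`, esp-3des esp-sha-hmac, mode transport.
"""
from __future__ import annotations

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8            # LISP data plane: UDP, destination port 4341
LISP_HDR = 8           # LISP header (flags, nonce/map-version, instance-id/locator status bits)
GRE_HDR = 4            # base GRE header (IP protocol 47)
GRE_KEY = 4            # `tunnel key 100000` adds a 4-byte key field to GRE
ESP_HDR = 8            # SPI + sequence number (IP protocol 50)
ESP_TRAILER = 2        # pad length + next header
ESP_3DES_IV = 8        # 3DES-CBC: 8-byte IV, 8-byte cipher block
ESP_3DES_BLOCK = 8
ESP_SHA1_ICV = 12      # esp-sha-hmac: HMAC-SHA1-96 integrity check value
ICMP_HDR = 8


def lisp_overhead(rloc_af: int = 4) -> int:
    """Bytes the ITR puts in front of the host packet: RLOC IP header + UDP + LISP header."""
    return (IPV4_HDR if rloc_af == 4 else IPV6_HDR) + UDP_HDR + LISP_HDR


def esp_transport_overhead(protected_len: int) -> int:
    """ESP bytes added around `protected_len` bytes of plaintext (here GRE header + LISP packet).

    Transport mode keeps the tunnel's own IP header as the outer header; ESP adds SPI/seq and
    IV in front, pads so that plaintext + pad + 2-byte trailer fills whole cipher blocks,
    and appends the ICV.
    """
    pad = (-(protected_len + ESP_TRAILER)) % ESP_3DES_BLOCK
    return ESP_HDR + ESP_3DES_IV + pad + ESP_TRAILER + ESP_SHA1_ICV


def lisp_packet_size(host_packet_len: int, rloc_af: int = 4) -> int:
    """Size of the packet the xTR hands to the DMVPN spoke (ITR IP header onward)."""
    return host_packet_len + lisp_overhead(rloc_af)


def wire_size(host_packet_len: int, rloc_af: int = 4, gre_key: bool = True) -> int:
    """Size on the physical link: outer IP + ESP(GRE + LISP packet)."""
    protected = GRE_HDR + (GRE_KEY if gre_key else 0) + lisp_packet_size(host_packet_len, rloc_af)
    return IPV4_HDR + esp_transport_overhead(protected) + protected


def max_host_packet(tunnel_ip_mtu: int = 1420, rloc_af: int = 4) -> int:
    """Largest host packet whose LISP-encapsulated form still fits the tunnel's `ip mtu`.

    The tunnel MTU is applied to the packet entering Tunnel0, i.e. the ITR IP packet, so the
    36 bytes of IPv4 RLOC + UDP + LISP header have to come out of it.
    """
    return tunnel_ip_mtu - lisp_overhead(rloc_af)


def header_walk(payload_len: int, host_af: int = 4) -> list[tuple[str, int]]:
    """The slide's layered view, outermost first, for an ICMP echo carrying `payload_len` bytes.

    A Cisco "100-byte ICMP Echo" is a 100-byte IP datagram: 20 IP + 8 ICMP + 72 payload.
    """
    host_hdr = IPV4_HDR if host_af == 4 else IPV6_HDR
    inner = host_hdr + ICMP_HDR + payload_len
    protected = GRE_HDR + GRE_KEY + lisp_packet_size(inner)
    pad = (-(protected + ESP_TRAILER)) % ESP_3DES_BLOCK
    return [
        ("External (DMVPN tunnel) IP Hdr, proto 50", IPV4_HDR),
        ("ESP SPI + sequence + IV", ESP_HDR + ESP_3DES_IV),
        ("GRE with key, proto 47", GRE_HDR + GRE_KEY),
        ("ITR IP Hdr, proto 17", IPV4_HDR),
        ("UDP Hdr (LISP, dport 4341)", UDP_HDR),
        ("LISP Hdr", LISP_HDR),
        ("Host IP Hdr, proto 1", host_hdr),
        ("ICMP Hdr, type 8 code 0", ICMP_HDR),
        ("Payload", payload_len),
        ("ESP trailer: pad + pad len + next hdr + ICV", pad + ESP_TRAILER + ESP_SHA1_ICV),
    ]


if __name__ == "__main__":
    for name, size in header_walk(72):
        print(f"{size:4d}  {name}")
    print("largest host packet under tunnel ip mtu 1420:", max_host_packet())
    print("its size on the wire:", wire_size(max_host_packet()))
```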
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
Advanced - LISP Technical Seminar :: LISP Data Center/Host Mobility
TECRST-3191
Marco Pessi, LISP Technical Marketing Engineer
Agenda :: LISP Data Center/Host Mobility
• Host Mobility Business Drivers
• LISP Host Mobility
 • Fundamentals
 • Across Subnets
 • Extending Subnets
 • Services Integration
 • WAN Integration
• LISP Mobile Node
• LISP Summary
Host Mobility Business Drivers
Networking Implications of the Mobile/Cloud Era :: A new era of multi-tenancy and multiple devices
Legacy IT model: Client/Server
[Figure: clients (C) talking to a central server.]
Attributes: • Simple • Secure • Static
Emerging IT model: Mobile/Cloud
[Figure: many mobile devices (M) connected to a cloud.]
Attributes: • Connected • Scalable • Multi-tenant
IT Trends – Distribute Data Centers :: Building the Data Center Private and Hybrid Cloud
Distributed Data Center Goals:
– Seamless workload mobility between multiple datacenters
– Distributed applications closer to end users
– Pool and maximize global compute resources
– Ensure business continuity with workload mobility and distributed deployment
[Figure: Geographically Dispersed Data Centers.]
Problem Statement :: The Need for a New Networking Architecture
Today’s networks aren’t designed for mobility
– IP addresses are statically assigned to devices, access points, or services.
– Connecting resources on different private networks and public networks with different owners is challenging
– Movement between networks means device, service or network element connectivity is necessarily lost
Today’s networks can’t scale
– Cloud, mobility and Internet of things are overextending the ability of today’s routers to route data packets.
– Mobility of devices and/or network elements leads to a ballooning of the amount of information stored in routing tables
Today’s networks require new security models
– In a world of multiple devices and multi-tenancy it’s not feasible to manually build every needed virtual private network
Mobility, Scalability and Interconnection Issues Must Be Solved Together
Locator ID/Separation Protocol (LISP) :: Next Generation Networking Architecture
Evolving the World’s Networks for the Cloud Era
Overview
LISP (Location / ID Separation Protocol) is an addressing architecture and set of protocols comprising an Endpoint Identifier (defining who a user is) and a Routing Locator (defining where the user is connected).
LISP separates the identity of the device or access point from where the device is located enabling Internet services to remain continually connected when users move around or change devices.
Use-cases: Global Workload Mobility; Workload Portability to Cloud; Secure Multi-tenancy across organizations; Rapid IPv6 Deployment
Benefits: Mobility (IP address Portability); Scalability (On-Demand Route lookup); Security (Tenant ID based Segmentation); Address Family Independence
Solving Scale, Mobility and Security Problems :: Global Mobility across organizational boundaries
Overview
Applicability: Active-Active Data Centers; Data Center Disaster Recovery; Workload Portability to Cloud (aka Bursting); Federated Cloud open connectivity
Topology independent addressing; Overlay solution; IPv4 or IPv6 agnostic
Benefits: Integrated Mobility; Mobility across organizations (SPs, Cloud Providers); IPv4, IPv6 or a combination; Optimal traffic path (no triangulation)
[Figure: Primary DC at Provider A and Secondary DC at Provider B.]
Data Center Host Mobility
Data Center VM IP Mobility :: Why?
• Mobility in the DC allows business continuity during network failover, maintenance and migration: active-active DC, Disaster Recovery, Hybrid Cloud, DC migration
• Server Virtualization…enables virtual server mobility
• Mobility with IP Address Retention…
• Is transparent to clients, applications and allows keeping existing network policies
[Figure: VM A.B.C.D moves from the Original DC to a Service Provider DC, Disaster Recovery DC or New DC and keeps the address A.B.C.D.]
Mobility = Flexibility; IP Portability = Simplicity
Data Center VM IP Mobility :: What do I need?
• Server Gateway Consistency
• Machine State Consistency
• Routed Traffic
• Bridged Traffic
[Figure: VM A.B.C.D moves from the Original DC to a Service Provider DC, Disaster Recovery DC or New DC. At both locations the server gateway A.B.C.1 (MAC A) and the VM's ARP table (A.B.C.1 → MAC B, A.B.C.E → MAC E, plus remote host E.F.G.H) stay the same; disk state and memory state move with the VM; intra-subnet (bridged) and inter-subnet (routed) traffic are both ticked as requirements.]
LISP Data Center Mobility :: Live vs Cold Mobility
Live Moves With LAN Extension
• Routing for Extended Subnets: Active-Active Data Centers, Distributed Data Centers
• Application Members Distributed
• Seamless Workload Mobility
[Figure: West-DC and East-DC joined by a LAN Extension over an IPv4 network, an XTR/FHR in each DC, a Mapping DB, and a LISP Site with its XTR.]
Cold Moves Without LAN Extension
• IP Mobility Across Subnets: DC Migration, Disaster Recovery / Cloud Bursting / Hybrid Cloud
• Application Members In One Home Location
[Figure: West-DC, East-DC and a DR Location or Cloud Provider DC over an IPv4 network without LAN Extension, an XTR/FHR in each DC, a Mapping DB, and a LISP Site with its XTR.]
LISP Data Center Mobility :: Approach
• Existing LISP adopters
– LISP sites
– Enable VM Mobility in DC Sites
– Natural, simple evolution of existing LISP infrastructure
• New LISP customers
– Non LISP remote sites
– Standalone VM Mobility Use Case
– Minimal, DC only, intrusion
– Phased, operationally light, incremental approach
– Interworking with existing routing protocols
[Figure: West-DC and East-DC with a Mapping DB (MSMR) in each case.]
Mobility Requirement # 1: Integration with Services
• Most firewalls/SLB cannot inspect LISP data traffic (ZBF LISP Inspection: XE3.13)
• Stateful devices like firewalls and load balancers need to inspect the traffic in both directions
– After the silver VM moves to East-DC across the LAN extension, firewalls on each DC see traffic only in one direction
[Figure: a Client Site reaching West-DC and East-DC over the WAN or Internet with LISP encapsulated traffic. Example: Extended LAN between DCs. Before the move the client's traffic is bidirectional through the West-DC firewall; after the move the forward traffic is one-way through one DC's firewall and the return traffic goes through the other DC's firewall.]
Mobility Requirement # 2: Ingress Path Optimization
• Client traffic to moved workload is blackholed or not optimized after the move
– Ex. Return traffic thru different firewall (blackhole)
– Ex. Keep server gateway on West DC (sub optimized)
[Figure: a Client Site over the WAN or Internet with an undetermined (?) path toward West-DC and East-DC.]
Mobility Requirement # 3: Local Routing Optimization
• Having the server gateway only on one DC does not scale well
• When the number of DR moves increase, the inter-zone traffic will hair-pin between the 2 DCs over OTV, instead of being locally routed in the DR DC
[Figure: West-DC and East-DC joined by a LAN Extension, server GW on West DC only, WAN or Internet above. Example: Extended LAN between DCs.]
Mobility Req. # 4: Multi-Zone Multi-Tenant DC
• Server Zone Segmentation – front-end/back-end servers
– Internal firewall inspects inter-zone traffic
– VLAN or VRF Lite
• Tenant (or service) Segmentation
– Each tenant use a private VPN
– Dedicated firewall (context) per tenant
• Associate Zones to single tenant (or service)
– Tenant VRF “merges” server zone VRFs
• Scale from tens (enterprise) to thousands tenants (service provider)
[Figure: Example: Two tenant – Three zone IaaS Virtualization. Client Sites for Tenant 1 and Tenant 2 reach West-DC over per-tenant WANs; a FW Context per tenant (Tenant 1, Tenant 2) fronts the zones.]
LISP Data Center/Host Mobility :: Functions and Components
LISP DC Mobility :: Functions :: Three simple steps to mobility
1. Detect the host move
 a) For any host, without agents on the host or protocols
 b) Without dependence on any hypervisor
2. Register the new host location with the Mapping System
3. Notify other xTRs/PITRs of the move
 a) Update routing tables at old sites
 b) Update LISP Map-Caches
LISP DC Mobility :: Existing Functions
MSMR and xTR
• There are minimal changes to existing LISP components to support VM Mobility
– Map Server/Resolver (MSMR)
– Tunnel Router (xTR): H/W encap/decap (HW capable) and registration (control-plane) of the mobile subnet in the MS
• In a typical deployment, MSMR and TR functions coexist and are distributed (HA) on the same devices in one or all data center locations
[Figure: DC-1 and DC-2, each with ETR/ITR and FHR pairs, a Mapping DB (MSMR), a LISP Client Site and a Non LISP Client Site (via PITR/PETR) over the WAN or Internet. Legend: EID, RLOC, LISP Encap/Decap, LISP Device, Host Detection; the MSMR and xTR roles are highlighted.]
IOS (MSMR and xTR):
router lisp
 ! [MSMR portion]
 site WESTEAST-DC
  authentication-key L15P43V3R
  eid-prefix 172.71.64.0/20 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
exit
LISP DC Mobility :: Mobility Functions
FHR: Single/Multi-Hop Mobility
• First Hop Router is a control-plane function for scalable, dynamic detection and signaling of a “silent” host
• LISP Single-Hop Mobility implements FHR and xTR in the same devices
• LISP Multi-Hop Mobility implements FHR and xTR in two distinct devices, allowing multiple L3 hops in between:
- Less stringent H/W capability requirements
- Insertion of L3 stateful devices (non LISP capable)
- Multiple points in the network capable of injecting LISP mobile information and “influence” traffic routing
[Figure: same DC-1/DC-2 topology as the previous slide, with the FHR role highlighted.]
LISP DC Mobility :: Mobility Functions
FHR – Across Subnet Mode
• Signaling:
– Single-Hop (FHR = xTR)
• Detection:
– ARP packets (FHR not required to be Gateway)
– IP packets
– Supports Foreign Subnet
– Probing (expiration)
• Location Services:
– Routed Traffic
– Bridged Traffic (IP Local Proxy ARP)
[Figure: VM A.B.C.D (MAC D) moves from the Original DC, where its gateway is A.B.C.1 (MAC A), to a Service Provider DC, Disaster Recovery DC or New DC whose subnet is A.B.C.0/24 or A.B.D.0/24 and where the FHR (A.B.C.F, MAC F) acts as gateway. Disk state and memory state move with the VM; the VM's ARP table (A.B.C.1, A.B.C.E, remote host E.F.G.H) is kept consistent; intra-subnet and inter-subnet traffic are both ticked.]
LISP DC Mobility :: Mobility Functions
FHR+ETR – Across Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local peers
– S-N: ETR → MSMR → ETR
[Figure: DC-1 and DC-2 with ETR/ITR, DC-2 locators 10.10.3.1 and 10.10.4.1, a Mapping DB (MSMR), a LISP Client Site and a Non LISP Client Site (PITR/PETR) over the WAN or Internet; the FHR+ETR role is highlighted.]
IOS (FHR+ETR):
router lisp
 locator-set DC2
  10.10.3.1 priority 1 weight 5
  10.10.4.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VM
   database-mapping 172.71.73.0/24 locator-set DC2
   map-notify-group 230.23.3.1
   exit
 ipv4 etr
 ipv4 etr map-server 10.10.0.1 key DC
! [..]
interface GigabitEthernet0/0.73
 encapsulation dot1q 73
 ip address 172.71.73.3 255.255.255.0
 standby 0 ip 172.71.73.254
 lisp mobility VM
 ! no lisp extended-subnet-mode
 ! ip proxy-arp
LISP DC Mobility :: Mobility Functions
FHR+ETR – Across Subnet Mode: LISP Mobility HRI
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local peers
– S-N: ETR → MSMR → ETR
• FHR (ETR) + MSMR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution
[Figure: DC-1 and DC-2, each with an ETR doing Host Route Injection, a Mapping DB (MSMR), a Regional Site and a Non LISP Client Site over the WAN; the FHR role is highlighted.]
IOS (the injected host routes can be redistributed):
ETR# show ip route
[..]
      172.71.0.0/16 is variably subnetted, 4 subnets, 2 masks
C        172.71.73.0/24 is directly connected, Ethernet0/0.73
L        172.71.73.1/32 is directly connected, Ethernet0/0.73
l        172.71.73.123/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73
l        172.71.73.124/32 [10/1] via 172.71.73.123, 00:01:18, Ethernet0/0.73
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode
• Signaling:
– Single-Hop (FHR = xTR)
– Multi-Hop (FHR ≠ xTR)
• Detection:
– IP packets (FHR = GW)
– Silent Host Detection (ARP based)
• Location Services:
– Routed Traffic (using LISP or other overlay tunnel router)
– FHRP Isolation
[Figure: VM A.B.C.D (MAC D) moves over a LAN Extension from the Original DC to a Service Provider DC, Disaster Recovery DC or New DC; the same gateway A.B.C.1 (MAC A) exists at both ends, served by the FHR acting as GW. Disk state and memory state move with the VM; the VM's ARP table (A.B.C.1 → A, A.B.C.E → E, remote host E.F.G.H) is unchanged; intra-subnet and inter-subnet traffic are both ticked.]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
[Figure: DC-1 and DC-2 joined by a LAN Extension, each with ETR/ITR and FHR pairs; DC-1 xTR at 10.10.1.1, DC-2 locators 10.10.3.1 and 10.10.4.1; a Mapping DB (MSMR), a LISP Client Site and a Non LISP Client Site (PITR/PETR) over the WAN or Internet; the FHR role is highlighted.]
IOS (FHR):
router lisp
 locator-set DC2
  10.10.3.1 priority 1 weight 5
  10.10.4.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VMs
   database-mapping 172.71.73.0/24 locator-set DC2
   map-notify-group 230.23.3.1
   eid-notify 10.10.1.1 key DC2-XTR
   exit
 ! [..]
!
interface GigabitEthernet0/0
 ip address 172.71.73.3 255.255.255.0
 standby 0 ip 172.71.73.1
 lisp mobility VMs
 lisp extended-subnet-mode
!
LISP DC Mobility :: Mobility Functions
ETR – Extended Subnet Mode: Signaling & Config
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
[Figure: same DC-1/DC-2 topology as the previous slide; the ETR role is highlighted.]
IOS (ETR):
router lisp
 locator-set DC2
  10.10.1.1 priority 1 weight 5
  exit
 eid-table default instance-id 3333
  dynamic-eid VMs
   database-mapping 172.71.73.0/24 locator-set DC2
   eid-notify authentication-key DC2-XTR
   exit
 ipv4 etr
 ipv4 etr map-server 10.10.0.1 key DC
 ! [..]
LISP DC Mobility :: Mobility Functions
FHR/ETR – Extended Subnet Mode: Dynamic EID Table
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
[Figure: same DC-1/DC-2 topology as the previous slides; the FHR role is highlighted.]
NxOS (FHR):
FHR# show lisp dynamic-eid summary
LISP Dynamic EID Summary for VRF "default"
* = Dyn-EID learned by site-based Map-Notify
! = Dyn-EID learned by routing protocol
^ = Dyn-EID learned by EID-Notify
Dyn-EID Name  Dynamic-EID      Interface  Uptime    Last Packet  Pending Ping Count
VMs           *172.71.73.102   Vlan10     03:46:28  00:00:19     0
VMs            172.71.73.112   Vlan10     02:01:20  00:00:40     0
IOS (ETR):
ETR# show lisp dynamic-eid summary
LISP Dynamic EID Summary for VRF "default"
* = Dyn-EID learned by Site-Based Map-Notify
^ = Dyn-EID learned by EID Notify
Dyn-EID Name  Dynamic-EID      Interface  Uptime    Last Packet  Pending Ping Count
VMs           ^172.71.73.102   N/A        03:46:40  00:00:54     0
VMs           ^172.71.73.112   N/A        02:01:20  00:00:50     0
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: LISP Mobility HRI
• The signaling of the mobile VM location initiated by a FHR discovery, happens on both axes:
– E-W: local and remote peers
– N-S: FHR → xTR → MSMR → xTR → FHR
• FHR can be deployed as a LISP standalone function, for the lightest LISP DC mobility solution
[Figure: DC-1 and DC-2 joined by a LAN Extension, each with FHR pairs doing Host Route Injection, a Regional Site and a Non LISP Client Site over the WAN; the FHR role is highlighted.]
NxOS (the injected host routes can be redistributed):
FHR# show ip route
172.71.73.0/24, ubest/mbest: 1/0, attached
    *via 172.71.73.5, Vlan15, [0/0], 10:45:30, direct
172.71.73.0/25, ubest/mbest: 1/0
    *via Null0, [249/0], 02:35:50, lisp, dyn-eid
172.71.73.1/32, ubest/mbest: 1/0
    *via 172.71.73.1, Vlan15, [0/0], 10:45:05, hsrp
172.71.73.34/32, ubest/mbest: 1/0, attached
    *via 172.71.73.34, Vlan15, [249/0], 00:11:26, lisp, dyn-eid
172.71.73.5/32, ubest/mbest: 1/0, attached
    *via 172.71.73.5, Vlan15, [0/0], 10:45:30, local
172.71.73.16/32, ubest/mbest: 1/0, attached
    *via 172.71.73.16, Vlan15, [249/0], 00:08:06, lisp, dyn-eid
172.71.73.128/25, ubest/mbest: 1/0
    *via Null0, [249/0], 02:35:50, lisp, dyn-eid
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Silent Host Detection (1/2)
• FHR can detect idle servers at either DC location with proper routing design
• Steps
1. LISP remote PxTR announces server subnet
2. DC-1 ETR Registers server subnet in MS
3. DC-1 ETR announces server subnet to Internet DMZ
4. DC-1 ETR installs server subnets to local FHRs
5. FHR receives client traffic to idle servers
6. FHR resolves server address and forwards traffic (over LAN Extension)
7. Return IP traffic from server hits local gateway (FHRP Isolation) and triggers detection by FHR
• Available in both IOS and NxOS implementations
[Figure: DC-1 and DC-2 joined by a LAN Extension, each with ETR/ITR and FHR pairs, DC-1 xTR at 10.10.1.1, an Internet DMZ, a Mapping DB (MSMR), a LISP Client Site and a Non LISP Client Site (PITR/PETR) over the WAN or Internet; steps 1 to 7 are numbered on the diagram, step 7 at both DCs.]
LISP DC Mobility :: Mobility Functions
FHR – Extended Subnet Mode: Silent Host Detection (2/2)
• When the FHR does not announce a coarse server subnet, it can detect idle servers locally by inspecting and probing ARP traffic
• Steps
1. FHR receives ARP packets from idle server
2. FHR probes the IP address with an ICMP packet, using the Virtual IP and MAC (HSRP) as source
3. ICMP packet reaches the silent server on the same DC (HSRP Isolation)
4. Return ICMP packet from server hits local gateway (FHRP Isolation) and triggers detection by FHR
• Only in NxOS
• ARP Probing is rate limited
[Figure: DC-1 and DC-2 joined by a LAN Extension, each with FHR pairs doing Host Route Injection, a Regional Site and a Non LISP Client Site over the WAN; the ARP (steps 1, 2) and ICMP (steps 3, 4) exchanges are drawn at DC-1.]
LISP DC Mobility :: Mobility Functions
SMR – Notify other Tunnel Routers of the move
[Figure: West-DC and East-DC, each with FHR and xTR pairs, a Mapping DB (MSMR) and a Private WAN; a LISP Regional Site, a Non-LISP Client Site behind a PxTR and another Non-LISP Client Site; a Move Event for host 10.0.1.67 from West-DC to East-DC, with the SMR steps 1 to 8 numbered on the diagram. Legend: EID, RLOC, LISP Encap/Decap, LISP Device, Host Detection.]
• Solicit Map Request (SMR) Mechanism:
1 FHR Detection and EID notify to ETRs
2 ETRs register dynamic EID to MS
3 MS notifies old registrant ETRs
4 Losing ETRs update local (IOS) or away (NxOS) host tables
5 Active decapsulated traffic from remote PITR/ITRs that hits away host table entry triggers SMR
6 PITR/ITRs process SMR and send map-request to MR to update their map cache
7 MRMS forwards request to East DC ETR, which sends map-reply
8 PITR/ITR steer traffic to new East DC locators
Mapping DBMSMR
123
SMRSMR
554 4
6
78
246
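The eight SMR steps above, as an added Python model that is not part of the seminar or of any Cisco implementation: the ETR names, RLOCs, the EID 10.0.1.67 and the dict-shaped messages are constructed stand-ins for the real control-plane exchange, and MS and MR are collapsed into one object.

```python
"""Constructed model of the LISP Solicit-Map-Request (SMR) flow, steps 1-8.
Added example, not Cisco code: control-plane messages are plain Python
values, the MS and MR are collapsed into one object, and the ETR names,
RLOCs and EID are made-up sample values."""
from dataclasses import dataclass, field


@dataclass
class MapSystem:
    """MS/MR: EID -> names of the ETRs that currently register it."""
    registrations: dict = field(default_factory=dict)
    etrs: dict = field(default_factory=dict)

    def register(self, etr, eid):
        """Step 2: ETR registers the dynamic EID.  Step 3: MS notifies
        the previous registrant(s), which become the 'losing' ETRs."""
        losers = self.registrations.get(eid, set()) - {etr.name}
        self.registrations[eid] = {etr.name}
        for name in losers:
            self.etrs[name].map_notify_lost(eid)
        return losers

    def map_request(self, eid):
        """Step 7: MR forwards the Map-Request to the registering ETR,
        which answers with a Map-Reply carrying its locator set."""
        owner = next(iter(self.registrations[eid]))
        return self.etrs[owner].map_reply(eid)


@dataclass
class ETR:
    name: str
    rlocs: list
    ms: MapSystem
    local_hosts: set = field(default_factory=set)
    away_hosts: set = field(default_factory=set)

    def fhr_detect(self, eid):
        """Step 1: FHR detection, EID notify to this ETR."""
        self.local_hosts.add(eid)
        self.away_hosts.discard(eid)
        self.ms.register(self, eid)

    def map_notify_lost(self, eid):
        """Step 4: losing ETR moves the host to its away table."""
        self.local_hosts.discard(eid)
        self.away_hosts.add(eid)

    def map_reply(self, eid):
        return {"eid": eid, "rlocs": list(self.rlocs)}

    def decapsulate(self, eid, itr):
        """Step 5: decapsulated traffic that hits an away-table entry
        triggers an SMR back to the sending ITR/PITR."""
        if eid in self.local_hosts:
            return "delivered"
        if eid in self.away_hosts:
            itr.receive_smr(eid)
            return "away"
        return "unknown"


@dataclass
class ITR:
    """ITR or PITR with a map cache keyed by EID."""
    ms: MapSystem
    map_cache: dict = field(default_factory=dict)

    def locators(self, eid):
        if eid not in self.map_cache:
            self.map_cache[eid] = self.ms.map_request(eid)["rlocs"]
        return self.map_cache[eid]

    def receive_smr(self, eid):
        """Step 6: process the SMR by re-requesting the mapping from the
        MR; the Map-Reply refreshes the cache entry."""
        self.map_cache[eid] = self.ms.map_request(eid)["rlocs"]

    def forward(self, eid, etr_by_rloc):
        """Encapsulate toward the first cached RLOC and report what the
        decapsulating ETR did with the packet."""
        rloc = self.locators(eid)[0]
        return rloc, etr_by_rloc[rloc].decapsulate(eid, self)


def run_move_scenario(eid="10.0.1.67"):
    """Server EID moves West-DC -> East-DC; returns the per-packet trace
    and the PITR's final locator list for the EID (step 8)."""
    ms = MapSystem()
    west = ETR("West-DC", ["10.1.1.1", "10.1.1.2"], ms)
    east = ETR("East-DC", ["10.2.2.1", "10.2.2.2"], ms)
    ms.etrs = {e.name: e for e in (west, east)}
    etr_by_rloc = {r: e for e in (west, east) for r in e.rlocs}
    pitr = ITR(ms)
    west.fhr_detect(eid)                          # server starts in West
    trace = [pitr.forward(eid, etr_by_rloc)]      # cache filled with West RLOCs
    east.fhr_detect(eid)                          # Move Event (steps 1-4)
    trace.append(pitr.forward(eid, etr_by_rloc))  # stale cache hits away table: SMR (5-7)
    trace.append(pitr.forward(eid, etr_by_rloc))  # traffic steered to East (8)
    return trace, pitr.map_cache[eid]


if __name__ == "__main__":
    for hop in run_move_scenario()[0]:
        print(hop)
```

The second forwarded packet still goes to the stale West RLOC, which is exactly the window step 5 closes: the losing ETR's away table is what turns that misdirected packet into an SMR instead of a black hole.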
LISP Data Center/Host Mobility: Across Subnet

Customer :: NJEdge.NET (slide 248)
[Diagram: NJEdge.Net LISP network with MS/MR and PxTR; members 1..N each with an xTR and a default route (or BGP) toward the IPv4 Internet via Tier 1 SP1/SP2 and commodity/transit SPs; IPv6 Internet reachable for some member traffic (Google, Facebook); LISP-to-LISP and non-LISP-to-LISP paths; IPv4 EID aggregate advertisement; a member site with a firewall doing 1:1 NAT between 192.168.0.0/24 and 172.31.255.0/24 (192.168.0.10 to 172.31.255.10)]
• Web Server Backup Service
  – Cold Move – Across Subnet Mode
  – Single server machine needs to move to LISP Service Provider DC for scheduled maintenance or DR
• NAT Support
  – Firewalls with 1:1 NAT acting as server gateway are typically deployed on original site
  – Host presence detection on original site on public prefix
  – Public IP address moves to LISP Service Provider DC
Customer :: IBM Strategic Outsourcing UK (slide 249)
• Before LISP: Big-Bang Approach
  – Perform a bulk migration with high risk
  – Take longer to start moving servers
  – Longer storage migration cycle that requires keeping a large data set in synch over WAN
[Diagram: bulk migration over a shared or migration WAN from the Brownfield customer DC (10.1.1.0/24, servers 10.1.1.5 and 10.1.1.6, L2/L3 boundary, any VLAN and any STP) to the Greenfield IBM DC (10.1.1.0/24 behind an ASR1K)]
Customer :: IBM Strategic Outsourcing UK (slide 250)
• With LISP:
  – Can perform the server migration in smaller waves (lower risk) and faster, as soon as the server data is available on IBM DC
  – The amount of data to be kept in synch is minimized, reducing risk and WAN requirements
  – Path optimization from the user to the application is possible, eliminating latency concerns and reducing WAN bandwidth requirements
  – Simplicity: Repeatable, easy to implement with pre-defined price
• IBM SO UK Reduced the Migration Window from years to weeks (95%)
[Diagram: LISP ASM incremental server migration over the WAN; Brownfield customer DC (servers 10.1.1.5 and 10.1.1.6, L2/L3, any VLAN and any STP) to the Greenfield IBM DC (ASR1K as ETR with MS/MR; server 10.1.1.5 already moved)]
Customer :: IBM Strategic Outsourcing UK (slide 251)
• Brownfield DC:
  – Non intrusive ASR1000 placement (on-a-stick), configured as LISP PxTR
  – No changes in routing advertisement (mobile aggregate subnet)
• Greenfield DC:
  – LISP Mapping System (MSMR)
  – LISP xTR with ASM Mobility (Dynamic EID) for the migrating prefix
[Diagram: Brownfield customer DC (10.1.1.0/24, servers 10.1.1.5 and 10.1.1.6) with an ASR1K PxTR/ETR on RLOCs 2.2.2.2 and 3.3.3.3; Greenfield IBM DC with an ASR1K ETR and MS/MR on RLOCs 4.4.4.4 and 5.5.5.5, LISP dynamic EID 10.1.1.0/24; Mapping System: 10.1.1.0 -> 2.2.2.2, 3.3.3.3]
Customer :: IBM Strategic Outsourcing UK (slide 252)
• Dynamic Granular Migration:
  – As soon as server is enabled in Greenfield DC, it is discovered by IP/ARP traffic and registered into LISP Mapping System
• Dynamic Path Optimization:
  – Client traffic is steered to new Greenfield location
  – Return traffic can be symmetric to allow external firewalls in Brownfield DC
  – Intra-subnet traffic from Brownfield DC is routed (GARP+LISP) to Greenfield DC
[Diagram: as on the previous slide; server 10.1.1.5 is now discovered via IP/ARP in the Greenfield DC and a GARP is sent in the Brownfield DC; Mapping System before: 10.1.1.0 -> 2.2.2.2, 3.3.3.3; after: 10.1.1.0 -> 2.2.2.2, 3.3.3.3 and 10.1.1.5 -> 4.4.4.4, 5.5.5.5]
Customer :: European Service Provider (slide 253)
Use Case: DC to Cloud IP Mobility
Benefit: Simplified Application Deployment to the Cloud
[Diagram: Enterprise DC with an ASR WAN router connected over the LISP protocol to a cloud provider data center running CSR 1000V routers in front of VPC/vDC switches and servers]
Challenges
• Simple, Fast, Transparent Application Onboarding
• Consistency with DC Network Features
Benefits
• Simpler App Integration
• Dynamic infrastructure
• Consistent Management
Solutions
• LISP for VM Mobility
• Routing
• NAT, DHCP
LISP Data Center/Host Mobility: Extending Subnet

Customer :: US National Bank
MPLS Core, Extending Subnets – Topology (slide 255)
[Diagram: Customer-A MPLS-VPN over an MPLS core with PE1-PE6; Customer-A sites 1-4 (CE1-CE4, each an ITR/ETR); Blue/DC 1 (Location 1, CE5/CE6) and Blue/DC 2 (Location 2, CE7/CE8), each an ITR/ETR, joined by a LAN extension (OTV); MS/MR pair; DC prefixes 172.17.0.0/16 and 172.18.0.0/16, dynamic EID 172.17.0.0/24]
Customer :: US National Bank
MPLS Core, Extending Subnets – LISP Configurations (Sites and MSMRs) (slide 256)
[Diagram: same topology as the previous slide; Site-1 EID 172.16.1.0/24 with RLOC GE0/0/0 10.1.1.2/30; MS/MR RLOCs GE0/0/0 10.1.5.1 and 10.1.6.1]
Site-1 xTR (IOS):
  router lisp
   eid-table default instance-id 0
    database-mapping 172.16.1.0/24 10.1.1.2 pri 1 wei 100
    exit
   !
   ipv4 itr
   ipv4 etr
   ipv4 itr map-resolver 10.1.5.1
   ipv4 etr map-server 10.1.5.1 key s3cr3t
   ipv4 itr map-resolver 10.1.6.1
   ipv4 etr map-server 10.1.6.1 key s3cr3t
  !
MS/MR (IOS):
  router lisp
   !
   site DCs
    authentication-key DCs3cr3t
    eid-prefix 172.17.0.0/16 accept-more-specifics
    eid-prefix 172.18.0.0/16
    exit
   !
   site Site-1
    authentication-key s3cr3t
    eid-prefix 172.16.1.0/24
    exit
   !--<more sites>---
   ipv4 map-server
   ipv4 map-resolver
   exit
  !
Customer :: US National Bank
MPLS Core, Extending Subnets – LISP Configurations (Data Centers) (slide 257)
[Diagram: same topology; DC xTR RLOCs RLOC-A 10.2.5.1, RLOC-B 10.2.5.5, RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5; dynamic EID 172.17.0.0/24]
DC xTRs with RLOC-C / RLOC-D (NX-OS):
  ip lisp itr-etr
  ip lisp database-mapping 172.18.0.0/16 10.2.6.1 p 1 w 50
  ip lisp database-mapping 172.18.0.0/16 10.2.6.5 p 1 w 50
  ip lisp itr map-resolver 10.1.5.1
  ip lisp itr map-resolver 10.1.6.1
  ip lisp etr map-server 10.1.5.1 key DCs3cr3t
  ip lisp etr map-server 10.1.6.1 key DCs3cr3t
  lisp dynamic-eid CUST-A-ROAM
   database-mapping 172.17.0.0/24 10.2.6.1 p 1 w 50
   database-mapping 172.17.0.0/24 10.2.6.5 p 1 w 50
   map-notify-group 239.1.1.1
  interface vlan 100
   ip address 172.17.0.4/24 (or 172.17.0.5/24)
   lisp mobility CUST-A-ROAM
   lisp extended-subnet-mode
   hsrp 101
    preempt delay reload 300
    priority 130
    ip 172.17.0.1
DC xTRs with RLOC-A / RLOC-B (NX-OS):
  ip lisp itr-etr
  ip lisp database-mapping 172.17.0.0/16 10.2.5.1 p 1 w 50
  ip lisp database-mapping 172.17.0.0/16 10.2.5.5 p 1 w 50
  ip lisp itr map-resolver 10.1.5.1
  ip lisp itr map-resolver 10.1.6.1
  ip lisp etr map-server 10.1.5.1 key DCs3cr3t
  ip lisp etr map-server 10.1.6.1 key DCs3cr3t
  lisp dynamic-eid CUST-A-ROAM
   database-mapping 172.17.0.0/24 10.2.5.1 p 1 w 50
   database-mapping 172.17.0.0/24 10.2.5.5 p 1 w 50
   map-notify-group 239.1.1.1
  interface vlan 100
   ip address 172.17.0.2/24 (or 172.17.0.3/24)
   lisp mobility CUST-A-ROAM
   lisp extended-subnet-mode
   hsrp 101
    preempt delay reload 300
    priority 130
    ip 172.17.0.1
Customer :: US National Bank
MPLS Core, Extending Subnets – Initial State (slide 258)
[Diagram: same topology; RLOC-A 10.2.5.1, RLOC-B 10.2.5.5, RLOC-C 10.2.6.1, RLOC-D 10.2.6.5; the server 172.17.0.12/32 is behind RLOC-A/RLOC-B; Site-1 EID 172.16.1.0/24 with RLOC GE0/0/0 10.1.1.2/30]
Site-1 map-cache:
  EID-prefix: 172.17.0.12/32
  Locator-set: 10.2.5.1, priority: 1, weight: 50
               10.2.5.5, priority: 1, weight: 50
Customer :: US National Bank
MPLS Core, Extending Subnets – After the Move (slide 259)
[Diagram: same topology; the server 172.17.0.12/32 moves behind RLOC-C/RLOC-D; Site-1 EID 172.16.1.0/24 with RLOC GE0/0/0 10.1.1.2/30]
Site-1 map-cache before the move:
  EID-prefix: 172.17.0.12/32
  Locator-set: 10.2.5.1, priority: 1, weight: 50
               10.2.5.5, priority: 1, weight: 50
Site-1 map-cache after the move:
  EID-prefix: 172.17.0.12/32
  Locator-set: 10.2.6.1, priority: 1, weight: 50
               10.2.6.5, priority: 1, weight: 50
LISP Data Center/Host Mobility: Services Integration

LISP DC Mobility :: Services Integration (slide 261)
• Virtualized First Hop Router as anycast gateway for each Server Zone
  – Servers move and retain their IP address, gateway and ARP cache
  – LISP dynamic EID detection and signaling
• Internal Firewall as inter zone router
• DCI Overlay Router attracts L3 traffic for servers discovered on the ‘other’ data center
• FW in the data path to inspect bidirectional traffic
[Diagram: front-end and two back-end zones behind a single router or N7K VDC; single L3 FW or FW contexts; SLB; DCI overlay router or N7K VDC carrying overlay traffic (OTV / GRE / LISP …) to/from servers in the other DC]
LISP DC Mobility :: Services Integration
Configuration approach: IOS (slide 262)
[Diagram: same services topology; a single router acts as FHR for the front-end and back-end zones, the DCI overlay router as site gateway]
FHR (IOS):
  router lisp [0]: LISP Role FHR, locator-table = vrf silver, EID-table = vrf silver, LISP Instance ID = 999
  router lisp 1: LISP Role FHR, locator-table = vrf gold, EID-table = vrf gold, LISP Instance ID = 999
  router lisp 2: LISP Role FHR, locator-table = vrf blue, EID-table = vrf blue, LISP Instance ID = 999
DCI Overlay Router (IOS):
  router lisp [0]: LISP Role xTR Site Gateway, EID-table = vrf crimson, LISP Instance ID = 999
LISP DC Mobility :: Services Integration
Configuration example: IOS (slide 263)
[Diagram: same services topology; the configuration belongs to the DCI overlay router (xTR site gateway)]
DCI Overlay Router (IOS):
  router lisp
   locator-table crimson
   locator-set WestDC
    10.0.1.2 priority 1 weight 5
   eid-table crimson instance-id 999
    database-mapping 171.71.64.0/20 loc WestDC
    dynamic-eid VM-EXTENDED-SILVER
     database-mapping 171.71.71.0/24 loc WestDC
     eid-notify authentication-key WEST
    !
    dynamic-eid VM-EXTENDED-BLUE
     database-mapping 171.71.73.0/24 loc WestDC
     eid-notify authentication-key WEST
    !
    dynamic-eid VM-EXTENDED-GOLD
     database-mapping 171.71.72.0/24 loc WestDC
     eid-notify authentication-key WEST
    !
    exit
   ipv4 etr
   [..]
LISP DC Mobility :: Services Integration
Configuration example: IOS (slide 264)
[Diagram: same services topology; the DCI overlay router configuration is the one shown on slide 263, the FHR configuration for the blue zone is added below]
FHR, blue zone (IOS):
  router lisp 2
   locator-table vrf blue
   locator-set WestDC
    10.11.3.1 p 1 weight 5
    exit
   !
   eid-table vrf blue i 999
    dynamic-eid VM-EXTENDED-BLUE
     database-map 171.71.73.0/24 locator-set WestDC
     map-notify-group 230.23.3.1
     eid-notify 10.11.4.1 key WEST
     exit
  !
  [..]
  interface GigabitEthernet1/1.30
   vrf forwarding blue
   lisp mobility VM-EXTENDED-BLUE
   lisp extended-subnet-mode
   standby 30 ip 171.71.73.1
LISP DC Mobility :: Services Integration
Configuration approach: NxOS (slide 265)
[Diagram: same services topology; a single VDC acts as FHR for the front-end and back-end zones, a DCI overlay VDC as site gateway]
FHR (NxOS):
  vrf context silver: LISP Role FHR, LISP Instance ID = 999
  vrf context gold: LISP Role FHR, LISP Instance ID = 999
  vrf context blue: LISP Role FHR, LISP Instance ID = 999
DCI Overlay VDC (NxOS):
  vrf context crimson: LISP Role xTR Site Gateway, LISP Instance ID = 999
LISP DC Mobility :: Services Integration
Configuration example: NxOS (slide 266)
[Diagram: same services topology; the configuration belongs to the DCI overlay VDC (xTR site gateway)]
DCI Overlay VDC (NxOS):
  vrf context crimson
   lisp instance-id 999
   ip lisp itr-etr
   ip lisp database-mapping 171.71.64.0/20 10.0.1.2 priority 1 weight 5
   lisp dynamic-eid VM-EXT-SILVER
    instance-id 999
    database-map 171.71.71.0/24 10.0.1.2 p 1 w 5
    eid-notify authentication-key WEST
   !
   lisp dynamic-eid VM-EXT-BLUE
    instance-id 999
    database-map 171.71.73.0/24 10.0.1.2 p 1 w 5
    eid-notify authentication-key WEST
   !
   lisp dynamic-eid VM-EXT-GOLD
    instance-id 999
    database-map 171.71.72.0/24 10.0.1.2 p 1 w 5
    eid-notify authentication-key WEST
   !
   [..]
LISP DC Mobility :: Services Integration
Configuration example: NxOS (slide 267)
[Diagram: same services topology; the DCI overlay VDC configuration is the one shown on slide 266, the FHR configuration for the blue zone is added below]
FHR, blue zone (NxOS):
  vrf context blue
   lisp instance-id 999
   ip lisp etr
   lisp dynamic-eid VM-EXT-BLUE
    database-map 171.71.73.0/24 10.11.3.1 priority 1 weight 5
    map-notify-group 230.23.3.1
    eid-notify 10.11.4.1 key WEST
    exit
  !
  [..]
  interface Vlan 30
   vrf member blue
   lisp mobility VM-EXT-BLUE
   lisp extended-subnet-mode
   hsrp 30
    ip 171.71.73.1
LISP DC Mobility :: Services Integration
Option #1 : Host route injection from local FHR (slide 268)
• Firewall layer forwards server traffic to the DCI Overlay Router, following a default route or an aggregate route advertisement
• When LISP detects a local server presence, it dynamically injects a more specific route into the DC IGP to attract traffic from the FW
[Diagram: front-end and back-end zones; each FHR injects host routes toward the FW layer; the FW follows the default or aggregate route to the DCI overlay router for servers in the other DC]
LISP DC Mobility :: Services Integration
Option #1 : HRI from local FHR: IOS Configuration (slide 269)
[Diagram: as on the previous slide; host route injection from each FHR, FW follows default or aggregate route]
FHR, blue zone (IOS):
  router ospf 203 vrf blue
   router-id 10.11.3.1
   capability vrf-lite
   redistribute lisp subnets route-map VMs
   network 171.71.73.0 0.0.0.255 area 0
  !
  ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32
  route-map VMs permit 10
   match ip address prefix-list VMs
   set tag 173
  !
LISP DC Mobility :: Services Integration
Option #1 : HRI from local FHR: NxOS Configuration (slide 270)
[Diagram: as on the previous slides; host route injection from each FHR, FW follows default or aggregate route]
FHR, blue zone (NxOS):
  router ospf 203
   vrf blue
    redistribute lisp route-map VMs
  !
  interface Ethernet1/13.113
   vrf member blue
   ip router ospf 203 area 0.0.0.0
  !
  ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32
  route-map VMs permit 10
   match ip address prefix-list VMs
   set tag 173
  !
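What the route-map on the IOS and NxOS HRI configurations above actually lets into OSPF, as an added Python model (not Cisco code) of `ip prefix-list VMs seq 5 permit 171.71.64.0/20 ge 32` with `route-map VMs permit 10 / set tag 173`: only /32 host routes inside the mobility aggregate are redistributed, so a subnet or an address outside the aggregate that LISP could hand over never leaks into the IGP. The sample LISP-learned routes are constructed.

```python
"""Added example, not Cisco code: a model of the prefix-list / route-map
gate used for LISP host-route injection into OSPF.  The sample
LISP-learned routes below are constructed."""
from ipaddress import ip_network

IPV4_MAX_PREFIXLEN = 32


def prefix_list_permits(permit_prefix, route, ge=None, le=None):
    """IPv4 prefix-list entry semantics: the route must lie inside
    permit_prefix and its mask length must fall in the ge..le window.
    No ge/le -> exact length only; 'ge N' alone -> N <= length <= 32."""
    base = ip_network(permit_prefix, strict=False)
    candidate = ip_network(route, strict=False)
    if not candidate.subnet_of(base):
        return False
    low = ge if ge is not None else base.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = IPV4_MAX_PREFIXLEN
    else:
        high = base.prefixlen
    return low <= candidate.prefixlen <= high


def route_map_vms(route):
    """route-map VMs permit 10: match ip address prefix-list VMs,
    set tag 173.  Anything unmatched hits the implicit deny (None)."""
    if prefix_list_permits("171.71.64.0/20", route, ge=32):
        return 173
    return None


def redistribute_lisp_into_ospf(lisp_routes):
    """Apply the route-map to each LISP-learned route; return the
    (route, tag) pairs that OSPF would actually receive."""
    admitted = []
    for route in lisp_routes:
        tag = route_map_vms(route)
        if tag is not None:
            admitted.append((route, tag))
    return admitted


# Constructed sample of routes LISP could offer for redistribution.
SAMPLE_LISP_ROUTES = [
    "171.71.73.5/32",   # detected VM in the blue mobility subnet: permitted
    "171.71.71.20/32",  # detected VM in the silver subnet: permitted
    "171.71.73.0/24",   # the subnet itself, not a host route: denied
    "171.71.80.7/32",   # host route outside 171.71.64.0/20: denied
    "10.11.3.1/32",     # RLOC-side address: denied
]

if __name__ == "__main__":
    for route, tag in redistribute_lisp_into_ospf(SAMPLE_LISP_ROUTES):
        print(route, "tag", tag)
```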
LISP DC Mobility :: Services Integration
Option #2 : Host route injection from Overlay Router (slide 271)
• Firewall layer forwards server traffic to each individual FHR, following its route advertisement or a static route
• When LISP detects a server presence in another DC, a more specific route is dynamically advertised by the overlay router to attract traffic from FW
  – Can be implemented by propagating LISP HRI at a remote DC
  – Can be implemented by redistributing “away host” table from LISP XTR SG
[Diagram: front-end and back-end zones; the FW follows the server subnet routes to the FHRs; the DCI overlay router injects host routes for servers located in the other DC]
LISP DC Mobility :: Services Integration
Option #3: Design without LISP HRI – Concept (slide 272)
• L3 Firewalls that cannot handle host routes or participate in routing protocol
• Server-to-server traffic: star pattern (one server tier centric)
• Inter-VLAN router is a LISP device (xTR):
  – Detection for main server tier (single-hop)
  – Registration for other tiers (multi-hop)
  – Location awareness
[Diagram: typical traffic patterns between the web, app and db tiers; LISP overlay to/from servers in the other DC]
LISP DC Mobility :: Services Integration
Option #3: Distributed Implementation (slide 273)
• Virtualized Access Router
• Distribution Router (xTR)
[Diagram: web, app and db tiers behind standalone L3 FWs or FW contexts and a single router or N7K VDC as access router; SLB; an xTR edge router or N7K VDC as distribution router carrying the LISP overlay to/from servers in the other DC]
LISP DC Mobility :: Services Integration
Option #3: Combo Implementation (slide 274)
• Combined Virtualized Router
[Diagram: web, app and db tiers behind standalone L3 FWs or FW contexts; a single router or N7K VDC combines the access-router and xTR roles; SLB; LISP overlay to/from servers in the other DC]
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern before app move (slide 275)
• Session state is established on West blue FW
[Diagram: West-DC and East-DC, each with web, app and db tiers; session state (S) held on the West-DC FW]
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern after app move (slide 276)
• Re-uses Session state on West DC FW
• Session Survivability
[Diagram: West-DC and East-DC web/app/db tiers joined by the LISP overlay; session state (S) still on the West-DC FW. Steps: 1 XTR detects and registers gold; 2 XTR encapsulates traffic to gold; 3 blue subnet route points to local blue FW, but the XTR SG “knows” blue is away and not behind local blue firewall]
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern before web move (slide 277)
• Session state is established on West blue/silver FW
[Diagram: West-DC and East-DC, each with web, app and db tiers; session state (S) held on the West-DC blue and silver FWs]
LISP DC Mobility :: Services Integration
Design without LISP HRI: traffic pattern after web move (slide 278)
• East DC silver FW has no state
• Session needs to be re-established on both West/East DC FWs
• All firewalls see bidirectional traffic
[Diagram: West-DC and East-DC web/app/db tiers joined by the LISP overlay. Steps: 1 FHR detects silver; 2 XTR registers silver; 3 XTR encapsulates traffic to silver; 4 No existing state!!; 5 New State created on the West-DC and East-DC FWs]
LISP DC Mobility :: Services Integration
Session Survivability with FW Inter DC Clustering
Session survivability can be achieved by having the same firewall cluster extending across DCs: traffic is forwarded to the West-DC cluster member owning the session state (ASA 9.1.4).
Hair-pinning is temporary for sessions established before the move. New session state will be created on the East-DC firewall, without hair-pinning.
[Diagram: LISP branch site over the WAN to West-DC and East-DC, each with three FHRs and an XTR; firewall cluster control link (CCL) over the DCI]
Customer :: WorldWide Technology (slide 280)
Session Survivability with FW Inter DC Clustering
https://www2.wwt.com/resilient-active-datacenters
• RAD: Resilient Active Datacenters
• Seamless Mobility with Session Survivability:
  – Compute – Cisco UCS
  – Storage – EMC VPLEX, NetApp Metrocluster
  – Networking – Cisco OTV/LISP
  – Virtualization – VMWare, Microsoft Hyper-V
  – Security – Cisco ASA Clustering
LISP DC Mobility :: Services Integration
Integration with Load Balancer RHI (slide 281)
• West & East Load Balancers have consistent Route Health Injection policies
• When VIP host route announcement flips from West to East DC, LISP detects VIP and optimizes ingress traffic from WAN/Internet
• Event Sequence:
  1. All cluster resources move East (last cluster member moves)
  2. VIP Host route is injected by East SLB and withdrawn by West SLB
  3. VIP detection occurs at East XTR (single-hop)
     • Packet based (IOS)
     • Host Route based (NxOS)
  4. ETR registration and SMR mechanism reroute client traffic from ISP PxTRs and WAN xTRs to East DC locators
[Diagram: West-DC and East-DC web/backend tiers with SLBs; Internet reached via ISP-1/ISP-2 PxTRs and the private WAN via an XTR. Annotations: 1 last cluster member moves; 2 West SLB stops VIP advertisement, East SLB starts VIP advertisement (host route injection); 3 ETR+FHR detects VIP presence; 4 LISP traffic converges]
LISP DC Mobility :: Services Integration
Integration with Load Balancer RHI: NxOS Configuration (slide 282)
• West & East Load Balancers have consistent Route Health Injection policies
• When VIP host route announcement flips from West to East DC, LISP detects VIP and optimizes ingress traffic from WAN/Internet
[Diagram: as on the previous slide; host route injection from the East SLB]
East DC xTR (NxOS):
  ip lisp itr-etr
  !
  [..]
  lisp dynamic-eid VIP
   database-mapping 172.71.73.0/28 10.11.1.1 pri 1 weight 50
   register-route-notifications
  !
  [..]
LISP Data Center/Host Mobility: WAN Integration

LISP DC Mobility :: WAN Integration
Option #1: LISP Control Plane (slide 284)
• Virtualized First Hop Router as gateway for each Server Zone, Firewall as inter-zone router
• LISP Components:
  – FHRs: mobility detection and intra/inter-DC signaling to peers
  – MSMRs: single-point aggregated mobility database, accept server registration, signaling to FHRs
• East-DC (DR DC) FHRs dynamically inject host routes learned through LISP into IGP, which propagates to:
  – Local FW
  – Remote FW, through IGP peering over dedicated extended VLAN (L2 overlay)
  – WAN Routers
[Diagram: East-DC and West-DC, each with three FHRs and an MSMR; private WAN to a non-LISP client site; move event 10.0.1.67; OSPF/EIGRP between FHRs, FWs and WAN routers; host route injection (HRI) from the East-DC FHRs; legend: EID, RLOC, LISP encap/decap, LISP device, host detection]
LISP DC Mobility :: WAN Integration
Option #1: traffic patterns (slide 285)
• East-to-West (server to server)
  – East DC FW
    • Aggregate server route pointing to “DCI Overlay router”
    • More specific routes announced from local FHRs
  – West DC FW
    • Each subnet route coming from individual FHR
    • More specific routes announced from “DCI Overlay router”
• North-to-South (client to server)
  – West DC WAN Routers
    • Announce aggregate front-end subnet to WAN
  – East DC WAN Routers
    • Inject more specific routes for front-end servers in East DC
• Best Convergence when IGP running between remote sites and DCs (VPLS, DMVPN, …)
[Diagram: East-DC and West-DC (three FHRs and an MSMR each) joined by an L2 overlay (OTV, …), private WAN to a non-LISP client site, move event 10.0.1.67. Route-table annotations: 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 … next-hop=FHRs (static); 10.0.0.0/16 … next-hop=MSMR (static); 10.0.1.67/32 … next-hop=MSMR (OSPF); East-DC hosts 10.0.1.67/32 … next-hop=FHRs (LISP/OSPF); 10.0.1.0/24 … next-hop=FW; East-DC hosts 10.0.1.67/32 … next-hop=FW]
LISP DC Mobility :: WAN Integration
Option #2: DCI with LISP Overlay (slide 286)
• Benefits of LISP Overlay between DCs:
  – Virtualization
  – Efficient, underlay independent, multi-homing between DCs
• Host Route Injection for LISP discovered servers from FHRs into IGP
• East-DC can optionally propagate HRI into WAN for ingress traffic optimization
• The DCI Overlay Router is the xTR
  – Advertises aggregate server subnets to southbound FW
  – Registers client subnets as “attached” static LISP EIDs (database mapping)
[Diagram: East-DC and West-DC, each with three FHRs and a pair of xTR/MSMRs; private WAN to non-LISP client sites; move event 10.0.1.67; OSPF/EIGRP and host route injection (HRI) inside each DC; legend: EID, RLOC, LISP encap/decap, LISP device, host detection]
LISP DC Mobility :: WAN Integration
Option #2: traffic patterns (slide 287)
• East-to-West (server to server)
  – East & West DC FW
    • Aggregate server route pointing to “DCI Overlay router” (xTR)
    • More specific routes announced from local FHRs
• North-to-South (client to server)
  – Option A:
    • East & West DC WAN Routers announce aggregate front-end subnet to WAN
    • If traffic comes to the “wrong” DC it gets LISP encapsulated and forwarded to the “right” DC
    • Partial Hairpinning
  – Option B
    • Inject more specific routes for front-end servers in East DC
[Diagram: East-DC and West-DC (FHRs and xTR/MSMR pairs) joined by the LISP overlay, private WAN to a non-LISP client site; move event 10.0.1.67, West-DC hosts 10.0.2.11 and 10.0.3.81. Route-table annotations: 10.0.0.0/16 … next-hop=xTR (static) at both DCs; 10.0.1.0/24 … next-hop=FW; East-DC hosts 10.0.1.67/32 … next-hop=FW; East-DC hosts 10.0.1.67/32 … next-hop=FHRs (LISP/OSPF); West-DC hosts 10.0.2.11/32, 10.0.3.81/32 … next-hop=FHRs (LISP/OSPF)]
LISP DC Mobility :: WAN Integration
Option #3: LISP Overlay across WAN (slide 288)
• Extending Benefits of LISP Overlay to the whole WAN:
  – Virtualization
  – Efficient, underlay independent, multi-homing between remote sites and DC
  – Optimal DC Ingress Routing – no Host Route Injection necessary
• Host Route Injection for LISP discovered servers from FHRs into IGP
• Optional HRI stopped at DC FW layer
• A subset of remote branches act as PxTR, advertising the server front-end subnet and attracting traffic from closer non LISP client sites
[Diagram: East-DC and West-DC (three FHRs and xTR/MSMR pairs each) with OSPF/EIGRP and host route injection inside each DC; private WAN to LISP regional sites, a PxTR and non-LISP client sites; legend: EID, RLOC, LISP encap/decap, LISP device, host detection]
LISP DC Mobility :: WAN Integration
Option #3: traffic patterns (slide 289)
• East-to-West (server to server) as in #2
  – East & West DC FW
    • Aggregate server route pointing to “DCI Overlay router” (xTR)
    • More specific routes announced from local FHRs
[Diagram: East-DC and West-DC (FHRs and xTR/MSMR pairs), private WAN to a non-LISP client site, a LISP regional site and a PxTR; move event 10.0.1.67, West-DC hosts 10.0.2.11 and 10.0.3.81. Route-table annotations: 10.0.0.0/16 … next-hop=xTR (static) at both DCs; East-DC hosts 10.0.1.67/32 … next-hop=FHRs (LISP/OSPF); West-DC hosts 10.0.2.11/32, 10.0.3.81/32 … next-hop=FHRs (LISP/OSPF)]
LISP DC Mobility :: WAN Integration
Option #3: traffic patterns (slide 290)
• East-to-West (server to server) as in #2
  – East & West DC FW
    • Aggregate server route pointing to “DCI Overlay router” (xTR)
    • More specific routes announced from local FHRs
• North-to-South (client to server)
  – Regional LISP sites (PxTR) announce aggregate front-end subnet to WAN
  – After server moves and it is detected/registered by East DC ETRs, West DC ETRs signal the move to active PxTR with an SMR
  – PxTR processes SMR and updates its map cache: traffic gets steered to East DC
[Diagram: East-DC and West-DC (FHRs and xTR/MSMR pairs), private WAN to a non-LISP client site, a LISP regional site and a PxTR; move event 10.0.1.67; SMR from the West-DC xTRs to the PxTR; the PxTR advertises DC hosts 10.0.1.0/24 … via static/BGP with tag=330]
Agenda
• LISP Overview and Introduction
• LISP Efficient Multihoming/Multi-AF Support
• LISP Virtualization/VPN
• LISP Data Center/Host Mobility
• LISP Status and Futures
• LISP Open Discussions
291
Advanced - LISP Technical Seminar: Other LISP Topics and Status
TECRST-3191
Darrel Lewis, LISP Technical Leader

LISP Mobile Node (slide 294)
• LISP Mobile Node Concepts
  – Global IP Mobility: LISP-MN is a global IP mobility solution
    • Allows a LISP-MN device to maintain the same identity while roaming to any network
    • Using any interface/medium, with support for multi-homing
  – The LISP-MN device can change location
    • Move to a different network or use different interfaces
    • Without disrupting the TCP connection established with the correspondent node
    • Applications bind to the identity of the mobile node
    • The network routes the packet to the location of the mobile node
  – The LISP-MN device is, to all effects, a LISP site. LISP-MN functions are:
    • Implemented in the network stack of the mobile device
    • Totally transparent to the applications
LISP Mobile Node (slide 295)
• A LISP-MN Phone is a LISP Site!
[Diagram: handset with EID-prefix 2610:00D0:110E::1/128, WiFi locator 172.16.0.1 and 3G locator 10.0.0.1, Map-Server 10.1.1.1; “This device is a LISP xTR!”]
What can a LISP-MN Device do?
• Two MNs can roam and stay connected
• MNs can be servers
• MNs roam without changing DNS entries
• MNs can use multiple interfaces
• MNs can control ingress packet policy
• Faster hand-offs
• Low battery use by MS proxy-replying
• And most importantly, packets have stretch of “1”, giving best for latency/delay sensitive applications
LISP-MN can scale to 1 billion hand-sets!
LISP Mobile Node
296
4G Carrier 110.2.0.0/16
3G Carrier 2172.16.0.0/16
SP WiFi172.17.0.0.0/16
Mapping SystemMR MS MR MS
PI EID-prefix 192.168.1.0/24
LISP Site 1S
xTR1
ETRITR
xTR2
ETRITR
Provider A10.0.0.0/16
Provider B10.1.0.0/16
EID-prefix: 192.168.3.3/32Locator-set: 10.2.0.2, priority: 1, weight: 100
Map-Cache Entry
Session Continuity While Roaming!
4G 10.2.0.2
LISP MN
LISP-MN EID192.168.3.3/32
• LISP-MN Mobility: Any Network, Anytime, Anywhere…
Figure: Session Continuity While Roaming! Same topology as above. The LISP MN (EID 192.168.3.3/32) moves from 4G (10.2.0.2) to SP WiFi and obtains RLOC 172.17.0.2. Exchange shown: (1) LISP Map-Register from 172.17.0.2 to the MS (udp 4342, SHA-2 authenticated) binding 192.168.3.3/32 to 172.17.0.2; (2) SMR from the MN to the site xTR; (3) Map-Request from the xTR, answered by a Map-Reply; (4) the site's Map-Cache Entry changes from Locator-set 10.2.0.2 to EID-prefix 192.168.3.3/32, Locator-set: 172.17.0.2, priority: 1, weight: 100.
• LISP-MN Mobility: Any Network, Anytime, Anywhere…
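The roaming exchange on the two slides above, as an added worked example (not code from the seminar, from Cisco IOS or from LISPmob): the mobile node re-registers its EID with the Map-Server under an HMAC, the Map-Server proxy-replies on the node's behalf, and an SMR makes the correspondent xTR refresh its map-cache from the old 4G locator to the new WiFi one. The topology values are the slide's; the shared key, the nonce handling and the message encoding are constructed for the demo and are not the RFC 6833 wire format.

```python
"""Model of LISP-MN session continuity: Map-Register (authenticated), SMR,
Map-Request/Map-Reply, map-cache update. Example code, not a LISP implementation."""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key"   # constructed MN<->MS key, not a real credential
MN_EID = "192.168.3.3/32"              # EID from the slide


@dataclass
class Locator:
    rloc: str
    priority: int = 1
    weight: int = 100


@dataclass
class Mapping:
    eid_prefix: str
    locators: list


def register_payload(mapping, nonce):
    """Canonical bytes covered by the Map-Register authentication data (constructed layout)."""
    locs = ";".join(f"{l.rloc}/{l.priority}/{l.weight}" for l in mapping.locators)
    return f"{nonce}|{mapping.eid_prefix}|{locs}".encode()


def auth_tag(key, payload):
    """HMAC-SHA-256 truncated to 128 bits, the RFC 6833 HMAC-SHA-256-128 key type."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]


class MapServer:
    """Holds registrations and proxy-replies so the (possibly sleeping) MN need not."""

    def __init__(self, keys):
        self.keys = keys            # eid_prefix -> shared key
        self.registrations = {}     # eid_prefix -> Mapping
        self.last_nonce = {}        # eid_prefix -> last accepted nonce (simple replay check)

    def map_register(self, mapping, nonce, tag):
        key = self.keys.get(mapping.eid_prefix)
        if key is None:
            return False            # unknown EID: no key, nobody may register it
        if not hmac.compare_digest(auth_tag(key, register_payload(mapping, nonce)), tag):
            return False            # bad HMAC: forged or mis-keyed registration is dropped
        if nonce <= self.last_nonce.get(mapping.eid_prefix, -1):
            return False            # replayed registration is dropped
        self.last_nonce[mapping.eid_prefix] = nonce
        self.registrations[mapping.eid_prefix] = mapping
        return True

    def map_request(self, eid_prefix):
        return self.registrations.get(eid_prefix)   # proxy Map-Reply


class ITR:
    """Correspondent site xTR acting as ITR toward the mobile node."""

    def __init__(self, map_server):
        self.ms = map_server
        self.map_cache = {}         # eid_prefix -> Mapping

    def lookup(self, eid_prefix):
        if eid_prefix not in self.map_cache:
            reply = self.ms.map_request(eid_prefix)
            if reply is None:
                return None
            self.map_cache[eid_prefix] = reply
        return self.map_cache[eid_prefix].locators[0].rloc

    def on_smr(self, eid_prefix):
        """Solicit-Map-Request: drop the stale entry and re-resolve through the mapping system."""
        self.map_cache.pop(eid_prefix, None)
        return self.lookup(eid_prefix)


class MobileNode:
    def __init__(self, eid_prefix, key, map_server):
        self.eid_prefix, self.key, self.ms = eid_prefix, key, map_server
        self.correspondents = []    # ITRs that currently hold our mapping
        self.nonce = 0

    def attach(self, rloc):
        """New address (4G -> WiFi on the slide): re-register, then SMR the correspondents."""
        self.nonce += 1
        mapping = Mapping(self.eid_prefix, [Locator(rloc)])
        tag = auth_tag(self.key, register_payload(mapping, self.nonce))
        ok = self.ms.map_register(mapping, self.nonce, tag)
        for itr in self.correspondents:
            itr.on_smr(self.eid_prefix)
        return ok


if __name__ == "__main__":
    ms = MapServer({MN_EID: SHARED_KEY})
    mn = MobileNode(MN_EID, SHARED_KEY, ms)
    site = ITR(ms)
    mn.attach("10.2.0.2")                 # on 4G
    print("before roaming:", site.lookup(MN_EID))
    mn.correspondents.append(site)
    mn.attach("172.17.0.2")               # roams to SP WiFi
    print("after roaming:", site.lookup(MN_EID))
```

The point for the operator is in `map_register`: a registration that does not carry a valid HMAC under the per-site key, or that reuses an old nonce, never changes the locator, so only the node that holds the key can move its EID.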
Home Automation Demo
Figure: Home Automation Demo topology. The Yun LISP Site (PI EID-prefix 2610:D0:218B::/48, with hosts 2610:00d0:218b::1, 2610:00d0:218b::300, 2610:00d0:218b::11 and 2610:00d0:218b::301) reaches the Internet through SP-A (Cisco; RTR/NAT-TR and PxTR) and SP-B (D1). The LISP Mapping System is intouch-ams-mr-ms-1 and intouch-ams-mr-ms-2 (MR/MS); other addresses shown on the diagram: 173.36.254.184, 192.168.1.128, 158.38.1.92.
• Arduino Yun – Smallest LISP Mobile Node
Customer Example :: Partner Case Study
Communication and information solutions for public safety, transport, maritime and air traffic management verticals
LISP overlay for provider-independent reachability and networking
• Mobility E911 Services
LISP Mobile Node Embedded Hardware – Open Source LISP Software
Linksys WRT160NL
  Architecture: MIPS Atheros AP81
  CPU: 400 MHz Atheros 9130-BC1E
  Flash: 8 MB cFeon EN25P64
  RAM: 32 MB Samsung K4H561638J
  Ethernet: 100 Mbps RTL8306SD
  Wireless: Atheros 9102 802.11 b/g/n (integrated)
  Serial / JTAG: Yes / Yes
  USB: Yes, 1x 2.0
Netgear WNDR3700v2
  Architecture: MIPS Atheros AR7161
  CPU: 680 MHz Atheros 9130-BC1E
  Flash: 16 MB Macronix MX25L12845EWI-10G
  RAM: 64 MB 2 x Nanya NT5DS16M16CS-5T
  Ethernet: 1 Gbps RTL8366SR
  Wireless: Atheros AR9223 802.11b/g/n + Atheros AR9220 802.11a/n
  Serial / JTAG: Yes / Yes
  USB: Yes, 1x 2.0
LISP Mobile Node – LISP-MN Mobility:
Website: http://lispmob.org/
GitHub: https://github.com/LISPmob/
Mailing lists:
• [email protected]
• [email protected]
• [email protected]
IRC: #lispmob channel on Freenode
Twitter: https://twitter.com/LISPmob
4G LTE
Businesses are looking for ways to reduce costs, increase revenue, and improve business continuity.
• 4G LTE wireless connectivity is 10 to 15 times faster and has 5 times lower latency than 3G
• 4G LTE allows a small enterprise branch office or remote office to set up comprehensive services in a matter of hours, without worrying about availability of broadband services and the need for laying down the lines
• Wireless carriers offer flexible, usage-based data plans that can be catered to meet the needs and price points of the business customer
• As WAN backup alternatives, 3G and 4G LTE wireless offer greater WAN diversity and resiliency because they are independent of the local terrestrial infrastructure
• The Cisco 819 enables businesses to stay productive during service provider downtime or a network failure.
• Business Drivers
Platforms
Nonhardened Cisco 819 Integrated Services Router Hardened Cisco 819 Integrated Services Router
The Cisco 819 Series Integrated Services Router
• The Cisco 819 Series Integrated Services Router includes support for 4G LTE wireless WAN (WWAN) speeds
• The hardened Cisco 819HG extends the ISR M2M Gateway footprint and provides deployment flexibility
• The Cisco 819HG is an ideal solution for stationary and mobile environments where space, heat dissipation, exposure to extreme temperatures, harsher environments, and low power consumption are critical factors
• Cisco 819 Series
LISP Mobility – Customer Example :: Cisco Live US 2013 Transportation System
Figure: each bus carries an xTR (xTR-A, xTR-B) with Onboard WiFi, a Telemetry Processor and IP Cameras, uplinked over AT&T 4G LTE (Private IP, NAT) and Verizon 4G LTE (Public IP) to the Internet / WAN. The LISP Beta Network provides MS, MR, PxTR and RTR. At CL Orlando WoS an xTR fronts UCS hosting the VSM VM and VSOM VM; Fleet Mgmt is reached over the IPv6 Internet.
35 Buses Operational Throughout the Event
New LISP Features
New LISP Features – LISP Local EID Database Route Import
Enables dynamic creation of local EID database entries, with locators, priorities, and weights, by direct redistribution from the RIB
– Configured on ETRs, database “route-import” includes:
  • Options for import from connected, static, IGP and BGP RIB entries
  • Options for use of route-map for filtering, and “maximum-prefix” values
Figure: two xTRs, each running OSPF toward SERVERS and USERS segments, Map-Register 10.0.1.0/24 and 10.50.1.0/24 to a pair of MS/MRs.
Configuration:
router ospf 1
 network 10.0.1.0 0.0.0.255 area 0
 network 10.50.1.0 0.0.0.255 area 0
!
router lisp
 locator-set RED
  ipv4-interface gig0/0 priority 1 weight 50
  auto-discover-rlocs
 eid-table default instance-id 0
  ipv4 route-import database ospf 1 locator-set RED
 exit
!
New LISP Features – LISP Local Map-Cache Route Import
Enables dynamic creation of local EID map-cache entries with action “send-map-request” (for use by a PITR), by direct redistribution from the RIB
– Configured on PITRs (typically), map-cache route import now includes:
  • Options for import from connected, static, IGP and BGP RIB entries
  • Options for use of route-map for filtering, and “maximum-prefix” values
– Typically used in concert with a Map-Server that is “exporting” registered EID prefixes into the RIB (see “route-export”)
Figure: non-LISP Sites reach a PxTR across the IPv4 Internet (example); the PxTR peers over eBGP with an MS/MR; LISP Sites (xTRs behind CEs) register with the MS/MR.
Map-Server configuration:
!
router lisp
 eid-table default instance-id 0
  ipv4 route-export site-registration
  ---<etc.>---
!
PITR configuration:
!
router lisp
 eid-table default instance-id 0
  ipv4 route-import map-cache bgp 65001 route-map ABC
  ---<etc.>---
!
New LISP Features – LISP Map-Server Route Export From Site Registration
Enables a Map-Server to export registered EID prefixes into the RIB
– The EID prefixes from “registered” LISP sites are automatically exported to the RIB as LISP (“l”) routes
  • Once in the RIB, these EID prefixes can be redistributed into other routing protocols for desired use
  • It is possible to manipulate the administrative distance of the routes inserted by LISP
– Typically used in concert with a PITR that is “importing” registered EID prefixes in order to:
  a. Automatically populate its map-cache, and
  b. Automatically learn prefixes to 'advertise’ into non-LISP space to 'attract traffic’ to the PITR
Figure: same topology as the previous slide (non-LISP Sites, IPv4 Internet (example), PxTR, eBGP, MS/MR, LISP Sites with xTRs behind CEs).
PITR configuration:
!
router lisp
 eid-table default instance-id 0
  ipv4 route-import map-cache bgp 65001 route-map ABC
  ---<etc.>---
!
Map-Server configuration:
!
router lisp
 eid-table default instance-id 0
  ipv4 route-export site-registration
  ---<etc.>---
!
New LISP Features – LISP Integrated MS/PITR Map Cache Population From Site Registration
Enables the dynamic creation of local EID map-cache entries with action “send-map-request” (for use by the PITR function) by direct installation from the Map-Server function
– Configured on a “combination” Map-Server/PITR
– When LISP sites register, their EID prefixes automatically get installed as “map-cache send-map-request” entries on the PITR
  • Note: If the PITR requires knowledge of registered EID prefixes in its RIB for automating ’EID advertisement’ into non-LISP space to 'attract traffic,’ use of the “[ipv4 | ipv6] route-export site-registration” command is still required
Figure: non-LISP Sites reach a combined PxTR/MS/MR across the IPv4 Internet (example); LISP Sites (xTRs behind CEs) register with it.
Combined PxTR/MS/MR configuration:
!
router lisp
 eid-table default instance-id 0
  ipv4 map-cache site-registration
  ---<etc.>---
!
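The four “New LISP Features” slides above describe three RIB/LISP interactions (database route-import on an ETR, Map-Server route-export of registered EIDs into the RIB, and map-cache route-import with action send-map-request on a PITR). The following is an added model of those interactions, written for this seminar transcript and not taken from Cisco IOS or any LISP implementation; the route-map is modelled as a predicate, “maximum-prefix” as a simple cap, and the administrative distance of LISP routes (`LISP_ROUTE_AD`) is a constructed value, not the IOS default. The prefixes and locator are the slide's.

```python
"""Model of ETR database route-import, MS route-export site-registration and
PITR map-cache route-import. Example code, not Cisco IOS behaviour."""
import ipaddress

LISP_ROUTE_AD = 250   # constructed admin distance for "l" routes; the slide says it is tunable


class RIB:
    """Routing table: prefix -> {"source": protocol, "ad": admin distance}."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, source, ad):
        """Install only if the prefix is new or the new route has a lower (better) AD."""
        cur = self.routes.get(prefix)
        if cur is None or ad < cur["ad"]:
            self.routes[prefix] = {"source": source, "ad": ad}
            return True
        return False

    def by_source(self, source):
        return [p for p, r in self.routes.items() if r["source"] == source]


def _select(rib, source, route_map, maximum_prefix):
    """Shared filter: RIB routes of one source, through the route-map, capped by maximum-prefix."""
    chosen = []
    for prefix in rib.by_source(source):
        if route_map is not None and not route_map(prefix):
            continue
        if maximum_prefix is not None and len(chosen) >= maximum_prefix:
            break
        chosen.append(prefix)
    return chosen


def route_import_database(rib, source, locator_set, route_map=None, maximum_prefix=None):
    """ETR 'database route-import <source> locator-set X': EID prefix -> [(rloc, prio, weight)]."""
    return {p: list(locator_set) for p in _select(rib, source, route_map, maximum_prefix)}


def route_export_site_registration(registered_eids, rib, ad=LISP_ROUTE_AD):
    """MS 'route-export site-registration': registered EIDs become 'lisp' routes in the RIB.
    Returns the prefixes actually installed (a better existing route keeps the LISP route out)."""
    return [p for p in registered_eids if rib.add(p, "lisp", ad)]


class PITR:
    def __init__(self, mapping_system):
        self.ms = mapping_system        # eid prefix -> list of RLOCs (the mapping system's view)
        self.map_cache = {}             # prefix -> {"action": "send-map-request"} | {"rlocs": [...]}
        self.map_requests_sent = []

    def route_import_map_cache(self, rib, source, route_map=None, maximum_prefix=None):
        """'map-cache route-import <source>': seed send-map-request entries from the RIB."""
        prefixes = _select(rib, source, route_map, maximum_prefix)
        for p in prefixes:
            self.map_cache.setdefault(p, {"action": "send-map-request"})
        return len(prefixes)

    def forward(self, dst_ip):
        """Longest-prefix match in the map-cache; a send-map-request entry triggers a
        Map-Request on first use and is then replaced by the resolved locators."""
        dst = ipaddress.ip_address(dst_ip)
        match = max((ipaddress.ip_network(p) for p in self.map_cache
                     if dst in ipaddress.ip_network(p)),
                    key=lambda n: n.prefixlen, default=None)
        if match is None:
            return None                 # not a known EID: native-forward
        key = str(match)
        entry = self.map_cache[key]
        if entry.get("action") == "send-map-request":
            self.map_requests_sent.append(key)
            rlocs = self.ms.get(key)
            if rlocs is None:
                return None             # negative reply: still not encapsulated
            entry = {"rlocs": rlocs}
            self.map_cache[key] = entry
        return entry["rlocs"][0]


if __name__ == "__main__":
    etr_rib = RIB()
    etr_rib.add("10.0.1.0/24", "ospf", 110)
    etr_rib.add("10.50.1.0/24", "ospf", 110)
    print(route_import_database(etr_rib, "ospf", [("10.0.0.1", 1, 50)]))
```

The `maximum-prefix` cap matters operationally: without it a misconfigured or compromised IGP neighbour could flood the ETR's EID database (or the PITR's map-cache) with every prefix it leaks, which is why the slides list it next to the route-map filter.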
LISP Status
LISP Status – LISP RFCs and notable drafts…
IETF LISP WG: http://tools.ietf.org/wg/lisp/
Draft – Target
LISP Canonical Address Format (draft-ietf-lisp-lcaf-04) – Active Working Group Document
LISP Deployment (draft-ietf-lisp-deployment-11) – Active Working Group Document
LISP SEC (draft-ietf-lisp-sec-05) – Active Working Group Document
LISP DDT (draft-fuller-lisp-ddt-01) – Active Working Group Document
LISP Introduction (draft-ietf-lisp-introduction-03) – Active Working Group Document
LISP Mobile Node (draft-meyer-lisp-mn-10) – Related Working Group Document
LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05) – Related Working Group Document
LISP GPE (draft-lewis-lisp-gpe) – Related Working Group Document
LISP Deployment (draft-ietf-lisp-deployment-12) – RFC-Editor’s Queue
LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04) – Related Internet Draft
LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00) – Related Internet Draft
RFCs
Locator/ID Separation Protocol (LISP) base document – RFC 6830
LISP Map Server – RFC 6833
LISP Interworking – RFC 6832
LISP Multicast – RFC 6831
LISP Internet Groper – RFC 6835
LISP Map Versioning – RFC 6834
LISP+ALT – RFC 6836
LISP MIB – RFC 7052
LISP Network Element Deployment Considerations – RFC 7215
LISP Status – LISP Beta Network – international deployments
LISP Community Operated:
– More than 5+ years of operation…
– More than ~600 Sites, 40 countries…
Interoperable LISP implementations:
– Cisco
  • IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
  • Cisco IOS-XR (CRS3, ASR9K)
  • Cisco NX-OS (N7K)
– AVM “FRITZ!Box”
– OpenWrt
– Open Source
  • FreeBSD: OpenLISP
  • Linux: Aless, LISPmob, OpenWrt
  • Android
Plus some others… ;-)
http://www.lisp4.net
http://vinciconsulting.com/vxnet
http://www.lisp.intouch.eu/
http:/lisp.isarnet.net/
and more…
LISP Status – LISP Software – Available Features :: By Operating System
Cisco Releases (http://lisp.cisco.com)
Table: feature availability by operating system (the extraction lost the alignment of cells to columns, so only the headers and the cell values that appear are recoverable):
Feature rows: Roles (ITR/ETR, PITR/PETR, MS/MR, RTR); AF Support (EID v4/v6, RLOC v4/v6); Virtualization (Shared/Parallel); Mobility (ESM/ASM, Multi-Hop); Multicast; NAT-Traversal
Operating system columns: IOS, IOS-XE, NX-OS, IOS-XR, Cat 6K
Cell values shown: roadmap, testing, v4 only, 5.3.0, shared, ASM 15.2(1)SY, ASR9k roadmap
LISP Status – LISP Software – Available Releases :: IOS Platforms
Cisco Releases (http://lisp.cisco.com)
Hardware:
– ISRG1 (1800 Series, 2800 Series, 3800 Series)
– ISRG2 (800 Series, 1900 Series, 2900 Series, 3900 Series)
Software:
– Mainline Build: 15.4(2)T
– Engineering Build: 15.3(3)XB12
Notes/Caveats:
– ISRs are EOS/EOL (Cisco support rules apply).
– LISP features require “datak9” or “securityk9” license: http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html
LISP Status – LISP Software – Available Releases :: IOS-XE Platforms
Cisco Releases (http://lisp.cisco.com)
ASR1K (1001 Series, 1002 Series, 1004 Series, 1006 Series, 1013 Series, 4451-X)
  Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
  Notes/Caveats: LISP features require “Advanced IP Services” or “Advanced Enterprise Services” license
CSR1KV (Cisco CSR1KV, Amazon Web Srvc)
  Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
  Notes/Caveats: LISP features require “Premium” license: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg/csroverview.html
References:
http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/product_bulletin_c25-448387.html
http://www.cisco.com/c/dam/en/us/products/collateral/routers/cloud-services-router-1000v-series/sales-tool-c96-730727.pdf
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/csa/configuration/xe-3s/asr903/csa-xe-3s-asr-903-book/csa-cfg-sw-activation.html
LISP Status – LISP Software – Available Releases :: NX-OS Platforms
Cisco Releases (http://lisp.cisco.com)
Nexus 7000 – Mainline Build: 6.2(8)
Nexus 7700 – Mainline Build: 6.2(8)
Notes/Caveats:
– Requires M1-32 LC modules. F1 modules and the F2e LC module can be used for LISP using proxy forwarding to an installed M1-32 LC module.
– Beginning with NX-OS 7.1.0, F3 modules will also support LISP
– LISP requires EPLD updated so that FE Bridge is at version 186.008: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/epld/epld_rn_6-0.html#wp152570
– The Transport Services license must be installed to enable LISP: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/data_sheet_c78-437306.html
LISP Status – LISP Software – Available Releases :: IOS-XR Platforms
Cisco Releases (http://lisp.cisco.com)
ASR 9000 – Mainline Build: 5.2.0
CRS 3 – Mainline Build: 5.2.0
Notes/Caveats:
– LISP features available in base image
– Requires Typhoon line cards: http://www.cisco.com/c/en/us/support/docs/routers/asr-9000-series-aggregation-services-routers/116726-qanda-product-00.html
– Supports basic LISP xTR and PxTR functionality only
LISP Status – LISP Software – Available Releases :: CATOS Platforms
Cisco Releases (http://lisp.cisco.com)
Catalyst 6500 – Mainline Build: 15.1.2-SY2
  Notes/Caveats: Requires Sup2T supervisor engine and WS-X6904-40GE or WS-X6908-10G line cards. Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR
Catalyst 6800 – Mainline Build: 15.1.2-SY2
  Notes/Caveats:
  – 6880-X (semi-fixed chassis) - supported on all ports at FCS: 15.1(2)SY1 for the baseboard and 15.1(2)SY2 for the port cards
  – 6807-XL (modular chassis) - supported with Sup2T and 6900 series line cards (6908 and 6904) at FCS: 15.1(2)SY1 (not supported natively on Sup2T, need 6900 modules for encap/decap)
  – Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR
LISP Summary
LISP References – LISP Sessions at Cisco Live US 2014…
Sunday, 18 May
TECRST-3191 - Advanced - LISP Technical Seminar 8:00 AM - 5:00 PM
LTRRST-2014 - Routing for Host/VM-Mobility Using LISP 8:00 AM - 12:00 PM
TECCRS-2003 - Advanced WAN Design Topics 8:00 AM - 5:00 PM
TECDCT-2181 - Deployment Considerations for Interconnecting Distributed Virtual Data Centers 8:00 AM - 5:00 PM
TECDCT-2432 - Virtualized Multi-service Data Center (VMDC) Architectures & Orchestration for Cloud 8:00 AM - 5:00 PM
TECDCT-3297 - Operating and Deploying NX-OS Nexus Devices in the Network Infrastructure 1:00 PM - 5:00 PM
Tuesday, 20 May
LTRRST-2014 - Routing for Host/VM-Mobility Using LISP 8:00 AM - 12:00 PM
BRKDCT-2131 - Mobility and Virtualization in the Data Center with LISP and OTV 8:00 AM - 9:30 AM
BRKDCT-2335 - Design consideration for security services spanned across Data Center Interconnect 8:00 AM - 9:30 AM
BRKRST-3045 - Advanced - LISP - A Next Generation Networking Architecture 12:30 PM - 2:30 PM
BRKSEC-2054 - Group Encryption Transport (GET) Your VPNs Secured 12:30 PM - 2:30 PM
BRKDCT-2337 - Virtual Services for Scalable Multi-tenant Cloud Architectures 12:30 PM - 2:30 PM
BRKDCT-3060 - Deployment Challenges with Interconnecting Data Centres 3:00 PM - 5:00 PM
LISP References – LISP Sessions at Cisco Live US 2014…
Wednesday, 21 May
BRKDCT-3434 - Enabling a Secure Hybrid Cloud Extension with CSR 1000V and LISP 8:00 AM - 9:30 AM
BRKRST-2044 - Enterprise Multi-Homed Internet Edge Architectures 8:00 AM - 9:30 AM
BRKRST-3047 - Troubleshooting LISP 1:30 PM - 3:30 PM
CCSDCT-1100 - Simplifying Data-Center migration using LISP, from 42 years to 2 years 3:00 PM - 4:00 PM
BRKDCT-2328 - Evolution of Network Overlays in Data Center Clouds 4:00 PM - 5:30 PM
Thursday, 21 May
BRKDCT-3237 - Versatile architecture using Nexus 7000 with a mix of F and M modules to deliver FEX, FabricPath, Multihop FCoE, MPLS and LISP all at the same time 12:30 PM - 2:00 PM
BRKARC-2023 - Building Hybrid Clouds with the CSR 1000v 12:30 PM - 2:00 PM
BRKRST-2045 - Advancements in L3 VPN over IP in the WAN 2:30 PM - 2:00 PM
LISP References – LISP Information
LISP Mailing Lists
Cisco LISP Questions ……………… [email protected]
LISP Working Group ………… [email protected]
Interest (public) ………………. [email protected]
Questions ………………... [email protected]
LISP Information
Cisco LISP Site ……………………. http://lisp.cisco.com (IPv4 and IPv6)
Cisco LISP Marketing Site ………... http://www.cisco.com/go/lisp/
LISP Beta Network Site …………… http://www.lisp4.net or http://www.lisp6.net
LISP DDT Root ……………………... http://www.ddt-root.org
IETF LISP Working Group ……...… http://tools.ietf.org/wg/lisp/
LISP Summary – Part of the LISP Solution Space
LISP is an Architecture…
Figure (built up over four slides): xTRs at the edge of an IPv4 Network (v4) and an IPv6 Network (v6) connect across an IPv4 Core and an IPv6 Core, with Servers behind the xTRs.
1. Multihoming
2. IPv6 Transition
3. Virtualization/VPN
4. Mobility
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include – Your favorite speaker’s Twitter handle– Two hashtags: #CLUS #MyFavoriteSpeaker
• Submit an entry for one or more of your “favorite” speakers!
• Please follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
LISP and QoS – QoS Handling Support :: CoS default (copy)
Figure: packet walk through the ITR (LISP0 ingress features, lookup, ENCAP), the PE-ASBR, and the ETR/PxTR (DECAP, lookup, LISP0 egress features) for a packet from Cust A 172.16.4.0/24 (172.16.4.9) to Cust A 172.16.1.0/24 (172.16.1.9):
1. Inner Header has customer DSCP markings: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
2. Default Action: Copy EID header DSCP bits to RLOC header. Encapsulated packet: outer dscp: 18, src: 10.1.1.1, dst: 10.9.9.9 | UDP | LISP | inner dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
3. Default Action at the PE-ASBR: Copy DSCP bits to MPLS EXP
4. Outer Header Removed
5. Inner Header retains original DSCP marking: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
LISP and QoS – QoS Handling Support :: CoS rewrite
Figure: the same packet walk as the previous slide, with an egress service policy on the ITR:
1. Inner Header has customer DSCP markings: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
2. Default Action: Copy EID header DSCP bits to RLOC header (outer dscp: 18, src: 10.1.1.1, dst: 10.9.9.9)
3. Egress Interface “service policy” RECOLORS RLOC HEADER according to EID header marking: outer becomes dscp: 30, src: 10.1.1.1, dst: 10.9.9.9 (inner stays dscp: 18)
4. Default Action at the PE-ASBR: Copy DSCP bits to MPLS EXP
5. Outer Header Removed
6. Inner Header retains original DSCP marking: dscp: 18, src: 172.16.4.9, dst: 172.16.1.9, data
Class table (partially recovered): columns Class Name / Tier 1 DSCP Values / Partner DSCP Values; rows COS1: 30,31; COS2: 40; etc.; a row “30 ← 18,20” matches the recolor shown in the figure (EID dscp 18 becomes RLOC dscp 30).
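The two QoS slides above (default DSCP copy at encapsulation, and an egress service policy that recolors the RLOC header by class) as an added worked example; this is illustration code written for the transcript, not Cisco IOS behaviour or any LISP implementation. The packet values and the 18 → 30 recolor are the slide's; the class table is the partially recovered one above, the data-plane UDP port is the RFC 6830 value (4341, distinct from the control-plane 4342 shown on the LISP-MN slide), and the PE's “copy DSCP bits to MPLS EXP” is modelled as the usual precedence mapping (top three DSCP bits), which the slide does not spell out.

```python
"""Model of LISP encap/decap DSCP handling: default copy, egress recolor, MPLS EXP.
Example code, not Cisco IOS."""
LISP_DATA_PORT = 4341      # RFC 6830 LISP data-plane UDP port
ITR_RLOC, ETR_RLOC = "10.1.1.1", "10.9.9.9"          # RLOCs from the slide

# Inner (EID) packet from the slide: Cust A 172.16.4.9 -> 172.16.1.9, dscp 18.
PACKET = {"src": "172.16.4.9", "dst": "172.16.1.9", "dscp": 18, "payload": "data"}


def lisp_encap(inner, src_rloc, dst_rloc):
    """ITR: wrap the EID packet; default action copies the inner DSCP into the outer header."""
    return {"ip": {"src": src_rloc, "dst": dst_rloc, "dscp": inner["dscp"]},
            "udp": {"dport": LISP_DATA_PORT},
            "inner": dict(inner)}


def lisp_decap(outer):
    """ETR/PxTR: remove outer IP/UDP/LISP; the inner header is delivered untouched."""
    return dict(outer["inner"])


class RecolorPolicy:
    """Egress 'service-policy' on the ITR: classify on the EID-header DSCP and
    set the RLOC-header DSCP per class. Unmatched traffic keeps the copied value."""

    def __init__(self, table):
        self.table = table      # class name -> {"match": set of inner DSCP, "set": outer DSCP}

    def apply(self, outer):
        inner_dscp = outer["inner"]["dscp"]
        for cls in self.table.values():
            if inner_dscp in cls["match"]:
                outer["ip"]["dscp"] = cls["set"]
                break
        return outer


# Class table as partially recovered from the slide: Partner DSCP 18,20 recolored to Tier 1 COS1 30.
SLIDE_POLICY = RecolorPolicy({
    "COS1": {"match": {18, 20}, "set": 30},
    "COS2": {"match": {40}, "set": 40},
})


def mpls_exp_from_dscp(dscp):
    """PE-ASBR default: the three IP-precedence bits of the outer DSCP become the MPLS EXP."""
    return (dscp >> 3) & 0x7


def trace(inner, policy=None):
    """Follow one packet ITR -> (egress policy) -> PE-ASBR -> ETR and report the markings seen."""
    outer = lisp_encap(inner, ITR_RLOC, ETR_RLOC)
    if policy is not None:
        outer = policy.apply(outer)
    exp = mpls_exp_from_dscp(outer["ip"]["dscp"])
    delivered = lisp_decap(outer)
    return {"outer_dscp": outer["ip"]["dscp"], "mpls_exp": exp,
            "inner_dscp": delivered["dscp"], "dst": delivered["dst"]}


if __name__ == "__main__":
    print("CoS default (copy):", trace(PACKET))
    print("CoS rewrite:       ", trace(PACKET, SLIDE_POLICY))
```

The check a practitioner wants from this walk is the last field: whatever the egress policy does to the RLOC header, the customer's own DSCP (18) is what arrives at 172.16.1.9, so recoloring the outer header changes core treatment without rewriting the customer's marking.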