lisp - a next generation routing architecturelisp.cisco.com/docs/brkrst-3045_vegas2011.pdflisp...

BRKCRS-3045

LISP - A Next Generation Routing Architecture

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKCRS-3045 2

 LISP Overview  LISP Operations  LISP Use Cases  LISP Status  Summary  References

LISP - Agenda



LISP - Agenda


LISP Overview What’s the problem with an “overloaded” semantic?

  The IP address is overloaded on location and identity Why do current IP semantics cause scaling issues? − Overloaded IP address semantic makes

efficient routing impossible

− Today, “addressing follows topology,” which limits route aggregation compactness

−  IPv6 does not fix this

Why are route scaling issues bad? − Routers require expensive memory to hold

the Internet Routing Table in forwarding plane

− Your router may have enough memory today; network gear lifetime can be 7 years or more.

− Replacing equipment for the wrong reason (to hold the routing table); gear replacement should be to implement new features and to meet bandwidth requirements

“… routing scalability is the most important problem facing the Internet today and must be solved … ”

Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984)


Internet

LISP Overview How does Location/ID Split help solve this problem?

Internet

Today’s Internet Behavior Loc/ID “overload”

LISP Behavior Loc/ID “split”

DFZ

DFZ Map System

LISP Mapping System

In this model, everything goes in the Default Free Zone (DFZ)

In this model, only RLOCs go in the DFZ; EIDs go in the LISP Mapping System!


LISP creates a Level of indirec-on with two namespaces: EID and RLOC

  EID (Endpoint Iden-fier) is the IP address of a host – just as it is today

  RLOC (Rou-ng Locator) is the IP address of the LISP router for the host

  EID-‐to-‐RLOC mapping is the distributed architecture that maps EIDs to RLOCs

 Network-‐based solu?on  No host changes  Minimal configura?on

  Incrementally deployable

  Support for mobility

  Address Family agnos?c

LISP Overview A “level of indirection”

Prefix Next-‐hop w.x.y.1 e.f.g.h x.y.w.2 e.f.g.h z.q.r.5 e.f.g.h z.q.r.5 e.f.g.h

Non-‐LISP

RLOC Space

EID-‐to-‐RLOC

mapping

xTR

EID Space xTR

EID RLOC a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5

MS/MR

PxTR

xTR



EID Space


LISP “Level of Indirection” is analogous to a DNS lookup   DNS resolves IP addresses for URLs

  LISP resolves locators for queried identities

host DNS URL Resolution

LISP Identity-to-location Map Resolution

[ who is lisp4.cisco.com] ?

LISP router

DNS Server

LISP Mapping System

[153.16.5.29 ]

[ where is 153.16.5.29 ] ?

[ location is 128.107.81.169 ]

LISP Overview LISP Mapping Resolution – DNS analog



LISP - Agenda


IPv4 Outer Header: Router supplies

RLOCs

IPv4 Inner Header: Host supplies

EIDs

LISP header

UDP

draft-ietf-lisp-12

LISP – Data Format Example IPv4 EID/IPv4 RLOC Example


LISP – Data Format Example All Combinations – IPv4 and IPv6 Supported

IPv4/IPv4

IPv4 Outer

Header

IPv4 Inner

Header

UDP LISP

IPv4/IPv6

IPv4 Outer

Header

IPv6 Inner

Header

UDP LISP

IPv6/IPv4

IPv6 Outer

Header

IPv4 Inner

Header

UDP LISP

IPv6/IPv6

IPv6 Outer

Header

IPv6 Inner

Header

UDP LISP


ITR – Ingress Tunnel Router •  Receives packets from site-facing interfaces •  Encap to remote LISP sites, or native-fwd to

non-LISP sites

ETR – Egress Tunnel Router •  Receives packets from core-facing interfaces •  De-cap, deliver packets to local EIDs at site

S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D

Provider A 10.0.0.0/8

Provider B 11.0.0.0/8

Provider X 12.0.0.0/8

Provider Y 13.0.0.0/8

LISP Site LISP Site

LISP Data Plane Ingress/Egress Tunnel Router (xTR)

packet flow packet flow


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site LISP Site LISP Site

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

PI EID-prefix 2.0.0.0/24


This policy controlled by destination site

Legend: EIDs -> Green Locators -> Red Physical link

DNS entry: D.abc.com A 3.0.0.3

1

EID-prefix: 3.0.0.0/24 Locator-set:

12.0.0.2, priority: 1, weight: 50 (D1) 13.0.0.2, priority: 1, weight: 50 (D2)

Mapping Entry

3

LISP Data Plane Unicast Packet Forwarding

2.0.0.2 -> 3.0.0.3

2

2.0.0.2 -> 3.0.0.3 11.0.0.1 -> 12.0.0.2

4

5

6

2.0.0.2 -> 3.0.0.3 11.0.0.1 -> 12.0.0.2

7

2.0.0.2 -> 3.0.0.3

8


Control Plane EID Registration Map-Register message

Sent by ETR to Map-Server to register its associated EID prefixes

Specifies the RLOC(s) to be used by the Map-Server when forwarding Map-Requests to the ETR

Control Plane “Data-triggered” mapping service Map-Request message

Sent by an ITR when it needs for EID/RLOC mapping, to test an RLOC for reachability, or to refresh a mapping before TTL expiration

Map-Reply message Sent by an ETR in response to a valid map-request to provide the EID/RLOC mapping and site ingress Policy for the requested EID

LISP Control Plane Control Plane Messages


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MS – Map-Server •  LISP site ETRs Register their EID prefixes

here; requires configured “lisp site” policy, authentication key.

•  Injects routes for registered site EID prefixes into BGP ALT topology.

•  Receives Map-Requests via ALT and forwards them to registered ETRs.

MR – Map-Resolver •  Receives Map-Request from ITR. •  Forwards Map-Request onto the ALT topology. •  Sends Negative Map-Replies in response to

Map-Requests for non-LISP sites.

LISP Control Plane Map-Server/Map-Resolver (MS/MR)

MR

ALT

MS

ALT

ALT ALT

ALT – Alternate Topology •  Aggregate EID-prefixes along allocation hierarchy •  Advertise EID-prefixes in alternate BGP-over-GRE

tunnels •  Forward Map-Requests with EID destination address

over GRE topology


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

LISP Map Cache •  “Lives” on ITRs and only stores mappings for sites to

which ITR is currently sending packets. •  Map-Cache populated by sending Map-Requests

through ALT and receiving Map-Replies from ETRs •  ITRs must respect Map-Reply policy, including TTLs,

RLOC up/down status, RLOC priorities/weights

LISP Control Plane Mapping Database (ETR), Map-Cache (ITR)

LISP Site Mapping-Database •  EID-to-RLOC mappings in all ETRs for local LISP site •  ETR is “authoritative” for its EIDs, sends Map-Replies to ITRs •  ETRs can tailor policy based on Map-Request source •  Decentralization increases attack resiliency


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

LISP Control Plane Map-Server/Map-Resolver (MS/MR)

MR

ALT

MS

ALT

ALT ALT


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

LISP Site LISP Site

65.1.1.1 66.2.2.2

Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link

[1]

12.0.0.2-> 66.2.2.2 LISP Map-Register

(udp 4342) SHA-1

3.0.0.0/24 12.0.0.2, 13.0.0.2

Other 3/8 sites…

MS advertises into ALT

BGP over GRE

3.0.0.0/8

[2]

ALT propagation includes the

Map-Resolver [3]

3.0.0.0/8

LISP Control Plane Map-Registration example




S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

65.1.1.1 66.2.2.2


DNS entry: D.abc.com A 3.0.0.3

How do I get to 3.0.0.3?

11.0.0.1 -> 3.0.0.3 Map-Request

(udp 4342) nonce

11.0.0.1 -> 65.1.1.1 LISP ECM (udp 4342)

[1]

[2] [3] [4]

11.0.0.1 -> 3.0.0.3 Map-Request

(udp 4342) nonce 11.0.0.1 -> 3.0.0.3

Map-Request (udp 4342)

nonce

66.2.2.2 -> 12.0.0.2 LISP ECM (udp 4342) [5]

LISP Control Plane Map-Request example

2.0.0.2 -> 3.0.0.3




S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

65.1.1.1 66.2.2.2


12.0.0.2 ->11.0.0.1 Map-Reply (udp 4342)

nonce 3.0.0.0/24

12.0.0.2 [1, 50] 13.0.0.2 [1, 50]

[6]

EID-prefix: 3.0.0.0/24 Locator-set:


Mapping Entry

LISP Control Plane Map-Reply example




S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

65.1.1.1 66.2.2.2


12.0.0.2 ->11.0.0.1 Proxy Map-Reply

(udp 4342) nonce

3.0.0.0/24 12.0.0.2 [1, 50] 13.0.0.2 [1, 50]

[6] EID-prefix: 3.0.0.0/24 Locator-set:


Mapping Entry

LISP Control Plane Proxy Map-Reply example (when configured)




 Early Recognition: •  LISP will not be widely deployed day-one •  Up-front recognition of an incremental deployment plan

  Interworking for: •  LISP-sites to non-LISP sites (e.g. the rest of the Internet) •  non-LISP sites to LISP-sites

 Two basic Techniques •  Proxy ITR (PITR) and Proxy ETR (PETR) •  LISP Network Address Translators (LISP-NAT)

 Proxy-ITR/Proxy-ETR are being deployed today Infrastructure LISP network entity Creates a monetized service opportunity for infrastructure players

LISP Interworking Day-One incremental deployment


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

MR

ALT

MS

ALT

ALT ALT

PETR – Proxy ETR •  Allows IPv6 LISP sites with IPv4 RLOCs to reach

IPv6 LISP sites that only have IPv6 RLOCs •  Allows LISP sites with uRPF restrictions to reach

non-LISP sites

PITR – Proxy ITR •  Receives traffic from non-LISP sites;

encapsulates traffic to LISP sites •  Advertises coarse-aggregate EID prefixes •  LISP sites see ingress TE “day-one”

LISP Interworking Proxy Ingress/Egress Tunnel Routers (PITR/PETR)

PITR PETR


S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





LISP Site LISP Site

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

65.1.1.1 66.2.2.2

LISP Interworking Proxy Ingress Tunnel Router example

Non-LISP Site

65.1.0.0/16

Non-LISP Site

65.9.1.1

65.1.1.1 -> 3.0.0.1 [1]

65.1.1.1 -> 3.0.0.1 65.9.1.1 -> 13.0.0.2

[2]

PITR

65.1.1.1 -> 3.0.0.1 [3]

3.0.0.1 -> 65.1.1.1

[4]

65.9.2.1

3.0.0.1 -> 65.1.1.1

[5]



PETR

MR

ALT

MS

ALT

ALT ALT

3.0.0.0/8




LISP Interworking Proxy Egress Tunnel Router example

S1

S2

ITR

ITR

D1

D2

ETR

ETR

S D





PITR PETR

MR

ALT

MS

ALT

ALT ALT

LISP Site LISP Site

10.0.0.1

11.0.0.1 13.0.0.2

12.0.0.2

65.1.1.1 66.2.2.2

3.0.0.0/8

Non-LISP Site

65.1.0.0/16

Non-LISP Site

65.9.1.1

65.1.1.1 -> 3.0.0.1 [1]

65.1.1.1 -> 3.0.0.1 65.9.1.1 -> 13.0.0.2

[2] 65.1.1.1 -> 3.0.0.1

[3]

3.0.0.1 -> 65.1.1.1

[4]

65.9.2.1

ip lisp use-petr 65.9.2.1

3.0.0.1 -> 65.1.1.1

[6]

3.0.0.1 -> 65.1.1.1

13.0.0.2 -> 65.9.2.1

[5]


Security…

LISP and Security Aspects of LISP Security

Internet

S LISP router

D

x.y.z.1

a.b.c.1 LISP router

r.s.t.7

e.f.g.9

Host IP available

Topological location

Internet

LISP router

LISP Site

Non-LISP Site

LISP Site

Non-LISP Site

“drop” policy push

Core S LISP

router D

x.y.z.1

a.b.c.1 LISP router

r.s.t.7

e.f.g.9

MS/MR

Map-Register

(SHA-1) Map-Register (SHA-1)

… of the protocol   Inherent security of the

protocol itself

… impact of the protocol on existing networks   Changes that need to be made

made to a site and core network to handle the protocol

… enabled by the protocol   New types of network

security that can be deployed because of the new protocol



LISP - Agenda


IPv6 Transition Support

  v6-over-v4, v6-over-v6   v4-over-v6, v4-over-v4

IPv4 Internet

IPv6 Internet

v6

v6 v4 v6

LISP router LISP

router v6

services

VM-Mobility

  Cloud / Layer 3 VM moves   Segmentation

Data Center 1

Data Center 2

a.b.c.1 VM

a.b.c.1 VM

VM move

LISP router

LISP router

Internet

LISP Use Cases Overview

VPNs and Segmentation

  Over-the-Top   Multi-tenency

HQ LISP Site

Internet

Data Center

User Network

Remote LISP Site

Remote LISP Site Remote

LISP Site Remote

LISP Site . . 10k . .

Efficient Multi-Homing

  IP Portability   Ingress Traffic Engineering without BGP

LISP routers

LISP Site

Internet


LISP Use Cases Efficient Multi-Homing

Needs:   Site connectivity to multiple providers   Low OpEx/CapEx

LISP Solution:   LISP provides a streamlined solution for

handling multi-provider connectivity and policy without BGP complexity

Benefits:   Multi-homing across different providers   Simple policy management   Ingress Traffic Engineering   Egress Traffic Engineering

LISP routers

LISP Site

Internet


LISP Use Cases – Efficient Multi-Homing Customer Case Study #1 – Requirements

Multi-Homed Remote-Sites:   More than 400 remote sites (limited access), need to be “as robust as possible”   T-1 (~$600/month) + dial-backup cost prohibitive vs. 3G access (~$60/month)

Necessary Features:   IOS Firewall and NAT for Internet Access   Mixed of dynamic (DHCP) and Static Interface IP address (RLOC)

LISP Design:   Private LISP Mapping System (MS/MR) for RFC1918 EIDs at Hub & Remote Sites   ASR1002s (2) at Hub Site, C2811s w/ 3G-HWICs at remote sites (2 each)   NAT to Internet, IOS FW, DHCP   Active/Backup minimum, Active/Active “stretch goal” for WAN utilization


LISP Use Cases – Efficient Multi-Homing Customer Case Study #1 – Topology

Internet

LISP Hub Site

Corporate Data Center

Carrier 1 3G

Carrier 2 3G

3G HWIC

3G HWIC

LISP Spoke Sites X 400

. . . . . .

ASR 1002 • Map-Server/Map-Resolver

for private LISP mapping •  xTR for LISP encap/decap

ISR (2811) •  xTR at Remote LISP site • Dual 3G-HWICs • RFC1918 EID Space • DHCP or static RLOCs • DHCP server for internal hosts • NAT/IOS FW to Internet

Customer Network

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

172.16.1.1 172.16.1.5


LISP Use Cases – Efficient Multi-Homing Customer Case Study #1 – LISP Configurations

Internet

LISP Hub Site


Carrier 1 3G

Carrier 2 3G

3G HWIC

3G HWIC


. . . . . .

Customer Network

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

172.16.1.1 172.16.1.5

router lisp database-mapping 10.10.1.0/24 ipv4-interface cell0/0/0 priority 1 weight 50 database-mapping 10.10.1.0/24 ipv4-interface cell0/0/1 priority 1 weight 50 ip itr ip etr ip itr map-resolver 172.16.1.1 ip itr map-resolver 172.16.1.5 ip etr map-server 172.16.1.1 key xxxxxx ip etr map-server 172.16.1.5 key xxxxxx

router lisp site All-Sites eid-prefix 10.0.0.0/16 eid-prefix 10.10.0.0/16 accept-more-

specifics authentication-key 0 xxxxxx description all remote sites exit database-mapping 10.0.0.0/16 172.16.1.5

priority 1 weight 50 database-mapping 10.0.0.0/16 172.16.1.1

priority 1 weight 50 ipv4 map-server ipv4 map-resolver ipv4 itr ipv4 etr ip itr map-resolver 172.16.1.1 ip itr map-resolver 172.16.1.5 ip etr map-server 172.16.1.1 key xxxxxx ip etr map-server 172.16.1.5 key xxxxxx

10.10.1.0/24 10.10.0.0/24 10.10.x.0/24 10.10.y.0/24


LISP Use Cases – Efficient Multi-Homing Customer Case Study #1 – Packet Flow Example

Internet

LISP Hub Site


Carrier 1 3G

Carrier 2 3G

3G HWIC

3G HWIC


. . . . . .

Customer Network

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

172.16.1.1 172.16.1.5

10.10.0.1 -> 10.0.0.1

10.10.0.1 -> 10.0.0.1 172.17.1.1 -> 172.16.1.1

10.10.0.1

10.0.0.1

172.16.1.1 172.16.1.5

172.17.1.1

10.10.0.1 -> 10.0.0.1 10.0.0.1 -> 10.10.0.1

10. 0.0.1 -> 10.10.0.1 172.16.1.1 -> 172.17.1.1

10.0.0.1 -> 10.10.0.1


LISP Use Cases – Efficient Multi-Homing Customer Case Study #1 – Other IOS Configurations

Internet

LISP Hub Site


Carrier 1 3G

Carrier 2 3G

3G HWIC

3G HWIC


. . . . . .

Customer Network

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

3G HWIC

172.16.1.1 172.16.1.5

12.1.1.5

VzW

Internet

13.1.1.5

10.0.0.0/16

VzW

Cellular0/3/0 Cellular0/3/1

10.10.0.0/24

ip nat inside

ip inspect out

ip access-group 101 in

ip address negotiated

ip verify unicast source reachable-via rx

ip nat outside

LISP is executed in CEF. Any CEF process should be available when LISP is enabled. Commonly used CEF functions that have been tested include:   Access Control Lists   Network Address Translation   Quality of Service   Flexible NetFlow   IPSec   IOS Firewall   IOS Intrusion Protection Srvc   Flexible Packet Matching


LISP Use Cases IPv6 Migration Support

Needs:   Rapid IPv6 Deployment

  Minimal Infrastructure disruption

LISP Solution:   LISP encapsulation is Address Family

agnostic IPv6 interconnected over IPv4 core

IPv4 interconnected over IPv6 core

Benefits:   Accelerated IPv6 adoption

  Minimal added configurations

  No core network changes

  Can be used as a transitional or permanent solution

IPv4 Internet

IPv6 Internet

v6

v6 v4 PxTR

IPv4 Core

v6

xTR v6 service

IPv4 Internet IPv4

Enterprise Core

v6 v4

v6

v6 island IPv4 Enterprise

Core

v6

xTR v6 island

xTR

IPv6 Internet

IPv4 access & Internet

PxTR v6

v6 home Network

.

v6 home Network

v6 home Network

xTR

xTR

xTR

PxTR

PxTR

v6

. v6 site

v6 v4

Connecting IPv6 Islands

IPv6 Transition Support

IPv6 Access Support


LISP Use Cases – IPv6 Migration Support Customer Case Study #2 – Requirements

IPv6 Access to Company Services:   Corporate employees deploying IPv6 home networks   Requesting same access to services as IPv4 home users

Necessary Features:   Take advantage of existing infrastructure; minimal changes to add IPv6 support   Use existing SSL VPN equipment   Use existing Load Balancers – capable of v6/v4 header translation

LISP Design:   IPv6 EID allocation from Cisco LISP Beta Network block

−  Could “bring their own” IPv6 block, but used ours…

  Cisco ISR-G2 (3945) as xTR


LISP Use Cases – IPv6 Migration Support Customer Case Study #2 – General Topology

IPv4 Internet

IPv6 Internet

Customer IPv4 DFZ

Internal v4 Network

v4-vlan v6-vlan

xTR

192.168.2.1

192.168.1.1

172.16.1.5 2001:db8:ff::1

PxTR

2001:db8:a::1

10.10.10.10

v6 VIP 2001:db8:c5c0::1

MSMR 172.16.1.6 2001:db8:ff::6

ISR G2 (3945) •  xTR for LISP encap/decap •  “use-petr” for v6/v4

interworking

A-record: www.customer.com 10.1.1.1 (example)

v4 VIP 10.1.1.1

AAAA-record: www.lisp6.customer.com 2001:db8:c5c0::1 (example)

SSL VPN Appliance

Load Balancer •  v6/v4 translation


LISP Use Cases – IPv6 Migration Support Customer Case Study #2 – LISP Configuration

IPv4 Internet

IPv6 Internet

Customer IPv4 DFZ

Internal v4 Network

v4-vlan v6-vlan

xTR

172.16.1.5 2001:db8:ff::1

PxTR

2001:db8:a::1

10.10.10.10

v6 VIP 2001:db8:c5c0::1

router lisp database-mapping 2001:db8:c5c0::/48 10.10.10.10 priority 1 weight 1 ipv6 itr ipv6 etr ipv6 itr map-resolver 172.16.1.6 ipv6 etr map-server 172.16.1.6 key xxxxxx ipv6 use-petr 172.16.1.5

MSMR 172.16.1.6 2001:db8:ff::6

192.168.2.1

192.168.1.1


LISP Use Cases – IPv6 Migration Support Customer Case Study #2 – Example Packet Flow

IPv4 Internet

IPv6 Internet

Customer IPv4 DFZ

Internal v4 Network

v4-vlan v6-vlan

xTR

172.16.1.5 2001:db8:ff::1

PxTR

2001:db8:a::1

10.10.10.10

v6 VIP 2001:db8:c5c0::1

MSMR 172.16.1.6 2001:db8:ff::6

192.168.2.1

192.168.1.1

2001:db8:a::1 -> 2001:db8:c5c0::1

172.16.1.5 -> 10.10.10.10 2001:db8:a::1 -> 2001:db8:c5c0::1

2001:db8:a::1 -> 2001:db8:c5c0::1

192.168.1.1 -> 192.168.2.1 192.168.2.1 -> 192.168.1.1

2001:db8:c5c0::1 -> 2001:db8:a::1

10.10.10.10 -> 172.16.1.5 2001:db8:c5c0::1 -> 2001:db8:a::1

2001:db8:c5c0::1 -> 2001:db8:a::1


LISP Use Cases VPNs and Segmentation

Needs:   Highly-scalable VPNs supporting

IPv4 and IPv6   Remove IGP scaling limitations

for Branch WAN aggregation

LISP Solution:   LISP Instance-IDs for

Over-the-Top VPNs   Supports complex topologies including

multi-homed branches, partial mesh, etc.   IPv4/IPv6 co-existence

Benefits:   No CE-PE coordination required   LISP Mapping System supports high scalability   Simplified Management

HQ LISP Site

Internet

Data Center

User Network

Remote LISP Site

Remote LISP Site Remote

LISP Site Remote

LISP Site . . x10,000 . .


IPv6 Network

IPv4 LISP Spoke Site

Any to Any Access



xTR xTR xTR

IPv4 LISP Hub Site

xTR

IPv4

IP

v6

IPv4

GET VPN KS

LISP MS/MR

IPv4 Data

IPv4 Data IPv4 Data

IPv6 IPv4 Encrypted

IPv6 IPv4 Data

IPv4 over IPv6 Encapsulation (LISP Mixed Mode) • W/ No Encryption • W/ Encryption

VPN Platform Service: • Private LISP EID Mapping/Resolution

• GET Key Distribution

1.  Transport −  Tunnel-less IPv4 site interconnect over

IPv6 network based on LISP

−  Private IP address mapping

−  IPv6 site interconnect possible

IPv4 Data

LISP Use Cases – High-Scale VPNs Customer Case Study #3 – Requirements

2.  Security −  Tunnel-less group encryption based on

GETVPN

−  “Bootstrap” Map-Cache to Key Server

−  GETVPN keeps EID and Security Policy in sync

•  GET ACL and LISP database are same subnet at Site

3.  Site Routing −  No Dynamic Routing between Spoke

and Hub

−  Spoke router only has IPv6 Default Route on WAN side

−  Hub router aggregates Spoke Site Routes

−  Proxy xTR can be placed on Hub Site and can route non-LISP site or Internet


IPv4 IPv6

IPv6 Network

LISP Site A

LISP Site B

MS/MRxTR

xTR IPv4 LAN IPv4 LAN

IPv6

IPv4

IPv4

Lo0

Lo0

GM

KS

Lo0 GM

xTR

Control Path (GETVPN) Control Path (LISP) Forwarding Path

Payload Payload ESP SPI

ESP Trailer

IPv4 Src/Dst

LISP Hdr UDP IPv6

Src/Dst IPv4

Src/Dst IPv4

Src/Dst

Encrypted Original Packet

Payload IPv4 Src/Dst

Packet Construction (Forwarding Path)

Original IPv4 Header

• Validation of Group Members • Distribution of Group Policies and Keys

• EID Registration • Mapping Request/Reply IPv4 EID

LISP RLOC LISP EID Original Packet Original Packet

Payload LISP Hdr UDP IPv6

Src/Dst IPv4

Src/Dst Payload IPv4 Src/Dst

LISP RLOC LISP EID Original Packet Original Packet

Payload IPv4 Src/Dst

With No Encryption

With Encryption

LISP

LISP Use Cases – High-Scale VPNs Customer Case Study #3 – Functional Overview

LISP

GET LISP GET LISP


LISP Virtualization – Segmentation

LISP Virtualization   A technique to Virtualized the EID and RLOC namespaces

  The LISP Instance-ID is the mechanism to separate address spaces in the control and data planes

Instance-ID   a 24-bit unstructured number

  Data-plane: in LISP encapsulation header

  Control-plane: EID encoded in LCAF format


Shared Infrastructure for Scaling, Private VPN sites for Segmentation

LISP Virtualization – Address Separation Shared Mapping System, Single-Tenency

Shared Mapping Database System

xTR xTR

Shared Core Routing System

xTR xTR

MS/MR MS/MR

MS/MR 10.1.0.0/16) 10.2.0.0/16)

xTR xTR

xTR xTR

10.1.0.0/16) 10.2.0.0/16) ( ( IID1, IID1,

( ( IID2, IID2,


Shared Mapping Database System

Shared Core Routing System

LISP Virtualization – Address Separation Shared Mapping System and xTR, Multi-Tenancy

(IID2, 10.2.0.0/16)

xTR xTR

(IID1, 10.2.0.0/16)

xTR xTR

xTR xTR

(IID1, 10.1.0.0/16) (IID2, 10.1.0.0/16)

MS/MR MS/MR


vrf vrf vrf

10.3.2.0/24 10.2.2.0/24 10.1.2.0/24

Lo1 Lo2 Lo3

Loop0 13.1.1.1/32

Loop0 13.1.1.3/32

xTR

LISP Site-3

xTR

LISP Site-1

12.1.0.0/30 E0/0 (.2)

E0/0 (.1)

12.3.0.0/30 E0/0 (.2)

E0/0 (.1)

12.2.0.0/30

E0/0 (.1)

E0/0 (.2)

xTR MS/MR

LISP Site-2

Loop0 13.1.1.2/32

10.3.1.0/24

vrf vrf vrf

Lo1 Lo2 Lo3

10.2.1.0/24 10.1.1.0/24

vrf vrf vrf

10.3.3.0/24

E1/0 E1/1 E1/2

10.2.3.0/24 10.1.3.0/24

LISP Use-Cases – Multi-Tenancy Customer Case Study #4 – Configurations

! hostname xTR-1 ! vrf definition blue ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition teal ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition green ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ip cef ipv6 unicast-routing ipv6 cef !

! interface Loopback0 ip address 13.1.1.1 255.255.255.255 ! interface Loopback1 vrf forwarding blue ip address 10.1.1.1 255.255.255.0 ! interface Loopback2 vrf forwarding teal ip address 10.2.1.1 255.255.255.0 ! interface Loopback3 vrf forwarding green ip address 10.3.1.1 255.255.255.0 ! interface Ethernet0/0 description to R30 (Core) ip address 12.1.0.2 255.255.255.252 !

! router lisp eid-table default instance-id 0 database-mapping 13.1.1.1/32 IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table vrf blue instance-id 1 database-mapping 10.1.1.0/24 IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table vrf teal instance-id 2 database-mapping 10.2.1.0/24 IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table vrf green instance-id 3 database-mapping 10.3.1.0/24 IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! ipv4 itr map-resolver 12.2.0.2 ipv4 itr ipv4 etr map-server 12.2.0.2 key secret ipv4 etr exit ! ip route 0.0.0.0 0.0.0.0 12.1.0.1 !


LISP Use-Cases – Multi-Tenancy Customer Case Study #4 – Configurations

vrf vrf vrf

10.3.2.0/24 10.2.2.0/24 10.1.2.0/24

Lo1 Lo2 Lo3

Loop0 13.1.1.1/32

Loop0 13.1.1.3/32

xTR

LISP Site-3

xTR

LISP Site-1

12.1.0.0/30 E0/0 (.2)

E0/0 (.1)

12.3.0.0/30 E0/0 (.2)

E0/0 (.1)

12.2.0.0/30

E0/0 (.1)

E0/0 (.2)

xTR MS/MR

LISP Site-2

Loop0 13.1.1.2/32

10.3.1.0/24

vrf vrf vrf

Lo1 Lo2 Lo3

10.2.1.0/24 10.1.1.0/24

vrf vrf vrf

10.3.3.0/24

E1/0 E1/1 E1/2

10.2.3.0/24 10.1.3.0/24

! router lisp eid-table default instance-id 0 database-mapping 13.1.1.2/32 12.2.0.2 priority 1 weight 1 exit ! eid-table vrf blue instance-id 1 database-mapping 10.1.2.0/24 12.2.0.2 priority 1 weight 1 exit ! eid-table vrf teal instance-id 2 database-mapping 10.2.2.0/24 12.2.0.2 priority 1 weight 1 exit ! eid-table vrf green instance-id 3 database-mapping 10.3.2.0/24 12.2.0.2 priority 1 weight 1 exit ! site All-Sites authentication-key secret eid-prefix 13.1.1.0/24 accept-more-specifics eid-prefix instance-id 1 10.1.0.0/16 accept-more-specifics eid-prefix instance-id 2 10.2.0.0/16 accept-more-specifics eid-prefix instance-id 3 10.3.0.0/16 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolver ipv4 itr map-resolver 12.2.0.2 ipv4 itr ipv4 etr map-server 12.2.0.2 key secret ipv4 etr exit !

! hostname xTR-2 ! vrf definition blue ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition teal ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition green ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ip cef ipv6 unicast-routing ipv6 cef !

! interface Loopback0 ip address 13.1.1.2 255.255.255.255 ! interface Loopback1 vrf forwarding blue ip address 10.1.2.1 255.255.255.0 ! interface Loopback2 vrf forwarding teal ip address 10.2.2.1 255.255.255.0 ! interface Loopback3 vrf forwarding green ip address 10.3.2.1 255.255.255.0 ! interface Ethernet0/0 description to R30 (Core) ip address 12.2.0.2 255.255.255.252 !


LISP Use-Cases – Multi-Tenancy Customer Case Study #4 – Results

vrf vrf vrf

10.3.2.0/24 10.2.2.0/24 10.1.2.0/24

Lo1 Lo2 Lo3

Loop0 13.1.1.1/32

Loop0 13.1.1.3/32

xTR

LISP Site-3

xTR

LISP Site-1

12.1.0.0/30 E0/0 (.2)

E0/0 (.1)

12.3.0.0/30 E0/0 (.2)

E0/0 (.1)

12.2.0.0/30

E0/0 (.1)

E0/0 (.2)

xTR MS/MR

LISP Site-2

Loop0 13.1.1.2/32

10.3.1.0/24

vrf vrf vrf

Lo1 Lo2 Lo3

10.2.1.0/24 10.1.1.0/24

vrf vrf vrf

10.3.3.0/24

E1/0 E1/1 E1/2

10.2.3.0/24 10.1.3.0/24

xTR-2#show lisp site LISP Site Registration Information

Site Name Last Up Who Last Inst EID Prefix Register Registered ID All-Sites never no -- 0 13.1.1.0/24 00:00:34 yes 12.1.0.2 0 13.1.1.1/32 00:00:06 yes 12.2.0.2 0 13.1.1.2/32 00:00:02 yes 12.3.0.2 0 13.1.1.3/32 never no -- 1 10.1.0.0/16 00:00:27 yes 12.1.0.2 1 10.1.1.0/24 00:00:03 yes 12.2.0.2 1 10.1.2.0/24 00:00:03 yes 12.3.0.2 1 10.1.3.0/24 never no -- 2 10.2.0.0/16 00:00:24 yes 12.1.0.2 2 10.2.1.0/24 00:00:58 yes 12.2.0.2 2 10.2.2.0/24 00:00:02 yes 12.3.0.2 2 10.2.3.0/24 never no -- 3 10.3.0.0/16 00:00:33 yes 12.1.0.2 3 10.3.1.0/24 00:00:04 yes 12.2.0.2 3 10.3.2.0/24 00:00:00 yes 12.3.0.2 3 10.3.3.0/24 xTR-2#

xTR-2#show lisp site instance-id 0 LISP Site Registration Information

Site Name Last Up Who Last Inst EID Prefix Register Registered ID All-Sites never no -- 0 13.1.1.0/24 00:00:48 yes 12.1.0.2 0 13.1.1.1/32 00:00:20 yes 12.2.0.2 0 13.1.1.2/32 00:00:18 yes 12.3.0.2 0 13.1.1.3/32 xTR-2#show lisp site instance-id 1 LISP Site Registration Information



Site Name Last Up Who Last Inst EID Prefix Register Registered ID All-Sites never no -- 3 10.3.0.0/16 00:00:56 yes 12.1.0.2 3 10.3.1.0/24 00:00:28 yes 12.2.0.2 3 10.3.2.0/24 00:00:25 yes 12.3.0.2 3 10.3.3.0/24 xTR-2#


LISP Use-Cases – Multi-Tenancy Customer Case Study #4 – Results

vrf vrf vrf

10.3.2.0/24 10.2.2.0/24 10.1.2.0/24

Lo1 Lo2 Lo3

Loop0 13.1.1.1/32

Loop0 13.1.1.3/32

xTR

LISP Site-3

xTR

LISP Site-1

12.1.0.0/30 E0/0 (.2)

E0/0 (.1)

12.3.0.0/30 E0/0 (.2)

E0/0 (.1)

12.2.0.0/30

E0/0 (.1)

E0/0 (.2)

xTR MS/MR

LISP Site-2

Loop0 13.1.1.2/32

10.3.1.0/24

vrf vrf vrf

Lo1 Lo2 Lo3

10.2.1.0/24 10.1.1.0/24

vrf vrf vrf

10.3.3.0/24

E1/0 E1/1 E1/2

10.2.3.0/24 10.1.3.0/24

xTR-1#ping 13.1.1.3 source 13.1.1.1 repeat 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 13.1.1.3, timeout is 2 seconds: Packet sent with a source address of 13.1.1.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms

xTR-1#ping vrf blue 10.1.3.1 source 10.1.1.1 rep 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds: Packet sent with a source address of 10.1.1.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms

xTR-1#ping vrf teal 10.2.3.1 source 10.2.1.1 rep 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 10.2.3.1, timeout is 2 seconds: Packet sent with a source address of 10.2.1.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms xTR-1#ping vrf green 10.3.3.1 source 10.3.1.1 rep 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 10.3.3.1, timeout is 2 seconds: Packet sent with a source address of 10.3.1.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 98 percent (98/100), round-trip min/avg/max = 1/1/4 ms xTR-1#


6 E0/0

.1 E2/0

.2

172.16.6.0/30

OSPF (6)

3 1 2 E0/0

.1

E1/0

.5

E0/0

.2 12.0.0.0/30 12.0.0.4/30

E0/0

.6 E0/0 .2

E1/0 .1

E0/0

.2

E1/0

.1 4

12.2.0.0/30 12.1.0.0/30

5 7 E0/0

.1 E2/0 .2

Loop0 13.1.1.1/32 172.16.7.0/30

Site 2 Site 1

OSPF (0)

LDP LDP

ISIS ISIS

mp-‐BGP OSPF (1)

ce2 pe2

Loop0 12.9.3.3/32

Loop0 13.1.1.2/32

Loop0 12.9.1.1/32

Loop0 12.9.2.2/32

ce1

OSPF (0)

12 E0/0

.1 E2/0

.2

172.16.12.0/30

OSPF (1)

E0/0 .2

E1/0 .1 10

12.3.0.0/30

Site 3

ce3

OSPF (0)

pe1

Loop0 13.1.1.3/32

p

l0: 10.1.0.6/24 l1: 10.1.1.6/24 l2: 10.1.2.6/24

l0: 10.2.0.7/24 l1: 10.2.1.7/24 l2: 10.2.2.7/24

l0: 10.3.0.12/24 l1: 10.3.1.12/24 l2: 10.3.2.12/24

MPLS Baseline Case   OSPF process on CE   OSPF process on PE

•  Routing change at site cause OSPF changes on PE   BGP on PE side

•  Changes in OSPF redistribute to BGP, propagate all sites in vrf •  The greater the number of cust routes, the more thrashing?

Impact on PE router   Memory and CPU per VRF for routing, changes

Adding IPv6 for the customer   Requires CE-PE link dual-stack   New BGP VPNV6   OSPFv3

LISP Use-Cases – MPLS Customer Case Study #5 – Conceptual


6 E0/0

.1 E2/0

.2

172.16.6.0/30

OSPF (6)

3 1 2 E0/0

.1

E1/0

.5

E0/0

.2 12.0.0.0/30 12.0.0.4/30

E0/0

.6 E0/0 .2

E1/0 .1

E0/0

.2

E1/0

.1 4

12.2.0.0/30 12.1.0.0/30

5 7 E0/0

.1 E2/0 .2

Loop0 13.1.1.1/32 172.16.7.0/30

Site 2 Site 1

OSPF (0)

LDP LDP

ISIS ISIS

mp-‐BGP OSPF (1)

ce2 pe2

Loop0 12.9.3.3/32

Loop0 13.1.1.2/32

Loop0 12.9.1.1/32

Loop0 12.9.2.2/32

ce1

OSPF (0)

12 E0/0

.1 E2/0

.2

172.16.12.0/30

OSPF (1)

E0/0 .2

E1/0 .1 10

12.3.0.0/30

Site 3

ce3

OSPF (0)

pe1

Loop0 13.1.1.3/32

p

l0: 10.1.0.6/24 l1: 10.1.1.6/24 l2: 10.1.2.6/24

l0: 10.2.0.7/24 l1: 10.2.1.7/24 l2: 10.2.2.7/24

l0: 10.3.0.12/24 l1: 10.3.1.12/24 l2: 10.3.2.12/24

LISP Use-Cases – MPLS Customer Case Study #5 – Baseline

MPLS Baseline Case   What does routing look like:

•  On CE? •  On PE?

Customer Routes (9)

CE-‐PE Links (3)

CE Loopbacks (3)

R2-PE#show ip route vrf Cust1 ---<skip>--- 10.0.0.0/32 is subnetted, 9 subnets O IA 10.3.1.12 [110/21] via 12.3.0.2, 00:23:54, Ethernet2/0 O IA 10.3.0.12 [110/21] via 12.3.0.2, 00:23:54, Ethernet2/0 O IA 10.3.2.12 [110/21] via 12.3.0.2, 00:23:40, Ethernet2/0 O IA 10.1.1.6 [110/21] via 12.1.0.2, 00:23:58, Ethernet1/0 B 10.2.2.7 [200/21] via 12.9.3.3, 00:26:10 O IA 10.1.0.6 [110/21] via 12.1.0.2, 00:23:58, Ethernet1/0 B 10.2.1.7 [200/21] via 12.9.3.3, 00:26:26 B 10.2.0.7 [200/21] via 12.9.3.3, 00:26:26 O IA 10.1.2.6 [110/21] via 12.1.0.2, 00:24:00, Ethernet1/0 12.0.0.0/30 is subnetted, 3 subnets C 12.1.0.0 is directly connected, Ethernet1/0 B 12.2.0.0 [200/0] via 12.9.3.3, 00:40:13 C 12.3.0.0 is directly connected, Ethernet2/0 13.0.0.0/32 is subnetted, 3 subnets O 13.1.1.1 [110/11] via 12.1.0.2, 00:24:00, Ethernet1/0 O 13.1.1.3 [110/11] via 12.3.0.2, 00:24:00, Ethernet2/0 B 13.1.1.2 [200/11] via 12.9.3.3, 00:38:58 R2-PE#

Customer Routes (all sites) (9)

Customer Infrastructure (all sites) (4)

CE Loopbacks (all sites) (3)

CE-‐PE Links (all sites) (4)

R4-CE#show ip route ---<skip>--- 10.0.0.0/32 is subnetted, 9 subnets O IA 10.1.0.6 [110/11] via 172.16.6.1, 01:09:49, Ethernet1/0 O IA 10.1.1.6 [110/11] via 172.16.6.1, 01:10:54, Ethernet1/0 O IA 10.1.2.6 [110/11] via 172.16.6.1, 01:09:39, Ethernet1/0 O IA 10.2.0.7 [110/31] via 12.1.0.1, 01:03:46, Ethernet0/0 O IA 10.2.1.7 [110/31] via 12.1.0.1, 01:03:46, Ethernet0/0 O IA 10.2.2.7 [110/31] via 12.1.0.1, 01:03:31, Ethernet0/0 O IA 10.3.0.12 [110/31] via 12.1.0.1, 01:01:15, Ethernet0/0 O IA 10.3.1.12 [110/31] via 12.1.0.1, 01:01:15, Ethernet0/0 O IA 10.3.2.12 [110/31] via 12.1.0.1, 01:01:01, Ethernet0/0 12.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 12.1.0.0/30 is directly connected, Ethernet0/0 L 12.1.0.2/32 is directly connected, Ethernet0/0 O IA 12.2.0.0/30 [110/11] via 12.1.0.1, 01:17:27, Ethernet0/0 O 12.3.0.0/30 [110/20] via 12.1.0.1, 01:17:27, Ethernet0/0 13.0.0.0/32 is subnetted, 3 subnets C 13.1.1.1 is directly connected, Loopback0 O IA 13.1.1.2 [110/21] via 12.1.0.1, 01:16:18, Ethernet0/0 O 13.1.1.3 [110/21] via 12.1.0.1, 01:13:37, Ethernet0/0 172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks C 172.16.6.0/30 is directly connected, Ethernet1/0 L 172.16.6.2/32 is directly connected, Ethernet1/0 O IA 172.16.7.0/30 [110/30] via 12.1.0.1, 01:16:18, Ethernet0/0 O 172.16.12.0/30 [110/30] via 12.1.0.1, 01:13:37, Ethernet0/0 R4-CE#


6 E0/0

.1 E2/0

.2

172.16.6.0/30

OSPF (6)

pe2

12.9.0.0/30 .2

.1

ms/mr

3 1 2 E0/0

.1

E1/0

.5

E0/0

.2 12.0.0.0/30 12.0.0.4/30

E0/0

.6 E0/0 .2

E1/0 .1

E0/0

.2

E1/0

.1 4

12.2.0.0/30 12.1.0.0/30

5 7 E0/0

.1 E2/0 .2

Loop0 13.1.1.1/32 172.16.7.0/30

Site 2 Site 1

OSPF (0)

LDP LDP

ISIS ISIS

mp-‐BGP OSPF (1)

ce2

Loop0 12.9.3.3/32

Loop0 13.1.1.2/32

Loop0 12.9.1.1/32

Loop0 12.9.2.2/32

ce1

OSPF (0)

12 E0/0

.1 E2/0

.2

172.16.12.0/30

OSPF (1)

E0/0 .2

E1/0 .1 10

12.3.0.0/30

Site 3

ce3

OSPF (0)

pe1

Loop0 13.1.1.3/32

p

l0: 10.1.0.6/24 l1: 10.1.1.6/24 l2: 10.1.2.6/24

l0: 10.3.0.12/24 l1: 10.3.1.12/24 l2: 10.3.2.12/24

LISP Use-Cases – MPLS Customer Case Study #5 – Add LISP (Remove eBGP)

router lisp eid-table default instance-id 0 database-mapping 10.1.0.0/24 12.1.0.2 priority 1 weight 100 database-mapping 10.1.1.0/24 12.1.0.2 priority 1 weight 100 database-mapping 10.1.2.0/24 12.1.0.2 priority 1 weight 100 database-mapping 13.1.1.1/32 12.1.0.2 priority 1 weight 100 exit ! ipv4 itr map-resolver 12.9.0.2 ipv4 itr ipv4 etr map-server 12.9.0.2 key secret ipv4 etr exit



router lisp site Site-all authentication-key secret eid-prefix 10.0.0.0/8 accept-more-specifics eid-prefix 2001:DB8::/32 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolver ipv6 map-server ipv6 map-resolver exit

l0: 10.2.0.7/24 l1: 10.2.1.7/24 l2: 10.2.2.7/24


6 E0/0

.1 E2/0

.2

172.16.6.0/30

OSPF (6)

3 1 2 E0/0

.1

E1/0

.5

E0/0

.2 12.0.0.0/30 12.0.0.4/30

E0/0

.6 E0/0 .2

E1/0 .1

E0/0

.2

E1/0

.1 4

12.2.0.0/30 12.1.0.0/30

5 7 E0/0

.1 E2/0 .2

Loop0 13.1.1.1/32 172.16.7.0/30

Site 2 Site 1

OSPF (0)

LDP LDP

ISIS ISIS

mp-‐BGP OSPF (1)

ce2 pe2

Loop0 12.9.3.3/32

Loop0 13.1.1.2/32

Loop0 12.9.1.1/32

Loop0 12.9.2.2/32

ce1

OSPF (0)

12 E0/0

.1 E2/0

.2

172.16.12.0/30

OSPF (1)

E0/0 .2

E1/0 .1 10

12.3.0.0/30

Site 3

ce3

OSPF (0)

pe1

Loop0 13.1.1.3/32

p

l0: 10.1.0.6/24 l1: 10.1.1.6/24 l2: 10.1.2.6/24

l0: 10.2.0.7/24 l1: 10.2.1.7/24 l2: 10.2.2.7/24

l0: 10.3.0.12/24 l1: 10.3.1.12/24 l2: 10.3.2.12/24

LISP Use-Cases – MPLS Customer Case Study #5 – New Routing

Customer Routes (this site only)(3)

CE Loopbacks (1)

CE-‐PE Links (this site only)(1)

Customer Infrastructure (this site only) (1)

R4-CE#show ip route ---<skip>--- S* 0.0.0.0/0 [1/0] via 12.1.0.1 10.0.0.0/32 is subnetted, 3 subnets O IA 10.1.0.6 [110/11] via 172.16.6.1, 00:37:54, Ethernet1/0 O IA 10.1.1.6 [110/11] via 172.16.6.1, 00:37:54, Ethernet1/0 O IA 10.1.2.6 [110/11] via 172.16.6.1, 00:37:54, Ethernet1/0 12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 12.1.0.0/30 is directly connected, Ethernet0/0 L 12.1.0.2/32 is directly connected, Ethernet0/0 13.0.0.0/32 is subnetted, 1 subnets C 13.1.1.1 is directly connected, Loopback0 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.16.6.0/30 is directly connected, Ethernet1/0 L 172.16.6.2/32 is directly connected, Ethernet1/0 R4-CE#

default route

CE-‐PE Links (3)

R2-PE#show ip route vrf Cust1 ---<skip>--- 12.0.0.0/30 is subnetted, 3 subnets C 12.1.0.0 is directly connected, Ethernet1/0 B 12.2.0.0 [200/0] via 12.9.3.3, 00:40:13 C 12.3.0.0 is directly connected, Ethernet2/0 R2-PE#

NO CUSTOMER ROUTES!

Now look at CE and PE   What does routing look like:

•  On CE? •  On PE?


6 E0/0

.1 E2/0

.2

172.16.6.0/30

OSPF (6)

pe2

12.9.0.0/30 .2

.1

ms/mr

3 1 2 E0/0

.1

E1/0

.5

E0/0

.2 12.0.0.0/30 12.0.0.4/30

E0/0

.6 E0/0 .2

E1/0 .1

E0/0

.2

E1/0

.1 4

12.2.0.0/30 12.1.0.0/30

5 7 E0/0

.1 E2/0 .2

Loop0 13.1.1.1/32 172.16.7.0/30

Site 2 Site 1

OSPF (0)

LDP LDP

ISIS ISIS

mp-‐BGP OSPF (1)

ce2

Loop0 12.9.3.3/32

Loop0 13.1.1.2/32

Loop0 12.9.1.1/32

Loop0 12.9.2.2/32

ce1

OSPF (0)

12 E0/0

.1 E2/0

.2

172.16.12.0/30

OSPF (1)

E0/0 .2

E1/0 .1 10

12.3.0.0/30

Site 3

ce3

OSPF (0)

pe1

Loop0 13.1.1.3/32

p

l0: 10.1.0.6/24 l1: 10.1.1.6/24 l2: 10.1.2.6/24

l0: 10.2.0.7/24 l1: 10.2.1.7/24 l2: 10.2.2.7/24

l0: 10.3.0.12/24 l1: 10.3.1.12/24 l2: 10.3.2.12/24

LISP Use-Cases – MPLS Customer Case Study #5 – Add IPv6

•  Add IPv6 at Customer Sites •  ZERO changes in SP Core •  A few more lines of config on the

xTRs (CE’s) and MS

router lisp site Site-all authentication-key secret eid-prefix 10.0.0.0/8 accept-more-specifics eid-prefix 2001:DB8::/32 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolver ipv6 map-server ipv6 map-resolver exit

l0: 2001:db8:2:a::7/64 l1: 2001:db8:2:b::7/64 l2: 2001:db8:2:c::7/64

l0: 2001:db8:3:a::c/64 l1: 2001:db8:3:b::c/64 l2: 2001:db8:3:c::c/64

l0: 2001:db8:1:a::6/64 l1: 2001:db8:1:b::6/64 l2: 2001:db8:1:c::6/64

router lisp eid-table default instance-id 0 database-mapping 10.1.0.0/24 12.1.0.2 priority 1 weight 100 database-mapping 10.1.1.0/24 12.1.0.2 priority 1 weight 100 database-mapping 10.1.2.0/24 12.1.0.2 priority 1 weight 100 database-mapping 13.1.1.1/32 12.1.0.2 priority 1 weight 100 database-mapping 2001:DB8:1:A::/64 12.1.0.2 priority 1 weight 100 database-mapping 2001:DB8:1:B::/64 12.1.0.2 priority 1 weight 100 database-mapping 2001:DB8:1:C::/64 12.1.0.2 priority 1 weight 100 exit ! ipv4 itr map-resolver 12.9.0.2 ipv4 itr ipv4 etr map-server 12.9.0.2 key secret ipv4 etr ipv6 itr map-resolver 12.9.0.2 ipv6 itr ipv6 etr map-server 12.9.0.2 key secret ipv6 etr exit

--similar to R4--

--similar to R4--


LISP Use Cases VM-Mobility

Needs:   VM-Mobility across subnets   Move detection, dynamic EID-to-

RLOC mappings, traffic redirection

LISP Solution:   xTR Dynamic EID (VM-Mobility) on

access or aggregation switches

Benefits:   Integrated Mobility   Direct Data Path (no triangulation)   Connections maintained across moves   No routing re-convergence   Transparent to hosts

  No DNS updates required   Global Scalability (cloud bursting)   IPv4/IPv6 Support   ARP elimination   Automated move detection

Data Center 1

Data Center 2

a.b.c.1 VM

a.b.c.1 VM

VM move

LISP router

LISP router

Internet


LISP Use Cases – VM-Mobility Detailed Look: Roaming Across Subnets

Mapping Database System

S2

A

S3 S4

B

S5 S6

C

S7 S8

D RLOC A RLOC B RLOC C RLOC D

10.1.0.0/16 10.2.0.0/16 10.3.0.0/16 10.4.0.0/16

LISP Router or infrastructure device

10.1.0.0/16 -> A 10.2.0.0/16 -> B 10.3.0.0/16 -> C 10.4.0.0/16 -> D

S1

10.1.0.1/32 S1 moves across subnets

S1

10.1.0.1/32 -> C MS/MR

MS/MR


LISP Use Cases – VM-Mobility Topology and Initial Map Cache entries

Enterprise Core

EAST

VM3 : 10.10.20.1

Server C WEST

VM2 : 10.10.10.2

Server B

Enterprise WAN

192.168.30.1

Host 1: 10.10.30.1

VM1 : 10.10.10.1

Server A

Map Cache Table

EID RLOC

10. 10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

DC EID Space, Home Subnet 10.10.20.0/24


Branch EID Space, 10.10.30.0/25

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

10.10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

Enterprise Remote

Site Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

192.168.10.1 192.168.10.2 192.168.20.1 192.168.20.2


LISP Use Cases – VM-Mobility Traffic Flows – Before Move

Enterprise Core

EAST

VM3 : 10.10.20.1

Server C WEST

VM2 : 10.10.10.2

Server B

Enterprise WAN

192.168.30.1

Host 1: 10.10.30.1

VM1 : 10.10.10.1

Server A DC EID Space, Home Subnet 10.10.20.0/24



Enterprise Remote

Site

10.10.30.1<->10.10.10.1

10.10.20.1<->10.10.10.1 10.10.20.1<->10.10.10.1 10.10.10.2<->10.10.10.1

Traffic Flows

Before Move

Map Cache Table

EID RLOC

10. 10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

10.10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

Enterprise Remote


EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

192.168.10.1 192.168.10.2

192.168.30.1<->192.168.10.2 10.10.30.1<->10.10.10.1

192.168.20.1 192.168.20.2

192.168.20.2<->192.168.10.2 10.10.20.1<->10.10.10.1

10.10.30.1<->10.10.10.1


LISP Use Cases – VM-Mobility Map Cache Updates – After Move

Enterprise Core

EAST

VM3 : 10.10.20.1

Server C WEST

VM2 : 10.10.10.2

Server B

Enterprise WAN

192.168.30.1

Host 1: 10.10.30.1




Enterprise Remote

Site

VM1 : 10.10.10.1

Server A

1

2

3

4 4

4

Traffic Flows

Before Move

192.168.20.1

Map Cache Table

EID RLOC

10. 10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

10.10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

Enterprise Remote


EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

192.168.10.1 192.168.10.2 192.168.20.2 10.10.10.1/32 192.168.20.1 192.168.20.2

10.10.10.1/32 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

10.10.10.1/32 192.168.20.1 192.168.20.2


LISP Use Cases – VM-Mobility Traffic Flows – After Move

Enterprise Core

EAST

VM3 : 10.10.20.1

Server C WEST

VM2 : 10.10.10.2

Server B

Enterprise WAN

192.168.30.1

Host 1: 10.10.30.1




Enterprise Remote

Site

Traffic Flows

Before Move

AYer Move

VM1 : 10.10.10.1

Server A

10.10.30.1<->10.10.10.1

10.10.20.1<->10.10.10.1

10.10.30.1<->10.10.10.1

10.10.20.1<->10.10.10.1 10.10.10.2<->10.10.10.1 10.10.10.2<->10.10.10.1

192.168.20.1 192.168.20.2

192.168.30.1<->192.168.20.1 10.10.30.1<->10.10.10.1

Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

Map Cache Table

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

10.10.30.0/24 192.168.30.1

10.10.10.1/32 192.168.20.1 192.168.20.2

Map Cache Table

EID RLOC

10. 10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

EID RLOC

10.10.10.0/24 192.168.10.1 192.168.10.2

10.10.20.0/24 192.168.20.1 192.168.20.2

10.10.30.0/24 192.168.30.1

10.10.10.1/32 192.168.20.1 192.168.20.2

10.10.10.1/32 192.168.20.1 192.168.20.2

192.168.10.1 192.168.10.2

192.168.10.1<->192.168.20.1 10.10.10.2<->10.10.10.1



LISP - Agenda


DraY Current Status Next Steps/Target

LISP base protocol (dra]-‐ie^-‐lisp-‐12) Submi_ed: 04/26/2011 WG Last Call now…

LISP+ALT (dra]-‐ie^-‐lisp-‐alt-‐06) Submi_ed: 03/04/2011 WG Last Call now…

LISP Interworking (dra]-‐ie^-‐lisp-‐interworking-‐01)

Submi_ed: 08/26/2010 WG Last Call now…

LISP Map Server (dra]-‐ie^-‐lisp-‐ms-‐08) Submi_ed: 04/28/2011 WG Last Call now…

LISP Mul-cast (dra]-‐ie^-‐lisp-‐mul?cast-‐05)

Submi_ed: 04/05/2010 WG Last Call now…

LISP Internet Groper (dra]-‐ie^-‐lisp-‐lig-‐02)

Submi_ed: 04/05/2011 Several implementa?ons available (including open source)

LISP Mobile Node (dra]-‐meyer-‐lisp-‐mn-‐04)

Submi_ed: 10/25/2010 Three prototype implementa?ons underway Not WG Document

LISP Canonical Address Format (dra]-‐farinacci-‐lisp-‐lcaf-‐05)

Submi_ed: 04/28/2011 -‐05 update sent to WG list Proposed for WG adop?on

LISP MIB (dra]-‐ie^-‐lisp-‐mib-‐01) Submi_ed: 03/14/2011 -‐01 update sent to WG list

LISP Map Versioning (dra]-‐ie^-‐lisp-‐map-‐versioning-‐01)

Submi_ed: 03/11/2011 -‐01 update sent to WG list

LISP Standardization Effort Open Design

IETF LISP WG: http://tools.ietf.org/wg/lisp/


LISP Community-‐Operated   > 4 years opera?onal   > 120+ sites, 18 countries

Many LISP implementa?ons   Cisco: IOS/IOS-‐XE, NX-‐OS   FreeBSD: OpenLISP   Two Linux implementa?ons   Android implementa?on   “another” router vendor

Company IPv4 Sites IPv6 Sites

Cisco http://www.lisp4.net http://lisp.cisco.com

http://www.lisp6.net http://lisp.cisco.com

Facebook http://www.lisp6.facebook.com

Qualcomm http://www6.eudora.com http://myvpn6.qualcomm.com

InTouch http://www.lisp.intouch.eu/ http://www.lisp.intouch.eu/

LISP Global Pilot Network Deployed/Operational Experience

Notables who are using LISP –


Step 1: Market Seeding via Early Deployment (ED) software LISP ED releases available on CCO as private images (“hidden” posts) −  Not orderable via the Cisco Global Configuration tool −  Intended only for deployment on LISP nodes −  Not intended nor recommended for production deployment scenarios −  TAC supported (unless deployed in non-LISP environment)

−  Refer to LISP Early ED Software Release Product Bulletin for details −  Links to Software Here: http://lisp.cisco.com (IPv4 and IPv6 access)

Step 2: Production LISP Deployments via mainline integration LISP production software images available via CCO download −  Orderable via the Cisco Global Configuration tool −  Approved for use in all production deployment scenarios −  TAC supported −  Links to Software Here: http://lisp.cisco.com (IPv4 and IPv6 access)

LISP Software Release Strategy Two-pronged approach


Phase 1 Dec’09

Phase 2 March ’10

Phase 3 June ’10

Phase 4 October ’10

Phase 5 April ’11

Phase 6 June ’11

Phase 7 Sept ’11

ISR, ISR G2 7200(1)

IPv4 xTR IPv6 xTR IPv4/v6 PxTR

IPv4/v6 MS/MR

MS/MR Mul?-‐Tenant xTR Single-‐Tenant

xTR Mul?-‐Tenant

Route Server for PITR LISP-‐SEC (OTK)* Mul?-‐Tenent Parallel Mode* Mul?ple xTR dyn-‐RLOCs

Planning

ASR1K IPv4/v6 xTR IPv4/v6 PxTR

IPv4/v6 MS/MR

MS/MR Mul?-‐Tenant

N7K(*) IPv4/v6 PxTR

IPv4/v6 xTR

(Aug 2010) VM-‐Mobility (Nov 2010) MS/MR Mul?-‐Tenant xTR Mul?-‐Tenant

(Feb 2011) VM-‐Mobility MS/MR Mul?-‐Tenant xTR Mul?-‐Tenant

LISP-‐SEC (OTK) LISP-‐ODF

Planning

UCS C200(*) IPv4/v6 MS/MR IPv4/v6 PxTR

MS/MR Mul?-‐Tenant xTR Mul?-‐Tenant

Virtual Appliance

MS/MR PxTR

LISP Software Release Strategy ED Software Releases

(1) C7200 support subject to change without notice. (*) Subject to change without notice. − ED support doesn’t automatically imply that there will be mainline support in the future;

some items may not be productized. − Access is provided for early field testing; Images and terms available at lisp.cisco.com


1HCY11 2HCY11 1HCY12 2HCY12

ISR, ISR G2, 7200(1)

15.1(4)M (March/Shipping) Base (xTR, PxTR), MS/MR

15.2(2)T (Nov) Mul?-‐Tenancy for xTR, MS/MR

15.2(3)T(*) PITR Route Server LISP-‐SEC (OTK) Mul?-‐tenant Parallel Mode Mul?ple xTRs w/ dyn RLOCs

Planning

ASR 1K XE3.3.0S (March/Shipping) Base (xTR, PxTR), MS/MR

XE3.5.0S (Nov) Mul?-‐Tenancy for xTR, MS/MR

XE3.6.0S(*) PITR Route Server LISP-‐SEC (OTK) Connected App LISP support Mul?-‐tenant Parallel Mode Mul?ple xTRs w/ dyn RLOCs

Planning

Catalyst 6K(*) Base (xTR, PxTR), MS/MR

N7K 5.2 (May) Base (xTR, PxTR), MS/MR VM Mobility, Mul?-‐tenant

VM Mobility enhancements Mul?-‐Tenancy enhancements

6.0(*)

Mul?cast Support for F3 hardware

Planning

Virtual Appliance 6.0(*)

IPv4/v6 MS/MR

ASR 9K Base (xTR, PxTR)

LISP Software Release Strategy Mainline Software Releases

(1) C7200 support subject to change without notice. (*) Subject to change without notice. − Access to mainline images and terms available at www.cisco.com



LISP - Agenda


LISP – A Routing Architecture; Not a Feature LISP Innovations

LISP enables IP Number Portability

  With session survivability

  Never change host IP addresses No renumbering costs

  No DNS “name -> EID” binding change

LISP uses pull vs. push routing

  OSPF and BGP are push models; routing stored in the forwarding plane

  LISP is a pull model; Analogous to DNS; massively scalable

LISP is an over-the-top technology

  Address Family agnostic

  Incrementally deployable

  No changes in end systems

LISP creates a Level of Indirection

  Separates End-Host and Site addresses

LISP deployment simplicity

  No host changes

  Minimal CPE changes

  Some new core infrastructure components

LISP enables other interesting features

  Simplified multi-homing with Ingress traffic engineering – without the need for BGP

  End-host mobility without renumbering

  Address Family agnostic support

LISP is an Open Standard

  No Cisco Intellectual Property Rights



LISP - Agenda


LISP Information •  IETF LISP WG h_p://tools.ie^.org/wg/lisp/

•  LISP Beta Network h_p://www.lisp4.net or h_p://www.lisp6.net

•  Cisco LISP Site h_p://lisp.cisco.com (v4 and v6)

•  Cisco LISP Marketing h_p://www.cisco.com/go/lisp

Mailing Lists •  IETF LISP WG lisp@ie^.org

•  LISP Interest (public) lisp-‐[email protected]

•  Cisco LISP Questions lisp-‐[email protected]

LISP References Resources


Complete Your Online Session Evaluation

• Receive 25 Cisco Preferred Access points for each session evaluation you complete.

• Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.

• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

• Don’t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com

Visit the Cisco Store for Related Titles

http://theciscostores.com


Thank you.

lisp - a next generation routing architecturelisp.cisco.com/docs/brkrst-3045_vegas2011.pdflisp...

Documents