Cisco Catalyst 4500 Series Switches, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.10.0E

Chapter 3

Configuring Campus Fabric

Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs.

Beginning with Cisco IOS Release 3.9.1E, Campus Fabric is supported on Cisco Catalyst 4500-E series switches on Supervisor Engine 8-E. Cisco IOS XE Release 3.10.0E supports Campus Fabric on Catalyst 4500-E series switches on Supervisor Engine 9-E. Campus Fabric is not supported on Supervisor Engines 7-E, 7L-E, 8L-E, and on Cisco Catalyst 4500-X series switches.

This chapter includes the following major sections:

• About Campus Fabric

• Campus Fabric Configuration Guidelines

• Limitations and Restrictions

• Understanding Fabric Domain Elements

• Configuring Fabric Edge Devices

• Configure Fabric Edge Node as Anycast SVI

• LISP Multicast Using Campus Fabric Overlay

• Configure Broadcast on Fabric Edge Node

• Campus Fabric Configuration Examples for LISP Multicast

Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.

About Campus Fabric

Campus Fabric is a Locator/ID Separation Protocol (LISP) based overlay network built on top of an arbitrary underlay network.

Campus Fabric Overlay provisioning uses three components to enable flexible attachment of users and devices, and enhanced security through user-based and device-group based policies:

• Control-Plane

• Data-Plane

• Policy-Plane


This feature is supported on both the Enterprise Services and IP Base software images.

Benefits of Provisioning a Campus Fabric Network

• A hybrid Layer 2 and Layer 3 overlay offers the best of both services.

• Provides end-to-end segmentation using LISP virtualization technology, wherein only the Fabric Edge and Border nodes need to be LISP-aware. The rest of the components are just IP forwarders.

• Eliminates Spanning Tree Protocol (STP), improves link utilization, and brings faster convergence and ECMP load balancing.

• The fabric header supports Secure Group Tag (SGT) propagation, which enables a uniform policy model across the network. SGT-based policy constructs are subnet independent.

• Provides host mobility for both wired and wireless clients.

• Use of LISP helps decouple the host address and its location, simplifying the routing operations and improving the scalability and support.

Understanding Fabric Domain Elements

The following figure displays the elements that make up the fabric domain.


• Fabric Edge Devices — Provide connectivity to users and devices, including wireless Access Points (APs) that connect to the fabric domain. Fabric edge devices identify and authenticate endpoints, and register endpoint ID information in the fabric host-tracking database. They encapsulate at ingress and decapsulate at egress, to forward traffic to and from endpoints connected to the fabric domain.

• Fabric Control-Plane Devices — Provide overlay reachability information and endpoints-to-routing-locator mapping, in the host-tracking database. The control-plane device receives registrations from fabric edge devices with local endpoints, and resolves requests from edge devices to locate remote endpoints. You can configure a total of 3 control-plane devices, internally (a fabric border device) and externally (a designated control-plane device such as a Cisco CSR1000v), to allow redundancy on your network.

• Fabric Border Devices — Connect traditional Layer 3 networks or different fabric domains to the local domain, and translate reachability and policy information, such as VRF and SGT information, from one domain to another. You can configure up to 2 border devices to allow redundancy on your network.

• Virtual Contexts — Provide virtualization at the device level, using virtual routing and forwarding (VRF) to create multiple instances of Layer 3 routing tables. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation. You can configure up to 64 contexts in the fabric domain with the Enterprise license and limited to three contexts with the IP Base license.

• Host-Pools — Group endpoints in the fabric domain into IP pools, and identify them with a VLAN ID and an IP subnet.

Support for Fabric Enabled Wireless

Cisco IOS XE 3.10.0E introduces support for Fabric Enabled Wireless (FEW), also known as Software-Defined Access Wireless (SD Access Wireless), on the fabric edge devices. To boot a switch in wireless mode (also called install mode), see the Install Boot section of the Cisco Catalyst 4500 Supervisor Engine 8-E Wireless Mode Quick-Start Guide. The same boot steps are followed on Supervisor Engine 9-E as well.

For information on FEW for 3.10.0E, refer to Software-Defined Access Wireless for Catalyst 4500E Series Switches, Cisco IOS XE 3.10.0E.

For guidelines on FEW support on the fabric edge device, refer to the section on Guidelines for Fabric Enabled Wireless (FEW) support on Catalyst 4500 Series Switch.

Supported Platforms in Campus Fabric

Table 3-1

Platform Support                        Fabric Edge   Fabric Control-Plane   Fabric Border
Cisco Catalyst 4500-E Series Switches   Yes           No                     No
Cisco Catalyst 6800 Series Switches     No            Yes                    Yes
Cisco Catalyst 3850 Series Switches     Yes           Yes                    Yes
Cisco Nexus 7700 Series Switches        No            Yes                    Yes
Cisco CSR 1000v                         No            Yes                    No
Cisco Catalyst 9300 Series Switches     Yes           No                     No
Cisco Catalyst 9500 Series Switches     No            Yes                    Yes

Campus Fabric Configuration Guidelines

Consider the following guidelines and limitations when configuring campus fabric elements:

• Configure no more than three control-plane devices in each fabric domain.

• Configure no more than two border devices in each fabric domain.

• Each fabric edge device supports up to 5000 endpoints. This includes IPv4, IPv6, Layer 2, Layer 3, wired and wireless endpoints. Note that to configure more than 1000 endpoints, you need to increase the map cache limit and database mapping limit using the map-cache-limit and database-mapping-limit dynamic commands.

• Each control-plane device supports up to 5000 fabric edge device registrations.

• Ensure that you use 10-Gigabit-Ethernet supervisor uplinks when configuring underlay connectivity.

• Layer 2 (IPv4 host) and Layer 3 (IPv6 host) LISP overlay functionality is supported on Cisco IOS XE 3.10.0E.

Guidelines for Fabric Enabled Wireless (FEW) support on Catalyst 4500 Series Switch

• To enable wireless on the fabric, ensure that the device is booted in install boot mode.

• Configure the AP network as a dynamic EID under Layer 3 LISP instance. You can configure the client network also as a dynamic EID under the Layer 3 LISP instance.

• It is mandatory to have an SVI for AP VLAN.

• If an RLOC interface and AP VLAN share different VRFs, configure another interface with the same RLOC IP under the AP VLAN’s VRF.

• You can configure only one AP per port. (We recommend configuring the AP connecting port as an access port.)

• Maximum of 100 APs and 2000 wireless clients are supported.

• Ensure that the VLAN of APs is different from the VLAN of wireless clients.

• Ensure that AP and wireless clients are configured in IPv4 network. Cisco IOS XE 3.10.0E does not support AP and wireless clients on IPv6 network.

• Converged Access is deprecated starting with Cisco IOS XE 3.10.0E.

• To put the SVI in the UP state, use the no autostate command under the client’s SVI VLAN if there are no other ports configured under the same VLAN.

Limitations and Restrictions

• You can configure Cisco Catalyst 4500-E series switches as edge devices only.

• Campus Fabric is not supported in Virtual Switching System (VSS) mode and in VSS wireless mode.

• Virtual Extensible LAN (VXLAN) encapsulation is supported on the Supervisor uplink modules only. Ensure that you use supervisor uplink modules for underlay connections between fabric elements.

• Campus Fabric is supported only on Cisco Catalyst 4500-E series switches, on Supervisor Engine 8-E, and Supervisor Engine 9-E.

• Cisco IOS XE 3.10.0E supports 64 virtual networks in Enterprise License but is limited to three virtual networks in IP Base license.

• Cisco IOS XE 3.10.0E does not support IPv6 Resource Locators (RLOCs). It supports only IPv4 RLOCs.

• Policy-based routing (PBR) and Web Cache Communication Protocol (WCCP) are not supported within the fabric domain.

• Cisco TrustSec SGT Exchange Protocol (SXP) cannot be used to propagate SGTs across devices within the fabric domain.

• On the edge device, Cisco TrustSec links are not supported only on uplink interfaces connected to the underlay.

• Layer 3 source group tags cannot be applied to uplink interfaces connected to the underlay.

• Layer 3 overlay does not support IPv6 EID mobility.

• Layer 2 overlay, SGT and wireless access points do not support IPv6.

Campus Fabric Network Scale and Performance

• The maximum number of Layer 2 EID VLANs possible is 2000 (VLAN IDs 1 to 2000).

• The maximum number of local and remote hosts on each fabric edge is 5000.

• The maximum number of Access Points that can be connected to the fabric is 100.

• The maximum number of wireless clients that a campus fabric can onboard is 2000.

CLI changes starting Cisco IOS XE 3.10.0E

Starting Cisco IOS XE 3.10.0E, the CLI model for L2 LISP configuration is redesigned to better reflect the configuration flow and to configure LISP behavior specific to different functionalities like support for Layer 2 MAC Address as EID prefixes, and so on.

• The new CLI provides two levels of inheritance in two paths:

– router lisp -> service: called the global service / top service mode

– router lisp -> instance-id -> service: called the instance-service mode

• eid-table is decoupled from the instance-id. You can now configure eid-table without specifying the instance-id. The hierarchy is router lisp -> instance-id -> service -> eid-table

• You can have the common configuration under global service mode and instance-id specific configuration under instance-service mode.

• CLI configured at the global level of the hierarchy affects operational state of all instance services on lower levels of the hierarchy, unless explicitly overridden.

• All the {ipv4 | ipv6} [proxy] {itr | etr} commands appear under their respective service mode without their Address Family prefix.

• All LISP show commands begin with the show lisp prefix.

• A new command, locator default-set, configured at the global level, marks one of the locator sets as the default.

• service-ethernet is now a new sub-mode which enables Layer 2 MAC ID as EID space.

Note Once you enter the commands in the new configuration style, the old CLIs are not supported. To switch to the old CLIs, reload the system with all the new configuration style CLIs removed.
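The inheritance rule above, worked through in Python as an added example (not code from this guide or from Cisco). It parses a constructed new-style router lisp block, overlays each instance-service on the global service of the same type, and reports two conditions: service ethernet sharing an instance with service ipv4/ipv6 (which this chapter disallows), and etr enabled with no map-server configured or inherited. Treating a same-keyword command at instance level as the override is a simplifying assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the new CLI style; addresses and the key are placeholders.
SAMPLE = """\
router lisp
 service ipv4
  itr map-resolver 2.1.1.6
  etr map-server 2.1.1.6 key EXAMPLE-KEY
  etr
  exit-service-ipv4
 service ethernet
  itr map-resolver 2.1.1.6
  exit-service-ethernet
 instance-id 30
  service ipv4
   eid-table default
   exit-service-ipv4
  exit-instance-id
 instance-id 101
  service ethernet
   eid-table vlan 10
   etr
   exit-service-ethernet
  exit-instance-id
 instance-id 200
  service ipv4
   itr map-resolver 2.1.1.7
   exit-service-ipv4
  service ethernet
   exit-service-ethernet
  exit-instance-id
 exit-router-lisp
"""


def setting_key(line):
    """Storage key; a same-key instance-level command replaces the global one (assumption)."""
    tok = line.split()
    return " ".join(tok[:2]) if tok[0] in ("itr", "etr") and len(tok) > 1 else tok[0]


def parse_lisp(config):
    """Return (global_services, instances); services map name -> key -> [lines]."""
    new = lambda: defaultdict(lambda: defaultdict(list))
    glob, insts = new(), {}
    in_lisp, inst, svc = False, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            continue
        if not in_lisp:
            in_lisp = line == "router lisp"
        elif line == "exit-router-lisp":
            break
        elif svc is None and re.fullmatch(r"instance-id \d+", line):
            inst = int(line.split()[1])
            insts[inst] = new()
        elif line == "exit-instance-id":
            inst = None
        elif re.fullmatch(r"service (ipv4|ipv6|ethernet)", line):
            svc = line.split()[1]
            if inst is not None:
                insts[inst][svc]  # touch the entry so an empty service is still listed
        elif svc and line == f"exit-service-{svc}":
            svc = None
        elif svc:  # a command inside a service mode; other sub-modes are ignored
            scope = insts[inst] if inst is not None else glob
            scope[svc][setting_key(line)].append(line)
    return glob, insts


def effective(glob, insts):
    """Per (instance, service): global settings overlaid with instance-level ones."""
    out = {}
    for inst, services in insts.items():
        for svc, local in services.items():
            merged = {k: list(v) for k, v in glob.get(svc, {}).items()}
            merged.update({k: list(v) for k, v in local.items()})
            out[(inst, svc)] = merged
    return out


def audit(config):
    """Return sorted (instance, finding) pairs for the two checks."""
    glob, insts = parse_lisp(config)
    findings = []
    for inst, services in insts.items():
        l3 = sorted({"ipv4", "ipv6"} & set(services))
        if l3 and "ethernet" in services:
            findings.append((inst, f"service ethernet configured together with service {'/'.join(l3)}"))
    for (inst, svc), eff in effective(glob, insts).items():
        if "etr" in eff and "etr map-server" not in eff:
            findings.append((inst, f"service {svc}: etr enabled, no map-server configured or inherited"))
    return sorted(findings)


if __name__ == "__main__":
    print(*(f"instance-id {i}: {m}" for i, m in audit(SAMPLE)), sep="\n")
```

Instance 30 passes only because its empty service ipv4 inherits the global map-server and key; instance 101 fails because the global service ethernet has no map-server to inherit.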

How to Configure Campus Fabric

Configuring Campus Fabric involves the following stages:

• Network Provisioning — Setting up the management plane and the underlay mechanism.

• Overlay Provisioning — Setting up the fabric overlay that consists of the Edge, Border devices.

• Policy Management — Setting up virtual contexts or VRFs, endpoint groups and policies.

Configuring Fabric Edge Devices

You can configure Cisco Catalyst 4500-E series switches as edge devices only. These edge devices are also configured as DHCP Relay Agents to enable DHCP Snooping.

Before You Begin

• Configure a loopback0 IP address for each edge device to ensure that the device is reachable. Ensure that you apply the ip lisp source-locator loopback0 command to the uplink interface.

• Ensure that your underlay configuration is set up.


• Configure control-plane devices and border devices in your fabric domain. Cisco Catalyst 4500-E series switches cannot be configured as control-plane or border devices. For more information on configuring control-plane and border devices, see the How to Configure Fabric Overlay section in Software Configuration Guide, Cisco IOS XE Denali 16.3.x (Catalyst 3850 Switches)

Step     Command
         Purpose

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# router lisp
         Enters LISP configuration mode.

Step 3   Switch(config-router-lisp)# locator-table name {default | vrf vrf-name}
         Associates a virtual routing and forwarding (VRF) table through which the router can reach the locator address space.

Step 4   Switch(config-router-lisp)# locator-set name
         Specifies a named locator set.

Step 5   Switch(config-router-lisp-locator-set)# IPv4-interface Loopback-address {priority priority_value | weight weight_value}
         Configures the loopback IP address to ensure the device is reachable.

Step 6   Switch(config-router-lisp-locator-set)# exit-locator-set
         Exits the locator-set configuration mode.

Step 7   Switch(config-router-lisp)# instance-id instance
         Creates a LISP EID instance to group multiple services. Configuration under this instance-id will apply to all services underneath it.

Step 8   Switch(config-router-lisp-instance)# dynamic-eid dynamic-EID
         Creates the dynamic-eid policy and enters the dynamic-eid configuration mode.

Step 9   Switch(config-router-lisp-instance-dynamic-eid)# database-mapping eid locator-set RLOC-name
         Configures the EID to RLOC mapping relationship.

Step 10  Switch(config-router-lisp-instance-dynamic-eid)# exit-dynamic-eid
         Exits the dynamic-eid configuration mode.

Step 11  Do one of the following, depending on whether you are configuring L2 overlay or L3 overlay:

         Switch(config-router-lisp-inst)# service ipv4
         Switch(config-router-lisp-inst-serv-ipv4)#
         Enables Layer 3 network services for the IPv4 address family and enters the service-ipv4 submode.

         Switch(config-router-lisp-inst)# service ipv6
         Switch(config-router-lisp-inst-serv-ipv6)#
         Enables Layer 3 network services for the IPv6 address family and enters the service-ipv6 submode.

         Switch(config-router-lisp)# service ethernet
         Switch(config-router-lisp-inst-serv-eth)#
         Enables Layer 2 network services and enters the service-ethernet submode.

         Note: You cannot configure service IPv4/IPv6 and service ethernet in the same instance.

Step 12  Switch(config-router-lisp-inst-serv-ipv4)# eid-table vrf vrf-table
         Associates the LISP instance-id configured earlier with a virtual routing and forwarding (VRF) table through which the endpoint identifier address space is reachable.

Step 13  Switch(config-router-lisp-inst-serv-ipv4)# map-cache destination-eid map-request
         Generates a static map request for the destination-eid.

Step 14  Switch(config-router-lisp-inst-serv-ipv4)# itr map-resolver map-resolver-address
         Configures the map-resolver IP from where it needs to query the RLOC corresponding to the destination endpoint identifier (EID) IP.

Step 15  Switch(config-router-lisp-inst-serv-ipv4)# itr
         Specifies that this device acts as an Ingress Tunnel Router (ITR).

Step 16  Switch(config-router-lisp-inst-serv-ipv4)# etr map-server map-server-addr key {0 | 6} authentication key
         Configures the locator address of the LISP map server to be used by the Egress Tunnel Router (ETR) when registering the IPv4 endpoint identifiers.

Step 17  Switch(config-router-lisp-inst-serv-ipv4)# etr
         Specifies that this device acts as an Egress Tunnel Router (ETR).

Step 18  Switch(config-router-lisp-inst-serv-ipv4)# use-petr locator-address {priority priority_value | weight weight_value}
         Configures the device to use Proxy Egress Tunnel Router (PETR).

Step 19  Do one of the following, depending on what you have configured in Step 11:

         Switch(config-router-lisp-inst-serv-ipv4)# exit-service-ipv4
         Switch(config-router-lisp-inst-serv-ipv6)# exit-service-ipv6
         Switch(config-router-lisp-inst-serv-eth)# exit-service-ethernet
         Exits the service submode.

Step 20  Switch(config-router-lisp-instance)# exit-instance-id
         Exits the instance submode.

Configure Fabric Edge Node as Anycast SVI

Step     Command
         Purpose

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# interface interface
         Enters SVI configuration mode.

Step 3   Switch(config-if)# mac-address ba25.cdf4.ad38
         Configures the anycast gateway MAC address on the interface. ba25.cdf4.ad38 is the unique MAC address for all Layer 3 LISP/VXLAN encapsulation.

Step 4   Switch(config-if)# ip vrf forwarding EMPable name {default | vrf vrf-name}
         Configures VRF on the interface.

Step 5   Switch(config-if)# ip address ipv4-address
         Configures the IP address on the interface.

Step 6   Switch(config-if)# ip helper-address ipaddress
         DHCP broadcasts will be forwarded as a unicast to this specific helper address rather than be dropped by the router.

Step 7   Switch(config-if)# no lisp mobility liveness test
         Specifies that mobility liveness test is not performed on the device.

Step 8   Switch(config-if)# lisp mobility dynamic-EID policy
         Configures the interface to participate in LISP virtual machine mobility, which is dynamic-EID roaming. Ensure that this is the same dynamic-EID configured as the dynamic-EID on the fabric edge node in Step 8.

Configure the Fabric Edge Node as DHCP Relay agent

Step     Command
         Purpose

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# ip dhcp snooping
         Enables DHCP snooping globally.

Step 3   Switch(config)# ip dhcp snooping vlan vlan-number
         Enables DHCP snooping on a specified VLAN.

Step 4   Switch(config-if)# ip dhcp relay information option
         Enables the system to insert the DHCP relay agent information option (option-82 field) in the messages forwarded to a DHCP server.

Show Commands for Troubleshooting LISP Configuration

• show lisp instance-id id database

• show lisp

• show lisp instance-id id map-cache

• show lisp eid-table-summary

• show lisp forwarding eid local

• show lisp forwarding eid remote

• show lisp forwarding state

• show lisp instance-id id dynamic-eid

• show lisp site (for MS/MR)

• show adjacency lisp 0 detail

Show Commands for Troubleshooting FEW

• show access-tunnel summary

• show access-tunnel detail

• show mac address-table vlan 51

• show device-tracking database

• show l2lisp mappings

Examples for LISP Configuration on Fabric Edge Node

Consider the following topology:

This is a sample output for the show running-configuration command on the fabric edge node:

interface Loopback0
 ip address 2.1.1.1 255.255.255.255
!
interface Vlan10
 mac-address ba25.cdf4.ad38
 ip address 10.1.1.1 255.255.255.0
 lisp mobility DEFAULT.EID.eng
end
!
interface Vlan11
 mac-address ba25.cdf4.ad38
 ip address 192.168.101.1 255.255.255.0
end
!
router lisp
 locator-table default
 locator-set set1
  IPv4-interface Loopback0 priority 1 weight 1
  exit-locator-set
 !
 locator default-set set1
 service ipv4
  itr map-resolver 2.1.1.6
  itr
  etr map-server 2.1.1.6 key foo
  etr map-server 2.1.1.6 proxy-reply
  etr
  exit-service-ipv4
 !
 service ethernet
  itr map-resolver 2.1.1.6
  itr
  etr map-server 2.1.1.6 key foo
  etr map-server 2.1.1.6 proxy-reply
  etr
  exit-service-ethernet
 !
 instance-id 30
  dynamic-eid DEFAULT.EID.eng
   database-mapping 10.1.1.0/24 locator-set set1
   exit-dynamic-eid
  !
  service ipv4
   eid-table default
   database-mapping 10.1.0.0/16 locator-set set1
   exit-service-ipv4
  !
  exit-instance-id
 !
 instance-id 101
  service ethernet
   eid-table vlan 10
   database-mapping mac locator-set set1
   map-cache-limit 1000
   database-mapping limit dynamic 2000
   itr map-resolver 2.1.1.6
   itr
   etr map-server 2.1.1.6 key foo
   etr map-cache-ttl 10000
   etr
   exit-service-ethernet
  !
  exit-instance-id
 !
 instance-id 102
  service ethernet
   eid-table vlan 11
   database-mapping mac locator-set set1
   map-cache-limit 1000
   database-mapping limit dynamic 2000
   itr map-resolver 2.1.1.6
   itr
   etr map-server 2.1.1.6 key foo
   etr map-cache-ttl 10000
   etr
   exit-service-ethernet
  !
  exit-instance-id
 exit-router-lisp
!

This is a sample configuration for IPv6 unicast routing:

router lisp
 !
 locator-set rloc1
  IPv4-interface Loopback0 priority 1 weight 50
  exit-locator-set
 !
 service ipv6
  itr map-resolver 2.1.1.6
  itr
  etr map-server 2.1.1.6 key cisco
  etr
  exit-service-ipv6
 !
 instance-id 1
  service ipv6
   eid-table vrf lisp_vrf_red
   database-mapping 11:1:1:1::/64 locator-set rloc1
   exit-service-ipv6
!
interface Vlan45
 vrf forwarding lisp_vrf_red
 ipv6 address 11:1:1:1::1/64
end
!
interface Loopback0
 ip address 111.1.1.1 255.255.0.0
!

A sample output for the show running-configuration command on the Control Plane:

router lisp
 service ipv4
  map-server
  map-resolver
  exit-service-ipv4
 !
 service ipv6
  map-server
  map-resolver
  exit-service-ipv6
 !
 service ethernet
  map-server
  map-resolver
  exit-service-ethernet
 !
 instance-id 10
  map-server rloc members distribute
  service ipv4
   exit-service-ipv4
  !
  exit-instance-id
 !
 map-server rloc members distribute
 site site-3
  authentication-key cisco
  eid-record instance-id 30 10.1.0.0/16
  eid-record instance-id 30 10.1.0.0/24 accept-more-specifics
  exit-site
 !

A sample output of the show running-configuration command on the Border node:

interface Loopback0
 ip address 7.7.7.7 255.255.255.0
router lisp
 locator-table default
 locator-set set1
  IPv4-interface Loopback0 priority 10 weight 10
  exit-locator-set
 !
 locator default-set rloc
 service ipv4
  itr map-resolver 2.1.1.6
  etr map-server 2.1.1.6 key foo
  proxy-etr
  proxy-itr 7.7.7.7
  exit-service-ipv4
 !
 service ipv6
  itr map-resolver 2.1.1.6
  etr map-server 2.1.1.6 key foo
  proxy-etr
  proxy-itr 7.7.7.7
  exit-service-ipv6
 !
 instance-id 30
  service ipv4
   eid-table default
   map-cache 10.1.0.0/16 map-request
   exit-service-ipv4
  !
  exit-instance-id
 !
 exit-router-lisp

Dataplane Security

Campus Fabric Data Plane Security ensures that only traffic from within a fabric domain can be decapsulated by an edge device at the destination. Edge and border devices in the fabric domain validate that the source Routing Locator (RLOC), or the uplink interface address, carried by the data packet is a member of the fabric domain.

Data Plane Security ensures that the edge device source addresses in the encapsulated data packets cannot be spoofed. Packets from outside the fabric domain carry invalid source RLOCs that are blocked during decapsulation by edge and border devices.
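The source-RLOC check described above, modelled in Python as an added example (not Cisco's implementation and not code from this guide). It assumes an IPv4 underlay, VXLAN on UDP port 4789, and the VXLAN Group Policy Option header layout for carrying the SGT; the membership list and all addresses are constructed placeholders.

```python
import ipaddress
import struct
from collections import Counter

VXLAN_PORT = 4789   # IANA-assigned VXLAN UDP port
FLAG_G = 0x80       # Group Policy ID present (VXLAN-GPO layout, assumed here)
FLAG_I = 0x08       # VNI field is valid


def parse_outer(packet):
    """Return (outer source address, VNI, SGT or None) for an IPv4/UDP/VXLAN packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 16:
        raise ValueError("truncated outer headers")
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    if struct.unpack_from("!H", packet, ihl + 2)[0] != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    flags, _, group, vni_rsvd = struct.unpack_from("!BBHI", packet, ihl + 8)
    if not flags & FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    src = ipaddress.IPv4Address(packet[12:16])
    return src, vni_rsvd >> 8, group if flags & FLAG_G else None


class DecapFilter:
    """Model of source-RLOC validation: decapsulate only packets whose outer source
    address is in the RLOC membership list learned from the control plane."""

    def __init__(self, members):
        self.members = {ipaddress.IPv4Address(m) for m in members}
        self.rejected = Counter()   # drops per outer source, for logging and alerting

    def check(self, packet):
        try:
            src, vni, sgt = parse_outer(packet)
        except ValueError as exc:
            return "drop", str(exc)
        if src not in self.members:
            self.rejected[str(src)] += 1
            return "drop", f"source RLOC {src} is not a fabric member"
        return "decap", {"rloc": str(src), "vni": vni, "sgt": sgt}


def build_packet(src, dst, vni, sgt=None):
    """Build constructed outer IPv4/UDP/VXLAN headers (checksums left at zero)."""
    flags = FLAG_I | (FLAG_G if sgt is not None else 0)
    vxlan = struct.pack("!BBHI", flags, 0, sgt or 0, vni << 8)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp + vxlan


if __name__ == "__main__":
    # Constructed membership list and packets; all addresses are placeholders.
    flt = DecapFilter(["2.1.1.1", "7.7.7.7"])
    print(flt.check(build_packet("7.7.7.7", "2.1.1.1", vni=30, sgt=17)))
    print(flt.check(build_packet("198.51.100.9", "2.1.1.1", vni=30, sgt=17)))
    print(dict(flt.rejected))
```

The per-source drop counter is the part worth exporting to monitoring: a non-member address that keeps appearing as an outer source points at a stale membership list or at traffic injected from outside the fabric.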

Configuring Dataplane Security on Fabric Edge Devices

You can configure Cisco Catalyst 4500-E series switches as edge devices only.

Before You Begin

• Configure a loopback0 IP address for each edge device to ensure that the device is reachable. Ensure that you apply the ip lisp source-locator loopback0 command to the uplink interface.

• Ensure that your underlay configuration is set up.

Step     Command
         Purpose

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# router lisp
         Enters LISP configuration mode.

Step 3   Switch(config-router-lisp)# instance-id instance-id
         Creates a LISP EID instance to group multiple services. Configuration under this instance-id will apply to all services underneath it.

Step 4   Switch(config-router-lisp)# decapsulation filter rloc source [locator-set loc-name] [member]
         Enables source RLOC address validation of encapsulated packets in the fabric domain.

Step 5   Switch(config-router-lisp)# exit
         Exits LISP configuration mode and returns to global configuration mode.

Step 6   Switch(config-if)# exit
         Exits interface configuration mode and enters global configuration mode.

Step 7   Switch(config)# show lisp [session [established] | vrf [vrf-name [session [peer-address]]]]
         Displays reliable transport session information. If there is more than one transport session, the corresponding information is displayed.

To configure Dataplane Security on the MS/MR, do the following:

MS/MR(config)# router lisp
MS/MR(config-router-lisp)# map-server rloc members distribute

Security Group Tags and Policy Enforcement in Campus Fabric

Campus Fabric overlay propagates source group tags (SGTs) across devices in the fabric domain. Packets are encapsulated using virtual extensible LAN (VXLAN) and carry the SGT information in the header. The SGT mapped to the IP address of the edge device is carried within the encapsulated packet and propagated to the destination device, where the packet is decapsulated and the Source Group Access Control List (SGACL) policy is enforced.

Consider the following points when configuring SGT/SGACL:

• VLAN ACLs (VACLs) are not supported on Layer 2 Overlay VLANs.

• Do not enforce SGACL policy if two clients with the same IP address but in different VRFs are involved in Layer 2 overlay.

• SGACL policy is applied on wireless clients only when CTS is enabled on LISP VLAN.

For more information on Cisco TrustSec and Source Group Tags, see Cisco TrustSec Switch Configuration Guide.

LISP Multicast Using Campus Fabric Overlay

You can use Campus Fabric overlay to carry multicast traffic over core networks. Cisco IOS XE 3.10.0E supports two modes of multicast traffic:

• For core networks that do not have native multicast capabilities, campus fabric overlay allows unicast transport of multicast traffic with head-end replication at the edge device.

• For core networks with native multicast capabilities, campus fabric overlay allows multicast replication.

Note Only Protocol Independent Multicast (PIM) Sparse Mode and PIM Source Specific Multicast (SSM) are supported in Campus Fabric. Dense mode is not supported in Campus Fabric.

Information About LISP Multicast

The implementation of LISP multicast includes the following features and guidelines:

• Mapping of multicast source addresses as LISP endpoint identifiers (EIDs). (Destination group addresses are not topology dependent).

• Building the multicast distribution tree across LISP overlays.

• Unicast head-end replication of multicast data packets from sources within a root ingress tunnel router site to receiver egress tunnel routers.

• Support for ASM (Any Source Multicast) and SSM (Source Specific Multicast) service models for unicast replication. Support for only SSM in core tree for multicast replication.

• Support for various combinations of LISP and non-LISP capable source and receiver sites.

• Support for IPv6 endpoint identifiers (EIDs) with head end replication multicast mode.

• IPv6 multicast routing is supported only on default VRF.

• By default, IPv6 multicast is enabled on IPv6 interfaces. Hence, the EID-facing interface does not require explicit IPv6 multicast configuration.

• Cisco IOS XE 3.10.0E does not support Dense Mode or Bidirectional Protocol Independent Multicast (PIM). Only PIM-Sparse Mode (SM) and PIM Source Specific Multicast (SSM) modes are supported.

• Multicast does not support group to Rendezvous Point (RP) mapping distribution mechanisms, Auto-RP and Bootstrap Router (BSR). Only Static RP configuration is supported.

• Multicast RP redundancy is not supported in the fabric domain.

• Ensure RP is either in the EID space or the fabric border space for reachability.

• Enable PIM on uplink and loopback interfaces.

• IPv6 multicast supports only head-end replication.

Note If a LISP xTR is also a PIM First Hop Router (FH) or a Rendezvous Point and the device is only receiving traffic, ensure that at least one interface on the device is covered by a local LISP database mapping. No additional configuration is required to ensure that the proper address is selected.

Configure IPv4 Multicast in Campus Fabric

Before You Begin

Ensure that you have already configured basic LISP services on the device.


Command and purpose:

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# ip multicast-routing
         Enables IP multicast routing.

Step 3   Enter one of the following:
         Switch(config)# ip pim rp-address rp-address
         Statically configures the address of a Protocol Independent Multicast (PIM) rendezvous point (RP) for multicast groups.
         Switch(config)# ip pim ssm {default | range {access-list-name | access-list-name}}
         Defines the Source Specific Multicast (SSM) range of IP multicast addresses.

Step 4   Switch(config)# interface LISP interface-number
         Specifies the LISP interface and the subinterface on which to enable Protocol Independent Multicast (PIM) sparse mode.

Step 5   Do one of the following depending on the multicast mode:
         Switch(config-if)# ip pim sparse-mode
         Enables Protocol Independent Multicast (PIM) on the interface for sparse-mode operation. Use this command when the core does not have native multicast capabilities. Multicast over the fabric is achieved by head-end replication at the source xTR.
         Switch(config-if)# ip pim lisp transport multicast ipv4
         Enables PIM on the interface for sparse-mode operation. Use this command when the core network has native multicast capabilities.
         Note: Enable PIM on the uplink interface.

Step 6   Switch(config-if)# exit
         Exits interface configuration mode and enters global configuration mode.

Step 7   Switch(config)# interface interface-type interface-number
         Configures the interface facing the endpoint, and enters interface configuration mode.

Step 8   Switch(config-if)# ip pim sparse-mode
         Enables Protocol Independent Multicast (PIM) on the interface for sparse-mode operation.

Step 9   Switch(config-if)# end
         Ends the current configuration session and returns to privileged EXEC mode.

Step 10  Switch# show ip mroute multicast-ip-address
         Verifies the multicast routes on the device.

Step 11  Switch# ping multicast-ip-address
         Verifies basic multicast connectivity by pinging the multicast address.

Step 12  Switch# show ip mfib
         Displays the forwarding entries and interfaces in the IPv4 Multicast Forwarding Information Base (MFIB).


Configure IPv6 Multicast in Campus Fabric

Command and purpose:

Step 1   Switch# configure terminal
         Enters global configuration mode.

Step 2   Switch(config)# ipv6 multicast-routing
         Enables IPv6 multicast routing.

Step 3   Switch(config)# ipv6 unicast-routing
         Enables IPv6 unicast routing.

Step 4   Switch(config)# ipv6 pim rp-address rpaddress
         Statically configures the IPv6 address of a PIM RP for multicast groups.

Step 5   Switch(config)# instance-id instance
         Creates a LISP EID instance to group multiple services. Configuration under this instance-id will apply to all services underneath it.

Step 6   Switch(config-inst)# service ipv6
         Enables Layer 3 network services for the IPv6 address family and enters the service-ipv6 submode.

Step 7   Switch(config-inst-serv-ipv6)# eid-table default
         Associates the LISP instance-id configured earlier with the default VRF table through which the endpoint identifier address space is reachable.

Step 8   Switch(config-inst-serv-ipv6)# database-mapping eid locator-set RLOC name
         Configures the EID to RLOC mapping relationship.

Step 9   Switch(config-inst-serv-ipv6)# exit-service-ipv6
         Exits the service ipv6 configuration submode.

Step 10  Switch(config-inst)# exit-instance-id
         Exits the instance-id configuration mode.

Step 11  Switch(config)# interface lisp-interface
         Enters the LISP subinterface configuration mode. The lisp-interface is represented by LISP0.instance-id.

Step 12  Switch(config-if)# ip unnumbered lisp-interface
         Verifies basic multicast connectivity by pinging the multicast address.

Step 13  Switch(config-if)# ipv6 pim lisp transport multicast ipv4
         Enables PIM on the interface for sparse-mode operation.

Configure Broadcast on Fabric Edge Node

Use the following configurations to enable broadcast on the fabric edge:

• Use the broadcast-underlay multicast-address command under instance-service-ethernet mode.

• Enable PIM sparse mode on the uplink port using the ip pim sparse-mode command.

• Enable the PIM RP address using the ip pim rp-address address command.

• Ensure that you enable PIM sparse mode and PIM RP address on the fabric edge.

Show Commands for Troubleshooting LISP Multicast Configuration

• show ip pim vrf vrf_name rp mapping

• show ip pim vrf vrf_name neighbor

• show ip pim vrf vrf_name tunnel

• show ip mroute vrf vrf_name

• show ip mfib vrf vrf_name

• show ip mfib vrf vrf_name count

• show ip multicast interface

• show ip pim vrf vrf_name interface

• show ipv6 mroute

• show ipv6 mfib group ip

• show ipv6 pim tunnel

• show ipv6 mfib count

• show ipv6 pim topology

Campus Fabric Configuration Examples for LISP Multicast

A sample configuration for LISP multicast on a fabric edge node, FE1:

ip multicast-routing
ip pim ssm default
!
interface Loopback0
 ip address 11.1.1.1 255.0.0.0
!
interface Loopback100
 ip address 66.66.66.66 255.255.255.255
 ip pim sparse-mode
!
interface GigabitEthernet0/1
 ip address 90.0.0.1 255.255.255.0
 ip pim sparse-mode
!
interface Vlan100
 ip address 100.0.0.1 255.255.0.0
 no ip redirects
 ip local-proxy-arp
 ip pim sparse-mode
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility vl_100
 ip pim sparse-mode
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
!
router lisp
 encapsulation vxlan
 locator-table default
 locator-set rloc_1
  IPv4-interface Loopback0 priority 1 weight 1
  exit
 eid-table default instance-id 0
  database-mapping 66.66.66.66/32 locator-set rloc_1
  dynamic-eid vl_100
   database-mapping 100.0.0.0/16 locator-set rloc_1
   exit
 !
 sgt
 use-petr 14.1.1.1
 itr map-resolver 30.3.1.1
 itr
 etr map-server 30.3.1.1 key lisp
 etr
!
interface LISP0
 ip pim sparse-mode
!
ip pim rp-address 66.66.66.66

A sample configuration on the Control Plane (MS/MR) for Multicast:

interface Loopback0
 ip address 30.3.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 90.0.0.2 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 ip address 90.1.0.2 255.255.255.0
 ip pim sparse-mode
!
router lisp
 site Fabric
  authentication-key lisp
  eid-prefix 100.0.0.0/16 accept-more-specifics
  eid-prefix 66.66.66.66/32 accept-more-specifics
  eid-prefix 77.77.77.77/32 accept-more-specifics
  eid-prefix 88.88.88.88/32 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit


A sample configuration for IPv6 Multicast Routing:

ipv6 unicast-routing
ipv6 multicast-routing
ipv6 pim rp-address 3000::1 // Configure IPv6 PIM RP address
router lisp
 !
 locator-set rloc1
  IPv6-interface Loopback0 priority 1 weight 50
  exit-locator-set
 !
 instance-id 10
  service ipv6
   eid-table default
   database-mapping 4000::/64 locator-set RLOC1
   exit-service-ipv6
  !
  exit-instance-id
 !
//LISP subinterface configuration
interface LISP0.10
 ip unnumbered LISP0.10
 ip pim sparse-mode
 ipv6 pim lisp transport unicast ipv4
!

Running configuration on the EID facing interface:

FE1# show running-config int vlan 300
Building configuration...

Current configuration : 65 bytes
!
interface Vlan300
 no ip address
 ipv6 address 4000::1/64
end

Configuration Example for Enabling Broadcast traffic on Campus Fabric

Below is a sample configuration on the fabric edge node to enable broadcast traffic:

instance-id 250
 service ethernet
  eid-table vlan 250
  broadcast-underlay 225.1.1.1 //IP address is any valid multicast address.
  database-mapping mac locator-set rloc2
  exit-service-ethernet
 !
 exit-instance-id

interface Port-channel1
 mtu 9198
 ip address 123.1.1.1 255.255.0.0
 ip pim sparse-mode
 ip router isis
 ip lisp source-locator Loopback1
 load-interval 30
end
interface Loopback1
 ip address 122.1.1.1 255.255.0.0
 ip pim sparse-mode
 ip router isis
end
!
ip pim rp-address 113.1.1.2
!

DHCP Configuration for Campus Fabric

In a Campus Fabric network, the DHCP server is deployed as a shared service located in a network that is different from the fabric endpoints. Every fabric edge is configured as a DHCP relay agent to relay the DHCP traffic between fabric endpoints and the DHCP server. The DHCP server is located in the non-EID space in the enterprise fabric network, and the fabric edge node uses the fabric border as Proxy Tunnel Router (PxTR) to communicate with the DHCP server.

The DHCP solution deployment in Campus Fabric is based on the Fabric Anycast Gateway model, where the gateway IP for the clients is an anycast Switched Virtual Interface (SVI) IP address configured on all the fabric edge nodes. DHCP is implemented in the Layer 3 overlay with anycast address support and network address transparency.

DHCP Packet Flow


In this topology that implements Option-82 Remote-ID Suboption for DHCP:


• Fabric edge node is configured as LISP Ingress or Egress Tunnel Router (xTR) with locator address as 1.1.1.1

• Fabric border node is configured as LISP Proxy Tunnel Router (PxTR).

• Host 1 is the DHCP client attached to fabric edge, VLAN 10, prefix 192.168.10.0/24.

• Layer 3 interface (SVI) connects to mobility subnet, interface VLAN 10.

• DHCP relay agent configured for SVI VLAN 10 on fabric edge node.

• DHCP server attached to the native network and its address is 172.168.1.1/24, reachable via fabric border node.

Sequence of Operations in Assigning IP Address to DHCP Client in Campus Fabric Network

DHCP Client (host1)

1. Host 1 generates a DHCP discovery message and broadcasts it on the network.

DHCP Relay Agent

2. The DHCP relay agent (fabric edge node) intercepts the packet, and sets the following fields in the packet:

– GIADDR: Set to incoming Anycast SVI interface IP address (192.168.10.1).

– Option-82 Remote-ID Sub Option: String encoded as "SRLOC IPv4 address" and "VxLAN L3 VNI ID" associated with Client segment.

– Locator address is set to 1.1.1.1

– L3 VNI ID is set to 20

– Circuit ID Suboption: Encoded in VLAN-PORT-Module format, with VLAN=10, Port/Module set to incoming port and switch number.

3. Builds the DHCP message by re-writing the inner DHCP source address, inner VXLAN MAC header, VXLAN header, UDP header, outer IP header, and outer L2 header. It then forwards this VXLAN encapsulated DHCP unicast packet to the fabric border node.

Fabric Border Node

4. Fabric Border device decapsulates the VXLAN encapsulated DHCP packet and natively forwards the packets destined to DHCP server address, to the next-hop router.

DHCP Server

5. The following process occurs on the DHCP server after receiving the DHCP packet from the DHCP relay agent:

– DHCP server selects the IP pool (192.168.10.0/24) based on the value of GIADDR (192.168.10.1) set in the incoming message.

– Allocates IP address (192.168.10.2) from the IP pool.


– Generates DHCP OFFER messages, with the destination address set to the value of GIADDR received. This is piggy-backed with the Option-82 sub-options that include Circuit ID and Remote ID.

6. DHCP server routes the DHCP reply packets toward the DHCP relay agent through the fabric border. (Fabric border is the entry point for all in-bound traffic toward the fabric).

Fabric Border Node

7. Fabric border node configured as LISP PxTR acts as an ingress LISP tunnel router for all packets destined to the fabric subnets. When it receives the DHCP reply message (DHCP OFFER) destined to DHCP relay agent address, the fabric border device makes the DHCP OFFER message VXLAN encapsulated using the Option 82 Remote ID fields (Src RLOC IP and VNI fields) and forwards it to the DHCP relay agent.

DHCP Relay agent

8. DHCP relay agent receives the DHCP OFFER packet, processes it and forwards it to the client.

DHCP Client:

9. DHCP client receives the DHCP OFFER packet, and initiates DHCP request packet to request for the IP address (192.168.10.2).

The DHCP Request packet is then treated the same way as explained in steps 2 to 4 until it reaches the DHCP server.

The DHCP server does regular processing of the DHCP request packet and sends back a DHCP ACK to the DHCP relay agent. DHCP ACK follows the same forwarding procedure as mentioned in steps 5 to 9.
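The relay, server and border roles in the sequence above can be traced in code. The following Python sketch is an added example, not Cisco's implementation: the option 82 and sub-option TLV framing follows RFC 3046, while the byte layouts inside the Remote-ID and Circuit-ID values and all function names are assumptions made for illustration (the page only states which fields they carry).

```python
import ipaddress
import struct

RELAY_AGENT_INFO = 82   # DHCP option 82, RFC 3046
SUB_CIRCUIT_ID = 1      # RFC 3046 sub-option 1
SUB_REMOTE_ID = 2       # RFC 3046 sub-option 2


def encode_remote_id(rloc, vni):
    """ASSUMED layout (not Cisco's): 3-byte L3 VNI, then the 4-byte IPv4 RLOC."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return vni.to_bytes(3, "big") + ipaddress.IPv4Address(rloc).packed


def encode_circuit_id(vlan, module, port):
    """ASSUMED layout for VLAN-PORT-Module: 2-byte VLAN, 1-byte module, 1-byte port."""
    return struct.pack("!HBB", vlan, module, port)


def build_option82(circuit_id, remote_id):
    """Relay side (step 2): wrap both sub-options in one option 82 TLV."""
    body = b""
    for code, value in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds 255 bytes")
    return bytes([RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(raw):
    """Return {sub-option code: value}; reject truncated or inconsistent TLVs."""
    if len(raw) < 2 or raw[0] != RELAY_AGENT_INFO or raw[1] != len(raw) - 2:
        raise ValueError("malformed option 82 header")
    subs, body, i = {}, raw[2:], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def border_encap_target(option82):
    """Border side (step 7): recover (RLOC, VNI) from the echoed Remote-ID."""
    remote_id = parse_option82(option82).get(SUB_REMOTE_ID)
    if remote_id is None or len(remote_id) != 7:
        raise ValueError("Remote-ID missing or not 7 bytes")
    return str(ipaddress.IPv4Address(remote_id[3:])), int.from_bytes(remote_id[:3], "big")


def select_pool(giaddr, pools):
    """Server side (step 5): pick the pool whose subnet contains GIADDR."""
    addr = ipaddress.IPv4Address(giaddr)
    for pool in pools:
        if addr in ipaddress.ip_network(pool):
            return pool
    raise LookupError("no pool for GIADDR " + giaddr)


# Values from the topology above; module 1 and port 5 are constructed.
OPTION82 = build_option82(encode_circuit_id(10, 1, 5), encode_remote_id("1.1.1.1", 20))

if __name__ == "__main__":
    print(OPTION82.hex())
    print(border_encap_target(OPTION82))
    print(select_pool("192.168.10.1", ["172.168.1.0/24", "192.168.10.0/24"]))
```

Because GIADDR is the anycast SVI address shared by every fabric edge, the echoed Remote-ID is the only field that tells the border which edge node and VNI the reply belongs to, which is why the parser rejects malformed sub-options instead of guessing.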

DHCP Configuration Example

Consider the following topology:


Configure Loopback 0 on the fabric edge node

configure terminal
interface loopback 0
 ip address 1.1.1.1 255.255.255.255
exit

Configure fabric edge as Proxy ITR with a 0/0 map-cache for the DHCP request to be sent in the Overlay

router lisp
 locator-set edge1
  IPv4-interface loopback 0
  exit-locator-set
 !
 instance-id 4098
  dynamic-eid user
   database-mapping 10.1.18.0/24 locator-set edge1
   exit-dynamic-eid
  !
  service ipv4
   eid-table vrf User
   map-cache 0.0.0.0/0 map-request
   itr map-resolver 3.3.3.3
   proxy-itr 1.1.1.1
   etr map-server 3.3.3.3 key uci
   etr
   use-petr 3.3.3.3
   exit-service-ipv4
  !
  exit-instance-id
 !
 exit-router-lisp

Enable DHCP snooping on all the VLANs in the fabric

ip dhcp relay information option
ip dhcp snooping
ip dhcp snooping vlan 101

Discover/Request Packets are sent via overlay in VRF “dhcp” destined to 20.20.20.20 (DHCP Server IP). Configure the DHCP server helper address under the SVI which is the gateway.

interface Vlan101
 ip vrf forwarding User
 ip address 10.1.18.1 255.255.255.0
 ip helper-address 20.20.20.20
 no lisp mobility liveness test
 lisp mobility user
end

Configure host facing ports on the fabric edge.

interface GigabitEthernet1/0/38
 description conn_IX_0104
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
end


Configure the fabric border, which is also the map-server router that connects to the network where the DHCP server is located.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 instance-id 4098
  service ipv4
   eid-table vrf PACAF
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
  !
  exit-instance-id
router bgp 65002
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf USER
  aggregate-address 10.1.18.0 255.255.255.0 summary-only
  redistribute lisp metric 10
  neighbor 30.1.1.1 remote-as 200
  exit-address-family

Create Loopback interface for Anycast SVI IP Address per VNI at the border to facilitate punting the DHCP packets received from the DHCP server to the CPU.

interface Loopback3000
 vrf forwarding User
 ip address 10.1.18.1 255.255.255.255
end

Advertise Anycast SVI address to BGP peers.

router bgp 100
 address-family ipv4 vrf User
  bgp router-id 23.1.1.1
  network 10.1.18.1 mask 255.255.255.255
  aggregate-address 10.1.18.0 255.255.0.0 summary-only
  redistribute lisp metric 10
  neighbor 23.1.1.2 remote-as 200
  neighbor 23.1.1.2 ebgp-multihop 3
  neighbor 23.1.1.2 activate
  exit-address-family

Create DHCP Pool. On the DHCP server, ensure that the default-router IP address is the SVI gateway within LISP.

ip dhcp excluded-address 10.1.18.1
ip dhcp excluded-address 10.1.18.202 10.1.18.255
!
ip dhcp pool User
 network 10.1.18.0 255.255.255.0
 default-router 10.1.18.1
!
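The steps above ask for DHCP snooping on every fabric VLAN and a helper address on each gateway SVI, and a mismatch between the two is easy to miss in a long running configuration. The following Python check is an added example, not a Cisco tool: the function names are hypothetical, and the sample configuration is constructed from the fabric edge lines on this page plus an extra Vlan102 SVI that deliberately lacks snooping coverage.

```python
import re

# Constructed sample: fabric edge lines from the steps above, plus a made-up
# relay SVI (Vlan102, 10.1.19.1) that is not covered by DHCP snooping.
SAMPLE_EDGE_CONFIG = """\
ip dhcp relay information option
ip dhcp snooping
ip dhcp snooping vlan 101
!
interface Vlan101
 ip vrf forwarding User
 ip address 10.1.18.1 255.255.255.0
 ip helper-address 20.20.20.20
 lisp mobility user
!
interface Vlan102
 ip address 10.1.19.1 255.255.255.0
 ip helper-address 20.20.20.20
!
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '101,200-202' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_dhcp_relay(config):
    """Return findings for relay SVIs that lack the snooping settings shown above."""
    snooping_global = option82 = False
    snooped, relay_svis, current_svi = set(), set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new top-level section.
            match = re.match(r"interface Vlan(\d+)\s*$", line, re.I)
            current_svi = int(match.group(1)) if match else None
        text = line.strip()
        if text == "ip dhcp snooping":
            snooping_global = True
        elif text == "ip dhcp relay information option":
            option82 = True
        elif (match := re.match(r"ip dhcp snooping vlan ([\d,\- ]+)$", text)):
            snooped |= expand_vlans(match.group(1))
        elif text.startswith("ip helper-address ") and current_svi is not None:
            relay_svis.add(current_svi)
    findings = []
    if not snooping_global:
        findings.append("'ip dhcp snooping' is not enabled globally")
    if not option82:
        findings.append("'ip dhcp relay information option' is missing")
    for vlan in sorted(relay_svis - snooped):
        findings.append(f"Vlan{vlan} relays DHCP but is not listed in 'ip dhcp snooping vlan'")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_relay(SAMPLE_EDGE_CONFIG):
        print(finding)
```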
