LISP - A New Network Architecture and Its Use in Enterprise Networks
Miroslav Brzek, Systems Engineer
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
LISP - Introduction
LISP - How it works
LISP - Example use in an enterprise network
LISP - Current status
Summary
LISP - A Next Generation Networking Architecture
LISP Overview: Original Motivation - Resolve Route Scaling Problems
Today's Internet Behavior
The "Default Free Zone" (DFZ) contains all types of routes:
• Edge (site) routes
• Core (provider) routes
• More specifics of both types for TE purposes
In this model, everything goes in the DFZ.
[Figure: Internet DFZ today (all prefixes) vs. Internet DFZ plus a LISP Mapping System (site prefixes moved out of the DFZ).]
LISP Behavior
• Locator/ID "split" architecture treats "core" and "site" prefixes differently
• In this model, prefixes describing core topology (locators) go in the DFZ; prefixes describing end sites (EIDs) go in the LISP mapping system
LISP Overview: Locator/ID Split Enables Other (More Important) Benefits
Today's Internet Behavior
• A device's IPv4 or IPv6 address (x.y.z.1) represents both identity and location
• When the device moves, it gets a new IPv4 or IPv6 address (w.z.y.9) for its new identity and location
LISP Behavior
• A device's IPv4 or IPv6 address (x.y.z.1) represents identity only
• When the device moves, it keeps its IPv4 or IPv6 address: it has the same identity
• Only the location changes (locator a.b.c.1 before the move, e.f.g.7 after)
LISP Overview: Routing and Addressing Architecture of the Internet Protocol
Addresses today combine location and identity semantics in a single 32-bit or 128-bit number.
Separating location and identity changes this:
• Provides a clear separation at the network layer between what we are looking for vs. how best to get there
• Translation vs. tunneling is a key question
Network layer identifier: WHO you are in the network; a long-term binding to the thing it names, which does not change often at all.
Network layer locator: WHERE you are in the network; think of the source and destination "addresses" used in routing and forwarding.
WHERE you are can change! WHO you are should be the same!
LISP Operations: LISP Namespaces
• EID (Endpoint Identifier) is the IP address of a host, just as it is today
• RLOC (Routing Locator) is the IP address of the LISP router for the host
• EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs
Main attributes of LISP
• Network-based solution
• No host changes
• Minimal configuration
• No DNS changes
• Address family agnostic
• Incrementally deployable (supports LISP and non-LISP sites)
• Support for mobility
[Figure: EID space (sites behind xTRs), RLOC space (core, with MS/MR and a PxTR) and non-LISP space. The RLOC-space routing table carries only locator prefixes (w.x.y.1, x.y.w.2, z.q.r.5, all via next hop e.f.g.h); the site prefixes live in the EID-to-RLOC mapping:]
EID           RLOC
a.a.a.0/24    w.x.y.1
b.b.b.0/24    x.y.w.2
c.c.c.0/24    z.q.r.5
d.d.0.0/16    z.q.r.5
LISP Operations: Mapping Resolution "Level of Indirection" - DNS Analog
LISP's "level of indirection" is analogous to a DNS lookup.
‒ DNS resolves a hostname to IP addresses, answering the "WHO IS" question:
  host -> DNS server: [who is lisp.cisco.com]?
  DNS server -> host: [153.16.5.29, 2610:D0:110C:1::3]
‒ LISP resolves locators for queried identities, answering the "WHERE IS" question:
  LISP router -> LISP mapping system: [where is 153.16.5.29]?
  LISP mapping system -> LISP router: [locator is 128.107.81.169]
LISP Operations: LISP IPv4 EID / IPv4 RLOC Data Packet Header Example
[Figure: packet layout, outermost first]
• Outer IPv4 header: the ITR supplies the RLOCs (source = ITR RLOC, destination = ETR RLOC)
• UDP header: destination port 4341 (LISP data)
• LISP header
• Inner IPv4 header: the host supplies the EIDs (unchanged end to end)
Q: How does the UDP source port get selected?
A: It is either a 3-tuple or 5-tuple hash of the inner (EID) header. Because the ITR computes the hash and places it in the outer UDP header, core routers can load-balance LISP traffic per flow across ECMP paths without looking inside the encapsulation.
LISP Operations: LISP Encapsulation Combinations - IPv4 and IPv6 Supported
Any combination of outer (RLOC) and inner (EID) address family is supported; in every case the outer header is followed by the UDP header and the LISP header, then the inner packet:
• IPv6 outer header / IPv4 inner header
• IPv6 outer header / IPv6 inner header
• IPv4 outer header / IPv6 inner header
• IPv4 outer header / IPv4 inner header
Q: Doesn't encapsulation cause MTU issues?
A: It can, but preparation limits the issues. Encapsulation overhead is 36 bytes with an IPv4 outer header (20 IPv4 + 8 UDP + 8 LISP) and 56 bytes with an IPv6 outer header (40 + 8 + 8). LISP supports "stateful" (PMTUD) and "stateless" (fragmentation) options. Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable.
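The encapsulation described on the last two slides (outer IPv4 + UDP 4341 + LISP header around the host's inner packet, source port hashed from the inner header, 36-byte overhead, DF set for the PMTUD option), as an added Python example that is not code from the presentation or from Cisco. The RLOCs 12.1.0.2 and 12.3.1.2, the inner 10.1.1.10 -> 10.3.1.1 packet, instance-ID 1 and the SHA-256 flow hash are constructed assumptions.

```python
"""LISP IPv4-in-IPv4 data-plane encapsulation as an ITR performs it (RFC 6830 header layout).

Added example, not code from the presentation. The inner packet, the RLOCs,
the instance-ID and the SHA-256 flow hash below are constructed assumptions.
"""
import hashlib
import socket
import struct

LISP_DATA_PORT = 4341           # data plane; the control plane uses 4342
IPV4_OVERHEAD = 20 + 8 + 8      # outer IPv4 + UDP + LISP header = 36 bytes
IPV6_OVERHEAD = 40 + 8 + 8      # outer IPv6 + UDP + LISP header = 56 bytes
FLAG_N = 0x80                   # LISP header: nonce present
FLAG_I = 0x08                   # LISP header: instance-ID present


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when a valid checksum is included)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int, tos=0, ident=0, df=False) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000 if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def inner_flow_tuple(inner: bytes):
    """(src, dst, proto, sport, dport) of the inner IPv4 packet; ports only for TCP/UDP."""
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    sport = dport = 0
    if proto in (6, 17) and len(inner) >= ihl + 4:
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return inner[12:16], inner[16:20], proto, sport, dport


def lisp_source_port(inner: bytes) -> int:
    """UDP source port = hash of the inner header (the slide's 5-tuple option).

    The port keeps all packets of one flow on one ECMP path in the core; RFC 6830
    asks for an ephemeral-range port (49152-65535). The hash itself is our choice.
    """
    src, dst, proto, sport, dport = inner_flow_tuple(inner)
    digest = hashlib.sha256(src + dst + struct.pack("!BHH", proto, sport, dport)).digest()
    return 49152 + int.from_bytes(digest[:2], "big") % 16384


def lisp_encapsulate(inner: bytes, src_rloc: str, dst_rloc: str, iid=0, nonce=0) -> bytes:
    """ITR: wrap the host's packet (EIDs) in outer IPv4 (RLOCs) + UDP 4341 + LISP header."""
    if not 0 <= iid < (1 << 24):
        raise ValueError("instance-ID is a 24-bit field")
    flags = FLAG_N | (FLAG_I if iid else 0)
    # word 1: flags + 24-bit nonce; word 2: 24-bit IID + 8-bit locator-status bits (I=1)
    lisp_hdr = struct.pack("!II", (flags << 24) | (nonce & 0xFFFFFF),
                           ((iid << 8) | 0xFF) if iid else 0xFFFFFFFF)
    udp_len = 8 + len(lisp_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", lisp_source_port(inner), LISP_DATA_PORT, udp_len, 0)  # zero UDP checksum allowed over IPv4
    # DF set on the outer header: the "stateful" PMTUD option; ToS copied from the inner header
    outer = ipv4_header(src_rloc, dst_rloc, udp_len, 17, tos=inner[1], df=True)
    return outer + udp_hdr + lisp_hdr + inner


def outer_udp_ports(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])


def lisp_decapsulate(packet: bytes):
    """ETR: check the outer headers and return (src_rloc, dst_rloc, iid, inner_packet)."""
    if packet[0] >> 4 != 4 or packet[9] != 17 or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("outer header is not a valid IPv4/UDP header")
    ihl = (packet[0] & 0x0F) * 4
    _sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != LISP_DATA_PORT:
        raise ValueError("not LISP data (UDP 4341)")
    w1, w2 = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    iid = (w2 >> 8) if (w1 >> 24) & FLAG_I else 0
    inner = packet[ihl + 16:ihl + 8 + udp_len]
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), iid, inner


def max_inner_size(core_mtu: int, outer_is_ipv6=False) -> int:
    """Largest inner packet that fits the core MTU without fragmentation."""
    return core_mtu - (IPV6_OVERHEAD if outer_is_ipv6 else IPV4_OVERHEAD)


def sample_inner_packet() -> bytes:
    """Constructed inner IPv4/UDP packet 10.1.1.10:40000 -> 10.3.1.1:53 between EIDs."""
    payload = b"query from EID space"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    return ipv4_header("10.1.1.10", "10.3.1.1", len(udp), 17, ident=1) + udp
```

With a 1500-byte core MTU, max_inner_size(1500) gives 1464 bytes for an IPv4 outer header and 1444 for an IPv6 one, which is the number to hand to the site's hosts or to the xTR's "ip mtu" if you prefer the stateful option over fragmentation.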
LISP Operations: LISP Data Plane - Ingress/Egress Tunnel Router (xTR)
[Figure: LISP Site 1 (host S, PI EID-prefix 2001:db8:1::/48) behind xTR-1 and xTR-2, whose RLOCs lie in 10.0.0.0/8 and 11.0.0.0/8; LISP Site 2 (host D, PI EID-prefix 2001:db8:2::/48) behind xTR-3 and xTR-4, whose RLOCs lie in 12.0.0.0/8 and 13.0.0.0/8; an IP network in between carries the packet flow. Each xTR is both an ETR and an ITR.]
ETR - Egress Tunnel Router
‒ Receives packets from core-facing interfaces
‒ De-encapsulates and delivers packets to local EIDs at the site
ITR - Ingress Tunnel Router
‒ Receives packets from site-facing interfaces
‒ Encapsulates to remote LISP sites, or natively forwards to non-LISP sites
LISP Operations: LISP Data Plane - Ingress/Egress Tunnel Router (xTR) - Configuration
[Figure: same two-site topology; Site 1 xTR RLOCs 10.0.0.2 and 11.0.0.2, Site 2 xTR RLOCs 12.0.0.2 and 13.0.0.2.]
Site 2 xTR configuration (IOS):
!
router lisp
 ! the site's locators as advertised to the mapping system; equal priority and
 ! weight means remote ITRs load-share across both xTRs
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 ! bind the site's PI EID-prefix to the locator-set (instance-id 0 = the global, non-virtualized table)
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ! the key is the shared secret that authenticates this site's Map-Registers;
 ! it must match the authentication-key configured for the site on the map-server
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
! default routes toward the providers (the MS/MR slide later shows the per-xTR variant: 12.0.0.1 or 13.0.0.1)
ip route 0.0.0.0 0.0.0.0 12.0.0.1
ip route 0.0.0.0 0.0.0.0 13.0.0.1
!
Identical config on both xTRs!
LISP Operations: LISP Data Plane - Unicast Packet Flow
[Figure: same two-site topology; Site 1 xTR RLOCs 10.0.0.2 and 11.0.0.2, Site 2 xTR RLOCs 12.0.0.2 and 13.0.0.2.]
DNS entry: D.abc.com AAAA 2001:db8:2::1
1. Host S resolves D.abc.com and sends an IPv6 packet 2001:db8:1::1 -> 2001:db8:2::1 toward its site's xTR.
2. The ITR (RLOC 11.0.0.2) receives the packet on a site-facing interface and looks up the destination EID in its map-cache.
3. Map-cache entry: EID-prefix 2001:db8:2::/48, locator-set 12.0.0.2 priority 1 weight 50 (D1), 13.0.0.2 priority 1 weight 50 (D2). This policy is controlled by the destination site.
4. The ITR encapsulates: outer header 11.0.0.2 -> 12.0.0.2, inner header 2001:db8:1::1 -> 2001:db8:2::1, and sends the packet into the IP network.
5. The core forwards on the outer (RLOC) header only: 11.0.0.2 -> 12.0.0.2.
6. The ETR (RLOC 12.0.0.2) receives the encapsulated packet on a core-facing interface and de-encapsulates it.
7. The ETR delivers the original packet 2001:db8:1::1 -> 2001:db8:2::1 to host D.
LISP Operations: LISP Control Plane - Introduction
LISP Control Plane Provides On-Demand Mappings
• The control plane is separate from the data plane (UDP 4342 vs. UDP 4341)
• Map-Resolver and Map-Server (similar to DNS resolver and DNS server)
• LISP control plane messages for EID-to-RLOC resolution
• Distributed databases and map-caches hold mappings
LISP Operations: LISP Control Plane - Map-Server/Map-Resolver (MS/MR)
[Figure: same two-site topology; Site 1 xTRs (RLOCs 10.0.0.2, 11.0.0.2) attach via provider B, Site 2 xTRs (RLOCs 12.0.0.2, 13.0.0.2) via provider D; the Mapping System (MR and MS) sits in the core.]
MR - Map-Resolver
‒ Receives Map-Requests from ITRs
‒ Forwards Map-Requests into the mapping system
‒ Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
MS - Map-Server
‒ LISP site ETRs register their EID-prefixes here; this requires a configured "lisp site" policy (the EID-prefixes the site is allowed to register) and an authentication key, and a Map-Register is accepted only if its HMAC validates against that key
‒ Receives Map-Requests via the mapping system and forwards them to the registered ETRs
LISP Operations: LISP Control Plane - Map-Cache and Mapping-Database
[Figure: same two-site topology with the Mapping System (MR/MS).]
LISP Map-Cache (ITR)
‒ Only stores mappings for sites to which the ITR is currently sending packets
‒ Populated by receiving Map-Replies from ETRs
‒ ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)
LISP Site Mapping-Database (ETR)
‒ EID-to-RLOC mappings in all ETRs for the local LISP site
‒ The ETR is "authoritative" for its EIDs and sends Map-Replies to ITRs
‒ ETRs can tailor policy based on the Map-Request source
LISP Operations: LISP Control Plane - Map-Registration Example
[Figure: same two-site topology; Mapping System (MR/MS) at 66.2.2.2.]
1. A Site 2 ETR (RLOC 12.0.0.2) sends a LISP Map-Register (UDP 4342) to the Map-Server: 12.0.0.2 -> 66.2.2.2, registering EID-prefix 2001:db8:2::/48 with locators 12.0.0.2 and 13.0.0.2. The message carries an HMAC (SHA-2) computed with the site's shared authentication key; the Map-Server verifies it against the key configured for that site before it accepts the prefix.
2. Other sites register the same way, each with its own key: ... -> 66.2.2.2, LISP Map-Register.
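The Map-Register exchange above, together with the map-server "site" policy it depends on, as an added Python example that is not code from the presentation or from Cisco: the ETR builds an RFC 6833-style Map-Register with an HMAC-SHA-256-128 tag over the whole message, and the map-server accepts it only if the prefix is configured for some site and the tag verifies with that site's key. The site table mirrors the Site-1/Site-2 stanzas on the MS/MR slide with their placeholder keys; the one-record message, the exact-match prefix policy and the record encoding details are this example's assumptions.

```python
"""Map-Register authentication between an ETR and a Map-Server (RFC 6833 layout).

Added example, not code from the presentation. Assumptions: one record per
message, HMAC-SHA-256-128 (key-id 2), and a registration policy that requires
the registered prefix to exactly match a prefix configured for the site.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

TYPE_MAP_REGISTER = 3
KEY_ID_HMAC_SHA256_128 = 2      # RFC 6833 key-id for HMAC-SHA-256-128
AUTH_LEN = 16                   # truncated tag length in bytes
HDR_LEN = 16                    # type/flags/count (4) + nonce (8) + key-id (2) + auth-len (2)


def _record(prefix, rlocs, ttl_minutes=1440):
    """EID-to-RLOC record: TTL, locator count, mask-len, ACT/A, map-version, AFI, EID, locators."""
    afi = 1 if prefix.version == 4 else 2
    rec = struct.pack("!IBBHHH", ttl_minutes, len(rlocs), prefix.prefixlen, 0, 0, afi)
    rec += prefix.network_address.packed
    for r in map(ipaddress.ip_address, rlocs):
        # priority 1, weight 50, multicast prio 255 / weight 0, flags L+R (local, reachable)
        rec += struct.pack("!BBBBHH", 1, 50, 255, 0, 0x0005, 1 if r.version == 4 else 2) + r.packed
    return rec


def build_map_register(key: bytes, prefix: str, rlocs, proxy_reply=False, nonce=b"") -> bytes:
    """ETR side: build a Map-Register and fill in the HMAC over the whole message."""
    nonce = nonce or os.urandom(8)
    first = (TYPE_MAP_REGISTER << 4) | (0x08 if proxy_reply else 0)     # P bit = proxy Map-Reply
    hdr = struct.pack("!BBBB", first, 0, 0, 1) + nonce                   # record count 1, M bit clear
    hdr += struct.pack("!HH", KEY_ID_HMAC_SHA256_128, AUTH_LEN) + b"\0" * AUTH_LEN
    msg = hdr + _record(ipaddress.ip_network(prefix), rlocs)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:AUTH_LEN]         # auth field is zero while hashing
    return msg[:HDR_LEN] + tag + msg[HDR_LEN + AUTH_LEN:]


def parse_map_register(msg: bytes):
    """Return (proxy_bit, nonce, key_id, tag, prefix, rlocs) of a one-record Map-Register."""
    if msg[0] >> 4 != TYPE_MAP_REGISTER:
        raise ValueError("not a Map-Register")
    proxy = bool(msg[0] & 0x08)
    nonce = msg[4:12]
    key_id, auth_len = struct.unpack("!HH", msg[12:16])
    tag = msg[HDR_LEN:HDR_LEN + auth_len]
    body = msg[HDR_LEN + auth_len:]
    _ttl, loc_count, mask_len, _, _, afi = struct.unpack("!IBBHHH", body[:12])
    eid_len = 4 if afi == 1 else 16
    prefix = ipaddress.ip_network(f"{ipaddress.ip_address(body[12:12 + eid_len])}/{mask_len}")
    rlocs, pos = [], 12 + eid_len
    for _ in range(loc_count):
        loc_afi = struct.unpack("!H", body[pos + 6:pos + 8])[0]
        loc_len = 4 if loc_afi == 1 else 16
        rlocs.append(str(ipaddress.ip_address(body[pos + 8:pos + 8 + loc_len])))
        pos += 8 + loc_len
    return proxy, nonce, key_id, tag, prefix, rlocs


class MapServer:
    """Map-Server with per-site policy: a shared key and the EID-prefixes the site may register."""

    def __init__(self, sites):
        # sites: name -> {"key": bytes, "eid_prefixes": [str, ...]}  (mirrors the 'site ...' config)
        self.sites = {n: {"key": s["key"],
                          "eid_prefixes": {ipaddress.ip_network(p) for p in s["eid_prefixes"]}}
                      for n, s in sites.items()}
        self.registrations = {}        # str(prefix) -> (site name, rlocs, proxy bit)

    def register(self, msg: bytes) -> str:
        proxy, _nonce, key_id, tag, prefix, rlocs = parse_map_register(msg)
        if key_id != KEY_ID_HMAC_SHA256_128 or len(tag) != AUTH_LEN:
            return "rejected: unsupported key-id"
        zeroed = msg[:HDR_LEN] + b"\0" * AUTH_LEN + msg[HDR_LEN + AUTH_LEN:]
        for name, site in self.sites.items():
            if prefix not in site["eid_prefixes"]:
                continue                                   # policy: exact prefix match only
            expected = hmac.new(site["key"], zeroed, hashlib.sha256).digest()[:AUTH_LEN]
            if not hmac.compare_digest(expected, tag):     # constant-time comparison
                return f"rejected: bad HMAC for site {name}"
            self.registrations[str(prefix)] = (name, rlocs, proxy)
            return f"registered {prefix} for site {name} via {rlocs}"
        return f"rejected: {prefix} not configured for any site"
```

The policy check runs before the HMAC check so that a valid Site-1 key cannot register Site-2's prefix: a key only ever authorizes the prefixes listed under its own site, which is the property the per-site "authentication-key" / "eid-prefix" pairing on the MS/MR slide is there to give.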
LISP Operations: LISP Control Plane - Map-Request/Map-Reply Example
[Figure: same two-site topology; Mapping System (MR/MS) at 66.2.2.2.]
DNS entry: D.abc.com AAAA 2001:db8:2::1
1. Host S at Site 1 sends 2001:db8:1::1 -> 2001:db8:2::1 toward its xTR.
2. The ITR (RLOC 11.0.0.2) asks: is 2001:db8:2::1 a LISP destination? There is no map-cache entry yet, so it must query the mapping system.
3. ITR -> MR: 11.0.0.2 -> 66.2.2.2, a LISP Encapsulated Control Message (ECM, UDP 4342) carrying a Map-Request for 2001:db8:2::1. The Map-Request names the requesting ITR's RLOC (11.0.0.2) and a freshly generated nonce.
4. MS -> ETR: 66.2.2.2 -> 12.0.0.2, the ECM-forwarded Map-Request (UDP 4342, same nonce); the Map-Server knows that 2001:db8:2::/48 was registered by the Site 2 ETRs.
5. ETR -> ITR: 12.0.0.2 -> 11.0.0.2, a Map-Reply (UDP 4342) carrying the nonce, a TTL and the mapping 2001:db8:2::/48 -> 12.0.0.2 [priority 1, weight 50], 13.0.0.2 [priority 1, weight 50]. The reply goes directly from the ETR to the ITR, not back through the mapping system.
6. The ITR installs the map-cache entry: EID-prefix 2001:db8:2::/48, locator-set 12.0.0.2 priority 1 weight 50 (D1), 13.0.0.2 priority 1 weight 50 (D2).
The nonce is the ITR's check that a Map-Reply answers a request it actually sent; a reply with an unknown nonce is discarded, which blocks blind injection of bogus mappings but does not authenticate the replying ETR (that is what LISP-SEC adds to the control plane).
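The ITR side of this exchange together with the map-cache rules from the previous slides (TTL, RLOC up/down status, priorities and weights), as an added Python example that is not code from the presentation or from Cisco: the ITR remembers the nonce of each outstanding Map-Request and installs only a Map-Reply that answers it, keeps one table per Instance-ID, expires entries by TTL, treats a negative entry as native-forward, and picks a locator by lowest priority and then weight with a per-flow hash. The addresses are the Site 1 / Site 2 values from the slides; the flow hash, the injected clock and the dictionary layout of an entry are this example's choices.

```python
"""ITR map-cache: nonce-checked Map-Reply acceptance, TTL expiry, negative entries,
one table per Instance-ID and priority/weight locator selection.

Added example, not code from the presentation. The flow-hash function, the
injected clock and the entry layout are this example's choices.
"""
import hashlib
import ipaddress
import os
import time


class MapCache:
    NATIVE_FORWARD = "native-forward"   # action for a negative entry (non-LISP destination)

    def __init__(self, now=time.time):
        self.now = now
        self.tables = {}                # iid -> {ip_network: entry}
        self.pending = {}               # nonce -> (iid, requested EID)

    def map_request(self, iid: int, eid: str) -> bytes:
        """Remember an outstanding Map-Request; returns the 64-bit nonce it carries."""
        nonce = os.urandom(8)
        self.pending[nonce] = (iid, ipaddress.ip_address(eid))
        return nonce

    def map_reply(self, nonce: bytes, iid: int, prefix: str, rlocs, ttl_min: int) -> bool:
        """Install a mapping only if the reply answers an outstanding request."""
        req = self.pending.get(nonce)
        net = ipaddress.ip_network(prefix)
        if req is None or req[0] != iid or req[1] not in net:
            return False                # unsolicited, replayed, wrong instance or off-target: dropped
        del self.pending[nonce]
        self.tables.setdefault(iid, {})[net] = {
            "expires": self.now() + ttl_min * 60,
            "rlocs": [dict(r) for r in rlocs],   # each: rloc, priority, weight, up
        }
        return True

    def add_negative(self, iid: int, prefix: str, ttl_min=15):
        """Negative entry (e.g. from a Negative Map-Reply): forward natively, do not encapsulate."""
        self.tables.setdefault(iid, {})[ipaddress.ip_network(prefix)] = {
            "expires": self.now() + ttl_min * 60, "rlocs": None}

    def lookup(self, iid: int, eid: str):
        """Longest-prefix match within the instance's own table, honouring the TTL."""
        addr = ipaddress.ip_address(eid)
        table = self.tables.get(iid, {})
        hits = [net for net in table if addr in net]
        if not hits:
            return None                 # miss: the ITR must send a Map-Request
        net = max(hits, key=lambda n: n.prefixlen)
        if table[net]["expires"] <= self.now():
            del table[net]              # TTL elapsed: re-resolve
            return None
        return table[net]

    @staticmethod
    def select_rloc(entry, flow):
        """Lowest priority wins; among equals, weight-proportional choice with a stable flow hash."""
        if entry["rlocs"] is None:
            return MapCache.NATIVE_FORWARD
        up = [r for r in entry["rlocs"] if r.get("up", True)]
        if not up:
            return None                 # every locator down: drop
        best = min(r["priority"] for r in up)
        cands = [r for r in up if r["priority"] == best]
        total = sum(r["weight"] for r in cands)
        if total == 0:
            return cands[0]["rloc"]
        h = int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:4], "big") % total
        for r in cands:
            h -= r["weight"]
            if h < 0:
                return r["rloc"]
        return cands[-1]["rloc"]
```

Keying the cache by (Instance-ID, prefix) is what lets the virtualization slides later in this deck reuse 192.168.12.0/24 in three department VRFs: a lookup in IID 2 never sees an entry learned for IID 1.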
LISP Operations: LISP Control Plane - Proxy Map-Reply Example
[Figure: same two-site topology; Mapping System (MR/MS) at 66.2.2.2.]
1. A Site 2 ETR (12.0.0.2) sends its LISP Map-Register (UDP 4342, SHA-2 HMAC) to 66.2.2.2 with the Proxy bit set: EID-prefix 2001:db8:2::/48, locators 12.0.0.2 and 13.0.0.2.
2. The Site 1 ITR (11.0.0.2) sends its Map-Request for 2001:db8:2::1 (ITR RLOC 11.0.0.2, nonce) inside a LISP ECM (UDP 4342) to the MR at 66.2.2.2.
3. Because the registration carried the Proxy bit, the Map-Server answers on the ETR's behalf: 66.2.2.2 -> 11.0.0.2, Map-Reply (UDP 4342) with the matching nonce, a TTL and the mapping 2001:db8:2::/48 -> 12.0.0.2 [1, 50], 13.0.0.2 [1, 50]. The Map-Request is not forwarded to the ETR.
4. The ITR installs the map-cache entry: EID-prefix 2001:db8:2::/48, locator-set 12.0.0.2 priority 1 weight 50 (D1), 13.0.0.2 priority 1 weight 50 (D2).
With proxy replies the ETR gives up the ability to tailor its Map-Reply to the requester (previous slides): every ITR receives the locator-set exactly as it was registered.
LISP Operations: LISP Control Plane - Map-Server/Map-Resolver (MS/MR) - Configuration
[Figure: same two-site topology; Site 1 attached via provider B; MS/MR at 66.2.2.2.]
Map-Server/Map-Resolver configuration (66.2.2.2):
!
router lisp
 ! one "site" stanza per LISP site: the shared key validates the site's Map-Registers,
 ! the eid-prefix list is the registration policy (what the site is allowed to register)
 site Site-1
  authentication-key S3cr3t-1
  eid-prefix 2001:db8:1::/48
  exit
 !
 site Site-2
  authentication-key S3cr3t-2
  eid-prefix 2001:db8:2::/48
  exit
 !
 ! ... continued, more LISP site configs
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
Site 2 xTR configuration (the same xTR configuration shown earlier):
!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ! must match the Site-2 authentication-key on the map-server above
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1 on the other xTR)
!
Use a distinct key per site: whoever holds a site's key can register arbitrary locators for that site's EID-prefixes and so redirect the site's inbound traffic.
LISP Operations: LISP Internetworking - Day-One Incremental Deployment
Early recognition
‒ Up-front recognition of an incremental deployment plan
‒ LISP will not be widely deployed day one
Interworking for:
‒ LISP sites to non-LISP sites (e.g. the rest of the Internet)
‒ Non-LISP sites to LISP sites
Proxy-ITR/Proxy-ETR are deployed today
‒ Infrastructure LISP network entity
‒ Creates a monetized service opportunity for infrastructure players
LISP Overview: LISP - A Routing Architecture, Not a Feature
An over-the-top technology
• Address family agnostic
• Incrementally deployable
• End systems can be unaware of LISP
Deployment simplicity
• No host changes
• Minimal CPE changes
• Some new core infrastructure components
Enables IP number portability
• Never change host IPs; no renumbering costs
• No DNS changes; "name == EID" binding
• Session survivability
An open standard
• Being developed in the IETF (RFC 6830-6836)
• No Cisco intellectual property rights
Uses pull vs. push routing
• OSPF and BGP are push models; routing is stored in the forwarding plane
• LISP is a pull model, analogous to DNS; massively scalable
LISP use cases are complementary
• Simplified multi-homing with ingress traffic engineering; no need for BGP
• Address family agnostic support
• Virtualization support
• End-host mobility without renumbering
LISP Use Cases
IPv6 Transition Support
• v6-over-v4, v6-over-v6
• v4-over-v6, v4-over-v4
[Figure: an IPv6 site reaches IPv6 services across the IPv4 Internet through LISP routers at both ends.]
VM-Mobility
• Cloud / Layer 3 VM moves
• Segmentation
[Figure: VM a.b.c.1 moves from Data Center 1 to Data Center 2 and keeps its address; the LISP routers update its locator.]
VPNs and Segmentation
• Over-the-top
• Multi-tenancy
[Figure: HQ LISP site, data center and user network connected over the Internet to many (up to 10k) remote LISP sites.]
Efficient Multi-Homing
• IP portability
• Ingress traffic engineering without BGP
[Figure: a LISP site with two LISP routers multi-homed to the Internet.]
LISP and IPv6 Transition Support: LISP and MPLS Integration
1: Existing IPv4 MPLS VPN
[Figure: SP MPLS core carrying the Blue MPLS-VPN; PE1-PE4; Blue Site 1, 2 and 3 attach through CE1, CE2 and CE3 over IPv4 PE-CE links; each site runs an IGP internally and eBGP to its PE.]
PE2#show ip route vrf BLUE
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
B       10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
Customer prefixes 10.x (these will become EIDs!); PE-CE links 12.x (these will become RLOCs!).
CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
---<more>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#
Customer prefixes (EIDs!): the local site's from the IGP, the remote sites' via eBGP through the VPN. PE-CE links (RLOCs!) also arrive via eBGP.
LISP and IPv6 Transition Support: LISP and MPLS Integration
1: Existing IPv4 MPLS VPN - Add LISP!
[Figure: same Blue MPLS-VPN; each CE becomes a LISP xTR, and one of them also hosts the MS/MR. On the eBGP session to the PE an outbound route-map now denies the site's EID prefixes (✗ route-map deny EIDs out), so only the PE-CE link prefixes, the RLOCs, remain in the MPLS VPN.]
LISP and IPv6 Transition Support: LISP and MPLS Integration
1: Existing IPv4 MPLS VPN - Add LISP! (result)
[Figure: same topology with xTRs and MS/MR; ✗ route-map deny EIDs out on each CE-PE eBGP session.]
PE2#show ip route vrf BLUE
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.0/30 is directly connected, Ethernet1/0
L       12.1.0.1/32 is directly connected, Ethernet1/0
---<more>---
PE2#
Only the PE-CE links (RLOCs!) remain in the provider's VRF; the customer EID prefixes have left the MPLS VPN.
CE1#show ip route
---<skip>---
     10.0.0.0/8 is subnetted, 9 subnets
O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
---<skip>---
     12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       12.1.0.2/30 is directly connected, Ethernet0/0
B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
---<more>---
CE1#
CE1 still holds this site's prefixes (EIDs!) from its IGP and the PE-CE links (RLOCs!) via eBGP; the remote sites' EIDs are no longer in its routing table and are resolved through the LISP mapping system instead.
LISP and IPv6 Transition Support: LISP and MPLS Integration
2: Add IPv6 over the IPv4 MPLS VPN with LISP
[Figure: same topology; the sites now also carry IPv6 (IPv6 EIDs!) while the PE-CE links and the MPLS VPN stay IPv4-only; ✗ route-map deny EIDs out.]
PE2#show ipv6 route vrf Blue
% Specified IPv6 routing table does not exist
PE2#
IPv6 is not enabled in the provider's VPN: the IPv6 EIDs travel inside IPv4 LISP encapsulation between the xTRs.
CE1#show run | begin router lisp
---<skip>---
router lisp
 ! this site's IPv6 EID-prefix, bound to the IPv4 RLOC (CE1's own PE-CE address)
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100
  exit
 !
 ! 12.1.0.2 is CE1 itself: in this lab CE1 also hosts the MS/MR
 ipv6 itr map-resolver 12.1.0.2
 ipv6 itr
 ipv6 etr map-server 12.1.0.2 key ce1-xtr
 ipv6 etr
 exit
!
---<more>---
CE1#
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add LISP Virtualization
[Figure: same Blue MPLS-VPN topology with xTRs and MS/MR; ✗ route-map deny EIDs out; a departmental VRF-A now exists at Site 1, Site 2 and Site 3.]
Let's say that the enterprise wants departmental segmentation inside their network...
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add LISP Virtualization (configuration)
[Figure: same topology; a second "Purple" MPLS-VPN is drawn for contrast: with LISP the enterprise does not need it, VRF-A at Sites 1-3 rides over the single Blue VPN.]
There's no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!
Virtualized!
CE1#show run | begin router lisp
---<skip>---
router lisp
 ! global table: instance-id 0
 eid-table default instance-id 0
  database-mapping 2001:db8:a:a::/64 12.1.0.2 pri 1 wei 100
  exit
 !
 ! departmental VRF-A is bound to instance-id 1; its EIDs share the same RLOC
 eid-table vrf VRF-A instance-id 1
  database-mapping 10.1.1.0/24 12.1.0.2 pri 1 wei 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 12.1.0.2
 ipv4 etr map-server 12.1.0.2 key ******
 ipv6 itr
 ipv6 etr
 ipv6 itr map-resolver 12.1.0.2
 ipv6 etr map-server 12.1.0.2 key ******
 exit
!
LISP VPN/Virtualization: LISP and MPLS Integration
3: Add LISP Virtualization (verification)
[Figure: same topology as the previous slide.]
CE1#ping 10.3.1.1 source 10.1.1.1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 2/3/2 ms
CE1#
The first two echoes are lost while the map-cache miss is being resolved (Map-Request/Map-Reply); once the mapping is installed the remaining echoes succeed.
CE1#show ip lisp map-cache instance-id 1
LISP IPv4 Mapping Cache for EID-table vrf VRF-A (IID 1), 2 entries
0.0.0.0/0, uptime: 00:11:15, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.3.1.0/24, uptime: 00:01:49, expires: 23:58:14, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  12.3.1.2  00:01:49  up     1/100
---<more>---
CE1#
The 10.3.1.0/24 entry was learned by Map-Reply and expires with the TTL carried in that reply (24 hours here); the 0.0.0.0/0 entry is the static default whose action is to send a Map-Request for any destination not yet in the instance-1 cache.
LISP Virtualization/VPNs: LISP Virtualization Support - Concepts
Virtualization at the DEVICE level: Virtual Routing and Forwarding (VRF) tables segment Layer 3 routing tables
‒ VRFs are used to virtualize the component resources
‒ Virtualization keeps the traffic of different networks in separate tables and so widens the security policy options
Virtualization at the PATH level: VRFs assist in path isolation
‒ Single-hop (hop-by-hop): 802.1Q, DLCI, VPI/VCI, pseudowires, EVN
‒ Multi-hop (over-the-top): GRE, MPLS, LISP
[Figure: VRF-1, VRF-2 and the global IP table on a device, each extended across the path by one of the technologies above.]
LISP Virtualization/VPNs: LISP Virtualization Support - Concepts
Recalling that LISP is "Locator/ID" separation and creates two namespaces, EIDs and RLOCs: LISP can virtualize the EID namespace, the RLOC namespace, or both.
EID virtualization uses LISP Instance-IDs in conjunction with EID VRFs
‒ Instance-IDs maintain address space segmentation in the control plane and in the data plane
‒ Instance-IDs are numerical tags defined in the LISP Canonical Address Format (LCAF)
• IID: a 24-bit unstructured number
• Data plane: the IID is carried in the LISP encapsulation header
• Control plane: the IID is encoded together with the EID in an LCAF address
LISP Virtualization/VPNs: LISP Virtualization Support - Concepts
Default (non-virtualized) model, at the device level
• Conceptually, the default model is just a single instance of the parallel model
• All EID lookups are in the same single table (default)
• Thus, EIDs are associated with Instance-ID 0
• All RLOC lookups are in a single table (default)
• The mapping system is part of the locator address space
[Figure: one EID namespace (default table, IID 0) facing the site (direct connect, IGP, etc.; the site side may itself connect to VPNs over MPLS, 802.1Q, VRF-Lite, or separate networks) and one shared RLOC namespace (default table or RLOC VRF) facing the core.]
LISP Virtualization/VPNs: LISP Virtualization Support - Concepts
Shared model, at the device level
• Multiple EID-prefixes are allocated privately using VRFs
• EID lookups are in the VRF associated with an Instance-ID
• All RLOC lookups are in a single table (default/global or RLOC VRF)
• The mapping system is part of the locator address space and is shared
[Figure: EID namespaces VRF Pink (IID 1), VRF Blue (IID 2) and Default, each facing its own VPN (MPLS, 802.1Q, VRF-Lite, or separate networks); a single shared RLOC namespace (default table or RLOC VRF) facing the core.]
LISP VPN/Virtualization: LISP Virtualization Support - Concepts
All VPNs share a set of common requirements
1. Encapsulation:
‒ Virtualization
• EID prefix virtualization, tied to EID VRFs
• Locators can be virtualized too
2. Site-to-site routing:
‒ Spoke-to-spoke connectivity
‒ Optional local Internet offload (split tunnel)
‒ No IGP required to branch sites!
3. Security: built-in and add-on
‒ Built-in control plane mechanisms: HMAC-authenticated Map-Registers and nonce-matched Map-Request/Map-Reply exchanges
‒ LISP works with any crypto scheme; locators or EIDs can be encrypted
‒ LISP-SEC for control plane security
‒ The LISP data plane itself carries neither encryption nor integrity protection, so confidentiality between sites is an add-on (GETVPN in the following slides)
LISP VPN/Virtualization: LISP Virtualization Support - Concepts
LISP: inherently scalable and virtualized, rapidly deployable
Scalability (# of VPN sites): unconstrained
• No protocol constraint
• 100K concurrent site connections
VPN site-to-site routing: unnecessary
• No site-to-site routing required
• No VPN route injection into the core
• LISP / non-LISP site interworking through a PxTR
Secure segmentation: 24-bit Instance-ID with VRF
• 16M unique VPN classifiers
• Used for the LISP control plane and data plane
• Optional data plane encryption with GETVPN
Performance: optimal path (P2P), load balancing
• Shortest path between LISP sites
• Equal-cost / unequal-cost load balancing
Note that an Instance-ID is a forwarding-table selector, not a cryptographic boundary: it travels in cleartext in the LISP header and is not authenticated, which is why the GETVPN option is listed for segments that need confidentiality or integrity across the core.
LISP VPN/Virtualization: LISP Virtualization Support - Overview
[Figure: Location X and Location Y, each with Group A, B, C ... N networks and devices behind a CE device acting as xTR and GETVPN group member (GM); the two locations connect over an MPLS core carrying a single MPLS VPN, with SP1 and SP2 as providers.]
No need for multiple MPLS VRFs for traffic segmentation
• LISP encapsulates all traffic into the "RLOC namespace"
• LISP Instance-IDs (IIDs) provide segmentation
Customer networks
• IPv4, IPv6
• LISP Instance-IDs (IIDs) provide segmentation
• Add GETVPN for encryption, per customer (simple!)
Core network access flexibility
• One or multiple WAN connections
• One or multiple CE devices
• IPv4 and/or IPv6
• Multiple SP cores
Everything "just works" with LISP
LISP VPN/Virtualization: LISP Virtualization Support - Overview
[Figure: the same two-location topology. Inside each CE/xTR, enterprise-internal networks segmented by physical, Layer 2 or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks) map to EID VRFs with their Instance-IDs (e.g. VRF-B, IID 2) and to one LISP interface per instance (LISP0.1, LISP0.2, LISP0.3), while the Default table provides the single RLOC namespace (default table or RLOC VRF) toward the IPv4 or IPv6 core.]
LISP VPN/Virtualization
Say we want to build this...
‒ Three VRFs, IPv4 and IPv6
‒ HQ multihomed, two CPE
‒ Remote multihomed, one CPE
‒ Remote single-homed, DHCP
‒ Add encryption
[Figure: IPv4 core; HQ with two xTRs that are also MS/MR and GETVPN group members (GM), plus two GETVPN key servers (KS); Site 1, Site 2 and Site 3 each with an xTR/GM; VRF DeptA (IID 1), VRF DeptB (IID 2) and VRF DeptC (IID 3) at every site.]
LISP VPN/Virtualization
How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption
[Figure: same target topology as the previous slide.]
LISP VPN/Virtualization
1. Build the underlay (RLOCs)
[Figure: same target topology.]
HQ1 xTR/MSMR/GM
!
hostname HQ1
!
interface Ethernet0/0
 ip address 10.0.14.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.14.1
!
Remote2 xTR/GM
!
hostname Remote2
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.252
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.252
!
! two default routes: Remote2 is multihomed through both WAN links
ip route 0.0.0.0 0.0.0.0 10.2.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
Examples:
• Normal IP routing
• Nothing to do with LISP!
All other sites are similar.
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
[Figure: same target topology.]
Remote2 xTR/GM
!
router lisp
 ! both WAN addresses are locators; equal priority/weight = load sharing
 locator-set Site2
  10.2.1.2 priority 1 weight 50
  10.2.2.2 priority 1 weight 50
  exit
 !
 ! global table (IID 0): the router's own loopback EID
 eid-table default instance-id 0
  database-mapping 192.168.255.12/32 locator-set Site2
  exit
 !
 ! each department VRF is bound to its own instance-id; the IPv4 prefix 192.168.12.0/24
 ! is reused in all three, which works because lookups are keyed by (IID, prefix)
 eid-table vrf DeptA instance-id 1
  database-mapping 192.168.12.0/24 locator-set Site2
  database-mapping 1:1:12::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptB instance-id 2
  database-mapping 192.168.12.0/24 locator-set Site2
  database-mapping 2:2:12::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptC instance-id 3
  database-mapping 192.168.12.0/24 locator-set Site2
  database-mapping 3:3:12::/64 locator-set Site2
  exit
 !
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
[Figure: same target topology.]
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
Remote2 xTR/GM
! continued: LISP control plane
!
 ! two map-resolvers/map-servers (HQ1 and HQ2) for redundancy
 ipv4 itr map-resolver 10.0.14.2
 ipv4 itr map-resolver 10.0.15.2
 ipv4 itr
 ! site2-pswd must match the Site2 authentication-key on both map-servers;
 ! whoever holds it can register locators for Site 2's prefixes, so keep it per site
 ipv4 etr map-server 10.0.14.2 key site2-pswd
 ipv4 etr map-server 10.0.15.2 key site2-pswd
 ipv4 etr
 ipv6 itr map-resolver 10.0.14.2
 ipv6 itr map-resolver 10.0.15.2
 ipv6 itr
 ipv6 etr map-server 10.0.14.2 key site2-pswd
 ipv6 etr map-server 10.0.15.2 key site2-pswd
 ipv6 etr
 exit
!
(The "ipv6 map-server" and "ipv6 map-resolver" lines on the original slide belong on the HQ MS/MR routers, not on a remote xTR, and are omitted here.)
All other sites are similar.
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
[Figure: same target topology.]
Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs
HQ2 xTR/MSMR/GM - Map-Server config
router lisp
 !
 ! registration policy for the HQ site: prefixes without an instance-id are IID 0,
 ! the rest are listed per instance-id
 site HQ
  authentication-key hq-pswd
  eid-prefix 192.168.18.0/24
  eid-prefix 192.168.19.0/24
  eid-prefix 192.168.255.14/32
  eid-prefix 192.168.255.15/32
  eid-prefix instance-id 1 192.168.14.0/24
  eid-prefix instance-id 1 1:1:14::/64
  eid-prefix instance-id 2 192.168.14.0/24
  eid-prefix instance-id 2 2:2:14::/64
  eid-prefix instance-id 3 192.168.14.0/24
  eid-prefix instance-id 3 3:3:14::/64
  exit
 !
 site Site1
  authentication-key site1-pswd
  eid-prefix 192.168.255.11/32
  eid-prefix instance-id 1 192.168.11.0/24
  eid-prefix instance-id 1 1:1:11::/64
  eid-prefix instance-id 2 192.168.11.0/24
  eid-prefix instance-id 2 2:2:11::/64
  eid-prefix instance-id 3 192.168.11.0/24
  eid-prefix instance-id 3 3:3:11::/64
  exit
 !
---<etc.>---
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
IPv4 Core
xTR
GM xTR
GM
xTR
GM
xTR
GM MSMR MSMR
xTR
GM
KS KS
HQ VRF DeptC, IID 3
VRF DeptB, IID 2
VRF DeptA, IID 1
Site 1 Site 2
Site 3
Examples: • Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification on HQ2 xTR/MSMR/GM:
HQ2#show lisp site
LISP Site Registration Information
Site Name   Last Register   Up    Who Last Registered   Inst ID   EID Prefix
HQ          00:00:46        yes   10.0.14.2             0         192.168.18.0/24
            00:00:05        yes   10.0.15.2             0         192.168.19.0/24
            00:00:46        yes   10.0.14.2             0         192.168.255.14/32
            00:00:05        yes   10.0.15.2             0         192.168.255.15/32
            00:00:09        yes   10.0.14.2             1         192.168.14.0/24
            00:00:56        yes   10.0.14.2             1         1:1:14::/64
            00:00:32        yes   10.0.15.2             2         192.168.14.0/24
            00:00:23        yes   10.0.15.2             2         2:2:14::/64
            00:00:54        yes   10.0.15.2             3         192.168.14.0/24
            00:00:43        yes   10.0.14.2             3         3:3:14::/64
Site1       00:00:07        yes   10.0.11.2             0         192.168.255.11/32
            00:00:16        yes   10.0.11.2             1         192.168.11.0/24
            00:00:42        yes   10.0.11.2             1         1:1:11::/64
            00:00:32        yes   10.0.11.2             2         192.168.11.0/24
            00:00:41        yes   10.0.11.2             2         2:2:11::/64
---<etc.>---
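Reading the registration table by eye works for two sites; for a real deployment the check worth automating is whether every EID prefix the map-server is configured to accept for a site has actually been registered, is up, and whether anything registered falls outside the site's configured prefixes. The following script is an added example, not Cisco code or output from the deck: it assumes the `router lisp` site syntax and the `show lisp site` column layout shown above, and both sample texts are constructed from the slides with deliberate discrepancies (a missing instance-id 3 registration, a down prefix, and an unexpected prefix) for the audit to find.

```python
"""Cross-check LISP map-server site config against 'show lisp site' output.
Added example, not Cisco code; sample texts are constructed from the slides."""
import re
from collections import defaultdict

SITE_RE = re.compile(r"^\s*site\s+(\S+)\s*$")
EID_RE = re.compile(r"^\s*eid-prefix(?:\s+instance-id\s+(\d+))?\s+(\S+)\s*$")

# Constructed sample (abbreviated from the slide's HQ and Site1 blocks).
SITE_CONFIG = """\
router lisp
 site HQ
  authentication-key hq-pswd
  eid-prefix 192.168.18.0/24
  eid-prefix 192.168.19.0/24
  eid-prefix 192.168.255.14/32
  eid-prefix 192.168.255.15/32
  eid-prefix instance-id 1 192.168.14.0/24
  eid-prefix instance-id 1 1:1:14::/64
  exit
 site Site1
  authentication-key site1-pswd
  eid-prefix 192.168.255.11/32
  eid-prefix instance-id 1 192.168.11.0/24
  eid-prefix instance-id 1 1:1:11::/64
  eid-prefix instance-id 3 192.168.11.0/24
  eid-prefix instance-id 3 3:3:11::/64
  exit
"""

# Constructed sample: Site1's instance-id 3 prefixes never registered, one HQ
# prefix is registered but down, and Site1 registers a prefix its block omits.
SHOW_LISP_SITE = """\
LISP Site Registration Information

Site Name      Last      Up   Who Last        Inst  EID Prefix
               Register       Registered      ID
HQ             00:00:46  yes  10.0.14.2       0     192.168.18.0/24
               00:00:05  yes  10.0.15.2       0     192.168.19.0/24
               00:00:46  yes  10.0.14.2       0     192.168.255.14/32
               00:10:05  no   10.0.15.2       0     192.168.255.15/32
               00:00:09  yes  10.0.14.2       1     192.168.14.0/24
               00:00:56  yes  10.0.14.2       1     1:1:14::/64
Site1          00:00:07  yes  10.0.11.2       0     192.168.255.11/32
               00:00:16  yes  10.0.11.2       1     192.168.11.0/24
               00:00:42  yes  10.0.11.2       1     1:1:11::/64
               00:00:12  yes  10.0.11.2       1     192.168.12.0/24
"""


def parse_site_config(text):
    """{site: {(instance_id, prefix)}}; prefixes without instance-id are IID 0."""
    sites, current = defaultdict(set), None
    for line in text.splitlines():
        m = SITE_RE.match(line)
        if m:
            current = m.group(1)
            sites[current]  # a site with no prefixes still appears in the result
            continue
        m = EID_RE.match(line)
        if m and current is not None:
            sites[current].add((int(m.group(1) or 0), m.group(2)))
    return dict(sites)


def parse_show_lisp_site(text):
    """{site: {(instance_id, prefix): (is_up, registrant)}}.
    A row starting in column 0 names a site; indented rows continue it."""
    regs, current = defaultdict(dict), None
    for line in text.splitlines():
        tok = line.split()
        # Data rows end with '<inst-id> <prefix>'; banner and header rows do not.
        if len(tok) < 5 or "/" not in tok[-1] or not tok[-2].isdigit():
            continue
        if not line[0].isspace():
            current, tok = tok[0], tok[1:]
        if current is None or len(tok) != 5:
            continue
        _last, up, who, iid, prefix = tok
        regs[current][(int(iid), prefix)] = (up == "yes", who)
    return dict(regs)


def audit_registrations(config, regs):
    """Return {'missing'|'unexpected'|'down': {site: set of (iid, prefix)}}."""
    report = {"missing": {}, "unexpected": {}, "down": {}}
    for site, expected in config.items():
        seen = regs.get(site, {})
        findings = (("missing", expected - set(seen)),
                    ("unexpected", set(seen) - expected),
                    ("down", {k for k, (is_up, _) in seen.items() if not is_up}))
        for kind, value in findings:
            if value:
                report[kind][site] = value
    for site in set(regs) - set(config):  # registrations from unknown sites
        report["unexpected"][site] = set(regs[site])
    return report


def run_audit():
    """Audit the constructed samples above."""
    return audit_registrations(parse_site_config(SITE_CONFIG),
                               parse_show_lisp_site(SHOW_LISP_SITE))


if __name__ == "__main__":
    for kind, sites in run_audit().items():
        for site, prefixes in sites.items():
            print(f"{kind:10} {site}: {sorted(prefixes)}")
```

Run against real devices by pasting the map-server's running configuration and `show lisp site` output into the two strings; a prefix in "unexpected" means the device's view and the configuration you hold have diverged, which is exactly the drift a periodic check should catch.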
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
Examples: • Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification on Site3, EID to EID (IPv4, VRF DeptC):
Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptC
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
Examples: • Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification on Site3, EID to EID (IPv4 map-cache, VRF DeptC):
Site3#show ip lisp map-cache instance-id 3
LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
---<skip>---
192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:01:38  up     1/50
  10.0.15.2  00:01:38  up     1/50
---<skip>---
Site3#
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
Examples: • Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification on Site3, EID to EID (IPv6, VRF DeptA):
Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
Packet sent with a source address of 1:1:13::1%DeptA
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3#
LISP VPN/Virtualization
2. Add the LISP overlay (EIDs)
Examples: • Bind VRFs to IIDs
• Bind EIDs to RLOCs
Verification on Site3, EID to EID (IPv6 map-cache, VRF DeptA):
Site3#show ipv6 lisp map-cache instance-id 1
LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
---<skip>---
1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:00:33  up     1/50
  10.0.15.2  00:00:33  up     1/50
---<skip>---
Site3#
Adding Encryption to LISP using GETVPN
LISP Virtualization/VPNs: LISP Virtualization with GETVPN
Why GET VPN? GET VPN provides:
• Large scale any-to-any connectivity
• Native routing without tunnel overlay
• Optimal for QoS & Multicast support
• Flexible span of control between enterprise and service provider
• Centralized policy distribution
• Transport agnostic: Private WAN, FR/ATM, IP, MPLS
LISP Virtualization/VPNs: LISP Virtualization with encryption
Group Domain of Interpretation (GDOI) RFC 6407 – adding encryption
[Figure: a Key Server distributing the Group Policy, the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK) to the Group Members across the routing domain]
Group Member
• Encryption Devices
• Route Between Secure / Unsecure Regions
• Multicast Participation
Key Server
• Validate Group Members
• Manage Security Policy
• Create Group Keys
• Distribute Policy / Keys
GET VPN / GDOI
• RFC 6407
• “Stateless” IPsec
• Traffic encryption keys computed on Key Server, distributed to all Group Members
• Better scaling than vanilla IPsec
LISP Virtualization/VPNs: LISP Virtualization with GETVPN
LISP and encryption (IOS)
• Recalling that LISP is “Locator/ID” separation and creates two namespaces: EIDs and RLOCs
• LISP provides two ways to apply a crypto map

Use-Case              Crypto map on   Vanilla IPsec   GETVPN   Comments
LISP Default Model    RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
LISP Default Model    LISP0           ✔               ✔        Encryption first based on EID, then LISP encap
LISP Virtualization   RLOC            ✔               ✔        LISP encap first, then encryption based on RLOC
LISP Virtualization   LISP0.x         ✔               ✔        Encryption first based on EID, then LISP encap

See lisp.cisco.com for the GETVPN+LISP Configuration Guide!
LISP Virtualization/VPNs: LISP Virtualization with GETVPN
LISP provides two ways to apply a crypto map, resulting in different packet outcomes:
• LISP0 :: Encryption, and then LISP processing
• RLOC :: LISP processing, and then encryption
[Figure: packet formats for an ICMP echo (IP protocol 1, type 8 code 0) between hosts, carried over LISP (UDP, protocol 17, destination port 4341; 8-byte UDP header plus 8-byte LISP header) and protected by GETVPN ESP (protocol 50, with the original IPv4 header preserved in front of the ESP SPI). Header sizes in bytes: IP 20, UDP 8, LISP 8.
GETVPN + LISP, crypto map on LISP0: Host IP Hdr (proto 50) | ESP SPI | Host IP Hdr (proto 1) | ICMP Hdr | Payload | ESP trailer, the whole then LISP-encapsulated behind ITR IP Hdr (proto 17) | UDP Hdr (LISP) | LISP Hdr.
LISP + GETVPN, crypto map on RLOC: ITR IP Hdr (proto 17) | UDP Hdr (LISP) | LISP Hdr | Host IP Hdr (proto 1) | ICMP Hdr | Payload, the whole then ESP-protected behind ITR IP Hdr (proto 50) | ESP SPI, with the ESP trailer at the end.]
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Key Servers
• Nothing to do with LISP!
Redundant Key Server identical!
KS1
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile GDOI-PROFILE
set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-0001
identity number 10001
server local
rekey retransmit 60 number 2
rekey authentication mypubkey rsa GET-KEYS1
rekey transport unicast
sa ipsec 1
profile GDOI-PROFILE
match address ipv4 GETVPN-0001
replay time window-size 5
address ipv4 192.168.18.2
redundancy
local priority 100
peer address ipv4 192.168.19.2
!
---<cont.>---
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Key Servers
• Nothing to do with LISP!
Redundant Key Server identical!
KS1
! ---<cont.>---
!
crypto gdoi group ipv6 V6GROUP-0003
identity number 20003
server local
rekey retransmit 60 number 2
rekey authentication mypubkey rsa GET-KEYS3
rekey transport unicast
sa ipsec 1
profile GDOI-PROFILE
match address ipv6 GETVPN6-0003
replay time window-size 5
address ipv4 192.168.18.2
redundancy
local priority 100
peer address ipv4 192.168.19.2
!
ip access-list extended GETVPN-0001
permit ip any any
ip access-list extended GETVPN-0002
permit ip any any
ip access-list extended GETVPN-0003
permit ip any any
!
ipv6 access-list GETVPN6-0001
permit ipv6 any any
!
ipv6 access-list GETVPN6-0002
permit ipv6 any any
!
ipv6 access-list GETVPN6-0003
permit ipv6 any any
!
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
Remote2 xTR/GM
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
identity number 10001
server address ipv4 192.168.18.2
server address ipv4 192.168.19.2
client registration interface Loopback0
!
---<skip>---
crypto gdoi group ipv6 V6GROUP-0003
identity number 20003
server address ipv4 192.168.18.2
server address ipv4 192.168.19.2
client registration interface Loopback0
!
crypto map MAP-V4-0001 10 gdoi
set group V4GROUP-0001
!
---<skip>---
crypto map ipv6 MAP-V6-0003 10 gdoi
set group V6GROUP-0003
!
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Group Members
• Add crypto map to LISP0.x
ALL LISP SITES identical! Cut/Paste!
Remote2 xTR/GM
!
interface LISP0
!
interface LISP0.1
ip mtu 1456
ipv6 mtu 1436
ipv6 crypto map MAP-V6-0001
crypto map MAP-V4-0001
!
interface LISP0.2
ip mtu 1456
ipv6 mtu 1436
ipv6 crypto map MAP-V6-0002
crypto map MAP-V4-0002
!
interface LISP0.3
ip mtu 1456
ipv6 mtu 1436
ipv6 crypto map MAP-V6-0003
crypto map MAP-V4-0003
!
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Group Members
• Add crypto map to LISP0.x
Verification on Site3, EID to EID (encrypted, VRF DeptA):
Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
Site3#
LISP VPN/Virtualization LISP Virtualization with GETVPN
3. Add encryption
Examples: • GETVPN Group Members
• Add crypto map to LISP0.x
Verification on Site3, EID to EID (IPsec SAs):
Site3#show crypto engine connection active
Crypto Engine Connections
  ID  Type   Algorithm      Encrypt  Decrypt  LastSeqN  IP-Address
---<skip>---
 143  IPsec  AES256+SHA512        0      100         0  192.168.14.1
 144  IPsec  AES256+SHA512      100        0         0  192.168.14.1
---<skip>---
Site3#
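The two `show` outputs above only prove the point when read together: the 100 echoes the ping reports as sent and received must show up as 100 packets encrypted on one SA and 100 decrypted on the other towards the same peer, and the algorithm on those SAs must be the one the key server's transform set dictates. The script below is an added example, not Cisco code: it assumes the `show crypto engine connection active` and ping output layouts shown on the slides, and its sample texts are constructed from the slide with one extra SA (id 201, a weaker `3DES+SHA` transform to a second constructed peer) added so the policy check has something to flag.

```python
"""Confirm that EID-to-EID traffic traversed the GETVPN IPsec SAs as expected.
Added example, not Cisco code; sample outputs are constructed from the slides."""
import re

# Columns: ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
SA_ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
PING_RE = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")

# Constructed sample: rows 143/144 as on the slide, row 201 added for illustration.
CRYPTO_ENGINE_OUTPUT = """\
Crypto Engine Connections

   ID  Type    Algorithm          Encrypt  Decrypt LastSeqN IP-Address
  143  IPsec   AES256+SHA512            0      100        0 192.168.14.1
  144  IPsec   AES256+SHA512          100        0        0 192.168.14.1
  201  IPsec   3DES+SHA                 7        7        0 192.168.12.1
"""

# Constructed sample: the success-rate line from the 100-packet ping on the slide.
PING_OUTPUT = """\
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
"""

# What the key server's transform-set (GDOI-TRANS: esp-aes 256, esp-sha512-hmac)
# should yield on every group member.
ALLOWED_ALGORITHMS = {"AES256+SHA512"}


def parse_sa_rows(text):
    """Return one dict per IPsec SA row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line)
        if m and m.group(2) == "IPsec":
            rows.append({"id": int(m.group(1)), "algorithm": m.group(3),
                         "encrypt": int(m.group(4)), "decrypt": int(m.group(5)),
                         "peer": m.group(7)})
    return rows


def parse_ping_counts(text):
    """Return (received, sent) from the ping success-rate line."""
    m = PING_RE.search(text)
    if not m:
        raise ValueError("no success-rate line in ping output")
    return int(m.group(1)), int(m.group(2))


def verify_encrypted_path(sa_rows, peer, sent, received):
    """Sum the SA counters towards one peer and compare with the ping counts.
    Counters are cumulative, so the check is 'at least', not 'exactly'."""
    encrypted = sum(r["encrypt"] for r in sa_rows if r["peer"] == peer)
    decrypted = sum(r["decrypt"] for r in sa_rows if r["peer"] == peer)
    return {"encrypted": encrypted, "decrypted": decrypted,
            "all_sent_encrypted": encrypted >= sent,
            "all_received_decrypted": decrypted >= received}


def weak_sas(sa_rows, allowed=ALLOWED_ALGORITHMS):
    """IDs of SAs negotiated with an algorithm outside the expected policy."""
    return [r["id"] for r in sa_rows if r["algorithm"] not in allowed]


def run_check(peer="192.168.14.1"):
    """Run both checks on the constructed samples."""
    rows = parse_sa_rows(CRYPTO_ENGINE_OUTPUT)
    received, sent = parse_ping_counts(PING_OUTPUT)
    return verify_encrypted_path(rows, peer, sent, received), weak_sas(rows)


if __name__ == "__main__":
    path, weak = run_check()
    print("path:", path)
    print("SAs outside policy:", weak)
```

Counting per peer matters: a ping that succeeds while the peer's encrypt counter stays at zero means the traffic reached the EID unencrypted (for instance because the crypto map was applied to the wrong LISP0.x sub-interface), which is exactly the misconfiguration the "Add crypto map to LISP0.x" step can silently produce.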
LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs
LISP Solution:
• 24-bit LISP Instance-ID segments control plane and data plane, with VRF binding to the Instance-ID
Benefits:
• Very high scale tenant segmentation
• IP-based “overlay” solution, transport independent
• Inter-Departmental VPNs without additional PE VRFs
• No MPLS VPN complexity
• Use of LISP removes Customer IPv4 Prefixes from MPLS
• Use of LISP (v6-over-v4) removes SP from Customer IPv6 config/mgmt
[Figure: LISP sites and the West and East DCs over an IP network with a Mapping DB; legacy sites reached through a PxTR]
LISP+GETVPN Config Guide: http://lisp.cisco.com
LISP - Introduction and overview
LISP - How it works
LISP - Example use in an enterprise network
LISP - Current status
Summary
LISP - A Next Generation Networking Architecture
LISP Status: LISP RFCs and notable drafts
IETF LISP WG: http://tools.ietf.org/wg/lisp/
Drafts (Draft: Target)
• LISP Canonical Address Format (draft-ietf-lisp-lcaf-04): Active Working Group Document
• LISP Deployment (draft-ietf-lisp-deployment-11): Active Working Group Document
• LISP SEC (draft-ietf-lisp-sec-05): Active Working Group Document
• LISP DDT (draft-fuller-lisp-ddt-01): Active Working Group Document
• LISP Introduction (draft-ietf-lisp-introduction-03): Active Working Group Document
• LISP Mobile Node (draft-meyer-lisp-mn-10): Related Working Group Document
• LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05): Related Working Group Document
• LISP GPE (draft-lewis-lisp-gpe): Related Working Group Document
• LISP Deployment (draft-ietf-lisp-deployment-12): RFC-Editor’s Queue
• LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04): Related Internet Draft
• LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00): Related Internet Draft
RFCs
• Locator/ID Separation Protocol (LISP) base document: RFC 6830
• LISP Map Server: RFC 6833
• LISP Interworking: RFC 6832
• LISP Multicast: RFC 6831
• LISP Internet Groper: RFC 6835
• LISP Map Versioning: RFC 6834
• LISP+ALT: RFC 6836
• LISP MIB: RFC 7052
• LISP Network Element Deployment Considerations: RFC 7215
LISP Status: LISP Software – Available Releases: IOS Platforms
Cisco Releases (http://lisp.cisco.com)
Hardware / Software / Notes/Caveats
• ISRG1 (1800 Series, 2800 Series, 3800 Series): Engineering Build 15.3(3)XB12
• ISRG2 (800 Series, 1900 Series, 2900 Series, 3900 Series): Mainline Build 15.4(2)T; Engineering Build 15.3(3)XB12
Notes/Caveats: ISRs are EOS/EOL (Cisco support rules apply). LISP features require “datak9” or “securityk9” license.
LISP Status: LISP Software – Available Releases: IOS-XE Platforms
Cisco Releases (http://lisp.cisco.com)
Hardware / Software / Notes
• ASR1K (1001, 1002, 1004, 1006 and 1013 Series; 4451-X): Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S. LISP features require “Advanced IP Services” or “Advanced Enterprise Services” license.
• CSR1KV (Cisco CSR1KV; Amazon Web Services): Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S. LISP features require “Premium” license.
LISP Status: LISP Software – Available Releases: NX-OS Platforms
Cisco Releases (http://lisp.cisco.com)
Hardware / Software / Notes
• Nexus 7000: Mainline Build 6.2(8). Requires M1-32 LC modules. F1 modules and the F2e LC module can be used for LISP using proxy forwarding to an installed M1-32 LC module. Beginning with NX-OS 7.1.0, F3 modules will also support LISP.
• Nexus 7700: Mainline Build 6.2(8). LISP requires EPLD updated so that FE Bridge is at version 186.008.
Notes: The Transport Services license must be installed to enable LISP.
LISP Status: LISP Software – Available Releases: Catalyst Platforms
Cisco Releases (http://lisp.cisco.com)
Hardware / Software / Notes
• Catalyst 6500: Mainline Build 15.1.2-SY2. Requires Sup2T supervisor engine and WS-X6904-40GE or WS-X6908-10G line cards. Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR.
• Catalyst 6800: Mainline Build 15.1.2-SY2. 6880-X (semi-fixed chassis): supported on all ports at FCS: 15.1(2)SY1 for the baseboard and 15.1(2)SY2 for the port cards. 6807-XL (modular chassis): supported with Sup2T and 6900 series line cards (6908 and 6904) at FCS: 15.1(2)SY1 (not supported natively on Sup2T, need 6900 modules for encap/decap). Supports xTR (IPv4-only RLOC), shared mode virtualization, PxTR, MS and MR.
LISP - Introduction and overview
LISP - How it works
LISP - Example use in an enterprise network
LISP - Current status
Summary
LISP - A Next Generation Networking Architecture
LISP Summary: Part of the LISP Solution Space
LISP is an Architecture…
[Figure: xTRs joining IPv4 and IPv6 networks across IPv4 and IPv6 cores, illustrating the four use cases below]
1. Multihoming
2. IPv6 Transition
3. Virtualization/VPN
4. Mobility
Please rate this talk
• Thank you
Q & A