LISP – A New Network Architecture and Its Use in Enterprise Networks
(original Czech title: LISP – Nová síťová architektura a její využití v podnikových sítích)

Miroslav Brzek, Systems Engineer
[email protected]

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Page 3: Agenda

LISP - Introduction
LISP - How it works
LISP - Example of use in an enterprise network
LISP - Current status
Summary

LISP - A Next Generation Networking Architecture

Page 4: LISP Overview – Original Motivation: Resolve route scaling problems

Today's Internet Behavior

The "Default Free Zone" (DFZ) contains all types of routes:

• Edge (site) routes
• Core (provider) routes
• More specifics of both types for TE purposes

In this model, everything goes in the DFZ.

[Figure: left, today's Internet with a single DFZ carrying every prefix; right, LISP, where the DFZ carries only locators and a separate Mapping System holds the site prefixes]

LISP Behavior

• The Locator/ID "split" architecture treats "core" and "site" prefixes differently
• In this model, prefixes describing core topology (locators) go in the DFZ; prefixes describing end sites (EIDs) go in the LISP mapping system

Page 5: LISP Overview – Locator/ID split enables other (more important) benefits

Today's Internet Behavior

A device's IPv4 or IPv6 address (x.y.z.1) represents identity and location. When the device moves, it gets a new IPv4 or IPv6 address (w.z.y.9) for its new identity and location.

LISP Behavior

A device's IPv4 or IPv6 address represents identity only. When the device moves, it keeps its IPv4 or IPv6 address (x.y.z.1), so it has the same identity; only the location changes (locator a.b.c.1 before the move, e.f.g.7 after it).

Page 6: LISP Overview – Routing and Addressing Architecture of the Internet Protocol

Addresses today combine location and identity semantics in a single 32-bit or 128-bit number.

Separating Location and Identity changes this:

• Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
• Translation vs. Tunneling is a key question

Network Layer Identifier: WHO you are in the network – a long-term binding to the thing that it names; does not change often at all

Network Layer Locator: WHERE you are in the network – think of the source and destination "addresses" used in routing and forwarding

WHERE you are can change! WHO you are should be the same!

Page 7: Agenda (section divider; same items as page 3)

Page 8: LISP Operations – LISP namespaces

• EID (Endpoint Identifier) is the IP address of a host – just as it is today
• RLOC (Routing Locator) is the IP address of the LISP router for the host
• EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs

Main attributes of LISP

Network-based solution
No host changes
Minimal configuration
No DNS changes
Address Family agnostic
Incrementally deployable (support LISP and non-LISP)
Support for mobility

[Figure: several EID spaces (LISP sites behind xTRs) attached to the RLOC space, with an MS/MR and a PxTR in front of a non-LISP site]

EID-to-RLOC mapping (held in the mapping system):

  EID           RLOC
  a.a.a.0/24    w.x.y.1
  b.b.b.0/24    x.y.w.2
  c.c.c.0/24    z.q.r.5
  d.d.0.0/16    z.q.r.5

Core routing table (RLOC space only):

  Prefix     Next-hop
  w.x.y.1    e.f.g.h
  x.y.w.2    e.f.g.h
  z.q.r.5    e.f.g.h

Page 9: LISP Operations – LISP "Level of Indirection" is analogous to a DNS lookup

‒ DNS resolves a name to IP addresses, answering the "WHO IS" question:

  host -> DNS server:  [ who is lisp.cisco.com ] ?
  DNS server -> host:  [ 153.16.5.29, 2610:D0:110C:1::3 ]

‒ LISP resolves locators for queried identities, answering the "WHERE IS" question:

  LISP router -> LISP Mapping System:  [ where is 153.16.5.29 ] ?
  LISP Mapping System -> LISP router:  [ locator is 128.107.81.169 ]

Page 10: LISP Operations – LISP IPv4 EID / IPv4 RLOC Data Packet Header Example

[Figure: packet layout, outer to inner]
  IPv4 Outer Header – ITR supplies RLOCs
  UDP Header
  LISP Header
  IPv4 Inner Header – host supplies EIDs

Q: How does the UDP source port get selected?
A: It's either a 3-tuple or 5-tuple hash of the inner (EID) header.

Page 11: LISP Operations – LISP Encapsulation Combinations: IPv4 and IPv6 Supported

  IPv6/IPv4: IPv6 Outer Header | UDP | LISP | IPv4 Inner Header
  IPv6/IPv6: IPv6 Outer Header | UDP | LISP | IPv6 Inner Header
  IPv4/IPv6: IPv4 Outer Header | UDP | LISP | IPv6 Inner Header
  IPv4/IPv4: IPv4 Outer Header | UDP | LISP | IPv4 Inner Header

Q: Doesn't encapsulation cause MTU issues?
A: It can, but preparation limits the issues. Encapsulation overhead is 36 bytes with an IPv4 outer header (20 IP + 8 UDP + 8 LISP) and 56 bytes with an IPv6 outer header (40 + 8 + 8). LISP supports "stateful" (PMTUD) and "stateless" (fragmentation) options. Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable.
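The header layout on page 10 and the overhead numbers above, as an added example that is not part of the presentation: a Python encoder for the outer IPv4/IPv6 + UDP + LISP header of RFC 6830, with the UDP source port derived from a 5-tuple hash of the inner header (the 49152-65535 range it folds into is an assumption, not something the slides specify), the 24-bit Instance-ID field of the LISP header, and the 36/56-byte overhead checked against a core MTU. The inner packet is constructed sample input using the deck's S and D addresses.

```python
"""LISP data-plane encapsulation (RFC 6830): outer IP + UDP/4341 + 8-byte LISP header + inner packet.
Added example for this page, not code from the presentation."""
import hashlib
import ipaddress
import struct
from typing import Optional

LISP_DATA_PORT = 4341
# First byte of the LISP header: N L E V I + 3 reserved bits (RFC 6830, section 5.3)
FLAG_N, FLAG_L, FLAG_E, FLAG_V, FLAG_I = 0x80, 0x40, 0x20, 0x10, 0x08
EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535   # assumption: fold the 5-tuple hash into this source-port range

def parse_inner(pkt: bytes) -> dict:
    """5-tuple of a raw inner IPv4/IPv6 packet (assumes no IPv4 options or IPv6 extension headers)."""
    version = pkt[0] >> 4
    if version == 4:
        l4_off, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    elif version == 6:
        l4_off, proto = 40, pkt[6]
        src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    else:
        raise ValueError("not an IP packet")
    sport = dport = 0
    if proto in (6, 17) and len(pkt) >= l4_off + 4:        # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", pkt[l4_off:l4_off + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def udp_source_port(inner: dict) -> int:
    """Outer UDP source port derived from the inner 5-tuple: one flow always gets the same port
    (so core ECMP keeps it on one path) while different flows spread across ports."""
    key = "|".join(str(inner[k]) for k in ("src", "dst", "proto", "sport", "dport")).encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return EPHEMERAL_LO + h % (EPHEMERAL_HI - EPHEMERAL_LO + 1)

def lisp_header(instance_id: Optional[int] = None, nonce: Optional[int] = None, lsbs: int = 1) -> bytes:
    """8-byte LISP header. With the I bit set, the last 32-bit word carries a 24-bit Instance-ID
    followed by 8 locator-status bits; otherwise it carries 32 locator-status bits."""
    flags, nonce_or_version = FLAG_L, 0
    if nonce is not None:
        flags, nonce_or_version = flags | FLAG_N, nonce & 0xFFFFFF
    if instance_id is None:
        last_word = lsbs & 0xFFFFFFFF
    else:
        if not 0 <= instance_id < 1 << 24:
            raise ValueError("Instance-ID is a 24-bit field")
        flags, last_word = flags | FLAG_I, (instance_id << 8) | (lsbs & 0xFF)
    return struct.pack("!B3sI", flags, nonce_or_version.to_bytes(3, "big"), last_word)

def parse_lisp_header(hdr: bytes) -> dict:
    flags, mid, last_word = struct.unpack("!B3sI", hdr[:8])
    return {"instance_id": last_word >> 8 if flags & FLAG_I else None,
            "nonce": int.from_bytes(mid, "big") if flags & FLAG_N else None}

def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner: bytes, src_rloc: str, dst_rloc: str, instance_id: Optional[int] = None) -> bytes:
    """ITR side: the host-supplied EIDs stay in the inner header, the ITR supplies RLOCs in the outer one."""
    src, dst = ipaddress.ip_address(src_rloc), ipaddress.ip_address(dst_rloc)
    if src.version != dst.version:
        raise ValueError("both RLOCs must be in the same address family")
    payload = lisp_header(instance_id) + inner
    udp_len = 8 + len(payload)
    # Zero UDP checksum, as RFC 6830 allows for an IPv4 outer header; the inner packet keeps its own checksums.
    udp = struct.pack("!HHHH", udp_source_port(parse_inner(inner)), LISP_DATA_PORT, udp_len, 0)
    if src.version == 4:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0, src.packed, dst.packed)
        ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    else:
        ip = struct.pack("!IHBB16s16s", 6 << 28, udp_len, 17, 64, src.packed, dst.packed)
    return ip + udp + payload

def encap_overhead(inner: bytes, src_rloc: str, dst_rloc: str) -> int:
    """36 bytes with an IPv4 outer header (20 + 8 + 8), 56 with IPv6 (40 + 8 + 8)."""
    return len(encapsulate(inner, src_rloc, dst_rloc)) - len(inner)

def max_inner_size(core_mtu: int, outer_version: int) -> int:
    """Largest inner packet that still fits the core MTU after encapsulation (the stateless
    alternative is to fragment anything larger before encapsulating)."""
    return core_mtu - (36 if outer_version == 4 else 56)

def sample_inner_ipv6(payload: bytes = b"constructed sample") -> bytes:
    """Constructed inner packet: UDP from the slide's S (2001:db8:1::1) to D (2001:db8:2::1)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    return struct.pack("!IHBB16s16s", 6 << 28, len(udp), 17, 64,
                       ipaddress.ip_address("2001:db8:1::1").packed,
                       ipaddress.ip_address("2001:db8:2::1").packed) + udp

if __name__ == "__main__":
    inner = sample_inner_ipv6()
    outer = encapsulate(inner, "11.0.0.2", "12.0.0.2", instance_id=1)     # slide's xTR-2 -> xTR-3
    sport = struct.unpack("!H", outer[20:22])[0]
    print(f"overhead {len(outer) - len(inner)} B, UDP src port {sport}, "
          f"LISP header {parse_lisp_header(outer[28:36])}")
    print("largest inner packet at a 1500-byte core MTU with IPv6 outer:", max_inner_size(1500, 6))
```

The MTU arithmetic is the practical point: a site MTU of 1500 behind an IPv4-encapsulating xTR leaves 1464 bytes for the inner packet, so either the core carries 1536+ bytes or PMTUD/fragmentation has to be planned, exactly as the slide warns.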

Page 12: LISP Operations – LISP Data Plane: Ingress/Egress Tunnel Router (xTR)

[Figure: LISP Site 1 (source S, PI EID-prefix 2001:db8:1::/48) is dual-homed through xTR-1 and xTR-2 to providers 10.0.0.0/8 and 11.0.0.0/8; LISP Site 2 (destination D, PI EID-prefix 2001:db8:2::/48) is dual-homed through xTR-3 and xTR-4 to providers 12.0.0.0/8 and 13.0.0.0/8; an IP network connects the providers. Each xTR contains an ITR and an ETR function.]

ETR – Egress Tunnel Router
‒ Receives packets from core-facing interfaces
‒ De-caps and delivers packets to local EIDs at the site

ITR – Ingress Tunnel Router
‒ Receives packets from site-facing interfaces
‒ Encaps to remote LISP sites, or natively forwards to non-LISP sites

Page 13: LISP Operations – LISP Data Plane: Ingress/Egress Tunnel Router (xTR)

[Figure: same topology as page 12, with RLOCs: xTR-1 10.0.0.2 and xTR-2 11.0.0.2 (Site 1); xTR-3 12.0.0.2 and xTR-4 13.0.0.2 (Site 2)]

Site 2 xTR configuration (IOS):

  !
  router lisp
   locator-set SITE2
    12.0.0.2 priority 1 weight 50
    13.0.0.2 priority 1 weight 50
    exit
   !
   eid-table default instance-id 0
    database-mapping 2001:db8:2::/48 locator-set SITE2
    exit
   !
   ipv6 itr map-resolver 66.2.2.2
   ipv6 itr
   ipv6 etr map-server 66.2.2.2 key S3cr3t-2
   ipv6 etr
   exit
  !
  ip route 0.0.0.0 0.0.0.0 12.0.0.1
  ip route 0.0.0.0 0.0.0.0 13.0.0.1
  !

Identical config on both xTRs!

Page 14: LISP Operations – LISP Data Plane: Unicast Packet Flow

[Figure: same topology as page 13. DNS entry: D.abc.com AAAA 2001:db8:2::1]

1. S resolves D.abc.com and gets 2001:db8:2::1.
2. S sends the packet 2001:db8:1::1 -> 2001:db8:2::1; it reaches the ITR (xTR-2).
3. The ITR's Map-Cache entry for EID-prefix 2001:db8:2::/48 holds the locator-set 12.0.0.2 (priority 1, weight 50, D1) and 13.0.0.2 (priority 1, weight 50, D2). This policy is controlled by the destination site.
4. The ITR encapsulates: outer header 11.0.0.2 -> 12.0.0.2, inner header 2001:db8:1::1 -> 2001:db8:2::1.
5. The encapsulated packet crosses the provider network on the RLOCs.
6. The ETR (xTR-3, 12.0.0.2) decapsulates.
7. The inner packet 2001:db8:1::1 -> 2001:db8:2::1 is delivered to D.

Page 15: LISP Operations – LISP Control Plane: Introduction

LISP Control Plane Provides On-Demand Mappings

• Control Plane is separate from the Data Plane (UDP 4342 vs UDP 4341)
• Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)
• LISP Control Plane Messages for EID-to-RLOC resolution
• Distributed databases and map-caches hold mappings

Page 16: LISP Operations – LISP Control Plane: Map-Server/Map-Resolver (MS/MR)

[Figure: same topology as page 13 (Provider B is 11.0.0.0/8, Provider D is 13.0.0.0/8), plus a Mapping System containing the MR and MS]

MR – Map-Resolver
‒ Receives Map-Requests from ITRs
‒ Forwards Map-Requests to the Mapping System
‒ Sends Negative Map-Replies in response to Map-Requests for non-LISP sites

MS – Map-Server
‒ LISP site ETRs register their EID prefixes here; requires a configured "lisp site" policy and authentication key
‒ Receives Map-Requests via the Mapping System, forwards them to registered ETRs

Page 17: LISP Operations – LISP Control Plane: Map-Server/Map-Resolver (MS/MR)

[Figure: same topology and Mapping System as page 16]

LISP Map Cache (ITR)
‒ Only stores mappings for sites to which the ITR is currently sending packets
‒ Populated by receiving Map-Replies from ETRs
‒ ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)

LISP Site Mapping-Database (ETR)
‒ EID-to-RLOC mappings in all ETRs for the local LISP site
‒ The ETR is "authoritative" for its EIDs and sends Map-Replies to ITRs
‒ ETRs can tailor policy based on the Map-Request source

Page 18: LISP Operations – LISP Control Plane: Map-Registration Example

[Figure: same topology as page 16; the MS/MR has address 66.2.2.2]

1. LISP Map-Register (UDP 4342), 12.0.0.2 -> 66.2.2.2, authenticated with a SHA2 HMAC: EID-prefix 2001:db8:2::/48, locators 12.0.0.2, 13.0.0.2.
2. Other sites send their own Map-Registers to 66.2.2.2 in the same way.
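The Map-Register exchange above, as an added example that is not the presentation's code: both sides of the SHA2-HMAC check. The ETR keys the MAC over the whole message with the Authentication Data field zeroed, and the Map-Server picks the key by which configured "lisp site" owns the EID being registered (the site table mirrors the MS/MR configuration shown on page 21 of the deck), then compares in constant time. Header and record layouts follow RFC 6830 section 6.1.6; the proxy_reply flag sets the P bit used on page 20. Only the first record of a message is inspected here.

```python
"""Map-Register authentication (RFC 6830, section 6.1.6): the ETR puts an HMAC over the whole
message, the Map-Server recomputes it with the key configured for the site that owns the EID.
Added example for this page, not code from the presentation."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Optional

MAP_REGISTER = 3
KEY_ID_HMAC_SHA256_128 = 2      # RFC 6830 Key ID 2: HMAC-SHA-256 truncated to 128 bits
AUTH_LEN = 16
AFI = {4: 1, 6: 2}              # IANA address-family numbers
HEADER = "!I8sHH"               # type/P/M/count word, 64-bit nonce, key ID, auth data length
RECORD = "!IBBHHH"              # TTL, locator count, EID mask length, ACT/A/rsvd, map-version, EID AFI
LOCATOR = "!BBBBHH"             # priority, weight, mcast priority, mcast weight, flags, RLOC AFI

MS_SITES = {  # Map-Server policy from the deck: site -> (authentication key, EID prefix it may register)
    "Site-1": (b"S3cr3t-1", ipaddress.ip_network("2001:db8:1::/48")),
    "Site-2": (b"S3cr3t-2", ipaddress.ip_network("2001:db8:2::/48")),
}

def encode_record(eid_prefix: str, locators, ttl_min: int = 1440) -> bytes:
    """One EID-to-RLOC record; locators are (priority, weight, rloc) triples, flagged local + reachable."""
    net = ipaddress.ip_network(eid_prefix)
    rec = struct.pack(RECORD, ttl_min, len(locators), net.prefixlen, 0, 0, AFI[net.version])
    rec += net.network_address.packed
    for prio, weight, rloc in locators:
        addr = ipaddress.ip_address(rloc)
        rec += struct.pack(LOCATOR, prio, weight, 255, 0, 0x0005, AFI[addr.version]) + addr.packed
    return rec

def build_map_register(site_key: bytes, records, proxy_reply: bool = False,
                       nonce: Optional[bytes] = None) -> bytes:
    """ETR side. The P bit asks the Map-Server to answer Map-Requests itself (proxy Map-Reply)."""
    nonce = os.urandom(8) if nonce is None else nonce
    word = (MAP_REGISTER << 28) | (1 << 27 if proxy_reply else 0) | len(records)
    header = struct.pack(HEADER, word, nonce, KEY_ID_HMAC_SHA256_128, AUTH_LEN)
    body = b"".join(records)
    # The MAC covers the entire message with the Authentication Data field zeroed.
    mac = hmac.new(site_key, header + bytes(AUTH_LEN) + body, hashlib.sha256).digest()[:AUTH_LEN]
    return header + mac + body

def registered_eid(msg: bytes):
    """First record's EID prefix, plus the key ID and auth length the sender claimed."""
    _, _, key_id, auth_len = struct.unpack(HEADER, msg[:16])
    off = 16 + auth_len
    _, _, masklen, _, _, afi = struct.unpack(RECORD, msg[off:off + 12])
    alen = 4 if afi == 1 else 16
    addr = ipaddress.ip_address(msg[off + 12:off + 12 + alen])
    return ipaddress.ip_network(f"{addr}/{masklen}", strict=False), key_id, auth_len

def map_server_accepts(msg: bytes, sites=MS_SITES):
    """Map-Server side: the site is chosen by the EID being registered, never by anything the
    sender asserts, and the HMAC is compared in constant time. Returns (accepted, reason)."""
    eid, key_id, auth_len = registered_eid(msg)
    site = next((name for name, (_, pfx) in sites.items()
                 if pfx.version == eid.version and eid.subnet_of(pfx)), None)
    if site is None:
        return False, f"no lisp site configured for {eid}"
    if key_id != KEY_ID_HMAC_SHA256_128 or auth_len != AUTH_LEN:
        return False, "unsupported key-id or authentication data length"
    zeroed = msg[:16] + bytes(AUTH_LEN) + msg[16 + AUTH_LEN:]
    expected = hmac.new(sites[site][0], zeroed, hashlib.sha256).digest()[:AUTH_LEN]
    if not hmac.compare_digest(expected, msg[16:16 + AUTH_LEN]):
        return False, f"HMAC mismatch for {site}: wrong key or modified registration"
    return True, f"{eid} registered for {site}"

if __name__ == "__main__":
    # xTR-3 from the deck registers Site 2 with key S3cr3t-2 ...
    site2 = encode_record("2001:db8:2::/48", [(1, 50, "12.0.0.2"), (1, 50, "13.0.0.2")])
    print(map_server_accepts(build_map_register(b"S3cr3t-2", [site2])))
    # ... a rogue ETR tries the same prefix with Site 1's key, and then a prefix nobody configured
    print(map_server_accepts(build_map_register(b"S3cr3t-1", [site2])))
    rogue = encode_record("2001:db8:9::/48", [(1, 100, "12.0.0.2")])
    print(map_server_accepts(build_map_register(b"S3cr3t-2", [rogue])))
```

The security property the deck's "lisp site ... authentication-key" policy buys is visible in the last two cases: a registration is accepted only if it carries a MAC under the key of the site that owns that EID-prefix, so one site's key cannot register, and thereby hijack, another site's prefix, and an unconfigured prefix is rejected before any key is even looked up.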

Page 19: LISP Operations – LISP Control Plane: Map-Request/Map-Reply Example

[Figure: same topology as page 18; MS/MR 66.2.2.2. DNS entry: D.abc.com AAAA 2001:db8:2::1]

1. S resolves D.abc.com and gets 2001:db8:2::1.
2. S sends 2001:db8:1::1 -> 2001:db8:2::1; the ITR (11.0.0.2) has no map-cache entry and asks: is 2001:db8:2::1 a LISP destination?
3. ITR -> MR, 11.0.0.2 -> 66.2.2.2: a LISP Encapsulated Control Message (ECM, UDP 4342) carrying a Map-Request (UDP 4342) with a nonce, the ITR RLOC 11.0.0.2 and the queried EID 2001:db8:2::1.
4. MS -> ETR, 66.2.2.2 -> 12.0.0.2: the ECM/Map-Request is forwarded to a registered ETR for 2001:db8:2::/48.
5. ETR -> ITR, 12.0.0.2 -> 11.0.0.2: a Map-Reply (UDP 4342) echoing the nonce, with a TTL, EID-prefix 2001:db8:2::/48, locators 12.0.0.2 [priority 1, weight 50] and 13.0.0.2 [priority 1, weight 50].
6. The ITR installs the Map-Cache entry: EID-prefix 2001:db8:2::/48, locator-set 12.0.0.2 (priority 1, weight 50, D1), 13.0.0.2 (priority 1, weight 50, D2).

Page 20: LISP Operations – LISP Control Plane: Map-Server Proxy Map-Reply Example

[Figure: same topology as page 19; MS/MR 66.2.2.2]

1. LISP Map-Register (UDP 4342), 12.0.0.2 -> 66.2.2.2, SHA2 HMAC, with the Proxy-Bit set: EID-prefix 2001:db8:2::/48, locators 12.0.0.2, 13.0.0.2.
2. ITR -> MR, 11.0.0.2 -> 66.2.2.2: a LISP ECM (UDP 4342) carrying a Map-Request (UDP 4342) with a nonce, the ITR RLOC 11.0.0.2 and the queried EID 2001:db8:2::1.
3. MS -> ITR, 66.2.2.2 -> 11.0.0.2: because the registration asked for proxy replies, the Map-Server answers itself with a Map-Reply (UDP 4342) echoing the nonce, with a TTL, EID-prefix 2001:db8:2::/48, 12.0.0.2 [1, 50], 13.0.0.2 [1, 50], instead of forwarding the request to the ETR.
4. The ITR installs the Map-Cache entry: EID-prefix 2001:db8:2::/48, locator-set 12.0.0.2 (priority 1, weight 50, D1), 13.0.0.2 (priority 1, weight 50, D2).
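ITR map-cache handling for the Map-Request/Map-Reply and proxy Map-Reply exchanges above, as an added example that is not the presentation's code. It enforces the Map-Reply policy listed on page 17: a reply is installed only when its nonce matches an outstanding Map-Request and covers the queried EID, entries expire on the reply's TTL, negative replies for non-LISP destinations become "natively-forward" entries, and forwarding picks the lowest-priority RLOC that is up and shares load by weight, per Instance-ID. Messages are plain dicts rather than wire format; the addresses, priorities and weights are the deck's, everything else is constructed.

```python
"""ITR map-cache: nonce-checked Map-Replies, TTL expiry, negative entries, priority/weight RLOC
selection, per-Instance-ID separation. Added example for this page, not the presentation's code."""
import hashlib
import ipaddress
import secrets
import time

NEVER = 0xFFFFFFFF        # RFC 6830 record TTL meaning "never expire"

class MapCache:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}     # (instance_id, ip_network) -> {"locators", "action", "expires"}
        self.pending = {}     # nonce -> (instance_id, queried EID) for outstanding Map-Requests

    def lookup(self, instance_id, eid):
        """Longest-prefix match inside one instance; expired entries are purged on the way."""
        addr, best = ipaddress.ip_address(eid), None
        for (iid, net), entry in list(self.entries.items()):
            if iid != instance_id or net.version != addr.version or addr not in net:
                continue
            if entry["expires"] is not None and entry["expires"] <= self.clock():
                del self.entries[(iid, net)]
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, entry)
        return best[1] if best else None

    def map_request(self, instance_id, eid):
        """Build the Map-Request the ITR sends to its Map-Resolver; the nonce is remembered so that
        only a reply to this request can change the cache."""
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = (instance_id, ipaddress.ip_address(eid))
        return {"type": "map-request", "nonce": nonce, "instance_id": instance_id, "eid": eid}

    def map_reply(self, reply):
        """Install a Map-Reply only if its nonce matches an outstanding request and its EID-prefix
        covers the EID we asked about. Unsolicited, replayed or off-target replies are dropped."""
        pending = self.pending.pop(reply["nonce"], None)
        if pending is None:
            return False
        iid, queried = pending
        net = ipaddress.ip_network(reply["eid_prefix"])
        if reply.get("instance_id", 0) != iid or net.version != queried.version or queried not in net:
            return False
        locators = [dict(loc) for loc in reply.get("locators", [])]
        ttl = reply["ttl"]                       # minutes, as carried in the Map-Reply record
        self.entries[(iid, net)] = {
            "locators": locators,
            # No locators = negative entry; the ACT field says what to do with matching packets
            "action": None if locators else reply.get("action", "natively-forward"),
            "expires": None if ttl == NEVER else self.clock() + ttl * 60,
        }
        return True

    def set_rloc_state(self, instance_id, eid_prefix, rloc, state):
        """RLOC up/down status learned later (e.g. by RLOC-probing); ITRs must honour it."""
        entry = self.entries[(instance_id, ipaddress.ip_network(eid_prefix))]
        for loc in entry["locators"]:
            if loc["rloc"] == rloc:
                loc["state"] = state

    def select_rloc(self, instance_id, eid, flow_key=b""):
        """Forwarding decision for one packet. Returns an RLOC to encapsulate to, or an action:
        'send-map-request' (cache miss), 'natively-forward' (non-LISP destination) or 'drop'."""
        entry = self.lookup(instance_id, eid)
        if entry is None:
            return "send-map-request"
        if entry["action"]:
            return entry["action"]
        usable = [loc for loc in entry["locators"]
                  if loc.get("state", "up") == "up" and loc["priority"] < 255]   # 255 = never use
        if not usable:
            return "drop"
        best = min(loc["priority"] for loc in usable)
        candidates = [loc for loc in usable if loc["priority"] == best]
        total = sum(loc["weight"] for loc in candidates)
        # Equal priorities share traffic by weight; hashing the flow keeps one flow on one RLOC
        h = int.from_bytes(hashlib.sha256(flow_key).digest()[:4], "big")
        if total == 0:                           # all weights zero: nothing to proportion, pick by hash
            return candidates[h % len(candidates)]["rloc"]
        point = h % total
        for loc in candidates:
            point -= loc["weight"]
            if point < 0:
                return loc["rloc"]

if __name__ == "__main__":
    itr = MapCache()                                   # xTR-2 (RLOC 11.0.0.2) acting as ITR
    req = itr.map_request(0, "2001:db8:2::1")
    spoof = {"nonce": bytes(8), "eid_prefix": "2001:db8:2::/48", "ttl": 1440,
             "locators": [{"rloc": "198.51.100.1", "priority": 1, "weight": 100}]}
    print("spoofed reply accepted:", itr.map_reply(spoof))          # False: nonce unknown
    reply = {"nonce": req["nonce"], "eid_prefix": "2001:db8:2::/48", "ttl": 1440,
             "locators": [{"rloc": "12.0.0.2", "priority": 1, "weight": 50},
                          {"rloc": "13.0.0.2", "priority": 1, "weight": 50}]}
    print("ETR reply accepted:", itr.map_reply(reply))
    print("forward to:", itr.select_rloc(0, "2001:db8:2::1", b"2001:db8:1::1->2001:db8:2::1/tcp/443"))
```

The nonce check is the control-plane hardening the slides only imply: without it, anyone who can send UDP 4342 to an ITR's RLOC could push a Map-Reply that redirects a whole EID-prefix to an attacker-chosen locator. The TTL expiry is what the "expires: 23:58:14" column in the map-cache output on page 32 shows for a 1440-minute reply.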

Page 21: LISP Operations – LISP Control Plane: Map-Server/Map-Resolver (MS/MR)

[Figure: same topology as page 18; MS/MR 66.2.2.2]

MS/MR configuration (IOS):

  !
  router lisp
   site Site-1
    authentication-key S3cr3t-1
    eid-prefix 2001:db8:1::/48
    exit
   !
   site Site-2
    authentication-key S3cr3t-2
    eid-prefix 2001:db8:2::/48
    exit
   !
   ! ...continued, more LISP site configs
   !
   ipv6 map-server
   ipv6 map-resolver
   exit
  !

Site 2 xTR configuration (IOS), for comparison:

  !
  router lisp
   locator-set SITE2
    12.0.0.2 priority 1 weight 50
    13.0.0.2 priority 1 weight 50
    exit
   !
   eid-table default instance-id 0
    database-mapping 2001:db8:2::/48 locator-set SITE2
    exit
   !
   ipv6 itr map-resolver 66.2.2.2
   ipv6 itr
   ipv6 etr map-server 66.2.2.2 key S3cr3t-2
   ipv6 etr
   exit
  !
  ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1 on the other xTR)
  !

Page 22: LISP Operations – LISP Internetworking: Day-One Incremental Deployment

Early Recognition
‒ Up-front recognition of an incremental deployment plan
‒ LISP will not be widely deployed day-one

Interworking for:
‒ LISP sites to non-LISP sites (e.g. the rest of the Internet)
‒ non-LISP sites to LISP sites

Proxy-ITR/Proxy-ETR are deployed today
‒ Infrastructure LISP network entity
‒ Creates a monetized service opportunity for infrastructure players

Page 23: LISP Overview – LISP: A Routing Architecture, Not a Feature

An over-the-top technology
• Address Family agnostic
• Incrementally deployable
• End systems can be unaware of LISP

Deployment simplicity
• No host changes
• Minimal CPE changes
• Some new core infrastructure components

Enables IP Number Portability
• Never change host IPs; no renumbering costs
• No DNS changes; "name == EID" binding
• Session survivability

An Open Standard
• Being developed in the IETF (RFC 6830-6836)
• No Cisco Intellectual Property Rights

Uses pull vs. push routing
• OSPF and BGP are push models; routing is stored in the forwarding plane
• LISP is a pull model, analogous to DNS; massively scalable

LISP use cases are complementary
• Simplified multi-homing with ingress traffic engineering; no need for BGP
• Address Family agnostic support
• Virtualization support
• End-host mobility without renumbering

Page 24: Agenda (section divider)

LISP - Introduction and overview
LISP - How it works
LISP - Example of use in an enterprise network
LISP - Current status
Summary

LISP - A Next Generation Networking Architecture

Page 25: LISP Use Cases

IPv6 Transition Support
• v6-over-v4, v6-over-v6
• v4-over-v6, v4-over-v4
[Figure: v6 hosts behind LISP routers reach v6 services across either the IPv4 Internet or the IPv6 Internet]

VM-Mobility
• Cloud / Layer 3 VM moves
• Segmentation
[Figure: a VM with address a.b.c.1 moves from Data Center 1 to Data Center 2, each behind a LISP router, and keeps its address]

VPNs and Segmentation
• Over-the-Top
• Multi-tenancy
[Figure: an HQ LISP site and a Data Center / User Network connected over the Internet to many remote LISP sites (. . 10k . .)]

Efficient Multi-Homing
• IP Portability
• Ingress Traffic Engineering without BGP
[Figure: a LISP site with two LISP routers attached to the Internet]

Page 26: LISP and IPv6 Transition Support – LISP and MPLS Integration

1: Existing IPv4 MPLS VPN

[Figure: SP MPLS core with PE1–PE4 carrying the Blue MPLS-VPN; Blue Site 1 (CE1), Blue Site 2 (CE2) and Blue Site 3 (CE3) are IPv4-only, run an IGP inside the site and eBGP on the PE-CE link]

  PE2#show ip route vrf BLUE
  ---<skip>---
       10.0.0.0/8 is subnetted, 9 subnets
  B       10.1.0.0/24 [20/11] via 12.1.0.2, 00:17:55
  B       10.1.2.0/24 [20/11] via 12.1.0.2, 00:17:55
  B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
  B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
  ---<more>---
       12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
  C       12.1.0.0/30 is directly connected, Ethernet1/0
  L       12.1.0.1/32 is directly connected, Ethernet1/0
  ---<more>---
  PE2#

Customer prefixes (EIDs!!): the 10.x routes
PE-CE links (RLOCs!!): the 12.x routes

  CE1#show ip route
  ---<skip>---
       10.0.0.0/8 is subnetted, 9 subnets
  O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
  O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
  ---<skip>---
  B       10.3.0.0/24 [20/11] via 12.3.0.2, 00:12:01
  B       10.3.1.0/24 [20/11] via 12.3.0.2, 00:12:01
  ---<more>---
       12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
  C       12.1.0.2/30 is directly connected, Ethernet0/0
  B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
  ---<more>---
  CE1#

Customer prefixes (EIDs!!): the 10.x routes
PE-CE links (RLOCs!!): the 12.x routes

Page 27: LISP and IPv6 Transition Support – LISP and MPLS Integration

1: Existing IPv4 MPLS VPN – Add LISP!

[Figure: same topology as page 26; each CE now also acts as a LISP xTR, one of them additionally hosts the MS/MR, and the eBGP session toward the PE carries "route-map deny EIDs out" so the site's EID prefixes are no longer advertised into the MPLS VPN]

Page 28: LISP and IPv6 Transition Support – LISP and MPLS Integration

1: Existing IPv4 MPLS VPN – Add LISP!

[Figure: same as page 27, with a Purple MPLS-VPN also present in the SP core]

  PE2#show ip route vrf BLUE
  ---<skip>---
       12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
  C       12.1.0.0/30 is directly connected, Ethernet1/0
  L       12.1.0.1/32 is directly connected, Ethernet1/0
  ---<more>---
  PE2#

PE-CE links (RLOCs!!): with "route-map deny EIDs out" on the CEs, only the 12.x link prefixes remain in the VRF; the customer prefixes are gone

  CE1#show ip route
  ---<skip>---
       10.0.0.0/8 is subnetted, 9 subnets
  O IA    10.1.0.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/0
  O IA    10.1.2.0/24 [110/11] via 172.16.6.1, 00:29:49, Ethernet1/1
  ---<skip>---
       12.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
  C       12.1.0.2/30 is directly connected, Ethernet0/0
  B       12.1.0.8/30 [20/11] via 12.3.0.1, 00:12:01
  ---<more>---
  CE1#

This site's prefixes (EIDs!!): the 10.1.x routes
PE-CE links (RLOCs!!): the 12.x routes

Page 29: LISP and IPv6 Transition Support – LISP and MPLS Integration

2: Add IPv6 over IPv4 MPLS VPN with LISP

[Figure: same topology as page 27; the sites now also have IPv6 hosts, while the SP core stays IPv4-only]

  PE2#show ipv6 route vrf Blue
  % Specified IPv6 routing table does not exist
  PE2#

IPv6 is not enabled in the SP VRF, yet the IPv6 EIDs are reachable over LISP:

  CE1#show run | begin router lisp
  ---<skip>---
  router lisp
   eid-table default instance-id 0
    database-mapping 2001:db8:a:a::/64 12.1.0.2 priority 1 weight 100
    exit
   !
   ipv6 itr map-resolver 12.1.0.2
   ipv6 itr
   ipv6 etr map-server 12.1.0.2 key ce1-xtr
   ipv6 etr
   exit
  !
  ---<more>---
  CE1#

Page 30: LISP VPN/Virtualization – LISP and MPLS Integration

3: Add LISP Virtualization

[Figure: same topology as page 27; each Blue site additionally contains a VRF-A segment (VRF-A Site 1, VRF-A Site 2, VRF-A Site 3)]

Let's say that the Enterprise wants departmental segmentation inside their network...

Page 31: LISP VPN/Virtualization – LISP and MPLS Integration

3: Add LISP Virtualization

[Figure: same as page 30, with a Purple MPLS-VPN also present in the SP core]

There's no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!

Virtualized!

  CE1#show run | begin router lisp
  ---<skip>---
  router lisp
   eid-table default instance-id 0
    database-mapping 2001:db8:a:a::/64 12.1.0.2 priority 1 weight 100
    exit
   !
   eid-table vrf VRF-A instance-id 1
    database-mapping 10.1.1.0/24 12.1.0.2 priority 1 weight 100
    exit
   !
   ipv4 itr
   ipv4 etr
   ipv4 itr map-resolver 12.1.0.2
   ipv4 etr map-server 12.1.0.2 key ******
   ipv6 itr
   ipv6 etr
   ipv6 itr map-resolver 12.1.0.2
   ipv6 etr map-server 12.1.0.2 key ******
   exit
  !

Page 32: LISP VPN/Virtualization – LISP and MPLS Integration

3: Add LISP Virtualization

[Figure: same as page 31]

There's no need to talk to the SP to get another VRF in the MPLS core. Just use LISP!

Virtualized!

  CE1#ping 10.3.1.1 source 10.1.1.1 rep 10
  Type escape sequence to abort.
  Sending 10, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
  Packet sent with a source address of 10.1.1.1
  ..!!!!!!!!
  Success rate is 80 percent (8/10), round-trip min/avg/max = 2/3/2 ms
  CE1#

The two lost echoes are the packets sent before the Map-Reply arrived; once the 10.3.1.0/24 entry is in the map-cache, the rest succeed:

  CE1#show ip lisp map-cache instance-id 1
  LISP IPv4 Mapping Cache for EID-table vrf VRF-A (IID 1), 2 entries

  0.0.0.0/0, uptime: 00:11:15, expires: never, via static send map-request
    Negative cache entry, action: send-map-request
  10.3.1.0/24, uptime: 00:01:49, expires: 23:58:14, via map-reply, complete
    Locator     Uptime    State  Pri/Wgt
    12.3.1.2    00:01:49  up     1/100
  ---<more>---
  CE1#

Page 33: LISP Virtualization/VPNs – LISP Virtualization Support: Concepts

Virtualization at the DEVICE level – Virtual Routing and Forwarding (VRF) tables segment Layer 3 routing tables
– VRFs are used to virtualize the component resources
– Virtualization constrains the movement of traffic between networks and enhances security policy options

Virtualization at the PATH level – VRFs assist in path isolation
– Single-hop (hop-by-hop): 802.1q, DLCI, VPI/VCI, PW, EVN
– Multi-hop (over-the-top): GRE, MPLS, LISP

[Figure: VRF-1, VRF-2 and the Global IP table on a device, each carried over one of the path-isolation technologies above]

Page 34: LISP Virtualization/VPNs – LISP Virtualization Support: Concepts

Recalling that LISP is "Locator/ID" separation and creates two namespaces, EIDs and RLOCs: LISP can virtualize the EID namespace, the RLOC namespace, or both.

EID virtualization uses LISP Instance-IDs in conjunction with EID VRFs
– Instance-IDs maintain address space segmentation in the control plane and the data plane
– Instance-IDs are numerical tags defined in the LISP Canonical Address Format (LCAF)
  • IID: a 24-bit unstructured number
  • Data Plane: the IID is carried in the LISP encapsulation header
  • Control Plane: the IID is encoded with the EID in an LCAF header

Page 35: LISP Virtualization/VPNs – LISP Virtualization Support: Concepts

Default (non-Virtualized) Model – at the device level
• Conceptually, the Default Model is just a single Parallel Model instance
• All EID lookups are in the same single table – default
• Thus, EIDs are associated with Instance-ID 0
• All RLOC lookups are in a single table – default
• The Mapping System is part of the locator address space

[Figure: a single EID namespace (default table) facing the VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks), and a single shared RLOC namespace (default table or RLOC VRF) facing the locator network (direct connect, IGP, etc.)]

Page 36: LISP Virtualization/VPNs – LISP Virtualization Support: Concepts

Shared Model – at the device level
• Multiple EID-prefixes are allocated privately using VRFs
• EID lookups are in the VRF associated with an Instance-ID
• All RLOC lookups are in a single table (default/global or RLOC VRF)
• The Mapping System is part of the locator address space and is shared

[Figure: several EID namespaces (VRF Pink with IID 1, VRF Blue with IID 2, plus the default table) facing the VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks), all sharing a single RLOC namespace (default table or RLOC VRF)]

Page 37: LISP VPN/Virtualization – LISP Virtualization Support: Concepts

All VPNs share a set of common requirements

1. Encapsulation:
‒ Virtualization
  • EID prefix virtualization, tied to EID VRFs
  • Locators can be virtualized too

2. Site to Site Routing:
‒ Spoke to spoke connectivity
‒ Optional local Internet offload (split-tunnel)
‒ No IGP required to branch sites!

3. Security: Built-In and Add-on
‒ Built-in security mechanisms
‒ LISP works with any crypto scheme
  • Locators or EIDs can be encrypted
‒ LISP-SEC for control plane security

Page 38

LISP VPN/Virtualization: LISP Virtualization Support – Concepts

LISP: inherently scalable and virtualized, rapidly deployable

Requirement                    LISP                                 Other approaches   Notes on LISP
-----------------------------  -----------------------------------  ----------------   ------------------------------------------------------
Scalability (# of VPN sites)   Unconstrained                        ?                  • No protocol constraint
                                                                                       • 100K concurrent site connections
VPN site-to-site routing       Unnecessary                          ?                  • No site-to-site routing required
                                                                                       • No VPN route injection into the core
                                                                                       • LISP / non-LISP site interworking through PxTR
Secure segmentation            24-bit Instance-ID with VRF          ?                  • 16M unique VPN classifiers
                                                                                       • Used for the LISP control plane and data plane
                                                                                       • Optional data-plane encryption with GETVPN
Performance                    Optimal path (P2P), load balancing   ?                  • Shortest path between LISP sites
                                                                                       • Equal-cost / unequal-cost load balancing

(The slide leaves the comparison column as a question mark.)

Page 39

LISP VPN/Virtualization: LISP Virtualization Support – Overview

Figure: two locations (Location X and Location Y), each with Group A … Group N devices and networks behind a CE device acting as xTR/GM, connected over an MPLS VPN / MPLS core network (SP1, SP1, SP1, SP2).

No need for multiple MPLS VRFs for traffic segmentation:
• LISP encapsulates all traffic into the “RLOC namespace”
• LISP Instance-IDs (IIDs) provide segmentation

Customer networks:
• IPv4, IPv6…
• LISP Instance-IDs (IIDs) provide segmentation
• Add GETVPN for encryption, per customer (simple!)

Core network access flexibility:
• One or multiple WAN connections
• One or multiple CE devices…
• IPv4 and/or IPv6…
• Multiple SP cores…

Everything “just works” with LISP…

Page 40

LISP VPN/Virtualization: LISP Virtualization Support – Overview

Figure: the same two-location topology as on page 39 (Group A … Group N devices and networks behind a CE device acting as xTR/GM at Location X and Location Y, over an MPLS VPN core). Inside the xTR: segmentation toward the enterprise internal networks by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks), each mapped to an EID VRF and Instance-ID (e.g. VRF-B, IID 2) with its own LISP0.x sub-interface (LISP0.1, LISP0.2, LISP0.3); a single RLOC namespace in the default table (or RLOC VRF) toward the IPv4 or IPv6 core.

Page 41

LISP VPN/Virtualization

Say we want to build this…
- Three VRFs, IPv4 and IPv6
- HQ multihomed, two CPE
- Remote multihomed, one CPE
- Remote single-homed, DHCP
- Add encryption

Figure (reference topology for the following pages): an IPv4 core; HQ with two CPE, each an xTR/MSMR/GM (the Map-Server/Map-Resolver pair and the two GETVPN Key Servers, KS, live at HQ); Site 1, Site 2 and Site 3 each behind an xTR/GM; three VRFs at every site: VRF DeptA with IID 1, VRF DeptB with IID 2, VRF DeptC with IID 3.

Page 42

LISP VPN/Virtualization

How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption

(Topology as on page 41.)

Page 43

LISP VPN/Virtualization

1. Build the underlay (RLOCs)

(Topology as on page 41.)

Examples: normal IP routing, nothing to do with LISP! All other sites are similar.

HQ1 xTR/MSMR/GM
    !
    hostname HQ1
    !
    interface Ethernet0/0
     ip address 10.0.14.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.0.14.1
    !

Remote2 xTR/GM
    !
    hostname Remote2
    !
    interface Ethernet0/0
     ip address 10.2.1.2 255.255.255.252
    !
    interface Ethernet1/0
     ip address 10.2.2.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.2.1.1
    ip route 0.0.0.0 0.0.0.0 10.2.2.1
    !

Page 44

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

(Topology as on page 41.)

Examples: bind VRFs to IIDs; bind EIDs to RLOCs.

Remote2 xTR/GM
    !
    router lisp
     locator-set Site2
      10.2.1.2 priority 1 weight 50
      10.2.2.2 priority 1 weight 50
      exit
     !
     eid-table default instance-id 0
      database-mapping 192.168.255.12/32 locator-set Site2
      exit
     !
     eid-table vrf DeptA instance-id 1
      database-mapping 192.168.12.0/24 locator-set Site2
      database-mapping 1:1:12::/64 locator-set Site2
      exit
     !
     eid-table vrf DeptB instance-id 2
      database-mapping 192.168.12.0/24 locator-set Site2
      database-mapping 2:2:12::/64 locator-set Site2
      exit
     !
     eid-table vrf DeptC instance-id 3
      database-mapping 192.168.12.0/24 locator-set Site2
      database-mapping 3:3:12::/64 locator-set Site2
      exit
     !

Note that the same IPv4 EID prefix, 192.168.12.0/24, is used in all three VRFs; only the Instance-ID tells them apart, both in the mapping system and in the LISP header on the wire. The /32 in the default instance (IID 0) is the router's loopback, which later serves as the GETVPN registration address.
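The overlapping 192.168.12.0/24 prefixes above are only told apart by the Instance-ID carried in the LISP data-plane header. The following Python is an added example, not code from the Cisco deck or from IOS: it builds and parses the RFC 6830 LISP header with the I-bit set (24-bit Instance-ID, 8 remaining locator-status bits) and models the ETR-side choice of EID table from that IID. The `Etr` class, its `eid_tables` argument and the sample packets are constructed for this illustration, and the minimal IPv4 header builder leaves the checksum at zero.

```python
# Added example (not from the Cisco deck): RFC 6830 LISP header with an
# Instance-ID, and an ETR that picks the EID table (VRF) from the IID alone.
import ipaddress
import os
import struct

LISP_DATA_PORT = 4341                      # UDP destination port of LISP data packets
FLAG_N, FLAG_L, FLAG_E, FLAG_V, FLAG_I = 0x80, 0x40, 0x20, 0x10, 0x08
MAX_IID = (1 << 24) - 1                    # Instance-ID is 24 bits: 16M segments


def build_lisp_header(iid=None, nonce=None, lsb=0):
    """8-byte LISP header.  With an Instance-ID the I-bit is set, the high 24
    bits of the second word carry the IID and only the low 8 bits are left for
    locator-status-bits (RFC 6830 section 5.3)."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(3), "big")  # 24-bit nonce (N-bit set)
    flags = FLAG_N
    if iid is None:
        word2 = lsb & 0xFFFFFFFF                      # full 32-bit locator-status-bits
    else:
        if not 0 <= iid <= MAX_IID:
            raise ValueError("instance-id must fit in 24 bits")
        flags |= FLAG_I
        word2 = (iid << 8) | (lsb & 0xFF)
    return struct.pack("!B3sI", flags, nonce.to_bytes(3, "big"), word2)


def parse_lisp_header(hdr):
    if len(hdr) < 8:
        raise ValueError("short LISP header")
    flags, nonce, word2 = struct.unpack("!B3sI", hdr[:8])
    has_iid = bool(flags & FLAG_I)
    return {"flags": flags,
            "nonce": int.from_bytes(nonce, "big"),
            "iid": (word2 >> 8) if has_iid else None,
            "lsb": (word2 & 0xFF) if has_iid else word2}


def ipv4_header(src, dst, proto=1, payload_len=0):
    """Minimal inner IPv4 header (no options, checksum left at zero) so the
    example carries real EID addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


class Etr:
    """ETR side of `eid-table <vrf> instance-id <n>`: each IID maps to a VRF
    and to the EID prefixes the ETR advertises for it (its database-mappings).
    Constructed model for this example, not the IOS implementation."""

    def __init__(self, eid_tables):
        self.tables = {iid: (vrf, [ipaddress.ip_network(p) for p in prefixes])
                       for iid, (vrf, prefixes) in eid_tables.items()}
        self.drops = []

    def decap(self, udp_payload):
        """Return (vrf, destination EID) for a LISP-encapsulated packet, or
        None if it is dropped.  A packet is never forwarded in a VRF other
        than the one bound to its IID; an unknown IID is dropped rather than
        falling back to the default table."""
        hdr = parse_lisp_header(udp_payload)
        iid = 0 if hdr["iid"] is None else hdr["iid"]   # no I-bit: default table (IID 0)
        if iid not in self.tables:
            self.drops.append(("unknown-iid", iid))
            return None
        vrf, prefixes = self.tables[iid]
        dst = ipaddress.IPv4Address(udp_payload[8 + 16:8 + 20])   # inner IPv4 destination
        if not any(dst in p for p in prefixes):
            self.drops.append(("eid-not-local", iid, str(dst)))
            return None
        return vrf, str(dst)


def demo():
    # Remote2 from page 44: the same 192.168.12.0/24 lives in three VRFs
    etr = Etr({0: ("default", ["192.168.255.12/32"]),
               1: ("DeptA", ["192.168.12.0/24"]),
               2: ("DeptB", ["192.168.12.0/24"]),
               3: ("DeptC", ["192.168.12.0/24"])})
    inner = ipv4_header("192.168.13.1", "192.168.12.10")     # constructed sample packet
    results = [etr.decap(build_lisp_header(iid=i) + inner) for i in (1, 2, 3, 7)]
    # a packet without the I-bit (e.g. to the IID-0 loopback) lands in the default table
    results.append(etr.decap(build_lisp_header() + ipv4_header("10.0.11.2", "192.168.255.12")))
    return results, etr.drops


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Running `demo()` delivers the identical inner packet to DeptA, DeptB and DeptC depending only on the IID, drops the packet with the unconfigured IID 7, and puts the I-bit-less packet in the default table. The drop for an unknown IID is the important check: an ETR that silently fell back to the default table would let traffic cross from one segment into another.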

Page 45

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs), continued: Remote2 LISP control plane

(Topology as on page 41.)

Remote2 xTR/GM
    ! – continued – LISP control plane
    !
     ipv4 itr map-resolver 10.0.14.2
     ipv4 itr map-resolver 10.0.15.2
     ipv4 itr
     ipv4 etr map-server 10.0.14.2 key site2-pswd
     ipv4 etr map-server 10.0.15.2 key site2-pswd
     ipv4 etr
     ipv6 map-server
     ipv6 map-resolver
     ipv6 itr map-resolver 10.0.14.2
     ipv6 itr map-resolver 10.0.15.2
     ipv6 itr
     ipv6 etr map-server 10.0.14.2 key site2-pswd
     ipv6 etr map-server 10.0.15.2 key site2-pswd
     ipv6 etr
     exit
    !

The Map-Resolvers and Map-Servers are the two HQ routers (RLOCs 10.0.14.2 and 10.0.15.2), and the key `site2-pswd` is the Map-Register authentication key; it must match the `authentication-key` configured for Site2 on those Map-Servers. The lines `ipv6 map-server` and `ipv6 map-resolver` enable the MS/MR role on the router itself; they are needed only on the HQ routers (xTR/MSMR), not on a remote xTR. All other sites are similar!

Page 46

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): Map-Server configuration

(Topology as on page 41.)

HQ2 xTR/MSMR/GM
    router lisp
     !
     site HQ
      authentication-key hq-pswd
      eid-prefix 192.168.18.0/24
      eid-prefix 192.168.19.0/24
      eid-prefix 192.168.255.14/32
      eid-prefix 192.168.255.15/32
      eid-prefix instance-id 1 192.168.14.0/24
      eid-prefix instance-id 1 1:1:14::/64
      eid-prefix instance-id 2 192.168.14.0/24
      eid-prefix instance-id 2 2:2:14::/64
      eid-prefix instance-id 3 192.168.14.0/24
      eid-prefix instance-id 3 3:3:14::/64
      exit
     !
     site Site1
      authentication-key site1-pswd
      eid-prefix 192.168.255.11/32
      eid-prefix instance-id 1 192.168.11.0/24
      eid-prefix instance-id 1 1:1:11::/64
      eid-prefix instance-id 2 192.168.11.0/24
      eid-prefix instance-id 2 2:2:11::/64
      eid-prefix instance-id 3 192.168.11.0/24
      eid-prefix instance-id 3 3:3:11::/64
      exit
     !
     ---<etc.>---

Each `site` stanza is the Map-Server's registration policy: an ETR may only register EID-prefixes listed under a site, per Instance-ID, and its Map-Register must be authenticated with that site's key. Use a distinct key per site, so that a compromised site cannot register (and thereby hijack) another site's prefixes.
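What the `site` stanzas above mean to a Map-Server, as an added Python example (not code from the Cisco deck or from IOS): a Map-Register is accepted only if every EID-prefix it carries falls under prefixes configured for one site, in the same Instance-ID, and the message authenticates with that site's key. The header layout and the HMAC rule (digest over the whole message with the Authentication Data field zero-filled; key ID 2 is HMAC-SHA-256-128) follow RFC 6833. The EID-record encoding, the `MapServer` class, the sample site table and the check order (find the owning site by prefix, then verify the HMAC with that site's key) are simplifications constructed for this example and say nothing about how IOS implements it.

```python
# Added example (not from the Cisco deck): Map-Server side of site registration.
import hashlib
import hmac
import ipaddress
import struct

MAP_REGISTER = 3
KEY_ID_HMAC_SHA256_128 = 2          # RFC 6833 key ID: HMAC-SHA-256 truncated to 128 bits
AUTH_LEN = 16
HDR = "!BBQHH"                      # type<<4 | flags, record count, nonce, key id, auth length
HDR_LEN = struct.calcsize(HDR)      # 14
REC = "!IB4s"                       # instance id, mask length, IPv4 prefix (simplified record)
REC_LEN = struct.calcsize(REC)      # 9


def _auth_data(key, message_with_zeroed_auth):
    return hmac.new(key.encode(), message_with_zeroed_auth, hashlib.sha256).digest()[:AUTH_LEN]


def build_map_register(key, nonce, records):
    """ETR side.  records: [(instance_id, 'a.b.c.d/len'), ...]"""
    body = b"".join(struct.pack(REC, iid, ipaddress.ip_network(p).prefixlen,
                                ipaddress.ip_network(p).network_address.packed)
                    for iid, p in records)
    hdr = struct.pack(HDR, MAP_REGISTER << 4, len(records), nonce,
                      KEY_ID_HMAC_SHA256_128, AUTH_LEN)
    return hdr + _auth_data(key, hdr + bytes(AUTH_LEN) + body) + body


class MapServer:
    def __init__(self, sites):
        # sites: {"HQ": {"key": "hq-pswd", "prefixes": [(iid, "cidr"), ...]}, ...}
        self.sites = {name: (cfg["key"], [(iid, ipaddress.ip_network(p))
                                          for iid, p in cfg["prefixes"]])
                      for name, cfg in sites.items()}
        self.registrations = {}     # (iid, prefix) -> registering site

    def _site_for(self, iid, net):
        for name, (_, configured) in self.sites.items():
            if any(i == iid and net.subnet_of(n) for i, n in configured):
                return name
        return None

    def process(self, msg):
        """Return ('accepted', site) or ('rejected', reason)."""
        if len(msg) < HDR_LEN + AUTH_LEN:
            return "rejected", "truncated"
        msg_type, count, _nonce, key_id, alen = struct.unpack(HDR, msg[:HDR_LEN])
        if msg_type >> 4 != MAP_REGISTER or key_id != KEY_ID_HMAC_SHA256_128 or alen != AUTH_LEN:
            return "rejected", "bad-header"
        auth, body = msg[HDR_LEN:HDR_LEN + AUTH_LEN], msg[HDR_LEN + AUTH_LEN:]
        if len(body) != count * REC_LEN:
            return "rejected", "bad-record-count"
        records = []
        for off in range(0, len(body), REC_LEN):
            iid, plen, addr = struct.unpack(REC, body[off:off + REC_LEN])
            records.append((iid, ipaddress.ip_network((addr, plen), strict=False)))
        # 1. policy: every prefix must be covered by the same configured site, per IID
        owners = {self._site_for(iid, net) for iid, net in records}
        if len(owners) != 1 or None in owners:
            return "rejected", "prefix-not-configured"
        site = owners.pop()
        # 2. authentication with that site's key, compared in constant time
        expected = _auth_data(self.sites[site][0], msg[:HDR_LEN] + bytes(AUTH_LEN) + body)
        if not hmac.compare_digest(auth, expected):
            return "rejected", "bad-authentication"
        for iid, net in records:
            self.registrations[(iid, str(net))] = site
        return "accepted", site


def demo():
    # constructed site table, modelled on the HQ and Site1 stanzas of page 46
    ms = MapServer({
        "HQ":    {"key": "hq-pswd",    "prefixes": [(0, "192.168.18.0/24"), (1, "192.168.14.0/24")]},
        "Site1": {"key": "site1-pswd", "prefixes": [(0, "192.168.255.11/32"), (1, "192.168.11.0/24")]},
    })
    ok = ms.process(build_map_register("site1-pswd", 0x1122,
                                       [(1, "192.168.11.0/24"), (0, "192.168.255.11/32")]))
    wrong_key = ms.process(build_map_register("hq-pswd", 0x1123, [(1, "192.168.11.0/24")]))
    wrong_iid = ms.process(build_map_register("site1-pswd", 0x1124, [(2, "192.168.11.0/24")]))
    # Site1's key cannot register HQ's prefix: the policy selects HQ, whose key does not match
    hijack = ms.process(build_map_register("site1-pswd", 0x1125, [(1, "192.168.14.0/24")]))
    return ok, wrong_key, wrong_iid, hijack, dict(ms.registrations)
```

The fourth case is the one the per-site keys buy you: with one shared key for all sites, the "hijack" register would be accepted and HQ's 192.168.14.0/24 in IID 1 would start resolving to the attacker's RLOCs for every ITR that asks.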

Page 47

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): verification on the Map-Server

    HQ2#show lisp site
    LISP Site Registration Information

    Site Name   Last      Up   Who Last     Inst   EID Prefix
                Register       Registered   ID
    HQ          00:00:46  yes  10.0.14.2    0      192.168.18.0/24
                00:00:05  yes  10.0.15.2    0      192.168.19.0/24
                00:00:46  yes  10.0.14.2    0      192.168.255.14/32
                00:00:05  yes  10.0.15.2    0      192.168.255.15/32
                00:00:09  yes  10.0.14.2    1      192.168.14.0/24
                00:00:56  yes  10.0.14.2    1      1:1:14::/64
                00:00:32  yes  10.0.15.2    2      192.168.14.0/24
                00:00:23  yes  10.0.15.2    2      2:2:14::/64
                00:00:54  yes  10.0.15.2    3      192.168.14.0/24
                00:00:43  yes  10.0.14.2    3      3:3:14::/64
    Site1       00:00:07  yes  10.0.11.2    0      192.168.255.11/32
                00:00:16  yes  10.0.11.2    1      192.168.11.0/24
                00:00:42  yes  10.0.11.2    1      1:1:11::/64
                00:00:32  yes  10.0.11.2    2      192.168.11.0/24
                00:00:41  yes  10.0.11.2    2      2:2:11::/64
    ---<etc.>---

Every configured prefix shows Up = yes together with the RLOC of the ETR that last registered it. A prefix that stays down here points at a missing `database-mapping` on the ETR, a key mismatch between `map-server … key` and `authentication-key`, or an unreachable RLOC.

Page 48

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): verification, EID to EID (IPv4, VRF DeptC)

    Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.13.1%DeptC
    ..!!!!!!!!
    Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
    Site3

The first two echoes are lost while the ITR has no map-cache entry for 192.168.14.0/24 in IID 3 and is waiting for the Map-Reply; once the mapping is cached, the remaining packets go through.

Page 49

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): verification, map-cache (IPv4, IID 3)

    Site3#show ip lisp map-cache instance-id 3
    LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
    ---<skip>---
    192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
      Locator    Uptime    State  Pri/Wgt
      10.0.14.2  00:01:38  up     1/50
      10.0.15.2  00:01:38  up     1/50
    ---<skip>---
    Site3#

The HQ prefix resolves to both HQ RLOCs with equal priority and weight, so traffic is load-balanced across the two HQ CPEs.

Page 50

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): verification, EID to EID (IPv6, VRF DeptA)

    Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
    Packet sent with a source address of 1:1:13::1%DeptA
    ..!!!!!!!!
    Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
    Site3

As with IPv4, the first two echoes are lost to the map-cache miss. The IPv6 EIDs are carried over the IPv4 RLOC core without any IPv6 in the underlay.

Page 51

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs): verification, map-cache (IPv6, IID 1)

    Site3#show ipv6 lisp map-cache instance-id 1
    LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
    ---<skip>---
    1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
      Locator    Uptime    State  Pri/Wgt
      10.0.14.2  00:00:33  up     1/50
      10.0.15.2  00:00:33  up     1/50
    ---<skip>---
    Site3#

The IPv6 EID prefix maps to IPv4 RLOCs: v6-over-v4 with no change to the core.

Page 52

Adding Encryption to LISP using GETVPN

Page 53

LISP Virtualization/VPNs: LISP Virtualization with GETVPN

Why GET VPN? GET VPN provides:
• Large-scale any-to-any connectivity
• Native routing without a tunnel overlay
• Optimal for QoS and multicast support
• Flexible span of control between enterprise and service provider
• Centralized policy distribution
• Transport agnostic: private WAN, FR/ATM, IP, MPLS

Page 54

LISP Virtualization/VPNs: LISP Virtualization with encryption

Group Domain of Interpretation (GDOI), RFC 6407: adding encryption

Figure: a Key Server and several Group Members around a routing domain; the Key Server distributes the group policy, a Key Encryption Key (KEK) and a Traffic Encryption Key (TEK) to every Group Member.

Group Member
• Encryption devices
• Route between secure / unsecure regions
• Multicast participation

Key Server
• Validate Group Members
• Manage security policy
• Create group keys
• Distribute policy / keys

GET VPN / GDOI
• RFC 6407
• “Stateless” IPsec: one group SA shared by all members instead of per-peer tunnels
• Traffic encryption keys computed on the Key Server, distributed to all Group Members
• Better scaling than vanilla IPsec

Page 55

LISP Virtualization/VPNs: LISP Virtualization with GETVPN

LISP and encryption (IOS)
• Recall that LISP is “Locator/ID” separation and creates two namespaces: EIDs and RLOCs
• LISP provides two ways to apply a crypto map

Use case              Crypto map on     Vanilla IPsec   GETVPN   Comments
--------------------  ----------------  -------------   ------   ------------------------------------------------
LISP default model    RLOC interface    ✔               ✔        LISP encap first, then encryption based on RLOC
                      LISP0             ✔               ✔        Encryption first based on EID, then LISP encap
LISP virtualization   RLOC interface    ✔               ✔        LISP encap first, then encryption based on RLOC
                      LISP0.x           ✔               ✔        Encryption first based on EID, then LISP encap

See lisp.cisco.com for the GETVPN+LISP Configuration Guide!

Page 56

LISP Virtualization/VPNs: LISP Virtualization with GETVPN

LISP provides two ways to apply a crypto map, resulting in different packet outcomes:
• LISP0: encryption, and then LISP processing
• RLOC: LISP processing, and then encryption

Figure (packet formats; sizes in bytes; GETVPN tunnel mode preserves the original IP header, so the outer header of the ESP packet is a copy of the header the crypto map saw):

LISP + GETVPN, crypto map on RLOC (LISP encap first, then ESP):
    [Original IPv4 header = copy of ITR IP hdr: saddr/daddr = RLOCs, proto 50 (ESP)]  20
    [ESP SPI, sequence]                                                              8
    [ITR IP hdr: saddr/daddr = RLOCs, proto 17 (UDP)]                               20   <- encrypted from here
    [UDP hdr (LISP): src xxxx, dst 4341]                                             8
    [LISP hdr]                                                                       8
    [Host IP hdr: saddr/daddr = EIDs, proto 1 (ICMP)]                               20
    [ICMP hdr: type 8, code 0]                                                       8
    [Payload]                                                                     xxxx
    [ESP trailer]

GETVPN + LISP, crypto map on LISP0 (ESP first based on EID, then LISP encap):
    [ITR IP hdr: saddr/daddr = RLOCs, proto 17 (UDP)]                               20
    [UDP hdr (LISP): src xxxx, dst 4341]                                             8
    [LISP hdr]                                                                       8
    [Original IPv4 header = copy of Host IP hdr: saddr/daddr = EIDs, proto 50 (ESP)] 20
    [ESP SPI, sequence]                                                              8
    [Host IP hdr: saddr/daddr = EIDs, proto 1 (ICMP)]                               20   <- encrypted from here
    [ICMP hdr: type 8, code 0]                                                       8
    [Payload]                                                                     xxxx
    [ESP trailer]

With the crypto map on the RLOC interface, the LISP header (and with it the Instance-ID) and the EID addresses are inside the encrypted payload. With the crypto map on LISP0.x, the LISP header, the Instance-ID and, because of GETVPN header preservation, the EID addresses remain readable to anyone on the core; the trade-off is that encryption is then applied per VRF, which is what the per-department groups on the following pages need.
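To make the difference between the two stacks concrete, the following Python model is an added example, not code from the Cisco deck: it lays out each header stack as a list of layers, reports which of them an observer on the RLOC core can read, and computes the bytes added on top of the original EID packet. The ESP sizes assume the transform set of page 57 (esp-aes 256 / esp-sha512-hmac: AES-CBC with a 16-byte IV and a 32-byte HMAC-SHA-512-256 ICV), tunnel mode with GETVPN header preservation, and a 56-byte ICMP echo payload; the `Layer` class and the function names are mine.

```python
# Added example (not from the Cisco deck): the two crypto-map placements of
# page 56 as header stacks, with cleartext exposure and per-packet overhead.
from dataclasses import dataclass

IP_HDR, UDP_HDR, LISP_HDR = 20, 8, 8
# esp-aes 256 / esp-sha512-hmac: SPI+seq, CBC IV, HMAC-SHA-512-256 ICV,
# pad-length + next-header trailer bytes, AES block size
ESP_HDR, ESP_IV, ESP_ICV, ESP_TRAILER, AES_BLOCK = 8, 16, 32, 2, 16


@dataclass
class Layer:
    name: str
    size: int
    encrypted: bool        # True when the layer sits inside the ESP payload


def esp_wrap(copied_header, inner):
    """Tunnel-mode ESP around `inner`; with GETVPN header preservation the
    outer IP header repeats the addresses of `copied_header`."""
    plain = sum(l.size for l in inner) + ESP_TRAILER
    pad = (-plain) % AES_BLOCK                      # CBC block alignment
    return ([Layer(f"outer IP (copy of {copied_header}, proto 50)", IP_HDR, False),
             Layer("ESP header (SPI, sequence)", ESP_HDR, False),
             Layer("ESP IV", ESP_IV, False)]
            + [Layer(l.name, l.size, True) for l in inner]
            + [Layer("ESP trailer (padding, pad-len, next-hdr)", ESP_TRAILER + pad, True),
               Layer("ESP ICV", ESP_ICV, False)])


def lisp_wrap(inner):
    """LISP encapsulation: outer IP with RLOCs, UDP to port 4341, 8-byte LISP header."""
    return [Layer("ITR IP (RLOC src/dst, proto 17)", IP_HDR, False),
            Layer("UDP (src xxxx, dst 4341)", UDP_HDR, False),
            Layer("LISP header (nonce, Instance-ID)", LISP_HDR, False)] + inner


def packet(mode, payload=56):
    host = [Layer("host IP (EID src/dst, proto 1)", IP_HDR, False),
            Layer("ICMP header + payload", 8 + payload, False)]
    if mode == "rloc":       # crypto map on the RLOC interface: LISP encap, then ESP
        return esp_wrap("ITR RLOC header", lisp_wrap(host))
    if mode == "lisp0":      # crypto map on LISP0.x: ESP on the EID packet, then LISP encap
        return lisp_wrap(esp_wrap("host EID header", host))
    raise ValueError(f"unknown mode {mode!r}")


def cleartext(mode, payload=56):
    """Names of the layers an observer on the core can read."""
    return [l.name for l in packet(mode, payload) if not l.encrypted]


def exposes_eids(mode):
    return any("EID" in name for name in cleartext(mode))


def exposes_instance_id(mode):
    return any("Instance-ID" in name for name in cleartext(mode))


def overhead(mode, payload=56):
    """Bytes added on top of the original host packet (IP + ICMP + payload)."""
    return sum(l.size for l in packet(mode, payload)) - (IP_HDR + 8 + payload)


if __name__ == "__main__":
    for mode in ("rloc", "lisp0"):
        print(mode, overhead(mode), "bytes overhead; cleartext:", cleartext(mode))
```

For the 56-byte echo the two placements cost 120 and 124 bytes respectively (the difference is only CBC padding), so the choice is not about overhead: `exposes_eids` and `exposes_instance_id` are false for the RLOC placement and true for LISP0.x, and the padded ESP sizes are what the lowered `ip mtu` / `ipv6 mtu` on the LISP0.x interfaces (page 60) have to leave room for.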

Page 57

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption

(Topology as on page 41.)

Examples: GETVPN Key Servers, nothing to do with LISP! The redundant Key Server is configured identically.

KS1
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 16
    crypto isakmp key FOO address 0.0.0.0
    crypto isakmp keepalive 15 periodic
    !
    crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
    !
    crypto ipsec profile GDOI-PROFILE
     set transform-set GDOI-TRANS
    !
    crypto gdoi group V4GROUP-0001
     identity number 10001
     server local
      rekey retransmit 60 number 2
      rekey authentication mypubkey rsa GET-KEYS1
      rekey transport unicast
      sa ipsec 1
       profile GDOI-PROFILE
       match address ipv4 GETVPN-0001
       replay time window-size 5
      address ipv4 192.168.18.2
      redundancy
       local priority 100
       peer address ipv4 192.168.19.2
    !
    ---<cont.>---

Caveats for a production deployment: `crypto isakmp key FOO address 0.0.0.0` is one wildcard pre-shared key for every Group Member, fine for a lab, but any device that learns the key can register with the Key Server and obtain the group TEK; use per-member keys or, better, certificate (rsa-sig) authentication. `replay time window-size 5` is time-based anti-replay, so all Group Members and Key Servers need synchronized clocks (NTP). The Key Server addresses 192.168.18.2 and 192.168.19.2 lie inside HQ's Instance-ID 0 EID prefixes (192.168.18.0/24 and 192.168.19.0/24), so GM registration rides over the default LISP instance and is not itself subject to the per-VRF crypto maps.

Page 58

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption: GETVPN Key Servers, continued (the redundant Key Server is configured identically)

KS1
    ! ---<cont.>---
    !
    crypto gdoi group ipv6 V6GROUP-0003
     identity number 20003
     server local
      rekey retransmit 60 number 2
      rekey authentication mypubkey rsa GET-KEYS3
      rekey transport unicast
      sa ipsec 1
       profile GDOI-PROFILE
       match address ipv6 GETVPN6-0003
       replay time window-size 5
      address ipv4 192.168.18.2
      redundancy
       local priority 100
       peer address ipv4 192.168.19.2
    !
    ip access-list extended GETVPN-0001
     permit ip any any
    ip access-list extended GETVPN-0002
     permit ip any any
    ip access-list extended GETVPN-0003
     permit ip any any
    !
    ipv6 access-list GETVPN6-0001
     permit ipv6 any any
    !
    ipv6 access-list GETVPN6-0002
     permit ipv6 any any
    !
    ipv6 access-list GETVPN6-0003
     permit ipv6 any any
    !

One GDOI group, and one `permit … any any` policy, per department and address family. Because the crypto map for V4GROUP-0001 is applied only to LISP0.1 (IID 1), “any any” means all EID traffic of that VRF, not everything the router forwards. The slide shows groups 0001 (IPv4) and 0003 (IPv6); the remaining groups are configured the same way.

Page 59

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption: GETVPN Group Members, add the crypto map to LISP0.x (identical on all LISP sites, cut/paste!)

Remote2 xTR/GM
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 16
    crypto isakmp key FOO address 192.168.18.2
    crypto isakmp key FOO address 192.168.19.2
    !
    crypto gdoi group V4GROUP-0001
     identity number 10001
     server address ipv4 192.168.18.2
     server address ipv4 192.168.19.2
     client registration interface Loopback0
    !
    ---<skip>---
    crypto gdoi group ipv6 V6GROUP-0003
     identity number 20003
     server address ipv4 192.168.18.2
     server address ipv4 192.168.19.2
     client registration interface Loopback0
    !
    crypto map MAP-V4-0001 10 gdoi
     set group V4GROUP-0001
    !
    ---<skip>---
    crypto map ipv6 MAP-V6-0003 10 gdoi
     set group V6GROUP-0003
    !

`client registration interface Loopback0` registers the GM from its Loopback0 address (192.168.255.12/32 on Remote2, an EID in Instance-ID 0, see page 44), which is why every site carries a /32 loopback in the default instance.

Page 60

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption: GETVPN Group Members, add the crypto map to LISP0.x (identical on all LISP sites, cut/paste!)

Remote2 xTR/GM
    !
    interface LISP0
    !
    interface LISP0.1
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0001
     crypto map MAP-V4-0001
    !
    interface LISP0.2
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0002
     crypto map MAP-V4-0002
    !
    interface LISP0.3
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0003
     crypto map MAP-V4-0003
    !

LISP0.x is the per-Instance-ID sub-interface (LISP0.1 for IID 1, and so on), so each department gets its own GDOI group and crypto map. The lowered `ip mtu` / `ipv6 mtu` leave room for the ESP and LISP headers so that encrypted EID packets are not fragmented in the core.

Page 61

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption: verification, EID to EID (IPv4, VRF DeptA, encrypted)

    Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.13.1%DeptA
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
    Site3#

The mapping is already cached from the earlier tests, so no echoes are lost; the round-trip time rises from about 1 ms to 5–6 ms with encryption enabled.

Page 62

LISP VPN/Virtualization: LISP Virtualization with GETVPN

3. Add encryption: verification, crypto engine connections

    Site3#show crypto engine connection active
    Crypto Engine Connections

       ID  Type   Algorithm       Encrypt  Decrypt  LastSeqN  IP-Address
    ---<skip>---
      143  IPsec  AES256+SHA512         0      100         0  192.168.14.1
      144  IPsec  AES256+SHA512       100        0         0  192.168.14.1
    ---<skip>---
    Site3#

The counters match the 100 echoes of the previous page (100 encrypted out, 100 decrypted in), and the peer address shown is the EID 192.168.14.1 rather than an HQ RLOC: the SA was applied before LISP encapsulation, as expected with the crypto map on LISP0.x.

Page 63

LISP VPN/Virtualization: Efficient Virtualization and High-Scale VPNs

LISP solution:
• 24-bit LISP Instance-ID segments control plane and data plane, with VRF binding to the Instance-ID

Benefits:
• Very high-scale tenant segmentation
• IP-based “overlay” solution, transport independent
• Inter-departmental VPNs without additional PE VRFs
• No MPLS VPN complexity
• Use of LISP removes customer IPv4 prefixes from MPLS
• Use of LISP (v6-over-v4) removes the SP from customer IPv6 config/mgmt

Figure: LISP sites, West DC and East DC over an IP network with a Mapping DB; legacy sites reached through a PxTR.

LISP+GETVPN Config Guide: http://lisp.cisco.com

Page 64

LISP - Introduction and overview
LISP - How it works
LISP - Example of use in an enterprise network
LISP - Current status
Summary

LISP - A Next Generation Networking Architecture

Page 65

LISP Status: LISP RFCs and notable drafts…

IETF LISP WG: http://tools.ietf.org/wg/lisp/

Draft                                                                 Target
--------------------------------------------------------------------  -------------------------------
LISP Canonical Address Format (draft-ietf-lisp-lcaf-04)               Active Working Group Document
LISP Deployment (draft-ietf-lisp-deployment-11)                       Active Working Group Document
LISP SEC (draft-ietf-lisp-sec-05)                                     Active Working Group Document
LISP DDT (draft-fuller-lisp-ddt-01)                                   Active Working Group Document
LISP Introduction (draft-ietf-lisp-introduction-03)                   Active Working Group Document
LISP Mobile Node (draft-meyer-lisp-mn-10)                             Related Working Group Document
LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05)              Related Working Group Document
LISP GPE (draft-lewis-lisp-gpe)                                       Related Working Group Document
LISP Deployment (draft-ietf-lisp-deployment-12)                       RFC Editor’s Queue
LISP Based FlowMapping for Scaling NFV (draft-barkai-lisp-nfv-04)     Related Internet Draft
LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00)   Related Internet Draft

RFCs
Locator/ID Separation Protocol (LISP) base document    RFC 6830
LISP Map Server                                        RFC 6833
LISP Interworking                                      RFC 6832
LISP Multicast                                         RFC 6831
LISP Internet Groper                                   RFC 6835
LISP Map Versioning                                    RFC 6834
LISP+ALT                                               RFC 6836
LISP MIB                                               RFC 7052
LISP Network Element Deployment Considerations         RFC 7215

Page 66

LISP Status: LISP Software – Available Releases: IOS Platforms

Cisco Releases (http://lisp.cisco.com)

ISRG1 (1800 Series, 2800 Series, 3800 Series)
  Software: Engineering Build 15.3(3)XB12
  Notes/Caveats: ISRs are EOS/EOL (Cisco support rules apply).

ISRG2 (800 Series, 1900 Series, 2900 Series, 3900 Series)
  Software: Mainline Build 15.4(2)T; Engineering Build 15.3(3)XB12
  Notes/Caveats: LISP features require the “datak9” or “securityk9” license

Page 67

LISP Status: LISP Software – Available Releases: IOS-XE Platforms

Cisco Releases (http://lisp.cisco.com)

ASR1K (1001 Series, 1002 Series, 1004 Series, 1006 Series, 1013 Series, 4451-X)
  Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
  Notes: LISP features require the “Advanced IP Services” or “Advanced Enterprise Services” license

CSR1KV (Cisco CSR1KV, Amazon Web Services)
  Software: Mainline Build 3.12.0S (15.4-2.S); Engineering Build 3.10.01xb.S
  Notes: LISP features require the “Premium” license

Page 68

LISP Status: LISP Software – Available Releases: NX-OS Platforms

Cisco Releases (http://lisp.cisco.com)

Nexus 7000
  Software: Mainline Build 6.2(8)
  Notes: Requires M1-32 LC modules. F1 modules and the F2e LC module can be used for LISP using proxy forwarding to an installed M1-32 LC module. Beginning with NX-OS 7.1.0, F3 modules will also support LISP.

Nexus 7700
  Software: Mainline Build 6.2(8)
  Notes: LISP requires the EPLD updated so that the FE Bridge is at version 186.008.

The Transport Services license must be installed to enable LISP.

Page 69

LISP Status: LISP Software – Available Releases: Catalyst Platforms

Cisco Releases (http://lisp.cisco.com)

Catalyst 6500
  Software: Mainline Build 15.1.2-SY2
  Notes: Requires the Sup2T supervisor engine and WS-X6904-40GE or WS-X6908-10G line cards. Supports xTR (IPv4-only RLOC), shared-mode virtualization, PxTR, MS and MR.

Catalyst 6800
  Software: Mainline Build 15.1.2-SY2
  Notes: 6880-X (semi-fixed chassis): supported on all ports at FCS, 15.1(2)SY1 for the baseboard and 15.1(2)SY2 for the port cards. 6807-XL (modular chassis): supported with Sup2T and 6900 series line cards (6908 and 6904) at FCS, 15.1(2)SY1 (not supported natively on Sup2T; the 6900 modules are needed for encap/decap). Supports xTR (IPv4-only RLOC), shared-mode virtualization, PxTR, MS and MR.

Page 70

LISP - Introduction and overview
LISP - How it works
LISP - Example of use in an enterprise network
LISP - Current status
Summary

LISP - A Next Generation Networking Architecture

Page 71

LISP Summary: Part of the LISP Solution Space

LISP is an Architecture…
1. Multihoming
2. IPv6 Transition
3. Virtualization/VPN
4. Mobility

Figure (built up across pages 71–74): xTRs connecting IPv4 and IPv6 networks (v4, v6) over an IPv4 core and an IPv6 core.

Page 75

Please rate this talk
• Thank you

Page 76

Q & A