LISP – A Next-Generation Architecture

Peyton Schouest – Customer Solutions Architect (@net20234)
Mitch Mitchiner – Customer Solutions Architect

BRKRST-3045 Session Presenters

Peyton Schouest – Solutions Architect, US Federal, CCIE# 20234
Mitch Mitchiner – Solutions Architect, US Federal, CCIE# 3958

BRKRST-3045 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• LISP Overview

• LISP Operations

• LISP Setup

• LISP Deployment Examples

• LISP Status

• LISP Summary

LISP Overview

Historical Motivation – Routing Scalability

“Routing scalability is the most important problem facing the Internet and must be solved.”

Internet Architecture Board (IAB) October 2006 Workshop (RFC 4984)

• Implications
  • Router and FIB memory costs
  • Heat and Power
  • Routing churn and convergence
  • Will only get worse with IPv6

Routing Scalability Factors

• Non-aggregatable prefixes
• Multi-homing

[Figure: two Internet (DFZ) diagrams showing the prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]

Genesis of Routing Scalability Factors

• The Overloading of IP Address Semantics
• Location
  • Where you are in the network
• Identity
  • Who you are in the network

[Figure: two Internet (DFZ) diagrams showing the prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]

Locator/ID Separation Protocol (LISP)

• A routing Architecture
  • Separate address spaces for Identity and Location
  • End-point Identifiers (EID)
  • Routing locators (RLOC)
• A Control Plane Protocol
  • A system that maps end-point identities to their current location
• A Data Plane Protocol
  • Encapsulates EID-addressed packets inside RLOC-addressed header.

[Figure labels: EID, Mapping System, RLOC]

LISP Properties

• On demand routing (pull model)
  • BGP and OSPF use push model
  • massively scalable
  • Forwarding state proportional to router capacity
• Simple to Deploy
  • Incrementally deployable
  • No host changes
  • End systems unaware of LISP
• Address family agnostic
  • IPv4 or IPv6 EIDs
  • IPv4 or IPv6 RLOCs
• IP Number Portability
  • Never renumber again
  • No DNS changes
  • Session survivability
• Open Standard
  • RFC 6830

Use Cases

• Routing Scalability
• Mobility
• Efficient Multi-homing
• Virtualization
• IPv6 Transition
• Programmable Overlays
• Multicast

[Figures: one small EID/RLOC diagram per use case]

SD-Access

Campus Fabric + DNA Center (Automation & Assurance)

• SD-Access – Available July 31
  GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
  Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.

• Campus Fabric – Shipping Now
  CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks.
  CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG.
  APIC-EM, ISE, NDP are all separate.

[Figure labels: APIC-EM (1.X / 2.0), ISE, NDP, DNA Center, Campus Fabric]

BRKCRS-2810 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

LISP Operations

Identity (EID) to Location (RLOC) Resolution

• Level of Indirection – Analogous to DNS
• DNS Answers “WHO IS ?”
    Who is lisp.cisco.com? → DNS Server → 153.16.5.29
• LISP Answers “WHERE IS ?”
    Where is 153.16.5.29? → LISP Mapping System → 128.107.81.169

IPv4 EID / IPv4 RLOC Data Plane Headers

• IPv4 Outer Header: ITR supplies RLOCs
• UDP Header
• LISP Header
• IPv4 Inner Header: Host supplies EIDs

EID & RLOC Combinations (For Your Reference)

[Figure: four packet layouts, labelled IPv4/IPv4, IPv4/IPv6, IPv6/IPv4 and IPv6/IPv6, each made of an outer header (IPv4 or IPv6), UDP, LISP and an inner header (IPv4 or IPv6)]

Map-Registration with RLOC Merging

1. ETR1 registers: b::/64 → 2.0.0.2
2. MS sends Map-Notify to ETR1: b::/64 → 2.0.0.2
3. ETR2 registers: b::/64 → 3.0.0.3
4. MS sends Map-Notify to both ETRs: b::/64 → 2.0.0.2, 3.0.0.3

Mapping after merging:

    b::/64 → 2.0.0.2, 3.0.0.3
      ETR1 → 2.0.0.2 priority 1 weight 75
      ETR2 → 3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]

xTR: Tunnel Router when direction of flow is irrelevant

Map-Request & Map-Reply

1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR FIB lookup for b::2 is a miss or a match on ::/0. LISP control plane signaled.
3. ITR sends Map-Request to MS for b::2/128.
4. MS forwards Map-Request to one of the ETRs.
5. ETR2 sends Map-Reply to ITR:

    b::/64 → 2.0.0.2 priority 1 weight 75
             3.0.0.3 priority 1 weight 25

Mapping held by the MS:

    b::/64 → 2.0.0.2, 3.0.0.3
      ETR1 → 2.0.0.2 priority 1 weight 75
      ETR2 → 3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]

Data Path

1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR finds route for b::/64.
   • Pre-encap load balancing between 2.0.0.2 and 3.0.0.3.
3. Post-encap load balance to 2.0.0.2 and transmit.
4. ETR1 decapsulates and forwards to b::2.

ITR map-cache:

    b::/64 → 2.0.0.2 priority 1 weight 75
             3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]
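The locator choice in the Data Path steps, as an added Python example (not code from the session): the ITR keeps the reachable RLOCs with the best (lowest) priority and hashes each flow onto them in proportion to weight, so 2.0.0.2 (weight 75) carries about three quarters of the flows. RFC 6830 defines the priority and weight semantics; the SHA-256 flow hash, the function names and the sample flows are assumptions made for illustration.

```python
import hashlib
from collections import namedtuple

UNUSABLE_PRIORITY = 255  # RFC 6830: priority 255 must not be used for unicast

Locator = namedtuple("Locator", "rloc priority weight up", defaults=(True,))

# Map-cache entry for b::/64 as shown on the slide.
B_SITE = (
    Locator("2.0.0.2", priority=1, weight=75),
    Locator("3.0.0.3", priority=1, weight=25),
)


def usable_locators(locators):
    """Return the reachable locators that share the best (lowest) priority."""
    candidates = [loc for loc in locators
                  if loc.up and loc.priority != UNUSABLE_PRIORITY]
    if not candidates:
        return []
    best = min(loc.priority for loc in candidates)
    return [loc for loc in candidates if loc.priority == best]


def flow_bucket(src_eid, dst_eid, src_port, dst_port, total_weight):
    """Hash the inner flow so every packet of a flow maps to the same bucket."""
    key = f"{src_eid}|{dst_eid}|{src_port}|{dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % total_weight


def select_rloc(locators, src_eid, dst_eid, src_port, dst_port):
    """Pick the RLOC for one flow, or None when no locator is usable."""
    usable = usable_locators(locators)
    if not usable:
        return None
    total = sum(loc.weight for loc in usable)
    if total == 0:
        # All weights zero: the receiver decides the split; spread evenly here.
        usable = [loc._replace(weight=1) for loc in usable]
        total = len(usable)
    bucket = flow_bucket(src_eid, dst_eid, src_port, dst_port, total)
    running = 0
    for loc in usable:
        running += loc.weight
        if bucket < running:
            return loc.rloc
    return usable[-1].rloc  # not reached: bucket is always below the total


def share_of_flows(locators, flows=10000):
    """Fraction of constructed a::1 -> b::2 flows that land on each RLOC."""
    counts = {}
    for offset in range(flows):
        rloc = select_rloc(locators, "a::1", "b::2", 1024 + offset, 443)
        counts[rloc] = counts.get(rloc, 0) + 1
    return {rloc: hits / flows for rloc, hits in counts.items()}


if __name__ == "__main__":
    print("both ETRs up:", share_of_flows(B_SITE))
    etr1_down = (B_SITE[0]._replace(up=False), B_SITE[1])
    print("ETR1 down:  ", share_of_flows(etr1_down))
```

With ETR1 marked down every flow moves to 3.0.0.3, which is the failover behaviour the two-locator mapping is meant to give.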

Proxy Map-Reply

1. ETRs send Map-Register for b::/64 with proxy-reply bit set.
2. ITR sends Map-Request for b::/64 to the mapping system.
3. Mapping system sends Proxy Map-Reply for b::/64 on behalf of ETRs:

    b::/64 → 2.0.0.2 priority 1 weight 75
             3.0.0.3 priority 1 weight 25

Mapping held by the MS (proxy bit set):

    b::/64 → 2.0.0.2, 3.0.0.3
      ETR1 → 2.0.0.2 priority 1 weight 75
      ETR2 → 3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]

Basic XTR Configuration

    router lisp
     locator-set SET1
      2.0.0.2 priority 0 weight 50
      exit
     !
     eid-table default instance-id 0
      database-mapping b::/64 locator-set SET1
      exit
     !
     ipv6 itr map-resolver 100.0.0.1
     ipv6 itr
     ipv6 etr map-server 100.0.0.1 key foo
     ipv6 etr
     exit
    !

Callout next to the locator-set, "alternative form": IPv4-interface e0/0, auto-discover-rlocs

[Figure: MR/MS at 100.0.0.1; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; hosts White and Pinkman]

Map Server Configuration

    router lisp
     site all
      authentication-key foo
      eid-prefix ::/0 accept-more-specifics
      exit
     !
     ipv6 map-server
     ipv6 map-resolver
     exit
    !

[Figure: MR/MS at 100.0.0.1; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; hosts White and Pinkman]

Multi-site Map Server Configuration

    router lisp
     site one
      authentication-key bar
      eid-prefix a::/64 accept-more-specifics
      exit
     !
     site two
      authentication-key foo
      eid-prefix b::/64 accept-more-specifics
      exit
     !
     ipv6 map-server
     ipv6 map-resolver
     exit
    !

[Figure: MR/MS at 100.0.0.1; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; hosts White and Pinkman]
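A review check for map-server site blocks like the two configurations above, as an added Python example (not code from the session or from Cisco): it flags a site whose EID prefix is the default route with accept-more-specifics, since any ETR holding that site's key can then register any EID prefix in that address family, and it flags an authentication key used by more than one site. The check names and the third, shared-key configuration are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# The single-site and multi-site map-server configurations from the slides.
SINGLE_SITE = """\
router lisp
 site all
  authentication-key foo
  eid-prefix ::/0 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
"""

MULTI_SITE = """\
router lisp
 site one
  authentication-key bar
  eid-prefix a::/64 accept-more-specifics
  exit
 !
 site two
  authentication-key foo
  eid-prefix b::/64 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!
"""

# Constructed variant of the multi-site config in which both sites share a key.
SHARED_KEY = MULTI_SITE.replace("authentication-key bar", "authentication-key foo")


def parse_sites(config):
    """Return {site: {"key": str or None, "prefixes": [(iid, network, more_specifics)]}}."""
    sites, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "site" and len(words) == 2:
            current = sites.setdefault(words[1], {"key": None, "prefixes": []})
        elif current is None:
            continue  # line is outside any site block
        elif words[0] == "exit":
            current = None
        elif words[0] == "authentication-key" and len(words) >= 2:
            current["key"] = words[-1]
        elif words[0] == "eid-prefix" and len(words) >= 2:
            rest, iid = words[1:], 0
            if rest[0] == "instance-id" and len(rest) >= 3:
                iid, rest = int(rest[1]), rest[2:]
            network = ipaddress.ip_network(rest[0], strict=False)
            more_specifics = "accept-more-specifics" in rest[1:]
            current["prefixes"].append((iid, network, more_specifics))
    return sites


def audit(config):
    """Return sorted (site, check, detail) findings; key values are never echoed."""
    sites = parse_sites(config)
    findings = []
    sites_by_key = defaultdict(list)
    for name, site in sites.items():
        if site["key"] is not None:
            sites_by_key[site["key"]].append(name)
        for iid, network, more_specifics in site["prefixes"]:
            if network.prefixlen == 0 and more_specifics:
                findings.append((name, "catch-all-eid-prefix",
                                 f"instance-id {iid} {network}"))
    for names in sites_by_key.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "shared-authentication-key",
                                 f"also used by site {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, config in (("single-site", SINGLE_SITE),
                          ("multi-site", MULTI_SITE),
                          ("shared-key (constructed)", SHARED_KEY)):
        print(label, audit(config))
```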

LISP Operations

LISP Data Plane :: Ingress/Egress Tunnel Router (ITR/ETR)(xTR)

Identical configs on both xTRs!

    !
    router lisp
     locator-set SITE2
      12.0.0.2 priority 1 weight 50
      13.0.0.2 priority 1 weight 50
      exit
     !
     eid-table default instance-id 0
      database-mapping 2001:db8:2::/48 locator-set SITE2
      exit
     !
     ipv6 itr map-resolver 66.2.2.2
     ipv6 itr
     ipv6 etr map-server 66.2.2.2 key S3cr3t-2
     ipv6 etr
     exit
    !
    ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
    !

[Figure: LISP Site 1 (PI EID-prefix 2001:db8:1::/48) with xTR-1 10.0.0.2 on Provider A 10.0.0.0/8 and xTR-2 11.0.0.2 on Provider B 11.0.0.0/8; LISP Site 2 (PI EID-prefix 2001:db8:2::/48) with xTR-3 12.0.0.2 on Provider C 12.0.0.0/8 and xTR-4 13.0.0.2 on Provider D 13.0.0.0/8; each xTR acts as ITR and ETR; packet flow from source S to destination D]

What About MTU?

• Determine tunnel MTU. Never exceed it.
• No reassembly at ETR!!
• How to determine tunnel MTU
  1. Path MTU discovery between local and remote RLOC
  2. Set it to a conservative value
• What if packet exceeds tunnel MTU?
  1. Send “packet too big” message to source
  2. Fragment before encapsulation. End-host will reassemble

[Figure: encapsulated packet layout: IPv4 (RLOCs), UDP, LISP, IPv4 (EIDs)]

LISP Mapping System

• RFC 6830: LISP
• RFC 6833: Map-Server Interface

[Figure: message exchange around the Mapping System, which is marked "Separate Standard": Map-Register, Map-Notify, Map-Request, Map-Reply and Solicit-Map-Request, each labelled RFC 6830 or RFC 6833]

Mapping System Redundancy

• Deploy multiple stand-alone Map-Servers.
• ETRs register to all Map-Servers
• ITRs send Map-Request to

[Figure: ITRs, ETR, MS and MR; label "Multiple Map-Registers"]

Delegated Database (DDT)

• ETR Registers to Multiple Map-Servers
• ITR Sends Map-Request to a Map-Resolver
• Map-Resolver Walks The Delegated Tree
• Authoritative Map-Server Forwards Map-Request to ETR
• ETR Sends Map-Reply to ITR

[Figure: tree of DDT nodes above a row of MS nodes, with an MR, an ETR and ITRs]

LISP Interworking

• Early Recognition
  • LISP not widely deployed on day-one
  • LISP designed with incremental deployments in mind.
• Interworking
  • Communicate with the rest of the Internet
  • LISP sites to non-LISP sites
  • Non-LISP sites to LISP sites

[Figure: MS/MR; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; non-LISP Internet Site c::/64; hosts White and Goodman]

Negative Map-Reply & Native Forwarding

Mapping system: a::/64 → 1.0.0.1, b::/64 → 2.0.0.2

1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 is a miss or a match on ::/0.
3. ITR sends Map-Request for c::3/128.
4. Map server sends Negative Map-Reply with shortest possible prefix:
   • Covering c::3/128
   • Not covering EID prefixes
   • In this example: c::/14

ITR map-cache: c::/14 → forward-native

[Figure: MS/MR; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; non-LISP Internet Site c::/64; hosts White and Goodman]
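How the map server arrives at c::/14 in step 4, as an added Python example (not code from the session): it widens the prefix around the requested EID until one more bit would overlap a registered EID prefix, and a toy ITR then caches the result as forward-native so later packets to nearby non-LISP destinations trigger no further Map-Request. The `Itr` class, its method names and the extra destinations d::9 and f::1 are constructed for illustration.

```python
import ipaddress

# Mapping-system contents from the slide: EID prefix -> RLOCs.
REGISTERED = {"a::/64": ["1.0.0.1"], "b::/64": ["2.0.0.2"]}


def negative_prefix(target, registered):
    """Shortest prefix covering `target` that overlaps no registered EID prefix.

    Returns None when `target` is inside a registered prefix, because a
    positive Map-Reply applies in that case.
    """
    addr = ipaddress.ip_address(target)
    nets = [ipaddress.ip_network(p) for p in registered]
    nets = [n for n in nets if n.version == addr.version]
    if any(addr in n for n in nets):
        return None
    # Try /0 first and lengthen the mask until nothing registered is covered.
    for length in range(addr.max_prefixlen + 1):
        candidate = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        if not any(candidate.overlaps(n) for n in nets):
            return candidate
    return None  # not reached: the host prefix itself overlaps nothing here


class Itr:
    """Toy ITR map-cache that counts the Map-Requests it has to send."""

    def __init__(self, registered):
        self.registered = registered
        self.cache = {}        # ip_network -> RLOC list or "forward-native"
        self.map_requests = 0

    def _cache_lookup(self, addr):
        matches = [n for n in self.cache
                   if n.version == addr.version and addr in n]
        if not matches:
            return None
        return self.cache[max(matches, key=lambda n: n.prefixlen)]

    def _map_request(self, addr):
        """Ask the mapping system and install the (negative) reply."""
        self.map_requests += 1
        for prefix, rlocs in self.registered.items():
            net = ipaddress.ip_network(prefix)
            if net.version == addr.version and addr in net:
                self.cache[net] = rlocs
                return rlocs
        self.cache[negative_prefix(str(addr), self.registered)] = "forward-native"
        return "forward-native"

    def forward(self, dst):
        """Return the RLOC list for `dst`, or "forward-native"."""
        addr = ipaddress.ip_address(dst)
        hit = self._cache_lookup(addr)
        return hit if hit is not None else self._map_request(addr)


if __name__ == "__main__":
    print(negative_prefix("c::3", REGISTERED))   # c::/14
    itr = Itr(REGISTERED)
    for dst in ("c::3", "d::9", "f::1", "b::2"):
        print(dst, "->", itr.forward(dst), "| Map-Requests so far:", itr.map_requests)
```

A /13 around c::3 would span 8:: through f:: and so cover a::/64 and b::/64, which is why the reply stops at /14.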

Negative Map-Reply & Native Forwarding

Mapping system: a::/64 → 1.0.0.1, b::/64 → 2.0.0.2
ITR map-cache: c::/14 → forward-native

1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 matches forward-native route.
3. Native (a::1,c::3) packet sent

• Potential Pitfall
  • URPF Check at ISP
  • Drop packets not sourced by 1.0.0.1

[Figure: MS/MR; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; non-LISP Internet Site c::/64; hosts White and Goodman]

Proxy ETR (PETR)

LISP Site to non-LISP Site

1. ITR configured to use PETR for negative map-replies.

    ipv6 use-petr 3.0.0.3

2. Negative map-reply received for non-LISP prefix.
3. Packets from a::1 to c::3 drawn to ITR.
4. FIB match on c::/14
5. ITR encapsulates, load balances & transmits to PETR
6. PETR decapsulates and forwards natively.

ITR map-cache: c::/14 → 3.0.0.3

[Figure: MS/MR; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; PETR 3.0.0.3; non-LISP Internet Site c::/64; hosts White and Goodman]

Proxy ITR (PITR)

non-LISP Site to LISP Site

• PITR advertises coarse-aggregate EID Prefix.
  • 8::/14 in this example
  • 153.16.0.0/16 Beta Network

1. Traffic from Internet drawn to PITR (c::3 to a::1)
2. PITR exchanges Map-Request & Map-Reply for a::1 with Mapping System
3. PITR encapsulates and transmits to ETR
4. ETR decapsulates and forwards to destination

PITR map-cache: a::/64 → 1.0.0.1

[Figure: MS/MR; a::/64 behind ETR 1.0.0.1; b::/64 behind XTR 2.0.0.2; PITR 3.0.0.3; non-LISP Internet Site c::/64; hosts White and Goodman]

Disjoint Locator Space

How can an IPv4 RLOC talk to an IPv6 RLOC

1. Locator scopes configured in the Map Server.
     Scope 1 → IPv4 RLOC Prefix
     Scope 2 → IPv6 RLOC Prefix
2. RLOCs in ETR Map-Register match Scope 2
3. RLOCs in ITR Map-Request match Scope 1
4. Map-Server detects disjoint Scopes & sends Proxy Map-Reply with RTR IPv4 RLOC.
5. ITR encapsulates & Transmits to IPv4 RTR RLOC
6. RLOCs in RTR Map-Request match Scope 1 and Scope 2. No disjointness. Map-reply sent with ETR RLOCs.
7. RTR re-encapsulates & Transmits to ETR RLOC

Example assumes proxy Map-Reply

[Figure: MS/MR; a::/64 behind an ITR with IPv4 RLOCs (Scope 1); b::/64 behind an ETR with IPv6 RLOCs (Scope 2) on an IPv6 SP; RTR between the two scopes]

Virtualization

Mapping system (MS/MR):

    IID  EID        RLOC
    1    1.0.0.0/8  RLOC1
    1    2.0.0.0/8  RLOC2
    2    1.0.0.0/8  RLOC1
    2    2.0.0.0/8  RLOC2

[Figure: two xTRs, RLOC1 and RLOC2, each with vrf green (IID 1) and vrf blue (IID 2); the EID prefixes 1.0.0.0/8 and 2.0.0.0/8 appear in both VRFs. Packets towards 2./8 are drawn as Payload, IP (2./8), LISP (IID 1 or IID 2), IP (RLOC2).]

• Shared MS/MR
  • Located in RLOC Space
• Multi-tenant XTR
  • Accommodates multiple customers
  • Deployed as PE

Interface LISP0

Interface LISP0.x, x = IID (LISP0.1, LISP0.2, LISP0.3)

Attach config for:
• crypto-map
• Assign QoS Policy
• Netflow
• ACLs

To Enterprise Internal Networks:
Segmentation by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks)

To IPv4 or IPv6 Core: RLOC namespace
• Single RLOC namespace
• Default table (or RLOC VRF)

[Figure: HQ with VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3), two xTR/MSMR/GM routers and two KS; IPv4 Core; Site 1, Site 2 and Site 3 with xTR/GM routers]

How to setup LISP

LISP example topology

Build the network configuration

Say we want to build this…

- Three VRFs, IPv4 and IPv6
- HQ multihomed, two CPE
- Remote multihomed, one CPE
- Remote single-homed, DHCP
- Add encryption

[Figure: HQ with VRF DeptA (IID 1), VRF DeptB (IID 2) and VRF DeptC (IID 3), two xTR/MSMR/GM routers and two KS; IPv4 Core; Site 1, Site 2 and Site 3 with xTR/GM routers]

Three steps to go

How do we build this? Three common steps:

1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption

LISP “underlay”

1. Build the underlay (RLOCs)

Examples:
• Normal IP routing…
• Nothing to do with LISP!

HQ1 xTR/MSMR/GM

    !
    hostname HQ1
    !
    interface Ethernet0/0
     ip address 10.0.14.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.0.14.1
    !

Remote2 xTR/GM

    !
    hostname Remote2
    !
    interface Ethernet0/0
     ip address 10.2.1.2 255.255.255.252
    !
    interface Ethernet1/0
     ip address 10.2.2.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.2.1.1
    ip route 0.0.0.0 0.0.0.0 10.2.2.1
    !

All other sites are similar!

LISP “underlay”

1. Build the underlay (RLOCs)

Verification…

Example: RLOC to RLOC

    Site2#ping 10.0.14.2 source 10.2.2.2 rep 10
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds:
    Packet sent with a source address of 10.2.2.2
    !!!!!!!!!!
    Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 ms
    Site2#

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Remote2 xTR/GM

    !
    router lisp
     locator-set Site2
      10.2.1.2 priority 1 weight 50
      10.2.2.2 priority 1 weight 50
      exit
     !
     eid-table default instance-id 0
      database-mapping 192.168.255.16/32 locator-set Site2
      exit
     !
     eid-table vrf DeptA instance-id 1
      database-mapping 192.168.16.0/24 locator-set Site2
      database-mapping 1:1:16::/64 locator-set Site2
      exit
     !
     eid-table vrf DeptB instance-id 2
      database-mapping 192.168.16.0/24 locator-set Site2
      database-mapping 2:2:16::/64 locator-set Site2
      exit
     !
     eid-table vrf DeptC instance-id 3
      database-mapping 192.168.16.0/24 locator-set Site2
      database-mapping 3:3:16::/64 locator-set Site2
      exit
     !

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Remote2 xTR/GM

     ! – continued – LISP control plane
     !
     ipv4 itr map-resolver 10.0.14.2
     ipv4 itr map-resolver 10.0.15.2
     ipv4 itr
     ipv4 etr map-server 10.0.14.2 key site2-pswd
     ipv4 etr map-server 10.0.15.2 key site2-pswd
     ipv4 etr
     ipv6 map-server
     ipv6 map-resolver
     ipv6 itr map-resolver 10.0.14.2
     ipv6 itr map-resolver 10.0.15.2
     ipv6 itr
     ipv6 etr map-server 10.0.14.2 key site2-pswd
     ipv6 etr map-server 10.0.15.2 key site2-pswd
     ipv6 etr
     exit
    !

All other sites are similar!

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Map-Server Config…

HQ2 xTR/MSMR/GM

    router lisp
     !
     site HQ
      authentication-key hq-pswd
      eid-prefix 192.168.18.0/24
      eid-prefix 192.168.19.0/24
      eid-prefix 192.168.255.14/32
      eid-prefix 192.168.255.15/32
      eid-prefix instance-id 1 192.168.14.0/24
      eid-prefix instance-id 1 1:1:14::/64
      eid-prefix instance-id 2 192.168.14.0/24
      eid-prefix instance-id 2 2:2:14::/64
      eid-prefix instance-id 3 192.168.14.0/24
      eid-prefix instance-id 3 3:3:14::/64
      exit
     !
     site Site1
      authentication-key site1-pswd
      eid-prefix 192.168.255.11/32
      eid-prefix instance-id 1 192.168.11.0/24
      eid-prefix instance-id 1 1:1:11::/64
      eid-prefix instance-id 2 192.168.11.0/24
      eid-prefix instance-id 2 2:2:11::/64
      eid-prefix instance-id 3 192.168.11.0/24
      eid-prefix instance-id 3 3:3:11::/64
      exit
     !
    ------

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Verification…

HQ2 xTR/MSMR/GM

    HQ2#show lisp site
    LISP Site Registration Information

    Site Name  Last      Up   Who Last    Inst  EID Prefix
               Register       Registered  ID
    HQ         00:00:46  yes  10.0.14.2   0     192.168.18.0/24
               00:00:05  yes  10.0.15.2   0     192.168.19.0/24
               00:00:46  yes  10.0.14.2   0     192.168.255.14/32
               00:00:05  yes  10.0.15.2   0     192.168.255.15/32
               00:00:09  yes  10.0.14.2   1     192.168.14.0/24
               00:00:56  yes  10.0.14.2   1     1:1:14::/64
               00:00:32  yes  10.0.15.2   2     192.168.14.0/24
               00:00:23  yes  10.0.15.2   2     2:2:14::/64
               00:00:54  yes  10.0.15.2   3     192.168.14.0/24
               00:00:43  yes  10.0.14.2   3     3:3:14::/64
    Site1      00:00:07  yes  10.0.11.2   0     192.168.255.11/32
               00:00:16  yes  10.0.11.2   1     192.168.11.0/24
               00:00:42  yes  10.0.11.2   1     1:1:11::/64
               00:00:32  yes  10.0.11.2   2     192.168.11.0/24
               00:00:41  yes  10.0.11.2   2     2:2:11::/64
    ------

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Verification…

Example: EID to EID

    Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.13.1%DeptC
    ..!!!!!!!!
    Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
    Site3

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Verification…

Example: EID to EID

    Site3#show ip lisp map-cache instance-id 3
    LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
    ------
    192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
      Locator    Uptime    State  Pri/Wgt
      10.0.14.2  00:01:38  up     1/50
      10.0.15.2  00:01:38  up     1/50
    ------
    Site3#

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Verification…

Example: EID to EID

    Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
    Packet sent with a source address of 1:1:13::1%DeptA
    ..!!!!!!!!
    Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
    Site3

LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Verification…

Example: EID to EID

    Site3#show ipv6 lisp map-cache instance-id 1
    LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
    ------
    1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
      Locator    Uptime    State  Pri/Wgt
      10.0.14.2  00:00:33  up     1/50
      10.0.15.2  00:00:33  up     1/50
    ------
    Site3#

Adding Encryption to LISP using GETVPN

LISP encryption

• LISP and encryption (IOS)
  – Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs
  – LISP provides two ways to apply a crypto map

    Use-Case             crypto-map on  Vanilla IPsec  GETVPN  Comments
    Default LISP Model   RLOC           ✔              ✔       LISP encap first, then encryption based on RLOC
    Default LISP Model   LISP0          ✔              ✔       Encryption first based on EID, then LISP encap
    LISP Virtualization  RLOC           ✔              ✔       LISP encap first, then encryption based on RLOC
    LISP Virtualization  LISP0.x        ✔              ✔       Encryption first based on EID, then LISP encap

Bug ID shown on the slide next to the LISP Virtualization rows: CSCuc63717

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!

LISP Header with IPSec (For Your Reference)

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

IPsec + LISP, crypto map on LISP0 (outermost header first, sizes in bytes as shown on the slide):

    ITR IP Hdr (LISP) 20 | UDP Hdr 8 (D:4341, S:xx) | LISP Hdr 8 | Host IP Hdr 20 | ESP SPI xx | Host IP Hdr 20 | ICMP Hdr 8 | Payload xxxx | ESP trailer xx

LISP + IPsec, crypto map on RLOC (outermost header first, sizes in bytes as shown on the slide):

    ITR IP Hdr (LISP) 20 | ESP SPI xx | ITR IP Hdr 20 | UDP Hdr 8 (D:4341, S:xx) | LISP Hdr 8 | Host IP Hdr 20 | ICMP Hdr 8 | Payload xxxx | ESP trailer xx

[Figure: the two packet layouts above, with source/destination address fields and the IP protocol values 17 (UDP), 50 (ESP) and 1 (ICMP) marked in the IP headers]

LISP Header with GETVPN

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

GETVPN + LISP, crypto map on LISP0 (outermost header first, sizes in bytes as shown on the slide):

    ITR IP Hdr (LISP) 20 | UDP Hdr 8 (D:4341, S:xx) | LISP Hdr 8 | Host IP Hdr 20 | ESP SPI xx | Host IP Hdr 20 | ICMP Hdr 8 | Payload xxxx | ESP trailer xx

LISP + GETVPN, crypto map on RLOC (outermost header first, sizes in bytes as shown on the slide):

    ITR IP Hdr (LISP) 20 | ESP SPI xx | ITR IP Hdr 20 | UDP Hdr 8 (D:4341, S:xx) | LISP Hdr 8 | Host IP Hdr 20 | ICMP Hdr 8 | Payload xxxx | ESP trailer xx

[Figure: the two packet layouts above, each with one header marked "Original IPv4 Header", with source/destination address fields and the IP protocol values 17 (UDP), 50 (ESP) and 1 (ICMP) marked in the IP headers]

Encryption Configuration

    interface LISP0
    !
    interface LISP0.1
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP1
     crypto map MAP1
    !
    . . .
    !
    crypto map MAP1 10 gdoi
     set group V4GROUP-0001
    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 16
    crypto isakmp key FOO address 192.168.18.2
    crypto isakmp key FOO address 192.168.19.2
    !
    crypto gdoi group V4GROUP-0001
     identity number 10001
     server address ipv4 192.168.18.2
     server address ipv4 192.168.19.2
     client registration interface Loopback0

LISP encryption (1)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 16
    crypto isakmp key FOO address 0.0.0.0
    crypto isakmp keepalive 15 periodic
    !
    crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
    !
    crypto ipsec profile GDOI-PROFILE
     set transform-set GDOI-TRANS
    !
    crypto gdoi group V4GROUP-0001
     identity number 10001
     server local
      rekey retransmit 60 number 2
      rekey authentication mypubkey rsa GET-KEYS1
      rekey transport unicast
      sa ipsec 1
       profile GDOI-PROFILE
       match address ipv4 GETVPN-0001
       replay time window-size 5
      address ipv4 192.168.18.2
      redundancy
       local priority 100
       peer address ipv4 192.168.19.2
    !
    ------

LISP encryption (2)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

    !
    ------
    !
    crypto gdoi group ipv6 V6GROUP-0003
     identity number 20003
     server local
      rekey retransmit 60 number 2
      rekey authentication mypubkey rsa GET-KEYS3
      rekey transport unicast
      sa ipsec 1
       profile GDOI-PROFILE
       match address ipv6 GETVPN6-0003
       replay time window-size 5
      address ipv4 192.168.18.2
      redundancy
       local priority 100
       peer address ipv4 192.168.19.2
    !
    ip access-list extended GETVPN-0001
     permit ip any any
    ip access-list extended GETVPN-0002
     permit ip any any
    ip access-list extended GETVPN-0003
     permit ip any any
    !
    ipv6 access-list GETVPN6-0001
     permit ipv6 any any
    !
    ipv6 access-list GETVPN6-0002
     permit ipv6 any any
    !
    ipv6 access-list GETVPN6-0003
     permit ipv6 any any
    !

LISP encryption (3)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

    !
    crypto isakmp policy 10
     encr aes 256
     authentication pre-share
     group 16
    crypto isakmp key FOO address 192.168.18.2
    crypto isakmp key FOO address 192.168.19.2
    !
    crypto gdoi group V4GROUP-0001
     identity number 10001
     server address ipv4 192.168.18.2
     server address ipv4 192.168.19.2
     client registration interface Loopback0
    !
    ------
    crypto gdoi group ipv6 V6GROUP-0003
     identity number 20003
     server address ipv4 192.168.18.2
     server address ipv4 192.168.19.2
     client registration interface Loopback0
    !
    crypto map MAP-V4-0001 10 gdoi
     set group V4GROUP-0001
    !
    ------
    crypto map ipv6 MAP-V6-0003 10 gdoi
     set group V6GROUP-0003
    !

LISP encryption (4)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

    !
    interface LISP0
    !
    interface LISP0.1
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0001
     crypto map MAP-V4-0001
    !
    interface LISP0.2
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0002
     crypto map MAP-V4-0002
    !
    interface LISP0.3
     ip mtu 1456
     ipv6 mtu 1436
     ipv6 crypto map MAP-V6-0003
     crypto map MAP-V4-0003
    !

LISP encryption

Verification (1)

Example: EID to EID

    Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.13.1%DeptA
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
    Site3#

LISP encryption

Verification (2)

Example: EID to EID

    Site3#show crypto engine connection active
    Crypto Engine Connections
       ID  Type   Algorithm      Encrypt  Decrypt  LastSeqN  IP-Address
    ------
      143  IPsec  AES256+SHA512        0      100         0  192.168.11.1
      144  IPsec  AES256+SHA512      100        0         0  192.168.11.1
    ------
    Site3#

LISP Deployment Examples

• LISP Deployment Models
• LISP Over MPLS
• Efficient IPv4 & IPv6 Multihoming
• Data Center Mobility
• LISP Mobile Nodes

LISP Deployment Examples
Public and Private LISP Deployment Models

Private Model
• “Private” LISP deployment supports the needs of single Enterprises or Entities
• LISP Enterprise deploys:
  - xTRs
  - Mapping System
  - Proxy System

Public Model
• “Public” LISP deployment supports multiple Enterprises
• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs

[Diagrams: Stand-Alone Example, Private Enterprise Examples, Global Examples. Labels: ddt-root.org, LISP SP, LISP Ent, Enterprise A, Enterprise B, Enterprise C, NJEdge.Net, VXNet, InTouch, LISP Beta, PCCC, CCM, BCC, CCC, MU, Princeton]

LISP Deployment Examples
Efficient Virtualization and High-Scale VPNs

LISP VPNs: Cryptography, Routing and Tunneling -- all in one!

Encapsulation
• EID prefix virtualization
• Tied to VRFs
• Locators can be virtualized too

Security
• LISP works with any crypto scheme
• Locators or EIDs can be encrypted
• LISP-SEC for control plane security

Site to Site Routing
• Spoke to spoke connectivity
• Optional local Internet offload (split-tunnel)
• No IGP required to branch sites!

LISP Deployment Examples
Efficient Virtualization and High-Scale VPNs

LISP – inherent scalability and virtualization, rapidly deployable

Scalability (# of VPN sites): Unconstrained
• No protocol constraint
• 100K concurrent site connections

VPN site-to-site routing: Unnecessary
• No site-to-site routing required
• No VPN route injection into core
• LISP / Non-LISP site interworking through PxTR

Secure Segmentation: 24-bit Instance ID with VRF
• 16M unique VPN classifiers
• Used by LISP control plane and data plane
• Optional data plane encryption with GETVPN

Performance: Optimal Path (P2P), Loadbalancing
• Shortest path between LISP sites
• Equal cost/unequal cost loadbalancing

LISP and MPLS interaction

• LISP provides a scalable way to extend VPNs across an IP/MPLS core
• Avoid per-VRF costs
• Pull VPN routes out of the MPLS core
• Circumvent address family constraints
• Fast convergence on site Up/Down events

[Diagram: Location X and Location Y, each with Group A ... Group N devices and networks behind xTRs (GM), connected CE to PE across the MPLS VPN core, with an MSMR. Annotations: PE-CE = BGP; CE to CE Customer routes = LISP]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

• Needs:
  ‒ Site connectivity to multiple providers for resiliency
  ‒ Low OpEx/CapEx solution for Ingress TE
  ‒ Rapid IPv6 deployment, minimal disruption
• LISP Solution:
  ‒ LISP provides a streamlined solution for handling multi-provider connectivity and policy without BGP complexities
  ‒ LISP encapsulation is Address Family agnostic, allowing for IPv6 over an IPv4 core, or IPv4 over an IPv6 core
• Benefits:
  ‒ OpEx-friendly multi-homing across different providers
  ‒ Ingress Traffic Engineering that actually “works”
  ‒ Minimal configuration
  ‒ No core network changes

[Diagram panels: Efficient Multihoming (LISP site routers connected to the Internet); Connecting IPv4 or IPv6 Islands over IPv6 or IPv4 Cores; IPv6 Transition Support (xTR, PxTR, IPv4 Core, IPv4 Internet, IPv6 Internet, v6 service)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

[Diagram: LISP site with xTR-1 (GE0/0/0 10.1.1.2/30, to SP1) and xTR-2 (GE0/0/0 10.2.1.2/30, to SP2); EIDs 172.16.1.2/24 and 2001:db8:a:1::2/64 towards the enterprise internal IPv4 or IPv6 networks; RLOC namespace towards the IPv4 or IPv6 core. Other labels: PxTR and MR/MS at 10.10.10.10, 10.10.10.11, 10.10.30.10, 10.10.30.11; IPv6 RLOCs 2001:db8:e000:2::1, 2001:db8:e000:2::2, 2001:db8:f000:2::1, 2001:db8:f000:2::2; IPv4 Default; IPv4 Internet. Annotations: egress LISP0 feature tx encaps; ingress LISP0 feature rcv decaps]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

PxTR1#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries
------
172.16.1.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.1.1.2  00:01:38  up     1/50
  10.2.1.2  00:01:38  up     1/50
------

[Diagram: same LISP site topology as on the previous slide (xTR-1 10.1.1.2/30 to SP1, xTR-2 10.2.1.2/30 to SP2, EIDs 172.16.1.2/24 and 2001:db8:a:1::2/64, PxTR and MR/MS)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

NJEDge.Net (PRODUCTION)

Target Market:
• State of New Jersey Educational Entities (k-12, universities, colleges)

Customer Site: http://njedge.net
Customer Case Study: http://lisp.cisco.com

LISP Services:
• BGP-free Multihoming
• IPv6 Internet Access
• Host Mobility Disaster-Recovery (adding now…)
• Inter-Departmental VPNs (adding next…)

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

[Diagram: Constituent Member Topologies. Member 1, Member 2, Member 3 ... Member N CPE routers use a default route or BGP towards Tier 1 SP1, Tier 1 SP2 and a commodity SP (default route), reaching the IPv4 Internet and IPv6 Internet through the transit SP (Facebook, Google and other v4/v6 destinations)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Before LISP…
• Configuration complexity…
• Uneven multihoming load shares…

They wanted: 50%/50%
They got: 90%/10% ? 80%/20% ? Never 50%/50%

router bgp 100
 bgp router-id 172.16.2.1
 bgp asnotation dot
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 172.16.2.1 remote-as 300   <== eBGP to SP1
 neighbor 172.16.1.2 remote-as 400   <== eBGP to SP2
 !
 address-family ipv4
  no synchronization
  redistribute ospf route-map populate-default
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 route-map filter-out out
  neighbor 172.16.1.2 route-map filter-in in
  neighbor 172.16.1.2 maximum-prefix 450000 90
  neighbor 172.16.2.1 activate
  neighbor 172.16.2.1 route-map filter-out out
  neighbor 172.16.2.1 route-map filter-in in
  neighbor 172.16.2.1 maximum-prefix 450000 90
  no auto-summary
 exit-address-family
!
ip bgp-community new-format
ip community-list standard outlist permit 100:123
!
route-map populate-default permit 10
 set origin igp
 set community 100:123
!
route-map filter-out permit 10
 match community outlist
!
route-map filter-in permit 10
 match community inlist
!

Many more features can be added here...

[Diagram: Constituent Member Topologies, as on the previous slide: Member 1 ... Member N CPE routers with default route or BGP towards Tier 1 SP1, Tier 1 SP2 and the commodity SP]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Deploy LISP…
• Configuration simplicity…

router lisp
 locator-set Site3
  172.16.1.2 priority 1 weight 50
  172.16.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 10.1.1.0/24 locator-set Site3
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 172.17.1.1
 ipv4 etr map-server 172.17.1.1 key s3cr3t
 ipv4 use-petr 10.5.5.5
!

[Diagram: NJEDge.Net LISP Network with MS/MR and PxTR pairs in front of Tier 1 SP1, Tier 1 SP2 and the commodity SP; the Member 1 ... Member N CPE routers become xTRs using default routes]
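The "priority 1 weight 50" pair in locator-set Site3 is what produces the 50%/50% ingress share that the BGP design could not. The following is an added example, not code from the deck or from Cisco: it parses the locator lines of that stanza and picks an RLOC per flow the way an encapsulating ITR is expected to (lowest priority value wins, weight splits traffic among equal priorities, priority 255 is never used). The SHA-256 flow hash, the `up` flag and the constructed flow tuples are assumptions of the example.

```python
import hashlib
import re
from collections import Counter

# Locator lines copied from the slide's "locator-set Site3" stanza.
LOCATOR_SET_SITE3 = """\
172.16.1.2 priority 1 weight 50
172.16.2.2 priority 1 weight 50
"""

LOCATOR_RE = re.compile(r"^\s*(\S+)\s+priority\s+(\d+)\s+weight\s+(\d+)\s*$")


def parse_locator_set(text):
    """Parse 'RLOC priority P weight W' lines into a list of dicts."""
    locators = []
    for line in text.splitlines():
        match = LOCATOR_RE.match(line)
        if match:
            rloc, priority, weight = match.groups()
            locators.append({"rloc": rloc, "priority": int(priority),
                             "weight": int(weight), "up": True})
    return locators


def usable_locators(locators):
    """Reachable locators of the best priority (lowest value wins, 255 = never use)."""
    candidates = [l for l in locators if l["up"] and l["priority"] != 255]
    if not candidates:
        return []
    best = min(l["priority"] for l in candidates)
    return [l for l in candidates if l["priority"] == best]


def select_rloc(locators, flow):
    """Choose the RLOC for one flow, proportionally to weight.

    Hashing the flow tuple keeps every packet of a flow on the same locator.
    The SHA-256 based hash is an assumption of this example.
    """
    usable = usable_locators(locators)
    if not usable:
        return None
    # If every weight is 0, share equally instead of dividing by zero.
    weights = [l["weight"] for l in usable]
    if sum(weights) == 0:
        weights = [1] * len(usable)
    digest = hashlib.sha256(repr(flow).encode()).digest()
    point = int.from_bytes(digest[:8], "big") % sum(weights)
    for locator, weight in zip(usable, weights):
        if point < weight:
            return locator["rloc"]
        point -= weight
    return None  # not reached: point is always below sum(weights)


def load_share(locators, n_flows=10000):
    """Count how many constructed flows land on each RLOC."""
    counts = Counter()
    for i in range(n_flows):
        # Constructed 5-tuple: (src, dst, protocol, sport, dport).
        flow = ("198.51.100.%d" % (i % 250 + 1), "10.1.1.%d" % (i % 200 + 1),
                6, 1024 + i, 443)
        counts[select_rloc(locators, flow)] += 1
    return dict(counts)


if __name__ == "__main__":
    site3 = parse_locator_set(LOCATOR_SET_SITE3)
    print("both locators up:", load_share(site3))
    site3[0]["up"] = False
    print("172.16.1.2 down: ", load_share(site3))
```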

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Deploy LISP…
• Configuration simplicity…

[Diagram: NJEDge.Net LISP Network with MS/MR and PxTR pairs; traffic flows labelled Non-LISP-to-LISP and LISP-to-LISP; IPv4 EID Aggregate Advertisement towards the IPv4 Internet; Member 1 ... Member N xTRs using default routes towards Tier 1 SP1, Tier 1 SP2 and the commodity SP]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

NJEDge.Net is now adding IPv6 for its members!

[Diagram: NJEDge.Net LISP Network with MS/MR and PxTR pairs; IPv6 EID Aggregate Advertisement towards the IPv6 Internet; traffic flows labelled Non-LISP-to-LISP and LISP-to-LISP; Member 1 ... Member N xTRs with IPv6 EIDs, using default routes towards Tier 1 SP1, Tier 1 SP2 and the commodity SP]

LISP Deployment Examples
Data Center/Host Mobility

• Needs:
  ‒ VM-Mobility extending subnets and across subnets
  ‒ Move detection, dynamic EID-to-RLOC mappings, traffic redirection
• Historical Solutions:
  ‒ Sub-optimal Routing (Triangulation)
  ‒ Additional Resource Consumption
  ‒ Increased Complexity (DNS updates)
  ‒ OpEx Spend
• LISP:
  ‒ Changes the Paradigm

[Diagram: Data Center 1 and Data Center 2, each behind a LISP router connected to the Internet; VM a.b.c.1 moves from one data center to the other]

LISP Deployment Examples
Data Center/Host Mobility

LISP Host Mobility Config Guide: http://lisp.cisco.com

Moves With LAN Extension
• Routing for Extended Subnets
  Active-Active Data Centers
  Distributed Data Centers

Moves Without LAN Extension
• IP Mobility Across Subnets
  Disaster Recovery
  Cloud Bursting

[Diagrams: LISP site xTR and Mapping DB over an IPv4 network, with LISP-VM (xTR) routers at West-DC and East-DC. With LAN extension: a DC LAN extension joins the two data centers. Without LAN extension: a non-LISP site, and a DR location or cloud provider]

LISP Deployment Examples
Data Center/Host Mobility – No LAN Extension: First-Hop Routing

• SVI (Interface VLAN x) and HSRP configured as usual
  – Consistent GWY-MAC configured across all dynamic subnets
• The lisp mobility command enables proxy-arp functionality on the SVI
  – The LISP-VM router services first hop routing requests for both local and roaming subnets
• Moving hosts always talk to a local gateway with the same MAC

interface vlan 200 interface vlan 100 ip address 10.2.0.8/24 interface vlan 100 ip address 10.3.0.7/24 interface Ethernet2/4 lisp mobility roamer ip address 10.2.0.5/24 lisp mobility roamer ip address 10.1.0.6/24 ip proxy-arp lisp mobility roamer ip proxy-arp lisp mobility roamer hsrp 201 ip proxy-arp hsrp 201 ip proxy-arp mac-address 0000.0e1d.010c hsrp 101 mac-address 0000.0e1d.010c hsrp 101 B C ip 10.3..0.1 mac-address 0000.0e1d.010c A D ip 10.3.0.1 mac-addressip 0000.0e1d.010c 10.2.0.1 ip 10.2.0.1

[Diagram: LISP-VM (xTR) routers A, B, C, D; West-DC 10.2.0.0/24 and East-DC 10.3.0.0/24, each with an HSRP Active router; host 10.2.0.2 sends ARP for the gateway and receives the GWY-MAC in both data centers]

LISP Deployment Examples
Data Center/Host Mobility – ETR Updates across LISP sites

Null0 host routes indicate the host is “away”

Mapping DB:
  10.2.0.0/16 – RLOC A, B
  10.2.0.2/32 – RLOC C, D

Routing Table (xTRs A and B, site 10.2.0.0/16):
  10.2.0.0/16 – Local
  10.2.0.2/32 – Null0

Routing Table (xTRs C and D, site 10.3.0.0/16):
  10.3.0.0/16 – Local
  10.2.0.0/24 – Null0
  10.2.0.2/32 – Local

[Diagram: host 10.2.0.2 moves between West-DC and East-DC; numbered steps 1 to 10 include a Map-Register for 10.2.0.2/32 to the Mapping DB and Map-Notify messages for 10.2.0.2/32. Other labels: 5.1.1.1, 5.2.2.2, X, Y]

LISP Deployment Examples
Data Center/Host Mobility – Refreshing map-caches

1. ITRs and PITRs with cached mappings continue to send traffic to the old locators
   • The old DC xTR knows the host has moved (Null0 route)
2. Old xTR sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host
3. The ITR then initiates a new map request process
4. An updated map-reply is issued from the new location
5. The ITR Map Cache is updated

Traffic now flows shortest path

Map Cache @ ITR:
  10.2.0.0/16 – RLOC A,B
  10.2.0.2/32 – RLOC C,D

[Diagram: LISP site ITR, Mapping DB, LISP-VM (xTR) routers A, B (West-DC, 10.2.0.0/16) and C, D (East-DC, 10.3.0.0/16); hosts X, Y, Z; host 10.2.0.2 now in East-DC]
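The five steps above can be followed end to end in a small model. This is an added example, not code from the deck or from any LISP implementation: it uses the slide's prefixes and RLOC names (10.2.0.0/16 behind A,B; host 10.2.0.2 moving behind C,D), while the class and function names are hypothetical. Note that the ITR does not take a new locator from the SMR itself; the SMR only makes it send a fresh Map-Request, and the mapping it installs comes from the reply.

```python
import ipaddress


def longest_match(table, eid):
    """Return (prefix, value) for the most specific prefix in table covering eid."""
    addr = ipaddress.ip_address(eid)
    hits = [p for p in table if addr in p]
    if not hits:
        return None
    best = max(hits, key=lambda p: p.prefixlen)
    return best, table[best]


class MappingDB:
    """Map-server/map-resolver view: registered EID prefix -> RLOC set."""

    def __init__(self):
        self.registrations = {}

    def register(self, prefix, rlocs):
        self.registrations[ipaddress.ip_network(prefix)] = tuple(rlocs)

    def resolve(self, eid):
        return longest_match(self.registrations, eid)


class ITR:
    """Encapsulating router with a map-cache filled from map-replies."""

    def __init__(self, mapping_db):
        self.mapping_db = mapping_db
        self.map_cache = {}
        self.map_requests = 0

    def map_request(self, eid):
        """Query the mapping system and install the reply in the map-cache."""
        self.map_requests += 1
        reply = self.mapping_db.resolve(eid)
        if reply:
            prefix, rlocs = reply
            self.map_cache[prefix] = rlocs
        return reply

    def encapsulate_to(self, eid):
        """RLOC set the ITR would encapsulate to for this destination EID."""
        hit = longest_match(self.map_cache, eid) or self.map_request(eid)
        return hit[1] if hit else None

    def receive_smr(self, eid):
        """Steps 3-5: the SMR only triggers a new Map-Request."""
        return self.map_request(eid)


class OldSiteXTR:
    """xTR at the site the host left; 'away' hosts are its Null0 host routes."""

    def __init__(self):
        self.away = set()

    def map_notify(self, host_prefix):
        self.away.add(ipaddress.ip_network(host_prefix))

    def receive(self, eid, from_itr):
        """Step 2: traffic for an away host is answered with an SMR to the sender."""
        if any(ipaddress.ip_address(eid) in p for p in self.away):
            from_itr.receive_smr(eid)
            return "smr-sent"
        return "delivered"


def run_move_scenario():
    db = MappingDB()
    db.register("10.2.0.0/16", ["A", "B"])                   # West-DC site prefix
    west, itr, trace = OldSiteXTR(), ITR(db), {}
    trace["before_move"] = itr.encapsulate_to("10.2.0.2")
    # Host 10.2.0.2 moves: the new xTRs register the /32, the old site is notified.
    db.register("10.2.0.2/32", ["C", "D"])
    west.map_notify("10.2.0.2/32")
    trace["stale_cache"] = itr.encapsulate_to("10.2.0.2")    # step 1
    trace["old_xtr"] = west.receive("10.2.0.2", itr)         # steps 2-5
    trace["after_smr"] = itr.encapsulate_to("10.2.0.2")
    trace["same_subnet_neighbour"] = itr.encapsulate_to("10.2.0.3")
    trace["map_requests"] = itr.map_requests
    return trace


if __name__ == "__main__":
    for step, value in run_move_scenario().items():
        print(step, value)
```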

LISP Deployment Examples
Data Center/Host Mobility – Customer Example

MPLS Core, Across Subnets – Topology

[Diagram: Customer-A Site 1 (CE1, ITR/ETR) and Customer-A Site 2 (CE2, ITR/ETR) attached via PE1 and PE2 to the Customer-A MPLS-VPN across the MPLS Core; PE3 and PE4 towards the data centers; CE3, CE4, CE5, CE6 with MS/MR and ITR/ETR roles; Blue/DC 1 (Location 1) 172.17.0.0/16 and Blue/DC 2 (Location 2) 172.18.0.0/16; 172.17.0.0/24 is the DYNAMIC EID]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example

MPLS Core, Across Subnets – Topology

IOS (Customer-A Site 1 xTR, RLOC 10.1.1.2, EID 172.16.1.0/24):

router lisp
 eid-table default instance-id 0
  database-mapping 172.16.1.0/24 10.1.1.2 pri 1 wei 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.1.5.1
 ipv4 itr map-resolver 10.1.6.1
 ipv4 etr map-server 10.1.5.1 key s3cr3t
 ipv4 etr map-server 10.1.6.1 key s3cr3t
!

IOS (MS/MR, RLOC 10.1.5.1 and RLOC 10.1.6.1):

router lisp
 !
 site DCs
  authentication-key DCs3cr3t
  eid-prefix 172.17.0.0/16 accept-more-specifics
  eid-prefix 172.18.0.0/16
  exit
 !
 site Site-1
  authentication-key s3cr3t
  eid-prefix 172.16.1.0/24
  exit
 !
 -----
 ipv4 map-server
 ipv4 map-resolver
 exit
!

[Diagram: same topology as on the previous slide, with RLOC 10.1.1.2 and EID 172.16.1.0/24 at Customer-A Site 1, and RLOC 10.1.5.1 and RLOC 10.1.6.1 at the MS/MRs]
LISP Deployment Examples
Data Center/Host Mobility – Customer Example

MPLS Core, Across Subnets – Topology

NX-OS (Blue/DC 1, Location 1, 172.17.0.0/16; RLOC-A 10.2.5.1, RLOC-B 10.2.5.5):

ip lisp itr-etr
ip lisp database-mapping 172.17.0.0/16 10.2.5.1 p 1 w 50
ip lisp database-mapping 172.17.0.0/16 10.2.5.5 p 1 w 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM
  database-mapping 172.17.0.0/24 10.2.5.1 p 1 w 50
  database-mapping 172.17.0.0/24 10.2.5.5 p 1 w 50
  map-notify-group 239.1.1.1

interface vlan 100
  ip address 172.17.0.2/24 (or 172.17.0.3/24)
  lisp mobility CUST-A-ROAM
  ip proxy-arp
  hsrp 101
    mac-address 0000.0e1d.010c
    ip 172.17.0.1

NX-OS (Blue/DC 2, Location 2, 172.18.0.0/16; RLOC-C 10.2.6.1, RLOC-D 10.2.6.5):

ip lisp itr-etr
ip lisp database-mapping 172.18.0.0/16 10.2.6.1 p 1 w 50
ip lisp database-mapping 172.18.0.0/16 10.2.6.5 p 1 w 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM
  database-mapping 172.17.0.0/24 10.2.6.1 p 1 w 50
  database-mapping 172.17.0.0/24 10.2.6.5 p 1 w 50
  map-notify-group 239.2.2.2

interface vlan 100
  ip address 172.18.0.2/24 (or 172.18.0.3/24)
  lisp mobility CUST-A-ROAM
  ip proxy-arp
  hsrp 101
    mac-address 0000.0e1d.010c
    ip 172.18.0.1

[Diagram: same topology as on the previous slides; 172.17.0.0/24 is the DYNAMIC EID]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example

MPLS Core, Across Subnets – Topology

map-cache (Customer-A Site 1 xTR, RLOC 10.1.1.2, EID 172.16.1.0/24):
  EID-prefix: 172.17.0.12/32
  Locator-set:
    10.2.5.1, priority: 1, weight: 50
    10.2.5.5, priority: 1, weight: 50

the server is here: 172.17.0.12/32

[Diagram: same topology; RLOC-A 10.2.5.1, RLOC-B 10.2.5.5, RLOC-C 10.2.6.1, RLOC-D 10.2.6.5; Blue/DC 1 (Location 1) 172.17.0.0/16, Blue/DC 2 (Location 2) 172.18.0.0/16]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example

MPLS Core, Across Subnets – Topology

map-cache (Customer-A Site 1 xTR, RLOC 10.1.1.2, EID 172.16.1.0/24):
  EID-prefix: 172.17.0.12/32
  Locator-set:
    10.2.6.1, priority: 1, weight: 50
    10.2.6.5, priority: 1, weight: 50

the server moves here: 172.17.0.12/32

[Diagram: same topology; RLOC-A 10.2.5.1, RLOC-B 10.2.5.5, RLOC-C 10.2.6.1, RLOC-D 10.2.6.5; Blue/DC 1 (Location 1) 172.17.0.0/16, Blue/DC 2 (Location 2) 172.18.0.0/16]

LISP for Cloud Connect

[Diagram: Customer-A Site 1 (CE1, ITR/ETR) on the Customer-A MPLS-VPN (PE1, MPLS Core, PE5, PE6); a CSR1kV reached through the ISP and the Internet; CE5, CE6, CE7, CE8 with MS/MR and ITR/ETR roles; Blue/DC 1 (Location 1) 172.17.0.0/16 and Blue/DC 2 (Location 2) 172.18.0.0/16]

LISP Deployment Examples
LISP Mobile Node

A LISP-MN Phone is a LISP Site!!…

What can a LISP-MN Device do?
• Two MNs can roam and stay connected
• MNs can be servers
• MNs roam without changing DNS entries
• MNs can use multiple interfaces
• MNs can control ingress packet policy
• Faster hand-offs
• Low battery use by MS proxy-replying
• And most importantly, packets have stretch of “1” – best for latency/delay sensitive applications

LISP-MN can scale to 1 billion hand-sets!

[Diagram: handset with two interfaces, 64.0.0.1 (wifi) and 3G (65.0.0.1); "This device is a LISP xTR!"; EID-prefix: 2610:00d0:xxxx::1/128; Map-Server: 64.1.1.1]

LISP Mobile Node

LISP-MN mobility around the world!

LISP Status

IETF LISP WG: http://tools.ietf.org/wg/lisp/

LISP RFCs and notable drafts

RFCs:
• Locator/ID Separation Protocol (LISP) base document: RFC 6830
• LISP Map Server: RFC 6833
• LISP Interworking: RFC 6832
• LISP Multicast: RFC 6831
• LISP Internet Groper: RFC 6835
• LISP Map Versioning: RFC 6834
• LISP+ALT: RFC 6836
• LISP MIB: RFC 7052
• LISP Network Element Deployment Considerations: RFC 7215
• LISP Data-Plane Confidentiality: RFC 8061
• LISP Delegated Database Tree (LISP-DDT): RFC 8111

Drafts (Draft: Target):
• LISP Traffic Engineering Use-Cases (draft-farinacci-lisp-te-12): Active Working Group Document
• LISP L2/L3 EID Mobility Using a Unified Control Plane (draft-ietf-lisp-eid-mobility-00): Active Working Group Document
• LISP SEC (draft-ietf-lisp-sec-05): Active Working Group Document
• LISP Predictive RLOCs (draft-ietf-lisp-predictive-rlocs-00): Active Working Group Document
• LISP Configuration YANG Model (draft-ietf-lisp-yang-04): Active Working Group Document
• LISP Mobile Node (draft-meyer-lisp-mn-10): Related Working Group Document
• LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05): Related Working Group Document
• LISP GPE (draft-lewis-lisp-gpe): Related Working Group Document
• Signal-Free LISP Multicast (draft-ietf-lisp-signal-free-multicast-04): RFC-Editor’s Queue
• LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04): Related Internet Draft
• LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00): Related Internet Draft

LISP - Open Standard Specification
IETF Work…

IETF Specification
• Nine RFCs presently published: RFC 6830 thru 6836, 7052 and 7215
• 6+ year thorough customer/vendor review
• No IPR claims on LISP IETF specifications

Ongoing IETF LISP WG Focus
• LISP base specifications (LCAF, deployment, LISP-SEC, LISP-DDT, LISP-MN)
• Use cases being documented:
  • DC Virtualization and Host Mobility
  • WAN Virtualization, Multi-Homing, IPv6 Adoption/Transition
  • Traffic Engineering and Service Chaining
  • SDN/NFV

IETF LISP WG: http://tools.ietf.org/wg/lisp/

LISP Status
LISP Beta Network – International R&D and demonstration network

EMAIL: [email protected]

• LISP Community Operated:
  • More than 5+ years of operation…
  • More than ~600+ Sites, 45+ countries…

• Interoperable LISP implementations:
  • Cisco
    - IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
    - Cisco IOS-XR (CRS3, ASR9K)
    - Cisco NX-OS (N7K)
    - Cisco Cat6K
  • AVM “FRITZ!Box”
  • OpenWrt
  • Open Source
    - FreeBSD: OpenLISP
    - : Aless, LISPmob, OpenWrt
    - Android and more…

http://www.lisp4.net
http://www.lisp.intouch.eu/
http://vinciconsulting.com/vxnet
http://www.itris-enterprise.ch/
Plus some others… ;-)

BRKRST-3045 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 98 LISP Status Cisco Releases (http://lisp.cisco.com) LISP Software – Available Features:: By Features IOS IOS-XE NX-OS IOS-XR Cat 6K . Roles: - ITR/ETR      - PITR/PETR      - MS/MR    ASR9k  - RTR   roadmap roadmap roadmap . AF Support - EID v4/v6      - RLOC v4/v6   v4 only 5.3.0 v4 only . Virtualization - Shared/Parallel     shared . Mobility - ESM/ASM    roadmap ASM 15.2(1)SY - ESM Multi-Hop    roadmap roadmap . Multicast    roadmap roadmap . NAT-Traversal testing testing testing roadmap roadmap

LISP References
Links and emails

WEB: http://lisp.cisco.com

EMAIL: [email protected]

LISP Summary

Part of the LISP Solution Space:
1. Multihoming
2. IPv6 Transition
3. Virtualization/VPN
4. Mobility

[Diagram: xTRs connecting an IPv6 Network and an IPv4 Network across an IPv6 Core and an IPv4 Core (v4, v6)]

LISP is an Architecture…



• Related sessions:

• Advanced – Troubleshooting LISP. Session ID: BRKRST-3047 • Enhancing VXLAN/EVPN Fabrics with LISP. Session ID: LTRDCT-2224 • Networking Challenges when Interconnecting Data Center Fabrics. Session ID: BRKDCN-2001 • Transition to an IPv6 environment using LISP - A Hands-on LAB. Session ID: LABRST-2020

SD-Access Cisco Live Sessions

Breakout Sessions:

BRKCRS-2810: DNA Campus Fabric Automation – A Look Under the Hood (2 Hour, Shawn Wargo) (run twice)

BRKCRS-2811: DNA Campus Fabric Automation – Connecting the Campus Fabric to External Networks (2 Hour, Satish Kondalam) (run twice)

BRKCRS-2812: DNA Campus Fabric Automation – Integrating with Your Existing Network (2 Hour, Kedar Karmarkar)

BRKCRS-2813: DNA Campus Fabric Automation – Monitoring and Troubleshooting (90 min, Vimarsh Puneet)

BRKCRS-2814: DNA Campus Fabric Automation – Assurance and Analytics (90 min, Karthik Kumar Thatikonda)

BRKCRS-3811: DNA Campus Fabric Automation – Policy Driven Manageability (90 min, Victor Moreno)

BRKEWN-2020: DNA Campus Fabric Automation – Wireless Integration (2 Hour, Simone Arena and Kedar Karmarkar)

BRKDCN-2489: DNA Campus Fabric Automation – Integration with Data Center Architectures (90 min, Karthik Kumar Thatikonda)

Labs:

LTRCRS-2810: DNA Campus Fabric Automation – Hands-On Lab (4 Hour, Derek Huckaby and Larissa Overbey) (run twice)

Thank you