LISP in a SDA World

Peyton Schouest – Solutions Architect @net20234 Anthony Swanson – Systems Engineer

BRKRST-2614

Agenda

• Introduction
• Overview of LISP
  • Control & Data Plane
  • LISP to Non-LISP Reachability
• LISP within SD-Access
  • Control & Data Plane
  • Border Node to Non-SDA Reachability
• Multicast Functionality with LISP and SDA
  • LISP Multicast Control & Data Plane (Phase 1)
  • SDA Multicast Control & Data Plane
• Conclusion

#CLUS BRKRST-2614 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Presenters

Peyton Schouest, Solutions Architect, US Federal, CCIE# 20234
Anthony Swanson, Systems Engineer, US Federal, CCIE# 17153


Overview of LISP

Historical Motivation – Routing Scalability

“Routing scalability is the most important problem facing the Internet and must be solved.”

Internet Architecture Board (IAB) October 2006 Workshop (RFC 4984)

• Implications
  • Router and FIB memory costs
  • Heat and Power
  • Routing churn and convergence
  • Will only get worse with IPv6

Routing Scalability Factors

• Non-aggregatable prefixes
• Multi-homing

[Figure: two views of the Internet (DFZ) carrying the prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]

Genesis of Routing Scalability Factors

• The Overloading of IP Address Semantics
  • Location: Where you are in the network
  • Identity: Who you are in the network

[Figure: the same two views of the Internet (DFZ) with prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]

Locator/ID Separation Protocol (LISP)

• A routing Architecture
  • Separate address spaces for Identity and Location
  • End-point Identifiers (EID)
  • Routing locators (RLOC)
• A Control Plane Protocol
  • A system that maps end-point identities to their current location
• A Data Plane Protocol
  • Encapsulates EID-addressed packets inside RLOC-addressed header.

[Figure: two EID sites attached to the RLOC space, with the Mapping System]

Use Cases

• Routing Scalability
• Mobility
• Efficient Multi-homing
• Virtualization

Use Cases

• IPv6 Transition
• Programmable Overlays
• Multicast

SD-Access: Campus Fabric + DNA Center (Automation & Assurance)

• SD-Access
  GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
  DNA Center integrates multiple systems, to orchestrate your LAN, Wireless LAN and WAN access.

• Campus Fabric
  CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks.
  CLI provides backwards compatibility but management is box-by-box. API provides device automation via NETCONF/YANG.
  Separated management systems.

[Figure: DNA Center with NCP, ISE and NDP above the Campus Fabric]

The Overlay is the Only Way!

A Fabric is an Overlay

• An Overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.

• An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.

Examples of Network Overlays
• GRE or mGRE
• LISP
• MPLS or VPLS
• OTV
• IPSec or DMVPN
• DFA
• CAPWAP
• ACI

Locator / ID Separation Protocol: LISP Mapping System

LISP “Mapping System” is analogous to a DNS lookup

‒ DNS resolves IP Addresses for queried Name. Answers the “WHO IS” question.
  DNS Name-to-IP URL Resolution, Host to DNS Server:
  [ Who is lisp.cisco.com ] ?
  [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]

‒ LISP resolves Locators for queried Identities. Answers the “WHERE IS” question.
  LISP ID-to-Locator Map Resolution, LISP Router to LISP Map System:
  [ Where is 2610:D0:110C:1::3 ] ?
  [ Locator is 128.107.81.169, 128.107.81.170 ]

Locator / ID Separation Protocol: LISP Roles & Responsibilities

Map Server / Resolver
• EID to RLOC Mappings
• Can be distributed across multiple LISP devices

Tunnel Router - XTR
• Edge Devices Encap / Decap
• Ingress / Egress (ITR / ETR)

Proxy Tunnel Router - PXTR
• Connects between LISP and non-LISP domains
• Ingress / Egress (PITR / PETR)

• EID = End-point Identifier
  • Host Address or Subnet
• RLOC = Routing Locator
  • Local Router Address

Map System table (also shown at the Map Server / Resolver and the ITR):

EID          RLOC
a.a.a.0/24   w.x.y.1
b.b.b.0/24   x.y.w.2
c.c.c.0/24   z.q.r.5
d.d.0.0/16   z.q.r.5

Non-LISP table:

Prefix    Next-hop
w.x.y.1   e.f.g.h
x.y.w.2   e.f.g.h
z.q.r.5   e.f.g.h
z.q.r.5   e.f.g.h

[Figure: EID Space on both sides of the RLOC Space, with ITR, ETR and PXTR at the edges]

SD-Access Fabric: Roles & Terminology

• DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
• Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

[Figure: DNA Center, Identity Services (ISE) and Analytics Engine (NDP) above a Campus Fabric with Fabric Border Nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes and a Fabric Wireless Controller]

SD-Access Fabric: Fabric Terminology

• “Control-Plane Node” ≈ “LISP Map-Server”

• “Edge Node” ≈ “LISP XTR + Endpoints”

• “Border Node” ≈ “PXTR” + “LISP XTR + Subnets”

• “Intermediate Node” ≈ “Non-LISP IP Forwarder”

IPv4 EID / IPv4 RLOC Data Plane Headers

• IPv4 Outer Header: ITR supplies RLOCs
• UDP Header: 4341 - Data, 4342 - Control
• LISP Header
• IPv4 Inner Header: Host supplies EIDs

EID & RLOC Combinations (For Your Reference)

[Figure: four header stacks, each an IPv4 or IPv6 Outer Header, UDP, LISP, and an IPv4 or IPv6 Inner Header, labelled IPv4/IPv4, IPv4/IPv6, IPv6/IPv4 and IPv6/IPv6]

SD-Access Fabric: Key Components – VXLAN

1. Control-Plane based
2. Data-Plane based on VXLAN

ORIGINAL PACKET:   ETHERNET | IP | PAYLOAD
PACKET IN LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD               (Supports L3 Overlay Only)
PACKET IN VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   (Supports L2 & L3 Overlay)

What About MTU?

• Determine tunnel MTU. Never exceed it.
• No reassembly at ETR!!
• How to determine tunnel MTU
  1. Path MTU discovery between local and remote RLOC
  2. Set it to a conservative value
• What if packet exceeds tunnel MTU?
  1. Send “packet too big” message to source
  2. Fragment before encapsulation. End-host will reassemble

[Figure: header stack IPv4 (RLOCs), UDP, LISP, IPv4 (EIDs)]

Map-Registration with RLOC Merging (For Your Reference)

1. ETR1 registers: b::/64 → 2.0.0.2
2. MS sends Map-Notify to ETR1: b::/64 → 2.0.0.2
3. ETR2 registers: b::/64 → 3.0.0.3
4. MS sends Map-Notify to both ETRs: b::/64 → 2.0.0.2, 3.0.0.3

Resulting mapping at the MS: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

[Figure: ITR 1.0.0.1, ETR1 2.0.0.2, ETR2 3.0.0.3 and MR/MS; EID prefixes a::/64 and b::/64; sites labelled White and Pinkman]

xTR: Tunnel Router when direction of flow is irrelevant

Map-Request & Map-Reply (For Your Reference)

1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR FIB lookup for b::2 is a miss or a match on ::/0. LISP control plane signaled.
3. ITR sends Map-Request to MS for b::2/128.
4. MS forwards Map-Request to one of the ETRs.
5. ETR2 sends Map-Reply to ITR.

Mapping at the MS: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

Map-cache entry at the ITR after step 5: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

Data Path (For Your Reference)

1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR finds route for b::/64.
   • Pre-encap load balancing between 2.0.0.2 and 3.0.0.3.
3. Post-encap load balance to 2.0.0.2 and transmit.
4. ETR1 decapsulates and forwards to b::2.

Mapping at the MS: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

Map-cache entry at the ITR: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

Proxy Map-Reply (For Your Reference)

1. ETRs send Map-Register for b::/64 with proxy-reply bit set.
2. ITR sends Map-Request for b::/64 to the mapping system.
3. Mapping system sends Proxy Map-Reply for b::/64 on behalf of ETRs.

Mapping at the MS (Proxy bit set): b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

Map-cache entry at the ITR: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

Basic XTR Configuration

router lisp
 locator-set SET1
  2.0.0.2 priority 0 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping b::/64 locator-set SET1
  exit
 !
 ipv6 itr map-resolver 100.0.0.1
 ipv6 itr
 ipv6 etr map-server 100.0.0.1 key foo
 ipv6 etr
 exit

Slide callout next to the locator line: alternative form: IPv4-interface e0/0, auto-discover-rlocs

[Figure: ITR 1.0.0.1, ETR1 2.0.0.2, ETR2 3.0.0.3, MR/MS 100.0.0.1; EID prefixes a::/64 and b::/64; sites labelled White and Pinkman]

Map Server Configuration

router lisp
 site all
  authentication-key foo
  eid-prefix ::/0 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!

[Figure: same topology; MR/MS at 100.0.0.1]

Multi-site Map Server Configuration

router lisp
 site one
  authentication-key bar
  eid-prefix a::/64 accept-more-specifics
  exit
 !
 site two
  authentication-key foo
  eid-prefix b::/64 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!

[Figure: same topology; MR/MS at 100.0.0.1]

LISP Operations: LISP Data Plane :: Ingress/Egress Tunnel Router (ITR/ETR) (xTR)

Identical configs on both xTRs!

!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
!

[Figure: LISP Site 1 (PI EID-prefix 2001:db8:1::/48, source S) with xTR-1 10.0.0.2 on Provider A 10.0.0.0/8 and xTR-2 11.0.0.2 on Provider B 11.0.0.0/8; LISP Site 2 (PI EID-prefix 2001:db8:2::/48, destination D) with xTR-3 12.0.0.2 on Provider C 12.0.0.0/8 and xTR-4 13.0.0.2 on Provider D 13.0.0.0/8; packet flow from ITR to ETR]

LISP Mapping System

• RFC 6830: LISP
• RFC 6833: Map-Server Interface

[Figure: ITR, MR, Mapping System (Separate Standard), MS and ETR exchanging Map-Request, Map-Reply, Map-Register, Map-Notify and Solicit-Map-Request, each arrow labelled RFC 6830 or RFC 6833]

Mapping System Redundancy (For Your Reference)

• Deploy multiple stand-alone Map-Servers.
• ETRs register to all Map-Servers
• ITRs send Map-Request to Multiple Map-Registers

[Figure: ITRs and ETR around redundant MS/MR nodes]

Delegated Database (DDT)

• ETR Registers to Multiple Map-Servers
• ITR Sends Map-Request to a Map-Resolver
• Map-Resolver Walks The Delegated Tree
• Authoritative Map-Server Forwards Map-Request to ETR
• ETR Sends Map-Reply to ITR

[Figure: MR at the top of a tree of DDT nodes, with MS nodes as leaves, an ETR and an ITR]

LISP Interworking (For Your Reference)

• Early Recognition
  • LISP not widely deployed on day-one
  • LISP designed with incremental deployments in mind.

[Figure: MS/MR; ITR 1.0.0.1 and XTR 2.0.0.2 serving a::/64 and b::/64; non-LISP Internet site c::/64; sites labelled White and Goodman]

Negative Map-Reply & Native Forwarding

1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 is a miss or a match on ::/0.
3. ITR sends Map-Request for c::3/128.
4. Map server sends Negative Map-Reply with shortest possible prefix:
   • Covering c::3/128
   • Not covering EID prefixes
   • In this example: c::/14

Mappings at the MS/MR:
  a::/64 → 1.0.0.1
  b::/64 → 2.0.0.2

Map-cache entry at the ITR after step 4: c::/14 → forward-native
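The prefix choice in step 4 can be computed from the registered EID prefixes. The following Python sketch is an added example, not code from the presentation: the function names are hypothetical, the registrations are the two shown on the slide, and the same logic also works for IPv4 EIDs.

```python
import ipaddress

# Registrations shown on the slide: EID prefix -> RLOCs.
REGISTERED = {"a::/64": ["1.0.0.1"], "b::/64": ["2.0.0.2"]}


def negative_reply_prefix(dest, registered):
    """Shortest prefix that covers dest and overlaps no registered EID prefix.

    Returns None when dest lies inside a registered prefix, because a
    positive Map-Reply applies in that case.
    """
    addr = ipaddress.ip_address(dest)
    width = addr.max_prefixlen
    needed = 0
    for text in registered:
        net = ipaddress.ip_network(text)
        if net.version != addr.version:
            continue
        if addr in net:
            return None
        # Leading bits shared by dest and the registered prefix. Because
        # dest is outside net, the first differing bit is inside net's mask.
        diff = int(addr) ^ int(net.network_address)
        common = width - diff.bit_length()
        # Any covering prefix of length <= common would also contain net.
        needed = max(needed, common + 1)
    return ipaddress.ip_network(f"{addr}/{needed}", strict=False)


def map_request(dest, registered=REGISTERED):
    """Answer as the slides describe: RLOCs if registered, else forward-native."""
    addr = ipaddress.ip_address(dest)
    for text, rlocs in registered.items():
        net = ipaddress.ip_network(text)
        if net.version == addr.version and addr in net:
            return net, rlocs
    return negative_reply_prefix(dest, registered), "forward-native"


if __name__ == "__main__":
    for target in ("b::2", "c::3"):
        prefix, action = map_request(target)
        print(f"{target}: install {prefix} -> {action}")
```

The ITR caches the returned prefix, so the wider it is without touching a registered EID prefix, the fewer Map-Requests later non-LISP destinations trigger.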

Negative Map-Reply & Native Forwarding

1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 matches forward-native route.
3. Native (a::1,c::3) packet sent

• Potential Pitfall
  • URPF Check at ISP
  • Drop packets not sourced by 1.0.0.1

Mappings at the MS/MR:
  a::/64 → 1.0.0.1
  b::/64 → 2.0.0.2

Map-cache entry at the ITR: c::/14 → forward-native

Proxy XTR (PXTR) (For Your Reference)
LISP Site to non-LISP Site, non-LISP Site to LISP Site

• Interworking
  • Communicate with the rest of the Internet
  • LISP sites to non-LISP sites
  • Non-LISP sites to LISP sites

Map-cache entry at the ITR: c::/14 → 3.0.0.3

[Figure: MS/MR; ITR 1.0.0.1 and ETR 2.0.0.2 serving a::/64 and b::/64; PETR 3.0.0.3 towards the Internet site c::/64; sites labelled White and Goodman]

Proxy ETR (PETR)
LISP Site to non-LISP Site

1. ITR configured to use PETR for negative map-replies.
     ipv6 use-petr 3.0.0.3
2. Negative map-reply received for non-LISP prefix.
3. Packets from a::1 to c::3 drawn to ITR.
4. FIB match on c::/14
5. ITR encapsulates, load balances & transmits to PETR
6. PETR decapsulates and forwards natively.

Map-cache entry at the ITR: c::/14 → 3.0.0.3

Proxy ITR (PITR)
non-LISP Site to LISP Site

• PITR advertises coarse-aggregate EID Prefix.
  • 8::/14 in this example
  • 153.16.0.0/16 on LISP Beta Network

1. Traffic from Internet drawn to PITR (c::3 to a::1)
2. PITR exchanges Map-Request & Map-Reply for a::1 with Mapping System
3. PITR encapsulates and transmits to ETR
4. ETR decapsulates and forwards to destination

Map-cache entry at the PITR (3.0.0.3): a::/64 → 1.0.0.1

Disjoint Locator Space

How can an IPv4 RLOC talk to an IPv6 RLOC?

1. Locator scopes configured in the Map Server.
     Scope 1 → IPv4 RLOC Prefix
     Scope 2 → IPv6 RLOC Prefix
2. RLOCs in ETR Map-Register match Scope 2
3. RLOCs in ITR Map-Request match Scope 1
4. Map-Server detects disjoint Scopes & sends Proxy Map-Reply with RTR IPv4 RLOC.
5. ITR encapsulates & Transmits to IPv4 RTR RLOC
6. RLOCs in RTR Map-Request match Scope 1 and Scope 2. No disjointness. Map-reply sent with ETR RLOCs.
7. RTR re-encapsulates & Transmits to ETR RLOC

Example assumes proxy Map-Reply

[Figure: ITR (a::/64) with IPv4 RLOCs (Scope 1), ETR (b::/64) with IPv6 RLOCs (Scope 2), MS/MR and an RTR attached to both scopes]

Virtualization

Mappings at the MS/MR:

IID   EID         RLOC
1     1.0.0.0/8   RLOC1
1     2.0.0.0/8   RLOC2
2     1.0.0.0/8   RLOC1
2     2.0.0.0/8   RLOC2

• Shared MS/MR
  • Located in RLOC Space

• Multi-tenant XTR
  • Accommodates multiple customers
  • Deployed as PE

[Figure: vrf green (IID 1) and vrf blue (IID 2) at both RLOC1 and RLOC2, each holding 1.0.0.0/8 and 2.0.0.0/8; packets towards 2./8 carried as outer IP (RLOC2) | LISP (IID 1 or IID 2) | inner IP | Payload]
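An added example, not part of the presentation: an ETR-side decapsulation check that places a packet into a VRF from the 24-bit Instance ID in the LISP data header, together with the ITR-side decision from the "What About MTU?" slide. The header layout and the DF/IPv6 rule for choosing between that slide's two options follow RFC 6830; the function names, the IID-to-VRF table and the sample payload are constructed for illustration.

```python
import struct

LISP_DATA_PORT = 4341            # UDP destination port for LISP data packets
OUTER_IP_HDR = {4: 20, 6: 40}    # outer header bytes, no options or extensions
UDP_HDR = LISP_HDR = 8
FLAG_N, FLAG_I = 0x80, 0x08      # nonce present, instance ID present

# Constructed table matching the Virtualization slide: IID -> VRF.
IID_TO_VRF = {1: "green", 2: "blue"}


def max_inner_packet(tunnel_mtu, outer_version=4):
    """Largest EID packet that fits once outer IP, UDP and LISP are added."""
    return tunnel_mtu - OUTER_IP_HDR[outer_version] - UDP_HDR - LISP_HDR


def itr_action(inner_len, inner_version, df_set, tunnel_mtu, outer_version=4):
    """ITR decision for one packet; the ETR never reassembles."""
    if inner_len <= max_inner_packet(tunnel_mtu, outer_version):
        return "encapsulate"
    if inner_version == 6 or df_set:
        return "send packet-too-big to source"
    return "fragment before encapsulation"


def lisp_data_header(instance_id, nonce=0):
    """8-byte LISP data header with the N and I bits set."""
    if not 0 <= instance_id < 1 << 24:
        raise ValueError("instance ID is a 24-bit value")
    word0 = (FLAG_N | FLAG_I) << 24 | nonce & 0xFFFFFF
    # With I set, the upper 24 bits of the second word carry the IID.
    return struct.pack("!II", word0, instance_id << 8)


def etr_decapsulate(udp_dport, udp_payload, iid_to_vrf=IID_TO_VRF):
    """Return (vrf, inner_packet) or raise ValueError.

    Policy of this sketch: a multi-tenant xTR refuses packets that carry
    no instance ID or an instance ID it has no VRF for.
    """
    if udp_dport != LISP_DATA_PORT:
        raise ValueError("not LISP data traffic")
    if len(udp_payload) < LISP_HDR:
        raise ValueError("truncated LISP header")
    word0, word1 = struct.unpack("!II", udp_payload[:LISP_HDR])
    if not (word0 >> 24) & FLAG_I:
        raise ValueError("no instance ID present")
    iid = word1 >> 8
    if iid not in iid_to_vrf:
        raise ValueError(f"unknown instance ID {iid}")
    return iid_to_vrf[iid], udp_payload[LISP_HDR:]


if __name__ == "__main__":
    packet = lisp_data_header(2, nonce=0xABCDEF) + b"inner-ip-packet"
    print(etr_decapsulate(LISP_DATA_PORT, packet))
    print(max_inner_packet(1500), itr_action(1500, 4, True, 1500))
```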

Interface LISP0 / Interface LISP0.x (X = IID)

Attach config for:
• crypto-map
• Assign QoS Policy
• Netflow
• ACL’s

Per-VRF subinterfaces at HQ:
  VRF A, IID 1: LISP0.1
  VRF B, IID 2: LISP0.2
  VRF C, IID 3: LISP0.3

To Enterprise Internal Networks: Segmentation by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks)

To IPv4 or IPv6 Core RLOC namespace:
• Single RLOC namespace
• Default table (or RLOC VRF)

[Figure: HQ with two xTR/GM, two KS and two MSMR nodes; IPv4 Core; xTR/GM at Site 1, Site 2 and Site 3]

LISP encryption

• LISP and encryption (IOS)
  – Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs
  – LISP provides two ways to apply a crypto map

Use-Case: LISP Default Model
  – crypto-map on RLOC: Vanilla IPsec ✔, GETVPN ✔. LISP encap first, then encryption based on RLOC
  – crypto-map on LISP0: Vanilla IPsec ✔, GETVPN ✔. Encryption first based on EID, then LISP encap

Use-Case: LISP Virtualization
  – crypto-map on RLOC: Vanilla IPsec ✔, GETVPN ✔. LISP encap first, then encryption based on RLOC
  – crypto-map on LISP0.x: Vanilla IPsec ✔, GETVPN ✔. Encryption first based on EID, then LISP encap

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!

LISP Header with IPSec (For Your Reference)

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

[Figure: IPsec + LISP, crypto map on LISP0. Outer to inner: ITR IP Hdr (LISP) | UDP Hdr (D:4341, S:xx) | LISP Hdr | Host IP Hdr | ESP SPI | Host IP Hdr | ICMP Hdr | Payload | ESP trailer]

[Figure: LISP + IPsec, crypto map on RLOC. Outer to inner: ITR IP Hdr | ESP SPI | ITR IP Hdr (LISP) | UDP Hdr (D:4341, S:xx) | LISP Hdr | Host IP Hdr | ICMP Hdr | Payload | ESP trailer]

LISP Header with GETVPN

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

[Figure: GETVPN + LISP, crypto map on LISP0. Outer to inner: ITR IP Hdr (LISP) | UDP Hdr (D:4341, S:xx) | LISP Hdr | Host IP Hdr | ESP SPI | Host IP Hdr | ICMP Hdr | Payload | ESP trailer; slide label: Original IPv4 Header]

[Figure: LISP + GETVPN, crypto map on RLOC. Outer to inner: ITR IP Hdr | ESP SPI | ITR IP Hdr (LISP) | UDP Hdr (D:4341, S:xx) | LISP Hdr | Host IP Hdr | ICMP Hdr | Payload | ESP trailer; slide label: Original IPv4 Header]

Encryption Configuration

interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP1
 crypto map MAP1
!
. . .
!
crypto map MAP1 10 gdoi
 set group V4GROUP-0001
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0

[Figure: HQ with VRF DeptA (IID 1), VRF DeptB (IID 2), VRF DeptC (IID 3), two xTR/GM, two KS and two MSMR nodes; IPv4 Core; xTR/GM at Site 1, Site 2 and Site 3]

LISP encryption (1)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-0001
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
------

LISP encryption (2)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

!
------
!
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv6 GETVPN6-0003
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
ip access-list extended GETVPN-0001
 permit ip any any
ip access-list extended GETVPN-0002
 permit ip any any
ip access-list extended GETVPN-0003
 permit ip any any
!
ipv6 access-list GETVPN6-0001
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0002
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0003
 permit ipv6 any any
!

LISP encryption (3)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
------
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
crypto map MAP-V4-0001 10 gdoi
 set group V4GROUP-0001
!
------
crypto map ipv6 MAP-V6-0003 10 gdoi
 set group V6GROUP-0003
!

LISP encryption (4)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

!
interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0001
 crypto map MAP-V4-0001
!
interface LISP0.2
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0002
 crypto map MAP-V4-0002
!
interface LISP0.3
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0003
 crypto map MAP-V4-0003
!

LISP encryption: Verification (1)

Example: EID to EID

Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
Site3#

[Figure: HQ with VRF DeptA (IID 1), VRF DeptB (IID 2), VRF DeptC (IID 3), two xTR/GM, two KS and two MSMR nodes; IPv4 Core; xTR/GM at Site 1, Site 2 and Site 3]

LISP encryption: Verification (2)

Example: EID to EID

Site3#show crypto engine connection active
Crypto Engine Connections
   ID  Type   Algorithm       Encrypt  Decrypt  LastSeqN  IP-Address
  ------
  143  IPsec  AES256+SHA512         0      100         0  192.168.11.1
  144  IPsec  AES256+SHA512       100        0         0  192.168.11.1
  ------
Site3#

LISP Deployment Examples: Public and Private LISP Deployment Models

Private Model
• “Private” LISP deployment supports the needs of single Enterprises or Entities
• LISP Enterprise deploys:
  - xTRs
  - Mapping System
  - Proxy System

Public Model
• “Public” LISP deployment support multiple Enterprises
• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs

[Figure labels: Stand-Alone Example (Private Enterprise); Examples: NJEdge.Net, VXNet, InTouch; Global Examples: ddt-root.org, LISP Beta; LISP SP, LISP Ent, Enterprise A, Enterprise B, Enterprise C, PCCC, CCM, BCC, CCC, MU, Princeton]

LISP Deployment Examples: Efficient Virtualization and High-Scale VPNs

LISP VPNs: Cryptography, Routing and Tunneling! -- all in one!

Site to Site Security
• LISP Works with any crypto scheme
• Locators or EIDs can be encrypted
• LISP-SEC for control plane security

Encapsulation
• EID prefix virtualization
• Tied to VRFs
• Locators can be virtualized too

Routing
• Spoke to spoke connectivity
• Optional local Internet offload (split-tunnel)
• No IGP required to branch sites!

LISP Deployment Examples: Efficient Virtualization and High-Scale VPNs

LISP – Inherent scalability and virtualization, rapidly deployable

Scalability (# of VPN sites)? Unconstrained
• No protocol constraint
• 100K concurrent site connections

VPN site-to-site routing? Unnecessary
• No site-to-site routing required
• No VPN route injection into core
• LISP / Non-LISP site interworking through PxTR

Secure Segmentation? 24-bit Instance ID with VRF
• 16M unique VPN classifiers
• Used by LISP control plane and data plane
• Optional data plane encryption with GETVPN

Performance? Optimal Path (P2P), Loadbalancing
• Shortest path between LISP sites
• Equal cost/unequal cost loadbalancing

LISP and MPLS interaction

• LISP provides a scalable way to extend VPNs across an IP/MPLS core
• Avoid per-VRF costs
• Pull VPN routes out of the MPLS core
• Circumvent address family constraints
• Fast convergence on site Up/Down events

[Figure: Location X and Location Y, each with Group A to Group N devices and networks behind an xTR/CE; MPLS Core with PEs, MPLS VPN, GM and MSMR; PE-CE = BGP; CE to CE Customer routes = LISP]

LISP Mobile Node

A LISP-MN Phone is a LISP Site!!…

What can a LISP-MN Device do?
• Two MNs can roam and stay connected
• MNs can be servers
• MNs roam without changing DNS entries
• MNs can use multiple interfaces
• MNs can control ingress packet policy
• Faster hand-offs
• Low battery use by MS proxy-replying
• And most importantly, packets have stretch of “1” – best for latency/delay sensitive applications

This device is a LISP xTR!
  wifi: 64.0.0.1
  3G: 65.0.0.1
  EID-prefix: 2610:00d0:xxxx::1/128
  Map-Server: 64.1.1.1

LISP-MN can scale to 1 billion hand-sets!

LISP Mobile Node

LISP-MN mobility around the world!

LISP Protocol Control and Data Plane

LISP EID Registration: MAP-REGISTER Functionality

LISP MAP-REGISTER Message
• Created by ETR
• TYPE 3 Control Plane Message
• Registers Local EID Space
• P bit Not Set by Default

Captured message:
  SRC MAC: fa:16:3e:ce:dc:9d
  DST MAC: fa:16:3e:9d:07:51
  SRC IP: 192.168.110.4
  DST IP: 192.168.110.1
  LISP, TYPE: 0011
  P bit: NOT SET, M bit: SET
  MAP RECORD: 10.1.0.0/24
  INSTANCE ID: 4099
  LOCATOR: 192.168.110.4
  P:10/W:10, MP:10/MW:10

LISP EID Registration: MAP-NOTIFY Functionality

LISP MAP-NOTIFY Message
• Created by Map Server (MS)
• TYPE 4 Control Plane Message
• Triggered by M bit in MAP-REGISTER
• Notifies Successful Registration

Captured message:
  SRC MAC: fa:16:3e:9d:07:51
  DST MAC: fa:16:3e:ce:dc:9d
  SRC IP: 192.168.110.1
  DST IP: 192.168.110.4
  LISP, TYPE: 0100
  MAP RECORD: 10.1.0.0/24
  INSTANCE ID: 4099
  LOCATOR: 192.168.110.4
  P:10/W:10, MP:10/MW:10
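An added example, not from the presentation: how a Map-Server can authenticate a Map-Register like the one captured above using the site's shared `authentication-key` before it answers with a Map-Notify. The message layout follows RFC 6830; the helper names are hypothetical, the instance-ID (LCAF) encoding of the EID is left out, and truncating the HMAC to 96 or 128 bits as the algorithm names suggest is an assumption of this sketch.

```python
import hashlib
import hmac
import ipaddress
import struct

MAP_REGISTER = 3
# Key ID -> (hash constructor, authentication data length in bytes).
# Assumption: digests are truncated as the names HMAC-SHA-1-96 and
# HMAC-SHA-256-128 suggest.
ALGS = {1: (hashlib.sha1, 12), 2: (hashlib.sha256, 16)}
AFI_IPV4 = 1


def ipv4_record(eid_prefix, rloc, ttl=1440, prio=10, weight=10):
    """One mapping record with a single IPv4 locator (no instance-ID LCAF)."""
    net = ipaddress.ip_network(eid_prefix)
    # TTL, locator count, EID mask length, action/flags, map-version, AFI
    record = struct.pack("!IBBHHH", ttl, 1, net.prefixlen, 0, 0, AFI_IPV4)
    record += net.network_address.packed
    # priority, weight, multicast priority, multicast weight, flags, AFI
    locator = struct.pack("!BBBBHH", prio, weight, prio, weight, 0, AFI_IPV4)
    return record + locator + ipaddress.ip_address(rloc).packed


def build_map_register(key, records, key_id=1, proxy_reply=False,
                       want_notify=True, nonce=0):
    """ETR side: serialize the message, then fill in the HMAC."""
    digestmod, auth_len = ALGS[key_id]
    first = (MAP_REGISTER << 28 | int(proxy_reply) << 27
             | int(want_notify) << 8 | len(records))
    head = struct.pack("!IQHH", first, nonce, key_id, auth_len)
    body = b"".join(records)
    # The HMAC covers the whole message with the auth field set to zero.
    mac = hmac.new(key, head + bytes(auth_len) + body, digestmod).digest()
    return head + mac[:auth_len] + body


def verify_map_register(key, msg):
    """Map-Server side: return the header flags or raise ValueError."""
    if len(msg) < 16:
        raise ValueError("truncated header")
    first, nonce, key_id, auth_len = struct.unpack("!IQHH", msg[:16])
    if first >> 28 != MAP_REGISTER:
        raise ValueError("not a Map-Register")
    if key_id not in ALGS or ALGS[key_id][1] != auth_len:
        raise ValueError("unsupported key ID or authentication length")
    if len(msg) < 16 + auth_len:
        raise ValueError("truncated authentication data")
    zeroed = msg[:16] + bytes(auth_len) + msg[16 + auth_len:]
    expected = hmac.new(key, zeroed, ALGS[key_id][0]).digest()[:auth_len]
    if not hmac.compare_digest(expected, msg[16:16 + auth_len]):
        raise ValueError("authentication failed")
    return {"P": bool(first >> 27 & 1), "M": bool(first >> 8 & 1),
            "records": first & 0xFF, "nonce": nonce}


# Constructed sample mirroring the capture: 10.1.0.0/24 -> 192.168.110.4,
# P:10/W:10, MP:10/MW:10, P bit not set, M bit set. The key "foo" is the
# one used in the map-server configuration slides.
SAMPLE = build_map_register(b"foo", [ipv4_record("10.1.0.0/24", "192.168.110.4")])

if __name__ == "__main__":
    print(verify_map_register(b"foo", SAMPLE))
    tampered = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])  # locator altered
    for key, msg in ((b"foo", tampered), (b"bar", SAMPLE)):
        try:
            verify_map_register(key, msg)
        except ValueError as err:
            print("rejected:", err)
```

With a single `site all` entry that accepts ::/0 and more specifics, every ETR holding that one key can register any EID prefix; the per-site keys and prefixes of the multi-site configuration narrow what a given key authorizes.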

LISP Control Plane
LISP Eligibility Check

LISP Eligibility Criteria
• Absence of Specific Route in RIB
• Presence of Default Route in RIB
• Originated by Local EID Space

live_xTR01#show ip route vrf Production 10.1.1.100

Routing Table: Production
% Subnet not in table

live_xTR01#show ip cef vrf Production 10.1.1.100 detail
0.0.0.0/0, epoch 0, flags [default route handler, check lisp eligibility, default route]
  LISP remote EID: 0 packets 0 bytes fwd action signal, cfg as EID space
  LISP source path list
    attached to LISP0.4099
  1 IPL source [unresolved]
  no route

live_xTR01#show ip lisp instance-id 4099 forwarding eid local
Prefix
10.1.0.0/24

live_xTR01#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 1 entries

0.0.0.0/0, uptime: 00:04:45, expires: never, via static send map-request
  Negative cache entry, action: send-map-request

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.1.100 ICMP Type: 8

Locating LISP Endpoints
MAP-REQUEST Functionality

LISP MAP-REQUEST Message
• Created by ITR
• TYPE 1 Control Plane Message
• Map-Cache Miss Triggered
• Sent to Map Resolver (MR)
• Request EID-to-RLOC mapping

SRC MAC: fa:16:3e:ce:dc:9d DST MAC: fa:16:3e:9d:07:51 SRC IP: 192.168.110.4 DST IP: 192.168.110.1 LISP, TYPE: 0001 SRC EID: 10.1.0.100 INSTANCE ID: 4099 MAP REQUEST: 10.1.1.101/32 INSTANCE ID: 4099 MAP REPLY: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

Locating LISP Endpoints
MAP-REQUEST Functionality

LISP MAP-REQUEST Message
• MR Resolves EID-to-RLOC Mapping
• Could be Forwarded into Map System
• Forwarded to ETR for Registered EID

SRC MAC: fa:16:3e:9d:07:51 DST MAC: fa:16:3e:dd:b7:66 SRC IP: 192.168.110.1 DST IP: 192.168.110.5 LISP, TYPE: 0001 SRC EID: 10.1.0.100 INSTANCE ID: 4099 MAP REQUEST: 10.1.1.101/32 INSTANCE ID: 4099 MAP REPLY: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

Locating LISP Endpoints
MAP-REPLY Functionality

LISP MAP-REPLY Message
• Created by Authoritative ETR
• TYPE 2 Control Plane Message
• Matches Against Site EID Prefixes
• Sent Directly from ETR to Requesting ITR

SRC MAC: fa:16:3e:dd:b7:66 DST MAC: fa:16:3e:ce:dc:9d SRC IP: 192.168.110.5 DST IP: 192.168.110.4 LISP, TYPE: 0010 MAP RECORD: 10.1.1.0/24 AUTHORITATIVE BIT: SET INSTANCE ID: 4099 LOCATOR RECORD: 192.168.110.5 P:10/W:10, MP:10/MW:10

LISP Data Plane
LISP Eligibility Check

LISP Eligibility Criteria
• Absence of Specific Route in RIB
• Presence of Default Route in RIB
• Originated by Local EID Space
• CEF Table Populated by MAP-REPLY
• Map-Cache Hit for Remote EID

live_xTR01#show ip cef vrf Production 10.1.1.100 detail
10.1.1.0/24, epoch 0, flags [default route handler, subtree context, check lisp eligibility, default route]
  SC owned,sourced: LISP remote EID - locator status bits 0x00000001
  LISP remote EID: 9 packets 900 bytes fwd action encap
  LISP source path list
    nexthop 192.168.110.5 LISP0.4099
  2 IPL sources [unresolved, active source]
  Dependent covered prefix type inherit, cover 0.0.0.0/0
  recursive via 0.0.0.0/0
    no route

live_xTR01#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 2 entries

0.0.0.0/0, uptime: 00:05:44, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.1.0/24, uptime: 00:00:38, expires: 23:59:21, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt
  192.168.110.5  00:00:38  up     1/100

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.1.100 ICMP Type: 8

LISP Data Plane
LISP Data Encapsulation

LISP Data Encapsulation
• Inner MAC Header Removed
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• LISP Header Appended
  - L Bit Set
  - I Bit Set
  - Instance ID: 4099

SRC MAC: fa:16:3e:ce:dc:9d DST MAC: fa:16:3e:dd:b7:66 OUT SRC IP: 192.168.110.4 OUT DST IP: 192.168.110.5 UDP, SRC: 1024, DST: 4341 LISP, L Bit: SET, I Bit: SET INSTANCE ID: 4099 IN SRC IP: 10.1.0.100 IN DST IP: 10.1.1.100 ICMP Type: 8

LISP Data Plane
LISP Data Encapsulation

Outer Ethernet Header
Outer IP Header (Src: live_xTR01, Dst: live_xTR02)
LISP Header: Instance ID 4099, VRF Production
Inner IP Header (Src: Local EID, Dst: Remote EID)

LISP Data Plane
LISP Data Decapsulation

LISP Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and LISP Header Removed
• Instance ID Evaluated
• Placed in Production VRF
• New Inner MAC Header Appended
• Packet Forwarded to Destination EID

SRC MAC: fa:16:3e:ce:dc:68 DST MAC: fa:16:3e:dd:b7:69 SRC IP: 10.1.0.100 DST IP: 10.1.1.100 ICMP Type: 8

LISP Protocol
LISP to Non-LISP Reachability

LISP to Non-LISP Sites
Proxy Functionality

LISP Proxy ETR
• LISP to Non-LISP Communication
• EID Space Non-Routable
• uRPF Failure in ISP
• Multi-Address Family Support

[Diagram: Non-LISP Site]

SRC MAC: fa:16:3e:72:e4:6e DST MAC: fa:16:3e:f3:a7:e0 SRC IP: 10.1.0.100 DST IP: 72.163.4.161 ICMP Type: 8

LISP to Non-LISP Sites
Proxy Functionality

LISP MAP-REQUEST Message
• Created by PxTR
• TYPE 1 Control Plane Message
• Map-Cache Miss Triggered
• Sent to Map Resolver (MR)
• Request Specific Non-LISP Prefix Mapping

[Diagram: Non-LISP Site]

SRC MAC: fa:16:3e:bc:9e:83 DST MAC: fa:16:3e:aa:81:3f SRC IP: 192.168.110.4 DST IP: 192.168.110.1 LISP, Type: 0001 SRC EID: 10.1.0.100 INSTANCE ID: 4099 MAP REQUEST: 72.163.4.161/32 INSTANCE ID: 4099 MAP REPLY: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

LISP to Non-LISP Sites
Proxy Functionality

LISP MAP-REPLY Message
• Created by Authoritative ETR
• TYPE 2 Control Plane Message
• Provides Coarse Map Record
• Natively Forward if No PETR

[Diagram: Non-LISP Site]

SRC MAC: fa:16:3e:aa:81:3f DST MAC: fa:16:3e:bc:9e:83 SRC IP: 192.168.110.1 DST IP: 192.168.110.4 LISP, Type: 0010 MAP RECORD: 64.0.0.0/2 ACTION: NATIVELY-FORWARD AUTHORITATIVE BIT: SET INSTANCE ID: 4099

LISP to Non-LISP Sites
Proxy Functionality

EID to Non-LISP Packet
• Looks at Map-Cache
• Gets a Hit (64.0.0.0/2)
• Forward-Native
• Encapsulate Non-LISP to PETR
• Configured to 192.168.110.1

[Diagram: Non-LISP Site]

live_xTR01#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 3 entries

0.0.0.0/0, uptime: 02:08:29, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.1.0/24, uptime: 00:05:12, expires: 23:54:47, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt
  192.168.110.5  00:05:12  up     1/100
64.0.0.0/2, uptime: 00:07:50, expires: 00:07:09, via map-reply, forward-native
  Encapsulating to proxy ETR
live_xTR01#show run | i etr
 ipv4 use-petr 192.168.110.1
live_xTR01#

SRC MAC: fa:16:3e:72:e4:6e DST MAC: fa:16:3e:f3:a7:e0 SRC IP: 10.1.0.100 DST IP: 72.163.4.161 ICMP Type: 8
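The map-cache behaviour walked through on the preceding slides (default entry triggers a Map-Request, the Map-Reply installs a more specific entry, the next packet takes the longest match) can be replayed in a few lines. This is an added example, not code from the presentation; the function names are this example's own, picking the first locator instead of honouring priority/weight is a simplification, and returning "drop" when nothing matches is an assumption.

```python
import ipaddress

USE_PETR = "192.168.110.1"   # value of `ipv4 use-petr` in the output above


def initial_cache():
    """Map-cache of an xTR before any traffic: only the static default entry."""
    return [{"prefix": ipaddress.ip_network("0.0.0.0/0"),
             "action": "send-map-request", "rlocs": []}]


def install_map_reply(cache, prefix, action, rlocs=()):
    """Add (or refresh) the entry learned from a Map-Reply."""
    net = ipaddress.ip_network(prefix)
    cache[:] = [e for e in cache if e["prefix"] != net]
    cache.append({"prefix": net, "action": action, "rlocs": list(rlocs)})


def lookup(cache, dst):
    """Longest-prefix match; returns the winning entry or None."""
    addr = ipaddress.ip_address(dst)
    hits = [e for e in cache if addr in e["prefix"]]
    return max(hits, key=lambda e: e["prefix"].prefixlen) if hits else None


def forwarding_decision(cache, dst, petr=USE_PETR):
    """Return (action, next-hop RLOC) for a packet to dst."""
    entry = lookup(cache, dst)
    if entry is None:
        return ("drop", None)                      # assumption of this example
    if entry["action"] == "send-map-request":
        return ("send-map-request", None)          # map-cache miss
    if entry["action"] == "forward-native":
        # Negative Map-Reply: encapsulate to the PETR if one is configured,
        # otherwise forward natively.
        return ("encap-to-petr", petr) if petr else ("forward-native", None)
    if entry["action"] == "complete" and entry["rlocs"]:
        return ("encap", entry["rlocs"][0])        # simplification: first RLOC
    return ("drop", None)


def replay_slides():
    """Replay the sequence shown on the slides with their addresses."""
    cache = initial_cache()
    steps = [forwarding_decision(cache, "72.163.4.161")]       # first packet
    install_map_reply(cache, "64.0.0.0/2", "forward-native")   # negative reply
    install_map_reply(cache, "10.1.1.0/24", "complete", ["192.168.110.5"])
    steps.append(forwarding_decision(cache, "72.163.4.161"))
    steps.append(forwarding_decision(cache, "10.1.1.100"))
    steps.append(forwarding_decision(cache, "72.163.4.161", petr=None))
    return steps


if __name__ == "__main__":
    for step in replay_slides():
        print(step)
```

The coarse 64.0.0.0/2 entry covers every destination from 64.0.0.0 through 127.255.255.255, so one negative Map-Reply decides the handling of a quarter of the IPv4 space until it expires.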

LISP to Non-LISP Sites
Proxy Functionality

LISP Data Encapsulation
• Inner MAC Header Removed
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
  - DST is Proxy ETR
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• LISP Header Appended
  - L Bit Set
  - I Bit Set
  - Instance ID: 4099

[Diagram: Non-LISP Site]

SRC MAC: fa:16:3e:bc:9e:83 DST MAC: fa:16:3e:aa:81:3f OUT SRC IP: 192.168.110.4 OUT DST IP: 192.168.110.1 UDP, SRC: 1024, DST: 4341 LISP, L Bit: SET, I Bit: SET INSTANCE ID: 4099 IN SRC IP: 10.1.0.100 IN DST IP: 72.163.4.161 ICMP Type: 8

LISP to Non-LISP Sites
Proxy ETR Functionality

Outer Ethernet Header
Outer IP Header (Src: live_xTR01, Dst: PETR)
LISP Header: Instance ID 4099, VRF Production
Inner IP Header (Src: Local EID, Dst: www.cisco.com)

LISP to Non-LISP Sites
Proxy Functionality

LISP Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and LISP Header Removed
• Instance ID Evaluated
• Placed in Production VRF
• New Inner MAC Header Appended
• Packet Forwarded to Destination EID

SRC MAC: fa:16:3e:18:b5:bd DST MAC: fa:16:3e:e5:aa:8d SRC IP: 10.1.0.100 DST IP: 72.163.4.161 ICMP Type: 8

LISP Proxy xTR
Ingress Proxy Functionality

LISP Proxy ITR
• Non-LISP to LISP Communication
• Advertises Coarse Prefix Space
• Typically Close to ISP or IXP
• Ideal for Load Balancing

SRC MAC: fa:16:3e:e5:aa:8d DST MAC: fa:16:3e:18:b5:bd SRC IP: 72.163.4.161 DST IP: 10.1.0.100 ICMP Type: 8

live-LISPMap#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 2 entries

0.0.0.0/0, uptime: 02:32:03, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.0.0/24, uptime: 00:30:34, expires: 23:29:25, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt
  192.168.110.4  00:30:34  up     1/100

live-LISPMap#show run | i proxy
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.110.1
live-LISPMap#

LISP to Non-LISP Sites
Proxy Functionality

LISP Data Encapsulation
• Inner MAC Header Removed
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• LISP Header Appended
  - L Bit Set
  - I Bit Set
  - Instance ID: 4099

SRC MAC: fa:16:3e:aa:81:3f DST MAC: fa:16:3e:bc:9e:83 OUT SRC IP: 192.168.110.1 OUT DST IP: 192.168.110.4 UDP, SRC: 18279, DST: 4341 LISP, L Bit: set, I Bit: set INSTANCE ID: 4099 IN SRC IP: 72.163.4.161 IN DST IP: 10.1.0.100 ICMP Type: 8

LISP to Non-LISP Sites
Proxy ITR Functionality

Outer Ethernet Header
Outer IP Header (Src: PITR, Dst: live_xTR01)
LISP Header: Instance ID 4099, VRF Production
Inner IP Header (Src: www.cisco.com, Dst: Local EID)

LISP to Non-LISP Sites
Proxy Functionality

LISP Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and LISP Header Removed
• Instance ID Evaluated
• Placed in Production VRF
• New Inner MAC Header Appended
• Packet Forwarded to Destination EID

SRC MAC: fa:16:3e:f3:a7:e0 DST MAC: fa:16:3e:72:e4:6e SRC IP: 72.163.4.161 DST IP: 10.1.0.100 ICMP Type: 8

LISP within SD-Access

SDA Solution
Control and Data Plane

SDA EID Registration
MAP-REGISTER Functionality

LISP MAP-REGISTER Message
• Created by SDA Edge Node
• TYPE 3 Control Plane Message
• Registers IP Pool Space
• P bit Set

SRC MAC: 00:bf:77:e2:30:40 DST MAC: ec:1d:8b:0a:40:58 SRC IP: 192.168.110.4 DST IP: 192.168.110.1 LISP, Type: 0011 P Bit: SET, M bit: SET MAP RECORD: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

SDA EID Registration
MAP-NOTIFY Functionality

LISP MAP-NOTIFY Message
• Created by Control Plane Node
• TYPE 4 Control Plane Message
• Triggered by M bit in MAP-REGISTER
• Notifies Successful Registration

SRC MAC: ec:1d:8b:0a:40:58 DST MAC: 00:bf:77:e2:30:40 SRC IP: 192.168.110.1 DST IP: 192.168.110.4 LISP, TYPE: 0100 MAP RECORD: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

SDA Control Plane
SDA Eligibility Check

SDA Eligibility Criteria
• Doesn’t Care About Connected Route
• Originated by Local IP Pool Space

live_EdgeNode02#show ip route vrf Production 10.1.0.100
Routing Table: Production
Routing entry for 10.1.0.0/20
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan1021
      Route metric is 0, traffic share count is 1

live_EdgeNode02#show ip cef vrf Production 10.1.0.100 detail
10.1.0.0/20, epoch 2, flags [attached, connected, cover dependents, need deagg, subtree context, check lisp eligibility]
  LISP remote EID: 2 packets 1152 bytes fwd action signal, cfg as EID space, cfg as dynamic-EID space, dynamic EID need encap
  SC owned,sourced: LISP cfg dyn-EID - LISP configured dynamic-EID
  LISP EID attributes: localEID No, c-dynEID Yes, d-dynEID No
  LISP source path list
    attached to LISP0.4099
  Covered dependent prefixes: 3
    need deagg: 2
    notify cover updated: 1
  2 IPL sources [no flags]
  attached to LISP0.4099

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

SDA Control Plane
SDA Eligibility Check

SDA Eligibility Criteria
• LISP Registers SDA IP Pool
• LISP Mobility Feature Listens
• Registers Specific Endpoints
• No MAP-NOTIFY Group

live_EdgeNode02#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 4 entries

0.0.0.0/0, uptime: 00:01:10, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.1.0.0/20, uptime: 00:01:10, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
224.0.0.0/3, uptime: 00:00:43, expires: 00:00:16, via map-reply, forward-native
  Encapsulating to proxy ETR

live_EdgeNode02#show lisp instance-id 4099 dynamic-eid detail
LISP Dynamic EID Information for VRF "Production"
Dynamic-EID name: 10_1_0_0-Production
  Database-mapping EID-prefix: 10.1.0.0/20, locator-set rloc_3ed0dcce-39df-4f83-99da-7fa4499395ec
  Registering more-specific dynamic-EIDs
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: none configured
  Number of roaming dynamic-EIDs discovered: 1
  Last dynamic-EID discovered: 10.1.0.101, 00:00:54 ago
    10.1.0.101, Vlan1021, uptime: 00:00:54
      last activity: 00:00:54, discovered by: Packet Reception

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

Locating SDA Endpoints
MAP-REQUEST Functionality

LISP Encapsulated MAP-REQUEST Message
• Created by Local SDA Edge Node
• TYPE 8 Control Plane Message
• Negative Map-Cache Entry Triggered
• Sent to Map Resolver (MR)
• Request EID-to-RLOC mapping

SRC MAC: 00:bf:77:e2:30:40 DST MAC: ec:1d:8b:0a:40:58 SRC IP: 192.168.110.4 DST IP: 192.168.110.1 LISP, TYPE: 1000 SRC EID: 10.1.0.100 INSTANCE ID: 4099 MAP REQUEST: 10.1.0.101/32 INSTANCE ID: 4099 MAP REPLY: 10.1.0.100/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.4 P:10/W:10, MP:10/MW:10

Locating SDA Endpoints
MAP-REPLY Functionality

LISP MAP-REPLY Message
• Sent from MR to the ITR (P bit Set)
• TYPE 2 Control Plane Message
• Matches Against Site EID Prefixes

SRC MAC: ec:1d:8b:0a:40:58 DST MAC: 00:bf:77:e2:30:40 SRC IP: 192.168.110.1 DST IP: 192.168.110.4 LISP, TYPE: 0010 MAP RECORD: 10.1.0.101/32 AUTHORITATIVE BIT: NOT SET INSTANCE ID: 4099 LOCATOR RECORD: 192.168.110.5 P:10/W:10, MP:10/MW:10
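The control-plane fields called out on the Map-Register and Map-Reply slides (type nibble, P and M bits, action, authoritative bit, locator priority/weight) can be read straight off the wire using the RFC 6830 message layout. This is an added example, not code from the presentation; the sample messages are constructed, carry zero-filled authentication data, and encode EIDs as plain IPv4 (AFI 1) without the Instance-ID wrapper that the captures on the slides show.

```python
import ipaddress
import struct

TYPES = {1: "Map-Request", 2: "Map-Reply", 3: "Map-Register",
         4: "Map-Notify", 8: "Encapsulated Control Message"}
ACTIONS = {0: "no-action", 1: "natively-forward", 2: "send-map-request", 3: "drop"}


def parse_records(buf, count):
    """Decode `count` mapping records (IPv4 EIDs and locators only)."""
    records, off = [], 0
    for _ in range(count):
        ttl, nloc, mask, act_a, _ver, afi = struct.unpack_from("!IBBHHH", buf, off)
        off += 12
        if afi != 1:
            raise ValueError("example handles IPv4 (AFI 1) EIDs only")
        eid = ipaddress.IPv4Address(buf[off:off + 4])
        off += 4
        locators = []
        for _ in range(nloc):
            pri, wgt, _mp, _mw, _fl, lafi = struct.unpack_from("!BBBBHH", buf, off)
            off += 8
            if lafi != 1:
                raise ValueError("example handles IPv4 locators only")
            locators.append((str(ipaddress.IPv4Address(buf[off:off + 4])), pri, wgt))
            off += 4
        records.append({"eid": f"{eid}/{mask}", "ttl_min": ttl,
                        "action": ACTIONS.get(act_a >> 13, "unassigned"),
                        "authoritative": bool(act_a & 0x1000),
                        "locators": locators})
    return records


def parse_control(msg):
    """Decode the first word of a LISP control message and its records."""
    mtype = msg[0] >> 4
    out = {"type": TYPES.get(mtype, "unknown")}
    if mtype == 3:                                   # Map-Register
        out["proxy_reply"] = bool(msg[0] & 0x08)     # P bit
        out["want_notify"] = bool(msg[2] & 0x01)     # M bit
    if mtype in (3, 4):                              # Register/Notify layout
        _key_id, auth_len = struct.unpack_from("!HH", msg, 12)
        out["records"] = parse_records(msg[16 + auth_len:], msg[3])
    elif mtype == 2:                                 # Map-Reply
        out["records"] = parse_records(msg[12:], msg[3])
    return out


def build_record(prefix, ttl_min, act=0, authoritative=False, locators=()):
    """Constructed record; every locator gets P:10/W:10, MP:10/MW:10."""
    net = ipaddress.ip_network(prefix)
    rec = struct.pack("!IBBHHH", ttl_min, len(locators), net.prefixlen,
                      (act << 13) | (int(authoritative) << 12), 0, 1)
    rec += net.network_address.packed
    for rloc in locators:
        rec += struct.pack("!BBBBHH", 10, 10, 10, 10, 0, 1)
        rec += ipaddress.IPv4Address(rloc).packed
    return rec


AUTH = struct.pack("!HH", 1, 20) + bytes(20)   # constructed, zero-filled auth data
# Default LISP registration: P clear, M set, site prefix 10.1.0.0/24.
LISP_REGISTER = (bytes([0x30, 0, 0x01, 1]) + bytes(8) + AUTH
                 + build_record("10.1.0.0/24", 1440, locators=["192.168.110.4"]))
# SD-Access registration: P set, M set, host route 10.1.0.100/32.
SDA_REGISTER = (bytes([0x38, 0, 0x01, 1]) + bytes(8) + AUTH
                + build_record("10.1.0.100/32", 1440, locators=["192.168.110.4"]))
# Negative Map-Reply: coarse prefix, natively-forward, authoritative, no locator.
NEGATIVE_REPLY = (bytes([0x20, 0, 0, 1]) + bytes(8)
                  + build_record("64.0.0.0/2", 15, act=1, authoritative=True))

if __name__ == "__main__":
    for sample in (LISP_REGISTER, SDA_REGISTER, NEGATIVE_REPLY):
        print(parse_control(sample))
```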

SDA Data Plane
SDA Eligibility Check

SDA Eligibility Criteria
• Doesn’t Care About Connected Route
• Originated by Local IP Pool Space

live_EdgeNode01#show ip route vrf Production 10.1.0.101

Routing Table: Production
Routing entry for 10.1.0.0/20
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan1021
      Route metric is 0, traffic share count is 1

live_EdgeNode01# show ip cef vrf Production 10.1.0.101 detail
10.1.0.101/32, epoch 2, flags [subtree context, check lisp eligibility]
  SC owned,sourced: LISP remote EID - locator status bits 0x00000001
  LISP remote EID: 2 packets 1152 bytes fwd action encap, cfg as EID space, dynamic EID need encap
  SC inherited: LISP cfg dyn-EID - LISP configured dynamic-EID
  LISP EID attributes: localEID No, c-dynEID Yes, d-dynEID No
  LISP source path list
    nexthop 192.168.110.5 LISP0.4099
  2 IPL sources [no flags]
  nexthop 192.168.110.5 LISP0.4099

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

SDA Data Plane
SDA Eligibility Check

SDA Eligibility Criteria
• LISP Registers SDA IP Pool
• LISP Mobility Feature Listens
• Registers Specific Endpoints
• No MAP-NOTIFY Group

live_EdgeNode01#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 5 entries
0.0.0.0/0, uptime: 00:05:21, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.1.0.0/20, uptime: 00:05:21, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
10.1.0.101/32, uptime: 00:01:43, expires: 23:58:17, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt  Encap-IID
  192.168.110.5  00:01:43  up     10/10    -

live_EdgeNode01#show lisp instance-id 4099 dynamic-eid detail
LISP Dynamic EID Information for VRF "Production"
Dynamic-EID name: 10_1_0_0-Production
  Database-mapping EID-prefix: 10.1.0.0/20, locator-set rloc_3ed0dcce-39df-4f83-99da-7fa4499395ec
  Registering more-specific dynamic-EIDs
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: none configured
  Number of roaming dynamic-EIDs discovered: 1
  Last dynamic-EID discovered: 10.1.0.100, 00:00:54 ago
    10.1.0.100, Vlan1021, uptime: 00:00:54
      last activity: 00:00:54, discovered by: Packet Reception

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

SDA Data Plane
SDA Eligibility Check

SDA Eligibility Criteria
• LISP Registers SDA IP Pool
• LISP Mobility Feature Listens
• Registers Specific Endpoints
• No MAP-NOTIFY Group

live_EdgeNode01#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 5 entries
0.0.0.0/0, uptime: 00:05:21, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.1.0.0/20, uptime: 00:05:21, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
10.1.0.101/32, uptime: 00:01:43, expires: 23:58:17, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt  Encap-IID
  192.168.110.5  00:01:43  up     10/10    -

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

SDA Data Plane
VXLAN Data Encapsulation

VXLAN Data Encapsulation
• Inner MAC Header Preserved
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• VXLAN Header Appended
  - VNI Set
  - Group Policy ID Set

SRC MAC: 00:bf:77:e2:30:40 DST MAC: ec:1d:8b:0a:40:58 OUT SRC IP: 192.168.110.4 OUT DST IP: 192.168.110.5 UDP, SRC: 65283, DST: 4789 VXLAN, VNI: 4099 GROUP POLICY ID: 17 SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 IN SRC IP: 10.1.0.100 IN DST IP: 10.1.0.101 ICMP Type: 8

SDA Data Plane
VXLAN Data Encapsulation

Outer Ethernet Header
Outer IP Header (Src: live_EdgeNode01, Dst: live_EdgeNode02)
VXLAN Header: Group Policy 17, VNI 4099, VRF Production
Inner Ethernet Header
Inner IP Header (Src: Local Endpoint, Dst: Remote Endpoint)

SDA Data Plane
VXLAN Data Decapsulation

VXLAN Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and VXLAN Header Removed
• VNI Evaluated
• Placed in Production VRF
• Group Policy Evaluated
• Inner MAC Header Preserved
• Packet Forwarded to Destination Endpoint

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.100 DST IP: 10.1.0.101 ICMP Type: 8

LISP & VXLAN Headers
Similar Format - Different Payload

[Figure: side-by-side header layouts, "LISP Header - IP based" and "VXLAN Header - Ethernet based", each divided into OUTER HEADER, OVERLAY HEADER and INNER HEADER; the outer header is labelled 4789.]
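A decoder for the two 8-byte overlay headers compared above: the LISP data header on UDP 4341 (RFC 6830 layout, bare IP payload) and the VXLAN header carrying a Group Policy ID on UDP 4789 (layout from the VXLAN Group Policy Option draft, Ethernet payload). This is an added example, not code from the presentation; the sample packets are constructed from the field values on the encapsulation slides, and the function names are this example's own.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341   # LISP data plane
VXLAN_PORT = 4789       # VXLAN, used by the SD-Access data plane


def parse_inner_ipv4(pkt):
    """Return (src, dst) from a bare IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner payload is not IPv4")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])))


def parse_overlay(udp_dst_port, payload):
    """Decode the overlay header that follows the outer UDP header."""
    if len(payload) < 8:
        raise ValueError("truncated overlay header")
    flags = payload[0]
    word2 = struct.unpack("!I", payload[4:8])[0]
    rest = payload[8:]
    if udp_dst_port == LISP_DATA_PORT:
        i_bit = bool(flags & 0x08)
        out = {"overlay": "lisp", "l_bit": bool(flags & 0x40), "i_bit": i_bit,
               # With I set, the top 24 bits of word 2 are the Instance ID.
               "instance_id": (word2 >> 8) if i_bit else None,
               "inner_mac": None}            # inner MAC header was removed
    elif udp_dst_port == VXLAN_PORT:
        if not flags & 0x08:
            raise ValueError("VXLAN I flag clear: VNI not valid")
        g_bit = bool(flags & 0x80)           # Group Policy ID present
        gpid = struct.unpack("!H", payload[2:4])[0]
        out = {"overlay": "vxlan", "vni": word2 >> 8,
               "group_policy_id": gpid if g_bit else None}
        if len(rest) < 14:
            raise ValueError("truncated inner Ethernet header")
        # Inner MAC header is preserved: (source, destination).
        out["inner_mac"] = (rest[6:12].hex(":"), rest[0:6].hex(":"))
        if struct.unpack("!H", rest[12:14])[0] != 0x0800:
            raise ValueError("example handles untagged IPv4 only")
        rest = rest[14:]
    else:
        raise ValueError("not a LISP or VXLAN data port")
    out["inner_src"], out["inner_dst"] = parse_inner_ipv4(rest)
    return out


def build_ipv4(src, dst):
    """Constructed minimal IPv4 header, protocol ICMP, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


INNER_ETH = bytes.fromhex("fa163eddb764" "fa163ecedc4d" "0800")  # dst, src, IPv4
# xTR to xTR: L and I bits set, Instance ID 4099, locator-status bit 0 up.
LISP_SAMPLE = (bytes([0x48, 0, 0, 0]) + struct.pack("!I", (4099 << 8) | 0x01)
               + build_ipv4("10.1.0.100", "10.1.1.100"))
# Edge node to edge node: VNI 4099, Group Policy ID 17.
VXLAN_SAMPLE = (struct.pack("!BBH", 0x88, 0, 17) + struct.pack("!I", 4099 << 8)
                + INNER_ETH + build_ipv4("10.1.0.100", "10.1.0.101"))
# Border to edge node: VNI 4099, no Group Policy ID.
VXLAN_NO_GROUP = (struct.pack("!BBH", 0x08, 0, 0) + struct.pack("!I", 4099 << 8)
                  + INNER_ETH + build_ipv4("173.37.145.84", "10.1.0.101"))

if __name__ == "__main__":
    print(parse_overlay(LISP_DATA_PORT, LISP_SAMPLE))
    print(parse_overlay(VXLAN_PORT, VXLAN_SAMPLE))
    print(parse_overlay(VXLAN_PORT, VXLAN_NO_GROUP))
```

A monitoring point in the underlay sees only RLOC addresses in the outer header, so it needs this decode step to attribute traffic to the inner endpoints, the VRF (Instance ID or VNI) and the group tag.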

SDA Solution
Border Node to Non-SDA Reachability

SDA Default Border Node
Border Functionality

There are 2 Types of Border Nodes
• Fabric Border
  - Known Routes (DC, WLC, FW)
• Default Border
  - Unknown Routes (GLR)
• Uses PETR to Reach Border

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.101 DST IP: 173.37.145.84 ICMP Type: 8

SDA Default Border Node
Border Functionality

LISP MAP-REQUEST Message
• Created by PxTR
• TYPE 1 Control Plane Message
• Map-Cache Miss Triggered
• Sent to Map Resolver (MR)
• Request Specific Non-LISP Prefix Mapping

SRC MAC: 00:bf:77:e2:30:40 DST MAC: ec:1d:8b:0a:40:58 SRC IP: 192.168.110.5 DST IP: 192.168.110.1 LISP, Type: 1000 SRC EID: 10.1.0.101 INSTANCE ID: 4099 MAP REQUEST: 173.37.145.84/32 INSTANCE ID: 4099 MAP REPLY: 10.1.0.101/32 INSTANCE ID: 4099 LOCATOR: 192.168.110.5 P:10/W:10, MP:10/MW:10

SDA Border Node
Border Functionality

LISP MAP-REPLY Message
• Created by Authoritative ETR
• TYPE 2 Control Plane Message
• Provides Coarse Map Record
• Natively Forward if No PETR

SRC MAC: fa:16:3e:dd:b7:66 DST MAC: fa:16:3e:ce:dc:9d SRC IP: 192.168.110.1 DST IP: 192.168.110.5 LISP, TYPE: 0010 MAP RECORD: 128.0.0.0/2 ACTION: Natively-Forward AUTHORITATIVE BIT: SET INSTANCE ID: 4099

SDA Border Node
Border Functionality

EID to Non-LISP Packet
• Looks at Map-Cache
• Gets a Hit (128.0.0.0/2)
• Forward-Native
• Encapsulate Non-LISP to PETR
• Configured to 192.168.110.1

live_EdgeNode02#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 3 entries

0.0.0.0/0, uptime: 02:08:29, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
...
128.0.0.0/2, uptime: 00:07:50, expires: 00:07:09, via map-reply, forward-native
  Encapsulating to proxy ETR

live_EdgeNode02#show run | i etr | Production
 vrf forwarding Production
 use-petr 192.168.110.1
live_EdgeNode02#

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.101 DST IP: 173.37.145.84 ICMP Type: 8

SDA Border Node
Border Functionality

LISP Data Encapsulation
• Inner MAC Header Preserved
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• LISP Header Appended
  - L Bit Set
  - I Bit Set
  - Instance ID: 4099

SRC MAC: fa:16:3e:ce:dc:9d DST MAC: fa:16:3e:dd:b7:66 OUT SRC IP: 192.168.110.5 OUT DST IP: 192.168.110.1 UDP, SRC: 65472, DST: 4789 VXLAN, VNI: 4099 GROUP POLICY ID: 17 SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 IN SRC IP: 10.1.0.101 IN DST IP: 173.37.145.84 ICMP Type: 8

SDA Border Node
Border Functionality

Outer Ethernet Header
Outer IP Header (Src: live_EdgeNode02, Dst: live_Border01)
VXLAN Header: Group Policy 17, VNI 4099, VRF Production
Ethernet Header Preserved
Inner IP Header (Src: Local Endpoint, Dst: www.cisco.com)

SDA Border Node
Border Functionality

VXLAN Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and VXLAN Header Removed
• VNI Evaluated
• Placed in Production VRF
• Group Policy Evaluated
• Inner MAC Header Preserved
• Packet Forwarded to Destination Endpoint

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 10.1.0.101 DST IP: 173.37.145.84 ICMP Type: 8

SDA Border Node
Border Functionality

SDA Default Border
• Non-SDA to SDA Communication
• Advertises Summarized Prefix
• Close to Network Border

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 173.37.145.84 DST IP: 10.1.0.101 ICMP Type: 8

SDA Border Node
Border Functionality

SDA Border
• Non-SDA to SDA Communication
• Advertises Summarized Prefix
• Close to Network Border

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 173.37.145.84 DST IP: 10.1.0.101 ICMP Type: 8

live-sdaborder01#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 2 entries

0.0.0.0/0, uptime: 02:32:03, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.0.101/32, uptime: 1w1d, expires: 20:58:36, via map-reply, self, complete
  Locator        Uptime  State  Pri/Wgt  Encap-IID
  192.168.110.5  1w1d    up     10/10    -

live-sdaborder01#show run | i proxy
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.110.1
live-LISPMap#

SDA Border Node
Border Functionality

VXLAN Data Encapsulation
• Inner MAC Header Preserved
• Outer MAC Header Appended
• Outer IP Header Appended
  - SRC and DST RLOCs
• UDP Header Appended
  - Random SRC Port
  - Well Known DST Port
• VXLAN Header Appended
  - VNI Set
  - Group Policy ID Set

SRC MAC: fa:16:3e:ce:dc:9d DST MAC: fa:16:3e:dd:b7:66 OUT SRC IP: 192.168.110.1 OUT DST IP: 192.168.110.5 UDP, SRC: 65472, DST: 4789 VXLAN, VNI: 4099 GROUP POLICY ID: NONE SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 IN SRC IP: 173.37.145.84 IN DST IP: 10.1.0.101 ICMP Type: 8

SDA Border Node
Border Functionality

Outer Ethernet Header
Outer IP Header (Src: live_Border01, Dst: live_EdgeNode02)
VXLAN Header: Group Policy None, VNI 4099, VRF Production
Ethernet Header Preserved
Inner IP Header (Src: www.cisco.com, Dst: Local Endpoint)

SDA Border Node
Border Functionality

VXLAN Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and VXLAN Header Removed
• VNI Evaluated
• Placed in Production VRF
• Group Policy Evaluated
• Inner MAC Header Preserved
• Packet Forwarded to Destination Endpoint

SRC MAC: fa:16:3e:ce:dc:4d DST MAC: fa:16:3e:dd:b7:64 SRC IP: 173.37.145.84 DST IP: 10.1.0.101 ICMP Type: 8

Multicast Functionality with LISP and SDA

LISP Protocol
Multicast Control and Data Plane (Phase 1)

Multicast over LISP
Phase 1

Phase 1 Supports the Following Configurations:
• Supports Unicast Head-end Replication
• IPv4 EID over IPv4 RLOCs (Transport)
• IPv6 EID over IPv4 RLOCs (Transport)
• Supports EID in Virtual Routing and Forwarding (VRF)
• Supports Any Source Multicast (ASM) and Source Specific Multicast (SSM)
• Supports Static RP Configuration Only
• Supports Both LISP and Non-LISP capable Source and Receiver
• Does NOT Support RP Redundancy
• Does NOT Support LISP Mobility in Data Center

Multicast over LISP
Phase 1

• In general, LISP introduces a mapping function that relates site EID prefixes to associated RLOC address(es):
  - For unicast packets:
    o LISP semantics require mapping both source and destination addresses
    o Both source and destination are topologically significant
• When considering Multicast, LISP mapping functions require the following modifications:
  - For multicast packets:
    o LISP semantics require mapping of only the source (S) addresses
    o Only “source” (S) addresses are topologically significant in multicast
    o Destination “group” (G) addresses are topologically opaque (can be used anywhere)

Multicast over LISP
Phase 1 Overview

• LISP Multicast (RFC6831) defaults to multicast transport over a multicast enabled core
  - (S-EID, G)
    o S-EID is the source host
    o G is the group address that receivers “join”
    o state resides in both source and receiver sites
  - (S-RLOC, G)
    o S-RLOC is the ITR RLOC address on multicast tree
    o G is the group address receivers “join”
    o state resides in the core

Multicast over LISP
Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Register Messages
• PIM Register
• Sends First Packet to RP 10.1.1.1
• RP is 10.1.1.1

SRC MAC: fa:16:3e:72:e4:6e DST MAC: fa:16:3e:f3:a7:e0 SRC IP: 10.1.1.100 DST IP: 10.1.1.1 PIMv2, TYPE: REGISTER SRC IP: 10.1.1.100 DST IP: 239.0.0.1 ICMP: TYPE 8

Multicast over LISP
Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Register Messages
• PIM Register
• Sends First Packet to RP 10.1.0.1
• RP is 10.1.1.1

SRC MAC: fa:16:3e:93:eb:fc DST MAC: fa:16:3e:7e:ee:47 OUT SRC IP: 192.168.110.4 OUT DST IP: 192.168.110.5 UDP, SRC: 26213, DST: 4341 LISP, L Bit: SET, I Bit: SET INSTANCE ID: 4099 IN SRC IP: 10.1.0.100 IN DST IP: 10.1.1.1 PIMv2, TYPE: REGISTER SRC IP: 10.1.0.100 DST IP: 239.0.0.1 ICMP: TYPE 8

Multicast over LISP
Phase 1 Overview

LISP Multicast Phase 1
• IGMP Membership Report
• Sent from 10.1.0.100
• Received by 10.1.0.1 (live_xTR01)

SRC MAC: fa:16:3e:34:83:59 DST MAC: 01:00:5e:00:00:01 SRC IP: 10.1.0.100 DST IP: 239.0.0.1 PROTOCOL: IGMP IGMP,TYPE: MEMBERSHIP REPORT MULTICAST ADDRESS: 224.0.0.13

Multicast over LISP
Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Prune/Join Messages
• PIM Join
• Source is 10.1.0.1
• RP is 10.1.1.1
• Joins Root Path Tree
• Tells RP Forward Multicast

SRC MAC: fa:16:3e:b8:29:83 DST MAC: fa:16:3e:be:91:d1 OUT SRC IP: 192.168.110.4 OUT DST IP: 192.168.110.5 UDP, SRC: 36109, DST: 4341 LISP, L Bit: SET, I Bit: SET INSTANCE ID: 4099 IN SRC IP: 10.1.0.1 IN DST IP: 224.0.0.13 PIMv2, TYPE: JOIN/PRUNE

Multicast over LISP: Phase 1 Overview

Receiver Side ETR
• (S-EID, G) state:
• S-EID: 10.1.1.100
• Group: 239.0.0.1
• Incoming Interface: LISP0.4099
• Outgoing Interface: Gi0/2
• Head-End Replication
• No (S-RLOC, G) state in underlay

live_xTR01#show ip mroute vrf Production
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 00:27:09/00:03:16, RP 10.1.1.1, flags: SJC
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.5
  Outgoing interface list:
    GigabitEthernet0/2, Forward/Sparse, 00:27:09/00:03:16

(10.1.1.100, 239.0.0.1), 00:00:21/00:02:38, flags: T
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.5
  Outgoing interface list:
    GigabitEthernet0/2, Forward/Sparse, 00:00:21/00:03:21

(*, 224.0.1.40), 00:27:10/00:03:18, RP 10.1.1.1, flags: SJCL
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.5
  Outgoing interface list:
    GigabitEthernet0/2, Forward/Sparse, 00:27:09/00:03:18

Multicast over LISP: Phase 1 Overview

Source Side ITR
• (S-EID, G) state:
• S-EID: 10.1.1.100
• Group: 239.0.0.1
• Incoming Interface: Gi0/2
• Outgoing Interface: LISP0.4099
• Head-End Replication
• No (S-RLOC, G) underlay state

live_xTR02#show ip mroute vrf Production
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 00:25:02/stopped, RP 10.1.1.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    LISP0.4099, 192.168.110.4, Forward/Sparse, 00:25:02/00:03:04

(10.1.1.100, 239.0.0.1), 00:00:12/00:02:47, flags: T
  Incoming interface: GigabitEthernet0/2, RPF nbr 10.1.1.100
  Outgoing interface list:
    LISP0.4099, 192.168.110.4, Forward/Sparse, 00:00:12/00:03:17

(*, 224.0.1.40), 00:25:02/00:03:04, RP 10.1.1.1, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet0/2, Forward/Sparse, 00:24:47/00:02:50
    LISP0.4099, 192.168.110.4, Forward/Sparse, 00:25:02/00:03:04

Multicast over LISP: LISP Data Encapsulation

Receiver Side LISP Encapsulation
• PIM Neighbor Interfaces:
• Incoming Interface: LISP0.4099
• Outgoing Interface: Gi0/2
• LISP Phase 1 RP Configuration:
• Static RP 10.1.1.1
• RP LISP Reachability:
• Remote EID: 10.1.1.0/24
• RLOC: 192.168.110.5
• RPF Interface: LISP0.4099

live_xTR01#show ip pim vrf Production neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable,
      L - DR Load-balancing Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.0.100        GigabitEthernet0/2       00:48:15/00:01:27 v2    1 / DR S P G
192.168.110.5     LISP0.4099               00:53:24/00:01:37 v2    0 /

live_xTR01#show ip pim vrf Production rp
Group: 239.0.0.1, RP: 10.1.1.1, uptime 00:53:41, expires never
Group: 224.0.1.40, RP: 10.1.1.1, uptime 00:53:42, expires never

live_xTR01#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 2 entries

0.0.0.0/0, uptime: 01:07:28, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.1.0/24, uptime: 00:53:46, expires: 23:06:13, via map-reply, complete
  Locator        Uptime    State      Pri/Wgt
  192.168.110.5  00:53:46  up           1/100

Multicast over LISP: LISP Data Encapsulation

Source Side LISP Encapsulation
• PIM Neighbor Interfaces:
• Incoming Interface: Gi0/2
• Outgoing Interface: LISP0.4099
• LISP Phase 1 RP Configuration:
• Static RP 10.1.1.1 (This Router)
• RP LISP Reachability:
• Remote EID: No State
• RLOC: No State
• RPF Interface: LISP0.4099

live_xTR02#show ip pim vrf Production neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable,
      L - DR Load-balancing Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.1.100        GigabitEthernet0/2       00:46:53/00:01:22 v2    1 / DR S P G

live_xTR02#show ip pim vrf Production rp
Group: 239.0.0.1, RP: 10.1.1.1, next RP-reachable never
Group: 224.0.1.40, RP: 10.1.1.1, next RP-reachable never

live_xTR01#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 3 entries

0.0.0.0/0, uptime: 01:36:08, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.1.0/24, uptime: 01:20:24, expires: 22:39:36, via map-reply, self, complete
  Locator        Uptime    State      Pri/Wgt
  192.168.110.5  01:20:24  up, self     1/100

Multicast over LISP: LISP Data Encapsulation

Source Side LISP Encapsulation
• Multicast Traffic Flow:
• Source: 10.1.1.100
• Group: 239.0.0.1
• Type: ICMP Echo
• Follows SPT to Rendezvous Point
• Static RP address 10.1.1.1

SRC MAC: fa:16:3e:0a:fd:33
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.1.100
DST IP: 239.0.0.1
ICMP: TYPE 8

Multicast over LISP: LISP Data Encapsulation

Source Side LISP Encapsulation
• Inner MAC Header Removed
• Outer MAC Header Appended
• Outer IP Header Appended
• SRC and DST RLOCs
• UDP Header Appended
• Random SRC Port
• Well Known DST Port
• LISP Header Appended
• L Bit Set
• I Bit Set
• Instance ID: 4099

SRC MAC: fa:16:3e:b8:29:83
DST MAC: fa:16:3e:be:91:d1
OUT SRC IP: 192.168.110.5
OUT DST IP: 192.168.110.4
UDP, SRC: 58724, DST: 4341
LISP, L Bit: SET, I Bit: SET
INSTANCE ID: 4099
IN SRC IP: 10.1.1.100
IN DST IP: 239.0.0.1
ICMP Type: 8

Multicast over LISP: LISP Data Encapsulation

[Packet capture screenshot; annotations:]
• Outer Ethernet Header
• Outer IP Header (Src: live_xTR02, Dst: live_xTR01)
• LISP Header
• Instance ID 4099, VRF Production
• Inner IP Header (Src: S-EID, Dst: G)
• Multicast Traffic Generated by “ping 239.0.0.1” command

Multicast over LISP: LISP Data Decapsulation

LISP Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and LISP Header Removed
• Instance ID Evaluated
• Placed in Production VRF
• New Inner MAC Header Appended
• Packet Forwarded to Destination EID

SRC MAC: fa:16:3e:a8:68:f1
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.1.100
DST IP: 239.0.0.1
ICMP Type: 8

SDA Solution Multicast Control and Data Plane

Multicast over SDA: Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Register Messages
• PIM Register
• Sends First Packet to RP 10.1.16.5
• RP is 10.1.16.1

SRC MAC: 1c:e8:5d:af:00:00
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.0.101
DST IP: 239.0.0.1
UDP: SRC: 4000, DST: 4000

Multicast over SDA: Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Register Messages
• PIM Register
• Sends First Packet to RP 10.1.16.5
• RP is 10.1.16.1

SRC MAC: 1c:e8:5d:af:99:c0
DST MAC: ec:1d:8b:0a:40:76
Out SRC IP: 192.168.110.5
Out DST IP: 192.168.110.1
UDP, SRC: 26213, DST: 4341
VXLAN, VNI: 4099
GROUP POLICY ID: 0
SRC IP: 10.1.16.5
DST IP: 10.1.16.1
PIMv2, TYPE: REGISTER
SRC IP: 10.1.0.101
DST IP: 239.0.0.1
ICMP: TYPE 8

Multicast over SDA: Phase 1 Overview

LISP Multicast Phase 1
• IGMP Membership Report
• Sent from 10.1.0.100
• Received by 10.1.16.4 (live_EdgeNode01)

SRC MAC: fa:16:3e:34:83:59
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.0.100
DST IP: 239.0.0.1
PROTOCOL: IGMP
IGMP, TYPE: MEMBERSHIP REPORT
MULTICAST ADDRESS: 224.0.0.13

Multicast over SDA: Phase 1 Overview

LISP Multicast Phase 1
• LISP Encapsulation PIM
• Prune/Join Messages
• PIM Join
• Source is 10.1.16.4
• RP is 10.1.16.1
• Joins Root Path Tree
• Tells RP Forward Multicast

SRC MAC: 00:bf:77:e2:30:40
DST MAC: ec:1d:8b:0a:40:58
Out SRC IP: 192.168.110.4
Out DST IP: 192.168.110.1
UDP, SRC: 2056, DST: 4789
VXLAN, VNI: 4099
GROUP POLICY ID: 17
SRC MAC: 00:bf:77:e2:30:40
DST MAC: ba:25:cd:f4:ad:38
SRC IP: 10.1.16.4
DST IP: 224.0.0.13
PIMv2, TYPE: JOIN

Multicast over SDA: Phase 1 Overview

Receiver Side ETR
• (S-EID, G) state:
• S-EID: 10.1.0.101
• Group: 239.0.0.1
• Incoming Interface: LISP0.4099
• Outgoing Interface: Vlan1021
• Head-End Replication
• No (S-RLOC, G) state in underlay

live-EdgeNode1#show ip mroute vrf Production
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 00:29:42/stopped, RP 10.1.16.1, flags: SJC
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.1
  Outgoing interface list:
    Vlan1021, Forward/Sparse, 00:29:42/00:02:16

(10.1.0.101, 239.0.0.1), 00:28:24/00:00:56, flags: JT
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.5
  Outgoing interface list:
    Vlan1021, Forward/Sparse, 00:28:24/00:02:16

(*, 224.0.1.40), 00:29:43/00:02:20, RP 10.1.16.1, flags: SJCL
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.1
  Outgoing interface list:
    Loopback4099, Forward/Sparse, 00:29:42/00:02:20

Multicast over SDA: Phase 1 Overview

Source Side ITR
• (S-EID, G) state:
• S-EID: 10.1.1.101
• Group: 239.0.0.1
• Incoming Interface: Vlan1021
• Outgoing Interface: LISP0.4099
• Head-End Replication
• No (S-RLOC, G) underlay state

live-EdgeNode02#show ip mroute vrf Production
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.0.0.1), 00:23:53/stopped, RP 10.1.16.1, flags: SPF
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.1
  Outgoing interface list: Null

(10.1.0.101, 239.0.0.1), 00:23:53/00:01:37, flags: FT
  Incoming interface: Vlan1021, RPF nbr 0.0.0.0
  Outgoing interface list:
    LISP0.4099, 192.168.110.4, Forward/Sparse, 00:23:52/00:03:13

(*, 224.0.1.40), 00:27:26/00:02:35, RP 10.1.16.1, flags: SJCL
  Incoming interface: LISP0.4099, RPF nbr 192.168.110.1
  Outgoing interface list:
    Loopback4099, Forward/Sparse, 00:27:25/00:02:35

Multicast over SDA: SDA Data Encapsulation

Receiver Side LISP Encapsulation
• PIM Neighbor Interfaces:
• Incoming Interface: LISP0.4099
• Outgoing Interface: Vlan1021
• Static RP 10.1.16.1
• RP LISP Reachability:
• Remote EID: 10.1.1.0/24
• RLOC: 192.168.110.5
• RPF Interface: LISP0.4099

live_EdgeNode01#show ip pim vrf Production neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable,
      L - DR Load-balancing Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.110.1     LISP0.4099               00:53:28/00:01:52 v2    0 /

live_EdgeNode01#show ip pim vrf Production rp
Group: 239.0.0.1, RP: 10.1.16.1, uptime 00:50:50, expires never

live_EdgeNode01#show ip lisp instance-id 4099 map-cache
LISP IPv4 Mapping Cache for EID-table vrf Production (IID 4099), 3 entries

0.0.0.0/0, uptime: 00:54:50, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.1.0.0/20, uptime: 00:54:50, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
10.1.0.100/32, uptime: 00:51:14, expires: 23:08:45, via map-reply, self, complete
  Locator        Uptime    State      Pri/Wgt     Encap-IID
  192.168.110.4  00:51:14  up, self    10/10        -
10.1.16.1/32, uptime: 00:54:27, expires: 23:05:32, via map-reply, complete
  Locator        Uptime    State      Pri/Wgt     Encap-IID
  192.168.110.1  00:54:27  up          10/10

SRC MAC: 1c:e8:5d:af:00:00
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.0.101
DST IP: 239.0.0.1
UDP: SRC:4000, DST:4000

Multicast over SDA: SDA Data Encapsulation

VXLAN Data Encapsulation
• Inner MAC Header Preserved
• Outer MAC Header Appended
• Outer IP Header Appended
• SRC and DST RLOCs
• UDP Header Appended
• Random SRC Port
• Well Known DST Port
• VXLAN Header Appended
• VNI Set
• Group Policy ID Set

SRC MAC: 1c:e8:5d:af:99:c0
DST MAC: ec:1d:8b:0a:40:76
Out SRC IP: 192.168.110.5
Out DST IP: 192.168.110.4
UDP, Src: 65472, Dst: 4789
VXLAN, VNI: 4099
GROUP POLICY ID: 17
SRC MAC: 1c:e8:5d:af:00:00
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.0.101
DST IP: 239.0.0.1
UDP: SRC:4000, DST:4000

Multicast over SDA: SDA Data Encapsulation

[Packet capture screenshot; annotations:]
• Outer Ethernet Header
• Outer IP Header (Src: live_EdgeNode02, Dst: live_EdgeNode01)
• VXLAN Header
• Group Policy None
• VNI 4099, VRF Production
• Ethernet Header Preserved
• Inner IP Header (Src: S-EID, Dst: Group)

Multicast over SDA: SDA Data Decapsulation

VxLAN Data Decapsulation
• Outer MAC Header Removed
• Outer IP Header Removed
• UDP and VXLAN Header Removed
• VNI Evaluated
• Placed in Production VRF
• Group Policy Evaluated
• Inner MAC Header Preserved
• Packet Forwarded to Destination Endpoint

SRC MAC: 1c:e8:5d:af:00:00
DST MAC: 01:00:5e:00:00:01
SRC IP: 10.1.0.101
DST IP: 239.0.0.1
UDP: SRC:4000, DST:4000
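The header evaluation that the LISP and VXLAN decapsulation slides describe (instance ID or VNI mapped to a VRF, Group Policy ID read from the VXLAN header), as an added example that is not from the original slides. It assumes the RFC 6830 LISP data header layout and the VXLAN Group Policy extension layout; the function names, the VRF table, the sample bytes and the drop-on-unknown-ID behaviour are constructed for illustration.

```python
import struct

LISP_DATA_PORT = 4341  # UDP destination port of the LISP captures on the slides
VXLAN_PORT = 4789      # UDP destination port of the VXLAN data captures

# Constructed table: instance ID / VNI -> VRF, mirroring "4099 -> Production".
VRF_BY_ID = {4099: "Production"}


def parse_lisp(hdr: bytes) -> dict:
    """Decode the 8-byte LISP data header (RFC 6830 layout)."""
    if len(hdr) < 8:
        raise ValueError("truncated LISP header")
    word1, word2 = struct.unpack("!II", hdr[:8])
    flags = word1 >> 24
    i_bit = bool(flags & 0x08)          # instance ID present
    return {
        "encap": "lisp",
        "l_bit": bool(flags & 0x40),    # locator-status-bits field in use
        "i_bit": i_bit,
        # With I set, the upper 24 bits of word 2 are the instance ID.
        "instance_id": (word2 >> 8) if i_bit else None,
        "group_policy_id": None,        # no group tag in the LISP header
    }


def parse_vxlan_gpo(hdr: bytes) -> dict:
    """Decode the 8-byte VXLAN header with the Group Policy extension."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _flags2, gpid, vni_word = struct.unpack("!BBHI", hdr[:8])
    g_bit = bool(flags & 0x80)          # Group Policy ID field is valid
    i_bit = bool(flags & 0x08)          # VNI field is valid
    return {
        "encap": "vxlan-gpo",
        "i_bit": i_bit,
        "instance_id": (vni_word >> 8) if i_bit else None,
        "group_policy_id": gpid if g_bit else None,
    }


def decapsulate(udp_dst_port: int, payload: bytes) -> dict:
    """Pick the parser by UDP port, then resolve the VRF from the ID.
    Assumption of this example: an ID with no VRF mapping is dropped."""
    if udp_dst_port == LISP_DATA_PORT:
        info = parse_lisp(payload)
    elif udp_dst_port == VXLAN_PORT:
        info = parse_vxlan_gpo(payload)
    else:
        raise ValueError(f"not an overlay port: {udp_dst_port}")
    info["vrf"] = VRF_BY_ID.get(info["instance_id"])
    info["action"] = "forward" if info["vrf"] else "drop"
    return info


# Constructed header bytes matching the field values shown on the slides.
LISP_SAMPLE = bytes.fromhex("4800000000100301")   # L+I set, IID 4099
VXLAN_SAMPLE = bytes.fromhex("8800001100100300")  # G+I set, GPID 17, VNI 4099
UNKNOWN_VNI = bytes.fromhex("8800001100ffff00")   # VNI 65535, no VRF mapped

if __name__ == "__main__":
    for port, pkt in ((4341, LISP_SAMPLE), (4789, VXLAN_SAMPLE), (4789, UNKNOWN_VNI)):
        print(decapsulate(port, pkt))
```

Only the VXLAN path yields a Group Policy ID, which is why the SDA decapsulation list has a "Group Policy Evaluated" step that the plain LISP list lacks.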

LISP Multicast Head End Replication

• Group-Prefix: 239.2.0.0/24
• Multicast Stream: Source: 192.3.0.1, Group: 239.2.0.1
• Mapping Entry, Replicator-Set:
  3.1.1.1, priority: 1, weight: 50 (D1)
  2.1.2.1, priority: 1, weight: 50 (D2)
• Replicated copies from the PXTR (4.4.4.4):
  4.4.4.4 → 3.1.1.1, carrying 192.3.0.1 → 239.2.0.1
  4.4.4.4 → 2.1.2.1, carrying 192.3.0.1 → 239.2.0.1

[Figure: topology with numbered steps 1 to 5, showing source S1 in the Non-LISP network, PXTR 4.4.4.4, the Mapping System, the IP Network (5.1.1.1, 5.2.2.2, 5.3.3.3), ETRs 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1, and the Campus and DC sites (D1, D2; 10.2.0.0/24, 10.3.0.0/24).]

Conclusion

SD-Access Resources: Would you like to know more?

cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Design Guide
• SD-Access FAQs
• SD-Access Migration Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper

cisco.com/go/dnacenter
• DNA Center At-A-Glance
• DNA Center 'How To' Video Resources
• DNA Center Data Sheet

cisco.com/go/cvd
• SD-Access Design Guide - Dec 2017
• SD-Access Deploy Guide - Jan 2018

IETF LISP WG: LISP Status
http://tools.ietf.org/wg/lisp/

LISP RFCs
• Locator/ID Separation Protocol (LISP) base document: RFC 6830
• LISP Multicast: RFC 6831
• LISP Interworking: RFC 6832
• LISP Map Server: RFC 6833
• LISP Map Versioning: RFC 6834
• LISP Internet Groper: RFC 6835
• LISP+ALT: RFC 6836
• LISP MIB: RFC 7052
• LISP Deployment: RFC 7215
• LISP Impact: RFC 7834
• LISP Threats: RFC 7835
• LISP EID Block: RFC 7954
• LISP EID Block MGMT: RFC 7955
• LISP LCAF: RFC 8060
• LISP Crypto: RFC 8061
• LISP Delegated Database Tree (LISP-DDT): RFC 8111
• LISP Type IANA: RFC 8113
• LISP Signal Free Multicast: RFC 8378

IETF LISP WG: LISP Status
http://tools.ietf.org/wg/lisp/

LISP Experimental Drafts (Draft: Target)
• LISP Traffic Engineering: Active
• LISP Geo-Coordinate: Active
• LISP Security (SEC): Active
• LISP Predictive RLOCs: Active
• LISP YANG Model: Active
• LISP Mobile Node: Active
• LISP EID Mobility w/ Unified Control Plane: Active
• LISP Generic Protocol Extension (GPE): Active
• LISP Based FlowMapping for Scaling NFV: Active

LISP Status

EMAIL: [email protected]

LISP Beta Network – International R&D and demonstration network
• LISP Community Operated:
  - More than 5+ years of operation…
  - More than ~600+ Sites, 45+ countries…
• Interoperable LISP implementations:
  - Cisco
    o IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
    o Cisco IOS-XR (CRS3, ASR9K)
    o Cisco NX-OS (N7K)
    o Cisco Cat6K
  - AVM “FRITZ!Box”
  - OpenWrt
  - Open Source
    o FreeBSD: OpenLISP and more…
    o : Aless, LISPmob, OpenWrt
    o Android
  - Plus some others… ;-)

http://www.lisp4.net
http://www.lisp.intouch.eu/
http://vinciconsulting.com/vxnet
http://www.itris-enterprise.ch/

LISP References: Links and emails

WEB: http://lisp.cisco.com

EMAIL: [email protected]

Thank you