LISP A Next Generation Networking Architecture


2 LISP A Next Generation Networking Architecture Victor Moreno Distinguished Engineer #clmel

3 Agenda
- LISP Overview
- LISP Operations
- How to set up LISP
- LISP Deployment Examples
- LISP Status
- LISP Summary

4 LISP Overview

5 LISP Overview: Original Motivation
An IP address overloads location and identity.
- Today addressing follows topology
  - Efficient aggregation is only available for Provider Assigned (PA) addresses
  - Ingress Traffic Engineering usually requires Provider Independent (PI) addresses and the injection of more specifics; this limits route aggregation compactness
  - IPv6 does not fix this
- Route scaling issues drive system costs higher
  - Forwarding plane (FIB) requires expensive memory
  - Route scaling drivers are also seen in Data Centres and for Mobility, not just the Internet DFZ
"routing scalability is the most important problem facing the Internet today and must be solved": Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984)

6 Locator/ID Split and LISP: Routing and Addressing Architecture of the Internet Protocol
- Addresses today combine location and identity semantics in a single 32-bit or 128-bit number
- Separating Location and Identity changes this
  - Provide a clear separation at the Network Layer between what we are looking for vs. how best to get there
  - Translation vs. Tunnelling is a key question
- Network Layer Identifier: WHO you are in the network
  - Long-term binding to the thing that they name; does not change often at all
- Network Layer Locator: WHERE you are in the network
  - Think of the source and destination addresses used in routing and forwarding
- WHERE you are can change; WHO you are should be the same

7 LISP Overview: LISP, a Routing Architecture, Not a Feature
- LISP changes the routing architecture to implement a level of indirection between a host's IDENTITY and its LOCATION in the network
- LISP changes the current ROUTING Architecture
  - Changes lead to DISRUPTION
  - Disruption leads to OPPORTUNITIES
- LISP allows both SPs and Enterprises to do remarkably different things than allowed by traditional approaches
- LISP enables NEW services (VPNs, IPv6, Mobility, cloud) in one, common, simple architecture

8 LISP Overview: LISP, a Routing Architecture, Not a Feature
- Uses pull vs. push routing
  - OSPF and BGP are push models; routing stored in the forwarding plane
  - LISP is a pull model; analogous to DNS; massively scalable
- An over-the-top technology
  - Address Family agnostic
  - Incrementally deployable
  - End systems can be unaware of LISP
- Deployment simplicity
  - No host changes
  - Minimal CPE changes
  - Some new core infrastructure components
- LISP use-cases are complementary
  - Simplified multi-homing with Ingress Traffic Engineering; no need for BGP
  - Address Family agnostic support
  - Virtualisation support
  - End-host mobility without renumbering
- Enables IP Number Portability
  - Never change host IPs; no renumbering costs
  - No DNS changes; name == EID binding
  - Session survivability
- An Open Standard
  - Being developed in the IETF
  - No Cisco Intellectual Property Rights on Protocol

9 LISP Operations

10 LISP Operations: Main attributes of LISP
LISP namespaces:
- EID (Endpoint Identifier) is the IP address of a host, just as it is today
- RLOC (Routing Locator) is the IP address of the LISP router for the host
- EID-to-RLOC mapping is the distributed architecture that maps EIDs to RLOCs

EID-to-RLOC mapping (MS/MR):
  EID          RLOC
  a.a.a.0/24   w.x.y.1
  b.b.b.0/24   x.y.w.2
  c.c.c.0/24   z.q.r.5
  d.d.0.0/16   z.q.r.5

RLOC space routing table:
  Prefix    Next-hop
  w.x.y.1   e.f.g.h
  x.y.w.2   e.f.g.h
  z.q.r.5   e.f.g.h
  z.q.r.5   e.f.g.h

[Diagram labels: Non-LISP, EID Space, RLOC Space]

- Network-based solution
- No host changes
- Minimal configuration
- No DNS changes
- Address Family agnostic
- Incrementally deployable (supports LISP and non-LISP)
- Support for mobility

11 LISP Operations: LISP Mapping Resolution, a Level of Indirection
The LISP level of indirection is analogous to a DNS lookup.
- DNS name-to-IP URL resolution: DNS resolves IP addresses for a URL, answering the "WHO IS" question
  - host to DNS server: [ who is lisp.cisco.com ]?
  - DNS server to host: [ , 2610:D0:110C:1::3 ]
- LISP identity-to-locator mapping resolution: LISP resolves locators for queried identities, answering the "WHERE IS" question
  - LISP router to LISP Mapping System: [ where is 2610:D0:110C:1::3 ]?
  - LISP Mapping System to LISP router: [ locator is , ]

12 LISP Operations: LISP IPv4 EID/IPv4 RLOC Data Plane Header Example
- IPv4 Outer Header: ITR supplies RLOCs
- UDP Header
- LISP Header
- IPv4 Inner Header: Host supplies EIDs

13 LISP Operations: LISP Encapsulation Combinations
IPv4 and IPv6 supported. Each packet is [Outer Header][UDP][LISP][Inner Header]; the combinations (outer/inner) are:
- IPv4/IPv4
- IPv4/IPv6
- IPv6/IPv4
- IPv6/IPv6
Q: Doesn't encapsulation cause MTU issues?
A: It can, but preparation limits issues.
- Encapsulation overhead is 36B IPv4 and 56B IPv6
- LISP supports stateful (PMTUD) and stateless (fragmentation) options
- Tunnel/MTU issues are well known (GRE, IPsec, etc.) and are usually operationally tractable

14 LISP Operations: LISP Data Plane, Ingress/Egress Tunnel Router (ITR/ETR)
ITR (Ingress Tunnel Router):
- Receives packets from site-facing interfaces
- Encap to remote LISP sites, or native-fwd to non-LISP sites
ETR (Egress Tunnel Router):
- Receives packets from core-facing interfaces
- De-cap and deliver packets to local EIDs at site
[Diagram: LISP Site 1 (host S, PI EID-prefix 2001:db8:1::/48) and LISP Site 2 (host D, PI EID-prefix 2001:db8:2::/48), each with two ITR/ETR routers, connected by packet flows through Providers A, B, C and D]

15 LISP Operations: LISP Data Plane, Unicast Packet Flow
Map-Cache Entry:
  EID-prefix: 2001:db8:2::/48
  Locator-set:
    , priority: 1, weight:
    , priority: 1, weight: 50
This policy is controlled by the destination site.
[Diagram: numbered steps 1 to 7 of a packet 2001:db8:1::1 -> 2001:db8:2::1 from S (LISP Site 1, PI EID-prefix 2001:db8:1::/48) to D (LISP Site 2, PI EID-prefix 2001:db8:2::/48), starting with the DNS entry D.abc.com AAAA, encapsulated by a Site 1 ITR, carried through Providers A, B, C and D, and decapsulated by a Site 2 ETR]

16 LISP Operations: LISP Data Plane, Ingress/Egress Tunnel Router (ITR/ETR)
router lisp
 locator-set SITE
   priority 1 weight
   priority 1 weight 50
  exit
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE
  exit
 ipv6 itr map-resolver
 ipv6 itr
 ipv6 etr map-server key S3cr3t-2
 ipv6 etr
 exit
ip route (or )
Identical configs on both s
[Diagram: LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) and LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48) connected through Providers A, B, C and D]

17 LISP Operations: LISP Control Plane, Introduction
LISP Control Plane provides on-demand mappings:
- Control Plane is separate from the Data Plane (UDP 4342 vs UDP 4341)
- Map-Resolver and Map-Server (similar to DNS Resolver and DNS Server)
- LISP Control Plane Messages for EID-to-RLOC resolution
- Distributed databases and map-caches hold mappings

18 LISP Operations: LISP Control Plane, Map-Server/Map-Resolver (MS/MR)
MR (Map-Resolver):
- Receives Map-Request from ITR
- Forwards Map-Request to Mapping System
- Sends Negative Map-Replies in response to Map-Requests for non-LISP sites
MS (Map-Server):
- LISP site ETRs register their EID prefixes here; requires configured LISP site policy, authentication key
- Receives Map-Requests via Mapping System, forwards them to registered ETRs
[Diagram: Mapping System (MR, MS) above LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) and LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48), connected through Providers A, B, C and D]

19 LISP Operations: LISP Control Plane, Map-Server/Map-Resolver (MS/MR)
LISP Site Mapping-Database (ETR):
- EID-to-RLOC mappings in all ETRs for local LISP site
- ETR is authoritative for its EIDs, sends Map-Replies to ITRs
- ETRs can tailor policy based on Map-Request source
LISP Map Cache (ITR):
- Only stores mappings for sites the ITR is currently sending packets to
- Populated by receiving Map-Replies from ETRs
- ITRs must respect Map-Reply policy (TTLs, RLOC up/down status, RLOC priorities/weights)
[Diagram: Mapping System (MR, MS) above LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) and LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48), connected through Providers A, B, C and D]
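An added sketch (not from the slides and not any vendor's implementation) of how an ITR map-cache can honour the Map-Reply policy listed above: longest-prefix match on the EID, TTL expiry, RLOC up/down state and priority/weight selection. The RLOC addresses, class names and flow hash are assumptions made for illustration; lower priority values are preferred and weights split load among equal-priority locators, as in the LISP specification.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Locator:
    rloc: str            # constructed documentation address, not from the slides
    priority: int        # lower value is preferred; 255 means "do not use"
    weight: int          # traffic share among locators with the same priority
    up: bool = True      # RLOC up/down status


@dataclass
class MapCacheEntry:
    eid_prefix: Network
    locators: List[Locator]
    expires_at: float    # install time + Map-Reply TTL


class MapCache:
    """ITR-side cache: only holds mappings learned from Map-Replies."""

    def __init__(self) -> None:
        self.entries: List[MapCacheEntry] = []

    def install(self, eid_prefix: str, locators: List[Locator],
                ttl_seconds: float, now: float) -> None:
        net = ipaddress.ip_network(eid_prefix)
        # A fresh Map-Reply replaces any older entry for the same prefix.
        self.entries = [e for e in self.entries if e.eid_prefix != net]
        self.entries.append(MapCacheEntry(net, list(locators), now + ttl_seconds))

    def lookup(self, dst_eid: str, now: float) -> Optional[MapCacheEntry]:
        """Longest-prefix match over unexpired entries; None is a cache miss."""
        addr = ipaddress.ip_address(dst_eid)
        self.entries = [e for e in self.entries if e.expires_at > now]
        hits = [e for e in self.entries
                if e.eid_prefix.version == addr.version and addr in e.eid_prefix]
        return max(hits, key=lambda e: e.eid_prefix.prefixlen, default=None)

    def select_rloc(self, src_eid: str, dst_eid: str, now: float) -> Optional[str]:
        """Pick the RLOC to encapsulate to, or None (miss: send a Map-Request)."""
        entry = self.lookup(dst_eid, now)
        if entry is None:
            return None
        usable = [l for l in entry.locators if l.up and l.priority != 255]
        if not usable:
            return None
        best = min(l.priority for l in usable)
        group = sorted((l for l in usable if l.priority == best),
                       key=lambda l: l.rloc)
        # Hash the flow so that one flow always maps to the same RLOC.
        digest = hashlib.sha256(f"{src_eid}|{dst_eid}".encode()).digest()
        h = int.from_bytes(digest[:8], "big")
        total = sum(l.weight for l in group)
        if total == 0:
            return group[h % len(group)].rloc
        point = h % total
        for loc in group:
            if point < loc.weight:
                return loc.rloc
            point -= loc.weight
        return group[-1].rloc  # not reached; keeps the function total


def demo_cache(now: float = 0.0) -> MapCache:
    """Constructed sample: the Site 2 prefix with two equal locators (1/50, 1/50)."""
    cache = MapCache()
    cache.install("2001:db8:2::/48",
                  [Locator("192.0.2.1", 1, 50), Locator("198.51.100.1", 1, 50)],
                  ttl_seconds=86400, now=now)
    return cache
```

A miss (None) is the point at which a real ITR would send a Map-Request; expiring entries on TTL and skipping down locators keeps it from encapsulating to a stale or unreachable RLOC.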

20 LISP Operations: LISP Control Plane, Control Plane Messages
Control Plane EID Registration:
- Map-Register message
  - Sent by ETR to Map-Server to register its associated EID prefixes
  - Specifies RLOC(s) to be used by the MS when forwarding Map-Requests to the ETR
Control Plane "Data-triggered" mapping services:
- Map-Request message
  - Sent by an ITR to Map-Resolver to learn an EID/RLOC mapping, test an RLOC for reachability, refresh a mapping before TTL expiration, or respond to a Solicit Map-Request (SMR)
  - Sent by an ETR (with S bit set) as a Solicit Map-Request (SMR) to signal site change
- Map-Reply message
  - Sent by an ETR to an ITR in response to a valid Map-Request to provide EID/RLOC mapping and site ingress policy for the requested EID
- Map-Notify message
  - Sent by Map-Server to an ETR to acknowledge successful registration of an EID prefix

21 LISP Operations: LISP Control Plane, Map-Register
[Diagram: the ETRs of LISP Site 2 (PI EID-prefix 2001:db8:2::/48) each send a LISP Map-Register (udp 4342), authenticated with SHA2 HMAC, carrying the site's EID prefix and locators to the MS in the Mapping System; LISP Site 1 (PI EID-prefix 2001:db8:1::/48) and other sites attach through Providers A, B, C and D]

22 LISP Operations: LISP Control Plane, Map-Request/Map-Reply
[Diagram, numbered steps: S at LISP Site 1 resolves the DNS entry D.abc.com AAAA and sends 2001:db8:1::1 -> 2001:db8:2::1. The Site 1 ITR asks "Is 2001:db8:2::1 a LISP destination?" and sends a LISP ECM (udp 4342) carrying a Map-Request (udp 4342, nonce) for 2001:db8:2::1 to the MR/MS, which forwards the LISP ECM (udp 4342) to a Site 2 ETR. The ETR answers the ITR with a Map-Reply (udp 4342) carrying the nonce, a TTL, the EID prefix 2001:db8:2::/ and two locators [1, 50] [1, 50].]
Map-Cache Entry:
  EID-prefix: 2001:db8:2::/48
  Locator-set:
    , priority: 1, weight:
    , priority: 1, weight:

23 LISP Operations: LISP Control Plane, Map-Request/Proxy-Map-Reply
[Diagram, numbered steps: the Site 2 ETRs send a LISP Map-Register (udp 4342) with SHA2 HMAC and the Proxy-Bit set for 2001:db8:2::/ . A Site 1 ITR sends a LISP ECM (udp 4342) carrying a Map-Request (udp 4342, nonce) for 2001:db8:2::1 to the MR/MS, and the Map-Reply (udp 4342) with nonce, TTL, 2001:db8:2::/ and locators [1, 50] [1, 50] is returned to the ITR.]
Map-Cache Entry:
  EID-prefix: 2001:db8:2::/48
  Locator-set:
    , priority: 1, weight:
    , priority: 1, weight: 50

24 LISP Operations: LISP Control Plane, Map-Request/Negative-Map-Reply
[Diagram, numbered steps: S at LISP Site 1 sends 2001:db8:1::1 -> 2001:db7:1::1. The ITR asks "Is 2001:db7:1::1 a LISP destination?" and sends a LISP ECM (udp 4342) carrying a Map-Request (udp 4342, nonce) for 2001:db7:1::1 to the MR/MS. The Map-Resolver answers with a Negative-Map-Reply (udp 4342) carrying the nonce, a TTL and 2001:8000::/21.]
Map-Cache Entry:
  EID-prefix: 2001:8000::/21
  forward-native
Notes:
- When an ITR queries for a destination that is not in the Mapping System, the Map-Resolver returns an NMR. A TTL of 1 minute or 15 minutes is set depending on the space covered by the NMR.
- The actual covering prefix returned in an NMR depends on the number and distribution of EID prefixes in the Mapping System. The NMR prefix will cover the shortest prefix that doesn't cover any LISP Sites in the Mapping System.

25 LISP Operations: LISP Control Plane, MS/MR Configuration Example
router lisp
 site ALL
  authentication-key S3cr3t
  eid-prefix 2001:db8::/32 accept-more-specifics
  exit
 ipv6 map-server
 ipv6 map-resolver
 exit

Alternative:
router lisp
 site Site-1
  authentication-key S3cr3t-1
  eid-prefix 2001:db8:1::/48
  exit
 site Site-2
  authentication-key S3cr3t-2
  eid-prefix 2001:db8:2::/48
  exit
 -:: more LISP site configs
 ipv6 map-server
 ipv6 map-resolver
 exit
[Diagram: Mapping System (MR, MS) above LISP Site 1 (S, PI EID-prefix 2001:db8:1::/48) and LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48), connected through Providers A, B, C and D]
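An added illustration (not the slides' code and not how any Map-Server is implemented) of what the two site policies above authorise: a registration is accepted only if its HMAC verifies under a site's authentication-key and the EID prefix is covered by that site's eid-prefix policy. The message layout, function names, RLOC values and the use of HMAC-SHA-256 over a text encoding are simplifying assumptions, not the Map-Register wire format.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SitePolicy:
    name: str
    authentication_key: bytes
    eid_prefix: str
    accept_more_specifics: bool = False


# The two Map-Server policies from the slide, expressed as data.
SHARED_POLICY = [SitePolicy("ALL", b"S3cr3t", "2001:db8::/32", True)]
PER_SITE_POLICY = [
    SitePolicy("Site-1", b"S3cr3t-1", "2001:db8:1::/48"),
    SitePolicy("Site-2", b"S3cr3t-2", "2001:db8:2::/48"),
]


def canonical_body(eid_prefix: str, rlocs: List[str]) -> bytes:
    # Simplified text encoding (assumption); real Map-Registers are binary.
    return f"{eid_prefix}|{','.join(rlocs)}".encode()


def sign_register(key: bytes, eid_prefix: str, rlocs: List[str]) -> dict:
    """ETR side: build a registration authenticated with the site's key."""
    tag = hmac.new(key, canonical_body(eid_prefix, rlocs), hashlib.sha256).hexdigest()
    return {"eid_prefix": eid_prefix, "rlocs": rlocs, "auth": tag}


def prefix_allowed(policy: SitePolicy, eid_prefix: str) -> bool:
    """True if the site policy covers the prefix being registered."""
    try:
        asked = ipaddress.ip_network(eid_prefix)
    except ValueError:
        return False
    configured = ipaddress.ip_network(policy.eid_prefix)
    if asked.version != configured.version:
        return False
    if asked == configured:
        return True
    return policy.accept_more_specifics and asked.subnet_of(configured)


def accept_register(policies: List[SitePolicy], msg: dict) -> Optional[str]:
    """Map-Server side: site name the registration is accepted for, else None."""
    body = canonical_body(msg["eid_prefix"], msg["rlocs"])
    for policy in policies:
        if not prefix_allowed(policy, msg["eid_prefix"]):
            continue
        expected = hmac.new(policy.authentication_key, body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, msg["auth"]):  # constant-time compare
            return policy.name
    return None
```

With the single `site ALL` policy, every holder of the shared key is accepted for any prefix under 2001:db8::/32, whereas the per-site policy binds each key to one EID prefix.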

26 LISP Operations: LISP Control Plane, Mapping System Scaling
Scaling the LISP Mapping System:
- Deploy multiple stand-alone Map-Servers and register each LISP Site to all of them (up to eight)
- Deploy Map-Resolvers in an Anycast manner
- Or, deploy a hierarchical Mapping System: DDT
LISP Delegated Database Tree:
- The LISP Beta Network uses DDT today
- DDT: Delegated Distributed Tree
- Hierarchy for Instance IDs and for EID Prefixes
- DDT Map-Resolvers send (ECM) Map-Requests
- DDT Nodes return Map-Referral messages
- DDT Resolvers resolve the Map-Server's RLOC iteratively
- Conceptually similar to DNS (IN-ADDR hierarchy), but with different prefix encoding, messages, etc.
[Diagram: tree with ddt-root and ddt-tld nodes above DDT nodes, MS/MRs and sites]

27 LISP Deployment Examples: Public and Private LISP Deployment Models
Private Model:
- Private LISP deployments support single Enterprises or Entities
- LISP Enterprise deploys:
  - s
  - Mapping System, if required
  - Proxy System, if required
- Private Enterprise Examples: Enterprise A, Enterprise B, Enterprise C
Public Model:
- Public LISP deployment supports the needs of multiple Enterprises
- LISP Service Provider deploys shared Mapping System and Proxy System
- LISP Enterprises subscribe to LISP SP, and deploy their own s
[Diagram labels: Stand-Alone Example (LISP SP, LISP Ent): CCC, NJEdge.Net, PCCC, CCM, BCC, MU, Princeton. Global Examples (LISP SP, LISP Ent): VXNet, ddt-root.org, LISP Beta, InTouch]

28 LISP Operations: LISP Interworking, Day-one Incremental Deployment
Early recognition:
- Up-front recognition of an incremental deployment plan
- LISP will not be widely deployed day-one
Interworking for:
- LISP sites to non-LISP sites (e.g. the rest of the Internet)
- Non-LISP sites to LISP sites
Proxy-ITR/Proxy-ETR are deployed today:
- Infrastructure LISP network entity
- Creates a monetised service opportunity for infrastructure players

29 LISP Operations: LISP Interworking, Proxy-Ingress/Egress Tunnel Router (P)
PITR (Proxy ITR):
- Receives traffic from non-LISP sites; encapsulates traffic to LISP sites
- Advertises coarse-aggregate EID prefixes
- LISP sites see ingress TE day-one
PETR (Proxy ETR):
- Allows an EID in one AF [IPv4 or IPv6] and the opposite RLOC [IPv6 or IPv4] to reach a non-LISP prefix in that same AF (AF-hop-over)
- Allows LISP sites with uRPF restrictions to reach non-LISP sites
[Diagram: Mapping System (MR, MS), PITR and PETR between the IPv6 Internet, the IPv4 Internet and LISP Sites 1 and 2, which attach through Providers A, B, C and D]

30 LISP Operations: LISP Interworking, Proxy-Ingress/Egress Tunnel Router (P)
[Diagram, numbered steps: a non-LISP v6 site (2001:d:1::1) sends 2001:d:1::1 -> 2001:db8:2::1 across the IPv6 Internet to the PITR, which advertises 2001:db8::/ and encapsulates the packet across the IPv4 Internet to an ETR at LISP Site 2 (D, PI EID-prefix 2001:db8:2::/48). The return packet 2001:db8:2::1 -> 2001:d:1::1 is encapsulated by the Site 2 ITR to the PETR, which forwards it natively to the non-LISP site. Configuration shown at LISP Site 2: ipv4 use-petr]

31 Disjoined Locator Space
- How can an IPv4 RLOC talk to an IPv6 RLOC?
- Only MS/MR needs to be upgraded and configured
[Diagram: MSMR and RTR between three locator scopes (IPv4 scope 1, IPv4 scope 2, IPv6 10:A::/32 scope 3) served by IPv4 and IPv6 SPs; sites 4, 5, 6 and 7 each have an IPv4 /24 EID prefix and the IPv6 EID prefixes 4:4:4::/48, 5:5:5::/48, 6:6:6::/48 and 7:7:7::/48]

32 Instance ID, VRF and LISP: Efficient Virtualisation and High-Scale VPNs
Generalised LISP Shared Model deployment:
- MS/MR: shared by multiple customers; located in RLOC name space
- (Single Tenant): accommodates single customer; deployed for CPE Overlay model; located at customer site
- (Multi-Tenant): accommodates multiple customers; deployed for PE model; located at Edge layer, DC or customer site
[Diagram: EID Name Space (IPv4/IPv6) on both sides of the RLOC Name Space (IPv4/IPv6), with User Blue (IID 1, VRF Blue) and User Red (IID 2, VRF Red); packets are shown as RLOC, LISP Hdr, IID, EID, Data; the MS/MR table has columns IID, EID, RLOC; legend: LISP router, Non LISP router]

33 Interface LISP0
- Interface LISP0.x, X = IID
- Attach config for: crypto-map, Assign QoS Policy, Netflow, ACLs
- Segmentation by physical, Layer 2, or Layer 3 means (e.g. Q, EVN, physically separate networks)
[Diagram: HQ and Sites 1, 2 and 3 with VRF A (IID 1), VRF B (IID 2) and VRF C (IID 3) mapped to LISP0.1, LISP0.2 and LISP0.3 toward the Enterprise internal networks, and a single RLOC namespace in the default table (or RLOC VRF) toward the IPv4 or IPv6 core; MSMR and KS nodes attached to the IPv4 core]

34 How to Setup LISP

35 LISP Example Topology: Build the network configuration
Say we want to build this:
- Three VRFs, IPv4 and IPv6
- HQ multihomed, two CPE
- Remote multihomed, one CPE
- Remote single-homed, DHCP
- Add encryption
[Diagram: HQ with VRF DeptA (IID 1), VRF DeptB (IID 2) and VRF DeptC (IID 3), two MSMR and two KS nodes, and Sites 1, 2 and 3 around an IPv4 core]

36 Three Steps To Go
How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption
[Diagram: same topology as the previous slide]

37 LISP Underlay: 1. Build the underlay (RLOCs)
Examples:
- Normal IP routing
- Nothing to do with LISP
- All other sites are similar
HQ1 /MSMR/:
 hostname HQ1
 interface Ethernet0/0
  ip address
 ip route
Remote2 /:
 hostname Remote2
 interface Ethernet0/0
  ip address
 interface Ethernet1/0
  ip address
 ip route
 ip route

38 LISP Underlay: 1. Build the underlay (RLOCs)
Examples:
- Normal IP routing
- Nothing to do with LISP
Verification. Example: RLOC to RLOC
 Site2#ping source rep 10
 Type escape sequence to abort.
 Sending 100, 100-byte ICMP Echos to , timeout is 2 seconds:
 Packet sent with a source address of
 Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 ms
 Site2#

39 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Remote2 /:
 router lisp
  locator-set Site
    priority 1 weight
    priority 1 weight 50
   exit
  eid-table default instance-id 0
   database-mapping /32 locator-set Site2
   exit
  eid-table vrf DeptA instance-id 1
   database-mapping /24 locator-set Site2
   database-mapping 1:1:16::/64 locator-set Site2
   exit
  eid-table vrf DeptB instance-id 2
   database-mapping /24 locator-set Site2
   database-mapping 2:2:16::/64 locator-set Site2
   exit
  eid-table vrf DeptC instance-id 3
   database-mapping /24 locator-set Site2
   database-mapping 3:3:16::/64 locator-set Site2
   exit

40 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs), continued
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
- All other sites are similar
Remote2 /, LISP control plane:
  ipv4 itr map-resolver
  ipv4 itr map-resolver
  ipv4 itr
  ipv4 etr map-server key site2-pswd
  ipv4 etr map-server key site2-pswd
  ipv4 etr
  ipv6 map-server
  ipv6 map-resolver
  ipv6 itr map-resolver
  ipv6 itr map-resolver
  ipv6 itr
  ipv6 etr map-server key site2-pswd
  ipv6 etr map-server key site2-pswd
  ipv6 etr
  exit

41 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
HQ2 /MSMR/, Map-Server Config:
 router lisp
  site HQ
   authentication-key hq-pswd
   eid-prefix /24
   eid-prefix /24
   eid-prefix /32
   eid-prefix /32
   eid-prefix instance-id /24
   eid-prefix instance-id 1 1:1:14::/64
   eid-prefix instance-id /24
   eid-prefix instance-id 2 2:2:14::/64
   eid-prefix instance-id /24
   eid-prefix instance-id 3 3:3:14::/64
   exit
  site Site1
   authentication-key site1-pswd
   eid-prefix /32
   eid-prefix instance-id /24
   eid-prefix instance-id 1 1:1:11::/64
   eid-prefix instance-id /24
   eid-prefix instance-id 2 2:2:11::/64
   eid-prefix instance-id /24
   eid-prefix instance-id 3 3:3:11::/64
   exit
 ---<etc.>---

42 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Verification, HQ2 /MSMR/:
 HQ2#show lisp site
 LISP Site Registration Information
 Site Name  Last Register  Up   Who Last Registered  Inst ID  EID Prefix
 HQ         00:00:46       yes                                /24
            00:00:05       yes                                /24
            00:00:46       yes                                /32
            00:00:05       yes                                /32
            00:00:09       yes                                /24
            00:00:56       yes                                :1:14::/64
            00:00:32       yes                                /24
            00:00:23       yes                                :2:14::/64
            00:00:54       yes                                /24
            00:00:43       yes                                :3:14::/64
 Site1      00:00:07       yes                                /32
            00:00:16       yes                                /24
            00:00:42       yes                                :1:11::/64
            00:00:32       yes                                /24
            00:00:41       yes                                :2:11::/64
 ---<etc.>---

43 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Verification. Example: EID to EID
 Site3#ping vrf DeptC source rep 10
 Type escape sequence to abort.
 Sending 100, 100-byte ICMP Echos to , timeout is 2 seconds:
 Packet sent with a source address of %DeptC
 ..
 Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
 Site3

44 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Verification. Example: EID to EID
 Site3#show ip lisp map-cache instance-id 3
 LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
 ---<skip>
 /24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
   Locator  Uptime  State  Pri/Wgt
            :01:38  up     1/
            :01:38  up     1/50
 ---<skip>---
 Site3#

45 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Verification. Example: EID to EID
 Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
 Type escape sequence to abort.
 Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
 Packet sent with a source address of 1:1:13::1%DeptA
 ..
 Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
 Site3

46 LISP VPN/Virtualisation: 2. Add the LISP overlay (EIDs)
Examples:
- Bind VRFs to IIDs
- Bind EIDs to RLOCs
Verification. Example: EID to EID
 Site3#show ipv6 lisp map-cache instance-id 1
 LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
 ---<skip>---
 1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
   Locator  Uptime  State  Pri/Wgt
            :00:33  up     1/
            :00:33  up     1/50
 ---<skip>---
 Site3#

47 Adding Encryption to LISP Using GETVPN

48 LISP Encryption: LISP and encryption (IOS)
Recalling that LISP is Locator/ID separation and creates two namespaces, EIDs and RLOCs, LISP provides two ways to apply a crypto map.
Table (columns: Use-Case, crypto-map placement, Vanilla IPsec, GETVPN, Comments):
- LISP Default Model, crypto-map on RLOC: LISP encap first, then encryption based on RLOC
- LISP Default Model, crypto-map on LISP0: Encryption first based on EID, then LISP encap
- LISP Virtualization, crypto-map on RLOC: LISP encap first, then encryption based on RLOC
- LISP Virtualization, crypto-map on LISP0.x: Encryption first based on EID, then LISP encap
CSCuc63717 is noted in the LISP Virtualization rows.
See: lisp.cisco.com for the GETVPN+LISP Configuration Guide

49 LISP Header with IPSec
LISP provides two ways to apply a crypto map, resulting in different packet outcomes:
- RLOC: LISP processing, and then encryption
- LISP0: Encryption, and then LISP processing
[Packet layout, IPsec + LISP on LISP0, in the order the figure lists the fields: ESP trailer, Payload, ICMP Hdr, Host IP Hdr, ESP SPI, Host IP Hdr, LISP Hdr, UDP Hdr (LISP), ITR IP Hdr]
[Packet layout, LISP + IPsec on RLOC, in the order the figure lists the fields: ESP trailer, Payload, ICMP Hdr, Host IP Hdr, LISP Hdr, UDP Hdr (LISP), ITR IP Hdr, ESP SPI, ITR IP Hdr]

50 LISP Header with GETVPN
LISP provides two ways to apply a crypto map, resulting in different packet outcomes:
- RLOC: LISP processing, and then encryption
- LISP0: Encryption, and then LISP processing
[Packet layout, GETVPN + LISP on LISP0, in the order the figure lists the fields: ESP trailer, Payload, ICMP Hdr, Host IP Hdr, ESP SPI, Host IP Hdr (Original IPv4 Header), LISP Hdr, UDP Hdr (LISP, S:xx D:4341), ITR IP Hdr]
[Packet layout, LISP + GETVPN on RLOC, in the order the figure lists the fields: ESP trailer, Payload, ICMP Hdr, Host IP Hdr, LISP Hdr, UDP Hdr (LISP, S:xx D:4341), ITR IP Hdr, ESP SPI, ITR IP Hdr (Original IPv4 Header)]

51 LISP Encryption (1): 3. Add encryption
Examples:
- GETVPN Key Servers
- Nothing to do with LISP
- Redundant Key Server identical
KS1:
 crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 16
 crypto isakmp key FOO address
 crypto isakmp keepalive 15 periodic
 crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
 crypto ipsec profile GDOI-PROFILE
  set transform-set GDOI-TRANS
 crypto gdoi group V4GROUP-0001
  identity number
  server local
   rekey retransmit 60 number 2
   rekey authentication mypubkey rsa GET-KEYS1
   rekey transport unicast
   sa ipsec 1
    profile GDOI-PROFILE
    match address ipv4 GETVPN-0001
    replay time window-size 5
   address ipv
   redundancy
    local priority 100
    peer address ipv
 ---<cont.>---

52 LISP Encryption (2): 3. Add encryption
Examples:
- GETVPN Key Servers
- Nothing to do with LISP
- Redundant Key Server identical
KS1:
 ---<cont.>---
 crypto gdoi group ipv6 V6GROUP-0003
  identity number
  server local
   rekey retransmit 60 number 2
   rekey authentication mypubkey rsa GET-KEYS3
   rekey transport unicast
   sa ipsec 1
    profile GDOI-PROFILE
    match address ipv6 GETVPN
    replay time window-size 5
   address ipv
   redundancy
    local priority 100
    peer address ipv
 ip access-list extended GETVPN-0001
  permit ip any any
 ip access-list extended GETVPN-0002
  permit ip any any
 ip access-list extended GETVPN-0003
  permit ip any any
 ipv6 access-list GETVPN
  permit ipv6 any any
 ipv6 access-list GETVPN
  permit ipv6 any any
 ipv6 access-list GETVPN
  permit ipv6 any any

53 LISP Encryption (3): 3. Add encryption
Examples:
- GETVPN Group Members
- Add crypto map to LISP0.x
- ALL LISP SITES identical (Cut/Paste)
Remote2 /:
 crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 16
 crypto isakmp key FOO address
 crypto isakmp key FOO address
 crypto gdoi group V4GROUP-0001
  identity number
  server address ipv
  server address ipv
  client registration interface Loopback0
 ---<skip>---
 crypto gdoi group ipv6 V6GROUP-0003
  identity number
  server address ipv
  server address ipv
  client registration interface Loopback0
 crypto map MAP-V gdoi
  set group V4GROUP
 <skip>---
 crypto map ipv6 MAP-V gdoi
  set group V6GROUP-0003

54 LISP Encryption (4): 3. Add encryption
Examples:
- GETVPN Group Members
- Add crypto map to LISP0.x
- ALL LISP SITES identical (Cut/Paste)
Remote2 /:
 interface LISP0
 interface LISP0.1
  ip mtu 1456
  ipv6 mtu 1436
  ipv6 crypto map MAP-V
  crypto map MAP-V
 interface LISP0.2
  ip mtu 1456
  ipv6 mtu 1436
  ipv6 crypto map MAP-V
  crypto map MAP-V
 interface LISP0.3
  ip mtu 1456
  ipv6 mtu 1436
  ipv6 crypto map MAP-V
  crypto map MAP-V

55 LISP Encryption Verification (1): 3. Add encryption
Examples:
- GETVPN Group Members
- Add crypto map to LISP0.x
Verification. Example: EID to EID
 Site3#ping vrf DeptA source rep 100
 Type escape sequence to abort.
 Sending 10, 100-byte ICMP Echos to , timeout is 2 seconds:
 Packet sent with a source address of %DeptA
 Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
 Site3#

56 LISP Encryption Verification (2): 3. Add encryption
Examples:
- GETVPN Group Members
- Add crypto map to LISP0.x
Verification. Example: EID to EID
 Site3#show crypto engine connection active
 Crypto Engine Connections
 ID  Type  Algorithm  Encrypt  Decrypt  LastSeqN  IP-Address
 ---<skip>
 IPsec AES256+SHA
 IPsec AES256+SHA
 ---<skip>---
 Site3#

57 LISP Deployment Examples

58 LISP Deployment Examples
1. Efficient Multihoming and Multi-AF (IPv4 and IPv6)
2. Efficient Virtualisation and High-Scale VPNs
3. Data Centre/Host Mobility
4. LISP-Mobile Node
These examples highlight functionality integrated in LISP. All use-cases (multi-homing, v6 transition, virtualisation, and mobility) work together.

59 LISP Deployment Examples
1. Efficient Multihoming and Multi-AF (IPv4 and IPv6)
2. Efficient Virtualisation and High-Scale VPNs
3. Data Centre/Host Mobility
4. LISP-Mobile Node

60 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support
[Diagram: a LISP site with IPv4 and IPv6 EIDs and two RLOC uplinks (GE0/0/ interfaces, /30 links) to IPv4 providers SP1 and SP2; MR/MS and P routers connect the IPv4 Internet and IPv6 networks (2001:db8:e000:2::1, 2001:db8:e000:2::2, 2001:db8:f000:2::1, 2001:db8:f000:2::2). Inset: interface LISP0 sits between the Enterprise internal IPv4 or IPv6 networks and the IPv4 or IPv6 core RLOC namespace (default table), with egress features on LISP tx encap and ingress features on LISP rcv decap]

61 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support
 P1#show ip lisp map-cache
 LISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries
 ---<skip>
 /24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
   Locator  Uptime  State  Pri/Wgt
            :01:38  up     1/
            :01:38  up     1/50
 <skip>---
[Diagram: same LISP site, SP1/SP2, MR/MS and P topology as the previous slide]

62 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support
 P1#show ipv6 lisp map-cache
 LISP IPv6 Mapping Cache for EID-table default (IID 0), 13 entries
 ---<skip>
 :DB8:A:1::/64, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
   Locator  Uptime  State  Pri/Wgt
            :01:38  up     1/
            :01:38  up     1/50
 <skip>---
[Diagram: same LISP site, SP1/SP2, MR/MS and P topology as the previous slide]

63 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support
Needs:
- Site connectivity to multiple providers for resiliency
- Low OpEx/CapEx solution for Ingress TE
- Rapid IPv6 deployment, minimal disruption
LISP Solution:
- LISP provides a streamlined solution for handling multiprovider connectivity and policy without BGP complexities
- LISP encapsulation is Address Family agnostic, allowing for IPv6 over an IPv4 core, or IPv4 over an IPv6 core
Benefits:
- OpEx-friendly multi-homing across different providers
- Simple policy management
- Ingress Traffic Engineering that actually works
- Minimal configuration
- No core network changes
[Diagram, Efficient Multihoming: a LISP site with LISP routers connected to the Internet]
[Diagram, IPv6 Transition Support (connecting IPv4 or IPv6 islands over IPv6 or IPv4 cores): v6 sites and a v6 service across an IPv4 core, with a P router between the IPv4 Internet and the IPv6 Internet]

64 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
NJEDge.Net (PRODUCTION)
Target Market: State of New Jersey educational entities (K-12, universities, colleges)
LISP Services:
- BGP-free multihoming
- IPv6 Internet access
- Host mobility
- Disaster recovery (adding now)
- Inter-departmental VPNs (adding next)
Customer Site:
Customer Case Study:

65 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
[Figure: constituent member topologies. Member 1 to Member N each connect through a CPE, using a default route or BGP, to Tier 1 SP1, Tier 1 SP2 or a commodity SP; a transit SP leads to the IPv4 Internet (Facebook, Google, some/more v4) and the IPv6 Internet (some/more v6).]

66 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
Before LISP:
- Configuration complexity
- Uneven multihoming load shares
- They wanted: 50%/50%
- They got: 90%/10%? 80%/20%? Never 50%/50%
Many more features can be added here...

router bgp 100
 bgp asnotation dot
 no bgp default ipv4-unicast
 bgp router-id
 bgp log-neighbor-changes
 neighbor remote-as 300 <== ebgp to SP1
 neighbor remote-as 400 <== ebgp to SP2
 address-family ipv4
  no synchronization
  redistribute ospf route-map populate-default
  neighbor activate
  neighbor route-map filter-out out
  neighbor route-map filter-in in
  neighbor maximum-prefix
  neighbor activate
  neighbor route-map filter-out out
  neighbor route-map filter-in in
  neighbor maximum-prefix
  no auto-summary
 exit-address-family
ip bgp-community new-format
ip community-list standard outlist permit 100:123
route-map populate-default permit 10
 set origin igp
 set community 100:123
route-map filter-out permit 10
 match community outlist
route-map filter-in permit 10
 match community inlist

[Figure: constituent member topologies as on the previous slide (Member 1 to Member N, CPEs, Tier 1 SP1, Tier 1 SP2, commodity SP, transit SP, IPv4 and IPv6 Internet).]

67 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
NJEDge.Net LISP Network
Deploy LISP: configuration simplicity

router lisp
 locator-set Site
  priority 1 weight 50
  priority 1 weight 50
  exit
 eid-table default instance-id 0
  database-mapping /24 locator-set Site3
  exit
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver
 ipv4 etr map-server key s3cr3t
 ipv4 use-petr

[Figure: the NJEDge.Net LISP network with MS/MR and P nodes between the constituent members (Member 1 to Member N, each CPE using a default route or BGP) and Tier 1 SP1, Tier 1 SP2, the commodity SP, the transit SP and the IPv4 and IPv6 Internet.]

68 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
NJEDge.Net LISP Network
Deploy LISP: configuration simplicity
[Figure: the NJEDge.Net LISP network (MS/MR and P nodes) sends an IPv4 EID aggregate advertisement toward the IPv4 Internet; non-LISP-to-LISP traffic enters through the P nodes, LISP-to-LISP traffic flows directly between member CPEs (Member 1 to Member N) over Tier 1 SP1, Tier 1 SP2 and the commodity SP.]

69 LISP Deployment Examples: Efficient Multihoming and Multi-AF (IPv4/IPv6) Support, Customer Example
NJEDge.Net LISP Network
NJEDge.Net is now adding IPv6 for its members
[Figure: the NJEDge.Net LISP network (MS/MR and P nodes) sends an IPv6 EID aggregate advertisement toward the IPv6 Internet; members 1 to N carry IPv6 EIDs behind their CPEs; non-LISP-to-LISP and LISP-to-LISP paths cross Tier 1 SP1, Tier 1 SP2, the commodity SP and the transit SP.]

70 LISP and MPLS Interaction: How it works together
- PE-CE = BGP
- CE to CE customer routes = LISP
[Figure: Location X and Location Y each hold Group A to Group N networks and devices behind a CE device; the CE devices attach to PEs of an MPLS VPN across the MPLS core network.]

71 LISP Deployment Examples
1. Efficient Multihoming and Multi-AF (IPv4 and IPv6)
2. Efficient Virtualisation and High-Scale VPNs
3. Data Centre/Host Mobility
4. LISP-Mobile Node

72 LISP Deployment Examples: Efficient Virtualisation and High-Scale VPNs
Needs:
- Integrated segmentation
- Global scale and interoperability
- Minimal infrastructure disruption
LISP Solution:
- 24-bit LISP Instance-ID segments control plane and data plane, with VRF binding to the Instance-ID
Benefits:
- Very high scale tenant segmentation
- Global mobility + high scale segmentation integrated in single IP solution
- IP-based overlay solution, transport independent
- No Inter-AS complexity
LISP+GETVPN Config Guide:
[Figure: a LISP site, West DC, East DC and legacy sites over an IP network, with a P node and the Mapping DB.]

73 LISP Virtualisation/VPNs: LISP Virtualisation/Multi-Tenancy Support Concepts
Default (non-virtualised) Model, at the device level:
- Conceptually, the Default Model is just a single Parallel Model instance
- All EID lookups are also in the same single table (default); thus, EIDs are associated with Instance-ID 0
- All RLOC lookups are in a single table (default)
- The Mapping System is part of the locator address space
[Figure: single EID namespace (default table) toward the EID namespace (direct connect, IGP, etc.); single shared RLOC namespace (default table or RLOC VRF) toward VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks).]

74 LISP Virtualisation/VPNs: LISP Virtualisation/Multi-Tenancy Support Concepts
Shared Model, at the device level:
- Multiple EID-prefixes are allocated privately using VRFs
- EID lookups are in the VRF associated with an Instance-ID
- All RLOC lookups are in a single table (default/global or RLOC VRF)
- The Mapping System is part of the locator address space and is shared
[Figure: EID namespace VRF Pink (IID 1) and EID namespace VRF Blue (IID 2), each toward VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks), bound to a single shared RLOC namespace (default table or RLOC VRF).]

75 LISP Virtualisation/VPNs: LISP Virtualisation/Multi-Tenancy Support Concepts
Parallel Model, at the device level:
- Multiple EID-prefixes are allocated privately using VRFs
- EID lookups are in the VRF associated with an Instance-ID
- RLOC lookups are in the VRF associated with the locator table
- A Mapping System must be part of each locator address space
[Figure: EID namespace VRF Pink (IID 1), whose RLOC uses the Pink namespace, and EID namespace VRF Blue (IID 2), whose RLOC uses the Blue namespace, each toward VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks).]

76 LISP Virtualisation/VPNs: LISP Virtualisation/Multi-Tenancy Support Concepts
Shared and Parallel Models combined, at the device level:
- Multiple Shared Model instantiations combined with multiple Parallel Model instantiations
- Multiple EID VRFs bound to a single RLOC VRF
- Multiple RLOC VRFs on the same device
[Figure: VRF Cust1 (IID 101), VRF Cust2 (IID 102) and VRF Cust3 (IID 103) use the Pink RLOC namespace; VRF CustA (IID 901), VRF CustB (IID 902) and VRF CustC (IID 903) use the Blue RLOC namespace; both sides lead to VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks).]

77 LISP Deployment Examples: Efficient Virtualisation and High-Scale VPNs
LISP VPNs: routing and tunnelling, all in one
Encapsulation:
- EID prefix virtualisation, tied to VRFs
- Locators can be virtualised too
Site to Site Routing:
- Spoke to spoke connectivity
- Optional local Internet offload (split-tunnel)
- No IGP required to branch sites
Security (cryptography):
- LISP works with any crypto scheme
- Locators or EIDs can be encrypted
- LISP-SEC for control plane security

78 LISP Deployment Examples: Efficient Virtualisation and High-Scale VPNs
LISP: inherent scalability and virtualisation, rapidly deployable
Scalability (# of VPN sites): unconstrained
- No protocol constraint
- 100K concurrent site connections
VPN site-to-site routing: unnecessary
- No site-to-site routing required
- No VPN route injection into core
- LISP / non-LISP site interworking through P
Secure segmentation: 24-bit Instance ID with VRF
- 16M unique VPN classifiers
- Used by LISP control plane and data plane
- Optional data plane encryption with GETVPN
Performance: optimal path (P2P), load balancing
- Shortest path between LISP sites
- Equal cost/unequal cost load balancing

79 LISP VPN/Virtualisation: Efficient Virtualisation and High-Scale VPNs Overview
Generalised LISP Shared Model deployment
MS/MR:
- Shared by multiple customers
- Located in RLOC name space
(Single Tenant):
- Accommodates single customer
- Deployed for CPE overlay model
- Located at customer site
(Multi-Tenant):
- Accommodates multiple customers
- Deployed for PE model
- Located at edge layer, DC or customer site
[Figure: two sites in the EID name space (IPv4/IPv6), each with User Blue (EID /24, IID 1, VRF Blue) and User Red (EID /24, IID 2, VRF Red), joined across the RLOC name space (IPv4/IPv6) by LISP routers and non-LISP routers; encapsulated packets carry Data, EID, IID and a LISP header; the MS/MR holds a table of IID, EID and RLOC.]

80 LISP Use Cases: Virtualisation/VPNs, Customer Example: US State Government (Multi-tenancy)
[Figure: Location X and Location Y each hold Group A to Group N networks and devices behind a CE device; the CE devices connect through an MPLS VPN across the MPLS core network.]

81 LISP Use Cases: Virtualisation/VPNs, Customer Example: US State Government (Multi-tenancy)
Customer Networks: IPv4, IPv6
- LISP Instance-IDs (IIDs) provide segmentation
- Add GETVPN for encryption, per-customer (simple)
Core Network Access Flexibility:
- One or multiple WAN connections
- One or multiple CE devices
- IPv4 and/or IPv6
- Multiple SP cores (SP1, SP2)
- Everything just works with LISP
No need for multiple MPLS VRFs for traffic segmentation:
- LISP encapsulates all traffic into the RLOC namespace
- LISP Instance-IDs (IIDs) provide segmentation
[Figure: Location X and Location Y each hold Group A to Group N networks and devices behind a CE device; the CE devices connect through an MPLS VPN across the MPLS core network.]

82 LISP Use Cases: Virtualisation/VPNs, Customer Example: US State Government (Multi-tenancy)
- Toward the enterprise internal networks: segmentation by physical, Layer 2, or Layer 3 means (e.g. Q, EVN, physically separate networks)
- Toward the IPv4 or IPv6 core: single RLOC namespace, default table (or RLOC VRF)
[Figure: detail of the CE device with VRF-B (IID 2) and interfaces LISP0.1, LISP0.2 and LISP0.3 bound to the default RLOC namespace; around it, Location X and Location Y with Group A to Group N networks and devices connected through the MPLS VPN.]

83 LISP Use Cases: Virtualisation/VPNs, Customer Example: US State Government (Multi-tenancy)

router lisp
 locator-set CE
  priority 1 weight 100
  exit
 eid-table vrf GROUPA instance-id 1
  database-mapping /24 locator-set CE
  database-mapping 1:1:16::/64 locator-set CE
  exit
 eid-table vrf GROUPB instance-id 2
  database-mapping /24 locator-set CE
  database-mapping 2:2:16::/64 locator-set CE
  exit
 eid-table vrf GROUPC instance-id 3
  database-mapping /24 locator-set CE
  database-mapping 3:3:16::/64 locator-set CE
  exit

[Figure: Location X and Location Y each hold Group A to Group N networks and devices behind a CE device; the CE devices connect through an MPLS VPN across the MPLS core network.]

84 LISP Deployment Examples
1. Efficient Multihoming and Multi-AF (IPv4 and IPv6)
2. Efficient Virtualisation and High-Scale VPNs
3. Data Centre/Host Mobility
4. LISP-Mobile Node

85 LISP Deployment Examples: Data Centre/Host Mobility
Needs:
- VM-Mobility extending subnets and across subnets
- Move detection, dynamic EID-to-RLOC mappings, traffic redirection
LISP Solution:
- OTV + LISP for VM-moves in extended subnets
- LISP for VM-moves across subnets
Benefits:
- VM OS agnostic, seamless, integrated, global workload mobility
- Direct path (no triangulation)
- Connections survive across moves
- No routing re-convergence, no DNS updates
- Global scalability (cloud bursting)
- ARP elimination
[Figure: Data Centre 1 and Data Centre 2 connected over the Internet by LISP routers; VM a.b.c.1 moves from one data centre to the other.]

86 LISP Deployment Examples: Data Centre/Host Mobility
LISP Host Mobility Config Guide:
Moves With LAN Extension (routing for extended subnets):
- Active-Active Data Centres
- Distributed Data Centres
- Application members distributed
- Broadcasts across sites
Moves Without LAN Extension (IP mobility across subnets):
- Disaster Recovery
- Cloud Bursting
- Application members in one location
[Figure: left, a non-LISP site and a LISP site (XTR) reach West-DC and East-DC, joined by a LAN extension, through LISP-VM (XTR) routers over an IPv4 network with a Mapping DB; right, a LISP site (XTR) reaches West-DC and East-DC (a DR location or cloud provider DC) the same way, without a LAN extension.]

87 LISP Deployment Examples: Data Centre/Host Mobility
No LAN Extension: First-Hop Routing
- SVI (interface VLAN x) and HSRP configured as usual
- Consistent GWY-MAC configured across all dynamic subnets
- The lisp mobility <dyn-eid-map> command enables proxy-arp functionality on the SVI
- The LISP-VM router services first hop routing requests for both local and roaming subnets
- Moving hosts always talk to a local gateway with the same MAC
[Figure: SVI configuration on the four LISP-VM routers A, B, C and D in West-DC and East-DC: interface vlan 100 or interface vlan 200 (one router shows interface Ethernet2/4) with ip address /24, lisp mobility roamer, ip proxy-arp, and hsrp 101 or hsrp 201 with mac-address e1d.010c and a gateway ip. HSRP is active in each data centre and hosts ARP for the same GWY-MAC.]

88 LISP Deployment Examples: Data Centre/Host Mobility
ETR Updates across LISP sites
- Null0 host routes indicate the host is away
[Figure: host Y moves between West-DC (routers A, B) and East-DC (routers C, D). A Map-Register /32 <C,D> goes to the Mapping DB and Map-Notify /32 <C,D> messages go to the routers. Mapping DB entries: /16 RLOC A, B and /32 RLOC C, D. Routing tables shown: "/16 Local, /32 Null0" and "/16 Local, /24 Null0, /32 Local".]

89 LISP Deployment Examples: Data Centre/Host Mobility
Refreshing map-caches
1. ITRs and PITRs with cached mappings continue to send traffic to the old locators
   - The old DC knows the host has moved (Null0 route)
2. Old sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host
3. The ITR then initiates a new map request process
4. An updated map-reply is issued from the new location
5. The ITR Map Cache is updated
Traffic now flows shortest path
[Figure: an ITR at a LISP site with map-cache entries /16 RLOC A,B and /32 RLOC C,D; the Mapping DB; LISP-VM routers A and B in West-DC and C and D in East-DC; hosts X, Y and Z.]

90 On-subnet Server-Server Traffic
West-to-East:
- X ARPs for Y
- The /32 Null0 entry for Y triggers proxy-arp on the West-DC XTRs to ensure traffic is steered there
- Note: the entry for Y in X's ARP cache is cleared by a GARP message originated by the West-DC XTRs
- Traffic to Y is LISP encapsulated
East-to-West:
- Y ARPs for X
- The /24 Null0 entry for the home subnet triggers proxy-arp on the East-DC XTRs to ensure traffic is steered there
- Note: the assumption is that the ARP cache on Y is refreshed after the move
- Traffic to X is LISP encapsulated
[Figure: two panels, each showing routers A and B in West-DC (/24) and C and D in East-DC with hosts X, Y and Z; the encapsulated flow runs between B and C in each direction.]

91 LISP Deployment Examples: Data Centre/Host Mobility
Customer Example: MPLS Core, Across Subnets, Topology
[Figure: Customer-A Sites 1 to 4 (CE1 to CE4, each an ITR/ETR) attach to PE1 to PE4 of the Customer-A MPLS-VPN over the MPLS core. PE5 and PE6 attach CE5 and CE6 (Blue/DC 1, Location 1, /16) and CE7 and CE8 (Blue/DC 2, Location 2), which act as ITR/ETR and MS/MR; a /24 is marked DYNAMIC EID.]

92 LISP Deployment Examples: Data Centre/Host Mobility
Customer Example: MPLS Core, Across Subnets, LISP Configurations (Sites and MS/MRs)

IOS (site ITR/ETR):
router lisp
 eid-table default instance-id 0
  database-mapping / pri 1 wei 100
  exit
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver
 ipv4 itr map-resolver
 ipv4 etr map-server key s3cr3t
 ipv4 etr map-server key s3cr3t

IOS (MS/MR):
router lisp
 site DCs
  authentication-key DCs3cr3t
  eid-prefix /16 accept-more-specifics
  eid-prefix /16
  exit
 site Site-1
  authentication-key s3cr3t
  eid-prefix /24
  exit
 --<more sites>---
 ipv4 map-server
 ipv4 map-resolver
 exit

[Figure: the Customer-A topology of the previous slide: Sites 1 to 4 (CE1 to CE4, ITR/ETR, Site 1 with EID /24 and an RLOC) on PE1 to PE4; Blue/DC 1 (Location 1) and Blue/DC 2 (Location 2) behind PE5 and PE6 with CE5 to CE8 as ITR/ETR and MS/MR; a /24 is marked DYNAMIC EID.]

93 LISP Deployment Examples: Data Centre/Host Mobility
Customer Example: MPLS Core, Across Subnets, LISP Configurations (Data Centers)

NX-OS (shown on the slide once for each data centre):
ip lisp itr-etr
ip lisp database-mapping / p 1 w 50
ip lisp database-mapping / p 1 w 50
ip lisp itr map-resolver
ip lisp itr map-resolver
ip lisp etr map-server key DCs3cr3t
ip lisp etr map-server key DCs3cr3t
lisp dynamic-eid CUST-A-ROAM
 database-mapping / p 1 w 50
 database-mapping / p 1 w 50
 map-notify-group
interface vlan 100
 ip address /24 (or /24)
 lisp mobility CUST-A-ROAM
 ip proxy-arp
 hsrp 101
  mac-address e1d.010c
  ip

[Figure: the Customer-A topology: Sites 1 to 4 (CE1 to CE4, ITR/ETR) on PE1 to PE4 of the Customer-A MPLS-VPN; Blue/DC 1 (Location 1, /16) with CE5 (RLOC-A) and CE6 (RLOC-B), and Blue/DC 2 (Location 2, /16) with CE7 (RLOC-C) and CE8 (RLOC-D), behind PE5 and PE6, acting as ITR/ETR and MS/MR.]

94 LISP Deployment Examples: Data Centre/Host Mobility
Customer Example: MPLS Core, Extending Subnets, Initial State
[Figure: the Customer-A topology (Sites 1 to 4 on PE1 to PE4; Blue/DC 1 with CE5/RLOC-A and CE6/RLOC-B; Blue/DC 2 with CE7/RLOC-C and CE8/RLOC-D). A site map-cache entry for EID-prefix /32 lists a locator-set of two locators, each with priority 1. The /32 host is marked "the server is here".]

95 LISP Deployment Examples: Data Centre/Host Mobility
Customer Example: MPLS Core, Extending Subnets, After the move
[Figure: the same Customer-A topology (Sites 1 to 4 on PE1 to PE4; Blue/DC 1 with CE5/RLOC-A and CE6/RLOC-B; Blue/DC 2 with CE7/RLOC-C and CE8/RLOC-D). The site map-cache entry for EID-prefix /32 shows its locator-set after the move, each locator with priority 1. The /32 host is marked "the server moves here".]

96 LISP for Cloud Connect
- Here you need to add an RTR and MS/MR connected to both IP spaces for disjoint RLOC space
- MPLS and Internet are not routable
[Figure: Customer-A Site 1 (CE1) and Site 2 (CE2) as ITR/ETR on the Customer-A MPLS-VPN (PE1, PE2), a CSR1kV reached over the Internet through an ISP, and Blue/DC 1 (Location 1, /16) and Blue/DC 2 (Location 2, /16) behind PE5 and PE6 with CE5 to CE8 as ITR/ETR and MS/MR.]

97 LISP Host-Mobility: First Hop Routing With Extended Subnets
- Consistent GWY-IP and GWY-MAC configured across all sites
- Consistent HSRP group number across sites gives a consistent GWY-MAC
- Servers can move anywhere and always talk to a local gateway with the same IP/MAC
[Figure: SVI configuration on the four LISP-VM routers A, B, C and D in West-DC and East-DC, joined by a LAN extension: interface vlan 100 or interface vlan 200 (one router shows interface Ethernet2/4) with ip address /24, lisp mobility roamer, lisp extended-subnet-mode, and hsrp 101 with a gateway ip. HSRP is active in each data centre and hosts ARP for the same GWY-MAC.]

98 Host-Mobility and Multi-homing: ETR Updates, Extended Subnets
- Null0 host routes indicate the host is away
- /24 is the dyn-eid
[Figure: West-DC (routers A, B) and East-DC (routers C, D) joined by OTV; host Y moves. A Map-Register /32 <C,D> goes to the Mapping DB and Map-Notify /32 <C,D> messages go to the routers. Mapping DB entries: /16 RLOC A, B and /32 RLOC C, D. Routing tables shown: "/16 Local, /24 Null0", "/16 Local, /24 Null0, /32 Local", "/16 Local, /32 Null0, /24 Null0" and "/16 Local, /24 Null0, /32 Null0".]

99 Refreshing the Map Caches
1. ITRs and PITRs with cached mappings continue to send traffic to the old locators
   - The old knows the host has moved (Null0 route)
2. Old sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host
3. The ITR then initiates a new map request process
4. An updated map-reply is issued from the new location
5. The ITR Map Cache is updated
Traffic is now re-directed
SMRs are an important integrity measure to avoid unsolicited map responses and spoofing
[Figure: an ITR at a LISP site with map-cache entries /32 RLOC A,B and /32 RLOC C,D; the Mapping DB; LISP-VM routers A and B in West-DC and C and D in East-DC, joined by OTV; hosts X, Y and Z.]
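The refresh sequence on this slide, as an added example (not code from the presentation or from any Cisco implementation): a toy ITR that treats an SMR only as a trigger and installs a mapping only from a Map-Reply whose nonce matches a Map-Request it sent itself, following the nonce echo defined in RFC 6830. The class names, message dictionaries, EID prefixes and RLOC labels are constructed for illustration, and the mapping system is assumed to answer on behalf of the new location.

```python
"""Toy model of the SMR-driven map-cache refresh (added example, constructed data)."""
import ipaddress
import secrets


def longest_match(table, eid):
    """Return the most specific prefix in `table` that covers `eid`, or None."""
    addr = ipaddress.ip_address(eid)
    hits = [p for p in table if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


class MappingSystem:
    """Stands in for the Map-Server/Map-Resolver ("Mapping DB" on the slide)."""

    def __init__(self):
        self.db = {}  # ip_network -> tuple of RLOC labels

    def register(self, prefix, rlocs):
        """Map-Register: an ETR announces the RLOCs for an EID prefix."""
        self.db[ipaddress.ip_network(prefix)] = tuple(rlocs)

    def resolve(self, eid, nonce):
        """Answer a Map-Request; the reply echoes the requester's nonce."""
        prefix = longest_match(self.db, eid)
        rlocs = self.db[prefix] if prefix is not None else ()
        if prefix is None:
            prefix = ipaddress.ip_network(eid)  # negative reply for the host
        return {"type": "map-reply", "nonce": nonce,
                "prefix": prefix, "rlocs": rlocs}


class ITR:
    """Encapsulating router with a map-cache and nonce-checked updates."""

    def __init__(self, mapping_system):
        self.ms = mapping_system
        self.cache = {}     # ip_network -> tuple of RLOC labels
        self.pending = {}   # nonce -> EID of an outstanding Map-Request
        self.dropped = []   # reasons for rejected control messages

    def lookup(self, eid):
        prefix = longest_match(self.cache, eid)
        return self.cache[prefix] if prefix is not None else None

    def send_map_request(self, eid):
        """Steps 3-5: ask the mapping system, remembering a fresh 64-bit nonce."""
        nonce = secrets.randbits(64)
        self.pending[nonce] = eid
        return self.receive(self.ms.resolve(eid, nonce))

    def receive(self, msg):
        """Handle one control message; return True if it was acted on."""
        if msg["type"] == "smr":
            # An SMR carries no mapping we trust. It only makes the ITR
            # re-resolve an EID it is already encapsulating traffic to.
            if self.lookup(msg["eid"]) is None:
                self.dropped.append("smr-for-unknown-eid")
                return False
            return self.send_map_request(msg["eid"])
        if msg["type"] == "map-reply":
            eid = self.pending.pop(msg["nonce"], None)
            if eid is None:
                self.dropped.append("unsolicited-map-reply")
                return False
            if ipaddress.ip_address(eid) not in msg["prefix"]:
                self.dropped.append("prefix-mismatch")
                return False
            self.cache[msg["prefix"]] = msg["rlocs"]
            return True
        self.dropped.append("unknown-message")
        return False


def run_demo():
    """Walk the slide's five steps with constructed prefixes and RLOC labels."""
    ms = MappingSystem()
    ms.register("10.16.0.0/16", ["A", "B"])      # West-DC home subnet
    itr = ITR(ms)
    itr.send_map_request("10.16.1.5")
    before = itr.lookup("10.16.1.5")

    ms.register("10.16.1.5/32", ["C", "D"])      # host moved to East-DC
    stale = itr.lookup("10.16.1.5")              # step 1: cache still old

    forged = {"type": "map-reply", "nonce": 0x1234,   # never requested
              "prefix": ipaddress.ip_network("10.16.1.5/32"),
              "rlocs": ("X",)}
    forged_accepted = itr.receive(forged)

    itr.receive({"type": "smr", "eid": "10.16.1.5"})  # step 2: SMR from old site
    after = itr.lookup("10.16.1.5")
    return before, stale, forged_accepted, after, list(itr.dropped)


if __name__ == "__main__":
    print(run_demo())
```

The forged Map-Reply is dropped because no outstanding Map-Request carries its nonce, while the SMR succeeds only because the ITR itself then queries the mapping system.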

100 On-subnet Server-Server Traffic: On-Subnet Traffic Across L3 Boundaries
With LAN Extension:
- Live moves and cluster member dispersion
- Traffic between X & Y uses the LAN Extension
- Link-local multicast handled by the LAN Extension
Without LAN Extensions:
- Cold moves, no application dispersion
- X-Y traffic is sent to the LISP-VM router & LISP encapsulated
- Need LAN extensions for link-local multicast traffic
[Figure: two panels, each with LISP-VM routers A and B in West-DC (/16) and C and D in East-DC, the Mapping DB and hosts X, Y and Z; the left panel adds a LAN extension between the data centres, the right panel shows the encapsulated path between B and C.]

101 LISP Deployment Examples
1. Efficient Multihoming and Multi-AF (IPv4 and IPv6)
2. Efficient Virtualisation and High-Scale VPNs
3. Data Centre/Host Mobility
4. LISP-Mobile Node

102 LISP Mobile Node: A LISP-MN Phone is a LISP Site
What can a LISP-MN device do?
- Two MNs can roam and stay connected
- MNs can be servers
- MNs roam without changing DNS entries
- MNs can use multiple interfaces
- MNs can control ingress packet policy
- Faster hand-offs
- Low battery use by MS proxy-replying
- And most importantly, packets have stretch of 1: best for latency/delay sensitive applications
LISP-MN can scale to 1 billion hand-sets
[Figure: a phone with wifi and 3G interfaces; EID-prefix: 2610:00d0:xxxx::1/128; Map-Server: ; "This device is a LISP".]

103 LISP Status

104 LISP Status: LISP RFCs and notable drafts
IETF LISP WG:
RFCs:
- Locator/ID Separation Protocol (LISP) base document: RFC 6830
- LISP Map Server: RFC 6833
- LISP Interworking: RFC 6832
- LISP Multicast: RFC 6831
- LISP Internet Groper: RFC 6835
- LISP Map Versioning: RFC 6834
- LISP+ALT: RFC 6836
- LISP MIB: RFC 7052
- LISP Network Element Deployment Considerations: RFC 7215
Drafts (with target):
- LISP Canonical Address Format (draft-ietf-lisp-lcaf-04): Active Working Group Document
- LISP Deployment (draft-ietf-lisp-deployment-11): Active Working Group Document
- LISP SEC (draft-ietf-lisp-sec-05): Active Working Group Document
- LISP DDT (draft-fuller-lisp-ddt-01): Active Working Group Document
- LISP Introduction (draft-ietf-lisp-introduction-03): Active Working Group Document
- LISP Mobile Node (draft-meyer-lisp-mn-10): Related Working Group Document
- LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05): Related Working Group Document
- LISP GPE (draft-lewis-lisp-gpe): Related Working Group Document
- LISP Deployment (draft-ietf-lisp-deployment-12): RFC-Editor's Queue
- LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04): Related Internet Draft
- LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00): Related Internet Draft

105 LISP Status: LISP Beta Network
International R&D and demonstration network
LISP community operated:
- More than 5+ years of operation
- More than ~600+ sites, 45+ countries
Interoperable LISP implementations:
- Cisco IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
- Cisco IOS-XR (CRS3, ASR9K)
- Cisco NX-OS (N7K)
- Cisco Cat6K
- AVM FRITZBox
- OpenWrt
- Open source: FreeBSD (OpenLISP); Linux (Aless, LISPmob, OpenWrt); Android
- Plus some others ;-)
ww.lisp4.net inciconsulting.com/vxnet ww.lisp.intouch.eu/ ww.itris-enterprise.ch/ and more

106 LISP Status: LISP Software, Available Features by Operating System
Cisco Releases (
Features (rows):
- Roles: ITR/ETR, PITR/PETR, MS/MR, RTR
- AF Support: EID v4/v6, RLOC v4/v6
- Virtualisation: Shared/Parallel
- Mobility: ESM/ASM, Multi-Hop
- Multicast
- NAT-Traversal
Operating systems (columns): IOS, IOS-XE, NX-OS, IOS-XR, Cat 6K
Cell values as extracted: testing testing roadmap v4 only testing ASR9k roadmap roadmap roadmap roadmap roadmap roadmap v4 only shared ASM 15.2(1)SY roadmap roadmap roadmap

107 APIC-EM - LISP Overlay Service

108 LISP - Open Standard Specification
IETF Specification:
- Nine RFCs presently published: RFC 6830 thru 6836, 7052 and 7215
- year thorough customer/vendor review
- No IPR claims on LISP IETF specifications
IETF LISP WG:
Ongoing IETF LISP WG focus:
- Complete LISP base specifications (LCAF, deployment, LISP-SEC, LISP-DDT, LISP-MN)
- Use cases being documented:
  o DC Virtualisation and Host Mobility
  o WAN Virtualisation, Multi-Homing, IPv6 Adoption/Transition
  o Traffic Engineering and Service Chaining
  o SDN/NFV


111 LISP Summary

112 LISP Summary: Part of the LISP Solution Space
1. Multihoming
2. IPv6 Transition
3. Virtualisation/VPN
4. Mobility
LISP is an Architecture
[Figure: an IPv6 network over an IPv6 core and an IPv4 network over an IPv4 core, with v6 and v4 traffic.]


114 Q & A

115 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2015 T-Shirt Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm Learn online with Cisco Live Visit us online after the conference for full access to session videos and presentations.


More information

Cisco Nexus 7000 Series NX-OS LISP Command Reference

Cisco Nexus 7000 Series NX-OS LISP Command Reference First Published: 2016-11-24 Last Modified: -- Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax:

More information

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide First Published: 2011-10-25 Last Modified: 2014-04-25 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

DNA SA Border Node Support

DNA SA Border Node Support Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure

More information

LISP in Campus Networks

LISP in Campus Networks LISP in Campus Networks Divya Rao CCIE # 25083 Technical Marketing Engineer Enterprise Networking Group Abstract Session ID Title LISP in Campus Networks Abstract This session introduces LISP (Locator/ID

More information

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al)

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al) LISP: What and Why RIPE Berlin May, 2008 Vince Fuller (for Dino, Dave, Darrel, et al) http://www.vaf.net/prezos/lisp-ripe-long.pdf Agenda What is the problem? What is LISP? Why Locator/ID Separation? Data

More information

LISP. Migration zu IPv6 mit LISP. Gerd Pflueger Version Feb. 2013

LISP. Migration zu IPv6 mit LISP. Gerd Pflueger Version Feb. 2013 Version 0.7 24 Feb. 2013 LISP Migration zu IP mit LISP Gerd Pflueger gerd@cisco.com 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 2011 Cisco and/or its affiliates. All rights reserved.

More information

LISP: A NOVEL APPROACH FOR FUTURE ATN/IPS

LISP: A NOVEL APPROACH FOR FUTURE ATN/IPS LISP: A NOVEL APPROACH FOR FUTURE ATN/IPS Bernhard Haindl, Manfred Lindner, Wolfgang Kampichler ICAO Meeting 07/2014 2014-07-15 HAINDL Bernhard Trends / Requirements For Future Networks Multihoming / Availability

More information

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide First Published: 2016-12-23 Last Modified: 2018-07-05 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

Locator/ID Separation Protocol (LISP)

Locator/ID Separation Protocol (LISP) Locator/ID Separation Protocol (LISP) Damien Saucez* INRIA Sophia Antipolis FRNOG 18, December 2 th, 2011 * special thanks to Olivier Bonaventure, Luigi Iannone and Dino Farinacci Disclaimer Not a vendor

More information

APT: A Practical Transit-Mapping Service Overview and Comparisons

APT: A Practical Transit-Mapping Service Overview and Comparisons APT: A Practical Transit-Mapping Service Overview and Comparisons draft-jen-apt Dan Jen, Michael Meisel, Dan Massey, Lan Wang, Beichuan Zhang, and Lixia Zhang The Big Picture APT is similar to LISP at

More information

TTL Propagate Disable and Site-ID Qualification

TTL Propagate Disable and Site-ID Qualification The TTL Propagate Disable feature supports disabling of the TTL (Time-To-Live) propagation for implementing the traceroute tool in a LISP network when RLOC and EID belong to different address-family. The

More information

HOME-SYD-RTR02 GETVPN Configuration

HOME-SYD-RTR02 GETVPN Configuration GETVPN OVER DMVPN Topology Details HOME-SYD-RTR02 is GETVPN KS. R2 & R3 are GETVPN Members. R2 is DMVPN Hub. R3 is DMVPN Spoke. HOME-PIX01 is Firewall between R2 and R3. IP Addressing Details HOME-SYD-RTR01

More information

Internet Engineering Task Force (IETF) Category: Experimental ISSN: D. Meyer D. Lewis. Cisco Systems. January 2013

Internet Engineering Task Force (IETF) Category: Experimental ISSN: D. Meyer D. Lewis. Cisco Systems. January 2013 Internet Engineering Task Force (IETF) Request for Comments: 6830 Category: Experimental ISSN: 2070-1721 D. Farinacci Cisco Systems V. Fuller D. Meyer D. Lewis Cisco Systems January 2013 The Locator/ID

More information

Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN

Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN Ron Fuller CCIE #5851 (R&S/Storage) Technical Marketing Engineer, Nexus 7000 rfuller@cisco.com Agenda The Evolving Data Centre Fabric

More information

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

LISP: Intro and Update

LISP: Intro and Update LISP: Intro and Update RIPE Berlin May, 2008 Vince Fuller (for Dino, Dave, Darrel, et al) http://www.vaf.net/prezos/lisp-ripe-short.pdf Agenda What is LISP? What problem is LISP solving? www.vaf.net/prezos/rrg-prague.pdf

More information

Evolving your Campus Network with. Campus Fabric. Shawn Wargo. Technical Marketing Engineer BRKCRS-3800

Evolving your Campus Network with. Campus Fabric. Shawn Wargo. Technical Marketing Engineer BRKCRS-3800 Evolving your Campus Network with Campus Fabric Shawn Wargo Technical Marketing Engineer BRKCRS-3800 Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility

More information

Multi-site Datacenter Network Infrastructures

Multi-site Datacenter Network Infrastructures Multi-site Datacenter Network Infrastructures Petr Grygárek rek 2009 Petr Grygarek, Advanced Computer Networks Technologies 1 Why Multisite Datacenters? Resiliency against large-scale site failures (geodiversity)

More information

Secure Extension of L3 VPN s over IP-Based Wide Area Networks

Secure Extension of L3 VPN s over IP-Based Wide Area Networks White Paper Secure Extension of L3 VPN s over IP-Based Wide Area Networks Abstract Authors This paper examines how recent network-based virtualization Mark Mitch Mitchiner technology innovation can be

More information

LISP: A Level of Indirection for Routing

LISP: A Level of Indirection for Routing LISP: A Level of Indirection for Routing ESCC/Internet2 Joint Techs Workshop University of Hawaii January 20-24, 2008 David Meyer & A Cast of 1000s (Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim,

More information

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6 IP6FD v6 Fundamentals, Design, and Deployment v3.0 Cisco IOS IPv6 Cisco IOS IPv6 IPv6 IPv6 service provider IPv6 IP IPv6 IPv6 data link IPv6 Cisco IOS IPv6 IPv6 IPv6 DHCP DNS DHCP DNS IPv6 IPv4 IPv6 multicast

More information

FlexVPN HA Dual Hub Configuration Example

FlexVPN HA Dual Hub Configuration Example FlexVPN HA Dual Hub Configuration Example Document ID: 118888 Contributed by Piotr Kupisiewicz, Wen Zhang, and Frederic Detienne, Cisco TAC Engineers. Apr 08, 2015 Contents Introduction Prerequisites Requirements

More information

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00

Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00 Fred Detienne, Cisco Systems Manish Kumar, Cisco Systems Mike Sullenberger, Cisco Systems What is Dynamic Mesh VPN? DMVPN is a solution for building VPNs

More information

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458

DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since

More information

LISP Multicast. Finding Feature Information. Prerequisites for LISP Multicast

LISP Multicast. Finding Feature Information. Prerequisites for LISP Multicast The feature introduces support for carrying multicast traffic over a Locator ID Separation Protocol (LISP) overlay. This support currently allows for unicast transport of multicast traffic with head-end

More information

Data Center Configuration. 1. Configuring VXLAN

Data Center Configuration. 1. Configuring VXLAN Data Center Configuration 1. 1 1.1 Overview Virtual Extensible Local Area Network (VXLAN) is a virtual Ethernet based on the physical IP (overlay) network. It is a technology that encapsulates layer 2

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 642-997 Title : Implementing Cisco Data Center Unified Fabric (DCUFI) Vendor : Cisco

More information

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN This module provides conceptual information for VXLAN in general and configuration information for layer 2 VXLAN on Cisco ASR 9000 Series Router. For configuration information of layer 3 VXLAN, see Implementing

More information

Multiprotocol Label Switching Virtual Private Network

Multiprotocol Label Switching Virtual Private Network Anas Al-Selwi Multiprotocol Label Switching Virtual Private Network Helsinki Metropolia University of Applied Sciences Bachelor of Engineering Information Technology Thesis 08 May 2013 Abstract Author(s)

More information

GRE Tunnel with VRF Configuration Example

GRE Tunnel with VRF Configuration Example GRE Tunnel with VRF Configuration Example Document ID: 46252 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations Verify Troubleshoot Caveats

More information

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco Cisco Campus Fabric Introduction Vedran Hafner Systems engineer Cisco Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network

More information

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase Migration Guide Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase This guide shows how a Dynamic Multipoint VPN (DMVPN) deployment can be migrated to make

More information

Introduction to External Connectivity

Introduction to External Connectivity Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.

More information

8K GM Scale Improvement

8K GM Scale Improvement The feature supports optimization of the Cooperative Protocol (COOP) announcement messages by increasing the number of Group Members (GM) to 8000. Finding Feature Information, page 1 Prerequisites for,

More information

Lecture 7 Advanced Networking Virtual LAN. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Lecture 7 Advanced Networking Virtual LAN. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Lecture 7 Advanced Networking Virtual LAN Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Advanced Networking Scenario: Data Center Network Single Multiple, interconnected via Internet

More information

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER CHAPTER 23 You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke, point-to-point,

More information

Request for Comments: 8112 Category: Informational. I. Kouvelas Arista D. Lewis Cisco Systems May 2017

Request for Comments: 8112 Category: Informational. I. Kouvelas Arista D. Lewis Cisco Systems May 2017 Independent Submission Request for Comments: 8112 Category: Informational ISSN: 2070-1721 D. Farinacci lispers.net A. Jain Juniper Networks I. Kouvelas Arista D. Lewis Cisco Systems May 2017 Locator/ID

More information

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Foreword xxiii Preface xxvii IPv6 Rationale and Features Contents Foreword Preface xxiii xxvii 1 IPv6 Rationale and Features 1 1.1 Internet Growth 1 1.1.1 IPv4 Addressing 1 1.1.2 IPv4 Address Space Utilization 3 1.1.3 Network Address Translation 5 1.1.4 HTTP

More information

DMVPN for R&S CCIE Candidates

DMVPN for R&S CCIE Candidates DMVPN for R&S CCIE Candidates Johnny Bass CCIE #6458 BRKCCIE-3003 @CCIE6458 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public About the Presenter Johnny Bass Networking industry since

More information

MPLS VPN. 5 ian 2010

MPLS VPN. 5 ian 2010 MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process

More information

VXLAN Overview: Cisco Nexus 9000 Series Switches

VXLAN Overview: Cisco Nexus 9000 Series Switches White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide

More information

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP

More information

A-B I N D E X. backbone networks, fault tolerance, 174

A-B I N D E X. backbone networks, fault tolerance, 174 I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213

More information

Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801

Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801 Campus Fabric How To Integrate With Your Existing Networks Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o

More information

Implementing MPLS Layer 3 VPNs

Implementing MPLS Layer 3 VPNs A Multiprotocol Label Switching (MPLS) Layer 3 Virtual Private Network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each customer site, one or

More information

Cisco Group Encrypted Transport VPN

Cisco Group Encrypted Transport VPN Cisco Group Encrypted Transport VPN Q. What is Cisco Group Encrypted Transport VPN? A. Cisco Group Encrypted Transport is a next-generation WAN VPN solution that defines a new category of VPN, one that

More information

IP Fabric Reference Architecture

IP Fabric Reference Architecture IP Fabric Reference Architecture Technical Deep Dive jammon@brocade.com Feng Shui of Data Center Design 1. Follow KISS Principle Keep It Simple 2. Minimal features 3. Minimal configuration 4. Configuration

More information

Contents. Introduction. Prerequisites. Background Information

Contents. Introduction. Prerequisites. Background Information Contents Introduction Prerequisites Background Information Limitation Configure Network Diagram Initial configuration R2 R3 IPSec configuration R2 EzPM configuration Workaround Verify Troubleshooting Related

More information

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 07 - MPLS BASED LAYER 2 SERVICES 1 by Xantaro MPLS BASED LAYER 2 VPNS USING MPLS FOR POINT-TO-POINT LAYER 2 SERVICES 2 by Xantaro Why are Layer-2

More information

Contents. EVPN overview 1

Contents. EVPN overview 1 Contents EVPN overview 1 EVPN network model 1 MP-BGP extension for EVPN 2 Configuration automation 3 Assignment of traffic to VXLANs 3 Traffic from the local site to a remote site 3 Traffic from a remote

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

BGP-MVPN SAFI 129 IPv6

BGP-MVPN SAFI 129 IPv6 Subsequent Address Family Identifier (SAFI) 129, known as VPN Multicast SAFI, provides the capability to support multicast routing in the service provider's core IPv6 network. Border Gateway Protocol (BGP)

More information

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson HIP Host Identity Protocol October 2007 Patrik Salmela Ericsson Agenda What is the Host Identity Protocol (HIP) What does HIP try to solve HIP basics Architecture The HIP base exchange HIP basic features

More information

Configuring MPLS and EoMPLS

Configuring MPLS and EoMPLS 37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates

More information

IPv6 over DMVPN. Finding Feature Information

IPv6 over DMVPN. Finding Feature Information This document describes how to implement the Dynamic Multipoint VPN for IPv6 feature, which allows users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing

More information

Internet Engineering Task Force (IETF) Request for Comments: Cisco Systems January 2013

Internet Engineering Task Force (IETF) Request for Comments: Cisco Systems January 2013 Internet Engineering Task Force (IETF) Request for Comments: 6831 Category: Experimental ISSN: 2070-1721 D. Farinacci D. Meyer J. Zwiebel S. Venaas Cisco Systems January 2013 The Locator/ID Separation

More information

Next Generation MULTICAST In-band Signaling (VRF MLDP: Profile 6)

Next Generation MULTICAST In-band Signaling (VRF MLDP: Profile 6) Next Generation MULTICAST In-band Signaling (VRF MLDP: Profile 6) Contents Introduction Background Information MLDP Signaling In-Band Signaling Overlay or Out-Of-Band Signaling Label Distribution Protocol

More information

IPv6 Bootcamp Course (5 Days)

IPv6 Bootcamp Course (5 Days) IPv6 Bootcamp Course (5 Days) Course Description: This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain

More information

Virtual Private Networks Advanced Technologies

Virtual Private Networks Advanced Technologies Virtual Private Networks Advanced Technologies Petr Grygárek rek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn)

More information

Integration of LISP and LISP-MN in INET

Integration of LISP and LISP-MN in INET Institute of Computer Science Chair of Communication Networks Prof. Dr.-Ing. P. Tran-Gia, Matthias Hartmann (University of Wuerzburg, Germany) Michael Höfling, Michael Menth (University of Tuebingen, Germany)

More information

Implementing MPLS VPNs over IP Tunnels

Implementing MPLS VPNs over IP Tunnels The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Network (L3VPN) services, over an IP core network, using L2TPv3 multipoint tunneling instead of MPLS. This allows L2TPv3 tunnels

More information

Cisco Group Encrypted Transport VPN

Cisco Group Encrypted Transport VPN (GET VPN) is a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN combines the

More information

TCP/IP Protocol Suite

TCP/IP Protocol Suite TCP/IP Protocol Suite Computer Networks Lecture 5 http://goo.gl/pze5o8 TCP/IP Network protocols used in the Internet also used in today's intranets TCP layer 4 protocol Together with UDP IP - layer 3 protocol

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

IPv6 Tunnel through an IPv4 Network

IPv6 Tunnel through an IPv4 Network IPv6 Tunnel through an IPv4 Network Document ID: 25156 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations (Manual IPv6 Mode) Configurations

More information

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801 DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching

More information

Implementing Cisco IP Routing (ROUTE)

Implementing Cisco IP Routing (ROUTE) Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide Foundation learning for the ROUTE 642-902 Exam Diane Teare Cisco Press 800 East 96th Street Indianapolis, IN 46240 Implementing Cisco IP

More information

Introduction to MPLS APNIC

Introduction to MPLS APNIC Introduction to MPLS APNIC Issue Date: [201609] Revision: [01] What is MPLS? 2 Definition of MPLS Multi Protocol Label Switching Multiprotocol, it supports ANY network layer protocol, i.e. IPv4, IPv6,

More information

Sharing IPsec with Tunnel Protection

Sharing IPsec with Tunnel Protection The feature allows sharing an IPsec security association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. Shared tunnel interfaces

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series EVPN Configuration Guide Part number: 5200-2002b Software version: Release 25xx Document version: 6W102-20170830 Copyright 2017 Hewlett Packard Enterprise Development

More information

Configuring MPLS L2VPN

Configuring MPLS L2VPN Contents Configuring MPLS L2VPN 1 MPLS L2VPN overview 1 Basic concepts of MPLS L2VPN 2 Implementation of MPLS L2VPN 2 MPLS L2VPN configuration task list 4 Configuring MPLS L2VPN 5 Configuring CCC MPLS

More information

Hierarchical Fabric Designs The Journey to Multisite. Lukas Krattiger Principal Engineer September 2017

Hierarchical Fabric Designs The Journey to Multisite. Lukas Krattiger Principal Engineer September 2017 Hierarchical Fabric Designs The Journey to Multisite Lukas Krattiger Principal Engineer September 2017 A Single Fabric, a Single Data Center External Layer-3 Network Pod 1 Leaf/ Topologies (aka Folded

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

WAN Edge MPLSoL2 Service

WAN Edge MPLSoL2 Service 4 CHAPTER While Layer 3 VPN services are becoming increasing popular as a primary connection for the WAN, there are a much larger percentage of customers still using Layer 2 services such Frame-Relay (FR).

More information

Deploying GET to Secure VPNs

Deploying GET to Secure VPNs Deploying GET to Secure VPNs Scott Wainner Distinguished Systems Engineer Session Objectives and Prerequisites Session Objectives Identify VPN environments where GET is applicable Understand how GET can

More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012 MPLS VPN over mgre Last Updated: November 1, 2012 The MPLS VPN over mgre feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity

More information

CCNA Routing and Switching (NI )

CCNA Routing and Switching (NI ) CCNA Routing and Switching (NI400+401) 150 Hours ` Outline The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that is

More information

Introduction to MPLS. What is MPLS? 1/23/17. APNIC Technical Workshop January 23 to 25, NZNOG2017, Tauranga, New Zealand. [201609] Revision:

Introduction to MPLS. What is MPLS? 1/23/17. APNIC Technical Workshop January 23 to 25, NZNOG2017, Tauranga, New Zealand. [201609] Revision: Introduction to MPLS APNIC Technical Workshop January 23 to 25, 2017. NZNOG2017, Tauranga, New Zealand. Issue Date: [201609] Revision: [01] What is MPLS? 2 1 Definition of MPLS Multi Protocol Label Switching

More information