Mobility and Virtualization in the Data Center with LISP and OTV

Transcription

1

2 Mobility and Virtualization in the Data Center with LISP and OTV Victor Moreno, Distinguished Engineer

3 Agenda Mobility and Virtualization in the Data Center Introduction to LISP LISP Data Center Use Cases LAN Extensions: OTV LISP + OTV Deployment Considerations Summary and Conclusion Slides Identified with the Book Icon Are Provided for Your Reference and Will Not Be Part of the Live Presentation 3

4 Distributed Data Centers Building the Data Center Cloud Distributed Data Center Goals Seamless workload mobility Distributed applications Pool and maximize global resources Business Continuity Interconnect Challenges Complex operations Transport dependence IP subnets and mobility Failure containment Geographically Disperse Data Centers 4

5 Connecting Virtualized Data Centers Multi-tenancy/segmentation: Segment-IDs in LISP, FabricPath and OTV OTV OTV IP Mobility: LISP Network Services Elasticity: ACE, GSS, ASA, VSG OTV L2 Domain Elasticity: Inter-DC: OTV/VPLS Intra-DC: vpc, FabricPath, FEX, VXLAN Location of compute resources is transparent to the user Storage Solutions & Partners: FCIP, Read/write Acceleration EMC, NetApp 5 OTV OTV VM-awareness: Port Profiles

6 Agenda Mobility and Virtualization in the Data Center Introduction to LISP LISP Data Center Use Cases LAN Extensions: OTV LISP + OTV Deployment Considerations Summary and Conclusion 6

7 Location Identity Separation Protocol What do we mean by Location and Identity IP core Today s IP Behavior Loc/ID Overloaded Semantic When the Device Moves, It Gets Device IPv4 or IPv6 a New IPv4 or IPv6 Address for Address Represents Its New Identity and Location Identity and Location Device IPv4 or IPv6 Address Represents Identity Only. Its Location Is Here! IP core Only the Location Changes LISP Behavior Loc/ID Split When the Device Moves, Keeps Its IPv4 or IPv6 Address. It Has the Same Identity 7

8 A LISP Packet Walk How does LISP operate? 1 DNS Entry: D.abc.com A > > > > /24 LISP Site S ETR West-DC D 3 Mapping Entry ITR /24 EID-prefix: /24 Locator-set: , priority: Non-LISP 1, weight: 50 (D1) Non-LISP site , site priority: 1, weight: 50 (D2) IP Network /24 PITR EID-to-RLOC mapping This Policy Controlled by Destination Site East-DC 8

9 A LISP Packet Walk How about Non-LISP Sites? 1 DNS Entry: D.abc.com A Non-LISP Site S Non-LISP Site 3 Mapping Entry EID-Prefix: /24 Locator-Set: , priority: 1, weight: 50 (D1) , priority: 1, weight: 50 (D2) > ETR West-DC > D > > /24 IP Network /24 PITR EID-to-RLOC mapping East-DC

10 LISP Roles and Address Spaces What are the Different Components Involved? LISP Roles Tunnel Routers - xtrs Edge devices encap/decap Ingress/Egress Tunnel Routers (ITR/ETR) Proxy Tunnel Routers - PxTR Coexistence between LISP and non-lisp sites Ingress/Egress: PITR, PETR EID to RLOC Mapping DB RLOC to EID mappings Distributed across multiple Map Servers (MS) Non-LISP PxTR EID Space Prefix Next-hop w.x.y.1 x.y.w.2 z.q.r.5 z.q.r.5 Address Spaces EID = End-point Identifier Host IP or prefix RLOC = Routing Locator IP address of routers in the backbone 10 e.f.g.h e.f.g.h e.f.g.h e.f.g.h ITR Mapping DB ETR EID a.a.a.0/24 b.b.b.0/24 c.c.c.0/24 d.d.0.0/16 RLOC w.x.y.1 x.y.w.2 z.q.r.5 z.q.r.5 EID a.a.a.0/24 b.b.b.0/24 c.c.c.0/24 d.d.0.0/16 ALT RLOC Space EID Space EID a.a.a.0/24 b.b.b.0/24 c.c.c.0/24 d.d.0.0/16 RLOC w.x.y.1 x.y.w.2 z.q.r.5 z.q.r.5 RLOC w.x.y.1 x.y.w.2 z.q.r.5 z.q.r.5

11 LISP Mapping Database The Basics Registration and Resolution Mapping Cache Entry (on ITR): LISP Site /16-> ( , ) ITR Map Server / Resolver: Database Mapping Entry (on ETR): /16 -> ( , ) Map-Reply /16 -> ( , ) ETR ETR ETR ETR Database Mapping Entry (on ETR): /16 -> ( , ) West-DC East-DC / /16 Y X Y Z

12 LISP Mapping Database Node Resiliency/Clustering Mapping Cache Entry (on ITR): /16-> ( , ) LISP Site ITR No Synchronization Protocol Between Map Servers; ETRs Must Register with All Map Servers Individually; ITRs anycast Map Requests Database Mapping Entry (on ETR): /16 -> ( , ) Map-Reply /16 -> ( , ) Map Resolver: (Anycast) Map Server: Mapping DB Map Server: Node Cluster ETR ETR ETR ETR Database Mapping Entry (on ETR): /16 -> ( , ) West-DC East-DC / /16 Y X Y Z

13 Basic LISP Configuration Servers ip lisp map-resolver ip lisp map-server lisp site west-dc authentication-key 0 s3cr3t eid-prefix /24 Border Routers Between Backbones ip lisp proxy-itr ip lisp ITR map-resolver Branch Routers ip lisp itr-etr ip lisp ITR map-resolver DC Aggregation Routers ip lisp itr-etr ip lisp database-mapping / p1 w50 ip lisp database-mapping / p1 w50 ip lisp ETR map-server key s3cr3t ip lisp ETR map-server key s3cr3t Usually Devices Will Be Configured as ITRs and ETRs to Handle Traffic in Both Directions; We Illustrate Only One Direction for Simplicity 13 LISP Site ITR ETR West-DC /24 RLOC Non-LISP Sites PITR IP Network EID Mapping DB East-DC LISP Encap/Decap

14 Location ID/Separation Protocol(LISP) Next Generation Networking Architecture Single Network Architecture Delivers: Host Mobility (topology independent addressing) Security: VPNs/Multi-tenancy Route Scalability (on demand routing) IPv6 enablement, Routing Policy simplification Benefits Services integrated in a single architecture Services can be offered across organizational boundaries (multiple providers) Very large scale Open model to integrate with cloud orchestrators Use-Cases DCI route optimization/mobility Workload Portability to Cloud Secure Multi-tenancy across organizations Rapid IPv6 Deployment Route scaling 2014 Cisco and/or its affiliates. Making All rights reserved. the Network 14 Cloud-Ready

15 LISP Use Cases Efficient Multi-Homing LISP Site LISP Routers IP Portability Ingress Traffic Engineering without BGP Multi-Tenancy and VPNs LISP Site Internet IP Network IPv6 Transition Support v6 Services LISP Router v6 LISP Router IPv4 Internet v4 v6 v6-over-v4, v6-over-v6 v4-over-v6, v4-over-v4 Host-Mobility LISP Site v6 IPv6 Internet IP Network West-DC East-DC West-DC East-DC Reduced CapEx/OpEx Large scale Segmentation 15 Cloud / Layer 3 VM moves Segmentation

16 Agenda Mobility and Virtualization in the Data Center Introduction to LISP LISP Data Center Use Cases Host-Mobility LAN Extensions: OTV LISP + OTV Deployment Considerations Summary and Conclusion 16

17 Moving vs. Distributing Workloads Why do we really need LAN Extensions? Hypervisor Moving Workloads Hypervisor Control Traffic (routable) IP Network Hypervisor Move workloads with IP mobility solutions: LISP Host Mobility IP preservation is the real requirement (LAN extensions not mandatory) Distribute workloads with LAN extensions Application High Availability with Distributed Clusters O S O S Distributed App (GeoCluster) O S Non-IP application traffic (heartbeats) LAN Extension (OTV) 17

18 LISP Host-Mobility Needs: Global IP-Mobility across subnets Optimized routing across extended subnet sites LISP Solution: Automated move detection on XTRs Dynamically update EID-to-RLOC mappings Traffic Redirection on ITRs or PITRs Benefits: Direct Path (no triangulation) Connections maintained across move No routing re-convergence No DNS updates required Transparent to the hosts Global Scalability (cloud bursting) IPv4/IPv6 Support 18 LISP Site XTR LAN Extensions LISP-VM (XTR) West-DC RLOC Non-LISP Sites PXTR Mapping DB IP Network East-DC EID LISP Encap/Decap

19 Host-Mobility Scenarios Moves Without LAN Extension Moves With LAN Extension LISP Site XTR Non-LISP Site LISP Site XTR Mapping DB Internet or Shared WAN DR Location or Cloud Provider DC LAN Extension IP Network Mapping DB LISP-VM (XTR) LISP-VM (XTR) West-DC East-DC West-DC East-DC IP Mobility Across Subnets Disaster Recovery Cloud Bursting Application Members in One Location 19 Routing for Extended Subnets Active-Active Data Centers Distributed Clusters Application Members Distributed (Broadcasts across sites)

20 LISP Host-Mobility Move Detection Monitor the source of Received Traffic The new xtr checks the source of received traffic Configured dynamic-eids define which prefixes may roam lisp dynamic-eid roamer database-mapping /24 <RLOC-C> p1 w50 database-mapping /24 <RLOC-D> p1 w50 map-server key abcd interface vlan 100 lisp mobility roamer LISP-VM (xtr) Mapping DB A B C D Received a Packet It s from a New Host It s in the Dynamic-EID Allowed Range It s a Move! Register the /32 with LISP West-DC East-DC / /16 Y X Y Z

21 LISP Host-Mobility Traffic Redirection Update Location Mappings for the Host System Wide When a host move is detected, updates are triggered: The host-to-location mapping in the Database is updated to reflect the new location The old ETR is notified of the move ITRs are notified to update their Map-caches Ingress routers (ITRs or PITRs) now send traffic to the new location LISP Site xtr A B C D /16 RLOC A, B Mapping DB /32 RLOC C, D LISP-VM (xtr) West-DC East-DC / /16 Y X Y Z

22 Host Mobility without LAN extensions

23 LISP Host-Mobility First Hop Routing No LAN Extension SVI (Interface VLAN x) and HSRP configured as usual Consistent GWY-MAC configured across all dynamic subnets The lisp mobility <dyn-eid-map> command enables proxy-arp functionality on the SVI The LISP-VM router services first hop routing requests for both local and roaming subnets Moving hosts always talk to a local gateway with the same MAC interface vlan 100 interface Ethernet2/4 ip address /24 ip address /24 lisp mobility roamer lisp mobility ( roamer ip proxy-arp) (ip proxy-arp hsrp 101 hsrp 101 mac-address e1d.010c mac-address ip e1d.010c ip HSRP Active LISP-VM (xtr) A B C D West-DC East-DC / /24 HSRP HSRP ARP ARP GWY-MAC GWY-MAC interface vlan 200 interface vlan 100 ip address /24 ip address /24 lisp mobility roamer lisp mobility roamer (ip proxy-arp (ip proxy-arp) hsrp 201 hsrp 201 mac-address e1d.010c mac-address e1d.010c ip ip HSRP Active

24 Host-Mobility and Multi-homing ETR Updates Across LISP Sites Null0 host routes indicate the host is away /16 RLOC A, B /32 RLOC C, D Routing Table: /16 Local /32 Null0 10 Map-Notify /32 <C,D> Map-Notify /32 <C,D> A X B Mapping DB Routing Table: /16 Local / / /32 Null0 1 East-DC West-DC Y Routing Table: /16 Local /24 Null /32 Local 24 5 Map-Register /32 <C,D> Y C 4 D Routing Table: /16 Local /24 Null /32 Local Map-Notify /32 <C,D>

25 Refreshing the Map Caches 1. ITRs and PITRs with cached mappings continue to send traffic to the old locators 1. The old xtr knows the host has moved (Null0 route) 2. Old xtr sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host 3. The ITR then initiates a new map request process 4. An updated map-reply is issued from the new location 5. The ITR Map Cache is updated Map ITR /16 RLOC A,B LISP site ITR /32 RLOC C,D Mapping DB A B C D Traffic is now re-directed SMRs are an important integrity measure to avoid unsolicited map responses and spoofing LISP-VM (xtr) West-DC East-DC / /16 Y X Y Z

26 LISP Mobility Across LISP Sites Client-server communication established without the need to discover the workloads in the home subnet in West-DC /16 RLOC A, B Map ITR /16 RLOC A,B LISP site ITR Mapping DB Routing Table: /24 Local /24 West-DC A X B Y Routing Table: /24 Local /24 Null0 Routing Table: /24 Local C D /24 Routing Table: /24 Local /24 Null0 Installed by LISP to allow Proxy-ARP functions when moving x workloads here East-DC 26

27 On-subnet Server-Server Traffic West-to-East East-to-West X ARPs for Y, /32 Null0 entry for Y triggers proxy-arp on West-DC xtrs to ensure traffic is steered there Note: entry for Y in X ARP cache is cleared by GARP message originated by West-DC XTRs Traffic to Y is LISP encapsulated Y ARPs for X, /24 Null0 entry for the home subnet triggers proxy-arp on East DC xtrs to ensure traffic is steered there Note: assumption is that ARP cache on Y is refreshed after the move Traffic to X is LISP encapsulated B C C B A B C D A B C D LISP DC xtr LISP DC xtr West-DC West-DC /24 East-DC / /24 East-DC / Y Y X Y Z X Y Z

28 LISP Host-Mobility Configuration Without LAN Extensions ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-A> ip lisp database-mapping /16 <RLOC-B> ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-C> ip lisp database-mapping /16 <RLOC-D> lisp dynamic-eid roamer database-mapping /24 <RLOC-A> database-mapping /24 <RLOC-B> map-server key abcd map-server key abcd map-notify-group interface vlan 100 ip address /16 lisp mobility roamer (ip proxy-arp) hsrp 101 mac-address e1d.010c ip LISP-VM (xtr) A B C D lisp dynamic-eid roamer database-mapping /24 <RLOC-C> database-mapping /24 <RLOC-D> map-server key abcd map-server key abcd map-notify-group interface vlan 100 ip address /16 lisp mobility roamer (ip proxy-arp) hsrp 201 mac-address e1d.010c ip Mapping DB West-DC East-DC / /16 X 28 Y Z

29 MS/MR Deployment across LISP Sites Recommended Option: co-locate MS/MR functionality on the DC xtr (one per DC site) MS/MR in West-DC LISP site /24 ip lisp map-resolver ip lisp map-server lisp site BRANCH_1 eid-prefix / /24 authentication-key abcd lisp site West-DC eid-prefix / /16 accept-more-specifics authentication-key abcd lisp site East-DC eid-prefix / /16 accept-more-specifics authentication-key abcd A B C D MS/MR in East-DC West-DC East-DC / /24 X Y Z 29

30 Agenda Mobility and Virtualization in the Data Center Introduction to LISP LISP Data Center Use Cases LAN Extensions: OTV LISP + OTV Deployment Considerations Summary and Conclusion 30

31 Moving vs. Distributing Workloads Why do we really need LAN Extensions? Hypervisor Moving Workloads Hypervisor Control Traffic (routable) IP Network Hypervisor Move workloads with IP mobility solutions: LISP Host Mobility IP preservation is the real requirement (LAN extensions not mandatory) Distribute workloads with LAN extensions Application High Availability with Distributed Clusters OS OS Distributed App (GeoCluster) OS Non-IP application traffic (heartbeats) LAN Extension (OTV) 31

32 LAN Extensions Evolution From Circuits to Packets Circuits + Data Plane Flooding Packet Switching + Control Protocol DC- 1 DC- 2 DC- 1 DC- 2 L3 L2 L3 L2 B A C D B A C D Full mesh of circuits (pseudo-wires) MAC learning based on flooding Failure propagation Limited information Operationally Challenging Loop prevention and multi-homing must be provided separately Traditional L2 VPNs 32 B A C D B A C D Packet switched connectivity MAC learning by control protocol Failure containment Rich information Operational simplification Automatic loop prevention & multi-homing MAC Routing

33 OTV Data Plane 1. Layer 2 lookup on the destination MAC. MAC 3 is reachable through IP B 2. The Edge Device encapsulates the frame 3. The transport delivers the packet to the Edge Device on site East 4. The Edge Device on site East receives and decapsulates the packet 5. Layer 2 lookup on the original frame. MAC 3 is a local MAC 6. The frame is delivered to the destination 1 Layer 2 Lookup MAC TABLE VLAN MAC IF Transport Infrastructure 100 MAC 1 Eth 2 IP A IP B 100 MAC 1 IP A OTV OTV OTV OTV 100 MAC 2 Eth 1 Encap 100 MAC 2 IP A MAC 1 MAC 3 IP A IP B 100 MAC 3 IP B MAC 1 MAC 3 IP A IP B 100 MAC 3 Eth MAC 4 IP B 2 3 Decap 4 MAC TABLE VLAN MAC IF 100 MAC 4 Eth 4 5 Layer 2 Lookup MAC 1 MAC 3 MAC 1 West Site 33 East Site MAC 1 MAC 3 MAC 3 6

34 Building the MAC Tables The OTV Control Plane OTV proactively advertises MAC reachability (control-plane learning) MAC addresses advertised in the background once OTV has been configured IS-IS is the OTV Control Protocol running between the Edge Devices No specific configuration is required OTV MAC Addresses Advertisements OTV West IP A IP B East IP C OTV 34 South

35 Overlay Transport Virtualization (OTV) Simplifying LAN Extensions Ethernet LAN Extension over any Network Works over dark fiber, MPLS, or IP Multi-data center scalability Simplified Configuration & Operation Seamless overlay - No network re-design Single touch site configuration High Resiliency Failure domain isolation Seamless Multi-homing Maximizes available bandwidth Automated multi-pathing Optimal multicast replication Many Physical Sites One Logical Data Center Any Workload, Anytime, Anywhere Unleashing the Full Potential of Compute Virtualization 35

36 Ingress Routing Challenge in DCI Extending Subnets Creates a Routing Challenge A subnet traditionally implies location Yet we use LAN extensions to stretch subnets across locations Location semantics of subnets are lost LISP site XTR Traditional routing relies on the location semantics of the subnet Can t tell if a server is at the East or West location of the subnet LAN Extension IP Network More granular (host level) information is required LISP provides host level location semantics West-DC East-DC 36

37 Host Mobility in Extended Subnets

38 LISP Host-Mobility First Hop Routing With Extended Subnets Consistent GWY-IP and GWY-MAC configured across all sites Consistent HSRP group number across sites consistent GWY-MAC Servers can move anywhere and always talk to a local gateway with the same IP/MAC interface vlan 100 interface vlan 200 interface vlan 100 ip address /24 interface Ethernet2/4 ip address /24 ip address /24 lisp mobility roamer ip address /24 lisp mobility roamer lisp mobility roamer lisp extended-subnet-mode lisp mobility lisp roamer lisp extended-subnet-mode extended-subnet-mode hsrp 101 lisp extended-subnet-mode LAN Ext. hsrp 101 hsrp 101 ip hsrp 101 ip ip A B C D ip HSRP Active LISP-VM (xtr) West-DC East-DC /24 HSRP HSRP /24 ARP ARP GWY-MAC GWY-MAC HSRP Active 38

39 Host-Mobility and Multi-homing ETR updates Extended Subnets /16 RLOC A, B /32 RLOC C, D Mapping DB Routing Table: Routing Table: /16 Local Routing Table: /16 Local /24 Null /16 Local /24 Null /32 Null /24 Null /32 Local A B /32 Local C D Routing Table: /16 Local /24 Null /32 Null / /16 1 OTV East-DC West-DC Y X Y Map-Notify Map-Notify /32 <C,D> /32 <C,D> Null0 host routes indicate the host is away /24 is the dyn-eid Map-Register /32 <C,D>

40 Refreshing the Map Caches Map ITR 1. ITRs and PITRs with cached mappings continue to send traffic to the old locators 1. The old xtr knows the host has moved (Null0 route) 2. Old xtr sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host 3. The ITR then initiates a new map request process 4. An updated map-reply is issued from the new location 5. The ITR Map Cache is updated Traffic is now re-directed SMRs are an important integrity measure to avoid unsolicited map responses and spoofing West-DC OTV East-DC / /16 X LISP site Y ITR A B C D /32 RLOC A,B /32 RLOC A,B /32 RLOC C,D Y Z Mapping DB LISP-VM (xtr) 40

41 Server to Server Intra-subnet flows Live moves and cluster member dispersion LAN Ext. A B C D Traffic flows in both E-W and W-E directions leverage LAN Extension (LISP does not come into the picture since traffic is handled at Layer 2) LISP DC xtr West-DC / Y East-DC /24 Link-local-multicast handled by the LAN Extension X Y Z 41

42 LISP VM-Mobility Configuration With Extended Subnets extended-subnet-mode ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-A> ip lisp database-mapping /16 <RLOC-B> ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-C> ip lisp database-mapping /16 <RLOC-D> lisp dynamic-eid roamer database-mapping /24 <RLOC-A> database-mapping /24 <RLOC-B> map-server key abcd map-server key abcd map-notify-group interface vlan 100 ip address /16 lisp mobility roamer lisp extended-subnet-mode hsrp 101 ip LISP-VM (xtr) LAN Ext A B C D lisp dynamic-eid roamer database-mapping /24 <RLOC-C> database-mapping /24 <RLOC-D> map-server key abcd map-server key abcd map-notify-group interface vlan 100 ip address /16 lisp mobility roamer lisp extended-subnet-mode hsrp 101 ip Mapping DB West-DC /16 East-DC X 42 Y Z

43 Off-subnet Client-Server Traffic All Off-Subnet/Off-Site Traffic Is LISP Encapsulated Clients ( & communicate with Server Client-server traffic is LISP encapsulated at the ITRs or PITRs CLIENT Client-to-server: to ETRs C or D Server-to-client: to ETR (F) for LISP sites to PETR (G) for non-lisp sites Server-Server off-subnet traffic across sites is also LISP encapsulated LISP Site 43 F xtr CLIENT F C A B C D Mapping DB LISP-VM (xtr) West-DC East-DC / / Y X Y Non-LISP Sites G PxTR G D

44 On-subnet Server-Server Traffic On Subnet Traffic Across L3 Boundaries With LAN Extension Live moves and cluster member dispersion Traffic between X & Y uses the LAN Extension Link-local-multicast handled by the LAN Extension Without LAN Extensions Cold moves, no application dispersion X- Y traffic is sent to the LISP-VM router & LISP encapsulated Need LAN extensions for link-local multicast traffic B C Mapping DB LAN Ext A B C D A B C D LISP-VM (xtr) LISP-VM (xtr) West-DC /16 East-DC West-DC /16 East-DC / Y Y X Y Z X Y Z

45 Agenda Mobility and Virtualization in the Data Center LAN Extensions: OTV Introduction to LISP LISP Data Center Use Cases Multi-Tenancy LISP + OTV Deployment Considerations Summary and Conclusion 45

46 LISP Multi-Tenancy High Level View Needs: Integrated Segmentation Ease of operations Global Scale and interoperability LISP Site xtr Non- LISP Sites PxTR Instance IP Location Red A East Blue A West Yellow C (Move) East West LISP Solution: IP Network Mapping DB Traffic (control & data) is colored (tagged) with an instance-id Mappings are also colored in DB and caches On xtrs use VRFs as map cache contexts Benefits: xtr West-DC East-DC Very high scale tenant segmentation Distributed/on-demand/no-adjacencies Global mobility IP based solution, transport independent Overlay solution is transparent to the core RLOC EID LISP Encap/Decap 46

47 Network Virtualization in LISP LISP Multi-tenancy To MPLS VPNs, VRF-lite or separate networks Colored Map Requests/Replies Instance EID IP Location Green A East Blue A West Yellow C East West To LISP Virtualized Mapping Service: EID entries with instance-id semantics Control packets also contain instance-id semantics G D Instance G E Instance G F Instance Single RLOC space shared by multiple instances Virtualized Map Cache (xtrs): Mappings cached in different VRFs per instance-id Interoperable with other VRF features/solutions Colored Traffic: Instance-ID tag in LISP data header Instance-ID encoded in LISP control packets 47

48 LISP Multi-Tenancy Two Modes Shared Mode Parallel Mode EID RLOC EID RLOC Multiple EID VRFs Multiple RLOC VRFs run in parallel All EID VRFs map to one shared RLOC VRF EID space is virtualized RLOC space not virtualized EID VRFs map to different RLOC VRFs RLOC and EID spaces are virtualized 48

49 LISP Virtualization Shared Model Shared Model at the device level - Multiple EID-prefixes are allocated privately using VRFs - EID lookups are in the VRF associated with an Instance-ID - All RLOC lookups are in a single table default - The Mapping System is part of the locator address space and is shared To VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks) EID namespace, VRF Pink, IID 1 Pink To RLOC namespace EID namespace, VRF Blue, IID 2 Blue Default Single RLOC namespace Default table or RLOC VRF 49

50 LISP Virtualization Parallel Model Parallel Model at the device level - Multiple EID-prefixes are allocated privately using VRFs - EID lookups are in the VRF associated with an Instance-ID - RLOC lookups are in the VRF associated with the locator table - A Mapping System must be part of each locator address space To VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks) EID namespace, VRF Pink, IID 1 Pink RLOC uses Pink namespace To VPNs (MPLS, 802.1Q, VRF-Lite, or separate networks) EID namespace, VRF Blue, IID 2 Blue Default RLOC uses Blue namespace 50

51 LISP Mobility in multiple VRFs Configuration Shared mode LISP Virtualization vrf context BLUE ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-A> ip lisp database-mapping /16 <RLOC-B> lisp instance-id 102 ip lisp locator-vrf RED vrf context BLUE ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-C> ip lisp database-mapping /16 <RLOC-D> lisp instance-id 102 ip lisp locator-vrf RED lisp dynamic-eid roamer database-mapping /24 <RLOC-A> database-mapping /24 <RLOC-B> map-server key abcd map-notify-group interface vlan 100 vrf member BLUE ip address /16 lisp mobility roamer hsrp 101 ip LISP-VM (xtr) A B C D lisp dynamic-eid roamer database-mapping /24 <RLOC-C> database-mapping /24 <RLOC-D> map-server key abcd map-notify-group interface vlan 100 vrf member BLUE ip address /16 lisp mobility roamer hsrp 101 ip Mapping DB West-DC East-DC / /16 X 51 Y Z

52 LISP Mobility in multiple VRFs Configuration Parallel mode LISP Virtualization vrf context BLUE ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-A> ip lisp database-mapping /16 <RLOC-B> lisp instance-id 102 ip lisp locator-vrf BLUE vrf context BLUE ip lisp ITR-ETR ip lisp database-mapping /16 <RLOC-C> ip lisp database-mapping /16 <RLOC-D> lisp instance-id 102 ip lisp locator-vrf BLUE lisp dynamic-eid roamer database-mapping /24 <RLOC-A> database-mapping /24 <RLOC-B> map-server key abcd map-notify-group interface vlan 100 vrf member BLUE ip address /16 lisp mobility roamer hsrp 101 ip LISP-VM (xtr) A B C D lisp dynamic-eid roamer database-mapping /24 <RLOC-C> database-mapping /24 <RLOC-D> map-server key abcd map-notify-group interface vlan 100 vrf member BLUE ip address /16 lisp mobility roamer hsrp 101 ip Mapping DB West-DC East-DC / /16 X 52 Y Z

53 LISP Multi-tenant + Mobility Configuration ip lisp map-resolver ip lisp map-server lisp site BRANCH_1 eid-prefix /24 authentication-key abcd lisp site West-DC eid-prefix /16 instance-id 102 accept-more-specifics authentication-key abcd lisp site East-DC eid-prefix /16 authentication-key abcd LISP-VM (xtr) A B C D Mapping DB West-DC East-DC / /16 X 53 Y Z

54 Segmentation End-to-end LISP-VRF Integration servers Enterprise Core A Enterprise WAN B Global Corp-A User Global VRF- Corp-A101 VRF-Corp-A102 MS/MR VRF-Lite / EVN (or MPLS VPN) xtr11 LISP Multi-Tenancy Instances 0,101,102 A B Instance 0 A B Instance 101 A B Instance 102 S D in Global S D in Corp-A101 S D in Corp-A102 xtr203 Enterprise Remote Site Doctor Corp-A101 User Finance Corp-A102 User VRF-Lite / EVN (or MPLS VPN) Global VRF- Corp-A101 VRF-Corp-A102 Single RLOC space shared by multiple instances 54 Legend: EIDs -> Green Locators -> Red LISP encap/decap

55 VRFs and LISP Multi-Tenancy Routes and Mappings in VRFs On a PITR, routes can be advertized on different VRFs Leverage VRF enabled functionality: PBR VRF-select DHCP relay ExTRanet Imports/Exports IGP/BGP routing protocols Interoperate with existing VPN networks To MPLS VPNs, VRF-Lite or Separate Networks 55

56 Agenda Mobility and Virtualization in the Data Center LAN Extensions: OTV Introduction to LISP LISP Data Center Use Cases LISP + OTV Deployment Considerations Summary and Conclusion 56

57 LISP Host-Mobility XTR Router Main Data Disaster Recover facilities Ideally: First hop routers for the subnets in which the mobile hosts reside: Detect host moves Provide a consistent first hop presence Could also be the second hop Usually the Aggregation Switches in the Data Center Customer Managed LISP Site XTR LISP-VM (XTR) West-DC RLOC Internet / WAN Backbone Data Center IP Backbone EID LISP-VM (XTR) DC-Aggregation DC-Access East-DC LISP Encap/Decap DR Location or Cloud Provider DC 57

58 OTV Router Main Data Centers only Typically not Disaster Recover facilities First hop routers for the subnets in which the mobile hosts reside: Connect to the VLANs to be extended Connect to the IP core Usually the Aggregation Switches in the Data Center Customer Managed LISP Site XTR OTV West-DC RLOC LAN Extension to DR or Cloud Facilities Is Usually Not Required Internet / WAN Backbone EID Data Center IP Backbone DC-Aggregation DC-Access East-DC LISP Encap/Decap DR Location or Cloud Provider DC OTV 58

59 PxTR Placement Advertise DC Routes to Non-LISP Sites PXTR Ideally placed on path between non-lisp and LISP sites Aggregation points are optimal: Border routers between DC core and WAN Internet Routers Customer Routers at Co-location Provider routers (PXTR service) PITRs must be configured to inject routes into the non-lisp network Attract traffic from Non-LISP sites Encap and send to the Data Center West-DC Provider PXTR RLOC Internet / WAN Backbone Data Center IP Backbone EID Non-LISP Sites DC-Aggregation DC-Access Private PXTR East-DC LISP Encap/Decap 59

60 PxTR Placement Advertise DC Routes to Non-LISP Sites PxTR on path between non-lisp and LISP sites (ideal) 1. Border routers between DC core and WAN Internet Routers Customer Routers at Co-location 2. Provider routers (PXTR service) 2 PxTRs at LISP sites (tromboning) 3. PXTR at Data Center edge 4. PxTR at regional hub branch PITRs must be configured to inject routes into the non-lisp network Attract traffic from Non-LISP sites Encap and send to the Data Center LISP Site West-DC RLOC XTR/PXTR 4 Internet / WAN Backbone Data Center IP Backbone PXTR EID 3 Non-LISP Sites Private PXTR East-DC Provider PXTR 1 LISP Encap/Decap 2 60

61 Map Server Placement A Daemon on a Router The Map Server functionality can be enabled on any router BGP route-reflectors are a good analogy Off path is good, but not mandatory Distribute Map Servers across different locations Private Data Centers (Self managed) SP Data Centers/Cloud (SP Service) Map Server resiliency options: Clustered and distributed Distributed Database (DDT) West-DC LISP Site SP Mapping Service Private Map Server RLOC XTR Internet / WAN Backbone Data Center IP Backbone EID Non-LISP Sites DC-Aggregation DC-Access Private Map Server East-DC LISP Encap/Decap 61

62 Map Server Placement Private DC deployment Options Option 1: co-locate MS/MR functionality on the DC xtr (same as for LISP Across Subnet Mode) Option 2: push the MS/MR functionality on the OTV VDC (one per DC site) MS/MR in West DC MS/MR in West DC MS/MR in West DC MS/MR in West DC 62

63 Summary - Where to Deploy LISP and OTV Roles and Places in the Network XTR: Branch LISP Sites Customer-managed/owned SP-Managed CE service PXTR: Border Transit Points Customer backbone routers Customer co-location SP provided router/service LISP-VM XTR: Aggregation Data Center Customer-managed/owned LISP Site XTR Internet / WAN Backbone Data Center IP LISP-VM (XTR) Backbone PXTR DC-Aggregation Non-LISP Sites Mapping DB Mapping Servers/Routers: Distributed Across Data Centers Customer-managed/owned SP provided service OTV OTV: Aggregation Data Center Customer-managed/owned West-DC RLOC 63 DC-Access East-DC EID LISP Encap/Decap

64 Nexus 7000 OTV and LISP Co-Existence OTV must run in a separate VDC in order to support SVIs for IP routing on extended VLANs Aggregation VDC OTV VDC IP Services, SVIs, LISP OTV Services LISP runs in the Aggregation VDC, separate from OTV, just like any other IP routing service 64

65 Nexus 7000 Hardware Requirements Encap/Decap Interfaces N7K-M132XP-12 N7K-M132XP-12L Other M-Series F1 & F2E-Series Cards (Proxy Mode) N7K-M132XP-12 N7K-M132XP-12L Only F3, N7K-M132XP-12 and N7K- M132XP-12L support LISP encapsulation F1 and F2E-Series can use N7K-M132XP-12 Proxy mode to support LISP Other M-series cards cannot operate in Proxy mode, should be deployed in a separate VDC Multi-hop mode can be leveraged if the first hop is not lisp encap capable (M-series) 65

66 Agenda Mobility and Virtualization in the Data Center LAN Extensions: OTV Introduction to LISP LISP Data Center Use Cases LISP + OTV Deployment Considerations Stateful Services Considerations Summary and Conclusion 66

67 Live Moves or Cold Moves Live (hot) Moves preserve existing connections and state e.g. vmotion, Cluster failover Requires synchronous storage and network policy replication Distance limitations Cold Moves bring machines down and back up elsewhere e.g. Site Recovery Manager No state preservation: less constrained by distances or services capabilities Moving Workloads Hypervisor Hypervisor Control Traffic (routable) IP Network Hypervisor Mobility across PODs within a site or across different locations 67

68 Live Moves or Cold Moves Services Live Moves Established before the move Established after the move Services Cold Moves LISP LISP LISP LISP LAN Extension DC1 DC2 Redirection of established flows: - Extended Clusters - Cluster or LISP based re-direction DC1 DC2 IP preservation Uniform Policies 68

69 Cold Moves / Disaster Recovery Localized FW & SLB Clusters Independent FW & SLB cluster in each location LAN extensions not required New state created after moves No state synchronization LISP steers traffic to different locations Disaster recovery Cold workload relocation LISP FW cluster SLB cluster LISP FW cluster SLB cluster DC1 DC2 69

70 LISP and Services Integration Active/Standby Units Deployed in Each Site LISP site Layer 3 Core FWs in separated sites work independently Stateless Active/Active scenario FW in different sites are not sync d Policies have to be replicated between sites VIP ESX VIP Workload/Server Farm Moves ESX No state information maintained between sites VIP on ACE must be moved between independent pairs Will drop previously established sessions after live workload move (i.e. vmotion) Data Center 1 Data Center 2 Positioned for cold migration scenarios (like Disaster Recovery for example) 70

71 Live Moves Extended Firewall Clusters All Active FW cluster extended across locations LAN extensions for heartbeats, state sync and redirection within the cluster FW state is synchronized across all cluster members All members active LISP steers traffic to different locations Flows existing prior to the move will be redirected within the FW cluster (over the LAN extension) New flows will be instantiated on the FWs at the new site LISP LISP Extended cluster LAN Extension DC1 DC2 71

72 LISP and Services Integration What about Stretching Services across Sites? LISP site VIP ESX Data Center 1 Layer 3 Core Workload/Server Farm Moves Data Center 2 ESX VIP FW and SLB stretched extended locations LAN extensions for heartbeats & state sync LISP steers traffic to Data Center 2 after Workload/Server Farm move Sub-optimal traffic pattern Not truly leveraging LISP inbound Path Optimization functionality advantages 72

73 SLB Virtual-IP (VIP) Failover VIP is active at one location at a time VIP location is advertised in LISP VIP may failover on failure or change active device on machine moves VIP becomes active at a new site LISP VIP LISP VIP VIP activity is detected by the VM-mobility logic LAN Extension LAN Extension VIP location is updated in LISP on failover DC1 DC2 73

74 Inserting Firewalls in routed mode Traffic is Decapsulated Before Being Handed off to the FWs LISP Messages XTR is not the first hop router LISP host-mobility functionality is split to two places: SG XTR LISP registration/encap/decap 1 st Hop router Move detection, map notification to XTR, proxy default GWY The SG XTR LISP registers host mappings in the dynamic-eid range LISP encap/decap LISP signaling Move Detection Host route injection Default GWY proxy L3 Core roamer (lands in a foreign network) R3: Site GWY XTR (SG) R2: FW (non- LISP) R1: First Hop (FH) 74

75 LISP-HM Multi-hop ESM L3 Core Map-Notify 4 LISP Registration/ Notifications 3 Map-Register L3 Core LISP encap/decap LISP encap/decap EID-Notify 5 2 EID-Notify Extended LAN (east-west traffic) 1 Map-Notify roamer (lands in a foreign network) 2 75

76 LISP-HM Multi-hop ESM Configuration L3 SG LISP Registrations ip lisp itr-etr LISP encap/decap lisp dynamic-eid foo database-mapping <eid-prefix> <xtr-rloc> priority <p> weight <w> SG1 SGn map-server <map-server-address> eid-notify authentication-key <key-value> LISP Notifications roamer (lands in a foreign network) lisp dynamic-eid foo 76 database-mapping <eid-prefix> <xtr-rloc> priority <p> weight <w> eid-notify <xtr-address-1> key <key-value> eid-notify <xtr-address-n> key <key-value>

77 LISP Host-mobility IGP Assist (LISP HMIA) Dynamic Host Routes Installed by LISP and redistributed into the IGP L3 Core roamer (lands in a foreign network) R1: FHR Host routing end to end LISP provides host mobility detection LISP provides signaling to guide IGP convergence The IGP propagates host routes received from LISP No LISP encapsulation involved 77

78 LISP-HM IGP Assist ESM e2e host routing LISP Signaling assists IGP convergence No mapping infrastructure for ESM L3 Core Redistribut e LISP routes into IGP Remove /32 lisp interface route 3 Map-Notify 2 78 Host detection 1 roamer (lands in a foreign network) Map-Notify 2 Redistribut e LISP routes into IGP Install /32 lisp interface route 2

79 LISP HM IGP Assist Configuration - FHR L3 Core lisp dynamic-eid foo database-mapping <eid-prefix> redistribute map-notify-group Dynamic Host Routes Installed by LISP and redistributed into the IGP R1: FHR router <favorite-routing-protocol> foo redistribute lisp route-map <bar> ip prefix-list <eid-list-name> seq 5 permit <eid-prefix> ge 32 route-map <bar> permit 10 roamer (lands in a foreign network) match ip address <eid-list-name> 79

80 LISP-HM IGP Assist ASM e2e host routing Without LISP signaling: Blackhole period L3 Core Redistribut e LISP routes into IGP Redistribut e LISP routes into IGP Remove /32 lisp interface route 4 3 Dyn-eid timeout Host detection 1 Map-Notify 2 Install /32 lisp interface route 2 80 roamer (lands in a foreign network)

81 LISP-HM IGP Assist ASM e2e host routing LISP Signaling assists IGP convergence L3 Core Map-Server Redistribut e LISP routes into IGP 4 Map-Notify 3 Map-Register Redistribut e LISP routes into IGP Remove /32 lisp interface route 5 Map-Notify 5 Host detection 1 Map-Notify 2 Install /32 lisp interface route 2 81 roamer (lands in a foreign network)

82 LISP HM IGP Assist Configuration - FHR ip lisp etr <<<< Must be ETR only L3 Core lisp dynamic-eid foo database-mapping <eid-prefix> redistribute Dynamic Host Routes Installed by LISP and redistributed into the IGP R1: FHR database-mapping <eid-prefix> rloc <rloc> p1 w50 map-server <ms-address> key <some-key> map-notify-group router <favorite-routing-protocol> foo redistribute lisp route-map <bar> roamer (lands in a foreign network) 82 ip prefix-list <eid-list-name> seq 5 permit <eid-prefix> ge 32 route-map <bar> permit 10 match ip address <eid-list-name>

83 Summary and Conclusions

84 Summary and Conclusions LISP provides an effective solution for host mobility Some applications may require LAN extensions in combination with host mobility LISP consolidates many network services in one architecture: Mobility, network segmentation, traffic engineering Enhanced scalability Location Identity Separation opens many opportunities in the Data Center space 84

85 LISP Host Mobility Support Part of the LISP Solution Space IPv6 Network xtr IPv6 Core 1. Multihoming 2. IPv6 Transition 3. Virtualization/VPN 4. Mobility IPv4 Network xtr IPv4 Core v6 v4 LISP is an Architecture 85

86 LISP References

87 LISP References LISP Information Cisco LISP Site. (IPv4 and IPv6) Cisco LISP Marketing Site... LISP Beta Network Site or LISP DDT Root... IETF LISP Working Group... LISP Mailing Lists Cisco LISP Questions IETF LISP Working Group LISP Interest (public). LISPmob Questions... 87

88 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online 88

89 Continue Your Education Demos in the Cisco Campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings 89

90

91