Cisco IOS LISP Application Note Series: Access Control Lists

Similar documents
Cisco IOS LISP Application Note Series: Lab Testing Guide

TTL Propagate Disable and Site-ID Qualification

LISP Router IPv6 Configuration Commands

GETVPN+LISP Lab Guide

Locator ID Separation Protocol (LISP) Overview

LISP Parallel Model Virtualization

IP Routing: LISP Configuration Guide, Cisco IOS Release 15M&T

Enterprise IPv6 Transition Strategy

LISP Multicast. Finding Feature Information. Prerequisites for LISP Multicast

LISP Generalized SMR

LISP Locator/ID Separation Protocol

Location ID Separation Protocol. Gregory Johnson -

IP Mobility Design Considerations

DNA SA Border Node Support

Deploying LISP Host Mobility with an Extended Subnet

LISP. - innovative mobility w/ Cisco Architectures. Gerd Pflueger Consulting Systems Engineer Central Europe Version 0.

LISP: Intro and Update

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al)

LISP in Campus Networks

GRE Tunnel with VRF Configuration Example

Cisco Nexus 7000 Series NX-OS LISP Command Reference

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide

Manually Configured IPv6 over IPv4 Tunnels

LISP Mobile-Node. draft-meyer-lisp-mn-05.txt. Chris White, Darrel Lewis, Dave Meyer, Dino Farinacci cisco Systems

Internet Engineering Task Force (IETF) Request for Comments: Cisco Systems January 2013

Implement Static Routes for IPv6 Configuration Example

LISP. Migration zu IPv6 mit LISP. Gerd Pflueger Version Feb. 2013

INTRODUCTION 2 DOCUMENT USE PREREQUISITES 2

Multiprotocol Label Switching Virtual Private Network

Locator/ID Separation Protocol (LISP)

LISP: A NOVEL APPROACH FOR FUTURE ATN/IPS

BGP-MVPN SAFI 129 IPv6

MPLS VPN--Inter-AS Option AB

Contents. Introduction. Prerequisites. Background Information

LISP A Next-Generation Networking Architecture

MPLS VPN Inter-AS Option AB

LISP: A Level of Indirection for Routing

ICN IDENTIFIER / LOCATOR. Marc Mosko Palo Alto Research Center ICNRG Interim Meeting (Berlin, 2016)

Basic Router Configuration

IPv6 Switching: Provider Edge Router over MPLS

Configuration and Operation of FTD Prefilter

Chapter 7 Lab 7-1, Configuring BGP with Default Routing

Request for Comments: 8112 Category: Informational. I. Kouvelas Arista D. Lewis Cisco Systems May 2017

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco

Membership test for Mapping Information optimization draft-flinck-lisp-membertest-00

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Mobility and Virtualization in the Data Center with LISP and OTV

IPv6 over IPv4 GRE Tunnels

Configuring MPLS and EoMPLS

IPv6 Switching: Provider Edge Router over MPLS

Chapter 8 Lab 8-3, Configuring 6to4 Tunnels

EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example

The information in this document is based on Cisco IOS Software Release 15.4 version.

APT: A Practical Transit-Mapping Service Overview and Comparisons

Lecture 7 Advanced Networking Virtual LAN. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Intended status: Informational. C. White Logical Elegance, LLC. October 24, 2011

Configuring FlexVPN Spoke to Spoke

Easy Virtual Network Configuration Example

OSPF Filtering (Part I)

IPv6 Tunnel through an IPv4 Network

Chapter 8 Lab 8-2, Using Manual IPv6 Tunnels with EIGRP for IPv6

A NOVICE APPROACH ON TRANSITION FROM IPV4-IPV6 USING TUNNELING AND PROTOCOLS OF TUNNELING

IPv6 Module 6 ibgp and Basic ebgp

Step 2. Manual configuration of global unicast and link-local addresses

IPv6 Module 6x ibgp and Basic ebgp

Access Rules. Controlling Network Access

The term "router" in this document refers to both routers and Layer 3 switches. Step Command Remarks. ipv6 host hostname ipv6-address

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

Internet Engineering Task Force (IETF) Category: Experimental ISSN: D. Meyer D. Lewis. Cisco Systems. January 2013

IPv6 over IPv4 GRE Tunnels

IPv6 over IPv4 GRE Tunnels

Implementing MPLS VPNs over IP Tunnels

Building the Routing Table. Introducing the Routing Table Directly Connected Networks Static Routing Dynamic Routing Routing Table Principles

Configuring MLPPP. Finding Feature Information

Configuring IPv6 DNS. Introduction to IPv6 DNS. Configuring the IPv6 DNS client. Configuring static domain name resolution

Lab Configuring and Verifying Standard IPv4 ACLs (Instructor Version Optional Lab)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

IP Tunneling. GRE Tunnel IP Source and Destination VRF Membership. Tunnel VRF CHAPTER

Configure Virtual LANs in Layer 2 VPNs

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches)

MPLS VPN. 5 ian 2010

Using NAT in Overlapping Networks

Implementing Tunneling for IPv6

Lab Using Wireshark to Examine Ethernet Frames

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

CCIE R&S Techtorial MPLS

Internet Engineering Task Force (IETF) Request for Comments: D. Lewis Cisco Systems January 2013

Advanced IPv6 Training Course. Lab Manual. v1.3 Page 1

BGP mvpn BGP safi IPv4

Future Routing and Addressing Models

MPLS Ping and Traceroute for BGP and IGP Prefix-SID

MPLS VPN C H A P T E R S U P P L E M E N T. BGP Advertising IPv4 Prefixes with a Label

LISP A Next Generation Networking Architecture

L2TP IPsec Support for NAT and PAT Windows Clients

Lab Configuring and Verifying Standard ACLs Topology

Lab Using Wireshark to Examine Ethernet Frames

8K GM Scale Improvement

Configuring the Catena Solution

Internet Engineering Task Force (IETF) Category: Experimental. O. Bonaventure Universite catholique de Louvain January 2013

Transcription:

Cisco IOS LISP Application Note Series: Access Control Lists Version 1.1 (28 April 2011) Background The LISP Application Note Series provides targeted information that focuses on the integration and configuration of relevant Cisco IOS features in conjunction with the deployment of LISP. LISP (Locator/ID Separation Protocol) is not a feature, but rather a next- generation routing architecture which implements a new semantic for IP addressing that creates two namespaces: Endpoint Identifiers (EIDs), which are assigned to end- hosts, and Routing Locators (RLOCs), which are assigned to devices (primarily routers) that make up the global routing system. Creating separate namespaces for EIDs and RLOCs creates a level of indirection that yields many advantages over a single namespace (i.e. the current IP address concept) including: improved scalability of the routing system through greater aggregation of RLOCs, improved multi- homing efficiency, ingress traffic engineering, and the ability to move EIDs without breaking sessions (mobility). LISP also was designed at the outset to be Address Family agnostic, and thus handles multiple AF s seamlessly making its use ideal in IPv6 transition solutions. This and other LISP Application Notes in this series assume a working knowledge of LISP and are not intended to provide basic information on its use- cases, or guidelines on configuration and deployment. These details can be found in the Cisco LISP Command Reference Guide, Cisco LISP Configuration Guide, (References [1]) and other information available at http://lisp.cisco.com. Application Note Organization Like all Application Notes in the LISP series, this application note is organized into three main sections. 1. Concept Overview This section provides a brief description of the feature or technology being addressed in this Application Note in the context of a LISP implementation. 2. Concept Details This section provides a detailed description of the feature or technology and its interaction with LISP, and a description of its (typical) usage in deployment. 3. Concept Examples This section provides detailed testing of the feature or technology. This provides verification of the detailed descriptions, and also allows network administrators to set up a similar LISP environment and repeat the feature test. Comments and corrections are welcome. Please direct all queries to: lisp- support@cisco.com. 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 1

Concept Overview: Cisco IOS Access Control Lists and LISP The Access Control List (ACL) is perhaps one of the most fundamental features of Cisco IOS and its use is familiar to network administrators for many applications including: restricting traffic flows, classifying and identifying interesting traffic for other functions such as Network Address Translation (NAT), Quality of Service (QoS), and IP Security (IPSec), and for filtering routing updates and many others. This application note describes the use of ACLs for restricting traffic within LISP implementations. When considering the deployment of ACLs with LISP, the following aspects are important. 1. LISP encapsulation utilizes a UDP header just prior to the LISP header for all packets to distinguish between two distinct packet groups: LISP control plane packets, which utilize a UDP destination port of 4342, and LISP data plane packets, which utilize a UDP destination port of 4341. ACLs may need to consider this distinction between these two groups of packets. 2. LISP is an encapsulation protocol and, because ACLs only filter based on Layer 3 and Layer 4 header information, ACLs may need to be applied at a specific point or at several different points within the packet forwarding and LISP encapsulation process in order to implement a site security policy. The application point and direction of the ACL will dictate whether EID namespace or RLOC namespace is used within the ACL itself. Packets can be filtered using EID namespace just prior to LISP encapsulation or just after LISP decapsulation; packets can be filtered using RLOC namespace just after LISP encapsulation or just prior to LISP decapsulation. This application note covers both of the above topics in detail. Concept Details: Cisco IOS Access Control Lists and LISP LISP Packets For the purposes of this application note, LISP packets can be separated into two groups, as follows: LISP control plane packets LISP- enabled devices create control plane packets to register EID- prefixes with Map- Servers, to conduct EID- to- RLOC mapping resolutions, and for various other protocol operations purposes. The UDP destination port 4342 in the LISP packet header indicates that it contains a LISP control plane packet. LISP control plane packets are handled directly by the LISP device itself (i.e. the device route processor). As with other types of control plane traffic, protecting the control plane from abuse is beneficial to network health (see Reference [5]). LISP control plane message types are described in Reference [2]. LISP data plane packets LISP- enabled devices encapsulate data plane packets to forward user traffic between LISP sites. The UDP destination port 4341 in the LISP packet header indicates that it contains a LISP data plane packet. LISP data plane packets are handled in the fast path (hardware/cef processing) of the LISP device. The LISP device is only responsible for encapsulating and forwarding, or decapsulating and forwarding these packets. LISP data plane packet encapsulation consists of an outer IPv4 or IPv6 header utilizing RLOC namespace addresses, and a UDP header and LISP header, all being added to the original packet. Figure 1 below shows a typical LISP data plane packet encapsulation with an IPv4 EID and IPv4 RLOC. ACLs can be applied at several different configuration points, giving them the ability to operate on packets either before or after LISP encapsulation (or both), as desired, to meet the site security requirements. Since ACLs only operate on the Layer 3 and Layer 4 headers of a packet, ACLs that are applied to packets after LISP encapsulation will only be able to operate on the outer header illustrated in Figure 1. In this case the ACL would see only the RLOC namespace addresses and the LISP UDP header. ACLs that are applied to packets 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 2

before LISP encapsulation or after LISP decapsulation will operate on the original, host- generated packets. These are the addresses that become the inner header illustrated in Figure 1. Figure 1. LISP data plane packet format (draft- 09 header) LISP Processing and ACLs In Cisco IOS, ACLs are applied to interfaces, and from a LISP perspective, three interfaces are relevant to ACL discussions: the LISP Site- facing interface, the Core- facing interface, and the LISP0 interface, as illustrated in Figure 2. At each of these different application points, ACLs can be applied in the in (ingress) and out (egress) direction, leading to the possibility of six unique ACLs per address family (IPv4 and IPv6). This gives them the ability to operate on packets either before or after LISP encapsulation (or both), as desired, to meet the site security requirements. Figure 2. Conceptual interfaces and ACL application points with LISP 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 3

The LISP process in IOS creates the LISP0 virtual interface, as illustrated in Figure 2, as a reference point for encapsulation and decapsulation operations. This LISP0 virtual interface, described in detail in the Application Note available at Reference [1], serves as the natural boundary between the EID and RLOC namespaces for the Ingress Tunnel Router (ITR) or Egress Tunnel Router (ETR) commonly referred to as an xtr when both LISP functions are deployed. Egress features are applied to packets that are leaving the router via LISP, just prior to LISP encapsulation. Similarly, ingress features are applied to packets that are arriving from LISP, just after LISP decapsulation. Note that in both cases, the LISP0 ingress and egress feature application points are in the EID namespace. It is important to understand that these three application points do not offer the same filtering options, due to the LISP encapsulation process. Referring to Figure 2, the following observations can be made about the point of application and functionality of ACLs used within a LISP deployment: ACLs can be applied in the in (ingress) direction and the out (egress) direction on the LISP site- facing interface, shown as E1/0 in the figure. When ACLs are applied here, filtering will be applied to user- packets in the EID namespace either before (potential) LISP encapsulation (when applied in the in direction), or after LISP decapsulation (when applied in the out direction). ACLs can be applied in the in (ingress) direction and the out (egress) direction on the SP Core/Internet- facing interface, shown as E0/0 in the figure. When ACLs are applied here, filtering will be applied to packets in the RLOC namespace either before LISP decapsulation (when applied in the in direction), or after LISP encapsulation (when applied in the out direction). ACLs can be applied in the in (ingress) direction and the out (egress) direction on the LISP0 interface. The LISP0 interface is logical and simply provides a reference point for the application of CEF features, like ACLs. ACLs applied here always refer to user- packets in the EID namespace (i.e. not LISP encapsulated). An ACL applied in the in direction refers to user- packets that have just been decapsulated and are being forwarded toward the LISP site, and an ACL applied in the out direction refers to user- packets being sent to LISP to be encapsulated and then forwarded toward the SP Core/Internet. No preferential manner for applying ACLs is implied or intended. The selected interface(s) and direction(s) should be based on site needs in terms of security requirements and management support. For example, sites may find that that existing ACLs can be reapplied without modification to the LISP0 interface. This document is not intended to provide guidance on specific site security policies. A thorough review of existing policies, combined with an understanding of the use of ACLs with LISP, and adequate validation testing should be completed prior to any production deployments of any technology. Caveats and Notes Related to ACLs The following caveats and notes are applicable to ACLs for use with LISP: 1. As is always the case with ACLs and Cisco IOS devices, the use of the log keyword can be used to provide additional detail about source and destinations for a given protocol. Although this keyword provides valuable insight into the details of ACL hits, using the log keyword results in packets matching the access- list statement being handled by process switching (slow path) instead of CEF switching, resulting in platform- dependent performance impacts. 2. In Cisco IOS devices, there should be no performance difference between using an ACL on a physical (or logical) interface, and using an ACL on the LISP 0 interface. In both cases, assuming the log keyword is not used, packets are CEF- switched and should experience that same forwarding performance through the router. Therefore, the primary consideration should be to develop and apply ACLs that best meet the security requirements of the site. 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 4

In general, normal Cisco IOS ACL rules are applicable, and normal procedures for the construction of ACLs should be followed. Concept Examples: Cisco IOS Access Control Lists and LISP The following example demonstrates the use of ACLs within a LISP deployment. This example is provided only as validation for the above ACL discussions, and not as an indication of appropriate ACL deployments for meeting site security requirements. Initial LISP Configuration The test network topology for this example is illustrated in Figure 3. In this test network, the following elements are defined: LISP Site A, which includes the LISP IPv4 EID- prefix 192.168.1.0/24. The Cisco IOS router xtr- A is the LISP xtr, and it registers with the Map- Server located at 10.0.0.10. The router Site- A provides a convenient host for traffic source/destination during the ACL validation testing. The ACLs will all be applied only to xtr- A. LISP Site B, which includes the LISP IPv4 EID- prefix 192.168.2.0/24. The Cisco IOS router xtr- B is the LISP xtr, and it registers with the Map- Server located at 10.0.0.10. The router Site- B provides a convenient host for traffic source/destination during the ACL validation testing. SP Core/Internet, which includes the router Core, represents the public (RLOC- space) through which the LISP sites communicate. This core network is IPv4- only in this example. Map- Server/Map- Resolver, which provides mapping- resolution services for the LISP sites. The Cisco ISO router MS/MR is deployed as a LISP Map- Server/Map- Resolver. The xtrs from LISP Site A and LISP Site B register to this device, and use it for EID- to- RLOC mapping resolution. This is a fairly basic network topology, but it is quite adequate for demonstrating the use of ACLs within a LISP deployment. Full configurations for each device are included in the Appendix of this application note. Figure 3. Cisco IOS ACL use with LISP example test network topology Cisco IOS ACL Examination The ACL examination testing documented here applies a unique ACL to each possible location and direction that is relevant to the LISP deployment using router xtr- A as the device under test (DUT). Thus, six separate ACLs in total are applied: two (in, out) to the site- facing interface E0/1, two (in, out) to the Internet- facing interface E0/0, and two (in, out) to the LISP0 interface. The location and direction of these six ACLs is illustrated in Figure 4. 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

Figure 4. Cisco IOS ACL use with LISP example ACL deployment locations Source- pings from Site- A (192.168.1.1) to Site- B (192.168.2.1) are used as traffic generators for this ACL testing. All six uniquely identified ACLs have identical elements. In this way, the counters displayed for each ACL indicate the directionality and specific Layer 3 header information at each test point. Therefore, all ACLs are constructed with the following entries: permit icmp host 192.168.1.1 host 192.168.2.1 echo Step 1. Preparations for testing ACLs First, clear the access- list counters on xtr- A in order to minimize ambiguity during testing. xtr-a#clear access-list counters Step 2. Test the ACLs with a source- ping. Source- ping Site B EID (192.168.2.1) with a source of the Site A EID (192.168.1.1), using a repeat value of 100. All packets should succeed. SiteA#ping 192.168.2.1 so 192.168.1.1 repeat 100 Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds: 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 6

Packet sent with a source address of 192.168.1.1 Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/8 ms All 100 echo/echo- reply packets succeeded. This is also reflected in the value of the counters in the ACLs. Step 3. Review the ACL counters. Show each ACL and observer which counters have incremented by 100. xtr-a#sh ip access-lists lisp0-out Extended IP access list lisp0-out 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo (100 matches) 20 30 40 50 xtr-a#sh ip access-lists site-in Extended IP access list site-in 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo (100 matches) 20 30 40 50 xtr-a#show ip access-lists lisp0-in Extended IP access list lisp0-in 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo 20 (100 matches) 30 40 50 xtr-a#sh ip access-lists site-out Extended IP access list site-out 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo 20 (100 matches) 30 40 50 xtr-a#sh ip access-lists rloc-out Extended IP access list rloc-out 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo 20 30 (100 matches) 40 50 xtr-a#sh ip access-lists rloc-in Extended IP access list rloc-in 10 permit icmp host 192.168.1.1 host 192.168.2.1 echo 20 30 40 (100 matches) 50 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 7

Several observations can be made based on the above show command output. 1. As expected, the ACLs applied to the LISP0 interface and the site- facing interface (E0/1 in this case) show the same results, but in the opposite directions. That is, lisp0- out and site- in show the same results, and lisp0- in and site- out show the same results. This reflects the directional behavior of the ACLs on the respective interface. The ACLs lisp0- out and site- in both see the echo packets with source 192.168.1.1 and destination 192.168.2.1, while the ACLs lisp0- in and site- out both see the echo- reply packets with source 192.168.2.1 and destination 192.168.1.1. When developing and applying ACLs to meet a site security requirement, it may be useful to consider that an ACL only needs to be applied to the LISP0 interface (one place) as opposed to potentially numerous site- facing interfaces when filtering using EID addresses. 2. ACLs rloc- in and rloc- out are the only ACLs that see the LISP- encapsulated (outer header) addresses. When developing and applying ACLs to meet a site security requirement, consider that an ACL can only be applied to core- facing interfaces in order to filter on RLOC addresses. Based on these observations, it is clear that LISP data plane packets can be filtered by ACLs applied to site- facing interfaces or the LISP0 interface, using the EID addresses. When applied to Core- facing interfaces, ACLs can only filter LISP data plane packets based on the UDP destination port 4341 and RLOC addresses. It is also clear that LISP control plane packets can only be filtered by ACLs applied to Core- facing interfaces, and then only based on the UDP destination port 4342 and RLOC addresses. IPv6 Considerations The mixed address family capabilities of LISP allow for both IPv4 and IPv6 packets to be used as EIDs and as RLOCs, with the following combinations being possible (lisp site address- family, rloc address- family): (IPv4, IPv4), (IPv4, IPv6), (IPv6, IPv4), and (IPv6, IPv6). It is possible then that both IPv4 and IPv6 ACLs may be required to satisfy site security needs. Only IPv4 ACLs were used in this example test case; IPv6 packets and ACLs were not illustrated. However, the use and application of IPv6 ACLs is exactly the same as the use and application of IPv4 ACLs in terms of interactions (interfaces and directions) with LISP. Whether IPv4 and/or IPv6 ACLs are required is dictated by the site security needs. As an example, note that the both LISP sites shown in Figure 3 have both IPv4 and IPv6 EIDs (Site- A: 192.168.1.0/24, 2001:db8:a::/48, and Site- B: 192.168.2.0/24, 2001:db8:b::/48). Only the IPv4 EIDs were used in the example tests above. Note also that the Core network and both sites only use IPv4 addresses. It is quite simple with LISP to connect these two IPv6 islands over the IPv4 infrastructure. In this case, IPv6 ACLs would be required on the site- facing interfaces and the LISP0 interface, and IPv4 ACLs would be required on the core- facing interface since the original packets would be IPv6 and the LISP0- encapsulted packets would use IPv4 RLOCs (outer header). Conclusions This application note described the use of ACLs with LISP implementations. ACLs are one of the most fundamental tools available to network administrators for restricting traffic flows and implementing site security policies. The interactions of ACLs with LISP operations were described, and an example using IPv4 EIDs and RLOCs was used to illustrate these concepts. The LISP0 interface is logical and simply provides a reference point for the application of CEF features, like ACLs. Applying ACLs to LISP0 only affects packets in EID namespace and can be a helpful for consolidating ACLs when there are numerous site- facing interfaces. In general, the selected interface(s) and direction(s) should be based on site needs in terms of security requirements and management support. Finally, the mixed address family capabilities of LISP were highlighted, and the potential impact of this on the selection of appropriate ACLs was described. 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 8

LISP Resources 1. LISP Documentation, including the LISP Command Reference Guide, LISP Configuration Guide, and LISP Lab Test Guide, which can be found here: http://lisp.cisco.com/lisp_down.html 2. LISP IETF Draft RFCS can be found here: http://tools.ietf.org/wg/lisp/ 3. Cisco Marketing Information about LISP can be found here: http://www.cisco.com/go/lisp 4. LISP Beta Network information can be found here: http://www.lisp4.net and http://www.lisp6.net 5. Router Security Strategies: Securing IP Network Traffic Planes, Cisco Press. http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 Comments and corrections are welcome. Please direct all queries to: lisp- support@cisco.com. 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 9 of 9

Appendix: Test Network Router Configurations xtr- A hostname xtr-a ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 no ip address interface LISP0 ip access-group lisp0-in in ip access-group lisp0-out out interface Ethernet0/0 description To Core ip address 10.0.0.2 255.255.255.252 ip access-group rloc-in in ip access-group rloc-out out interface Ethernet0/1 description To Site ip address 172.16.1.2 255.255.255.0 ip access-group site-in in ip access-group site-out out ipv6 address 2001:DB8:A:2::2/64 router lisp database-mapping 192.168.1.0/24 10.0.0.2 priority 1 weight 1 database-mapping 2001:DB8:A::/48 10.0.0.2 priority 1 weight 1 ipv4 itr map-resolver 10.0.0.10 ipv4 itr ipv4 etr map-server 10.0.0.10 key site-a-s3cr3t ipv4 etr ipv6 itr map-resolver 10.0.0.10 ipv6 itr ipv6 etr map-server 10.0.0.10 key site-a-s3cr3t ipv6 etr exit router ospf 1 log-adjacency-changes network 172.16.1.2 0.0.0.0 area 0 default-information originate ip route 0.0.0.0 0.0.0.0 10.0.0.1 ip access-list extended lisp0-in permit icmp host 192.168.1.1 host 192.168.2.1 echo ip access-list extended lisp0-out permit icmp host 192.168.1.1 host 192.168.2.1 echo ip access-list extended rloc-in permit icmp host 192.168.1.1 host 192.168.2.1 echo ip access-list extended rloc-out 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 10 of 10

permit icmp host 192.168.1.1 host 192.168.2.1 echo ip access-list extended site-in permit icmp host 192.168.1.1 host 192.168.2.1 echo ip access-list extended site-out permit icmp host 192.168.1.1 host 192.168.2.1 echo ipv6 route 2001:DB8:A::1/128 2001:DB8:A:2::1 ipv6 route ::/0 Null0 Site- A hostname SiteA ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 ip address 192.168.1.1 255.255.255.0 ipv6 address 2001:DB8:A::1/128 interface Ethernet0/1 ip address 172.16.1.1 255.255.255.0 ipv6 address 2001:DB8:A:2::1/64 router ospf 1 log-adjacency-changes passive-interface Loopback0 network 172.16.1.1 0.0.0.0 area 0 network 192.168.1.1 0.0.0.0 area 0 ipv6 route ::/0 2001:DB8:A:2::2 xtr- B hostname xtr-b ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 no ip address interface LISP0 interface Ethernet0/0 ip address 172.16.2.2 255.255.255.0 ipv6 address 2001:DB8:B:2::2/64 interface Ethernet0/1 description To Core ip address 10.0.0.6 255.255.255.252 router lisp 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 11

database-mapping 192.168.2.0/24 10.0.0.6 priority 1 weight 1 database-mapping 2001:DB8:B::/48 10.0.0.6 priority 1 weight 1 ipv4 itr map-resolver 10.0.0.10 ipv4 itr ipv4 etr map-server 10.0.0.10 key site-b-s3cr3t ipv4 etr ipv6 itr map-resolver 10.0.0.10 ipv6 itr ipv6 etr map-server 10.0.0.10 key site-b-s3cr3t ipv6 etr exit router ospf 1 log-adjacency-changes network 172.16.2.2 0.0.0.0 area 0 default-information originate ip route 0.0.0.0 0.0.0.0 10.0.0.5 ipv6 route 2001:DB8:B::1/128 2001:DB8:B:2::1 ipv6 route ::/0 Null0 Site- B hostname SiteB ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef interface Loopback0 ip address 192.168.2.1 255.255.255.0 ipv6 address 2001:DB8:B::1/128 interface Ethernet0/0 ip address 172.16.2.1 255.255.255.0 ipv6 address 2001:DB8:B:2::1/64 router ospf 1 log-adjacency-changes passive-interface Loopback0 network 172.16.2.1 0.0.0.0 area 0 network 192.168.2.1 0.0.0.0 area 0 ipv6 route ::/0 2001:DB8:2::2 MS- MR hostname MS-MR vrf definition lisp rd 1:1 address-family ipv4 exit-address-family address-family ipv6 exit-address-family ip cef no ip domain lookup ipv6 unicast-routing ipv6 cef router lisp site Site-A description LISP Site A authentication-key site-a-s3cr3t 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 12 of 12

eid-prefix 192.168.1.0/24 eid-prefix 2001:DB8:A::/48 exit site Site-B description LISP Site B authentication-key site-b-s3cr3t eid-prefix 192.168.2.0/24 eid-prefix 2001:DB8:B::/48 exit ipv4 map-server ipv4 map-resolver ipv4 alt-vrf lisp ipv6 map-server ipv6 map-resolver ipv6 alt-vrf lisp exit interface LISP0 interface Ethernet0/0 description To Core ip address 10.0.0.10 255.255.255.252 ip route 0.0.0.0 0.0.0.0 10.0.0.9 Core hostname Core ip cef no ip domain lookup no ipv6 cef interface Loopback0 ip address 10.100.0.1 255.255.255.0 interface Ethernet0/0 description To xtr-a ip address 10.0.0.1 255.255.255.252 interface Ethernet0/1 description To xtr-b ip address 10.0.0.5 255.255.255.252 interface Ethernet0/2 description To MS-MR ip address 10.0.0.9 255.255.255.252 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 13 of 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback