
LISP – A Next-Generation Architecture
BRKRST-3045

Session Presenters
Peyton Schouest – Customer Solutions Architect, US Federal, CCIE# 20234, @net20234
Mitch Mitchiner – Customer Solutions Architect, US Federal, CCIE# 3958

BRKRST-3045 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKRST-3045
Agenda

• LISP Overview
• LISP Operations
• LISP Setup
• LISP Deployment Examples
• LISP Status
• LISP Summary
LISP Overview
Historical Motivation – Routing Scalability
“Routing scalability is the most
important problem facing the internet
and must be solved.”
Internet Architecture Board (IAB)
October 2006 Workshop (RFC 4984)

• Implications
• Router and FIB memory costs
• Heat and Power
• Routing churn and convergence
• Will only get worse with IPv6

Routing Scalability Factors
• Non-aggregatable prefixes
• Multi-homing
[Figure: two Internet (DFZ) diagrams showing prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]
Genesis of Routing Scalability Factors

• The Overloading of IP Address Semantics
  • Location
    • Where you are in the network
  • Identity
    • Who you are in the network
[Figure: two Internet (DFZ) diagrams showing prefixes 1./8, 2./8, 1.2./16, 2.3./16 and 5.6./16]
Locator/ID Separation Protocol (LISP)
• A Routing Architecture
  • Separate address spaces for Identity and Location
    • End-point Identifiers (EID)
    • Routing locators (RLOC)
• A Control Plane Protocol
  • A system that maps end-point identities to their current location
• A Data Plane Protocol
  • Encapsulates EID-addressed packets inside an RLOC-addressed header.
[Figure: EID sites connected across the RLOC space, with the Mapping System]
LISP Properties
• On demand routing (pull model)
  • BGP and OSPF use push model
  • Massively scalable
  • Forwarding state proportional to router capacity
• Simple to Deploy
  • Incrementally deployable
  • No host changes
  • End systems unaware of LISP
• Address family agnostic
  • IPv4 or IPv6 EIDs
  • IPv4 or IPv6 RLOCs
• IP Number Portability
  • Never renumber again
  • No DNS changes
  • Session survivability
• Open Standard
  • RFC 6830
Use Cases
• Routing Scalability
• Mobility
• Efficient Multi-homing
• Virtualization
• IPv6 Transition
• Programmable Overlays
• Multicast
SD-Access
Campus Fabric + DNA Center (Automation & Assurance)

• SD-Access – Available July 31
  GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
  Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.

• Campus Fabric – Shipping Now
  CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks.
  CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG.
  APIC-EM, ISE, NDP are all separate.

[Figure: DNA Center (APIC-EM 2.0, ISE, NDP) above a Campus Fabric; APIC-EM 1.X]

BRKCRS-2810 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
LISP Operations
Identity (EID) to Location (RLOC) Resolution
• Level of Indirection – Analogous to DNS
• DNS Answers “WHO IS ?”
  Who is lisp.cisco.com ? → DNS Server → 153.16.5.29
• LISP Answers “WHERE IS ?”
  Where is 153.16.5.29? → LISP Mapping System → 128.107.81.169
IPv4 EID / IPv4 RLOC Data Plane Headers
• IPv4 Outer Header: ITR supplies RLOCs
• UDP Header
• LISP Header
• IPv4 Inner Header: Host supplies EIDs
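The header stack listed above, decoded in code. This is an added example, not part of the original slides: a filter that looks only at the outer header sees RLOCs, so inspecting tenant traffic means walking past the UDP and LISP headers to the inner EIDs and the instance ID. The field layout follows RFC 6830 (UDP destination port 4341, 8-byte LISP header); the function names and the sample packet are constructed for illustration, and only an IPv4 outer header is handled.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341     # UDP destination port of LISP data packets (RFC 6830)
FLAG_INSTANCE_ID = 0x08   # "I" bit in the first byte of the LISP header


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_sample(rloc_src, rloc_dst, eid_src, eid_dst, iid, dport=LISP_DATA_PORT):
    """Constructed sample: a bare IPv4 EID header inside an IPv4 RLOC header."""
    inner = _ipv4_header(eid_src, eid_dst, 1, 0)
    # LISP header: flags (N + I), 24-bit nonce, 24-bit instance ID, 8 locator-status bits
    lisp = struct.pack("!B3s3sB", 0x80 | FLAG_INSTANCE_ID, b"\x00\x00\x2a",
                       iid.to_bytes(3, "big"), 0x01)
    udp = struct.pack("!HHHH", 61000, dport, 8 + len(lisp) + len(inner), 0)
    body = udp + lisp + inner
    return _ipv4_header(rloc_src, rloc_dst, 17, len(body)) + body


def parse_lisp_data(packet):
    """Return outer RLOCs, instance ID and inner EIDs of a LISP data packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 16:
        raise ValueError("truncated before the end of the LISP header")
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    _sport, dport, _length, _csum = struct.unpack_from("!HHHH", packet, ihl)
    if dport != LISP_DATA_PORT:
        raise ValueError("UDP destination port is not 4341")

    lisp = packet[ihl + 8: ihl + 16]
    # The instance ID occupies the upper 24 bits of the second word when I is set.
    iid = int.from_bytes(lisp[4:7], "big") if lisp[0] & FLAG_INSTANCE_ID else None

    inner = packet[ihl + 16:]
    version = inner[0] >> 4 if inner else 0
    if version == 4 and len(inner) >= 20:
        src, dst = inner[12:16], inner[16:20]
    elif version == 6 and len(inner) >= 40:
        src, dst = inner[8:24], inner[24:40]
    else:
        raise ValueError("inner packet is not a complete IPv4 or IPv6 header")

    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "instance_id": iid,
        "inner_src": str(ipaddress.ip_address(src)),
        "inner_dst": str(ipaddress.ip_address(dst)),
    }


# Constructed sample values (RLOCs and EIDs chosen for illustration only).
SAMPLE = build_sample("10.2.2.2", "10.0.14.2", "192.168.13.1", "192.168.14.1", 3)

if __name__ == "__main__":
    print(parse_lisp_data(SAMPLE))
```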
EID & RLOC Combinations For Your
Reference

IPv4
IPv4
Outer
Outer
Header
Header
IPv6 IPv6
Outer Outer
Header Header
UDP
UDP
LISP
LISP

IPv4
Inner UDP UDP
Header LISP LISP

IPv6
Inner
Header IPv4
IPv4/IPv4 Inner
Header

IPv6
Inner
Header

IPv4/IPv6 IPv6/IPv4

IPv6/IPv6

BRKRST-3045 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Map-Registration with RLOC Merging
1. ETR1 registers: b::/64 → 2.0.0.2
2. MS sends Map-Notify to ETR1: b::/64 → 2.0.0.2
3. ETR2 registers: b::/64 → 3.0.0.3
4. MS sends Map-Notify to both ETRs: b::/64 → 2.0.0.2, 3.0.0.3

Mapping System state: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]

xTR: Tunnel Router when direction of flow is irrelevant
Map-Request & Map-Reply
1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR FIB lookup for b::2 is a miss or a match on ::/0. LISP control plane signaled.
3. ITR sends Map-Request to MS for b::2/128.
4. MS forwards Map-Request to one of the ETRs.
5. ETR2 sends Map-Reply to ITR: b::/64 → 2.0.0.2, 3.0.0.3

Mapping System state: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

ITR map-cache after the Map-Reply: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]
Data Path
1. Packets from a::1 to b::2 drawn to ITR via default gateway or IGP.
2. ITR finds route for b::/64.
   • Pre-encap load balancing between 2.0.0.2 and 3.0.0.3.
3. Post-encap load balance to 2.0.0.2 and transmit.
4. ETR1 decapsulates and forwards to b::2.

Mapping System state: b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

ITR map-cache: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]
Proxy Map-Reply
1. ETRs send Map-Register for b::/64 with the proxy-reply bit set.
2. ITR sends Map-Request for b::/64 to the mapping system.
3. Mapping system sends Proxy Map-Reply for b::/64 on behalf of ETRs.

Mapping System state (proxy bit set): b::/64 → 2.0.0.2, 3.0.0.3
  ETR1 → 2.0.0.2 priority 1 weight 75
  ETR2 → 3.0.0.3 priority 1 weight 25

ITR map-cache after the Proxy Map-Reply: b::/64 →
  2.0.0.2 priority 1 weight 75
  3.0.0.3 priority 1 weight 25

[Figure: hosts White and Pinkman; a::/64 behind ITR 1.0.0.1; b::/64 behind ETR1 2.0.0.2 and ETR2 3.0.0.3; MR and MS]
Basic XTR Configuration

router lisp
 locator-set SET1
  2.0.0.2 priority 0 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping b::/64 locator-set SET1
  exit
 !
 ipv6 itr map-resolver 100.0.0.1
 ipv6 itr
 ipv6 etr map-server 100.0.0.1 key foo
 ipv6 etr
 exit
!

Callout on the locator line, alternative form: IPv4-interface e0/0, auto-discover-rlocs

[Figure: hosts White and Pinkman; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; MR/MS at 100.0.0.1]
Map Server Configuration

router lisp
 site all
  authentication-key foo
  eid-prefix ::/0 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!

[Figure: hosts White and Pinkman; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; MR/MS at 100.0.0.1]
Multi-site Map Server Configuration

router lisp
 site one
  authentication-key bar
  eid-prefix a::/64 accept-more-specifics
  exit
 !
 site two
  authentication-key foo
  eid-prefix b::/64 accept-more-specifics
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit
!

[Figure: hosts White and Pinkman; a::/64 behind XTR 1.0.0.1; b::/64 behind XTR1 2.0.0.2 and XTR2 3.0.0.3; MR/MS at 100.0.0.1]
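The two map-server configurations above differ in what a holder of a given authentication key is allowed to register. The following added example (not from the original slides) models that decision for both site tables: a registration is accepted only if its keyed hash verifies under a site's key and the EID prefix falls inside that site's configured eid-prefix. The message encoding is a simplified stand-in for the Map-Register format, and all function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Site tables transcribed from the two map-server configurations on the slides.
# Each eid-prefix entry is (prefix, accept-more-specifics).
SINGLE_SITE = {
    "all": {"key": "foo", "eid_prefixes": [("::/0", True)]},
}
MULTI_SITE = {
    "one": {"key": "bar", "eid_prefixes": [("a::/64", True)]},
    "two": {"key": "foo", "eid_prefixes": [("b::/64", True)]},
}


def make_register(key, eid_prefix):
    """ETR side (simplified): message bytes plus an HMAC tag keyed with the site key."""
    msg = ("map-register " + eid_prefix).encode()
    return msg, hmac.new(key.encode(), msg, hashlib.sha256).digest()


def _covers(configured, more_specifics, requested):
    """True if `requested` is the configured prefix or an allowed more-specific."""
    conf = ipaddress.ip_network(configured)
    if requested == conf:
        return True
    return bool(more_specifics
                and requested.version == conf.version
                and requested.subnet_of(conf))


def accept_register(sites, msg, tag):
    """Map-server side: return the matching site name, or None if rejected."""
    requested = ipaddress.ip_network(msg.decode().split(" ", 1)[1])
    for name, site in sites.items():
        expected = hmac.new(site["key"].encode(), msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            continue  # wrong key for this site
        if any(_covers(p, ms, requested) for p, ms in site["eid_prefixes"]):
            return name
    return None


def decide(sites, key, eid_prefix):
    """Convenience wrapper: build a registration and run it through the check."""
    return accept_register(sites, *make_register(key, eid_prefix))


if __name__ == "__main__":
    for label, sites in (("site all", SINGLE_SITE), ("multi-site", MULTI_SITE)):
        for key, prefix in (("foo", "b::/64"), ("foo", "a::/64"), ("bar", "a::/64")):
            print(f"{label:10} key={key:3} {prefix:7} -> {decide(sites, key, prefix)}")
```

With the single `site all` entry, the key `foo` is sufficient to register any prefix under ::/0; with per-site entries the same key is accepted only for b::/64 and its more-specifics.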
LISP Operations
LISP Data Plane :: Ingress/Egress Tunnel Router (ITR/ETR) (xTR)

Identical configs on both xTRs!

!
router lisp
 locator-set SITE2
  12.0.0.2 priority 1 weight 50
  13.0.0.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 2001:db8:2::/48 locator-set SITE2
  exit
 !
 ipv6 itr map-resolver 66.2.2.2
 ipv6 itr
 ipv6 etr map-server 66.2.2.2 key S3cr3t-2
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 12.0.0.1 (or 13.0.0.1)
!

[Figure: packet flow from source S in LISP Site 1 (PI EID-prefix 2001:db8:1::/48; xTR-1 10.0.0.2 on Provider A 10.0.0.0/8; xTR-2 11.0.0.2 on Provider B 11.0.0.0/8) to destination D in LISP Site 2 (PI EID-prefix 2001:db8:2::/48; xTR-3 12.0.0.2 on Provider C 12.0.0.0/8; xTR-4 13.0.0.2 on Provider D 13.0.0.0/8)]
What About MTU ?
• Determine tunnel MTU. Never exceed it.
• No reassembly at ETR !!
• How to determine tunnel MTU
  1. Path MTU discovery between local and remote RLOC
  2. Set it to a conservative value
• What if packet exceeds tunnel MTU ?
  1. Send “packet too big” message to source
  2. Fragment before encapsulation. End-host will reassemble

[Figure: header stack IPv4 (RLOCs) / UDP / LISP / IPv4 (EIDs)]
LISP Mapping System
RFC 6830 LISP
RFC 6833 Map-Server Interface

[Figure: the Mapping System, labelled "Separate Standard", between tunnel routers. Messages shown: Map-Register, Map-Notify, Map-Request and Map-Reply (RFC 6830, RFC 6833); Map-Reply and Solicit-Map-Request (RFC 6830)]
Mapping System Redundancy

• Deploy multiple stand-alone Map-Servers.
• ETRs register to all Map-Servers
• ITRs send Map-Request to Multiple Map-Registers

[Figure: ITRs and an ETR connected to multiple MS/MR]
Delegated Database Tree (DDT)
• ETR registers to multiple Map-Servers
• ITR sends Map-Request to a Map-Resolver
• Map-Resolver walks the Delegated Tree
• Authoritative Map-Server forwards Map-Request to ETR
• ETR sends Map-Reply to ITR

[Figure: tree of DDT nodes above Map-Servers (MS) and a Map-Resolver (MR), with an ETR and ITRs below]
LISP Interworking
• Early Recognition
  • LISP not widely deployed on day-one
  • LISP designed with incremental deployments in mind.
• Interworking
  • Communicate with the rest of the Internet
  • LISP sites to non-LISP sites
  • Non-LISP sites to LISP sites

[Figure: host White; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; MS/MR; non-LISP Internet Site c::/64 with host Goodman]
Negative Map-Reply & Native Forwarding
1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 is a miss or a match on ::/0.
3. ITR sends Map-Request for c::3/128.
4. Map server sends Negative Map-Reply with shortest possible prefix:
   • Covering c::3/128
   • Not covering EID prefixes
   • In this example: c::/14

Mapping System state:
  a::/64 → 1.0.0.1
  b::/64 → 2.0.0.2

ITR map-cache after the Negative Map-Reply: c::/14 → forward-native

[Figure: host White; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; MS/MR; non-LISP Internet Site c::/64 with host Goodman]
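The "shortest possible prefix" rule in step 4 can be computed directly. The sketch below is an added example, not code from the slides or from any LISP implementation: it widens the prefix around the requested EID bit by bit and returns the first one that overlaps no registered EID prefix. With the slide's registrations (a::/64, b::/64) and the request for c::3 it yields c::/14, the value shown above. The function name is hypothetical.

```python
import ipaddress


def negative_prefix(eid, registered):
    """Shortest prefix covering `eid` that overlaps no registered EID prefix.

    The result is the range an ITR would cache as forward-native, so it also
    shows how much address space leaves the overlay on a single negative reply.
    """
    addr = ipaddress.ip_address(eid)
    nets = [ipaddress.ip_network(p) for p in registered]
    nets = [n for n in nets if n.version == addr.version]

    for net in nets:
        if addr in net:
            raise ValueError(f"{eid} is inside registered EID prefix {net}")

    # Try /0, /1, /2, ... and stop at the first candidate that is clear of
    # every registered prefix. A /32 or /128 always qualifies.
    for plen in range(addr.max_prefixlen + 1):
        candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if not any(candidate.overlaps(net) for net in nets):
            return candidate
    raise AssertionError("unreachable: the host prefix never overlaps")


if __name__ == "__main__":
    # Registrations from the slide: a::/64 and b::/64; request for c::3.
    print(negative_prefix("c::3", ["a::/64", "b::/64"]))            # c::/14
    # Constructed variation: a further site d::/64 narrows the answer.
    print(negative_prefix("c::3", ["a::/64", "b::/64", "d::/64"]))  # c::/16
```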
Negative Map-Reply & Native Forwarding
1. Packets from a::1 to c::3 drawn to ITR via default gateway or IGP.
2. FIB lookup for c::3 matches forward-native route.
3. Native (a::1,c::3) packet sent
• Potential Pitfall
  • URPF Check at ISP
  • Drop packets not sourced by 1.0.0.1

Mapping System state:
  a::/64 → 1.0.0.1
  b::/64 → 2.0.0.2

ITR map-cache: c::/14 → forward-native

[Figure: host White; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; MS/MR; non-LISP Internet Site c::/64 with host Goodman]
Proxy ETR (PETR)
LISP Site to non-LISP Site
1. ITR configured to use PETR for negative map-replies.
     ipv6 use-petr 3.0.0.3
2. Negative map-reply received for non-LISP prefix.
3. Packets from a::1 to c::3 drawn to ITR.
4. FIB match on c::/14
5. ITR encapsulates, load balances & transmits to PETR
6. PETR decapsulates and forwards natively.

ITR map-cache: c::/14 → 3.0.0.3

[Figure: host White; a::/64 behind ITR 1.0.0.1; b::/64 behind XTR 2.0.0.2; MS/MR; PETR 3.0.0.3; non-LISP Internet Site c::/64 with host Goodman]
Proxy ITR (PITR)
non-LISP Site to LISP Site
• PITR advertises coarse-aggregate EID Prefix.
  • 8::/14 in this example
  • 153.16.0.0/16 on LISP Beta Network

1. Traffic from Internet drawn to PITR (c::3 to a::1)
2. PITR exchanges Map-Request & Map-Reply for a::1 with Mapping System
3. PITR encapsulates and transmits to ETR
4. ETR decapsulates and forwards to destination

PITR map-cache: a::/64 → 1.0.0.1

[Figure: host White; a::/64 behind ETR 1.0.0.1; b::/64 behind XTR 2.0.0.2; MS/MR; PITR 3.0.0.3; non-LISP Internet Site c::/64 with host Goodman]
Disjoint Locator Space
How can an IPv4 RLOC talk to an IPv6 RLOC?

Scope 1 → IPv4 RLOC Prefix
Scope 2 → IPv6 RLOC Prefix

1. Locator scopes configured in the Map Server.
2. RLOCs in ETR Map-Register match Scope 2
3. RLOCs in ITR Map-Request match Scope 1
4. Map-Server detects disjoint Scopes & sends Proxy Map-Reply with RTR IPv4 RLOC.
5. ITR encapsulates & transmits to IPv4 RTR RLOC
6. RLOCs in RTR Map-Request match Scope 1 and Scope 2. No disjointness. Map-reply sent with ETR RLOCs.
7. RTR re-encapsulates & transmits to ETR RLOC

Example assumes proxy Map-Reply

[Figure: a::/64 behind an ITR with IPv4 RLOCs (Scope 1); b::/64 behind an ETR with IPv6 RLOCs (Scope 2); MS/MR; RTR; IPv6 SP]
Virtualization

MS/MR mapping database:
  IID  EID        RLOC
  1    1.0.0.0/8  RLOC1
  1    2.0.0.0/8  RLOC2
  2    1.0.0.0/8  RLOC1
  2    2.0.0.0/8  RLOC2

Encapsulated packet, vrf green (IID 1): Payload | IP 1.0.0.0/8 → 2./8 | LISP IID 1 | IP RLOC2
Encapsulated packet, vrf blue (IID 2):  Payload | IP 1.0.0.0/8 → 2./8 | LISP IID 2 | IP RLOC2

• Shared MS/MR
  • Located in RLOC Space
• Multi-tenant XTR
  • Accommodates multiple customers
  • Deployed as PE

[Figure: xTRs RLOC1 and RLOC2, each with vrf green (IID 1) and vrf blue (IID 2); EID prefixes 1.0.0.0/8 and 2.0.0.0/8 in both VRFs]
Interface LISP0
Interface LISP0.x (x = IID)

Attach config for:
• crypto-map
• Assign QoS Policy
• Netflow
• ACL’s

To Enterprise Internal Networks
• Segmentation by physical, Layer 2, or Layer 3 means (e.g. 802.1Q, EVN, physically separate networks)

To IPv4 or IPv6 Core (RLOC namespace)
• Single RLOC namespace
• Default table (or RLOC VRF)

[Figure: HQ xTR with VRF A, IID 1 on LISP0.1; VRF B, IID 2 on LISP0.2; VRF C, IID 3 on LISP0.3; HQ xTR/MSMR/GM routers and KS; default IPv4 Core; Sites 1 to 3, each with an xTR/GM]
How to setup LISP

LISP example topology
Build the network configuration

Say we want to build this…
- Three VRFs, IPv4 and IPv6
- HQ multihomed, two CPE
- Remote multihomed, one CPE
- Remote single-homed, DHCP
- Add encryption

[Figure: HQ with VRF DeptA (IID 1), VRF DeptB (IID 2) and VRF DeptC (IID 3), two xTR/MSMR/GM routers and two KS; IPv4 Core; Site 1, Site 2 and Site 3, each with an xTR/GM]
Three steps to go

How do we build this? Three common steps:
1. Build the underlay (RLOCs)
2. Add the LISP overlay (EIDs)
3. Add encryption
LISP “underlay”

1. Build the underlay (RLOCs)

Examples:
• Normal IP routing…
• Nothing to do with LISP!

All other sites are similar!

HQ1 xTR/MSMR/GM

!
hostname HQ1
!
interface Ethernet0/0
 ip address 10.0.14.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.14.1
!

Remote2 xTR/GM

!
hostname Remote2
!
interface Ethernet0/0
 ip address 10.2.1.2 255.255.255.252
!
interface Ethernet1/0
 ip address 10.2.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.2.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
LISP “underlay”

1. Build the underlay (RLOCs)

Examples:
• Normal IP routing…
• Nothing to do with LISP!

Verification…

Example: RLOC to RLOC

Site2#ping 10.0.14.2 source 10.2.2.2 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/7/8 ms
Site2#
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Remote2 xTR/GM

!
router lisp
 locator-set Site2
  10.2.1.2 priority 1 weight 50
  10.2.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 192.168.255.16/32 locator-set Site2
  exit
 !
 eid-table vrf DeptA instance-id 1
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 1:1:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptB instance-id 2
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 2:2:16::/64 locator-set Site2
  exit
 !
 eid-table vrf DeptC instance-id 3
  database-mapping 192.168.16.0/24 locator-set Site2
  database-mapping 3:3:16::/64 locator-set Site2
  exit
 !
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

All other sites are similar!

Remote2 xTR/GM

! – continued – LISP control plane
 !
 ipv4 itr map-resolver 10.0.14.2
 ipv4 itr map-resolver 10.0.15.2
 ipv4 itr
 ipv4 etr map-server 10.0.14.2 key site2-pswd
 ipv4 etr map-server 10.0.15.2 key site2-pswd
 ipv4 etr
 ipv6 map-server
 ipv6 map-resolver
 ipv6 itr map-resolver 10.0.14.2
 ipv6 itr map-resolver 10.0.15.2
 ipv6 itr
 ipv6 etr map-server 10.0.14.2 key site2-pswd
 ipv6 etr map-server 10.0.15.2 key site2-pswd
 ipv6 etr
 exit
!
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Map-Server Config…

HQ2 xTR/MSMR/GM

router lisp
 !
 site HQ
  authentication-key hq-pswd
  eid-prefix 192.168.18.0/24
  eid-prefix 192.168.19.0/24
  eid-prefix 192.168.255.14/32
  eid-prefix 192.168.255.15/32
  eid-prefix instance-id 1 192.168.14.0/24
  eid-prefix instance-id 1 1:1:14::/64
  eid-prefix instance-id 2 192.168.14.0/24
  eid-prefix instance-id 2 2:2:14::/64
  eid-prefix instance-id 3 192.168.14.0/24
  eid-prefix instance-id 3 3:3:14::/64
  exit
 !
 site Site1
  authentication-key site1-pswd
  eid-prefix 192.168.255.11/32
  eid-prefix instance-id 1 192.168.11.0/24
  eid-prefix instance-id 1 1:1:11::/64
  eid-prefix instance-id 2 192.168.11.0/24
  eid-prefix instance-id 2 2:2:11::/64
  eid-prefix instance-id 3 192.168.11.0/24
  eid-prefix instance-id 3 3:3:11::/64
  exit
 !
---<etc.>---
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Verification…

HQ2 xTR/MSMR/GM

HQ2#show lisp site
LISP Site Registration Information

Site Name  Last      Up   Who Last    Inst  EID Prefix
           Register       Registered  ID
HQ         00:00:46  yes  10.0.14.2   0     192.168.18.0/24
           00:00:05  yes  10.0.15.2   0     192.168.19.0/24
           00:00:46  yes  10.0.14.2   0     192.168.255.14/32
           00:00:05  yes  10.0.15.2   0     192.168.255.15/32
           00:00:09  yes  10.0.14.2   1     192.168.14.0/24
           00:00:56  yes  10.0.14.2   1     1:1:14::/64
           00:00:32  yes  10.0.15.2   2     192.168.14.0/24
           00:00:23  yes  10.0.15.2   2     2:2:14::/64
           00:00:54  yes  10.0.15.2   3     192.168.14.0/24
           00:00:43  yes  10.0.14.2   3     3:3:14::/64
Site1      00:00:07  yes  10.0.11.2   0     192.168.255.11/32
           00:00:16  yes  10.0.11.2   1     192.168.11.0/24
           00:00:42  yes  10.0.11.2   1     1:1:11::/64
           00:00:32  yes  10.0.11.2   2     192.168.11.0/24
           00:00:41  yes  10.0.11.2   2     2:2:11::/64
---<etc.>---
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Verification…

Example: EID to EID

Site3#ping vrf DeptC 192.168.14.1 source 192.168.13.1 rep 10
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptC
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Verification…

Example: EID to EID

Site3#show ip lisp map-cache instance-id 3
LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 4 entries
---<skip>---
192.168.14.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:01:38  up     1/50
  10.0.15.2  00:01:38  up     1/50
---<skip>---
Site3#
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Verification…

Example: EID to EID

Site3#ping vrf DeptA 1:1:14::1 source 1:1:13::1 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds:
Packet sent with a source address of 1:1:13::1%DeptA
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/1/1 ms
Site3
LISP VPN/Virtualization

2. Add the LISP overlay (EIDs)

Examples:
• Bind VRFs to IIDs
• Bind EIDs to RLOCs

Verification…

Example: EID to EID

Site3#show ipv6 lisp map-cache instance-id 1
LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 4 entries
---<skip>---
1:1:14::/64, uptime: 00:00:33, expires: 23:59:28, via map-reply, complete
  Locator    Uptime    State  Pri/Wgt
  10.0.14.2  00:00:33  up     1/50
  10.0.15.2  00:00:33  up     1/50
---<skip>---
Site3#
Adding Encryption to LISP using GETVPN

LISP encryption

• LISP and encryption (IOS)
  – Recalling that… LISP is “Locator/ID” separation… and creates two namespaces: EIDs and RLOCs
  – LISP provides two ways to apply a crypto map

Use-Case             Crypto map on  Vanilla IPsec  GETVPN  Comments
LISP Default Model   RLOC           ✔              ✔       LISP encap first, then encryption based on RLOC
                     LISP0          ✔              ✔       Encryption first based on EID, then LISP encap
LISP Virtualization  RLOC           ✔              ✔       LISP encap first, then encryption based on RLOC
(CSCuc63717)         LISP0.x        ✔              ✔       Encryption first based on EID, then LISP encap

See: lisp.cisco.com for the GETVPN+LISP Configuration Guide!
LISP Header with IPSec (For Your Reference)

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

[Figure: two packet layouts, listed here outermost header first, with header sizes in bytes and IP protocol numbers as labelled on the slide]

IPsec + LISP (crypto map on LISP0):
  ITR IP Hdr (LISP), 20, proto 17 | UDP Hdr, 8, S:xx D:4341 | LISP Hdr, 8 | Host IP Hdr, 20, proto 50 | ESP SPI, xx | Host IP Hdr, 20, proto 1 | ICMP Hdr, 8 | Payload, xxxx | ESP trailer, xx

LISP + IPsec (crypto map on RLOC):
  ITR IP Hdr, 20, proto 50 | ESP SPI, xx | ITR IP Hdr (LISP), 20, proto 17 | UDP Hdr, 8, S:xx D:4341 | LISP Hdr, 8 | Host IP Hdr, 20, proto 1 | ICMP Hdr, 8 | Payload, xxxx | ESP trailer, xx
LISP Header with GETVPN

• LISP provides two ways to apply a crypto map, resulting in different packet outcomes
  – RLOC :: LISP processing, and then encryption
  – LISP0 :: Encryption, and then LISP processing

[Figure: two packet layouts, listed here outermost header first, with header sizes in bytes and IP protocol numbers as labelled on the slide; the slide also marks one IP header in each layout as "Original IPv4 Header"]

GETVPN + LISP (crypto map on LISP0):
  ITR IP Hdr (LISP), 20, proto 17 | UDP Hdr, 8, S:xx D:4341 | LISP Hdr, 8 | Host IP Hdr, 20, proto 50 | ESP SPI, xx | Host IP Hdr, 20, proto 1 | ICMP Hdr, 8 | Payload, xxxx | ESP trailer, xx

LISP + GETVPN (crypto map on RLOC):
  ITR IP Hdr, 20, proto 50 | ESP SPI, xx | ITR IP Hdr (LISP), 20, proto 17 | UDP Hdr, 8, S:xx D:4341 | LISP Hdr, 8 | Host IP Hdr, 20, proto 1 | ICMP Hdr, 8 | Payload, xxxx | ESP trailer, xx
Encryption Configuration

interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP1
 crypto map MAP1
!
. . .
!
crypto map MAP1 10 gdoi
 set group GROUP1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group GROUP1
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0

[The slide overlays two copies of this text; in the second copy the group is named V4GROUP-0001 instead of GROUP1.]
LISP encryption (1)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 0.0.0.0
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac
!
crypto ipsec profile GDOI-PROFILE
 set transform-set GDOI-TRANS
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS1
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-0001
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
---<cont.>---
LISP encryption (2)

3. Add encryption

Examples:
• GETVPN Key Servers
• Nothing to do with LISP!

Redundant Key Server identical!

KS1

! ---<cont.>---
!
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server local
  rekey retransmit 60 number 2
  rekey authentication mypubkey rsa GET-KEYS3
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv6 GETVPN6-0003
   replay time window-size 5
  address ipv4 192.168.18.2
  redundancy
   local priority 100
   peer address ipv4 192.168.19.2
!
ip access-list extended GETVPN-0001
 permit ip any any
ip access-list extended GETVPN-0002
 permit ip any any
ip access-list extended GETVPN-0003
 permit ip any any
!
ipv6 access-list GETVPN6-0001
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0002
 permit ipv6 any any
!
ipv6 access-list GETVPN6-0003
 permit ipv6 any any
!
LISP encryption (3)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
crypto isakmp key FOO address 192.168.18.2
crypto isakmp key FOO address 192.168.19.2
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
---<skip>---
crypto gdoi group ipv6 V6GROUP-0003
 identity number 20003
 server address ipv4 192.168.18.2
 server address ipv4 192.168.19.2
 client registration interface Loopback0
!
crypto map MAP-V4-0001 10 gdoi
 set group V4GROUP-0001
!
---<skip>---
crypto map ipv6 MAP-V6-0003 10 gdoi
 set group V6GROUP-0003
!
LISP encryption (4)

3. Add encryption

Examples:
• GETVPN Group Members
• Add crypto map to LISP0.x

ALL LISP SITES identical! Cut/Paste!

Remote2 xTR/GM

!
interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0001
 crypto map MAP-V4-0001
!
interface LISP0.2
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0002
 crypto map MAP-V4-0002
!
interface LISP0.3
 ip mtu 1456
 ipv6 mtu 1436
 ipv6 crypto map MAP-V6-0003
 crypto map MAP-V4-0003
!
LISP encryption
Verification (1)

Example: EID to EID

Site3#ping vrf DeptA 192.168.14.1 source 192.168.13.1 rep 100
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.13.1%DeptA
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 5/6/12 ms
Site3#
LISP encryption
Verification (2)

Example: EID to EID

Site3#show crypto engine connection active
Crypto Engine Connections

   ID  Type   Algorithm      Encrypt  Decrypt  LastSeqN  IP-Address
---<skip>---
  143  IPsec  AES256+SHA512        0      100         0  192.168.11.1
  144  IPsec  AES256+SHA512      100        0         0  192.168.11.1
---<skip>---
Site3#
LISP Deployment Examples

• LISP Deployment Models
• LISP Over MPLS
• Efficient IPv4 & IPv6 Multihoming
• Data Center Mobility
• LISP Mobile Nodes

LISP Deployment Examples
Public and Private LISP Deployment Models

Private Model
• “Private” LISP deployment supports single Enterprises or Entities
• LISP Enterprise deploys:
  - xTRs
  - Mapping System
  - Proxy System

Public Model
• “Public” LISP deployment supports the needs of multiple Enterprises
• LISP Enterprises subscribe to LISP SP, and deploy their own xTRs

[Diagram labels: Private Enterprise Examples / Stand-Alone Example (Enterprise A, Enterprise B, Enterprise C); Global Examples (ddt-root.org, LISP SP, LISP Ent, NJEdge.Net, VXNet, InTouch, LISP Beta, PCCC, CCM, BCC, CCC, MU, Princeton)]

LISP Deployment Examples
Efficient Virtualization and High-Scale VPNs

LISP VPNs: Cryptography, Routing and Tunneling! -- all in one!

Encapsulation
• EID prefix virtualization
• Tied to VRFs
• Locators can be virtualized too

Routing
• Spoke to spoke connectivity
• Optional local Internet offload (split-tunnel)
• No IGP required to branch sites!

Site to Site Security
• LISP Works with any crypto scheme
• Locators or EIDs can be encrypted
• LISP-SEC for control plane security

LISP Deployment Examples
Efficient Virtualization and High-Scale VPNs
LISP – Inherent scalability and virtualization, rapidly deployable

Scalability (# of VPN sites): Unconstrained
• No protocol constraint
• 100K concurrent site connections

VPN site-to-site routing: Unnecessary
• No site-to-site routing required
• No VPN route injection into core
• LISP / Non-LISP site interworking through PxTR

Segmentation: Secure 24-bit Instance ID with VRF
• 16M unique VPN classifiers
• Used by LISP control plane and data plane
• Optional data plane encryption with GETVPN

Performance: Optimal Path (P2P), Loadbalancing
• Shortest path between LISP sites
• Equal cost/unequal cost loadbalancing

LISP and MPLS interaction

• LISP provides a scalable way to extend VPNs across an IP/MPLS core
• Avoid per-VRF costs
• Pull VPN routes out of the MPLS core
• Circumvent address family constraints
• Fast convergence on site Up/Down events

[Diagram: Location Y and Location X, each with Group A through Group N devices and networks behind a CE xTR (with GM; MSMR shown), attached through PE routers to the MPLS VPN / MPLS Core. PE-CE = BGP; CE to CE Customer routes = LISP]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

• Needs:
  ‒ Site connectivity to multiple providers for resiliency
  ‒ Low OpEx/CapEx solution for Ingress TE
  ‒ Rapid IPv6 deployment, minimal disruption
• LISP Solution:
  ‒ LISP provides a streamlined solution for handling multi-provider connectivity and policy without BGP complexities
  ‒ LISP encapsulation is Address Family agnostic, allowing for IPv6 over an IPv4 core, or IPv4 over an IPv6 core
• Benefits:
  ‒ OpEx-friendly multi-homing across different providers
  ‒ Ingress Traffic Engineering that actually “works”
  ‒ Minimal configuration
  ‒ No core network changes

[Diagrams: Efficient Multihoming (LISP site routers connected to the Internet); Connecting IPv4 or IPv6 Islands over IPv6 or IPv4 Cores; IPv6 Transition Support (xTR, IPv4 Core, PxTR, v6 service, IPv4 Internet, IPv6 Internet)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

[Diagram: LISP site (EIDs 172.16.1.2/24 and 2001:db8:a:1::2/64) with xTR-1 and xTR-2, GE0/0/0 RLOCs 10.1.1.2/30 toward SP1 and 10.2.1.2/30 toward SP2, attached to an IPv4 RLOC namespace with an IPv4 default route. MR/MS and PxTR nodes in the core: 10.10.10.10, 10.10.10.11, 10.10.30.10, 10.10.30.11. PxTR IPv6 RLOC links: 2001:db8:e000:2::1 / 2001:db8:e000:2::2 and 2001:db8:f000:2::1 / 2001:db8:f000:2::2, toward the IPv4 Internet and the IPv4 or IPv6 core. Callouts: LISP egress feature (tx encap) and LISP ingress feature (rcv decap), from the Enterprise internal IPv4 or IPv6 networks]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support

PxTR1#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 196 entries
---<skip>---
172.16.1.0/24, uptime: 00:01:38, expires: 23:58:25, via map-reply, complete
  Locator   Uptime    State  Pri/Wgt
  10.1.1.2  00:01:38  up     1/50
  10.2.1.2  00:01:38  up     1/50
---<skip>---

[Diagram: same topology as the previous slide, with the LISP site xTR-1 and xTR-2 RLOCs 10.1.1.2/30 and 10.2.1.2/30]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

NJEDge.Net PRODUCTION

Customer Site: http://njedge.net
Customer Case Study: http://lisp.cisco.com

Target Market:
• State of New Jersey Educational Entities (k-12, universities, colleges)

LISP Services:
• BGP-free Multihoming
• IPv6 Internet Access
• Host Mobility Disaster-Recovery (adding now…)
• Inter-Departmental VPNs (adding next…)

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

[Diagram: Constituent Member Topologies… Member 1 through Member N, each with a CPE connected by Default Route or BGP to Tier 1 SP1, Tier 1 SP2, a Commodity SP and a Transit SP, which reach the IPv4 Internet and IPv6 Internet (Google, Facebook, Some.. v4/v6, More… v4/v6)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Before LISP…
• Configuration complexity…
• Uneven multihoming load shares…

They wanted: 50%/50%
They got: 90%/10% ? 80%/20% ? Never 50%/50%

Many more features can be added here...

router bgp 100
 bgp router-id 172.16.2.1
 bgp asnotation dot
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 172.16.2.1 remote-as 300 <== eBGP to SP1
 neighbor 172.16.1.2 remote-as 400 <== eBGP to SP2
 !
 address-family ipv4
  no synchronization
  redistribute ospf route-map populate-default
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 route-map filter-out out
  neighbor 172.16.1.2 route-map filter-in in
  neighbor 172.16.1.2 maximum-prefix 450000 90
  neighbor 172.16.2.1 activate
  neighbor 172.16.2.1 route-map filter-out out
  neighbor 172.16.2.1 route-map filter-in in
  neighbor 172.16.2.1 maximum-prefix 450000 90
  no auto-summary
 exit-address-family
!
ip bgp-community new-format
ip community-list standard outlist permit 100:123
!
route-map populate-default permit 10
 set origin igp
 set community 100:123
!
route-map filter-out permit 10
 match community outlist
!
route-map filter-in permit 10
 match community inlist
!

[Diagram: Constituent Member Topologies… Member 1 through Member N, each with a CPE connected by Default Route or BGP to Tier 1 SP1, Tier 1 SP2, a Commodity SP and a Transit SP, which reach the IPv4 Internet and IPv6 Internet (Google, Facebook, Some.. v4/v6, More… v4/v6)]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Deploy LISP…
• Configuration simplicity…

router lisp
 locator-set Site3
  172.16.1.2 priority 1 weight 50
  172.16.2.2 priority 1 weight 50
  exit
 !
 eid-table default instance-id 0
  database-mapping 10.1.1.0/24 locator-set Site3
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 172.17.1.1
 ipv4 etr map-server 172.17.1.1 key s3cr3t
 ipv4 use-petr 10.5.5.5
!

[Diagram: the Constituent Member Topologies… picture with each member CPE now acting as an xTR (Default Route or BGP toward Tier 1 SP1, Tier 1 SP2, Commodity SP and Transit SP), plus two NJEDge.Net LISP Network blocks, each with MS/MR and PxTR, next to the IPv4 Internet and IPv6 Internet]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

Deploy LISP…
• Configuration simplicity…

[Diagram: same NJEDge.Net LISP Network topology (MS/MR, PxTR, member CPE xTRs, Tier 1 SP1, Tier 1 SP2, Commodity SP, Transit SP). Callouts: IPv4 EID Aggregate Advertisement toward the IPv4 Internet; Non-LISP-to-LISP traffic path; LISP-to-LISP traffic path between members]

LISP Deployment Examples
Efficient Multihoming and Multi-AF (IPv4/IPv6) Support – Customer Example

NJEDge.Net is now adding IPv6 for its members!

[Diagram: same NJEDge.Net LISP Network topology (MS/MR, PxTR, member CPE xTRs, Tier 1 SP1, Tier 1 SP2, Commodity SP, Transit SP), with IPv6 EIDs at the member sites. Callouts: IPv6 EID Aggregate Advertisement toward the IPv6 Internet; Non-LISP-to-LISP traffic path; LISP-to-LISP traffic path between members]

LISP Deployment Examples
Data Center/Host Mobility

• Needs:
  ‒ VM-Mobility extending subnets and across subnets
  ‒ Move detection, dynamic EID-to-RLOC mappings, traffic redirection
• Historical Solutions:
  ‒ Sub-optimal Routing (Triangulation)
  ‒ Additional Resource Consumption
  ‒ Increased Complexity (DNS updates)
  ‒ OpEx Spend
• LISP:
  ‒ Changes the Paradigm

[Diagram: VM a.b.c.1 moves from Data Center 1 to Data Center 2; each data center sits behind a LISP router connected to the Internet]

LISP Deployment Examples
Data Center/Host Mobility
LISP Host Mobility Config Guide: http://lisp.cisco.com

Moves With LAN Extension
• Routing for Extended Subnets
  Active-Active Data Centers
  Distributed Data Centers
[Diagram: Non-LISP Site and LISP Site (XTR) reach West-DC and East-DC LISP-VM (XTR) routers over an IPv4 Network with a Mapping DB; LAN Extension between West-DC and East-DC]

Moves Without LAN Extension
• IP Mobility Across Subnets
  Disaster Recovery
  Cloud Bursting
[Diagram: LISP Site (XTR) reaches West-DC and East-DC LISP-VM (XTR) routers over an IPv4 Network with a Mapping DB; East-DC is a DR Location or Cloud Provider DC]

LISP Deployment Examples
Data Center/Host Mobility – No LAN Extension : First-Hop Routing
• SVI (Interface VLAN x) and HSRP configured as usual
– Consistent GWY-MAC configured across all dynamic subnets

• The lisp mobility <dyn-eid-map> command enables proxy-arp functionality on the SVI
– The LISP-VM router services first hop routing requests for both local and roaming subnets

• Moving hosts always talk to a local gateway with the same MAC

[The configuration boxes for the four LISP-VM xTRs A, B, C and D overlap in the source; the recoverable lines are grouped below.]

Interfaces shown: interface vlan 100, interface vlan 200, interface Ethernet2/4
Interface addresses shown: ip address 10.2.0.5/24, ip address 10.1.0.6/24, ip address 10.3.0.7/24, ip address 10.2.0.8/24

Lines common to all four boxes:
 lisp mobility roamer
 ip proxy-arp
 hsrp 101 (two boxes) or hsrp 201 (two boxes)
  mac-address 0000.0e1d.010c
  ip 10.2.0.1 (two boxes) or ip 10.3.0.1 (two boxes)

[Diagram: LISP-VM (xTR) routers A and B in West-DC (10.2.0.0/24) and C and D in East-DC (10.3.0.0/24), HSRP Active on each side; host 10.2.0.2 sends ARP for the HSRP GWY-MAC]

LISP Deployment Examples
Data Center/Host Mobility – ETR Updates across LISP sites

Null0 host routes indicate the host is “away”

[Diagram, numbered steps 1 to 10: host 10.2.0.2 (Y) moves from West-DC (10.2.0.0/16, xTRs A and B) to East-DC (10.3.0.0/16, xTRs C and D); Mapping DB nodes 5.1.1.1 and 5.2.2.2]

Mapping DB:
 10.2.0.0/16 – RLOC A, B
 10.2.0.2/32 – RLOC C, D

Messages:
 Map-Register 10.2.0.2/32 <C,D>
 Map-Notify 10.2.0.2/32 <C,D>

Routing Table (West-DC xTRs A and B):
 10.2.0.0/16 – Local
 10.2.0.2/32 – Null0

Routing Table (East-DC xTRs C and D):
 10.3.0.0/16 – Local
 10.2.0.0/24 – Null0
 10.2.0.2/32 – Local

LISP Deployment Examples
Data Center/Host Mobility – Refreshing map-caches

1. ITRs and PITRs with cached mappings continue to send traffic to the old locators
   • The old DC xTR knows the host has moved (Null0 route)
2. Old xTR sends Solicit Map Request (SMR) messages to any encapsulators sending traffic to the moved host
3. The ITR then initiates a new map request process
4. An updated map-reply is issued from the new location
5. The ITR Map Cache is updated

Traffic now flows shortest path

Map Cache @ ITR:
 10.2.0.0/16 – RLOC A,B
 10.2.0.2/32 – RLOC C,D

[Diagram: ITR at a LISP site, Mapping DB, and LISP-VM (xTR) routers A and B in West-DC (10.2.0.0/16) and C and D in East-DC (10.3.0.0/16); host Y (10.2.0.2) now in East-DC alongside hosts X and Z]

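The five steps above, walked through as a small simulation using the slide's prefixes and locator names. This is an added example, not code from the presentation or from any LISP implementation; the class and function names are hypothetical, and each DC's xTR pair is modelled as one object.

```python
import ipaddress


def longest_match(table, addr):
    """Return the most specific prefix in `table` that covers addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [p for p in table if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)


class MappingDB:
    """Map-Server/Map-Resolver: remembers which xTR registered each EID prefix."""

    def __init__(self):
        self.registrations = {}

    def map_register(self, prefix, xtr):
        self.registrations[prefix] = xtr

    def map_request(self, eid):
        prefix = longest_match(self.registrations, eid)
        # The request reaches the registering site, which issues the map-reply.
        return prefix, self.registrations[prefix].rlocs


class XTR:
    """The xTR pair of one data center, identified by its locator set."""

    def __init__(self, name, rlocs, routes):
        self.name, self.rlocs, self.routes = name, rlocs, dict(routes)

    def receive(self, eid, itr):
        route = self.routes[longest_match(self.routes, eid)]
        if route == "Null0":          # step 1 bullet: the host is known to be away
            itr.receive_smr(eid)      # step 2: solicit a new map request
            return "SMR sent by " + self.name
        return "delivered in " + self.name


class ITR:
    def __init__(self, mapping_db, sites):
        self.db, self.sites, self.map_cache = mapping_db, sites, {}

    def resolve(self, eid):
        prefix, rlocs = self.db.map_request(eid)
        self.map_cache[prefix] = rlocs
        return prefix

    def receive_smr(self, eid):
        self.resolve(eid)             # steps 3-5: request, reply, cache update

    def send(self, eid):
        prefix = longest_match(self.map_cache, eid) or self.resolve(eid)
        rlocs = self.map_cache[prefix]
        return rlocs, self.sites[rlocs].receive(eid, self)


def demo():
    west = XTR("West-DC", ("A", "B"), {"10.2.0.0/16": "Local"})
    east = XTR("East-DC", ("C", "D"), {"10.3.0.0/16": "Local", "10.2.0.0/24": "Null0"})
    db = MappingDB()
    db.map_register("10.2.0.0/16", west)
    itr = ITR(db, {west.rlocs: west, east.rlocs: east})
    log = [itr.send("10.2.0.2")]              # before the move
    # Host 10.2.0.2 moves: East installs and registers the /32, West marks it away.
    east.routes["10.2.0.2/32"] = "Local"
    db.map_register("10.2.0.2/32", east)
    west.routes["10.2.0.2/32"] = "Null0"
    log.append(itr.send("10.2.0.2"))          # stale cache: old locators, SMR comes back
    log.append(itr.send("10.2.0.2"))          # refreshed cache: new locators
    return log, itr.map_cache


if __name__ == "__main__":
    for rlocs, outcome in demo()[0]:
        print(rlocs, outcome)
```

The second send shows the window in which the ITR still encapsulates to the old locators; the final map-cache holds both the /16 and the more specific /32, as on the slide.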
LISP Deployment Examples
Data Center/Host Mobility – Customer Example
MPLS Core, Across Subnets – Topology

[Diagram: Customer-A MPLS-VPN across an MPLS Core. Customer-A Site 1 (CE1, ITR/ETR) on PE1; Customer-A Site 2 (CE2, ITR/ETR) on PE2; Blue/DC 1 (Location 1, 172.17.0.0/16; CE3 and CE4 as ITR/ETR; MS/MR) on PE3; Blue/DC 2 (Location 2, 172.18.0.0/16; CE5 and CE6 as ITR/ETR; MS/MR) on PE4. DYNAMIC EID 172.17.0.0/24]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example
MPLS Core, Across Subnets – Topology

IOS (Site 1 ITR/ETR, EID 172.16.1.0/24, RLOC 10.1.1.2)
router lisp
 eid-table default instance-id 0
  database-mapping 172.16.1.0/24 10.1.1.2 pri 1 wei 100
  exit
 !
 ipv4 itr
 ipv4 etr
 ipv4 itr map-resolver 10.1.5.1
 ipv4 itr map-resolver 10.1.6.1
 ipv4 etr map-server 10.1.5.1 key s3cr3t
 ipv4 etr map-server 10.1.6.1 key s3cr3t
!

IOS (MS/MR, RLOC 10.1.5.1 and RLOC 10.1.6.1)
router lisp
 !
 site DCs
  authentication-key DCs3cr3t
  eid-prefix 172.17.0.0/16 accept-more-specifics
  eid-prefix 172.18.0.0/16
  exit
 !
 site Site-1
  authentication-key s3cr3t
  eid-prefix 172.16.1.0/24
  exit
 !
 --<more sites>---
 ipv4 map-server
 ipv4 map-resolver
 exit
!

[Diagram: Customer-A MPLS-VPN topology as on the previous slide, with Site 1 EID 172.16.1.0/24 and RLOC 10.1.1.2, MS/MR RLOCs 10.1.5.1 and 10.1.6.1, Blue/DC 1 172.17.0.0/16, Blue/DC 2 172.18.0.0/16, DYNAMIC EID 172.17.0.0/24]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example
MPLS Core, Across Subnets – Topology

NX-OS (Blue/DC 1, Location 1)
ip lisp itr-etr
ip lisp database-mapping 172.17.0.0/16 10.2.5.1 p 1 w 50
ip lisp database-mapping 172.17.0.0/16 10.2.5.5 p 1 w 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM
 database-mapping 172.17.0.0/24 10.2.5.1 p 1 w 50
 database-mapping 172.17.0.0/24 10.2.5.5 p 1 w 50
 map-notify-group 239.1.1.1

interface vlan 100
 ip address 172.17.0.2/24 (or 172.17.0.3/24)
 lisp mobility CUST-A-ROAM
 ip proxy-arp
 hsrp 101
  mac-address 0000.0e1d.010c
  ip 172.17.0.1

NX-OS (Blue/DC 2, Location 2)
ip lisp itr-etr
ip lisp database-mapping 172.18.0.0/16 10.2.6.1 p 1 w 50
ip lisp database-mapping 172.18.0.0/16 10.2.6.5 p 1 w 50
ip lisp itr map-resolver 10.1.5.1
ip lisp itr map-resolver 10.1.6.1
ip lisp etr map-server 10.1.5.1 key DCs3cr3t
ip lisp etr map-server 10.1.6.1 key DCs3cr3t

lisp dynamic-eid CUST-A-ROAM
 database-mapping 172.17.0.0/24 10.2.6.1 p 1 w 50
 database-mapping 172.17.0.0/24 10.2.6.5 p 1 w 50
 map-notify-group 239.2.2.2

interface vlan 100
 ip address 172.18.0.2/24 (or 172.18.0.3/24)
 lisp mobility CUST-A-ROAM
 ip proxy-arp
 hsrp 101
  mac-address 0000.0e1d.010c
  ip 172.18.0.1

[Diagram: Customer-A MPLS-VPN topology as on the previous slides, with RLOC-A 10.2.5.1 and RLOC-B 10.2.5.5 at Blue/DC 1 (172.17.0.0/16) and RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5 at Blue/DC 2 (172.18.0.0/16); Site 1 EID 172.16.1.0/24, RLOC 10.1.1.2; MS/MR RLOCs 10.1.5.1 and 10.1.6.1; DYNAMIC EID 172.17.0.0/24]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example
MPLS Core, Across Subnets – Topology

map-cache
EID-prefix: 172.17.0.12/32
Locator-set:
 10.2.5.1, priority: 1, weight: 50
 10.2.5.5, priority: 1, weight: 50

the server is here 172.17.0.12/32

[Diagram: Customer-A MPLS-VPN topology as on the previous slides; RLOC-A 10.2.5.1 and RLOC-B 10.2.5.5 at Blue/DC 1 (Location 1, 172.17.0.0/16), RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5 at Blue/DC 2 (Location 2, 172.18.0.0/16); Site 1 EID 172.16.1.0/24, RLOC 10.1.1.2]

LISP Deployment Examples
Data Center/Host Mobility – Customer Example
MPLS Core, Across Subnets – Topology

map-cache
EID-prefix: 172.17.0.12/32
Locator-set:
 10.2.6.1, priority: 1, weight: 50
 10.2.6.5, priority: 1, weight: 50

the server moves here 172.17.0.12/32

[Diagram: Customer-A MPLS-VPN topology as on the previous slides; RLOC-A 10.2.5.1 and RLOC-B 10.2.5.5 at Blue/DC 1 (Location 1, 172.17.0.0/16), RLOC-C 10.2.6.1 and RLOC-D 10.2.6.5 at Blue/DC 2 (Location 2, 172.18.0.0/16); Site 1 EID 172.16.1.0/24, RLOC 10.1.1.2]

LISP for Cloud Connect

[Diagram: Customer-A MPLS-VPN across an MPLS Core, with a CSR1kV reached through the Internet and an ISP. Customer-A Site 1 (CE1, ITR/ETR) on PE1; Blue/DC 1 (Location 1, 172.17.0.0/16; CE5 and CE6 as ITR/ETR; MS/MR) and Blue/DC 2 (Location 2, 172.18.0.0/16; CE7 and CE8 as ITR/ETR; MS/MR) on PE5 and PE6]

LISP Mobile Node
A LISP-MN Phone is a LISP Site!!…

What can a LISP-MN Device do?
• Two MNs can roam and stay connected
• MNs can be servers
• MNs roam without changing DNS entries
• MNs can use multiple interfaces
• MNs can control ingress packet policy
• Faster hand-offs
• Low battery use by MS proxy-replying
• And most importantly, packets have stretch of “1” – best for latency/delay sensitive applications

LISP-MN can scale to 1 billion hand-sets!

[Diagram: This device is a LISP xTR! Interfaces: wifi 64.0.0.1, 3G 65.0.0.1. EID-prefix: 2610:00d0:xxxx::1/128. Map-Server: 64.1.1.1]

LISP Mobile Node

LISP-MN mobility around the world!


LISP Status
LISP Status
IETF LISP WG: http://tools.ietf.org/wg/lisp/

LISP RFCs and notable drafts

RFCs
RFC 6830   Locator/ID Separation Protocol (LISP) base document
RFC 6833   LISP Map Server
RFC 6832   LISP Interworking
RFC 6831   LISP Multicast
RFC 6835   LISP Internet Groper
RFC 6834   LISP Map Versioning
RFC 6836   LISP+ALT
RFC 7052   LISP MIB
RFC 7215   LISP Network Element Deployment Considerations
RFC 8061   LISP Data-Plane Confidentiality
RFC 8111   LISP Delegated Database Tree (LISP-DDT)

Draft: Target
LISP Traffic Engineering Use-Cases (draft-farinacci-lisp-te-12): Active Working Group Document
LISP L2/L3 EID Mobility Using a Unified Control Plane (draft-ietf-lisp-eid-mobility-00): Active Working Group Document
LISP SEC (draft-ietf-lisp-sec-05): Active Working Group Document
LISP Predictive RLOCs (draft-ietf-lisp-predictive-rlocs-00): Active Working Group Document
LISP Configuration YANG Model (draft-ietf-lisp-yang-04): Active Working Group Document
LISP Mobile Node (draft-meyer-lisp-mn-10): Related Working Group Document
LISP NAT-Traversal (draft-ermagan-lisp-nat-traversal-05): Related Working Group Document
LISP GPE (draft-lewis-lisp-gpe): Related Working Group Document
Signal-Free LISP Multicast (draft-ietf-lisp-signal-free-multicast-04): RFC-Editor’s Queue
LISP Based FlowMapping for Scaling NVF (draft-barakai-lisp-nvf-04): Related Internet Draft
LISP Reliable Transport (draft-kouvelas-lisp-reliable-transport-00): Related Internet Draft

LISP - Open Standard Specification
IETF Work…
IETF Specification
• Nine RFCs presently published: RFC 6830 thru 6836, 7052 and 7215
• 6+ year thorough customer/vendor review
• No IPR claims on LISP IETF specifications
Ongoing IETF LISP WG Focus
• LISP base specifications (LCAF, deployment, LISP-SEC, LISP-DDT, LISP-MN)
• Use cases being documented:
• DC Virtualization and Host Mobility
• WAN Virtualization, Multi-Homing, IPv6 Adoption/Transition
• Traffic Engineering and Service Chaining
• SDN/NFV

IETF LISP WG: http://tools.ietf.org/wg/lisp/

LISP Status
LISP Beta Network – International R&D and demonstration network
EMAIL: lisp-support@cisco.com

• LISP Community Operated:
  • More than 5+ years of operation…
  • More than ~600+ Sites, 45+ countries…

• Interoperable LISP implementations:
  • Cisco
    - IOS (ISR, ISRG2, 7200) and IOS-XE (ASR1K, CSR1KV)
    - Cisco IOS-XR (CRS3, ASR9K)
    - Cisco NX-OS (N7K)
    - Cisco Cat6K
  • AVM “FRITZ!Box”
  • OpenWrt
  • Open Source
    - FreeBSD: OpenLISP
    - Linux: Aless, LISPmob, OpenWrt
    - Android and more…
  Plus some others… ;-)

Links: http://www.lisp4.net  http://www.lisp.intouch.eu/  http://vinciconsulting.com/vxnet  http://www.itris-enterprise.ch/

LISP Status
LISP Software – Available Features: By Operating System
Cisco Releases (http://lisp.cisco.com)

Features             IOS       IOS-XE    NX-OS     IOS-XR    Cat 6K
• Roles:
  - ITR/ETR          ✓         ✓         ✓         ✓         ✓
  - PITR/PETR        ✓         ✓         ✓         ✓         ✓
  - MS/MR            ✓         ✓         ✓         ASR9k     ✓
  - RTR              ✓         ✓         roadmap   roadmap   roadmap
• AF Support
  - EID v4/v6        ✓         ✓         ✓         ✓         ✓
  - RLOC v4/v6       ✓         ✓         v4 only   5.3.0     v4 only
• Virtualization
  - Shared/Parallel  ✓         ✓         ✓         ✓         ✓ shared
• Mobility
  - ESM/ASM          ✓         ✓         ✓         roadmap   ASM 15.2(1)SY
  - ESM Multi-Hop    ✓         ✓         ✓         roadmap   roadmap
• Multicast          ✓         ✓         ✓         roadmap   roadmap
• NAT-Traversal      testing   testing   testing   roadmap   roadmap

LISP References
Links and emails

WEB: http://lisp.cisco.com

EMAIL: lisp-support@cisco.com

LISP Summary
Part of the LISP Solution Space
1. Multihoming
2. IPv6 Transition
3. Virtualization/VPN
4. Mobility

[Diagram: an IPv6 Network and an IPv4 Network, each attached through an xTR to the IPv6 Core and IPv4 Core (v6 and v4 paths)]

LISP is an Architecture…

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions:

• Advanced – Troubleshooting LISP. Session ID: BRKRST-3047


• Enhancing VXLAN/EVPN Fabrics with LISP. Session ID: LTRDCT-2224
• Networking Challenges when Interconnecting Data Center Fabrics. Session ID: BRKDCN-2001
• Transition to an IPv6 environment using LISP - A Hands-on LAB. Session ID: LABRST-2020

SD-Access Cisco Live Sessions
Breakout Sessions:
BRKCRS-2810: DNA Campus Fabric Automation – A Look Under the Hood (2 Hour, Shawn Wargo) (run twice)

BRKCRS-2811: DNA Campus Fabric Automation – Connecting the Campus Fabric to External Networks (2 Hour, Satish
Kondalam) (run twice)

BRKCRS-2812: DNA Campus Fabric Automation – Integrating with Your Existing Network (2 Hour, Kedar Karmarkar)

BRKCRS-2813: DNA Campus Fabric Automation – Monitoring and Troubleshooting (90 min, Vimarsh Puneet)

BRKCRS-2814: DNA Campus Fabric Automation – Assurance and Analytics (90 min, Karthik Kumar Thatikonda)

BRKCRS-3811: DNA Campus Fabric Automation – Policy Driven Manageability (90 min, Victor Moreno)

BRKEWN-2020: DNA Campus Fabric Automation – Wireless Integration (2 Hour, Simone Arena and Kedar Karmarkar)

BRKDCN-2489: DNA Campus Fabric Automation – Integration with Data Center Architectures (90 min, Karthik Kumar
Thatikonda)

Labs:
LTRCRS-2810: DNA Campus Fabric Automation – Hands-On Lab (4 Hour, Derek Huckaby and Larissa Overbey) (run twice)

Thank you
