Cisco Locator ID Separation Protocol (LISP)

This topic is to discuss the following lesson:

Hello Mr Molenaar is there any way that you could attach a small lab with this Lesson
Regards Evan-

Hello Evan,

I will add a walkthrough of the configuration soon. I didn’t do it right away because the CCNP ENCOR exam only covers LISP in theory.

If you want to take a look at a working lab, I have the configs of the topology that I used in this explanation:

Here are the configs:

hostname H1
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.1.101 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end
hostname H2
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.2.102 255.255.255.0
!
ip default-gateway 192.168.2.254
!
end
hostname XTR1
!
interface LISP0
!
interface GigabitEthernet0/1
 ip address 192.168.123.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.1.254 255.255.255.0
!
router lisp
 locator-set SITE1
  192.168.123.1 priority 10 weight 10
  exit
 !
 database-mapping 192.168.1.0/24 locator-set SITE1
 ipv4 itr map-resolver 192.168.123.3
 ipv4 itr
 ipv4 etr map-server 192.168.123.3 key MY_SECRET
 ipv4 etr
 exit
!
end
hostname XTR2
!
interface LISP0
!
interface GigabitEthernet0/1
 ip address 192.168.123.2 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.2.254 255.255.255.0
!
router lisp
 locator-set SITE2
  192.168.123.2 priority 10 weight 10
  exit
 !
 database-mapping 192.168.2.0/24 locator-set SITE2
 ipv4 itr map-resolver 192.168.123.3
 ipv4 itr
 ipv4 etr map-server 192.168.123.3 key MY_SECRET
 ipv4 etr
 exit
!
end
hostname MR-MS
!
interface GigabitEthernet0/1
 ip address 192.168.123.3 255.255.255.0
!
router lisp
 site SITE1
  authentication-key MY_SECRET
  eid-prefix 192.168.1.0/24
  exit
 !
 site SITE2
  authentication-key MY_SECRET
  eid-prefix 192.168.2.0/24
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit
!
end

Some commands you might want to try:

  • show ip lisp
  • show lisp site
  • show ip lisp map-cache
  • debug lisp control-plane all

Once I work on the CCIE Enterprise material, I’ll create a full walkthrough for this.

Rene

2 Likes

Thank you Rene for the info and lab, I have to re-certify for CCNP by May 31. BTW your website is outstanding.

Best Regards Evan-

3 Likes

Hi Rene:
Thanks for sharing this LISP topic. I would like to know how H1 at site 1 knows the address of H2 in site 2 in the first place? (Is it the same as an ARP request/response?) In that case, does the ARP packet also go through the same encapsulation process?
Thanks
Rama

Hello Ramakrishnan

H1 knows the address of H2, in most cases, simply because a user has input it. For example, if H2 is an email server, then the email client of H1 has been manually configured to reach that email server. If H2 is a web server, then H1 has used a DNS lookup service for www.ip-address-of-h2.net, for example, and resolved the destination address for that host.

Note also that LISP is a feature that interconnects subnets. What I mean is, the gateways of both H1 and H2 are found within their local LISP sites. This means that Layer 2 protocols such as ARP remain within the local sites. Only routing functions operate between LISP sites and the RLOC space. So you would never see ARP requests traversing the RLOC space.

I hope this has been helpful!

Laz

1 Like

Thanks Lagapides for the prompt reply. I will read through and will update if I have any more questions.

1 Like

Hi,
I have a question please
Can you please explain this part of the LISP lesson to me? I'm confused:
"Is the source IP a registered EID-prefix in the local map-cache?
If not, forward the packet with regular IP routing.
If so, the ITR:
Selects a UDP source port.
Sets the UDP destination port to 4342.
Sends an encapsulated Map-Request to the MR for 192.168.2.102.
The source IP is the IP address of the hosts???

Hello Sala

Yes, in this particular example, the source IP is the IP address of the host, specifically, 192.168.1.101. Using LISP terminology, this is the Endpoint Identifier (EID).

The question stated as “Is the source IP a registered EID-prefix in the local map-cache?” simply asks if the specific EID is found within a prefix (such as 192.168.1.0/24) in the local map-cache. If so, then the ITR uses LISP to forward the packet to the appropriate ETR for further routing.

I hope this has been helpful!

Laz

thanks for your answer :slight_smile:

Hi Rene, Lazaros,

Hope you guys are doing well…

I’ve some questions regarding Proxy ETR and ITR and how LISP can help to reduce routing entries.

Proxy ETR (PETR) - Since it’s a non-LISP site, the PETR doesn’t “advertise” the EID to the MS. How would the MS learn the 3.21.157.0/24 prefix?

Proxy ITR (PITR) - I don’t seem to see the difference between this and the ITR… What are the salient differences besides the general understanding that it is non-LISP site to LISP site?

Another point is - so far I don’t understand how LISP can significantly reduce the Internet routing table. We still need the number of entries in the map cache. It seems to me like we’re just moving the numbers/entries from the routing table to the map cache… Also going to the MR to get the EID/RLOC info will take time, not quite sure if that is worth the effort given the powerful CPU and large memory the routers have nowadays…

Thanks.

Hello Edmund

As mentioned in the lesson, (Step 3 of the PETR section):

The MR forwards the Map-Request to the MS. The MS replies with a Negative Map-Reply and includes a calculated non-LISP prefix. When the ITR receives the Negative Map-Reply, it installs the non-LISP prefix in its mapping cache and FIB.

So here are the steps:

  • The MR will forward the request to the MS.
  • The requested EID is not found in the mapping database system, therefore it must be a non-LISP destination.
  • It replies with a negative map-reply, which is simply a map-reply that contains an empty locator-set. This tells the ITR to “natively forward” (using IP routing) the packet to the destination.
  • Within the negative map-reply, it contains a calculated non-LISP prefix, also known as an EID-Prefix according to RFC 6833, which is simply the shortest prefix that matches the requested destination but does not match any LISP EIDs. This is actually obtained from the destination IP address.
  • When the ITR receives this, it simply routes the packet to the PETR using IP.

I think the best explanation can be found in this Cisco publication: The LISP Network: Evolution to the Next-Generation of Data Networks. The excerpt says:

PITRs request mappings and encapsulate traffic toward an EID regardless of whether the source of the traffic is an EID or not; this is the basic difference between configuring the router as an ITR or PITR. When configured as an ITR, the router checks whether the source is registered in LISP as an EID before doing anything else. If the source isn’t an EID, the ITR does not handle the traffic as LISP traffic, and forwarding of this traffic depends on the presence of a route to the destination in the underlying routing tables. In other words, if the source is an RLOC (not an EID), an ITR assumes the destination is also an RLOC and allows the router to handle it as such in the underlying routing. A PITR does not check on the source because its role is to actually receive traffic from RLOC sources and forward it to EID destinations. Therefore, the fact that a source is in the RLOC space actually indicates to the PITR that it needs to forward the traffic in LISP.

Traditional routing requires that every router on the Internet have a partial or complete BGP internet routing table to function. LISP centralizes this routing information in MS/MR devices, so that each router doesn’t have to have this information but can request it whenever needed.

Yes it will take time, but think about this. If your packet has to traverse say, 12 routers over the Internet to reach its destination, that means 12 routing table lookups, each one going through up to 800000 prefixes to find the next hop. This too takes time and CPU/Memory, and LISP relieves these routers from such burdensome processes.

I hope this has been helpful!

Laz

2 Likes
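The ITR decision that Sala asked about (source EID check, map-cache lookup, Map-Request on a miss) and the negative Map-Reply handling that Laz walks through above can be put together in one small model. The following Python is an added example written for this thread, not code from the lesson or from Cisco IOS: it uses the EID prefixes and RLOCs from the configs posted earlier, the PETR address 192.168.123.4 is a constructed value, and the Map-Request/Map-Reply exchange is a direct function call rather than UDP messages. The non-LISP prefix is computed the way the bullet list describes: the shortest prefix covering the destination that overlaps no registered EID prefix.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Port numbers as quoted from the lesson in this thread.
LISP_DATA_PORT = 4341     # UDP destination port of LISP-encapsulated data packets
LISP_CONTROL_PORT = 4342  # UDP destination port of Map-Request / Map-Reply messages


@dataclass
class Mapping:
    """One EID-to-RLOC mapping as carried in a Map-Reply."""
    eid_prefix: ipaddress.IPv4Network
    locators: list   # list of (rloc, priority, weight); empty list == negative Map-Reply

    def is_negative(self):
        return not self.locators


class MapSystem:
    """Toy MR/MS holding the registered mapping database (constructed from the lab configs)."""

    def __init__(self, registrations):
        self.db = {ipaddress.ip_network(p): rlocs for p, rlocs in registrations.items()}

    def map_request(self, dst):
        for prefix, rlocs in self.db.items():
            if dst in prefix:
                return Mapping(prefix, list(rlocs))
        # Destination not registered: negative Map-Reply with a calculated non-LISP prefix.
        return Mapping(self._non_lisp_prefix(dst), [])

    def _non_lisp_prefix(self, dst):
        # Shortest prefix that covers dst but overlaps none of the registered EID prefixes.
        for plen in range(0, 33):
            candidate = ipaddress.ip_network(f"{dst}/{plen}", strict=False)
            if not any(candidate.overlaps(registered) for registered in self.db):
                return candidate
        return ipaddress.ip_network(f"{dst}/32")


class ITR:
    """Toy ITR forwarding decision for one LISP site."""

    def __init__(self, local_eid_prefixes, map_system, petr=None):
        self.local = [ipaddress.ip_network(p) for p in local_eid_prefixes]
        self.map_system = map_system
        self.petr = petr          # RLOC of a Proxy ETR for non-LISP destinations, if configured
        self.map_cache = []       # Mapping entries; longest matching prefix wins

    def forward(self, src, dst):
        """Return (action, next_hop_rloc, outer_udp_sport) for one inner packet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. Source is not a registered EID of this site: regular IP routing, no LISP.
        if not any(src in p for p in self.local):
            return ("native", None, None)
        # 2. Map-cache lookup; on a miss, send a Map-Request (UDP dst 4342) and cache the reply.
        mapping = self._lookup(dst)
        if mapping is None:
            mapping = self.map_system.map_request(dst)
            self.map_cache.append(mapping)
        # 3. Negative reply: non-LISP destination, hand the packet to the PETR (or route natively).
        if mapping.is_negative():
            return ("petr", self.petr, None) if self.petr else ("native", None, None)
        # 4. Positive reply: encapsulate to the best locator with an ephemeral outer source port.
        rloc = min(mapping.locators, key=lambda loc: loc[1])[0]   # lowest priority value wins
        sport = 49152 + secrets.randbelow(16384)
        return ("lisp", rloc, sport)

    def _lookup(self, dst):
        hits = [m for m in self.map_cache if dst in m.eid_prefix]
        return max(hits, key=lambda m: m.eid_prefix.prefixlen, default=None)


def build_lab():
    """XTR1's view of the thread's lab; 192.168.123.4 as PETR is a constructed value."""
    ms = MapSystem({
        "192.168.1.0/24": [("192.168.123.1", 10, 10)],
        "192.168.2.0/24": [("192.168.123.2", 10, 10)],
    })
    return ms, ITR(["192.168.1.0/24"], ms, petr="192.168.123.4")


if __name__ == "__main__":
    _, xtr1 = build_lab()
    for src, dst in [("192.168.1.101", "192.168.2.102"),   # LISP site to LISP site
                     ("192.168.1.101", "3.21.157.5"),      # EID to a non-LISP destination
                     ("192.168.123.1", "3.21.157.5")]:     # RLOC-space source, not an EID
        print(f"{src} -> {dst}: {xtr1.forward(src, dst)}")
    for m in xtr1.map_cache:
        print("map-cache:", m.eid_prefix, m.locators or "negative (non-LISP prefix)")
```

The second packet to 192.168.2.102 is served from the map-cache without another Map-Request, and the negative entry 0.0.0.0/1 installed for 3.21.157.5 also covers later destinations such as 10.0.0.1, which is exactly why the non-LISP prefix is kept as short as possible.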

Hi Rene and team.
I am confused about the MS device. If it has 2 entries in the mapping database with the same EID, how could the MS know exactly which ETR to forward the Map-Request to?
Is it related to the Instance ID in the LISP header sent by the ITR?

Hello Kien

You may have two entries with the same EID, but no two entries will have both the same EID and RLOC. It is the combination of both pieces of information that make the mapping unique.

I understand that the “EID-to-RLOC mapping” terminology can be confusing, because it seems to indicate that you ask for one component to receive the other, like you would with a DNS mapping between domain name and IP. But here, the term “EID-to-RLOC mapping” is the name of the unique entity found within the MS which is sent as a whole in the Map-Reply.

I hope this has been helpful!

Laz

1 Like

Hi Rene,
The configuration doesn’t seem very complicated, but it seems like you have defined the EID entries statically on the MR/MS - what does that mean?
Would you have to configure 2 million prefixes statically if the whole Internet worked with LISP? (well, maybe not 2 million, but dozens of prefixes).

BTW, I assume that Proxy LISP depends on BGP NLRI where the prefix equals the EID and the next-hop equals the RLOC.
In such a case, would it be right to assume that all of the ASBR routers should be configured as ITR and ETR in the LISP network? (not a LISP site but the whole LISP domain, including all of its sites and the MR/MS).

Thank you very much, this was a great lesson and very helpful!

Hello Nitay

That’s a very good question, and its answer tells us a little bit more about the purpose of LISP and how it is implemented and who actually implements it. LISP is not meant to reduce the size of all of the BGP routing tables on the Internet, but is designed to work in a multi-homing environment and supports communications between LISP and non-LISP sites for interworking. The LISP components, including the MS/MR are in most cases configured and maintained by the enterprise that owns the multiple interconnected multihomed sites. As such, the EID entries in the MS/MR are indeed statically configured, but they include only those associated with the particular enterprise involved. Now having said that, you can use the following command under the router lisp site configuration:

eid-prefix 192.168.0.0/16 accept-more-specifics

This will allow the MS/MR to accept requests from any EID prefix that is found within the range of addresses shown by the prefix, rather than specifically configured prefixes. This can simplify your configuration, but it may also present a security risk, as your MS/MR may be accessible as it will be connected to the Internet at large.

That’s not quite the case. In the event that you use a PETR, the actual EID of the PETR will be configured in the ITR. It will indeed use BGP to reach it, but the next-hop will not be the RLOC. (In the diagram the next hop is the RLOC, but that’s only because the ITR and PETR are directly connected. In a real-world scenario, these would be connected over the Internet over multiple hops).

The term ASBR is a term used for OSPF, but I understand that you mean the routers bordering the LISP sites and the RLOC space. Yes, all such routers will be either an ITR or an ETR. What role they will play depends upon the direction of traffic. In one direction, a particular router will play the role of the ITR, while in the other direction of traffic flow, it will be an ETR. This is not only best practice, but necessary for LISP to function.

I hope this has been helpful!

Laz
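Laz's answer above hinges on two things the MS checks before it accepts a registration: the site's authentication key, and whether the registered EID prefix is one the site is allowed to claim (exact prefix, or anything under a prefix marked accept-more-specifics). The Python below is an added example, not code from the lesson or from Cisco IOS, that models both checks with the site names, key and prefixes from the configs posted earlier in the thread. The authenticated bytes are a constructed canonical string, not the RFC 6833 Map-Register wire format, and HMAC-SHA-256 stands in for whatever algorithm the platform negotiates.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class SiteConfig:
    """Mirrors 'site <name>' under 'router lisp' on the MS: key plus allowed EID prefixes."""
    name: str
    authentication_key: bytes
    eid_prefixes: list   # list of (IPv4Network, accept_more_specifics: bool)


def register_bytes(site_name, eid_prefix, rloc):
    """Canonical bytes that ETR and MS both authenticate (constructed, not the wire format)."""
    return f"{site_name}|{eid_prefix}|{rloc}".encode()


def sign_register(key, site_name, eid_prefix, rloc):
    """ETR side: HMAC over the registration using the site's authentication-key."""
    return hmac.new(key, register_bytes(site_name, eid_prefix, rloc), hashlib.sha256).digest()


class MapServer:
    def __init__(self, sites):
        self.sites = {s.name: s for s in sites}
        self.db = {}   # mapping database: IPv4Network -> RLOC

    def map_register(self, site_name, eid_prefix, rloc, auth_data):
        """MS side: accept the registration only if the key validates AND the prefix is allowed."""
        site = self.sites.get(site_name)
        if site is None:
            return "REJECT: unknown site"
        expected = sign_register(site.authentication_key, site_name, eid_prefix, rloc)
        if not hmac.compare_digest(expected, auth_data):
            return "REJECT: authentication failed"
        prefix = ipaddress.ip_network(eid_prefix)
        for configured, more_specifics in site.eid_prefixes:
            # Exact match always; a longer prefix only when accept-more-specifics is set.
            if prefix == configured or (more_specifics and prefix.subnet_of(configured)):
                self.db[prefix] = rloc
                return "ACCEPT"
        return "REJECT: EID prefix not configured for site"


def build_lab_ms(site1_prefix="192.168.1.0/24", site1_more_specifics=False):
    """MR-MS from the thread's configs; SITE1 can be widened to e.g. 192.168.0.0/16 accept-more-specifics."""
    key = b"MY_SECRET"
    return MapServer([
        SiteConfig("SITE1", key, [(ipaddress.ip_network(site1_prefix), site1_more_specifics)]),
        SiteConfig("SITE2", key, [(ipaddress.ip_network("192.168.2.0/24"), False)]),
    ])


if __name__ == "__main__":
    key = b"MY_SECRET"
    ms = build_lab_ms()
    for site, prefix, rloc, k in [("SITE1", "192.168.1.0/24", "192.168.123.1", key),
                                  ("SITE1", "192.168.1.0/24", "192.168.123.1", b"WRONG"),
                                  ("SITE1", "192.168.2.0/24", "192.168.123.9", key),
                                  ("SITE1", "192.168.1.128/25", "192.168.123.1", key)]:
        print(site, prefix, rloc, "->", ms.map_register(site, prefix, rloc, sign_register(k, site, prefix, rloc)))
    wide = build_lab_ms("192.168.0.0/16", True)
    print("accept-more-specifics:", wide.map_register("SITE1", "192.168.1.128/25", "192.168.123.1",
                                                      sign_register(key, "SITE1", "192.168.1.128/25", "192.168.123.1")))
```

Because both sites in the lab share the key MY_SECRET, the key alone does not tell the MS which prefixes a registering ETR may claim; the third case shows a correctly signed registration for SITE2's prefix under SITE1 being refused by the per-site prefix list. With accept-more-specifics that list is the only thing bounding what gets into the database, which is the trade-off Laz describes.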

Hello, Thank you for clear explanation.
I have two questions. Rene says in the lesson that;
“The source port is selected by the ITR to prevent traffic from one LISP site to another LISP site to take the same path if you have equal-cost multipath (ECMP) links to the destination. Different source ports prevent polarization. The destination port is 4341.”
According to the CEF polarization lesson, the default load sharing algorithm is Original.
So, should the CEF load sharing algorithm be manually set to the L4 algorithm on ITRs to use the source UDP port?
My second question is more generic. How can LISP be used in SD-Access? As I understand it, in an SD-Access environment the control plane uses VXLAN encapsulation and maps MAC-to-VTEP, similar to the LISP mapping that is EID-to-RLOC. How does LISP get a role in an SD-Access environment? Can both LISP and VXLAN be used in SDA together?
Sorry for the long questions, still trying to understand the main concepts… Thank you.

Hello Ike

The polarization that is mentioned here applies only when Layer 4 ports are involved in the load balancing algorithm. As you mention, by default CEF uses the Original algorithm, but if the include-ports option is enabled, then yes, this could cause polarization.

But remember, it’s not only CEF that is involved, but also the inherent routing mechanisms that are used by various routing protocols. As a rule, ECMP causes packets that belong to the same flow (identical source and destination IPs and ports) to be routed over the same link to ensure orderly transmission. This is good for traffic in general but bad for LISP.

The reason that LISP chooses random source ports is so that, regardless of how the underlying routing is configured, ECMP load balancing algorithms that may be in place that are based on source UDP ports will not cause polarization. So you can set the CEF algorithm however you like, knowing that LISP will not be affected.

If you look at the diagrams in the lesson, you will see that LISP functionality only exists in the RLOC space. Everything within the LISP site uses conventional addressing and communication.
As such, LISP resides within what can be loosely classified as “WAN technologies”. In this way, LISP can belong to the SD-WAN realm. Conversely, SD-Access belongs generally to the “LAN realm”. So in this topology, SD-Access implementations would exist within the LISP Site, while LISP exists to simply interconnect those LISP sites. So LISP and SD-Access wouldn’t interact directly but would interconnect at the ITR and ETR.

I hope this has been helpful!

Laz

Thank you very much Laz for clarification.

1 Like
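The interaction Ike and Laz discuss above is easy to see by simulating a per-hop ECMP hash over the outer headers. Every packet between XTR1 and XTR2 carries the same outer source and destination RLOC, protocol UDP and destination port 4341, so the only outer field that can differ from one inner flow to the next is the UDP source port the ITR chooses. The Python below is an added example written for this thread, not code from the lesson or any Cisco platform: SHA-256 stands in for the hardware hash, the "Original" and "include-ports" behaviours are modelled as hashing L3-only versus L3+L4 fields, and the source port is derived from the inner 5-tuple (a constructed choice so that each inner flow keeps a stable port; a random choice spreads flows the same way).

```python
import hashlib

# Outer (RLOC) header fields shared by every packet between the two lab sites.
RLOC_SRC, RLOC_DST = "192.168.123.1", "192.168.123.2"
LISP_DATA_PORT = 4341
UDP = 17


def ecmp_link(src_ip, dst_ip, proto, sport, dport, n_links, include_ports):
    """Choose one of n_links equal-cost links from a flow hash.
    include_ports=False models the L3-only 'Original' algorithm; True adds the L4 ports.
    SHA-256 is a stand-in for the platform hash (constructed for this example)."""
    fields = [src_ip, dst_ip, str(proto)]
    if include_ports:
        fields += [str(sport), str(dport)]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def lisp_outer_sport(inner_src, inner_dst, inner_sport, inner_dport):
    """ITR's choice of outer UDP source port: a hash of the inner 5-tuple so one inner
    flow always maps to the same outer port (choice made for this example)."""
    digest = hashlib.sha256(f"{inner_src}:{inner_sport}>{inner_dst}:{inner_dport}".encode()).digest()
    return 49152 + int.from_bytes(digest[:2], "big") % 16384


def spread(flows, n_links, include_ports, vary_source_port):
    """Count how many inner flows land on each link of an n_links ECMP bundle."""
    counts = [0] * n_links
    for inner_src, inner_dst, sp, dp in flows:
        sport = lisp_outer_sport(inner_src, inner_dst, sp, dp) if vary_source_port else LISP_DATA_PORT
        link = ecmp_link(RLOC_SRC, RLOC_DST, UDP, sport, LISP_DATA_PORT, n_links, include_ports)
        counts[link] += 1
    return counts


def sample_flows(n=64):
    """Constructed inner flows: n clients in 192.168.1.0/24 each talking to H2 on TCP 443."""
    return [(f"192.168.1.{10 + i}", "192.168.2.102", 40000 + i, 443) for i in range(n)]


def links_used(counts):
    return sum(1 for c in counts if c)


if __name__ == "__main__":
    flows = sample_flows()
    for include_ports, vary in [(False, True), (True, False), (True, True)]:
        counts = spread(flows, 4, include_ports, vary)
        print(f"include-ports={include_ports!s:5} varying sport={vary!s:5} -> per-link {counts}, "
              f"{links_used(counts)} of 4 links used")
```

The first two runs put all 64 inner flows on a single link: with an L3-only hash the outer source port is never looked at, and with an L4 hash but a fixed outer port every packet still hashes identically. Only the third run, L4 hashing plus the ITR varying the source port, spreads the encapsulated traffic, which is why the ITR's port choice matters at whichever hop along the path does include ports in its hash.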

Hi,

I have a question about the following statement:

The instance ID is a unique identifier, which keeps prefixes apart when you have overlapping (private) EID addresses in your LISP sites.

Does that mean that you can have multiple sites with the same subnet, each having a unique ID? And can the hosts all communicate with each other?

And is that ID included in the Map-Register and Map-Reply?

After asking the above questions I read this:

Which basically says that the LISP ID is tied to a VRF on a router, thereby keeping data separate at sites, almost like a tag in 802.1q trunk. Is my understanding correct?

Thanks,

Sam