virtualizace podnikové sítě -...

© 2011 Cisco and/or its affiliates. All rights reserved. 1

Virtualizace podnikové sítě

Miroslav [email protected]

16.02. 2012


• Why Virtualize your Network Infrastructure

• What are the Virtualization Components

• How can you Deploy Network Virtualization

• MPLS VPN

• VRF-lite

or

• Recent Cisco Innovations in Virtualization

• Easy Virtual Network (EVN)

• Locator/ID Separation Protocol (LISP)


Guest Access

Virtual Network

Creates Logical Partitions

• Allows the use of unique security policies per logical domain

• Provides traffic isolation per application, group, service etc…

• The logical separation of traffic using one physical infrastructure

Virtual Private Network

Actual Physical Infrastructure

Virtual Network

Merged Company

Virtual Network

Isolated Service(s)


• Cost Reduction

Allowing a single physical network the ability to support multiple users and virtual networks

• Groups and services are logically separated

Guest/partner access

Department separation

Telephony systems

Building control and video surveillance

• Security Policies are unique to each virtual group/service

PCI compliance


Key Building Blocks

Access Control Path Isolation Services Edge

WAN – MAN – Campus

Functions

Branch – Campus Data Center – Internet Edge

VRFs

GRE MPLS

Authenticate client (user, device, app) attempting to gain network access

Authorize client into a partition (VLAN/VPN)

Deny access to unauthenticated clients

Maintain traffic partitioned over shared Layer 2/3 infrastructure

Map Layer 3 isolated path to VLANs / VRFs in access and services edge

Provide access to services

Shared

Dedicated

Apply policy per partition

Isolate application environments if necessary

Service

IP MPLS

802.1q

Internet

Data

Center


Device Virtualization

“Virtualizing” the Routing and Forwarding of the Device

One physical device

Switch

Router

Firewall

Etc…

VLAN

VRF: Virtual Routing and Forwarding

VDC (Virtual Device Context)

VRF

VRF

VRF


Data Path Virtualization

Hop-by-Hop

VRF-Lite End-to-End EVN (Easy Virtual Network)

802.1q for Separation

Multi-Hop

VRF-Lite + GREGRE for Separation

LISP

Multi-Hop

MPLS-VPNMPLS Labels for Separation

Extending and Maintaining the “Virtualized” Devices over Any Media


• Layer 3 or Layer 2 VPN/Segmentation using Labels

L3 MPLS VPN (RFC 2547bis)

L2 VPN: VPLS or EoMPLS

• Provides Any-to-Any connectivity

• QoS Capabilities

• IP Multicast (per VPN/VRF)

• Transport of IPv6 over an IPv4

SP L2

Service

MPLS

LAN/MAN

MPLS

Enabled

Links

E-P

E-PE

E-PE E-PE

E-PE

Remote

Branches

RR RR


PE

VPN Backbone IGP

MP-iBGP – VPNv4

Label Exchange

PE

P P

P P

Configuration Example (IOS)

VRF Blue

VRF Green

EBGP, OSPF, RIPv2, Static

CE

CE

VPN 1

VPN 2

! PE router

router bgp 65100

neighbor 192.168.100.4 remote-as 65100

!

address-family vpnv4

neighbor 192.168.100.4 activate

neighbor 192.168.100.4 send-community extended

exit-address-family

!

address-family ipv4 vrf blue



exit-address-family

!

address-family ipv4 vrf green



exit-address-family

! PE Router – Multiple VRFs

ip vrf blue

rd 65100:10

route-target import 65100:10

route-target export 65100:10

ip vrf green

rd 65100:20



!

interface GigabitEthernet0/1.10

ip vrf forwarding blue

interface GigabitEthernet0/1.20

ip vrf forwarding green

VRF Configuration (PE) MP-iBGP Configuration (PE)


Summary

• Large-scale VRF’s solution

• Leverages standard based L2 transports (no overlay)

• Allows full deployment of MPLS services

L2 VPN, QoS, Multicast, IPv6, MPLS TE, TE-FRR

• Offers tight control for QoS Service Level requirements

• Offers rapid deployment for virtualization “turn up”

• Extremely scalable but requires a higher level of Operational

expertise


• Not all networks are MPLS

Enterprise wants to turn on their own MPLS VPN service (on their “CE”) while using an SP managed MPLS VPN service

SP not offering a “Carrier Supporting Carrier” service for buildingenterprise own MPLS VPN service

• IP Only Transit Option Between MPLS Islands (i.e. networks)

Core/transit network not owned by Enterprise, and IP transport is only option

Source/Destination Network “islands” are IP only

IP VPN Service from SP is only offering available


MPLS VPN over DMVPN

• DMVPN is a Cisco IOS Software solution for building IPSec + GRE VPNs in an easy, dynamic and scalable manner

• Relies on two proven technologies

Next Hop Resolution Protocol (NHRP) (RFC 2332)

Creates a distributed (NHRP) mapping database of all the spoke’s tunnel to real (public interface) addresses

Multipoint GRE Tunnel Interface

Single GRE interface to support multiple GRE/IPsec tunnels

Simplifies size and complexity of configuration

What Is Dynamic Multipoint VPN?


Data Center/HQ

MPLS VPN over a DMVPN (2547oDMVPN)

P

Remote

Branches

IP

Transport

Shared

VRF

Campus

RR

C-PE

C-PE

C-PE

VRF-Lite or

MPLS

VPN in

Campus

Branch LAN

802.1q Trunk

Physical Cable

MPLS/LDP

and VPNv4

over mGRE Tunnel

• Hub acts as a “P” router

• Spokes act as a “PE” router

• IGP and LDP is running over the entire MPLS network

• Leverages NHRP for dynamic tunnel endpoint discovery

• Data path for spoke-to-spoke traffic transits the Hub (“P” function)

• Data traffic can be easily encrypted

• Multicast replication is done at the Hub (even is source is at spoke)

Internet

Single mGRE

Tunnel Running

LDP


Data Center/HQ

MPLS VPNs over Multipoint GRE Using BGP for End Point Discovery

• Leverages SP IP transport while

overlaying self deployed MPLS VPN

• Leverages multipoint GRE (mGRE)

• No LDP and NHRP required

• BGP replaces LDP and NHRP

• Offers dynamic Tunnel Endpoint

Discovery via BGP

• Dynamic spoke-to-spoke access

PE

Remote

Branches

IP

Transport

Shared

VRF

Campus

Internet

RR

C-PE

C-PE

C-PE

VPNv4 Label

over mGRE Encapsulation

VRF-Lite or

MPLS

VPN in

Campus

Multipoint

GRE

Interface

Branch LAN

802.1q Trunk

Physical Cable


Feature Components

• mGRE is a multipoint bi-directional GRE tunnel

• Control Plane is based on RFC 4364 using MP-BGP

Signaling VPNv4 routes, VPN labels, and tunnel endpoints

• VPNv4 label and VPN payload is carried in mGRE tunnel encap

• New encapsulation profile in CLI offers dynamic endpoint discovery:

(1) Sets IP encapsulation for next-hop, (2) Installs Rx prefixes to tunnel

• Solution does NOT require manual GRE interfaces or the configuration of LDP on

any interface(s)

IP

Service

PE1

PE2PE3

PE4

PE5PE6

172.16.255.4

172.16.255.3172.16.255.2

172.16.255.1

172.16.255.5172.16.255.6

Multipoint

GRE Tunnel (mGRE)1

1

2

mGRE Encapsulation of

VPNv4 Label + VPN Payload3

Tunnel Endpoint

172.16.255.6

172.16.255.5

172.16.255.3

172.16.255.2

172.16.255.1

View for PE 44

3

4

2


eBGP

AS 65000

172.16.1.1

MPLS

Campus/MAN

E-PE

Branch Site

RRE-PE

mGREiBGP

SP Cloud

AS 1

Interface Loopback0

ip address 10.100.1.201 255.255.255.255

router bgp 65000

no bgp default ipv4-unicast

bgp log-neighbor-changes


neighbor 10.100.1.204 update-source Loopback0


neighbor 172.16.1.1 update-source Ethernet0/0

!

address-family ipv4

no synchronization

redistribute connected metric 1


no auto-summary

exit-address-family

!



neighbor 10.100.1.204 send-community both

neighbor 10.100.1.204 route-map mgre_v4 in

exit-address-family

eBGP Peer to SP

Address Family for eBGP to SP

iBGP Peer for MP-BGP (VPNv4)

Address Family for MPLS-VPN

over IP (i-BGP)

Configuration Example


interface Loopback0

ip address 10.0.0.4 255.255.255.255

!

l3vpn encapsulation ip Vegas

transport ipv4 source Loopback0

!

router bgp 100

. . .



neighbor 10.0.0.1 send-community extended

neighbor 10.0.0.1 route-map next-hop-TED in

exit-address-family

. . .

!

route-map next-hop-TED permit 10

set ip next-hop encapsulate l3vpn Vegas

Configuration Example

CE2PE1 PE4

eBGP eBGP

IPv4 Cloud

Lo0: 10.0.0.1Lo0: 10.0.0.4

Target Address

mGRE

Apply Route-Map to Received

Advertisement from Remote iBGP

Neighbor

Sets mGRE Encapsulation

“Profile” for BGP Next-Hop

Use IP Encap (GRE) for Next-Hop

and Install Prefix in VPN Table as

Connected Tunnel Interface

CE1

10.0.9.9

Example for PE4


Summary and Configuration Notes

• Leverages SP IP transport while overlaying self deployed MPLS VPN

• Solution leverages standard MP-BGP control plane (RFC 4364)

• Tunnel endpoint discovery is done via i-BGP

• E-BGP can/is still used for route exchange with the SP

• Solution does not requires GRE tunnel configuration or LDP

• Supports multicast VPN and IPv6 per MPLS VPN model (MDT and

6vPE respectfully)

• Supports IPSec for PE-PE encryption (GET VPN or manual SA)

Branch LAN

VPNv4 Label

over mGRE Encapsulation


LAN/WAN

VRF

VRF

VRF

Per VRF:Virtual Routing TableVirtual Forwarding Table

VRF

VRF

VRF

802.1q, DLCI, VPI/VCI, GRE

• Leverages “Virtual” encapsulation for separation:

• Ethernet/802.1Q in campus LAN, ATM or Frame Realy PVCs in

WAN

• Frame Relay encapsulation can be used to virtualize a leased line

• The routing protocol is also “VRF aware”

• EIGRP, OSPF, BGP, RIP/v2, static (per VFR)

• Layer 3 VRF interfaces cannot belong to more than a single VRF


VRF-Lite Subinterface Config

ip vrf red

!

ip vrf green

!

interface TenGigabitEthernet1/1

ip address 10.122.5.1 255.255.255.252

ip pim query-interval 1

ip pim sparse-mode

!

interface TenGigabitEthernet1/1.101

description Subinterface for Red VRF

encapsulation dot1Q 101

ip vrf forwarding red

ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode

!


description Subinterface for green VRF



ip address 10.122.5.1 255.255.255.252


ip pim sparse-mode

ip vrf red

!

ip vrf green

!


ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

!


description Subinterface for red VRF


ip vrf forwarding red

ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode

!


description Subinterface for green VRF



ip address 10.122.5.2 255.255.255.252


ip pim sparse-mode


OSPF Examplerouter ospf 1

network 10.0.0.0 0.255.255.255 area 0

passive-interface default

no passive-interface vlan 2000

!

router ospf 100 vrf green

network 11.0.0.0 0.255.255.255 area 0


!

router ospf 200 vrf red

network 12.0.0.0 0.255.255.255 area 0


router eigrp 100

network 10.0.0.0 0.255.255.255

passive-interface default


no auto-summary

!

address-family ipv4 vrf green autonomous-system 100

network 11.0.0.0 0.255.255.255

no auto-summary

exit-address-family

!

address-family ipv4 vrf red autonomous-system 100

network 12.0.0.0 0.255.255.255

no auto-summary

exit-address-family

EIGRP Example


• Leverages VRF in router (RIB/FIB, interface) and “virtual”

encapsulation on interface for segmentation

• No MPLS, LDP, or BGP required

• Easy implementation in campus architecture

• Optimal solution when VRF count is small (~ <8)

• Provisioning challenges in large campus networks

• Supports multicast and QoS solutions

Sub Interface per

VRF Branch LAN


IGP per VRF

IGP per VRF

IPv4

Service

Branch Site

Multi-

VRF CE

IGP per VRF

BGP/Static BGP/Static

Enterprise Routing

Routing to SP

mGRE Tunnel

per VRF Data Center/HQ

PE

Shared

VRF

Internet Campus

VRF-Lite or

VPNv4 to

Campus

VRF-Lite or MPLS

VPN in PE

• Each VRF uses a unique GRE tunnel

• GRE tunnel interface is “VRF aware”

• Routing protocol process created per VRF (each end)

• Offers virtualized segmentation within a single interface

VRF-Lite over GRE


IP

Transport

Branch Site

VRF-Lite or

VPNv4 to

Campus

Data Center/HQ

PE

Shared

VRF

Internet

VRF-Lite or MPLS

VPN in PE

Campus

DC/HQ ConfigurationBranch Configuration

interface Loopback100

ip address 172.16.100.50 255.255.255.255

!

interface Tunnel100

Description GRE to PE router 201


ip address 11.1.0.2 255.255.255.0

tunnel source Loopback100

tunnel destination 172.16.100.10

!

interface Ethernet0/0

ip address 172.16.5.2 255.255.255.0

!

router eigrp 1

!

address-family ipv4 vrf blue autonomous-system 1

network 11.0.0.0

no auto-summary

exit-address-family

no auto-summary

interface Loopback100

ip address 172.16.100.10 255.255.255.255

!

interface Tunnel100

Description GRE to PE router 201


ip address 11.1.0.1 255.255.255.0



!

interface Ethernet0/0

ip address 172.16.6.2 255.255.255.0

!

router eigrp 1

!

address-family ipv4 vrf blue autonomous-system 1

network 11.0.0.0

no auto-summary

exit-address-family

no auto-summary

11.1.0.x

Physical: 172.16.5.2 (E0/0)

Lo0: 172.16.100.50

Manually Configured Tunnelip vrf blue

rd 2:2

VRF

Command

Applied per

GRE Tunnel

Prefix Advertised to SP


Data Center/HQ• Allows virtualization over DMVPN

framework

• A Multipoint GRE (mGRE) interface is

enabled per VRF (1:1)

• Solution allows spoke-to-spoke data

forwarding per VRF

• Unique RIB, FIB, and mGRE interface

per VRF

• Routing to the provider is based on the

“global” address space

• Each VRF uses a unique network ID for

each NHRP server

VRF-Lite or

MPLS

VPN in

CampusPE

Remote

Branches

Multi-

VRF CE

Multipoint

GRE Tunnel

per VRF

IP

Transport

Branch LAN

Shared

VRF

Campus

C-PE

C-PE

C-PE

Internet

GRE Tunnel per

VRF


IGP per VRF

IGP per VRF

IPv4

ServiceBranch Site

IGP per VRF

BGP/Static BGP/Static

Enterprise Routing

Routing to SP

Multipoint GRE per VRF

• Unique RIB, FIB, and mGRE interface per VRF

• Routing to the provider is based on the “global” address space

• Each VRF uses a unique network ID for each NHRP server

Per-VRF

NHRP

Server

mGRE Tunnel


PE

Shared

VRF

Internet

VRF-Lite or MPLS

VPN in Campus

CampusBranch Site

mGRE Tunnel

per VRF

mGRE Tunnel

per VRF

Tunnels Are

Multipoint


IP

Transport

Branch Site

Multi-

VRF CE

Config Example (IOS)

Per-VRF

NHRP

Server

mGRE Tunnel


PE

Shared

VRF

Internet

VRF-Lite or MPLS

VPN in Campus

Campus

Hub Configuration

ip vrf blue

!

interface Loopback0

ip address 10.126.100.1 255.255.255.255

!

interface Tunnel0

description mGRE for blue


ip address 11.1.1.1 255.255.255.0

no ip redirects

ip nhrp map multicast dynamic

ip nhrp network-id 100


tunnel mode gre multipoint

ip vrf blue

!

interface Loopback0

ip add 10.123.100.1 255.255.255.255

!

interface Tunnel0

description GRE to hub


ip address 11.1.1.10 255.255.255.0


ip nhrp nhs 11.1.1.1



!

interface Vlan10

description blue Subnet


ip address 11.1.100.1 255.255.255.0

Spoke Configuration

Unique “network-id” Parameter per

VRF

Branch SitemGRE Tunnel

per VRF


IP

Transport

Branch Site

Multi-

VRF CE

Config Example (IOS)

Per-VRF

NHRP

Server

mGRE Tunnel


PE

Shared

VRF

Internet

VRF-Lite or MPLS

VPN in Campus

Campus

Hub Configuration

ip vrf blue

!

interface Loopback0

ip address 10.126.100.1 255.255.255.255

!

interface Tunnel0

description mGRE for blue


ip address 11.1.1.1 255.255.255.0

no ip redirects





ip vrf blue

!

interface Loopback0

ip add 10.123.100.1 255.255.255.255

!

interface Tunnel0



ip address 11.1.1.10 255.255.255.0





!

interface Vlan10

description blue Subnet


ip address 11.1.100.1 255.255.255.0

Spoke Configuration

ip vrf Green

!

interface Loopback1

ip add 10.123.101.1 255.255.255.255

!

interface Tunnel1


ip vrf forwarding Green

ip address 11.1.2.10 255.255.255.0





!

interface Vlan10

description Green Subnet


ip address 11.1.101.1 255.255.255.0

ip vrf Green

!

interface Loopback1

ip address 10.126.101.1 255.255.255.255

!

interface Tunnel1

description mGRE for Green


ip address 11.1.2.1 255.255.255.0

no ip redirects





Branch SitemGRE Tunnel

per VRF


Summary • Leverages VRF in router (RIB/FIB, interface) and interface for

segmentation


• Optimal solution when VRF count is small (~ <8)

• Recommended for hub-and-spoke requirements

• Ideal solution when spoke-to-spoke traffic patterns are required (bypass

Hub), per VRF

• Redundant Hub configurations can also be added for high availability

• Multicast is supported, but must traverse hub (traffic pattern is source

hub spoke)

• Tunnels in different VRF’s cannot share the same source address

Branch LAN

Multipoint GRE

Tunnel per VRF

over DMVPN


VRF

VRF

VRF

Per VRF:Virtual Routing TableVirtual Forwarding Table

VRF

VRF

VRF

Offers a dynamic way to configure the “VNET trunk” between two

devices for carrying multiple VRF’s instead of 802.1q subinterfaces

EVN, like VRF-Lite, still leverages:

VRF aware routing (RIB) and forwarding (FIB)

VRF aware routing protocol processes (EIGRP, OSPF, BGP, RIPv2, static)

Simplifies route replication configuration where a “shared” VRF is

required (vs. complex BGP import/export)

VNET Trunk


VRF-Lite Subinterface Config


ip address 10.122.5.31 255.255.255.254

ip pim query-interval 333 msec

ip pim sparse-mode

logging event link-status


description Subinterface for Red VRF


ip vrf forwarding Red

ip address 10.122.5.31 255.255.255.254


ip pim sparse-mode

logging event subif-link-status


description Subinterface for Green VRF



ip address 10.122.5.31 255.255.255.254


ip pim sparse-mode


VNET Trunk Config


vnet trunk

ip address 10.122.5.32 255.255.255.254


ip pim sparse-mode


Global Config:vrf definition red

vnet tag 101

vrf definition green

vnet tag 102

Both Routers Have VRFs Defined

VNET Router Has Tags

ip vrf red

rd 101:101

ip vrf green

rd 102:102


Campus Core

Layer 2 Trunks

VLAN 21 Red

VLAN 22 Green

VLAN 23 Blue

VLAN 31 Red

VLAN 32 Green

VLAN 33 Blue

g1/0

g1/1interface vlan 21

vrf forwarding red

interface vlan 22

vrf forwarding green

interface vlan 23

vrf forwarding blue

interface vlan 31

vrf forwarding red

interface vlan 32

vrf forwarding green

interface vlan 33

vrf forwarding blue

SiSi SiSiLayer 3

Layer 2

vrf definition red

vnet tag 101

vrf definition green

vnet tag 102

vrf definition blue

vnet tag 103

interface g1/0

vnet trunk


VRF-Lite Subinterfaces EVN (VNET) Trunks


description 10GE to core 3


ip vrf forwarding Red

ip address 10.122.5.31 255.255.255.254


ip pim sparse-mode






ip address 10.122.5.31 255.255.255.254


ip pim sparse-mode




vnet trunk

ip address 10.122.5.31 255.255.255.254


ip pim sparse-mode


1 Point-to-Point

Subinterface Configuration,

per VRF per Physical

Interfaces

1 Point-to-Point Trunk

Configuration per

Physical Interface

Virtual

NetworksNeighbors

VRF

Subinterfaces

VNET

Trunks

4 4 16 4

10 4 40 4

20 4 80 4

30 4 120 4


R2

R3

Yellow VRF

Green VRF

Red VRF

Green VRF

Red VRF

Yellow VRF

Red VRF

R1

R6

R4 R5

R7

vrf list group-a

member red

member yellow

interface g1/0

vnet trunk vrf-list group-a

vrf list group-b

member red

member green

interface g2/0

vnet trunk vrf-list group-bGroup B

Group A

VRF lists can filter

traffic carried over

VNET trunks


Services that you don’t want to duplicate:

Internet Gateway

Firewall and NAT - DMZ

DNS

DHCP

Corporate Communications - Hosted Content

Requires IP Connectivity between VRFs

This Is Usually Accomplished Through Some Type of Extranet Capability:

Leverage the BGP route-target mechanism for route leaking

Deployment of a fusion router


Before: Sharing Services in

Existing Technologies

Route-Replication Advantage:

• No BGP required

• No Route Distinguisher required

• No Route Targets required

• No Import/Export required

• Simple Deployment

• Supports both Unicast/Mcast

vrf definition SHARED

address-family ipv4

route-replicate from vrf RED unicast all route-map red-map

route-replicate from vrf GREEN unicast all route-map grn-map

After: Simple Shared Service Definition

vrf definition RED

address-family ipv4

route-replicate from vrf SHARED unicast all

vrf definition GREEN

address-family ipv4

route-replicate from vrf SHARED unicast all

ip vrf SHARED

rd 3:3




!

ip vrf RED

rd 1:1



!

ip vrf GREEN

rd 2:2



!

router bgp 65001

bgp log-neighbor-changes

!

address-family ipv4 vrf SHARED

redistribute ospf 3

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf RED

redistribute ospf 1

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf GREEN

redistribute ospf 2

no auto-summary

no synchronization

exit-address-family

!


EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGPeBGP

L3VPNoMGREMP-BGP

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRFMPLS-VPN

eBGPeBGP

Multi-VRF

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGPeBGP

LISP

EVN

Yellow VRF

Green VRF

Red VRF

EVN

Yellow VRF

Green VRF

Red VRF

IP Service

eBGPeBGP

DMVPNEncryption

Single VRF

Single VRF

Single VRF

Options


Summary

• Easy integration with VRF-Lite

• Any to any connectivity within VPNs

• LAN (VNET) Trunks

• VLAN-ID reuse

• Significant configuration simplitication

• VRFs are pre-provisioned on Trunk

• Enhanced Troubleshooting and Usability

• Route replication simplifies deployment

• Works with IGPs without any additional protocol

• Supports VRF Global and Global VRF

• Optimal solution for campus LAN/MANs when VRF count

is medium (~ <30)

• Supports multicast and QoS solutions


EID (Endpoint Identifier) is the IP address of a host – just as it is today

RLOC (Routing Locator) is the IP address of the LISP router for the host

Mapping is the distributed architecture that maps EIDs to RLOCs

ITR is Ingress Tunnel Router that receives packets from site-facing interfaces and encap to remote LISP sites

ETR is Egress Tunnel Router that receives packets from core-facing interfaces and decap to deliver packets to local EIDs at site

Prefix Next-hopw.x.y.1 e.f.g.h

x.y.w.2 e.f.g.h

z.q.r.5 e.f.g.h

z.q.r.5 e.f.g.h

Non-LISP

RLOC Space

Mapping

DB

xTR

EID SpacexTR

EID RLOCa.a.a.0/24 w.x.y.1

b.b.b.0/24 x.y.w.2

c.c.c.0/24 z.q.r.5

d.d.0.0/16 z.q.r.5

MS/MR

PxTR

xTR


b.b.b.0/24 x.y.w.2

c.c.c.0/24 z.q.r.5

d.d.0.0/16 z.q.r.5


b.b.b.0/24 x.y.w.2

c.c.c.0/24 z.q.r.5

d.d.0.0/16 z.q.r.5

EID Space


IP Network

West

DC

LISP Site

Legacy Site Legacy Site Legacy Site

East

DC

PxTR

Mapping

DB

24-bit LISP Instance-ID segments control plane and data plane, with VRF binding to the Instance-ID

Very high scale segmentation

IP-based “overlay” solution, transport independent

Mapping DB and LISP Cache on xTRs is “instance ID -aware”

On xTRs use VRFs as map cache contexts


IPv4/IPv4

IPv4

Outer

Header

IPv4

Inner

Header

UDP

LISP

LISP Data packet


hostname Left!ipv6 unicast-routing!vrf definition PURPLEaddress-family ipv4exitaddress-family ipv6exit!vrf definition GOLDaddress-family ipv4exitaddress-family ipv6exit!interface Ethernet0/0ip address 10.0.0.2 255.255.255.0!interface Ethernet1/0.1encapsulation dot1q 101vrf forwarding PURPLEip address 192.168.1.1 255.255.255.0ipv6 address 2001:DB8:A:A::1/64!interface Ethernet1/0.2encapsulation dot1q 102vrf forwarding GOLDip address 192.168.1.1 255.255.255.0ipv6 address 2001:DB8:B:A::1/64!

router lispeid-table vrf PURPLE instance-id 101database-mapping 192.168.1.0/24 10.0.0.2 priority 1 weight 1database-mapping 2001:DB8:A:A::/64 10.0.0.2 priority 1 weight 1 eid-table vrf GOLD instance-id 102database-mapping 192.168.1.0/24 10.0.0.2 priority 1 weight 1database-mapping 2001:DB8:B:A::/64 10.0.0.2 priority 1 weight 1 exit!ipv4 itr map-resolver 10.0.2.2ipv4 itripv4 etr map-server 10.0.2.2 key Left-keyipv4 etripv6 itr map-resolver 10.0.2.2ipv6 itripv6 etr map-server 10.0.2.2 key Left-keyipv6 etrexit!ip route 0.0.0.0 0.0.0.0 10.0.0.1ipv6 route ::/0 Null0


hostname MSMR!interface Ethernet0/0ip address 10.0.2.2 255.255.255.0!router lisp!site Leftauthentication-key Left-keyeid-prefix instance-id 101 192.168.1.0/24eid-prefix instance-id 101 2001:DB8:A:A::/64eid-prefix instance-id 102 192.168.1.0/24eid-prefix instance-id 102 2001:DB8:B:A::/64 exit!site Rightauthentication-key Right-keyeid-prefix instance-id 101 192.168.2.0/24eid-prefix instance-id 101 2001:DB8:A:B::/64eid-prefix instance-id 102 192.168.2.0/24eid-prefix instance-id 102 2001:DB8:B:B::/64 exit!ipv4 map-serveripv4 map-resolveripv6 map-serveripv6 map-resolver exit!ip route 0.0.0.0 0.0.0.0 10.0.2.1

Note: VRF’s are not

required to be defined

on the Map-Sever.

Virtualization in the LISP

control plane is handled

by LISP IIDs.


Summary

• Leverages IP transport while overlaying self

deployed IP VPN

• Any to any connectivity within VPNs


• Offers rapid deployment for virtualization “turn

up”

• Supports IPv4/IPv6 MPLS VPNs

• Extremely scalable


• VRF-Lite is a reasonable solution with <8 VRFs and no MPLS requirements

• EVN is a manageable IP base solution for up to 30 VRFs

• MPLS-VPN is the most scalable way to deploy Network Virtualization >32 VRFs today

• Consider Cisco innovations (EVN, LISP) for simplifying network virtualization

• The ability to transport VRF-Lite and MPLS-VPN over IP allows flexible transport options

• MPLS VPN over mGRE offers simpler, and more scalable, deployment that reduces the need for LDP, manual GRE, and works with GET VPN

• VRF-Lite, EVN, MPLS-VPN and LISP are completely compatible


www.cisco.com/go/networkvirtualization

lisp.cisco.com

http://www.cisco.com/go/networkvirtualization

virtualizace podnikové sítě -...

Documents