Advanced Services. OTV and LISP Design Recommendations. Arnold Ocasio CCIE #8446. Advanced Services. Marco Pessi LISP Technical Marketing. Version 1.

TM Advanced Services OTV and LISP Design Recommendations Version 1.1 Arnold Ocasio – CCIE #8446 Advanced Services Marco Pessi LISP Technical Marketing Corporate Headquarters Cisco 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: Turn the television or radio antenna until the interference stops. Move the equipment to one side or the other of the television or radio. Move the equipment farther away from the television or radio. Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product. The following third-party software may be included with your product and will be subject to the software license agreement: CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright © 1992, 1993 Hewlett-Packard Company. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. Network Time Protocol (NTP). Copyright © 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose. Point-to-Point Protocol. Copyright © 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of the UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981-1988, Regents of the University of California. Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited. Copyright © 1995, Madge Networks Limited. All rights reserved. Xremote is a trademark of Network Computing Devices, Inc. Copyright © 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any purpose. The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVENAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PRACTICAL PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AccessPath, AtmDirector, Browse with Me, CCIP, CCSI, CD-PAC, CiscoLink, the Cisco Powered Network logo, Cisco Networking Academy, the Cisco Networking Academy logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, FrameShare, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, ScriptBuilder, ScriptShare, SMARTnet, TransPath, Voice LAN, Wavelength Router, and WebViewer, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco, Cisco Capital, the Cisco logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, GigaStack, IOS, IP/TV, LightStream, MICA, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0110R). Please refer to http://www.cisco.com/logo/ for the latest information on Cisco logos, branding and trademarks. INTELLECTUAL PROPERTY RIGHTS: THIS DOCUMENT CONTAINS VALUABLE TRADE SECRETS AND CONFIDENTIAL INFORMATION OF CISCO AND IT’S SUPPLIERS, AND SHALL NOT BE DISCLOSED TO ANY PERSON, ORGANIZATION, OR ENTITY UNLESS SUCH DISCLOSURE IS SUBJECT TO THE PROVISIONS OF A WRITTEN NON-DISCLOSURE AND PROPRIETARY RIGHTS AGREEMENT OR INTELLECTUAL PROPERTY LICENSE AGREEMENT APPROVED BY CISCO THE DISTRIBUTION OF THIS DOCUMENT DOES NOT GRANT ANY LICENSE IN OR RIGHTS, IN WHOLE OR IN PART, TO THE CONTENT, THE PRODUCT(S), TECHNOLOGY OF INTELLECTUAL PROPERTY DESCRIBED HEREIN. Proactive Software Recommendation Report Copyright © 2003, Cisco All rights reserved. COMMERCIAL IN CONFIDENCE. A PRINTED COPY OF THIS DOCUMENT IS CONSIDERED UNCONTROLLED. Contents Contents ........................................................................................................................................................... 3 Tables ............................................................................................................................................................... 5 Document Control ........................................................................................................................................... 6 History ......................................................................................................................................................... 6 Review ......................................................................................................................................................... 6 Executive Summary ........................................................................................................................................ 7 Introduction ...................................................................................................................................................... 8 Nexus 7000 OTV and LISP Design ................................................................................................................. 9 Nexus 7000 Line Cards Used For This Design ........................................................................................ 9 Physical & Logical Topology Diagrams ................................................................................................. 11 Prerequisites ............................................................................................................................................. 12 Nexus 7000 OTV Setup ............................................................................................................................ 13 OTV VDC Overview and Configuration ................................................................................................. 13 Step 1. OTV Configuration ............................................................................................................. 13 Step 2. HSRP Filtering ................................................................................................................... 15 Step 3. TACACS+, AAA, and Strong Password Encryption Configuration .................................... 16 Step 4. Aggregation VDC – OTV Support Configuration................................................................ 17 Nexus 7000 LISP Multihop Mobility ESM Setup .................................................................................... 19 LISP Multihop Mobility Extended Subnet Mode (ESM) Overview ......................................................... 19 LISP Multihop Aggregation VDC (FHR) Configuration .......................................................................... 20 Step 1. LISP Configuration ............................................................................................................. 20 Step 2. LISP Extended Intra-Subnets EIGRP Routing Configuration ............................................ 21 Step 3. LISP Intra-Subnets High Availability Configuration ............................................................ 23 LISP IOS-XE Design ...................................................................................................................................... 24 LISP Router Configuration (xTR and MS/MR) ...................................................................................... 24 Appendix A – Nexus LISP and OTV Configurations .................................................................................. 26 Site-A (Left) Aggregation1 VDC ............................................................................................................ 26 Site-A (Left) Aggregation2 VDC ............................................................................................................ 28 Site-B (Right) Aggregation1 VDC .......................................................................................................... 31 Site-B (Right) Aggregation2 VDC .......................................................................................................... 34 Site-A Overlay Transport Virtualization (OTV1) VDC ............................................................................ 36 Site-A Overlay Transport Virtualization (OTV2) VDC ............................................................................ 38 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 3 Contents Appendix B – IOS-XE LISP Configurations ................................................................................................. 41 Site-A ASR Ingress/Egress Tunnel Router + MS/MR ........................................................................... 41 Site-B ASR Ingress/Egress Tunnel Router + MS/MR ........................................................................... 42 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 4 4 Tables Table 1 Revision History 6 Table 2 Revision Review 6 Table 3 Port Numbers for Port Groups on N7K-F248XP-25 10 OTV and LISP Design Recommendations 5 01 October 2014 Company Confidential. A printed copy of this document is considered uncontrolled. Document Control History Table 1 Revision History Version No. Issue Date Status 1.0 09-17-2014 Initial Draft 1.1 09-22-2014 External Version Reason for Change Sanitzed for External Usage Review Table 2 Revision Review Reviewer’s Details Version No. Customer Team 1.0 Marco Pessi – Cisco LISP Technical Lead 1.0 9/16/14 Wade Lehrschal – GGSG Technical Lead 1.0 9/12/14 Justin Poole – Cisco Account SE 1.1 9/22/14 01 October 2014 Date OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 6 6 Executive Summary The customer is in the process of deploying two main data centers that consist of Cisco Nexus 7009 and 7706 chassis. One data center has M2 and F2e line cards while the other will consist of Cisco F3 line cards. Both data centers have Nexus 5596-UP, 6200 Series Fabric Interconnect, Unified Computing Systems (UCS) B Series Chassis, ASR 100x Routers, and NetApp Storage Network Storage Solution. These sites will be part of a distributed data center solution using Nexus features, such as Overlay Transport Virtualization (OTV) and Locator/ID Separation Protocol (LISP). These features empower these data centers with an active/active load balance disaster recovery solution; in which virtualized services and applications are seamlessly available to users. In addition, the customer will have the ability to efficiently move services using VMware vMotion and Microsoft Hyper-V leveraging OTV and LISP. OTV allows the secure extension of Layer 2 connectivity across multiple locations and LISP allows any host to move anywhere in the network while preserving its IP address. This LISP capability allows members of a subnet to be dispersed across many locations without requiring any changes on the hosts and while maintaining optimal routing and scalability in the network. The OTV design proposed on this document applies to all of the customer data centers. It consists of using OTV unicast with two edge devices, one on each Nexus 7000. Since there is only three data centers in the customers DC distributed design, there is no need to use OTV multicast. Furthermore, one or more of the OTV edge devices are designated as an Adjacency Server. Every OTV edge device wishing to join a specific OTV logical overlay, needs to first register with the Adjacency Server. All other OTV neighbor addresses are discovered dynamically through the Adjacency Server. Thereby, when the OTV service needs to be extended to a new DC site, only the OTV edge devices for the new site need to be configured with the Adjacency Server overlay IP addresses. No other sites need additional configuration. The testing of this design anticipated the main data center OTV edge devices being selected as OTV Adjacency Servers. Consequently, the other data centers OTV edge devices would be configured with the overlay interface IP address of the main OTV edge devices, which is configured as primary and secondary OTV Adjacency Servers. Meanwhile, the LISP design would consists of LISP Multihop Mobility Extended Subnet Mode (ESM). Cisco LISP Multihop Mobility ESM is a new feature that separates the LISP dynamic host detection function, called First Hop Router (FHR), from the LISP encapsulation/decapsulation function, called Tunnel Router (xTR), within a LISP topology. This feature is recommended for customers introducing firewalls, load balancers, and layer three devices between LISP xTR and FHR devices. In addition, this feature enables LISP Mobility for customers that do not have Nexus line cards natively supporting LISP encapsulation. This LISP Multihop Mobility Extended Subnet Mode (ESM) design was tested using EIGRP for connectivity between FHRs and xTRs within each data center. Connectivity between data centers (xTR to xTR) was provided thru BGP. Additionally, LISP Multihop Mobility ESM required to establish a routing protocol adjacency between the firsthop routers (FHRs) in different data centers over a dedicated extended VLAN; and redistribute host routes from LISP into the routing protocol for discovered hosts at each data center FHR. LISP and OTV are complementary solutions that will provide the necessary connectivity among distributed data center approach. Essentially, based upon the type of applications supported and the role of the datacenter locations, LISP and OTV would be required to provide the level of location flexibility required from the IP infrastructure. 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 7 Introduction This document is a combined High Level Design (HLD) and Low Level Design (LLD) containing detailed configuration information only on OTV and LISP features that were previously discussed in the Executive Summary section. The majority of the knowledge information on these features come from Cisco website. If additional information is required, comprehensive configuration guides for OTV and LISP are found at Cisco Nexus Configuration Guides. It is assumed that the audience of this document would have a basic knowledge of the features covered on this document, which are OTV/LISP and routing protocols such as EIGRP and BGP. In addition, it is assumed a Cisco Nexus infrastructure has been already deployed with appropriate SVI’s, HSRP, vPC’s, and relevant routing protocols mentioned on this document to support LISP. 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 8 8 Nexus 7000 OTV and LISP Design Nexus 7000 Line Cards Used For This Design Depending on the data center location, the line cards that will be used are model number: N7K-M224XP-23L with the enhanced XL option and N7K-F248XP-25E. These cards are L2/L3 capable and the XL option enables the use of the full forwarding table, which is essential for large-scale deployments. This larger forwarding table can support multiple copies of full routing tables for use in Internet-facing deployments with Virtual Routing and Forwarding (VRF) and Virtual Device Context (VDC) support. In addition, there are no VDC port assignment restrictions for N7K-M224XP-23L, in which ports needs to be shared or dedicated, as with previous M1 line cards. However for N7K-F248XP-25E, layer 2 ports that will be used for connectivity between the Nexus 5500 and Nexus 7000 must be allocated as group of four across different modules. This module has 12 port groups that consist of 4 ports each (4 interfaces x 12 port groups = 48 interfaces). Interfaces that belong to the same port group must belong to the same VDC; see Fig 3. Note that for the main DC, the F2e modules will be used for all layer two connectivity between Aggregation VDC’s, Nexus 5000, and OTV. Similarly, the M2 cards will be used for all layer three connectivity between Aggregation, WAN, and OTV VDC’s. Figure 1: Nexus 7000 N7K-M224XP-23L Line Card Figure 2: Nexus 7000 N7K-F248XP-25E Line Card 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 9 9 Figure 3: Example Interface Allocation for Port Groups on the Cisco Nexus Module N7K-F248XP-25E The table below shows the port numbering for the port groups. Table 3 Port Numbers for Port Groups on N7K-F248XP-25 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 10 10 Physical & Logical Topology Diagrams Figure 1: Physical Data Center Lab Topology Diagram 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 11 11 WAN Cisco ASRs LISP xTR’s + MS/MR Cisco ASRs LISP xTR’s + MS/MR N7K-Left-WAN1 VDC N7K-Left-WAN2 VDC E2/1 E2/13 Nexus 7000 M2 Card in Slot 2 F2e Card in Slot 3 Site B Nexus 7009 M2 Card in Slot 2 F2e Card in Slot 3 Site A E2/2 E2/2 E2/15 E2/3 vPC KA E3/x E3/x Non-vPC Link E3/6 E3/2 E3/4 Non-vPC Link E3/5 E3/6 E3/26 vPC Peer Link E3/21 E3/1 E3/2 E3/24 E3/3 Non-vPC Link E3/23 E3/22 LISP FHR E3/x E3/x Non-vPC Link E2/8 E2/20 E3/25 Po100 E3/5 E3/1 E3/x Po100 E2/8 N7K-Right-Agg2 E2/19 172.18.149.98/24 Mgmt0 VDC E2/18 E2/7 LISP FHR E3/6 E3/x LISP FHR E3/x Po57 E3/x E2/14 vPC KA N7K-Right-Agg1 172.18.149.97/24 E2/6 Mgmt0 VDC E2/19 N7K-Left-Agg2 172.18.149.95/24 Mgmt0 VDC E2/18 Po57 LISP FHR E2/15 E2/3 E2/14 N7K-Left-Agg1 172.18.149.96/24 E2/6 Mgmt0 VDC E2/7 N7K-Right-WAN2 VDC E2/13 N7K-Right-WAN1 VDC E2/1 E3/4 E3/3 E2/20 E3/25 E3/26 vPC Peer Link E3/24 E3/21 E3/23 E3/22 Non-vPC Link Non-vPC Link E2/22 Po 5 5 E3/42 E3/34 E2/11 E3/33 E3/x E3/x E3/41 Po50 N7K-Left-OTV1 VDC E1/3 N7K-Left-OTV2 VDC E1/4 E1/3 6100 FI A E1/5 E1/6 E1/6 E3 E4 E4 Po20 E1/5 6100 FI B 6100 FI A L1 E4 Po30 E1/6 Gigabit Ethernet L2 10 Gigabit Ethernet L2 Fibre Channel or FCoE SAN-B E1/6,8 E4 E5 Po40 FAS2552 SAN 6100 FI B L1 SAN-A SAN-A L2 UCS 5108 UCS 5108 Legend 10 Gigabit Ethernet L3 E1/4 5548UP E1/5,7 E5 1 L2 E1/3 1 FAS2552 SAN E3/x N7K-Right-OTV2 VDC E1/4 Po69 E3 Po10 Po60 E1/3 5548UP SAN-B E3/42 E3/41 N7K-Right-OTV1 VDC 5548UP 1 E1/5 5 E3/34 E1/4 Po69 5548UP Po 5 Po 56 E3/33 E3/x Po 56 E2/11 E2/22 Figure 2: Logical Data Center Lab Topology Prerequisites The following tasks should be completed and all information collected prior to beginning: • Identify M2 and F2e ports that will be configured as OTV L3 join and L2 internal interfaces, as well as extended VLANs and subnets • A plan that shows the Ethernet port allocation per VDC that will connect to the OTV and Aggregation VDCs, as well as a vPC number scheme that will be logical for the network • The example Table below could be used for Nexus 7000 Ethernet port allocation, per Aggregation and OTV VDC M2 and F2e Line Cards Ethernet Port Allocation Line Card Slot # 2 (M2) 3 (F2e) 01 October 2014 Aggregation VDC’s Ethernet Port(s) 8 (Joint Interface) 1,3,21,24 (Internal Interfaces w/vPC’s) Line Card Slot # 2 (M2) 3 (F2e) OTV VDC’s Ethernet Port(s) 11 (Joint Interface) 33,34,41,42 (Internal Interfaces w/vPC’s OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 12 12 1 Nexus 7000 OTV Setup OTV VDC Overview and Configuration For the customer DC deployment, the OTV VDC will provide layer two extension between distributed data centers, and is going to be configured to use redundant Adjacency Servers for other data center OTV neighbors. The main site OTV edge devices are configured as primary and secondary Adjacency Servers respectively. Furthermore, OTV introduces the concept of dynamic encapsulation for Layer 2 flows that need to be sent to remote locations. Each Ethernet frame is individually encapsulated into an IP packet and delivered across the transport network. This eliminates the need to establish virtual circuits, called Pseudowires, between the data center locations. Immediate advantages include improved flexibility when adding or removing sites to the overlay, more optimal bandwidth utilization across the WAN (specifically when the transport infrastructure is multicast enabled), and independence from the transport characteristics (Layer 1, Layer 2 or Layer 3). In this setup, the OTV VDC’s communicates to the Aggregation VDC using a L3 interface known as the Joint Interface, and L2 trunks interfaces better known as Internal Interfaces. The L3 Join Interface is used to source the OTV encapsulated traffic and send it to the L3 domain of the data center network. On the other hand, the Internal Interfaces are used to receive the Layer 2 traffic for all VLANs that need to be extended to data center remote locations. Since the main DC has M2 and F2e line cards, OTV Joint Interface uses an M2 port that connects to the Aggregation VDC, which is also configured with an M2 card assigned port. However, for OTV Internal Interfaces, the F2e line card is used for L2 connectivity toward the OTV VDC. Step 1. OTV Configuration 1. Allocate Ethernet interfaces to the OTV VDC GGSG-AS-N7k-left(config)#vdc OTV1 GGSG-AS-N7k-left(config-vdc)#allocate interface Ethernet 3/33 – 36 GGSG-AS-N7k-left(config-vdc)#allocate interface Ethernet 2/11 2. Switch to OTV1 and configure required OTV extended VLANs and site-vlan GGSG-AS-N7k-left-OTV1(config)# vlan 12 GGSG-AS-N7k-left-OTV1(config-vlan)# name LISP_ESM1 GGSG-AS-N7k-left-OTV1(config)# vlan 15 GGSG-AS-N7k-left-OTV1(config-vlan)# name LISP_ESM2 GGSG-AS-N7k-left-OTV1(config)# vlan 211 GGSG-AS-N7k-left-OTV1(config-vlan)# name Server_Net_One GGSG-AS-N7k-left-OTV1(config)# vlan 214 GGSG-AS-N7k-left-OTV1(config-vlan)# name Server_Net_Two GGSG-AS-N7k-left-OTV1(config)# vlan 996 GGSG-AS-N7k-left-OTV1(config-vlan)# name vMotion GGSG-AS-N7k-left-OTV1(config)# vlan 999 GGSG-AS-N7k-left-OTV1(config-vlan)# name OTV_Site_VLAN GGSG-AS-N7k-left-OTV1(config)# vlan 1005 GGSG-AS-N7k-left-OTV1(config-vlan)# name HyperV_LiveMigration Recommendation: Enable only data VLANs to be extended (VLANs 12,15,211,214,996,1005) and the OTV site-vlan (VLAN 999). 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 13 13 VLANs 12 and 15 are being used to support one of the recommended LISP inter data center connectivity design. In order to properly route traffic between extended VLANs when the source and destination hosts are detected by FHRs at different data centers: Establish a routing protocol adjacency between the first-hop routers (FHRs) in the different data centers over a dedicated extended VLAN. 3. Configure Join Interface (Layer 3 physical interface) GGSG-AS-N7k-left-OTV1(config)# interface Ethernet2/11 GGSG-AS-N7k-left-OTV1(config-if)# description Join Interface to N7k-left AGG e2/8 L3 GGSG-AS-N7k-left-OTV1(config-if)# speed 10000 GGSG-AS-N7k-left-OTV1(config-if)# ip address 192.168.1.2/30 GGSG-AS-N7k-left-OTV1(config-if)# no shutdown 4. Configure Internal Interfaces (Layer 2 trunk interfaces) GGSG-AS-N7k-left-OTV1(config)#feature lacp GGSG-AS-N7k-left-OTV1(config)# int e3/33-34 GGSG-AS-N7k-left-OTV1(config-range)#description OTV to N7k Aggregation VDCs GGSG-AS-N7k-left-OTV1(config-range)#channel-group 55 mode active GGSG-AS-N7k-left-OTV1(config-range)#speed 10000 GGSG-AS-N7k-left-OTV1(config-range)#no shutdown GGSG-AS-N7k-left-OTV1(config)#int po55 GGSG-AS-N7k-left-OTV1(config-if)# description OTV to N7k-right Aggregation GGSG-AS-N7k-left-OTV1(config-if)# switchport GGSG-AS-N7k-left-OTV1(config-if)# switchport mode trunk GGSG-AS-N7k-left-OTV1(config-if)# switchport trunk allowed vlan 211,214,996,999,1005 GGSG-AS-N7k-left-OTV1(config-range)#speed 10000 GGSG-AS-N7k-left-OTV1(config-range)#mtu 9216 5. Configure LISP dedicated extended interfaces GGSG-AS-N7k-left-OTV1(config)# int e3/35 GGSG-AS-N7k-left-OTV1(config-range)# description trunk to Aggr1 for L2 non-vPC GGSG-AS-N7k-left-OTV1(config-range)# switchport mode trunk GGSG-AS-N7k-left-OTV1(config-range)# switchport trunk allowed vlan 12,15 GGSG-AS-N7k-left-OTV1(config-range)#speed 10000 GGSG-AS-N7k-left-OTV1(config-range)#no shutdown Note: The same configuration above must be performed in the left OTV2; however, the port channel number will be 56. 6. Configure Overlay Interface for multicast enabled transport infrastructure. GGSG-AS-N7k-left-OTV1(config)#feature otv GGSG-AS-N7k-left-OTV1(config)#otv site-identifier 0x2 Note: The site identifier must be the same for all OTV edge devices belonging to the same DC site GGSG-AS-N7k-left-OTV1(config)#otv site-vlan 999 GGSG-AS-N7k-left-OTV1(config)#int overlay1 GGSG-AS-N7k-left-OTV1(config-if)# description Overlay to AGG N7k-Left GGSG-AS-N7k-left-OTV1(config-if)#otv join-interface e2/11 GGSG-AS-N7k-left-OTV1(config-if-overlay)# otv adjacency-server unicast-only 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 14 14 GGSG-AS-N7k-left-OTV1(config-if)#otv extend-vlan 12, 15, 211, 214, 996, 1005 GGSG-AS-N7k-left-OTV1(config-if)#no shutdown GGSG-AS-N7k-left-OTV1(config)#ip route 0.0.0.0/0 192.168.1.2 Note: A default static route can be configured to reach the Aggregation VDC or a dynamic routing protocol, such as EIGRP or OSPF. As a side note, the choice of even/odd numbers for data center interconnect VLANs on each FHR should be consistent with how VLAN load balancing is implemented across the redundant OTV VDC, and that is in order to provide shortest path bridging. Recommendations for Site-VLAN: • Use a dedicated VLAN as OTV site VLAN. • Do not extend the OTV site VLAN. • Ensure that the site VLAN is active on the OTV internal interfaces and on the port channel link connecting to the other aggregation layer device. It is critical to enable the site VLAN on multiple internal interfaces, because at least one of these interfaces needs to be always up in order for the OTV Edge Device to be able to forward OTV traffic. • The Site-VLAN must be configured before entering the no shutdown command for any overlay interface and must not be modified while any overlay is up within the site. • Using the same site VLAN at each site is not mandatory, but it could help during debugging and provide protection in case of accidental site merging. • Finally, the site VLAN should always be defined, even in scenarios where a single OTV Edge Device is defined in a given site. Missing the site VLAN definition would not allow the OTV Edge Device to forward OTV encapsulated traffic Step 2. HSRP Filtering To allow the extended VLANs to use their local HSRP gateway, an IP gateway localization technique is used to keep HSRP protocol data units (PDUs) from getting forwarded on the overlay network. This technique uses a combination of VLAN access control lists (VACLs) and OTV MAC route filters in the OTV VDC to block the propagation of HSRP packets between the OTV enabled data centers, and prevent virtual MACs of HSRP gateways from being learned over the OTV overlay interface. Alternatively, port access control lists PACL-based filtering of HSRP packets on the inside interface can also be used for similar results; however, this is outside the scope of this configuration. 1. Configure all VACL Filters: GGSG-AS-N7k-left-OTV1(config)#ip access-list ALL_IPs GGSG-AS-N7k-left-OTV1(config-acl)#10 permit ip any any GGSG-AS-N7k-left-OTV1(config)# mac access-list ALL_MACs GGSG-AS-N7k-left-OTV1(config-mac-acl)#10 permit any any GGSG-AS-N7k-left-OTV1(config-acl)#ip access-list HSRP_IP GGSG-AS-N7k-left-OTV1(config-acl)#10 permit udp any 224.0.0.2/32 eq 1985 GGSG-AS-N7k-left-OTV1(config-acl)#20 permit udp any 224.0.0.102/32 eq 1985 GGSG-AS-N7k-left-OTV1(config)#mac access-list HSRP_VMAC GGSG-AS-N7k-left-OTV1(config-mac-acl)# 10 permit 0000.0c07.ac00 0000.0000.00ff any GGSG-AS-N7k-left-OTV1(config-mac-acl)# 20 permit 0000.0c9f.f000 0000.0000.0fff any GGSG-AS-N7k-left-OTV1(config)# arp access-list HSRP_VMAC_ARP GGSG-AS-N7k-left-OTV1(config-arp-acl)# 10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00 GGSG-AS-N7k-left-OTV1(config-arp-acl)# 20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000 GGSG-AS-N7k-left-OTV1(config-arp-acl)# 30 permit ip any mac any 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 15 15 GGSG-AS-N7k-left-OTV1(config)#feature dhcp GGSG-AS-N7k-left-OTV1(config)# ip arp inspection filter HSRP_VMAC_ARP vlan 211,214,996 GGSG-AS-N7k-left-OTV1(config)#vlan access-map HSRP_Localization 10 GGSG-AS-N7k-left-OTV1(config-access-map)#match ip address HSRP_IP GGSG-AS-N7k-left-OTV1(config-access-map)#match mac address HSRP_VMAC GGSG-AS-N7k-left-OTV1(config-access-map)#action drop GGSG-AS-N7k-left-OTV1(config)#vlan access-map HSRP_Localization 20 GGSG-AS-N7k-left-OTV1(config-access-map)#match ip address ALL_IPs GGSG-AS-N7k-left-OTV1(config-access-map)#match mac address ALL_MACs GGSG-AS-N7k-left-OTV1(config-access-map)#action forward GGSG-AS-N7k-left-OTV1(config)#vlan filter HSRP_Localization vlan-list 211,214,996 Note: In order to execute ‘ip arp inspection,’ feature dhcp must be enabled. 2. Configure the OTV MAC Route Filter GGSG-AS-N7k-left-OTV1(config)#mac-list OTV_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00 GGSG-AS-N7k-left-OTV1(config)#mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000 GGSG-AS-N7k-left-OTV1(config)#mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000 GGSG-AS-N7k-left-OTV1(config)#route-map OTV_HSRP_filter permit 10 GGSG-AS-N7k-left-OTV1(config-route-map)#match mac-list OTV_HSRP_VMAC_deny 3. Apply the route map to the default otv-isis GGSG-AS-N7k-left-OTV1(config)#otv-isis default GGSG-AS-N7k-left-OTV1(config-router)#vpn Overlay1 GGSG-AS-N7k-left-OTV(config-router)#redistribute filter route-map OTV_HSRP_filter Step 3. TACACS+, AAA, and Strong Password Encryption Configuration GGSG-AS-N7k-left-OTV1(config)# copy running-config startup-config GGSG-AS-N7k-left-OTV1(config)# feature tacacs GGSG-AS-N7k-left- OTV1(config)# tacacs-server host 172.18.149.68 timeout 30 GGSG-AS-N7k-left- OTV1(config)# tacacs-server key cisco12345 GGSG-AS-N7k-left- OTV1(config)# aaa group server tacacs+ DC GGSG-AS-N7k-left- OTV1(config-tacacs+)# server 172.18.149.68 GGSG-AS-N7k-left- OTV1(config-tacacs+)# use-vrf management GGSG-AS-N7k-left- OTV1(config)# ip tacacs source-interface mgmt 0 GGSG-AS-N7k-left- OTV1(config)# aaa authentication login default group DC GGSG-AS-N7k-left- OTV1(config)# aaa authorization commands default group DC local GGSG-AS-N7k-left- OTV1(config)# aaa accounting default group DC GGSG-AS-N7k-left-OTV1# key config-key ascii New Master Key: abcdefgABCDEFG1234567890!@#$% Retype Master Key: abcdefgABCDEFG1234567890!@#$% GGSG-AS-N7k-left-OTV1(config)# feature password encryption aes 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 16 16 GGSG-AS-N7k-left-OTV1(config)# show encryption service stat Encryption service is enabled Master Encryption Key is configured. Type-6 encryption is being used Note: Execute the same configuration steps provided above for data center left (Site-A) and right (Site-B) OTV’s. Step 4. Aggregation VDC – OTV Support Configuration After the OTV VDCs has been configured, the Aggregation VDCs must be configured with a Joint Interface port as well as Internal Interfaces port channels that will provide connectivity to the OTV VDC. There is also a requirement to configure the same LISP L2 extended VLANs previously configured in OTV, and a dedicated port channel to carry those VLANs. The first configuration is for LISP non-vPC ports. 1. Switch to the Aggregation VDC 2. Create two LISP non-vPC VLANs GGSG-AS-N7k-left-Aggr1(config)#vlan 12 GGSG-AS-N7k-left-Aggr1(config-vlan)# name LISP_ESM1 GGSG-AS-N7k-left-Aggr1(config)#vlan 15 GGSG-AS-N7k-left-Aggr1(config-vlan)# name LISP_ESM2 3. Configure a link between N7k’s Aggregation VDC’s GGSG-AS-N7k-left-Aggr1(config)#int e3/7 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 link for VL 12 and 15 GGSG-AS-N7k-left-Aggr1(config-if)#speed 10000 GGSG-AS-N7k-left-Aggr(1config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#channel-group 57 mode active GGSG-AS-N7k-left-Aggr1(config)#interface po57 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 link for VL 12 and 15 GGSG-AS-N7k-left-Aggr1(config-if)#switchport GGSG-AS-N7k-left-Aggr1(config-if)#switchport mode trunk GGSG-AS-N7k-left-Aggr1(config-if)#switchport trunk allowed vlan 12-13,15 GGSG-AS-N7k-left-Aggr1(config-if)#spanning-tree port type network GGSG-AS-N7k-left-Aggr1(config-if)#speed 10000 GGSG-AS-N7k-left-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown Note: VLAN 13 it is use for LISP ESM intra-subnets HA routing, and will be discuss later on this document. 4. Configure a non-vPC L2 link port connecting to OTV GGSG-AS-N7k-left-Aggr1(config)#int e3/8 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 link for VL 12 and 15 GGSG-AS-N7k-left-Aggr1(config-if)#switchport GGSG-AS-N7k-left-Aggr1(config-if)#switchport mode trunk 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 17 17 GGSG-AS-N7k-left-Aggr1(config-if)#switchport trunk allowed vlan 12,15 GGSG-AS-N7k-left-Aggr1(config-if)#speed 10000 GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown 5. Configure OTV L2 Internal Interfaces for each OTV (two) GGSG-AS-N7k-left-Aggr1config)#int e3/1 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 OTV VLANs Toward OTV1 GGSG-AS-N7k-left-Aggr1(config-if)#channel-group 55 mode active GGSG-AS-N7k-left-Aggr1(config-if)#speed 10000 GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown GGSG-AS-N7k-left-Aggr1(config)#interface port-channel55 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 OTV VLANs Toward OTV1 GGSG-AS-N7k-left-Aggr1(config-if)#switchport GSG-AS-N7k-left-Aggr1(config-if)#switchport mode trunk GGSG-AS-N7k-left-Aggr1(config-if)#switchport trunk allowed vlan 211,214,996,999,1005 GGSG-AS-N7k-left-Aggr1config-if)#spanning-tree port type normal GGSG-AS-N7k-left-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#vpc 55 GGSG-AS-N7k-left-Aggr1(config)#int e3/3 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 OTV VLANs Toward OTV1 GGSG-AS-N7k-left-Aggr1(config-if)#channel-group 56 mode active GGSG-AS-N7k-left-Aggr1(config-if)#speed 10000 GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown GGSG-AS-N7k-left-Aggr1(config)#interface port-channel56 GGSG-AS-N7k-left-Aggr1(config-if)#description L2 OTV VLANs Toward OTV1 GGSG-AS-N7k-left-Aggr1(config-if)#switchport GSG-AS-N7k-left-Aggr1(config-if)#switchport mode trunk GGSG-AS-N7k-left-Aggr1(config-if)#switchport trunk allowed vlan 211,214,996,999,1005 GGSG-AS-N7k-left-Aggr1(config-if)#spanning-tree port type normal GGSG-AS-N7k-left-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#vpc 56 6. Configure a Join Interface on Nexus 7k Aggregation VDC (Layer 3 physical interface) GGSG-AS-N7k-left-Aggr1(config)# interface Ethernet2/8 GGSG-AS-N7k-left-Aggr1(config-if)# description Join Interface to OTV e2/8 L3 GGSG-AS-N7k-left-Aggr1(config-if)# speed 10000 GGSG-AS-N7k-left-Aggr1(config-if)# ip address 192.168.1.1/30 GGSG-AS-N7k-left-Aggr1(config-if)# no shutdown 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 18 18 Nexus 7000 LISP Multihop Mobility ESM Setup LISP Multihop Mobility Extended Subnet Mode (ESM) Overview This section provides an overview of LISP Multihop Mobility Extended Subnet Mode and terminologies used on a LISP deployment. These are LISP devices commonly found on a LISP deployment: • Ingress Tunnel Router (ITR) – This device is deployed as a LISP site edge device. It receives packets from site-facing interfaces (internal hosts) and either LISP encapsulates packets to remote LISP sites or the ITR natively forwards packets to non-LISP sites. • Egress Tunnel Router (ETR) – This device is deployed as a LISP site edge device. It receives packets from core-facing interfaces (the Internet) and either decapsulates LISP packets or delivers them to local EIDs at the site. • xTR Router – A router implemented with both roles, ITR and ETR. • Map Server (MS) – This device is deployed as a LISP Infrastructure component. It must be configured to permit a LISP site to register to it by specifying for each LISP site the EID prefixes for which registering ETRs are authoritative. An authentication key must match the key that is configured on the ETR. An MS receives Map-Register control packets from ETRs. • Map Resolver (MR) – This device is deployed as a LISP Infrastructure device. It receives MapRequests encapsulated to it from ITRs. The MR also sends Negative Map-Replies to ITRs in response to queries for non-LISP addresses. Note: The MS/MR role can co-located within an xTR router. In the sample topology below, a first-hop router (FHR) detects the presence of a dynamic host endpoint identifier (EID) and notifies the site gateway xTR. The site gateway xTR registers the dynamic EID with a map server. The Site Gateway xTR performs Locator/ID Separation Protocol (LISP) encapsulation/decapsulation of the traffic from or to the dynamic EID to or from remote sites. Figure 3: Sample LISP ESM Topology 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 19 19 The point of using LISP Multi-hop ESM is that multiple Layer 3 hops can exist between the FHR and the site gateway xTR when deploying this feature. Customers can insert non-LISP devices like firewalls and loadbalancers into the data center. LISP Multihop Aggregation VDC (FHR) Configuration At this point it is assumed that an Aggregation VDC has been properly configured with SVI’s and EIGRP routing protocol. The Aggregation VDC must also have connectivity to N5k’s and the WAN. This section describes how to configure the Extended Subnet Mode (ESM) multihop mobility feature to separate the Locator/ID Separation Protocol (LISP) dynamic host detection function from the LISP encapsulation/decapsulation function within a LISP topology, as shown in Fig. 3. In addition, intra-subnet ESM routing between two data centers configuration is covered on this section as well. Step 1. LISP Configuration 1. Configure a loopback interface that will be used as RLOC for LISP, and advertised that network in the routing process (EIGRP) GGSG-AS-N7k-left-Aggr1(config)# interface loopback0 GGSG-AS-N7k-left-Aggr1(config-if)#description RLOC for LISP EID's GGSG-AS-N7k-left-Aggr1(config-if)#ip address 100.1.1.1/32 GGSG-AS-N7k-left-Aggr1(config-if)#ip router eigrp 15 2. Enable LISP and PIM. Enabling LISP provide the feature set required for the Aggregation VDC (FHR) to discover LISP Endpoint Identity Hosts (EIDs), and enabling PIM allows LISP multicast map-notify to traverse the OTV with unicast core. Note that as part of building an SPT, a default SSM range is configured automatically by NX-OS (ip pim ssm range 232.0.0.0/8). But, ‘ip pim sparse-mode’ must be manually configured on LISP SVI’s. GGSG-AS-N7k-left-Aggr1(config)#feature lisp GGSG-AS-N7k-left-Aggr1(config)#feature pim 3. Configure the Aggregation VDC as an Egress Tunnel Router (ETR) GGSG-AS-N7k-left-Aggr1(config)#ip lisp etr 4. Configure and enter dynamic-EID map configuration mode GGSG-AS-N7k-left-Aggr1(config)#lisp dynamic-eid VLAN-EXT-211 5. Configure a dynamic-EID range, the RLOC mapping, relationship, and associated traffic policy for all IPv4 dynamic-EID-prefixes for this LISP site. Because this is configured under the dynamic-eid-map configuration mode, the LISP ETR registers a /32 host prefix to the mapping system when a dynamic-EID is detected in the configured range. Notice by configuring the priority and weight (traffic percentage) the locators are load-shared. GGSG-AS-N7k-left-Aggr1(config-lisp-dynamic-eid)# database-mapping 192.168.211.0/24 100.1.1.1 priority 10 weight 50 GGSG-AS-N7k-left-Aggr1(config-lisp-dynamic-eid)# database-mapping 192.168.211.0/24 100.1.1.2 ! (IP address of right Aggregation RLOC) priority 10 weight 50 6. Enable sending dynamic endpoint identifier (EID) presence notifications to a site gateway xTR with the specified IP address along with the authentication key used with the gateway xTR. In the current data center design, there are two WAN VDCs connected to ASR’s routers; thus, there will be two xTRs EID notification entries pointing to their loopback IP address. GGSG-AS-N7k-left-Aggr1(config-lisp-dynamic-eid)#eid-notify 172.20.1.1 key cisco 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 20 20 7. Configure a discovering LISP-VM router to send a Map-Notify message to other LISP-VM routers within the map-notify-group mcast-group-id same data center site so that they can also determine the location of the dynamic EID. GGSG-AS-N7k-left-Aggr1(config-lisp-dynamic-eid)#map-notify-group 225.1.1.1 Note: In LISP extended subnet mode, a dynamic-EID detection by one FHR needs to be notified to all of the FHRs that belong to the same LISP site, including FHRs in the same data center and those in other data centers. In this case, use the map-notify-group command under the dynamic-EID-map with a multicast group IP address. This address is used to send a map-notify message by the xTR to all other xTRs when a dynamic-EID is detected. The Time To Live (TTL) value for this notification message is set to 1. This multicast group IP address can be any user-defined address other than an address that is already in use in your network. The multicast message is delivered by leveraging the LAN extension connection established between separate data centers. 8. Enable LISP on ESM SVI interfaces GGSG-AS-N7k-left-Aggr1(config)#int vlan211 GGSG-AS-N7k-left-Aggr1(config-if)#lisp mobility VLAN-EXT-211 GGSG-AS-N7k-left-Aggr1(config-if)#lisp extended-subnet-mode GGSG-AS-N7k-left-Aggr1(config-if)#ip pim sparse-mode The command ‘lisp mobility’ detects a dynamic EID when a roam event occurs, and the ‘lisp extendedsubnet-mode’ accept and detect dynamic-EID roaming on extended subnets. The configuration above must be repeated for every LISP extended-subnet on each data center. In addition, it is recommended a unique mcast address be configured for each local dynamic EID mapnotify-group. However, it is mandatory that the map-notify-group must be the same for each LISP dynamic EID on both N7k’s, left (Site-A) and right (Site-B). Step 2. LISP Extended Intra-Subnets EIGRP Routing Configuration This section covers the configuration for extended non-vPC L2 VLANs (12 and 15) that are use as workaround for the proper communication among extended subnets from different data centers. The logic behind this configuration is to have SVI VLAN 12 and 15 to be configured on data center Site-A Aggregation VDCs, and the same SVI VLAN 12 and 15 be configured on Site-B Aggregation VDCs. These SVI’s will have configured a /30 IP address subnet. Similarly, the same configuration concept is accomplished with SVI 15, but with the right Aggregation VDC’s on both data centers. 1. Configure an ip prefix-list to only advertised extended subnets discovered by LISP that needs to communicate between data centers GGSG-AS-N7k-left-Aggr1(config)#ip prefix-list LISP32 seq 5 permit 192.168.96.0/19 ge 32 GGSG-AS-N7k-left-Aggr1(config)#ip prefix-list LISP32 seq 10 permit 192.168.128.0/17 ge 32 2. Configure a route map denying LISP Null0 subnets, and tagging local LISP discovered hosts GGSG-AS-N7k-left-Aggr1(config)#route-map LISP-EIGRP deny 5 GGSG-AS-N7k-left-Aggr1(config-route-map)#match interface Null0 GGSG-AS-N7k-left-Aggr1(config)#route-map LISP-EIGRP permit 10 GGSG-AS-N7k-left-Aggr1(config-route-map)#description routes from LISP local discovery with Site-A tag 100 GGSG-AS-N7k-left-Aggr1(config-route-map)#match ip address LISP32 GGSG-AS-N7k-left-Aggr1(config-route-map)#set tag 100 GGSG-AS-N7k-left-Aggr1(config)#route-map LISP-EIGRP deny 20 3. Configure another route map tagging discovered LISP subnets from other data centers, and also permitting all /25 subnets learned by LISP GGSG-AS-N7k-left-Aggr1(config)#route-map NO-LOCAL permit 10 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 21 21 GGSG-AS-N7k-left-Aggr1(config-route-map)#description allow routes from Site-B GGSG-AS-N7k-left-Aggr1(config-route-map)#match tag 200 GGSG-AS-N7k-left-Aggr1(config-route-map)#match route-type external GGSG-AS-N7k-left-Aggr1(config)#route-map NO-LOCAL permit 15 GGSG-AS-N7k-left-Aggr1(config-route-map)#description allow summarized /25 routes GGSG-AS-N7k-left-Aggr1config-route-map)#match route-type internal GGSG-AS-N7k-left-Aggr1(config)# route-map NO-LOCAL deny 20 4. Configure an additional EIGRP routing process and redistribute the route map’s GGSG-AS-N7k-left-Aggr1(config)# router eigrp 100 GGSG-AS-N7k-left-Aggr1(config-router)#redistribute lisp route-map LISP-EIGRP GGSG-AS-N7k-left-Aggr1(config-router)#table-map NO-LOCAL filter 5. Configure an SVI for the non-vPC L2 VLAN 12. LISP summarized routes are added to this interface GGSG-AS-N7k-left-Aggr1(config)# int vlan12 GGSG-AS-N7k-left-Aggr1(config-if)# description L3 Interface for LISP non-vPC intra-subnets communication among data centers GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown GGSG-AS-N7k-left-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#ip address 192.168.12.1/30 GGSG-AS-N7k-left-Aggr1(config-if)#ip router eigrp 100 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.96.0/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.96.128/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.211.0/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.211.128/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.214.0/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip summary-address eigrp 100 192.168.214.128/25 172 GGSG-AS-N7k-left-Aggr1(config-if)#ip pim sparse-mode Note: Perform the same configuration presented above for Site-A Aggr2 VDC, but on SVI 15. 6. Since all route maps and EIGRP route processes are the same, as shown above, for Site-B (except route map description), this configuration is only showing Site-B right Aggr1 VDC SVI VLAN 12. The only two differences are the SVI’s IP addresses, and LISP routes are not advertised on SVI’s 12 and 15 Site-B data center. GGSG-AS-N7k-right-Aggr1(config)#int vlan12 GGSG-AS-N7k-right-Aggr1(config-if)#description L3 Interface for LISP non-vPC intra-subnets communication among data centers GGSG-AS-N7k-right-Aggr1(config-if)#no shutdown GGSG-AS-N7k-right-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-right-Aggr1(config-if)#ip address 192.168.12.2/30 GGSG-AS-N7k-right-Aggr1(config-if)#ip router eigrp 100 GGSG-AS-N7k-right-Aggr1(config-if)#ip pim sparse-mode 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 22 22 Step 3. LISP Intra-Subnets High Availability Configuration The following configuration enables High Availability (HA) for LISP intra-subnets routing using the previously configured VLAN 13 to establish EIGRP adjacencies between Aggregation VDC’s on the same data centers. This configuration places SVI 13 on the same routing process as SVI 12 and 15. Configure an SVI for VLAN 13 in all four Aggregation VDCs with a /30 subnet. GGSG-AS-N7k-left-Aggr1(config)#int vlan13 GGSG-AS-N7k-left-Aggr1(config-if)#description FHR HA LISP EID Routing GGSG-AS-N7k-left-Aggr1(config-if)#no shutdown GGSG-AS-N7k-left-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr1(config-if)#ip address 172.18.13.1/30 GGSG-AS-N7k-left-Aggr1(config-if)#ip router eigrp 100 GGSG-AS-N7k-left-Aggr2(config)#int vlan13 GGSG-AS-N7k-left-Aggr2(config-if)#description FHR HA LISP EID Routing GGSG-AS-N7k-left-Aggr2(config-if)#no shutdown GGSG-AS-N7k-left-Aggr2(config-if)#mtu 9216 GGSG-AS-N7k-left-Aggr2(config-if)#ip address 172.18.13.2/30 GGSG-AS-N7k-left-Aggr2(config-if)#ip router eigrp 100 GGSG-AS-N7k-right-Aggr1(config)#int vlan13 GGSG-AS-N7k-right-Aggr1(config-if)#description FHR HA LISP EID Routing GGSG-AS-N7k-right-Aggr1(config-if)#no shutdown GGSG-AS-N7k-right-Aggr1(config-if)#mtu 9216 GGSG-AS-N7k-right-Aggr1(config-if)#ip address 172.18.13.5/30 GGSG-AS-N7k-right-Aggr1(config-if)#ip router eigrp 100 GGSG-AS-N7k-right-Aggr2(config)#int vlan13 GGSG-AS-N7k-right-Aggr2(config-if)#description FHR HA LISP EID Routing GGSG-AS-N7k-right-Aggr2(config-if)#no shutdown GGSG-AS-N7k-right-Aggr2(config-if)#mtu 9216 GGSG-AS-N7k-right-Aggr2(config-if)#ip address 172.18.13.6/30 GGSG-AS-N7k-right-Aggr2(config-if)#ip router eigrp 100 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 23 23 LISP IOS-XE Design This section covers the ASR’s LISP design as well as routing configuration to support LISP Multihop. Each ASR is configured as site gateways LISP xTR routers and additionally; the role of LISP Map Server/Map Resolver is co-located on the same device. This design simplifies the number of devices used in the LISP network. Since the LISP implementation is small, there is no need to separate the role of xTR and MS/MR between different devices. LISP Router Configuration (xTR and MS/MR) 1. Configure a loopback interface that will be used as a xTR local RLOC locator H1-AA13-ASR1004-a(config)#int lo0 H1-AA13-ASR1004-a(config-if)#description xTR Local RLOC Locator H1-AA13-ASR1004-a(config-if)#ip address 172.20.1.1 255.255.255.255 2. Configure a router lisp process H1-AA13-ASR1004-a(config)#router lisp H1-AA13-ASR1004-a(config-router-lisp)# 3. Configure a default RLOC table H1-AA13-ASR1004-a(config-router-lisp)#locator-table default 4. Configure a name locator set (Site-A) H1-AA13-ASR1004-a(config-router-lisp)#locator-set Site-A 5. Under the locator-set object, configure the xTR local RLOC IP address H1-AA13-ASR1004-a(config-router-lisp-locator-set)#172.20.1.1 priority 10 weight 100 H1-AA13-ASR1004-a(config-router-lisp-locator-set)#exit 6. Under router-lisp process, configure a default EID table instance H1-AA13-ASR1004-a(config-router-lisp)# eid-table default instance-id 0 7. Configure local addresses that will be learned by the ETR’s H1-AA13-ASR1004-a(config-router-lisp-eid-table)#database-mapping 192.168.0.0/16 locatorset Site-A 8. Configure all dynamic EID’s with their respective authentication password that was previously setup on the FHR ETR configuration H1-AA13-ASR1004-a(config-router-lisp-eid-table)#dynamic-eid VLAN-EXT-211 H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#database-mapping 192.168.211.0/24 locator-set Site-A H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#eid-notify authentication-key cisco H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#exit H1-AA13-ASR1004-a(config-router-lisp-eid-table)#dynamic-eid VLAN-EXT-214 H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#database-mapping 192.168.214.0/24 locator-set Site-A H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#eid-notify authentication-key cisco H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#exit 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 24 24 H1-AA13-ASR1004-a(config-router-lisp-eid-table)#dynamic-eid VLAN-EXT-996 H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#database-mapping 192.168.96.0/24 locator-set Site-A H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#eid-notify authentication-key cisco H1-AA13-ASR1004-a(config-router-lisp-eid-table-dynamic-eid)#exit 9. Enable the xTR function on the ASR router and configure each xTR local RLOC. H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 itr H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 etr H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 itr map-resolver 172.20.1.1 H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 itr map-resolver 172.21.1.1 H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 etr map-server 172.20.1.1 key cisco H1-AA13-ASR1004-a(config-router-lisp-eid-table)#ipv4 etr map-server 172.21.1.1 key cisco H1-AA13-ASR1004-a(config-router-lisp-eid-table)#exit Note: The configuration presented on task 9 reflects Cisco RTP lab setup in which there were only two ASR’s being used as xTR’s. In this design, there will be a total of eight entries. Four itr map resolver and four etr map server. 10. Enter a site id to configure the MS/MR function on the ASR H1-AA13-ASR1004-a(config-router-lisp)#site Site-A-B H1-AA13-ASR1004-a(config-router-lisp-site)#authentication-key cisco H1-AA13-ASR1004-a(config-router-lisp-site)#eid-prefix 192.168.0.0/16 accept-morespecifics H1-AA13-ASR1004-a(config-router-lisp-site)# exit 11. Enable the map server/map resolver (MS/MR) function on the router lisp H1-AA13-ASR1004-a(config-router-lisp)#ipv4 map-server H1-AA13-ASR1004-a(config-router-lisp)#ipv4 map-resolver 12. Configure a BGP routing process to redistribute lisp host routes to be learned by other LISP sites H1-AA13-ASR1004-a(config)#router bgp 65000 H1-AA13-ASR1004-a(config-router)#bgp log-neighbor-changes H1-AA13-ASR1004-a(config-router)#redistribute lisp H1-AA13-ASR1004-a(config-router)#neighbor 192.168.101.1 remote-as 65000 H1-AA13-ASR1004-a(config-router)#neighbor 192.168.101.1 next-hop-self The configuration presented above is the same for the remaining xTR + MS/MR ASR routers with some minor differences. For the xTR’s in site-B: 1. A different local RLOC is configured 2. There is no registration for the aggregate network 192.168.0.0/16, which is being announced only by site-A; thus, there is no need to add the following command on the other xTR routers: databasemapping 192.168.0.0/16 locator-set locator-site 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 25 25 Appendix A – Nexus LISP and OTV Configurations Site-A (Left) Aggregation1 VDC feature lisp feature pim ip lisp etr lisp dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.211.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco map-notify-group 225.1.1.1 lisp dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.214.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco map-notify-group 225.1.1.2 lisp dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.96.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco map-notify-group 225.1.1.3 interface Vlan211 lisp mobility VLAN-EXT-211 lisp extended-subnet-mode ip pim sparse-mode interface Vlan214 lisp mobility VLAN-EXT-214 lisp extended-subnet-mode ip pim sparse-mode interface Vlan996 lisp mobility VLAN-EXT-996 lisp extended-subnet-mode ip pim sparse-mode ip prefix-list LISP32 seq 5 permit 192.168.96.0/19 ge 32 ip prefix-list LISP32 seq 10 permit 192.168.128.0/17 ge 32 route-map LISP-EIGRP deny 5 match interface Null0 route-map LISP-EIGRP permit 10 description routes from LISP local discovery with DC-1 tag 100 match ip address LISP32 set tag 100 route-map LISP-EIGRP deny 20 route-map NO-LOCAL permit 10 description allow routes from DC-2 match tag 200 match route-type external route-map NO-LOCAL permit 15 description allow summarized /25 routes 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 26 26 match route-type internal route-map NO-LOCAL deny 20 interface Vlan12 description L3 Interface for LISP non-vPC intra-subnets communication among data centers no shutdown mtu 9216 ip address 192.168.12.1/30 ip router eigrp 100 ip summary-address eigrp 100 192.168.96.0/25 172 ip summary-address eigrp 100 192.168.96.128/25 172 ip summary-address eigrp 100 192.168.211.0/25 172 ip summary-address eigrp 100 192.168.211.128/25 172 ip summary-address eigrp 100 192.168.214.0/25 172 ip summary-address eigrp 100 192.168.214.128/25 172 ip pim sparse-mode interface Vlan13 description FHR HA LISP EID Routing no shutdown mtu 9216 ip address 172.18.13.1/30 ip router eigrp 100 interface loopback0 description RLOC for LISP EID's ip address 100.1.1.1/32 ip router eigrp 15 interface Ethernet2/8 description L3 OTV Join Interface Toward OTV1 E2/11 speed 10000 mtu 9216 ip address 192.168.1.1/30 ip router eigrp 15 no shutdown interface Ethernet3/1 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/3 description OTV L2 Interface Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 56 mode active no shutdown interface port-channel55 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 27 27 switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 55 interface port-channel56 description OTV Port Channel Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 56 interface Ethernet3/7 description L2 link for VL 12 and 15 switchport mode trunk switchport trunk allowed vlan 12-13,15 speed 10000 mtu 9216 channel-group 57 mode active no shutdown interface port-channel57 description L2 link for VL 12 and 15 switchport switchport mode trunk switchport trunk allowed vlan 12-13,15 spanning-tree port type network speed 10000 mtu 9216 interface Ethernet3/8 description trunk to OTV1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 speed 10000 no shutdown router eigrp 100 redistribute lisp route-map LISP-EIGRP table-map NO-LOCAL filter Site-A (Left) Aggregation2 VDC feature lisp feature pim ip lisp etr lisp dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.211.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco map-notify-group 225.1.1.1 lisp dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.214.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 28 28 map-notify-group 225.1.1.2 lisp dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 100.1.1.1 priority 10 weight 50 database-mapping 192.168.96.0/24 100.1.1.2 priority 10 weight 50 eid-notify 172.20.1.1 key cisco map-notify-group 225.1.1.3 interface Vlan211 lisp mobility VLAN-EXT-211 lisp extended-subnet-mode ip pim sparse-mode interface Vlan214 lisp mobility VLAN-EXT-214 lisp extended-subnet-mode ip pim sparse-mode interface Vlan996 lisp mobility VLAN-EXT-996 lisp extended-subnet-mode ip pim sparse-mode ip prefix-list LISP32 seq 5 permit 192.168.96.0/19 ge 32 ip prefix-list LISP32 seq 10 permit 192.168.128.0/17 ge 32 route-map LISP-EIGRP deny 5 match interface Null0 route-map LISP-EIGRP permit 10 description routes from LISP local discovery with DC-1 tag 100 match ip address LISP32 set tag 100 route-map LISP-EIGRP deny 20 route-map NO-LOCAL permit 10 description allow routes from DC-2 match tag 200 match route-type external route-map NO-LOCAL permit 15 description allow summarized /25 routes match route-type internal route-map NO-LOCAL deny 20 interface Vlan13 description FHR HA LISP EID Routing no shutdown mtu 9216 ip address 172.18.13.2/30 ip router eigrp 100 interface Vlan15 description L3 Interface for LISP non-vPC intra-subnets communication among data centers no shutdown mtu 9216 no ip redirects ip address 172.18.15.1/30 ip router eigrp 100 ip summary-address eigrp 100 192.168.96.0/25 172 ip summary-address eigrp 100 192.168.96.128/25 172 ip summary-address eigrp 100 192.168.211.0/25 172 ip summary-address eigrp 100 192.168.211.128/25 172 ip summary-address eigrp 100 192.168.214.0/25 172 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 29 29 ip summary-address eigrp 100 192.168.214.128/25 172 ip pim sparse-mode interface loopback0 description RLOC for LISP EID's ip address 100.1.1.2/32 ip router eigrp 15 interface Ethernet2/20 description OTV Join Interface Toward OTV2 E2/22 speed 10000 mtu 9216 ip address 192.168.1.5/30 ip router eigrp 15 no shutdown interface Ethernet3/21 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/24 description OTV L2 Interface Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 56 mode active no shutdown interface port-channel55 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 55 interface port-channel56 description OTV Port Channel Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 56 interface Ethernet3/27 description L2 link for VL 12 and 15 switchport mode trunk switchport trunk allowed vlan 12-13,15 speed 10000 mtu 9216 channel-group 57 mode active no shutdown 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 30 30 interface port-channel57 description L2 link for VL 12 and 15 switchport switchport mode trunk switchport trunk allowed vlan 12-13,15 spanning-tree port type network speed 10000 mtu 9216 interface Ethernet3/28 description trunk to OTV1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 speed 10000 no shutdown router eigrp 100 redistribute lisp route-map LISP-EIGRP table-map NO-LOCAL filter Site-B (Right) Aggregation1 VDC feature lisp feature pim ip lisp etr lisp dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.211.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.1.1 lisp dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.214.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.1.2 lisp dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.96.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.13 interface Vlan211 lisp mobility VLAN-EXT-211 lisp extended-subnet-mode ip pim sparse-mode interface Vlan214 lisp mobility VLAN-EXT-214 lisp extended-subnet-mode ip pim sparse-mode interface Vlan996 lisp mobility VLAN-EXT-996 lisp extended-subnet-mode ip pim sparse-mode 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 31 31 ip prefix-list LISP32 seq 5 permit 192.168.96.0/19 ge 32 ip prefix-list LISP32 seq 10 permit 192.168.128.0/17 ge 32 route-map LISP-EIGRP deny 5 match interface Null0 route-map LISP-EIGRP permit 10 description routes from LISP local discovery with DC-2 tag 200 match ip address LISP32 set tag 200 route-map LISP-EIGRP deny 20 route-map NO-LOCAL permit 10 description allow routes from DC-1 match tag 100 match route-type external route-map NO-LOCAL permit 15 description allow summarized /25 routes match route-type internal route-map NO-LOCAL deny 20 interface Vlan12 description L3 Interface for LISP non-vPC intra-subnets communication among data centers no shutdown mtu 9216 ip address 192.168.12.2/30 ip router eigrp 100 ip pim sparse-mode interface Vlan13 description FHR Peering for LISP EID Routing no shutdown mtu 9216 ip address 172.18.13.5/30 ip router eigrp 100 interface loopback0 description RLOC for LISP Site B ip address 101.1.1.1/32 ip router eigrp 15 interface Ethernet2/8 description L3 OTV Join Interface Toward OTV1 E2/11 speed 10000 mtu 9216 ip address 172.18.1.1/30 ip router eigrp 15 no shutdown interface Ethernet3/1 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/3 description OTV L2 Interface Toward OTV2 switchport switchport mode trunk 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 32 32 switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 56 mode active no shutdown interface port-channel55 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 55 interface port-channel56 description OTV Port Channel Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 56 interface Ethernet3/7 description L2 link for VL 12 and 15 switchport mode trunk switchport trunk allowed vlan 12-13,15 speed 10000 mtu 9216 channel-group 57 mode active no shutdown interface port-channel57 description L2 link for VL 12 and 15 switchport switchport mode trunk switchport trunk allowed vlan 12-13,15 spanning-tree port type network speed 10000 mtu 9216 interface Ethernet3/8 description trunk to OTV1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 speed 10000 no shutdown router eigrp 100 redistribute lisp route-map LISP-EIGRP table-map NO-LOCAL filter 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 33 33 Site-B (Right) Aggregation2 VDC feature lisp feature pim ip lisp etr lisp dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.211.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.1.1 lisp dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.214.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.1.2 lisp dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 101.1.1.1 priority 10 weight 50 database-mapping 192.168.96.0/24 101.1.1.2 priority 10 weight 50 eid-notify 172.21.1.1 key cisco map-notify-group 225.1.13 interface Vlan211 lisp mobility VLAN-EXT-211 lisp extended-subnet-mode ip pim sparse-mode interface Vlan214 lisp mobility VLAN-EXT-214 lisp extended-subnet-mode ip pim sparse-mode interface Vlan996 lisp mobility VLAN-EXT-996 lisp extended-subnet-mode ip pim sparse-mode ip prefix-list LISP32 seq 5 permit 192.168.96.0/19 ge 32 ip prefix-list LISP32 seq 10 permit 192.168.128.0/17 ge 32 route-map LISP-EIGRP deny 5 match interface Null0 route-map LISP-EIGRP permit 10 description routes from LISP local discovery with DC-2 tag 200 match ip address LISP32 set tag 200 route-map LISP-EIGRP deny 20 route-map NO-LOCAL permit 10 description allow routes from DC-1 match tag 100 match route-type external route-map NO-LOCAL permit 15 description allow summarized /25 routes match route-type internal route-map NO-LOCAL deny 20 interface Vlan13 description FHR Peering for LISP EID Routing no shutdown mtu 9216 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 34 34 ip address 172.18.13.6/30 ip router eigrp 100 interface Vlan15 description L3 Interface for LISP non-vPC intra-subnets communication among data centers no shutdown mtu 9216 ip address 172.18.15.2/30 ip router eigrp 100 ip pim sparse-mode interface loopback0 description RLOC for LISP Site B ip address 101.1.1.2/32 ip router eigrp 15 interface Ethernet2/20 description OTV Join Interface Toward OTV2 E2/22 speed 10000 mtu 9216 ip address 172.18.1.5/30 ip router eigrp 15 no shutdown interface Ethernet3/21 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/24 description OTV L2 Interface Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 56 mode active no shutdown interface port-channel55 description L2 OTV VLANs Toward OTV1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 55 interface port-channel56 description OTV Port Channel Toward OTV2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 vpc 56 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 35 35 interface Ethernet3/27 description L2 link for VL 12 and 15 switchport mode trunk switchport trunk allowed vlan 12-13,15 speed 10000 mtu 9216 channel-group 57 mode active no shutdown interface port-channel57 description L2 link for VL 12 and 15 switchport switchport mode trunk switchport trunk allowed vlan 12-13,15 spanning-tree port type network speed 10000 mtu 9216 interface Ethernet3/28 description trunk to OTV1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 speed 10000 no shutdown router eigrp 100 redistribute lisp route-map LISP-EIGRP table-map NO-LOCAL filter Site-A Overlay Transport Virtualization (OTV1) VDC feature otv feature lacp feature dhcp ip access-list ALL_IPs 10 permit ip any any mac access-list ALL_MACs 10 permit any any ip access-list HSRP_IP 10 permit udp any 224.0.0.2/32 eq 1985 20 permit udp any 224.0.0.102/32 eq 1985 mac access-list HSRP_VMAC 10 permit 0000.0c07.ac00 0000.0000.00ff any 20 permit 0000.0c9f.f000 0000.0000.0fff any arp access-list HSRP_VMAC_ARP 10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00 20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000 30 permit ip any mac any vlan access-map HSRP_Localization 10 match ip address HSRP_IP match mac address HSRP_VMAC action drop vlan access-map HSRP_Localization 20 match ip address ALL_IPs match mac address ALL_MACs action forward 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 36 36 vlan filter HSRP_Localization vlan-list 211,214,996 ip route 0.0.0.0/0 192.168.1.1 vlan 12 name LISP_ESM1 vlan 15 name LISP_ESM2 vlan 211 name Server_Net_One vlan 214 name Server_Net_Four vlan 996 name vMotion vlan 999 name OTV_Site_VLAN vlan 1005 name LiveMigration otv site-vlan 999 mac-list OTV_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00 mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000 mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000 route-map OTV_HSRP_filter permit 10 match mac-list OTV_HSRP_VMAC_deny interface port-channel55 description L2 Port Channel Toward Aggr1 and Aggr2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 interface Overlay1 description OTV Overlay Interface to Aggr1 otv join-interface Ethernet2/11 otv extend-vlan 12, 15, 211, 214, 996, 1005 otv adjacency-server unicast-only no shutdown interface Ethernet3/34 description L2 Interface Toward Aggr1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet2/11 description OTV Join Interface Toward Aggr1 E2/8 speed 10000 mtu 9216 ip address 192.168.1.2/30 ! This IP address changes on the other OTVs no shutdown interface Ethernet3/33 description L2 Interface Toward Aggr1 switchport 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 37 37 switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/35 description trunk to Aggr1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 speed 10000 no shutdown otv-isis default vpn Overlay1 redistribute filter route-map OTV_HSRP_filter otv site-identifier 0x2 ip arp inspection filter HSRP_VMAC_ARP vlan 211,214,996 Site-A Overlay Transport Virtualization (OTV2) VDC feature otv feature lacp feature dhcp ip access-list ALL_IPs 10 permit ip any any mac access-list ALL_MACs 10 permit any any ip access-list HSRP_IP 10 permit udp any 224.0.0.2/32 eq 1985 20 permit udp any 224.0.0.102/32 eq 1985 mac access-list HSRP_VMAC 10 permit 0000.0c07.ac00 0000.0000.00ff any 20 permit 0000.0c9f.f000 0000.0000.0fff any arp access-list HSRP_VMAC_ARP 10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00 20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000 30 permit ip any mac any vlan access-map HSRP_Localization 10 match ip address HSRP_IP match mac address HSRP_VMAC action drop vlan access-map HSRP_Localization 20 match ip address ALL_IPs match mac address ALL_MACs action forward vlan filter HSRP_Localization vlan-list 211,214,996 ip route 0.0.0.0/0 192.168.1.1 vlan 12 name LISP_ESM1 vlan 15 name LISP_ESM2 vlan 211 name Server_Net_One vlan 214 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 38 38 name Server_Net_Four vlan 996 name vMotion vlan 999 name OTV_Site_VLAN vlan 1005 name LiveMigration otv site-vlan 999 mac-list OTV_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00 mac-list OTV_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000 mac-list OTV_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000 route-map OTV_HSRP_filter permit 10 match mac-list OTV_HSRP_VMAC_deny interface port-channel55 description L2 Port Channel Toward Aggr1 and Aggr2 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 spanning-tree port type normal mtu 9216 interface Overlay1 description OTV Overlay Interface to Aggr1 otv join-interface Ethernet2/11 otv extend-vlan 12, 15, 211, 214, 996, 1005 otv adjacency-server unicast-only no shutdown interface Ethernet3/41 description L2 Interface Toward Aggr1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet2/22 description OTV Join Interface Toward Aggr1 E2/8 speed 10000 mtu 9216 ip address 192.168.1.6/30 no shutdown interface Ethernet3/42 description L2 Interface Toward Aggr1 switchport switchport mode trunk switchport trunk allowed vlan 211,214,996,999,1005 mtu 9216 channel-group 55 mode active no shutdown interface Ethernet3/43 description trunk to Aggr1 for L2 non-vPC switchport mode trunk switchport trunk allowed vlan 12,15 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 39 39 speed 10000 no shutdown otv-isis default vpn Overlay1 redistribute filter route-map OTV_HSRP_filter otv site-identifier 0x2 ip arp inspection filter HSRP_VMAC_ARP vlan 211,214,996 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 40 40 Appendix B – IOS-XE LISP Configurations Site-A ASR Ingress/Egress Tunnel Router + MS/MR interface Loopback0 description xTR Locator ip address 172.20.1.1 255.255.255.255 ! router lisp locator-table default locator-set Site-A 172.20.1.1 priority 10 weight 100 exit ! eid-table default instance-id 0 database-mapping 192.168.0.0/16 locator-set Site-A dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 locator-set Site-A eid-notify authentication-key cisco exit ! dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 locator-set Site-A eid-notify authentication-key cisco exit ! dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 locator-set Site-A eid-notify authentication-key cisco exit ! ipv4 itr map-resolver 172.20.1.1 ipv4 itr map-resolver 172.21.1.1 ipv4 itr ipv4 etr map-server 172.20.1.1 key cisco ipv4 etr map-server 172.21.1.1 key cisco ipv4 etr exit ! site Site-A-B authentication-key cisco eid-prefix 192.168.0.0/16 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolver exit ! router bgp 65000 bgp log-neighbor-changes redistribute lisp neighbor 192.168.101.1 remote-as 65000 neighbor 192.168.101.1 next-hop-self 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 41 41 Site-B ASR Ingress/Egress Tunnel Router + MS/MR router lisp locator-set Site-B 172.21.1.1 priority 10 weight 100 exit ! eid-table default instance-id 0 dynamic-eid VLAN-EXT-211 database-mapping 192.168.211.0/24 locator-set Site-B eid-notify authentication-key cisco exit ! dynamic-eid VLAN-EXT-214 database-mapping 192.168.214.0/24 locator-set Site-B eid-notify authentication-key cisco exit ! dynamic-eid VLAN-EXT-996 database-mapping 192.168.96.0/24 locator-set Site-B eid-notify authentication-key cisco exit ! ipv4 itr map-resolver 172.20.1.1 ipv4 itr map-resolver 172.21.1.1 ipv4 itr ipv4 etr map-server 172.20.1.1 key cisco ipv4 etr map-server 172.21.1.1 key cisco ipv4 etr exit ! site Site-A-B authentication-key cisco eid-prefix 192.168.0.0/16 accept-more-specifics exit ! ipv4 map-server ipv4 map-resolver exit ! router bgp 65000 bgp log-neighbor-changes redistribute lisp neighbor 192.168.101.5 remote-as 65000 neighbor 192.168.101.5 next-hop-self 01 October 2014 OTV and LISP Design Recommendations Company Confidential. A printed copy of this document is considered uncontrolled. 42 42

Advanced Services. OTV and LISP Design Recommendations. Arnold Ocasio CCIE #8446. Advanced Services. Marco Pessi LISP Technical Marketing. Version 1.

Related documents

Products

Support

Advanced Services. OTV and LISP Design Recommendations. Arnold Ocasio CCIE #8446. Advanced Services. Marco Pessi LISP Technical Marketing. Version 1.

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib