The Locator ID Separation Protocol (LISP) is a network architecture and protocol. LISP replaces a single IP address with two numbering spaces—Routing Locators (RLOCs), which are topologically assigned to network attachment points and used for routing and forwarding of packets through the network; and Endpoint Identifiers (EIDs), which are assigned independently from the network topology and used for numbering devices, and are aggregated along administrative boundaries.

LISP defines functions for mapping between the two numbering spaces and encapsulating traffic originated by devices using non-routable EIDs for transport across a network infrastructure that routes and forwards using RLOCs. LISP provides a set of functions for devices to exchange information that is used to map non-routable EIDs to routable RLOCs.

LISP requires LISP-specific configuration of one or more LISP-related devices, such as the LISP egress tunnel router (ETR), ingress tunnel router (ITR), proxy ETR (PETR), proxy ITR (PITR), map resolver (MR), map server (MS), and LISP alternative logical topology (ALT) device.

The zone-based firewall can be deployed either on the southbound or northbound of the Locator ID Separator Protocol (LISP) xTR device, depending on where the edge router (routers such as Cisco ASR 1000 Aggregation Services Routers) is located in the network. The ingress tunnel router (ITR) and egress tunnel router (ETR) together are called the xTR device.

When the zone-based firewall is at the northbound of the xTR device; then the firewall can view LISP encapsulated packets, such as LISP tunneled packets, that pass through the network.

When the zone-based firewall is at the southbound of the xTR device, then the firewall can view the original packet. However; the firewall is not aware of any LISP xTR processing or do not see any LISP header. For egress packets, the xTR device does LISP encapsulation and adds the LISP header on top of the original packet after the firewall inspection. For ingress packets, the xTR device does LISP decapsulation (removal of the LISP header) before the firewall inspection and as a result, the firewall only inspects the original packet; and has no interaction with LISP at all.

This section describes the scenario when the zone-based firewall is deployed at the southbound of the LISP xTR device:

If an edge router is configured as a LISP xTR device to perform LISP encapsulation and decapsulation functions, you can configure the zone-based firewall between the LISP interface and the interfaces that face the LISP local endpoint identifier (EID) devices on the same edge router. LISP header decapsulation is performed before the header enters the zone-based firewall at the LISP interface. LISP header encapsulation is performed after the packet egresses from the firewall at the LISP interface. The firewall inspects only native traffic (what is native traffic here?) in the EID space.

This section describes the scenario when the zone-based firewall is deployed at the northbound of the LISP xTR devicce:

If more than one edge routers are deployed as load-sharing routers at the northbound of the xTR device, the firewall on the edge router is considered northbound of the xTR device. In this case, all packets that pass through the zone-based firewall are LISP encapsulated packets. When a packet arrives, the firewall inspects either the inner header or outer header of the LISP packets. By default, only the outer header is inspected. You can enable inner header inspection by using the lisp inner-packet-inspection command.

In Cisco IOS XE Release, if LISP inner packet inspection is enabled, the firewall only inspects the first fragmented inner packet, and all subsequent inner packets pass through the firewall without further inspection. If LISP inner packet inspection is enabled, the LISP instance ID is treated as virtual routing and forwarding (VRF) ID, and LISP packets that belong to different instance IDs are associated with different zone-based firewall sessions.

In Cisco IOS XE Release 3.13S, the LISP and Zone-Based Firewall Integration and Interoperability feature, works with the following features:

• IPv4 inner and outer headers

• IPv6 inner and outer headers

• LISP multitenancy

• Application layer gateways (ALGs)

• Application Inspection and Control (AIC)

• Mulitprotocol Label Switching (MPLS)

• In-Service Software Upgrade (ISSU)

• PxTR Case

In Cisco IOS XE Release 3.14S, the LISP and Zone-Based Firewall Integration and Interoperability feature supports both intrachassis and interchassis high availability. When Location ID Separation Protocol (LISP) inner packet inspection is enabled, interchassis and intrachassis redundancy are supported at the xTR northbound device.

For LISP inner packet inspection at the northbound device, LISP instance ID is used as the virtual routing and forwarding (VRF) instance. The VRF configuration at northbound device is ignored if LISP inner packet inspection is enabled.

When two devices are located at the northbound of the xTR device and the xTR device is located inside the cloud, if LISP inner packet inspection is enabled on both devices, zone-based firewall sessions that are created for LISP inner packet flow is synced to the standby device.

A typical interchassis (box-to-box) high availability topology will have two devices in the routing locator (RLOC) space at the northbound of the xTR device. The xTR device sits in the inside network. If LISP inner packet inspection is enabled on both devices, zone-based firewall sessions that are created for LISP inner packets are synced to the standby device.

There are no configuration changes for intrachassis redundancy.