Configure L2 Extension for Public Cloud

This chapter describes how enterprise and cloud providers can configure an L2 extension for public clouds with CSR 1000V instances using LISP. Use the command-line interface to extend a Layer 2 domain between your public cloud network and the enterprise network.

The following are some of the terms and concepts that you should be aware of before you configure the LISP Layer 2 Extension:

  • Locator/ID Separation Protocol (LISP): LISP is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
    • Endpoint identifiers (EIDs) - assigned to end hosts.

    • Routing locators (RLOCs) - assigned to devices (primarily routers) that make up the global routing system.

  • LISP-enabled virtualized router: A virtual machine or appliance that supports routing and LISP functions, including host mobility.

  • Endpoint ID (EID): An EID is an IPv4 or IPv6 address used in the source and destination address fields of the first (innermost) LISP header of a packet.

  • Routing locator (RLOC): The IPv4 or IPv6 addresses that are used to encapsulate and transport the flow between the LISP nodes. An RLOC is the output of an EID-to-RLOC mapping lookup.

  • Egress Tunnel Router (ETR): An ETR is a device that is the tunnel endpoint and connects a site to the LISP-capable part of a core network (such as the Internet), publishes EID-to-RLOC mappings for the site, responds to Map-Request messages, and decapsulates and delivers LISP-encapsulated user data to the end systems at the site. During operation, an ETR sends periodic Map-Register messages to all its configured map servers. These Map-Register messages contain all the EID-to-RLOC entries for the EID-numbered networks that are connected to the ETR’s site.

  • Ingress Tunnel Router (ITR): An ITR is a device that is the tunnel start point. An ITR is responsible for finding EID-to-RLOC mappings for all traffic destined for LISP-capable sites. When the ITR receives a packet destined for an EID, it first looks for the EID in its mapping cache. If the ITR finds a match, it encapsulates the packet inside a LISP header with one of its RLOCs as the IP source address and one of the RLOCs from the mapping cache entry as the IP destination. The ITR then routes the packet normally.

  • xTR: A generic name for a device performing both Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR) functions.

  • PxTR: The point of interconnection between an IP network and a LISP network, playing the role of ITR and ETR at this peering point.

  • Map-Server (MS): An MS is a LISP Infrastructure device that LISP site ETRs register to with their EID prefixes. An MS implements part of the distributed LISP mapping database by accepting registration requests from its client egress tunnel routers (ETRs), aggregating the successfully registered EID prefixes of those ETRs, and advertising the aggregated prefixes into the alternative logical topology (ALT) with border gateway protocol (BGP).

    In a small private mapping system deployment, an MS may be configured to stand alone (or there may be several MSs) with all ETRs configured to register to each MS. If more than one, all MSs have full knowledge of the mapping system in a private deployment.

    In a larger or public mapping system deployment, an MS is configured with a partial mesh of generic routing encapsulation (GRE) tunnels and BGP sessions to other map server systems.

  • Map-Resolver (MR): An MR is a LISP Infrastructure device to which the ITRs send LISP Map-Request queries when resolving EID-to-RLOC mappings. MRs receive the request and select the appropriate map server.

For detailed overview information on LISP and the terminologies, see Locator ID Separation Protocol Overview.

Information about Configuring LISP Layer 2 Extension

The Cisco CSR 1000v can be deployed on public, private, and hybrid clouds. When enterprises move to a hybrid cloud, they need to migrate the servers to the cloud without making any changes to the servers. Enterprises may want to use the same server IP address, subnet mask, and default gateway configurations, use their own IP addressing scheme in the cloud, and not be limited by the addressing scheme of the cloud provider infrastructure.

To fulfill this requirement, Cisco offers the LISP Layer 2 Extension to CSR 1000v on Amazon Web Services (AWS), where CSR 1000v acts as the bridge between the enterprise data center and the public cloud. By configuring the LISP Layer 2 Extension, you can extend your Layer 2 networks in the private data center to a public cloud to achieve host reachability between your site and the public cloud. You can also enable the migration of your application workload between the data center and the public cloud.

Benefits

  • Carry out data migration with ease and optimize the workload IP addresses or the firewall rules in your network, thereby ensuring subnet continuity with no broadcast domain extension.

  • Leverage cloud bursting to virtually insert a VM into the enterprise server farm while the VM actually runs on the provider site.

  • Provide backup services for partial disaster recovery and disaster avoidance.

Prerequisites for configuring LISP Layer 2 Extension

Each CSR 1000V router must be configured with one external IP address. In this case, an IPsec tunnel is built between the IP addresses of the two CSR instances, and the IPsec tunnel has a private address.

Restrictions for configuring LISP Layer 2 Extension

  • The number of enterprise VRFs and VM addresses on an AWS ECS subnet is limited.

  • IPv6 address format is not supported in an AWS CSR1000v Amazon Machine Image (AMI).

How to configure LISP Layer 2 Extension

To configure the L2 extension functionality, you must first deploy the CSR 1000v instance on AWS and configure the instance as an xTR. You must then configure the mapping system to complete the deployment.

The LISP site uses the CSR 1000v instance configured as both an ITR and an ETR (also known as an xTR) with two connections to upstream providers. The LISP site then registers to the standalone device that you have configured as the map resolver/map server (MR/MS) in the network core. The mapping system performs LISP encapsulation and de-encapsulation of the packets that are going to the migrated public IPs. Optionally, for traffic that is leaving AWS, whenever a route to the destination is not found on the CSR routing table, the CSR 1000v instance routes that traffic through the PxTR at the enterprise data center.

Perform the following steps to enable and configure the LISP xTR functionality when using a LISP map server and map resolver for mapping services:

Creating a CSR 1000v instance on AWS

Procedure


Step 1

Log into Amazon Web Services. In the left navigation pane, click VPC.

Step 2

Click Start VPC Wizard, and select VPC with Single Public Subnet in the left pane.

Step 3

Click Select.

Step 4

Create the subnet in the Virtual Private Cloud. Use the following properties:

  1. Default subnet-10.0.0.0/24 (mapped to a public IP address).

  2. Additional subnets-10.0.1.0/24 and 10.0.2.0/24. These are private IP address ranges and are internal to the CSR 1000v instance.

Step 5

Select Create VPC.

Step 6

Select Security > Network ACLs. Click Create Security Group to create a security group for the CSR instance. Configure the following properties:

  1. Name-SSH-Access

  2. TCP Port 22 traffic-Permitted inbound

  3. SSH access to CSR for management-Enabled

Step 7

To create additional security groups, repeat step 6 for each group.

Step 8

Go to the CSR product page, and click Continue. Click Launch with EC2 Console to launch the CSR in the geographical region of your choice.

Step 9

Choose the appropriate instance type. Refer to tables 2-1 and 2-2 for the supported instance types.

The minimum memory requirement for a medium instance type (m1.medium) is 10 Mbps; for a large instance type (m1.large) it is 50 Mbps.

ECU stands for Elastic Compute Unit. ECU is Amazon’s proprietary way of measuring the CPU capacity.

All the EC2 instances are hyperthreaded.

Step 10

Launch the CSR instance in the VPC that you created. Use the following properties:

  1. Set the Shutdown behaviour to Stop.

  2. Set the Tenancy to Shared. Choose the Shared option to run a shared hardware instance.

Step 11

Associate the instance with a security group (SSH-ACCESS). The security rules enable you to configure firewall rules to control traffic for your CSR 1000v instance.

Step 12

Associate a private key with the CSR 1000v instance. A key pair is a private key and a public key. You must provide the private key to authenticate and connect to the CSR 1000v instance. The public key is stored on AWS. If required, you can create a new key pair.

Step 13

Click Launch Instances.

Step 14

Verify whether the CSR 1000v instance is deployed on AWS.

After successful deployment, the status changes to "2/2 checks passed".


Configure subnets

Procedure


Step 1

Select the CSR 1000v instance.

Step 2

Select Actions > Networking > Manage IP Addresses.

Step 3

Specify the enterprise host address. This IP address is the secondary address of eth1.

Step 4

Click Yes, Update.


Configure a tunnel between CSR 1000v on AWS and CSR 1000v on the enterprise system

The communication between the CSR 1000v instance deployed within the enterprise data center and the CSR 1000v instance deployed within the public cloud is secured by an IP Security (IPsec) tunnel established between them. The LISP-encapsulated traffic is protected by the IPsec tunnel, which provides data origin authentication, integrity protection, anti-replay protection, and confidentiality between the public cloud and the enterprise.

Configure tunnel between CSR on AWS and CSR on DC

Procedure


Step 1

Configure a CSR 1000v instance on AWS.

interface Loopback1
 ip address 33.33.33.33 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.2 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 173.39.145.79
 tunnel protection ipsec profile p2p_pf1
!
interface GigabitEthernet2
 ip address 10.10.10.140 255.255.255.0
 negotiation auto
 lisp mobility subnet1 nbr-proxy-reply requests 3
 no mop enabled
 no mop sysid
!

Step 2

Configure a second CSR 1000v instance on the enterprise site.

interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.1 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 52.14.116.161
 tunnel protection ipsec profile p2p_pf1
!
interface GigabitEthernet3
 ip address 10.10.10.2 255.255.255.0
 negotiation auto
 lisp mobility subnet1 nbr-proxy-reply requests 3
 no mop enabled
 no mop sysid
!

Configure LISP xTR on the CSR1000v instance running on AWS

Procedure


To configure LISP xTR on the CSR instance running on AWS, follow the configuration steps in the Configuring LISP (Location ID Separation Protocol) section.

Example. The first configuration is for the CSR 1000v instance on AWS (locator-set aws, RLOC 33.33.33.33); the second is for the CSR 1000v instance at the enterprise data center (locator-set dmz, RLOC 11.11.11.11), which also acts as the map server, map resolver, and PxTR for the site:

router lisp
 locator-set aws
  33.33.33.33 priority 1 weight 100
  exit-locator-set
 !
 service ipv4
  itr map-resolver 11.11.11.11
  itr
  etr map-server 11.11.11.11 key cisco
  etr
  use-petr 11.11.11.11
  exit-service-ipv4
 !
 instance-id 0
  dynamic-eid subnet1
   database-mapping 10.10.10.0/24 locator-set aws
   map-notify-group 239.0.0.1
   exit-dynamic-eid
  !
  service ipv4
   eid-table default
   exit-service-ipv4
  !
  exit-instance-id
 !
 exit-router-lisp
!
router ospf 11
 network 30.0.0.2 0.0.0.0 area 11
 network 33.33.33.33 0.0.0.0 area 11
!
router lisp
 locator-set dmz
  11.11.11.11 priority 1 weight 100
  exit-locator-set
 !
 service ipv4
  itr map-resolver 11.11.11.11
  etr map-server 11.11.11.11 key cisco
  etr
  proxy-etr
  proxy-itr 11.11.11.11
  map-server
  map-resolver
  exit-service-ipv4
 !
 instance-id 0
  dynamic-eid subnet1
   database-mapping 10.10.10.0/24 locator-set dmz
   map-notify-group 239.0.0.1
   exit-dynamic-eid
  !
  service ipv4
   eid-table default
   exit-service-ipv4
  !
  exit-instance-id
 !
 site DATA_CENTER
  authentication-key cisco
  eid-record 10.10.10.0/24 accept-more-specifics
  exit-site
 !
 exit-router-lisp
!
router ospf 11
 network 11.11.11.11 0.0.0.0 area 11
 network 30.0.0.1 0.0.0.0 area 11
!


Verify the LISP Layer 2 Traffic between CSR 1000v on AWS and CSR 1000v on the enterprise system

Procedure


Perform the following steps to verify the LISP Layer 2 traffic:

Example:

csr-aws#show ip lisp database 
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 2, no-route 0, inactive 0

10.0.1.1/32, dynamic-eid subnet1, inherited from default locator-set aws
  Locator  Pri/Wgt  Source     State
33.33.33.33    1/100  cfg-addr   site-self, reachable
10.0.1.20/32, dynamic-eid subnet1, inherited from default locator-set aws
  Locator  Pri/Wgt  Source     State
33.33.33.33    1/100  cfg-addr   site-self, reachable
csr-aws#show ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 4 entries

0.0.0.0/0, uptime: 00:09:49, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.0.1.0/24, uptime: 00:09:49, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
10.0.1.4/30, uptime: 00:00:55, expires: 00:00:57, via map-reply, forward-native
  Encapsulating to proxy ETR 
10.0.1.100/32, uptime: 00:01:34, expires: 23:58:26, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt     Encap-IID
11.11.11.11  00:01:34  up           1/100       -
csr-aws#show lisp dynamic-eid detail
% Command accepted but obsolete, unreleased or unsupported; see documentation.

LISP Dynamic EID Information for VRF "default"

Dynamic-EID name: subnet1
  Database-mapping EID-prefix: 10.0.1.0/24, locator-set aws
  Registering more-specific dynamic-EIDs
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: 239.0.0.1
  Number of roaming dynamic-EIDs discovered: 2
  Last dynamic-EID discovered: 10.0.1.20, 00:01:37 ago
    10.0.1.1, GigabitEthernet2, uptime: 00:09:23
      last activity: 00:00:42, discovered by: Packet Reception
    10.0.1.20, GigabitEthernet2, uptime: 00:01:37
      last activity: 00:00:40, discovered by: Packet Reception
CSR-DC#show ip lisp database 
LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x1
Entries total 1, no-route 0, inactive 0

10.0.1.100/32, dynamic-eid subnet1, inherited from default locator-set dc
  Locator  Pri/Wgt  Source     State
11.11.11.11    1/100  cfg-addr   site-self, reachable
CSR-DC#show ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

10.0.1.0/24, uptime: 1d08h, expires: never, via dynamic-EID, send-map-request
  Negative cache entry, action: send-map-request
10.0.1.20/32, uptime: 00:00:35, expires: 23:59:24, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt     Encap-IID
33.33.33.33  00:00:35  up           1/100

CSR-DC#show lisp dynamic-eid detail
% Command accepted but obsolete, unreleased or unsupported; see documentation.

LISP Dynamic EID Information for VRF "default"

Dynamic-EID name: subnet1
  Database-mapping EID-prefix: 10.0.1.0/24, locator-set dc
  Registering more-specific dynamic-EIDs
  Map-Server(s): none configured, use global Map-Server
  Site-based multicast Map-Notify group: 239.0.0.1
  Number of roaming dynamic-EIDs discovered: 1
  Last dynamic-EID discovered: 10.0.1.100, 1d08h ago
    10.0.1.100, GigabitEthernet2, uptime: 1d08h
      last activity: 00:00:47, discovered by: Packet Reception

CSR-DC#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID       
dc             never     no     --                            10.0.1.0/24
               00:08:41  yes#   33.33.33.33                   10.0.1.1/32
               00:01:00  yes#   33.33.33.33                   10.0.1.20/32
               1d08h     yes#   11.11.11.11                   10.0.1.100/32
CSR-DC#show ip cef 10.0.1.20
10.0.1.20/32
  nexthop 33.33.33.33 LISP0
CSR-DC#
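The show lisp site table above is the registration state a defender wants to watch: a host registered from an RLOC other than one of the two xTRs, or a row flagged with "*", indicates that the mapping system no longer reflects the intended topology. The following script is an added example, not part of the Cisco document; it parses show lisp site output, tells you on which side (RLOC) a given host currently lives, and reports anomalies. The sample output is constructed from the table above, with the last row altered to carry a "*" flag so the check has something to find.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the 'show lisp site' output in this chapter.
# The 10.0.1.100/32 row was changed to 'yes*' to exercise the down-locator check.
SHOW_LISP_SITE = """\
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
dc             never     no     --                            10.0.1.0/24
               00:08:41  yes#   33.33.33.33                   10.0.1.1/32
               00:01:00  yes#   33.33.33.33                   10.0.1.20/32
               1d08h     yes*   11.11.11.11                   10.0.1.100/32
"""

# One data row: optional site name, last-register time, yes/no plus flags,
# registering RLOC, optional instance ID, EID prefix. Header/legend lines
# do not match because their third column is not 'yes' or 'no'.
ROW = re.compile(r"^(?P<site>\S+)?\s+(?P<last>\S+)\s+(?P<up>yes|no)(?P<flags>[#*]*)"
                 r"\s+(?P<who>\S+)\s+(?:(?P<iid>\d+)\s+)?(?P<eid>\S+/\d+)\s*$")

@dataclass
class Registration:
    site: str
    eid: str
    registered: bool
    last: str
    who: str            # RLOC that last registered the prefix ('--' if none)
    locators_down: bool # '*' flag
    reliable: bool      # '#' flag: registration over reliable transport

def parse_lisp_site(text):
    regs, site = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            site = m["site"] or site  # continuation rows inherit the site name
            regs.append(Registration(site, m["eid"], m["up"] == "yes", m["last"],
                                     m["who"], "*" in m["flags"], "#" in m["flags"]))
    return regs

def where_is(regs, host):
    """RLOC currently registering the /32 for host, or None if unknown."""
    return next((r.who for r in regs if r.registered and r.eid == f"{host}/32"), None)

def audit(regs, expected_rlocs, configured_eid_records):
    """Findings for a site; an empty list means registrations look healthy.
    A configured eid-record (the /24 aggregate) legitimately shows 'never'
    because only the more-specific dynamic EIDs register, so it is skipped."""
    findings = []
    for r in regs:
        if not r.registered and r.eid not in configured_eid_records:
            findings.append(f"{r.eid}: not registered")
        elif r.registered and r.who not in expected_rlocs:
            findings.append(f"{r.eid}: registered by unexpected RLOC {r.who}")
        if r.locators_down:
            findings.append(f"{r.eid}: some locators down (*)")
    return findings
```

Run it against live output by replacing SHOW_LISP_SITE with the text captured from the MS/MR; audit() returning a non-empty list is the condition to alert on.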