The campus fabric architecture for enterprise networks uses the Locator/ID Separation Protocol (LISP) as its overlay protocol. The overlay virtual network uses Virtual Routing and Forwarding (VRF) to provide segmentation, isolation, and security among the network elements. LISP binds VRFs to instance IDs (IIDs), and these IIDs are included in the LISP header to provide traffic flow separation for single or multi-hop needs.
LISP-learned mappings are kept within the same instance ID (IID) or VRF context and are not shared across IIDs or VRFs. When two hosts (subscriber and provider) communicate with each other across IIDs, LISP mappings are shared across the IIDs. This support for communication across IIDs is called Extranet or LISP VRF Leaking.
Cisco IOS XE 16.6.1 supports inter-VRF communication through LISP, giving the hosts (endpoints) access to resources in other VRFs while maintaining the isolation between the hosts themselves.
In the following topology, assume that hosts H1 and H2 are in VRF A, corresponding to IID 1000. Host H11 is in VRF B, corresponding to IID 2000. Host H22 is in VRF C, corresponding to IID 3000. All hosts in VRF A, VRF B, and VRF C access shared services from server H3 in VRF S, corresponding to IID 5000. You can achieve this by configuring an extranet policy on the MSMR (xTR3), as shown in the figure.
The following sequence of events occurs:
ETRs (xTR1 and xTR2) detect local hosts (H1, H11 and H2, H22 respectively) and register them in the corresponding source IIDs (1000, 2000 and 3000).
When the ITR (xTR1) receives a request from H1 to communicate with H3, it generates map-requests for the destination prefix (H3) in the context of source IID 1000.
The MSMR (xTR3) receives the map-request and does not find the destination EID/prefix, H3, in the source IID context (1000). It looks up H3 in the extranet policy table to determine the destination IID (5000). The MSMR adds the destination IID (5000) as the encapsulation IID to the map-reply packet and sends it to xTR1.
On receiving the map-reply, xTR1 installs the destination VRF as the encapsulation IID (5000) with the EID and RLOC in the map-cache. xTR1 uses the source IID (1000) to match the incoming packets from its hosts. It encapsulates the packets towards remote RLOCs with the encapsulation IID (5000) instead of the source IID (1000).
Note the following before configuring extranet:
Ensure that there are no overlapping prefixes in different instance IDs of the extranet. However, the provider and client can be configured on the same node.
0.0.0.0 is not supported as extranet prefix.
Fast roaming with extranet or VRF leaking is not supported.
IPv6 EIDs are not supported.
Solicit-Map-Request (SMR) or Probing is not supported.
Prefix-list and dynamic EIDs are not supported.
Extranet multicast is not supported.
The MSMR facilitates routing among the EID prefixes by forwarding or replying to map requests from ITRs. The extranet policy defined on the MSMR decides which leaking across VRFs is allowed to facilitate extranet communication.
Add the following configuration on MSMR to enable Extranet feature:
New extranet command
```
extranet ext1
 eid-record-provider instance-id 5000
  10.0.0.0/8 bidirectional
 eid-record-subscriber instance-id 1000
  3.0.0.0/24 bidirectional
 eid-record-subscriber instance-id 2000
  20.20.0.0/8 bidirectional
 eid-record-subscriber instance-id 3000
  4.0.0.0/8 bidirectional
!
```
Note: extranet ext1, eid-record-provider and eid-record-subscriber are new commands for the extranet feature. These commands allow extranet policy in both directions: prefixes in IID 5000 can communicate with prefixes in instances 1000, 2000 and 3000 and conversely. Prefixes in IIDs 1000, 2000 and 3000 cannot communicate among themselves.
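The policy above and the MSMR lookup described in the sequence of events can be modelled offline to audit which VRFs a given extranet actually leaks between. This is an added example, not Cisco code: the function names `parse_extranet`, `lint` and `encap_iid` are hypothetical, the parser handles only the stanza layout shown on this page, and the lookup assumes the destination was already missed in the source IID.

```python
import ipaddress

# The extranet policy from this page's MSMR example, embedded for offline use.
CONFIG = """\
extranet ext1
 eid-record-provider instance-id 5000
  10.0.0.0/8 bidirectional
 eid-record-subscriber instance-id 1000
  3.0.0.0/24 bidirectional
 eid-record-subscriber instance-id 2000
  20.20.0.0/8 bidirectional
 eid-record-subscriber instance-id 3000
  4.0.0.0/8 bidirectional
"""

def parse_extranet(text):
    """Return [(role, iid, network)] from eid-record-* stanzas."""
    records, role, iid = [], None, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0].startswith("eid-record-") and tok[1] == "instance-id":
            role, iid = tok[0][len("eid-record-"):], int(tok[2])
        elif role and tok and "/" in tok[0]:
            # strict=False because the page's 20.20.0.0/8 has host bits set
            records.append((role, iid, ipaddress.ip_network(tok[0], strict=False)))
    return records

def lint(records):
    """Flag what the page lists as unsupported: 0.0.0.0 and cross-IID overlaps."""
    problems = []
    for i, (_, iid_a, net_a) in enumerate(records):
        if int(net_a.network_address) == 0:
            problems.append(f"IID {iid_a}: 0.0.0.0 is not a supported extranet prefix")
        for _, iid_b, net_b in records[i + 1:]:
            if iid_a != iid_b and net_a.overlaps(net_b):
                problems.append(f"{net_a} (IID {iid_a}) overlaps {net_b} (IID {iid_b})")
    return problems

def encap_iid(records, src_iid, dst_ip):
    """Model of the extranet lookup: encapsulation IID for a map-request, or None."""
    roles = {iid: role for role, iid, _ in records}
    addr = ipaddress.ip_address(dst_ip)
    if src_iid not in roles:          # source VRF is not part of this extranet
        return None
    for role, iid, net in records:
        # Leak only between provider and subscriber, never subscriber to subscriber.
        if iid != src_iid and addr in net and {role, roles[src_iid]} == {"provider", "subscriber"}:
            return iid
    return None
```

Running `lint` over a proposed policy before it is applied catches an overlapping prefix that would otherwise make the destination IID ambiguous, and `encap_iid` returning `None` for a subscriber-to-subscriber pair confirms that isolation between subscriber VRFs is preserved.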
Enhanced map-cache command to support extranet feature
If the MSMR and PxTR are on the same device, use the map-cache extranet-registration command to install all configured extranet prefixes into the map-cache and generate map requests for all fabric destinations. Use this command in the service ipv4/ipv6 mode.
On the PxTR, use the route-import map-cache bgp command to install all these configured prefixes into the map-cache to generate map requests for fabric destinations.
show lisp extranet command shows the extranet policy per instance
```
MSMR# show lisp extranet ext1 instance-id 1
LISP Extranet policy table
Home Instance ID: 1
Total entries: 4
Provider/Subscriber  Inst ID    EID prefix
Provider             1          1.1.1.0/24
Subscriber           2          2.2.2.0/24
Subscriber           3          3.3.3.0/24
Subscriber           4          4.4.4.0/24
MSMR#
MSMR#show lisp extranet ext1 instance-id 2
LISP Extranet policy table
Home Instance ID: 2
Total entries: 2
Provider/Subscriber  Inst ID    EID prefix
Provider             1          1.1.1.0/24
Subscriber           2          2.2.2.0/24
MSMR#
MSMR#show lisp extranet ext1 instance-id 3
LISP Extranet policy table
Home Instance ID: 3
Total entries: 2
Provider/Subscriber  Inst ID    EID prefix
Provider             1          1.1.1.0/24
Subscriber           3          3.3.3.0/24
MSMR#
MSMR#show lisp extranet ext1 instance-id 4
LISP Extranet policy table
Home Instance ID: 4
Total entries: 2
Provider/Subscriber  Inst ID    EID prefix
Provider             1          1.1.1.0/24
Subscriber           4          4.4.4.0/24
```
Add the instance-id of the VRF that provides external internet connectivity at PxTR, using the enhanced use-petr command.
```
service ipv4
 itr map-resolver 4.4.4.4
 itr
 etr map-server 4.4.4.4 key cisco
 etr
 use-petr 4.4.4.4 instance-id 5000 priority 1 weight 100
 exit-service-ipv4
```
show map cache command displays destination/encapsulation IID
```
XTR-1#show lisp instance-id 1000 ipv4 map-cache
LISP IPv4 Mapping Cache for EID-table vrf red (IID 1000), 2 entries

192.168.7.0/24, uptime: 00:00:54, expires: 23:59:56, via map-reply, complete
  Locator   Uptime    Stat  Pri/Wgt  Encap-IID
  10.0.2.2  00:00:54  up    1/100    5000
3.0.0.0/8, uptime: 00:00:19, expires: 00:14:40, via map-reply, forward-native
  Encapsulating to proxy ETR Encap-IID 5000
```
Release | Modification
---|---
Cisco IOS XE Everest 16.6.1 | This feature was introduced.