SlideShare una empresa de Scribd logo

LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN

J
JobSnijders

These slide are from a presentation I gave at the Cisco NAG2010 conference about using LISP to build large VPN's over the internet instead of regular GRE or DMVPN based setups.

Tecnología
1 de 32
Applied LISP LISP is good for you! Job Snijders job@instituut.net Protégé of InTouch N.V., The Netherlands
Who am I? Job Snijders • One of the chosen few: I got native v6 at home • Love bleeding edge stuff • Co-author LISP LCAF draft
What’s InTouch NV? • 16 years old (73 in internet years) • Managed Service provider • Nice & decent network through West-Europe • Sells technology independent products which we call “services” • Example: Large private networks for multinationals in multi-tenant way
What is LISP? • http://en.wikipedia.org/wiki/Locator/Identifie r_Separation_Protocol • Abstraction layer • Location independent prefixes • IPv4 over IPv4, IPv6 over IPv4, IPv4 over IPv6, IPv6 over IPv6
Problem statement Dear Santa, I’d like a manageable way of building large virtual private networks over the internet. your friend, Job
Our typical “Satellite” office • 2 (cheap) internet connections from 2 ISP’s • 1 (cheap) router • 1 RFC1918 prefix behind it • 5 to 10 people behind it that need access to corporate IT: Active Directory, Exchange, etc
Our typical “Satellite” office
Current approach Remember: We don’t own the last mile. We have to deliver over the top. • Build 2 GRE or DMVPN tunnels • Use plain IPSEC or GETVPN • OSPF for tunnel/link failover
DMVPN is horrible:
Quick overview • Replace DMVPN + OSPF with LISP • GETVPN stays because we need security • Components: – Map-Server (NX-OS) – Key-Server (IOS) – Proxy Router (IOS because we do GETVPN) – xTR (IOS)
Helicopter overview
Proxy Router (PxTR) bridge between LISP world and VRF • Public IP address (reachable for all xTR’s) • Talk BGP with VRF intouch-office • GRE Tunnel to MapServer for LISP+ALT – Talk BGP with MapServer • GRE Tunnel to Keyserver – because PxTR and xTR functionality don’t mix (this is an implementation limitation, not protocol)
PxTR Picture interface LISP0 ip policy route-map nexthop crypto map GETVPN_MAP end route-map nexthop permit 10 match ip address 10 set ip next-hop 172.16.0.1
PxTR Config ip lisp path-mtu-discovery min 1280 max 1500 ip lisp alt-vrf lisp ip lisp proxy-etr ip lisp proxy-itr 212.2.2.2 interface FastEthernet0/1.300 encapsulation dot1Q 300 ip address 172.16.0.20 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360 address-family ipv4 vrf lisp no synchronization redistribute connected redistribute static neighbor 10.0.1.1 remote-as 65100 neighbor 10.0.1.1 update-source Tunnel321 neighbor 10.0.1.1 activate neighbor 10.0.1.1 next-hop-self neighbor 10.0.1.1 soft-reconfiguration inbound exit-address-family
Pxtr# show ip route vrf lisp Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.0.1.0/30 is directly connected, Tunnel321 L 10.0.1.2/32 is directly connected, Tunnel321 172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks B 172.16.31.1/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.3/32 [20/0] via 10.0.1.1, 1d06h B 172.16.31.4/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.5/32 [20/0] via 10.0.1.1, 5d20h B 172.16.31.6/32 [20/0] via 10.0.1.1, 1d05h B 172.16.42.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.43.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.45.0/24 [20/0] via 10.0.1.1, 5d20h B 172.16.46.0/24 [20/0] via 10.0.1.1, 1d04h
MapServer • Similar to DNS Server • Public reachable IP address • Not a part of the GETVPN cloud • xTR’s register themselves at the MapServer • PxTR talks with MapServer to know who is where (over that GRE tunnel)
MapServer picture (think DNS!)
MapServer Config lisp site jobsnijders-thuis eid-prefix 172.16.31.3/32 eid-prefix 172.16.42.0/24 authentication-key 3 28923r98234ed6cace39629cdd637 description Job Snijders home lisp site kevin-home-xtr eid-prefix 172.16.31.6/32 eid-prefix 172.16.46.0/24 authentication-key 3 3fac3b00cfbfd17b3e9ec69b8c43efd description Kevin home lisp site keyserver eid-prefix 172.16.31.1/32 authentication-key 3 023489234eabce94ed6cace3dd637 description keyserver
KeyServer • Reachable for every xTR over the LISP cloud • Has 1 /32 EID • Tunnel to PxTR so PxTR can join in the GDOI without being an xTR
KeyServer Picture
KeyServer Config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp database-mapping 172.16.31.1/32 IPv4- interface FastEthernet0/0.95 priority 0 weight 100 ip lisp itr map-resolver 212.2.2.2 ip lisp itr ip lisp etr map-server 212.2.2.2 key k3ys3rv3r ip lisp etr accept-map-request-mapping ip lisp etr
KeyServer config #2 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 ! crypto isakmp policy 50 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth crypto isakmp keepalive 10 periodic ! ! crypto ipsec transform-set GETVPN_TS esp-3des esp-sha-hmac ! crypto ipsec profile GETVPN_PROFILE set transform-set GETVPN_TS ! crypto gdoi group GETVPN_GROUP identity number 666 server local rekey retransmit 10 number 2 rekey authentication mypubkey rsa public-intouch-office-ks-key rekey transport unicast sa ipsec 1 profile GETVPN_PROFILE match address ipv4 LAN replay time window-size 36 address ipv4 172.16.31.1 interface Loopback0 ip address 172.16.31.1 255.255.255.255 ! interface Tunnel10 description to PxTR ip address 10.0.2.1 255.255.255.252 tunnel source FastEthernet0/0.95 tunnel destination 212.26.197.2 ! interface LISP0 end ip access-list extended LAN deny udp any eq 848 any eq 848 deny udp any eq isakmp any eq isakmp deny ip 172.16.31.0 0.0.0.255 172.16.31.0 0.0.0.255 permit ip any any
xTR “the satellite office router” • 1 or 2 uplinks to the internet (just transport) • Push all packets from LAN to PxTR or other xTR’s • All “vpn” packets go with encrypted payload over the internets • “internet access” is done via Firewall in the VRF
xTR Picture xTR
xTR config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp path-mtu-discovery min 1280 max 1500 ip lisp use-petr 212.2.2.2 ip lisp database-mapping 172.16.31.5/32 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp database-mapping 172.16.45.0/24 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp itr map-resolver 212.3.3.3 ip lisp itr ip lisp etr map-server 212.3.3.3 key blablakeymap ip lisp etr accept-map-request-mapping ip lisp etr
xTR config #1 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth ! ! crypto gdoi group GETVPN_GROUP_GM identity number 666 server address ipv4 172.16.31.1 client registration interface Loopback0 crypto map GETVPN_MAP 10 gdoi set group GETVPN_GROUP_GM interface Loopback0 ip address 172.16.31.5 255.255.255.255 ! interface LISP0 crypto map GETVPN_MAP interface FastEthernet0/0 description LAN ip address 172.16.45.1 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360
A Sample traceroute: from satellite office to server behind the VRF job@DennyCrane:~$ traceroute 172.16.4.202 traceroute to 172.16.4.202 (172.16.4.202), 30 hops max, 60 byte packets 1 172.16.42.253 (172.16.42.253) 6.102 ms 7.229 ms 7.212 ms 2 172.16.0.20 (172.16.0.20) 18.650 ms 18.651 ms 18.622 ms 3 172.16.0.1 (172.16.0.1) 13.968 ms 13.993 ms 14.020 ms 4 172.16.4.202 (172.16.4.202) 13.931 ms 13.899 ms 13.897 ms job@DennyCrane:~$
Things to worry about • MTU (with 1500 internet you have 1390 payload) • Security – Mapserver registrations are unencrypted – RFC1918 ip addresses are visible when wiretapping – But GETVPN protects everything and ensures integrity (So I think LISP is actually doing pretty fine)
Our status At InTouch we have been running this for a while now with a select group of “special” customers (read: guinea pigs)
Near Future We have got that much faith that we will deploy this to real customers in the next 3 weeks
Conclusion LISP is good for you! Any questions? job@instituut.net

Recomendados

Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
IS-IS Protocol Introduction
IS-IS Protocol IntroductionIS-IS Protocol Introduction
IS-IS Protocol IntroductionNetProtocol Xpert
 
Proper spanning tree.pptx
Proper spanning tree.pptxProper spanning tree.pptx
Proper spanning tree.pptxEoin Irwin
 
Introduction to vxlan
Introduction to vxlanIntroduction to vxlan
Introduction to vxlanMohammed Umair
 
Introducing segment routing TE
Introducing segment routing TEIntroducing segment routing TE
Introducing segment routing TEAlex Bogdanov
 
Spanning Tree Protocol Cheat Sheet
Spanning Tree Protocol Cheat SheetSpanning Tree Protocol Cheat Sheet
Spanning Tree Protocol Cheat SheetPrasanna Shanmugasundaram
 

Recomendados

Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecCisco Russia
 
DMVPN
DMVPNDMVPN
DMVPNNetProtocol Xpert
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionAPNIC
 
IS-IS Protocol Introduction
IS-IS Protocol IntroductionIS-IS Protocol Introduction
IS-IS Protocol IntroductionNetProtocol Xpert
 
Proper spanning tree.pptx
Proper spanning tree.pptxProper spanning tree.pptx
Proper spanning tree.pptxEoin Irwin
 
Introduction to vxlan
Introduction to vxlanIntroduction to vxlan
Introduction to vxlanMohammed Umair
 
Introducing segment routing TE
Introducing segment routing TEIntroducing segment routing TE
Introducing segment routing TEAlex Bogdanov
 
Spanning Tree Protocol Cheat Sheet
Spanning Tree Protocol Cheat SheetSpanning Tree Protocol Cheat Sheet
Spanning Tree Protocol Cheat SheetPrasanna Shanmugasundaram
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolArash Foroughi
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN DeploymentAPNIC
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Netgate
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Bruno Teixeira
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsGunter Van de Velde
 
Demystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode seriesDemystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode seriesCumulus Networks
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Nutan Singh
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Kentaro Ebisawa
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRoutingFaisal Reza
 
BGP Overview
BGP OverviewBGP Overview
BGP OverviewMatt Bynum
 
Doc6 mpls vpn-ppt
Doc6 mpls vpn-pptDoc6 mpls vpn-ppt
Doc6 mpls vpn-pptSwarup Kumar Mall
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN NetProtocol Xpert
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLANFlexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLANCisco Canada
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases APNIC
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 
TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessRobb Boyd
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 

Más contenido relacionado

La actualidad más candente

Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolArash Foroughi
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN DeploymentAPNIC
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Netgate
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Bruno Teixeira
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsGunter Van de Velde
 
Demystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode seriesDemystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode seriesCumulus Networks
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecShortestPathFirst
 
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Nutan Singh
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceBertrand Duvivier
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Kentaro Ebisawa
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRoutingFaisal Reza
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkPavel Odintsov
 
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLANFlexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLANCisco Canada
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikGLC Networks
 
SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases APNIC
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsPavel Odintsov
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)Netwax Lab
 

La actualidad más candente (20)

Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree Protocol
 
MPLS L3 VPN Deployment
MPLS L3 VPN DeploymentMPLS L3 VPN Deployment
MPLS L3 VPN Deployment
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
Cisco Live! :: Cisco ASR 9000 Architecture :: BRKARC-2003 | Las Vegas 2017
 
A comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodingsA comparison of segment routing data-plane encodings
A comparison of segment routing data-plane encodings
 
Demystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode seriesDemystifying EVPN in the data center: Part 1 in 2 episode series
Demystifying EVPN in the data center: Part 1 in 2 episode series
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP)
 
Cisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advanceCisco Live Milan 2015 - BGP advance
Cisco Live Milan 2015 - BGP advance
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
 
BGP Overview
BGP OverviewBGP Overview
BGP Overview
 
Doc6 mpls vpn-ppt
Doc6 mpls vpn-pptDoc6 mpls vpn-ppt
Doc6 mpls vpn-ppt
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLANFlexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
Flexible Data Centre Fabric - FabricPath/TRILL, OTV, LISP and VXLAN
 
Network LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with MikrotikNetwork LACP/Bonding/Teaming with Mikrotik
Network LACP/Bonding/Teaming with Mikrotik
 
SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases SRv6 Network Programming: deployment use-cases
SRv6 Network Programming: deployment use-cases
 
BGP FlowSpec experience and future developments
BGP FlowSpec experience and future developmentsBGP FlowSpec experience and future developments
BGP FlowSpec experience and future developments
 
STP (spanning tree protocol)
STP (spanning tree protocol)STP (spanning tree protocol)
STP (spanning tree protocol)
 

Similar a LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN

TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessRobb Boyd
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Netwax Lab
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNetwax Lab
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...Cisco Russia
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1n|u - The Open Security Community
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Support for Network-based User Mobility with LISP
Support for Network-based User Mobility with LISPSupport for Network-based User Mobility with LISP
Support for Network-based User Mobility with LISPAndrea Galvani
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
dokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptdokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptThorOdinson55
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 

Similar a LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN (20)

TechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined AccessTechWiseTV Workshop: Software-Defined Access
TechWiseTV Workshop: Software-Defined Access
 
Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)Nxll18 vpn (s2 s gre & dmvpn)
Nxll18 vpn (s2 s gre & dmvpn)
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
Nxll17 dynamic routing with asa
Nxll17 dynamic routing with asaNxll17 dynamic routing with asa
Nxll17 dynamic routing with asa
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
 
Tech f42
Tech f42Tech f42
Tech f42
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
Support for Network-based User Mobility with LISP
Support for Network-based User Mobility with LISPSupport for Network-based User Mobility with LISP
Support for Network-based User Mobility with LISP
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
MPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdfMPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdf
 
Ipv6
Ipv6Ipv6
Ipv6
 
FD.io - The Universal Dataplane
FD.io - The Universal DataplaneFD.io - The Universal Dataplane
FD.io - The Universal Dataplane
 
dokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptdokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.ppt
 
IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 

Último

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

LISP + GETVPN as alternative to DMVPN+OSPF+GETVPN

  • 1. Applied LISP LISP is good for you! Job Snijders job@instituut.net Protégé of InTouch N.V., The Netherlands
  • 2. Who am I? Job Snijders • One of the chosen few: I got native v6 at home • Love bleeding edge stuff • Co-author LISP LCAF draft
  • 3. What’s InTouch NV? • 16 years old (73 in internet years) • Managed Service provider • Nice & decent network through West-Europe • Sells technology independent products which we call “services” • Example: Large private networks for multinationals in multi-tenant way
  • 4. What is LISP? • http://en.wikipedia.org/wiki/Locator/Identifie r_Separation_Protocol • Abstraction layer • Location independent prefixes • IPv4 over IPv4, IPv6 over IPv4, IPv4 over IPv6, IPv6 over IPv6
  • 5. Problem statement Dear Santa, I’d like a manageable way of building large virtual private networks over the internet. your friend, Job
  • 6. Our typical “Satellite” office • 2 (cheap) internet connections from 2 ISP’s • 1 (cheap) router • 1 RFC1918 prefix behind it • 5 to 10 people behind it that need access to corporate IT: Active Directory, Exchange, etc
  • 8. Current approach Remember: We don’t own the last mile. We have to deliver over the top. • Build 2 GRE or DMVPN tunnels • Use plain IPSEC or GETVPN • OSPF for tunnel/link failover
  • 10.
  • 11. Quick overview • Replace DMVPN + OSPF with LISP • GETVPN stays because we need security • Components: – Map-Server (NX-OS) – Key-Server (IOS) – Proxy Router (IOS because we do GETVPN) – xTR (IOS)
  • 13. Proxy Router (PxTR) bridge between LISP world and VRF • Public IP address (reachable for all xTR’s) • Talk BGP with VRF intouch-office • GRE Tunnel to MapServer for LISP+ALT – Talk BGP with MapServer • GRE Tunnel to Keyserver – because PxTR and xTR functionality don’t mix (this is an implementation limitation, not protocol)
  • 14. PxTR Picture interface LISP0 ip policy route-map nexthop crypto map GETVPN_MAP end route-map nexthop permit 10 match ip address 10 set ip next-hop 172.16.0.1
  • 15. PxTR Config ip lisp path-mtu-discovery min 1280 max 1500 ip lisp alt-vrf lisp ip lisp proxy-etr ip lisp proxy-itr 212.2.2.2 interface FastEthernet0/1.300 encapsulation dot1Q 300 ip address 172.16.0.20 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360 address-family ipv4 vrf lisp no synchronization redistribute connected redistribute static neighbor 10.0.1.1 remote-as 65100 neighbor 10.0.1.1 update-source Tunnel321 neighbor 10.0.1.1 activate neighbor 10.0.1.1 next-hop-self neighbor 10.0.1.1 soft-reconfiguration inbound exit-address-family
  • 16. Pxtr# show ip route vrf lisp Gateway of last resort is not set 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.0.1.0/30 is directly connected, Tunnel321 L 10.0.1.2/32 is directly connected, Tunnel321 172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks B 172.16.31.1/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.3/32 [20/0] via 10.0.1.1, 1d06h B 172.16.31.4/32 [20/0] via 10.0.1.1, 6d09h B 172.16.31.5/32 [20/0] via 10.0.1.1, 5d20h B 172.16.31.6/32 [20/0] via 10.0.1.1, 1d05h B 172.16.42.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.43.0/24 [20/0] via 10.0.1.1, 6d09h B 172.16.45.0/24 [20/0] via 10.0.1.1, 5d20h B 172.16.46.0/24 [20/0] via 10.0.1.1, 1d04h
  • 17. MapServer • Similar to DNS Server • Public reachable IP address • Not a part of the GETVPN cloud • xTR’s register themselves at the MapServer • PxTR talks with MapServer to know who is where (over that GRE tunnel)
  • 19. MapServer Config lisp site jobsnijders-thuis eid-prefix 172.16.31.3/32 eid-prefix 172.16.42.0/24 authentication-key 3 28923r98234ed6cace39629cdd637 description Job Snijders home lisp site kevin-home-xtr eid-prefix 172.16.31.6/32 eid-prefix 172.16.46.0/24 authentication-key 3 3fac3b00cfbfd17b3e9ec69b8c43efd description Kevin home lisp site keyserver eid-prefix 172.16.31.1/32 authentication-key 3 023489234eabce94ed6cace3dd637 description keyserver
  • 20. KeyServer • Reachable for every xTR over the LISP cloud • Has 1 /32 EID • Tunnel to PxTR so PxTR can join in the GDOI without being an xTR
  • 22. KeyServer Config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp database-mapping 172.16.31.1/32 IPv4- interface FastEthernet0/0.95 priority 0 weight 100 ip lisp itr map-resolver 212.2.2.2 ip lisp itr ip lisp etr map-server 212.2.2.2 key k3ys3rv3r ip lisp etr accept-map-request-mapping ip lisp etr
  • 23. KeyServer config #2 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 ! crypto isakmp policy 50 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth crypto isakmp keepalive 10 periodic ! ! crypto ipsec transform-set GETVPN_TS esp-3des esp-sha-hmac ! crypto ipsec profile GETVPN_PROFILE set transform-set GETVPN_TS ! crypto gdoi group GETVPN_GROUP identity number 666 server local rekey retransmit 10 number 2 rekey authentication mypubkey rsa public-intouch-office-ks-key rekey transport unicast sa ipsec 1 profile GETVPN_PROFILE match address ipv4 LAN replay time window-size 36 address ipv4 172.16.31.1 interface Loopback0 ip address 172.16.31.1 255.255.255.255 ! interface Tunnel10 description to PxTR ip address 10.0.2.1 255.255.255.252 tunnel source FastEthernet0/0.95 tunnel destination 212.26.197.2 ! interface LISP0 end ip access-list extended LAN deny udp any eq 848 any eq 848 deny udp any eq isakmp any eq isakmp deny ip 172.16.31.0 0.0.0.255 172.16.31.0 0.0.0.255 permit ip any any
  • 24. xTR “the satellite office router” • 1 or 2 uplinks to the internet (just transport) • Push all packets from LAN to PxTR or other xTR’s • All “vpn” packets go with encrypted payload over the internets • “internet access” is done via Firewall in the VRF
  • 26. xTR config #1 (LISP) lisp loc-reach-algorithm rloc-probing ip lisp path-mtu-discovery min 1280 max 1500 ip lisp use-petr 212.2.2.2 ip lisp database-mapping 172.16.31.5/32 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp database-mapping 172.16.45.0/24 IPv4-interface ATM0/0/0.1 priority 0 weight 100 ip lisp itr map-resolver 212.3.3.3 ip lisp itr ip lisp etr map-server 212.3.3.3 key blablakeymap ip lisp etr accept-map-request-mapping ip lisp etr
  • 27. xTR config #1 (GETVPN) crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 1000 crypto isakmp key blablastrong address 0.0.0.0 0.0.0.0 no-xauth ! ! crypto gdoi group GETVPN_GROUP_GM identity number 666 server address ipv4 172.16.31.1 client registration interface Loopback0 crypto map GETVPN_MAP 10 gdoi set group GETVPN_GROUP_GM interface Loopback0 ip address 172.16.31.5 255.255.255.255 ! interface LISP0 crypto map GETVPN_MAP interface FastEthernet0/0 description LAN ip address 172.16.45.1 255.255.255.0 ip mtu 1400 ip tcp adjust-mss 1360
  • 28. A Sample traceroute: from satellite office to server behind the VRF job@DennyCrane:~$ traceroute 172.16.4.202 traceroute to 172.16.4.202 (172.16.4.202), 30 hops max, 60 byte packets 1 172.16.42.253 (172.16.42.253) 6.102 ms 7.229 ms 7.212 ms 2 172.16.0.20 (172.16.0.20) 18.650 ms 18.651 ms 18.622 ms 3 172.16.0.1 (172.16.0.1) 13.968 ms 13.993 ms 14.020 ms 4 172.16.4.202 (172.16.4.202) 13.931 ms 13.899 ms 13.897 ms job@DennyCrane:~$
  • 29. Things to worry about • MTU (with 1500 internet you have 1390 payload) • Security – Mapserver registrations are unencrypted – RFC1918 ip addresses are visible when wiretapping – But GETVPN protects everything and ensures integrity (So I think LISP is actually doing pretty fine)
  • 30. Our status At InTouch we have been running this for a while now with a select group of “special” customers (read: guinea pigs)
  • 31. Near Future We have got that much faith that we will deploy this to real customers in the next 3 weeks
  • 32. Conclusion LISP is good for you! Any questions? job@instituut.net