Categories
CCNP Enterprise Core (350-401) Cisco Overlay

VXLAN With Static Unicast Underlay

VXLAN can be configured without multicast: each router is simply pointed at the other's unicast address (the ingress-replication command in the configurations below).

The topology being used for unicast VXLAN

User-Device-1 can ping User-Device-2 in the same subnet, despite there being no routing between them.

User-Device-1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms

Site-1

Site-1#show run
Building configuration...

Current configuration : 6497 bytes
!
! Last configuration change at 21:37:46 UTC Thu Oct 14 2021
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Site-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1297834211
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1297834211
 revocation-check none
 rsakeypair TP-self-signed-1297834211
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1297834211
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
license udi pid CSR1000V sn 9FJ935MF15G
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source GigabitEthernet2
 tunnel destination 1.1.4.2
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 service instance 1 ethernet
  encapsulation untagged
 !
!
interface GigabitEthernet2
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface nve1
 no ip address
 source-interface Loopback0
 member vni 4096
  ingress-replication 10.10.10.20
 !
 no mop enabled
 no mop sysid
!
router ospf 1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 length 0
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

Site-2

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Site-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-849732361
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-849732361
 revocation-check none
 rsakeypair TP-self-signed-849732361
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-849732361
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
license udi pid CSR1000V sn 9USN3N7UQKF
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.10.10.20 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source GigabitEthernet2
 tunnel destination 1.1.1.1
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 service instance 1 ethernet
  encapsulation untagged
 !
!
interface GigabitEthernet2
 ip address 1.1.4.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface nve1
 no ip address
 source-interface Loopback1
 member vni 4096
  ingress-replication 10.10.10.10
 !
 no mop enabled
 no mop sysid
!
router ospf 1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.4.1
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end
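
With static unicast VXLAN, each side's ingress-replication address has to be the other side's NVE source-interface address, and the VNI has to match on both routers and in the bridge-domain. The following check is an added example, not part of the original post: the two config excerpts are trimmed from the Site-1 and Site-2 configurations above, and the function names parse_vtep and check_peering are hypothetical.

```python
# Excerpts trimmed from the Site-1 and Site-2 configurations shown above.
SITE1 = """\
hostname Site-1
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface nve1
 no ip address
 source-interface Loopback0
 member vni 4096
  ingress-replication 10.10.10.20
 !
"""
SITE2 = """\
hostname Site-2
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
interface Loopback1
 ip address 10.10.10.20 255.255.255.255
!
interface nve1
 no ip address
 source-interface Loopback1
 member vni 4096
  ingress-replication 10.10.10.10
 !
"""


def parse_vtep(config):
    """Extract hostname, NVE source IP, bridge-domain VNIs and per-VNI peers."""
    vtep = {"hostname": None, "source_ip": None,
            "bridge_vnis": set(), "vni_peers": {}}
    iface_ip, nve_source, section, vni = {}, None, None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words == ["!"]:
            continue
        if not line.startswith(" "):           # a new top-level stanza begins
            section, vni = words, None
            if words[0] == "hostname":
                vtep["hostname"] = words[1]
            continue
        if section is None:
            continue
        if section[0] == "bridge-domain" and words[:2] == ["member", "vni"]:
            vtep["bridge_vnis"].add(int(words[2]))
        elif section[0] == "interface":
            name = section[1]
            if words[:2] == ["ip", "address"]:
                iface_ip[name] = words[2]
            elif name.lower().startswith("nve"):
                if words[0] == "source-interface":
                    nve_source = words[1]
                elif words[:2] == ["member", "vni"]:
                    vni = int(words[2])
                    vtep["vni_peers"].setdefault(vni, [])
                elif words[0] == "ingress-replication" and vni is not None:
                    vtep["vni_peers"][vni].append(words[1])
    # Resolve the source-interface name to its address once all stanzas are read.
    vtep["source_ip"] = iface_ip.get(nve_source)
    return vtep


def check_peering(a, b):
    """Return a list of mismatches between two VTEP configs (empty if consistent)."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        host, peer = local["hostname"], remote["hostname"]
        if local["source_ip"] is None:
            findings.append(f"{host}: NVE source-interface has no IP address")
        for vni, peers in local["vni_peers"].items():
            if vni not in local["bridge_vnis"]:
                findings.append(f"{host}: VNI {vni} is not a member of any bridge-domain")
            if vni not in remote["vni_peers"]:
                findings.append(f"{host}: VNI {vni} is not configured on {peer}")
                continue
            if remote["source_ip"] not in peers:
                findings.append(
                    f"{host}: VNI {vni} does not replicate to {peer} ({remote['source_ip']})")
            for p in peers:
                if p != remote["source_ip"]:
                    findings.append(
                        f"{host}: VNI {vni} replicates to {p}, which is not {peer}'s NVE source")
    return findings


if __name__ == "__main__":
    for finding in check_peering(parse_vtep(SITE1), parse_vtep(SITE2)) or ["consistent"]:
        print(finding)
```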

VXLAN with Multicast Underlay

One of the control planes available for VXLAN is a multicast underlay; this is how it was configured.

Topology

The goal is to allow User-Device-1 on 10.1.1.1 to communicate with User-Device-2 on 10.1.1.2 via VXLAN, making both devices appear as if they were in a single broadcast domain.

Site-1 and Site-2 are the enterprise-owned routers.

There is a GRE tunnel between Site-1 and Site-2 to act as a VPN for the VXLAN. As configured below it is plain GRE, with no IPsec protection applied to the tunnel.

Core-A, Core-B and Core-C make up the internet service provider's network, which provides only routing between Site-1 and Site-2 through multiple hops.

Testing

User-Device-1#ping 10.1.1.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

User-Device-1 Configuration (Generic L2 Switch)

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname User-Device-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

User-Device-2 Configuration (Generic L2 Switch)

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname User-Device-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

Site-1 Configuration (CSR1000V)

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Site-1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1297834211
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1297834211
 revocation-check none
 rsakeypair TP-self-signed-1297834211
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1297834211
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
license udi pid CSR1000V sn 9KXQ2Y1ERO2
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
 ip ospf 1 area 0
 tunnel source GigabitEthernet2
 tunnel destination 1.1.4.2
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 service instance 1 ethernet
  encapsulation untagged
 !
!
interface GigabitEthernet2
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface nve1
 no ip address
 ip pim sparse-mode
 source-interface Loopback0
 member vni 4096 mcast-group 230.1.1.1
 no mop enabled
 no mop sysid
!
router ospf 1
!
ip forward-protocol nd
ip pim rp-address 10.10.10.20
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

Site-2 Configuration (CSR1000V)

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname Site-2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-849732361
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-849732361
 revocation-check none
 rsakeypair TP-self-signed-849732361
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-849732361
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
license udi pid CSR1000V sn 91G3NG7XFED
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
bridge-domain 1
 member vni 4096
 member GigabitEthernet1 service-instance 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.10.10.20 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 ip pim sparse-mode
 ip ospf 1 area 0
 tunnel source GigabitEthernet2
 tunnel destination 1.1.1.1
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 no mop enabled
 no mop sysid
 service instance 1 ethernet
  encapsulation untagged
 !
!
interface GigabitEthernet2
 ip address 1.1.4.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface nve1
 no ip address
 ip pim sparse-mode
 source-interface Loopback1
 member vni 4096 mcast-group 230.1.1.1
 no mop enabled
 no mop sysid
!
router ospf 1
!
ip forward-protocol nd
ip pim rp-address 10.10.10.20
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.4.1
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

Cisco Software Defined Access (SD-Access)

Cisco Software Defined Access is an example of a VXLAN implementation with the LISP control plane.

The VXLAN specification originated from the Layer 2 LISP specification, which aimed to introduce Layer 2 segmentation support to LISP.

LISP encapsulation can only support IP-in-IP over UDP encapsulation, whilst VXLAN can encapsulate the original Ethernet header to perform MAC-in-IP encapsulation, supporting both Layer 2 and Layer 3 overlays.


Virtual Extensible Local Area Network (VXLAN)

VXLAN is an overlay data plane encapsulation scheme developed to address the various issues seen in layer 2 networks.

It can extend Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network, using MAC-in-IP/UDP tunnelling. Each overlay is known as a VXLAN segment.

IANA (Internet Assigned Numbers Authority) assigned VXLAN the UDP destination port 4789. Linux defaults to 8472 instead, because when VXLAN was first developed for Linux there was no officially designated port defined.

VXLAN has a 24-bit VXLAN Network Identifier (VNI), which allows up to 16 million VXLAN segments, far more than the 4000 VLANs that a 12-bit VLAN ID allows.

The VXLAN Network Identifier is part of a VXLAN shim header that encapsulates the original inner MAC frame originated from an endpoint.

The VNI provides the segmentation for Layer 2 and Layer 3 traffic.
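
The header layout described above can be checked on captured traffic. The following decoder is an added example, not part of the original post: it follows the 8-byte VXLAN header layout from RFC 7348, the sample packet bytes are constructed, and the VTEP addresses and VNI used as expected values are assumptions taken from the lab configurations on this page. The function names are hypothetical.

```python
import struct

VXLAN_PORTS = {4789, 8472}     # IANA-assigned port and the Linux default
FLAG_VNI_VALID = 0x08          # "I" flag: the VNI field carries a valid value

# Assumed expected values, taken from the lab configs on this page.
KNOWN_VTEPS = {"10.10.10.10", "10.10.10.20"}
ALLOWED_VNIS = {4096}

# Constructed sample: the UDP payload of one VXLAN packet carrying VNI 4096.
SAMPLE = bytes.fromhex(
    "08000000" "00100000"           # flags + reserved, VNI 0x001000 + reserved
    "020000000002" "020000000001"   # inner Ethernet dst / src MAC (made up)
    "0800"                          # inner EtherType: IPv4
    "4500"                          # start of the inner IP packet (cut short)
)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(udp_payload):
    """Decode the VXLAN shim header and the inner Ethernet header."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    word1, word2 = struct.unpack("!II", udp_payload[:8])
    if not (word1 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI field is not valid")
    inner = udp_payload[8:]
    return {
        "vni": word2 >> 8,                      # top 24 bits of the second word
        "reserved_clear": (word1 & 0x00FFFFFF) == 0 and (word2 & 0xFF) == 0,
        "inner_dst": _mac(inner[0:6]),
        "inner_src": _mac(inner[6:12]),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
    }


def check_packet(outer_src, dst_port, udp_payload,
                 known_vteps=KNOWN_VTEPS, allowed_vnis=ALLOWED_VNIS):
    """Return the reasons a packet does not match the expected overlay (empty if it does)."""
    if dst_port not in VXLAN_PORTS:
        return [f"UDP port {dst_port} is not a VXLAN port"]
    try:
        hdr = parse_vxlan(udp_payload)
    except ValueError as exc:
        return [f"malformed VXLAN payload: {exc}"]
    findings = []
    if outer_src not in known_vteps:
        findings.append(f"outer source {outer_src} is not a known VTEP")
    if hdr["vni"] not in allowed_vnis:
        findings.append(f"VNI {hdr['vni']} is not an expected segment")
    if not hdr["reserved_clear"]:
        findings.append("reserved header bits are not zero")
    return findings


if __name__ == "__main__":
    print(parse_vxlan(SAMPLE))
    print(check_packet("10.10.10.10", 4789, SAMPLE))
```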

To allow discovery of VNIs, virtual tunnel endpoints (VTEPs) are used. A Virtual Tunnel Endpoint originates or terminates a VXLAN tunnel.

VTEPs map Layer 2 and Layer 3 packets to a VXLAN to be used in the overlay network. There are two interfaces to a VTEP: the local LAN interface and the IP interface.

The local LAN interface provides a bridging interface between local hosts.

The IP interface is a core facing network interface for VXLAN. The IP address associated with the interface helps identify the VTEP on the network. It is used for encapsulating and decapsulating traffic.

A VXLAN gateway can connect devices that do not support VXLAN into a common Layer 2 domain with both VLAN and VXLAN.

The standard of VXLAN does not define a control plane, but only a data plane protocol. This means that VXLAN is left open to be used with multiple different types of control plane. Cisco devices support four different types:

  • VXLAN with a Multicast underlay
  • VXLAN with static unicast VXLAN tunnels
  • VXLAN with MP-BGP EVPN control plane
  • VXLAN with a LISP control plane

MP-BGP EVPN and Multicast are the most popular control planes in use for data centre and private cloud environments.


Lab: Configuring Simple LISP

LISP turns traditional routing upside down.

Instead of routes being pushed out to every other router in the network, routers now ask a central server how and where to reach a certain route, almost like a computer querying a DNS server with a domain name for an IP address.

The topology for this lab

The goal in this lab is to establish connectivity between Branch-A (192.168.1.1) and Branch-B (192.168.2.1) without any of the Core-X devices knowing anything about 192.168.0.0/16.

This means that between LISP1 and LISP2 packets should be encapsulated within another UDP frame, being disassembled or assembled once they reach LISP1 or LISP2.

LISP3 will be the Map Resolver and Map Server in this topology; it will let Branch-A know how to reach Branch-B's 192.168.2.0 network.

Core-A

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core-A
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef    
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
!
! 
!
!
!
!
!         
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/1
 ip address 10.0.3.2 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/2
 ip address 10.0.1.1 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/3
 no ip address
 shutdown
!         
router ospf 1
 default-information originate metric 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Null0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end

Core-B

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core-B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
ip cef    
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
!
! 
!
!
!
!
!         
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 10.0.1.2 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!         
router ospf 1
 passive-interface default
 no passive-interface Ethernet0/0
 no passive-interface Ethernet0/1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!         
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input none
!
!
end

Branch A

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Branch-A
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!         
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!         
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

Branch B

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Branch-B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!         
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
!
ip default-gateway 192.168.2.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!         
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

Branch C

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Branch-C
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!         
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!         
!
!
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0
!
ip default-gateway 192.168.3.254
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.254
!         
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

LISP1

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname LISP1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!         
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
!         
multilink bundle-name authenticated
!
!
site-manager
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2035463266
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2035463266
 revocation-check none
 rsakeypair TP-self-signed-2035463266
!         
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2035463266
 certificate self-signed 01
  quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  quit
!
license udi pid CSR1000V sn 9P5KOJYS125
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!         
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
! 
!
!
!
!
!
!
!
!
!
!
!         
!
!
! 
! 
!
!
interface Loopback1
 ip address 192.168.100.1 255.255.255.255
!
interface LISP0
!
interface GigabitEthernet1
 ip address 10.0.0.2 255.255.255.0
 ip ospf 1 area 0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 192.168.1.254 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
router lisp
 locator-table default
 locator-set LISP1
  10.0.0.2 priority 10 weight 10
  exit-locator-set
 !
 service ipv4
  itr map-resolver 10.0.3.1
  itr
  etr map-server 10.0.3.1 key cisco
  etr
  exit-service-ipv4
 !
 instance-id 0
  service ipv4
   eid-table default
   database-mapping 192.168.1.0/24 locator-set LISP1
   database-mapping 192.168.100.1/32 locator-set LISP1
   exit-service-ipv4
  !
  exit-instance-id
 !
 loc-reach-algorithm rloc-probing
 exit-router-lisp
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!         
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

LISP2

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname LISP2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!         
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
!         
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1261116406
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1261116406
 revocation-check none
 rsakeypair TP-self-signed-1261116406
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1261116406
 certificate self-signed 01
  quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  quit
!
license udi pid CSR1000V sn 92ON2VPD1AD
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
!         
!
! 
! 
!
!
interface Loopback1
 ip address 192.168.100.2 255.255.255.255
!
interface LISP0
!
interface GigabitEthernet1
 ip address 10.0.2.1 255.255.255.0
 ip ospf 1 area 0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 192.168.2.254 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
router lisp
 locator-table default
 locator-set LISP2
  10.0.2.1 priority 10 weight 10
  exit-locator-set
 !
 service ipv4
  itr map-resolver 10.0.3.1
  itr     
  etr map-server 10.0.3.1 key cisco
  etr
  exit-service-ipv4
 !
 instance-id 0
  service ipv4
   eid-table default
   database-mapping 192.168.2.0/24 locator-set LISP2
   database-mapping 192.168.100.2/32 locator-set LISP2
   exit-service-ipv4
  !
  exit-instance-id
 !
 loc-reach-algorithm rloc-probing
 exit-router-lisp
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home 
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

LISP3

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname LISP3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!         
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
!         
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3119736560
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3119736560
 revocation-check none
 rsakeypair TP-self-signed-3119736560
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3119736560
 certificate self-signed 01
  quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  quit
!
license udi pid CSR1000V sn 9HKSRSBJ1LY
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
!         
!
! 
! 
!
!
interface Loopback1
 ip address 192.168.100.3 255.255.255.255
!
interface GigabitEthernet1
 ip address 10.0.3.1 255.255.255.0
 ip ospf 1 area 0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 192.168.3.254 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
router lisp
 locator-table default
 locator-set self
  IPv4-interface GigabitEthernet1 priority 0 weight 0
  exit-locator-set
 !
 service ipv4
  itr
  etr
  map-server
  map-resolver
  exit-service-ipv4
 !
 site LISP1
  description Site of LISP1
  authentication-key cisco
  eid-record 192.168.1.0/24
  eid-record 192.168.100.1/32
  allowed-locator 10.0.0.2
  exit-site
 !
 site LISP2
  description Site of LISP2
  authentication-key cisco
  eid-record 192.168.2.0/24
  eid-record 192.168.100.2/32
  allowed-locator 10.0.2.1
  exit-site
 !
 exit-router-lisp
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

Proxy Ingress Tunnel Router (PITR)

A proxy ingress tunnel router receives traffic destined to a LISP end point identifier from non-LISP sites. Proxy ingress tunnel routers behave similarly to ingress tunnel routers. They resolve a mapping for the destination end point identifier to encapsulate and forward the traffic to the destination routing locator.

A proxy ingress tunnel router will send a map request to the map resolver even if the source of the traffic is a non-LISP site. This differs from a regular ingress tunnel router: inbound traffic is not checked to see whether its source is registered in the local map cache as an end point identifier before a map request message is sent to the map resolver.


Proxy Egress Tunnel Router (PETR)

A proxy egress tunnel router is a router that is connected to a non-LISP site, such as a data centre or the internet. It is used when a LISP site needs to communicate with a non-LISP site.

As a proxy egress tunnel router is connected to non-LISP sites, it does not register any end point prefix addresses with the database system.

If an ingress tunnel router sends a map request and the endpoint identifier is not registered in the mapping database system, a negative response is sent from the mapping server. When that ingress tunnel router receives the reply, it forwards the LISP encapsulated traffic to the proxy egress tunnel router instead. The ingress tunnel router must be configured to send traffic to the proxy egress tunnel router when a negative response is received.

When the mapping database system receives a map request for a non-LISP destination, it calculates the shortest prefix that matches the destination but does not match any LISP end point identifiers. The calculated non-LISP prefix is included in the negative reply so the ingress tunnel router can add the prefix to its map cache and forwarding information base. The ITR is then able to quickly look up this mapping in its cache and forward the traffic to the proxy egress tunnel router.


How LISP Operates

Map Registration and Notification

When a LISP site is set up, the egress tunnel routers (ETRs) need to be configured with the endpoint identifier (EID) prefixes within that LISP site that will be registered with the map server (MS).

Any subnets attached to the egress tunnel router (ETR) that are not configured as endpoint identifier (EID) prefixes will be forwarded using traditional routing.

Map Registration Process

The egress tunnel router sends a map register message to the map server (MS) to register its associated prefix (e.g. 192.168.1.0). The registration message will also include the Routing Locator (RLOC) IP address (10.0.0.1) to be used by the map server (MS) when forwarding map requests received through the database system.

The egress tunnel router (ETR) can respond to map request messages itself, but in a map register message it can request that the map server (MS) answer these map requests on the ETR's behalf by setting the proxy map reply flag (P-bit).

The map server will respond with a map notify message to the egress tunnel router to confirm that the map register message has been processed. The map notify message uses UDP port 4342 as both its source and destination port.
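The registration checks on the map server side, as an added example that is not part of the original post: the Python sketch below parses `site` stanzas like those in the LISP3 lab configuration on this page and decides whether a map register would be accepted. It is a simplified model: the HMAC covers a plain string rather than the real message format, EID prefixes are matched exactly, and the function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Site stanzas as they appear in the LISP3 lab configuration on this page.
LISP3_SITES = """\
 site LISP1
  description Site of LISP1
  authentication-key cisco
  eid-record 192.168.1.0/24
  eid-record 192.168.100.1/32
  allowed-locator 10.0.0.2
  exit-site
 site LISP2
  description Site of LISP2
  authentication-key cisco
  eid-record 192.168.2.0/24
  eid-record 192.168.100.2/32
  allowed-locator 10.0.2.1
  exit-site
"""


def parse_sites(text):
    """Return {site: {"key": bytes, "eids": [networks], "locators": {str}}}."""
    sites, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "site":
            cur = sites.setdefault(words[1], {"key": None, "eids": [], "locators": set()})
        elif cur is None:
            continue
        elif words[0] == "authentication-key":
            cur["key"] = words[-1].encode()
        elif words[0] == "eid-record":
            cur["eids"].append(ipaddress.ip_network(words[1]))
        elif words[0] == "allowed-locator":
            cur["locators"].add(words[1])
        elif words[0] == "exit-site":
            cur = None
    return sites


def sign(key, eid, rloc):
    """ETR side: authenticate the (simplified) register body with the shared key."""
    return hmac.new(key, f"{eid}|{rloc}".encode(), hashlib.sha256).digest()


def accept_register(sites, eid, rloc, auth):
    """Map server side: find the site by EID prefix, then check key and locator."""
    prefix = ipaddress.ip_network(eid)
    name = next((n for n, s in sites.items() if prefix in s["eids"]), None)
    if name is None:
        return "reject: no eid-record for prefix"
    site = sites[name]
    if site["key"] is None or not hmac.compare_digest(auth, sign(site["key"], eid, rloc)):
        return "reject: authentication failed"
    if site["locators"] and rloc not in site["locators"]:
        return "reject: locator not in allowed-locator"
    return f"accept: site {name}"
```

Because both lab sites use the same key, a register for 192.168.1.0/24 signed with that key but sent with LISP2's locator passes authentication and is stopped only by the `allowed-locator` check.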

Map Request and Reply

When an endpoint in a LISP site is trying to communicate with a host outside of the LISP site, the ingress tunnel router needs to perform some steps to route the traffic.

The first host sends IP packets for the destination IP address to its default gateway, which is the ingress tunnel router (ITR).

The ingress tunnel router performs a forwarding information base lookup to check if the packet matches a default route or a specific route. If a specific route is found, the packet is forwarded using that. If the packet only matches a default route, a LISP check is performed to see whether the source IP address is part of a registered endpoint identifier prefix in the local map cache.

If the source IP address is part of an endpoint identifier prefix, the ingress tunnel router will send an encapsulated map request to the map resolver for the destination address in the packet, with a destination UDP port of 4342 and a specifically chosen source port.

If the map resolver and map server are on the same device, the database system will forward the request to the authoritative egress tunnel router.

The egress tunnel router (ETR) will respond to the ingress tunnel router (ITR) with a map reply message that includes an endpoint identifier to routing locator (EID-to-RLOC) mapping, unless the egress tunnel router requested that the map server respond to messages on its behalf using the proxy map reply flag (P-bit). The map reply message uses the UDP source port of 4342 and the destination port is the one that was specifically selected by the ITR in the map request message.

The ingress tunnel router will install the EID-to-RLOC mapping in its local map cache and forwarding information base, ready to forward traffic.
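The ITR steps above, together with the PITR and PETR behaviour described earlier on this page, as an added Python example that is not part of the original posts. The EID-to-RLOC entries come from the lab's LISP3 site records; the FIB contents, the PETR address and all function names are assumptions made for illustration.

```python
import ipaddress as ipa

# Map-server database: EID prefix -> RLOC, from the lab's LISP3 site records.
EID_DB = {
    ipa.ip_network("192.168.1.0/24"): "10.0.0.2",
    ipa.ip_network("192.168.100.1/32"): "10.0.0.2",
    ipa.ip_network("192.168.2.0/24"): "10.0.2.1",
    ipa.ip_network("192.168.100.2/32"): "10.0.2.1",
}
PETR_RLOC = "198.51.100.1"  # hypothetical: the lab has no PETR

# Constructed FIB for LISP1: underlay and connected routes plus a default route.
LISP1_FIB = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
             "192.168.1.0/24", "192.168.100.1/32", "0.0.0.0/0"]


def longest_match(prefixes, addr):
    """Most specific prefix containing addr, or None."""
    return max((p for p in prefixes if addr in p),
               key=lambda p: p.prefixlen, default=None)


def negative_prefix(dest):
    """Shortest prefix that covers dest and overlaps no registered EID prefix."""
    for plen in range(33):
        cand = ipa.ip_network(f"{dest}/{plen}", strict=False)
        if not any(cand.overlaps(eid) for eid in EID_DB):
            return cand
    return None  # dest lies inside a registered EID prefix


def map_request(dst):
    """Mapping system answer: ('reply', prefix, rloc) or ('negative', prefix, None)."""
    hit = longest_match(EID_DB, dst)
    if hit is not None:
        return "reply", hit, EID_DB[hit]
    return "negative", negative_prefix(dst), None


class TunnelRouter:
    def __init__(self, local_eids, fib, proxy=False):
        self.local_eids = [ipa.ip_network(p) for p in local_eids]
        self.fib = [ipa.ip_network(p) for p in fib]
        self.proxy = proxy      # True models a PITR: no source-EID check
        self.map_cache = {}     # prefix -> RLOC (the PETR for negative entries)
        self.map_requests = 0   # how many times the mapping system was queried

    def forward(self, src, dst):
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        # 1. FIB lookup: a specific (non-default) route is used as-is.
        route = longest_match(self.fib, dst)
        if route is not None and route.prefixlen > 0:
            return ("native", str(route))
        # 2. Default route only: an ITR continues only for sources in its own EID space.
        if not self.proxy and longest_match(self.local_eids, src) is None:
            return ("native", str(route)) if route else ("drop", None)
        # 3. Map cache, then pull the mapping on a miss and install it.
        entry = longest_match(self.map_cache, dst)
        if entry is None:
            self.map_requests += 1
            kind, entry, rloc = map_request(dst)
            self.map_cache[entry] = rloc if kind == "reply" else PETR_RLOC
        return ("encap", self.map_cache[entry])
```

With these inputs a packet from 192.168.1.1 to 192.168.3.1 (Branch C, which has no site record on LISP3) produces a negative entry for 192.168.3.0/24, so later packets to that subnet reach the PETR without another map request.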

The LISP Data Path

After the ingress tunnel router receives the endpoint identifier to routing locator mapping from the egress tunnel router or map server, it is ready to forward traffic.

The ITR will continue to receive packets from Host A and encapsulate them with an outer header containing the ingress tunnel router's routing locator IP address as the source and the egress tunnel router's routing locator IP address as the destination.


LISP Data Plane

Ingress Tunnel Routers (ITRs) encapsulate packets that are received from an endpoint identifier inside a UDP header with a source and destination address in the routing locator space, performing an IP-in-IP/UDP encapsulation:

Outer LISP IP header

The outer LISP IP header is added by the ingress tunnel router to encapsulate the endpoint identifier IP address.

Outer LISP UDP header

The UDP header will contain a source port purposefully chosen by the ingress tunnel router to prevent traffic from one LISP site to another site taking exactly the same path, even with equal-cost multipath links. The destination port used by LISP is 4341.

Instance ID

The instance ID is a 24-bit value that provides device and path level network virtualisation. It allows VRFs and VPNs for virtualisation and segmentation in the same way VPN IDs do for MPLS networks. It helps prevent IP address duplication in a LISP site and creates a secure boundary between multiple organisations.

The original IP header and data are preserved as the inner header.

Between the two headers there is a LISP shim header to encode information required to enable forwarding functionality.
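The pieces of the encapsulation described above, as an added Python example that is not part of the original post: it derives the outer UDP source port from the inner flow, packs the 8-byte LISP shim header with the nonce and instance ID fields as laid out in RFC 6830, and has the ETR accept only instance IDs it is configured for. The CRC32 hash, the 49152-65535 port range and the function names are assumptions of this sketch, not what IOS XE uses.

```python
import secrets
import struct
import zlib

LISP_DATA_PORT = 4341    # destination port of LISP data packets
FLAG_N = 0x80            # nonce present
FLAG_I = 0x08            # instance ID present
LOCAL_INSTANCES = {0}    # the lab configures instance-id 0 only


def flow_source_port(src, dst, proto, sport, dport):
    """Map the inner 5-tuple to an outer source port so ECMP can spread flows."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    return 49152 + zlib.crc32(key) % 16384


def build_shim(instance_id, nonce=None):
    """flags(8) + nonce(24), then instance ID(24) + locator-status bits(8)."""
    if nonce is None:
        nonce = secrets.randbits(24)
    if not 0 <= instance_id < 1 << 24 or not 0 <= nonce < 1 << 24:
        raise ValueError("instance ID and nonce are 24-bit values")
    return struct.pack("!II", ((FLAG_N | FLAG_I) << 24) | nonce, instance_id << 8)


def parse_shim(payload):
    """Split a LISP data payload into nonce, instance ID and inner packet."""
    if len(payload) < 8:
        raise ValueError("truncated LISP header")
    word0, word1 = struct.unpack("!II", payload[:8])
    flags = word0 >> 24
    return {
        "nonce": (word0 & 0xFFFFFF) if flags & FLAG_N else None,
        "instance_id": (word1 >> 8) if flags & FLAG_I else None,
        "inner": payload[8:],
    }


def itr_encapsulate(inner, flow, instance_id, nonce=None):
    """Return (udp_source_port, udp_destination_port, udp_payload)."""
    return (flow_source_port(*flow), LISP_DATA_PORT,
            build_shim(instance_id, nonce) + inner)


def etr_decapsulate(dport, payload):
    """Return (instance_id, inner_packet), or None when the packet is dropped."""
    if dport != LISP_DATA_PORT:
        return None
    try:
        hdr = parse_shim(payload)
    except ValueError:
        return None
    # Assumption of this sketch: no instance ID field means the default instance 0.
    iid = hdr["instance_id"] if hdr["instance_id"] is not None else 0
    if iid not in LOCAL_INSTANCES:
        return None  # traffic for another organisation's instance stays out
    return iid, hdr["inner"]
```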


LISP Control Plane

The LISP control plane works in a similar way to DNS.

As DNS changes a domain name into an IP address, LISP resolves an endpoint identifier (EID) into a routing locator (RLOC) by sending a request to a map resolver (MR).

This means that LISP is built as a pull model: it only gains the routing information that is requested, rather than a push model where all information, including irrelevant information, is sent to the device.