Ingress Tunnel Routers (ITRs) encapsulate packets that are received from an endpoint identifier inside a UDP header with a source and destination address in the router locater space, performing an IP-in-IP/UDP encapsulation:
Outer LISP IP header
The outer LISP IP header is added by the ingress tunnel router to encapsulate the endpoint identifier IP address
Outer LISP UDP header
The UDP header will contain a source port purposefully chosen by the ingress tunnel router to prevent traffic from one LISP site to another site taking the exactly same path, even with equal-cost multipath links. The destination port used by LISP is 4341
The instance ID is a 24 bit value that provides device and path level network virtualisation. It allows VRFs and VPNs for virtualisation and segmentation in the same way VPN IDs for MPLS networks. It helps prevent IP address duplication in a LISP site and creates a secure boundary between multiple organisations.
The original IP header and data are preserved, the inner header.
Between the two headers there is a LISP shim header to encode information required to enable forwarding functionality.