Tuesday 20 July 2021

LISP - OMP - BGP EVPN Interoperability - Part I: LISP EID-to-RLOC Registration

I have written a couple of books about Network Virtualization Overlay over Layer 3 (NVO3). My first book was about Datacenter network virtualization based on BGP L2VPN EVPN. After that, I wrote a book about Campus networks based on LISP. In my latest book, I introduced the Cisco SD-WAN solution running OMP in the Control-Plane. I wanted to write one more book where I combine these three different NVO3 solutions. I haven’t used pictures in the “About This Book” section in my previous books, but now I decided to do that because one picture tells more than 1000 words. The figure below combines these three NVO3 solutions and illustrates what is needed to have IP connectivity between EP1 in the LISP domain and EP2 in the BGP EVPN domain. After reading this book you should be able to understand how IP reachability information about local hosts is advertised from the LISP domain over the SD-WAN to the BGP EVPN domain and the other way around. I wanted to keep this complex solution as simple as possible. That is why I didn’t include any redundancy.



Figure 1-1 illustrates the phases of how Edge-xTR-11 registers the IP/VRF information of its connected host EP1 to the centralized Control Plane device MapSrv-22. First, Edge-xTR-11 verifies that it can reach MapSrv-22. Then it sends an unreliable Map-Register message carrying the EP1 information to MapSrv-22, to which MapSrv-22 responds with a Map-Notify message. After that, Edge-xTR-11 opens a TCP connection to MapSrv-22 and sends a new, reliable Map-Register message.



Figure 1-1: Overview of EID-to-RLOC Map-Register Process.


Phase 1: Updating Local MAC table and Dynamic EID

Device Edge-xTR-11 in figure 1-2 has two roles. It is an egress Tunnel Router (eTR), which means that it forwards traffic from remote endpoints to its locally connected hosts. In this role, it registers locally connected hosts to the Control Plane node MapSrv-22. In its other role, Edge-xTR-11 is an ingress Tunnel Router (iTR). This means that when one of its locally connected endpoints wants to communicate with a remote endpoint, Edge-xTR-11 requests location information from MapSrv-22 if the information is not yet resolved and stored in its local Mapping Cache.

 

When EP1 in our example boots up, it sends a Gratuitous ARP message to make sure that no other device is using the IP address assigned to it. When Edge-xTR-11, in its iTR role, receives the message, it first saves the host MAC/instance (BDI)/interface information to its MAC address table (example 1-1). It also stores the information in the LISP Dynamic Endpoint Identifier (Dynamic-EID) database (example 1-2). In our example, EP1 belongs to Layer 2 Bridge Domain 100 (subnet 172.16.100.0/24). Subnet 172.16.100.0/24 (VRF 100_NWKT), in turn, is attached to LISP instance 100, which uses RLOC 192.168.0.11 (Loopback 0 IP of Edge-xTR-11).

 

Figure 1-2: EID-to-RLOC Map-Register – Local Learning.


Edge-xTR-11#show bridge-domain 100

Bridge-domain 100 (2 ports in all)

State: UP                    Mac learning: Enabled

Aging-Timer: 300 second(s)

    BDI100  (up)

    GigabitEthernet2 service instance 100

   AED MAC address    Policy  Tag       Age  Pseudoport

   -   0001.0001.0001 to_bdi  static    0    BDI100

   0   0050.7966.680D forward dynamic   251  GigabitEthernet2.EFP100

Example 1-1: EID-to-RLOC Map-Register – Local Learning – Mac Address Table.

 

Edge-xTR-11#show lisp instance-id 100 ipv4 database 172.16.100.10/32

LISP ETR IPv4 Mapping Database for EID-table vrf 100_NWKT (IID 100), LSBs: 0x1

Entries total 1, no-route 0, inactive 0

 

172.16.100.10/32, dynamic-eid 172_16_100_0-100_NWKT, inherited from default locator-set RLOC-SET1

  Locator       Pri/Wgt  Source     State

  192.168.0.11    1/1    cfg-intf   site-self, reachable

Example 1-2: EID-to-RLOC Map-Register – Local Learning – Dynamic EID Database.

 

Phase 2: Verifying Mapping Server reachability

 

After updating its MAC table and Dynamic-EID table, Edge-xTR-11 starts the EID-to-RLOC mapping process (figure 1-3). As a first step, it verifies that MapSrv-22 is reachable. It sends an IP packet without payload, with the TCP SYN bit set and destination TCP port 4342, to MapSrv-22 (Capture 1-1). When MapSrv-22 receives an “empty” IP packet with the TCP SYN bit set and destination TCP port 4342, it knows that this is just a probe. It replies with an empty IP packet with the TCP ACK and RST bits set (Capture 1-2).



Figure 1-3: EID-to-RLOC Map-Register – TCP Probes.



Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

Transmission Control Protocol, Src Port: 42548, Dst Port: 4342, Seq: 0, Len: 0

    Source Port: 42548

    Destination Port: 4342

    [Stream index: 0]

    [TCP Segment Len: 0]

    Sequence number: 0    (relative sequence number)

    Sequence number (raw): 1675383545

    [Next sequence number: 1    (relative sequence number)]

    Acknowledgment number: 0

    Acknowledgment number (raw): 0

    0110 .... = Header Length: 24 bytes (6)

    Flags: 0x002 (SYN)

    <snipped>

Capture 1-1: EID-to-RLOC Map-Register - TCP Probe Sent by Edge-xTR-11.

 

Internet Protocol Version 4, Src: 192.168.0.22, Dst: 192.168.0.11

Transmission Control Protocol, Src Port: 4342, Dst Port: 42548, Seq: 1, Ack: 1, Len: 0

    Source Port: 4342

    Destination Port: 42548

    [Stream index: 0]

    [TCP Segment Len: 0]

    Sequence number: 1    (relative sequence number)

    Sequence number (raw): 0

    [Next sequence number: 1    (relative sequence number)]

    Acknowledgment number: 1    (relative ack number)

    Acknowledgment number (raw): 1675383546

    0101 .... = Header Length: 20 bytes (5)

    Flags: 0x014 (RST, ACK)

    <snipped>

Capture 1-2: EID-to-RLOC Map-Register – Reply to TCP Probe by MapSrv-22.

 

Phase 3: Unreliable EID-to-RLOC registration (UDP)

 

After verifying IP connectivity to MapSrv-22, Edge-xTR-11 sends a LISP Map-Register message to MapSrv-22. In this phase, the Map-Register message is sent over unreliable UDP with source and destination port 4342 (capture 1-3). The Map-Register message describes the EID of EP1. The EID is a combination of LISP Instance ID 100, bound to subnet 172.16.100.0/24, and the host IP address 172.16.100.10/32. The EID itself is bound to its location information, the Routing Locator (RLOC). In other words, the Map-Register message tells MapSrv-22 that EP1 has the IP address 172.16.100.10/32, that it belongs to Virtual Network 100, and that it is reachable through Edge-xTR-11 (192.168.0.11).


There are three bits set in the header of the Map-Register message originated by Edge-xTR-11. The Proxy-Map-Reply bit, when set, means that MapSrv-22 can respond to requests for the registered endpoint information on behalf of Edge-xTR-11. The xTR-ID present bit, when set, indicates that this message carries the randomly generated xTR-Identifier of the sender. The Want-Map-Notify bit, when set, indicates that Edge-xTR-11 wants MapSrv-22 to confirm that it has received the message. This means that even though Edge-xTR-11 uses UDP in this phase, it uses LISP Map-Notify messages the way TCP uses Acknowledgement messages. The Authoritative bit in the mapping record, when set, tells that Edge-xTR-11 is the last-hop router for the EID.

 

The Nonce value carried within the Map-Register message protects against Map-Register replay attacks. Edge-xTR-11 accepts Map-Notify messages from MapSrv-22 only if the nonce value in the message is the same as the one it used in the Map-Register message. Edge-xTR-11 also increases the nonce value every time it sends a new Map-Register message. MapSrv-22 knows this and only accepts Map-Register messages from Edge-xTR-11 if the nonce value is higher than the one carried in the previous Map-Register message.


Figure 1-4: EID-to-RLOC Map-Register - Unreliable Map-Register Message.


Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

User Datagram Protocol, Src Port: 4342, Dst Port: 4342

Locator/ID Separation Protocol

    0011 .... .... .... .... .... = Type: Map-Register (3)

    .... 1... .... .... .... .... = P bit (Proxy-Map-Reply): Set

    .... .0.. .... .... .... .... = S bit (LISP-SEC capable): Not set

    .... ..1. .... .... .... .... = I bit (xTR-ID present): Set

    .... ...0 .... .... .... .... = R bit (Built for an RTR): Not set

    .... .... 0000 0000 0000 000. = Reserved bits: 0x0000

    .... .... .... .... .... ...1 = M bit (Want-Map-Notify): Set

    Record Count: 1

    Nonce: 0x3e4c8dce8abf56b7

    Key ID: 0x0001

    Authentication Data Length: 20

    Authentication Data: a705477bc22dc0d6842c2462125a35dbfa34b0ee

    Mapping Record 1, EID Prefix: [100] 172.16.100.10/32, TTL: 1440, Action: No-Action, Authoritative

        Record TTL: 1440

        Locator Count: 1

        EID Mask Length: 32

        000. .... .... .... = Action: No-Action (0)

        ...1 .... .... .... = Authoritative bit: Set

        .... .000 0000 0000 = Reserved: 0x000

        0000 .... .... .... = Reserved: 0x0

        .... 0000 0000 0000 = Mapping Version: 0

        EID Prefix AFI: LISP Canonical Address Format (LCAF) (16387)

        EID Prefix: [100] 172.16.100.10

            LCAF: Instance ID: 100, Address: 172.16.100.10

                LCAF Header: 00000220000a

                Instance ID: 100

                Address AFI: IPv4 (1)

                Address: 172.16.100.10

        Locator Record 1, Local RLOC: 192.168.0.11, Reachable, Priority/Weight: 1/1, Multicast Priority/Weight: 1/1

    xTR-ID: e5e601fff689f8a9aab82834637ee536

    Site-ID: 0000000000000000

Capture 1-3: EID-to-RLOC Map-Register - Unreliable Map-Register Message.

 

Phase 4: Map-Server - EID-RLOC DB Updates

 

MapSrv-22 has two roles. The first, the Map-Server component, is responsible for handling EID-to-RLOC Map-Register messages. It validates the message by checking that the authentication data matches and, unless this is the first Map-Register message from Edge-xTR-11, that the nonce value is higher than the previous one. Then, if the EID IP address is within the subnet listed in the site- and instance-specific EID record, the EID-to-RLOC mapping is installed into the Mapping Database. The process is shown in example 1-3. Example 1-4 shows that the IP address 172.16.100.10/32 in instance 100 (virtual network 100) is reachable through 192.168.0.11 (Edge-xTR-11). Note that the TTL field in the example is represented as 1 day, while in the original Map-Register message the TTL was represented as 1440 seconds which is 24 hours.


Figure 1-5: EID-to-RLOC Map-Register - Updating Mapping Database.

 

00:50:43: LISP: Processing IP Map-Register mapping record for IID 100 172.16.100.10/32 LCAF 2, ttl 1440, action none, authoritative, 1 locator

        192.168.0.11 pri/wei=1/1 LpR

 

00:50:43: LISP-0: MS Site EID IID 100 prefix 172.16.100.10/32 SVC_IP_IAF_IPv4 site Network-Times, Created dynamic site EID prefix entry.

 

00:50:43: LISP-0: MS registration IID 100 prefix 172.16.100.10/32 192.168.0.11 SVC_IP_IAF_IPv4 site Network-Times, Created new registration.

Example 1-3: EID-to-RLOC Map-Register Processing.

  

MapSrv-22# show lisp site name Network-Times instance-id 100 | sec 172.16.100.10

  EID-prefix: 172.16.100.10/32 instance-id 100

    First registered:     01:47:46

    Last registered:      01:47:42

    Routing table tag:    0

    Origin:               Dynamic, more specific of 172.16.100.0/24

    Merge active:         No

    Proxy reply:          Yes

    TTL:                  1d00h

    State:                complete

    Registration errors:

      Authentication failures:   0

      Allowed locators mismatch: 0

    ETR 192.168.0.11, last registered 01:47:42, proxy-reply, map-notify

                      TTL 1d00h, no merge, hash-function sha1, nonce 0x3E4C8DCE-0x8ABF56B7

                      state complete, no security-capability

                      xTR-ID 0xE5E601FF-0xF689F8A9-0xAAB82834-0x637EE536

                      site-ID unspecified

                      sourced by reliable transport

      Locator       Local  State      Pri/Wgt  Scope

      192.168.0.11  yes    up           1/1    IPv4 none

Example 1-4: EID-to-RLOC Map-Register - Mapping Database Verification.
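To make the Phase 3 message layout and the Phase 4 Map-Server checks concrete, here is an added example (my own code, not from the book or from Cisco) that encodes the Map-Register of Capture 1-3 byte for byte and then validates it the way the text describes MapSrv-22 doing it: authentication data, strictly increasing nonce, and EID inside the site prefix configured for the instance. The site key, the site-prefix table and the HMAC-SHA-1 choice behind Key ID 1 are assumptions; the nonce, xTR-ID, EID, RLOC and LCAF values come from the capture.

```python
import hashlib
import hmac
import ipaddress
import struct

# Values taken from Capture 1-3; the site key is an assumption (the page never shows it)
SITE_KEY = b"assumed-site-key"
NONCE = 0x3E4C8DCE8ABF56B7
XTR_ID = bytes.fromhex("e5e601fff689f8a9aab82834637ee536")
SITE_ID = bytes(8)
TTL_MINUTES = 1440  # Record TTL is in minutes per RFC 6830, hence "1d00h" in Example 1-4

def lcaf_iid_eid(iid, addr, mask_len=32):
    # EID-Prefix-AFI 16387 (LCAF) + LCAF header: Rsvd1, Flags, Type 2 (Instance ID), IID mask-len, Length
    payload = struct.pack("!IH4s", iid, 1, ipaddress.IPv4Address(addr).packed)  # IID, AFI IPv4, address
    return struct.pack("!HBBBBH", 16387, 0, 0, 2, mask_len, len(payload)) + payload

def build_map_register(key, nonce, eid, iid, rloc, xtr_id, site_id, ttl=TTL_MINUTES):
    """Encode the Map-Register of Capture 1-3: P, I and M bits set, one authoritative record."""
    first = (3 << 28) | (1 << 27) | (1 << 25) | (1 << 8) | 1  # Type=3 | P | I | M | Record Count=1
    hdr = struct.pack("!IQHH", first, nonce, 1, 20)          # nonce, Key ID 1, 20-byte auth data
    # Mapping record: TTL, Locator Count, EID mask-len, ACT=0|A=1|reserved, reserved|Map-Version=0
    record = struct.pack("!IBBHH", ttl, 1, 32, 1 << 12, 0) + lcaf_iid_eid(iid, eid)
    # Locator: Pri/Wgt 1/1, MPri/MWgt 1/1, flags L=1 p=0 R=1 ("LpR" in Example 1-3), AFI IPv4, RLOC
    record += struct.pack("!BBBBHH4s", 1, 1, 1, 1, 0b101, 1, ipaddress.IPv4Address(rloc).packed)
    body = hdr + bytes(20) + record + xtr_id + site_id
    # Authentication Data = HMAC over the whole message with that field zeroed (RFC 6830 6.1.6)
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return body[:16] + mac + body[36:]

def validate_map_register(msg, key, last_nonce, site_prefixes):
    """The Map-Server checks of Phase 4. site_prefixes maps instance-id -> configured site EID prefix.
    Returns (True, registration) or (False, reason)."""
    first, nonce, key_id, auth_len = struct.unpack_from("!IQHH", msg, 0)
    if first >> 28 != 3:
        return False, "not a Map-Register"
    zeroed = msg[:16] + bytes(auth_len) + msg[16 + auth_len:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()
    if key_id != 1 or not hmac.compare_digest(msg[16:16 + auth_len], expected):
        return False, "authentication failure"   # the "Authentication failures" counter of Example 1-4
    if last_nonce is not None and nonce <= last_nonce:
        return False, "nonce not higher than previous Map-Register (replay)"
    rec = 16 + auth_len
    ttl, loc_count, mask_len, flags, afi = struct.unpack_from("!IBBHxxH", msg, rec)
    if afi != 16387:
        return False, "EID AFI is not LCAF"
    iid, addr = struct.unpack_from("!I2x4s", msg, rec + 18)   # skip the 6-byte LCAF header, then IID, AFI, address
    eid = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{mask_len}")
    site = site_prefixes.get(iid)
    if site is None or not eid.subnet_of(ipaddress.ip_network(site)):
        return False, f"EID {eid} outside the site prefix configured for IID {iid}"
    rloc = ipaddress.IPv4Address(struct.unpack_from("!4s", msg, rec + 36)[0])
    return True, {"iid": iid, "eid": str(eid), "rloc": str(rloc), "ttl_min": ttl, "nonce": nonce,
                  "authoritative": bool(flags & 0x1000), "want_map_notify": bool(first & 0x100)}
```

The encoded message is 100 bytes, which is exactly the Length 112 of the TCP Registration in Capture 1-9 minus the 12 bytes of reliable-transport framing.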

Phase 5: Map-Server - LISP Map-Notify

 

Because the Want-Map-Notify bit was set in the Map-Register message, MapSrv-22 confirms that it has received the message by sending a Map-Notify message to Edge-xTR-11. The process is shown in example 1-5. The message contains basically the same information as we saw in the Map-Register message.


Figure 1-6: EID-to-RLOC Map-Register - Map-Notify Message Sent By MapSrv-22.


00:50:43: LISP-0: MS EID IID 100 prefix 172.16.100.10/32 SVC_IP_IAF_IPv4 site Network-Times, Scheduling map notifications for prefix 172.16.100.10/32.

 

00:50:43: LISP-0: MS EID IID 100 prefix 172.16.100.10/32 SVC_IP_IAF_IPv4 site Network-Times, Scheduling unreliable map notification for prefix 172.16.100.10/32 to ETR 192.168.0.11 which registered 172.16.100.10/32.

 

00:50:43: LISP-0: Map-Notify 192.168.0.22:4342->192.168.0.11:4342 xTR-ID 0xB8F66E3B-0x101CCD7C-0x5B9F516E-0x3526FC6E, sending with 1 prefix, nonce 0xE297E49D-0xEDA98C98

Example 1-5: EID-to-RLOC Map-Register - Map-Notify Message Processing.


Internet Protocol Version 4, Src: 192.168.0.22, Dst: 192.168.0.11

User Datagram Protocol, Src Port: 4342, Dst Port: 4342

Locator/ID Separation Protocol

    0100 .... .... .... .... .... = Type: Map-Notify (4)

    .... 1... .... .... .... .... = I bit (xTR-ID present): Set

    .... .0.. .... .... .... .... = R bit (Built for an RTR): Not set

    .... ..00 0000 0000 0000 0000 = Reserved bits: 0x00000

    Record Count: 1

    Nonce: 0x3e4c8dce8abf56b7

    Key ID: 0x0001

    Authentication Data Length: 20

    Authentication Data: 3fbdd90d102be7e6ce504e295dfb196a52b238f2

    Mapping Record 1, EID Prefix: [100] 172.16.100.10/32, TTL: 1440, Action: No-Action, Not Authoritative

        <snipped>

        EID Prefix AFI: LISP Canonical Address Format (LCAF) (16387)

        EID Prefix: [100] 172.16.100.10

        <snipped>

        Locator Record 1, RLOC: 192.168.0.11, Reachable, Priority/Weight: 1/1, Multicast Priority/Weight: 1/1

    xTR-ID: e5e601fff689f8a9aab82834637ee536

    Site-ID: 0000000000000000

Capture 1-4: EID-to-RLOC Map-Register Map-Notify Message Sent by MapSrv-22.

 

 

Phase 6: TCP Connection Between Edge-xTR-11 and MapSrv-22

 

After receiving the Map-Notify message from MapSrv-22, Edge-xTR-11 starts the reliable EID-to-RLOC Mapping process by opening a TCP connection with MapSrv-22 (figure 1-7).


Figure 1-7: EID-to-RLOC Map-Register - TCP Three Way Handshake.


Captures 1-5, 1-6, and 1-7 show the TCP three-way handshake process.

 

Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

Transmission Control Protocol, Src Port: 46666, Dst Port: 4342, Seq: 0, Len: 0

    Source Port: 46666

    Destination Port: 4342

    <snipped>

    Flags: 0x002 (SYN)

<snipped>

Capture 1-5: EID-to-RLOC Map Register - TCP Three Way Handshake TCP SYN.

 

Internet Protocol Version 4, Src: 192.168.0.22, Dst: 192.168.0.11

Transmission Control Protocol, Src Port: 4342, Dst Port: 46666, Seq: 0, Ack: 1, Len: 0

    Source Port: 4342

    Destination Port: 46666

    <snipped>

    Flags: 0x012 (SYN, ACK)

<snipped>

Capture 1-6: EID-to-RLOC Map Register - TCP Three Way Handshake TCP SYN, ACK.

 

Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

Transmission Control Protocol, Src Port: 46666, Dst Port: 4342, Seq: 1, Ack: 1, Len: 0

    Source Port: 46666

    Destination Port: 4342

    Flags: 0x010 (ACK)

<snipped>

Capture 1-7: EID-to-RLOC Map Register - TCP Three Way Handshake TCP ACK.

 

Phase 7: LISP Registration Refresh

 

After successful TCP session establishment, MapSrv-22 asks Edge-xTR-11 to send the complete EID-to-RLOC information again, now over the reliable TCP transport.



Figure 1-8: EID-to-RLOC Map-Register - LISP Registration Refresh Message.

 

Capture 1-8 below shows the LISP Registration Refresh message. The message is sent using TCP. 


Internet Protocol Version 4, Src: 192.168.0.22, Dst: 192.168.0.11

Transmission Control Protocol, Src Port: 4342, Dst Port: 46666, Seq: 1, Ack: 1, Len: 15

Locator/ID Separation Protocol (Reliable Transport), Msg: 0, Registration Refresh, Scope: All prefixes under all address families under all EID instances

    Type: Registration Refresh (20)

    Length: 15

    Message ID: 0

    Registration refresh scope: All prefixes under all address families under all EID instances (0)

    0... .... .... .... = Rejected only: Not set

    .000 0000 0000 0000 = Reserved: 0x0000

    Message End Marker: 0x9facade9 (correct)

Capture 1-8: EID-to-RLOC Map-Register - LISP Registration Refresh Message.

 

Phase 8: Reliable EID-to-RLOC registration (TCP)

 

As a response to the Registration Refresh message, Edge-xTR-11 sends the EID-to-RLOC Map-Register message to MapSrv-22, but now over TCP. Because Edge-xTR-11 now uses reliable transport, MapSrv-22 has to confirm that it has received the message by sending a Registration ACK message together with the Map-Notify message (due to Want-Map-Notify). As the last step, Edge-xTR-11 sends an IP packet with the TCP ACK bit set.


Figure 1-9: EID-to-RLOC Map-Register - Registration Over TCP.


Capture 1-9 shows the Map-Register message sent by Edge-xTR-11.

 

Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

Transmission Control Protocol, Src Port: 46666, Dst Port: 4342, Seq: 1, Ack: 16, Len: 130

<snipped>

Locator/ID Separation Protocol (Reliable Transport), Msg: 1, Registration for [100] 172.16.100.10/32

    Type: Registration (17)

    Length: 112

    Message ID: 1

    Map-Register

        .... 1... .... .... .... .... = P bit (Proxy-Map-Reply): Set

        .... .0.. .... .... .... .... = S bit (LISP-SEC capable): Not set

        .... ..1. .... .... .... .... = I bit (xTR-ID present): Set

        .... ...0 .... .... .... .... = R bit (Built for an RTR): Not set

        .... .... 0000 0000 0000 000. = Reserved bits: 0x0000

        .... .... .... .... .... ...1 = M bit (Want-Map-Notify): Set

        Record Count: 1

        Nonce: 0x3e4c8dce8abf56b7

        Key ID: 0x0001

        Authentication Data Length: 20

        Authentication Data: a705477bc22dc0d6842c2462125a35dbfa34b0ee

        Mapping Record 1, EID Prefix: [100] 172.16.100.10/32, TTL: 1440, Action: No-Action, Authoritative

            <snipped>

            EID Prefix AFI: LISP Canonical Address Format (LCAF) (16387)

            EID Prefix: [100] 172.16.100.10

                LCAF: Instance ID: 100, Address: 172.16.100.10

                    LCAF Header: 00000220000a

                    Instance ID: 100

                    Address AFI: IPv4 (1)

                    Address: 172.16.100.10

            Locator Record 1, Local RLOC: 192.168.0.11, Reachable, Priority/Weight: 1/1, Multicast Priority/Weight: 1/1

                 <snipped> 

Capture 1-9: EID-to-RLOC Map-Register - Registration Over TCP (Step 1).

 

Capture 1-10 shows that both the Registration ACK and the Map-Notify messages are sent within the same IP packet. Capture 1-11 shows the TCP ACK sent by Edge-xTR-11.

 

Internet Protocol Version 4, Src: 192.168.0.22, Dst: 192.168.0.11

Transmission Control Protocol, Src Port: 4342, Dst Port: 46666, Seq: 16, Ack: 131, Len: 107

    <snipped>

Locator/ID Separation Protocol (Reliable Transport), Msg: 1, Registration ACK for [100] 172.16.100.10/32

    Type: Registration ACK (18)

    Length: 31

    Message ID: 1

    EID Prefix: [100] 172.16.100.10/32

    Message End Marker: 0x9facade9 (correct)

Locator/ID Separation Protocol (Reliable Transport), Msg: 2, Mapping Notification for [100] 172.16.100.10/32

    <snipped>

    Mapping Record 1, EID Prefix: [100] 172.16.100.10/32, TTL: 1440, Action: No-Action, Not Authoritative

        <snipped>

        EID Prefix AFI: LISP Canonical Address Format (LCAF) (16387)

        EID Prefix: [100] 172.16.100.10

            LCAF: Instance ID: 100, Address: 172.16.100.10

                <snipped>

        Locator Record 1, RLOC: 192.168.0.11, Reachable, Priority/Weight: 1/1, Multicast Priority/Weight: 1/1

            <snipped>

Capture 1-10: EID-to-RLOC Map-Register - Registration Over TCP (Step 2).

 

Internet Protocol Version 4, Src: 192.168.0.11, Dst: 192.168.0.22

Transmission Control Protocol, Src Port: 46666, Dst Port: 4342, Seq: 131, Ack: 123,

<snipped>

    Flags: 0x010 (ACK)

    <snipped>

Capture 1-11: EID-to-RLOC Map-Register - Registration Over TCP (Step 3).
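Captures 1-8 and 1-10 show why the reliable transport needs its own framing: once Map-Register runs over a TCP byte stream, the receiver has to find message boundaries itself, and Capture 1-10 carries two messages in one segment. The added example below (my own code, not the book's or Cisco's) frames messages with the Type/Length/Message ID header and 0x9facade9 end marker seen in the captures and splits a stream back into messages, holding back a partial message for the next segment. The Registration Refresh is rebuilt from Capture 1-8; the Registration ACK body is a constructed placeholder of the captured length (31 bytes), and a type-19 code for the Map-Notify is deliberately not assumed.

```python
import struct

END_MARKER = 0x9FACADE9  # "Message End Marker: 0x9facade9" in Captures 1-8 and 1-10
# Type codes as decoded in Captures 1-8 to 1-10
MSG_TYPES = {17: "Registration", 18: "Registration ACK", 20: "Registration Refresh"}

def frame(mtype, msg_id, body):
    """Wrap a body in the reliable-transport framing: Type, Length (of the whole message), Message ID, body, end marker."""
    return struct.pack("!HHI", mtype, 8 + len(body) + 4, msg_id) + body + struct.pack("!I", END_MARKER)

def registration_refresh(msg_id=0, scope=0, rejected_only=False):
    # Body as Capture 1-8 decodes it: scope (1 byte), Rejected-only bit followed by 15 reserved bits
    return frame(20, msg_id, struct.pack("!BH", scope, 0x8000 if rejected_only else 0))

def parse_reliable_stream(buf):
    """Delimit messages in a TCP byte stream. Returns (messages, leftover): each message is
    (type name, message id, body); leftover is an incomplete trailing message for the next segment."""
    msgs, off = [], 0
    while off + 8 <= len(buf):
        mtype, length, msg_id = struct.unpack_from("!HHI", buf, off)
        if length < 12:   # header (8) plus end marker (4) is the smallest legal message
            raise ValueError(f"length {length} at offset {off} is below the 12-byte minimum")
        if off + length > len(buf):
            break         # the rest of this message is still in flight
        (marker,) = struct.unpack_from("!I", buf, off + length - 4)
        if marker != END_MARKER:
            raise ValueError(f"message {msg_id}: bad end marker {marker:#x}")
        msgs.append((MSG_TYPES.get(mtype, f"type {mtype}"), msg_id, buf[off + 8:off + length - 4]))
        off += length
    return msgs, buf[off:]

# Constructed stream: the Registration Refresh of Capture 1-8, a Registration ACK with a
# constructed 19-byte body (captured Length 31), and the first 5 bytes of a further message
SAMPLE_STREAM = registration_refresh() + frame(18, 1, b"\x00" * 19) + b"\x00\x11\x00\x70\x00"
```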

 

In this phase, MapSrv-22 can respond to Map-Request messages on behalf of Edge-xTR-11. The next chapter describes how the EID-to-RLOC information is advertised to Border-PxTR-13. Because the LISP Control-Plane node, in our case MapSrv-22, does not redistribute EID-to-RLOC information in an unsolicited way like a BGP Route Reflector does, we need another mechanism for that, and that’s where MP-BGP VPNv4 comes into play.
