Setting up LISP between 1000v and 892 for Extended Subnet (ESM) solution with VM mobility

Hello everybody,

Hope you can point me in the right direction. I am trying LISP after my original attempt of extending L2 with IPsec/L2TPv3 did not work with the 1000v.

I have been trying to set up a PoC using a 1000v at the central site and an 892 at a remote site. I am using the following white paper as a reference:

http://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-series/white-paper-c11-731872.pdf

However, it does not work properly. The setup/traffic flow is (should be) the following:

Device connected to an internal switchport of 892 -> fa8 (892 outside interface) - LISP tunnel - G3 (1000v outside interface) - G2.subinterface -> Destination_VLAN/devices

The purpose of the setup is to have the devices connected to the 892 in the same network/IP space as the devices in the destination VLAN in the DC. Remote devices should receive IP addresses from the DHCP server in the DC VLAN and send all traffic to the default gateway of that VLAN when accessing the Internet. Again: extend the VLAN/subnet to another location, and for all devices everything should remain transparent.

I have followed the setup in the above mentioned document but changed a couple of things: because the 892 has a dynamic IP address on its outside interface, the 1000v has a virtual template (DVTI) configured to form a dynamic tunnel once traffic is received from the 892. Also, instead of static IPs on the tunnel interfaces I used loopbacks.

What is working: the tunnel interface is up and running, traffic flows across the tunnel, OSPF is up and running, and on both sides the other side's loopback interface is shown in the ip route output.

892:

C892#sh ip route

Gateway of last resort is 192.168.0.254 to network 0.0.0.0
...
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet8
L        192.168.0.100/32 is directly connected, FastEthernet8
      192.168.6.0/32 is subnetted, 1 subnets
O        192.168.6.6 [110/1001] via 10.0.20.2, 01:33:21, Tunnel2
      192.168.7.0/32 is subnetted, 1 subnets
C        192.168.7.7 is directly connected, Loopback0

1000v:

1000v#sh ip route

C        10.65.11.0/24 is directly connected, GigabitEthernet2.511
l        10.65.11.10/32 [10/1] via 10.65.11.10, 01:36:41, GigabitEthernet2.511
l        10.65.11.30/32 [10/1] via 10.65.11.30, 01:36:41, GigabitEthernet2.511
l        10.65.11.88/32 [10/1] via 10.65.11.88, 01:36:41, GigabitEthernet2.511
l        10.65.11.89/32 [10/1] via 10.65.11.89, 01:36:41, GigabitEthernet2.511
L        10.65.11.129/32 is directly connected, GigabitEthernet2.511
l        10.65.11.130/32
           [10/1] via 10.65.11.130, 01:36:41, GigabitEthernet2.511
l        10.65.11.132/32
           [10/1] via 10.65.11.132, 01:36:41, GigabitEthernet2.511
l        10.65.11.134/32
           [10/1] via 10.65.11.134, 01:36:41, GigabitEthernet2.511
      192.168.6.0/32 is subnetted, 1 subnets
C        192.168.6.6 is directly connected, Loopback0
      192.168.7.0/32 is subnetted, 1 subnets
O        192.168.7.7 [110/1001] via 10.0.20.1, 01:36:34, Virtual-Access1

However, one caveat is that I can't ping any of the loopback or Tunnel interface IP addresses from the remote locations.
So the first question is: is the above behaviour normal?

Now the main peculiarity: the LISP tunnel is 'apparently' up and running, but the only working condition is when I assign a static IP address to the device connected to the 892, and only traffic to the DC's known devices flows.

What is not working with the current setup:

1. Can't ping to/from DC VLAN devices to/from the VLAN interface of the 892. Pinging the VLAN IP from a device connected directly to the 892 works.

2. DHCP on the device connected to the 892 can't get an IP address from the DHCP server in the DC VLAN.

3. Internet access, or sending traffic to any device outside of the current VLAN/network, does not work.

As an example, the following setup:

  • DC VLAN - default gateway for devices in the VLAN - 10.65.11.10, DHCP/DNS server - 10.65.11.30, one local server in the DC VLAN - 10.65.11.132
  • Subinterface IP address on the 1000v for the DC VLAN - 10.65.11.129
  • VLAN 12 on the 892, VLAN 12 IP address - 10.65.11.29
  • A device connected to port 6 on the 892, which is configured with switchport access vlan 12
  • The device connected to port 6 is configured with static IP 10.65.11.140

ping 10.65.11.140 <-> 10.65.11.10/30/132 - works in both directions

ping 10.65.11.140 <-> 10.65.11.29 - works in both directions

ping 10.65.11.29 <-> 10.65.11.10/30/132 - does not work for any device in the DC, in either direction

ping 10.65.11.129 <-> 10.65.11.29/140 - does not work for the device connected to the 892 or for interface Vlan12, in either direction

As I said, if I put DHCP on the device connected to the 892, it does not get an IP address. Also, browsing the Internet does not work either.

Could you please tell me where I should start debugging? Obviously some part of LISP is working, but why no DHCP and no access to the Internet?

Thanks.

Below are the relevant config sections for both the client on the 892 and the 1000v on the DC side.

--------------client 892--------------------
crypto ikev2 keyring P511
 peer P511
  address 1000_public_ip
  pre-shared-key password1

crypto ikev2 profile P511
 match identity remote email 1000v@project.site
 identity local email p511@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511

crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route

interface Loopback0
 ip address 192.168.7.7 255.255.255.255
 ip ospf 1 area 0

interface Loopback10
 ip address 10.0.20.1 255.255.255.255

interface Tunnel2
 description to 1000v
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source FastEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 1000_public_ip
 tunnel protection ipsec profile VPN-profile
interface LISP0

interface FastEthernet6
 switchport access vlan 12
 no ip address

interface FastEthernet8
 description WAN-FA8
 ip address dhcp
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1380
 duplex auto
 speed auto
 hold-queue 2048 in
 hold-queue 2048 out

interface Vlan12
 ip address 10.65.11.29 255.255.255.0
 lisp mobility LISP1

router lisp
 locator-set SIN
  192.168.7.7 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  exit
 !
 ipv4 use-petr 192.168.6.6
 ipv4 itr map-resolver 192.168.6.6
 ipv4 itr
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 etr
 exit

router ospf 1 router-id 192.168.7.7
------------------server 1000v--------------------------
crypto ikev2 keyring P511
 peer P511
  address 0.0.0.0 0.0.0.0
  pre-shared-key password1

crypto ikev2 profile P511
 match identity remote email p511@project.site
 identity local email 1000v@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511
 nat keepalive 360
 virtual-template 1

crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route

interface Loopback0
 ip address 192.168.6.6 255.255.255.255
 ip ospf 1 area 0

interface Loopback10
 ip address 10.0.20.2 255.255.255.255

interface LISP0

interface GigabitEthernet2.511
 description P511 subint access
 encapsulation dot1Q 511
 ip address 10.65.11.129 255.255.255.0
 lisp mobility LISP1

interface GigabitEthernet3
 ip address 1000_public_ip
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 ip virtual-reassembly max-reassemblies 1024
 ip virtual-reassembly-out max-reassemblies 1024

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile VPN-profile

router lisp
 locator-set SIN
  192.168.6.6 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  ipv4 itr map-resolver 192.168.6.6
  no ipv4 itr
  ipv4 etr map-server 182.168.6.6 key 7 cisco
  ipv4 etr
  no ipv6 itr
  exit
 !
 site SIN_CCC
  authentication-key 7 cisco
  eid-prefix 10.65.11.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.6.6
 exit

router ospf 1 router-id 192.168.6.6
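
An added example, not part of the original post or of the Cisco white paper it references: a small Python consistency check over the two "router lisp" blocks posted above. Before debugging the data plane, a practitioner would first rule out control-plane configuration mismatches, so the check parses each block and flags (a) more than one distinct map-server, map-resolver or PETR address within a single device, (b) a database-mapping that names a locator-set which is missing or empty, and (c) on the map-server side, a registered EID prefix not covered by any site eid-prefix. The embedded sample blocks are copied from the post and trimmed to the lines the check reads; the check itself and its rules are mine and are not a claim about the root cause of the reported behaviour. On the posted 1000v block it reports the two differing "ipv4 etr map-server" addresses.

```python
import ipaddress
import re

# Constructed samples: the two 'router lisp' blocks from the post, trimmed to the lines this check reads.
SAMPLE_892 = """\
router lisp
 locator-set SIN
  192.168.7.7 priority 1 weight 100
  exit
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   exit
  exit
 ipv4 use-petr 192.168.6.6
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 exit
"""

SAMPLE_1000V = """\
router lisp
 locator-set SIN
  192.168.6.6 priority 1 weight 100
  exit
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   exit
  ipv4 itr map-resolver 192.168.6.6
  ipv4 etr map-server 182.168.6.6 key 7 cisco
  exit
 site SIN_CCC
  eid-prefix 10.65.11.0/24 accept-more-specifics
  exit
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 exit
"""

RE_LOCSET = re.compile(r"^\s*locator-set\s+(\S+)")
RE_LOCATOR = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+priority\s+\d+")
RE_DBMAP = re.compile(r"^\s*database-mapping\s+(\S+)\s+locator-set\s+(\S+)")
RE_SIMPLE = {  # one address or prefix following a fixed keyword
    "map_servers": re.compile(r"^\s*ipv4 etr map-server\s+(\S+)"),
    "map_resolvers": re.compile(r"^\s*ipv4 itr map-resolver\s+(\S+)"),
    "petrs": re.compile(r"^\s*ipv4 use-petr\s+(\S+)"),
    "site_prefixes": re.compile(r"^\s*eid-prefix\s+(\S+)"),
}


def parse_lisp(text):
    """Collect locator-sets, EID mappings and control-plane addresses from one router lisp block."""
    cfg = {"locator_sets": {}, "db_mappings": []}
    cfg.update({key: [] for key in RE_SIMPLE})
    current_set = None  # name of the locator-set sub-mode we are inside, if any
    for line in text.splitlines():
        m = RE_LOCSET.match(line)
        if m:
            current_set = m.group(1)
            cfg["locator_sets"].setdefault(current_set, [])
        elif current_set is not None and RE_LOCATOR.match(line):
            cfg["locator_sets"][current_set].append(RE_LOCATOR.match(line).group(1))
        elif line.strip() == "exit":
            current_set = None
        m = RE_DBMAP.match(line)
        if m:
            cfg["db_mappings"].append((m.group(1), m.group(2)))
        for key, rx in RE_SIMPLE.items():
            m = rx.match(line)
            if m:
                cfg[key].append(m.group(1))
    return cfg


def check_lisp(cfg):
    """Return findings as strings; an empty list means nothing inconsistent was spotted."""
    findings = []
    # One device should point at a single map-server / map-resolver / PETR address.
    for role in ("map_servers", "map_resolvers", "petrs"):
        addrs = sorted(set(cfg[role]))
        if len(addrs) > 1:
            findings.append(f"{role} addresses disagree: {', '.join(addrs)}")
    # Every database-mapping must name a locator-set that exists and has at least one RLOC.
    for prefix, locset in cfg["db_mappings"]:
        if not cfg["locator_sets"].get(locset):
            findings.append(f"database-mapping {prefix}: locator-set {locset} missing or empty")
    # On the map-server side, every registered EID prefix must fall inside a configured site prefix.
    if cfg["site_prefixes"]:
        sites = [ipaddress.ip_network(p, strict=False) for p in cfg["site_prefixes"]]
        for prefix, _ in cfg["db_mappings"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if not any(net.subnet_of(s) for s in sites):
                findings.append(f"EID prefix {prefix} is not covered by any site eid-prefix")
    return findings


if __name__ == "__main__":
    for name, text in (("892", SAMPLE_892), ("1000v", SAMPLE_1000V)):
        print(name, check_lisp(parse_lisp(text)) or "no findings")
```

Run it with the full "show running-config | section router lisp" output of each device pasted into the sample strings; a clean result only says the block is self-consistent, not that the map-server is reachable over the tunnel or that the EID-prefix registration actually succeeded, which is what "show lisp site" on the map-server and "show ip lisp database" on the ETR would confirm.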

 
