Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
833
Views
0
Helpful
0
Replies

Setting up LISP between 1000v and 892 for Extended Subnet (ESM) solution with VM mobility

irakli_n
Level 1
Level 1

‎10-01-2018 04:49 AM - edited ‎03-05-2019 10:57 AM

Hello everybody,

 

Hope you can point me to the right direction. I am trying LISP after my original attempt of extending L2 with IPSec/L2TPv3 did not work with 1000v.

 

I have being trying to setup PoC using 1000v on central site and 892 on a remote site. I am using following white paper documentation as a reference: 

http://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-series/white-paper-c11-731872.pdf

 

However it does not work properly. Setup/traffic flow is (should be) following:

 

Device connected to an internal switchport of 892->fa8 (892 outside interface)-LISP tunnel-G3 (1000v outside interface)-G2.subinterface->Destination_VLAN/devices

 

Purpose of the setup is to have devices connected to 892 to be in the same network/IP space as devices in the destination VLAN in DC. Remote devices should receive IP addresses from the DHCP server from the DC VLAN and send all traffic to the default gateway of that VLAN when accessing Internet. Again - extend the VLAN/subnet to another location, for all devices everything should remain transparent.

 

I have followed the setup in the above mentioned document but changed couple of things - because 892 has a dynamic IP address on outside interface, 1000v has a virtual template (DVTi) configured to form dynamic tunnel once traffic is received from 892. Also instead of static IPs on tunnel interfaces I used loopbacks.

 

What is working - tunnel interface is up and running: traffic flows across the tunnel, OSPF is up and running, on both sides the other side's loopback interface is shown at ip route output.

 

892:

C892#sh ip route

Gateway of last resort is 192.168.0.254 to network 0.0.0.0
...
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet8
L        192.168.0.100/32 is directly connected, FastEthernet8
      192.168.6.0/32 is subnetted, 1 subnets
O        192.168.6.6 [110/1001] via 10.0.20.2, 01:33:21, Tunnel2
      192.168.7.0/32 is subnetted, 1 subnets
C        192.168.7.7 is directly connected, Loopback0

1000v:

1000v#sh ip route

C        10.65.11.0/24 is directly connected, GigabitEthernet2.511
l        10.65.11.10/32 [10/1] via 10.65.11.10, 01:36:41, GigabitEthernet2.511
l        10.65.11.30/32 [10/1] via 10.65.11.30, 01:36:41, GigabitEthernet2.511
l        10.65.11.88/32 [10/1] via 10.65.11.88, 01:36:41, GigabitEthernet2.511
l        10.65.11.89/32 [10/1] via 10.65.11.89, 01:36:41, GigabitEthernet2.511
L        10.65.11.129/32 is directly connected, GigabitEthernet2.511
l        10.65.11.130/32
           [10/1] via 10.65.11.130, 01:36:41, GigabitEthernet2.511
l        10.65.11.132/32
           [10/1] via 10.65.11.132, 01:36:41, GigabitEthernet2.511
l        10.65.11.134/32
           [10/1] via 10.65.11.134, 01:36:41, GigabitEthernet2.511
      192.168.6.0/32 is subnetted, 1 subnets
C        192.168.6.6 is directly connected, Loopback0
      192.168.7.0/32 is subnetted, 1 subnets
O        192.168.7.7 [110/1001] via 10.0.20.1, 01:36:34, Virtual-Access1

However caveats are that I can't ping none of loopback or Tunnel interface IP addresses from remote locations.
The first question comes - is the above behaviour normal?

 

Now the main peculiarities - LISP tunnel 'apparently' is up and running, but only working condition is when I assign static IP address to the device connected to 892 and only traffic to the DC's known devices flows. 

 

What is not working with the current setup:

1. Can't ping to/from DC VLAN devices to/from interface VLAN of 892. Pinging VLAN IP from a device connected directly to 892 works.

2. DHCP on the device connected to 892 can't get IP address from the DHCP server in DC VLAN.

3. Internet access or sending traffic to any device outside of the current VLAN/network does not work.

 

As a example, following setup:

  • DC VLAN - default gateway for devices in the VLAN - 10.65.11.10, DHCP/DNS server - 10.65.11.30, one local server in the DC VLAN - 10.65.11.132
  • Subinterface IP address on 1000v for DC VLAN - 10.65.11.129
  • VLAN 12 on 892, VLAN12 IP address - 10.65.11.29
  • A device connected to port 6 on 892 which is configured with switchport access vlan 12
  • A device connect to port 6 configured with static IP 10.65.11.140

 

ping 10.65.11.140<->10.65.11.10/30/132 - works on both directions

ping 10.65.11.140<->10.65.11.29 - works on both directions

ping 10.65.11.29<->10.65.11.10/30/132 - does not work for any devices in the DC for both directions

ping 10.65.11.129<->10.65.11.29/140 - does not work the device connected to 892 or interface VL12 for both directions

 

As I said, if I put DHCP on the device connected to 892, it does not get IP address. Also, browsing Internet does not work either.

 

 Could you please tell where should I start debug? Obviously some part of LISP is working but why no DHCP and no access to Internet? 

 

Thanks.

 

Below is the relevant config sections for both client on 892 and 1000v on DC side.

 

 

 

--------------client 892--------------------
crypto ikev2 keyring P511
 peer P511
  address 1000_public_ip
  pre-shared-key password1

crypto ikev2 profile P511
 match identity remote email 1000v@project.site
 identity local email p511@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511

crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route

interface Loopback0
 ip address 192.168.7.7 255.255.255.255
 ip ospf 1 area 0

interface Loopback10
 ip address 10.0.20.1 255.255.255.255

interface Tunnel2
 description to 1000v
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source FastEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 1000_public_ip
 tunnel protection ipsec profile VPN-profile
interface LISP0

interface FastEthernet6
 switchport access vlan 12
 no ip address

interface FastEthernet8
 description WAN-FA8
 ip address dhcp
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1380
 duplex auto
 speed auto
 hold-queue 2048 in
 hold-queue 2048 out

interface Vlan12
 ip address 10.65.11.29 255.255.255.0
 lisp mobility LISP1

router lisp
 locator-set SIN
  192.168.7.7 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  exit
 !
 ipv4 use-petr 192.168.6.6
 ipv4 itr map-resolver 192.168.6.6
 ipv4 itr
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 etr
 exit

router ospf 1
 router-id 192.168.7.7


------------------server 1000v--------------------------
crypto ikev2 keyring P511
 peer P511
  address 0.0.0.0 0.0.0.0
  pre-shared-key password1
 
crypto ikev2 profile P511
 match identity remote email p511@project.site
 identity local email 1000v@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511
 nat keepalive 360
 virtual-template 1

crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route

interface Loopback0
 ip address 192.168.6.6 255.255.255.255
 ip ospf 1 area 0

interface Loopback10
 ip address 10.0.20.2 255.255.255.255

interface LISP0

interface GigabitEthernet2.511
 description P511 subint access
 encapsulation dot1Q 511
 ip address 10.65.11.129 255.255.255.0
 lisp mobility LISP1

interface GigabitEthernet3
 ip address 1000_public_ip
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 ip virtual-reassembly max-reassemblies 1024
 ip virtual-reassembly-out max-reassemblies 1024

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile VPN-profile

router lisp
 locator-set SIN
  192.168.6.6 priority 1 weight 100
  exit
 !q
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  ipv4 itr map-resolver 192.168.6.6
  no ipv4 itr
  ipv4 etr map-server 182.168.6.6 key 7 cisco
  ipv4 etr
  no ipv6 itr
  exit
 !
 site SIN_CCC
  authentication-key 7 cisco
  eid-prefix 10.65.11.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.6.6
 exit
!
router ospf 1
 router-id 192.168.6.6

 

0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card