10-01-2018 04:49 AM - edited 03-05-2019 10:57 AM
Hello everybody,
Hope you can point me in the right direction. I am trying LISP after my original attempt at extending L2 with IPsec/L2TPv3 did not work on the 1000v.
I have been trying to set up a PoC using a 1000v at the central site and an 892 at a remote site. I am using the following white paper documentation as a reference:
However, it does not work properly. The setup/traffic flow is (should be) the following:
Device connected to an internal switchport of the 892 -> fa8 (892 outside interface) - LISP tunnel - G3 (1000v outside interface) - G2.subinterface -> Destination_VLAN/devices
The purpose of the setup is to have the devices connected to the 892 in the same network/IP space as the devices in the destination VLAN in the DC. Remote devices should receive IP addresses from the DHCP server in the DC VLAN and send all traffic to the default gateway of that VLAN when accessing the Internet. Again: extend the VLAN/subnet to another location; for all devices everything should remain transparent.
I have followed the setup in the above-mentioned document but changed a couple of things: because the 892 has a dynamic IP address on its outside interface, the 1000v has a virtual template (DVTI) configured to form a dynamic tunnel once traffic is received from the 892. Also, instead of static IPs on the tunnel interfaces I used loopbacks.
What is working: the tunnel interface is up and running, traffic flows across the tunnel, OSPF is up and running, and on both sides the other side's loopback interface is shown in the ip route output.
892:
C892#sh ip route
Gateway of last resort is 192.168.0.254 to network 0.0.0.0
...
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, FastEthernet8
L        192.168.0.100/32 is directly connected, FastEthernet8
      192.168.6.0/32 is subnetted, 1 subnets
O        192.168.6.6 [110/1001] via 10.0.20.2, 01:33:21, Tunnel2
      192.168.7.0/32 is subnetted, 1 subnets
C        192.168.7.7 is directly connected, Loopback0
1000v:
1000v#sh ip route
C        10.65.11.0/24 is directly connected, GigabitEthernet2.511
l        10.65.11.10/32 [10/1] via 10.65.11.10, 01:36:41, GigabitEthernet2.511
l        10.65.11.30/32 [10/1] via 10.65.11.30, 01:36:41, GigabitEthernet2.511
l        10.65.11.88/32 [10/1] via 10.65.11.88, 01:36:41, GigabitEthernet2.511
l        10.65.11.89/32 [10/1] via 10.65.11.89, 01:36:41, GigabitEthernet2.511
L        10.65.11.129/32 is directly connected, GigabitEthernet2.511
l        10.65.11.130/32 [10/1] via 10.65.11.130, 01:36:41, GigabitEthernet2.511
l        10.65.11.132/32 [10/1] via 10.65.11.132, 01:36:41, GigabitEthernet2.511
l        10.65.11.134/32 [10/1] via 10.65.11.134, 01:36:41, GigabitEthernet2.511
      192.168.6.0/32 is subnetted, 1 subnets
C        192.168.6.6 is directly connected, Loopback0
      192.168.7.0/32 is subnetted, 1 subnets
O        192.168.7.7 [110/1001] via 10.0.20.1, 01:36:34, Virtual-Access1
However, the caveat is that I can't ping any of the loopback or Tunnel interface IP addresses from remote locations.
The first question is: is the above behaviour normal?
Now the main peculiarities: the LISP tunnel is 'apparently' up and running, but the only working condition is when I assign a static IP address to the device connected to the 892, and only traffic to the DC's known devices flows.
What is not working with the current setup:
1. Can't ping to/from DC VLAN devices to/from the interface VLAN of the 892. Pinging the VLAN IP from a device connected directly to the 892 works.
2. The device connected to the 892 can't get an IP address via DHCP from the DHCP server in the DC VLAN.
3. Internet access, or sending traffic to any device outside of the current VLAN/network, does not work.
As an example, with the following setup:
ping 10.65.11.140<->10.65.11.10/30/132 - works on both directions
ping 10.65.11.140<->10.65.11.29 - works on both directions
ping 10.65.11.29<->10.65.11.10/30/132 - does not work for any device in the DC, in either direction
ping 10.65.11.129<->10.65.11.29/140 - does not work from the device connected to the 892 or from interface Vlan12, in either direction
As I said, if I enable DHCP on the device connected to the 892, it does not get an IP address. Also, browsing the Internet does not work either.
Could you please tell me where I should start debugging? Obviously some part of LISP is working, but why is there no DHCP and no access to the Internet?
Thanks.
Below are the relevant config sections for both the client on the 892 and the 1000v on the DC side.
--------------client 892--------------------
crypto ikev2 keyring P511
 peer P511
  address 1000_public_ip
  pre-shared-key password1
crypto ikev2 profile P511
 match identity remote email 1000v@project.site
 identity local email p511@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511
crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route
interface Loopback0
 ip address 192.168.7.7 255.255.255.255
 ip ospf 1 area 0
interface Loopback10
 ip address 10.0.20.1 255.255.255.255
interface Tunnel2
 description to 1000v
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source FastEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 1000_public_ip
 tunnel protection ipsec profile VPN-profile
interface LISP0
interface FastEthernet6
 switchport access vlan 12
 no ip address
interface FastEthernet8
 description WAN-FA8
 ip address dhcp
 ip virtual-reassembly in
 ip virtual-reassembly out
 ip tcp adjust-mss 1380
 duplex auto
 speed auto
 hold-queue 2048 in
 hold-queue 2048 out
interface Vlan12
 ip address 10.65.11.29 255.255.255.0
 lisp mobility LISP1
router lisp
 locator-set SIN
  192.168.7.7 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  exit
 !
 ipv4 use-petr 192.168.6.6
 ipv4 itr map-resolver 192.168.6.6
 ipv4 itr
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 etr
 exit
router ospf 1
 router-id 192.168.7.7
------------------server 1000v--------------------------
crypto ikev2 keyring P511
 peer P511
  address 0.0.0.0 0.0.0.0
  pre-shared-key password1
crypto ikev2 profile P511
 match identity remote email p511@project.site
 identity local email 1000v@project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P511
 nat keepalive 360
 virtual-template 1
crypto ipsec profile VPN-profile
 set ikev2-profile P511
 reverse-route
interface Loopback0
 ip address 192.168.6.6 255.255.255.255
 ip ospf 1 area 0
interface Loopback10
 ip address 10.0.20.2 255.255.255.255
interface LISP0
interface GigabitEthernet2.511
 description P511 subint access
 encapsulation dot1Q 511
 ip address 10.65.11.129 255.255.255.0
 lisp mobility LISP1
interface GigabitEthernet3
 ip address 1000_public_ip
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 ip virtual-reassembly max-reassemblies 1024
 ip virtual-reassembly-out max-reassemblies 1024
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip ospf network point-to-point
 ip ospf 1 area 0
 load-interval 30
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile VPN-profile
router lisp
 locator-set SIN
  192.168.6.6 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   map-notify-group 239.0.0.1
   exit
  !
  ipv4 itr map-resolver 192.168.6.6
  no ipv4 itr
  ipv4 etr map-server 182.168.6.6 key 7 cisco
  ipv4 etr
  no ipv6 itr
  exit
 !
 site SIN_CCC
  authentication-key 7 cisco
  eid-prefix 10.65.11.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.6.6
 exit
!
router ospf 1
 router-id 192.168.6.6
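A small consistency check for the posted `router lisp` block, added here as an example (not part of the original post, and not Cisco tooling): it retypes the 1000v block with line breaks, collects every map-server, map-resolver and proxy address, and reports any that is not one of the device's own locators, which is a valid check for this single-site design where the 1000v is its own map-server/map-resolver on 192.168.6.6. The function names, the regexes and the "every control-plane address equals the RLOC" assumption are mine; on the posted block it surfaces the one address that differs from the rest.

```python
import re

# Constructed excerpt of the "router lisp" block from the 1000v config in the
# post above, retyped with its line structure (the thread shows it on one line).
LISP_CONFIG = """\
router lisp
 locator-set SIN
  192.168.6.6 priority 1 weight 100
  exit
 eid-table default instance-id 0
  dynamic-eid LISP1
   database-mapping 10.65.11.0/24 locator-set SIN
   exit
  ipv4 itr map-resolver 192.168.6.6
  ipv4 etr map-server 182.168.6.6 key 7 cisco
  exit
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 192.168.6.6
 ipv4 etr map-server 192.168.6.6 key 7 cisco
 ipv4 proxy-itr 192.168.6.6
 exit
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Control-plane statements carrying a peer address (any nesting level) and RLOC lines.
ADDR_RE = re.compile(r"^\s*ipv4 (itr map-resolver|etr map-server|proxy-itr|use-petr)\s+" + IPV4)
LOCATOR_RE = re.compile(r"^\s+" + IPV4 + r" priority \d+ weight \d+")

def locator_addresses(config):
    """Return the RLOCs configured in locator-set blocks."""
    return {m.group(1) for m in map(LOCATOR_RE.match, config.splitlines()) if m}

def control_plane_addresses(config):
    """Map each control-plane role (map-server, map-resolver, PxTR) to its addresses."""
    roles = {}
    for m in map(ADDR_RE.match, config.splitlines()):
        if m:
            roles.setdefault(m.group(1), set()).add(m.group(2))
    return roles

def find_inconsistencies(config):
    """Flag control-plane addresses that are not one of the device's own RLOCs
    (valid only for the self-hosted MS/MR design used in the post)."""
    rlocs = locator_addresses(config)
    issues = []
    for role, addrs in sorted(control_plane_addresses(config).items()):
        for addr in sorted(addrs - rlocs):
            issues.append(f"{role} {addr} is not a configured locator ({', '.join(sorted(rlocs))})")
    return issues
```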