Loopback Interface Registration in LISP

OrkhanRustamli
Level 1
Loopback registration in LISP

Hi All,

I have a fabric campus configured, with the only problem being policy enforcement on inter-VN traffic. This is not working because traffic goes out of VXLAN and the SGTs are lost. I want to configure my Edge switches so that they will send all SGT mappings from the corresponding VRFs to the Border node. The problem is that in the Overlay these switches are not talking within the VRF. I created loopback interfaces which sit in the same VRFs as the subnets, on both Edge and Border, so that I can create a VRF-aware SXP connection between them.

Edge:

interface Loopback44
 description for SXP connection
 vrf forwarding Security_Devices
 ip address 172.19.1.4 255.255.255.255
 lisp mobility 192_168_211_0-Security_Devices-IPV4

router lisp
 instance-id 4101
  remote-rloc-probe on-route-change
  dynamic-eid 172.19.1.0-Security_Devices-IPV4
   database-mapping 172.19.1.0/24 locator-set ED
   exit-dynamic-eid
  !
  dynamic-eid 192_168_211_0-Security_Devices-IPV4
   database-mapping 192.168.211.0/24 locator-set ED
   exit-dynamic-eid
  !
  service ipv4
   eid-table vrf Security_Devices
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4

Border:

interface Loopback44
 description for SXP connection
 vrf forwarding Security_Devices
 ip address 172.19.1.3 255.255.255.255

router lisp
 site SITE
  eid-record instance-id 4101 172.19.1.0/24 accept-more-specifics

show lisp instance-id 4101 ipv4 server
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name   Last      Up   Who Last              Inst  EID Prefix
            Register       Registered            ID
SITE        never     no   --                    4101  0.0.0.0/0
            never     no   --                    4101  172.19.1.0/24
            00:54:57  yes# 192.168.250.3:14166   4101  172.19.1.3/32


I cannot see 172.19.1.4 registered, and ping does not work, so I cannot build my connection. Any help is appreciated.
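As an added check (not from the thread, not Cisco code): a small Python parser for the `show lisp instance-id 4101 ipv4 server` registration table, using the output quoted above as constructed sample input. It reports which expected host EIDs have no live /32 registration in the instance, which is exactly the gap the post describes for 172.19.1.4.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample: the registration table from the post above.
SAMPLE_OUTPUT = """\
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name   Last      Up   Who Last              Inst  EID Prefix
            Register       Registered            ID
SITE        never     no   --                    4101  0.0.0.0/0
            never     no   --                    4101  172.19.1.0/24
            00:54:57  yes# 192.168.250.3:14166   4101  172.19.1.3/32
"""

class Registration(NamedTuple):
    site: str
    last: str
    up: bool
    reliable: bool   # '#' flag: registration sourced by reliable transport
    who: str
    instance_id: int
    prefix: str

# One table row; site name is blank on continuation rows of the same site.
ROW = re.compile(
    r"^(?P<site>\S*)\s+(?P<last>\S+)\s+(?P<up>yes|no)(?P<flags>[*#]*)\s+"
    r"(?P<who>\S+)\s+(?P<iid>\d+)\s+(?P<prefix>\S+/\d+)\s*$"
)

def parse_registrations(text: str) -> List[Registration]:
    rows, site = [], ""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue            # headers and legend lines do not match
        site = m["site"] or site  # continuation rows inherit the site name
        rows.append(Registration(site, m["last"], m["up"] == "yes",
                                 "#" in m["flags"], m["who"],
                                 int(m["iid"]), m["prefix"]))
    return rows

def unregistered_eids(text: str, instance_id: int, hosts: List[str]) -> List[str]:
    """Expected host EIDs with no *up* /32 registration in this instance-id."""
    live = [ipaddress.ip_network(r.prefix) for r in parse_registrations(text)
            if r.instance_id == instance_id and r.up]
    return [h for h in hosts
            if not any(n.prefixlen == 32 and ipaddress.ip_address(h) in n
                       for n in live)]
```

Note that the site's `accept-more-specifics` /24 row counts as configured but not registered (Up = no), so only real /32 registrations from an edge satisfy the check.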


OrkhanRustamli
Level 1

UP!

From your description it seems like you want to enforce policy on inter-VN traffic on the fusion. By default traffic between VNs is denied; are you trying to allow traffic between VNs on the fusion and then enforce policy on the fusion? If that is your use case, whichever subnets you want to talk to each other, put them in the same VN, and whichever subnets you don't want to, put them in different VNs. If you want specific traffic to be sent between subnets in the same VN, then create policies from DNAC.

Hi @dbellamk,

I think you understood my question wrongly. Actually what I ask is simpler than route leakage between different VNs. Moreover, I would like to mention that route leakage through BGP is configured, so the VNs that I permitted can talk to each other. I mostly enforce policy at the TrustSec level. My question here is that I just created a loopback interface as mentioned above and added it to a VN which was previously configured, and devices are registered with the BC device. My problem is that I just created a new subnet and gave an IP address from that subnet to the loopback interface. I configured the Edge and BC device for that new subnet, but the loopback interface is not registered with the BC. I ask what the problem is, or what I missed?

Thanks in advance!

Hello Orkhan,

-Can you please share a diagram of what traffic flows you are trying to achieve?

-We do not support manual adding of interfaces to VRFs on fabric edge switches. You need to add IP interfaces using only DNAC workflows. It is not possible to add loopback interface to fabric edge through DNAC workflow, only SVIs can be added

-We do not support manual changes to LISP configuration. LISP should only be configured by DNAC

-If you want SGT to get from VN1 to VN2 for inter-VN policy, then you have two choices:

1. Send SGT from border to fusion inline (SGT in CMD in Ethernet, no VXLAN necessary). Fusion must support inline SGT in this scenario, not all platforms support SGT, check TrustSec compatibility documentation, OR,

2. Peer SXP from each border VRF interface to ISE, that way IP:SGT will be learned for any endpoints ISE has dynamically authorized, and border will re-add SGT to packets coming from fusion

Please note that option 2 has numerous scaling limits, so option 1 is recommended.

Jerome

Hi @jedolphi,

Actually you understood me correctly, that is the exact thing that I am trying. My problem is I do not know how to transport SGTs from VXLAN to CMD when the Border forwards traffic to the Fusion. I tried inline tagging, but as far as I know inline tagging works per interface: if it is configured and traffic inside the interface is coming untagged, it will tag it. The problem is that in my case, inside a VN there are several tags. So how do I carry them through one interface?

Thanks in advance!

What is your border platform and the fusion platform? If it is cat9k use these commands on border interface connected to fusion, and also on fusion interface connected to border. Please test in lab before production deployment because there will be an outage when you apply these commands. Commands must be on both sides:

interface TenGigabitEthernetX/Y/Z
 description --- FUSION to BORDER
 no cts role-based enforcement
 cts manual
  propagate sgt
  policy static sgt 65519 trusted

 

Hi,

I tried that on SVI interfaces for particular VNs. I configured NetFlow on the fusion devices to check whether, after configuring propagation, the fusion would receive packets with SGT values, but it is still zero. May it be because of the SVI? Do I need to configure it on the physical interface? The reason I am asking instead of testing is that I do not have a lab environment right now and am afraid of an outage in all connections.

Orkhan, if it is a C9K switch then you need to put those commands on physical interface. Cannot put them on SVI on switch. Only border router (ISR, ASR) supports per-routed-interface SGT propagation. Also please check the URL I shared to make sure you have SGT capable hardware and software. Regards, Jerome

The connection between Border and Fusion is a port-channel, and the CTS command is not working when the physical port is a channel member, so I continued with Part 2 and everything is okay now. Thank you very much for your help!!

You're welcome. In my lab I can add cts commands to physical interfaces before they are in port-channel, but not after they are in port-channel. Cheers, Jerome

AAlexS
Level 1

Late reply to this topic, but an NHRP tunnel from the appropriate VRF may be used for building the SXP connection. This way you may distribute dynamically mapped SGT tags from edge switches to the outside. This trick may be used for building an SD-Access network without the annoying ISE. ISE has three main roles in SD-Access: 1) AAA - may be replaced with FreeRADIUS or something else. 2) TrustSec policy distribution - may be replaced with a simple REST application. 3) SXP hub - you may build it on, for example, the MS/MR switches over the NHRP infrastructure.
