The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Locator/ID Separation Protocol (LISP) Data Plane Security feature ensures that only traffic from within a LISP VPN can be decapsulated into the VPN. The feature is enforced when LISP packets are decapsulated by a tunnel router at the destination. Egress tunnel routers (ETRs) and proxy egress tunnel routers (PETRs) validate that the source Routing Locator (RLOC) address carried by the data packet is a member of the LISP VPN.
The solution relies on Unicast Reverse Path Forwarding (uRPF) being implemented in the RLOC network to ensure that the RLOC source addresses in LISP encapsulated data packets cannot be spoofed. Packets from outside the LISP VPN carry invalid source RLOCs that are blocked during decapsulation by ETRs and PETRs.
The advantages of implementing the LISP Data Plane Security feature are given below:
Understanding of LISP concepts, including the concept of virtual routing and forwarding (VRF) instances bound to instance IDs (IIDs). These concepts are explained in the chapters LISP Overview, Configuring LISP, and LISP Shared Model Virtualization.
uRPF implementation in the RLOC network.
Information About LISP Data Plane Security
This feature enhances data plane security by monitoring LISP packets during the decapsulation stage, when the packets are sent from an ingress tunnel router (ITR) or proxy ingress tunnel router (PITR) to an ETR or PETR. To protect LISP VPN end sites from decapsulating LISP packets that do not belong to the VPN, whether the result of misconfiguration or an attack, the source address in the incoming LISP packets are compared with a dynamically distributed set of source RLOC addresses corresponding to valid LISP VPN end sites. LISP packet decapsulation by ETRs and PETRs validate that a source RLOC address of an incoming LISP data packet is a member of the VPN. Note that this solution requires that source RLOC addresses are not spoofed, and hence unicast RPF or ingress anti-spoofing access control lists (ACLs) are required within the RLOC core network.
Consider the scenario in the image below:
Customer A has 2 LISP sites, site1 and site2, each having an xTR (a device performing the role of ETR and ITR). Site 1 and Site 2 register with the Map-Servers (of the Map-Server/Map-Resolver [MSMR] devices) supporting the LISP control plane for the LISP VPN with instance ID 1. The Map-Server automatically records the registration RLOCs for both sites, and dynamically pushes this list of valid RLOCs to both sites. In this way, site 1 and site 2 of the customer A LISP VPN can send traffic between each other. No other LISP encapsulated traffic is permitted, as the source RLOC will not match the valid source RLOC list.
Customer N also has 2 LISP sites, site1 and site2, and both register to the Map-Servers supporting the LISP control plane for this LISP VPN with instance ID 2. The Map-Server automatically records the registration RLOCs for both sites, and dynamically pushes this list of valid RLOCs to both sites. In this way, site 1 and site 2 of the customer N LISP VPN can send traffic between each other. No other LISP encapsulated traffic is permitted, as the source RLOC will not match the valid source RLOC list.
In addition to the automatically learned source RLOCs of registering LISP sites, the per-IID (instance ID) membership list can be extended to include specific source RLOCs of valid devices that do no register, such as PxTRs. When this feature is deployed, the source RLOCs of the PxTR is made available with the xTRs.
Some pointers for implementing source RLOC decapsulation filtering are given below :
For Map-Servers to be able to construct the complete list of members for an EID instance ID, they must receive registrations from all the xTRs participating in the customer VPN.
Map-Servers construct the EID instance ID-RLOC membership list using the RLOC information in the received mapping records in map-register messages.
All IP prefixes associated with a specific instance ID must be delegated from a common Map-Server to ensure that these Map-Servers can construct a complete RLOC set for the given LISP VPN.
All xTRs within a VPN must register with a common set of Map-Servers.
PxTRs do not (normally) register with the Map-Servers, such that the Map-Servers could discover the PxTR RLOC, and that the Map-Servers could distribute learned RLOCs to the PxTRs. Thus, PxTR RLOCs need to be manually configured on the Map-Server.
The EID instance membership lists built by Map-Servers are communicated only to xTRs and PxTRs that are members of the VPN.
The LISP data plane security mechanism requires the automated distribution and updating of RLOC filter lists to VPN members. This automated distribution is accomplished through a TCP-based session established between the xTRs and Map-Servers after the normal registration process has completed.
For example, xTRs periodically transmit map register messages and process the resulting map notify messages issued by the Map-Server. The Map-Servers process map register messages, update corresponding registration state, and transmit matching map notify messages.
To implement a more reliable, secure, and scalable transport option, TCP-based sessions are provided for LISP-related communication between xTRs and Map-Servers.
Some pointers regarding TCP-based sessions are given below:
The xTRs belonging to the same VPN must register with the same Map-Servers. This limits the number of sites within a VPN to the number of TCP sessions that a Map-Server can support.
How to Configure LISP Data Plane Security
To configure the MSMR devices, perform the steps given below:
 Note |
Steps 5 to 10 are optional. You can use those to modify the list of RLOC addresses (filter list) discovered by the Map-Server. |
Ensure that you have available any RLOCs associated with PxTRs serving within the LISP VPN.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
router lisp Example: |
Enters LISP configuration mode. |
||
|
Step 4 |
map-server rloc members distribute Example: |
Enables distribution of the list of EID prefixes to xTRs at the customer end. |
||
|
Step 5 |
locator-set locator-set-name Example: |
(Optional) Specifies a locator set for the PxTR and enters LISP locator set configuration mode. |
||
|
Step 6 |
ipv4-address priority value weight value Example: |
(Optional) Configures the LISP locator set. You can configure each locator address by creating a locator entry with an assigned priority and weight |
||
|
Step 7 |
exit Example: |
(Optional) Exits LISP locator set configuration mode and enters LISP configuration mode. |
||
|
Step 8 |
eid-table vrf vrf-name instance-id iid Example: |
(Optional) Configures an association between a VRF table and a LISP instance ID, and enters eid-table configuration submode. |
||
|
Step 9 |
map-server rloc members modify-discovered add locator-set locator-set-name Example: |
(Optional) Adds RLOC addresses in the specified locator set to the list of discovered RLOC addresses.
|
||
|
Step 10 |
exit Example: |
(Optional) Exits eid-table configuration submode and enters LISP configuration mode. |
To enable data plane security on the xTRs belonging to customer A (as shown in the image), configure the xTR at site1, as shown below:
Ensure that you have configured the MSMR devices.
Ensure that uRPF is implemented in the RLOC network.
Ensure that you have identified EIDs and the LISP device acting as an xTR.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
router lisp Example: |
Enters LISP configuration mode. |
|
Step 4 |
decapsulation filter rloc source member Example: |
Enables source RLOC address validation of LISP packets. |
|
Step 5 |
exit Example: |
Exits LISP configuration mode and returns to global configuration mode. |
The above steps enable data plane security for the xTR at one of customer A's sites, 'site1'. You need to repeat the steps to enable RLOC decapsulation filtering for customer A's second site, 'site2'.
To configure the PxTR, perform the steps given below:
Ensure that the MSMR devices and xTRs at the customer sites are configured.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
router lisp Example: |
Enters LISP configuration mode. |
|
Step 4 |
decapsulation filter rloc source members Example: |
Enables source RLOC address validation of LISP packets. |
|
Step 5 |
exit Example: |
Exits LISP configuration mode and returns to global configuration mode. |
Verify the LISP Data Plane Security feature on a Map-Server by using the commands given below:
|
Step 1 |
show lisp [session [ established] | vrf [ vrf-name [session [peer-address]]]] Example: |
|
Step 2 |
show lisp site rloc members [instance-id iid] Example: |
Verify the LISP Data Plane Security feature on an xTR or PxTR by using the commands given below:
|
Step 1 |
show lisp [session [ established] | vrf [ vrf-name [session [peer-address]]]] Example: |
|
Step 2 |
show lisp decapsulation filter [ IPv4-rloc-address | IPv6-rloc-address] [ eid-table eid-table-vrf | instance-id iid] Example: |
|
Step 3 |
show cef source-filter table Example: |
|
Step 4 |
debug lisp control-plane eid-membership Example: |
|
Step 5 |
debug lisp control-plane session Example: |
Configuration Examples for LISP Data Plane Security
Note |
Steps for adding the locator set and the RLOC address are optional. You can use those steps to modify the list of RLOC addresses (filter list) discovered by the Map-Server. |
Device> enable
Device# configure terminal
Device(config)# router lisp
Device(config-router-lisp)# map-server rloc members distribute
Device(config-router-lisp)# locator-set PTR_set
Device(config-router-lisp-locator-set)# 10.10.10.1 priority 1 weight 1
Device(config-router-lisp-locator-set)# exit
Device(config-router-lisp)# eid-table vrf cust-A instance-id 1
Device(config-router-lisp-eid-table)# map-server rloc members modify-discovered add locator-set PTR_set
Device(config-router-lisp-eid-table)# exit
Repeat the above steps to configure one or more map servers, as needed
Device> enable
Device# configure terminal
Device(config)# router lisp
Device(config-router-lisp)# decapsulation filter rloc source member
Device(config-router-lisp)# exit
The above steps enable data plane security for the xTR at one of customer sites. You must repeat the steps to enable RLOC decapsulation filtering for other sites.
Device> enable
Device# configure terminal
Device(config)# router lisp
Device(config-router-lisp)# decapsulation filter rloc source member
Device(config-router-lisp)# exit
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Locator/ID Separation Protocol (LISP) commands |
|
Standard/RFC |
Title |
|---|---|
|
RFC 6830 |
Locator/ID Separation Protocol (LISP) |
|
RFC 6832 |
Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites |
|
RFC 6833 |
Locator/ID Separation Protocol (LISP) Map-Server Interface |
|
MIB |
MIBs Link |
|---|---|
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
|
Description |
Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
LISP Data Plane Security |
The LISP Data Plane Security feature ensures that only traffic from within a LISP VPN can be decapsulated into the VPN. The following commands were introduced by this feature: clear lisp vrf , decapsulation filter rloc source , debug lisp control-plane eid-membership , debug lisp control-plane session , map-server rloc members distribute , map-server rloc members modify-discovered , show lisp decapsulation filter , show lisp site rloc members , show lisp session . |
Feedback