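Cisco Locator/ID Separation Protocol (LISP) changes current IP address semantics by creating two new namespaces: Endpoint Identifiers (EIDs), which are assigned to end hosts, and Routing Locators (RLOCs), which are assigned to the devices (primarily routers) that make up the global routing system.
A router that holds the full Internet routing table needs memory and process resources to do so; LISP can help reduce that memory utilization.
Cisco recommends that you have basic knowledge of LISP.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Network Diagram
The following image is used as the sample topology for the rest of this document:
xTR = A LISP router that can be either an ITR or an ETR, depending on the direction of the traffic. When traffic flows out of a LISP router, that router acts as the ITR, and the LISP router at the receiving end acts as the ETR.
ITR = Ingress Tunnel Router
ETR = Egress Tunnel Router
Map Resolver (MR) = The Map Resolver is a LISP infrastructure device to which LISP site ITRs send LISP Map-Request queries when they resolve EID-to-RLOC mappings. R5 is the MR in this document.
Map Server (MS) = The Map Server is a LISP infrastructure device with which LISP site ETRs register their EID prefixes. The Map Server advertises aggregates of the registered EID prefixes into the LISP mapping system. All LISP sites use the LISP mapping system to resolve EID-to-RLOC mappings. R7 is the MS in this document.
Endpoint Identifier (EID) addresses: EID addresses consist of the IP addresses and prefixes that identify the endpoints. EID reachability across LISP sites is achieved by resolving EID-to-RLOC mappings.
Routing Locator (RLOC) addresses: RLOC addresses consist of the IP addresses and prefixes that identify the different routers in the IP network. Reachability within the RLOC space is achieved by traditional routing methods.
ALT (Alternative Logical Topology): The link that connects the Map Resolver and the Map Server through R6 is the ALT in this diagram. It is used only for control-plane communication between the two. This link is never used for actual traffic between the xTRs.
alt-vrf: This setting configures which Virtual Routing and Forwarding (VRF) instance that supports the IPv4 address family LISP must use when it sends Map-Requests for IPv4 EID-to-RLOC mappings directly over the Alternative Logical Topology (ALT).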
!
router lisp
! R1: EID-to-RLOC mapping
database-mapping 172.16.1.1/32 10.1.12.1 priority 5 weight 100
ipv4 itr map-resolver 192.168.5.5
ipv4 itr
! The ETR sends the Map-Register message for its EID to the map server
ipv4 etr map-server 192.168.7.7 key cisco
ipv4 etr
exit
!
!
router lisp
! R4: EID-to-RLOC mapping
database-mapping 172.16.4.4/32 10.1.34.4 priority 5 weight 100
ipv4 itr map-resolver 192.168.5.5
ipv4 itr
! The ETR sends the Map-Register message for its EID to the map server
ipv4 etr map-server 192.168.7.7 key cisco
ipv4 etr
exit
!
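On the Map Resolver, it is mandatory to define a VRF as the alt-vrf. It is used to form the MP-BGP peering between the MR and the MS, which is then used to share the EIDs of the remote sites that the xTRs registered with the MS.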
!
vrf definition lisp
rd 100:1
!
address-family ipv4
route-target export 100:1
route-target import 100:1
exit-address-family
!
!
interface Tunnel1
vrf forwarding lisp
ip address 10.1.45.4 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 10.1.67.7
!
!
router lisp
ipv4 map-resolver
! This command defines "lisp" as the alt-vrf.
ipv4 alt-vrf lisp
exit
!
router bgp 65000
!
address-family ipv4 vrf lisp
neighbor 10.1.45.5 remote-as 65000
neighbor 10.1.45.5 activate
exit-address-family
!
As on the MR, the alt-vrf must also be configured on the MS.
!
router lisp
site 1
authentication-key cisco
eid-prefix 172.16.4.4/32 accept-more-specifics
exit
!
site 2
authentication-key cisco
eid-prefix 172.16.1.1/32 accept-more-specifics
exit
!
ipv4 map-server
! The ALT VRF is "lisp".
ipv4 alt-vrf lisp
exit
!
vrf definition lisp
rd 100:1
!
address-family ipv4
route-target export 100:1
route-target import 100:1
exit-address-family
!
!
interface Tunnel1
vrf forwarding lisp
ip address 10.1.45.5 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 10.1.56.5
!
router bgp 65000
!
address-family ipv4 vrf lisp
redistribute lisp
neighbor 10.1.45.4 remote-as 65000
neighbor 10.1.45.4 activate
exit-address-family
!
end
Verify
To trigger LISP communication, one of the following conditions must be met:
The order of operations is as follows:
R1_XTR#sh ip route 172.16.4.4 -----> R4's EID
% Subnet not in table
R1_XTR#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
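As shown above, the route to R4's EID, 172.16.4.4, is not in the routing table. Instead, a default route that points to Null0 is statically configured. With the necessary trigger condition met, a ping to 172.16.4.4 now triggers LISP encapsulation.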
R1_XTR#ping 172.16.4.4 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/4/7 ms
R1_XTR#
For the above ping to work, the information about the destination xTR, R4, was delivered to R1 through LISP communication:
R1_XTR#sh ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries
0.0.0.0/0, uptime: 06:10:24, expires: never, via static send map-request
Negative cache entry, action: send-map-request
172.16.4.4/32, uptime: 05:55:27, expires: 18:04:32, via map-reply, complete
Locator Uptime State Pri/Wgt
10.1.34.4 05:55:27 up 1/100
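Below are some debug outputs and packet captures that examine the LISP packet flow. The following debug command was enabled to capture the information: "debug lisp control-plane all".
Note: debug commands generate a large amount of data and need to be run in a controlled environment.
In the debug messages below, R1 registers its EID with the MS, and the MS then acknowledges it. Similarly, R4 also registers its EID with the MS.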
*Oct 16 12:46:09.398: LISP-0: IPv4 Map Server IID 0 192.168.7.7, Sending map-register (src_rloc 10.1.15.1) nonce 0xBEB73F0C-0xFE3EBC4E.
*Oct 16 12:46:09.403: LISP: Processing received Map-Notify message from 192.168.7.7 to 10.1.15.1
A ping is now initiated from R1 to R4's EID, and R1 immediately sends a Map-Request packet to the MR.
R1_XTR#ping 172.16.4.4 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Oct 16 12:46:23.380: LISP: Send map request type remote EID prefix
*Oct 16 12:46:23.380: LISP: Send map request for EID prefix IID 0 172.16.4.4/32
*Oct 16 12:46:23.380: LISP-0: Remote EID IID 0 prefix 172.16.4.4/32, Send map request (1) (sources: <signal>, state: incomplete, rlocs: 0).
*Oct 16 12:46:23.380: LISP-0: AF IPv4, Sending map-request from 10.1.12.1 to 172.16.4.4 for EID 172.16.4.4/32, ITR-RLOCs 1, nonce 0x99255979-0x30A1BAC1 (encap src 10.1.15.1, dst 192.168.5.5).
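The MR that receives the packet contacts the MS to identify the xTR registered for that EID, and the Map-Request message is forwarded to R4. In return, R4 sends a Map-Reply back to R1 with its RLOC: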
*Oct 16 12:46:23.389: LISP: Processing received Map-Reply message from 10.1.34.4 to 10.1.12.1
*Oct 16 12:46:23.389: LISP: Received map reply nonce 0x99255979-0x30A1BAC1, records 1
*Oct 16 12:46:23.389: LISP: Processing Map-Reply mapping record for IID 0 172.16.4.4/32, ttl 1440, action none, authoritative, 1 locator
10.1.34.4 pri/wei=1/100 LpR
*Oct 16 12:46:23.389: LISP-0: Map Request IID 0 prefix 172.16.4.4/32 remote EID prefix[LL], Received reply with rtt 9ms.
*Oct 16 12:46:23.389: LISP: Processing mapping information for EID prefix IID 0 172.16.4.4/32
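An added example, not part of the original document: the request and reply above share the nonce 0x99255979-0x30A1BAC1, and the sketch below uses that to pair each Map-Reply in `debug lisp control-plane all` output with an outstanding Map-Request and to list replies that match none. The function name `correlate`, the last two sample lines and the address 10.1.99.9 are constructed for illustration.

```python
import re

# Debug lines taken from R1's output on this page, plus a constructed
# unsolicited reply (the last two lines) to exercise the mismatch path.
SAMPLE_LOG = """\
*Oct 16 12:46:23.380: LISP-0: AF IPv4, Sending map-request from 10.1.12.1 to 172.16.4.4 for EID 172.16.4.4/32, ITR-RLOCs 1, nonce 0x99255979-0x30A1BAC1 (encap src 10.1.15.1, dst 192.168.5.5).
*Oct 16 12:46:23.389: LISP: Processing received Map-Reply message from 10.1.34.4 to 10.1.12.1
*Oct 16 12:46:23.389: LISP: Received map reply nonce 0x99255979-0x30A1BAC1, records 1
*Oct 16 12:46:25.100: LISP: Processing received Map-Reply message from 10.1.99.9 to 10.1.12.1
*Oct 16 12:46:25.100: LISP: Received map reply nonce 0xDEADBEEF-0x00000001, records 1
"""

NONCE = r"(0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+)"
REQ = re.compile(r"Sending map-request from \S+ to \S+ for EID ([\d./]+), .*?nonce " + NONCE)
SRC = re.compile(r"Processing received Map-Reply message from (\S+) to \S+")
REP = re.compile(r"Received map reply nonce " + NONCE)

def correlate(log):
    """Return (matched, unsolicited) Map-Replies, keyed on the request nonce."""
    pending = {}       # nonce -> EID prefix still waiting for a reply
    last_src = None    # source RLOC from the most recent Map-Reply header line
    matched, unsolicited = [], []
    for line in log.splitlines():
        if m := REQ.search(line):
            pending[m.group(2)] = m.group(1)
        elif m := SRC.search(line):
            last_src = m.group(1)
        elif m := REP.search(line):
            nonce = m.group(1)
            if nonce in pending:
                # A nonce answers one request only; a repeat is treated as unsolicited.
                matched.append((pending.pop(nonce), last_src, nonce))
            else:
                unsolicited.append((last_src, nonce))
    return matched, unsolicited
```
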
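As shown below, the MR first receives the Map-Request message from R1, which asks for the RLOC of 172.16.4.4. It then checks its BGP table for VRF lisp for a match among the EIDs learned from the MS. Once a match is found, the MR forwards the Map-Request to the MS: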
LISP_Resolver#show ip bgp vpnv4 vrf lisp
BGP table version is 3, local router ID is 192.168.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf lisp)
*>i 172.16.1.1/32 10.1.45.5 1 100 0 ?
*>i 172.16.4.4/32 10.1.45.5 1 100 0 ?
*Oct 16 12:46:23.384: LISP: Processing received Map-Request message from 10.1.12.1 to 172.16.4.4
*Oct 16 12:46:23.384: LISP: Received map request for IID 0 172.16.4.4/32, source_eid IID 0 172.16.1.1, ITR-RLOCs: 10.1.12.1, records 1, nonce 0x99255979-0x30A1BAC1
*Oct 16 12:46:23.384: LISP-0: AF IID 0 IPv4, Forwarding map request to 172.16.4.4 on the ALT.
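Note: Even though the log message indicates that the Map-Request is forwarded to 172.16.4.4, it is actually sent to the MS, based on the next-hop entry in the BGP table.
Debugs run on the MS show the Map-Register messages from R1 and R4, which first register their respective ETRs: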
*Oct 16 12:46:09.398: LISP: Processing Map-Register mapping record for IID 0 172.16.1.1/32, ttl 1440, action none, authoritative, 1 locator
10.1.12.1 pri/wei=5/100 LpR
*Oct 16 12:46:09.398: LISP-0: MS registration IID 0 prefix 172.16.1.1/32 10.1.15.1 site 2, Updating.
*Oct 16 12:46:41.445: LISP: Processing Map-Register mapping record for IID 0 172.16.4.4/32, ttl 1440, action none, authoritative, 1 locator
10.1.34.4 pri/wei=1/100 LpR
*Oct 16 12:46:41.445: LISP-0: MS registration IID 0 prefix 172.16.4.4/32 10.1.47.4 site 1, Updating.
Both xTRs have now successfully registered their EIDs:
R7#show lisp site detail
LISP Site Registration Information
Site name: 1
Allowed configured locators: any
Allowed EID-prefixes:
EID-prefix: 172.16.4.4/32
First registered: 05:02:48
Routing table tag: 0
Origin: Configuration, accepting more specifics
Merge active: No
Proxy reply: No
TTL: 1d00h
State: complete
Registration errors:
Authentication failures: 0
Allowed locators mismatch: 0
ETR 10.1.47.4, last registered 00:00:21, no proxy-reply, map-notify
TTL 1d00h, no merge, hash-function sha1, nonce 0x56D89121-0xC39C2892
state complete, no security-capability
xTR-ID 0xF7DE6C93-0x06F8DDA4-0x7D6400B1-0x19EC9669
site-ID unspecified
Locator Local State Pri/Wgt
10.1.34.4 yes up 1/100
Site name: 2
Allowed configured locators: any
Allowed EID-prefixes:
EID-prefix: 172.16.1.1/32
First registered: 05:02:46
Routing table tag: 0
Origin: Configuration, accepting more specifics
Merge active: No
Proxy reply: No
TTL: 1d00h
State: complete
Registration errors:
Authentication failures: 0
Allowed locators mismatch: 0
ETR 10.1.15.1, last registered 00:00:50, no proxy-reply, map-notify
TTL 1d00h, no merge, hash-function sha1, nonce 0xBEB73F0C-0xFE3EBC4E
state complete, no security-capability
xTR-ID 0xCF7E1300-0x302FF91A-0x1C2D0499-0x8A105258
site-ID unspecified
Locator Local State Pri/Wgt
10.1.12.1 yes up 5/100
When the ping is run from R1 and the MR sends the Map-Request message to the MS, the following logs are seen on the MS:
*Oct 16 12:46:23.388: LISP: Processing received Map-Request message from 10.1.12.1 to 172.16.4.4
*Oct 16 12:46:23.388: LISP: Received map request for IID 0 172.16.4.4/32, source_eid IID 0 172.16.1.1, ITR-RLOCs: 10.1.12.1, records 1, nonce 0x99255979-0x30A1BAC1
*Oct 16 12:46:23.388: LISP-0: MS EID IID 0 prefix 172.16.4.4/32 site 1, Forwarding map request to ETR RLOC 10.1.34.4.
The following events occur on R4:
*Oct 16 13:32:40.700: LISP: Processing received Encap-Control message from 10.1.47.7 to 10.1.34.4
*Oct 16 13:32:40.702: LISP: Processing received Map-Request message from 10.1.12.1 to 172.16.4.4
*Oct 16 13:32:40.702: LISP: Received map request for IID 0 172.16.4.4/32, source_eid IID 0 172.16.1.1, ITR-RLOCs: 10.1.12.1, records 1, nonce 0x188823A0-0xAFF029C8
*Oct 16 13:32:40.702: LISP: Processing map request record for EID prefix IID 0 172.16.4.4/32
*Oct 16 13:32:40.702: LISP-0: Sending map-reply from 10.1.34.4 to 10.1.12.1.
The following packet capture shows the Map-Request from R1 for R4:
Internet Protocol Version 4, Src: 10.1.15.1 (10.1.15.1), Dst: 192.168.5.5 (192.168.5.5)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 120
Identification: 0x1446 (5190)
Flags: 0x00
Fragment offset: 0
Time to live: 31
Protocol: UDP (17)
Header checksum: 0xa7c0 [validation disabled]
Source: 10.1.15.1 (10.1.15.1)
Destination: 192.168.5.5 (192.168.5.5)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 4342 (4342), Dst Port: 4342 (4342)
Locator/ID Separation Protocol
Internet Protocol Version 4, Src: 10.1.12.1 (10.1.12.1), Dst: 172.16.4.4 (172.16.4.4)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 88
Identification: 0x1445 (5189)
Flags: 0x00
Fragment offset: 0
Time to live: 32
Protocol: UDP (17)
Header checksum: 0xbf7a [validation disabled]
Source: 10.1.12.1 (10.1.12.1)
Destination: 172.16.4.4 (172.16.4.4)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 4342 (4342), Dst Port: 4342 (4342)
Locator/ID Separation Protocol
The Map-Register packet capture is shown below:
Internet Protocol Version 4, Src: 10.1.47.4 (10.1.47.4), Dst: 192.168.7.7 (192.168.7.7)
User Datagram Protocol, Src Port: 4342 (4342), Dst Port: 4342 (4342)
Locator/ID Separation Protocol
0011 .... .... .... .... .... = Type: Map-Register (3)
.... 0... .... .... .... .... = P bit (Proxy-Map-Reply): Not set
.... .0.. .... .... .... .... = S bit (LISP-SEC capable): Not set
.... ..1. .... .... .... .... = I bit (xTR-ID present): Set
.... ...0 .... .... .... .... = R bit (Built for an RTR): Not set
.... .... 0000 0000 0000 000. = Reserved bits: 0x000000
.... .... .... .... .... ...1 = M bit (Want-Map-Notify): Set
Record Count: 1
Nonce: 0x56d89121c39c2892
Key ID: 0x0001
Authentication Data Length: 20
Authentication Data: ce8f37f14c76d49e52717d1c5407e638e2733015
Mapping Record 1, EID Prefix: 172.16.4.4/32, TTL: 1440, Action: No-Action, Authoritative
Record TTL: 1440
Locator Count: 1
EID Mask Length: 32
000. .... .... .... = Action: No-Action (0)
...1 .... .... .... = Authoritative bit: Set
.... .000 0000 0000 = Reserved: 0x0000
0000 .... .... .... = Reserved: 0x0000
.... 0000 0000 0000 = Mapping Version: 0
EID Prefix AFI: IPv4 (1)
EID Prefix: 172.16.4.4 (172.16.4.4)
Locator Record 1, Local RLOC: 10.1.34.4, Reachable, Priority/Weight: 1/100, Multicast Priority/Weight: 255/0
xTR-ID: f7de6c9306f8dda47d6400b119ec9669
Site-ID: 0000000000000000
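An added example, not part of the original document or Cisco's code: how a receiver can check the Authentication Data of a Map-Register laid out like the capture above (Key ID 1, 20-byte HMAC-SHA-1), recomputing the HMAC over the message with the authentication field zeroed as RFC 6830 describes. The function names and the sample message are constructed here from the capture's field values and the lab key `cisco`; that the HMAC also covers the trailing xTR-ID and Site-ID is an assumption.

```python
import hashlib
import hmac
import socket
import struct

def build_register(key, nonce, eid, rloc, xtr_id):
    """Build a Map-Register shaped like the capture: I and M bits set, one record."""
    word0 = (3 << 28) | (1 << 25) | (1 << 8) | 1       # Type 3, I bit, M bit, Record Count 1
    head = struct.pack("!IQHH", word0, nonce, 1, 20)   # nonce, Key ID 1, auth length 20
    # TTL 1440, 1 locator, /32, Authoritative bit, map version 0, AFI 1 (IPv4)
    record = struct.pack("!IBBHHH4s", 1440, 1, 32, 0x1000, 0, 1, socket.inet_aton(eid))
    # Priority/Weight 1/100, multicast 255/0, L and R flags set, AFI 1 (IPv4)
    locator = struct.pack("!BBBBHH4s", 1, 100, 255, 0, 0x0005, 1, socket.inet_aton(rloc))
    body = record + locator + xtr_id + bytes(8)        # Site-ID is all zeros
    mac = hmac.new(key, head + bytes(20) + body, hashlib.sha1).digest()
    return head + mac + body

def verify_register(msg, key):
    """Recompute the HMAC with the auth field zeroed and compare in constant time."""
    if len(msg) < 16:
        return False
    word0, _nonce, key_id, auth_len = struct.unpack("!IQHH", msg[:16])
    if word0 >> 28 != 3 or key_id != 1 or auth_len != 20 or len(msg) < 16 + auth_len:
        return False
    received = msg[16:16 + auth_len]
    zeroed = msg[:16] + bytes(auth_len) + msg[16 + auth_len:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()
    return hmac.compare_digest(received, expected)

# Constructed sample: field values from the capture, signed here with the lab key.
KEY = b"cisco"
MSG = build_register(KEY, 0x56D89121C39C2892, "172.16.4.4", "10.1.34.4",
                     bytes.fromhex("f7de6c9306f8dda47d6400b119ec9669"))
# Same message with the RLOC rewritten after signing (constructed address).
TAMPERED = MSG[:-28] + socket.inet_aton("10.9.9.9") + MSG[-24:]
```

A failed check of this kind is what the `Authentication failures` counter in `show lisp site detail` reports on the map server.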
Map-Reply message captured on R1, received from R4:
Internet Protocol Version 4, Src: 10.1.34.4 (10.1.34.4), Dst: 10.1.12.1 (10.1.12.1)
User Datagram Protocol, Src Port: 4342 (4342), Dst Port: 4342 (4342)
Locator/ID Separation Protocol
0010 .... .... .... .... .... = Type: Map-Reply (2)
.... 0... .... .... .... .... = P bit (Probe): Not set
.... .0.. .... .... .... .... = E bit (Echo-Nonce locator reachability algorithm enabled): Not set
.... ..0. .... .... .... .... = S bit (LISP-SEC capable): Not set
.... ...0 0000 0000 0000 0000 = Reserved bits: 0x000000
Record Count: 1
Nonce: 0xe9ee73f07b0cb7d6
Mapping Record 1, EID Prefix: 172.16.4.4/32, TTL: 1440, Action: No-Action, Authoritative
Record TTL: 1440
Locator Count: 1
EID Mask Length: 32
000. .... .... .... = Action: No-Action (0)
...1 .... .... .... = Authoritative bit: Set
.... .000 0000 0000 = Reserved: 0x0000
0000 .... .... .... = Reserved: 0x0000
.... 0000 0000 0000 = Mapping Version: 0
EID Prefix AFI: IPv4 (1)
EID Prefix: 172.16.4.4 (172.16.4.4)
Locator Record 1, Local RLOC: 10.1.34.4, Reachable, Priority/Weight: 1/100, Multicast Priority/Weight: 255/0