Cisco GETVPN+LISP Lab Guide

GETVPN+LISP Lab Guide

Developers and Lab Proctors This lab was created by: Gregg Schudel, TME – LISP Development Team Version 1.0: Created by Gregg Schudel Lab proctor: Gregg Schudel ([email protected])

Lab Exercises This lab guide includes the following exercises:

• Lab Exercise 1: Topology Review, including GETVPN Key Server Components • Lab Exercise 2: Deploying LISP Shared Model Virtualization for IPv4 and IPv6 EIDs • Lab Exercise 3: Deploying GETVPN with LISP Shared Model Virtualization

The Locator/ID Separation Protocol (LISP) implements a new routing architecture via a set of protocols that utilize a level of indirection to separate an IP address into two namespaces: Endpoint Identifiers (EIDs), which are assigned to end-hosts, and Routing Locators (RLOCs), which are assigned to devices (primarily routers) that make up the global routing system. In addition to helping solve routing scalability issues, LISP provides many other benefits, including: simplified, cost-effective multihoming and ingress traffic engineering; multi-address-family support (IPv4 and IPv6); IP address (host) mobility, including session persistence across mobility events; and simplified, highly-scalable network virtualization. The inherent properties of LISP that support multi-homing, multiple address families, host/VM mobility, and virtualization, also make it an ideal architecture for creating highly efficient, AF-agnostic, Virtual Private Networks (VPNs). Existing IOS encryption support provided by the IPsec and GETVPN features can be used directly (in a “bolt-on” manner) with LISP to build encrypted VPNs. The purpose of this lab is to familiarize you with the configuration of a notional Enterprise VPN deployment using LISP shared model virtualization and GETVPN for encryption. In this lab, IPv4 and IPv6 “endpoint identifiers” (EIDs) are used at each VPN site, with virtualization (three departmental VPNs), all running over a common IPv4 core. GETVPN is added on a per-VRF and per-address family basis (i.e. IPv4 and IPv6 associated with each VRF is encrypted separately), and redundant Map-Servers and Key Servers are deployed. Multihoming is also included in at some sites. Assumptions: Some understanding of LISP and of GETVPN is assumed. This lab does not focus on the basics of each technology, but rather, focuses on the integration of the two.

Lab Topology and Access Every attendee will be given access to a POD including eight Cisco routers. The general baseline topology for the GETVPN+LISP lab is illustrated in Figure 1 below.

Lab Topology The baseline topology used for the lab is shown in Figure 1 below.

Figure 1. Baseline Topology for the GETVPN+LISP Lab Exercise

This baseline topology includes the following elements:

-‐ The topology includes a “Headquarters” (HQ) site and three “Remote Office” sites.

o The HQ site is multihomed using two CPE routers (RTR14 and RTR15), each with a single WAN connection to the IPv4 core network. These CPE routers function as LISP xTRs, as well as MS/MRs for the entire VPN. They also function as GETVPN GMs. The HQ site also hosts two separate CPE routers that function as redundant GETVPN Key Servers (RTR18 /KS1 and RTR19/KS2).

o One Remote site is also multihomed and uses a single CPE router (RTR16); the other two Remote sites are singled homed to the IPv4 core network (RTR11 and RTR13). All CPE routers at these remote sites function as LISP xTRs, as well as GETVPN GMs.

-‐ The core network is running IPv4. (Note that if the core network were instead running IPv6, a single configuration change only would be required on each site – that being the RLOC address. No other changes to other configurations, including the GETVPN configuration, would be necessary.)

-‐ Three “departmental VPNS” are configured at all four sites; each of these VPNs includes both IPv4 and IPv6 site prefixes (EIDs). LISP instance-IDs are used to provide segmentation.

-‐ GETVPN is added on a per-VRF and per-address family basis (i.e. IPv4 and IPv6 associated with each VRF is encrypted separately). Redundant Key Servers are also deployed.

Lab IP Address Assignment Headquarters (HQ) Site

Device WAN Link IPv4 EIDs IPv6 EIDs RTR14 LISP xTR, MSMR GETVPN GM

10.0.14.2/30 Default: 192.168.255.14/32 IID 0 Default: 192.168.18.0/24 IID 0 DeptA: 192.168.14.0/24 IID 1 DeptB: 192.168.14.0/24 IID 2 DeptC: 192.168.14.0/24 IID 3

DeptA: 1:1:14::/64 IID 1 DeptB: 2:2:14::/64 IID 2 DeptC: 3:3:14::/64 IID 3

RTR15 LISP xTR, MSMR GETVPN GM

10.0.15.2/30 Default: 192.168.255.15/32 IID 0 Default: 192.168.19.0/24 IID 0 DeptA: 192.168.14.0/24 IID 1 DeptB: 192.168.14.0/24 IID 2 DeptC: 192.168.14.0/24 IID 3


RTR18 (KS1) -‐ 192.168.18.2/24 -‐ RTR19 (KS2) -‐ 192.168.19.2/24 -‐ Remote Site 1

Device WAN Link IPv4 EIDs IPv6 EIDs RTR11 LISP xTR GETVPN GM

10.0.11.2/30 Default: 192.168.255.11/32 IID 0 DeptA: 192.168.11.0/24 IID 1 DeptB: 192.168.11.0/24 IID 2 DeptC: 192.168.11.0/24 IID 3


Remote Site 2 Device WAN Link IPv4 EIDs IPv6 EIDs

RTR16 LISP xTR GETVPN GM

10.0.16.2/30 10.0.16.6/30

Default: 192.168.255.16/32 IID 0 DeptA: 192.168.16.0/24 IID 1 DeptB: 192.168.16.0/24 IID 2 DeptC: 192.168.16.0/24 IID 3


Remote Site 3 Device WAN Link IPv4 EIDs IPv6 EIDs

RTR13 LISP xTR GETVPN GM

10.0.13.2/30 Default: 192.168.255.13/32 IID 0 DeptA: 192.168.13.0/24 IID 1 DeptB: 192.168.13.0/24 IID 2 DeptC: 192.168.13.0/24 IID 3


Core Router 12 Device WAN Link IPv4 EIDs IPv6 EIDs

RTR12 (core) 10.0.11.1/30 10.0.13.1/30 10.0.14.1/30 10.0.15.1/30 10.0.16.1/30 10.0.16.5/30

-‐ -‐

Notes: All WAN Link IP addressing has been preconfigured and all links are “up.” The Key Servers KS1 and KS2, and the core router (RTR12) are also fully preconfigured.

Lab Exercise 1: Topology Review, Including GETVPN Key Server Components Exercise Description

As the intention of the overall GETVPN+LISP Lab is to familiarize you with the fundamentals, configuration and management of a notional Enterprise VPN deployment that incorporates LISP with shared model virtualization and GETVPN. This exercise (Exercise 1) reviews the overall topology and addressing used within the lab.

Exercise Objective By completing this exercise, you will learn the functions, baseline configurations, and forwarding characteristics of each router in the topology. This will provide you with knowledge of this topology that is required to complete the LISP deployment exercise that follows.

Lab Exercise Steps Step 0 Headquarters LISP Site Review - Review the IPv4 and IPv6 EID addressing and the

IPv4 WAN addressing for the Headquarters LISP Site, which includes the routers RTR14 and R15, as well as the Key Servers RTR18 and RTR19. • The Headquarters LISP Site is multi-homed and includes two CPE routers, RTR14

and R15, which function as LISP xTRs, LISP Map-Server/Map-Resolvers, and as GETVPN Group Members (GMs). The Headquarters LISP Site also includes routers RTR18 and RTR19, which function as redundant Key Servers (KSs) for GETVPN.

• RTR14 and RTR15 are configured with three VRFs, DeptA, DeptB, and DeptC, each serving both the IPv4 and IPv6 address space. For example, on RTR14:

RTR14-xTR#show run ---<skip>--- ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family !

• The addressing and routing for RTR14 is shown below. Ethernet0/0 is the WAN

interface and has the IPv4 address 10.0.14.2/30. This serves as one of the LISP RLOCs for this multihomed site. (The WAN link for RTR15 serves as the other RLOC

for this multihomed site.) The interface Ethernet0/1 includes 3 subinterfaces, and each is within one of the VRFs highlighted above. These subinterfaces are for the IPv4 and IPv6 EID prefixes contained within this LISP site. (Note that these EID prefixes match those given in the table at the beginning of this Lab Guide.) Interface Ethernet0/2 provides the connectivity to one of the GETVPN Key Servers, KS1 in this case. The IPv4 prefix 192.168.18.0/24 is also in EID space at this LISP site. Loopback0 is used as a reference/management address. One additional notable attribute is the default route for all egress traffic. Since this site is using LISP, only the default route is required.

RTR14-xTR#show run | begin Loop interface Loopback0 ip address 192.168.255.14 255.255.255.255 ! interface Ethernet0/0 ip address 10.0.14.2 255.255.255.252 ! interface Ethernet0/1 no ip address ! interface Ethernet0/1.1 encapsulation dot1Q 1 native vrf forwarding DeptA ip address 192.168.14.1 255.255.255.0 ipv6 address 1:1:14::1/64 ! interface Ethernet0/1.2 encapsulation dot1Q 2 vrf forwarding DeptB ip address 192.168.14.1 255.255.255.0 ipv6 address 2:2:14::1/64 ! interface Ethernet0/1.3 encapsulation dot1Q 3 vrf forwarding DeptC ip address 192.168.14.1 255.255.255.0 ipv6 address 3:3:14::1/64 ! interface Ethernet0/2 ip address 192.168.18.1 255.255.255.0 ! interface Ethernet0/3 no ip address shutdown ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 10.0.14.1 !

• The addressing and routing for RTR15 is similar to that of RTR14 and is shown as

follows. In the case of RTR15, the IPv4 prefix associated with Ethernet0/2 – 192.168.19.0/24 – is the EID space for the Key Server KS2.

RTR15-xTR#show run | begin Loop interface Loopback0 ip address 192.168.255.15 255.255.255.255 ! interface Ethernet0/0 ip address 10.0.15.2 255.255.255.252 ! interface Ethernet0/1 no ip address

! interface Ethernet0/1.1 encapsulation dot1Q 1 native vrf forwarding DeptA ip address 192.168.14.2 255.255.255.0 ipv6 address 1:1:14::2/64 ! interface Ethernet0/1.2 encapsulation dot1Q 2 vrf forwarding DeptB ip address 192.168.14.2 255.255.255.0 ipv6 address 2:2:14::2/64 ! interface Ethernet0/1.3 encapsulation dot1Q 3 vrf forwarding DeptC ip address 192.168.14.2 255.255.255.0 ipv6 address 3:3:14::2/64 ! interface Ethernet0/2 ip address 192.168.19.1 255.255.255.0 ! interface Ethernet0/3 no ip address shutdown ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 10.0.15.1 !

• The addressing and routing for RTR18 (KS1) is shown as follows. (The full

configuration of RTR18 (KS1) will be reviewed in Lab Exercise 3 when GETVPN is added to LISP for encryption.)

RTR18-KS1#show run ---<skip>--- ! interface Ethernet0/0 ip address 192.168.18.2 255.255.255.0 ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 192.168.18.1 !

• The addressing and routing for RTR19 (KS2) is shown as follows. (The full

configuration of RTR19 (KS2) will be reviewed in Lab Exercise 3 when GETVPN is added to LISP for encryption.)

RTR19-KS2#show run ---<skip>--- ! interface Ethernet0/0 ip address 192.168.19.2 255.255.255.0 ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 192.168.19.1 !

Step 1 Remote LISP Site 1 Review – Review the IPv4 and IPv6 EID addressing and the IPv4 WAN addressing for Remote LISP Site 1, which includes router RTR11. • Remote LISP Site 1 is single-homed and includes one CPE router, RTR11, which

functions as a LISP xTRs and as GETVPN GM. • RTR11 is configured with three VRFs, DeptA, DeptB, and DeptC, each serving both

the IPv4 and IPv6 address space. The addressing and routing for RTR11 is shown below. Ethernet0/0 is the WAN interface and has the IPv4 address 10.0.11.2/30. This serves as the LISP RLOC for this site. The interfaces Loopback1, Loopback2, and Loopback3 are used, as is typically done in lab environments, to hold down the IPv4 and IPv6 EID prefixes contained within this LISP site. Each Loopback is within one of the VRFs highlighted above. (Note that these EID prefixes match those given in the table at the beginning of this Lab Guide.) Loopback0 is used as a reference/management address. One additional notable attribute is the default route for all egress traffic. Since this site is using LISP, only the default route is required.

RTR11-xTR#show run ---<skip>--- ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ---<skip>--- interface Loopback0 ip address 192.168.255.11 255.255.255.255 ! interface Loopback1 vrf forwarding DeptA ip address 192.168.11.1 255.255.255.0 ipv6 address 1:1:11::1/64 ! interface Loopback2 vrf forwarding DeptB ip address 192.168.11.1 255.255.255.0 ipv6 address 2:2:11::1/64 ! interface Loopback3 vrf forwarding DeptC ip address 192.168.11.1 255.255.255.0 ipv6 address 3:3:11::1/64 ! interface Ethernet0/0 ip address 10.0.11.2 255.255.255.252

! ---<skip>--- ip route 0.0.0.0 0.0.0.0 10.0.11.1 !

Step 2 Remote LISP Site 3 Review – Review the IPv4 and IPv6 EID addressing and the IPv4

WAN addressing for Remote LISP Site 3, which includes router RTR13. • Remote LISP Site 3 is single-homed and includes one CPE router, RTR13, which

function as a LISP xTRs and as GETVPN GM. • RTR13 is configured with three VRFs, DeptA, DeptB, and DeptC, each serving both

the IPv4 and IPv6 address space. The addressing and routing for RTR13 is shown below. Ethernet0/0 is the WAN interface and has the IPv4 address 10.0.13.2/30. This serves as the LISP RLOC for this site. The interfaces Loopback1, Loopback2, and Loopback3 are used, as is typically done in lab environments, to hold down the IPv4 and IPv6 EID prefixes contained within this LISP site. Each Loopback is within one of the VRFs highlighted above. (Note that these EID prefixes match those given in the table at the beginning of this Lab Guide.) Loopback0 is used as a reference/management address. One additional notable attribute is the default route for all egress traffic. Since this site is using LISP, only the default route is required.

RTR13-xTR#show run ---<skip>--- ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ---<skip>--- interface Loopback0 ip address 192.168.255.13 255.255.255.255 ! interface Loopback1 vrf forwarding DeptA ip address 192.168.13.1 255.255.255.0 ipv6 address 1:1:13::1/64 ! interface Loopback2 vrf forwarding DeptB ip address 192.168.13.1 255.255.255.0 ipv6 address 2:2:13::1/64 ! interface Loopback3

vrf forwarding DeptC ip address 192.168.13.1 255.255.255.0 ipv6 address 3:3:13::1/64 ! interface Ethernet0/0 ip address 10.0.13.2 255.255.255.252 ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 10.0.13.1 !

Step 3 Remote LISP Site 2 Review – Review the IPv4 and IPv6 EID addressing and the IPv4

WAN addressing for Remote LISP Site 2, which includes router RTR16. • Remote LISP Site 2 is multihomed but includes only one CPE router, RTR16, which

functions as a LISP xTRs and as GETVPN GM. • RTR16 is configured with three VRFs, DeptA, DeptB, and DeptC, each serving both

the IPv4 and IPv6 address space. The addressing and routing for RTR16 is shown below. Ethernet0/0 and Ethernet01 are the WAN interfaces (RTR16 is multihomed), and have the IPv4 addresses 10.0.16.2/30 and 10.0.16.6/30, respectively. These serve as the LISP RLOCs for this site. The interfaces Loopback1, Loopback2, and Loopback3 are used, as is typically done in lab environments, to hold down the IPv4 and IPv6 EID prefixes contained within this LISP site. Each Loopback is within one of the VRFs highlighted above. (Note that these EID prefixes match those given in the table at the beginning of this Lab Guide.) Loopback0 is used as a reference/management address. One additional notable attribute is the default routes for all egress traffic. Since this site is using LISP, only the default routes are required.

RTR16-xTR#show run ---<skip>--- ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ---<skip>--- interface Loopback0 ip address 192.168.255.16 255.255.255.255 ! interface Loopback1 vrf forwarding DeptA ip address 192.168.16.1 255.255.255.0 ipv6 address 1:1:16::1/64

! interface Loopback2 vrf forwarding DeptB ip address 192.168.16.1 255.255.255.0 ipv6 address 2:2:16::1/64 ! interface Loopback3 vrf forwarding DeptC ip address 192.168.16.1 255.255.255.0 ipv6 address 3:3:16::1/64 ! interface Ethernet0/0 ip address 10.0.16.2 255.255.255.252 ! interface Ethernet0/1 ip address 10.0.16.6 255.255.255.252 ! ---<skip>--- ip route 0.0.0.0 0.0.0.0 10.0.16.1 ip route 0.0.0.0 0.0.0.0 10.0.16.5 !

Step 4 Core Router Review – Review the IPv4 IPv4 WAN addressing for Core router, RTR12.

• RTR12-core, as is typically the case in lab environments, is used to simulate an entire core network. The IPv4 addresses are shown below. Because all other routers are directly connected, no additional routing information is needed for reachability.

RTR12-core#show run ---<skip>--- ! interface Ethernet0/0 ip address 10.0.11.1 255.255.255.252 ! interface Ethernet0/1 ip address 10.0.13.1 255.255.255.252 ! interface Ethernet0/2 ip address 10.0.14.1 255.255.255.252 ! interface Ethernet0/3 ip address 10.0.15.1 255.255.255.252 ! interface Ethernet1/0 ip address 10.0.16.1 255.255.255.252 ! interface Ethernet1/1 ip address 10.0.16.5 255.255.255.252 ! RTR12-core#

• From RTR12, you should only be able to ping any of the WAN/RLOC interfaces for

RTR14, RTR15, RTR11, RTR13, and RTR16. Examples are shown below. Obviously, none of the IPv4 or IPv6 LISP EID prefixes are reachable from the core.

RTR12-core#ping 10.0.11.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.11.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RTR12-core#ping 10.0.13.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.13.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RTR12-core#ping 10.0.14.2 Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.14.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms RTR12-core#ping 10.0.15.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.15.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RTR12-core#ping 10.0.16.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.16.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RTR12-core#ping 10.0.16.6 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.16.6, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms RTR12-core#

The above “ping” tests demonstrate one of the basic principles of LISP – that being locator/ID separation. This inherent property makes LISP an ideal routing architecture for supporting virtual private networks.

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 2: Deploying LISP Shared Model Virtualization for IPv4 and IPv6 EIDs Exercise Description

This exercise (Exercise 2) will familiarize you with the configuration of LISP shared model virtualization. Recalling that LISP implements “Locator/ID” separation to create two namespaces - EIDs and RLOCs, it is easy to see that LISP can consider both EID and RLOC namespaces for virtualization. Either or both can be virtualized.

Associating a LISP Instance-ID (IID) to an EID VRF enables EID virtualization. IIDs are numerical tags that are used to maintain EID address space segmentation in both the control plane and data plane. EID namespace virtualization is referred to in LISP as shared model because multiple, distinct EID namespaces, as segmented by VRFs and IIDs, are “sharing” a common RLOC namespace, as illustrated in Figure 2 below. Notice in Figure 3 that a “LISP0.x” virtual interface is automatically created for each IID. Thus, as shown in Figure 2, IID 1 is associated with LISP0.1, IID2 is associated with LISP0.2, and IID3 is associated with LISP0.3. (This will also be important when crypto-maps are added to the configuration.)

Figure 2. LISP shared model virtualization showing three separate EID namespaces, segmented by LISP instance-IDs associated with EID VRFs, and sharing a single, IPv4 RLOC namespace.

In this exercise, each of the LISP Site routers will be configured to support three “departmental” VRFs: DeptA, DeptB, and DeptC. Each VPN will also serving IPv4 and IPv6 address space. You likely noticed that each VRF uses the same, overlapping IPv4 address space. This is possible because of the LISP IID that will be associated with each namespace to provide segmentation. The IPv6 address space used within each VRF is unique, however.

Exercise Objective By completing this exercise, you will learn the configuration details required to enable LISP shared model virtualization.

Lab Exercise Steps Step 5 Headquarters LISP Site Configuration – The Headquarters LISP Site is multihomed

and includes two CPE routers, RTR14 and R15, which function as LISP xTRs, LISP Map-Server/Map-Resolvers, and as GETVPN Group Members (GMs). The Headquarters LISP Site also includes routers RTR18 and RTR19, which function as redundant Key Servers (KSs) for GETVPN. In this step, you will configure the LISP Map-Server services, as well as LISP xTR services on RTR14 and RTR15. The relevant information for the HQ LISP site is shown in Figure 3 below.

Figure 3. Relevant topology and addressing for the HQ LISP Site

• Configure RTR14 and RTR15 for LISP Map-Server services. The configuration for the Map-Server is identical on both routers. The configuration for the map-server functions is as follows. Apply this to both RTR14 and RTR15.

RTR14 and RTR15 ! router lisp ! site HQ authentication-key hq-pswd eid-prefix 192.168.18.0/24 eid-prefix 192.168.19.0/24 eid-prefix 192.168.255.14/32 eid-prefix 192.168.255.15/32 eid-prefix instance-id 1 192.168.14.0/24 eid-prefix instance-id 1 1:1:14::/64 eid-prefix instance-id 2 192.168.14.0/24 eid-prefix instance-id 2 2:2:14::/64 eid-prefix instance-id 3 192.168.14.0/24 eid-prefix instance-id 3 3:3:14::/64 exit ! site Site11 authentication-key site11-pswd eid-prefix 192.168.255.11/32 eid-prefix instance-id 1 192.168.11.0/24 eid-prefix instance-id 1 1:1:11::/64 eid-prefix instance-id 2 192.168.11.0/24 eid-prefix instance-id 2 2:2:11::/64 eid-prefix instance-id 3 192.168.11.0/24 eid-prefix instance-id 3 3:3:11::/64 exit ! site Site13 authentication-key site13-pswd eid-prefix 192.168.255.13/32 eid-prefix instance-id 1 192.168.13.0/24 eid-prefix instance-id 1 1:1:13::/64 eid-prefix instance-id 2 192.168.13.0/24 eid-prefix instance-id 2 2:2:13::/64 eid-prefix instance-id 3 192.168.13.0/24 eid-prefix instance-id 3 3:3:13::/64 exit ! site Site16 authentication-key site16-pswd

eid-prefix 192.168.255.16/32 eid-prefix instance-id 1 192.168.16.0/24 eid-prefix instance-id 1 1:1:16::/64 eid-prefix instance-id 2 192.168.16.0/24 eid-prefix instance-id 2 2:2:16::/64 eid-prefix instance-id 3 192.168.16.0/24 eid-prefix instance-id 3 3:3:16::/64 exit ! ipv4 map-server ipv4 map-resolver ipv6 map-server ipv6 map-resolver !

• Configure RTR14 and RTR15 for LISP xTR services for their IPv4 and IPv6 EID

prefixes. The configurations for both xTR are similar – differing only in the local Loopback used for management (loop0). The LISP xTR configurations for RTR14 and RTR15 are as follows.

RTR14 ! router lisp locator-set HQ-RLOC 10.0.14.2 priority 1 weight 50 10.0.15.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.18.0/24 10.0.14.2 priority 1 weight 1 database-mapping 192.168.255.14/32 10.0.14.2 priority 1 weight 1 exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 1:1:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 2:2:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 3:3:14::/64 locator-set HQ-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key hq-pswd ipv4 etr map-server 10.0.15.2 key hq-pswd ipv4 etr no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key hq-pswd ipv6 etr map-server 10.0.15.2 key hq-pswd ipv6 etr exit !

RTR15 ! router lisp locator-set HQ-RLOC 10.0.14.2 priority 1 weight 50 10.0.15.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.19.0/24 10.0.15.2 priority 1 weight 1 database-mapping 192.168.255.15/32 10.0.15.2 priority 1 weight 1 exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 1:1:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 2:2:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 3:3:14::/64 locator-set HQ-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key hq-pswd ipv4 etr map-server 10.0.15.2 key hq-pswd ipv4 etr no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key hq-pswd ipv6 etr map-server 10.0.15.2 key hq-pswd ipv6 etr exit !

• Several configuration details are worth noting.

1. The Map-Server configuration is identical on both RTR14 and RTR15. 2. The xTRs are using the “locator-set” command to specify the RLOCs for the

entire LISP site (i.e., both RLOC interfaces for RTR14 and RTR15). Using the locator-set construct reduces the complexity of the database-mapping configurations that follow it.

3. The local loopback0 interface and Key Server EID prefix are configured in the default (global) table and use the local RLOC only for connectivity.

4. All other VRF-related EID prefixes are reachable via both RLOCs and hence are associated with the configured locator-set.

• At this point, the HQ LISP Site should be active and registering to both Map-Servers. Verify this by reviewing the status of the LISP sites registering to each Map-Server. (RTR14 is shown; RTR15 is similar.)

RTR14 RTR14-xTR#show lisp site LISP Site Registration Information Site Name Last Up Who Last Inst EID Prefix Register Registered ID HQ 00:00:44 yes 10.0.14.2 0 192.168.18.0/24 00:00:07 yes 10.0.15.2 0 192.168.19.0/24 00:00:44 yes 10.0.14.2 0 192.168.255.14/32 00:00:07 yes 10.0.15.2 0 192.168.255.15/32 00:00:30 yes 10.0.15.2 1 192.168.14.0/24 00:00:29 yes 10.0.14.2 1 1:1:14::/64 00:00:31 yes 10.0.14.2 2 192.168.14.0/24 00:00:05 yes 10.0.15.2 2 2:2:14::/64 00:00:55 yes 10.0.15.2 3 192.168.14.0/24 00:00:26 yes 10.0.14.2 3 3:3:14::/64 Site11 never no -- 0 192.168.255.11/32 never no -- 1 192.168.11.0/24 never no -- 1 1:1:11::/64 never no -- 2 192.168.11.0/24 never no -- 2 2:2:11::/64 never no -- 3 192.168.11.0/24 never no -- 3 3:3:11::/64 Site13 never no -- 0 192.168.255.13/32 never no -- 1 192.168.13.0/24 never no -- 1 1:1:13::/64 never no -- 2 192.168.13.0/24 never no -- 2 2:2:13::/64 never no -- 3 192.168.13.0/24 never no -- 3 3:3:13::/64 Site16 never no -- 0 192.168.255.16/32 never no -- 1 192.168.16.0/24 never no -- 1 1:1:16::/64 never no -- 2 192.168.16.0/24 never no -- 2 2:2:16::/64 never no -- 3 192.168.16.0/24 never no -- 3 3:3:16::/64 RTR14-xTR#

Step 6 Remote LISP Site 1 Configuration – Remote LISP Site 1 is single-homed and includes

one CPE router, RTR11, which functions as a LISP xTRs and as GETVPN GM. In this step, you will configure the LISP xTR services on RTR11. The relevant information for the Remote LISP Site 1 is shown in Figure 4 below.

Figure 4. Relevant topology and addressing for Remote LISP Site 1

• Configure RTR11 for LISP xTR services for IPv4 and IPv6 EID prefixes. The LISP xTR configuration for RTR11 is as follows.

RTR11 ! router lisp locator-set Site11-RLOC IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.255.11/32 locator-set Site11-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 1:1:11::/64 locator-set Site11-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 2:2:11::/64 locator-set Site11-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 3:3:11::/64 locator-set Site11-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site11-pswd ipv4 etr map-server 10.0.15.2 key site11-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site11-pswd ipv6 etr map-server 10.0.15.2 key site11-pswd ipv6 etr exit !


1. The xTR is using the “locator-set” command to specify the RLOC for this LISP site. In this case, locator-set is referring to the IPv4 address associated with interface Ethernet0/0. This allows the specification of an RLOC in cases (for example) where the address is not directly configured, such as when DHCP is used to obtain the WAN IP address. Using the locator-set construct reduces the complexity of the database-mapping configurations that follow it.

2. The local loopback0 interface is configured in the default (global) table. 3. All other VRF-related EID prefixes are reachable via the RLOC associated

with the configured locator-set. • At this point, Remote LISP Site 1 should be active and registering to both Map-

Servers. This can be verified by reviewing the status of the LISP sites registering to each Map-Server as shown in Step 1 above.

Step 7 Remote LISP Site 2 Configuration – Remote LISP Site 2 is multihomed but includes only one CPE router, RTR16, which functions as a LISP xTRs and as GETVPN GM. The relevant information for the Remote LISP Site 2 is shown in Figure 5 below.



RTR16 ! router lisp locator-set Site16-RLOC 10.0.16.2 priority 1 weight 50 10.0.16.6 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.255.16/32 locator-set Site16-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 1:1:16::/64 locator-set Site16-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 2:2:16::/64 locator-set Site16-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 3:3:16::/64 locator-set Site16-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site16-pswd ipv4 etr map-server 10.0.15.2 key site16-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent

ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site16-pswd ipv6 etr map-server 10.0.15.2 key site16-pswd ipv6 etr exit !


1. The xTR is using the “locator-set” command to specify the two RLOCs for this LISP site. Using the locator-set construct reduces the complexity of the database-mapping configurations that follow it.




Step 8 Remote LISP Site 3 Configuration – Remote LISP Site 3 is single-homed and includes

one CPE router, RTR13, which functions as a LISP xTRs and as GETVPN GM. In this step, you will configure the LISP xTR services on RTR13. The relevant information for the Remote LISP Site 3 is shown in Figure 6 below.



RTR13 ! router lisp locator-set Site13-RLOC IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.255.13/32 locator-set Site13-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.13.0/24 locator-set Site13-RLOC

database-mapping 1:1:13::/64 locator-set Site13-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.13.0/24 locator-set Site13-RLOC database-mapping 2:2:13::/64 locator-set Site13-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.13.0/24 locator-set Site13-RLOC database-mapping 3:3:13::/64 locator-set Site13-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site13-pswd ipv4 etr map-server 10.0.15.2 key site13-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site13-pswd ipv6 etr map-server 10.0.15.2 key site13-pswd ipv6 etr exit !


1. The xTR is using the “locator-set” command to specify the RLOC for this LISP site. In this case, locator-set is referring to the IPv4 address associated with interface Ethernet0/0. This allows the specification of an RLOC in cases (for example) where the address is not directly configured, such as when DHCP is used to obtain the WAN IP address. Using the locator-set construct reduces the complexity of the database-mapping configurations that follow it.




Step 9 LISP Shared Model Virtualization Verification – At this point in the Lab, LISP should

be fully operational. A number of options are available to verify proper configuration and operation. Some of these are demonstrated below.

• On each xTR, you can verify the configuration of LISP for each address-family and

within each IID using the show ip|ipv6 lisp instance-id iid command. For example, on RTR16 (Remote LISP Site 2) observe the following:

RTR16-xTR#show ip lisp Information applicable to all EID instances: Router-lisp ID: 0 Locator table: default Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled

Proxy-ETR Router (PETR): disabled Map Server (MS): disabled Map Resolver (MR): disabled Delegated Database Tree (DDT): disabled ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2, 10.0.15.2 xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Map-cache limit: 1000 Map-cache activity check period: 60 secs Persistent map-cache: disabled RTR16-xTR#show ip lisp instance-id 1 Instance ID: 1 Router-lisp ID: 0 Locator table: default EID table: vrf DeptA Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled Map Server (MS): disabled Map Resolver (MR): disabled Delegated Database Tree (DDT): disabled Map-Request source: 192.168.16.1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:43), 10.0.15.2 (00:00:56) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#show ip lisp instance-id 2 Instance ID: 2 Router-lisp ID: 0 Locator table: default EID table: vrf DeptB Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled Map Server (MS): disabled Map Resolver (MR): disabled

Delegated Database Tree (DDT): disabled Map-Request source: 192.168.16.1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:40), 10.0.15.2 (00:00:25) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#show ip lisp instance-id 3 Instance ID: 3 Router-lisp ID: 0 Locator table: default EID table: vrf DeptC Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled Map Server (MS): disabled Map Resolver (MR): disabled Delegated Database Tree (DDT): disabled Map-Request source: 192.168.16.1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:12), 10.0.15.2 (00:00:31) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#show ipv6 lisp instance-id 1 Instance ID: 1 Router-lisp ID: 0 Locator table: default EID table: vrf DeptA Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled Map Server (MS): enabled

Map Resolver (MR): enabled Delegated Database Tree (DDT): disabled Map-Request source: 1:1:16::1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:12), 10.0.15.2 (00:00:50) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#show ipv6 lisp instance-id 2 Instance ID: 2 Router-lisp ID: 0 Locator table: default EID table: vrf DeptB Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled Map Server (MS): enabled Map Resolver (MR): enabled Delegated Database Tree (DDT): disabled Map-Request source: 2:2:16::1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:40), 10.0.15.2 (00:00:04) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#show ipv6 lisp instance-id 3 Instance ID: 3 Router-lisp ID: 0 Locator table: default EID table: vrf DeptC Ingress Tunnel Router (ITR): enabled Egress Tunnel Router (ETR): enabled Proxy-ITR Router (PITR): disabled Proxy-ETR Router (PETR): disabled

Map Server (MS): enabled Map Resolver (MR): enabled Delegated Database Tree (DDT): disabled Map-Request source: 3:3:16::1 ITR Map-Resolver(s): 10.0.14.2, 10.0.15.2 ETR Map-Server(s): 10.0.14.2 (00:00:31), 10.0.15.2 (00:00:46) xTR-ID: 0x6AA6BD2D-0x2853B967-0x71C2B7B7-0xC5591B03 site-ID: unspecified ITR Solicit Map Request (SMR): accept and process Max SMRs per map-cache entry: 8 more specifics Multiple SMR suppression time: 20 secs ETR accept mapping data: disabled, verify disabled ETR map-cache TTL: 1d00h Locator Status Algorithms: RLOC-probe algorithm: disabled LSB reports: process IPv4 RLOC minimum mask length: /0 IPv6 RLOC minimum mask length: /0 Static mappings configured: 0 Map-cache size/limit: 1/1000 Imported route count/limit: 0/1000 Map-cache activity check period: 60 secs Map-database size/limit: 1/1000 Persistent map-cache: disabled RTR16-xTR#!

• On each xTR, you can verify the IPv4 and IPv6 EID prefixes that the LISP site is

registering and authoritative for within each IID using the show ip|ipv6 lisp database instance-id iid command. For example, on RTR16 (Remote LISP Site 2) observe the following:

RTR16-xTR#show ip lisp database instance-id 0 LISP ETR IPv4 Mapping Database for EID-table default (IID 0), LSBs: 0x3, 1

entries 192.168.255.16/32, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ip lisp database instance-id 1 LISP ETR IPv4 Mapping Database for EID-table vrf DeptA (IID 1), LSBs: 0x3, 1

entries 192.168.16.0/24, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ip lisp database instance-id 2 LISP ETR IPv4 Mapping Database for EID-table vrf DeptB (IID 2), LSBs: 0x3, 1

entries 192.168.16.0/24, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ip lisp database instance-id 3 LISP ETR IPv4 Mapping Database for EID-table vrf DeptC (IID 3), LSBs: 0x3, 1

entries 192.168.16.0/24, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ipv6 lisp database instance-id 0

% No local database entries configured. RTR16-xTR#show ipv6 lisp database instance-id 1 LISP ETR IPv6 Mapping Database for EID-table vrf DeptA (IID 1), LSBs: 0x3, 1

entries 1:1:16::/64, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ipv6 lisp database instance-id 2 LISP ETR IPv6 Mapping Database for EID-table vrf DeptB (IID 2), LSBs: 0x3, 1

entries 2:2:16::/64, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#show ipv6 lisp database instance-id 3 LISP ETR IPv6 Mapping Database for EID-table vrf DeptC (IID 3), LSBs: 0x3, 1

entries 3:3:16::/64, locator-set Site16-RLOC Locator Pri/Wgt Source State 10.0.16.2 1/50 cfg-addr site-self, reachable 10.0.16.6 1/50 cfg-addr site-self, reachable RTR16-xTR#

• On each xTR, you can verify the IPv4 and IPv6 EID prefixes that the LISP site is

authoritative for are actually registering by using the lig self ip|ipv6 instance-id iid command. For example, on RTR16 (Remote LISP Site 2) observe the following:

RTR16-xTR#lig self ipv4 instance-id 0 Mapping information for EID 192.168.255.16 from 10.0.16.6 with RTT 2 msecs 192.168.255.16/32, uptime: 00:00:08, expires: 23:59:59, via map-reply, self,

complete Locator Uptime State Pri/Wgt 10.0.16.2 00:00:08 up, self 1/50 10.0.16.6 00:00:08 up, self 1/50 RTR16-xTR#lig self ipv4 instance-id 1 Mapping information for EID 192.168.16.0 from 10.0.16.2 with RTT 1 msecs 192.168.16.0/24, uptime: 00:00:00, expires: 23:59:59, via map-reply, self,



complete Locator Uptime State Pri/Wgt 10.0.16.2 00:00:00 up, self 1/50 10.0.16.6 00:00:00 up, self 1/50 RTR16-xTR#lig self ipv6 instance-id 1 Mapping information for EID 1:1:16:: from 10.0.16.6 with RTT 1 msecs 1:1:16::/64, uptime: 00:00:00, expires: 23:59:59, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:00:00 up, self 1/50

10.0.16.6 00:00:00 up, self 1/50 RTR16-xTR#lig self ipv6 instance-id 2 Mapping information for EID 2:2:16:: from 10.0.16.2 with RTT 1 msecs 2:2:16::/64, uptime: 00:00:00, expires: 23:59:59, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:00:00 up, self 1/50 10.0.16.6 00:00:00 up, self 1/50 RTR16-xTR#lig self ipv6 instance-id 3 Mapping information for EID 3:3:16:: from 10.0.16.6 with RTT 1 msecs 3:3:16::/64, uptime: 00:00:00, expires: 23:59:59, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:00:00 up, self 1/50 10.0.16.6 00:00:00 up, self 1/50 RTR16-xTR#

• Of course, sending traffic between LISP sites provides the best verification of proper

configuration and operation. You can verify this by using the ping vrf <vrfname> <dstaddr> source <srcaddr> repeat <count> command. Some examples for RTR16 (Remote LISP Site 2) are shown next:

RTR16-xTR#ping vrf DeptA 192.168.14.1 source 192.168.16.1 repeat 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds: Packet sent with a source address of 192.168.16.1 !!!!!!!!!! Success rate is 100 percent (10/10), round-trip min/avg/max = 6/6/7 ms RTR16-xTR#ping vrf DeptA 192.168.11.1 source 192.168.16.1 repeat 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds: Packet sent with a source address of 192.168.16.1 !!!!!!!!!! Success rate is 100 percent (10/10), round-trip min/avg/max = 5/6/8 ms RTR16-xTR#ping vrf DeptA 192.168.13.1 source 192.168.16.1 repeat 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds: Packet sent with a source address of 192.168.16.1 ..!!!!!!!! Success rate is 80 percent (8/10), round-trip min/avg/max = 5/5/6 ms RTR16-xTR#ping vrf DeptB 192.168.14.1 source 192.168.16.1 repeat 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds: Packet sent with a source address of 192.168.16.1 ..!!!!!!!! Success rate is 80 percent (8/10), round-trip min/avg/max = 5/5/6 ms RTR16-xTR#ping vrf DeptC 192.168.14.1 source 192.168.16.1 repeat 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds: Packet sent with a source address of 192.168.16.1 ..!!!!!!!! Success rate is 80 percent (8/10), round-trip min/avg/max = 5/5/6 ms RTR16-xTR# RTR16-xTR#ping vrf DeptA 1:1:14::1 source 1:1:16::1 rep 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 1:1:14::1, timeout is 2 seconds: Packet sent with a source address of 1:1:16::1%DeptA !!!!!!!!!! Success rate is 100 percent (10/10), round-trip min/avg/max = 6/6/9 ms RTR16-xTR#ping vrf DeptA 1:1:11::1 source 1:1:16::1 rep 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 1:1:11::1, timeout is 2 seconds: Packet sent with a source address of 1:1:16::1%DeptA !!!!!!!!!! Success rate is 100 percent (10/10), round-trip min/avg/max = 5/6/7 ms RTR16-xTR#ping vrf DeptA 1:1:13::1 source 1:1:16::1 rep 10

Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 1:1:13::1, timeout is 2 seconds: Packet sent with a source address of 1:1:16::1%DeptA .!!!!!!!!! Success rate is 90 percent (9/10), round-trip min/avg/max = 5/5/7 ms RTR16-xTR#ping vrf DeptB 2:2:14::1 source 2:2:16::1 rep 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 2:2:14::1, timeout is 2 seconds: Packet sent with a source address of 2:2:16::1%DeptB ..!!!!!!!! Success rate is 80 percent (8/10), round-trip min/avg/max = 5/6/7 ms RTR16-xTR#ping vrf DeptC 3:3:14::1 source 3:3:16::1 rep 10 Type escape sequence to abort. Sending 10, 100-byte ICMP Echos to 3:3:14::1, timeout is 2 seconds: Packet sent with a source address of 3:3:16::1%DeptC ..!!!!!!!! Success rate is 80 percent (8/10), round-trip min/avg/max = 6/6/9 ms RTR16-xTR#

Notice that in some cases, the first or first two packets are lost. These packets were discarded while RTR16 built its map-cache entry for the destination EID prefix. Once this map-cache entry is built, subsequent flows use the cached mapping entry.

• After pinging various sites, you can use the show ip|ipv6 lisp map-cache instance-

id iid command to show the contents of the IPv4 or IPv6 map-cache. Some examples for RTR16 (Remote LISP Site 2) are shown next:

RTR16-xTR#show ip lisp map-cache instance-id 0 LISP IPv4 Mapping Cache for EID-table default (IID 0), 3 entries 0.0.0.0/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 192.168.19.0/24, uptime: 2d22h, expires: 04:28:55, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.15.2 2d22h up 1/1 192.168.255.16/32, uptime: 00:30:36, expires: 23:30:38, via map-reply, self,

complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:36 up, self 1/50 10.0.16.6 00:30:36 up, self 1/50 RTR16-xTR#show ip lisp map-cache instance-id 1 LISP IPv4 Mapping Cache for EID-table vrf DeptA (IID 1), 5 entries 0.0.0.0/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 192.168.11.0/24, uptime: 00:18:54, expires: 23:41:46, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.11.2 00:18:54 up 1/1 192.168.13.0/24, uptime: 00:13:05, expires: 23:47:22, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.13.2 00:13:05 up 1/1 192.168.14.0/24, uptime: 00:19:06, expires: 23:41:34, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:19:06 up 1/50 10.0.15.2 00:19:06 up 1/50 192.168.16.0/24, uptime: 00:30:28, expires: 23:30:38, via map-reply, self,

complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:28 up, self 1/50 10.0.16.6 00:30:28 up, self 1/50 RTR16-xTR#show ip lisp map-cache instance-id 2 LISP IPv4 Mapping Cache for EID-table vrf DeptB (IID 2), 3 entries

0.0.0.0/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 192.168.14.0/24, uptime: 00:12:44, expires: 23:47:43, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:12:44 up 1/50 10.0.15.2 00:12:44 up 1/50 192.168.16.0/24, uptime: 00:30:28, expires: 23:30:38, via map-reply, self,

complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:28 up, self 1/50 10.0.16.6 00:30:28 up, self 1/50 RTR16-xTR#show ip lisp map-cache instance-id 3 LISP IPv4 Mapping Cache for EID-table vrf DeptC (IID 3), 3 entries 0.0.0.0/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 192.168.14.0/24, uptime: 00:12:36, expires: 23:47:50, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:12:36 up 1/50 10.0.15.2 00:12:36 up 1/50 192.168.16.0/24, uptime: 00:30:28, expires: 23:30:38, via map-reply, self,

complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:28 up, self 1/50 10.0.16.6 00:30:28 up, self 1/50 RTR16-xTR#show ipv6 lisp map-cache instance-id 1 LISP IPv6 Mapping Cache for EID-table vrf DeptA (IID 1), 5 entries ::/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 1:1:11::/64, uptime: 00:11:59, expires: 23:48:26, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.11.2 00:11:59 up 1/1 1:1:13::/64, uptime: 00:11:16, expires: 23:49:07, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.13.2 00:11:16 up 1/1 1:1:14::/64, uptime: 00:12:15, expires: 23:48:11, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:12:15 up 1/50 10.0.15.2 00:12:15 up 1/50 1:1:16::/64, uptime: 00:30:25, expires: 23:30:40, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:25 up, self 1/50 10.0.16.6 00:30:25 up, self 1/50 RTR16-xTR#show ipv6 lisp map-cache instance-id 2 LISP IPv6 Mapping Cache for EID-table vrf DeptB (IID 2), 3 entries ::/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 2:2:14::/64, uptime: 00:06:47, expires: 23:53:27, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:06:47 up 1/50 10.0.15.2 00:06:47 up 1/50 2:2:16::/64, uptime: 00:30:28, expires: 23:30:38, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:28 up, self 1/50 10.0.16.6 00:30:28 up, self 1/50 RTR16-xTR#show ipv6 lisp map-cache instance-id 3 LISP IPv6 Mapping Cache for EID-table vrf DeptC (IID 3), 3 entries ::/0, uptime: 2d22h, expires: never, via static send map-request Negative cache entry, action: send-map-request 3:3:14::/64, uptime: 00:06:34, expires: 23:53:40, via map-reply, complete Locator Uptime State Pri/Wgt 10.0.14.2 00:06:34 up 1/50

10.0.15.2 00:06:34 up 1/50 3:3:16::/64, uptime: 00:30:28, expires: 23:30:38, via map-reply, self, complete Locator Uptime State Pri/Wgt 10.0.16.2 00:30:28 up, self 1/50 10.0.16.6 00:30:28 up, self 1/50 RTR16-xTR#!

• Additional detail can be queried on a per-destination EID basis using the show

ip|ipv6 cef vrf vrfname dst-eid internal command to show the contents of the IPv4 or IPv6 CEF table. This shows, for example, the hash-bucket distribution for the destination prefix (if multihomed) and the output interface distribution. Some examples for RTR16 (Remote LISP Site 2) are shown next.

RTR16-xTR#show ip cef vrf DeptA 192.168.14.1 internal 192.168.14.0/24, epoch 0, flags default route handler, subtree context, check lisp

eligibility, default route, refcount 5, per-destination sharing sources: IPL, LISP subblocks: SC owned: LISP remote EID - locator status bits 0x00000003 LISP remote EID: 19 packets 1648 bytes fwd action encap LISP source path list path list B310246C, flags 0x49, 3 locks, per-destination ifnums: LISP0.1(15): 10.0.14.2, 10.0.15.2 2 paths path B30F9B90, path list B310246C, share 50/50, type attached nexthop, for IPv4 nexthop 10.0.14.2 LISP0.1, adjacency IP midchain out of LISP0.1, addr 10.0.14.2

B3671100 path B30F9CE0, path list B310246C, share 50/50, type attached nexthop, for IPv4 nexthop 10.0.15.2 LISP0.1, adjacency IP midchain out of LISP0.1, addr 10.0.15.2

B3671230 1 output chain chain[0]: loadinfo B426A034, per-session, 2 choices, flags 0083, 5 locks flags: Per-session, for-rx-IPv4, 2buckets 2 hash buckets < 0 > IP midchain out of LISP0.1, addr 10.0.14.2 B3671100 IP adj out of

Ethernet0/0, addr 10.0.16.1 B3973A48 < 1 > IP midchain out of LISP0.1, addr 10.0.15.2 B3671230 IP adj out of

Ethernet0/1, addr 10.0.16.5 B3973918 Subblocks: None 2 IPL sources [unresolved, active source] Dependent covered prefix type inherit cover 0.0.0.0/0 ifnums: (none) path B30F9AB0, path list B31023CC, share 1/1, type recursive, for IPv4, flags doesnt-

source-via, cef-internal, recursive-via-prefix-no-nh recursive via 0.0.0.0/0<nh:192.168.14.0>[IPv4:DeptA], fib B2181BEC, 1 terminal fib,

v4:DeptA:0.0.0.0/0 path B30FA300, path list B3102D7C, share 1/1, type special prefix, for IPv4 no route output chain: LISP eligibility check 0xB05C3B8C for IPv4:DeptA, 4 locks <L> PushCounter(LISP:192.168.14.0/24) B3C3F790 loadinfo B426A034, per-session, 2 choices, flags 0083, 5 locks flags: Per-session, for-rx-IPv4, 2buckets 2 hash buckets < 0 > IP midchain out of LISP0.1, addr 10.0.14.2 B3671100 IP adj out of

Ethernet0/0, addr 10.0.16.1 B3973A48 < 1 > IP midchain out of LISP0.1, addr 10.0.15.2 B3671230 IP adj out of

Ethernet0/1, addr 10.0.16.5 B3973918 Subblocks: None <N> no route RTR16-xTR#sh ipv6 cef vrf DeptA 1:1:14::1 internal 1:1:14::/64, epoch 0, flags default route handler, subtree context, check lisp

eligibility, default route, refcount 4, per-destination sharing sources: IPL, LISP subblocks: SC owned: LISP remote EID - locator status bits 0x00000003

LISP remote EID: 38 packets 6086 bytes fwd action encap LISP source path list path list B3101F1C, flags 0x49, 3 locks, per-destination ifnums: LISP0.1(15): 10.0.14.2, 10.0.15.2 2 paths path B30F92D0, path list B3101F1C, share 12/50, type attached nexthop, for IPv6 nexthop 10.0.14.2 LISP0.1, adjacency IPV6 midchain out of LISP0.1, addr 10.0.14.2

B36D6068 path B30F9260, path list B3101F1C, share 50/50, type attached nexthop, for IPv6 nexthop 10.0.15.2 LISP0.1, adjacency IPV6 midchain out of LISP0.1, addr 10.0.15.2

B36D6198 1 output chain chain[0]: loadinfo B36D6D94, per-session, 2 choices, flags 0085, 5 locks flags: Per-session, for-rx-IPv6, 2buckets 2 hash buckets < 0 > IPV6 midchain out of LISP0.1, addr 10.0.14.2 B36D6068 IP adj out of

Ethernet0/0, addr 10.0.16.1 B3973A48 < 1 > IPV6 midchain out of LISP0.1, addr 10.0.15.2 B36D6198 IP adj out of

Ethernet0/1, addr 10.0.16.5 B3973918 Subblocks: None 2 IPL sources [unresolved, active source] Dependent covered prefix type inherit cover ::/0 ifnums: (none) path B30F9340, path list B3101F6C, share 1/1, type recursive, for IPv6, flags doesnt-

source-via, cef-internal, recursive-via-prefix-no-nh recursive via ::/0<nh:1:1:14::>[IPv6:DeptA], fib B3517F90, 1 terminal fib,

v6:DeptA:::/0 path B30FA840, path list B3102B9C, share 1/1, type special prefix, for IPv6 no route output chain: LISP eligibility check 0xB05C3A4C for IPv6:DeptA, 4 locks <L> PushCounter(LISP:1:1:14::/64) B3C3F628 loadinfo B36D6D94, per-session, 2 choices, flags 0085, 5 locks flags: Per-session, for-rx-IPv6, 2buckets 2 hash buckets < 0 > IPV6 midchain out of LISP0.1, addr 10.0.14.2 B36D6068 IP adj out of

Ethernet0/0, addr 10.0.16.1 B3973A48 < 1 > IPV6 midchain out of LISP0.1, addr 10.0.15.2 B36D6198 IP adj out of

Ethernet0/1, addr 10.0.16.5 B3973918 Subblocks: None <N> no route RTR16-xTR#

End of Exercise: You have successfully completed this exercise. Proceed to next section.

Lab Exercise 3: Deploying GETVPN with LISP Shared Model Virtualization Exercise Description

This exercise (Exercise 3) will familiarize you with the configuration of GETVPN to add encryption to the LISP shared model virtualization configuration completed in Exercise 2.

Existing IOS encryption support provided by the IPsec and GETVPN features can be used directly (in a “bolt-on” manner) with LISP to build encrypted VPNs. This Lab focuses solely on GETVPN, which uses the Group Domain of Interpretation (GDOI) group key management protocol to create and distribute cryptographic keys and policies to a group of devices. This creates a trusted group and eliminates the need for point-to-point IPsec associations. All group members (GMs) share a common security association (SA), enabling all GMs to decrypt traffic that was encrypted by any other GM. GDOI cryptographic keys and policies are generated by a Key Server (KS), the most important entity in GETVPN. Multiple, cooperative (COOP) KSs are supported to ensure seamless fault recovery. An overview of the GETVPN/GDOI architecture is illustrated in Figure 7 below.

Figure 7. GETVPN/GDO Architecture Overview

This document focuses solely on the GETVPN+LISP solution that applies the crypto map to the LISP0.x virtual interface created as part of LISP shared model virtualization. This is the most common architecture and provides the most flexibility for applying unique security policies within the resultant VPN environment. When applied to the LISP0.x virtual interface, GETVPN encryption occurs first, followed by LISP encapsulation. The resultant packet construction is illustrated in Figure 8 below.

Figure 8. GETVPN+LISP packet construction when the crypto map is applied to the

LISP0.x virtual interface.

In Exercise 2, each of the LISP Site routers have been be configured to support three “departmental” VRFs: DeptA, DeptB, and DeptC. Each VPN also serves IPv4 and IPv6 address space. In this exercise, you will configure six GETVPN crypto polices – one for each VPN for each address-family. This provides encryption for each VPN and each address-family separately.

Note: The point of this exercise is not to provide detailed background and training on GETPN and its configuration. The main point here is to demonstrate the simplicity with which the GETVPN encryption model can be integrated with LISP to provide highly scalable, virtualized, encryption environments for IPv4 and IPv6 customer prefixes over IPv4 or IPv6 core networks – including the public Internet (IPv4 or IPv6).

There are two Key Servers (KSs) in this lab – RTR18 and RTR19 – both operating as a cooperative pair. These KSs are preconfigured for this lab. The KS addresses, 192.168.18.2 and 192.168.19.2 respectively, are reachable as EID addresses in the default table. This means that each GM uses LISP encapsulation (in the default table) to reach the KS. Running the Key Servers in IPv4 LISP EID space allows the use of these GETVPN KSs, even if the core is an IPv6-only network. (This example uses an IPv4 core, but if an IPv6 core were used as RLOC space, no changes whatsoever would be need on the KSs or LISP devices).

Note: If the KS is not configured for this lab, the full configurations, as well as the instructions for creating the (required) RSA Public/Private keys, is included in Appendix A at the end of this document.

Exercise Objective By completing this exercise, you will learn the configuration details required to enable GETVPN in conjunction with LISP shared model virtualization.

Lab Exercise Steps Step 1 Key Server Configuration Review – As discussed above, the two KSs are

preconfigured for this lab. However, because the KS is the most important element in GETVPN, a short review is useful in order to highlight the main features. • Review the configuration for RTR18 and RTR19. A portion of the RTR18

configuration follows. ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 0.0.0.0 crypto isakmp keepalive 15 periodic ! crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac ! crypto ipsec profile GDOI-PROFILE set transform-set GDOI-TRANS ! crypto gdoi group V4GROUP-0001 identity number 10001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0001 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group V4GROUP-0002 identity number 10002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2

rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0002 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group V4GROUP-0003 identity number 10003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0003 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0001 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0002 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0003 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! ! ip access-list extended GETVPN-0001 permit ip any any

ip access-list extended GETVPN-0002 permit ip any any ip access-list extended GETVPN-0003 permit ip any any ! ipv6 access-list GETVPN6-0001 permit ipv6 any any ! ipv6 access-list GETVPN6-0002 permit ipv6 any any ! ipv6 access-list GETVPN6-0003 permit ipv6 any any !

Notice in the above configuration, the following:

• The IKE (isakmp) policy is common to the entire KS configuration. • A single IPsec transform-set (GDOI-TRANS) is configured. However, additional IPsec

transform-sets could be configured and applied. • A single GDOI profile (GDOI-PROFILE) is configured. However, individual GDOI

profiles could be configured and applied (and would be needed if additional IPsec transform-sets were used).

• Multiple GDOI groups (e.g., V4GROUP-0001, V6GROUP-0001, etc.) are configured. These GDOI groups create the bindings between the GDOI-PROFILE, KS properties, and the access-list of ‘interesting traffic.” Creating multiple GDOI groups provides the opportunity to apply an individual, custom policy to each LISP VPN and for each address-family. These GDOI groups are referred to on each GM by their association to the configured crypto-maps.

• Each GDOI group points to a different access-list. For simplicity, the access-lists in all cases permit all traffic. In a production deployment, you can configure these access-lists as needed to enforce a particular policy of interest. Notice that these access-lists do not need to deny the UDP 848 (for GDOI), since, even thought the KS is behind a GM, the encryption policy is not applied to the default table (only the VRFs).

Step 2 Configure the GM Crypto Maps – One of the most important aspects of the GETVPN

configuration is that of the GDOI crypto group and the crypto map. One very nice configuration aspect of GETVPN is that these configurations are identical on all GMs in the VPN. It is a very simple “cookie-cutter” process then to apply these configurations to each GM in the system. • Apply the following configuration to each GM (RTR14, RTR15, RTR11, RTR16, and

RTR13). This defines the isakmp attributes (for communicating with the KSs), and the GDOI crypto group and the crypto maps that will be applied to the LISP VPNs. Simply “cut-and-paste” the following into each GM (in “config t” mode).

! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2

client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 ! crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 !


• The IKE (isakmp) policy matches the one configured on each KS. • Multiple GDOI groups (e.g., V4GROUP-0001, V6GROUP-0001, etc.) are configured.

These GDOI groups match the ones configured on each KS. • Multiple crypto maps are configured. Each of these will provide a separate encryption

policy or each LISP VPN and address-family. Step 3 Apply the Crypto Maps to LISP – Now that the crypto maps are defined, you can

apply them to the appropriate LISP0.x interface. • Apply the crypto maps to each GM (RTR14, RTR15, RTR11, RTR16, and RTR13).

Simply “cut-and-paste” the following into each GM (in “config t” mode).

! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001

! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 !


• Each LISP0.x interface receives its own IPv4 and IPv6 crypto map that is associated with a specific GDOI group ID. The names are arbitrary, but it is usually helpful (for operational purposes) to make the names meaningful.

• Each LISP0.x interface is also configured to have its IPv4 and IPv6 MTU value adjusted (lower) to accommodate the LISP overhead. (This helps ensure that fragmentation does not occur after encryption.)

Step 4 GETVPN+LISP Encryption Verification – After applying the crypto maps to the

LISP0.x virtual interfaces, each GM will register with the KS and obtain all of the group policies, and enable the TEKs per VPN/group. Once this occurs, you can again source traffic from each VRF and address-family, and then verify the encryption is occurring. • On each xTR, you will see the GDOI policies being installed (and later, re-keyed).

This is part of the debug output (no configuration needed). For example, on RTR11 (Remote LISP Site 2) observe the following:

RTR11-xTR# *Nov 30 17:16:19.887: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group V4GROUP-0001

transitioned to Unicast Rekey. *Nov 30 17:16:19.887: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated *Nov 30 17:16:19.887: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated *Nov 30 17:16:19.896: %GDOI-5-GM_REGS_COMPL: Registration to KS 192.168.19.2

complete for group V4GROUP-0001 using address 192.168.255.11 *Nov 30 17:16:19.896: %GDOI-5-GM_REGS_COMPL: Registration to KS 192.168.19.2





complete for group V6GROUP-0003 using address 192.168.255.11 *Nov 30 17:16:19.896: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS:

Installation of Reg/Rekey policies from KS 192.168.19.2 for group V4GROUP-0001 & gm identity 192.168.255.11

RTR11-xTR#

• On either KS, you can verify that all GMs have registered properly by using the show

crypto gdoi ks members command. For example, on RTR11 (Remote LISP Site 2) verify that all five GMs are registering for all six groups, as shown next:

RTR18-KS1#show crypto gdoi ks members | include Group Group Member Information : Group Member ID : 192.168.255.11 GM Version: 1.0.4

Group ID : 10001 Group Name : V4GROUP-0001 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 10001 Group Name : V4GROUP-0001 Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 10001 Group Name : V4GROUP-0001 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 10001 Group Name : V4GROUP-0001 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 10001 Group Name : V4GROUP-0001 Group Member ID : 192.168.255.11 GM Version: 1.0.4 Group ID : 10002 Group Name : V4GROUP-0002 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 10002 Group Name : V4GROUP-0002 Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 10002 Group Name : V4GROUP-0002 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 10002 Group Name : V4GROUP-0002 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 10002 Group Name : V4GROUP-0002 Group Member ID : 192.168.255.11 GM Version: 1.0.4 Group ID : 10003 Group Name : V4GROUP-0003 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 10003 Group Name : V4GROUP-0003 Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 10003 Group Name : V4GROUP-0003 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 10003 Group Name : V4GROUP-0003 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 10003 Group Name : V4GROUP-0003 Group Member ID : 192.168.255.11 GM Version: 1.0.4 Group ID : 20001 Group Name : V6GROUP-0001 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 20001 Group Name : V6GROUP-0001 Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 20001 Group Name : V6GROUP-0001 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 20001 Group Name : V6GROUP-0001 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 20001 Group Name : V6GROUP-0001 Group Member ID : 192.168.255.11 GM Version: 1.0.4 Group ID : 20002 Group Name : V6GROUP-0002 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 20002 Group Name : V6GROUP-0002

Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 20002 Group Name : V6GROUP-0002 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 20002 Group Name : V6GROUP-0002 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 20002 Group Name : V6GROUP-0002 Group Member ID : 192.168.255.11 GM Version: 1.0.4 Group ID : 20003 Group Name : V6GROUP-0003 Group Member ID : 192.168.255.13 GM Version: 1.0.4 Group ID : 20003 Group Name : V6GROUP-0003 Group Member ID : 192.168.255.14 GM Version: 1.0.4 Group ID : 20003 Group Name : V6GROUP-0003 Group Member ID : 192.168.255.15 GM Version: 1.0.4 Group ID : 20003 Group Name : V6GROUP-0003 Group Member ID : 192.168.255.16 GM Version: 1.0.4 Group ID : 20003 Group Name : V6GROUP-0003 RTR18-KS1#

• On each xTR, you can source traffic in each VRF and for each address-family, and

then check that encryption and decryption is being performed as expected using the show crypto engine connection active command. For example, let’s ping in each VRF for IPv4 and then again for IPv6. In order to make it obvious which IPsec ID is tied to which VRF and for which AF, for IPv4 let’s use 800 pings for DeptA, 700 pings for DeptB, and 600 pings for DeptC, and for IPv6 let’s use 400 pings for DeptA, 300 pings for DeptB, and 200 pings for DeptC. Here’s an example from RTR11 toward RTR13:

RTR11-xTR#ping vrf DeptA 192.168.13.1 so 192.168.11.1 repeat 800 Type escape sequence to abort. Sending 800, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds: Packet sent with a source address of 192.168.11.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ---<skip>--- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (798/800), round-trip min/avg/max = 5/6/12 ms RTR11-xTR#ping vrf DeptB 192.168.13.1 so 192.168.11.1 repeat 700 Type escape sequence to abort. Sending 700, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds: Packet sent with a source address of 192.168.11.1 ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ---<skip>--- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (698/700), round-trip min/avg/max = 5/6/12 ms RTR11-xTR#ping vrf DeptC 192.168.13.1 so 192.168.11.1 repeat 600 Type escape sequence to abort. Sending 600, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds: Packet sent with a source address of 192.168.11.1 .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ---<skip>--- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (599/600), round-trip min/avg/max = 5/6/25 ms RTR11-xTR#ping vrf DeptA 1:1:13::1 so 1:1:11::1 repeat 400 Type escape sequence to abort. Sending 400, 100-byte ICMP Echos to 1:1:13::1, timeout is 2 seconds: Packet sent with a source address of 1:1:11::1%DeptA ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ---<skip>--- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (398/400), round-trip min/avg/max = 5/5/8 ms RTR11-xTR#ping vrf DeptB 2:2:13::1 so 2:2:11::1 repeat 300 Type escape sequence to abort. Sending 300, 100-byte ICMP Echos to 2:2:13::1, timeout is 2 seconds: Packet sent with a source address of 2:2:11::1%DeptB ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ---<skip>--- !!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (298/300), round-trip min/avg/max = 5/5/7 ms RTR11-xTR#ping vrf DeptC 3:3:13::1 so 3:3:11::1 repeat 200 Type escape sequence to abort. Sending 200, 100-byte ICMP Echos to 3:3:13::1, timeout is 2 seconds: Packet sent with a source address of 3:3:11::1%DeptC ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 99 percent (198/200), round-trip min/avg/max = 5/5/8 ms RTR11-xTR#show crypto engine connections active Crypto Engine Connections ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 13 IPsec AES256+SHA512 0 798 0 192.168.11.1 14 IPsec AES256+SHA512 799 0 0 192.168.11.1 15 IPsec AES256+SHA512 0 698 0 192.168.11.1 16 IPsec AES256+SHA512 699 0 0 192.168.11.1 17 IPsec AES256+SHA512 0 599 0 192.168.11.1 18 IPsec AES256+SHA512 599 0 0 192.168.11.1 19 IPsec AES256+SHA512 0 398 0 FE80::A8BB:CCFF:FE00:B00 20 IPsec AES256+SHA512 399 0 0 FE80::A8BB:CCFF:FE00:B00 21 IPsec AES256+SHA512 0 298 0 FE80::A8BB:CCFF:FE00:B00 22 IPsec AES256+SHA512 299 0 0 FE80::A8BB:CCFF:FE00:B00 23 IPsec AES256+SHA512 0 198 0 FE80::A8BB:CCFF:FE00:B00 24 IPsec AES256+SHA512 199 0 0 FE80::A8BB:CCFF:FE00:B00 1001 IKE SHA+AES256 0 0 0 192.168.255.11 1002 IKE SHA+3DES 0 0 0 1003 IKE SHA+3DES 0 0 0 1004 IKE SHA+3DES 0 0 0 1005 IKE SHA+3DES 0 0 0 1006 IKE SHA+3DES 0 0 0 1007 IKE SHA+3DES 0 0 0 RTR11-xTR#

How nice is that! (Note that since the map-cache was initially empty in each case, the first two packets were lost while the map-cache was being built. All subsequent packets were handled normally by LISP.)

End of Exercise: You have successfully completed this exercise. Congratulations! You have successfully completed the GETVPN+LISP Lab.

Appendix A: Key Server RSA Keys Before starting the KS configuration, you must generate the RSA keys to be used during rekeys. With cooperative KSs, all KSs must share the same keys, so these keys must be generated with an exportable tag. The keys can be created on one KS and then imported on the remaining KSs. The following describes how the RSA keys were generated for this GETVPN+LISP lab. KS1 (RTR18) is used to generate these keys. Three (3) keys are generated: GET-KEYS1, GET-KEYS2, and GET-KEYS3. These are then used within the GDOI group definitions. Here are the commands used to generate the RSA keys: crypto key gen rsa general-keys label GET-KEYS1 modulus 2048 exportable crypto key gen rsa general-keys label GET-KEYS2 modulus 2048 exportable crypto key gen rsa general-keys label GET-KEYS2 modulus 2048 exportable

Once these keys are generated on the primary KS (RTR18), you need to export both private and public keys (on RTR18) and then import them to the COOP KS (RTR19). To export the RSA public and private keys, use these commands, one at a time, on RTR18: crypto key export rsa GET-KEYS1 pem term 3des CISCO123 crypto key export rsa GET-KEYS2 pem term 3des CISCO123 crypto key export rsa GET-KEYS3 pem term 3des CISCO123

When the above commands are issued, one at a time, the associated RSA public and private keys will be displayed. For example: RTR18-KS1(config)# crypto key export rsa GET-KEYS1 pem term 3des CISCO123 % Key name: GET-KEYS1 Usage: General Purpose Key Key data: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz4l/nfU5603hXm2PpOph XLYUjYlgEyLzF+wq/dYYkLUI7s9Z/irBrpma7u8+D1M5Cqrb98ASurstOLWLnTal ---<skip>--- XBFpF1pJxwLD5H6CRrA4B1p67nsF3RVZcXEySBw5ROpy0Y0FoCQjxv9ttiO7FAHh dwIDAQAB -----END PUBLIC KEY----- -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,CFFFD62CD376B68D 0Dd4eokm0ahxrZ0s7KFS0HXHBzSC2xRs57EmTyMM4OqNbNRykfFSgGpbpFjI5q6t JwfeTDZaIQwl/KJPmUPF7SRzR7odxHLaSfRQiQzIT7caaFBvIeLTXfHprmk1K4ql ---<skip>--- LggPidQz77rHlLL1UyNVRpUxFJnw2E1joJZOj4w1PRENL7Y1kM//qQ== -----END RSA PRIVATE KEY----- RTR18-KS1(config)#

Once these RSA public and private keys are displayed, you can import them on the COOP KS (RTR19). To do this, use these commands, one at a time, on RTR19: crypto key import rsa GET-KEYS1 pem exportable terminal CISCO123 crypto key import rsa GET-KEYS2 pem exportable terminal CISCO123 crypto key import rsa GET-KEYS3 pem exportable terminal CISCO123

When you issue one of these commands, “copy” the public or private key from RTR18 and “paste” it in to RTR19 when asked to do so – follow the prompts on the router. For example, “copy” the entire Public Key displayed on RTR18, including the line starting with -----BEGIN PUBLIC KEY----- and ending with -----END PUBLIC KEY-----

Then, “paste” this into RTR19. For example: RTR19-KS2(config)# crypto key import rsa GET-KEYS1 pem exportable terminal CISCO123 % Enter PEM-formatted public General Purpose key or certificate. % End with a blank line or "quit" on a line by itself. -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz4l/nfU5603hXm2PpOph XLYUjYlgEyLzF+wq/dYYkLUI7s9Z/irBrpma7u8+D1M5Cqrb98ASurstOLWLnTal B4tSu3JZWIk/zbBW12j0aVGnw7nyC9cFyZH6Mcf/+TA8AMIhHAoixWJ4Bhy1BmiS ciQPmoEbj5Y+F/jxTPmrQBm8o/rltzF7qmvbbxyZwC23UvBi5cvxk68sLnCROWcz VFjSMYp+c3ZNHCNaPd6k2g4/an0tdZZCTRsi44CF9+dIIoh6ePmtDqX9jLQdK74m XBFpF1pJxwLD5H6CRrA4B1p67nsF3RVZcXEySBw5ROpy0Y0FoCQjxv9ttiO7FAHh dwIDAQAB -----END PUBLIC KEY----- quit % Enter PEM-formatted encrypted private General Purpose key. % End with "quit" on a line by itself. -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,CFFFD62CD376B68D 0Dd4eokm0ahxrZ0s7KFS0HXHBzSC2xRs57EmTyMM4OqNbNRykfFSgGpbpFjI5q6t JwfeTDZaIQwl/KJPmUPF7SRzR7odxHLaSfRQiQzIT7caaFBvIeLTXfHprmk1K4ql N9+z4aLWZ0noGUefeBypq9N6BJnegOGGA367/g3LEw2cPCMwZSksDQ+JV9kkJbd/ ---<skip>--- PL9NhOFliyPYbP1Hn6waM/kGarX6haMuR/qlvuB54wf8EZMn1DxtFfpFZKYUHclx Y5XtkIyUIdlP/RhcXuo6Pc0ozv/awc0nBQs/lAn/hf7OUjZKJhtfbj/OWpmrapji QW3uSyW7OFUOVimgvhArlYT3PdgrczGfauivszR85FE0QIBICM5VSWCaX1dzjgIA LggPidQz77rHlLL1UyNVRpUxFJnw2E1joJZOj4w1PRENL7Y1kM//qQ== -----END RSA PRIVATE KEY----- quit % Key pair import succeeded. RTR19-KS2(config)#

Repeat the above steps for all RSA keys.

Appendix B: Router Configurations The following router configurations are provided as “final” results for the GETVPN+LISP Lab.

RTR12 – Core Router ! hostname RTR12-core ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! interface Ethernet0/0 ip address 10.0.11.1 255.255.255.252 ! interface Ethernet0/1 ip address 10.0.13.1 255.255.255.252 ! interface Ethernet0/2 ip address 10.0.14.1 255.255.255.252 ! interface Ethernet0/3 ip address 10.0.15.1 255.255.255.252 ! interface Ethernet1/0 ip address 10.0.16.1 255.255.255.252 ! interface Ethernet1/1 ip address 10.0.16.5 255.255.255.252 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR11 – Remote LISP Site 1 (xTR/GM) ! hostname RTR11-xTR ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family !

address-family ipv6 exit-address-family ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 ! crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 ! ! interface Loopback0 ip address 192.168.255.11 255.255.255.255 !

interface Loopback1 vrf forwarding DeptA ip address 192.168.11.1 255.255.255.0 ipv6 address 1:1:11::1/64 ! interface Loopback2 vrf forwarding DeptB ip address 192.168.11.1 255.255.255.0 ipv6 address 2:2:11::1/64 ! interface Loopback3 vrf forwarding DeptC ip address 192.168.11.1 255.255.255.0 ipv6 address 3:3:11::1/64 ! interface LISP0 ! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001 ! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 ! interface Ethernet0/0 ip address 10.0.11.2 255.255.255.252 ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router lisp locator-set Site11-RLOC IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.255.11/32 locator-set Site11-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 1:1:11::/64 locator-set Site11-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 2:2:11::/64 locator-set Site11-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.11.0/24 locator-set Site11-RLOC database-mapping 3:3:11::/64 locator-set Site11-RLOC exit

! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site11-pswd ipv4 etr map-server 10.0.15.2 key site11-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site11-pswd ipv6 etr map-server 10.0.15.2 key site11-pswd ipv6 etr exit ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.0.11.1 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR16 – Remote LISP Site 2 (xTR/GM) ! hostname RTR16-xTR ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256

authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 ! crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 ! interface Loopback0 ip address 192.168.255.16 255.255.255.255 ! interface Loopback1 vrf forwarding DeptA ip address 192.168.16.1 255.255.255.0 ipv6 address 1:1:16::1/64 ! interface Loopback2 vrf forwarding DeptB ip address 192.168.16.1 255.255.255.0 ipv6 address 2:2:16::1/64 ! interface Loopback3

vrf forwarding DeptC ip address 192.168.16.1 255.255.255.0 ipv6 address 3:3:16::1/64 ! interface LISP0 ! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001 ! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 ! interface Ethernet0/0 ip address 10.0.16.2 255.255.255.252 ! interface Ethernet0/1 ip address 10.0.16.6 255.255.255.252 ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router lisp locator-set Site16-RLOC 10.0.16.2 priority 1 weight 50 10.0.16.6 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.255.16/32 locator-set Site16-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 1:1:16::/64 locator-set Site16-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 2:2:16::/64 locator-set Site16-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.16.0/24 locator-set Site16-RLOC database-mapping 3:3:16::/64 locator-set Site16-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site16-pswd ipv4 etr map-server 10.0.15.2 key site16-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent

ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site16-pswd ipv6 etr map-server 10.0.15.2 key site16-pswd ipv6 etr exit ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.0.16.1 ip route 0.0.0.0 0.0.0.0 10.0.16.5 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR13 – Remote LISP Site 3 (xTR/GM) ! hostname RTR13-xTR ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0

! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 ! crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 ! interface Loopback0 ip address 192.168.255.13 255.255.255.255 ! interface Loopback1 vrf forwarding DeptA ip address 192.168.13.1 255.255.255.0 ipv6 address 1:1:13::1/64 ! interface Loopback2 vrf forwarding DeptB ip address 192.168.13.1 255.255.255.0 ipv6 address 2:2:13::1/64 ! interface Loopback3 vrf forwarding DeptC ip address 192.168.13.1 255.255.255.0 ipv6 address 3:3:13::1/64 ! interface LISP0 ! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001

crypto map MAP-V4-0001 ! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 ! interface Ethernet0/0 ip address 10.0.13.2 255.255.255.252 ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! router lisp locator-set Site13-RLOC IPv4-interface Ethernet0/0 priority 1 weight 1 exit ! eid-table default instance-id 0 database-mapping 192.168.255.13/32 locator-set Site13-RLOC exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.13.0/24 locator-set Site13-RLOC database-mapping 1:1:13::/64 locator-set Site13-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.13.0/24 locator-set Site13-RLOC database-mapping 2:2:13::/64 locator-set Site13-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.13.0/24 locator-set Site13-RLOC database-mapping 3:3:13::/64 locator-set Site13-RLOC exit ! no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key site13-pswd ipv4 etr map-server 10.0.15.2 key site13-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key site13-pswd ipv6 etr map-server 10.0.15.2 key site13-pswd ipv6 etr exit ! no ip http server no ip http secure-server

ip route 0.0.0.0 0.0.0.0 10.0.13.1 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR14 – HQ LISP Site (xTR/MSMR/GM) ! hostname RTR14-xTR ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2

client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 ! crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 ! interface Loopback0 ip address 192.168.255.14 255.255.255.255 ! interface LISP0 ! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001 ! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 ! interface Ethernet0/0 ip address 10.0.14.2 255.255.255.252 ! interface Ethernet0/1 no ip address ! interface Ethernet0/1.1 encapsulation dot1Q 1 native vrf forwarding DeptA ip address 192.168.14.1 255.255.255.0 ipv6 address 1:1:14::1/64 !

interface Ethernet0/1.2 encapsulation dot1Q 2 vrf forwarding DeptB ip address 192.168.14.1 255.255.255.0 ipv6 address 2:2:14::1/64 ! interface Ethernet0/1.3 encapsulation dot1Q 3 vrf forwarding DeptC ip address 192.168.14.1 255.255.255.0 ipv6 address 3:3:14::1/64 ! interface Ethernet0/2 ip address 192.168.18.1 255.255.255.0 ! interface Ethernet0/3 no ip address shutdown ! router lisp locator-set HQ-RLOC 10.0.14.2 priority 1 weight 50 10.0.15.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.18.0/24 10.0.14.2 priority 1 weight 1 database-mapping 192.168.255.14/32 10.0.14.2 priority 1 weight 1 exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 1:1:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 2:2:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 3:3:14::/64 locator-set HQ-RLOC exit ! site HQ authentication-key hq-pswd eid-prefix 192.168.18.0/24 eid-prefix 192.168.19.0/24 eid-prefix 192.168.255.14/32 eid-prefix 192.168.255.15/32 eid-prefix instance-id 1 192.168.14.0/24 eid-prefix instance-id 1 1:1:14::/64 eid-prefix instance-id 2 192.168.14.0/24 eid-prefix instance-id 2 2:2:14::/64 eid-prefix instance-id 3 192.168.14.0/24 eid-prefix instance-id 3 3:3:14::/64 exit ! site Site11 authentication-key site11-pswd eid-prefix 192.168.255.11/32 eid-prefix instance-id 1 192.168.11.0/24 eid-prefix instance-id 1 1:1:11::/64 eid-prefix instance-id 2 192.168.11.0/24 eid-prefix instance-id 2 2:2:11::/64 eid-prefix instance-id 3 192.168.11.0/24 eid-prefix instance-id 3 3:3:11::/64 exit ! site Site13 authentication-key site13-pswd eid-prefix 192.168.255.13/32

eid-prefix instance-id 1 192.168.13.0/24 eid-prefix instance-id 1 1:1:13::/64 eid-prefix instance-id 2 192.168.13.0/24 eid-prefix instance-id 2 2:2:13::/64 eid-prefix instance-id 3 192.168.13.0/24 eid-prefix instance-id 3 3:3:13::/64 exit ! site Site16 authentication-key site16-pswd eid-prefix 192.168.255.16/32 eid-prefix instance-id 1 192.168.16.0/24 eid-prefix instance-id 1 1:1:16::/64 eid-prefix instance-id 2 192.168.16.0/24 eid-prefix instance-id 2 2:2:16::/64 eid-prefix instance-id 3 192.168.16.0/24 eid-prefix instance-id 3 3:3:16::/64 exit ! ipv4 map-server ipv4 map-resolver no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key hq-pswd ipv4 etr map-server 10.0.15.2 key hq-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2 ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key hq-pswd ipv6 etr map-server 10.0.15.2 key hq-pswd ipv6 etr exit ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.0.14.1 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR15 – HQ LISP Site (xTR/MSMR/GM) ! hostname RTR15-xTR ! vrf definition DeptA ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptB ! address-family ipv4

exit-address-family ! address-family ipv6 exit-address-family ! vrf definition DeptC ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 192.168.18.2 crypto isakmp key FOO address 192.168.19.2 ! crypto gdoi group V4GROUP-0001 identity number 10001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0002 identity number 10002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group V4GROUP-0003 identity number 10003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server address ipv4 192.168.18.2 server address ipv4 192.168.19.2 client registration interface Loopback0 ! crypto map MAP-V4-0001 10 gdoi set group V4GROUP-0001 ! crypto map MAP-V4-0002 10 gdoi set group V4GROUP-0002 ! crypto map MAP-V4-0003 10 gdoi set group V4GROUP-0003 ! crypto map ipv6 MAP-V6-0001 10 gdoi set group V6GROUP-0001 !

crypto map ipv6 MAP-V6-0002 10 gdoi set group V6GROUP-0002 ! crypto map ipv6 MAP-V6-0003 10 gdoi set group V6GROUP-0003 ! interface Loopback0 ip address 192.168.255.15 255.255.255.255 ! interface LISP0 ! interface LISP0.1 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0001 crypto map MAP-V4-0001 ! interface LISP0.2 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0002 crypto map MAP-V4-0002 ! interface LISP0.3 ip mtu 1456 ipv6 mtu 1436 ipv6 crypto map MAP-V6-0003 crypto map MAP-V4-0003 ! interface Ethernet0/0 ip address 10.0.15.2 255.255.255.252 ! interface Ethernet0/1 no ip address ! interface Ethernet0/1.1 encapsulation dot1Q 1 native vrf forwarding DeptA ip address 192.168.14.2 255.255.255.0 ipv6 address 1:1:14::2/64 ! interface Ethernet0/1.2 encapsulation dot1Q 2 vrf forwarding DeptB ip address 192.168.14.2 255.255.255.0 ipv6 address 2:2:14::2/64 ! interface Ethernet0/1.3 encapsulation dot1Q 3 vrf forwarding DeptC ip address 192.168.14.2 255.255.255.0 ipv6 address 3:3:14::2/64 ! interface Ethernet0/2 ip address 192.168.19.1 255.255.255.0 ! interface Ethernet0/3 no ip address shutdown ! router lisp locator-set HQ-RLOC 10.0.14.2 priority 1 weight 50 10.0.15.2 priority 1 weight 50 exit ! eid-table default instance-id 0 database-mapping 192.168.19.0/24 10.0.15.2 priority 1 weight 1 database-mapping 192.168.255.15/32 10.0.15.2 priority 1 weight 1 exit ! eid-table vrf DeptA instance-id 1 database-mapping 192.168.14.0/24 locator-set HQ-RLOC

database-mapping 1:1:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptB instance-id 2 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 2:2:14::/64 locator-set HQ-RLOC exit ! eid-table vrf DeptC instance-id 3 database-mapping 192.168.14.0/24 locator-set HQ-RLOC database-mapping 3:3:14::/64 locator-set HQ-RLOC exit ! site HQ authentication-key hq-pswd eid-prefix 192.168.18.0/24 eid-prefix 192.168.19.0/24 eid-prefix 192.168.255.14/32 eid-prefix 192.168.255.15/32 eid-prefix instance-id 1 192.168.14.0/24 eid-prefix instance-id 1 1:1:14::/64 eid-prefix instance-id 2 192.168.14.0/24 eid-prefix instance-id 2 2:2:14::/64 eid-prefix instance-id 3 192.168.14.0/24 eid-prefix instance-id 3 3:3:14::/64 exit ! site Site11 authentication-key site11-pswd eid-prefix 192.168.255.11/32 eid-prefix instance-id 1 192.168.11.0/24 eid-prefix instance-id 1 1:1:11::/64 eid-prefix instance-id 2 192.168.11.0/24 eid-prefix instance-id 2 2:2:11::/64 eid-prefix instance-id 3 192.168.11.0/24 eid-prefix instance-id 3 3:3:11::/64 exit ! site Site13 authentication-key site13-pswd eid-prefix 192.168.255.13/32 eid-prefix instance-id 1 192.168.13.0/24 eid-prefix instance-id 1 1:1:13::/64 eid-prefix instance-id 2 192.168.13.0/24 eid-prefix instance-id 2 2:2:13::/64 eid-prefix instance-id 3 192.168.13.0/24 eid-prefix instance-id 3 3:3:13::/64 exit ! site Site16 authentication-key site16-pswd eid-prefix 192.168.255.16/32 eid-prefix instance-id 1 192.168.16.0/24 eid-prefix instance-id 1 1:1:16::/64 eid-prefix instance-id 2 192.168.16.0/24 eid-prefix instance-id 2 2:2:16::/64 eid-prefix instance-id 3 192.168.16.0/24 eid-prefix instance-id 3 3:3:16::/64 exit ! ipv4 map-server ipv4 map-resolver no ipv4 map-cache-persistent ipv4 itr map-resolver 10.0.14.2 ipv4 itr map-resolver 10.0.15.2 ipv4 itr ipv4 etr map-server 10.0.14.2 key hq-pswd ipv4 etr map-server 10.0.15.2 key hq-pswd ipv4 etr ipv6 map-server ipv6 map-resolver no ipv6 map-cache-persistent ipv6 itr map-resolver 10.0.14.2

ipv6 itr map-resolver 10.0.15.2 ipv6 itr ipv6 etr map-server 10.0.14.2 key hq-pswd ipv6 etr map-server 10.0.15.2 key hq-pswd ipv6 etr exit ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.0.15.1 ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR18 – HQ LISP Site (KS1) ! hostname RTR18-KS1 ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 0.0.0.0 crypto isakmp keepalive 15 periodic ! crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac ! crypto ipsec profile GDOI-PROFILE set transform-set GDOI-TRANS ! crypto gdoi group V4GROUP-0001 identity number 10001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0001 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group V4GROUP-0002 identity number 10002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0002 replay time window-size 5 address ipv4 192.168.18.2

redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group V4GROUP-0003 identity number 10003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0003 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0001 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0002 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0003 replay time window-size 5 address ipv4 192.168.18.2 redundancy local priority 100 peer address ipv4 192.168.19.2 ! interface Ethernet0/0 ip address 192.168.18.2 255.255.255.0 ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address

shutdown ! interface Ethernet0/3 no ip address shutdown ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 192.168.18.1 ! ip access-list extended GETVPN-0001 permit ip any any ip access-list extended GETVPN-0002 permit ip any any ip access-list extended GETVPN-0003 permit ip any any ! ipv6 access-list GETVPN6-0001 permit ipv6 any any ! ipv6 access-list GETVPN6-0002 permit ipv6 any any ! ipv6 access-list GETVPN6-0003 permit ipv6 any any ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

RTR19 – HQ LISP Site (KS2) ! hostname RTR19-KS2 ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 16 crypto isakmp key FOO address 0.0.0.0 crypto isakmp keepalive 15 periodic ! crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha512-hmac ! crypto ipsec profile GDOI-PROFILE set transform-set GDOI-TRANS ! crypto gdoi group V4GROUP-0001 identity number 10001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0001 replay time window-size 5 address ipv4 192.168.19.2

redundancy local priority 100 peer address ipv4 192.168.18.2 ! crypto gdoi group V4GROUP-0002 identity number 10002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0002 replay time window-size 5 address ipv4 192.168.19.2 redundancy local priority 100 peer address ipv4 192.168.18.2 ! crypto gdoi group V4GROUP-0003 identity number 10003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv4 GETVPN-0003 replay time window-size 5 address ipv4 192.168.19.2 redundancy local priority 100 peer address ipv4 192.168.18.2 ! crypto gdoi group ipv6 V6GROUP-0001 identity number 20001 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS1 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0001 replay time window-size 5 address ipv4 192.168.19.2 redundancy local priority 100 peer address ipv4 192.168.18.2 ! crypto gdoi group ipv6 V6GROUP-0002 identity number 20002 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS2 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0002 replay time window-size 5 address ipv4 192.168.19.2 redundancy local priority 100 peer address ipv4 192.168.18.2 ! crypto gdoi group ipv6 V6GROUP-0003 identity number 20003 server local rekey retransmit 60 number 2 rekey authentication mypubkey rsa GET-KEYS3 rekey transport unicast sa ipsec 1 profile GDOI-PROFILE match address ipv6 GETVPN6-0003

replay time window-size 5 address ipv4 192.168.19.2 redundancy local priority 100 peer address ipv4 192.168.18.2 ! interface Ethernet0/0 ip address 192.168.19.2 255.255.255.0 ! interface Ethernet0/1 no ip address shutdown ! interface Ethernet0/2 no ip address shutdown ! interface Ethernet0/3 no ip address shutdown ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 192.168.19.1 ! ip access-list extended GETVPN-0001 permit ip any any ip access-list extended GETVPN-0002 permit ip any any ip access-list extended GETVPN-0003 permit ip any any ! ipv6 access-list GETVPN6-0001 permit ipv6 any any ! ipv6 access-list GETVPN6-0002 permit ipv6 any any ! ipv6 access-list GETVPN6-0003 permit ipv6 any any ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 line vty 0 4 exec-timeout 0 0 privilege level 15 password cisco login transport input all !

Appendix C: Additional Resources You can find other useful information related to the topics covered in this lab at the following URLs:

• Cisco LISP Download Site (EXTERNAL) You can find software downloads, configurations, command reference guides, and more. This is available to customers. http://lisp.cisco.com (IPv4 and IPv6 accessible)

• LISP Beta Network (EXTERNAL) You can find operational information on the LISP Beta Network, and general LISP protocol information. This site is available to customers. http://www.lisp4.net/ http://www.lisp6.net

• Cisco LISP Marketing Page (EXTERNAL) Cisco Marketing maintains this page. This site is available to customers. http://www.cisco.com/go/lisp

Documents

Cisco GETVPN+LISP Lab Guide