CHAPTER 13
Implementing Data Plane Security
The data plane security (DPSec) feature prevents traffic injection from external sources into a LISP VPN.
DPSec relies on the integrity of the routing locator (RLOC) network which is built using unicast reverse
path forwarding (URPF) support.
To enable LISP shared-mode segmentation without incurring the overhead of authentication and
encryption, the DPSec feature uses a mechanism called Source RLOC Decapsulation Filtering that enforces
URPF on the network. The URPF configured on the network disseminates lists of acceptable RLOCs, traffic
from which will already have been verified by URPF. This makes it impossible to spoof the source RLOC
address of LISP control and data packets. The DPSec feature uses the list of valid encapsulation sources for each
EID instance to filter LISP data packets during decapsulation at xTRs and PxTRs.
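The decapsulation-side check described above, modelled as an added example (this is not Cisco's implementation): a per-EID-instance list of valid encapsulation sources is consulted against the outer source address and the instance ID carried in the LISP data header. The header layout follows RFC 6830; treating a packet without the I bit as instance 0 and failing closed for an instance with no list are assumptions of the example.

```python
import ipaddress
# LISP data-plane header flag bits (RFC 6830, section 5.3), first header byte.
LISP_FLAG_N = 0x80  # nonce present in bytes 1-3
LISP_FLAG_I = 0x08  # instance ID present in bytes 4-6

def build_lisp_header(instance_id: int, nonce: int = 0) -> bytes:
    """Constructed helper: an 8-byte LISP data header with the N and I bits set."""
    return (bytes([LISP_FLAG_N | LISP_FLAG_I]) + nonce.to_bytes(3, "big")
            + instance_id.to_bytes(3, "big") + b"\x00")

def parse_lisp_header(hdr: bytes) -> dict:
    """Decode the fields the decapsulation filter needs from a LISP data header."""
    if len(hdr) < 8:
        raise ValueError("LISP data header is 8 bytes")
    flags = hdr[0]
    # Assumption: a packet carrying no instance ID belongs to instance 0.
    iid = int.from_bytes(hdr[4:7], "big") if flags & LISP_FLAG_I else 0
    return {"flags": flags, "instance_id": iid}

class DecapFilter:
    """Source RLOC decapsulation filter: instance ID -> set of valid encapsulation sources."""
    def __init__(self, allowed: dict):
        self.allowed = {iid: {ipaddress.ip_address(r) for r in rlocs}
                        for iid, rlocs in allowed.items()}
        self.dropped = []  # (outer_src, instance_id, reason), for counters or logging

    def accept(self, outer_src: str, lisp_hdr: bytes) -> bool:
        """Return True if the packet may be decapsulated into its EID instance."""
        src = ipaddress.ip_address(outer_src)
        iid = parse_lisp_header(lisp_hdr)["instance_id"]
        valid = self.allowed.get(iid)
        if valid is None:
            # Assumption: fail closed for an instance this device has no list for.
            self.dropped.append((outer_src, iid, "no-filter-list"))
            return False
        if src not in valid:
            self.dropped.append((outer_src, iid, "source-rloc-not-in-list"))
            return False
        return True

# Constructed sample: instance 4100 has two legitimate xTR RLOCs on this device.
FILTER = DecapFilter({4100: {"10.1.1.1", "10.1.1.2"}})

def demo() -> list:
    """Evaluate three constructed packets; returns the per-packet decisions."""
    pkts = [("10.1.1.1", 4100),    # legitimate xTR of the VPN
            ("192.0.2.7", 4100),   # source outside the VPN's RLOC list
            ("10.1.1.1", 4200)]    # instance with no list on this device
    return [FILTER.accept(src, build_lisp_header(iid)) for src, iid in pkts]
```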
Note: While LISP forwarding is supported on Cisco ASR 9000 High Density 100GE Ethernet line cards,
LISP IPv6 RLOC and LISP data plane security features are not supported on these cards.
Feature History for Data Plane Security
Release 5.3.0: This feature was introduced.
• Information about Data Plane Security, page 657
• How to Implement Data Plane Security, page 662
• Additional References, page 672
Information about Data Plane Security
The LISP Data Plane Security feature ensures that only traffic from within a LISP VPN can be decapsulated
into the VPN. In order to understand data plane security, you must be familiar with the following features and
concepts it supports:
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
657