In the example, the Map-Servers build a separate VPN (EID instance) membership list for each customer and
then push the contents of the list out. The two xTRs for customer A each register their site RLOCs. They each
receive back from the Map-Server the complete list of RLOCs of all the xTRs for customer A. The received
list is used to filter decapsulated traffic and enforce the data plane security.
When PxTRs are being used (for example to provide internet connectivity to the VPN) then the xTRs
participating in the VPN must accept and decapsulate the LISP data packets sent by the PxTRs. The RLOC
addresses used by the PxTRs have to be included in the EID instance membership list communicated to the
xTRs by the Map-Server. The PxTRs do not register EID prefixes with the Map-Server that the Map-Server
can use to discover the PxTR RLOCs. Those RLOCs will have to be manually configured on the Map-Server.
The EID instance membership lists built by Map-Servers are only useful to boxes participating in the VPN.
As an added security measure, the Map-Server will only communicate the contents of the membership list
for an EID instance to xTRs and PxTRs that are members of that VPN.
Map-Server Membership Gleaning and Distribution
A LISP Map-Server is responsible for tracking the per EID instance membership and distributing it to (P)xTRs.
Use the map-server rloc members distribute command to enable this functionality. The command configures
the Map-Server to:
•
Build a list of RLOC addresses using Map-Registrations and configuration from which to accept reliable
transport sessions.
•
Accept TCP connections from (P)xTRs in above list.
•
Glean and maintain per EID instance RLOC membership from received Map-Register messages.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
659
Implementing Data Plane Security
Map-Server Membership Gleaning and Distribution
To Next Page
Loading...
Need help?
General
