
Cisco A9K-SIP-700 Routing Configuration Guide

Cisco A9K-SIP-700
702 pages
Serve EID instance membership requests received over the reliable transport sessions from (P)xTRs and
distribute membership information.

The per EID instance membership list that the MS gleans from received registrations can be extended or completely overridden through the map-server rloc members {add | override} configuration command. The command allows the user to extend the discovered xTR RLOC membership with PxTR RLOC addresses. The extended membership list is used to determine whether to allow a membership request that is received over a reliable transport session. Only requests from xTRs that have registrations in an EID instance are allowed. The extended membership list is then pushed to decapsulating devices implementing the data plane security feature that will then be able to accept encapsulated packets sent by both valid xTRs and PxTRs.

To prevent unauthorized attempts to establish TCP connections with the Map-Server, a list of allowed locators from which to accept connections is built. The list contains the RLOC addresses of the registering xTRs as well as the RLOC addresses configured in membership list extensions. Note that there is a single list from which to accept connections per RLOC address family (it is not EID instance specific).

As an example, consider the network in the above figure with two VPNs. VPNs A and B each have two xTRs, A1/A2 and B1/B2 respectively. The membership of VPN A is extended on the MS through the “map-server rloc members add …” configuration to include PxTR RLOC address P1. The membership of VPN B is extended to include PxTR RLOC address P2. The resulting lists maintained by the MS are:

EID instance 1 (VPN A) membership: A1, A2, P1
EID instance 2 (VPN B) membership: B1, B2, P2
Locators from which to accept TCP session: A1, A2, P1, B1, B2, P2

The Map-Server may receive an EID instance membership request for one or more EID instances through each established reliable transport session. PxTRs will typically request the membership of multiple instances through the single session that they establish with the MS. The Map-Server must provide full membership refreshes and incremental updates for each of the accepted requests.

When a membership request is received by an MS and the peer (P)xTR originating the request is not a member of the EID instance to which the request pertains, then the MS will reject the request and return a membership NACK message to the (P)xTR. Note that such an event may occur during normal operation as the TCP session and membership request from an xTR may be received before the corresponding Map-Register message that places it in the EID instance membership. If after an EID instance membership request has been accepted by
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
660
Implementing Data Plane Security
Map-Server Membership Gleaning and Distribution
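
The membership and accept-list rules described on this page, modeled as an added Python example (not Cisco code and not IOS XR configuration). The class, its method names and the ACCEPT / TCP-REFUSED return strings are hypothetical, the RLOC addresses are constructed, and the model assumes the TCP accept list is checked before the per-instance membership.

```python
import ipaddress
from collections import defaultdict

ip = ipaddress.ip_address

class MapServerModel:
    """Toy model of the MS membership logic described above; not Cisco code."""
    def __init__(self):
        self.gleaned = defaultdict(set)  # EID instance -> RLOCs gleaned from Map-Registers
        self.extension = {}              # EID instance -> (mode, RLOCs) from "rloc members"

    def register(self, iid, rloc):
        self.gleaned[iid].add(ip(rloc))

    def rloc_members(self, iid, mode, rlocs):
        if mode not in ("add", "override"):
            raise ValueError(f"unknown mode: {mode}")
        self.extension[iid] = (mode, {ip(r) for r in rlocs})

    def membership(self, iid):
        """Per-instance list: gleaned RLOCs extended ("add") or replaced ("override")."""
        mode, extra = self.extension.get(iid, ("add", set()))
        gleaned = set() if mode == "override" else self.gleaned.get(iid, set())
        return gleaned | extra

    def accept_list(self, version):
        """One list per RLOC address family, shared by all EID instances."""
        rlocs = set().union(*self.gleaned.values(),
                            *(extra for _, extra in self.extension.values()))
        return {r for r in rlocs if r.version == version}

    def handle_request(self, peer, iid):
        peer = ip(peer)
        if peer not in self.accept_list(peer.version):
            return "TCP-REFUSED"   # locator is not allowed to open a session at all
        return "ACCEPT" if peer in self.membership(iid) else "NACK"

# Constructed RLOCs (documentation prefixes) for the two-VPN example above.
A1, A2, B1, B2 = "192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2"
P1, P2 = "203.0.113.1", "203.0.113.2"

def build_example():
    ms = MapServerModel()
    for iid, rloc in [(1, A1), (1, A2), (2, B1), (2, B2)]:
        ms.register(iid, rloc)          # Map-Registers from the xTRs
    ms.rloc_members(1, "add", [P1])     # VPN A extended with PxTR P1
    ms.rloc_members(2, "add", [P2])     # VPN B extended with PxTR P2
    return ms

if __name__ == "__main__":
    ms = build_example()
    print(sorted(map(str, ms.membership(1))), ms.handle_request(P1, 2))
```

Because the accept list is shared across instances, a locator that is valid for one VPN can open a session and then ask for another VPN's membership; the per-instance check is what answers that request with a NACK.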
