Source RLOC Decapsulation Filtering
This illustration shows blue and black customer networks using LISP EID instance ID (IID) 100 and 200,
respectively, over a shared common RLOC core. When decapsulating LISP data packets, the PxTR validates
that packets carrying instance ID 100 have a source (SRC) RLOC in the encapsulation header of either a1,
a2 or a3. Similarly, for instance ID 200 the PxTR validates that the RLOC source is b1, b2 or b3.
LISP encapsulated data packets that do not carry a valid source RLOC are dropped. The combination of RLOC
space URPF enforcement and source RLOC-based decapsulation filtering ensures that it not possible for a
source that is not member of a tenant VPN to inject traffic into the VPN.
EID Instance Membership Distribution
To deploy the source RLOC filtering solution, an automated mechanism is required to push the list of valid
RLOCs through the mapping system to the boxes performing decapsulation. This function is performed by
the Map-Servers. The Map-Servers construct the EID instance ID RLOC membership list using the RLOC
information in the received mapping records in Map-Register messages. The complete list is then pushed out
to all the xTRs and PxTRs that must decapsulate packets for the VPN identified by the EID instance ID.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
658
Implementing Data Plane Security
Source RLOC Decapsulation Filtering
To Next Page
Loading...
Need help?
General
