When an (P)ETR decapsulates LISP packets, this occurs without consideration of the LISP packet outer header
source address. In networking environments where the source address can be trusted, it may be desired to
consider the source address of the LISP packet prior to decapsulation. By configuring the decapsulation filter
source command on (P)xTRs, a device will establish a TCP-based reliable transport session with its
Map-Server(s) and download and use filter list(s) when decapsulating LISP packets. Either or both of the
members or locator-set keywords must be specified.
When the members keyword is specified the xTR will attempt to establish a reliable transport (TCP) sessions
with the configured map-servers to automatically obtain the registered RLOC membership list. When a
locator-set is specified the filtering will be performed against the locators that are configured within the
locator-set. When both the locator-set and the "members" keyword are specified then the configured locators
and the automatically discovered ones will be merged and the resulting list used to filter decapsulated packets.
Note
•
A (P)xTR normally communicates with multiple Map-Servers. However, in the event that all reliable
transport session goes down, any existing (possibly stale) filter list will remain in use during a small
window of time (several minutes), during which time the (P)xTR tries to re-establish the session(s)
with the MS and refresh its membership.
•
If no filter list can be downloaded, or the existing list times out, packets will be dropped. (fail closed.)
•
If the xTR changes RLOCs (via DHCP for example), as soon as the RLOC is changed, the registration
with the Map-Server is updated and the new registered RLOC is pushed to all “members” of this
IID/VPN (event-driven).
Before You Begin
Ensure that the following pre-requisites are met:
•
On an xTR, the TCP-based reliable transport session is established only after the UDP-based (normal)
Map-Registration process successfully completes.
•
On a PxTR, since this device does not (normally) register with a Map-Server, a 'stub' (fake)
Map-Registration configuration must be added to allow the establishment of the reliable transport session
and the download of any filter lists. The Map-Server requires the PETR RLOC(s) to be included in a
map-server rloc members modify-discovered add command to permit this session establishment.
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
663
Implementing Data Plane Security
Enable Source RLOC-based Decapsulation Filtering
To Next Page
Loading...
Need help?
General
