Create, Maintain and Distribute Decapsulation Filter Lists
A Map-Server can be configured to dynamically create, maintain, and distribute decapsulation filter lists, on
a per instance-ID basis, to appropriate LISP devices using the map-server rloc members distribute command
in site configuration mode. When configured:
• The Map-Server allows the establishment of TCP-based LISP reliable transport sessions with appropriate xTRs.
• The Map-Server creates and maintains per-IID lists of LISP site RLOCs, based on the RLOC addresses of registered LISP sites.
• The Map-Server pushes and updates filter lists over the reliable transport mechanism to established devices.
Note
• Data plane security is enabled by the use of the “map-server rloc members distribute” command. The optional command “map-server rloc members modify-discovered [add | override]” is used to append to or override the dynamically maintained RLOC filter list.
• This feature is used in conjunction with the decapsulation filter rloc source command, configured on the (P)xTR devices that perform the decapsulation.
This example shows how you can configure the Map-Server to create reliable transport sessions with specific
LISP sites, to dynamically create, maintain, and distribute decapsulation filter lists.
router lisp
locator-set PxTR_set
2001:DB8:E:F::2
exit
!
eid-table vrf 1001 instance-id 1001
map-server rloc members modify-discovered add locator-set PxTR_set
exit
!
---<skip>---
!
map-server rloc members distribute
!
Add or Override Decapsulation Filter List
When a Map-Server is configured to dynamically create, maintain, and distribute a decapsulation filter list,
the decapsulation filter list can be added to or overridden by using the map-server rloc members
modify-discovered command in EID-table configuration mode. Uses may include:
• When a PxTR is included in the architecture, the PITR LISP-encapsulates packets to an ETR, and the ETR must therefore include the PITR RLOC in its decapsulation filter list. Since PITRs do not register with Map-Servers, their RLOCs are not automatically included in the decapsulation filter list and must be added via configuration using this command.
• A PETR can also be configured to filter upon decapsulation, but again, because a PETR does not register with a Map-Server, it needs a way to obtain the decapsulation filter list. The add form of this command includes the mechanisms to establish the reliable transport session with the Map-Server for obtaining the decapsulation filter list on the PETR.
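The following is an added example, not Cisco code or output: a small Python model of the behaviour described in both sections above, showing how a per-IID filter list built from registered RLOCs changes under the add and override forms, and why a PITR's packets fail the check until its RLOC is added. The function names and site RLOCs are constructed for illustration (only 2001:DB8:E:F::2 comes from the configuration example), and it assumes that a packet whose outer source RLOC is not a member is dropped and that override replaces the discovered list.

```python
import ipaddress

def build_filter_lists(registrations, modify=None):
    """Return {iid: set of RLOCs} as the Map-Server would distribute them.

    registrations: iterable of (iid, rloc) learned from registered LISP sites.
    modify: {iid: (mode, [rloc, ...])}, modelling
            'map-server rloc members modify-discovered [add | override]'.
    """
    lists = {}
    for iid, rloc in registrations:
        lists.setdefault(iid, set()).add(ipaddress.ip_address(rloc))
    for iid, (mode, locator_set) in (modify or {}).items():
        extra = {ipaddress.ip_address(r) for r in locator_set}
        if mode == "add":            # append to the discovered list
            lists[iid] = lists.get(iid, set()) | extra
        elif mode == "override":     # assumption: replaces the discovered list
            lists[iid] = extra
        else:
            raise ValueError(f"unknown mode: {mode}")
    return lists

def permit_decap(filter_lists, iid, outer_src):
    """(P)xTR-side check: decapsulate only if the outer source RLOC is a member."""
    return ipaddress.ip_address(outer_src) in filter_lists.get(iid, set())

# Constructed registrations (documentation prefix 2001:DB8::/32).
REGISTRATIONS = [
    (1001, "2001:DB8:A:1::1"),
    (1001, "2001:DB8:B:1::1"),
    (1002, "2001:DB8:C:1::1"),
]
PITR_RLOC = "2001:DB8:E:F::2"  # member of locator-set PxTR_set in the page's example

def demo():
    discovered = build_filter_lists(REGISTRATIONS)
    added = build_filter_lists(REGISTRATIONS, {1001: ("add", [PITR_RLOC])})
    overridden = build_filter_lists(REGISTRATIONS, {1001: ("override", [PITR_RLOC])})
    return {
        "pitr_without_add": permit_decap(discovered, 1001, PITR_RLOC),
        "pitr_with_add": permit_decap(added, 1001, PITR_RLOC),
        "site_after_override": permit_decap(overridden, 1001, "2001:db8:a:1::1"),
        "cross_iid": permit_decap(added, 1002, "2001:DB8:A:1::1"),
        "unknown_source": permit_decap(added, 1001, "2001:DB8:DEAD::1"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20} -> {'decapsulate' if allowed else 'drop'}")
```

The cross_iid case shows why the lists are kept per instance-ID: an RLOC registered in instance 1001 is not a member of the list for instance 1002.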
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
Implementing Data Plane Security