Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 41      Configuring Campus Fabric
Dataplane Security
Campus Fabric Data Plane Security ensures that only traffic from within a fabric domain can be 
decapsulated by an edge device at the destination. Edge and border devices in the fabric domain validate 
that the source Routing Locator (RLOC), or the uplink interface address, carried by the data packet is a 
member of the fabric domain.
Data Plane Security ensures that the edge device source addresses in the encapsulated data packets 
cannot be spoofed. Packets from outside the fabric domain carry invalid source RLOCs that are blocked 
during decapsulation by edge and border devices.
Configuring Dataplane Security on Fabric Edge Devices
You can configure Cisco Catalyst 4500-E series switches as edge devices only. 
Before You Begin
• Configure a loopback0 IP address for each edge device to ensure that the device is reachable. Ensure 
that you apply the ip lisp source-locator loopback0 command to the uplink interface.
• Ensure that your underlay configuration is set up.
• Configure control-plane devices and border devices in your fabric domain. Cisco Catalyst 4500-E 
series switches cannot be configured as control-plane or border devices. For more information on 
configuring dataplane security on control-plane and border devices, see the How to Configure Fabric 
Overlay section in Software Configuration Guide, Cisco IOS XE Denali 16.3.x (Catalyst 3850 
Switches).
To configure dataplane security in static mode:
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 3
Command: Switch(config-router-lisp)# decapsulation filter rloc source member
Purpose: Enables source RLOC address validation of encapsulated packets in the fabric domain.

Step 4
Command: Switch(config-router-lisp)# exit
Purpose: Exits LISP configuration mode and returns to global configuration mode.

Step 5
Command: Switch(config-if)# exit
Purpose: Exits interface configuration mode and enters global configuration mode.

Step 6
Command: Switch(config)# show lisp [session [established] | vrf [vrf-name [session [peer-address]]]]
Purpose: Displays reliable transport session information. If there is more than one transport session, the corresponding information is displayed.

Step 7
Command: Switch(config)# show lisp decapsulation filter [IPv4-rloc-address | IPv6-rloc-address] [eid-table eid-table-vrf | instance-id iid]
Purpose: Displays RLOC address configuration details (whether manually configured or discovered) on the edge device.
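
The prerequisites and Step 3 above can be checked offline against a saved running configuration. The following Python audit is an added example, not Cisco tooling or part of the original guide; the function names, the sample configurations and the uplink interface name are assumptions made for illustration, and only the two LISP commands are taken from this page.

```python
import re

# The two commands below come from this page; all other names are hypothetical.
FILTER_CMD = "decapsulation filter rloc source member"
LOCATOR_CMD = "ip lisp source-locator loopback0"

def parse_sections(config):
    """Map each top-level IOS line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":            # top-level line starts a new section
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:     # indented line belongs to that section
            sections[current].append(line.strip().lower())
    return sections

def audit_edge_config(config, uplinks):
    """Return a list of findings; an empty list means every check passed."""
    sec = parse_sections(config)
    findings = []
    lo0 = sec.get("interface loopback0", [])
    if not any(re.match(r"ip address \d+\.\d+\.\d+\.\d+ ", l) for l in lo0):
        findings.append("loopback0 has no IPv4 address")
    for name in uplinks:
        if LOCATOR_CMD not in sec.get("interface " + name.lower(), []):
            findings.append(f"{name}: missing '{LOCATOR_CMD}'")
    if FILTER_CMD not in sec.get("router lisp", []):
        findings.append(f"router lisp: missing '{FILTER_CMD}'")
    return findings

# Constructed sample configurations (not captured from a real device).
GOOD = """\
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
interface TenGigabitEthernet1/1
 ip address 198.51.100.1 255.255.255.252
 ip lisp source-locator loopback0
!
router lisp
 decapsulation filter rloc source member
"""
BAD = GOOD.replace(" decapsulation filter rloc source member\n", "").replace(
    " ip lisp source-locator loopback0\n", "")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, audit_edge_config(cfg, ["TenGigabitEthernet1/1"]) or "OK")
```

The audit only confirms that the commands are present in the saved configuration; the show commands in Steps 6 and 7 remain the way to confirm the filter state on the device itself.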