To configure an instance ID to be associated with EID prefixes configured for this dynamic-EID policy, use the instance-id command. To disable this functionality, use the no form of this command.
instance-id id
no instance-id id
id | Instance ID for this xTR. The range is from 1 to 16777215. |
None
Dynamic-EID configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Virtualization support is currently available in LISP xTRs and Map Server (MS) or Map Resolver (MRs), including for LISP VM mobility. The instance ID has been added to LISP to support virtualization.
Use this command to configure the instance ID associated with EID prefixes configured for this dynamic-EID policy. Entering this command allows ETRs to register multiple overlapping EID prefixes in a segmented manner by using the instance ID as the distinguisher. Only one instance-id may be configured for each dynamic-EID policy. When an instance-id is configured, this instance ID is included with the EID prefixes when they are registered with the Map Server. The Map Server must also include the same instance-id within the EID prefix configurations for this LISP site. Instance IDs are configured on the MS using the eid-prefix command within the lisp site command mode.
Note | Virtualization support is not currently available for the LISP ALT, which means that it is also not supported on LISP PITRs. |
This command does not require a license.
This example shows how to configure an instance ID for the dynamic-EID policy Roamer-1:
switch# configure terminal
switch(config)# lisp dynamic-eid Roamer-1
switch(config-lisp-dynamic-eid)# instance-id 123
Command | Description |
---|---|
eid-prefix | Enters the LISP Map-Server site configuration mode subcommand for configuring the EID prefix and associated instance ID for a LISP site. |
To configure the virtual routing and forwarding (VRF) instance that the Cisco NX-OS device uses when sending map requests for an IPv4 end point identifier (EID) to Routing Locator mapping directly over the Locator/ID Separation Protocol Alternative Topology (LISP-ALT), use the ip lisp alt-vrf command. To remove the reference to a VRF, use the no form of this command.
ip lisp alt-vrf vrf-name
no ip lisp alt-vrf vrf-name
vrf-name | Name assigned to the LISP ALT VRF. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp alt-vrf command to configure the virtual routing and forwarding (VRF) instance that the LISP device uses for control plane mapping resolution functions.
You must use the ip lisp alt-vrf command for all devices that connect to the ALT to exchange LISP control plane messages for mapping. These devices include LISP Map-Server (MS), Map-Resolver (MR), and Proxy Ingress Tunnel Router (PITR) devices, and directly ALT-connected xTRs.
Follow these guidelines when using this command:
Note | When you use the ip lisp alt-vrf command, the referenced VRF must already have been created by using the vrf context command. In addition, you must already have created the corresponding configurations for connecting the LISP device to the ALT, including the generic routing encapsulation (GRE) tunnel interface(s) and any routing (static or dynamic) that is associated with the VRF. |
This example shows how to configure the VRF named lisp and then configure LISP to use this VRF when resolving IPv4 EID-to-RLOC mappings:
switch# configure terminal
switch(config)# vrf context lisp
switch(config-vrf)# exit
switch(config)# ip lisp alt-vrf lisp
Command | Description |
---|---|
ip lisp itr map-resolver | Configures the IPv4 or IPv6 locator address of the LISP Map-Resolver to which the Ingress Tunnel Router (ITR) sends IPv4 Map-Request messages. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp proxy-itr | Configures the NX-OS device to act as an IPv4 LISP Proxy Ingress Tunnel Router (PITR). |
To configure an IPv4 endpoint identifier to Routing Locator (EID-to-RLOC) mapping relationship and its associated traffic policy, use the ip lisp database-mapping command. To remove the configured database mapping, use the no form of this command.
ip lisp database-mapping EID-prefix { locator | dynamic } priority priority weight weight
no ip lisp database-mapping EID-prefix { locator | dynamic } priority priority weight weight
EID-prefix | IPv4 EID prefix and length. |
locator | IPv4 or IPv6 RLOC associated with this EID prefix. |
dynamic | Allows the RLOC associated with this EID to be determined dynamically. |
priority priority | Specifies the priority (value between 0 and 255) assigned to the RLOC. When multiple locators have the same priority, they can be used in load-shared fashion. A lower value indicates a higher priority. |
weight weight | Specifies the weight (value between 0 and 100) assigned to the locator. Use this keyword to determine how to load-share traffic between multiple locators when the priorities assigned to multiple locators are the same. The weight argument represents the percentage of traffic to be load-shared. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp database-mapping command to configure the LISP database parameters for the specified IPv4 EID prefix block, including its associated locator, priority, and weight. The IPv4 EID prefix is the LISP IPv4 EID prefix block that is associated with the site that the Cisco NX-OS Series device registers as being authoritative with a Map Server. The locator is typically the IPv4 or IPv6 address of a loopback interface but can be the IPv4 or IPv6 address of any interface used as the Routing Locator (RLOC) address for the EID prefix assigned to the site. A priority and weight are used to define traffic policies when multiple RLOCs apply to the same EID prefix block.
When you configure a Cisco NX-OS Series device as an egress tunnel router (ETR), these LISP database-mapping parameters are advertised within a Map-Reply message to indicate the ingress traffic preferences of the site for the associated EID prefix block. An ingress tunnel router (ITR) then selects a source locator (outer header) address for encapsulating packets destined to the EID prefix based on these advertised parameters.
When a LISP site has multiple locators associated with the same EID prefix block, you use multiple ip lisp database-mapping commands to configure all of the locators for a given EID prefix block. Each locator can be assigned the same or a different priority value between 0 and 255. When multiple locators are assigned different priority values, the priority value is used to determine which locator to prefer. A lower value indicates a more preferable path. A value of 255 indicates that the locator must not be used for unicast traffic forwarding.
When multiple locators have the same priority, they can be used in a load-sharing manner. In this case, for a given priority, the weight given to each locator is used to determine how to load-balance unicast packets between them. The weight is a value between 0 and 100 and represents the percentage of traffic to be load shared to that locator. If you assign a nonzero weight value to any locator for a given EID prefix block, you must assign all locators with the same priority for that same EID prefix block with a nonzero weight value. The sum of all weight values must equal 100. If you assign a weight value of zero to any locator for a given EID prefix block, you must assign all locators with the same priority for that same EID prefix block with a weight value of zero. A weight value of zero indicates to an Ingress Tunnel Router (ITR) that receives the Map-Reply that it can decide how to load-share traffic destined to that EID prefix block.
When you assign a LISP site with multiple IPv4 EID prefixes, the ip lisp database-mapping is configured for each IPv4 EID prefix assigned to the site and for each locator that has a reachable IPv4 EID prefix.
When multiple ETRs are used at a LISP site, you must enter the ip lisp database-mapping command on all ETRs for all locators to make an IPv4 EID prefix block reachable even when the locator is not local to the specific ETR that is being configured.
If the ETR receives its RLOC through a dynamic process such as DHCP, or if it is sited behind a Network Address Translation (NAT) device and the routing locator belongs to the private address space that the NAT device translates to a public globally routed address, you might not be able to specify a locator in the ip lisp database-mapping entry. Add the dynamic keyword with the ip lisp database-mapping command so that the RLOC for this Cisco NX-OS device will be determined dynamically rather than being statically defined in each ip lisp database-mapping entry.
When an ETR is sited behind NAT, it needs to know the public global locator address; this is the address that is required for Map-Register and Map-Reply messages. You should enter the {ip | ipv6} lisp nat-traversal command. For more information, see the {ip | ipv6} lisp nat-traversal command.
This command does not require a license.
This example shows how to configure LISP database-mapping entries for a single IPv4 EID prefix block and two locators associated with the EID prefix block. Each locator is assigned with the same priority (1) and weight (50), indicating that ingress traffic is expected to be load-shared equally across both paths.
switch# configure terminal
switch(config)# ip lisp database-mapping 192.168.1.0/24 10.1.2.1 priority 1 weight 50
switch(config)# ip lisp database-mapping 192.168.1.0/24 10.1.1.1 priority 1 weight 50
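The priority and weight rules in the usage guidelines above can be checked mechanically before a change is pushed to an ETR. The following Python is an added example, not Cisco code: the function names and the second sample configuration are constructed for illustration, and the parser assumes running-config style lines that follow the command syntax shown on this page.

```python
import re
from collections import defaultdict

# Syntax from this page:
#   ip lisp database-mapping EID-prefix { locator | dynamic } priority P weight W
_DB_MAP = re.compile(
    r"^\s*ip lisp database-mapping\s+(?P<eid>\S+)\s+(?P<loc>\S+)"
    r"\s+priority\s+(?P<prio>\d+)\s+weight\s+(?P<weight>\d+)\s*$"
)

# The two-locator example from this page (equal load sharing).
PAGE_EXAMPLE = """\
ip lisp database-mapping 192.168.1.0/24 10.1.2.1 priority 1 weight 50
ip lisp database-mapping 192.168.1.0/24 10.1.1.1 priority 1 weight 50
"""

# Constructed sample that breaks three of the documented rules.
BAD_EXAMPLE = """\
ip lisp database-mapping 192.168.1.0/24 10.1.1.1 priority 1 weight 60
ip lisp database-mapping 192.168.1.0/24 10.1.2.1 priority 1 weight 30
ip lisp database-mapping 192.168.2.0/24 10.1.1.1 priority 1 weight 50
ip lisp database-mapping 192.168.2.0/24 10.1.2.1 priority 1 weight 0
ip lisp database-mapping 192.168.3.0/24 dynamic priority 255 weight 0
"""


def parse_database_mappings(config_text):
    """Return (eid, locator, priority, weight) for each database-mapping line."""
    entries = []
    for line in config_text.splitlines():
        m = _DB_MAP.match(line)
        if m:
            entries.append((m["eid"], m["loc"], int(m["prio"]), int(m["weight"])))
    return entries


def check_database_mappings(config_text):
    """Return a list of human-readable rule violations (empty when clean)."""
    findings = []
    groups = defaultdict(list)     # (eid, priority) -> [weight, ...]
    priorities = defaultdict(set)  # eid -> {priority, ...}

    for eid, loc, prio, weight in parse_database_mappings(config_text):
        if prio > 255:
            findings.append(f"{eid} {loc}: priority {prio} is outside 0-255")
            continue
        if weight > 100:
            findings.append(f"{eid} {loc}: weight {weight} is outside 0-100")
            continue
        groups[(eid, prio)].append(weight)
        priorities[eid].add(prio)

    # Locators that share a priority for one EID prefix must be either all
    # zero-weight (ITR decides the split) or all nonzero and sum to 100.
    for (eid, prio), weights in sorted(groups.items()):
        zeros = [w for w in weights if w == 0]
        if zeros and len(zeros) != len(weights):
            findings.append(f"{eid} priority {prio}: zero and nonzero weights are mixed")
        elif not zeros and sum(weights) != 100:
            findings.append(f"{eid} priority {prio}: weights sum to {sum(weights)}, not 100")

    # Priority 255 means "must not be used for unicast forwarding", so a
    # prefix whose locators are all 255 has no usable unicast path.
    for eid, prios in sorted(priorities.items()):
        if prios == {255}:
            findings.append(f"{eid}: every locator has priority 255, none usable for unicast")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        print(name, "->", check_database_mappings(cfg) or "OK")
```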
Command | Description |
---|---|
ip lisp etr map-server | Configures the IPv4 or IPv6 locator address of the LISP Map Server that the ETR uses to register its IPv4 EID prefixes. |
ip lisp locator-down | Configures an IPv4 or IPv6 locator from a locator set associated with the IPv4 EID prefix database mapping to be down. |
ip lisp map-cache | Configures a static IPv4 EID prefix to the locator map-cache entry. |
ip lisp nat-traversal | Configures an ETR with a private locator that is sited behind a NAT device to dynamically determine its NAT-translated public globally routed locator address for the applied interface. |
To configure a Cisco NX-OS device to act as an IPv4 Locator/ID Separation Protocol (LISP) Egress Tunnel Router (ETR), use the ip lisp etr command. To remove LISP ETR functionality, use the no form of this command.
ip lisp etr
no ip lisp etr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When you configure a Cisco NX-OS device as an IPv4 ETR, also use the ip lisp database-mapping command so that the Egress Tunnel Router (ETR) knows what endpoint identifier (EID) prefix blocks and corresponding locators are used for the LISP site. You should configure the ETR to register with a Map Server by using the ip lisp etr map-server command or to use static LISP EID-to-RLOC mappings by using the ip lisp map-cache command in order to participate in LISP networking.
When a map-cache entry contains mixed locators (both IPv4 and IPv6 RLOCs) and an ingress tunnel router (ITR) encapsulates using an IPv4 locator, you must configure the ETR that is assigned with the IPv4 locator by using the ip lisp etr command. When an IPv6 locator is used by an Ingress Tunnel Router (ITR), you must configure the ETR that is assigned with the IPv6 locator by using the ipv6 lisp etr command.
Note | You can configure an ETR as an Ingress Tunnel Router (ITR). However, the LISP architecture does not require that you do so. When configuring a device as both an Ingress Tunnel Router (ITR) and an ETR, use the ip lisp itr-etr command to enable both capabilities. |
This command does not require a license.
This example shows how to configure the IPv4 LISP ETR functionality on the Cisco NX-OS device:
switch# configure terminal
switch(config)# ip lisp etr
Command | Description |
---|---|
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp itr-etr | Configures the router to act as an IPv4 LISP Ingress Tunnel Router (ITR) and an IPv4 LISP Egress Tunnel Router (ETR) with one command. |
ip lisp etr map-server | Configures the IPv4 or IPv6 locator address of the LISP Map-Server to which an ETR should register for its IPv4 EID prefixes. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp map-cache | Configures a static IPv4 EID prefix to the locator map-cache entry. |
To configure an Egress Tunnel Router (ETR) to cache IPv4 mapping data contained in a Map-Request message, use the ip lisp etr accept-map-request-mapping command. To remove this functionality, use the no form of this command.
ip lisp etr accept-map-request-mapping [verify]
no ip lisp etr accept-map-request-mapping [verify]
verify | (Optional) Specifies that mapping data should be cached but not used for forwarding packets until the ETR can send its own Map Request to one of the locators from the mapping data record and receive a Map Reply with the same data in response. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR receives a Map-Request message, this message might contain mapping data for the invoking IPv4 source-EID packet. By default, the ETR ignores mapping data included in Map-Request messages. However, by entering the ip lisp etr accept-map-request-mapping command, the ETR caches the mapping data in its map cache and immediately uses it to forward packets.
When you use the optional verify keyword, the ETR still caches the mapping data but does not forward packets until the ETR can send its own Map Request to one of the locators from the mapping data record and receive the same data in a Map-Reply message.
Note | For security purposes, we recommend that you use the verify keyword. Unless you deploy the ETR and Ingress Tunnel Router (ITR) in a trusted environment, you should use the optional verify keyword. In a trusted environment, if you do not use the optional verify keyword, the new mapping occurs in one-half round-trip-time (RTT) as compared with the normal Map-Request/Map-Reply exchange process. |
When you enable and then later disable this command, you must enter the clear ip lisp map-cache command to clear any map-cache entries that are currently in the tentative state. Map-cache entries can remain in the tentative state for up to one minute; therefore, you might want to clear these entries manually when this command is removed.
This command does not require a license.
This example shows how to configure the ETR to cache IPv4 mapping data included in Map-Request messages and verify its accuracy prior to using this data to forward packets:
switch# configure terminal
switch(config)# ip lisp etr accept-map-request-mapping verify
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
clear ip lisp map-cache | Clears the LISP IPv4 map cache on the local Cisco NX-OS device. |
To configure an egress tunnel router (ETR) to add inner header (EID) source address to outer header (RLOC) source address mappings to its endpoint identifier to Routing Locator (EID-to-RLOC) cache (map-cache), use the ip lisp etr glean-mapping command. To remove this functionality, use the no form of this command.
ip lisp etr glean-mapping [verify]
no ip lisp etr glean-mapping [verify]
verify | (Optional) Specifies that gleaned EID-to-RLOC mapping data should be cached but not used for forwarding packets until the ETR can send its own Map Request to the originating Ingress Tunnel Router (ITR) and receive a Map Reply with the same data. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR receives Locator/ID Separation Protocol (LISP)-encapsulated packets, the inner header EID source address and outer header RLOC source address should match an entry found in the map cache as determined by the results of a Map-Request/Map-Reply exchange. When a host moves from one ingress tunnel router (ITR) to another ITR, the EID-to-RLOC mapping changes because the new Ingress Tunnel Router (ITR) can encapsulate packets to the ETR using a different locator. By entering the ip lisp etr glean-mapping command, the ETR recognizes the new locator information for the moved host’s EID and updates the map cache with this information.
The learned EID-to-RLOC map-cache entries are stored with a priority of 1 and a weight of 100.
When you enter the optional verify keyword, the ETR caches the learned EID-to-RLOC mapping data but does not forward packets until the ETR can send its own Map Request to the originating Ingress Tunnel Router (ITR) and receive a Map Reply. The gleaned locator will then be used. When you specify the verify keyword, the locator is used to forward traffic and all packets are dropped until the Map Reply is returned.
Note | For security purposes, we recommend that you use the verify keyword. Unless you deploy the ETR and Ingress Tunnel Router (ITR) in a trusted environment, you should use the optional verify keyword. In a trusted environment, if you do not use the optional verify keyword, the new mapping occurs in one-half round-trip-time (RTT) as compared with the normal Map-Request/Map-Reply exchange process. |
This command does not require a license.
This example shows how to configure the ETR to cache IPv4 mapping data included in Map-Request messages and verify its accuracy prior to using this data to forward packets:
switch# configure terminal
switch(config)# ip lisp etr glean-mapping verify
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
To configure the Time-to-live (TTL) value inserted into Locator/ID Separation Protocol (LISP) IPv4 Map-Reply messages, use the ip lisp etr map-cache-ttl command. To remove the configured TTL value and return to the default value, use the no form of this command.
ip lisp etr map-cache-ttl time-to-live
no ip lisp etr map-cache-ttl time-to-live
time-to-live | Value, in minutes, to be inserted in the TTL field in Map-Reply messages. The range is from 60 to 10080. |
1440
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp etr map-cache-ttl command to change the default value associated with the TTL field in IPv4 Map-Reply messages. Use this command when you want to change the default TTL that remote Ingress Tunnel Routers (ITRs) cache and use for your site’s IPv4 EID prefix. The default value is 1440 minutes (24 hours). The minimum value cannot be less than 60 minutes, and the maximum cannot be greater than 10080 minutes (one week).
This command does not require a license.
This example shows how to configure the ETR to use a TTL of 120 minutes in its IPv4 Map-Reply messages:
switch# configure terminal
switch(config)# ip lisp etr map-cache-ttl 120
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
To configure the IPv4 or IPv6 locator address of the Locator/ID Separation Protocol (LISP) Map Server to be used by the egress tunnel router (ETR) when registering for IPv4 EIDs, use the ip lisp etr map-server command. To remove the configured locator address of the LISP Map Server, use the no form of this command.
ip lisp etr map-server map-server-address { [ key key-type authentication-key ] | proxy-reply }
no ip lisp etr map-server map-server-address { [ key key-type authentication-key ] | proxy-reply }
map-server-address | IPv4 or IPv6 address of the Map Server. |
key | (Optional) Specifies the key type that indicates how the following SHA-1 password (key) is encoded. |
key-type | Key type. Type (0) indicates that a clear text password follows, Type (3) indicates that a 3DES encrypted key follows, and Type (7) indicates that a Cisco Type 7 encrypted password follows. |
authentication-key | Password used for computing the SHA-1 HMAC hash that is included in the header of the Map-Register message. |
proxy-reply | Specifies that the ETR should indicate to the Map Server through a Map Register message that the Map Server should send Map Replies on behalf of the site. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp etr map-server command to configure the IPv4 or IPv6 locator of the Map Server to which the ETR registers for its IPv4 EID(s). A password used for a SHA-1 HMAC hash that is included in the header of the Map-Register message must also be provided. You can configure the ETR to register with a maximum of two Map Servers per EID address family. Once the ETR registers with the Map-Server(s), the Map Server(s) begin to advertise the EID prefix block(s) and RLOC(s) for the LISP site.
You can enter the SHA-1 HMAC password in unencrypted (cleartext) form or encrypted form. To enter an unencrypted password, specify a key-type value of 0. To enter a 3DES-encrypted password, specify a key-type value of 3. To enter a Cisco-encrypted password, specify a key-type value of 7.
Caution | A Map-Server authentication key entered in cleartext form will automatically be converted to Type 3 (encrypted) form. |
Note | You must also configure the Map Server with IPv4 EID prefixes that match the IPv4 EID prefixes configured on this ETR by using the ip lisp database-mapping command, as well as a password that matches the one provided with the key keyword on this ETR. |
When you use the proxy-reply keyword, the ETR indicates to the Map Server through a Map-Register message that the Map Server should send Map Replies on behalf of the site. The Map Server sends nonauthoritative Map Replies for all the EID prefixes in the Map-Register message. On the Map Server, the show lisp site site-name command indicates whether proxy-reply is enabled or not.
This command does not require a license.
This example shows how to configure the ETR to register to two Map Servers, one with the locator 10.1.1.1 and another with the locator 172.16.1.7:
switch# configure terminal
switch(config)# ip lisp etr map-server 10.1.1.1 key 3 1c27564ab12121212
switch(config)# ip lisp etr map-server 172.16.1.7 key 3 1c27564ab12121212
This example shows how to configure the ETR to register to the Map Server with the locator 10.1.1.1 and to request a Map Server proxy reply for the site:
switch# configure terminal
switch(config)# ip lisp etr map-server 10.1.1.1 key 3 1c27564ab12121212
switch(config)# ip lisp etr map-server 10.1.1.1 proxy-reply
Command | Description |
---|---|
ip lisp alt-vrf | Configures the VRF that LISP uses when sending map requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
lisp mobility | Configures an interface on an Ingress Tunnel Router (ITR) to participate in LISP VM Mobility (dynamic-EID roaming). |
lisp site | Configures a LISP site and enters site configuration mode on a Map Server. |
To enable hardware-forwarding specifically on the Cisco Nexus 7000 Series device when at least one 32x10GE line card is installed, use the ip lisp hardware-forwarding command. To disable hardware-forwarding functionality, use the no form of this command.
ip lisp hardware-forwarding
no ip lisp hardware-forwarding
This command has no arguments or keywords.
Enabled
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
The ip lisp hardware-forwarding command is applicable to the Cisco Nexus 7000 Series switch only. Hardware forwarding for LISP is supported on the N7K-M132XP-12 line card only. That is, LISP input and output interfaces must be on the N7K-M132XP-12 line card.
Caution | Disabling hardware forwarding should only be used in diagnostic situations. Entering the no ip lisp hardware-forwarding command causes a full map-cache download to the Cisco NX-OS device hardware. |
This command does not require a license.
This example shows how to disable IPv4 LISP hardware forwarding on the Cisco Nexus 7000 Series device:
switch# configure terminal
switch(config)# no ip lisp hardware-forwarding
switch(config)# exit
To configure a Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR), use the ip lisp itr command. To remove LISP Ingress Tunnel Router (ITR) functionality, use the no form of this command.
ip lisp itr
no ip lisp itr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When a Cisco NX-OS device is configured as an Ingress Tunnel Router (ITR), if a packet is received for which no IPv4 destination address prefix match exists in the routing table or which matches a default route, and the source address of the packet matches an IPv4 EID prefix block configured by using the ip lisp database-mapping command or ip lisp map-cache command, the packet is a candidate for LISP routing. The Ingress Tunnel Router (ITR) looks in the LISP map cache and either forwards the packet, drops the packet, sends a Map Request, or LISP-encapsulates the packet.
If there is no match in the LISP map cache, the Ingress Tunnel Router (ITR) might use one of two methods to obtain an IPv4 EID-to-RLOC mapping. When a Map Resolver is configured by using the ip lisp itr map-resolver command, the Ingress Tunnel Router (ITR) sends its Map Request in a LISP Encapsulated Control Message (ECM) to the Map Resolver. When the Ingress Tunnel Router (ITR) is attached to the ALT using the ip lisp alt-vrf command, the Ingress Tunnel Router (ITR) sends its Map Request directly on the alternate LISP topology (LISP-ALT). The Ingress Tunnel Router (ITR) caches the IPv4 EID-to-RLOC mapping information returned by the associated Map Reply in its map cache. Subsequent packets destined to the same IPv4 EID prefix block are then LISP-encapsulated according to this IPv4 EID-to-RLOC mapping entry.
Note | An Ingress Tunnel Router (ITR) can also be configured as an ETR. However, the LISP architecture does not require this. |
This command does not require a license.
This example shows how to configure the IPv4 LISP Ingress Tunnel Router (ITR) on the Cisco NX-OS device:
switch# configure terminal
switch(config)# ip lisp itr
Command | Description |
---|---|
ip lisp alt-vrf | Configures the VRF that LISP uses when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp itr map-resolver | Configures the IPv4 or IPv6 locator address of the LISP Map Resolver to which the Ingress Tunnel Router (ITR) sends IPv4 Map-Request messages. |
ip lisp map-cache | Configures a static IPv4 EID prefix to the locator map-cache entry. |
To configure the IPv4 or IPv6 locator address of the Locator/ID Separation Protocol (LISP) Map Resolver to be used by the ingress tunnel router (ITR) or Proxy ITR (PITR) when sending Map Requests for IPv4 EID-to-RLOC mapping resolution, use the ip lisp itr map-resolver command. To remove the configured locator address of the LISP Map Resolver, use the no form of this command.
ip lisp itr map-resolver map-resolver-address
no ip lisp itr map-resolver map-resolver-address
map-resolver-address | IPv4 or IPv6 locator addresses of the Map Resolver. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Up to two Map Resolvers can be configured per Ingress Tunnel Router (ITR) or PITR within a site for each address family.
When a LISP Ingress Tunnel Router (ITR) or PITR needs to resolve an IPv4 EID-to-RLOC mapping for a destination EID, you can configure it to send a map request either to a Map Resolver by using the ip lisp itr map-resolver command or directly over the LISP ALT by using the ip lisp alt-vrf command. When a Map Resolver is used, map requests are sent to the Map Resolver with the additional LISP Encapsulated Control Message (ECM) header that includes the Map Resolver RLOC as its destination address. When the ALT is used, map requests are sent directly over the ALT without the additional LISP Encapsulated Control Message (ECM) header, where the destination of the map request is the EID being queried.
Note | When you use the ip lisp itr map-resolver command, the Ingress Tunnel Router (ITR) or PITR does not run the LISP-ALT. All commands related to the ALT-VRF are ignored (and may be removed). |
This command does not require a license.
This example shows how to configure an Ingress Tunnel Router (ITR) to use the Map Resolver when sending its Map-Request messages:
switch# configure terminal
switch(config)# ip lisp itr map-resolver 10.1.1.1
switch(config)# ip lisp itr map-resolver 2001:db8:0a::1
Command | Description |
---|---|
ip lisp alt-vrf | Configures the VRF that LISP uses when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp map-request-source | Configures the source IPv4 or IPv6 address to be used in IPv4 LISP Map-Request messages. |
To configure an ingress tunnel router (ITR) or Proxy ITR (PITR) to find an IPv4 endpoint identifier to Routing Locator (EID-to-RLOC) mapping for a packet it needs to encapsulate by sending a Data Probe rather than by sending a Map-Request message, use the ip lisp itr send-data-probe command. To remove this functionality, use the no form of this command.
ip lisp itr send-data-probe
no ip lisp itr send-data-probe
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When a Locator/ID Separation Protocol (LISP) Ingress Tunnel Router (ITR) or PITR gets a map-cache miss and needs to resolve an IPv4 EID-to-RLOC mapping for a destination EID, it can send a Map-Request message either in a LISP Encapsulated Control Message (ECM) to the Map Resolver by using the ip lisp itr map-resolver command or directly over the Locator/ID Separation Protocol Alternative Topology (LISP-ALT) by using the ip lisp alt-vrf command. In either case, the first packet of the flow that caused the map-cache miss is dropped. Once the Map Reply populates the map cache, subsequent packets to the same destination are forwarded directly by LISP.
Note | When you configure an Ingress Tunnel Router (ITR) or PITR by using the ip lisp itr send-data-probe command, you must also configure the Ingress Tunnel Router (ITR) or PITR to use the LISP-ALT by using the ip lisp alt-vrf command because the data probe is sent over the LISP-ALT. |
Caution | We do not recommend that you use the LISP data probe because this mechanism forwards data plane traffic over the LISP-ALT. The LISP-ALT is intended to function solely as a control plane mechanism for LISP, and using it for data plane traffic subjects it to denial-of-service attacks. |
This command does not require a license.
This example shows how to configure a LISP Ingress Tunnel Router (ITR) to send data probes to determine IPv4 EID-to-RLOC mappings:
switch# configure terminal
switch(config)# ip lisp itr send-data-probe
Command | Description |
---|---|
ip lisp alt-vrf | Configures which VRF supporting the IPv4 address-family that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
ip lisp itr map-resolver | Configures the IPv4 or IPv6 locator address of the LISP Map Resolver to which the Ingress Tunnel Router (ITR) sends IPv4 Map Request messages. |
To configure a Cisco NX-OS device to act as both an IPv4 LISP Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR), use the ip lisp itr-etr command. To remove the LISP Ingress Tunnel Router (ITR) functionality, use the no form of this command.
ip lisp itr-etr
no ip lisp itr-etr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp itr-etr command to enable the Cisco NX-OS device to perform both IPv4 LISP Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR) functionality simultaneously, by using a single command.
For usage guidelines for the IPv4 LISP Ingress Tunnel Router (ITR) functionality, see the ip lisp itr command.
For usage guidelines for the IPv4 LISP ETR functionality, see the ip lisp etr command.
Note | If you use the ip lisp itr-etr command and either the ip lisp itr or the ip lisp etr command has already been configured, it is automatically removed from the configuration file. When configuring a device as both an Ingress Tunnel Router (ITR) and an ETR, use the command ip lisp itr-etr to enable both capabilities. |
This command does not require a license.
This example shows how to configure the IPv4 LISP Ingress Tunnel Router (ITR) and ETR functionality:
switch# configure terminal
switch(config)# ip lisp itr-etr
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
To configure a locator from a locator set that is associated with an IPv4 endpoint identifier (EID)-prefix database-mapping to be unreachable (down), use the ip lisp locator-down command. To return the locator to be reachable (up), remove the configuration using the no form of this command.
ip lisp locator-down EID-prefix/prefix-length locator
no ip lisp locator-down EID-prefix/prefix-length locator
EID-prefix/prefix-length | IPv4 EID prefix and length advertised by the Cisco NX-OS device. |
locator | IPv4 or IPv6 Routing Locator (RLOC) associated with this EID prefix. |
An IPv4 or IPv6 locator associated with a configured IPv4 EID prefix block is considered reachable (up) unless an IGP routing protocol indicates it is down.
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When you configure LISP database parameters on an Ingress Tunnel Router (ITR) for specified IPv4 EID prefix blocks by using the ip lisp database-mapping command or the ip lisp map-cache command, the locators associated with these IPv4 EID prefix blocks are considered as reachable (up) by default. You can use the ip lisp locator-down command to configure a locator from a locator-set associated with the EID prefix database mapping to be down.
When you enter the ip lisp locator-down command, the Locator Status Bit (LSB) for the configured locator is cleared when encapsulating packets to remote sites. ETRs at remote sites look for changes in the LSB when decapsulating LISP packets, and when the LSB indicates that a specific locator is down, the ETR refrains from encapsulating packets using this locator to reach the local site.
Note | If you enter the ip lisp locator-down command on an Ingress Tunnel Router (ITR) to indicate that a locator is unreachable (down) and the LISP site includes multiple Ingress Tunnel Routers (ITRs), you must enter the ip lisp locator-down command on all Ingress Tunnel Routers (ITRs) at the site to ensure that the site consistently tells remote sites that the configured locator is not reachable. |
This command does not require a license.
This example shows how to configure the locator down state for the EID prefix block:
switch# configure terminal
switch(config)# ip lisp locator-down 192.168.1.0/24 10.1.1.1
Command | Description |
---|---|
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp map-cache | Configures a static IPv4 EID prefix to the locator map-cache entry. |
To configure a nondefault virtual routing and forwarding (VRF) table to be referenced by any IPv4 locators, use the ip lisp locator-vrf command. To return to using the default routing table for locator address references, use the no form of this command.
ip lisp locator-vrf { vrf-name | default }
no ip lisp locator-vrf { vrf-name | default }
vrf-name | Name of the VRF instance to be referenced by IPv4 locator addresses. |
default | Specifies that the default VRF should be referenced by the IPv4 locator addresses. |
IPv4 locator addresses are associated with the default (global) routing table.
VRF configuration mode
Release | Modification |
---|---|
5.0(3) | This command was introduced. |
When you configure Locator/ID Separation Protocol (LISP) in a nondefault VRF to keep EID prefixes in one VRF separate from EID prefixes in another VRF, and both EID VRFs share the same locator-based core network and same mapping database system infrastructure, these locator addresses must be reachable from the default VRF or a specified common VRF. Use the ip lisp locator-vrf command to specify the VRF to be associated with these locator addresses.
When you enter the ip lisp locator-vrf command, the locator addresses in any subsequent LISP commands are referenced to the specified VRF. For example, the locator addresses in the ip lisp itr map-resolver and ip lisp etr map-server commands refer to the VRF that you configured when you entered the ip lisp locator-vrf command. The Map Servers and Map Resolvers can also share the configuration from the locator VRF.
Note | When you configure mixed address families (for example, IPv4 EIDs and IPv6 locators or IPv6 EIDs and IPv4 locators), use the ip lisp locator-vrf command. |
This command does not require a license.
In the following example, a LISP xTR is configured with three EID contexts red, blue, and green, and the locator VRF default. Red and blue are both using the RLOC of 10.10.10.1 if you enter the ip lisp locator-vrf default command. In addition, red and blue both inherit the globally defined map-resolver and Map Server located at 10.100.1.1 (configured at the end of this example). Both red and blue have an EID prefix of 172.16.0.0/24, but segmentation is maintained due to the unique LISP instance ID for each VRF context. The green context also uses the RLOC of 10.10.10.1 if you enter the ip lisp locator-vrf default command. However, green overrides the inheritance of the globally defined Map Resolver and Map Server by including the ones configured within the VRF context and located at 10.200.1.1. The locator for this locally defined map resolver or Map Server remains within the default VRF when you enter the ip lisp locator-vrf default command.
switch# configure terminal
switch(config)# vrf context red
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.0.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 111
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context blue
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.0.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 222
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context green
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.3.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 444
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# ip lisp itr map-resolver 10.200.1.1
switch(config-vrf)# ip lisp etr map-server 10.200.1.1 key 3 xxxxxxxxxxx
switch(config-vrf)# exit
switch(config)# ip lisp itr map-resolver 10.100.1.1
switch(config)# ip lisp etr map-server 10.100.1.1 key 3 xxxxxxxxxxx
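A check for the segmentation property this example relies on, as an added example (not Cisco code and not part of the original page): it parses the session above and reports VRF contexts whose overlapping EID prefixes would reach the same Map Server with the same instance ID. The function names, and the rule of comparing only contexts that share a locator VRF and a Map Server, are assumptions of this example.

```python
import ipaddress
import re
from itertools import combinations

PROMPT = re.compile(r"^\S*#\s*")  # strips a leading "switch(config-vrf)# "

# The red/blue/green session from the example above, keys elided as on the page.
SAMPLE_CONFIG = """\
switch# configure terminal
switch(config)# vrf context red
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.0.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 111
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context blue
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.0.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 222
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context green
switch(config-vrf)# ip lisp itr-etr
switch(config-vrf)# ip lisp database-mapping 172.16.3.0/24 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 444
switch(config-vrf)# ip lisp locator-vrf default
switch(config-vrf)# ip lisp itr map-resolver 10.200.1.1
switch(config-vrf)# ip lisp etr map-server 10.200.1.1 key 3 xxxxxxxxxxx
switch(config-vrf)# exit
switch(config)# ip lisp itr map-resolver 10.100.1.1
switch(config)# ip lisp etr map-server 10.100.1.1 key 3 xxxxxxxxxxx
"""


def new_scope():
    return {"eids": [], "instance_id": None, "locator_vrf": None,
            "map_resolvers": [], "map_servers": []}


def parse_config(text):
    """Collect the LISP settings of the global scope and of each VRF context."""
    cfg = {"global": new_scope(), "vrfs": {}}
    scope = cfg["global"]
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["vrf", "context"] and len(words) == 3:
            scope = cfg["vrfs"].setdefault(words[2], new_scope())
        elif words == ["exit"]:
            scope = cfg["global"]
        elif words[:3] == ["ip", "lisp", "database-mapping"] and len(words) >= 4:
            scope["eids"].append(ipaddress.ip_network(words[3]))
        elif words[:2] == ["lisp", "instance-id"] and len(words) == 3:
            scope["instance_id"] = int(words[2])
        elif words[:3] == ["ip", "lisp", "locator-vrf"] and len(words) == 4:
            scope["locator_vrf"] = words[3]
        elif words[:4] == ["ip", "lisp", "itr", "map-resolver"] and len(words) >= 5:
            scope["map_resolvers"].append(words[4])
        elif words[:4] == ["ip", "lisp", "etr", "map-server"] and len(words) >= 5:
            scope["map_servers"].append(words[4])
    return cfg


def effective_settings(cfg, vrf):
    """A context inherits the global Map Resolver/Map Server unless it sets its own."""
    scope, glob = cfg["vrfs"][vrf], cfg["global"]
    return {
        "locator_vrf": scope["locator_vrf"] or "default",
        "map_resolvers": scope["map_resolvers"] or glob["map_resolvers"],
        "map_servers": scope["map_servers"] or glob["map_servers"],
    }


def find_segmentation_conflicts(cfg):
    """Return (vrf_a, vrf_b, eid_a, eid_b, instance_id) for unsegmented overlaps."""
    conflicts = []
    for a, b in combinations(sorted(cfg["vrfs"]), 2):
        sa, sb = cfg["vrfs"][a], cfg["vrfs"][b]
        ea, eb = effective_settings(cfg, a), effective_settings(cfg, b)
        same_core = ea["locator_vrf"] == eb["locator_vrf"]
        shared_ms = set(ea["map_servers"]) & set(eb["map_servers"])
        # A differing instance ID is the distinguisher that keeps overlaps apart.
        if not (same_core and shared_ms) or sa["instance_id"] != sb["instance_id"]:
            continue
        for pa in sa["eids"]:
            for pb in sb["eids"]:
                if pa.version == pb.version and pa.overlaps(pb):
                    conflicts.append((a, b, str(pa), str(pb), sa["instance_id"]))
    return conflicts


if __name__ == "__main__":
    print(find_segmentation_conflicts(parse_config(SAMPLE_CONFIG)))
```

Run against the configuration as shown it reports nothing; giving blue the same instance ID as red makes the shared 172.16.0.0/24 prefix show up as a conflict.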
Command | Description |
---|---|
ip lisp etr map-server | Configures the IPv4 or IPv6 locator address of the LISP Map Server to which an ETR should register for its IPv4 EID prefixes. |
ip lisp itr map-resolver | Configures the locator address of the LISP Map Resolver to which the Ingress Tunnel Router (ITR) sends Map-Request messages. |
To configure a static IPv4 endpoint identifier to Routing Locator (EID-to-RLOC) mapping relationship and its associated traffic policy or to statically configure the packet handling behavior associated with a specified destination IPv4 EID prefix, use the ip lisp map-cache command. To remove the configuration, use the no form of this command.
ip lisp map-cache destination-EID-prefix/prefix-length locator priority priority weight weight
no ip lisp map-cache destination-EID-prefix/prefix-length locator priority priority weight weight
ip lisp map-cache destination-EID-prefix/prefix-length { drop | map-request | native-forward }
no ip lisp map-cache destination-EID-prefix/prefix-length { drop | map-request | native-forward }
destination-EID-prefix | Destination IPv4 EID prefix. |
prefix-length | Prefix length. |
locator | IPv4 or IPv6 Routing Locator (RLOC) associated with this EID prefix/prefix-length. |
priority priority | Specifies the priority (value between 0 and 255) assigned to the RLOC. When multiple locators have the same priority, they may be used in load sharing. A lower value indicates a higher priority. |
weight weight | Specifies the weight (value between 0 and 100) assigned to the locator. This command is used in order to determine how to load-share traffic between multiple locators when the priorities assigned to multiple locators are the same. The value represents the percentage of traffic to be load balanced. |
drop | (Optional) Drops packets that match this map-cache entry. |
map-request | (Optional) Sends a Map Request for packets. |
native-forward | (Optional) Forwards packets natively that match this map-cache entry. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
You can use the ip lisp map-cache command to configure an ingress tunnel router (ITR) with a static IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. For each entry, you must enter a destination IPv4 EID prefix block and its associated locator, priority, and weight. The IPv4 EID prefix/prefix length is the LISP EID prefix block at the destination site. The locator is an IPv4 or IPv6 address of the remote site where the IPv4 EID prefix can be reached. The locator address has a priority and weight that are used to define traffic policies when multiple RLOCs are defined for the same EID prefix block. You can enter this command up to four times for a given EID prefix. Static IPv4 EID-to-RLOC mapping entries configured when you enter the ip lisp map-cache command take precedence over dynamic mappings learned through Map-Request/Map-Reply exchanges.
You can also use the ip lisp map-cache command to statically configure the packet handling behavior associated with a specified destination IPv4 EID prefix. For each entry, a destination IPv4 EID prefix block is associated with a configured forwarding behavior. When a packet's destination address matches the EID prefix, one of the following packet handling actions occurs:
This command does not require a license.
This example shows how to configure a destination EID-to-RLOC mapping and associated traffic policy for the IPv4 EID prefix block 192.168.1.0/24. In this example, the locator for this EID prefix block is 10.1.1.1 and the traffic policy for this locator has a priority of 1 and a weight of 100.
switch# configure terminal
switch(config)# ip lisp map-cache 192.168.1.0/24 10.1.1.1 priority 1 weight 100
This example shows how to configure a destination EID-to-RLOC mapping and associated traffic policy for the IPv4 EID prefix block 192.168.2.0/24 to drop. No traffic is forwarded to this destination as a result.
switch# configure terminal
switch(config)# ip lisp map-cache 192.168.2.0/24 drop
Command | Description |
---|---|
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp map-cache-limit | Configures the maximum number of IPv4 LISP map-cache entries allowed to be stored by the Cisco NX-OS device. |
To configure the maximum number of IPv4 Locator/ID Separation Protocol (LISP) map-cache entries allowed to be stored by the Cisco NX-OS device, use the ip lisp map-cache-limit command. To remove the configured map-cache limit, use the no form of this command.
ip lisp map-cache-limit cache-limit [ reserve-list list ]
no ip lisp map-cache-limit cache-limit [ reserve-list list ]
cache-limit | (Optional) Specifies the maximum number of IPv4 LISP map-cache entries allowed to be stored on the Cisco NX-OS device. The valid range is from 0 to 10000. |
reserve-list list | (Optional) Set of IPv4 EID prefixes in the referenced prefix list for which dynamic map-cache entries shall always be stored. |
1000
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ip lisp map-cache-limit command to control the maximum number of IPv4 LISP map-cache entries that are allowed to be stored on the Cisco NX-OS device. An optional reserve list can be configured to guarantee that the Cisco NX-OS device always stores the referenced IPv4 EID prefixes.
LISP IPv4 map-cache entries are added in one of two ways: dynamically or statically. Dynamic entries are added when a valid Map-Reply message is returned for a Map Request message generated in response to a cache-miss lookup. Static entries are added when you enter the ip lisp map-cache command.
Dynamic map-cache entries are always added until the default or configured cache limit is reached. After the default or configured cache limit is reached, unless the optional reserve list is configured, no further dynamic entries are added and no further Map Requests are generated in response to cache-miss lookups until a free position is available.
When you do not configure the optional reserve-list keyword, dynamic entries are added on a first-in-first-added basis until the configured map-cache limit is reached. After that time, no new dynamic entries can be added. If the reserve-list keyword is configured but the prefix list to which it refers is not configured, the results are the same as if the reserve-list keyword was not configured.
When you use the optional reserve-list keyword, a Map Request is generated and a new dynamic map-cache entry can be added only for IPv4 EID prefixes that are permitted by the prefix-list referenced by the reserve-list keyword. The new entry must be able to replace an existing dynamic entry so that the cache limit is maintained. The deleted dynamic entry is either a nonreserve idle map-cache entry or a nonreserve active map-cache entry. Idle map-cache entries are those entries that have seen no activity in the last 10 minutes. If all current dynamic entries are also permitted by the prefix-list referenced by the reserve list, no further dynamic entries can be added.
Existing dynamic IPv4 map-cache entries can time out due to inactivity or can be removed by using the clear ip lisp map-cache command to create a free position in the map cache.
Static map-cache entries are always added, until the default or configured cache limit is reached. After the default or configured cache limit is reached, unless the optional reserve-list is configured, no further static entries are added.
When the optional reserve-list keyword is used, static entries are added on a first-in-first-added basis until the configured map-cache limit is reached. After that time, no new static entries can be added. If you use the reserve-list keyword but you do not configure the prefix-list to which it refers, the results are the same as if the reserve-list keyword was not configured.
When you use the optional reserve-list keyword, you can add a prefix list to a static entry that matches the reserve list, but only if it can replace an existing static entry or dynamic entry that does not match the reserve list prefix list.
Caution | When the optional reserve-list keyword is used, once the configured cache limit is reached, if all existing entries also match the prefix list and are not candidates for deletion, no new dynamic or static entries are added, even if a new dynamic or static entry also matches the reserve list prefix list. |
Note | When you use the reserve-list command, make sure that the prefix list includes entries that match all expected prefixes in any Map-Reply, including the more-specifics. To do this, append le 32 to the end of all prefix-list entries for IPv4 prefixes. For example, if you want to match 153.16.0.0/16 and any of the more specifics, you should specify ip prefix-list lisp-list seq 5 permit 153.16.0.0/16 le 32 in order to cover all replies within this range. |
This command does not require a license.
This example shows how to configure a LISP cache limit of 2000 entries and a reserve list that references the IPv4 prefix-list LISP-v4-always:
switch# configure terminal
switch(config)# ip lisp map-cache-limit 2000 reserve-list LISP-v4-always
switch(config)# ip prefix-list LISP-v4-always seq 20 permit 172.16.0.0/16 le 32
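The admission rules described above and the effect of le 32 on the reserve list, modelled as an added example (not Cisco code and not part of the original page). It covers dynamic entries only; evicting idle nonreserve entries first and, among candidates, the least recently active one is an assumption, as are all class and function names and the constructed events.

```python
import ipaddress
import re

IDLE_SECONDS = 600  # the page defines idle as no activity in the last 10 minutes
RULE = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                  r"(?: ge (\d+))?(?: le (\d+))?")


class PrefixList:
    """Minimal prefix-list model: rules are tried in seq order, first match wins."""

    def __init__(self, lines):
        self.rules = []
        for line in lines:
            m = RULE.fullmatch(line.strip())
            if not m:
                raise ValueError("unsupported prefix-list line: " + line)
            _name, seq, action, prefix, ge, le = m.groups()
            self.rules.append((int(seq), action, ipaddress.ip_network(prefix),
                               int(ge) if ge else None, int(le) if le else None))
        self.rules.sort(key=lambda rule: rule[0])

    def permits(self, net):
        for _seq, action, base, ge, le in self.rules:
            # Without ge/le only the exact mask length of the entry matches.
            low = ge if ge is not None else base.prefixlen
            high = le if le is not None else (
                base.max_prefixlen if ge is not None else base.prefixlen)
            if (net.version == base.version and low <= net.prefixlen <= high
                    and net.subnet_of(base)):
                return action == "permit"
        return False  # implicit deny when no rule matches


class DynamicMapCache:
    def __init__(self, limit, reserve=None):
        self.limit = limit
        self.reserve = reserve   # PrefixList, or None when no list is configured
        self.last_active = {}    # EID prefix -> time of last activity in seconds

    def admit(self, eid_prefix, now):
        """Decide whether a dynamic entry for eid_prefix may enter the cache."""
        net = ipaddress.ip_network(eid_prefix)
        if net in self.last_active:
            self.last_active[net] = now
            return "refreshed"
        if len(self.last_active) < self.limit:
            self.last_active[net] = now
            return "added"
        # Limit reached: only reserve-list prefixes may displace an entry.
        if self.reserve is None or not self.reserve.permits(net):
            return "rejected"
        victims = [e for e in self.last_active if not self.reserve.permits(e)]
        if not victims:
            return "rejected"  # every entry is reserved (the Caution above)
        idle = [e for e in victims if now - self.last_active[e] >= IDLE_SECONDS]
        victim = min(idle or victims, key=lambda e: self.last_active[e])
        del self.last_active[victim]
        self.last_active[net] = now
        return "replaced " + str(victim)


# Constructed events: (time in seconds, EID prefix returned in a Map-Reply).
EVENTS = [(0, "10.1.0.0/24"), (100, "10.2.0.0/24"), (700, "192.168.9.0/24"),
          (700, "172.16.5.0/24"), (710, "172.16.6.0/24"), (720, "172.16.7.0/24")]
WITH_LE = ["ip prefix-list LISP-v4-always seq 20 permit 172.16.0.0/16 le 32"]
WITHOUT_LE = ["ip prefix-list LISP-v4-always seq 20 permit 172.16.0.0/16"]


def simulate(prefix_list_lines, limit=2, events=EVENTS):
    """Replay events against a cache; an empty list means no reserve list."""
    reserve = PrefixList(prefix_list_lines) if prefix_list_lines else None
    cache = DynamicMapCache(limit, reserve)
    return [cache.admit(eid, now) for now, eid in events]


if __name__ == "__main__":
    for label, lines in (("le 32", WITH_LE), ("exact /16", WITHOUT_LE), ("no list", [])):
        print(label, simulate(lines))
```

Without le 32 the /24 more-specifics never match the /16 entry, so the reserve list protects nothing and the full cache behaves as if no list were configured.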
Command | Description |
---|---|
ip lisp map-cache | Configures a static IPv4 EID prefix to the locator map-cache entry. |
clear ip lisp map-cache | Clears the LISP IPv4 map cache on the local Cisco NX-OS device. |
To configure an IPv4 or IPv6 address to be used as the source address for Locator/ID Separation Protocol (LISP) IPv4 Map-Request messages, use the ip lisp map-request-source command. To remove the configured Map-Request source address and return to the default behavior, use the no form of this command.
ip lisp map-request-source source-address
no ip lisp map-request-source source-address
source-address | IPv4 or IPv6 source address to be used in LISP IPv4 Map-Request messages. |
The Cisco NX-OS device uses one of the locator addresses that you configure by using the ipv6 lisp database-mapping command as the default source address for LISP Map-Request messages.
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
A locator address that you configured by using the ip lisp database-mapping command is used as the source address for LISP IPv4 Map-Request messages. There are cases, however, where it might be necessary to configure the specified source address for these Map-Request messages. For example, when the ingress tunnel router (ITR) is behind a Network Address Translation (NAT) device, you might need to specify a source address that matches the NAT configuration to properly allow for return traffic.
When you enter the ip lisp map-request-source command on an Ingress Tunnel Router (ITR), the specified IPv4 or IPv6 locator is used by an Ingress Tunnel Router (ITR) as the source address for LISP IPv4 Map-Request messages. When you enter the ip lisp map-request-source command on a Map Server, this locator is used as the source address in the Encapsulated Control Message that carries a Map Request to an ETR.
This command does not require a license.
This example shows how to configure an Ingress Tunnel Router (ITR) to use the source IP address 172.16.1.7 in its IPv4 Map-Request messages:
switch# configure terminal
switch(config)# ip lisp map-request-source 172.16.1.7
Command | Description |
---|---|
ip lisp database-mapping | Configures an IPv4 EID-to-RLOC mapping relationship and its associated traffic policy. |
To configure a Cisco NX-OS device to act as an IPv4 Locator/ID Separation Protocol (LISP) Map-Resolver (MR), use the ip lisp map-resolver command. To remove LISP Map-Resolver functionality, use the no form of this command.
ip lisp map-resolver
no ip lisp map-resolver
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
A Map Resolver receives a LISP Encapsulated Control Message (ECM) that contains a Map Request from a LISP Ingress Tunnel Router (ITR) directly over the underlying locator-based network. The Map Resolver decapsulates this message and forwards it on the LISP Alternative Topology (LISP-ALT), where it is delivered either to an ingress tunnel router (ITR) that is directly connected to the LISP-ALT and that is authoritative for the endpoint identifier (EID) being queried by the Map Request or to the Map Server that is injecting EID prefixes into the LISP-ALT on behalf of the authoritative ETR.
Map Resolvers also send Negative Map Replies directly back to an Ingress Tunnel Router (ITR) in response to queries for non-LISP addresses.
When deploying a LISP Map Resolver, follow these guidelines:
This command does not require a license.
This example shows how to configure the IPv4 LISP Map-Resolver functionality on the Cisco NX-OS device:
switch# configure terminal
switch(config)# ip lisp map-resolver
Command | Description |
---|---|
ip lisp alt-vrf | Configures which VRF that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
To configure the Cisco NX-OS device to act as an IPv4 Locator/ID Separation Protocol (LISP) Map-Server (MS), use the ip lisp map-server command. To remove the LISP Map-Server functionality, use the no form of this command.
ip lisp map-server
no ip lisp map-server
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
LISP site commands are configured on the Map Server for a LISP egress tunnel router (ETR) that registers to it, including an authentication key, which must match the one also configured on the ETR. A Map Server receives Map-Register control packets from ETRs. When you configure the Map Server with a service interface to the LISP Alternative Topology (LISP-ALT), it injects aggregates for the registered EID prefixes into the LISP-ALT.
The Map Server also receives Map-Request control packets from the LISP-ALT, which it then forwards as a LISP Encapsulated Control Message (ECM) to the registered ETR that is authoritative for the EID prefix being queried. The ETR returns a Map-Reply message directly back to the Ingress Tunnel Router (ITR).
When deploying a LISP Map-Resolver, follow these guidelines:
This command does not require a license.
This example shows how to configure the IPv4 LISP Map-Server functionality on the Cisco NX-OS device:
switch# configure terminal
switch(config)# ip lisp map-server
Command | Description |
---|---|
ip lisp alt-vrf | Configures which VRF that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
To configure the device to support Locator/ID Separation Protocol (LISP) to carry multicast traffic, when the Ingress Tunnel Router (ITR) or ETR function is enabled, use the ip lisp multicast command. To remove the LISP Map-Server functionality, use the no form of this command.
ip lisp multicast
no ip lisp multicast
This command has no arguments or keywords.
None
VRF configuration mode
network-admin
vdc-admin
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
This command does not require a license.
This example shows how to configure the device to support Locator/ID Separation Protocol (LISP) to carry multicast traffic:
switch# configure terminal
switch(config-vrf)# ip lisp multicast
switch(config-vrf)#
Command | Description |
---|---|
ip lisp alt-vrf | Configures which VRF that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
To configure an egress tunnel router (ETR) with a private locator that is sited behind a Network Address Translation (NAT) device to dynamically determine its NAT-translated public locator for use in Map-Register and Map-Reply messages, use the ip lisp nat-transversal command. To remove this functionality, use the no form of this command.
ip lisp nat-transversal
no ip lisp nat-transversal
This command has no arguments or keywords.
None
Interface configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR is sited behind a NAT device, its routing locator belongs to the private address space that the NAT device translates to a public globally routed address. The ETR needs to know this public global locator address because this address is required for use in Map-Register and Map-Reply messages.
When you enter the ip lisp nat-transversal command, the ETR determines its own public global locator dynamically. When configured, the ETR sends a LISP Echo-Request message to the configured Map Server out the interface under which this command is configured. The Map Server replies with an Echo-Reply message that includes the source address from the Echo Request, which is the NAT-translated public global locator address.
The ip lisp nat-transversal command is useful when the dynamic keyword is used with the ip lisp database-mapping command in order to dynamically determine the routing locator rather than statically defining it.
This command does not require a license.
This example shows how to configure the ETR to dynamically determine its public global routing locator when it is behind a NAT device:
switch# configure terminal
switch(config)# interface Ethernet 2/0
switch(config-if)# ip lisp nat-transversal
Command | Description |
---|---|
ip lisp database-mapping | Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ip lisp etr | Configures the switch to act as an IPv4 LISP Egress Tunnel Router (ETR). |
To configure the Cisco NX-OS device to act as the IPv4 Locator/ID Separation Protocol (LISP) Proxy Egress Tunnel Router (PETR), use the ip lisp proxy-etr command. To remove the LISP PETR functionality, use the no form of this command.
ip lisp proxy-etr
no ip lisp proxy-etr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
The Cisco NX-OS device accepts LISP-encapsulated packets from an ingress tunnel router (ITR) or Proxy ITR (PITR) that are destined to non-LISP sites, decapsulates them, and then forwards them natively toward the non-LISP destination.
PETR services may be necessary in several cases. For example, by default, when a LISP site forwards packets to a non-LISP site natively (not LISP encapsulated), the source IP address of the packet is that of a site EID. If the provider side of the access network is configured with strict unicast reverse path forwarding (uRPF) or an anti-spoofing access-list, it would consider these packets to be spoofed and drop them because EIDs are not advertised in the provider default free zone (DFZ). Instead of natively forwarding packets destined to non-LISP sites, the Ingress Tunnel Router (ITR) encapsulates these packets using the site locator as the source address and the PETR as the destination address. Packets destined for LISP sites follow normal LISP forwarding processes and are sent directly to the destination ETR.
Note | When an Ingress Tunnel Router (ITR) or PITR requires IPv4 PETR services, you must configure the Ingress Tunnel Router (ITR) or PITR to forward IPv4 EID packets to the PETR by using the ip lisp use-petr command. |
This command does not require a license.
This example shows how to configure the Cisco NX-OS device to act as an IPv4 LISP PETR:
switch# configure terminal
switch(config)# ip lisp proxy-etr
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
ip lisp use-petr | Configures an Ingress Tunnel Router (ITR) or PITR to use the PETR for traffic destined to non-LISP IPv4 destinations. |
To configure a Cisco NX-OS device to act as an IPv4 Locator/ID Separation Protocol (LISP) Proxy Ingress Tunnel Router (PITR), use the ip lisp proxy-itr command. To remove the LISP PITR functionality, use the no form of this command.
ip lisp proxy-itr ipv4-local-locator [ipv6-local-locator]
no ip lisp proxy-itr ipv4-local-locator [ipv6-local-locator]
ipv4-local-locator | IPv4 locator address used as a source address for encapsulation of data packets, a data probe, or a Map-Request message. |
ipv6-local-locator | (Optional) IPv6 locator address used as a source address for encapsulation of data packets, a data probe, or a Map-Request message when the locator-hash function returns a destination Routing Locator (RLOC) in the IPv6 address family. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
The Cisco NX-OS device receives native packets from non-LISP sites that are destined for LISP sites, encapsulates them, and forwards them to the ETR that is authoritative for the destination LISP site EID.
PITR services are required to provide interworking between non-LISP sites and LISP sites. For example, when connected to the Internet, a PITR acts as a gateway between the legacy Internet and the LISP-enabled network. The PITR must advertise one or more highly aggregated endpoint identifier (EID) prefixes on behalf of LISP sites into the underlying default free zone (DFZ) (that is the Internet) and act as an Ingress Tunnel Router (ITR) for traffic received from the public Internet.
When you enable PITR services by using the ip lisp proxy-itr command, the PITR creates LISP-encapsulated packets when it sends a data packet to a LISP site, sends a data probe, or sends a Map-Request message. The outer (LISP) header address family and source address are determined as follows:
When you configure a switch to function as an IPv4 PITR, you can also configure it to use the LISP-ALT for IPv4 EID-to-RLOC mapping resolution. When configured to use the LISP-ALT, the PITR sends its Map-Request messages directly over the LISP-ALT using the virtual routing and forwarding (VRF) instance that you specify by entering the ip lisp alt-vrf command. A PITR can send a Map Request to a configured Map Resolver for EID-to-RLOC mapping resolution as an alternative to sending a Map Request directly over the LISP-ALT. (See the ipv4 map-resolver command.) When using a PITR in a virtualized LISP deployment, you must configure the PITR to use a Map-Resolver for EID-to-RLOC mapping resolution and not the LISP-ALT because the LISP-ALT does not support virtualization.
Note | A switch that is configured as an Ingress Tunnel Router (ITR) performs a check to see if the source of any packet intended for LISP encapsulation is within the address range of a local EID prefix. A Cisco NX-OS device configured as a PITR does not perform this check. Unlike the Cisco IOS LISP implementation, in Cisco NX-OS you can configure a Cisco NX-OS device to support both Ingress Tunnel Router (ITR) and PITR functionality at the same time. If you configure a Cisco NX-OS device as an Ingress Tunnel Router (ITR) and as a PITR, preference goes to PITR functionality for packet processing. |
This command does not require a license.
This example shows how to configure the LISP PITR functionality on the Cisco NX-OS device and how to encapsulate packets using a source locator:
switch# configure terminal
switch(config)# ip lisp proxy-itr 10.1.1.1
Command | Description |
---|---|
ip lisp alt-vrf | Configures which VRF that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
To configure the shortest IPv4 endpoint identifier (EID)-prefix mask length that is acceptable to an ingress tunnel router (ITR) or Proxy ITR (PITR) in a received Map-Reply message or to an ETR in the mapping-data record of a received Map Request, use the ip lisp shortest-eid-prefix-length command. To return to the default configuration, use the no form of this command.
ip lisp shortest-eid-prefix-length IPv4-EID-prefix-length
no ip lisp shortest-eid-prefix-length IPv4-EID-prefix-length
IPv4-EID-prefix-length | Shortest IPv4 EID prefix-length accepted from a Map Reply or data record in a Map Request. The range is from 0 to 32. |
/16
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an Ingress Tunnel Router (ITR) or PITR receives a Map-Reply message, the mapping data it contains includes the EID mask length for the returned EID prefix. By default, the shortest EID prefix mask length accepted by an Ingress Tunnel Router (ITR) or PITR for an IPv4 EID prefix is a /16. You can use the ip lisp shortest-eid-prefix-length command to change this default. For example, it might be necessary for a PITR to accept a shorter (coarser) prefix if one exists.
When an ETR receives a Map-Request message, it might contain a mapping data record that the ETR can cache and possibly use to forward traffic depending on the configuration of the ip lisp etr accept-map-request-mapping command. Use the ip lisp shortest-eid-prefix-length command to change the shortest prefix length accepted by the ETR. In this case, the check for the shortest EID prefix mask length is done prior to the verifying Map-Request, if also configured. If the EID prefix mask length is less than the configured value, the verifying Map Request is not sent and the mapping data is not accepted.
This command does not require a license.
This example shows how to configure the Cisco NX-OS device to accept a minimum IPv4 EID prefix length:
switch# configure terminal
switch(config)# ip lisp shortest-eid-prefix-length 12
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp proxy-itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Ingress Tunnel Router (PITR). |
To configure a source locator to be used for IPv4 Locator/ID Separation Protocol (LISP)-encapsulated packets, use the ip lisp source-locator command. To remove the configured source locator, use the no form of this command.
ip lisp source-locator interface
no ip lisp source-locator interface
interface | Name of the interface whose IPv4 address should be used as the source locator address for outbound LISP-encapsulated packets. |
The IPv4 address of the outbound interface is used by default as the source locator address for outbound LISP encapsulated packets.
Interface configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When sending a LISP-encapsulated packet (data or control message), the Cisco NX-OS device performs a destination lookup to determine the appropriate outgoing interface. By default, the IPv4 address of this outgoing interface is used as the source locator for the outbound LISP encapsulated packet.
You might need to use the IPv4 address of a different interface as the source locator for the outbound LISP-encapsulated packets rather than that of the outgoing interface. For example, when an Ingress Tunnel Router (ITR) has multiple egress interfaces, you might configure a loopback interface for stability purposes and instruct the Ingress Tunnel Router (ITR) to use the address of this loopback interface as the source locator for the outbound LISP-encapsulated packets rather than one or both of the physical interface addresses. This command is also important for maintaining locator consistency between the two LISP Tunnel Routers (xTRs) when RLOC-probing is used.
This command does not require a license.
This example shows how to configure the source locator:
switch# configure terminal
switch(config)# interface Ethernet2/0
switch(config-if)# ip lisp source-locator Loopback0
switch(config-if)# interface Ethernet2/1
switch(config-if)# ip lisp source-locator Loopback0
Command | Description |
---|---|
ip lisp itr | Configures the switch to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
To configure IPv4 Locator/ID Separation Protocol (LISP) translation mapping, use the ip lisp translate command. To remove IPv4 LISP translation mappings and return to the default value, use the no form of this command.
ip lisp translate inside IPv4-inside-EID outside IPv4-outside-EID
no ip lisp translate inside IPv4-inside-EID outside IPv4-outside-EID
inside | Indicates that the inside (non routable) IPv4 endpoint identifier (EID) prefix follows. |
IPv4-inside-EID | Nonroutable IPv4 address associated with an inside EID prefix. |
outside | Indicates that the outside (routable) IPv4 EID prefix follows. |
IPv4-outside-EID | IPv4 address associated with an outside EID prefix. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When you configure a LISP Ingress Tunnel Router (ITR) or Egress Tunnel Router (ETR) with a nonroutable EID prefix and you want to replace it with a routable EID prefix, use the ip lisp translate command. A LISP device that acts as an Ingress Tunnel Router (ITR) and detects a nonroutable EID in the source IPv4 address field replaces it with the routable EID when you use the inside and outside keywords. In the opposite direction, when acting as an ETR, it replaces the routable EID referred to by the outside keyword with the nonroutable EID referred to by the inside keyword.
Note | The outside EID address can be assigned to the Cisco NX-OS device itself, in which case it responds to Address Resolution Protocol (ARP) requests, ICMP echo-requests (ping) and any other packet sent to this address. When you do not assign the outside EID to the device, the address does not answer ARP requests. |
This feature may be useful if you want to upgrade but you want to continue to communicate with non-LISP sites. An alternative approach for providing communications between LISP and non-LISP sites is to use Proxy-ITR services. See the ip lisp proxy-itr command for further details. Both proxy-ITR and Network Address Translation (NAT) translation services, also referred to as Interworking services, are described in draft-ietf-lisp-interworking-00.
This command does not require a license.
This example shows how to configure LISP to translate the inside address to the outside address:
switch# configure terminal
switch(config)# ip lisp translate inside 192.168.10.1 outside 10.1.10.1
Command | Description |
---|---|
ip lisp etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Egress Tunnel Router (ETR). |
ip lisp itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Ingress Tunnel Router (ITR). |
ip lisp proxy-itr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Ingress Tunnel Router (PITR). |
To configure a Cisco NX-OS device to use an IPv4 LISP Proxy Egress Tunnel Router (PETR), use the ip lisp use-petr command. To remove the use of a LISP PETR, use the no form of this command.
ip lisp use-petr locator-address
no ip lisp use-petr locator-address
locator-address | IPv4 or IPv6 locator address of the PETR. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When the use of PETR services is enabled, instead of natively forwarding packets destined to non-LISP sites, these packets are LISP-encapsulated and forwarded to the PETR, where these packets are then deencapsulated and forwarded natively toward the non-LISP destination. An Ingress Tunnel Router (ITR) or PITR can be configured to use PETR services.
PETR services might be necessary in several cases. By default, when a LISP site forwards packets to a non-LISP site natively (not LISP encapsulated), the source IP address of the packet is that of a site endpoint identifier (EID). If the provider side of the access network is configured with strict unicast reverse path forwarding (uRPF), it considers these packets to be spoofed and drops them because EIDs are not advertised in the provider default free zone (DFZ). In this case, instead of natively forwarding packets destined to non-LISP sites, the Ingress Tunnel Router (ITR) encapsulates these packets using the site locator as the source address and the PETR as the destination address. Packets destined for LISP sites follow normal LISP forwarding processes and are sent directly to the destination ETR.
Note | Because LISP supports mixed protocol encapsulations, the locator specified for the PETR can either be an IPv4 or IPv6 address. Up to eight PETRs can be configured per address family. |
This command does not require a license.
This example shows how to configure the Ingress Tunnel Router (ITR) to use the PETR with the IPv4 locator:
switch# configure terminal
switch(config)# ip lisp use-petr 10.1.1.1
Command | Description |
---|---|
ip lisp proxy-etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Egress Tunnel Router (PETR). |
To configure the static rendezvous point (RP) for a group range, use the ip pim rp-address command. To remove the static RP for a group range, use the no form of this command.
ip pim rp-address rp-address group-list access-list
no ip pim rp-address rp-address group-list access-list
rp-address | Specifies the IP address of the router that is the RP for the group range. |
group-list | Specifies the group range for the static RP. |
access-list | Group range prefixes. |
None
VRF configuration mode
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
This command does not require a license.
This example shows how to configure the static RP for a group range:
switch# configure terminal
switch(config)# vrf context management
switch(config-vrf)# ip pim rp-address 10.0.0.1 group-list 224.0.0.0/8
switch(config-vrf)#
Command | Description |
---|---|
ip lisp proxy-etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Egress Tunnel Router (PETR). |
To define the Source Specific Multicast (SSM) range of IP, use the ip pim ssm command. To remove the SSM range of IP, use the no form of this command.
ip pim ssm range access-list
no ip pim ssm range access-list
access-list | Group range prefixes. |
None
VRF configuration mode
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
This command does not require a license.
This example shows how to configure the Source Specific Multicast (SSM) range of IP:
switch# configure terminal
switch(config)# vrf context management
switch(config-vrf)# ip pim ssm range 224.0.0.0/8
Command | Description |
---|---|
ip lisp proxy-etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Egress Tunnel Router (PETR). |
To configure a default route to the upstream next hop for all IPv4 destinations, use the ip route command. To remove the default route to the upstream next hop for all IPv4 destinations, use the no form of this command.
ip route ipv4-prefix next-hop
no ip route ipv4-prefix next-hop
ipv4-prefix | IP prefix in i.i.i.i format. |
next-hop | IP network mask in m.m.m.m format. |
None
Global configuration mode
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
This command does not require a license.
This example shows how to configure a default route to the upstream next hop for all IPv4 destinations:
switch# configure terminal
switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
Command | Description |
---|---|
ip lisp proxy-etr | Configures the Cisco NX-OS device to act as an IPv4 LISP Proxy Egress Tunnel Router (PETR). |
To configure the virtual routing and forwarding (VRF) instance that the Cisco NX-OS device uses when sending map requests for an IPv6 end point identifier (EID) to Routing Locator mapping directly over the Locator/ID Separation Protocol Alternative Topology (LISP-ALT), use the ipv6 lisp alt-vrf command. To remove the reference to a VRF, use the no form of this command.
ipv6 lisp alt-vrf vrf-name
no ipv6 lisp alt-vrf vrf-name
vrf-name | Name assigned to the LISP ALT VRF. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ipv6 lisp alt-vrf command to configure the virtual routing and forwarding (VRF) instance that the LISP device should use for control plane mapping resolution functions.
You must use the ipv6 lisp alt-vrf command for all devices that connect to the ALT to exchange LISP control plane messages for mapping. These devices include LISP Map-Server (MS), Map Resolver (MR), and Proxy Ingress Tunnel Router (PITR) devices, and directly ALT-connected xTRs.
Follow these guidelines when using this command:
Note | When you use the ip lisp alt-vrf command, the referenced VRF must already have been created by using the vrf context command. In addition, you must also have created the corresponding configurations for connecting the LISP device to the ALT, including the generic routing encapsulation (GRE) tunnel interface(s) and any routing that is associated with the VRF (static or dynamic). |
This example shows how to configure the VRF named lisp and then configure LISP to use this VRF when resolving IPv6 EID-to-RLOC mappings:
switch# configure terminal
switch(config)# vrf context lisp
switch(config-vrf)# exit
switch(config)# ipv6 lisp alt-vrf lisp
Command | Description |
---|---|
ipv6 lisp itr map-resolver | Configures the locator address of the LISP Map-Resolver to which the Ingress Tunnel Router (ITR) sends Map-Request messages. |
ipv6 lisp itr | Configures the Cisco NX-OS device to act as a LISP Ingress Tunnel Router (ITR). |
ipv6 lisp pitr | Configures the Cisco NX-OS device to act as a LISP Proxy Ingress Tunnel Router (PITR). |
To configure an IPv4 endpoint identifier to Routing Locator (EID-to-RLOC) mapping relationship and its associated traffic policy, use the ipv6 lisp database-mapping command. To remove the configured database mapping, use the no form of this command.
ipv6 lisp database-mapping EID-prefix { locator | dynamic } priority priority weight weight
no ipv6 lisp database-mapping EID-prefix { locator | dynamic } priority priority weight weight
EID-prefix | IPv4 EID prefix and length. |
locator | IPv4 or IPv6 RLOC associated with this EID prefix. |
dynamic | Allows the RLOC associated with this EID to be determined dynamically. |
priority priority | Specifies the priority (value between 0 and 255) assigned to the RLOC. When multiple locators have the same priority they can be used in load-shared fashion. A lower value indicates a higher priority. |
weight weight | Specifies the weight (value between 0 and 100) assigned to the locator. Use this keyword to determine how to load-share traffic between multiple locators when the priorities assigned to multiple locators are the same. The weight argument represents the percentage of traffic to be load-shared. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ipv6 lisp database-mapping command to configure the LISP database parameters for the specified IPv4 EID prefix block, including its associated locator, priority and weight. The IPv6 EID prefix is the LISP IPv6 EID prefix block that is associated with the site that the Cisco NX-OS Series device registers as being authoritative with a Map Server. The locator is typically the IPv4 or IPv6 address of a loopback interface but can be the IPv4 or IPv6 address of any interface used as the Routing Locator (RLOC) address for the EID prefix assigned to the site. A priority and weight are used to define traffic policies when multiple RLOCs apply to the same EID prefix block.
When you configure a Cisco NX-OS Series device as an egress tunnel router (ETR), these LISP database-mapping parameters are advertised within a Map-Reply message to indicate the ingress traffic preferences of the site for the associated EID prefix block. An ingress tunnel router (ITR) then selects a source locator (outer header) address for encapsulating packets destined to the EID prefix based on these advertised parameters.
When a LISP site has multiple locators associated with the same EID prefix block, you use multiple ipv6 lisp database-mapping commands to configure all of the locators for a given EID prefix block. Each locator can be assigned the same or a different priority value between 0 and 255. When multiple locators are assigned different priority values, the priority value alone is used to determine which locator to prefer. A lower value indicates a more preferable path. A value of 255 indicates that the locator must not be used for unicast traffic forwarding.
When multiple locators have the same priority, they can be used in a load-sharing manner. In this case, for a given priority, the weight given to each locator is used to determine how to load-balance unicast packets between them. The weight is a value between 0 and 100 and represents the percentage of traffic to be load shared to that locator. If you assign a nonzero weight value to any locator for a given EID prefix block, you must assign all locators with the same priority for that same EID prefix block with a nonzero weight value. The sum of all weight values must equal 100. If you assign a weight value of zero to any locator for a given EID prefix block, you must assign all locators with the same priority for that same EID prefix block a weight value of zero. A weight value of zero indicates to an ITR that receives the Map-Reply that it can decide how to load-share traffic destined to that EID prefix block.
When you assign a LISP site with multiple IPv6 EID prefixes, the ipv6 lisp database-mapping is configured for each IPv4 EID prefix assigned to the site and for each locator that has a reachable IPv6 EID prefix.
When multiple ETRs are used at a LISP site, you must enter the ipv6 lisp database-mapping command on all ETRs for all locators to make an IPv4 EID prefix block reachable even when the locator is not local to the specific ETR that is being configured.
If the ETR receives its RLOC through a dynamic process such as DHCP, or if it is sited behind a Network Address Translation (NAT) device and the routing locator belongs to the private address space that the NAT device translates to a public globally routed address, you might not be able to specify a locator in the ip lisp database-mapping entry. Add the dynamic keyword to the ipv6 lisp database-mapping command so that the RLOC for this Cisco NX-OS device will be determined dynamically rather than being statically defined in each ip lisp database-mapping entry.
When an ETR is sited behind NAT, it needs to know the public global locator address; this address is required for Map-Register and Map-Reply messages. You should enter the {ip | ipv6} lisp nat-traversal command. For more information, see the {ip | ipv6} lisp nat-traversal command.
This command does not require a license.
This example shows how to configure lisp database-mapping entries for a single IPv6 EID prefix block and two IPv4 locators that are associated with the EID prefix block:
switch# configure terminal
switch(config)# ipv6 lisp database-mapping 2001:DB8:BB::/48 10.1.1.1 priority 1 weight 100
switch(config)# ipv6 lisp database-mapping 2001:DB8:BB::/48 10.1.2.1 priority 1 weight 100
Command | Description |
---|---|
ipv6 lisp etr map-server | Configures the IPv4 or IPv6 locator address of the LISP Map Server to which the ETR registers its IPv6 EID prefixes. |
ipv6 lisp locator-down | Configures an IPv4 or IPv6 locator from a locator set associated with the IPv6 EID prefix database mapping to be down. |
ipv6 lisp map-cache | Configures a static IPv6 EID prefix to locator map-cache entry. |
ipv6 lisp nat-traversal | Configures an ETR with a private locator that is sited behind a NAT device to dynamically determine its NAT-translated public globally routed locator address for the applied interface. |
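The priority and weight rules given in the usage guidelines for database-mapping can be checked mechanically before a configuration is pushed. The following Python lint is an added example, not Cisco code: the function names, finding codes and sample configuration lines are constructed, and reporting an EID prefix whose locators all have priority 255 is an assumption drawn from the statement that such locators must not be used for unicast forwarding.

```python
import ipaddress
import re
from collections import defaultdict

# Syntax as given on this page:
#   {ip | ipv6} lisp database-mapping EID-prefix {locator | dynamic} priority P weight W
LINE_RE = re.compile(
    r"^(?:ip|ipv6) lisp database-mapping (?P<eid>\S+) (?P<locator>\S+) "
    r"priority (?P<priority>\d+) weight (?P<weight>\d+)$"
)


def parse_mappings(config_text):
    """Group database-mapping lines by EID prefix (normalised, so case is ignored)."""
    mappings = defaultdict(list)
    for raw in config_text.splitlines():
        match = LINE_RE.match(" ".join(raw.split()))
        if match:
            # Raises ValueError if the EID prefix is not a valid IPv4/IPv6 prefix.
            eid = str(ipaddress.ip_network(match["eid"], strict=False))
            mappings[eid].append(
                (match["locator"], int(match["priority"]), int(match["weight"]))
            )
    return dict(mappings)


def validate(mappings):
    """Return (eid_prefix, priority, finding_code) tuples for rule violations."""
    findings = []
    for eid, entries in mappings.items():
        by_priority = defaultdict(list)
        for _locator, priority, weight in entries:
            if not (0 <= priority <= 255 and 0 <= weight <= 100):
                findings.append((eid, priority, "out-of-range"))
                continue
            by_priority[priority].append(weight)
        for priority in sorted(by_priority):
            weights = by_priority[priority]
            zeros = sum(1 for w in weights if w == 0)
            if 0 < zeros < len(weights):
                # Zero and nonzero weights must not be mixed at one priority.
                findings.append((eid, priority, "mixed-zero-weight"))
            elif zeros == 0 and sum(weights) != 100:
                # Nonzero weights at one priority must add up to 100.
                findings.append((eid, priority, "weight-sum"))
        if by_priority and all(p == 255 for p in by_priority):
            # Assumption: no locator is left for unicast forwarding.
            findings.append((eid, 255, "no-usable-locator"))
    return findings


# Constructed sample configuration (documentation addresses, not from a device).
SAMPLE_CONFIG = """\
ipv6 lisp database-mapping 2001:DB8:AA::/48 192.0.2.1 priority 1 weight 50
ipv6 lisp database-mapping 2001:db8:aa::/48 192.0.2.2 priority 1 weight 50
ipv6 lisp database-mapping 2001:DB8:AA::/48 192.0.2.3 priority 2 weight 100
ipv6 lisp database-mapping 2001:DB8:CC::/48 192.0.2.1 priority 1 weight 60
ipv6 lisp database-mapping 2001:DB8:CC::/48 192.0.2.2 priority 1 weight 60
ipv6 lisp database-mapping 2001:DB8:DD::/48 192.0.2.1 priority 1 weight 0
ipv6 lisp database-mapping 2001:DB8:DD::/48 dynamic priority 1 weight 100
ipv6 lisp database-mapping 2001:DB8:EE::/48 192.0.2.9 priority 255 weight 0
"""

if __name__ == "__main__":
    for eid, priority, code in validate(parse_mappings(SAMPLE_CONFIG)):
        print(f"{eid} priority {priority}: {code}")
```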
To configure a Cisco NX-OS device to act as an IPv6 Locator/ID Separation Protocol (LISP) Egress Tunnel Router (ETR), use the ipv6 lisp etr command. To remove LISP ETR functionality, use the no form of this command.
ipv6 lisp etr
no ipv6 lisp etr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ipv6 lisp etr command to enable the Cisco NX-OS device to perform IPv4 LISP Egress Tunnel Router (ETR) functionality. When you configure a Cisco NX-OS device as an IPv4 ETR, also use ipv6 lisp database-mapping command so that the ETR knows what EID prefix blocks and corresponding locators are used for the LISP site. In addition, you should configure the ETR to register with a Map-Server by using the ipv6 lisp etr map-server command, or to use static LISP EID-to-RLOC mappings by using the ipv6 lisp map-cache command in order to participate in LISP networking.
When a map-cache entry contains mixed locators (both IPv4 and IPv6 RLOCs) and an Ingress Tunnel Router (ITR) encapsulates using an IPv4 locator, you must configure the ETR that is assigned with the IPv4 locator by using the ipv6 lisp etr command. When an IPv6 locator is used by an Ingress Tunnel Router (ITR), you must configure the ETR that is assigned with the IPv6 locator by using the ipv6 lisp etr command.
Note | You configure an ETR as an Ingress Tunnel Router (ITR). However, the LISP architecture does not require that you do so. When configuring a device as both an Ingress Tunnel Router (ITR) and an ETR, use the ipv6 lisp itr-etr command to enable both capabilities. |
This command does not require a license.
This example shows how to configure IPv6 LISP ETR functionality on the Cisco NX-OS device:
switch# configure terminal
switch(config)# ipv6 lisp etr
Command | Description |
---|---|
ipv6 lisp database-mapping | Specifies to configure an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp etr map-server | Configures the IPv4 or IPv6 locator address of the LISP Map-Server to which an ETR should register for its IPv6 EID prefixes. |
ipv6 lisp itr | Configures the Cisco NX-OS device to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp map-cache | Configures a static IPv6 EID prefix to locator map-cache entry. |
To configure an Egress Tunnel Router (ETR) to cache IPv6 mapping data contained in a Map-Request message, use the ipv6 lisp etr accept-map-request-mapping command. To remove this functionality, use the no form of this command.
ipv6 lisp etr accept-map-request-mapping [verify]
no ipv6 lisp etr accept-map-request-mapping [verify]
verify | (Optional) Specifies that mapping data should be cached but not used for forwarding packets until the ETR can send its own Map Request to one of the locators from the mapping data record and receive a Map Reply with the same data in response. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR receives a Map-Request message, this message might contain mapping data for the invoking IPv4 source-EID packet. By default, the ETR ignores mapping data included in Map-Request messages. However, by entering the ipv6 lisp etr accept-map-request-mapping command, the ETR caches the mapping data in its map cache and immediately uses it to forward packets.
When you use the optional verify keyword, the ETR still caches the mapping data but does not forward packets until the ETR can send its own Map Request to one of the locators from the mapping data record and receive the same data in a Map-Reply message.
Note | For security purposes, we recommend that you use the verify keyword. Unless you deploy the ETR and Ingress Tunnel Router (ITR) in a trusted environment, you should use the optional verify keyword. In a trusted environment, if you do not use the optional verify keyword, the new mapping occurs in one-half round-trip-time (RTT) as compared with the normal Map-Request/Map-Reply exchange process. |
When you enable and then later disable this command, you must enter the clear ipv6 lisp map-cache command to clear any map-cache entries that are currently in the tentative state. Map-cache entries can remain in the tentative state for up to one minute; therefore, you might want to clear these entries manually when this command is removed.
This command does not require a license.
This example shows how to configure the ETR to accept and cache IPv6 mapping data included in Map-Request messages and verify its accuracy prior to using this data to forward packets:
switch# configure terminal
switch(config)# ipv6 lisp etr accept-map-request-mapping verify
Command | Description |
---|---|
ipv6 lisp etr | Configures the Cisco NX-OS device to act as an IPv6 LISP Egress Tunnel Router (ETR). |
clear ipv6 lisp map-cache | Clears the LISP IPv6 map cache on the local Cisco NX-OS device. |
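The order of decisions described for accept-map-request-mapping (ignore by default, prefix-length check first, then immediate use or a tentative entry awaiting verification) is easier to reason about as a small state model. This Python model is an added example and not NX-OS code: class and method names are hypothetical, the addresses are constructed documentation values, the /16 floor is the IPv4 default stated for ip lisp shortest-eid-prefix-length, and discarding an entry whose verifying Map-Reply differs is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

TENTATIVE_LIFETIME_S = 60   # entries stay tentative "for up to one minute"
DEFAULT_SHORTEST_IPV4 = 16  # IPv4 default for ip lisp shortest-eid-prefix-length


@dataclass
class EtrPolicy:
    accept_mapping: bool = False   # ip lisp etr accept-map-request-mapping
    verify: bool = False           # ... with the optional verify keyword
    shortest_prefix_len: int = DEFAULT_SHORTEST_IPV4


@dataclass
class MapCacheModel:
    policy: EtrPolicy
    entries: dict = field(default_factory=dict)  # eid -> locators/state/since

    def on_map_request_record(self, eid_prefix, locators, now):
        """Handle the mapping-data record carried in a received Map-Request."""
        if not self.policy.accept_mapping:
            return "ignored"  # default behaviour: record is not cached
        eid = ipaddress.ip_network(eid_prefix)
        # The length check runs before any verifying Map-Request is sent.
        if eid.prefixlen < self.policy.shortest_prefix_len:
            return "rejected-prefix-too-short"
        state = "tentative" if self.policy.verify else "usable"
        self.entries[eid] = {
            "locators": frozenset(locators), "state": state, "since": now,
        }
        return state

    def on_verifying_map_reply(self, eid_prefix, locators, now):
        """Handle the Map-Reply to the ETR's own verifying Map-Request."""
        eid = ipaddress.ip_network(eid_prefix)
        entry = self.entries.get(eid)
        if entry is None or entry["state"] != "tentative":
            return "no-tentative-entry"
        if now - entry["since"] > TENTATIVE_LIFETIME_S:
            del self.entries[eid]
            return "expired"
        if frozenset(locators) != entry["locators"]:
            del self.entries[eid]  # assumption: mismatching data is dropped
            return "mismatch-discarded"
        entry["state"] = "usable"
        return "usable"

    def can_forward(self, eid_prefix):
        """Only entries in the usable state may be used to forward packets."""
        entry = self.entries.get(ipaddress.ip_network(eid_prefix))
        return bool(entry) and entry["state"] == "usable"


def run_scenarios():
    """Replay one constructed mapping record under different policies."""
    eid, claimed, actual = "10.1.0.0/16", ["198.51.100.7"], ["192.0.2.1"]
    results = {}

    default = MapCacheModel(EtrPolicy())
    results["default"] = default.on_map_request_record(eid, claimed, now=0)

    trusting = MapCacheModel(EtrPolicy(accept_mapping=True))
    trusting.on_map_request_record(eid, claimed, now=0)
    results["accept"] = trusting.can_forward(eid)

    verifying = MapCacheModel(EtrPolicy(accept_mapping=True, verify=True))
    verifying.on_map_request_record(eid, claimed, now=0)
    results["verify-pending"] = verifying.can_forward(eid)
    results["verify-mismatch"] = verifying.on_verifying_map_reply(eid, actual, now=2)
    results["verify-after"] = verifying.can_forward(eid)
    results["too-short"] = verifying.on_map_request_record("10.0.0.0/8", claimed, now=3)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Without verify the unconfirmed record is usable as soon as it arrives; with verify it never reaches the forwarding path unless the Map-Reply carries the same data.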
To configure an egress tunnel router (ETR) to add inner header (EID) source address to outer header (RLOC) source address mappings to its endpoint identifier to Routing Locator (EID-to-RLOC) cache (map-cache), use the ipv6 lisp etr glean-mapping command. To remove this functionality, use the no form of this command.
ipv6 lisp etr glean-mapping [verify]
no ipv6 lisp etr glean-mapping [verify]
verify | (Optional) Specifies that gleaned EID-to-RLOC mapping data should be cached but not used for forwarding packets until the ETR can send its own Map Request to the originating Ingress Tunnel Router (ITR) and receive a Map Reply with the same data in response. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR receives Locator/ID Separation Protocol (LISP)-encapsulated packets, the inner header EID source address and outer header RLOC source address should match an entry found in the map cache as determined by the results of a Map-Request/Map-Reply exchange. When a host moves from one ingress tunnel router (ITR) to another ITR, the EID-to-RLOC mapping changes because the new ITR can encapsulate packets to the ETR using a different locator. By entering the ipv6 lisp etr glean-mapping command, the ETR recognizes the new locator information for the moved host’s EID and updates the map cache with this information.
The learned EID-to-RLOC map-cache entries are stored with a priority of 1 and a weight of 100.
When you enter the optional verify keyword, the ETR caches the learned EID-to-RLOC mapping data but does not forward packets until the ETR can send its own Map Request to the originating Ingress Tunnel Router (ITR) and receive a Map Reply. The gleaned locator will then be used. When you specify the verify keyword, the locator is used to forward traffic and all packets are dropped until the Map Reply is returned.
Note | For security purposes, we recommend that you use the verify keyword. Unless you deploy the ETR and Ingress Tunnel Router (ITR) in a trusted environment, you should use the optional verify keyword. In a trusted environment, if you do not use the optional verify keyword, the new mapping occurs in one-half round-trip-time (RTT) as compared with the normal Map-Request/Map-Reply exchange process. |
This command does not require a license.
This example shows how to configure the ETR to glean and cache IPv6 mapping data included in Map-Request messages and verify its accuracy prior to using this data to forward packets:
switch# configure terminal
switch(config)# ipv6 lisp etr glean-mapping verify
Command | Description |
---|---|
ipv6 lisp etr | Configures the Cisco NX-OS device to act as an IPv6 LISP Egress Tunnel Router (ETR). |
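The notes for accept-map-request-mapping and glean-mapping both recommend the verify keyword outside a trusted environment, which makes its absence worth checking for in saved configurations. The following Python audit is an added example, not a Cisco tool: the function name, finding codes and the configuration excerpt are constructed, and the /16 threshold is the IPv4 default stated for ip lisp shortest-eid-prefix-length.

```python
import re

# {ip | ipv6} lisp etr {accept-map-request-mapping | glean-mapping} [verify]
MAPPING_RE = re.compile(
    r"^(?P<af>ip|ipv6) lisp etr "
    r"(?P<feature>accept-map-request-mapping|glean-mapping)(?P<verify>\s+verify)?$"
)
SHORTEST_RE = re.compile(r"^ip lisp shortest-eid-prefix-length (?P<length>\d+)$")
IPV4_DEFAULT_SHORTEST = 16  # default /16 stated on this page for IPv4 EID prefixes


def audit_lisp_config(config_text):
    """Return (line_number, finding_code, config_line) tuples worth reviewing."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        match = MAPPING_RE.match(line)
        if match and match["verify"] is None:
            # Mapping data is used for forwarding before it is confirmed.
            findings.append((number, "mapping-accepted-without-verify", line))
            continue
        match = SHORTEST_RE.match(line)
        if match and int(match["length"]) < IPV4_DEFAULT_SHORTEST:
            # Coarser prefixes than the default are accepted; confirm intent.
            findings.append((number, "shortest-prefix-below-default", line))
    return findings


# Constructed running-config excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
feature lisp
ip lisp etr
ip lisp etr accept-map-request-mapping
ip lisp shortest-eid-prefix-length 12
ipv6 lisp etr
ipv6 lisp etr accept-map-request-mapping verify
ipv6 lisp etr glean-mapping
ipv6 lisp etr map-cache-ttl 120
"""

if __name__ == "__main__":
    for number, code, line in audit_lisp_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {number}: {code}: {line}")
```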
To configure the Time-to-live (TTL) value inserted into Locator/ID Separation Protocol (LISP) IPv6 Map-Reply messages, use the ipv6 lisp etr map-cache-ttl command. To remove the configured TTL value and return to the default value, use the no form of this command.
ipv6 lisp etr map-cache-ttl time-to-live
no ipv6 lisp etr map-cache-ttl time-to-live
time-to-live | Value, in minutes, to be inserted in the TTL field in Map-Reply messages. The range is from 60 to 10080. |
1440
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ipv6 lisp etr map-cache-ttl command to change the default value associated with the TTL field in IPv4 Map-Reply messages. Use this command when you want to change the default TTL that remote Ingress Tunnel Routers (ITRs) cache and use for your site’s IPv4 EID prefix. The default value is 1440 minutes (24 hours). The minimum value cannot be less than 60 minutes, and the maximum cannot be greater than 10080 minutes (one week).
This command does not require a license.
This example shows how to configure the ETR to use a TTL in its IPv6 Map-Reply messages:
switch# configure terminal
switch(config)# ipv6 lisp etr map-cache-ttl 120
Command | Description |
---|---|
ipv6 lisp etr | Configures the Cisco NX-OS device to act as an IPv6 LISP Egress Tunnel Router (ETR). |
To configure the IPv4 or IPv6 locator address of the Locator/ID Separation Protocol (LISP) Map Server to be used by the egress tunnel router (ETR) when registering for IPv4 EIDs, use the ipv6 lisp etr map-server command. To remove the configured locator address of the LISP Map Server, use the no form of this command.
ipv6 lisp etr map-server map-server-address { [ key key-type authentication-key ] | proxy-reply }
no ipv6 lisp etr map-server map-server-address { [ key key-type authentication-key ] | proxy-reply }
map-server-address | IPv4 or IPv6 address of the Map Server. |
key | (Optional) Specifies the key type that indicates how the following SHA-1 password (key) is encoded. |
key-type | Key type. Type (0) indicates that a clear text password follows, Type (3) indicates that a 3DES encrypted key follows, and Type (7) indicates that a Cisco Type 7 encrypted password follows. |
authentication-key | Password used for computing the SHA-1 HMAC hash that is included in the header of the Map-Register message. |
proxy-reply | Specifies that the ETR should indicate to the Map Server through a Map Register message that the Map Server should send Map Replies on behalf of the site. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
Use the ipv6 lisp etr map-server command to configure the IPv4 or IPv6 locator of the Map Server to which the ETR registers for its IPv4 EID(s). A password used for a SHA-1 HMAC hash that is included in the header of the Map-Register message must also be provided. You can configure the ETR to register with a maximum of two Map Servers per EID address family. Once the ETR registers with the Map-Server(s), the Map Server(s) begin to advertise the EID prefix block(s) and RLOC(s) for the LISP site.
You can enter the SHA-1 HMAC password in unencrypted (cleartext) form or encrypted form. To enter an unencrypted password, specify a key-type value of 0. To enter a 3DES-encrypted password, specify a key-type value of 3. To enter a Cisco-encrypted password, specify a key-type value of 7.
Caution | A Map-Server authentication key entered in cleartext form will automatically be converted to Type 3 (encrypted) form. |
Note | You must also configure the Map Server with IPv4 EID prefixes that match the IPv4 EID prefixes configured on this ETR by using the ipv6 lisp database-mapping command, as well as a password that matches the one provided with the key keyword on this ETR. |
Note | When you use the proxy-reply keyword, the ETR indicates to the Map Server through a Map-Register message that the Map Server should send Map Replies on behalf of the site. The Map Server sends non-authoritative Map Replies for all the EID prefixes contained in the Map-Register message. On the Map Server, the show lisp site site-name command indicates whether proxy-reply is enabled or not. |
This command does not require a license.
This example shows how to configure ETR to register to two Map Servers:
switch# configure terminal
switch(config)# ipv6 lisp etr map-server 2001:db8:0a::1 key 3 1c275642c17d1e17
switch(config)# ipv6 lisp etr map-server 2001:db8:0b::1 key 3 1c275642c17d1e17
This example shows how to configure ETR to register to the Map Server:
switch# configure terminal
switch(config)# ipv6 lisp etr map-server 2001:db8:0a::1 key 3 1c275642c17d1e17
switch(config)# ipv6 lisp etr map-server 2001:db8:0a::1 proxy-reply
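The key-type rules and the two-Map-Server limit described for this command can be checked mechanically before a change is pushed. The following Python is an added example, not Cisco code: it audits a CLI session or saved template for ipv6 lisp etr map-server lines. The sample session, the fake key strings and the finding names are constructed for illustration, and the parser assumes the prompt-and-exit session form shown in this reference.

```python
import ipaddress
import re
from collections import defaultdict

PROMPT = re.compile(r"^\S+#\s*")  # strips "switch(config-vrf)# " style prompts
MAP_SERVER = re.compile(
    r"^ipv6 lisp etr map-server (\S+)(?: key (\d+) (\S+)| (proxy-reply))?$")

# Constructed sample session; key strings are fake placeholders.
SAMPLE_CONFIG = """\
switch# configure terminal
switch(config)# vrf context green
switch(config-vrf)# ipv6 lisp etr map-server 10.200.1.1 key 0 FAKE-CLEARTEXT
switch(config-vrf)# exit
switch(config)# ipv6 lisp etr map-server 2001:db8:0a::1 key 3 FAKE3DESVALUE
switch(config)# ipv6 lisp etr map-server 2001:DB8:A::1 proxy-reply
switch(config)# ipv6 lisp etr map-server 2001:db8:0b::1 key 7 FAKETYPE7VALUE
switch(config)# ipv6 lisp etr map-server 2001:db8:0c::1 proxy-reply
"""


def normalize(address):
    """Canonical form so 2001:db8:0a::1 and 2001:DB8:A::1 count as one server."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        return address


def audit(config_text):
    """Return sorted (context, finding, map_server) tuples.

    Key material is parsed but never stored or returned.
    """
    context = "default"
    servers = defaultdict(dict)  # context -> {address: set of key types seen}
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("vrf context "):
            context = line.split()[2]
            continue
        if line == "exit":
            context = "default"
            continue
        match = MAP_SERVER.match(line)
        if not match:
            continue
        key_types = servers[context].setdefault(normalize(match.group(1)), set())
        if match.group(2) is not None:
            key_types.add(int(match.group(2)))

    findings = []
    for ctx, entries in servers.items():
        # The reference allows at most two Map Servers per EID address family.
        if len(entries) > 2:
            findings.append((ctx, "MORE_THAN_TWO_MAP_SERVERS", "*"))
        for address, key_types in entries.items():
            if not key_types:
                # Map-Register needs a key for its SHA-1 HMAC.
                findings.append((ctx, "NO_KEY", address))
            if 0 in key_types:
                # Cleartext secret sitting in a template or change record.
                findings.append((ctx, "CLEARTEXT_KEY", address))
            if 7 in key_types:
                # Type 7 is a reversible encoding, not strong encryption.
                findings.append((ctx, "TYPE7_KEY", address))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```
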
Command |
Description |
---|---|
ipv6 lisp alt-vrf |
Configures the VRF that LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
ipv6 lisp database-mapping |
Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp etr |
Configures the Cisco NX-OS device to act as an IPv6 LISP Egress Tunnel Router (ETR). |
lisp site |
Configures a LISP site and enters site configuration mode on a Map Server. |
lisp mobility |
Configures an interface on an Ingress Tunnel Router (ITR) to participate in LISP VM Mobility (dynamic-EID roaming). |
To enable hardware-forwarding specifically on the Cisco Nexus 7000 Series device when at least one 32x10GE line card is installed, use the ipv6 lisp hardware-forwarding command. To disable this functionality, use the no form of this command.
ipv6 lisp hardware-forwarding
no ipv6 lisp hardware-forwarding
This command has no arguments or keywords.
Enabled when at least one 32x10 GE line card is installed.
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
This command is only applicable to the Cisco NX-OS device.
The ip lisp hardware-forwarding command is applicable to the Cisco Nexus 7000 Series device only. Hardware forwarding for LISP is supported on the N7K-M132XP-12 line card only. That is, LISP input and output interfaces must be on the N7K-M132XP-12 line card.
Caution | Disabling hardware forwarding should only be used in diagnostic situations. Entering the no ip lisp hardware-forwarding command will cause a full map-cache download to the Cisco NX-OS device hardware. |
This command does not require a license.
This example shows how to disable the IPv6 LISP hardware forwarding feature:
switch# configure terminal
switch(config)# no ipv6 lisp hardware-forwarding
switch(config)# exit
Command |
Description |
---|---|
lisp beta |
Enables LISP functionality on the Cisco NX-OS device. |
To configure a Cisco NX-OS device to act as an IPv6 Locator/ID Separation Protocol (LISP) Ingress Tunnel Router (ITR), use the ipv6 lisp itr command. To remove LISP Ingress Tunnel Router (ITR) functionality, use the no form of this command.
ipv6 lisp itr
no ipv6 lisp itr
This command has no arguments or keywords.
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
When a Cisco NX-OS device is configured as an Ingress Tunnel Router (ITR), a received packet is a candidate for LISP routing if no IPv6 destination address prefix match exists in the routing table, or the packet matches a default route, and the source address of the packet matches an IPv4 EID prefix block configured by using the ipv6 lisp database-mapping command or ipv6 lisp map-cache command. The Ingress Tunnel Router (ITR) looks in the LISP map cache and either forwards the packet, drops the packet, sends a Map Request, or LISP-encapsulates the packet.
If there is no match in the LISP map cache, the Ingress Tunnel Router (ITR) might use one of two methods to obtain an IPv6 EID-to-RLOC mapping. When a Map Resolver is configured when you enter the ipv6 lisp itr map-resolver command, the Ingress Tunnel Router (ITR) sends its Map Request in a LISP Encapsulated Control Message (ECM) to the Map-Resolver. When the Ingress Tunnel Router (ITR) is attached to the ALT using the ipv6 lisp alt-vrf command, the Ingress Tunnel Router (ITR) sends its Map Request directly on the alternate LISP topology (LISP-ALT). The Ingress Tunnel Router (ITR) caches the IPv4 EID-to-RLOC mapping information returned by the associated Map Reply in its map cache. Subsequent packets destined to the same IPv6 EID prefix block are then LISP-encapsulated according to this IPv4 EID-to-RLOC mapping entry.
Note | An Ingress Tunnel Router (ITR) can also be configured as an ETR. However, the LISP architecture does not require this. |
This command does not require a license.
This example shows how to configure the Ingress Tunnel Router (ITR) functionality on the NX-OS device:
switch# configure terminal
switch(config)# ipv6 lisp itr
Command |
Description |
---|---|
ipv6 lisp alt-vrf |
Configures the VRF that LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
ipv6 lisp database-mapping |
Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp itr map-resolver |
Configures the IPv4 or IPv6 locator address of the LISP Map Resolver to which the Ingress Tunnel Router (ITR) sends IPv6 Map Request messages. |
ipv6 lisp map-cache |
Configures a static IPv6 EID prefix to locator map-cache entry. |
To configure the IPv4 or IPv6 locator address of the Locator/ID Separation Protocol (LISP) Map Resolver to be used by the ingress tunnel router (ITR) or Proxy ITR (PITR) when sending Map Requests for IPv4 EID-to-RLOC mapping resolution, use the ipv6 lisp itr map-resolver command. To remove the configured locator address of the LISP Map Resolver, use the no form of this command.
ipv6 lisp itr map-resolver map-resolver-address
no ipv6 lisp itr map-resolver map-resolver-address
map-resolver-address |
IPv4 or IPv6 locator addresses of the Map Resolver. |
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
Up to two Map Resolvers can be configured per Ingress Tunnel Router (ITR) or PITR within a site for each address family.
When a LISP Ingress Tunnel Router (ITR) or PITR needs to resolve an IPv6 EID-to-RLOC mapping for a destination EID, you can configure it to send a map request either to a Map Resolver by using the ipv6 lisp itr map-resolver command or directly over the LISP ALT by using the ipv6 lisp alt-vrf command. When a Map Resolver is used, map requests are sent to the Map Resolver with the additional LISP Encapsulated Control Message (ECM) header that includes the Map Resolver RLOC as its destination address. When the ALT is used, map requests are sent directly over the ALT without the additional LISP Encapsulated Control Message (ECM) header, where the destination of the map request is the EID being queried.
Note | When you use the ipv6 lisp itr map-resolver command, the Ingress Tunnel Router (ITR) or PITR does not run the LISP-ALT. All commands related to the ALT-VRF are ignored (and can be removed). |
This command does not require a license.
This example shows how to configure an Ingress Tunnel Router (ITR) to use the Map Resolver located at 2001:DB8:0A::1 when sending its Map-Request messages.
switch# configure terminal
switch(config)# ipv6 lisp itr map-resolver 2001:DB8:0A::1
Command |
Description |
---|---|
ipv6 lisp alt-vrf |
Configures the VRF that LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
ipv6 lisp itr |
Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp map-request-source |
Configures the source IPv4 or IPv6 address to be used in IPv6 LISP Map-Request messages. |
To configure an ingress tunnel router (ITR) or Proxy ITR (PITR) to find an IPv4 endpoint identifier to Routing Locator (EID-to-RLOC) mapping for a packet it needs to encapsulate by sending a data probe rather than by sending a Map-Request message, use the ipv6 lisp itr send-data-probe command. To remove this functionality, use the no form of this command.
ipv6 lisp itr send-data-probe
no ipv6 lisp itr send-data-probe
This command has no arguments or keywords.
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
When a Locator/ID Separation Protocol (LISP) Ingress Tunnel Router (ITR) or PITR gets a map-cache miss and needs to resolve an IPv4 EID-to-RLOC mapping for a destination EID, you can send a Map-Request message either in a LISP Encapsulated Control Message (ECM) to the Map Resolver by using the ip lisp itr map-resolver command or directly over the Locator/ID Separation Protocol Alternative Topology (LISP-ALT) by using the ip lisp alt-vrf command. In either case, the first packet of the flow that caused the map-cache miss is dropped. Once the Map Reply populates the map cache, subsequent packets to the same destination are forwarded directly by LISP.
Note | When you configure an Ingress Tunnel Router (ITR) or PITR by using the ip lisp itr send-data-probe command, you must also configure the Ingress Tunnel Router (ITR) or PITR to use the LISP-ALT by using the ip lisp alt-vrf command because the data probe is sent over the LISP-ALT. |
Caution | We do not recommend that you use the LISP data probe because this mechanism forwards data plane traffic over the LISP-ALT. The LISP-ALT is intended to function solely as a control plane mechanism for LISP, and carrying data plane traffic over it subjects it to denial of service attacks. |
This command does not require a license.
This example shows how to configure a LISP Ingress Tunnel Router (ITR) to send Data Probes to determine IPv6 EID-to-RLOC mappings:
switch# configure terminal
switch(config)# ipv6 lisp itr send-data-probe
Command |
Description |
---|---|
ipv6 lisp alt-vrf |
Configures the VRF that LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
ipv6 lisp itr map-resolver |
Configures the IPv4 or IPv6 locator address of the LISP Map-Resolver to which the Ingress Tunnel Router (ITR) sends IPv6 Map Request messages. |
To configure a switch to act as both an IPv6 LISP Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR), use the ipv6 lisp itr-etr command. To remove the LISP Ingress Tunnel Router (ITR) functionality, use the no form of this command.
ipv6 lisp itr-etr
no ipv6 lisp itr-etr
This command has no arguments or keywords.
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
Use the ipv6 lisp itr-etr command to enable the Cisco NX-OS device to perform both IPv6 LISP Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR) functionality simultaneously, by using a single command.
For usage guidelines for the IPv6 LISP Ingress Tunnel Router (ITR) functionality, see the ipv6 lisp itr command.
For usage guidelines for the IPv6 LISP ETR functionality, see the ipv6 lisp etr command.
Note | If you use the ipv6 lisp itr-etr command and either the ipv6 lisp itr or the ipv6 lisp etr command has already been configured, it is automatically removed from the configuration file. When configuring a device as both an Ingress Tunnel Router (ITR) and an ETR, use the ipv6 lisp itr-etr command to enable both capabilities. |
This command does not require a license.
This example shows how to configure the IPv6 LISP Ingress Tunnel Router (ITR) and ETR functionality on the NX-OS device:
switch# configure terminal
switch(config)# ipv6 lisp itr-etr
Command |
Description |
---|---|
ipv6 lisp etr |
Configures the switch to act as an IPv6 LISP Egress Tunnel Router (ETR). |
ipv6 lisp itr |
Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
To configure a locator from a locator set that is associated with an IPv6 endpoint identifier (EID) prefix database-mapping to be unreachable (down), use the ipv6 lisp locator-down command. To return the locator to be reachable (up), use the no form of this command.
ipv6 lisp locator-down EID-prefix/prefix-length locator
no ipv6 lisp locator-down EID-prefix/prefix-length locator
EID-prefix/prefix-length |
IPv6 EID prefix and length advertised by this switch. |
locator |
IPv4 or IPv6 Routing Locator (RLOC) associated with this EID prefix. |
An IPv4 or IPv6 locator associated with a configured IPv6 EID prefix block is considered reachable (up) unless an IGP routing protocol indicates it is down.
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
When you configure LISP database parameters on an Ingress Tunnel Router (ITR) for specified IPv4 EID prefix blocks by using the ipv6 lisp database-mapping command or the ipv6 lisp map-cache command, the locators associated with these IPv4 EID prefix blocks are considered as reachable (up) by default. You can use the ipv6 lisp locator-down command to configure a locator from a locator-set associated with the EID prefix database mapping to be down.
When you enter the ipv6 lisp locator-down command, the Locator Status Bit (LSB) for the configured locator is cleared when encapsulating packets to remote sites. ETRs at remote sites look for changes in the LSB when decapsulating LISP packets, and when the LSB indicates that a specific locator is down, the ETR refrains from encapsulating packets using this locator to reach the local site.
Note | If you enter the ipv6 lisp locator-down command on an Ingress Tunnel Router (ITR) to indicate that a locator is unreachable (down) and the LISP site includes multiple Ingress Tunnel Routers (ITRs), you must enter the ip lisp locator-down command on all Ingress Tunnel Routers (ITRs) at the site to ensure that the site consistently tells remote sites that the configured locator is not reachable. |
This command does not require a license.
This example shows how to configure the locator to a down state for the IPv6 EID prefix block:
switch# configure terminal
switch(config)# ipv6 lisp locator-down 2001:DB8:BB::/48 2001:DB8:0A::1
Command |
Description |
---|---|
ipv6 lisp database-mapping |
Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp itr |
Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp map-cache |
Configures a static IPv6 EID prefix to the locator map-cache entry. |
To configure a nondefault virtual routing and forwarding (VRF) table to be referenced by any IPv6 locator addresses, use the ipv6 lisp locator-vrf command. To return to using the default routing table for locator address references, use the no form of this command.
ipv6 lisp locator-vrf vrf-name
no ipv6 lisp locator-vrf vrf-name
vrf-name |
Name of the VRF instance to be referenced by IPv6 locator addresses instead of the default table. |
IPv6 locator addresses are associated with the default (global) routing table.
VRF configuration
network-admin
vdc-admin
Release |
Modification |
---|---|
5.0(3.lisp) |
This command was introduced. |
When you configure Locator/ID Separation Protocol (LISP) in a nondefault VRF to keep EID prefixes in one VRF separate from EID prefixes in another VRF, and both EID VRFs share the same locator-based core network and same mapping database system infrastructure, these locator addresses must be reachable from the default VRF or a specified common VRF. Use the ipv6 lisp locator-vrf command to specify the VRF to be associated with these locator addresses.
When you enter the ipv6 lisp locator-vrf command, the locator addresses in any subsequent LISP commands are referenced to the specified VRF. For example, the locator addresses in the ipv6 lisp itr map-resolver and ipv6 lisp etr map-server commands refer to the VRF that you configured when you entered the ip lisp locator-vrf command. The Map Servers and Map-Resolvers can also share the configuration from the locator VRF.
Note | When you configure mixed address families (for example, IPv4 EIDs and IPv6 locators or IPv6 EIDs and IPv4 locators), use the ipv6 lisp locator-vrf command. |
This command does not require a license.
In the following example, a LISP xTR is configured with three EID contexts red, blue, and green, and the locator VRF default. Red and blue are both using the RLOC of 10.10.10.1 if you enter the ipv6 lisp locator-vrf default command. In addition, red and blue both inherit the globally defined map resolver and Map Server located at 10.100.1.1 (configured at the end of this example). Both red and blue have an EID prefix of 172.16.0.0/24, but segmentation is maintained due to the unique LISP instance ID for each VRF context. The green context also uses the RLOC of 10.10.10.1 if you enter the ipv6 lisp locator-vrf default command. However, green overrides the inheritance of the globally defined map-resolver and Map-Server by including the ones configured within the VRF context and located at 10.200.1.1. The locator for this locally defined map-resolver or Map-Server remains within the default VRF when you enter the ipv6 lisp locator-vrf default command.
switch# configure terminal
switch(config)# vrf context red
switch(config-vrf)# ipv6 lisp itr-etr
switch(config-vrf)# ipv6 lisp database-mapping 2001:db8:a::/48 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 111
switch(config-vrf)# ipv6 lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context blue
switch(config-vrf)# ipv6 lisp itr-etr
switch(config-vrf)# ipv6 lisp database-mapping 2001:db8:a::/48 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 222
switch(config-vrf)# ipv6 lisp locator-vrf default
switch(config-vrf)# exit
switch(config)# vrf context green
switch(config-vrf)# ipv6 lisp itr-etr
switch(config-vrf)# ipv6 lisp database-mapping 2001:db8:b::/48 10.10.10.1 priority 1 weight 1
switch(config-vrf)# lisp instance-id 444
switch(config-vrf)# ipv6 lisp locator-vrf default
switch(config-vrf)# ipv6 lisp itr map-resolver 10.200.1.1
switch(config-vrf)# ipv6 lisp etr map-server 10.200.1.1 key 3 xxxxxxxxxxx
switch(config-vrf)# exit
switch(config)# ipv6 lisp itr map-resolver 10.100.1.1
switch(config)# ipv6 lisp etr map-server 10.100.1.1 key 3 xxxxxxxxxxx
Command |
Description |
---|---|
ipv6 lisp etr map-server |
Configures the IPv4 or IPv6 locator address of the LISP Map Server to which an ETR should register for its IPv6 EID prefixes. |
ipv6 lisp itr map-resolver |
Configures the locator address of the LISP Map Resolver to which the Ingress Tunnel Router (ITR) sends Map Request messages. |
To configure a static IPv6 endpoint identifier to Routing Locator (EID-to-RLOC) mapping relationship and its associated traffic policy or to statically configure the packet handling behavior associated with a specified destination IPv6 EID prefix, use the ipv6 lisp map-cache command. To remove the configuration, use the no form of this command.
ipv6 lisp map-cache destination-EID-prefix/prefix-length locator priority priority weight weight
no ipv6 lisp map-cache destination-EID-prefix/prefix-length locator priority priority weight weight
ipv6 lisp map-cache destination-EID-prefix/prefix-length { drop | map-request | native-forward }
no ipv6 lisp map-cache destination-EID-prefix/prefix-length { drop | map-request | native-forward }
destination-EID-prefix |
Destination IPv6 EID prefix. |
prefix-length |
Prefix length. |
locator |
IPv4 or IPv6 Routing Locator (RLOC) associated with this EID prefix/prefix-length. |
priority priority |
Specifies the priority (value between 0 and 255) assigned to the RLOC. When multiple locators have the same priority, they may be used in load-sharing. A lower value indicates a higher priority. |
weight weight |
Specifies the weight (value between 0 and 100) assigned to the locator. This value is used to determine how to load-share traffic between multiple locators when the priorities assigned to multiple locators are the same. The value represents the percentage of traffic to be load balanced. |
drop |
(Optional) Drops packets that match this map-cache entry. |
map-request |
(Optional) Sends a Map Request for packets. |
native-forward |
(Optional) Forwards packets natively that match this map-cache entry. |
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
You can use the ip lisp map-cache command to configure an ingress tunnel router (ITR) with a static IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. For each entry, you must enter a destination IPv6 EID prefix block and its associated locator, priority, and weight. The IPv6 EID prefix/prefix-length is the LISP EID prefix block at the destination site. The locator is an IPv4 or IPv6 address of the remote site where the IPv6 EID prefix can be reached. The locator address has a priority and weight that are used to define traffic policies when multiple RLOCs are defined for the same EID prefix block. You can enter this command up to four times for a given EID prefix. Static IPv4 EID-to-RLOC mapping entries configured when you enter the ip lisp map-cache command take precedence over dynamic mappings learned through Map-Request/Map-Reply exchanges.
You can also use the ipv6 lisp map-cache command to statically configure the packet handling behavior associated with a specified destination IPv6 EID prefix. For each entry, a destination IPv4 EID prefix block is associated with a configured forwarding behavior. When a packet's destination address matches the EID prefix, one of the following packet handling options:
This command does not require a license.
This example shows how to configure a destination EID-to-RLOC mapping and associated traffic policy:
switch# configure terminal
switch(config)# ipv6 lisp map-cache 2001:DB8:BB::/48 2001:DB8:0A::1 priority 1 weight 100
This example shows how to configure a destination EID-to-RLOC mapping and associated traffic policy to drop:
switch# configure terminal
switch(config)# ipv6 lisp map-cache 2001:DB8:AA::/64 drop
Command |
Description |
---|---|
ipv6 lisp database-mapping |
Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp itr |
Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp map-cache-limit |
Configures the maximum number of IPv6 LISP map-cache entries allowed to be stored by the switch. |
To configure the maximum number of IPv4 Locator/ID Separation Protocol (LISP) map-cache entries allowed to be stored by the Cisco NX-OS device, use the ipv6 lisp map-cache-limit command. To remove the configured map-cache limit, use the no form of this command.
ipv6 lisp map-cache-limit cache-limit [ reserve-list list ]
no ipv6 lisp map-cache-limit cache-limit [ reserve-list list ]
cache-limit |
(Optional) Specifies the maximum number of IPv4 LISP map-cache entries allowed to be stored on the Cisco NX-OS device. The valid range is from 0 to 10000. |
reserve-list list |
(Optional) Set of IPv4 EID prefixes in the referenced prefix list for which dynamic map-cache entries shall always be stored. |
1000
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
Use the ip lisp map-cache-limit command to control the maximum number of IPv6 LISP map-cache entries that are allowed to be stored on the Cisco NX-OS device. An optional reserve list can be configured to guarantee that the Cisco NX-OS device always stores the referenced IPv6 EID prefixes.
LISP IPv6 map-cache entries are added in one of two ways: dynamically or statically. Dynamic entries are added when a valid Map-Reply message is returned for a Map-Request message generated in response to a cache-miss lookup. Static entries are added when you enter the ipv6 lisp map-cache command.
Dynamic map-cache entries are always added until the default or configured cache limit is reached. After the default or configured cache limit is reached, unless the optional reserve list is configured, no further dynamic entries are added and no further Map Requests are generated in response to cache-miss lookups until a free position is available.
When you do not configure the optional reserve-list keyword, dynamic entries are added on a first-in-first-added basis until the configured map-cache limit is reached. After that time, no new dynamic entries can be added. If the reserve-list keyword is configured but the prefix list to which it refers is not configured, the results are the same as if the reserve-list keyword was not configured.
When you use the optional reserve-list keyword, a Map Request is generated and a new dynamic map-cache entry can be added only for IPv6 EID prefixes that are permitted by the prefix list referenced by the reserve-list keyword. The new entry must be able to replace an existing dynamic entry so that the cache limit is maintained. The deleted dynamic entry is either a non-reserve idle map-cache entry or a non-reserve active map-cache entry. Idle map-cache entries are those entries that have seen no activity in the last 10 minutes. If all current dynamic entries are also permitted by the prefix list referenced by the reserve-list, no further dynamic entries can be added.
Existing dynamic IPv6 map-cache entries can time out due to inactivity or can be removed by using the clear ip lisp map-cache command to create a free position in the map cache.
Static map-cache entries are always added, until the default or configured cache limit is reached. After the default or configured cache limit is reached, unless the optional reserve-list is configured, no further static entries are added.
When the optional reserve-list keyword is not used, static entries are added on a first-in-first-added basis until the configured map-cache limit is reached. After that time, no new static entries can be added. If you use the reserve-list keyword but you do not configure the prefix list to which it refers, the results are the same as if the reserve-list keyword was not configured.
When you use the optional reserve-list keyword, you can add a prefix list, but only if it can replace an existing static entry or dynamic entry that does not match the reserve list prefix list.
Note | When you use the reserve-list command, make sure that the prefix list includes entries that match all expected prefixes in any Map Reply, including the more-specifics. Append le 128 to the end of all prefix-list entries for IPv6 prefixes. For example, if you want to match 2001:DDB8:BB::/48 and any of the more specifics, you should enter ipv6 prefix-list lisp-list seq 5 permit 2001:DDB8:BB::/48 le 128 in order to cover all replies within this range. |
This command does not require a license.
This example shows how to configure the LISP cache-limit and a reserve-list:
switch# configure terminal
switch(config)# ipv6 lisp map-cache-limit 2000 reserve-list LISP-v6-always
switch(config)# ipv6 prefix-list LISP-v6-always seq 10 permit 2001:DB8:BA::/46 le 128
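The reserve-list admission rules and the le 128 note above, modelled in Python as an added example (not NX-OS code): a prefix-list entry without le matches only the exact prefix length, so a more-specific EID prefix returned in a Map Reply is not treated as reserved and is refused once the cache is full. The class names, the prefer-idle-then-oldest eviction order and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

IDLE_SECONDS = 600  # idle = no activity in the last 10 minutes, per the text above


class PrefixListEntry:
    """One 'permit PREFIX [le N]' entry of an IPv6 prefix list."""

    def __init__(self, prefix, le=None):
        self.net = ipaddress.ip_network(prefix)
        self.le = le

    def permits(self, candidate):
        cand = ipaddress.ip_network(candidate)
        if cand.version != self.net.version or not cand.subnet_of(self.net):
            return False
        # Without 'le', only the exact prefix length matches.
        max_len = self.le if self.le is not None else self.net.prefixlen
        return cand.prefixlen <= max_len


class MapCacheModel:
    """Simplified model of dynamic map-cache admission with a cache limit."""

    def __init__(self, limit, reserve_list=None):
        self.limit = limit
        self.reserve = reserve_list or []  # empty == prefix list not configured
        self.entries = {}                  # EID prefix -> last activity (seconds)

    def _reserved(self, prefix):
        return any(entry.permits(prefix) for entry in self.reserve)

    def add_dynamic(self, prefix, now):
        prefix = str(ipaddress.ip_network(prefix))
        if prefix in self.entries or len(self.entries) < self.limit:
            self.entries[prefix] = now
            return "added"
        # Cache is full: only reserve-list prefixes may displace something.
        if not self.reserve or not self._reserved(prefix):
            return "rejected"
        victims = [p for p in self.entries if not self._reserved(p)]
        if not victims:
            return "rejected"  # every current entry is itself reserved
        idle = [p for p in victims if now - self.entries[p] >= IDLE_SECONDS]
        # Assumption: idle non-reserve entries go first, oldest activity first.
        victim = min(idle or victims, key=self.entries.get)
        del self.entries[victim]
        self.entries[prefix] = now
        return "replaced " + victim


def demo(le):
    """Fill a 2-entry cache, then learn a more-specific of the reserved /48."""
    reserve = [PrefixListEntry("2001:db8:bb::/48", le=le)]
    cache = MapCacheModel(limit=2, reserve_list=reserve)
    results = [
        cache.add_dynamic("2001:db8:1::/48", now=0),
        cache.add_dynamic("2001:db8:2::/48", now=700),
        cache.add_dynamic("2001:db8:bb:1::/64", now=900),  # from a Map Reply
    ]
    return results, sorted(cache.entries)


if __name__ == "__main__":
    print("with le 128:", demo(128))
    print("without le: ", demo(None))
```
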
Command |
Description |
---|---|
ipv6 lisp map-cache |
Configures a static IPv6 EID prefix to the locator map-cache entry. |
clear ipv6 lisp map-cache |
Clears the LISP IPv6 map-cache on the local switch. |
debug ipv6 lisp mapping control |
Displays logs for Map Request, Map-Reply, and other LISP IPv6 mapping activities. |
To configure an IPv4 or IPv6 address to be used as the source address for Locator/ID Separation Protocol (LISP) IPv6 Map-Request messages, use the ipv6 lisp map-request-source command. To remove the configured Map-Request source address and return to the default behavior, use the no form of this command.
ipv6 lisp map-request-source source-address
no ipv6 lisp map-request-source source-address
source-address |
IPv4 or IPv6 source address to be used in LISP IPv6 Map-Request messages. |
The Cisco NX-OS device uses one of the locator addresses that you configure by using the ipv6 lisp database-mapping command as the default source address for LISP Map-Request messages.
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
A locator address that you configured by using the ipv6 lisp database-mapping command is used as the source address for LISP IPv6 Map-Request messages. There are cases, however, where it might be necessary to configure the specified source address for these Map-Request messages. For example, when the ingress tunnel router (ITR) is behind a Network Address Translation (NAT) device, you might need to specify a source address that matches the NAT configuration to properly allow for return traffic.
When you enter the ipv6 lisp map-request-source command on an Ingress Tunnel Router (ITR), the specified IPv4 or IPv6 locator is used by an Ingress Tunnel Router (ITR) as the source address for LISP IPv6 Map Request messages. When you enter the ipv6 lisp map-request-source command on a Map Server, this locator is used as the source address in the Encapsulated Control Message that carries a Map Request to an ETR.
This command does not require a license.
This example shows how to configure an Ingress Tunnel Router (ITR) to use the source IPv6 address in its IPv6 Map-Request messages:
switch# configure terminal
switch(config)# ipv6 lisp map-request-source 2001:DB8:0A::1
Command |
Description |
---|---|
ipv6 lisp database-mapping |
Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
To configure a switch to act as an IPv6 Locator/ID Separation Protocol (LISP) Map Resolver (MR), use the ipv6 lisp map-resolver command. To remove LISP Map-Resolver functionality, use the no form of this command.
ipv6 lisp map-resolver
no ipv6 lisp map-resolver
This command has no arguments or keywords.
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
A Map Resolver receives a LISP Encapsulated Control Message (ECM) that contains a Map-Request from a LISP Ingress Tunnel Router (ITR) directly over the underlying locator-based network. The Map Resolver decapsulates this message and forwards it on the LISP Alternative Topology (LISP-ALT), where it is delivered either to an ingress tunnel router (ITR) that is directly connected to the LISP-ALT and that is authoritative for the endpoint identifier (EID) being queried by the Map Request or to the Map Server that is injecting EID prefixes into the LISP-ALT on behalf of the authoritative ETR.
Map Resolvers also send Negative Map Replies directly back to an Ingress Tunnel Router (ITR) in response to queries for non-LISP addresses.
When deploying a LISP Map Resolver, follow these guidelines:
This command does not require a license.
This example shows how to configure the IPv6 LISP Map-Resolver functionality on the NX-OS device.
switch# configure terminal
switch(config)# ipv6 lisp map-resolver
Command |
Description |
---|---|
ipv6 lisp alt-vrf |
Configures the VRF that LISP should use when sending Map Requests for an IPv4 EID-to-RLOC mapping directly over the ALT. |
To configure a switch to act as an IPv6 Locator/ID Separation Protocol (LISP) Map-Server (MS), use the ipv6 lisp map-server command. To remove LISP Map-Server functionality, use the no form of this command.
ipv6 lisp map-server
no ipv6 lisp map-server
This command has no arguments or keywords.
None
Global configuration mode
Release |
Modification |
---|---|
5.0(1.13) |
This command was introduced. |
LISP site commands are configured on the Map Server for a LISP egress tunnel router (ETR) that registers to it, including an authentication key, which must match the one also configured on the ETR. A Map Server receives Map-Register control packets from ETRs. When you configure the Map Server with a service interface to the LISP Alternative Topology (LISP-ALT), it injects aggregates for the registered EID prefixes into the LISP-ALT.
The Map Server also receives Map-Request control packets from the LISP-ALT, which it then forwards as a LISP Encapsulated Control Message (ECM) to the registered ETR that is authoritative for the EID prefix being queried. The ETR returns a Map-Reply message directly back to the Ingress Tunnel Router (ITR).
When deploying a LISP Map Resolver, follow these guidelines:
This command does not require a license.
This example shows how to configure IPv6 LISP Map-Server functionality on the NX-OS device.
switch# configure terminal
switch(config)# ipv6 lisp map-server
Command | Description |
---|---|
ipv6 lisp alt-vrf | Configures which VRF supporting the IPv6 address-family LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
To configure an egress tunnel router (ETR) with a private locator that is sited behind a Network Address Translation (NAT) device to dynamically determine its NAT-translated public locator for use in Map-Register and Map-Reply messages, use the ip lisp nat-transversal command. To remove this functionality, use the no form of this command.
ipv6 lisp nat-transversal
no ipv6 lisp nat-transversal
This command has no arguments or keywords.
None
Interface configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an ETR is sited behind a NAT device, its routing locator belongs to the private address space that the NAT device translates to a public globally routed address. The ETR needs to know this public global locator address because this address is required for use in Map-Register and Map-Reply messages.
When the ip lisp nat-transversal command is configured, the ETR determines its own public global locator dynamically. The ETR sends a LISP Echo-Request message to the configured Map Server out the interface under which this command is configured. The Map Server replies with an Echo-Reply message that includes the source address from the Echo-Request, which is the NAT-translated public global locator address.
The ipv6 lisp nat-transversal command is useful when the dynamic keyword is used with the ipv6 lisp database-mapping command in order to dynamically determine the routing locator rather than statically defining it.
This command does not require a license.
This example shows how to configure the ETR to dynamically determine its public global routing locator when it is behind a NAT device:
switch# configure terminal
switch(config)# interface Ethernet2/0
switch(config-if)# ipv6 lisp nat-transversal
Command | Description |
---|---|
ipv6 lisp database-mapping | Configures an IPv6 EID-to-RLOC mapping relationship and its associated traffic policy. |
ipv6 lisp etr | Configures the switch to act as an IPv4 LISP Egress Tunnel Router (ETR). |
To configure a switch to act as an IPv6 Locator/ID Separation Protocol (LISP) Proxy Egress Tunnel Router (PETR), use the ipv6 lisp proxy-etr command. To remove LISP PETR functionality, use the no form of this command.
ipv6 lisp proxy-etr
no ipv6 lisp proxy-etr
This command has no arguments or keywords.
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
The Cisco NX-OS device accepts LISP-encapsulated packets from an ingress tunnel router (ITR) or Proxy ITR (PITR) that are destined to non-LISP sites, deencapsulates them, and then forwards them natively toward the non-LISP destination.
PETR services may be necessary in several cases. For example, by default, when a LISP site forwards packets to a non-LISP site natively (not LISP encapsulated), the source IP address of the packet is that of a site EID. If the provider side of the access network is configured with strict unicast reverse path forwarding (uRPF) or an antispoofing access-list, it would consider these packets to be spoofed and drop them because EIDs are not advertised in the provider default free zone (DFZ). Instead of natively forwarding packets destined to non-LISP sites, the Ingress Tunnel Router (ITR) encapsulates these packets using the site locator as the source address and the PETR as the destination address. Packets destined for LISP sites follow normal LISP forwarding processes and are sent directly to the destination ETR.
Note | When an Ingress Tunnel Router (ITR) or PITR requires IPv4 PETR services, you must configure Ingress Tunnel Router (ITR) or PITR to forward IPv4 EID packets to the PETR by using the ip lisp use-petr command. |
This command does not require a license.
This example shows how to configure IPv6 LISP PETR functionality on the NX-OS device:
switch# configure terminal
switch(config)# ipv6 lisp proxy-etr
Command | Description |
---|---|
ipv6 lisp etr | Configures the switch to act as an IPv6 LISP Egress Tunnel Router (ETR). |
ipv6 lisp use-petr | Configures an Ingress Tunnel Router (ITR) or PITR to use the PETR for traffic destined to non-LISP IPv6 destinations. |
To configure a switch to act as an IPv6 Locator/ID Separation Protocol (LISP) Proxy Ingress Tunnel Router (PITR), use the ipv6 lisp proxy-itr command. To remove the LISP PITR functionality, use the no form of this command.
ipv6 lisp proxy-itr ipv6-local-locator [ipv4-local-locator]
no ipv6 lisp proxy-itr ipv6-local-locator [ipv4-local-locator]
ipv6-local-locator | IPv6 locator address used as a source address for encapsulation of data packets, a data probe, or a Map-Request message. |
ipv4-local-locator | (Optional) IPv4 locator address used as a source address for encapsulation of data packets, a data probe, or a Map-Request message when the locator-hash function returns a destination Routing Locator (RLOC) in the IPv4 address family. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
The Cisco NX-OS device receives native packets from non-LISP sites that are destined for LISP sites, encapsulates them, and forwards them to the ETR that is authoritative for the destination LISP site EID.
PITR services are required to provide interworking between non-LISP sites and LISP sites. For example, when connected to the Internet, a PITR acts as a gateway between the legacy Internet and the LISP-enabled network. The PITR must advertise one or more highly aggregated endpoint identifier (EID) prefixes on behalf of LISP sites into the underlying DFZ (that is the Internet) and act as an Ingress Tunnel Router (ITR) for traffic received from the public Internet.
When you enable PITR services by using the ipv6 lisp proxy-itr command, the PITR creates LISP-encapsulated packets when it sends a data packet to a LISP site, sends a data probe, or sends a Map-Request message. The outer (LISP) header address family and source address are determined as follows:
When you configure a switch to function as an IPv4 PITR, you can also configure it to use the LISP-ALT for IPv4 EID-to-RLOC mapping resolution. When configured to use the LISP-ALT, the PITR sends its Map-Request messages directly over the LISP-ALT using the virtual routing and forwarding (VRF) instance that you specify with the ipv6 lisp alt-vrf command. A PITR can send a Map Request to a configured Map Resolver for EID-to-RLOC mapping resolution as an alternative to sending a Map Request directly over the LISP-ALT (see the ipv6 map-resolver command). When using a PITR in a virtualized LISP deployment, you must configure the PITR to use a Map-Resolver for EID-to-RLOC mapping resolution and not the LISP-ALT because the LISP-ALT does not support virtualization.
Note | A switch that is configured as an Ingress Tunnel Router (ITR) performs a check to see if the source of any packet intended for LISP encapsulation is within the address range of a local EID prefix. A Cisco NX-OS device configured as a PITR does not perform this check. Unlike the Cisco IOS LISP implementation, in Cisco NX-OS you can configure a Cisco NX-OS device to support both Ingress Tunnel Router (ITR) and PITR functionality at the same time. If you configure a Cisco NX-OS device as an Ingress Tunnel Router (ITR) and as a PITR, preference goes to PITR functionality for packet processing. |
This command does not require a license.
This example shows how to configure the LISP PITR functionality on the NX-OS device and to encapsulate packets using a source locator:
switch# configure terminal
switch(config)# ipv6 lisp proxy-itr 2001:db8:bb::1
Command | Description |
---|---|
ipv6 lisp alt-vrf | Configures which VRF supporting the IPv6 address-family LISP should use when sending Map Requests for an IPv6 EID-to-RLOC mapping directly over the ALT. |
ipv6 lisp itr | Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
To configure the shortest IPv6 endpoint identifier (EID)-prefix mask length that is acceptable to an ingress tunnel router (ITR) or Proxy ITR (PITR) in a received Map-Reply message or to an ETR in the mapping-data record of a received Map Request, use the ipv6 lisp shortest-eid-prefix-length command. To return to the default configuration, use the no form of this command.
ipv6 lisp shortest-eid-prefix-length IPv6-EID-prefix-length
no ipv6 lisp shortest-eid-prefix-length IPv6-EID-prefix-length
IPv6-EID-prefix-length | Shortest IPv6 EID prefix-length accepted from a Map Reply or data record in a Map Request. The range is from 0 to 128. |
48
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When an Ingress Tunnel Router (ITR) or PITR receives a Map Reply message, the mapping data it contains includes the EID mask-length for the returned EID prefix. By default, the shortest EID prefix mask length accepted by an Ingress Tunnel Router (ITR) or PITR for an IPv4 EID prefix is a /48.
You can use the ipv6 lisp shortest-eid-prefix-length command to change this default. For example, it might be necessary for a PITR to accept a shorter (coarser) prefix if one exists.
When an ETR receives a Map-Request message, it might contain a mapping data record that the ETR can cache and possibly use to forward traffic depending on the configuration of the ipv6 lisp etr accept-map-request-mapping command.
Use the ipv6 lisp shortest-eid-prefix-length command to change the shortest prefix length accepted by the ETR. In this case, the check for the shortest EID prefix mask length is done prior to the verifying Map Request, if also configured. If the EID prefix mask length is less than the configured value, the verifying Map Request is not sent and the mapping data is not accepted.
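The acceptance logic described above can be modeled as follows. This is an added illustration, not Cisco code: the MapCache class, the Verdict type, the etr_verify flag and all addresses are hypothetical or constructed, and only the default of 48 and the ordering of the checks come from this page. It shows what a lowered minimum lets into the map-cache.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_SHORTEST_LEN = 48  # default stated in this command reference

@dataclass
class Verdict:
    accepted: bool     # record passed the mask-length check
    verify_sent: bool  # ETR only: a verifying Map-Request goes out
    reason: str

def check_record(eid_prefix, shortest_len=DEFAULT_SHORTEST_LEN, etr_verify=False):
    """Mask-length check, applied before any verifying Map-Request."""
    try:
        net = ipaddress.ip_network(eid_prefix, strict=False)
    except ValueError:
        return Verdict(False, False, "unparseable EID prefix")
    if net.version != 6:
        return Verdict(False, False, "not an IPv6 EID prefix")
    if net.prefixlen < shortest_len:
        # Too coarse: dropped, and no verifying Map-Request is sent.
        return Verdict(False, False, f"/{net.prefixlen} is shorter than /{shortest_len}")
    return Verdict(True, etr_verify, "mask length acceptable")

class MapCache:
    """Hypothetical ITR/PITR map-cache keyed by EID prefix."""
    def __init__(self, shortest_len=DEFAULT_SHORTEST_LEN):
        self.shortest_len = shortest_len
        self.entries = {}

    def learn(self, eid_prefix, rloc):
        verdict = check_record(eid_prefix, self.shortest_len)
        if verdict.accepted:
            self.entries[ipaddress.ip_network(eid_prefix, strict=False)] = rloc
        return verdict

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        hits = [net for net in self.entries if ip in net]
        if not hits:
            return None  # no mapping: the ITR would have to send a Map-Request
        return self.entries[max(hits, key=lambda net: net.prefixlen)]

# Constructed Map-Reply records: (EID prefix, RLOC)
REPLIES = [("2001:db8:aa::/48", "192.0.2.1"), ("2001:db8::/32", "198.51.100.9")]

def resolve_with(shortest_len, dst="2001:db8:cc::1"):
    cache = MapCache(shortest_len)
    accepted = [cache.learn(prefix, rloc).accepted for prefix, rloc in REPLIES]
    return accepted, cache.lookup(dst)

if __name__ == "__main__":
    print(resolve_with(48))
    print(resolve_with(32))
```

With the default of 48 the /32 record is refused and the unrelated destination stays unresolved; with the minimum lowered to 32 the same record is cached and attracts every destination that has no more-specific entry.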
This example shows how to configure the NX-OS device to accept a minimum IPv6 EID prefix length:
switch# configure terminal
switch(config)# ipv6 lisp shortest-eid-prefix-length 40
Command | Description |
---|---|
ipv6 lisp etr | Configures the switch to act as an IPv6 LISP Egress Tunnel Router (ETR). |
ipv6 lisp itr | Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp proxy-itr | Configures the switch to act as an IPv6 LISP Proxy Ingress Tunnel Router (PITR). |
To configure a source locator to be used for IPv6 Locator/ID Separation Protocol (LISP)-encapsulated packets, use the ipv6 lisp source-locator command. To remove the configured source locator, use the no form of this command.
ipv6 lisp source-locator interface
no ipv6 lisp source-locator interface
interface | Name of the interface whose IPv6 address should be used as the source locator address for outbound LISP-encapsulated packets. |
The IPv6 address of the outbound interface is used by default as the source locator address for outbound LISP-encapsulated packets.
Interface configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When sending a LISP-encapsulated packet (data or control message), the Cisco NX-OS device performs a destination lookup to determine the appropriate outgoing interface. By default, the IPv6 address of this outgoing interface is used as the source locator for the outbound LISP-encapsulated packet.
You might need to use the IPv6 address of a different interface as the source locator for the outbound LISP-encapsulated packets rather than that of the outgoing interface. For example, when an Ingress Tunnel Router (ITR) has multiple egress interfaces, you might configure a loopback interface for stability purposes and instruct the Ingress Tunnel Router (ITR) to use the address of this loopback interface as the source locator for the outbound LISP-encapsulated packets rather than one or both of the physical interface addresses. The ipv6 lisp source-locator command is also important for maintaining locator consistency between the two LISP Tunnel Routers (xTRs) when RLOC-probing is used.
This command does not require a license.
This example shows how to configure the source locator when sending LISP encapsulated packets:
switch# configure terminal
switch(config)# interface Ethernet 2/0
switch(config-if)# ipv6 lisp source-locator Loopback0
switch(config-if)# interface Ethernet2/1
switch(config-if)# ipv6 lisp source-locator Loopback0
Command | Description |
---|---|
ipv6 lisp itr | Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
To configure IPv6 Locator/ID Separation Protocol (LISP) translation mapping, use the ipv6 lisp translate command. To remove IPv6 LISP translation mappings and return to the default value, use the no form of this command.
ipv6 lisp translate inside IPv6-inside-EID outside IPv6-outside-EID
no ipv6 lisp translate inside IPv6-inside-EID outside IPv6-outside-EID
inside | Indicates that the inside (nonroutable) IPv6 endpoint identifier (EID) prefix follows. |
IPv6-inside-EID | Nonroutable IPv6 address associated with an inside EID prefix. |
outside | Indicates that the outside (routable) IPv6 EID prefix follows. |
IPv6-outside-EID | Routable IPv6 address associated with an outside EID prefix. |
None
Global configuration mode
network-admin
vdc-admin
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When you configure a LISP Ingress Tunnel Router (ITR) or Egress Tunnel Router (ETR) with a nonroutable EID prefix and you want to replace it with a routable EID prefix, use the ipv6 lisp translate command. A LISP device that acts as an Ingress Tunnel Router (ITR) and detects a nonroutable EID in the source IPv4 address field replaces it with the routable EID when you use the inside and outside keywords. In the opposite direction, when acting as an ETR, it replaces the routable EID referred to by the outside keyword with the nonroutable EID referred to by the inside keyword.
Note | The outside EID address can be assigned to the Cisco NX-OS device itself, in which case it responds to Address Resolution Protocol (ARP) requests, ICMP echo-requests (ping) and any other packet sent to this address. When you do not assign the outside EID to the device, the address does not answer ARP requests. |
This feature may be useful if you want to upgrade but you want to continue to communicate with non-LISP sites. An alternative approach for providing communications between LISP and non-LISP sites is to use Proxy-ITR services. See the ipv6 lisp proxy-itr command for further details. Both proxy-ITR and NAT translation services, also referred to as Interworking services, are described in draft-ietf-lisp-interworking-00.
This command does not require a license.
This example shows how to configure LISP to translate the inside address to the outside address:
switch# configure terminal
switch(config)# ipv6 lisp translate inside 2001:db8:aa::1 outside 2001:db8:bb::1
Command | Description |
---|---|
ipv6 lisp etr | Configures the switch to act as an IPv6 LISP Egress Tunnel Router (ETR). |
ipv6 lisp itr | Configures the switch to act as an IPv6 LISP Ingress Tunnel Router (ITR). |
ipv6 lisp proxy-itr | Configures the switch to act as an IPv6 LISP Proxy Ingress Tunnel Router (PITR). |
To configure a switch to use an IPv6 Locator/ID Separation Protocol (LISP) Proxy Egress Tunnel Router (PETR), use the ipv6 lisp use-petr command. To remove the use of a LISP PETR, use the no form of this command.
ipv6 lisp use-petr locator-address
no ipv6 lisp use-petr locator-address
locator-address | IPv4 or IPv6 locator address of the PETR. |
None
Global configuration mode
Release | Modification |
---|---|
5.0(1.13) | This command was introduced. |
When the use of PETR services is enabled, instead of natively forwarding packets destined to non-LISP sites, these packets are LISP-encapsulated and forwarded to the PETR, where these packets are then deencapsulated and forwarded natively toward the non-LISP destination. An Ingress Tunnel Router (ITR) or PITR can be configured to use PETR services.
PETR services might be necessary in several cases. By default, when a LISP site forwards packets to a non-LISP site natively (not LISP encapsulated), the source IP address of the packet is that of a site endpoint identifier (EID). If the provider side of the access network is configured with strict unicast reverse path forwarding (uRPF), it considers these packets to be spoofed and drops them because EIDs are not advertised in the provider default free zone (DFZ). In this case, instead of natively forwarding packets destined to non-LISP sites, the Ingress Tunnel Router (ITR) encapsulates these packets using the site locator as the source address and the PETR as the destination address. Packets destined for LISP sites follow normal LISP forwarding processes and are sent directly to the destination ETR.
Note | Because LISP supports mixed protocol encapsulations, the locator specified for the PETR can either be an IPv4 or IPv6 address. Up to eight PETRs can be configured per address family. |
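The uRPF interaction described here, and under the ipv6 lisp proxy-etr command earlier, can be traced with a small model. This is an added example, not Cisco code: the function names, the map-cache standing in for "the destination is a LISP site", and all addresses are constructed assumptions, except the PETR locator 10.1.1.1, which is the one used in this page's example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # original packet when LISP-encapsulated

def covered(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def strict_urpf_accepts(pkt, routes_toward_customer):
    """Provider edge, strict uRPF: the source must route back out the receiving link."""
    return covered(pkt.src, routes_toward_customer)

def itr_forward(pkt, map_cache, site_locators, petr=None):
    """Return what the ITR puts on the wire for a packet sourced from a site EID."""
    dst = ipaddress.ip_address(pkt.dst)
    hits = [p for p in map_cache if dst in ipaddress.ip_network(p)]
    if hits:
        # LISP destination: encapsulate straight to the authoritative ETR.
        best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
        rloc = map_cache[best]
    elif petr is not None:
        # Non-LISP destination with use-petr configured: encapsulate to the PETR.
        rloc = petr
    else:
        return pkt  # forwarded natively, still carrying the EID as its source
    # Mixed encapsulation: the outer source follows the RLOC's address family.
    outer_src = site_locators[ipaddress.ip_address(rloc).version]
    return Packet(outer_src, rloc, inner=pkt)

# Constructed topology (documentation address ranges).
MAP_CACHE = {"2001:db8:bb::/48": "203.0.113.7"}          # remote LISP site
SITE_LOCATORS = {4: "192.0.2.2", 6: "2001:db8:ff::2"}    # this site's RLOCs
PROVIDER_ROUTES = ["192.0.2.0/30", "2001:db8:ff::/64"]   # EIDs are not in here
PETR = "10.1.1.1"                                        # from the page's example

def scenario(dst, petr):
    pkt = Packet("2001:db8:aa::10", dst)  # source is a site EID
    wire = itr_forward(pkt, MAP_CACHE, SITE_LOCATORS, petr)
    return wire, strict_urpf_accepts(wire, PROVIDER_ROUTES)

if __name__ == "__main__":
    for petr in (None, PETR):
        print(petr, scenario("2001:db8:1234::5", petr))
```

Without a PETR the native packet keeps its EID source and fails the strict uRPF check; with the PETR configured the outer source is the site locator and the packet passes.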
This command does not require a license.
This example shows how to configure an Ingress Tunnel Router (ITR) to use the PETR with the IPv6 locator:
Note | This example assumes that the PETR supports dual-stack connectivity. |
switch# configure terminal
switch(config)# ipv6 lisp use-petr 10.1.1.1
Command | Description |
---|---|
ipv6 lisp proxy-etr | Configures the switch to act as an IPv6 LISP Proxy Egress Tunnel Router (PETR). |
To configure a default route to the upstream next hop for all IPv6 destinations, use the ipv6 route command. To remove the default route to the upstream next hop for all IPv6 destinations, use the no form of this command.
ipv6 route ipv6-prefix next-hop
no ipv6 route ipv6-prefix next-hop
ipv6-prefix | IPv6 prefix format: xxxx:xxxx/ml, xxxx:xxxx::/ml, xxxx::xx/128. |
next-hop | Link local next hop interface. IPv6 address format: aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh, aaaa::bbbb. |
None
Global configuration mode
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
Adding an IPv6 default route to Null0 ensures that all IPv6 packets are handled by LISP processing. (Use of the static route to Null0 is not strictly required, but is recommended as a LISP best practice). If the destination is another LISP site, packets are LISP-encapsulated (using IPv4 RLOCs) to the remote site. If the destination is non-LISP, all IPv6 EIDs are LISP-encapsulated to a PETR (assuming one is configured).
This command does not require a license.
This example shows how to configure a default route to the upstream next hop for all IPv6 destinations:
switch# configure terminal
switch(config)# ipv6 route ::/0 null0
switch(config)#
Command | Description |
---|---|
ipv6 lisp proxy-etr | Configures the switch to act as an IPv6 LISP Proxy Egress Tunnel Router (PETR). |