Campus Fabric

Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs. Fabric Overlay provides services such as host mobility and enhanced security, which are additional to normal switching and routing capabilities.

Campus Fabric Overlay provisioning consists of three main components:

• Control-Plane

• Data-Plane

• Policy-Plane

Understanding Fabric Domain Elements

The following figure displays the elements that make up the fabric domain.

  • Fabric Edge Devices — Provide connectivity to users and devices that connect to the fabric domain. Fabric edge devices identify and authenticate endpoints, and register endpoint ID information in the fabric host-tracking database. They encapsulate at ingress and decapsulate at egress, to forward traffic to and from endpoints connected to the fabric domain.
  • Fabric Control-Plane Devices — Provide overlay reachability information and endpoints-to-routing-locator mapping, in the host-tracking database. The control-plane device receives registrations from fabric edge devices with local endpoints, and resolves requests from edge devices to locate remote endpoints.
  • Fabric Border Devices — Connect traditional Layer 3 networks or different fabric domains to the local domain, and translate reachability and policy information, such as VRF and SGT information, from one domain to another.
  • Virtual Contexts — Provide virtualization at the device level, using virtual routing and forwarding (VRF) to create multiple instances of Layer 3 routing tables. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation.
  • Host-Pools — Group endpoints in the fabric domain into IP pools, and identify them with a VLAN ID and an IP subnet.

Campus Fabric Configuration Guidelines

Consider the following guidelines and limitations when configuring campus fabric elements:

  • A Catalyst 6500 switch can act as a border router or control-plane device.
  • Fabric edge functionality will not be supported on the Catalyst 6500 switch.
  • If RBACL enforcement is not done on the border router, then the user needs to configure SGT caching on the border and transport the SGT via SXP to a further upstream router.
  • Configure no more than 250 virtual contexts in each fabric border node.

How to Configure Fabric Overlay

Configuring Fabric Edge Devices

For detailed instructions, see this publication:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_010100010.html

Configuring Control-Plane Devices

To configure control-plane devices, use the following LISP commands:

Before You Begin

Configure a loopback IP address for the control-plane device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters Locator/ID Separation Protocol (LISP) configuration mode.

Step 4

site site-name

Example:

Device(config-router-lisp)# site FD_Default

Configures a LISP site on a control-plane device and enters LISP site configuration mode.

Step 5

authentication-key key

Example:

Device(config-router-lisp-site)# authentication-key examplekey

Configures the password used to create the Hash-based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA-1) hash for authenticating the map-register messages sent by edge devices when registering with the control-plane device.

Step 6

eid-prefix [ instance-id instance-id] eid-prefix accept-more-specifics

Example:

Device(config-router-lisp-site)# eid-prefix 10.1.0.0/16 accept-more-specifics

Device(config-router-lisp-site)# eid-prefix instance-id 10 10.1.0.0/16 accept-more-specifics

Configures a host-pool or a list of endpoint identifier (EID) prefixes that are allowed in a map-register message sent by the edge device when registering with the control-plane device. Specifies that an EID prefix that is more specific than the EID prefix configured is accepted and tracked. The instance-id keyword includes the specified instance ID (the instance ID used by the context you want to include in the host-pool) with the host-pool when it is registered with the control-plane device.

Step 7

exit

Example:

Device(config-router-lisp-site)# exit

Exits LISP site configuration mode and returns to LISP configuration mode.

Step 8

Repeat Step 4 to Step 7 to configure another LISP site.

Step 9

ipv4 map-server

Example:

Device(config-router-lisp)# ipv4 map-server

Configures a device to act as an IPv4 control-plane device.

Step 10

ipv4 map-resolver

Example:

Device(config-router-lisp)# ipv4 map-resolver

In the fabric domain, the control-plane device acts as the map-server and the map-resolver. Enables the control-plane device with IPv4 LISP map resolver capabilities.

Step 11

end

Example:

Device(config-router-lisp)# end

Exits LISP configuration mode and returns to privileged EXEC mode.
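
The two checks that Step 5 and Step 6 configure on the control-plane device, shown as an added Python sketch (not Cisco code): the map-register is authenticated with HMAC-SHA-1 computed over the message with its authentication field zeroed, and the registered EID must fall inside a configured eid-prefix. The site values mirror the site1 example later on this page; the record layout, the helper names and the use of instance ID 0 for the untagged prefix are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

HDR = struct.Struct("!IQHH")  # type/flags/record-count word, nonce, key ID, auth length
REC = struct.Struct("!IB4s")  # simplified record (assumption): instance ID, mask, IPv4 EID
TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA-1 output
# Mirrors "site site1" in the example configuration: (instance ID, prefix, more-specifics).
SITE1_KEY = b"key1"
SITE1 = [(0, "120.1.1.0/24", True), (1, "20.1.1.0/24", True)]


def build_register(key, instance_id, eid, nonce=0x1122334455667788):
    """Constructed edge-side message: HMAC is computed with the auth field zeroed."""
    net = ipaddress.ip_network(eid)
    hdr = HDR.pack(0x30000001, nonce, 1, TAG_LEN)  # type 3, one record, key ID 1
    rec = REC.pack(instance_id, net.prefixlen, net.network_address.packed)
    tag = hmac.new(key, hdr + bytes(TAG_LEN) + rec, hashlib.sha1).digest()
    return hdr + tag + rec


def accept_register(msg, key, site_prefixes):
    """Control-plane side: authenticate first, then apply the eid-prefix policy."""
    if len(msg) != HDR.size + TAG_LEN + REC.size:
        return "reject: malformed"
    _, _, key_id, auth_len = HDR.unpack_from(msg)
    if key_id != 1 or auth_len != TAG_LEN:
        return "reject: malformed"
    body = msg[HDR.size + TAG_LEN:]
    expected = hmac.new(key, msg[:HDR.size] + bytes(TAG_LEN) + body, hashlib.sha1).digest()
    if not hmac.compare_digest(msg[HDR.size:HDR.size + TAG_LEN], expected):
        return "reject: bad authentication"
    iid, masklen, addr = REC.unpack(body)
    try:
        eid = ipaddress.ip_network((addr, masklen))
    except ValueError:  # mask > 32 or host bits set
        return "reject: malformed"
    for site_iid, prefix, more_specifics in site_prefixes:
        allowed = ipaddress.ip_network(prefix)
        if iid == site_iid and (eid == allowed or (more_specifics and eid.subnet_of(allowed))):
            return "accept"
    return "reject: EID not in site"


if __name__ == "__main__":
    for key, iid, eid in [(b"key1", 0, "120.1.1.25/32"), (b"guess", 0, "120.1.1.25/32"),
                          (b"key1", 0, "20.1.1.5/32")]:
        print(eid, iid, accept_register(build_register(key, iid, eid), SITE1_KEY, SITE1))
```

A host route registered under the wrong instance ID is rejected even with a valid key, which is the segmentation property the instance-id keyword provides.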

Configuring Border Devices

To configure a border device, use the following LISP commands.

Before You Begin

Configure a loopback IP address for the border device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters LISP configuration mode.

Step 4

encapsulation vxlan

Example:

Device(config-router-lisp)# encapsulation vxlan

Specifies VXLAN-based encapsulation.

Step 5

eid-table default instance-id instance-id

Example:

Device(config-router-lisp)# eid-table default instance-id 0

Associates the default EID table with the specified instance ID.

Control-plane device messages include this instance ID along with the associated EID prefixes.

Step 6

map-cache eid-prefix ipv4 address/subnet mask map-request

Example:

Device(config-router-lisp)# map-cache 10.1.1.0/24 map-request

Configures a static IPv4 EID-to-RLOC mapping relationship by adding a map-cache with action send-map-request for the specified dynamic EID or host pool.

Step 7

ipv4 sgt

Example:

Device(config-router-lisp)# ipv4 sgt

Enables the transport of Security Group Tags (SGT) in the fabric. For more information on SGTs, see the Cisco TrustSec Configuration Guide.

Step 8

ipv4 proxy-etr

Example:

Device(config-router-lisp)# ipv4 proxy-etr

Enables the border device service in the fabric domain.

Step 9

ipv4 proxy-itr ipv4 address

Example:

Device(config-router-lisp)# ipv4 proxy-itr 10.1.1.1

Configures the device to operate as an IPv4 proxy ingress tunnel router (PITR), and configures the interface IP address used as a source address for encapsulation of data packets. The IPv4 locator address is used as the source address for data packets or map-request messages.

Step 10

ipv4 itr map-resolver ipv4 address

Example:

Device(config-router-lisp)# ipv4 itr map-resolver 10.1.1.2

Configures the IP address of the map-resolver that the device queries for the RLOC corresponding to a destination EID IP address.

Step 11

exit

Example:

Device(config-router-lisp)# exit

Exits LISP configuration mode and enters global configuration mode.

Step 12

ip route ipv4-prefix next-hop

Example:

Device(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1

Configures an IPv4 static route.

Step 13

exit

Example:

Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Example: Configuring Fabric Border and Control-Plane Devices

Fabric Border Router

vrf definition abcd
rd 1:1
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
interface Loopback10
ip address 1.3.3.3 255.255.255.255
!
! North upstream facing
interface TenGigabitEthernet2/8
ip address 119.1.1.1 255.255.255.0
!
! North upstream facing
interface TenGigabitEthernet2/9
vrf forwarding abcd
ip address 19.1.1.1 255.255.255.0
!
! South RLOC facing
interface TenGigabitEthernet 4/12
ip address 141.1.1.2 255.255.255.0
ip lisp source-locator Loopback10
!
router lisp
encapsulation vxlan
locator-set set1
1.3.3.3 priority 1 weight 100
exit
!
eid-table default instance-id 0
! EID subnet at fabric edge
map-cache 120.1.1.0/24 map-request
exit
!
eid-table vrf abcd instance-id 1
! EID subnet at fabric edge
map-cache 20.1.1.0/24 map-request
exit
!
ipv4 sgt
ipv4 proxy-etr
ipv4 proxy-itr 1.3.3.3
ipv4 itr map-resolver 1.4.4.4
exit

Control Plane

interface Loopback10
ip address 1.4.4.4 255.255.255.255
!
router lisp
encapsulation vxlan
locator-set set1
1.4.4.4 priority 1 weight 100
exit
!
site site1
authentication-key key1
eid-prefix 120.1.1.0/24 accept-more-specifics
eid-prefix instance-id 1 20.1.1.0/24 accept-more-specifics
exit
!
ipv4 map-server
ipv4 map-resolver
exit