Saturday, 22 June 2013

LISP Mobility across subnets with CSR1000V

Today I tested LISP Mobility across subnets with the CSR1000V,
following the Cisco document "Cisco LISP Mobility across subnets".

The lab setup :
In this scenario we're moving one VM from DC1 to DC2 via LISP without any L2 connection between the DC-networks.

IP addressing scheme :

Branch-Router
Gi1 192.168.3.245/24 (CORE-Network)
Gi2 192.168.4.254/24 (Branch)

DC1-R1
Lo0 1.1.1.1/32
Gi1 192.168.3.241/24 (CORE-Network)
Gi2 10.1.1.241/24 (DC 1)

DC1-R2
Lo0 1.1.1.2/32
Gi1 192.168.3.242/24 (CORE-Network)
Gi2 10.1.1.242/24 (DC 1)
HSRP 10.1.1.254/24

DC2-R3
Lo0 2.2.2.1/32
Lo10 1.1.1.100/32 (Map-Server / Map-Resolver)
Gi1 192.168.3.243/24 (CORE-Network)
Gi2 10.2.1.243/24 (DC 2)

DC2-R4
Lo0 2.2.2.2/32
Gi1 192.168.3.244/24 (CORE-Network)
Gi2 10.2.1.244/24 (DC 2)
HSRP 10.2.1.254/24

DC1-Host 10.1.1.1
DC2-Host 10.2.1.1
Branch-Host 192.168.4.1

VMware network map : [figure not available]

Basic Configurations :

Branch-Router

!
! Last configuration change at 12:31:55 UTC Sat Jun 22 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Branch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
!
!
!
!


!
ip dhcp pool BRANCH
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254 
!
!
!
!
!
!
!
!
!         
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
!         
! 
!
!
!
!
!
!
!
!
! 
! 
!
interface LISP0
!
interface GigabitEthernet1
 description CORE Network
 ip address 192.168.3.245 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description BRANCH NETWORK
 platform ring rx 256
 ip address 192.168.4.252 255.255.255.0
 standby 0 preempt
 standby 4 ip 192.168.4.254
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address dhcp
 negotiation auto
!
!
router eigrp 1
 network 192.168.3.0
!
router lisp
 database-mapping 192.168.4.0/24 IPv4-interface GigabitEthernet1 priority 1 weight 100
 ipv4 itr map-resolver 1.1.1.100
 ipv4 itr
 ipv4 etr map-server 1.1.1.100 key BRANCH
 ipv4 etr
 exit
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
cdp run
!
!
!
control-plane
!
 !
 !
 !
!
!
!
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 no login
line vty 5 15
 privilege level 15
 no login
!
!
end

Branch#  

DC1-R1

!
! Last configuration change at 17:47:49 UTC Sat Jun 22 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname DC1-R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!


!
!
!
!
!
!
!
!
!
!
!         
otv site bridge-domain 101
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license accept end user agreement
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
!
! 
!
!
!
!
!
!
!
!
! 
! 
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface LISP0
!
interface GigabitEthernet1
 description CORE NETWORK
 ip address 192.168.3.241 255.255.255.0
 negotiation auto
 ipv6 address autoconfig default
!
interface GigabitEthernet2
 description DC1
 ip address 10.1.1.241 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 preempt
 standby 1 mac-address 00a0.0000.0001
 negotiation auto
 lisp mobility MOBILITY
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address dhcp
 negotiation auto
!
!
router eigrp 1
 network 1.0.0.0
 network 192.168.3.0
 passive-interface GigabitEthernet2
!
router lisp
 locator-set DC
  1.1.1.1 priority 1 weight 50
  1.1.1.2 priority 1 weight 50
  exit
 !
 database-mapping 10.1.0.0/16 1.1.1.1 priority 1 weight 50
 database-mapping 10.1.0.0/16 1.1.1.2 priority 1 weight 50
 dynamic-eid MOBILITY
  database-mapping 10.1.1.0/24 locator-set DC
  map-notify-group 224.0.0.100
  exit
 !
 ipv4 itr map-resolver 1.1.1.100
 ipv4 itr
 ipv4 etr map-server 1.1.1.100 key DC1
 ipv4 etr
 exit
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip pim ssm default
!         
!
cdp run
!
!
!
control-plane
!
 !
 !
 !
!
!
!
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 no login
line vty 5 15
 privilege level 15
 no login
!
!
end



DC1-R2

!
! Last configuration change at 17:48:53 UTC Sat Jun 22 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname DC1-R2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
!
!
!
!


!
!
!
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!         
!
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
!
! 
!
!
!         
!
!
!
!
!
! 
! 
!
interface Loopback1
 ip address 1.1.1.2 255.255.255.255
!
interface LISP0
!
interface GigabitEthernet1
 description CORE-Network
 ip address 192.168.3.242 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description DC1
 ip address 10.1.1.242 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 preempt
 standby 1 mac-address 00a0.0000.0001
 negotiation auto
 lisp mobility MOBILITY
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address dhcp
 negotiation auto
!
!
router eigrp 1
 network 1.0.0.0
 network 192.168.3.0
 passive-interface GigabitEthernet2
!
router lisp
 locator-set DC
  1.1.1.1 priority 1 weight 50
  1.1.1.2 priority 1 weight 50
  exit
 !
 database-mapping 10.1.0.0/16 1.1.1.1 priority 1 weight 50
 database-mapping 10.1.0.0/16 1.1.1.2 priority 1 weight 50
 dynamic-eid MOBILITY
  database-mapping 10.1.1.0/24 locator-set DC
  map-notify-group 224.0.0.100
  exit    
 !    
 ipv4 itr map-resolver 1.1.1.100
 ipv4 itr
 ipv4 etr map-server 1.1.1.100 key DC1
 ipv4 etr
 exit
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip pim ssm default
!
!
!
!
!
control-plane
!
 !
 !
 !
!
!
!         
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 no login
line vty 5 15
 privilege level 15
 no login
!
!
end

DC1-R2# 


DC2-R3

!
! Last configuration change at 17:49:41 UTC Sat Jun 22 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname DC2-R3
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
!
!
!
!


!
!
!
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!         
!
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
!
! 
!
!
!         
!
!
!
!
!
! 
! 
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.255
!
interface Loopback10
 ip address 1.1.1.100 255.255.255.255
 delay 1000000
!
interface LISP0
!
interface GigabitEthernet1
 description CORE-Network
 ip address 192.168.3.243 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description DC2
 ip address 10.2.1.243 255.255.255.0
 standby 1 ip 10.2.1.254
 standby 1 preempt
 standby 1 mac-address 00a0.0000.0001
 negotiation auto
 lisp mobility MOBILITY
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address dhcp
 negotiation auto
!
!
router eigrp 1
 network 1.0.0.0
 network 2.0.0.0
 network 192.168.3.0
 passive-interface GigabitEthernet2
!
router lisp
 locator-set DC
  2.2.2.1 priority 1 weight 50
  2.2.2.2 priority 1 weight 50
  exit
 !
 site BRANCH
  authentication-key BRANCH
  eid-prefix 192.168.4.0/24 accept-more-specifics
  exit
 !
 site DC1
  authentication-key DC1
  eid-prefix 10.1.0.0/16 accept-more-specifics
  exit
 !
 site DC2
  authentication-key DC2
  eid-prefix 10.2.0.0/16 accept-more-specifics
  exit
 !
 database-mapping 10.2.0.0/16 2.2.2.1 priority 1 weight 1
 database-mapping 10.2.0.0/16 2.2.2.2 priority 1 weight 1
 dynamic-eid MOBILITY
  database-mapping 10.1.1.0/24 locator-set DC
  map-notify-group 224.0.0.100
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 1.1.1.100
 ipv4 itr
 ipv4 etr map-server 1.1.1.100 key DC2
 ipv4 etr
 exit
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip pim ssm default
!
!
cdp run
!
!
!
control-plane
!         
 !
 !
 !
!
!
!
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 no login
line vty 5 15
 privilege level 15
 no login
!
!
end

DC2-R3#   

DC2-R4

!
! Last configuration change at 17:51:23 UTC Sat Jun 22 2013
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname DC2-R4
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 65000 notifications
!
no aaa new-model
!
!
!
!
!


!
!
!
!
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0
!
! 
!
!         
!
!
!
!
!
!
! 
! 
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface LISP0
!
interface GigabitEthernet1
 description CORE-Network
 ip address 192.168.3.244 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 description DC2
 ip address 10.2.1.244 255.255.255.0
 standby 1 ip 10.2.1.254
 standby 1 priority 101
 standby 1 preempt
 standby 1 mac-address 00a0.0000.0001
 negotiation auto
 lisp mobility MOBILITY
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.3.185 255.255.255.0
 negotiation auto
!
!
router eigrp 1
 network 1.0.0.0
 network 2.0.0.0
 network 192.168.3.0
 passive-interface GigabitEthernet2
!
router lisp
 locator-set DC
  2.2.2.1 priority 1 weight 50
  2.2.2.2 priority 1 weight 50
  exit    
 !
 database-mapping 10.2.0.0/16 2.2.2.1 priority 1 weight 50
 database-mapping 10.2.0.0/16 2.2.2.2 priority 1 weight 50
 dynamic-eid MOBILITY
  database-mapping 10.1.1.0/24 locator-set DC
  map-notify-group 224.0.0.100
  exit
 !
 ipv4 itr map-resolver 1.1.1.100
 ipv4 itr
 ipv4 etr map-server 1.1.1.100 key DC2
 ipv4 etr
 exit
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip pim ssm default
ip route 0.0.0.0 0.0.0.0 192.168.3.254
!
!
cdp run   
!
!
!
control-plane
!
 !
 !
 !
!
!
!
!
line con 0
 privilege level 15
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 no login
line vty 5 15
 privilege level 15
 no login 
!
!
end

Let's start :

The initial setup is quite normal. DC1-Host resides in DC1. In this setup, DC1-Host can be reached from the Branch via LISP.


root@DC1-Host:~# ping 192.168.4.1 -c 1
PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
64 bytes from 192.168.4.1: icmp_req=1 ttl=62 time=1.26 ms

--- 192.168.4.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.265/1.265/1.265/0.000 ms
root@DC1-Host:~# 


DC1-R2#show ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 3 entries

0.0.0.0/0, uptime: 06:16:12, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.2.0.0/16, uptime: 00:10:47, expires: 23:49:12, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt
  2.2.2.1  00:10:47  up           1/50 
  2.2.2.2  00:10:47  up           1/50 
192.168.4.0/24, uptime: 05:36:07, expires: 18:23:52, via map-reply, complete
  Locator        Uptime    State      Pri/Wgt
  192.168.3.245  05:36:07  up           1/100
DC1-R2#

Now we move DC1-Host over to DC2.

The ping from DC1 to the Branch-Host shows that we had a short interruption (approx. 4 sec).

After the move from DC1 to DC2, we can see the following dynamic-EID entries in DC2. The * indicates that the HSRP standby router learned of the moved VM through a Map-Notify sent via multicast. It cannot learn it directly, because the moved VM communicates with the HSRP MAC, which is active on DC2-R4.
The LISP Map

DC2-R4#show lisp dynamic-eid summary 
LISP Dynamic EID Summary for VRF "default"

* = Dyn-EID learned by site-based Map-Notify
Dyn-EID Name   Dynamic-EID      Interface     Uptime    Last      Pending
                                                        Packet    Ping Count
MOBILITY       10.1.1.1         Gi2           00:02:13  00:00:16  0 
DC2-R4#
--------------------------------------------------------------------
DC2-R3#show lisp dynamic-eid summary 
LISP Dynamic EID Summary for VRF "default"

* = Dyn-EID learned by site-based Map-Notify
Dyn-EID Name   Dynamic-EID      Interface     Uptime    Last      Pending
                                                        Packet    Ping Count
MOBILITY      *10.1.1.1         Gi2           00:02:52  00:00:47  0 
DC2-R3#  

Let's look at some debugs. What happens during the switchover of the VM from DC1 to DC2:

DC2-R4#debug lisp control-plane dynamic-eid 
LISP control plane dynamic EID debugging is on
DC2-R4#
*Jun 22 18:33:20.727: LISP-0: AF IID 0 IPv4, 10.2.1.1 does not match configured dyn-EID groups.
DC2-R4#
DC2-R4#term mon
DC2-R4#
*Jun 22 18:33:38.080: LISP: Processing dyn-EID detection for GigabitEthernet2 EID prefix 10.1.1.1/32
*Jun 22 18:33:38.080: LISP-0: DynEIDgrp IID 0 [MOBILITY] Sending triggered multicast map-notify.
*Jun 22 18:33:38.080: LISP-0: DynEID IID 0 10.1.1.1 [MOBILITY:GigabitEthernet2] Created.
DC2-R4#show ip route lisp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.3.254 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
l        10.1.1.1/32 [10/1] via 10.1.1.1, 00:02:26, GigabitEthernet2
DC2-R4#

From Branch-Router perspective :

Branch#show ip lisp map-cache    
LISP IPv4 Mapping Cache for EID-table default (IID 0), 5 entries

0.0.0.0/0, uptime: 03:41:28, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
10.1.0.0/16, uptime: 03:39:45, expires: 23:59:46, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt
  1.1.1.1  03:39:45  up           1/50 
  1.1.1.2  03:39:45  up           1/50 
10.1.1.1/32, uptime: 00:07:22, expires: 23:52:37, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt
  2.2.2.1  00:07:22  up           1/50 
  2.2.2.2  00:07:22  up           1/50 
10.2.0.0/16, uptime: 03:30:25, expires: 20:29:35, via map-reply, complete
  Locator  Uptime    State      Pri/Wgt
  2.2.2.1  03:30:25  up           1/1  
  2.2.2.2  03:30:25  up           1/1  
64.0.0.0/2, uptime: 00:23:58, expires: 00:05:53, via map-reply, forward-native
  Negative cache entry, action: forward-native
Branch# 

Now we're moving the VM back to DC1 by changing the NIC network.

Again we're experiencing some packet loss, as the dynamic map entry needs to time out.

See below how DC2-R4 takes care of it:

DC2-R4#show lisp dynamic-eid summary 
LISP Dynamic EID Summary for VRF "default"

* = Dyn-EID learned by site-based Map-Notify
Dyn-EID Name   Dynamic-EID      Interface     Uptime    Last      Pending
                                                        Packet    Ping Count
MOBILITY       10.1.1.1         Gi2           00:14:34  00:00:49  0 
DC2-R4#show lisp dynamic-eid summary 
LISP Dynamic EID Summary for VRF "default"

* = Dyn-EID learned by site-based Map-Notify
Dyn-EID Name   Dynamic-EID      Interface     Uptime    Last      Pending
                                                        Packet    Ping Count
MOBILITY       10.1.1.1         Gi2           00:14:43  00:00:57  0 
DC2-R4#
*Jun 22 18:48:25.359: LISP-0: DynEID IID 0 10.1.1.1 [MOBILITY:GigabitEthernet2] Received ping 100% -> 0% ok event, deleting.
*Jun 22 18:48:25.359: LISP-0: DynEID IID 0 10.1.1.1 [MOBILITY:GigabitEthernet2] Delete.
*Jun 22 18:48:25.359: LISP-0: DynEIDgrp IID 0 [MOBILITY] Sending triggered multicast map-notify.
DC2-R4#show lisp dynamic-eid summary 
LISP Dynamic EID Summary for VRF "default"

* = Dyn-EID learned by site-based Map-Notify
Dyn-EID Name   Dynamic-EID      Interface     Uptime    Last      Pending
                                                        Packet    Ping Count
DC2-R4#

Pros of the solution
- no need for DCI (OTV, vPC, EoMPLS, VPLS)
- runs on any L3 transport
- optimal ingress traffic routing

Small drawbacks of the solution
- In the DOC, Cisco says it's only for cold migration; from my perspective this is no longer valid, as the active DC router now sends a Gratuitous ARP for the moved VM.

See below the ARP entries of DC1-Host before and after the move from DC1 to DC2:
root@DC1-Host:~# arp -an | grep '(10.1.1.2)'
? (10.1.1.2) auf 00:0c:29:99:25:2f [ether] auf eth1
root@DC1-Host:~# 
root@DC1-Host-2:~# arp -an | grep '(10.1.1.1)'
? (10.1.1.1) auf 00:0c:29:0d:b5:cc [ether] auf eth1
root@DC1-Host-2:~#


After 30 seconds the ARP entries were updated when the two Linux hosts communicated:

root@DC1-Host-2:~# arp -an | grep '(10.1.1.2)'
? (10.1.1.2) auf 00:a0:00:00:00:01 [ether] auf eth1
root@DC1-Host-2:~#
root@DC1-Host-2:~# arp -an | grep '(10.1.1.1)'
? (10.1.1.1) auf 00:a0:00:00:00:01 [ether] auf eth1
root@DC1-Host-2:~#


This is because of the Gratuitous ARP from DC1-R1 for 10.1.1.1 with the HSRP vMAC,
and the Proxy-ARP from DC2-R3 for 10.1.1.2 with the HSRP vMAC.

See the complete behaviour in the following trace files:
View from DC1-Host-1 (10.1.1.1)
View from DC1-Host-2 (10.1.1.2)