Dataplane Security - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex

Chapter 41
Configuring Campus Fabric

Dataplane Security

Campus Fabric Data Plane Security ensures that only traffic originating inside a fabric domain is decapsulated by the edge device at its destination. Edge and border devices in the fabric domain validate that the source Routing Locator (RLOC), that is, the uplink interface address carried in the outer header of the encapsulated data packet, belongs to a member of the fabric domain.
Data Plane Security therefore prevents the edge-device source addresses in encapsulated data packets from being spoofed. Packets injected from outside the fabric domain carry source RLOCs that are not members of the domain, and edge and border devices drop them during decapsulation. Note that this is a membership check on the outer source address only; it does not authenticate or encrypt the encapsulated payload.
Configuring Dataplane Security on Fabric Edge Devices

You can configure Cisco Catalyst 4500-E series switches as edge devices only.

Before You Begin

To configure dataplane security in static mode:

- Configure a loopback0 IP address on each edge device so that the device is reachable, and apply the ip lisp source-locator loopback0 command to the uplink interface so that the loopback address is used as the source RLOC of encapsulated packets.
- Ensure that your underlay configuration is set up.
- Configure the control-plane devices and border devices in your fabric domain. Cisco Catalyst 4500-E series switches cannot be configured as control-plane or border devices. For more information on configuring dataplane security on control-plane and border devices, see the Overlay section in Software Configuration Guide, Cisco IOS XE Denali 16.3.x (Catalyst 3850 Switches).

Procedure

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# router lisp
Purpose: Enters LISP configuration mode.

Step 3
Command: Switch(config-router-lisp)# decapsulation filter rloc source member
Purpose: Enables source RLOC address validation of encapsulated packets in the fabric domain.

Step 4
Command: Switch(config-router-lisp)# exit
Purpose: Exits LISP configuration mode and returns to global configuration mode.

Step 5
Command: Switch(config)# exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.

Step 6
Command: Switch# show lisp [session [established] | vrf [vrf-name [session [peer-address]]]]
Purpose: Displays reliable transport session information. If there is more than one transport session, the corresponding information is displayed for each session.

Step 7
Command: Switch# show lisp decapsulation filter [IPv4-rloc-address | IPv6-rloc-address] [eid-table eid-table-vrf | instance-id iid]
Purpose: Displays RLOC address configuration details (whether manually configured or discovered) on the edge device.
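The prerequisites and the procedure above, collected into one edge-device configuration as an added example (this is not configuration taken from the manual; the loopback address 10.255.0.1, the uplink interface TenGigabitEthernet1/1 and its point-to-point address are assumed, and your uplink interface name depends on the chassis and module in use):

```cisco
! Source RLOC of this edge device. Every other fabric device must be able to
! reach this address over the underlay (assumed address).
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Uplink toward the fabric underlay (assumed interface and address).
! ip lisp source-locator makes encapsulated packets leave with the
! Loopback0 address as their source RLOC, which is what the decapsulation
! filter on the far side checks against its member list.
interface TenGigabitEthernet1/1
 ip address 10.0.12.1 255.255.255.252
 ip lisp source-locator Loopback0
!
! Drop any encapsulated packet whose outer source RLOC is not a member of
! the fabric domain (Step 3 of the procedure).
router lisp
 decapsulation filter rloc source member
 exit
!
! Verification from privileged EXEC (Steps 6 and 7): confirm the reliable
! transport session to the control plane is up and that the peer edge
! devices' loopback RLOCs are listed as members of the filter.
end
show lisp session established
show lisp decapsulation filter
```

After the session is established, the output of show lisp decapsulation filter is the list the edge device actually enforces; an encapsulated packet arriving on the uplink with an outer source address that is not in that list is dropped before decapsulation, so check that every peer edge device's loopback appears there before treating the fabric as protected.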
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex