Source Rloc Decapsulation Filtering; Eid Instance Membership Distribution - Cisco ASR 9000 Series Routing Configuration Manual

Source RLOC Decapsulation Filtering

This illustration shows blue and black customer networks using LISP EID instance ID (IID) 100 and 200,
respectively, over a shared common RLOC core. When decapsulating LISP data packets, the PxTR validates
that packets carrying instance ID 100 have a source (SRC) RLOC in the encapsulation header of either a1,
a2 or a3. Similarly, for instance ID 200 the PxTR validates that the source RLOC is b1, b2 or b3.
LISP encapsulated data packets that do not carry a valid source RLOC are dropped. The combination of RLOC
space uRPF enforcement and source RLOC-based decapsulation filtering ensures that it is not possible for a
source that is not a member of a tenant VPN to inject traffic into the VPN.

EID Instance Membership Distribution

To deploy the source RLOC filtering solution, an automated mechanism is required to push the list of valid
RLOCs through the mapping system to the boxes performing decapsulation. This function is performed by
the Map-Servers. The Map-Servers construct the EID instance ID RLOC membership list using the RLOC
information in the received mapping records in Map-Register messages. The complete list is then pushed out
to all the xTRs and PxTRs that must decapsulate packets for the VPN identified by the EID instance ID.
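The two halves of the mechanism described above, as an added example that is not Cisco's code: a Map-Server that builds the per-instance-ID RLOC membership list from Map-Register records, and the decapsulation check an xTR/PxTR applies to the outer header of each received packet. Instance IDs, EID prefixes and RLOC addresses are constructed sample values (documentation address ranges standing in for a1..a3 and b1..b3).

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class MapRegisterRecord:
    """One mapping record carried in a Map-Register (constructed shape)."""
    instance_id: int
    eid_prefix: str
    rlocs: list


class MapServer:
    """Accumulates the EID instance ID -> RLOC membership list from registrations."""

    def __init__(self):
        self.membership = {}  # instance_id -> set of RLOC strings

    def register(self, record):
        for rloc in record.rlocs:
            ip_address(rloc)  # reject malformed locators before they enter the list
        self.membership.setdefault(record.instance_id, set()).update(record.rlocs)

    def membership_list(self):
        """Snapshot pushed to every xTR/PxTR that decapsulates for these instances."""
        return {iid: frozenset(rlocs) for iid, rlocs in self.membership.items()}


class DecapFilter:
    """Decapsulation-side check: outer source RLOC must belong to the packet's IID."""

    def __init__(self, membership):
        self.membership = membership

    def check(self, instance_id, src_rloc):
        allowed = self.membership.get(instance_id)
        if allowed is None:
            return False, "drop: no membership list for instance ID"
        if src_rloc not in allowed:
            return False, "drop: source RLOC not a member of instance ID"
        return True, "accept"


def build_sample_filter():
    """Blue tenant = IID 100 (a1..a3), black tenant = IID 200 (b1..b3); constructed."""
    ms = MapServer()
    ms.register(MapRegisterRecord(100, "10.1.0.0/16", ["192.0.2.1", "192.0.2.2", "192.0.2.3"]))
    ms.register(MapRegisterRecord(200, "10.2.0.0/16", ["198.51.100.1", "198.51.100.2"]))
    ms.register(MapRegisterRecord(200, "10.3.0.0/16", ["198.51.100.3"]))  # merges into IID 200
    return DecapFilter(ms.membership_list())
```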
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
658
Implementing Data Plane Security
