Decapsulation Filtering on (P)xTRs - Cisco ASR 9000 Series Routing Configuration Manual

Implementing Data Plane Security
an MS, the requesting (P)xTR is removed from the EID instance membership because of a registration expiration or configuration change, then the MS will send a Membership-NACK message to the (P)xTR to indicate that it is no longer receiving membership updates for that instance.

When a Map-Server restarts, it must first discover and rebuild the EID instance membership lists before serving membership requests. Specifically, the MS must hold off sending any membership refresh end messages for EID instances that do not have a complete membership list. On the MS, the LISP control plane will wait to receive registrations before considering the membership list complete. The following conditions must be met:

• At least one registration period has elapsed (one minute) after the first registration was received and one of the following conditions holds:
  • No accept-more-specific site EID prefix configuration exists for the EID instance and registrations for all the configured EID prefixes have been received.
  • Three registration periods have elapsed from the time that the first registration was received.
  • No registrations have been received and three registration periods have elapsed from the time that the LISP control plane restarted.

You can manage membership distribution on the Map-Server using the show lisp site rloc members command in the EXEC configuration mode.

How to Implement Data Plane Security, on page 662 provides procedural details.

Decapsulation Filtering on (P)xTRs

The source RLOC decapsulation filtering feature is enabled on a (P)xTR through the decapsulation filter rloc source command. After the feature is enabled, the (P)xTR only allows the decapsulation of LISP data packets carrying a source RLOC that is allowed by the filter. When the feature is first enabled, if the filter is based on the auto-discovery of the EID instance membership from the Map-Servers, then traffic will be dropped until a reliable transport connection is established with the Map-Servers and the membership is received.

(P)xTR Membership Discovery

A (P)xTR that is configured for data plane source RLOC filtering with membership auto-discovery for one or more EID instances through the decapsulation filter rloc source members configuration attempts to establish a reliable transport session with each of the configured Map-Servers for those instances. A single reliable transport session is initiated with each Map-Server, over which the membership for one or more EID instances is communicated. The auto-discovered membership lists are extended to form the source RLOC filter through the locator-set option of the decapsulation filter rloc source command. The membership lists for an EID instance discovered through each of the Map-Servers are merged together with the contents of the configured locator-set and used to define the data plane source RLOC filter. The Map-Server only accepts incoming reliable transport connections from RLOC addresses that have first successfully registered an EID prefix. An xTR only attempts to establish a connection after it receives a Map-Notify acknowledging that its registration was successful. In order to request EID instance membership services for a specific instance ID, at least one EID prefix for that instance must have been successfully registered.

Once the connection with a Map-Server is established, the (P)xTR sends a Membership-Request message for each of the EID instances that have the Map-Server in their configuration. Received Membership-Add and Membership-Delete messages update the EID instance membership database on the (P)xTR.
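The source RLOC filter behaviour described under Decapsulation Filtering on (P)xTRs and (P)xTR Membership Discovery, as an added Python model (not Cisco's code or CLI): a toy Map-Server that serves membership only to RLOCs that registered, and a per-instance filter on the (P)xTR that drops traffic until membership has been received, merges each Map-Server's list with the configured locator-set, and applies Membership-Add/Delete updates. The class and method names, and the choice to wait for every configured Map-Server before forwarding, are assumptions.

```python
from dataclasses import dataclass, field


class MapServer:
    """Toy Map-Server: serves an instance's membership only to RLOCs that registered."""

    def __init__(self, name):
        self.name = name
        self.registered = {}  # instance_id -> RLOCs with a successful registration

    def register(self, instance_id, rloc):
        self.registered.setdefault(instance_id, set()).add(rloc)

    def membership_request(self, instance_id, from_rloc):
        """Members for the instance, or None when the requester never registered (refused)."""
        members = self.registered.get(instance_id, set())
        return set(members) if from_rloc in members else None


@dataclass
class InstanceFilter:
    """Source-RLOC decapsulation filter for one EID instance on a (P)xTR (hypothetical model)."""

    instance_id: int
    own_rloc: str
    locator_set: set = field(default_factory=set)    # configured locator-set
    map_servers: list = field(default_factory=list)  # MapServers used for auto-discovery
    membership: dict = field(default_factory=dict)   # MS name -> RLOCs learned from it

    def discover(self):
        """Membership-Request to each Map-Server; a refused request learns nothing."""
        for ms in self.map_servers:
            members = ms.membership_request(self.instance_id, self.own_rloc)
            if members is not None:
                self.membership[ms.name] = members

    def membership_add(self, ms_name, rlocs):      # Membership-Add received
        self.membership.setdefault(ms_name, set()).update(rlocs)

    def membership_delete(self, ms_name, rlocs):   # Membership-Delete received
        self.membership.get(ms_name, set()).difference_update(rlocs)

    def allowed_sources(self):
        """Configured locator-set merged with every Map-Server's membership list."""
        return set(self.locator_set).union(*self.membership.values())

    def decap_allowed(self, source_rloc):
        # Assumption: with auto-discovery configured, drop until every MS has delivered membership.
        if self.map_servers and len(self.membership) < len(self.map_servers):
            return False
        return source_rloc in self.allowed_sources()
```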
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
661
