Published On: August 5th, 2019 19:03

Release 15.4SY Supervisor Engine 2T Software Configuration Guide

Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs. Fabric Overlay provides services such as host mobility and enhanced security, which are additional to normal switching and routing capabilities.

Campus Fabric Overlay provisioning consists of three main components:

• Control-Plane

• Data-Plane

• Policy-Plane

Understanding Fabric Domain Elements

The following section describes the elements that make up the fabric domain.

  • Fabric Edge Devices — Provide connectivity to users and devices that connect to the fabric domain. Fabric edge devices identify and authenticate endpoints, and register endpoint ID information in the fabric host-tracking database. They encapsulate at ingress and decapsulate at egress, to forward traffic to and from endpoints connected to the fabric domain.
  • Fabric Control-Plane Devices — Provide overlay reachability information and endpoints-to-routing-locator mapping, in the host-tracking database. The control-plane device receives registrations from fabric edge devices with local endpoints, and resolves requests from edge devices to locate remote endpoints.
  • Fabric Border Devices — Connect traditional Layer 3 networks or different fabric domains to the local domain, and translate reachability and policy information, such as VRF and SGT information, from one domain to another.
  • Virtual Contexts — Provide virtualization at the device level, using virtual routing and forwarding (VRF) to create multiple instances of Layer 3 routing tables. Contexts or VRFs provide segmentation across IP addresses, allowing for overlapped address space and traffic separation.
  • Host-Pools — Group endpoints in the fabric domain into IP pools, and identify them with a VLAN ID and an IP subnet.

Campus Fabric Licensing

This section describes command-line interface (CLI) commands for managing Campus Fabric licensing.

To activate licensing, use the following commands:

[no] license boot level addon dna-essentials
[no] license boot level addon dna-advantage
 

To accept the end-user license agreement (EULA), use the following command:

[no] license accept end user agreement force

Example:

router#sh run | i license
license boot level addon dna-advantage
license accept end user agreement force
router#

Example: Show commands for license right-to-use

All the examples listed in this section are based on the following configuration:

router#sh run | i license
license boot level addon dna-advantage
license accept end user agreement force
router#

show license right-to-use

router#sh license right-to-use
slot        License Name                  Type          Period left
--------------------------------------------------------------------
Active sup  Advanced Enterprise Services  permanent     Lifetime
Active sup  dna-advantage                 Subscription  CSSM Managed
Standby sup Advanced Enterprise Services  permanent     Lifetime
Standby sup dna-advantage                 Subscription  CSSM Managed

show license right-to-use default

router#sh license right-to-use default
slot        License Name                  Type
----------------------------------------------------
Active sup  Advanced Enterprise Services  permanent
Standby sup Advanced Enterprise Services  permanent
 

show license right-to-use detail

router#sh license right-to-use detail
Index 1
License Name : Advanced Enterprise Services
Period left : Lifetime
License Type : permanent
License State : Active, In use
 
Index 2
License Name : dna-essentials
Period left : CSSM Managed
License Type : Subscription
License State : Not Activated
 
Index 3
License Name : dna-advantage
Period left : CSSM Managed
License Type : Subscription
License State : Active, In use
 

show license right-to-use summary

router#sh license right-to-use summary
License Name                  Type          Period left
-------------------------------------------------------
Advanced Enterprise Services  permanent     Lifetime
dna-advantage                 Subscription  CSSM Managed
-------------------------------------------------------
 
License Level In Use: Advanced Enterprise Services addon: dna-advantage
License Level on Reboot: Advanced Enterprise Services addon: dna-advantage
 

show license right-to-use usage

router#sh license right-to-use usage
slot        License Name                  Type          In-use  EULA
----------------------------------------------------------------------
Active sup  Advanced Enterprise Services  permanent     yes     yes
Active sup  dna-essentials                Subscription  no      yes
Active sup  dna-advantage                 Subscription  yes     yes
----------------------------------------------------------------------
Standby sup Advanced Enterprise Services  permanent     yes     yes
Standby sup dna-essentials                Subscription  no      yes
Standby sup dna-advantage                 Subscription  yes     yes
----------------------------------------------------------------------
 

show license right-to-use eula

router#sh license right-to-use eula ?
permanent     Displays EULA for permanent license.
subscription  Displays EULA for the subscription license.

Campus Fabric Configuration Guidelines

Consider the following guidelines and limitations when configuring campus fabric elements:

  • A Catalyst 6500 switch can act as a border router or control-plane device.
  • If RBACL enforcement is not done on the border router, then the user needs to configure SGT caching on the border and transport the SGT via SXP to a further upstream router.
  • Configure no more than 512 virtual contexts for unicast and 100 virtual contexts for multicast, in each fabric border node.
  • IPv6 Layer 3 mobility is not supported.

How to Configure Fabric Overlay

Configuring Control-Plane Devices Using IPv4

To configure control-plane devices using IPv4, use the following LISP commands:

Before You Begin

Configure a loopback IP address for the control-plane device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters Locator/ID Separation Protocol (LISP) configuration mode.

Step 4

site site-name

Example:

Device(config-router-lisp)# site FD_Default

Configures a LISP site on a control-plane device and enters LISP site configuration mode.

Step 5

authentication-key key

Example:

Device(config-router-lisp-site)# authentication-key examplekey

Configures the password used to create the Hash-based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA-1) hash for authenticating the map-register messages sent by edge devices when registering with the control-plane device.

Step 6

eid-prefix instance-id <value> <prefix> accept-more-specifics

Example:

Device(config-router-lisp-site)# eid-prefix 10.1.0.0/16 accept-more-specifics

Device(config-router-lisp-site)# eid-prefix instance-id 10 10.1.0.0/16 accept-more-specifics

Configures a host-pool or a list of endpoint identifier (EID) prefixes that are allowed in a map-register message sent by the edge device when registering with the control-plane device. Specifies that an EID prefix that is more specific than the EID prefix configured is accepted and tracked. The instance-id keyword includes the specified instance ID (the instance ID used by the context you want to include in the host-pool) with the host-pool when it is registered with the control-plane device.

Step 7

exit

Example:

Device(config-router-lisp-site)# exit

Exits LISP site configuration mode and returns to LISP configuration mode.

Step 8

Repeat Step 4 to Step 7 to configure another LISP site.

Step 9

ipv4 map-server

Example:

Device(config-router-lisp)# ipv4 map-server

Configures a device to act as an IPv4 control-plane device.

Step 10

ipv4 map-resolver

Example:

Device(config-router-lisp)# ipv4 map-resolver

In the fabric domain, the control-plane device acts as the map-server and the map-resolver. Enables the control-plane device with IPv4 LISP map resolver capabilities.

Step 11

end

Example:

Device(config-router-lisp)# end

Exits LISP configuration mode and returns to privileged EXEC mode.

Configuring Control-Plane Devices Using IPv6

To configure control-plane devices using IPv6, use the following LISP commands:

Before You Begin

Configure a loopback IP address for the control-plane device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters Locator/ID Separation Protocol (LISP) configuration mode.

Step 4

site site-name

Example:

Device(config-router-lisp)# site FD_Default

Configures a LISP site on a control-plane device and enters LISP site configuration mode.

Step 5

authentication-key key

Example:

Device(config-router-lisp-site)# authentication-key examplekey

Configures the password used to create the Hash-based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA-1) hash for authenticating the map-register messages sent by edge devices when registering with the control-plane device.

Step 6

eid-prefix instance-id <value> <ipv6_prefix>

Example:

Device(config-router-lisp-site)# eid-prefix 10:1::/64

Device(config-router-lisp-site)# eid-prefix instance-id 10 10:1::/64

Configures a host-pool or a list of endpoint identifier (EID) prefixes that are allowed in a map-register message sent by the edge device when registering with the control-plane device. Specifies that an EID prefix that is more specific than the EID prefix configured is accepted and tracked. The instance-id keyword includes the specified instance ID (the instance ID used by the context you want to include in the host-pool) with the host-pool when it is registered with the control-plane device.

Step 7

exit

Example:

Device(config-router-lisp-site)# exit

Exits LISP site configuration mode and returns to LISP configuration mode.

Step 8

Repeat Step 4 to Step 7 to configure another LISP site.

Step 9

ipv6 map-server

Example:

Device(config-router-lisp)# ipv6 map-server

Configures a device to act as an IPv6 control-plane device.

Step 10

ipv6 map-resolver

Example:

Device(config-router-lisp)# ipv6 map-resolver

In the fabric domain, the control-plane device acts as the map-server and the map-resolver. Enables the control-plane device with IPv6 LISP map resolver capabilities.

Step 11

end

Example:

Device(config-router-lisp)# end

Exits LISP configuration mode and returns to privileged EXEC mode.
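
Steps 5 and 6 of the control-plane procedures together decide which map-register messages are accepted: the message must carry a valid HMAC-SHA-1 under the site's authentication-key, and its EID prefix must be covered by the site's eid-prefix list. The following is an added example, not Cisco code: a simplified Python model that uses the guide's sample values to show how the instance ID and accept-more-specifics change the outcome. The names EidEntry, sign, eid_allowed, accept_register and demo, and the payload format, are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class EidEntry:  # hypothetical model of one 'eid-prefix' line under a LISP site
    instance_id: int  # 0 models a line without the instance-id keyword
    prefix: str
    accept_more_specifics: bool

SITE_KEY = b"examplekey"  # the guide's placeholder authentication-key
SITE_EIDS = [
    EidEntry(10, "10.1.0.0/16", True),   # eid-prefix ... accept-more-specifics
    EidEntry(10, "10:1::/64", False),    # eid-prefix without accept-more-specifics
]

def sign(key, payload):
    """HMAC-SHA-1 over the registration payload (simplified: full 20-byte digest)."""
    return hmac.new(key, payload, hashlib.sha1).digest()

def eid_allowed(entries, instance_id, eid):
    """True if the registered EID prefix is covered by the site's eid-prefix list."""
    reg = ipaddress.ip_network(eid)
    for e in entries:
        cfg = ipaddress.ip_network(e.prefix)
        if e.instance_id != instance_id or cfg.version != reg.version:
            continue  # different virtual context or address family
        if reg == cfg or (e.accept_more_specifics and reg.subnet_of(cfg)):
            return True
    return False

def accept_register(key, entries, instance_id, eid, payload, auth_data):
    """Decision the control-plane device makes in this model, as a string."""
    if not hmac.compare_digest(sign(key, payload), auth_data):
        return "reject: authentication failure"
    if not eid_allowed(entries, instance_id, eid):
        return "reject: EID prefix not allowed for site"
    return "accept"

def demo():
    """Run constructed registrations (edge key, instance ID, EID) through the model."""
    cases = [
        (b"examplekey", 10, "10.1.5.7/32"),   # host route inside the /16
        (b"examplekey", 10, "10:1::5/128"),   # more specific, but not permitted
        (b"examplekey", 10, "10:1::/64"),     # exact match of the configured prefix
        (b"examplekey", 0, "10.1.5.7/32"),    # right prefix, wrong instance ID
        (b"wrongkey", 10, "10.1.5.7/32"),     # edge device holding a different key
    ]
    results = []
    for edge_key, iid, eid in cases:
        payload = f"{iid}|{eid}".encode()  # constructed stand-in for the LISP message
        results.append(accept_register(SITE_KEY, SITE_EIDS, iid, eid, payload, sign(edge_key, payload)))
    return results
```

Calling demo() returns one decision per constructed registration, in the order listed in cases.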

Configuring Border Devices Using IPv4

To configure a border device using IPv4, use the following LISP commands.

Before You Begin

Configure a loopback IP address for the border device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters LISP configuration mode.

Step 4

encapsulation vxlan

Example:

Device(config-router-lisp)# encapsulation vxlan

Specifies VXLAN-based encapsulation.

Step 5

eid-table vrf <vrf_name> instance-id <value>

Example:

Device(config-router-lisp)# eid-table vrf abcd instance-id 10

Associates the non-default EID table with the specified instance ID.

Step 6

eid-table default instance-id instance-id

Example:

Device(config-router-lisp)# eid-table default instance-id 0

Associates the default EID table with the specified instance ID.

Control-plane device messages include this instance ID along with the associated EID prefixes.

Step 7

map-cache eid-prefix map-request

Example:

Device(config-router-lisp)# map-cache 10.1.1.0/24 map-request

Configures a static IPv4 EID-to-RLOC mapping relationship by adding a map-cache with action send-map-request for the specified dynamic EID or host pool.

Step 8

ipv4 sgt

Example:

Device(config-router-lisp)# ipv4 sgt

Enables the transport of Security Group Tags (SGT) in the fabric. For more information on SGTs, see Cisco TrustSec Configuration Guide.

Step 9

ipv4 proxy-etr

Example:

Device(config-router-lisp)# ipv4 proxy-etr

Enables the border device service in the fabric domain.

Step 10

ipv4 proxy-itr ipv4 address

Example:

Device(config-router-lisp)# ipv4 proxy-itr 10.1.1.1

Configures the device to operate as an IPv4 proxy ingress tunnel router (PITR), and configures the interface IP address used as a source address for encapsulation of data packets. The IPv4 locator address is used as the source address for data packets or map-request messages.

Step 11

ipv4 itr map-resolver ipv4 address

Example:

Device(config-router-lisp)# ipv4 itr map-resolver 10.1.1.2

Configures the IP address of the map-resolver that the device queries for the RLOC corresponding to a destination EID.

Step 12

exit

Example:

Device(config-router-lisp)# exit

Exits LISP configuration mode and enters global configuration mode.

Step 13

ip route ipv4-prefix next-hop

Example:

Device(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.1

Configures an IPv4 static route.

Step 14

exit

Example:

Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Configuring Border Devices Using IPv6

To configure a border device using IPv6, use the following LISP commands.

Before You Begin

Configure a loopback IP address for the border device to ensure that the device is reachable.

Command
Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters the global configuration mode.

Step 3

router lisp

Example:

Device(config)# router lisp

Enters LISP configuration mode.

Step 4

encapsulation vxlan

Example:

Device(config-router-lisp)# encapsulation vxlan

Specifies VXLAN-based encapsulation.

Step 5

eid-table vrf <vrf_name> instance-id <value>

Example:

Device(config-router-lisp)# eid-table vrf abcd instance-id 10

Associates the non-default EID table with the specified instance ID.

Step 6

eid-table default instance-id instance-id

Example:

Device(config-router-lisp)# eid-table default instance-id 0

Associates the default EID table with the specified instance ID.

Control-plane device messages include this instance ID along with the associated EID prefixes.

Step 7

map-cache eid-prefix ipv6 address/subnet mask map-request

Example:

Device(config-router-lisp)# map-cache 10:1:1::/64 map-request

Configures a static IPv6 EID-to-RLOC mapping relationship by adding a map-cache with action send-map-request for the specified dynamic EID or host pool.

Step 8

ipv6 sgt

Example:

Device(config-router-lisp)# ipv6 sgt

Enables the transport of Security Group Tags (SGT) in the fabric. For more information on SGTs, see Cisco TrustSec Configuration Guide.

Step 9

ipv6 proxy-etr

Example:

Device(config-router-lisp)# ipv6 proxy-etr

Enables the border device service in the fabric domain.

Step 10

ipv6 proxy-itr ipv6 address

Example:

Device(config-router-lisp)# ipv6 proxy-itr 10.1.1.1

Configures the device to operate as an IPv6 proxy ingress tunnel router (PITR), and configures the interface IP address used as a source address for encapsulation of data packets. The IPv6 locator address is used as the source address for data packets or map-request messages.

Step 11

ipv6 itr map-resolver ipv6 address

Example:

Device(config-router-lisp)# ipv6 itr map-resolver 10.1.1.2

Configures the IP address of the map-resolver that the device queries for the RLOC corresponding to a destination EID.

Step 12

exit

Example:

Device(config-router-lisp)# exit

Exits LISP configuration mode and enters global configuration mode.

Step 13

exit

Example:

Device(config)# exit

Exits global configuration mode and returns to privileged EXEC mode.

Example: Configuring Fabric Border and Control-Plane Devices

Fabric Border Router Using IPv4

vrf definition abcd
 rd 1:1
 !
 address-family ipv4
 exit-address-family
!
interface Loopback10
 ip address 1.3.3.3 255.255.255.255
!
! North upstream facing
interface TenGigabitEthernet2/8
 ip address 119.1.1.1 255.255.255.0
!
! North upstream facing
interface TenGigabitEthernet2/9
 vrf forwarding abcd
 ip address 19.1.1.1 255.255.255.0
!
! South RLOC facing
interface TenGigabitEthernet 4/12
 ip address 141.1.1.2 255.255.255.0
 ip lisp source-locator Loopback10
!
router lisp
 encapsulation vxlan
 locator-set set1
  1.3.3.3 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  ! EID subnet at fabric edge
  map-cache 120.1.1.0/24 map-request
  exit
 !
 eid-table vrf abcd instance-id 1
  ! EID subnet at fabric edge
  map-cache 20.1.1.0/24 map-request
  exit
 !
 ipv4 sgt
 ipv4 proxy-etr
 ipv4 proxy-itr 1.3.3.3
 ipv4 itr map-resolver 1.4.4.4
 exit
 

Fabric Border Router Using IPv6

vrf definition abcd
 rd 1:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Loopback10
 ip address 1.3.3.3 255.255.255.255
!
! North upstream facing
interface TenGigabitEthernet2/8
 ipv6 address 119:1:1::1/64
!
! North upstream facing
interface TenGigabitEthernet2/9
 vrf forwarding abcd
 ipv6 address 19:1:1::1/64
!
! South RLOC facing
interface TenGigabitEthernet 4/12
 ip address 141.1.1.2 255.255.255.0
 ip lisp source-locator Loopback10
!
router lisp
 encapsulation vxlan
 locator-set set1
  1.3.3.3 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  ! EID subnet at fabric edge
  map-cache 120:1:1::/64 map-request
  exit
 !
 eid-table vrf abcd instance-id 1
  ! EID subnet at fabric edge
  map-cache 20:1:1::/64 map-request
  exit
 !
 ipv6 sgt
 ipv6 proxy-etr
 ipv6 proxy-itr 1.3.3.3
 ipv6 itr map-resolver 1.4.4.4
 exit

Control Plane Using IPv4

interface Loopback10
 ip address 1.4.4.4 255.255.255.255
!
router lisp
 encapsulation vxlan
 locator-set set1
  1.4.4.4 priority 1 weight 100
  exit
 !
 site site1
  authentication-key key1
  eid-prefix 120.1.1.0/24 accept-more-specifics
  eid-prefix instance-id 1 20.1.1.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit

Control Plane Using IPv6

interface Loopback10
 ip address 1.4.4.4 255.255.255.255
!
router lisp
 encapsulation vxlan
 locator-set set1
  1.4.4.4 priority 1 weight 100
  exit
 !
 site site1
  authentication-key key1
  eid-prefix 120:1:1::/64
  eid-prefix instance-id 1 20:1:1::/64
  exit
 !
 ipv6 map-server
 ipv6 map-resolver
 exit