Locator/ID Separation Protocol – LISP Part 1

The Locator/ID Separation Protocol (LISP) is a network architecture that uses two namespaces instead of a single IP address space: endpoint identifiers (EIDs), which are assigned to end hosts, and routing locators (RLOCs), which are assigned to the devices (primarily routers) that make up the global routing system. LISP is documented in RFC 6830.

Separating location from identity provides a clear separation at the network layer between what we are looking for and how best to get there.

Network Layer Identifier – WHO you are in the network
Network Layer Locator – WHERE you are in the network
WHERE you are can change!
WHO you are should be the same!

LISP changes the routing architecture to implement a level of indirection between a host's IDENTITY and its LOCATION in the network.

Control Plane – Maps endpoint identities to their current location.
Data Plane – Encapsulates EID-addressed packets inside RLOC-addressed headers.

Traditional routing protocols use a “PUSH” model: each router builds a topology from the information gathered by the routing protocol, computes and installs the best route entries, and then advertises this information to its neighbors. The information is pushed to all neighbors in the routing domain without any neighbor actually requesting it.

LISP uses a “PULL” model. When a router needs to make a forwarding decision, it asks the mapping database for the RLOCs associated with the destination EID prefix. The database responds with the EID-to-RLOC mapping; the router caches it and sends the packet towards an RLOC to reach the EID prefix. This resembles the architecture employed by DNS. Once the mapping is cached and programmed into the forwarding table, the router performs normal packet forwarding for subsequent packets to the same destination. In other words, the router requests only the forwarding information it needs, instead of being given all of the routing information implicitly.

LISP is an encapsulation/tunneling technology used to build overlays; it can run over any underlying transport, as long as there is IPv4/IPv6 reachability in the underlay. In our network this is provided by the SP core, which runs BGP with each site. Note that this “underlay” is what is referred to as the RLOC space: the global BGP table. Like GRE or other tunneling techniques, LISP can tunnel one address family over another. LISP uses a simple header, consisting of the outer IPv4/IPv6 header (RLOC source/destination) followed by a UDP header and a LISP header. For encapsulated user data traffic, LISP uses a destination UDP port of 4341. For control-plane messaging between LISP nodes, UDP port 4342 is used. From an MTU perspective, LISP adds 36 bytes of overhead for IPv4 (20 for the IPv4 header, 8 for UDP, 8 for LISP) and 56 bytes for IPv6 (40 for the IPv6 header, 8 for UDP, 8 for LISP).
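To make the header arithmetic concrete, here is an added Python example (not from the original post) that builds the outer IPv4 + UDP (port 4341) + LISP header around an EID packet on the iTR side and strips it again on the eTR side, refusing packets whose outer destination is not a local RLOC or whose UDP port is not 4341. The RLOC addresses are taken from this lab; the inner packet and the fixed UDP source port are constructed sample values.

```python
"""Added example (not from the original post): the LISP data-plane
encapsulation described above - outer IPv4 header, UDP to port 4341, 8-byte
LISP header - built and stripped in Python, showing where the 36-byte overhead
comes from and the checks an eTR makes before decapsulating."""
import ipaddress
import struct
from typing import Optional, Tuple

LISP_DATA_PORT = 4341       # encapsulated user data (RFC 6830)
LISP_CONTROL_PORT = 4342    # Map-Request / Map-Register and other control messages
IP4_HDR, IP6_HDR, UDP_HDR, LISP_HDR = 20, 40, 8, 8


def encap_overhead(outer_af: str) -> int:
    """Bytes LISP adds per packet for the given outer (RLOC) address family."""
    outer = {"ipv4": IP4_HDR, "ipv6": IP6_HDR}[outer_af]
    return outer + UDP_HDR + LISP_HDR      # 36 for IPv4, 56 for IPv6


def inner_mtu(link_mtu: int, outer_af: str) -> int:
    """Largest EID packet that fits the underlay MTU without fragmentation."""
    return link_mtu - encap_overhead(outer_af)


def lisp_header(nonce: int, lsb: int = 0, instance_id: Optional[int] = None) -> bytes:
    """8-byte LISP header (RFC 6830 section 5.3): flag bits N L E V I + 24-bit nonce,
    then 32 locator-status-bits, or with I set a 24-bit instance ID + 8 LSBs."""
    flags = 0x80 | 0x40                     # N: nonce present, L: LSBs present
    if instance_id is None:
        word2 = lsb & 0xFFFFFFFF
    else:
        flags |= 0x08                       # I: second word carries an instance ID
        word2 = ((instance_id & 0xFFFFFF) << 8) | (lsb & 0xFF)
    return struct.pack("!B3sI", flags, (nonce & 0xFFFFFF).to_bytes(3, "big"), word2)


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, used for the outer IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner: bytes, src_rloc: str, dst_rloc: str, nonce: int,
                src_port: int = 50000) -> bytes:
    """iTR side: wrap an EID-addressed packet in RLOC-addressed IPv4/UDP/LISP.
    A real iTR derives src_port from a hash of the inner 5-tuple; fixed here."""
    lisp = lisp_header(nonce, lsb=0b11)     # constructed: both local RLOCs are up
    udp_len = UDP_HDR + LISP_HDR + len(inner)
    # A zero UDP checksum is permitted when the outer header is IPv4.
    udp = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP4_HDR + udp_len, 0, 0x4000, 64, 17, 0,
                      ipaddress.IPv4Address(src_rloc).packed,
                      ipaddress.IPv4Address(dst_rloc).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + udp + lisp + inner


def decapsulate(pkt: bytes, my_rlocs) -> Tuple[Optional[int], bytes]:
    """eTR side: accept only if the outer destination is one of our RLOCs and
    the UDP destination port is 4341; return (nonce, inner packet)."""
    if len(pkt) < IP4_HDR + UDP_HDR + LISP_HDR:
        raise ValueError("truncated")
    ver_ihl, _, total_len, _, _, _, proto, _, _, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IP4_HDR])
    if ver_ihl != 0x45 or proto != 17 or _checksum(pkt[:IP4_HDR]) != 0:
        raise ValueError("outer header is not a valid IPv4/UDP header")
    dst_ip = str(ipaddress.IPv4Address(dst))
    if dst_ip not in my_rlocs:
        raise ValueError("outer destination %s is not a local RLOC" % dst_ip)
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[IP4_HDR:IP4_HDR + UDP_HDR])
    if dport != LISP_DATA_PORT:
        raise ValueError("UDP port %d is not LISP data" % dport)
    if total_len != IP4_HDR + udp_len or total_len > len(pkt):
        raise ValueError("length fields disagree with packet size")
    off = IP4_HDR + UDP_HDR
    flags, nonce_b, _ = struct.unpack("!B3sI", pkt[off:off + LISP_HDR])
    nonce = int.from_bytes(nonce_b, "big") if flags & 0x80 else None
    return nonce, pkt[off + LISP_HDR:total_len]
```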

Use Cases

LISP Deployment Models
Private Model
  • A private LISP deployment supports a single enterprise
  • The LISP enterprise deploys:
    • xTRs
    • Mapping Systems
    • Proxy System, if required
Public Model
  • A public LISP deployment supports the needs of multiple enterprises
  • The LISP service provider deploys a ‘shared’ Mapping System and Proxy System
  • LISP enterprises subscribe to the LISP SP and deploy their own xTRs
Main Attributes of LISP

Ingress Tunnel Router (iTR) – An iTR is a router that resides in a LISP site. Packets sent by sources inside the LISP site to destinations outside the site are candidates for encapsulation by the iTR. The iTR is also in charge of querying the mapping database when it needs to make a forwarding decision; the query is sent to the Map Resolver in a Map-Request message.

Egress Tunnel Router (eTR) – An eTR is a router that accepts an IP packet whose destination address in the “outer” IP header is one of its own RLOCs. The router strips the “outer” header and forwards the packet based on the next IP header found. This device is in charge of receiving LISP-encapsulated packets from the underlay network, decapsulating them, and forwarding them towards the final destination inside the site.

xTR – The iTR and eTR functions are usually collocated on the same router; such a router is called an xTR.

Endpoint ID (EID) – An EID is a 32-bit (for IPv4) or 128-bit (for IPv6) value, typically an IP address allocated to end hosts at a site. EIDs MUST NOT be used as LISP RLOCs.

EID Prefix – EID prefixes are blocks of EIDs allocated to a site.

Routing Locator (RLOC) – An RLOC is an IPv4 or IPv6 address of an Egress Tunnel Router (eTR). An RLOC is the output of an EID-to-RLOC mapping lookup; an EID maps to one or more RLOCs. This address is routed in the global routing table and must be reachable from other LISP sites’ eTRs.

Proxy-iTR (PiTR) – A PiTR acts like an iTR but does so on behalf of non-LISP sites that send packets to destinations at LISP sites. A PiTR is defined in RFC6832.

Proxy-eTR (PeTR) – A PeTR acts like an eTR but does so on behalf of LISP sites that send packets to destinations at non-LISP sites. A PeTR is defined in RFC6832.

Proxy-xTR – A router performing both functions PiTR and PeTR is called a PxTR.

Map Server (MS) – The Map Server holds all of the EID-to-RLOC mappings for all of the sites it is responsible for. It accepts registrations from eTR routers via Map-Register messages.

Map Resolver (MR) – This device is queried by iTRs using Map-Request messages; each query asks for the mapping between an EID and its RLOCs.

LISP Router – A LISP router is a router that performs the functions of any or all of the following: iTR, eTR, Proxy-iTR (PiTR), or Proxy-eTR (PeTR).

We will use the following network topology for the LISP configuration.


Network Topology
  • R3, R4, R5, R6 are provider edge routers in the SP network.
  • R7 is the BGP route reflector in the SP network; R3, R4, R5, R6 are its RR clients.
  • R7 is working as the LISP Map Resolver (MR) and Map Server (MS).
  • R1 is working as an xTR, performing both iTR and eTR functions, in LISP Site-A.
  • R1 is running dual stack, both IPv4 and IPv6, and is connected to LAN router R8.
  • R1 is registered with the LISP Map Server with EIDs (IPv4 – 8.8.0.0/16, IPv6 – 2001:8:8::/48) and RLOC addresses 13.13.13.1 (weight 100) and 14.14.14.1 (weight 50).
  • With the above weights, R1 is telling remote sites to send traffic for Site-A EIDs to RLOC addresses 13.13.13.1 and 14.14.14.1 in a ratio of 100:50.
  • R2 is working as an xTR, performing both iTR and eTR functions, in LISP Site-B.
  • R2 is running dual stack, both IPv4 and IPv6, and is connected to LAN router R9.
  • R2 is registered with the LISP Map Server with EIDs (IPv4 – 9.9.0.0/16, IPv6 – 2001:9:9::/48) and RLOC addresses 25.25.25.2 (weight 100) and 26.26.26.2 (weight 50).
  • With the above weights, R2 is telling remote sites to send traffic for Site-B EIDs to RLOC addresses 25.25.25.2 and 26.26.26.2 in a ratio of 100:50.
Configuration
LISP Site-A Configuration
R1 - xTR (Ingress/Egress Tunnel Router)

hostname R1
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface LISP0
!
interface FastEthernet0/0
 ip address 8.8.18.1 255.255.255.0
 ipv6 address 2001:8:8:18::1/64
!
interface FastEthernet1/0
 ip address 13.13.13.1 255.255.255.0
!
interface FastEthernet1/1
 bandwidth 50000
 ip address 14.14.14.1 255.255.255.0
!
router lisp
 !! -- Define RLOCs -- !!
 !! -- Priorities can be configured between 0-255, with a lower -- !!
 !! -- value being more preferred. If both priorities are equal -- !! 
 !! -- then both RLOCs are used. If the priorities are not equal -- !!
 !! -- then only the RLOC with the lowest priority is used in -- !!
 !! -- Active/Standby mode. -- !!
 !! -- If priorities are equal, weights can be configured to -- !!
 !! -- signal the desired ingress load sharing. -- !!
 !! -- Weights can be configured between 0-100 -- !!
 locator-set SITEA_RLOC_SET
  13.13.13.1 priority 1 weight 100
  14.14.14.1 priority 1 weight 50
  exit
 !
 !! -- Configure an EID-to-RLOC mapping relationship and its -- !!
 !! -- associated traffic policy for this LISP site. -- !!
 database-mapping 8.8.0.0/16 locator-set SITEA_RLOC_SET
 database-mapping 2001:8:8::/48 locator-set SITEA_RLOC_SET
 !! -- Enable iTR functionality for IPv4 -- !!
 ipv4 itr
 !! -- Configure the locator address of the LISP map resolver to -- !!
 !! -- which this router will send Map-Request messages for IPv4 -- !!
 !! -- EID-to-RLOC mapping resolutions -- !!
 ipv4 itr map-resolver 1.1.1.7
 !! -- Enable eTR functionality for IPv4 -- !!
 ipv4 etr
 !! -- Configure the locator address of the LISP map server and -- !!
 !! -- the authentication key that this router, acting as an IPv4 --!!
 !! -- LISP ETR, will use to register with the LISP mapping system--!! 
 ipv4 etr map-server 1.1.1.7 key LISPKEYPASS
 !
 !! -- Enable iTR functionality for IPv6 -- !!
 ipv6 itr
 !! -- Configure the locator address of the LISP map resolver to --!!
 !! -- which this router will send Map-Request messages for IPv6 -- !!
 !! -- EID-to-RLOC mapping resolutions -- !!
 ipv6 itr map-resolver 1.1.1.7
 !! -- Enable eTR functionality for IPv6 -- !!
 ipv6 etr
 !! -- Configure the locator address of the LISP map server and -- !!
 !! -- the authentication key that this router, acting as an IPv6 --!!
 !! -- LISP ETR, will use to register with the LISP mapping system--!! 
 ipv6 etr map-server 1.1.1.7 key LISPKEYPASS
 exit
!
router bgp 101
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 13.13.13.3 remote-as 100
 neighbor 14.14.14.4 remote-as 100
!
ip route 8.8.0.0 255.255.0.0 8.8.18.8
!
ipv6 route 2001:8:8::/48 2001:8:8:18::8
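The priority/weight rules from the locator-set comments above, and the 100:50 split noted in the topology description, as an added Python example that is not part of the original post: it works out which RLOCs of R1's SITEA_RLOC_SET are active and what share of ingress traffic each attracts, covering the unreachable, unequal-priority and priority-255 cases. The flow-hash function is an illustrative choice, not what IOS implements.

```python
"""Added example (not from the original post): RLOC selection as described in
the locator-set comments - lowest priority wins, equal priorities share
ingress traffic by weight, priority 255 means never use (RFC 6830)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional
import hashlib


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int            # 0-255, lower is preferred; 255 = do not use
    weight: int              # 0-100, ingress share among equal-priority RLOCs
    reachable: bool = True   # as the xTR reports ("local, reachable" in the debug)


def validate(locators: List[Locator]) -> None:
    """Reject values outside the ranges the config comments give."""
    for loc in locators:
        if not 0 <= loc.priority <= 255:
            raise ValueError("priority out of range for %s" % loc.rloc)
        if not 0 <= loc.weight <= 100:
            raise ValueError("weight out of range for %s" % loc.rloc)


def active_set(locators: List[Locator]) -> List[Locator]:
    """RLOCs that actually carry traffic: reachable, not priority 255, and
    sharing the lowest priority value present. Others stay idle (standby)
    until every lower-priority RLOC is gone."""
    validate(locators)
    candidates = [l for l in locators if l.reachable and l.priority < 255]
    if not candidates:
        return []
    best = min(l.priority for l in candidates)
    return [l for l in candidates if l.priority == best]


def load_shares(locators: List[Locator]) -> Dict[str, Fraction]:
    """Fraction of ingress traffic each active RLOC attracts, by weight.
    If every active weight is 0 this example splits evenly (a local choice)."""
    active = active_set(locators)
    if not active:
        return {}
    total = sum(l.weight for l in active)
    if total == 0:
        return {l.rloc: Fraction(1, len(active)) for l in active}
    return {l.rloc: Fraction(l.weight, total) for l in active}


def pick_rloc(locators: List[Locator], flow_key: bytes) -> Optional[str]:
    """Per-flow choice: hash the flow key into the weight space so one flow
    always uses the same RLOC while flows overall follow the 100:50 split."""
    active = active_set(locators)
    if not active:
        return None
    total = sum(l.weight for l in active)
    if total == 0:
        weights = [(l.rloc, 1) for l in active]
        total = len(active)
    else:
        weights = [(l.rloc, l.weight) for l in active if l.weight > 0]
    bucket = int.from_bytes(hashlib.sha256(flow_key).digest()[:4], "big") % total
    for rloc, w in weights:
        if bucket < w:
            return rloc
        bucket -= w
    return weights[-1][0]


# R1's locator-set exactly as configured on the page
SITEA_RLOC_SET = [
    Locator("13.13.13.1", priority=1, weight=100),
    Locator("14.14.14.1", priority=1, weight=50),
]
```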


R8 - LAN Router

hostname R8
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback1
 ip address 8.8.1.1 255.255.255.0
 ipv6 address 2001:8:8:1::1/64
!
interface Loopback2
 ip address 8.8.2.1 255.255.255.0
 ipv6 address 2001:8:8:2::1/64
!
interface FastEthernet0/0
 ip address 8.8.18.8 255.255.255.0
 duplex full
 speed 100
 ipv6 address 2001:8:8:18::8/64
!
ip route 0.0.0.0 0.0.0.0 8.8.18.1
!
ipv6 route ::/0 2001:8:8:18::1
LISP Site-B Configuration
R2 - xTR (Ingress/Egress Tunnel Router)

hostname R2
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface LISP0
!
interface FastEthernet0/0
 ip address 9.9.29.2 255.255.255.0
 duplex full
 speed 100
 ipv6 address 2001:9:9:29::2/64
!
interface FastEthernet1/0
 ip address 25.25.25.2 255.255.255.0
!
interface FastEthernet1/1
 bandwidth 50000
 ip address 26.26.26.2 255.255.255.0
!
router lisp
 locator-set SITEB_RLOC_SET
  25.25.25.2 priority 1 weight 100
  26.26.26.2 priority 1 weight 50
  exit
 !
 database-mapping 9.9.0.0/16 locator-set SITEB_RLOC_SET
 database-mapping 2001:9:9::/48 locator-set SITEB_RLOC_SET
 ipv4 itr
 ipv4 itr map-resolver 1.1.1.7
 ipv4 etr
 ipv4 etr map-server 1.1.1.7 key LISPKEYPASS
 !
 ipv6 itr 
 ipv6 itr map-resolver 1.1.1.7
 ipv6 etr
 ipv6 etr map-server 1.1.1.7 key LISPKEYPASS
 exit
!
router bgp 102
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 neighbor 25.25.25.5 remote-as 100
 neighbor 26.26.26.6 remote-as 100
!
ip route 9.9.0.0 255.255.0.0 9.9.29.9
!
ipv6 route 2001:9:9::/48 2001:9:9:29::9
!

R9 - LAN Router

hostname R9
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback1
 ip address 9.9.1.1 255.255.255.0
 ipv6 address 2001:9:9:1::1/64
!
interface Loopback2
 ip address 9.9.2.1 255.255.255.0
 ipv6 address 2001:9:9:2::1/64
!
interface FastEthernet0/0
 ip address 9.9.29.9 255.255.255.0
 duplex full
 speed 100
 ipv6 address 2001:9:9:29::9/64
!
ip route 0.0.0.0 0.0.0.0 9.9.29.2
!
ipv6 route ::/0 2001:9:9:29::2
!
Service Provider Network Configuration
R3 - Provider Edge Router

hostname R3
!
ip cef
!
interface Loopback0
 ip address 1.1.1.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.35.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.34.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet1/0
 ip address 13.13.13.3 255.255.255.0
!
interface FastEthernet1/1
 ip address 1.1.37.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 1.1.1.3
!
router bgp 100
 bgp router-id 1.1.1.3
 bgp log-neighbor-changes
 network 13.13.13.0 mask 255.255.255.0
 neighbor 1.1.1.7 remote-as 100
 neighbor 1.1.1.7 update-source Loopback0
 neighbor 13.13.13.1 remote-as 101
!

R4 - Provider Edge Router

hostname R4
!
ip cef
!
interface Loopback0
 ip address 1.1.1.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.46.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.34.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet1/1
 bandwidth 50000
 ip address 14.14.14.4 255.255.255.0
!
router ospf 1
 router-id 1.1.1.4
!
router bgp 100
 bgp router-id 1.1.1.4
 bgp log-neighbor-changes
 network 14.14.14.0 mask 255.255.255.0
 neighbor 1.1.1.7 remote-as 100
 neighbor 1.1.1.7 update-source Loopback0
 neighbor 14.14.14.1 remote-as 101
!

R5 - Provider Edge Router

hostname R5
!
ip cef
!
interface Loopback0
 ip address 1.1.1.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.35.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet1/0
 ip address 25.25.25.5 255.255.255.0
!
interface FastEthernet1/1
 ip address 1.1.57.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 1.1.1.5
!
router bgp 100
 bgp router-id 1.1.1.5
 bgp log-neighbor-changes
 network 25.25.25.0 mask 255.255.255.0
 neighbor 1.1.1.7 remote-as 100
 neighbor 1.1.1.7 update-source Loopback0
 neighbor 25.25.25.2 remote-as 102
!

R6 - Provider Edge Router

hostname R6
!
ip cef
!
interface Loopback0
 ip address 1.1.1.6 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.46.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet1/1
 ip address 26.26.26.6 255.255.255.0
 bandwidth 50000
!
router ospf 1
 router-id 1.1.1.6
!
router bgp 100
 bgp router-id 1.1.1.6
 bgp log-neighbor-changes
 network 26.26.26.0 mask 255.255.255.0
 neighbor 1.1.1.7 remote-as 100
 neighbor 1.1.1.7 update-source Loopback0
 neighbor 26.26.26.2 remote-as 102
!

R7 - LISP MAP Server/Resolver Router

hostname R7
!
ip cef
!
!
interface Loopback0
 ip address 1.1.1.7 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.37.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.57.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router lisp
 !! -- MAP Resolver Configuration -- !!
 !! -- Enable MAP Resolver functionality for IPv4/IPv6 -- !! 
 ipv4 map-resolver
 ipv6 map-resolver
 !! -- MAP Server Configuration -- !!  
 !! -- Enable MAP Server functionality for IPv4/IPv6 -- !! 
 ipv4 map-server
 ipv6 map-server 
 !! -- Configure authentication key for eTR routers -- !!
 !! -- and what EID prefixes can be accepted for EID-to-RLOC -- !!
 !! -- mapping database from them -- !!
 site SITE_A
  authentication-key LISPKEYPASS
  eid-prefix 8.8.0.0/16 accept-more-specifics
  eid-prefix 2001:8:8::/48 accept-more-specifics
  exit
 !
 site SITE_B
  authentication-key LISPKEYPASS
  eid-prefix 9.9.0.0/16 accept-more-specifics
  eid-prefix 2001:9:9::/48 accept-more-specifics
  exit
 !
!
router ospf 1
 router-id 1.1.1.7
!
router bgp 100
 bgp router-id 1.1.1.7
 bgp log-neighbor-changes
 network 1.1.1.7 mask 255.255.255.255
 neighbor RRCLIENTS peer-group
 neighbor RRCLIENTS remote-as 100
 neighbor RRCLIENTS update-source Loopback0
 neighbor RRCLIENTS route-reflector-client
 neighbor 1.1.1.3 peer-group RRCLIENTS
 neighbor 1.1.1.4 peer-group RRCLIENTS
 neighbor 1.1.1.5 peer-group RRCLIENTS
 neighbor 1.1.1.6 peer-group RRCLIENTS
!
Verification and Testing
Routing (IPv4/IPv6) on all routers

Note: EID prefixes should not be advertised in the global routing table.

R1#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.7 [20/0] via 13.13.13.3, 00:36:24
      8.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S        8.8.0.0/16 [1/0] via 8.8.18.8
C        8.8.18.0/24 is directly connected, FastEthernet0/0
L        8.8.18.1/32 is directly connected, FastEthernet0/0
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.13.13.0/24 is directly connected, FastEthernet1/0
L        13.13.13.1/32 is directly connected, FastEthernet1/0
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.14.14.0/24 is directly connected, FastEthernet1/1
L        14.14.14.1/32 is directly connected, FastEthernet1/1
      25.0.0.0/24 is subnetted, 1 subnets
B        25.25.25.0 [20/0] via 13.13.13.3, 00:36:24
      26.0.0.0/24 is subnetted, 1 subnets
B        26.26.26.0 [20/0] via 13.13.13.3, 00:36:24

R1#show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
S   2001:8:8::/48 [1/0]
     via 2001:8:8:18::8
C   2001:8:8:18::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:8:8:18::1/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive


R2#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.7 [20/0] via 26.26.26.6, 00:36:24
      9.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S        9.9.0.0/16 [1/0] via 9.9.29.9
C        9.9.29.0/24 is directly connected, FastEthernet0/0
L        9.9.29.2/32 is directly connected, FastEthernet0/0
      13.0.0.0/24 is subnetted, 1 subnets
B        13.13.13.0 [20/0] via 26.26.26.6, 00:36:24
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [20/0] via 26.26.26.6, 00:36:24
      25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        25.25.25.0/24 is directly connected, FastEthernet1/0
L        25.25.25.2/32 is directly connected, FastEthernet1/0
      26.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        26.26.26.0/24 is directly connected, FastEthernet1/1
L        26.26.26.2/32 is directly connected, FastEthernet1/1

R2#show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
S   2001:9:9::/48 [1/0]
     via 2001:9:9:29::9
C   2001:9:9:29::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:9:9:29::2/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

R3#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
C        1.1.1.3/32 is directly connected, Loopback0
O        1.1.1.4/32 [110/2] via 1.1.34.4, 00:39:03, FastEthernet0/1
O        1.1.1.5/32 [110/2] via 1.1.35.5, 00:39:03, FastEthernet0/0
O        1.1.1.6/32 [110/3] via 1.1.35.5, 00:39:03, FastEthernet0/0
                    [110/3] via 1.1.34.4, 00:39:03, FastEthernet0/1
O        1.1.1.7/32 [110/2] via 1.1.37.7, 00:39:13, FastEthernet1/1
C        1.1.34.0/24 is directly connected, FastEthernet0/1
L        1.1.34.3/32 is directly connected, FastEthernet0/1
C        1.1.35.0/24 is directly connected, FastEthernet0/0
L        1.1.35.3/32 is directly connected, FastEthernet0/0
C        1.1.37.0/24 is directly connected, FastEthernet1/1
L        1.1.37.3/32 is directly connected, FastEthernet1/1
O        1.1.46.0/24 [110/2] via 1.1.34.4, 00:39:03, FastEthernet0/1
O        1.1.56.0/24 [110/2] via 1.1.35.5, 00:39:03, FastEthernet0/0
O        1.1.57.0/24 [110/2] via 1.1.37.7, 00:39:13, FastEthernet1/1
                     [110/2] via 1.1.35.5, 00:39:03, FastEthernet0/0
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.13.13.0/24 is directly connected, FastEthernet1/0
L        13.13.13.3/32 is directly connected, FastEthernet1/0
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [200/0] via 1.1.1.4, 00:38:03
      25.0.0.0/24 is subnetted, 1 subnets
B        25.25.25.0 [200/0] via 1.1.1.5, 00:38:03
      26.0.0.0/24 is subnetted, 1 subnets
B        26.26.26.0 [200/0] via 1.1.1.6, 00:38:03

R4#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
O        1.1.1.3/32 [110/2] via 1.1.34.3, 00:39:21, FastEthernet0/1
C        1.1.1.4/32 is directly connected, Loopback0
O        1.1.1.5/32 [110/3] via 1.1.46.6, 00:39:31, FastEthernet0/0
                    [110/3] via 1.1.34.3, 00:39:21, FastEthernet0/1
O        1.1.1.6/32 [110/2] via 1.1.46.6, 00:39:31, FastEthernet0/0
O        1.1.1.7/32 [110/3] via 1.1.34.3, 00:39:21, FastEthernet0/1
C        1.1.34.0/24 is directly connected, FastEthernet0/1
L        1.1.34.4/32 is directly connected, FastEthernet0/1
O        1.1.35.0/24 [110/2] via 1.1.34.3, 00:39:21, FastEthernet0/1
O        1.1.37.0/24 [110/2] via 1.1.34.3, 00:39:21, FastEthernet0/1
C        1.1.46.0/24 is directly connected, FastEthernet0/0
L        1.1.46.4/32 is directly connected, FastEthernet0/0
O        1.1.56.0/24 [110/2] via 1.1.46.6, 00:39:31, FastEthernet0/0
O        1.1.57.0/24 [110/3] via 1.1.46.6, 00:39:31, FastEthernet0/0
                     [110/3] via 1.1.34.3, 00:39:21, FastEthernet0/1
      13.0.0.0/24 is subnetted, 1 subnets
B        13.13.13.0 [200/0] via 1.1.1.3, 00:38:25
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.14.14.0/24 is directly connected, FastEthernet1/1
L        14.14.14.4/32 is directly connected, FastEthernet1/1
      25.0.0.0/24 is subnetted, 1 subnets
B        25.25.25.0 [200/0] via 1.1.1.5, 00:38:25
      26.0.0.0/24 is subnetted, 1 subnets
B        26.26.26.0 [200/0] via 1.1.1.6, 00:38:25

R5#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
O        1.1.1.3/32 [110/2] via 1.1.35.3, 00:39:35, FastEthernet0/0
O        1.1.1.4/32 [110/3] via 1.1.56.6, 00:39:35, FastEthernet0/1
                    [110/3] via 1.1.35.3, 00:39:35, FastEthernet0/0
C        1.1.1.5/32 is directly connected, Loopback0
O        1.1.1.6/32 [110/2] via 1.1.56.6, 00:39:35, FastEthernet0/1
O        1.1.1.7/32 [110/2] via 1.1.57.7, 00:39:45, FastEthernet1/1
O        1.1.34.0/24 [110/2] via 1.1.35.3, 00:39:35, FastEthernet0/0
C        1.1.35.0/24 is directly connected, FastEthernet0/0
L        1.1.35.5/32 is directly connected, FastEthernet0/0
O        1.1.37.0/24 [110/2] via 1.1.57.7, 00:39:45, FastEthernet1/1
                     [110/2] via 1.1.35.3, 00:39:35, FastEthernet0/0
O        1.1.46.0/24 [110/2] via 1.1.56.6, 00:39:35, FastEthernet0/1
C        1.1.56.0/24 is directly connected, FastEthernet0/1
L        1.1.56.5/32 is directly connected, FastEthernet0/1
C        1.1.57.0/24 is directly connected, FastEthernet1/1
L        1.1.57.5/32 is directly connected, FastEthernet1/1
      13.0.0.0/24 is subnetted, 1 subnets
B        13.13.13.0 [200/0] via 1.1.1.3, 00:38:36
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [200/0] via 1.1.1.4, 00:38:36
      25.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        25.25.25.0/24 is directly connected, FastEthernet1/0
L        25.25.25.5/32 is directly connected, FastEthernet1/0
      26.0.0.0/24 is subnetted, 1 subnets
B        26.26.26.0 [200/0] via 1.1.1.6, 00:38:36

R6#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
O        1.1.1.3/32 [110/3] via 1.1.56.5, 00:39:52, FastEthernet0/1
                    [110/3] via 1.1.46.4, 00:39:52, FastEthernet0/0
O        1.1.1.4/32 [110/2] via 1.1.46.4, 00:39:52, FastEthernet0/0
O        1.1.1.5/32 [110/2] via 1.1.56.5, 00:39:52, FastEthernet0/1
C        1.1.1.6/32 is directly connected, Loopback0
O        1.1.1.7/32 [110/3] via 1.1.56.5, 00:39:52, FastEthernet0/1
O        1.1.34.0/24 [110/2] via 1.1.46.4, 00:39:52, FastEthernet0/0
O        1.1.35.0/24 [110/2] via 1.1.56.5, 00:39:52, FastEthernet0/1
O        1.1.37.0/24 [110/3] via 1.1.56.5, 00:39:52, FastEthernet0/1
                     [110/3] via 1.1.46.4, 00:39:52, FastEthernet0/0
C        1.1.46.0/24 is directly connected, FastEthernet0/0
L        1.1.46.6/32 is directly connected, FastEthernet0/0
C        1.1.56.0/24 is directly connected, FastEthernet0/1
L        1.1.56.6/32 is directly connected, FastEthernet0/1
O        1.1.57.0/24 [110/2] via 1.1.56.5, 00:39:52, FastEthernet0/1
      13.0.0.0/24 is subnetted, 1 subnets
B        13.13.13.0 [200/0] via 1.1.1.3, 00:38:46
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [200/0] via 1.1.1.4, 00:38:46
      25.0.0.0/24 is subnetted, 1 subnets
B        25.25.25.0 [200/0] via 1.1.1.5, 00:38:46
      26.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        26.26.26.0/24 is directly connected, FastEthernet1/1
L        26.26.26.6/32 is directly connected, FastEthernet1/1

R7#show ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
O        1.1.1.3/32 [110/2] via 1.1.37.3, 00:40:05, FastEthernet0/0
O        1.1.1.4/32 [110/3] via 1.1.37.3, 00:39:55, FastEthernet0/0
O        1.1.1.5/32 [110/2] via 1.1.57.5, 00:40:05, FastEthernet0/1
O        1.1.1.6/32 [110/3] via 1.1.57.5, 00:39:55, FastEthernet0/1
C        1.1.1.7/32 is directly connected, Loopback0
O        1.1.34.0/24 [110/2] via 1.1.37.3, 00:40:05, FastEthernet0/0
O        1.1.35.0/24 [110/2] via 1.1.57.5, 00:40:05, FastEthernet0/1
                     [110/2] via 1.1.37.3, 00:40:05, FastEthernet0/0
C        1.1.37.0/24 is directly connected, FastEthernet0/0
L        1.1.37.7/32 is directly connected, FastEthernet0/0
O        1.1.46.0/24 [110/3] via 1.1.57.5, 00:39:55, FastEthernet0/1
                     [110/3] via 1.1.37.3, 00:39:55, FastEthernet0/0
O        1.1.56.0/24 [110/2] via 1.1.57.5, 00:40:05, FastEthernet0/1
C        1.1.57.0/24 is directly connected, FastEthernet0/1
L        1.1.57.7/32 is directly connected, FastEthernet0/1
      13.0.0.0/24 is subnetted, 1 subnets
B        13.13.13.0 [200/0] via 1.1.1.3, 00:38:59
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [200/0] via 1.1.1.4, 00:38:59
      25.0.0.0/24 is subnetted, 1 subnets
B        25.25.25.0 [200/0] via 1.1.1.5, 00:38:59
      26.0.0.0/24 is subnetted, 1 subnets
B        26.26.26.0 [200/0] via 1.1.1.6, 00:38:59


R8#show ip route | beg Gate
Gateway of last resort is 8.8.18.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 8.8.18.1
      8.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        8.8.1.0/24 is directly connected, Loopback1
L        8.8.1.1/32 is directly connected, Loopback1
C        8.8.2.0/24 is directly connected, Loopback2
L        8.8.2.1/32 is directly connected, Loopback2
C        8.8.18.0/24 is directly connected, FastEthernet0/0
L        8.8.18.8/32 is directly connected, FastEthernet0/0

R8#show ipv6 route         
IPv6 Routing Table - default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
S   ::/0 [1/0]
     via 2001:8:8:18::1
C   2001:8:8:1::/64 [0/0]
     via Loopback1, directly connected
L   2001:8:8:1::1/128 [0/0]
     via Loopback1, receive
C   2001:8:8:2::/64 [0/0]
     via Loopback2, directly connected
L   2001:8:8:2::1/128 [0/0]
     via Loopback2, receive
C   2001:8:8:18::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:8:8:18::8/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive

R9#show ip route | beg Gate
Gateway of last resort is 9.9.29.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 9.9.29.2
      9.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        9.9.1.0/24 is directly connected, Loopback1
L        9.9.1.1/32 is directly connected, Loopback1
C        9.9.2.0/24 is directly connected, Loopback2
L        9.9.2.1/32 is directly connected, Loopback2
C        9.9.29.0/24 is directly connected, FastEthernet0/0
L        9.9.29.9/32 is directly connected, FastEthernet0/0

R9#show ipv6 route         
IPv6 Routing Table - default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
S   ::/0 [1/0]
     via 2001:9:9:29::2
C   2001:9:9:1::/64 [0/0]
     via Loopback1, directly connected
L   2001:9:9:1::1/128 [0/0]
     via Loopback1, receive
C   2001:9:9:2::/64 [0/0]
     via Loopback2, directly connected
L   2001:9:9:2::1/128 [0/0]
     via Loopback2, receive
C   2001:9:9:29::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:9:9:29::9/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
LISP Registration Process

R1 (eTR) will register its local EID (IPv4 and IPv6) to RLOC mappings with the MAP Server (R7) via MAP-Register messages.

!! -- Initially MAP-Server database is empty -- !!

R7#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID       
SITE_A         never     no   --                            8.8.0.0/16
               never     no   --                            2001:8:8::/48
SITE_B         never     no   --                            9.9.0.0/16
               never     no   --                            2001:9:9::/48

!! -- R1 (eTR) sends MAP-Register Messages to MAP-Server -- !!

R1#
*Apr 27 19:46:10.763: LISP: Route watch notification.
*Apr 27 19:46:10.803: LISP-0: AF IPv6, Map resolver 1.1.1.7 is reachable.
*Apr 27 19:46:10.807: LISP-0: AF IPv4, Map resolver 1.1.1.7 is reachable.

*Apr 27 19:46:35.363: LISP: Timer event (ETR map server).
*Apr 27 19:46:35.367: LISP-0: IPv6 Map Server 1.1.1.7, Schedule registration.
*Apr 27 19:46:35.375: LISP-0: AF IPv4, Route locator 1.1.1.7, src 14.14.14.1 nh 14.14.14.4 if FastEthernet1/1.
*Apr 27 19:46:35.379: LISP-0: AF IPv6, Added mapping record locator 13.13.13.1 (priority 1, weight 100, local, reachable).
*Apr 27 19:46:35.383: LISP-0: AF IPv6, Added mapping record locator 14.14.14.1 (priority 1, weight 50, local, reachable).
*Apr 27 19:46:35.383: LISP-0: AF IPv6, Built mapping record for 2001:8:8::/48 with 2 locators (action none).
*Apr 27 19:46:35.383: LISP-0: IPv6 Map Server 1.1.1.7, Built map-register, 1 records, first 2001:8:8::/48 last 2001:8:8::/48 DONE.
*Apr 27 19:46:35.383: LISP-0: IPv6 Map Server 1.1.1.7, Sending map-register (src_rloc 14.14.14.1).

*Apr 27 19:46:37.483: LISP: Timer event (ETR map server).
*Apr 27 19:46:37.483: LISP-0: IPv4 Map Server 1.1.1.7, Schedule registration.
*Apr 27 19:46:37.487: LISP-0: AF IPv4, Route locator 1.1.1.7, src 14.14.14.1 nh 14.14.14.4 if FastEthernet1/1.
*Apr 27 19:46:37.487: LISP-0: AF IPv4, Added mapping record locator 13.13.13.1 (priority 1, weight 100, local, reachable).
*Apr 27 19:46:37.491: LISP-0: AF IPv4, Added mapping record locator 14.14.14.1 (priority 1, weight 50, local, reachable).
*Apr 27 19:46:37.491: LISP-0: AF IPv4, Built mapping record for 8.8.0.0/16 with 2 locators (action none).
*Apr 27 19:46:37.491: LISP-0: IPv4 Map Server 1.1.1.7, Built map-register, 1 records, first 8.8.0.0/16 last 8.8.0.0/16 DONE.
*Apr 27 19:46:37.491: LISP-0: IPv4 Map Server 1.1.1.7, Sending map-register (src_rloc 14.14.14.1).


!! -- MAP-Server (R7) receives MAP-Register messages,  -- !!
!! -- process them and add EID-to-RLOC mappings in database -- !!

R7#
*Apr 27 19:46:35.479: LISP-0: Net receive, queuing packet for LISP process.
*Apr 27 19:46:35.487: LISP-0: Received packet datagramsize 130, encsize 14, size 116.
*Apr 27 19:46:35.495: LISP: Processing received Map-Register message from 14.14.14.1 to 1.1.1.7
*Apr 27 19:46:35.495: LISP: Processing Map-Register no proxy, no map-notify, no merge, no mobile-node, 1 record, nonce 0x18FC13A9-0x0E141375, key-id 1, auth-data-len 20
*Apr 27 19:46:35.495: LISP: Parsing mapping record for EID prefix IID 0 2001:8:8::/48
*Apr 27 19:46:35.495: LISP-0: Mapping Record has 2 locators (action none).
*Apr 27 19:46:35.495: LISP: Processing Map-Register mapping record for IID 0 2001:8:8::/48, ttl 1440, state complete, authoritative, 2 locators
        13.13.13.1 pri/wei=1/100 LpR
        14.14.14.1 pri/wei=1/50 LpR
*Apr 27 19:46:35.495: LISP-0: MS registration prefix 2001:8:8::/48 14.14.14.1 site SITE_A, Created.
*Apr 27 19:46:35.495: LISP-0: MS registration prefix 2001:8:8::/48 14.14.14.1 site SITE_A, Adding locator 13.13.13.1.
*Apr 27 19:46:35.495: LISP-0: MS RLOC prefix 2001:8:8::/48 13.13.13.1 site SITE_A, reachable change unknown->down.
*Apr 27 19:46:35.495: LISP-0: MS registration prefix 2001:8:8::/48 14.14.14.1 site SITE_A, Adding locator 14.14.14.1.
*Apr 27 19:46:35.495: LISP-0: MS RLOC prefix 2001:8:8::/48 14.14.14.1 site SITE_A, reachable change unknown->down.
*Apr 27 19:46:35.495: LISP-0: MS registration prefix 2001:8:8::/48 14.14.14.1 site SITE_A, no configuration for allowed locators.
*Apr 27 19:46:35.495: LISP-0: MS RLOC prefix 2001:8:8::/48 13.13.13.1 site SITE_A, reachable change down->up, reported by 14.14.14.1.
*Apr 27 19:46:35.499: LISP-0: MS RLOC prefix 2001:8:8::/48 14.14.14.1 site SITE_A, reachable change down->up, reported by 14.14.14.1.
*Apr 27 19:46:35.499: LISP-0: MS EID prefix 2001:8:8::/48 site SITE_A, Map-Notify, to registering ETRs due to changed registration.
*Apr 27 19:46:35.499: LISP-0: Map-Notify prefix 2001:8:8::/48 to 14.14.14.1, skipping - M-bit not set.
*Apr 27 19:46:35.499: LISP-0: Processed 1 control packets.
*Apr 27 19:46:35.499: LISP-0: MS EID prefix 2001:8:8::/48 site SITE_A, ALT route update/create.
*Apr 27 19:46:35.499: LISP-0: ALTroute prefix 2001:8:8::/48 <-> created.
*Apr 27 19:46:35.499: LISP-0: ALTroute prefix 2001:8:8::/48 <-> scheduled RIB update.
*Apr 27 19:46:35.499: LISP-0: ALTroute prefix 2001:8:8::/48 <-> add source MS-EID.
*Apr 27 19:46:35.499: LISP-0: AF IPv6, Updated 1 MS EID entries in ALT table.
*Apr 27 19:46:35.499: LISP-0: ALTroute prefix 2001:8:8::/48 <MS-EID> RIB route ignore create, no ALT RIB.
*Apr 27 19:46:35.499: LISP-0: AF IPv6, Updated 1 ALT routes in ALT RIB table.


*Apr 27 19:46:37.567: LISP-0: Net receive, queuing packet for LISP process.
*Apr 27 19:46:37.579: LISP-0: Received packet datagramsize 118, encsize 14, size 104.
*Apr 27 19:46:37.583: LISP: Processing received Map-Register message from 14.14.14.1 to 1.1.1.7
*Apr 27 19:46:37.591: LISP: Processing Map-Register no proxy, no map-notify, no merge, no mobile-node, 1 record, nonce 0x18FC13A9-0x0E141375, key-id 1, auth-data-len 20
*Apr 27 19:46:37.595: LISP: Parsing mapping record for EID prefix IID 0 8.8.0.0/16
*Apr 27 19:46:37.599: LISP-0: Mapping Record has 2 locators (action none).
*Apr 27 19:46:37.607: LISP: Processing Map-Register mapping record for IID 0 8.8.0.0/16, ttl 1440, state complete, authoritative, 2 locators
        13.13.13.1 pri/wei=1/100 LpR
        14.14.14.1 pri/wei=1/50 LpR
*Apr 27 19:46:37.607: LISP-0: MS registration prefix 8.8.0.0/16 14.14.14.1 site SITE_A, Created.
*Apr 27 19:46:37.607: LISP-0: MS registration prefix 8.8.0.0/16 14.14.14.1 site SITE_A, Adding locator 13.13.13.1.
*Apr 27 19:46:37.611: LISP-0: MS RLOC prefix 8.8.0.0/16 13.13.13.1 site SITE_A, reachable change unknown->down.
*Apr 27 19:46:37.611: LISP-0: MS registration prefix 8.8.0.0/16 14.14.14.1 site SITE_A, Adding locator 14.14.14.1.
*Apr 27 19:46:37.611: LISP-0: MS RLOC prefix 8.8.0.0/16 14.14.14.1 site SITE_A, reachable change unknown->down.
*Apr 27 19:46:37.611: LISP-0: MS registration prefix 8.8.0.0/16 14.14.14.1 site SITE_A, no configuration for allowed locators.
*Apr 27 19:46:37.611: LISP-0: MS RLOC prefix 8.8.0.0/16 13.13.13.1 site SITE_A, reachable change down->up, reported by 14.14.14.1.
*Apr 27 19:46:37.611: LISP-0: MS RLOC prefix 8.8.0.0/16 14.14.14.1 site SITE_A, reachable change down->up, reported by 14.14.14.1.
*Apr 27 19:46:37.611: LISP-0: MS EID prefix 8.8.0.0/16 site SITE_A, Map-Notify, to registering ETRs due to changed registration.
*Apr 27 19:46:37.611: LISP-0: Map-Notify prefix 8.8.0.0/16 to 14.14.14.1, skipping - M-bit not set.
*Apr 27 19:46:37.611: LISP-0: Processed 1 control packets.
*Apr 27 19:46:37.611: LISP-0: MS EID prefix 8.8.0.0/16 site SITE_A, ALT route update/create.
*Apr 27 19:46:37.611: LISP-0: ALTroute prefix 8.8.0.0/16 <-> created.
*Apr 27 19:46:37.611: LISP-0: ALTroute prefix 8.8.0.0/16 <-> scheduled RIB update.
*Apr 27 19:46:37.611: LISP-0: ALTroute prefix 8.8.0.0/16 <-> add source MS-EID.
*Apr 27 19:46:37.611: LISP-0: AF IPv4, Updated 1 MS EID entries in ALT table.
*Apr 27 19:46:37.611: LISP-0: ALTroute prefix 8.8.0.0/16 <MS-EID> RIB route ignore create, no ALT RIB.
*Apr 27 19:46:37.611: LISP-0: AF IPv4, Updated 1 ALT routes in ALT RIB table.

!! -- Now the MAP-Server database is updated with the EID-to-RLOC mappings -- !!
!! -- received from R1 (eTR at LISP Site A) -- !!

R7#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID       
SITE_A         00:00:07  yes  14.14.14.1                    8.8.0.0/16
               00:00:10  yes  14.14.14.1                    2001:8:8::/48
SITE_B         never     no   --                            9.9.0.0/16
               never     no   --                            2001:9:9::/48

!! -- Similarly, R2 (eTR at LISP Site B) will register its -- !!
!! -- EID-to-RLOC mappings with the MAP-Server -- !!

R7#sh lisp site
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID       
SITE_A         00:00:05  yes  14.14.14.1                    8.8.0.0/16
               00:00:57  yes  14.14.14.1                    2001:8:8::/48
SITE_B         00:00:08  yes  26.26.26.2                    9.9.0.0/16
               00:00:07  yes  26.26.26.2                    2001:9:9::/48
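
The registration exchange above, as an added model written for this post (it is not IOS code and not part of the original lab): a Map-Server that only accepts a Map-Register for EID space configured under one of its sites, and only when the keyed hash over the record verifies under that site's key. The debug output shows key-id 1 with a 20-byte auth-data, so the model uses HMAC-SHA-1; the site keys, the canonical payload format and the `make_lab()` helper are assumptions of this example, not values from the page. A registration with the wrong key bumps the same "Authentication failures" counter that `show lisp site detail` reports, which is the line to watch when a site's prefix unexpectedly shows as "no" in `show lisp site`.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    """One 'lisp site' as configured on the Map-Server (constructed model)."""
    name: str
    key: bytes                 # authentication key shared with the site's ETRs (assumed value)
    allowed_prefixes: list     # configured EID prefixes; more specifics are accepted
    registrations: dict = field(default_factory=dict)  # EID prefix -> (registering RLOC, locators)
    auth_failures: int = 0     # the 'Authentication failures' counter of 'show lisp site detail'


def register_payload(eid_prefix, locators):
    """Bytes covered by the authentication data. Constructed canonical form,
    not the RFC 6830 wire encoding; the prefix is normalised so both sides agree."""
    locs = ";".join(f"{rloc},{pri},{weight}" for rloc, pri, weight in locators)
    return f"{ipaddress.ip_network(eid_prefix)}|{locs}".encode()


def build_map_register(src_rloc, key, eid_prefix, locators):
    """ETR side: a Map-Register record plus a keyed hash over it
    (key-id 1 with 20-byte auth-data, the sizes seen in the debug output above)."""
    digest = hmac.new(key, register_payload(eid_prefix, locators), hashlib.sha1).digest()
    return {"src_rloc": src_rloc, "eid_prefix": eid_prefix, "locators": list(locators),
            "key_id": 1, "auth_data": digest}


class MapServer:
    def __init__(self, sites):
        self.sites = list(sites)

    def site_for(self, prefix):
        """The configured site whose allowed EID prefix covers the registered prefix."""
        for site in self.sites:
            for allowed in site.allowed_prefixes:
                if allowed.version == prefix.version and prefix.subnet_of(allowed):
                    return site
        return None

    def process_map_register(self, msg):
        """Accept a registration only for configured EID space and only when the
        authentication data verifies under that site's key; otherwise count and reject."""
        prefix = ipaddress.ip_network(msg["eid_prefix"])
        site = self.site_for(prefix)
        if site is None:
            return "rejected: no site configured for prefix"
        expected = hmac.new(site.key, register_payload(msg["eid_prefix"], msg["locators"]),
                            hashlib.sha1).digest()
        if msg["key_id"] != 1 or not hmac.compare_digest(expected, msg["auth_data"]):
            site.auth_failures += 1
            return f"rejected: authentication failure for site {site.name}"
        site.registrations[prefix] = (msg["src_rloc"], list(msg["locators"]))
        return f"registered in site {site.name}"

    def show_lisp_site(self):
        """Rows in the spirit of 'show lisp site': (site, up, who last registered, EID prefix)."""
        rows = []
        for site in self.sites:
            for allowed in site.allowed_prefixes:
                reg = site.registrations.get(allowed)
                rows.append((site.name, "yes" if reg else "no", reg[0] if reg else "--", str(allowed)))
        return rows


def make_lab():
    """The two sites of the lab above with assumed keys; returns (map_server, site_a, site_b)."""
    site_a = Site("SITE_A", b"site-a-key",
                  [ipaddress.ip_network("8.8.0.0/16"), ipaddress.ip_network("2001:8:8::/48")])
    site_b = Site("SITE_B", b"site-b-key",
                  [ipaddress.ip_network("9.9.0.0/16"), ipaddress.ip_network("2001:9:9::/48")])
    return MapServer([site_a, site_b]), site_a, site_b


if __name__ == "__main__":
    ms, site_a, site_b = make_lab()
    locators = [("13.13.13.1", 1, 100), ("14.14.14.1", 1, 50)]
    print(ms.process_map_register(build_map_register("14.14.14.1", b"site-a-key", "8.8.0.0/16", locators)))
    # Same key, but a prefix that belongs to SITE_B: authentication fails and SITE_B's counter moves.
    print(ms.process_map_register(build_map_register("14.14.14.1", b"site-a-key", "9.9.0.0/16", locators)))
    for row in ms.show_lisp_site():
        print(row)
```

The site lookup runs before the hash check on purpose: the key that must verify is the key of the site that owns the prefix, so a registration for 9.9.0.0/16 signed with SITE_A's key is an authentication failure charged to SITE_B, which is exactly where an operator would look in `show lisp site detail`.
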

LISP Verification
R1#sh ip lisp
  Instance ID:                      0
  Router-lisp ID:                   0
  Locator table:                    default
  EID table:                        default
  Ingress Tunnel Router (ITR):      enabled
  Egress Tunnel Router (ETR):       enabled
  Proxy-ITR Router (PITR):          disabled
  Proxy-ETR Router (PETR):          disabled
  Map Server (MS):                  disabled
  Map Resolver (MR):                disabled
  Map-Request source:               8.8.18.1
  ITR Map-Resolver(s):              1.1.1.7
  ETR Map-Server(s):                1.1.1.7 (00:00:44)
  ITR Solicit Map Request (SMR):    accept and process
    Max SMRs per map-cache entry:   8 more specifics
    Multiple SMR suppression time:  60 secs
  ETR accept mapping data:          disabled, verify disabled
  ETR map-cache TTL:                1d00h
  Locator Status Algorithms:
    RLOC-probe algorithm:           disabled
  Static mappings configured:       0
  Map-cache size/limit:             1/1000
  Map-cache activity check period:  60 secs
  Map-database size/limit:          1/1000
  Persistent map-cache:             interval 01:00:00
    Earliest next store:            00:03:15
    Location:                       NONE


R1#sh ipv6 lisp
  Instance ID:                      0
  Router-lisp ID:                   0
  Locator table:                    default
  EID table:                        default
  Ingress Tunnel Router (ITR):      enabled
  Egress Tunnel Router (ETR):       enabled
  Proxy-ITR Router (PITR):          disabled
  Proxy-ETR Router (PETR):          disabled
  Map Server (MS):                  disabled
  Map Resolver (MR):                disabled
  Map-Request source:               2001:8:8:18::1
  ITR Map-Resolver(s):              1.1.1.7
  ETR Map-Server(s):                1.1.1.7 (00:00:26)
  ITR Solicit Map Request (SMR):    accept and process
    Max SMRs per map-cache entry:   8 more specifics
    Multiple SMR suppression time:  60 secs
  ETR accept mapping data:          disabled, verify disabled
  ETR map-cache TTL:                1d00h
  Locator Status Algorithms:
    RLOC-probe algorithm:           disabled
  Static mappings configured:       0
  Map-cache size/limit:             1/1000
  Map-cache activity check period:  60 secs
  Map-database size/limit:          1/1000
  Persistent map-cache:             interval 01:00:00
    Earliest next store:            now
    Location:                       NONE


R1#sh ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries

0.0.0.0/0, uptime: 01:02:57, expires: never, via static send map-request
  Negative cache entry, action: send-map-request

R1#sh ipv6 lisp map-cache 
LISP IPv6 Mapping Cache for EID-table default (IID 0), 1 entries

::/0, uptime: 01:03:34, expires: never, via static send map-request
  Negative cache entry, action: send-map-request


R2#sh ip lisp
  Instance ID:                      0
  Router-lisp ID:                   0
  Locator table:                    default
  EID table:                        default
  Ingress Tunnel Router (ITR):      enabled
  Egress Tunnel Router (ETR):       enabled
  Proxy-ITR Router (PITR):          disabled
  Proxy-ETR Router (PETR):          disabled
  Map Server (MS):                  disabled
  Map Resolver (MR):                disabled
  Map-Request source:               9.9.29.2
  ITR Map-Resolver(s):              1.1.1.7
  ETR Map-Server(s):                1.1.1.7 (00:00:20)
  ITR Solicit Map Request (SMR):    accept and process
    Max SMRs per map-cache entry:   8 more specifics
    Multiple SMR suppression time:  60 secs
  ETR accept mapping data:          disabled, verify disabled
  ETR map-cache TTL:                1d00h
  Locator Status Algorithms:
    RLOC-probe algorithm:           disabled
  Static mappings configured:       0
  Map-cache size/limit:             1/1000
  Map-cache activity check period:  60 secs
  Map-database size/limit:          1/1000
  Persistent map-cache:             interval 01:00:00
    Earliest next store:            now
    Location:                       NONE

R2#sh ipv6 lisp
  Instance ID:                      0
  Router-lisp ID:                   0
  Locator table:                    default
  EID table:                        default
  Ingress Tunnel Router (ITR):      enabled
  Egress Tunnel Router (ETR):       enabled
  Proxy-ITR Router (PITR):          disabled
  Proxy-ETR Router (PETR):          disabled
  Map Server (MS):                  disabled
  Map Resolver (MR):                disabled
  Map-Request source:               2001:9:9:29::2
  ITR Map-Resolver(s):              1.1.1.7
  ETR Map-Server(s):                1.1.1.7 (00:00:24)
  ITR Solicit Map Request (SMR):    accept and process
    Max SMRs per map-cache entry:   8 more specifics
    Multiple SMR suppression time:  60 secs
  ETR accept mapping data:          disabled, verify disabled
  ETR map-cache TTL:                1d00h
  Locator Status Algorithms:
    RLOC-probe algorithm:           disabled
  Static mappings configured:       0
  Map-cache size/limit:             1/1000
  Map-cache activity check period:  60 secs
  Map-database size/limit:          1/1000
  Persistent map-cache:             interval 01:00:00
    Earliest next store:            now
    Location:                       NONE

R2#sh ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 1 entries

0.0.0.0/0, uptime: 01:04:31, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
R2#sh ipv6 lisp map-cache 
LISP IPv6 Mapping Cache for EID-table default (IID 0), 1 entries

::/0, uptime: 01:04:35, expires: never, via static send map-request
  Negative cache entry, action: send-map-request


R7#sh lisp site 
LISP Site Registration Information

Site Name      Last      Up   Who Last             Inst     EID Prefix
               Register       Registered           ID       
SITE_A         00:00:54  yes  13.13.13.1                    8.8.0.0/16
               00:00:43  yes  13.13.13.1                    2001:8:8::/48
SITE_B         00:00:54  yes  26.26.26.2                    9.9.0.0/16
               00:00:56  yes  26.26.26.2                    2001:9:9::/48

R7#sh lisp site detail 
LISP Site Registration Information

Site name: SITE_A
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 8.8.0.0/16 
    First registered:     01:12:50
    Routing table tag:    0
    Origin:               Configuration, accepting more specifics
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:  
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 13.13.13.1, last registered 00:00:59, no proxy-reply, no map-notify
                    TTL 1d00h, no merge, nonce 0x59ADC101-0x157BC67F
                    state complete
      Locator     Local  State      Pri/Wgt
      13.13.13.1  yes    up           1/100
      14.14.14.1  yes    up           1/50 
  EID-prefix: 2001:8:8::/48 
    First registered:     01:12:44
    Routing table tag:    0
    Origin:               Configuration, accepting more specifics
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:  
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 13.13.13.1, last registered 00:00:48, no proxy-reply, no map-notify
                    TTL 1d00h, no merge, nonce 0x59ADC101-0x157BC67F
                    state complete
      Locator     Local  State      Pri/Wgt
      13.13.13.1  yes    up           1/100
      14.14.14.1  yes    up           1/50 
Site name: SITE_B
Allowed configured locators: any
Allowed EID-prefixes:
  EID-prefix: 9.9.0.0/16 
    First registered:     01:12:54
    Routing table tag:    0
    Origin:               Configuration, accepting more specifics
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:  
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 26.26.26.2, last registered 00:00:58, no proxy-reply, no map-notify
                    TTL 1d00h, no merge, nonce 0x78688303-0x434CBFEC
                    state complete
      Locator     Local  State      Pri/Wgt
      25.25.25.2  yes    up           1/100
      26.26.26.2  yes    up           1/50 
  EID-prefix: 2001:9:9::/48 
    First registered:     01:12:55
    Routing table tag:    0
    Origin:               Configuration, accepting more specifics
    Merge active:         No
    Proxy reply:          No
    TTL:                  1d00h
    State:                complete
    Registration errors:  
      Authentication failures:   0
      Allowed locators mismatch: 0
    ETR 26.26.26.2, last registered 00:00:03, no proxy-reply, no map-notify
                    TTL 1d00h, no merge, nonce 0x78688303-0x434CBFEC
                    state complete
      Locator     Local  State      Pri/Wgt
      25.25.25.2  yes    up           1/100
      26.26.26.2  yes    up           1/50 

At this moment, the iTR routers at both sites do not have the information needed to reach each other's EID prefixes.

An iTR is a router that resides in a LISP site. Packets sent by sources inside the LISP site to destinations outside the site are candidates for encapsulation by the iTR. An iTR is also in charge of querying the mapping database when it needs to make a forwarding decision; the query is sent to the Map Resolver as a Map-Request message.

!! -- Send traffic from Site A LAN to Site B LAN -- !!

R8#ping 9.9.1.1 source 8.8.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.1.1 
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 148/174/196 ms

!! -- This traffic arrives at iTR Router R1 -- !!
!! -- Currently R1 has no information how to reach EID 9.9.1.1 -- !!
!! -- R1 (iTR) will send a map-request to MAP-Resolver (R7) -- !!

R1#

*Apr 27 23:41:14.810: LISPdata-signal: sending signal for 8.8.1.1->9.9.1.1 on in IPv4:Default
*Apr 27 23:41:14.826: LISP: Processing data signal for EID prefix IID 0 9.9.1.1/32
*Apr 27 23:41:14.830: LISP-0: Remote EID prefix 9.9.1.1/32, Created (method: data-signal, state: unknown, rlocs: 0).
*Apr 27 23:41:14.834: LISP-0: Remote EID prefix 9.9.1.1/32, Change state to incomplete (method: data-signal, state: unknown, rlocs: 0).
*Apr 27 23:41:14.834: LISP-0: Remote EID prefix 9.9.1.1/32, Schedule forwarding table update (method: data-signal, state: incomplete, rlocs: 0).
*Apr 27 23:41:14.834: LISP-0: Remote EID prefix 9.9.1.1/32, Scheduling map requests (incomplete) (method: data-signal, state: incomplete, rlocs: 0).
*Apr 27 23:41:14.834: LISP-0: Map Request prefix 9.9.1.1/32 remote EID prefix[LL], Starting request timer with delay of 00:00:00.
*Apr 27 23:41:14.834: LISP-0: Remote EID prefix 9.9.1.1/32, Placing on idle queue (method: data-signal, state: incomplete, rlocs: 0).


*Apr 27 23:41:14.878: LISP-0: Map Request prefix 9.9.1.1/32 remote EID prefix[LL], Queueing remote EID prefix map request (1/4).
*Apr 27 23:41:14.878: LISP-0: Request processing of remote EID prefix map requests.
*Apr 27 23:41:14.878: LISP: Send map request type remote EID prefix
*Apr 27 23:41:14.878: LISP: Send map request for EID prefix IID 0 9.9.1.1/32
*Apr 27 23:41:14.878: LISP-0: Remote EID prefix 9.9.1.1/32, Send map request (1) (method: data-signal, state: incomplete, rlocs: 0).
*Apr 27 23:41:14.882: LISP-0: AF IPv4, Sending map-request from 8.8.18.1 to 9.9.1.1 for EID 9.9.1.1/32, ITR-RLOCs 2, nonce 0x93BCCB84-0x9309A6A2 (encap src 14.14.14.1, dst 1.1.1.7).


!! -- MAP-Resolver R7 will receive this request, process it and -- !!
!! -- look into the MAP-Server database, find that the destination -- !!
!! -- EID is behind RLOCs (25.25.25.2, 26.26.26.2) and forward it -- !!
!! -- to RLOC 25.25.25.2 -- !!


R7#
*Apr 27 23:41:14.902: LISP: Processing received Encap-Control message from 14.14.14.1 to 1.1.1.7
*Apr 27 23:41:14.910: LISP: Processing received Map-Request message from 8.8.18.1 to 9.9.1.1
*Apr 27 23:41:14.914: LISP: Received map request, source_eid IID 0 8.8.1.1, ITR-RLOCs: 13.13.13.1 14.14.14.1, records 1, nonce 0x93BCCB84-0x9309A6A2
*Apr 27 23:41:14.922: LISP-0: MS EID prefix 9.9.0.0/16 site SITE_B, Forwarding map request to ETR 25.25.25.2.

!! -- R2 receives this Map-request and sends a direct reply to -- !!
!! -- RLOC 13.13.13.1 -- !!

R2#
*Apr 27 23:41:15.006: LISP: Processing received Encap-Control message from 1.1.57.7 to 25.25.25.2
*Apr 27 23:41:15.010: LISP: Processing received Map-Request message from 8.8.18.1 to 9.9.1.1
*Apr 27 23:41:15.018: LISP: Received map request, source_eid IID 0 8.8.1.1, ITR-RLOCs: 13.13.13.1 14.14.14.1, records 1, nonce 0x93BCCB84-0x9309A6A2
*Apr 27 23:41:15.022: LISP: Processing map request record for EID prefix IID 0 9.9.1.1/32
*Apr 27 23:41:15.026: LISP-0: Sending map-reply from 26.26.26.2 to 13.13.13.1.

!! -- R2 also sends a Map-request for EID 8.8.1.1 to the MAP-Resolver -- !!

*Apr 27 23:41:16.918: LISPdata-signal: sending signal for 9.9.1.1->8.8.1.1 on in IPv4:Default
*Apr 27 23:41:16.930: LISP: Processing data signal for EID prefix IID 0 8.8.1.1/32
*Apr 27 23:41:16.934: LISP-0: Remote EID prefix 8.8.1.1/32, Change state to incomplete (method: data-signal, state: unknown, rlocs: 0).
*Apr 27 23:41:16.942: LISP-0: Remote EID prefix 8.8.1.1/32, Scheduling map requests (incomplete) (method: data-signal, state: incomplete, rlocs: 0).
*Apr 27 23:41:16.950: LISPreid: Default:0.0.0.0/0 Null modify of pco 0x691B4DE0 linked to glean for LISP0
*Apr 27 23:41:16.966: LISPreid: Default:8.8.1.1/32 Added LISP IPL src, ok
*Apr 27 23:41:16.978: LISPreid: Default:8.8.1.1/32 Created pco 0x6A825820 linked to drop
*Apr 27 23:41:16.982: LISPreid: Default:8.8.1.1/32 Added LISP src, success
*Apr 27 23:41:17.002: LISP-0: Request processing of remote EID prefix map requests.
*Apr 27 23:41:17.010: LISP: Send map request type remote EID prefix
*Apr 27 23:41:17.014: LISP: Send map request for EID prefix IID 0 8.8.1.1/32
*Apr 27 23:41:17.018: LISP-0: Remote EID prefix 8.8.1.1/32, Send map request (1) (method: data-signal, state: incomplete, rlocs: 0).
*Apr 27 23:41:17.022: LISP-0: AF IPv4, Sending map-request from 9.9.29.2 to 8.8.1.1 for EID 8.8.1.1/32, ITR-RLOCs 2, nonce 0x2050AF63-0x1DABF4FD (encap src 26.26.26.2, dst 1.1.1.7).

!! -- The MAP-Resolver receives this request and forwards it to RLOC -- !!
!! -- 13.13.13.1 -- !!

R7#
*Apr 27 23:41:17.022: LISP: Processing received Encap-Control message from 26.26.26.2 to 1.1.1.7
*Apr 27 23:41:17.030: LISP: Processing received Map-Request message from 9.9.29.2 to 8.8.1.1
*Apr 27 23:41:17.034: LISP: Received map request, source_eid IID 0 9.9.1.1, ITR-RLOCs: 25.25.25.2 26.26.26.2, records 1, nonce 0x2050AF63-0x1DABF4FD
*Apr 27 23:41:17.042: LISP-0: MS EID prefix 8.8.0.0/16 site SITE_A, Forwarding map request to ETR 13.13.13.1.

!! -- R1 receives this Map-request and sends a direct reply to -- !!
!! -- RLOC 26.26.26.2 -- !!

R1#

*Apr 27 23:41:17.134: LISP: Received map request, source_eid IID 0 9.9.1.1, ITR-RLOCs: 25.25.25.2 26.26.26.2, records 1, nonce 0x2050AF63-0x1DABF4FD
*Apr 27 23:41:17.138: LISP: Parsing mapping record for EID prefix IID 0 9.9.0.0/16
*Apr 27 23:41:17.142: LISP-0: Mapping Record has 2 locators (action none).
*Apr 27 23:41:17.150: LISP: Processing map request record for EID prefix IID 0 8.8.1.1/32
*Apr 27 23:41:17.154: LISP-0: AF IPv4, Route locator 26.26.26.2, src 14.14.14.1 nh 14.14.14.4 if FastEthernet1/1.
*Apr 27 23:41:17.154: LISP-0: AF IPv4, Added mapping record locator 13.13.13.1 (priority 1, weight 100, local, reachable).
*Apr 27 23:41:17.154: LISP-0: AF IPv4, Added mapping record locator 14.14.14.1 (priority 1, weight 50, local, reachable).
*Apr 27 23:41:17.154: LISP-0: AF IPv4, Built mapping record for 8.8.0.0/16 with 2 locators (action none).
*Apr 27 23:41:17.154: LISP-0: Sending map-reply from 14.14.14.1 to 26.26.26.2.
*Apr 27 23:41:17.158: LISP-0: AF IPv4, Sending control packet out of FastEthernet1/1 with next hop 14.14.14.4.
*Apr 27 23:41:17.162: LISP: Processing mapping information for EID prefix IID 0 9.9.0.0/16

At this moment both iTR routers, R1 (Site A) and R2 (Site B), have each other's EID-to-RLOC mapping information.

R1#sh ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 06:47:07, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
9.9.0.0/16, uptime: 00:59:56, expires: 22:59:56, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  25.25.25.2  00:59:56  up           1/100
  26.26.26.2  00:59:56  up           1/50 

R2#sh ip lisp map-cache
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 06:47:44, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
8.8.0.0/16, uptime: 01:00:35, expires: 22:59:18, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  13.13.13.1  01:00:35  up           1/100
  14.14.14.1  01:00:35  up           1/50
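
The pull model walked through above (map-cache miss on the iTR, Map-Request to the resolver, longest-prefix match against the Map-Server database, mapping installed with the 1440-minute TTL from the Map-Register), as an added example written for this post rather than IOS code: a small iTR whose cache starts with the static negative 0.0.0.0/0 and ::/0 entries shown in `show ip lisp map-cache`, and a resolver that answers from the registrations the lab built up. The database contents are copied from the outputs above; the merged resolver/server, the `flow_hash` argument used for weight-based RLOC selection and the string results returned by `forward()` are assumptions of this example.

```python
import ipaddress

# Registrations held by the mapping system, copied from the 'show lisp site detail'
# output above: EID prefix -> [(RLOC, priority, weight)].
MS_DATABASE = {
    ipaddress.ip_network("8.8.0.0/16"): [("13.13.13.1", 1, 100), ("14.14.14.1", 1, 50)],
    ipaddress.ip_network("9.9.0.0/16"): [("25.25.25.2", 1, 100), ("26.26.26.2", 1, 50)],
    ipaddress.ip_network("2001:8:8::/48"): [("13.13.13.1", 1, 100), ("14.14.14.1", 1, 50)],
    ipaddress.ip_network("2001:9:9::/48"): [("25.25.25.2", 1, 100), ("26.26.26.2", 1, 50)],
}

TTL_MINUTES = 1440  # 'ttl 1440' in the Map-Register debug, shown as 1d00h in the map-cache


def longest_prefix_match(table, addr):
    """Return the most specific prefix in `table` that contains `addr`, or None."""
    best = None
    for prefix in table:
        if prefix.version == addr.version and addr in prefix:
            if best is None or prefix.prefixlen > best.prefixlen:
                best = prefix
    return best


def map_resolver(eid):
    """Resolver side of a Map-Request (the Map-Reply the ETR sends back is
    modelled as a direct return). None stands for a negative reply: EID not registered."""
    prefix = longest_prefix_match(MS_DATABASE, eid)
    return None if prefix is None else (prefix, MS_DATABASE[prefix])


def select_rloc(locators, flow_hash):
    """Lowest priority wins; locators with equal priority share load by weight,
    so Pri/Wgt 1/100 and 1/50 carry roughly two thirds and one third of the flows."""
    best_pri = min(pri for _, pri, _ in locators)
    candidates = [(rloc, weight) for rloc, pri, weight in locators if pri == best_pri]
    point = flow_hash % sum(weight for _, weight in candidates)
    for rloc, weight in candidates:
        if point < weight:
            return rloc
        point -= weight
    return candidates[-1][0]


class ITR:
    """Ingress tunnel router; the map-cache is seeded with the static negative
    entries of the lab (action send-map-request, never expire)."""

    def __init__(self):
        self.cache = {
            ipaddress.ip_network("0.0.0.0/0"): {"action": "send-map-request", "locators": None, "expires": None},
            ipaddress.ip_network("::/0"): {"action": "send-map-request", "locators": None, "expires": None},
        }
        self.map_requests_sent = 0

    def forward(self, dst, now, flow_hash=0):
        """Decide what happens to a packet for `dst` at time `now` (seconds)."""
        dst = ipaddress.ip_address(dst)
        # Expired mappings are dropped so the next packet pulls a fresh one.
        for prefix, entry in list(self.cache.items()):
            if entry["expires"] is not None and entry["expires"] <= now:
                del self.cache[prefix]
        entry = self.cache[longest_prefix_match(self.cache, dst)]
        if entry["action"] == "send-map-request":
            # Cache miss: send a Map-Request. As in the first ping above, the
            # packet that triggered the request is not forwarded.
            self.map_requests_sent += 1
            reply = map_resolver(dst)
            if reply is None:
                return ("drop", None)
            prefix, locators = reply
            self.cache[prefix] = {"action": "encap", "locators": locators,
                                  "expires": now + TTL_MINUTES * 60}
            return ("drop", "map-request sent")
        return ("encap", select_rloc(entry["locators"], flow_hash))


if __name__ == "__main__":
    itr = ITR()
    print(itr.forward("9.9.1.1", now=0))               # miss: dropped, Map-Request sent
    print(itr.forward("9.9.1.1", now=1, flow_hash=10))  # hit: encapsulated to 25.25.25.2
    print(itr.forward("9.9.2.1", now=2, flow_hash=120)) # same /16 cached, other RLOC by weight
```

Note that the reply installs the whole registered prefix (9.9.0.0/16), not the /32 that was requested, which is why a later packet to 9.9.2.1 is a cache hit; the `map_requests_sent` counter is the model's stand-in for the data-signal and map-request debug lines shown above.
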

!! -- Network communication is working fine between both sites now -- !!

R8#ping 9.9.1.1 source 8.8.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.1.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/197/204 ms

R8#ping 9.9.2.1 source 8.8.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.2.1, timeout is 2 seconds:
Packet sent with a source address of 8.8.2.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/198/208 ms

!! -- The IPv6 connectivity will work between both sites after -- !!
!! -- similar events (MAP-Register, MAP-Request, MAP-Reply etc.) -- !!
!! -- for IPv6 EID-to-RLOC mapping. -- !!

R8#ping 2001:9:9:1::1 source 2001:8:8:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:9:9:1::1, timeout is 2 seconds:
Packet sent with a source address of 2001:8:8:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/202/216 ms
R8#ping 2001:9:9:2::1 source 2001:8:8:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:9:9:2::1, timeout is 2 seconds:
Packet sent with a source address of 2001:8:8:2::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/168/180 ms

!! -- Finally you would see the LISP map-caches as follows -- !!

R1#sh ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 00:14:43, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
9.9.0.0/16, uptime: 00:07:27, expires: 23:52:25, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  25.25.25.2  00:07:27  up           1/100
  26.26.26.2  00:07:27  up           1/50 

R1#sh ip lisp map-cache detail 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 00:14:46, expires: never, via static send map-request
  State: send-map-request, last modified: 00:14:46, map-source: local
  Idle, Packets out: 1 (~ 00:06:46 ago)
  Configured as EID address space
  Negative cache entry, action: send-map-request
9.9.0.0/16, uptime: 00:07:29, expires: 23:52:23, via map-reply, complete
  State: complete, last modified: 00:07:29, map-source: 25.25.25.2
  Idle, Packets out: 34 (~ 00:06:46 ago)
  Locator     Uptime    State      Pri/Wgt
  25.25.25.2  00:07:29  up           1/100
    Last up-down state change:         00:07:29, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never
  26.26.26.2  00:07:29  up           1/50 
    Last up-down state change:         00:07:29, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never


R1#sh ipv6 lisp map-cache 
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries

::/0, uptime: 00:15:08, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
2001:9:9::/48, uptime: 00:05:42, expires: 23:54:10, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  25.25.25.2  00:05:42  up           1/100
  26.26.26.2  00:05:42  up           1/50 

R1#sh ipv6 lisp map-cache detail
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries

::/0, uptime: 00:15:13, expires: never, via static send map-request
  State: send-map-request, last modified: 00:15:13, map-source: local
  Idle, Packets out: 1 (~ 00:05:15 ago)
  Configured as EID address space
  Negative cache entry, action: send-map-request
2001:9:9::/48, uptime: 00:05:47, expires: 23:54:05, via map-reply, complete
  State: complete, last modified: 00:05:47, map-source: 25.25.25.2
  Idle, Packets out: 19 (~ 00:04:15 ago)
  Locator     Uptime    State      Pri/Wgt
  25.25.25.2  00:05:47  up           1/100
    Last up-down state change:         00:05:47, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never
  26.26.26.2  00:05:47  up           1/50 
    Last up-down state change:         00:05:47, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never

R2#sh ip lisp map-cache 
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 00:16:19, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
8.8.0.0/16, uptime: 00:09:03, expires: 23:50:49, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  13.13.13.1  00:09:03  up           1/100
  14.14.14.1  00:09:03  up           1/50 

R2#sh ip lisp map-cache detail
LISP IPv4 Mapping Cache for EID-table default (IID 0), 2 entries

0.0.0.0/0, uptime: 00:16:23, expires: never, via static send map-request
  State: send-map-request, last modified: 00:16:23, map-source: local
  Idle, Packets out: 1 (~ 00:08:23 ago)
  Configured as EID address space
  Negative cache entry, action: send-map-request
8.8.0.0/16, uptime: 00:09:07, expires: 23:50:45, via map-reply, complete
  State: complete, last modified: 00:09:07, map-source: 14.14.14.1
  Idle, Packets out: 33 (~ 00:08:23 ago)
  Locator     Uptime    State      Pri/Wgt
  13.13.13.1  00:09:07  up           1/100
    Last up-down state change:         00:09:07, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never
  14.14.14.1  00:09:07  up           1/50 
    Last up-down state change:         00:09:07, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never

R2#sh ipv6 lisp map-cache     
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries

::/0, uptime: 00:16:28, expires: never, via static send map-request
  Negative cache entry, action: send-map-request
2001:8:8::/48, uptime: 00:07:02, expires: 23:52:50, via map-reply, complete
  Locator     Uptime    State      Pri/Wgt
  13.13.13.1  00:07:02  up           1/100
  14.14.14.1  00:07:02  up           1/50 

R2#sh ipv6 lisp map-cache detail
LISP IPv6 Mapping Cache for EID-table default (IID 0), 2 entries

::/0, uptime: 00:16:33, expires: never, via static send map-request
  State: send-map-request, last modified: 00:16:33, map-source: local
  Idle, Packets out: 1 (~ 00:06:34 ago)
  Configured as EID address space
  Negative cache entry, action: send-map-request
2001:8:8::/48, uptime: 00:07:07, expires: 23:52:45, via map-reply, complete
  State: complete, last modified: 00:07:07, map-source: 14.14.14.1
  Idle, Packets out: 18 (~ 00:05:34 ago)
  Locator     Uptime    State      Pri/Wgt
  13.13.13.1  00:07:07  up           1/100
    Last up-down state change:         00:07:07, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never
  14.14.14.1  00:07:07  up           1/50 
    Last up-down state change:         00:07:07, state change count: 1
    Last route reachability change:    never, state change count: 0
    Last priority / weight change:     never/never
    RLOC-probing loc-status algorithm:
      Last RLOC-probe sent:            never


R8#traceroute 9.9.1.1 source 8.8.1.1
Type escape sequence to abort.
Tracing the route to 9.9.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 8.8.18.1 56 msec 44 msec 68 msec
  2 14.14.14.4 76 msec 76 msec 112 msec
  3 1.1.46.6 108 msec 152 msec 108 msec
  4 1.1.56.5 180 msec 152 msec 156 msec
  5 25.25.25.2 200 msec 196 msec 208 msec
  6 9.9.29.9 192 msec *  200 msec

R8#traceroute 
Protocol [ip]: ipv6
Target IPv6 address: 2001:9:9:1::1
Source address: 2001:8:8:1::1
Insert source routing header? [no]: 
Numeric display? [no]: 
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Priority [0]: 
Port Number [0]: 
Type escape sequence to abort.
Tracing the route to 2001:9:9:1::1

  1 2001:8:8:18::1 56 msec 48 msec 36 msec
  2 2001:9:9:29::2 188 msec 140 msec 200 msec
  3 2001:9:9:29::9 172 msec 192 msec 172 msec


Cisco Group Encrypted Transport VPN – GET VPN

Cisco Group Encrypted Transport VPN

GET VPN is a Cisco solution for encrypting traffic across a private WAN. In recent years government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS), have mandated encryption even over private IP networks. GET VPN is commonly deployed over private WAN topologies such as MPLS VPN.

Cisco IOS offers several IP security (IPsec) tunnel-based encryption solutions (for example, site-to-site IPsec, IPsec/GRE, and Dynamic Multipoint VPN (DMVPN)) that can be deployed over MPLS VPN, VPLS or shared IP networks. Traditional tunnel-based encryption solutions are point-to-point.

GET VPN uses IPsec to encrypt the traffic, but the main concept of GET VPN is the use of a group security association (SA), as opposed to standard LAN-to-LAN tunnels where an SA is created in a point-to-point fashion.

Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data.

GET VPN provides a tunnel-less VPN solution. It is tunnel-less because it retains the original IP header of the packet and encrypts only the data payload. To retain the original IP header, the original header is copied and placed before the IPsec header. GET VPN does not rely on a point-to-point VPN mechanism and can scale to any-to-any intersite VPN connectivity. It takes advantage of the underlying IP VPN routing infrastructure and does not require an overlay routing control plane.

Cisco’s Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. The CE router acts as a GM. In GET VPN networks, there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is “tunnel-less.”

GET VPN Comparison

GET VPN Components
Group Domain of Interpretation – GDOI

The GDOI group key management protocol is used to provide a set of cryptographic keys and policies to a group of devices. In a GET VPN network, GDOI is used to distribute common IPsec keys to a group of enterprise VPN gateways that must communicate securely. These keys are periodically refreshed and are updated on all the VPN gateways using a process called “rekey.” The GDOI protocol uses UDP port 848. GDOI is documented in RFC3547.

The GDOI protocol is protected by a Phase 1 Internet Key Exchange (IKE) SA. The participating VPN gateways authenticate themselves to the device providing keys using IKE. Authentication can be performed with a pre-shared key (PSK) or through a public key infrastructure (PKI). After the VPN gateways have been authenticated and provided with the appropriate security keys via the IKE SA, the IKE SA will expire and GDOI is then used to update the GMs in a more scalable and efficient manner.

Key Server – KS

A key server (KS) is an IOS device responsible for creating and maintaining the GET VPN control plane. All encryption policies, such as interesting traffic, encryption protocols, security association, rekey timers, and so on, are centrally defined on the KS and are pushed down to all GMs at registration time. The KS sends two types of keys:

  1. Traffic Encryption Key – TEK
  2. Key Encryption Key – KEK

The TEK becomes the IPsec SA, which is used to communicate with group members within the same group.

The KEK is used to encrypt the rekey messages and is used by the group members (GMs) to decrypt the incoming rekey messages from the key server (KS).

Cooperative Key Servers – COOP KSs

The KS is the most important entity in the GET VPN network because the KS maintains the control plane. Therefore, a single KS is a single point of failure for an entire GET VPN network. Because redundancy is an important consideration for KSs, GET VPN supports multiple KSs, called cooperative (COOP) KSs, to ensure seamless fault recovery if a KS fails or becomes unreachable.

A GM can be configured to register to any available KS from a list of all COOP KSs. GM configuration determines the registration order. The KS defined first is contacted first, followed by the second defined KS, and so on.

When COOP KSs boot, all KSs assume a “secondary” role and begin an election process. One KS, typically the one with the highest priority, is elected as the “primary” KS. The other KSs remain in the secondary state. The primary KS is responsible for creating and distributing group policies to all GMs and for periodically synchronizing the COOP KSs.

Group Member – GM

The group member (GM) is the router that registers with the key server (KS) to get the IPsec SA to communicate with other devices in the group.

Group SA

Unlike traditional IPsec encryption solutions, GET VPN uses the concept of group SA. All members in the GET VPN group can communicate with each other using a common encryption policy and a shared SA. With a common encryption policy and a shared SA, there is no need to negotiate IPsec between GMs.

Group Member ACL

Traffic that requires encryption is statically defined on the key server (KS) through an access control list (ACL). This policy is defined for both unicast and multicast traffic. This information is sent to all authenticated group members (GMs) to create a trusted domain of communication.

It is a best practice to summarize interesting traffic to as few permit entries as possible, and to build symmetric policies. For example, an enterprise network is using subnets from a class A major IP network 10.0.0.0/8 for all LAN interfaces behind the group members. You can define one ACL permit statement “access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255” to represent all the subnets in your network.

Unicast Rekey

The KS will generate a rekey message and send multiple copies of this message, one copy to each GM. The GM will then ACK this rekey message to the KS. The ACK mechanism keeps the list of GMs at the KS current and ensures that the rekey message is only sent to active GMs.

A KS can be configured to re-transmit rekey messages to overcome reachability issues in the network. If a GM does not send an ACK for three consecutive rekey messages, the KS will remove the GM from the active GM database and stop sending rekey messages to that GM.

Multicast Rekey

In the multicast rekey process, a single copy of the rekey message is sent to a multicast group that the GMs have joined. Each GM joins this multicast group at registration, so every GM receives the rekey message.

The multicast rekey process does not have an ACK mechanism, and the KS does not keep a list of active GMs. The KS can be configured to retransmit rekey messages. CPU overhead is much lower with multicast rekeying, since only a single message needs to be sent, compared to replicating it in unicast mode to potentially hundreds of routers.

Multicast must be enabled in the core network for multicast rekey to work in the GET VPN control plane.
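The unicast and multicast rekey bookkeeping described above, as an added model written for this page (not Cisco code): one copy per GM with ACK tracking and removal after three consecutive missed ACKs, versus one copy to the group with no tracking. The GM addresses are the four WAN addresses from the topology on this page; the ACK pattern is constructed.

```python
from dataclasses import dataclass, field

MAX_CONSECUTIVE_MISSED_ACKS = 3   # after three unanswered rekeys the KS drops the GM


@dataclass
class KeyServer:
    """Rekey bookkeeping of a GET VPN key server (added model, not Cisco code)."""
    # active GM database: GM address -> number of consecutive rekeys it failed to ACK
    active_gms: dict = field(default_factory=dict)
    messages_sent: int = 0

    def register(self, gm: str) -> None:
        self.active_gms[gm] = 0

    def unicast_rekey(self, acking_gms: set) -> list:
        """Send one copy of the rekey to every active GM, then process the ACKs.

        acking_gms is the set of GMs whose ACK came back for this rekey (after any
        retransmissions). Returns the GMs removed from the active database this round."""
        self.messages_sent += len(self.active_gms)
        removed = []
        for gm in list(self.active_gms):
            if gm in acking_gms:
                self.active_gms[gm] = 0            # an ACK resets the consecutive-miss count
            else:
                self.active_gms[gm] += 1
                if self.active_gms[gm] >= MAX_CONSECUTIVE_MISSED_ACKS:
                    del self.active_gms[gm]        # stop sending rekeys to this GM
                    removed.append(gm)
        return removed

    def multicast_rekey(self) -> None:
        """One copy to the multicast group; there are no ACKs, so nothing is tracked."""
        self.messages_sent += 1


GMS = ["172.16.16.6", "172.16.27.7", "172.16.38.8", "172.16.49.9"]   # the four GMs on this page


def demo_unicast_rekey() -> dict:
    """Constructed ACK pattern: 172.16.38.8 is flaky (two misses, then an ACK),
    172.16.49.9 goes silent after the first rekey."""
    ks = KeyServer()
    for gm in GMS:
        ks.register(gm)
    acks_per_round = [
        set(GMS),                                        # round 1: everyone ACKs
        {"172.16.16.6", "172.16.27.7"},                  # round 2
        {"172.16.16.6", "172.16.27.7"},                  # round 3
        {"172.16.16.6", "172.16.27.7", "172.16.38.8"},   # round 4: the flaky GM recovers
        {"172.16.16.6", "172.16.27.7"},                  # round 5
    ]
    removed_at = {}
    for rnd, acks in enumerate(acks_per_round, start=1):
        removed = ks.unicast_rekey(acks)
        if removed:
            removed_at[rnd] = removed
    return {
        "removed_at_round": removed_at,        # {4: ['172.16.49.9']}: third miss in a row
        "unicast_messages": ks.messages_sent,  # 4+4+4+4 while all were active, then 3
        "remaining": sorted(ks.active_gms),
        "miss_counts": dict(ks.active_gms),    # flaky GM survives: misses were not consecutive
    }


def demo_multicast_rekey(rounds: int = 5) -> int:
    """Same five rekeys over multicast: one message per round regardless of group size."""
    ks = KeyServer()
    for gm in GMS:
        ks.register(gm)
    for _ in range(rounds):
        ks.multicast_rekey()
    return ks.messages_sent
```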

Time Based Anti-Replay

Traditional IPsec solutions have anti-replay capabilities to prevent a malicious third party from capturing IPsec packets and replaying them at a later time to attack the IPsec endpoints. This is normally done with a counter-based sliding window: the sender stamps each packet with a sequence number, and the receiver uses the sliding window to determine whether the packet is acceptable or whether it has arrived out of sequence and outside the window of acceptable packets.

This mechanism is not useful in GET VPN because it uses a group SA. GET VPN therefore uses a time-based anti-replay function in which the KS maintains a pseudo time clock. Because the KS uses a pseudo time clock rather than wall-clock time, there is no need to synchronize the time with NTP for this purpose.

The primary KS keeps this pseudo time synchronized on all GMs through rekey updates. Every GM includes its pseudo time as a time stamp in the data packets. The receiving VPN gateway then compares the time stamp of the received packet with the reference pseudo time clock it maintains for the group. If the packet is too late, it is dropped.
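Added illustration (not Cisco code) of why the counter-based window breaks down under a group SA and how the time-based check replaces it; the window size of 5 seconds matches the `replay time window-size 5` in the KS configuration on this page, and the packet stream is constructed.

```python
from dataclasses import dataclass


@dataclass
class CounterWindow:
    """Classic per-SA anti-replay: one sender, 64-packet sliding window over sequence numbers."""
    size: int = 64
    highest: int = 0   # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False
        if seq > self.highest:                      # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):   # too old, or a duplicate
            return False
        self.bitmap |= 1 << diff
        return True


@dataclass
class TimeWindow:
    """Simplified GET VPN time-based anti-replay (TBAR).

    The KS distributes a pseudo time with each rekey; every sender stamps its packets with
    its copy of that clock, and a receiver drops anything whose stamp differs from its own
    clock by more than window_size seconds. Senders never need to coordinate sequence
    numbers, which is what makes this usable with one SA shared by many GMs."""
    window_size: float          # seconds; 'replay time window-size 5' on this page
    pseudo_time: float = 0.0    # this GM's copy of the group pseudo time

    def sync(self, ks_pseudo_time: float) -> None:
        """A rekey arrived: adopt the pseudo time carried by the KS."""
        self.pseudo_time = ks_pseudo_time

    def advance(self, seconds: float) -> None:
        self.pseudo_time += seconds

    def accept(self, packet_stamp: float) -> bool:
        # A replay inside the window is still accepted: TBAR bounds the replay
        # opportunity to window_size, it does not eliminate it, hence the small window.
        return abs(self.pseudo_time - packet_stamp) <= self.window_size


def demo_counter_window_with_group_sa() -> list:
    """Two GMs encrypt under the same SA, each numbering its own packets from 1.
    The receiver's single counter window rejects GM-B's legitimate packets as replays."""
    rx = CounterWindow()
    stream = [("GM-A", 1), ("GM-A", 2), ("GM-B", 1), ("GM-B", 2), ("GM-A", 3)]
    return [(sender, seq, rx.accept(seq)) for sender, seq in stream]


def demo_time_window(window_size: float = 5.0) -> list:
    """Constructed stream: fresh packets from two GMs, a delayed packet, a captured packet
    replayed later, and a packet with a forged future stamp."""
    rx = TimeWindow(window_size=window_size)
    rx.sync(1000.0)                     # rekey carried pseudo time 1000
    results = []
    # (label, seconds the receiver clock advances before arrival, pseudo time stamp in packet)
    stream = [
        ("GM-A fresh packet",                 0.5, 1000.4),
        ("GM-B fresh packet, same SA",        0.5, 1000.9),
        ("GM-B packet delayed 3 s",           3.0, 1001.0),
        ("GM-A packet replayed ~10 s later",  6.0, 1000.4),
        ("packet with forged future stamp",   0.0, 1020.0),
    ]
    for label, elapsed, stamp in stream:
        rx.advance(elapsed)
        results.append((label, rx.accept(stamp)))
    return results


if __name__ == "__main__":
    for row in demo_counter_window_with_group_sa():
        print("counter window:", row)
    for row in demo_time_window():
        print("time window:   ", row)
```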

How GET VPN works
  • GET VPN uses the keying protocol GDOI combined with IPsec standards encryption to encrypt and decrypt the packets, thereby providing an efficient mechanism to secure native (non-tunneled) IP unicast and multicast traffic.
  • Each group member (GM) sends a registration request to the key server (KS). Using the GDOI protocol, the key server authenticates and authorizes the group member and sends the IPsec policy and the keys, which are required to encrypt and decrypt IP unicast and multicast packets.
  • After the group member is registered with the IPsec SA, and upon receiving the respective keys, group members can directly exchange encrypted IP unicast and multicast packets with each other, bypassing the key server.
  • As needed, the key server sends a rekey message to all the group members within the group. The rekey message contains the new IPsec policy and keys that are used when the outdated IPsec SA expires.

Implementing Cisco GET VPN

We will use the following topology for the GET VPN implementation.

Configurations
MPLS Provider Network Configuration
R1 - PE Router

hostname R1
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.15.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.16.1 255.255.255.0
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 100
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.16.6 remote-as 65001
  neighbor 172.16.16.6 activate
  neighbor 172.16.16.6 as-override
 exit-address-family
!

R2 - PE Router

hostname R2
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.25.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.27.2 255.255.255.0
!
router ospf 1
 router-id 10.1.0.2
!
router bgp 100
 bgp router-id 10.1.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.27.7 remote-as 65001
  neighbor 172.16.27.7 activate
  neighbor 172.16.27.7 as-override
 exit-address-family
!

R3 - PE Router

hostname R3
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.35.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.38.3 255.255.255.0
!
router ospf 1
 router-id 10.1.0.3
!
router bgp 100
 bgp router-id 10.1.0.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.38.8 remote-as 65001
  neighbor 172.16.38.8 activate
  neighbor 172.16.38.8 as-override
 exit-address-family
!

R4 - PE Router

hostname R4
!
vrf definition CUST-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.1.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.45.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding CUST-A
 ip address 172.16.49.4 255.255.255.0
!
router ospf 1
 router-id 10.1.0.4
!
router bgp 100
 bgp router-id 10.1.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.5 remote-as 100
 neighbor 10.1.0.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.5 activate
  neighbor 10.1.0.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 172.16.49.9 remote-as 65001
  neighbor 172.16.49.9 activate
  neighbor 172.16.49.9 as-override
 exit-address-family
!

R5 - P Router

hostname R5
!
ip cef
!
interface Loopback0
 ip address 10.1.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.15.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.1.25.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 ip address 10.1.35.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/1
 ip address 10.1.45.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.1.0.5
!
router bgp 100
 bgp router-id 10.1.0.5
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor PE-ROUTERS peer-group
 neighbor PE-ROUTERS remote-as 100
 neighbor PE-ROUTERS update-source Loopback0
 neighbor 10.1.0.1 peer-group PE-ROUTERS
 neighbor 10.1.0.2 peer-group PE-ROUTERS
 neighbor 10.1.0.3 peer-group PE-ROUTERS
 neighbor 10.1.0.4 peer-group PE-ROUTERS
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor PE-ROUTERS send-community extended
  neighbor PE-ROUTERS route-reflector-client
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.3 activate
  neighbor 10.1.0.4 activate
 exit-address-family
!
Customer Sites Configuration

We need to generate an RSA key pair before the key server (KS) configuration. The key pair is generated on one KS. All KSs must share the same key pair, so it must be generated with the “exportable” tag; it is then imported on the remaining KSs. The key pair does not need to be imported on the GMs.

!! -- Generate RSA key on Primary Key Server Router R10 -- !!

R10-Primary-KS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R10-Primary-KS(config)#crypto key generate rsa general-keys label getvpn-export-general modulus 1024 exportable        
The name for the keys will be: getvpn-export-general

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)

R10-Primary-KS(config)#

!! -- Export this key to the terminal -- !!

R10-Primary-KS(config)#crypto key export rsa getvpn-export-general pem terminal 3des myrsakeypasswd
% Key name: getvpn-export-general
   Usage: General Purpose Key
   Key data:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0W2WX/cvI41mAJ+AbDgOMpRbi
l6FPtOIiw6SDYa3z4GixsYqem5pt7SLk/spxLeHFNsYaD7XqzRAj/hmDWpfrHOmE
IANfiCwfhnh4/Ep1a0+dBKCqK7C90qtQQswdDJfdX8Eunbp93E73caSws4Qkpwqs
iEigKWoAauIvFlDV6QIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DAAC1EB9DAA8FA6D

HqkzonxyuD6bXNJZD6+Zblyscwuvbfskhs9mLnYo1CflKMUxHv1XU/5Ctdvmirp2
AVzlWFgR/FFriVYofQoT1BbCtoCJXsT4nPbF07K/rsBsP7HXX0UEsh6zx/Tagv6Q
EBOjk15Tfx+yP3twIpK7jN3hp/81Yjybg+hDV2sfVElqpVShHr8HrAqpiQdtuQiC
MNUtC3/GJy95CO0Wpg/qAKknG4H/wEQqG4wXU0yZ8qUE71xlO7p9Z2GqGMjcRmwZ
ADsIKvGBwNQSg77VZ+Bq2zYLosThz63r1kn7oVxt2dU4wNSpu3CvcAlVhxf7TJoW
mKCr7H99Yk8upFH6Nh+HUG6+BhFZEkkDOjIU1CJeFFO1qEToQA1U4ue0OMt0IQnU
KMA+1IfNCIoH05L4+x2TRHu+uEk1tgu5smU+QmJYSwn6drj74poXsuRcJgNs4VWO
0B7phKvaoXXUdkXiyaOMgHacnnCHL8LEzmp6BzVUbDCbBtYomeaFCI6B7BaOvwDv
sr1Z85xgynXhm1vGWJNd45Lk7+SSVaOp6qp/IIAcFTbA1OfqtWayMMcDHRsc1m3O
iyn5fa4AUlx6smkhkBe7lh1FCQh+C1DrZdrKVWmo7iuDfAxdC6IW+XiUW1gwlnKd
taw4Fy+AALlhMc/pKHqx2WVX1s6SAWgxwhsjxbFIZXSDdRfhkLdl9QAd6G0zVsBq
U7J1rPwZ1dMtZTDfyj/KSl2DbPpv90vJYGHMcU+h49XfBNF2QsizIkx8mjegmX0O
+ep0LsrsqV5XnMeotYzCTPNmb6PoE/fN+YdhzjWJHmTOt6HAdhRsKw==
-----END RSA PRIVATE KEY-----

R10-Primary-KS(config)#

!! -- Import this key using cut-and-paste -- !!
!! -- to other Key Server (KS) Router R11 -- !!

R11-Backup-KS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R11-Backup-KS(config)#crypto key import rsa getvpn-export-general pem exportable terminal myrsakeypasswd    
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0W2WX/cvI41mAJ+AbDgOMpRbi
l6FPtOIiw6SDYa3z4GixsYqem5pt7SLk/spxLeHFNsYaD7XqzRAj/hmDWpfrHOmE
IANfiCwfhnh4/Ep1a0+dBKCqK7C90qtQQswdDJfdX8Eunbp93E73caSws4Qkpwqs
iEigKWoAauIvFlDV6QIDAQAB
-----END PUBLIC KEY-----
quit
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DAAC1EB9DAA8FA6D
...
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.

R11-Backup-KS(config)#

Configuration
!! -- R10 Primary Key Server Router -- !!

hostname R10-Primary-KS
!
!! -- IKE Phase 1 Configuration -- !!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!! -- Pre-shared key for peers in the network range 172.16.0.0/16 -- !!
!! -- (the mask is given explicitly; without it IOS matches only the single host address) -- !!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.0.0 255.255.0.0
crypto isakmp keepalive 10 periodic     
!
!! -- Transform Set Configuration -- !!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha256-hmac 
 mode transport
!
!! -- IPsec Profile Configuration -- !!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GDOI-TRANS 
!
!! -- GDOI Group Configuration -- !!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 !! -- The local keyword identifies this router as a Key Server -- !!
 server local
  rekey retransmit 10 number 2
  !! -- RSA Key -- !!
  rekey authentication mypubkey rsa getvpn-export-general
  !! -- Rekeying through unicast transport -- !!
  rekey transport unicast
  sa ipsec 1
   !! -- Transform Set for Group Members -- !!
   profile GDOI-PROFILE
   !! -- Policies defining traffic to be encrypted -- !!
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 172.16.16.10
  !! -- Enable the Cooperative Key Server feature -- !!
  !! -- The highest priority server takes the Primary Key Server role -- !!
  !! -- All other Key Servers must be configured as peers -- !!
  redundancy
   local priority 100
   peer address ipv4 172.16.27.11
!
interface FastEthernet0/0
 ip address 172.16.16.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.16.6
!
ip access-list extended GETVPN-ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!

!! -- R11 Backup Key Server Router -- !!

hostname R11-Backup-KS
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.0.0 255.255.0.0
crypto isakmp keepalive 10 periodic   
!
crypto ipsec transform-set GDOI-TRANS esp-aes 256 esp-sha256-hmac 
 mode transport
!
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GDOI-TRANS 
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa getvpn-export-general
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 172.16.27.11
  redundancy
   local priority 75
   peer address ipv4 172.16.16.10
!
interface FastEthernet0/0
 ip address 172.16.27.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.27.7
!
ip access-list extended GETVPN-ACL
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!

!! -- R6 CE, GET VPN Group Member Router -- !!

hostname R6-CE-GM
!
!! -- IKE Phase 1 Configuration -- !!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
!! -- Pre-shared key for the Key Server Routers -- !!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
!! -- GDOI Group Configuration -- !!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
!! -- Crypto MAP Configuration -- !!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
!! -- Associate Crypto MAP to the WAN Interfaces -- !!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.16.6 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.6.6 255.255.255.0
!
router bgp 65001
 bgp router-id 172.16.16.6
 bgp log-neighbor-changes
 network 192.168.0.6 mask 255.255.255.255
 network 192.168.6.0
 neighbor 172.16.16.1 remote-as 100
!

!! -- R7 CE, GET VPN Group Member Router -- !!

hostname R7-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.27.7 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.7.7 255.255.255.0
!
router bgp 65001
 bgp router-id 172.16.27.7
 bgp log-neighbor-changes
 network 192.168.0.7 mask 255.255.255.255
 network 192.168.7.0
 neighbor 172.16.27.2 remote-as 100
!

!! -- R8 CE, GET VPN Group Member Router -- !!

hostname R8-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.38.8 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.8.8 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.8.8
 bgp log-neighbor-changes
 network 192.168.8.0
 neighbor 172.16.38.3 remote-as 100
!

!! -- R9 CE, GET VPN Group Member Router -- !!

hostname R9-CE-GM
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.16.10   
crypto isakmp key $3cur3dG3tVpNK3Y address 172.16.27.11   
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 172.16.16.10
 server address ipv4 172.16.27.11
!
crypto map GETVPN-MAP 10 gdoi 
 set group GETVPN-GROUP
!
interface FastEthernet0/0
 description To MPLS Provider
 ip address 172.16.49.9 255.255.255.0
 crypto map GETVPN-MAP
!
interface FastEthernet0/1
 description To LAN
 ip address 192.168.9.9 255.255.255.0
!
router bgp 65001
 bgp router-id 192.168.9.9
 bgp log-neighbor-changes
 network 192.168.9.0
 neighbor 172.16.49.4 remote-as 100
!
Verification and Testing
!! -- Routing on all Customer sites Routers -- !!

R6-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C        172.16.16.0/24 is directly connected, FastEthernet0/0
L        172.16.16.6/32 is directly connected, FastEthernet0/0
B        172.16.27.0/24 [20/0] via 172.16.16.1, 09:25:04
B        172.16.38.0/24 [20/0] via 172.16.16.1, 09:25:04
B        172.16.49.0/24 [20/0] via 172.16.16.1, 09:24:55
      192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.6.0/24 is directly connected, FastEthernet0/1
L        192.168.6.6/32 is directly connected, FastEthernet0/1
B     192.168.7.0/24 [20/0] via 172.16.16.1, 09:25:04
B     192.168.8.0/24 [20/0] via 172.16.16.1, 09:25:04
B     192.168.9.0/24 [20/0] via 172.16.16.1, 09:23:48


R7-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.27.2, 09:25:25
C        172.16.27.0/24 is directly connected, FastEthernet0/0
L        172.16.27.7/32 is directly connected, FastEthernet0/0
B        172.16.38.0/24 [20/0] via 172.16.27.2, 09:25:25
B        172.16.49.0/24 [20/0] via 172.16.27.2, 09:25:16
B     192.168.6.0/24 [20/0] via 172.16.27.2, 09:25:25
      192.168.7.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.7.0/24 is directly connected, FastEthernet0/1
L        192.168.7.7/32 is directly connected, FastEthernet0/1
B     192.168.8.0/24 [20/0] via 172.16.27.2, 09:25:25
B     192.168.9.0/24 [20/0] via 172.16.27.2, 09:24:09

R8-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.38.3, 09:25:35
B        172.16.27.0/24 [20/0] via 172.16.38.3, 09:25:35
C        172.16.38.0/24 is directly connected, FastEthernet0/0
L        172.16.38.8/32 is directly connected, FastEthernet0/0
B        172.16.49.0/24 [20/0] via 172.16.38.3, 09:25:26
B     192.168.6.0/24 [20/0] via 172.16.38.3, 09:25:35
B     192.168.7.0/24 [20/0] via 172.16.38.3, 09:25:35
      192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.8.0/24 is directly connected, FastEthernet0/1
L        192.168.8.8/32 is directly connected, FastEthernet0/1
B     192.168.9.0/24 [20/0] via 172.16.38.3, 09:24:19

R9-CE-GM#show ip route | beg Gate
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
B        172.16.16.0/24 [20/0] via 172.16.49.4, 09:24:31
B        172.16.27.0/24 [20/0] via 172.16.49.4, 09:24:31
B        172.16.38.0/24 [20/0] via 172.16.49.4, 09:24:31
C        172.16.49.0/24 is directly connected, FastEthernet0/0
L        172.16.49.9/32 is directly connected, FastEthernet0/0
B     192.168.6.0/24 [20/0] via 172.16.49.4, 09:24:31
B     192.168.7.0/24 [20/0] via 172.16.49.4, 09:24:31
B     192.168.8.0/24 [20/0] via 172.16.49.4, 09:24:31
      192.168.9.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.9.0/24 is directly connected, FastEthernet0/1
L        192.168.9.9/32 is directly connected, FastEthernet0/1

R10-Primary-KS#show ip route | beg Gate
Gateway of last resort is 172.16.16.6 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.16.6
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.16.0/24 is directly connected, FastEthernet0/0
L        172.16.16.10/32 is directly connected, FastEthernet0/0

R11-Backup-KS#show ip route | beg Gate
Gateway of last resort is 172.16.27.7 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.27.7
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.27.0/24 is directly connected, FastEthernet0/0
L        172.16.27.11/32 is directly connected, FastEthernet0/0


!! -- When only Primary Key Server is configured -- !!
!! -- KS would participate in the Election with Secondary role -- !! 

*Apr 19 15:21:13.519: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:21:47.923: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:22:55.623: %GDOI-5-COOP_KS_ADD: 172.16.27.11 added as COOP Key Server in group GETVPN-GROUP.
*Apr 19 15:23:35.671: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN-GROUP (Previous Primary = NONE)

R10-Primary-KS#sh crypto gdoi ks coop 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.16.10 
        Local Priority: 100      
        Local KS Role: Secondary , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Secondary Timers: 
                Sec Primary Periodic Time: 30 
                Remaining Time: 2, Retries: 2
                Invalid ANN PST recvd: 0
                New GM Temporary Blocking Enforced?: No
                Antireplay Sequence Number: 3

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.27.11
                Peer Version: 0.0.0 
                Peer Priority: Unknown 
                Peer KS Role: Secondary , Peer KS Status: Unknown   
                Antireplay Sequence Number: 0

                IKE status: In Progress
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 3 
                    Packet Recv drops: 0 
                    Total bytes sent: 0 
                    Total bytes recv: 0
                
!! -- It keeps trying to reach the peer KS, but no Backup KS (peer) -- !!
!! -- has been configured yet. When a KS receives no response from -- !!
!! -- any other KS, it promotes itself to Primary and marks the -- !!
!! -- unreachable peer KS as Dead -- !!

*Apr 19 15:25:05.775: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.16.10 in group GETVPN-GROUP transitioned to Primary (Previous Primary = NONE)
*Apr 19 15:25:05.815: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 172.16.27.11 Unreachable in group GETVPN-GROUP. IKE SA Status = Failed to establish.

R10-Primary-KS#sh crypto gdoi ks coop 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.16.10 
        Local Priority: 100      
        Local KS Role: Primary   , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Primary Timers: 
                Primary Refresh Policy Time: 20 
                Remaining Time: 18
                Antireplay Sequence Number: 5

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.27.11
                Peer Version: 0.0.0 
                Peer Priority: Unknown 
                Peer KS Role: Secondary , Peer KS Status: Dead      
                Antireplay Sequence Number: 0

                IKE status: In Progress
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 0
                    Ann msgs recv: 0 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 5 
                    Packet Recv drops: 0 
                    Total bytes sent: 0 
                    Total bytes recv: 0

!! -- When the Backup Key Server is configured, it also joins the -- !!
!! -- election in the Secondary role. Because it learns that a -- !!
!! -- Primary KS with a higher priority (100 vs. 75) is alive, it -- !!
!! -- stays Secondary -- !!

R11-Backup-KS# 
*Apr 19 15:26:17.627: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:27:24.143: %GDOI-5-COOP_KS_ADD: 172.16.16.10 added as COOP Key Server in group GETVPN-GROUP.
*Apr 19 15:27:24.183: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in group GETVPN-GROUP (Previous Primary = NONE)
*Apr 19 15:27:29.527: %GDOI-4-GDOI_ANN_TIMESTAMP_LARGE: COOP_KS ANN received from KS 172.16.16.10 in group GETVPN-GROUP has PST bigger than myself. Adjust to new PST:
my_old_pst is 71 sec, peer_pst is 375 sec
*Apr 19 15:27:34.543: %GDOI-5-COOP_KS_TRANS_TO_PRI: KS 172.16.16.10 in group GETVPN-GROUP transitioned to Primary (Previous Primary = NONE)

R11-Backup-KS#sh crypto gdoi ks coop                 
Crypto Gdoi Group Name :GETVPN-GROUP 
        Group handle: 2147483650, Local Key Server handle: 2147483650

        Local Address: 172.16.27.11 
        Local Priority: 75       
        Local KS Role: Secondary , Local KS Status: Alive     
        Local KS version: 1.0.4 
        Secondary Timers: 
                Sec Primary Periodic Time: 30 
                Remaining Time: 27, Retries: 0
                Invalid ANN PST recvd: 0
                New GM Temporary Blocking Enforced?: No
                Antireplay Sequence Number: 1

        Peer Sessions:
        Session 1:
                Server handle: 2147483651
                Peer Address: 172.16.16.10
                Peer Version: 1.0.4 
                Peer Priority: 100             
                Peer KS Role: Primary   , Peer KS Status: Alive     
                Antireplay Sequence Number: 42

                IKE status: Established
                Counters:
                    Ann msgs sent: 0
                    Ann msgs sent with reply request: 1
                    Ann msgs recv: 29 
                    Ann msgs recv with reply request: 0
                    Packet sent drops: 0 
                    Packet Recv drops: 0 
                    Total bytes sent: 152 
                    Total bytes recv: 18415
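
Added example (Python, not code from the original post or from Cisco): a small checker that parses `show crypto gdoi ks coop` output and reports what a monitoring job would want from the two displays above, namely whether a peer KS is Dead or the IKE SA between key servers is not Established, and whether the local role agrees with the COOP election rule (highest priority among reachable key servers wins, ties go to the highest IP address). The embedded samples are the page's own output trimmed to the fields the parser reads; the class and function names are this example's own.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Samples are the page's own "show crypto gdoi ks coop" output, trimmed to the
# fields this checker reads: R10 right after it declared its peer dead, and R11
# once the IKE SA to the primary was up.
R10_COOP = """\
Crypto Gdoi Group Name :GETVPN-GROUP
        Local Address: 172.16.16.10
        Local Priority: 100
        Local KS Role: Primary   , Local KS Status: Alive
        Peer Sessions:
        Session 1:
                Peer Address: 172.16.27.11
                Peer Priority: Unknown
                Peer KS Role: Secondary , Peer KS Status: Dead
                IKE status: In Progress
"""

R11_COOP = """\
Crypto Gdoi Group Name :GETVPN-GROUP
        Local Address: 172.16.27.11
        Local Priority: 75
        Local KS Role: Secondary , Local KS Status: Alive
        Peer Sessions:
        Session 1:
                Peer Address: 172.16.16.10
                Peer Priority: 100
                Peer KS Role: Primary   , Peer KS Status: Alive
                IKE status: Established
"""


@dataclass
class PeerKS:
    address: str
    priority: Optional[int]   # None when this KS never heard from the peer ("Unknown")
    role: str
    status: str
    ike_status: str


@dataclass
class CoopView:
    local_address: str
    local_priority: int
    local_role: str
    local_status: str
    peers: list[PeerKS] = field(default_factory=list)


def _grab(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text)
    return m.group(1).strip() if m else default


def parse_coop(text: str) -> CoopView:
    """Parse one key server's 'show crypto gdoi ks coop' output."""
    view = CoopView(
        local_address=_grab(r"Local Address:\s*(\S+)", text),
        local_priority=int(_grab(r"Local Priority:\s*(\d+)", text)),
        local_role=_grab(r"Local KS Role:\s*(\w+)", text),
        local_status=_grab(r"Local KS Status:\s*(\w+)", text),
    )
    # Every peer is introduced by a "Session N:" line; chunk 0 is the local part.
    for chunk in re.split(r"\n\s*Session \d+:", text)[1:]:
        prio = _grab(r"Peer Priority:\s*(\S+)", chunk)
        view.peers.append(PeerKS(
            address=_grab(r"Peer Address:\s*(\S+)", chunk),
            priority=int(prio) if prio.isdigit() else None,
            role=_grab(r"Peer KS Role:\s*(\w+)", chunk),
            status=_grab(r"Peer KS Status:\s*(\w+)", chunk),
            ike_status=_grab(r"IKE status:\s*(.+)", chunk, "Unknown"),
        ))
    return view


def expected_primary(view: CoopView) -> str:
    """COOP election rule as seen from this KS: highest priority among the key
    servers it can reach wins, ties go to the highest IP address.  Peers that
    are not Alive (or whose priority is still Unknown) do not take part."""
    candidates = [(view.local_priority, ipaddress.ip_address(view.local_address))]
    candidates += [(p.priority, ipaddress.ip_address(p.address))
                   for p in view.peers if p.status == "Alive" and p.priority is not None]
    return str(max(candidates)[1])


def check_coop(view: CoopView) -> list[str]:
    """Return the findings a monitoring job would alert on."""
    findings = []
    for p in view.peers:
        if p.status != "Alive":
            findings.append(f"peer KS {p.address} is {p.status}")
        if p.ike_status != "Established":
            findings.append(f"IKE SA to peer KS {p.address}: {p.ike_status}")
    winner = expected_primary(view)
    if view.local_role == "Primary" and winner != view.local_address:
        findings.append(f"local KS is Primary but {winner} should win the election")
    if view.local_role == "Secondary" and winner == view.local_address:
        findings.append("local KS is Secondary but should have won the election")
    return findings


if __name__ == "__main__":
    for name, sample in (("R10", R10_COOP), ("R11", R11_COOP)):
        print(name, check_coop(parse_coop(sample)) or "OK")
```

Run against the first R10 display it reports the Dead peer and the unfinished IKE SA (the lone-KS case the comment above describes); against the R11 display it reports nothing, because a 75-priority KS that sees a 100-priority Alive peer is supposed to be Secondary.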

!! -- Now IKE phase-1 is UP between Primary and Backup KS -- !!

R10-Primary-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

R11-Backup-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

!! -- Verify interesting traffic ACL added into GETVPN domain -- !!

R10-Primary-KS#sh crypto gdoi ks acl 
Group Name: GETVPN-GROUP
 Configured ACL:
   access-list GETVPN-ACL  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

!! -- Verify the GDOI policy on the KS, which will be pushed to the -- !!
!! -- Group Members (GM). Note the asymmetry below: the TEK (data -- !!
!! -- plane) uses AES-256/SHA-256, but the KEK that protects rekey -- !!
!! -- messages still uses 3DES and a 1024-bit RSA signing key (sig -- !!
!! -- size 128 bytes). A recovered KEK exposes every TEK delivered -- !!
!! -- by later rekeys, so a production KS should use an AES KEK and -- !!
!! -- a 2048-bit or larger signing key -- !!

R10-Primary-KS#sh crypto gdoi ks policy 
Key Server Policy:
For group GETVPN-GROUP (handle: 2147483650) server 172.16.16.10 (handle: 2147483650):

  # of teks : 2  Seq num : 1
  KEK POLICY (transport type : Unicast)
    spi : 0x25C92085E5951A54B8182918A13D10B4
    management alg     : disabled    encrypt alg       : 3DES      
    crypto iv length   : 8           key size          : 24      
    orig life(sec): 86400       remaining life(sec): 79722     
    sig hash algorithm : enabled     sig key length    : 162     
    sig size           : 128       
    sig key name       : getvpn-export-general

  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xF22F8F3B
    access-list        : GETVPN-ACL
    transform          : esp-256-aes esp-sha256-hmac 
    alg key size       : 32            sig key size          : 32        
    orig life(sec)     : 7200          remaining life(sec)   : 523       
    tek life(sec)      : 7200          elapsed time(sec)     : 6677      
    override life (sec): 0             antireplay window size: 5         

          
  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xBB9CF351
    access-list        : GETVPN-ACL
    transform          : esp-256-aes esp-sha256-hmac 
    alg key size       : 32            sig key size          : 32        
    orig life(sec)     : 7200          remaining life(sec)   : 6978      
    tek life(sec)      : 7200          elapsed time(sec)     : 222       
    override life (sec): 0             antireplay window size: 5         

  Replay Value 6909.39 secs 
For group GETVPN-GROUP (handle: 2147483650) server 172.16.27.11 (handle: 2147483651):
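
Added example (Python, not part of the page or of the Cisco design guide): an audit of the policy shown above. It parses `show crypto gdoi ks policy` output, derives the RSA key size from the 128-byte signature size (an RSA signature is as long as the modulus), and flags the KEK settings that are weaker than the TEK transform. The thresholds (no DES/3DES, RSA of at least 2048 bits, the list of weak ESP transforms) are this example's own choices; the embedded sample is the page's output trimmed to the lines the parser reads.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The page's own "show crypto gdoi ks policy" output (R10), trimmed to the
# lines this audit reads.
KS_POLICY = """\
  KEK POLICY (transport type : Unicast)
    spi : 0x25C92085E5951A54B8182918A13D10B4
    management alg     : disabled    encrypt alg       : 3DES
    orig life(sec): 86400       remaining life(sec): 79722
    sig hash algorithm : enabled     sig key length    : 162
    sig size           : 128

  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xF22F8F3B
    transform          : esp-256-aes esp-sha256-hmac
    orig life(sec)     : 7200          remaining life(sec)   : 523
    tek life(sec)      : 7200          elapsed time(sec)     : 6677
    override life (sec): 0             antireplay window size: 5

  TEK POLICY (encaps : ENCAPS_TRANSPORT)
    spi                : 0xBB9CF351
    transform          : esp-256-aes esp-sha256-hmac
    orig life(sec)     : 7200          remaining life(sec)   : 6978
    tek life(sec)      : 7200          elapsed time(sec)     : 222
    override life (sec): 0             antireplay window size: 5
"""

# Audit thresholds are this example's choices, not values taken from the page.
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
AEAD_ESP = {"esp-gcm", "esp-gmac"}   # integrity built in, no -hmac token expected
MIN_RSA_BITS = 2048


@dataclass
class KekPolicy:
    encrypt_alg: str
    sig_bits: int     # RSA modulus size, 8 x the signature size in bytes
    lifetime: int


@dataclass
class TekPolicy:
    spi: str
    transform: list[str]
    lifetime: int
    remaining: int
    replay_window: int


@dataclass
class KsPolicy:
    kek: KekPolicy
    teks: list[TekPolicy]


def _num(pattern: str, text: str) -> int:
    return int(re.search(pattern, text).group(1))


def parse_policy(text: str) -> KsPolicy:
    """Split the output into the KEK block and one block per TEK."""
    kek_txt, *tek_txts = re.split(r"TEK POLICY", text)
    kek = KekPolicy(
        encrypt_alg=re.search(r"encrypt alg\s*:\s*(\S+)", kek_txt).group(1),
        sig_bits=8 * _num(r"sig size\s*:\s*(\d+)", kek_txt),
        lifetime=_num(r"orig life\(sec\)\s*:\s*(\d+)", kek_txt),
    )
    teks = [TekPolicy(
        spi=re.search(r"spi\s*:\s*(0x[0-9A-Fa-f]+)", t).group(1),
        transform=re.search(r"transform\s*:\s*(.+)", t).group(1).split(),
        lifetime=_num(r"tek life\(sec\)\s*:\s*(\d+)", t),
        remaining=_num(r"remaining life\(sec\)\s*:\s*(\d+)", t),
        replay_window=_num(r"antireplay window size:\s*(\d+)", t),
    ) for t in tek_txts]
    return KsPolicy(kek, teks)


def audit_policy(p: KsPolicy) -> list[str]:
    """Flag the parts of the group policy that are weaker than the data plane."""
    findings = []
    if p.kek.encrypt_alg.upper() in {"DES", "3DES"}:
        findings.append(f"KEK: rekeys encrypted with {p.kek.encrypt_alg}; use AES")
    if p.kek.sig_bits < MIN_RSA_BITS:
        findings.append(f"KEK: {p.kek.sig_bits}-bit RSA rekey signing key; use >= {MIN_RSA_BITS}")
    for t in p.teks:
        weak = sorted(set(t.transform) & WEAK_ESP)
        if weak:
            findings.append(f"TEK {t.spi}: weak transform {' '.join(weak)}")
        if not any(x.endswith("-hmac") or x in AEAD_ESP for x in t.transform):
            findings.append(f"TEK {t.spi}: no integrity algorithm")
    return findings


if __name__ == "__main__":
    policy = parse_policy(KS_POLICY)
    print("\n".join(audit_policy(policy)) or "policy OK")
```

On the page's policy the two TEKs pass (AES-256 with SHA-256 HMAC) and both findings are against the KEK. The parsed TEK lifetimes also show why two TEKs exist at once: the old SPI 0xF22F8F3B has 523 s left while the new SPI 0xBB9CF351 was already pushed, so the group rekeys before the old key expires.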

!! -- After the Group Member (GM) router R6 is configured, it tries -- !!
!! -- the key servers in the order of its configured KS list and -- !!
!! -- registers with the first one that answers (here the Primary, -- !!
!! -- 172.16.16.10). The GM therefore holds ISAKMP SAs only with -- !!
!! -- that KS, which pushes the GDOI policies (KEK, TEKs, ACL) to it -- !!

R6-CE-GM(config-if)#
*Apr 19 15:41:54.175: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.16.6
*Apr 19 15:41:54.191: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R6-CE-GM(config-if)#
*Apr 19 15:41:54.719: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:41:54.723: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 15:41:54.727: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 15:41:54.863: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.16.6
*Apr 19 15:41:54.883: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.16.6
R6-CE-GM(config-if)#end
R6-CE-GM#

R6-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.16.6     GDOI_IDLE         1001 ACTIVE
172.16.16.6     172.16.16.10    GDOI_REKEY        1002 ACTIVE

!! -- Similarly configure Group Member Router R7 -- !!

R7-CE-GM(config-if)#
*Apr 19 15:46:30.231: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.27.7
*Apr 19 15:46:30.247: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*Apr 19 15:46:31.643: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 15:46:31.647: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 15:46:31.651: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 15:46:31.851: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.27.7
*Apr 19 15:46:31.871: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.27.7

R7-CE-GM#
*Apr 19 15:46:33.451: %SYS-5-CONFIG_I: Configured from console by console
R7-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.27.7     GDOI_IDLE         1001 ACTIVE
172.16.27.7     172.16.16.10    GDOI_REKEY        1002 ACTIVE

!! -- Configure Group Member Router R8 -- !!

R8-CE-GM(config-if)#
*Apr 19 16:11:57.187: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.38.8
R8-CE-GM(config-if)#end
R8-CE-GM#
*Apr 19 16:11:57.207: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R8-CE-GM#
*Apr 19 16:11:58.739: %SYS-5-CONFIG_I: Configured from console by console
*Apr 19 16:11:58.795: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 16:11:58.799: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 16:11:58.803: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 16:11:59.131: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.38.8
*Apr 19 16:11:59.151: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.38.8
R8-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.38.8     172.16.16.10    GDOI_REKEY        1002 ACTIVE
172.16.16.10    172.16.38.8     GDOI_IDLE         1001 ACTIVE

!! -- Configure Group Member Router R9 -- !!

R9-CE-GM(config-if)#
*Apr 19 16:13:31.651: %CRYPTO-5-GM_REGSTER: Start registration to KS 172.16.16.10 for group GETVPN-GROUP using address 172.16.49.9
R9-CE-GM(config-if)#
*Apr 19 16:13:31.667: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R9-CE-GM(config-if)#
*Apr 19 16:13:33.055: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GETVPN-GROUP transitioned to Unicast Rekey.
*Apr 19 16:13:33.059: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Apr 19 16:13:33.063: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Apr 19 16:13:33.279: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.16.10 complete for group GETVPN-GROUP using address 172.16.49.9
*Apr 19 16:13:33.295: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 172.16.16.10 for group GETVPN-GROUP & gm identity  172.16.49.9
R9-CE-GM(config-if)#end
R9-CE-GM#
*Apr 19 16:13:35.263: %SYS-5-CONFIG_I: Configured from console by console
R9-CE-GM#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.49.9     172.16.16.10    GDOI_REKEY        1002 ACTIVE
172.16.16.10    172.16.49.9     GDOI_IDLE         1001 ACTIVE

!! -- After all GMs are configured, the Primary KS holds one GDOI -- !!
!! -- ISAKMP SA per GM plus the COOP SA to the Backup KS; the Backup -- !!
!! -- KS has only the COOP SA, since no GM registered with it -- !!

R10-Primary-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.16.10    172.16.27.7     GDOI_IDLE         1003 ACTIVE
172.16.16.10    172.16.49.9     GDOI_IDLE         1005 ACTIVE
172.16.16.10    172.16.16.6     GDOI_IDLE         1002 ACTIVE
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE
172.16.16.10    172.16.38.8     GDOI_IDLE         1004 ACTIVE

R11-Backup-KS#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.27.11    172.16.16.10    GDOI_IDLE         1001 ACTIVE

!! -- Verify GDOI status on Group Member (GM) Routers -- !!

R6-CE-GM#show crypto gdoi 
GROUP INFORMATION

    Group Name               : GETVPN-GROUP
    Group Identity           : 1234
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 1
    IPSec SA Direction       : Both

     Group Server list       : 172.16.16.10
                               172.16.27.11
                               
    Group member             : 172.16.16.6      vrf: None
       Version               : 1.0.4 
       Registration status   : Registered
       Registered with       : 172.16.16.10
       Re-registers in       : 6947 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 172.16.16.10
       Last rekey seq num    : 1
       Unicast rekey received: 1
       Rekey ACKs sent       : 1
       Rekey Rcvd(hh:mm:ss)  : 00:00:31
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP

    Rekeys cumulative
       Total received        : 1
       After latest register : 1
       Rekey Acks sents      : 1

 ACL Downloaded From KS 172.16.16.10:
   access-list   permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 79912
    Encrypt Algorithm        : 3DES
    Key Size                 : 192     
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024    

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0xF22F8F3B(4063203131)
        transform: esp-256-aes esp-sha256-hmac 
        sa timing:remaining key lifetime (sec): (714)
        Anti-Replay(Time Based) : 5 sec interval

    IPsec SA:
        spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac 
        sa timing:remaining key lifetime (sec): (7169)
        Anti-Replay(Time Based) : 5 sec interval

!! -- No traffic has been exchanged between sites yet: the encaps/ -- !!
!! -- decaps and encrypt/decrypt packet counters are all zero. The -- !!
!! -- current_peer 0.0.0.0 is expected for a group SA, which has no -- !!
!! -- individual peer -- !!

R8-CE-GM#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6387)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6387)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
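
The `replay window size: 5` above and the `Anti-Replay(Time Based) : 5 sec interval` the GM reports refer to GETVPN's time-based anti-replay (TBAR). Because every GM encrypts with the same group TEK, a per-sender sequence-number window cannot work, so the KS distributes a shared pseudotime, senders stamp each protected packet with it, and receivers drop anything further than the window from their own pseudotime. The model below is an added example, not code from the page or from Cisco: it does not model the on-wire packet format, and the pseudotime start value 375 is simply the PST seen in the COOP log above. It exercises the two cases a practitioner should know about: a replay inside the window is not caught, and a GM whose clock drifts after registration has its traffic dropped by every peer.

```python
from __future__ import annotations

from dataclasses import dataclass

WINDOW = 5.0   # seconds: the "replay window size: 5" the KS pushed to the GMs


@dataclass
class GroupMember:
    """A GM keeps a pseudotime clock that it aligns with the KS at registration.
    clock_skew models the GM's own wall-clock error; it can change afterwards."""
    name: str
    clock_skew: float = 0.0
    offset: float = 0.0          # pseudotime minus local clock, learned from the KS
    window: float = WINDOW

    def local_clock(self, true_time: float) -> float:
        return true_time + self.clock_skew

    def register(self, true_time: float, ks_pseudotime: float) -> None:
        # Registration: the KS tells the GM the group's current pseudotime.
        self.offset = ks_pseudotime - self.local_clock(true_time)

    def pseudotime(self, true_time: float) -> float:
        return self.local_clock(true_time) + self.offset

    def send(self, true_time: float, payload: bytes) -> tuple[float, bytes]:
        # The sender stamps each protected packet with its pseudotime.
        return (self.pseudotime(true_time), payload)

    def receive(self, true_time: float, packet: tuple[float, bytes]) -> bool:
        # The receiver accepts only stamps within +/- window of its own pseudotime.
        stamp, _payload = packet
        return abs(self.pseudotime(true_time) - stamp) <= self.window


def run_scenarios() -> dict[str, bool]:
    """Exercise the check with the cases that matter operationally."""
    ks_pseudotime_at_t0 = 375.0     # constructed start value, the PST from the log
    a, b, c = GroupMember("R6"), GroupMember("R7"), GroupMember("R8")
    for gm in (a, b, c):
        gm.register(0.0, ks_pseudotime_at_t0)

    pkt = a.send(10.0, b"ICMP echo")   # constructed sample packet
    results = {
        # normal delivery 200 ms later
        "fresh": b.receive(10.2, pkt),
        # attacker replays the captured packet 7 s later: outside the window
        "replay_late": b.receive(17.0, pkt),
        # replay 3 s later: inside the window, TBAR alone does not catch it
        "replay_in_window": b.receive(13.0, pkt),
    }
    # R8's clock jumps 9 s ahead after registration (e.g. bad NTP); its packets
    # are now dropped by every peer until its clock is fixed or it resyncs
    c.clock_skew = 9.0
    results["drifted_sender"] = b.receive(20.0, c.send(20.0, b"ICMP echo"))
    return results


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:18} {'accepted' if accepted else 'dropped'}")
```

The window is therefore a trade-off: 5 s bounds how long a captured packet stays replayable, but it also bounds how far GM clocks may drift from the KS before legitimate traffic is silently dropped, which is why GETVPN deployments need reliable time on every GM and KS.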

!! -- Send traffic between Site-3 and Site-4 LAN -- !!

R8-CE-GM#ping 192.168.9.9 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/202/228 ms
R8-CE-GM#sh cry ipsec sa                

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6373)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6373)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

!! -- Send traffic between Site-1 and Site-3 LAN -- !!

R8-CE-GM#ping 192.168.6.6 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 168/188/224 ms

!! -- Send traffic between Site-2 and Site-3 LAN -- !!

R8-CE-GM#ping 192.168.7.7 so 192.168.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/194/212 ms

!! -- Traffic between the site LANs is now encrypted: the counters -- !!
!! -- rose by five for each ping. The GM downloaded the ACL from the -- !!
!! -- KS, which covers the LAN subnets (192.168.0.0/16) of all sites, -- !!
!! -- so any site-to-site flow matches the single group SA -- !!

R8-CE-GM#sh cry ipsec sa                

interface: FastEthernet0/0
    Crypto map tag: GETVPN-MAP, local addr 172.16.38.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.38.8, remote crypto endpt.: 0.0.0.0
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBB9CF351(3147625297)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6341)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB9CF351(3147625297)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: GETVPN-MAP
        sa timing: remaining key lifetime (sec): (6341)
        Kilobyte Volume Rekey has been disabled
        IV size: 16 bytes
        replay detection support: Y  replay window size: 5
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Reference:

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf