
SD-Access Transit

Route-Maps Deep Dive


SD-Access Transit
Route-Maps

[Figure: reference topology used throughout. Fabric Site 1 (Internal Border IB, External Border EB, Control Plane node CP, Fabric Edges FE, Host 1) and Fabric Site 2 (EB, CP, FE, Host 2) are joined by an SD-Access Transit with Transit Control Plane nodes (TC); shared services (DHCP, DNS, AD at 198.51.100.30/24) sit in the Data Center, which also provides Internet access.]
TECCRS-3810 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 419
SD-Access Transit
Route-Maps

1. permit-all-eids (Applied to LISP Map-Cache – Border Nodes)
   ▪ Matches and PERMITS IP Community values 655370 and 655371
   ▪ Denies the default route
   ▪ Permits everything else
   ▪ Configured on Border Nodes

2. deny-all-eids (Applied against LISP Database import – Internal Border)
   ▪ Matches and DENIES IP Community values 655370 and 655371
   ▪ Denies the L3 IP Handoff Prefixes
   ▪ Denies the default route
   ▪ Permits everything else
   ▪ Configured on Internal-Only Border Nodes

3. tag_local_eids (Applied to IBGP Neighbors – Borders and Site-Local Control Plane Nodes)
   ▪ Applies IP Community value 655370
   ▪ Configured on Border Nodes and Site-Local Control Plane Nodes

4. site-local-eids (Applied against LISP Database import – External Border)
   ▪ Matches and DENIES IP Community value 655371
   ▪ Denies the default route
   ▪ Permits everything else
   ▪ Configured on Border Nodes connected to SDA Transit

5. tag_transit_eids (Applied to EBGP Neighbors – Transit Control Plane Node)
   ▪ Applies IP Community value 655371
   ▪ Configured on Transit Control Plane Nodes

6. deny_all (Applied to EBGP Neighbors – Transit Control Plane Node)
   ▪ Denies everything
   ▪ Configured on Transit Control Plane Nodes
SD-Access Transit
Route-Map 1: permit-all-eids (Applied to Map-Cache on Border Nodes)

Route-Map:

route-map permit-all-eids permit 15
 match community 1
route-map permit-all-eids permit 20
 match community 2
route-map permit-all-eids deny 25
 match ip address prefix-list deny_0.0.0.0
route-map permit-all-eids permit 30
!
ip prefix-list deny_0.0.0.0 seq 10 permit 0.0.0.0/0
!
ip community-list 1 permit 655370
ip community-list 2 permit 655371

Route-Map in Configuration Context:

router lisp
 !
 instance-id 4097
  service ipv4
   route-import map-cache bgp 65001 route-map permit-all-eids
  !
 instance-id 4099
  service ipv4
   route-import map-cache bgp 65001 route-map permit-all-eids
  !
 instance-id 4100
  service ipv4
   route-import map-cache bgp 65001 route-map permit-all-eids
SD-Access Transit
Route-Map 2: deny-all-eids (Applied Against LISP Database Import – Internal Borders)

Route-Map:

route-map deny-all-eids deny 10
 match ip address prefix-list l3handoff-prefixes
route-map deny-all-eids deny 15
 match community 1
route-map deny-all-eids deny 20
 match community 2
route-map deny-all-eids deny 25
 match ip address prefix-list deny_0.0.0.0
route-map deny-all-eids permit 30
!
ip prefix-list deny_0.0.0.0 seq 10 permit 0.0.0.0/0
ip prefix-list l3handoff-prefixes seq 405672636 permit 172.16.111.8/30
ip prefix-list l3handoff-prefixes seq 405820604 permit 172.16.111.4/30
ip prefix-list l3handoff-prefixes seq 405968572 permit 172.16.111.0/30
!
ip community-list 1 permit 655370
ip community-list 2 permit 655371

Route-Map in Configuration Context:

router lisp
 !
 instance-id 4097
  service ipv4
   route-import map-cache bgp 65001 route-map permit-all-eids
  !
 instance-id 4099
  service ipv4
   route-import database bgp 65001 route-map deny-all-eids locator-set rloc_e1c094bd
  !
 instance-id 4100
  service ipv4
   route-import database bgp 65001 route-map deny-all-eids locator-set rloc_e1c094bd
SD-Access Transit
Route-Map 3: tag_local_eids (Applied to IBGP Neighbors – Borders and Site-Local Control Plane Nodes)

Route-Map:

route-map tag_local_eids permit 5
 set community 655370

Route-Map in Configuration Context:

router bgp 65001
 !
 address-family vpnv4
  neighbor 192.168.10.1 activate
  neighbor 192.168.10.1 send-community both
  neighbor 192.168.10.1 route-map tag_local_eids out
 exit-address-family
SD-Access Transit
Route-Map 4: site-local-eids (Applied against LISP Database Import – External Border)

Route-Map:

route-map site-local-eids deny 15
 match community 2
route-map site-local-eids deny 25
 match ip address prefix-list deny_0.0.0.0
route-map site-local-eids permit 30
!
ip prefix-list deny_0.0.0.0 seq 10 permit 0.0.0.0/0
!
ip community-list 2 permit 655371

Route-Map in Configuration Context:

router lisp
 !
 instance-id 4099
  service ipv4
   eid-table vrf CAMPUS
   database-mapping 172.16.112.0/24 locator-set rloc_7def5ec9 proxy
   route-import database bgp 65001 route-map site-local-eids locator-set rloc_7def5ec9 proxy
   route-import prefix-list Global/SJC/Site-01_San_Jose_list1 bgp 65001 route-map site-local-eids
  !
 instance-id 4100
  remote-rloc-probe on-route-change
  service ipv4
   database-mapping 172.16.113.0/24 locator-set rloc_7def5ec9 proxy
   route-import database bgp 65001 route-map site-local-eids locator-set rloc_7def5ec9 proxy
   route-import prefix-list Global/SJC/Site-01_San_Jose_list1 bgp 65001 route-map site-local-eids
SD-Access Transit
Route-Map 5: tag_transit_eids (Applied to EBGP Neighbors – Transit Control Plane Nodes)

Route-Map:

route-map tag_transit_eids permit 5
 set community 655371

Route-Map in Configuration Context:

router bgp 65540
 !
 address-family ipv4
  redistribute lisp metric 10
  neighbor 192.168.10.7 activate
  neighbor 192.168.10.7 send-community both
  neighbor 192.168.10.7 route-map deny-all in
 address-family vpnv4
  neighbor 192.168.10.7 activate
  neighbor 192.168.10.7 send-community both
  neighbor 192.168.10.7 route-map deny-all in
  neighbor 192.168.10.7 route-map tag_transit_eids out
SD-Access Transit
Route-Map 6: deny-all (Applied to EBGP Neighbors – Transit Control Plane Nodes)

Route-Map:

route-map deny-all deny 5

Route-Map in Configuration Context:

router bgp 65540
 !
 address-family ipv4
  redistribute lisp metric 10
  neighbor 192.168.10.7 activate
  neighbor 192.168.10.7 send-community both
  neighbor 192.168.10.7 route-map deny-all in
 address-family vpnv4
  neighbor 192.168.10.7 activate
  neighbor 192.168.10.7 send-community both
  neighbor 192.168.10.7 route-map deny-all in
  neighbor 192.168.10.7 route-map tag_transit_eids out
SD-Access Transit
Route-Maps

[Figure: the reference topology annotated with where each route-map is applied: deny_all and tag_transit_eids at the Transit Control Plane nodes; tag_local_eids at the Site-Local Control Plane nodes; deny-all-eids, permit-all-eids and tag_local_eids at the Internal Border of Fabric Site 1; permit-all-eids, site-local-eids and tag_local_eids at the External Borders of both sites.]

1. permit-all-eids (Configured on Border Nodes and Applied to LISP Map-Cache)
2. deny-all-eids (Configured on Internal-Only Border Nodes and Applied to LISP Database import)
3. tag_local_eids (Configured on Border Nodes and Site-Local Control Plane Nodes)
4. site-local-eids (Configured on Border Nodes connected to SDA Transit)
5. tag_transit_eids (Configured on Transit Control Plane Nodes)
6. deny_all (Configured on Transit Control Plane Nodes)
SD-Access Transit
Route-Maps

[Figure: the reference topology annotated with the clauses of each route-map at the node where it is applied.
Transit Control Plane nodes: tag_transit_eids (Apply 655371); deny_all (Deny Everything).
Site-Local Control Plane nodes: tag_local_eids (Apply 655370).
Internal Border: deny-all-eids (Deny L3 Handoff Prefixes, Deny 655370, Deny 655371, Deny Default Route, Permit Everything Else); permit-all-eids (Permit 655370, Permit 655371, Deny Default Route, Permit Everything Else); tag_local_eids (Apply 655370).
External Borders: permit-all-eids (Permit 655370, Permit 655371, Deny Default Route, Permit Everything Else); site-local-eids (Deny 655371, Deny Default Route, Permit Everything Else); tag_local_eids (Apply 655370).]
SD-Access Transit – Route Maps
Internal Borders

[Figure: reference topology, with the annotations below placed at the Internal Border of Fabric Site 1.]

deny-all-eids
Deny L3 Handoff Prefixes
Deny 655370
Deny 655371
Deny Default Route
Permit Everything Else
Result: Only prefixes learned from the External Peer are imported into the LISP Database.

tag_local_eids
Apply 655370
Result: Prefixes learned from the External Peer are advertised to the Site-Local Control Plane Node with Community Value 655370.

permit-all-eids
Permit 655370
Permit 655371
Deny Default Route
Permit Everything Else
Result: Prefixes learned and reflected by the Site-Local Control Plane Node are imported into the map-cache.
SD-Access Transit – Route Maps
Site-Local Control Plane Nodes

[Figure: reference topology, with the annotations below placed at the Site-Local Control Plane node of Fabric Site 1.]

• Prefixes are registered by Internal Border, External Border, and Edge Nodes (Site registrations)
• Site registrations are exported to the RIB with an Administrative Distance of 250
• Prefixes learned via the External Border are route-reflected to the Internal Border
  • (Tagged with IP Community 655370 by tag_local_eids on the External Border)
• Prefixes learned via the Internal Border are route-reflected to the External Border
  • (Tagged with IP Community 655370 by tag_local_eids on the Internal Border)
• Prefixes cannot be modified when traversing a BGP route reflector

tag_local_eids
Apply 655370
Result: Tag site registrations learned from Edge Nodes and advertise them to Border Nodes. Site registrations from Internal Border and External Border Nodes are route-reflected and already tagged.
SD-Access Transit – Route Maps
External Borders

[Figure: reference topology, with the annotations below placed at the External Border of Fabric Site 1.]

permit-all-eids
Permit 655370
Permit 655371
Deny Default Route
Permit Everything Else
Result: Prefixes learned and reflected by the Site-Local Control Plane Node are imported into the map-cache.

tag_local_eids
Apply 655370
Result: Prefixes learned from the External Peer (if any) are advertised to the Site-Local Control Plane Node with Community Value 655370.

site-local-eids
Deny 655371
Deny Default Route
Permit Everything Else
Result #1: Only prefixes with IP Community Value 655370 are imported into the LISP Database. These are proxy-registered to the Transit Control Plane Nodes.
Result #2: The Site-Local Control Plane Node is used for map-requests for prefixes with IP Community Value 655370. The Transit Control Plane Node is used for map-requests for all other prefixes, which include those with IP Community Value 655371 (other Fabric Sites) and those without (Internet).
SD-Access Transit – Route Maps
Transit Control Plane Nodes

[Figure: reference topology, with the annotations below placed at the Transit Control Plane nodes.]

• Aggregate prefixes are registered by the Site Borders that are connected to the SDA Transit (Site registrations)
• Site registrations are exported to the RIB with an Administrative Distance (AD) of 250

tag_transit_eids
Apply 655371
Result #1: Prefixes proxy-registered via LISP to the Transit Control Plane Nodes are advertised to all Site Borders that are connected to the SDA Transit and tagged with IP Community 655371. This gives Border Nodes a way to determine which prefixes are associated with their local site.
Result #2: Loop prevention mechanism. All site registrations that the Transit Control Plane Nodes learn are advertised to all Border Nodes connected to the SDA Transit, so Border Nodes receive their own prefixes back from the Transit Control Plane Nodes. However, site-local-eids on the Border Nodes prevents the prefixes advertised by the Transit Control Plane Nodes (which are tagged with 655371) from being imported into the LISP database and re-registered, which would otherwise create an infinite mutual redistribution loop.

deny_all
Deny Everything
Result: Applied inbound to all IPv4 and VPNv4 neighbors, this route-map ensures prefixes are learned only via LISP registration and subsequent export to the RIB. If prefixes were learned via BGP, their default AD of 20 would be preferred over the LISP AD of 240.
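The import decisions on each node type, and the loop-prevention walk-through above, can be checked offline with the following Python model. It is an added example, not code from the Cisco deck or from any Cisco product: it re-implements IOS route-map evaluation (first matching sequence wins, a sequence without match clauses matches everything, falling off the end is an implicit deny) and transcribes the six route-maps, the two community-lists and the two prefix-lists from the configuration slides. Assumptions: community values are modelled as plain integers, prefix-list entries match the exact prefix only (the slides use no ge/le), and the trace in trace_site_prefix is a constructed walk-through of the slides' logic rather than captured device output.

```python
"""Model of the six SD-Access Transit route-maps with IOS first-match semantics.
Added example (not from the Cisco deck); community values are plain integers and
prefix-list entries match the exact prefix only, which is all the slides use."""
import ipaddress
from dataclasses import dataclass

# Community lists from the slides: 1 = site-local tag, 2 = transit tag.
COMMUNITY_LISTS = {1: {655370}, 2: {655371}}

# Prefix lists from the slides (sequence numbers dropped). The /30s are the
# L3 handoff links that deny-all-eids keeps out of the LISP database.
PREFIX_LISTS = {
    "deny_0.0.0.0": ["0.0.0.0/0"],
    "l3handoff-prefixes": ["172.16.111.8/30", "172.16.111.4/30", "172.16.111.0/30"],
}


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset = frozenset()


def match_community(clist):
    # `match community N`: any community of the route is in community-list N.
    return lambda r: bool(r.communities & COMMUNITY_LISTS[clist])


def match_prefix_list(name):
    # `match ip address prefix-list NAME`: exact prefix/length match (no ge/le).
    nets = {ipaddress.ip_network(p) for p in PREFIX_LISTS[name]}
    return lambda r: ipaddress.ip_network(r.prefix) in nets


# Each route-map is an ordered list of (action, match clauses, communities to set),
# transcribed from the configuration slides.
ROUTE_MAPS = {
    "permit-all-eids": [
        ("permit", [match_community(1)], ()),
        ("permit", [match_community(2)], ()),
        ("deny", [match_prefix_list("deny_0.0.0.0")], ()),
        ("permit", [], ()),
    ],
    "deny-all-eids": [
        ("deny", [match_prefix_list("l3handoff-prefixes")], ()),
        ("deny", [match_community(1)], ()),
        ("deny", [match_community(2)], ()),
        ("deny", [match_prefix_list("deny_0.0.0.0")], ()),
        ("permit", [], ()),
    ],
    "tag_local_eids": [("permit", [], (655370,))],
    "site-local-eids": [
        ("deny", [match_community(2)], ()),
        ("deny", [match_prefix_list("deny_0.0.0.0")], ()),
        ("permit", [], ()),
    ],
    "tag_transit_eids": [("permit", [], (655371,))],
    "deny-all": [("deny", [], ())],
}


def apply_route_map(name, route):
    """First sequence whose clauses all match decides; no clauses matches all;
    running off the end is an implicit deny. Returns (permitted, route after set)."""
    for action, clauses, set_comms in ROUTE_MAPS[name]:
        if all(clause(route) for clause in clauses):
            if action == "permit":
                return True, Route(route.prefix, route.communities | frozenset(set_comms))
            return False, route
    return False, route


def internal_border_database_import(route):
    """route-import database ... route-map deny-all-eids (internal-only border)."""
    return apply_route_map("deny-all-eids", route)[0]


def external_border_database_import(route):
    """route-import database ... route-map site-local-eids (transit-connected border)."""
    return apply_route_map("site-local-eids", route)[0]


def trace_site_prefix(prefix):
    """Constructed walk of one site prefix along the path the deck describes;
    returns a list of (route-map, permitted, communities) decisions."""
    trail = []
    # 1. The site-local CP advertises the registration over iBGP, tagging 655370.
    _, r = apply_route_map("tag_local_eids", Route(prefix))
    trail.append(("tag_local_eids", True, sorted(r.communities)))
    # 2. Borders import it into the map-cache (community-list 1 matches).
    trail.append(("permit-all-eids", apply_route_map("permit-all-eids", r)[0], sorted(r.communities)))
    # 3. The external border also imports it into the LISP database and proxy-registers it.
    trail.append(("site-local-eids", apply_route_map("site-local-eids", r)[0], sorted(r.communities)))
    # 4. The transit CP redistributes the LISP registration into BGP, tagging 655371;
    #    deny-all inbound means no BGP-learned copy (and no 655370) ever reached it.
    _, r = apply_route_map("tag_transit_eids", Route(prefix))
    trail.append(("tag_transit_eids", True, sorted(r.communities)))
    # 5. Back on the border, site-local-eids denies community-list 2: no re-registration.
    trail.append(("site-local-eids", apply_route_map("site-local-eids", r)[0], sorted(r.communities)))
    return trail


if __name__ == "__main__":
    for step in trace_site_prefix("172.16.112.0/24"):
        print(step)
```

Running the module prints the five decisions for the constructed site prefix 172.16.112.0/24; the last line shows site-local-eids rejecting the copy that came back from the transit control plane with community 655371, which is the loop-prevention point of the slide. The model also makes the ordering of permit-all-eids visible: a default route carrying 655370 would be permitted by sequence 15 before sequence 25 ever sees it, so clause order, not just clause content, decides what a route-map does.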
