We're slowly getting closer to the true implementation of LISP in Cisco's SD-Access. LISP has the capability of being VRF-aware - this is achieved via multi-instance LISP.
The idea is fairly simple - you run multiple instances of LISP, each mapped to a corresponding VRF, and all your LISP tables (database mappings, map-cache and so on) are then maintained per instance rather than globally.
We will be using the following topology for this:
We have moved R1 and R5 into a VRF called 'TEST'. This is done by assigning the port facing R1 on xTR2 to this VRF:
Similar configuration is done on xTR4 as well. To make LISP VRF-aware, you need to create instances of LISP and map each instance to a particular VRF. All your database mappings for that VRF will now come under this instance-ID.
For this example, we will create an instance-ID of 100 and map the VRF 'TEST' to this instance-ID.
Similar configuration is done on xTR4 as well:
All of these database mappings will now be per instance-ID. They will no longer show up in the global LISP database.
From the MS/MR perspective, we simply map the instance-IDs to the EIDs within the sites:
From this point on, the control-plane and data-plane packet walks are the same - the only difference is that the lookups happen against the specific instance-IDs that are defined. Let's consider both possible scenarios in our above topology.
If the packet comes from R1, it comes in the VRF called TEST. This can be visualized like so:
If the packet comes from R8, it comes in another VRF we created called TEST_2. This can be visualized like so:
How does the LISP process know which instance-ID to consider? This is populated in the LISP packets themselves. For example, consider the following 'Encapsulated Map Request' packet:
The LISP packet format has the provision to carry the instance-ID as an attribute within the source EID (as you can see from the above packet). This determines which instance-ID the lookups are done in.
The same instance-ID is carried in actual data-plane packets as well. Consider the following ICMP packet as an example:
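To make the two encodings described above concrete, here is a small parser, written as an added example for this post (it is not code from the original post or from Cisco), that pulls the instance-ID out of both places it travels: the LCAF-encoded source EID of a Map-Request (LCAF Type 2, per RFC 8060) and the I-bit field of the LISP data-plane header (RFC 6830). It then maps the instance-ID to a VRF the way the xTR does. The instance-ID 100 / VRF 'TEST' pairing is from the post; the instance-ID 200 for 'TEST_2', the nonce, and the EID 10.1.1.1 are constructed sample values. The edge case a defender cares about is handled explicitly: a packet with the I-bit clear carries no instance-ID and is looked up in the global table, not in any VRF.

```python
import ipaddress
import struct

# Flag bits of the first byte of the 8-byte LISP data-plane header (RFC 6830 s.5.3).
FLAG_N = 0x80  # Nonce present
FLAG_L = 0x40  # Locator-Status-Bits present
FLAG_I = 0x08  # Instance ID present: high 24 bits of the last word carry the IID

LCAF_AFI = 16387            # AFI value announcing an LCAF-encoded address (RFC 8060)
LCAF_TYPE_INSTANCE_ID = 2   # LCAF type that prefixes an address with an Instance ID

# Instance-ID to VRF table as the xTR would hold it.  100 -> TEST is from the post;
# 200 -> TEST_2 is an assumed value (the post does not give TEST_2's instance-ID).
INSTANCE_TO_VRF = {100: "TEST", 200: "TEST_2"}


def parse_data_header(buf: bytes) -> dict:
    """Decode the LISP data-plane header; instance_id is None when the I-bit is clear."""
    if len(buf) < 8:
        raise ValueError("LISP data header needs 8 bytes")
    flags = buf[0]
    info = {"instance_id": None, "nonce": None, "lsb": None}
    if flags & FLAG_N:
        info["nonce"] = int.from_bytes(buf[1:4], "big")
    if flags & FLAG_I:
        # With I=1 the 32-bit LSB word shrinks: 24 bits of IID, 8 bits of LSBs.
        info["instance_id"] = int.from_bytes(buf[4:7], "big")
        if flags & FLAG_L:
            info["lsb"] = buf[7]
    elif flags & FLAG_L:
        info["lsb"] = int.from_bytes(buf[4:8], "big")
    return info


def parse_lcaf_instance_eid(buf: bytes) -> tuple:
    """Decode an EID encoded as LCAF Type 2; returns (instance_id, address as str)."""
    afi = struct.unpack("!H", buf[:2])[0]
    if afi != LCAF_AFI:
        raise ValueError("source EID is not LCAF-encoded; no instance-ID present")
    _rsvd1, _flags, lcaf_type, _iid_mask_len, _length = struct.unpack("!BBBBH", buf[2:8])
    if lcaf_type != LCAF_TYPE_INSTANCE_ID:
        raise ValueError(f"unexpected LCAF type {lcaf_type}")
    iid = struct.unpack("!I", buf[8:12])[0] & 0xFFFFFF  # only the low 24 bits are used
    inner_afi = struct.unpack("!H", buf[12:14])[0]
    addr_len = {1: 4, 2: 16}[inner_afi]                 # AFI 1 = IPv4, AFI 2 = IPv6
    addr = ipaddress.ip_address(buf[14:14 + addr_len])
    return iid, str(addr)


def lookup_table(instance_id, table=INSTANCE_TO_VRF) -> str:
    """Pick the table the lookup is done in: a VRF for a known IID, 'global' when none."""
    if instance_id is None:
        return "global"
    return table.get(instance_id, "unknown-instance")


# Constructed sample: data-plane header with N and I set, nonce 0xABCDEF, IID 100.
SAMPLE_DATA_HEADER = (bytes([FLAG_N | FLAG_I]) + (0xABCDEF).to_bytes(3, "big")
                      + (100).to_bytes(3, "big") + b"\x00")
# Constructed sample: same header with the I-bit clear (a non-instanced packet).
SAMPLE_GLOBAL_HEADER = bytes([FLAG_N]) + (0xABCDEF).to_bytes(3, "big") + b"\x00" * 4
# Constructed sample: LCAF Type 2 source EID carrying IID 100 in front of IPv4 10.1.1.1.
SAMPLE_LCAF_EID = (struct.pack("!HBBBBH", LCAF_AFI, 0, 0, LCAF_TYPE_INSTANCE_ID, 0, 4 + 2 + 4)
                   + struct.pack("!I", 100) + struct.pack("!H", 1) + bytes([10, 1, 1, 1]))

if __name__ == "__main__":
    hdr = parse_data_header(SAMPLE_DATA_HEADER)
    print("data-plane IID:", hdr["instance_id"], "->", lookup_table(hdr["instance_id"]))
    print("non-instanced packet ->", lookup_table(parse_data_header(SAMPLE_GLOBAL_HEADER)["instance_id"]))
    print("Map-Request source EID:", parse_lcaf_instance_eid(SAMPLE_LCAF_EID))
```

A useful detection angle falls out of the lookup: an encapsulated packet whose instance-ID is not in the xTR's table, or one that arrives with the I-bit clear on a fabric where every VRF is instanced, is exactly the kind of packet to alert on, since it would be dropped or land in the global table rather than in the VN it claims.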
This is the truest form of LISP implementation in SDA, and this is exactly how SDA achieves macro segmentation. The terminology is 'Virtual Network' or VN in the SDA world; however, this is nothing but VRFs.