Looking at the possibility of deploying LISP VM Mobility between geographically disparate data centers with extended subnet mode via OTV. I've looked over the Cisco guide and it states that the ETR function needs to be L2 adjacent to the mobile nodes to detect the VM migration between sites.
Unfortunately, we need firewalling, and traditionally we would have the firewall separating the Core and WAN modules of the network design. Placing the xTRs at the distribution layer would tunnel through the firewalls. Has anyone dealt with something to this effect? Unless someone knows of a firewall that is LISP aware and can inspect the inner headers and payload, I am thinking the only way to get proper security would be to put the firewalls in transparent mode between the mobile nodes and the default gateway (ITR). An alternative would be to use host-based or hypervisor-based security, or the ASA 1000v, which in our case seems unlikely due to needing a mix of virtual and physical hosts with a large mix of OSes.
I am hoping that the mobility event generated by the detection of the VM migration can be separated from the xTR function. This way we could place the xTR function in the WAN block on the ASRs and have the dynamic EIDs defined on the 7K. When the 7K detects the migration, it can either register the EID with the MS on behalf of the ITRs or notify the ITR to do the same. This way the xTR encap/decap can happen outside the firewall while the mobility detection occurs inside the firewall, and these functions can be L3 separated. Is this currently possible and just not mentioned in the guide?
Would love to get some feedback.