Brkarc-2023 (2018)

This document discusses building hybrid clouds in AWS using the Cisco CSR 1000v router. It provides an overview of the CSR 1000v and its support in AWS, describes different cloud network architectures, and covers advanced features, automation, and deployment in other clouds like Azure.


#CLUS

Building Hybrid
Clouds in Amazon
Web Services with
the CSR 1000v
Chris Hocker, Customer Solutions Architect
Steven Carter, Principal Solutions Architect, Redhat
BRKARC-2023

#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKARC-2023

#CLUS BRKARC-2023 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• CSR 1000v and AWS Overview
• Cloud Network Architectures
• Advanced Features
• CSR 1000v in Azure
• Automation
• Summary

CSR 1000v and AWS Overview
Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a Virtual Network Function Form-Factor

Software
• Familiar IOS XE software

Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS (ISRv) and CSP2100
• Supported Cloud Platforms: Amazon AWS, Microsoft Azure

Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1vCPU to 8vCPU

License Options
• Term based 1 year, 3 year or 5 year
• PAK and Smart License enabled

Enterprise-class Networking with Rapid Programmability

Deployment and Flexibility
• NetConf/Yang, RESTConf, GuestShell and SSH/Telnet

Diagram: the CSR 1000V (RP and DP) runs as a VM with its own OS beside other App VMs, on top of a virtual switch, hypervisor and x86 server.
Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!

1. Search for “Cisco”

2. Pick a flavor

What are the different CSR 1000V types listed?
1. Cloud Services Router 1000V BYOL
• Can be any tech package and throughput level depending on license purchased from Cisco and installed on CSR (not all throughputs supported)

2. Cloud Services Router 1000V Security Tech Package
• Includes features from the Security technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)

3. Cloud Services Router 1000V AX Tech Package
• Includes features from the AX technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)

Note on “Maximum Performance”
• CSR1K image for HVM instance types
Other CSR 1000V License Options
Cisco Smart Licensing
• Bring Your Own License model purchase. TAC services available for purchase from partners
• Pooled licensing for term and perpetual licenses shown on previous slide
• CSR 1000V calls home to Cisco - authorizes itself against the purchased license pool
• License not locked to a single CSR1000v instance
• Supports license transferability

Public Cloud Utility-Billing (Eg. Amazon)
• No up-front purchase required (Hourly)
• 59% savings compared to hourly with annual up-front
• Provision from Cloud Provider Marketplace/Catalog (Eg. Amazon AWS Marketplace)
• Cloud Provider bills monthly based on hourly usage and number of product instances, or annually
• Bring Your Own License (BYOL) also supported if hourly or annual billing is not desired – You can purchase term licenses for this scenario

Memory Upgrade Licenses
• Specific licenses available to upgrade CSR1000v RAM allocation
• By default CSR1000v is allocated 4GB RAM, increase RAM by steps of 4GB up to 16GB RAM
CSR 1000v Licensing Structure Example:
Pick one option from each column…

Technology Package   Throughput   License Type
IPBase               10 Mbps      Term Based License (1-year, 3-year or 5-year)
SEC                  50 Mbps      Hourly or Annual (Available on AWS)
AppX                 100 Mbps
AX                   250 Mbps
                     500 Mbps
                     1 Gbps
                     2.5 Gbps
                     5 Gbps
                     10 Gbps

Example: IPBase technology package, 250 Mbps throughput, 1-Year term (see next slide for details)

Note: CSR add-on license options not shown above
CSR 1000v Technology Package Features
Technology Package       IOS-XE Features

IPBase                   • Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS, BFD
(formerly Standard)      • Multicast: IGMP, PIM
                         • High Availability: HSRP, VRRP, GLBP
                         • Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
                         • Basic Security: ACL, AAA, RADIUS, TACACS+
                         • Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF

SEC                      IPBase Plus…
(formerly Advanced)      • Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN
                         • High Availability: Box-to-box HA for FW and NAT

AppX                     IPBase Plus…
                         • Advanced Networking: L2TPv3, MPLS, VRF, VXLAN
                         • Application Experience: WCCPv2, AppNAV, NBAR2, AVC, IP SLA
                         • Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS

AX                       ALL FEATURES
(formerly Premium)

Features in red will not work in AWS/Azure – a limitation of public cloud infrastructure (lack of L2 support; multicast not supported)
Reference
CSR 1000V License Throughput Enforcement
• Rate shaper is implemented in the ESP data path at the root of the QoS hierarchy
• All egress traffic is subjected to the shaper
• The rate is derived from license
• Throughput limit is global, not per-interface
• Shaper does not distinguish between different types of traffic
• To ensure high-priority traffic is not dropped by the license shaper, configure QoS
  • E.g. LLQ on interfaces (leveraging priority propagation of the QoS Scheduler)
• Note that Control Plane Policing can be applied to also mark control plane packets!

Diagram: ESP with a 50 Mbps license shaper and interfaces G1 to G4. Flows G1->G3: 15, G2->G4: 20, G3->G2: 10, G4->G3: 15, total 60 Mbps; the shaper drops 10 Mbps (60-50).
Cisco CSR 1000V Performance on AWS
IOS-XE 16.8.1 release, large packet, with Intel Meltdown and Spectre fix.
SR-IOV (Enhanced Networking)

Size         CEF (Mbps)   IPSEC (Mbps)
T2.medium    440          220
M3.Medium    300          250
C4.large     650          640
C4.xlarge    860          860
C3.2xlarge   1330         1000
C4.2xlarge   2300         2300
C4.4xlarge   4600         4200
C4.8xlarge   6200         4500
Reference
CSR Scale (across all public and private clouds)
IOS-XE 16.8.1

Feature               Scale
IPSEC tunnels         1000
VRF                   4000
NAT                   512,000
BGP routes            400,000
BFD                   500
IPSLA                 10,000
ACE (ACL Entries)     65,000
VPC 101
VPC
• Logically isolated network with its own IP range, routes, security, etc.
• IP ranges (RFC1918) can be overlapping
• Subnets created inside VPC
• Internet gateway (IGW) connects outside and between VPCs
• Public IP or NAT for egress
• Security:
  • Network ACLs for subnets
  • Security Groups for instances
• VPC route tables direct traffic within the VPC
• VPC “router” is really an encap/decap device b/w hypervisors

Diagram: VPC 10.99.0.0/16 with Subnet A 10.99.1.0/24 and Subnet B 10.99.2.0/24 behind an IGW.

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/
Region and Availability Zone Concepts
• VMs (Virtual Machines) are hosted in multiple data centers across the world. A region is a separate geographic area
• VM instances have to be launched into a specific region. Locating instances close to end users can reduce latency
• A region consists of multiple AZs (Availability Zones). Each AZ is isolated, but AZs in a region are connected through low latency and high bandwidth links.
VGW (Virtual Private Gateway)

• VGW is an easy to use VPN service provided by AWS.
• It supports IPSEC VPN with pre-shared key (no certificate based).
• It supports static route and BGP routing (no route-map and fixed BGP AS number)
• VGW uses two end-points for high availability
• CGW (Customer Gateway) is needed to establish an IPSEC VPN.
• IPSEC can’t be established between two VGWs
VPC Peering
• High Bandwidth VPC to VPC Interconnection
• Share Private IP CIDR routes between the VPCs
• Inter-Region Peering is new
• Point to Point
• No Transit Peering

Diagram: VPC Dev and VPC QA in us-west joined by a peering.
CSR Advantages over…
Virtual Private Gateway:
• Scalability
• Performance
• Continuity of Operations
• Richer routing features
• Active/Active Tunnels
• Spoke-to-spoke routing
• Security/Application Visibility

VPC Peering:
• Scalability
• Performance
• Overlapping CIDR blocks
• Transitive peering relationships
• Multiple peerings per VPC
• Spoke-to-spoke routing
• Security/Application Visibility
CSR Deployment Models
Application VPC Gateway
• CSR deployed in application VPC
• Provide IPSEC gateway for entire VPC
• Need high availability

Transit Hub Router
• CSR deployed in dedicated Transit Hub, not in application VPC
• High speed traffic routing for spoke VPC
• High availability is built-in natively

Diagram: an Application VPC with a CSR in AZ1 and AZ2, beside a Transit Hub VPC serving a spoke VPC.
Application VPC Design Models with CSRs
One Armed Mode
• Single interface on CSR
• VPC Route Table modified to add CSR as gateway
• CSR default gateway points to VPC router

Diagram: CSR with a single interface G1 in the Public Subnet behind the IGW and VPC Router; the Private Subnet reaches it through the VPC route table.
Application VPC Design Models with CSRs
Two Armed Mode

Local Interface in each subnet
• One CSR interface in each subnet
• Private Subnet VPC Route Table points to the local CSR interface
• Can be extended to more than 2 interfaces

Diagram: CSR with G1 in the Public Subnet and G2 in the Private Subnet, behind the IGW.

Network Subnet
• Both CSR interfaces in the same subnet
• Use VRFs to separate interfaces for terminating tunnels, local traffic, and management
• Private Subnet VPC Route Table modified to add CSR as gateway

Diagram: CSR with G1 and G2 both in a Network Subnet next to the Private Subnet, behind the IGW and VPC Router.
Application VPC Design Models with CSRs
Multiple Availability Zone Design Model
• Two CSRs in different availability zones
• Private Subnet VPC Route Table modified to point to one of CSRs as a gateway
• CSR Cloud HA feature used for failover
• Can be run in single armed or two armed mode

Diagram: one CSR (G1) in the Public Subnet of AZ1 and another in AZ2, each AZ with a Public and a Private Subnet, sharing the IGW and VPC Router.
No Link Local Broadcast in the VPC
• No Link local multicast or broadcast
• Affected services include:
  • IGPs
  • HSRP/VRRP
  • BFD
  • Proxy ARP, Gratuitous ARP
• GRE as work-around for some services

Diagram: NAT maps 54.x.x.x to 10.1.1.10; instances 10.1.1.10, 10.1.1.11 and 10.1.1.12 share the subnet.
NAT in a VPC
• Will break services that do not work over NAT, such as GET-VPN
• Tunnel source will be a private address
• Tunnel destination from the perspective of VPN peers will be a public address
• Assign EC2 elastic IP address so that address does not change if the CSR1K is shutdown
• Other VPCs see Elastic IP address unless using VPC peering

Diagram: NAT maps 54.x.x.x to 10.1.1.10; instances 10.1.1.10, 10.1.1.11 and 10.1.1.12 share the subnet.
CSR and VPN Tunnels
• Need to open security groups for IKE (UDP/500) and ESP (either IP/50 or UDP/4500)
• Disable Src/Dst Check on interfaces with local VPC traffic
• Use interface name as tunnel source (e.g. Gig1)
• Use VPC route table to direct traffic for VPN destinations to the CSR
• Traffic leaving a VPC has 1500B limitation
  • Adjust Tunnel ‘ip mtu’ and ‘ip tcp adjust-mss’
• Cisco VPN designs recommend front-door VRF

Diagram: Virtual Private Cloud with the CSR terminating the VPN tunnels.
Reference
MTU Considerations
• Jumbo frames (up to 9000 bytes) are allowed within single VPC.
• Traffic going out of a VPC or VPC peering connection has MAX 1500 MTU.
• CSR supports jumbo frames by putting “mtu <1500-9216>” under interface configuration. However, when CSR sends traffic out of a VPC, packets will be fragmented if it’s over 1500 bytes.
• Supported instance types:
  • General purpose: M3, M4, M5, T2
  • Compute optimized: C3, C4, C5, C5 with instance storage, CC2
  • Accelerated computing: F1, G2, G3, P2, P3
  • Memory optimized: CR1, R3, R4, X1
  • Storage optimized: D2, H1, HS1, I2, I3

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#jumbo_frame_instances
CSR Management Access
• No console in AWS
• Management and remote access of the CSR will
happen over SSH via a private or public IP
address
• Need to open SSH (TCP/22) ingress in the
security group
• Consider using dedicated management interface
• Configuring VRF causes loss of connectivity
• EEM script used to work around.

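The two slides above list the only ingress a CSR needs from outside its VPC: IKE UDP/500, ESP (IP protocol 50) or NAT-T UDP/4500 from the VPN peers, and SSH TCP/22 for management. As an added example (not from the deck), this Python check audits a security group's ingress rules, in the IpPermissions shape the EC2 DescribeSecurityGroups API returns, against those expectations; the peer, management and VPC ranges are constructed sample values.

```python
import ipaddress
from typing import Iterable

# Ingress the slides say a CSR needs: IKE UDP/500 and ESP (IP protocol 50) or
# NAT-T UDP/4500 for the tunnels, plus SSH TCP/22 for management.
IKE = ("udp", 500, 500)
NAT_T = ("udp", 4500, 4500)
ESP = ("50", None, None)      # IP protocol 50 carries no port numbers
SSH = ("tcp", 22, 22)
ANY = ("-1", None, None)      # EC2 notation for "all traffic"


def _key(perm: dict) -> tuple:
    """Normalise one IpPermissions entry to (protocol, from_port, to_port)."""
    return (str(perm["IpProtocol"]), perm.get("FromPort"), perm.get("ToPort"))


def _within(cidr: str, allowed: Iterable[str]) -> bool:
    """True if cidr lies inside at least one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return any(net.subnet_of(a) for a in nets if a.version == net.version)


def audit_csr_ingress(ip_permissions: list, vpn_peers: list, mgmt_cidrs: list,
                      vpc_cidrs: list) -> dict:
    """Audit one security group's ingress (DescribeSecurityGroups IpPermissions).

    Returns {"missing": [...], "findings": [...]}: required CSR ingress that is
    absent (tunnels or SSH would fail), and rules that are open wider than the
    VPN peers, the management ranges, or the VPC itself (forwarded traffic).
    """
    present = {_key(p) for p in ip_permissions}
    missing = []
    if IKE not in present:
        missing.append("IKE udp/500")
    if ESP not in present and NAT_T not in present:
        missing.append("ESP ip/50 or NAT-T udp/4500")
    if SSH not in present:
        missing.append("SSH tcp/22")

    findings = []
    for perm in ip_permissions:
        key = _key(perm)
        if key == ANY:
            label = "all traffic"
        elif key[1] is None:
            label = f"ip-proto {key[0]}"
        else:
            label = f"{key[0]}/{key[1]}"
        if key == SSH:
            allowed, why = mgmt_cidrs, "outside management ranges"
        elif key in (IKE, NAT_T, ESP):
            allowed, why = vpn_peers, "not a known VPN peer"
        else:
            # A gateway CSR must accept forwarded traffic from its own VPC
            # (hence the disabled src/dst check); anything else is unexpected.
            allowed, why = vpc_cidrs, "not forwarded VPC traffic"
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if not _within(cidr, allowed):
                findings.append(f"{label} open to {cidr}: {why}")
    return {"missing": missing, "findings": findings}


# Constructed sample group for a CSR in VPC 10.99.0.0/16 (not from the deck):
# correct IKE/ESP rules from the peer, but SSH also left open to the world.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "50", "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.99.0.0/16"}]},
]


def demo() -> dict:
    return audit_csr_ingress(SAMPLE_PERMISSIONS, vpn_peers=["203.0.113.0/24"],
                             mgmt_cidrs=["198.51.100.0/24"],
                             vpc_cidrs=["10.99.0.0/16"])


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```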
Cloud Network Architectures

Cloud WAN Reference Architecture

Diagram: Enterprise WAN (Branch, Co-Lo, Data Center) reaching IaaS Provider 1 and IaaS Provider 2 (each a Cloud Gateway in front of Cloud Apps) over Dedicated Connections and the Internet, and a SaaS Provider over the Internet through an Internet Gateway.
Use Case 1 – Enterprise Extension into AWS
Diagram: Enterprise Network sites in New York and San Jose connected over the WAN and the Internet into a VPC.

• Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN, FlexVPN, EZVPN, etc…
• Up to 1,000 concurrent VPN tunnels per CSR.
• Familiar configuration, familiar troubleshooting, not a black box.
Use Case 1A – Private App in Public Cloud
Design Options
• Direct branch access to AWS or branch connected to AWS through HQ/DC
• VPN topologies can be DMVPN or P2P IPSec
• DMVPN hubs can be located at the Enterprise DC/HQ or in the public cloud
• Direct Connect or Internet for transport

Diagram: Branch Offices (ISR4K) and the Corporate Office (ASR1K) across the WAN (Internet/MPLS) to a CSR1K in the Virtual Private Cloud and an ASR1K in the Enterprise DC.
Use Case 1B - Public App in Public Cloud

Diagram: Subnet 1 and Subnet 2 in the VPC serving Internet Users, with a back-end connection to the Corporate Data Center.

Back-end connection for:
• App Tiers/Data
• Management
• Remote Access
Use Case 2 – VPC Interconnection

Diagram: a Virtual Private Cloud in the US West Region and one in the US East Region inside the AWS cloud.

• Common requirement to build overlay network topologies within an AWS environment to address advanced networking requirements.
• Tunnels can be deployed over Internet, VPC Peering, or Direct Connect.
• VPCs can be in the same region or different regions, or in other cloud providers
Across regions, accounts/subscriptions
Transit VPC

• High Scale and Performance
• High Availability: Redundant VPN Tunnels with dynamic routing in a multi-AZ deployment
• Enterprise class routing features in the Transit VPC
• VGW or CSRs in the spoke VPCs
• See BRKARC-2749 for more information

Diagram: spoke VPCs (VPC A, VPC C, Shared Services, …) connect to a Transit VPC holding CSR1 (AZ1) and CSR2 (AZ2), which links over Direct Connect or Internet to an ASR in the Private DC and to Other Provider Networks.
Direct Connect Overview
• Dedicated connection between the enterprise and AWS
• Provides (1) private peering to VPCs and (2) public peering to AWS public services
• Sub-interface on corporate DC router for each service
• BGP peering for route exchange for each service
• 1G and 10G dedicated connections; sub-1G connections available via partners
• Multiple connections for redundancy
• No Native Encryption

Diagram: Corporate DC (Cisco ISR/ASR) - Direct Connect Circuit - Virtual Private Gateway (VGW) in the Virtual Private Cloud.
Direct Connect Topologies (1/2)

Direct from Enterprise: Corporate DC ISR/ASR - Direct Connect - VGW in the Virtual Private Cloud

SP Managed Service: Corporate DC ISR/ASR - SP VPN - SP Router - Direct Connect - VGW in the Virtual Private Cloud
Direct Connect Topologies (2/2)

Direct from Co-Lo: Corporate DC ISR/ASR - Co-Lo ISR/ASR - Direct Connect - VGW in the Virtual Private Cloud

Cloud Exchange: Corporate DC ISR/ASR - Co-Lo ISR/ASR - Cloud Exchange - Direct Connect - VGW in the Virtual Private Cloud
Direct Connect Peering Requirements Reference
• Each private (VPC) and public connection requires a virtual interface
• BGP peering to AWS for each virtual peering for route exchange
• Can use VRFs to segment peerings into different routing domains
• Typical peering router requirements
  • 1GE/10GE interfaces
  • Bi-directional line-rate performance
  • Sub-interfaces
  • BGP
  • VRFs
  • IPSec/Tunnels/Crypto
  • High availability features
  • Netflow/AVC
  • QoS (shaping)
  • NAT
  • Security Features

ISR4000 – Up to 2 Gbps
ASR1000 – Up to 200 Gbps
Direct Connect With CSR 1000V and Private VIF
• Primary use cases are encryption, Transit VPC, WAN/DMVPN extension, VRF Extension
• Tunnel endpoints are private IP addresses
• Up to 4.5 Gbps throughput per CSR1K

Diagram (Private Virtual Interface Peering): Corporate DC (Cisco ISR/ASR, Enterprise IPs) - Co-Lo - Direct Connect - BGP Peering to the VGW of the Connected VPC (CIDR Block) - CSR 1000V interface; an IPSec Tunnel carries Overlay Routing between the enterprise and the VPC CIDR Block(s).
Direct Connect With CSR 1000V and Public VIF
• Public Virtual Interface

Diagram (Public Virtual Interface Peering): Corporate DC (Cisco ISR/ASR, Enterprise IPs) - Co-Lo - Direct Connect - BGP Peering to AWS Public IPs - IGW of the Connected VPC - CSR 1000V interface; an IPSec Tunnel carries Overlay Routing between the enterprise and the VPC CIDR Block(s).
Internet Access Options (1/2)
Local Internet Access
• EC2 Public IP, Local NAT Instance, or Elastic Load Balancer
• Most applicable to public apps

Central Internet Access
• Leverage existing enterprise internet connection and security perimeter
• Backhauls all traffic to enterprise

Diagram: VPC-A, VPC-B and VPC-C behind a Transit VPC connected to the Private DC; with local access each VPC reaches the Internet directly, with central access the Internet is reached through the Private DC's Security perimeter.
Internet Access Options (2/2)

Direct Internet Access
• Central security enforcement
• Integrated CSR1K security features or 3rd party VNF

Co-Lo Internet Access
• Leverage local co-lo internet connectivity

Diagram: VPC-A, VPC-B and VPC-C behind a Transit VPC; with direct access a Security function in the Transit VPC fronts the Internet, with co-lo access the Internet is reached through a Security function in the Co-Lo between the Transit VPC and the Private DC.
Advanced Features
DMVPN Design Option 1
Local Internet Access for App Subnets
• Single global routing table for public subnet, App subnets, and VPN tunnels
• Default route to the IGW
• Specific internal routes over the tunnel
• NAT overload to CSR public address for App VM internet access
• App VMs can have local internet access and local access to AWS public services

Diagram: CSR with G1 in the Public Subnet, G2 in the App Subnet and Tun0 (DMVPN); 0/0 points to the IGW, specific internal routes go over Tun0. G1, G2, Tun0 are all in the global routing table.
DMVPN Design Option 2
“Full Tunnel” for App Subnets
• Separate routing tables for internet and App/internal networks
• Uses front-door “internet” VRF for connecting to VPN peers
• App VMs and Tunnels are in the global routing table
• App VMs usually will not have local internet access or local access to AWS public services
  • Can use “route leaking” if desired
  • VPC endpoints for S3 service
• Requires EEM Script

Diagram: CSR with G1 in the Public Subnet (0/0 to the IGW), G2 in the App Subnet and Tun0 (DMVPN, 0/0 over the tunnel). G1 – internet VRF; G2, Tun0 – Global.
Reference
Front Door VRF
• Common design option for Cisco WAN designs. See http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Feb2016/CVD-IWANDesignGuide-FEB16.pdf
• Can be used to install multiple default routes
  • One to the internet to reach VPN peers
  • One over the tunnel to reach internal networks
• Can also be used to resolve recursive routing issues
• Requires EEM applet

Cisco EEM Applet
event manager applet fvrf
 event none
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface gig1"
 action 1.3 cli command "vrf forwarding internet-vrf"
 action 1.4 cli command "ip address dhcp"
 action 2.0 cli command "end"

Run the Cisco EEM Applet
event manager run fvrf

Diagram: VPC with a 17.24.0.0/24 subnet, the Tunnel and a VPC peering.
CSR Cloud High Availability
• No virtual IP as with HSRP, since AWS doesn’t allow multicast
• AWS Route Tables for app subnets are re-pointed to opposite CSR
• Failure detection is automatic
• CSR itself calls AWS API to adjust AWS Route Table routes
• EC2 API Endpoint can be reached via Public IP or via Private IP with VPC Endpoints

Diagram: two CSRs in the VPC's CSR Subnet serving App Subnet A and App Subnet B; before HA failover the subnet routes point at one CSR, after HA failover the surviving CSR has re-pointed them through the AWS REST API.

http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws/b_csraws_chapter_0100.html
CSR Cloud HA Configuration
Create IAM ReplaceRoute Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:ReplaceRoute",
        "ec2:DisassociateRouteTable",
        "ec2:ReplaceRouteTableAssociation"
      ],
      "Resource": "*"
    }
  ]
}
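The role above grants ten EC2 route-table actions on every resource in the account, while the failover the previous slide describes only replaces a route in the app subnets' route table. As an added example (not from the deck or Cisco's documentation), this Python check lints the slide policy against that narrower need and builds a scoped replacement; the minimal action set (ec2:ReplaceRoute plus ec2:DescribeRouteTables) and the account id are this example's assumptions.

```python
import json

# Assumed minimum for the failover the slides describe (read the app subnets'
# route table, repoint its 0/0 route at the surviving CSR's ENI). This set is
# this example's assumption, not a statement from the deck.
REQUIRED_ACTIONS = {"ec2:ReplaceRoute", "ec2:DescribeRouteTables"}

# Policy document from the "Create IAM ReplaceRoute Role" slide.
SLIDE_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": ["ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateRouteTable",
               "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables",
               "ec2:DescribeVpcs", "ec2:ReplaceRoute", "ec2:DisassociateRouteTable",
               "ec2:ReplaceRouteTableAssociation"],
    "Resource": "*" } ] }
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_ha_policy(policy: dict, required=frozenset(REQUIRED_ACTIONS)) -> dict:
    """Compare an explicit-action Allow policy against the calls failover needs.

    excess   : granted actions the failover never makes (with them a compromised
               CSR could delete or re-associate route tables, not just repoint one)
    missing  : required actions not granted (failover would fail)
    wildcard : indexes of statements granting a mutating action on Resource "*"
    """
    granted, wildcard = set(), []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        granted |= actions
        mutating = {a for a in actions if not a.startswith("ec2:Describe")}
        if mutating and "*" in _as_list(stmt.get("Resource", [])):
            wildcard.append(idx)
    return {"excess": sorted(granted - required),
            "missing": sorted(required - granted),
            "wildcard": wildcard}


def scoped_policy(route_table_ids: list, region: str, account_id: str) -> dict:
    """Build a tighter policy: ReplaceRoute only on the named route tables.

    ec2:Describe* calls do not support resource-level permissions, so the read
    statement keeps "*"; the write statement is pinned to route-table ARNs.
    """
    arns = [f"arn:aws:ec2:{region}:{account_id}:route-table/{rtb}"
            for rtb in route_table_ids]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeRouteTables", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:ReplaceRoute", "Resource": arns},
    ]}


if __name__ == "__main__":
    print(json.dumps(lint_ha_policy(SLIDE_POLICY), indent=2))
    # rtb-631bda06 is the route-table id used in the deck's HA configuration;
    # the account id is a placeholder.
    print(json.dumps(scoped_policy(["rtb-631bda06"], "us-west-2", "123456789012"),
                     indent=2))
```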
CSR Cloud HA Configuration
Deploy CSR and Assign IAM Role
• IAM role can now be assigned to EC2 instance after launch
CSR Cloud HA Configuration
Configure GRE Tunnel, BFD, and EIGRP

interface Tunnel99
 ip address 172.24.99.1 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.0.253
!
! Not required for 16.3.1a and later
router eigrp 1
 bfd interface Tunnel99
 network 172.24.0.0
 passive-interface GigabitEthernet1

Diagram: two CSRs in the VPC's CSR Subnet joined by Tunnel99, in front of App Subnet A and App Subnet B.
CSR Cloud HA Configuration (prior to 16.3.1a)
Configure EEM

event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-d679128f
event manager environment RTB rtb-631bda06
event manager environment REGION us-west-2/172.24.0.2
event manager applet replace-route
 event syslog pattern "\(Tunnel99\) is down: BFD peer down notified"
 action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2 "$CIDR" arg3 "$ENI" arg4 "$REGION"

• Can have multiple “action” commands to implement multiple route changes or change multiple route tables
• Can also adjust EEM to perform additional behaviors like preemption
CSR Cloud HA Configuration (after 16.3.1a)
Configure using cloud HA CLI

Reference:
redundancy
 cloud provider [ aws | azure ] <node-id>
  bfd peer <ipaddr>
  route-table <table-id>
  cidr ip <ipaddr>/<mask>
  eni <elastic-network-interface>
  region <region-name>

Example:
redundancy
 cloud provider aws 1
  bfd peer 172.24.99.2
  route-table rtb-631bda06
  cidr ip 0.0.0.0/0
  eni eni-d679128f
  region us-west-2

• Update includes HA log messages, show command, and debug
• No longer requires routing protocol to initiate BFD peering
• Support for Azure in 16.5.1
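Both HA variants above react the same way: a BFD-down event on Tunnel99 leads to an EC2 ReplaceRoute call that points the route table's 0/0 at the surviving CSR's ENI. As an added example (not the CSR's own implementation), this Python dry run ties the two slides together: it derives the BFD peer from the Tunnel99 /30, parses the redundancy block, and for a constructed syslog line matching the EEM pattern returns the ReplaceRoute parameters a defender would expect to see in CloudTrail from the CSR's instance role. Nothing is sent to AWS.

```python
import ipaddress
import re

# Syslog pattern the deck's EEM applet matches on (slide "Configure EEM").
BFD_DOWN = re.compile(r"\((?P<ifname>Tunnel\d+)\) is down: BFD peer down notified")

# Tunnel and redundancy configuration copied from the deck's HA slides.
TUNNEL_CONFIG = """
interface Tunnel99
 ip address 172.24.99.1 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.0.253
"""

REDUNDANCY_CONFIG = """
redundancy
 cloud provider aws 1
  bfd peer 172.24.99.2
  route-table rtb-631bda06
  cidr ip 0.0.0.0/0
  eni eni-d679128f
  region us-west-2
"""

# Constructed syslog line; only the part the EEM pattern matches on matters.
SAMPLE_SYSLOG = "*Jun 18 10:00:01.123: (Tunnel99) is down: BFD peer down notified"


def tunnel_peers(config: str) -> dict:
    """Map each tunnel interface to the other host of its /30 (its BFD peer)."""
    peers, ifname = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and ifname:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            peers[ifname] = next(str(h) for h in iface.network.hosts() if h != iface.ip)
    return peers


def parse_redundancy(config: str) -> list:
    """Parse 'cloud provider <name> <id>' nodes and their parameters."""
    nodes, node = [], None
    for line in config.splitlines():
        m = re.match(r"\s*cloud provider (\S+) (\d+)", line)
        if m:
            node = {"provider": m.group(1), "node_id": int(m.group(2))}
            nodes.append(node)
            continue
        m = re.match(r"\s*(bfd peer|route-table|cidr ip|eni|region) (\S+)", line)
        if m and node is not None:
            node[re.sub(r"[ -]", "_", m.group(1))] = m.group(2)
    return nodes


def failover_requests(syslog_line: str, nodes: list, peers: dict) -> list:
    """Dry run of the HA reaction: the ReplaceRoute calls a BFD-down line triggers.

    Nothing is sent to AWS; each dict holds the EC2 ReplaceRoute request
    parameters, which is what appears as eventName ReplaceRoute in CloudTrail,
    issued from the CSR's instance role.
    """
    m = BFD_DOWN.search(syslog_line)
    if not m:
        return []
    peer = peers.get(m.group("ifname"))
    return [{"region": n["region"],
             "ReplaceRoute": {"RouteTableId": n["route_table"],
                              "DestinationCidrBlock": n["cidr_ip"],
                              "NetworkInterfaceId": n["eni"]}}
            for n in nodes if n.get("bfd_peer") == peer]


def demo() -> list:
    return failover_requests(SAMPLE_SYSLOG, parse_redundancy(REDUNDANCY_CONFIG),
                             tunnel_peers(TUNNEL_CONFIG))


if __name__ == "__main__":
    print(demo())
```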
Extend Segmentation to AWS

Diagram: Multi-tenant Network PEs around an MPLS Core, with one PE attached over Direct Connect to a CSR running MPLS VPN over GRE in the VPC, which serves Mission Subnet 1 (Tenant/Mission 1) and Subnet 2 (Tenant/Mission 2).

• Desire to extend multi-tenant segments into a “single” VPC
• Extend MPLS VPN segmentation to AWS cloud
• Leverage MPLS VPN over GRE or GRE VRF-Lite to CSR
Multi-VRF VPCs
Option 1 – Interface per Subnet
• CSR Interfaces
  • Public subnet interface in global table, used for tunnels
  • App subnet interfaces in VRFs*
  • VRF extension using a GRE tunnel per VRF or MPLS VPN over GRE
• VPC Routing
  • Configure a route table for each App subnet with a 0/0 route to the CSR ENI for that subnet.
• VPC Security
  • Use VPC network ACLs and/or security groups to isolate subnets from each other.

* Number of interfaces supported varies by instance type

Diagram: VPC with a Public Subnet (CSR GE1), App Subnet A 172.24.1.0/24 (GE2) and App Subnet B 172.24.2.0/24 (GE3).
Multi-VRF VPCs
Option 2 - CSR in Public Subnet
• CSR Configuration
  • Single public subnet interface in global table
  • PBR set-VRF to map App subnets to VRFs
  • Static VRF routes that map to the global table App subnets
  • VRF extension using a GRE tunnel per VRF or MPLS VPN over GRE
• VPC Routing
  • Single route table for App subnets with a 0/0 route to the CSR public subnet ENI
• VPC Security
  • Use VPC network ACLs and/or security groups to isolate subnets from each other.

Diagram: VPC with a Public Subnet holding the CSR, App Subnet A 172.24.1.0/24 and App Subnet B 172.24.2.0/24.
Reference
PBR Set-VRF Sample Configuration
access-list 100 permit ip 172.24.1.0 0.0.0.255 any
access-list 101 permit ip 172.24.2.0 0.0.0.255 any
!
route-map setvrf permit 10
 match ip address 100
 set vrf blue
!
route-map setvrf permit 20
 match ip address 101
 set vrf green
!
interface GigabitEthernet1
 ip vrf receive blue
 ip vrf receive green
 ip address dhcp
 ip policy route-map setvrf
!
ip route vrf blue 172.24.1.0 255.255.255.0 172.24.0.1 global
ip route vrf green 172.24.2.0 255.255.255.0 172.24.0.1 global
NAT
• NAT overload to allow private subnet VMs to communicate to internet
• Complex NAT scenarios are possible by assigning secondary private and public addresses to CSR instances and using these as additional NAT addresses
  • NAT pools
  • 1:1 NAT
• NAT is not stateful between an HA pair in AWS

Diagram: CSR with Floating IP 55.128.99.23, g1 in 172.24.2.0/25 and g2 in 172.24.2.128/25.

interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
ip access-list standard nat
 permit 172.24.2.128 0.0.1.255

(172.24.2.17 is the public subnet address of the CSR)
Enterprise-Wide Application Visibility
• Uses Netflow and IP SLA
• GUI for application visibility
• IP SLA configuration and monitoring
• Extends application visibility to your
cloud border

Enterprise-Wide Security Visibility
• Uses Netflow
• GUI for security visibility
• Extends application visibility to your cloud:
  • Detecting Sophisticated and Persistent Threats
  • Identifying BotNet Command & Control Activity
  • Uncovering Network Reconnaissance
  • Finding Internally Spread Malware
  • Revealing Data Loss

Diagram: the CSR exports NetFlow to a StealthWatch FlowCollector, which reports over https to the StealthWatch Management Console.
IP SLA
• Actively monitor and measure performance
• Collects data about response time, one-way latency, jitter, packet
loss, voice-quality scoring, application performance, and server
response time
• IP SLA events can be used in routing decisions and EEM

ip sla 1
icmp-echo 192.168.1.11 source-ip 172.24.0.4
ip sla schedule 1 start-time now life forever
ip sla responder

Other Features
• Remote Access VPN – IPSec and SSL VPN
• Zone-Based Firewall
• Encrypted Traffic Analytics

Emerging Solutions
Extend Trust Sec into AWS Transit VPC
• Control Traffic between VPC’s
• Simplify Security Configurations
• Scale Security Group Control
• Single Control Point Control Access to spoke VPC’s based on SGT Tags and Policy Enforcement within the Transit VPC Hub CSRv’s

Diagram: Dev App 1 (VPC1), Pro App 2 (VPC2) and Test App 3 (VPC3) as spokes of a Transit VPC with CSR1 (AZ1) and CSR2 (AZ2), reached over Internet and Direct Connect from an ASR1K in the Data Center, where ISE provides Identity & Access Control and Policy Enforcement with Employee, Developer, Guest and Non-Compliant tags.

Policy matrix (columns as on the slide: App 1 (VPC1), App 2 (VPC2), App 3 (VPC3), Internet, Direct Connect):
Employee        X ✓ ✓ ✓
Developer       ✓ X ✓ ✓
Guest           X X ✓ ✓
Non-Compliant   X X ✓ ✓
AWS: Performance based scale-out
• Simplify your capacity planning with elasticity as you go
• Monitor CSR real-time throughput and spin up new CSRs on demand
• Optimize your cost via flexible licensing options: BYOL and PAYG
• Load sharing is being done through multiple tunnels to multiple CSRs in the Transit VPC
[Diagram: spoke VPCs with tunnels to CSR1, CSR2, CSR3, CSR4 … in the Transit VPC; the Transit VPC connects over DX/ER and the Internet to the ASR in the private DC]
Cisco SD-WAN Solution
[Diagram: vManage (APIs for 3rd-party automation and vAnalytics), vBond and vSmart controllers; vEdge routers at Cloud, Data Center, Campus, Branch and SOHO sites connected over MPLS, INET and 4G transports]
Cloud onRamp for SaaS
• Optimized connectivity to SaaS applications
  • across DIA (1)
  • across DC and regional exits (2)
• Continuous network health-checks
• Automatic selection of optimized path
[Diagram: branch vEdge with Direct Internet Access (1) and DC vEdge with a regional DC exit (2) through Equinix Cloud Exchange / Microsoft ExpressRoute and Internet access towards the cloud apps; vManage platform; application quality probing over MPLS and INET]
Cloud onRamp for IaaS – Attached Compute
• WAN to Cloud Extension
• vEdge router is instantiated in Amazon VPCs or Microsoft Azure VNETs
• One vEdge router per VPC/VNET
• vEdge router joins the fabric and all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
[Diagram: a vEdge gateway inside the VPC/VNET next to the compute, joined over MPLS and INET to the branch and DC vEdges under the vManage platform]
Cloud onRamp for IaaS – Gateway VPC/VNET
• A pair of vEdge routers is instantiated in an Amazon VPC or Microsoft Azure VNET
• A pair of standards-based IPSec tunnels is stretched from the gateway VPC/VNET to each host VPC/VNET
• BGP is established across the IPSec tunnels for route advertisement
• Entire process is automated through a vManage workflow
[Diagram: gateway VPC/VNET with two vEdge routers; standard IPSec tunnels carrying BGP to each host VPC/VNET; MPLS and INET to the branch and DC vEdges under the vManage platform]
Coming: ACI Anywhere – On-Prem Connectivity To AWS (Multi-Site)
[Diagram: Site A on-premises (customer premise router, L3 Out + GOLF) connects via customer and Amazon routers at a DX Location / colocation over AWS Direct Connect to an Amazon VGW; Site B is an AWS Region with an Infra VPC (CSR1000V), User VPC-1 and User VPC-2 (CSR1000V and AWS instances); a BGP EVPN control plane overlay with VXLAN tunnels as the data plane between the sites]
CSR 1000v in Azure
Where to Find the CSR 1000v on Azure
• In the Azure Marketplace: http://azure.microsoft.com/en-us/marketplace/
• Search for “Cisco”
• CSR 1000v product page will contain pricing, support, and deployment information
Cisco CSR 1000V Performance on Public Clouds
IOS-XE 16.8.1 release, large packet, with Intel Meltdown and Spectre fix.

AWS: SR-IOV (Enhanced Networking)
Size          CEF (Mbps)   IPSEC (Mbps)
T2.medium            440            220
M3.Medium            300            250
C4.large             650            640
C4.xlarge            860            860
C3.2xlarge          1330           1000
C4.2xlarge          2300           2300
C4.4xlarge          4600           4200
C4.8xlarge          6200           4500

Azure: Non SR-IOV (AN*)
Size          CEF (Mbps)   IPSEC (Mbps)
D2_v2               1200            900
DS2_v2              1200           1100
D3_v2               1250           1000
DS3_v2              1230           1100
D4_v2               1200           1120
DS4_v2              1250           1120
* AN (Accelerated Networking) coming!
Azure General Terminology
Azure Concept AWS Related Concept
Virtual Machine EC2 Instance
Region Region
Availability Zone (new) Availability Zone
Availability Set No equivalent
Resource Group Resource Group
Resource Manager Templates Cloud Formation Templates

Azure Network Terminology
Azure Concept AWS Related Concept
Virtual Network (VNet) VPC
Network Security Group Security Groups and Network ACL
VNet Route Table VPC Route Table
User-Defined Routes Added VPC Routes
Virtual Network Gateway (VPN or Express Router) VGW
Local Network Gateway CGW
Gateway Subnet Not applicable
ExpressRoute Direct Connect
Public IP Address (Dynamic / Static) Public IP / Elastic IP
Network Virtual Appliance (NVA) EC2 Instance
VNet Peering VPC Peering
Virtual Network Service Endpoint VPC Endpoint

Azure Virtual Networks (VNet)
• A VNet logically isolates a network’s own IP range, routes, security policies, etc.
• Each subnet created is automatically assigned a route table that contains system routes: Local VNet rule, on-prem rule and Internet rule
• System routes can be overwritten by User Defined Routes
• VNets’ IP ranges cannot overlap
• Public IP NAT or Overload NAT for outbound traffic
• The Azure system route table routes within the VNet
• All VNet subnets ALWAYS have a route to all other VNet subnets!
[Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24]
CSR 1000v as Gateway in Azure
• To make deployment of the CSR easy, we insert a set of templates in the Azure portal to deploy all these resources at once:
  • 2 NIC CSR (currently, the only supported type)
  • VNet with 2 subnets: public and private
  • Routing tables on each subnet, with user defined routes. The private subnet will use the private-facing interface ge2 as the gateway; this also disallows the VMs’ direct access to the Internet. The public subnet will use the Internet-facing interface ge1.
  • Enable IP forwarding for each interface
  • Allow UDP 500 (ISAKMP) and UDP 4500 (NAT-T) in the security group on the public subnet for the VPN connection
• Azure NAT at the Azure infrastructure is very similar to AWS
• CSR should be the default gateway for the application VMs
[Diagram: VNet 172.24.2.0/24 with the public subnet 172.24.2.0/25 (CSR interface g1) and the private subnet 172.24.2.128/25 (CSR interface g2)]
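The two Azure slides above turn on one rule set: every subnet starts with system routes, a UDR with the same prefix replaces the system route, and selection is longest-prefix-match. The consequence that matters for the "CSR as default gateway" design is that a 0.0.0.0/0 UDR towards the CSR does not capture east-west traffic inside the VNet, because Azure's VnetLocal system route for the VNet prefix is more specific. The following is an added example written for this page, not code from the presentation, Cisco or Microsoft; it reuses the slide's VNet 172.24.2.0/24 and its two /25 subnets, while the CSR ge2 address 172.24.2.132 is a constructed value.

```python
"""Effective-route selection for an Azure subnet, as the slides describe it.

Added example (not from the presentation, Cisco or Microsoft). Rules modelled:
system routes (VnetLocal and Internet) exist in every subnet, a UDR with the
same prefix replaces the system route, selection is longest-prefix-match, and
equal-length prefixes are broken by Azure's documented order UDR > BGP > System.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VNET = "172.24.2.0/24"              # from the slide
PUBLIC_SUBNET = "172.24.2.0/25"     # ge1 side (Internet-facing), from the slide
PRIVATE_SUBNET = "172.24.2.128/25"  # ge2 side (private-facing), from the slide
CSR_GE2 = "172.24.2.132"            # constructed: CSR ge2 address inside the private subnet

# Tie-break order for equal-length prefixes (Azure documented precedence)
PRECEDENCE = {"UserDefined": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str              # CIDR, e.g. "0.0.0.0/0"
    next_hop_type: str       # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway, None
    next_hop: Optional[str]  # NVA address for VirtualAppliance, otherwise None
    source: str              # System, UserDefined or BGP


def system_routes(vnet_cidr: str) -> List[Route]:
    """The routes Azure installs in every subnet route table before any UDR."""
    return [
        Route(vnet_cidr, "VnetLocal", None, "System"),
        Route("0.0.0.0/0", "Internet", None, "System"),
    ]


def effective_routes(vnet_cidr: str, udrs: List[Route]) -> List[Route]:
    """System routes plus UDRs; a UDR replaces the system route with the same prefix."""
    overridden = {ipaddress.ip_network(r.prefix) for r in udrs}
    kept = [r for r in system_routes(vnet_cidr)
            if ipaddress.ip_network(r.prefix) not in overridden]
    return kept + list(udrs)


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest prefix wins; on equal length the source precedence decides."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route for {dst}")
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -PRECEDENCE[r.source]))


def private_subnet_routes() -> List[Route]:
    """Private subnet: default route to the CSR's ge2, so VMs have no direct Internet path."""
    return effective_routes(VNET, [Route("0.0.0.0/0", "VirtualAppliance", CSR_GE2, "UserDefined")])


def public_subnet_routes() -> List[Route]:
    """Public subnet: keeps Azure's system default route towards the Internet."""
    return effective_routes(VNET, [])


def inspected_private_subnet_routes() -> List[Route]:
    """Private subnet with an extra, more specific UDR so traffic to the public subnet
    also traverses the CSR (ZBFW/ACL) instead of Azure's VnetLocal route."""
    return effective_routes(VNET, [
        Route("0.0.0.0/0", "VirtualAppliance", CSR_GE2, "UserDefined"),
        Route(PUBLIC_SUBNET, "VirtualAppliance", CSR_GE2, "UserDefined"),
    ])


if __name__ == "__main__":
    tables = [("public", public_subnet_routes()),
              ("private", private_subnet_routes()),
              ("private+inspection", inspected_private_subnet_routes())]
    for name, table in tables:
        for dst in ("8.8.8.8", "172.24.2.10"):   # an Internet host and a VM in the public subnet
            r = lookup(table, dst)
            print(f"{name:20} {dst:12} -> {r.prefix:16} {r.next_hop_type} {r.next_hop or ''}")
```

Running it shows the private subnet sending 8.8.8.8 to the CSR but 172.24.2.10 straight over VnetLocal; only the additional 172.24.2.0/25 UDR pulls that inter-subnet flow through the CSR, which is the check to make before assuming the zone-based firewall sees all traffic. The tie-break order is also why a BGP default learned via a Virtual Network Gateway wins over the system Internet route but loses to a UDR.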
Notable Azure Networking Differences vs AWS
• CSR1K Solution Templates in Marketplace
• VNet Route Tables vs VPC Route Tables
• No equivalent to Internet Gateway in Azure
• Outbound internet connectivity by default in Azure
• VNet Peering allows transit routing
• Availability Sets vs Availability Zones
• Gateway subnet for Express Route
• GRE not supported

CSR1000v with VNET Peering
• VNET Peering can be configured to allow transit routing natively
• UDRs created for spokes that point to the CSR as a gateway
  • Can be specific routes or 0.0.0.0/0
• CSR1K provides inter-VNET routing with enterprise routing features
  • Traffic control (QoS, ACL), segregation (VRF, ZBFW) and visibility (AVC)
• Extend VPN tunnels from CSRs to on-prem
• Can be combined with CSR Azure HA feature
Transit VNET with Tunnels Across Regions, Accounts/Subscriptions
• High Throughput: spoke VPC scales up to 2Gbps, 400K routes on CSR, while 1.25Gbps on VNG
• Redundancy: two CSRs in spoke VNET act as a high availability pair to provide redundancy
• Enterprise Routing Features: choice of routing protocols, VRFs for segmentation, BFD for fast failover
• Application Visibility and Security
• Multi-Cloud: similar design for AWS and Azure
[Diagram: spoke VNETs A, B, C … with tunnels to CSR1 and CSR2 in the Transit VNET; the Transit VNET connects over the Internet and Direct Connect to the ASR in the private DC and to other provider networks]
CSR with ExpressRoute
[Diagram: customer VNET with CSR1 (AZ1) and CSR2 (AZ2), an APP subnet per AZ, and an ExpressRoute Virtual Network Gateway (VNG) in the GW subnet towards the on-prem ASR; BGP1/BGP2 sessions between CSR1/CSR2 and the ASR; numbers 1 to 5 mark the steps below]
1. Build ExpressRoute circuit.
2. Create a Gateway Subnet and Virtual Network Gateway.
3. Add an ExpressRoute connection to the Virtual Network Gateway.
4. Build tunnels and BGP peering between CSR1/2 and the ASR.
5. Set up high availability between CSR1 and CSR2. Point your application subnet to either CSR1 or CSR2.
Automation
AWS CloudFormation
• AWS technology to define cloud stacks via a JSON file
• Comparable technologies in OpenStack (Heat) and Azure (RM Templates)
• Can be used to create VPCs or launch EC2 instances into existing VPCs
• For CSR, can be used to initially launch, and then also configure via user data
• Most useful for Day 0
• Template for CSR in GitHub repository
[Diagram: template -> AWS CloudFormation -> stack]
Programmable Interfaces
[Diagram: IOS-XE 16.3 on CSR/ISR/ASR and 3650/3850 exposes NETCONF, RESTCONF and gRPC programmable interfaces over YANG data models (open and native models, for configuration and operation), alongside SNMP; device features such as Interface, BGP, QoS, ACL … across physical and virtual network infrastructure]
Guest Shell Application
Linux Shell Environment On Your Switch or Router
• Maintains IOS-XE system integrity
• Isolated User Space
• Fault Isolation
• Resource Isolation
• On-box rapid prototyping
• Device-level API Integration
• Scripting (Python)
• Linux Commands
• Application Hosting
• Integrate into your Linux workflow
• Integrated with IOS-XE
[Diagram: Linux applications running in the Guest Shell open application container, reaching the Network OS through an API]
Guest Shell with On-Box Python for AWS
• Python is the de facto automation language for networking
• Local Scripts and Automation
  • Get instance metadata
  • Get summary of VPC configuration
  • IOS-XE configuration automation
  • EEM integration
• Interact with public cloud services
  • Copy configs, show command data, or files to/from S3
  • Export metrics and logs to CloudWatch
  • Interface with AWS API Endpoints (e.g. customize HA behavior)

https://github.com/CiscoDevNet/csr_aws_guestshell
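The last bullet, customizing HA behaviour through the AWS API, is what the HSRP-like HA feature for AWS VPCs does underneath: on a peer failure the surviving CSR repoints the VPC routes that used the failed CSR's ENI at its own ENI. The block below is an added example written for this page; it is not code from the presentation or from the csr_aws_guestshell repository. It works on the dictionary shape that boto3's ec2.describe_route_tables() returns and produces the keyword arguments for ec2.replace_route(), so the planning logic can be exercised off-box; SAMPLE_ROUTE_TABLES, the route table ids, ENI ids and CIDRs are all constructed values.

```python
"""Plan a route-table takeover for CSR 1000v HA in an AWS VPC.

Added example (not from the presentation or the csr_aws_guestshell repo).
Input is the dict shape of boto3 ec2.describe_route_tables(); output is the
list of ec2.replace_route() keyword arguments that move every route whose
next hop is the failed CSR's ENI onto the surviving CSR's ENI. Routes with
other next hops (the VPC 'local' route, IGW, peering) are never touched.
"""
from typing import Any, Dict, List

ENI_CSR1 = "eni-0c5r1aaaaaaaaaaa"   # constructed: CSR1's private-side ENI
ENI_CSR2 = "eni-0c5r2bbbbbbbbbbb"   # constructed: CSR2's private-side ENI

# Constructed payload using the same keys describe_route_tables() returns
SAMPLE_ROUTE_TABLES: Dict[str, Any] = {
    "RouteTables": [
        {"RouteTableId": "rtb-0app1aaaaaaaaaaa", "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ENI_CSR1, "State": "active"},
            {"DestinationCidrBlock": "10.0.0.0/8", "NetworkInterfaceId": ENI_CSR1, "State": "active"},
        ]},
        {"RouteTableId": "rtb-0app2bbbbbbbbbbb", "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": ENI_CSR2, "State": "active"},
        ]},
    ]
}

# replace_route() accepts exactly one of these destination selectors
_DEST_KEYS = ("DestinationCidrBlock", "DestinationIpv6CidrBlock", "DestinationPrefixListId")


def routes_via_eni(route_tables: Dict[str, Any], eni_id: str) -> List[Dict[str, str]]:
    """Every (RouteTableId, destination selector) whose next hop is eni_id."""
    found: List[Dict[str, str]] = []
    for rt in route_tables.get("RouteTables", []):
        for route in rt.get("Routes", []):
            if route.get("NetworkInterfaceId") != eni_id:
                continue
            for key in _DEST_KEYS:
                if key in route:
                    found.append({"RouteTableId": rt["RouteTableId"], key: route[key]})
                    break
    return found


def plan_failover(route_tables: Dict[str, Any], failed_eni: str,
                  takeover_eni: str) -> List[Dict[str, str]]:
    """replace_route() arguments that move every route on failed_eni to takeover_eni.

    Calling it with the ENIs swapped produces the failback plan.
    """
    if failed_eni == takeover_eni:
        raise ValueError("failed and takeover ENI must differ")
    return [dict(r, NetworkInterfaceId=takeover_eni)
            for r in routes_via_eni(route_tables, failed_eni)]


def apply_plan(ec2: Any, plan: List[Dict[str, str]]) -> int:
    """Issue the calls. `ec2` is boto3.client('ec2') on the router; a recorder off-box."""
    for kwargs in plan:
        ec2.replace_route(**kwargs)
    return len(plan)


class RecordingEc2:
    """Off-box stand-in for the boto3 EC2 client that only records the calls made."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, str]] = []

    def replace_route(self, **kwargs: str) -> None:
        self.calls.append(kwargs)


if __name__ == "__main__":
    plan = plan_failover(SAMPLE_ROUTE_TABLES, ENI_CSR1, ENI_CSR2)
    ec2 = RecordingEc2()
    print(apply_plan(ec2, plan), "routes moved")
    for call in ec2.calls:
        print(call)
```

Only the two routes that pointed at CSR1's ENI are rewritten; the VPC local route and the routes already on CSR2 are left alone, which is the property to verify before letting a script write to route tables. On the router the instance role that runs this needs ec2:DescribeRouteTables and ec2:ReplaceRoute and nothing more, ideally scoped to the spoke route tables it owns.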
Monitor CSR Real-Time Throughput by AWS CloudWatch
• Python script in Guest Shell
  • Gather CSR throughput by “show platform hardware qfp active datapath utilization”
  • Send key metric to AWS CloudWatch through the AWS Python SDK boto3
• EEM (Embedded Event Manager) script
  • Trigger the Python script on a regular time interval
• Visualize throughput on CloudWatch

event manager applet get-throughput
 event timer watchdog time 15
 action 0.0 cli command "enable"
 action 1.0 cli command "guestshell run /home/guestshell/get-sys-throughput-fyang2.py"
 action 10.0 syslog msg "guestshell-get-throughput executed!"
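The EEM applet above hands the work to a Guest Shell Python script, and the "Performance based scale-out" slide earlier expects the same measurement to drive a decision about spinning up another CSR. The block below is an added example serving both slides; it is not code from the presentation nor the get-sys-throughput script the applet names. It parses the show command output, rates the measured throughput against the CEF/IPsec capacity figures from the performance table, decides whether a scale-out threshold is crossed, and builds the boto3 cloudwatch.put_metric_data() payload. SAMPLE_QFP_OUTPUT follows the row layout of "show platform hardware qfp active datapath utilization" with constructed numbers, and the CloudWatch client is injected, so the module runs without AWS credentials.

```python
"""Parse CSR 1000v datapath utilization, rate it against capacity, shape a CloudWatch metric.

Added example (not from the presentation or the get-sys-throughput script).
CAPACITY_MBPS is the SR-IOV (CEF, IPsec) column pair of the performance table;
SAMPLE_QFP_OUTPUT mirrors the layout of "show platform hardware qfp active
datapath utilization" with constructed values; the CloudWatch client is injected.
"""
import re
from typing import Any, Dict

# (CEF Mbps, IPsec Mbps) per AWS instance type, from the slide's SR-IOV table
CAPACITY_MBPS = {
    "t2.medium": (440, 220), "m3.medium": (300, 250), "c4.large": (650, 640),
    "c4.xlarge": (860, 860), "c3.2xlarge": (1330, 1000), "c4.2xlarge": (2300, 2300),
    "c4.4xlarge": (4600, 4200), "c4.8xlarge": (6200, 4500),
}

# Constructed sample (values invented; columns are the 5 secs / 1 min / 5 min / 60 min windows)
SAMPLE_QFP_OUTPUT = """\
CPP 0: Subdev 0                     5 secs        1 min        5 min       60 min
Input:  Priority (pps)                  0            0            0            0
                 (bps)                  0            0            0            0
        Non-Priority (pps)          41250        40990        39870        38120
                     (bps)      412500000    409900000    398700000    381200000
        Total (pps)                 41250        40990        39870        38120
              (bps)             412500000    409900000    398700000    381200000
Output: Priority (pps)                  0            0            0            0
                 (bps)                  0            0            0            0
        Non-Priority (pps)          40980        40700        39610        37900
                     (bps)      409800000    407000000    396100000    379000000
        Total (pps)                 40980        40700        39610        37900
              (bps)             409800000    407000000    396100000    379000000
Processing: Load (pct)                 63           62           60           57
"""

_ROW = re.compile(r"\((pps|bps|pct)\)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_qfp_utilization(text: str) -> Dict[str, Any]:
    """{'input': {'pps': [4 windows], 'bps': [...]}, 'output': {...}, 'load_pct': [...]}."""
    stats: Dict[str, Any] = {"input": {}, "output": {}, "load_pct": []}
    section, want_bps = None, False
    for line in text.splitlines():
        s = line.strip()
        for prefix, name in (("Input:", "input"), ("Output:", "output"), ("Processing:", "processing")):
            if s.startswith(prefix):
                section, want_bps = name, False
        m = _ROW.search(s)
        if not m or section is None:
            continue
        unit, values = m.group(1), [int(v) for v in m.groups()[1:]]
        if section == "processing" and unit == "pct":
            stats["load_pct"] = values
        elif "Total (pps)" in s:          # the Total row's bps line follows it
            stats[section]["pps"] = values
            want_bps = True
        elif unit == "bps" and want_bps:
            stats[section]["bps"] = values
            want_bps = False
    return stats


def throughput_mbps(stats: Dict[str, Any], window: int = 0) -> float:
    """Forwarded traffic in one window (0 = 5 secs): the larger of input and output bps."""
    return max(stats["input"]["bps"][window], stats["output"]["bps"][window]) / 1e6


def utilization_pct(mbps: float, instance_type: str, ipsec: bool = True) -> float:
    """Measured throughput as a percentage of the instance's published capacity."""
    cef, ipsec_cap = CAPACITY_MBPS[instance_type]
    return 100.0 * mbps / (ipsec_cap if ipsec else cef)


def needs_scale_out(stats: Dict[str, Any], instance_type: str, threshold_pct: float = 70.0,
                    ipsec: bool = True, window: int = 1) -> bool:
    """Scale-out trigger on the 1-minute average so a 5-second burst does not flap it."""
    return utilization_pct(throughput_mbps(stats, window), instance_type, ipsec) >= threshold_pct


def cloudwatch_payload(stats: Dict[str, Any], instance_id: str, instance_type: str,
                       namespace: str = "CSR1000v") -> Dict[str, Any]:
    """Keyword arguments for boto3 cloudwatch.put_metric_data()."""
    dims = [{"Name": "InstanceId", "Value": instance_id},
            {"Name": "InstanceType", "Value": instance_type}]
    mbps = throughput_mbps(stats)
    return {"Namespace": namespace, "MetricData": [
        {"MetricName": "ThroughputMbps", "Dimensions": dims, "Value": mbps, "Unit": "Megabits/Second"},
        {"MetricName": "DatapathLoadPct", "Dimensions": dims,
         "Value": float(stats["load_pct"][0]), "Unit": "Percent"},
        {"MetricName": "CapacityUtilizationPct", "Dimensions": dims,
         "Value": utilization_pct(mbps, instance_type), "Unit": "Percent"},
    ]}


def publish(cloudwatch: Any, stats: Dict[str, Any], instance_id: str, instance_type: str) -> Dict[str, Any]:
    """Send the payload; `cloudwatch` is boto3.client('cloudwatch') on the router."""
    payload = cloudwatch_payload(stats, instance_id, instance_type)
    cloudwatch.put_metric_data(**payload)
    return payload


if __name__ == "__main__":
    # On the router the text comes from the Guest Shell: from cli import cli; cli("show platform ...")
    stats = parse_qfp_utilization(SAMPLE_QFP_OUTPUT)
    print(f"5s throughput {throughput_mbps(stats):.1f} Mbps, load {stats['load_pct'][0]}%")
    print("scale out on c4.large at 60%:", needs_scale_out(stats, "c4.large", threshold_pct=60.0))
```

The scale-out decision deliberately reads the 1-minute column rather than the 5-second one and compares against the IPsec figure, since Transit VPC spokes terminate on IPsec tunnels and that is the lower of the two published numbers; a 15-second EEM timer with a 5-second sample would otherwise launch instances on every burst. The instance id and type for the dimensions would come from instance metadata on the router.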
Automation Demo
Multi-Site/Cloud Demo
Scenario: Provision remote site router and add to corporate DMVPN Overlay
Step 1: Configure remote router
- Set Hostname, DNS, Banners, etc.
- Harden router
- Configure Interfaces
- Backup
Step 2: Add remote router to VPN
- Checkpoint
- Create DMVPN Overlay
- Check Connectivity
- Rollback on failure
[Diagram: Site1 10.1.0.0/16 (host1 10.1.2.10 in 10.1.2.0/24) and Site2 10.2.0.0/16 (host1 10.2.2.10 in 10.2.2.0/24) connect over the public Internet to the Hub 10.0.0.0/16 (control host 10.0.2.10 in 10.0.2.0/24)]
Ansible
• Open-Source Infrastructure as Code
• Seeks specified end-state
• Design Principles
  • Simple: Easy to understand and learn
  • Powerful: 1000s of Modules
  • Agentless: Automate Everything
• Full Lifecycle
  • Provisioning
  • Maintaining
  • Securing
  • De-Provisioning
[Diagram: layers Ansible manages: Cloud, Application, Virtual/Container, Infrastructure]
Summary
Cisco CSR 1000v Summary
• Primary use cases are:
  • Enterprise Network Extension
  • VPC Interconnection (including Transit VPC)
• Virtualized IOS-XE Benefits
  • Secure connectivity using IPSec, DMVPN, SSL VPN, etc.
  • Enterprise-class networking services including Routing, FW, and NAT
  • Rich telemetry for security and performance monitoring with NetFlow/AVC and IP SLA
  • Normalize operations across multiple public clouds and on-prem networks
• HSRP-like High Availability for AWS VPCs
• Consider automation for scaling deployments
Evaluation Licenses
• , since non-BYOL instances are pre-licensed as part of the hourly cost.
• By default BYOL instances boot with all features and 1 Mbps throughput.
• 60-day evaluation licenses are self-serve at: http://www.cisco.com/go/license
• Router# show license udi
Additional Resources
Public Documentation:
• 20+ Demo Videos on CSR 1000V Youtube Channel
  https://www.youtube.com/playlist?list=PLCiTBLSYkcoTUS6b4MFthdvhDrseo6MeN
• CSR 1000V Configuration Guide for AWS
  http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure
  http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html
• Multicloud Design Guides
  https://www.cisco.com/c/en/us/solutions/design-zone/cloud-design-guides.html
• AWS VPC Presentations
  https://www.youtube.com/user/AmazonWebServices/search?query=VPC
AWS Mailer ([email protected])
Azure Mailer ([email protected])
GitHub Repositories
• Ansible Demo
  https://github.com/ismc/brkarc-2023_clus2018
• BRKARC-2023 Repo
  https://github.com/chrishocker/brkarc-2023
  • Ansible Playbooks
  • CloudFormation Template
• Other Repos
  https://github.com/CiscoDevNet/csr_aws_guestshell
  https://github.com/stmosher/AWS-and-Azure-Hybrid-Cloud-Using-Cisco-CSR1000v-DMVPN_v3.0
Related Sessions
Multicloud Networking – Design & Deployment [BRKCLD-3440]
• Wednesday, Jun 13, 10:30 a.m. - 12:00 p.m. | W414C
Extending Enterprise Network into Public Cloud with Cisco CSR1000v [BRKARC-2749]
• Monday, Jun 11, 04:00 p.m. - 05:30 p.m. | W240AB
Automated VPC Connection Using a Transitive Hub in AWS [CCSCLD-2003]
• Monday, Jun 11, 03:00 p.m. - 04:00 p.m. | W315A
Continuous Integration and Testing for Networks with Ansible [DEVNET-2076]
• Thursday, Jun 14, 10:30 a.m. - 11:15 a.m.
Thank you
