
Building Hybrid Clouds with CSR 1000v

Steven Carter, Solutions Architect
Chris Hocker, Consulting Systems Engineer
BRKARC-2023

Agenda

CSR Deployment in AWS

CSR Deployment On-Prem

Building Scalable Overlay Networks

Automating CSR Deployments

Demo

CSR Deployment in AWS

CSR 1000V Architecture: Virtualized IOS XE

[Diagram: the Control Plane (IOS, Chassis Mgr., Forwarding Mgr.) and the Forwarding Plane (FP: FFP client/driver, Forwarding Mgr., FFP code) run in a Linux container on vCPU, vMemory, vDisk and vNIC, over the hypervisor (VMware / Citrix / KVM) and the physical CPU, memory, disk and NIC.]

Generalized to work on any x86 system
Hardware specifics abstracted through a virtualization layer
Forwarding (ESP) and Control (RP) mapped to vCPUs
Bootflash: and NVRAM: are mapped into memory from hard disk
No dedicated crypto engine; we leverage the Intel AES-NI instruction set to provide hardware crypto assist.

BRKARC-2023

2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Q: Where can I find the CSR on AWS?

A: In the AWS marketplace!
1. Search for Cisco
2. Pick a flavor

Other CSR 1000V License Options

Cisco Smart Licensing
Pooled licensing for the term and perpetual licenses shown on the previous slide
CSR 1000V calls home to Cisco and authorizes itself against the purchased license pool
License not locked to a single CSR 1000V instance
Supports license transferability
Only pay AWS for basic instance-type fees
[Diagram: CSR 1000V calls home to Cisco; no TAC entitlement]

Public Cloud Utility-Billing (e.g. Amazon)
No up-front purchase required
Provision from the Cloud Provider Marketplace/Catalog (e.g. Amazon AWS Marketplace)
Cloud Provider bills monthly based on hourly usage and number of product instances
Bring Your Own License (BYOL) also supported if hourly billing is not desired; purchase term licenses for this scenario
Pay AWS for basic instance-type usage AND fees for CSR usage

CSR 1000V Licensing Structure

Pick one option from each column (CSR add-on license options not shown):

Technology Package                 Throughput   License Type
(see next slide for details)
IP Base                            10 Mbps      Subscription (1-year, 3-year or perpetual)
SEC                                50 Mbps      SPLA (target date Q4 CY16)
AppX                               100 Mbps
AX                                 250 Mbps
                                   500 Mbps
                                   1 Gbps
                                   2.5 Gbps
                                   5 Gbps
                                   10 Gbps

Example: IP Base, 250 Mbps, 1-Year

CSR 1000V Features Per Technology Package

IPBase (formerly Standard):
Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS
Multicast: IGMP, PIM
High Availability: HSRP, VRRP, GLBP
Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
Basic Security: ACL, AAA, RADIUS, TACACS+
Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF

SEC (formerly Advanced): IPBase plus
Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN (express route/direct connect only)

AppX: IPBase plus
Advanced Networking: L2TPv3, BFD, MPLS (tunneled), VRF, VXLAN
Application Experience: WCCPv2 (no clustering), AppXNAV, NBAR2, AVC, IP SLA
Hybrid Cloud Connectivity: LISP (L3 only), OTV, VPLS, EoMPLS
Subscriber Management: PTA, LNS, ISG

AX (formerly Premium): ALL FEATURES

Features shown in red on the slide will not work in Amazon due to infrastructure issues (lack of L2 support and multicast support).

CSR 1000V on AWS Performance

CSR 1000V Amazon AMI Throughput Tests
Build: 15.5(3)S2 (XE 03.16.02.S)
PV: instance types emulate I/O devices; low to medium performance; cheaper instance type
HVM: required to take advantage of hardware virtualization acceleration (e.g. SR-IOV); best performance; pricier instance types

All numbers in Mbps

Instance          CEF 64   CEF 1400   CEF IMIX   IPSec 1400   IPSec IMIX
PV m3.medium          35        313        108          237           97
PV m3.large           67        696        215          454          230
PV m3.xlarge          76        682        297          782          250
PV c3.large           79        534        255          514          302
PV c3.xlarge          73        760        281          742          313
PV c3.2xlarge         80      1,031        303        1,005          336
PV c3.4xlarge         70      1,069        306        1,023          346
HVM c3.large          80        526        306          515          348
HVM c3.xlarge        101        758        382          741          436
HVM c3.2xlarge       203      1,032        766        1,009          874
HVM c3.4xlarge       362      2,067      1,254        2,020        1,318

CSR 1000V License Throughput Enforcement

Rate shaper is implemented in the ESP data path at the root of the QoS hierarchy
All egress traffic is subjected to the shaper
The rate is derived from the license
Throughput limit is global, not per-interface
Shaper does not distinguish between different types of traffic
To ensure high-priority traffic is not dropped by the license shaper, configure QoS, e.g. LLQ on interfaces (leveraging priority propagation of the QoS Scheduler)
Note that Control Plane Policing can be applied to also mark control plane packets!

[Diagram: interfaces G1-G4 feed a 50 Mbps license SHAPER in the ESP. Offered egress traffic: G1->G3: 15 Mbps, G2->G4: 20 Mbps, G3->G2: 10 Mbps, G4->G3: 15 Mbps, total 60 Mbps; the shaper drops 10 Mbps (60-50).]
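To make the shaper arithmetic on this slide concrete, here is an added Python model (not Cisco code and not the ESP scheduler) of a 50 Mbps license shaper fed by the four flows in the diagram, with and without LLQ-style priority propagation; which flow is marked priority is an assumption for the example.

```python
"""Model of the CSR 1000V license shaper described on the slide: one global
shaper at the root of the QoS hierarchy that sees all egress traffic.  Without
QoS it cannot tell traffic types apart; with priority propagation (LLQ) the
priority class is served before the shaper runs out of licensed bandwidth.
Added example for illustration; it is not the ESP scheduler implementation."""

from dataclasses import dataclass

LICENSE_RATE_MBPS = 50.0  # shaper rate from the slide ("SHAPER (50)")


@dataclass(frozen=True)
class Flow:
    name: str
    offered_mbps: float
    priority: bool = False  # True = classified into an LLQ priority queue


# Offered egress traffic from the slide's diagram (60 Mbps in total).
# Marking G1->G3 as the priority flow is an assumption made for this example.
SLIDE_FLOWS = (
    Flow("G1->G3", 15.0, priority=True),
    Flow("G2->G4", 20.0),
    Flow("G3->G2", 10.0),
    Flow("G4->G3", 15.0),
)


def shape_without_qos(flows, rate=LICENSE_RATE_MBPS):
    """Shaper with no class awareness: when the offered load exceeds the
    licensed rate every flow is cut by the same ratio, priority or not."""
    offered = sum(f.offered_mbps for f in flows)
    ratio = min(1.0, rate / offered)
    return {f.name: round(f.offered_mbps * ratio, 3) for f in flows}


def shape_with_llq(flows, rate=LICENSE_RATE_MBPS):
    """Priority propagation: LLQ flows are admitted first, up to the licensed
    rate; whatever is left is shared proportionally by the other flows."""
    admitted = {}
    remaining = rate
    prio = [f for f in flows if f.priority]
    prio_total = sum(f.offered_mbps for f in prio)
    prio_ratio = min(1.0, rate / prio_total) if prio_total else 0.0
    for f in prio:
        admitted[f.name] = round(f.offered_mbps * prio_ratio, 3)
        remaining -= f.offered_mbps * prio_ratio
    others = [f for f in flows if not f.priority]
    other_total = sum(f.offered_mbps for f in others)
    other_ratio = min(1.0, max(remaining, 0.0) / other_total) if other_total else 0.0
    for f in others:
        admitted[f.name] = round(f.offered_mbps * other_ratio, 3)
    return admitted


def dropped_mbps(flows, admitted):
    """Total offered traffic minus what the shaper let through."""
    return round(sum(f.offered_mbps for f in flows) - sum(admitted.values()), 2)


if __name__ == "__main__":
    for label, fn in (("no QoS", shape_without_qos), ("LLQ", shape_with_llq)):
        result = fn(SLIDE_FLOWS)
        print(f"{label:6s} {result}  dropped={dropped_mbps(SLIDE_FLOWS, result)} Mbps")
```

Both runs drop the same 10 Mbps the slide shows; the difference is that without QoS the priority flow loses 2.5 Mbps of its 15, while with LLQ it is carried in full.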

What are all the different CSR 1000V types listed?

1. Cloud Services Router 1000V BYOL: can be any tech package and throughput level depending on the license purchased from Cisco and installed on the CSR (not all throughputs supported)
2. Cloud Services Router 1000V Security Tech Package: includes features from the Security technology package. Performance based on the AWS instance type selected (more or less vCPU/vMemory)
3. Cloud Services Router 1000V AX Tech Package: includes features from the AX technology package. Performance based on the AWS instance type selected (more or less vCPU/vMemory)
4. Maximum Performance versions of the above three: enables SR-IOV enhanced networking for higher performance
5. CSR Direct Connect 1 Gig and Multi-Gig: instances used for securing AWS Direct Connect circuits

Microsoft Azure

Search for Cisco CSR

CSR 1000V product page will contain pricing, support, and deployment information

Cisco ASAv Firewall and Management Features

A subset of ASAv features is not supported in AWS (Cisco ASAv in AWS compared with the Cisco ASA feature set):
Removed: clustering and multiple-context mode, VLAN tagging
Virtualization displaces multiple-context and clustering

Parity with all other Cisco ASA platform features:
Traditional (Cisco ASDM and CSM) management tools
Dynamic routing includes OSPF, EIGRP, and BGP
IPv6 inspection support, NAT66, and NAT46/NAT64
REST API for programmed configuration and monitoring
Cisco TrustSec PEP with SGT-based ACLs
Zone-based firewall, Equal-Cost Multipath
Policy Based Routing, VxLAN Support (VTEP)
Failover Active/Standby HA model

VPC 101

Logically isolated network with its own IP range, routes, security, etc.
IP ranges can be overlapping
Internet gateway routes outside and between VPCs
Public IP or NAT for egress (the private address maps to an AWS Elastic IP / Internet IP 54.x.x.x)
VPC peering needed to route between VPCs
Subnet router routes within the VPC
Subnet router is really an encap/decap device between hypervisors
Security: Network ACLs at the border of the VPC; Security Groups within the VPC

CSR placement in the AWS network

NAT at the Internet GW will break services that do not work over NAT, such as GET-VPN
Tunnel source will be a private address
Tunnel destination from the perspective of VPN peers will be a public address
Assign an EC2 Elastic IP address so that the address does not change if the CSR1K is shut down
Other VPCs see the Elastic IP address unless using VPC peering
CSR should be the default gateway for the application VMs

[Diagram: two VPCs, each with a CSR (Gi1 10.1.1.10 and Gi2 10.1.2.10 with app VM 10.1.1.11; Gi1 10.2.1.10 and Gi2 10.2.2.10 with app VM 10.2.1.11); each CSR's Gi1 address maps to an AWS Elastic IP / Internet IP 54.x.x.x.]

No Link Local Broadcast in the VPC

No link-local multicast or broadcast
Affected services include: IGPs; HSRP/VRRP; BFD; Proxy ARP and Gratuitous ARP (and so LISP-VM Mobility)
GRE as work-around for some services
FHRP difficult because of AWS routing

[Diagram: CSR 10.1.1.10 behind NAT to 54.x.x.x, with VMs 10.1.1.11 and 10.1.1.12 in the same subnet.]

Multiple Ways to Insert CSR as Gateway

Two Armed Mode
CSR has one interface in each network
Instances have their default gateway changed to point to the CSR IP, or change the AWS Route Table default route
Limitation on # of interfaces for CSR imposed by AWS
[Diagram: VPC 172.24.2.0/24 with AWS IGW; CSR g1 in 172.24.2.0/25 and g2 in 172.24.2.128/25]

One Armed Mode
CSR has a single interface and a default gateway pointed towards the AWS Internet Gateway
Other subnets have a route added to their route table, pointing to the CSR as gateway
Instances in other subnets don't need their default gateway manually changed; they continue to use the AWS Route Table.
[Diagram: VPC 172.24.2.0/24 with AWS IGW; CSR g1 reached through the VPC Router]

Management and Front Door VRF

Management and remote access of the CSR happens over a public interface (i.e. Floating IP)
No interactive console on AWS
Cisco VPN designs recommend a front-door VRF
Simplifies routing: send a default route over the tunnel
Improves security: isolates the LAN from the public internet
Configuring the VRF causes loss of connectivity; an EEM script is used to work around this
Internet access required for other AWS services (e.g. S3); front-door VRFs cannot be used in these scenarios

CSR Advantages over

Virtual Private Gateway:
Scalability
Continuity of Operations
Spoke-to-spoke routing
Richer routing features
Security/Application Visibility

VPC Peering:
Overlapping CIDR blocks
Peering between regions
Transitive peering relationships
Multiple peerings per VPC
Unicast Reverse Path Forwarding
Spoke-to-spoke routing

On-Prem Deployment Options in VMware & OpenStack

On-Prem Termination

Hardware vs. Virtual
Hardware: performance, determinism
Virtual: flexibility

Places in the Network
Border for the entire organization: hardware (ASR 1000 / ISR 4400)
Data center for individual tenants: software (CSR 1000V)
[Diagram: ASR 1000/ISR 4400 at the border between Campus and Data Center; CSR 1000V inside the Data Center.]

CSR in Private Cloud

Tenant Router, Head-End, or NFV
Supported on multiple hypervisors
Managed by tenant or network team
Manual or orchestrated deployment
Dedicated hosts or distributed with tenant workloads
[Diagram: CSR as Tenant Gateway on Tenant VLANs across two hypervisors.]

CSR Images for On-Prem Deployment

Deployment in VMware

Deploy as OVA
Choose performance
Virtual interfaces = router interfaces (g0, g1, g2)

Deployment in OpenStack

1) Create the instance flavor:
nova flavor-create csr.medium auto 4096 0 2

2) Add the image to the repository:
glance image-create --name csr_image \
  --disk-format qcow2 --container-format bare \
  --file csr1000v-universalk9.03.12.00.S.154-2.S-std.qcow2

3) Boot the CSR:
nova boot csr_instance --image csr_image \
  --flavor csr.medium \
  --nic net-id=<Outside Network ID> \
  --nic net-id=<Inside Network ID> \
  --config-drive=true \
  --file iosxe_config.txt=iosxe_config.txt

Building Scalable Overlay Networks

Use Case 1 - Enterprise VPN Termination into AWS

[Diagram: corporate office/branch connected to a virtual private cloud in the AWS cloud.]

Connect one or many physical locations into an Amazon VPC: IPSec, DMVPN, FlexVPN, EZVPN, etc.
Up to 1,000 concurrent VPN tunnels per CSR, and no per-tunnel charges from Amazon.
Familiar configuration, familiar troubleshooting, not a black box.

Use Case 1A - Private App in Public Cloud

Many design options:
Direct branch access to AWS, or branch connected to AWS through HQ/DC
VPN topologies can be DMVPN or P2P IPSec
DMVPN hubs can be located at the Enterprise DC/HQ or in the public cloud
Direct Connect or Internet for transport

[Diagram: DMVPN over Internet/MPLS between the CSR1K in the Virtual Private Cloud, ASR1K routers at the Enterprise DC and Corporate Office, and ISR4K routers at the Branch Offices.]

Use Case 1B - Public App with Back-End Corporate Access

[Diagram: VPC with a Public Subnet 1 reached by Internet users and a Private Subnet 1; site-to-site VPN connection (data & management) over the Internet to the Corporate Data Center.]

Back-end connection for:
Application Tiers/Data
Management
Developer Access
Corporate Users

Use Case 1C - Direct Connect With CSR 1000V

IPSec encryption for Direct Connect traffic
IPSec tunnel can be to/from the private IP address of the CSR (IGW not needed)
Up to 2 Gbps throughput

[Diagram: Cisco ISR/ASR at the Corporate DC, Direct Connect circuit to the Virtual Private Gateway (VGW), IPSec tunnel to the CSR 1000V in the Virtual Private Cloud.]

Use Case 2 - Interconnecting AWS VPCs

[Diagram: Virtual Private Clouds in the US West and US East Regions of the AWS cloud.]

Common requirement to build overlay network topologies within an AWS environment to address advanced networking requirements.
Tunnels can be deployed over Internet Gateways, VPC Peering, or Direct Connect.
Can also be used to build connectivity to other cloud providers.

Use Case 2A - Inter-VPC VPN Tunnels

VPC Peering is not supported between AWS Regions, so tunnels are needed
Tunnels could traverse the Internet or Direct Connect circuits that are used to transit the enterprise WAN

[Diagram: tunnels over the Internet between the West Coast and East Coast Regions.]

Use Case 2B - Transit VPCs

Used for hierarchical designs
Scaling beyond VPC peering limits
Peering to 3rd party VPCs
Security/Monitoring services in the Transit VPC
Redundant CSRs for HA and fast convergence
Can use VRFs to resolve recursive routing issues
NAT for overlapping addresses

[Diagram: Transit VPC with VPC peering to an App VPC and a Shared Services VPC, a VGW toward a 3rd Party VPC, and Direct Connect to the Corporate Network/DC.]

DMVPN Design Model: Direct Internet Access for App Subnets

Single global routing table for the public subnet, App subnets, and VPN tunnels
Default route to the IGW
Specific internal routes over the tunnel
NAT overload to the CSR public address for App VM internet access
App VMs can have local internet access and local access to AWS public services

[Diagram: CSR with G1 in the Public Subnet toward the IGW (0/0), G2 in the App Subnet, and Tun0 (DMVPN) carrying the specific internal routes; G1, G2 and Tun0 are all in the global routing table.]

DMVPN Design Model: Full Tunnel for App Subnets

Separate routing tables for internet and App/internal networks
Uses a front-door internet VRF for connecting to VPN peers
App VMs and tunnels are in the global routing table
App VMs usually will not have local internet access or local access to AWS public services
Can use route leaking if desired
VPC endpoints for the S3 service
Requires EEM script

[Diagram: G1 in the internet VRF toward the IGW (0/0); G2 and Tun0 (DMVPN) in the global table, with 0/0 pointing over the tunnel.]

Front Door VRF

Common design option for Cisco WAN designs. See http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Feb2016/CVDIWANDesignGuide-FEB16.pdf
Can be used to install multiple default routes: one to the internet to reach VPN peers, one over the tunnel to reach internal networks
Can also be used to resolve recursive routing issues
Requires EEM applet

Cisco EEM Applet:

event manager applet fvrf
 event none
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface gig1"
 action 1.3 cli command "vrf forwarding internet-vrf"
 action 1.4 cli command "ip address dhcp"
 action 2.0 cli command "end"

Run the Cisco EEM Applet:

event manager run fvrf

[Diagram: VPC 17.24.0.0/24 with the tunnel and VPC peering.]

CSR VPN High Availability

No virtual IP as with HSRP, since AWS doesn't allow multicast
AWS Route Tables for app subnets are re-pointed to the opposite CSR
Failure detection is automatic
CSR itself calls the AWS REST API to adjust AWS Route Table routes

[Diagram: VPC with a CSR Subnet holding the HA pair and App Subnets A and B, shown before and after HA failover.]

CSR VPN HA Configuration: Create IAM ChangeRouteRole

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:ReplaceRoute",
        "ec2:DisassociateRouteTable",
        "ec2:ReplaceRouteTableAssociation"
      ],
      "Resource": "*"
    }
  ]
}

CSR VPN HA Configuration: Deploy CSR and Assign IAM Role

CSR VPN HA Configuration: Configure GRE Tunnel, BFD, and EIGRP

interface Tunnel99
 ip address 172.24.99.1 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.0.253
!
router eigrp 1
 bfd interface Tunnel99
 network 172.24.0.0
 passive-interface GigabitEthernet1

[Diagram: the two CSRs in the CSR Subnet joined by a GRE tunnel (labelled Tunnel1), with App Subnets A and B.]

CSR VPN HA Configuration: Configure EEM

event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-d679128f
event manager environment RTB rtb-631bda06
event manager environment REGION us-west-2/172.24.0.2
event manager applet replace-route
 event syslog pattern "\(Tunnel99\) is down: BFD peer down notified"
 action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2 "$CIDR" arg3 "$ENI" arg4 "$REGION"

Can have multiple action commands to implement multiple route changes or change multiple route tables
Can also adjust EEM to perform additional behaviors like preemption
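The HA action on this slide and the role on the ChangeRouteRole slide, as an added Python model (not Cisco's csr_mgmt container code): it matches the applet's syslog pattern, derives the EC2 ReplaceRoute parameters from the environment variables, and audits the slide's IAM policy against the actions that call needs. The required-action set, the account id and the sample syslog lines are assumptions constructed for the example.

```python
"""Added Python model (not Cisco's csr_mgmt container code) of the HA action
on this slide: the syslog trigger, the EC2 ReplaceRoute request it amounts
to, and an audit of the IAM policy from the ChangeRouteRole slide against the
permissions that request needs.  Assumptions: the failover only replaces the
0/0 route and reads the table back (REQUIRED_ACTIONS), the account id is a
placeholder, and the sample syslog line is constructed."""

import re

# event manager environment values from the slide
SLIDE_EEM_ENV = {
    "CIDR": "0.0.0.0/0",
    "ENI": "eni-d679128f",
    "RTB": "rtb-631bda06",
    "REGION": "us-west-2/172.24.0.2",
}

# the "event syslog pattern" of applet replace-route
TUNNEL_DOWN_PATTERN = re.compile(r"\(Tunnel99\) is down: BFD peer down notified")

# policy document from the "Create IAM ChangeRouteRole" slide
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:AssociateRouteTable", "ec2:CreateRoute", "ec2:CreateRouteTable",
            "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables",
            "ec2:DescribeVpcs", "ec2:ReplaceRoute", "ec2:DisassociateRouteTable",
            "ec2:ReplaceRouteTableAssociation",
        ],
        "Resource": "*",
    }],
}

# Assumption for this example: what the replace-route action actually calls.
REQUIRED_ACTIONS = {"ec2:ReplaceRoute", "ec2:DescribeRouteTables"}

# Constructed sample line in the shape of an EIGRP neighbor-down message.
SAMPLE_SYSLOG = ("*Jun  1 12:00:00.001: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor "
                 "172.24.99.2 (Tunnel99) is down: BFD peer down notified")


def tunnel_down_event(syslog_line):
    """True when a syslog line would fire the replace-route applet."""
    return TUNNEL_DOWN_PATTERN.search(syslog_line) is not None


def build_replace_route(env):
    """ec2 ReplaceRoute parameters derived from the applet's arguments.
    The REGION value carries a region and an address separated by '/';
    only the region part is used here."""
    return {
        "Region": env["REGION"].split("/", 1)[0],
        "RouteTableId": env["RTB"],
        "DestinationCidrBlock": env["CIDR"],
        "NetworkInterfaceId": env["ENI"],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, required):
    """Actions granted but never used by the HA flow, actions it needs but
    lacks, and whether any Allow statement is scoped to Resource '*'."""
    granted, wildcard = set(), False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        granted.update(_as_list(stmt["Action"]))
        wildcard = wildcard or "*" in _as_list(stmt["Resource"])
    return {
        "unused_actions": sorted(granted - required),
        "missing_actions": sorted(required - granted),
        "wildcard_resource": wildcard,
    }


def least_privilege_policy(policy, required, region, account_id, route_table_id):
    """Same policy format, reduced to the required actions: mutating actions
    are pinned to the one route table the applet targets, while ec2:Describe*
    actions stay on '*' because EC2 does not support resource-level
    permissions for them."""
    describe = sorted(a for a in required if a.startswith("ec2:Describe"))
    mutate = sorted(a for a in required if a not in describe)
    rtb_arn = f"arn:aws:ec2:{region}:{account_id}:route-table/{route_table_id}"
    statements = []
    if mutate:
        statements.append({"Effect": "Allow", "Action": mutate, "Resource": rtb_arn})
    if describe:
        statements.append({"Effect": "Allow", "Action": describe, "Resource": "*"})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    if tunnel_down_event(SAMPLE_SYSLOG):
        print("would call ReplaceRoute with", build_replace_route(SLIDE_EEM_ENV))
    print("policy audit:", audit_policy(SLIDE_POLICY, REQUIRED_ACTIONS))
```

The audit reports eight actions the slide's policy grants that a single ReplaceRoute never uses, plus the wildcard resource; CloudTrail (next slide) is where to confirm which actions the container really issues before tightening the role.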

CSR AWS HA Troubleshooting

Configure an EEM applet that can be run manually:

Manual replace-route EEM Applet
event manager applet manual
 event none
 action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2 "$CIDR" arg3 "$ENI" arg4 "$REGION"

csr_a#event manager run manual

Telnet to the EC2 API endpoint to test connectivity (may need to enable DNS using ip name-server 8.8.8.8; endpoints are listed at http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region):

csr_a#telnet ec2.us-west-1.amazonaws.com 443
Trying ec2.us-west-1.amazonaws.com (176.32.118.39, 443)... Open

Verify API calls are made using CloudTrail
Restart the csr_mgmt container
Use automation tools to reliably generate and validate HA configurations; Ansible example in the BRKARC-2023 GitHub Repository

Restart csr_mgmt after reboot EEM Applet
event manager applet restart_csrmgmt
 description disable/enable csr_mgmt container
 event timer countdown time 30
 action 1.0 syslog msg "restarting csr_mgmt container"
 action 1.1 cli command "enable"
 action 1.2 cli command "config terminal"
 action 1.3 cli command "virtual-service csr_mgmt"
 action 1.4 cli command "no activate"
 action 1.5 syslog msg "csr deactivated"
 action 1.6 wait 10
 action 1.7 cli command "activate"
 action 1.8 syslog msg "csr reactivated"
 action 1.9 cli command "end"

Extend VRF Segmentation to AWS

Desire to extend multi-tenant segments into a single VPC
Extend MPLS VPN segmentation to the AWS cloud
Leverage MPLS VPN over GRE or GRE VRF-Lite to the CSR

[Diagram: a multi-tenant Mission Network with PEs around an MPLS Core; MPLS VPN over GRE runs across Direct Connect to the CSR, which terminates it into Subnet 1 (Tenant/Mission 1) and Subnet 2 (Tenant/Mission 2).]

Multi-VRF VPCs, Option 1: Interface per Subnet

CSR Interfaces
Public subnet interface in the global table, used for tunnels
App subnet interfaces in VRFs*
VRF extension using a GRE tunnel per VRF or MPLS VPN over GRE

VPC Routing
Configure a route table for each App subnet with a 0/0 route to the CSR ENI for that subnet.

VPC Security
Use VPC network ACLs and/or security groups to isolate subnets from each other.

* Number of interfaces supported varies by instance type

[Diagram: CSR with GE1 in the Public Subnet, GE2 in App Subnet A (172.24.1.0/24) and GE3 in App Subnet B (172.24.2.0/24).]

Multi-VRF VPCs, Option 2: CSR in Public Subnet

CSR Configuration
Single public subnet interface in the global table
PBR set-VRF to map App subnets to VRFs
Static VRF routes that map to the global table App subnets
VRF extension using a GRE tunnel per VRF or MPLS VPN over GRE

VPC Routing
Single route table for App subnets with a 0/0 route to the CSR public subnet ENI

VPC Security
Use VPC network ACLs and/or security groups to isolate subnets from each other.

[Diagram: CSR in the Public Subnet; App Subnet A 172.24.1.0/24 and App Subnet B 172.24.2.0/24.]

PBR Set-VRF Sample Configuration

access-list 100 permit ip 172.24.1.0 0.0.0.255 any
access-list 101 permit ip 172.24.2.0 0.0.0.255 any
!
route-map setvrf permit 10
 match ip address 100
 set vrf blue
route-map setvrf permit 20
 match ip address 101
 set vrf green
!
interface GigabitEthernet1
 ip vrf receive blue
 ip vrf receive green
 ip address dhcp
 ip policy route-map setvrf
!
ip route vrf blue 172.24.1.0 255.255.255.0 172.24.0.1 global
ip route vrf green 172.24.2.0 255.255.255.0 172.24.0.1 global

NAT

NAT overload to allow private subnet VMs to communicate with the internet
Complex NAT scenarios are possible by assigning secondary private and public addresses to CSR instances and using these as additional NAT addresses: NAT pools, 1:1 NAT
NAT is not stateful between an HA pair in AWS

interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
ip access-list standard nat
 permit 172.24.2.128 0.0.1.255

[Diagram: CSR g1 in 172.24.2.0/25 with Floating IP 55.128.99.23 (172.24.2.17 is the public subnet address of the CSR) and g2 in 172.24.2.128/25.]
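An added Python evaluator for IOS wildcard-mask ACLs (example code, not Cisco's), run over the PBR set-VRF access-lists on the previous slide and the standard ACL "nat" on this one; it generalizes to any contiguous wildcard. The subnet and VRF values come from the slides; the interpretation of which subnet the NAT list is meant to cover is an assumption stated in the comments.

```python
"""IOS wildcard-mask ACL evaluator, added here to check two pieces of config
from the slides: the PBR set-VRF access-lists 100/101 and the standard ACL
'nat'.  Example code, not Cisco's; addresses and VRF names are the slides'."""

import ipaddress

IPv4Network = ipaddress.IPv4Network


def wildcard_to_network(address, wildcard):
    """Prefix matched by an IOS 'address wildcard' pair.  Only contiguous
    wildcards are handled (all the slides use); 0.0.1.255 sets the 9 low
    bits, so it matches a /23."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return IPv4Network((address, 32 - w.bit_length()), strict=False)


def network_to_wildcard(network):
    """Inverse: the wildcard that matches exactly this prefix."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> network.prefixlen))


def acl_lookup(entries, source):
    """First-match evaluation of (action, address, wildcard) entries,
    with the implicit deny at the end."""
    src = ipaddress.IPv4Address(source)
    for action, address, wildcard in entries:
        if src in wildcard_to_network(address, wildcard):
            return action
    return "deny"


# access-list 100 / 101 from the PBR set-VRF slide
PBR_ACLS = {
    100: [("permit", "172.24.1.0", "0.0.0.255")],
    101: [("permit", "172.24.2.0", "0.0.0.255")],
}
# route-map setvrf: sequence 10 -> blue, sequence 20 -> green
SETVRF_ROUTE_MAP = ((100, "blue"), (101, "green"))


def pbr_vrf_for(source):
    """VRF a packet arriving on GigabitEthernet1 is policy-routed into;
    sources matching no sequence stay in the interface's own (global) table."""
    for acl, vrf in SETVRF_ROUTE_MAP:
        if acl_lookup(PBR_ACLS[acl], source) == "permit":
            return vrf
    return "global"


# 'ip access-list standard nat' from the NAT slide and the two subnets in its diagram
NAT_ACL = [("permit", "172.24.2.128", "0.0.1.255")]
PUBLIC_SUBNET = IPv4Network("172.24.2.0/25")     # g1, ip nat outside
PRIVATE_SUBNET = IPv4Network("172.24.2.128/25")  # g2, ip nat inside


def nat_acl_report():
    """What the NAT list really matches, whether that includes the public
    (outside) subnet, and the wildcard that would match only the inside /25.
    Assumption: the list is meant to cover the private subnet VMs behind g2."""
    matched = wildcard_to_network(*NAT_ACL[0][1:])
    return {
        "matches": str(matched),
        "also_covers_public_subnet": PUBLIC_SUBNET.subnet_of(matched),
        "wildcard_for_private_only": network_to_wildcard(PRIVATE_SUBNET),
    }


if __name__ == "__main__":
    for src in ("172.24.1.5", "172.24.2.200", "172.24.0.5"):
        print(src, "->", pbr_vrf_for(src))
    print(nat_acl_report())
```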

Other Features

Remote Access VPN IPSec and SSL VPN

Zone-Based Firewall

IP SLA

Netflow/AVC (Application Visibility and Control)


CSR Automation

AWS CloudFormation
AWS technology to define cloud stacks via a JSON file
Comparable technologies in OpenStack (Heat) and Azure (RM Templates)
Can be used to create VPCs or launch EC2 instances into existing VPCs
For CSR, can be used to initially launch, and then also configure via user data
Most useful for Day 0
Template for CSR in the GitHub repository
[Diagram: template -> AWS CloudFormation -> stack]

Demo

Ansible
Open-source DevOps tool: Python, YAML, Jinja2
Goal oriented
Agentless
Idempotent
Multi-platform/OS/cloud
Useful for: setup, configure, maintain/manage

Demo Setup

[Diagram: build_aws_vpc.yml builds a VPC with a Host, build_azure_vpc.yml a Resource Group with a Host, and build_openstack_vpc.yml a Project with a Host; the three playbooks build the hosts file, and build_dmvpn.yml builds the DMVPN overlay across them.]

1) Create tunnels (builds the hosts file):
ansible-playbook build_aws_vpc.yml
ansible-playbook build_azure_vpc.yml
ansible-playbook build_openstack_vpc.yml

2) Build DMVPN overlay:
ansible-playbook -i hosts build-dmvpn.yml

Demo Playbook

Ansible modules in the order the playbook runs them (AWS, Availability Zone #1):
1) ec2_key
2) ec2_vpc
3) ec2_group (Security Group)
4) ec2_vpc_subnet
5) ec2_vpc_route_table
6) ec2
7) ec2_vpc_subnet
8) ec2_eni
9) ec2_vpc_route_table
10) ec2

BRKARC-2023 GitHub Repository

https://github.com/chrishocker/brkarc-2023
https://github.com/stevenca/build-a-cloud

Ansible Playbooks
Playbooks used for the Ansible demo:
Enable smart licensing
Configure AWS HA
Create CSR
Delete CSR and return smart license to the pool
Network show command

CSR CloudFormation Template

CSR REST API

REST is Representational State Transfer
Based on HTTP. Client-server model. Stateless.
Identify resources through URIs, e.g. /api/v1/global/ntp/servers
Request & response type: JSON (JavaScript Object Notation)
Common methods: PUT, POST, GET, DELETE
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIintro.html

Example: set the host name

PUT /api/v1/global/host-name
Content-Type: application/json
Accept: application/json

{
  host-name: eng-router
}

Response:
200 Ok
Content-Type: application/json

{
  host-name: eng-router
}

Example: read the UDI

GET /license/UDI
Content-Type: application/json
Accept: application/json

Response:
200 Ok
Content-Type: application/json

{
  link: /license/UDI,
  UDI: ACRPSJAE9486R
}

IOS-XE 16.3 Programmable Interfaces (CSR/ISR/ASR, 3650/3850)

[Diagram: NETCONF, RESTconf and gRPC programmable interfaces sit on top of the YANG data model (open models and native models, for both configuration and operation), which covers device features such as SNMP, interface, BGP, QoS and ACL on the physical and virtual network infrastructure.]

Summary

Cisco CSR 1000v Summary

Primary use cases are:
Enterprise Network Extension
VPC Interconnection

Virtualized IOS-XE benefits:
Secure connectivity using IPSec, DMVPN, SSL VPN, etc.
Enterprise-class networking services including routing, FW, and NAT
Rich telemetry for security and performance monitoring with Netflow/AVC and IP SLA
Normalize operations across multiple public clouds and on-prem networks

HSRP-like high availability for AWS VPCs
Consider automation tools for scaling CSR deployments

CSR 1000v in AWS Design Guide

http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS.pdf

Evaluation Licenses

Only BYOL instances need an evaluation license, since non-BYOL instances


are pre-licensed as part of the hourly cost.

By default BYOL instances boot with all features and 100 Kbps throughput.

60-day evaluation licenses are self-serve at:

http://www.cisco.com/go/license

Router# show license udi

BRKARC-2023

2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

63

Resources

AWS VPC Presentations: https://www.youtube.com/user/AmazonWebServices/search?query=VPC
CSR in AWS CVD: http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS.pdf
Evaluation Licenses: http://www.cisco.com/go/license
CSR in Azure deployment guide: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/csrazure.html
CSR in AWS Marketplace: https://aws.amazon.com/marketplace/seller-profile?id=e201de70-32a9-47fe-8746-09fa08dd334f
CSR in AWS Test Drive: https://csrtestdrive.com/
CSR in AWS Support Forum: https://supportforums.cisco.com/community/csr-amazon
CSR in Azure marketplace: https://azure.microsoft.com/en-us/marketplace/?term=Cisco

Complete Your Online Session Evaluation

Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you

Appendix

Remote Worker VPN Access into AWS

[Diagram: remote users connecting into a virtual private cloud in the AWS cloud.]

IPSec and SSLVPN access via AnyConnect for teleworkers and remote users
AAA server options for the user database
Easily host copies of your apps in regions close to your remote users
No similar service offered natively by AWS
See appendix for example configuration

SSL VPN Configuration Example (1/3): Create a Server Certificate

A self-signed certificate is generated by default when the CSR is launched.
Can generate a new self-signed certificate or provision a certificate from an Enterprise CA.

crypto key generate rsa label sslvpn-key modulus 2048
!
crypto pki trustpoint sslvpn-self-signed
 enrollment selfsigned
 subject-name cn=csr-aws-sslvpn
 revocation-check none
 rsakeypair sslvpn-key
!
crypto pki enroll sslvpn-self-signed

SSL VPN Configuration Example (2/3): Configure User Database and Address Pool

User database can be on a AAA server or defined locally.

aaa new-model
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network sslvpn local
!
username chocker privilege 15 secret 5 $1$VHFK$5jHUYC/Sy.0yCaexJs6xo1
!
ip local pool pool1 10.10.10.50 10.10.10.100

SSL VPN Configuration Example (3/3)

Configure Crypto

crypto ssl proposal proposal1
 protection rsa-aes128-sha1
!
crypto ssl authorization policy authpolicy1
 netmask 255.255.255.0
 pool pool1
!
crypto ssl policy policy1
 ssl proposal proposal1
 pki trustpoint sslvpn-self-signed sign
 ip interface GigabitEthernet1 port 443
!
crypto ssl profile profile1
 match policy policy1
 aaa authentication list sslvpn
 aaa authorization group list sslvpn authpolicy1
 authentication remote user-credentials
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-macosx-i3863.1.05187-k9.pkg sequence 1
!


Zone Based Firewall Configuration Example (1/2)

[Diagram: CSR with three zones: Outside on GigabitEthernet1, Inside on GigabitEthernet2, and Tunnel]

class-map type inspect match-any tunnel-inside
 match protocol icmp
 match protocol http
 match protocol https
 match protocol ssh
 match access-group name tunnel-inside
!
ip access-list extended tunnel-inside
 permit tcp any host 172.24.2.200 eq 3389
!
policy-map type inspect tunnel-inside
 class type inspect tunnel-inside
  inspect
 class class-default
  drop log

Zone Based Firewall Configuration Example (2/2)

[Diagram: CSR with three zones: Outside on GigabitEthernet1, Inside on GigabitEthernet2, and Tunnel]

zone security outside
zone security inside
zone security tunnel
zone-pair security tunnel-inside source tunnel destination inside
 service-policy type inspect tunnel-inside
!
interface Tunnel0
 zone-member security tunnel
interface GigabitEthernet1
 zone-member security outside
interface GigabitEthernet2
 zone-member security inside
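As an added example that is not part of the deck: a short Python check over the zone-based firewall configuration above, reporting class-map, ACL, policy-map and zone names that are referenced but never defined. The sample config is constructed from the slides and keeps a class-map name without the hyphen that the policy-map uses, the kind of mismatch that is easy to introduce when typing the names by hand.

```python
import re

# Constructed sample (not the slides verbatim): the zone-based firewall config,
# abbreviated, with the class-map name missing the hyphen the policy-map uses.
ZBF_CONFIG = """\
class-map type inspect match-any tunnelinside
 match access-group name tunnel-inside
ip access-list extended tunnel-inside
 permit tcp any host 172.24.2.200 eq 3389
policy-map type inspect tunnel-inside
 class type inspect tunnel-inside
  inspect
 class class-default
  drop log
zone security inside
zone security tunnel
zone-pair security tunnel-inside source tunnel destination inside
 service-policy type inspect tunnel-inside
interface Tunnel0
 zone-member security tunnel
interface GigabitEthernet2
 zone-member security inside
"""

# (kind, regex) for lines that define an object and for lines that reference one.
DEFS = [("class-map", r"^class-map type inspect \S+ (\S+)"),
        ("acl", r"^ip access-list extended (\S+)"),
        ("policy-map", r"^policy-map type inspect (\S+)"),
        ("zone", r"^zone security (\S+)")]
REFS = [("class-map", r"^ class type inspect (\S+)"),
        ("acl", r"^ match access-group name (\S+)"),
        ("policy-map", r"^ service-policy type inspect (\S+)"),
        ("zone", r"^zone-pair security \S+ source (\S+) destination (\S+)"),
        ("zone", r"^ zone-member security (\S+)")]

def lint_zbf(config: str) -> list[str]:
    """Report references to class-maps, ACLs, policy-maps or zones that the
    config never defines, so name mismatches are caught before a push."""
    lines = config.splitlines()
    defined = {kind: {m.group(1) for l in lines if (m := re.match(pat, l))}
               for kind, pat in DEFS}
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in REFS:
            m = re.match(pat, line)
            for name in (m.groups() if m else ()):
                if name not in defined[kind]:
                    findings.append(f"line {n}: {kind} '{name}' referenced but never defined")
    return findings
```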


Enterprise-Wide Security Visibility

Uses NetFlow

GUI for security visibility

Extends application visibility to your cloud:

Detecting Sophisticated and Persistent Threats
Identifying BotNet Command & Control Activity
Uncovering Network Reconnaissance
Finding Internally Spread Malware
Revealing Data Loss

[Diagram: CSR exports NetFlow to a StealthWatch FlowCollector, which the StealthWatch Management Console reaches over https]


Enterprise-Wide Application Visibility

Uses NetFlow and IP SLA

GUI for application visibility

IP SLA configuration and monitoring

Extends application visibility to your cloud border


IP SLA

Actively monitor and measure performance

Includes data about response time, one-way latency, jitter, packet loss, voice-quality scoring, network resource availability, application performance, and server response time

Performance data can be used in routing decisions and EEM

Detect Partner Failover

ip sla 1
 icmp-echo 172.24.0.5 source-ip 172.24.0.4
 tag DMVPN_SLA
ip sla 2
 icmp-echo 172.24.0.1 source-ip 172.24.0.4
 tag DMVPN_SLA
ip sla group schedule 1 1-3 schedule-period 60 frequency 60 start-time now life forever
ip sla responder


CSR CloudFormation Example (1/5)

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "CSR CF Template",
  "Parameters": {
    "SubnetId" : { "Type": "AWS::EC2::Subnet::Id" },
    "PrivateIpAddress" : { "Type": "String" },
    "VpcId" : { "Type" : "AWS::EC2::VPC::Id" },
    "SecurityGroupId" : { "Type" : "AWS::EC2::SecurityGroup::Id" }
  },


CSR CloudFormation Example (2/5)

  "Resources" : {
    "CSRInstance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "DisableApiTermination" : "FALSE",
        "ImageId" : "ami-4bf7842b",
        "InstanceType" : "m3.medium",
        "KeyName" : "chockerva-fedcsn",
        "Monitoring" : "false",
        "SourceDestCheck": "FALSE",
        "IamInstanceProfile": "ReplaceRouteRole",


CSR CloudFormation Example (3/5)

        "NetworkInterfaces": [
          {
            "AssociatePublicIpAddress" : "TRUE",
            "Description" : "GigabitEthernet1",
            "DeviceIndex" : "0",
            "PrivateIpAddress": { "Ref" : "PrivateIpAddress" },
            "SubnetId": { "Ref": "SubnetId" },
            "GroupSet": [ { "Ref": "SecurityGroupId" } ]
          }
        ],
        "Tags" : [
          { "Key" : "Name", "Value" : "chocker-csr-x" },
          { "Key" : "Owner", "Value": "chocker" },
          { "Key" : "Role", "Value" : "router1" }
        ],

CSR CloudFormation Example (4/5)

        "UserData" : {
          "Fn::Base64" : {
            "Fn::Join" : [
              "",
              [
                "ios-config-0001=hostname chocker-csr-x"
              ]
            ]
          }
        }
      }
    }
  },


CSR CloudFormation Example (5/5)

  "Outputs" : {
    "InstanceID" : {
      "Value" : { "Ref" : "CSRInstance" }
    },
    "PublicIP" : {
      "Value" : { "Fn::GetAtt" : [ "CSRInstance", "PublicIp" ] }
    }
  }
}
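An added example, not part of the deck or of Cisco's tooling: a Python audit of the template assembled across the five slides above. It checks that every Ref and Fn::GetAtt points at a declared parameter or resource and that the CSR instance keeps SourceDestCheck off, since EC2 otherwise discards the transit traffic a router exists to forward. The template is a constructed, trimmed copy of the one on the slides; pseudo parameters such as AWS::Region are assumed absent and are not resolved.

```python
import json

# Constructed sample: the CSR template from the slides reassembled into one document
# and trimmed to what the audit inspects (slide values such as the AMI id kept as given).
CSR_TEMPLATE = json.loads("""{
  "Parameters": {
    "SubnetId": {"Type": "AWS::EC2::Subnet::Id"},
    "PrivateIpAddress": {"Type": "String"},
    "SecurityGroupId": {"Type": "AWS::EC2::SecurityGroup::Id"}
  },
  "Resources": {
    "CSRInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-4bf7842b",
        "SourceDestCheck": "FALSE",
        "NetworkInterfaces": [{
          "PrivateIpAddress": {"Ref": "PrivateIpAddress"},
          "SubnetId": {"Ref": "SubnetId"},
          "GroupSet": [{"Ref": "SecurityGroupId"}]
        }],
        "UserData": {"Fn::Base64": {"Fn::Join": ["", ["ios-config-0001=hostname chocker-csr-x"]]}}
      }
    }
  },
  "Outputs": {"PublicIP": {"Value": {"Fn::GetAtt": ["CSRInstance", "PublicIp"]}}}
}""")

def audit_csr_template(tpl: dict) -> list[str]:
    """Return findings for Ref/GetAtt targets the template never defines and for an
    EC2 instance left with SourceDestCheck on, which makes EC2 drop transit traffic."""
    resources = tpl.get("Resources", {})
    names = set(tpl.get("Parameters", {})) | set(resources)
    findings, stack = [], [tpl]
    while stack:  # iterative walk over every nested dict and list
        node = stack.pop()
        if isinstance(node, dict):
            if "Ref" in node and node["Ref"] not in names:
                findings.append(f"Ref to undefined '{node['Ref']}'")
            if "Fn::GetAtt" in node and node["Fn::GetAtt"][0] not in resources:
                findings.append(f"GetAtt on undefined resource '{node['Fn::GetAtt'][0]}'")
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    for name, res in resources.items():
        check = str(res.get("Properties", {}).get("SourceDestCheck", "true")).lower()
        if res.get("Type") == "AWS::EC2::Instance" and check != "false":
            findings.append(f"{name}: SourceDestCheck must be false on a routing instance")
    return sorted(findings)
```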

