1000v
Steven Carter, Solutions Architect
Chris Hocker, Consulting Systems Engineer
BRKARC-2023
Agenda
Demo
Control Plane
FFP Client
/ Driver
IOS
Chassis Mgr.
Forwarding Mgr.
Forwarding Mgr.
FFP code
vCPU
vMemory
Linux Container
vDisk
Memory
Disk
vNIC
CPU
NIC
Physical Hardware
BRKARC-2023
2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
2. Pick a flavor
CSR 1000V
Call Home
No TAC
entitlement
Pay AWS for basic instance-type usage AND fees for CSR usage
Example:
Technology Package
Throughput
License Type
IP Base
250 Mbps
1-Year
10 Mbps
IP Base
50 Mbps
100 Mbps
SEC
Subscription
(1-year, 3-year or perpetual)
250 Mbps
500 Mbps
AppX
1 Gbps
2.5 Gbps
SPLA
(target date Q4 CY16)
5 Gbps
AX
10 Gbps
* CSR add-on license options not shown above
IOS-XE Features
IPBase
(formerly Standard)
SEC
(formerly Advanced)
Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS
Multicast: IGMP, PIM
High Availability: HSRP, VRRP, GLBP
Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
Basic Security: ACL, AAA, RADIUS, TACACS+
Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF
IPBase Plus
Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN,
SSLVPN, GETVPN (express route/direct connect only)
IPBase Plus
AppX
AX
(formerly Premium)
ALL FEATURES
Features in red will not work in AWS due to Amazon infrastructure issues (lack of L2 support and multicast support)
CEF 1400
CEF IMIX
IPSec 1400
IPSec IMIX
PV m3.medium
PV m3.large
PV m3.xlarge
PV c3.large
PV c3.xlarge
PV c3.2xlarge
PV c3.4xlarge
35
67
76
79
73
80
70
313
696
682
534
760
1,031
1,069
108
215
297
255
281
303
306
237
454
782
514
742
1,005
1,023
97
230
250
302
313
336
346
HVM c3.large
HVM c3.xlarge
HVM c3.2xlarge
HVM c3.4xlarge
80
101
203
362
526
758
1,032
2,067
306
382
766
1,254
515
741
1,009
2,020
348
436
874
1,318
15 Mbps
10 Mbps
G1
G3
SHAPER
(50)
20 Mbps
15 Mbps
G4
G2
10Mbps (60-50)
ESP
G1->G3: 15
G2->G4: 20
G3->G2: 10
G4->G3: 15
Total: 60 Mbps
1. Can be any tech package and throughput level depending on license purchased from Cisco and installed on CSR (not all throughputs supported)
2. Includes features from the Security technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)
3. Includes features from the AX technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)
4.
5.
Microsoft Azure
CSR 1000V product page will contain pricing, support, and deployment information
Cisco
ASAv
in AWS
VLAN tagging
VPC 101
Maps to AWS
Elastic IP
Internet IP
54.x.x.x
Maps to AWS
Elastic IP
10.2.2.10
Gi2
10.2.1.10
Gi1
10.2.1.11
10.1.2.10
Gi2
10.1.1.10
Gi1
10.1.1.11
Internet IP
54.x.x.x
IGPs
HSRP/VRRP
BFD
Proxy ARP, Gratuitous ARP > LISP-VM
Mobility
10.1.1.10
NAT
10.1.1.10
54.x.x.x
10.1.1.11
10.1.1.12
172.24.2.0/24
AWS IGW
g1
172.24.2.0/25
g2
172.24.2.128/25
172.24.2.0/24
AWS IGW
g1
VPC
Router
VPC Peering:
Scalability
Continuity of Operations
Spoke-to-spoke routing
Security/Application Visibility
Spoke-to-spoke routing
On-Prem Termination
CSR 1000V
Virtual: Flexibility
ASR
1000/ISR
4400
Border
Campus
CSR 1000V
Data Center
Tenant Gateway
Tenant VLANs
Hypervisor
Hypervisor
Deployment in VMware
Deploy as OVA
Choose performance
g1
g2
Deployment in OpenStack
1) Create the Instance Flavor
nova flavor-create csr.medium auto 4096 0 2
2) Add the Image to the repository
glance image-create --name csr_image \
--disk-format qcow2 --container-format bare \
--file csr1000v-universalk9.03.12.00.S.154-2.S-std.qcow2
3) Boot the CSR
nova boot csr_instance --image csr_image \
--flavor csr.medium \
--nic net-id=<Outside Network ID> \
--nic net-id=<Inside Network ID> \
--config-drive=true \
--file iosxe_config.txt=iosxe_config.txt
corporate office/branch
Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN, FlexVPN, EZVPN, etc.
Up to 1,000 concurrent VPN tunnels per CSR, and no per-tunnel charges from Amazon.
ASR1K
CSR1K
Enterprise DC
DMVPN
ISR4K
Branch Office
ASR1K
ISR4K
Branch Office
Internet/MPLS
Corporate Office
Subnet 1
Private
Public
Application Tiers/Data
Management
Developer Access
Corporate Users
Internet
Site to Site VPN connection
(Data & management)
Internet Users
IPSec tunnel can be to/from private IP address of CSR (IGW not needed)
Up to 2 Gbps throughput
Direct Connect
Circuit
Corporate DC
Cisco
ISR/ASR
Virtual Private
Gateway (VGW)
CSR 1000V
IPSec Tunnel
US West Region
US East Region
AWS cloud
Tunnels can be deployed over Internet Gateways, VPC Peering, or Direct Connect.
Internet
App VPC
VGW
VPC
peering
Transit
VPC
VPC
peering
Direct
Connect
Corporate Network/DC
DMVPN
Specific
Internal
Routes
Tun0
G1
G2
0/0
IGW
Public
Subnet
App
Subnet
DMVPN
0/0
Tun0
G1
G2
0/0
IGW
Public
Subnet
App
Subnet
G1 internet VRF
G2, Tun0 - Global
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Feb2016/CVDIWANDesignGuide-FEB16.pdf
17.24.0.0/24
Tunnel
VPC
peering
VPC
CSR
Subnet
App
Subnet A
App
Subnet B
Before HA Failover
After HA Failover
VPC
CSR
Subnet
App
Subnet A
router eigrp 1
bfd interface Tunnel99
Tunnel1
network 172.24.0.0
App
Subnet B
passive-interface GigabitEthernet1
http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region
Subnet 1
PE
PE
MPLS
Core
PE
Direct
Connect
CSR MPLS
VPN over GRE
Subnet 2
PE
Tenant/Mission 1
Tenant/Mission 2
Multi-VRF VPCs
Option 1 Interface per Subnet
CSR Interfaces
Public
Subnet
App
Subnet A
GE2
172.24.1.0/24
GE1
VPC Routing
VPC
App
Subnet B
GE3
172.24.1.0/24
172.24.2.0/24
VPC Security
Multi-VRF VPCs
Option 2 - CSR in Public Subnet
CSR Configuration
Public
Subnet
App
Subnet A
172.24.1.0/24
App
Subnet B
VPC Routing
VPC
172.24.1.0/24
172.24.2.0/24
VPC Security
interface GigabitEthernet1
ip address dhcp
NAT
Complex NAT scenarios are possible by assigning secondary private and public addresses to CSR instances and using these as additional NAT addresses
NAT pools
1:1 NAT
Floating IP:
55.128.99.23
g1: 172.24.2.0/25
g2: 172.24.2.128/25
interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
ip access-list standard nat
 permit 172.24.2.128 0.0.1.255
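To see exactly which source addresses the `nat` access list selects for translation, the following added example (not from the original slides) expands an IOS wildcard entry into CIDR blocks and compares them with the inside subnet. Treating 172.24.2.128/25 (the g2 label) as the intended scope is an assumption, and the function names are hypothetical.

```python
import ipaddress
from itertools import product

def acl_entry_networks(base, wildcard, max_free_bits=16):
    """Expand an IOS 'permit <base> <wildcard>' entry into the CIDR blocks it matches.
    Bits set in the wildcard are "don't care"; works for non-contiguous wildcards too."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    free = [bit for bit in range(32) if (w >> bit) & 1]
    if len(free) > max_free_bits:
        raise ValueError("wildcard too broad to enumerate")
    fixed = b & ~w & 0xFFFFFFFF          # IOS normalizes the base the same way
    hosts = []
    for combo in product((0, 1), repeat=len(free)):
        value = fixed
        for bit, on in zip(free, combo):
            value |= on << bit
        hosts.append(ipaddress.IPv4Network((value, 32)))
    return list(ipaddress.collapse_addresses(hosts))

def audit_entry(base, wildcard, intended_cidr):
    """Return (matched blocks, blocks matched but outside the intended subnet)."""
    intended = ipaddress.ip_network(intended_cidr)   # assumed scope: inside subnet
    matched = acl_entry_networks(base, wildcard)
    extra = []
    for net in matched:
        if net.subnet_of(intended):
            continue
        if intended.subnet_of(net):
            extra.extend(net.address_exclude(intended))
        else:
            extra.append(net)
    return [str(n) for n in matched], [str(n) for n in sorted(extra)]

if __name__ == "__main__":
    # Entry from the slide, then a /25 wildcard (constructed) for comparison.
    for wc in ("0.0.1.255", "0.0.0.127"):
        matched, extra = audit_entry("172.24.2.128", wc, "172.24.2.128/25")
        print(wc, "matches", matched, "outside intended scope:", extra)
```

The entry as shown covers 172.24.2.0/23, so it also selects sources in the g1 subnet and in 172.24.3.0/24; a 0.0.0.127 wildcard matches only the g2 subnet.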
Other Features
Zone-Based Firewall
IP SLA
CSR Automation
AWS CloudFormation
Can be used to create VPCs or launch EC2 instances into existing VPCs
For CSR, can be used to initially launch, and then also configure via user data
stack
template
AWS
CloudFormation
Demo
Ansible
Setup
Configure
Maintain/Manage
build_aws_vpc.yml
Demo Setup
build_azure_vpc.yml
VPC
Resource Group
Host
Host
1) Create Tunnels:
ansible-playbook build_aws_vpc.yml
ansible-playbook build_azure_vpc.yml
ansible-playbook build_openstack_vpc.yml
build_dmvpn.yml
Project
build_openstack_vpc.yml
Demo Playbook
1) ec2_key
2) ec2_vpc
4) ec2_vpc_subnet
3) ec2_group
5) ec2_vpc_route_table
6) ec2
Security Group
7) ec2_vpc_subnet
8) ec2_eni
9) ec2_vpc_route_table
10) ec2
Availability Zone #1
https://github.com/chrishocker/brkarc-2023
https://github.com/stevenca/build-a-cloud
Ansible Playbooks
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIintro.html
/api/v1/global/ntp/servers
200 Ok
Content-Type: application/json
Accept: application/json
Content-Type: application/json
{
{
host-name: eng-router
}
host-name: eng-router
}
200 Ok
GET /license/UDI
Content-Type: application/json
Accept: application/json
{
link: /license/UDI,
UDI: ACRPSJAE9486R
}
IOS-XE 16.3
CSR/ISR/ASR
3650/3850
Programmable Interfaces
NETCONF
RESTconf
gRPC
Programmable
Interfaces
Open
Models
Native
Models
Open
Models
Configuration
Native
Models
Operation
Device Features
SNMP
Interface
BGP
QoS
ACL
Summary
Evaluation Licenses
By default BYOL instances boot with all features and 100 Kbps throughput.
http://www.cisco.com/go/license
Resources
https://aws.amazon.com/marketplace/seller-profile?id=e201de70-32a9-47fe-8746-09fa08dd334f
Evaluation Licenses
https://csrtestdrive.com/
https://supportforums.cisco.com/community/csr-amazon
http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS.pdf
https://www.youtube.com/user/AmazonWebServices/search?query=VPC
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/csrazure.html
https://azure.microsoft.com/en-us/marketplace/?term=Cisco
Related sessions
Thank you
Appendix
IPSec and SSLVPN access via AnyConnect for teleworkers and remote users
Easily host copies of your apps in regions close to your remote users
A self-signed certificate is generated by default when the CSR is launched.
Can generate a new self-signed certificate or provision a certificate from an Enterprise CA
subject-name cn=csr-aws-sslvpn
revocation-check none
rsakeypair sslvpn-key
!
crypto pki enroll sslvpn-self-signed
virtual private
cloud
AWS cloud
aaa new-model
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network sslvpn local
!
username chocker privilege 15 secret 5 $1$VHFK$5jHUYC/Sy.0yCaexJs6xo1
!
virtual private
cloud
AWS cloud
protection rsa-aes128-sha1
netmask 255.255.255.0
pool pool1
!
Outside
Inside
g2
g1
Tunnel
Outside
Inside
g2
g1
Tunnel
interface Tunnel0
zone-member security tunnel
interface GigabitEthernet1
zone-member security outside
interface GigabitEthernet2
Uses Netflow
NetFlow
StealthWatch
FlowCollector
https
StealthWatch
Management
Console
IP SLA
ip sla 1
ip sla 2
ip sla responder
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "CSR CF Template",
"Parameters": {
"SubnetId" : { "Type": "AWS::EC2::Subnet::Id" },
"PrivateIpAddress" : { "Type": "String" },
"VpcId" : { "Type" : "AWS::EC2::VPC::Id" },
"SecurityGroupId" : { "Type" : "AWS::EC2::SecurityGroup::Id" }
},
"CSRInstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"DisableApiTermination" : "FALSE",
"ImageId" : "ami-4bf7842b",
"InstanceType" : "m3.medium",
"KeyName" : "chockerva-fedcsn",
"Monitoring" : "false",
"SourceDestCheck": "FALSE",
"IamInstanceProfile": "ReplaceRouteRole",
}
],
"Tags" : [
{ "Key" : "Name", "Value" : "chocker-csr-x" },
}
}
}
}
},