cisco csr1000v

#CLUS
Fan Yang, Technical Marketing Engineer
Elisa Caredio, Product Manager
BRKARC-2749
Extending Enterprise
Network into Public
Cloud with Cisco
CSR1000v

Agenda
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
#CLUS BRKARC-2749 3
• State of Public Cloud
• AWS/Azure/GCP Networking and
Challenges
• CSR1000V Introduction
• Cisco solutions for AWS/Azure/GCP
• Demo
• Advanced Deployment
• Best Practices
• Summary

#CLUS
Your Speaker
Elisa Caredio
Product Manager
Fan Yang
Technical Marketing Engineer
6 years in Cisco
Youtube Channel: http://cs.co/csr1000v
18 years Cisco veteran. Expertise includes
routing, Firewall and Threat Defense.
Twitter handle: @e_caredio
BRKARC-2749 4

#CLUS
Related Sessions you can’t miss!
Session ID Session Name
Breakout Sessions
BRKARC-2023 Building Hybrid Clouds in Amazon Web Services with the CSR 1000v
BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure)
CCSCLD-2003 Automated VPC Connection Using a Transitive Hub in AWS
TECSEC-2070 Extending Enterprise Grade Security to Public Cloud
BRKCLD-3440 Multicloud Networking – Design & Deployment
DEVNET-2076 Continuous Integration and Testing for Networks with Ansible
Lab Sessions
LTRDCN-2100 Cloud networking solutions with Cisco Cloud Services Router (CSR 1000V) on AWS
and Azure
LTRCLD-2230 Enabling a Hybrid Multicloud World
BRKARC-2749 5

#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
Find this session in the Cisco Events App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
Webex Teams will be moderated
by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKARC-2749
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
1
2
3
4
BRKARC-2749 6

It’s a multicloud world
Source: IDC CloudView, April, 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
Evaluating or using
public cloud
85%
Taken steps towards a
hybrid cloud strategy
87%
Plan to use
multiple clouds
94%
Among cloud users

#CLUS
Organizations leverage almost 5 clouds on
average
BRKARC-2749 8

#CLUS
AWS Leads but Azure grows faster
BRKARC-2749 9

#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Gartner predicts IaaS spending
in public cloud will reach
$45.8 billion in 2018
Source: https://www.gartner.com/newsroom/id/3815165
BRKARC-2749 10

#CLUS
Public cloud has great benefits
Customers
Employees
Partners
Data Center
Applications
Or
Workload
Public
Cloud
Scalability
Scale-up and scale-down
Application agility
High availability
Regions and Availability zones
Cost effectiveness
Pay-as-you-go, per minute and per second billing options
Applications or Workload
BRKARC-2749 11

Would you let Cisco
design your
Email Exchange, or Database?
Aurora
BRKARC-2749 12

Let Cisco design
high performance, scalable, and
secure multi-cloud network
Cisco is the No.1 Networking company
BRKARC-2749 13

#CLUS
Multicloud requirements
Multicloud Software
Helping customers connect, protect, and consume cloud
Multi Cloud
Networking
Management
Analytics
Security
BRKARC-2749 14

#CLUS
Cisco Multicloud Portfolio — Offers
Cloud
Consume
Cloud
Protect
Cloud
Connect
Cloud
Advisory
Multicloud
Portfolio
Advisory Services
• Cloud Migration
• Cloud Connect
• Cloud Protect
• Cloud Consume
(Delivered by AS/Cisco Partners)
• CloudCenter
• AppDynamics
Cloud
Consume
Cloud
Advisory
• CSR 1000v
• vEdge with Umbrella
• Umbrella
• AMP for Endpoints
• Meraki Systems
Manager
• Cloudlock
• Tetration Cloud
Cloud
Connect
Cloud
Protect
BRKARC-2749 15

#CLUS
Cloud Connectivity Challenges
On-Prem Datacenters
Remote Branches
Public Cloud
• Complexity & Dependency – Need a
simple and scalable way to securely
extend the private network across
Multicloud environments
• Inconsistent security policies between
private & public- Need to apply
consistent security policies
• Performance and ambiguity for best
path to reach the cloud – Need
enhance application experience Applications
Users
Cloud
Connect
BRKARC-2749 16

#CLUS
Interconnect Multiple Clouds
DC
DR-DC
Cloud
Connect
BRKARC-2749 17

Let’s Take Data Center For Example
BRKARC-2749 18

#CLUS
Data Center “Fabric” Journey to Cloud?
Public Cloud
(IAAS)
????
DR-DC
DEV PRO TEST AI/ML HR LB
FW
IPS
Leaf
Spine
BRKARC-2749 19

#CLUS
“Scalable” Cloud Fabric
DEV PRO TEST AI/ML HR
LB
FW
IPS
us-west-1
us-east-1
Europe
DC
DR-DC
….
Asia
Multi Clouds
Cloud Fabric
Leaf
scale out
Spine
BRKARC-2749 20

#CLUS
Term Used
• CSP (Cloud Service Provider)
• VPC (Virtual Private Cloud)
• CIDR (Classless Inter-Domain
Routing)
• IGW (Internet Gateway)
• VGW (Virtual Private Gateway)
• DX (AWS Direct Connect)
• ER (Azure Express Route)
• IC (GCP Inter Connect)
• DMVPN (Dynamic Multipoint VPN)
• MTU (Maximum Transmission Unit)
BRKARC-2749 21

#CLUS
Presentation Decode
22
BRKARC-2749
Reference Slides for detailed information. Most of them
are hidden in my presentation
Information, architectures applied to Amazon AWS
Information, architectures applied to Microsoft Azure
Information, architectures applied to Google Cloud Platform
Features, solutions available in future (July 2018).

AWS introduction and
network challenges

#CLUS
Region and Availability Zone Concepts
• VM (Virtual Machines) is hosted in multiple data centers across the world. A region is
a separate geographic area
• VM instances have to be launched into a specific region. Locating instances close to
end users can reduce latency
• Region is consisted by multiple AZs (Availability Zone). Each AZ is isolated, but AZs
in a region are connected through low latency and high bandwidth links.
BRKARC-2749 24

#CLUS
Virtual Private Cloud (VPC) Concepts
• VPC is isolated from other’s environment.
• VPCs’ IP ranges (RFC 1918) can overlap.
• IGW (Internet Gateway) provides external
access.
• Granular subnets can be created in VPC.
• Route Table can be associated to subnets
• UDR (User Defined Route) can be added to
route table
• Security Options:
• - Network ACLs protect subnets
• - Security Groups protect instances
• EIP to EIP communication is going through
Cloud Provider’s backbone
Route Table
Internet
Gateway
VPC James Bond
CIDR 10.2.0.0/16
Subnet A
10.2.1.0/24
Subnet B
10.2.2.0/24
WebApp1
Instance
IP: 10.2.1.25
Elastic IP Mappings
54.32.54.32 – 10.2.1.25
Internet
• More specific VPC CIDR
routes can’t be added
Subnet Next Hop
10.2.0.0/16 local
0.0.0.0/0 IGW
10.2.2.0/24
(not allowed)
XXX
BRKARC-2749 25

#CLUS
AWS VPC Networking Limitations
• No Link local multicast or broadcast
• Affected Services Include:
• IGPs
• HSRP/VRRP
• BFD
• Proxy ARP, Gratuitous ARP > LISP-VM Mobility
• GRE as work-around for some services, some cloud
10.2.1.12
10.2.1.11
10.2.1.10
BRKARC-2749 26

#CLUS
MTU Considerations
• Jumbo frames (up to 9000 bytes) are allowed within single VPC.
• Traffic going out of a VPC or VPC peering connection has MAX 1500 MTU.
• CSR supports jumbo frames by putting “mtu <1500-9216>” under
interface configuration. However, when CSR sends traffic out of a VPC,
packets will be fragmented if it’s over 1500 bytes.
• Supported instance types:
• General purpose: M3, M4, M5, T2
• Compute optimized: C3, C4, C5, C5 with instance storage, CC2
• Accelerated computing: F1, G2, G3, P2, P3
• Memory optimized: CR1, R3, R4, X1
• Storage optimized: D2, H1, HS1, I2, I3
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#jumbo_frame_instances
BRKARC-2749 27

#CLUS
VGW (Virtual Private Gateway)
• VGW is an easy to use VPN service provided by AWS.
• IPSEC VPN with pre-shared key, IKEv1 only. IPSEC responder
only, not initiator.
• Static route. BGP routing is preferred (honor as-path prepend)
• 1.25 Gbps IPSEC throughput
• Two end-points/tunnels for high availability
• CGW (Customer Gateway) is needed to establish a IPSEC VPN.
• Route propagation enabled per route table
• VGW is also used in DX (Direct Connect)
• BGP routing
• No encryption
• Up to 10Gbps
BRKARC-2749 28

#CLUS
Internet
VGW Limitations
• No ECMP (BGP multipath), active/standby tunnels
• Maximum 100 BGP learned routes
• No overlapping CIDR blocks.
• IPSEC VPN can’t be established between two VGWs
• No visibility and hard to trouble shoot
• No BFD support, convergence time relies on BGP timer
Corporate
DC
10.1.0.0
192.168.0.0
10.0.0.0
Development Account
us-west-1
us-east-1
192.168.0.0
>100 routes
BRKARC-2749 29

#CLUS
VPC Peering
• High Bandwidth VPC to VPC Interconnection
• Share Private IP CIDR blocks between the VPCs
• Peering can be created within same accounts or different accounts
• Peering connection can be across regions
• MTU 1500 Bytes
Peering
us-west
Dev QA
us-east
BRKARC-2749 30

#CLUS
VPC Peering Limitations
• No overlapping CIDR blocks
• No transitive peering
• Services can’t be extended through peering
• 50 peering connections per VPC
Peering
Dev QA Pro
Peering
10.2.0.0
HR
10.2.0.0
Internet
ISR/ASR
Corporate DC
Ref: https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-
basics.html#vpc-peering-limitations BRKARC-2749 31

#CLUS
Direct Connect Overview
• Dedicated connection between the enterprise and
AWS, low latency.
• Provides (1) private peering to VPCs and (2) public
peering to AWS public services
• Sub-interface on corporate DC router for each service
• BGP peering for route exchange for each service
• 1G and 10G dedicated connections; sub-1G
connections available via partners
• Multiple accounts can share a connection
• Multiple connections for redundancy.
• BFD for fast failure detection and failover
• No Native Encryption
• Data-in is free, data-out is cheaper (compared to
Internet) https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
BRKARC-2749 32

#CLUS
Direct Connect Topologies (1/2)
Virtual Private Cloud
VGW
ISR/ASR
Direct Connect
Corporate DC
Direct from Enterprise
L2 Circuit
VGW
Direct Connect
SP Router
SP Managed Service
L3 VPN to Multiple-
Clouds
ATT Netbond, Verizon
SCI
ISR/ASR
Corporate DC
Partner /
Carrier
Network
Customer managed SP managed AWS managed
Customer managed SP managed AWS managed
BRKARC-2749 33

#CLUS
Direct Connect Topologies (2/2)
Co-Lo Cloud Exchange
(connects to multiple
IaaS/SaaS)
VGW
ISR/ASR
Direct Connect
Corporate DC
Co-Lo
ISR/ASR
VGW
ISR/ASR
Direct Connect
Corporate DC
Co-Lo
ISR/ASR
Direct from Co-Lo
Cloud
Exchange
Customer managed
SP
managed AWS managed
Customer
managed
Colo
managed
Customer managed
SP
managed AWS managed
Customer
managed
Colo
managed
BRKARC-2749 34

#CLUS
Direct Connect – Public VIF
• Access AWS public-facing services, such as S3, Glacier, EC2 (EIP)
• BGP routing between customer/partner router and AWS DX router
• AWS advertise all its public prefixes. IP ranges can be found at https://ip-
ranges.amazonaws.com/ip-ranges.json
• No “VGW” or “DX GW” required. No network level encryption.
ISR/ASR
Direct Connect
Corporate DC
Co-location
Partner /
Carrier
Network
Glacier
S3
BGP
Customer managed SP managed Customer AWS managed
Co-lo
DX router
customer router
BRKARC-2749 35

#CLUS
Direct Connect – Private VIF
• Access your VPC resources through private IP address
• BGP routing between customer/partner router and AWS DX router
• AWS advertise VPC’s CIDR if it’s actively linked
• Need to use VGW or DX GW (depends on use cases)
• No network level encryption
ISR/ASR
Direct Connect
Corporate DC
Co-location
Partner /
Carrier
Network BGP
Customer managed SP managed Customer
customer managed
Co-lo
DX router
customer router
DX GW
VGW
BRKARC-2749 36

#CLUS
DX GW Limitations (Private VIF)
• No transitive routing natively Push code from dev to prod
• No network level encryption Compliance
• No overlapping CIDR blocks Acquire a new company
• Doesn’t support across accounts Separate billing
• No routing control Enterprise segmentation
Direct Connect
Corporate
DC
Co-location
Partner /
Carrier
Network BGP
DX router
customer router
DX GW
VGW
10.1.0.0
10.2.0.0
10.0.0.0
10.2.0.0
10.3.0.0
Production Account
Development Account
us-west-1
us-east-1
https://docs.aws.amazon.com/directconnect/lat
est/UserGuide/direct-connect-gateways.html BRKARC-2749 37

#CLUS
Direct Connect and VPN Backup
ISR/ASR
Direct Connect
Corporate DC
Co-location
Partner /
Carrier
Network
DX router
customer router DX GW
Internet
Subnet Next Hop
0.0.0.0/0 IGW
192.168.0.0/16 VGW(DX)
192.168.0.0
• Route selection priority : static > DX > VPN
• DX is always preferred regardless of AS path prepending
• Automatically failover to one level down if failure happens.
• Complex to add granular control for APP path selection
BRKARC-2749 38

Azure Introduction and
network challenges

#CLUS
Azure Basic Concepts
Virtual Network
CIDR 10.2.0.0/16
Subnet A
10.2.1.0/24
Subnet B
10.2.2.0/24
• Azure system route table routes within
the VNet
• All VNet subnets ALWAYS have a
route to all other VNet subnets!
Virtual Network (VNet)
• A VNet logically isolates a network’s own IP range,
routes, security policies, etc.
• Each subnet created is automatically assigned a route
table that contains system routes:
Local VNet Rule, On-prem rule and Internet Rule
• System routes can be overwritten by User Defined
Routes
• Public IP NAT or Overload NAT for outbound traffic (No
true public IPs)
• No L2 Broadcast/Multicast capability either.
• GRE packet is blocked within Azure.
BRKARC-2749 40

#CLUS
NAT in Azure
• No Internet GW concept at Azure. System route
(0.0.0.0/0 -> Internet) is automatically added to VM
• Azure infrastructure takes on the role of the router,
allowing access from your VNet to the public Internet
without the need of any configuration
• VM doesn’t see public IP address, only sees its private IP
address
• Will break services that do not work over NAT, such as
GET-VPN (work over Express Route)
• Azure will translate 1 to 1 NAT for you
• Public IP for CSR becomes tunnel endpoint for VPN, etc
• Tunnel source will be a private address
10.1.1.12
10.1.1.11
10.1.1.10
NAT
54.12.34.56 - 10.1.1.12
WebApp1 Instance
IP: 10.1.1.12
BRKARC-2749 41

#CLUS
b
Region
Region
Region 2
Geography—Data Residencyboundary
Region 1
Achieve full resiliency with
Data Residency
Availability Zones and a paired region
within the same data residency
boundary provides high availability,
disaster recovery, and backup.
Protect against entire
datacenter loss
Each zone is physically separated with
independent power, network, and cooling
and logically separated through zone-
isolated services.
Run mission-critical apps
with 99.99% SLA at GA
High Availability supported with
industry best SLA when VMs are
running in two or more Availability
Zones in the same region.
Zone1 Zone3
Zone2 Zone1 Zone3
Zone 2
AZ (Availability Zones)
Deploy CSRs in different Availability Zones, only during instance creation
BRKARC-2749 42

#CLUS
Availability Set (Within same AZ)
Azure Fault Domains
Microsoft periodically updates the underlying Azure fabric that’s
used to host VMs to patch security vulnerabilities and improve
reliability and performance. These updates, which Microsoft refers
to as planned maintenance events, are often performed without
any impact to guest VMs. Sometimes, however, guest VMs must
be rebooted to complete an update. To reduce the impact on
guest VMs, the Azure fabric is divided into Update Domains to
ensure that not all guest VMs are rebooted at the same time.
Update Domains
Unplanned maintenance events are those which involve a
hardware or physical failure in the fabric, such as a disk, power,
or network card outage. Azure automaticallyfails over guest VMs
to a working physical host in a different Fault Domain when an
error condition is detected, again aimed at ensuring availability.
Availability set overview
An Availability Set is a logical grouping capability that you can use
in Azure to ensure that the VM resources you place within it are
isolated from each other when they are deployed within an Azure
datacenter. It ensures your VMs are deployed across multiple
Fault Domains and Update Domains
If one AZ has multiple CSRs, deploy CSRs in same Availability
Set, across different FDs and UDs, only during instance creation
BRKARC-2749 43

Most Comprehensive Resiliency and Best SLA
SINGLE VM
Protection with
Premium Storage
VM SLA
99.9%
AVAILABILITY SETS
Protection against failures
within datacenters
AVAILABILITY ZONES
Protection from entire
datacenter failures
REGION PAIRS
Protection from disaster with
Data Residency compliance
VM SLA
99.95%
VM SLA
99.99% at GA
REGIONS
42
Region 1 Region 2
INDUSTRY-ONLY INDUSTRY-LEADING
HIGH AVAILABILITY SLA
INDUSTRY-LEADING
DISASTER RECOVERY

#CLUS
Azure VGW (VPN Gateway)
• VGW supports IKEv1 & IKEv2 (PSK only)
• VGW supports S2S & P2S IPSec
• S2S includes: VNET-OnPrem & VNET-
VNET
• P2S is Remote-Access & includes:
• SSTP (MSFT Proprietary) & IKEv2 RA
• VPN types
• Policy Based (Static Route)
• Route Based (BGP)
• Active-Active & Active-Passive Tunnel
• Need a dedicated gateway subnet
• Up to 1.25Gbps IPSEC with top-end SKU
• Limited by Scales
• Lacks Advanced VPN Overlays – Dynamic
full/partial mesh
• Lacks Overlay Routing sophistication
SKU Workload Throughput
*
S2S/V2V P2S SLA
VpnGw1 Production 650 Mbps Max. 10 128 99.95%
VpnGw2 Production 1 Gbps Max. 30 128 99.95%
VpnGw3 Production 1.25 Gbps Max. 30 128 99.95%
Basic Dev/Test 100 Mbps Max. 10 128 99.9%
A
A B
Ref: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
BRKARC-2749 45

#CLUS
• Supports intra & inter region peering
• Low Latency Microsoft Backbone: no
encryption
• Direct VM-to-VM connectivity across
regions
• No Overlapping CIDR
• Scenarios:
• Data replication
• Database failover
Azure VNET Peering
A B
A B C
No Transitive Peering
 A is peered with B
 B is peered with C
 A cannot talk to C through B
 Needs Full-mesh peering's as VNETs
increase
 VNET peering limits apply
BRKARC-2749 46

#CLUS
Microsoft ExpressRoute (ER)
ExpressRoute Circuit
Azure Public Peering for Azure public IPs
Azure Private Peering for Virtual Networks
Microsoft Peering for Office 365 and Dynamics 365
Customer’s
Network
Primary Connection
Secondary Connection
Microsof
t Edge
Partner
Edge
• Unified connectivity to Microsoft Cloud Services
• Predictable performance
• Enterprise-grade resiliency and with SLA for availability
• Large and growing ExpressRoute partner ecosystem
BRKARC-2749 47

GCP Introduction and
network challenges

#CLUS
Google Cloud VPCs are global; subnets are regional
James’ VPC
us-east-1
us-west-1
Subnet1
10.0.0.0/24
Subnet2
10.0.1.0/24
us-east-1a us-east-1b
us-west-1a us-west-1b
Subnet Next Hop
10.0.0.0/24 Virtual network
0.0.0.0/0 Default Internet
GW
Internet
BRKARC-2749 49

#CLUS
GCP VPC Network Limitations
• A VM can only have one interface in a single VPC, it doesn’t support
multiple interfaces in same VPC. (One armed deployment for a VPC)
• GRE is blocked in 1)between VMs within a VPC, 2)VM talking to resources
out of a VPC.
• No L2 multicast and broadcast.
• VM egress throughput is capped at 2Gbps per vCPU, for example 4vCPU
gives 8Gbps throughput at maximum.
• Max MTU of 1460 bytes is supported within single VPC, jumbo frames
(more than 1460) are not supported.
https://cloud.google.com/compute/docs/troubleshooting/general-tips
BRKARC-2749 50

#CLUS
GCP VPN Gateway
• S2S VPN, IKEv1 and IKEv2,
PSK only
• Static route and BGP
• ESP Tunnel mode only, not
transport mode
• 1.7Gbps throughput
ref: https://cloud.google.com/vpn/docs/concepts/overview
BRKARC-2749 51

#CLUS
Transitive Routing • No • No • No
VGW
Transitive • No • No • No
Performance • 1.25G • 1.25 • 1.7G
Tunnels • 10 • 30 • 128 (across multiple routers)
Scale
(BGP advertised
routes per route
table)
• 100 • 400 • 200 (100 regional, 100
global)
HA • Yes • Yes • Yes
Visibility • VPC flowlog • NSG flowlog • VPC flowlog
Overlap IP address • No • No • No
Routing and VPN • S2S
• IPSEC (IKEv1)
• Static, BGP
• S2S, P2S
• IPSEC (IKEv1, v2)
• Static, BGP
• S2S
• Static, BGP
Routing Control • No • No • No
Policy • SG • SG • SG
CLI Access • No • No • No
Orchestration • AWS Dashboard • Azure Dashboard • GCP Dashboard
Programmability • Restful, SDK • Restful, SDK • Restful, SDK
Comparison
BRKARC-2749 52

#CLUS
Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a Virtual Appliance Form-Factor
Enterprise-classNetworkingwith Rapid
Deploymentand Flexibility
Server
Hypervisor
VirtualSwitch
OS
App
OS
App
CSR 1000V
Software
• Familiar IOS XE software with ASR1000 and ISR4000
Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen,
Microsoft Hyper-V, Cisco NFVIS and CSP2100
• Supported Cloud Platforms: Amazon AWS, Microsoft Azure,
Google Cloud Platform
Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1vCPU to 8vCPU
License Options
• Term based 1 year, 3 year or 5 year
Programmability
• NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet
BRKARC-2749 53

#CLUS
CSR availability on multiple clouds
• AWS Commercial
• AWS GovCloud
• AWS C2S
• AWS China
• Azure Commercial
• Azure GovCloud
• Azure China
• Google Commercial
Under consideration
BRKARC-2749 54

#CLUS
private cloud GCP
BYOL (Bring Your Own License): features as licensed, IP-Base, SEC, APPX or AX BYOL in July CY18
performance gated by license performance gated by smaller of license or instance size
PAYG (Pay As Yo Go): choice of AX or SEC
performance gated by instance size only
Roadmap
CSR licensing options on multiple clouds
IP-Base
• Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-L, QoS, BFD
• Multicast: IGMP, PIM
• High Availability: HSRP, VRRP, GLBP
• Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
• Basic Security: ACL, AAA, RADIUS, TACACS+, SGT/TrustSec, VASI
• Management: CLI, SSH, NetFlow, SNMP, EEM, NETCONF
APPX,
Base plus:
• Advanced Networking: L2TPv3, MPLS, L3 VXLAN
• Unified Communications: CUBE-ENT
• App Experience: WCCP, AppNav, NBAR2, IPSLA
• Hybrid Cloud Connectivity: LISP, OTV, VPLS,
EoMPLS
• Subscriber Management: PTA, LNS, ISG
SEC,
Base plus:
• Adv Security: ZBF, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN
• High Availability: Box-to-box HA for FW and NAT
AX all features
Feature in Blue will not work in AWS/Azure – limitation of public cloud infrastructure(lack of L2 support, Multicast not support)
BRKARC-2749 55

#CLUS
1. Cloud Services Router 1000V BYOL
• BYOL
2. Cisco Cloud Services Router (CSR) 1000v -
Transit Network VPC – BYOL
• BYOL, Transit VPC Cloud Formation Template
3. Cloud Services Router 1000V Security Tech
Package
• PAYG
4. Cloud Services Router 1000V AX Tech
Package
• PAYG
Note on “Maximum Performance”
• CSR1K image for HVM instance types
What are the different CSR 1000V types listed?
56
BRKARC-2749
1. Cisco CSR 1000v - XE 16.x with 2 NICs
• BYOL version
• BYOL version
• BYOL version
1. Cloud Services Router 1000V BYOL
• BYOL version
Launcher

#CLUS
Network Driver Matters!
Compute Host
User space
Virtual
Machine
QEMU FE
Compute Host
Kernel space
eth1
OVS / LB
Kernel Drivers
Tap Device
virtqueue
QEMU Driver
Kernel Driver
Compute Host
User space
Virtual
Machine
QEMU FE
Compute Host
Kernel space
eth1
virtqueue
Kernel Driver
Compute Host
User space
Virtual
Machine
Compute Host
Kernel space
eth1
Kernel Driver
User-space
switch
Kernel space
vswitch
User space
DPDK
SRIOV
AWS Enhanced Networking
Azure Accelerated Networking
performance
BRKARC-2749 57

#CLUS
Cisco CSR 1000V Performance on Public Clouds
Size CEF(Mbps) IPSEC(Mbps)
T2.medium 450 200
M3.Medium 300 250
C4.large 650 650
C4.xlarge 850 850
C3.2xlarge 1300 1000
C4.2xlarge 2300 2300
C4.4xlarge 4600 4200
C4.8xlarge 6200 4500
Size CEF IPSEC
D2_v2 1200 900
DS2_v2 1200 1100
D3_v2 1250 1000
DS3_v2 1250 1100
D4_v2 1200 1100
DS4_v2 1250 1100
IOS-XE 16.8.1 release, large packet, with Intel Meltdown and Spectre fix.
Size CEF IPSEC
N1-standard-1 1850 1100
N1-standard-2 3700 1250
N1-standard-4 7450 2000
N1-standard-8 7850 3800
Enhanced Networking
• Performance improvement in progress
• 2x~4x performance with AN (Accelerated
Networking) in future
• 2x performance with non-AN to similar
performance before Intel Meltdown and
Spectre fix
BRKARC-2749 58

#CLUS
CSR Scale (across all public and private clouds)
Feature Scale
IPSEC tunnels 1000
VRF 4000
NAT 512,000
BGP routes 400,000
BFD 500
IPSLA 10,000
ACE (ACL Entries) 65,000
IOS-XE 16.8.1
BRKARC-2749 59

#CLUS
Transitive Routing • Yes • No • No • No
VGW
Transitive • Yes • No • No • No
Performance • 5G • 1.25G • 1.25 • 1.7G
Tunnels • 1,000 • 10 • 30 • 128 (across multiple routers)
Scale
(BGP advertised
routes pe route table)
• 400,000 • 100 • 400 • 200 (100 regional, 100
global)
HA • Yes • Yes • Yes • Yes
Visibility • AVC, NBAR, Netflow • VPC flowlog • NSG flowlog • VPC flowlog
Overlap IP address • Yes • No • No • No
Routing and VPN • IPSEC (IKEv1, v2), DMVPN,
FlexVPN, GetVPN, SSL VPN,
MPLS
• BGP, EIGRP, OSPF, ISIS
• S2S
• IPSEC (IKEv1)
• Static, BGP
• S2S, P2S
• Static, BGP
• S2S
• Static, BGP
Routing Control • Yes • No • No • No
Policy • VRF, QoS, TrustSec, ACL • SG • SG • SG
CLI Access • Yes • No • No • No
Orchestration • AWS Cloud Formation, Azure
Resource Template
• AWS Dashboard • Azure Dashboard • GCP Dashboard
Programmability • Netconf, Restconf • Restful, SDK • Restful, SDK • Restful, SDK
Enterprise
Grade
Simple
VPC Conn
Simple
VPC Conn
Simple
VPC Conn
Comparison

#CLUS
Two deployment models
VPC
Application VPC Gateway
• CSR deployed in application VPC
• Provide IPSEC gateway for entire VPC
• Need high availability
Transit Hub Router
• CSR deployed in dedicated Transit Hub,
not in application VPC
• High speed traffic routing for spoke VPC
• High availability is built-in natively
Transit Hub
AZ1 AZ2
Application VPC
VPC
BRKARC-2749 62

#CLUS
CSR 1000V Routing High Availability on Cloud
• No virtual IP as with HSRP, since
Cloud Provider doesn’t allow
multicast or broadcast.
• BFD over GRE tunnel is enabled
between two CSRs to detect failure
• Failure detection is automatic.
• Route Tables for app subnets are
re-pointed to surviving CSR.
• CSR itself calls Cloud Provider’s
REST API to shift Route Table
routes.
CSR Subnet1
App Subnet A
App Subnet B
Before HA Failover / After HA Failover
Cloud REST API
BFD
VPC
IGW
CSR1
CSR2
CSR Subnet2
BRKARC-2749 63

#CLUS
G1
G1
G2
G2
30.0.0.0/24
30.0.1.0/24
30.0.3.0/24
Public-1
Public-2
Private-2
AZ1
AZ2
CSR1
Public route table
30.0.0.0/16 local
0.0.0.0/0 CSR1
Public route table
30.0.0.0/16 local
0.0.0.0/0 CSR2
BFD
CSR2
Security (No IGW)!!
AWS REST
(EC2) API
Amazon VPC
Peering
IPSec Tunnel
Public route table
10.0.0.0/16 local
0.0.0.0/0 IGW
x.x.x.x Peering
x.x.x.x DX
Direct Connect
30.0.2.0/24
Private-1
BRKARC-2749 64

#CLUS
G1
G1
G2
G2
30.0.0.0/24
30.0.1.0/24
30.0.2.0/24
30.0.3.0/24
Public-1
Public-2
Private-2
AZ1
AZ2
CSR1
Public route table
10.0.0.0/16 local
0.0.0.0/0 CSR1
Public route table
10.0.0.0/16 local
0.0.0.0/0 CSR2
BFD
CSR2
HA using Private Link
(No changes on CSR!)
AWS REST
(EC2) API
Amazon VPC
Peering
Public route table
10.0.0.0/16 local
0.0.0.0/0 IGW
x.x.x.x Peering
x.x.x.x DX
Direct Connect
Endpoint
Network
Interface
Enable Private DNS
Private-1
Deployment Video
https://www.youtube.com/watch?v=mO64AVRhniY&t=1595s
BRKARC-2749 65

#CLUS
event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-d679128f
event manager environment RTB rtb-631bda06
event manager environment REGION us-west-2/172.24.0.2
event manager applet replace-route
event syslog pattern "(Tunnel99) is down: BFD peer down notified"
action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2 "$CIDR"
arg3 "$ENI" arg4 "$REGION"
CSR Cloud HA Configuration (prior to 16.3.1a)
Configure EEM
• AWS Only
• Can have multiple “action” commands to implement multiple route
changes or change multiple route tables
• Can also adjust EEM to perform additional behaviors like preemption
BRKARC-2749 66

#CLUS
Example
redundancy
cloud provider aws 1
bfd peer 172.24.99.2
route-table rtb-631bda06
cidr ip 0.0.0.0/0
eni eni-d679128f
region us-west-2
CSR Cloud HA Configuration (after to 16.3.1a)
Configure using cloud HA CLI
Reference
redundancy
cloud provider [ aws | azure ] <node-id>
bfd peer <ipaddr>
route-table <table-id>
cidr ip <ipaddr>/<mask>
eni <elastic-network-interface>
region <region-name>
• AWS: Use multiple nodes to support multiple route tables
BRKARC-2749 67

#CLUS
Traffic Flow During Failover
BFD
CSR-A
CSR-B
Internet
BFD
CSR-A
CSR-B
Internet
BFD
CSR-A
CSR-B
Internet
Cloud REST API
BFD
CSR-A
CSR-B
Internet
*Asymmetric routing may exist
VPC
VPC
VPC
VPC
IGW
BRKARC-2749 68

#CLUS
Internet
VGW Limitations
• No ECMP (BGP multipath), active/standby tunnels
• Maximum 100 BGP learned routes
• No overlapping CIDR blocks.
• IPSEC VPN can’t be established between two VGWs
• No visibility and hard to trouble shoot
Corporate
DC
10.1.0.0
192.168.0.0
10.0.0.0
Development Account
us-west-1
us-east-1
192.168.0.0
>100 routes
BRKARC-2749 69

#CLUS
Work with CSR1000V
Internet
PresentationID
• ECMP (BGP multipath), all tunnels are active
• Maximum 400,000 BGP learned routes
• CSR NAT to support overlapping CIDR blocks.
• Direct IPSEC encryption between two VPCs
• Application visibility and control
• IOS-XE CLI access
Corporate
DC
10.1.0.0
10.2.0.0
10.0.0.0
Development Account
us-west-1
us-east-1
10.2.0.0
400,000 routes
BRKARC-2749 70

#CLUS
DX GW Limitations (Private VIF)
• No transitive routing natively Push code from dev to prod
• No network level encryption Compliance
• No overlapping CIDR blocks Acquire a new company
• Doesn’t support across accounts Separate billing
• No routing control Enterprise segmentation
Direct Connect
Corporate
DC
Co-location
Partner /
Carrier
Network BGP
DX router
customer router
DX GW
VGW
10.1.0.0
10.2.0.0
10.0.0.0
10.2.0.0
10.3.0.0
Production Account
Development Account
us-west-1
us-east-1
BRKARC-2749 71

#CLUS
• CSR provides transitive routing -> Push code from dev to prod
• End to End IPSEC tunnel (Customer managed Key) -> Compliance
• CSR NAT overlapping CIDR blocks -> Acquire a new company
• Native multi-accounts support -> Separate billing
• BGP route-map, VRF -> Enterprise segmentation
Work with Cisco CSR1000V
Direct Connect
Co-location
BGP
DX router
customer router
DX GW
VGW
10.1.0.0
10.2.0.0
10.0.0.0
10.2.0.0
10.3.0.0
Production Account
Development Account
us-west-1
us-east-1
Partner /
Carrier
Network
AZ1
AZ2
CSR1
CSR2
IPSEC Tunnel
BRKARC-2749 72

#CLUS
VPC Peering Limitations
• No overlapping CIDR blocks
• No transitive peering
• Services can’t be extended through peering
Peering
Dev QA Pro
Peering
10.2.0.0
HR
10.2.0.0
Internet
ISR/ASR
Corporate DC
BRKARC-2749 73

#CLUS
Transit VPC Design
• Dedicated VPC: Simplifies routing by not
combining with other shared services.
• CSR1000v Virtual Network Appliances:
Provide dynamic routing and VPN network
tunnels
• Redundancy: Dynamic routing combined
with multi-AZ deployment creates a robust
network infrastructure.
• VGW: VPC virtual gateways provide highly
available connections to transit VPC virtual
network appliances.
• Security services: Easily layer Firewall, IPS,
URL Filtering and Cisco ETA (Encrypted
Traffic Analysis)
B
A C
…...
Direct Connect
Or Internet
Private DC
Transit VPC
Spoke VPC
Other
Provider
Networks
CSR1 CSR2
AZ1 AZ2
Across regions, accounts/subscriptions
ASR
VPC
VPC
VPC
VPC
BRKARC-2749 74

#CLUS
What’s inside of Transit VPC. I mean VPC..
Transit VPC
CSR1
Availability Zone
Subnet1
CSR2
Availability Zone
Subnet2
IGW
VPC Router
Attached VGW
Direct Connect
• Two subnets in different AZs
• A route table associated with two subnets
• An IGW is attached to this VPC and a default
route pointing to IGW exists in the route table.
• CSR only has one interface (Gi1) with default
route pointing to AWS VPC Router (first IP of
that subnet)
• Direct connect if you have
• Attached VGW: it advertises on-prem routes to VPC
router. CSR->VPC Router->VGW->DC
• Detached VGW: it established IPSEC to CSR
through EIP. CSR->VPC->IGW->VGW->DC
Detached
VGW
Tunnel over
AWS
BackBone
Subnet Next Hop
0.0.0.0 IGW
Subnet Next Hop
0.0.0.0 1st ip of subnet
BRKARC-2749 76

#CLUS
What’s outside of Transit VPC?
• S3 bucket: Storage location for transit VPC config
files
• KMS (Key Management Service): All data in the
S3 bucket is encrypted using a solution-specific
AWS KMS managed customer master key (CMK).
• VGW Tags: Customer-specified opt-in tags to
automatically join a spoke VPC to the transit
network
• VGW Poller (Lambda function):
• Identifies and configures VGWs to connect to
the transit network (checks all regions every
minute)
• Writes new VPN connection details to an S3
bucket
• Cisco Configurator (Lambda function):
• Pushes VPN configuration to CSR instances
when config files are saved to S3
Spoke VPC
A
Spoke VPC
B
Spoke VPC
‘n’
Corporate
Data Center
…
Other
Provider
Networks
Amazon S3 bucket
Cisco Configurator
VGW Poller
AZ 2
AZ 1
AWS KMS
Transit VPC
Spoke VPC
On-Prem Network
BRKARC-2749 77

#CLUS
Traffic Segregation
• Traffic segregation is built-in
natively
• Each Spoke VPC is represented
as a different VRF in CSR
• Routing is controlled through RT
(Route Target)
• Different VPCs can communicate
by export/import same RT
• Follow same mechanism to
create customized VRF like on-
premise VRF
CSR1
MP-BGP
On-Premise VRF
CSR2
VPC-A VPC-B VPC-C
Private DC
VPC-C VRF
VPC-B VRF
VPC-A VRF
BRKARC-2749 78

#CLUS
High Availability in Transit VPC
• Spoke VGW has two tunnels with
both CSRs.
• Spoke VGW doesn’t support load
balance across two tunnels. It’s
using active standby.
• It’s possible different VGW uses
different CSR as active.
• Both CSRs are forwarding traffic
independently at same time.
• In case of CSR fail, the other CSR
will take over all traffic.
B
A C
…...
Transit VPC
Spoke VPC
CSR1 CSR2
VPC
VPC
VPC
VPC
Active Tunnel
Standby Tunnel
VGW
IGW
BRKARC-2749 79

#CLUS
CSR1
Customer Gateway 1
CSR2
Customer Gateway 2
Spoke-A VPC
Transit VPC
20.0.0.0/16
VGW-A
Edpoint1 Edpoint2
Spoke-B VPC
30.0.0.0/16
VGW-B
Edpoint1 Edpoint2
100.64.127.224/27
IGW = Internet Gateway
Overlay
Topology
Edpoint1
BRKARC-2749 80

#CLUS
Multi Region Deployment
Private DC 1
Transit VPC
Private DC 2
Transit VPC
Tunnel
us-east
us-west
DX/ER
Internet
DX/ER
Internet
ASR
ASR
VPC VPC
CSR1
CSR2 CSR3
CSR4
Use different spoke tags so spoke is
not connected to a different region
Use different BGP ASNs for easy
trouble shooting
Keep localized traffic in same region
region1:spoke region2:spoke
Tunnel
AWS
Peering
Peering
BRKARC-2749 81

#CLUS
us-west-1 us-east-1
eu-central-1
ap-southeast-1
Multi Region Transit VPC with DMVPN
DMVPN
ap-northeast-1
Direct Tunnel from anywhere to anywhere
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
VPC
Use different spoke tags so spoke is
not connected to a different region
BRKARC-2749 82

#CLUS
AWS Direct
Connect
Private DC
ASR
“Detached” VGW
BGP1
BGP2
CSR2
CSR1
Transit VPC
IPSec
Tunnel
(1Gbps)
Transit VPC
CSR1 CSR2
AWS Direct
Connect
Private DC
ASR
BGP2
BGP1
“Attached” VGW
IPSec
Tunnel
(5Gbps)
IPSec
Tunnel
(5Gbps)
10G
“Detached” VGW “Attached” VGW
• 1Gbps end to end (capped by VGW doing encryption)
• ASR doesn’t learn T-VPC CIDR
• Leverage current T-VPC lambda/tagging
• 10Gbps end to end (transparent VGW)
• ASR learns T-VPC CIDR
• CSR BGP peering with ASR directly
10G
https://www.youtube.com/watch?v=3nS2gJrqhNk
BRKARC-2749 83

#CLUS
Transit VPC Sizing
Sizes include*:
• 2 x 500 Mbps (c4.large)
• 2 x 1 Gbps (c4.xlarge)
• 2 x 2.5 Gbps (c4.2xlarge)
• 2 x 4.5 Gbps (c4.4xlarge)
• 2 x 5 Gbps (c4.8xlarge)
Need SEC technology pack (BGP routing, IPSEC, VRF-Lite)
Number of connections:
• 100 out-of-the-box (VGW limits)
• 1000s with customized route summarization
*Additional virtual appliances can be added to increase aggregate bandwidth and to create additional network paths using BGP multi-path
…
BRKARC-2749 84

#CLUS
CSR 1000V Routing High Availability on Azure
CSR Subnet
App Subnet A
App Subnet B
Before HA Failover / After HA Failover
Azure UDR API
BFD
Virtual Network
• 2 CSR’s in Active-Standby mode
• No virtual IP as with HSRP, since Azure
doesn’t allow multicast.
• IPSEC or VXLAN-GPE is enabled between
two CSRs to detect failure
• BFD Failure detection is automatic.
• On Failure of Active CSR - Azure UDR (User
Defined Routes) for app subnets are re-
pointed to 2nd CSR.
• Failover takes around 10 seconds (UDR
change takes time on Azure side)
• CSR itself calls Azure UDR API to adjust
Azure Route Table routes.
BRKARC-2749 86

#CLUS
Transit VNET with CSR-HA and Peering
BFD
• Leverage VNET Peering, Spoke VNET can
talk to Spoke VNET through Hub VNET
• Traffic control (QoS, ACL), segregation (VRF,
ZBFW) and visibility (AVC)
• UDR in spoke VNET points to CSR1/2, CSR1
and CSR2 need to be configured as HA pair
• CSR-HA (Active-Standby) Failover takes
around 10 seconds (UDR change takes time
on Azure side)
• Encryption from Hub to on-prem
• No encryption between VNETs
*2 NICs CSR, G1 receives traffic (UDR points to), G2 sends traffic (add specific routes)
BRKARC-2749 87

#CLUS
Transit Routing with CSR-HA and Peering
CSR-HA is Active-Active with ILB HA Port
ILB (Internal Load Balancer) HA port supports any port load balancing
ILB HA Port
Hub VNET
probe
probe
Transit Routing
…
.
CSR Cluster
• Leverage VNET Peering, Spoke to
Spoke through Hub VNET, load
balanced.
• UDR in spoke VNET route table is
always pointing to ILB’s VIP address
• CSRs doesn’t have to be configured
as HA pair
• Minimum failure detection is
dependent on probe (2x5=10s), traffic
switchover is sub-second. Total
failover is around 10s.
• More CSRs can be added into cluster.
• On-prem device need multiple tunnels
• Encryption from Hub to on-prem
• No encryption between VNETs
BRKARC-2749 88

#CLUS
Transit VNET with Dynamic VPN Overlay
B
A C
…...
Express Route
OR Internet
Private DC Spoke
Transit HUB VNET
ASR
Dynamic VPN Overlay
Spoke VNET
CSR1 CSR2
Across regions, accounts/subscriptions
AZ1 AZ2
• Dedicated VNET: Simplifies routing by not
combining with other shared services.
• Spoke to Spoke: Any to any communication
with higher throughput.
• CSR1000v Virtual Network Appliances:
Provide dynamic routing overlays for VPN
IPSec tunnels
• VPN Connection: Guarantee secured
connection across regions
• Redundancy: Dynamic routing combined
with multi-AZ deployment creates a robust
network infrastructure.
• Automation: Fully automated with Azure
Resource Template,Azure Function and
Guest shell
BRKARC-2749 89

#CLUS
CSR Transit VNET with Dynamic VPN Overlay
Templatized Deployment
AZ 1 AZ 2
Spoke
Templat
e
HUB
Templat
e
Spoke
VNET
Transit
VNET
HUB1 HUB2
SPOKE
1
HUB Storage Acc
Azure Functions
Azure Marketplace
BRKARC-2749 90

#CLUS
CSR with Express Route
Customer VNET
ExpressRoute
GW
subnet
APP Subnet
ASR
CSR1
CSR2
AZ1
AZ2
APP Subnet
BGP1
VNG
BGP2
BGP2
3
4
4
2
1
5
1. Talk with your service provider to create an ER Circuit in your Azure account. You need to input the BGP
parameters used for this Circuit. If you have multiple service providers, you can create multiple ER Circuits.
2. Create a Gateway Subnet within VNET and create a VNG (Virtual Network Gateway) in gateway subnet.
3. Add an ExpressRoute connection on that VNG and specify the ER Circuit created in 1st step. BGP connection will
be established from VNG to your on premise router (ASR). VNG will exchange VNET’s CIDR with ASR of your DC
CIDR. Then VNG will program those DC routes to VM’s “effective routes” automatically, including CSR1/2.
4. CSR1/2 can talk to your ASR through private IP address, you can use multi-hop eBGP or single hop eBGP over a
tunnel between CSR1/2 and your ASR. You can use IPSEC tunnel. not GRE on Azure.
5. Setup the high availability between CSR1 and CSR2. Add UDR to let your application subnet to use either CSR1 or
CSR2 as nexthop. BRKARC-2749 91

#CLUS
Setup Details
Customer VNET
ExpressRoute
GW
subnet
APP Subnet
ASR
CSR1
CSR2
AZ1
AZ2
APP Subnet
BGP1
VNG
BGP2 over IPSEC
BGP2 over IPSEC
3
4
4
2
1
5
10.0.0.0/16
10.11.253.0/24
88.0.0.0/30
88.0.1.0/30
10.0.0.4
10.0.0.5
10.0.1.4
10.0.1.5
10.0.200.0/24
88.0.0.9/32
BFD
ip route 88.0.0.9 255.255.255.255 10.0.0.1
10.0.0.0/24 pub sub
10.0.1.0/24 pri sub
10.0.200.0/24 gw sub
Tunnel1 temporarily disabled due to recursive routing
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-routing
https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/22327-gre-flap.html
AS 65002
AS 12076
AS 65011
AS 65012
https://www.youtube.com/watch?v=U2-lc8oewhA
BRKARC-2749 92

#CLUS
Cisco and Google Open Hybrid Cloud Solution
On Prem/Colo Data Center Google Cloud
Google Cloud
Platform
Google Kubernetes
Engine
Existing
Services
Apps | Data
Private Cloud infrastructure
Cisco Container Platform
(VM | Bare metal | HX, ACI)
Cloud
Apps
Istio: Hybrid Cloud
Service Management
Consistent
Environment
Networking | Security | Private Cloud Infrastructure | Consumption Management
CSR 1000v, ACI, Stealthwatch Cloud, HyperFlex, Container Platform, CloudCenter, Tetration Analytics, AppDynamics
BRKARC-2749 94

Cloud App – consume on prem service
Hybrid Cloud Use Case
Google Apigee
Exposes legacy systems as API endpoints
Google Kubernetes Engine
managed environment for deploying
containerized apps
Cisco Cloud Center
Provides Multicloud Orchestration and
Management
CSR1000v on GCP
Build a hybrid cloud network from on-prem to GCP
Cisco Stealthwatch Cloud
Security analytics service - monitoring and
reporting
BRKARC-2749
95

#CLUS
• It’s targeted 16.9 release (July CY18)
• Standalone CSR in VPC, BYOL only. HA and PAYG is coming in future
• Customer can deploy CSR from GCP launcher
• Use cases: connecting hybrid cloud (on-prem to public cloud), GCP VPC to VPC,
multi-clouds
GCP: CSR available on Google Cloud Platform
CSR
Cloud Virtual
Network
Corporate
DC
Internet
Cloud Interconnect
BRKARC-2749 96

#CLUS
Internet
Deploy CSR in a GCP VPC
Cloud Virtual
Network
Subnet Next Hop
0.0.0.0/0 Default Internet
GW
20.0.0.0/16
(on-prem)
CSR-IP
10.1.0.0/16
Enable IP Forwarding
Corporate
DC
CSR
20.0.0.0/16
10.3.0.0/16 10.2.0.0/16
• CSR/VM can only have one interface in a VPC.
• Subnets within same VPC use Google Cloud
Router as first hop
• Add a route pointing to CSR’s instance or ip
• Create a static public ip address
• Enable “IP Forwarding” on CSR’s interface
during CSR creation
• Block “project-wide key”, need to input your
ssh-key during creation.
• Make sure VPC firewall rule has UDP 500/4500
for IPSEC
Login
username
Public key
BRKARC-2749 97

#CLUS
CSR up running in GCP!
csr1#show platform software system all
Processor Details
=================
Number of Processors : 2
Processor : 1 - 2
vendor_id : GenuineIntel
cpu MHz : 2200.000
cache size : 56320 KB
Crypto Supported : Yes
model name : Intel(R) Xeon(R) CPU @
2.20GHz
Memory Details
==============
Physical Memory : 3984876KB
VNIC Details
============
Name Mac Address Status Platform MTU
GigabitEthernet1 4201.0a8a.0002 UP 1500
Hypervisor Details
===================
Manufacturer: Google
Product Name: Google Compute Engine
Serial Number: GoogleCloud-xxxxxx03
UUID: 1xxxxxxx03
Product ID : CSR1000V BYOL
Platform licensing details
=========================
None
You can manage it just like another IOS-XE router!
BRKARC-2749 98

#CLUS
Web-Server2 DB-Server2
CSR2/xTR2
Web-Server1 DB-Server1
CSR1/xTR1
AWS DC
Client
Branch2
Gi2
Gi1
Internet
Internet
Gi2 Gi3
Gi1 Internet
Router
• Extend same subnet into public cloud.
• VPC CIDR overlaps with on-prem dc.
• On CSR1 in Branch1, configure LISP dynamic host
detection under LAN facing interface.
• On CSR2 in AWS, static configure Web-Server2 and DB-
Server2 as LISP EID.
L2 extension into Public Cloud
192.168.10.0/24
192.168.20.0/24
Internet
LISP
BRKARC-2749 100

#CLUS
AWS: Performance based scale-out
Private DC
Transit VPC
DX/ER
Internet
ASR
VPC
CSR1 CSR2 CSR3 CSR4
…...
• Simplify your capacity planning with
elasticity as you go
• Monitor CSR real-time throughput
and spin up new CSRs on demand.
• Optimize your cost via flexible
licensing options: BYOL and PAYG
• Load sharing is being done through
multiple tunnels to multiple CSRs in
Transit VPC
Spoke VPC
BRKARC-2749 101
DMVPN

#CLUS
Data Center
Transit VPC
AZ1 AZ2
App 1
(VPC1)
App 2
(VPC2)
App 3
(VPC3) Internet
Employee
Developer
Guest
Non-Compliant
✓ X ✓ ✓
X X ✓ ✓
X ✓ ✓ ✓
VPC1
Extend Trust Sec into AWS Transit VPC
Simplifying Segmentation and Control
Direct Connect
Dynamic Route Peering
Employee Tag
Developer Tag
Guest Tag
Non-Compliant Tag
X X ✓ ✓
ISE
Identity & Access Control
Policy Enforcement
App 1
VPC2
App 2
VPC3
App 3
Control Access to spoke VPC’s
based on SGT Tags and Policy
Enforcement within the Transit
VPC Hub CSRv’s
• Control Traffic between VPC’s
• Simplify Security Configurations
• Scale Security Group Control
• Single Control Point
Dev Pro Test
ASR1K
CSR1 CSR2
BRKARC-2749 102

#CLUS
Transit VPC
Internet
• Routing: CSR redirects Internet traffic to NGFWv
• Security: NGFWv as standalone IPS VM provides full IPS
features and easily managed through FMCv
• NAT: NGFWv acts as NAT device. NAT/PAT supported
• Automation: One click Launch by using template and scripts
Secured DMZ
by extending Transit VPC
B
A C
…...
Spoke VPC
VPC
VPC
VPC
VPC
NGFWv (Next Generation FireWall Virtual)
FMCv (Firepower Management Center Virtual)
VGW
IGW
CISCO
VERIFIED
https://www.youtube.com/playlist?list=PLCiTBLSYkcoRREnds3OK8W19seZs5n-Vg
Deployment Video
NGFWv
CSR1 CSR2
BRKARC-2749 103

#CLUS
Transit VPC
Internet
Deploy IDS In Passive Mode
VPC
VGW
IGW
ERSPAN
VPC VPC
• IDS (NGFWv) deployed in Passive Mode
• CSR1000v sends traffic through
ERSPAN session
• NGFWv inspects traffic over ERSPAN
session passively
• Spoke to spoke traffic is agnostic to IDS
device
* ERSPAN= Encapsulated Remote Switch Port Analyzer Port NGFWv
CSR1 CSR2
CISCO
VERIFIED
BRKARC-2749 104

#CLUS
Dedicated Security VPC
A B
VPC
VPC
VPC
Private DC
Transit VPC
Internet
• Separate security services into dedicated
VPC
• Network team manages Transit VPC
• Security team manages Security VPC
• No end-to-end automation, manual
configuration needed
• Additional Internet traffic cost going to
Security VPC.
• Additional hop for latency.
0.0.0.0/0
VPC
VGW
IGW
BRKARC-2749 105

#CLUS
Transit VPC
Internet
B
A
…... Spoke VPC
CSR2
Public1 Public2
Inside1
Outside1
Inside2
Outside2
ASAv1 ASAv2
CSR2
AZ1 AZ2
DC
web app
DB
ISE
CSR1
WSA1 WSA2
Bring your whole security perimeter in the CLOUD
with consistent policy
HR
• End to end secure encryption
• Redundancy built-in with L3 ECMP
• All layer network traffic inspection by
ASAv
• Web traffic protection by WSAv
• Consistent group based security policy
extension using TrustSEC ISE
TECSEC-2070 Extending Enterprise Grade Security to Public Cloud
BRKARC-2749 106

#CLUS
Finding malicious activity in encrypted traffic
Cisco Stealthwatch
Cognitive
Analytics
Malware
detection and
cryptographic
compliance
ISR4K/ASR1K/CSR/ENCS
NetFlow
Enhanced
NetFlow
Telemetry for
encrypted malware detection
and cryptographic compliance
Enhanced analytics
and machine learning
Global-to-local
knowledge correlation
Enhanced NetFlow from
Cisco’s newest switches and
routers
Continuous
Enterprise-wide compliance
Leveraged network Faster investigation Higher precision Stronger protection
Metadata
BRKARC-2749 107

#CLUS
Corporate
Flow
Collector
Internet
CSRv with
ZBFW
Ubuntu
Linux
DMVPN
ETA enabled Interfaces
Flow Records
ETA (Encrypted Traffic Analysis) on CSR1000V
• CSR in AWS extends ETA
capabilities to the Cloud
• Sends telemetry and netflow
data to on-prem
Stealthwatch collector
• Complements end to end
security visibility from on-
prem to Cloud
BRKARC-2749 108

#CLUS
Cognitive Analytics
Encrypted Malware Detection
Expanded CTA dashboard view
Cognitive Analytics
BRKARC-2749 109

Demo: CSR Performance Scale Out on AWS

Demo: Inter-Connect MultiCloud

#CLUS
AWS CloudFormation and UserData
• AWS technology to define cloud stacks via a JSON file
• Comparable technologies in OpenStack (Heat) and Azure (RM Templates)
• Can be used to create VPCs or launch EC2 instances into existing VPCs
• Initial bring up CSR and bootstrap configurations via user data
template AWS
CloudFormation
stack
BRKARC-2749 113

#CLUS
Azure Resource Manager (ARM) Template
• With Resource Manager, you can create a template (in JSON
format) that defines the infrastructure and configuration of your
Azure solution.
• Two NICs CSR for example, customer can modify it based on
their requirement.
• Github: https://github.com/Azure/azure-quickstart-
templates/tree/master/cisco-csr-1000v
• Bootstrap CSR configurations using custom-data is supported in
16.9 (July CY18)
BRKARC-2749 114

#CLUS
• Guest Shell runs in a LXC container
• It gives you native Linux Shell (Command)
access to run customized scripts
• Access to IOS-XE CLI, boot flash
• Python is the language we support today
• You can install AWS/Azure CLI and SDK to
automate day-to-day jobs through scripts
• EEM can be leveraged to create Crontab
tasks calling Guest Shell scripts
• https://github.com/CiscoDevNet/csr_aws_guestshell
Guest Shell
Network OS
Guest Shell
Open Application Container
API
Linux
applications
BRKARC-2749 115

#CLUS
Enable Guest Shell
• Guest shell uses VPG as source interface and connect to outside
through NAT
IOS
VPG
Guest Shell Container
eth0
G1
CSR 1000v
interface VirtualPortGroup0
ip address 192.168.35.1 255.255.255.0
ip nat inside
interface GigabitEthernet1
ip address dhcp
ip nat outside
guestshell enable
virtualPortGroup 0 guest-ip
192.168.35.2 name-server 8.8.8.8
192.168.35.1 192.168.35.2
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 overload
ip access-list standard GS_NAT_ACL
permit 192.168.0.0 0.0.255.255
BRKARC-2749 116

#CLUS
Enter Guest Shell
sudo -E pip install awscli
sudo -E pip install boto3
aws configure
or configure ~/.aws/config and ~/.aws/credentials
ip-10-0-0-21#guestshell
[guestshell@guestshell ~]$ pwd
/home/guestshell
[guestshell@guestshell ~]$ ls
scripts
[guestshell@guestshell ~]$ uname -a
Linux guestshell 4.4.51 #1 SMP Wed Mar 22 07:08:50 PDT
2017 x86_64 x86_64 x86_64 GNU/Linux
Same Linux Shell Access Install AWS CLI and Python SDK
BRKARC-2749 117

#CLUS
Use Case #1: Monitor CSR Real-Time
Throughput by AWS Cloud Watch
• Python script in Guest Shell
• Gather CSR throughput by “show platform hardware qfp active datapath utilization”
• Send key metric to AWS Cloud Watch through AWS python SDK boto3
• EEM(Embedded Event Manager) script
• Trigger python script based on regular time interval
• Visualize throughput on Cloud Watch
event manager applet get-throughput
event timer watchdog time 15
action 0.0 cli command "enable"
action 1.0 cli command "guestshell run
/home/guestshell/get-sys-throughput-fyang2.py"
action 10.0 syslog msg "guestshell-get-throughput
executed!"
BRKARC-2749 118

Best Practices
from my
thousands
customer calls…..

#CLUS
General Guidance
• Disable “source destination” or enable “ip forwarding” on CSR’s
interface from CSP’s console or dashboard.
• Use ”tunnel mode” for IPSEC tunnel since most requires NAT-T
BRKARC-2749 120

#CLUS
Is CSR dropping packets?
• Make sure CSR is running at licensed throughput
CSR-BYOL#show license all
License Store: Primary License Storage
StoreIndex: 0 Feature: ax_2500M Version: 1.0
License Type: Permanent
Start Date: N/A, End Date: May 15 2017
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
CSR-BYOL#show platform hardware throughput level
The current throughput level is 2500000 kb/s
BYOL (Bring Your Own License) Hourly
CSR-hourly#show license all
License Store: Primary License Storage
CSR-hourly#show platform hardware throughput level
The current throughput level is 200000000 kb/s
BR1-16.3.3#show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Ipv4NoAdj 56 12876
TailDrop 1283 2873982
Check Packet drop
https://www.cisco.com/c/dam/en/us/td/docs/routers/csr1000/technical_references/CSR-Packet-Flow-Troubleshooting-Guide.pdf
Oversubscribing
license
BRKARC-2749 121

#CLUS
How to upgrade CSR version?
• Inline upgrade is supported in
• AWS: 16.5.1b and later
• Azure: 16.7.1 and later
• GCP support is coming
• Please make sure to use the right version
• It will be the same process as upgrading a physical IOS-XE router
(Upload bin and change boot).
BRKARC-2749 122

#CLUS
How do I enable 10G interface?
• Interface speed is set to 1Gbps by default.
• You need to change it to 10G capable if you use above 1Gbps license.
Changing it to 10G won’t hurt anything.
interface GigabitEthernet 1
speed 10000
no negotiation auto
Azure-CSR#show interface GigabitEthernet 1
GigabitEthernet2 is down, line protocol is down
Hardware is CSR vNIC, address is 000d.3a90.7a91 (bia 000d.3a90.7a91)
Internet address is 30.0.1.4/24
MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
…….
BRKARC-2749 123

#CLUS
I notice VGW Tunnel Status is Down on AWS Console.
How do I make sure Lambda Script is Working?
• Check tunnel status on CSR. VGW status might be a little bit delayed.
• If tunnel on CSR is down or no tunnel info, check if CSR has correct configurations
pushed.
• If CSR has configurations, tunnels should be up typically.
• If CSR doesn’t have correct configurations. It means Lambda function has at least
one of following problems.
1. VGW Poller can’t poll tag or wrong tag specified on VGW
2. Cisco Configurator can’t push configurations to CSR
• Check Cloud Watch logs to identify root cause for Lambda
Note: CSR security group doesn’t need inbound rule of UDP 500/4500 since IPSEC session is initialized from CSR to VGW.
Security group doesn’t restrict any outbound traffic.
BRKARC-2749 124

#CLUS
I Want to Choose Active CSR for Spoke VPC
• This is used to enable state full features, like ZBFW and etc.
• By default two CSRs are forwarding traffic at same time.
• Spoke VGW randomly picks one CSR as active, the other CSR as standby.
• You can use “preferred tag” and set specific CSR as active and standby.
Transit VPC
CSR1 CSR2
VPC
Preferred tag=CSR1
Active Tunnel
Standby Tunnel
BGP as-path prepend
VGW
BRKARC-2749 125

#CLUS
How to do maintenance on CSR in Transit VPC?
• Two CSRs are working as active active.
• Let one CSR stop forwarding traffic gracefully by shutdown tunnels on CSR.
• All traffic will be forwarded to the other CSR.
• Upgrade the CSR to correct version and bring up tunnels.
• Traffic will be load balanced across two CSRs.
• Redo same steps on the other CSR.
If you want to destroy the CSR and create a new one, please make sure the same EIP
is attached to new CSR. If you delete (lose) EIPs, please update the S3 bucket with
new EIPs.
BRKARC-2749 126

#CLUS
How Do I manage CSR through private IP, rather than EIP?
• Customer wants to manage CSR through private IP since most NMS (Network
Management System) or Network Engineers sits in on premise network.
• For security concern, security group on CSR is only open to internal IPs.
• Create a “MGMT” VRF and tie to a Loopback interface
• Redistribute this loopback interface into BGP domain
ip vrf mgmt
rd 64512:2
route-target export 64512:0
route-target import 64512:0
interface Loopback0
ip vrf forwarding mgmt
ip address 1.1.1.1 255.255.255.255
router bgp 64512
address-familyipv4 vrf mgmt
redistribute connected
BRKARC-2749 127

#CLUS
How Do I Delete The Whole Stack?
• Deleting the CFN template will do most (99%) of the work.
• Please make sure “termination protection” is disabled on CSR
instance or you can delete (terminate) the instance manually.
• Delete the CFN template.
• You will get a “DELETE_FAILED” message at some point. It’s because
by AWS design S3 bucket can’t be deleted by CFN, however a 2nd
delete will delete the S3 Bucket.
BRKARC-2749 128

#CLUS
How to connect spoke VPC in different account? -1
• Different accounts for billing purpose.
• Acquisition of other company (accounts).
• In Transit VPC account: get S3 bucket name and prefix from the output of Transit VPC CFN
• In Spoke VPC account: 1) get spoke VPC’s <spoke-account-id> 2) launch “transit-vpc-second-
account.template” from https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-
vpc/templates.html
<s3 bucket name>
<s3 bucket prefx>
BRKARC-2749 129

#CLUS
How to connect spoke VPC in different account? -2
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account-1-ID>:root",
"arn:aws:iam::<account-2-ID>:root"
]
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::<S3 bucket name>/<bucket prefix>/*"
}
]
}
Transit VPC Account
S3 Bucket Policy
Open S3 page, locate the bucket <S3 bucket
name>, click permissions, find ”Bucket Policy”
Replace it with copied value
KMS Policy
Open AWS IAM console, choose Encryption Keys, select
region of your transit vpc, you will see “Transit VPC” in the
key description. Click the key and you can edit “Key Policy”
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": {
"arn:aws:iam::<transit-account>:role/TransitVPC-DX-SolutionHelperRole-16R14KV0ZSHUZ",
"arn:aws:iam::<transit-account>:role/TransitVPC-DX-TransitVpcPollerRole-FOK5",
"arn:aws:iam::<transit-account>:role/TransitVPC-DX-CiscoConfigFunctionRole-1K7VG4M",
"arn:aws:iam::<transit-account>:root”,
"arn:aws:iam::<spoke-account-id>:root"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
Replace it with copied value.
For better security, you can limit
it only to VGW Poller Role (you
can get it after you launch the
template in spoke vpc)
arn:aws:iam::<spoke-account-id>:role/transit-spoke-TransitVpcPollerRole-2O
AWS KMS
AWS S3
BRKARC-2749 130

#CLUS
Trouble Shooting CSR HA on Azure
redundancy
cloud provider azure 100
bfd peer 192.168.101.2
default-gateway ip 10.60.1.6
route-table HaEastRouteTable
resource-group companynameusawest
subscription-id ab2fe6b2-c2bd-44
tenant-id 227b0f8f-684d-48fa-9803-c08138b77ae9
app-id 80848f32-xxxxxxxxx-3d5aa596cd0c
app-key 5yOhH593dtD%2FO8gzAlWgulrkWz5dH02d2STk3LDbI4c%3D
16.5.1b supports 1 node, you can only change
one route table.
16.6.1 supports multiple nodes, you can
change multiple route tables.
• HA is supported on 16.5.1b and later version
• Update default route or all routes if default route is
not found.
• Individual CIDR update is supported in 16.7
Remote Peer’s BFD IP address
CSR’s local IP address, ”IP Forwarding” should
be enabled on this interface
The route table need to be changed,
resource-group, subscription-id that
contains the route table. Could be
different than where CSR is deployed.
Tenant ID, HA can work across subscriptions within
same Tenant, doesn’t work across different Tenants.
APP ID, created in Active Directory
APP Key, need to be URL encoded required by Azure, before encode
“5yOhH593dtD/O8gzAxxxxxxxxxdH02d2STk3LDbI4c=”
URL encode tool: https://www.w3schools.com/tags/ref_urlencode.asp
BRKARC-2749 131

#CLUS
Summary and Key Takeaways
• MultiCloud is a reality, each cloud has unique challenges and a
cohesive solution is required.
• CSR 1000V brings full Cisco IOS-XE functionalities into public
cloud.
• As more workloads move to the cloud, CSR 1000V can
provide the high scale and performance.
BRKARC-2749 132

#CLUS
Joint Webinar with Under Armour and Adobe
• Webinar recording on Youtube:
• https://www.youtube.com/watch?v=aLk8ExZ14v8
• Webinar deck on Slideshare:
• http://www.slideshare.net/AmazonWebServices/cisco-csr-1000v-securely-extend-
your-apps-to-the-cloud
BRKARC-2749 133

#CLUS
Infor: How Do I build a Global Transit Network on AWS
• Youtube Link
• https://www.youtube.com/watch?v=blzw
5DFPSI4&t=2215s
• Slides
• https://www.slideshare.net/AmazonWeb
Services/how-do-i-build-a-global-
transit-network-on-aws-msc302-
reinvent-2017
AWS re:Invent 2017
BRKARC-2749 134

#CLUS
CSR1000V Youtube Channel
http://cs.co/csr1000v
BRKARC-2749 135

#CLUS
Cisco CSR1000V Miercom report: http://miercom.com/pdf/reports/20161111.pdf
• CSR1000V on private cloud platforms delivers up to 20Gbps on a single x86 server,
across 3 CSRs
• CSR1000V on Amazon AWS delivers up to 5Gbps of encrypted traffic running on
Instance type C4.8xlarge
• Miercom tested different combinations of features enabled to determine real world
performance (IPV4 Forwarding, QoS, NBAR, Firewall, IPSEC)
Miercom Performance testing of CSR1000V
Miercom is a world leading independent testing and consultant provider. It
provides unbiased hands-on testing, research and certification services.
BRKARC-2749 136

#CLUS
Additional Resources
Public Documentation:
• MultiCloud Cloud Connect Design Deployment Guide for AWS Transit VPC with CSR1000V
https://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-
series/guide-c07-740270.html
• MultiCloud Design Zone: https://www.cisco.com/c/en/us/solutions/design-zone/cloud-
design-guides.html
• CSR 1000V Configuration Guide for AWS
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-
azure.html
AWS Mailer (ask-csr-aws-pm@cisco.com)
Azure Mailer (ask-csr-azure-pm@cisco.com)
BRKARC-2749 137

Complete your online session evaluation
#CLUS
Give us your feedback to be entered
into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
BRKARC-2749 138

#CLUS
Demos in
the Cisco
campus
Walk-in
self-paced
labs
Meet the
engineer
1:1
meetings
Related
sessions
Continue
your
education
BRKARC-2749 139

#CLUS
Transit VPC
Internet
• Routing: CSR redirects Internet traffic to NGFWv
• Security: NGFWv as standalone IPS VM provides full IPS
features and easily managed through FMCv
• NAT: NGFWv acts as NAT device. NAT/PAT supported
• Automation: One click Launch by using template and scripts
Secured DMZ
by extending Transit VPC
B
A C
…...
Spoke VPC
VPC
VPC
VPC
VPC
VGW
IGW
CISCO
VERIFIED
https://www.youtube.com/playlist?list=PLCiTBLSYkcoRREnds3OK8W19seZs5n-Vg
Deployment Video
NGFWv
CSR1 CSR2
BRKARC-2749 143

#CLUS
Transit VPC
Subnet-1
10.0.0.0/24
IGW
Subnet-2
10.0.1.0/24
MGMT RT
Subnet Next Hop
0.0.0.0 IGW
AZ1 AZ2
CSR1 CSR2
Spoke-A
20.0.0.0/16
10.0.0.0/16
20.0.1.4
This is what we already have from Transit VPC
AZ(Availability Zone) is like Data Center, each subnet sits in
distinct AZ, can not be across AZs.
Before We Start
BRKARC-2749 144

#CLUS
Transit VPC
Internet
Subnet-1
10.0.0.0/24
Csr1-ftdv
10.0.5.0/24
Csr2-ftdv
10.0.6.0/24
FTDv-IN
10.0.4.0/24
IGW
Subnet-2
10.0.1.0/24
AZ1 AZ2
MGMT RT
OUT
.5 .6
.4
Subnet Next Hop
0.0.0.0 IGW
FTDv RT
IGW
MGMT RT
*Only one IGW, two IGWsfor better diagram.
FTDv-OUT
10.0.7.0/24
Subnet-1
.224
CSR1 CSR2
IN
Transforming…...
BRKARC-2749 145

#CLUS
Recap: Existing Resources -> New Resources
• Existed Transit VPC (10.0.0.0/16).
• Instance
• CSR1 (AZ1)
• CSR2 (AZ2)
• Subnet
• Subnet-1: 10.0.1.0/24 (AZ1)
• Subnet-2: 10.0.2.0/24 (AZ2)
• Route Table
• Route-Table-Management-Transit
• Subnet-1
• Subnet-2
• IGW
• Spoke A VPC (20.0.0.0/16)
• Instance
• Linux VM (20.0.1.4)
• Subnet
• Private subnet 20.0.1.0/24
• Route Table
• Route-table-a
• Private subnet
• IGW
• Instance
– FTDv (Firepower Threat Defense Virtual)
– FMCv (Firepower Management Center Virtual)
• Subnet
– CSR1-FTDv: 10.0.5.0/24 (AZ1)
– CSR2-FTDv: 10.0.6.0/24 (AZ2)
– FTDv-IN: 10.0.4.0/24 (AZ1)
– FTDv-OUT: 10.0.7.0/24 (AZ1)
• Route Table
– Route-Table-Management-Transit
• Subnet-1
• Subnet-2
• FTDv-OUT
– Route-Table-FTDv
• CSR1-FTDv
• CSR2-FTDv
• FTDv-IN
NEW
BRKARC-2749 146

#CLUS
VPC-A VRF VPC-B VRF
FTDv VRF
A B
G1
VPC-B VRF VPC-A VRF
FTDv VRF
G1
G2 G2
IN
OUT
CSR1 CSR2
MP-BGP MP-BGP
Multi-hop
eBGP
default-information originate
redistribute connected
route propagation
CSR can reach out to
spoke-vpc on FTDv VRF
Tunnel to Spoke A
Tunnel to Spoke B
CSR Design
BRKARC-2749 147

#CLUS
MGMT Diag
NAT OUTSIDE
NAT INSIDE
FTDv
Access Control
IPS
URL Filtering
Malware & File
AS 64512
AS 64512
AS 65002
Multi-hop
eBGP
IN
OUT
IGW
• Routing: Multi-Hop eBGP is
established between CSR 1000V
and FTDv. FTDv announces a
default route to CSR 1000V for to
redirect Internet traffic.
• Security: IPS, URL Filtering and
Malware are enabled on FTDv
• NAT: FTDv acts as NAT device.
IN interface is NAT inside, OUT
interface is NAT outside. PAT
enabled.
FTDv Design
BRKARC-2749 148

#CLUS
Transit VPC
Internet
Subnet-1
10.0.0.0/24
Csr1-ftdv
10.0.5.0/24
Csr2-ftdv
10.0.6.0/24
FTDv-IN
10.0.4.0/24
IGW
Subnet-2
10.0.1.0/24
AZ1 AZ2
MGMT RT
OUT Subnet Next Hop
10.0.5.0/24 10.0.4.1
10.0.6.0/24 10.0.4.1
0.0.0.0/0 10.0.7.1
Subnet Next Hop
10.0.4.0/24 10.0.6.1
Subnet Next Hop
10.0.4.0/0 10.0.5.1
.5 .6
.4 FTDv can reach out to 5.5 and 6.6
through IN (4.4)
Add specific routes to FTDv
No default routes because it
will be learned from BGP
session with FTDv
Add specific routes to FTDv
No default routes because it
will be learned from BGP
session with FTDv
Subnet Next Hop
0.0.0.0 IGW
Subnet Next Hop
0.0.0.0 IGW
FTDv RT
IGW
MGMT RT
FTDv-OUT
10.0.7.0/24
Subnet-1
.224
CSR1 CSR2
IN
Internet Traffic to
get out from FTDv
OUT interface
Control Plane Connectivity
BRKARC-2749 149

#CLUS
FTDv-OUT
10.0.7.7/24
Transit VPC
Internet
Csr1-ftdv
10.0.5.0/24
Csr2-ftdv
10.0.6.0/24
FTDv-IN
10.0.4.0/24
IGW
AZ1 AZ2
FTDv RT
IN
OUT Subnet Next Hop
10.0.5.0/24 10.0.4.1
10.0.6.0/24 10.0.4.1
0.0.0.0/0 10.0.7.1
Subnet Next Hop
10.0.4.0/24 10.0.6.1
Subnet Next Hop
10.0.4.0/0 10.0.5.1
.5 .6
.4
Subnet Next Hop
20.0.0.0/0 10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
Spoke-
CIDR
10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
0.0.0.0/0 10.0.4.4 (FTDv)
For internet traffic from
spoke vpc to be redirected to
FTDv
Subnet Next Hop
0.0.0.0 IGW
Subnet Next Hop
0.0.0.0 IGW
IGW
MGMT RT
MGMT RT
For return traffic to spoke
vpc to be redirected to CSR
Active
Subnet-1
.224
Subnet-1
10.0.0.0/24
Subnet-2
10.0.1.0/24
CSR1 CSR2
Data Plane Connectivity
BRKARC-2749 150

#CLUS
FTDv-OUT
10.0.7.7/24
Transit VPC
Internet
Csr1-ftdv
10.0.5.0/24
Csr2-ftdv
10.0.6.0/24
FTDv-IN
10.0.4.0/24
IGW
AZ1 AZ2
FTDv RT
IN
OUT Subnet Next Hop
10.0.5.0/24 10.0.4.1
10.0.6.0/24 10.0.4.1
0.0.0.0/0 10.0.7.1
Subnet Next Hop
10.0.4.0/24 10.0.6.1
Subnet Next Hop
10.0.4.0/0 10.0.5.1
.5 .6
.4
Subnet Next Hop
20.0.0.0/0 10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
Spoke-
CIDR
10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
0.0.0.0/0 10.0.4.4 (FTDv)
FTDv
Subnet Next Hop
0.0.0.0 IGW
Subnet Next Hop
0.0.0.0 IGW
IGW
MGMT RT
MGMT RT
Active
Subnet-1
.224
Subnet-1
10.0.0.0/24
Subnet-2
10.0.1.0/24
CSR1 CSR2
Spoke-A
Packet Flow: Internet->Spoke
BRKARC-2749 151

#CLUS
FTDv-OUT
10.0.7.7/24
Transit VPC
Internet
Subnet-1
Csr1-ftdv
10.0.5.0/24
Csr2-ftdv
10.0.6.0/24
FTDv-IN
10.0.4.0/24
IGW
Subnet-2
AZ1 AZ2
FTDv RT
IN
OUT Subnet Next Hop
10.0.5.0/24 10.0.4.1
10.0.6.0/24 10.0.4.1
0.0.0.0/0 10.0.7.1
Subnet Next Hop
10.0.4.0/24 10.0.6.1
Subnet Next Hop
10.0.4.0/0 10.0.5.1
.5 .6
.4
Subnet Next Hop
20.0.0.0/0 10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
Spoke-
CIDR
10.0.5.5 (Active
CSR1)
10.0.6.6 (Standby
CSR2)
0.0.0.0/0 10.0.4.4 (FTDv)
FTDv
Subnet Next Hop
0.0.0.0 IGW
Subnet Next Hop
0.0.0.0 IGW
IGW
MGMT RT
MGMT RT
Active
Subnet-1
.224
CSR1 CSR2
Spoke-A
Packet Flow: Spoke->Internet
BRKARC-2749 152

cisco csr1000v

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to cisco csr1000v

Similar to cisco csr1000v (20)

Recently uploaded

Recently uploaded (20)

cisco csr1000v