CSR 1000V Architecture - IOSd
[Figure: CSR 1000V software stack. Control Plane (IOS, Chassis Mgr., Forwarding Mgr.) and Forwarding Plane (FFP Client, FFP code, Chassis Mgr., Forwarding Mgr.) run on the Guest Linux Kernel / Driver; vCPU, vMemory, vDisk and vNIC are presented by the Hypervisor (VMware / Citrix / KVM) on top of the physical CPU, Memory, Disk and NIC.]
• Runs as a process under the Guest Linux Kernel
• IOS timing is governed by Linux Kernel scheduling
• Provides virtualized management ports
  • Since these are managed by their respective software processes
• No direct hardware component access!
• Communicates with other software processes via IPC
• Runs Control plane features
  • CLI and configuration processing
  • SNMP handling, routing protocols, session mgmt.
Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!
2. Pick a flavor
CSR 1000V Licensing for AWS
Two Options…

Bring Your Own License “BYOL”
• Provision “BYOL” CSR instances from AWS Marketplace
• Only pay AWS for basic instance-type fees
• Purchase desired license from Cisco or Cisco Partner
• Install purchased license onto “BYOL” version of CSR you provisioned from the AWS Marketplace

AWS Marketplace Billing
• Provision hourly billed CSR instances from AWS Marketplace
• Pay AWS for basic instance-type usage AND fees for CSR usage
• AWS pays Cisco for CSR usage fees they collect. You pay Cisco nothing directly.
• No license file to manage or install
CSR 1000V Licensing Structure
Pick one option from each column…

Technology Package            Throughput    License Type
(See next slide for details)
IP Base                       10 Mbps       Perpetual
SEC                           50 Mbps       Subscription (1-year or 3-year)
AppX                          100 Mbps      Usage
AX (target date Q1 CY15)      250 Mbps
                              500 Mbps
                              1 Gbps
                              2.5 Gbps
                              5 Gbps
                              10 Gbps

Example: IP Base, 250 Mbps, 1-Year
* CSR add-on license options not shown above
CSR 1000V Features Per Technology Package

IPBase (formerly Standard)
• Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS
• Multicast: IGMP, PIM
• High Availability: HSRP, VRRP, GLBP
• Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
• Basic Security: ACL, AAA, RADIUS, TACACS+
• Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF

SEC (formerly Advanced)
• IPBase Plus…
• Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN

AppX
• IPBase Plus…
• Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN
• Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA
• Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS

AX (formerly Premium)
• ALL FEATURES
Secure L2 Extension
[Figure: On-Prem VMs on VLAN A and VLAN B connect through an InterCloud Extender over a trunk to an InterCloud Switch and CSR in AWS, extending VLAN A and VLAN B to VMs in AWS.]
Cisco ASAv Firewall and Management Features
• Cisco® ASA Feature Set
• Subset of ASAv features are not supported in AWS
  • VLAN tagging
  • Virtualization displaces multiple-context and clustering
• Parity with all other Cisco ASA platform features
Overlay Options
[Figure: Corporate Network HQ Head-End connected to AWS West, AWS East, Home and Branch; Tenant VLANs on Hypervisors at HQ.]
On-Prem Anchored Overlay:
• Traditional physical enterprise with good connectivity at HQ
• Redundant DM-VPN at HQ
• Extends enterprise network to other sites, field offices, teleworkers, and public clouds
CSR Images for On-Prem Deployment
Deployment in VMware
• Deploy as OVA
• Choose performance
[Figure: CSR VM with interfaces g0, g1 and g2.]
Deployment in OpenStack
[Figure: Neutron server hosting the Routing-aaS, Firewall-aaS and VPN-aaS service plugins, a Hosting Device Manager, Scheduler and Plugging Driver; Notifications go to the CfgAgent on the Compute server, which uses driver-specific communication to the Hosting devices.]
What is supported today – April 2015.
Openstack release:   “I” Release   “J” release   “K” release
Routing-aaS - Merged
CSR as replacement of Neutron router
• Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN, FlexVPN, EZVPN, etc…
• Up to 1,000 concurrent VPN tunnels per CSR, and no per-tunnel charges from Amazon.
• Familiar configuration, familiar troubleshooting, not a black box.
Back-End Corporate Access
[Figure: Corporate Users reach two VPCs across the Internet, each with a Public and a Private Subnet 1.]
• Easily integrate multiple AWS regions into existing VPN topology as new sites
• Can be leveraged for hierarchical designs within regions.
• Distribute applications across the globe, and keep the network simple
DMVPN Design Model 1
Full Tunnel for AWS Application VMs
[Figure: App VMs on Subnet B behind the CSR.]
router eigrp 1
 network 172.16.0.0
 passive-interface GigabitEthernet1
CSR VPN HA Configuration
Configure EEM
[Figure: IPSec Tunnel between the two tunnel endpoints below.]
Interface Tunnel 1                Interface Tunnel 1
IP: 169.254.1.1                   IP: 169.254.1.2
Destination: 54.1.2.3             Destination: 10.10.10.1
BGP Advertisements:               BGP Advertisements:
172.17.1.0/24                     172.16.0.0/16
Deploying CSR Features
Firewall and Application Visibility in the AWS Cloud
[Figure: CSR in a virtual private cloud in the AWS cloud connected to a corporate office/branch.]
• Stateful firewall between AWS regions and physical locations
• Familiar Zone-Based Firewall configuration
• Application Visibility and Control (AVC)
  • Uses NBAR2 to identify over 1,000 different applications
  • Monitor and control application usage
• Flexible NetFlow Records
  • Track packet loss, latency, jitter, and response time of your cloud.
Edge Router and Firewall
[Figure: CSR with g1 on the Public Subnet 1 facing the Internet, g2 on the Private Subnet 1, and a Tunnel terminating on the CSR.]
ip access-list extended tunnel-inside
 permit tcp any host 172.24.2.200 eq 3389
!
zone-pair security tunnel-inside source tunnel destination inside
 service-policy type inspect tunnel-inside
!
interface Tunnel0
 zone-member security tunnel
interface GigabitEthernet1
 zone-member security outside
interface GigabitEthernet2
 zone-member security inside
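An added configuration lint for the zone-based firewall stanza above (example code written for this page, not Cisco's): it maps each interface to its zone and each zone-pair to its inspect policy, then flags the gaps that silently drop traffic. The sample config is the slide's own lines; the regex, finding strings and the `tunnel-inside` policy name (whose class-map/policy-map the slide does not show) are assumptions.

```python
import re

# Constructed sample: the zone-based firewall lines from the slide above (added example, not Cisco's).
SAMPLE_ZBFW = """\
ip access-list extended tunnel-inside
 permit tcp any host 172.24.2.200 eq 3389
zone-pair security tunnel-inside source tunnel destination inside
 service-policy type inspect tunnel-inside
interface Tunnel0
 zone-member security tunnel
interface GigabitEthernet1
 zone-member security outside
interface GigabitEthernet2
 zone-member security inside
"""
PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")

def parse_zbfw(config):
    """Map interface -> zone (None if unzoned) and (src, dst) zone-pair -> inspect policy (None if absent)."""
    zones, pairs, block = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # unindented line starts a new stanza
            block = None
            if line.startswith("interface "):
                block = ("if", line.split()[1])
                zones[block[1]] = None
            m = PAIR_RE.match(line)
            if m:
                block = ("pair", (m.group(1), m.group(2)))
                pairs[block[1]] = None
        elif block and block[0] == "if" and line.strip().startswith("zone-member security "):
            zones[block[1]] = line.split()[-1]
        elif block and block[0] == "pair" and line.strip().startswith("service-policy type inspect "):
            pairs[block[1]] = line.split()[-1]
    return zones, pairs

def check_zbfw(config):
    """Flag an interface in no zone (ZBFW drops its traffic to every zoned interface), a zone-pair
    naming a zone with no member interface (typo or missing stanza), and a pair with no inspect policy."""
    zones, pairs = parse_zbfw(config)
    members = {z for z in zones.values() if z}
    findings = [f"{ifc} is in no security zone" for ifc, z in zones.items() if z is None]
    for (src, dst), policy in pairs.items():
        for zone in (src, dst):
            if zone not in members:
                findings.append(f"zone-pair {src}->{dst} references zone {zone} with no member interface")
        if policy is None:
            findings.append(f"zone-pair {src}->{dst} has no inspect service-policy")
    return findings
```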
NAT
[Figure: Floating IP 55.128.99.23 on g1; g1 is in 172.24.2.0/25 and g2 in 172.24.2.128/25.]
interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
!
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
!
ip access-list standard nat
 permit 172.24.2.128 0.0.1.255
The global address in the static entry (172.24.2.17) needs to be the internal address on g1, not the floating IP.
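An added lint for the NAT stanza above (example code written for this page, not Cisco's): it checks that the static translation's global address is on the outside subnet rather than the floating IP, and computes the range an IOS wildcard entry really matches so the `nat` ACL can be compared with the inside /25. The subnets and addresses are the slide's; the regexes and finding strings are assumptions.

```python
import ipaddress
import re

# Constructed sample: the NAT lines from the slide above (added example code, not Cisco's).
SAMPLE_NAT = """\
interface GigabitEthernet1
 ip nat outside
interface GigabitEthernet2
 ip nat inside
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
ip access-list standard nat
 permit 172.24.2.128 0.0.1.255
"""
# Subnets from the slide: g1 (outside) on the public /25, g2 (inside) on the private /25.
OUTSIDE_SUBNET = ipaddress.ip_network("172.24.2.0/25")
INSIDE_SUBNET = ipaddress.ip_network("172.24.2.128/25")

STATIC_RE = re.compile(r"^ip nat inside source static \S+ (\S+) \d+ (\S+) \d+")
PERMIT_RE = re.compile(r"^\s*permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")

def wildcard_range(base, wildcard):
    """Lowest and highest address matched by an IOS 'base wildcard' entry (1 bits are don't-care)."""
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_address(b & ~w), ipaddress.ip_address(b | w)

def check_nat(config):
    """Flag a static NAT whose global address is not the router's own address on the outside
    subnet (AWS maps the floating IP to that internal address, so the floating IP must not be
    used here), and a 'nat' ACL entry that matches addresses beyond the inside subnet."""
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            local, glob = (ipaddress.ip_address(a) for a in m.groups())
            if glob not in OUTSIDE_SUBNET:
                findings.append(f"static NAT global {glob} is not the internal address on g1")
            if local not in INSIDE_SUBNET:
                findings.append(f"static NAT local {local} is not on the inside subnet")
            continue
        m = PERMIT_RE.match(line)
        if m:
            lo, hi = wildcard_range(*m.groups())
            if lo < INSIDE_SUBNET.network_address or hi > INSIDE_SUBNET.broadcast_address:
                findings.append(f"ACL nat matches {lo}-{hi}, wider than {INSIDE_SUBNET}")
    return findings
```

On the slide's own ACL the wildcard 0.0.1.255 matches 172.24.2.0 through 172.24.3.255, which the lint reports; 0.0.0.127 limits it to the private /25.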
Enterprise-Wide Application Visibility
• Uses Netflow and IP SLA
• GUI for application visibility
• IP SLA configuration and monitoring
• Extends application visibility to your cloud border
Enterprise-Wide Security Visibility
[Figure: CSR in the AWS cloud exports NetFlow over https to a StealthWatch FlowCollector.]
• Uses Netflow
• GUI for security visibility
• Extends application visibility to your cloud:
  • Detecting Sophisticated and Persistent Threats
  • Identifying BotNet Command & Control Activity
• IPSec and SSLVPN access via AnyConnect for teleworkers and remote users
• AAA server options for user database
• Easily host copies of your apps in regions close to your remote users
• No similar service offered natively by AWS
SSL VPN Configuration Example (1/3)
Create a Server Certificate
• A self-signed certificate is generated by default when the CSR is launched.
• Can generate a new self-signed certificate or provision a certificate from an Enterprise CA
[Figure: CSR in a virtual private cloud in the AWS cloud.]
crypto key generate rsa label sslvpn-key modulus 2048
!
crypto pki trustpoint sslvpn-self-signed
 enrollment selfsigned
 subject-name cn=csr-aws-sslvpn
 revocation-check none
 rsakeypair sslvpn-key
!
ip local pool pool1 10.10.10.50 10.10.10.100
SSL VPN Configuration Example (3/3)
Configure Crypto
crypto ssl proposal proposal1
!
crypto ssl authorization policy auth-policy1
 pool pool1
!
crypto ssl profile profile1
 aaa authorization group list sslvpn auth-policy1
!
CSR REST API
REST is Representational State Transfer. Based on HTTP. Client-Server model. Stateless.
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIintro.html
Request header:
Accept: application/json
Response:
200 Ok
{
  "link": "/license/UDI",
  "UDI": "ACRPSJAE9486R"
}
Summary
Cisco CSR 1000v Summary
• Extends enterprise network to public cloud
• Normalize operations across multiple public clouds
• Hybrid cloud designs using CSR in the public cloud and ASR1K/ISR/CSR1K
on-premise
• Primary use case - secure connectivity using IPSec, DMVPN, SSL VPN, etc.
• Enterprise-class networking services including Routing, FW, and NAT
• Rich telemetry for security and performance monitoring with Netflow/AVC
• Used with AWS Direct Connect for encryption and overlay routing
• HSRP-like High Availability for AWS VPCs
CSR 1000v in AWS Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS.pdf
Evaluation Licenses
• Only BYOL instances need an evaluation license, since non-BYOL instances
are pre-licensed as part of the hourly cost.
• By default BYOL instances boot with all features and 100 Kbps throughput.
• 60-day evaluation licenses are self-serve at:
• http://www.cisco.com/go/license
• Router# show license udi
Resources
• AWS VPC Presentations
• https://www.youtube.com/user/AmazonWebServices/search?query=VPC
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions