Building Hybrid Clouds

with CSR 1000v

Steven Carter, Solutions Architect
Chris Hocker, Consulting Systems Engineer
BRKARC-2023
Agenda

• CSR Deployment in AWS

• On-Prem Deployment Options in VMware & OpenStack
• Building Scalable Overlay Networks
• Deploying CSR Features
CSR Deployment in AWS
CSR 1000V Architecture – Virtualized ASR 1001
Forwarding Plane (FP) Control Plane
Virtualized IOS XE
FFP Client • Generalized to work on any x86 system
/ Driver IOS
• Hardware specifics abstracted through a
Forwarding Mgr. Chassis Mgr.
virtualization layer
Forwarding Mgr.
FFP code Linux Container
• Forwarding (ESP) and Control (RP)
mapped to vCPUs
vCPU vMemory vDisk vNIC • Bootflash: NVRAM: are mapped into
memory from hard dis

Hypervisor (VMware / Citrix / KVM)

• No dedicated crypto engine – we
leverage the Intel AES-NI instruction set
to provide hardware crypto assist.
CPU Memory Disk NIC

Physical Hardware
CSR 1000V Architecture - IOSd
Forwarding Plane Control Plane • Runs as a process under the Guest Linux
FFP Client IOS
Kernel
/ Driver
• IOS timing is governed by Linux Kernel
Chassis Mgr.
Chassis Mgr.
Forwarding Mgr. scheduling
Forwarding Mgr.
• Provides virtualized management ports
FFP code • Since these are managed by their respective
software processes
vCPU vMemory vDisk vNIC
• No direct hardware component access!
• Communicates with other software processes
Hypervisor (VMware / Citrix / KVM) via IPC
• Runs Control plane features
CPU Memory Disk NIC • CLI and configuration processing
Physical Hardware • SNMP handling, routing protocols, session
mgmt.
 Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!

1. Search for “Cisco”

2. Pick a flavor
CSR 1000V Licensing for AWS
Two Options…
Bring Your Own License “BYOL”
• Provision “BYOL” CSR instances from AWS
Marketplace
• Only pay AWS for basic instance-type fees
• Purchase desired license from Cisco or Cisco
Partner
• Install purchased license onto “BYOL” version of
CSR you provisioned from the AWS Marketplace
AWS Marketplace Billing
• Provision hourly billed CSR instances from AWS
Marketplace
• Pay AWS for basic instance-type usage AND fees
for CSR usage
• AWS pays Cisco for CSR usage fees they collect.
You pay Cisco nothing directly.
• No license file to manage or install
 CSR 1000V Licensing Structure Example:
Pick one option from each column…
IP Base
Technology Package Throughput License Type 250 Mbps
(See next slide for details)
1-Year
10 Mbps
IP Base Perpetual
50 Mbps

100 Mbps
SEC 250 Mbps
Subscription
500 Mbps (1-year or 3-year)
AppX 1 Gbps

2.5 Gbps

5 Gbps Usage
AX (target date Q1 CY15)
10 Gbps
* CSR add-on license options not shown above
CSR 1000V Features Per Technology Package
Technology
IOS-XE Features
Package
 Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS
 Multicast: IGMP, PIM
IPBase  High Availability: HSRP, VRRP, GLBP
(formerly Standard)  Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
 Basic Security: ACL, AAA, RADIUS, TACACS+
 Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF
IPBase Plus…
SEC  Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN,
(formerly Advanced)
SSLVPN, GETVPN

IPBase Plus…
 Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN
AppX
 Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA
 Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS

AX ALL FEATURES
(formerly Premium)

 Features in Red will not work in Amazon – infrastructure issues (lack of L2

support, Multicast not supported)
What are all the different CSR 1000V types listed?
1. Cloud Services Router 1000V BYOL
• Can be any tech package and throughput level depending on license purchased from Cisco and
installed on CSR (not all throughputs supported)

2. Cloud Services Router 1000V Security Tech Package

• Includes features from the Security technology package. Performance based on AWS instance
type selected (more or less vCPU/vMemory)

3. Cloud Services Router 1000V AX Tech Package

• Includes features from the AX technology package. Performance based on AWS instance type
selected (more or less vCPU/vMemory)

4. “Maximum Performance” versions of the above three

• Enables SR-IOV enhanced networking for higher performance

5. CSR Direct Connect 1 Gig and Multi-Gig

• Instances used for securing AWS Direct Connect circuits
CSR 1000V in Microsoft Azure

 Available in Azure Marketplace

(End of June):
 http://azure.microsoft.com/en-
us/marketplace/

 Search for “Cisco”

 CSR 1000V product page will
contain pricing, support, and
deployment information
CSR with InterCloud Fabric

VM VM
VM VM
VLAN A
Secure L2 Extension VLAN A
InterCloud
CSR
InterCloud InterCloud
Extender Switch VM VM
VM VM Trunk
VLAN B

VLAN B

On-Prem AWS
Cisco ASAv Firewall and Management Features
Subset of ASAv features are
Cisco® ASA Feature Set not supported in AWS

 VLAN tagging
 Virtualization displaces multiple-context and clustering
 Parity with all other Cisco ASA platform features

Cisco  Traditional (Cisco ASDM and CSM) management tools

ASAv  Dynamic routing includes OSPF, EIGRP, and BGP

in AWS  IPv6 inspection support, NAT66, and NAT46/NAT64

 REST API for programmed configuration and monitoring
 Cisco TrustSec® PEP with SGT-based ACLs
 Zone-based firewall, Equal-Cost Multipath
 Policy Based Routing, VxLAN Support (VTEP)
Removed clustering and  Failover Active/Standby HA model
multiple-context mode
VPC 101
Maps to AWS
• Logically isolated network with its Elastic IP
own IP range, routes, security, etc.
• IP ranges can be overlapping
Internet IP
• Internet gateway routes outside and 54.x.x.x
between VPCs
• Public IP or NAT for egress
• VPC peering needed to route
between VPCs
• Security: • Subnet “router” routes within the
VPC
• Network ACLs at the border of VPC
• Security Groups within the VPC • Subnet “router” is really an
encap/decap device b/w hypervisors
CSR placement in the AWS network
• NAT at the Internet GW
• Will break services that do not work
Maps to AWS
over NAT, such as GET-VPN Elastic IP
• Tunnel source will be a private 10.2.2.10 10.2.1.10
address Gi2 Gi1 10.2.1.11
• Tunnel destination from the Internet IP
perspective of VPN peers will be a 54.x.x.x
public address
10.1.2.10 10.1.1.10
• Assign EC2 elastic IP address so that Gi2 Gi1
address does not change if the 10.1.1.11
CSR1K is shutdown
• Other VPCs see Elastic IP address • CSR should be the default gateway
unless using VPC peering for the application VMs
No Link Local Broadcast in the VPC
• No Link local multicast or broadcast
10.1.1.10
• Affected Services Include: NAT

• IGPs 10.1.1.10 54.x.x.x

10.1.1.11
• HSRP/VRRP
• BFD 10.1.1.12
• Proxy ARP, Gratuitous ARP > LISP-VM
Mobility
• GRE as work-around for some services
• FHRP difficult b/c of AWS Routing
Multiple Ways to Insert CSR as Gateway
• Two Armed Mode
172.24.2.0/24
• CSR has one interface in each network
AWS IGW
• Instances have default gateway changed to point
to CSR IP or change AWS Route Table default g1 g2
route
• Limitation on # of interfaces for CSR imposed by
AWS 172.24.2.0/25 172.24.2.128/25

• One Armed Mode

• CSR has single interface and a default gateway 172.24.2.0/24
pointed towards AWS Internet Gateway
• Other subnets have route added to their route AWS IGW g1 VPC
table, pointing to the CSR as gateway Router

• Instances in other subnets don’t need their default

gateway manually changed. Continue to use
AWS Route Table.
Management and Front Door VRF
• Management and remote access of the CSR will
happens over a public interface (i.e. Floating IP)
• No interactive console on AWS
• Cisco VPN designs recommend front-door VRF
• Simplifies routing: send a default route over the tunnel
• Improves security: isolating the LAN from the public internet

• Configuring VRF causes loss of connectivity

• EEM script used to work around.
• Internet access required for other AWS services (e.g.
S3)
• Can not use front-door VRFs in these scenarios
CSR Advantages over…
Virtual Private Gateway:
• Scalability
• Continuity of Operations
• Spoke-to-spoke routing
• Richer routing features
• Security/Application Visibility
VPC Peering:
• Overlapping CIDR blocks
• Peering between regions
• Transitive peering relationships
• Multiple peerings per VPC
• Unicast Reverse Path Forwarding
• Spoke-to-spoke routing
Multi-Site, Full Mesh Hybrid Cloud

Full Tunnel Mesh

West Coast Region East Coast Region

Corporate Network
Overlay Options HQ

Head-End
On-Prem Anchored Overlay:
• Traditional physical enterprise with good connectivity at HQ
• Redundant DM-VPN at HQ AWS AWS
• Extends enterprise network to other sites, field offices, teleworkers, West East
and public clouds Home Branch

Cloud Anchored Overlay:

• Traditional physical enterprise with less-good connectivity or wanting HQ
geographic redundancy
• Virtual-only enterprise with Cloud-based DC Head-End Head-End
• Redundant DM-VPN in Cloud West East

• Extends enterprise to other sites, field offices, teleworkers, and public

clouds AWS AWS
West East
Home Branch
On-Prem Deployment
Options in VMware &
OpenStack
On-Prem Termination CSR 1000V
Hardware vs. Virtual
• Hardware: Performance, Determinism
• Virtual: Flexibility
ASR
Places in the Network 1000/ISR
4400
• Border for Entire Organization
• Hardware: ASR/ISR Border

• Data Center for Individual Tenants: Campus

• Software: CSR CSR 1000V
Data Center
CSR in Private Cloud
• Tenant Router, Head-End, or NFV
• Supported on Multiple Hypervisors
• Managed by tenant or network team
• Manual or orchestrated deployment
• Dedicated hosts or distributed with
tenant workloads Tenant Gateway

Tenant VLANs

Hypervisor Hypervisor
CSR Images for On-Prem Deployment
Deployment in VMware

• Deploy as OVA
• Chose performance

Virtual Interfaces = Router Interfaces

g0 g1

g2
Deployment in OpenStack
Neutron server Compute server
Hosting Device
Plugging Driver
Manager

Some server CSR1kv

Routing-aaS
service plugin Notifications

CfgAgent
Firewall-aaS
service plugin …
Driver specific
VPN-aaS communication
service plugin

Hosting devices
Scheduler
What is supported today – April 2015.
Openstack “I” Release “J” release “K” release

CSR as Tenant VM Supported

Routing-aaS - Merged
CSR as replacement of Neutron router

VPN-aaS CSR out of band bring up Merged

CSR for site-to-site IPsec VPN

FW-aaS plugin - - Merged

CSR as FW enabled by ACLs
Building Scalable Overlay
Networks
Enterprise VPN Termination into AWS

virtual private cloud

AWS cloud corporate office/branch

• Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN,
FlexVPN, EZVPN, etc…
• Up to 1,000 concurrent VPN tunnels per CSR, and no per-tunnel charges from
Amazon.
• Familiar configuration, familiar troubleshooting, not a black box.
Back-End Corporate Access

Subnet 1 Subnet 1

Private
Public

Corporate Users
Internet

Site to Site VPN connection

(Data & management)
Internet Users
Corporate Data Center
Remote Access and Site-to-Site VPN to AWS

Subnet 1 Subnet 1

Private
Public

Internet Corporate Users

Internet Users
connecting via
VPN (ikev2 and Site to Site VPN connection
IPSec/L2TP) (Data & management)
Corporate Data Center
Interconnecting AWS VPCs Using the CSR 1000V

virtual private cloud virtual private cloud

US west region US east region

AWS cloud

• Easily integrate multiple AWS regions into existing VPN topology as new sites
• Can be leveraged for hierarchical designs with in regions.
• Distribute applications across the globe, and keep the network simple
DMVPN Design Model 1
Full Tunnel for AWS Application VMs

• DMVPN sites have access to DMVPN

AWS-hosted applications through Default
IPSec tunnels to CSR Route

• Uses front-door VRF for VPN

AWS IGW Tun0
termination
G1 G2
• AWS application VMs run in the
Default
global routing table
• AWS application VMs do not have
local internet access or local G1 – VRF INET
access to AWS public services* G2, Tun0 - Global

• Requires EEM Script

*New feature called VPC endpoints for S3 service
Embedded Event Manager
• Provides real-time network event
detection and onboard automation.
• Adapt the behavior of your network
devices to network conditions
• More than 20 event detectors
• Simple applets and more complex
scripts
Create the Cisco EEM Applet:
event manager applet fvrf
event none
action 1.0 cli command "enable”
action 1.1 cli command "conf t”
action 1.2 cli command "interface gig1”
action 1.3 cli command "vrf forwarding
internet-vrf”
action 1.4 cli command "ip address dhcp”
action 2.0 cli command "end”
Run the Cisco EEM Applet:
event manager run fvrf
DMVPN Design Model 2
Direct Internet Access for AWS Application VMs

• DMVPN sites have direct access DMVPN

Specific
to AWS-hosted applications Routes
• VPN and AWS application VMs run
in global routing table AWS IGW Tun0

• Leverage NAT overload to the G1 G2

Elastic IP address Default
• AWS application VMs have local
internet access and local access to
AWS public services G1, G2, Tun0 - Global
CSR VPN High Availability
VPC
• No virtual IP as with HSRP, CSR
since AWS doesn’t allow Subnet
App
multicast Subnet A

• AWS Route Tables for app

subnets are re-pointed to
opposite CSR App
Subnet B
• Failure detection is automatic
• CSR itself calls AWS API to
adjust AWS Route Table
routes Before HA Failover
AWS REST API
After HA Failover
CSR VPN HA Configuration
Create IAM ChangeRouteRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DescribeRouteTables",
"ec2:DescribeVpcs",
"ec2:ReplaceRoute",
"ec2:DisassociateRouteTable",
"ec2:ReplaceRouteTableAssociation"
],
"Resource": "*"
}
]}
CSR VPN HA Configuration
Deploy CSR and Assign IAM Role
CSR VPN HA Configuration
Configure GRE Tunnel, BFD, and EIGRP
interface Tunnel1

ip address 172.16.1.1 255.255.255.252

bfd interval 500 min_rx 500 multiplier 3

tunnel source GigabitEthernet1

VPC
tunnel destination 54.200.190.64 CSR
Subnet
App
! Subnet A

router eigrp 1

bfd interface Tunnel1 Tunnel1

network 172.16.0.0
App
passive-interface GigabitEthernet1 Subnet B
CSR VPN HA Configuration
Configure EEM

event manager environment CIDR 0.0.0.0/0

event manager environment ENI eni-d679128f

event manager environment RTB rtb-631bda06

event manager environment REGION us-west-2/172.24.1.2

event manager applet replace-route2

event syslog pattern "\(Tunnel1\) is down: BFD peer down notified"

action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2

"$CIDR" arg3 "$ENI" arg4 "$REGION"
Direct Connect With CSR 1000V
• Remove existing BGP configuration from customer router
• Create new BGP neighbor relationship between tunnel interface addresses (to ensure
routes are learned via tunnel)
• Advertise prefixes from campus/data center and AWS VPC
Direct Connect
VLAN
Circuit
Corporate HQ Sub-Interface: BGP Virtual Private Cloud
172.17.1.0/24 Gig1.100 172.16.0.0/16
10.10.10.1/30

Customer Virtual Private CSR 1000V

Router Gateway (VGW) IP:172.16.1.10
(Cisco 10.10.10.2/30 EIP:54.1.2.3
ISR/ASR)

IPSec Tunnel
Interface Tunnel 1 Interface Tunnel 1
IP: 169.254.1.1 IP: 169.254.1.2
Destination: 54.1.2.3 Destination: 10.10.10.1
BGP Advertisements: BGP Advertisements:
172.17.1.0/24 172.16.0.0/16
Deploying CSR Features
Firewall and Application Visibility in the AWS Cloud
• Stateful firewall between AWS
regions and physical locations
• Familiar Zone-Based Firewall
configuration
• Application Visibility and Control
(AVC)
virtual private cloud • Uses NBAR2 to identify over 1,000
AWS cloud corporate office/branch different applications
• Monitor and control application
usage
Flexible NetFlow Records
• Track packet loss, latency, jitter,
and response time of your cloud.
Edge Router and Firewall

Subnet 1 Subnet 1

Private
Public

Internet

Internet users accessing AWS

resources using translated IPs
Internet Users
Zone Based Firewall Configuration Example (1/2)
class-map type inspect match-any tunnel-
inside
match protocol icmp Outside Inside
match protocol http
match protocol https g1 g2
match protocol ssh
match access-group name tunnel-inside

Tunnel
ip access-list extended tunnel-inside
permit tcp any host 172.24.2.200 eq 3389

policy-map type inspect tunnel-inside

class type inspect tunnel-inside
inspect
class class-default
drop log
Zone Based Firewall Configuration Example (2/2)
zone security outside
zone security inside
zone security tunnel
Outside Inside

g1 g2
zone-pair security tunnel-inside source
tunnel destination inside
service-policy type inspect tunnel-inside
Tunnel
interface Tunnel0
zone-member security tunnel
interface GigabitEthernet1
zone-member security outside
interface GigabitEthernet2
zone-member security inside
NAT
Floating IP:
55.128.99.23
interface GigabitEthernet1
g1 g2
ip nat outside
interface GigabitEthernet2 172.24.2.0/25 172.24.2.128/25
ip nat inside
ip nat inside source list nat interface GigabitEthernet1 overload
ip nat inside source static tcp 172.24.2.200 80 172.24.2.17 80 extendable
ip access-list standard nat
permit 172.24.2.128 0.0.1.255
Needs to be the Internal Address
Enterprise-Wide Application Visibility
• Uses Netflow and IP SLA
• GUI for application visibility
• IP SLA configuration and monitoring
• Extends application visibility to your
cloud border
Enterprise-Wide Security Visibility
• Uses Netflow
• GUI for security visibility
• Extends application visibility to your cloud:
NetFlow
• Detecting Sophisticated and Persistent
Threats
StealthWatch
• Identifying BotNet Command & Control FlowCollector

Activity https

• Uncovering Network Reconnaissance

StealthWatch
• Finding Internally Spread Malware Management
Console
• Revealing Data Loss
IP SLA
• Actively monitor and measure ip sla 1
icmp-echo 172.24.0.5 source-ip 172.24.0.4
performance
tag DMVPN_SLA
• Includes data about response time, ip sla 2
one-way latency, jitter, packet loss, icmp-echo 172.24.0.1 source-ip 172.24.0.4
voice-quality scoring, network tag DMVPN_SLA
resource availability, application ip sla group schedule 1 1-3 schedule-
period 60 frequency 60 start-time now life
performance, and server response forever
time ip sla responder

• Performance data can be used in

routing decisions and EEM
• Detect Partner Failover
Remote Worker VPN Access into AWS

virtual private cloud

AWS cloud

• IPSec and SSLVPN access via AnyConnect for teleworkers and remote users
• AAA server options for user database
• Easily host copies of your apps in regions close to your remote users
• No similar service offered natively by AWS
SSL VPN Configuration Example (1/3)
Create a Server Certificate
crypto key generate rsa label sslvpn-key
• A self-signed certificated is modulus 2048
generated by default when the CSR
!
is launched.
crypto pki trustpoint sslvpn-self-signed
• Can generate a new self-signed
enrollment selfsigned
certificate or provision a certificate
from an Enterprise CA subject-name cn=csr-aws-sslvpn

revocation-check none

rsakeypair sslvpn-key

crypto pki enroll sslvpn-self-signed

virtual private
cloud
AWS cloud
SSL VPN Configuration Example (2/3)
Configure User Database and Address Pool
• User database can be on AAA aaa new-model

server or defined locally aaa authentication login sslvpn local

aaa authorization exec default local

aaa authorization network sslvpn local

username chocker privilege 15 secret 5

$1$VHFK$5jHUYC/Sy.0yCaexJs6xo1

!
virtual private
cloud ip local pool pool1 10.10.10.50
AWS cloud 10.10.10.100
SSL VPN Configuration Example (3/3)
Configure Crypto
crypto ssl proposal proposal1 crypto ssl profile profile1

protection rsa-aes128-sha1 match policy policy1

! aaa authentication list sslvpn

crypto ssl authorization policy auth- aaa authorization group list sslvpn auth-
policy1 policy1

netmask 255.255.255.0 authentication remote user-credentials

pool pool1 !

! crypto vpn anyconnect

bootflash:/webvpn/anyconnect-macosx-i386-
crypto ssl policy policy1 3.1.05187-k9.pkg sequence 1
ssl proposal proposal1

pki trustpoint sslvpn-self-signed sign

ip interface GigabitEthernet1 port 443

!
CSR REST API
 REST is Representational State Transfer http://www.cisco.com/c/en/us/td/docs/routers/csr1000/softw
 Based on HTTP. Client-Server model. Stateless. are/restapi/restapi/RESTAPIintro.html

 Identify resources through URIs - /api/v1/global/ntp/servers

 Request & Response type: JSON (Javascript Object Notation)
 Common Methods: PUT, POST, GET, DELETE

PUT /api/v1/global/host-name 200 Ok

Content-Type: application/json Content-Type: application/json

Accept: application/json
{
{
“host-name”: “eng-router”
“host-name”: “eng-router”
} }

200 Ok

GET /license/UDI Content-Type: application/json

Accept: application/json {
“link: “/license/UDI”,
“UDI”: “ACRPSJAE9486R”
}
Summary
Cisco CSR 1000v Summary
• Extends enterprise network to public cloud
• Normalize operations across multiple public clouds
• Hybrid cloud designs using CSR in the public cloud and ASR1K/ISR/CSR1K
on-premise
• Primary use case - secure connectivity using IPSec, DMVPN, SSL VPN, etc.
• Enterprise-class networking services including Routing, FW, and NAT
• Rich telemetry for security and performance monitoring with Netflow/AVC
• Used with AWS Direct Connect for encryption and overlay routing
• HSRP-like High Availability for AWS VPCs
CSR 1000v in AWS
Design Guide
http://www.cisco.com/c/en/us/td
/docs/solutions/Hybrid_Cloud/In
tercloud/CSR/AWS/CSRAWS.p
df
Evaluation Licenses
• Only BYOL instances need an evaluation license, since non-BYOL instances
are pre-licensed as part of the hourly cost.
• By default BYOL instances boot with all features and 100 Kbps throughput.
• 60-day evaluation licenses are self-serve at:
• http://www.cisco.com/go/license
• Router# show license udi
Resources
• AWS VPC Presentations
• https://www.youtube.com/user/AmazonWebServices/search?query=VPC

• CSR in AWS CVD

• http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS.pdf

• CSR in AWS Support Forum

• https://supportforums.cisco.com/community/csr-amazon

• CSR in AWS Test Drive

• https://csrtestdrive.com/

• CSR in AWS Marketplace

• https://aws.amazon.com/marketplace/seller-profile?id=e201de70-32a9-47fe-8746-09fa08dd334f
• Evalulation Licenses
Thank you
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @ciscocloudguy
• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions