Extending Enterprise Network into Public Cloud with Cisco CSR1000v

Transcription

1

2 Extending Enterprise Network into Public Cloud with Cisco CSR1000v Fan Yang, Technical Marketing Engineer Tony Banuelos, Product Manager BRKARC-2749

3 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot#brkarc Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Your Speaker Tony Banuelos Product Manager Product Manager at Cisco and at the company for 17 years working across different technologies like VoIP, UC Interoperability, SONET, Cisco VXI and public cloud solution. Fan Yang Technical Marketing Engineer 5 years in Cisco Youtube Channel: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Related Cisco Live Las Vegas 2017 Sessions BRKSDN-2411 NFV Performance - Challenges and Solutions BRKSEC-3007 Advanced Cisco IOS Security BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure) BRKARC-2023 Building Hybrid Clouds in Amazon Web Services with the CSR 1000v [LAB] LTRVIR-2100 Deploying Cisco Cloud Services Router CSR 1000V on AWS and Azure BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Agenda Introduction of Cisco CSR1000V in Public Cloud CSR Use Cases on Public Cloud Transit solution Licensing and Resources

7 Introduction of Cisco CSR1000V in Public Cloud

8 What is Public Cloud? On-demand extensible network and compute resources Supports IaaS model, allowing users to create virtual machines, storage, networking, security, and other services Supports open API to automate deployment of application services Amazon AWS and Microsoft Azure are leaders in public cloud BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Enterprises are Moving Applications to Cloud Numerous Challenges to Adopt Enterprise adoption of cloud continues to grow Security is still top of the list concern 70% of enterprise cloud solutions are hybrid approach where both private and public clouds are used Multi-Cloud becomes strategy for enterprise customers BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Cloud Adoption Numbers Data is collected from 1000 cloud customers across different business segments In 2016 Private Cloud Adoption fell to 72% from 77% the previous year, which impacted hybrid cloud which fell to 67% from 71% 95 percent of organizations surveyed are running applications or experimenting with infrastructure-as-aservice (Public Cloud) 85 percent of enterprises have a multi-cloud strategy, up from 82 percent in 2016 Most customers run their application in the cloud, with 41% running apps in public cloud and 38% in private cloud Source: RightScale 2017 State of the Cloud BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 How do I Size Cisco CSR 1000V? CSR is offered on Amazon AWS and Microsoft Azure CSR1000V pricing based on technology package, throughput, license term PLUS platform cost How do I choose the platform for CSR on AWS or Azure? Notice: Actual cost will depend on negotiated terms and discounts BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Cisco CSR 1000V Cloud Platform Options CSR on AWS Size CEF(Mbps) IPSEC(Mbps) T2.medium M3.Medium C4.large C4.xlarge C3.2xlarge C4.2xlarge C4.4xlarge C4.8xlarge CSR on Azure Size CEF(Mbps) IPSEC(Mbps) D2_v DS2_v D3_v DS3_v D4_v DS4_v BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Cisco CSR1000V on AWS Cloud Platform Cisco CSR1000V is supported on EC2 Instance Types: C3, C4, M3, T2 (R4 coming soon) Cost of CSR VM hosting depends on instance type model, size, term and region AWS offers pay-as-you-go (hourly) and pay-upfront (1Y or 3y term) consumption models Instance type size determines achievable CSR1000V performance Use AWS Simple Monthly Calculator to calculate cost Next slide shows an example on calculating AWS costs BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14

15 Cisco CSR1000V on Azure Cloud Platform Cisco CSR1000V is supported on VM Types: D-series, Dv2-series and DSv2-series Cost of CSR VM hosting depends on instance type model, size, term and region Azure offers month-to-month consumption model VM type size determines achievable CSR1000V performance Use Azure Simple Monthly Calculator to calculate cost Next slide shows an example on calculating Azure costs BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 CSR1000V on Azure Cloud Platform Azure cost calculator BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Cisco Cloud Services Router (CSR) 1000V Cisco IOS XE Software in a Virtual Appliance Form-Factor App OS App OS CSR 1000V Software Familiar IOS XE software with ASR1000 and ISR4000 Infrastructure Agnostic Runs on x86 platforms Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100 Supported Cloud Platforms: Amazon AWS, Microsoft Azure Virtual Switch Hypervisor Server Enterprise-class Networking with Rapid Deployment and Flexibility Performance Elasticity Available licenses range from 10 Mbps to 10 Gbps CPU footprint ranges from 1vCPU to 8vCPU License Options Term based 1 year, 3 year or 5 year Smart License enabled Programmability NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet *Only Available on Amazon AWS. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 IOS-XE Coverage for All Deployment Types CSR 1000v CSR 1000v ISR 4400 ASR 1000 Hypervisor Cloud Platform Enterprise Data Center or Branch BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 The Benefits of Bringing IOS XE into Public Clouds Extends Existing Routing Topology Integrates With Existing VPN Topology (Eg. DMVPN) Shares Existing Zone Based Firewall Policies Network Logging to Existing Tools Identifies Cloud Performance Problems IOS XE Supportable by Existing IT Staff Existing Monitoring Tools Existing Troubleshooting Steps BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Public Cloud 101

21 Region and Availability Zone Concepts VM (Virtual Machines) is hosted in multiple data centers across the world. A region is a separate geographic area VM instances have to be launched into a specific region. Locating instances close to end users can reduce latency Region is consisted by multiple AZs (Availability Zone). Each AZ is isolated, but AZs in a region are connected through low latency and high bandwidth links. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Virtual Private Cloud () Concepts is isolated from other s environment. s IP ranges (RFC 1918) can overlap. IGW (Internet Gateway) provides external access. Granular subnets can be created in. Route Table can be associated to subnets UDR (User Defined Route) can be added to route table Security Options: - Network ACLs protect subnets - Security Groups protect instances Internet EIP to EIP communication is going through Cloud Provider s backbone James Bond CIDR /16 Internet Gateway Elastic IP Mappings Route Table Subnet A /24 Subnet B /24 WebApp1 Instance IP: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 No Link Local Broadcast in the No Link local multicast or broadcast Affected Services Include: IGPs HSRP/VRRP BFD Proxy ARP, Gratuitous ARP > LISP-VM Mobility GRE as work-around for some services, some cloud BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Multiple Ways to Insert CSR 1000V as Gateway Two Armed Mode: CSR has one interface in each network. Two options to change gateway 1. Change application VM s default gateway to CSR IP 2. Change application subnet s route table pointing to CSR as gateway. (Recommended, more flexible and scalable) Limitation on # of interfaces for CSR imposed by different cloud providers. One Armed Mode: CSR has single interface and a default gateway pointed towards Internet Gateway. Other subnets have route added to their route table, pointing to the CSR as gateway. Instances in other subnets don t need their default gateway manually changed. Number of subnets is not limited by number of interfaces IGW IGW g1 Public subnet /24 g1 Route Table g2 Private subnet BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 CSR1000v Use Cases

26 CSR 1000V use cases for all public clouds Extend Enterprise Routing Architecture to Cloud Common routing fabric securely extended to cloud DMVPN, FlexVPN, GETVPN* Support up to 1000 tunnels corporate office/branch Remote Worker VPN Access FlexVPN IPSEC or SSLVPN via AnyConnect Flexible AAA server options for authentication Launch applications in regions near your users Cloud, US West Across Region/Cloud Provider Interconnection Distribute applications globally Accessibility across on-prem and cloud locations Overcomes VPN tunnel limitation on AWS and Azure Extend on-prem routing architecture into Public Cloud Monitor/Analyze/Shape traffic in Public Cloud Security(vFW, VRF, AVC, Snort IPS/URL Filtering) Assurance(IP SLA, BFD, QoS) Scale to hundreds of across regions/accounts (Transit ) Monitoring and troubleshooting with known common tools virtual private cloud Cloud, US East virtual private cloud *GETVPN supported on DX/ER only (no NAT) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 CSR 1000V Routing High Availability on Cloud No virtual IP as with HSRP, since Cloud Provider doesn t allow multicast or broadcast. BFD over GRE tunnel(aws), IPSEC or VXLAN-GPE (Azure*) is enabled between two CSRs to detect failure Failure detection is automatic. Route Tables for app subnets are repointed to surviving CSR. CSR itself calls Cloud Provider s REST API to shift Route Table routes. IGW CSR Subnet BFD Cloud REST API App Subnet A App Subnet B Before HA Failover / After HA Failover *Azure drop GRE packets BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Traffic Flow During Failover IGW CSR-A CSR-A Internet BFD Internet BFD CSR-B CSR-B *Asymmetric routing may exist CSR-A CSR-A Internet BFD Internet BFD CSR-B CSR-B Cloud REST API BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Two deployment models Application Gateway CSR deployed in application Provide IPSEC gateway for entire Need high availability Transit Hub Router CSR deployed in dedicated Transit Hub, not in application High speed traffic routing for spoke High availability is built-in natively Application AZ1 AZ2 Transit Hub BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 CSR1000v Performance in AWS and Azure Max 10 NICs Support on HVM instance types including T2, M3, C3, C4 Performance go up to 5Gbps L3 Routing and 4.5Gbps IPSEC 2, 4, 8 NICs deployment template Support on D2_V2, DS2_V2, D3_V2, DS3_V2, D4_V2, DS4_V2 instances Performance with 2Gbps L3 Routing and 1.8Gbps IPSEC BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Technical comparison between AWS and Azure for CSR 1000v Feature AWS Azure IPSEC Throughput 4.5 Gbps 1.8 Gbps Number of vnic supported today 10 2/4/8 High Availability (Routing) Supported Supported Multiple IP addresses on vnic Supported Supported Allow Overlapping IP addresses Yes Yes GRE Tunnel support in /VNet Supported Not supported L2 Broadcast and Multicast Not supported Not supported Add or remove interfaces on running CSR 1000V VM Yes No (need to stop instance) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Connection Options

33 Cloud to On-Premise Connection Internet Customer Network New York Co-location VGW (Virtual Private Gateway) WAN Customer Network San Jose Connection Option Use Cases Limitations VPN Dedicated Circuit* IPSEC VPN connections for to across regions Consistent 1G/10G connection to Cloud Provider Co-Location Throughput limited by VGW or VPN instance Point to Point High Cost Relationship required for 3 rd party * AWS DX (Direct Connect) and Azure ER (Express Route) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 to Connection VGW (Virtual Private Gateway) Dev QA Prod Peering Co-lo Co-lo us-west WAN Connection Option Use Cases Limitations us-east Peering High bandwidth to connection No across region peering Point to Point VPN* IPSEC VPN connections for to across regions Throughput limited by VGW or VPN instance Point to Point Dedicated Circuit* Consistent 1G/10G connection to Cloud Provider Co-Location VGW to VGW connection is only supported on Azure today High Cost Relationship required for 3 rd party BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Peering High Bandwidth to Interconnection Share Private IP CIDR blocks between the s Point to Point No Across Region Peering No Transit Peering Dev Peering QA us-west BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Dedicated Circuit (Direct Connect) Overview Dedicated connection between the enterprise and AWS Provides (1) private access to s and (2) public access to AWS services (S3, etc) Sub-interface on corporate DC router for each service BGP peering for route exchange for each service 1G and 10G dedicated connections; sub-1g connections available via partners Multiple connections for redundancy No Native Encryption Corporate DC Direct Connect Circuit Virtual Private Cloud Cisco ISR/ASR Virtual Private Gateway (VGW) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 A Closer Look At VGW (Virtual Private Gateway) VGW is an easy to use VPN service provided by AWS. It supports IPSEC VPN with pre-shared key (no certificate based). It supports static route and BGP routing (no route-map and fixed BGP AS number) VGW uses two end-points for high availability CGW (Customer Gateway) is needed to establish a IPSEC VPN. IPSEC can t be established between two VGWs VGW is also used in DX (Direct Connect) Static route and BGP routing No encryption BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Comparison: CSR 1000v, VGW and Peering Features Enterprise Grade CSR 1000v Hub Spoke network design Active/Active for Tunnels Across regions and accounts Site-to-Site/DMVPN network Full Transit Routing functions Full Traffic Control (QoS) and visibility Provide HA Redundancy VGW Full mesh network design Active/Standby for Tunnels Across regions and accounts Only Site-to-Site IPSEC Basic BGP No Traffic Control and visibility Provide HA (Two Tunnels per ) Simple Conn Peering Full mesh network design Same region No Transit Routing No Traffic Control Max 50 peers on AWS(up to 125 by contact support) Max 10 peers on Azure(up to 40 by contact support) Performance Op to 5Gbps CEF and 4.5Gbps IPSEC Two CSRs doubles to 10Gbps Max 500Mbps on AWS (up to 1Gbps by contact support) 200Mbps on Azure Same bandwidth between instances in same 400K BGP routes 100 routes Price Hourly and Annual BYOL(Bring Your Own License) Data Transfer* Hourly (per VPN connection) Data Transfer* *same cost for Data Transfer across three solutions, 0.02$/GB bi-directional Data Transfer* BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Transit with CSR1000v

40 Public Cloud Transit Routing Challenge -A Transit Routing NOT supported Full mesh A-to-C-thru-B A-B Peering B-C Peering -B 2 Private DC Backhaul -C No transit routing capability See next slide Don t support across region peering BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Transit Hub Point Network transit hub connecting multiple, geographically disperse networks High speed routing point in a centralized location Source: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Across regions, accounts/subscriptions Transit Design A B C Dedicated : Simplifies routing by not combining with other shared services.... Spoke CSR1000v Virtual Network Appliances: Provide dynamic routing and VPN network tunnels Redundancy: Dynamic routing combined with multi-az deployment creates a robust network infrastructure. VGW: virtual gateways provide highly available connections to transit virtual network appliances. Automated solution is available on AWS. Customer can build same solution without automation on Azure. AZ1 CSR1 Direct Connect Express Route Internet Transit ASR Private DC AZ2 CSR2 Other Provider Networks BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 42 VGW IGW

43 Traffic Segregation Traffic segregation is built-in natively CSR1 -A -B -C CSR2 Each Spoke is represented as a different VRF in CSR -A VRF -B VRF -C VRF Routing is controlled through RT (Route Target) MP-BGP Different s can communicate by export/import same RT On-Premise VRF Follow same mechanism to create customized VRF like on-premise VRF Private DC BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 High Availability in Transit Active Tunnel Standby Tunnel Spoke VGW has two tunnels with both CSRs. Spoke VGW doesn t support load balance across two tunnels. It s using active standby. A B... Spoke C It s possible different VGW uses different CSR as active. Both CSRs are forwarding traffic independently at same time. CSR1 CSR2 In case of CSR fail, the other CSR will take over all traffic. Transit VGW IGW BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Connect to DX (Direct Connect) Detached VGW Create a Detached VGW which is not attached to any. DX connection is terminated on Detached VGW ASR doesn t learn CIDR of Transit Routes will be exchanged through VGW like a middle hop Specify same tag on VGW and tunnels will be automatically provisioned like another spoke Throughput will be restrained by VGW doing IPSEC encryption (Current 1Gbps) IPSEC Encrypted Non-Encrypted CSR1 Detached VGW Transit ASR Private DC AWS Direct Connect CSR2 BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 45 BGP1 BGP2

46 Connect to DX (Direct Connect) Attached VGW Create a VGW for DX and attach it to Transit DX connection is terminated on Detached VGW ASR learns CIDR of Transit CSR1 VGW CSR2 Transit CSR builds BGP peering with ASR directly BGP2 Manual configuration needed, can t leverage previous Lambda scripts Tunnel AWS Direct Connect BGP1 Throughput goes up to 10Gbps with 2xCSR ASR Private DC BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Multi Region Deployment us-west us-east CSR2 Tunnel Tunnel CSR3 CSR1 CSR4 Transit Transit DX/ER Internet DX/ER Internet VGW IGW ASR Private DC 1 Keep localized traffic in same region ASR Private DC 2 BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Scale Out Add another pair of CSRs to scale out Remote end (VGW) has multiple tunnels and do L3 ECMP (Equal Cost Multiple Path) Elasticity as you go: monitor CSR real-time throughput and spin up new CSRs on demand. CSR1 CSR2 CSR3 CSR4 Transit DX/ER Internet ASR Private DC... VGW IGW BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Transit Architecture and Components on AWS Transit : deployed with two Cisco CSR instances in separate AZs S3 bucket: Storage location for transit config files KMS (Key Management Service): All data in the S3 bucket is encrypted using a solution-specific AWS KMS managed customer master key (CMK). VGW Tags: Customer-specified opt-in tags to automatically join a spoke to the transit network VGW Poller (Lambda function): Identifies and configures VGWs to connect to the transit network (checks all regions every minute) Writes new VPN connection details to an S3 bucket Cisco Configurator (Lambda function): Pushes VPN configuration to CSR instances when config files are saved to S3 Spoke A AZ 1 Transit Corporate Data Center Spoke B AZ 2 VGW Poller Other Provider Networks Spoke n Amazon S3 bucket AWS KMS Cisco Configurator BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Transit Security Configuration Transit : No inbound traffic all VPN connections originate from CSRs CSR Hardening: SSH restricted to Cisco Configurator function security group SSH public key auth only (password auth disabled) Enables EC2 Auto Recovery for CSR instances Cisco Configurator: Runs inside Uses automation-specific, unique SSH keys for auth S3 bucket: AES-256 SSE for all files Bucket policy controls which additional accounts may join the transit network BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Transit workflow Adding new transit spoke VGW Poller Amazon S3 bucket Cisco Configurator 4 A C B 5 CSR 1 CSR 2 AZ 1 AZ 2 Transit BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Transit workflow (cont.) VGW Poller Logic VGW Poller 1 2 Amazon S3 bucket Does the VGW have the appropriate tag? yes Is there an existing VPN connection? No Create Customer Gateways (if required) for the IPs of the CSR instances A B Create a VPN connection to the Customer Gateway Download the VPN configuration file in XML and push it to Amazon S3 C VGW Poller logic BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Transit workflow (cont.) Adding new transit spoke Copy the XML VPN configuration file and SSH keys from the Amazon S3 bucket From the XML file, extract VPN, BGP, and interface parameters. Create a Cisco config using these values. Amazon S3 bucket 3 Cisco Configurator 4 SSH into the CSR instances Apply the Cisco config onto the CSR instances Cisco Configurator logic CSR 1 CSR 2 AZ 1 AZ 2 Transit BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Transit Best Practice (1) Is CSR dropping packets? Make sure CSR is running at licensed throughput BYOL (Bring Your Own License) CSR-BYOL#show license all License Store: Primary License Storage StoreIndex: 0 Feature: ax_2500m Version: 1.0 License Type: Permanent Start Date: N/A, End Date: May License State: Active, In Use License Count: Non-Counted License Priority: Medium CSR-BYOL#show platform hardware throughput level The current throughput level is kb/s Hourly CSR-hourly#show license all License Store: Primary License Storage CSR-hourly#show platform hardware throughput level The current throughput level is kb/s Check Packet drop BR #show platform hardware qfp active statistics drop Global Drop Stats Packets Octets Ipv4NoAdj BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Transit Best Practice (2) I observe tunnel status on VGW is down on AWS console. Check tunnel status on CSR. VGW status might be a little bit delayed. If tunnel on CSR is down or no tunnel info, check if CSR has correct configurations pushed. If CSR has configurations, tunnels should be up typically. If CSR doesn t have correct configurations. It means Lambda function has at least one of following problems. 1. VGW Poller can t poll tag or wrong tag specified on VGW 2. Cisco Configurator can t push configurations to CSR Check Cloud Watch logs to identify root cause for Lambda Note: CSR security group doesn t need inbound rule of UDP 500/4500 since IPSEC session is initialized from CSR to VGW. Security group doesn t restrict any outbound traffic. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 55

56 Transit Best Practice (3) I want to choose active CSR for spoke. This is used to enable state full features, like ZBFW and etc. By default two CSRs are forwarding traffic at same time. Spoke VGW randomly picks one CSR as active, the other CSR as standby. You can use preferred tag and set specific CSR as active and standby. VGW Preferred tag=csr1 Active Tunnel Standby Tunnel CSR1 CSR2 BGP as-path prepend Transit BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 Transit Best Practice (4) How to do maintenance on CSR? For example, version upgrade. CSR supports inline upgrade in b version and onwards. It will be the same process as upgrading a physical IOS-XE router (Upload bin and change boot). Two CSRs are working as active active. Let one CSR stop forwarding traffic gracefully by shutdown tunnels on CSR. All traffic will be forwarded to the other CSR. Upgrade the CSR to correct version and bring up tunnels. Traffic will be load balanced across two CSRs. Redo same steps on the other CSR. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Transit Best Practice (5) How do I manage CSR through private IP, rather than EIP. Customer wants to manage CSR through private IP since most NMS (Network Management System) or Network Engineers sits in on premise network. For security concern, security group on CSR is only open to internal IPs. Create a MGMT VRF and tie to a Loopback interface Redistribute this loopback interface into BGP domain ip vrf mgmt rd 64512:2 route-target export 64512:0 route-target import 64512:0 interface Loopback0 ip vrf forwarding mgmt ip address router bgp address-family ipv4 vrf mgmt redistribute connected BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

59 Transit Sizing Sizes include*: 2 x 500 Mbps (c4.large) 2 x 1 Gbps (c4.xlarge) 2 x 2.5 Gbps (c4.2xlarge) 2 x 4.5 Gbps (c4.4xlarge) 2 x 5 Gbps (c4.8xlarge) Need SEC technology pack (BGP routing, IPSEC, VRF-Lite) Number of connections: 100 out-of-the-box (VGW limits) 1000s with customized route summarization *Additional virtual appliances can be added to increase aggregate bandwidth and to create additional network paths using BGP multi-path BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 Transit Variations

61 What if I want to push more throughput to spoke and have traffic visibility?

62 Variation #1 DMVPN Transit High Throughput: spoke scales up to 4.5Gbps, 400K routes on CSR, while 1Gbps, 100 routes on VGW Inter Traffic: spoke to spoke communication directly which saves Transit CSR throughput Redundancy: two CSRs in spoke acts as high availability pair to provide redundancy Application Visibility: provide application level visibility in spoke with NBAR capability on CSR Advanced Security: push security policy to edge. Provide ZBFW, IPS and URL filtering A CSR1 Direct Connect Internet B DMVPN Private DC... Transit ASR Spoke CSR2 Other Provider Networks BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 62 C IGW

63 What if I want to enable security policy and DIA (Direct Internet Access)?

64 Central versus DIA (Direct Internet Access) VM software/os update and etc. Central Internet Access Leverage existing enterprise internet connection and security perimeter All traffic traverses the VPN Tunnel DIA (Direct Internet Access) Optimal access to cloud based resources Offload Internet traffic from DX or ER Doesn t lose central security enforcement -A -B -C -A -B -C Internet Security Internet Transit Transit Security Private DC Private DC BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Variation #2 Integrated Security Features on CSR Support Coming Integrated Security Low TCO by enabling security services Built-in high availability with routing ACL VRF Zone Based Firewall Single device to manage routing and security Snort IPS Web Root URL Filtering Umbrella CSR1 CSR2 IPSEC Trust Sec AAA Transit Hub BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 65

66 Variation #3.1 Secured DMZ by extending Transit A B... Spoke C CISCO VERIFIED Internet CSR1 CSR2 NGFWv Transit VGW IGW Routing: CSR redirects Internet traffic to NGFWv Security: NGFWv as standalone IPS VM provides full IPS features and easily managed through FMCv NAT: NGFWv acts as NAT device. NAT/PAT supported Automation: One click Launch by using template and scripts NGFWv (Next Generation FireWall Virtual) FMCv (Firepower Management Center Virtual) Deployment Video BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 66

67 Variation #3.2 Deploy IDS In Passive Mode CISCO VERIFIED Internet IDS (NGFWv) deployed in Passive Mode CSR1000v sends traffic through ERSPAN session NGFWv inspects traffic over ERSPAN session passively Spoke to spoke traffic is agnostic to IDS device CSR1 ERSPAN CSR2 * ERSPAN= Encapsulated Remote Switch Port Analyzer Port NGFWv Transit VGW NGFWv (Next Generation FireWall Virtual) FMCv (Firepower Management Center Virtual) IGW BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 67

68 Variation #4 Dedicated Security Internet Separate security services into dedicated Network team manages Transit A Security FW IPS B Security team manages Security /0 No end-to-end automation, manual configuration needed Additional Internet traffic cost going to Security. Transit Additional hop for latency. VGW Private DC IGW BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 Summary on 5 Variations Variations /Features Hub-Spoke Spoke-Spoke Spoke Throughput IOS-XE Features at Spoke #0 Transit Solution 1Gbps Lower Cost #1 DMVPN Transit 5Gbps Higher Variations /Features L4 FW L7 FW IPS/IDS Routing Security Separation Domain Separation Traffic Latency #2 Integrated Security Lower Lower Cost #3 Secured DMZ Medium Higher #4 Dedicated Security Higher Higher BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 69

70 Summary on 5 Variations Variations Pros Cons #0 Transit Solution Lower TCO by using VGW on spoke Centralized routing domain and security enforcement Highly automated #1 DMVPN Transit Higher throughput at spoke Spoke to spoke connection, not limited by transit CSRs throughput Full enterprise features including traffic control and visibility at spoke Security policy pushed to edge spoke Highly automated #2 Integrated Security Lower TCO by leveraging existed features on CSR L4 firewall, IPS and URL filtering Central security enforcement Native high availability on CSR VGW s throughput and routes limited at spoke No traffic control and visibility at spoke Capacity limited by two CSRs throughput Higher TCO by using CSR on spoke (price close to VGW if using for 5 years) Throughput impact based on security features enabled No L7 firewall and full IPS functions #3 Secured DMZ Advanced security features offered by 3 rd party VNF Separate VNFs for routing and security Shared for routing and security #4 Dedicated Security Advanced security features offered by 3 rd party VNF Separate VNFs for routing and security Separate for routing and security Higher TCO by adding 3 rd party VNF (FW, IPS or IDS) High availability depends on 3 rd party VNF Throughput limited by 3 rd party VNF Higher TCO by adding 3 rd party VNF (FW, IPS or IDS) High availability depends on 3 rd party VNF Throughput limited by 3 rd party VNF One more to manage and additional traffic cost BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 70

71 CSR 1000V IWAN on Amazon AWS us-west Branch 1 CSR Subnet us-east App Subnet A csr1000v csr1000v BR1 virtual private cloud Internet csr1000v App Subnet B csr1000v us-west Branch 2 BR2 MC csr1000v virtual private cloud MPLS/DX APIC-EM Physical branch Cloud Data Center BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 71

72 CSR Programmability

73 CSR1000v Automation Cloud Center APIC EM NSO Guest Shell Ansible Deploy Infra SD-WAN Function Pack Cloud, US West Cloud Formation virtual private cloud Lambda Public Cloud SP Infrastructure Devops BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 73

74 CSR1000v Web GUI BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Application Visibility on CSR1000v BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 75

76 Guest Shell Guest Shell runs in a LXC container It gives you native Linux Shell (Command) access to run customized scripts Access to IOS-XE CLI, boot flash Python is the language we support today Linux applications You can install AWS CLI and SDK to automate day-to-day jobs through scripts EEM can be leveraged to create Crontab tasks calling Guest Shell scripts Cisco Devnet Lab Guest Shell Open Application Container API Network OS BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 76

77 Enable Guest Shell Guest shell uses VPG as source interface and connect to outside through NAT interface GigabitEthernet1 ip address dhcp ip nat outside ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 overload ip access-list standard GS_NAT_ACL permit IOS Guest Shell Container interface VirtualPortGroup0 ip address ip nat inside G1 VPG CSR 1000v eth guestshell enable virtualportgroup 0 guest-ip name-server BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 77

78 Enter Guest Shell Same Linux Shell Access Install AWS CLI and Python SDK ip #guestshell ~]$ pwd /home/guestshell ~]$ ls scripts ~]$ uname -a Linux guestshell #1 SMP Wed Mar 22 07:08:50 PDT 2017 x86_64 x86_64 x86_64 GNU/Linux sudo -E pip install awscli sudo -E pip install boto3 aws configure or configure ~/.aws/config and ~/.aws/credentials BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 78

79 Use Case #1: Monitor CSR Real-Time Throughput by AWS Cloud Watch Python script in Guest Shell Gather CSR throughput by show platform hardware qfp active datapath utilization Send key metric to AWS Cloud Watch through AWS python SDK boto3 EEM(Embedded Event Manager) script Trigger python script based on regular time interval Visualize throughput on Cloud Watch event manager applet get-throughput event timer watchdog time 15 action 0.0 cli command "enable" action 1.0 cli command "guestshell run /home/guestshell/get-sys-throughput-fyang2.py" action 10.0 syslog msg "guestshell-get-throughput executed!" BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 79

80 Use Cases #2: Network Services Zone Failover Firewall and IPS EIP failover Virtual network functions (router, firewall, IPS and etc) deployed across multiple AZs for redundancy FW EIP FW In case of AZ failure, all networking functions need to failover to a different AZ IPS IPS Hard to push all vendors to have same failover mechanism AZ1 CSR1 AZ2 CSR2 Write your own Python scripts to do seamless failover Cloud REST API BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 80

81 Guest Shell Demo

82 Licensing

83 CSR 1000v Licensing Structure Pick one option from each column Technology Package (See next slide for details) Throughput License Type Example: IPBase 250 Mbps 1-Year IPBase SEC AppX AX 10 Mbps 50 Mbps 100 Mbps 250 Mbps 500 Mbps 1 Gbps 2.5 Gbps 5 Gbps 10 Gbps Subscription (1-year, 3-year or 5-year) Utility Based Note: CSR add-on license options not shown above BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 83

84 CSR 1000v Technology Package Features Technology Package IP Base IOS-XE Features Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS, PBR, BFD Multicast: IGMP, PIM High Availability: HSRP, VRRP, GLBP Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS Basic Security: ACL, AAA, RADIUS, TACACS+ Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF SEC IP Base Plus Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN High Availability: Box-to-box HA for FW and NAT AppX IP Base Plus Advanced Networking: L2TPv3, MPLS, VRF, VXLAN (Except L3 VXLAN-GPE) Application Experience: WCCPv2, AppNAV, NBAR2, AVC, IP SLA Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS AX ALL FEATURES Feature in Red will not work in AWS/Azure limitation of public cloud infrastructure(lack of L2 support, Multicast not support) BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 84

85 Flexible Licensing Options on Public Cloud Purchase Model Cloud Provider Subscription Model BYOL (Bring Your Own License) 1-year, 3-year and 5-year Hourly Annual AWS No TAC TAC TAC convertible Non-convertible Azure TAC Management Model License Model PAK Smart Licensing UDI Independent 1-click Re-host License Utilization BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 85

86 License Behavior Change Licensed Period + 1 Year Throughput CLI will be blocked 1Mbps after Kbps before 16.5 Running at Licensed throughput Loss connectivity to SL Server Keep running at previous throughput Sending expiration Warning Syslog Keep running at previous Throughput CLI will be blocked Throttle to 1Mbps or 100Kbps Boot Up Licensed 90days Grace Period 90days Expiration Date 1 year SL ID_TOKEN Expires 1 Year BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 86

87 Additional Resources

88 Joint Webinar with Under Armour and Adobe Webinar recording on Youtube: Webinar deck on Slideshare: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 88

89 Book: Virtual Routing in the Cloud Available now at Virtual Routing in the Cloud, First Edition By: Arvind Durai, Stephen Lynn, Amit Srivastava Publisher: Cisco Press Pub. Date: April 22, 2016 Print ISBN: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 89

90 Miercom Performance testing of CSR1000V Miercom is a world leading independent testing and consultant provider. It provides unbiased hands-on testing, research and certification services. CSR1000V on private cloud platforms delivers up to 20Gbps on a single x86 server, across 3 CSRs CSR1000V on Amazon AWS delivers up to 5Gbps of encrypted traffic running on Instance type C4.8xlarge Miercom tested different combinations of features enabled to determine real world performance (IPV4 Forwarding, QoS, NBAR, Firewall, IPSEC) Cisco CSR1000V Miercom report: BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 90

91 Additional Resources Free CSR Test Drive Program on AWS Public Documentation: 20+ Demo Videos on CSR 1000V Youtube Channel CSR 1000V Configuration Guide for AWS CSR 1000V Configuration Guide for Azure AWS Mailer Azure Mailer BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 91

92 Key Takeaways

93 Summary: CSR 1000V is built for the cloud CSR 1000V runs industry-leading Cisco IOS-XE software. CSR 1000V supports comprehensive networking features to best suit enterprise needs in cloud journey. CSR 1000V abstracts different public cloud networking capability and gives customer an unified view of management. BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 93

94 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on Don t forget: Cisco Live sessions will be available for viewing on demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

95 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKARC Cisco and/or its affiliates. All rights reserved. Cisco Public 95

96 Thank you

97