Building Hybrid Clouds with CSR 1000v Steven Carter, Solutions Architect Chris Hocker, Consulting Systems Engineer BRKARC-2023

Transcription

1

2 Building Hybrid Clouds with CSR 1000v Steven Carter, Solutions Architect Chris Hocker, Consulting Systems Engineer BRKARC-2023

3 Agenda CSR Deployment in AWS On-Prem Deployment Options in VMware & OpenStack Building Scalable Overlay Networks Deploying CSR Features

4 CSR Deployment in AWS

5 CSR 1000V Architecture Virtualized ASR 1001 Forwarding Plane (FP) FFP Client / Driver Forwarding Mgr. FFP code vcpu vmemory vdisk Control Plane IOS Chassis Mgr. Forwarding Mgr. Linux Container vnic Hypervisor (VMware / Citrix / KVM) CPU Memory Disk NIC Virtualized IOS XE Generalized to work on any x86 system Hardware specifics abstracted through a virtualization layer Forwarding (ESP) and Control (RP) mapped to vcpus Bootflash: NVRAM: are mapped into memory from hard dis No dedicated crypto engine we leverage the Intel AES-NI instruction set to provide hardware crypto assist. Physical Hardware

6 CSR 1000V Architecture - IOSd Forwarding Plane FFP Client / Driver Chassis Mgr. Forwarding Mgr. FFP code vcpu vmemory vdisk Physical Hardware Control Plane IOS Chassis Mgr. Forwarding Mgr. vnic Hypervisor (VMware / Citrix / KVM) CPU Memory Disk NIC Runs as a process under the Guest Linux Kernel IOS timing is governed by Linux Kernel scheduling Provides virtualized management ports Since these are managed by their respective software processes No direct hardware component access! Communicates with other software processes via IPC Runs Control plane features CLI and configuration processing SNMP handling, routing protocols, session mgmt.

7 Q: Where can I find the CSR on AWS? A: In the AWS marketplace! 1. Search for Cisco 2. Pick a flavor

8 CSR 1000V Licensing for AWS Two Options Bring Your Own License BYOL AWS Marketplace Billing Provision BYOL CSR instances from AWS Marketplace Only pay AWS for basic instance-type fees Purchase desired license from Cisco or Cisco Partner Install purchased license onto BYOL version of CSR you provisioned from the AWS Marketplace Provision hourly billed CSR instances from AWS Marketplace Pay AWS for basic instance-type usage AND fees for CSR usage AWS pays Cisco for CSR usage fees they collect. You pay Cisco nothing directly. No license file to manage or install

9 CSR 1000V Licensing Structure Pick one option from each column Technology Package (See next slide for details) Throughput License Type Example: IP Base 250 Mbps 1-Year IP Base SEC AppX AX 10 Mbps 50 Mbps 100 Mbps 250 Mbps 500 Mbps 1 Gbps 2.5 Gbps 5 Gbps 10 Gbps Perpetual Subscription (1-year or 3-year) Usage (target date Q1 CY15) * CSR add-on license options not shown above

10 CSR 1000V Features Per Technology Package Technology Package IPBase (formerly Standard) SEC (formerly Advanced) AppX IOS-XE Features Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS Multicast: IGMP, PIM High Availability: HSRP, VRRP, GLBP Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS Basic Security: ACL, AAA, RADIUS, TACACS+ Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF IPBase Plus Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN IPBase Plus Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS AX (formerly Premium) ALL FEATURES Features in Red will not work in Amazon infrastructure issues (lack of L2 support, Multicast not supported)

11 What are all the different CSR 1000V types listed? 1. Cloud Services Router 1000V BYOL Can be any tech package and throughput level depending on license purchased from Cisco and installed on CSR (not all throughputs supported) 2. Cloud Services Router 1000V Security Tech Package Includes features from the Security technology package. Performance based on AWS instance type selected (more or less vcpu/vmemory) 3. Cloud Services Router 1000V AX Tech Package Includes features from the AX technology package. Performance based on AWS instance type selected (more or less vcpu/vmemory) 4. Maximum Performance versions of the above three Enables SR-IOV enhanced networking for higher performance 5. CSR Direct Connect 1 Gig and Multi-Gig Instances used for securing AWS Direct Connect circuits

12 CSR 1000V in Microsoft Azure Available in Azure Marketplace (End of June): Search for Cisco CSR 1000V product page will contain pricing, support, and deployment information

13 CSR with InterCloud Fabric VLAN A VM VM VM VM Trunk InterCloud Extender Secure L2 Extension VLAN A VM VM InterCloud Switch VM VM VLAN B InterCloud CSR VLAN B On-Prem AWS

14 Cisco ASAv Firewall and Management Features Cisco ASA Feature Set Cisco ASAv in AWS Removed clustering and multiple-context mode VLAN tagging Virtualization displaces multiple-context and clustering Parity with all other Cisco ASA platform features Traditional (Cisco ASDM and CSM) management tools Dynamic routing includes OSPF, EIGRP, and BGP IPv6 inspection support, NAT66, and NAT46/NAT64 REST API for programmed configuration and monitoring Cisco TrustSec PEP with SGT-based ACLs Zone-based firewall, Equal-Cost Multipath Policy Based Routing, VxLAN Support (VTEP) Failover Active/Standby HA model Subset of ASAv features are not supported in AWS

15 VPC 101 Logically isolated network with its own IP range, routes, security, etc. IP ranges can be overlapping Internet gateway routes outside and between VPCs Public IP or NAT for egress VPC peering needed to route between VPCs Security: Network ACLs at the border of VPC Security Groups within the VPC Maps to AWS Elastic IP Internet IP 54.x.x.x Subnet router routes within the VPC Subnet router is really an encap/decap device b/w hypervisors

16 CSR placement in the AWS network NAT at the Internet GW Will break services that do not work over NAT, such as GET-VPN Tunnel source will be a private address Tunnel destination from the perspective of VPN peers will be a public address Assign EC2 elastic IP address so that address does not change if the CSR1K is shutdown Other VPCs see Elastic IP address unless using VPC peering Maps to AWS Elastic IP Internet IP 54.x.x.x Gi Gi Gi Gi CSR should be the default gateway for the application VMs

17 No Link Local Broadcast in the VPC No Link local multicast or broadcast Affected Services Include: IGPs HSRP/VRRP BFD Proxy ARP, Gratuitous ARP > LISP-VM Mobility GRE as work-around for some services FHRP difficult b/c of AWS Routing NAT x.x.x

18 Multiple Ways to Insert CSR as Gateway Two Armed Mode CSR has one interface in each network Instances have default gateway changed to point to CSR IP or change AWS Route Table default route Limitation on # of interfaces for CSR imposed by AWS One Armed Mode CSR has single interface and a default gateway pointed towards AWS Internet Gateway Other subnets have route added to their route table, pointing to the CSR as gateway Instances in other subnets don t need their default gateway manually changed. Continue to use AWS Route Table. AWS IGW AWS IGW /24 g1 g / / /24 g1 VPC Router

19 Management and Front Door VRF Management and remote access of the CSR will happens over a public interface (i.e. Floating IP) No interactive console on AWS Cisco VPN designs recommend front-door VRF Simplifies routing: send a default route over the tunnel Improves security: isolating the LAN from the public internet Configuring VRF causes loss of connectivity EEM script used to work around. Internet access required for other AWS services (e.g. S3) Can not use front-door VRFs in these scenarios

20 CSR Advantages over Virtual Private Gateway: Scalability Continuity of Operations Spoke-to-spoke routing Richer routing features Security/Application Visibility VPC Peering: Overlapping CIDR blocks Peering between regions Transitive peering relationships Multiple peerings per VPC Unicast Reverse Path Forwarding Spoke-to-spoke routing

21 Multi-Site, Full Mesh Hybrid Cloud Full Tunnel Mesh West Coast Region East Coast Region Corporate Network

22 Overlay Options HQ On-Prem Anchored Overlay: Head-End Traditional physical enterprise with good connectivity at HQ Redundant DM-VPN at HQ Extends enterprise network to other sites, field offices, teleworkers, and public clouds AWS West Home Branch AWS East Cloud Anchored Overlay: Traditional physical enterprise with less-good connectivity or wanting geographic redundancy HQ Virtual-only enterprise with Cloud-based DC Redundant DM-VPN in Cloud Head-End West Head-End East Extends enterprise to other sites, field offices, teleworkers, and public clouds AWS West AWS East Home Branch

23 On-Prem Deployment Options in VMware & OpenStack

24 On-Prem Termination Hardware vs. Virtual Hardware: Performance, Determinism Virtual: Flexibility Places in the Network Border for Entire Organization Hardware: ASR/ISR Data Center for Individual Tenants: Software: CSR Border Campus Data Center CSR 1000V ASR 1000/ISR 4400 CSR 1000V

25 CSR in Private Cloud Tenant Router, Head-End, or NFV Supported on Multiple Hypervisors Managed by tenant or network team Manual or orchestrated deployment Dedicated hosts or distributed with tenant workloads Tenant Gateway Tenant VLANs Hypervisor Hypervisor

26 CSR Images for On-Prem Deployment

27 Deployment in VMware Deploy as OVA Chose performance Virtual Interfaces = Router Interfaces g0 g1 g2

28 Deployment in OpenStack Neutron server Hosting Device Manager Routing-aaS service plugin Firewall-aaS service plugin VPN-aaS service plugin Plugging Driver Scheduler Notifications Some server CfgAgent Driver specific communication Compute server CSR1kv Hosting devices

29 What is supported today April Openstack I Release J release K release CSR as Tenant VM Supported Routing-aaS CSR as replacement of Neutron router - Merged VPN-aaS CSR for site-to-site IPsec VPN CSR out of band bring up Merged FW-aaS plugin CSR as FW enabled by ACLs - - Merged

30 Building Scalable Overlay Networks

31 Enterprise VPN Termination into AWS virtual private cloud AWS cloud corporate office/branch Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN, FlexVPN, EZVPN, etc Up to 1,000 concurrent VPN tunnels per CSR, and no per-tunnel charges from Amazon. Familiar configuration, familiar troubleshooting, not a black box.

32 Back-End Corporate Access Subnet 1 Subnet 1 Private Public Internet Corporate Users Internet Users Site to Site VPN connection (Data & management) Corporate Data Center

33 Remote Access and Site-to-Site VPN to AWS Subnet 1 Subnet 1 Private Public Internet Users connecting via VPN (ikev2 and IPSec/L2TP) Internet Site to Site VPN connection (Data & management) Corporate Data Center Corporate Users

34 Interconnecting AWS VPCs Using the CSR 1000V virtual private cloud US west region AWS cloud virtual private cloud US east region Easily integrate multiple AWS regions into existing VPN topology as new sites Can be leveraged for hierarchical designs with in regions. Distribute applications across the globe, and keep the network simple

35 DMVPN Design Model 1 Full Tunnel for AWS Application VMs DMVPN sites have access to AWS-hosted applications through IPSec tunnels to CSR DMVPN Default Route Uses front-door VRF for VPN termination AWS application VMs run in the global routing table AWS IGW G1 Default Tun0 G2 AWS application VMs do not have local internet access or local access to AWS public services* G1 VRF INET G2, Tun0 - Global Requires EEM Script *New feature called VPC endpoints for S3 service

36 Embedded Event Manager Provides real-time network event detection and onboard automation. Adapt the behavior of your network devices to network conditions More than 20 event detectors Simple applets and more complex scripts Create the Cisco EEM Applet: event manager applet fvrf event none action 1.0 cli command "enable action 1.1 cli command "conf t action 1.2 cli command "interface gig1 action 1.3 cli command "vrf forwarding internet-vrf action 1.4 cli command "ip address dhcp action 2.0 cli command "end Run the Cisco EEM Applet: event manager run fvrf

37 DMVPN Design Model 2 Direct Internet Access for AWS Application VMs DMVPN sites have direct access to AWS-hosted applications VPN and AWS application VMs run in global routing table Leverage NAT overload to the Elastic IP address AWS application VMs have local internet access and local access to AWS public services DMVPN AWS IGW G1 Default G1, G2, Tun0 - Global Specific Routes Tun0 G2

38 CSR VPN High Availability No virtual IP as with HSRP, since AWS doesn t allow multicast VPC CSR Subnet App Subnet A AWS Route Tables for app subnets are re-pointed to opposite CSR Failure detection is automatic App Subnet B CSR itself calls AWS API to adjust AWS Route Table routes AWS REST API Before HA Failover After HA Failover

39 CSR VPN HA Configuration Create IAM ChangeRouteRole ], { ] } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:associateroutetable", "ec2:createroute", "ec2:createroutetable", "ec2:deleteroute", "ec2:deleteroutetable", "ec2:describeroutetables", "ec2:describevpcs", "ec2:replaceroute", "ec2:disassociateroutetable", "ec2:replaceroutetableassociation" "Resource": "*" }

40 CSR VPN HA Configuration Deploy CSR and Assign IAM Role

41 CSR VPN HA Configuration Configure GRE Tunnel, BFD, and EIGRP interface Tunnel1 ip address bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination ! VPC CSR Subnet App Subnet A router eigrp 1 bfd interface Tunnel1 Tunnel1 network passive-interface GigabitEthernet1 App Subnet B

42 CSR VPN HA Configuration Configure EEM event manager environment CIDR /0 event manager environment ENI eni-d679128f event manager environment RTB rtb-631bda06 event manager environment REGION us-west-2/ event manager applet replace-route2 event syslog pattern "\(Tunnel1\) is down: BFD peer down notified" action 1.0 publish-event sub-system 55 type 55 arg1 "$RTB" arg2 "$CIDR" arg3 "$ENI" arg4 "$REGION"

43 Direct Connect With CSR 1000V Remove existing BGP configuration from customer router Create new BGP neighbor relationship between tunnel interface addresses (to ensure routes are learned via tunnel) Advertise prefixes from campus/data center and AWS VPC Corporate HQ /24 VLAN Sub-Interface: Gig /30 Direct Connect Circuit BGP Virtual Private Cloud /16 Customer Router (Cisco ISR/ASR) Virtual Private Gateway (VGW) /30 CSR 1000V IP: EIP: Interface Tunnel 1 IP: Destination: BGP Advertisements: /24 IPSec Tunnel Interface Tunnel 1 IP: Destination: BGP Advertisements: /16

44 Deploying CSR Features

45 Firewall and Application Visibility in the AWS Cloud virtual private cloud AWS cloud corporate office/branch Flexible NetFlow Records Stateful firewall between AWS regions and physical locations Familiar Zone-Based Firewall configuration Application Visibility and Control (AVC) Uses NBAR2 to identify over 1,000 different applications Monitor and control application usage Track packet loss, latency, jitter, and response time of your cloud.

46 Edge Router and Firewall Subnet 1 Subnet 1 Private Public Internet Internet Users Internet users accessing AWS resources using translated IPs

47 Zone Based Firewall Configuration Example (1/2) class-map type inspect match-any tunnelinside match protocol icmp match protocol http match protocol https match protocol ssh match access-group name tunnel-inside Outside g1 g2 Inside ip access-list extended tunnel-inside permit tcp any host eq 3389 Tunnel policy-map type inspect tunnel-inside class type inspect tunnel-inside inspect class class-default drop log

48 Zone Based Firewall Configuration Example (2/2) zone security outside zone security inside zone security tunnel zone-pair security tunnel-inside source tunnel destination inside service-policy type inspect tunnel-inside interface Tunnel0 zone-member security tunnel interface GigabitEthernet1 zone-member security outside interface GigabitEthernet2 zone-member security inside Outside g1 Tunnel g2 Inside

49 NAT interface GigabitEthernet1 ip nat outside Floating IP: g1 g2 interface GigabitEthernet2 ip nat inside / /25 ip nat inside source list nat interface GigabitEthernet1 overload ip nat inside source static tcp extendable ip access-list standard nat permit Needs to be the Internal Address

50 Enterprise-Wide Application Visibility Uses Netflow and IP SLA GUI for application visibility IP SLA configuration and monitoring Extends application visibility to your cloud border

51 Enterprise-Wide Security Visibility Uses Netflow GUI for security visibility Extends application visibility to your cloud: Detecting Sophisticated and Persistent Threats Identifying BotNet Command & Control Activity Uncovering Network Reconnaissance Finding Internally Spread Malware Revealing Data Loss NetFlow https StealthWatch FlowCollector StealthWatch Management Console

52 IP SLA Actively monitor and measure performance Includes data about response time, one-way latency, jitter, packet loss, voice-quality scoring, network resource availability, application performance, and server response time Performance data can be used in routing decisions and EEM Detect Partner Failover ip sla 1 icmp-echo source-ip tag DMVPN_SLA ip sla 2 icmp-echo source-ip tag DMVPN_SLA ip sla group schedule scheduleperiod 60 frequency 60 start-time now life forever ip sla responder

53 Remote Worker VPN Access into AWS virtual private cloud AWS cloud IPSec and SSLVPN access via AnyConnect for teleworkers and remote users AAA server options for user database Easily host copies of your apps in regions close to your remote users No similar service offered natively by AWS

54 SSL VPN Configuration Example (1/3) Create a Server Certificate A self-signed certificated is generated by default when the CSR is launched. Can generate a new self-signed certificate or provision a certificate from an Enterprise CA crypto key generate rsa label sslvpn-key modulus 2048! crypto pki trustpoint sslvpn-self-signed enrollment selfsigned subject-name cn=csr-aws-sslvpn revocation-check none rsakeypair sslvpn-key! crypto pki enroll sslvpn-self-signed virtual private cloud AWS cloud

55 SSL VPN Configuration Example (2/3) Configure User Database and Address Pool User database can be on AAA server or defined locally aaa new-model aaa authentication login sslvpn local aaa authorization exec default local aaa authorization network sslvpn local! username chocker privilege 15 secret 5 $1$VHFK$5jHUYC/Sy.0yCaexJs6xo1 virtual private cloud AWS cloud! ip local pool pool

56 SSL VPN Configuration Example (3/3) Configure Crypto crypto ssl proposal proposal1! protection rsa-aes128-sha1 crypto ssl authorization policy authpolicy1! netmask pool pool1 crypto ssl policy policy1 crypto ssl profile profile1 match policy policy1 aaa authentication list sslvpn aaa authorization group list sslvpn authpolicy1! authentication remote user-credentials crypto vpn anyconnect bootflash:/webvpn/anyconnect-macosx-i k9.pkg sequence 1 ssl proposal proposal1 pki trustpoint sslvpn-self-signed sign ip interface GigabitEthernet1 port 443!

57 CSR REST API REST is Representational State Transfer Based on HTTP. Client-Server model. Stateless. Identify resources through URIs - /api/v1/global/ntp/servers Request & Response type: JSON (Javascript Object Notation) Common Methods: PUT, POST, GET, DELETE are/restapi/restapi/restapiintro.html PUT /api/v1/global/host-name Content-Type: application/json Accept: application/json { host-name : eng-router } 200 Ok Content-Type: application/json { host-name : eng-router } 200 Ok GET /license/udi Content-Type: application/json Accept: application/json { } link: /license/udi, UDI : ACRPSJAE9486R

58 Summary

59 Cisco CSR 1000v Summary Extends enterprise network to public cloud Normalize operations across multiple public clouds Hybrid cloud designs using CSR in the public cloud and ASR1K/ISR/CSR1K on-premise Primary use case - secure connectivity using IPSec, DMVPN, SSL VPN, etc. Enterprise-class networking services including Routing, FW, and NAT Rich telemetry for security and performance monitoring with Netflow/AVC Used with AWS Direct Connect for encryption and overlay routing HSRP-like High Availability for AWS VPCs

60 CSR 1000v in AWS Design Guide /docs/solutions/hybrid_cloud/in tercloud/csr/aws/csraws.p df

61 Evaluation Licenses Only BYOL instances need an evaluation license, since non-byol instances are pre-licensed as part of the hourly cost. By default BYOL instances boot with all features and 100 Kbps throughput. 60-day evaluation licenses are self-serve at: Router# show license udi

62 Resources AWS VPC Presentations CSR in AWS CVD CSR in AWS Support Forum CSR in AWS Test Drive CSR in AWS Marketplace Evalulation Licenses

63 Thank you

64 Participate in the My Favorite Speaker Contest Promote Your Favorite Speaker and You Could be a Winner Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress) Send a tweet and include Your favorite speaker s Twitter Two hashtags: #CLUS #MyFavoriteSpeaker You can submit an entry for more than one of your favorite speakers Don t forget to View the official rules at

65 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

66 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions

67