Advanced CSR Lab with High Availability and Transit VPC

Transcription

1

2 Advanced CSR Lab with High Availability and Transit VPC Fan Yang, Cisco, Engineer, Technical Marketing Nikolai Pitaev, Cisco, Engineer, Technical Marketing LTRVIR-3004

3 Agenda Slides (30 Min.): CSR 1000V Introduction AWS and Azure Concepts CSR Lab Modules Walk Through LAB see the Lab Guide for details

4 What s in it for me?" Understanding CSR 1000V on AWS and Azure In this session Short introduction of CSR 1000V Lab: CSR 1000v high availability on cloud and Transit VPC solution Short summary at the end of the lab Out of scope Physical ASR 1000 routers running the same IOS XE Deep dive into cloud tools Cloud design and architecture LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Related Cisco Live Berlin 2017 Sessions BRKSPG-2063 vbng Solution with CSR1000V and ESC Orchestration LABSPG-1015 Walk-In Self-Paced Lab Deploying CSR1000v as virtual LAC / LNS LTRVIR-2100 Deploying Cisco Cloud Services Router CSR 1000V on AWS and Azure LTRARC-3500 IOS XE (4xxx, ASR1K and CSR1000V) troubleshooting TECSPG-2300 Network Function Virtualization (NfV) seminar LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 What is Public Cloud? On-demand extensible network and compute resources Supports IaaS model, allowing app developers to run projects using a range of development tools Supports PaaS model, allowing users to create virtual machines, storage, networking, security, and other services Approximately 40% market share in public cloud between Azure and AWS* Web based management tools, Microsoft also offers MS PowerShell management option * LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Cisco Cloud Services Router (CSR) 1000V Cisco IOS XE Software in a Virtual Appliance Form-Factor App OS App OS Virtual Switch Hypervisor Server CSR 1000V Enterprise-class Networking with Rapid Deployment and Flexibility Software features. Same software as ASR 1000 and ISR Infrastructure Agnostic No dependency on specific Server or vswitch Runs on VMWare ESXi, RHEL KVM, Ubuntu KVM, Citrix Xen, Microsoft Hyper-V, Amazon AWS and Microsoft Azure Throughput Elasticity Licensable throughput from 10 Mbps to 10 Gbps Footprint options from 1 to 8 virtual CPUs Licensing Models Term 1 Year, 3 Years, 5 Years or Hourly Usage* Smart License Programmability NetConf/Yang, RESTConf and SSH/Telnet for automated provisioning, management, and monitoring *Only Available on Amazon AWS. LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 CSR 1000V use cases for all public clouds 1. Branch Location VPN Termination: IPSec, DMVPN, FlexVPN, EZVPN, etc. Up to 1,000 concurrent VPN tunnels per CSR corporate office/branch 2. Remote Worker VPN Access: SSLVPN via AnyConnect for remote users Cloud, US West 3. VPC / DC Interconnection: Distribute applications across the globe, connect different regions simple 4. Firewall and Application Inspection: Stateful firewall between regions * Routers do not actually produce fire (usually) virtual private cloud Cloud, US East virtual private cloud LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 AWS/Azure Transit Routing Challenge VPC A VPC B VPC C Subnet Subnet Subnet Virtual Network VGW Virtual Network VGW VGW Virtual Network VPC Peer-to-Peer routing is supported. VPC A subnets can route to VPC B VPC transit Routing is not supported. VPC A subnets cannot route to VPC C subnets across VPC B Across Region Peering is not supported! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 AWS/Azure Transit Routing Challenge Peer-to-Peer routing supported VPC A VPC B VPC C A-B B-C Subnet Subnet Subnet Virtual Network VGW Virtual Network VGW VGW Virtual Network VPC Peer-to-Peer routing is supported. VPC A subnets can route to VPC B VPC transit Routing is not supported. VPC A subnets cannot route to VPC C subnets across VPC B Across Region Peering is not supported! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 AWS/Azure Transit Routing Challenge VPC A VPC B VPC C Subnet Subnet Subnet Virtual Network VGW Virtual Network VGW VGW Virtual Network VPC Peer-to-Peer routing is supported. VPC A subnets can route to VPC B VPC transit Routing is not supported. VPC A subnets cannot route to VPC C subnets across VPC B Across Region Peering is not supported! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 AWS/Azure Transit Routing Challenge Transit Routing NOT supported VPC A A-to-C-thru-B VPC B VPC C Subnet Subnet Subnet Virtual Network VGW Virtual Network VGW VGW Virtual Network VPC Peer-to-Peer routing is supported. VPC A subnets can route to VPC B VPC transit Routing is not supported. VPC A subnets cannot route to VPC C subnets across VPC B Across Region Peering is not supported! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Amazon AWS Concept

14 Virtual Private Cloud (VPC) logically isolates networks VPCs IP ranges can overlap. Internet GW provides external access. VPC James Bond CIDR /16 Subnet A /24 VPC Peering can route between VPCs. Security Options: - Network ACLs protect subnets - Security Groups protect instances Internet Gateway Subnet B /24 AWS Route Tables route within the VPC. LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Elastic IP Address is a routable address mapped to an instance in VPC Internet Gateway Elastic IP Mappings James VPC CIDR /16 Subnet A /24 Subnet B /24 WebApp1 Instance IP: Instances never have a publicly routable IP address directly assigned. Addresses are associated with AWS account and not the instance. Elastic IP for CSR 1000V becomes tunnel endpoint for VPN in this lab. LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 VGW Concept One VGW will have two endpoints Basic IPSEC and BGP No Transit Routing LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Microsoft Azure Concept

18 Azure Basic Concepts (continued) Virtual Network (VNet) A VNet logically isolates a network s own IP range, routes, security policies, etc. Each subnet created is automatically assigned a route table that contains system routes: Local VNet Rule, On-prime rule and Internet Rule System routes can be overwritten by User Defined Routes Virtual Network CIDR /16 Subnet A /24 Subnet B /24 VNets IP ranges cannot overlap Public IP NAT or Overload NAT for outbound traffic (No true public IPs) Azure system route table routes within the VNet All VNet subnets ALWAYS have a route to all other VNet subnets! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 19

19 Technical comparison between AWS and Azure for CSR 1000V Feature AWS Azure Number of vnic supported today 10 2 / 4 / 8 Routing High Availability supported Planned in 2017 Elastic/public and private IP address on the same interface multiple IP addresses multiple IP addresses Allow Overlapping IP addresses yes Yes GRE Tunnel support supported Not supported Add or remove interfaces on running CSR 1000V VM yes no LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 21

20 Lab Modules 1. AWS VPC Gateway Redundancy with CSR 1000v (70 min.) 2. Transit VPC with CSR 1000v (50 min.) 3. (Optional) Build DMVPN Between Transit VPC and Azure (30 min.) 4. (Optional) Add security services into Transit VPC (60 min.)

21 Module 1 Deploy CSR High Availability in AWS LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 23

22 CSR 1000V Routing High Availability /16 Virtual Network CIDR /16 Public Subnet /24 Private Subnet IPSEC /24 CSR-Active Private Subnet Public Subnet IPSEC / /24 20 Min. CSR-Backup 20 Min. 30 Min. Failover is in sub-second! AWS REST API Before HA Failover / After HA Failover LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 24

23 CSR 1000V Failover /16 Virtual Network CIDR /16 Public Subnet /24 Private Subnet IPSEC /24 CSR-Active Private Subnet Public Subnet IPSEC / /24 20 Min. CSR-Backup 20 Min. 30 Min. Failover is in sub-second! AWS REST API Before HA Failover / After HA Failover LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 25

24 AWS VPC details PxV1 HA VPC /16 Internet IGW Public Subnet /24 Private Subnet /24 CSR-Active CSR-Backup Priv ate route table /16 local /0 CSR-Activ e Public route table /16 local /0 IGW LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 26

25 Azure VNET Details PxV1 VNET Virtual Network CIDR /16 Internet CSR 1000v Private Subnet /24 Public Subnet /24 Priv ate route table /24 CSR /16 CSR Public route table /24 CSR LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 27

26 Module 2 Deploy Transit VPC solution with CSR 1000v LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 28

27 Transit VPC Design A B... C Spoke VPC Dedicated VPC: Simplifies routing by not combining with other shared services. CSR1000v Virtual Network Appliances: Provide dynamic routing and VPN network tunnels Redundancy: Dynamic routing combined with multi-az deployment creates a robust network infrastructure. VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances. AZ1 Direct Connect Internet Transit VPC ASR Private DC AZ2 Other Provider Networks 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

28 Transit VPC Lab A B 20 Min. 30 Min. AZ1 Transit VPC AZ2 DMVPN 30 Min. *Optional Single DMVPN Dual Hub (Active/Standby) Active Hub Standby Hub Private* DC Azure VNet Branch* *Private DC and Branch is not included in this lab 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

29 Module 3 (Optional) Build a DMVPN Network with Transit VPC and Azure VNET LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 31

30 DMVPN Details Active Hub Private IP: EIP: Tunnel 0: VRF: DMVPN AZ1 Transit VPC AZ2 Backup Hub Private IP: EIP: Tunnel 0: VRF: DMVPN AS AS DMVPN Single DMVPN Dual Hub (Active/Standby) Active Hub Private* DC Azure VNet Branch* Standby Hub AS Azure Spoke Private IP: EIP: Tunnel 0: *Private DC and Branch is not included in this lab Azure blocks GRE packets, IPSEC is enabled LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 32

31 Module 4 (Optional) Add Security Service into Transit VPC LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 33

32 Secured Transit VPC A B... C Spoke VPC Internet A1 Transit VPC A2 Routing: Spoke forwards Internet traffic to CSR, then CSR redirects traffic to FTDv to be inspected. Security: FTDv as IPS device in Transit VPC. Customer can turn on IPS/URL Filtering and other features. NAT: FTDv acts as NAT device. Customer can deploy static NAT/PAT. *Only one IGW, two IGWs for better diagram. Direct Connect Private DC 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

33 Lab Tips and Guidance

34 Before you begin Make sure, you have one page with additional lab information Make sure, that you are using assigned AWS region! All your resources created should be named in certain way. For example: P23V1 for pod23 LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 36

35 Use Multiple Web Browser's Tab to Open Different Services LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 37

36 Filter resources for better view This lab is in a shared environment and 5 attendees are sharing one region. You are able to see other attendees resources. Please filter resources by name to view your own resources clearly and avoid shutting down other people s instance. AWS Azure Note: Please always filter resources For example, Pod23 filter AWS with P23V1, Azure with pod Cisco and/or its affiliates. All rights reserved. Cisco Public 38

37 Disable IP Source/Destination Checking in the lab By default AWS blocks traffic not to/from a given instance. Toggle the Source/Dest Check option to allow a CSR instance to pass traffic for other subnets (i.e. act as a gateway). Note: Always review this setting for any new interfaces you add! LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 39

38 Choose BYOL when launching CSR BYOL(Bring Your Own License) will have all features with 100Kbps throughput which is enough for our lab. Please use BYOL which is 10 times cheaper than License Included. BYOL License Included Note: Please choose BYOL LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 40

39 Resources needed per user Make sure, you are using the right instance type! Cloud VPC/VNET CIDR EIP Instance Instance Type VGW IGW 5 VPC, 5 EIP, 3 Linux EC2 and 4 CSR EC2, 2 VGW, 3 IGW 0 PxV1 HA-VM Linux (t2.micro) IGW-HA 1 PxV1 CSR Active CSR (t2.medium) HA VPC /16 1 PxV1 CSR Backup CSR (t2.medium) 1 Transit VPC CSR1 CSR (c4.large) IGW-T Transit VPC /27 1 Transit VPC CSR2 CSR (c4.large) Spoke-A VPC /16 1 VM-A Linux (t2.micro) VGW-A IGW-A AWS Spoke-B VPC /16 0 VM-B Linux (t2.micro) VGW-B Azure VNET /16 1 VNET, 1 EIP, 1 Linux VM and 1 CSR 1 VM-2 Linux (DS1 v2) 1 CSR Azure CSR (D2 v2) AWS: 5 VPC, 5 EIP, 3 Linux EC2 and 4 CSR EC2, 2 VGW, 3 IGW Azure: 1 VNET, 1 EIP, 1 Linux VM and 1 CSR LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 41

40 CSR 1000V Learning Resources

41 Book: Virtual Routing with CSR 1000V CSR 1000V s role and features Architecture, licensing & packet flow Use cases and configurations Public Cloud & OpenStack Orchestration ISBN: LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 43

42 Miercom tested CSR 1000V also on AWS Using just one or two vcpus per VM, it delivers up to physical limit of 20 Gbps on x86 Server with two 10 GE ports and up to 5 Gbps on AWS. Unlike classic routers a CSR 1000v setup has to be configured for optimal performance on several levels. Major IO technologies like SR-IOV, fd.io VPP, OVS-DPDK were tested as vswitch. Different AWS Tests were done: IPv4 Forwarding Feature Tests (QoS, NBAR, Firewall) IPSec site to site on AWS LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 44

43 Free CSR 1000V Test Drive on AWS Make sure, you allow security exception with https certificate in your browser LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 45

44 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

45 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

46 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

47 Key Takeaways

48 Summary: CSR 1000V is built for the cloud CSR 1000V supports all key virtualization technologies including multi-vendor Hypervisors, different image formats, I/O models and VM flavors. CSR 1000V runs on variety of virtualized infrastructures, and it can be orchestrated by many of NfV software including Cisco ACI/NSO/ESC, OpenStack and other 3 rd party NfV SW. CSR 1000V VNF provides variety of interfaces and Open API s: REST API s, Netconf, XML, OpenStack, etc. LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 50

49 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 51

50 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions LTRVIR Cisco and/or its affiliates. All rights reserved. Cisco Public 52

51 Thank You

52