Cisco CSR 1000v Deployment Guide for Microsoft Azure


Last Modified: Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: NETS (6387) Fax: Text Part Number:

© 2017 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Objectives
  Revision History
  Document Conventions
  Related Documentation
  Obtaining Documentation and Submitting a Service Request

CHAPTER 1 Overview of Cisco CSR 1000v on Microsoft Azure
  Overview of Cisco CSR 1000v on Microsoft Azure
  Introduction

CHAPTER 2 Usage Guidelines for User Defined Routes
  Introduction to the Cisco CSR 1000v Route Tables
  User Defined Routes in the Same Virtual Network
  Routing between Virtual Networks or On-Premises Networks
  User Defined Routes for High Availability

CHAPTER 3 Information About Deploying Cisco CSR 1000v on Microsoft Azure
  Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure
  Information About Cisco CSR 1000v on Microsoft Azure
  Licensing for Cisco CSR 1000v on Microsoft Azure
  Summary of the Stages for Deploying the Cisco CSR 1000v on Microsoft Azure

CHAPTER 4 How to Deploy Cisco CSR 1000v on Microsoft Azure
  Customize the Microsoft Azure Portal
  Create Resources
  Deploy the CSR 1000v on Microsoft Azure
  Access the Cisco CSR 1000v CLI

CHAPTER 5 Configuring Cisco CSR 1000v on Microsoft Azure
  Update Route Tables
  Update Security Group
  Configuring IPsec VPN in a Microsoft Azure Cisco CSR 1000v
  Configuring IPsec VPN in an Amazon Web Services Cisco CSR 1000v
  Upgrading a Cisco IOS XE Image on Microsoft Azure
  Differences between CSR 1000v on Microsoft Azure and Amazon Web Services
  Best Practices and Caveats
  Other Related Resources

CHAPTER 6 Configuring High Availability on the Cisco CSR 1000v
  Information about Configuring High Availability on Microsoft Azure
  Introduction to Configuring High Availability on Microsoft Azure
  Before You Begin
  Methods for Configuring Microsoft Azure
  Create a Self-signed Certificate and Thumbprint
  Create an Application in a Microsoft Azure Active Directory
  Obtain the Tenant ID from the Application Endpoints
  Create an Authentication Key for the Application
  Edit the Manifest File
  Add an Application under Access Control to a Route Table
  Configure a Trustpool
  Configure a Trustpoint
  Configure a Tunnel Between Cisco CSR 1000v Routers
  Configuring EIGRP over Virtual Tunnel Interfaces
  Configure Failure Detection for the Cisco CSR 1000v on Microsoft Azure
  Verify the Configuration of CSR 1000v High Availability

Preface

This section contains the following topics:
  Objectives
  Revision History
  Document Conventions
  Related Documentation
  Obtaining Documentation and Submitting a Service Request

Objectives

This document provides an overview of the Cisco CSR 1000V Series Router deployment on Microsoft Azure. It is not intended as a comprehensive guide to all of the software features that can be run using the Cisco CSR 1000V Series router. For more information, see the Cisco CSR 1000V Series Cloud Services Router Software Configuration Guide. For information on general software features that are also available on the Cisco CSR 1000V Series router, see the CSR 1000v Series Configuration Guides.

Revision History

The Revision History records technical changes to this document. The table shows the Cisco IOS XE software release number, the date of the change, and a brief summary of the change.

Release: Cisco IOS XE Release 16 and Cisco IOS XE 3.16
Date: June 8, 2016
Change Summary: First release.

Document Conventions

This documentation uses the following conventions:

^ or Ctrl: The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string: A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

bold: Bold text indicates commands and keywords that you enter exactly as shown.
italics: Italic text indicates arguments for which you supply values.
[x]: Square brackets enclose an optional element (keyword or argument).
|: A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]: Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}: Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
[x {y | z}]: Braces and a vertical line within square brackets indicate a required choice within an optional element.

Examples use the following conventions:

screen: Examples of information displayed on the screen are set in Courier font.
bold screen: Examples of text that you must enter are set in Courier bold font.
< >: Angle brackets enclose text that is not printed to the screen, such as passwords.
!: An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS XE software for certain processes.)
[ ]: Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Note: Means reader take note. Notes contain helpful suggestions or references to materials that may not be contained in this manual.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

For related documentation, see Cisco CSR 1000v Documentation in the Documentation Roadmap for Cisco CSR 1000v Series, Cisco IOS XE 16.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


CHAPTER 1
Overview of Cisco CSR 1000v on Microsoft Azure

  Overview of Cisco CSR 1000v on Microsoft Azure
  Introduction

Overview of Cisco CSR 1000v on Microsoft Azure

The Cisco Cloud Services Router (CSR) 1000v is a full-featured Cisco IOS XE router, enabling IT departments to deploy enterprise-class networking services in the Microsoft Azure cloud. Most Cisco IOS XE features are also available on the virtual Cisco CSR 1000v.

The following VPN features are supported on the Cisco CSR 1000v: IPsec, DMVPN, FlexVPN, Easy VPN and SSLVPN. You can use dynamic routing protocols such as EIGRP, OSPF, and BGP to construct multi-tier architectures within Azure, and interconnect with corporate locations or other clouds.

You can also secure, inspect, and audit hybrid cloud network traffic with application-aware Zone Based Firewall. Use IP SLA and Application Visibility and Control (AVC) to discover performance issues, fingerprint application flows and export detailed flow data for real-time analysis and network forensics.

Cisco CSR 1000v software bundles are available with the deployment template wizard that deploys the Cisco CSR 1000v on new or existing infrastructure, such as a virtual network (vnet). This document uses the example of a Cisco CSR 1000v image with 2 vnics. Other images with multiple vnics are available and these images can be deployed in a similar way to the example. Refer to the Cisco CSR 1000v Release Notes for more information about the different types of image that are available.

Introduction

When deploying 2 vnic CSR 1000v VMs, the following items are created:

- CSR 1000v virtual machine with 2 vcpu, 7G RAM and 2 interfaces.
- Public IP address to the interface on the first subnet (NIC0).
- Security group with inbound rules for the interface on the first subnet (NIC0).
- Routing table on the Microsoft Azure hypervisor router for each CSR 1000v subnet and a default route for the second subnet (NIC1) that points to the IP address of the second interface (NIC1).

An example configuration of the Cisco CSR 1000v is shown below:

Note that a Cisco CSR 1000v can be deployed on new or existing virtual networks.

Deployment of Cisco CSR 1000v on a New Network

A default route ( /0) is created and associated to the internal facing second subnet.

Deployment of Cisco CSR 1000v on an Existing Network

A default route ( /0) is created. However, it is not associated to the internal facing second subnet, to avoid interruption to the existing network. You can associate the default route manually.

Subnetting Limits

The Cisco CSR 1000v supports a subnet mask between /8 and /29 (CIDR definition). The subnet /29 is the smallest available in Microsoft Azure, which supports 8 IP host addresses. Note that Azure reserves the use of 4 host addresses per subnet. This leaves 4 host addresses for your use.
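A planned address layout can be checked against the subnetting limits above before anything is created in the portal. The following Python is an added example, not part of the Cisco guide; the addresses, the DC4-extra subnet name and the function name are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = 8    # widest subnet mask the guide lists as supported
MAX_PREFIX = 29   # narrowest supported mask (smallest subnet available in Azure)


def check_subnet_plan(vnet_cidr, subnets):
    """Return a list of problems found in a planned layout.

    vnet_cidr: the virtual network address space, e.g. "10.4.0.0/16"
    subnets:   dict of subnet name -> CIDR string
    """
    problems = []
    vnet = ipaddress.IPv4Network(vnet_cidr)
    valid = {}
    for name, cidr in subnets.items():
        try:
            # Strict parsing: a CIDR with host bits set is rejected.
            net = ipaddress.IPv4Network(cidr)
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(
                f"{name}: /{net.prefixlen} is outside /{MIN_PREFIX} to /{MAX_PREFIX}")
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {net} is not inside vnet {vnet}")
        valid[name] = net
    # Subnets of one virtual network must not overlap each other.
    names = list(valid)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if valid[first].overlaps(valid[second]):
                problems.append(f"{first} and {second} overlap")
    return problems


# Constructed plans: subnet names follow the guide's examples, addresses are made up.
GOOD_PLAN = {"DC4-pub": "10.4.1.0/24", "DC4-sub": "10.4.2.0/24"}
BAD_PLAN = {
    "DC4-pub": "10.4.1.0/30",     # narrower than /29
    "DC4-sub": "10.5.2.0/24",     # outside the vnet address space
    "DC4-extra": "10.4.1.5/24",   # host bits set, not a network address
}

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        for line in check_subnet_plan("10.4.0.0/16", plan) or ["plan OK"]:
            print(line)
```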

CHAPTER 2
Usage Guidelines for User Defined Routes

This section contains the following topics:
  Introduction to the Cisco CSR 1000v Route Tables
  User Defined Routes in the Same Virtual Network
  Routing between Virtual Networks or On-Premises Networks
  User Defined Routes for High Availability

Introduction to the Cisco CSR 1000v Route Tables

This section provides guidelines which will help you to decide user-defined routes to add to the route tables.

When a Cisco CSR 1000v is deployed in a Virtual Network using the Microsoft Azure Marketplace template, a route table is created for each subnet to which the Cisco CSR 1000v has a network connection. For example, if you deploy a 4-NIC version of the Cisco CSR 1000v from the Microsoft Azure Marketplace, 4 subnets are created. Each subnet has an associated route table. No routes are automatically installed in the route table.

For further information on defining user-defined routes, also see the Microsoft Azure documentation: /docs.microsoft.com/en-us/azure/, and search for "user defined routes".

User Defined Routes in the Same Virtual Network

By default, the Microsoft Azure network infrastructure provides a basic routing service which interconnects all the subnets within a virtual network. Packets can be passed between any virtual machines within the same virtual network without the assistance of the Cisco CSR 1000v. However, if you need inter-subnet packets to be delivered to the Cisco CSR 1000v (to implement advanced services such as filtering and QoS), then you need to install a user defined route in the routing table for the subnet that designates the Cisco CSR 1000v as the next hop router.

Routing between Virtual Networks or On-Premises Networks

The Microsoft Azure network infrastructure does not by default interconnect different virtual networks or connect virtual networks to on-premises networks. To connect to these networks you must create a user-defined route in each route table to specify the Cisco CSR 1000v as the next hop router to each remote network. The user-defined route can be either a default route or a specific destination route.

To force traffic through the Cisco CSR 1000v, install either a default route or a specific destination route in the route table that points to the Cisco CSR 1000v. (Refer to the two examples below.)

Note: If a default route is installed in a route table, all traffic is diverted to the specified next hop. This causes a problem if you have virtual machines with an allocated public IP address (used for management access to the VM). If you have a default route in the route table associated with the subnet, the virtual machine is not reachable via its public IP address.

Note: Microsoft Azure supports a feature called VNET Peering, which can interconnect virtual networks as long as they are hosted in the same region. In order to use VNET Peering and utilize services within the Cisco CSR 1000v, you need to add a user-defined route to force traffic through the Cisco CSR 1000v.

The following example shows a default route pointing to the Cisco CSR 1000v.

Figure 1: Routing table in Microsoft Azure with a default route to the Cisco CSR 1000v

The following example shows a specific destination route pointing to the Cisco CSR 1000v.

Figure 2: Routing table in Microsoft Azure with a specific destination route to the Cisco CSR 1000v

User Defined Routes for High Availability

You can deploy two Cisco CSR 1000v's in the same virtual network to provide 1:1 redundancy for high availability. A Cisco CSR 1000v, configured with high availability, monitors the reachability of its peer router. If the Cisco CSR 1000v believes that the peer router has gone down, it installs its own IP address in the route table. This causes traffic to be routed through the "working" Cisco CSR 1000v.

When you configure user defined routes, you need to decide if you want the entries in the route table to be updated when there is a failure of one of the Cisco CSR 1000v peer routers. You must configure a redundancy node for each user-defined route table if the route table is one in which the high availability feature needs to redirect traffic to the working Cisco CSR 1000v. For Cisco IOS XE Everest 16.6, all the routes in the route table specified by a redundancy node are updated in the case of a Cisco CSR 1000v peer failure.
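The route selection, the public IP caveat and the high availability update described in this chapter can be modelled over a route table held as data. This is an added Python example, not part of the Cisco guide; the addresses, VM names and function names are assumptions, and the dictionary keys follow Azure's route properties (addressPrefix, nextHopType, nextHopIpAddress).

```python
import ipaddress

# Constructed sample data: all addresses and names below are made up.
CSR_A = "10.4.2.4"   # hypothetical inside address of the first CSR 1000v
CSR_B = "10.4.2.5"   # hypothetical inside address of its HA peer

DEFAULT_ROUTE_TABLE = [
    {"name": "default-via-csr", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": CSR_A},
]
SPECIFIC_ROUTE_TABLE = [
    {"name": "onprem-via-csr", "addressPrefix": "192.168.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": CSR_A},
]
VMS = [
    {"name": "app-vm", "publicIp": None},
    {"name": "jump-vm", "publicIp": "203.0.113.10"},  # managed over its public IP
]


def matching_route(routes, destination):
    """Pick the user defined route with the longest matching prefix.

    Returns None when no user defined route matches, in which case the
    platform's built-in routing decides where the packet goes.
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["addressPrefix"])
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def vms_cut_off_by_default_route(routes, vms):
    """Names of VMs hit by the guide's caveat: the subnet's route table holds a
    default route to the router and the VM is reached through a public IP."""
    has_default = any(
        ipaddress.ip_network(r["addressPrefix"]).prefixlen == 0
        and r["nextHopType"] == "VirtualAppliance"
        for r in routes
    )
    return [vm["name"] for vm in vms if has_default and vm["publicIp"]]


def after_peer_failure(routes, working_csr_ip):
    """Model of the HA behaviour the guide describes: the working router
    installs its own address as next hop in the route table. Limiting the
    rewrite to VirtualAppliance entries is an assumption of this model."""
    updated = []
    for route in routes:
        route = dict(route)  # leave the caller's table untouched
        if route["nextHopType"] == "VirtualAppliance":
            route["nextHopIpAddress"] = working_csr_ip
        updated.append(route)
    return updated


if __name__ == "__main__":
    print(matching_route(DEFAULT_ROUTE_TABLE, "8.8.8.8"))
    print(matching_route(SPECIFIC_ROUTE_TABLE, "8.8.8.8"))
    print(vms_cut_off_by_default_route(DEFAULT_ROUTE_TABLE, VMS))
    print(after_peer_failure(DEFAULT_ROUTE_TABLE, CSR_B))
```

With the specific destination route, `jump-vm` stays reachable over its public IP because only traffic to the remote network is sent to the router.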


CHAPTER 3
Information About Deploying Cisco CSR 1000v on Microsoft Azure

  Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure
  Information About Cisco CSR 1000v on Microsoft Azure
  Licensing for Cisco CSR 1000v on Microsoft Azure
  Summary of the Stages for Deploying the Cisco CSR 1000v on Microsoft Azure

Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure

Perform the following steps:

1. Create a Microsoft Azure user account/subscription. For more information, refer to the Microsoft Azure Getting Started Guide.
2. Request a Cisco CSR 1000v license to enable various combinations of throughput level and technology packages. For more information about obtaining a license, refer to the CSR1000v data sheet.
3. Plan the parameters/settings for the Cisco CSR 1000v as shown in the following list. The values of these parameters are required in later steps.

Resource Group Infrastructure: Group for existing resources, such as vnet. Example: DC4
Resource Group CSR 1000v: Example: DC4-csr
  Note: For a completely new deployment, the Resource Group CSR 1000v can have the same value as the first parameter, Resource Group Infrastructure; for example, DC4.
Subscription: Microsoft Azure user account subscription. Example: Free Trial
Location: Example: East US
Storage account name: Example: dc4storagegroup
Storage Account Type: Redundancy method provided by Microsoft Azure. Example: Standard-LRS (Locally Redundant, which is the only supported type in the current release).
Virtual Network name: Example: vnet01
Virtual network Address space: CIDR of the virtual network. Example: /16
Subnets First subnet name: Name of the subnet. It will be the subnet for gig1 of CSR 1000v. Example: DC4-pub
Subnets First subnet address prefix: CIDR for first subnet, which needs to be within Virtual network Address space. Example: /24
Subnets Second subnet name: Name of the subnet. It will be the subnet for gig2 of CSR 1000v. Example: DC4-sub
Subnets Second subnet address prefix: CIDR for second subnet, which needs to be within Virtual network Address space. Example: /24
Public IP address name: Name for public IP address which is the NAT IP for CSR gig0. Example: dc4csrpub
Public IP address DNS name label: (Optional) DNS name for the public IP address. Example: dc4csrpub
Virtual Machine name: Example: DC4-csr
Username: (Optional) Admin Username for the VM. Example: azureuser
Authentication type: Default is Password, but you can use this field in the table to note an SSH public key to use in future steps. Example: Password
Password: Password for the VM. (Check the Microsoft Azure password requirements in the Azure Documentation).
Virtual machine size: Size of the VM. For a CSR 1000v with 2 vnics, specify the 1 x Standard D2 image (default); for a CSR 1000v with 4 vnics, specify the 1 x Standard D4 image.

Information About Cisco CSR 1000v on Microsoft Azure

Deploying Cisco CSR 1000v on Microsoft Azure allows users to create resources such as Resource Group, Storage Account, Virtual Network and Public IP on the fly during the creation of the CSR 1000v. If you are a new user of Cisco CSR 1000v on Microsoft Azure, it is best to understand the resources that you can create at the start of the deployment process. Later, you can reuse these resources if you need to re-create a Cisco CSR1000v VM.

Microsoft Azure supports different image types with different performance expectations. (Search for D-series VM size on the Microsoft Azure website to see the D-Series Performance Expectations.) The number of interfaces (vnics) for the CSR 1000v maps to the number of cores in the VM. For example, a 4 vnic CSR 1000v requires a Standard D3 image type, which has 4 cores.

Further information about the main types of resources is below.

Resource Group

A Resource Group in Microsoft Azure refers to a set of resources. The resources include virtual machines, interfaces, virtual networks, routing tables, public IP addresses, security groups and storage accounts. The resources in a resource group need to have a unique name. If you create an object that depends upon another object in another resource group, the other resource group cannot be deleted before you delete your object.

Refer to this Resource Group article for more details: resource-group-overview/

The resource group can be created by performing steps shown in Create Resources, on page 12 or by using the deployment template wizard in Deploy the CSR 1000v on Microsoft Azure, on page 15. In the wizard, follow the steps to create a new resource, such as a storage group or a virtual network (vnet), or a resource from an existing resource group.

Storage Account

A Storage Account keeps details of the VM disk file and boot-log for Microsoft Azure and it is one of the set of resources in a resource group. Not all resources require a storage account. Refer to the following Microsoft Azure article for more details: storage-create-storage-account/

The storage account can be created by performing steps shown in Create Resources, on page 12 or by using the deployment template wizard in Deploy the CSR 1000v on Microsoft Azure, on page 15.

Virtual Network

A Virtual Network is a logical cloud-based network, used by Microsoft Azure to represent the private network. Refer to the following Microsoft Azure article for more details: documentation/articles/virtual-networks-overview/

The virtual network can be created by performing steps shown in Create Resources, on page 12 or by using the deployment template wizard in Deploy the CSR 1000v on Microsoft Azure, on page 15.

Public IP Address

A public IP address is reachable by internet users or devices. It is part of a one-to-one NAT performed by the Azure hypervisor router. The first subnet IP address of the Cisco CSR 1000v will be assigned a public IP address. Cisco recommends that you use a reserved IP address, since a dynamic IP address may cause a tunnel malfunction after the VM shuts down or is deallocated and then boots up again. Refer to the following Microsoft Azure article for more details about a reserved public IP address: azure.microsoft.com/en-us/documentation/articles/virtual-networks-reserved-public-ip/

The public IP address can be created by performing steps shown in Create Resources, on page 12 or by using the deployment template wizard in Deploy the CSR 1000v on Microsoft Azure, on page 15.

Licensing for Cisco CSR 1000v on Microsoft Azure

The Cisco CSR1000v offers a variety of throughput and technology package licenses. For the Cisco CSR1000v there are two licensing models: Cisco Software License (CSL), which is the traditional PAK-based licensing model, and Cisco Smart Licensing, which allows customers to assign licenses to Cisco CSR1000v instances dynamically.

For further information on licensing, refer to the following documents:

Cisco CSR1000v licensing: b_csr1000v_configuration_guide/b_csr1000v_configuration_guide_chapter_ html#d21290e159a1635
Cisco CSR1000v datasheet: cloud-services-router-1000v-series/datasheet-c html

Summary of the Stages for Deploying the Cisco CSR 1000v on Microsoft Azure

The following list briefly describes the deployment process which is later explained in detail in the section: How to Deploy Cisco CSR 1000v on Microsoft Azure.

Note: You can skip the first two stages below (for customizing the portal and creating resources) if you want to enter the values of public IP address and virtual network later, in the following stage: Deploy the CSR 1000v on Microsoft Azure, on page 15.

- Customize the Microsoft Azure portal GUI by adding objects into the left hand side panel. See Customize the Microsoft Azure Portal, on page 11.
- Create individual resources: Resource Group Infrastructure, Storage Account, Virtual Network and Public IP address. See Create Resources, on page 12.
- Deploy a basic CSR 1000v virtual machine. See Deploy the CSR 1000v on Microsoft Azure, on page 15.
- Access the Cisco CSR 1000v CLI. See Access the Cisco CSR 1000v CLI, on page 17.
- Apply a license. See Installing Cisco CSR 1000v Licenses in the Cisco CSR 1000v Series Cloud Services Router Software Configuration Guide.

CHAPTER 4
How to Deploy Cisco CSR 1000v on Microsoft Azure

  Customize the Microsoft Azure Portal
  Create Resources
  Deploy the CSR 1000v on Microsoft Azure
  Access the Cisco CSR 1000v CLI

Customize the Microsoft Azure Portal

Customize the Microsoft Azure portal GUI by selecting or tagging frequently used objects, such as Virtual machines, Virtual network, so that they show up in the left hand side panel.

SUMMARY STEPS

1. Sign in to Microsoft Azure.
2. To add an object to the left hand side panel, click Browse.
3. In the drop-down menu, click the star symbol for your chosen object.

DETAILED STEPS

Step 1. Sign in to Microsoft Azure.
  Purpose: After creating Azure Subscriptions, you should be able to login to the Microsoft Azure portal. In the next two steps, customize the Microsoft Azure portal GUI by selecting frequently used objects, such as Virtual machines and Virtual network, so that they show up in the left hand side panel.

Step 2. To add an object to the left hand side panel, click Browse.
  Purpose: Create objects for objects such as: Resource group, Virtual machine, Subscription, Network security group, Network interface, Public IP address, Virtual network, Route table or Storage account.

Step 3. In the drop-down menu, click the star symbol for your chosen object.
  Purpose: This saves the details of the object for future use. Repeat this step and the previous step (steps 2 and 3) to add objects to the left hand side panel for easy access in future. In future steps it is assumed that you have added the following list of objects to the left hand side panel: Resource groups, Virtual machines, Subscriptions, Network security groups, Network interfaces, Public IP addresses, Virtual networks, Route tables and Storage accounts.

What to Do Next

Go to Create Resources, on page 12.

Create Resources

Before You Begin

For this procedure it is assumed that you have previously added the following list of objects to the left hand side panel: Resource groups, Virtual machines, Subscriptions, Network security groups, Network interfaces, Public IP addresses, Virtual networks, Route tables and Storage accounts.

SUMMARY STEPS

1. Click Resource Group on the left hand side panel to create a resource group.
2. Click Add, at the top of the window.
3. Enter the name of the Resource Group; for example, DC4 and select the Subscription and Resource group location from dropdown lists.
4. Click Create.
5. Click Storage accounts in the left hand side panel to create a storage account.
6. Click Add.
7. Click Create to create the storage account.
8. Click Virtual networks in the left hand side panel to create a virtual network.
9. Click Add.
10. Enter the required values for this virtual network using values that you collected during planning.
11. Click Create.
12. Select the name of the recently created virtual network in the left hand side panel.
13. Click All Settings.
14. Click Subnet.
15. Click Add (at the top of the pane) to add a second subnet.
16. Enter the subnet name and CIDR for the second subnet and click OK.
17. Click Public IP address on the left hand side panel.
18. Click Add.
19. Change the IP address assignment from Dynamic to Static.
20. Click Create to finish.

DETAILED STEPS

Step 1. Click Resource Group on the left hand side panel to create a resource group.
  Purpose: The Resource groups page appears with a list of name/subscription/location for all existing Resource groups. This is the first of a series of steps to create individual resources in a Resource Group. For information about resource groups see Information About Deploying Cisco CSR 1000v on Microsoft Azure, on page 7.

Step 2. Click Add, at the top of the window.
  Purpose: The Create Resource Group pane opens.

Step 3. Enter the name of the Resource Group; for example, DC4 and select the Subscription and Resource group location from dropdown lists.

Step 4. Click Create.
  Purpose: Verify the object was added successfully by clicking Resource groups in the left hand side panel. The new group should appear in the list of resource groups.

Step 5. Click Storage accounts in the left hand side panel to create a storage account.
  Purpose: The Storage accounts pane opens. For information on storage accounts, see Information About Deploying Cisco CSR 1000v on Microsoft Azure, on page 7.

Step 6. Click Add.
  Purpose: The Create storage account pane opens, showing text boxes for fields such as Name, Type and Storage Group. Enter the storage account name. Select a Type from the drop-down menu. Select a resource group from the drop-down menu (for example, DC4). Ensure that the Location is correct.

Step 7. Click Create to create the storage account.

Step 8. Click Virtual networks in the left hand side panel to create a virtual network.
  Purpose: The virtual networks pane opens. For information on virtual networks, see Information About Deploying Cisco CSR 1000v on Microsoft Azure, on page 7.

Step 9. Click Add.
  Purpose: The Create virtual network pane opens.

Step 10. Enter the required values for this virtual network using values that you collected during planning.
  Purpose: See example values in Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure, on page 7.
  Note: Only one subnet is created in this initial stage in the creation of a virtual network.

Step 11. Click Create.
  Purpose: Verify the object was added successfully by clicking Virtual networks in the left hand side panel. The new group should appear in the list of resource groups in the main pane.

Step 12. Select the name of the recently created virtual network in the left hand side panel.

Step 13. Click All Settings.
  Purpose: The Settings pane appears.

Step 14. Click Subnet.
  Purpose: The Subnets pane appears.

Step 15. Click Add (at the top of the pane) to add a second subnet.

Step 16. Enter the subnet name and CIDR for the second subnet and click OK.

Step 17. Click Public IP address on the left hand side panel.

Step 18. Click Add.
  Purpose: The Create Public IP address pane appears. Enter the required values for the IP address using values that you collected during planning (for example, see example values in Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure, on page 7).

Step 19. Change the IP address assignment from Dynamic to Static.

Step 20. Click Create to finish.
  Purpose: This completes the setup of values for the virtual machine. You can now proceed to create a Cisco CSR 1000v deployment by performing the steps in the following section.

What to Do Next

Go to Deploy the CSR 1000v on Microsoft Azure, on page 15.

Deploy the CSR 1000v on Microsoft Azure

During this deployment process you can use a resource group that you created previously or enter values directly (such as the values for username, authentication type, password).

Before You Begin

(Optional) Create individual resources by following the procedures in Customize the Microsoft Azure Portal, on page 11 and Create Resources, on page 12.

SUMMARY STEPS

1. Click Virtual machines in the left hand side panel.
2. Click Add.
3. Enter csr.
4. Click Basic CSR 1000v Deployment w/two NICs.
5. Click Create. This option is at the bottom of the page of introductory text, on the right hand side.
6. Click 1 Basics.
7. Enter values for fields such as Username, Authentication Type and Password.
8. (Optional) As an alternative to entering the Username noted during planning (see Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure, on page 7), you can specify a Username of azureuser, in order to use an SSH public key.
9. Click OK.
10. Click Virtual machine size and select the desired value.
11. Click Storage account.
12. Click OK.
13. Click OK.
14. Click Create.
15. Click Virtual machines on the left hand panel.
16. When the VM status changes from Creating to Running, click the VM.

DETAILED STEPS

Step 1. Click Virtual machines in the left hand side panel.

Step 2. Click Add.
  Purpose: The Compute page appears.

Step 3. Enter csr.
  Purpose: A search starts, to find any Cisco CSR 1000v virtual machines that are available in Marketplace.

Step 4. Click Basic CSR 1000v Deployment w/two NICs.

Step 5. Click Create. This option is at the bottom of the page of introductory text, on the right hand side.

Step 6. Click 1 Basics.

Step 7. Enter values for fields such as Username, Authentication Type and Password.
  Purpose: Use the values that you collected during planning. For example, see Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure, on page 7. You can only create a Cisco CSR 1000v in a new Resource Group. Then select resources from an existing Resource Group. To remove a Resource Group, first delete the Cisco CSR 1000v VM and then delete the Resource Group.

Step 8. (Optional) As an alternative to entering the Username noted during planning (see Prerequisites for Deploying Cisco CSR 1000v on Microsoft Azure, on page 7), you can specify a Username of azureuser, in order to use an SSH public key.
  Purpose: (Cisco IOS XE version or above) you can use an SSH public key to access the CSR by setting Username field to azureuser. To obtain information about this restricted use of the username: from the Microsoft Azure launch page, click the small i (information) icon to the right of Username.

Step 9. Click OK.
  Purpose: The 2 Cisco CSR settings menu option is now highlighted.

Step 10. Click Virtual machine size and select the desired value.
  Purpose: For example, 1x Standard D2.

Step 11. Click Storage account.
  Purpose: If you created a storage account in section Create Resources, on page 12, you can now select an account from the dropdown list. Similarly, select values for Public IP address, Virtual network and Subnets from the dropdown menus. (If you did not previously create values for Storage Account and other settings then you can specify them now instead.)

Step 12. Click OK.
  Purpose: If the Cisco CSR 1000v has multiple NICs (2 NICs or 4 NICs are supported on Microsoft Azure in the current release) the first NIC will be used in public subnet. The other NICs will be used in the private subnets. The IP address of other NICs can be assigned by DHCP using ip dhcp address in the interface configuration. Alternatively, the IP address can also be set up statically. However, if you do this, ensure that the IP address is the same as the IP address assigned by Microsoft Azure. The 3 Summary Review menu option is now displayed on the screen.

Step 13. Click OK.
  Purpose: Confirms the settings. The 4 Buy menu option is now displayed on the screen.

Step 14  Click Create.
         Purpose: The purchase is confirmed. After a few minutes the VM will come up.
Step 15  Click Virtual machines on the left hand panel.
         Purpose: Verifies the VM status.
Step 16  When the VM status changes from Creating to Running, click the VM.
         Purpose: Shows the VM's details. Take a note of the Public IP address.

What to Do Next

Go to Access the Cisco CSR 1000v CLI, on page 17.

Access the Cisco CSR 1000v CLI

Access the CLI of the Cisco CSR 1000v VM via a terminal server.

Before You Begin

Complete the previous procedure Deploy the CSR 1000v on Microsoft Azure, on page 15.

SUMMARY STEPS

1. Enter the ssh command using a command syntax from one of the two substeps below.
   - If you did not previously use an SSH public key (you did not specify a username of azureuser in Deploy the CSR 1000v on Microsoft Azure, on page 15), then you can access the Cisco CSR 1000v CLI using the following command:

         ssh -o ServerAliveInterval=60 username@csr_address

   - If you did previously use an SSH public key (you did specify a username of azureuser in Deploy the CSR 1000v on Microsoft Azure, on page 15), then you can access the Cisco CSR 1000v CLI using the following command:

         ssh -i key -o ServerAliveInterval=60 azureuser@csr_address

DETAILED STEPS

Step 1   Enter the ssh command using a command syntax from one of the two substeps below.
         - If you did not previously use an SSH public key (you did not specify a username of azureuser in Deploy the CSR 1000v on Microsoft Azure, on page 15), then you can access the Cisco CSR 1000v CLI using the following command:

               ssh -o ServerAliveInterval=60 username@csr_address

         - If you did previously use an SSH public key (you did specify a username of azureuser in Deploy the CSR 1000v on Microsoft Azure, on page 15), then you can access the Cisco CSR 1000v CLI using the following command:

               ssh -i key -o ServerAliveInterval=60 azureuser@csr_address

         Purpose: Enter the ssh command in a terminal server of your choice to access the CLI.
         In the following example, username= azureuser, public IP address = and password=xxx are used as parameters in the ssh command, before other commands such as show ip route. (No ssh public key was previously specified.)

    $ ssh -o ServerAliveInterval=60 azureuser@
    The authenticity of host ' ( )' can't be established.
    RSA key fingerprint is 94:79:e9:d2:2e:85:93:d6:52:41:cc:a3:d9:14:7f:5f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ' ' (RSA) to the list of known hosts.
    Password: mypassword
    # show ip int br
    Interface IP-Address OK? Method Status Protocol
    GigabitEthernet YES DHCP up up
    GigabitEthernet2 unassigned YES unset administratively down down
    # configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    # interface g2
    # ip address dh
    # ip address dhcp
    # no shutdown
    # end
    # show run interface g2
    Building configuration...
    Current configuration : 69 bytes
    !
    interface GigabitEthernet2
     ip address dhcp
     negotiation auto
    end
    # show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    GigabitEthernet YES DHCP up up
    GigabitEthernet YES DHCP up up
    # show ip route
    <output snipped for brevity>
    Gateway of last resort is to network
    S* /0 [1/0] via
    /8 is variably subnetted, 4 subnets, 2 masks
    C /24 is directly connected, GigabitEthernet1
    L /32 is directly connected, GigabitEthernet1
    C /24 is directly connected, GigabitEthernet2
    L /32 is directly connected, GigabitEthernet
    /32 is subnetted, 1 subnets
    S [254/0] via

CHAPTER 5

Configuring Cisco CSR 1000v on Microsoft Azure

Update Route Tables, page 19
Update Security Group, page 20
Configuring IPsec VPN in a Microsoft Azure Cisco CSR 1000v, page 21
Configuring IPsec VPN in an Amazon Web Services Cisco CSR 1000v, page 21
Upgrading a Cisco IOS XE Image on Microsoft Azure, page 22
Differences between CSR 1000v on Microsoft Azure and Amazon Web Services, page 24
Best Practices and Caveats, page 25
Other Related Resources, page 25

Update Route Tables

In Microsoft Azure, all VMs send packets to a hypervisor router, and the hypervisor forwards the packets based on the routing table associated with that subnet. When a Cisco CSR 1000v VM is created, a route table is created for each subnet. For a 2 vNIC Cisco CSR 1000v VM, a default route is created for a second (internally facing) subnet that points to the CSR. All the VMs created on this subnet use the Cisco CSR 1000v as the default gateway. For Cisco CSR 1000v VMs that have more than two vNICs, you need to define the default routes and apply them to the subnets.

SUMMARY STEPS

1. Click Route tables.
2. Navigate to the "Route tables" pane and select the target route table.
3. Click All Settings.
4. In the Settings pane, click Routes.

DETAILED STEPS

Step 1   Click Route tables.
Step 2   Navigate to the "Route tables" pane and select the target route table.
Step 3   Click All Settings.
         Purpose: Expands the Settings pane.
Step 4   In the Settings pane, click Routes.
         Purpose: Add or modify routes.

Update Security Group

A Security Group controls which ports/destinations the hypervisor allows/denies for certain interfaces. When creating a Cisco CSR 1000v, a new Security Group is created for the first subnet inbound interface by default. For Cisco CSR 1000v virtual machines deployed through this deployment, the following ports are added for inbound internet traffic: TCP 22, UDP 500 and UDP Use of other ports is denied.

SUMMARY STEPS

1. Click Network security groups on the left hand side panel.
2. Click the target network security group.
3. Click All Settings.
4. Click Inbound security rules.
5. Click Add (under "Network security groups") to add additional rules.

DETAILED STEPS

Step 1   Click Network security groups on the left hand side panel.
         Purpose: The Network security groups pane appears, and shows a list of security groups.
Step 2   Click the target network security group.
         Purpose: A pane appears that shows the details of the security group.
Step 3   Click All Settings.
         Purpose: The Settings pane appears.
Step 4   Click Inbound security rules.
Step 5   Click Add (under "Network security groups") to add additional rules.

Configuring IPsec VPN in a Microsoft Azure Cisco CSR 1000v

This example shows an IPsec VPN being set up on a Microsoft Azure Cisco CSR 1000v. This is to enable the IPsec VPN to connect to an AWS Cisco CSR 1000v. (To set up the IPsec VPN in an Amazon Web Services (AWS) Cisco CSR 1000v, see the following section: Configuring IPsec VPN in an Amazon Web Services Cisco CSR 1000v, on page 21.)

    crypto isakmp policy 1
     encr aes
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key cisco123 address
    crypto ipsec transform-set T1 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec profile P1
     set transform-set T1
    interface Tunnel0
     ip address
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     tunnel destination
     tunnel protection ipsec profile P1
    end
    !!!! To test, create loop back interface and static route !!!!!
    interface Loopback1
     ip address
    end
    ip route Tunnel0

Configuring IPsec VPN in an Amazon Web Services Cisco CSR 1000v

This example shows an IPsec VPN being set up in an Amazon Web Services Cisco CSR 1000v. (To enable the IPsec VPN to connect to a Microsoft Azure Cisco CSR 1000v, set up the IPsec VPN in a Microsoft Azure Cisco CSR 1000v as shown in Configuring IPsec VPN in a Microsoft Azure Cisco CSR 1000v, on page 21.)

    crypto isakmp policy 1
     encr aes
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key cisco123 address
    crypto ipsec transform-set T1 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec profile P1
     set transform-set T1
    interface Tunnel0
     ip address
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     tunnel destination
     tunnel protection ipsec profile P1
    end
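Both configurations above pair an AES/SHA-256 IKE policy with a transform set built on 3DES and HMAC-MD5, and keep the pre-shared key in cleartext. The following Python audit is an added example, not part of the Cisco guide: it flags those settings and traces which tunnel interfaces inherit a weak transform set. The sample configuration is constructed (documentation addresses), and the rule tables and MIN_PSK_LEN are assumptions of this example.

```python
"""Audit an IOS XE crypto configuration for legacy IKE/IPsec settings."""
import re

# Assumed rule tables for this example: algorithms generally treated as legacy.
WEAK_TRANSFORMS = {
    "esp-des": "DES encryption",
    "esp-3des": "3DES encryption",
    "esp-null": "no encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
}
WEAK_IKE = {
    ("encr", "des"): "DES encryption",
    ("encr", "3des"): "3DES encryption",
    ("hash", "md5"): "MD5 hash",
}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 20  # assumed local policy, not a Cisco requirement

# Constructed sample modelled on the guide's example; addresses are documentation ranges.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 192.0.2.10
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile P1
 set transform-set T1
interface Tunnel0
 ip address 198.51.100.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile P1
end
"""


def audit_config(text):
    """Return sorted (line_number, message) findings for one configuration."""
    findings = []
    weak_sets = {}     # transform-set name -> weak algorithm labels
    profile_sets = {}  # ipsec profile name -> transform-set names it references
    protected = []     # (line_number, interface, profile) from 'tunnel protection'
    context = None     # ('policy' | 'profile' | 'interface', name) of the open block

    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("!"):
            continue
        if words[0] in ("crypto", "interface", "end"):
            context = None  # a new top-level command closes the previous block

        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            context = ("policy", m.group(1))
        elif m := re.fullmatch(r"crypto ipsec profile (\S+)", line):
            context = ("profile", m.group(1))
            profile_sets[m.group(1)] = []
        elif m := re.fullmatch(r"interface (\S+)", line):
            context = ("interface", m.group(1))
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            weak = [WEAK_TRANSFORMS[t] for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if weak:
                weak_sets[m.group(1)] = weak
                findings.append((number, f"transform-set {m.group(1)} uses {', '.join(weak)}"))
        elif m := re.match(r"crypto isakmp key (?:([06]) )?(\S+) address (\S+)", line):
            enc_type, key, peer = m.groups()
            if enc_type != "6" and len(key) < MIN_PSK_LEN:
                findings.append((number, f"pre-shared key for peer {peer} is stored in "
                                         f"cleartext and is shorter than {MIN_PSK_LEN} characters"))
            if peer == "0.0.0.0":
                findings.append((number, "pre-shared key is accepted from any peer address"))
        elif context is None:
            continue
        elif context[0] == "policy" and len(words) >= 2:
            name = "encr" if words[0].startswith("encr") else words[0]
            if (name, words[1]) in WEAK_IKE:
                findings.append((number, f"IKE policy {context[1]} uses {WEAK_IKE[(name, words[1])]}"))
            elif name == "group" and words[1] in WEAK_DH_GROUPS:
                findings.append((number, f"IKE policy {context[1]} uses DH group {words[1]}"))
        elif context[0] == "profile" and words[:2] == ["set", "transform-set"]:
            profile_sets[context[1]].extend(words[2:])
        elif (context[0] == "interface" and len(words) > 4
              and words[:4] == ["tunnel", "protection", "ipsec", "profile"]):
            protected.append((number, context[1], words[4]))

    # Follow interface -> profile -> transform-set to show where weak sets are in use.
    for number, interface, profile in protected:
        for name in profile_sets.get(profile, []):
            if name in weak_sets:
                findings.append((number, f"{interface} is protected by profile {profile} -> "
                                         f"transform-set {name} ({', '.join(weak_sets[name])})"))
    return sorted(findings)


if __name__ == "__main__":
    for number, message in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {message}")
```
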

Note: To test, create a loop back interface and static route.

    interface Loopback1
     ip address
    end
    ip route Tunnel0

Upgrading a Cisco IOS XE Image on Microsoft Azure

This procedure shows how to upgrade the image on a running CSR 1000v (Cisco IOS XE Fuji and later).

Before You Begin

To upgrade a Cisco CSR 1000v image for a Cisco CSR 1000v running in Microsoft Azure, the current version of Cisco IOS XE running on the Cisco CSR 1000v must be Cisco IOS XE Fuji or later.

Note: You cannot downgrade a Cisco CSR 1000v image on Microsoft Azure to Cisco IOS XE Everest or earlier. For example, if you are running Cisco IOS XE Fuji or later you must not downgrade to Cisco IOS XE Everest or earlier.

Note: To upgrade or downgrade a Cisco CSR 1000v image on Microsoft Azure, you need to expand the .bin file and use packages.conf to upgrade to the new version.

Check the version of Cisco IOS XE that is running on the Cisco CSR 1000v by using the show version command.

    Router# show version
    Cisco IOS XE Software, Version _14.44_user4
    Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental Version

SUMMARY STEPS

1. scp upgrade-image azure-username@csr-public-ip-address:copied-upgrade-image
2. request platform software package expand file bootflash:copied-upgrade-image to bootflash:upgrade/
3. configure terminal
4. boot system bootflash:upgrade/packages.conf
5. end
6. show run | sec boot
7. copy running-config startup-config
8. Reload the router.

DETAILED STEPS

Step 1   scp upgrade-image azure-username@csr-public-ip-address:copied-upgrade-image

             Router# scp UpgradeImage.bin azureusr1@ :upgrade.bin

         Purpose: Copy the new image to the CSR 1000v (boot flash memory). You can choose any name for the copy of the image in bootflash; for example, upgrade.bin. The public IP address of the Cisco CSR 1000v used in the following example is
Step 2   request platform software package expand file bootflash:copied-upgrade-image to bootflash:upgrade/

             Router# request platform software package expand file bootflash:upgrade.bin to bootflash:upgrade/
             Nov 8 03:25: %INSTALL-5-OPERATION_START_INFO: R0/0: packtool: Started expand package bootflash:upgrade.bin
             Verifying parameters
             Expanding superpackage bootflash:upgrade.bin
             Validating package type
             Copying package files
             SUCCESS: Finished expanding all-in-one software package.

         Purpose: Expand the image that is in boot flash memory.
Step 3   configure terminal
         Purpose: Enter global configuration mode.
Step 4   boot system bootflash:upgrade/packages.conf
         The following example shows how to correctly enter a boot system entry:

             Router(config)# boot system bootflash:upgrade/packages.conf

         Purpose: Add a boot system entry to the packages.conf file that was generated in step 2; for example, add it to /bootflash/upgrade/packages.conf as shown in the example.
         Note: Do not add the boot system entry like this: boot system bootflash:upgrade.bin. This command tells the Cisco CSR 1000v to boot from upgrade.bin. However, the CSR 1000v will then fail if the file size of upgrade.bin is greater than the low memory size that is allowed by GRUB in Microsoft Azure.
Step 5   end

             Router(config)# end

         Purpose: Exit global configuration mode and return to privileged EXEC mode.
Step 6   show run | sec boot

             Router# show run | sec boot
             boot-start-marker
             boot system bootflash:upgrade/packages.conf
             boot-end-marker
             diagnostic bootup level minimal

         Purpose: Verify the boot system entry.
Step 7   copy running-config startup-config

             Router# copy running-config startup-config
             Building configuration...
             [OK]

         Purpose: Save the configuration.
Step 8   Reload the router.

Differences between CSR 1000v on Microsoft Azure and Amazon Web Services

The differences between deploying Cisco CSR 1000v on Microsoft Azure and Amazon Web Services (AWS) are shown in the following table:

Table 1: Comparing Cisco CSR 1000v on Microsoft Azure and Amazon Web Services

Function | Cisco CSR 1000v on Microsoft Azure | Cisco CSR1000v on AWS
---------|------------------------------------|----------------------
Number of Interfaces | 2/4/8 Interfaces | 3 or more Interfaces
Multiple IP addresses | Multiple IP addresses per vNIC | Multiple IP addresses per vNIC
GRE tunnel | GRE tunnel is unsupported | GRE tunnel is supported
Redundancy | Redundancy is supported | Routing Redundancy is supported through 2 CSR instances
Attachment/Detachment of interface on the running Cisco CSR 1000v | Not supported | Supported
Overlapping IP subnet | Supports overlapping IP subnets in different virtual networks. | Support overlapping IP subnet in different VPC

Best Practices and Caveats

1. Cisco recommends keeping all resources in the same Resource Group, as much as possible, for provisioning purposes. When you need to clean up the whole setup, you then only need to remove the relevant Resource Group.
2. When the Cisco CSR 1000v virtual machine is deleted, not all the resources are deleted (route table, security group, public IP, network interfaces), so when you create a new Cisco CSR 1000v with the same name, the resources may be re-used. If this is not desired, either manually remove these resources, remove the Route Group that contains these resources, or create a new Cisco CSR 1000v with a different name.
3. If you use the deployment template to create a Cisco CSR 1000v, make sure that the public IP address is configured as static on Microsoft Azure. (In Microsoft Azure, navigate to the public IP address and in the configuration settings, see if the address is shown as Dynamic or Static. Ensure that Static is selected; the default is Dynamic.)

Other Related Resources

DMVPN is supported on Microsoft Azure and AWS. The configuration for Microsoft Azure is similar to AWS. For further information, see the following white paper: Extending Your IT Infrastructure Into Amazon Web Services Using Cisco DMVPN and the Cisco Cloud Services Router 1000V Series (PDF)


CHAPTER 6

Configuring High Availability on the Cisco CSR 1000v

This section contains the following topics:

Information about Configuring High Availability on Microsoft Azure, page 27
Create a Self-signed Certificate and Thumbprint, page 28
Create an Application in a Microsoft Azure Active Directory, page 31
Obtain the Tenant ID from the Application Endpoints, page 32
Create an Authentication Key for the Application, page 34
Edit the Manifest File, page 34
Add an Application under Access Control to a Route Table, page 36
Configure a Trustpool, page 37
Configure a Trustpoint, page 37
Configure a Tunnel Between Cisco CSR 1000v Routers, page 39
Configuring EIGRP over Virtual Tunnel Interfaces, page 40
Configure Failure Detection for the Cisco CSR 1000v on Microsoft Azure, page 42
Verify the Configuration of CSR 1000v High Availability, page 43

Information about Configuring High Availability on Microsoft Azure

Introduction to Configuring High Availability on Microsoft Azure

For network designs that require fast convergence after an error, two Cisco CSR 1000v VMs can be deployed in a redundant pair with failover between them.

This section explains how to configure redundancy (or high availability) for Cisco CSR 1000v VMs running on Microsoft Azure. After an error occurs, such as a BFD peer down event, traffic can be redirected around the failure, using a modified virtual private cloud route table.

Note: The High Availability feature is available using Cisco IOS XE b or higher.

Before You Begin

Before configuring High Availability for CSR 1000v on Microsoft Azure, you require:

- A virtual network setup in Microsoft Azure with two subnets
- Two Cisco CSR 1000v VMs
- Licenses for each Cisco CSR 1000v:
  - (Cisco IOS XE Everest or later) Enable the AX or SEC license, using BFD.
  - (Cisco IOS XE Everest or earlier) Enable the AX license, using BFD.

For instructions on setting up subnets and a single Cisco CSR 1000v VM, see section How to Deploy Cisco CSR 1000v on Microsoft Azure, on page 11. After setting up a single Cisco CSR 1000v, you need to create a second Cisco CSR 1000v VM using the same instructions.

Methods for Configuring Microsoft Azure

The following methods can be used for configuring Microsoft Azure:

- Microsoft Azure CLI commands
- Powershell commands
- Classic Portal
- Preview Portal (a new portal under development)

In this document, most configuration steps are shown using the Classic portal (some actions are not yet supported on the preview portal). To start configuring High Availability, go to Create a Self-signed Certificate and Thumbprint, on page 28.

Create a Self-signed Certificate and Thumbprint

This procedure creates a certificate text and a thumbprint. The certificate text is cut from the self-signed certificate (a file containing a public and private key) and the thumbprint is a string that is generated from the self-signed certificate. The certificate text and thumbprint are needed later, in Edit the Manifest File, on page 34.

Before You Begin

You need a computer that has the openssl command installed.

Step 1   Create a public and private key using the command:

             openssl req -x509 -days <days> -newkey rsa:2048 -out outputfile.pem -nodes -subj '/CN=certname'

         Example:

             openssl req -x509 -days <days> -newkey rsa:2048 -out app_cert.pem -nodes -subj '/CN=CSRHAapp'

         Purpose: The outputfile.pem file is the public key. The private key privkey.pem is auto-generated. For the certname, enter your choice of name. For example: "CSRHAapp". The command creates two files: the public key (outputfile.pem) and the private key (privkey.pem). In the example above these files are app_cert.pem and privkey.pem.
Step 2   Combine the public and private keys to create a certificate using the following command:

             cat private-key.pem public-key.pem > certificate.pem

         Example:

             cat privkey.pem app_cert.pem > full_cert.pem

         Purpose: The certificate file is self-signed because it is signed with its own private key. For private-key.pem, use the name of the private key created by the openssl command. For public-key.pem, use the name of the public key created by the openssl command. For certificate.pem, use a name of your choice. For example, full_cert.pem.
Step 3   openssl x509 -noout -text -in certificate.pem
         Purpose: Displays the contents of the certificate certificate.pem.
         Example:
             openssl x509 -noout -text -in full_cert.pem

Step 4   Using your favorite text editor, open the certificate.pem file and copy the lines between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a text file, the "certificate text file".
         Purpose: Certificate details, which are required later to create a service principal.
Step 5   Use the following command on the certificate to generate a thumbprint (character string):

             openssl x509 -in "path\certificate.pem" -fingerprint -noout | sed 's/sha1 Fingerprint=//g' | sed 's/://g'

         Example:

             openssl x509 -in "mydirectory\full_cert.pem" -fingerprint -noout | sed 's/sha1 Fingerprint=//g' | sed 's/://g'
             C82143BF7B2A2C89ED60068EDF6AC873

         Save the thumbprint in a text file; for example: (C82143BF7B2A2C89ED60068EDF6AC873).

You should now have the thumbprint text file, certificate text file and the certificate.

What to Do Next

Go to Create an Application in a Microsoft Azure Active Directory, on page 31.

Create an Application in a Microsoft Azure Active Directory

This section explains how to create an application in a Microsoft Azure Active Directory with permissions to access Microsoft Azure Resource Manager APIs. These configuration steps use the classic portal. (At the time of writing, some actions are not yet supported on the preview portal.)

Step 1   Go to the classic portal for Microsoft Azure:
Step 2   Choose your account name and sign in using your Microsoft Azure password.
Step 3   Click Azure Active Directory in the left navigation pane (towards the bottom of the list of options shown) and select an active directory in the main pane.
Step 4   To view applications, click "APPLICATIONS" at the top of the window and ensure that the "Show" textbox contains the value "Applications my company owns".
Step 5   To create a new application, click "Add" at the bottom of the screen.
Step 6   Choose "Add an application my organization is developing".
Step 7   Specify the name of the application and ensure that "WEB APPLICATION AND/OR WEB API" is selected and click the Next arrow.
Step 8   Specify the Sign-on URL in the format
         Replace "example" with a name such as your name and the name of your company.
Step 9   Enter a name for your application into the APP-ID URI text box. Use a name for the APP-ID URI which is in the URI format, but does not have to be reachable. (Note that the APP-ID URI is not the App ID.) You can use a string in the following format:
         For example, if your application name is "myapp" and the domain name of your directory is "mydir.onmicrosoft.com", use
Step 10  Click the checkmark symbol at the bottom right of the dialog box.
Step 11  Under the name of the application that you have added, click "CONFIGURE".
Step 12  Take a note of the numeric "App ID". Note that under the Microsoft Azure properties, the "App ID" is called the "CLIENT ID".

What to Do Next

Go to Obtain the Tenant ID from the Application Endpoints, on page 32.

Obtain the Tenant ID from the Application Endpoints

Step 1   In the classic portal, navigate to the "default directory" pane.
Step 2   Click the application. For example, "CSRHA2".
Step 3   Click "VIEW ENDPOINTS", which is shown in the middle of the bottom part of the screen.
         The "App Endpoints" dialog box appears.
Step 4   Copy the text from one of the displayed text boxes; for example,
         Then copy the central part of the alphanumeric string, such as the following: 227b0f8f-684d-48fa-9803-c08138b77ae9. This is the tenant ID. Take a note of it by copying it into a text file. For example, it is used in a later section, Edit the Manifest File, on page 34.

What to Do Next

Go to Create an Authentication Key for the Application, on page 34.

Create an Authentication Key for the Application

Create an authentication key for the application by performing the following steps:

Step 1   In the list of applications shown in the "default directory" pane, choose the Application Name; for example, "CSRHA2".
Step 2   Click CONFIGURE (at the top of the pane).
Step 3   Choose Windows Azure Active Directory.
Step 4   To create a key for API access, in the "Settings" tab, choose API Access > Keys and choose a value for Duration, the length of time until the key becomes invalid.
Step 5   Make a note of the API key from the "Value" field.
Step 6   You must convert the API key to URL encoded format. (To find a suitable conversion tool, enter "URL encoder" into an internet search engine.) Having a URL encoded API key prevents issues later; for example, when the API key is used in step 10 of Configure Failure Detection for the Cisco CSR 1000v on Microsoft Azure, on page 42.
         Note: Store the API key carefully as it cannot be retrieved later.

         API Key before URL encoding: 5yOhH593dtD/O8gzAlWgulrkWz5dH02d2STk3LDbI4c=
         API Key after URL encoding: 5yOhH593dtD%2FO8gzAlWgulrkWz5dH02d2STk3LDbI4c%3D

What to Do Next

Go to Edit the Manifest File, on page 34.

Edit the Manifest File

This task describes how to edit a manifest file that allows a Cisco CSR 1000v to communicate with an application. The manifest file is a description and configuration of the application in the Microsoft Azure Active Directory. It holds the application credentials.

To edit the manifest file in the procedure below, use text editing software that does not change text, such as the type of quotation marks in files, and does not add line breaks/return characters. For example, some editing software will display a quotation mark as “. However, this is not a valid JSON symbol. The quotation mark must appear like this: ".

Step 1   In the Azure Active Directory, choose the application; for example, "CSRHA2".
Step 2   Click Manage Manifest and choose Download Manifest. The manifest file (with .json extension) is downloaded to your computer. Make a note of the download location.

Step 3   Open the manifest file in a text editor.
Step 4   Edit the downloaded .json manifest file and locate the keyCredentials entry.

             "keyCredentials": [
               {
                 "customKeyIdentifier": "<thumbprint>",
                 "keyId": "<guid>",
                 "type": "AsymmetricX509Cert",
                 "usage": "verify",
                 "value": "<cert>"
               }
             ]

Step 5   For the parameters customKeyIdentifier, keyId and value, enter the values that you previously noted for thumbprint, tenant ID and certificate.
         <thumbprint>: This was obtained in Create a Self-signed Certificate and Thumbprint, on page 28. For example: C82143BF7B2A2C89ED60068EDF6AC874.
         <guid>: This is the tenant ID (previously obtained in Obtain the Tenant ID from the Application Endpoints, on page 32). For example: 227b0f8f-684d-48fa-9803-c08138b77ae9.
         <cert>: This is the certificate text obtained in Create a Self-signed Certificate and Thumbprint, on page 28. It is the part of the certificate.pem file that consists of an alphanumeric string between the header/footer text -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Step 6   Validate the syntax of the manifest file by copying and pasting the file contents into an online .json validation tool; for example,
Step 7   Upload the manifest file by choosing Manage Manifest and choose Upload Manifest.
Step 8   In the Upload Manifest dialog box, click BROWSE FOR FILE and choose the .json manifest file to be uploaded.

Note: If the upload fails, try uploading the file again after checking and re-entering the certificate text (the <cert> parameter of keyCredentials) in the manifest file. This certificate text, which starts with the characters "MI", should be one contiguous string with no line return characters or missing characters.

Note: After editing the manifest file, when you view the file in the Resource portal, under keyCredentials, "value" : "null" is shown, instead of the certificate that you provided. This is expected behavior. The portal hides the key for security purposes.
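The URL encoding in Create an Authentication Key for the Application and the manifest checks above can both be done locally, so the API key and certificate text are never pasted into an online tool. The following Python is an added example, not part of the Cisco guide: it URL-encodes the key, extracts the contiguous certificate text, computes the SHA-1 thumbprint, and checks a manifest for typographic quotes and broken certificate strings. The function names are this example's own, the sample PEM is constructed placeholder data, and keyId follows the guide in using the tenant ID.

```python
"""Prepare and check the HA application values offline."""
import base64
import hashlib
import json
import re
from urllib.parse import quote

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def url_encode_api_key(api_key):
    """Percent-encode every reserved character, including '/' and '='."""
    return quote(api_key, safe="")


def cert_text_from_pem(pem):
    """Return the CERTIFICATE block as one contiguous base64 string."""
    match = CERT_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    text = "".join(match.group(1).split())  # drop line breaks and spaces
    base64.b64decode(text, validate=True)   # raises ValueError on stray characters
    return text


def thumbprint(cert_text):
    """SHA-1 over the DER bytes: the openssl -fingerprint value without colons."""
    return hashlib.sha1(base64.b64decode(cert_text)).hexdigest().upper()


def build_key_credential(pem, key_id):
    """Build one keyCredentials entry with the fields the guide fills in."""
    text = cert_text_from_pem(pem)
    return {
        "customKeyIdentifier": thumbprint(text),
        "keyId": key_id,
        "type": "AsymmetricX509Cert",
        "usage": "verify",
        "value": text,
    }


def render_manifest(entry):
    """Serialise a minimal manifest fragment holding one keyCredentials entry."""
    return json.dumps({"keyCredentials": [entry]}, indent=2)


def check_manifest(text):
    """Return a list of problems that would make the manifest upload fail."""
    problems = []
    if any(mark in text for mark in TYPOGRAPHIC_QUOTES):
        problems.append('typographic quotation marks found; JSON requires plain "')
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} (line {exc.lineno})")
        return problems
    if not isinstance(manifest, dict):
        return problems + ["manifest is not a JSON object"]
    for index, cred in enumerate(manifest.get("keyCredentials", [])):
        value = cred.get("value") or ""
        if not value.startswith("MI") or any(ch.isspace() for ch in value):
            problems.append(f"keyCredentials[{index}].value is not one contiguous "
                            "base64 string starting with MI")
    return problems


def make_pem(label, der):
    """Wrap raw bytes in PEM armour (helper for the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed stand-in for full_cert.pem: placeholder bytes only, not real key
# material and not a parseable certificate. DER starts 0x30 0x82, hence "MI".
SAMPLE_PEM = (make_pem("RSA PRIVATE KEY", b"\x30\x82" + bytes(60))
              + make_pem("CERTIFICATE", b"\x30\x82\x01\x0a" + bytes(range(200))))
SAMPLE_TENANT_ID = "227b0f8f-684d-48fa-9803-c08138b77ae9"  # example value from the guide

if __name__ == "__main__":
    print(url_encode_api_key("5yOhH593dtD/O8gzAlWgulrkWz5dH02d2STk3LDbI4c="))
    manifest_text = render_manifest(build_key_credential(SAMPLE_PEM, SAMPLE_TENANT_ID))
    print(manifest_text)
    print(check_manifest(manifest_text) or "manifest fragment looks well formed")
```

With a real full_cert.pem, pass the file contents to build_key_credential; the private key block in the same file is ignored.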

What to Do Next

Go to Add an Application under Access Control to a Route Table, on page 36.

Add an Application under Access Control to a Route Table

This section explains how to configure the route table of a subnet to allow the application (for example, CSRHA2) to modify the CSR 1000v route table.

Step 1   To add an application onto an existing network, in the All resources pane of the classic portal, choose a private side subnet in the left pane; for example, "subnet2-csr-routetable".
Step 2   In the right pane, click +Add.
Step 3   In the "Role" textbox, choose Network contributor.
Step 4   In the "Select" textbox, enter the name of the application.
Step 5   Click CONFIGURE.
Step 6   In the keys section, choose the duration; for example, 1 year.

After completing the procedures in this document up to this point, ensure that you have saved the values of the following IDs and keys:

- Tenant ID (For example: 227b0f8f-684d-48fa-9803-c08138b77ae9)
- App ID (For example: 80848f fb-ba65-3d5aa596cd0c). Refer to step 12 in Create an Application in a Microsoft Azure Active Directory, on page 31.
- API key (For example: 5yOhH593dtD%2FO8gzAlWgulrkWz5dH02d2STk3LDbI4c%3D). Refer to step 6 in Create an Authentication Key for the Application, on page 34.
