AWS igw.254. Figure 1: CSR 1000v in one-armed mode.

Transcription

1 Overview The Cisco Cloud Services Router (CSR) 1000V is software appliance version of the Cisco ASR 1000 Series routers. It can be used to extend advanced enterprise network and security services such as IPSec VPNs, NAT, FW, application visibility, and SLA monitoring into an AWS VPC environment. The CSR 1000v runs as an EC2 instance and is launched from the AWS market place. Figure 1 shows a notional view of the CSR 1000v in an AWS VPC. By using the VPC routing table, traffic from the EC2 instances will be forwarded through the CSR 1000v so that services can be applied. AWS igw.254 CSR 1000v Figure 1: CSR 1000v in one-armed mode. Since the CSR 1000v runs as an EC2 instance, it can rely on native EC2 high availability mechanisms in the event of underlying compute hardware issues. In this case, the CSR would be restarted and recovery times would be on the order of minutes. For designs that require fast convergence, the CSR 1000v can be deployed in a redundant pair with failover between them. In typical Ethernet environments, gateway redundancy is provided by protocols such as HSRP and VRRP. These protocols present a pair of routers as a single virtual IP address that can be used by hosts as their default gateway. HSRP and VRRP use link local multicast packets for peer status monitoring and active gateway selection Cisco. All rights reserved Page 1 of 24

2 In an AWS VPC environment, link local multicast and broadcast traffic are not supported. This white paper will discuss an alternate gateway redundancy option for the CSR 1000v when used in an AWS VPC. Solution Overview The logic of the solution is as follow: 1. A pair of CSR 1000v s are deployed into an AWS VPC. 2. A GRE tunnel is configured between the CSRs. 3. Bi-directional Forwarding Detection (BFD) and a routing protocol (EIGRP or BGP) are enabled on the GRE tunnel for peer failure detection. 4. Each CSR 1000v is configured with an Embedded Event Manager (EEM) applet that will monitor BFD peer down events 5. When a BFD peer down event is detected, the EEM applet will use the AWS EC2 VPC API to modify the VPC route table to redirect traffic around the failure. Solution Details The topology in figure 2 is an example of a VPN gateway configuration. Figure 2: Initial Topology This topology uses a single availability zone and four VPC subnets. Other topologies, including multiple availability zones, single or multi subnet VPCs, multiple VPN tunnels, and multiple CSR Ethernet interfaces, are possible and would be applicable to this solution Cisco. All rights reserved Page 2 of 24

3 For this scenario, each CSR has a primary Ethernet interface (GigabitEthernet1) that is assigned to the public subnet. The public subnet has a VPC route table with a default route target of the Internet gateway. Each CSR also has a VPN tunnel to Internet. These tunnels would typically terminate at another VPN device located on the enterprise network or another VPC. To support the high availability solution, a GRE tunnel is configured between the local CSRs. These GRE tunnels allow the CSRs to exchange BFD control packets that are used for peer failure detection. Next, each CSR has an Ethernet interface (GigabitEthernet2) in a private subnet to connect to the helper VMs. These helper VMs are required to access AWS APIs to modify the routing table upon peer failure detection. In the above topology, Private Subnet-1 and Private Subnet-2 are two subnets dedicated to CSR-A and CSR-B to access the helper VMs. The EC2 instances reside in a private subnet, Private Subnet-3, in the topology diagram. If the CSR is not directly connected to this private subnet, it is recommended to add a static route for the private subnet to each CSR. This static route points to the address of the VPC router on the public subnet. This address will always be the first usable address of a subnet. For example, the VPC router address for the subnet /25 will EIGRP is used as the routing protocol, though other routing protocols could be used. The primary purpose of the routing protocol is to register as a BFD client. BFD requires at least one client protocol before it will initiate neighbor discovery. An additional benefit of the GRE tunnel and the routing protocol is that they can be used to establish a back-up path in case of VPN tunnel failures. The EC2 private subnet, Public Subet-3, has its own VPC route table. The default route for this subnet will have a target of the public subnet network interface (GigabitEthernet1) of one of the CSRs. Because the VPC route table only allows for one active target per route, only one CSR is in the egress traffic path for this subnet. Ingress traffic flow over the VPN tunnels is determined by the remote VPN devices, so it is possible that CSR-B is the active ingress path or that load sharing is being done between CSR-A and CSR-B. In this example, ingress and egress traffic is initially being forwarded through CSR-A, as shown in Figure Cisco. All rights reserved Page 3 of 24

4 Figure 3: Initial Traffic Flow CSR-A then fails, as shown in Figure 4. The goal is to shift traffic so that it will egress through CSR-B and no longer ingress through CSR-A. Figure 4: CSR-A Failure For the ingress traffic flow, the remote VPN device will detect that the VPN tunnel terminated at CSR-A is no longer available. This is done using traditional VPN tunnel high availability techniques such as routing protocols (with or with out BFD) and IKE dead peer detection Cisco. All rights reserved Page 4 of 24

5 For the egress traffic direction, CSR-B will detect the failure of CSR-A and modify the VPC route table to redirect traffic to CSR-B. When BFD times out on CSR-B, a log message similar the following is generated. %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor (Tunnel33) is down: BFD peer down notified EEM is an event detection and automation technology available on the CSR. The EEM applet is configured to run whenever the BFD peer down log message is generated. Figure 5: EEM Applet Triggered with BFD Peer Down Event When triggered, the EEM applet will use the AWS API ec2-replace-route command to modify the VPC route table to make itself the new target for the default route. The CSR cannot access the AWS EC2 API directly. This requires use of a helper VM with the AWS EC2 CLI tools installed. CSR-B will SSH into the helper VM and run the ec2- replace-route command. See the section titled Setting up the Helper VM for more details on configuring this VM. An example EEM applet is found in figure 6. The EEM configuration on CSR-A and CSR- B will be nearly the same. This is covered in more detail in the deployment procedure section Cisco. All rights reserved Page 5 of 24

6 event manager environment q " event manager environment USER csr event manager environment PASS cisco123 event manager environment IP event manager environment RTB rtb-c41b78a5 event manager environment CIDR /0 event manager environment ENI eni-65ef154e event manager applet replace-route event syslog pattern "\(Tunnel33\) is down: BFD peer down notified" action 1.0 cli command "enable" action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:" action 2.1 cli command "$PASS" Figure 6: EEM Applet Figure 7 shows CSR-B modifying the VPC Route table for the default route. Figure 7: EEM Applet modifies the VPC Route Table Once the VPC route table is modified, the VPC will begin directing egress traffic to the CSR-B, as show in Figure Cisco. All rights reserved Page 6 of 24

7 Figure 8: New Traffic Flow Step-by-Step Deployment Procedure Step 1: Configure VPC with dual CSRs. The VPC should be created and configured based on the topology requirements. Additionally, two CSRs should be launched into the VPC and initial configurations, including VPN tunnels, should be applied. For more information on deployment steps and CSR configuration, please consult the following documents. CSR 1000v for AWS Deployment Guide support.pdf Setting up DMVPN on the CSR in AWS Cloud _cloud.pdf Step 2: Enable the AX license. The BFD solution in this document requires the AX feature license. This can be enabled by configuring the license boot level ax command, saving the configuration, and rebooting. This enables a 60-day evaluation license. After 60-days, the license will fall back to a limited feature set, at which time a permanent license will need to be installed. The show license command can be used to inspect the license status. CSR-A(config)#license boot level ax 2014 Cisco. All rights reserved Page 7 of 24

8 % use 'write' command to make license boot config take effect on next boot CSR-A(config)#end CSR-A#wr mem Building configuration... [OK] CSR-A#reboot Step 3: Configure the CSRs for the Helper VM networks. A private subnet is required from each CSR for connectivity to the helper VMs. First, you will need to create two private subnets for the helper VM using the VPC dashboard. You can use a /28 subnet mask since these subnets will only be used by the CSR and the helper VMs. Once these subnets are created, navigate to the EC2 dashboard and create two network interfaces, one in each of these subnets. Be sure to note the ENI values and IP addresses for these newly created interfaces. Then attach the network interfaces to the two CSRs. These will show up as an additional Gigabit Ethernet interface (GigabitEthernet2 in our example). Use the IOS CLI to manually configure the IP address and no shut the new interfaces. CSR-A(config)#int gigabitethernet 2 CSR-A(config-if)#no shut CSR-A(config-if)# ip address Navigate back to the VPC dashboard. Then create two new route tables and add a default route ( /0) to each, one with a target of the CSR-A GigabitEthernet2 ENI value, and the other with a target of CSR-B. Next, associate the new route tables to the new subnets. Be sure the default route target ENI is local to that subnet, e.g. the route table with a /0 target of CSR-A GigabitEthernet2 ENI is mapped to the subnet assigned to the CSR-A GigabitEthernet2 ENI. Finally, NAT translation should be configured on the CSRs to allow the helper VMs to access the AWS APIs to modify the routes. The NAT configuration on the CSR will translate the helper VM IP address to the CSR interface address when it connects to AWS API servers. The following is a sample NAT configuration, where GigabitEthernet1 is the public interface, GigabitEthernet2 is the helper VM subnet interface, and is the address of the Helper VM. interface GigabitEthernet1 ip nat outside interface GigabitEthernet2 ip nat inside ip nat inside source list helper-vm-list interface GigabitEthernet1 overload 2014 Cisco. All rights reserved Page 8 of 24

9 ip access-list extended helper-vm-list permit ip host any Step 4: Setup the 2 helper VMs. Please refer to the section titled Setting up the Helper VM in this document for the deployment procedure of the helper VM. Each helper VM is associated with a CSR. Step 5: Configure the GRE tunnel, EIGRP, and BFD. The following is a sample configuration. interface Tunnel33 ip address bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination router eigrp 1 bfd interface Tunnel33 network passive-interface GigabitEthernet1 The BFD values are configurable and can be made more aggressive if faster convergence is desired. However, this can lead to BFD peer down events during intermittent connectivity. The above values, which will detect peer failure within 1.5 seconds, have been tested to be stable in an AWS VPC environment. There is also a variable delay associated with the time the AWS API command is executed and the time the VPC routing table changes go into effect. This is usually on the order a few seconds. Step 6: Collect the route table ID and network interface ID for each CSR. The route table ID and network interface ID can be found using the AWS console Cisco. All rights reserved Page 9 of 24

10 1 2 3 Figure 10: Route Table ID in AWS Console Step 7: Configure the EEM applet. Figure 11: Network Interface ID for CSR-B in AWS Console event manager environment q " event manager environment RTB rtb-c41b78a5 event manager environment CIDR /0 event manager environment USER csr event manager environment PASS cisco123 event manager environment IP event manager environment ENI eni-060ce72d event manager applet replace-route2 event syslog pattern "\(Tunnel33\) is down: BFD peer down notified" action 1.0 cli command "enable" action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:" 2014 Cisco. All rights reserved Page 10 of 24

11 action 2.1 cli command "$PASS" To promote the reusability of this applet, local variables are separated out of the body of the EEM applet and are defined as EEM environment variables. The variables used are as follows: q used to substitute a quotation mark into the ssh command USER Linux user account of the helper VM PASS Linux user password of the helper VM IP IP address of the helper VM RTB the route table ID for the private subnet VPC route table CIDR destination value for the default route ENI network interface ID of the CSR gigabit interface The main differences between the CSR-A and CSR-B EEM applet should be the helper VM and the ENI environment variables. These should be set to the local helper VM address and local network interface ID of the CSR. Step 8: Verification First check that the BFD and EIGRP relationships are established and normal on both peers. This example as shows the local peer on Tunnel 33, and also the remote peer on Tunnel 98. CSR-A#show bfd neighbors IPv4 Sessions NeighAddr LD/RD RH/RS State Int /4104 Up Up Tu /4108 Up Up Tu98 CSR-A#show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(1) H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num Tu :20: Tu :20: Log into the Helper VM and verify the current VPC route table configuration. [csr@ip ~]$ ec2-describe-route-tables rtb-c41b78a5 ROUTETABLE rtb-c41b78a5 vpc f4 ROUTE local active /24 CreateRouteTable ROUTE i-6f3aef4c active /0 eni-060ce72d CreateRoute ASSOCIATION rtbassoc-c6cc33a3 subnet-b00b68d1 For this example, the current active gateway is CSR-A, which has the ENI value of eni- 060ce72d. To create a failure, the active CSR is rebooted. The new target for the default route should be the ENI of CSR-B. [csr@ip ~]$ ec2-describe-route-tables rtb-c41b78a5 ROUTETABLE rtb-c41b78a5 vpc f Cisco. All rights reserved Page 11 of 24

12 ROUTE local active /24 CreateRouteTable ROUTE i-6f3aef4c active /0 eni-7e072d55 CreateRoute ASSOCIATION rtbassoc-c6cc33a3 subnet-b00b68d1 Full Configurations CSR-A version 15.4 service timestamps debug datetime msec service timestamps log datetime msec no platform punt-keepalive disable-kernel-core platform console virtual hostname CSR-A boot-start-marker boot-end-marker no aaa new-model subscriber templating multilink bundle-name authenticated crypto pki trustpoint TP-self-signed enrollment selfsigned subject-name cn=ios-self-signed-certificate revocation-check none rsakeypair TP-self-signed crypto pki certificate chain TP-self-signed certificate self-signed A D0609 2A F70D E30 2C F532D 53656C66 2D E65642D D E17 0D A170D A E302C F 532D5365 6C662D E65 642D D F300D 06092A F70D D CF087FE6 23BA0724 A729B1D5 E0B4A C24A A6958DFF D A EFA F3A271EF B1463E17 A4F6AC36 67D215CF 3A12A199 06F17F4B 2194F7B9 4F28C E C4DD5 B24BA518 2CB913F8 1E8DB5F5 8484D22F F69E2B0A 8716BFC2 D34C1110 C0B7A703 3A480AA1 E4E9F95D 5D71E7D6 03DC44EA B333471F A F D FF FF301F D FD A B81CA2DD DB D D0E FD AB8 1CA2DD DB D 06092A F70D A7A0CE E3A90EA7 0DDE2E48 12AC5D98 DBE1075B BE4C1DE0 C42DC4DA 8D8F9F51 F E8F66193 A250385E 8A1B476F 0F3ED5B1 D750A497 6DA564CD 8E0B4CB5 E D3F 44B762A0 81B888E2 1DA A15F9 2E27DBB5 23B3415A 9E98DC12 D69F0AFF B6E7B7D3 52E350F1 6D2D7FED 41C E264F64 BF61C3DE 89 quit license udi pid CSR1000V sn 9J7C89PX47H license boot level ax spanning-tree extend system-id username ec2-user privilege 15 secret 5 $1$00XX$BXyXX2Mpsdq3bLPdeJZFw1 redundancy mode none crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn csr-a.cisco.com authentication remote pre-share key cisco123 authentication local pre-share key cisco Cisco. All rights reserved Page 12 of 24

13 crypto ikev2 dpd 10 2 on-demand ip ssh rsa keypair-name ssh-key ip ssh version 2 ip ssh pubkey-chain username ec2-user key-hash ssh-rsa 1CE65034F E CE6C8AB2 chockerva interface Tunnel33 ip address bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination interface Tunnel98 ip address ip summary-address eigrp bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination interface GigabitEthernet1 ip address dhcp ip nat outside negotiation auto interface GigabitEthernet2 ip address ip nat inside negotiation auto router eigrp 1 bfd interface Tunnel98 bfd interface Tunnel33 network passive-interface GigabitEthernet1 passive-interface GigabitEthernet2 virtual-service csr_mgmt ip shared host-interface GigabitEthernet1 activate ip nat inside source list helper-vm-list interface GigabitEthernet1 overload ip forward-protocol nd no ip http server ip http secure-server ip route ip access-list extended helper-vm-list permit ip host any ip access-list extended ssh-in permit tcp any any eq 22 ip access-list extended ssh-out permit tcp any eq 22 any control-plane line con 0 stopbits 1 line vty 0 4 login local event manager environment q " event manager environment IP event manager environment RTB rtb-848e3de1 event manager environment CIDR /0 event manager environment USER csr event manager environment PASS cisco123 event manager environment ENI eni-7b78c10d event manager applet replace-route event syslog pattern "\(Tunnel33\) is down: BFD peer down notified" action 1.0 cli command "enable" action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:" action 2.1 cli command "$PASS" 2014 Cisco. All rights reserved Page 13 of 24

14 end CSR-B version 15.4 service timestamps debug datetime msec service timestamps log datetime msec no platform punt-keepalive disable-kernel-core platform console virtual hostname CSR-B boot-start-marker boot-end-marker no aaa new-model subscriber templating multilink bundle-name authenticated crypto pki trustpoint TP-self-signed enrollment selfsigned subject-name cn=ios-self-signed-certificate revocation-check none rsakeypair TP-self-signed crypto pki certificate chain TP-self-signed certificate self-signed B A D0609 2A F70D F30 2D F532D 53656C66 2D E65642D D E 170D A17 0D A F302D F532D53 656C662D E 65642D D F 300D0609 2A F70D D CEEC A9E186D C56B5C7D B3A42A89 A1EDF09B E394A952 FB029E8F F960F953 6A8C643E D D5EE20 F866E6BE 65DDB9F9 67E1D118 AB42A2E3 11A5B7F8 B E9E0AF 5BC28553 C443494E 3DF1041F 1F029AB9 F14EAC EC B5C50 D7E85A54 A3B8671A A878F422 E922A96C 02D7188D BC A F D FF FF 301F D E BA79B04D 38488FF1 C1B2FB36 8CF9CBD D D0E EBA 79B04D38 488FF1C1 B2FB368C F9CBD D0609 2A F70D D60 92ED396B 268A11F8 543FAFB1 9A7D293F AF39182B 1A297A6A 57EEC65F 9513A99E 46D89EF1 D17F59EE 7BF A734F 703FC30B A105AC5D 10A5803F 593B1013 CDA07D43 B209BF88 C2404C0C DB DC559AED E19DA40A C54C94F5 B8EF C2D7 CE55A438 2A61380C D6D4108A 494A8FDE 19A59A1C 6F4CC3 quit license udi pid CSR1000V sn 9TMLDL66HOH license boot level ax spanning-tree extend system-id username ec2-user privilege 15 secret 5 $1$GMHV$rx2mhUL6iLtdnBRUID4Zr1 redundancy mode none crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn csr-b.cisco.com authentication remote pre-share key cisco123 authentication local pre-share key cisco123 crypto ikev2 dpd 10 2 on-demand ip ssh rsa keypair-name ssh-key ip ssh version 2 ip ssh pubkey-chain username ec2-user 2014 Cisco. All rights reserved Page 14 of 24

15 key-hash ssh-rsa 1CE65034F E CE6C8AB2 chockerva interface Tunnel33 ip address bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination interface Tunnel96 ip address ip summary-address eigrp bfd interval 500 min_rx 500 multiplier 3 tunnel source GigabitEthernet1 tunnel destination interface GigabitEthernet1 ip address dhcp ip nat outside negotiation auto interface GigabitEthernet2 ip address ip nat inside negotiation auto router eigrp 1 bfd interface Tunnel96 bfd interface Tunnel33 network passive-interface GigabitEthernet1 passive-interface GigabitEthernet2 virtual-service csr_mgmt ip shared host-interface GigabitEthernet1 activate ip nat inside source list helper-vm-list interface GigabitEthernet1 overload ip forward-protocol nd no ip http server ip http secure-server ip route ip access-list extended helper-vm-list permit ip host any ip access-list extended ssh-in permit tcp any any eq 22 ip access-list extended ssh-out permit tcp any eq 22 any control-plane line con 0 stopbits 1 line vty 0 4 login local event manager environment q " event manager environment IP event manager environment RTB rtb-848e3de1 event manager environment CIDR /0 event manager environment USER csr event manager environment PASS cisco123 event manager environment ENI eni-7a78c10c event manager applet replace-route event syslog pattern "\(Tunnel33\) is down: BFD peer down notified" action 1.0 cli command "enable" action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:" action 2.1 cli command "$PASS" end 2014 Cisco. All rights reserved Page 15 of 24

16 Setting up the Helper VM The Helper VM is used as a proxy to run the AWS API commands to modify the route table. The following procedure can be used to setup the helper VM. Step 1: Create IAM role to access AWS APIs The IAM role is created to access AWS APIs. The helper VM can then be launched with the privileges of this IAM role. Browse to the IAM dashboard, and navigate to Roles> Create Role as shown below Create a role with appropriate role name. In this example, we are using the name ChangeRouteRole Cisco. All rights reserved Page 16 of 24

17 Select Amazon EC2 in the AWS Service Roles section Select Custom Policy Cisco. All rights reserved Page 17 of 24

18 The following policy can be used for this role. { "Version": " ", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:associateroutetable", "ec2:createroute", "ec2:createroutetable", "ec2:deleteroute", "ec2:deleteroutetable", "ec2:describeroutetables", "ec2:describevpcs", "ec2:replaceroute", "ec2:disassociateroutetable", "ec2:replaceroutetableassociation" ], "Resource": "*" } ] } Click next and then create the role Cisco. All rights reserved Page 18 of 24

19 Step 2: Launch EC2 instance for the Helper VMs. The helper VM is only used to run EC2 API commands, so a micro instance can be used. Two helper VMs need to be created, one in each of the private subnet local to the CSR. It is advised to configure an AWS security group that restricts access inbound to SSH only, and ideally, the IP address of the CSRs and any administrative workstations. Initially, an administrative workstation will be required to login to the ec2-user account and setup the helper VM. During the launch use the IAM role setup in the previous steps. The following figures show the steps for launching the helper VM from the AWS console Cisco. All rights reserved Page 19 of 24

20 Cisco. All rights reserved Page 20 of 24

21 You will then be prompted to select a key pair for logging into the EC2 instance. You can either creature a new key pair and save it, or use an existing key pair Cisco. All rights reserved Page 21 of 24

22 Step 3: SSH to the helper VM Since the helper VMs do not have public addresses, it may be required to first SSH into an EC2 instance that does have direct internet access, and then log into the helper VM hosts from that public host using the key pair that was assigned in the previous step. Under the list of EC2 instances, find the helper VM and locate the IP address. SSH to this address using your key pair. ssh -i chockerva.pem Step 4: Configure to helper VM for password authentication. sudo vi /etc/ssh/sshd_config Find the line that says PasswordAuthentication no and change to PasswordAuthentication yes. Restart sshd. sudo service sshd restart Step 5: Create the csr account ~]$ sudo useradd -m csr ~]$ sudo passwd csr 2014 Cisco. All rights reserved Page 22 of 24

23 This username and password will be used by the CSR to log into the helper VM. Step 7: Login into the csr account. ssh Step 8: Set the default region environment variable based on your VPN location Edit the.bashrc file to set the region for the local VPC. ~]$ vi.bashrc Add the following lines to the end of the.bashrc file. export EC2_URL= This example sets the region to be us-east-1. Source the.bashrc again and run a API command to make sure the local region is set. [csr@ip ~]$ source.bashrc [csr@ip ~]$ ec2-describe-vpcs VPC vpc f4 available /24 dopt-ceb970af default false Make sure to record the private IP address of the VM and the created csr account username and password so that they can be used in the EEM applet. References CSR 1000v for AWS Deployment Guide support.pdf CSR 1000v for AWS Documentation CSR 1000v for AWS Community Forum Embedded Event Manager Configuration Guide 3s/asr1000/eem-xe-3s-asr1000-book.html Bidirectional Forwarding Detection (BFD) Configuration Guide 2014 Cisco. All rights reserved Page 23 of 24

24 3s/asr1000/irb-xe-3s-asr1000-book.html AWS EC2 CLI Documentation Cisco. All rights reserved Page 24 of 24