Advanced CSR Lab with High Availability and Transit VPC
Fan Yang, Cisco, Engineer, Technical Marketing
Nikolai Pitaev, Cisco, Engineer, Technical Marketing
LTRVIR-3004
Agenda
- Slides (30 min.): CSR 1000V Introduction; AWS and Azure Concepts; CSR Lab Modules Walk-Through
- Lab: see the Lab Guide for details
What's in it for me? Understanding CSR 1000V on AWS and Azure
In this session:
- Short introduction of CSR 1000V
- Lab: CSR 1000V high availability on cloud and Transit VPC solution
- Short summary at the end of the lab
Out of scope:
- Physical ASR 1000 routers running the same IOS XE
- Deep dive into cloud tools
- Cloud design and architecture
LTRVIR-3004 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Related Cisco Live Berlin 2017 Sessions
- BRKSPG-2063 vBNG Solution with CSR1000V and ESC Orchestration
- LABSPG-1015 Walk-In Self-Paced Lab: Deploying CSR1000v as virtual LAC / LNS
- LTRVIR-2100 Deploying Cisco Cloud Services Router CSR 1000V on AWS and Azure
- LTRARC-3500 IOS XE (4xxx, ASR1K and CSR1000V) troubleshooting
- TECSPG-2300 Network Function Virtualization (NfV) seminar
What is Public Cloud?
- On-demand extensible network and compute resources
- Supports IaaS model, allowing app developers to run projects using a range of development tools
- Supports PaaS model, allowing users to create virtual machines, storage, networking, security, and other services
- Approximately 40% market share in public cloud between Azure and AWS*
- Web-based management tools; Microsoft also offers an MS PowerShell management option
* https://www.channele2e.com/2016/02/04/cloud-market-share-2016-aws-microsoft-ibm-google/
Cisco Cloud Services Router (CSR) 1000V: Cisco IOS XE Software in a Virtual Appliance Form-Factor
Diagram: App/OS virtual machines and the CSR 1000V side by side on a Virtual Switch, Hypervisor and Server.
Enterprise-class networking with rapid deployment and flexibility:
- Software: 3000+ features. Same software as ASR 1000 and ISR 4000.
- Infrastructure agnostic: no dependency on a specific server or vSwitch. Runs on VMware ESXi, RHEL KVM, Ubuntu KVM, Citrix Xen, Microsoft Hyper-V, Amazon AWS and Microsoft Azure.
- Throughput elasticity: licensable throughput from 10 Mbps to 10 Gbps; footprint options from 1 to 8 virtual CPUs.
- Licensing models: term 1 year, 3 years, 5 years or hourly usage*; Smart License.
- Programmability: NETCONF/YANG, RESTCONF and SSH/Telnet for automated provisioning, management, and monitoring.
*Only available on Amazon AWS.
CSR 1000V use cases for all public clouds
Diagram: a corporate office/branch and remote users connect to a CSR in a virtual private cloud in Cloud US West, which interconnects with a second virtual private cloud in Cloud US East.
1. Branch Location VPN Termination: IPsec, DMVPN, FlexVPN, EZVPN, etc. Up to 1,000 concurrent VPN tunnels per CSR.
2. Remote Worker VPN Access: SSL VPN via AnyConnect for remote users.
3. VPC / DC Interconnection: Distribute applications across the globe; connect different regions simply.
4. Firewall and Application Inspection: Stateful firewall between regions.*
* Routers do not actually produce fire (usually).
AWS/Azure Transit Routing Challenge
Diagram: VPC A, VPC B and VPC C, each a Virtual Network with one subnet and a VGW; peerings A-B and B-C.
- VPC Peer-to-Peer routing is supported: VPC A subnets can route to VPC B (A-B), and VPC B to VPC C (B-C).
- VPC transit routing is NOT supported: VPC A subnets cannot route to VPC C subnets across VPC B (A-to-C-thru-B).
- Across-region peering is not supported!
Amazon AWS Concept
Virtual Private Cloud (VPC)
- A VPC logically isolates networks; VPC IP ranges can overlap. Example: VPC "James Bond", CIDR 10.2.0.0/16, Subnet A 10.2.1.0/24, Subnet B 10.2.2.0/24.
- Internet Gateway provides external access.
- VPC Peering can route between VPCs.
- AWS Route Tables route within the VPC.
- Security options: Network ACLs protect subnets; Security Groups protect instances.
Elastic IP Address is a routable address mapped to an instance in a VPC
- Example mapping at the Internet Gateway: Elastic IP 54.32.54.32 -> 10.2.1.25 (VPC "James", CIDR 10.2.0.0/16, Subnet A 10.2.1.0/24, Subnet B 10.2.2.0/24, instance WebApp1 with IP 10.2.1.25).
- Instances never have a publicly routable IP address directly assigned.
- Addresses are associated with the AWS account and not the instance.
- The Elastic IP of the CSR 1000V becomes the tunnel endpoint for the VPN in this lab.
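Because the CSR's Elastic IP is reachable from the Internet and becomes the VPN tunnel endpoint, the security group protecting that instance should admit only what IPsec needs, and only from the known peers. The following is an added example, not code from the lab guide or from Cisco: it builds the IpPermissions structure that boto3's authorize_security_group_ingress expects, and includes a small audit that flags any rule open to 0.0.0.0/0. The peer addresses and the management CIDR are constructed placeholders; apply_rules() assumes a real boto3 EC2 client and is the only function that talks to AWS.

```python
"""Least-privilege security group for a CSR 1000V whose Elastic IP is an IPsec endpoint.

Added example, not from the lab guide. The peer addresses and management
network below are constructed placeholders; apply_rules() assumes a boto3 EC2
client and is the only part that talks to AWS.
"""
import ipaddress

# Constructed sample values (documentation ranges, not real endpoints).
PEER_TUNNEL_IPS = ["203.0.113.10", "198.51.100.7"]   # remote IPsec peers (their EIPs)
MGMT_CIDR = "192.0.2.0/24"                            # where SSH to the CSR may come from


def ipsec_ingress_rules(peer_ips, mgmt_cidr):
    """Build IpPermissions for authorize_security_group_ingress.

    Opens only IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) from the
    named peers, and SSH from the management network. Everything else stays closed.
    ipaddress validates the inputs so a typo raises ValueError instead of
    producing a rule AWS rejects later.
    """
    peers = [{"CidrIp": f"{ipaddress.ip_address(ip)}/32"} for ip in peer_ips]
    mgmt = [{"CidrIp": str(ipaddress.ip_network(mgmt_cidr, strict=True))}]
    return [
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": peers},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": peers},
        # ESP carries no ports; AWS takes the IP protocol number as a string.
        {"IpProtocol": "50", "IpRanges": peers},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": mgmt},
    ]


def world_reachable(ip_permissions):
    """Audit: return (protocol, from_port) for every rule whose source is 0.0.0.0/0."""
    found = []
    for perm in ip_permissions:
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0:
                found.append((perm["IpProtocol"], perm.get("FromPort")))
    return found


def apply_rules(ec2, group_id, rules):
    """Push the rules to an existing security group (needs a real boto3 client)."""
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)
    return len(rules)


if __name__ == "__main__":
    import json
    rules = ipsec_ingress_rules(PEER_TUNNEL_IPS, MGMT_CIDR)
    print(json.dumps(rules, indent=2))
    print("world-reachable:", world_reachable(rules))
```

The same world_reachable() check can be run against the output of describe_security_groups for an existing group: a CSR that needs only IKE, NAT-T and ESP has no business with a 0.0.0.0/0 rule on any port.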
VGW Concept
- One VGW will have two endpoints
- Basic IPsec and BGP
- No transit routing
Microsoft Azure Concept
Azure Basic Concepts (continued)
Virtual Network (VNet)
- A VNet logically isolates a network's own IP range, routes, security policies, etc. Example: Virtual Network CIDR 10.2.0.0/16, Subnet A 10.2.1.0/24, Subnet B 10.2.2.0/24.
- Each subnet created is automatically assigned a route table that contains system routes: Local VNet rule, On-premises rule and Internet rule.
- System routes can be overwritten by User Defined Routes.
- VNet IP ranges cannot overlap.
- Public IP: NAT or overload NAT for outbound traffic (no true public IPs).
- The Azure system route table routes within the VNet: all VNet subnets ALWAYS have a route to all other VNet subnets!
Technical comparison between AWS and Azure for CSR 1000V
Feature                                                     | AWS                   | Azure
Number of vNICs supported today                             | 10                    | 2 / 4 / 8
Routing High Availability                                   | supported             | planned in 2017
Elastic/public and private IP address on the same interface | multiple IP addresses | multiple IP addresses
Allow overlapping IP addresses                              | yes                   | yes
GRE tunnel support                                          | supported             | not supported
Add or remove interfaces on a running CSR 1000V VM          | yes                   | no
Lab Modules
1. AWS VPC Gateway Redundancy with CSR 1000V (70 min.)
2. Transit VPC with CSR 1000V (50 min.)
3. (Optional) Build DMVPN between Transit VPC and Azure (30 min.)
4. (Optional) Add security services into Transit VPC (60 min.)
Module 1: Deploy CSR High Availability in AWS
CSR 1000V Routing High Availability and Failover
Topology: AWS VPC CIDR 20.0.0.0/16 (Public Subnet 20.0.0.0/24, Private Subnet 20.0.1.0/24) with CSR-Active and CSR-Backup; Azure Virtual Network CIDR 30.0.0.0/16 (Public Subnet 30.0.0.0/24, Private Subnet 30.0.1.0/24); IPsec tunnels from both CSRs to Azure. The diagram is shown before HA failover and after HA failover.
- Lab timing: 20 min. / 20 min. / 30 min.
- Failover is driven through the AWS REST API (the AWS route table is updated to the surviving CSR).
- Failover is in sub-second!
AWS VPC details
PxV1 HA VPC 20.0.0.0/16, Internet via IGW; Public Subnet 20.0.0.0/24; Private Subnet 20.0.1.0/24; CSR-Active and CSR-Backup.
Private route table: 20.0.0.0/16 -> local; 0.0.0.0/0 -> CSR-Active
Public route table: 20.0.0.0/16 -> local; 0.0.0.0/0 -> IGW
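The HA mechanism on the previous slides comes down to one change in this private route table: the 0.0.0.0/0 entry is moved from CSR-Active's interface to CSR-Backup's. The block below is an added example, not Cisco's HA feature code, showing those AWS API calls with boto3 method names (describe_route_tables, describe_network_interface_attribute, replace_route). It assumes a boto3 EC2 client or any object with those three methods; the FakeEC2 class and the ENI ids are constructed so the file runs offline. It also adds the check a practitioner wants before promoting an interface: if Source/Dest check is still enabled on the backup ENI, the route installs but AWS drops every forwarded packet, so the "failover" would blackhole the private subnet.

```python
"""Gateway failover between two CSR 1000V instances, expressed as AWS API calls.

Added example, not Cisco's HA feature code: it shows the route-table update
behind the slide's "AWS REST API" arrow. It assumes a boto3 EC2 client
(boto3.client("ec2")) or any object with the same three methods; FakeEC2
below is a constructed stand-in so the file runs offline.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def current_next_hop(ec2, route_table_id, cidr=DEFAULT_ROUTE):
    """Return the ENI currently used as next hop for cidr, or None."""
    resp = ec2.describe_route_tables(RouteTableIds=[route_table_id])
    for route in resp["RouteTables"][0]["Routes"]:
        if route.get("DestinationCidrBlock") == cidr:
            return route.get("NetworkInterfaceId")
    return None


def source_dest_check_enabled(ec2, eni_id):
    """True if AWS will still drop transit traffic on this interface."""
    resp = ec2.describe_network_interface_attribute(
        NetworkInterfaceId=eni_id, Attribute="sourceDestCheck")
    return resp["SourceDestCheck"]["Value"]


def fail_over(ec2, route_table_id, backup_eni, cidr=DEFAULT_ROUTE):
    """Point cidr in the private route table at the backup CSR's ENI.

    Refuses if Source/Dest check is still on for that ENI: the route would
    install, but AWS would drop every forwarded packet and the private
    subnet would be blackholed instead of failed over.
    """
    result = {"before": current_next_hop(ec2, route_table_id, cidr),
              "after": None, "changed": False, "error": None}
    if source_dest_check_enabled(ec2, backup_eni):
        result["error"] = f"{backup_eni}: Source/Dest check enabled"
        result["after"] = result["before"]
        return result
    if result["before"] != backup_eni:
        ec2.replace_route(RouteTableId=route_table_id,
                          DestinationCidrBlock=cidr,
                          NetworkInterfaceId=backup_eni)
        result["changed"] = True
    result["after"] = current_next_hop(ec2, route_table_id, cidr)
    return result


class FakeEC2:
    """Constructed in-memory stand-in for the EC2 client (offline runs only)."""

    def __init__(self, routes, source_dest_check):
        self.routes = routes
        self.source_dest_check = source_dest_check
        self.calls = []

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": RouteTableIds[0],
                                 "Routes": [dict(r) for r in self.routes]}]}

    def describe_network_interface_attribute(self, NetworkInterfaceId, Attribute):
        return {"SourceDestCheck": {"Value": self.source_dest_check[NetworkInterfaceId]}}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.calls.append(("replace_route", RouteTableId, DestinationCidrBlock, NetworkInterfaceId))
        for route in self.routes:
            if route.get("DestinationCidrBlock") == DestinationCidrBlock:
                route.clear()
                route.update({"DestinationCidrBlock": DestinationCidrBlock,
                              "NetworkInterfaceId": NetworkInterfaceId})
        return {}


def lab_private_route_table():
    """The HA VPC private route table from the lab, with constructed ENI ids."""
    routes = [{"DestinationCidrBlock": "20.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": DEFAULT_ROUTE, "NetworkInterfaceId": "eni-csr-active"}]
    checks = {"eni-csr-active": False, "eni-csr-backup": False, "eni-new-unchecked": True}
    return FakeEC2(routes, checks)


if __name__ == "__main__":
    ec2 = lab_private_route_table()
    print(fail_over(ec2, "rtb-private", "eni-csr-backup"))
    print("replace_route calls:", ec2.calls)
```

Against a real account the same functions run with ec2 = boto3.client("ec2") and the route table id from the console; the fake only exists so the decision logic can be exercised without credentials. The IAM role used for this needs ec2:ReplaceRoute on exactly this route table, and nothing wider, since whoever holds it can redirect all private-subnet traffic.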
Azure VNET Details
PxV1 VNET, Virtual Network CIDR 30.0.0.0/16, Internet; CSR 1000V; Private Subnet 30.0.1.0/24; Public Subnet 30.0.0.0/24.
Private route table: 30.0.0.0/24 -> CSR; 20.0.0.0/16 -> CSR
Public route table: 30.0.1.0/24 -> CSR
Module 2: Deploy Transit VPC solution with CSR 1000V
Transit VPC Design
Diagram: Spoke VPCs A, B, ... C connect through their VGWs to a Transit VPC spanning AZ1 and AZ2 with CSR 1000V appliances; Direct Connect to an ASR in a private DC; Internet; other provider networks.
- Dedicated VPC: simplifies routing by not combining with other shared services.
- CSR 1000V virtual network appliances: provide dynamic routing and VPN network tunnels.
- Redundancy: dynamic routing combined with multi-AZ deployment creates a robust network infrastructure.
- VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances.
Transit VPC Lab
Diagram: Spoke VPCs A and B (20 min. / 30 min.) attach to a Transit VPC across AZ1 and AZ2; a single DMVPN with dual hub (Active Hub / Standby Hub) reaches the Azure VNet (30 min., optional), a private DC* and a branch*.
*Private DC and Branch are not included in this lab.
Module 3 (Optional): Build a DMVPN Network with Transit VPC and Azure VNET
DMVPN Details
Single DMVPN, dual hub (Active/Standby): both hubs in the Transit VPC, AS 64512, VRF DMVPN; Azure spoke in AS 65001.
- Active Hub (AZ1): Private IP 100.64.127.229, EIP 35.163.107.11, Tunnel 0 172.110.123.1
- Backup Hub (AZ2): Private IP 100.64.127.244, EIP 35.165.119.20, Tunnel 0 172.110.123.2
- Azure Spoke: Private IP 30.0.0.4, EIP 13.91.58.87, Tunnel 0 172.110.123.3
- Azure blocks GRE packets, so IPsec is enabled on the tunnels.
*Private DC and Branch are not included in this lab.
Module 4 (Optional): Add Security Service into Transit VPC
Secured Transit VPC
Diagram: Spoke VPCs A, B, ... C; Transit VPC across A1 and A2 with Internet access; Direct Connect to a private DC.
- Routing: the spoke forwards Internet traffic to the CSR, then the CSR redirects the traffic to the FTDv to be inspected.
- Security: FTDv as IPS device in the Transit VPC. Customers can turn on IPS/URL filtering and other features.
- NAT: FTDv acts as the NAT device. Customers can deploy static NAT/PAT.
*Only one IGW exists; two IGWs are drawn for a clearer diagram.
Lab Tips and Guidance
Before you begin
- Make sure you have the page with additional lab information.
- Make sure that you are using the assigned AWS region!
- All resources you create should be named in a certain way. For example: P23V1 for pod 23.
Use multiple web browser tabs to open different services
Filter resources for a better view
This lab is in a shared environment and 5 attendees are sharing one region. You are able to see other attendees' resources. Please filter resources by name to view your own resources clearly and avoid shutting down other people's instances.
Note: Please always filter resources. For example, Pod 23 filters AWS with P23V1 and Azure with pod23.
Disable IP Source/Destination Checking in the lab
By default AWS blocks traffic not to/from a given instance. Toggle the Source/Dest Check option to allow a CSR instance to pass traffic for other subnets (i.e. act as a gateway).
Note: Always review this setting for any new interfaces you add!
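The note above is easy to forget once a second interface is attached, and the failure mode is silent: routes look right, but AWS drops the forwarded packets. The following is an added example, not from the lab guide, that audits every interface of the pod's instances and reports the CSR interfaces that still have the check enabled, fixing them only when dry_run is off. It uses the boto3 names describe_instances (whose NetworkInterfaces entries carry a SourceDestCheck flag) and modify_network_interface_attribute, and relies on the pod naming rule from the earlier slide (P23V1 for pod 23) so that one attendee never touches another attendee's instances. The FakeEC2 class, instance ids and ENI ids are constructed so the file runs offline.

```python
"""Audit (and optionally fix) Source/Dest check on a pod's CSR interfaces.

Added example, not part of the lab guide. It assumes a boto3 EC2 client
(boto3.client("ec2")) or any object with describe_instances and
modify_network_interface_attribute, and that instances carry a Name tag
starting with the pod prefix (P23V1 for pod 23). FakeEC2 below is a
constructed stand-in so the file runs offline.
"""


def pod_interfaces(ec2, name_prefix):
    """Yield (instance_id, name, eni_id, source_dest_check) for the pod's instances.

    Filtering on the Name tag is what keeps one attendee from touching another
    attendee's instances in the shared region.
    """
    resp = ec2.describe_instances(
        Filters=[{"Name": "tag:Name", "Values": [f"{name_prefix}*"]}])
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
            for eni in inst["NetworkInterfaces"]:
                yield inst["InstanceId"], name, eni["NetworkInterfaceId"], eni["SourceDestCheck"]


def gateway_interfaces_with_check(ec2, name_prefix, gateway_marker="CSR"):
    """Return ENIs of CSR instances that still have Source/Dest check enabled.

    Only instances whose name contains gateway_marker are meant to forward
    traffic; the Linux test VMs keep the check and are not reported.
    """
    return [eni for _, name, eni, check in pod_interfaces(ec2, name_prefix)
            if check and gateway_marker in name]


def disable_check(ec2, eni_ids, dry_run=True):
    """Turn the check off on each ENI; with dry_run=True only report what would change."""
    for eni in eni_ids:
        if not dry_run:
            ec2.modify_network_interface_attribute(
                NetworkInterfaceId=eni, SourceDestCheck={"Value": False})
    return list(eni_ids)


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): a shared region with two pods."""

    def __init__(self):
        # (instance_id, name, eni_id, source_dest_check); all values are made up.
        self.instances = [
            ("i-0001", "P23V1 CSR Active", "eni-23-active", False),
            ("i-0002", "P23V1 CSR Backup", "eni-23-backup", True),   # check not yet disabled
            ("i-0003", "P23V1 HA-VM", "eni-23-vm", True),            # Linux host, check is fine
            ("i-0004", "P24V1 CSR Active", "eni-24-active", True),   # another attendee's pod
        ]
        self.modified = []

    def describe_instances(self, Filters):
        prefix = Filters[0]["Values"][0].rstrip("*")
        insts = [{"InstanceId": i, "Tags": [{"Key": "Name", "Value": n}],
                  "NetworkInterfaces": [{"NetworkInterfaceId": e, "SourceDestCheck": c}]}
                 for i, n, e, c in self.instances if n.startswith(prefix)]
        return {"Reservations": [{"Instances": insts}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, SourceDestCheck):
        self.modified.append(NetworkInterfaceId)
        self.instances = [(i, n, e, SourceDestCheck["Value"] if e == NetworkInterfaceId else c)
                          for i, n, e, c in self.instances]
        return {}


if __name__ == "__main__":
    ec2 = FakeEC2()
    todo = gateway_interfaces_with_check(ec2, "P23V1")
    print("would fix:", disable_check(ec2, todo, dry_run=True))
```

Run it in dry-run mode first and read the list: an interface you did not expect on a CSR is worth a look before the check is switched off, because disabling it is exactly what turns an instance into a transit hop for traffic that is not its own.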
Choose BYOL when launching CSR
BYOL (Bring Your Own License) provides all features with 100 Kbps throughput, which is enough for our lab. Please use BYOL, which is 10 times cheaper than License Included.
Note: Please choose BYOL, not License Included.
Resources needed per user (make sure you are using the right instance type!)
Cloud | VPC/VNET    | CIDR              | EIP | Instance         | Instance Type    | VGW   | IGW
AWS   | HA VPC      | 20.0.0.0/16       | 0   | PxV1 HA-VM       | Linux (t2.micro) |       | IGW-HA
AWS   | HA VPC      | 20.0.0.0/16       | 1   | PxV1 CSR Active  | CSR (t2.medium)  |       |
AWS   | HA VPC      | 20.0.0.0/16       | 1   | PxV1 CSR Backup  | CSR (t2.medium)  |       |
AWS   | Transit VPC | 100.64.127.224/27 | 1   | Transit VPC CSR1 | CSR (c4.large)   |       | IGW-T
AWS   | Transit VPC | 100.64.127.224/27 | 1   | Transit VPC CSR2 | CSR (c4.large)   |       |
AWS   | Spoke-A VPC | 40.0.0.0/16       | 1   | VM-A             | Linux (t2.micro) | VGW-A | IGW-A
AWS   | Spoke-B VPC | 50.0.0.0/16       | 0   | VM-B             | Linux (t2.micro) | VGW-B |
Azure | VNET        | 30.0.0.0/16       | 1   | VM-2             | Linux (DS1 v2)   |       |
Azure | VNET        | 30.0.0.0/16       | 1   | CSR Azure        | CSR (D2 v2)      |       |
AWS totals: 5 VPC, 5 EIP, 3 Linux EC2 and 4 CSR EC2, 2 VGW, 3 IGW
Azure totals: 1 VNET, 1 EIP, 1 Linux VM and 1 CSR
CSR 1000V Learning Resources
Book: Virtual Routing with CSR 1000V
- CSR 1000V's role and features
- Architecture, licensing & packet flow
- Use cases and configurations
- Public Cloud & OpenStack Orchestration
ISBN: 9780134135670
Miercom tested CSR 1000V also on AWS
- Using just one or two vCPUs per VM, it delivers up to the physical limit of 20 Gbps on an x86 server with two 10 GE ports, and up to 5 Gbps on AWS.
- Unlike classic routers, a CSR 1000V setup has to be configured for optimal performance on several levels.
- Major I/O technologies (SR-IOV, fd.io VPP, OVS-DPDK) were tested as the vSwitch.
- Different AWS tests were done: IPv4 forwarding; feature tests (QoS, NBAR, Firewall); IPsec site-to-site on AWS.
Free CSR 1000V Test Drive on AWS: http://www.csrtestdrive.com
Make sure you allow a security exception for the HTTPS certificate in your browser.
Key Takeaways
Summary: CSR 1000V is built for the cloud
- CSR 1000V supports all key virtualization technologies, including multi-vendor hypervisors, different image formats, I/O models and VM flavors.
- CSR 1000V runs on a variety of virtualized infrastructures, and it can be orchestrated by many NfV software products including Cisco ACI/NSO/ESC, OpenStack and other 3rd-party NfV software.
- The CSR 1000V VNF provides a variety of interfaces and open APIs: REST APIs, NETCONF, XML, OpenStack, etc.
Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session.
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions
Thank You