Deployment Guide for Cisco CSR 1000v Series on Microsoft Azure
Updated Dec 2nd, 2016
Table of Contents
Overview of Cisco CSR 1000v Deployment on Microsoft Azure
  Introduction
  What is supported and what is not supported
Deploying Cisco 1000v on Microsoft Azure
  Prerequisites
  Step 1. Sign in and Customize Azure portal GUI
  Step 2. Creating a Resource Group
  Step 3. Create Storage Account
  Step 4. Creating Virtual Network
  Step 5. Create public IP address
  Step 6. Launching Cisco CSR 1000v virtual machine
  Step 7. Accessing the Cisco CSR 1000v virtual machine
  Step 8. Apply License to the CSR 1000v virtual machine
Modifying settings for CSR 1000v on Azure
  Update Route Tables
  Update Security Group
Configuration Example
  Enable IPsec VPN between CSR 1000v on Azure and AWS clouds
Differences between CSR 1000v on Azure and AWS
Best Practices and Caveats
Other Related Resources
Overview of Cisco CSR 1000v Deployment on Microsoft Azure

Introduction
The Cisco Cloud Services Router (CSR) 1000v is a full-featured Cisco IOS XE router, enabling IT departments to deploy enterprise-class networking services in the Azure cloud. As a Cisco IOS XE based product, the CSR 1000v includes a wide range of features. The following are some examples of how the CSR is being used to enable enterprise-class hybrid clouds.
• Extend enterprise VPN architectures into your private cloud: The CSR 1000v supports IPsec, DMVPN, FlexVPN, EasyVPN, and SSL VPN, and configuration, monitoring, and troubleshooting are all familiar IOS commands.
• Interconnect multiple regions and clouds: Using dynamic routing protocols such as EIGRP, OSPF, and BGP, construct multi-tier architectures within Azure, and interconnect with corporate locations or other clouds. Avoid the limits of native cloud networking tools.
• Secure, inspect, and audit hybrid cloud network traffic: Zone Based Firewall on the CSR 1000V provides an application-aware firewall. IP SLA and Application Visibility and Control (AVC) on the CSR 1000v can proactively discover performance issues, fingerprint application flows, and export detailed flow data for real-time analysis and network forensics.
What is supported and what is not supported
In this release, to make deployment easier on Azure, the CSR offers a bundle with templates that creates all related resources together in a guided way. The bundle includes the following: CSR + Virtual network + Routing Table + Security Group. This deployment does the following:
• Creates a CSR virtual machine with 2 vCPU, 7G RAM and a maximum of 2 interfaces.
• Creates a public IP address for the interface on the first subnet (NIC0).
• Creates a security group with inbound rules for the interface on the first subnet (NIC0).
• Creates a route table on the Azure hypervisor router for each CSR subnet and adds a default route for the second subnet that points to the CSR second interface (NIC1) IP address.
The following are the known limitations for deploying CSR 1000v on Azure:
• Only CSR 1000v with 2 vNICs is supported.
• GRE tunnels are not supported; Azure will drop GRE packets sent by the CSR.
• The public/private key based SSH feature is not supported.
• Only the D2 profile is supported (2 vCPU and 7G RAM).
• High availability through redundant CSRs is not supported.
NOTE: This release of CSR 1000v on Azure only supports BYOL (Bring your own license). Users can copy a license to the CSR or enable smart licensing.
Deploying Cisco 1000v on Microsoft Azure

Prerequisites
Before deploying the CSR, please make sure the following checklist is fulfilled:
• Create an Azure account; for more information, please refer to the Microsoft Azure Get Started Guide.
• Request a CSR license to enable throughput above 100K and to enable the desired technology package. For more information about licensing, please refer to the CSR 1000v data sheet.
• Plan out the settings for the CSR as shown in the following table. Note that the items marked with * are mandatory, and the values in the Example column are used throughout this documentation.
Table 1. CSR 1000v Settings on Azure

| Parameter | Description | Example |
|---|---|---|
| *Resource Group name | Resource Group name | "DC4" |
| *Subscription | Azure user account subscription | Free Trial |
| *Location | Azure Datacenter location | East US |
| *Storage Account name | Storage account name | "dc4storagegroup" |
| *Storage Account Type | Redundancy method provided by Azure | Standard-LRS (Locally Redundant, which is the only supported type in this release) |
| *Virtual network - name | Virtual Network name | "vnet01" |
| *Virtual network - Address space | CIDR of the virtual network | "10.4.1.0/16" |
| *Subnets - First subnet name | Name of the subnet. It will be the subnet for gig1 of the CSR | "DC4-pub" |
| *Subnets - First subnet address prefix | CIDR for the first subnet, which needs to be within the Virtual network Address space | "10.4.1.0/24" |
| *Subnets - Second subnet name | Name of the subnet. It will be the subnet for gig2 of the CSR | "DC4-sub" |
| *Subnets - Second subnet address prefix | CIDR for the second subnet, which needs to be within the Virtual network Address space | "10.4.2.0/24" |
| *Public IP address name | Name for the public IP address, which is the NAT IP for CSR gig0 | "dc4csrpub" |
| Public IP address DNS name label | DNS name for the public IP address | "dc4csrpub" |
| *Virtual Machine name | Name of the Virtual Machine (VM) | "DC4-csr" |
| Username | Admin Username for the VM | "admindemo" |
| *Authentication type | Default is Password, but SSH public key can be selected | Password |
| *Password | Password for the VM | "Cisco123" |
| *Virtual machine size | The size of the VM | 1x Standard D2 (this is the default and only option in this release) |
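The planning table above is where most deployment mistakes are made before anything is created in Azure: a subnet outside the address space, two subnets that overlap, a prefix with host bits set, or a storage account name Azure will reject. The following validator is an added example (it is not part of the Cisco guide and uses no Azure API); it takes the Table 1 example values as a constructed plan and reports the inconsistencies a practitioner would want to catch up front. The password policy (12+ characters, 3 of 4 character classes) and the /29 minimum subnet size are this example's own assumptions, not requirements stated on the page.

```python
import ipaddress
import re

# Constructed sample plan built from the Table 1 example values (hypothetical, not a real deployment).
PLAN = {
    "resource_group": "DC4",
    "location": "East US",
    "storage_account": "dc4storagegroup",
    "vnet_address_space": "10.4.1.0/16",
    "subnets": {"DC4-pub": "10.4.1.0/24", "DC4-sub": "10.4.2.0/24"},
    "username": "admindemo",
    "password": "Cisco123",
}


def normalize(cidr):
    """Azure accepts a prefix with host bits set; strict=False yields the network it will actually create."""
    return ipaddress.ip_network(cidr, strict=False)


def password_problems(pw):
    """Local policy assumed for this example: at least 12 characters and 3 of 4 character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    out = []
    if len(pw) < 12:
        out.append("password shorter than 12 characters")
    if classes < 3:
        out.append("password uses fewer than 3 character classes")
    return out


def validate_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    vnet = normalize(plan["vnet_address_space"])
    if str(vnet) != plan["vnet_address_space"]:
        problems.append(f"address space {plan['vnet_address_space']} has host bits set; "
                        f"Azure will create {vnet}")
    subnets = {name: normalize(cidr) for name, cidr in plan["subnets"].items()}
    if len(subnets) != 2:
        problems.append("exactly two subnets are expected, one per CSR NIC")
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} ({net}) is outside the address space {vnet}")
        # Azure reserves five addresses in every subnet, so /29 is the smallest usable prefix.
        if net.prefixlen > 29:
            problems.append(f"subnet {name} ({net}) is smaller than /29")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    # Storage account names must be 3-24 lowercase letters and digits.
    if not re.fullmatch(r"[a-z0-9]{3,24}", plan["storage_account"]):
        problems.append(f"storage account name {plan['storage_account']!r} is not 3-24 lowercase letters/digits")
    problems.extend(password_problems(plan["password"]))
    return problems


if __name__ == "__main__":
    for p in validate_plan(PLAN):
        print("-", p)
```

Run against the Table 1 values, the validator reports two issues: the address space "10.4.1.0/16" has host bits set (Azure will store it as 10.4.0.0/16, which is also why the subnets still validate), and the example password is shorter than the assumed policy. Correct those two fields and the plan validates cleanly.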
NOTE: The Azure CSR 1000v deployment simplifies the procedure by allowing users to create resources such as the Resource Group, Storage Account, Virtual Network and Public IP on the fly during CSR creation; these resources are described in Steps 2-5 of this document. We recommend that first-time users go through the following steps to understand which resources can be created up front and reused later if the CSR 1000v needs to be re-created. As a quick start, the user can skip Steps 2-5, jump to Step 6 to launch the CSR 1000v, and use Steps 2-5 as a reference.
Step 1. Sign in and Customize Azure portal GUI
Sign In to the Azure portal GUI
After creating an Azure Subscription, a user should be able to log in to the Azure portal.
Customize the Azure portal GUI
In Azure, a user can optionally tag the frequently used objects (e.g. Virtual machines, Virtual network, etc.) so that they show up in the left-hand side panel. This is optional, but we recommend customizing the left-hand side panel for easier use. To customize it, after logging in to the Azure portal, click Browse and then click the "star" next to an object; it will then show up on the left-hand side panel.
NOTE: In this documentation, it is assumed that the following objects are selected: Resource group, Virtual machines, Subscriptions, Network security groups, Network interfaces, Public IP addresses, Virtual networks, Route tables, Storage accounts.
Add an Object
There are different ways to add an object from the GUI; in this documentation, we do it through the left-hand panel. The following gives an example of creating a Resource Group; the other objects are created and verified in the same way, which will not be repeated:
Click Resource Group on the left-hand side panel, which will expand to the Resource groups page that lists all the existing Resource groups. Click Add to create a new Resource Group as follows:
To verify that the object was created successfully, click Resource group and it should show up in the list of Resource Groups:

Step 2. Creating a Resource Group
A Resource Group in Azure refers to a set of resources that can be kept and deleted all together. The resources include VMs, interfaces, virtual networks, route tables, public IP addresses, security groups and storage accounts. The resources in one resource group need to have unique names. If you create objects that depend on objects in different resource groups, the other resource cannot be deleted before you delete your object. Please refer to the Resource Group article for more details.
TIP: A Resource Group can be created on the fly during CSR deployment as well.
Step 2-1. Click Resource Group on the left-hand side panel, and it will expand the Resource Group page, which shows all the existing Resource Groups. Click Add at the top and it will expand to the Create Resource group page.
Step 2-2. Type in the Resource Group name, then select the Subscription and Resource group location from the drop-down lists. Click Create to create Resource Group "DC4".
Step 3. Create Storage Account
A Storage Account in Azure is used to keep the VM disk file and boot log. It belongs to a resource group. Not all resources need to have a storage account. Please refer to the Azure Storage article for more details.
TIP: A Storage Account can be created on the fly during CSR deployment as well.
Step 3-1. Click Storage accounts on the left-hand side panel, which will expand the Storage accounts GUI. Click Add to navigate to the Create storage account page.
Step 3-2. Type in the Storage account name, select the Storage account type, select Resource Group "DC4" created in Step 2, and make sure the Location is correct, in this case "East US". Click Create to create Storage account "dc4storageaccount".
Step 4. Creating Virtual Network
A Virtual Network is a representation of the private network, which provides logical isolation within the Azure cloud. Please refer to the Virtual Network article for more details.
TIP: A Virtual Network can be created on the fly during CSR deployment as well.
Step 4-1. Click Virtual networks on the left-hand side panel, which will expand the Virtual networks GUI, then click Add to navigate to the Create virtual network page.
Step 4-2. Fill in the blanks with the info prepared in Table 1. Make sure that the Location is correct, which in this case is "East US". Note that only one subnet can be created during the initial Virtual network creation.
Step 4-3. Add the second subnet to the Virtual network. Click Virtual networks on the left-hand side panel, and click the virtual network just created, in this case "vnet01". Click All Settings, which will navigate to the Settings page. Click Subnet, which will navigate to the Subnets page. Click Add to add a new Subnet.
Step 4-4. Type in the subnet name and CIDR of the second subnet. Click OK to finish.

Step 5. Create public IP address
A Public IP address is an IP address that users or devices on the Internet can reach, and it is associated with a specific IP address of the VM. It is a one-to-one NAT performed by the Azure hypervisor router. In this case, the CSR 1000v first subnet IP address will be assigned a public IP address. A reserved (static) IP is recommended, since a dynamic IP may cause the tunnel to malfunction when the VM is shut down/deallocated and booted up again. Please refer to the Public IP article for more details.
TIP: A Public IP can be created on the fly during CSR deployment as well.
Step 5-1. Click Public IP address on the left-hand side panel to expand the Public IP address page. Click Add, which will expand the Create public IP address page.
Step 5-2. Fill in the info from Table 1. Change the IP address assignment from Dynamic to Static. Click Create to finish.
Step 6. Launching Cisco CSR 1000v virtual machine
Step 6-1. Click Virtual machines on the left-hand side panel, and it will expand the Virtual machines page. Click Add, which will expand the Compute page. Type in "csr" and hit Enter on the keyboard, and it will find all the CSR offerings available in the Marketplace. Click Basic CSR 1000v Deployment w/ two NICs.
Step 6-2. At the end of the introduction page, click Create.
Step 6-3. Click 1 Basics. Fill in the blanks with the info you prepared in Table 1, and click OK.
Starting from IOS-XE 3.16.02, you can use an SSH public key to access the CSR. To use an SSH public key, the "Username" field needs to be "azureuser" due to a current limitation. On the launching page, you can click the small "i" (information) icon next to the "Username" input field for help. You will find the notice about the username restriction there.
Step 6-4. The GUI will navigate to 2 Cisco CSR settings. Click Virtual machine size to select the desired value (which in this release is Standard D2 only). Click Storage group, Public IP address, Virtual network, and Subnets to select the items created in the previous steps, if they were created previously. If they don't exist, you may create them on the fly; please refer to the previous steps for details. Then click OK to finish.
If your CSR has multiple NICs (we support 2 NICs or 4 NICs on Azure currently), the first NIC will be used in the public subnet. The other NICs will be used in the private subnets. The IP address of the other NICs can be assigned by DHCP with "ip address dhcp" under the interface configuration. It can also be set up statically; however, make sure it is the same as the IP address assigned by Azure.
Step 6-5. The GUI will navigate to 3 Summary. Review and click OK to confirm the settings.
Step 6-6. The GUI will navigate to 4 Buy; click Create to confirm the purchase. It will take a couple of minutes for the VM to come up.
Step 7. Accessing the Cisco CSR 1000v virtual machine
To verify the VM creation status, click Virtual machines on the left-hand side panel:
When the status has changed to Running, click the VM to see its details. Take note of the Public IP address.
In a terminal of your choice, ssh to the server and use the username and password configured when creating the VM:
NOTE: Due to the mismatch of terminal timeout timing between Azure (4 mins) and the CSR (infinite), the user can be locked out of SSH after 4 mins of idle status, without the line being cleared. Please refer to the "Best Practices and Caveats" section of this paper for details.

```text
FANGU-M-40A8:~ fangu$ ssh -o ServerAliveInterval=60 <username>@40.121.148.7
The authenticity of host '40.121.148.7 (40.121.148.7)' can't be established.
RSA key fingerprint is 94:79:e9:d2:2e:85:93:d6:52:41:cc:a3:d9:14:7f:5f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '40.121.148.7' (RSA) to the list of known hosts.
Password: Cisco123
DC4-csr#
DC4-csr#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.4.1.4        YES DHCP   up                    up
GigabitEthernet2       10.4.2.4        YES DHCP   up                    up
DC4-csr#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.4.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.4.1.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.4.1.0/24 is directly connected, GigabitEthernet1
L        10.4.1.4/32 is directly connected, GigabitEthernet1
C        10.4.2.0/24 is directly connected, GigabitEthernet2
L        10.4.2.4/32 is directly connected, GigabitEthernet2
      168.63.0.0/32 is subnetted, 1 subnets
S        168.63.129.16 [254/0] via 10.4.1.1
```
If you have set an SSH public key in Step 6, you can access your CSR with:

```text
ssh -i <key> -o ServerAliveInterval=60 azureuser@<csr_address>
```

Step 8. Apply License to the CSR 1000v virtual machine
Cisco CSR 1000v offers a variety of throughput and technology package licenses to meet each customer's requirements. Cisco CSR 1000v also offers two licensing models: Cisco Software License (CSL), which is our traditional PAK based licensing model, and Cisco Smart Licensing, which allows customers to assign licenses to Cisco CSR 1000v instances dynamically. Please see the CSR 1000v data sheet and the CSR 1000v managing licenses documents for more information.
A CSR 1000v deployed with the defaults has a throughput of 100K with technology package AX. In order to increase the throughput to the desired level and enable the desired technology package, a customer needs to install a CSR license as follows.
The following is an example of traditional manual licensing. Copy the license file to the CSR 1000v bootflash from the local computer:

```text
scp <license file> <username>@<CSRAddress>:<license file name>
```

Log in to the CSR 1000v and install the license:

```text
license install bootflash:<license file>
```

After the license is applied, the user can change the throughput as follows:

```text
DC4-csr(config)#platform hardware throughput level MB 250
```
Modifying settings for CSR 1000v on Azure

Update Route Tables
In Azure, all VMs send packets to a hypervisor router, and the hypervisor forwards the packets based on the route table associated with that subnet. When creating the CSR 1000v, two route tables are created and each is associated with one of the subnets. A default route is created for the second subnet that points to the CSR, so all the VMs created on this subnet will use the CSR as their default route. Please refer to Figure 1. If this behavior needs to change, a user can change it from the Azure portal GUI. Click Route Table on the left-hand side panel, which will navigate to the Route tables page; find the target route table and click All Settings, which will expand the Settings page; then click Routes to add or modify routes.
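The forwarding decision the paragraph above describes (the hypervisor consults the subnet's route table, and the deployment's user-defined default route steers everything not otherwise matched to the CSR) can be reproduced offline. The following is an added example, not part of the Cisco guide and not an Azure API: it models the effective routes of the second subnet (DC4-sub) as a constructed list, using Azure's route-selection rule of longest prefix match with user-defined routes preferred over system routes on equal prefix length. The CSR next-hop address 10.4.2.4 is taken from the Step 7 output; the `with_bypass` helper is this example's own way of showing what adding a route in the portal changes.

```python
import ipaddress

# Constructed sample: the effective routes Azure applies to the CSR's second subnet (DC4-sub)
# after this deployment. The System routes are the ones Azure installs for every subnet; the
# User route is the default route the template adds, with the CSR's second NIC as next hop
# (10.4.2.4, the GigabitEthernet2 address shown in Step 7). Next-hop type names follow Azure.
ROUTES = [
    {"prefix": "10.4.0.0/16", "next_hop_type": "VnetLocal",        "next_hop": None,       "origin": "System"},
    {"prefix": "0.0.0.0/0",   "next_hop_type": "Internet",         "next_hop": None,       "origin": "System"},
    {"prefix": "10.0.0.0/8",  "next_hop_type": "None",             "next_hop": None,       "origin": "System"},
    {"prefix": "0.0.0.0/0",   "next_hop_type": "VirtualAppliance", "next_hop": "10.4.2.4", "origin": "User"},
]

# Among routes with the same prefix length, Azure prefers user-defined over BGP over system routes.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, destination):
    """Longest-prefix match with Azure's origin tie-break; returns the winning route or None."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                       -ORIGIN_RANK[r["origin"]]))


def next_hop(routes, destination):
    """(next_hop_type, next_hop) the hypervisor router uses for a packet leaving this subnet."""
    r = select_route(routes, destination)
    return (r["next_hop_type"], r["next_hop"]) if r else ("None", None)


def with_bypass(routes, prefix, next_hop_type="Internet"):
    """Return a copy with an extra user route so that 'prefix' no longer goes through the CSR
    (the effect of adding a more specific route under Routes in the portal)."""
    return routes + [{"prefix": prefix, "next_hop_type": next_hop_type, "next_hop": None, "origin": "User"}]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.4.1.5", "10.9.9.9"):
        print(dst, "->", next_hop(ROUTES, dst))
```

With the deployment's routes, Internet-bound traffic from DC4-sub goes to the CSR (the user route wins over the system Internet route at equal prefix length), traffic to the first subnet stays inside the virtual network (the /16 system route is more specific), and traffic to other RFC 1918 space outside the address space is dropped by the system "None" route. A more specific user route overrides the CSR default for just that prefix.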
Update Security Group
A Security Group controls which ports/destinations the hypervisor allows or denies for certain interfaces. When creating the CSR, a new Security Group is created for the first subnet's inbound interface by default. For CSR 1000v virtual machines deployed through this deployment, the following ports are allowed for inbound Internet traffic: TCP 22, UDP 500 and UDP 4500; the rest are denied. To modify the Security group, click Network security group on the left-hand side panel, which will navigate to the Network security group page. Click the target network security group, which will expand the details page. Click All Settings, which will expand the Settings page. Click Inbound security rules on the Settings page, and click Add to add additional rules.
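Network security group rules are evaluated in priority order and the first match wins; the "rest are denied" behaviour comes from Azure's built-in DenyAllInBound rule at priority 65500, and the built-in AllowVnetInBound rule at 65000 is why traffic from inside the virtual network is not blocked even though only three custom rules exist. The evaluator below is an added example, not part of the Cisco guide or of any Azure SDK: the three custom rules are constructed to mirror the ports the paragraph lists (their names and priorities are this example's own), the "Internet" service tag is simplified to "any source outside the virtual network", and the built-in AllowAzureLoadBalancerInBound rule is omitted for brevity.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; custom rules use 100-4096
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    dst_ports: str     # "22", "1000-2000" or "*"
    source: str        # CIDR, "*", or the service tags modelled here: "Internet", "VirtualNetwork"


# Constructed: the address space from Table 1 (as Azure stores it) and the inbound rule set for
# NIC0: the deployment's three allow rules (TCP 22, UDP 500, UDP 4500) followed by two of Azure's
# built-in default rules. Rule names and priorities for the custom rules are assumptions.
VNET = ipaddress.ip_network("10.4.0.0/16")
INBOUND = [
    Rule("SSH",              100,   "Allow", "Tcp", "22",   "Internet"),
    Rule("IKE",              110,   "Allow", "Udp", "500",  "Internet"),
    Rule("NAT-T",            120,   "Allow", "Udp", "4500", "Internet"),
    Rule("AllowVnetInBound", 65000, "Allow", "*",   "*",    "VirtualNetwork"),
    Rule("DenyAllInBound",   65500, "Deny",  "*",   "*",    "*"),
]


def source_matches(spec, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":          # simplified: anything not inside the virtual network
        return ip not in VNET
    return ip in ipaddress.ip_network(spec)


def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, protocol, dst_port, src_ip):
    """First matching rule in priority order decides; returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not port_matches(r.dst_ports, dst_port) or not source_matches(r.source, src_ip):
            continue
        return r.access, r.name
    return "Deny", "(no rule)"      # unreachable while DenyAllInBound is present


if __name__ == "__main__":
    for proto, port, src in [("Tcp", 22, "203.0.113.9"), ("Udp", 4500, "203.0.113.9"),
                             ("Tcp", 443, "203.0.113.9"), ("Tcp", 443, "10.4.2.5")]:
        print(proto, port, src, "->", evaluate(INBOUND, proto, port, src))
```

The same evaluator is useful when adding rules through the portal: give a new allow rule a priority above 120 but below 65000 and it lands after the deployment's rules yet before the default deny; give a deny rule a lower number than 100 and it pre-empts the SSH, IKE and NAT-T allows.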
Configuration Example

Enable IPsec VPN between CSR 1000v on Azure and AWS clouds
An IPsec VPN can be set up between CSRs in the Azure and AWS clouds; below is an example.

Azure CSR Configuration

```text
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile P1
 set transform-set T1
interface Tunnel0
 ip address 3.3.3.1 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 104.45.154.184
 tunnel protection ipsec profile P1
end
!!!! To test, create loop back interface and static route!!!!!
interface Loopback1
 ip address 5.5.5.5 255.255.255.255
end
ip route 6.6.6.6 255.255.255.255 Tunnel0
```

AWS CSR Configuration

```text
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile P1
 set transform-set T1
interface Tunnel0
 ip address 3.3.3.2 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 52.8.244.19
 tunnel protection ipsec profile P1
end
!!!! To test, create loop back interface and static route!!!!!
interface Loopback1
 ip address 6.6.6.6 255.255.255.255
end
ip route 5.5.5.5 255.255.255.255 Tunnel0
```
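A site-to-site IPsec tunnel only comes up when both peers mirror each other: identical ISAKMP policy attributes, identical transform-set algorithms, tunnel addresses in one subnet, and each side's test route pointing at the other side's loopback. The checker below is an added example, not part of the Cisco guide and not a substitute for `show crypto isakmp sa` on the device; it carries a minimal IOS config parser (this example's own, handling only the command shapes used above), compares the two example configurations, and also flags two things a reviewer would raise about this example: the transform-set uses legacy algorithms (esp-3des and esp-md5-hmac; the LEGACY set is this example's own list), and the pre-shared key is bound to `address 0.0.0.0`, so any peer presenting that key is accepted. The AWS side is derived from the Azure text by swapping the addresses the page shows as differing.

```python
import ipaddress

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}   # this example's own list

# Constructed: the page's Azure configuration with IOS indentation restored; the AWS side is the
# same text with the tunnel address, tunnel destination, loopback and static route swapped as shown.
AZURE_CSR = """\
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile P1
 set transform-set T1
interface Tunnel0
 ip address 3.3.3.1 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 104.45.154.184
 tunnel protection ipsec profile P1
end
interface Loopback1
 ip address 5.5.5.5 255.255.255.255
end
ip route 6.6.6.6 255.255.255.255 Tunnel0
"""
AWS_CSR = (AZURE_CSR.replace("3.3.3.1 ", "3.3.3.2 ").replace("104.45.154.184", "52.8.244.19")
           .replace("6.6.6.6", "@").replace("5.5.5.5", "6.6.6.6").replace("@", "5.5.5.5"))


def parse_ios(text):
    """Map each top-level command to its indented sub-commands; comments and 'end' are skipped."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "end":
            continue
        if raw.startswith(" ") and current is not None:
            cfg[current].append(line)
        else:
            current = line
            cfg.setdefault(current, [])
    return cfg


def summarize(cfg):
    """Pull out the handful of attributes the peer comparison needs."""
    s = {"isakmp": {}, "tsets": {}, "tunnel": {}, "loopbacks": set(), "routes": [], "wildcard_key": False}
    for head, subs in cfg.items():
        w = head.split()
        if head.startswith("crypto isakmp policy"):
            s["isakmp"][w[3]] = {sub.split()[0]: " ".join(sub.split()[1:]) for sub in subs}
        elif head.startswith("crypto isakmp key") and w[-1] == "0.0.0.0":
            s["wildcard_key"] = True                     # key accepted from any peer address
        elif head.startswith("crypto ipsec transform-set"):
            s["tsets"][w[3]] = tuple(w[4:])
        elif head.startswith("interface Tunnel"):
            for sub in subs:
                sw = sub.split()
                if sub.startswith("ip address"):
                    s["tunnel"]["ip"] = ipaddress.ip_interface(f"{sw[2]}/{sw[3]}")
                elif sub.startswith("tunnel mode"):
                    s["tunnel"]["mode"] = " ".join(sw[2:])
                elif sub.startswith("tunnel destination"):
                    s["tunnel"]["dest"] = sw[2]
        elif head.startswith("interface Loopback"):
            s["loopbacks"].update(sub.split()[2] for sub in subs if sub.startswith("ip address"))
        elif head.startswith("ip route"):
            s["routes"].append((w[2], w[4]))             # (destination, next hop or exit interface)
    return s


def check_peers(a_text, b_text):
    """Return findings for a pair of peer configs; an empty list means they mirror each other cleanly."""
    a, b = summarize(parse_ios(a_text)), summarize(parse_ios(b_text))
    out = []
    if a["isakmp"] != b["isakmp"]:
        out.append("ISAKMP policy attributes differ between peers")
    if a["tsets"] != b["tsets"]:
        out.append("transform-set definitions differ between peers")
    for name, algs in a["tsets"].items():
        weak = sorted(set(algs) & LEGACY)
        if weak:
            out.append(f"transform-set {name} uses legacy algorithms: {', '.join(weak)}")
    for side, s in (("A", a), ("B", b)):
        if s["wildcard_key"]:
            out.append(f"{side}: pre-shared key is bound to address 0.0.0.0 (any peer)")
    ta, tb = a["tunnel"], b["tunnel"]
    if ta.get("mode") != tb.get("mode"):
        out.append("tunnel modes differ")
    if ta["ip"].network != tb["ip"].network or ta["ip"].ip == tb["ip"].ip:
        out.append("tunnel addresses are not two distinct hosts in one subnet")
    for side, s, peer in (("A", a, b), ("B", b, a)):
        for dest, via in s["routes"]:
            if via.startswith("Tunnel") and dest not in peer["loopbacks"]:
                out.append(f"{side}: route to {dest} via {via} has no matching loopback on the peer")
    return out


if __name__ == "__main__":
    for finding in check_peers(AZURE_CSR, AWS_CSR):
        print("-", finding)
```

For the two configurations above the mirror checks all pass, and the only findings are the three hardening points (legacy ESP algorithms, and the wildcard key binding on each side). Change one peer's hash or point its test route at an address the other side does not own and the corresponding mismatch is reported.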
Differences between CSR 1000v on Azure and AWS
There are some differences when deploying CSR 1000v on Azure and on AWS. The following table highlights some of the differences:
Table 2. Comparing CSR 1000v on Azure and AWS

| Function | CSR 1000v on Azure | CSR 1000v on AWS |
|---|---|---|
| Number of vNICs | 2/4/8 interfaces | Multiple interfaces (>2) |
| Multiple IP addresses | Multiple IPs per vNIC | Multiple IPs per vNIC |
| GRE tunnel | Doesn't support GRE tunnel | Supports GRE tunnel |
| Redundancy | Doesn't support Redundancy. It's coming in 2017. | Supports Routing Redundancy through 2 CSR instances |
| Attach/Detach interface on the running CSR | Not supported | Supported |
| Overlapping IP subnet | Doesn't support overlapping IP subnets in different virtual networks | Supports overlapping IP subnets in different VPCs |
Best Practices and Caveats
1. It is recommended to keep all resources in the same Resource Group, so that when the whole setup needs to be cleaned up, only the Resource Group needs to be removed.
2. When the CSR virtual machine is deleted, not all of its resources are deleted (route table, security group, public IP, network interfaces), so when creating a new CSR with the same name, these resources may be re-used. If this is not desired, please either manually remove these resources, remove the Resource Group that contains them, or create the new CSR with a different name.
3. This applies to the current 3.16.0 image. By default, the CSR configuration sets the terminal VTY timeout to infinite (exec-timeout 0 0), but Azure has a default timeout for the terminal server every 4 minutes. This causes the user to be locked out of the terminal session without the line being cleared. To work around it, there are two methods:
   1. Set ServerAliveInterval=60 for the ssh session (as shown in Step 7).
   2. Change the exec-timeout to a non-zero value (e.g. exec-timeout 4 0).
4. Currently, the only supported login is through the username/password that the user created during the CSR 1000v launch.
Other Related Resources
DMVPN is supported on Azure as well, and the configuration is similar to AWS; please refer to the "Extending Your IT Infrastructure Into Amazon Web Services Using Cisco DMVPN and the Cisco Cloud Services Router 1000v Series" white paper.