
Cloud networking solutions with Cisco Cloud Services Router (CSR 1000V) on AWS and Azure

Fan Yang, Cisco, Engineer, Technical Marketing

Raghavendra K S, Cisco, Engineer, Technical Marketing

Nikolai Pitaev, Cisco, Engineer, Technical Marketing

LTRDCN-2100

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session.

How:

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#LTRDCN-2100

Agenda

• Cisco Multi-Cloud Offering (15 mins)
• Lab Introduction (5 mins)
• Lab (220 mins)

Cisco Multicloud Portfolio — Key Use Cases

CloudAdvisory
• Cloud adoption strategy with a roadmap of capabilities and gaps
• Cloud onboarding with an app dependency mapping strategy
• Definition of the value case and value realization

CloudConsume
• Scale applications based on end user performance and business metrics
• Gain visibility into application performance and control cloud spend
• Manage the full application lifecycle

CloudConnect
• Securely extend the private network to single or multiple public cloud environments
• Optimize for high cloud IaaS and SaaS performance
• Secured access to the internet and SaaS from branches

CloudProtect
• Secure “direct-to-cloud” users and their devices
• Protect endpoints including mobile devices
• Secure SaaS applications and data
• Protect custom workloads running in the public cloud

Cisco Multicloud Portfolio — Products Mix

Multicloud Portfolio: CloudAdvisory, CloudConsume, CloudConnect, CloudProtect

CloudAdvisory: Advisory Services (delivered by AS/Cisco Partners)
• Cloud Migration
• Cloud Connect
• Cloud Protect
• Cloud Consume

CloudConsume
• AppDynamics APM
• CloudCenter

CloudConnect
• CSR 1000v
• vEdge with Umbrella

CloudProtect
• Umbrella
• AMP for Endpoints
• Meraki Systems Manager
• Cloudlock
• Tetration Cloud

Cisco Cloud Services Router (CSR) 1000V: Cisco IOS XE Software in a Virtual Appliance Form-Factor

Enterprise-class Networking with Rapid Deployment and Flexibility

(Diagram: a CSR 1000V virtual machine running next to application VMs (OS + App) on a virtual switch and hypervisor on an x86 server.)

Software
• Familiar IOS XE software with ASR1000 and ISR4000

Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100
• Supported Cloud Platforms: Amazon AWS, Microsoft Azure

Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1 vCPU to 8 vCPU

License Options
• Term based: 1 year, 3 year or 5 year
• Smart License enabled

Programmability
• NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet

Cisco CSR 1000V Cloud Platform Options (IOS-XE 16.7.1 release)

CSR on AWS (use Enhanced Networking)

  Size          CEF (Mbps)   IPSEC (Mbps)
  T2.medium           390           300
  M3.Medium           300           250
  C4.large            575           550
  C4.xlarge           860           860
  C3.2xlarge         1330          1000
  C4.2xlarge         2300          2200
  C4.4xlarge         4600          4100
  C4.8xlarge         5100          4700

CSR on Azure (will support Accelerated Networking in future)

  Size          CEF (Mbps)   IPSEC (Mbps)
  D2_v2              1500           700
  DS2_v2             1500           800
  D3_v2              2000          1500
  DS3_v2             2000          1500
  D4_v2              2000          2000
  DS4_v2             2100          2000

CSR 1000V use cases for all public clouds

Extend Enterprise Routing Architecture to Cloud
• Common routing fabric securely extended to cloud
• DMVPN, FlexVPN, GETVPN*
• Support up to 1000 tunnels

Remote Worker VPN Access
• FlexVPN IPSEC or SSLVPN via AnyConnect
• Flexible AAA server options for authentication
• Launch applications in regions near your users

Across Region/Cloud Provider Interconnection
• Distribute applications globally
• Accessibility across on-prem and cloud locations
• Overcomes VPN tunnel limitation on AWS and Azure
• Extend on-prem routing architecture into Public Cloud

Monitor/Analyze/Shape traffic in Public Cloud
• Security (ETA, vFW, VRF, AVC, Snort IPS/URL Filtering)
• Assurance (IP SLA, BFD, QoS)
• Scale to hundreds of VPCs across regions/accounts (Transit VPC)
• Monitoring and troubleshooting with known common tools

(Diagram: a corporate office/branch connected over VPN to virtual private clouds in Cloud, US East and Cloud, US West.)

*GETVPN supported on DX/ER only (no NAT)

Two deployment models

Application VPC Gateway
• CSR deployed in application VPC
• Provide IPSEC gateway for entire VPC
• Need high availability

Transit Hub Router
• CSR deployed in dedicated Transit Hub, not in application VPC
• High speed traffic routing for spoke VPC
• High availability is built-in natively

(Diagram: an Application VPC with CSRs in AZ1 and AZ2, next to a Transit Hub VPC serving spoke VPCs.)

Amazon AWS Concept

VPC (Virtual Private Cloud) 101

• Logically isolated network with its own IP range, routes, security, etc.
• IP ranges (RFC1918) can be overlapping
• Internet gateway (IGW) connects outside and between VPCs
• Public IP or NAT for egress
• Security:
  • Network ACLs
  • Security Groups
• VPC route tables direct traffic within the VPC
• The VPC “router” is really an encap/decap device between hypervisors

(Diagram: VPC 10.99.0.0/16 with Subnet A 10.99.1.0/24 and Subnet B 10.99.2.0/24 behind an IGW.)

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

An Elastic IP Address is a routable address mapped to an instance in a VPC.

Instances never have a publicly routable IP address directly assigned.

Addresses are associated with the AWS account and not the instance.

The Elastic IP for the CSR 1000V becomes the tunnel endpoint for VPN in this lab.

(Diagram: James’ VPC, CIDR 10.2.0.0/16, with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24; WebApp1 Instance IP 10.2.1.25; Internet Gateway Elastic IP mapping 54.32.54.32 – 10.2.1.25.)

Microsoft Azure Concept

Azure Basic Concepts

Virtual Network (VNet)
• A VNet logically isolates a network’s own IP range, routes, security policies, etc.
• Each subnet created is automatically assigned a route table that contains system routes: Local VNet rule, On-premises rule and Internet rule
• System routes can be overwritten by User Defined Routes
• VNets’ IP ranges cannot overlap
• Public IP NAT or Overload NAT for outbound traffic (no true public IPs)
• No L2 Broadcast/Multicast capability either
• GRE packets are blocked within Azure

• The Azure system route table routes within the VNet
• All VNet subnets ALWAYS have a route to all other VNet subnets!

(Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24.)

Azure Public IP Addresses

• Azure infrastructure takes on the role of the router, allowing access from your VNet to the public Internet without the need for any configuration
• The Public IP for the CSR becomes the tunnel endpoint for VPN, etc.
• Instances never have a publicly routable IP address directly assigned

(Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24; WebApp1 Instance IP 10.2.1.25; Azure infrastructure public IP mapping 54.32.54.32 – 10.2.1.25.)

Cisco CSR1000V Solutions

Transit VPC/VNET Design

(Diagram: a Private DC with an ASR connects over Direct Connect or Internet to a Transit VPC with CSR1 in AZ1 and CSR2 in AZ2; spoke VPCs A, B, C, … and other provider networks attach to the transit VPC across regions and accounts/subscriptions.)

• Dedicated VPC: Simplifies routing by not combining with other shared services.
• CSR1000v Virtual Network Appliances: Provide dynamic routing and VPN network tunnels.
• Redundancy: Dynamic routing combined with multi-AZ deployment creates a robust network infrastructure.
• VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances.
• Security services: Easily layer Firewall, IPS, URL Filtering and Cisco ETA (Encrypted Traffic Analysis).

Transit VPC using DMVPN Solution Diagram

(Diagram: Transit VPC with CSRs in AZ1 and AZ2 connected over DMVPN to Spoke VPC A, Spoke VPC B and Spoke VPC C.)

• High Throughput: a spoke VPC scales up to 4.5 Gbps with CSR, instead of 1 Gbps on VGW
• Inter VPC Traffic: a spoke VPC can talk to other spokes directly, which frees up Transit CSR throughput
• Redundancy: two CSRs in the spoke VPC act as a high availability pair to provide redundancy
• Application Visibility: provides application level visibility in the spoke with NBAR capability on CSR
• Advanced Security: provides ZBFW, IPS and URL filtering with Snort IPS on CSR for inter VPC traffic, plus Cisco ETA (Encrypted Traffic Analysis)

Multi Region Deployment with Inter Region Peering!

(Diagram: Private DC 1 (ASR) connects via DX/ER or Internet to a Transit VPC in us-east with CSR1 and CSR2; Private DC 2 (ASR) connects via DX/ER or Internet to a Transit VPC in us-west with CSR3 and CSR4; the two transit VPCs are joined by tunnels over Inter-Region Peering, each serving its own spoke VPCs.)

• Keep localized traffic in the same region
• Use different spoke tags (region1:spoke, region2:spoke) so a spoke is not connected to a different region
• Use different BGP ASNs for easy troubleshooting

Technical comparison between AWS and Azure for CSR 1000v

  Feature                                   AWS             Azure
  IPSEC Throughput                          4.5 Gbps        2 Gbps
  Number of vNIC supported today            10              2/4/8
  High Availability (Routing)               Supported       Supported
  Bootstrap                                 User Data       Custom Data (Coming)
  Automated Hub Spoke Solution              Transit VPC     Transit VNET (Coming)
  PAYG (Pay As You Go)                      Supported       Coming
  GRE Tunnel support in VPC/VNet            Supported       Not supported
  L2 Broadcast and Multicast                Not supported   Not supported
  Add interfaces on running CSR 1000V VM    Yes             No (need to stop instance)

Lab Introduction

Transit VPC Lab Overview

(Diagram: lab modules M1 (40 min.), M2 (30 min.), M3 (50 min.) and M4 (40 min.) spanning the Transit VPC (AZ1/AZ2) with spoke VPCs A and B, an Azure VNet, DMVPN, and an optional Guest Shell module.)

(Lab topology diagram: PodX Transit VPC with CSR1 and CSR2; PodX-Spoke-A VPC with a SpokeA CSR; PodX-Spoke-B VPC with a SpokeB CSR; Azure VNET with CSR3 at 30.0.1.4; the address ranges 40.0.0.0/16, 50.0.0.0/16, 100.64.127.224/27 and 30.0.0.0/16 are labelled on the diagram; everything is connected over DMVPN.)

Lab Tips and Guidance

Before you begin

Make sure you have one page with additional lab information.

Make sure that you are using the assigned AWS region!

All resources you create should be named in a certain way. For example: P21V1 for pod21.

Reload CSR

• Be careful about reloading the CSR in the lab. Make sure to save the configuration first by typing “wr” or “copy running-config startup-config”, then reload.
• You need to reconfigure the CSR with “bgp router-id interface GigabitEthernet1” after reload.
• This is because the configuration loss on reload might cause a BGP router-id conflict between the Transit CSR and the Spoke CSR.
• It will be fixed in a later version.

If you reload the Transit CSR, configure:

  router bgp 64512
   bgp router-id interface GigabitEthernet1

If you reload a Spoke CSR, configure:

  router bgp 7224
   bgp router-id interface GigabitEthernet1

Filter resources for better view

This lab is in a shared environment and 5 attendees are sharing one region. You are able to see other attendees’ resources.

Please filter resources by name to view your own resources clearly and avoid shutting down other people’s instances.

Note: Please always filter resources, in both the AWS and the Azure console.

For example, Pod23 filters AWS with P23V1 and Azure with pod23.

Disable IP Source/Destination Checking in the lab

By default AWS blocks traffic that is not to/from a given instance.

Toggle the Source/Dest Check option to allow a CSR instance to pass traffic for other subnets (i.e. act as a gateway).

Note: Always review this setting for any new interfaces you add!
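An added example (not part of the lab slides) of the review the note above asks for: it parses the JSON shape returned by `aws ec2 describe-network-interfaces` and flags both directions of misconfiguration, a CSR interface that still has Source/Dest Check on (it cannot forward for other subnets) and a non-router interface that has it off (the instance may send or relay traffic for addresses it does not own). The sample data, the `CSR` name marker and the `PxxV1` pod prefix are constructed to match the lab's naming; the CLI command strings it produces are the assumed `modify-network-interface-attribute` form and should be checked against your CLI version before use.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-interfaces` output. Ids are
# placeholders; addresses use the lab's spoke/transit ranges and its PxxV1 naming convention.
SAMPLE_ENIS = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-csr1-g1", "PrivateIpAddress": "100.64.127.230",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-csr1"},
     "TagSet": [{"Key": "Name", "Value": "P21V1-CSR1"}]},
    {"NetworkInterfaceId": "eni-csr2-g1", "PrivateIpAddress": "100.64.127.246",
     "SourceDestCheck": True, "Attachment": {"InstanceId": "i-csr2"},
     "TagSet": [{"Key": "Name", "Value": "P21V1-CSR2"}]},
    {"NetworkInterfaceId": "eni-web1", "PrivateIpAddress": "40.0.1.25",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-web1"},
     "TagSet": [{"Key": "Name", "Value": "P21V1-SpokeA-Web"}]},
    {"NetworkInterfaceId": "eni-web2", "PrivateIpAddress": "50.0.1.25",
     "SourceDestCheck": True, "Attachment": {"InstanceId": "i-web2"},
     "TagSet": [{"Key": "Name", "Value": "P21V1-SpokeB-Web"}]},
    {"NetworkInterfaceId": "eni-other", "PrivateIpAddress": "40.0.2.10",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-other"},
     "TagSet": [{"Key": "Name", "Value": "P22V1-SpokeA-Web"}]},
]})

def name_tag(eni):
    """Return the Name tag of an ENI, or '' when it has none."""
    return next((t["Value"] for t in eni.get("TagSet", []) if t["Key"] == "Name"), "")

def audit_source_dest_check(describe_json, router_marker="CSR", pod_prefix=""):
    """Compare each ENI's SourceDestCheck with its instance role: routers (Name contains
    router_marker) need it OFF to forward for other subnets; hosts need it ON so they
    cannot emit or forward packets for addresses they do not own."""
    found = {"router_check_enabled": [], "host_check_disabled": [], "ok": []}
    for eni in json.loads(describe_json)["NetworkInterfaces"]:
        name = name_tag(eni)
        if pod_prefix and not name.startswith(pod_prefix):
            continue  # another attendee's resource (lab advice: filter by pod name)
        is_router, check_on = router_marker in name, eni["SourceDestCheck"]
        if is_router and check_on:
            found["router_check_enabled"].append(eni["NetworkInterfaceId"])
        elif not is_router and not check_on:
            found["host_check_disabled"].append(eni["NetworkInterfaceId"])
        else:
            found["ok"].append(eni["NetworkInterfaceId"])
    return found

def fix_commands(found):
    """AWS CLI commands (assumed form) that correct each finding; returned as text, never run."""
    base = "aws ec2 modify-network-interface-attribute --network-interface-id "
    return ([base + e + " --no-source-dest-check" for e in found["router_check_enabled"]]
            + [base + e + " --source-dest-check" for e in found["host_check_disabled"]])
```

Run `audit_source_dest_check(SAMPLE_ENIS, pod_prefix="P21V1")` to see only pod 21's findings; feeding real `describe-network-interfaces` output into the same function turns the slide's manual check into a repeatable audit.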

Adjust Azure Public IP address idle time

The Azure SSH session will time out after 4 minutes of inactivity by default. Change it to 30 minutes for easier usage.

Additional Resources

• Subscribe to our Youtube Channel! Over 20 technical videos! http://cs.co/csr1000v
• CSR 1000V Configuration Guide for AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html
• Cisco CSR1000V Transit VPC DeepDive and Best Practice: https://www.youtube.com/watch?v=MPQLKyhN-rU&t=11s
• Deploy CSR1000v High Availability on Microsoft Azure: https://www.youtube.com/watch?v=JEr2ZhZ2WZs


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Visit the CSR1000V Multi-Cloud booth located in WoS (World of Solutions)
• Related sessions:
  • Network Function Virtualization Seminar [TECSPG-2300] (Monday, Jan 29, 02:30 p.m. - 06:45 p.m.)
  • Cisco vBNG solution based on CSR1000V and XRv 9000 [BRKSPG-2063] (Thursday, Feb 01, 09:00 a.m. - 11:00 a.m.)
• Meet the Engineer 1:1 meetings

Thank you