Page 1: Cisco CSR1000V Overview - docshare01.docshare.tipsdocshare01.docshare.tips/files/27021/270215965.pdf · Cisco CSR1000V Overview ... you are going to configure an IPSec site-to-site

Cisco CSR1000V Overview

The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based on Cisco IOS-XE Software. CSR 1000V provides the familiar user interface of Cisco IOS XE Software, and enables you to take advantage of your existing network management tools and processes.

Cisco CSR 1000V Use Cases in Amazon AWS

Today, enterprises have two networks that are managed separately. They have applications in the enterprise's data center, which are in the enterprise's on-prem network, and they have applications in the AWS cloud, which sit in the enterprise's AWS cloud network. Enterprises would like to converge their on-prem network with their AWS cloud network and manage the entire network with a single network management tool. To converge the on-prem and AWS cloud networks, enterprises need a virtual router in their AWS cloud.

Many AWS customers have a Cisco router on their premises. They know Cisco management tools. They understand Cisco. Hence, most AWS customers prefer a Cisco virtual router to converge their on-prem network with their AWS cloud network. Cisco's Cloud Services Router (CSR1000V) is Cisco's first virtual IOS-XE router.

With CSR1000V in their AWS cloud, customers can converge their on-prem network with their AWS cloud network. Below are some of the CSR1000V use cases for on-prem-cloud network convergence that are included in this test drive. More use cases will follow in subsequent test drives:

Branch-Office, Campus, and Data Center VPN Aggregation: Without the CSR1000V, branch offices, campus sites, and remote workers have to connect through the enterprise's data center in order to get to the enterprise's apps in the AWS cloud. With the CSR in the enterprise's VPC in the AWS cloud, branch offices, campus sites, and remote workers can connect directly to the enterprise's apps in the AWS cloud using the public Internet. This reduces latency, eliminates expensive private WAN links, and enables route-based VPN topologies. You can choose from a wide variety of VPN technologies supported on the CSR 1000V, including point-to-point IP Security (IPsec), FlexVPN, Dynamic Multipoint VPN (DMVPN), and EasyVPN. Familiar Cisco IOS XE VPN configuration allows IT staff to quickly integrate an Amazon AWS VPC into existing enterprise VPN topologies.

Secure Inter-VPC Connectivity: Larger AWS customers have multiple VPCs in the AWS cloud, and they would like to make these VPCs an integral part of their on-prem enterprise network. By deploying a Cisco CSR 1000V instance in a VPC in each region and interconnecting them through VPN, larger AWS customers can create and secure a global network topology that converges their on-prem network with their multiple VPCs in AWS.

Branch-Office to AWS and Inter-Application Security: The Cisco CSR 1000V includes advanced Cisco IOS XE Software security, including access control lists (ACLs) and the stateful Zone-Based Firewall (ZBFW). It extends enterprise security policies into the Amazon cloud using a familiar platform and configuration syntax. These features may be used to apply security between virtual networks within Amazon AWS, or between Amazon AWS and external locations.

Application Performance Monitoring and Control: Application Visibility and Control (AVC) is a Cisco IOS XE feature that allows the CSR 1000V to identify and classify thousands of different applications, reporting key performance metrics for each. Once traffic is classified, quality-of-service (QoS) policies can be used to prioritize or block specific applications. AVC data collected from Amazon AWS and external locations can be used to pinpoint application performance degradation.

Lab Description

The purpose of this lab is to experiment with certain elements of the CSR 1000v through step-by-step exercises, although you are free to use the lab as you wish. It is ideal for self-paced training for Amazon customers. In the next sections, we are going to configure "IPsec VPN between CSR1000V in AWS VPC to another VPC or to a private Data center".

If this is the first time you configure the CSR1000v, it is recommended that you watch the CSR1000v AWS installation video (link) first before you attempt these labs.

Lab Login Information

To start the lab, go to https://csrtestdrive.com/. After you register and sign in, you should see a screen similar to the figure below (figure 1).

Figure 1

Click on the "Try it Now" button to start, and on the next screen, click the "launch" button. Then follow the lab wizard. It takes about three minutes to set up the lab, including the AWS VPC configuration and CSR1000v router bring-up.

The next screen will display the IP addresses of your VPC and CSR1000v. Keep the IP addresses saved; you will need them to perform the labs described in the following sections. A copy of the IP addresses and the key pair is sent to your email address. Note: you need to wait about two minutes before you can ping or SSH to the routers; usually the routers will still be booting even after the IP addresses are assigned from the Amazon AWS VPC.

Lab Topology and IP addressing

In this lab, you are going to configure an IPsec site-to-site VPN between two AWS VPCs using CSR1000V. You may use the same configuration to connect a CSR1000V (in an AWS VPC) to a Cisco IOS router, a Cisco ASA, or another brand of router/firewall you have in your private data center.

The figure below describes the lab topology that you are going to use. There are two VPCs created for you. Each VPC has one CSR1000 and one Linux server. The Linux server has one interface with a private IP address (see figure 2 for IP address assignment). The CSR1000 will act as the default gateway for the Linux machine. The CSR1000 will have two interfaces; interface Gigabit1 is connected to the Linux machine through the same subnet, and interface Gigabit2 is connected to the Amazon Internet gateway. We pre-configured the Amazon gateway to map the Amazon elastic IP address to the CSR1000 Gigabit2 interface.

Figure 2

Table 1: IP address assignment

Hostname            IP address       Notes

VPC-1
  CSR1-int1         10.1.1.10/24     This IP address is assigned to interface GigabitEthernet 1 and it is mapped to Amazon elastic (public) IP addr 54.X.X.X.
  CSR1-int2         10.1.2.10/24     You are going to assign this IP address to interface GigabitEthernet 2. This IP address will be the default gateway for Linux server 1.
  Linux server 1    10.1.1.11/24
  Login Credentials                  Username: cisco   Password: cisco123

VPC-2
  CSR2-int1         10.2.3.10/24     This IP address is assigned to interface GigabitEthernet 1 and it is mapped to Amazon elastic (public) IP addr 54.X.X.X.
  CSR2-int2         10.2.4.10/24     (Public Subnet) You are going to assign this IP address to interface GigabitEthernet 2. This IP address will be the default gateway for Linux server 2.
  Linux server 2    10.2.3.11/24
  Login Credentials                  Username: cisco   Password: cisco123

Lab Details: Configure IPsec site-to-site VPN

Here is a summary of how to configure IPsec and perform this lab:

1. Login to the CSR1000v router
   a. Configure it with the IP addresses mentioned
2. Activate the demo license
   a. To enable all the features and all the CLI commands required
3. Configure ISAKMP (ISAKMP Phase 1) on the CSR routers (CSRRouter1 and CSRRouter2)
   o ISAKMP security settings with AES encryption
   o Pre-shared key for authentication
4. Configure IPsec (ISAKMP Phase 2, ACLs, crypto map) on the CSR routers (CSRRouter1 and CSRRouter2)
   o Create an access-list (ACL) to define what traffic is and is not encrypted between the two routers
   o Create an IPsec transform set to set the IPsec encryption settings
   o Create a crypto map to bring the policy, key, transform set, and access-list all together
   o Apply the crypto map to the public interface
5. Login to the Linux servers (linux1 and linux2) and verify connectivity through ping

Let's cover the steps in detail:

1) Login to CSR1000v Router (CSR1)

Step 1 Download the key pair to use for authentication when you SSH to your CSR1000V instance. If you are a Mac or Linux user, you need to change the file mode to 600. The key pair is located at https://s3-us-west-2.amazonaws.com/csrkey/CSRRouterKey.pem

Step 2 Open your SSH client (for example, PuTTY on Windows or Terminal on Macintosh) to access the CSR 1000V console. Type: ssh -i <keypair filename path> ec2-user@<CSR1 public IP address>

Username: ec2-user
CSR1 public IP address: a copy of the IP address is sent to your email.

Note: If you are using Mac or Linux, you may need to change the key pair file permissions by typing "chmod 600 CSRRouterKey.pem".

Step 3 Change the hostname to CSR1 by typing "configure terminal", then "hostname CSR1", then "end".

Step 4 Check the IP address for interface Gi1. It should be 10.1.2.10 (based on Figure 2 or Table 1). Type "show ip interface brief" and "show run interface gi1".

Step 5 Configure the IP address for interface Gi2. It should be 10.1.1.10 (based on Figure 2 or Table 1). Type "configure terminal", "interface gi2", "ip address 10.1.1.10 255.255.255.0", "no shut", "end". Once you finish the configuration, type "show ip interface brief" and "show run interface gi2" to verify that your configuration got applied.

Step 6 Verify that the CSR has the routing table configured correctly by typing "show ip route". The CSR is configured correctly if the default route points to 10.1.2.1, which is the Amazon default gateway for the subnet.

Step 7 Now ping the Linux server that is sitting on the same subnet (10.1.1.11).

Step 8 Repeat the same steps for the second router (CSR-Router-2).

2) Activate the demo license to enable all CSR features

Step 9 When you first install the Cisco CSR 1000V, the CSR1000v will have all the interface ports up and active. However, you will have limited features and limited throughput (2.5Mbps). You need to install a license to enable the features that you want to configure (such as VPN). If you plan to use the CSR just for evaluation or lab use, you can use the demo license that comes built in inside the router. The demo license is valid for 60 days, and it will make all the features available to you with 50Mbps throughput.

In this step, you are going to enable the evaluation license with the feature package 'Premium'. Go to CSR1, type "configure terminal", "license boot level premium", accept the EULA agreement, save the configuration, and then reload the router for the evaluation license to take effect.

Step 10 Repeat the previous step for CSR2.

Note: you will lose SSH connectivity with the CSR routers while they are reloading. Give it a couple of minutes (usually 3-4 minutes) and SSH to the routers again. They should be up. If your SSH connection times out, this means that the router is still rebooting. Just reconnect again.

3) Configure ISAKMP (IKE) - (ISAKMP Phase 1)

Step 11 Let's go to CSR1 and enable terminal monitor on the current SSH session, so that log messages are displayed there. By default, Cisco IOS does not send log messages to a terminal session over IP, that is, telnet or SSH connections don't get log messages.

Step 12 Let's go to CSR1 and configure an ISAKMP Phase 1 policy. IKE must negotiate an SA (an ISAKMP SA) with the peer.

The above commands define the following (in listed order):

AES - The encryption method to be used for Phase 1.
MD5 - The hashing algorithm.
Pre-share - Use a pre-shared key as the authentication method.
Group 2 - The Diffie-Hellman group to be used.
86400 - Session key lifetime. Expressed in either kilobytes (after x amount of traffic, change the key) or seconds. The value set is the default value.

Step 13 Configure the pre-shared key

Next you are going to define a pre-shared key for authentication with our peer (the CSR2 router) by using the following command:

The peer's pre-shared key is set to ciscoaws and the peer address is the CSR2 public IP address (the CSR2 public IP address is mentioned in figure 2, and a copy of the IP address is also sent to your email). Every time CSR1 tries to establish a VPN tunnel with CSR2 (public IP), this pre-shared key will be used.

4) Configure IPsec - (ISAKMP Phase 2, ACL, Crypto-map)

Step 14 Create ACL

The next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.1.1.0/24 to 10.2.3.0/24 (Linux server 1 network to Linux server 2 network). Access-lists that define VPN traffic are sometimes called crypto access-lists or interesting traffic access-lists.

Step 15 Create IPsec Transform Set (ISAKMP Phase 2 policy)

The next step is to create the transform set used to protect our data. We've named this TS:

The above command defines the following:

- ESP-AES - Encryption method
- MD5 - Hashing algorithm

Step 16 Create Crypto Map

The crypto map is the last step of our setup and connects the previously defined ISAKMP and IPsec configuration together:

We've named our crypto map cmap. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (the CSR2 public IP address), it is possible to have multiple peers within a given crypto map.

Step 17 Apply Crypto Map to the Public Interface

The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is GigabitEthernet1.

As soon as we apply the crypto map on the interface, you should receive a message from the CSR1000v router that confirms ISAKMP is on: "ISAKMP is ON". Note that you can assign only one crypto map to an interface.

At this point, we have completed the IPsec VPN configuration on the Site 1 router.

Step 18 We now move to the CSR2 router to complete the VPN configuration. The settings for CSR2 are identical, with the only difference being the peer IP addresses and access lists:

Step 19 Verify that the VPN tunnel is up

At this point, we've completed our configuration and the VPN tunnel is ready to be brought up. Note: The encrypted tunnel is formed when the first packet is sent that matches the ACL. To initiate the VPN tunnel, we will force one packet to traverse the VPN, and this can be achieved by pinging from one router to the other:

The first ping or two receive a timeout, but the rest receive a reply, as expected. The time required to bring up the VPN tunnel is sometimes slightly more than 2 seconds, causing the first two pings to time out.

To verify the VPN tunnel, use the show crypto session command:
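The IOS XE configuration that Steps 12 through 19 describe, written out here as an added example reconstructed from the text above (it is not the lab's own screenshot content). It assumes the interface roles used in Steps 4 to 17 (Gi1 on the public subnet with the crypto map, Gi2 on the Linux server subnet), an ACL named VPN-TRAFFIC and sequence number 10 for the policy and crypto map, none of which the lab states; <CSR1-public-IP> and <CSR2-public-IP> stand for the 54.X.X.X elastic IPs from your email.

```cisco
! ---- CSR1 (VPC-1), configuration mode ----
! Phase 1 (ISAKMP) policy: AES, MD5, pre-shared key, DH group 2, 86400 s lifetime.
! Policy number 10 is an assumption. MD5 and group 2 are what the lab specifies;
! for anything beyond a lab, prefer a SHA-2 hash and DH group 14 or stronger.
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key "ciscoaws" bound to the peer's public (elastic) IP address.
crypto isakmp key ciscoaws address <CSR2-public-IP>
!
! Crypto ACL ("interesting traffic"): Linux server 1 subnet to Linux server 2 subnet.
! The name VPN-TRAFFIC is an assumption. Anything not matched here leaves in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.3.0 0.0.0.255
!
! Phase 2 transform set TS: ESP with AES encryption and MD5 HMAC integrity.
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
! Crypto map cmap ties peer, transform set and ACL together (ipsec-isakmp: keys via IKE).
crypto map cmap 10 ipsec-isakmp
 set peer <CSR2-public-IP>
 set transform-set TS
 match address VPN-TRAFFIC
!
! Apply to the public-facing interface; the router logs "ISAKMP is ON" here.
interface GigabitEthernet1
 crypto map cmap
!
! ---- CSR2 (VPC-2): identical except for the peer address and the ACL direction ----
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ciscoaws address <CSR1-public-IP>
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.3.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set TS esp-aes esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
 set peer <CSR1-public-IP>
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet1
 crypto map cmap
!
! ---- Verification from CSR1 (exec mode) ----
! The ping must be sourced from the Gi2 address so that it matches VPN-TRAFFIC;
! a plain "ping 10.2.3.10" is sourced from Gi1 (10.1.2.10), misses the ACL and
! never triggers IKE. Expect the first one or two replies to time out while IKE
! and IPsec negotiate, then "show crypto session" should report the session UP-ACTIVE.
ping 10.2.3.10 source 10.1.1.10
show crypto session
show crypto ipsec sa
```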

5) Login to the Linux Servers

Step 20 From CSR2, login to Linux server 2 by typing "ssh -l cisco 10.2.3.11". The password is cisco123.

Step 21 As the final step, you can ping from linux 2 to linux 1. Your traffic will go through the VPN tunnel created on CSR2 and CSR1.

Congratulations, now you have completed the lab.

Resources

For more information on CSR1000V, please check the following links:

1) Product introduction video
2) CSR 1000V AWS Installation Video
3) CSR 1000V Documentation
4) CSR 1000V Home Page
5) CSR 1000V AWS deployment Guide
6) CSR 1000V Technical whitepaper for AWS Use Cases
7) CSR AWS BYOL page
8) CSR AWS Hourly page
9) CSR Free Community Support Portal
10) CSR Customer testimonial