
#CLMEL

Extending Enterprise Network into Public Cloud with Cisco CSR1000v
Travis Carlson, Product Manager
BRKARC-2749

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKARC-2749

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• State of the Public Cloud
• AWS/Azure/GCP Overview
• CSR1000V Introduction
• Cisco solutions for AWS/Azure/GCP
• Advanced Deployment
• Summary

State of the Public Cloud
It’s a multicloud world

85%: Evaluating or using public cloud
87%: Taken steps towards a hybrid cloud strategy
94%: Plan to use multiple clouds (among cloud users)
Source: IDC CloudView, April, 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
Organizations leverage almost 5 clouds on average
AWS Leads but Azure grows faster

Advantages of using Public Cloud
• Applications or Workload Scalability: scale-up and scale-down
• High availability: Regions and Availability Zones
• Cost effectiveness: pay-as-you-go, per-minute and per-second billing options
• Application agility
(Diagram: Customers, Employees and Partners reaching Applications or Workload running in the Public Cloud and in the Data Center)
Cloud Connectivity Challenges
• Complexity & Dependency: need a simple and scalable way to securely extend the private network across multicloud environments
• Inconsistent security policies between private & public: need to apply consistent security policies
• Performance and ambiguity for the best path to reach the cloud: need to enhance the application experience
(Diagram: Cloud Connect linking Users, On-Prem Datacenters and Remote Branches to Applications in the Public Cloud)
Interconnect Multiple Clouds
(Diagram: DC and DR-DC linked to multiple clouds through Cloud Connect)
AWS/Azure/GCP Overview
Each Cloud Provider offers virtual private networks for your VMs and cloud resources

Columns: AWS Virtual Private Cloud (VPC) | Azure Virtual Network (VNet) | GCP Virtual Private Cloud (VPC)
Scope: Region | Region | Global (a single VPC can span multiple regions)
Geography & Regions, Level 1: Region | Region | Region
Geography & Regions, Level 2: Availability Zones | Availability Zones | Zone
Geography & Regions, Level 3: - | Availability Sets | -
Connecting VPC/VNets: Peering | Peering | Peering
VPC/VNet CIDR: User Defined | User Defined | No CIDR defined for VPC
Subnet CIDR: Derived from VPC CIDR | Derived from VNet CIDR | User Defined
Security: Network ACLs, Security Groups | Network ACLs, Network Security Group | Firewall
Virtual Private Cloud (VPC) Concepts
• A VPC is isolated from others’ environments.
• VPCs’ IP ranges (RFC 1918) can overlap.
• IGW (Internet Gateway) provides external access.
• Granular subnets can be created in a VPC.
• A Route Table can be associated to subnets.
• UDR (User Defined Route) can be added to the route table.
• Routes more specific than the VPC CIDR (e.g. 10.2.2.0/24 inside 10.2.0.0/16) can’t be added (not allowed).
• Security options: Network ACLs protect subnets; Security Groups protect instances.
• EIP to EIP communication goes through the Cloud Provider’s backbone.

Route table shown on the slide (destination → next hop):
10.2.0.0/16 → local
0.0.0.0/0 → IGW
10.2.2.0/24 → XXX (not allowed)

(Diagram: VPC "James Bond", CIDR 10.2.0.0/16, with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24 behind an Internet Gateway; instance WebApp1 at IP 10.2.1.25 with Elastic IP mapping 54.32.54.32 – 10.2.1.25)
Virtual Network (VNet) Basic Concepts
• A VNet logically isolates a network’s own IP range, routes, security policies, etc.
• Each subnet created is automatically assigned a route table that contains system routes: Local VNet rule, On-prem rule and Internet rule.
• System routes can be overwritten by User Defined Routes.
• Public IP NAT or Overload NAT for outbound traffic (no true public IPs).
• No L2 Broadcast/Multicast capability either.
• GRE packets are blocked within Azure.
• All VNet subnets ALWAYS have a route to all other VNet subnets!
(Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24; the Azure system route table routes within the VNet)
Google Cloud VPCs are global, subnets are regional
(Diagram: James’ VPC spanning us-east-1 (zones us-east-1a, us-east-1b) with Subnet1 10.0.0.0/24 and us-west-1 (zones us-west-1a, us-west-1b) with Subnet2 10.0.1.0/24, reaching the Internet through the Default Internet GW)

Route table shown on the slide (destination → next hop):
10.0.0.0/24 → Virtual network
10.0.1.0/24 → Virtual network
0.0.0.0/0 → Default Internet GW
Networking limitations for the public cloud
Limitations:
• No L2 Multicast
• No L2 Broadcast
• GRE
• MTU Limitations
• Support for Jumbo Frames
Affected Services:
• IGPs
• HSRP/VRRP
• GLBP
• BFD
• L2TPv3
• OTV
• 802.1Q VLAN
• AppNav
• WCCP
• Proxy ARP, Gratuitous ARP > LISP VM Mobility
Native options for routing
Columns: AWS Virtual Private Gateway (VGW) | Azure VPN Gateway | GCP Cloud Router
Transitive Routing: No | No | No
Performance: 1.25G | 1.25G | 1.7G
Tunnels: 10 | 30 | 128 (across multiple routers)
Scale (BGP advertised routes per route table): 100 | 400 | 200 (100 regional, 100 global)
HA: Yes | Yes | Yes
Visibility: VPC flowlog | NSG flowlog | VPC flowlog
Overlap IP address: No | No | No
Routing and VPN: S2S; IPSEC (IKEv1); Static, BGP | S2S, P2S; IPSEC (IKEv1, v2); Static, BGP | S2S; IPSEC (IKEv1, v2); Static, BGP
Routing Control: No | No | No
Policy: SG | SG | SG
CLI Access: No | No | No
Orchestration: AWS Dashboard | Azure Dashboard | GCP Dashboard
Programmability: Restful, SDK | Restful, SDK | Restful, SDK
VGW (Virtual Private Gateway)
• VGW is an easy to use VPN service provided by AWS.
• IPSEC VPN with pre-shared key, IKEv1 only. IPSEC responder only, not initiator.
• Static route. BGP routing is preferred (honors as-path prepend).
• 1.25 Gbps IPSEC throughput
• Two end-points/tunnels for high availability
• CGW (Customer Gateway) is needed to establish an IPSEC VPN.
• Route propagation enabled per route table
• VGW is also used in DX (Direct Connect):
  - BGP routing
  - No encryption
  - Up to 10Gbps
VGW Limitations
• No ECMP (BGP multipath), active/standby tunnels
• Maximum 100 BGP learned routes
• No overlapping CIDR blocks.
• IPSEC VPN can’t be established between two VGWs
• No visibility and hard to troubleshoot
• No BFD support, convergence time relies on BGP timers
(Diagram: Corporate DC 10.0.0.0 connected over the Internet to a Development Account with VPCs in us-west-1 and us-east-1 using 192.168.0.0 and 10.1.0.0; annotations "192.168.0.0" and ">100 routes")
Peering on AWS, Azure, and GCP
• High bandwidth VPC to VPC or VNet to VNet interconnection
• Share Private IP CIDR blocks between the VPCs or VNets
• Peering can be created within the same account or across different accounts
• Peering connections can be across regions
• MTU 1500 Bytes
Peering Limitations
• No overlapping CIDR blocks
• No transitive peering
• Services can’t be extended through peering
• Limited number of peering connections per VPC/VNet

Ref: https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html#vpc-peering-limitations
Dedicated Circuits are available to provide connectivity between on-prem and the cloud
Columns: AWS Direct Connect | Azure Express Route | GCP Cloud Interconnect
Speeds: 1 Gbps, 10 Gbps | 50, 100, 200 & 500 Mbps; 1, 2, 5 & 10 Gbps | 10 Gbps
Alternatives: sub-1G connections available via partners | n/a | sub-10G connections available via partners
Geographic Scope: Region | Region; Global Reach Add-On | Global
Bandwidth Pricing: Per Direct Connect | Per Express Route | Per Cloud Interconnect and VLAN Attachment
Inbound Pricing: free | free | free
Outbound Pricing: $/GB | $/GB | $/GB
Direct Connect and VPN Backup
• Route selection priority: static > DX > VPN
• DX is always preferred regardless of AS path prepending
• Automatic failover to one level down if a failure happens.
• Complex to add granular control for APP path selection

Route table shown on the slide (destination → next hop):
0.0.0.0/0 → IGW
192.168.0.0/16 → VGW (DX)

(Diagram: Corporate DC 192.168.0.0 with an ISR/ASR reaching the VPC over two paths: the Internet (VPN) and a Partner / Direct Connect path through the Carrier Network and Co-location: customer router → DX router → DX GW)
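The route-table rules stated on this slide and on the VPC Concepts slide (longest prefix first; for an equal prefix, static > DX > VPN with AS path prepending ignored; a route inside the VPC CIDR is rejected) can be written down as a small model that also plays through the failover one level down when the DX routes are withdrawn. The Python below is an added example for this page, not code from the deck or from Cisco or AWS; the class and function names, gateway identifiers and addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Tie-break order between routes for the same prefix, following the slide
# (static > DX > VPN). The VPC's own "local" route comes first because a
# user route can never override it.
ORIGIN_PRIORITY = {"local": 0, "static": 1, "dx": 2, "vpn": 3}


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str           # constructed gateway names, e.g. "igw-example"
    origin: str           # key of ORIGIN_PRIORITY
    as_path_len: int = 0  # carried for BGP-learned routes, never compared


class VpcRouteTable:
    """Subnet route table model: longest prefix wins, then origin priority."""

    def __init__(self, vpc_cidr: str) -> None:
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        # The local route for the VPC CIDR exists implicitly.
        self.routes: List[Route] = [Route(self.vpc_cidr, "local", "local")]

    def add(self, destination: str, target: str, origin: str, as_path_len: int = 0) -> Route:
        dest = ipaddress.ip_network(destination)
        if origin not in ORIGIN_PRIORITY or origin == "local":
            raise ValueError(f"unknown route origin {origin!r}")
        # Rule from the VPC Concepts slide: nothing more specific than (or equal
        # to) the VPC CIDR may be added; intra-VPC traffic always stays local.
        if dest.subnet_of(self.vpc_cidr):
            raise ValueError(f"{dest} lies within VPC CIDR {self.vpc_cidr}; not allowed")
        route = Route(dest, target, origin, as_path_len)
        self.routes.append(route)
        return route

    def withdraw(self, origin: str) -> int:
        """Drop every route of one origin, e.g. when the DX BGP session goes down."""
        before = len(self.routes)
        self.routes = [r for r in self.routes if r.origin != origin]
        return before - len(self.routes)

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if addr in r.destination]
        if not candidates:
            return None
        # Longest prefix first, then the slide's origin order. The AS path
        # length is deliberately not part of the key, so DX beats VPN even
        # when the DX path has been prepended.
        return min(candidates,
                   key=lambda r: (-r.destination.prefixlen, ORIGIN_PRIORITY[r.origin]))


def build_example_table() -> VpcRouteTable:
    """Constructed table matching the slide: default to the IGW, the corporate
    prefix learned over both DX and the VPN, with the DX path prepended."""
    rt = VpcRouteTable("10.2.0.0/16")
    rt.add("0.0.0.0/0", "igw-example", "static")
    rt.add("192.168.0.0/16", "vgw-example (DX)", "dx", as_path_len=5)
    rt.add("192.168.0.0/16", "vgw-example (VPN)", "vpn", as_path_len=1)
    return rt


def path_for(rt: VpcRouteTable, ip: str) -> str:
    """Origin of the route an address would take, or 'none'."""
    route = rt.lookup(ip)
    return route.origin if route else "none"


if __name__ == "__main__":
    rt = build_example_table()
    print("10.2.2.7    ->", rt.lookup("10.2.2.7").target)  # local
    print("192.168.5.5 ->", path_for(rt, "192.168.5.5"))   # dx, despite prepending
    rt.withdraw("dx")                                      # DX circuit lost
    print("192.168.5.5 ->", path_for(rt, "192.168.5.5"))   # vpn, one level down
    try:
        rt.add("10.2.2.0/24", "eni-example", "static")
    except ValueError as err:
        print("rejected:", err)
```

The `withdraw` step stands in for BGP withdrawing the DX-learned prefix; once it is gone, the same lookup falls to the VPN route, and adding a static route for the prefix afterwards takes precedence over both, which is the ordering the slide states.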
AWS Transit Gateway
• Connect multiple VPCs at scale
• Significant scale & performance improvements over VGW
• Support multiple accounts in a single region
• Manage via AWS console, CLI, & SDKs
• Pricing based on attachment and GB of data processed
CSR1000V Introduction
Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a virtual network function form-factor

Software: same IOS XE software as the ASR1000 and ISR4000
Infrastructure agnostic: runs on x86 platforms
Supported Hypervisors: VMware ESXi, RHEL Linux KVM, Suse Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100
Supported Cloud Platforms: Amazon Web Services, Microsoft Azure, Google Cloud Platform
Performance Elasticity: available licenses range from 10 Mbps to 10 Gbps; CPU footprint ranges from 1 vCPU to 8 vCPU
Programmability: NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet
License Options: term based, 1 year, 3 year or 5 year
(Diagram: CSR 1000V and application VMs (App/OS) on a Virtual Switch over a Hypervisor on a Server)

Enterprise-class networking with rapid deployment and flexibility
CSR availability on multiple clouds
• AWS Commercial
• AWS GovCloud
• AWS C2S
• AWS China
• Azure Commercial
• Azure GovCloud
• Azure China
• Google Commercial
Under consideration
CSR licensing options on multiple clouds
Columns: private cloud | AWS/Azure | GCP
BYOL (Bring Your Own License), features as licensed (IP-Base, SEC, APPX or AX): performance gated by license | performance gated by the smaller of license or instance size | BYOL in July CY18
PAYG (Pay As You Go), choice of AX or SEC: - | performance gated by instance size only | Roadmap

IP-Base:
• Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-L, QoS, BFD
• Multicast: IGMP, PIM
• High Availability: HSRP, VRRP, GLBP
• Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
• Basic Security: ACL, AAA, RADIUS, TACACS+, SGT/TrustSec, VASI
• Management: CLI, SSH, NetFlow, SNMP, EEM, NETCONF

APPX, Base plus:
• Advanced Networking: L2TPv3, MPLS, L3 VXLAN
• Unified Communications: CUBE-ENT
• App Experience: WCCP, AppNav, NBAR2, IPSLA
• Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS
• Subscriber Management: PTA, LNS, ISG

SEC, Base plus:
• Adv Security: ZBF, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN
• High Availability: Box-to-box HA for FW and NAT

AX: all features

Features in red on the slide will not work in AWS, Azure, and GCP: a limitation of the public cloud infrastructure (lack of L2 support, multicast not supported).
What are the different CSR 1000V types listed?
The slide shows three marketplace listings side by side.

First listing:
1. Cloud Services Router 1000V BYOL
   • BYOL
2. Cisco Cloud Services Router (CSR) 1000v - Transit Network VPC – BYOL
   • BYOL, Transit VPC Cloud Formation Template
3. Cloud Services Router 1000V Security Tech Package
   • PAYG
4. Cloud Services Router 1000V AX Tech Package
   • PAYG
5. Cloud Services Router 1000V All CSR TVPC
   • BYOL

Second listing:
1. Cisco CSR 1000v - XE 16.x 2, 4, or 8 NICs
   • BYOL & PAYG
2. Cisco CSR 1000v – All CSR TVNET with DMVPN Launcher
   • BYOL version

Third listing:
1. Cloud Services Router 1000V BYOL
   • BYOL version
Network Driver Matters!
(Diagram: three Compute Host data paths for the virtual machine's NIC, compared for performance: a kernel driver with QEMU, a Tap Device and OVS / LB in kernel space; a virtqueue/QEMU front end with a user space switch (vswitch); and a virtqueue/QEMU front end with a user-space DPDK vswitch; each path ends at eth1)
Cisco CSR 1000V Performance on Public Clouds
IOS-XE 16.10.1 release, large packet, with Intel Meltdown and Spectre fix.

AWS (Enhanced Networking): Size | CEF (Mbps) | IPSEC (Mbps)
T2.medium | 450 | 200
C4.large | 650 | 650
C4.xlarge | 850 | 850
C4.2xlarge | 2300 | 2300
C4.4xlarge | 4600 | 4200
C4.8xlarge | 6200 | 4500
C5.large | 5200 | 2300
C5.xlarge | 6100 | 2800
C5.2xlarge | 8100 | 5000
C5.4xlarge | 12300 | 8200
C5.9xlarge | 13600 | 8900

Azure (with Accelerated Networking): Size | CEF (Mbps) | IPSEC (Mbps)
D2_v2 | 1300 | 900
DS2_v2 | 1300 | 900
D3_v2 | 2700 | 2000
DS3_v2 | 2700 | 2000
D4_v2 | 4700 | 4400
DS4_v2 | 4700 | 4400

GCP: Size | CEF (Mbps) | IPSEC (Mbps)
N1-standard-1 | 1850 | 1100
N1-standard-2 | 3700 | 1250
N1-standard-4 | 7450 | 2000
N1-standard-8 | 7850 | 3800
CSR Scale (across all public and private clouds)
IOS-XE 16.9.1

Feature | Scale
IPSEC tunnels | 8,000
VRF | 4000
NAT | 512,000
BGP routes | 400,000
BFD | 500
IPSLA | 10,000
ACE (ACL Entries) | 65,000
Comparison
Columns: Cisco CSR 1000v | AWS VGW | Azure VPN Gateway | GCP Cloud Router
Type of Router: Enterprise Grade | Simple VPC Conn | Simple VPC Conn | Simple VPC Conn
Transitive Routing: Yes | No | No | No
Performance: 5G | 1.25G | 1.25G | 1.7G
Tunnels: 1,000 | 10 | 30 | 128 (across multiple routers)
Scale (BGP advertised routes per route table): 400,000 | 100 | 400 | 200 (100 regional, 100 global)
HA: Yes | Yes | Yes | Yes
Visibility: AVC, NBAR, Netflow | VPC flowlog | NSG flowlog | VPC flowlog
Overlap IP address: Yes | No | No | No
Routing and VPN: IPSEC (IKEv1, v2), DMVPN, FlexVPN, GetVPN, SSL VPN, MPLS; BGP, EIGRP, OSPF, ISIS | S2S; IPSEC (IKEv1); Static, BGP | S2S, P2S; IPSEC (IKEv1, v2); Static, BGP | S2S; IPSEC (IKEv1, v2); Static, BGP
Routing Control: Yes | No | No | No
Policy: VRF, QoS, TrustSec, ACL | SG | SG | SG
CLI Access: Yes | No | No | No
Orchestration: AWS Cloud Formation, Azure Resource Template | AWS Dashboard | Azure Dashboard | GCP Dashboard
Programmability: Netconf, Restconf | Restful, SDK | Restful, SDK | Restful, SDK
Cisco solutions for AWS/Azure/GCP
Two deployment models

Application VPC Gateway:
• CSR deployed in the application VPC
• Provides an IPSEC gateway for the entire VPC
• Needs high availability

Transit Hub Router:
• CSR deployed in a dedicated Transit Hub, not in the application VPC
• High speed traffic routing for spoke VPCs
• High availability is built-in natively
(Diagram: Application VPC with CSRs in AZ1 and AZ2; Transit Hub VPC serving spoke VPCs)
CSR 1000V Routing High Availability on Cloud
• No virtual IP as with HSRP, since the Cloud Provider doesn’t allow multicast or broadcast.
• BFD over a GRE tunnel is enabled between the two CSRs to detect failure.
• Failure detection is automatic.
• Route Tables for app subnets are re-pointed to the surviving CSR.
• The CSR itself calls the Cloud Provider’s REST API to shift Route Table routes.
(Diagram: VPC with App Subnet A and App Subnet B, CSR1 in CSR Subnet1 and CSR2 in CSR Subnet2 with BFD between them, an IGW, and the Cloud REST API; shown before and after HA failover)
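The failover step described above (BFD reports the peer down, the surviving CSR rewrites the app-subnet route tables through the provider’s API) as an added Python model; this is not code from the deck or from Cisco. The route tables, the ENI identifiers and the `apply_route_change` callback that stands in for the REST call are constructed for the example, as are the function names.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed identifiers for the two CSRs' VPC-facing interfaces.
CSR1_ENI = "eni-csr1-example"
CSR2_ENI = "eni-csr2-example"

RouteChange = Tuple[str, str, str]  # (route table id, destination, new target)


@dataclass
class RouteTable:
    rt_id: str
    routes: Dict[str, str] = field(default_factory=dict)  # destination -> target


def build_example_tables() -> Dict[str, RouteTable]:
    """Constructed app-subnet route tables: each AZ's app subnet defaults to
    the CSR in its own AZ, as in the slide's 'before' picture."""
    return {
        "rtb-app-a": RouteTable("rtb-app-a", {"10.2.0.0/16": "local", "0.0.0.0/0": CSR1_ENI}),
        "rtb-app-b": RouteTable("rtb-app-b", {"10.2.0.0/16": "local", "0.0.0.0/0": CSR2_ENI}),
        # The CSR subnets point at the IGW and must never be rewritten.
        "rtb-csr": RouteTable("rtb-csr", {"10.2.0.0/16": "local", "0.0.0.0/0": "igw-example"}),
    }


def peer_has_failed(bfd_state: Dict[str, str], peer_eni: str) -> bool:
    """BFD session state for the peer, as learned over the GRE tunnel.
    Only an explicit 'down' triggers action; an unknown peer does not."""
    return bfd_state.get(peer_eni) == "down"


def plan_failover(tables: Dict[str, RouteTable], failed_eni: str,
                  surviving_eni: str) -> List[RouteChange]:
    """Every route still pointing at the failed CSR and what it should become.
    Routes already on the survivor, local routes and IGW routes are untouched,
    so running the plan a second time yields no further changes."""
    if failed_eni == surviving_eni:
        raise ValueError("a CSR cannot fail over to itself")
    return [(rt.rt_id, dest, surviving_eni)
            for rt in tables.values()
            for dest, target in sorted(rt.routes.items())
            if target == failed_eni]


def execute_failover(tables: Dict[str, RouteTable], failed_eni: str, surviving_eni: str,
                     apply_route_change: Callable[[str, str, str], None]) -> List[RouteChange]:
    """Apply the plan through the provider-API stand-in and mirror it locally."""
    changes = plan_failover(tables, failed_eni, surviving_eni)
    for rt_id, dest, target in changes:
        # In the real deployment this is the cloud REST API call that replaces
        # the route (e.g. EC2 ReplaceRoute); here it is whatever the caller passed.
        apply_route_change(rt_id, dest, target)
        tables[rt_id].routes[dest] = target
    return changes


def on_bfd_event(tables: Dict[str, RouteTable], bfd_state: Dict[str, str], self_eni: str,
                 peer_eni: str, apply_route_change: Callable[[str, str, str], None]) -> List[RouteChange]:
    """Entry point the surviving CSR would run on a BFD state change."""
    if not peer_has_failed(bfd_state, peer_eni):
        return []
    return execute_failover(tables, peer_eni, self_eni, apply_route_change)


if __name__ == "__main__":
    api_calls: List[RouteChange] = []
    tables = build_example_tables()
    # CSR2 sees BFD to CSR1 go down and re-points App Subnet A's default route.
    changed = on_bfd_event(tables, {CSR1_ENI: "down"}, CSR2_ENI, CSR1_ENI,
                           lambda *c: api_calls.append(c))
    for rt_id, dest, target in changed:
        print(f"{rt_id}: {dest} -> {target}")
    print("API calls issued:", len(api_calls))
```

Keeping the plan separate from its execution makes the change set auditable before any API call is made, and because the plan only matches routes that still point at the failed interface, a repeated BFD event or a second CSR running the same logic does not issue duplicate route replacements.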
VGW Limitations
• No ECMP (BGP multipath), active/standby tunnels
• Maximum 100 BGP learned routes
• No overlapping CIDR blocks.
• IPSEC VPN can’t be established between two VGWs
• No visibility and hard to troubleshoot
(Diagram: Corporate DC 10.0.0.0 connected over the Internet to a Development Account with VPCs in us-west-1 and us-east-1 using 192.168.0.0 and 10.1.0.0; annotations "192.168.0.0" and ">100 routes")
Work with CSR1000V
• ECMP (BGP multipath), all tunnels are active
• Maximum 400,000 BGP learned routes
• CSR NAT to support overlapping CIDR blocks.
• Direct IPSEC encryption between two VPCs
• Application visibility and control
• IOS-XE CLI access
(Diagram: Corporate DC 10.0.0.0 connected over the Internet to a Development Account with VPCs in us-west-1 and us-east-1 using 10.2.0.0 and 10.1.0.0; annotations "10.2.0.0" and "400,000 routes")
Transit VPC Design
• Dedicated VPC: simplifies routing by not combining with other shared services.
• CSR1000v Virtual Network Appliances: provide dynamic routing and VPN network tunnels
• Redundancy: dynamic routing combined with multi-AZ deployment creates a robust network infrastructure.
• VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances.
• Security services: easily layer Firewall, IPS, URL Filtering and Cisco ETA (Encrypted Traffic Analysis)
Transit VNET with Dynamic VPN Overlay
Across regions, accounts/subscriptions
• Dedicated VNET: simplifies routing by not combining with other shared services.
• Spoke to Spoke: any to any communication with higher throughput.
• CSR1000v Virtual Network Appliances: provide dynamic routing overlays for VPN IPSec tunnels
• VPN Connection: guarantees a secured connection across regions
• Redundancy: dynamic routing combined with multi-AZ deployment creates a robust network infrastructure.
• Automation: fully automated with Azure Resource Template, Azure Function and Guest shell
(Diagram: Spoke VNETs A, B, C ... connected through a Dynamic VPN Overlay to a Transit HUB VNET with CSR1 in AZ1 and CSR2 in AZ2, which reaches the Private DC Spoke (ASR) over Express Route or Internet)
CSR Transit VNET with Dynamic VPN Overlay: Templatized Deployment
(Diagram: a Spoke Template and a HUB Template from the Azure Marketplace, together with Azure Functions and a Storage Account, deploy the Transit HUB VNET (HUB1 in AZ 1, HUB2 in AZ 2) and the Spoke VNETs (SPOKE 1, ...))
AWS: Auto-Scale
• Simplify your capacity planning with elasticity as you go
• Monitor CSR real-time throughput and spin up new CSRs on demand.
• Optimize your cost via flexible licensing options: BYOL and PAYG
• Load sharing is done through multiple tunnels to multiple CSRs in the Transit VPC
(Diagram: Spoke VPCs ... connected to CSR1, CSR2, CSR3, CSR4 in the Transit VPC, which reaches the Private DC (ASR) over DX or Internet)
Azure: Auto-Scale
• Simplify your capacity planning with elasticity as you go
• Monitor CSR real-time throughput and spin up new CSRs on demand.
• Optimize your cost via flexible licensing options: BYOL and PAYG
• Load sharing is done through multiple tunnels to multiple CSRs in the Transit VNet
(Diagram: Spoke VNETs ... connected through a Dynamic VPN Overlay to CSR1, CSR2, CSR3, CSR4 in the Transit VNet, which reaches the Private DC (ASR) over ER or Internet)
AWS TGW Integration
(Diagram: Private DC (ASR) connected over Direct Connect or Internet to CSR1 (AZ1) and CSR2 (AZ2) in the Transit VPC, which attaches to the AWS Transit Gateway serving VPCs A, B and C and Other Provider Networks)
Columns: Cisco CSR 1000v |  AWS VPN Gateway (VGW) | AWS Transit Gateway (TGW)
Type of Router: Enterprise Grade | Simple VPC Connectivity | Advanced VPC Connectivity
Transitive Routing: Yes | No | Yes* (no support for overlapping IPs)
Performance: 10G | 1.25G | 1.25G per tunnel, scales horizontally to up to 50G
Tunnels: 8,000 | 10 | 5,000
Scale (BGP advertised routes per route table): 400,000 | 100 | 10,000
HA: Yes | Yes | Yes
Visibility: AVC, NBAR, Netflow | VPC flowlog | VPC flowlog
Overlapping IP address: Yes | No | No
Routing and VPN: IPSEC (IKEv1, v2), DMVPN, FlexVPN, GetVPN, SSL VPN, MPLS; BGP, EIGRP, OSPF, ISIS | S2S; IPSEC (IKEv1); Static, BGP | S2S; IPSEC (IKEv1); Static, BGP
Direct Connect Support: Yes | Yes | No
Cloud Provider Support: AWS, Azure, and GCP | AWS | AWS
SD-WAN Capable: Yes | No | No
Segmentation: Yes | No | Yes* (limited to 20 route domains)
Multiple Regions: Yes | No | No
Control of End-to-End Encryption: Yes | Yes | No
Transit VPC Deep Dive
What’s inside of Transit VPC. I mean VPC..
• Two subnets in different AZs
• A route table associated with the two subnets
• An IGW is attached to this VPC and a default route pointing to the IGW exists in the route table.
• The CSR only has one interface (Gi1), with a default route pointing to the AWS VPC Router (first IP of that subnet)
• Direct Connect if you have it
• Attached VGW: it advertises on-prem routes to the VPC router. CSR->VPC Router->VGW->DC
• Detached VGW: it establishes IPSEC to the CSR through an EIP. CSR->VPC->IGW->VGW->DC

VPC route table (destination → next hop): 0.0.0.0 → IGW
CSR route table (destination → next hop): 0.0.0.0 → 1st IP of subnet
(Diagram: Transit VPC with CSR1 in Subnet1 and CSR2 in Subnet2 in different Availability Zones, a tunnel over the AWS backbone between them, the VPC Router, an IGW, and both a Detached VGW and an Attached VGW)
What’s outside of Transit VPC?
• S3 bucket: storage location for transit VPC config files
• KMS (Key Management Service): all data in the S3 bucket is encrypted using a solution-specific AWS KMS managed customer master key (CMK).
• VGW Tags: customer-specified opt-in tags to automatically join a spoke VPC to the transit network
• VGW Poller (Lambda function):
  - Identifies and configures VGWs to connect to the transit network (checks all regions every minute)
  - Writes new VPN connection details to an S3 bucket
• Cisco Configurator (Lambda function):
  - Pushes VPN configuration to CSR instances when config files are saved to S3
(Diagram: Spoke VPCs A, B ... ‘n’ with VGWs, the Transit VPC (AZ 1, AZ 2), Amazon S3 bucket, AWS KMS, VGW Poller, Cisco Configurator, Corporate Data Center / On-Prem Network and Other Provider Networks)
Traffic Segregation
• Traffic segregation is built-in natively
• Each Spoke VPC is represented as a different VRF in the CSR
• Routing is controlled through RT (Route Target)
• Different VPCs can communicate by exporting/importing the same RT
• Follow the same mechanism to create customized VRFs like an on-premise VRF
(Diagram: VPC-A, VPC-B and VPC-C map to VPC-A VRF, VPC-B VRF and VPC-C VRF on CSR1 and CSR2, with MP-BGP between them and an On-Premise VRF towards the Private DC)
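The route-target mechanism described above, modelled in Python as an added example for this page (not code from the deck or from Cisco): each spoke VPC is a VRF with its own route target, the on-premise VRF imports all spokes, and two spokes only see each other once both import and export a shared RT. The VRF names, route distinguishers, route targets, prefixes and function names are constructed; the rendered configuration follows IOS XE `vrf definition` syntax but is illustrative, not a tested device configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vrf:
    name: str
    rd: str                                             # route distinguisher (constructed)
    export_rt: Set[str] = field(default_factory=set)    # RTs attached to routes leaving the VRF
    import_rt: Set[str] = field(default_factory=set)    # RTs the VRF accepts from MP-BGP
    prefixes: List[str] = field(default_factory=list)   # prefixes originated in this VRF


def imported_prefixes(target: Vrf, vrfs: List[Vrf]) -> Dict[str, str]:
    """Prefixes the target VRF learns through MP-BGP: a prefix from VRF S is
    imported when S exports at least one RT that the target imports."""
    learned: Dict[str, str] = {}
    for src in vrfs:
        if src is not target and target.import_rt & src.export_rt:
            for prefix in src.prefixes:
                learned[prefix] = src.name
    return learned


def can_talk(a: Vrf, b: Vrf) -> bool:
    """Bidirectional reachability needs both directions imported."""
    return bool(a.import_rt & b.export_rt) and bool(b.import_rt & a.export_rt)


def reachability(vrfs: List[Vrf]) -> Dict[str, Set[str]]:
    """For each VRF, the set of other VRFs it can exchange traffic with."""
    return {a.name: {b.name for b in vrfs if b is not a and can_talk(a, b)} for a in vrfs}


def build_transit_vrfs() -> List[Vrf]:
    """Constructed hub-and-spoke layout from the slide: three spoke VRFs and an
    on-premise VRF. Spokes import only the on-prem RT, so they stay isolated."""
    onprem_rt = "65000:100"
    spokes = [
        Vrf("VPC-A", "65000:1", {"65000:1"}, {onprem_rt}, ["10.10.0.0/16"]),
        Vrf("VPC-B", "65000:2", {"65000:2"}, {onprem_rt}, ["10.20.0.0/16"]),
        Vrf("VPC-C", "65000:3", {"65000:3"}, {onprem_rt}, ["10.30.0.0/16"]),
    ]
    spoke_rts = {rt for s in spokes for rt in s.export_rt}
    onprem = Vrf("On-Premise", "65000:100", {onprem_rt}, spoke_rts, ["192.168.0.0/16"])
    return spokes + [onprem]


def allow_spoke_to_spoke(a: Vrf, b: Vrf, shared_rt: str) -> None:
    """The slide's 'export/import the same RT' step for two VPCs."""
    for vrf in (a, b):
        vrf.export_rt.add(shared_rt)
        vrf.import_rt.add(shared_rt)


def render_ios_xe(vrf: Vrf) -> str:
    """IOS XE style vrf definition for the model (illustrative rendering)."""
    lines = [f"vrf definition {vrf.name}", f" rd {vrf.rd}", " address-family ipv4"]
    lines += [f"  route-target export {rt}" for rt in sorted(vrf.export_rt)]
    lines += [f"  route-target import {rt}" for rt in sorted(vrf.import_rt)]
    lines.append(" exit-address-family")
    return "\n".join(lines)


if __name__ == "__main__":
    vrfs = build_transit_vrfs()
    print("isolated spokes: ", reachability(vrfs))
    allow_spoke_to_spoke(vrfs[0], vrfs[1], "65000:12")
    print("after shared RT: ", reachability(vrfs))
    print(render_ios_xe(vrfs[0]))
```

Reviewing `imported_prefixes` for each VRF is the quick way to audit what a spoke can actually reach: a prefix that shows up in a spoke VRF that should be isolated points at an RT that was exported or imported more widely than intended.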
High Availability in Transit VPC
• The spoke VGW has two tunnels with both CSRs.
• The spoke VGW doesn’t support load balancing across the two tunnels; it uses active/standby.
• It’s possible that different VGWs use different CSRs as active.
• Both CSRs forward traffic independently at the same time.
• In case of a CSR failure, the other CSR will take over all traffic.
(Diagram: Spoke VPCs A, B, C ... each with a VGW holding an active tunnel and a standby tunnel; CSR1 and CSR2 in the Transit VPC behind an IGW)
Multi Region Deployment
• Use different spoke tags so a spoke is not connected to a different region
• Use different BGP ASNs for easy troubleshooting
• Keep localized traffic in the same region
(Diagram: us-west with region1:spoke VPC and a Transit VPC (CSR1, CSR2); us-east with region2:spoke VPC and a Transit VPC (CSR3, CSR4); tunnels from each spoke to its regional Transit VPC; AWS Peering between the two Transit VPCs; each Transit VPC reaches its Private DC (ASR) over DX/ER or Internet)
Multi Region Transit VPC with DMVPN
• Direct tunnel from anywhere to anywhere
• Use different spoke tags so a spoke is not connected to a different region
(Diagram: DMVPN mesh of VPCs across us-west-1, us-east-1, eu-central-1, ap-northeast-1 and ap-southeast-1)
SD-WAN Integration
Connecting Users to the Data Center was the Priority
(Diagram: Users in Branch/Campus reach Applications in the Data Center over the WAN; Internet access is best effort)
Then the Way We Worked Changed
(Diagram: Devices & Things, Campus & Branch Users and Mobile Users reach the DC/Private Cloud over the WAN)
Applications Moving to Not One Cloud, But Many
(Diagram: Devices & Things, Campus & Branch Users and Mobile Users reach the DC/Private Cloud, SaaS and IaaS over the WAN)
Cloud OnRamp for IaaS
1. Public cloud credentials added to the vManage platform
2. vEdge Cloud / CSR instances instantiated
3. IaaS resources discovered
4. IaaS resources added and reachable via the SD-WAN overlay
(Diagram: Workloads in Public Cloud Region 1 reached from the Branch (WAN Edge) and the DC over MPLS and Internet)
• Host VPCs in one cloud account can be mapped to transit VPCs in another
• New separate workloads can be discovered and mapped to VPN segments later
Cloud OnRamp for IaaS (AWS)
• VGW for host VPCs
• Gateway VPC per region
  - Multiple for scale
• Standards-based IPSec
  - Connectivity redundancy
• BGP across IPSec tunnels for route advertisement
  - Active/active forwarding
  - BGP into OMP redistribution (not Cloud OnRamp automation)
  - Advertise default route to host VPCs
• Optional Direct Connect
Cloud OnRamp for IaaS (Azure)
• VPN Gateway for host VNets
• Gateway VNets per region
  - Multiple for scale
• Standards-based IPSec
  - Connectivity redundancy
• BGP across IPSec tunnels for route advertisement
  - Active/active forwarding
  - BGP into OMP redistribution (not Cloud OnRamp automation)
  - Advertise default route to host VNets
• Optional Express Route
SD-WAN Cloud OnRamp for CSR1000v: Coming

Advanced Deployment
ACI Anywhere: On-Prem Connectivity To AWS VPC With Direct Connect + VPN
L2 extension into Public Cloud
• Extend the same subnet into the public cloud
• VPC CIDR overlaps with the on-prem DC
• On CSR1 in the DC, configure LISP dynamic host detection under the LAN facing interface
• On CSR2 in AWS, statically configure Web-Server2 and DB-Server2 as LISP EIDs.
(Diagram: CSR2/xTR2 in AWS (Gi1 to the Internet, Gi2 to Web-Server2 and DB-Server2) and CSR1/xTR1 in the DC (Gi1 to the Internet, Gi2/Gi3 to Web-Server1 and DB-Server1) with LISP between them over the Internet; subnets 192.168.10.0/24 and 192.168.20.0/24; a Branch2 Router with a Client reaches both sites over the Internet)
Extend TrustSec into AWS Transit VPC
Simplifying Segmentation and Control
• Control traffic between VPCs
• Simplify security configurations
• Scale Security Group control
• Single control point: control access to spoke VPCs based on SGT tags and policy, with enforcement within the Transit VPC hub CSRvs

Access matrix from the slide (App 1 (VPC1) | App 2 (VPC2) | App 3 (VPC3) | fourth column, header not legible in the slide text):
Employee Tag: X | ✓ | ✓ | ✓
Developer Tag: ✓ | X | ✓ | ✓
Guest Tag: X | X | ✓ | ✓
Non-Compliant Tag: X | X | ✓ | ✓
(Diagram: Dev App 1 (VPC1), Pro App 2 (VPC2) and Test App 3 (VPC3) as spokes of the Transit VPC with CSR1 in AZ1 and CSR2 in AZ2 (Dynamic Route Peering), connected over Internet and Direct Connect to the Data Center (ASR1K) with ISE for Identity & Access Control and Policy Enforcement)
Secured DMZ by extending Transit VPC
• Routing: the CSR redirects Internet traffic to the NGFWv
• Security: NGFWv as a standalone IPS VM provides full IPS features and is easily managed through FMCv
• NAT: NGFWv acts as the NAT device. NAT/PAT supported
• Automation: one-click launch by using template and scripts
NGFWv (Next Generation FireWall Virtual), FMCv (Firepower Management Center Virtual)
Deployment Video: https://www.youtube.com/playlist?list=PLCiTBLSYkcoRREnds3OK8W19seZs5n-Vg
(Diagram: Spoke VPCs A, B, C ... with VGWs connected to CSR1 and CSR2 in the Transit VPC; Internet traffic passes through the NGFWv before the IGW; "CISCO VERIFIED" badge)
Summary
Summary and Key Takeaways
1. MultiCloud is a reality; each cloud has unique challenges and a cohesive solution is required.
2. CSR 1000V brings full Cisco IOS-XE functionalities into the public cloud.
3. As more workloads move to the cloud, CSR 1000V can provide the scale and performance that is required.
Additional Resources
Terms Used
• CSP (Cloud Service Provider)
• VPC (Virtual Private Cloud)
• CIDR (Classless Inter-Domain Routing)
• IGW (Internet Gateway)
• VGW (Virtual Private Gateway)
• DX (AWS Direct Connect)
• ER (Azure Express Route)
• IC (GCP Inter Connect)
• DMVPN (Dynamic Multipoint VPN)
• MTU (Maximum Transmission Unit)
• TGW (Transit Gateway)
• VNET (Virtual Network)
Joint Webinar with Under Armour and Adobe
• Webinar recording on Youtube: https://www.youtube.com/watch?v=aLk8ExZ14v8
• Webinar deck on Slideshare: http://www.slideshare.net/AmazonWebServices/cisco-csr-1000v-securely-extend-your-apps-to-the-cloud
Infor: How Do I Build a Global Transit Network on AWS
• AWS re:Invent 2017
• Youtube Link: https://www.youtube.com/watch?v=blzw5DFPSI4&t=2215s
• Slides: https://www.slideshare.net/AmazonWebServices/how-do-i-build-a-global-transit-network-on-aws-msc302-reinvent-2017
CSR1000V Youtube Channel

http://cs.co/csr1000v

Miercom Performance testing of CSR1000V
Miercom is a world leading independent testing and consultant provider. It provides unbiased hands-on testing, research and certification services.
• CSR1000V on private cloud platforms delivers up to 20Gbps on a single x86 server, across 3 CSRs
• CSR1000V on Amazon AWS delivers up to 5Gbps of encrypted traffic running on instance type C4.8xlarge
• Miercom tested different combinations of features enabled to determine real world performance (IPv4 Forwarding, QoS, NBAR, Firewall, IPSEC)

Cisco CSR1000V Miercom report: http://miercom.com/pdf/reports/20161111.pdf
Additional Resources

Public Documentation:
• MultiCloud Cloud Connect Design Deployment Guide for AWS Transit VPC with CSR1000V: https://www.cisco.com/c/en/us/products/collateral/routers/cloud-services-router-1000v-series/guide-c07-740270.html
• CSR 1000V Configuration Guide for AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html

AWS Mailer: ask-csr-aws-pm@cisco.com
Azure Mailer: ask-csr-azure-pm@cisco.com

Appendix
Region and Availability Zone Concepts

• VMs (Virtual Machines) are hosted in multiple data centers across the world. A region is a separate geographic area.
• VM instances have to be launched into a specific region. Locating instances close to end users can reduce latency.
• A region consists of multiple AZs (Availability Zones). Each AZ is isolated, but AZs in a region are connected through low-latency, high-bandwidth links.

Deploy CSRs in different Availability Zones, only during instance creation

[Figure: a geography (data residency boundary) containing Region 1 and Region 2, each with Zone 1, Zone 2 and Zone 3]

• Achieve full resiliency with Data Residency: Availability Zones and a paired region within the same data residency boundary provide high availability, disaster recovery, and backup.
• Protect against entire datacenter loss: each zone is physically separated with independent power, network, and cooling and logically separated through zone-isolated services.
• Run mission-critical apps with 99.99% SLA at GA: High Availability supported with industry best SLA when VMs are running in two or more Availability Zones in the same region.

Availability Set (Within same AZ)

Update Domains
Microsoft periodically updates the underlying Azure fabric that's used to host VMs to patch security vulnerabilities and improve reliability and performance. These updates, which Microsoft refers to as planned maintenance events, are often performed without any impact to guest VMs. Sometimes, however, guest VMs must be rebooted to complete an update. To reduce the impact on guest VMs, the Azure fabric is divided into Update Domains to ensure that not all guest VMs are rebooted at the same time.

Azure Fault Domains
Unplanned maintenance events are those which involve a hardware or physical failure in the fabric, such as a disk, power, or network card outage. Azure automatically fails over guest VMs to a working physical host in a different Fault Domain when an error condition is detected, again aimed at ensuring availability.

Availability set overview
An Availability Set is a logical grouping capability that you can use in Azure to ensure that the VM resources you place within it are isolated from each other when they are deployed within an Azure datacenter. It ensures your VMs are deployed across multiple Fault Domains and Update Domains.

If one AZ has multiple CSRs, deploy the CSRs in the same Availability Set, across different FDs and UDs, only during instance creation.
Direct Connect Overview
• Dedicated connection between the enterprise and AWS, low latency.
• Provides (1) private peering to VPCs and (2) public peering to AWS public services
  • Sub-interface on corporate DC router for each service
  • BGP peering for route exchange for each service
• 1G and 10G dedicated connections; sub-1G connections available via partners
• Multiple accounts can share a connection
• Multiple connections for redundancy.
• BFD for fast failure detection and failover
• No Native Encryption
• Data-in is free, data-out is cheaper (compared to Internet)

https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Direct Connect Topologies (1/2)

[Figure: two topologies, each spanning customer managed, SP managed and AWS managed segments. (a) Direct from Enterprise: Corporate DC ISR/ASR over an L2 circuit to Direct Connect, terminating on the VGW of the Virtual Private Cloud. (b) SP Managed Service: Corporate DC ISR/ASR into a Partner/Carrier network providing an L3 VPN to multiple clouds (ATT Netbond, Verizon SCI), whose SP router connects to Direct Connect and the VGW.]
Direct Connect Topologies (2/2)

[Figure: two topologies spanning customer managed, SP managed, customer managed, colo managed and AWS managed segments. (a) Direct from Co-Lo: Corporate DC ISR/ASR across the SP to a customer ISR/ASR in the Co-Lo, then Direct Connect to the VGW of the Virtual Private Cloud. (b) Co-Lo Cloud Exchange: the same path, but the Co-Lo router connects through a Cloud Exchange (which connects to multiple IaaS/SaaS) to Direct Connect and the VGW.]

Direct Connect – Public VIF

• Access AWS public-facing services, such as S3, Glacier, EC2 (EIP)
• BGP routing between customer/partner router and AWS DX router
• AWS advertises all its public prefixes. IP ranges can be found at https://ip-ranges.amazonaws.com/ip-ranges.json
• No "VGW" or "DX GW" required. No network level encryption.

[Figure: Corporate DC ISR/ASR (customer managed) through a Partner/Carrier network (SP managed) to the customer router at the co-location (customer co-lo), BGP to the Direct Connect DX router, reaching S3, Glacier and the Virtual Private Cloud (AWS managed)]
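Because the DX router advertises AWS's public prefixes over the public VIF, the routes actually received can be checked against the published ip-ranges.json before they are accepted. The following Python is an added example, not from the deck or from AWS; the JSON excerpt, the "learned" routes and the prefix-list name AWS-PUBLIC-IN are constructed for illustration.

```python
"""Added example: audit prefixes learned over a Direct Connect public VIF
against the AWS-published ip-ranges.json."""
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# the real file is fetched separately and changes often (track its syncToken).
IP_RANGES_JSON = """{
  "syncToken": "0000000000",
  "createDate": "2019-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "52.218.0.0/17", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "13.52.0.0/16",  "region": "us-west-1", "service": "EC2"},
    {"ip_prefix": "54.240.0.0/12", "region": "GLOBAL",    "service": "AMAZON"}
  ]
}"""

def expected_prefixes(json_text, services, regions=None):
    """Networks AWS publishes for the given services (optionally filtered by region)."""
    doc = json.loads(json_text)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["service"] in services and (regions is None or p["region"] in regions)]

def audit_learned_routes(learned, expected):
    """Split BGP prefixes received from the DX router into those covered by a
    published AWS range and those that are not. Anything unexpected should be
    dropped by the inbound prefix-list and is worth alerting on: the public VIF
    should only ever carry AWS-owned address space."""
    result = {"covered": [], "unexpected": []}
    for route in learned:
        net = ipaddress.ip_network(route)
        key = "covered" if any(net.subnet_of(exp) for exp in expected) else "unexpected"
        result[key].append(str(net))
    return result

def inbound_prefix_list(name, expected):
    """Render an IOS-XE style inbound prefix-list (name is an assumption) that
    permits each published range and more-specifics down to /24, then denies all."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} permit {net} le 24"
             for i, net in enumerate(sorted(expected))]
    lines.append(f"ip prefix-list {name} seq {10 * (len(lines) + 1)} deny 0.0.0.0/0 le 32")
    return lines

# Constructed routes "learned" from the DX router: two S3-shaped ranges and one
# RFC 5737 test prefix that is not AWS space.
LEARNED = ["52.218.0.0/17", "52.92.16.0/20", "198.51.100.0/24"]
```

Run `audit_learned_routes(LEARNED, expected_prefixes(IP_RANGES_JSON, {"S3", "EC2", "AMAZON"}))` to see the test prefix flagged; `inbound_prefix_list` renders the matching filter.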

Direct Connect – Private VIF

• Access your VPC resources through private IP addresses
• BGP routing between customer/partner router and AWS DX router
• AWS advertises the VPC's CIDR if it's actively linked
• Need to use VGW or DX GW (depends on use case)
• No network level encryption

[Figure: Corporate DC ISR/ASR (customer managed) through a Partner/Carrier network (SP managed) to the customer router at the co-location (customer co-lo), BGP to the Direct Connect DX router, then DX GW to the VGW of the customer-managed VPC]

DX GW Limitations (Private VIF)

• No transitive routing natively: push code from dev to prod
• No network level encryption: compliance
• No overlapping CIDR blocks: acquire a new company
• Doesn't support across accounts: separate billing
• No routing control: enterprise segmentation

[Figure: Corporate DC customer router through a Partner/Carrier network, BGP to the Direct Connect DX router and DX GW, reaching VGWs of a Production Account and a Development Account in us-west-1 and us-east-1; the VPC CIDRs shown are 10.0.0.0, 10.1.0.0, 10.2.0.0 (appearing twice, i.e. overlapping) and 10.3.0.0]

https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways.html
NAT in Azure

• No Internet GW concept at Azure. System route (0.0.0.0/0 -> Internet) is automatically added to VM
• Azure infrastructure takes on the role of the router, allowing access from your VNet to the public Internet without the need of any configuration
• VM doesn't see public IP address, only sees its private IP address
• Will break services that do not work over NAT, such as GET-VPN (works over Express Route)
• Azure will translate 1 to 1 NAT for you
• Public IP for CSR becomes tunnel endpoint for VPN, etc
• Tunnel source will be a private address

[Figure: Azure NAT maps public IP 54.12.34.56 one-to-one to the WebApp1 instance with private IP 10.1.1.12, alongside instances 10.1.1.10 and 10.1.1.11]
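The last two bullets are exactly the condition IKEv2's NAT traversal detection (RFC 7296 section 2.23) exists to catch: the CSR hashes the private address it sees, the on-prem peer hashes the public address it sees, and the mismatch moves the tunnel to UDP 4500. The following Python is an added example, not from the deck or from Cisco; the 54.12.34.56 / 10.1.1.12 pair comes from the slide, while the on-prem peer 203.0.113.10 and the SPIs are constructed placeholders.

```python
"""Added example: how IKEv2 NAT traversal detection (RFC 7296 section 2.23)
reveals the 1:1 NAT that Azure places in front of a CSR1000V."""
import hashlib
import ipaddress

def nat_detection_digest(spi_i, spi_r, ip, port):
    """SHA-1 over SPIi | SPIr | IPv4 address | UDP port, the data carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    addr = ipaddress.IPv4Address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + port.to_bytes(2, "big")).digest()

def build_notifications(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """What the sender puts in IKE_SA_INIT, hashed from the addresses it sees."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_digest(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_digest(spi_i, spi_r, dst_ip, dst_port),
    }

def detect_nat(notifs, spi_i, spi_r, seen_src_ip, seen_src_port, local_ip, local_port):
    """The receiver recomputes both digests from the outer IP/UDP header it saw.
    SOURCE mismatch: the sender is behind a NAT. DESTINATION mismatch: the
    receiver itself is behind a NAT. Either way the SA moves to UDP 4500."""
    src_ok = notifs["NAT_DETECTION_SOURCE_IP"] == nat_detection_digest(
        spi_i, spi_r, seen_src_ip, seen_src_port)
    dst_ok = notifs["NAT_DETECTION_DESTINATION_IP"] == nat_detection_digest(
        spi_i, spi_r, local_ip, local_port)
    return {"sender_behind_nat": not src_ok, "receiver_behind_nat": not dst_ok,
            "use_udp_4500": not (src_ok and dst_ok)}

# Constructed scenario: CSR private IP and Azure public IP are the slide's values;
# the on-prem peer address is an RFC 5737 placeholder and the SPIs are made up.
CSR_PRIVATE_IP = "10.1.1.12"
CSR_PUBLIC_IP = "54.12.34.56"
ONPREM_IP = "203.0.113.10"
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes(8)  # responder SPI is all zeros in the initiator's first message

def azure_csr_initiates():
    """CSR (initiator) hashes its private address; the on-prem router sees the
    packet arrive from the Azure public IP after the 1:1 NAT rewrite."""
    sent = build_notifications(SPI_I, SPI_R, CSR_PRIVATE_IP, 500, ONPREM_IP, 500)
    return detect_nat(sent, SPI_I, SPI_R, CSR_PUBLIC_IP, 500, ONPREM_IP, 500)

def onprem_initiates():
    """On-prem router hashes the CSR's public IP as destination; the CSR receives
    the packet on its private IP, so the DESTINATION digest no longer matches."""
    sent = build_notifications(SPI_I, SPI_R, ONPREM_IP, 500, CSR_PUBLIC_IP, 500)
    return detect_nat(sent, SPI_I, SPI_R, ONPREM_IP, 500, CSR_PRIVATE_IP, 500)
```

The same mechanism is why the GCP slide later in this appendix asks for UDP 500 and 4500 in the VPC firewall rule: once a NAT is detected, ESP is carried in UDP 4500 rather than as bare protocol 50.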

Azure VGW (VPN Gateway)
• VGW supports IKEv1 & IKEv2 (PSK only)
• VGW supports S2S & P2S IPSec
  • S2S includes: VNET-OnPrem & VNET-VNET
  • P2S is Remote-Access & includes: SSTP (MSFT Proprietary) & IKEv2 RA
• VPN types
  • Policy Based (Static Route)
  • Route Based (BGP)
• Active-Active & Active-Passive
• Need a dedicated gateway subnet
• Up to 1.25Gbps IPSEC with top-end SKU
• Limited by Scales
• Lacks Advanced VPN Overlays – Dynamic full/partial mesh
• Lacks Overlay Routing sophistication

[Figure: VNET A and VNET B, each with a VGW, joined by a VNET-VNET tunnel]

SKU      Workload     Throughput   S2S/V2V Tunnel   P2S   SLA
VpnGw1   Production   650 Mbps     Max. 10          128   99.95%
VpnGw2   Production   1 Gbps       Max. 30          128   99.95%
VpnGw3   Production   1.25 Gbps    Max. 30          128   99.95%
Basic    Dev/Test     100 Mbps     Max. 10          128   99.9%

Ref: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
Microsoft ExpressRoute (ER)
• Unified connectivity to Microsoft Cloud Services
• Predictable performance
• Enterprise-grade resiliency with SLA for availability
• Large and growing ExpressRoute partner ecosystem

[Figure: the customer's network reaches the Partner Edge over a primary and a secondary connection; the ExpressRoute Circuit continues to the Microsoft Edge, offering Microsoft Peering (Office 365 and Dynamics 365), Azure Public Peering (Azure public IPs) and Azure Private Peering (Virtual Networks)]
Transit VNET with CSR-HA and Peering

• Leverage VNET Peering, Spoke VNET can talk to Spoke VNET through Hub VNET
• Traffic control (QoS, ACL), segregation (VRF, ZBFW) and visibility (AVC)
• UDR in spoke VNET points to CSR1/2, CSR1 and CSR2 need to be configured as HA pair
• CSR-HA (Active-Standby) Failover takes around 10 seconds (UDR change takes time on Azure side)
• Encryption from Hub to on-prem
• No encryption between VNETs

[Figure: Hub VNET with CSR1 and CSR2 (BFD between them), spoke VNETs peered to the hub, and an encrypted link from the hub to on-prem]

*2 NICs CSR, G1 receives traffic (UDR points to), G2 sends traffic (add specific routes)

Transit Routing with CSR-HA and Peering
CSR-HA is Active-Active with ILB HA Port
ILB (Internal Load Balancer) HA port supports any-port load balancing

• Leverage VNET Peering, Spoke to Spoke through Hub VNET, load balanced.
• UDR in spoke VNET route table is always pointing to ILB's VIP address
• CSRs don't have to be configured as HA pair
• Minimum failure detection is dependent on probe (2x5=10s), traffic switchover is sub-second. Total failover is around 10s.
• More CSRs can be added into cluster.
• On-prem device needs multiple tunnels
• Encryption from Hub to on-prem
• No encryption between VNETs

[Figure: Hub VNET with an ILB HA Port probing each member of a CSR cluster; spoke VNETs send transit traffic to the ILB VIP]

CSR with Express Route

[Figure: Customer VNET with an ExpressRoute circuit, a VNG in the gateway subnet, CSR1 in AZ1 and CSR2 in AZ2 each running BGP (BGP1, BGP2) to the on-prem ASR, and APP subnets; numbered callouts 1 to 5 correspond to the steps below]

1. Talk with your service provider to create an ER Circuit in your Azure account. You need to input the BGP parameters used for this Circuit. If you have multiple service providers, you can create multiple ER Circuits.
2. Create a Gateway Subnet within the VNET and create a VNG (Virtual Network Gateway) in the gateway subnet.
3. Add an ExpressRoute connection on that VNG and specify the ER Circuit created in step 1. A BGP session will be established from the VNG to your on-premises router (ASR). The VNG exchanges the VNET's CIDR with the ASR for your DC CIDR. The VNG then programs those DC routes into the VMs' "effective routes" automatically, including CSR1/2.
4. CSR1/2 can talk to your ASR through private IP addresses; you can use multi-hop eBGP or single-hop eBGP over a tunnel between CSR1/2 and your ASR. Use an IPSEC tunnel, not GRE, on Azure.
5. Set up high availability between CSR1 and CSR2. Add a UDR to let your application subnet use either CSR1 or CSR2 as next hop.
GCP: CSR available on Google Cloud Platform

• Targeted for the 16.9 release (July CY18)
• Standalone CSR in VPC, BYOL only. HA and PAYG are coming in the future
• Customers can deploy CSR from GCP launcher
• Use cases: connecting hybrid cloud (on-prem to public cloud), GCP VPC to VPC, multi-clouds

[Figure: Corporate DC connected to a CSR in a GCP Cloud Virtual Network over the Internet or Cloud Interconnect]

GCP VPN Gateway

• S2S VPN, IKEv1 and IKEv2, PSK only
• Static route and BGP
• ESP Tunnel mode only, not transport mode
• 1.7Gbps throughput

ref: https://cloud.google.com/vpn/docs/concepts/overview
Deploy CSR in a GCP VPC

• CSR/VM can only have one interface in a VPC.
• Subnets within same VPC use Google Cloud Router as first hop
• Add a route pointing to CSR's instance or IP
• Create a static public IP address
• Enable "IP Forwarding" on CSR's interface during CSR creation
• Block "project-wide key", need to input your ssh-key during creation.
• Make sure VPC firewall rule has UDP 500/4500 for IPSEC

VPC route table shown in the figure:
Subnet         Next Hop
10.1.0.0/16    Virtual network
10.2.0.0/16    Virtual network
10.3.0.0/16    Virtual network
0.0.0.0/0      Default Internet GW
20.0.0.0/16    CSR-IP (on-prem)

[Figure: Cloud Virtual Network with subnets 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, a CSR with IP Forwarding enabled and public-key login, and the Corporate DC (20.0.0.0/16) reached over the Internet]
Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don't forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you
