Brkarc-2023 (2019)


#CLUS

Building Hybrid Clouds in AWS with the CSR 1000v

Chris Hocker, Customer Solutions Architect
Steven Carter, Principal Systems Engineer
BRKARC-2023

Agenda
• CSR 1000v and AWS Overview
• Cloud WAN Architectures
• Cloud WAN Designs with SDWAN
• Automation
• Conclusion

#CLUS BRKARC-2023 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Related Sessions
• Multicloud Networking – Design & Deployment [BRKCLD-3440]
• Wednesday, June 12, 1:00 PM - 3:00 PM

• Extending Enterprise Network into Public Cloud with Cisco CSR1000v [BRKARC-2749]
• Thursday, June 13, 1:00 PM - 2:30 PM

• How to extend your ACI fabric to Public Cloud (AWS and Azure) [BRKACI-2690]
• Tuesday, June 11, 1:00 PM - 3:00 PM

• Public cloud deployment of Cisco CSR1000v [LABCLD-1002]


• Cloud-Ready WAN for IAAS and SAAS with Cisco Next-Gen SD-WAN [BRKCRS-2113]
• Tuesday, June 11, 4:00 PM – 6:00 PM

Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKARC-2023
CSR 1000v and AWS Overview

Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a virtual network function form-factor

Software
• Same IOS XE software as the ASR1000 and ISR4000

Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1vCPU to 8vCPU

Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, RHEL Linux KVM, Suse Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100
• Supported Cloud Platforms: Amazon Web Services, Microsoft Azure, Google Cloud Platform

Programmability
• NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet

License Options
• Term based 1 year, 3 year

[Figure: CSR 1000V as a VM (App/OS) on top of a virtual switch, hypervisor and x86 server]

Enterprise-class networking with rapid deployment and flexibility
Q: Where can I find the CSR on AWS?
A: In the AWS marketplace!

1. Search for “Cisco”
2. Pick a flavor
What are the different CSR 1000V types listed?
1. Cloud Services Router 1000V BYOL
• Can be any tech package and throughput level depending on license purchased from Cisco and installed on CSR (not all throughputs supported)
2. Cloud Services Router 1000V Security Tech Package
• Includes features from the Security technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)
3. Cloud Services Router 1000V AX Tech Package
• Includes features from the AX technology package. Performance based on AWS instance type selected (more or less vCPU/vMemory)

Note on “Maximum Performance”
• CSR1K image for HVM instance types
CSR 1000v Licensing Structure

A CSR 1000v license combines one value from each of the three columns:

Technology Package: IPBase, SEC, AppX, AX
Throughput: 10 Mbps, 50 Mbps, 100 Mbps, 250 Mbps, 500 Mbps, 1 Gbps, 2.5 Gbps, 5 Gbps, 10 Gbps*
License Type: Hourly or Annual (Available on AWS); Term based license (1-year, 3-year or 5-year)

*10 Gbps is only available on the IPBase Technology Package
CSR 1000v Technology Package Features

IPBase (formerly Standard)
• Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS, BFD
• Multicast: IGMP, PIM
• High Availability: HSRP, VRRP, GLBP
• Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS
• Basic Security: ACL, AAA, RADIUS, TACACS+
• Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF
Note: NEW, BFD moves to IPBASE in 16.6.1. AWS/Azure HA requires SEC only.

SEC (formerly Advanced)
• IPBase Plus…
• Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN

AppX
• IPBase Plus…
• Advanced Networking: L2TPv3, MPLS, VRF, VXLAN
• Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA
• Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS
• Subscriber Management: PTA, LNS, ISG

AX (formerly Premium)
• ALL FEATURES
Networking limitations for the public cloud

Limitations:
• No L2 Multicast
• No L2 Broadcast
• GRE
• MTU Limitations

Affected Services:
• IGPs
• HSRP/VRRP
• GLBP
• BFD
• L2TPv3
• OTV
• 802.1Q VLAN
• AppNav
• WCCP
• Proxy ARP, Gratuitous ARP > LISP-VM Mobility
Reference
CSR 1000V License Throughput Enforcement
• Rate shaper is implemented in the ESP data path at the root of the QoS hierarchy
• All egress traffic is subjected to the shaper
• The rate is derived from license
• Throughput limit is global, not per-interface
• Shaper does not distinguish between different types of traffic
• To ensure high-priority traffic is not dropped by the license shaper, configure QoS
• E.g. LLQ on interfaces (leveraging priority propagation of the QoS Scheduler)
• Note that Control Plane Policing can be applied to also mark control plane packets!

[Figure: interfaces G1-G4 feeding the ESP shaper with a 50 Mbps license. Flows: G1->G3: 15, G2->G4: 20, G3->G2: 10, G4->G3: 15; Total: 60 Mbps offered, so 10 Mbps (60-50) is dropped by the shaper]
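The slide's worked numbers, as an added Python model (not from the deck or Cisco) that contrasts the global license shaper with and without LLQ marking. The flow names follow the diagram; choosing G3->G2 as the priority flow and the proportional-share behaviour of the unmarked shaper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Model of the CSR 1000V license shaper from the slide (added example, not
# Cisco code). Rates are in Mbps; the flows are the four on the diagram.


@dataclass
class Flow:
    name: str               # e.g. "G1->G3"
    offered: float          # offered egress rate in Mbps
    priority: bool = False  # True if the flow is marked for LLQ priority


LICENSE_MBPS = 50           # throughput license on the slide
SLIDE_FLOWS = [             # 15 + 20 + 10 + 15 = 60 Mbps offered
    Flow("G1->G3", 15),
    Flow("G2->G4", 20),
    Flow("G3->G2", 10),
    Flow("G4->G3", 15),
]


def shape_without_qos(flows, license_mbps=LICENSE_MBPS):
    """Global shaper with no class-aware QoS: it cannot tell the flows apart,
    so the excess is taken from all of them in proportion to offered rate
    (an assumed fair-share approximation of 'does not distinguish')."""
    total = sum(f.offered for f in flows)
    scale = min(1.0, license_mbps / total)
    return {f.name: round(f.offered * scale, 2) for f in flows}


def shape_with_llq(flows, license_mbps=LICENSE_MBPS):
    """LLQ with priority propagation: priority-marked flows are served first
    up to the license rate; whatever is left is shared by best-effort flows."""
    sent = {}
    remaining = float(license_mbps)
    for f in (f for f in flows if f.priority):
        sent[f.name] = min(f.offered, remaining)
        remaining -= sent[f.name]
    best_effort = [f for f in flows if not f.priority]
    be_total = sum(f.offered for f in best_effort)
    scale = 1.0 if be_total <= remaining else remaining / be_total
    for f in best_effort:
        sent[f.name] = round(f.offered * scale, 2)
    return sent


def dropped_mbps(flows, sent):
    """Mbps the shaper discards: offered minus forwarded (60 - 50 on the slide)."""
    return round(sum(f.offered for f in flows) - sum(sent.values()), 2)


def mark_priority(flows, *names):
    """Return a copy of the flow list with the named flows priority-marked."""
    return [Flow(f.name, f.offered, f.priority or f.name in names) for f in flows]


if __name__ == "__main__":
    plain = shape_without_qos(SLIDE_FLOWS)
    llq = shape_with_llq(mark_priority(SLIDE_FLOWS, "G3->G2"))
    for label, result in (("no QoS", plain), ("LLQ", llq)):
        print(f"{label:7s} {result}  dropped={dropped_mbps(SLIDE_FLOWS, result)} Mbps")
```

Either way the shaper discards 10 Mbps; what LLQ changes is which traffic pays for it.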
Cisco CSR 1000V Performance on Public Clouds
IOS-XE 16.10.1 release, large packet, with Intel Meltdown and Spectre fix.

AWS instance types
Size          CEF(Mbps)  IPSEC(Mbps)
T2.medium     450        200
C4.large      650        650
C4.xlarge     850        850
C4.2xlarge    2300       2300
C4.4xlarge    4600       4200
C4.8xlarge    6200       4500
C5.large      5200       2300
C5.xlarge     6100       2800
C5.2xlarge    8100       5000
C5.4xlarge    12300      8200
C5.9xlarge    13600      8900
(Enhanced Networking)

Azure instance types
Size      CEF(Mbps)  IPSEC(Mbps)
D2_v2     1300       900
DS2_v2    1300       900
D3_v2     2700       2000
DS3_v2    2700       2000
D4_v2     4700       4400
DS4_v2    4700       4400
(With Accelerated Networking)

Google Cloud Platform instance types
Size            CEF(Mbps)  IPSEC(Mbps)
N1-standard-1   1850       1100
N1-standard-2   3700       1250
N1-standard-4   7450       2000
N1-standard-8   7850       3800
Reference
CSR Scale (across all public and private clouds)
IOS-XE 16.9.1

Feature Scale

IPSEC tunnels 8,000

VRF 4000

NAT 512,000

BGP routes 400,000

BFD 500

IPSLA 10,000

ACE (ACL Entries) 65,000

VPC 101
• Logically isolated network with its own IP range, routes, security, etc.
• IP ranges (RFC1918) can be overlapping
• Subnets created inside VPC
• Internet gateway (IGW) connects outside and between VPCs
• Public IP or NAT for egress
• Security:
  • Network ACLs for subnets
  • Security Groups for instances
• VPC route tables direct traffic within the VPC
• VPC “router” is really an encap/decap device b/w hypervisors

[Figure: VPC 10.99.0.0/16 with Subnet A 10.99.1.0/24 and Subnet B 10.99.2.0/24 behind an IGW]

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/
Region and Availability Zone Concepts
• VMs (Virtual Machines) are hosted in multiple data centers across the world. A region is a separate geographic area
• VM instances have to be launched into a specific region. Locating instances close to end users can reduce latency
• A region consists of multiple AZs (Availability Zones). Each AZ is isolated, but AZs in a region are connected through low latency and high bandwidth links.
VGW (Virtual Private Gateway)
• VGW is an easy to use VPN service provided by AWS.
• It supports IPSEC VPN with pre-shared key (no certificate based).
• Static and BGP routing
• 1.25 Gbps IPSEC throughput
• VGW uses two end-points for high availability
• CGW (Customer Gateway) is needed to establish an IPSEC VPN.
• IPSEC can’t be established between two VGWs
• Also used for Direct Connect (no crypto)
VPC Peering
• High Bandwidth VPC to VPC Interconnection
• Share Private IP CIDR routes between the VPCs
• Inter-Region Peering is new
• Point to Point
• No Transit Peering

[Figure: VPC Dev peered with VPC QA in us-west]
CSR Advantages over…

Virtual Private Gateway:
• Scalability
• Performance
• Continuity of Operations
• Richer routing features
• Active/Active Tunnels
• Spoke-to-spoke routing
• Security/Application Visibility

VPC Peering:
• Scalability
• Performance
• Overlapping CIDR blocks
• Transitive peering relationships
• Multiple peerings per VPC
• Spoke-to-spoke routing
• Security/Application Visibility
AWS Transit Gateway
• Connect multiple VPCs at scale
• Significant scale & performance improvements over VGW
• Support multiple accounts in a single region
• Manage via AWS console, CLI, & SDKs
• Pricing based on attachment and GB of data processed
CSR Deployment Models

Application VPC Gateway
• CSR deployed in application VPC
• Provide IPSEC gateway for entire VPC
• Need high availability

Transit Hub Router
• CSR deployed in dedicated Transit Hub, not in application VPC
• High speed traffic routing for spoke VPC
• High availability is built-in natively

[Figure: left, a CSR inside an Application VPC; right, CSRs in AZ1 and AZ2 of a Transit Hub VPC serving spoke VPCs]
Application VPC Design Models with CSRs
One Armed Mode
• Single interface on CSR
• VPC Route Table modified to add CSR as gateway
• CSR default gateway points to VPC router

[Figure: CSR with a single interface (G1) in the Public Subnet; IGW and VPC Router; the Private Subnet is routed via the CSR]
Application VPC Design Models with CSRs
Two Armed Mode

Local Interface in each subnet
• One CSR interface in each subnet
• Private Subnet VPC Route Table points to the local CSR interface
• Can be extended to more than 2 interfaces

Network Subnet
• Both CSR interfaces in the same subnet
• Use VRFs to separate interfaces for terminating tunnels, local traffic, and management
• Private Subnet VPC Route Table modified to add CSR as gateway

[Figure: top, CSR G1 in the Public Subnet and G2 in the Private Subnet; bottom, CSR G1 and G2 both in a Network Subnet beside the Private Subnet, with IGW and VPC Router]
Application VPC Design Models with CSRs
Multiple Availability Zone Design Model
• Two CSRs in different availability zones
• Private Subnet VPC Route Table modified to point to one of CSRs as a gateway
• CSR Cloud HA feature used for failover
• Can be run in single armed or two armed mode

[Figure: AZ1 and AZ2, each with a Public Subnet (CSR G1) and a Private Subnet, sharing the VPC Router and IGW]
No Link Local Broadcast in the VPC
• No Link local multicast or broadcast
• Affected services include:
  • IGPs
  • HSRP/VRRP
  • BFD
  • Proxy ARP, Gratuitous ARP
• GRE as work-around for some services

[Figure: CSR at 10.1.1.10 behind NAT (public 54.x.x.x) with hosts 10.1.1.11 and 10.1.1.12 in the same subnet]
NAT in a VPC
• Will break services that do not work over NAT, such as GET-VPN
• Tunnel source will be a private address
• Tunnel destination from the perspective of VPN peers will be a public address
• Assign EC2 elastic IP address so that address does not change if the CSR1K is shutdown
• Other VPCs see Elastic IP address unless using VPC peering

[Figure: CSR private address 10.1.1.10 translated by NAT to public 54.x.x.x; hosts 10.1.1.11 and 10.1.1.12]
CSR and VPN Tunnels
• May need to open security groups for IKE (UDP/500) and ESP (either IP/50 or UDP/4500)
• Disable Src/Dst Check on interfaces with local VPC traffic
• Use interface name as tunnel source (e.g. Gig1)
• Use VPC route table to direct traffic for VPN destinations to the CSR
• Traffic leaving a VPC has 1500B limitation
• Adjust Tunnel ‘ip mtu’ and ‘ip tcp adjust-mss’
• Cisco VPN designs recommend front-door VRF

[Figure: Virtual Private Cloud with the CSR terminating the VPN tunnels]
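An added Python helper (not Cisco's or AWS's code) that turns the first two bullets into least-privilege settings: IKE, ESP and NAT-T ingress scoped to the VPN peers, SSH scoped to a management range, and the source/destination check disabled on the forwarding ENIs. It names the boto3 EC2 client operations but takes the client as a parameter; the DryRunEc2 stub and every ID and CIDR below are constructed.

```python
# Added example (not Cisco or AWS code): security-group ingress rules and ENI
# settings for a CSR VPN endpoint, scoped to peers instead of 0.0.0.0/0.
# The boto3 operation names and parameters are real; the client is injected so
# the logic runs offline with the DryRunEc2 stub. All IDs/CIDRs are constructed.

ANY_IPV4 = "0.0.0.0/0"


def vpn_ingress_rules(peer_cidrs, nat_traversal=True):
    """IKE (UDP/500), ESP (IP protocol 50) and, when a peer sits behind NAT,
    NAT-T (UDP/4500), each limited to the listed VPN peer addresses."""
    ranges = [{"CidrIp": cidr} for cidr in peer_cidrs]
    rules = [
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": ranges},
        {"IpProtocol": "50", "IpRanges": ranges},  # ESP carries no ports
    ]
    if nat_traversal:
        rules.append({"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
                      "IpRanges": ranges})
    return rules


def ssh_ingress_rule(mgmt_cidr):
    """Management SSH (TCP/22), limited to the management range only."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": mgmt_cidr}]}


def world_open_rules(rules):
    """Rules that would admit the whole Internet; used as a pre-apply check."""
    return [r for r in rules
            if any(ip["CidrIp"] == ANY_IPV4 for ip in r["IpRanges"])]


def apply_csr_vpn_settings(ec2, group_id, vpn_eni_ids, peer_cidrs, mgmt_cidr):
    """Authorize the rules on the CSR's security group and disable the
    source/destination check on the interfaces that forward VPC traffic."""
    rules = vpn_ingress_rules(peer_cidrs) + [ssh_ingress_rule(mgmt_cidr)]
    offenders = world_open_rules(rules)
    if offenders:
        raise ValueError(f"refusing to open rules to {ANY_IPV4}: {offenders}")
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)
    for eni_id in vpn_eni_ids:
        # Without this, EC2 drops packets the CSR forwards on behalf of other hosts.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False})
    return rules


class DryRunEc2:
    """Stub standing in for boto3.client('ec2'); records the calls it receives."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize_security_group_ingress", kwargs))

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(("modify_network_interface_attribute", kwargs))


if __name__ == "__main__":
    # Constructed sample values; swap in boto3.client("ec2") to apply for real.
    ec2 = DryRunEc2()
    apply_csr_vpn_settings(ec2, "sg-EXAMPLE", ["eni-EXAMPLE"],
                           peer_cidrs=["203.0.113.10/32"], mgmt_cidr="198.51.100.0/24")
    for name, kwargs in ec2.calls:
        print(name, kwargs)
```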
Reference
MTU Considerations
• Jumbo frames (up to 9000 bytes) are allowed within single VPC.
• Traffic going out of a VPC or VPC peering connection has MAX 1500 MTU.
• CSR supports jumbo frames by putting “mtu <1500-9216>” under
interface configuration. However, when CSR sends traffic out of a VPC,
packets will be fragmented if it’s over 1500 bytes.
• Supported instance types:
• General purpose: M3, M4, M5, T2
• Compute optimized: C3, C4, C5, C5 with instance storage, CC2
• Accelerated computing: F1, G2, G3, P2, P3
• Memory optimized: CR1, R3, R4, X1
• Storage optimized: D2, H1, HS1, I2, I3

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#jumbo_frame_instances

CSR Management Access
• No console in AWS
• Management and remote access of the CSR will
happen over SSH via a private or public IP
address
• Need to open SSH (TCP/22) ingress in the
security group
• Consider using dedicated management interface
• Configuring VRF causes loss of connectivity
• EEM script used to work around.

Cloud Network Architectures

Use Case 1 – Enterprise Extension into AWS
• Connect one or many physical locations into an Amazon VPC. IPSec, DMVPN, FlexVPN, EZVPN, etc…
• Up to 1,000 concurrent VPN tunnels per CSR.
• Familiar configuration, familiar troubleshooting, not a black box.

[Figure: VPC connected over the Internet and WAN to Enterprise Network sites in New York and San Jose]
Use Case 1A – Internal App in Public Cloud
Design Options
• Direct branch access to AWS or branch connected to AWS through HQ/DC
• VPN topologies can be DMVPN or P2P IPSec
• DMVPN hubs can be located at the Enterprise DC/HQ or in the public cloud
• Direct Connect or Internet for transport

[Figure: CSR1K in the Virtual Private Cloud, ASR1K in the Enterprise DC and Corporate Office, ISR4K at each Branch Office, connected over the WAN (Internet/MPLS)]
Use Case 1B – Public App to Data Center
Back-end connection for:
• App Tiers/Data
• Management
• Remote Access
• Internet Access

[Figure: VPC with Subnet 1 and Subnet 2 reached by Internet Users, with a back-end connection over the Internet to the Corporate Data Center]
Use Case 2 – VPC Interconnection
• Common requirement to build overlay network topologies within an AWS environment to address advanced networking requirements.
• Tunnels can be deployed over Internet, VPC Peering, or Direct Connect.
• VPCs can be in the same region or different regions, or in other cloud providers

[Figure: two Virtual Private Clouds, US West Region and US East Region, interconnected within the AWS cloud]
Transit VPC
Across regions, accounts/subscriptions
• Dedicated VPC for routing
• High Scale and Performance
• High Availability: Redundant VPN Tunnels with dynamic routing in a multi-AZ deployment
• Enterprise class routing features in the Transit VPC
• VGW or CSRs in the spoke VPCs
• See BRKARC-2749 for more information

[Figure: Transit VPC with CSR1 (AZ1) and CSR2 (AZ2) connecting Spoke VPCs (VPC A, VPC C, …) and a Shared Services VPC, plus a Private DC (ASR) and Other Provider Networks reached over Direct Connect or Internet]
AWS TGW Integration

[Figure: Transit VPC with CSR1 (AZ1) and CSR2 (AZ2) attached to an AWS Transit Gateway that connects VPCs A, B and C; the Private DC (ASR) and Other Provider Networks reach the Transit VPC over Direct Connect or Internet]
Direct Connect Overview
• Dedicated connection between the enterprise and AWS
• Provides (1) private peering to VPCs and (2) public peering to AWS public services
• Sub-interface on corporate DC router for each service
• BGP peering for route exchange for each service
• 1G and 10G dedicated connections; sub-1G connections available via partners
• Multiple connections for redundancy
• No Native Encryption

[Figure: Corporate DC (Cisco ISR/ASR) connected over a Direct Connect Circuit to the Virtual Private Gateway (VGW) of the Virtual Private Cloud]
Direct Connect Topologies (1/2)

Direct from Enterprise
[Figure: Corporate DC ISR/ASR connected over Direct Connect to the VGW of the Virtual Private Cloud]

SP Managed Service
[Figure: Corporate DC ISR/ASR connected through an SP VPN to an SP Router, which connects over Direct Connect to the VGW of the Virtual Private Cloud]
Direct Connect Topologies (2/2)

Direct from Co-Lo
[Figure: Corporate DC ISR/ASR connected to a Co-Lo ISR/ASR, which connects over Direct Connect to the VGW of the Virtual Private Cloud]

Cloud Exchange
[Figure: Corporate DC ISR/ASR connected to a Co-Lo ISR/ASR at a Co-Lo Cloud Exchange, which connects over Direct Connect to the VGW of the Virtual Private Cloud]
Reference
Direct Connect Peering Requirements
• Each private (VPC) and public connection requires a virtual interface
• BGP peering to AWS for each virtual peering for route exchange
• Can use VRFs to segment peerings into different routing domains
• Typical peering router requirements
  • 1GE/10GE interfaces
  • Bi-directional line-rate performance
  • Sub-interfaces
  • BGP
  • VRFs
  • IPSec/Tunnels/Crypto
  • High availability features
  • Netflow/AVC
  • QoS (shaping)
  • NAT
  • Security Features
• ISR4000 – Up to 2 Gbps
• ASR1000 – Up to 200 Gbps
Direct Connect With CSR 1000V and Private VIF
• Primary use cases are encryption, Transit VPC, WAN/DMVPN extension, VRF Extension
• Tunnel endpoints are private IP addresses
• Up to 4.5 Gbps throughput per CSR1K

[Figure: Private Virtual Interface Peering. Corporate DC (Cisco ISR/ASR) to Co-Lo to Direct Connect, BGP Peering with the VGW, which connects to the CSR 1000V interface in the Virtual Private Cloud (Connected VPC CIDR Block). An IPSec Tunnel carries the Enterprise Overlay IPs and VPC CIDR Routing Block(s)]
Reference
Direct Connect With CSR 1000V and Public VIF
• Public Virtual Interface

[Figure: Public Virtual Interface Peering. Corporate DC (Cisco ISR/ASR) to Co-Lo to Direct Connect, BGP Peering with AWS Public IPs, reaching the CSR 1000V interface through the IGW of the Virtual Private Cloud. An IPSec Tunnel carries the Enterprise Overlay IPs and VPC CIDR Routing Block(s)]
Internet Access Options (1/2)

App VPC Internet Access
• EC2 Public IP, Local NAT Instance, or Elastic Load Balancer
• Most applicable to public apps

On-prem Internet Access
• Leverage existing enterprise internet connection and security perimeter
• Backhauls all traffic to enterprise

[Figure: left, VPC-A/B/C each reach the Internet directly while the Transit VPC links to the Private DC; right, VPC-A/B/C go via the Transit VPC to the Private DC, whose Security perimeter fronts the Internet]
Internet Access Options (2/2)

Transit VPC Internet Access
• Central security enforcement
• Integrated CSR1K security features or 3rd party VNF

Co-Lo Internet Access
• Leverage local co-lo internet connectivity

[Figure: left, VPC-A/B/C reach the Internet through Security in the Transit VPC, which also links to the Private DC; right, VPC-A/B/C go via the Transit VPC to a Co-Lo whose Security fronts the Internet, with the Private DC behind the Co-Lo]
CSR Cloud High Availability
• No virtual IP as with HSRP, since AWS doesn’t allow multicast
• AWS Route Tables for app subnets are re-pointed to opposite CSR
• Failure detection is automatic
• CSR itself calls AWS API to adjust AWS Route Table routes
• EC2 API Endpoint can be reached via Public IP or via Private IP with VPC Endpoints

[Figure: VPC with two CSRs in a CSR Subnet and App Subnet A / App Subnet B; before HA failover the app subnet routes point at the first CSR, after HA failover at the second, changed through the AWS REST API]

http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws/b_csraws_chapter_0100.html
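The route-table repoint behind the HA bullets, as an added Python illustration (not Cisco's Cloud HA implementation): the surviving CSR finds every route still pointing at the failed peer's ENI and calls replace_route for each. The boto3 operation names are real; the route table and ENI IDs, the FakeRouteTableEc2 stub and the "before failover" state are constructed.

```python
# Added example (not Cisco's Cloud HA code): re-point app-subnet routes from a
# failed CSR to the surviving one, written against the boto3 EC2 client
# operations by name. The client is injected so the FakeRouteTableEc2 stub can
# exercise the logic offline with constructed route tables.


def routes_via_eni(route_tables, eni_id):
    """(route_table_id, destination_cidr) pairs whose next hop is eni_id,
    walking the describe_route_tables() response shape."""
    hits = []
    for table in route_tables["RouteTables"]:
        for route in table.get("Routes", []):
            if (route.get("NetworkInterfaceId") == eni_id
                    and "DestinationCidrBlock" in route):
                hits.append((table["RouteTableId"], route["DestinationCidrBlock"]))
    return hits


def failover_routes(ec2, route_table_ids, peer_eni_id, my_eni_id):
    """Move every route that still points at the failed peer's ENI to this
    CSR's ENI. Returns the (table, cidr) pairs that were re-pointed."""
    tables = ec2.describe_route_tables(RouteTableIds=route_table_ids)
    moved = routes_via_eni(tables, peer_eni_id)
    for rtb_id, cidr in moved:
        ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=cidr,
                          NetworkInterfaceId=my_eni_id)
    return moved


class FakeRouteTableEc2:
    """Stub for boto3.client('ec2') holding constructed route tables."""

    def __init__(self, route_tables):
        self.route_tables = route_tables
        self.replaced = []

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [t for t in self.route_tables
                                if t["RouteTableId"] in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.replaced.append((RouteTableId, DestinationCidrBlock, NetworkInterfaceId))
        for table in self.route_tables:
            if table["RouteTableId"] == RouteTableId:
                for route in table["Routes"]:
                    if route.get("DestinationCidrBlock") == DestinationCidrBlock:
                        route["NetworkInterfaceId"] = NetworkInterfaceId


def sample_route_tables():
    """Constructed 'before failover' state: both app subnets default via CSR1."""
    return [
        {"RouteTableId": "rtb-appA", "Routes": [
            {"DestinationCidrBlock": "10.99.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-csr1"}]},
        {"RouteTableId": "rtb-appB", "Routes": [
            {"DestinationCidrBlock": "10.99.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-csr1"},
            {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-csr2"}]},
    ]


if __name__ == "__main__":
    # CSR1 (eni-csr1) has failed; CSR2 (eni-csr2) takes over. With a real
    # boto3 client the EC2 endpoint is reached via public IP or, with
    # endpoint_url=..., via a VPC endpoint as the slide notes.
    ec2 = FakeRouteTableEc2(sample_route_tables())
    print(failover_routes(ec2, ["rtb-appA", "rtb-appB"], "eni-csr1", "eni-csr2"))
```

Running it twice is harmless: the second pass finds no routes left on the failed ENI and makes no API calls.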
Extend Segmentation to AWS
• Desire to extend multi-tenant segments into a “single” VPC
• Extend MPLS VPN segmentation to AWS cloud
• Leverage MPLS VPN over GRE or GRE VRF-Lite to CSR

[Figure: Multi-tenant Mission Network with an MPLS Core and PEs; MPLS VPN over GRE runs over Direct Connect to a CSR acting as PE, which places Tenant/Mission 1 and Tenant/Mission 2 into Subnet 1 and Subnet 2]
Enterprise-Wide Application Visibility
• Uses Netflow and IP SLA
• GUI for application visibility
• IP SLA configuration and monitoring
• Extends application visibility to your
cloud border

Cloud WAN Designs with SDWAN

Cisco SD-WAN: Cloud SDN Architecture

Management Plane (vManage)
• Single pane of glass
• Monitoring and Troubleshooting
• RBAC and APIs

Analytics (vAnalytics)
• Machine Learning
• Carrier Performance
• Bandwidth Forecasting

Control Plane (vSmart Controllers)
• SDN Architecture
• Routing and Security Distribution
• Horizontal Scale, Low Complexity

Data Plane (WAN Edge)
• Physical or Virtual
• Zero Touch Provisioning
• On-Premise or Cloud

[Figure: 3rd Party Automation via APIs; WAN Edges over MPLS, INET and 4G across Cloud, Data Center, CoLo, Campus and Branch, with MultiCloud OnRamp, Security (+Cloud) and Application QoE]
XE-SDWAN Software
• Modular router operating system
• Based on Cisco IOS-XE*
• Powers Cisco SD-WAN physical and virtual edge platforms

Viptela Component
* Does not include all Cisco IOS-XE features
Cloud Edge Deployment Use Cases
• Cloud onRamp is a set of different Cisco SD-WAN features for Cloud Edge
• Key 3 Use Cases
  • SaaS
  • IaaS
  • Colocations

[Figure: SD-WAN fabric over the Internet linking DC, CoLo, Remote Site, SaaS and IaaS]
Public Sector Cloud Ready Network

[Figure: HQ and Branch sites connected through West Coast and East Coast COLOs to West Coast and East Coast Clouds]
Cloud Onramp for AWS Key Use Cases
• Direct Branch to AWS applications
• Internet + Direct Connect for load balancing (Application Routing)
• Segmentation
• Encryption
• Service Chaining
• Transit VPC
• Multicloud Operations

SD-WAN CSR Deployment Models

Cloud Gateway
• WAN Edge deployed in each virtual network
• Full extension of SD-WAN Fabric

Cloud onRamp for IaaS
• Two WAN Edges deployed in a Transit Hub, acting as virtual aggregation routers
• Partial extension of SD-WAN Fabric

[Figure: left, a WAN Edge inside an Application VPC; right, WAN Edges in AZ1 and AZ2 of a Transit Hub VPC]
Cloud onRamp Automation in vManage
• Standard IPSec + BGP
• BGP <-> OMP
• Fully automated through vManage
• Fast failover
  • Speed of BGP convergence
  • BFD dead interval on overlay
• Supports Standard IPSec tunnel between CSR and AWS VGW

[Figure: AWS Region with Host VPCs (VGW, AZ1/AZ2) attached to a Gateway VPC running CSR1Kv in AZ1 and AZ2, with INET and MPLS (Direct Connect) transports, orchestrated by vManage]
Automation

Orchestration and Automation
[Figure: vManage orchestrating CSR 1000V and vEdge/cEdge]
AWS CloudFormation
• AWS technology to define cloud stacks via a JSON file
• Comparable technologies in OpenStack (Heat) and Azure (RM Templates)
• Can be used to create VPCs or launch EC2 instances into existing VPCs
• For CSR, can be used to initially launch, and then also configure via user data
• Most useful for Day 0
• Template for CSR in GitHub repository

[Figure: template, processed by AWS CloudFormation, produces a stack]
Programmable Interfaces

[Figure: NETCONF, RESTconf and gRPC programmable interfaces on top of a YANG Data Model (Open and Native Models for Configuration and Operation), alongside SNMP, over the Device Features (Interface, BGP, QoS, ACL, …) of the Physical and Virtual Network Infrastructure]
Guest Shell Application
Linux Shell Environment On Your Switch or Router
• Maintains IOS-XE system integrity
• Isolated User Space
• Fault Isolation
• Resource Isolation
• On-box rapid prototyping
• Device-level API Integration
• Scripting (Python)
• Linux Commands
• Application Hosting
• Integrate into your Linux workflow
• Integrated with IOS-XE

[Figure: Linux applications in the Guest Shell open application container, using the API of the Network OS]
Guest Shell with On-Box Python for AWS
• Python is the de facto automation language for networking
• Local Scripts and Automation
• Get instance metadata
• Get summary of VPC configuration
• IOS-XE configuration automation
• EEM integration
• Interact with public cloud services
• Copy configs, show command data, or files to/from S3
• Export metrics and logs to CloudWatch
• Interface with AWS API Endpoints (e.g. customize HA behavior)

https://github.com/CiscoDevNet/csr_aws_guestshell
ACI Extension to AWS – overall architecture
• Single or group of multiple regions in AWS represents an ACI site
• Each Region in AWS is similar to ACI POD in the cloud
• Cluster of minimum 3 cAPICs will be spun up in the infra VPC at each Site.

[Figure: Multi-Site Orchestrator (MSO) spanning On-Premise Site A and Public Cloud Site B; in AWS, Region 1 and Region 2 each have an Infra VPC (CSR-1000V, Cloud APIC, AWS Internet Gateway (IGW)) and User VPCs with AWS Instances]
Automation Demo

Cloud onRamp Demo
[Figure: AWS West Region and AWS East Region, each with a Host VPC (VGW, AZ1/AZ2); a Gateway VPC with CSR1Kv in AZ1 and AZ2 in the West Region; vManage orchestrating]
Cloud onRamp Demo
[Figure: same topology with a Gateway VPC (CSR1Kv in AZ1 and AZ2) in both the AWS West Region and the AWS East Region, orchestrated by vManage]
Summary

Cisco CSR 1000v Summary
• Primary use cases are:
  • Enterprise Network Extension
  • VPC Interconnection (including Transit VPC)
• Virtualized IOS-XE Benefits
  • Secure connectivity using IPSec, DMVPN, SD-WAN, etc.
  • Enterprise-class networking services including Routing, FW, and NAT
  • Rich telemetry for security and performance monitoring with Netflow/AVC and IP SLA
  • Normalize operations across multiple public clouds and on-prem networks
• HSRP-like High Availability for AWS VPCs
• Consider automation for scaling deployments
Additional Resources
Public Documentation:
• 20+ Demo Videos on CSR 1000V Youtube Channel
https://www.youtube.com/playlist?list=PLCiTBLSYkcoTUS6b4MFthdvhDrseo6MeN
• CSR 1000V Configuration Guide for AWS
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html
• Multicloud Design Guides
https://www.cisco.com/c/en/us/solutions/design-zone/cloud-design-guides.html
• AWS VPC Presentations
https://www.youtube.com/user/AmazonWebServices/search?query=VPC
AWS Mailer (ask-csr-aws-pm@cisco.com)
Azure Mailer (ask-csr-azure-pm@cisco.com)
CSR1000V Youtube Channel

http://cs.co/csr1000v

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you

