Cloud networking solutions with Cisco Cloud Services Router (CSR 1000V) on AWS and Azure
Fan Yang, Cisco, Engineer, Technical Marketing
Raghavendra K S, Cisco, Engineer, Technical Marketing
Nikolai Pitaev, Cisco, Engineer, Technical Marketing
LTRDCN-2100
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How: cs.co/ciscolivebot#LTRDCN-2100
Cisco Multicloud Portfolio — Key Use Cases
CloudAdvisory
• Cloud adoption strategy with a roadmap of capabilities & gaps
• Cloud onboarding with an app dependency mapping strategy
• Definition of the value case and value realization
CloudConsume
• Scale applications based on end-user performance and business metrics
• Gain visibility into application performance and control cloud spend
• Manage the full application lifecycle
CloudConnect
• Securely extend the private network to single or multiple public cloud environments
• Optimize for high cloud performance (IaaS and SaaS)
• Secured access to the internet and SaaS from branches
CloudProtect
• Secure “direct-to-cloud” users and their devices
• Protect endpoints, including mobile devices
• Secure SaaS applications and data
• Protect custom workloads running in the public cloud
Cisco Multicloud Portfolio — Products Mix
CloudAdvisory — Advisory Services (delivered by AS/Cisco Partners)
• Cloud Migration
• Cloud Connect
• Cloud Protect
• Cloud Consume
CloudConsume
• AppDynamics APM
• CloudCenter
CloudConnect
• CSR 1000v
• vEdge with Umbrella
CloudProtect
• Umbrella
• AMP for Endpoints
• Meraki Systems Manager
• Cloudlock
• Tetration Cloud
Cisco Cloud Services Router (CSR) 1000V — Cisco IOS XE Software in a Virtual Appliance Form-Factor
Enterprise-class Networking with Rapid Deployment and Flexibility
[Diagram: the CSR 1000V runs as one virtual machine (OS + App) next to other VMs on a virtual switch, on a hypervisor, on an x86 server]
Software
• The same familiar IOS XE software as on the ASR1000 and ISR4000
Infrastructure Agnostic
• Runs on x86 platforms
• Supported Hypervisors: VMware ESXi, Linux KVM, Citrix Xen, Microsoft Hyper-V, Cisco NFVIS and CSP2100
• Supported Cloud Platforms: Amazon AWS, Microsoft Azure
Performance Elasticity
• Available licenses range from 10 Mbps to 10 Gbps
• CPU footprint ranges from 1 vCPU to 8 vCPU
License Options
• Term based: 1 year, 3 year or 5 year
• Smart License enabled
Programmability
• NETCONF/YANG, RESTCONF, Guest Shell and SSH/Telnet
Cisco CSR 1000V Cloud Platform Options (IOS-XE 16.7.1 release)

CSR on AWS (use Enhanced Networking)
Size         CEF (Mbps)   IPSEC (Mbps)
T2.medium    390          300
M3.Medium    300          250
C4.large     575          550
C4.xlarge    860          860
C3.2xlarge   1330         1000
C4.2xlarge   2300         2200
C4.4xlarge   4600         4100
C4.8xlarge   5100         4700

CSR on Azure (will support Accelerated Networking in future)
Size         CEF (Mbps)   IPSEC (Mbps)
D2_v2        1500         700
DS2_v2       1500         800
D3_v2        2000         1500
DS3_v2       2000         1500
D4_v2        2000         2000
DS4_v2       2100         2000
CSR 1000V use cases for all public clouds
• Extend Enterprise Routing Architecture to Cloud
  • Common routing fabric securely extended to the cloud
  • DMVPN, FlexVPN, GETVPN*
  • Support for up to 1000 tunnels
• Remote Worker VPN Access
  • FlexVPN IPSEC or SSLVPN via AnyConnect
  • Flexible AAA server options for authentication
• Across Region/Cloud Provider Interconnection
  • Launch applications in regions near your users
  • Distribute applications globally
  • Accessibility across on-prem and cloud locations
  • Overcomes the VPN tunnel limitation on AWS and Azure
• Extend on-prem routing architecture into the Public Cloud
  • Monitor/Analyze/Shape traffic in the Public Cloud
  • Security (ETA, vFW, VRF, AVC, Snort IPS/URL Filtering)
  • Assurance (IP SLA, BFD, QoS)
  • Scale to hundreds of VPCs across regions/accounts (Transit VPC)
  • Monitoring and troubleshooting with known common tools
*GETVPN supported on DX/ER only (no NAT)
[Diagram: a corporate office/branch connected to a virtual private cloud (VPC) in Cloud US East and another in Cloud US West]
Two deployment models
Application VPC Gateway
• CSR deployed in the application VPC
• Provides the IPSEC gateway for the entire VPC
• Needs high availability
Transit Hub Router
• CSR deployed in a dedicated Transit Hub, not in the application VPC
• High-speed traffic routing for spoke VPCs
• High availability is built in natively
[Diagram: an Application VPC with a CSR in AZ1 and AZ2, and a Transit Hub VPC fronting spoke VPCs]
VPC (Virtual Private Cloud) 101
• Logically isolated network with its own IP range, routes, security, etc.
• IP ranges (RFC1918) can overlap across VPCs
• Internet gateway (IGW) connects to the outside and between VPCs
• Public IP or NAT for egress
• Security:
  • Network ACLs
  • Security Groups
• VPC route tables direct traffic within the VPC
• The VPC “router” is really an encap/decap device between hypervisors
[Diagram: VPC 10.99.0.0/16 with Subnet A 10.99.1.0/24 and Subnet B 10.99.2.0/24 behind an IGW]
https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/
AWS Elastic IP Addresses
• An Elastic IP Address is a routable address mapped to an instance in a VPC
• Instances never have a publicly routable IP address directly assigned
• Addresses are associated with the AWS account, not the instance
• The Elastic IP of the CSR 1000V becomes the tunnel endpoint for VPN in this lab
[Diagram: James’ VPC, CIDR 10.2.0.0/16, with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24; WebApp1 Instance at IP 10.2.1.25; Internet Gateway Elastic IP mapping 54.32.54.32 – 10.2.1.25]
Azure Basic Concepts
Virtual Network (VNet)
• A VNet logically isolates a network with its own IP range, routes, security policies, etc.
• Each subnet created is automatically assigned a route table that contains system routes: Local VNet rule, On-premises rule and Internet rule
• System routes can be overridden by User Defined Routes
• VNets’ IP ranges cannot overlap
• Public IP NAT or overload NAT for outbound traffic (no true public IPs)
• No L2 broadcast/multicast capability either
• GRE packets are blocked within Azure
• The Azure system route table routes within the VNet
• All VNet subnets ALWAYS have a route to all other VNet subnets!
[Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24]
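The VPC 101 and Azure slides make an asymmetric point: AWS lets VPC ranges overlap, Azure refuses overlapping VNets. Behind a transit hub neither matters, because a hub that learns two spokes with the same prefix over BGP can only route to one of them. The following admission check is an added example, not code from the Cisco Live deck; the inventory uses the lab's address ranges, and the colliding "Spoke-C" range is a constructed value.

```python
"""Check that spoke VPC/VNet address ranges can coexist behind one transit hub.

Added example (not from the Cisco Live deck). AWS tolerates overlapping VPC
ranges and Azure rejects overlapping VNets, but a transit hub that advertises
every spoke over DMVPN/BGP cannot route between two spokes sharing address
space in either cloud. The inventory holds the lab topology ranges from the
deck; the "Spoke-C" candidates tested in main() are constructed.
"""
import ipaddress
from itertools import combinations

# Inventory: name -> CIDR (lab values from the deck)
SPOKES = {
    "PodX Transit VPC": "100.64.127.224/27",
    "PodX-Spoke-A VPC": "40.0.0.0/16",
    "PodX-Spoke-B VPC": "50.0.0.0/16",
    "Azure VNET": "30.0.0.0/16",
}


def find_overlaps(ranges):
    """Return a sorted list of (name_a, name_b) pairs whose CIDRs overlap.

    ip_network.overlaps() is symmetric, so each unordered pair is tested once;
    strict=False tolerates host bits set in a hand-typed range.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in ranges.items()}
    clashes = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


def can_attach(existing, cidr):
    """Admission check for a new spoke: True only if cidr overlaps no existing range.

    The transit hub's own range is part of `existing` on purpose: a spoke
    inside it would be shadowed by the hub's connected route.
    """
    new = ipaddress.ip_network(cidr, strict=False)
    return all(
        not new.overlaps(ipaddress.ip_network(c, strict=False))
        for c in existing.values()
    )


if __name__ == "__main__":
    print("overlaps in lab inventory:", find_overlaps(SPOKES))
    # Constructed candidates for a hypothetical Spoke-C
    print("attach 40.0.128.0/17?", can_attach(SPOKES, "40.0.128.0/17"))  # collides with Spoke-A
    print("attach 60.0.0.0/16?", can_attach(SPOKES, "60.0.0.0/16"))
```

Run the check before adding a VGW or VNet to the hub; it is cheap, and the failure it prevents (one spoke silently unreachable while BGP looks healthy) is slow to diagnose from the CSR alone.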
Azure Public IP Addresses
• Azure infrastructure takes on the role of the router, allowing access from your VNet to the public Internet without any configuration
• The public IP of the CSR becomes the tunnel endpoint for VPN, etc.
• Instances never have a publicly routable IP address directly assigned
[Diagram: Virtual Network CIDR 10.2.0.0/16 with Subnet A 10.2.1.0/24 and Subnet B 10.2.2.0/24; WebApp1 Instance at IP 10.2.1.25; Azure infrastructure public IP mapping 54.32.54.32 – 10.2.1.25]
Transit VPC/VNET Design
[Diagram: a Private DC (ASR) reaches a Transit VPC over Direct Connect or the Internet; CSR1 in AZ1 and CSR2 in AZ2 connect spoke VPCs A, B, C … and other provider networks, across regions and accounts/subscriptions]
• Dedicated VPC: simplifies routing by not combining it with other shared services.
• CSR 1000v Virtual Network Appliances: provide dynamic routing and VPN network tunnels.
• Redundancy: dynamic routing combined with a multi-AZ deployment creates a robust network infrastructure.
• VGW: VPC virtual gateways provide highly available connections to the transit VPC virtual network appliances.
• Security services: easily layer Firewall, IPS, URL Filtering and Cisco ETA (Encrypted Traffic Analytics).
Transit VPC using DMVPN Solution Diagram
[Diagram: Transit VPC with CSRs in AZ1 and AZ2, joined by DMVPN to Spoke VPC A, Spoke VPC B and Spoke VPC C]
• High Throughput: a spoke VPC scales up to 4.5 Gbps with CSR, instead of 1 Gbps on a VGW
• Inter-VPC Traffic: a spoke VPC can talk to other spokes directly, which frees up Transit CSR throughput
• Redundancy: two CSRs in the spoke VPC act as a high availability pair to provide redundancy
• Application Visibility: application-level visibility in the spoke with NBAR capability on the CSR
• Advanced Security: ZBFW, IPS and URL filtering with Snort IPS on the CSR for inter-VPC traffic; Cisco ETA (Encrypted Traffic Analytics)
Multi Region Deployment with Inter Region Peering!
[Diagram: Private DC 1 (ASR) and Private DC 2 (ASR) each connect over DX/ER or the Internet to a Transit VPC, us-east (CSR1, CSR2) and us-west (CSR3, CSR4); the two Transit VPCs are joined by tunnels over Inter-Region Peering, with spoke VPCs tagged region1:spoke and region2:spoke]
• Keep localized traffic in the same region
• Use different spoke tags (region1:spoke, region2:spoke) so a spoke is not connected to a different region
• Use different BGP ASNs for easy troubleshooting
Technical comparison between AWS and Azure for CSR 1000v
Feature                                   AWS             Azure
IPSEC Throughput                          4.5 Gbps        2 Gbps
Number of vNICs supported today           10              2/4/8
High Availability (Routing)               Supported       Supported
Bootstrap                                 User Data       Custom Data (coming)
Automated Hub Spoke Solution              Transit VPC     Transit VNET (coming)
PAYG (Pay As You Go)                      Supported       Coming
GRE Tunnel support in VPC/VNet            Supported       Not supported
L2 Broadcast and Multicast                Not supported   Not supported
Add interfaces on running CSR 1000V VM    Yes             No (need to stop instance)
Transit VPC Lab Overview
[Diagram: Transit VPC with CSRs in AZ1 and AZ2, spoke VPCs A and B, and an Azure VNet, all joined by DMVPN]
Lab modules:
• M1 (40 min.)
• M2 (30 min.)
• M3 (50 min.)
• M4 (40 min.)
• Guest Shell (*optional)
Lab Topology
[Diagram: PodX Transit VPC 100.64.127.224/27 with CSR1 and CSR2; PodX-Spoke-A VPC 40.0.0.0/16 with the SpokeA CSR; PodX-Spoke-B VPC 50.0.0.0/16 with the SpokeB CSR; Azure VNET 30.0.0.0/16 with CSR3 at 30.0.1.4; all joined by DMVPN]
Before you begin
• Make sure you have the one-pager with additional lab information
• Make sure that you are using your assigned AWS region!
• All resources you create should be named in a consistent way, for example P21V1 for pod21
Reload CSR
• Be careful about reloading a CSR in the lab. Make sure to save the configuration first by typing “wr” or “copy running-config startup-config”, then reload.
• You need to reconfigure the CSR with “bgp router-id interface GigabitEthernet1” after the reload.
• This is because the configuration loss on reload can cause a BGP router-id conflict between the Transit CSR and the Spoke CSR.
• It will be fixed in a later version.
If you reload a Transit CSR, configure:
router bgp 64512
 bgp router-id interface GigabitEthernet1
If you reload a Spoke CSR, configure:
router bgp 7224
 bgp router-id interface GigabitEthernet1
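A quick way to verify that a CSR still carries the router-id statement after a reload is to parse its saved configuration rather than eyeball it. The parser below is an added example, not code from the deck or the lab; it reads an IOS-XE running-config dump, locates the router bgp section and returns the exact lines the slide tells you to re-apply when the statement is missing. The configuration texts are constructed samples (the ASNs 64512 and 7224 and the interface name come from the deck; addresses and neighbors are made up).

```python
"""Check a saved CSR configuration for the BGP router-id statement.

Added example, not from the Cisco Live deck. After a reload the slide says
"bgp router-id interface GigabitEthernet1" must be re-applied under router
bgp (AS 64512 on the Transit CSR, AS 7224 on a Spoke CSR). This parser reads
an IOS-XE config dump and returns the lines to apply when the statement is
missing. Both sample configs are constructed, not the lab's real config.
"""
import re

ROUTER_ID_LINE = "bgp router-id interface GigabitEthernet1"

# Constructed sample: a Transit CSR config that lost the router-id after reload
CONFIG_MISSING = """\
hostname transit-csr1
!
interface GigabitEthernet1
 ip address 100.64.127.230 255.255.255.224
!
router bgp 64512
 bgp log-neighbor-changes
 neighbor 169.254.100.2 remote-as 7224
!
ip route 0.0.0.0 0.0.0.0 100.64.127.225
"""

# Same config with the statement present
CONFIG_OK = CONFIG_MISSING.replace(
    " bgp log-neighbor-changes",
    f" {ROUTER_ID_LINE}\n bgp log-neighbor-changes",
)


def bgp_block(config):
    """Return (asn, [stripped sub-lines]) of the router bgp section, or (None, [])."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"router bgp (\d+)$", line.strip())
        if not m:
            continue
        body = []
        for sub in lines[i + 1:]:
            # IOS sections end at the first line that is not indented ("!" or next section)
            if not sub.startswith(" "):
                break
            body.append(sub.strip())
        return int(m.group(1)), body
    return None, []


def has_router_id(config):
    """True if the router bgp section already carries the router-id statement."""
    return ROUTER_ID_LINE in bgp_block(config)[1]


def fix_lines(config):
    """Return the config lines to apply on the CSR, or [] when nothing is needed.

    The ASN is taken from the device's own config, so the same function
    yields "router bgp 64512" on a Transit CSR and "router bgp 7224" on a spoke.
    """
    asn, body = bgp_block(config)
    if asn is None or ROUTER_ID_LINE in body:
        return []
    return [f"router bgp {asn}", f" {ROUTER_ID_LINE}"]


if __name__ == "__main__":
    for label, cfg in (("missing", CONFIG_MISSING), ("ok", CONFIG_OK)):
        print(label, "->", fix_lines(cfg) or "no change needed")
```

Feed it the output of “show running-config” (for example captured over SSH, or from Guest Shell on the CSR itself) and apply the returned lines only when the list is non-empty.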
Filter resources for a better view
This lab is in a shared environment and 5 attendees share one region, so you are able to see other attendees’ resources.
Please filter resources by name to view your own resources clearly and avoid shutting down other people’s instances.
Note: Please always filter resources.
For example, Pod23 filters AWS with P23V1 and Azure with pod23.
Disable IP Source/Destination Checking in the lab
By default AWS blocks traffic that is not addressed to or from the instance itself.
Toggle the Source/Dest Check option to allow a CSR instance to pass traffic for other subnets (i.e. act as a gateway).
Note: Always review this setting for any new interfaces you add!
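Because the check has to be reviewed on every interface, including ones added later, an audit over the account's network interfaces is more reliable than remembering to toggle it. The script below is an added example, not code from the deck: it walks a describe-network-interfaces style result, applies the pod-name filter the previous slide recommends, and reports each ENI of the pod that still has SourceDestCheck enabled together with the boto3 call that would clear it. The response is a constructed sample whose field layout follows the real AWS API; the pod names, ENI and instance IDs are made up.

```python
"""Audit EC2 network interfaces whose Source/Dest Check is still enabled.

Added example, not from the Cisco Live deck. It reads a response shaped like
`aws ec2 describe-network-interfaces` (field names follow the real API), keeps
only ENIs whose Name tag starts with the pod prefix (P23V1 in the deck's
example) and returns those that still have SourceDestCheck enabled, plus the
boto3 modify_network_interface_attribute arguments that would disable it.
SAMPLE is constructed; the IDs and names are not real resources.
"""

SAMPLE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa0001", "SourceDestCheck": True,
         "PrivateIpAddress": "100.64.127.230",
         "TagSet": [{"Key": "Name", "Value": "P23V1-CSR1-Gi1"}],
         "Attachment": {"InstanceId": "i-0csr10001"}},
        {"NetworkInterfaceId": "eni-0bbb0002", "SourceDestCheck": False,   # already fixed
         "PrivateIpAddress": "100.64.127.231",
         "TagSet": [{"Key": "Name", "Value": "P23V1-CSR2-Gi1"}],
         "Attachment": {"InstanceId": "i-0csr20002"}},
        {"NetworkInterfaceId": "eni-0ccc0003", "SourceDestCheck": True,    # another pod
         "PrivateIpAddress": "100.64.127.240",
         "TagSet": [{"Key": "Name", "Value": "P24V1-CSR1-Gi1"}],
         "Attachment": {"InstanceId": "i-0other003"}},
        {"NetworkInterfaceId": "eni-0ddd0004", "SourceDestCheck": True,    # untagged ENI
         "PrivateIpAddress": "100.64.127.241",
         "TagSet": [],
         "Attachment": {}},
    ]
}


def name_tag(eni):
    """Return the Name tag of an ENI, or '' when it has none."""
    return next((t["Value"] for t in eni.get("TagSet", []) if t.get("Key") == "Name"), "")


def enis_needing_fix(response, pod_prefix):
    """Return sorted ENI IDs in the pod that still have SourceDestCheck enabled.

    A missing SourceDestCheck key is treated as enabled (the AWS default), so
    an incomplete record is flagged rather than silently passed.
    """
    return sorted(
        eni["NetworkInterfaceId"]
        for eni in response.get("NetworkInterfaces", [])
        if name_tag(eni).startswith(pod_prefix) and eni.get("SourceDestCheck", True)
    )


def fix_calls(response, pod_prefix):
    """Keyword arguments for ec2.modify_network_interface_attribute(), one per ENI."""
    return [
        {"NetworkInterfaceId": eni, "SourceDestCheck": {"Value": False}}
        for eni in enis_needing_fix(response, pod_prefix)
    ]


def apply_fixes(ec2_client, response, pod_prefix):
    """Disable the check on each flagged ENI using a boto3 EC2 client; returns the ENI IDs."""
    calls = fix_calls(response, pod_prefix)
    for kwargs in calls:
        ec2_client.modify_network_interface_attribute(**kwargs)
    return [c["NetworkInterfaceId"] for c in calls]


if __name__ == "__main__":
    # Offline run over the constructed sample; in practice pass
    # boto3.client("ec2").describe_network_interfaces() as `response`.
    print("ENIs to fix for P23V1:", enis_needing_fix(SAMPLE, "P23V1"))
    print("calls:", fix_calls(SAMPLE, "P23V1"))
```

Run the audit again after every module that adds an interface to a CSR; the filter keeps the blast radius to your own pod in the shared region.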
Adjust Azure Public IP address idle time
An Azure SSH session will time out after 4 minutes of inactivity by default. Change the idle timeout to 30 minutes for easier usage.
Additional Resources
• Subscribe to our YouTube Channel! Over 20 technical videos! http://cs.co/csr1000v
• CSR 1000V Configuration Guide for AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.html
• CSR 1000V Configuration Guide for Azure: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html
• Cisco CSR1000V Transit VPC Deep Dive and Best Practice: https://www.youtube.com/watch?v=MPQLKyhN-rU&t=11s
• Deploy CSR1000v High Availability on Microsoft Azure: https://www.youtube.com/watch?v=JEr2ZhZ2WZs
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Visit the CSR1000V Multi-Cloud booth located in WoS (World of Solutions)
• Related sessions
  • Network Function Virtualization Seminar [TECSPG-2300] (Monday, Jan 29, 02:30 p.m. - 06:45 p.m.)
  • Cisco vBNG solution based on CSR1000V and XRv 9000 [BRKSPG-2063] (Thursday, Feb 01, 09:00 a.m. - 11:00 a.m.)
• Meet the Engineer 1:1 meetings