The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network
services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based
on Cisco IOS-XE Software. CSR 1000V provides the familiar user interface of Cisco IOS XE
Software, and enables you to take advantage of your existing network management tools and
processes.
Branch-Office, Campus, and Data Center VPN Aggregation: Without the CSR 1000V,
branch offices, campus sites, and remote workers have to connect through the
enterprise's data center in order to reach enterprise apps in the AWS cloud. With the
CSR in the enterprise's VPC in the AWS cloud, branch offices, campus sites, and remote
workers can connect directly to enterprise apps in the AWS cloud over the public
Internet. This reduces latency, eliminates expensive private WAN links, and
enables route-based VPN topologies. You can choose from a wide variety of VPN
technologies supported on the CSR 1000V, including point-to-point IP Security (IPsec),
FlexVPN, Dynamic Multipoint VPN (DMVPN), and EasyVPN. Familiar Cisco IOS XE
VPN configuration allows IT staff to quickly integrate an Amazon AWS VPC into
existing enterprise VPN topologies.
Secure Inter-VPC Connectivity: Larger AWS customers have multiple VPCs in the
AWS cloud, and they would like to make these VPCs an integral part of their on-prem
enterprise network. By deploying a Cisco CSR 1000V instance in a VPC in each region
and interconnecting through VPN, larger AWS customers can create and secure a global
network topology that converges their on-prem network with their multiple VPCs in
AWS.
Lab Description
The purpose of this lab is to experiment with certain elements of the CSR 1000V through
step-by-step exercises, although you are free to use the lab as you wish. It is ideal for
self-paced training for Amazon customers. In the next sections, we are going to configure an
IPsec VPN between a CSR 1000V in an AWS VPC and another VPC or a private data center.
If this is the first time you are configuring a CSR 1000V, it is recommended that you watch the
CSR 1000V AWS installation video (link) before you attempt these labs.
Figure 1
Click on the Try it Now button to start, and on the next screen, click the Launch button. Then
follow the lab wizard. It takes about three minutes to set up the lab, including the AWS VPC
configuration and CSR 1000V router bring-up.
The next screen will display the IP addresses of your VPC and CSR 1000V. Keep the IP addresses
saved; you will need them to perform the labs described in the following sections. A copy of the
IP addresses and the key pair is sent to your email address. Note: you need to wait about two
minutes before you can ping or SSH to the routers; they will usually still be booting even after the
IP addresses have been assigned by the Amazon AWS VPC.
Amazon Internet gateway. We pre-configured the Amazon gateway to map the Amazon Elastic IP
address to the CSR 1000V Gigabit2 interface.
Figure 2
Table1: IP address assignment
VPC-1
Hostname
IP address
CSR1-int1
10.1.1.10/24
10.1.2.10/24
10.1.1.11/24
Password: cisco123
VPC-2
CSR2-int1
CSR2-int2
Linux server 2
10.2.3.10/24
Password: cisco123
Step 2 Open your SSH client (for example, PuTTY on Windows or Terminal on
Macintosh) to access the CSR 1000V console. Type:
ssh -i <keypair filename path> ec2-user@<CSR1 public IP address>
Username: ec2-user
CSR1 public IP address: a copy of the IP address is sent to your email.
Note: If you are using Mac or Linux, you may need to restrict the key pair file
permissions by typing chmod 600 CSRRouterKey.pem; ssh refuses a private key that is
readable by other users.
Step 3 Change the hostname to CSR1 by typing configure terminal, then hostname
CSR1, then end.
Step 4 Check the IP address of interface Gi1. It should be 10.1.2.10 (based on Figure
2 or Table 1). Type show ip interface brief and show run interface gi1.
Step 5 Configure the IP address of interface Gi2. It should be 10.1.1.10 (based on
Figure 2 or Table 1). Type the following commands, one per line:
configure terminal
interface gi2
ip address 10.1.1.10 255.255.255.0
no shut
end
Once you finish the configuration, type show ip interface brief and show run interface gi2
to verify that your configuration was applied.
Step 6 Verify that the CSR's routing table is configured correctly by typing show ip
route.
The CSR is configured correctly if the default route points to 10.1.2.1, which is the Amazon
default gateway for the subnet.
Step 7 Now ping the Linux server that is sitting on the same subnet (10.1.1.11)
Step 8 Repeat the same steps for the second router (CSR-Router-2)
Note: you will lose SSH connectivity to the CSR routers while they are reloading.
Give it a couple of minutes (usually 3-4 minutes) and SSH to the routers again. They should be up.
If your SSH connection times out, the router is still rebooting. Just reconnect again.
The peer's pre-shared key is set to ciscoaws and the peer address is the CSR2 public IP
address (the CSR2 public IP address is shown in Figure 2, and a copy of the IP
address is also sent to your email). Every time R1 tries to establish a VPN tunnel with CSR2
(public IP), this pre-shared key will be used.
We've named our crypto map cmap. The ipsec-isakmp tag tells the router that this
crypto map is an IPsec crypto map whose keys are negotiated by ISAKMP. Although there is
only one peer declared in this crypto map (the CSR2 public IP address), it is possible to
have multiple peers within a given crypto map.
As soon as we apply the crypto map to the interface, you should receive a message from the
CSR 1000V router that confirms ISAKMP is on: ISAKMP is ON. Note that you can
assign only one crypto map to an interface.
At this point, we have completed the IPSec VPN configuration on the Site 1 router.
Step 18 We now move to the CSR2 router to complete the VPN configuration. The
settings for CSR2 are identical, with the only difference being the peer IP addresses and
access lists:
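As an added illustration (not the lab's own configuration listing), the CSR2 side of the crypto-map VPN described above, using the cmap name and the ciscoaws pre-shared key from the text. Assumptions: the ISAKMP policy and transform-set ciphers, the ACL name VPN-TRAFFIC, the VPC-2 LAN 10.2.3.0/24 (taken from Linux server 2's address in Table 1), the placeholder CSR1_PUBLIC_IP, and GigabitEthernet1 as the Internet-facing interface (the one holding the default route in Step 6). CSR1's configuration is the mirror image: peer CSR2_PUBLIC_IP and the ACL's source and destination swapped.

```cisco
! ===== CSR2 (VPC-2) =====
! Phase 1 (IKEv1/ISAKMP): how the two routers authenticate and agree on keys.
! Cipher choices below are assumptions, not taken from the lab text.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key "ciscoaws" (from the lab), bound to CSR1's public IP only.
! Binding to one address (not 0.0.0.0) keeps the key from being usable by any peer.
crypto isakmp key ciscoaws address CSR1_PUBLIC_IP
!
! Phase 2 (IPsec): how the data packets themselves are encrypted and authenticated.
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting" traffic: VPC-2 LAN to VPC-1 LAN. Only packets matching this ACL
! trigger the tunnel and are encrypted; CSR1's ACL must be the exact mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto map "cmap": ipsec-isakmp means the SA keys come from IKE, not static keys.
crypto map cmap 10 ipsec-isakmp
 set peer CSR1_PUBLIC_IP
 set transform-set TSET
 match address VPN-TRAFFIC
!
! Apply the map to the outside interface (one crypto map per interface).
! The router reports "ISAKMP is ON" once this line is entered. Because AWS NATs
! the Elastic IP to this interface's private address, IKE negotiates NAT-T
! automatically; no extra configuration is needed for that in this lab.
interface GigabitEthernet1
 crypto map cmap
```

Traffic only flows once packets matching VPN-TRAFFIC reach GigabitEthernet1, which the default route from Step 6 already ensures.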
At this point, we've completed our configuration and the VPN tunnel is ready to be
brought up. Note: The encrypted tunnel is formed when the first packet that
matches the ACL is sent. To initiate the VPN tunnel, we will force one packet to traverse the
VPN, which can be achieved by pinging from one router to the other:
The first ping or two time out, but the rest receive a reply, as expected.
The time required to bring up the VPN tunnel is sometimes slightly more than 2 seconds,
causing the first two pings to time out.
To verify the VPN Tunnel, use the show crypto session command:
Step 21 As the final step, you can ping from Linux server 2 to Linux server 1. Your traffic will go
through the VPN tunnel created between CSR2 and CSR1.
Resources
For more information on CSR1000V, please check the following links: