
Cisco CSR1000V Overview

The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network
services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based
on Cisco IOS-XE Software. CSR 1000V provides the familiar user interface of Cisco IOS XE
Software, and enables you to take advantage of your existing network management tools and
processes.

Cisco CSR 1000V Use Cases in Amazon AWS


Today, enterprises have two networks that are managed separately. They have applications in the enterprise's data center, which sit in the enterprise's on-prem network, and they have applications in the AWS cloud, which sit in the enterprise's AWS cloud network. Enterprises would like to converge their on-prem network with their AWS cloud network and manage the entire network with a single network management tool. To converge the on-prem and AWS cloud networks, enterprises need a virtual router in their AWS cloud.

Many AWS customers have a Cisco router on their premises. They know Cisco management tools. They understand Cisco. Hence, most AWS customers prefer a Cisco virtual router to converge their on-prem network with their AWS cloud network. Cisco's Cloud Services Router (CSR1000V) is Cisco's first virtual IOS-XE router.

With CSR1000V in their AWS cloud, customers can converge their on-prem network with their AWS cloud network. Below are some of the CSR1000V use cases for on-prem-to-cloud network convergence that are included in this test drive. More use cases will follow in subsequent test drives:

Branch-Office, Campus, and Data Center VPN Aggregation: Without the CSR1000V, branch offices, campus sites, and remote workers have to connect through the enterprise's data center in order to reach the enterprise's apps in the AWS cloud. With the CSR in the enterprise's VPC in the AWS cloud, branch offices, campus sites, and remote workers can connect directly to the enterprise's apps in the AWS cloud over the public Internet. This reduces latency, eliminates expensive private WAN links, and enables route-based VPN topologies. You can choose from a wide variety of VPN technologies supported on the CSR 1000V, including point-to-point IP Security (IPsec), FlexVPN, Dynamic Multipoint VPN (DMVPN), and EasyVPN. Familiar Cisco IOS XE VPN configuration allows IT staff to quickly integrate an Amazon AWS VPC into existing enterprise VPN topologies.

Secure Inter-VPC Connectivity: Larger AWS customers have multiple VPCs in the AWS cloud, and they would like to make these VPCs an integral part of their on-prem enterprise network. By deploying a Cisco CSR 1000V instance in a VPC in each region and interconnecting them through VPN, larger AWS customers can create and secure a global network topology that converges their on-prem network with their multiple VPCs in AWS.

Branch-Office to AWS and Inter-Application Security: The Cisco CSR 1000V includes advanced Cisco IOS XE Software security, including access control lists (ACLs) and the stateful Zone-Based Firewall (ZBFW). It extends enterprise security policies into the Amazon cloud using a familiar platform and configuration syntax. These features may be used to apply security between virtual networks within Amazon AWS, or between Amazon AWS and external locations.

Application Performance Monitoring and Control: Application Visibility and Control (AVC) is a Cisco IOS XE feature that allows the CSR 1000V to identify and classify thousands of different applications, reporting key performance metrics for each. Once traffic is classified, quality-of-service (QoS) policies can be used to prioritize or block specific applications. AVC data collected from Amazon AWS and external locations can be used to pinpoint application performance degradation.

Lab Description
The purpose of this lab is to experiment with certain elements of the CSR 1000V through step-by-step exercises, although you are free to use the lab as you wish. It is ideal for self-paced training for Amazon customers. In the next sections, we are going to configure an IPsec VPN between a CSR1000V in an AWS VPC and another VPC or a private data center.
If this is the first time you configure a CSR1000V, it is recommended that you watch the CSR1000V AWS installation video (link) before you attempt these labs.

Lab Login Information


To start the lab, go to https://csrtestdrive.com/. After you register and sign in, you should see a screen similar to the figure below (Figure 1).

Figure 1

Click on the "Try it Now" button to start, and on the next screen, click the launch button. Then follow the lab wizard. It takes about three minutes to set up the lab, including the AWS VPC configuration and the CSR1000V router bring-up.
The next screen will display the IP addresses of your VPCs and CSR1000V routers. Keep the IP addresses saved; you will need them to perform the labs described in the following sections. A copy of the IP addresses and the key pair is sent to your email address. Note: you need to wait about two minutes before you can ping or SSH to the routers; the routers will usually still be booting even after the IP addresses have been assigned by the Amazon AWS VPC.

Lab Topology and IP addressing


In this lab, you are going to configure an IPsec site-to-site VPN between two AWS VPCs using CSR1000V. You may use the same configuration to connect a CSR1000V (in an AWS VPC) to a Cisco IOS router, a Cisco ASA, or another brand of router/firewall you have in your private data center.
The figure below describes the lab topology that you are going to use. Two VPCs are created for you. Each VPC has one CSR1000V and one Linux server. The Linux server has one interface with a private IP address (see Figure 2 for the IP address assignment). The CSR1000V will act as the default gateway for the Linux machine. The CSR1000V has two interfaces: interface Gigabit1 is connected to the Linux machine on the same subnet, and interface Gigabit2 is connected to the Amazon Internet gateway. We pre-configured the Amazon gateway to map the Amazon elastic IP address to the CSR1000V Gigabit2 interface.

Figure 2
Table 1: IP address assignment

VPC-1

Hostname         IP address      Notes
CSR1-int1        10.1.1.10/24    This IP address is assigned to interface GigabitEthernet 1 and it is mapped to Amazon elastic (public) IP addr 54.X.X.X.
CSR1-int2        10.1.2.10/24    You are going to assign this IP address to interface GigabitEthernet 2. This IP address will be the default gateway for Linux server 1.
Linux server 1   10.1.1.11/24    Login credentials: username cisco, password cisco123

VPC-2

Hostname         IP address                    Notes
CSR2-int1        10.2.3.10/24                  This IP address is assigned to interface GigabitEthernet 1 and it is mapped to Amazon elastic (public) IP addr 54.X.X.X.
CSR2-int2        10.2.4.10/24 (Public Subnet)  You are going to assign this IP address to interface GigabitEthernet 2. This IP address will be the default gateway for Linux server 2.
Linux server 2   10.2.3.11/24                  Login credentials: username cisco, password cisco123

Lab Details: Configure IPSec site-to-site VPN


Here is a summary of how to configure IPsec and perform this lab:
1. Log in to the CSR1000V router
a. Configure it with the IP addresses mentioned above
2. Activate the demo license
a. To enable all the features and all the CLI commands required
3. Configure ISAKMP (ISAKMP Phase 1) on the CSR routers (CSRRouter1 and CSRRouter2)
o ISAKMP security settings with AES encryption
o Pre-shared key for authentication
4. Configure IPsec (ISAKMP Phase 2, ACLs, crypto map) on the CSR routers (CSRRouter1 and CSRRouter2)
o Create an access list (ACL) to define what traffic is and is not encrypted between the two routers
o Create an IPsec transform set to define the IPsec encryption settings
o Create a crypto map to bring the policy, key, transform set, and access list together
o Apply the crypto map to the public interface
5. Log in to the Linux servers (linux1 and linux2) and verify connectivity with ping
Let's cover the steps in detail:

1) Login to CSR1000v Router (CSR1)


Step 1 Download the key pair to use for authentication when you SSH to your CSR1000V instance. If you are a Mac or Linux user, you need to change the file mode to 600. The key pair is located at https://s3-us-west2.amazonaws.com/csrkey/CSRRouterKey.pem

Step 2 Open your SSH client (for example, PuTTY on Windows or Terminal on Macintosh) to access the CSR 1000V console. Type: ssh -i <keypair filename path> ec2-user@<CSR1 public IP address>
Username: ec2-user
CSR1 public IP address: a copy of the IP address is sent to your email.
Note: If you are using Mac or Linux, you may need to change the key pair file permissions by typing chmod 600 CSRRouterKey.pem

Step 3 Change Host name to CSR1 by typing configure terminal then hostname
CSR1 then end.

Step 4 Check the IP address of interface Gi1. It should be 10.1.2.10 (based on Figure 2 or Table 1). Type show ip interface brief and show run interface gi1.

Step 5 Configure the IP address of interface Gi2. It should be 10.1.1.10 (based on Figure 2 or Table 1). Type configure terminal, interface gi2, ip address 10.1.1.10 255.255.255.0, no shut, end. Once you finish the configuration, type show ip interface brief and show run interface gi2 to verify that your configuration was applied.

Step 6 Verify that the CSR has its routing table configured correctly by typing show ip route.
The CSR is configured correctly if the default route points to 10.1.2.1, which is the Amazon default gateway for the subnet.

Step 7 Now ping the Linux server that is sitting on the same subnet (10.1.1.11)

Step 8 Repeat the same steps for the second router (CSR-Router-2)

2) Activate the demo license to enable all CSR features


Step 9 When you first install the Cisco CSR 1000V, it will have all the interface ports up and active. However, you will have limited features and limited throughput (2.5 Mbps). You need to install a license to enable the features you want to configure (such as VPN). If you plan to use the CSR just for evaluation or lab use, you can use the demo license that comes built in to the router. The demo license is valid for 60 days, and it makes all the features available to you with 50 Mbps throughput.
In this step, you are going to enable the evaluation license with the Premium feature package. Go to CSR1, type configure terminal, then license boot level premium, accept the EULA agreement, save the configuration, and then reload the router for the evaluation license to take effect.

Step 10 Repeat the previous step for CSR2

Note: you will lose SSH connectivity to the CSR routers, since the routers are reloading. Give it a couple of minutes (usually 3-4 minutes) and SSH to the routers again. They should be up. If your SSH connection times out, the router is still rebooting. Just reconnect again.

3) Configure ISAKMP (IKE) - (ISAKMP Phase 1)


Step 11 Let's go to CSR1 and turn on terminal monitoring for the current SSH session. By default, Cisco IOS does not send log messages to a terminal session over IP, that is, telnet or SSH connections don't get log messages.

Step 12 Let's go to CSR1 and configure an ISAKMP Phase 1 policy. IKE must negotiate an SA (an ISAKMP SA) relationship with the peer.

The above commands define the following (in listed order):

AES - The encryption method to be used for Phase 1.
MD5 - The hashing algorithm.
Pre-share - Use a pre-shared key as the authentication method.
Group 2 - The Diffie-Hellman group to be used.
86400 - Session key lifetime. Expressed in either kilobytes (after x amount of traffic, change the key) or seconds. The value set is the default value.
Step 13 Configure the pre-shared key
Next you are going to define a pre-shared key for authentication with our peer (the CSR2 router) by using the following command:

The peer's pre-shared key is set to ciscoaws and the peer address is the CSR2 public IP address (the CSR2 public IP address is shown in Figure 2, and a copy of the IP address is sent to your email). Every time CSR1 tries to establish a VPN tunnel with CSR2 (public IP), this pre-shared key will be used.

4) Configure IPsec - (ISAKMP Phase 2, ACL, Crypto-map)


Step 14 Create the ACL
The next step is to create an access list that defines the traffic we would like the router to pass through the VPN tunnel. In this example, it is traffic from one network to the other, 10.1.1.0/24 to 10.2.3.0/24 (Linux server 1 network to Linux server 2 network). Access lists that define VPN traffic are sometimes called crypto access lists or interesting traffic access lists.

Step 15 Create the IPsec transform set (ISAKMP Phase 2 policy)

The next step is to create the transform set used to protect our data. We've named this TS:

The above command defines the following:

- ESP-AES - Encryption method
- MD5 - Hashing algorithm

Step 16 Create the crypto map
The crypto map is the last step of our setup and connects the previously defined ISAKMP and IPsec configuration together:

We've named our crypto map cmap. The ipsec-isakmp tag tells the router that this crypto map is an IPsec crypto map. Although there is only one peer declared in this crypto map (the CSR2 public IP address), it is possible to have multiple peers within a given crypto map.

Step 17 Apply the crypto map to the public interface

The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is GigabitEthernet1.

As soon as we apply the crypto map to the interface, you should receive a message from the CSR1000V router confirming that ISAKMP is on: ISAKMP is ON. Note that you can assign only one crypto map to an interface.
At this point, we have completed the IPsec VPN configuration on the Site 1 router.

Step 18 We now move to the CSR2 router to complete the VPN configuration. The settings for CSR2 are identical, with the only differences being the peer IP addresses and the access lists:
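As an added example (this is not the lab's own configuration, which the original shows in figures), here is the complete IOS XE configuration that Steps 5 and 9 and Steps 12 through 18 describe, for both routers, using the lab's parameters: AES, MD5, pre-shared key ciscoaws, DH group 2, lifetime 86400, transform set TS, crypto map cmap, and the crypto map applied to GigabitEthernet1. <CSR1_PUBLIC_IP> and <CSR2_PUBLIC_IP> are placeholders for the Elastic IPs from your lab e-mail. The ACL name VPN-TRAFFIC, the policy and crypto map sequence numbers (10), and the CSR2 inside address 10.2.3.10 on GigabitEthernet2 are assumptions made for this example. MD5 and DH group 2 are kept only because that is what the lab specifies; for a production tunnel you would pick SHA-256 and DH group 14 or higher.

```ios
! ================= CSR1 (VPC-1) =================
! Added example configuration, not the lab's own.
hostname CSR1
!
! Step 9: evaluation license (reload afterwards for it to take effect)
license boot level premium
!
! Step 5: inside interface towards Linux server 1 (10.1.1.11)
interface GigabitEthernet2
 ip address 10.1.1.10 255.255.255.0
 no shutdown
!
! Step 12: ISAKMP Phase 1 policy (sequence number 10 is an assumption)
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Step 13: pre-shared key bound to the CSR2 public address (placeholder)
crypto isakmp key ciscoaws address <CSR2_PUBLIC_IP>
!
! Step 14: interesting traffic, Linux server 1 subnet -> Linux server 2 subnet
! (ACL name VPN-TRAFFIC is an assumption)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.3.0 0.0.0.255
!
! Step 15: IPsec transform set TS (ESP-AES encryption, MD5 HMAC integrity)
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
! Step 16: crypto map cmap ties peer, transform set and ACL together
crypto map cmap 10 ipsec-isakmp
 set peer <CSR2_PUBLIC_IP>
 set transform-set TS
 match address VPN-TRAFFIC
!
! Step 17: apply to the outgoing (public) interface; one crypto map per interface
interface GigabitEthernet1
 crypto map cmap
!
! ================= CSR2 (VPC-2) =================
! Step 18: identical settings, only peer address and ACL direction differ.
hostname CSR2
!
license boot level premium
!
! Inside interface towards Linux server 2 (10.2.3.11); address is an assumption
interface GigabitEthernet2
 ip address 10.2.3.10 255.255.255.0
 no shutdown
!
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key ciscoaws address <CSR1_PUBLIC_IP>
!
! Mirror image of the CSR1 ACL: Linux server 2 subnet -> Linux server 1 subnet
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto map cmap 10 ipsec-isakmp
 set peer <CSR1_PUBLIC_IP>
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet1
 crypto map cmap
!
! ================= Verification (exec mode, Step 19) =================
! Sourcing the ping from the inside address makes it match the crypto ACL and
! triggers IKE; the first one or two echoes may time out while the SA is built.
!   CSR1# ping 10.2.3.11 source 10.1.1.10
!   CSR1# show crypto session
!   CSR1# show crypto isakmp sa
!   CSR1# show crypto ipsec sa
```

The ACL on each side must be the exact mirror of the other side's ACL, otherwise Phase 2 negotiation fails with a proxy identity mismatch; that is the most common reason a tunnel shows in show crypto session as down even though the Phase 1 parameters agree.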

Step 19 Verify that the VPN tunnel is up

At this point, we've completed our configuration and the VPN tunnel is ready to be brought up. Note: the encrypted tunnel is formed when the first packet is sent that matches the ACL. To initiate the VPN tunnel, we will force one packet to traverse the VPN, which can be achieved by pinging from one router to the other:

The first ping or two time out, but the rest receive a reply, as expected. The time required to bring up the VPN tunnel is sometimes slightly more than 2 seconds, causing the first two pings to time out.
To verify the VPN tunnel, use the show crypto session command:

5) Login to the Linux Servers


Step 20 From CSR2, log in to Linux server 2 by typing ssh -l cisco 10.2.3.11. The password is cisco123.

Step 21 As the final step, you can ping from linux 2 to linux 1. Your traffic will go
through the VPN tunnel created on CSR2 and CSR1.

Congratulations, now you have completed the lab.

Resources
For more information on CSR1000V, please check the following links:
1) Product introduction video
2) CSR 1000V AWS Installation Video
3) CSR 1000V Documentation
4) CSR 1000V Home Page
5) CSR 1000V AWS deployment Guide
6) CSR 1000V Technical whitepaper for AWS Use Cases
7) CSR AWS BYOL page
8) CSR AWS Hourly page
9) CSR Free Community Support Portal
10) CSR Customer testimonial
