
Deploying the Cisco Cloud Services Router 1000V Series in Amazon Web Services

Design and Implementation Guide

Chapter 2

Cisco CSR in AWS Deployment

AWS virtual private clouds (VPCs) are logically isolated networks with their own IP range, routes, security groups, and network access control lists (ACLs). IP ranges can overlap between VPCs, but NAT is required for the instances within a VPC to either access or be accessed by resources outside the VPC. The Internet gateway routes traffic outside of and between VPCs; the subnet router routes traffic within the VPC. The subnet router can route between any two subnets via the “local” route (Figure 2-1).

Figure 2-1 AWS VPC Overview

For design purposes, the Cisco CSR is thought of as sitting between the subnet router and the instance (Figure 2-2). However, because of the network mechanics of an AWS VPC, the CSR actually sits parallel to the instances, as shown in Figure 2-3. For this reason, for traffic to flow through the CSR, either a subnet route pointing to the CSR must be added or the default gateway of each instance must be changed to the CSR.

Figure 2-2 Logical Placement of CSR in VPC


Figure 2-3 Actual Placement of CSR in VPC

You can deploy the CSR in either a single- or dual-subnet configuration. The dual-subnet configuration (Figure 2-4) is recommended because it most closely resembles traditional router deployments and allows full functionality of all features supported in AWS. In some circumstances, however, a single-subnet deployment (Figure 2-5) can be simpler to integrate into existing networks.

Figure 2-4 Dual Subnet Deployment

Figure 2-5 Single Subnet Deployment

Deploying CSR in Conjunction with Direct Connect

Amazon Web Services (AWS) Direct Connect offers an easy way to provision physical circuits between enterprise locations and one or more AWS regions. Once an AWS Direct Connect circuit has been provisioned, the enterprise can use up to 10 Gbps of private bandwidth between its enterprise and AWS Cloud locations without incurring large monthly data transfer fees. Technically, AWS Direct Connect maps an 802.1q VLAN tag from a physical location to a Virtual Interface connected to a VPC in AWS. Multiple VLAN tags may be defined at the physical location, with each VLAN mapping to, and terminating in, a different VPC in AWS. The BGP routing protocol is used by AWS Direct Connect to advertise AWS routes to the physical location, and by the physical location to advertise enterprise routing prefixes into the AWS VPC.


One limitation of AWS Direct Connect is that the circuit itself is unencrypted. The security of AWS Direct Connect is similar to that of any other private circuit provisioned by a WAN service provider. In many cases the assumed isolation of a private circuit is an adequate level of protection for the needs of a given enterprise. For other enterprises, business policy or regulatory compliance may require encryption of WAN traffic despite the network isolation promised by a private circuit. After all, without encrypting your WAN links it is entirely possible for a security breach at the service provider to expose your network traffic through no fault of your own.

Figure 2-6 Securing AWS Direct Connect Using the Cisco CSR 1000V

The Cisco Cloud Services Router 1000V (CSR 1000V) sets the standard for enterprise network services and security in the Amazon Web Services (AWS) cloud. The Cisco CSR 1000V is based on Cisco IOS® XE Software, which powers cutting-edge routers including the Cisco ASR 1000 Series Aggregation Services Routers (ASR 1000) and Cisco 4400 Series Integrated Services Routers (ISRs), and represents decades of Cisco IOS Software development accelerated by innovation and customer demand.

One of the most important functions offered by IOS XE running on the CSR 1000V is the highly flexible Virtual Private Network (VPN) system. Cisco pioneered many of the commonly used VPN architectures and technologies in use throughout the world today, allowing the CSR 1000V to be a natural extension to VPN deployments of any type and architecture. In the case of an AWS Direct Connect deployment, the CSR 1000V can be used with Dynamic Multipoint VPN (DMVPN) to secure the AWS Direct Connect circuits and VLAN mappings (Figure 2-6).

At each enterprise location a Cisco ISR or ASR series router would be deployed, or may already be in place as the AWS Direct Connect endpoint. In the AWS VPC a Cisco CSR 1000V would be provisioned from the AWS Marketplace, and positioned as the default route for all private subnets within the VPC. A VPN configuration would then be built between the ISR/ASR, and the CSR 1000V to secure all traffic traversing the AWS Direct Connect circuit. Once in place, the CSR 1000V may also be configured to enable any other desired features and services, including NAT, Zone Based Firewall, Application Visibility and Control, and many more features available in IOS XE.

Management Options for AWS Direct Connect Security

The configurations of all routers in this design may be managed directly by the enterprise IT staff in enterprises that prefer a more hands-on approach to IT. Businesses not staffed to manage complex networks, or that simply prefer to outsource their networks, may choose to have Level 3 Communications deploy and manage a secure hybrid-cloud network on their behalf. Cisco, Level 3 Communications, and Amazon Web Services have formed a partnership to offer this functionality and to drive innovation in hybrid-cloud deployments. Contact your Cisco, Level 3 Communications, or AWS account team for more information on managed deployments.

Supported Instance Types

Table 2-1 and Table 2-2 list the AMI instance types supported for the Cisco CSR 1000V, with the specifications as set by AWS. For more information, see the Amazon Web Services documentation for AMI instance specifications.

For more information, refer to: http://www.cisco.com/c/en/us/td/docs/routers/CSR1000/software/aws/CSRaws/awsinstall.html

Table 2-1 AMI Instance Specifications (Bring Your Own License)

| Instance Type | EC2 Compute Units | Virtual Cores | Memory Required | Platform | I/O | Maximum Number of Network Interfaces Supported per Instance (EC2-VPC only) |
|---|---|---|---|---|---|---|
| Standard Medium (m1.medium) | 2 | 1 | 3.75 GB | 32-bit, 64-bit | Moderate | 2 |
| Standard Large (m1.large) | 8 | 2 (with 2 ECUs each) | 7.5 GB | 64-bit | Moderate | 4 |
| Standard XL (m1.xlarge) | 8 | 4 (with 2 ECUs each) | 15 GB | 64-bit | High | 4 |
| M3 Extra Large (m3.xlarge) | 13 | 4 (with 3.25 ECUs each) | 15 GB | 64-bit | High | 4 |

Table 2-2 AMI Instance Specifications (Hourly Billed)

| Instance Type | EC2 Compute Units | Virtual Cores | Memory Required | Platform | I/O | Maximum Number of Network Interfaces Supported per Instance (EC2-VPC only) |
|---|---|---|---|---|---|---|
| M3 Medium (m3.medium) | 3 | 1 (with 3 ECUs each) | 3.75 GB | 64-bit | Moderate | 2 |
| M3 Large (m3.large) | 6.5 | 2 (with 3.25 ECUs each) | 7.5 GB | 64-bit | Moderate | 3 |
| M3 Extra Large (m3.xlarge) | 13 | 4 (with 3.25 ECUs each) | 15 GB | 64-bit | High | 4 |
| C3 Large (c3.large) | 7 | 2 (with 3.5 ECUs each) | 3.75 GB | 64-bit | Moderate | 3 |
| C3 Extra Large (c3.xlarge) | 14 | 4 (with 3.5 ECUs each) | 7.5 GB | 64-bit | Moderate | 4 |


Deploying CSR in AWS

Perform the following procedure to create a virtual private cloud and deploy the CSR into it.

Step 1 Log in to AWS and in the left pane, click VPC.

Step 2 Click Start VPC Wizard, and then select VPC with Single Public Subnet Only.


Step 3 Create the required subnets in the VPC, with the following properties:

• Default Subnet—10.0.0.0/24 (mapped to public IP).

• Additional Subnets—10.0.1.0/24 and 10.0.2.0/24. These are private IP ranges and could be the “inside facing” interfaces for the CSR.

Step 4 Create a security group for the CSR, with the following properties:

• Name—SSH-ACCESS

• TCP port 22 traffic—Permitted inbound

• SSH access to CSR for management—Enabled

You can create additional security groups based on your use-case.


Step 5 Locate the CSR product page.


Step 6 Launch the CSR into a region.


Step 7 Choose instance type.

• Refer to Table 2-1 and Table 2-2 for supported instance types.

• The minimum requirements are m1.medium for 10 Mbps and m1.large for 50 Mbps.

• ECU stands for Elastic Compute Unit, Amazon’s proprietary way of measuring CPU capacity.

• Almost all EC2 instances are hyperthreaded.

Step 8 Launch CSR into the previously created VPC, and use the following properties:

• Automatically assign a public IP to your instances—Enabled

• Shared tenancy—Default

• Dedicated tenancy (dedicated hardware) offers predictable performance for an increased price.


Step 9 Associate with security groups (SSH-ACCESS).

Step 10 Associate a private key with the CSR.

• You can create a new pair if desired.

• Key pair is a private key and a public key.

• You must provide the private key to authenticate and connect to the instance. The public key is stored on AWS.


Step 11 Monitor the instance. The instance typically takes 5-10 minutes to deploy. The status will change to “2/2 checks passed”.

Tip The AWS System Log for the CSR instance will be incomplete; however, this does not imply an unsuccessful boot.

Step 12 Verify the CSR in the VPC. SSH into the CSR instance using this IP. Log in as “ec2-user”; no password is required because authentication uses the private key from Step 10.

ssh -i <key file> ec2-user@<ip address>

Tip If you are using the PuTTY SSH client on Windows, follow the instructions at this location:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html


Step 13 Verify the public interface.

This public IP is a 1:1 NAT to the private IP, performed by the Internet Gateway for the VPC, and is transparent to the user.

Caution Automatic public IP assignment is only available during launch. Rebooting the CSR will disassociate the public IP and the instance will become inaccessible. To ensure the IP is persistent across reboots, associate the CSR instance with an Elastic IP.

Step 14 Configure and manage the CSR.


If you're using a single subnet deployment as shown in Figure 2-5, skip steps 15-17.

Step 15 Attach the network interface.

Step 16 Configure IP address.


Step 17 Disable Source/Dest checking.
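The following Python script is an added example and is not part of the Cisco guide. It checks, offline, the four placement and access requirements this chapter states: the private subnets' default route must point at the CSR (the routing requirement from the chapter overview), the SSH-ACCESS security group from Step 4 should admit only TCP/22 from a management range, the CSR should hold an Elastic IP per the caution in Step 13, and source/destination checking must be disabled per Step 17. The input dictionaries are constructed by hand in the shape of the AWS CLI's `describe-route-tables`, `describe-instances`, `describe-addresses` and `describe-security-groups` output; every resource ID, the 203.0.113.0/24 management range and the 198.51.100.10 address are placeholders.

```python
"""Offline audit of the CSR-in-VPC placement described in this chapter.

Added example, not Cisco's or AWS's code. The dictionaries below are
constructed to mirror the shape of AWS CLI describe-* output; resource IDs,
the management CIDR and the public address are placeholders.
"""

CSR_ENI = "eni-0csr00000000000a"          # constructed placeholder
CSR_INSTANCE = "i-0csr000000000000b"       # constructed placeholder
PRIVATE_SUBNETS = {"subnet-0priv1": "10.0.1.0/24", "subnet-0priv2": "10.0.2.0/24"}
MGMT_CIDR = "203.0.113.0/24"               # constructed management range (TEST-NET-3)

ROUTE_TABLES = [
    {   # route table for the two private subnets: default route -> CSR ENI
        "RouteTableId": "rtb-0priv",
        "Associations": [{"SubnetId": "subnet-0priv1"}, {"SubnetId": "subnet-0priv2"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": CSR_ENI},
        ],
    },
    {   # public subnet: default route -> Internet gateway, as created by the VPC wizard
        "RouteTableId": "rtb-0pub",
        "Associations": [{"SubnetId": "subnet-0pub"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]

INSTANCE = {
    "InstanceId": CSR_INSTANCE,
    "SourceDestCheck": False,
    "NetworkInterfaces": [{"NetworkInterfaceId": CSR_ENI, "SourceDestCheck": False}],
}

ADDRESSES = [{"PublicIp": "198.51.100.10", "InstanceId": CSR_INSTANCE,
              "AllocationId": "eipalloc-0abc"}]  # constructed Elastic IP record

SECURITY_GROUP = {
    "GroupName": "SSH-ACCESS",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": MGMT_CIDR}]}],
}


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("NetworkInterfaceId") or route.get("GatewayId")
                    or route.get("InstanceId"))
    return None


def private_subnets_route_via_csr(route_tables, private_subnets, csr_eni):
    """Return private subnets whose default route does not go to the CSR ENI.

    A subnet with no explicit association is reported too: it would fall back
    to the main route table, which this check does not model.
    """
    failures = []
    covered = set()
    for rt in route_tables:
        subnets = {a["SubnetId"] for a in rt["Associations"]}
        covered |= subnets
        for subnet in subnets & set(private_subnets):
            if default_route_target(rt) != csr_eni:
                failures.append(subnet)
    failures.extend(s for s in private_subnets if s not in covered)
    return sorted(failures)


def source_dest_check_disabled(instance):
    """Step 17: the CSR forwards traffic neither sourced by nor destined to it,
    so the EC2 source/destination check must be off on the instance and its ENIs."""
    return (not instance["SourceDestCheck"]
            and all(not ni["SourceDestCheck"] for ni in instance["NetworkInterfaces"]))


def has_elastic_ip(addresses, instance_id):
    """Step 13 caution: an auto-assigned public IP is not persistent; an EIP is."""
    return any(a.get("InstanceId") == instance_id and "AllocationId" in a for a in addresses)


def ssh_ingress_findings(group, allowed_cidr):
    """Step 4: inbound rules should be TCP/22 only, and only from the management range."""
    findings = []
    for perm in group["IpPermissions"]:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        if proto != "tcp" or (lo, hi) != (22, 22):
            findings.append(f"unexpected inbound rule: {proto} {lo}-{hi}")
        for r in perm.get("IpRanges", []):
            if r["CidrIp"] != allowed_cidr:
                findings.append(f"SSH open to {r['CidrIp']}")
    return findings


def audit(route_tables=ROUTE_TABLES, instance=INSTANCE, addresses=ADDRESSES,
          group=SECURITY_GROUP):
    """Run every check; returns check name -> list of problems (empty list = pass)."""
    return {
        "private_subnets_via_csr": private_subnets_route_via_csr(route_tables, PRIVATE_SUBNETS, CSR_ENI),
        "source_dest_check": [] if source_dest_check_disabled(instance) else ["SourceDestCheck still enabled"],
        "elastic_ip": [] if has_elastic_ip(addresses, instance["InstanceId"]) else ["no Elastic IP associated"],
        "ssh_access_group": ssh_ingress_findings(group, MGMT_CIDR),
    }


if __name__ == "__main__":
    for check, problems in audit().items():
        print(f"{check}: {'OK' if not problems else '; '.join(problems)}")
```

To run the same checks against a real deployment, pass the parsed JSON from the four `aws ec2 describe-*` commands into `audit()` in place of the constructed dictionaries; the per-subnet failure list is the one to act on, since a private subnet that still defaults to the Internet gateway bypasses the CSR entirely, and an SSH rule wider than the management range is the usual drift after Step 4.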
