1

DeploymentGuideforCiscoCSR1000vSeriesonMicrosoftAzureUpdatedDec2nd,2016

TableofContentsOverviewofCiscoCSR1000vDeploymentonMicrosoftAzure 1Introduction 1Whatissupportedandwhatisnotsupported 2

DeployingCisco1000vonMicrosoftAzure 2Prerequisites 2Step1.SigninandCustomizeAzureportalGUI 3Step2.CreatingaResourceGroup 5Step3.CreateStorageAccount 6Step4.CreatingVirtualNetwork 7Step5.CreatepublicIPaddress 8Step6.LaunchingCiscoCSR1000vvirtualmachine 9Step7.AccessingtheCiscoCSR1000vvirtualmachine 13Step8.ApplyLicensetotheCSR1000vvirtualmachine 15

ModifyingsettingsforCSR1000vonAzure 15UpdateRouteTables 15UpdateSecurityGroup 16

ConfigurationExample 17EnableIPsecVPNbetweenCSR1000vonAzureandAWSclouds 17

DifferencesbetweenCSR1000vonAzureandAWS 17BestPracticesandCaveats 18OtherRelatedResources 18

OverviewofCiscoCSR1000vDeploymentonMicrosoftAzure

IntroductionTheCiscoCloudServicesRouter(CSR)1000visafull-featuredCiscoIOSXErouter,enablingITdepartmentstodeployenterprise-classnetworkingservicesintheAzurecloud.AsaCiscoIOSXEbasedproduct,theCSR1000vincludesawiderangeoffeatures.FollowingaresomeexamplesofhowtheCSRisbeingusedtoenableenterprise-classhybridclouds.

• ExtendenterpriseVPNarchitecturesintoyourprivatecloud:TheCSR1000vsupportsIPsec,DMVPN,FlexVPN,EasyVPN,andSSLVPN(,andconfiguration,monitoring,andtroubleshootingareallfamiliarIOScommands.

• Interconnectmultipleregionsandclouds:UsingdynamicroutingprotocolssuchasEIGRP,OSPF,andBGP,constructmulti-tierarchitectureswithinAzure,andinterconnectwithcorporatelocationsorotherclouds.Avoidthelimitsofnativecloudnetworkingtools.

• Secure,inspect,andaudithybridcloudnetworktraffic:ZoneBasedFirewallontheCSR1000Vprovidesanapplication-awarefirewall.IPSLAandApplicationVisibilityandControl

2

(AVC)ontheCSR1000vcanproactivelydiscoverperformanceissues,fingerprintapplicationflows,andexportdetailedflowdataforreal-timeanalysisandnetworkforensics.

WhatissupportedandwhatisnotsupportedInthisrelease,tomakedeploymenteasieronAzure,theCSRoffersabundlewithtemplatesthatcreatesallrelatedresourcestogetherinaguidedway,whichincludesthefollowing:CSR+Virtualnetwork+RoutingTable+SecurityGroup.Thisdeploymentenablesthefollowing:

• CreatesCSRvirtualmachinewith2vCPU,7GRAMandmax2interfaces.• CreatepublicIPaddresstotheinterfaceonfirstsubnet(NIC0).• Createsecuritygroupwithinboundrulesfortheinterfaceonthefirstsubnet(NIC0).• CreateroutetableonAzurehypervisorrouterforeachCSRsubnetsandaddadefaultroute

forsecondsubnettopointtoCSRsecondinterface(NIC1)IPaddress.

ThefollowingshowstheknownlimitationsfordeployingCSR1000vonAzure:• OnlyCSR1000vwith2vnicissupported.• GREtunnelsisnotsupported,AzurewilldropGREpacketssentbyCSR.• Public/privatekeybasedsshfeatureisnotsupported.• OnlyD2profileissupported(2vCPUand7GRAM).• HighavailabilitythroughredundantCSRisnotsupported.

NOTE:ThisreleaseofCSR1000vonAzureonlysupportsBYOL(Bringyourownlicense).UserscancopyalicensetoCSRorenablesmartlicensing.

DeployingCisco1000vonMicrosoftAzure

PrerequisitesBeforedeployingCSR,pleasemakesurethefollowingchecklistisfulfilled:

• CreateanAzureaccount,formoreinformation,pleaserefertoMicrosoftAzureGetStartedGuide.

• RequestaCSRlicensetoenablethroughputabove100Kandenabledesiredtechnologypackage.Formoreinformationaboutlicense,pleaserefertoCSR1000vdatasheet.

• PlanoutthesettingsfortheCSRasshowninthefollowingtable.Notethattheitemswith*aremandatory,andthevaluesinExamplecolumnareusedthroughoutthedocumentation.

3

Table1.CSR1000vSettingsonAzureParameters Description Example*ResourceGroupname ResourceGroupname “DC4”*Subscription Azureuseraccount

subscriptionFreeTrial

*Location AzureDatacenterlocation EastUS*StorageAccountname Storageaccountname “dc4storagegroup”*StorageAccountType Redundancymethod

providedbyAzureStandard-LRS(LocallyRedundant,whichistheonlysupportedtypeinthisrelease)

*Virtualnetwork-name VirtualNetworkname “vnet01”*Virtualnetwork-Addressspace CIDRofthevirtual

network“10.4.1.0/16”

*Subnets-Firstsubnetname Nameofthesubnet.Itwillbethesubnetforgig1ofCSR

“DC4-pub”

*Subnets-Firstsubnetaddressprefix

CIDRforfirstsubnet,whichneedstobewithinVirtualnetworkAddressspace

“10.4.1.0/24”

*Subnets-Secondsubnetname Nameofthesubnet.Itwillbethesubnetforgig2ofCSR

“DC4-sub”

*Subnets-Secondsubnetaddressprefix

CIDRforfirstsubnet,whichneedstobewithinVirtualnetworkAddressspace

“10.4.2.0/24”

*PublicIPaddressname NameforpublicIPaddresswhichistheNATIPforCSRgig0.

“dc4csrpub”

PublicIPaddressDNSnamelabel

DNSnameforthepublicIPaddress

“dc4csrpub”

*VirtualMachinename NameoftheVirtualMachine(VM)

“DC4-csr”

Username AdminUsernamefortheVM

“admindemo”

*Authenticationtype DefaultisPassword,butcanhighlightSSHpublickey

Password

*Password PasswordfortheVM “Cisco123”*Virtualmachinesize ThesizeofVM 1xStandardD2(thisisthe

defaultandonlyoptioninthisrelease)

NOTE:TheAzureCSR1000vdeploymentsimplifiestheprocedurebyallowinguserstocreateresourcessuchasResourceGroup,StorageAccount,VirtualNetworkandPublicIPontheflyduringtheCSRcreation,whicharespecifiedinStep2-5inthisdocuments.Werecommendthefirsttimeusertogothroughthefollowingstepstounderstandwhatresourcescanbecreatedupfrontandreusedlaterifneedtore-createCSR1000v.Butasaquickstart,theusercanskipStep2-5andjumptoStep6tolaunchCSR1000v,anduseStep2-5asareference.

Step1.SigninandCustomizeAzureportalGUISignInAzureportalGUI

4

AftercreatingAzureSubscriptions,ausershouldbeabletologintotheAzureportal.

CustomizeAzureportalGUIInAzure,ausercanoptionallytagthefrequentlyusedobjects(e.g.Virtualmachines,Virtualnetwork,etc),sotheyshowupinthelefthandsidepanel.Thisisoptional,butwerecommendcustomizingthelefthandsidepanelforeasieruse.Tocustomizeit,afterloggingintotheAzureportal,clickBrowseandclickthe“star”anditwillshowuponthelefthandsidepanel.

NOTE:Inthisdocumentation,itisassumedthatthefollowingobjectsareselected:Resourcegroup,Virtualmachines,Subscriptions,Networksecuritygroups,Networkinterfaces,PublicIPaddresses,Virtualnetworks,Routetables,Storageaccounts.AddanObjectTherearedifferentwaystoaddanobjectfromtheGUI,andinthisdocumentation,wedoitthroughthelefthandpanel.ThefollowinggivesanexampletocreateResourceGroup,theotherobjectswillbecreatedandverifiedinthesameway,whichwillnotberepeated:

5

ClickResourceGrouponthelefthandsidepanel,whichwillexpendtoResourcegroupspagethatlistsalltheexistingResourcegroups.ClickAddtocreateanewResourceGroupasfollowing:

Toverifytheobjectiscreatedsuccessfully,clicktheResourcegroupanditshouldshowupintheResourceGroupslistedbelow:

Step2.CreatingaResourceGroupAResourceGroupinAzurereferstothesetofresourcesthatwecankeepanddeletealltogether.TheresourcesincludeVMs,interfaces,virtual-network,routing-table,public-ip-address,securitygroups,routingtables,storageaccounts.Theresourcesinoneresourcegroupneedtohaveauniquename.Ifyoucreateobjectsthatdependonotherobjectsindifferentresourcegroups,theotherresourcecannotbedeletedbeforeyoudeleteyourobject.PleaserefertoResourceGrouparticleformoredetails.TIP:ResourceGroupcanbecreatedontheflyduringCSRdeploymentaswell.Step2-1.ClickResourceGrouponthelefthandsidepanel,anditwillexpandtheResourceGrouppagewhichshowsalltheexistingResourceGroups.ClickAddonthetopanditwillexpandtoCreateResourcegrouppage.Step2-2.TypeintheResourceGroupname,selectSubscriptionandResourcegrouplocationfromthedropdownlist.ClickCreatetocreateResourceGroup“DC4”.

6

Step3.CreateStorageAccountAStorageAccountinAzureisusedtokeeptheVMdiskfileandboot-log.Itbelongstoaresourcegroup.Notallresourcesneedtohaveastorageaccount.PleaserefertoAzureStoragearticleformoredetails.TIP:StorageAccountcanbecreatedontheflyduringCSRdeploymentaswell.Step3-1.ClickStorageaccountsonthelefthandsidepanel,whichwillexpandtheStorageaccountsGUI.ClickAddtonavigatetotheCreatestorageaccountpage.Step3-2.TypeintheStorageaccountname,selecttheStorageaccounttype,selectResourceGroup“DC4”createdinStep2,makesuretheLocationiscorrect,inthiscase“EastUS”.ClickCreatetocreateStorageaccount“dc4storageaccount”.

7

Step4.CreatingVirtualNetworkVirtualNetworkisarepresentationoftheprivatenetwork,whichprovideslogicalisolationofAzurecloud.PleaserefertoVirtualNetworkarticleformoredetails.TIP:VirtualNetworkcanbecreatedontheflyduringCSRdeploymentaswell.Step4-1.ClickVirtualnetworksonthelefthandsidepanel,whichwillexpandtheVirtualnetworksGUI,thenclickAddtonavigatetotheCreatevirtualnetworkpage.Step4-2.FillintheblankwithinfopreparedinTable1.MakesurethatLocationiscorrect,whichinthiscase,itis“EastUS”.NotethatonlyonesubnetcanbecreatedduringinitialVirtualnetworkscreation.

Step4-3.AddsecondsubnettotheVirtualnetwork.ClickVirtualnetworksonthelefthandsidepanel,andclickthevirtualnetworkjustcreated,inthiscase“vnet01”,clickAllSettings,whichwillnavigatetoSettingspage.ClickSubnet,whichwillnavigatetoSubnetspage.ClickAddtoaddnewSubnet.

8

Step4-4.TypeinsubnetnameandCIDRofthesecondsubnet.ClickOKtofinish.

Step5.CreatepublicIPaddressPublicIPaddressistheIPaddressthatusersordevicesfromInternetcanreach,anditisassociatedtoaspecificIPaddress.Itisanone-to-oneNATperformedbyAzurehypervisorrouter.Inthiscase,theCSR1000vfirstsubnetIPaddresswillbeassignedapublicIPaddress.ReservedIPisrecommended,sincedynamicIPmaycausethetunnelmalfunctionwhentheVMisshutdown/deallocatedandbootupagain.PleaserefertoPublicIParticleformoredetails.TIP:PublicIPcanbecreatedontheflyduringCSRdeploymentaswell.Step5-1.ClickPublicIPaddressonthelefthandsidepaneltoexpandthePublicIPaddresspage.ClickAdd,whichwillexpandtheCreatepublicIPaddresspage.Step5-2.FillintheinfofromTable1.ChangetheIPaddressassignmentfromDynamictoStatic.ClickCreatetofinish.

9

Step6.LaunchingCiscoCSR1000vvirtualmachineStep6-1.ClickVirtualmachinesfromthelefthandsidepanel,anditwillexpandtheVirtualmachinespage.ClickAddwhichwillexpandtheComputepage.Typein“csr”andhitEnteronthekeyboard,anditwillfindalltheCSRavailableinMarketplace.ClickBasicCSR1000vDeploymentw/twoNICs.

Step6-2.Attheendofintroductionpage,clickCreate.

10

Step6-3.Click1Basics.FillintheblankwiththeinfoyoupreparedinTable1.,andclickOK.

StartingfromIOS-XE3.16.02,youcanuseSSHpublickeytoaccesstheCSR.TouseSSHpublickey,the“Username”fieldneedtobe“azureuser”duetocurrentlimitation.Inthelaunchingpage,youcanclicktherightsmallicon“i”(information)forhelpnextto“Username”inputfield.Youwillfindnoticeinformationofusernamerestrictionthere.

11

Step6-4.TheGUIwillnavigateto2CiscoCSRsettings.ClickVirtualmachinesizetoselectthedesiredvalue(whichinthisreleaseisStandardD2only).ClickStoragegroup,PublicIPaddress,Virtualnetwork,andSubnetstoselecttheitemscreatedinpreviousstepsiftheyarecreatedpreviously.Iftheydon’texit,youmaycreatethemonthefly,pleaserefertothepreviousstepsfordetails.ThenclickOKtofinish.IfyourCSRhasmultipleNICs(wesupport2NICsor4NICsonAzurecurrently),firstNICwillbeusedinpublicsubnet.TheotherNICswillbeusedintheprivatesubnets.TheipaddressofotherNICcanbeassignedbyDHCPwith“ipdhcpaddress”underinterfaceconfiguration.Itcanalsobesetupstatically,howevermakesureit’ssamewiththeipaddressassignedbyAzure.

12

Step6-5.TheGUIwillnavigateto3Summary.ReviewandClickOKtoconfirmsettings.

Step6-6.TheGUIwillnavigateto4Buy,andclickCreatetoconfirmthepurchase.ItwilltakeacoupleofminutesfortheVMtocomeup.

13

Step7.AccessingtheCiscoCSR1000vvirtualmachineToverifytheVMcreationstatus,onthelefthandsidepanel,clickVirtualmachines:

WhenthestatuschangedtoRunning,clicktheVMtoseedetails.TakenotesofthePublicIPaddress.

14

Inaterminalserverofyourchoice,sshtotheserverandusetheusernameandpasswordconfiguredwhencreatingtheVM:NOTE:DuetothemismatchofterminaltimeouttimingbetweenAzure(4mins)andCSR(infinite),theusercanbelockedoutofSSHafter4minsidlestatus,withoutthelinebeingcleared.Pleasereferto“BestPracticeandCaveats”Sectioninthispaperfordetails.FANGU-M-40A8:~ fangu$ ssh –o ServerAliveInterval=60 admindemo@40.121.148.7 The authenticity of host '40.121.148.7 (40.121.148.7)' can't be established. RSA key fingerprint is 94:79:e9:d2:2e:85:93:d6:52:41:cc:a3:d9:14:7f:5f. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '40.121.148.7' (RSA) to the list of known hosts. Password: Cisco123 DC4-csr# DC4-csr#show ip int br Interface IP-Address OK? Method Status Protocol GigabitEthernet1 10.4.1.4 YES DHCP up up GigabitEthernet2 10.4.2.4 YES DHCP up up DC4-csr#sh ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 10.4.1.1 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 10.4.1.1 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.4.1.0/24 is directly connected, GigabitEthernet1 L 10.4.1.4/32 is directly connected, GigabitEthernet1 C 10.4.2.0/24 is directly connected, GigabitEthernet2 L 10.4.2.4/32 is directly connected, GigabitEthernet2 168.63.0.0/32 is subnetted, 1 subnets S 168.63.129.16 [254/0] via 10.4.1.1

15

IfyouhavesetSSHpublickeyatStep6.YoucanaccessyourCSRbyssh–i<key>–oServerAliveInterval=60azureuser@<csr_address>

Step8.ApplyLicensetotheCSR1000vvirtualmachineCiscoCSR1000voffersavarietyofthroughputandtechnologypackagelicensestomeeteachcustomer’srequirements.CiscoCSR1000valsoofferstwolicensingmodels:CiscoSoftwareLicense(CSL)whichisourtraditionalPAKbasedlicensingmodelandCiscoSmartLicensingwhichallowscustomerstoassignlicensetoCiscoCSR1000vinstancesdynamically.PleaseseetheCSR1000vdatasheetandtheCSR1000vmanaginglicensesdocumentsformoreinformation.AdefaultCSR1000vdeployedhasthroughputof100KwithtechnologypackageAX,inordertoincreasethethroughputtothedesiredlevelandenablethedesiredtechnologypackageacustomerneedstoinstallaCSRlicenseasfollows:Thefollowingisanexampleoftraditionalmanuallicensing:CopythelicensefiletoCSR1000vbootflashfromlocalcomputer:scp <license file> <username>@<CSRAddress>:<license file name>LogintoCSR1000vandinstalllicense: license install bootflash:<license file> Afterthelicenseisapplied,usercanchangethethroughputasfollowing:DC4-csr(config)#platform hardware throughput level MB 250

ModifyingsettingsforCSR1000vonAzure

UpdateRouteTablesInAzure,allVMssendpacketstoahypervisorrouter,andthehypervisorforwardsthepacketsbasedontheroutingtableassociatedwiththatsubnet.WhencreatingCSR1000v,tworoutetablesarecreatedandtheyareassociatedtoeachsubnetrespectively.AdefaultrouteiscreatedforthesecondsubnettopointtotheCSR,soalltheVMscreatedonthissubnetwilluseCSRasthedefaultroute.PleaserefertoFigure1.Butifthisbehaviorneedstochange,ausercanchangeitfromtheAzureportalGUI.ClickRouteTableonthelefthandsidepanel,whichwillnavigatetoRoutetablespage,findthetargetroutetable,andclickAllSettings,whichwillexpendtheSettingspage,clickRoutestoadd/modifyroutes.

16

UpdateSecurityGroupASecurityGroupcontrolswhatports/destinationsthehypervisorallows/deniesforcertaininterfaces.WhencreatingCSR,anewSecurityGroupiscreatedforFirstsubnetinboundinterfacebydefault.ForCSR1000vvirtualmachines,ifdeployedthroughthisdeployment,thefollowingportsareaddedforinboundInternettraffic:tcp22,UDP500andUDP4500,therestaredenied.TomodifySecuritygroup,clickNetworksecuritygrouponlefthandsidepanel,whichwillnavigatetoNetworksecuritygrouppage.Clickthetargetnetworksecuritygroup,whichwillexpandthedetailspage.ClickAllSettings,whichwillexpandtheSettingspage.ClickinboundsecurityrulesfromSettingsGUIpage,andclickAddtoaddadditionalrules.

17

ConfigurationExample

EnableIPsecVPNbetweenCSR1000vonAzureandAWScloudsIPSecVPNcanbesetupbetweenCSRsinAzureandAWScloud,belowisanexample:AzureCSRConfiguration AWSCSRConfigurationcrypto isakmp policy 1 encr aes hash sha256 authentication pre-share group 14 crypto isakmp key cisco123 address 0.0.0.0 crypto ipsec transform-set T1 esp-3des esp-md5-hmac mode transport crypto ipsec profile P1 set transform-set T1 interface Tunnel0 ip address 3.3.3.1 255.255.255.0 tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 tunnel destination 104.45.154.184 tunnel protection ipsec profile P1 end !!!! To test, create loop back interface and static route!!!!! interface Loopback1 ip address 5.5.5.5 255.255.255.255 end ip route 6.6.6.6 255.255.255.255 Tunnel0

crypto isakmp policy 1 encr aes hash sha256 authentication pre-share group 14 crypto isakmp key cisco123 address 0.0.0.0 crypto ipsec transform-set T1 esp-3des esp-md5-hmac mode transport crypto ipsec profile P1 set transform-set T1 interface Tunnel0 ip address 3.3.3.2 255.255.255.0 tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 tunnel destination 52.8.244.19 tunnel protection ipsec profile P1 end !!!! To test, create loop back interface and static route!!!!! interface Loopback1 ip address 6.6.6.6 255.255.255.255 end ip route 5.5.5.5 255.255.255.255 Tunnel0

DifferencesbetweenCSR1000vonAzureandAWS TherearesomedifferenceswhendeployingCSR1000vonAzureandAWS.Thefollowingtablehighlightssomeofthedifferences:Table2.ComparingCSR1000vonAzureandAWSFunction CSR1000vonAzure CSR1000vonAWSNumberofvNICs 2/4/8interfaces Multipleinterfaces(>2)MultipleIPaddress MultipleIPpervNIC MultipleIPpervNICGREtunnel Doesn’tsupportGREtunnel SupportGREtunnelRedundancy Doesn’tsupportRedundancy.

It’scomingin2017.SupportRoutingRedundancythrough2CSRinstances

Attach/DetachinterfaceontherunningCSR

Notsupported Supported

OverlappingIPsubnet Doesn’tsupportoverlappingIPsubnetindifferentvirtualnetwork

SupportoverlappingIPsubnetindifferentVPC

18

BestPracticesandCaveats1.ItisrecommendedtokeepallresourcesinthesameResourceGroup,sowhenneedtocleanupthewholesetup,justneedtoremovetheResourceGroup.2.WhentheCSRvirtualmachineisdeleted,notalltheresourcesaredeleted(routetable,securitygroup,publicIP,networkinterfaces),sowhencreatinganewCSRwiththesamename,theresourcesmaybere-used,ifitisnotdesired,pleaseeithermanuallyremovetheseresources,removetheRouteGroupthatcontainstheseresources,orcreateanewCSRwithadifferentname.3.Thisappliestothecurrent3.16.0image.Bydefault,CSRconfigurationconfiguredterminalVTYtimeoutasinfinite(exec-timeout00),butAzurehasadefaulttimeoutfortheterminalserverevery4minutes.Thiscausestheusertobelockedoutoftheterminalsessionwithoutclearingtheline.Toworkaroundit,therearetwomethods:1.SetServerAliveInterval=60duringsshsession(asshownbelow).2.Changetheexec-timeouttonon-zerovalues(e.g.exec-timeout40).4.Currently,theonlysupportedloginisthroughusername/passwordthatusercreatedduringtheCSR1000vlaunching.

OtherRelatedResourcesDMVPNissupportedonAzureaswell,andtheconfigurationissimilartoAWS,pleaserefertoExtendingYourITInfrastructureIntoAmazonWebServicesUsingCiscoDMVPNandtheCiscoCloudServicesRouter1000vSerieswhitepaper.