Multicloud Networking – Design and Deployment
Shannon McFarland – CCIE#5245
Distinguished Engineer, Cloud CTO
@eyepv6
BRKCLD-3440
#CLMEL
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCLD-3440
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Multicloud Networking Overview
• Native IPsec VPN Services
• Multicloud with Cisco SD-WAN
• DMVPN
• Automation
• Conclusion
Disclaimer
• You won’t learn security, routing, HA, performance best practices
• There are a gazillion ways to accomplish the same thing for ALL of this
Multicloud Networking Overview
Hybrid vs Multicloud Networking
• Hybrid Cloud Networking = Network transport from on-premises to a single public cloud provider
• Multicloud Networking = Network transport from on-premises to multiple public cloud providers and/or between multiple public cloud providers
• The technologies used can be identical for every connection or they can be per-provider, per-region, per-project, etc.
Why Would You Use Multiple Cloud Providers?
• Cloud provider high availability
Extending On Premises Private Cloud to a Public Cloud
Internet Over-the-Top (OTT)
[Figure: a campus pod router on the enterprise side (172.16.4.0/24) reaching enterprise applications hosted in a CSP VPC public subnet, over the Internet.]
• Enterprise CSP applications
• TLS/SSL capable
• Can be at odds with Enterprise InfoSec policies
Cloud Service Provider - Native IPsec VPN Service
[Figure: a Cisco ASR, CSR or ISR on the private network connected to Google Cloud VPN (default network 10.138.0.0/20) over IPsec/IKEv2 with BGP.]
IPsec VPN - Cisco SD-WAN Example
[Figure, per-VPC Cisco vEdge: a vEdge in the VPC subnet(s), behind the VPC router, builds IPsec across the cloud to a vEdge on the on-premises private network(s).]
[Figure, Transit VPC: a Cisco vEdge in a transit VPC combined with the CSP VPN service.]
IPsec VPN - Cisco CSR 1000v Example
[Figure, per-VPC Cisco CSR 1000v: CSRs in the VPC subnet(s), behind the VPC router, build DMVPN/IPsec to a Cisco ASR/CSR/ISR on the on-premises private network(s).]
[Figure, Transit VPC: a Cisco CSR in a transit VPC combined with the CSP VPN service.]
Multicloud with Transit VPC
[Figure: transit VPCs hosting Cisco vEdges in front of an Azure VNet subnet, an AWS VPC subnet (via the AWS VPN GW) and a Google VPC subnet (via Google Cloud VPN), all joined by SD-WAN to a vEdge on the on-premises private network(s).]
AWS – Transit Gateway (TGW)
[Figure: Dev and Prod VPCs attached to an AWS Transit Gateway, which is reached from the WAN over VPN or AWS Direct Connect.]
Colocation - With or Without VPN
Cisco Routers or Firewalls + Some Combo of Colocation/peering
[Figure, Cisco ASR/CSR/ASA variant: VPC subnet(s) behind the VPC router reach a Direct Connect (DX) endpoint carrying VLANs and a VPC VPN gateway; a Cisco ASR/CSR/ASA at the colocation and a Cisco ASR 1000 on the on-premises private network(s) terminate IPsec.]
[Figure, vEdge variant: the same layout with a vEdge at the DX endpoint and a vEdge on the on-premises private network(s), each running IPsec.]
VPN over the Internet vs Direct Connect/ExpressRoute/Dedicated Interconnect
[Table: two columns, "VPN over the Internet" and "Direct/Express/Dedicated", with five rows, Throughput, QoS, Latency, Cost and Flexibility, each marked "Winner" in one column; the extracted text does not preserve which column wins each row.]
Cisco Cloud Services Router (CSR) 1000V
Cisco IOS XE Software in a Virtual Appliance Form-Factor
Software
• Familiar IOS XE software with ASR1000 and ISR4000
License Options
• Term based 1 year, 3 year or 5 year
• Smart License enabled
Programmability
• NetConf/Yang, RESTConf, Guest Shell and SSH/Telnet
CSR 1000V: https://www.youtube.com/playlist?list=PLCiTBLSYkcoTUS6b4MFthdvhDrseo6MeN
Reference
• Microsoft Azure:
• VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/
• ExpressRoute: https://azure.microsoft.com/en-us/services/expressroute/
Let’s Backup
Starting Simple
Public Cloud Provider Native IPsec VPN Service
[Figure: Google Cloud VPN (VPC network 10.138.0.0/20, Google Cloud Router) to the on-premises private network 172.16.0.0/24 over an IPsec/IKEv2 tunnel in tunnel mode; BGP between the two sides (AS65003 and AS65000) with eBGP<>IGP redistribution into BGP/OSPF/EIGRP on premises.]
Add More On-Premises Stuff
[Figure: On-Premises Tenant 1.]
On-Premises Physical/Virtual
Public Cloud Provider Native IPsec VPN Service
[Figure: Google Cloud VPN (VPC network 10.138.0.0/20, Google Cloud Router) terminating on a physical ASR 1000 router in front of private network 192.168.yyy.0/24 and on a physical ASA firewall in front of private network 172.16.yyy.0/24.]
Add More Public Cloud Providers to the Mix
Stepping into Multicloud Networking
Multiple Native IPsec VPN Services
[Figure: Google Cloud VPN (VPC network 10.138.0.0/20, Google Cloud Router) and an AWS VPC (172.31.0.0/16, VPC router and VPN gateway), each with a native IPsec VPN to the on-premises private cloud (private network 172.16.0.0/24, BGP/OSPF/EIGRP).]
Stepping into Multicloud Networking
Multiple Native IPsec VPN Services
[Figure: same topology as the previous slide, Google Cloud VPN and the AWS VPC VPN gateway each with a native IPsec VPN to the on-premises private cloud.]
As the number of these VPC VPN connections increases and/or they change frequently... you can see where this is going.
Moving Away From Native VPN Services
What Conditions Cause a Change in Design?
• If On Premises routers/firewalls are behind NAT – Check for provider support of NAT-T
• You need to extend your On Premises IGP (OSPF/EIGRP) into the public cloud
• Operational consistency
• You need different IPsec/IKE configurations than what the provider offers
• You need SSL-based VPNs
• You need MPLS VPN
• QoS, specific network monitoring (IP SLA, NetFlow), Enterprise toolsets for configuration and monitoring
Options
Cisco SD-WAN
[Figure: vManage, vBond and vSmart controllers; a vEdge/cEdge in the VNet network 10.50.0.0/16 and a vEdge/cEdge on the private network 172.16.0.0/24.]
Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html
DMVPN – Enable Dynamic Multicloud Networking
Cisco DMVPN - A Brownfield Way to Bolt on Multicloud
[Figure: Cisco CSR1000v DMVPN spokes in the VNet network 10.50.0.0/16 and in the VPC network 172.31.0.0/16, with a Cisco CSR1000v on the on-premises private cloud.]
• IGP Support: OSPF, EIGRP, iBGP
• QoS Policies
• IP SLA, NetFlow
• NAT-T (Transparency)
• MPLS
• etc...
Cisco DMVPN: https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html
A Note On MTU
• All three providers recommend a different size interface MTU for the IPsec tunnel interface:
  • Google recommends 1460 on the tunnel: https://cloud.google.com/vpn/docs/concepts/advanced#mtu
  • AWS recommends 1399 on the tunnel: https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html
  • Azure recommends 1400 on the tunnel: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
• In addition to MTU, you need to set and test your TCP MSS values
• In my testing, an IP MTU of 1400 and TCP MSS of 1360 worked for all sites, but this may need to change based on your applications and if you are adding other encaps like MPLS
Google Cloud Platform – Native VPN
Reference
Topology for GCP to On Premises CSR – IPsec VPN
[Figure: Google Cloud VPN (default network 10.138.0.0/20, public endpoint 35.xxx.xxx.x, Google Cloud Router BGP AS65000, tunnel address 169.254.0.1) to a hypervisor-hosted Cisco CSR1000v on premises (public address 192.xxx.xxx.x, tunnel address 169.254.0.2, BGP AS65002, .1 on private network 192.168.100.0/24, OSPF 10 Area 0). IPsec/IKEv2 in tunnel mode; BGP routing with BGP<>OSPF redistribution.]
gcloud – Create the VPN GW, External IP and Forwarding Rules
Create a VPN gateway
# gcloud compute target-vpn-gateways create csr-gcp-vm-gw --region us-west1 --network default
Create a forwarding rule for ESP, UDP500 and UDP4500 – These are used by IKE/IPsec
# gcloud compute forwarding-rules create csr-gcp-vm-rule-esp \
--region us-west1 \
--address 35.xxx.xxx.x \
--ip-protocol ESP \
--target-vpn-gateway csr-gcp-vm-gw
gcloud – Create Cloud Router, VPN Tunnel and BGP session
Create the Cloud router that is used for BGP (an existing router can be used)
# gcloud compute routers create csr-gcp-vm-bgp-rtr \
--region us-west1 \
--asn=65000 \
--network default
Create a VPN tunnel and link it to the router created in the previous step
# gcloud compute vpn-tunnels create csr-gcp-vm-gw-tunnel-1 \
--region us-west1 \
--peer-address 192.xxx.xxx.x --shared-secret <pre-shared-password-goes-here> \
--ike-version 2 \
--target-vpn-gateway csr-gcp-vm-gw \
--router csr-gcp-vm-bgp-rtr
Add a new interface to the router and set the BGP session IP address for the GCP side of the connection
# gcloud compute routers add-interface csr-gcp-vm-bgp-rtr \
--interface-name if-csr-gcp-vm-bgp-rtr-01 \
--ip-address 169.254.0.1 \
--mask-length 30 \
--vpn-tunnel csr-gcp-vm-gw-tunnel-1 \
--region us-west1
Create a new BGP peer – This peer will be the Cisco CSR at the On Premises cloud
# gcloud compute routers add-bgp-peer csr-gcp-vm-bgp-rtr \
--interface if-csr-gcp-vm-bgp-rtr-01 \
--peer-asn 65002 \
--peer-name csr-gcp-vm-bgp-peer \
--peer-ip-address 169.254.0.2 \
--region us-west1
... Output summarised
[Figure: Google Cloud VPN / Google Cloud Router (169.254.0.1) peering with the CSR over BGP; the CSR advertises 192.168.100.0/24 (OSPF Area 0). CSR routing table below.]
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

S*    0.0.0.0/0 [1/0] via 192.xxx.xxx.x
      10.0.0.0/20 is subnetted, 1 subnets
B        10.138.0.0 [20/100] via 169.254.0.1, 00:16:59
      169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        169.254.0.0/30 is directly connected, Tunnel0
L        169.254.0.2/32 is directly connected, Tunnel0
      192.xxx.xxx.x/24 is variably subnetted, 2 subnets, 2 masks
C        192.xxx.xxx.x/26 is directly connected, GigabitEthernet1
L        192.xxx.xxx.x/32 is directly connected, GigabitEthernet1
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, GigabitEthernet2
L        192.168.100.1/32 is directly connected, GigabitEthernet2
Google VPN – Dual/Redundant On Premises Cisco CSRs
Reference Topology for vSphere Hosted Cisco CSR
[Figure: a Compute Engine instance on the Google default network 10.138.0.0/20; Google Cloud VPN endpoints 35.xxx.xxx.x and 35.yyy.yyy.y; Google Cloud Router BGP AS65000 with tunnel addresses 169.254.0.1 and 169.254.0.9. On Premises Cloud 1: two CSRs on ESXi Host 1 and ESXi Host 2 behind public address 192.xxx.xxx.x, both BGP AS65002, tunnel addresses 169.254.0.2 and 169.254.0.10, LAN addresses .2 and .3 on private network 192.168.100.0/24 with HSRP VIP = .1.]
HSRP Active
csr-gcp-01#show stand
GigabitEthernet2 - Group 0 (version 2)
  State is Active
HSRP Standby
csr-gcp-02#show stand
GigabitEthernet2 - Group 0 (version 2)
  State is Standby
... Output summarised
Pre-Failure State (2)
https://cloud.google.com/router/docs/concepts/overview
First Google Cloud Router BGP State
# gcloud compute routers get-status csr-gcp-vm-bgp-rtr
kind: compute#routerStatusResponse
result:
  bestRoutes:
  - creationTimestamp: '2017-09-19T14:48:49.137-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.10
    priority: 0
  - creationTimestamp: '2017-09-19T14:48:49.137-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.2
    priority: 0
  bestRoutesForRouter:
  - creationTimestamp: '2017-09-19T14:48:49.137-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.2
    priority: 0
  bgpPeerStatus:
  - advertisedRoutes:
    - destRange: 10.138.0.0/20
      kind: compute#route
      nextHopIp: 169.254.0.1
      priority: 100
    ipAddress: 169.254.0.1
    name: csr-gcp-vm-bgp-peer
    numLearnedRoutes: 1
    peerIpAddress: 169.254.0.2
    state: Established
    status: UP
    uptime: 1 minutes, 48 seconds
    uptimeSeconds: '108'
  network: https://www.googleapis.com/compute/v1/projects/public-175116/global/networks/default
Determining best path
• If Cloud Router receives multiple routes for the same destination, GCP uses route metrics and, in some cases, AS path length to determine the best path. To help you configure your On Premises routers, the following list describes the algorithm that GCP uses for egress traffic.
• If you have multiple BGP sessions on a single Cloud Router, GCP uses the route with the shortest AS path length.
• If routes have the same AS path length, GCP uses the route with the lower MED value.
• If routes have equal costs (same AS path length and metric), GCP uses ECMP to balance traffic across multiple paths.
• If you use multiple Cloud Routers, GCP uses only the MED value to determine the best path. The AS path length doesn't influence the path selection between multiple Cloud Routers.
• If a static and dynamic route have the same prefix and metric, GCP uses the static route.
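The egress path-selection rules quoted above are easy to misread when two Cloud Routers are involved (AS-path prepending on the on-premises CSRs does nothing in that case). The following is an added example, not part of the slides and not Google's implementation: a small Python model of the rules, exercised with routes mirroring the dual-CSR lab (192.168.100.0/24 learned from 169.254.0.2 and 169.254.0.10). The `Route` class, the `router` field and the constructed route sets are this example's own.

```python
"""Model of the Cloud Router egress path-selection rules from the slide
(added example; Route objects and sample route sets are constructed here)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    dest: str            # destination prefix
    next_hop: str        # BGP peer (or static next hop) the route points at
    router: str          # Cloud Router that learned the route ("static" for static routes)
    as_path_len: int = 0
    med: int = 0         # BGP MED, i.e. the route metric; lower is preferred
    static: bool = False


def select_best(routes: List[Route]) -> List[Route]:
    """Return the routes GCP installs for one prefix; more than one means ECMP."""
    if not routes:
        return []
    if len({r.dest for r in routes}) != 1:
        raise ValueError("select_best() compares candidates for a single prefix")

    best_metric = min(r.med for r in routes)
    # Rule: a static route wins over a dynamic one with the same prefix and metric.
    statics = [r for r in routes if r.static and r.med == best_metric]
    if statics:
        return statics

    dynamic = [r for r in routes if not r.static]
    if not dynamic:
        return []
    if len({r.router for r in dynamic}) > 1:
        # Rule: across multiple Cloud Routers only the MED counts; AS path is ignored.
        lowest = min(r.med for r in dynamic)
        return [r for r in dynamic if r.med == lowest]

    # Rule: on a single Cloud Router, shortest AS path first ...
    shortest = min(r.as_path_len for r in dynamic)
    candidates = [r for r in dynamic if r.as_path_len == shortest]
    # ... then the lower MED; whatever survives is load-balanced with ECMP.
    lowest = min(r.med for r in candidates)
    return [r for r in candidates if r.med == lowest]


def next_hops(routes: List[Route]) -> List[str]:
    """Sorted next hops of the selected routes (convenience for reading results)."""
    return sorted(r.next_hop for r in select_best(routes))


# Constructed inputs modelled on the `gcloud compute routers get-status` output
# on the slide: each Cloud Router learns the on-premises LAN from its own CSR.
DUAL_ROUTER = [
    Route("192.168.100.0/24", "169.254.0.2", "csr-gcp-vm-bgp-rtr", as_path_len=1, med=0),
    Route("192.168.100.0/24", "169.254.0.10", "csr-gcp-vm-bgp-rtr-02", as_path_len=1, med=0),
]
# Both CSR peers on ONE Cloud Router, the second CSR prepending its AS path.
SINGLE_ROUTER_PREPEND = [
    Route("192.168.100.0/24", "169.254.0.2", "csr-gcp-vm-bgp-rtr", as_path_len=1, med=0),
    Route("192.168.100.0/24", "169.254.0.10", "csr-gcp-vm-bgp-rtr", as_path_len=3, med=0),
]
# Two Cloud Routers; the second CSR prepends but advertises a lower MED.
DUAL_ROUTER_MED = [
    Route("192.168.100.0/24", "169.254.0.2", "csr-gcp-vm-bgp-rtr", as_path_len=1, med=100),
    Route("192.168.100.0/24", "169.254.0.10", "csr-gcp-vm-bgp-rtr-02", as_path_len=3, med=50),
]
# A static route (constructed next hop) with the same prefix and metric as the BGP routes.
STATIC_TIE = DUAL_ROUTER + [
    Route("192.168.100.0/24", "10.138.0.5", "static", static=True, med=0),
]

if __name__ == "__main__":
    for name, rib in [("dual router, equal cost", DUAL_ROUTER),
                      ("single router, AS prepend", SINGLE_ROUTER_PREPEND),
                      ("dual router, MED", DUAL_ROUTER_MED),
                      ("static tie", STATIC_TIE)]:
        print(f"{name:28s} -> {next_hops(rib)}")
```

With the lab's two Cloud Routers and equal metrics both tunnels are installed (ECMP), which is exactly what `bestRoutes` shows on the slide; the prepend case only steers traffic when both sessions terminate on the same Cloud Router, and across two Cloud Routers only the MED moves traffic.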
... Output summarised
Pre-Failure State (3)
Second Google Cloud Router BGP State
# gcloud compute routers get-status csr-gcp-vm-bgp-rtr-02
kind: compute#routerStatusResponse
result:
  bestRoutes:
  - creationTimestamp: '2017-09-19T14:48:49.137-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.10
    priority: 0
  - creationTimestamp: '2017-09-19T14:48:49.137-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.2
    priority: 0
  bestRoutesForRouter:
  - creationTimestamp: '2017-09-19T14:43:36.121-07:00'
    destRange: 192.168.100.0/24
    kind: compute#route
    nextHopIp: 169.254.0.10
    priority: 0
  bgpPeerStatus:
  - advertisedRoutes:
    - destRange: 10.138.0.0/20
      kind: compute#route
      nextHopIp: 169.254.0.9
      priority: 100
    ipAddress: 169.254.0.9
    name: csr-gcp-vm-bgp-peer-02
    numLearnedRoutes: 1
    peerIpAddress: 169.254.0.10
    state: Established
    status: UP
    uptime: 6 minutes, 50 seconds
    uptimeSeconds: '410'
  network: https://www.googleapis.com/compute/v1/projects/public-175116/global/networks/default
Failure Scenario 2 – Shut HSRP Primary LAN Interface (BGP session is still active)
Pre-Failure: GCE Instance traceroutes via the 169.254.0.2 GCP BGP Path
[shmcfarl@instance-3 ~]$ traceroute 192.168.100.20
traceroute to 192.168.100.20 (192.168.100.20), 30 hops max, 60 byte packets
 1  169.254.0.2 (169.254.0.2)  24.223 ms  24.430 ms  24.716 ms
 2  192.168.100.20 (192.168.100.20)  24.180 ms  24.595 ms  24.422 ms
Failure Scenario 3 – Shut IPsec Tunnel on HSRP Primary CSR – With/Without HSRP Interface Tracking
Pre-Failure: GCE Instance traceroutes via the 169.254.0.2 GCP BGP Path
[shmcfarl@instance-3 ~]$ traceroute 192.168.100.20
traceroute to 192.168.100.20 (192.168.100.20), 30 hops max, 60 byte packets
 1  169.254.0.2 (169.254.0.2)  24.728 ms  24.780 ms  24.766 ms
 2  192.168.100.20 (192.168.100.20)  24.480 ms  24.495 ms  24.482 ms
Post-Failure: GCE Instance traceroutes via the 169.254.0.10 GCP BGP Path BUT traffic is re-routed to the HSRP Primary (192.168.100.2) before going to the end host
[shmcfarl@instance-3 ~]$ traceroute 192.168.100.20
traceroute to 192.168.100.20 (192.168.100.20), 30 hops max, 60 byte packets
 1  169.254.0.10 (169.254.0.10)  24.863 ms  42.763 ms  32.908 ms
 2  192.168.100.2 (192.168.100.2)  54.069 ms  86.788 ms  70.963 ms      <- On Premises LAN re-route to HSRP Active on router with failed IPsec Tunnel
 3  192.168.100.20 (192.168.100.20)  174.753 ms  *  134.706 ms
LAN Re-Route Issue Resolved – Use Track
track 10 interface Tunnel0 line-protocol
!
interface GigabitEthernet2
 description Private Network On Premises
 ip address 192.168.100.2 255.255.255.0
 standby version 2
 standby 0 ip 192.168.100.1
 standby 0 priority 110
 standby 0 preempt
 standby 0 authentication md5 key-string 7 01300F175804575D720D
 standby 0 track 10 decrement 10
Tunnel failed and track changed HSRP state:
csr-gcp-01#show stand
GigabitEthernet2 - Group 0 (version 2)
  State is Standby
  . . .
  Priority 100 (configured 110)
    Track object 10 state Down decrement 10
[shmcfarl@instance-3 ~]$ traceroute 192.168.100.20
traceroute to 192.168.100.20 (192.168.100.20), 30 hops max, 60 byte packets
 1  169.254.0.10 (169.254.0.10)  43.113 ms  25.269 ms  33.033 ms
 2  192.168.100.20 (192.168.100.20)  72.879 ms  111.849 ms  53.904 ms
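To make the failure mode above reproducible without a lab, here is an added example (not from the slides) that models HSRP Active election with object tracking and replays Failure Scenario 3 with and without the `track` configuration. Only csr-gcp-01's HSRP configuration appears on the slides; csr-gcp-02's priority (100, the IOS default), its preempt setting and its LAN address (192.168.100.3, the .3 from the topology figure) are assumptions, as is the tie-break rule used (equal effective priority decided by the higher LAN IP, as in HSRP election).

```python
"""HSRP election with interface tracking, replaying Failure Scenario 3
(added example; csr-gcp-02's settings and the tie-break rule are assumptions)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HsrpRouter:
    name: str
    lan_ip: str                      # address on GigabitEthernet2
    tunnel_ip: str                   # Tunnel0 address the Cloud Router peers with
    priority: int = 100              # `standby 0 priority` (IOS default is 100)
    preempt: bool = True             # `standby 0 preempt`
    track: Dict[str, int] = field(default_factory=dict)  # tracked object -> decrement

    def effective_priority(self, down: Set[str]) -> int:
        """Priority after `standby 0 track <obj> decrement <n>` for objects that are down."""
        return self.priority - sum(dec for obj, dec in self.track.items()
                                   if f"{self.name}:{obj}" in down)


def hsrp_elect(routers: List[HsrpRouter], down: Set[str],
               current: Optional[str] = None) -> str:
    """Return the name of the HSRP Active router.

    With no current Active, the highest effective priority wins (tie: higher LAN IP).
    Otherwise the Active keeps the role until a peer with preempt enabled beats it
    on the same comparison.
    """
    def key(r: HsrpRouter) -> Tuple[int, object]:
        return (r.effective_priority(down), ip_address(r.lan_ip))

    if current is None:
        return max(routers, key=key).name
    active = next(r for r in routers if r.name == current)
    for r in routers:
        if r.name != active.name and r.preempt and key(r) > key(active):
            active = r
    return active.name


def lan_path(routers: List[HsrpRouter], active: str, entry_tunnel: str, host: str) -> List[str]:
    """Hops a traceroute from the GCE instance shows once GCP sends it into `entry_tunnel`.

    As on the slide, the on-premises LAN hands traffic to the HSRP Active router
    before the end host, so when the Active is not the router terminating the
    tunnel, its LAN address shows up as an extra hop.
    """
    entry = next(r for r in routers if r.tunnel_ip == entry_tunnel)
    active_rtr = next(r for r in routers if r.name == active)
    hops = [entry.tunnel_ip]
    if active_rtr is not entry:
        hops.append(active_rtr.lan_ip)
    hops.append(host)
    return hops


# Values from the slides for csr-gcp-01; csr-gcp-02 uses the assumed settings noted above.
CSRS = [
    HsrpRouter("csr-gcp-01", "192.168.100.2", "169.254.0.2", priority=110,
               track={"Tunnel0": 10}),
    HsrpRouter("csr-gcp-02", "192.168.100.3", "169.254.0.10"),
]
HOST = "192.168.100.20"


def scenario(tracking: bool) -> Tuple[str, List[str]]:
    """Shut Tunnel0 on the Active CSR; report the new Active and the traceroute hops."""
    routers = [HsrpRouter(r.name, r.lan_ip, r.tunnel_ip, r.priority, r.preempt,
                          dict(r.track) if tracking else {}) for r in CSRS]
    before = hsrp_elect(routers, set())                      # csr-gcp-01: 110 > 100
    down = {"csr-gcp-01:Tunnel0"}
    after = hsrp_elect(routers, down, current=before)
    # With csr-gcp-01's tunnel (and its BGP session) gone, GCP's only path is 169.254.0.10.
    return after, lan_path(routers, after, "169.254.0.10", HOST)


if __name__ == "__main__":
    for mode in (False, True):
        active, hops = scenario(tracking=mode)
        print(f"tracking={mode!s:5} active={active} path={' -> '.join(hops)}")
```

Without tracking the model reproduces the three-hop traceroute (169.254.0.10, then the hairpin through 192.168.100.2, then the host); with `standby 0 track 10 decrement 10` csr-gcp-01 drops to priority 100, loses the election and the hairpin disappears. The same model can be reused for Failure Scenario 2 by marking a LAN interface down instead of the tunnel.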
Reference Cisco CSR Config – Primary ... Output summarized
crypto ikev2 proposal PHASE1-PROP
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy IKE-POL
 proposal PHASE1-PROP
!
crypto ikev2 keyring KEY
 peer GCP-PEER
  address 35.yyy.yyy.y
  hostname csr-gcp-dmz-sjc
  pre-shared-key local <PSK_PASSWORD_GOES_HERE>
  pre-shared-key remote <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KEY
 lifetime 36000
!
crypto ikev2 dpd 10 2 periodic
!
track 10 interface Tunnel0 line-protocol
!
crypto ipsec transform-set CSR-GCP-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CSR-GCP
 set transform-set CSR-GCP-SET
 set pfs group14
 set ikev2-profile IKEV2-SETUP
!
interface Tunnel0
 ip address 169.254.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 35.yyy.yyy.y
 tunnel protection ipsec profile CSR-GCP
!
interface GigabitEthernet1
 ip address 192.yyy.yyy.y 255.255.255.192
!
interface GigabitEthernet2
 description Private Network On Premises
 ip address 192.168.100.2 255.255.255.0
 standby version 2
 standby 0 ip 192.168.100.1
 standby 0 priority 110
 standby 0 preempt
 standby 0 authentication md5 key-string 7 <HSRP_KEY>
 standby 0 track 10 decrement 10
!
router ospf 10
 redistribute bgp 65002 subnets
 network 192.168.100.0 0.0.0.255 area 0
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 169.254.0.1 remote-as 65000
 neighbor 169.254.0.1 timers 20 60 60
 !
 address-family ipv4
  redistribute ospf 10
  neighbor 169.254.0.1 activate
  neighbor 169.254.0.1 soft-reconfiguration inbound
 !
ip route 0.0.0.0 0.0.0.0 192.yyy.yyy.y
Tunnel0 on the second CSR (tunnel address 169.254.0.10 in the dual-CSR topology) ... Output summarized
interface Tunnel0
 ip address 169.254.0.10 255.255.255.252
Topology for AWS to On Premises CSR – IPsec VPN
[Figure: AWS VPC to a Cisco CSR1000v on premises; IPsec/IKEv2 in tunnel mode, BGP routing with BGP<>OSPF redistribution.]
AWS CLI: Create VPC, VPN GW, Customer GW and VPN Connection
Create a new AWS VPC (or use an existing one)
# aws ec2 create-vpc --cidr-block 172.31.0.0/16
Create a new customer gateway with the On Premises BGP ASN and the On Premises router IP address (do this for each connection)
# aws ec2 create-customer-gateway --bgp-asn 65002 --public-ip 192.xxx.xxx.x --type ipsec.1
Note: Lots of output will come from the above VPN creation command. This information can be used to build the On Premises CSR config. The best method for getting the configuration is shown on the next slide.
Optional: Download Router Configuration
• VPC Dashboard > VPN Connections
Reference Cisco CSR Config - Primary ... Output summarised
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
!
crypto keyring keyring-vpn-cec15996-0
 local-address 192.xxx.xxx.x
 pre-shared-key address 52.xxx.xxx.x key <PSK_PASSWORD_GOES_HERE>
!
crypto isakmp profile isakmp-vpn-cec15996-0
 local-address 192.xxx.xxx.x
 match identity address 52.xxx.xxx.x
 keyring keyring-vpn-cec15996-0
!
crypto ipsec transform-set ipsec-prop-vpn-cec15996-0 esp-aes 128 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec-vpn-cec15996-0
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-cec15996-0
!
crypto ipsec df-bit clear
!
crypto isakmp keepalive 10 10 on-demand
!
crypto ipsec fragmentation before-encryption
!
interface Tunnel1
 ip address 169.254.11.178 255.255.255.252
 ip virtual-reassembly
 ip mtu 1400
 tunnel source 192.xxx.xxx.x
 tunnel destination 52.xxx.xxx.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-cec15996-0
 ip tcp adjust-mss 1379
!
router ospf 10
 redistribute bgp 65002 subnets
 network 192.168.200.0 0.0.0.255 area 0
!
router bgp 65002
 neighbor 169.254.11.177 remote-as 64512
 neighbor 169.254.11.177 activate
 neighbor 169.254.11.177 timers 10 30 30
 !
 address-family ipv4
  redistribute ospf 10
  neighbor 169.254.11.177 remote-as 64512
  neighbor 169.254.11.177 activate
  neighbor 169.254.11.177 soft-reconfiguration inbound
... Output summarised
On AWS check for the route for the on-premises network (192.168.200.0/24)
# aws ec2 describe-route-tables | grep 192.168.200.0
ROUTES 192.168.200.0/24 vgw-64277e21 EnableVgwRoutePropagation active
[Figure: VPC network 172.31.0.0/16 (VM at .121, VPC router at .1) with BGP from 169.254.11.177 to 169.254.11.178 on the hypervisor-hosted Cisco CSR1000v, which is .1 on private network 192.168.200.0/24 (VM at .30).]
On Premises Cloud 1
Topology for Dual Cisco CSR on AWS vSphere Hosted Cisco CSR
[Figure: AWS VPC network 172.31.0.0/16 with VPC router and VPN gateway (BGP AS64512), AWS-side tunnel addresses 169.254.11.177 and 169.254.10.213; two vSphere-hosted CSRs on ESXi Host 1 and ESXi Host 2 (BGP AS65002) with tunnel addresses 169.254.11.178 and 169.254.10.214, LAN addresses .2 and .3 on private network 192.168.200.0/24 with HSRP VIP = .1, OSPF 10 Area 0.]
Azure to On Premises CSR – IPsec VPN
[Figure: Azure VNet subnet (10.10.0.0/16) with a VPN Gateway (public address 40.xxx.xxx.x, BGP peering address 10.10.255.30, BGP AS64512) to a hypervisor-hosted Cisco CSR1000v on premises (public address 192.xxx.xxx.x, tunnel address 10.11.255.1, BGP AS65002, .1 on private network 192.168.200.0/24, OSPF 10 Area 0). IPsec/IKEv2 in tunnel mode; BGP routing with BGP<>OSPF redistribution.]
Azure CLI: Create Resource Group, Networks,
Subnets
Create a new Azure Resource Group (rg)
# az group create --name azure-vpn-rg --location westus
# az configure --defaults location=westus
# az configure --defaults group=azure-vpn-rg
Create a new subnet that is used for the IPsec/BGP interface on the Azure side
# az network vnet subnet create \
--vnet-name vnet1 \
--name gatewaysubnet \
--address-prefix 10.10.255.0/27
Azure CLI: Create a Public IP, VPN/Vnet Gateway and
Local Gateway
Create a new public IP address (Using Azure VPN service, the allocation must be ‘dynamic’)
# az network public-ip create \
--name azure-vpn-gw-eip \
--allocation-method dynamic
Create Vnet gateway using ‘RouteBased’ (BGP) and a supported sku (see earlier links for requirements). THIS TAKES AWHILE
# az network vnet-gateway create \
--name vpn-gw \
--public-ip-address azure-vpn-gw-eip \
--vnet vnet1 \
--gateway-type Vpn \
--sku VpnGw1 \
--vpn-type RouteBased \
--asn 65010
Once the Vnet gateway is up, get the Azure-side BGP Peering address (Needed for On Premises configuration)
# az network vnet-gateway list | grep bgpPeeringAddress
"bgpPeeringAddress": "10.10.255.30",
Create the local gateway (On Premises target). Local prefix/BGP peer should be the On Premises CSR tunnel info. Can’t be in Azure vne
# az network local-gateway create \
--gateway-ip-address 192.xxx.xxx.x \
--name azure-lng \
--local-address-prefixes 10.11.255.1/32 \
--asn 65002 \
--bgp-peering-address 10.11.255.1
Azure CLI: Vnet GW, Local GW, VPN Connection
Copy the full path from the “id” line (under the ‘gatewayType: Vpn’ line) that is shown in the vnet-gateway output
# az network vnet-gateway show --name vpn-gw
"gatewayType": "Vpn",
"id": "/subscriptions/<YOUR_ID>/resourceGroups/azure-vpn-rg/providers/Microsoft.Network/virtualNetworkGateways/vpn-gw",
Copy the full path from the “id” line that is shown in the local-gateway output
# az network local-gateway show --name azure-lng
"id": "/subscriptions/<YOUR_ID>/resourceGroups/azure-vpn-rg/providers/Microsoft.Network/localNetworkGateways/azure-lng"
Optional: Create a new test VM on Azure and associate it with the ‘inside’ subnet
# az vm create \
--name AzTestVm \
--authentication-type ssh \
--ssh-key-value "$(< ~/.ssh/id_rsa.pub)" \
--image Canonical:UbuntuServer:16.04-LTS:latest \
--size Standard_DS1_v2 \
--vnet-name vnet1 \
--subnet inside \
--public-ip-address-allocation dynamic
On Premises Cisco CSR IPsec/Routing Config ... Output summarised
crypto ikev2 proposal PHASE1-PROP
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy IKE-POL
 proposal PHASE1-PROP
!
crypto ikev2 keyring KEY
 peer AZURE-PEER
  address 40.xxx.xxx.x
  pre-shared-key local <PSK_PASSWORD_GOES_HERE>
  pre-shared-key remote <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile IKEV2-SETUP
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local KEY
 lifetime 36000
!
crypto ikev2 dpd 10 2 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set CSR-AZURE-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CSR-AZURE
 set transform-set CSR-AZURE-SET
 set pfs group14
 set ikev2-profile IKEV2-SETUP
!
interface Tunnel2
 ip address 10.11.255.1 255.255.255.255
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 40.xxx.xxx.x
 tunnel protection ipsec profile CSR-AZURE
!
interface GigabitEthernet1
 description Internet
 ip address 192.xxx.xxx.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.2
 redistribute bgp 65002 subnets
 network 192.168.200.0 0.0.0.255 area 0
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 10.10.255.30 remote-as 65010
 neighbor 10.10.255.30 ebgp-multihop 255
 !
 address-family ipv4
  redistribute ospf 10
  neighbor 10.10.255.30 activate
  neighbor 10.10.255.30 soft-reconfiguration inbound
 !
ip route 0.0.0.0 0.0.0.0 192.xxx.xxx.x
ip route 10.10.255.30 255.255.255.255 Tunnel2
... Output summarised
On Azure check for the route for the on-premises network (192.168.200.0/24)
PS Azure:\> Get-AzureRmEffectiveRouteTable -NetworkInterfaceName AzTestVmVMNic -ResourceGroupName azure-vpn-rg | Format-Table
Name State Source AddressPrefix NextHopType NextHopIpAddress
---- ----- ------ ------------- ----------- ----------------
Active VirtualNetworkGateway {192.168.200.0/24} VirtualNetworkGateway {40.xxx.xxx.x}
[Figure: Azure inside subnet 10.10.1.0/24 (VM at .4) and VPN Gateway (10.10.255.30, public address 40.xxx.xxx.x) to the hypervisor-hosted Cisco CSR1000v on premises (192.xxx.xxx.x, tunnel address 10.11.255.1, .1 on private network 192.168.200.0/24 with a VM at .30).]
Multicloud with Cisco SD-WAN
Reference
[Figure: Cisco SD-WAN data plane (vEdge) spanning Cloud, Data Centre, Campus, Branch and SOHO.]
Cisco SD-WAN
[Figure: vManage, vBond and vSmart controllers; a vEdge/cEdge in the VNet network 10.10.1.0/16 and a vEdge/cEdge on the private network 10.1.1.0/24.]
Cisco SD-WAN: https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/index.html
Cisco SD-WAN Public Cloud Support
• Cisco SD-WAN (vEdge) on AWS: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/01Create_vEdge_Cloud_VM_Instance_on_AWS
• AWS Marketplace: https://aws.amazon.com/marketplace/pp/B07BZ53FJT
• Cisco SD-WAN on Microsoft Azure: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Viptela_Overlay_Network_Bringup/07Deploy_the_vEdge_Routers/02Create_vEdge_Cloud_VM_Instance_on_Azure
• Microsoft Azure Marketplace: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cisco.cisco_cloud_vedge_4_nics?tab=Overview
• Brand New SD-WAN Design/Deployment Guides: https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/branch-wan-edge.html
Cisco SD-WAN and AWS Options
[Figure, SD-WAN + Internet + Host VPC: a vEdge in the VPC subnet(s), behind the VPC router, builds IPsec across the cloud to a vEdge on the on-premises private network(s).]
[Figure, SD-WAN + Transit VPC: a vEdge in a transit VPC, reached from the VPC router through the VPN gateway and a DX endpoint carrying VLANs, builds IPsec across the cloud to a vEdge on the on-premises private network(s).]
Cisco SD-WAN – Transit VPC
Cloud onRamp for IaaS - AWS
[Figure: vManage, vBond and vSmart controllers with a transit VPC connecting to on-premises.]
• AWS: https://sdwan-docs.cisco.com/Product_Documentation/vManage_Help/Release_18.3/Configuration/Cloud_OnRamp_with_AWS
• Azure: https://sdwan-docs.cisco.com/Product_Documentation/vManage_Help/Release_18.3/Configuration/Cloud_OnRamp_with_Azure
AWS with Cisco SD-WAN
Cloud onRamp for IaaS - AWS
[Diagram, built up over three slides: first the transit VPC and host VPC, then the IPsec VPNs between them.]
• Controllers: vManage, vBond and vSmart, reached from the vEdges' transport side.
• GatewayVpc (192.168.0.0/16) is the transit VPC and holds two vEdge-Cloud routers. Each has three interfaces: vpn 512 (management) on Transit Subnet 0 (192.168.30.31 and 192.168.126.106), vpn 0 (transport) on Transit Subnet 1 (192.168.59.199 and 192.168.139.23) and vpn 1 (service) on Transit Subnet 2 (192.168.85.0 and 192.168.176.185 as drawn). EIPs are attached to the management and transport addresses, and an Internet gateway (IGW) fronts them.
• HostVpc (172.16.0.0/16) has a PublicSubnet 172.16.0.0/24, a PrivateSubnet 172.16.3.0/24, the VPC router and a VPC VPN gateway (VGW).
• The VGW builds one IPsec VPN tunnel to each vEdge's vpn 0 EIP, two tunnels in total for redundancy; the vEdges carry SD-WAN IPsec on to the on-premises vEdge in front of the private network 10.1.1.0/24.
vManage
Cloud onRamp for IaaS - AWS
Dashboard View (Yeah, I know, no HA on the control plane)
[Screenshot: the vManage Cloud onRamp dashboard.]
AWS – VPC/Subnet View
Cloud onRamp for IaaS - AWS
[Screenshots: the VPC View and Subnet View in the AWS console.]
AWS – Host VPC –to- Transit VPC Mapping
[Screenshot: the VPN Gateway (VGW) View.]
AWS – Host VPC –to- Transit VPC Mapping - IPsec
vEdge-Cloud – Transit VPC
[Diagram: HostVpc (172.16.0.0/16) with PublicSubnet 172.16.0.0/24, PrivateSubnet 172.16.3.0/24 and its VPC VPN GW (VGW) at tunnel address 169.254.10.13/30; the transit-VPC vEdge terminates the VPN tunnel on ipsec8 at 169.254.10.14/30, sourced from its vpn 0 address 192.168.59.199 (EIP attached).]
The IPsec interface lives in service VPN 1 (the route table later in this section lists ipsec8 as a connected interface of VPN 1) but is sourced from the transport-side address in vpn 0:
 interface ipsec8
  ip address 169.254.10.14/30
  tunnel-source 192.168.59.199
  tunnel-destination 52.xx.xx.xx
  ike
   version 1
   mode main
   rekey 28800
   cipher-suite aes128-cbc-sha1
   group 2
   authentication-type
    pre-shared-key
     pre-shared-secret <PSK_HERE>
    !
   !
  !
  ipsec
   rekey 3600
   replay-window 512
   cipher-suite aes256-cbc-sha1
   perfect-forward-secrecy group-16
  !
 !
vManage pushes these parameters to match what the AWS VGW offered: IKEv1 main mode with a pre-shared key, AES-128-CBC with SHA-1 and DH group 2 (1024-bit MODP) for the IKE SA, then AES-256-CBC with SHA-1, a 512-packet replay window and PFS group 16 for the IPsec SA. Group 2 is the weakest element of that policy; AWS Site-to-Site VPN also accepts IKEv2 and DH groups 14 and above, so select those where both the VGW and the vManage release allow it. <PSK_HERE> stands for the per-tunnel pre-shared key from the VPN connection's configuration.
AWS – Host VPC –to- Transit VPC Mapping - BGP
vEdge-Cloud – Transit VPC
[Diagram as on the previous slide: the VPC CIDR 172.16.0.0/16 behind the VGW at 169.254.10.13/30, the transit-VPC vEdge at 169.254.10.14/30 on ipsec8 with vpn 0 EIP 192.168.59.199, the IPsec VPN between them, and SD-WAN IPsec on to the on-premises vEdge and private network 10.1.1.0/24.]
vpn 1
 router
  bgp 9988
   timers
    holdtime 30
   !
   address-family ipv4-unicast
    network 0.0.0.0/0
    redistribute omp
   !
   neighbor 169.254.10.13
    no shutdown
    remote-as 64512
    update-source ipsec8
   !
  !
 !
The transit vEdge runs BGP in service VPN 1 as AS 9988 and peers with the VGW's Amazon-side ASN 64512 across the 169.254.10.12/30 tunnel link, sourcing the session from ipsec8. It advertises a default route plus everything learned from OMP (here the on-premises 10.1.1.0/24) to the VGW, so host-VPC route tables that propagate VGW routes send on-premises-bound traffic, and because of the default any other non-local traffic, to the transit VPC. Replace network 0.0.0.0/0 with the specific prefixes if the host VPC should keep its own Internet path.
Transit VPC –to- On-Premises - BGP
Transit VPC vEdge - BGP
vedge-aws-01# show ip route
OUTPUT SUMMARIZED...
                                   PROTOCOL   NEXTHOP   NEXTHOP         NEXTHOP
VPN  PREFIX            PROTOCOL   SUB TYPE   IF NAME   ADDR            VPN   TLOC IP   COLOR            ENCAP   STATUS
-------------------------------------------------------------------------------------------------------------------
1    10.1.1.0/24       omp        -          -         -               -     1.1.1.4   public-internet  ipsec   F,S
1    169.254.8.40/30   connected  -          ipsec7    -               -     -         -                -       F,S
1    169.254.10.12/30  connected  -          ipsec8    -               -     -         -                -       F,S
1    172.16.0.0/16     bgp        e          ipsec8    169.254.10.13   -     -         -                -       F,S
The host VPC CIDR 172.16.0.0/16 arrives as an eBGP route from the VGW (169.254.10.13) over ipsec8, and the on-premises 10.1.1.0/24 arrives via OMP from the on-premises TLOC 1.1.1.4.
On-Premises vEdge - IPsec
vedge-01# show ip route
OUTPUT SUMMARIZED...
                                   PROTOCOL   NEXTHOP   NEXTHOP         NEXTHOP
VPN  PREFIX            PROTOCOL   SUB TYPE   IF NAME   ADDR            VPN   TLOC IP   COLOR            ENCAP   STATUS
-------------------------------------------------------------------------------------------------------------------
1    10.1.1.0/24       connected  -          ge0/1     -               -     -         -                -       F,S
1    172.16.0.0/16     omp        -          -         -               -     2.2.2.5   default          ipsec   F,S
1    172.16.0.0/16     omp        -          -         -               -     2.2.2.6   default          ipsec   F,S
The on-premises vEdge sees the host VPC CIDR twice via OMP, once per transit-VPC vEdge (TLOCs 2.2.2.5 and 2.2.2.6); that is the redundancy the two VGW tunnels buy.
[Diagram: the transit-VPC vEdge (vpn 0 EIP 192.168.59.199) with its IPsec VPN to the VGW for the VPC CIDR 172.16.0.0/16, and SD-WAN IPsec to the on-premises vEdge in front of 10.1.1.0/24.]
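The two route tables above are the end-to-end check that the Cloud onRamp plumbing worked. As an added example, not part of the Cisco deck, the Python below parses vEdge `show ip route` output and encodes those expectations as checks that can run from a script over captured CLI output. The sample outputs are constructed from the two tables above (columns re-aligned, content unchanged); the prefixes, interface names and TLOC addresses are the deck's.

```python
"""Parse vEdge 'show ip route' output and check the routes Cloud onRamp should produce.
Added example, not from the Cisco deck; sample outputs are the deck's two summarised tables."""
from __future__ import annotations
from dataclasses import dataclass

COLUMNS = ("vpn", "prefix", "protocol", "sub_type", "if_name", "nexthop_addr",
           "nexthop_vpn", "tloc_ip", "color", "encap", "status")


@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    protocol: str
    sub_type: str
    if_name: str
    nexthop_addr: str
    nexthop_vpn: str
    tloc_ip: str
    color: str
    encap: str
    status: str


def parse_vedge_routes(text: str) -> list[Route]:
    """Keep only the 11-column data rows; prompts, headers and separators are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or not parts[0].isdigit():
            continue
        fields = dict(zip(COLUMNS, parts))
        fields["vpn"] = int(fields["vpn"])
        routes.append(Route(**fields))
    return routes


def find_routes(routes: list[Route], **want) -> list[Route]:
    """Routes whose fields equal every keyword given, e.g. prefix='172.16.0.0/16', protocol='omp'."""
    return [r for r in routes if all(getattr(r, k) == v for k, v in want.items())]


def check_transit_vedge(routes: list[Route]) -> list[str]:
    """Transit-VPC vEdge: the host VPC CIDR must come from the VGW via eBGP over ipsec8 and
    the on-premises prefix via OMP. Returns the problems found (empty == healthy)."""
    problems = []
    bgp = find_routes(routes, vpn=1, prefix="172.16.0.0/16", protocol="bgp")
    if not bgp:
        problems.append("host VPC 172.16.0.0/16 not learned via BGP in VPN 1")
    elif (bgp[0].if_name, bgp[0].nexthop_addr) != ("ipsec8", "169.254.10.13"):
        problems.append("172.16.0.0/16 learned, but not over ipsec8 from VGW 169.254.10.13")
    if not find_routes(routes, vpn=1, prefix="10.1.1.0/24", protocol="omp"):
        problems.append("on-premises 10.1.1.0/24 not learned via OMP in VPN 1")
    return problems


def check_onprem_vedge(routes: list[Route], min_paths: int = 2) -> list[str]:
    """On-premises vEdge: the host VPC CIDR should arrive via OMP from at least min_paths
    TLOCs (one per transit vEdge); fewer means the transit VPC has lost its redundancy."""
    tlocs = {r.tloc_ip for r in find_routes(routes, vpn=1, prefix="172.16.0.0/16", protocol="omp")}
    if len(tlocs) < min_paths:
        return [f"172.16.0.0/16 reachable via {len(tlocs)} TLOC(s), expected at least {min_paths}"]
    return []


# Constructed from the deck's two tables (columns re-aligned, content unchanged).
TRANSIT_OUTPUT = """\
vedge-aws-01# show ip route
OUTPUT SUMMARIZED...
                                  PROTOCOL  NEXTHOP  NEXTHOP        NEXTHOP
VPN PREFIX           PROTOCOL   SUB TYPE  IF NAME  ADDR           VPN  TLOC IP  COLOR            ENCAP  STATUS
---------------------------------------------------------------------------------------------------------
1   10.1.1.0/24      omp        -         -        -              -    1.1.1.4  public-internet  ipsec  F,S
1   169.254.8.40/30  connected  -         ipsec7   -              -    -        -                -      F,S
1   169.254.10.12/30 connected  -         ipsec8   -              -    -        -                -      F,S
1   172.16.0.0/16    bgp        e         ipsec8   169.254.10.13  -    -        -                -      F,S
"""
ONPREM_OUTPUT = """\
vedge-01# show ip route
1   10.1.1.0/24      connected  -         ge0/1    -              -    -        -                -      F,S
1   172.16.0.0/16    omp        -         -        -              -    2.2.2.5  default          ipsec  F,S
1   172.16.0.0/16    omp        -         -        -              -    2.2.2.6  default          ipsec  F,S
"""
```

Run `check_transit_vedge(parse_vedge_routes(text))` on the transit vEdge's output and `check_onprem_vedge(...)` on the on-premises one; each returns an empty list when the routes match the deck's expectations and a list of human-readable problems otherwise, which is what a post-deployment smoke test or a monitoring hook wants.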
DMVPN – Dynamic Multipoint VPN
Merging in Multicloud to an Existing Branch/WAN Deployment
DMVPN (Dynamic Multipoint VPN)
• Cisco DMVPN
• https://www.cisco.com/c/en/us/products/security/dynamic-multipoint-vpn-dmvpn/index.html
• Cisco Live DMVPN
• https://www.ciscolive.com/global/on-demand-library/?search=dmvpn#/
• Cisco IWAN CVD
• https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/branch-wan-edge.html
• DMVPN is a Cisco innovation for building GRE/mGRE + IPsec VPN connections in a dynamic and scalable manner
Terminology and Features
[Diagram: a core network with overlay addresses 192.168.128.0/17 behind Hub 1 and Hub 2, with 192.168.101.0/24, 192.168.102.0/24, 192.168.1.0/24 and 192.168.2.0/24 as the example prefixes around them. It labels each hub's Tunnel Address (the overlay address on the mGRE tunnel interface), its NBMA Address (the routable underlay address the tunnel is sourced from) and the on-demand spoke tunnels.]
DMVPN Components
• Next Hop Resolution Protocol (NHRP)
• Creates a distributed (NHRP) mapping database of all the spokes' tunnel addresses to their real (public interface) addresses
• Routing
• Dynamic advertisement of branch networks; almost all routing protocols (EIGRP, RIP, OSPF, BGP, ODR) are supported
DMVPN Implementation
[Diagram: spoke-to-hub tunnels, spoke-to-spoke tunnels and 2547oDMVPN (BGP/MPLS VPN over DMVPN) tunnels.]
Google Cloud Platform – Cisco CSR and DMVPN
GCP to On Premises CSR – IPsec VPN
Example 1: BGP <> OSPF Redistribution
[Diagram: Google Cloud VPN, with the Google Cloud Router speaking BGP AS65000, runs an IPsec/IKEv2 tunnel-mode VPN to the on-premises Cisco CSR1000v (BGP AS65002); tunnel addresses 169.254.0.1 (GCP) and 169.254.0.2 (CSR), callouts 1 and 2 marking the two ends. GCP side: a Compute Engine VM (.30) on the default network 10.138.0.0/20, public endpoint 35.xxx.xxx.x. On-premises side: the CSR's public address is 192.xxx.xxx.x and it is .1 on the private network 192.168.200.0/24 in OSPF 10 Area 0 behind a hypervisor. BGP and OSPF are redistributed into each other.]
GCP CSR to On Premises CSR – IPsec VPN
Example 2
[Diagram: a Cisco CSR1000v in Compute Engine with its outside interface at 10.138.0.100 on the default network 10.138.0.0/20 (external IP 35.xxx.xxx.x) and its inside interface at 10.0.1.2 on inside-network 10.0.1.0/24, where a test VM sits at 10.0.1.3. It runs an IPsec/IKEv2 tunnel-mode VPN to the on-premises CSR1000v (192.xxx.xxx.x, .1 on 192.168.200.0/24, OSPF 10 Area 0 behind a hypervisor). OSPF runs over the tunnel; no BGP.]
GCP CSR to On Premises CSR – DMVPN
[Diagram: the same topology carried over DMVPN. The GCP CSR is a spoke with tunnel address 10.1.0.1; the on-premises CSR is the hub with tunnel address 10.1.0.2; OSPF runs over the mGRE tunnel and OSPF 10 Area 0 on the premises network 192.168.200.0/24.]
Routes the GCP side should see: 192.168.200.0/24
Routes the on-premises side should see: 10.0.1.0/24
gcloud – Create the GCP External IP, Inside VPC
Network and Route
Create a new external IP reservation that will be used for the GCP CSR NATed connection (or use an existing one)
# gcloud compute addresses create csr-to-csr-ext-ip --region us-west1
Create a new GCP inside network that will be attached to the ‘inside’ interface of the CSR
# gcloud compute networks create inside-network --subnet-mode=custom
Create a new GCP inside subnet - Associate it with the inside network
# gcloud compute networks subnets create inside-subnet \
--network=inside-network \
--range=10.0.1.0/24
Create a new GCP route from the CSR inside network to the On Premises private network which routes through the IPsec VPN
# gcloud compute routes create inside-to-csr-private \
--network=inside-network \
--destination-range=192.168.200.0/24 \
--next-hop-address=10.0.1.2
gcloud – Create GCP Firewall Rules
Create a new GCP firewall rule to allow traffic into the inside CSR network from the default network and from the On Premises network. The slide used --source-ranges=0.0.0.0/0; GCP evaluates the packet's real source address at the receiving VM, and on-premises hosts reach the inside VMs with their 192.168.200.0/24 addresses through the CSR, so naming those two prefixes gives the same result with least privilege
# gcloud compute firewall-rules create allow-default-to-csr-inside \
--direction=INGRESS \
--network=inside-network \
--action=ALLOW \
--rules=all \
--source-ranges=10.138.0.0/20,192.168.200.0/24
Create a new GCP firewall rule on the default network to admit IKE (UDP 500), IKE NAT-T and UDP-encapsul ated ESP (UDP 4500) and raw ESP from the On Premises CSR public IP only. Once tunnel protection is on, DMVPN's GRE travels inside ESP, so no GRE rule is needed
# gcloud compute firewall-rules create csr-csr-vpn \
--direction=INGRESS \
--network=default \
--action=ALLOW \
--rules=udp:500,udp:4500,esp \
--source-ranges=192.xxx.xxx.x
gcloud – Create CSR and Test Instances
Create a new GCE CSR instance and set fixed IPv4 addresses to each of the two interfaces
# gcloud compute instances create "csr-gcp-01" \
--zone "us-west1-a" \
--machine-type "n1-standard-4" \
--network-interface subnet="default",private-network-ip="10.138.0.100",address="35.xxx.xxx.x" \
--can-ip-forward \
--network-interface subnet="inside-subnet",private-network-ip="10.0.1.2",no-address \
--image "name_of_csr_image" \
--boot-disk-size "10" \
--boot-disk-type "pd-standard" \
--boot-disk-device-name "csr-gcp-01"
Create a new GCE test instance that will be used to validate the VPN and routing
# gcloud compute instances create "csr-inside-vm" \
--zone "us-west1-a" \
--machine-type "g1-small" \
--subnet "inside-subnet" \
--private-network-ip "10.0.1.3" \
--image "debian-9-stretch-v20170918" \
--image-project "debian-cloud" \
--boot-disk-size "10" \
--boot-disk-type "pd-standard" \
--boot-disk-device-name "csr-inside-vm"
Connect to the new GCP-hosted CSR and enable the GigabitEthernet 2 interface for DHCP ... Output summarised
csr1kv-gcp#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
csr1kv-gcp(config)#interface gigabitEthernet 2
csr1kv-gcp(config-if)#ip address dhcp
csr1kv-gcp(config-if)#no shutdown
Wait a few seconds and check to make sure that both interfaces on the CSR are up and have the correct IP addresses (GigabitEthernet1 got 10.138.0.100 from the instance metadata, GigabitEthernet2 got 10.0.1.2 from DHCP):
csr1kv-gcp#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.138.0.100    YES TFTP   up                    up
GigabitEthernet2       10.0.1.2        YES DHCP   up                    up
GCP Cisco CSR DMVPN Config ... Output summarised
Spoke (the crypto policy on the left of the slide; the tunnel, outside interface, OSPF and default route on the right)
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 identity local address 35.xxx.xxx.x
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 description DMVPN
 ip address 10.1.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp network-id 100
 ip nhrp nhs 10.1.0.2 nbma 192.xxx.xxx.x multicast
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet1
 description Internet
 ip address 10.138.0.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.1
 network 10.0.1.0 0.0.0.255 area 1
 network 10.1.0.0 0.0.0.255 area 0
!
! default route via the GCP default-network gateway (the slide prints a truncated "138.0.0.1")
ip route 0.0.0.0 0.0.0.0 10.138.0.1
Notes on the spoke: IKEv2 with AES-256-GCM and DH group 19 (256-bit ECP) is a sound policy, and transport mode keeps the GRE/IPsec overhead within the 1400-byte ip mtu and 1360-byte adjust-mss (ip mtu minus the 20-byte IPv4 and 20-byte TCP headers). The keyring accepts any peer address with one PSK and the profile matches any remote identity, so any host that knows the PSK can bring up a tunnel; fine for a lab, but use per-peer keys or certificates in production. The spoke identifies itself as its external address 35.xxx.xxx.x although GigabitEthernet1 carries the private 10.138.0.100, because GCP maps the external IP 1:1 onto the VM. ip ospf authentication-key only stores a key; without ip ospf authentication on Tunnel0 (or area authentication under router ospf) OSPF authentication is not actually enabled, and when it is enabled the type-7 key and cleartext OSPF password should give way to message-digest or key-chain authentication. The spoke also has no ip nhrp shortcut, so with only ip nhrp redirect on the hub, spoke-to-spoke traffic keeps hairpinning through the hub.
On Premises Cisco CSR DMVPN Config ... Output summarised
Hub (the crypto policy is identical to the spoke's; the hub-specific lines are the NHRP multicast mapping and redirect)
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 identity local address 192.xxx.xxx.x
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 description DMVPN
 ip address 10.1.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet1
 description Internet
 ip address 192.xxx.xxx.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.2
 network 10.1.0.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.xxx.xxx.x
ip nhrp map multicast dynamic lets the hub replicate OSPF multicast hellos to every spoke that registers, and ip nhrp redirect lets it tell spokes to resolve each other directly; both spokes in this deck omit ip nhrp shortcut, so that resolution never happens and spoke-to-spoke traffic stays on the hub.
... Output summarised
On the on-premises CSR, check for the VPC inside network route (10.0.1.0/24); it is inter-area (O IA) because the spoke places 10.0.1.0/24 in area 1 and the tunnel in area 0
csr-mc-01#show ip route | i 10.0.1.0
. . .
O IA 10.0.1.0/24 [110/1001] via 10.1.0.1, 00:40:08, Tunnel0
Connect to the GCP test instance that was created earlier and ping the on-premises private network
# gcloud compute ssh "csr-inside-vm"
Amazon Web Services –
Cisco CSR and DMVPN
AWS with Cisco CSR 1000v Support
• Amazon Web Services Marketplace + Cisco CSR:
• https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=csr&page=1&ref_=nav_search_
box
AWS to On Premises CSR – IPsec VPN
Example 1: BGP <> OSPF Redistribution
[Diagram: an AWS VPN Gateway (BGP AS64512) in front of the VPC network 172.31.0.0/16, public endpoint 52.xxx.xxx.x, runs an IPsec/IKEv2 tunnel-mode VPN to the on-premises Cisco CSR1000v (BGP AS65002) at 192.xxx.xxx.x; tunnel addresses 169.254.11.177 (AWS) and 169.254.11.178 (CSR). On-premises the CSR is .1 on the private network 192.168.200.0/24 in OSPF 10 Area 0 behind a hypervisor; BGP and OSPF are redistributed into each other.]
AWS CSR to On Premises CSR – IPsec VPN
Example 2
[Diagram: a Cisco CSR1000v in the VPC with its outside interface on the public-side network 172.16.1.0/24 (EIP 52.xxx.xxx.x) and its inside interface on the VPC network 172.16.2.0/24, running an IPsec/IKEv2 tunnel-mode VPN to the on-premises CSR1000v (192.xxx.xxx.x, .1 on 192.168.200.0/24, OSPF 10 Area 0 behind a hypervisor). OSPF runs over the tunnel; no BGP.]
AWS CSR to On Premises CSR – DMVPN
[Diagram: the same topology carried over DMVPN. The AWS CSR is a spoke with tunnel address 10.1.0.4; the on-premises CSR is the hub at 10.1.0.2; OSPF runs over the mGRE tunnel.]
Routes the AWS side should see: 192.168.200.0/24
Routes the on-premises side should see: 172.16.2.0/24 (the slide prints 172.16.2.0/16; the VPC network is a /24)
AWS CLI: Create VPC, Subnets and Internet GW
Create a new AWS VPC (vpc)
# aws ec2 create-vpc --cidr-block 172.16.0.0/16
Create a new subnet in the VPC (this one will be used for the CSR's 'outside' interface)
# aws ec2 create-subnet --vpc-id vpc-66a0a102 --cidr-block 172.16.1.0/24
Create another new subnet in the VPC (this one will be used for the CSR's 'inside' interface)
# aws ec2 create-subnet --vpc-id vpc-66a0a102 --cidr-block 172.16.2.0/24
The Internet gateway creation and its attachment to the VPC are not shown on the slide; the route tables below reference it as igw-591fba3d
AWS CLI: Create Route Tables
Create a new route table in the VPC (rtb) that will be used by the CSR's 'outside' subnet
# aws ec2 create-route-table --vpc-id vpc-66a0a102
Create a new default route in the 'outside' route table and point it to the Internet gateway
# aws ec2 create-route --route-table-id rtb-aaa37dcd --destination-cidr-block 0.0.0.0/0 --gateway-id igw-591fba3d
Create a new route table in the VPC (rtb) that will be used by the CSR's 'inside' subnet
# aws ec2 create-route-table --vpc-id vpc-66a0a102
Create a new default route in the route table for the 'inside' subnet and point it to the Internet gateway
# aws ec2 create-route --route-table-id rtb-3741e750 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-591fba3d
Create a route in the 'inside' route table for the On Premises private network (192.168.200.0/24) via the CSR's 'inside' network interface (eni-af67db80); this is the AWS counterpart of the gcloud route to 10.0.1.2 earlier
# aws ec2 create-route --route-table-id rtb-3741e750 --destination-cidr-block 192.168.200.0/24 --network-interface-id eni-af67db80
Associate the new route table with the 'inside' VPC subnet (associate the 'outside' route table with the 'outside' subnet the same way; not shown on the slide)
# aws ec2 associate-route-table --subnet-id subnet-c617baa1 --route-table-id rtb-3741e750
Reference
AWS CLI: Create a Security Group/Rules
Create a new security group for the 'outside' facing interface (Optional: You can just use an existing group)
# aws ec2 create-security-group --group-name csr --description csr-rules --vpc-id vpc-66a0a102
Create a new security group rule for ICMP from the other CSRs (On Premises and GCP CSR [optional: Just showing the format for your use])
# aws ec2 authorize-security-group-ingress --group-id sg-65c39b03 \
--ip-permissions '[{"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "192.x.x.x/32"}, {"CidrIp": "35.x.x.x/32"}]}]'
Create a new security group rule for ESP (IP protocol 50) from the other CSRs
# aws ec2 authorize-security-group-ingress --group-id sg-65c39b03 \
--ip-permissions '[{"IpProtocol": "50", "IpRanges": [{"CidrIp": "192.x.x.x/32"}, {"CidrIp": "35.x.x.x/32"}]}]'
Create a new security group rule for IKE (UDP 500) from the other CSRs
# aws ec2 authorize-security-group-ingress --group-id sg-65c39b03 \
--ip-permissions '[{"IpProtocol": "17", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "192.x.x.x/32"}, {"CidrIp": "35.x.x.x/32"}]}]'
Create a new security group rule for IKE NAT-T and UDP-encapsulated ESP (UDP 4500) from the other CSRs
# aws ec2 authorize-security-group-ingress --group-id sg-65c39b03 \
--ip-permissions '[{"IpProtocol": "17", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "192.x.x.x/32"}, {"CidrIp": "35.x.x.x/32"}]}]'
Optional: You may want to create a security group just for the 'inside' subnet that has different rules than the one for the 'outside' subnet. Security groups are stateful, so the return half of sessions the CSR initiates needs no rule of its own; the two rules below admit traffic that arrives unsolicited at the inside hosts
Allow all traffic into the 'inside' security group from the On Premises private network, which reaches the inside subnet through the tunnel with its real source addresses
# aws ec2 authorize-security-group-ingress --group-id sg-84aef7e2 --protocol all --cidr 192.168.200.0/24
Allow all traffic into the 'inside' security group from the 'inside' subnet itself
# aws ec2 authorize-security-group-ingress --group-id sg-84aef7e2 --protocol all --cidr 172.16.2.0/24
AWS CLI: Run a new CSR Instance Using Previous Parameters
csr-create.json
{
  "ImageId": "ami-99e5d0f9",
  "InstanceType": "t2.medium",
  "KeyName": "mc-aws-key",
  "NetworkInterfaces": [
    {
      "DeviceIndex": 0,
      "Description": "Primary network interface",
      "Groups": ["sg-65c39b03"],
      "PrivateIpAddresses": [{"Primary": true, "PrivateIpAddress": "172.16.1.10"}],
      "SubnetId": "subnet-0c15b86b"
    },
    {
      "DeviceIndex": 1,
      "PrivateIpAddresses": [{"Primary": true, "PrivateIpAddress": "172.16.2.10"}],
      "SubnetId": "subnet-c617baa1"
    }
  ]
}
The second interface names no "Groups", so it receives the VPC's default security group; the optional 'inside' group (sg-84aef7e2) from the previous slide has to be attached to it separately
Create a CSR instance using the JSON file shown above
# aws ec2 run-instances --cli-input-json file://csr-create.json
Create a tag/name and associate it with the CSR (Optional)
# aws ec2 create-tags --resources i-0f2a0ee857e9c2540 --tags Key=Name,Value=csr-aws-01
Create a new Elastic IP (EIP) allocation (or use an existing one); the CLI returns the allocation ID, domain and address
# aws ec2 allocate-address
eipalloc-ab35cb96 vpc 52.xxx.xxx.x
Associate the EIP with the 'outside' interface of the CSR (GigabitEthernet 1)
# aws ec2 associate-address --allocation-id eipalloc-ab35cb96 --network-interface-id eni-dd5bd6f2
Disable source/destination checking on the 'inside' network interface; otherwise EC2 drops the on-premises-bound traffic the CSR forwards on behalf of other hosts
# aws ec2 modify-network-interface-attribute --network-interface-id eni-af67db80 --source-dest-check "{\"Value\": false}"
A note about NAT: If you plan to use the CSR for NAT operation, you must disable source/destination checking on the outside CSR interface/subnet as well
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
Connect to the AWS CSR – Enable Interfaces
Connect to the new AWS-hosted CSR and enable the GigabitEthernet 2 interface for DHCP
# ssh -i "mc-aws-key.pem" ec2-user@52.xxx.xxx.x
csr-aws-01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
csr-aws-01(config)#interface gigabitEthernet 2
csr-aws-01(config-if)#ip address dhcp
csr-aws-01(config-if)#no shutdown
Wait a few seconds and check to make sure that both interfaces on the CSR are up and have the correct
IP addresses:
csr-aws-01#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.16.1.10 YES DHCP up up
GigabitEthernet2 172.16.2.10 YES DHCP up up
VirtualPortGroup0 192.168.35.1 YES TFTP up up
Note: This can all be automated (along with the DMVPN configs) by creating AWS CloudFormation templates
AWS Cisco CSR DMVPN Config ... Output summarised
Spoke (crypto policy on the left of the slide; tunnel, outside interface, OSPF and default route on the right)
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 identity local address 52.xxx.xxx.x
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 description DMVPN
 ip address 10.1.0.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp network-id 100
 ip nhrp nhs 10.1.0.2 nbma 192.xxx.xxx.x multicast
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet1
 description Internet
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.4
 network 172.16.2.0 0.0.0.255 area 2
 network 10.1.0.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
Differences from the GCP spoke: the tunnel address is 10.1.0.4, the IKEv2 identity is the EIP 52.xxx.xxx.x (GigabitEthernet1 itself holds 172.16.1.10 from DHCP behind the 1:1 EIP mapping), the VPC-side subnet 172.16.2.0/24 sits in OSPF area 2, and the default route points at the 'outside' subnet's gateway 172.16.1.1.
... Output summarised
On Premises Cisco CSR DMVPN Config
Hub – Nothing ever changes on the hub for each example; the on-premises hub configuration is the one shown in the GCP section (tunnel address 10.1.0.2, ip nhrp map multicast dynamic and ip nhrp redirect on Tunnel0, identity and default route via 192.xxx.xxx.x).
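The spoke and hub configurations in the GCP and AWS sections share one crypto policy and one tunnel template, and the points worth checking on them are the same each time: tunnel protection present, NHRP authentication set, Phase 3 shortcut signalling on both sides, the adjust-mss/ip mtu relationship, no weak transforms or DH groups, and the trade-offs of a wildcard PSK and a type-7 OSPF key. As an added example, not from the Cisco deck, the Python below parses an IOS running-config into stanzas and audits those properties. SPOKE_CONFIG is a trimmed copy of the deck's spoke with the public addresses replaced by documentation-range placeholders (203.0.113.10 and 192.0.2.1); the check names and thresholds are this example's own.

```python
"""Audit a DMVPN spoke/hub running-config for the properties the deck relies on.
Added example, not from the Cisco deck. SPOKE_CONFIG is a trimmed copy of the
deck's spoke; 203.0.113.10 and 192.0.2.1 are documentation-range placeholders."""
from __future__ import annotations
import re

WEAK_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups of 1536 bits or less


def parse_ios_blocks(config: str) -> dict[str, list[str]]:
    """Group a running-config into top-level stanzas keyed by their header line.
    Indented lines belong to the preceding unindented header; a bare '!' closes it."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            current = None
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def expected_mss(ip_mtu: int) -> int:
    """MSS the tunnel should clamp to: ip mtu minus the 20-byte IPv4 and 20-byte TCP headers."""
    return ip_mtu - 40


def audit_dmvpn(config: str, role: str) -> list[str]:
    """role is 'hub' or 'spoke'. Returns findings; an empty list means nothing to flag."""
    blocks = parse_ios_blocks(config)
    findings: list[str] = []
    tunnel = next((v for k, v in blocks.items() if k.startswith("interface Tunnel")), None)
    if tunnel is None:
        return ["no Tunnel interface found"]
    t = "\n".join(tunnel)
    if "tunnel protection ipsec profile" not in t:
        findings.append("unencrypted: Tunnel has no 'tunnel protection ipsec profile'")
    if "ip nhrp authentication" not in t:
        findings.append("no 'ip nhrp authentication': any NBMA host can register with the hub")
    if role == "spoke" and "ip nhrp shortcut" not in t:
        findings.append("spoke lacks 'ip nhrp shortcut': spoke-to-spoke traffic hairpins via the hub")
    if role == "hub" and "ip nhrp redirect" not in t:
        findings.append("hub lacks 'ip nhrp redirect': no Phase 3 shortcut signalling")
    if re.search(r"ip ospf authentication-key 7 ", t):
        findings.append("OSPF simple-password auth with a type-7 key: reversible encoding and a "
                        "cleartext password inside the tunnel; use message-digest or a key chain")
    mtu = re.search(r"ip mtu (\d+)", t)
    mss = re.search(r"ip tcp adjust-mss (\d+)", t)
    if mtu and mss and int(mss.group(1)) != expected_mss(int(mtu.group(1))):
        findings.append(f"adjust-mss {mss.group(1)} does not match ip mtu {mtu.group(1)}")
    if not any(k.startswith("crypto ikev2 profile") for k in blocks):
        findings.append("no IKEv2 profile: the IPsec profile would negotiate with IKEv1")
    for header, lines in blocks.items():
        if header.startswith("crypto ipsec transform-set") and any(w in header for w in WEAK_TRANSFORMS):
            findings.append(f"weak transform-set: {header}")
        if header.startswith("crypto ikev2 proposal"):
            for line in lines:
                weak = WEAK_DH_GROUPS & set(line.split()[1:]) if line.startswith("group ") else set()
                if weak:
                    findings.append(f"weak IKEv2 DH group(s) {sorted(weak)} in '{header}'")
        if header.startswith("crypto ikev2 keyring") and "address 0.0.0.0 0.0.0.0" in lines:
            findings.append("wildcard pre-shared key (peer 0.0.0.0/0): anyone holding the PSK can "
                            "authenticate; use per-peer keys or certificates in production")
    return findings


SPOKE_CONFIG = """\
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 identity local address 203.0.113.10
 authentication remote pre-share
 keyring local DMVPN-KEYRING
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 ip address 10.1.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp network-id 100
 ip nhrp nhs 10.1.0.2 nbma 192.0.2.1 multicast
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
"""
```

`audit_dmvpn(SPOKE_CONFIG, "spoke")` returns exactly the three findings discussed in the notes above (missing `ip nhrp shortcut`, the type-7 OSPF key, the wildcard PSK) and nothing about the crypto policy, which is what a reviewer would expect from this deck's spoke; pointing it at `show running-config` output of a hub with role "hub" flags a missing `ip nhrp redirect` instead.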
... Output summarised
On AWS check for the route for the on-premises network (192.168.200.0/24)
csr-aws-01#show ip route | i 192.168.200.0
O 192.168.200.0/24 [110/1001] via 10.1.0.2, 6d17h, Tunnel0
[Diagram: the AWS VPC network 172.16.2.0/24 with a test VM and the CSR's inside interface (.10), the spoke CSR1000v with tunnel address 10.1.0.4, the on-premises hub CSR1000v with tunnel address 10.1.0.2 (.1 on the private network 192.168.200.0/24, behind a hypervisor), OSPF running over the DMVPN tunnel.]
For Reference
Amazon Web Services – Marketplace-based Launch Walk-thru
AWS Marketplace CSR Launch – Console (1)
AWS Launch CSR as an Instance – Console (1) through (10)
[Console screenshots only; the numbered callouts on the slides are not reproduced here.]
Microsoft Azure – Cisco CSR and DMVPN
Azure to On Premises CSR – IPsec VPN
Example 1: BGP <> OSPF Redistribution
[Diagram: an Azure VPN Gateway (BGP AS64512) on the Vnet subnet 10.10.0.0/16, public address 40.xxx.xxx.x, runs an IPsec/IKEv2 tunnel-mode VPN to the on-premises Cisco CSR1000v (BGP AS65002) at 192.xxx.xxx.x; tunnel addresses 169.254.11.177 (Azure) and 169.254.11.178 (CSR). On-premises the CSR is .1 on the private network 192.168.200.0/24 in OSPF 10 Area 0 behind a hypervisor; BGP and OSPF are redistributed into each other.]
Azure CSR to On Premises CSR – IPsec VPN
Example 2
[Diagram: a Cisco CSR1000v in Azure with its outside interface on the outside subnet 10.10.0.0/24 (public address 40.xxx.xxx.x) and its inside interface on the inside subnet 10.10.1.0/24, running an IPsec/IKEv2 tunnel-mode VPN to the on-premises CSR1000v (192.xxx.xxx.x, .1 on 192.168.200.0/24, OSPF 10 Area 0 behind a hypervisor). OSPF runs over the tunnel; no BGP.]
Azure CSR to On Premises CSR – DMVPN
[Diagram: the same topology carried over DMVPN. The Azure CSR is a spoke with tunnel address 10.1.0.6; the on-premises CSR is the hub at 10.1.0.2; OSPF runs over the mGRE tunnel.]
Routes the Azure side should see: 192.168.200.0/24
Routes the on-premises side should see: 10.10.1.0/24
Microsoft Azure with Cisco CSR 1000v
Azure CLI: Create Resource Group, Networks, Subnets
Create a new Azure Resource Group (rg)
# az group create --name multicloud-rg --location westus
Create a new public (external IP) IPv4 address to be used for the CSR's 'outside' interface
# az network public-ip create --resource-group multicloud-rg --name csr-azure-01-eip --allocation-method static
Create a new virtual network (vnet) and a subnet to be used for the CSR's 'outside' interface
# az network vnet create \
--resource-group multicloud-rg \
--name mc-csr-vnet \
--address-prefix 10.10.0.0/16 \
--subnet-name csr-outside \
--subnet-prefix 10.10.0.0/24
Create a new subnet for the CSR's 'inside' interface and associate it with the vnet created above
# az network vnet subnet create \
--resource-group multicloud-rg \
--vnet-name mc-csr-vnet \
--name csr-inside \
--address-prefix 10.10.1.0/24
Azure CLI: Create Route Tables
Create a new route table (rt) that will be used for the CSR's 'outside' subnet
# az network route-table create \
--resource-group multicloud-rg \
--name csr-outside-rt
Create a new route table that will be used for the CSR's 'inside' subnet
# az network route-table create \
--resource-group multicloud-rg \
--name csr-inside-rt
Create a new route table entry for the 'inside' subnet to reach the On Premises network (192.168.200.0/24) via the CSR's inside IP (10.10.1.4), with the CSR as a VirtualAppliance next hop (the route name on the slide contains a space; Azure route names must be a single token)
# az network route-table route create \
--resource-group multicloud-rg \
--name csr-to-On Premises-route \
--route-table-name csr-inside-rt \
--address-prefix 192.168.200.0/24 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 10.10.1.4
Azure CLI: Create Network Security Group (NSG) Reference
Create a new Network Security Group (NSG) to be used for the ‘outside’ CSR interface
# az network nsg create \
--resource-group multicloud-rg \
--name csr-nsg-outside
Create a new NSG rule to allow inbound SSH access to the CSR (can make it specific to an IP/Prefix)
# az network nsg rule create \
--resource-group multicloud-rg \
--nsg-name csr-nsg-outside \
--name SSHRule \
--priority 100 \
--source-address-prefixes 'Internet' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 22 \
--access Allow \
--protocol Tcp \
--direction inbound
Create a new NSG rule to allow inbound UDP 500 (IKE) traffic to the CSR (can make it specific to an IP/Prefix)
# az network nsg rule create \
--resource-group multicloud-rg \
--nsg-name csr-nsg-outside \
--name UDP-500 \
--priority 101 \
--source-address-prefixes 'Internet' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 500 \
--access Allow \
--protocol Udp \
--direction inbound
Azure CLI: Create NSG Rule and NICs Reference
Create a new NSG rule to allow inbound UDP 4500 (IPsec NAT-T) traffic to the CSR (can make it specific to an IP/Prefix)
# az network nsg rule create \
--resource-group multicloud-rg \
--nsg-name csr-nsg-outside \
--name UDP-4500 \
--priority 102 \
--source-address-prefixes 'Internet' \
--source-port-ranges '*' \
--destination-address-prefixes '*' \
--destination-port-ranges 4500 \
--access Allow \
--protocol Udp \
--direction inbound
Create a new NIC to be used by the CSR’s ‘outside’ interface. Associate the NIC with the NSG, Subnet, Public IP & enable forwarding
# az network nic create \
--resource-group multicloud-rg \
--name csr-nic-g1 \
--vnet-name mc-csr-vnet \
--subnet csr-outside \
--network-security-group csr-nsg-outside \
--ip-forwarding true \
--public-ip-address csr-azure-01-eip
Create a new NIC to be used by the CSR’s ‘inside’ interface. Associate the NIC with the subnet and enable forwarding
# az network nic create \
--resource-group multicloud-rg \
--name csr-nic-g2 \
--vnet-name mc-csr-vnet \
--subnet csr-inside \
--ip-forwarding true
Azure CLI: Run a new CSR Instance Using Previous Parameters
Create a CSR VM using an Azure Marketplace image. Associate the VM with the two NICs created earlier.
# Note: The VM can be created with a large number of options to include SSH keys, image (BYOL, # of NICs), and size
# az vm create \
--resource-group multicloud-rg \
--name csr-azure-01 \
--admin-username csr-azure \
--admin-password <PASSWORD> \
--authentication-type password \
--image cisco:cisco-csr-1000v:16_6:16.6.120170804 \
--nics csr-nic-g1 csr-nic-g2 \
--size Standard_D2_v2
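The SSHRule above admits port 22 from 'Internet', with the note that it can be narrowed to an IP/prefix. As an added example (not from the session or from Cisco), the following Python audits the JSON that `az network nsg rule list -o json` prints for inbound Allow rules that expose a management port to the whole Internet and builds the `az network nsg rule update` call that narrows them; the sample rule list is constructed to mirror the three rules above, and `<ADMIN_PREFIX>` is a placeholder.

```python
import json

# TCP ports that should only be reachable from an administrative prefix; the
# IKE/NAT-T UDP rules (500/4500) are expected to face the Internet.
MGMT_PORTS = {"22": "SSH", "3389": "RDP"}
# Source prefixes that mean "anyone on the Internet".
OPEN_SOURCES = {"Internet", "*", "0.0.0.0/0"}

# Constructed sample of `az network nsg rule list -o json` output, mirroring
# the SSHRule, UDP-500 and UDP-4500 rules created on csr-nsg-outside.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "SSHRule", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "UDP-500", "priority": 101, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRange": "500"},
    {"name": "UDP-4500", "priority": 102, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRange": "4500"},
])


def _values(rule, singular, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    values = list(rule.get(plural) or [])
    if rule.get(singular):
        values.append(rule[singular])
    return values


def _port_covered(spec, port):
    """True if a port spec such as '22', '*' or '20-25' covers the given port."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= int(port) <= int(high)
    return spec == port


def find_exposed_mgmt_rules(rules_json):
    """Return (rule name, service) pairs for inbound Allow rules that open a
    management port to the whole Internet."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "").lower() != "inbound":
            continue
        if rule.get("access", "").lower() != "allow":
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "*"):
            continue  # MGMT_PORTS are TCP services; a UDP-only rule cannot expose them
        sources = set(_values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
        if not sources & OPEN_SOURCES:
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, service in MGMT_PORTS.items():
            if any(_port_covered(spec, port) for spec in ports):
                findings.append((rule["name"], service))
    return findings


def restrict_command(rule_name, admin_prefix, rg="multicloud-rg", nsg="csr-nsg-outside"):
    """Build the `az network nsg rule update` call that narrows the rule's source."""
    return (f"az network nsg rule update --resource-group {rg} --nsg-name {nsg} "
            f"--name {rule_name} --source-address-prefixes {admin_prefix}")


if __name__ == "__main__":
    for name, service in find_exposed_mgmt_rules(SAMPLE_RULES_JSON):
        print(f"{name}: {service} reachable from the Internet")
        print("  fix:", restrict_command(name, "<ADMIN_PREFIX>"))
```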
Connect to the Azure CSR – Enable Interfaces
Connect to the new Azure-hosted CSR and enable the GigabitEthernet 2 interface for DHCP
# ssh csr-azure@40.xxx.xxx.x
csr-azure-01#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
csr-azure-01(config)#interface gigabitEthernet 2
csr-azure-01(config-if)#ip address dhcp
csr-azure-01(config-if)#no shutdown
Wait a few seconds and check to make sure that both interfaces on the CSR are up and have the correct IP addresses:
csr-azure-01#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.10.0.4 YES DHCP up up
GigabitEthernet2 10.10.1.4 YES DHCP up up
VirtualPortGroup0 192.168.35.1 YES TFTP up up
Note: This can all be automated (along with the DMVPN configs) by creating Azure Automation/Resource Manager
Azure Cisco CSR DMVPN Config ... Output summarised
Spoke
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 identity local address 40.xxx.xxx.x
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 description DMVPN
 ip address 10.1.0.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp network-id 100
 ip nhrp nhs 10.1.0.2 nbma 192.xxx.xxx.x multicast
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet1
 description Internet
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.6
 network 10.1.0.0 0.0.0.255 area 0
 network 10.10.1.0 0.0.0.255 area 3
!
ip route 0.0.0.0 0.0.0.0 10.10.0.1
On Premises Cisco CSR DMVPN Config... Output summarised
Hub - Nothing ever changes on the hub for each example
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy AES/GCM/256
 match fvrf any
 proposal AES/GCM/256
!
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK_PASSWORD_GOES_HERE>
!
crypto ikev2 profile DMVPN-IKEv2-PROFILE
 description PSK Profile
 match identity remote address 0.0.0.0
 identity local address 192.xxx.xxx.x
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 40 5 on-demand
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/GCM/TRANSFORM esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
 set transform-set AES256/GCM/TRANSFORM
 set ikev2-profile DMVPN-IKEv2-PROFILE
!
interface Tunnel0
 description DMVPN
 ip address 10.1.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 ip tcp adjust-mss 1360
 ip ospf authentication-key 7 <OSPF_PASSWORD>
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface GigabitEthernet1
 description Internet
 ip address 192.xxx.xxx.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
router ospf 10
 router-id 10.1.0.2
 network 10.1.0.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 192.xxx.xxx.x
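A spoke that cannot register with the hub usually differs from it in one of a handful of lines (NHRP network-id, tunnel key, NHRP authentication string, NHS address or IKEv2 proposal). As an added example (not from the deck or from Cisco), the following Python parses IOS-style config text and cross-checks those values between a hub and a spoke, and also confirms the hub has `ip nhrp map multicast dynamic` and `ip nhrp redirect` and the spoke has `ip nhrp shortcut`. The embedded hub and spoke configs are constructed from the two slides above, trimmed to the lines the checker reads; the masked NBMA address is kept as the slide shows it.

```python
HUB_CFG = """\
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
interface Tunnel0
 ip address 10.1.0.2 255.255.255.0
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel key 100
"""

SPOKE_CFG = """\
crypto ikev2 proposal AES/GCM/256
 encryption aes-gcm-256
 prf sha512
 group 19
!
interface Tunnel0
 ip address 10.1.0.6 255.255.255.0
 ip nhrp authentication <NHRP_PASSWORD>
 ip nhrp network-id 100
 ip nhrp nhs 10.1.0.2 nbma 192.xxx.xxx.x multicast
 tunnel key 100
"""

# Tunnel0 settings that must be identical on every member of the DMVPN cloud.
SHARED_KEYS = ("ip nhrp network-id", "ip nhrp authentication", "tunnel key")


def parse_sections(cfg):
    """Map each unindented config line to the list of its indented child lines."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            sections[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            sections[current] = []
    return sections


def value_of(lines, prefix):
    """Return what follows `prefix` on the first matching line, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def check_dmvpn(hub_cfg, spoke_cfg):
    """Return the mismatches between a hub and a spoke config (empty list == consistent)."""
    hub, spoke = parse_sections(hub_cfg), parse_sections(spoke_cfg)
    h_tun, s_tun = hub["interface Tunnel0"], spoke["interface Tunnel0"]
    problems = []
    for key in SHARED_KEYS:
        if value_of(h_tun, key) != value_of(s_tun, key):
            problems.append(f"{key} differs: hub={value_of(h_tun, key)} spoke={value_of(s_tun, key)}")
    # The spoke's next-hop server must be the hub's tunnel address.
    hub_ip = value_of(h_tun, "ip address").split()[0]
    nhs = value_of(s_tun, "ip nhrp nhs")
    if nhs is None or nhs.split()[0] != hub_ip:
        problems.append(f"spoke NHS {nhs!r} does not point at hub tunnel IP {hub_ip}")
    # Hub: the multicast map carries routing hellos and redirect triggers shortcuts;
    # spoke: shortcut installs the direct spoke-to-spoke path when redirected.
    for knob in ("ip nhrp map multicast dynamic", "ip nhrp redirect"):
        if knob not in h_tun:
            problems.append(f"hub missing '{knob}'")
    if "ip nhrp shortcut" not in s_tun:
        problems.append("spoke missing 'ip nhrp shortcut' (no direct spoke-to-spoke paths)")
    # Both ends must offer a common IKEv2 proposal or IKE_SA_INIT never completes.
    h_props = [sorted(v) for k, v in hub.items() if k.startswith("crypto ikev2 proposal")]
    s_props = [sorted(v) for k, v in spoke.items() if k.startswith("crypto ikev2 proposal")]
    if not any(p in s_props for p in h_props):
        problems.append("no IKEv2 proposal in common")
    return problems
```

Calling `check_dmvpn(HUB_CFG, SPOKE_CFG)` on the slide configs reports only the missing spoke `ip nhrp shortcut`, which is what the routing example later on expects to be present for spoke-to-spoke paths.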
... Output summarised
On Azure, check for the route to the on-premises network (192.168.200.0/24):
csr-azure-01#show ip route | i 192.168.200.0
O 192.168.200.0/24 [110/1001] via 10.1.0.2, 00:17:57, Tunnel0
[Figure: Azure spoke CSR1000v (inside subnet 10.10.1.0/24, tunnel 10.1.0.6) to the on-premises hub CSR1000v (private network 192.168.200.0/24, tunnel 10.1.0.2), OSPF over DMVPN]
For Reference: Azure – Marketplace-based Launch Walk-thru
Azure Marketplace/Resource Search
Azure Marketplace – There are multiple CSR types to pick from
Azure Marketplace
Deployment Flow
Linking DMVPN Sites
DMVPN – Enable Dynamic Multicloud Networking
[Figure: Cisco DMVPN with the on-premises private cloud CSR1000v as hub (private network 192.168.200.0/24) and CSR1000v spokes in each public cloud: VPC network 172.16.2.0/24, VPC network 10.0.1.0/24 and the 10.10.1.0/24 network; routing over the DMVPN via BGP/OSPF/EIGRP]
General Guidelines for DMVPN Between Clouds
• Set the VPC routes for each site
gcloud compute routes create inside-to-aws \
--network=csr-inside-network \
--destination-range=172.16.2.0/24 \
--next-hop-address=10.0.1.2
... Output summarised
Routing Example – All Sites
• For spoke-to-spoke direct routing with DMVPN/NHRP:
• ‘ip nhrp redirect’ on the hubs
• ‘ip nhrp shortcut’ on the spokes
Route codes: IA - OSPF inter area, % - next hop override
Hub – On Premises CSR
csr-mc-01#show ip route ospf
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O IA     10.0.1.0/24 [110/1001] via 10.1.0.1, 02:40:45, Tunnel0
O        10.1.0.1/32 [110/1000] via 10.1.0.1, 02:40:45, Tunnel0
O        10.1.0.4/32 [110/1000] via 10.1.0.4, 01:18:49, Tunnel0
O        10.1.0.6/32 [110/1000] via 10.1.0.6, 00:56:19, Tunnel0
O IA     10.10.1.0/24 [110/1001] via 10.1.0.6, 00:55:34, Tunnel0
      172.16.0.0/24 is subnetted, 1 subnets
O IA     172.16.2.0 [110/1001] via 10.1.0.4, 01:18:49, Tunnel0
Spoke – Amazon Web Services CSR
csr-aws-01#show ip route ospf
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O IA%    10.0.1.0/24 [110/2001] via 10.1.0.2, 01:21:32, Tunnel0
O %      10.1.0.1/32 [110/2000] via 10.1.0.2, 01:21:32, Tunnel0
O        10.1.0.2/32 [110/1000] via 10.1.0.2, 01:21:32, Tunnel0
O %      10.1.0.6/32 [110/2000] via 10.1.0.2, 00:59:01, Tunnel0
O IA%    10.10.1.0/24 [110/2001] via 10.1.0.2, 00:58:14, Tunnel0
O        192.168.200.0/24 [110/1001] via 10.1.0.2, 01:21:32, Tunnel0
NHRP Example – Hub/Spoke
Hub – On Premises CSR
csr-mc-01#show ip nhrp
10.1.0.1/32 via 10.1.0.1
   Tunnel0 created 02:02:42, expire 00:08:17
   Type: dynamic, Flags: registered used nhop
   NBMA address: 35.xxx.xxx.x
    (Claimed NBMA address: 10.138.0.100)
10.1.0.4/32 via 10.1.0.4
   Tunnel0 created 00:42:52, expire 00:09:17
   Type: dynamic, Flags: registered used nhop
   NBMA address: 52.xxx.xxx.x
    (Claimed NBMA address: 172.16.1.10)
10.1.0.6/32 via 10.1.0.6
   Tunnel0 created 00:18:12, expire 00:08:26
   Type: dynamic, Flags: registered used nhop
   NBMA address: 40.xxx.xxx.x
    (Claimed NBMA address: 10.10.0.4)
csr-mc-01#show ip nhrp multicast
  I/F     NBMA address
Tunnel0    35.xxx.xxx.x   Flags: dynamic   (Enabled)
Tunnel0    52.xxx.xxx.x   Flags: dynamic   (Enabled)
Tunnel0    40.xxx.xxx.x   Flags: dynamic   (Enabled)
Spoke – Azure CSR
csr-azure-01#show ip nhrp
10.0.1.0/24 via 10.1.0.1
   Tunnel0 created 00:06:26, expire 00:03:32
   Type: dynamic, Flags: router rib nho
   NBMA address: 35.xxx.xxx.x
    (Claimed NBMA address: 10.138.0.100)
10.1.0.1/32 via 10.1.0.1
   Tunnel0 created 00:06:26, expire 00:03:32
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 35.xxx.xxx.x
    (Claimed NBMA address: 10.138.0.100)
10.1.0.2/32 via 10.1.0.2
   Tunnel0 created 00:21:28, never expire
   Type: static, Flags:
   NBMA address: 192.xxx.xxx.x
10.1.0.4/32 via 10.1.0.4
   Tunnel0 created 00:12:29, expire 00:02:40
   Type: dynamic, Flags: router nhop rib nho
   NBMA address: 52.xxx.xxx.x
    (Claimed NBMA address: 172.16.1.10)
10.10.1.0/24 via 10.1.0.6
   Tunnel0 created 00:08:30, expire 00:03:33
   Type: dynamic, Flags: router unique local
   NBMA address: 10.10.0.4
    (no-socket)
172.16.2.0/24 via 10.1.0.4
   Tunnel0 created 00:07:19, expire 00:02:40
   Type: dynamic, Flags: router rib nho
   NBMA address: 52.xxx.xxx.x
    (Claimed NBMA address: 172.16.1.10)
csr-azure-01#show ip nhrp multicast
  I/F     NBMA address
Tunnel0    192.xxx.xxx.x   Flags: nhs   (Enabled)
Spoke – Azure VM
shmcfarl@AzureTestVm:~$ traceroute 10.0.1.3
traceroute to 10.0.1.3 (10.0.1.3), 30 hops max, 60 byte packets
 1  10.10.1.4 (10.10.1.4)  1.220 ms  1.192 ms  1.328 ms
 2  10.0.1.3 (10.0.1.3)  25.794 ms * 25.782 ms
Split-Tunnelling/Routing Options
• All three public cloud providers allow for either split-tunnelling or forced/direct routing
• Split-tunnelling:
• Public cloud resources (instances/VMs, container clusters) will use the default VPC gateway for non-On Premises routes
• Public cloud resources will use the On Premises-specific routes advertised by the CSR
• Forced/Direct routing – All public cloud resources will use the VPN connection as their default route for ALL traffic (forces traffic through the On Premises site)
[Figure: Google Compute Engine instance 10.0.0.5 on a VPC subnetwork (gateway 10.0.0.1) with two paths: Google Cloud VPN (35.xxx.xxx.x) speaking BGP to the Cisco CSR1000v at 192.xxx.xxx.x, or External/NAT routing]
Automation Challenges
Automating the Multicloud Network
• Challenges:
• Different toolsets for different jobs (Ansible, Python, Bash scripts, Terraform, etc.)
• Different toolsets for different clouds (Heat for OpenStack, CloudFormation for AWS, Deployment Manager for GCP, Azure Automation)
• Different toolsets for different vendor products (Cisco NSO, CloudCentre, Prime, YANG development kit, etc.)
Amazon CloudFormation
• https://aws.amazon.com/cloudformation/
• Sometimes you need to run more than one stack (in order) to get what you need
• Example template: https://github.com/shmcfarl/multicloud/tree/master/aws/cloudformation
Google Cloud Platform – Deployment Manager
• https://cloud.google.com/deployment-manager/
• Sometimes you need to run more than one stack (in order) to get what you need
• Example templates: https://github.com/shmcfarl/multicloud/tree/master/gcp/deployment-manager
Microsoft Azure Automation/Resource Manager
• https://azure.microsoft.com/en-us/services/automation/
• Example template: https://github.com/shmcfarl/multicloud/blob/master/azure/resource-manager/az-arm-csr-cleaned.json
Call APIs Directly
• Google Cloud Platform: https://cloud.google.com/compute/docs/reference/latest/
Google VPN – Creating Google VPN, Router, IPsec, BGP via REST APIs
Google Cloud API – Creating GCP Cloud VPN/Routers
• Assumptions/environment:
• Understand how to authenticate to GCP APIs: https://cloud.google.com/docs/authentication/
• In this example, the Paw application was used to craft GET, POST and PATCH calls
• Some configurations have been sanitised for security purposes
• Have On Premises Cloud infrastructure deployed and a CSR/ASR configured (can be done after the GCP side is deployed)
• In this example, the configuration will be deployed against the OpenStack use case discussed in the earlier slides
• In this example, the default network created by GCP will be used
• Note: gcloud has VERY long delays in commands if you have IPv6 enabled on your local machine – set to “link-local” mode on your Mac
Reference Topology for GCP API Example
[Figure: GCP default network 10.138.0.0/20 behind Google Cloud VPN (35.yyy.yyy.y, BGP link-local 169.254.0.5) connected by an IPsec/IKEv2 tunnel-mode VPN to the on-premises CSR (192.yyy.yyy.y, BGP link-local 169.254.0.6, .11 on the private network 172.16.0.0/24); OSPF 10 Area 0 on premises with OSPF<>BGP redistribution]
... Output summarised
GCP API (1) – Create VPN GW and External IP
POST: Create VPN Gateway
POST /compute/v1/projects/<gcp_project_number>/regions/us-west1/targetVpnGateways HTTP/1.1
Authorization: Bearer XXXX
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
Content-Length: 138
{
"name": "csr-gcp-os-aio-gw",
"network": "projects/<gcp_project_number>/global/networks/default",
"region": "projects/<gcp_project_number>/regions/us-west1"
}
POST: Create External IP address (request body)
{
"name": "gcp-to-os-dmz"
}
... Output summarised
GCP API (2) – Create Forwarding Rules
POST: Create Forwarding rule for ESP
POST /compute/v1/projects/<gcp_project_number>/regions/us-west1/forwardingRules HTTP/1.1
Authorization: Bearer XXXX
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
Content-Length: 257
{
"name": "csr-gcp-os-aio-rule-esp",
"IPProtocol": "ESP",
"IPAddress": "35.yyy.yyy.y",
"region": "projects/<gcp_project_number>/regions/us-west1",
"target": "https://www.googleapis.com/compute/v1/projects/<gcp_project_number>/regions/us-west1/targetVpnGateways/csr-gcp-os-aio-gw"
}
... Output summarised
GCP API (3) – Create Cloud Router and BGP Session
POST /compute/v1/projects/<gcp_project_number>/regions/us-west1/routers HTTP/1.1
Authorization: Bearer XXXX
Content-Type: application/json; charset=utf-8
Host: www.googleapis.com
Connection: close
Content-Length: 574
{
"name": "csr-gcp-os-bgp-rtr",
"bgp": {
"asn": "65000"
},
"interfaces": [
{
"name": "if-csr-gcp-os-bgp-rtr-02",
"linkedVpnTunnel": "https://www.googleapis.com/compute/v1/projects/<gcp_project_number>/regions/us-west1/vpnTunnels/csr-gcp-os-aio-gw-tunnel-1",
"ipRange": "169.254.0.5/30"
}
],
"bgpPeers": [
{
"name": "csr-gcp-os-bgp-peer",
"interfaceName": "if-csr-gcp-os-bgp-rtr-02",
"ipAddress": "169.254.0.5",
"peerIpAddress": "169.254.0.6",
"peerAsn": "65003"
}
],
"region": "projects/<gcp_project_number>/regions/us-west1",
"network": "https://www.googleapis.com/compute/v1/projects/<gcp_project_number>/global/networks/default"
}
POST: Create Cloud Router, BGP session and link to the Cloud VPN tunnel
... Output summarised
POST: Create a Cloud VPN tunnel and associate it with the Cloud router
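The calls above are order-dependent: the forwarding rules target the gateway from call (1), and the Cloud Router's interface references the VPN tunnel that is created on that gateway. As an added example (not from the deck or from Google), the following Python builds those request bodies from the slide's values and cross-checks them before anything is sent: rule targets, the link-local /30 shared by both BGP addresses, distinct ASNs, and the tunnel's region. It adds the UDP/500 and UDP/4500 forwarding rules the slide does not show; the interface and peer names it generates are its own and differ from the slide's.

```python
import ipaddress

API = "https://www.googleapis.com/compute/v1"


def build_bodies(project, region, gw_name, ext_ip, tunnel_name, rtr_name,
                 local_asn, local_ip, peer_asn, peer_ip, prefix_len=30):
    """Return the targetVpnGateways, forwardingRules and routers bodies in the
    order they must be POSTed: each later body references an earlier resource."""
    region_path = f"projects/{project}/regions/{region}"
    gw_link = f"{API}/{region_path}/targetVpnGateways/{gw_name}"
    gateway = {"name": gw_name, "region": region_path,
               "network": f"projects/{project}/global/networks/default"}
    # Classic Cloud VPN needs ESP plus IKE (UDP/500) and NAT-T (UDP/4500)
    # forwarded to the gateway; the slide shows only the ESP rule.
    rules = []
    for suffix, proto, port in (("esp", "ESP", None), ("udp500", "UDP", "500"),
                                ("udp4500", "UDP", "4500")):
        rule = {"name": f"{gw_name}-rule-{suffix}", "IPProtocol": proto,
                "IPAddress": ext_ip, "region": region_path, "target": gw_link}
        if port:
            rule["portRange"] = port
        rules.append(rule)
    if_name = f"if-{rtr_name}"  # generated name, not the slide's
    router = {"name": rtr_name, "region": region_path,
              "network": f"{API}/projects/{project}/global/networks/default",
              "bgp": {"asn": str(local_asn)},
              "interfaces": [{"name": if_name, "ipRange": f"{local_ip}/{prefix_len}",
                              "linkedVpnTunnel": f"{API}/{region_path}/vpnTunnels/{tunnel_name}"}],
              "bgpPeers": [{"name": f"{rtr_name}-peer", "interfaceName": if_name,
                            "ipAddress": local_ip, "peerIpAddress": peer_ip,
                            "peerAsn": str(peer_asn)}]}
    return {"gateway": gateway, "forwardingRules": rules, "router": router}


def validate(bodies):
    """Cross-check references and BGP addressing before the first call is made."""
    errors = []
    gw = bodies["gateway"]
    gw_link = f"{API}/{gw['region']}/targetVpnGateways/{gw['name']}"
    for rule in bodies["forwardingRules"]:
        if rule["target"] != gw_link:
            errors.append(f"{rule['name']} does not target {gw['name']}")
    router = bodies["router"]
    interfaces = {i["name"]: i for i in router["interfaces"]}
    for peer in router["bgpPeers"]:
        iface = interfaces.get(peer["interfaceName"])
        if iface is None:
            errors.append(f"{peer['name']} references an unknown interface")
            continue
        link = ipaddress.ip_interface(iface["ipRange"])
        if not link.network.is_link_local:
            errors.append(f"{iface['name']} ipRange {iface['ipRange']} is not link-local")
        if ipaddress.ip_address(peer["peerIpAddress"]) not in link.network:
            errors.append(f"{peer['name']} peer {peer['peerIpAddress']} is outside {link.network}")
        if peer["ipAddress"] != str(link.ip):
            errors.append(f"{peer['name']} ipAddress does not match its interface")
        if peer["peerAsn"] == router["bgp"]["asn"]:
            errors.append(f"{peer['name']} has the same ASN as the Cloud Router (eBGP needed)")
        if not iface["linkedVpnTunnel"].startswith(f"{API}/{router['region']}/vpnTunnels/"):
            errors.append(f"{iface['name']} tunnel link is not in {router['region']}")
    return errors


# The slide's values; <gcp_project_number> is the slide's own placeholder.
SLIDE_BODIES = build_bodies("<gcp_project_number>", "us-west1", "csr-gcp-os-aio-gw",
                            "35.yyy.yyy.y", "csr-gcp-os-aio-gw-tunnel-1",
                            "csr-gcp-os-bgp-rtr", 65000, "169.254.0.5",
                            65003, "169.254.0.6")

if __name__ == "__main__":
    print(validate(SLIDE_BODIES) or "bodies are consistent")
```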
Summary
• Cisco Multicloud Solutions: https://www.cisco.com/c/en/us/solutions/cloud/multicloud-portfolio.html
• Public cloud native IPsec VPN support is good, but it is always point-to-point, does not have consistent support and lacks network-rich features - It may be good enough for your initial use case(s)
• If you have deployed or want to deploy SD-WAN, adding your public cloud sites into your overall SD-WAN design can reap many operational and cost benefits
• If you have an existing WAN/Branch deployment of DMVPN, adding spokes at public cloud site(s) can help optimize traffic flow (no hair-pinning), enable rich network features at the public cloud site and allow for a consistent technical and operational experience
• Multicloud between multiple public cloud providers and on-premises looks like distinctly separate hybrid cloud deployments but..
Q&A
Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/
Thank you
Reference
Application Deployment: GKE, Cloud VPN, Cloud Router and an On Premises CSR Deployment with Dynamic Routing (IP Alias)
Google Container Engine (GKE) – Dynamic Routing
• Prior to the IP alias feature, GKE clusters did not advertise their IP ranges via the GCP Cloud Router (BGP) service: https://cloud.google.com/container-engine/docs/ip-aliases
• IP alias and self-directed alias ranges, cluster IP ranges and service IP ranges can all be enabled via REST, gcloud and the GKE console
GKE – Dynamic Routing with On Premises CSR
[Figure: Google Container Cluster (GKE) node (eth0 10.0.0.4, pods on cbr0 10.56.2.0/24) in the default network; Google Cloud Router peers over BGP through External/NAT with the on-premises CSR, behind which a hypervisor host sits at 192.168.100.20]
Default Network subnetwork:
- Nodes: 10.0.0.0/22
- Container Range: 10.56.0.0/14
- Services Range: 10.0.16.0/20
Google Container Engine - Setup Google Container Cluster (GKE)
Google Container Engine – Node/Pod IP Verification
Using the node list from above, check the IP assignments of each node
# kubectl describe nodes gke-gke-cls-istio-default-pool-6724d65b-zgdq | grep 'InternalIP\|PodCIDR'
InternalIP: 10.0.0.2
PodCIDR: 10.56.0.0/24
# kubectl describe nodes gke-gke-cls-istio-default-pool-6724d65b-x04p | grep 'InternalIP\|PodCIDR'
InternalIP: 10.0.0.4
PodCIDR: 10.56.2.0/24
GKE/GCP and On Premises CSR Dynamic Routing
... Output summarised
Get the advertised route list from the GCP Cloud Router
# gcloud compute routers get-status csr-gcp-vm-bgp-rtr
. . .
result:
  . . .
  bgpPeerStatus:
  - advertisedRoutes:
    - destRange: 10.0.16.0/20
      kind: compute#route
      nextHopIp: 169.254.0.1
      priority: 100
    - destRange: 10.56.0.0/14
      kind: compute#route
      nextHopIp: 169.254.0.1
      priority: 100
    - destRange: 10.0.0.0/22
      kind: compute#route
      nextHopIp: 169.254.0.1
      priority: 100
[Figure: Google Cloud Router (169.254.0.1) peering over BGP through Google Cloud VPN with the Cisco CSR (169.254.0.2)]
Check the BGP routes on the On Premises CSR
csr-gcp-01#show ip route bgp
. . .
B 10.0.0.0/22 [20/100] via 169.254.0.1, 00:00:04
B 10.0.16.0/20 [20/100] via 169.254.0.1, 00:00:04
B 10.56.0.0/14 [20/100] via 169.254.0.1, 00:00:04
GKE and CSR Routing/Access Verification
From a VM on the On Premises network (192.168.100.0/24), ping a GKE node's IP and the cbr0 interface on that node
[root@k8s-m-01 ~]# ip a
. . .
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:bc:4b:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.20/24 brd 192.168.100.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::50de:b58f:8dc8:2fd5/64 scope link
       valid_lft forever preferred_lft forever
[root@k8s-m-01 ~]# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=25.4 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=63 time=24.3 ms
[root@k8s-m-01 ~]# ping 10.56.0.1
PING 10.56.0.1 (10.56.0.1) 56(84) bytes of data.
64 bytes from 10.56.0.1: icmp_seq=1 ttl=63 time=25.2 ms
64 bytes from 10.56.0.1: icmp_seq=2 ttl=63 time=24.1 ms
[Figure: Google Container Cluster (GKE) nodes 10.0.0.2 (pods 10.56.0.0/24), 10.0.0.3 (pods 10.56.1.0/24) and 10.0.0.4 (pods 10.56.2.0/24), each with an eth0 and a cbr0 pod bridge]
GKE Pod Routing/Access Verification
Deploy an nginx pod
# kubectl run my-nginx --image=nginx --port=80
deployment "my-nginx" created
Google Container Engine
• Deploy Pods