Move your VMware and KVM applications to the cloud without making any changes

  • July 7, 2015

How to emulate DCs in public cloud and connect them using Cisco CSR 1000v?

Mirko Grabel
Mirko Grabel is a ‘Kick-Ass’ Technical Marketing Engineer with Cisco, and an active CCIE certified speaker at Cisco Live. He has global technical responsibility for ISR, CSR and ASR product lines.

Cisco’s Cloud Services Router (CSR) running IOS-XE is a very popular network appliance used in a variety of scenarios – as a VPN gateway, as a MPLS termination, to connect DCs, to provide an internet split-out for branches, to connect branches to HQ. Coupled with LISP, CSR can also be used to extend the DC with hybrid cloud infrastructure. There are numerous ‘how-to’ articles on the web that articulate how CSR can be used to connect cloud infrastructure to DC or HQ to secure hub-to-spoke or spoke-to-spoke traffic with DMVPN and IPSEC. To create topologies for these use-cases, however, one requires infrastructure to run the CSR routers and networking interconnect to connect them.

In most organizations, it takes weeks to months to procure and deploy new hardware – servers, racks, switches, and it is expensive. CSR’s Amazon Machine Image (AMI) offers an alternative to try out some of CSR features without having to invest in physical hardware. However, due to networking limitations on AWS (e.g. broadcast and multicast packets are heavily filtered, L2 unavailable), many CSR features are unsupported without tunneling on the AMI (e.g. OSPF, IGMP, PIM, OTV, VxLAN, WCCPv2, MPLS, EoMPLS, VRF, VPLS, HSRP). Further, only one network interface can be configured as DHCP. This presents a difficulty in creating full-featured CSR environments that I need as a CCIE to play with different features, and mock-up PoC environments.

This is where Ravello helps. Ravello is a SaaS solution powered by nested virtualization and software defined networking overlay. Ravello enables networking professionals like me to create full-featured networking labs with a multitude of networking & security of VMware or KVM appliances (including Cisco’s CSR 1000v!) on top of public cloud (AWS or Google Cloud), and benefit from unlimited capacity and usage based pricing. Ravello’s software defined networking overlay exposes a clean L2 network – just like a DC environment – and offers built-in network services such as DNS, DHCP, Firewall, Virtual Switch and Virtual Router – should I need it. Further, it allows me to bring in my own router (CSR 1000v in this case), if I want specialized network functionality as a part of my environment.

Connecting DCs in the Cloud

A little skeptical of the tall claims made by Ravello, I decided to put Ravello’s Network Smart Lab to test. (Data-center functionality – running VMware & KVM VMs with L2 access – at public cloud prices and flexibility just seemed too good to be true!) I embarked on creating a CSR deployment connecting two different data-centers through VPN tunnel on Ravello. To emulate a DC, I added some LAMP servers and pointed CSR to be their Gateway on Ravello. With a click, I made two copies of this setup and associated public IPs to CSR’s external network interfaces. Using Ravello’s ability to run VMs in multiple clouds, I published one of the copies of my setup to run on AWS and another in Google. Once both environments were up and running, I configured each CSR instance in AWS and Google cloud to point to the other’s public IP, and voila – my two DCs running on AWS and Google were securely connected!

The rest of this article details configuration to get my multi-DC environment connected through CSR 1000v on Ravello.

Environment Setup

Getting this environment set up on Ravello involved 4 simple steps –

  • Uploading my CSR 1000v and LAMP servers to Ravello
  • Configuring networking on CSR VM
  • Publishing the environments on AWS and Google
  • Configuring the CSR

1. Uploading VMs

I used the Ravello Import Tool to upload all 3 of my VMs. Ravello’s VM uploader gave me multiple options - ranging from directly uploading my multi-VM environment from vSphere/vCenter to uploading OVFs or VMDKs or QCOW or ISOs individually. I uploaded my CSR1000v as an QCOW image.

2. Configuring Networking

Upon uploading the CSR 1000v, Ravello asked to confirm the resources (CPU, Memory, Storage) for my VM. Since Ravello had already identified the resources, it was more of a verification exercise.

Clicking on the Network tab, I added two network interfaces to the CSR – one each for internal and external networks. I configured a static IPs on the interfaces and chose “VirtIO” as the device type. I also associated ‘Elastic IP’ to the external interface so that I could access it from anywhere.

To enable SSH access to my VMs, I opened port 22 in the “Services” tab.

Next, I created an ‘Application’ on Ravello. An ‘Application’ in Ravello’s terms is essentially a multi-VM environment. To create my DC, I dragged and dropped my CSR and LAMP VMs on the application canvas.

Next, I saved my application as a ‘Blueprint’ – which was similar to taking a snapshot of the entire multi-VM setup. Blueprint enabled me to make additional copies of this ‘application’ environment.

3. Publishing environment on Google & AWS

With blueprint of this environment in hand, I was able to create two application copies. I modified the IPs on the second copy so that it didn’t conflict with the first copy. Next, I published an instance of each to run in Google Cloud and AWS respectively. Publishing the application was a piece of cake – a one-click action.

4. Configuring CSR

With my DC environments set up in AWS and Google cloud, the next step was to configure the CSR to connect the two environments through a VPN tunnel. Here is how I configured the CSR for this environment using CLI.

Defined the hostname first

hostname CSR1000V-AMAZON

For convenience’s sake if I mistype something, I disabled domain lookup.

no ip domain lookup

To get SSH access, I needed a domain name, so I set one up.

ip domain name ravellosystems.com

Next, I generated SSH key pair

crypto key generate rsa

Then configured a username & password for CSR

username admin privilege 15 password 0 XXXXXX

Next I allowed SSH on the incoming lines

line vty 0 4 login local transport input ssh

To give out IPs to my client VMs, I also set up a local DHCP Server

ip dhcp excluded-address

ip dhcp pool DHCP

And here comes the tricky part – how to get the IPSEC tunnel to fly. Here is the full config required for this. Details for each command can be found in the Cisco config guides.

crypto isakmp policy 1 encr aes authentication pre-share group 2 crypto isakmp key PASSWORD address  crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-md5-hmac mode tunnel crypto ipsec profile 1 set transform-set TRANSFORM_SET  interface Tunnel0 ip address tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 ! The tunnel destination is the elastic IP of the other side! tunnel destination tunnel protection ipsec profile 1

Here is the simple IP interface configuration, nothing fancy...

interface GigabitEthernet1 description EXTERNAL ip address negotiation auto  interface GigabitEthernet2 description LAN ip address negotiation auto

My default route points to the internet (required to find the other Elastic IP) and my inter DC traffic (just traffic going to points to the other side of the tunnel:

ip route ip route

The tunnels are on-demand tunnels so they only come up once traffic is present. Also to see some counters increase, I created 2 SLAs – one that works just in the tunnel and one that pings end-to-end from one LAN to the other.

ip sla 1 icmp-echo source-ip frequency 10 ip sla schedule 1 life forever start-time now ip sla 2 icmp-echo source-ip frequency 10 ip sla schedule 2 life forever start-time now

To check if my CSR sees the right interfaces I have to type this tedious long command. So, I made an alias for it –

alias exec sps show platform software vnic-if interface-mapping

Upon doing a similar configuration on the CSR running in Google Cloud (and pointing it its peer in Amazon), the two DCs were securely connected through a VPN tunnel.

Verifying it works

To verify that this setup works, I typed in sh ip sla stat. Increase in the number of successes for the counters confirmed that my VPN was setup and active (hurrah!).


Ravello’s Network Smart Lab offers an unique and simple way for networking professionals to create full-featured CSR environments for PoCs and network design (without needing hardware investments) on AWS & Google. Drop me a line if you would like to play with my CSR Blueprint setup.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.