cisco csr 1000v: securely extend your apps to the cloud
TRANSCRIPT
Cisco CSR 1000V: Securely Extend Your Apps to the Cloud
Nick Matthews, Solutions Architect, AWS
Fan Yang, Technical Marketing Engineer, Cisco
Daniel Zuckerberg, Customer Solutions Architect, Cisco
Carl Coles, Principal Network Architect, Adobe
Agenda
AWS Networking Solutions
Cloud Trend and Network Challenge
CSR 1000V Overview and Cloud Use Cases
CSR 1000V on Under Armour
CSR 1000V on Adobe
Q&A
Cloud Performance is Only as Good as Network Performance
The benefits of cloud computing are well-proven
But your networking performance determines to what degree you will derive those benefits
Scalability
Security
Global Footprint
Cost-effectiveness
Core Networking Offerings
AWS offers a wide variety of networking services, with four at the center:
Amazon VPC
AWS Direct Connect
Amazon Route 53
Amazon Elastic Load Balancing
Layers of Networking on AWS
Region
AZ
VPC
Subnet
Routing Table
Network ACL
Security Group
Amazon VPC
Choose from multiple connectivity options including public internet, Network Address Translation, encrypted VPN, and more
Quickly and easily provision and configure using the AWS Management Console
Leverage multiple layers of security to protect your applications and environment, including access control lists, dedicated hardware, and more
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define
AWS Direct Connect
AWS Direct Connect gives you dedicated network connections between your on-premises data center and AWS
Can reduce bandwidth costs
Delivers more consistent network performance with reduced latency
Compatible with all AWS services
Elastically scales to meet your specific needs
[Diagram labels: Direct Connect Location; IPVPN/MPLS; Point to point; Customer Data Center; Customer Office]
Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances and Availability Zones
Enables fault tolerance, with less manual intervention in applications
Ensures that only healthy Amazon EC2 instances receive traffic; traffic is re-routed to a new Availability Zone if all Amazon EC2 instances are unhealthy
Meets application traffic demands by automatically scaling its request handling capacity
Amazon Route 53
Amazon Route 53 is designed to reliably and cost-effectively route end-users to internet applications
Connects user requests to infrastructure running in AWS, and can also be used to route users to infrastructure outside of AWS
Monitor application and end-point health, or re-route traffic to healthy end-points with DNS health checks
Meets application traffic demands by automatically scaling request handling capacity
Manage traffic globally with Traffic Flows – route users to application end-points through a single region, or around the globe
Augment Your Network with AWS Marketplace Offerings
ISVs in AWS Marketplace offer solutions for a wide variety of use cases:
Routing
VPN
Application Delivery
Firewalling
Network Challenges in the Cloud
Enterprises are Moving Applications to Cloud
Numerous Challenges to Adopt
Enterprise adoption of cloud continues to grow
Security is still top of the list of concerns
71% of enterprise cloud solutions have a hybrid approach where both private and public clouds are used
Extending Enterprise Networks Into Any Cloud Using Proven IOS XE Platforms in All Locations
Cisco Cloud Services Router 1000V (CSR 1000V) for All Deployment Types
[Diagram labels: Enterprise Locations; The Cloud; Others; Existing Enterprise Network; ISR 4400; ASR 1000; CSR 1000V; Physical, Virtual, Cloud]
CSR 1000V Overview and Cloud Use Cases
[Diagram labels: CSR 1000V; Server; Hypervisor; Vertical Switch; OS; App; RP; FP]
Software: 3000+ features. Same software as ASR 1000 and ISR 4000
Infrastructure Agnostic: Amazon Web Services, as well as additional cloud platforms
Throughput Elasticity: Licensable throughput from 10 Mbps to 10 Gbps. Footprint options from 1 to 8 virtual CPUs
Licensing Models: Term 1 Year, 3 Years, 5 Years or Hourly Usage*. Smart License
Programmability: NetConf/Yang, RESTConf and SSH/Telnet for automated provisioning, management, and monitoring
CSR 1000V Use Cases for the Cloud
Branch VPN Termination: IPSec, DMVPN, FlexVPN, EZVPN, etc. Up to 1,000 concurrent VPN tunnels
Remote VPN Access: SSLVPN via AnyConnect
Virtual Cloud / DC Interconnection: Globally distributed applications, Interregional connection
Firewall and Application Inspection: Stateful firewall between regions
* Routers do not actually produce fire (usually)
[Diagram labels: Corporate Office/Branch; Virtual Cloud (Cloud, US East); Virtual Cloud (Cloud, US West)]
Where to Find the CSR 1000V in AWS Marketplace
In AWS Marketplace:
– https://aws.amazon.com/marketplace
– Search for “CSR1000V”
– CSR 1000V product search will return a list of available CSR 1000V offers, pricing, support, and deployment information
Transit VPC with CSR 1000V
What is a Transit VPC?
Network transit centers are a common network design for connecting multiple, geographically dispersed networks
A Transit VPC allows AWS customers to create virtual network transit centers, without the traditional costs of establishing a physical presence in a co-location transit hub or deploying physical network gear
[Diagram labels: Corporate Data Center(s); Other Provider Networks]
Transit VPC Design
Dedicated VPC: Simplifies routing by not combining with other shared services
CSR1000V Virtual Network Appliances: Provide dynamic routing and VPN network tunnels
Redundancy: Dynamic routing combined with multi-AZ deployment creates a robust network infrastructure
VGW: VPC virtual gateways provide highly available connections to transit VPC virtual network appliances
[Diagram labels: AZ1, AZ2; A, B, C; Direct Connect; Internet; Private DC; Transit VPC; Spoke VPC; ASR; Other Provider Networks]
Flexible Purchasing Options
BYOL (Bring Your Own License). Purchase 1-year, 3-year, or 5-year license subscriptions from Cisco
Pay by the hour using AWS (yearly billing is coming in future)
Pooled licensing using Cisco Smart Software Licensing (Suggested)
Multiple technology packages, and varying throughput options
Under Armour
Extending Enterprise WAN to AWS with CSR 1000V
The New IT Model for Under Armour
Enable the Application/Marketing/Financial Team’s growth
Curb the organic growth of ungoverned Shadow IT resources
Provide an agnostic platform that facilitates SOP
Augment Application owner’s security controls
Have visibility to address issues proactively
A Service Broker for the Lines of Business
Key Guiding Principles for UA Cloud Strategy
Time to Market
Accelerate time to bring an application or feature set from concept to deployment
Scale up IT services to support 25% YoY growth
– 450 new stores in the next 2 years
Provide elastic and on-demand infrastructure and platform service capability
Reducing Risk Profile
Protect Under Armour customer data to maintain brand reputation
Design next generation security architecture encompassing automation and self-service
Institutionalize processes for strong governance across the enterprise
Improving Quality of Service
Provide SLAs targeted at high availability and improved incident resolution rates
Adopt a service-oriented architecture to simplify and streamline application integrations
Standardize application, platform and infrastructure to drive service reusability
WAN Architecture Overview
Geographically dispersed Regional Hubs
Sites are localized to their Regional Hub
– Brings the highest level of availability
– Performance optimized path selection for scaling bandwidth
– Enforcement, Compliance, and Visibility
WAN Design Evolution
Traditional to Intelligent WAN (IWAN)
Two WAN Routing Domains
MPLS: eBGP
Route Redistribution
Route Filtering Loop Prevention
Active/Standby WAN Paths
Primary with Backup
One WAN Routing Domain
MPLS and Internet: Default
Minimal Route Filtering
Active/Active WAN Paths
[Diagram labels: Traditional Hybrid; IWAN Hybrid; Data Center; ASR 1000; ISP A; SP V; Internet; MPLS; DMVPN; Branch; ISR-G2]
UA IWAN High Level Topology
[Topology diagram labels: IWAN LATAM-POP, IWAN US-POP, IWAN ASIAPAC-POP, IWAN EMEA-POP; Branch LAT-H, Branch LAT-G (10.1.20.0/24, 10.1.21.0/24); Branch US-B, Branch US-A (10.1.10.0/24, 10.1.11.0/24); Branch AP-Y, Branch AP-X (10.1.40.0/24, 10.1.41.0/24); Branch EUR-J, Branch EUR-I (10.1.30.0/24, 10.1.31.0/24); DC/MC (10.1.0.0/16, 10.2.0.0/16); T-MC (10.3.0.0/16, 10.4.0.0/16); T-MC (10.5.0.0/16, 10.6.0.0/16); T-MC (10.7.0.0/16, 10.8.0.0/16); MC+BR; BR; DMVPN MPLS-1, DMVPN MPLS-2, DMVPN MPLS-3, DMVPN INET-1, DMVPN INET-2]
Transit WAN Design with the CSR 1000V on AWS
Only DMVPN required with Active/Standby Circuit Design
CSR 1000V deployed as Active/Standby
– Standby only consuming minimal resources until failure
CSR 1000V enables dynamic route failover
– FVRF allows for dual provider connectivity
Internal DMVPN Hub Route VGW
External DMVPN Hub Route IGW
– IVRF allows for dynamic routing of App and User traffic
NAT leveraged for Transit Routing
[Diagram labels: IWAN US-POP (DC/MC, BR); CSR 1000V Active, CSR 1000V Standby, P2P GRE Tunnel; AWS VPC-A 10.10.A.0/24 (App A-1, App A-2); AWS VPC-B 10.10.B.0/24 (App B-1, App B-2); AWS VPC-C 10.10.C.0/24 (App C-1, App C-2); pcx-aaaatttt, pcx-bbbbtttt, pcx-cccctttt; AWS VGW, DMVPN over AWS Direct Connect; AWS IGW, DMVPN over INET]
Adobe and CSR 1000V
Adobe Digital Marketing Cloud
Provides a comprehensive marketing solution
Enables marketers to measure, personalize and optimize digital experiences
Fastest growing business unit in Adobe which presents unique growth challenges
Agility and workload mobility created the need for cloud opportunities
[Diagram labels: The ACME Company; Marketing; Digital Body Language; Personalized Digital Experience; Digital Channels; Digital Devices; Users; Digital Content; Adobe Marketing Cloud]
Migration to AWS Cloud
Speed to market required more agility and mobility
Transition of development VPCs to AWS
Global connectivity considerations
Adoption continued to increase on a per account basis
AWS VPC Sprawl
VPC sprawl across more than 700 accounts
VPC scaling and peering limitations
Requirements for cloud connectivity
VPC security requirements
VPC and cloud MPLS VPNs alignment
Existing MPLS VPN Datacenter Architecture
[Diagram labels: Users; Edge; Regional A; Region B; Data Collection; Data Processing]
Closer to Customer Digital Experience
Over 30 Global Locations
Edge Data Collection
Datacenters
Cloud Environments
Core Data Processing
Private Datacenters
Tenant segmentation using MPLS VPN
High Speed Transport
Private Provider
Connecting cloud environments
Adobe Multi-Cloud Transport using CSR 1000V
Global MPLS Network built with Cisco ASR routers
Integrates cloud environments
Four Functional Areas of the Routing Fabric
Edge Transport P router
Datacenter Edge P router
ALG PE router
CE router
Cisco CSR 1000V as P and PE routers connecting AWS locations
[Diagram labels: Adobe; PCP; Region A, Region B, Region C; RDC; DPC; Core; Edge; Edge Transport; Regional Edge Transport]
AWS VPCs and Cisco CSR 1000V
Traditional VPC peering does not scale
Hub and spoke topology as an overlay
Cisco CSR 1000V adoption
Familiar platform
MPLS and routing support
Zone-Based firewall
BYOL License Support
[Diagram labels: Edge Transport (Cisco ASR 1000); AWS Direct Connect; Regional Core Transport; Virtual Private Cloud; Availability Zone AZ1, AZ2; Edge CSR 1000V (Cisco); CSR 1000V PE (Cisco); AWS VPC Peering; Customer Spoke VPC; CE BIRD; CENTOS; Horizontal Scale]
AWS VPCs and Cisco CSR 1000V Transit VPC
Using MPLS VPN to align with AWS VPC
Centralized security choke point
Customer Edge Routing
BGP peering into VRF
Automated AWS VPC routing updates
Dynamic AZ failover
Utilizing Terraform for deployments
[Diagram labels: Edge Transport (Cisco ASR 1000); AWS Direct Connect; Regional Core Transport; Virtual Private Cloud; Availability Zone AZ1, AZ2; Edge CSR 1000V (Cisco); CSR 1000V PE (Cisco); AWS VPC Peering; Customer Spoke VPC; CE BIRD; CENTOS; RR IBGP VPNv4 Peering; eBGP VRF Peering; Overlay GRE Fabric; AWS Connectivity]
Benefits of Using AWS and Cisco CSR 1000V
Zone-based firewall and MPLS support to provide secure segmentation in a multi-tenant environment
Increased cost efficiencies while reducing TCO by deploying virtual infrastructures
Familiar platform that provides transit VPC and transport connectivity between AWS and on-premises data centers
Thank you
Additional Resources
CSR 1000V Landing Page & Free Trial: https://aws.amazon.com/mp/sellers/cisco/
CSR 1000V Deployment Guide for AWS: http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws/awsinstall.html
CSR 1000V Product Management Mailing [email protected]
Cisco CSR 1000V Team: Fan Yang - [email protected], Tony Banuelos - [email protected]
Transit VPC Resources
AWS Marketplace Link: https://aws.amazon.com/marketplace/pp/B01IAFXXVO
Transit VPC Deployment Guide: https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html
Transit VPC Overview: https://aws.amazon.com/answers/transit-vpc/
DEMO: https://www.youtube.com/watch?v=7ZB_luipmBA
Q & A