The many faces of Cloud Services Router (CSR) 1000v
I’ve recently spent some time with an Enterprise customer planning to migrate some of its Data Center services to Amazon Web Services (AWS). The discussion revolved around the challenges of such a task, which were related to AWS Virtual Private Cloud (VPC) infrastructure limitations and to the migration process itself.
At the same time, I had been discussing with engineers from the IT department of the same customer the evolution of their on-premises Private Cloud and the virtualization of network functions as part of their “Lean IT” strategy. The common denominator in both discussions was the CSR1000v and the benefits it brings to these completely different use cases.
The CSR1000v is a router in a virtual form factor or, to put it differently, the Cloud Edition of IOS-XE. It is infrastructure-agnostic: being just a VM, it runs on any x86 server under VMware ESXi, Citrix XenServer, Red Hat KVM or Microsoft Hyper-V, and on Public Clouds such as Amazon Web Services or Microsoft Azure.
What makes the CSR1000v unique is that it is built on the same proven IOS-XE software platform that runs inside the Integrated Services Routers (ISR) and Aggregation Services Routers (ASR). This means it supports a rich set of features, such as routing (BGP, OSPF, EIGRP, etc.), VPN (DMVPN, SSL VPN, GETVPN, …), Zone-based firewall, NAT, QoS, Network & Application Visibility (AVC, IP SLA), advanced networking (GRE, BFD, MPLS, VxLAN, LISP) and WAN optimization (WAAS). It also offers the same IOS CLI, the same IOS management tools and the same TAC support model as the ISRs and ASRs.
The most impressive characteristic of the CSR1000v, however, is its versatility, since it is a fundamental building block in any Cloud/Virtualization use case:
In the Enterprise space
1. In a virtualized Data Center (Private Cloud deployment), CSR1000v can act as a tenant router providing routing, VPN and FW services per tenant. This capability is supported in a variety of virtualization environments, including OpenStack, where a CSR1000v plugin implements Neutron’s L3 Network (RaaS), Firewall (FWaaS) and VPN (VPNaaS) service APIs.
2. For Enterprise Branches, there is an ongoing discussion about the benefits that branch virtualization could bring. Branch virtualization is already supported via the UCS-E compute blade that can be inserted in the ISR routers, but in that case routing is still performed by the physical ISR device. With CSR1000v, we could see the coin flipped: routing provided as a virtual function on an x86-based platform that also runs other virtual network functions such as vWAAS or vASA. Stay tuned, since interesting stuff is being worked on in this area and 2016 will definitely bring us closer to this capability.
3. In a Public Cloud deployment, where an Enterprise has purchased IaaS (Infrastructure as a Service) from a Cloud Provider (e.g. a Virtual Private Cloud (VPC) from AWS), CSR1000v can help the Enterprise address some of the networking and security challenges of the Public Cloud environment. I give an overview of some of these challenges below, together with the benefit that CSR1000v brings. A point to highlight is that some Public Clouds have inherent infrastructure limitations that can make specific CSR1000v features unavailable in that environment. An example is AWS, whose VPC network does not support L2 adjacency or multicast; as a result, CSR1000v features such as HSRP/VRRP, IGMP or OTV are not available in AWS. In some cases, however, there are workarounds for this, as in the VPN Gateway case described below.
a) Inconsistent VPN/security policies and limited connection reliability: The CSR1000v can be deployed as a Secure VPN Gateway, offering route-based IPsec VPNs (DMVPN, EasyVPN and FlexVPN) along with a Zone-based Firewall and access control, enabling an enterprise to securely connect distributed sites directly to its cloud deployment. Although AWS does not support L2/multicast, so HSRP/VRRP cannot provide High Availability for a pair of CSR1000v Gateways in a VPC, there is a workaround: BFD over a GRE tunnel between the two routers detects the failure of a pair member, and EEM (Embedded Event Manager) drives the failover to the surviving member, so a redundant CSR1000v pair can still be deployed; more details on this can be found here.
b) Difficulty in extending network configuration into the cloud and limited scalability: The CSR1000v can serve as a WAN Gateway, i.e. an MPLS Customer Edge (CE) or Provider Edge (PE) router that enables end-to-end managed connectivity with performance guarantees and increased scale (e.g. in the number of supported VLANs or networks per tenant). At the same time, if one CSR1000v is deployed per VPC and the customer has multiple VPCs within AWS, the CSRs can route between the VPCs, including transitively through a hub VPC, which AWS VPC peering does not provide natively.
c) DC Interconnect/Extension: The CSR1000v offers features such as LISP and VxLAN that enable an enterprise to maintain addressing consistency across premises and cloud as it moves applications back and forth or bursts compute capacity into the cloud.
d) Lack of end-to-end visibility and traffic monitoring: The CSR1000v can act as a Network Control Point, offering Application Visibility and Control (AVC) and IP SLA support for monitoring network and application performance. This makes it possible to measure latency and packet loss end-to-end from the Enterprise Data Center to the Public Cloud tenant and to troubleshoot application performance issues even within the Public Cloud.
A full Cisco Validated Design (CVD) for deploying CSR1000v in AWS is available here.
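As an added illustration of the BFD/GRE/EEM workaround in item 3a (example code written for this page, not part of the original post, the CVD or Cisco's solution), here is the control logic behind it in Python. Because AWS has no L2 or multicast, an HSRP/VRRP virtual IP cannot float between two CSR1000v instances; instead the pair watches each other with BFD over a GRE tunnel, and when a member is declared down the survivor repoints the VPC route-table entries that targeted the failed peer at its own elastic network interface (ENI). On the router that action is fired from an EEM applet and ends in the EC2 ReplaceRoute API call (with boto3: `ec2.replace_route(RouteTableId=..., DestinationCidrBlock=..., NetworkInterfaceId=...)`). The route-table ID, ENI names and prefixes below are made up, and a constructed in-memory client stands in for EC2 so the module runs offline.

```python
"""Failover controller for a redundant CSR1000v pair in an AWS VPC.

Added example, not Cisco code. Models the BFD detection and the route-table
takeover that an EEM applet would trigger on the surviving router. All IDs
(rtb-example, eni-local, eni-peer) and prefixes are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    cidr: str
    target_eni: Optional[str]  # None models routes not pointing at an ENI (local, IGW)


class FakeEC2:
    """Constructed stand-in for the two EC2 route-table calls the controller needs.

    The real equivalents are boto3's describe_route_tables and replace_route.
    """

    def __init__(self, routes: List[Route]):
        self.routes = {r.cidr: r for r in routes}
        self.replace_calls: List[Tuple[str, str, str]] = []

    def describe_routes(self, route_table_id: str) -> List[Route]:
        return list(self.routes.values())

    def replace_route(self, route_table_id: str, cidr: str, eni: str) -> None:
        if cidr not in self.routes:
            raise KeyError(f"no route for {cidr} in {route_table_id}")
        self.routes[cidr].target_eni = eni
        self.replace_calls.append((route_table_id, cidr, eni))


class FailoverController:
    """BFD-style liveness tracking plus the route-table takeover action.

    A BFD session is declared down after `multiplier` consecutive missed
    control packets (detect time = interval * multiplier). Recovery of the
    peer does not move routes back automatically: preempting would flap the
    VPC route table, so failback is left as an operator decision.
    """

    def __init__(self, ec2, route_table_id: str, local_eni: str, peer_eni: str,
                 multiplier: int = 3):
        self.ec2 = ec2
        self.route_table_id = route_table_id
        self.local_eni = local_eni
        self.peer_eni = peer_eni
        self.multiplier = multiplier
        self.missed = 0
        self.peer_up = True

    def bfd_interval(self, packet_received: bool) -> bool:
        """Feed one BFD interval; return True if this interval triggered failover."""
        if packet_received:
            self.missed = 0
            self.peer_up = True
            return False
        self.missed += 1
        if self.peer_up and self.missed >= self.multiplier:
            self.peer_up = False  # fires the action once per outage
            self.take_over()
            return True
        return False

    def take_over(self) -> int:
        """Repoint every route targeting the peer's ENI at our ENI; idempotent.

        Routes already pointing at us, and routes with no ENI target (the VPC
        local route, Internet gateway routes), are left untouched.
        """
        moved = 0
        for route in self.ec2.describe_routes(self.route_table_id):
            if route.target_eni == self.peer_eni:
                self.ec2.replace_route(self.route_table_id, route.cidr, self.local_eni)
                moved += 1
        return moved


def simulate_peer_failure(multiplier: int = 3):
    """Constructed scenario: two CSRs each own a route; the peer stops answering."""
    ec2 = FakeEC2([
        Route("10.0.0.0/16", None),            # VPC local route, must stay untouched
        Route("192.168.0.0/16", "eni-peer"),   # on-prem prefix reached via the peer CSR
        Route("0.0.0.0/0", "eni-local"),       # default already via this CSR
    ])
    ctl = FailoverController(ec2, "rtb-example", "eni-local", "eni-peer", multiplier)
    triggers = [ctl.bfd_interval(False) for _ in range(multiplier)]
    ctl.bfd_interval(True)  # a late packet from the peer must not undo the takeover
    return triggers, ec2, ctl


if __name__ == "__main__":
    triggers, ec2, _ = simulate_peer_failure()
    print(triggers, {c: r.target_eni for c, r in ec2.routes.items()})
```

Two things to check before relying on this on a real pair: the instance needs IAM permission for ec2:ReplaceRoute (scope it to the specific route table rather than granting it account-wide, since whoever controls the router can then redirect the whole VPC's traffic), and the BFD detect time (interval times multiplier) sets the failover delay, so tune it against the GRE tunnel's actual latency to avoid false failovers.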
In the Service Provider space
1. CSR1000v is the fundamental building block of virtual Managed Services (vMS), Cisco’s “NFV as a Service” platform for Service Providers who want to deliver automated cloud-based services to customers, such as Cloud VPN or Cloud Intelligent WAN, using a fully integrated, pre-packaged solution that allows service customization via a self-service portal. CSR1000v acts as the vRouter component in this solution; the vRouter is the Virtual Network Function (VNF) that provides the routing and VPN service capabilities to the SP’s customer via a point-and-click portal interface.
2. CSR1000v can be deployed as a virtual wireline Gateway (vBNG/vBRAS) or Wireless Access Gateway (vWAG/vISG): vBNG allows service providers to deploy the CSR1000v in virtual PPP terminated access (vPTA) or L2TP Network Server (vLNS) mode for fixed wireline deployments, while vISG can be deployed as a wireless access gateway for hospitality environments. In such scenarios, vBNG or vISG scale per VM is smaller (8,000 sessions) than on a physical ASR1000; however, additional scale can be provided by spinning up additional VMs as needed with a VM lifecycle manager such as Elastic Services Controller (ESC). In addition, the resilience model changes dramatically when BNG or WAG are provided as a Virtual Network Function (VNF), since subscriber state no longer needs to be centralized on a single physical platform (e.g. 48,000 subscribers on a single ASR1000 BRAS). Subscribers can be distributed in 8k chunks across a number of VMs, which means that if a vBNG fails, the impact is much smaller in terms of affected subscribers.
3. Virtual Route Reflector (vRR): The CSR1000v can be deployed as a vRR to simplify the routing adjacencies required in larger networks. Because route reflection is a process-intensive but not throughput-intensive application, many route reflector instances can be consolidated onto a single server running multiple CSR1000v routers. This approach significantly reduces the physical footprint, power, cooling and cabling overhead of maintaining numerous physical route-reflector systems. At the same time, a CSR1000v vRR actually provides more scale than an ASR1001-X/ASR1002-X (24M IPv4 routes on CSR1000v vs. 13M IPv4 routes on ASR1002-X with 16GB DRAM), so this is a case where the coin is flipped in favor of the CSR1000v in terms of scale. Because the Route Reflector is not tied to purpose-built hardware, it is easier to scale up by adding x86 server resources while still maintaining a very small HW footprint.
4. Another use case for CSR1000v is as a Multi-Service Edge platform for smaller SPs: the CSR1000v remains a full-featured routing platform offering L2VPN, L3VPN and NAT (v4/v6) capabilities at the network edge of the Data Center.
Hopefully, the above provided a good overview of CSR1000v capabilities and versatility!
Great blog, Panos.
The vLNS potential alone with the CSR1000 is superb, not to mention it can give SPs far broader resilience at a much lower TCO.
Thanks for sharing.