Professional Documents
Culture Documents
Cisco Cloud Services Router and Google Cloud Platform Solutions
Cisco Cloud Services Router and Google Cloud Platform Solutions
Cisco public
Google Kubernetes Engine (GKE) Figure 1. Site-to-site IPsec VPNs
VRF segmentation
Zone-based firewall security Cloud Virtual Network
Application traffic visibility into
GCP VPC Internet
Maintain consistent policies
With Cisco TrustSec IPSEC
Corporate
DC ASR CSR
Deployment options Cloud Interconnect
Single NIC
Multi-NIC Note: See more details in the following sections on achieving encryption over a cloud interconnect.
High availability As shown in Figure 1, an IPsec tunnel can be established between the Cisco
Shared VPC ASR 1000 Aggregation Services Router deployed in the corporate data
Automation and management center and the CSR 1000V in GCP. In order for the CSR 1000V to build the
IPsec tunnel, inbound Google Compute Engine (GCE) firewall rules must
Deployment manager example
be added to allow traffic for User Datagram Protocol (UDP) ports 500 and
(YAML file)
4500. The source address could be the ASR’s public IP address. To allow
Get the CSR 1000V image Virtual Machines (VMs) inside the VPC to use the CSR 1000V as a secure
from Cisco gateway to reach out to the data center, specific routes for data center
prefixes must be added in the GCE routing table with next-hop as the CSR
Summary 1000V’s interface private IP address. For example, if the data center prefix
is 192.168.0.0/16 and the CSR 1000V’s IP address is 10.138.0.6 in a VPC
(10.138.0.0/16), the route would look like:
Static routing or dynamic routing should be enabled over the IPsec tunnel to
establish end-to-end connectivity.
© 2018 Cisco and/or its affiliates. All rights reserved.
White paper
Cisco public
BGP2
IPSEC
Note: In Figure 2’s topology, the CSR 1000V is deployed with multiple Network Interface Cards (NIC), each attached to a different VPC. The same
topology can be deployed with a single NIC CSR 1000V as well. However, appropriate import and export routing policies must be configured to
avoid recursive routing issues.
us-west
Cloud Virtual Network
us-east
CSR Cloud Virtual Network
Corporate ASR
DC
DMVPN/VPN
CSR
For DMVPN configuration samples, refer to the white paper, “Dynamic Multipoint IPsec VPNs.”
As shown in Figure 4, customers can deploy the CSR 1000V with NAT to address the overlapping IP address
problem. The IPsec tunnel is built using public IP addresses owned by Google. It rides over Google’s backbone,
not through public Internet. A customer can enable NAT on interface G1 and Tunnel1 and translate each side into a
different CIDR block. For example, the test VPC (172.16.2.0/24) can be translated into 10.0.2.0/24, the development
VPC (172.16.2.0) can be translated into 192.168.2.0/24. This is called static 1:1 NAT, and it requires the NAT Pool to
be the same size as your VPC CIDR. A customer can also use Port Address Translation (PAT) to translate the test VPC
into a single (or multiple) IP address to save some space. Either way, for the CSR 1000V to get the return traffic, a
specific route (NAT pool or next-hop CSR 1000V) needs to be configured in the development VPC’s route table.
Figure 4. Deploying a Cisco CSR 1000V with NAT to address overlapping IP addresses
IPSEC
CSR CSR
Tunnel1 Tunnel1
#Left CSR
ip nat inside source static network 172.16.2.0 10.0.2.0/24
ip nat outside source static network 10.0.2.0 172.16.2.0/24
!
interface gigabitethernet 1
ip address 172.16.2.5 255.255.255.0
ip nat inside
!
interface Tunnel 1
ip address x.x.x.1(depends on your environment) 255.255.255.240
ip nat outside
#Right CSR
ip nat inside source static network 172.16.2.0 192.168.2.0/24
ip nat outside source static network 192.168.2.0 172.16.2.0/24
!
interface gigabitethernet 1
ip address 172.16.2.5 255.255.255.0
ip nat inside
!
interface Tunnel 1
ip address x.x.x.2 (depends on your environment) 255.255.255.240
ip nat outside
Container (10.0.0.10/24)
Internet Container (10.0.0.11/24)
VM: 172.16.1.10
IPSEC Container (10.0.1.10/24)
VRF segmentation
Place the CSR 1000V’s interfaces in different Virtual Routing Forwarding (VRF) instances to have different
segmentations. By default, VRFs don’t share routing information. A VRF doesn’t have routes to another VRF, so all
traffic is segmented. If the customer needs cross-VRF communication, there are different ways to enable route
leaking, such as Policy-Based Routing (PBR), Multiprotocol Border Gateway Protocol (MP-BGP) with VRF Route Target
(RT) import and export, and others. The idea is that customers have the flexibility to decide which VRF can talk to
which VRF. Furthermore, if customers are already using VRFs in their data centers or running a MPLS VPN network,
they can bring VRFs from on premises to Google Cloud for the same consistent network policy. The CSR 1000V
supports up to 4000 VRFs. Figure 6 is an example of extending VRF segmentation into Google VPC by using the CSR
1000V. Note that it requires multi-NIC deployment, which is discussed in detail in the Deployment Options section.
Figure 6. Extending VRFs into Google VPC by using CSR 1000V with multi-NIC
Public VPC
172.16.1.0/24
Internet Front
Dev Door VRF
VRF G1
Dev VRF G2 Dev Dev VPC
Pro VRF 172.16.2.0/24
Pro Tunnel 1 VRF
ASR IPSEC
VRF CSR1000V G3
Public VPC
G1 G2 Dev VPC
Internet 172.16.2.0/24
CSR1000V G3
Pro VPC
172.16.3.0/24
AVC uses stateful Deep Packet Inspection (DPI) to classify more than 1400 applications. It creates a true
application-aware network and improves the performance of business-critical applications. It sends application
usage and performance statistics through NetFlow to a central collector, such as Cisco Prime® Infrastructure, Cisco
Stealthwatch®, or any third-party NetFlow collector like LiveAction. Based on the application performance, different
policies can be automatically applied to re-prioritize applications using QoS capabilities. AVC has been widely
deployed in customers’ campus and data center networks. Now you can bring the same functionality into the GCP
VPC by using the Cisco CSR 1000V.
You need to add a route in the VPC to redirect traffic to the CSR 1000V (described in the previous section). Once the
addition has been done, the CSR 1000V will be able to receive the VM’s traffic and inspect the traffic. For example,
Figure 8, which is a screenshot taken using LiveAction, displays the traffic going through a CSR 1000V in a GCP VPC.
Figure 8. Traffic flowing through a CSR 1000V in a GCP VPC
Guidance:
1. You need to change the <LIVEACTION_SERVER_IP> to your LiveAction server IP.
2. G1 is enabled with AVC for this example. You need to re-apply those configurations to other interfaces that need visibility.
CSR configurations sample:
flow record LIVEACTION-FLOWRECORD
description DO NOT MODIFY. USED BY LIVEACTION.
match flow direction
interface GigabitEthernet1
ip flow monitor LIVEACTION-FLOWMONITOR input
ip flow monitor LIVEACTION-FLOWMONITOR output
ip address dhcp
ip nbar protocol-discovery
negotiation auto
no mop enabled
no mop sysid
For customers who have already deployed TrustSec with Cisco Identity Services Engine (ISE), you don’t have to
modify the current policies. Just connect ISE with the CSR 1000V in GCP. Tag mappings and polices are automatically
propagated to the CSR 1000V, and enforcement can happen on the CSR 1000V in GCP. For example, a customer
may have a development server in the data center tagged as Dev Group, and it has a policy associated that states the
Dev Group can’t access the HR server in the data center. By moving this development server into GCP, the customer
just needs to update the mapping to include the development server in GCP tagged as Dev Group. Then the same
policy will be applied. The development server in GCP won’t be able to access HR server in the data center.
Deployment options
Customers have the option to deploy the CSR 1000V either as single NIC VM or multi-NIC VM, depending upon the
customer’s requirements.
Single NIC
The Cisco CSR 1000V can be deployed with a single NIC in a given VPC as shown in
Figure 9. CSR 1000V as a single NIC
Pro VPC
DC
Tun
ne
l1
.... G1
Branch
Tunnel N
CSR 1000V
To connect multiple VPCs to an on-premises environment, multiple CSR 1000V routers (one CSR 1000V per VPC)
need to be deployed, as shown in Figure 10.
Figure 10. Two single NIC CSR 1000Vs deployed in two VPCs
G1 G1
CSR CSR
1
n el
Tu n
Tunnel 1
Tunnel 2
nne Tu
l2
DC Branch
Multi-NIC
GCP supports VMs with multiple network interfaces, each connecting to different VPCs. During the CSR 1000V
creation, you can select up to eight interfaces, meaning eight different VPCs. This gives a customer the capability to
connect multiple VPCs to the on-premises network with a single CSR 1000V. As shown in Figure 11, the CSR 1000V
has a primary interface, G1 in Pro VPC, and a second interface, G2 in Dev VPC. The CSR 1000V can advertise the
CIDR of both the Pro VPC and Dev VPC over tunnels to establish end-to-end connectivity. Compared to single NIC,
multi-NIC deployment consolidates the IPsec connection.
Figure 11. Multi-NIC CSR 1000V
Tunnel 1 G1
DC
.... G2
Dev VPC
Tunnel N
Branch
High availability
Cisco’s cloud-native high availability is not yet supported on GCP, however customers can still achieve high availability
with GCE’s native routing capabilities and redundant IPsec tunnels on premises for most failure scenarios. Similar to
an on-premises environment, two Cisco CSR 1000V routers can be deployed, as shown in Figure 12. Both active-
active and active-standby architectures are possible by choosing the same or different priorities on GCE to forward
traffic to the CSR 1000Vs. If one CSR 1000V fails, GCE will detect the failure of the instance and deactivate the
associated route. That will trigger all outbound traffic to flow through the second CSR 1000V. Next, establish IPsec
tunnels from both CSR 1000Vs with the Cisco ASR 1000 deployed on premises with appropriate routing metrics, as
shown in Figure 12.
Figure 12. CSR 1000V setup as active-standby through use of VPC routes
VPC
App Subnet A
CSR Subnet1
IPSEC Route
Table
Internet
CSR 1
ASR IPS
EC App Subnet B
Corporate DC
CSR Subnet2
Route
Table
CSR 2
With the Cisco cloud-native high-availability feature, both CSR 1000V routers can be configured with a keep-alive
that will monitor the state of the CSR 1000V. In case the CSR 1000V fails, the loss of keep-alive messages will trigger
high-availability failover. Then the CSR 1000V will make Representational State Transfer (REST) APIs to modify GCE
route tables, as shown in Figure 13. It supports both active-active and active-standby. Failover can also be triggered
by a Cisco IOS Embedded Event Manager (EEM) event and Guest Shell script, which offer customers flexibility to
create more advanced scenarios like failover and failback.
VPC
App Subnet A
CSR Subnet1
IPSEC Route
Table
Internet
CSR 1
ASR IPSEC
Keepalive App Subnet B
Corporate DC CSR Subnet2
Route
Table
CSR 2
Shared VPC
Shared VPC is a powerful feature that allows organization administrators to delegate responsibilities, such as creating
instances in service projects, while maintaining centralized control over network resources such as subnets, firewall
rules, etc. To learn more about shared VPC see Google’s shared VPC overview. For the purposes of this document,
the CSR 1000V can be deployed in the host project and a single VPC or multiple shared VPCs can be connected
to the CSR based on the requirements. The main advantage of deploying the CSR 1000V in the host project is that
multiple service projects can receive connectivity to the on-premises network versus deploying a CSR 1000V in
each project separately. In the case of a shared VPC, all custom routes, which make VMs to use the CSR 1000V as a
gateway (described in the previous section), are defined in the host project.
Figure 14. CSR 1000V (single NIC) deployed in a shared VPC
VPC Routing
IPSEC Public
subnet
ASR G1 Mobile Instance
Corporate DC Tunnel subnet
Cloud CSR 1000V
Interconnect Service Project
Host Project (Shared Testing) (Mobile Testing)
Gcloud CLI example (creates a CSR 1000V with 1vCPU, 4 GB memory, 8 GB disk):
Once the CSR 1000V is up and running in the customer’s VPC environment, the customer can use Secure Shell (SSH)
to log in and configure it like any other Cisco IOS XE Software routers. The CSR 1000V also supports a RESTConf/
NetConf API. More detailed information can be found at: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/
configuration/169/b_169_programmability_cg/restconf_programmable_interface.html
For later login management, customers can add the CSR 1000V router to their TACACS+ or RADIUS server for
Authentication, Authorization, and Accounting (AAA).
Summary
As customers move workloads to Google Cloud Platform, it’s important that they maintain a consistent network
across branches, campus, data center, and cloud. By deploying the Cisco CSR 1000V in the GCP VPC, customers
can extend their on-premises network to GCP using the same Cisco IOS XE features so they can maintain the same
secure VPN connections, segmentation, and application visibility and control.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1110R) C11-741200-00 12/18