Tag: Virtual Aplliance

Spin up Cisco CSR 1000v in VMware Fusion in 5 Minutes

I have been using the Cisco CSR 1000v as a default gateway in my home lab and I run an IPSec tunnel & LISP between it and my cloud provider (more on LISP in a separate post). The CSR 1000v runs on VMware ESXi, Microsoft Hyper-V, and Amazon Xen hypervisors but it can also run on a laptop/desktop hypervisor like VirtualBox or VMWare Fusion for testing or training purposes.

In this post I will show how to spin up a CSR 1000v instance in VMware Fusion for Mac.


Requirements:

1) I’m running VMWare Fusion 6.0 Professional but you can also run this virtual router on Fusion 4 or 5. I highly recommend using Fusion 5 Professional or 6 Professional if you want to create additional networks and assign the CSR 1000v interfaces to those networks. The feature to add additional networks (similar to Network Editor in VMWare Workstation) was added by VMWare in Fusion 5 Professional and it’s not available in the standard edition of Fusion. Alternatively if you don’t want to pay the extra bucks for the Professional edition, you can use this free tool from Nick Weaver to create the networks if you are running the standard edition. Nick’s tool isn’t the best but it does the job.

2) Go to Cisco and download the latest and greatest software version of the CSR 1000v. The CSR runs Cisco IOS XE and you need to download the OVA package for the deployment.

 
Installation:

The installation process is simple and quick:

1- Launch Fusion and go to File -> New from the top bar menu

2- Once the Installation wizard starts click on More options.  Select Install an existing virtual machine and click Continue.

3- On the next screen click Choose File. Navigate to the folder containing the OVA package, select the file, and click Open and then Continue.

4-  The next window will ask you to save the VM name, choose a name and click Save.

5- The final step of the wizard is to either customize or click fire up the VM. The CSR 1000v by default comes with three interfaces. If you need to add more interfaces click on Customize, otherwise click Finish.

Finish

 
6- Once you click Finish, the CSR 1000v will boot a couple of times and then you will be in traditional Cisco router User Mode.

 
Interfaces Management:

Enter Exec mode and enter “show ip int bri” to see the three interfaces. 

CSR interfaces

 

By default interfaces will become part of the Ethernet or WiFi network (that’s done by Fusion) depending on which adapter is active during the installation and you can assign from here IP interfaces and default gateway.

Adapter setting

 

If you wish to put the interfaces on separate networks (VLANs), select the CSR VM and go to Virtual Machine -> Setting and choose the desired Network Adapter. You may also create custom networks by going to VMWare Fusion -> Preferences -> Network. From there add the + sign to add additional network and choose wether to enable DHCP or not.  

Add network


Activating The License

In order to enable the full features of the CSR 1000v, you need to purchase a license from Cisco. If you want to try the full features before purchasing, Cisco offers 60 day free trial license. To activate the free trial license, go into the router configuration mode and enter: license boot level premium. You will be asked to boot the router after you enter the command.   

 


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedintumblrmail

Using Cisco CSR 1000v As Secure VPN Gateway To Extend Network To The Cloud

Cisco Services Cloud Router (CSR) 1000v is a virtual router you can deploy either in private/public cloud or in a virtualized data center.

One of the common use cases for the CSR 1000v is a secure VPN gateway in the cloud to terminate VPN tunnels. So if you run some applications in the cloud and you want to allow your branch offices to access those application over a secure network, you can run IPsec tunnels between those branch offices and the CSR 1000v in the cloud. From performance perspective this would work much better than back hauling the traffic to the data center (HQ) and then to the cloud.

In this post I will show you how to set up a VPN tunnel between Cisco CSR 1000v and a branch office router using Cisco Easy VPN. You may also use standard IPSec VPN but in my configurations I use Easy VPN because it’s, well, easier 🙂

The following configurations are part of a demo I gave at Cisco Live 2013 in Orlando where the CSR 1000v was the VPN server and the branch server (Cisco 2900 in this case) was the VPN client.

If you would like to learn how to install the CSR 1000v on Verizon Terremark eCloud, follow these steps in my post.

You will also need to open UDP port 500 and IP protocol ID 50 (ESP) on all firewalls sitting between the CSR 1000v and the branch router for the IPSec tunnel to be established successfully. Additionally depending on your design you may need to configure NAT.

In my setup, I’m using:

  • Cisco CSR 1000v with IOS XE 3.9x running in Verizon Terremark Enterprise Cloud
  • Cisco 2900 running IOS 153.2.T (branch office)

Here are the configs of the CSR 1000v (VPN Server). Only relevant configs are shown:

CSR-1#sh run
hostname CSR-1
!
aaa new-model
!
!
aaa authentication login hw-client-groupname local
aaa authorization network hw-client-groupname local
!
!
aaa session-id common
!
!
username myusername password 0 mypassword
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group hw-client-groupname
key hw-client-password
dns 8.8.8.8
domain domain.com
pool dynpool
save-password
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list hw-client-groupname
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface GigabitEthernet2
description WAN
ip address 10.22.36.71 255.255.255.224
negotiation auto
crypto map dynmap
!
interface GigabitEthernet3
description LAN
ip address 10.22.39.91 255.255.255.240
negotiation auto
!
ip local pool dynpool 192.168.1.1
!
!
ip access-list extended split_t
permit ip 10.22.39.0 0.0.0.255 any
!
end

Here are the configs for the Cisco 2900 router (VPN client).


no aaa new-model
!
ip cef
!
!
username vpntest password 0 vpntest
!
!
crypto ipsec client ezvpn hw-client
connect auto
group hw-client-groupname key hw-client-password
mode client
peer 10.22.36.71
username myusername password mypassword
xauth userid mode local
!
!
interface GigabitEthernet0/0
description WAN
ip address 10.35.120.104 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn hw-client
!
interface GigabitEthernet0/1
description LAN
ip address 172.16.4.102 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn hw-client inside
!
ip route 0.0.0.0 0.0.0.0 10.35.120.1
!
end 

Note: You can also install the CSR 1000v as a VM in VMware Fusion or Oracle VirtualBox if you want to play.

 


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedintumblrmail

© 2017

Theme by Anders NorenUp ↑