1 Introduction and target audience
In CY16, Cisco products held a ~56% share of the Ethernet Switch market, a ~42% share of the combined Enterprise and Service Provider Router markets, and ~13% of the highly fragmented [next-gen] firewall market. All were number one positions in their respective markets. The install-base of Cisco equipment in these domains is also significant.
When these numbers are combined with the Cisco Networking Academy programme, Cisco's significant technical leadership (including R&D investment), and the large number of trained Cisco Certified engineers in the industry, it is fair to say that most organisations have a significant investment in Cisco products and solutions.
This investment spans people, process, and technology. It boils down to such things as the use of open and proprietary technologies on the platforms, adoption of Cisco's own and Cisco product-supporting software tooling, training/certification/hiring and onboarding processes, architectural principles, and operational processes and documentation (i.e. validated and approved 'products' and ITIL-aligned practices).
With the above as context, organisations with an investment in Cisco Routing, Switching, and Security solutions often wish to extend at least parts of their operational model into public cloud environments so that they do not end up with a separate model per cloud/environment. In some cases they are also getting value from a specific Cisco technology/feature, and/or they have an architectural principle or pre-validated and approved service offering that dictates that a specific Cisco product/feature must be used in all deployment environments.
One solution that they could be getting some real value from is Dynamic Multipoint Virtual Private Network (DMVPN).
The focus of this guide is on helping you to understand and build a DMVPN overlay between Azure Regions and/or customer-defined zones spread across Azure Regions.
DMVPN is an IPsec-underpinned VPN solution that is adopted by many Cisco customers, and it is available on Cisco routing platforms. In this guide we will be using the Cloud Services Router 1000v (CSR 1000v) to achieve our stated aim. The CSR 1000v is shipped in a virtual form factor and can be hosted on many private and public cloud platforms, including Microsoft Azure.
When extending service deployment across a hybrid, multi-cloud setting, Cisco's cloud-agnostic features and solutions delivered on the CSR 1000v running the IOS-XE operating system include (see hyperlinks for 'what is?'):
Here is a table that lists Microsoft Azure and Cisco IOS-XE features/functions that are [almost] synonymous alongside each other:

| Microsoft Azure (Fabric-wide mgmt) | Cisco IOS-XE (Per-hop mgmt) |
|---|---|
| Resource Name/Computer Name | Hostname |
| Azure Active Directory (AAD) | AAA and TACACS+ (+ ISE) |
| Network Interface (NIC) | Interface |
| Virtual Network (VNET) | Virtual Routing and Forwarding Table (VRF) |
| Subnet | Routed Interface |
| VNET Peering | Inter-VRF Route Leaking |
| User Defined Route table (UDR) | Static Routes and Route Redistribution into 'Customer' VRF |
| Route to 'None' | Route to Null0 interface |
| INTERNET route | Global Routing Table (GRT)/'Common' VRF to 'Customer' VRF 0.0.0.0/0 (default) route leaking |
| BGP route | Prefix learned from any BGP neighbor(s) with target VRF |
| Service Endpoint | Tunnel with IGP (and Route Filtering) |
| Endpoint Access Control List (ACL) | Access Control List (ACL) |
| Network Security Group (NSG) | Zone-based Firewall (ZBFW) with ACLs and Network Object Groups, or Cisco TrustSec SGT and SGACLs |
| NSG Default Tags and Service Tags for NSGs | Templated Network Object Groups, Templated ZBFW Zones, or Templated/Propagated TrustSec SGTs |
| Application Security Group (ASG) | [ZBFW with] Automated ACL with Object Groups, or Cisco TrustSec SGT Static/Dynamic Classification with SGT Mapping Propagation (+ ISE VM for a comparable capability) |
| Augmented Security Rules for NSGs | Network Object Groups and Service Object Groups and/or ZBFW Class Maps and Policy Maps |
| Marketplace – Next-Gen Firewall ISV Solution – 'Application Control' | Application Visibility and Control (AVC) - Network Based Application Recognition 2 (NBAR2) and ACLs |
| NSG Data Plane Logs and Analytics | Netflow/Flexible-Netflow (+ a Netflow Collector for a comparable capability) |
| VPN Gateway | 'crypto' and 'tunnel' configuration |
| VPN Gateway peer count limit | 'crypto call admission' (IKE) |
| Restricted/no Broadcast or Multicast | Feature/protocol support for Non-broadcast Multiple Access Networks (NBMA) |
| Public IP (PIP) | Static Network Address Translation (NAT) |
| Route = 'INTERNET' PAT/NAT Pool addresses | Port Address Translation (PAT) - 'overload' on Outside interface |
| Load Balancer NAT Rule | NAT and Static Port Translation |
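To make the VNET/UDR/'None'/INTERNET rows of the table concrete, here is an added IOS-XE configuration fragment (an illustration written for this guide, not configuration from the guide's own build steps). The VRF name `CUSTOMER`, the interface names, the addresses and the next-hop `10.0.0.1` are assumed placeholder values.

```cisco
! Azure VNET  ->  IOS-XE VRF (an isolated routing table per 'customer')
vrf definition CUSTOMER
 address-family ipv4
 exit-address-family
!
! Azure Subnet  ->  routed interface placed into the 'customer' VRF
interface GigabitEthernet2
 vrf forwarding CUSTOMER
 ip address 10.1.0.4 255.255.255.0
!
! Outside interface stays in the Global Routing Table (Azure 'INTERNET' side)
interface GigabitEthernet1
 ip address 10.0.0.4 255.255.255.0
!
! Azure UDR 'route to None'  ->  static route to Null0 (traffic is dropped)
ip route vrf CUSTOMER 10.99.0.0 255.255.0.0 Null0
!
! Azure UDR 'INTERNET' next hop  ->  default route leaked from the GRT into
! the 'customer' VRF; the 'global' keyword resolves the next hop in the GRT
ip route vrf CUSTOMER 0.0.0.0 0.0.0.0 GigabitEthernet1 10.0.0.1 global
!
! Azure UDR next hop 'Virtual appliance' towards another VRF/VNET
! -> inter-VRF static route (the VNET Peering / route leaking row)
ip route vrf CUSTOMER 10.2.0.0 255.255.0.0 GigabitEthernet3 10.2.0.1
```

Verify the result per VRF with `show ip route vrf CUSTOMER`; the Null0 entry and the leaked default are the per-hop equivalents of what Azure applies fabric-wide through a UDR.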
This document is aimed at an audience of Azure IaaS technical specialists, and the Cisco elements are pitched at a '201' level, i.e. you will be exposed to more of the 'What?' than the 'How?'.
While we are not aiming for a full production-grade setup, in order to be 'sensible' in the approach you will be exposed to a few concepts and features beyond those that come together to form DMVPN. This will include a relatively significant exposure to Zone-Based Firewall (ZBFW), because the routers we will be provisioning will be exposed to the internet, so they, and the VMs and services behind them, need to be protected from attacks up to a basic level.