Skip to content

1 Introduction and target audience

rbannist edited this page Nov 13, 2017 · 6 revisions





Cisco CSR 1000v-underpinned Network Security on Azure



Learner Guide:

  • Technology Overview

  • Suggested Deployment Framework

  • Deployment Instructions and Repository



November 2017




Introduction and target audience

In CY16, Cisco products filled a ~56% share of the Ethernet Switch market, a ~42% share of the combined Enterprise and Service Provider Router markets, and ~13% of the highly fragmented [next-gen] firewall market.   All were number one positions in the respective markets.   The install-base of Cisco equipment in these domains is also signficant.

When combining those numbers with the Cisco Networking Academy programme, Cisco's significant technical leadership inc. R&D investment, and the large number of trained Cisco Certified engineers out there, it's fair to say that most organisations have a significant investment in Cisco products and solutions.

This investment spans across people, process, and technology.   It boils down to such things as open and proprietary technology use on the platforms, adoption of Cisco's own and Cisco product-supporting software tooling, training/certifications/hiring and onboarding processes, architectural principles, and operational processes and documentation (i.e. validated and approved 'products' and ITIL-aligned practices).

With what's described above as the context, oganisations with an investment in Cisco Routing, Switching, and Security solutions often wish to extend at least parts of their operational model into public cloud environments so that they don't have a model per-cloud/environment.   Also, in some cases, they are getting value from a specific Cisco technology/feature and/or they have an architectural principle/pre-validated and approved service offering that dictates that they must use a specific Cisco product/feature in all deployment environments.

One solution that they could be getting some real value from is Dynamic Multipoint Virtual Private Network (DMVPN).

The focus of this guide is on helping you to understand and build a DMVPN-overlay between Azure Regions/customer-defined zones spread across Azure Regions.

DMVPN is an IPSec-underpinned VPN solution that is adopted by many Cisco customers and it's available on Cisco routing platforms.   In this guide we will be using the Cloud Services Router 1000v (CSR 1000v) to achieve our stated aim.   The CSR 1000v router is shipped in a virtual form factor.   The CSR 1000v can be hosted on many private and public cloud platforms including Microsoft Azure.



When extending service deployment across a hybrid, multi-cloud setting, Cisco's cloud-agnostic features and solutions delivered on the CSR 1000v running the IOS-XE operating system include (see hyperlinks for 'what is?'):


Category Feature(s) or Solution(s)
Identity
Authentication, Authorization, and Accounting (AAA) with
  1. Terminal Access Controller Access-Control System Plus (TACACS+)
  2. Identity Services Engine (ISE)
Routing
Virtual Routing and Forwarding (VRF) inc. VRF-Lite/Multi-VRF
Interior Gateway Protocols (IGP) (public cloud = over tunnels)
Exterior Gateway Protocols (EGP)
Locator/Identity Separation Protocol (LISP)
Overlay Transport Virtualization (OTV)
Tunneling and Virtual Private Networks
Dynamic Multipoint Virtual Private Network (DMVPN)
FlexVPN
Easy VPN
Group Encrypted Transport VPN (GETVPN)
Virtual eXtensible Local Area Network (VXLAN)
[Multipoint] Generic Routing Encapsulation (GRE/mGRE)
Layer 2 Tunneling Protocol Version 3 (L2TPv3)
Ethernet Virtual Connection (EVC)
Tag/Label Switching
Multiprotocol Label Switching (MPLS) inc.
Packet Inspection
Network-Based Application Recognition Version 2 (NBAR2)
Application Visibility and Control (AVC)
Packet Filtering and Context-based Firewall/Filtering
Zone-based Firewall (ZBFW)
TrustSec inc.
Multicast (public cloud = tunneled)
Internet Group Management Protocol (IGMP)
Protocol Independent Multicast (PIM)
Traffic Redirection
Policy Based Routing (PBR)
Web Cache Communication Protocol (WCCP)
AppNav
Performance Monitoring and Control
[Hierarchical] Modular Quality of Service (QoS)
Simple Network Management Protocol (SNMP)
Syslog
[Flexible] NetFlow
Internet Protocol Service Level Agreement (IPSLA)
Other
Network Address Translation (NAT)
Bidirectional Forwarding Detection (BFD)
Domain Name System (DNS)
NETCONF
Embedded Event Manager (EEM)
Network Functions Virtualization (NFV)
Smart Call Home

Here is a table that lists Microsoft Azure and Cisco IOS-XE features/functions that are [almost] synonymous alongside each other:

Microsoft Azure
(Fabric-wide mgmt)
Cisco IOS-XE
(Per-hop mgmt)
Resource Name/Computer Name Hostname
Azure Active Directory (AAD) AAA and TACACS+ (+ ISE)
Network Interface (NIC) Interface
Virtual Network (VNET) Virtual Routing and Forwarding Table (VRF)
Subnet Routed Interface
VNET Peering Inter-VRF Route Leaking
User Defined Route table (UDR) Static Routes and Route Redistribution into 'Customer' VRF
Route to 'None' Route to Null0 interface
INTERNET route Global Routing Table (GRT)/'Common' VRF to 'Customer' VRF 0.0.0.0/0 (default) route leaking
BGP route Prefix learned from any BGP neighbor(s) with target VRF
Service Endpoint Tunnel with IGP (and Route Filtering)
Endpoint Access Control List (ACL) Access Control List (ACL)
Network Security Group (NSG) Zone-based Firewall (ZBFW) with ACLs and Network Object Groups or Cisco TrustSec SGT and SGACLs
NSG Default Tags and Service Tags for NSGs Templated Network Object Groups, Templated ZBFW Zones, or Templated/Propagated TrustSec SGTs
Application Security Group (ASG) [ZBFW with] Automated ACL with Object Groups or Cisco TrustSec SGT Static/Dynamic Classification with SGT Mapping Propagation (+ ISE VM for a comparable capability)
Augmented Security Rules for NSGs Network Object Groups and Service Object Groups and/or ZBFW Class Maps and Policy Maps
Marketplace – Next-Gen Firewall ISV Solution – 'Application Control' Application Visibility and Control (AVC) - Network Based Application Recognition 2 (NBAR2) and ACLs
NSG Data Plane Logs and Analytics Netflow/Flexible-Netflow (+ a Netflow Collector for a comparable capability)
VPN Gateway 'crypto' and 'tunnel' configuration
VPN Gateway peer count limit 'crypto call admission' (IKE)
Restricted/no Broadcast or Multicast Feature/protocol support for Non-broadcast Multiple Access Networks (NBMA)
Public IP (PIP) Static Network Address Translation (NAT)
Route = INTERNET' PAT/NAT Pool addresses Port Address Translation (PAT) - 'overload' on Outside interface
Load Balancer NAT Rule NAT and Static Port Translation


This document is aimed at an audience of Azure IaaS technical specialists and the Cisco elements hit a '201' level.   i.e. you will be exposed to more of the 'What?' rather than the 'How?'.


While we're not aiming for a full production-grade setup, to be 'sensible' in the approach, you will be exposed to a few concepts and features beyond those that come together to form DMVPN.   This will include a relatively significant exposure to Zone Based Firewall (ZBFW) as the routers that we will be provisioning will be exposed to the internet so they, and VMs + Services behind them, need to be protected from attacks up to a basic level.

Clone this wiki locally