CSR 1000v First Impressions

At Cisco Live London I attended a very interesting session about the Cisco Cloud Services Router by Anurag Gurtu (BRKVIR-2016 – Cisco’s Cloud Services Router (CSR 1000v): Extending the Enterprise Network to the Cloud).

The CSR 1000v, which was announced last summer at Cisco Live San Diego, is a router in a VM form-factor, based on the Cisco ASR 1000 platform. It runs a modified version of the same IOS XE software that also runs on the physical ASR routers and has a very similar feature set. Ultimately, it will allow enterprises to run their workloads in a cloud infrastructure and then connect those VMs to their own network based on familiar WAN technologies, using the same CLI that they also use on their physical Cisco routers. In addition, the CSR will support a number of APIs to allow automated provisioning of CSR instances in a cloud infrastructure.

During the Data Center Security Techtorial that I attended on Monday, I had already had a sneak preview of the software running in VMware on the presenter’s laptop. Since the CSR has not officially been released yet, this was a beta version, but as far as I could see it was fully functional. Anurag also had a couple of screenshots of the software in his presentation and he was kind enough to offer the session attendees access to the software if they wanted to evaluate it by themselves. Of course, I jumped on this opportunity.

So now that Cisco Live and last week’s training course are out of the way, I finally have some time to play with the software and see for myself how it works. The software is packaged as a VMware OVA template, so pretty simple to deploy. Originally, I planned to deploy the CSR on the Nexus 1000v in my lab, but I quickly find that this does not work. The CSR OVA template is setup for 4 vCPUs, which I don’t have on my virtualized ESXi hosts. Luckily, there is no real need to deploy the CSR 1000v on top of a Nexus 1000v, so I decide to deploy it on my bare-metal ESXi host instead. (Actually, the documentation for the CSR 1000v states that currently it isn’t even supported to run the CSR on top of the Nexus 1000v, but only on the VMware vSwitch.)

This is one of the important things that I picked up during Anurag’s presentation. Because of the 1000v in the name of the product I had always assumed that this product was part of the Nexus 1000v ecosystem, depending on the Nexus 1000v vPath redirection mechanism that is used for other virtual appliances such as the VSG and the ASA 1000v. It turns out that this is actually not the case. The CSR 1000v can be deployed on a standard VMware vSwitch and is simply set up as the default gateway for the VMs in the connected VLANs. Of course this means that all traffic will pass through the CSR VM, but given that this product is positioned as an entry and exit point for the virtual data center this is not a real limitation.

So I start by deploying the OVA template:

Deploy CSR OVA Template

I answer the usual set of questions, accept the Cisco EULA, and allow the VM to boot up. It goes through some initialization procedures followed by a reboot and then I get the familiar router console:

CSR Console

I configure the hostname and an IP address for the first interface and proceed to test if I can ping the default gateway. Unfortunately, this doesn’t work:

First ping fails

A quick check of the configuration reveals the problem. The first interface of the CSR is configured as a management interface in a separate management VRF by default. I test again, and now the ping succeeds:

Second ping succeeds

Of course, I could have known this if I had actually read the documentation that Anurag provided with the software, but like most engineers I tend to just jump into it and only start reading the documentation once I have gotten myself in trouble…

I proceed to configure an admin user, set the domain name, generate an RSA key, and enable local authentication and authorization in order to gain access through SSH. At this point my basic configuration consists of the following:

hostname csr1kv
!
aaa new-model
!
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec default local
!
clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
!
ip domain lookup source-interface GigabitEthernet0
ip domain name lab.layerzero.nl
ip name-server vrf Mgmt-intf 192.168.37.2
!
username admin privilege 15 secret 4 ILils0mOI614rA8jp3XNafw4S8TS/LC8I5.hdufdbkI
!         
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.37.65 255.255.255.0
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.37.1
!
line con 0
 privilege level 15
 login authentication CONSOLE
!         
ntp server vrf Mgmt-intf 192.168.37.2

Next I want to try to push some traffic through the router. Before you can activate the non-management interfaces on the CSR, it is necessary to activate the license and accept the Cisco EULA.

csr1kv#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
csr1kv(config)#license feature csr
PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.
Use of this product feature requires an additional license from Cisco,
together with an additional payment. You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the product, including during the 60 day evaluation period, is
subject to the Cisco end user license agreement
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day evaluation period, your use of the product feature will be
governed solely by the Cisco end user license agreement (link above),
together with any supplements relating to such product feature. The
above applies even if the evaluation license is not automatically
terminated and you do not receive any notice of the expiration of the
evaluation period. It is your responsibility to determine when the
evaluation period is complete and you are required to make payment to
Cisco for your use of the product feature beyond the evaluation period.

Your acceptance of this agreement for the software features on one
product shall be deemed your acceptance with respect to all such
software on all Cisco products you purchase which includes the same
software. (The foregoing notwithstanding, you must purchase a license
for each software feature you use past the 60 days evaluation period,
so that if you enable a software feature on 1000 devices, you must
purchase 1000 licenses for use past the 60 day evaluation period.)

Activation of the software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? (yes/[no]): yes
csr1kv(config)#

Now I should be able to enable the Gigabit 1 and Gigabit 2 interfaces, configure IP and pass some traffic. To make it simple to connect some clients I configure two subnets and corresponding DHCP pools:

!
ip dhcp pool NET-10.4.4.0/24
 network 10.4.4.0 255.255.255.0
 default-router 10.4.4.254 
 dns-server 192.168.37.2 
 domain-name lab.layerzero.nl
!
ip dhcp pool NET-10.5.5.0/24
 network 10.5.5.0 255.255.255.0
 default-router 10.5.5.254 
 dns-server 192.168.37.2 
 domain-name lab.layerzero.nl
!
interface GigabitEthernet1
 no ip address
 negotiation auto
!
interface GigabitEthernet1.4
 encapsulation dot1Q 4
 ip address 10.4.4.254 255.255.255.0
!
interface GigabitEthernet1.5
 encapsulation dot1Q 5
 ip address 10.5.5.254 255.255.255.0

To make my life easy I connected my CSR GigabitEthernet 1 interface to a port-group that is enabled for trunking. This allows me to use sub-interfaces on the CSR to connect to any of my lab VLANs. Alternatively, I could have used two separate physical interfaces on the CSR and put them in different port-groups, one for each VLAN.

To test my connectivity I now move two of my lab VMs onto VLANs 4 and 5 and allow them to grab an IP from the DHCP pools.

csr1kv#sh ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address      Client-ID/ 		Lease expiration 	Type       State      Interface
		Hardware address/
		User name
10.4.4.1        0100.5056.bfc2.65       Feb 12 2013 09:57 PM    Automatic  Active     GigabitEthernet1.4
10.5.5.1        0100.5056.af56.e1       Feb 12 2013 10:13 PM    Automatic  Active     GigabitEthernet1.5

As an encore, I add external routing and NAT to allow my VMs to browse the web through the CSR:

!
interface GigabitEthernet1.4
 ip nat inside
!
interface GigabitEthernet1.5
 ip nat inside
!
interface GigabitEthernet2
 ip address 192.168.37.66 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.37.1
!
ip access-list extended NAT-SOURCES
 permit ip 10.0.0.0 0.255.255.255 any
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet2 overload

Finally, I decide to use iperf to push some traffic between my VMs and see if I can manage to get up to the 50 Mbps that this version of the CSR should be capable of. Once the product is released Cisco will have licenses that cap the forwarding rate of the CSR at various different levels. The evaluation version that I am using in the lab is capped at 50 Mbps as can be seen from the show license command:

csr1kv#show license detail 
Index: 1 	Feature: csr1kv_50M                        Version: 1.0
	License Type: Evaluation
	License State: Active, In Use
	    Evaluation total period: 8  weeks 4  days 
	    Evaluation period left: 8  weeks 3  days 
	    Period used: 13 hours 50 minutes 
	    Expiry date: Apr 12 2013 22:51:32
	License Count: Non-Counted
	License Priority: Low
	Store Index: 0
	Store Name: Built-In License Storage

To get an idea of the performance, I run iperf between the two VMs. Clearly, using iperf on a pair of Windows XP VMs, which are running on top of a pair of ESXi hosts that are virtualized themselves, doesn’t really make for a very good test setup. But just to get a first impression, I think it is sufficient. Anybody who is interested in deploying this product should clearly run it through some more rigorous tests. My initial test results show the following:

Iperf Client

Iperf Server

The iperf test shows a throughput of roughly 45 Mbps, which is close enough to the projected 50 Mbps for my taste, especially given the limitations of this testbed.

However, the capping of throughput does raise some interesting questions:  How is the licensed bandwidth actually enforced? Is this through some form of policing? And if so, do I get any visibility into this process? Is this mechanism QoS aware? Would it for example be possible to split the 50 Mbps across several different traffic classes in order to protect interactive high priority traffic from random high bandwidth sessions?

All-in-all, the CSR 1000v looks very interesting. Because it is based on IOS XE it feels like a regular Cisco router, making it very easy to configure. In addition, my basic tests show that it is capable of forwarding a decent traffic load, even in my very suboptimal lab setup. One of the things that I am really looking forward to is the release of an Amazon AMI version of the CSR, which will enable real hybrid cloud scenarios.

Another thing that makes this product very interesting is its potential as a learning and testing tool. Could this be the official Cisco answer to Dynamips and its extended family? As a trainer and consultant I can see great potential in using the CSR to explore new protocols and technologies, test new features, or even to validate network changes. I will have to do some further testing to see how many instances I can run concurrently in my lab, but at first sight it looks like you could easily build some interesting lab scenarios using a couple of CSR instances on ESXi.

So to wrap up this post: My first impressions of the CSR are quite favorable and I look forward to running it through some more complex scenarios!

4 thoughts on “CSR 1000v First Impressions

  1. Hi,

    Good article. CSR1000v has great potential when you need to deploy a “data center in a box” solution.
    When combined with other technologies like LISP, you can stretch your data center in a short period of time. Great for testing.
    For your readers, I have included a link on troubleshooting “missing CPU feature requirements” messages that are sometimes encountered with deploying it in an existing ESX farm.

    http://vinciconsulting.com/blog/-/blogs/troubleshooting-a-cloud-services-router-csr-1000v-install

    Hope it will save someone the pain of researching how to solve it.

    Regards,
    Lawrence Suciu

    • Thanks for the link!
      It’s always useful to have this kind of problem documented in case somebody else runs into it.

      By the way, interesting site and blog you have there!

      Regards,

      Tom

  2. Hello. You made really useful overview. And you know I was definatly sure that this product was part of the Nexus 1000v ecosystem too. So you made me more clarifying in it. I tried to find this product via interenet,I found only this web site http://hardware.nl/cisco but unsuccesesfull.. Could tell me where can I her information about it price?

Leave a Reply

Your email address will not be published. Required fields are marked *