2. What is it?
• Router in virtual form factor
• Runs IOS-XE (Linux-Based)
– Same base OS as ASR1k, WLC 5760
• Part of Cisco’s virtual portfolio
– Nexus 1000V, ASA 1000V, CSR 1000V,
• IP/Ethernet Traffic Only
– No T1/PRI/DSP/WIC modules
• Supported on
– VMware ESXi
– Amazon AMI
– Citrix XenServer
– Red Hat KVM
3. Feature Comparison
Cisco 892 | Cisco CSR1000V
CBAC/IOS Firewall | Zone-Based Firewall
AAA Legacy & New Format | AAA New Format
Netflow Top Talkers | FNF Top N Talkers
Adv. IP Services (Included) | Feature, Throughput, Term Licensing
(2) L3 Interfaces | Unlimited* L3 Interfaces
(8) L2 Switchports | Not Supported
Max Throughput: 51Mbps | Max Throughput: 1Gbps*
* up to maximum supported by hypervisor
7. CBAC vs ZBFW
CBAC / IOS Firewall | Zone Based Firewall
Interface Based Configuration | Zone Based Configuration
Controls Inbound and Outbound access on an interface | Controls Bidirectional access between zones
Uses inspect statements and stateful ACLs | Uses Class-Based Policy language
Not Supported | Support Application Inspection and Control
Support from IOS Release 11.2 | Support from IOS Release 12.4(6)T
Default “permit all” policy | Default “deny all” policy
8. Configuration Example
! Traffic that is allowed from INSIDE to VPN
ip access-list extended ACL-INSIDE-TO-VPN
 remark --- Allow Mgmt Ports
 permit udp any any eq snmptrap
 ...
class-map type inspect match-any CLASS-ZBF-INSIDE-TO-VPN
 match access-group name ACL-INSIDE-TO-VPN
! Inspect matched traffic; drop and log everything else
policy-map type inspect POLICY-ZBF-INSIDE-TO-VPN
 class type inspect CLASS-ZBF-INSIDE-TO-VPN
  inspect
 class class-default
  drop log
! Zones must be defined before they are referenced (not shown on the slide)
zone security INSIDE
zone security VPN
interface GigabitEthernet2
 description Customer Inside/Internal
 zone-member security INSIDE
interface Tunnel1
 description VPN Headend
 zone-member security VPN
! Apply the policy to traffic flowing from INSIDE to VPN
zone-pair security ZP-INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect POLICY-ZBF-INSIDE-TO-VPN
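An offline consistency check for a zone-based firewall configuration like the one above, added here as an example and not part of the original slides. The function name `audit_zbfw` and the sample text are constructed for illustration; the sample assumes the two `zone security` definitions that the slide excerpt does not show.

```python
import re
# Constructed sample: the slide's config plus the assumed "zone security" lines.
SAMPLE = """\
zone security INSIDE
zone security VPN
policy-map type inspect POLICY-ZBF-INSIDE-TO-VPN
 class type inspect CLASS-ZBF-INSIDE-TO-VPN
  inspect
 class class-default
  drop log
interface GigabitEthernet2
 zone-member security INSIDE
interface Tunnel1
 zone-member security VPN
zone-pair security ZP-INSIDE-TO-VPN source INSIDE destination VPN
 service-policy type inspect POLICY-ZBF-INSIDE-TO-VPN
"""
TOP_LEVEL = re.compile(r"(zone|zone-pair|policy-map|class-map|interface|ip)\s")

def audit_zbfw(config):
    """Return a list of findings for a zone-based firewall config given as text."""
    zones, used, policies, pairs = {"self"}, set(), {}, {}   # "self" is built in
    policy = cls = pair = None
    for line in map(str.strip, config.splitlines()):
        if TOP_LEVEL.match(line):            # a global command leaves any sub-mode
            policy = cls = pair = None
        if m := re.fullmatch(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.fullmatch(r"zone-member security (\S+)", line):
            used.add(m[1])
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
            policy, policies[m[1]] = m[1], {}
        elif policy and (m := re.fullmatch(r"class (?:type inspect )?(\S+)", line)):
            cls = m[1]
        elif policy and cls and line.partition(" ")[0] in ("inspect", "pass", "drop"):
            policies[policy][cls] = line.partition(" ")[0]
        elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair, pairs[m[1]] = m[1], None
            used.update(m.group(2, 3))
        elif pair and (m := re.fullmatch(r"service-policy type inspect (\S+)", line)):
            pairs[pair] = m[1]
    findings = [f"zone {z} is used but never defined" for z in sorted(used - zones)]
    for name, pol in sorted(pairs.items()):
        if pol not in policies:
            findings.append(f"zone-pair {name}: inspect policy {pol!r} is missing or undefined")
    for name, classes in sorted(policies.items()):
        # With no explicit action, class-default drops unmatched traffic.
        if classes.get("class-default", "drop") != "drop":
            findings.append(f"policy-map {name}: class-default does not drop")
    return findings
```

Run against the slide's excerpt exactly as printed, it reports both zones as undefined, because the excerpt omits the zone definitions.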
9. • CSR1k VM hosted inside
– Your own server
– Your hosted server
– Cloud service provider server (AWS)
11. What is an API?
• Interface implemented by an application which allows other applications to communicate with it
• Examples
– Microsoft SharePoint (REST API)
  https://my.sharepoint.local/_api/web/lists/getByTitle('sales')/items
12. Representational State Transfer (REST)
• Uses HTTP/S
• Verbs / Request Methods
– HTTP GET, POST (Create), PUT (Replace), DELETE
Request
  GET https://172.30.0.123/api/v1/global/local-users
Response
  HTTP/1.1 200 OK
  {
    "kind": "collection#local-user",
    "users": [{
      "username": "cisco",
      "privilege": 15,
      "kind": "object#local-user",
      "pw-type": 0
    }]
  }
14. One Platform Kit
• onePK is a device level API for Cisco’s core operating systems
15. Current Uses of onePK
Common Use Cases
• Custom Routing and Traffic Steering
• Custom Traffic Analytics
• Network Automation
• Health Monitoring
• Policy Control
• Security
• Threat Mitigation
• Data Center Orchestration
• NMS/OSS Integration
Specific Applications
• Configuration and verification tool
• Topology mapping and device location mapping monitor
• Path trace network monitoring
• Programming application routes based on utilization/latency/cost
• Custom encryption of selected traffic
16. LAB
• Configure & Install CSR1000V - 30 mins
• Configure & Use RESTful API - 30 mins
17. Lab Summary
• Configure VMware Networking
• Deploy OVA from Template
• Configure Router
• Configure Zone-Based Firewall
• Configure RESTful API
• Use REST GET/POST to add & remove a NAT
See lab guide for details