VPC Gateway Redundancy with the CSR 1000v

Overview

The Cisco Cloud Services Router (CSR) 1000V is a software appliance version of the Cisco ASR 1000 Series routers. It can be used to extend advanced enterprise network and security services such as IPsec VPNs, NAT, firewall, application visibility, and SLA monitoring into an AWS VPC environment. The CSR 1000v runs as an EC2 instance and is launched from the AWS Marketplace.

Figure 1 shows a notional view of the CSR 1000v in an AWS VPC. By using the VPC route table, traffic from the EC2 instances is forwarded through the CSR 1000v so that services can be applied.

Figure 1: CSR 1000v in one-armed mode (AWS igw, CSR 1000v at .254).

Since the CSR 1000v runs as an EC2 instance, it can rely on native EC2 high availability mechanisms in the event of underlying compute hardware issues. In that case the CSR is restarted, and recovery times are on the order of minutes. For designs that require faster convergence, the CSR 1000v can be deployed as a redundant pair with failover between the two.

In typical Ethernet environments, gateway redundancy is provided by protocols such as HSRP and VRRP. These protocols present a pair of routers as a single virtual IP address that hosts use as their default gateway. HSRP and VRRP use link-local multicast packets for peer status monitoring and active gateway election. In an AWS VPC, link-local multicast and broadcast traffic are not supported, so neither protocol can be used there. This white paper describes an alternate gateway redundancy option for the CSR 1000v in an AWS VPC.

Solution Overview

The logic of the solution is as follows:

1. A pair of CSR 1000v's is deployed into an AWS VPC.
2. A GRE tunnel is configured between the CSRs.
3. Bidirectional Forwarding Detection (BFD) and a routing protocol (EIGRP or BGP) are enabled on the GRE tunnel for peer failure detection.
4. Each CSR 1000v is configured with an Embedded Event Manager (EEM) applet that monitors for BFD peer down events.
5. When a BFD peer down event is detected, the EEM applet uses the AWS EC2 VPC API to modify the VPC route table and redirect traffic around the failure.

Solution Details

The topology in Figure 2 is an example of a VPN gateway configuration.

Figure 2: Initial Topology (public subnet with CSR-A, CSR-B, the EC2 helper VM and the Internet gateway; private subnet with the EC2 instances; VPN tunnels to the Internet and a GRE tunnel between the CSRs).

This topology uses a single availability zone and two VPC subnets. Each CSR has a single Ethernet interface connected to the public VPC subnet. The public subnet has a VPC route table whose default route targets the Internet gateway. Each CSR has a VPN tunnel to the Internet; these tunnels would typically terminate at another VPN device located on the enterprise network or in another VPC. Finally, a GRE tunnel is configured between the two local CSRs. This GRE tunnel carries the BFD control packets used for peer failure detection.

Since the CSR is not directly connected to the private subnet, a static route for the private subnet is added to each CSR. This static route points to the address of the VPC router on the public subnet, which is always the first usable address of the subnet. For example, the VPC router address for the subnet 172.24.2.0/25 is 172.24.2.1.

Other topologies, including multiple availability zones, single- or multi-subnet VPCs, multiple VPN tunnels, and multiple CSR Ethernet interfaces, are possible and can use the same solution.

EIGRP is used as the routing protocol, though other routing protocols could be used. The primary purpose of the routing protocol is to register as a BFD client: BFD requires at least one client protocol before it will initiate neighbor discovery. An additional benefit of the GRE tunnel and the routing protocol is that they can provide a backup path in case of VPN tunnel failures.

The EC2 instances reside in a private subnet with its own VPC route table.
The default route for this subnet has a target of the network interface of one of the CSRs. Because a VPC route table allows only one active target per route, only one CSR is in the egress traffic path for this subnet at a time. Ingress traffic flow over the VPN tunnels is determined by the remote VPN devices, so it is possible that CSR-B is the active ingress path or that load sharing is being done between CSR-A and CSR-B. In this example, ingress and egress traffic is initially forwarded through CSR-A, as shown in Figure 3.

Figure 3: Initial Traffic Flow (ingress and egress through CSR-A).

CSR-A then fails, as shown in Figure 4. The goal is to shift traffic so that it egresses through CSR-B and no longer ingresses through CSR-A.

Figure 4: CSR-A Failure.

For the ingress direction, the remote VPN device detects that the VPN tunnel terminated at CSR-A is no longer available. This uses traditional VPN tunnel high availability techniques such as routing protocols (with or without BFD) and IKE dead peer detection. For the egress direction, CSR-B detects the failure of CSR-A and modifies the VPC route table to redirect traffic to itself. When BFD times out on CSR-B, a log message similar to the following is generated:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.24.33.1 (Tunnel33) is down: BFD peer down notified

EEM is an event detection and automation technology available on the CSR. The EEM applet is configured to run whenever this BFD peer down log message is generated.
Figure 5: EEM Applet Triggered with BFD Peer Down Event (the BFD peer down event on CSR-B triggers the EEM applet).

When triggered, the EEM applet uses the AWS API ec2-replace-route command to modify the VPC route table so that the local CSR becomes the new target for the default route. The CSR cannot access the AWS EC2 API directly, so a helper VM with the AWS EC2 CLI tools installed is required. CSR-B SSHes into the helper VM and runs the ec2-replace-route command. See the section titled "Setting up the Helper VM" for more details on configuring this VM.

An example EEM applet is shown in Figure 6. The EEM configuration on CSR-A and CSR-B is nearly the same; this is covered in more detail in the deployment procedure section.

event manager environment q "
event manager environment USER eem
event manager environment PASS cisco123
event manager environment IP 172.24.2.84
event manager environment RTB rtb-c41b78a5
event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-65ef154e
event manager applet replace-route
 event syslog pattern "\(Tunnel33\) is down: BFD peer down notified"
 action 1.0 cli command "enable"
 action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:"
 action 2.1 cli command "$PASS"

Figure 6: EEM Applet

The pattern "word:" on action 2.0 makes EEM wait for the helper VM's "Password:" prompt before action 2.1 sends the password. Note that the helper VM password sits in cleartext in the running configuration (the PASS environment variable), so anyone who can read the CSR configuration can log into the helper VM and, through the AWS credentials stored there, rewrite the VPC route table. Restrict SSH access to the helper VM to the CSR addresses and scope the AWS access key to the route table operations it needs (see "Setting up the Helper VM").

Figure 8 shows CSR-B modifying the VPC route table for the default route.

Figure 8: EEM Applet modifies the VPC Route Table (the EEM applet connects to the helper VM and runs ec2-replace-route).

Once the VPC route table is modified, the VPC begins directing egress traffic to CSR-B, as shown in Figure 9.
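The helper VM side of the failover, as an added example that is not part of the Cisco paper: a POSIX shell wrapper the EEM applet could invoke instead of a bare ec2-replace-route. It parses the ec2-describe-route-tables output in the format shown in the verification step, issues ec2-replace-route only when the current target for the CIDR differs from the local ENI, and re-reads the table to confirm the change took effect. The script name, the function names, the DRY_RUN and DRY_TARGET switches and the sample route table contents are assumptions made for this example; the EC2 CLI commands, the route table and ENI identifiers, and the environment variables are the ones the paper uses.

```sh
#!/bin/sh
# replace-route-if-needed.sh -- added example, not from the Cisco paper.
# Wrapper the EEM applet can run on the helper VM instead of a bare ec2-replace-route:
#   1. read the route table and find the current target of CIDR,
#   2. do nothing if it already points at the requested ENI,
#   3. otherwise call ec2-replace-route and re-read the table to verify.
# Assumes the EC2 CLI tools and AWS_ACCESS_KEY / AWS_SECRET_KEY / EC2_URL are set up
# for the calling user as in "Setting up the Helper VM".  DRY_RUN=1 replaces the two
# API calls with a constructed in-memory route table so the logic can be run offline.

DRY_TARGET="${DRY_TARGET:-eni-060ce72d}"   # simulated current default-route target

# Constructed sample in the ec2-describe-route-tables output format shown in the paper.
dry_describe() {
    printf 'ROUTETABLE\t%s\tvpc-950467f4\n' "$1"
    printf 'ROUTE\tlocal\tactive\t172.24.2.0/24\tCreateRouteTable\n'
    printf 'ROUTE\ti-6f3aef4c\tactive\t0.0.0.0/0\t%s\tCreateRoute\n' "$DRY_TARGET"
    printf 'ASSOCIATION\trtbassoc-c6cc33a3\tsubnet-b00b68d1\n'
}

describe_route_table() {   # usage: describe_route_table RTB
    if [ "${DRY_RUN:-0}" = 1 ]; then
        dry_describe "$1"
    else
        ec2-describe-route-tables "$1"
    fi
}

replace_route() {          # usage: replace_route RTB CIDR ENI
    if [ "${DRY_RUN:-0}" = 1 ]; then
        DRY_TARGET="$3"
        echo "DRY_RUN: ec2-replace-route $1 -r $2 -n $3"
    else
        ec2-replace-route "$1" -r "$2" -n "$3"
    fi
}

# Print the target (fifth field of the matching ROUTE line) for CIDR, read from stdin.
# Exit status 1 when the table has no route for CIDR.
current_target() {         # usage: describe_route_table RTB | current_target CIDR
    awk -v cidr="$1" '
        $1 == "ROUTE" && $4 == cidr { print $5; found = 1 }
        END { if (!found) exit 1 }'
}

# Make ENI the target of CIDR in RTB.
# Returns 0 when CIDR targets ENI (already, or after the change),
#         2 when RTB has no route for CIDR (nothing to replace),
#         1 when the replace was issued but the table still shows another target.
failover() {               # usage: failover RTB CIDR ENI
    rtb="$1"; cidr="$2"; eni="$3"
    before=$(describe_route_table "$rtb" | current_target "$cidr") || {
        echo "no route for $cidr in $rtb" >&2
        return 2
    }
    if [ "$before" = "$eni" ]; then
        echo "$cidr in $rtb already targets $eni; nothing to do"
        return 0
    fi
    replace_route "$rtb" "$cidr" "$eni" || return 1
    after=$(describe_route_table "$rtb" | current_target "$cidr") || return 1
    if [ "$after" != "$eni" ]; then
        echo "verification failed: $cidr in $rtb targets $after, expected $eni" >&2
        return 1
    fi
    echo "$cidr in $rtb moved from $before to $eni"
}

# With arguments: real run (for example from the EEM applet).  Without arguments: offline
# demonstration of CSR-B (eni-65ef154e) taking over the default route from CSR-A (eni-060ce72d).
if [ $# -eq 0 ]; then
    DRY_RUN=1
    failover rtb-c41b78a5 0.0.0.0/0 eni-65ef154e
else
    failover "$@"
fi
```

To use it, install the script in the csr user's PATH on the helper VM and change only the command string in the applet, for example action 2.0 becoming ssh -l $USER $IP $q replace-route-if-needed.sh $RTB $CIDR $ENI$q. A repeated trigger on the same CSR is then a no-op, and a replacement that the API did not apply is reported with a non-zero exit status and a message on stderr, which shows up in the SSH session output the applet receives.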
Figure 9: New Traffic Flow (the VPC route table now has a target of CSR-B).

Step-by-Step Deployment Procedure

Step 1: Configure the VPC with dual CSRs.

The VPC should be created and configured based on the topology requirements. Additionally, two CSRs should be launched into the VPC and initial configurations, including VPN tunnels, should be applied. For more information on deployment steps and CSR configuration, consult the following documents:

CSR 1000v for AWS Deployment Guide
https://supportforums.cisco.com/sites/default/files/deployment_guide_final_community_support.pdf

Setting up DMVPN on the CSR in AWS Cloud
https://supportforums.cisco.com/sites/default/files/setting_up_dmvpn_using_csr_in_aws_cloud.pdf

Step 2: Enable the premium license.

The BFD solution in this document requires the premium feature license. It is enabled by configuring the "license boot level premium" command, saving the configuration, and reloading. This activates a 60-day evaluation license. After 60 days the license falls back to a limited feature set, at which point a permanent license must be installed. The "show license" command can be used to inspect the license status.

CSR-A(config)#license boot level premium
% use 'write' command to make license boot config take effect on next boot
CSR-A(config)#end
CSR-A#wr mem
Building configuration...
[OK]
CSR-A#reload

Step 3: Set up the helper VM.

Refer to the section titled "Setting up the Helper VM" in this document for the deployment procedure of the helper VM.

Step 4: Configure the GRE tunnel, EIGRP, and BFD.

The following is a sample configuration.

interface Tunnel33
 ip address 172.24.33.1 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.2.125
!
router eigrp 1
 bfd interface Tunnel33
 network 172.24.0.0
 passive-interface GigabitEthernet1

The BFD values are configurable and can be made more aggressive if faster convergence is desired. However, this can lead to BFD peer down events during intermittent connectivity. The values above, which detect peer failure within 1.5 seconds (a 500 ms interval times a multiplier of 3), have been tested to be stable in an AWS VPC environment. Because both CSRs run the same applet, a transient loss of the GRE tunnel that both sides detect causes each CSR to rewrite the default route to itself; both CSRs are still forwarding in that case, so traffic keeps flowing, but the active CSR ends up being whichever ec2-replace-route ran last. There is also a variable delay between the time the AWS API command is executed and the time the VPC route table change goes into effect. This is usually on the order of a few seconds.

Step 5: Collect the route table ID and network interface ID for each CSR.

The route table ID and network interface ID can be found in the AWS console.

Figure 10: Route Table ID in AWS Console

Figure 11: Network Interface ID for CSR-B in AWS Console

Step 6: Configure the EEM applet.

event manager environment q "
event manager environment RTB rtb-c41b78a5
event manager environment CIDR 0.0.0.0/0
event manager environment USER csr
event manager environment PASS cisco123
event manager environment IP 172.24.2.84
event manager environment ENI eni-060ce72d
event manager applet replace-route2
 event syslog pattern "\(Tunnel33\) is down: BFD peer down notified"
 action 1.0 cli command "enable"
 action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:"
 action 2.1 cli command "$PASS"

To promote reusability of this applet, the site-specific values are separated out of the body of the EEM applet and defined as EEM environment variables.
The variables used are as follows:

q – used to substitute a quotation mark into the ssh command
USER – Linux user account on the helper VM
PASS – Linux user password on the helper VM
IP – IP address of the helper VM
RTB – the route table ID of the private subnet's VPC route table
CIDR – destination of the default route
ENI – network interface ID of the CSR's GigabitEthernet interface

The only difference between the CSR-A and CSR-B EEM applets should be the ENI environment variable, which is set to the network interface ID of the local CSR.

Step 7: Verification

First check that the BFD and EIGRP relationships are established and normal on both peers. This example shows the local peer on Tunnel 33 and also the remote VPN peer on Tunnel 98.

CSR-A#show bfd neighbors

IPv4 Sessions
NeighAddr          LD/RD       RH/RS   State   Int
172.24.33.2        4097/4104   Up      Up      Tu33
172.24.98.1        4098/4108   Up      Up      Tu98

CSR-A#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address          Interface   Hold   Uptime     SRTT   RTO    Q    Seq
                                 (sec)             (ms)          Cnt  Num
1   172.24.98.1      Tu98        12     00:20:12   70     1470   0    391
0   172.24.33.2      Tu33        12     00:20:15   11     1470   0    88

Log into the helper VM and verify the current VPC route table configuration.

[csr@ip-172-24-2-85 ~]$ ec2-describe-route-tables rtb-c41b78a5
ROUTETABLE   rtb-c41b78a5   vpc-950467f4
ROUTE        local          active   172.24.2.0/24   CreateRouteTable
ROUTE        i-6f3aef4c     active   0.0.0.0/0       eni-060ce72d   CreateRoute
ASSOCIATION  rtbassoc-c6cc33a3   subnet-b00b68d1

In this example the current active gateway is CSR-A, which has the ENI value eni-060ce72d. To create a failure, the active CSR is rebooted. The new target for the default route should then be the ENI of CSR-B.
[csr@ip-172-24-2-85 ~]$ ec2-describe-route-tables rtb-c41b78a5
ROUTETABLE   rtb-c41b78a5   vpc-950467f4
ROUTE        local          active   172.24.2.0/24   CreateRouteTable
ROUTE        i-6f3aef4c     active   0.0.0.0/0       eni-7e072d55   CreateRoute
ASSOCIATION  rtbassoc-c6cc33a3   subnet-b00b68d1

Full Configurations

CSR-A

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSR-A
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
no ip domain lookup
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-208042347
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-208042347
 revocation-check none
 rsakeypair TP-self-signed-208042347
!
crypto pki certificate chain TP-self-signed-208042347
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 30312E30 2C060355
  04031325 494F532D 53656C66 2D536967 69666963 6174652D 32303830 34323334
  37301E17 0D313430 395A170D 32303031 30313030 30303030 5A303031 2E302C06
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 33343730 819F300D
  06092A86 4886F70D 01010105 0003818D BDDDA641 7A750902 23B63746 2D3DACFC
  776F89A2 F4960F6B A61FFBC8 2984312C 03160B6F 887AB254 49063821 2E8FA3DD
  F03D35F3 790723E4 0892424C 441CD535 4A457E02 25EA16E2 5CD52617 6B28B26C
  07EE4B5D 020F2964 5234EB55 38EB2175 02030100 01A35330 51300F06 03551D13
  0101FF04 05300301 23041830 168014E6 B8C2B043 C691E45B 287D1A0A 30DD905B
  1D0E0416 0414E6B8 C2B043C6 91E45B28 7D1A0A30 DD905BC1 4886F70D 01010505
  00038181 0058C096 57A0D0C9 B28C8EAA F70D0101 6E65642D 33313831 03550403
  652D3230 00308189 19673309 9B9622D4 68A9064B 02D129E0 01FF301F C1A77F30
  A77F300D BEA74B84 05050030 43657274 34343234 1325494F 38303432 02818100
  36AEF620 687D871F 0874896E 30B17A81 0603551D 1D060355
  06092A86 53BA2062 12B64621 60D348F8 FB152E52 565F0CCA 77430C45 55458D06
  6190D7E7 6DAB65D9 B92CD045 9119BA29 6B295BB9 5128CEE9 0EC6AD18 35C3D8AC
  54563CE9 62D04947 8B9B31CF 56308CE3 19BEFC95 795121C5 44673211 B9DE5B9A
  0AFB687F 1D33979F 4191CE4B 3E9CB684 272BCD98 F5
  quit
license udi pid CSR1000V sn 9F4TK27JDDU
license boot level premium
spanning-tree extend system-id
!
username ec2-user privilege 15 secret 5 $1$MIDl$ZZmKyk5rWdQ/UdrGS0v/N.
!
redundancy
 mode none
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn csn-aws-va-csr5.cisco.com
 authentication remote pre-share key cisco123
 authentication local pre-share key cisco123
!
crypto ikev2 dpd 10 2 on-demand
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa 1CE65034F2481508E0466998CE6C8AB2 chockerva
!
interface Tunnel33
 ip address 172.24.33.1 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.2.125
!
interface Tunnel98
 ip address 172.24.98.2 255.255.255.252
 ip summary-address eigrp 1 172.24.2.0 255.255.255.0
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 54.200.135.205
 tunnel protection ipsec profile default
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
router eigrp 1
 bfd interface Tunnel98
 bfd interface Tunnel33
 network 172.24.0.0
 passive-interface GigabitEthernet1
!
virtual-service csr_mgmt
 activate
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 172.24.2.128 255.255.255.128 172.24.2.1
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
!
event manager environment q "
event manager environment USER csr
event manager environment PASS cisco123
event manager environment IP 172.24.2.84
event manager environment RTB rtb-c41b78a5
event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-060ce72d
event manager applet replace-route
 event syslog pattern "\(Tunnel33\) is down: BFD peer down notified"
 action 1.0 cli command "enable"
 action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:"
 action 2.1 cli command "$PASS"
!
end

CSR-B

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSR-B
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3088625601
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3088625601
 revocation-check none
 rsakeypair TP-self-signed-3088625601
!
crypto pki certificate chain TP-self-signed-3088625601
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 31312F30 2D060355
  04031326 494F532D 53656C66 2D536967 69666963 6174652D 33303838 36323536
  3031301E 170D3134 34375A17 0D323030 31303130 30303030 305A3031 312F302D
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 32353630 3130819F
  300D0609 2A864886 F70D0101 01050003 8100C354 8092363B B6FAEDA3 C86D3E6D
  098BE68E 816A817B 71252DBC 6EBC5498 ACDB7CD2 7EA49F68 7FFCDEC1 5E3B0C7B
  1D8A1636 DA0DBB46 3D57587A FCA519AE 75054641 96AB1491 BCCC7890 7B2AA21B
  1CFD9195 A3787271 A2BBDA0F 316C1497 FEDD0203 010001A3 53305130 0F060355
  1D130101 FF040530 551D2304 18301680 14BC4913 F3712915 87A396C3 752F2472
  03551D0E 04160414 BC4913F3 71291587 A396C375 2F2472FF F70D0101 6E65642D
  30343031 06035504 74652D33 818D0030 91E11086 1802431F EE23A624 9D889531
  030101FF FF5CA2DF 5CA2DFBB 05050030 43657274 31333033 03132649 30383836
  81890281 284F01EE CD0EC583 E95D442D 58FDABE4 301F0603 BB301D06 300D0609
  2A864886 F70D0101 05050003 81810061 F3FD3584 A5BA99FD 51C0689E EBF557F6
  D5AC4BD6 D6975B79 DEB139E3 2E182087 C1C9839A DBF7AEA3 4CBA3632 41D8CFE2
  BEFDBE98 8292814D C322A153 150C8787 FD40BAB8 8E4BBF9D 642733B4 B1EEB0CD
  50A6EBFE D3A91922 494CB001 F34BFE6F BE906F82 ED2BED87 AA6B41E6 444943F5
  1A824738 610DF594 61EF842C 0D3C9D
  quit
license udi pid CSR1000V sn 9MZ1BE4UHG2
license boot level premium
spanning-tree extend system-id
!
username ec2-user privilege 15 secret 5 $1$sg9o$.4qkVnSQJSB4V/Onto.Si0
username csn-admin privilege 15 password 7 0230590F44551F287E1D
!
redundancy
 mode none
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn csn-aws-va-csr8.cisco.com
 authentication remote pre-share key cisco123
 authentication local pre-share key cisco123
!
crypto ikev2 dpd 10 2 on-demand
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username ec2-user
   key-hash ssh-rsa 1CE65034F2481508E0466998CE6C8AB2 chockerva
!
interface Tunnel33
 ip address 172.24.33.2 255.255.255.252
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 172.24.2.126
!
interface Tunnel96
 ip address 172.24.96.1 255.255.255.252
 ip summary-address eigrp 1 172.24.2.0 255.255.255.0
 bfd interval 500 min_rx 500 multiplier 3
 tunnel source GigabitEthernet1
 tunnel destination 54.200.135.205
 tunnel protection ipsec profile default
!
interface VirtualPortGroup0
 ip unnumbered GigabitEthernet1
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
router eigrp 1
 bfd interface Tunnel96
 bfd interface Tunnel33
 network 172.24.0.0
 passive-interface GigabitEthernet1
!
virtual-service csr_mgmt
 activate
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 172.24.2.128 255.255.255.128 172.24.2.1
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
!
event manager environment q "
event manager environment USER csr
event manager environment PASS cisco123
event manager environment IP 172.24.2.84
event manager environment RTB rtb-c41b78a5
event manager environment CIDR 0.0.0.0/0
event manager environment ENI eni-65ef154e
event manager applet replace-route
 event syslog pattern "\(Tunnel33\) is down: BFD peer down notified"
 action 1.0 cli command "enable"
 action 2.0 cli command "ssh -l $USER $IP $q ec2-replace-route $RTB -r $CIDR -n $ENI$q" pattern "word:"
 action 2.1 cli command "$PASS"
!
end

Setting up the Helper VM

The helper VM is used as a proxy to run the AWS API commands that modify the route table. The following procedure can be used to set up the helper VM.

Step 1: Generate AWS access keys

Access keys are needed to authenticate to the AWS API.
If you already have an access key and the associated secret, you can skip this step. Browse to the IAM dashboard and navigate to Users > Username > Security Credentials > Manage Access Keys, as shown in the next figure. Click Create Access Key and either download the credentials or click Show Credentials and save them. Because these keys will sit in cleartext in the helper VM's .bashrc, create them for a dedicated IAM user whose policy allows only the EC2 actions this procedure uses (ec2:DescribeRouteTables and ec2:ReplaceRoute, plus ec2:DescribeRegions and ec2:DescribeVpcs for the checks in Steps 8 and 9) rather than for an administrative user.

Step 2: Launch the EC2 instance

The helper VM is only used to run EC2 API commands, so a micro instance can be used. It should be launched into the same VPC and subnet as the public interface of the CSR. Make sure that a public IP address is auto-assigned, as this is necessary to reach the AWS API endpoints. Configure an AWS security group that restricts inbound access to SSH only and, ideally, only from the IP addresses of the CSRs and any administrative workstations. Initially, an administrative workstation is required to log in to the ec2-user account and set up the helper VM. The following figures show the steps for launching the helper VM from the AWS console.

You will then be prompted to select a key pair for logging into the EC2 instance. You can either create a new key pair and save it, or use an existing key pair. Note that this key pair is not the same as the access keys that are used to authenticate to the AWS API.

Step 3: SSH to the public IP address of the helper VM

In the list of EC2 instances, find the helper VM and locate its public IP address. SSH to this address using your key pair.

ssh -i chockerva.pem ec2-user@54.86.153.44

Step 4: Install software updates.

[ec2-user@ip-172-24-2-85 ~]$ sudo yum update

Step 5: Configure the helper VM for password authentication.

sudo vi /etc/ssh/sshd_config

Find the line that says "PasswordAuthentication no" and change it to "PasswordAuthentication yes". The EEM applet authenticates to the helper VM with a password, so this is required; it also means the security group from Step 2 is the main control over who can attempt to log in. Restart sshd.
sudo service sshd restart

Step 6: Create the csr account

[ec2-user@ip-172-24-2-85 ~]$ sudo useradd -m csr
[ec2-user@ip-172-24-2-85 ~]$ sudo passwd csr

This username and password will be used by the CSR to log into the helper VM.

Step 7: Log in to the csr account.

ssh csr@54.86.153.44

Step 8: Add the AWS API credentials.

Edit the csr user's .bashrc file and add the two environment variables the API tools use to authenticate to the API.

[csr@ip-172-24-2-85 ~]$ vi .bashrc

Add the following lines to the end of the .bashrc file:

export AWS_ACCESS_KEY=xxxx
export AWS_SECRET_KEY=yyyy

where xxxx and yyyy are the values generated in Step 1. Source the .bashrc file and run an EC2 API command to confirm that the VM can reach the AWS API.

[csr@ip-172-24-2-85 ~]$ source .bashrc
[csr@ip-172-24-2-85 ~]$ ec2-describe-regions
REGION  eu-west-1       ec2.eu-west-1.amazonaws.com
REGION  sa-east-1       ec2.sa-east-1.amazonaws.com
REGION  us-east-1       ec2.us-east-1.amazonaws.com
REGION  ap-northeast-1  ec2.ap-northeast-1.amazonaws.com
REGION  us-west-2       ec2.us-west-2.amazonaws.com
REGION  us-west-1       ec2.us-west-1.amazonaws.com
REGION  ap-southeast-1  ec2.ap-southeast-1.amazonaws.com
REGION  ap-southeast-2  ec2.ap-southeast-2.amazonaws.com

Step 9: Set the default region environment variable.

Edit the .bashrc file again to set the region of the local VPC.

[csr@ip-172-24-2-85 ~]$ vi .bashrc

Add the following line to the end of the .bashrc file:

export EC2_URL=https://ec2.us-east-1.amazonaws.com

This example sets the region to us-east-1. Source the .bashrc again and run an API command to make sure the region is set.

[csr@ip-172-24-2-85 ~]$ source .bashrc
[csr@ip-172-24-2-85 ~]$ ec2-describe-vpcs
VPC  vpc-950467f4  available  172.24.2.0/24  dopt-ceb970af  default  false

Make sure to record the private IP address of the VM and the csr account username and password so that they can be used in the EEM applet.
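The helper VM file edits from Steps 5, 8 and 9, as an added example that is not part of the Cisco paper: POSIX shell functions that apply the sshd_config and .bashrc changes idempotently to whatever file paths they are given, so the same script can be re-run safely and tried on scratch copies before it touches /etc/ssh/sshd_config and the csr user's .bashrc. The function names, the scratch-file demonstration and the placeholder key values are assumptions made for this example; the variable names (AWS_ACCESS_KEY, AWS_SECRET_KEY, EC2_URL) and the sshd directive are the ones the paper uses.

```sh
#!/bin/sh
# helper-vm-files.sh -- added example, not from the Cisco paper.
# Idempotent versions of the file edits in Steps 5, 8 and 9 of "Setting up the Helper VM".
# Each function takes the file to edit as its first argument, so it can be exercised on a
# scratch copy; on the real VM run them as root against /etc/ssh/sshd_config and
# /home/csr/.bashrc, then "service sshd restart" as in Step 5.

# Step 5: set "PasswordAuthentication yes".  Every active (uncommented) directive is
# rewritten, because sshd honours the first one it reads; commented defaults such as
# "#PasswordAuthentication yes" are left alone; the directive is appended if absent.
# Caveat: a directive inside a "Match" block is rewritten too, so check for those first.
# The file is rewritten in place (cat into it) so its owner and mode are preserved.
enable_password_auth() {   # usage: enable_password_auth /path/to/sshd_config
    f="$1"
    awk 'BEGIN { done = 0 }
         $1 == "PasswordAuthentication" { print "PasswordAuthentication yes"; done = 1; next }
         { print }
         END { if (!done) print "PasswordAuthentication yes" }' "$f" > "$f.tmp" \
        && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# First active value of PasswordAuthentication, i.e. what sshd will actually use.
password_auth_setting() {  # usage: password_auth_setting /path/to/sshd_config
    awk '$1 == "PasswordAuthentication" { print $2; exit }' "$1"
}

# Steps 8 and 9: write the three EC2 CLI variables.  Re-running replaces earlier values
# instead of appending duplicates, and the file is made private because the secret key
# is stored in cleartext.
write_aws_env() {          # usage: write_aws_env /path/to/.bashrc ACCESS_KEY SECRET_KEY REGION
    rc="$1"; key="$2"; secret="$3"; region="$4"
    grep -v -e '^export AWS_ACCESS_KEY=' -e '^export AWS_SECRET_KEY=' \
            -e '^export EC2_URL=' "$rc" > "$rc.tmp" 2>/dev/null || true
    {
        cat "$rc.tmp"
        printf 'export AWS_ACCESS_KEY=%s\n' "$key"
        printf 'export AWS_SECRET_KEY=%s\n' "$secret"
        printf 'export EC2_URL=https://ec2.%s.amazonaws.com\n' "$region"
    } > "$rc"
    rm -f "$rc.tmp"
    chmod 600 "$rc"
}

# Value currently exported for VARNAME in a .bashrc (the last definition wins in the shell).
aws_env_value() {          # usage: aws_env_value /path/to/.bashrc VARNAME
    sed -n "s/^export $2=//p" "$1" | tail -n 1
}

# Demonstration on scratch files with constructed contents; nothing under /etc is touched.
demo_dir=$(mktemp -d)
printf '#PasswordAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n' > "$demo_dir/sshd_config"
enable_password_auth "$demo_dir/sshd_config"
write_aws_env "$demo_dir/bashrc" AKIAEXAMPLEKEY exampleSecretValue us-east-1   # placeholder values
echo "PasswordAuthentication is now: $(password_auth_setting "$demo_dir/sshd_config")"
echo "EC2_URL is now: $(aws_env_value "$demo_dir/bashrc" EC2_URL)"
rm -rf "$demo_dir"
```

The awk match on the first field is what keeps the commented Amazon Linux default ("#PasswordAuthentication yes") from being edited by mistake, which a naive sed on the word PasswordAuthentication would do; password_auth_setting reports the first active directive because that is the one sshd applies.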
References

CSR 1000v for AWS Deployment Guide
https://supportforums.cisco.com/sites/default/files/deployment_guide_final_community_support.pdf

CSR 1000v for AWS Documentation
http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/csraws.html

CSR 1000v for AWS Community Forum
https://supportforums.cisco.com/community/csr-amazon

Embedded Event Manager Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/xe-3s/asr1000/eem-xe-3s-asr1000-book.html

Bidirectional Forwarding Detection (BFD) Configuration Guide
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/asr1000/irb-xe-3s-asr1000-book.html

AWS EC2 CLI Documentation
http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/Welcome.html