Advanced Networking- Lab 5 – Deploying CSR1000v as a Tenant Router

POD parameters: OpenStack Group-1, user0, aio110 10.1.64.110, compute120 10.1.64.120, [email protected]

User: user0
  vnc     : lab.onecloudinc.com:5900

aioX: aio110
  eth0    : 10.1.64.110
  eth1    : 10.1.65.110
  eth2    : ext-net
  Netmask : 255.255.255.0
  Gateway : 10.1.64.1

computeY: compute120
  eth0    : 10.1.64.120
  eth1    : 10.1.65.120
  eth2    : ext-net
  Netmask : 255.255.255.0

Network & Allocation Pool
  Float Range : 10.1.65.0010.1.65.00
  Network     : 10.1.65.0/24
  Gateway     : 10.1.65.1
  DNS         : 10.1.1.92
  VLAN Range  : 298299

CSR Instantiation as a tenant VM

Step 1. Source the environment
You may need to source the correct environment variables before the OpenStack CLI commands will work. We should also verify that we are on the AIO node; the command prompt should look similar to this:

[centos@aio110 ~]$
sudo su -
source keystonerc_admin

Step 2. Verify or Add CSR Image in Image Store (Glance)
Verify if the CSR image already exists in Glance:

glance image-list
As long as the CSR image is present and active, proceed to step 3. If the CSR image is missing, follow the process as described below.

Download a copy of the CSR qcow2 format image from CCO here. Alternatively, in our lab environment you can use the link http://10.1.1.92/csr/csr-314.qcow2 as the source for the glance command below.

Add the Image file in to the Glance Image store through Glance APIs

glance image-create --name csr-314 --owner `openstack project list | awk '/ admin / {print $2}'` --disk-format qcow2 --container-format bare --copy-from http://10.1.1.92/csr/csr-314.qcow2 --is-public true

You will want to verify that the image you just added is present and shows status “active” in the Glance repository, so run:

glance image-list

Step 3. Create a Flavor
Create a CSR specific Flavor with the following options using the nova flavor-create CLI.  For our purposes, the following values are appropriate: (ID: 100, Memory: 4GB, Disk Space: 0GB, VCPUs: 2)

Note: The disk size must be set to 0 for the CSR1000v to boot, and you must have at least 4096 MB of RAM allocated.
nova flavor-create csr.2vcpu.4gb 100 4096 0 2

Step 4. Ensure we have the KVM hypervisor enabled

For the CSR specifically, it is also important that we are running the KVM hypervisor and not just the QEMU emulation service. This must be set on both the AIO node and the compute node. First, on the AIO node, run:

openstack-config --set /etc/nova/nova.conf libvirt virt_type kvm
service openstack-nova-compute restart

And then do that again, but this time on the compute node (which we can log into from the aio node):

ssh compute120
openstack-config --set /etc/nova/nova.conf libvirt virt_type kvm
service openstack-nova-compute restart
exit
You may have to say “yes” to the ssh fingerprint of your compute node if you have not logged into it from the aio node before.

Step 5. Create Neutron networks
In our simple use case, we’ll leverage the CSR as a router between two tenant networks. As of the Kilo release, we can use the port_security_enabled flag to mark individual ports as secure or not. For our purposes, a router port is _NOT_ secure, as it must accept and forward traffic for addresses other than its own. Prior to Kilo, the only option for using a router in this fashion was to disable port security wholesale for the entire system.

There is a bug in the current Kilo environment that will break the system if port security is enabled while networks are configured, so we’ll first delete any networks/routers we have created, and then enable port security. The delete process is the same as described in Lab 4 Step 2.

List any running VMs:

nova list

Delete them:

nova delete <each VM name from the list>

Get a list of routers, and of networks:

neutron router-list
neutron net-list

Clear the router gateway:

neutron router-gateway-clear router*

Remove any interfaces attached to the router:

neutron router-interface-delete router* net*

Now delete your router:

neutron router-delete router*

And delete the networks:

neutron net-delete net*

Next we’ll enable the port-security feature. On the AIO node, run the following openstack-config to enable port_security as an ML2 extension. If you were doing this on a real system, you might want to first determine if any other extensions are running, as this will overwrite them:

openstack-config --set /etc/neutron/plugin.ini ml2 extension_drivers port_security
service neutron-server restart
This enables the ML2 port_security extension. If you still have networks defined at this point, it will break your system.

We’ll create two networks, attach the CSR to both networks, and attach a VM to each network. We won’t enable Floating IPs, so for now we’ll have to log in to each VM via the nova VNC console.

neutron net-create public --router:external
neutron subnet-create public 10.0.0.0/24 --name public-subnet --gateway=10.0.0.1

Create a new internal network for CSR forwarded tenants:

neutron net-create private
neutron subnet-create private 10.1.0.0/24 --name private-subnet --gateway=10.1.0.1

Step 6. Create Neutron ports with port_security disabled
We also need ports that we’ll configure with port_security disabled so that our router doesn’t have anti-spoofing protection enabled. We need a port per network, so we’ll create a pub-router and priv-router port to use when we boot the CSR image:

neutron port-create public --port-security-enabled False --name pub-router
neutron port-create private --port-security-enabled False --name priv-router
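Because these two ports no longer get Neutron's anti-spoofing rules, it is worth confirming that they are the only ports in that state. The shell functions below are an added example, not part of the lab: they parse the table output of `neutron port-list -c id -c name -c port_security_enabled` (a constructed sample is embedded so the check runs offline) and report every port with port security disabled whose name is not in the expected router-port list.

```shell
#!/bin/sh
# Added example, not from the lab. Audits Neutron ports for port_security_enabled=False.
# SAMPLE_PORT_LIST is a constructed stand-in for the real command output:
#   neutron port-list -c id -c name -c port_security_enabled
SAMPLE_PORT_LIST='+--------------------------------------+-------------+-----------------------+
| id                                   | name        | port_security_enabled |
+--------------------------------------+-------------+-----------------------+
| 0a1b2c3d-0000-4000-8000-000000000001 | pub-router  | False                 |
| 0a1b2c3d-0000-4000-8000-000000000002 | priv-router | False                 |
| 0a1b2c3d-0000-4000-8000-000000000003 |             | True                  |
| 0a1b2c3d-0000-4000-8000-000000000004 | dev-test    | False                 |
+--------------------------------------+-------------+-----------------------+'

# Print "<id> <name>" for every port whose port_security_enabled column is False.
# Separator rows (+----+) have a single field with -F'|' and are skipped by NF >= 5.
unsecured_ports() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 5 {
            id = $2; name = $3; ps = $4
            gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", ps)
            if (id != "id" && ps == "False")
                print id, (name == "" ? "<unnamed>" : name)
        }'
}

# $1 = port-list text, $2 = space-separated names allowed to be unsecured.
# Prints "<id> <name>" for each unsecured port that is NOT in the allow-list.
unexpected_unsecured() {
    allowed=" $2 "
    unsecured_ports "$1" | while read -r id name; do
        case "$allowed" in
            *" $name "*) ;;
            *) printf '%s %s\n' "$id" "$name" ;;
        esac
    done
}

# Exit status 0 only when every unsecured port is one of the expected router ports.
audit_port_security() {
    bad=$(unexpected_unsecured "$1" "$2")
    if [ -n "$bad" ]; then
        echo "Unexpected ports with port security disabled:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}
```

On a live system replace the sample with `"$(neutron port-list -c id -c name -c port_security_enabled)"` and pass `"pub-router priv-router"` as the allow-list.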

Step 7. Boot the CSR
Now we can get the router started and associate it with the networks. We need a configuration file for the CSR image so that its network interfaces are configured on initial boot. Any additional configuration can be done manually by logging in via telnet or ssh, or via NETCONF or RESTful interfaces (but those require additional configuration that is beyond the scope of this lab).

This configuration file does the following:

  • set the host name
  • configure telnet/ssh access
  • set the first interface to 10.0.0.1 and enable it
  • set a second interface to 10.1.0.1 and enable it
  • ensure that ip routing is enabled
  • enable and activate the management interface service (should allow RESTful config)
cat > /root/iosxe_config.txt <<EOF
hostname csr

line con 0
logging synchronous
transport preferred none
line vty 0 4
login local
transport preferred none
transport input ssh telnet
username stack priv 15 secret cisco
ip domain-name onecloudinc.com
crypto key generate rsa modulus 1024
 
interface GigabitEthernet1
ip address 10.0.0.1 255.255.255.0
no shutdown

interface GigabitEthernet2
ip address 10.1.0.1 255.255.255.0
no shutdown

ip routing

virtual-service csr_mgmt
ip shared host-interface GigabitEthernet1
activate
license accept end user agreement
license boot level premium
end

EOF

The CSR can now be booted with Config drive enabled so that we can pass a file for the configuration, and we’re grabbing the ports we created and assigning them the same IP addresses we defined in our CSR configuration file:

nova boot csr --image csr-314 --flavor 100 --nic port-id=`neutron port-list | awk '/ pub-router / {print $2}'`,v4-fixed-ip=10.0.0.1 --nic port-id=`neutron port-list | awk '/ priv-router / {print $2}'`,v4-fixed-ip=10.1.0.1 --config-drive=true --file iosxe_config.txt=/root/iosxe_config.txt
Note that each v4-fixed-ip parameter needs to map to the corresponding ‘ip address’ config line in the iosxe_config.txt file!
Note that we’re not passing user data as we would for a normal VM boot; instead we pass a file and force it through the config-drive function.
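To catch a mismatch between the fixed IPs handed to nova boot and the `ip address` lines in iosxe_config.txt before the router boots, here is an added example (not from the lab or from Cisco): a shell check that extracts the interface addresses from the config text and compares them, in --nic order, with the intended v4-fixed-ip values. It assumes GigabitEthernet1 is the first --nic and GigabitEthernet2 the second, as in the lab's boot command, and embeds a constructed copy of the interface section.

```shell
#!/bin/sh
# Added example, not from the lab. Verifies that --nic v4-fixed-ip values match the
# "ip address" lines in the CSR bootstrap config, assuming --nic order == interface order.
# SAMPLE_IOSXE_CONFIG is a constructed excerpt of the lab's iosxe_config.txt.
SAMPLE_IOSXE_CONFIG='hostname csr
interface GigabitEthernet1
ip address 10.0.0.1 255.255.255.0
no shutdown
interface GigabitEthernet2
ip address 10.1.0.1 255.255.255.0
no shutdown
ip routing'

# Print "<interface> <ip>" for every interface stanza that carries an ip address line.
config_interface_ips() {
    printf '%s\n' "$1" | awk '
        $1 == "interface" { iface = $2 }
        $1 == "ip" && $2 == "address" && iface != "" { print iface, $3 }'
}

# $1 = config text, $2 = space-separated fixed IPs in --nic order.
# Prints one line per mismatch and returns 1 if any interface differs.
check_fixed_ips() {
    cfg_ips=$(config_interface_ips "$1" | awk '{ print $2 }')
    i=0
    rc=0
    for fixed in $2; do
        i=$((i + 1))
        # i-th configured address, or empty if the config has fewer interfaces
        cfg=$(printf '%s\n' "$cfg_ips" | sed -n "${i}p")
        if [ "$cfg" != "$fixed" ]; then
            echo "nic $i: --nic v4-fixed-ip=$fixed but config has ${cfg:-<none>}"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_fixed_ips "$(cat /root/iosxe_config.txt)" "10.0.0.1 10.1.0.1"` before the nova boot; a non-zero exit means the router would come up with addresses Neutron does not expect on those ports.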

Now that our CSR is booting, we can watch the system come up by opening a VNC console session:

sleep 30; nova get-vnc-console csr novnc | awk '/http/ {print $4}'

Step 8. Verify that the CSR image is actually routing traffic
We will now boot a VM on each of the networks so that we can verify that the router is functioning properly.

nova boot --image cirros --flavor 2 --nic net-id=`neutron net-list | awk '/ private / {print $2}'` csr-private
nova boot --image cirros --flavor 2 --nic net-id=`neutron net-list | awk '/ public / {print $2}'` csr-public

Log in via VNC to these systems as well, and verify that you can ping and ssh across the router interface. You can determine the local Host IP from “nova list” or from ‘ifconfig eth0’ once you’ve logged into the cirros image directly.

Dev Note: Based on content from http://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/csr1000Vswcfg/installkvm.htm
Extra Credit
  1. Configure NAT on the CSR, and manually enable the “public” network to talk to the “private” network via NAT.
  2. Create a new network, and establish an L3-agent based router on that network.
  3. Attach its gateway to the public network we created.
  4. Attach its private interface to a private network.
  5. Create a third network, and configure a CSR image to route between the private L3-attached network and the public network.
  6. You will need to add a static route to the L3-agent router (similar to this: https://ask.openstack.org/en/question/42529/how-to-add-extra-static-route-in-neutron-havana/).
  7. Also configure a floating IP across the L3 agent and associate it with the router, to allow routing into the “hidden” third network.
Dev Note: When the CSR1000v first boots, the router boots in evaluation mode. The network interfaces are activated but throughput is limited to 2.5 Mbps and the feature support is limited. It is necessary to activate the software licenses to obtain the throughput and feature support provided by specific licenses. For information about the available licenses in your software version, see the CSR1000v Series Release Notes.