Does CSR 1000v support HA feature?
I noticed that the redundancy command is supported in configuration mode, but neither SSO/HA mode can be configured:
Redundancy configuration commands:
  default   Set a command to its defaults
  exit      Exit from redundancy configuration mode
  main-cpu  Enter main-cpu mode
  mode      redundancy mode for this chassis
  no        Negate a command or set its defaults
  timer     Select a timer to configure
  none      no redundancy
Chassis type: CSR1000V
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
R0        CSR1000V            ok, active            00:18:57
F0        CSR1000V            ok, active            00:18:57
Is it possible to enable HA feature in csr1000v?
I noticed that at startup, R1 was inserted, but not online; it was in a disabled state.
The CSR1000V does not support any form of software redundancy. There are no plans to do so. You can (depending on your installation) use other forms of feature redundancy like route redundancy, etc. However, at an IOS-XE level, redundancy is not supported on the CSR1000V.
HSRP and all other multicast protocols are not supported on Amazon.
Can you check if route redundancy is supported on Amazon and possibly recommend a solution?
I contacted Amazon support and they pointed us back to the Cisco folks. I did not manage to find any support numbers to call on the page that is selling the CSR1000v instance to its customers.
How do we get support? I am assuming that once we got the CSR1000v we should have some form of support from Cisco, and hopefully the forum is not the only avenue we have.
You're right, I have updated my response. HSRP is not supported within Amazon. Here is a list of features that are supported on the CSR1000V, but not supported within an AWS installation:
What exactly are you trying to accomplish with regards to redundancy? We can see if there is a solution that will work for you.
With regards to the support options for Amazon installations the Bring Your Own License (BYOL) option provides support via Cisco TAC if there is a valid license file installed (this does not include the 60 day trial license):
The hourly paid option is currently supported through the support forum:
So it really depends on the type of installation that you are considering.
> You're right, I have updated my response. HSRP is not supported within Amazon. Here is a list of features that are supported on the CSR1000V, but not supported within an AWS installation:
It seems that this list may not be complete. VRRP is a multicasting protocol which is also not supported in Amazon.
> What exactly are you trying to accomplish with regards to redundancy? We can see if there is a solution that will work for you.
I am looking to migrate my servers from Equinix to Amazon. However, I have a few hundred VPN partners who currently connect to our Juniper SSG 140 VPN device and talk to our backend servers via the VPN. Therefore, I need to set up VPN devices on Amazon to be highly redundant / available and then migrate them over. However, it seems that multicast is not supported on Amazon. Thus if I were to set up only one Cisco CSR 1000v on Amazon, it would only happen in one data center. As we know, Amazon instances do fail checks from time to time, therefore we need to build our infrastructure with HA in mind. The idea is to have one VPN device in each availability zone, and if that VPN device fails, everything should still function. How can this be easily achieved? As far as I know there is no official documentation that states this. I am surprised that this high availability problem is common but nothing much was ever documented.
> With regards to the support options for Amazon installations the Bring Your Own License (BYOL) option provides support via Cisco TAC if there is a valid license file installed (this does not include the 60 day trial license):
What if I get the instance with the advanced license that comes with Amazon? Where would I be able to get support via Cisco TAC?
HA provided across a network segment within AWS is not a simple solution due to the restrictions that they place on the L2 segments. As an example, here is Amazon's suggestion for NAT HA:
With that said, we're working on documenting a solution that will work around some of the restrictions through overlaid connections. At a high level, one way that you can do this is with a couple of CSR1000Vs connected via a GRE tunnel over their Amazon segment. You then would have to set up BFD and configure an EEM script to watch for a peer down event. This script would then have to modify the AWS VPC Routing table (the VPC gateway) so that the hosts use the appropriate CSR as an exit point. The unfortunate piece is that from the CSR1000V we cannot call the AWS API directly, so this requires use of a second EEM script to SSH to a helper VM and execute the AWS VPC commands. Hopefully within the next couple of weeks we will have a configuration guide to step through the individual components, as there are many moving parts. At a high level, this solution was presented in the Cisco Live session BRKARC-2023; around slides 35-40 (Session PDF) are some of the network diagrams and an example of the EEM script.
With that said, another solution that you might consider is Cisco InterCloud:
This allows for a secure Layer 2 extension from your data center into the public cloud, which could remove some complexity in dealing with the AWS infrastructure. This solution is not one that would be for the one-off, single CSR type deployment; however, if you are looking at scale it could be a good alternative.
As for TAC support with the Advanced License, this is the hourly paid model that we have within Amazon. Support for this type of licensing is currently only offered through the support forum, however we are looking at other options that could allow direct TAC engagement on a case by case basis rather than a term license. Depending on where you are at with regards to your deployment it may be appropriate to engage your Cisco Account Team to help determine which solution is best for you. I can help track them down if you want to send me a private message.
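The helper-VM step described above (an EEM script that SSHes to a helper VM, which then changes the VPC route table), as an added example that is not part of the original thread or of Cisco's guide: a forced-command wrapper so the router's SSH key can only request a route change to one of two known interfaces. The route table ID, ENI IDs, script path and the `failover-to` request keyword are constructed placeholders, and it assumes the helper VM has the AWS CLI with credentials limited to replacing routes.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper on the helper VM
# that the router's EEM script reaches over SSH.
# authorized_keys entry for the router's key (key material elided):
#   command="/usr/local/bin/vpc-failover.sh",no-pty,no-port-forwarding,no-agent-forwarding ssh-ed25519 ... csr-eem
# Every ID and path here is a constructed placeholder.

ROUTE_TABLE_ID="rtb-0123456789abcdef0"   # placeholder VPC route table
DEST_CIDR="0.0.0.0/0"                    # route the hosts use to exit via a CSR
ENI_CSR1="eni-0aaaaaaaaaaaaaaa1"         # placeholder: CSR-1 inside interface
ENI_CSR2="eni-0bbbbbbbbbbbbbbb2"         # placeholder: CSR-2 inside interface

# Map the request string to a known ENI. Only two exact strings are accepted,
# so nothing the router sends is ever interpolated into a command line.
resolve_eni() {
  case "$1" in
    "failover-to csr1") printf '%s\n' "$ENI_CSR1" ;;
    "failover-to csr2") printf '%s\n' "$ENI_CSR2" ;;
    *) return 1 ;;
  esac
}

# Repoint the route at the surviving CSR. With DRY_RUN=1 (the default here)
# the AWS CLI call is printed instead of executed.
handle_request() {
  eni=$(resolve_eni "${1-}") || {
    printf 'vpc-failover: rejected request\n' >&2
    return 2
  }
  set -- aws ec2 replace-route \
    --route-table-id "$ROUTE_TABLE_ID" \
    --destination-cidr-block "$DEST_CIDR" \
    --network-interface-id "$eni"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sshd sets SSH_ORIGINAL_COMMAND to whatever the client asked to run.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
  handle_request "$SSH_ORIGINAL_COMMAND"
fi
```

With the forced command in place, a copy of the router's key taken from the EEM configuration gives no shell on the helper VM; the most it can do is switch the route between the two CSRs.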
I also have a requirement to implement this kind of HA. I found BRKARC-2023 most useful. I look forward to the forthcoming configuration guide but as an EEM script example is provided in the breakout I might just have a bash at testing this now.
It would be great if the Amazon folks could come up with a route table variant that could accept propagated routes from two sources and use a metric to decide which routes to install (hint hint) :-)
I also have a requirement to implement a kind of HA on the CSR in AWS. Can you explain to me how I can use an EEM script to change the VPC route table to point to the second CSR in the event that the first CSR is down?
My plan is to spin up another CSR-2 in a separate availability zone in AWS other than CSR-1 and get it ready with a public address and S2S VPN tunnel configuration with the same parameters as CSR-1 to the customer on it. On the customer side VPN tunnel, I will ask them to configure the CSR-2 public address as a secondary peer under the same VPN tunnel which is currently terminating on CSR-1. In the event of CSR-1 going down, the customer side VPN tunnel will try to negotiate phase 1 and phase 2 parameters with CSR-2, and the tunnel should come up on CSR-2.
The only thing which we have to move manually is the VPC route table pointing towards CSR-2, so that the traffic will be on CSR-2 both ways.
Do you have any suggestion on getting this done with an EEM script or automatically?
We have just completed a document that describes this process:
The section titled "VPC Gateway Redundancy" and the Appendices will be the most helpful for you. There is an example of the script, as well as sample configurations from the two devices configured with BFD.
Hopefully that helps you accomplish what you're after.
I would be happy to link up with you to discuss this offline.
I can't seem to find the private message function. Could you advise on how I can get there? Alternatively, you could PM me instead?