Using CSR 1000v as VPN Relay in AWS

Hello

I'm trying to build a VPN relay between two Instances in AWS, using a 3rd instance running a pair of CSR routers, to overcome the limitation that I can't build a VPC GW from two instances within a region to the same VPN Device.

For that, I am planning to use sub-interfaces on one of the CSR ports and define them under different VRFs. However, for some reason the VPN doesn't seem to come up. Has anyone been able to deploy VPN using VRF (or VRF Lite) and sub-interfaces using the AWS model?

High level deployment model is below. Please let me know if you have any more questions or suggestions.

Thank you

Christopher Hocker
Cisco Employee

Hi Karthik,

I am not sure that sub-interfaces in a VPC will work. VPCs do not have the concept of VLANs. They do have subnets, and you can create multiple interfaces on a CSR using the AWS VPC console and assign each to a different subnet. These interfaces will appear on the CSR as gig1, gig2, etc.

I have tested a similar topology. If you are using BGP, be aware that most of the AWS regions use the same ASN (7224). BGP loop prevention will cause the VGWs to reject other VGW routes. If you are running CSR version 3.12, you can use the BGP as-override neighbor command to fix this. However, there are some regions that do not use 7224 and will still reject 7224 routes, and as-override will not help here.

Chris
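
The loop-prevention behaviour described in the reply above, as an added example that is not part of the original thread: a toy Python model of eBGP AS_PATH checking and of what as-override changes. The CSR ASN (65000), the stand-in ASN for a region that does not use 7224 (64512), and the `dst_also_rejects` parameter that models "will still reject 7224 routes" are assumptions made for illustration.

```python
# Toy model of eBGP AS_PATH loop prevention and the as-override behaviour.
AWS_ASN = 7224            # ASN the reply says most AWS regions use
CSR_ASN = 65000           # constructed private ASN for the CSR relay
OTHER_REGION_ASN = 64512  # constructed stand-in for a region not using 7224


def advertise(as_path, local_asn, neighbor_asn, as_override=False):
    """Return the AS_PATH the local router sends to an eBGP neighbor."""
    if as_override:
        # as-override: replace the neighbor's own ASN in the path with ours
        as_path = [local_asn if asn == neighbor_asn else asn for asn in as_path]
    # Normal eBGP behaviour: prepend the local ASN before sending
    return [local_asn] + as_path


def accepts(as_path, own_asn, also_rejects=()):
    """Loop prevention: drop a route whose AS_PATH contains a blocked ASN."""
    blocked = {own_asn, *also_rejects}
    return not blocked.intersection(as_path)


def relay(src_vgw_asn, dst_vgw_asn, as_override, dst_also_rejects=()):
    """Pass a route from one VGW through the CSR to another VGW.

    Returns (AS_PATH as sent by the CSR, whether the destination accepts it).
    """
    learned = [src_vgw_asn]  # path as the CSR received it from the source VGW
    sent = advertise(learned, CSR_ASN, dst_vgw_asn, as_override)
    return sent, accepts(sent, dst_vgw_asn, dst_also_rejects)


if __name__ == "__main__":
    cases = [
        ("7224 -> 7224, no as-override", relay(AWS_ASN, AWS_ASN, False)),
        ("7224 -> 7224, as-override", relay(AWS_ASN, AWS_ASN, True)),
        # Region with a different ASN that still rejects 7224 (assumed model):
        # as-override rewrites only the neighbor's ASN, so 7224 stays in the path.
        ("7224 -> other region, as-override",
         relay(AWS_ASN, OTHER_REGION_ASN, True, dst_also_rejects=(AWS_ASN,))),
    ]
    for label, (path, ok) in cases:
        print(f"{label}: AS_PATH={path} accepted={ok}")
```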
