Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Using CSR 1000v as VPN Relay in AWS


I'm trying to build a VPN relay between two Instances in AWS, using a 3rd instance running a pair of CSR routers, to overcome the limitation that I cant build a VPC GW from two instances within a region to the same VPN Device.


For that, I am planning to use sub-interfaces on one of the CSR port and define them under different VRFs. However, for some reason the VPN doesnt seem to come up. Has anyone been able to deploy VPN using VRF (or VRF Lite) and sub-interfaces using the AWS model?

High level deployment model is below. Please let me know if you have any more questions or suggestions


Thank you

Cisco Employee

Hi Karthik,I am not sure that

Hi Karthik,

I am not sure that sub-interfaces in a VPC will work. VPCs do not have the concept of VLANs. They do have subnets, and you can create multiple interfaces on a CSR using the AWS VPC console and assign each to a different subnet. These interfaces will appear on the CSR as gig1, gig2, etc.

I have tested a similiar topology. If you are using BGP, be aware that most of the AWS regions use the same ASN (7224). BGP loop prevention will cause the VGWs to reject other VGW routes. If you are running CSR version 3.12, you can use the BGP as-override neighbor command to fix this. However, there are some regions that do not use 7224 and will still reject 7224 routes, and as-override will not help here.


CreatePlease login to create content