The Cloud Services Router 1000v (CSR) is one of Cisco's best kept secrets in the routing and security space. The CSR is an incredibly powerful product that's flexible, adaptable and offers almost limitless functionality at a very low price point. In some cases, this router will cost less to license than the ongoing support costs of the traditional router that it could replace. While infrequently positioned in these roles by VARs and account teams, the CSR is surprisingly capable. In this blog post, we will review the advantages and limitations of the CSR based on our experience using it on the routing and security side of the business, although it's also starting to be used for some Unified Communications related roles.
The CSR is a virtual machine that can be deployed on all common virtualization platforms (ESXi, Hyper-V, Xen, KVM), as well as purchased by the hour on the Amazon AWS cloud. It's effectively an ASR router without hardware acceleration and runs IOS-XE. It can be licensed for 1- and 3-year terms or permanently. Licensing is based on both required throughput and feature sets. One of the great advantages of the CSR is its ability to leverage existing investment in servers and other hardware. When you handle routing using a virtual machine, you can take advantage of redundancy both in individual servers and in your virtualization environment. Licenses are not tied to a specific host, and virtual machines can be moved to different physical hosts as required. This is an existing and required investment in most enterprise environments, which can be leveraged to increase the robustness of your routing equipment without additional costs.
We have used the CSR in a variety of routing roles: internal routing for special projects and network segments, managing access to customer environments and, most significantly, as a DMVPN hub router. It's possible to deploy the router on AWS, where it can serve as a VPN router to connect your cloud resources to your internal network as you would any other site. The CSR is also an excellent tool for lab work. You can issue trial licenses from the Cisco licensing portal and build out significant lab environments with it. Older versions of the CSR included a bandwidth-limited trial period that did not require self-servicing a trial license. A related tool, VIRL, gives you the ability to build complete lab environments for a fairly modest license fee. This can be useful for simulations and training, as well as lab usage. For larger enterprise needs CML is also available, though at a notably higher price point.
The CSR is not without its limitations. First and foremost, you cannot live-migrate (vMotion or similar) or suspend a running VM. When it resumes, most but not all functionality will work correctly; however, there can be some very unusual exceptions. We recently saw a vMotioned CSR see inbound traffic delayed by 16 seconds on one of four interfaces. All other aspects of the router appeared to be operating correctly, and it was very difficult to diagnose the issue. To be clear, there are no licensing restrictions on moving a CSR; this is only an operational limitation.
It's very important to keep track of your licensing status and to renew your licenses at the right time. Another significant issue on the VMware platform is how 802.1q trunks are handled with the standard vSwitch. If you want to deliver VLANs to the router using a trunk port, you cannot limit which VLANs are presented to the router: all VLANs present on the vSwitch will be accessible to the CSR. Limiting VLANs requires you to use the distributed vSwitch or another vSwitch like the Nexus 1000V Switch for vSphere. If you do not trust the CSR to have access to all the different networks that are available on your vSwitch, you will need to allocate individual VLANs to interfaces on the switch.
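The trunk exposure described above can be checked against an inventory of port groups. This is an added example, not part of the original post: the inventory, port group names and VLAN numbers are constructed, and it assumes the VMware convention that a standard vSwitch port group with VLAN ID 4095 passes all tagged VLANs to the guest.

```python
# Added example: which VLANs can a router VM reach, and which were not intended?
TRUNK_ALL = 4095  # standard vSwitch port group VLAN ID that passes every tagged VLAN

# Constructed inventory: (vSwitch, port group, VLAN ID). Names are hypothetical.
PORT_GROUPS = [
    ("vSwitch0", "Mgmt", 10),
    ("vSwitch0", "Servers", 20),
    ("vSwitch0", "PCI-DB", 30),
    ("vSwitch0", "CSR-Trunk", TRUNK_ALL),
    ("vSwitch1", "DMZ", 100),
    ("vSwitch1", "Partner-VPN", 110),
]


def exposed_vlans(port_groups, attached):
    """Return the set of VLANs reachable through the attached port groups."""
    by_name = {name: (vsw, vlan) for vsw, name, vlan in port_groups}
    exposed = set()
    for name in attached:
        if name not in by_name:
            raise ValueError(f"unknown port group: {name}")
        vsw, vlan = by_name[name]
        if vlan == TRUNK_ALL:
            # A trunk on a standard vSwitch cannot be pruned, so the VM is
            # treated as seeing every VLAN defined on that vSwitch.
            exposed |= {v for s, _, v in port_groups
                        if s == vsw and v != TRUNK_ALL}
        else:
            exposed.add(vlan)
    return exposed


def audit(port_groups, attached, intended):
    """Compare reachable VLANs with the VLANs the router is meant to serve."""
    exposed = exposed_vlans(port_groups, attached)
    wanted = set(intended)
    return {
        "exposed": sorted(exposed),
        "unintended": sorted(exposed - wanted),
        "missing": sorted(wanted - exposed),
    }


if __name__ == "__main__":
    # Trunked vNIC: VLAN 30 is reachable although only 10 and 20 were wanted.
    print(audit(PORT_GROUPS, ["CSR-Trunk"], [10, 20]))
    # One vNIC per VLAN: exposure matches intent exactly.
    print(audit(PORT_GROUPS, ["DMZ", "Partner-VPN"], [100, 110]))
```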
In current versions, if your time-based license expires, the router immediately stops processing traffic. There have also been some substantial changes in how the product is licensed that can create issues when upgrading the license. This shouldn't impact people buying today, but it's something to be aware of if you are upgrading from the old standard / advanced / premium model to Base / Sec / AppX / AX. Be sure to upgrade to the most recent stable version before transitioning between different license types. There is increasing use of the CSR for Unified Communications; however, there are also some severe limitations in the available functionality. This is an area where the product is evolving, and we have seen and expect to see more UC features made available over time.
If you are interested in learning more about our network and security solutions or in sharing your own experiences with the CSR, or simply have questions about whether the CSR may be suitable for your environment, be it for flexibility or cost savings, feel free to send us a comment or reach out. We look forward to hearing from you.