Cisco Router – Virtual Appliance Guide

ciscocisco-iosvirtual

My colleague said that it is possible to virtualize a Cisco router i.e. run the Cisco IOS inside ESXi and it would act like a real cisco router so thus can be used in a light production environment.

I was a bit skeptical about this and have tried to Google it. I also found to a Cisco IOS XRv 9000 Router. Though I am still not clear I understand this.

Is it possible to actually virtualize a Cisco router as a VM to use it as a router in a network to do things like static route, RIP etc?

Best Answer

The IOS XRv 9000 is probably a bit of an oddball - it's IOS-XR based. I never got round to get my hands on it or any other device running IOS-XR. That's carrier and service provider grade stuff, and my CCNA/CCNP SP career never quite took off.

You're probably looking for the Cisco CSR1000V, and yes, that's a perfectly "normal" IOS-XE based router in a VM shell.

It needs to be licensed by feature sets and desired throughput levels (from 10M to 10G). I comes in Xen, Hyper-V, KVM, ESXi and even AWS flavours, and has up to 8 virtual interfaces/vNICs, each of which can be run with 802.1q tagging, if the underlying hypervisor allows for it. It can do VRF-lite, MPLS, NAT, WaaS, QoS, IPSec, runs any routing protocol IOS-XE supports and can do ... possibly anything you can do with IOS-XE that does not require special hardware features. And none of these things need to be "lightweight".

IOS on an IOS-XE based router (such as the ISR4000 series) is nothing much more than an IOS environment on a well-hidden hypervisor. So why not run it on someone else's hypervisor, too?

I've been using CSR1000vs for uses cases like:

Router based CA for running a FlexVPN/IKEv2-DMVPN-alike IPSec WAN overlay with certificate authentication
internal-BGP route reflector for MPLS-VPN setups
FlexVPN Client to connect to financial service providers (instead of housing yet another 890 series)
or just a simple IPsec VPN peer for various needs of site-to-site connectivity
experimenting with IPv6 and NAT64

Related Solutions

Cisco VPNv4 Over eMPBGP – Comprehensive Guide

Wasn't able to resolve my issue.

Cisco router + cable modem – How to configure routing

I'm making some assumptions on your setup and how exactly your ISP is giving you these IPs, so if any of this is wrong I apologize and will happily change my answer

For your internal network I would suggest you setup a DHCP pool for your workstations and statically assign IPs to your servers. I'll leave the DHCP pool setup for you, as I think you're mainly aiming to make sure both public IPs are utilized by the proper networks.

i.e.
  172.16.1.0/24 for your workstations, with DHCP, assigned to VLAN10
  172.16.2.0/29 for your servers, statically assigned, on VLAN20

That all being said here is what I personally would try and setup to get your gear online.

int g0/0
  ip address dhcp

This will pull an IP from your modem and give it to your external port. I suspect it will be an ISP internal IP because I doubt they'd give your modem a publicly routable IP. That'd be weird.

In this scenario, you should not be manually inputting any default routes on your router as it should all be supplied from the DHCP pull.

int g0/1.10
  ip address 172.16.1.1 255.255.255.0
int g0/1.20
  ip address 172.16.2.1 255.255.255.248

This setups the internal gateways for your two networks. So all your workstations will be pointing to 172.16.1.1 and your servers to 172.16.2.1

After that you'll need to setup NAT rules on the router to handle passing of traffic outwards for your workstations.

int g0/0
  ip nat outside

This setups your external facing interface as your outside nat interface.

int g0/1.10
  ip nat inside

This setups your internal facing interface as an inside nat interface.

Router(config)# ip nat pool internet 128.66.0.2 128.66.0.2 prefix 24

Creates a NAT pool named internet being translated to one of your public IPs.

Router(config)# ip nat inside source list 7 pool name internet overload

This says to NAT all IPs in list 7 to the NAT pool you just created and that you can overload it. Which is to say more than one internal IP can use the same external IP.

Router(config)# access-list 7 172.16.1.0 0.0.0.255

Creates the list referenced in the previous command. Now onto NAT for your servers, which I suggest be statically assigned if you want them publicly available.

int g0/1.20
  ip nat inside

Same as before, this setups your internal interface as an inside NAT interface.

Router(config)# ip nat inside source static 172.16.2.(2-6) 128.66.1.(2-6)

A new line for each static assignment is needed. This creates a static translation between your internal IP and your external IP that was assigned to you.

As for your switch; all you would need to do is properly tag your ports depending on what is plugged in and make sure your trunk is passing both VLANs.

At this point both subnets should hitting your router, and your router should know where to pass the traffic, be it internally (your workstations getting to your servers) or externally (internet). Access control can either be setup with ACLs on the router, a stand-alone firewall, or firewalls on your servers.

Now this all hinges on how your ISP has your modem setup. If it works the way I think it works, when your external interface pulls it's information through DHCP, your router should populate both your public IP ranges so that when your router NATs it knows where to send your traffic.

I suspect someone will give a better written answer, but hopefully this points you in the correct direction.

I also referenced the following link for help on the NAT parts as they are definitely not something I play with very often.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Best Answer

Related Solutions

Cisco VPNv4 Over eMPBGP – Comprehensive Guide

Cisco router + cable modem – How to configure routing

Related Topic