CSR 1000V works flawlessly, but beware of hardware requirements, licensing issues
The Cisco CSR 1000V router is designed for enterprise network managers who want to have a little piece of their Cisco infrastructure in the cloud.
Whether that's for firewalling, VPN or dynamic routing — the CSR 1000V supports all major technologies in IOS -- the idea is that a virtual router gives the network manager the flexibility to enforce policy, connect or provide high availability using familiar Cisco tools and technologies.
We tested the CSR 1000V, a full-featured IOS XE router running v3.8S of XE in a VMware-compatible virtual machine. Does it work? Yes, in fact, it works just fine. It works great, actually.
In our functional testing, the CSR 1000V met all the requirements we'd expect for this type of environment. We tried bringing up VPN connections, defining firewall and NAT rules, and running both OSPF and BGP routing protocols. We set up two CSR 1000V virtual machines on two different hosts, and used HSRP to failover between them. We exercised both IPv4 and IPv6, and we tested management with Cisco's ever-popular command line, as well as SNMP monitoring and remote SYSLOG logging.
With thousands of pages of IOS documentation, we may not have scratched the surface of full functional testing, but certainly the key features that we think most enterprise network managers will want are all in place and working just fine.
Virtualization alphabet soup
The version of the CSR 1000V we tested is only supported on VMware's ESXi 5 infrastructure. We looked at an early release version; Cisco told us that the virtual appliance should be available to all customers around March. At that time, IOS XE will be upgraded to v3.9. Cisco is also predicting that it will support Amazon Web Services (based on Citrix's XenServer hypervisor technology) and Red Hat KVM with the v3.10 release of the CSR 1000V in July. Microsoft's Hyper-V isn't on Cisco's public road map, at least not yet.
Running the CSR 1000V is not for the faint of heart. We started out with the idea that we'd put it on our test VMware farm, which was running older servers with vSphere v4. In years of testing, that's never given anyone a problem — until Cisco came along.
The CSR 1000V not only requires vSphere v5, but also has very strict hardware requirements, including a minimum of four physical (not virtual, but physical) cores, all in the same socket, dedicated to the CSR 1000V without any sharing, 4GB of memory, and Intel Nehalem or newer CPUs. Don't follow the specifications, and you've got a crashing CSR 1000V, which isn't much fun.
Cisco told us that it is considering allowing future versions of the CSR 1000V to share CPUs with other virtual machines, but the version we tested doesn't have that option: Four CPU cores had to be exclusively dedicated to the CSR 1000V.
Compared to alternative software router technologies, the CSR 1000V is fairly heavyweight. The requirement for so many physical cores and the newer CPUs may limit the options for deploying CSR 1000V in clouds running older hardware or ones without quad-core CPUs.
We looked at performance on the CSR 1000V and found that it meets its requirements, but they're pretty modest. Cisco technical staff told us that they've gotten up to 1Gbps out of the CSR 1000V, but the official data sheet cuts that number considerably, to 50Mbps. Cisco told us to expect higher throughput (in the 1Gbps range, depending on hardware, of course) in future versions later in 2013.
Cisco may be shooting low here for some reason, but we think that network managers might be disappointed with this level of performance in cloud deployments. After all, one of the reasons for using cloud service providers is to get extra bandwidth at lower cost. The performance we saw would be fine for typical management and off-site database applications, but you wouldn't want to put the CSR 1000V in front of an Internet-facing Web server unless the bandwidth requirements were very low.
With the CSR 1000V in pure routing mode and sending and receiving packets from external devices outside of the VMware environment, we were able to push about 48Mbps through it before it started dropping packets, just about hitting that 50Mbps number. While the overall system CPU wasn't really breaking a sweat at that level, one of the four cores was flat-lined at nearly 100%. Either Cisco is wasting cycles as part of its bandwidth cap, or the virtual appliance was topped out. We confirmed this suspicion by turning on firewall and NAT features, and got the same within-data-sheet performance, although with a higher CPU load spread across more cores.
We validated that the VMware hardware we were using (a Dell R610 server) was not the problem by loading up the open source Vyatta router on the same hardware and pushing a hefty 500Mbps (input) through the hardware, using only a single CPU core and a single external Gigabit Ethernet port. We also tested the CSR 1000V and the Vyatta router on Cisco's own UCS Express hardware, with the same results.
With Cisco pushing the AppNav-XE technology into the CSR 1000V, the low throughput may inhibit adoption in Internet-facing applications.
AppNav is Cisco coming backward into the load balancer world — no one wants to compete head-on with F5, not even Cisco — with a coordinated technology that handles distribution of traffic from the WAN into application servers, such as instant messaging, file sharing, Web traffic and Microsoft Exchange.
AppNav is officially "complementary" to Cisco's older WCCP (Web Cache Communication Protocol), the much-maligned load distribution and redirection technology Cisco took on when it purchased ArrowPoint Communications in 2000. But many network managers will discover that with AppNav they can do away with ugly and complicated WCCP deployments.
We successfully built a small AppNav deployment, putting the CSR 1000V in front of two other virtual machines running Web services and found it easy to put together with ample documentation — but we didn't stress AppNav's configuration capabilities or try and scale up because of the 50Mbps limit on the CSR 1000V.
For years, IOS users have gotten away with simple and non-intrusive licensing models from Cisco. The CSR 1000V tries to keep a fairly lightweight licensing model, but there's no question that Cisco is not giving this virtual hardware away. Starting with the March release, you'll be able to license the appliance on a term basis. This means that you have to buy a one-, three- or five-year license, and when that license expires, the CSR 1000V throttles traffic down to 2.5Mbps.
To lock down the CSR 1000V virtual machine as much as possible, Cisco has built a licensing scheme that requires a different license for each virtual machine. Although you can vMotion the CSR 1000V all over your network without requiring a new license, you can't just clone a legal CSR 1000V to get a second CSR 1000V appliance -- you must pay for and apply a different license to the cloned VM.
Network managers looking for high availability can either use the built-in high-availability features of VMware to resurrect a single CSR 1000V, if the host hardware fails, or can use Cisco's own HSRP to keep two (or more) legally licensed CSR 1000Vs alive all the time. Or both.
Overall, Cisco has come to a reasonable approach to keep its intellectual property intact. And network managers intent on using the CSR 1000V for their CCIE study labs shouldn't fear, as the CSR 1000V has a 60-day evaluation mode that doesn't require a license.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.
In what may be a first for the technology industry, RSA Conference 2015 next month apparently will be...
Website password strength meters, like a spouse asked to assess your haircut or outfit, often tell you...
With all the public cloud storage offerings on the market today, many vendors just want customers to...
Sponsored by AT&T
Sponsored by Brocade
Investors made a crowd around the cloud this week, investing $175 million in companies focused on...
The SDN project now has a security response team to quickly handle new vulnerability reports
Here's how many cybersecurity entry-level job seekers fail to make a great first impression.
As CIOs become overwhelmed by IT demands, chief data officers (CDOs) are stepping in to serve as a...