
I'm trying to set up static routing between 2 Cisco CSR 1000v routers deployed on 3 VMs in AWS, but it doesn't work. I configured 2 interfaces on both routers correctly, but when I try to ping the Primary Network Interface of any of those VMs it is not reachable, even though it is written in the default routing. Here is the configuration I have made.

R1

  • Primary Network Interface: 172.31.0.5/28,
  • G1: 172.31.1.11/28,
  • G2: 172.31.1.46/28,
  • ip route 172.31.0.32 255.255.255.240 172.31.1.38 (to the R2)

After adding this ip route, I should be able to ping R2's interface G2, but I can't.

R2

  • Primary Network Interface: 172.31.0.37/28,
  • G1: 172.31.1.29/28,
  • G2: 172.31.1.38/28,
  • ip route 172.31.0.0 255.255.255.240 172.31.1.46 (to the R1)

After adding this ip route, I should be able to ping R1's interface G2, but I can't.

MLu
Khalil Mebarkia
  • I tried to do it using dynamic routing `router ospf 1` then `network 0.0.0.0 255.255.255.255 area 0` but still, I could not ping the interfaces either. – Khalil Mebarkia Nov 26 '18 at 16:58
  • The new [AWS Transit Gateway](https://aws.amazon.com/blogs/aws/new-use-an-aws-transit-gateway-to-simplify-your-network-architecture/) service announced at Re:Invent today may be of interest. It's basically a hub that you can attach VPCs from any account / region, VPNs, and in 2019 Direct Connect connections to. This could significantly simplify your architecture if it fits your use case. The pricing isn't announced, my guess is it will probably be cheaper than multiple CSRs. – Tim Nov 27 '18 at 04:27
  • @Tim I'd like to create a topology with IP routers where I can measure the loads of the links between these routers, whether they overload them or not. I'd like to study the loads where, let's say, these links have 1Gbps capacity and there is traffic around the network. Can AWS Transit Gateway help? – Khalil Mebarkia Nov 27 '18 at 12:33
  • If you're using Cisco features to do the measurement, then no. If you have instances measuring traffic in VPCs, then probably yes, but it depends. It's probably more useful for enterprise connectivity than experimental stuff. – Tim Nov 27 '18 at 18:50
  • @Tim the main objective here of this experiment is to have these measurements. I could use loads of the IP links to calculate QoS. However, measuring the traffic can be done also. – Khalil Mebarkia Nov 28 '18 at 08:44

1 Answer

First things first

  1. Have you got AWS Security Group configured correctly so that it permits non-restricted traffic between the two routers? E.g. are they both in the same Security Group with intra-SG traffic permitted? See e.g. this answer.

  2. Have you got Source/Dest Check disabled on both instances? By default AWS doesn't permit routing through EC2 instances (i.e. doesn't let in traffic for IPs other than the instance IPs) and you have to disable Source/Dest Check to make it work.

  3. Check AWS VPC Flow Logs to verify if there is any blocked traffic between the instances.

  4. Do you have a VPC NACL in place that perhaps prevents the instances from talking to each other?

Hope that helps :)

MLu
  • The security groups of my instances have the same configuration. The VMs have all traffic types, all protocols and all ports for the 1st security group, which is the default VPC security group. The second security group was generated by AWS Marketplace and is based on the recommended settings for Cisco Cloud Services Router (CSR) 1000V - AX Pkg. Max Performance version 16.9.1 provided by Cisco Systems, Inc.; it allows the SSH traffic type with TCP protocol, port range 22 and source 0.0.0.0/0. All the instances have the above-described security group configuration. – Khalil Mebarkia Nov 27 '18 at 14:12
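The checklist in the answer above, turned into something you can run offline against the JSON that `aws ec2 describe-instances`, `describe-security-groups` and `describe-network-acls` return. This is an added example, not code from the question, the answer or Cisco/AWS; the sample data is constructed to mirror the question's addresses, and every instance, ENI, security group and ACL id in it is made up. It also covers a detail the answer only implies: a CSR with three ENIs needs Source/Dest Check cleared on every ENI, and `modify-instance-attribute --no-source-dest-check` only touches the primary one. VPC Flow Logs (item 3) are not modelled here.

```python
"""Offline pre-flight checks for two EC2 instances used as routers.

Encodes the answer's checklist as functions over the JSON shapes the AWS
CLI returns.  All ids below are hypothetical; the addresses follow the
question (R1 primary 172.31.0.5, R2 primary 172.31.0.37, G2 interfaces
on 172.31.1.32/28).
"""
import ipaddress

# --- constructed sample data (as `aws ec2 describe-instances` would return) ---
INSTANCES = [
    {"InstanceId": "i-0aaaa000r1",
     "SecurityGroups": [{"GroupId": "sg-0default"}, {"GroupId": "sg-0csr"}],
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-0r1p",  "PrivateIpAddress": "172.31.0.5",  "SourceDestCheck": False},
         {"NetworkInterfaceId": "eni-0r1g1", "PrivateIpAddress": "172.31.1.11", "SourceDestCheck": True},
         {"NetworkInterfaceId": "eni-0r1g2", "PrivateIpAddress": "172.31.1.46", "SourceDestCheck": True}]},
    {"InstanceId": "i-0aaaa000r2",
     "SecurityGroups": [{"GroupId": "sg-0default"}, {"GroupId": "sg-0csr"}],
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-0r2p",  "PrivateIpAddress": "172.31.0.37", "SourceDestCheck": True},
         {"NetworkInterfaceId": "eni-0r2g1", "PrivateIpAddress": "172.31.1.29", "SourceDestCheck": False},
         {"NetworkInterfaceId": "eni-0r2g2", "PrivateIpAddress": "172.31.1.38", "SourceDestCheck": False}]},
]
SECURITY_GROUPS = {
    # default VPC SG: everything, but only from members of the same group
    "sg-0default": {"GroupId": "sg-0default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}], "IpRanges": []}]},
    # Marketplace SG for the CSR: SSH from anywhere, nothing else
    "sg-0csr": {"GroupId": "sg-0csr", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}
# A NACL with a deliberately planted egress deny towards R2's primary subnet.
NACL = {"NetworkAclId": "acl-0vpc", "Entries": [
    {"RuleNumber": 100,   "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",  "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 50,    "Protocol": "-1", "RuleAction": "deny",  "Egress": True,  "CidrBlock": "172.31.0.32/28"},
    {"RuleNumber": 100,   "Protocol": "-1", "RuleAction": "allow", "Egress": True,  "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",  "Egress": True,  "CidrBlock": "0.0.0.0/0"},
]}


def enis_with_source_dest_check(instance):
    """ENIs that still drop forwarded packets.  A router needs the check off on
    every ENI; the instance-level flag only covers the primary one."""
    return [e["NetworkInterfaceId"] for e in instance["NetworkInterfaces"] if e["SourceDestCheck"]]


def sg_permits_peer(sg, peer_sg_ids, peer_ip, proto="-1"):
    """True if an ingress rule of `sg` admits `proto` from a peer that carries
    one of `peer_sg_ids` or whose address falls in a listed CIDR."""
    ip = ipaddress.ip_address(peer_ip)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if any(p["GroupId"] in peer_sg_ids for p in perm.get("UserIdGroupPairs", [])):
            return True
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_verdict(acl, egress, peer_ip, proto="-1"):
    """NACLs are stateless and evaluated lowest rule number first; the first
    matching entry decides.  The implicit '*' rule (32767) is a deny."""
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted((e for e in acl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] in ("-1", proto) and ip in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"]
    return "deny"


def run_checks(instances, sgs, acl):
    """Return human-readable findings for the two-router setup; empty means clean."""
    findings = []
    for inst in instances:
        for eni in enis_with_source_dest_check(inst):
            findings.append(f"{inst['InstanceId']}: Source/Dest Check still on for {eni}")
    a, b = instances
    for src, dst in ((a, b), (b, a)):
        src_ids = {g["GroupId"] for g in src["SecurityGroups"]}
        src_ip = src["NetworkInterfaces"][0]["PrivateIpAddress"]
        dst_ip = dst["NetworkInterfaces"][0]["PrivateIpAddress"]
        if not any(sg_permits_peer(sgs[g["GroupId"]], src_ids, src_ip) for g in dst["SecurityGroups"]):
            findings.append(f"{dst['InstanceId']}: no SG rule admits traffic from {src['InstanceId']}")
        if nacl_verdict(acl, True, dst_ip) != "allow":
            findings.append(f"NACL {acl['NetworkAclId']} denies egress to {dst_ip}")
        if nacl_verdict(acl, False, src_ip) != "allow":
            findings.append(f"NACL {acl['NetworkAclId']} denies ingress from {src_ip}")
    return findings


def fix_commands(instances):
    """AWS CLI commands that clear Source/Dest Check on every flagged ENI."""
    return [f"aws ec2 modify-network-interface-attribute --network-interface-id {eni} --no-source-dest-check"
            for inst in instances for eni in enis_with_source_dest_check(inst)]


if __name__ == "__main__":
    for line in run_checks(INSTANCES, SECURITY_GROUPS, NACL) + fix_commands(INSTANCES):
        print(line)
```

On the constructed data this reports three ENIs with Source/Dest Check still on and the planted NACL egress deny towards 172.31.0.37, while the shared default security group passes because its intra-group rule covers both routers. Feed it the real `describe-*` output and the same four checks apply; the SSH-only Marketplace group on its own would fail the SG check, which is why sharing the default group (or adding an explicit intra-group allow) matters.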