← Back To List

How to run a Cisco router on AWS

Running a cloud router

Don’t want to bother with hardware procurement and maintenance? There are plenty of cloud solutions nowadays.

Today let’s dive in the steps to run a Cisco router on AWS.

Cisco Cloud Services Router (CSR) 1000V is an Enterprise-class VPN solution in AWS for many years.

Below graph shows that CSR 1000V typically requires two network interfaces, one facing public subnet, the other one facing private subnet.

We will associate an Elastic IP with the public-facing network interface, which will be the endpoint for peer.

The private-facing network interface will receive traffic routed by other internal servers, then the traffic will be encrypted in the Cisco router and routed out to the peer’s VPN gateway.


First, let’s have a look at the prerequisites.

We need to have a VPC and two subnet. If you are starting from zero, then it’s time to create those and come back for the next steps.

Steps to add a CSR instance

  1. go to AWS marketplace and search for “Cisco CSR 1000V”
  2. On the CSR 1000V product page, click the ‘Continue’ button.
  3. Complete the deployment of a CSR 1000V AMI: Select the correct version and region, and click the ‘Continue to launch through EC2’ button.
  4. The Launch Instances Wizard will open. Select the desired instance type: by default a bigger instance is selected, for testing purpose, we choose the smallest instance available, which is t2.medium at the moment.
    Select an existing key pair to use for authentication, or create a new key pair. If you create a key pair, make sure to download and save the private key.
  5. Select VPC environment in the ‘Network’ pull-down menu.
  6. Select an IP subnet for the first CSR 1000V network interface in the ‘Subnet’ pull-down menu.
  7. Select an Security group.
  8. Add any additional network interfaces, and select the appropriate subnet for each to connect to.
  9. Click ‘Review and Launch’, if the information is correct, click ‘Launch Instances’.
  10. From the AWS Console, wait for your instance to indicate a state of ‘running’. It may take a few moments after that point, before you can connect to your CSR 1000V instance. Connect to your instance using an SSH client, and the private SSH key selected or created earlier in these steps. Example: ssh -i mykeypair.pem ec2-user@myhostname.compute-1.amazonaws.com
  11. Allocate an Elastic IP and associate it with the first (default) network interface of the CSR 1000V.
  12. Once SSH has connected, you should be at the IOS XE command prompt on the CSR 1000V. Now we can configure this instance.

Configure CSR instance

By default, the “show running-config” displays interfaces like below:

interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
interface GigabitEthernet2
 no ip address
 negotiation auto

Note that we will not see the EIP(Elastic IP) we associated to the first interface(interface GigabitEthernet1), nor will we see the local IP This is something we need to keep in mind, although the configuration does not show those IPs, they still exists.

We can see local IP when using command to display the details of the first interface.

ip-192-168-1-100#show interfaces gigabitEthernet 1
GigabitEthernet1 is up, line protocol is up
  Hardware is CSR vNIC, address is 02c5.fde2.baec (bia 02c5.fde2.baec)
  Internet address is

As for the 2nd interface (interface GigabitEthernet2), no IP is configured and interface is down.

Let’s configure IP for GigabitEthernet2

ip-192-168-1-100#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ip-192-168-1-100(config)#interface gigabitEthernet 2
ip-192-168-1-100(config-if)#ip address
ip-192-168-1-100(config-if)#ip nat inside
ip-192-168-1-100(config-if)#no shutdown

Then we check again the status of GigabitEthernet2 :

ip-192-168-1-100#sho run interface  GigabitEthernet2
 ip address
 ip nat inside
 negotiation auto

We can also test the connection from Cisco router to private host

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

Voila! We have a running Cisco router on the cloud.

Cost Saving

Always purchase a yearly software contract if it’s available.

With contract, the yearly Cisco software cost is $2,285.73.

Without contract, the software cost is $0.64/hour (+ $0.046 EC2/hour), which makes $5,530 per year (2 times of yearly software contract).

Below is a screenshot of what the interface may looks like.


  1. Software contract is not available in all geo locations
    From AWS market place, the latest version is 17.03.08a and they still offer yearly software contract, which will cost $2k+ for one year.
    However, in reality, Cisco has restricted yearly offer to limited GEO locations, neither Cisco nor AWS displays on the product page where are the available geo locations.
    From our own lesson learned in a hard way, Switzerland is not in their allowed GEO location, therefore only hourly charging model is available for us.
  2. EOS of CSR 1000V
    According to a Cisco Community post and an End-of-Sale and End-of-Life announcement on the Cisco website, Cisco will no longer offer the “Cisco Cloud Services Router (CSR) 1000V” product line.
    The End-of-Sale date was December 16, 2022, and the End-of-Life date is December 16, 2025.
    This means that the product is no longer for sale and will not be supported beyond the End-of-Life date. Customers who have already purchased the product will continue to receive support until the End-of-Life date, and Cisco may offer replacement or alternative products.

Cisco is advocating for the next generation Catalyst 8000V to replace CSR 1000V. Yes, maybe the new one is more powerful and all better and shining, but the cost will be $8K+ yearly even with yearly contract!

Does it worth it? Knowing that a well-rounded Cisco router only cost around $1700, it lasts for years(until you decide to change). Of course, it means you need to host it in a data center. There will be hosting fee and you are responsible for the hardware maintenance. Depends on your priority, on-premise solution may turn out to be the best.




← Back To List