A Cisco Catalyst 8000V on a $1/day AWS t3.medium instance gives you a production-grade hybrid cloud lab — IPsec VPN with BGP connecting your on-prem lab to AWS. No slides, no diagrams-only training. Real infrastructure, real routing.
This walkthrough covers the full build: VPC, subnets, C8000V deployment, IKEv2 IPsec tunnel, eBGP route exchange, and Transit Gateway multi-VPC extension.
## What You're Building
```
On-Prem Lab (CML/EVE-NG)      AWS Cloud
┌─────────────────────┐       ┌──────────────────────────────┐
│ CSR1000v / IOSv     │       │ VPC: 10.100.0.0/16           │
│ Loopback0: 1.1.1.1  │       │                              │
│ ASN 65001           │       │  ┌────────────────────────┐  │
│                     │◄──►   │  │ Catalyst 8000V (cEdge) │  │
│ Lab Prefix:         │ IPsec │  │ Public: 10.100.1.0/24  │  │
│ 192.168.0.0/16      │ +BGP  │  │ Private: 10.100.2.0/24 │  │
└─────────────────────┘       │  │ ASN 65002              │  │
                              │  └────────────────────────┘  │
                              │              │               │
                              │       Transit Gateway        │
                              │        ┌─────┴─────┐         │
                              │     VPC-A        VPC-B       │
                              │  10.200.0.0   10.201.0.0     │
                              └──────────────────────────────┘
```
eBGP exchanges routes dynamically between your physical lab and multiple AWS VPCs through Transit Gateway — the exact architecture used in enterprise hybrid cloud deployments.
## Prerequisites
- AWS account with payment method
- On-prem lab — CML, EVE-NG, or GNS3 with a router that supports IKEv2 + BGP
- Public IP on your lab network (or NAT traversal)
- Cisco Smart Account for BYOL licensing (free at software.cisco.com)
Total cost for a weekend lab session: $2–5.
## Step 1: Create the AWS VPC and Subnets
The VPC is your cloud-side network boundary — think of it as a VRF with a /16 address space.
```bash
# Create VPC
aws ec2 create-vpc --cidr-block 10.100.0.0/16 --tag-specifications \
  'ResourceType=vpc,Tags=[{Key=Name,Value=hybrid-lab-vpc}]'

# Public subnet for C8000V outside interface
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.100.1.0/24 \
  --availability-zone us-east-1a --tag-specifications \
  'ResourceType=subnet,Tags=[{Key=Name,Value=public-csr}]'

# Private subnet for workloads
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.100.2.0/24 \
  --availability-zone us-east-1a --tag-specifications \
  'ResourceType=subnet,Tags=[{Key=Name,Value=private-workload}]'

# Internet Gateway
aws ec2 create-internet-gateway --tag-specifications \
  'ResourceType=internet-gateway,Tags=[{Key=Name,Value=hybrid-lab-igw}]'
aws ec2 attach-internet-gateway --internet-gateway-id <igw-id> --vpc-id <vpc-id>

# Default route to IGW
aws ec2 create-route --route-table-id <rtb-id> \
  --destination-cidr-block 0.0.0.0/0 --gateway-id <igw-id>
```
### Cloud ↔ Cisco Translation Table
| AWS Concept | Cisco Equivalent |
|---|---|
| VPC (10.100.0.0/16) | VRF with a /16 address space |
| Subnet (10.100.1.0/24) | VLAN / SVI on a /24 segment |
| Route Table | Static routing table |
| Internet Gateway | Default route to upstream ISP |
| Security Group | Stateful ACL (auto-permits return traffic) |
| Network ACL | Stateless extended ACL |
| Elastic IP | NAT static translation |
## Step 2: Deploy Catalyst 8000V from AWS Marketplace
Search "Cisco Catalyst 8000V" in AWS Marketplace. Choose BYOL if you have a Smart Account license.
Instance config:
- Type: t3.medium ($0.042/hour, ~$1/day)
- VPC: hybrid-lab-vpc
- Subnet: public (10.100.1.0/24)
- Auto-assign Public IP: Disable (use Elastic IP instead)
Security Group rules:
| Type | Protocol | Port | Source |
|---|---|---|---|
| SSH | TCP | 22 | Your IP/32 |
| Custom UDP | UDP | 500 | Your public IP/32 |
| Custom UDP | UDP | 4500 | Your public IP/32 |
| Custom Protocol | ESP (50) | All | Your public IP/32 |
| ICMP | ICMP | All | 10.0.0.0/8 |
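Security groups drift as you troubleshoot, and a temporary "open UDP 4500 to everyone" tends to stick. As an added example (not from the original post), this Python check compares rules shaped like the `IpPermissions` list from `aws ec2 describe-security-groups` against the table above; the peer and admin addresses are placeholders, and the sample rule set is constructed, not captured from a real account.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions list returned by
# `aws ec2 describe-security-groups`; not captured from a real account.
PEER = "203.0.113.10/32"    # placeholder for your lab's public IP
ADMIN = "198.51.100.7/32"   # placeholder for your workstation's IP

SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ADMIN}]},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": PEER}]},
    # Deliberately wrong: NAT-T left open to the whole internet
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "50", "IpRanges": [{"CidrIp": PEER}]},   # ESP has no ports
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]

# The inbound rules the C8000V needs: (protocol, port) -> widest allowed source
EXPECTED = {
    ("tcp", 22): ADMIN,
    ("udp", 500): PEER,
    ("udp", 4500): PEER,
    ("50", -1): PEER,
    ("icmp", -1): "10.0.0.0/8",
}


def audit_sg(rules, expected=EXPECTED):
    """Compare live rules with the plan; an empty list means the group is as designed."""
    findings, seen = [], set()
    for rule in rules:
        key = (rule["IpProtocol"], rule.get("FromPort", -1))
        for rng in rule.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if key not in expected:
                findings.append(f"unexpected rule {key} from {src}")
                continue
            seen.add(key)
            allowed = ipaddress.ip_network(expected[key])
            # A source broader than planned (e.g. 0.0.0.0/0) exposes IKE/SSH to everyone
            if not src.subnet_of(allowed):
                findings.append(f"{key} open to {src}, expected {allowed}")
    for key in sorted(expected.keys() - seen):
        findings.append(f"missing rule {key}")
    return findings
```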
After launch:
- Attach a second ENI in the private subnet (gives you GigabitEthernet1 + GigabitEthernet2)
- Assign an Elastic IP
- SSH in:

  ```bash
  ssh -i your-key.pem ec2-user@<elastic-ip>
  ```
Cost tip: Stop the instance when not labbing. Stopped = $0 compute. You only pay ~$0.64/month for the 8 GB EBS volume.
## Step 3: Configure the IPsec VPN Tunnel
IKEv2 with pre-shared key. Swap to certificates for production.
Cloud side (Catalyst 8000V):
```
crypto ikev2 proposal HYBRID-LAB
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! A proposal is only used when an IKEv2 policy references it; without this
! block the router negotiates with the default policy and default proposal.
crypto ikev2 policy HYBRID-LAB
 proposal HYBRID-LAB
!
crypto ikev2 keyring ONPREM-KEY
 peer ONPREM
  address <your-public-ip>
  pre-shared-key Str0ngP@ssw0rd!
!
crypto ikev2 profile HYBRID-LAB
 match identity remote address <your-public-ip> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ONPREM-KEY
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile HYBRID-LAB
 set transform-set AES256-SHA256
 set ikev2-profile HYBRID-LAB
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination <your-public-ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HYBRID-LAB
```
On-prem side (CML/EVE-NG router):
```
! Same proposal and policy as the cloud side, so IKE_SA_INIT agrees on
! AES-256 / SHA-256 / DH group 14 instead of relying on platform defaults.
crypto ikev2 proposal HYBRID-LAB
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy HYBRID-LAB
 proposal HYBRID-LAB
!
crypto ikev2 keyring AWS-KEY
 peer AWS
  address <elastic-ip>
  pre-shared-key Str0ngP@ssw0rd!
!
crypto ikev2 profile HYBRID-LAB
 match identity remote address <elastic-ip> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AWS-KEY
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile HYBRID-LAB
 set transform-set AES256-SHA256
 set ikev2-profile HYBRID-LAB
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination <elastic-ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HYBRID-LAB
```
Verify:
```
Router# show crypto ikev2 sa
Tunnel-id  Local              Remote            Status
1          10.100.1.x/500     <your-ip>/500     READY

Router# ping 172.16.0.2
!!!!!
Success rate is 100 percent (5/5)
```
## Step 4: Configure BGP Over the VPN
Static routes work, but BGP is how production hybrid clouds exchange routes. Add a VPC or lab segment → routes propagate automatically.
Cloud side:
```
router bgp 65002
 neighbor 172.16.0.2 remote-as 65001
 !
 address-family ipv4
  network 10.100.0.0 mask 255.255.0.0
  network 10.100.2.0 mask 255.255.255.0
  neighbor 172.16.0.2 activate
 exit-address-family
!
! Null0 route puts the /16 aggregate in the RIB so BGP will originate it
ip route 10.100.0.0 255.255.0.0 Null0
```
On-prem side:
```
router bgp 65001
 neighbor 172.16.0.1 remote-as 65002
 !
 address-family ipv4
  ! Without "mask" IOS applies the classful /24, so the lab /16 would never be advertised
  network 192.168.0.0 mask 255.255.0.0
  neighbor 172.16.0.1 activate
 exit-address-family
!
ip route 192.168.0.0 255.255.0.0 Null0
```
Verify:
```
Router# show bgp ipv4 unicast summary
Neighbor        V    AS  MsgRcvd  MsgSent  Up/Down   State/PfxRcd
172.16.0.2      4  65001      15       17  00:05:32             1

Router# show ip route bgp
B    192.168.0.0/16 [20/0] via 172.16.0.2, 00:05:32
```
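The last column of the summary is doing double duty: a number means the session is Established and that many prefixes were received, anything else is the BGP FSM state. As an added example (not from the original post), this Python check parses a constructed `show bgp ipv4 unicast summary` in the full IOS column layout and maps each outcome to the likely cause from the troubleshooting list; the second peer and its AS are assumed, added only to show the stuck-in-Active case.

```python
import re

# Constructed sample of `show bgp ipv4 unicast summary` on the C8000V. The first
# peer is the on-prem router from this lab; the second is an assumed extra peer
# left stuck in Active so the failure case is visible.
SAMPLE_SUMMARY = """\
BGP router identifier 10.100.1.10, local AS number 65002
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.16.0.2      4        65001      15      17        3    0    0 00:05:32        1
172.16.0.6      4        65003       0       0        1    0    0 never    Active
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_bgp_summary(text):
    """Map each neighbor to its AS, uptime and session state.

    IOS prints a prefix count in the last column only once the session is
    Established; any other value there is the FSM state (Idle, Active, ...).
    """
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not IPV4.match(fields[0]):
            continue  # banner and header lines
        last = fields[-1]
        peers[fields[0]] = {
            "asn": int(fields[2]),
            "up_down": fields[-2],
            "state": "Established" if last.isdigit() else last,
            "pfx_rcd": int(last) if last.isdigit() else None,
        }
    return peers


def bgp_findings(peers, expected):
    """Check parsed peers against {tunnel_peer_ip: remote_as} from the design."""
    findings = []
    for nbr, asn in expected.items():
        p = peers.get(nbr)
        if p is None:
            findings.append(f"{nbr}: no such neighbor; the address must equal the remote tunnel IP")
        elif p["asn"] != asn:
            findings.append(f"{nbr}: remote-as is {p['asn']}, design says {asn}")
        elif p["state"] != "Established":
            findings.append(f"{nbr}: stuck in {p['state']}; check Tunnel0 is up/up and TCP 179 is not filtered")
        elif p["pfx_rcd"] == 0:
            findings.append(f"{nbr}: Established but 0 prefixes received; check the peer's network statement and mask")
    return findings
```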
Critical AWS step: Update the VPC route table to point on-prem prefixes to the C8000V's ENI, and disable source/dest check:
```bash
aws ec2 create-route --route-table-id <private-rtb-id> \
  --destination-cidr-block 192.168.0.0/16 \
  --network-interface-id <c8000v-private-eni-id>

aws ec2 modify-instance-attribute --instance-id <instance-id> \
  --no-source-dest-check
```
## Step 5: Extend to Transit Gateway (Multi-VPC)
This is where it goes from demo to enterprise architecture. TGW centralizes routing between your transit VPC and additional spoke VPCs.
```bash
# Create Transit Gateway
aws ec2 create-transit-gateway --description "hybrid-lab-tgw" \
  --options "AmazonSideAsn=64512,AutoAcceptSharedAttachments=enable,DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable"

# Create spoke VPCs
aws ec2 create-vpc --cidr-block 10.200.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=spoke-vpc-a}]'
aws ec2 create-vpc --cidr-block 10.201.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=spoke-vpc-b}]'

# Attach all three VPCs to TGW
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <tgw-id> \
  --vpc-id <transit-vpc-id> --subnet-ids <public-subnet-id>
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <tgw-id> \
  --vpc-id <spoke-vpc-a-id> --subnet-ids <spoke-a-subnet-id>
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id <tgw-id> \
  --vpc-id <spoke-vpc-b-id> --subnet-ids <spoke-b-subnet-id>

# Static route for on-prem reachability via TGW
aws ec2 create-transit-gateway-route --transit-gateway-route-table-id <tgw-rtb-id> \
  --destination-cidr-block 192.168.0.0/16 \
  --transit-gateway-attachment-id <transit-vpc-attachment-id>
```
Traffic flow from Spoke VPC-A to on-prem:
Spoke VPC-A → TGW → Transit VPC → C8000V → IPsec Tunnel → On-prem router → Lab network
This is the same flow used in production Cisco SD-WAN Cloud OnRamp deployments.
## Cost Breakdown
| Resource | Running Cost | Stopped Cost |
|---|---|---|
| t3.medium (C8000V) | $0.042/hr (~$1/day) | $0/hr |
| EBS gp3 (8 GB) | $0.064/month | $0.064/month |
| Elastic IP (attached) | $0.005/hr | $0.005/hr |
| Data transfer (first 100 GB) | Free | — |
| TGW attachment | $0.05/hr per attachment | — |
A typical weekend session (16 hours) costs ~$1.35. Cheaper than a coffee.
Cost-saving tips:
- Stop when not labbing — $0 compute cost
- Spot Instances — 60–90% cheaper for non-persistent sessions
- BYOL licensing — free Smart Account eval license
- Tear down TGW attachments after each session
## Common Troubleshooting
IPsec tunnel won't come up:
- Security group missing UDP 500/4500 or ESP (protocol 50)
- ISP blocking outbound ESP → use NAT-T (UDP 4500)
- Elastic IP not associated to GigabitEthernet1
BGP stuck in Active:
- Tunnel interface must be up/up first
- Neighbor address must match remote tunnel IP exactly
- No ACL blocking TCP 179 on the tunnel
Can't reach spoke VPC instances from on-prem:
- Source/dest check not disabled on C8000V
- Spoke VPC route table missing 192.168.0.0/16 → TGW route
- Spoke instance security groups not allowing ICMP from 192.168.0.0/16
Originally published at firstpasslab.com. More deep dives on network engineering at FirstPassLab.
AI Disclosure: This article was adapted from the original with AI assistance. All technical content has been reviewed for accuracy.