
Optimizing and Orchestrating End-Users’ Connections to Public and Private Clouds in a SASE World
Ryan Shoemaker, Technical Solutions Architect
CCIE 7405
@ersatzshoe

BRKENT-2006
Agenda

• Introduction to SASE
• SD-WAN Extension into Public Clouds
• SD-WAN and SSE
• Remote Workforce
• Conclusion

BRKENT-2006 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction to Secure Access Services Edge (SASE)

Historic traffic flows
Led to the age of perimeter-based security and networking
Diagram: centralized network with a single on-premise security stack at HQ; branch offices connect over MPLS, roaming/mobile users over VPN, and all traffic passes through HQ to reach the Internet. Traffic mix at both branch and HQ: Internal 80%, Internet 20%.
Changes in the types of traffic and destinations
Have inverted the traffic model
Diagram: destinations are now SaaS, IaaS, private cloud and general browsing on the Internet; the traffic mix at both branch and HQ has flipped to Internal 20%, Internet 80%, and the centralized security stack becomes a bottleneck.
Problems:
• App performance
• User experience
• Security efficacy
• # Tools/vendors
• Integrations
Network transformation
Transition from a DC-centric topology to one that’s cloud ready
Diagram: DC-centric design with perimeter security appliances protecting the network over MPLS and VPN, versus a cloud-enabled design where Internet, private apps and SaaS are reached through SASE.
Cisco Digital Transformation Architecture
Diagram: Worker/Location connects through SD-WAN and SSE, across a middle-mile partner, to the Secure Access Services Edge provider and on to the private DC, IaaS, Internet and SaaS, with end-to-end visibility.
Reduce cost: Improve OpEx with circuit consolidation and consolidation of UI touchpoints
Improve user experience: Bring services closer to the user, leveraging middle mile partnerships and password-less authentication to optimize connections
Minimize risk: Decryption and inspection addressing data loss, leveraging a true Zero Trust approach across the IT diameter
Branch User Extensions into Public and Private Clouds

Cloud Edge Workflows – From Here
Diagram: branch worker at a branch on the SD-WAN fabric, whose edge router runs ZBFW, IPS, AMP, URL Filtering and TLS Proxy; Internet-bound traffic goes via Cloud Security (DNS/CBFW/SWG/DLP/CASB/RBI) to SaaS, while IaaS and the private DC/Data Center are reached across the fabric.
Cloud Edge Workflows – To Here
Diagram: the inspection functions (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security) move from the branch router into SSE; branch worker and branch stay on the SD-WAN fabric, with Internet and SaaS reached via SSE and IaaS and the private DC/Data Center across the fabric.
Extensions to the Public Cloud

Improving Public Cloud Access
Diagram: Bob at a branch on the SD-WAN fabric reaches Azure IaaS, AWS IaaS and GCP IaaS as well as the private DC/Data Center, while Internet and SaaS flows go via SSE (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security).
Traditional Cloud Service Provider Access
Diagram: branch worker at a branch and the data center use the SD-WAN over the Internet to reach a CSP Gateway in Region 1 and a CSP Gateway in Region 2; the regions are joined by the CSP backbone, and IaaS workloads sit behind each gateway.
Virtual Routers in CSPs extend SD-WAN
Diagram: an SD-WAN vRouter is deployed in each CSP region (Region 1, Region 2) and joins the fabric that connects branches and the data center over MPLS and Internet; the CSP backbone links the regions.
Benefits:
- Simplified control plane (SD-WAN vRouter integration)
- One management plane to connect in CSP locations
Challenges:
- How to instantiate vRouter? Use Marketplace?
- How to connect to SD-WAN mgmt plane?
- How to connect hosts at CSP to vRouter?
- How to define routing protocol?
- How to extend segmentation strategy?
Orchestrating SD-WAN into Public Clouds
Cisco’s Approach
Diagram: branch and data center on the SD-WAN fabric (MPLS and Internet) extended into AWS, Azure and GCP.
Benefits
• Automate SD-WAN fabric into CSPs
• Extend policy framework into cloud
• Unify control plane for dynamic routing
• Simplify operations with one management plane
• Enhance visibility for devices and circuits
• Integrate multiple cloud providers
CSP Connections with the Cloud GW
Automating AWS Transit GW Integration
Diagram: Cisco automation builds a Transit VPC in CSP Region 1 containing a Transit Gateway (TGW) and a pair of Cloud Gateway routers (CGW); host VPCs Prod, Dev and Demo attach to the TGW. Branch users Bob and Stuart and the data center reach the IaaS workloads over the SD-WAN (MPLS and Internet).
CSP Connection Example – Cloud GW
Dynamic Routing to Host VPCs
Diagram: two CGWs in the Transit VPC peer with the TGW over BGP through Connect Attachments (2 x BGP adjacencies per VRF); host VPCs join the TGW through VPC Attachments. Bob (VRF 10) and Stuart (VRF 20) reach their VPCs from the branch and data center over the SD-WAN (MPLS and Internet).
CGW VRF 10 route table: 10.21.10.0/24 (Prod), 10.23.10.0/24 (Demo)
CGW VRF 20 route table: 10.22.10.0/24 (Dev)
TGW route table / VPC attachments: Prod VPC 10.21.10.0/24, Dev VPC 10.22.10.0/24, Demo VPC 10.23.10.0/24 (plus the Infra segment)
Automating Cloud Extensions in SD-WAN
Cloud OnRamp for Multicloud*
1. Select Cloud OnRamp for Multicloud
2. Complete pre-deployment steps (per CSP)
   A. Associate cloud provider account
   B. Complete cloud global settings
   C. Discover host private networks
   D. Deploy CGW staging template to Catalyst 8000v router(s)
3. Create Cloud Gateway (creates transit hub/VPC, transit GW, and deploys cloud service routers)

*Screenshots are of Catalyst SD-WAN Manager 20.13
Automating Cloud Extensions in SD-WAN
Discover Host Private Networks
*Only Tagged VPCs will be available to map to SD-WAN VRFs
1. Select VPC for Mapping
2. Add Tag
   A. Name
   B. Select Region
   C. Select VPC

Automating Cloud Extensions in SD-WAN
Stage C8Kvs for Cloud Gateway
D. Deploy CGW staging template to Catalyst 8000v router(s)
Setting parameters for CGW routers includes Site Id and System IP
After applying the staging template, the device becomes unreachable

Automating Cloud Extensions in SD-WAN
Create Cloud Gateway
3. Create Cloud Gateway (creates transit hub/VPC, transit GW, deploys cloud service routers, creates GW attachment, and creates subnets)
Reference
Automating Cloud Extensions in SD-WAN
Validating Deployment

Automating Cloud Extensions in SD-WAN
Managing Intent
1. Select Cloud OnRamp for Multicloud
2. Select Cloud Connectivity
3. Edit Intent to automatically map VPNs to VPCs/VNETs

Reference
Automating Cloud Extensions in SD-WAN
Validating Intent
Mapping intent creates a Connect Adjacency, which establishes a GRE tunnel between the C8K router and the AWS TGW; the BGP adjacency(ies) are formed over this tunnel.
Screenshots: AWS – TG Connect Attachment; C8K – BGP summary in VRF 10; C8K – VRF 10 Routing Table – Prod and Demo VPCs present; C8K – VRF 20 Routing Table – Dev VPC present
CSP Connection Example – Cloud GW
AWS Transit GW Integration
Diagram: Region 1 Transit VPC with a TGW and two CGWs serving VPCs A, B and C; Region 2 Transit VPC with a TGW and two CGWs serving VPCs D, E and F; the two TGWs are joined by Transit GW Peering. Bob at the branch and the data center reach the IaaS workloads over the SD-WAN (MPLS and Internet).

CSP Connection Example – Direct Connect
AWS Transit GW Integration
Diagram: the same two-region layout with Direct Connect added: a Direct Connect Gateway (DXGW) in each region attaches to the TGW via a VPN or Direct Connect attachment, giving the branch and data center a private path alongside the Internet.
Optimizing Extensions to the Public Cloud

What is the Middle Mile?
First mile: WAN service, internet, or private networks (local access)
Middle mile: SP core network, private network, ASN (transport between CoLo | PoP facilities, direct peering)
Last mile: CSP network, ASN or private networks
Diagram: an Internet route traverses AS3, AS4 and AS5 between the local access on one side and the CSP on the other; the middle mile runs between a CoLo | PoP at each end.
What are we enabling with Cloud Interconnect?
Cisco SD-WAN service hosted at global colocation facilities. Megaport and Equinix are the first to host our SD-WAN service.
• A cloud-delivered regional aggregation service with a rich set of programmable cloud direct-connects.
• Hosted SD-WAN-as-a-Service: Cisco router endpoint on the customer SD-WAN overlay.
• Site-to-Cloud access: vManage-automated direct-connect to all major cloud providers. On-demand connectivity, no long-term contracts.
• Automated, full-stack network deployment via Cisco vManage.
• Cloud consumption model.
Optimizing the Network Cloud
Diagram: Region 1 and Region 2 sites reach Colo facilities over local access; the Colos are linked by dynamic/automated high-speed cross-connects (“The Middle Mile”) and offer Direct Connect / Express Route and direct peering into the clouds and Cisco Webex, with connections worldwide.
On-demand Connectivity: Reduce time from months to minutes for multicloud connectivity
Programmability: Controller APIs for partner orchestration
Cloud Management: Automate the connections through a single pane of glass
Performance & Control: Remove congestion risk by sending packets through a private backbone
Adding Cloud Interconnects
Diagram: a Megaport interconnect is added to the SD-WAN fabric, providing middle-mile optimizations on the path from the branch to IaaS; Internet and SaaS continue via SSE (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security), and the private DC/Data Center stays on the fabric.

Optimizing Connection to CSP
… and to Other Sites
Diagram: the same Megaport middle-mile optimizations also carry site-to-site traffic between the branch and the private DC/Data Center.
Cloud Interconnect with SDCI
Option 1: Cloud Interconnects
Diagram: an Interconnect Gateway (ICGW) at the colocation facility connects to each CSP through Virtual Cross Connect(s) (VXC): to AWS via a public or private VIF* or a transit VIF* into the DXGW and TGW, and to Azure via a public or private circuit into the ERGW and vWAN. Branch worker, branch and data center reach the ICGW over the SD-WAN.
Option 2: Encrypted Multicloud Interconnects
Diagram: the ICGW extends the SD-WAN fabric across the VXC to a CGW inside the CSP, so the virtual workloads are reached over the encrypted SD-WAN overlay.
Site Interconnect with SDCI
Diagram: Region 1 (AWS) with CGWs, DXGW and TGW serving VPCs A, B and C, and Region 2 (Azure) with CGWs, ERGW and vWAN serving VNets D, E and F; an ICGW in each region, joined by SD-WAN Interconnect Connectivity (VXC), carries traffic between the branch worker, branch, data center and both clouds.

Site Interconnect Connection Example
Megaport and Encrypted Multicloud
Diagram: Corp Region EUR North (Branch EUR North 1 and 2) attaches to a Megaport Virtual Edge (MVE) acting as ICGW in the EMEA North Region, which reaches AWS (CGW, DXGW, TGW, VPCs A-C); Corp Region US East (Branch US East 1) attaches to an ICGW in the US East Region, which reaches Azure (CGW, ERGW, vWAN, VNets D-F); the two ICGWs are interconnected.
Automating Cloud Interconnects in SD-WAN
Cloud OnRamp for Multicloud
1. Select Cloud OnRamp for Multicloud
2. Select Interconnect
3. Complete pre-deployment steps
   1. Associate interconnect account
   2. Complete interconnect global settings*
   3. Discover host private networks
   4. Deploy ICGW staging template to Catalyst 8000v router(s)
4. Create Interconnect Gateway

*Note: Two unique colors must be set – ensure they are private and not used elsewhere in SDWAN
1. Transit Color – used for ICGW to ICGW connections
2. CGW SDWAN Color – used for ICGW to CGW
Reference
Automating Cloud Interconnects in SD-WAN
Validating ICGW Creation

Automating Cloud Interconnects in SD-WAN
Interconnect Connectivity
1. Once ICGW finishes deployment, configure Interconnect Connectivity
2. Select Interconnect & verify ICGW is reachable
3. Complete interconnect connectivity
   1. Select interconnect connectivity
   2. Choose ICGW and Add Connection
   3. Select destination type:
      • Cloud – Connect to CSP
      • Edge – Connect to another ICGW
   4. Choose method of connection (i.e. DirectConnect/ExpressRoute or shared)
   5. Select location and bandwidth
   6. Complete method specific settings

Reference
Automating Cloud Interconnects in SD-WAN
Validating Intent
Want to Learn More?
Additional Sessions:
BRKENT-2283 4 Steps to Unify Multicloud Connectivity and Design with Cisco SD-WAN Principles
SPC-1283 Equinix | Cisco Hybrid Multicloud Architecture
Deployment Video Demonstration: https://youtu.be/4-dRwbfLBb4
Optimizing and Securing Public Applications

Optimizing SaaS Flows
SLA Measurement of SaaS Apps
Diagram: branch worker at a branch with ISP1 and ISP2 uplinks into the SD-WAN fabric; the fabric measures loss and latency towards enterprise apps, IaaS, cloud SaaS apps and the private DC/Data Center to pick the best path.
Evolution of Cisco SD-WAN:
- Historically leveraged to measure app performance for on-prem apps
- Now measures app performance for cloud SaaS apps
- Multiple IPSec tunnels through cloud security – measure best path per app
Cloud OnRamp for SaaS
Detection – DNS Request: DNS requests are duplicated across all available Internet egress points or Gateway sites
Optimization – Quality Probing: HTTP ping packets are sent to probe the path (loss/latency)
Selection – vQoE Scores: vQoE scores are calculated based on loss/latency for path selection
Secure
Diagram example: for the SaaS application reached over HTTP, ISP1 scores 10 and is selected (✓), ISP2 scores 8.
*First Packet Classification can be enhanced through SD-AVC and is beyond the scope of this slide
Optimizing SaaS Flows
Diagram: Bob at the branch reaches enterprise apps over ISP1 (vQoE = 10) or ISP2 (vQoE = 8); the SD-WAN fabric measures loss and latency on each path for best-path selection.
• Router collects average loss and latency of several 2 minute buckets
• If actual loss and latency are less than expected, app receives vQoE of 10
• If actual loss and latency are more than expected, then app receives score of percentage of baseline
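To make the scoring rule above concrete, here is an added Python example (not code from the deck or from Cisco) that averages constructed probe buckets per ISP path, derives a vQoE-style score and picks the egress path the way the Cloud OnRamp for SaaS flow (detection, probing, selection) describes. The SLA thresholds, the sample buckets and the way "percentage of baseline" is turned into a number (expected over actual for whichever metric is furthest out of SLA) are assumptions; the router's real formula is not on the page.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed SLA thresholds (not from the deck): the "expected" loss and latency
# against which the measured averages are compared.
EXPECTED_LOSS_PCT = 1.0
EXPECTED_LATENCY_MS = 150.0


@dataclass(frozen=True)
class Bucket:
    """Average loss and latency that HTTP ping probes observed in one 2-minute bucket."""
    loss_pct: float
    latency_ms: float


# Constructed sample input: three 2-minute buckets per candidate egress path.
PROBES = {
    "ISP1": [Bucket(0.2, 40.0), Bucket(0.1, 45.0), Bucket(0.3, 50.0)],
    "ISP2": [Bucket(1.0, 100.0), Bucket(1.25, 110.0), Bucket(1.5, 120.0)],
}


def aggregate(buckets):
    """Average the per-bucket measurements, as the router does across several buckets."""
    return mean(b.loss_pct for b in buckets), mean(b.latency_ms for b in buckets)


def vqoe_score(buckets, expected_loss_pct=EXPECTED_LOSS_PCT,
               expected_latency_ms=EXPECTED_LATENCY_MS):
    """Score a path 0..10.

    Within SLA on both metrics -> 10. Otherwise the deck only says the app gets
    a "percentage of baseline"; this example (an assumption) takes
    expected/actual for whichever metric is further out of SLA and scales it
    to 0..10, so a path at 125% of the loss budget scores 8.
    """
    loss, latency = aggregate(buckets)
    if loss <= expected_loss_pct and latency <= expected_latency_ms:
        return 10.0
    loss_ratio = 1.0 if loss <= expected_loss_pct else expected_loss_pct / loss
    latency_ratio = (1.0 if latency <= expected_latency_ms
                     else expected_latency_ms / latency)
    return round(10.0 * min(loss_ratio, latency_ratio), 1)


def select_path(probes):
    """Return (best path name, {path: score}); ties go to the lower-latency path."""
    scores = {name: vqoe_score(buckets) for name, buckets in probes.items()}
    best = max(probes, key=lambda n: (scores[n], -aggregate(probes[n])[1]))
    return best, scores


if __name__ == "__main__":
    best, scores = select_path(PROBES)
    for name, score in scores.items():
        print(f"{name}: vQoE {score}{'  <- selected' if name == best else ''}")
```

With the constructed buckets ISP1 stays inside both thresholds and scores 10, while ISP2 averages 1.25% loss against a 1% budget and scores 8, reproducing the 10-versus-8 choice shown on the slide; feeding real probe results into PROBES is the only change needed to reuse the selection logic.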
Cloud OnRamp for Custom App
Bring Your Own App to Cloud OnRamp for SaaS
Extend Cloud OnRamp for SaaS support across all apps: 1500+ NBAR recognized apps (standard supported apps) + any custom app (add your own app)
BENEFITS
• Dynamically route SaaS traffic to the best path
• Fast, secure and reliable user experience
• Gain real-time and historical visibility into application performance
Cloud Security
Diagram: branch worker and branch on the SD-WAN fabric; Internet and SaaS flows pass through SSE (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security), while IaaS and the private DC/Data Center are reached across the fabric.
SD-WAN and Cloud Security
For on-premises users, the key use case is providing a method of Secure Internet Access.
Two items that must be determined:
1. How to connect branch offices to cloud security
2. How and what user traffic to direct to the cloud security
Cloud Security for Branch Users
Primary Function is Securing Internet Applications and Flows
Diagram: branch worker traffic leaves the branch towards the Internet and SaaS through SSE; non-web traffic passes DNS Security, FW/IPS and NAT, while web traffic additionally passes SWG, CASB and DLP.
DNS Security – Protects at DNS layer – preventing access to malicious sites
FW/IPS – L3/4 and L7 firewall rules – web traffic is directed for additional checks
SWG – Secure Web Gateway – policy for internet traffic, SSL decryption, RBI
CASB – Cloud Access Security Broker – policy for SaaS applications, prevent shadow IT
DLP – Data Loss Prevention – policy to protect data, multimode for in-line and out of band
SD-WAN and Secure Access Integration
Diagram: branch with IPSec tunnels to Cloud Security in Germany AZ1 (Primary DC) and Germany AZ2 (Backup DC), reaching enterprise apps.
• Auto-provision and Auto-deploy highly available tunnels with a few clicks
• Active-Active and Active/Standby design
• Support for auto or manual DC selection
• Up to 8 active and 8 standby tunnels
• ECMP or weighted load-balancing
• Throughput capacity to 8 Gbps
• Layer 7 health checks to Secure Access to monitor the health of the tunnel
• SaaS traffic optimization for Critical Apps with Layer7 health check
Weighted Load-Balancing
ECMP
Cisco load balancing is done by flow pinning, where a flow is dictated by hashing the 4-tuple: Source IP + Destination IP + Source Port + Destination Port.
Diagram: branch router (managed by Cisco Manager) with two IPSec tunnels to Cisco Secure Access, ECMP load-balancing 1:1.
S* 0.0.0.0/0 [2/65535], Tunnel100002
             [2/65535], Tunnel100001

Weighted Load-Balancing
Un-Equal Cost Multi Path
With dual ISP links offering different bandwidth entitlements, weighted load-balancing optimizes WAN capacity. Cisco load balancing is still done by flow pinning, where a flow is dictated by hashing the 4-tuple: Source IP + Destination IP + Source Port + Destination Port.
Diagram: branch router (managed by Cisco Manager) with two IPSec tunnels to Cisco Secure Access, weighted 80% / 20%.
S* 0.0.0.0/0 [2/3276], Tunnel100002
             [2/819], Tunnel100001
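The two routing-table entries above encode the split as per-tunnel weights: 65535/65535 is 1:1 and 3276/819 is 80/20 (3276 / 4095 = 0.8). The following added Python example (not code from the deck or from Cisco) shows how flow pinning with weighted buckets delivers both properties the slides describe: every packet of a given 4-tuple lands on the same tunnel, and the long-run share of flows tracks the weights. The hash function (SHA-256), the constructed flows and the reuse of the tunnel names from the route output are assumptions; the router's own hash is not on the page.

```python
import hashlib
from collections import Counter

# Tunnel weights as they appear in the branch routing table on the slides:
# ECMP uses 65535/65535 (1:1), UCMP uses 3276/819 (80%/20%).
ECMP_TUNNELS = [("Tunnel100002", 65535), ("Tunnel100001", 65535)]
UCMP_TUNNELS = [("Tunnel100002", 3276), ("Tunnel100001", 819)]


def flow_hash(src_ip, dst_ip, src_port, dst_port):
    """Hash the 4-tuple. SHA-256 is a stand-in (assumption); the router's own
    hash is not on the page. Any stable hash gives the property that matters:
    the same flow always produces the same value."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def pin_flow(flow, tunnels):
    """Pick a tunnel for the flow in proportion to the tunnel weights.

    Weights act as bucket widths: the hash modulo the weight sum falls into one
    tunnel's range, so 3276/819 sends about 80% of flows to the first tunnel,
    while a single flow is always pinned to the same tunnel.
    """
    total = sum(weight for _, weight in tunnels)
    bucket = flow_hash(*flow) % total
    for name, weight in tunnels:
        if bucket < weight:
            return name
        bucket -= weight
    raise AssertionError("unreachable: bucket is always below the weight sum")


def expected_share(tunnels):
    """Configured share of flows per tunnel, e.g. 3276 / (3276 + 819) = 0.8."""
    total = sum(weight for _, weight in tunnels)
    return {name: weight / total for name, weight in tunnels}


def constructed_flows(count):
    """Constructed sample flows: branch hosts in 10.1.0.0/16 talking to one
    SaaS address (203.0.113.10, a documentation prefix) on port 443."""
    for i in range(count):
        src_ip = f"10.1.{(i >> 8) & 255}.{i & 255}"
        yield (src_ip, "203.0.113.10", 1024 + (i % 60000), 443)


def observed_share(tunnels, count=10000):
    """Fraction of the constructed flows pinned to each tunnel."""
    counts = Counter(pin_flow(flow, tunnels) for flow in constructed_flows(count))
    return {name: counts[name] / count for name, _ in tunnels}


if __name__ == "__main__":
    for label, tunnels in (("ECMP 1:1", ECMP_TUNNELS), ("UCMP 80/20", UCMP_TUNNELS)):
        print(label, "expected", expected_share(tunnels), "observed", observed_share(tunnels))
```

Because selection is a pure function of the 4-tuple, a flow never straddles two IPSec tunnels (which would break stateful inspection at Secure Access), and the weighted split only holds in aggregate over many flows: a single large flow still occupies one tunnel regardless of the weights.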
Catalyst SD-WAN and Secure Access Integration
Pre-requisites
• Manager 20.13 and Edge 17.13
• Secure Access API added to Catalyst SD-WAN Manager: Administration -> Cloud Credentials -> Cloud Provider Credentials -> Cisco Secure Access
• Secure Access integration only through Configuration Groups and Feature Profiles
• “Domain Lookup” enabled in Global Feature
• DNS Server configured on VPN0 in Catalyst Manager
• Each active tunnel requires a unique IP source address – can be physical or loopback

Catalyst SD-WAN and Secure Access Integration
Policy Groups – Adding Tunnels
• Add Secure Service Edge
• Tracker source IP address – required, any 1918 address
• Add tunnel(s) for each connection to Secure Access
• Each active/backup pair needs a unique source interface – if multiple tunnels will use the same physical interface, then source the tunnels using Loopbacks

Catalyst SD-WAN and Secure Access Integration
Policy Groups – Choosing HA
• Automatically or manually choose Secure Access region
• Add Interface Pair – up to 8 active + 8 backup tunnels allowed
• Select active and backup interfaces and weight for each – default is ECMP

Catalyst SD-WAN and Secure Access Integration
Policy Groups – Assigning SSE
1. Add Policy Group
2. Select SSE Configuration
3. Save Policy Group
4. Associate Device(s)
5. Deploy
Verify Integration
Cisco Secure Access
• Tunnels connected at Secure Access
• Leverage Network Tunnel Group for all tunnels from router
• Enables simplified policy rules to enforce for all traffic coming from router
Diagram: 4 IPSec tunnels from the router: 2 Primary, 2 Secondary
Directing Traffic to Secure Access
Diagram: Branch 1 and Branch 2 with IPSec tunnels to Cisco Secure Access; one branch sends all traffic to SSE, the other steers selected applications (M365, Google, SFDC).
Option 1: Set Service Route of 0.0.0.0/0 to direct default to SSE
• Simple to set the default route pointing all non-internal traffic to SSE
• Set per VRF
Option 2: Policy Based Routing using Flexible Traffic Engineering
• Flexibility to select which applications send traffic to SSE
• Leverage DPI for app-classification
• Route-based redirection also possible
Reference
Cloud Security Options

Cisco Secure Access
• Secure Services Edge (SSE)
• Handles Secure Internet Access and ZTNA flows
• IPSec tunnels
• Up to 8 Gbps traffic from branch to Secure Access
• Available in 17.13 / 20.13 code releases

Umbrella
• Secure Internet Gateway (SIG)
• Primarily Secure Internet Access flows
• DNS Security handled in separate integration
• IPSec or GRE tunnels
• Up to 1 Gbps traffic from branch to Umbrella
• Available in 17.X / 20.X code releases

3rd Party
• SIG or SSE
• Handles Secure Internet Access path flows
• IPSec tunnels
• Up to XX from branch to 3rd party – depends on 3rd party capabilities
• Available in 17.X / 20.x code releases
Remote Worker Connecting to Workloads

Extend Protection to Remote Workers
Diagram: remote worker Bob connects through SSE (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security) to Internet and SaaS; Bob at the branch still reaches IaaS and the private DC/Data Center across the SD-WAN fabric.
Cisco Secure Client
Suite of security service enablement modules
• AnyConnect VPN (Core)
• Network Access Manager (NAM)
• ISE Posture
• HostScan (aka: ASA posture) (No UI)
• Secure Endpoint (AMP)
• Umbrella Module
• Cloud Management Module (No UI)
• Network Visibility Module (NVM) (No UI)
• Diagnostics and Reporting Tool (DART)
Connecting Remote Workers to Internal Workloads
Diagram: remote worker Bob reaches Internet and SaaS via SSE (CDFW, URL Filtering, IPS, AMP, Secure Web GW, DNS Security), and reaches internal workloads by terminating a VPN at the VPN Service (SDWAN RA) on a Regional Hub, which places him on the SD-WAN fabric with access to IaaS and the private DC/Data Center.

Optimizing Remote Workers to Internal Workloads
Diagram: the same design with the Regional Hub placed at Megaport, so the remote worker’s path to IaaS and the private DC/Data Center gains the middle-mile optimizations.
Enabling a Distributed Remote Access
Benefits
• Extends SD-WAN benefits to RA users
• Application visibility, AAR, AppQoE
• Integrated into SD-WAN segmentation
• Leverages FlexVPN RA solution
• Use IKEv2/IPSec and SSL RA VPNs
• Integration with AAA/RADIUS for identity-based policy
• Integration with Cisco IOS PKI for automated certificate lifecycle mgmt.
• Split tunneling capability
Want to Learn More?
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-ra/cisco-sd-wan-remote-access/m-sdwan-ra-configuration.html
Conclusion

Cisco SASE Workflows
Any Location to Any Workload
Diagram: remote worker (SSO, Remote Access) and branch worker at a branch both reach Internet and SaaS via Cloud Security (DNS/CBFW/SWG/DLP/CASB/RBI), IaaS via Megaport middle-mile optimization, and the private DC/Data Center across the SD-WAN fabric.

Optimizing and Protecting All Workflows
• Secure Edge workloads can be easily extended to CSPs through SD-WAN built-in automation
• Partnerships with co-los provide enhanced connections to both CSPs and other sites
• Rich integrations between SD-WAN and Cisco Secure Access allow on-prem workers to be secured easily
• Inspection of SaaS performance from the SD-WAN fabric provides an optimized path for inside-to-outside workloads
• Remote Access VPN capabilities integrated into the SD-WAN fabric provide a distributed, optimized path for outside-to-inside workloads
Thank you

Reference
Catalyst SD-WAN and Umbrella
Simple, effective integration for DNS Security
Diagram: branch with DNS integration to Umbrella Cloud Security at Ashburn (Primary DC) and New York (Backup DC), reached via an Anycast IP.
• Auto-Deploy DNS integration with Umbrella APIs
• Anycast architecture for highly available integration – directs clients not just to the closest DC but also includes awareness of load distribution
• Macro-segmentation extension through VPN/VRF aware identity sources
• DNScrypt support for enhanced security
• Local domain bypass
Integrating Viptela SD-WAN to Umbrella DNS
1. Select Configuration -> Security
2. Choose Custom Options -> Umbrella Registration
3. Add Umbrella API Keys
   A. Created at Umbrella Dashboard: Admin -> API Keys
   B. Use Umbrella Network Devices API Key (collect Key and secret)
   C. Organization ID is located in URL of Umbrella Dashboard
Viptela and Umbrella DNS (Cont.)
4. Add Unified Security Policy
5. Skip NG Firewall to move to DNS Security and Add DNS Security Policy
6. Complete Data for Policy
   A. Note: Umbrella Registration Status will display green flag if registered correctly
   B. Choose match all VPNs or subset
   C. Create a domain bypass list for local domains
   D. Under Advanced, ensure DNSCrypt is enabled to convey source VPN info to Umbrella
   E. Save DNS Policy
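Steps 6B to 6D define which VPNs the DNS policy applies to, which local domains bypass Umbrella, and whether DNSCrypt carries the source VPN to Umbrella as an identity. The Python below is an added example, not Cisco's or vManage's code, that models that decision logic so the bypass semantics can be checked before a policy is pushed. The resolver addresses, VPN numbers and domain names are constructed placeholders, and the per-VPN identity tagging follows the slide's description rather than the device's actual DNSCrypt encoding.

```python
"""Added example: DNS-security policy decision with local-domain bypass.

Models steps 6B-6D of the Umbrella DNS policy (VPN scope, domain bypass
list, DNSCrypt identity) in plain Python. Not Cisco code; all addresses,
VPN ids and domain names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Constructed placeholder for the Umbrella anycast resolver (TEST-NET-3 range).
UMBRELLA_ANYCAST = "203.0.113.53"


@dataclass(frozen=True)
class DnsPolicy:
    bypass_domains: Tuple[str, ...]          # step 6C: local domains resolved locally
    vpns: Optional[FrozenSet[int]] = None    # step 6B: None = match all VPNs
    dnscrypt: bool = True                    # step 6D: carry source VPN to Umbrella
    local_resolver: str = "10.0.0.53"        # constructed placeholder for the site resolver


@dataclass(frozen=True)
class Decision:
    forward_to: str              # "local" or "umbrella"
    resolver: str                # where the query is sent
    identity_vpn: Optional[int]  # VPN reported to Umbrella, if any


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot, no '*.' prefix."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def matches_bypass(qname: str, bypass_domains: Iterable[str]) -> bool:
    """True if qname equals a bypass entry or is a subdomain of one.

    Matching on a label boundary matters: 'corp.local' must match
    'intranet.corp.local' but must not match 'evilcorp.local'.
    """
    q = normalize(qname)
    for entry in bypass_domains:
        e = normalize(entry)
        if e and (q == e or q.endswith("." + e)):
            return True
    return False


def decide(qname: str, source_vpn: int, policy: DnsPolicy) -> Decision:
    """Apply the policy to one query arriving from a given service VPN."""
    in_scope = policy.vpns is None or source_vpn in policy.vpns
    if not in_scope or matches_bypass(qname, policy.bypass_domains):
        # Out-of-scope VPNs and bypassed domains keep using the local resolver.
        return Decision("local", policy.local_resolver, None)
    # Everything else is redirected to Umbrella; with DNSCrypt enabled the
    # source VPN is conveyed so Umbrella can apply per-VPN identity policy.
    identity = source_vpn if policy.dnscrypt else None
    return Decision("umbrella", UMBRELLA_ANYCAST, identity)


if __name__ == "__main__":
    policy = DnsPolicy(bypass_domains=("corp.local", "*.printers.example"),
                       vpns=frozenset({10, 20}))
    for qname, vpn in [("intranet.corp.local", 10), ("evilcorp.local", 10),
                       ("www.example.com.", 20), ("www.example.com", 99)]:
        d = decide(qname, vpn, policy)
        print(f"VPN {vpn:>2} {qname:<22} -> {d.forward_to:<8} via {d.resolver} identity={d.identity_vpn}")
```

The part worth unit-testing is `matches_bypass`: a bare suffix check without the leading dot would send `evilcorp.local` to the local resolver and silently skip Umbrella inspection, while forgetting to normalise case and trailing dots would make the bypass list miss legitimate local names.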
Viptela and Umbrella DNS (cont.)
7. Name and save security policy
8. Assign policy to template
   A. either traditional template
   B. or UX2.0
Viptela and Umbrella DNS (cont.)
9. In Umbrella dashboard, VPNs from branches appear automatically in: Core Identities -> Network Devices
10. Assign VPNs as Identities for DNS Policies in: Policies -> DNS Policies -> Specific Policy -> Edit Identity
Umbrella DNS in Action
• User attempting to access malicious sites (malware, phishing, CCC) is automatically blocked from access.
• Umbrella default DNS policy can block critical offensive categories.
Viptela and Umbrella Integration
Layer on Full Umbrella SIG
• Auto-provision and Auto-deploy highly available tunnels with a few clicks
• Active-Active and Active/Standby design
• Support for auto or manual DC selection
• ECMP or weighted load-balancing
• Throughput capacity to 1 Gbps
• Layer 7 health checks to Umbrella to monitor the health of the tunnel
• SaaS traffic optimization for Critical Apps with Layer7 health check
• Policy-based routing to Cisco Umbrella
[Figure: Enterprise Apps reached through Miami (Primary DC) and Dallas (Backup DC) Cloud Security, via one AnyCast IP]
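The bullets above list the knobs of the SIG tunnel design: active/active or active/standby pairs, ECMP or weighted load-balancing, and layer 7 health checks that decide whether a tunnel is usable. The Python below is an added example, not Cisco's or vManage's code, that models one way those choices combine into a per-flow tunnel choice. The tunnel names, weights, DC labels and health states are constructed, and the 5-tuple hash is a stand-in for whatever the platform actually uses.

```python
"""Added example: per-flow SIG tunnel selection.

Models active/active vs active/standby, ECMP or weighted load-balancing
and layer-7 health gating for SD-WAN to Umbrella SIG tunnels. Not Cisco
code; tunnel names, weights and health states are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int, int]  # (src ip, dst ip, proto, sport, dport)


@dataclass
class Tunnel:
    name: str
    dc: str                # Umbrella DC the tunnel terminates on
    weight: int = 1        # equal weights on all tunnels -> plain ECMP
    standby: bool = False  # True for the backup tunnel of an active/standby pair
    healthy: bool = True   # result of the last layer-7 health check


def eligible(tunnels: List[Tunnel]) -> List[Tunnel]:
    """Healthy active tunnels; if none remain, fail over to healthy standby tunnels."""
    active = [t for t in tunnels if not t.standby and t.healthy]
    if active:
        return active
    return [t for t in tunnels if t.standby and t.healthy]


def flow_hash(flow: Flow) -> int:
    """Deterministic hash of the 5-tuple so one flow sticks to one tunnel."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def select_tunnel(tunnels: List[Tunnel], flow: Flow) -> Optional[Tunnel]:
    """Weighted hash-based choice among eligible tunnels; None if nothing is healthy."""
    candidates = eligible(tunnels)
    if not candidates:
        return None  # caller falls back per policy (block or local breakout)
    weights = [max(t.weight, 1) for t in candidates]  # a weight below 1 counts as 1
    slot = flow_hash(flow) % sum(weights)
    for tunnel, w in zip(candidates, weights):
        slot -= w
        if slot < 0:
            return tunnel
    return candidates[-1]  # not reachable: slot is always below sum(weights)


def distribution(tunnels: List[Tunnel], n_flows: int) -> Dict[str, int]:
    """Count how many of n constructed flows land on each tunnel."""
    counts: Dict[str, int] = {}
    for i in range(n_flows):
        flow: Flow = (f"10.0.{i // 256}.{i % 256}", "198.51.100.7", 6, 40000 + i, 443)
        chosen = select_tunnel(tunnels, flow)
        if chosen is not None:
            counts[chosen.name] = counts.get(chosen.name, 0) + 1
    return counts


if __name__ == "__main__":
    pair = [Tunnel("sig-1", "primary", weight=3),
            Tunnel("sig-2", "backup", weight=1),
            Tunnel("sig-3", "primary", standby=True)]
    print("healthy:", distribution(pair, 4000))
    for t in pair[:2]:
        t.healthy = False  # simulate layer-7 probes failing on both active tunnels
    print("after failure:", distribution(pair, 4000))
```

Two things the model makes visible: health gating is what turns the layer 7 probe into a forwarding decision (a tunnel that is up at IPsec level but failing the probe is simply never a candidate), and because the slot is taken modulo the sum of weights, losing one active tunnel reshuffles every flow rather than only the flows that were on the failed tunnel, which is why sticky or consistent hashing is worth asking about when sessions must survive a DC failover.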
Integrate SD-WAN with Umbrella SIG
Create Umbrella API Key
1. Add Umbrella Global Credentials by Selecting Administration -> Settings -> SIG Credentials
2. Add Umbrella API Keys
   A. Created at Umbrella Dashboard: Admin -> API Keys
   B. Use Umbrella Management API Key (collect Key and secret)
   C. Organization ID is located in URL of Umbrella Dashboard
Integrate SD-WAN with Umbrella SIG
3. SIG integration in device template:
   A. SIG feature template added to VPN0
   B. For multiple active tunnels, need multiple source interfaces (can be physical or loopback)
4. Verify Cisco SIG Credentials under Additional Templates has automatically selected “Cisco-Umbrella-Global-Credentials”
5. SIG feature template:
   A. Create number of IPSec Tunnels
   B. Identify A/A or A/S configuration
   C. Allow auto selection of SIG DCs or select manually
Viptela and Umbrella SIG
6. In Umbrella Dashboard, Tunnels appear automatically in: Core Identities -> Network Tunnels
7. Assign Tunnels as Identities for FW and Web Policies in: Policies -> (Firewall or Web) <Policy> -> Ruleset Identities -> Edit
Viptela and Umbrella SIG
8. Select the Number next to “Tunnels” to get a list of all Network Tunnels and then check the applicable tunnels
Umbrella SIG in Action
• A user attempting to access firewall-prohibited applications like Torrent is blocked.
• Web policy can allow, warn, block, or isolate content categories or specific websites.