The document outlines the management of Cisco SD-WAN with a focus on integrating Secure Access Service Edge (SASE) and various security measures such as firewalls, intrusion prevention, and malware protection. It details the architecture, key functions, and policy configurations necessary for implementing control and data policies, as well as application-aware routing. Additionally, it discusses the use of vManage for centralized policy management and the importance of transport locators in the SD-WAN fabric operation.


Managing Secure Cisco SD-WAN

Branch with SASE

Ales Travnikar ([email protected])


November 2022
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
Cisco SD-WAN Architecture and Key Functions

Designing and implementing Control Policies

Designing and implementing Data Policies

Designing and implementing Application Aware Routing (AAR)


Implementing Enterprise Zone Based Firewall (ZBFW)

Implementing Intrusion Prevention System (IPS) and URL-Filtering (URL-F)

Implementing Advanced Malware Protection (AMP)

Unified Threat Defense (UTD) Integration with TLS/SSL Proxy

Secure Access Service Edge (SASE) Integration

Implementing DNS Security with Cisco Umbrella


Agenda (Cont.)
Configuring Umbrella Secure Internet Gateway (SIG) with CDFW, SWG, CASB

AppQoE with Quality of Service (QoS), FEC, Packet Duplication and TCP Optimization

Cloud onRamp for Multicloud, SaaS and CoLo

Lab Environment

Cisco SD-WAN
Architecture and Key Functions

Cisco SD-WAN Architecture

(Architecture diagram.) The solution is layered into four planes:
• Management plane: vManage, exposing APIs to 3rd-party automation, plus vAnalytics
• Orchestration plane: vBond
• Control plane: vSmart controllers
• Data plane: WAN Edge routers connected over MPLS, Internet (INET) and 4G transports, deployed in cloud, data center, campus, branch and SOHO locations
Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC and per VPN visibility
• Programmatic interfaces (REST, NETCONF)
• Highly resilient
Orchestration Plane
Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes a list of vSmarts/vManage to all WAN Edge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
Control Plane
Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between WAN Edges
• Distributes data plane and app-aware routing policies to the WAN Edge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane
Physical/Virtual WAN Edge
• WAN edge router
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP, EIGRP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor
vAnalytics
• Cloud-based analytics engine
• Optional solution element
• Opt-in customer model
• Analyzes fabric telemetry
• Capacity projections
• SLA violation trends
• Utilization anomaly detection
• Application QoE
• Carrier grading
• Data anonymization
Programmatic API
vManage REST
• Programmatic control over all aspects of vManage administration
• Secure HTTPS interface
• GET, PUT, POST, DELETE methods
• Authentication and authorization
• Bulk API calls
• Python scripting
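The login flow behind the REST bullets, as an added example that is not part of the deck or of any Cisco SDK: the client POSTs the form login to /j_security_check (which sets the JSESSIONID session cookie), fetches the anti-CSRF token from /dataservice/client/token and sends it in the X-XSRF-TOKEN header on every later call, here to /dataservice/device. Those paths and header names are vManage's documented interface; the hostname vmanage.example.net, the credentials, the returned device list and the fake controller are constructed for the demo so the code runs offline. The real transport keeps TLS verification on: point cafile at the controller's CA instead of disabling verification, because the session cookie and token are bearer credentials for the whole fabric.

```python
"""Login to vManage, fetch the XSRF token and call an authenticated endpoint (added example)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]                      # status, headers, body
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def urllib_transport(cafile: Optional[str] = None, verify: bool = True) -> Transport:
    """Real HTTPS transport with a cookie jar (the JSESSIONID cookie carries the login)."""
    ctx = ssl.create_default_context(cafile=cafile)      # pin the controller CA here
    if not verify:                                        # lab-only escape hatch, never in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx),
                                         urllib.request.HTTPCookieProcessor(CookieJar()))

    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


class VManageClient:
    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self._send = transport
        self._xsrf: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
        status, _, body = self._send("POST", self.base_url + "/j_security_check",
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        # vManage answers 200 to bad credentials as well, but with the HTML login page as body
        if status != 200 or b"<html" in body.lower():
            raise PermissionError("vManage login failed")
        status, _, token = self._send("GET", self.base_url + "/dataservice/client/token", {}, None)
        if status != 200 or not token.strip():
            raise PermissionError("could not obtain XSRF token")
        self._xsrf = token.decode().strip()

    def get(self, path: str) -> dict:
        if self._xsrf is None:
            raise RuntimeError("call login() first")
        headers = {"X-XSRF-TOKEN": self._xsrf, "Accept": "application/json"}
        status, _, body = self._send("GET", self.base_url + path, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return json.loads(body)

    def device_list(self) -> List[Tuple[str, str, str]]:
        return [(d["host-name"], d["system-ip"], d["reachability"])
                for d in self.get("/dataservice/device")["data"]]


def fake_vmanage(user: str = "admin", password: str = "lab-only-secret", token: str = "a1b2c3") -> Transport:
    """Constructed stand-in for a controller so the flow runs offline (not a real vManage)."""
    state = {"logged_in": False}
    devices = {"data": [{"host-name": "BR1-VEDGE1", "system-ip": "10.3.0.1", "reachability": "reachable"},
                        {"host-name": "DC1-VEDGE1", "system-ip": "10.1.0.1", "reachability": "reachable"}]}

    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/j_security_check":
            form = dict(urllib.parse.parse_qsl((body or b"").decode()))
            state["logged_in"] = form.get("j_username") == user and form.get("j_password") == password
            return 200, {}, (b"" if state["logged_in"] else b"<html>login</html>")
        if not state["logged_in"]:
            return 401, {}, b""
        if method == "GET" and path == "/dataservice/client/token":
            return 200, {}, token.encode()
        if headers.get("X-XSRF-TOKEN") != token:              # session cookie alone is not enough
            return 403, {}, b"XSRF token missing"
        if method == "GET" and path == "/dataservice/device":
            return 200, {"Content-Type": "application/json"}, json.dumps(devices).encode()
        return 404, {}, b""
    return send


def demo_device_list() -> List[Tuple[str, str, str]]:
    client = VManageClient("https://vmanage.example.net", fake_vmanage())
    client.login("admin", "lab-only-secret")
    return client.device_list()


def login_rejected(username: str, password: str) -> bool:
    """True when the controller refuses the credentials (exercises the failure path)."""
    client = VManageClient("https://vmanage.example.net", fake_vmanage())
    try:
        client.login(username, password)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for host, system_ip, reach in demo_device_list():
        print(f"{host:12s} {system_ip:12s} {reach}")
```

Running the file prints the constructed device list; swapping fake_vmanage() for urllib_transport(cafile="controller-ca.pem") talks to a real controller with the same code path. The cookie-plus-token pair is exactly what a replayed session would carry, which is why the RBAC on the GUI bullet matters just as much for API accounts.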
Cisco SD-WAN Terminology
• Transport Side – Controller or vEdge interface connected to the underlay/WAN network
 • Always VPN 0
 • Traffic typically tunneled/encrypted, unless split-tunneling (DIA) is used
• Service Side – vEdge interface attaching to the LAN
 • VPN 1-511 (512 reserved for out-of-band management)
 • Traffic forwarded as-is from the original source
 • LAN routes are connected, static or dynamic (OSPF/EIGRP/BGP)

(Diagram: MPLS and INET transports on the transport side of the WAN Edge; connected, static and dynamic routes on the service side.)
Cisco SD-WAN Terminology (Cont.)
• Site-ID – Identifies the source location of an advertised prefix
 • Configured on every WAN Edge
 • Does not have to be unique; WAN Edges sharing a Site-ID are treated as the same location (by default no IPsec tunnels are built between them)
• System-IP – Unique identifier of an OMP endpoint
 • 32-bit dotted-decimal notation (an IPv4 address; it does not need to be routable)
 • Logically a VPN 0 loopback interface, referred to as "system"
 • The system interface is the termination point for OMP
• Organization-Name – Defines the OU to match in the certificate authentication process
 • OU carried in both directions for authentication between controllers and WAN Edge nodes
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers, and between the vSmart controllers
 - Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations and service routes
• Distributes IPsec encryption keys, and data and app-aware policies

(Diagram: vSmart peers over OMP with the other vSmart and with each WAN Edge; WAN Edges do not run OMP with each other.)
Transport Locators (TLOCs)
• A TLOC identifies a transport attachment point of a WAN Edge: (System IP, Color, Encapsulation)
• Each WAN Edge advertises its local TLOCs to the vSmarts (default)
• vSmarts advertise the TLOCs to all WAN Edges (default), so the fabric forms a full mesh of IPsec tunnels*
• * Can be influenced by the control policies

(Diagram legend: Transport Locator (TLOC), OMP, IPsec Tunnel.)
SD-WAN Fabric Operation
• OMP Update carries:
 ▪ Reachability – IP subnets, TLOCs
 ▪ Security – encryption keys
 ▪ Policy – data/app-route policies
• vSmart ↔ WAN Edge: OMP inside a DTLS/TLS tunnel; OMP updates and policies flow in both directions
• WAN Edge ↔ WAN Edge: IPsec tunnels over Transport1 and Transport2, each monitored by BFD
• Service side: VPN1 and VPN2 subnets (A, B at one site; C, D at the other) learned via BGP, OSPF, connected and static routes are advertised as OMP routes together with the local TLOCs
Cisco SD-WAN
Policies

Policy Overview
Policy
 • Control – affects the control plane
  • Centralized: affects network-wide routing
  • Localized: route policy in the site-local network
 • Data – affects the data plane
  • Centralized: affects network-wide data traffic
  • Localized: access lists affecting a single interface on a single router

• Clear separation exists between control plane and data plane policies
• Clear separation exists between centralized and localized functions
Policy Distribution
• Data Policy and App Aware Routing Policy: vManage → (NETCONF/YANG) → vSmart → (OMP) → WAN Edge
• Control Policy and VPN Membership Policy: vManage → (NETCONF/YANG) → vSmart, where they are enforced; nothing is sent to the WAN Edges
• Local Policies: vManage → (NETCONF/YANG) → WAN Edge
Policy Building Blocks
• Assemble the three building blocks to configure vSmart policies: Groups of Interest, Policy Definition, and Policy Application.
 • Groups of Interest: Prefixes, Sites, TLOCs, VPNs, Colors, SLAs
 • Policy Definition: Control policies affect overlay routing; AAR policies with SLAs steer traffic; Data policies provide VPN-level policy-based routing
 • Policy Application: An apply directive used in conjunction with site lists enables specific policies at specific locations
• Centralized policy definition is configured on vManage and enforced across the entire network
How Policies are Attached
• Centralized deployment (vManage → vSmart), attached per Site-ID:
 • Control Policy: direction in (OMP updates received from the site) or out (OMP updates sent to the site)
 • Data Policy: per VPN, direction from-tunnel, from-service or all
 • AAR Policy: per VPN, from-service only
• Localized deployment (vManage → WAN Edge, identified by its Site-ID): local policies apply to the WAN Edge's service-side VPNs (VPN1, VPN2) and LAN interfaces (LAN1, LAN2)
Cisco SD-WAN
Centralized Policy
Configuration

Adding a Centralized Policy
In Cisco vManage, navigate to Configuration > Policies, select Centralized Policy and click Add Policy.

Step1a: Create Groups of Interest

Step1b: Create Groups of Interest – Prefix Lists

Step1c: Create Groups of Interest – TLOC Lists

Step2a: Define a Topology (Control Policy)

Step2b: Define a Topology – Simple Hub and Spoke

Name and description of the topology.
VPN List and Site List are taken from the groups of interest previously defined.
Step3a: Configure Traffic Rules (Data Policy)

Step3b: Configure Traffic Rules (Data Policy)

Step4: Apply Policies

Activating and Editing Policies
Editing Policies

Only one centralized policy can be active at a time, and activating another one replaces it on the vSmart controllers. Make sure the active policy includes all needed components (Control, Data, App-Route, VPN Membership).
Cisco SD-WAN
Control Policies

Control Policies
• Configured on vManage. Enabled and enforced on vSmart controllers.
They do not get forwarded to WAN Edge routers.
• Control policies operate on OMP routing information received from or sent to
WAN Edge routers. They can filter OMP updates or modify various attributes.
• Control policies are a very powerful tool: they can change the routing behavior of the entire
SD-WAN fabric
• Control policies are used to enable many services, such as:
- Arbitrary VPN Topologies
- Service Chaining
- Traffic Engineering
- Extranet VPNs
- Service and Path affinity
- …

Control Policy – Arbitrary VPN Topologies
• Problem: Different VPNs must be provided with different connectivity based on the applications being serviced in each VPN
 VPN 1: CRM System = Hub and Spoke, VPN 2: Voice = Full Mesh
• Solution: Deploy a control policy to control the VPN topology

Policy Details (Data Center plus Site1, Site2 and Site3, each with VPN1 and VPN2):
• VPN1 – vSmart advertises just the DC prefixes to the spokes and denies everything else on VPN1
• VPN2 – No filter; all prefixes are advertised to every node on VPN2
Control Policy – Arbitrary VPN Topologies (Cont.)

policy
 lists
  site-list Branches
   site-id 1-3
  !
  vpn-list CRM
   vpn 1
  !
 !
 control-policy ArbitraryTopology
  sequence 10
   match route
    vpn-list CRM
    site-list Branches
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branches
  control-policy ArbitraryTopology out
 !
!

The policy is applied outbound towards the branch sites (site-id 1-3): VPN1 routes that originated at a branch are rejected before vSmart sends them to the other branches, so spokes only learn the data center's VPN1 prefixes. VPN2 routes fall through to default-action accept and the full mesh remains.
Control Policy Example – Data Center Priority
• Problem: Prefer the main data center over the DR data center. If the main data center fails, traffic should reroute to the DR data center.
• Solution: Deploy a control policy to influence TLOC priority

Policy Details (Main DC, DR DC and Site1):
• Set a higher preference on the main data center TLOCs than on the DR data center TLOCs
• Preference is set on all TLOC colors using a TLOC list
Control Policy Example – Data Center Priority (Cont.)

policy
 lists
  site-list Branches
   site-id 1-10
  !
  tloc-list Main-DC-tlocs
   tloc 10.1.1.1 color biz-internet encap ipsec
   tloc 10.1.1.1 color mpls encap ipsec
  !
 !
 control-policy prefer-Main-DC
  sequence 10
   match tloc
    tloc-list Main-DC-tlocs
   !
   action accept
    set
     preference 50
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branches
  control-policy prefer-Main-DC out
 !
!

10.1.1.1 is the system IP of the main data center WAN Edge; a TLOC list entry is the full (system IP, color, encapsulation) triple. A higher TLOC preference (default 0) wins, so the branches prefer routes reachable via the main DC TLOCs; when those TLOCs are withdrawn after a failure, the same routes via the DR data center TLOCs take over without any policy change.
Control Policy Example – Service Chaining
• Problem: Certain departments require firewall protection when interacting with data center networks, while other departments do not
• Solution: Deploy a service-chained firewall service per VPN

Policy Details (Regional Hub with an attached Firewall, Data Center = Site1, branch = Site10; VPN1 – Protected, VPN2 – Open):
• The regional hub advertises availability of the Firewall service
• Bi-directionally modify the TLOC next hop attribute for VPN1 traffic between Site10 and the Data Center to point at the regional hub TLOCs
Control Policy Example – Service Chaining (Cont.)

! Applied on the Regional Hub WAN Edge
vpn 1
 service netsvc1 address 10.0.1.1
!

! vSmart policy: Site10 → Data Center direction
policy
 lists
  site-list fw-inspected
   site-id 10
  !
 !
 control-policy fw-service
  sequence 10
   match route
    vpn 1
    site-id 1
   !
   action accept
    set
     service netsvc1 vpn 1
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list fw-inspected
  control-policy fw-service out
 !
!

Data center (site-id 1) VPN1 routes sent to Site10 are rewritten to point at the netsvc1 service, i.e. the firewall behind the regional hub: Site10 forwards DC-bound VPN1 traffic to the hub, which hands it to the firewall at 10.0.1.1 before forwarding it on. VPN2 is untouched by the policy.
Control Policy Example – Service Chaining (Cont.)

! Applied on the Regional Hub WAN Edge
vpn 1
 service netsvc2 address 10.0.2.1
!

! vSmart policy: Data Center → Site10 (return) direction
policy
 lists
  site-list dc
   site-id 1
  !
 !
 control-policy fw-service-return
  sequence 10
   match route
    vpn 1
    site-id 10
   !
   action accept
    set
     service netsvc2 vpn 1
    !
   !
  !
  default-action accept
 !
!
apply-policy
 site-list dc
  control-policy fw-service-return out
 !
!

Without this second policy only one direction of each flow would pass the firewall; a stateful firewall needs to see both directions, so Site10's VPN1 routes sent to the data center are likewise pointed at the hub's service.
Control Policy Example – Shared Services
• Problem: Services residing in a VPN must be shared across users residing in multiple other VPNs. Some VPNs don't need access to the shared services.
• Solution: Deploy a control policy with route exports.

Policy Details (Site1 to Site4; shared service in VPN100 at Site2, users in VPN1, VPN2 and VPN3):
• Export VPN2 and VPN3 routes into the shared service VPN100, and vice versa
• VPN1 cannot communicate with VPN2, VPN3 or VPN100
Control Policy Example – Shared Services (Cont.)

policy
 lists
  site-list all-extranet-sites
   site-id 1-4
  !
  vpn-list extranet-clients
   vpn 2-3
  !
  prefix-list extranet-srv-prefix
   ip-prefix 10.1.1.1/32
  !
 !
 control-policy extranet
  sequence 10
   match route
    vpn-list extranet-clients
   !
   action accept
    export-to vpn 100
   !
  !
  sequence 20
   match route
    vpn 100
    prefix-list extranet-srv-prefix
   !
   action accept
    export-to vpn-list extranet-clients
   !
  !
  default-action accept
 !
!
apply-policy
 site-list all-extranet-sites
  control-policy extranet in
 !
!

The policy is applied in the inbound direction because export-to acts on routes as vSmart receives them from the WAN Edges. Only the shared server prefix (10.1.1.1/32) is leaked from VPN100 into VPN2 and VPN3, so the client VPNs can reach the service but not each other, and VPN1 is not referenced at all.
Hierarchical Control Policy

(Diagram: three regions, each with a hub and its spokes: Region 1 Hub1 10.0.0.1, Region 2 Hub2 10.0.0.2, Region 3 Hub3 10.0.0.3. BFD sessions run within each region and between the hubs, not between spokes of different regions.)

Needed tasks:
• Limit BFD sessions to intra-region and between hubs
• Adapt routing to support the desired topology
Hierarchical Control Policy – Region 1

control-policy hub1
 sequence 1
  match tloc
   site-list region2-3-spokes
  !
  action reject
  !
 !
 sequence 5
  match route
   site-list region2-spokes
  !
  action accept
   set
    tloc 10.0.0.2 color gold encap ipsec
   !
  !
 !
 sequence 10
  match route
   site-list region3-spokes
  !
  action accept
   set
    tloc 10.0.0.3 color gold encap ipsec
   !
  !
 !
 default-action accept
!
control-policy region1-spokes
 sequence 1
  match tloc
   site-list region2-3
  !
  action reject
  !
 !
 sequence 5
  match route
   site-list region2-3
  !
  action accept
   set
    tloc 10.0.0.1 color gold encap ipsec
   !
  !
 !
 default-action accept
!
apply-policy
 site-list hub1
  control-policy hub1 out
 !
 site-list region1-spokes
  control-policy region1-spokes out
 !
!

Sequence 1 of each policy withholds the other regions' TLOCs, which is what removes the inter-region BFD sessions; the later sequences rewrite the TLOC of routes learned from those regions to the appropriate hub. A rewritten TLOC must itself still be advertised to the receiving site (here the hub TLOCs are), otherwise the route is unresolvable and is not installed.
Cisco SD-WAN
VPN Membership Policies

VPN Membership Policy
• The default behavior of the OMP architecture is to advertise any configured
VPN to any node where it is configured
- Automatically establishes connectivity without unnecessary configuration and
operational overhead
• Certain VPNs may be of a sensitive nature, such that their membership must
be tightly controlled
• The VPN Membership Policy serves to restrict the distribution of VPN
information from vSmart to those that are explicitly approved
- Both Whitelist and Blacklist behavior can be established
• With a VPN Membership Policy, a node not explicitly allowed to participate in
a VPN may have the VPN configured, but will only see local connectivity and
routing information

VPN Membership Policy Example
• Problem: Prevent a site from learning reachability for a VPN, even though this same VPN is locally defined on the WAN Edge router
• Solution: Deploy a VPN membership policy to filter OMP advertisements

Policy Details (Site1 and Site2, each with VPN1 and VPN2 defined):
• VPN1 is defined on the Site1 WAN Edge, however OMP updates pertaining to VPN1 will not be sent from vSmart to the Site1 WAN Edge
• vSmart will not accept any OMP updates pertaining to VPN1 coming from the Site1 WAN Edge
Lab Activity
• Lab 1: Implementing Control Policies
• Lab 2: Configuring Service Chaining

Cisco SD-WAN
Data Policies

Data Policies
• Data policies are configured on vManage, enabled on vSmart controllers and
enforced on WAN Edge routers.
• Data policies allow easier fine-grained traffic control than control policies.
• Certain objectives can be equally achieved by both control and data policies.
Control policies act on OMP routing advertisements, data policies act on
application traffic characteristics.
• Data policies are used to enable many services, such as:
- Transport Selection, TE
- DIA
- Service Chaining
- QoS
- cFlowd
Data Policy Example – Path Preference
• Problem: Send critical applications over the MPLS transport and non-critical applications over the Internet transport
• Solution: Deploy a data policy to set the transport for the relevant traffic

Policy Details (two sites connected over MPLS and INET; the data policy is applied at both sites):
• Bi-directionally set the local TLOC for the desired traffic
• Overrides the OMP routing decision
• Falls back on overlay routing if the preferred transport fails
Data Policy Example – Path Preference (Cont.)

policy
 lists
  data-prefix-list DC-Servers
   ip-prefix 10.1.1.0/24
  !
  data-prefix-list Clients
   ip-prefix 10.10.1.0/24
  !
  site-list Site1-2
   site-id 1-2
  !
  vpn-list vpn10
   vpn 10
  !
 !
 data-policy prefer_mpls
  vpn-list vpn10
   sequence 5
    match
     source-data-prefix-list Clients
     destination-data-prefix-list DC-Servers
    !
    action accept
     set
      local-tloc-list
       color mpls
      !
     !
    !
   !
   sequence 10
    match
     source-data-prefix-list DC-Servers
     destination-data-prefix-list Clients
    !
    action accept
     set
      local-tloc-list
       color mpls
      !
     !
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list Site1-2
  data-policy prefer_mpls from-service
 !
!

Both directions are matched because the policy is applied from-service at both sites and each site only steers the traffic entering from its own LAN. local-tloc-list pins the local transport (mpls); when no MPLS tunnel is up, the set action is ignored and the traffic follows the normal overlay route.
Direct Internet Access (DIA)
Different options for enabling DIA:
1. NAT VPN Route – sends all traffic in a specific service VPN via DIA.
2. Centralized Data Policy – 6-tuple or DPI application classification decides which data is sent directly via DIA.

Prerequisite for DIA: NAT enabled on the outside (transport-side) interface.
Option 1: NAT VPN Route - cEdge
Use case: Send all traffic in a Guest VPN via DIA.
Prerequisite: NAT enabled on the outside interface.

Option 1: NAT VPN Route - vEdge

vpn 0
 interface ge0/1
  nat
 !
!
vpn 2
 ip route 0.0.0.0/0 vpn 0
!
vpn 2
 router
  bgp 65000
   address-family ipv4-unicast
    redistribute nat
   !
  !
  ospf
   redistribute nat
  !
 !
!

• A default NAT route cannot coexist with a static default route in the same VPN
• The NAT route does not get redistributed into OMP
• Service-side redistribution into OSPF or BGP is supported
Option 1: NAT VPN Route – vEdge (Cont.)
BR1-VEDGE1# show ip route vpn 2
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area, E1 -> ospf-external1, E2 -> ospf-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
                                           PROTOCOL   NEXTHOP   NEXTHOP   NEXTHOP
VPN   PREFIX          PROTOCOL    SUB TYPE   IF NAME    ADDR      VPN       TLOC IP      COLOR          ENCAP   STATUS
--------------------------------------------------------------------------------------------------------------------
2     0.0.0.0/0       nat         -          ge0/1      -         0         -            -              -       F,S
2     0.0.0.0/0       omp         -          -          -         -         10.1.0.1     mpls           ipsec   -
2     0.0.0.0/0       omp         -          -          -         -         10.1.0.1     biz-internet   ipsec   -
2     0.0.0.0/0       omp         -          -          -         -         10.1.0.2     mpls           ipsec   -
2     0.0.0.0/0       omp         -          -          -         -         10.1.0.2     biz-internet   ipsec   -
2     10.2.0.0/24     omp         -          -          -         -         10.2.0.1     mpls           ipsec   F,S
2     10.2.0.0/24     omp         -          -          -         -         10.2.0.1     biz-internet   ipsec   F,S
2     10.2.0.0/24     omp         -          -          -         -         10.2.0.2     mpls           ipsec   F,S
2     10.2.0.0/24     omp         -          -          -         -         10.2.0.2     biz-internet   ipsec   F,S
2     10.3.0.0/24     connected   -          ge0/3      -         -         -            -              -       F,S
2     10.10.10.0/24   omp         -          -          -         -         10.1.0.1     mpls           ipsec   F,S
2     10.10.10.0/24   omp         -          -          -         -         10.1.0.1     biz-internet   ipsec   F,S
2     10.10.10.0/24   omp         -          -          -         -         10.1.0.2     mpls           ipsec   F,S

The NAT default route (next hop interface ge0/1 in VPN 0) is the selected, FIB-installed default (F,S); the OMP default routes learned from the data center stay in the table but are not selected while the NAT route is present. All other OMP prefixes are still forwarded over the overlay.
Option 2: Centralized Data Policy
• Problem: Local Internet exit needs to be provided to guest WiFi users. Guest WiFi users need to be isolated from corporate users.
• Solution: Deploy a data policy in the guest VPN with network address translation

Policy Details (site with VPN1 – Corporate and VPN2 – Guest; the Data Center is reached over the SD-WAN fabric, the Internet via DIA):
• Define NAT on the transport-side interface
• Force matching traffic in the guest WiFi VPN through the locally defined NAT on the transport-side interface
Option 2: Centralized Data Policy (Cont.)

policy
 lists
  site-list Site1-2
   site-id 1-2
  !
  vpn-list guest-vpn
   vpn 2
  !
 !
 data-policy guest-wifi
  vpn-list guest-vpn
   sequence 10
    action accept
     nat use-vpn 0
    !
   !
   default-action drop
  !
 !
!
apply-policy
 site-list Site1-2
  data-policy guest-wifi from-service
 !
!

Sequence 10 has no match conditions, so every flow entering from the guest LAN is NATed out of VPN 0 (DIA) instead of following the overlay route towards the data center; traffic aimed at corporate prefixes therefore never enters the fabric. default-action drop makes sure that anything a future sequence fails to match is discarded rather than forwarded over the overlay.
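Covering both data-policy examples (prefer_mpls above and guest-wifi here), the following is an added illustration that is not Cisco code: a small model of how a WAN Edge walks a centralized data policy, with sequences evaluated lowest number first, first match winning, and default-action applied only when nothing matched, so the effect of the from-service direction and of default-action drop can be checked before a policy is activated. The list names and prefixes are the deck's; GUEST_WIFI_STRICT is my own variant that adds an explicit drop of guest traffic aimed at corporate address space ahead of the catch-all NAT sequence, and the flows are constructed sample data.

```python
"""First-match evaluation of the prefer_mpls and guest-wifi data policies (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    vpn: int
    src: str
    dst: str
    direction: str = "from-service"      # or "from-tunnel"


@dataclass
class Sequence:
    number: int
    action: str                          # "accept" or "drop"
    src_list: Optional[str] = None       # source-data-prefix-list
    dst_list: Optional[str] = None       # destination-data-prefix-list
    sets: Dict[str, str] = field(default_factory=dict)   # set / nat actions on accept


@dataclass
class DataPolicy:
    name: str
    vpns: List[int]                      # vpn-list
    direction: str                       # from-service | from-tunnel | all
    sequences: List[Sequence]
    default_action: str = "accept"


def in_prefix_list(addr: str, prefixes: List[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(p) for p in prefixes)


def evaluate(policy: DataPolicy, lists: Dict[str, List[str]], flow: Flow) -> Optional[dict]:
    """Verdict for one flow, or None when the policy is not applied to this VPN/direction."""
    if flow.vpn not in policy.vpns or policy.direction not in ("all", flow.direction):
        return None
    for seq in policy.sequences:                       # lowest sequence number first, first match wins
        if seq.src_list and not in_prefix_list(flow.src, lists[seq.src_list]):
            continue
        if seq.dst_list and not in_prefix_list(flow.dst, lists[seq.dst_list]):
            continue
        return {"action": seq.action, "sequence": seq.number, **seq.sets}
    return {"action": policy.default_action, "sequence": None}


LISTS = {"DC-Servers": ["10.1.1.0/24"], "Clients": ["10.10.1.0/24"],
         "Corporate": ["10.0.0.0/8"]}                  # Corporate is an added list for the strict variant

PREFER_MPLS = DataPolicy("prefer_mpls", [10], "from-service", [
    Sequence(5, "accept", "Clients", "DC-Servers", {"local-tloc-color": "mpls"}),
    Sequence(10, "accept", "DC-Servers", "Clients", {"local-tloc-color": "mpls"}),
])

GUEST_WIFI = DataPolicy("guest-wifi", [2], "from-service",
                        [Sequence(10, "accept", sets={"nat": "use-vpn 0"})], default_action="drop")

# Variant (not from the deck): drop guest traffic aimed at corporate space before the catch-all NAT
GUEST_WIFI_STRICT = DataPolicy("guest-wifi-strict", [2], "from-service", [
    Sequence(5, "drop", None, "Corporate"),
    Sequence(10, "accept", sets={"nat": "use-vpn 0"}),
], default_action="drop")


def demo() -> Dict[str, Optional[dict]]:
    """Constructed flows run through the three policies."""
    return {
        "client->dc":         evaluate(PREFER_MPLS, LISTS, Flow(10, "10.10.1.25", "10.1.1.7")),
        "dc->client":         evaluate(PREFER_MPLS, LISTS, Flow(10, "10.1.1.7", "10.10.1.25")),
        "client->other":      evaluate(PREFER_MPLS, LISTS, Flow(10, "10.10.1.25", "10.2.0.9")),
        "from-tunnel":        evaluate(PREFER_MPLS, LISTS, Flow(10, "10.1.1.7", "10.10.1.25", "from-tunnel")),
        "guest->internet":    evaluate(GUEST_WIFI, LISTS, Flow(2, "192.168.50.10", "198.51.100.5")),
        "guest->corp":        evaluate(GUEST_WIFI, LISTS, Flow(2, "192.168.50.10", "10.1.1.7")),
        "guest->corp strict": evaluate(GUEST_WIFI_STRICT, LISTS, Flow(2, "192.168.50.10", "10.1.1.7")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The "from-tunnel" row returns None: prefer_mpls is applied from-service, so traffic arriving from the overlay is never evaluated by it, which is why the deck applies the same policy at both sites rather than one policy in both directions. The two guest rows show the difference between relying on NAT to keep guests away from corporate prefixes and saying so explicitly with a drop sequence.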
Tracking Transport Interface Status - vEdge

system
 tracker dia
  endpoint-ip 203.0.113.1
  interval 10
  multiplier 1
 !
!
vpn 0
 interface ge0/1
  nat
  tracker dia
 !
!

• Tracking enables you to respond to the reachability status over the WAN
• When the tracking destination is not reachable, the NAT route gets removed from the routing table and traffic falls back to the overlay default routes
• The tracker uses an HTTP probe, so the endpoint must answer HTTP; choose one whose availability genuinely represents Internet reachability
Cisco SD-WAN
Application Aware Routing
Policies

Application Aware Routing
• Enforce an SLA compliant path for applications of interest
• Other applications will follow active/active behavior across all paths

Example (App Aware Routing Policy pushed from vManage to the vSmart controllers): App A path must have latency <150 ms and loss <2 %. Between two WAN Edges with IPsec tunnels over Internet, MPLS and 4G LTE:
• Path1: 10 ms, 0 % loss – SLA met
• Path2: 200 ms, 3 % loss – SLA not met
• Path3: 140 ms, 1 % loss – SLA met
App A is forwarded only over the SLA compliant paths.
Bidirectional Forwarding Detection (BFD)
• Each WAN Edge router generates a BFD packet every "hello" interval
• Path liveness and quality measurement detection protocol: up/down, loss/latency/jitter, IPsec tunnel MTU
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection; fully customizable per WAN Edge, per color
• Hello interval and multiplier determine how many BFD packets need to be lost to declare the IPsec tunnel down
• Multiplier = 7 by default (with the default 1000 ms hello interval, a tunnel is declared down after 7 s without BFD replies)
BFD - Transport SLA Monitoring
• Each WAN Edge router generates a BFD packet every "hello" interval for path quality
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• The poll interval determines the average path quality measurement (loss, latency, jitter) of one bucket
• The app-route multiplier (default 6) determines over how many poll intervals the average path quality is calculated
Brownout Detection - Algorithm
• Each bucket holds the loss, latency and jitter measured during one poll interval
• Mean = Avg. (B1 + B2 + B3 + B4 + B5 + B6); the mean is recalculated every time a bucket completes

Parameter                  Default       Configured by
# of buckets               6             bfd app-route multiplier
Bucket size                600,000 ms    bfd app-route poll-interval
Bucket update frequency    1000 ms       bfd hello-interval
App-route Policy Path Convergence

(Chart: latency in ms over Bucket 1 to Bucket 6, showing the SLA-class latency threshold, the actual latency and the mean latency.)

• The current mean latency is 20 ms when the latency jumps to 150 ms as Bucket 1 collection starts
• The mean only crosses the SLA threshold once enough buckets at the higher latency have been averaged in; with the default window of 6 buckets of 600,000 ms this takes tens of minutes, and shortening the poll interval or the app-route multiplier trades faster reaction for more noise
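Worked arithmetic for the BFD, SLA-monitoring and convergence slides above, as an added example that is not part of the deck: it computes the BFD tunnel-down time from hello interval and multiplier, models the bucket-and-mean computation of the brownout algorithm, and counts how many buckets pass before a path whose latency has stepped up stops meeting an SLA class. The defaults (hello 1000 ms, multiplier 7, poll-interval 600,000 ms, app-route multiplier 6) are the deck's; the 100 ms threshold and the 20 ms / 150 ms latencies are assumptions chosen to match the convergence chart, and the class and function names are mine.

```python
"""BFD detection time and app-route SLA arithmetic with the deck's defaults (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List


def bfd_detection_time_ms(hello_interval_ms: int = 1000, multiplier: int = 7) -> int:
    """The tunnel is declared down after `multiplier` consecutive hellos go unanswered."""
    return hello_interval_ms * multiplier


@dataclass(frozen=True)
class SlaClass:
    name: str
    latency_ms: float = float("inf")     # a threshold left unset never fails
    loss_pct: float = float("inf")
    jitter_ms: float = float("inf")

    def is_met(self, latency: float, loss: float, jitter: float) -> bool:
        return latency <= self.latency_ms and loss <= self.loss_pct and jitter <= self.jitter_ms


class AppRouteMonitor:
    """Sliding window of `multiplier` buckets; each bucket averages one poll interval of probes."""
    KEYS = ("latency", "loss", "jitter")

    def __init__(self, poll_interval_ms: int = 600_000, multiplier: int = 6, hello_interval_ms: int = 1000):
        self.poll_interval_ms = poll_interval_ms
        self.probes_per_bucket = poll_interval_ms // hello_interval_ms
        self.buckets: Deque[Dict[str, float]] = deque(maxlen=multiplier)
        self._current: List[Dict[str, float]] = []

    def probe(self, latency_ms: float, loss_pct: float = 0.0, jitter_ms: float = 0.0) -> None:
        """One BFD hello's measurement; a bucket completes every poll interval."""
        self._current.append({"latency": latency_ms, "loss": loss_pct, "jitter": jitter_ms})
        if len(self._current) == self.probes_per_bucket:
            self.buckets.append({k: sum(p[k] for p in self._current) / len(self._current) for k in self.KEYS})
            self._current = []

    def mean(self) -> Dict[str, float]:
        """Mean across the buckets currently in the window (recalculated per completed bucket)."""
        if not self.buckets:
            return dict.fromkeys(self.KEYS, 0.0)
        return {k: sum(b[k] for b in self.buckets) / len(self.buckets) for k in self.KEYS}

    def meets(self, sla: SlaClass) -> bool:
        m = self.mean()
        return sla.is_met(m["latency"], m["loss"], m["jitter"])


def buckets_until_violation(sla: SlaClass, steady_ms: float, new_ms: float, **monitor_kwargs) -> int:
    """Fill the window at steady_ms, step to new_ms, and count buckets until the SLA fails (0 if never)."""
    mon = AppRouteMonitor(**monitor_kwargs)
    window = mon.buckets.maxlen
    for _ in range(window * mon.probes_per_bucket):
        mon.probe(steady_ms)
    for n in range(1, window + 1):
        for _ in range(mon.probes_per_bucket):
            mon.probe(new_ms)
        if not mon.meets(sla):
            return n
    return 0


def time_to_violation_ms(sla: SlaClass, steady_ms: float, new_ms: float, **monitor_kwargs) -> int:
    """Wall-clock time before app-route moves the traffic off the degraded path."""
    n = buckets_until_violation(sla, steady_ms, new_ms, **monitor_kwargs)
    return n * monitor_kwargs.get("poll_interval_ms", 600_000)


if __name__ == "__main__":
    lab = SlaClass("lab-latency", latency_ms=100)     # assumed threshold for the chart
    print("BFD tunnel down after", bfd_detection_time_ms(), "ms")
    print("20 ms -> 150 ms with defaults:", buckets_until_violation(lab, 20, 150), "buckets,",
          time_to_violation_ms(lab, 20, 150) // 60_000, "min")
    print("same with poll-interval 120 s:",
          time_to_violation_ms(lab, 20, 150, poll_interval_ms=120_000) // 60_000, "min")
```

With the defaults the mean reaches (4 x 150 + 2 x 20) / 6 = 106.7 ms after the fourth bucket, so the 100 ms SLA is only violated 40 minutes after the jump; shrinking the poll interval keeps the same bucket count but cuts that to 8 minutes. Against the deck's sla-voice threshold of 150 ms the same jump never violates the class at all, which is worth checking before trusting a threshold that sits exactly on the expected degraded value.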
Application Aware Routing Policy Example
• Problem: Critical application traffic needs to take an SLA compliant path through the network to achieve better user quality of experience
• Solution: Deploy an Application Aware Routing policy for the critical application traffic

Policy Details (Site1 and Site2; the critical application follows the SLA path, the non-critical application any path):
• Define an SLA class with the acceptable SLA thresholds for loss, latency and jitter
• Apply the SLA class in the application aware routing policy matching on the application traffic of interest
• Bi-directionally apply the application aware routing policy in the VPNs of choice
Application Aware Routing Policy Example (Cont.)

policy
 lists
  app-list voice
   app-family audio_video
  !
  site-list spokes
   site-id 1-5
  !
  vpn-list vpn10
   vpn 10
  !
 !
 sla-class sla-voice
  latency 150
  loss 1
 !
 app-route-policy voice-priority
  vpn-list vpn10
   sequence 1
    match
     app-list voice
    !
    action
     sla-class sla-voice preferred-color mpls
    !
   !
  !
 !
!
apply-policy
 site-list spokes
  app-route-policy voice-priority
 !
!

An app-route policy takes no direction keyword: it is always applied from-service. preferred-color mpls keeps voice on the MPLS tunnel while it meets sla-voice (latency <= 150 ms, loss <= 1 %) and moves it to any other color that meets the SLA when MPLS does not.
Cisco SD-WAN
cFlowd Policy

cFlowd Policy Example
• Problem: Need to generate application traffic flow records for monitoring and visibility
• Solution: Deploy cFlowd flow export

Policy Details (data policy with cFlowd export at Site1 and Site2; Flow Collector in the Data Center, VPN1):
• Define a cFlowd template with the export destination IP address and TCP/UDP port
• Include cFlowd export in the data policy matching on the application traffic of interest
cFlowd Policy Configuration
• Create a Traffic Data Policy to match the traffic of interest.
• Create a Cflowd Policy to specify the collector information.
Lab Activity
• Lab 3: Implementing Data Policies
• Lab 4: Implementing Application Aware Routing
Cisco SD-WAN: Security Use-Cases
Traditional model
• Network: Centralized
• Security: Single place to enforce policies and protection
(Diagram: branch offices and roaming/mobile users reach the Internet through the HQ over an MPLS VPN, where the single security stack sits.)
Today's model
• Network: Decentralized (SD-WAN with DIA/DCA)
• Security: Protect at data center, cloud, and branch edge
(Diagram: branch office, HQ and roaming/mobile users reach Internet/SaaS directly.)
The Attack Surface
• Outside-in threats: exposed ingress points (SaaS, IaaS, Internet) as traffic is no longer backhauled to the data center. Today: NO SECURITY.
• Inside-out threats: users and devices request remote access to infrastructure and applications. Today: BASIC/NO SECURITY.
• Internal threats: campus, IoT, users (guests) and mobile devices on the SD-WAN fabric, the private data center and the branch. Traffic must be encrypted and access must be segmented end to end. Today: EXISTING SECURITY.
SD-WAN Exposes New Security Challenges
DIRECT INTERNET ACCESS EXPOSES INGRESS & EGRESS POINTS

External Threats
• Exposure to malware & phishing due to direct Internet and cloud access
• Data breaches
• Guest access liability

Internal Threats
• Untrusted access (malicious insider)
• Compliance (PCI, HIPAA, GDPR)
• Lateral movement (breach propagation)

(Diagram: SaaS/IaaS and the Internet with NO SECURITY at the branch edge; corporate users (guests), software and devices/IoT with BASIC/NO SECURITY; the data center keeps its existing security stack in the DMZ behind the WAN edge device.)
Challenges with Point-Solution Security
RIGHT SECURITY IN THE RIGHT PLACE

Option                      | PRO                                                | CON
Cloud Security ONLY         | Consistent user and device protection in all       | Lacks visibility and control over internal
                            | locations and scales on-demand                     | traffic and threats
On-Prem Security ONLY       | Visibility into all traffic and protects against   | Decrypting traffic for malware detection
                            | internal and external threats end-to-end           | increases the edge device footprint
Separate Cloud & On-Prem    | Best balance of security and user experience       | Complex & costly to deploy and manage using
Security                    | for direct internet access                         | different solutions or vendors

The Cisco integrated solution (Cisco SD-WAN Security on the WAN edge device plus the Cloud Security Service) eliminates these cons.
(Diagram: SaaS/IaaS, Internet, data center with the existing security stack in the DMZ, and a branch with a WAN edge device, a separate security appliance, Cisco SD-WAN Security and the Cloud Security Service.)
Cisco SD-WAN: On-prem. Security
Deployment Use Case - On-prem. Security
Use case: Cloud and DIA         Use case: Industry Compliance   Use case: Guest Services
• DNS/web layer security        • Firewall                      • Firewall
• Firewall                      • IPS                           • URL Filtering
• IPS                           • AMP/TG                        • DNS/web layer security
• AMP/TG

(Diagram: vManage manages the on-prem security on the SD-WAN edge; Direct Cloud Access to cloud applications; data center and colo applications are reached over the SD-WAN fabric, with a service chain available on demand; VPN1 carries employees, VPN2 carries guests.)
Enterprise Firewall App Aware
Ent. Firewall App Aware
• Stateful Firewall, Zone Policies
• Application Visibility and Granular control
• 1400+ layer 7 applications classified
• Allow or block traffic by application category or specific application
• Segmentation
• PCI compliance

(Diagram: an Edge Device with an Outside Zone facing the Internet/SaaS, an Inside Zone for users in Service-VPN 1 and a Guest Zone for devices in Service-VPN 2. The inspect policy allows only returning traffic from the Outside Zone and drops any new connections initiated there.)
Ent. Firewall App Aware: Intra-Zone Security
(Diagram: hosts in Zone1/VPN1 behind the WAN Edge at SD-WAN Site A talk to hosts in Zone1/VPN1 behind the WAN Edge at SD-WAN Site B across the SD-WAN fabric; the same zone on both ends.)
Action: D - Drop, I - Inspect, P - Pass
Ent. Firewall App Aware: Inter-Zone Security
(Diagram: at SD-WAN Site A the WAN Edge holds Zone1/VPN1 and Zone2/VPN2, with vSmart leaking routes between VPN1 and VPN2; hosts in Zone2/VPN2 at Site A reach hosts in Zone1/VPN1 at SD-WAN Site B across the SD-WAN fabric, so the traffic crosses a zone pair.)
Action: D - Drop, I - Inspect, P - Pass
Ent. Firewall App Aware Policy Building Blocks
• Source zone
• Destination zone
• Zone Pairs
• Zone-based firewall policy

Security Policy Configuration
vManage >> Configuration >> Security >> Add Security Policy
Ent. Firewall App Aware Policy Configuration
1. Create zones and zone-pairs by clicking on 'Apply Zone-Pairs'.
2. Create zones by selecting 'New Zone List' or select existing zones.
3. Configure sequence rules for the zone-pairs. Match options available:
   • Source Port / Destination Port
   • Source Data Prefix / Destination Data Prefix
   • Protocol
   • Application / Application-family list [AppFw]
4. Create a sequence rule by configuring a Match condition.
5. Choose the Action for the match condition: Pass, Inspect or Drop.
Configuration - Policy Summary
Make sure "Bypass firewall policy and allow all Internet traffic to/from VPN0" is unchecked.

Configuration - Device Template
Go to the Additional Templates section and choose the Security Policy Template.
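An added example (not from the deck and not Cisco code) that models the Pass, Inspect and Drop actions on zone pairs in Python, to make the point from the Ent. Firewall App Aware slide concrete: only an inspect rule creates the session state that lets return traffic from the Outside Zone back in, pass is stateless, and traffic for which no zone pair rule exists is dropped. The zone names, VPN numbers, addresses, the rule set and the first-match evaluation order are constructed for this demo.

```python
# Added example (not from the deck): a toy zone-based firewall that models the
# Pass / Inspect / Drop actions on zone pairs and why "inspect" is what lets
# return traffic back in. Zones, VPN numbers, addresses and rules are
# constructed for illustration; Cisco's matching order is not reproduced.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int, int]   # (proto, src_ip, dst_ip, src_port, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" | "inspect" | "drop"
    proto: Optional[str] = None         # None = any
    dst_port: Optional[int] = None
    app: Optional[str] = None           # stands in for an application/app-family list

    def matches(self, flow: Flow, app: Optional[str]) -> bool:
        return ((self.proto is None or self.proto == flow[0])
                and (self.dst_port is None or self.dst_port == flow[4])
                and (self.app is None or self.app == app))


def reverse(flow: Flow) -> Flow:
    proto, src, dst, sport, dport = flow
    return (proto, dst, src, dport, sport)


class ZoneFirewall:
    def __init__(self, zone_of_vpn: Dict[int, str], zone_pairs: Dict[Tuple[str, str], List[Rule]]):
        self.zone_of_vpn = zone_of_vpn      # service VPN -> zone (e.g. VPN1 -> inside)
        self.zone_pairs = zone_pairs        # (src zone, dst zone) -> ordered rules
        self.sessions: set = set()          # flows admitted by an "inspect" rule

    def handle(self, src_vpn: int, dst_vpn: int, flow: Flow, app: Optional[str] = None) -> str:
        """Verdict for one packet; first matching rule wins, unmatched zone-pair traffic is dropped."""
        # Continuation/return packets of an inspected session bypass the rule base.
        if flow in self.sessions or reverse(flow) in self.sessions:
            return "allow (existing inspected session)"
        pair = (self.zone_of_vpn[src_vpn], self.zone_of_vpn[dst_vpn])
        for rule in self.zone_pairs.get(pair, []):
            if rule.matches(flow, app):
                if rule.action == "inspect":
                    self.sessions.add(flow)          # state created: reverse flow now allowed
                    return "allow (inspect: session created)"
                if rule.action == "pass":
                    return "allow (pass: stateless, reverse flow needs its own rule)"
                return "drop (rule)"
        return "drop (no zone-pair rule)"


# Constructed topology: VPN1 = inside (users), VPN2 = guest (devices), VPN0 = outside.
ZONES = {1: "inside", 2: "guest", 0: "outside"}
PAIRS = {
    ("inside", "outside"): [Rule("inspect", proto="tcp", dst_port=443),
                            Rule("inspect", app="dns"),
                            Rule("drop")],
    ("guest", "outside"): [Rule("pass", proto="udp", dst_port=53),
                           Rule("inspect", proto="tcp", dst_port=80)],
    # no ("outside", "inside"), ("outside", "guest") or ("guest", "inside") pair: default drop
}


def run_demo() -> List[Tuple[str, str]]:
    fw = ZoneFirewall(ZONES, PAIRS)
    https = ("tcp", "10.1.1.10", "203.0.113.5", 51000, 443)
    guest_dns = ("udp", "10.2.2.20", "198.51.100.53", 40000, 53)
    return [
        ("inside -> Internet HTTPS", fw.handle(1, 0, https)),
        ("HTTPS reply", fw.handle(0, 1, reverse(https))),
        ("Internet -> inside new conn", fw.handle(0, 1, ("tcp", "203.0.113.5", "10.1.1.10", 443, 52000))),
        ("guest -> Internet DNS (pass)", fw.handle(2, 0, guest_dns)),
        ("DNS reply to guest", fw.handle(0, 2, reverse(guest_dns))),
        ("guest -> inside SMB", fw.handle(2, 1, ("tcp", "10.2.2.20", "10.1.1.10", 4000, 445))),
    ]


if __name__ == "__main__":
    for what, verdict in run_demo():
        print(f"{what:32s} {verdict}")
```

The "DNS reply to guest" row is the practical lesson: a pass rule lets the query out but gives the reply nothing to match, so UDP services behind a pass rule break unless the reverse direction is also permitted, which is why inspect is the normal choice for client-initiated traffic.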
Lab Activity
• Lab 5: Implementing Zone Based Enterprise Firewall
Intrusion Prevention (IPS/IDS)
• Snort IPS is the most widely deployed engine in the world
• Backed by global Threat Intelligence (Talos); signatures are updated automatically
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance
(Diagram: IPS runs as an on-site service on the WAN edge.)
Intrusion Prevention - Configuration Workflow
• Find the compatible Security App Hosting Image version
• Upload the Security App Hosting image to the Software Repository
• Create a Security Policy template
• Create a Security App Hosting Profile feature template
• Create a Device Template (specifying the Security Policy and Security App Hosting Profile templates)
• Attach the device template to one or more devices
Upload Security App Hosting Image
Intrusion Prevention - Policy Configuration
• Attach VPNs
• Choose a signature set (Connectivity/Balanced/Security)
• Choose a mode of operation (Detection/Protection)
• Choose a whitelist profile
• Choose an alert level for Syslog
• Configure logging (External)
• Configure fail-open/fail-close

Policy Configuration (Cont.)
• Choose a signature set (Connectivity/Balanced/Security).
• Choose a mode of operation (Detection/Protection).
• Choose a Signature Whitelist (optional).
• Choose an Alert Level for Syslog.

Security App Hosting Profile
Create a Security App Hosting feature template and select a Resource Profile for the UTD engine.

IPS/IDS Signature Update
• Specify the username and password to use for signature package download from CCO.
• Specify how often vManage should check for and download the signature packages.
URL-Filtering (URL-F)
• 82+ Web Categories with dynamic updates
• Block based on Web Reputation score
• Create custom Black and White Lists
• Customizable End-user notifications
(Diagram: requests for "risky" domains are first checked against the white/black lists of custom URLs, then blocked or allowed based on categories and reputation.)
URL-Filtering Policy Configuration
• Web categories
  • Allow
  • Block
• Web Reputation
• Whitelist URLs
• Blacklist URLs
• Block Page
  • Local block page
  • Redirect URL
• Alerts
• Attach VPNs
URL-F Policy Configuration
• Specify the Web Categories to Block or Allow.
• Specify the minimum permissible Web Reputation score (the lower threshold; requests to sites scoring below it are blocked).
• (Optional) Click on Advanced and specify the list of custom URLs to be whitelisted or blacklisted.
• (Optional) Specify the Block page server details (Block Page Content).
• (Optional) Specify the Block page server details (Redirect URL).
• (Optional) Specify when Syslog alerts should be generated (Whitelist/Blacklist/Reputation/Category).
Lab Activity
• Lab 6: Implementing Intrusion Prevention System and URL-Filtering
Advanced Malware Protection (AMP)
• Integration with AMP cloud
  • File reputation
  • File retrospection
• Integration with ThreatGrid cloud
  • File Analysis
• Backed with valuable Threat Intelligence (Talos)
(Diagram: the WAN edge checks the file signature against the AMP cloud over the Internet and can submit the file to the ThreatGrid malware sandbox.)
Advanced Malware Protection (AMP)
1. The Snort file pre-processor on the device identifies a file download.
2. The device computes the file's SHA256 and looks the hash up in its local cache.
3. If there is no cached disposition, the hash is sent to the AMP cloud.
4. The AMP cloud returns a disposition (malicious, unknown, clean).
Advanced Malware Protection and ThreatGrid (AMP & TG)
1. If the response from AMP is unknown, the WAN edge checks the file for active content.
2. If active content is found, and the configuration allows for export, the WAN edge sends the file to ThreatGrid for sandboxing.
3. The WAN edge queries ThreatGrid for a while and then queries AMP for retrospection.
4. ThreatGrid also updates the new status in the AMP cloud.
AMP Terminology
• File Reputation
File Reputation is the process in which a SHA256 is looked up against the AMP cloud to access threat intelligence information.

• File Analysis
File Analysis is the process of submitting a file that the AMP cloud has determined is DISP_UNKNOWN and ACTION_SEND to the ThreatGrid cloud for detonation in a sandbox. During the detonation, the sandbox will capture artifacts, observe behaviors, and give the sample an overall score of abnormal behaviors.

• Retrospection
Retrospection is the process of receiving a change in file reputation intelligence from ThreatGrid or from TALOS.
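The AMP and AMP & TG sequences above, modelled offline in Python as an added example (not the deck's and not Cisco's AMP/ThreatGrid code): hash the download, consult a local cache before the cloud, submit unknown files with active content to the sandbox, and handle a retrospective verdict change. The "cloud" is a constructed reputation table, the active-content check is a deliberately simple heuristic (PE/ELF headers, PDF JavaScript, Office VBA project), the sample files are constructed and harmless, and the local cache policy is an assumption.

```python
# Added example (not from the deck): the AMP file-disposition workflow above,
# modelled offline. The "cloud" is a constructed reputation table, the
# active-content check is a simplified heuristic, and the sandbox is a list
# of submitted hashes; none of this is Cisco's AMP/ThreatGrid code.
import hashlib
from typing import Dict, List, Optional, Tuple

MALICIOUS, CLEAN, UNKNOWN = "malicious", "clean", "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_active_content(data: bytes) -> bool:
    """Simplified stand-in for the 'active content' check: executables, PDFs
    carrying JavaScript/OpenAction, and Office files with a VBA project."""
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
        return True
    if data[:4] == b"%PDF" and (b"/JavaScript" in data or b"/OpenAction" in data):
        return True
    if data[:2] == b"PK" and b"vbaProject.bin" in data:    # OOXML with macros
        return True
    return False


class FileInspector:
    def __init__(self, cloud_reputation: Dict[str, str], allow_sandbox_export: bool = True):
        self.cloud = cloud_reputation           # constructed stand-in for the AMP cloud
        self.cache: Dict[str, str] = {}         # local SHA256 -> disposition (step 2)
        self.submitted: List[str] = []          # hashes sent to the sandbox
        self.allow_sandbox_export = allow_sandbox_export

    def reputation(self, digest: str) -> Tuple[str, str]:
        """Steps 2-4: local cache first, then the cloud; cache whatever the cloud said."""
        if digest in self.cache:
            return self.cache[digest], "cache"
        disposition = self.cloud.get(digest, UNKNOWN)
        self.cache[digest] = disposition
        return disposition, "cloud"

    def handle_download(self, data: bytes) -> Dict[str, str]:
        digest = sha256(data)                   # steps 1-2: file seen, hash computed
        disposition, source = self.reputation(digest)
        verdict = "block" if disposition == MALICIOUS else "allow"
        # AMP & TG steps 1-2: unknown + active content + export permitted -> sandbox
        if (disposition == UNKNOWN and has_active_content(data)
                and self.allow_sandbox_export and digest not in self.submitted):
            self.submitted.append(digest)
        return {"sha256": digest, "disposition": disposition, "source": source, "verdict": verdict}

    def retrospective_update(self, digest: str, new_disposition: str) -> Optional[str]:
        """Retrospection: the sandbox/Talos changed the verdict; refresh the local cache
        so the next download of the same file is handled from the updated entry."""
        previous = self.cache.get(digest)
        self.cache[digest] = new_disposition
        return previous


# Constructed sample files (not real malware): a PE stub, a PDF with JavaScript, plain text.
SAMPLE_PE = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64
SAMPLE_PDF_JS = b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
SAMPLE_TXT = b"quarterly numbers, nothing to see here\n"
# Constructed AMP "cloud": the PE is known bad, the text file known good, the PDF unknown.
CLOUD = {sha256(SAMPLE_PE): MALICIOUS, sha256(SAMPLE_TXT): CLEAN}

if __name__ == "__main__":
    amp = FileInspector(CLOUD)
    for f in (SAMPLE_PE, SAMPLE_PE, SAMPLE_PDF_JS, SAMPLE_TXT):
        print(amp.handle_download(f))
    amp.retrospective_update(sha256(SAMPLE_PDF_JS), MALICIOUS)   # sandbox came back "bad"
    print(amp.handle_download(SAMPLE_PDF_JS))
```

Note that the unknown PDF is allowed through on first sight; the sandbox verdict only affects later downloads (and, in the real product, the retrospective event), which is the trade-off behind the "allow unknown, analyse in the background" design.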
vManage - AMP/TG Policy Configuration
AMP and TG configuration is available in the same security policy configuration tab.

vManage - Threat Grid API Key Configuration
UTD Integration with TLS/SSL Proxy

TLS/SSL Proxy
• Selectively proxy and decrypt TLS flows based on L3/L7 rules
• Enables deep packet inspection by the UTD features (IPS, URL-F and AMP)
• Real-time traffic analysis
(Diagram: IPS, URL-F and AMP run as on-site services behind the proxy.)
TLS/SSL Decryption (MiTM Proxy) - Solution Overview
Why do you need it?
• More apps/data cloud hosted
• Internet going dark: >80% of Internet traffic is encrypted
• Lack of security control
• Malware hidden in encrypted traffic

How does it work?
• URL request intercepted
• Server certificate checked
• Proxy re-signs the server certificate
• User traffic redirected via the proxy
• Decrypt and inspect
• Re-encrypt and send

What does it do?
• Proxy runs a certificate signing authority
• Re-signs the server certificate
• Redirects traffic through the security stack
• Enforces security control
• Inspects for malware

(Diagram: Employee 1 and Employee 2 behind the edge router; HQ-destined traffic to data centre applications and employee Internet traffic enter on G0/0/1 and leave on G0/0/0; inside the router the flow is seen in clear text between the two TLS sessions.)
Configuration Workflow
• NTP configuration to sync the clock across devices (including the controllers)
• Configure a certificate authority (CA) for the TLS proxy:
  • Enterprise CA configuration
  • Enterprise CA with SCEP configuration
  • vManage as CA configuration
  • vManage as Intermediate CA configuration
• Security Policy configuration
Comparison between CA options

Enterprise CA configuration
  Benefits: Certificates can be revoked and tracked through your own CA.
  Limitations: Manual certificate deployment is required for the TLS proxy; requires manual re-issuance of expired proxy certificates.

Enterprise CA with SCEP configuration
  Benefits: Certificate deployment to the TLS proxy can be automated.
  Limitations: Offers limited visibility through Cisco vManage.

vManage as CA configuration
  Benefits: Certificate deployment to proxy devices is automated; certificates are reissued and revalidated before they expire.
  Limitations: The Cisco vManage certificate needs to be pushed to the client trust store.

vManage as Intermediate CA configuration
  Benefits: Certificate deployment to proxy devices is automated; certificates are reissued and revalidated before they expire; no other certificates, besides your enterprise CA certificate, need to be pushed to your client trust store.
  Limitations: Requires manual deployment; maintaining two CAs causes administrative overload; deployment can be complex if your network has multiple Cisco vManage controllers for clustering or redundancy.
Configuring CA for TLS Proxy - Using Enterprise CA w/o SCEP

Enterprise CA - Solution Overview
(Diagram: the Enterprise CA signs the IOS PKI Sub CA on the WAN edge, managed by the vManage CERT Manager. The client's Client Hello terminates on the proxy server, which presents a proxy certificate; the proxy client opens a second SSL session to the real server, which presents the server certificate.)
Enterprise CA - Configuration
For demonstration purposes, a Microsoft CA server is used.
Prerequisite: The CA server and the devices requesting certificates must be in time sync.

Step 1: From the vManage homepage select Configuration -> TLS/SSL Proxy.
Step 2: Select the Enterprise CA option (with SCEP or without SCEP). Without SCEP the flow is:
  1. Automatically download the CSR generated for your device
  2. Get it signed by your CA
  3. Automatically upload the signed certificate back to the device
Step 3: Get the CA certificate from the CA server.
Note: Make sure you download the CA certificate in PEM format.
Step 4: Upload the CA certificate in PEM format and save the configured certificate authority.
Step 5: Once this is done, you can configure a Security Policy.
Security Policy Configuration (Cont.)
• Step 5.1: Select Configuration -> Security.
• Step 5.2: Create a new security policy or use one of the already configured ones.
• Step 5.3: Navigate to the TLS/SSL Decryption tab. Click Add SSL Policy.
Note: Either IPS, URL-F or AMP needs to be configured to be able to create a Security Policy with TLS/SSL Decryption.
• Step 5.4: Enable SSL Decryption and provide a policy name.
• Step 5.5: Click on Add Rule under the Network tab for network-based decryption rules.
• Step 5.6: Provide a Rule Name and the corresponding Action.
• Step 5.7: Provide the network-based decryption rule details (Source VPNs, Networks, ...).
• Step 5.8: Under the Applications tab, decryption can be limited based on a defined app-list.
• Step 5.9: Click on Add Rule under the URLs tab to create domain-based decryption rules.
• Step 5.10: Provide a Rule Name and details like Source VPN and TLS/SSL Profile.
• Step 5.11: Create a new TLS/SSL Profile for the corresponding VPN.
• Step 5.12: Specify the domain categories under the various actions and save the TLS/SSL profile.
Configuring CA for TLS Proxy - Using vManage as CA

vManage as CA - Solution Overview
(Diagram: vManage acts as the root CA and signs the IOS PKI Sub CA on the WAN edge through the CERT Manager; the proxy server terminates the client session with a proxy certificate and the proxy client opens a second SSL session to the real server.)
vManage as CA - Configuration
Step 1: Select the vManage as CA option.
Step 2: Fill in the fields and select the validity of the CA certificate. Click Save CA.
Step 4: Download the generated root certificate and import it into the clients' trust store as a root CA.
Step 5: Configure the Security policy as described in the previous section.
Step 6: Attach the configured security policy to the template. Once deployed, certificates will be configured automatically.
Step 7: To revoke or renew the certificate, go to Configuration -> Certificates -> TLS Proxy tab.
Configuring CA for TLS Proxy - Using vManage as Intermediate CA

vManage as Intermediate CA - Solution Overview
(Diagram: during the initial SSL configuration vManage requests an intermediate CA certificate from the Enterprise CA and receives the signed CA certificate; vManage then signs the IOS PKI Sub CA on the WAN edge through the CERT Manager; the proxy server terminates the client session with a proxy certificate and the proxy client opens a second SSL session to the real server.)
vManage as Intermediate CA - Configuration
Step 1: Select vManage as CA and tick the Set vManage as Intermediate CA checkbox.
Step 2: Paste the content of the PEM-encoded CA certificate file.
Step 3: In the Generate CSR tab, update the fields with the desired values and click on Generate CSR.
Step 4: Copy/download this CSR and get it signed by the CA server.
Step 5: Click on Next to go to the Intermediate Certificate tab, paste the signed certificate and click the Upload button.
Step 6: Click the Save Authority button.
Step 7: Once this is done, configure the Security Policy.
Step 8: Attach the configured security policy to the template. Once deployed, certificates will be configured.
Step 9: To revoke or renew the certificate, go to Configuration -> Certificates -> TLS Proxy tab.
Lab Activity
• Lab 7: Implementing Advanced Malware Protection
• Lab 8: UTD Integration with SSL Proxy
Secure Access Service Edge (SASE)

"The enterprise perimeter is no longer a location; it is a set of dynamic edge capabilities delivered when needed as a service from the cloud."
Gartner, The Future of Network Security is in the Cloud
Historic traffic flows
Led to the age of perimeter-based security and networking
• Network: Centralized
• Security: Single, on-prem. security stack
• Traffic (branch offices and roaming/mobile): Internal 80%, Internet 20%
(Diagram: branch offices and roaming/mobile users reach the Internet through the HQ security stack over the MPLS VPN.)
Changes in the types of traffic and destinations
Have inverted the traffic model
• Traffic (branch offices and roaming/mobile): Internal 20%, Internet 80% (SaaS, IaaS, private cloud, browsing)
• Problems: Cost, Performance
(Diagram: the HQ security stack, reached over the MPLS VPN, becomes the bottleneck for Internet-bound traffic.)
A more modern approach
• Network: Optimized routing from anywhere to the cloud (SD-WAN with DIA/DCA)
• Security: Enforced at the cloud edge
(Diagram: branch offices, HQ and roaming/mobile users connect directly to Internet/SaaS.)
SASE Starts with Security but Includes More
• Connectivity: LAN/WLAN, SD-WAN, remote access
• Security: Wireless encryption, Segmentation, DNS Security, SWG, FW, CASB
• Identity: Zero trust for the workforce and workplace
Across all three: Visibility, policy and integration
Cisco SASE - Connect, Control and Converge
• Connect: Cisco LAN/WLAN + SD-WAN
• Control: Cisco Umbrella cloud-delivered DNS Security, SWG, FW, CASB
• Converge: Connect and Control delivered together
Cisco Umbrella: DNS-layer Security
Where Does Umbrella Fit?
First line of defense against malware, C2 callbacks and phishing, ahead of the network and endpoint controls (NGFW, proxy, sandbox, Netflow and IP connection, router/UTM, endpoint AV) at HQ, branch and roaming:
• It all starts with DNS
• Precedes file execution and IP connection
• Used by all devices
• Port agnostic
Cisco Umbrella Evolution
• 2009: OpenDNS for Business (DNS resolution)
• 2012: Umbrella enterprise internet security (DNS + Security)
• 2015: Cisco acquisition
• 2020: Cisco Umbrella adds security functionality (set of security services integrated in the cloud: SIG)
• 2020: Cisco Umbrella adds SWG, CDFW, and CASB functionality plus SD-WAN integration (multi-function security and SD-WAN: SASE)
It all Starts with DNS
(Diagram: traffic redirection by DNS policy; DNS-based redirection sends requests through the Umbrella resolvers to the Internet, or through the selective proxy.)
DNS-layer Security
• Safe request: Umbrella resolves the DNS query, returning the IP of the requested domain.
• Malicious request: Umbrella replies with the IP of the block page.
• Risky request: Umbrella replies with the IP of the selective proxy for further inspection.
DNS-layer Security - Workflow
(Diagram: (1) the WAN Edge forwards the client's DNS request to Cisco Umbrella; (4) Umbrella returns the DNS response; (5) for a safe request the client then fetches the approved content from the web servers on the Internet, while a blocked request is answered with the block page.)
Content Filtering
DNS-layer Security vs. URL Filtering

DNS Security                                                | URL Filtering
Looks only at DNS packets.                                  | Looks within the HTTP packet.
Detailed monitoring and reporting available within the      | Can whitelist/blacklist sub-domains.
Umbrella portal (time, IP address, user ID, destination,    | No reporting/visibility.
etc.)                                                       |
Refers to an internal database to decide whether a domain   | Reputation score
is good/bad/unknown                                         |
Cloud                                                       | On-prem.
No additional memory required                               | 8GB or 16GB memory (if the URL-F database needs to be on the box)
Cisco product                                               | Via Brightcloud/Webroot
• Comes with Umbrella at DNA-E/A (no enforcement, only      | • Comes with DNA Advantage
  monitoring)                                               | • Comes as part of the embedded security in an IOS XE
• Enforcement with Umbrella SIG Essentials in DNA-P         |   SD-WAN Cisco router with 8GB memory
DNS-layer Integration - Configuration steps
1. Generate and retrieve the API key/secret from the Umbrella dashboard.
2. Create a security policy template for Umbrella DNS Security.
3. Create a device template that includes the security policy template.
4. Attach the device template to the device.
Step 1: Which API key to use
• Automated EDNS (DNS) provisioning: Umbrella Network Device API
• Automated SIG tunnel provisioning: Umbrella Management API (Tunnel API)
DNS-layer Integration - Configuration Workflow
• Generate and copy the Network Devices API key/secret from the Umbrella dashboard.
• Locate and save the Org ID from the Umbrella URL.
• In vManage, navigate to Configuration -> Security -> Custom Options -> Umbrella Registration.
• Populate your Org ID + registration key/secret values. Click the Get Keys button to retrieve the Umbrella registration parameters automatically (Smart Account needed).
• Add Security Policy -> Custom -> Add/Modify DNS Security Policy.
• Specify the Target VPNs and optionally define a Local Domain Bypass List. The Umbrella Registration API token can be managed later from the global settings.
• The DNSCrypt option encrypts the DNS traffic, which carries the EDNS (Device ID and Client IP) data.
• Deploy the defined security policy on the edge devices using a device configuration template.
196
DNS-layer Integration - Verification
• Verify successful Umbrella integration by navigating to Monitor -> Network -> {select a device} -> Real Time -> Umbrella Device Registration.
• You can verify the DNS redirect to the Umbrella DNS servers by navigating to welcome.opendns.com on a client.

DNS-layer Integration - Monitoring
• Navigate to Monitor -> Network -> {select a device} -> Security Monitoring -> Umbrella DNS Redirect.
• Two tabs: DNS Re-direct count and Local Domain Bypass count.
Umbrella - DNS Policy Overview
• In Umbrella, navigate to Deployments -> Core Identities -> Network Devices.
• The system default policy is deployed automatically on all devices.
• Once the client starts sending DNS queries, the device becomes active.
Umbrella – DNS Policy Configuration
• Navigate to Policies -> Management -> DNS Policies and click Add.

Policies are sorted by the Order of Enforcement.

The Default policy is automatically applied to all identities.

When the DNS Policies page opens for the first time, it only lists the Default policy, which should be configured as your policy of last resort.

Umbrella – Set up a Policy Wizard
• Select the Policy wizard components you'd like enabled and determine how Umbrella will block
threats.

The options you choose here determine which steps of the Policy wizard become available for configuration.

However, selecting an option here does not necessarily activate that feature, as some features require additional configuration steps.

Umbrella – Set up a Policy Wizard
• Select the identities you wish to apply this policy to.

Umbrella – Configure the policy
• A progress bar appears listing the step you are on and the number of steps remaining until you've fully
configured the policy.

The steps available here are determined by the choices you made in step one, Set up the Policy Wizard.

Umbrella – Configure Security Settings
• Click Add New Setting. Define Name Setting and click Create.

Note: A grey shield indicates that the item is not selected.

Umbrella – Configure Security Settings (Cont.)
• Define categories to be blocked.

Security settings determine which categories of security threats Umbrella blocks.

Umbrella – Limit Content Access
• Content Categories organize websites into categories based on the type of information served by the site. Select the appropriate one or define a custom one.

The High, Moderate, and Low levels propagate upward.

Umbrella – Configure Application Settings
• Select applications you'd like to block identities from accessing. Create a new Application list.

If an application should override a block, then change the block action to allow.

Note: You must enable SSL Decryption in order for Application filtering to work. If not already done, you must also download and install the Cisco Umbrella root certificate.

Umbrella – Configure Destination Lists
• Destination lists control identity access (allow / block) to specific internet destinations. Destinations
supported are:
• Blocked – Domains and URLs. For URLs, you must also enable the intelligent proxy, SSL decryption and install
the Cisco Umbrella root certificate.
• Allowed - Domain, IP address (IPv4), or CIDR.

Click Upload to bulk upload destinations through a text file.

Umbrella – Configure File Analysis
• When enabled, Umbrella inspects inbound files for malware using anti-virus signatures and AMP file
reputation before the files are downloaded. Enable File Inspection.

Umbrella – Configure Block Page Settings
• Block Page settings let you set the appearance of the block page that displays when a request is
made to access a web page that is blocked by policy settings.

You can customize the block page's appearance and redirect blocked identities to a custom domain.

Bypass users and bypass codes let you set up a mechanism that allows identities access to blocked destinations.

Note: Not all categories can be bypassed. If access is blocked for a Security or Malware category, the site is considered malicious and should not be accessed under any circumstances.

Umbrella – Configure Block Page Settings (Cont.)
Add a Bypass User
• A bypass user can bypass block pages by authenticating against the block page.

A user must have an Admin Account to be added to a policy as a bypass user.

Note: Not all categories can be bypassed. If access is blocked for a Security or Malware category, the site is considered malicious and should not be accessed under any circumstances.

Umbrella – Review and save your policy
• The last step of the Policy wizard is the Policy Summary page, which lists the policy's current
configuration. Review it and click Save.

A saved policy can later be edited or disabled.

Note: Once the DNS policy is saved, it may take upwards of five minutes for the policy to replicate through Umbrella's global infrastructure and start taking effect.

Umbrella – Enable Advanced Settings
SSL Decryption, IP-Layer Enforcement, SafeSearch,…
• Once the configured policy is saved, click on the dropdown icon on the far right to expand advanced
configuration possibilities.

Click the dropdown option to enable Advanced Settings.

Umbrella – Enable Advanced Settings (Cont.)
SSL Decryption
• Allows the intelligent proxy to inspect traffic over HTTPS and block custom URLs in destination lists.

Prerequisite: The intelligent proxy must be enabled.

Download and install the Cisco Umbrella root certificate on all computers integrated with this policy.

Selective decryption allows us to configure a list of content categories excluded from inspection by the intelligent proxy.

Note: SSL Decryption is required to block applications.

Umbrella – Enable Advanced Settings (Cont.)
Logging Possibilities
• The logging of your identities' activities is set per-policy when you first create a policy. By default, logging
is enabled and set to log all requests for all identities.

Logging options:
• Full logging, whether for content, security or otherwise.
• Security logging only, which gives your users more privacy.
• All logging disabled.

Note: Umbrella logs are CSV formatted, compressed (gzip), and saved every ten minutes.

DNS Policy Tester

Activity Search

Lab Activity
• Lab 9: Implementing DNS Security with Cisco Umbrella

Cisco Umbrella
Secure Internet Gateway (SIG)

Connection Methods

Enforcement that works together
• DNS-layer security: first check for domains associated with malware
• Cloud-delivered firewall (CDFW): next check for IP, port, and protocol rules
• Secure web gateway (SWG): final check of all web traffic for malware and policy violations

Diagram: SD-WAN devices on the network send traffic through Umbrella (DNS, CDFW, SWG) toward the Internet/SaaS; labels: NAT, Port 21, 80/443, "DNS, CDFW, and SWG blocks".

Simple tunnel creation
Umbrella Auto-Tunnel

Without automation, customers need to manually establish a tunnel for each WAN edge device at the branch.

This integration enables customers to:
• Easily set up IPsec tunnels to Umbrella
• Quickly deploy integrated security across thousands of branches

Diagram: Device Edge -> IPsec tunnel -> Umbrella -> Internet.

Policy Outcome Flow

• DNS policies are evaluated first
• CDFW evaluates anything not blocked by DNS
• Any 80/443 traffic is sent to SWG (unless blocked in firewall policy)
• SWG evaluates 80/443 traffic not blocked by DNS and CDFW

Policies
DNS blocks: domains in a Destination List
CDFW allows: port 80/443

Outcome
1. DNS policy evaluated
2. DNS returns IP of the block page
3. CDFW blocks connection

Diagram: SD-WAN on/off network devices -> Umbrella Cloud (DNS, CDFW, SWG) -> NAT -> Internet; the query for the blocked site (1) is answered with the block page IP (2), and the connection toward the blocked site IP is blocked by CDFW (3).

Policies
DNS allows: domains in a Destination List
CDFW blocks: a range of suspicious IPs, including one matching a domain in the DNS Destination List

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. Request for site IP evaluated by CDFW
4. CDFW blocks connections
5. CDFW blocks connection

Diagram: SD-WAN on/off network devices -> Umbrella Cloud (DNS, CDFW, SWG) -> NAT -> Internet; the allowed domain in the destination list (1) resolves to 172.2.2.2 (2), the request for that IP (3) is evaluated by CDFW and blocked (4).

Policies
DNS allows: Destination List, some sites matching Shopping
CDFW allows: all 80/443 and port 21
SWG allows/blocks: Shopping

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. CDFW policy evaluated, any 80/443 request sent to SWG
4. SWG blocks or allows request
5. SWG allows/blocks Shopping

Diagram: SD-WAN on/off network devices -> Umbrella Cloud (DNS, CDFW, SWG) -> NAT -> Internet; the shopping site (1) resolves to its destination IP (2), CDFW passes ports 80/443/21 (3a/3b), and SWG returns an allow (4a) or a block (4b).

Policies - Non-HTTP Policy Verdict
DNS allows: domains in a Destination List, some sites matching Shopping
CDFW allows: all 80/443 and port 21
SWG allows/blocks: Shopping

Outcome
1. DNS policy evaluated
2. Destination IP(s) returned
3. CDFW policy evaluated, any 80/443 request sent to SWG, any port 21 request sent direct
4. CDFW allows port 21
5. SWG allows/blocks Shopping

Diagram: SD-WAN on/off network devices -> Umbrella Cloud (DNS, CDFW, SWG) -> NAT -> Internet; the shopping site (1) resolves to its destination IP (2), CDFW passes ports 80/443/21 (3a/3b), port 21 is allowed by CDFW without SWG involvement, and SWG returns an allow (4a) or a block (4b) for 80/443.

SIG – Configuration Workflow
• Umbrella can be seamlessly integrated into Cisco SD-WAN using feature and device templates in
vManage.
• Generate an API secret/key pair from the Umbrella dashboard.
• Locate and save the ORG ID from the Umbrella URL.

SIG – Configuration Workflow (Cont.)
• Optionally add your Smart Account credentials to vManage to enable automatic retrieval of Umbrella
Organization ID, (Registration) API Key, and Secret.

SIG – Configuration Workflow (Cont.)
• Configure a Cisco SIG Credentials feature template (either manually enter the Umbrella Organization
ID, Registration Key, and Secret values or use the ‘Get Keys’ button if you have connected your Cisco
Smart Account)

Optional: Auto Registration

SIG – Configuration Workflow (Cont.)
• Configure a Cisco Secure Internet Gateway (SIG) feature template.
Define IPsec tunnels and set the IKEv2/IPsec parameters.

Auto Tunnel

SIG – Configuration Workflow (Cont.)
• Identify High Availability Pairs.

HA Pairs

20.4

Weighted Load-Balancing ECMP

Use case
As a network admin, I require ECMP tunnel load-balancing to Umbrella for my large campus locations.

Feature
Load balancing is done by flow pinning, where a flow is dictated by hashing the 4-tuple: Source IP + Destination IP + Source Port + Destination Port.

Diagram: vManage and a branch with two IPsec tunnels to Cisco Umbrella, ECMP load-balancing 1:1.

SIG – Configuration Workflow (Cont.)
• Add a Service Route that will redirect all traffic in the VPN to SIG.

20.4

Policy Based Routing to Cisco Umbrella

Use case
As a network admin, I want only certain app traffic from Branch 1 routed to Umbrella and all traffic from Branch 2; this allows me to optimize my WAN capacity.

Feature
• Offers customers flexibility to select which applications send traffic to Umbrella
• Customers can limit which types of traffic are routed through Umbrella according to their preferences
• Leverage DPI for app-classification within Data policy

Diagram: Branch 1 sends only selected apps (O365, Github, Google Services) over IPsec to Cisco Umbrella; Branch 2 sends all traffic over IPsec.

SIG – Configuration Workflow (Cont.)
• Create a Data Policy and selectively match traffic of interest that you would like to send to SIG.

SIG – Configuration Workflow (Cont.)
• Attach the feature templates to the device templates you wish to deploy the Umbrella SIG on.

SIG – Configuration Workflow (Cont.)
• Confirm in the Umbrella Dashboard that your tunnels are active.

• You are now ready to begin configuring your SIG Cloud FW/SWG security policy!

SIG High Availability and
Redundancy

Failover Conditions
Data center (DC) Issues
• There are situations when the Umbrella service itself experiences issues.
• In this case, there are multiple instances in each DC to handle customer traffic.
• If the entire DC has issues, it is taken out automatically and another DC in the same region starts serving the old DC's IP address.
• Tunnels move from the old DC to a new DC.

Availability
• 99.9% guaranteed uptime; hybrid Anycast is used for availability.

Diagram: corporate data center, small/home office, Waltham office and SF office connected to Umbrella DC 1 and DC 2 (steps 1-3).

IPSec Tunnel Data Center Failover
• Data centers divided into regions
• Regions have defined DR sites

Region Code | Site                             | Failover (DR) Location
US-1        | Los Angeles, CA & Palo Alto, CA  | Dallas, TX
US-2        | New York, NY & Ashburn, VA       | Dallas, TX
EU-1        | London, UK & Frankfurt, DE       | Amsterdam, NL
AS-1        | Singapore, SG & Tokyo, JP        | Hong Kong / Tokyo
AU-1        | Sydney, AU & Melbourne, AU       | Hong Kong / Tokyo

Tunnel Capacity and Failover Example:
Data Center Region code US-1

IPSEC Capacity
• >250 Mbps/tunnel in each direction (IMIX) with ongoing development to increase capacity
• Multiple tunnels can be deployed to support higher capacity

Availability
• Hard code primary and secondary
• DR Site used only if region failure
• Using anycast and IKE DPD dynamic failover, no configuration required

Diagram: branch with tunnels to Los Angeles (146.112.67.8, primary) and Palo Alto (146.112.66.8, secondary); in case of primary failure the secondary DC in the same region is used; the DR site Dallas, TX is used automatically on region failure.

20.4

Increased throughput capabilities
Support for up to 4 active tunnels with ECMP

Use case
As a network admin, I need to pass 1Gbps of traffic to Umbrella SIG to maintain application performance.

Feature
• Cisco SD-WAN vManage auto-templates allow up to 4 active IPsec tunnels (each operating at 250Mbps)
• Cisco SD-WAN ECMP load-balances traffic between IPsec tunnels

Diagram: vManage and a branch with four 250Mbps IPsec tunnels to Cisco Umbrella, 1Gbps aggregate from a single device.

20.5

Manual Data Center Selection


Regional Compliance Requirements

Use case
• As a security admin, I need to make sure our security architecture complies with the regional compliance requirements.
• Our regional branches in APJC/Europe require that the cloud data center be hosted within a particular region/country.

Feature
• Starting with the 20.5 release, vManage provides the flexibility for customers to select the Umbrella data center of their choice.
• Drop-down list with a pre-populated list of Umbrella DCs a customer can pick to meet their regional compliance.
• Flexibility to auto-select the closest data centers as a default option or manually select the data centers of your choice.

Cloud-delivered Firewall
(CDFW)

Cloud-delivered Firewall (CDFW)
• Provides firewall functionality at the cloud edge
• Protection at the first hop for DIA branch offices and guest networks
• Ability to enforce beyond DNS across all ports and protocols
• Guest Network gets NAT'd behind a Cisco IP address in the cloud rather than the enterprise's IP

Diagram: SD-WAN on/off network devices -> IPsec tunnel (example source IP: 70.149.x.x) -> Umbrella Cloud (CDFW, with HTTP/S continuing to SWG) -> NAT -> Internet (source IP: 146.112.x.x, Umbrella).

Outbound Firewall Functionality

Use cases
Inbound: VPN, branch to branch, WAF, IDS/IPS
Outbound: access control, security features, DLP, compliance, proxy features

Diagram: inbound vs outbound relative to the Internet.

Firewall Policy

• Order of operation is the same as with an ACL

Firewall Policy Rule

Firewall Policy Rule (Cont.)

L7 NBAR2 Based Capability
Use-case: blocking of non-HTTP/S applications

Example:
• Customer needs to block Tor
• While DNS helps, Tor doesn’t always send DNS queries
• SWG cannot intercept as traffic is not HTTP/S
• L7 Firewall provides coverage here

Application Visibility and Control (AVC)

DNS-layer security
• Visibility into cloud apps used in organization
• Identify potential risk and block specific apps (16K apps discoverable)

Secure web gateway
Granular control of web apps over HTTP/S (ports 80/443):
• Block uploads to cloud storage apps
• Block posts/shares to social media apps
• Block attachments to webmail apps
• Tenant restrictions

Cloud-delivered firewall
• Layer 7 Application Visibility and Control
• Extends visibility, protection, control to:
  - Non-web (non-HTTP/S) traffic
  - Apps that use hard-coded IP addresses and do not perform DNS lookup
  - Apps where signature-based detection (not based on IP, domain, URL) is required to detect and block

Activity Search Reporting

Secure Web Gateway (SWG)

Don’t we already do this with DNS?

• The difference is “URL” filtering

• Anatomy of a URL

  protocol | subdomain | domain name | port | path | query (parameters) | fragment

  https://video.google.co.uk:80/videoplay?docid=-7246927612831078230&hl=en#00h02m30s

• Umbrella DNS is limited to filtering by domain

HTTPS Inspection

• Most of the web is now HTTPS


• What is visible in HTTPS without inspection?
• Server Name Indication (SNI)
• Source and destination IP addresses
• Server FQDN (from the server’s certificate)
• No URL visibility in HTTPS without inspection

HTTPS traffic and URL visibility requirements

• URL category blocking


• Full URL visibility/reporting
• Granular app control
• AV scanning, file reputation and sandboxing
• Block page rendering
• Basically anything that can’t be accomplished
at the DNS layer

HTTPS Inspection

• Visibility and a set of security measures for the increased amount of encrypted web traffic
• Decryption, reporting and inspection for encrypted web traffic and files
• No hardware expense
• No scaling issues as encrypted Internet traffic increases
• Ability to selectively decrypt

Secure Web Gateway (SWG)
• Category or URL filtering for content control
• App visibility and granular controls
• Full or selective SSL decryption
• File type controls
• Anti-virus and AMP malware scanning

Diagram: on/off network devices reach Umbrella SWG via IPsec tunnel, AnyConnect, PAC files or proxy chaining, and from there the Internet/SaaS; SaaS apps (e.g. O365) can go direct.

Web Policy

Web policy components: Rules, Rulesets, Ruleset Settings.

Content Control

• Content categories are used for "acceptable use policies"
• Security categories are used for security policies
• Umbrella SWG uses Talos categories for both content and security
• Over 100+ categories
• Dynamic cloud updates

Granular App Control

• Block posts/shares to social media apps
• Block attachments to webmail apps
• Block uploads to cloud storage, collaboration, office productivity, content management, and media apps

Diagram: user <-> partner's cloud storage; actions: Download, Upload.

Granular App Control (Cont.)

File Type Control
• Blocking file downloads by type
• File detection is based on a combination of
  - File extension
  - File signature
• Over 100 different file types supported, more being added
• Users get a block page for blocked extensions

File Type Control (Cont.)

File Analysis

Malware and virus protection

Threat Grid File Sandboxing

Full URL Tracking and Reporting

• Visibility for compliance, monitoring, and investigations
• Multiple views at the URL level by network, device, user, date
• See trends
• Monitor activities
• Investigate incidents

Activity Search for SWG

Cloud Access Security Broker
(CASB)

Cisco Secure CASB types

Out of band/API
Cloudlock
• User behavior monitoring/alerts
• Cloud storage policy enforcement
• DLP quarantine and revocation actions
• OAuth apps: visibility & control
Umbrella
• Data-at-rest cloud malware detection (LA)

Inline/proxy
Umbrella
• App visibility & blocking
• Advanced app control
  - Block uploads (i.e. Dropbox/Box)
  - Block attachments (i.e. webmail)
• Tenant controls
• Inline DLP (field trials)

Use-case: Protect use of cloud apps

Uncover shadow IT > Control usage of sanctioned apps & block risky ones > Secure access to cloud apps > Protect data and accounts

Cisco Cloud Access Security Broker (CASB)

• Addressing Shadow IT
• Cloud anti-malware, providing cloud
app data security
• Cloud DLP, providing cloud app
data protection

Addressing Shadow IT Challenges
Integrated technology from Cloudlock within Umbrella

View SaaS app activity > Understand risk info for apps > Block unapproved apps

App Discovery and Control
Visibility into shadow IT and control of cloud apps

• Full list of cloud apps in use
• Reports by category and risk level
• Number of users and amount of incoming and outgoing traffic
• Blocking of high risk categories or individual apps

App Discovery & Blocking - Workflow
1. Identify apps in App Discovery
2. Select the "Edit app controls" link under the app
3. Splash screen appears
4. Apply Application Settings to appropriate Policy

Tenant Controls
Select the instance(s) of Core SaaS applications that can be accessed by all users or by specific groups/individuals.

Example instances: cisco.com (Corp. instance), Deb Smith (Personal instance), Bob Jones (Personal instance).

Key Use Cases
• Security: ensure sensitive data is created and stored in approved instances of cloud apps
• Productivity: only provide access to corporate instances of core SaaS apps

Tenant Controls (Cont.)

• Limit access to approved Tenants within supported SaaS apps:
  - Microsoft O365
  - Google G Suite
  - Slack

Lab Activity
• Lab 10: Configure Umbrella SIG

Cisco SD-WAN
Application Quality of
Experience (AppQoE)

AppQoE = Application Quality of Experience
Main Goal: provide enhanced application experience in SD-WAN.

AppQoE is a set of SD-WAN features that address the following:
• Latency problems
• Packet loss on unreliable WAN links
• Bandwidth optimization

Implementing QoS
Data policy (vManage -> vSmart, control plane): classification of application traffic into QoS forwarding classes (queues).

Ingress interface: ACL match, ACL action / data policy (map into forwarding classes), policing (ACL action).
Egress interface: map into egress queue, QoS scheduler with policing, shaping, bandwidth %, buffer %, scheduling priority and drop.

Diagram: application traffic -> ingress interface (forwarding classes FC -> queues Q) -> egress interface (QoS scheduler) -> out.

Queuing
• Per-egress interface queuing
  - 8 queues
• Classification
  - 6-tuple or DPI
  - Local or central data policy
• Q0: Control traffic
  - DTLS/TLS, BFD, routing protocols
  - Not subjected to LLQ policer
• Q0: LLQ
  - Unused bandwidth is distributed between Q1-Q7
• Q1-Q7: Weighted Round Robin
  - Bandwidth percent determines queue weight
• Q1-Q7: Queue drop is RED or tail-drop
  - Linear drop probability, i.e. X% queue depth results in X% drop probability

Diagram: WAN Edge with ingress interface (classification) and egress interface queues Q0-Q7 (queuing).

Shaping
• Egress physical or sub-interfaces
  - Interface-level
• Conforming to shaping rate: Forward
  - There are tokens in the bucket
• Exceeding shaping rate: Queue
  - There are no tokens in the bucket
  - Weighted Round-Robin

Diagram: token bucket (rate, tokens) on the WAN Edge; ingress interface -> classification -> shaping -> queuing -> egress interface.

Policing
• Ingress and egress policing
  - Interface or sub-interface
• Classification
  - [Sub] interface, 6-tuple or DPI
  - Local or central data policy
• Conforming to policing rate: Forward
  - There are tokens in the bucket
• Exceeding policing rate: Drop/Remark
  - There are no tokens in the bucket
• Burst rate: Configurable
  - Token bucket depth

Diagram: token bucket (rate, tokens) on the WAN Edge; ingress interface -> classification -> policing -> queuing -> egress interface.

DSCP and COS (802.1p) Re-marking
• Comply with service provider provisioned classes of service
• (Optional) Original DSCP rewrite
  - Classification: 6-tuple or DPI
  - Action: Local or central data policy
• (Default) Original DSCP marking is copied to the outer DSCP marking
• (Optional) Egress outer DSCP rewrite
  - Re-write rules based on forwarding class mapping on ingress
• (Optional) Egress COS rewrite
  - Re-write rules based on forwarding class mapping on ingress

Diagram: the ingress interface classifies (6-tuple or DPI) and the action sets DSCP and maps into a forwarding class (FC); the original DSCP marking is copied into the outer DSCP marking; the egress interface modifies the outer DSCP and 802.1p COS with per-FC re-write rules.

Forward Error Correction (FEC)
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Operates per-tunnel
• Supports multiple transports
• Can be invoked dynamically
• Applied with data policy

Notes:
• Application traffic only, not BFD
• Parity packet matches the transport and DSCP value of the last packet in the block
• Only one packet out of 4 can be reconstructed
• The block size (fec-seq-sparse value) is set to 4 data packets and is not configurable

Diagram: the sender XORs data packets 1-4 into parity packet P (5-8 into the next block) and sends them with an FEC header over the SD-WAN tunnel; the receiver reconstructs a lost packet (3) from 1, 2, 4 and P.

FEC Modes
• Adaptive FEC
  - FEC-adaptive implies that the corresponding packets will be subjected to FEC only if the tunnels that they go through have been deemed lossy.
  - We rely on the BFD infrastructure, which calculates the loss on the tunnel in terms of lost BFD packets per PFR poll interval.
  - Adaptive FEC starts to work at 2% packet loss. This value is hard coded in the 18.4 release and is not configurable.
  - Please note that the FEC adaptive option is currently supported only for vEdge routers and not on Cisco IOS XE SD-WAN (cEdge) routers.
• FEC Always
  - FEC-always implies that the corresponding packets will be subjected to the FEC algorithm ALWAYS and will not depend on our estimation of whether the tunnel is lossy or not.

Packet Duplication
• Protects against packet loss
• Protocol (TCP/UDP) agnostic
• Operates over multiple tunnels
• Applied with data policy

Diagram: packets 1, 2, ... of Flow1 and Flow2 are sent over one tunnel and their duplicates (D) over a second tunnel.

• Allows duplicating all packets for critical traffic (i.e. credit card / ATM transactions) and sending the duplicated packets over a second path.
• Works well when the amount of critical traffic is far less than the capacity of the network.
• In case of multiple circuits, we choose the best performing circuit (least amount of loss) to replicate the packets to.
• Notes:
  - Works only over multiple tunnels
  - Duplicates are discarded on receiver

TCP Optimization
Diagram: Users -> TCP connections -> WAN Edge -> optimized TCP connection across the SD-WAN fabric (high latency path) -> WAN Edge -> TCP connections -> Servers.

• High latency path between users and applications, i.e. geo-distances
• WAN Edge routers terminate TCP sessions and provide local acknowledgements
  - Hosts don't have to wait for end-to-end TCP ACKs and pause TCP transmission
• Optimized TCP connection uses selective acknowledgement to prevent unnecessary retransmissions and a large initial TCP window size to maximize throughput
• Hosts using older TCP/IP stacks will see the most benefit

Multi-Cloud Application Optimization - Cloud onRamp for SaaS
SaaS Adoption & Key Challenges
• SaaS Adoption: SaaS adoption in enterprise is growing at a higher than expected rate
• Security: Enterprise customers highlighted security as the top roadblock for SaaS adoption
• Performance: Enterprise customers highlighted application performance & latency as the second roadblock for SaaS adoption
How are customers accessing SaaS today?
• No DIA: Users have to back-haul for internet access
• Single DIA: SaaS applications can take the DIA path from the branch
• Dual DIA: Dual DIA paths for SaaS, providing additional bandwidth and availability
Optimize SaaS with SD-WAN for No DIA
• The SD-WAN solution can leverage the best ISP path for SaaS from branch to datacenter, based on performance metrics such as loss, jitter and delay
• Sub-optimal optimization, as it won't address the performance issues from datacenter to SaaS
[Figure: branch connected to the Datacenter over MPLS, INET and 4G transports]
Quality Probing for Single DIA
• WAN Edge routers perform DNS resolution for the configured Cloud onRamp SaaS application
• WAN Edge routers initiate periodic HTTP pings toward the configured Cloud onRamp SaaS application
• WAN Edge routers calculate the best performing path based on loss and latency characteristics
• In this example, the remote WAN Edge router compares the SLA between local DIA and the composite metric of HTTP ping + BFD through the Gateway Edge
SaaS applications & vQoE scores
• The vQoE value ranges from 0 to 10, with 0 being the worst quality and 10 being the best.
• vQoE = desired metrics / actual metrics * 10
• The vQoE score is computed for each remote site application and per path
Optimize SaaS with Cloud onRamp for Dual DIA
• Cloud onRamp continuously monitors the edge to SaaS performance on both DIA paths
• Cloud onRamp picks the best performing path based on the performance metrics (loss & delay)
[Figure: Remote Site with MPLS, INET and 4G transports and two DIA exits (ISP1, ISP2); the best performing exit by loss/latency is chosen; Datacenter]
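The three preceding slides (HTTP-ping probing with a composite HTTP ping + BFD metric through a gateway, the vQoE formula, and best-path selection across dual DIA exits) are carried through in this added example, which is not Cisco code. Beyond what the slides state, it assumes that a probe sample is a latency in milliseconds or None when the probe timed out (counted as loss), that the desired metrics are an operator-chosen latency and loss target, that each desired/actual ratio is capped at 1 and the worse of the two decides the score, and that the composite path adds the BFD latency to the gateway to the gateway's own HTTP ping latency.

```python
"""vQoE scoring of SaaS probes and best-exit selection for a dual-DIA site.

Added example, not Cisco code. Assumptions not taken from the slides: an HTTP
ping sample is a latency in ms, or None when the probe timed out (counted as
loss); the desired metrics are an operator-chosen latency and loss target; the
per-metric ratios desired/actual are capped at 1 and the worse of the two
decides the score; a gateway (composite) path adds the BFD latency to the
gateway to the gateway's own HTTP ping latency.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Sla:
    latency_ms: float  # desired latency
    loss_pct: float    # desired loss, in percent


@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float


def summarise_probes(name: str, samples: list[Optional[float]]) -> PathStats:
    """Turn one poll interval of HTTP ping samples into loss % and mean latency."""
    lost = sum(1 for s in samples if s is None)
    answered = [s for s in samples if s is not None]
    latency = mean(answered) if answered else float("inf")
    return PathStats(name, latency, 100.0 * lost / len(samples))


def vqoe(sla: Sla, actual: PathStats) -> float:
    """vQoE = desired / actual * 10, clamped to the 0..10 range.

    A path that beats the target on a metric scores the full 10 for it; the
    worse of the latency and loss ratios decides the final score (assumption).
    """
    lat_ratio = 1.0 if actual.latency_ms <= sla.latency_ms else sla.latency_ms / actual.latency_ms
    loss_ratio = 1.0 if actual.loss_pct <= sla.loss_pct else sla.loss_pct / actual.loss_pct
    return round(min(lat_ratio, loss_ratio) * 10, 1)


def via_gateway(name: str, bfd_latency_ms: float, bfd_loss_pct: float, gw: PathStats) -> PathStats:
    """Composite metric for reaching SaaS through a gateway site: BFD leg plus the gateway's HTTP ping leg."""
    combined_loss = 100.0 * (1 - (1 - bfd_loss_pct / 100) * (1 - gw.loss_pct / 100))
    return PathStats(name, bfd_latency_ms + gw.latency_ms, combined_loss)


def best_path(sla: Sla, paths: list[PathStats]) -> PathStats:
    """Pick the exit with the highest vQoE for this application."""
    return max(paths, key=lambda p: vqoe(sla, p))


def demo() -> dict[str, object]:
    """Constructed probe data for one SaaS application at a dual-DIA site."""
    sla = Sla(latency_ms=75.0, loss_pct=2.0)
    # isp1 is fast but drops one probe in ten; isp2 is slower but clean
    isp1 = summarise_probes("isp1", [40, 45, None, 50, 42, 48, 44, 46, 41, 43])
    isp2 = summarise_probes("isp2", [70, 72, 68, 75, 71, 69, 73, 70, 72, 70])
    gw_probe = PathStats("gateway-http", latency_ms=60.0, loss_pct=0.0)
    via_gw = via_gateway("via-gateway", bfd_latency_ms=20.0, bfd_loss_pct=0.0, gw=gw_probe)
    return {
        "isp1": vqoe(sla, isp1),
        "isp2": vqoe(sla, isp2),
        "via-gateway": vqoe(sla, via_gw),
        "best": best_path(sla, [isp1, isp2, via_gw]).name,
    }


if __name__ == "__main__":
    print(demo())  # {'isp1': 2.0, 'isp2': 10.0, 'via-gateway': 9.4, 'best': 'isp2'}
```

The constructed data makes the point the slides leave implicit: the exit with the lowest latency (isp1) loses because its 10% probe loss is five times the target, while the clean but slower isp2 scores a full 10 and the composite path through the gateway is penalised only for its added BFD leg. Because the score is computed per application and per path, the same site can legitimately steer different SaaS applications out of different exits.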
Cloud onRamp for SaaS - Configuration

Configure Settings for Cloud onRamp
• Enable Cloud onRamp.

Cloud onRamp for SaaS Dashboard
• Applications enabled will be shown here.

Applications
• Select Applications and VPNs.

Gateways
• Select Gateways.

Client Sites
• Select Client sites.

DIA Sites
• Select DIA sites.
Cloud onRamp for IaaS

Why extend SD-WAN to the Cloud?
• Full SD-WAN capabilities in the cloud
• Common policy framework across SD-WAN and Cloud
• Managed seamlessly via vManage like any other physical router
Cloud onRamp for IaaS
Public Cloud (AWS & Azure) connectivity solution consumable through the vManage platform
• Public cloud credentials added along with other information to instantiate WAN Edge GWs
• vManage invokes instantiation of WAN Edge instances and adds routers to the overlay
• IaaS instances mapped to VPNs in the Cisco SD-WAN overlay
• New instances automatically added and reachable through the Cisco SD-WAN overlay
[Figure: Branch and DC connected over MPLS and Internet to a Cloud GW in Public Cloud Provider 1 Region 1 hosting the IaaS instances; orchestrated by the vManage Platform]
Multi-Cloud onRamp for IaaS
[Figure: AWS Region: Host VPCs (AZ1/AZ2, AS1/AS2) connect through VGW / VPN GW using Standard IPSec + BGP (2x) to a WAN Edge pair in a Gateway VPC (BGP <-> OMP); Azure Region: Host VNETs (AS1/AS2) connect through VNET Gateway / VPN GW using Standard IPSec + BGP (2x) to a WAN Edge pair in a Gateway VNET (BGP <-> OMP); the gateway WAN Edges join the SD-WAN fabric over INET, MPLS, Direct Connect and Express Route; managed by vManage]
Cloud onRamp for CoLo

Cloud onRamp for Co-Location as SaaS Gateway
[Figure: Regional Hub/CoLo with CSP5444 VNFs and a Cat9500-40 GW, managed by vManage; the Remote Site has two paths to SaaS: (1) Cloud onRamp for CoLo over SD-WAN, Service Group: Router->Firewall->Cloud, Policy: Cloud onRamp for SaaS Gateway; (2) DIA, Policy: Cloud onRamp for SaaS DIA]
How Does it Work?
[Figure: Cisco vManage/vBond configure the Regional Colo/DC via Netconf; Cloud onRamp for CoLo Cluster ID: 1; Service Group: SD-WAN, Firewall, Load-Balancer; Policy: Set Next-Hop US Colo; Application: Sites 1-5, VPN 10; hardware: Cisco CSP5444 #1, Cisco CSP5444 #2 and two Cisco C9500-40 switches connected to the SD-WAN Fabric]
Lab Activity
• Lab 11: Implementing Cloud OnRamp for SaaS
Licensing

Cisco DNA SD-WAN Licensing
Use Case Based Packaging

Cisco DNA Essentials: Simplified management and security protection for the cost-conscious customer
• End to end direct Internet access security
• Improved application experience
• Multi-domain Orchestration
• Basic voice optimization
• Common SD-WAN architectures
• Limitation: 4 User VPN + 1 Management VPN

Cisco DNA Advantage: Advanced SD-WAN with enhanced security for feature-rich & valued branch deployment models
• Visibility and control to defeat direct Internet/cloud access threats
• Optimized SaaS application experience
• Deep inspection capabilities for compliance
• Enhanced voice optimization
• Network analytics and visibility
• Limitation: Cisco DNA Essentials

Cisco DNA Premier: Advanced SD-WAN security will mitigate the most sophisticated threats to your business
• Automated cloud security at scale
• Keep consistent controls and visibility when users roam outside the WAN
• Simplify operations across domains
• Granular Application Detection
• Flexible Policy by Identity SAML or AD
• Limitation: Cisco DNA Advantage, Cisco DNA Essentials
Cisco DNA SD-WAN Licensing (Cont.)
Capability Based Packaging

Cisco DNA Essentials: Simplified management & security protection for the cost-conscious customer
• Cisco Umbrella DNS Monitoring
• Essential Cloud OnRamp for IaaS, SaaS, Multicloud: GCP, AWS, Azure
• Cloud Security: Cisco Umbrella Connector
• Integrated border plus orchestration
• Basic WAN & path optimizations for campus, branch & datacenter
• Flexible topology & dynamic routing (hub/spoke, partial/full mesh)
• Integrated voice/UC gateways
• Single centralized management console in the cloud or on-prem
• Limitation: 4 User VPN + 1 Management VPN

Cisco DNA Advantage: Advanced SD-WAN with enhanced security for feature-rich branch deployment models
• Enterprise firewall with Talos-powered IPS and app controls, URL Filtering, Cisco AMP, SSL Proxy
• Advanced Cloud OnRamp for Multicloud and SaaS (all applications and telemetry)
• AppQoE
• Segmentation (Unlimited VPNs)
• vAnalytics
• Limitation: Cisco DNA Essentials

Cisco DNA Premier: Advanced SD-WAN security will mitigate the most sophisticated threats to your business
• Cisco Umbrella SIG Essentials® (Full URL Filtering | Granular App Control | File-type Controls | AMP | Cisco Secure Malware Analytics | L3 – L4 Cloud Firewall | Roaming User Protection With AnyConnect)
• Limitation: Cisco DNA Advantage, Cisco DNA Essentials
Roadmap
