Cisco Meraki Documentation

Catalyst SD-WAN Integration with Cisco Secure Connect

Cisco Secure Connect Catalyst SD-WAN Integration Deployment Guide

 

Overview

Organizations are reshaping their network landscape by moving on-premises applications to the public or private cloud. Previously, all traffic was backhauled through central data centers, where the security stack choked the links and added significant latency; now almost 80% of traffic is routed directly to the internet from the branch. Securing the network edge has always been complex, and with this change in network infrastructure it has become even more difficult to manage and secure an entire organization.

Secure Access Service Edge (SASE) is the convergence of Network as a Service and Security as a Service within a unified, cloud-delivered platform. Cisco Secure Connect is Cisco's unified SASE solution, with integrated remote access, cloud-managed networking delivered through the Cisco Meraki cloud, and centralized cloud-managed security powered by Cisco Umbrella. This unified full-stack SASE solution is one of a kind in delivering complete end-to-end control, connectivity, security and policy management for remote users, branches and private applications across both Cisco SD-WAN solutions (Catalyst SD-WAN and Meraki).

This deployment guide outlines how to integrate your Cisco SD-WAN fabric to the Cisco Secure Connect solution and manage both the remote worker and SD-WAN branch network connectivity and security using the Cisco Secure Connect cloud dashboard.

Acronyms and terminology:

Viptela = Catalyst SD-WAN (the two names are used interchangeably in this guide)


Onboarding - Getting your Cisco Secure Connect Dashboard

To begin, you first need to integrate Cisco Meraki and Cisco Umbrella management for a seamless experience. For instructions, see Cisco Secure Connect Onboarding.

Enrolling Catalyst SD-WAN Sites to Cisco Secure Connect

After successfully provisioning Cisco Secure Connect, go to the Secure Connect > Sites page. There are 2 use cases, each supported independently, with Cisco Secure Connect.

  1. Create tunnels to Catalyst SD-WAN hubs from Cisco Secure Connect using Secure Connect's enhanced headend. Remote users connecting to Cisco Secure Connect can then securely access applications or resources behind the integrated hub.

  2. Import Catalyst SD-WAN branch secure internet access tunnels that are already integrated with SIG into Cisco Secure Connect, enabling a single point of monitoring for both private and internet access tunnels (only Umbrella SIG tunnels are supported).


Integrating a Viptela SD-WAN Private Application Service Hub with Cisco Secure Connect

Cisco Secure Connect establishes a secure interconnect between remote users and the applications or resources hosted behind Viptela SD-WAN service hubs. The first step of the integration is to establish connectivity between the Viptela devices and the Cisco Secure Connect fabric.

Click on > Connect Viptela Devices


Give the Site you are creating the tunnel from a name, and from the drop-down select the region in which you want to connect your Catalyst SD-WAN hubs.

After choosing the region and the name for your Site, create tunnels from the Site to the Cisco Secure Connect enhanced headend in the chosen region. Give the tunnel a unique name and a secure passphrase. Click on > Next

Currently the site name and tunnel name are concatenated to form the tunnel identity, and the tunnel identity field in the vManage IPsec template is limited to 63 characters. It is therefore recommended to use short site and tunnel names so that the overall tunnel identity stays under 63 characters.

The passphrase must be at least 16 characters.


This configures 2 tunnels (primary and secondary) to the DC locations associated with the chosen region. After the tunnels are created, a pop-up window shows all the required information about them. The tunnel pair configuration can be applied to a single router or to multiple routers at the Catalyst SD-WAN hub location. Every router at the hub location will have a primary and a secondary tunnel towards the Secure Connect primary and secondary DC, respectively, for that region.

Please copy and save all the information shown in the pop-up window related to both the tunnels before clicking on Done.


Auto-tunnel automation is not available end to end for Viptela SD-WAN. Therefore, the tunnels need to be created manually under the service VPNs of the devices using vManage templates.

The IPsec parameters for the tunnel are shown in the GUI here; alternatively, follow the screenshots below (a set of secure parameters should be agreed on before deployment).

The tunnel ID and the Secure Connect DC IPs for each tunnel and its associated DC need to be entered in the corresponding templates in vManage. For more on the associated vManage templates, see the following link.

After clicking 'Done' in the pop-up window, the Sites page shows the newly created Site, with the primary and secondary tunnels listed in the Site's drop-down.


Click on the newly created Site > This opens a side drawer for that Site, listing the 2 tunnels and their status. The main step here is 'Configure Routing'.

Click on 'Configure Routing' > In the pop-up window, define your local BGP AS number for that particular region to peer with Cisco Secure Connect. Note that the Secure Connect BGP details (AS number and neighbor IP) are also displayed.


The Secure Connect BGP AS number is 64512, as shown above. The BGP neighbor IPs for the primary DC and the secondary DC are displayed as shown above.

After entering the AS number, click on > Configure and wait until BGP is successfully configured for the tunnels. Click on Done.


After successfully configuring the tunnel and BGP settings from the Cisco Secure Connect dashboard, proceed to your Cisco SD-WAN vManage dashboard to provision the tunnels on your Catalyst SD-WAN edge device. Log in to your Catalyst SD-WAN vManage > Click on the menu (hamburger) drop-down.


Select 'Configuration' > Templates. After clicking on Templates, navigate to the > Feature Templates tab. You will need to create 2 Cisco VPN IPsec Interface templates and 1 BGP template, a total of 3 templates. The same template can be used for multiple routers by using variables.


Select > Add Template > Select the device from the list > and choose the Cisco VPN IPsec Interface template, one for each of the primary and secondary tunnels created from the Cisco Secure Connect enhanced headend.


The next important step is to configure the destination IP address for the device: these are the DC IPs received from the pop-up window when the tunnels were configured in Cisco Secure Connect. For the primary tunnel template enter the DC 1 IP, and for the secondary tunnel template enter the DC 2 IP.


The destination is the IP that was provided during tunnel creation for the primary and secondary DC.

IKE version 2 must be used.

The IKE local endpoint is the tunnel identity.

IKE and IPsec parameters can be changed or finalized (see the working configuration below).


Verify that the tunnel is up on the Secure Connect dashboard, with show ip int brief on the device, or in vManage as shown below: vManage > Monitor > Device > Interface.


Once the tunnel(s) are up, configure the BGP template for route exchange. The routes will consist of the following:

  1. Viptela hub to CSC DC = application routes

  2. CSC DC to Viptela hub = remote access pool routes

BGP and the tunnel must be configured under the service VPN template and are unique to that service VPN/VRF; for more segments (VRFs), the user has to create more tunnels.

The BGP template is available under Feature Templates in vManage.


Make sure OMP routes are redistributed in the template.

Add the CNHE neighbor IP that was provided earlier, and the BGP AS number as the remote AS.


The route policy names can also be defined here (discussed in the redundancy section). Also redistribute BGP routes into OMP by modifying the OMP or service VPN template as below.

 

Once BGP is up, the routes can be verified by issuing sh ip bgp vpnv4 vrf X all on the device, or by using the vManage real-time device dashboard and issuing the BGP routes commands as below.
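The tunnel and BGP checks described above can also be scripted against captured CLI output, which is useful when the same tunnel pair is applied to several hub routers. The following is an added example, not part of this guide or of vManage: it parses constructed samples of show ip interface brief, show bgp vpnv4 unicast vrf 10 summary and show ip bgp vpnv4 vrf 10, confirms that each Secure Connect neighbor (AS 64512) is reachable over an up/up IPsec interface and is established, and lists the remote-access pool routes learned from each DC. The interface names, VRF number, addresses and prefixes are assumptions; the mapping of neighbor IP to ipsec interface is supplied by the operator from the 'Configure Routing' pop-up.

```python
"""Post-deployment verification of the Catalyst SD-WAN hub side of a Secure
Connect integration, run over captured IOS XE CLI output.  Added example, not
part of the original guide; all sample output below is constructed and the
interface names, VRF number, addresses and prefixes are assumptions."""
import re

SECURE_CONNECT_AS = 64512   # Secure Connect's BGP AS number, as stated in the guide

# --- constructed sample output (not captured from a real device) ------------
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       203.0.113.10    YES other  up                    up
ipsec1                 10.0.0.1        YES other  up                    up
ipsec2                 10.0.0.5        YES other  up                    down
"""

SHOW_BGP_SUMMARY = """\
BGP router identifier 10.255.0.1, local AS number 65001
BGP table version is 12, main routing table version 12

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4        64512     120     118       12    0    0 01:55:03        1
10.0.0.6        4        64512      15      17        1    0    0 never    Active
"""

SHOW_BGP_VPNV4 = """\
BGP table version is 12, local router ID is 10.255.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:10 (default for vrf 10)
 *>   192.168.10.0/24  0.0.0.0                  0         32768 ?
 *>   172.16.200.0/24  10.0.0.2                 0             0 64512 i
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One BGP table row: status flags, prefix (mask may be omitted for classful nets), next hop.
ROUTE_RE = re.compile(
    rf"^\s*(?P<flags>[*>sdhrSmbfxaci]*)\s*(?P<prefix>{IPV4}(?:/\d{{1,2}})?)\s+(?P<nh>{IPV4})\b")


def parse_tunnel_status(output):
    """Map each ipsec interface in `show ip interface brief` to True when Status and Protocol are both up."""
    status = {}
    for line in output.splitlines():
        m = re.match(r"^(ipsec\d+)\s+\S+\s+(?:YES|NO)\s+\S+\s+(.+?)\s+(\S+)\s*$", line)
        if m:
            status[m.group(1)] = m.group(2) == "up" and m.group(3) == "up"
    return status


def parse_bgp_summary(output):
    """Map each neighbor in the BGP summary to its AS, session state and received prefix count."""
    peers = {}
    for line in output.splitlines():
        tok = line.split()
        if len(tok) >= 10 and re.fullmatch(IPV4, tok[0]) and tok[1] == "4":
            state = tok[-1]                 # a prefix count when established, otherwise a state name
            established = state.isdigit()
            peers[tok[0]] = {"as": int(tok[2]), "established": established,
                             "prefixes": int(state) if established else 0}
    return peers


def parse_vpnv4_routes(output):
    """Return (prefix, next_hop, best) for each single-line entry of `show ip bgp vpnv4 vrf X`.
    IOS XE wraps very long prefixes onto two lines; those entries are not handled here."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group("prefix"), m.group("nh"), ">" in m.group("flags")))
    return routes


def check_hub(int_brief, bgp_summary, vpnv4_table, expected_neighbors):
    """Cross-check tunnel state, BGP sessions and routes learned from Secure Connect.
    `expected_neighbors` maps Secure Connect neighbor IP -> local ipsec interface (assumed
    to come from the 'Configure Routing' pop-up).  Returns a report with a list of problems."""
    tunnels = parse_tunnel_status(int_brief)
    peers = parse_bgp_summary(bgp_summary)
    routes = parse_vpnv4_routes(vpnv4_table)
    problems = []
    for neighbor, interface in expected_neighbors.items():
        if not tunnels.get(interface, False):
            problems.append(f"{interface} is not up/up")
        peer = peers.get(neighbor)
        if peer is None or not peer["established"]:
            problems.append(f"BGP session to {neighbor} is not established")
        elif peer["as"] != SECURE_CONNECT_AS:
            problems.append(f"{neighbor} peers with AS {peer['as']}, expected {SECURE_CONNECT_AS}")
        elif peer["prefixes"] == 0:
            problems.append(f"{neighbor} is established but advertised no remote-access pool routes")
    # Remote-access pool routes are the prefixes whose next hop is a Secure Connect neighbor;
    # locally originated (next hop 0.0.0.0) entries are the application routes redistributed from OMP.
    pool_routes, local_routes = {}, []
    for prefix, nh, _best in routes:
        if nh in expected_neighbors:
            pool_routes.setdefault(prefix, []).append(nh)
        elif nh == "0.0.0.0":
            local_routes.append(prefix)
    for prefix, hops in pool_routes.items():
        missing = sorted(set(expected_neighbors) - set(hops))
        if missing:   # redundancy lost: the pool is reachable through only one DC
            problems.append(f"{prefix} is only learned via {', '.join(hops)}; no path via {', '.join(missing)}")
    return {"tunnels": tunnels, "peers": peers, "pool_routes": pool_routes,
            "local_routes": local_routes, "problems": problems}


if __name__ == "__main__":
    report = check_hub(SHOW_IP_INT_BRIEF, SHOW_BGP_SUMMARY, SHOW_BGP_VPNV4,
                       {"10.0.0.2": "ipsec1", "10.0.0.6": "ipsec2"})
    for p in report["problems"]:
        print("PROBLEM:", p)
    print("remote-access pool routes:", report["pool_routes"])
    print("application routes to be advertised:", report["local_routes"])
```

With the constructed sample the secondary tunnel is down and its BGP session is Active rather than Established, so the report flags ipsec2, the 10.0.0.6 session, and the fact that the remote-access pool is reachable through the primary DC only; on a healthy hub the problems list is empty. Run the three commands on each hub router and feed the saved output to check_hub to catch exactly the one-sided failures that the dashboard's per-tunnel status can hide.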


Once BGP is up and routes are exchanged, with connectivity established end to end, users can test 2 use cases:

Use case 1: Private application access using AnyConnect

Use case 2: Private application access using a client-less device (browser based)

Please refer to the Secure Connect documentation for configuring remote access and clientless application access on the Secure Connect and Umbrella dashboards.

There is a stop-gap limitation that all Catalyst SD-WAN hubs created in Cisco Secure Connect must be associated with the same region. Thus the primary and secondary DC IPs and the templates will mostly stay the same until this limitation is removed. The benefit for remote access users is that they are not confined to the same region: users connected to any DC can reach the private application hosted behind the Catalyst SD-WAN hub connected to the Cisco Secure Connect region.

Integrating Cisco Viptela SD-WAN SIG Branches with Cisco Secure Connect

Cisco Secure Connect today only imports the existing integration of a Cisco Viptela SD-WAN SIG branch, enabling complete monitoring of the tunnel and management of the tunnel's SIG capabilities in Cisco Umbrella. The initial provisioning, integration and connection of the Cisco Viptela SD-WAN branch via the SIG tunnel is done through vManage, and is an IPsec tunnel directly to the Cisco Umbrella instance integrated with Cisco Secure Connect. This is an existing workflow; the following links give the step-by-step workflow for enabling a SIG tunnel from a Cisco Viptela SD-WAN branch to Cisco Umbrella.

For configuring DIA tunnels from Catalyst SD-WAN branches to Cisco Secure Connect's Umbrella instance, there are two ways:

Manual Tunnel Provisioning: https://docs.umbrella.com/umbrella-u...s/manual-cedge

Automatic Tunnel Provisioning: https://docs.umbrella.com/umbrella-u...edge-and-vedge

After successfully establishing the SIG tunnel from your Cisco Viptela SD-WAN branch, you can import that tunnel into Cisco Secure Connect.

Go to Secure Connect > Sites  


Click on Add Site > Monitor – Cisco SD-WAN SIG Tunnels 

 

This will import the SIG Tunnels created from Cisco Viptela SD-WAN to Cisco Secure Connect. 


After successfully importing the tunnel into Cisco Secure Connect, you can manage the SIG tunnel from Cisco Umbrella's Network Tunnel management.

Click on the Viptela SIG Tunnel Site > In the side drawer click on Manage tunnel in Umbrella 


Detaching Catalyst SD-WAN SIG Branches from Cisco Secure Connect 

Cisco Secure Connect provides the capability to detach a Catalyst SD-WAN Site from the integration with its fabric. This is a simple workflow:

Click on the Catalyst SD-WAN Private App Hub Site that you need to detach > In the side drawer, scroll to the bottom-most section and click on Detach Site.


You will get a confirmation window; re-enter the name of the Site that you want to detach and click on Remove Site. This detaches the selected Catalyst SD-WAN Site from Cisco Secure Connect, including both tunnels to the regional DCs.

After clicking Remove Site, the tunnels are detached from Cisco Secure Connect.

 

Customers who have a mixed deployment of Meraki and Catalyst SD-WAN in their network infrastructure and are looking for a unified SASE solution can leverage this integration of Catalyst SD-WAN with Cisco Secure Connect. 

Interested customers please reach out to your Cisco sales team to enable this solution.