Catalyst SD-WAN Integration with Cisco Secure Connect

Overview

Organizations are shifting their network landscape by moving on-prem applications to the public or private cloud. Previously all traffic was backhauled through central data centers with security stack choking links and increasing latency significantly, but now almost 80% of traffic is routed directly to the internet from branch. Securing a network edge has always been complex and with this change in network infrastructure, it became even more difficult to manage and secure an entire organization. 

Secure Access Service Edge (SASE) is the convergence of Network as a Service and Security as a Service within a unified cloud delivered platform. Cisco Secure Connect is Cisco’s unified SASE solution with an integrated Remote access capability, cloud managed network delivered through the Cisco Meraki cloud and centralized cloud managed security powered by Cisco Umbrella. This unified full stack SASE solution is one of its kind that delivers complete end to end control, connectivity, security and policy management of remote users, branches, and private applications across both Cisco SD-WAN (powered by Catalyst SD-WAN and Meraki) solution. 

This deployment guide outlines how to integrate your Cisco SD-WAN fabric to the Cisco Secure Connect solution and manage both the remote worker and SD-WAN branch network connectivity and security using the Cisco Secure Connect cloud dashboard.

Acronyms and Terminologies: 

Viptela = Catalyst SD-WAN 

 

 

Onboarding - Getting your Cisco Secure Connect Dashboard

To begin, you'll first need to integrate Cisco Meraki and Cisco Umbrella management together for a seamless experience.  For further instructions, see  Cisco Secure Connect Onboarding 

Enrolling Catalyst SD-WAN Sites to Cisco Secure Connect

After successfully provisioning Cisco Secure Connect, go to the Secure Connect > Sites page. There are 2 use cases that are supported independently with Cisco Secure Connect. 

 

1. Create tunnels to Catalyst SD-WAN HUBs from Cisco Secure Connect using SC's enhanced headend. Remote users connecting to Cisco Secure Connect can securely access applications or resources behind the integrated Hub.  

2. Import secure internet access Catalyst SD-WAN branch tunnels already integrated to SIG into Cisco Secure Connect. Enabling a single point of monitoring of both private and internet access tunnels. (only umbrella SIG tunnels supported)  

 

 

Integrating Viptela SDWAN Private Application Service Hub to Cisco Secure Connect 

Cisco Secure Connect establishes a secure interconnect between the remote users and the applications or resources hosted behind Viptela SDWAN service hubs. The first step towards the integration is to establish a connectivity between Viptela devices and Cisco Secure Connect fabric.  

Click on > Connect Viptela Devices

 

Give the Site you are creating a tunnel from a name and from the drop down select the region you want to connect your Catalyst SD-WAN hubs then,  

After choosing the region and the name for your Site, next create tunnels from the Site to Cisco Secure Connect enhanced headend in the chosen region. Give the tunnel a unique name and a secure passphrase. Click on > Next 

 

 

 

This successfully configures 2 tunnels (primary, secondary) in the DC locations associated with the chosen regions. After successful creation of the tunnels, there is pop up window that gives all the required information regarding the tunnels created. The tunnel pairs configs can be associated with single router or multiple routers on the Catalyst SD-WAN hub location . Every router within the hub location will have primary and secondary tunnel towards Secure Connect primary and secondary DC respectively for that region. 

Please copy and save all the information shown in the pop-up window related to both the tunnels before clicking on Done.

 

 

The tunnel ID and the Secure Connect DC IPs for each tunnel and its associated DC need to be entered in the corresponding templates in vManage. To know more about associated vManage template please click on the following link  

After clicking ‘Done’ on the pop-up window, in the Sites page you will see the newly created Site with the primary and secondary tunnels in the drop down of the Site. 

 

Click on the newly created Site > This opens a side drawer for that Site, listing out the 2 tunnels and their status. The main step here is to ‘Configure Routing’ 

Click on ‘Configure Routing’ > In the pop-up window, define your local BGP AS number for that particular region to peer with Cisco Secure Connect. If you observe the Secure Connect BGP details like AS Number and Neighbor IP is displayed.  

 

Secure connect BGP number is 64512 as shown above. The bgp neighbor for primary DC and secondary DC will be displayed as shown above. 

After entering the AS Number click on > Configure, wait till BGP is successfully configured for the tunnels. Click on Done.  

 

 

After successfully configuring the Tunnel and BGP configs from Cisco Secure Connect dashboard, proceed towards your Cisco SD-WAN vManage dashboard to provision the tunnels from your Catalyst SD-WAN edge device. Login to your Catalyst SDWAN vManage > Click on the burger menu drop down.

 

 

Select ‘Configuration’ > Templates. After clicking on Templates, navigate to > Feature Templates tab. You will need to create 2 Cisco VPN IPSEC interface templates and 1 BGP template, a total of 3 templates. The same template can be used for multiple routers by using variables. 

 

 

Select > Add Template > Select the Device from the list > and choose the Cisco VPN IPSEC interface template for each primary and secondary tunnels that we created from Cisco Secure Connect enhanced headend.

 

 

 

 

Next important step is to configure the destination IP address for the device, this is the DC IPs that we received from the pop window when we configured the tunnels in Cisco Secure Connect. For the primary tunnel template enter the DC 1 IP and for the secondary tunnel template enter the DC 2 IP.  

 

 

 

 

 

 

Verify Tunnel is up on Secure connect dashboard or check using show ip int brief or using vManage as shown below vManage>Monitor>Device>interface 

 

 

Once tunnel(s) are up, Configure BGP template for route-exchange, the routes will consist of following

1. Viptela HUB to CSC DC=Application routes 

2. CSC DC to Viptela Hub= Remote access pool routes 

BGP and Tunnel needs to be configured under service vpn template and are unique to service vpn/vrf for more segments (VRF), user has to create more tunnels 

BGP Template is available from Feature Template in the vManage 

 

 

Make sure to have OMP routes redistributed in the template 

ADD CNHE neighbor ip which was provided earlier and also the BGP AS number for remote AS 

 

The route policy names can also be defiend here ( will be discussed in redundancy section) Also redistribute BGP routes to OMP by modifying OMP or service VPN template as below

 

Once BGP is up , the routes can be verified by issuing sh ip bgp vpnv4 vrf X all or using vManage realtime device dashboard and issues bgp routes commands as below 

 

 

 

Once BGP is up and routes exchange with connectivity established end-to-end, users can test 2 usecases 

Usecase1: Private application access using any connect 

Usecase2:Private application using client-less device ( Browser based) 

Please refer to Secure Connect documentation  for configuring remote access and clientless application access on Secure connect and umbrella dashboards 

There is a stop gap limitation for all Cisco Secure Connect created Catalyst SD-WAN hubs to be associated with the same region. Thus, mostly the primary and secondary DC IPs and the templates will stay the same until this limitation is removed. The benefit out of this is for the remote access users, they are not confined to be connected to the same region and have the ability for users located from any DCs to connect to the private App hosted behind Catalyst SD-WAN Hub connected to Cisco Secure Connect region. 

Integrating Cisco Viptela SD-WAN SIG Branches to Cisco Secure Connect 

Cisco Secure Connect today only imports the existing integration of Cisco Viptela SD-WAN SIG branch enabling complete monitoring of the tunnel and management of the SIG capabilities of the tunnel in Cisco Umbrella. The initial provisioning, integration and connecting of the Cisco Viptela SD-WAN branch via the SIG tunnel is through vManage and is an IPSEC tunnel directly to the Cisco Secure Connect integrated Cisco Umbrella. This is an existing workflow and the following is the link that gives step by step workflow of enabling a SIG tunnel from a Cisco Viptela SD-WAN branch to Cisco Umbrella.  

After successfully establishing your SIG tunnel from Cisco Viptela SD-WAN branch, you can now import that tunnel to Cisco Secure Connect.  

Go to Secure Connect > Sites  

Click on Add Site > Monitor – Cisco SD-WAN SIG Tunnels 

 

This will import the SIG Tunnels created from Cisco Viptela SD-WAN to Cisco Secure Connect. 

 

After successfully importing the tunnel to Cisco Secure Connect, we now can manage the SIG tunnel from Cisco Umbrella’s Network Tunnel management.  

Click on the Viptela SIG Tunnel Site > In the side drawer click on Manage tunnel in Umbrella 

 

 

Detaching Catalyst SD-WAN SIG Branches from Cisco Secure Connect 

Cisco Secure Connect provides the capability to detach a Catalyst SD-WAN Site from the integration with its fabric. This is a simple user experience, where you will need to,  

Click on the Catalyst SDWAN Private App Hub Site that we need to detach > In the side drawer scroll to the bottom most section and click on Detach Site. 

 

You will get a confirmation window, re-enter the Site name that we want to detach and click on Remove Site. This will successfully detach the selected Catalyst SD-WAN Site from Cisco Secure Connect including both tunnels to the regional DCs.  

 

After clicking Remove Site > The tunnel will be detached from Cisco Secure Connect.