Be SASE with Cisco SD-WAN

Jirapat Srimarut
6 min read · Dec 30, 2020


Hello, today we are going to talk about how to start using SASE on Cisco SD-WAN (powered by Viptela).

What is SASE?

Secure Access Service Edge (SASE) is a cloud-native security solution that provides security functions such as DNS Security, Cloud-Delivered Firewall (CDFW), Secure Web Gateway (SWG) and more. Cisco delivers this architecture with “Cisco Umbrella”.

How do I start using SASE with Cisco SD-WAN?

With the power of SD-WAN we can make something called “Direct Internet Access (DIA)” much easier. Imagine that we have 40 branches deployed with direct internet attached to each branch: how do we control a security policy if we don’t want all traffic backhauled via our DC? I have two options for you.

Option 1: Distribute a firewall appliance to each branch
This is a good option from a security perspective: we can distribute a firewall appliance to the large branches and take full security control with next-gen firewall functions, but…
how about the small branches with 10 – 40 users (for example)?
If we do the same as before, don’t forget to consider:
1. High Availability -> We should deploy two appliances for active/standby.
2. Maintenance -> such as software upgrades, hardware maintenance etc.
Doing this for every branch makes our day 0, day 1 and day 2 operations more complicated.

Option 2: Deploy Secure Internet Gateway (SIG) with Cisco Umbrella
With this option we can leverage cloud-based firewall capabilities by tunnelling all internet traffic to the cloud firewall powered by Cisco Umbrella. Then you can start protecting your branches without a firewall appliance distributed to every branch.

Today, starting from Viptela 20.1 and IOS-XE 17.2.1 or later, we can do more integration between Cisco SD-WAN and Umbrella with SIG auto tunnel support. Previously we needed to configure the IPsec tunnel between the Cisco SD-WAN router and the Umbrella portal manually, but today this can be done automatically via vManage. Let’s take a look at my lab topology.

My lab diagram

As you can see from my lab topology, I have two CSRs as hub routers connected to the datacenter and one vEdge as a branch router with DIA policies already configured. Our mission today is to automate the SIG tunnel from vManage to establish an IPsec tunnel to the Umbrella cloud.

Let’s start

Firstly you need to register vManage with the Umbrella API key; please follow the steps below:
Log in to the Umbrella portal -> on the left panel go to Admin -> API key -> look for Umbrella Management; you will find your key and secret inside. (The secret appears only the first time; please copy and secure your secret.)
Note: If you already have a Cisco Smart Account configured on vManage you can skip this step.

Umbrella API key

Next go to vManage -> Feature Template -> Add Template -> choose your router model (in my case it is vEdge cloud) -> Other Templates -> SIG Credentials

Configure SIG credentials templates

Paste your organization ID, registration key and secret which we obtained earlier, or you can click “Get Keys” if your Smart Account has been synced with vManage.

What next?

Let’s start configuring the Secure Internet Gateway (SIG) feature template.
Go to vManage -> Feature Template -> Add Template -> choose your router model (in my case it is vEdge cloud) -> Secure Internet Gateway (SIG)
Look for the “Add Tunnel” button and click Add. Then you will see the basic configuration of a SIG tunnel as in the picture below.

SIG tunnel setting

Next enter an IPsec interface name (ipsec1 to ipsec255) and a source interface (the internet-facing interface).
You can add another tunnel to be the backup tunnel (optional).

Lastly, look at the “High Availability” section and configure your primary tunnel as Active. If you have a secondary tunnel you can configure it as Backup; otherwise select “None” for the backup if you have only one primary interface.

That’s it!! We have done our Umbrella SIG tunnel configuration.

What next?

Now I’ll start configuring traffic redirection from the vEdge (or cEdge) router to the Umbrella SIG.
Go to your service VPN template (e.g. VPN 1) -> Service Route -> New Service Route -> Add prefix 0.0.0.0/0 to service SIG -> Click Add.
This configuration redirects traffic from the service VPN to the Umbrella SIG tunnel.

SIG Service Route

Don’t forget to enable NAT in the feature template of the internet-facing interface.

OK, all feature template configuration is done!! Let’s attach it to the device template and start using Umbrella SIG.
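Before pushing the templates, it is worth checking that a planned SIG configuration satisfies every step above at once: tunnel names in the ipsec1 to ipsec255 range, source interfaces that are NAT-enabled VPN 0 interfaces, a consistent Active/Backup pair, and a 0.0.0.0/0 service route to SIG in a service VPN. The pre-check below is an added example and not code from the post or from Cisco; the plan structure, the `SigPlan`/`SigTunnel` names and the `ge0/0` interface name are assumptions, and the sample plan is constructed to mirror the lab.

```python
import re
from dataclasses import dataclass

# Tunnel interface names the SIG template accepts, per the post: ipsec1 .. ipsec255
IPSEC_NAME = re.compile(r"^ipsec(\d{1,3})$")

@dataclass
class SigTunnel:
    name: str        # e.g. "ipsec1"
    source_if: str   # internet-facing interface in VPN 0 (interface names are assumed)

@dataclass
class SigPlan:
    tunnels: list          # SigTunnel entries from the SIG feature template
    ha: dict               # High Availability: {"active": "ipsec1", "backup": "ipsec2" or "None"}
    wan_nat: dict          # VPN 0 interface -> NAT enabled in its interface template?
    service_routes: list   # (vpn, prefix, service) tuples from the service VPN templates

def validate_sig_plan(plan):
    """Return a list of problems; an empty list means every step in the post is satisfied."""
    problems = []
    names = {t.name for t in plan.tunnels}
    for t in plan.tunnels:
        m = IPSEC_NAME.match(t.name)
        if not m or not 1 <= int(m.group(1)) <= 255:
            problems.append(f"{t.name}: tunnel interface must be ipsec1..ipsec255")
        if t.source_if not in plan.wan_nat:
            problems.append(f"{t.name}: source interface {t.source_if} is not a VPN 0 interface")
        elif not plan.wan_nat[t.source_if]:
            problems.append(f"{t.name}: NAT is not enabled on {t.source_if}")
    active, backup = plan.ha.get("active"), plan.ha.get("backup", "None")
    if active not in names:
        problems.append(f"HA: active tunnel {active!r} is not a defined tunnel")
    if backup != "None" and (backup not in names or backup == active):
        problems.append(f"HA: backup must be 'None' or a second tunnel, got {backup!r}")
    if len(plan.tunnels) == 1 and backup != "None":
        problems.append("HA: only one tunnel is defined, so backup must be 'None'")
    # The redirect must live in a service VPN (not VPN 0): default route to service SIG
    if not any(vpn != 0 and prefix == "0.0.0.0/0" and service.upper() == "SIG"
               for vpn, prefix, service in plan.service_routes):
        problems.append("no service VPN has a 0.0.0.0/0 service route to SIG")
    return problems

# Constructed plan mirroring the post's lab: one vEdge, primary + backup tunnel, VPN 1 redirected
GOOD_PLAN = SigPlan(
    tunnels=[SigTunnel("ipsec1", "ge0/0"), SigTunnel("ipsec2", "ge0/0")],
    ha={"active": "ipsec1", "backup": "ipsec2"},
    wan_nat={"ge0/0": True},
    service_routes=[(1, "0.0.0.0/0", "SIG")],
)
```

Run `validate_sig_plan(GOOD_PLAN)` and fix every message it returns before attaching the device template; an empty list means the plan matches the steps above.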

Go to Template -> Device Template -> Select your device -> right click to edit.
In the “Transport & Management VPN” section, select Secure Internet Gateway from “Additional VPN 0 Templates” and select your SIG feature template.

Then scroll down to “Additional Templates”, select your SIG Credentials feature template and click Update on your device template.

After your configuration has been modified, wait a moment and then you can see your SIG tunnel established under “Network Tunnels”.

As you can see, all of the IPsec configuration between Umbrella and vManage is fully automated; there is no need to touch any tunnel configuration on the Umbrella side.

Done!! So let’s try to create one simple policy on Umbrella and try it!

I created one simple policy on Umbrella to deny ICMP to 8.8.8.8; please take a look at the example below.
Looking at my lab diagram again, I have one Windows 7 client connected to VPN 1 on the vEdge.

My lab diagram

I typed “what is my ip” in Google and you can see my ISP has changed to “Cisco OpenDNS, Country Singapore”. This means our traffic has been redirected and Umbrella acts as the proxy for our internet traffic.

This is the “ping 8.8.8.8” result before I applied any policy on Umbrella.

Then I created a rule to block ICMP traffic to 8.8.8.8 from the Umbrella dashboard -> Policies -> Firewall Policy and saved it.

Go back to our client and try “ping 8.8.8.8” again; here is the result.

You can see that our policy applied immediately: the ICMP sent to 8.8.8.8 is blocked.

All done for today.

I hope you have got an idea and understand more about SASE with Cisco SD-WAN and Umbrella.

Thank you for reading.

See you next time.
Jirapat Srimarut

Written by Jirapat Srimarut, Technical Solution Specialist, Enterprise Networking