Index
A
ACLs (access control lists), 112, 319–320, 338
effects of applying to localized policy, 338
referencing, 337
activating, centralized policies, 125–127
address restricted cone NAT, 76–77
administrative distances, WAN Edges, 60
AMP (Advanced Malware Protection), 349, 350–351, 372–377
monitoring statistics, 375
APIs (application programming interfaces), 13
application lists, 118
application service containers, 360–361
Application-Aware Enterprise Firewall, 349
actions, 355
dashboard, 359
destination zone, 353
firewall policies, 354
firewall policy, 353
inter-zone security, 356
intra-zone security, 355
monitoring statistics, 359
self-zone policy, 353
source zone, 353
zone pair, 353
Application-Aware Routing, 350–351
business imperative for, 286
application-based traffic engineering, 253–254
application forwarding behavior without policy changes, 254
steady and failed state, 258–260
applications, protecting from packet loss, 269–270
FEC (Forward Error Correction), 270–274
applying changes to localized data policies, 337
App-Route policies
applying, 292
backup-sla-preferred color action, 314–315
BFD (Bidirectional Forwarding Detection)
App-Route Poll Interval, 298–300
path quality monitoring, 298
mapping traffic flows to a transport tunnel, 304
monitoring tunnel performance, 294
packet forwarding, 304
traditional lookup in the routing table, 305–306
preferred color, 312
sequence rules, 289
SLA class lists, 287
traffic forwarding configurations, 309–315
App-Route Poll Interval, 298–300
automatic provisioning, 102
automatic rollback, 91
automation, 2
B
B2B (business-to-business), 4
bandwidth, WANs, 9
best path selection, OMP, 56–58
BFD (Bidirectional Forwarding Detection), 28–29, 138, 294
Multiplier value, 297
path quality monitoring
App-Route Poll Interval, 298–300
BGP (Border Gateway Protocol), 466–467
routing loop prevention, 62–63
branch-to-branch communication, enabling
BYOD (bring-your-own-device), 4, 18
C
C,I,R (chosen, installed, resolved), 51
CAs (certificate authorities), 494
CDFW (cloud-delivered firewall), 261
validating service insertion, 266–269
centralized control policies. See control policies
centralized data policies. See data policies
centralized policies, 110–112, 117, 134–136. See also control policies; data policies; localized policies
application-aware routing, 112
cflowd, 112
control, 111
and localized policies, 328
VPN membership, 111
Cisco ACI (Application Centric Infrastructure), 18
Cisco ASR (Advanced Services Router), 30
Cisco Cloud, 38
Cisco IOS-XE, upgrading, 31
Cisco ISR (Integrated Services Router), 30
Cisco SD-WAN (Software-Defined WAN), 9–10, 387–389. See also Application-Aware Enterprise Firewall; Cloud onRamp; control plane; data plane; management plane
automatic rollback, 91
Cloud onRamp, 394
configuration management, 91
control plane, 44
encryption, 35
security, 45
address restricted cone NAT, 76–77
full cone NAT, 74
pairwise encryption keys, 86–87
port restricted cone NAT, 77–80
segmentation, 66
distributed architecture, 26–27
DPI (Deep Packet Inspection), 400–402
firewall policy, configuration, 356–359
management plane, 44
migrating to
branch design, 469
complete CE replacement, 470–475
integration with branch firewall, 476–478
integration with existing CE router, 475
integration with voice services, 478–479
overlay and underlay integration, 480–489
service-side connectivity, 466–469
transport-side connectivity, 463–465
multi-tenancy options, 38
automatic provisioning, 103–105
manual bootstrapping of a WAN Edge, 102
orchestration plane, 36–37, 44
physical platforms, 30
policies, 109. See also policies
monitoring, 147
packet forwarding order of operations, 127–128
saving, 147
on-premises deployment, 494
AMP (Advanced Malware Protection), 372–377
Application-Aware Enterprise Firewall, 352–360
DNS Web Layer security, 377–381
IDS/IPS (intrusion detection and prevention), 360–367
vManage authentication and authorization, 384–389
virtual platforms, 30
VPNs, 27
Cisco Umbrella, 377
DNS Web Layer security configuration, 378–381
Cisco vEdges, 30
Cisco Webex, corporate direct cloud access, 243–252
CLI (command line interface), 3, 25–26
Cloud onRamp, 394
IaaS integration, 438
image repository, 449
redundancy and high availability, 440
service chain creation, 449–454
service chain design best practices, 440–441
service chaining for a single service node, 434–436
service chaining for multiple service nodes, 436
viewing VPC statistics, 426–428
benefits, 395
DIA (Direct Internet Access), 395
hybrid deployment, 397
monitoring statistics, 398
prerequisites for all site types, 403
prerequisites for DIA or gateway sites, 404–412
through a gateway, 397
adoption, 19
DIA (Direct Internet Access), 15–16
private clouds, 38
VPC (virtual private cloud), 413
colocation, 432
color lists, 118
colors, 312
encapsulation, 177
local-tloc, 255
max-control-connections 0, 495–496
preferred-color, 312
service, 263
show app-route stats, 310
show bfd sessions, 73
show ip bgp, 174
show omp routes, 175, 201–202, 204–206
show omp services, 56
show policy data-policy-filter, 241, 269
show policy from-vsmart, 241
show policy service-path, 250–252, 269
show policy tunnel-path, 250–252
show run omp, 59
show running-config policy, 306, 313–315, 344–346
show tunnel statistics fec, 274
sla-class, 313
strict, 315
tloc-list, 255
traceroute, 138, 148–149, 151–152, 168, 190, 194–195, 197–198, 207
common desired benefits, WANs, 5–7
configuration management, 91
connectivity
CDFW (cloud-delivered firewall), 261–263
WANs, 12
control plane, 3, 6–7, 25–27, 44
graceful restart, 47
routing loop prevention, 60–65
security, 45
control policies, 111, 134–136. See also localized policies
isolating remote branches from each other, 136–149
monitoring, 147
saving, 147
use cases
creating different network topologies per segment, 206–210
creating extranets and access to shared services, 211–222
enabling branch-to-branch communication through data centers, 149–152, 152–168
enforcing security perimeters with service insertion, 195–200
isolating guest users from the corporate WAN, 202–206
isolating remote branches from each other, 136–149
preferring regional data centers for Internet access, 180–188
regional mesh networks, 188–195
traffic engineering at sites with multiple routers, 169–176, 177–178
controllers. See also vBond; vManage; vSmart
authentication, 497
automatic enrollment for certificates, 498–501
deployment
obtaining a certificate, 498
on-premises deployment, 495–496
counters, 241
creating
localized control policies, 325–327
credit card transactions, packet duplication, 274–280
CRM (Customer Relationship Management), 9
CVVS (Common Vulnerability Scoring System), 363
D
dashboard
AMP (Advanced Malware Protection), 376–377
Application-Aware Enterprise Firewall, 359
data centers, 4
data plane, 3, 6–7, 25–32, 44, 65
pairwise encryption keys, 86–87
address restricted cone NAT, 76–77
full cone, 74
data policies, 114, 227, 228. See also App-Route policies; localized policies
App-Route, 285
backup-sla-preferred color action, 314–315
mapping traffic flows to a transport tunnel, 304
monitoring tunnel performance, 294
packet forwarding, 304, 305–315
preferred color, 312
traffic forwarding configurations, 309–315
effects on users in the guest VPN, 239–242
naming, 238
application-based traffic engineering, 253–260
direct cloud access for trusted applications, 243–252
direct Internet access for guest users, 230–242
protecting applications from packet loss, 269–280
protecting corporate users with a cloud-delivered firewall, 261–269
decryption, pairwise keys, 86–87
destination zone, 353
adding localized control policy, 327–330
setting TLOC preference, 177–178
devices
provisioning
manual bootstrapping of a WAN Edge, 102
Viptela, 102
minimal configuration, 102–103
DIA (Direct Internet Access), 15–16, 31–32, 349–350, 395
direct cloud access for trusted applications, 243–252
distributed architecture, 26–27
DNS Web Layer security, 349, 377–378
configuration, 378
security policy configuration, 378–381
DTLS (Datagram Transport Layer Security), 36–37, 45–46
E
echo mode, BFD (Bidirectional Forwarding Detection), 28–29
editing, data policies, 235–236
EIGRP (Enhanced Interior Gateway Routing Protocol), routing loop prevention, 63–65
encapsulation command, 177
encryption
pairwise encryption keys, 86–87
vSmart, 35
end-to-end segmentation, 15
ERP (Enterprise Resource Planning), 9
export-to command, 211–212, 220
F
FEC (Forward Error Correction), protecting applications from packet loss, 270–274
FEC blocks, 271
firewall(s), 381. See also Application-Aware Enterprise Firewall
Application-Aware Enterprise Firewall
destination zone, 353
firewall policy, 353
self-zone policy, 353
source zone, 353
zone pair, 353
cloud-delivered, 261
validating service insertion, 266–269
policies, 353, 354–355, 356–359
full cone NAT, 74
G-H
graceful restart, 47
guest users, direct Internet access, 230–242
Hello Interval, BFD (Bidirectional Forwarding Detection), 295–297
Active/Active, 13
I
IaaS (Infrastructure as a Service), 4, 5–6, 19
viewing VPC statistics, 426–428
IBN (intent-based networking), 8
IDS/IPS (intrusion detection and prevention)
application service containers, 360–361
security virtual image upload, 364–365
Snort, 361
interactive video, 4
Internet access
inter-zone security, 356
intra-zone security, 355
intrusion detection and prevention, 349
IoT (Internet of Things), 4, 18
IPsec (Internet Protocol Security), 27
IT industry
automation, 2
K-L
KVM (Kernel Virtual Machines), 361
SLA class, 287
liveliness detection, BFD (Bidirectional Forwarding Detection), 295–297
Multiplier value, 297
localized policies, 112–113, 319–320
and centralized policies, 328
adding to the device template, 327–330
route policy configuration, 322–324, 325
viewing effects of route policies on neighboring routers, 333–334
viewing route policies, 330–332
data, 334
ACL, referencing, 337
applying changes, 337
effects of applying an ACL, 338
QoS policy configuration, 338–339
assign traffic to forwarding class, 339–341
configure scheduling parameters for each queue, 341–342
configure the transport interface with the QoS map, 343–346
map forwarding classes to hardware queues, 341
map schedulers into a single QoS map, 342–343
local-tloc command, 255
LxC (Linux Virtual Containers), 361
M
management plane, 6–7, 25–27, 44
manually configured networks, risks, 2–3
max-control-connections 0 command, 495–496
migrating to Cisco SD-WAN
branch design, 469
complete CE replacement, 470–475
integration with branch firewall, 476–478
integration with existing CE router, 475
integration with voice services, 478–479
overlay and underlay integration
full overlay and underlay integration, 485–489
overlay with underlay backup, 481–485
service-side connectivity, 466–469
transport-side connectivity, 463–465
mobile devices, 4
monitoring
centralized policies, 147
tunnel performance, 294
MPLS (Multiprotocol Label Switching), 10–11
multi-tenancy, Cisco SD-WAN (Software-Defined WAN), 38
multi-topology policies, 206–210
N
naming
data policies, 238
localized control policies, 326–327
NAT (network address translation), 73–74, 81
address restricted cone, 76–77
full cone, 74
nat use-vpn 0 action, 249–250, 253
network controllers, 3
networks. See also IBN (intent-based networking)
complexity, 8
O
OMP (Overlay Management Protocol), 34, 44, 47–48
graceful restart, 47
routing loop prevention
status codes, 175
automatic provisioning, 103–105
manual bootstrapping of a WAN Edge, 102
orchestration plane, 44
OSPF (Open Shortest Path First), routing loop prevention, 60–62
P
packet forwarding, App-Route policies, 304
traditional lookup in the routing table, 305–306
packet loss, protecting applications from, 269–270
FEC (Forward Error Correction), 270–274
pairwise encryption keys, 86–87
path quality monitoring, App-Route policies, 298
policers, 119
policies. See also App-Route policies; centralized policies; control policies; data policies; localized policies
centralized, 110–112, 117, 134–136
application-aware routing, 112
cflowd, 112
control, 111
isolating remote branches from each other, 136–149
monitoring, 147
VPN membership, 111
firewall, 354
packet forwarding order of operations, 127–128
saving, 147
port restricted cone NAT, 77–80
PoS (point of sales) systems, 5–6
preferred-color command, 312
on-premises deployment, 494
Cisco SD-WAN (Software-Defined WAN), 38
installation process, 495
previewing, localized data policies, 335–336
private cloud deployment, Cisco SD-WAN (Software-Defined WAN), 38
Q
QoS (quality of service), 2–3, 5–6, 8, 112, 319–320, 339
policies, configuration
assign traffic to forwarding class, 339–341
configure scheduling parameters for each queue, 341–342
configure the transport interface with the QoS map, 343–346
map forwarding classes to hardware queues, 341
map schedulers into a single QoS map, 342–343
R
vSmart, 35
regional mesh networks, use case for centralized policies, 188–195
regionalizing Internet access, 180–188
RFC 4023, 27
RIB (Routing Information Base), 26–27
risks, of manually configured networks, 2–3
routing loop prevention
OSPF (Open Shortest Path First), 60–62
routing policies. See also policies, construction, 115–118
S
SaaS (Software as a Service), 4, 5–6, 9, 19
Cloud onRamp
benefits, 395
DIA (Direct Internet Access), 395
hybrid deployment, 397
monitoring statistics, 398
prerequisites for all site types, 403
prerequisites for DIA or gateway sites, 404–412
through a gateway, 397
saving, policies, 147
security
AMP (Advanced Malware Protection), 372–377
monitoring statistics, 375
Application-Aware Enterprise Firewall
actions, 355
dashboard, 359
firewall policy, 353
firewall policy configuration, 356–359
inter-zone security, 356
intra-zone security, 355
monitoring statistics, 359
self-zone policy, 353
zone pair, 353
control plane, 45
destination zone, 353
DIA (Direct Internet Access), 349–350, 350
DNS Web Layer security, 377–378
security policy configuration, 378–381
IDS/IPS (intrusion detection and prevention), 360–361
application service containers, 360–361
CVVS, 363
security virtual image upload, 364–365
policies, 112
Snort, 361
source zone, 353
threat surface, 350
URL filtering, 350–351, 367–369
vManage authentication and authorization
local authentication with RBAC, 384–387
remote authentication with RBAC, 387–389
WANs, 12
segmentation
end-to-end, 15
self-zone policy, 353
sequences
rules, App-Route policies, 289
and the public cloud, 436
service command, 263
service insertion
CDFW (cloud-delivered firewall), 266–269
service local command, 266–267
service providers, 9
show app-route stats command, 310
show bfd sessions command, 73
show bfd summary command, 151–152
show ip bgp command, 174
show omp routes command, 175, 201–202, 204–206
show omp services command, 56
show omp tlocs detail command, 53–54
show policy data-policy-filter command, 241, 269
show policy from-vsmart command, 241
show policy service-path command, 250–252, 269
show policy tunnel-path command, 250–252
show run omp command, 59
show run vpn 10 command, 59
show running-config policy command, 306, 313–315, 344–346
show tunnel statistics fec command, 274
Simulate Flows tool, 182, 241, 243, 244, 248, 310
single points of failure, 7
sla-class command, 313
SLAs (service-level agreements), 6–7, 9, 14, 253
source zone, 353
strict command, 315
summarization, enabling branch-to-branch communication, 150–152
T
TCP-Opt, 280
adding localized control policy, 327–330
enabling branch-to-branch communication, 152–168
TLOCs (Transport Location Identifiers), 52–54, 137–138, 139–140
setting preferences
with centralized policy, 171–176
with device templates, 177–178
tloc-list, 166
TLS (Transport Layer Security), 45–46
traceroute command, 138, 148–149, 151–152, 168, 190, 194–195, 197–198, 207
trends
trusted applications, direct cloud access, 243–252
U
upgrading, Cisco IOS-XE, 31
URL filtering, 349, 350–351, 367–369
use cases
control policies
creating different network topologies per segment, 206–210
creating extranets and access to shared services, 211–222
enabling branch-to-branch communication through data centers, 149–152, 152–168
enforcing security perimeters with service insertion, 195–200
isolating guest users from the corporate WAN, 202–206
isolating remote branches from each other, 136–149
preferring regional data centers for Internet access, 180–188
regional mesh networks, 188–195
traffic engineering at sites with multiple routers, 169–176, 177–178
application-based traffic engineering, 253–260
direct cloud access for trusted applications, 243–252
direct Internet access for guest users, 230–242
protecting applications from packet loss, 269–280
protecting corporate users with a cloud-delivered firewall, 261–269
V
validating, CDFW service insertion, 266–269
deployment
add controller to vManage, 516–518
initial bootstrap configuration, 514–515
initial system configuration, 514
root certificate chain install, 515
VPN 0 and VPN 512 configuration, 515
version control, 91
Viptela devices, 508
minimal configuration, 102–103
authentication and authorization
local authentication with RBAC, 384–387
remote authentication with RBAC, 387–389
configuring Cloud onRamp for SaaS, 404–412
apply initial bootstrap configuration, 506–510
bootstrap and configure controller, 506
generate certificates, 511–512
GUI, 142
initial system configuration, 507
Real Time option, 137
VPN 0 and VPN 512 configuration, 508
whitelist files, 497
VPC (virtual private cloud), 413
VPN lists, 119
and VRFs, 28
VRF (Virtual Routing and Forwarding), and VPNs, 28
vSmart, 34–35, 44, 45, 57, 147
deployment
add controller to vManage, 520–522
initial bootstrap configuration, 519–520
displaying App-Route policy, 306–308
encryption, 35
initial system configuration, 519
OMP, 34
redundancy, 35
root certificate chain install, 520
VPN 0 and VPN 512 configuration, 519–520
W
WAN Edges, 27, 28, 29, 32, 35, 44, 70, 350–351
administrative distances, 60
firewall, configuration, 197–198
manual bootstrapping, 102
QoS policy configuration, 339
assign traffic to forwarding class, 339–341
configure scheduling parameters for each queue, 341–342
configure the transport interface with the QoS map, 343–346
map forwarding classes to hardware queues, 341
map schedulers into a single QoS map, 342–343
WANs, 4–5. See also Cisco SD-WAN (Software-Defined WAN); hybrid WANs
application support, 13
bandwidth, 9
connectivity, 12
security, 12
use cases demanding changes in
bandwidth aggregation and application load balancing, 13–14
DIA (Direct Internet Access), 15–16
end-to-end segmentation, 15
fully managed network solution, 16–17
protecting critical applications with SLAs, 14
Z
zone pair, 353