SCAZT: Integrating Cisco Catalyst SD-WAN Branch Site with Cisco Umbrella
1. Overview
Note: This tutorial is adapted from the SCAZT course on Cisco U. If you find this helpful, consider taking the full course.
What You’ll Learn
- How to deploy Cisco Umbrella Secure Internet Gateway (SIG)
- Integrating the Cisco Catalyst Software-Defined WAN (SD-WAN) deployment with Cisco Umbrella SIG
- How to deploy policies to route internet-bound traffic through the security services in the Cisco Umbrella cloud
What You’ll Need
- Cisco Umbrella
- Cisco Catalyst SD-WAN
2. Cisco Umbrella Secure Internet Gateway (SIG)
Network decentralization and the associated security challenges are the top IT issues for all enterprises. To alleviate these challenges, security leaders are increasingly turning to integrated, cloud-delivered solutions that provide comprehensive user protection while greatly simplifying security operations and reducing the cost, time, and resources previously required for implementation, configuration, and integration.
Cisco Umbrella is a cloud-based SIG platform that offers many layers of protection against internet-based attacks. Cisco Umbrella includes secure web gateway, firewall, Domain Name System (DNS) layer security, and cloud access security broker (CASB) functions to protect your systems from threats.
Cisco Umbrella has evolved over the years from providing crucial DNS security to a fully developed security stack. By integrating the following components, Cisco Umbrella delivers them as a single cloud service:
DNS layer security: Cisco Umbrella protects your network and endpoints by enforcing security at the DNS layer. Cisco Umbrella blocks requests to malicious and unwanted destinations even before establishing a connection. This action stops threats over any port or protocol before they reach your network or endpoints.
Secure web gateway (full proxy): Cisco Umbrella contains a cloud-based complete proxy that is capable of logging and inspecting all your online traffic for increased visibility, control, and protection. You can use IP Security (IPsec) tunnels, proxy autoconfiguration (PAC) files, and proxy chaining to forward traffic to get complete visibility, URL and application-level controls, and enhanced threat protection.
CDFW: The Cisco Umbrella cloud-delivered firewall (CDFW) delivers visibility and control over traffic originating from internet requests, spanning all ports and protocols.
CASB: Cisco Umbrella helps with exposing shadow IT by recognizing and reporting on cloud applications used throughout your environment. Insights can aid in cloud adoption management, risk reduction, and the prevention of the deployment of harmful or inappropriate cloud applications.
Remote browser isolation (optional add-on): Cisco Umbrella remote browser isolation (RBI) extends the Umbrella secure web gateway by separating web traffic from the user’s device, so the threat never reaches the device. This way, users can browse risky websites without putting the endpoint at risk.
Understanding the traffic flow through Cisco Umbrella is essential for network and security engineers:
Umbrella SIG receives all traffic from the network: through IPsec tunnels from network devices and through endpoint connectors on roaming devices. In a Cisco Umbrella policy, Umbrella represents a network entity, user, or group as an identity. The settings for the Cisco Umbrella policy apply to the combination of an identity and a destination. When Cisco Umbrella receives a request for a destination from an identity, it applies the DNS policies enabled for that identity and destination. If the destination is not blocked by the Cisco Umbrella DNS layer security, Umbrella forwards web traffic to the CDFW and the secure web gateway.
Here is the policy implementation workflow:
When Cisco Umbrella receives a DNS request, it associates the identity and destination with an enabled DNS policy. The DNS layer security enforces the DNS policy actions.
When a firewall policy is enabled, Cisco Umbrella routes all requests permitted by the DNS layer security to the CDFW. The Cisco Umbrella CDFW either filters the request or forwards it to the secure web gateway through port 80 or 443.
Once you enable a web policy, the Cisco Umbrella secure web gateway assesses web traffic on ports 80 and 443 and executes the web policy actions.
After that, the permitted traffic is egressed via Network Address Translation (NAT).
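The following added example models the evaluation order just described (DNS layer, then CDFW, then secure web gateway for ports 80 and 443, then NAT egress). It is illustrative code written for this tutorial, not Umbrella's own policy engine: the policy fields, the sample identities and domains, and the egress address are all constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    identity: str    # the network, user, or group Umbrella attributes the request to
    domain: str
    port: int
    path: str = "/"


@dataclass
class PolicySet:
    # Constructed, simplified policy sets; not Umbrella's real policy schema.
    dns_blocked: set = field(default_factory=set)         # domains denied at the DNS layer
    firewall_enabled: bool = True
    cdfw_blocked_ports: set = field(default_factory=set)  # ports the CDFW filters
    web_blocked_paths: set = field(default_factory=set)   # (domain, path prefix) denied by web policy
    nat_egress: str = "192.0.2.10"  # constructed placeholder for the Umbrella egress address


def evaluate(req: Request, policies: dict) -> dict:
    """Walk one request through the SIG layers in the order the tutorial describes."""
    # Umbrella selects the policy by identity; fall back to a default policy set here.
    policy = policies.get(req.identity, policies["default"])
    trace = ["dns"]
    # 1. DNS layer security: enforced before any connection, regardless of port or protocol.
    if req.domain in policy.dns_blocked:
        return {"action": "block", "layer": "dns", "trace": trace}
    # 2. CDFW: only requests the DNS layer permitted get here, and only if a firewall policy is on.
    if policy.firewall_enabled:
        trace.append("cdfw")
        if req.port in policy.cdfw_blocked_ports:
            return {"action": "block", "layer": "cdfw", "trace": trace}
    # 3. Secure web gateway: only traffic on 80/443 is handed to the web policy.
    if req.port in (80, 443):
        trace.append("swg")
        for domain, prefix in policy.web_blocked_paths:
            if req.domain == domain and req.path.startswith(prefix):
                return {"action": "block", "layer": "swg", "trace": trace}
    # 4. Permitted traffic egresses through NAT, so the destination sees the Umbrella address.
    trace.append("nat")
    return {"action": "allow", "egress": policy.nat_egress, "trace": trace}


# Constructed sample policies: one for the Branch 2 network identity and a default.
POLICIES = {
    "branch2": PolicySet(dns_blocked={"malware.example"}, cdfw_blocked_ports={23, 445},
                         web_blocked_paths={("files.example", "/upload")}),
    "default": PolicySet(),
}
```

Running a request on port 445 against the `branch2` policy stops at the CDFW, while a request on port 443 to an allowed domain is the only kind that reaches the web policy before NAT.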
3. Secure Internet Access with the Application-Aware Firewall
In this part of the tutorial, you will configure both Cisco Umbrella and your Cisco Catalyst SD-WAN (formerly Cisco SD-WAN) network to bring up the secure automated tunnels for protecting Direct Internet Access (DIA) traffic of your remote site Branch 2. You will generate Cisco Umbrella application programming interface (API) keys and then create and attach SIG-related templates to your Branch 2 WAN Edge router.
Note: The lab environment is not available for this tutorial. However, the configuration steps are provided for your reference. Feel free to follow along with the provided outputs.
The first step in the integration between Cisco Umbrella and Catalyst SD-WAN is to create a key and secret for the Umbrella Management API. In the Cisco Umbrella dashboard, navigate to Admin > API Keys, click Legacy Keys, expand the Umbrella Management section, and then click Generate Token. Save the generated key and secret to a text file. Make sure that you copy both values before closing the view. For security purposes, this value is displayed just once.
The Cisco Umbrella Management API is used by the supported network devices to establish the IPsec tunnels to Cisco Umbrella. Remember to also retrieve the organization ID of your Cisco Umbrella account, because you will need all three values—key, secret, and organization ID—for Cisco Umbrella registration in Cisco Catalyst SD-WAN Manager (formerly Cisco vManage).
Note: Although Cisco vManage is now called Cisco Catalyst SD-WAN Manager, the screenshots shown in this tutorial still display the previous name.
- The generated key and secret values will be unique and different from those shown in the figures in this tutorial.
- In addition to the key and the secret, you must also make a note of the organization ID. This is a seven-digit number and is found in the URL of the Cisco Umbrella dashboard.
Once you have saved the API key, the secret, and the organization ID, you can proceed to integrate your Catalyst SD-WAN fabric with Cisco Umbrella SIG.
Return to SD-WAN Manager and create the feature template for the Cisco SIG credentials. Use the credentials saved in the previous step to prepare the feature template.
In SD-WAN Manager, navigate to Configuration > Templates.
- Open the Feature Templates tab, and click Add Template to create a new feature template.
- Choose the C8000v device model, scroll down, and create the Cisco SIG Credentials feature template.
- Provide a name and a description for the template (example: Lab6_Task2_SIG_Credentials). Make sure that Cisco Umbrella is chosen as the SIG Provider, and populate the required parameters with the information saved in the previous step. The Get Keys option is not available because SD-WAN Manager is not configured with a Smart Account. Click the Save button to save the feature template.
- Verify that the new feature template is created. You can scroll through the available feature templates or reorder the list based on the Last Updated time. The new template will be displayed at the top of the list.
4. Templates for SIG Tunnels
Create the feature template for the SIG tunnels. Use the following information to configure the feature template:
- Name and Description
  - Name: Lab6_Task2_SIG
  - Description: Cisco Umbrella SIG Tunnels
- Tracker
  - Source IP Address: Device Specific variable
- Configuration:
  - Tunnel 1
    - Interface Name: ipsec2
    - Tunnel Source Interface: GigabitEthernet2
    - Data Center: Primary
    - TCP MSS: 1300
  - Tunnel 2
    - Interface Name: ipsec3
    - Tunnel Source Interface: GigabitEthernet3
    - Data Center: Secondary
    - TCP MSS: 1300
- High Availability:
  - Active: ipsec2
  - Backup: ipsec3
In SD-WAN Manager, on the Feature Templates screen, click Add Template to create a new feature template.
- Choose C8000v as the device model, scroll down, and create a Cisco Secure Internet Gateway (SIG) feature template.
- Provide a name and a description for the feature template (example: Lab6_Task2_SIG). Configure the Tracker Source IP Address as a Device Specific variable. You can leave the default variable name (vpn_trackersrcip).
- In the Configuration section, make sure that Umbrella is selected as your SIG Provider, and click the Add Tunnel button.
- Provide the tunnel Interface Name (ipsec2) and the Tunnel Source Interface (GigabitEthernet2).
- Scroll down and choose the Data Center as Primary, then expand Advanced Options.
- Under Advanced Options, set the TCP MSS (maximum segment size) to 1300 bytes. Click Add to add the primary tunnel.
- Verify that the primary tunnel is added to the configuration. Click the Add Tunnel button once more to add a secondary tunnel.
- Provide the tunnel Interface Name (ipsec3) and the Tunnel Source Interface (GigabitEthernet3).
- Scroll down and choose the Data Center as Secondary, then expand Advanced Options.
- Under Advanced Options, set the TCP MSS to 1300 bytes. Click Add to add the secondary tunnel.
- Verify that both tunnels have been added to the configuration. Under the High Availability section, configure ipsec2 as the Active tunnel and ipsec3 as the Backup tunnel. Do not modify any other parameters. Click the Save button to save the feature template.
- Verify that both feature templates are created. You can scroll through the available feature templates or reorder the list based on the Last Updated time. The new template will be displayed at the top of the list.
5. Attaching Templates
Attach the Cisco Umbrella SIG feature templates to the device template that is already attached to devices at Branch 2. The SIG tunnel template is attached under the Transport VPN, and the SIG Credentials template is attached under the Additional Templates section.
- In SD-WAN Manager, navigate to Configuration > Templates > Device Templates. Locate the template attached to Catalyst SD-WAN devices at Branch 2 (SDWSCS1.0_EDGE_BRANCH_SingeRouter_BR2), click the more options (…) button, and choose Edit to modify the template.
- In the device template, scroll down to the Transport & Management VPN section. From the right-side menu, attach the Cisco Secure Internet Gateway feature template, and then choose the feature template that you previously created.
- Now, scroll down to the Additional Templates section. Because you attached the Cisco SIG template to the Transport VPN, you must also attach the Cisco SIG Credentials feature template. Choose the Cisco SIG Credentials template that you created in the previous task, and click the Update button to save your changes.
- The template that you modified is attached to devices, so you must deploy the changes immediately. Click the more options (…) button, and choose Edit Device Template.
- Provide the IP address for the vpn_trackersrcip variable. Find the variable Source IP Address (vpn_trackersrcip). Enter the value 10.2.2.50/32. Pay attention to the format of the value; it must be a /32 prefix, not just an IP address. Click the Update button to submit the changes.
For Cisco IOS XE SD-WAN, a loopback 65530 interface in VRF 65530 is created and used to source the Layer 7 health check probes through each active and backup tunnel. The user must configure a tracker source IP address, which is a private RFC 1918 address that should not overlap with other interfaces. In this case, 10.2.2.50/32 is used as the source IP address.
Click the Next button to continue to verify the configuration and deploy the changes.
- Choose a device from the left-side menu, and choose Config Diff to preview the changes.
- Scroll down and view the changes highlighted in green. You will notice the credentials, the service configuration, and the IPsec profiles and tunnels. Once you’re done, click the Configure Devices button to initiate the deployment.
- Wait for the deployment to complete, and verify that it was deployed successfully.
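The vpn_trackersrcip value has three requirements in the steps above: it must be written as a /32 prefix rather than a bare address, it must be an RFC 1918 private address, and it must not overlap any other interface on the router. The following added example (not part of the tutorial or of SD-WAN Manager) checks all three before you submit the device template; the interface prefixes passed in are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges; the tracker source must lie inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_tracker_source(value, interface_prefixes):
    """Check a proposed vpn_trackersrcip value before deploying the device template.

    value              -- the string to enter for vpn_trackersrcip, e.g. "10.2.2.50/32"
    interface_prefixes -- prefixes already configured on the router's interfaces,
                          in "address/len" form (constructed sample input in the tests)
    Returns a list of problem descriptions; an empty list means the value is usable.
    """
    problems = []
    if "/" not in value:
        # ipaddress would silently treat a bare address as a /32, so check the text first:
        # SD-WAN Manager wants an explicit /32 prefix, not just an IP address.
        problems.append("value must be written as a /32 prefix, not a bare IP address")
        return problems
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        problems.append(f"{value!r} is not a valid IPv4 prefix")
        return problems
    if net.version != 4:
        problems.append("tracker source must be an IPv4 prefix")
        return problems
    if net.prefixlen != 32:
        problems.append(f"prefix length must be /32, got /{net.prefixlen}")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private address")
    for prefix in interface_prefixes:
        # strict=False turns "10.2.2.1/24" into the interface's subnet 10.2.2.0/24.
        iface = ipaddress.ip_network(prefix, strict=False)
        if net.overlaps(iface):
            problems.append(f"{net} overlaps interface prefix {prefix}")
    return problems


if __name__ == "__main__":
    # The tutorial's value, checked against constructed Branch 2 interface prefixes.
    print(validate_tracker_source("10.2.2.50/32", ["192.168.2.1/24", "100.64.0.2/30"]))
```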
6. Verify Tunnels
Verify the IPsec tunnels configured on the Catalyst SD-WAN router at Branch 2.
- In SD-WAN Manager, navigate to Monitor > Devices.
- Choose the BR2-Edge device.
- Open the Interface section, and look for Tunnel100002 and Tunnel100003. These are the two tunnels created for Cisco Umbrella SIG. Both tunnels should be operational.
Verify the network tunnels created in Cisco Umbrella.
Note: The tunnels may take up to 10 minutes to get established between the Catalyst SD-WAN routers and the Cisco Umbrella cloud. Please be patient.
In Google Chrome, open the Dashboard bookmark. Click the View button to open the Cisco Umbrella dashboard.
In the Cisco Umbrella dashboard, on the Overview page, look at the number of Active Network Tunnels. Click the tunnels to be redirected to the Network Tunnels page.
Verify the two tunnels configured under Cisco Umbrella. The tunnel names are generated automatically, based on the site ID and system IP of the device.
Note: Do not change anything on this page; otherwise, you may break the integration of your Catalyst SD-WAN network with Cisco Umbrella.
7. Route Traffic to Cisco Umbrella SIG
In this step, you will configure the Catalyst SD-WAN routers to route internet traffic to the Cisco Umbrella SIG via the configured IPsec tunnels. There are multiple options to accomplish this. In this task, you will use a service route configured under the Service VPN feature template.
Modify the Service VPN feature template and add a service route to forward internet traffic to Cisco Umbrella SIG. Add the 0.0.0.0/0 prefix to the route, and choose SIG as the Service.
In SD-WAN Manager, navigate to Configuration > Templates.
- From the Device Templates page, open the Feature Templates tab.
- Find the Service VPN template (SDWSCS10_serviceVPN_100), click the more options (…) button, and choose Edit to modify the template.
- Inside the Service VPN feature template, open the Service Route section.
- Click the New Service Route button to add a new service route. Enter 0.0.0.0/0 as the prefix, and make sure that SIG is chosen as the Service. Click the Add button to add the service route.
- Verify that the service route is added to the configuration, and click the Update button to save your changes.
- Because the Service VPN template that you modified is attached to multiple device templates, from the Device Template menu at the top left, choose the correct device template attached to Branch 2.
- Use the more options (…) button for the BR2-Edge device, and choose Edit Device Template to edit variable values.
- Remove Prefix from vpn100_nat_route. This action is required to route traffic to the SIG service. Click the Update button to save your changes.
- Once the NAT route prefix is removed, click the Next button to proceed.
- Choose the correct device template from the menu, and click the BR2-Edge device. Choose Config Diff to view the changes that are being deployed.
Scroll down and find the changes highlighted in green or red. Green indicates added configuration, and red indicates removed configuration. You should see the NAT route removed and the service route added. Click the Configure Devices button to initiate the deployment.
You may also notice the API keys being changed. This is not an issue, because it is only the encrypted string of the API secret.
- Because the feature template is attached to multiple devices, you must confirm the deployment. Mark the check box to confirm deployment, and click the OK button to start deploying the configuration.
- Wait for the configuration to be deployed, and verify that the deployment is successful.
8. Testing with PC
From Windows PC2, verify that internet traffic is now routed to Cisco Umbrella SIG and that you have full internet access. From a web browser, verify that the current public IP address is now different from the public IP address that you noted before. Open websites, such as Facebook or Twitter, and verify that they can be accessed.
Open a web browser on Windows PC2 and type what is my ip in the search box. This time, you should not see the same IP address that you noted before. The public IP address of the traffic from Cisco Umbrella SIG users will appear to come from the address ranges 146.112.0.0/16, 155.190.0.0/16, or 151.186.0.0/16. The actual IP address that you will see may differ from the screenshot.
Open a new tab in the web browser and try to access Facebook or Twitter. Both websites should be accessible because there is currently no policy configured in Cisco Umbrella.
9. Congratulations
You’ve completed this tutorial, advancing in your CCNP journey. To continue building your networking skills, check out our additional tutorials, courses, and learning paths.