Академический Документы
Профессиональный Документы
Культура Документы
Cisco dCloud
Limitations
Requirements
Topology
Get Started
Scenario 7. Prefer Data Center DC1 and DC2 for Different Set of Branches for Regional Internet Exit
What’s Next?
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 67
Demonstration Guide
Cisco dCloud
Limitations
The following are known issues that will be resolved in future releases:
• When showing the traceroute for the first time, additional or unknown hops may display.
• If the ping from vManage to the local host fails, use CLI.
• The ping from vManage will show one loss out of five.
• This demo has an intentionally limited in scope. Cloud OnRamp for SaaS and Cloud OnRamp for IaaS is not
part of the demo
• It may take 15 minutes after the demo has fully launched to start seeing dashboard activity for the SD-WAN
Security dashboard, please plan accordingly. If after 20 minutes, the dashboard hasn’t populated, please
start a new session.
NOTE: vManage periodically polls the statistical data from the devices. To display the graphical data properly on
vManage Dashboard, please let the dcloud session run for at least 45 minutes before conducting the demo.
NOTE: The same would be true with bringing up the BR2-vEDGE1 for the first time. It may take up to 20-30
minutes to display the Flow and DPI graphical data on the Device Dashboard.
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required Optional
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 67
Demonstration Guide
Cisco dCloud
NOTE: In this demonstration, we are not focusing on the standard SD-WAN use cases e.g. standard device
level QoS, standard routing protocols, standard network management interfaces, etc. The goal is to show
advanced SD-WAN capabilities primarily based on centralized control and policies.
NOTE: Cloud OnRamp for SaaS and Cloud OnRamp (IaaS solution) is not demonstrated due to limitation of the
topology.
• Installing remote site networks is a time consuming, manual, and expensive process
• Challenging process to translate application policy to network infrastructure configuration
• Lack visibility into transport health and impact on applications
• End-to-end WAN configuration is complex
• Lack of centralized configuration management, policy management and monitoring
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 67
Demonstration Guide
Cisco dCloud
• Automated zero touch provisioning to accelerate time to market and reduce costs
• Centralized configuration management of ALL network devices via simple use of Templates
• Business policy definition and activation from centralized vManage
• Visibility into applications and transport health from centralized vManage
• Operational simplicity
This guide helps account managers and system engineers in the demonstration of key Cisco SD-WAN
capabilities including Zero Touch Provisioning (ZTP), application performance-based path choice, regional and
Direct Internet Access (DIA) using SD-WAN security features, policy-based topology creation, and
management via vManage.
• Used to illustrate device provisioning and other workflow capabilities within vManage.
• Used to showcase a number of advanced SD-WAN use cases.
• This data cannot be modified or customized in the dCloud environment.
Cisco Intelligent SD-WAN delivers an uncompromised user experience over any kind of transport, allowing the
business to proportionally size their network with operational simplicity while lowering costs. Now, IT can fully
use their WAN investments with the highest performance, reliability, and security while ensuring that all next
generation WAN capability requirements avoid unexpected expenses, complications, and unplanned downtime.
REMINDER: To display the graphical data properly on vManage Dashboard, please let the dcloud session run
for at least 45 minutes before conducting the demo.
Solution Components
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 67
Demonstration Guide
Cisco dCloud
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can see
the IP address and user account credentials to use to access a component by clicking the component icon in
the Topology menu of your active session and in the scenario steps that require their use.
The topology includes two Datacenters and two Remote Branches. The topology has three different VPN/VRF
Segments.
dCloud Topology
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 67
Demonstration Guide
Cisco dCloud
NOTE: OSPF is running in the DCs and Branch 2 in VPN 10. All other segments are using static routing/VRRP.
Site Site ID VPN10 (Test IP) VPN20 (Test IP) VPN40 (Test IP)
Device Addresses
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 67
Demonstration Guide
Cisco dCloud
Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.
1. Initiate your dCloud session. [Show Me How]
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the
local RDP client on your laptop [Show Me How]
• Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 67
Demonstration Guide
Cisco dCloud
Additionally, the vEdge routers also support several south-bound protocols that will enable your team to extend
benefits to both Greenfield and Brownfield environments.
This scenario provides an overview of the Manage Branch Sites component to show how
• Bandwidth augmentation isn’t just as simple point-to-point connectivity but also as flexible connectivity
over any kind of transport.
• Cisco SD-WAN helps with lowering costs, maximizing investments, improving the application experience,
and delivering innovative services across the organization with agility.
Challenge:
• Installing remote site networks is a time consuming, manual and expensive process.
• Automated and adaptive provisioning accelerate time to market and reduce costs.
Objective:
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 67
Demonstration Guide
Cisco dCloud
Steps
NOTE: Deploy a Branch using vManage configuration templates and Viptela’s Zero Touch Provisioning (ZTP)
service.
NOTE: The ZTP process simulated in this lab, using default configuration from the factory, for the vEdge in
Branch 2.
NOTE: The only difference is the out of band VPN 512 configuration. This is configured for the demo user to be
able to log in to the vEdge. The ZTP transport (ge0/0) in this case is in shutdown mode. A no shut will be done
to simulate connecting vEdge to the transport.
NOTE: The vManage Dashboard displays the controllers that are up. There are seven operational vEdges.
Branch-2 vEdge is not provisioned yet.
4. Click on the vManage dashboard icon. Talk about network level monitoring capabilities including:
• Up/Down Status of all Viptela components
• vEdge Health
• Applications/Flow Visibility
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 67
Demonstration Guide
Cisco dCloud
6. Click the X.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 67
Demonstration Guide
Cisco dCloud
Configuring Templates
Value Proposition: Multiple preconfigured templates will be shown. We will select the preconfigured
BranchType2 template to illustrate how a customer can use a template to facilitate and simplify the rollout of a
new branch site.
1. Click on Configuration icon and select Templates from the drop-down menu.
NOTE: We are selecting this device since it has not been provisioned.
2. Click on the three dots (…) in the right most column for BranchType2Template-vEdge.
3. From the drop-down, select the option Attach Devices.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 67
Demonstration Guide
Cisco dCloud
4. From the left pane labeled Available Devices, find the device with chassis-id/UUID of 52c7911f-c5b0-
45df-b826-3155809a2a1a.
5. Move the selected device to the right pane labeled Selected Devices by clicking on the right arrow.
6. Once the device is moved to the right pane, click Attach.
7. Click on the three dots (…) in the right most column and select Edit Device Template.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 67
Demonstration Guide
Cisco dCloud
NOTE: The device values can be updated from the GUI interface, if desired. In this demonstration, we will use a
predefined csv file with device values.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 13 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 67
Demonstration Guide
Cisco dCloud
14. To populate the values for the variables based on the uploaded CSV file, click Next.
15. Click the tab in the left column with BR2-VEDGE1 label to see the full configuration for validation.
16. Click Configure Devices.
17. Wait for few seconds until the device status changes from In Progress to Done – Scheduled.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 67
Demonstration Guide
Cisco dCloud
NOTE: The dashboard will reflect that only 7 Edge devices are operational.
1. To activate the Internet connection at Branch 2, from the desktop, double-click the Python script named
TurnUp-BR2-INET-Connection.py.
NOTE: Accept any MTPutty security alerts to add the key to the Putty cache.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 67
Demonstration Guide
Cisco dCloud
2. Return to the vManage dashboard. The BR2-VEDGE1 will come up and the dashboard will show total of
eight (8) Edge devices are operational.
NOTE: At this time, there is no policy defined for the overlay and hence we have full-mesh connectivity across
all three VPNs (10, 20, 40).
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 17 of 67
Demonstration Guide
Cisco dCloud
5. From the Monitor Device menu, click Control Connections. Validate that control sessions are established
to vSmart and vManage.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 67
Demonstration Guide
Cisco dCloud
6. To validate IP reachability within Branch2 VPN10, ping the VPN10 test host at 10.4.10.10.
7. From the menu on the left, click Troubleshooting.
8. Under Connectivity, click Ping and use the following IP addresses to illustrate and confirm local
connectivity.
NOTE: To change to a different VPN, first change the Source/Interface back to Choose/Reset selections. As the
network is segmented with different VPNs (a.k.a. VRFs), you must ping destinations and use interfaces within
the same VPN.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 19 of 67
Demonstration Guide
Cisco dCloud
9. In the Destination IP* field, type 10.4.10.10, from the VPN dropdown, select VPN 10 and from the
Source/Interface for VPN 10, select the only available option from drop-down menu.
10. Click Ping.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 20 of 67
Demonstration Guide
Cisco dCloud
13. Return to Monitor > Network and select BR2-VEDGE1 from the list.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 21 of 67
Demonstration Guide
Cisco dCloud
14. To view granular application network profile data, from the Monitor Device menu, select Applications.
NOTE: Before checking DPI, it may take 15 minutes after performing ZTP to see output.
NOTE: If data does not display, adjust the custom window to a shorter date range.
16. Click on interface in the left column menu and then click 1h to see utilization of the interfaces on the Edge
device.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 22 of 67
Demonstration Guide
Cisco dCloud
For corporate VPN 10, we will only advertise the branches’ routes to the DCs and not to other branches.
• The DCs are advertising default routes and hence when a branch needs to talk to other branches, they will
take the default to the DCs.
• The DC vEdges then route the traffic back to the other remote branches.
For the PCI/IOT segment (VPN 20), we will advertise the routes between the branches by setting the next-hop
pointing to the DCs TLOCs.
• This is being done to provide Hub-n-Spoke communication between the branches through the DCs as
there is no default route being advertised from the DCs.
• We can filter the routes here as well, so that access for applications is only via the DCs or specific
destinations limiting access for the particular VPN.
For guest WiFi VPN 40, we don’t need any communication between the branches.
• We will restrict the route exchange between sites for VPN 40.
• There will be only one static default route in VPN 40 providing direct internet access.
Challenge:
• Arbitrary topology creation and management is a complex task and may require touching all the branches
and/or the provider involved.
• Simple activation of policy from central vManage results in simpler operations, reduced cost, and reduction
in time and effort.
Objective:
• Use centralized control policy to create a Hub-n-Spoke IPSec/BFD topology while maintaining branch-to-
branch communication for VPN 10 and VPN 20.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 23 of 67
Demonstration Guide
Cisco dCloud
Steps
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 24 of 67
Demonstration Guide
Cisco dCloud
NOTE: The tunnels highlighted on your screen may not be exactly like the screen shot shown in the guide.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 25 of 67
Demonstration Guide
Cisco dCloud
NOTE: The results of the following traceroutes will illustrate a direct (i.e. spoke-to-spoke) path taken from
Branch2 to hosts within VPNs 10 and 20 at Branch1.
7. In the Destination IP* field, type 10.3.10.10, from the VPN dropdown, select VPN 10 and from the
Source/Interface for VPN 10, select the only available option from drop-down menu.
8. Click Start.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 26 of 67
Demonstration Guide
Cisco dCloud
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 27 of 67
Demonstration Guide
Cisco dCloud
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
Configure Policies
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 28 of 67
Demonstration Guide
Cisco dCloud
NOTE: The policy is applied to the vSmart controllers. vSmart will push the policies to the appropriate vEdge
routers.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 29 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 30 of 67
Demonstration Guide
Cisco dCloud
NOTE: Point out that only tunnels to the DC vEdges are in an operational UP state.
NOTE: The tunnels highlighted on your screen may not be exactly like the screen shot shown in the guide.
However, the tunnels to the DC vEdges will be the only tunnels in an operational/up state
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 31 of 67
Demonstration Guide
Cisco dCloud
NOTE: Point out that the inter-branch traffic path now traverses the DC for VPN 20.
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 32 of 67
Demonstration Guide
Cisco dCloud
In this scenario we will demonstrate the following topologies for different VPNs using policies:
Challenge:
• Arbitrary topology creation and management is a complex task and may require touching all the branches
and/or involving the provider.
• The activation of policy from a centralized vManage results in simpler operations, reduced cost, and
reduction in time and effort.
Objective:
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 33 of 67
Demonstration Guide
Cisco dCloud
Steps
5. When the policy has successfully pushed to each VSmart, the activation status changes to Success.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 34 of 67
Demonstration Guide
Cisco dCloud
3. Select Troubleshooting from the left column and then click Trace Route.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 35 of 67
Demonstration Guide
Cisco dCloud
4. In the Destination IP* field, type 10.3.10.10, from the VPN dropdown, select VPN 10 and from the
Source/Interface for VPN 10, select the only available option from drop-down menu.
5. Click Start.
NOTE: If the output yields n/a results, click Start again or redo the entire trace route steps above.
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
8. Click Start.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 36 of 67
Demonstration Guide
Cisco dCloud
NOTE: If the output yields n/a results, click Start again or redo the entire trace route steps above.
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 37 of 67
Demonstration Guide
Cisco dCloud
Challenge:
• Arbitrary topology creation and management is a complex task and may require touching all the branches
and/or involving the provider.
• Previously, Firewall or any other service had to sit in path but with service insertion the Firewall could sit in
any of the enterprise locations.
• Simple activation of policy from central vManage. Results in simpler operations, reduced cost and reduction
in time and effort.
• Ubiquitous deployment of security controls via firewall and IPS service insertion policies.
• Using Cisco SD-WAN one can place services anywhere in the network.
• Using policies can make certain flows and sites have traffic go through those services.
Objective:
• Have to deploy and define Firewalls in DC1 and DC2 for corporate VPN 10.
• Based on policy have the branch to branch traffic go through the Firewall for corporate VPN 10.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 38 of 67
Demonstration Guide
Cisco dCloud
Steps
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 39 of 67
Demonstration Guide
Cisco dCloud
NOTE: You can see that traffic between branches is being rerouted through the data center where a firewall is
inspecting traffic.
NOTE: If the output yields n/a results, click Start again or redo the entire trace route steps above.
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 40 of 67
Demonstration Guide
Cisco dCloud
NOTE: If the output yields n/a results, click Start again or redo the entire trace route steps above.
NOTE: The output on your screen may not be exactly like the screen shot shown in the guide.
NOTE: Quickly change device context by using the blue Select Device drop-down menu located in the top left.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 41 of 67
Demonstration Guide
Cisco dCloud
16. Highlight the MultiTopologyPlusFWInsertion policy and then click the three dots (…) to the right of the
policy name.
17. Select Deactivate.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 42 of 67
Demonstration Guide
Cisco dCloud
Challenge:
• Implementation and maintenance of router-based FW/ACL rules requires touching all the branch routers.
• This is a manual and complex task, prone to human errors and may require considerable time and effort.
• Simple activation of policy from central vManage results in simpler operations, reduced cost, and reduction
in time and effort.
• Consistent and centralized policy deployment reduces the risk of missed policy application and human
error.
Objective:
• Deploy additional data policy to drop traffic between Branch 1 and Branch 2.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 43 of 67
Demonstration Guide
Cisco dCloud
Steps
5. Validate connectivity from BR2-VEDGE1 to the test host in Branch3 in VPN 10 by entering the destination IP
10.3.10.10.
6. Click Ping.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 44 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 45 of 67
Demonstration Guide
Cisco dCloud
18. Validate connectivity from BR2-VEDGE1 to the test host in Branch1 in VPN 10 by entering the destination IP
10.3.10.10.
19. Click Ping.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 46 of 67
Demonstration Guide
Cisco dCloud
NOTE: The ping will fail due to centralized ACL blocking communication between the branches for PCI/IOT
segment.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 47 of 67
Demonstration Guide
Cisco dCloud
• The traffic received switch from the mpls interface to internet interface after the latency impairment on the
mpls transport
• Fast deployment model for flexible topologies, any type of circuit could be deployed, which provides the
ability to direct distinct types of traffic over distinct types of links. Video could go over the internet, mission
critical applications can go over MPLS. LTE could be circuit of last resort. This provides path diversity and
high availability.
• New application delivery models, having the capability to move traffic based on application performance.
• The traffic received by BR2-VEDGE1 on the mpls interface (ge0/0) and the internet interface (ge0/1).
• The policy is applied to all sites, so the policy has impact on all the traffic received and sent by BR2-
VEDGE1. More traffic is received than sent by the BR2-VEDGE1.
Challenge:
• Dynamic path selection based on transport performance is complex to deploy and hard to update policies
on demand.
• Simple activation of policy from central vManage. Results in simpler operations, reduced cost and reduction
in time and effort.
Objective:
• Define SLA based policies and re-route traffic as the transport network conditions change.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 48 of 67
Demonstration Guide
Cisco dCloud
Steps
NOTE: The device dashboard for BR2-VEDGE1 displays the current performance measurement on both the
transports.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 49 of 67
Demonstration Guide
Cisco dCloud
NOTE: These values are much lower than the SLA definitions defined for the app-route policies.
11. Scroll to the right to see the columns showing (Mean and Average) Latency, Loss and Jitter for each of
the tunnels on MPLS and Internet.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 50 of 67
Demonstration Guide
Cisco dCloud
NOTE: Simulate Flows provides a simulation on what IPSec tunnels will used for the defined flow based on
policies and transport performance measurements.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 51 of 67
Demonstration Guide
Cisco dCloud
NOTE: This shows that the traffic class with DSCP of 46 will go over MPLS as it meets the SLA (latency <=
50msec) and is the preferred color.
WAN Impairment
1. Open new tab in Chrome and click the WAN Impairment bookmark.
2. Click Branch 1 and choose mpls transport and then click Submit.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 52 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 53 of 67
Demonstration Guide
Cisco dCloud
8. Click Deactivate.
9. The policy status will change from In Progress to Success, and the policy is successfully removed from
vSmart-1 and vSmart-2. Full mesh connectivity has been restored.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 54 of 67
Demonstration Guide
Cisco dCloud
Scenario 7. Prefer Data Center DC1 and DC2 for Different Set of Branches for
Regional Internet Exit
Value Proposition: If the customer wants DC1 the preferred exit for Branch 1 and DC2 as the preferred exit for
Branch 2, the Enterprise may want different branches to take different regional exits to the Internet on the same
overlay.
Challenge:
• Activation of policy from central vManage results in simpler operations, reduced cost, and reduction in time
and effort.
Objective:
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 55 of 67
Demonstration Guide
Cisco dCloud
Steps
NOTE: Notice that the preference is not set for the default route received from DC2 and DC1.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 56 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 57 of 67
Demonstration Guide
Cisco dCloud
NOTE: Point out the default route in VPN 10 to show the route installed is pointing to DC1 as the preferred path.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 58 of 67
Demonstration Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 59 of 67
Demonstration Guide
Cisco dCloud
Challenge:
• Backhauled internet-bound traffic on a corporate firewall is a complex problem which requires more
appliances.
• Activation of SD-WAN Security policy from central vManage results in simpler operations, reduced cost,
and reduction in time and effort.
• Insert a wide range of security offerings at remote locations without needing more appliances.
Objective:
• Leverage defense-in-depth security offerings in a combined platform so customers can decide what
posture to adopt in distinct locations across the WAN saving on rack space.
REMINDER: It may take 15 minutes after the demo has fully launched to start seeing dashboard activity for the
SD-WAN Security dashboard, please plan accordingly. If after 20 minutes, the dashboard hasn’t populated (this
is a known issue that will be fixed in the next release), please start a new session.
Steps
1. Click on the Dashboard button and then Security to view the SD-WAN Security dashboard.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 60 of 67
Demonstration Guide
Cisco dCloud
2. Click the small down arrow in the first widget and adjust time frame to 1 hour and click Search.
4. To the right of BranchType1Template-CSR click the three dots (…) and then select View.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 61 of 67
Demonstration Guide
Cisco dCloud
5. After the page loads, click Additional Templates which will go to the bottom, where Security Policy is
listed.
NOTE: Notice the Security Policy and the Container Profile. The Container runs the snort IPS engine.
6. Click Cancel.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 62 of 67
Demonstration Guide
Cisco dCloud
Value Proposition: Explore the preconfigured SD-WAN Security policy. Each security offering needs its own
policy. Explore each one now.
8. To the right of Branch-DIA-Security policy, click the three dots (…) and View.
NOTE: Due to a visual bug in vManage, the implicit deny rule (called Drop) shows above the other rules. It will
NOT take effect before the configured rules.
NOTE: Notice that this firewall is zone-based and is configured to inspect traffic from the Guest VPN to the
Outside.
NOTE: The rules are allowing traffic from the branch subnets and the traffic is being inspected.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 63 of 67
Demonstration Guide
Cisco dCloud
12. Click Intrusion Prevention to see how the IPS rules are set up.
13. Click on the three dots (…) to the right of the Branch-DIA-IPS policy and click View.
Value Proposition: Notice that there is only 1 VPN targeted, which is the Guest VPN. We can select a security
posture as well as detect or protect against attacks. The SD-WAN IPS is based on Snort which uses Cisco
Talos signatures, and while not as granular as the full Firepower offering should meet 99% of remote office
needs.
NOTE: Notice that we can create a signature whitelist if certain applications are triggering the IPS but should be
allowed (common with some corporate home-grown applications).
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 64 of 67
Demonstration Guide
Cisco dCloud
NOTE: The URL Filtering policy is functionally like the expanded Cisco Web Security Appliance (WSA) offering.
Though not as granular as the full WSA appliance, the URL Filtering offering in SD-WAN Security allows you to
customize category/reputation, specify a block page (or redirect per something like ISE), as well as to
customize a whitelist/blacklist.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 65 of 67
Demonstration Guide
Cisco dCloud
Value Proposition: AMP (Advanced Malware Protection) provides cloud-based file reputation checking, while
Threat Grid's behavior-based deep file analysis can help detect and stop zero-day and polymorphic malware
threats.
20. Click the three dots (…) next to the BRANCH-DIA-AMP and then select View.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 66 of 67
Demonstration Guide
Cisco dCloud
What’s Next?
• Talk about it on the dCloud Community.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 67 of 67