Cisco Secure SD-WAN (Viptela) - Single DCv1

First Published: 2022-05-24


Last Modified: 2022-09-21

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
About
Topology

Note OSPF is running in the DC and Branch 2 in VPN 10. All other segments are using static routing/VRRP.

Host IPs for testing data plane connectivity

[Topology figure: per-site table of test host IPs for the DC and branches; the diagram did not survive extraction.]

Device Addresses

Device    System IP      Interface IP
vBond1    11.11.11.11    198.18.1.11
vSmart1                  198.18.1.12
vSmart1                  198.18.1.22
vManage   10.10.10.10    198.18.1.10

Before You Present

Get Started

Connect to the workstation with Cisco AnyConnect VPN and the local RDP client on your laptop.

• Workstation 1: 198.18.133.36, Username: dcloud\demouser, Password: C1sco12345

CHAPTER 2
Scenarios
• Zero Touch Site Bring Up, on page 7
• Hub and Spoke Topology, on page 20
• Multi-Topology - Different Topologies Per VPN, on page 29
• Service Insertion – Regional/DC Firewall, on page 34
• Application Firewalling using Centralized Policies, on page 43
• Application Aware Routing, on page 51
• SD-WAN Security Overview, on page 59

Zero Touch Site Bring Up

Note Deploy a branch using vManage configuration templates and Viptela's Zero Touch Provisioning (ZTP)
service.
The ZTP process is simulated in this lab using the factory default configuration of the vEdge in
Branch 2.
The only difference is the out-of-band VPN 512 configuration, which is in place so that the demo user can
log in to the vEdge. The ZTP transport (ge0/0) in this case is in shutdown mode. A no shut will be done to
simulate connecting the vEdge to the transport.

vManage Overview
Procedure

Step 1 Connect to Workstation 1 and launch the Chrome browser.


Step 2 Click the bookmark for Viptela vManage and click through the security warnings to proceed to the vManage
service.
Step 3 Log in to vManage using username admin and password C1sco12345.
Note The vManage Dashboard displays the controllers that are up. There are four operational vEdges.
Branch-2 vEdge is not provisioned yet.

Step 4 Load the vManage dashboard. Talk about network level monitoring capabilities including:
• Up/Down Status of all Viptela components
• vEdge Health
• Applications/Flow Visibility
• Transport Health Visibility


Step 5 Click the number associated with WAN Edge to view operational devices.


Configuring Templates

Note Multiple preconfigured templates are available. We use the preconfigured BranchType2 template to
illustrate how a customer can use a template to facilitate and simplify the roll out of a new branch site.

Procedure

Step 1 In the main menu in the sandwich icon on top-left corner, select Configuration > Templates, and then select
the Device Templates tab.
Step 2 Click the three dots (…) in the far right column for BranchType2Template-vEdge and select Attach Devices.

The Attach Devices window displays.

Step 3 In the Available Devices pane, find and select the device with chassis-id/UUID of
52c7911f-c5b0-45df-b826-3155809a2a1a. Click the arrow to move the selected device to the Selected Devices
pane. Click Attach


Step 4 Click the three dots (…) in the far right column and select Edit Device template.


Step 5 Show that the device values can be updated from this window. However, we use a .csv file to populate the
device in the remainder of this scenario. Click Cancel when done.
Step 6 Click .
Step 7 Click Choose File. Navigate to \Desktop\SD-WAN Demo\csvConfigFiles and select
BranchType2Template.csv. Click Open.


Step 8 Click Upload.

Step 9 Click Next.


Step 10 Select the device to view the full configuration. Click Configure Devices.


Step 11 Wait a few seconds until the device status changes from In Progress to Done - Scheduled.

Step 12 In the main menu, select Monitor > Overview.


Note The dashboard reflects that only four Edge devices are operational.

Simulate the Device to be Connected to the Transport for ZTP


Procedure

Step 1 From the desktop, double-click the Python script named TurnUp-BR2-INET-Connection.py.


Note The script window closes on its own within 5 to 10 seconds.

Step 2 Refresh the vManage dashboard.


The BR2-VEDGE1 comes up and the dashboard shows a total of five (5) Edge devices are operational.
Note This may take a few minutes. Be patient, and if needed, refresh the dashboard by clicking over the
Cisco vManage title or the web browser.


Step 3 From the main menu, select Monitor > Devices.


Step 4 Select BR2-VEDGE1 from the list.
The device dashboard for BR2-VEDGE1 displays.

Note At this time, there is no policy defined for the overlay and hence we have full-mesh connectivity
across all three VPNs (10, 20, 40).

Step 5 Click Control Connections. Validate that control sessions are established to vSmart and vManage.


Step 6 To validate IP reachability within Branch2 VPN10, ping the VPN10 test host at 10.4.10.10. Open the
mRemoteNG application.

Step 7 Double-click on BR2-VEDGE1.


Step 8 On the command line, enter ping vpn 10 10.4.10.10 count 5 to test connectivity to a host at
Branch 2.


Note (Optional) After running ZTP, you can confirm that DIA has been enabled for the Branch2 clients
in VPN 10-40. Do this by checking the clients over mRemoteNG, where RDP is already
preconfigured.

Step 9 Return to the vManage browser tab. From the main menu, select Monitor > Geography.
Step 10 Hover your mouse over devices on the map to see the device details.

Step 11 From the main menu, select Monitor > Devices. From the device list, select BR2-VEDGE1.
Step 12 To view granular application network profile data, click SAIE Applications.
Note Before checking SAIE, it may take 15 minutes after performing ZTP to see output.

Step 13 Click 1h

Note If data does not display, adjust the custom window to a shorter date range.


Step 14 Click Interface. Click 1h to see utilization of the interfaces on the Edge device.

Hub and Spoke Topology


Value Proposition: This scenario shows scalability, simplicity, and ease of management. An enterprise may
prefer a hub-and-spoke topology over a full mesh. Through powerful and intuitive policy configuration in
vManage, a full mesh topology can be quickly and easily converted to a hub-and-spoke topology.
In our example we will create a fabric with IPSec tunnels that are established only between the branch/spoke
sites and the DC. We will use our policy configuration to ensure that no IPSec tunnels are established
directly between the branch/spoke sites.
For corporate VPN 10, we will advertise the branch routes only to the DC and not to other branches.
The DC advertises default routes, so when a branch needs to talk to other branches it takes the default
route to the DC.
The DC vEdges then route the traffic back out to the other remote branches.
For the PCI/IOT segment (VPN 20), we will advertise the routes between the branches with the next hop
set to the DC TLOCs.
This provides hub-and-spoke communication between the branches through the DC, since no default route
is advertised from the DC.
We can also filter the routes here, so that applications are reachable only via the DC or via specific
destinations, limiting access for that VPN.
For guest WiFi VPN 40, we do not need any communication between the branches.
We will restrict the route exchange between sites for VPN 40.
There will be only one static default route in VPN 40, providing direct internet access.
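A vSmart centralized control policy that implements the three per-VPN behaviours described above, as an added example written for this guide rather than the demo's own StrictHub-n-Spoke policy. Site IDs (DC 100, branches 200-299), the DC vEdge system IPs and TLOC colors, and all list names are assumptions.

```text
policy
 lists
  site-list DC
   site-id 100
  !
  site-list Branches
   site-id 200-299
  !
  tloc-list DC-TLOCs
   tloc 10.1.0.1 color mpls encap ipsec
   tloc 10.1.0.1 color biz-internet encap ipsec
   tloc 10.1.0.2 color mpls encap ipsec
   tloc 10.1.0.2 color biz-internet encap ipsec
  !
  vpn-list PCI-IOT
   vpn 20
  !
  vpn-list GuestWiFi
   vpn 40
  !
 !
 control-policy StrictHub-n-Spoke
  sequence 10
   match tloc
    site-list DC
   !
   action accept
   !
  !
  sequence 20
   match route
    site-list DC
   !
   action accept
   !
  !
  sequence 30
   match route
    site-list Branches
    vpn-list GuestWiFi
   !
   action reject
   !
  !
  sequence 40
   match route
    site-list Branches
    vpn-list PCI-IOT
   !
   action accept
    set
     tloc-list DC-TLOCs
    !
   !
  !
  default-action reject
 !
!
apply-policy
 site-list Branches
  control-policy StrictHub-n-Spoke out
 !
!
```

Applied outbound toward the branch sites, sequence 10 lets branches learn only the DC TLOCs (so no spoke-to-spoke tunnels form), sequence 20 passes the DC routes including the VPN 10 default, sequence 40 re-advertises VPN 20 branch routes with the DC TLOCs as next hop, and sequence 30 together with the default-action reject withholds VPN 40 and VPN 10 branch routes and all branch TLOCs.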


Trace Route Tunnels


Procedure

Step 1 From the vManage main menu, select Monitor > Devices.
Step 2 Click BR2-VEDGE1.
Step 3 Click Tunnel.
The next screen shows IPSec tunnels are established to the DC and the remote Branch-1 (full mesh).


Step 4 Click Troubleshooting.


Step 5 Under Connectivity, click Trace Route.

Note The results of the trace routes in this scenario illustrate a direct (i.e. spoke-to-spoke) path taken from
Branch2 to hosts within VPNs 10 and 20 at Branch1.

Step 6 For Destination IP enter 10.3.10.10, from VPN select VPN 10, and from Source/Interface for VPN 10
select the only available option. Click Start.


Note The output on your screen may not be exactly like the screen shown in the guide. If the traceroute
times out, retry; this is expected behavior.

Step 7 For Destination IP* enter 10.3.20.10, for VPN select VPN 20, and for Source/Interface for VPN 20 select
the only available option. Click Start.
Note The output on your screen may not be exactly like the screen shown in the guide.

Configure Policies
Procedure

Step 1 From the main menu, select Configuration > Policies.


Step 2 Click on the three dots (…) for StrictHub-n-Spoke and select Activate.


Step 3 On Activate Policy, click Activate.

Step 4 Click on Activate one more time over the configuration to be pushed, and then wait until the policy activation
status changes to Success.


Note The policy is applied to the vSmart controllers. vSmart will process the policy and advertise the
correct TLOC and route information to the appropriate vEdge routers to achieve the expected result.

Step 5 From the main menu, select Monitor > Devices. Click BR2-VEDGE1.
Step 6 Click Tunnel.
Note Point out that only tunnels to the DC vEdges are in an operational UP state.
The tunnels highlighted on your screen may not be exactly like the screen shown in the guide.
However, the tunnels to the DC vEdges will be the only tunnels in an operational/up state.


Step 7 Click Troubleshooting and then click Trace Route.


Step 8 Trace the route from BR2 to BR1 by entering 10.3.20.10 as the destination and selecting VPN 20.

Note Point out that the inter-branch traffic path now traverses the DC for VPN 20.
The output on your screen may not be exactly like the screen shot shown in the guide.

Step 9 To de-activate the policy, from the main menu, select Configuration > Policies.
Step 10 Click the three dots (…) to the right of the StrictHub-n-Spoke policy name, and then click Deactivate
two times.


Step 11 On Deactivate Policy, click Deactivate two times.

Note The policy status changes from In Progress to Success, and the policy is successfully removed from
vSmart-1 and vSmart-2. Full mesh connectivity has been restored.


Multi-Topology - Different Topologies Per VPN


Value Proposition: Enterprises may have multiple VPN segments and may need different connectivity
models/topologies. The default in Cisco SD-WAN is to have full mesh for all VPNs. In this scenario we will
demonstrate the following topologies for different VPNs using policies:
• Corporate VPN 10 – Full Mesh
• PCI/IOT VPN 20 – Hub and Spoke
• GuestWiFI VPN 40 – DIA ONLY in Branches


Activate Multi-Topology Policy


Procedure

Step 1 From the main menu, select Configuration > Policies.


Step 2 Click on the three dots (…) to the right of MultiTopologyPolicy and select Activate.

Step 3 On Activate Policy, click Activate two times.

Step 4 When the policy has successfully pushed to each vSmart, the activation status changes to Success.


Validate Full Mesh for VPN 10 and Hub-n-Spoke for VPN 20


Procedure

Step 1 From the main menu, select Monitor > Devices. Click BR2-VEDGE1.
Step 2 Click Troubleshooting, and then click Trace Route.
Step 3 For Destination IP enter 10.3.10.10, for VPN select VPN 10, and for Source/Interface for VPN 10 select
the only available option. Click Start.

Note If the output yields no results, click Start again or redo the entire trace route steps above.
The output on your screen may not be exactly like the screen shown in the guide.

Step 4 To de-activate the policy, from the main menu select Configuration > Policies.
Step 5 Click the three dots (…) to the right of the MultiTopologyPolicy policy name and click Deactivate.


Step 6 On Deactivate Policy, click Deactivate twice.


Service Insertion – Regional/DC Firewall


Value Proposition: When new branches are added from an acquired entity, the enterprise may initially want
the direct branch-to-branch communication to go through the firewall in the DC or in a colo/regional facility
hosting firewall services.

Procedure

Step 1 In the main menu, select Configuration > Policies.


Step 2 Click the three dots (…) to the right of the policy that is named MultiTopologyPlusFWInsertion and click
Activate.


Step 3 On Activate Policy, click Activate twice.


Wait until the policy is successfully pushed to each vSmart.

Step 4 In the main menu, select Monitor > Devices. Click BR2-VEDGE1.


Note You can see that traffic between branches is being rerouted through the data center where a firewall
is inspecting traffic.

Step 5 Click Troubleshooting and then click Trace Route.


Step 6 For Destination IP enter 10.3.10.10, for VPN select VPN 10, and for Source/Interface for VPN 10 select
the only available option. Click Start.
Note If the output shows n/a results, click Start again or redo the entire trace route steps above.
The output on your screen may not be exactly like the screenshot shown in the guide.

Step 7 For Destination IP enter 10.3.20.10, for VPN select VPN 20, and for Source/Interface for VPN 20 select the
only available option. Click Start.
Note If the output shows n/a results, click Start again or redo the entire trace route steps above.
The output on your screen may not be exactly like the screenshot shown in the guide.

Step 8 In the main menu, select Configuration > Policies.


Step 9 Click the three dots (…) to the right of MultiTopologyPlusFWInsertion and then click Deactivate.


Step 10 On the Deactivate Policy window, click Deactivate two times.

The policy status changes from In Progress to Success, and the policy is successfully removed from each
vSmart.


Application Firewalling using Centralized Policies


Value Proposition: In this scenario, implement the policy as a centralized data policy where, based on a
source and destination prefix match, traffic between BR1 and BR2 is dropped in VPN 20. The PCI/IOT segment
only requires connectivity from the remotes to the DC. More granular matches can be done to limit certain
applications and allow other applications to flow between the branches.
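A centralized data policy of the kind this scenario describes, as an added example that is not taken from the demo's MultiTopologyPlusACL policy: it drops VPN 20 traffic between the branch PCI/IOT prefixes and, going one step beyond the page, shows the more granular per-application allow that the value proposition mentions. The site IDs, list names, branch prefixes (10.3.20.0/24 and 10.4.20.0/24) and the allowed application are assumptions.

```text
policy
 lists
  site-list Branches
   site-id 200-299
  !
  vpn-list PCI-IOT
   vpn 20
  !
  data-prefix-list Branch-PCI-Subnets
   ip-prefix 10.3.20.0/24
   ip-prefix 10.4.20.0/24
  !
  app-list Allowed-Inter-Branch
   app ssh
  !
 !
 data-policy Block-Inter-Branch-PCI
  vpn-list PCI-IOT
   sequence 10
    match
     source-data-prefix-list Branch-PCI-Subnets
     destination-data-prefix-list Branch-PCI-Subnets
     app-list Allowed-Inter-Branch
    !
    action accept
     count inter-branch-pci-allowed
    !
   !
   sequence 20
    match
     source-data-prefix-list Branch-PCI-Subnets
     destination-data-prefix-list Branch-PCI-Subnets
    !
    action drop
     count inter-branch-pci-drops
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list Branches
  data-policy Block-Inter-Branch-PCI from-service
 !
!
```

Sequence 10 is the granular exception (only the listed application may cross between branches), sequence 20 drops every other branch-to-branch flow in VPN 20, and the default-action accept leaves branch-to-DC traffic untouched; the counters let you confirm on the vEdge that the drop is the reason the ping in this scenario fails.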


Procedure

Step 1 In the main menu, select Monitor > Devices.


Step 2 Select BR2-VEDGE1.
Step 3 Click Troubleshooting.
Step 4 Click Ping.
Step 5 Validate connectivity from BR2-VEDGE1 to the test host in Branch3 in VPN 10 by entering the destination
IP 10.3.10.10. Click Ping.

Step 6 Validate the connectivity from BR2-VEDGE1 to the test host in Branch3 in VPN 20 using the destination IP
of 10.3.20.10. Click Ping.

Step 7 In the main menu, select Configuration > Policies.


Step 8 Click the three dots (…) to the right of the MultiTopologyPlusACL policy and select Activate.

Step 9 On Activate Policy, click Activate.

Note You can review the configuration being pushed to the controllers before the policy is applied.
Click Activate one more time.


Step 10 Wait until the policy is successfully pushed to each vSmart.

Step 11 In the main menu, select Monitor > Devices.


Step 12 Select BR2-VEDGE1.
Step 13 Click Troubleshooting.
Step 14 Click Ping.
Step 15 Validate connectivity from BR2-VEDGE1 to the test host in Branch1 in VPN 10 by entering the destination
IP 10.3.10.10. Click Ping.


Step 16 Validate there is no connectivity from Branch2 in VPN 20 using the destination IP of 10.3.20.10. Click
Ping.
Note The ping fails because the centralized ACL blocks communication between the branches for the PCI/IOT
segment.

Step 17 To de-activate the policy, in the main menu, select Configuration > Policies.
Step 18 Click the three dots (…) to the right of the MultiTopologyPlusACL policy name and select Deactivate.


Step 19 On the Deactivate Policy window, click Deactivate two times.

The policy status changes from In Progress to Success, and the policy is successfully removed from vSmart-1
and vSmart-2. Full mesh connectivity has been restored.


Application Aware Routing


Value Proposition: In this scenario, some applications already have SLAs defined and are pinned to the
MPLS transport (interface ge0/0 on BR2-VEDGE1). Other applications have been pinned to the INTERNET
transport (interface ge0/1 on BR2-VEDGE1). Observe how:
• The traffic received switches from the MPLS interface to the INTERNET interface after the latency
impairment on the MPLS transport.
• Fast deployment model for flexible topologies: any type of circuit could be deployed, which provides
the ability to direct distinct types of traffic over distinct types of links. Video could go over the internet,
mission critical applications can go over MPLS, and LTE could be the circuit of last resort. This provides
path diversity and high availability.
• New application delivery models, having the capability to move traffic based on application performance.
• The traffic received by BR2-VEDGE1 on the MPLS interface (ge0/0) and the INTERNET interface
(ge0/1).
• The policy is applied to all sites, so the policy impacts all the traffic received and sent by
BR2-VEDGE1. More traffic is received than sent by BR2-VEDGE1.


Enable Application Aware Routing


Procedure

Step 1 From the main menu, select Configuration > Policies.


Step 2 Click the three dots (…) next to the MultiTopologyPlusAppRoute policy and select Activate.

Step 3 On Activate Policy, click Activate two times.


Step 4 Wait until the policy is successfully pushed to each vSmart.

Step 5 From the main menu, select Monitor > Devices.


Step 6 Click BR2-VEDGE1.
Step 7 Click Real Time.
Step 8 Search for App Routes Statistics using the Device Options search.
Step 9 Select App Routes Statistics. On Select Filter, click Do Not Filter.


Note These values are much lower than the SLA thresholds defined for the app-route policies.

Step 10 Scroll to the right to see the columns showing Mean Loss, Mean Latency, and Mean Jitter for each of the
tunnels on MPLS and Internet.

Note Simulate Flows simulates which IPSec tunnels will be used for the defined flow, based on the
policies and the transport performance measurements.


Step 11 Click Troubleshooting.


Step 12 Click Simulate Flows.
Step 13 Indicate troubleshooting criteria.
a. For VPN, select VPN - 10
b. For Source/Interface for VPN - 10, select the only available option.
c. For Destination IP, enter 10.3.10.10.
d. Click Advanced Options.
e. For DSCP, enter 46.
f. Click Simulate.

Note This shows that the traffic class with DSCP of 46 will go over MPLS as it meets the SLA (latency
<= 50msec) and is the preferred color.

Note Notice the path uses only MPLS.
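A vSmart application-aware routing policy matching what the Simulate Flows result shows (DSCP 46 pinned to MPLS while the 50 ms latency SLA is met), as an added example and not the demo's MultiTopologyPlusAppRoute policy. The site IDs, list and SLA-class names, the loss and jitter thresholds, and the biz-internet color for the INTERNET transport are assumptions.

```text
policy
 lists
  site-list Branches
   site-id 200-299
  !
  vpn-list Corporate
   vpn 10
  !
 !
 sla-class Realtime
  latency 50
  loss 1
  jitter 30
 !
 app-route-policy Prefer-MPLS-Realtime
  vpn-list Corporate
   sequence 10
    match
     dscp 46
    !
    action
     sla-class Realtime preferred-color mpls
     count realtime-vpn10
    !
   !
  !
 !
!
apply-policy
 site-list Branches
  app-route-policy Prefer-MPLS-Realtime
 !
!
```

When the MPLS tunnel's measured latency exceeds 50 ms, as in the WAN Impairment step that follows, the vEdge moves DSCP 46 traffic to any other tunnel that still meets the SLA, here the internet tunnel; once MPLS recovers, traffic returns to the preferred color.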

WAN Impairment
Procedure

Step 1 Open a new tab in Chrome and click the WAN Impairment bookmark.


Step 2 Click Branch 1, choose mpls, and then click Submit.


Step 3 Click back to the open vManage browser tab.
Step 4 After the latency has been added, wait 1 minute and then run the test again to show the traffic moving to the internet transport.

Note You can go back to Monitor > Devices > BR2-VEDGE1, select Real Time, select App Routes
Statistics, and on Select Filter click Do Not Filter, and then confirm how much the Mean Loss and
Latency values have increased.


Step 5 Return to the WAN Impairment Tool browser tab and click Remove Latency. Close the browser tab.
Step 6 To de-activate the policy, from the main menu, select Configuration > Policies.
Step 7 Click the three dots (…) to the right of the MultiTopologyPlusAppRoute policy name and select Deactivate.

Step 8 On Deactivate Policy, click Deactivate two times.


Note The policy status changes from In Progress to Success, and the policy is successfully removed from
vSmart-1 and vSmart-2. Full mesh connectivity has been restored.

SD-WAN Security Overview


Value Proposition: In this scenario, the remote offices all utilize a Guest Internet VPN which allows customers
to browse the internet via Direct Internet Access. SD-WAN Security policy has been activated on this guest
VPN to protect them. Cisco SD-WAN Security can provide protection against known and unknown malware
threats with AMP and Threat Grid.

Remember It may take 15 minutes after the demo has fully launched to start seeing activity on the
SD-WAN Security dashboard; plan accordingly. If after 20 minutes the dashboard has not populated
(a known issue that will be fixed in the next release), start a new session.

View Templates
Procedure

Step 1 From the main menu, select Monitor > Security.


Step 2 Click the small drop down icon in any widget and adjust time frame to Last 1 hour.

Step 3 From the main menu, select Configuration > Templates > Device Templates.
Step 4 Click the three dots (…) to the right of CSR_BranchType1Template-CSR and then select View.

Step 5 Click Additional Templates to jump to the bottom of the page, where Security Policy is listed.


Note Notice the Security Policy and the Container Profile. The container runs the Snort IPS engine.

Step 6 Click Cancel.

SD-WAN Security Policies


Value Proposition: Explore the preconfigured SD-WAN Security policy. Each security offering needs its
own policy. Explore each one now.

Procedure

Step 1 From the main menu, select Configuration > Security.


Step 2 Click the three dots (…) to the right of Branch-DIA-Security and select View.


Step 3 Click Firewall. Click the three dots (…) to the right of BRANCH-DIA-GUEST and select View to see the
firewall rules in effect.

Note Due to a visual bug in vManage, the implicit deny rule (called Drop) shows above the other rules.
It will NOT take effect before the configured rules.
Notice that this firewall is zone-based and is configured to inspect traffic from the Guest VPN to
the Outside.
The rules are allowing traffic from the branch subnets and the traffic is being inspected.

Step 4 Click Cancel to go back to the SD-WAN Security Policy.


Step 5 Click Intrusion Prevention. Click the three dots (…) to the right of Branch-DIA-IPS and select .

Value Proposition: Notice that only 1 VPN is targeted, which is the Guest VPN. We can select a security
posture as well as choose to detect or protect against attacks. The SD-WAN IPS is based on Snort, which uses
Cisco Talos signatures, and while not as granular as the full Firepower offering, it should meet 99% of remote
office needs.

Step 6 Click Advanced.


Note Notice that we can create a signature whitelist if certain applications are triggering the IPS but
should be allowed (common with some corporate home-grown applications).

Step 7 Click Cancel.

Step 8 Click URL Filtering. Click the three dots (…) for Branch-DIA-URL-Filter and select View.


Note The URL Filtering policy is functionally similar to the expanded Cisco Web Security Appliance (WSA)
offering. Though not as granular as the full WSA appliance, the URL Filtering offering in SD-WAN
Security allows you to customize categories and reputation, specify a block page (or a redirect to something
like ISE), and customize a whitelist/blacklist.

Step 9 Click Cancel.

Value Proposition: Advanced Malware Protection (AMP) provides cloud-based file reputation checking,
while Threat Grid's behavior-based deep file analysis can help detect and stop zero-day and polymorphic
malware threats.

Step 10 Click Advanced Malware Protection. Click the three dots (…) for BRANCH-DIA-AMP and select View.


Step 11 Click Cancel.
