SDWSEC is a Cisco SASE (Secure Access Service Edge) training targeted to engineers and technical personnel involved in designing, deploying, operating, and securing Cisco Edge solutions both in enterprise and Service Provider environments. This training is specifically designed for partners and customers implementing secure Cisco SD-WAN integrated with the complete feature set of Cisco Umbrella including DNS Security, Cloud Based Firewall and Secure Internet Gateway. The course walks you through how each integration works and how to design and implement it step-by-step.
The course qualifies for 24 Cisco Continuing Education Credits (CE).
Skills Gained
Upon completing this course, you will be able to meet the following objectives:
- Describe SD-WAN Architecture
- Design Cisco SD-WAN Branch Security
- Implement Cisco SD-WAN Secure Internet and Cloud Access
- Integrate and Troubleshoot Cisco SD-WAN with a SASE Solution
Who Can Benefit
The primary audience for this course is as follows:
- Systems Engineers
- Technical Solutions Architects
- Field Engineers
Prerequisites
The knowledge and skills that the learner should have before attending this course are as follows:
- Knowledge of WAN architectures and routing networking concepts
- High-level familiarity with basic network protocols and applications
- Familiarity with common application delivery methods
- Fundamental understanding of perimeter security
- Basic Cisco SD-WAN familiarity
Module 1: Cisco SD-WAN Introduction
- High-level Cisco SD-WAN Deployment models
- Application-level SD-WAN solution
- Cisco SD-WAN plan for HA and Scalability
- Cisco SD-WAN solution components: vManage NMS, vSmart Controller, vBond Orchestrator
- Edge Routers (cEdge, vEdge, and Catalyst 8K)
- Cloud Based Deployment vs On-Premises Deployment
Module 2: Zero Touch Provisioning
- Overview
- User Input Required for the ZTP Automatic Authentication Process
- Authentication between the vBond Orchestrator and WAN Edges
- Authentication between the Edge Routers and the vManage NMS
- Authentication between the vSmart Controller and the Edge Routers
Module 3: Cisco SD-WAN Solution
- Overlay Management Protocol (OMP)
- Cisco SD-WAN Circuit Aggregation Capabilities
- Secure Connectivity in Cisco SD-WAN
- Performance Tracking Mechanisms
- Application Discovery
- Dynamic Path Selection
- Performance Based Routing
- Direct Internet Access
- Advanced Routing (OSPF, BGP, LISP, VXLAN, MPLS)
- Application Aware Routing
- Localized and Centralized Policies (Data and Control)
- Cisco SD-WAN In-built Security features: App Aware FW, Talos IPS, URL Filtering, Umbrella Integration, and Advanced Malware Protection
- Dynamic Cloud Access: Cloud On-Ramp for SaaS and IaaS (AWS, Azure & GCP)
- API and Programmatic Interaction via Python
Module 4: Deeper Insight into Cisco SD-WAN Security
- Designing Security Requirements within Cisco SD-WAN
  - DIA Security
  - Direct Cloud Access Security
  - Guest User Security
  - Compliance Requirements
- Security Implementation at the Branch Site
- Implementing Zone Based Firewalls on Cisco WAN Edge
- Implementing UTD on Cisco WAN Edge
  - Configuring URL Filtering
  - Configuring Snort IPS
  - Best Practices for UTD setup (Based on production deployment experiences)
- Implementing Advanced Malware Protection
  - Configuring AMP
  - Overview of integration with Threat Grid
Module 5: Designing and Implementing DNS Security
- Prerequisite check before integrating Umbrella with Cisco SD-WAN
  - Making sure you have the correct licensing
  - Platform support check
  - Internet Connectivity check
- Walking through the Umbrella Dashboard
  - Dashboard Overview
  - DNS Policy GUI Overview
  - Firewall Policy GUI Overview
  - Web Policy GUI Overview
  - Umbrella AD/SAML Integration Overview (optional)
- Integrating Cisco Umbrella for DNS Security
  - Umbrella API Integration
- Configuring the DNS Encryption Policy
  - Excluding the local domains
  - Configuring the Security Policy in vManage
  - Implementing the policy at the DIA Sites
- Verification
  - Checking the logs on Umbrella Dashboard
  - Checking the vManage Security Dashboard
Module 6: Cisco SD-WAN and Cisco Umbrella SIG Integration
- SIG Integration Overview
- Configuring Cisco vManage Templates for SIG Tunnel Creation
  - Using the pre-configured Feature Templates in vManage 20.X
- Adding the SD-WAN Routers and Sites in Umbrella Identities
  - Validate that the routers show up from the Umbrella Dashboard
- Designing and Configuring Policy for SIG Redirection
  - Setting up the vSmart Centralized Policies for SIG Redirection on DIA Traffic
- Verification
  - Checking the logs on Umbrella Dashboard
  - Checking the vManage Security Dashboard
Module 7: Cisco SD-WAN and Cisco Umbrella Cloud Firewall Integration
- Umbrella Cloud Firewall Integration Overview
- Configuring Cisco vManage Templates for Firewall Tunnel Creation
  - Using the pre-configured Feature Templates in vManage 20.X
- Adding the SD-WAN Routers and Sites in Umbrella Identities
  - Validate that the routers show up from the Umbrella Dashboard
- Designing and Configuring Policy for Firewall Redirection
  - Setting up the vSmart Centralized Policies for Umbrella FW Redirection on DIA Traffic
- Verification
  - Checking the logs on Umbrella Dashboard
  - Checking the vManage Security Dashboard
Module 8: Troubleshooting Umbrella Integration
- Troubleshooting DNS Security
  - API Integration not working
  - DNS for local domain failing
  - No redirection to Cisco Umbrella for external domains
- Troubleshooting SIG and Firewall
  - Making sure the IPSec Tunnels to
  - Troubleshooting the vManage policies for redirection
  - Load balancing using vManage policies
  - Reviewing logs in Umbrella
- Checking Alarms and Notifications
  - Checking Alarms on vManage
  - Checking Alarms on Cisco Umbrella
Lab Outline:
The labs are designed to give learners complete hands-on experience through the following practical activities:
- Onboard Edge
- Onboard Edge via ZTP
- Onboard vSmart Controller
- AVC integration and Traffic Visibility
- Application Aware Routing Lab
- Local DIA and Regional DIA
- Backup and Restore using Python API
- Intra Zone Firewall
- Inter Zone Firewall
- UTD integration
  - URL Filtering
  - Snort IPS
- Umbrella Integration
  - DNS Policy
  - Web Policy
- SIG Tunnel Creation
- SIG Tunnel Redirection Policy
- Configuring Policy for Umbrella Firewall Redirection
- Trouble Ticket 1
- Trouble Ticket 2
- Trouble Ticket 3