Cisco SD-WAN Advanced Policy and Security

Module 1: Cisco SD-WAN Introduction

• High-level Cisco SD-WAN Deployment models
• Application-level SD-WAN solution
• Cisco SDWAN plan for HA and Scalability
• Cisco SD-WAN solution components: vManage NMS, vSmart Controller, vBond Orchestrator
• Edge Routers (cEdge, vEdge, and Catalyst 8K)
• Cloud Based Deployment vs On-Premises Deployment

Module 2: Zero Touch Provisioning

• Overview
• User Input Required for the ZTP Automatic Authentication Process
• Authentication between the vBond Orchestrator and WAN Edges
• Authentication between the Edge Routers and the vManage NMS
• Authentication between the vSmart Controller and the Edge Routers

Module 3: Cisco SD-WAN Solution

• Overlay Management Protocol (OMP)
• Cisco SD-WAN Circuit Aggregation Capabilities
• Secure Connectivity in Cisco SD-WAN
• Performance Tracking Mechanisms
• Application Discovery
• Dynamic Path Selection
• Performance Based Routing
• Direct Internet Access
• Advanced Routing (OSPF, BGP, LISP, VXLAN, MPLS)
• Application Aware Routing
• Localized and Centralized Policies (Data and Control)
• Cisco SD-WAN In-built Security features: App Aware FW, Talos IPS, URL Filtering, Umbrella Integration, and Advanced Malware Protection
• Dynamic Cloud Access: Cloud On-Ramp for SaaS and IaaS (AWS, Azure & GPC)
• API and Programmatic Interaction via Python

Module 4: Deeper Insight into Cisco SD-WAN Security

• Designing Security Requirements within Cisco SD-WANDIA SecurityDirect Cloud Access SecurityGuest User SecurityCompliance Requirements
• Security Implementation at the Branch Site
• Implementing Zone Based Firewalls on Cisco WAN Edge
• Implementing UTD on Cisco WAN EdgeConfiguring URL FilteringConfiguring Snort IPSBest Practices for UTD setup (Based on production deployment experiences)
• Implementing Advanced Malware ProtectionConfiguring AMPOverview of integration with Threat Grid

Module 5: Designing and Implementing DNS Security

• Prerequisite check before integrating Umbrella with Cisco SD-WANMaking sure you have the correct licensingPlatform support checkInternet Connectivity check
• Walking through the Umbrella DashboardDashboard OverviewDNS Policy GUI OverviewFirewall Policy GUI OverviewWeb Policy GUI OverviewUmbrella AD/SAML Integration Overview (optional)
• Integrating Cisco Umbrella for DNS SecurityUmbrella API Integration
• Configuring the DNS Encryption PolicyExcluding the local domainsConfiguring the Security Policy in vManageImplementing the policy at the DIA Sites
• VerificationChecking the logs on Umbrella DashboardChecking the vManage Security Dashboard

Module 6: Cisco SD-WAN and Cisco Umbrella SIG Integration

• SIG Integration Overview
• Configuring Cisco vManage Templates for SIG Tunnel CreationUsing the pre-configured Feature Templates in vManage 20.X
• Adding the SD-WAN Routers and Sites in Umbrella IdentitiesValidate that the routers show up from the Umbrella Dashboard
• Designing and Configuring Policy for SIG RedirectionSetting up the vSmart Centralized Policies for SIG Redirection on DIA Traffic
• VerificationChecking the logs on Umbrella DashboardChecking the vManage Security Dashboard

Module 7: Cisco SD-WAN and Cisco Umbrella Cloud Firewall Integration

• Umbrella Cloud Firewall Integration Overview
• Configuring Cisco vManage Templates for Firewall Tunnel CreationUsing the pre-configured Feature Templates in vManage 20.X
• Adding the SD-WAN Routers and Sites in Umbrella IdentitiesValidate that the routers show up from the Umbrella Dashboard
• Designing and Configuring Policy for Firewall RedirectionSetting up the vSmart Centralized Policies for Umbrella FW Redirection on DIA Traffic
• VerificationChecking the logs on Umbrella DashboardChecking the vManage Security Dashboard

Module 8: Troubleshooting Umbrella Integration

• Troubleshooting DNS SecurityAPI Integration not workingDNS for local domain failingNo redirection to Cisco Umbrella for external domains
• Troubleshooting SIG and FirewallMaking sure the IPSec Tunnels to Troubleshooting the vManage policies for redirectionLoad balancing using vManage policiesReviewing logs in Umbrella
• Checking Alarms and NotificationsChecking Alarms on vManageChecking Alarms on Cisco Umbrella

Lab Outline: Labs are designed to assure learners a whole practical experience, through the following practical activities:

• Onboard Edge
• Onboard Edge via ZTP
• Onboard vSmart Controller
• AVC integration and Traffic Visibility
• Application Aware Routing Lab
• Local DIA and Regional DIA
• Backup and Restore using Python API
• Intra Zone Firewall
• Inter Zone Firewall
• UTD integrationURL FilteringSnort IPS
• Umbrella IntegrationDNS PolicyWeb Policy
• SIG Tunnel Creation
• SIG Tunnel Redirection Policy
• Configuring Policy for Umbrella Firewall Redirection
• Trouble Ticket 1
• Trouble Ticket 2
• Trouble Ticket 3