SD-WAN Capabilities

This chapter describes the SD-WAN capabilities supported in the management center.

Overview of SD-WAN Capabilities

Software-Defined WAN (SD-WAN) solutions replace traditional WAN routers and are agnostic to WAN transport technologies. SD-WAN provides dynamic, policy-based, application path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.

As organizations expand their operations across multiple branch locations, ensuring secure and streamlined connectivity becomes paramount. Deploying a secure branch network infrastructure involves complex configurations, which can be time-consuming and prone to configuration errors if not handled properly. However, organizations can overcome these challenges by leveraging the Cisco Secure Firewall Management Center (management center) and the Cisco Secure Firewall Threat Defense (threat defense) devices for a simplified and secure branch deployment.

In this guide, we explore the concept of simplifying secure branch deployment using a robust firewall solution. By integrating a secure firewall as a foundational component of the branch network architecture, organizations can establish a strong security baseline while simplifying the deployment process. This approach enables organizations to enforce unified security policies, optimize traffic routing, and ensure resilient connectivity.

Some of the SD-WAN capabilities supported on the Cisco Secure Firewall are:

  • Simplified management:

    • SD-WAN Wizard

    • SASE: Umbrella auto tunnel deployment

    • Dynamic VTI (DVTI) hub spoke topology simplification

  • Application awareness:

    • Direct Internet Access (DIA) for public cloud and guest user

    • Policy based routing (PBR) using applications as a match criteria

    • Local tunnel ID support for Umbrella

  • Increased usable bandwidth:

    • ECMP support for load balancing across multiple ISPs and VTIs

    • Application-based load balancing using PBR

  • High availability with near zero network downtime:

    • Dual ISP configuration

    • Optimal path selection based on application-based interface monitoring.

  • Secure Elastic Connectivity:

    • Route-based (VTI) VPN tunnels between headquarters (hub) and branches (spokes)

    • IPv4 and IPv6 BGP, IPv4 and IPv6 OSPF, and IPv4 EIGRP over VTI

    • DVTI hubs that support spokes with static or dynamic IP

Features

The following table lists some commonly used SD-WAN features:

Feature                                                                   | Introduced in | More Information
--------------------------------------------------------------------------+---------------+---------------------------------------------------------
SD-WAN Wizard                                                             | Release 7.6   | Using SD-WAN Wizard for Secure Branch Network Deployment
Application monitoring using SD-WAN Summary dashboard                     | Release 7.4.1 | SD-WAN Summary Dashboard
SD-WAN Summary Dashboard                                                  | Release 7.4   | SD-WAN Summary Dashboard
Policy-based routing with user identity and SGTs                          | Release 7.4   | Policy Based Routing
Policy-based routing using HTTP path monitoring                           | Release 7.4   | Policy Based Routing
Loopback interface support for VTIs                                       | Release 7.3   | Configure a Loopback Interface
Support for dynamic VTI (DVTI) with site-to-site VPN                      | Release 7.3   | Dynamic VTI
Umbrella auto tunnel                                                      | Release 7.3   | Deploy a SASE Tunnel on Umbrella
Support for IPv4 and IPv6 BGP, IPv4 and IPv6 OSPF, and IPv4 EIGRP for VTIs | Release 7.3  | BGP, OSPF, EIGRP
Route-based site-to-site VPN with hub and spoke topology                  | Release 7.2   | Create a Route-based Site-to-Site VPN
Policy-based routing with path monitoring                                 | Release 7.2   | Policy Based Routing
The Site to Site VPN Monitoring Dashboard                                 | Release 7.1   | Monitoring the Site-to-Site VPNs
Direct Internet Access/Policy Based Routing                               | Release 7.1   | Policy Based Routing
Equal-Cost-Multi-Path (ECMP) zone with WAN interfaces                     | Release 7.1   | About ECMP
ECMP zone with VTI interfaces                                             | Release 7.1   | About ECMP
Backup VTI for route-based site-to-site VPN                               | Release 7.0   | Route Traffic Through a Backup VTI Tunnel
Support for static VTI (SVTI) with site-to-site VPN                       | Release 6.7   | Static VTI

Using SD-WAN Wizard for Secure Branch Network Deployment

Management Center allows you to easily configure VPN tunnels and routing configuration between your centralized headquarters (hubs) and remote branch sites (spokes) using the new SD-WAN wizard.

What are Hubs and Spokes?

Hubs: Devices that enable secure VPN connectivity to and from one or more remote branch devices or spokes. Hubs also act as a gateway for spokes to communicate with each other.

Spokes: Devices in remote branches that connect over VPN to a hub to securely access the corporate resources behind the hub. Spokes communicate with each other through the hub.

Benefits of Using SD-WAN Wizard

  • Simplifies and automates the VPN and routing configuration of your SD-WAN network.

  • Creates route-based VPN tunnels and simplifies the configuration process by automating tasks such as:

    • Generating tunnel interfaces of the branches.

    • Assigning IP addresses to the tunnel interfaces.

    • Configuring BGP for the SD-WAN overlay network. These configurations ensure seamless connection between hubs and spokes, and spoke to spoke through the hub.

  • Provides seamless routing because the hubs act as BGP route reflectors, which:

    • Provide connectivity between the spokes.

    • Determine the best routing path based on the spokes' active and backup tunnels.

  • Requires minimal user input.

  • Easily add multiple branches at a time.

  • Provides easy dual ISP configurations.

  • Enables network scaling.

Guidelines and Limitations for Using SD-WAN Wizard

Guidelines

  • When you configure the DVTIs of two hubs, ensure that they have the same IPsec tunnel mode (IPv4 or IPv6).

  • In a dual-hub SD-WAN topology, the hubs can be in different geographic locations and have different protected networks behind them. To ensure direct communication between these networks, ensure that you configure the following:

    • A point-to-point route-based VPN topology between the two hubs (Devices > Site-to-site > Add > Route-Based VPN).

    • A dynamic routing protocol between the hubs (Device > Device Management > Routing).

  • When you configure IP address pools for spokes, ensure the following:

    • The Allow Overrides check box must be unchecked.

    • If you are using multiple pools, the IP addresses of the pools must not overlap.

    • IP addresses must not overlap with any of the interfaces on the spoke.

  • When you create security zones or interface groups, choose Routed as the Interface Type.

  • Use the spoke security zone to configure an access control policy that allows tunnel traffic to and from the spokes.

  • Configure the spokes' VPN interfaces in an ECMP zone to load balance the application traffic. If you do not configure the ECMP zone, the remaining paths act as backup paths when the primary path goes down.

  • In SD-WAN topologies with dual ISPs on spokes, the tunnel identity and the tunnel source of the spokes must be unique.

  • If a device has only IPv6 address configurations, you must configure the BGP router ID with a loopback or physical interface that has an IPv4 address (Device > Device Management > Routing > General Settings > BGP).

Limitations

  • You can configure a maximum of two hubs in an SD-WAN topology using the SD-WAN wizard.

  • For each spoke, you can use only one WAN interface per topology. However, for dual-ISP setups, you can configure a second SD-WAN topology with the second WAN interface. For more information, see Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard.

  • SD-WAN wizard does not support the following:

    • IKEv1

    • Cluster devices as hubs or spokes, because VTI is not supported on clustered devices.

    • Extranet hubs and spokes, such as ASA, Cisco IOS, Cisco Viptela, Umbrella, Meraki, or third-party vendor devices.

Prerequisites for Using the SD-WAN Wizard

  • Management Center Essentials (formerly Base) license must allow export-controlled functionality.

    Choose System > Licenses > Smart Licenses to verify this functionality in the management center.

  • You must be an Admin user.

  • Hub devices must be Version 7.6.0 and later.

  • Spoke devices must be Version 7.3.0 and later.

  • The threat defense devices must have an internet-routable public IP address. The IP address can be static or dynamic.

  • Assign appropriate logical names and IP addresses to the interfaces of the threat defense devices. For example, use inside for the interface connected to the LAN, and outside for the interface connected to the internet or WAN.

  • If you are using certificate-based authentication, you must enroll the certificates in the hub and spokes.

  • Configure routing, NAT, and AC policies to ensure underlay connectivity between the devices.

Configure an SD-WAN Topology Using the SD-WAN Wizard

The SD-WAN wizard allows you to easily configure VPN tunnels between your centralized headquarters and remote branch sites.

Before you begin

Ensure that you review Prerequisites for Using the SD-WAN Wizard and Guidelines and Limitations for Using SD-WAN Wizard.

Procedure


Step 1

Choose Devices > Site To Site, and click Add.

Step 2

Enter a name for the SD-WAN VPN topology in the Topology Name field.

Step 3

Click the SD-WAN Topology radio button and click Create.

Step 4

Configure a hub:

  1. Click Add Hub.

  2. From the Device drop-down list, choose a hub.

  3. Click + next to the Dynamic Virtual Tunnel Interface (DVTI) drop-down list to add a dynamic VTI for the hub.

    The Add Virtual Tunnel Interface dialog box is prepopulated with default configurations. However, you must configure the Tunnel Source, and the Borrow IP Address. For more information, see Add a Dynamic Virtual Tunnel Interface for a Hub.

  4. Click OK.

  5. In the Hub Gateway IP Address field, enter the public IP address of the hub's VPN interface or the tunnel source of the dynamic VTI to which the spokes connect.

    This IP address is auto populated if the interface has a static IP address. If the hub is behind a NAT device, you must manually configure the post-NAT IP address.

  6. From the Spoke Tunnel IP Address Pool drop-down list, choose an IP address pool or click + to create an address pool.

    When you add spokes, the wizard auto generates spoke tunnel interfaces, and assigns IP addresses to these spoke interfaces from this IP address pool.

  7. Click Add to save the hub configuration.

  8. (Optional) To add a secondary hub, repeat Step 4a to Step 4f.

  9. Click Next.

Step 5

Configure spokes:

Click Add Spoke to add a single spoke device, or click Add Spokes (Bulk Addition) to add multiple spokes to your topology.

  • Click Add Spoke. In the Add Spoke dialog box, configure the following parameters:

    1. From the Device drop-down list, choose a spoke.

    2. From the VPN Interface drop-down list, choose a WAN-facing or internet-facing physical interface to establish a VPN connection with the hub.

    3. Check the Local Tunnel (IKE) Identity check box to enable a unique and configurable identity for the VPN tunnel from this device to the remote peer. By default, this option is enabled.

    4. Choose one of the following options from the Identity Type drop-down list:

      • Key ID—(Default value) This value is auto populated as <sd-wan topologyname>_<device_IP_address>, for example, sdwantopo1_192.168.0.200. You can also specify a key ID of your choice.

      • Email ID—Specify an email ID up to 127 characters.

      • IP Address—IP address of the spoke's VPN interface.

      • Auto—IP address of the spoke's VPN interface for pre-shared key authentication or the certificate Distinguished Name (DN) for certificate-based authentication.

      • Hostname—Fully qualified hostname of the spoke.

    5. Click Save to save the spoke configuration.

  • Click Add Spokes (Bulk Addition). In the Add Bulk Spokes dialog box, configure the following parameters:

    1. Choose one or more devices from the Available Devices list and click Add to move the devices to Selected Devices.

    2. Use one of the following methods to select the VPN interfaces of the spokes:

      • Click the Interface Name Pattern radio button and specify a string to match the logical name of the internet or WAN interface of the spokes, for example, outside*, wan*.

        If the spoke has multiple interfaces with the same pattern, the first interface that matches the pattern is selected for the topology.

      • Click the Security Zone radio button and choose a security zone with the VPN interfaces of the spokes from the drop-down list, or click + to create a security zone.

    3. Click Next.

      The wizard validates if the spokes have interfaces with the specified pattern. Only the validated devices are added to the topology.

    4. Click Add.

    5. Click Next.

For each spoke, the wizard automatically selects the hub's DVTI as the tunnel source IP address.

Note

If the hub's tunnel source IP address is an IPv6 address, the wizard automatically selects the first IPv6 address of the spokes' selected interface. To edit the IPv6 address of a spoke's tunnel source, click the edit icon next to a spoke, choose an IPv6 address from the IP Address drop-down list, and click Save.

Step 6

Configure authentication settings for the devices in the SD-WAN topology:

  1. Authentication Type—For device authentication, you can use a manual pre-shared key, an auto-generated pre-shared key, or a certificate.

    • Pre-shared Manual Key—Specify the pre-shared key for the VPN connection.

    • Pre-shared Automatic Key—(Default value) The wizard automatically defines the pre-shared key for the VPN connection. Specify the key length in the Pre-shared Key Length field. The range is 1 to 127.

    • Certificate—When you use certificates as the authentication method, the peers obtain digital certificates from a CA server in your PKI infrastructure, and use them to authenticate each other.

  2. Choose one or more algorithms from the Transform Sets drop-down list.

  3. Choose one or more algorithms from the IKEv2 Policies drop-down list.

  4. Click Next.

Step 7

Configure the SD-WAN settings:

This step involves the auto generation of spoke tunnel interfaces, and BGP configuration of the overlay network.

  1. From the Spoke Tunnel Interface Security Zone drop-down list, choose a security zone or click + to create a security zone to which the wizard automatically adds the spokes' auto-generated Static Virtual Tunnel Interfaces (SVTIs).

  2. Check the Enable BGP on the VPN Overlay Topology check box to automate BGP configurations such as neighbor configurations between the overlay tunnel interfaces and basic route redistribution from the directly connected LAN interfaces of the hubs and spokes.

  3. In the Autonomous System Number field, enter an Autonomous System (AS) number.

    An AS number is a unique number for a network with a single routing policy; BGP uses AS numbers to identify networks. The spoke's BGP neighbor configuration is generated from the corresponding hub's AS number. The range is 0 to 65536.

    • If all the hubs and spokes are in the same region, by default, 64512 is the AS number.

    • If the primary and secondary hubs are in different regions, the primary hub and the spokes are configured with 64512 as the AS number, and the secondary hub is configured with a different AS number.

  4. In the Community Tag for Local Routes field, enter the BGP community attribute to tag connected and redistributed local routes. This attribute enables easy route filtering.

  5. Check the Redistribute Connected Interfaces check box and choose an interface group from the drop-down list or click + to create an interface group with connected inside or LAN interfaces for BGP route redistribution in the overlay topology.

  6. Check the Enable Multiple Paths for BGP check box to allow multiple BGP routes to be used at the same time to reach the same destination. This option enables BGP to load-balance traffic across multiple links.

  7. (Optional) Check the Secondary Hub is in Different Autonomous System check box. This check box appears only if you have a secondary hub in this topology.

  8. In the Autonomous System Number field, enter the AS number for the secondary hub.

  9. In the Community Tag for Learned Routes field, enter the BGP community attribute to tag routes learned from other SD-WAN peers over the VPN tunnel. This attribute is required only for eBGP configuration when the secondary hub has a different AS number. This field appears only if you have configured two hubs in the SD-WAN topology.

  10. Click Next.

Step 8

Click Finish to save and validate the SD-WAN topology.

You can view the topology in the Site-to-Site VPN Summary page (Devices > Site-to-site VPN). After you deploy the configurations to all the devices, you can see the status of all the tunnels in this page.


What to do next

Add a Dynamic Virtual Tunnel Interface for a Hub

In the SD-WAN wizard, you must configure a DVTI for each hub. DVTI uses a virtual template to dynamically generate a unique virtual access interface for each VPN session.

Before you begin

In the SD-WAN wizard, click Add Hub, and choose a hub from the Device drop-down list.

Procedure

Step 1

Click + next to the Dynamic Virtual Tunnel Interface (DVTI) drop-down list to add a DVTI for the hub.

The Add Virtual Tunnel Interface dialog box appears with the following prepopulated default configurations.

  1. Tunnel Type: Dynamic.

  2. Name: <tunnel_source_interface_logical name>_dynamic_vti_<tunnel_ID>. For example, outside_dynamic_vti_1.

  3. Enabled check box: Checked by default.

  4. Template ID: Unique ID for the DVTI.

  5. Tunnel Source: Physical interface that is the source of the DVTI and is auto populated by default.

  6. IPsec Tunnel Mode: IPv4, by default.

Step 2

Choose a security zone for the dynamic VTI from the Security Zone drop-down list.

Step 3

Choose a physical or loopback interface from the Borrow IP drop-down list. The dynamic VTI interface inherits the IP address of this interface.

Ensure that you use an IP address different from the tunnel source IP address. We recommend that you use a loopback IP address.

Step 4

Click OK to save the dynamic VTI.


Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard

Dual ISP Deployment: Two Hubs and Four Spokes in the Same Region

In the following dual ISP topology, the hubs and the spokes are in a single region with AS number 1111. The hubs and spokes use Internal Border Gateway Protocol (iBGP) as the routing protocol to exchange routing information.

  • Hub HA1 and Hub HA2 are hub threat defense devices at the headquarters.

  • Branch1, Branch2, Branch3, and Branch4 are spoke threat defense devices at the branches.

  • ISP1 is the VPN interface of each spoke to ISP1.

  • ISP2 is the VPN interface of each spoke to ISP2.

Figure 1. Dual ISP Topology with Two Hubs and Four Spokes in the Same Region

To configure this topology, you must create the following two SD-WAN topologies using the SD-WAN wizard:

SD-WAN Topology 1

Parameter                            | Value
-------------------------------------+-----------------------------------
Primary Hub                          | Hub HA1
Secondary Hub                        | Hub HA2
Spokes                               | Branch1, Branch2, Branch3, Branch4
AS Number                            | 1111
VPN Interface (Spoke Tunnel Source)  | ISP1
Number of Tunnels                    | 8

The total number of tunnels in SD-WAN Topology 1 is 8.

SD-WAN Topology 2

Parameter                            | Value
-------------------------------------+-----------------------------------
Primary Hub                          | Hub HA1
Secondary Hub                        | Hub HA2
Spokes                               | Branch1, Branch2, Branch3, Branch4
AS Number                            | 1111
VPN Interface (Spoke Tunnel Source)  | ISP2
Number of Tunnels                    | 8

The total number of tunnels in SD-WAN Topology 2 is 8.

The total number of VPN tunnels for this dual ISP deployment is 16.


Note

If the hubs are in different geographic locations and have different protected networks behind them, to ensure direct communication between these networks, configure a point-to-point route-based VPN topology between the two hubs using the route-based VPN wizard.


Dual ISP Deployment: Two Hubs and Four Spokes in Different Regions

In the following dual ISP topology, the hubs are in different regions, and have two directly connected spokes each. The hubs and their directly connected spokes use Internal Border Gateway Protocol (iBGP) as the routing protocol, and the hubs use External Border Gateway Protocol (eBGP) to exchange routing information.

  • Hub HA1 and Hub HA2 are hub threat defense devices at the headquarters.

  • Branch1, Branch2, Branch3, and Branch4 are spoke threat defense devices at the branches.

  • HQ1, Branch1, and Branch2 are in a single region with AS number 1111.

  • HQ2, Branch3, and Branch4 are in a single region with AS number 2222.

  • ISP1 is the VPN interface of each spoke to ISP1.

  • ISP2 is the VPN interface of each spoke to ISP2.

Figure 2. Dual ISP Topology with Two Hubs and Four Spokes in Different Regions

To configure this topology, you must create the following four SD-WAN topologies using the SD-WAN wizard:

SD-WAN Topology 1

Parameter                            | Value
-------------------------------------+------------------
Primary Hub                          | Hub HA1
Secondary Hub                        | Hub HA2
Spokes                               | Branch1, Branch2
AS Number                            | 1111
Secondary AS Number                  | 2222
VPN Interface (Spoke Tunnel Source)  | ISP1

The number of tunnels in SD-WAN Topology 1 is 4.

SD-WAN Topology 2

Parameter                            | Value
-------------------------------------+------------------
Primary Hub                          | Hub HA1
Secondary Hub                        | Hub HA2
Spokes                               | Branch1, Branch2
AS Number                            | 1111
Secondary AS Number                  | 2222
VPN Interface (Spoke Tunnel Source)  | ISP2

The number of tunnels in SD-WAN Topology 2 is 4.

SD-WAN Topology 3

Parameter                            | Value
-------------------------------------+------------------
Primary Hub                          | Hub HA2
Secondary Hub                        | Hub HA1
Spokes                               | Branch3, Branch4
AS Number                            | 2222
Secondary AS Number                  | 1111
VPN Interface (Spoke Tunnel Source)  | ISP1

The number of tunnels in SD-WAN Topology 3 is 4.

SD-WAN Topology 4

Parameter                            | Value
-------------------------------------+------------------
Primary Hub                          | Hub HA2
Secondary Hub                        | Hub HA1
Spokes                               | Branch3, Branch4
AS Number                            | 2222
Secondary AS Number                  | 1111
VPN Interface (Spoke Tunnel Source)  | ISP2

The number of tunnels in SD-WAN Topology 4 is 4.

The total number of VPN tunnels for this dual ISP deployment is 16.


Note

If the hubs are in different geographic locations and have different protected networks behind them, to ensure direct communication between these networks, configure a point-to-point route-based VPN topology between the two hubs using the route-based VPN wizard.
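The wizard guidelines (at most two hubs per topology, non-overlapping spoke pools that avoid the spokes' own interface subnets, a unique tunnel identity and tunnel source for each spoke in dual-ISP designs), the default Key ID format from Step 5, the AS-number rule from Step 7, and the tunnel counts in the dual ISP samples above can all be checked before anything is deployed. The following Python planner is an added example written for this page; it is not Cisco code and does not talk to the management center. The hub and branch names follow the sample topologies, while the addresses, pool ranges, topology names and the Device/Topology classes and their helper functions are this example's own constructions.

```python
"""Plan and sanity-check SD-WAN wizard topologies (added example, not product code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AS = 64512          # AS number the wizard uses when hubs and spokes share a region
MAX_HUBS_PER_TOPOLOGY = 2   # the wizard supports at most two hubs per topology


@dataclass
class Device:
    """A threat defense device and its logical interfaces (name -> IPv4 address/prefix)."""
    name: str
    interfaces: Dict[str, str]


@dataclass
class Topology:
    """One wizard topology: up to two hubs, N spokes, one spoke WAN interface, one pool."""
    name: str
    hubs: List[Device]
    spokes: List[Device]
    spoke_vpn_interface: str            # logical name of the spoke WAN interface, e.g. "ISP1"
    spoke_pool: str                     # spoke tunnel IP address pool, e.g. "10.255.1.0/24"
    primary_as: int = DEFAULT_AS
    secondary_as: Optional[int] = None  # set only when the secondary hub is in another region


def tunnel_count(topo: Topology) -> int:
    """Each spoke builds one tunnel to every hub in the topology."""
    return len(topo.hubs) * len(topo.spokes)


def total_tunnels(topologies: List[Topology]) -> int:
    return sum(tunnel_count(t) for t in topologies)


def hub_session_type(topo: Topology) -> str:
    """iBGP when all hubs share the AS; eBGP between the hubs when the secondary AS differs."""
    if topo.secondary_as is None or topo.secondary_as == topo.primary_as:
        return "iBGP"
    return "eBGP"


def spoke_source_ip(topo: Topology, spoke: Device) -> str:
    return str(ipaddress.ip_interface(spoke.interfaces[topo.spoke_vpn_interface]).ip)


def default_key_id(topo: Topology, spoke: Device) -> str:
    """Default Local Tunnel (IKE) identity: <topology name>_<device IP address>."""
    return f"{topo.name}_{spoke_source_ip(topo, spoke)}"


def validate_topology(topo: Topology) -> List[str]:
    """Check one topology against the per-topology guidelines; returns findings."""
    findings = []
    if len(topo.hubs) > MAX_HUBS_PER_TOPOLOGY:
        findings.append(f"{topo.name}: {len(topo.hubs)} hubs, limit is {MAX_HUBS_PER_TOPOLOGY}")
    pool = ipaddress.ip_network(topo.spoke_pool)
    for spoke in topo.spokes:
        if topo.spoke_vpn_interface not in spoke.interfaces:
            findings.append(f"{topo.name}: {spoke.name} has no interface {topo.spoke_vpn_interface}")
        # The pool must not overlap any interface subnet on the spoke.
        for ifname, cidr in spoke.interfaces.items():
            if ipaddress.ip_interface(cidr).network.overlaps(pool):
                findings.append(f"{topo.name}: pool {pool} overlaps {spoke.name} {ifname} ({cidr})")
    return findings


def validate_deployment(topologies: List[Topology]) -> List[str]:
    """Cross-topology checks for dual-ISP designs: pools, tunnel identity and source."""
    findings = []
    for topo in topologies:
        findings.extend(validate_topology(topo))
    pools = [(t.name, ipaddress.ip_network(t.spoke_pool)) for t in topologies]
    for i, (name_a, pool_a) in enumerate(pools):
        for name_b, pool_b in pools[i + 1:]:
            if pool_a.overlaps(pool_b):
                findings.append(f"pools of {name_a} and {name_b} overlap ({pool_a}, {pool_b})")
    # A spoke present in several topologies needs a distinct identity and source in each.
    seen_ids, seen_sources = set(), set()
    for topo in topologies:
        for spoke in topo.spokes:
            if topo.spoke_vpn_interface not in spoke.interfaces:
                continue  # already reported by validate_topology
            ident = (spoke.name, default_key_id(topo, spoke))
            source = (spoke.name, spoke_source_ip(topo, spoke))
            if ident in seen_ids:
                findings.append(f"{spoke.name}: duplicate tunnel identity {ident[1]}")
            if source in seen_sources:
                findings.append(f"{spoke.name}: tunnel source {source[1]} reused across topologies")
            seen_ids.add(ident)
            seen_sources.add(source)
    return findings


# Constructed sample matching the same-region dual ISP design: two hubs, four spokes,
# each spoke with an ISP1 and an ISP2 interface. Addresses are documentation ranges.
HUBS = [Device("Hub HA1", {"outside": "198.51.100.1/24"}),
        Device("Hub HA2", {"outside": "198.51.100.2/24"})]
SPOKES = [Device(f"Branch{i}", {"ISP1": f"203.0.113.{i}/24", "ISP2": f"192.0.2.{i}/24",
                                "inside": f"10.{i}.0.1/24"}) for i in range(1, 5)]
SAME_REGION = [
    Topology("sdwan_isp1", HUBS, SPOKES, "ISP1", "10.255.1.0/24", primary_as=1111),
    Topology("sdwan_isp2", HUBS, SPOKES, "ISP2", "10.255.2.0/24", primary_as=1111),
]

if __name__ == "__main__":
    for t in SAME_REGION:
        print(f"{t.name}: {tunnel_count(t)} tunnels, hubs peer over {hub_session_type(t)}")
    print("total tunnels:", total_tunnels(SAME_REGION))
    print("findings:", validate_deployment(SAME_REGION) or "none")
```

For the different-regions design, build four Topology objects with two spokes each and set secondary_as on each; hub_session_type then reports eBGP between the hubs, and the tunnel total is still 16.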


Verify Tunnel Statuses of an SD-WAN Topology

Verify Tunnel Statuses on the Site-to-Site VPN Summary Page

To verify if the VPN tunnels of the SD-WAN topologies are up, choose Device > VPN > Site-to-Site.

Following are the five SD-WAN topologies with two hubs and four spokes in different regions that are connected to dual ISPs:

Verify Tunnel Statuses on the Site-to-Site VPN Dashboard

To view details of the SD-WAN VPN tunnels, choose Overview > Dashboards > Site-to-site VPN.

Following are the VPN tunnels for an SD-WAN topology with two hubs and four spokes in different regions that are connected to dual ISPs:

To view more details of each VPN tunnel:

  1. Hover over a tunnel.

  2. Click the View Full Information icon. A pane with tunnel details and more actions appears.

  3. Click the CLI Details tab in the side pane to view the show commands and details of the IPsec security associations.

View Virtual Tunnel Interfaces of the Devices

To view the dynamic VTIs of hubs and static VTIs of spokes:

  1. Choose Devices > Device Management.

  2. Click the edit icon for a hub or a spoke device.

  3. Click the Interface tab.

  4. Click the Virtual Tunnels tab.

    For each VTI, you can view details such as name, IP address, IPsec mode, tunnel source interface details, topology, and remote peer IP.

The following image shows an example of the virtual access interfaces created dynamically by a hub's DVTI:

The following image shows an example of the static virtual tunnel interfaces (SVTIs) created on a spoke by the SD-WAN wizard:

The SD-WAN wizard assigns IP addresses to these tunnel interfaces from the IP address pool of the hub.

Verify Routing on the Hub and Branches

To verify the BGP configuration of the hubs and spokes of the SD-WAN topologies:

  1. Choose Devices > Device Management.

  2. Click the edit icon for a hub or a spoke device.

  3. Click the Device tab.

  4. Click CLI in the General card. The CLI Troubleshoot window appears.

  5. Enter the following commands in the Command field and click Execute:

    • show route

    • show bgp summary
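When there are many spokes, reading show bgp summary by hand does not scale, so the check behind step 5 is worth scripting. The following Python parser is an added example, not part of this guide or of the product. It assumes the IOS/ASA-style neighbor table columns (Neighbor, V, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down, State/PfxRcd), where an established session shows a numeric received-prefix count in the last column and a failing one shows a state word such as Active or Idle; the sample output, the overlay neighbor addresses and the AS numbers are constructed for the example.

```python
"""Check overlay BGP sessions from show bgp summary output (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BgpNeighbor:
    address: str
    remote_as: int
    state: str        # "Established", or the raw state word (Idle, Active, ...)
    prefixes: int     # prefixes received when established, otherwise 0
    uptime: str       # Up/Down column as printed


def parse_bgp_summary(text: str) -> Dict[str, BgpNeighbor]:
    """Parse the neighbor table that follows the 'Neighbor ...' header line."""
    neighbors: Dict[str, BgpNeighbor] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 10:
            continue  # not a neighbor row
        addr, remote_as, uptime, last = parts[0], int(parts[2]), parts[8], parts[9]
        if last.isdigit():
            neighbors[addr] = BgpNeighbor(addr, remote_as, "Established", int(last), uptime)
        else:
            neighbors[addr] = BgpNeighbor(addr, remote_as, last, 0, uptime)
    return neighbors


def check_overlay(neighbors: Dict[str, BgpNeighbor], expected: Dict[str, int]) -> List[str]:
    """Compare parsed sessions with the expected overlay peers (peer address -> remote AS)."""
    findings = []
    for addr, exp_as in expected.items():
        n = neighbors.get(addr)
        if n is None:
            findings.append(f"{addr}: neighbor not configured")
            continue
        if n.remote_as != exp_as:
            findings.append(f"{addr}: remote AS {n.remote_as}, expected {exp_as}")
        if n.state != "Established":
            findings.append(f"{addr}: session {n.state} (up/down {n.uptime})")
        elif n.prefixes == 0:
            findings.append(f"{addr}: established but no prefixes received")
    return findings


# Constructed output for a spoke in the same-region design: the tunnel to the primary hub
# is up and carrying routes, the tunnel to the secondary hub has never come up.
SAMPLE_SHOW_BGP_SUMMARY = """\
BGP router identifier 10.255.1.3, local AS number 1111
BGP table version is 12, main routing table version 12
6 network entries using 1200 bytes of memory

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.1.1      4         1111      45      47       12    0    0 00:35:12        6
10.255.1.2      4         1111      12      14        0    0    0 never    Active
"""

# Expected overlay peers for this spoke: both hub tunnel addresses in AS 1111 (constructed).
EXPECTED_PEERS = {"10.255.1.1": 1111, "10.255.1.2": 1111}

if __name__ == "__main__":
    sessions = parse_bgp_summary(SAMPLE_SHOW_BGP_SUMMARY)
    for finding in check_overlay(sessions, EXPECTED_PEERS) or ["all overlay sessions healthy"]:
        print(finding)
```

Feed it the text captured from the CLI Troubleshoot window for each hub and spoke; a spoke in the different-regions design is checked with its own hub's AS, and the hub-to-hub peering with the other region's AS.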