[How To] Connect Cisco SD-WAN to Umbrella SIG/SWG

In this post, we'll walk through configuring a Cisco Viptela SD-WAN network to integrate with Cisco Umbrella's Secure Internet Gateway (SIG) & Secure Web Gateway (SWG).

If you're interested in reading more about what SIG & SWG are, please check out my last post where I walked through this integration with a Meraki MX firewall.

For additional reading, there's also a good Umbrella blog post on all the components of Cisco's SASE architecture, which you can find here.

Okay, with that being said - let's get started!

Step 1: Umbrella API Keys

Okay, so we'll start on the Umbrella side. We'll need to generate a set of API keys, which we'll push out to our WAN edge devices. These API keys will allow our remote devices to reach out to Umbrella & auto-configure their SIG tunnels.

We'll log into our Umbrella dashboard at https://login.umbrella.com/

Once we log in, we'll hop over to Admin > API Keys. Then up in the upper-right corner, click Create.

[Screenshot: Umbrella Admin > API Keys page]

For this integration, we'll need to select Umbrella Management to make sure our API keys have the access they need. Then click Create. Easy enough, right?

Once we do that, the Umbrella dashboard will display our API keys - which we'll need to copy over to our Viptela SD-WAN environment.

[Screenshot: generated Umbrella API key and secret]

We'll also need to collect our Umbrella Organization ID. This is actually just embedded within the Umbrella Dashboard URL, and should be a seven-digit number. For example, if we look at our current URL on the API keys page:

https://dashboard.umbrella.com/o/<ORG ID>/#/admin/apikeys

And that's all we need for now from the Umbrella side. So let's hop over to Viptela.

Step 2: Viptela Templates & Config

For this post, I'll be using my SD-WAN lab in EVE-NG. I've just upgraded the lab to run Viptela version 20.4.1, though the SIG integration has been supported since 20.1.

Just for reference, here is the lab topology that I'm working with:

[Diagram: EVE-NG lab topology]

This lab includes a bridged connection to allow direct internet access from the lab network.

To configure our SIG automatic tunnels, we'll need to create / update a few templates:

  • Create a SIG Credentials feature template
  • Create a SIG feature template
  • Assign SIG templates to device templates
  • Edit Service-side VPN Template to inject a service route

2a: Creating a SIG Credentials Template

First we'll create a template which will store our Umbrella API credentials.

In the vManage dashboard, we'll go to Configuration > Templates, then drop into the Feature tab, and click on Add Template.

[Screenshot: Configuration > Templates > Feature > Add Template]

Once we get to the next screen, we'll select our device type. In my case, I'm using a vEdge Cloud.

A list of templates will pop up - we'll drop down to SIG Credentials, which will be near the bottom under the Other Templates header.

[Screenshot: selecting the SIG Credentials feature template]

We'll then be taken to the page where we create our template.

We'll fill in our template name & description, then paste in our Umbrella details (Org ID, API Key, API Secret).

[Screenshot: SIG Credentials template page with Org ID, API Key and API Secret]

Once we're done - We'll hit Save.

Note: At time of writing, the "Get Keys" button only functions if you've purchased your SD-WAN subscription with DNA Premier licensing. This license level includes Umbrella SIG, and allows this 1-click integration that pulls your Umbrella API keys automatically.

2b: Creating a SIG Tunnel Template

Okay, next we'll need to create another feature template to specify our IPSec tunnel configuration.

Just like before, we'll head back over to Configuration > Templates > Feature > Add Template.

This time, after selecting our device type, we'll choose Secure Internet Gateway (SIG) / WAN - which is located under the VPN header.

[Screenshot: selecting the Secure Internet Gateway (SIG) / WAN feature template]

In the template configuration, we'll give the template a name & description as always. Then we'll jump down to the tunnel config.

We'll select Umbrella for SIG Provider, then click Add Tunnel.

[Screenshot: SIG Provider set to Umbrella, Add Tunnel button]

Within the tunnel config, we'll specify an interface name - I'll name mine ipsec1 (and I'll create an ipsec2 shortly). We'll also specify a Tunnel Source, which in my lab is ge0/0 for the biz-internet VPN 0 interface.

[Screenshot: tunnel configuration with interface name and tunnel source]

We'll keep Data-Center as Primary, then click Add. Then - we'll add a second tunnel configuration, but using Data-Center as Secondary and the interface name as ipsec2.

When all that is done, we should have the following:

[Screenshot: ipsec1 (primary) and ipsec2 (secondary) tunnels listed]

If we scroll down to the bottom of the template config, we'll have some settings for High Availability. Here, we'll specify what our active & backup IPSec tunnels are, and their weights. I'll specify ipsec1 as active & ipsec2 as backup. Then click Save to finish our template.

Note: Weight settings are only available starting with 20.4.1 & allow for ECMP routing to SIG. Not shown above, you can create up to four HA tunnel pairs. Depending on weighting, you can equal-cost or unequal-cost load balance between those pairs.

Why would you want to load balance across multiple tunnels? At time of writing, each IPSec tunnel is limited to a maximum 250Mb/s throughput. By creating multiple tunnels & load balancing, we can overcome this limitation if we need higher bandwidth.

2c: Attaching SIG to Device Templates

After we've built out our two SIG templates, we can now attach them to our device templates.

For me, I currently only have a single device template which is applied to all of my remote WAN edge devices.

So we'll go back to Configuration > Templates and find whichever device template we want to use - then click the ellipsis on the far right, and select Edit.

[Screenshot: Edit option on the device template]

In the device template, we'll scroll down and look for our VPN 0 configuration under Transport & Management VPN. We'll attach our SIG tunnel template to VPN 0, since that's where those IPSec tunnels are being sourced from.

On the right side, under Additional VPN 0 Templates, we'll click Secure Internet Gateway to add our template. Then from the drop-down, we can select the feature template we just created:

[Screenshot: SIG feature template attached under Additional VPN 0 Templates]

We'll also include our SIG credentials template, which we can find at the bottom of the page, under Additional Templates:

[Screenshot: SIG Credentials template attached under Additional Templates]

Once we're done, we can click Save at the bottom. This will take us through the process of pushing out these changes to our remote WAN edge devices. When this configuration is deployed, each vEdge will now reach out to Umbrella & auto-configure an IPSec tunnel.

Note: While the IPSec tunnels will be established when this configuration is pushed - no traffic will flow over them yet. We'll need to add a service route for that, which we'll do next!

2d: Injecting a Service Route

Now we have our IPSec tunnels deployed - all we need to do is start routing traffic out to Umbrella. We'll accomplish this using a service route on our LAN-side VPN.

So we'll go over to Configuration > Templates > Feature - and we'll scroll down & find whichever template we're currently using on our LAN side. For me, I want VPN 10 to route over the tunnels, so I'll be editing my VPN 10 template.

Within the template, we'll scroll down to the Service Route section, click New Service Route, and we'll enter our desired prefix. This will be what traffic will be routed over the IPSec tunnel to Umbrella. Since this is intended to be an internet gateway, I'll enter 0.0.0.0/0 to inject a default route to Umbrella.

Service should be pre-selected as SIG, so we'll click Add, then Update & deploy our changes to the remote edge devices.

[Screenshot: 0.0.0.0/0 service route with service SIG in the VPN 10 template]

Step 3: Validation & Troubleshooting

Awesome! Now we should have everything configured & working. So let's jump through some initial testing and validation we can do.

Within vManage, we can check the status of our IPSec tunnels. We'll go over to Monitor > Network then select one of our WAN edge devices.

We'll click on the Interfaces tab on the left side - and we should be able to see a list of all interfaces on our device. This should include an ipsec1 & ipsec2 interface.

I've also selected the Real Time monitor on mine, and filtered to just show traffic on the ipsec1 interface:

[Screenshot: vManage real-time interface monitor filtered to ipsec1]

You might recall from my topology above, that I have a linux VM running behind each of the two vEdge Cloud appliances. Using these, I can also test web access & see what my external IP is:

[Screenshot: Linux VM checking its external IP address]

And sure enough, I am getting a 146.112.x.x address - which belongs to the Umbrella datacenter.

If we log into one of our vEdge devices, we can check the routing table with show ip route vpn 10 (or whichever VPN you're using for the LAN-side). We should see our default 0.0.0.0/0 route via ipsec1, with a next-hop-VPN of VPN0:

vEdge-01# show ip route vpn 10

     ADDRESS               PATH             PROTOCOL          NEXTHOP  NEXTHOP                         NEXTHOP
VPN  FAMILY   PREFIX       ID    PROTOCOL   SUB TYPE  METRIC  IFNAME   ADDR     TLOC IP  COLOR  ENCAP  VPN      STATUS
------------------------------------------------------------------------------------------------------------------------
10   ipv4     0.0.0.0/0    0     std-ipsec  -         0       ipsec1   -        -        -      -      0        F,S
10   ipv4     10.2.2.0/24  0     connected  -         0       ge0/2    -        -        -      -      -        F,S

We can also check specifically our SIG tunnel status using the command show secure-internet-gateway tunnels:

vEdge-01# show secure-internet-gateway tunnels

TUNNEL                                                        API   LAST
IF                                                            HTTP  SUCCESSFUL     TUNNEL
NAME    TUNNEL ID  TUNNEL NAME                     FSM STATE  CODE  REQ            STATE
-------------------------------------------------------------------------------------------
ipsec1  530233543  SITE200SYS10x10x10x235IFipsec1  st-tun-up  200   create-tunnel  -
ipsec2  530233542  SITE200SYS10x10x10x235IFipsec2  st-tun-up  200   create-tunnel  -

In the output above, we'll see both the ipsec1 & ipsec2 tunnels. The last API requests to Umbrella returned HTTP 200, which is good. We'll also see our tunnel names, which we can use to find our device tunnel configuration in the Umbrella dashboard.

The tunnel name might look like a mess at first, but it's a unique identifier to represent each tunnel that was created. So if we break it down for this vEdge:

  • This vEdge is at Site ID 200
    • Shown as "SITE200"
  • This vEdge has a system IP of 10.10.10.235
    • Shown as "SYS10x10x10x235"
  • This vEdge has two IPSec interfaces, ipsec1 & ipsec2
    • Shown as "IFipsec1" and "IFipsec2"
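As an added example (not code from the original post or from Cisco), here is a small Python helper that parses the show secure-internet-gateway tunnels output shown above, flags any tunnel that is not in st-tun-up or whose last Umbrella API call did not return HTTP 200, and decodes each tunnel name into site ID, system IP and interface so it can be matched against the Umbrella dashboard. The sample output is constructed from the two vEdge-01 rows above plus a made-up failing row; "st-tun-down" is a hypothetical state name, not one taken from the page.

```python
import re

# Tunnel name layout described above: SITE<site-id>SYS<system-ip, dots written as x>IF<interface>
TUNNEL_NAME_RE = re.compile(r"^SITE(?P<site>\d+)SYS(?P<sys>\d+x\d+x\d+x\d+)IF(?P<ifname>\S+)$")

# Constructed sample: the two rows from the vEdge-01 output above, plus a hypothetical third
# row (ipsec3, HTTP 401, made-up FSM state) so the health check has something to flag.
SAMPLE_OUTPUT = """\
TUNNEL                                                        API   LAST
IF                                                            HTTP  SUCCESSFUL     TUNNEL
NAME    TUNNEL ID  TUNNEL NAME                     FSM STATE  CODE  REQ            STATE
-------------------------------------------------------------------------------------------
ipsec1  530233543  SITE200SYS10x10x10x235IFipsec1  st-tun-up  200   create-tunnel  -
ipsec2  530233542  SITE200SYS10x10x10x235IFipsec2  st-tun-up  200   create-tunnel  -
ipsec3  530233544  SITE200SYS10x10x10x235IFipsec3  st-tun-down  401  create-tunnel  -
"""

def decode_tunnel_name(name):
    """Split a SIG tunnel name into site ID, system IP and interface; None if it doesn't match."""
    m = TUNNEL_NAME_RE.match(name)
    if not m:
        return None
    return {"site_id": int(m.group("site")),
            "system_ip": m.group("sys").replace("x", "."),
            "ifname": m.group("ifname")}

def parse_sig_tunnels(output):
    """Pick the data rows out of 'show secure-internet-gateway tunnels' output."""
    tunnels = []
    for line in output.splitlines():
        cols = line.split()
        # Data rows: ifname, numeric tunnel ID, tunnel name, FSM state, HTTP code, last request, state
        if len(cols) >= 6 and cols[0].startswith("ipsec") and cols[1].isdigit():
            tunnels.append({"ifname": cols[0], "tunnel_id": cols[1], "tunnel_name": cols[2],
                            "fsm_state": cols[3], "http_code": int(cols[4]), "last_request": cols[5]})
    return tunnels

def unhealthy_tunnels(tunnels):
    """Interfaces whose tunnel is not up or whose last Umbrella API call did not return HTTP 200."""
    return [t["ifname"] for t in tunnels if t["fsm_state"] != "st-tun-up" or t["http_code"] != 200]

def tunnel_report(output):
    """Map each interface to its decoded tunnel name, to cross-check against Deployments > Network Tunnels."""
    return {t["ifname"]: decode_tunnel_name(t["tunnel_name"]) for t in parse_sig_tunnels(output)}
```

Pasting the real command output into parse_sig_tunnels in place of SAMPLE_OUTPUT gives a quick per-device check before opening the Umbrella dashboard.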

If we jump over to the Umbrella dashboard, we'll see the same. Within the Umbrella dashboard, we can jump to Deployments > Network Tunnels.

On this page, we should see a total of four tunnels listed (two from each vEdge appliance):

[Screenshot: Umbrella Deployments > Network Tunnels showing four tunnels]

And with everything configured & validated - now we can move onto configuring firewall and web filtering policies within Umbrella!

If you're interested in seeing how to configure Umbrella's cloud firewall & web filtering policies - please check out my YouTube Video above!