Cisco and Netskope have collaborated to offer customers a leading Secure Access Service Edge (SASE) solution. This solution provides a simple way to set up tunnels and direct traffic to Netskope. It has been tested and validated with Cisco IOS XE SD-WAN routers running software versions 17.9 or 20.9 (August 2022) together with the Netskope cloud dashboard. The most significant advantage for customers is the easy implementation of a complete end-to-end solution for SD-WAN and security.
Cisco Catalyst SD-WAN integration with Netskope is used for north-south traffic that is leaving the SD-WAN branch and destined for the internet or a Software-as-a-Service (SaaS) application and needs to be inspected at Netskope.
Connectivity
● Connection Types: IPsec and GRE
● Bandwidth (BW): 2Gbps for IPsec and GRE
Foundational features
● Configuration simplification using reusable SIG templates
● Tunnel health check using L7 probes
● Redundancy: Active/backup tunnel
● Redirection for internet-bound traffic
● Customized tunnel naming for easy monitoring and troubleshooting
Advanced feature set
● Granular traffic redirection: Traffic policies based on IP/user/applications
● Enhanced throughput: 4 active and 4 backup tunnels
● Traffic Load Balancing: Equal Cost Multipath (ECMP) and weighted load balancing
● CoR for SaaS applications: Ability to select the best tunnel for a given application
Monitoring/Visibility
● Tunnel Status, Application health, Tunnel and Application Statistics
Prerequisites
● Netskope SSE cloud platform.
● We have tested this on version 17.9 software on the Cisco Catalyst™ 8000 platform.
Step 1: Set up tunnels on the Netskope SSE cloud platform. Generic Routing Encapsulation (GRE) and IPsec configurations are shown.
Step 2: Set up tunnels on the Catalyst SD-WAN Manager (formerly vManage) platform using Secure Internet Gateway (SIG) templates.
Step 3: Set up policy to route traffic to Netskope.
Step 1. Logging in to SD-WAN Manager
Open SD-WAN Manager and go to the SIG templates. All the configuration for setting up a connection to Netskope is done in this SIG template. Within a few minutes, the template can be configured and pushed out to hundreds or even thousands of your devices.
GRE tunnel setup: On the Netskope dashboard, go to Settings -> Security Cloud Platform and choose IPsec or GRE tunnels.
To create the tunnel, you need the IPs of the Netskope Points of Presence (PoPs), which are shown below. You can choose the PoP based on geographical location. This IP is used later to configure the SD-WAN Manager SIG template.
Then click "New GRE configuration" and enter the name of the tunnel and the source IP of the Cisco Catalyst SD-WAN router from which the tunnel is originating, as shown below.
You can have multiple tunnels (up to four) for redundancy, originating from the same source IP but terminating at different Netskope PoPs.
IPsec tunnel setup: Go to the IPsec section and click “Add new tunnel” as shown below.
Enter the tunnel name and the source IP address or Fully Qualified Domain Name (FQDN). Select the IPsec PoPs from the drop-down; use both the primary and secondary PoP IPs for redundancy. The preshared key and the encryption cipher for the IPsec tunnel are shown on the screen and must be matched on the SD-WAN Manager side. You can also choose the maximum bandwidth required.
Step 2. To set up tunnels in SD-WAN Manager using SIG templates, navigate to Configuration -> Templates -> Feature Template and create a SIG template. This allows for easy and efficient configuration of tunnels on the Cisco Catalyst SD-WAN platform.
● In the SIG template, select the Generic tunnel option.
● Create a tracker to ensure the health of the tunnel. For this, you can use any stable IP address. In the given example, google.com has been used as the endpoint address.
As part of the tunnel creation, select the tracker you created in the previous step from the drop-down.
Enter the IP of the Netskope PoP endpoint as the tunnel destination IP.
Standby tunnel: In the same manner, create the standby tunnel and use the other Netskope PoP IP as its destination.
Once the two tunnels are created, as seen below, add a High Availability (HA) configuration using these two tunnels. This helps ensure that traffic fails over to the secondary tunnel in case the primary one goes down.
Step 3. Setting up a route-based service route
To set up the route-based service route for sending traffic through the tunnels for inspection in Netskope before it reaches the destination, follow these steps:
1. Add a service route and select SIG from the drop-down. The tunnels configured in the SIG template are picked up automatically.
2. Add the subnets of the specific traffic that needs to be inspected at Netskope. Only traffic matching these subnets is redirected into the tunnels; everything else follows the normal routing table.
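As an added illustration (not from this document or from Cisco's or Netskope's own configuration), this is the kind of IOS XE SD-WAN CLI that the SIG template, tracker, HA pair and service route described in Steps 2 and 3 render on a Catalyst 8000 router. The tracker name, tunnel numbers, WAN interface, VRF, inspected subnet and the two PoP addresses are placeholders to replace with the values taken from the Netskope dashboard, and the exact keyword set should be confirmed against the configuration the template actually pushes to your device.

```cisco
! Added example: illustrative rendering of a SIG template, not copied from
! the page. Placeholders: <NETSKOPE_POP1_IP>, <NETSKOPE_POP2_IP>, VRF 10,
! GigabitEthernet1 as WAN interface, 10.10.0.0/16 as the inspected subnet.
!
! L7 tracker that decides tunnel health (google.com, as on the page)
endpoint-tracker netskope-tracker
 endpoint-dns-name google.com
 tracker-type interface
 interval 60
 multiplier 3
!
! Primary GRE tunnel to the first Netskope PoP
interface Tunnel100001
 description Netskope-GRE-Primary
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel destination <NETSKOPE_POP1_IP>
 tunnel mode gre ip
 tunnel vrf multiplexing
 tunnel route-via GigabitEthernet1 mandatory
 endpoint-tracker netskope-tracker
!
! Standby GRE tunnel to the second Netskope PoP
interface Tunnel100002
 description Netskope-GRE-Backup
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel destination <NETSKOPE_POP2_IP>
 tunnel mode gre ip
 tunnel vrf multiplexing
 tunnel route-via GigabitEthernet1 mandatory
 endpoint-tracker netskope-tracker
!
! HA pair: traffic fails over to Tunnel100002 when the tracker marks
! Tunnel100001 down
sdwan
 service sig vrf global
  ha-pairs
   interface-pair Tunnel100001 active-interface-weight 1 Tunnel100002 backup-interface-weight 1
!
! Service route: only the inspected subnet from VRF 10 is sent via SIG
ip sdwan route vrf 10 10.10.0.0 255.255.0.0 service sig
```

After the push, the tunnel and tracker state shown in SD-WAN Manager's monitoring pages should match what `show sdwan secure-internet-gateway tunnels` and `show endpoint-tracker` report on the router.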
Take the first step in modernizing your WAN architecture. Contact us for a free consultation on integrating your Cisco Catalyst SD-WAN with Netskope.