
Deploy Visibility in Your SASE Architecture with ThousandEyes

Primož Sečnik Kolman
Global Technical Solutions Architect - ThousandEyes

BRKOPS-2857
Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.
BRKOPS-2857 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Introduction
• Software development and computer networks background
• Joined ThousandEyes in 2015
• Various customer-facing roles
Agenda
• Introduction
• Agent Deployment
• Test Configuration
• Secure Remote Worker
• Secure Edge

• Recap
Introduction
Cisco SASE Bundle
• Cloud security with Cisco Umbrella
• SD-WAN powered by Cisco and Meraki
• Zero-trust network access (ZTNA) with Cisco Secure Access by Duo
• Visibility with Cisco ThousandEyes
• It's a bundle. For now.
Why do you need Visibility?
[Slide: scattered-letter word art reading "IF YOU CAN READ THIS, YOU PROBABLY DON'T NEED SASE VISIBILITY*"]
* Visibility? Observability? Potato, potato!
Why do you need Visibility?
[Slide: an employee reporting "Houston, we have a problem"]
Problem Landscape: Secure Remote Worker
[Slide diagram: a remote worker on WiFi and a home network reaching public / private apps, public cloud / SaaS and on-prem apps through the Cisco SASE security-as-a-service stack, with a troubleshooting question at every hop]

Cisco SASE (security as a service) components shown:
• Umbrella: DNS security, secure web gateway, cloud access security broker (CASB); DNS / HTTP / HTTPS to public / private apps on the Internet
• Duo: adaptive MFA, device posture and health, behavior analytics, clientless remote access; SSO to public cloud / SaaS, web apps / SSH
• AnyConnect: remote access (all ports / protocols) through a network gateway to on-prem apps; an optional remote access gateway (Secure TLS) in front of the data center

Questions the diagram asks at each hop:
• Is it the WiFi?
• Is it the home network?
• Is it the ISP?
• Is it the transit ISP?
• Is it the VPN gateway?
• Is it SECaaS?
• Is it the SaaS app?
• Is it the application?
Problem Landscape: Secure Edge
[Slide diagram: an office (network edge) behind an SD-WAN router reaching SaaS and on-prem apps through an Umbrella tunnel and the SD-WAN mesh / fabric, with a troubleshooting question at every hop]

Cisco SASE (security as a service) components shown:
• Umbrella: DNS security, secure web gateway, L7 firewall, cloud access security broker (CASB); reached over an Umbrella tunnel to the Internet
• Duo: adaptive MFA, device posture and health, behavior analytics, continuous verification; SSO to SaaS
• SD-WAN: analytics / automation, middle-mile efficiency, telemetry, application SLA, SaaS optimization, integrated multi-cloud access; SD-WAN fabric to on-prem apps

Questions the diagram asks at each hop:
• Is it the enterprise LAN?
• Is it the SD-WAN underlay?
• Is it the SD-WAN overlay?
• Is it the ISP?
• Is it the transit ISP?
• Is it SECaaS?
• Is it the SaaS app?
• Is it the application?
ThousandEyes SASE Visibility
[Slide diagram: what ThousandEyes measures along the SASE path]
• SASE & service availability
• SASE performance
• Per-office availability
• Per-office performance
• Application availability
• Application performance
Visibility puts you in control
Visibility Must Be Actionable
When service degradation occurs, quickly identify where the problem is.
[Slide: three stacked ThousandEyes time-series charts from the LJ Office, annotated in order]
1 Office 365 HTTP Response Time from LJ Office: increase in the service response time
2 Office 365 Network Latency from LJ Office: due to an increase in network latency
3 Umbrella Network Latency from LJ Office: caused by a network path change
Conclusion: service degradation due to a network path change in the SaaS provider network.
Path segments shown: Local network → Internet → Umbrella → Internet → SaaS provider network
Agent Deployment

Secure Remote Worker
[Slide diagram: ThousandEyes Endpoint agent installed on the remote worker's computer]
Endpoint Agent
• Install it on your employees' computers (Windows & macOS)
  • Manual, Group Policy or Managed Software Center
• Performs active application and network performance tests
• Passively collects performance data (WiFi metrics, CPU, …)
• Detects and monitors VPNs and proxies
• Follows the employee wherever they work from
  • Work from home
  • Work from office
  • Work from anywhere
Secure Edge
[Slide diagram: ThousandEyes Enterprise agent in the office, ThousandEyes Cloud agent on the Internet]
Enterprise Agent
• Install it in your office, in the user VLAN
  • Cisco Catalyst 8000, Catalyst 9000 and ISR 4000 Series
  • VM, Docker, Intel NUC, Raspberry Pi
  • Install on whatever is available; Catalyst devices give you no visibility advantage
• Performs active application and network performance tests
• Performs complex web application testing (incl. ZTNA)
• Can test the VPN and SD-WAN underlay
• Provides a constant baseline regardless of whether there are any active users
Enterprise Agent Installation on Cisco Devices
• Catalyst 8200, 8300, 8500, ISR 4000, ASR 1000
  • Install it through vManage
  • CLI installation only when the router is not in SD-WAN mode
  • IOS XE > 17.6.1 (17.8 for Cat 8500 & ASR 1000)
  • Agent software auto-updates independently of IOS XE
  • No BrowserBot tests
• Catalyst 9300, 9400
  • Install it through DNAC or CLI
  • IOS XE > 17.5.1 (17.3.3 for 9300 basic functionality)
  • SSD required for BrowserBot tests
Enterprise Agent Installation on Meraki?
• Keep an eye on Cisco Live 23 announcements in June
Cloud Agent
• Installed in 241 cities and 63 countries around the world
  • Broadband ISPs
  • Cloud providers (AWS, Azure, GCP, Alibaba)
  • Webex data centers
• Complements and improves your Enterprise agent tests
  • Reference metrics (your office vs other ISPs in the area)
  • Two-way network testing between your office and Cloud providers
  • Two-way RTP testing between your office and Webex data centers
Test Configuration

Secure Remote Worker

Endpoint Agent: Passive Monitoring
[Slide diagram: remote worker on a LAN with a DNS server, reaching Umbrella Cloud, SaaS, Webex Cloud and the Data Center (Secure TLS) over the Internet]
Passively collected on the employee's computer:
• Browser performance metrics
• WiFi performance metrics
• Computer performance metrics (CPU, memory, …)
Endpoint Agent: Default Network Testing
[Slide diagram: same topology; network tests the Endpoint agent runs by default]
• Network test against the proxy (Umbrella Cloud)
• Network test against the DNS server
• Network test against the default gateway
• Underlay network test against the VPN gateway (Secure TLS in front of the Data Center)
Endpoint Agent: Scheduled Testing
[Slide diagram: same topology; scheduled tests added on top of the default ones]
• HTTP test against the business-critical SaaS applications
• HTTP test against the business-critical on-prem applications
Endpoint Agent: Scheduled Testing
• Target business-critical applications regardless of their location
• ThousandEyes test traffic will follow the routing of your SASE environment, through Umbrella, VPN or the Internet
  • The Umbrella CA cert will already be installed on the client computer (Umbrella TLS decryption requires it), so the agent's HTTPS tests through Umbrella succeed
• Configure appropriate test types
  • HTTP Server for web applications
  • Network tests for everything else
Endpoint Agent: Automated Session Testing
[Slide diagram: same topology; AST follows the collaboration client's connections to the collaboration applications (Webex Cloud)]
Endpoint Agent: Automated Session Testing
• The collaboration client connects to multiple different nodes
  • Web zone
  • Multi-media nodes
  • Collaboration bridges
• The collaboration client connects to multiple different regions
• AST will track the collaboration client's connections
  • and set up network tests against the target nodes
Secure Edge

Enterprise Agent: Application Testing
[Slide diagram: office Enterprise agent with an IPSec tunnel to Umbrella Cloud, SD-WAN tunnels over the Internet and MPLS to the Data Center, reaching SaaS, Webex Cloud and the DNS server]
• Web test against the SaaS applications
• DNS test against the DNS server(s)
• Network/RTP test against Webex data centers
• Web test against the on-prem applications
Enterprise Agent: Application Testing
• Target business-critical applications regardless of their location
• ThousandEyes test traffic will follow the routing of your SASE environment, through Umbrella, the SD-WAN fabric or DIA
• Configure appropriate test types
  • Page Load or Web Transaction (SSO) for web applications
  • DNS Server for application domains, against your DNS resolvers
  • Network or RTP tests for collaboration applications
• There is real value in cloud network performance
  • SASE components are just a part of the whole journey
Cloud Agent: Application Testing
• The Cloud agent doesn't play a major role in SASE visibility
• Use Cloud agents in Webex data centers for two-way network and RTP tests
• Use Cloud agents in the same area as your office for reference testing
  • Does a business application perform better or worse from my office compared to a cloud location in the area?
Enterprise Agent: Underlay Testing
[Slide diagram: same office topology; the tests bypass the tunnels and probe the underlay Internet and MPLS]
• Underlay network test against the Umbrella IPSec gateway
• Underlay network test against the DC vEdge Internet-facing interface
Enterprise Agent: Underlay Testing
• Underlay testing gives you hop-by-hop insight into the underlay Internet
• Typically requires additional data policies on your edge router
  • The Enterprise agent runs in a user subnet (VLAN/VRF)
  • Underlay tests target the Umbrella IPSec gateway or the DC edge router with ICMP
  • You're OK if DIA is already configured for those IPs
• Interested in deep implementation details?
  • BRKENT-2126 - 3 Steps to Gain Actionable Visibility in the Cisco SD-WAN Using ThousandEyes
Enterprise Agent on a Cisco Router
[Slide diagram: edge router with the agent in VirtualPortGroup 4 (interface 192.168.4.4) inside Service VPNn (interface 192.168.3.2); routing into Transport VPN0, which NATs to the Internet (interface 212.30.3.2) and connects to MPLS (interface 172.16.0.1)]
• The agent has an interface in a VPG
• The VPG can be placed in any VPN, but you should place it in a service VPN
• The VPG requires a unique subnet
  • which gets automatically advertised into the SD-WAN fabric
  • but not beyond!
• Up and ready for application testing
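As an added example that is not from the deck, this is the IOS XE configuration a Catalyst 8000 router ends up with when the Enterprise Agent is hosted in VirtualPortGroup 4 in a service VPN, using the VPG addresses from the diagram above (agent 192.168.4.4, router side 192.168.4.1). On a router in SD-WAN mode the same lines are generated by the vManage ThousandEyes feature template rather than typed (the installation slide notes CLI installation is only for routers not in SD-WAN mode). The app-hosting name, VRF 1 as the service VPN, the name server 10.4.1.53, the container hostname, the package file name and the account-group token placeholder are assumptions.

```cisco
! Example, not from the deck: ThousandEyes Enterprise Agent hosted in VPG 4.
! Assumed values: VRF 1 (service VPN), name-server 10.4.1.53, hostname, appid, package name.
iox
!
interface VirtualPortGroup4
 description ThousandEyes Enterprise Agent (unique subnet, advertised into the SD-WAN fabric)
 vrf forwarding 1
 ip address 192.168.4.1 255.255.255.0
!
app-hosting appid thousandeyes_enterprise_agent
 ! guest-interface 0 is the container side of VPG 4
 app-vnic gateway0 virtualportgroup 4 guest-interface 0
  guest-ipaddress 192.168.4.4 netmask 255.255.255.0
 app-default-gateway 192.168.4.1 guest-interface 0
 app-resource docker
  prepend-pkg-opts
  run-opts 1 "--hostname te-agent-branch"
  ! the account-group token enrolls the agent into your ThousandEyes account group: treat it as a secret
  run-opts 2 "-e TEAGENT_ACCOUNT_TOKEN=<account-group-token>"
 name-server0 10.4.1.53
 start
!
! Exec-mode steps for a router NOT in SD-WAN mode (package name assumed):
! app-hosting install appid thousandeyes_enterprise_agent package bootflash:<thousandeyes-agent-package>.tar
! app-hosting activate appid thousandeyes_enterprise_agent
! app-hosting start appid thousandeyes_enterprise_agent
! Verify: show app-hosting list
!         show app-hosting detail appid thousandeyes_enterprise_agent
```

Two points worth checking after the agent comes up: the VPG subnet is a connected route in the service VPN and is the subnet the deck says gets advertised into the fabric, so reachability to 192.168.4.4 from other sites is expected and should be firewalled like any other host subnet; and the account-group token in `run-opts` is readable to anyone who can view the running configuration or the vManage template, so keep it out of shared templates and rotate it if it leaks.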
Cisco Router Underlay Testing Policies
[Slide diagram: Branch Edge Router with the agent (IP 10.4.253.13) in VirtualPortGroup 4 / Service VPNn, NATed out of Transport VPN0 over the Internet interface 64.100.249.66 and the MPLS interface 172.29.0.22; DC Edge Router with Internet-facing addresses 64.100.249.64 / 64.100.249.65 and MPLS interface 172.29.0.2]
• Branch Edge Router: configure a data policy to NAT all IP packets with SRC 10.4.253.13 and DSCP 10 from Service VPNn into the Internet transport
• Branch Edge Router: configure a data policy to NAT all IP packets with SRC 10.4.253.13 and DSCP 12 from Service VPNn into the MPLS transport
• Agent-to-server ICMP test against 64.100.249.65 (DC edge router, Internet), marked DSCP 10
• Agent-to-server ICMP test against 172.29.0.2 (DC edge router, MPLS), marked DSCP 12
vManage Underlay Testing Policy Configuration
[Slide: vManage screenshot of the underlay testing data policy]
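An added example that is not from the deck or from BRKENT-2126: the centralized (vSmart) data policy behind the diagram above, in CLI form. It matches the agent's underlay tests by source IP and by the DSCP value configured on each ThousandEyes agent-to-server test, then NATs DSCP 10 out of the Internet transport and DSCP 12 out of the MPLS transport. The addresses are the ones on the diagram; service VPN 1, the list names, the site-id and the TLOC colors biz-internet / mpls are assumptions.

```cisco
! Example, not from the deck: vSmart centralized data policy that steers the
! Enterprise Agent's underlay ICMP tests (source 10.4.253.13) by DSCP.
! Assumed: service VPN 1, site-id 100, TLOC colors biz-internet and mpls.
policy
 lists
  vpn-list TE-SERVICE-VPN
   vpn 1
  site-list TE-BRANCHES
   site-id 100
 data-policy TE-UNDERLAY
  vpn-list TE-SERVICE-VPN
   ! DSCP 10 test -> DIA on the Internet transport, NATed into VPN 0
   sequence 10
    match
     source-ip 10.4.253.13/32
     destination-ip 64.100.249.65/32
     dscp 10
    action accept
     nat use-vpn 0
     set
      local-tloc-list
       color biz-internet
       encap ipsec
   ! DSCP 12 test -> out of the MPLS transport, NATed into VPN 0
   sequence 20
    match
     source-ip 10.4.253.13/32
     destination-ip 172.29.0.2/32
     dscp 12
    action accept
     nat use-vpn 0
     set
      local-tloc-list
       color mpls
       encap ipsec
   ! everything else from the service VPN keeps using the overlay
   default-action accept
!
apply-policy
 site-list TE-BRANCHES
  data-policy TE-UNDERLAY from-service
```

The `destination-ip` match is deliberate: matching only on source IP and DSCP would turn the agent into a general DIA host for any destination it chooses to mark, so the policy is pinned to the two test targets. `nat use-vpn 0` only works if NAT is enabled on the corresponding VPN 0 transport interfaces of the branch router, and the policy takes effect only after it is activated on vSmart; `show sdwan policy from-vsmart` on the branch router shows what it actually received. The DSCP value on the ThousandEyes test must match the `dscp` line, otherwise the test silently rides the overlay and measures the tunnel instead of the underlay.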
SD-WAN topologies (w = one-way underlay paths to test, n = number of sites)
• Hub & spoke
  • w = (n – 1) * 2
• Full-mesh
  • w = n * (n – 1)
• Hybrid
• You can't monitor a full-mesh underlay
  • Focus on app data flows
  • You will end up with hub-and-spoke
Umbrella Underlay Testing
• If you have 1 Internet and 1 MPLS transport network with DIA enabled, it will work out of the box
• Otherwise, you need to configure another data policy on the SD-WAN router
Demo
Umbrella SSL Inspection
• If Umbrella is decrypting SSL/TLS, the agent will fail to connect to the ThousandEyes cloud: it does not trust the Umbrella-issued certificate it is presented with
• Download the Umbrella root cert and install it on the agent (preferred)
• Or disable SSL decryption for agent traffic (source IP based)
  • This needs the agent to have its own stable source IP as seen by Umbrella (e.g. the VPG subnet or a dedicated NAT address); an exemption on a shared NAT address exempts every host behind it
Umbrella SAML Authentication
• If Umbrella is enforcing SAML authentication for all users, your web tests will fail
• Disable SAML authentication for agent traffic (source IP based)
• Or use Web Transaction tests, which can complete the SAML authentication
  • … but HTTP Server tests will then terminate at Umbrella (they measure the Umbrella authentication redirect, not the application)
Endpoint Agent in Secure Edge
• But wait, why can't you just use the Endpoint agent?
• The Endpoint agent does bring some value into Secure Edge
  • Employees still use WiFi and rely on local network performance when in the office
• But the Enterprise agent has multiple benefits
  • Consistent baseline
  • App-layer scheduled test types (Web Transaction, RTP test, DNS test, …)
  • Underlay testing
Device Layer & Internet Insights
• Device Layer provides visibility into the performance of Secure Edge internal network devices by gathering network device topology
• Internet Insights provides network and SaaS app outage detection at Internet scale
  • Visibility into network outages that disrupt your global SD-WAN mesh
  • Visibility into SaaS application outages, and their scale and geographic scope
• Eliminate unnecessary troubleshooting cycles
Recap

Secure Remote Worker
• Endpoint agent
  • Employees' computer
  • Passive performance monitoring
  • Active scheduled tests
  • Automated session testing

Secure Edge
• Enterprise agent
  • Catalyst, VM, appliance, …
  • Web, DNS, network, RTP tests
  • Two-way tests vs Cloud agents
  • Underlay tests
Complete your Session Survey
• Please complete your session survey after each session. Your feedback is important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the "Attendee Dashboard" at https://www.ciscolive.com/emea/learn/sessions/session-catalog.html
Continue Your Education
• Visit the Cisco Showcase for related demos.
• Book your one-on-one Meet the Engineer meeting.
• Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.

Thank you