BRKOPS-2857
BRKOPS-2857 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Introduction
• Agent Deployment
• Test Configuration
• Secure Remote Worker
• Secure Edge
• Recap
Introduction
Cisco SASE Bundle
• Cloud security with Cisco Umbrella
• SD-WAN powered by Cisco and Meraki
• Zero-trust network access (ZTNA) with Cisco Secure Access by Duo
• Visibility with Cisco ThousandEyes
Why do you need Visibility?
[Slide graphic: eye-chart style text beginning "IF YOU CAN READ THIS, YOU PROBABLY …"]
* Visibility? Observability?
Potato, potato!
Why do you need Visibility?
[Slide graphic: Employee: "Houston, we have a problem"]
Problem Landscape: Secure Remote Worker
[Diagram labels: CISCO SASE; Internet; Umbrella (DNS security, Secure web gateway, Cloud access security broker (CASB)); Public / private apps; Secure TLS]
• Is it the WiFi?
• Is it the transit ISP?
• Is it SECaaS?
• Is it the VPN Gateway?
• Is it the Application?
Problem Landscape: Secure Edge
[Diagram labels: CISCO SASE; SECURITY AS A SERVICE; Duo (Adaptive MFA, Device posture and health, Behavior analytics, Continuous verification, SSO); SD-WAN (Network edge, Analytics / automation, Middle-mile efficiency, Telemetry, Application SLA, SD-WAN mesh, SD-WAN fabric, SaaS optimization, Integrated multi-cloud access); SaaS; On-prem apps]
• Is it the enterprise LAN?
• Is it the SD-WAN router?
• Is it SD-WAN underlay?
• Is it SD-WAN overlay?
• Is it the transit ISP?
• Is it the SECaaS?
• Is it the SaaS app?
• Is it the Application?
ThousandEyes SASE Visibility
• Application availability
• SASE & service availability
• Per-office availability
• Per-office performance
• SASE performance
• Application performance
Visibility puts you in control
Visibility Must Be Actionable
When service degradation occurs, quickly identify where the problem is.
[Chart: Office 365 HTTP Response Time from LJ Office. Annotation: service degradation caused by a network path change in the SaaS provider network.]
Agent Deployment
Secure Remote Worker
[Diagram labels: ThousandEyes Endpoint agent; Remote worker]
Endpoint Agent
• Install it on your employees’ computers (Windows & macOS)
  • Manual, Group policy or Managed Software Center
• Performs active application and network performance tests
• Passively collects performance data (WiFi metrics, CPU, …)
• Detects and monitors VPNs, proxies
• Follows the employee wherever they work from
  • Work from home
  • Work from office
  • Work from anywhere
Secure Edge
[Diagram labels: ThousandEyes Enterprise agent; Office; ThousandEyes Cloud agent]
Enterprise Agent
• Install it in your office in the user VLAN
  • Cisco Catalyst 8000, Catalyst 9000 and ISR 4000 Series
  • VM, Docker, Intel NUC, Raspberry Pi
  • Install on whatever is available; Catalyst devices give you no visibility advantage
• Performs active application and network performance tests
• Performs complex Web application testing (incl. ZTNA)
• Can test VPN and SD-WAN underlay
Enterprise Agent Installation on Cisco Devices
• Catalyst 8200, 8300, 8500, ISR 4000, ASR 1000
  • Install it through vManage
  • CLI installation only when router is not in SD-WAN mode
  • IOS XE > 17.6.1 (17.8 for Cat 8500 & ASR 1000)
  • Agent software auto-updates independent from IOS XE
  • No Browserbot tests
• Catalyst 9300, 9400
  • Install it through DNAC or CLI
  • IOS XE > 17.5.1 (17.3.3 for 9300 basic functionality)
  • SSD required for Browserbot tests
Enterprise Agent Installation on Meraki?
• Keep an eye on Cisco Live 23 announcements in June
Cloud Agent
• Installed in 241 cities and 63 countries around the world
  • Broadband ISPs
  • Cloud providers (AWS, Azure, GCP, Alibaba)
  • Webex data centers
Test Configuration
Secure Remote Worker
Endpoint Agent: Passive Monitoring
[Diagram labels: Remote worker; Internet; Secure TLS; Umbrella Cloud; SaaS; Webex Cloud; Data Center]
• Browser performance metrics
• WiFi performance metrics
• Computer performance metrics (CPU, memory, …)
Endpoint Agent: Default Network Testing
[Diagram labels: Remote worker; Internet; Secure TLS; Webex Cloud; Data Center]
• Network test against the proxy
• Underlay network test against the VPN gateway
• Network test against the default gateway
Endpoint Agent: Scheduled Testing
[Diagram labels: Remote worker; Internet; Secure TLS; Umbrella Cloud; SaaS; Webex Cloud; Data Center]
• HTTP test against the business-critical SaaS applications
Endpoint Agent: Scheduled Testing
• Target business-critical applications regardless of their location
• ThousandEyes test traffic will follow routing of your SASE environment through Umbrella, VPN or Internet
• Umbrella CA cert will be preinstalled on client computer
Endpoint Agent: Automated Session Testing
[Diagram labels: Remote worker; Internet; Secure TLS; Umbrella Cloud; SaaS; Webex Cloud; Data Center; Collaboration applications; AST]
Endpoint Agent: Automated Session Testing
• Collaboration client connects to multiple different nodes
  • Web zone
  • Multi-media nodes
  • Collaboration bridges
Secure Edge
Enterprise Agent: Application Testing
[Diagram labels: Umbrella Cloud; SaaS; Webex Cloud; Data Center; SD-WAN tunnel; MPLS]
• Web test against the SaaS applications
• DNS test against the DNS server(s)
Cloud Agent: Application Testing
• Cloud agent doesn’t play a major role in SASE Visibility
• Use Cloud agents in Webex data centers for two-way network and RTP tests
• Use Cloud agents in the same area as your office for reference testing
  • Does a business application perform better or worse from my office compared to a cloud location in the area?
Enterprise Agent: Underlay Testing
[Diagram labels: Office; Internet; Umbrella Cloud; SaaS; Webex Cloud; DNS Server; IPSec tunnel; SD-WAN tunnel; MPLS; Data Center]
• Underlay network test against Umbrella IPSec gateway
• Underlay network test against DC vEdge Internet-facing interface
Enterprise Agent: Underlay Testing
• Underlay testing gives you hop-by-hop insight into the underlay Internet
• Typically requires additional data policies on your edge router
  • Enterprise agent runs in user subnet (VLAN/VRF)
  • Underlay tests target Umbrella IPSec gateway or DC edge router with ICMP
  • You’re OK if DIA is already configured for those IPs
• Interested in deep implementation details?
  • BRKENT-2126 - 3 Steps to Gain Actionable Visibility in the Cisco SD-WAN Using ThousandEyes
Enterprise Agent on a Cisco Router
[Diagram labels: Edge Router; Agent has an interface in VPG; Service VPNn; testing]
Cisco Router Underlay Testing Policies
[Diagram labels: DC Edge Router; Branch Edge Router; Service VPNn; VirtualPortGroup 4; Transport VPN0; Internet; MPLS]
• Agent IP (NAT): 10.4.253.13
• Configure data policy to NAT all SRC 10.4.253.13 DSCP 10 IP packets into the Internet
• Configure data policy to NAT all SRC 10.4.253.13 DSCP 12 IP packets into the MPLS
• Internet transport addresses: 64.100.249.64, 64.100.249.66
  • Agent-to-server ICMP test against 64.100.249.65, DSCP 10
• MPLS transport addresses: 172.29.0.2, 172.29.0.22
  • Agent-to-server ICMP test against 172.29.0.2, DSCP 12
vManage Underlay Testing Policy Configuration
SD-WAN topologies
• Hub & spoke
  • w = (n – 1) * 2
• Full-mesh
  • w = n * (n – 1)
• Hybrid
Umbrella Underlay Testing
• If you have 1 Internet and 1 MPLS transport network with DIA enabled, it will work out of the box
• Otherwise, you need to configure another Data Policy on the SD-WAN router
Demo
Umbrella SSL Inspection
• If Umbrella is decrypting SSL, agent will fail to connect to ThousandEyes cloud
  • Download Umbrella root cert and install it on the agent (preferred)
  • Disable SSL decryption for agent traffic (source IP based)
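An added example (not from the session or from Cisco tooling): a Python check, run from the agent host, that reports whether a TLS connection is being re-signed by an inspection proxy and whether the host's trust store accepts that signer. The issuer marker, the `probe` arguments and the sample issuer names are assumptions and constructed values.

```python
import socket
import ssl

# Assumption: a case-insensitive marker that appears in the issuer of certificates
# minted by the inspection proxy. Match it to the root cert you actually downloaded.
INSPECTION_MARKERS = ("umbrella",)

def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples returned by SSLSocket.getpeercert()."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert, markers=INSPECTION_MARKERS):
    """Return 'intercepted' if the leaf was issued by the inspection CA, else 'direct'."""
    issuer = issuer_fields(cert)
    text = " ".join(issuer.get(k, "") for k in ("organizationName", "commonName")).lower()
    return "intercepted" if any(m in text for m in markers) else "direct"

def probe(host, port=443, extra_ca=None, timeout=5.0):
    """Handshake with host from this machine; extra_ca is the inspection root, if installed.

    Returns 'direct', 'intercepted' (decrypted, signer trusted) or 'untrusted'
    (chain not verifiable with this trust store, e.g. inspection root missing)."""
    ctx = ssl.create_default_context()
    if extra_ca:
        ctx.load_verify_locations(cafile=extra_ca)  # system roots plus the extra root
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted"

# Constructed samples in getpeercert() shape (not captured from a real connection).
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA G2"),))}
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Cisco"),),
                               (("commonName", "Cisco Umbrella Example SubCA"),))}

if __name__ == "__main__":
    for name, cert in (("direct", SAMPLE_DIRECT), ("inspected", SAMPLE_INSPECTED)):
        print(name, "->", classify(cert))
```

A result of `untrusted` before the root cert is installed and `intercepted` afterwards confirms the first remediation; `direct` confirms that a source-IP decryption bypass is in effect.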
Umbrella SAML Authentication
• If Umbrella is enforcing SAML authentication for all users, your web tests will fail
  • Disable SAML authentication for agent traffic (source IP based)
  • Use Web Transaction tests to solve SAML authentication
    • … but HTTP server tests will then terminate at Umbrella
Endpoint Agent in Secure Edge
• But wait, why can’t you just use the Endpoint agent?
• Endpoint agent does bring some value into Secure Edge
  • Employees still use WiFi and rely on local network performance when in the office
• But the Enterprise agent has multiple benefits
  • Consistent baseline
  • App layer scheduled test types (Web transactions, RTP test, DNS test, …)
  • Underlay testing
Device Layer & Internet Insights
• Device layer provides visibility into performance of Secure Edge internal network devices by gathering network device topology
• Internet insights provide network and SaaS app outage detection at Internet scale
  • Visibility into network outages that disrupt your global SD-WAN mesh
  • Visibility into SaaS application outages, and their scale and geographic scope
Recap
Secure Remote Worker
• Endpoint agent
• Employees’ computer
• Passive performance monitoring
• Active scheduled tests
• Automated session testing
Secure Edge
• Enterprise agent
• Catalyst, VM, appliance, …
• Web, DNS, network, RTP tests
• Two-way tests vs Cloud agents
• Underlay tests