#CiscoLive

Using Cisco SASE
Extending Your Segmentation Strategy for Your Hybrid Environment

Ryan Shoemaker, Technical Solutions Architect (ersatzshoe)
BRKSEC-2092
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App

Questions? Use Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda

- Introduction to SASE and Segmentation
- Cloud security policy with segmentation
- Leveraging SAML for group-based policies
- Automating cloud workload segmentation in CSPs
- Conclusion

SASE Overview

Historic traffic flows
Led to the age of perimeter-based security and networking

- Traffic: Internal 80%, Internet 20%
- Network: Centralized
- Security: Single, on-premise security stack

[Diagram: Roaming/mobile, Branch offices and HQ connected over VPN/MPLS to a security stack in front of the Internet]

Changes in the types of traffic and destinations
Have inverted the traffic model

- Traffic: Internal 20%, Internet 80%
- Problems: App performance, User experience, Security efficacy, # Tools/vendors, Integrations

[Diagram: Roaming/mobile, Branch offices and HQ over VPN/MPLS; bottleneck in front of SaaS, IaaS, Private cloud, Browsing, Internet]

Network transformation
Internet/cloud is new "center of universe"

- DC-centric: Perimeter security appliances to protect network
- Internet/cloud-centric

[Diagram: DC-centric (Internet) versus Internet/cloud-centric (Internet/cloud, VPN, MPLS)]

Cisco Digital Transformation Architecture

- Reduce cost: Improve OpEx with circuit consolidation and consolidation of UI touchpoints
- Improve user experience: Bring services closer to user, and leveraging middle mile partnerships + password-less authentication to optimize connections
- Minimize risk: Decryption & inspection addressing data loss, leveraging a true Zero Trust approach across the IT diameter

[Diagram: Worker/Location, Visibility, SD-WAN, Security, Secure Access Services Edge, Middle Mile, Provider, Internet, SaaS, IaaS, Private DC]

Segmentation

User Authentication to network

- Users connecting on wired or wireless infrastructure authenticate to network
- Successful auth allows ISE to register users IP address and map it to Username, AD group, and VLAN
- Accounts for dynamic IP address changes

User     IP Addr        AD Group   VLAN
Kevin    10.109.10.50   Doctor     Staff
Stuart   10.109.30.50   Patient    Patient

[Diagram: Doctor, Patient, ISE/PXGrid, Active Directory, Private Workloads]

Segmenting Traffic

User/Profile   IP Addr         VRF/VPN
Kevin          10.109.10.50    Staff
Stuart         10.109.30.50    Patient
Bob            10.120.10.101   Staff
Light          10.120.40.101   IoT

[Diagram: SD-Access Fabric Site (ISE, Doctor, Patient, Nurse, IoT), SD-WAN Fabric, Traditional Branch, Internet/SaaS, Public Cloud (Prod_Serv, App_Serv), Private Cloud/DC (Prod_Serv, App_Serv)]

Users/Devices Authenticate to Network

User/Profile   IP Addr         VRF/VPN
Kevin          10.109.10.50    Employee
Stuart         10.109.30.50    Contractor
Bob            10.120.10.101   Employee
Light          10.120.40.101   IoT

[Diagram: same topology as "Segmenting Traffic", with Kevin, Stuart, Bob and IoT labelled Staff, Patient, Staff, IoT]

Segmentation Prevents Dr. Kevin Talking to Stuart

[Diagram: same topology and user table as "Segmenting Traffic", with source and destination marked]

How to Extend Segmentation Policies to Cloud?

[Diagram: same topology and user table as "Segmenting Traffic"]

Extending Segmentation from Secure Edge

Cloud Security Provided by Umbrella

- Secure Web Gateway (SWG)
- Cloud-Delivered Firewall (FWaaS)
- Cloud Access Security Broker (CASB)
- DNS-layer security
- Cisco Talos Threat Intelligence
- Remote Browser Isolation (RBI)
- App Discovery and Control
- Cloud Malware Detection
- Multimode Data Loss Prevention (DLP)

Extending Segmentation to Cloud Security

- VPN or VRF segmented networks identified
- Different SASE security capabilities applied as needed
- Different security policies applied to different segments

[Diagram: Branch segments Corporate, IoT, Contractor; SASE Security (Secure web gateway, L7 Firewall, DNS security); Middle Mile Services; Provider; Internet, SaaS, IaaS, Private DC]

Viptela SD-WAN and Umbrella Integration
Simple, effective integration with Umbrella DNS

- Auto-Deploy DNS integration with Umbrella Network Devices API
- Anycast architecture for highly available integration directs clients to not just closest DC but also includes awareness of load distribution
- Macro-segmentation extension through VPN/VRF aware identity sources
- DNScrypt support for enhanced security
- Local domain bypass

[Diagram: Anycast IP to Cloud Security Miami (Primary DC) and Cloud Security Dallas (Backup DC)]

Integrating Viptela SD-WAN to Umbrella DNS

1. Select Configuration - Security
2. Choose Custom Options - Umbrella Registration
3. Add Umbrella API Keys
   A. Created at Umbrella Dashboard: Admin - API Keys
   B. Use Umbrella Network Devices API Key (collect Key and secret)
   C. Organization ID is located in URL of Umbrella Dashboard
4. Add Unified Security Policy
5. Skip NG Firewall to move to DNS Security and Add DNS Security Policy
6. Complete Data for Policy
   A. Note: Umbrella Registration Status will display green flag if registered correctly
   B. Choose match all VPNs or subset
   C. Create a domain bypass list for local domains
   D. Under Advanced, ensure DNSCrypt is enabled to convey source VPN info to Umbrella
   E. Save DNS Policy
7. Name and save security policy
8. Assign policy to template
   A. either traditional template
   B. or UX2.0

Leverage Source VRF/VPN for DNS Policy
Umbrella Dashboard

- In Umbrella, VPNs from branches appear automatically in: Core Identities - Network Devices
- Assign VPNs as Identities for DNS Policies in: Policies - DNS Policies - Specific Policy - Edit Identity
- VPNs from branches now have different policy based on source VRF/VPN

Dr. Kevin Now Has Specific DNS Policy

[Diagram: same topology and user table as "Segmenting Traffic", DNS path highlighted]

DNS Policy Segmentation At Work

- Policy for Staff might differ from Patient
- Category Blocked for Patient VRF
- Category Allowed for Staff VRF

Viptela and Umbrella Integration
Layer on Full Umbrella SIG

- Auto-provision and Auto-deploy highly available SIG connection with Umbrella Management API
- Active-Active and Active/Standby design
- Support for auto or manual DC selection
- ECMP or weighted load-balancing
- Throughput capacity to 1 Gbps
- Layer 7 health checks to Umbrella to monitor the health of the tunnel
- SaaS traffic optimization for Critical Apps with Layer7 health check
- Policy-based routing to Cisco Umbrella

[Diagram: AnyCast IP to Cloud Security Miami (Primary DC) and Cloud Security Dallas (Backup DC); Enterprise Apps]

Integrate SD-WAN with Umbrella SIG
Create Umbrella API Key

1. Add Umbrella Global Credentials by selecting Administration - Settings - SIG Credentials
2. Add Umbrella API Keys
   A. Created at Umbrella Dashboard: Admin - API Keys
   B. Use Umbrella Management API Key (collect Key and secret)
   C. Organization ID is located in URL of Umbrella Dashboard

Integrate SD-WAN with Umbrella SIG
SD-WAN Template

3. SIG integration in device template:
   A. SIG feature template added to VPN0
   B. For multiple active tunnels, need multiple source interfaces (can be physical or loopback)
4. Verify Cisco SIG Credentials under Additional Templates has automatically selected "Cisco-Umbrella-Global-Credentials"
5. SIG feature template:
   A. Create number of IPSec Tunnels
   B. Identify A/A or A/S configuration
   C. Allow auto selection of SIG DCs or select manually

Viptela and Umbrella SIG
Map VRF/VPN sources to Web Policies

6. In Umbrella, Tunnels appear automatically in: Deployments - Core Identities - Network Tunnels
7. Map VPN subnet to source tunnel in: Deployments - Configuration - Internal Networks. Then select Add
8. Add the VPNs IP Subnet and choose the Internal Network Association as a Network Tunnel and select each of the tunnels
9. Map to a Web Policy by selecting the specific Internal Network in the Ruleset Identity: Policies - Web Policy - Add - Ruleset Identity

Viptela and Umbrella SIG
Map Tunnel Sources to Firewall Policies

1. Map to a Firewall Policy: Policies - Firewall Policy - Add
2. Configure Source Tunnel and Source IP
3. Complete FW Policy for L3/L4/L7 rules

And Dr. Kevin Has Specific Web Policy

[Diagram: same topology and user table as "Segmenting Traffic", Web path highlighted]

Web Policy Segmentation At Work

- Policy for Staff might differ from Patient
- Category Blocked for Patient VRF
- Category Warned for Staff VRF
- Web policy specifically applied to traffic from VPN30 coming through SD-WAN tunnel

Automating with APIs

APIs Enabling Automation

[Diagram: Traditional Branch (Staff, Patient, IoT), Python, Umbrella]

Automating Capabilities with APIs
Example of Leveraging APIs to map web policy to source VRF/VPNs

Integrating SD-WAN segmentation to Umbrella using APIs

1. Collect Umbrella Tunnel Name (SDWAN API)
   https://vmanage/dataservice/device/sig/umbrella/tunnels?deviceId=router
2. Collect Service Side VPN Info (SDWAN API)
   https://vmanage/dataservice/device/interface?deviceId=router
3. Using VPN Name, Find Umbrella Web Policy (Umbrella API)
   https:/
   Internal Network in Umbrella using VPN Info (Umbrella API)
   https:/
   Internal Network to Web Policy (Umbrella API)
   https:/

Video

Example code in Github

https:/ example code in Github deploys web policy after consuming information about service side VPNs from vManage.

Web Policy Selection using SAML

Extending Umbrella Source Policy Beyond VRF/VPN

- Umbrella integrates with Identity services such as Active Directory, Azure Active Directory, G Suite, Okta, other SCIM IdP
- After integration, become part of Core Identities and can assign policy based on user or group

Allowing ID as policy source from a branch

- Umbrella is not an open proxy
- So what? It must trust the source of the request
- The tunnel as a source is trusted, but that means policy is based on the tunnel name of Internal Network and so the same policy applies to any device connecting through that tunnel or subnet, right?
- SAML to the rescue!

What is SAML?
Security Assertion Markup Language

- SAML is an authentication mechanism used to access multiple web applications with one set of credentials (SSO)
- Works by passing authentication information via HTTP redirects between a Service Provider (SP) and an Identity Provider (IdP)
- Authentication information includes logins, authentication state, identifiers, or other relevant attributes

[Diagram: User, IdP, Service Provider (SaaS Application); SAML exchanged over a trusted relationship]

Setting Umbrella Web Policy for SAML

- Integrate Umbrella (the SP) with an IdP
  - Out of scope for today, but documentation on several SAML integrations is here: https:/
- must have SAML Enabled and HTTPS Inspection Enabled*
  - *Necessary for SAML Cookie Surrogate acting as auth token
  - *Could set to IP surrogate but only available for tunnels & proxy chaining
- Supports SAML 2.0 POST profiles
- Enable on a ruleset that includes Network Tunnel from which user traffic arrives
- After Web Policy matches on Network Tunnel, the SAML challenge will be initiated
- Web Policy will be re-evaluated, but now include user and group identities

SAML Auth with Umbrella & Duo

A: Worker is proxied at Umbrella SWG
B: SWG configured for SAML with Duo as SAML IdP
C: Duo SSO App Protection enforces rules, device health posture and MFA
D: Upon successful authn/authz with SAML, Umbrella uses user/group info to apply rules

[Diagram: Kevin at Branch, Cloud Security (SAML SP), SSO (SAML IdP) with Adaptive MFA, Device Posture and Health, Users/Groups, Access Rules, AAD; Internet, SaaS]

User or Group Specific Web Policy

- User or Group specific rules can be added by mapping identity type per rule
- Documentation on integrating Umbrella to different SAML vendors can be found here: https:/

Group Specific Web Policy at Work

- Web policy specifically applied to traffic from AAD group Employees sourced from VPN10 coming through SD-WAN tunnel

Segment Cloud Workloads in CSPs

Dr. Kevin Needs to Access Workload in CSP

[Diagram: same topology and user table as "Segmenting Traffic", with Prod_Serv and App_Serv in the Public Cloud]

Automate SD-WAN Extensions into Public Clouds
Cloud OnRamp for Multicloud Benefits

- Automate SD-WAN fabric into CSPs
- Extend policy framework into cloud
- Simplify operations with one management plane
- Enhance visibility for devices and circuits
- Integrate multiple cloud providers
- Unify control plane for dynamic routing

[Diagram: Branch and Data Center over SD-WAN (Internet, MPLS) to AWS, Azure, GCP]

Automating AWS Transit GW Integration

[Diagram: CSP Connection. Branch (Kevin, Stuart) and Data Center over SD-WAN (Internet, MPLS) to Cloud GW (CGW, CGW, TGW) in CSP Region 1 with Transit VPC, VPC A, VPC B, VPC C; Cisco Automation]

CSP Connection Example
Dynamic Routing to Host VPCs / Segmenting Host VPCs to VPNs / VPC Segmentation through Automation

[Diagram: Branch (Kevin, Stuart) and Data Center over SD-WAN (Internet, MPLS) to Cloud GW (CGW, CGW) in Transit VPC, BGP to TGW with Infra Route Table and VPC Attachments; Host VPCs 10.166.10.0/24, 10.166.20.0/24, 10.166.30.0/24 labelled Prod VPC, Prod VPC, Dev VPC]

Automating Cloud Extensions in SD-WAN
Cloud OnRamp for Multicloud

1. Select Cloud OnRamp for Multicloud
2. Complete pre-deployment steps (per CSP)
   1. Associate cloud provider account
   2. Complete Cloud global settings
   3. Discover host private networks
   4. Deploy CGW staging template to Catalyst 8000v router(s)
3. Create Cloud Gateway (creates transit hub/VPC, transit GW, and deploys cloud service routers)

Automating Cloud Extensions in SD-WAN
Managing Intent

1. Select Cloud OnRamp for Multicloud
2. Select Cloud Connectivity
3. Edit Intent to automatically map VPNs to VPCs/VNETs

[Diagram: intent matrix of VPC against VRF/VPN]

Conclusion

- SDWAN to Umbrella can differentiate web policy based on VRF/VPN
- SDWAN to Umbrella can differentiate DNS policy based on VRF/VPN
- SAML allows policy differentiation based on users and groups
- VPN/VRF segmentation to CSPs integrated into SDWAN
- APIs allow for automating non-native functions
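
As an added illustration of the API workflow on the "Automating Capabilities with APIs" slide (this is not the session's GitHub code), the Python below works offline on constructed data to plan which Internal Networks to create and which web policy each service-side VPN maps to, and flags VPNs with no same-named policy or with overlapping subnets. The record field names, tunnel names, policy IDs, the rule that a policy is named after its VPN, and the one-Internal-Network-per-tunnel layout are assumptions made for the example, not the vManage or Umbrella API schemas.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data. Field names are simplified and hypothetical; they
# are not the real vManage or Umbrella response schemas.
TUNNELS = ["SITE10-SIG-Tunnel100001", "SITE10-SIG-Tunnel100002"]
INTERFACES = [
    {"vpn_id": 0, "vpn_name": "Transport", "cidr": "198.51.100.2/30"},
    {"vpn_id": 10, "vpn_name": "Staff", "cidr": "10.120.10.1/24"},
    {"vpn_id": 30, "vpn_name": "Patient", "cidr": "10.120.30.1/24"},
    {"vpn_id": 40, "vpn_name": "IoT", "cidr": "10.120.40.1/24"},
    {"vpn_id": 512, "vpn_name": "Mgmt", "cidr": "192.0.2.10/24"},
]
WEB_POLICIES = [{"id": 101, "name": "Staff"}, {"id": 102, "name": "Patient"}]

NON_SERVICE_VPNS = {0, 512}  # Cisco SD-WAN transport and management VPNs


@dataclass
class Plan:
    internal_networks: list = field(default_factory=list)  # (name, subnet, tunnel)
    policy_map: dict = field(default_factory=dict)          # VPN name to policy id
    unmapped: list = field(default_factory=list)            # VPNs with no named policy
    overlaps: list = field(default_factory=list)            # (vpn_a, vpn_b, subnet)


def build_plan(tunnels, interfaces, policies):
    """Turn collected tunnel, VPN and policy records into a mapping plan."""
    plan = Plan()
    by_name = {p["name"].lower(): p["id"] for p in policies}
    seen = []  # (network, vpn_name) pairs already planned
    for itf in interfaces:
        if itf["vpn_id"] in NON_SERVICE_VPNS:
            continue  # only service-side VPNs carry user segments
        net = ipaddress.ip_interface(itf["cidr"]).network
        # The web policy identifies a segment by subnet within a tunnel, so
        # two VPNs with overlapping subnets could not be told apart.
        for other_net, other_vpn in seen:
            if other_vpn != itf["vpn_name"] and net.overlaps(other_net):
                plan.overlaps.append((other_vpn, itf["vpn_name"], str(net)))
        seen.append((net, itf["vpn_name"]))
        # Assumed layout: one Internal Network entry per tunnel the subnet
        # can arrive on.
        for tunnel in tunnels:
            plan.internal_networks.append(
                (f'{itf["vpn_name"]}-{tunnel}', str(net), tunnel))
        # Assumed convention: the web policy carries the VPN's name.
        policy_id = by_name.get(itf["vpn_name"].lower())
        if policy_id is None:
            plan.unmapped.append(itf["vpn_name"])
        else:
            plan.policy_map[itf["vpn_name"]] = policy_id
    return plan


if __name__ == "__main__":
    plan = build_plan(TUNNELS, INTERFACES, WEB_POLICIES)
    for name, subnet, tunnel in plan.internal_networks:
        print(f"create internal network {name}: {subnet} via {tunnel}")
    for vpn, pid in plan.policy_map.items():
        print(f"attach {vpn} internal networks to web policy {pid}")
    for vpn in plan.unmapped:
        print(f"WARNING: VPN {vpn} has no web policy of the same name")
    for a, b, net in plan.overlaps:
        print(f"WARNING: VPNs {a} and {b} overlap on {net}")
```

Reviewing the unmapped and overlaps lists before any create or attach call is made keeps a segment from silently sharing another segment's policy.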