Part 2 of the 2-part IPsec Series
In this blog, you'll learn how to configure IPsec and Cisco Umbrella tunnels on a Catalyst 9300X by onboarding it with the Plug and Play (PnP) Cloud Service and Cisco DNA Center.
This functionality is supported with Cisco DNA Center 2.3.4. The switch will need IOS-XE 17.8.1 for onboarding and an Advantage license. The IPsec feature on the switch requires the HSEC K9 license. Please refer to Part 1 of this series to learn about at least three use cases that can leverage IPsec on a Catalyst switch.
PnP Cloud Service (Onboarding C9300X with IPsec)
The onboarding section below assumes that the switch only has direct Internet access and requires a secure connection back to Cisco DNA Center for management. Traditionally a switch has access to a local PnP server, but in this lean branch deployment with just the 9300X, connectivity back to a PnP server is highly unlikely.
So, how do you create the Day 0 configuration file? Easy, it's quite simple. Just go to Cisco DNA Center Provision –> Services –> Secure Tunnels and click on Onboard New Device. The form will ask for a Site and a Virtual Account with which the switch is associated. Once this information is confirmed, the form can be completed with the following: the switch serial number, a management IP (resulting in a loopback address on the switch), the IP address of the Head-End (or remote side), an IPsec pre-shared key, the HSEC token, and a switch hostname. If the switch already has the HSEC token pre-installed from manufacturing at the time of purchase (it requires a selection in CCW), then the HSEC token entry does not need to be filled in. To review the configuration file prior to its implementation, select the Day-0 Configuration Preview tab.
After selecting the Onboard Device option, the onboarding status of the switch can be verified under Provision –> Network Devices –> Plug and Play. Initially, the switch will appear as Unclaimed, and the state as Planned. When the process completes (please be patient, it can take several minutes) the switch appears under Provisioned and the state as Provisioned.
After the switch is onboarded, it can be managed over the IPsec tunnel using the loopback by selecting Provision –> Network Devices –> Inventory.
Cisco Umbrella – Creating Secure Tunnels
Now that the switch is under Cisco DNA Center management, additional IPsec tunnels can be configured to connect to a Secure Internet Gateway (SIG). In this case, it will be to Cisco Umbrella, but it could also be to a third party like Zscaler. In order to automate both sides of the tunnel (the switch and Cisco Umbrella) there is a prerequisite to integrate Cisco Umbrella and Cisco DNA Center using API Keys (System –> Settings –> External Services). This topic is not covered here. Cisco DNA Center will only automate the switch portion when the API integration is not established.
In order to add the Cisco Umbrella tunnels, go to Cisco DNA Center Provision –> Services –> Secure Tunnels, but this time click on Create Secure Tunnel. The form will require the following information: Site, Device, number of Cisco Umbrella tunnels (up to 4), Tunnel Name, and Tunnel Source Interface. In addition, a selection of the Cisco Umbrella data center location can be made; otherwise, the selection will be made based on the switch site location. If you have more than one tunnel, either the same data center or a different location can be chosen.
The next screen will ask for the Cisco Umbrella Tunnel Pre-Shared Key and the option to change the default IKEv2 and Transform Set values. The default values follow best practice and should not be changed unless it is for interoperability or other security reasons.
In the next screen, traffic can be handled either by sending all traffic to Cisco Umbrella using Equal-Cost Multi-Path (ECMP) load balancing when using multiple tunnels, or traffic can be steered using Policy-Based Routing (PBR). Handling the traffic in this manner should cover most use cases. Subsequently, there will be a summary screen and a selection to create the tunnel(s).
After the switch and Cisco Umbrella have been provisioned, the status of the tunnels can be verified under Cisco DNA Center Provision –> Services –> Secure Tunnels.
The IPsec tunnel information to both Cisco DNA Center and Cisco Umbrella can be verified via the CLI as well. Tunnel1 is the tunnel to Cisco DNA Center and Tunnel2 is the tunnel to Cisco Umbrella.
Alternatively, Cisco Umbrella can also display the IPsec tunnel established to the Catalyst 9300X.
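As an added example (not code from the original post or from Cisco DNA Center), the check below automates the CLI verification step: it parses the text of the IOS-XE `show crypto session` command and confirms that Tunnel1 (Cisco DNA Center) and Tunnel2 (Cisco Umbrella) are UP-ACTIVE with at least one active IPsec SA. The sample output, IKEv2 profile names and peer addresses are constructed placeholders; in practice you would feed the function the real command output collected from the switch.

```python
"""Verify the Cisco DNA Center (Tunnel1) and Cisco Umbrella (Tunnel2) IPsec
tunnels from `show crypto session` output on a Catalyst 9300X (IOS-XE).

Added example; the sample output below is constructed and the profile names
and IP addresses are placeholders, not values from the original post.
"""
import re

# Constructed sample of `show crypto session` output. Tunnel1 is healthy,
# Tunnel2 is still negotiating, which is the failure mode the check reports.
SAMPLE_OUTPUT = """\
Crypto session current status

Interface: Tunnel1
Profile: DNAC-IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 192.0.2.10 port 4500
  Session ID: 1
  IKEv2 SA: local 198.51.100.5/4500 remote 192.0.2.10/4500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Interface: Tunnel2
Profile: UMBRELLA-IKEV2-PROFILE
Session status: DOWN-NEGOTIATING
Peer: 203.0.113.20 port 500
  Session ID: 0
  IKEv2 SA: local 198.51.100.5/500 remote 203.0.113.20/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""

# Tunnel roles as described in the post: Tunnel1 -> DNA Center, Tunnel2 -> Umbrella.
EXPECTED_TUNNELS = {"Tunnel1": "Cisco DNA Center", "Tunnel2": "Cisco Umbrella"}


def parse_crypto_sessions(text):
    """Return {interface: {"status": str, "peer": str, "active_sas": int}}.

    Each "Interface:" line starts a new session block; status, peer and the
    per-flow active SA counts are collected from the lines that follow it.
    """
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface:\s+(\S+)", line)
        if m:
            current = m.group(1)
            sessions[current] = {"status": None, "peer": None, "active_sas": 0}
            continue
        if current is None:
            continue  # header lines before the first session block
        m = re.match(r"Session status:\s+(\S+)", line)
        if m:
            sessions[current]["status"] = m.group(1)
            continue
        m = re.match(r"Peer:\s+(\S+)", line)
        if m:
            sessions[current]["peer"] = m.group(1)
            continue
        m = re.match(r"Active SAs:\s+(\d+)", line)
        if m:
            # A session can carry several IPsec flows; sum their SA counts.
            sessions[current]["active_sas"] += int(m.group(1))
    return sessions


def check_tunnels(sessions, expected=EXPECTED_TUNNELS):
    """Return a list of (interface, role, problem) for every expected tunnel
    that is missing, not UP-ACTIVE, or has no active IPsec SAs. An empty list
    means both management and Umbrella tunnels are healthy."""
    problems = []
    for iface, role in expected.items():
        s = sessions.get(iface)
        if s is None:
            problems.append((iface, role, "no crypto session found"))
        elif s["status"] != "UP-ACTIVE":
            problems.append((iface, role, f"status {s['status']}"))
        elif s["active_sas"] == 0:
            problems.append((iface, role, "no active IPsec SAs"))
    return problems


if __name__ == "__main__":
    found = parse_crypto_sessions(SAMPLE_OUTPUT)
    for iface, role, problem in check_tunnels(found):
        print(f"{iface} ({role}): {problem}")
    if not check_tunnels(found):
        print("both tunnels UP-ACTIVE")
```

Running the script against the constructed sample reports that Tunnel2 (Cisco Umbrella) is still in DOWN-NEGOTIATING, which is the state you would see while the Umbrella side has not yet been provisioned or the pre-shared keys do not match; Tunnel1 passes because it is UP-ACTIVE with two active SAs.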
Conclusion
Thank you for taking the time to learn how Cisco DNA Center can help provision a Catalyst 9300X for management over the Internet using IPsec, and, in addition, how it can create secure tunnel(s) to Cisco Umbrella, a SIG provider. I hope this information has helped in illustrating how different Cisco components integrate seamlessly together and help make the automation of your networks easier.