Prisma Access
Integrate Prisma Access with Cisco Catalyst SD-WAN
Learn how to integrate Prisma Access automatically with Cisco Catalyst SD-WAN.
You can onboard a remote network using IPSec tunnels between Cisco Catalyst SD-WAN, formerly known as Viptela SD-WAN, and Prisma Access either automatically or manually. When you enable a Cisco Catalyst SD-WAN for the integration, Prisma Access creates remote networks for the devices, based on the topology you configure, using IPSec tunnels. Prisma Access identifies eligible interfaces on the Cisco Catalyst SD-WAN devices, and you select the interface used to onboard the remote network over the tunnel. To onboard Cisco Catalyst SD-WAN networks manually, see Integrate Prisma Access with Catalyst SD-WAN (Manual Integration).
Ensure you meet the following requirements before you integrate Prisma Access with Cisco Catalyst SD-WAN:
Cisco Catalyst SD-WAN supports the following deployment architectures for use with Prisma Access (the original documentation shows an architecture diagram for each use case):
- Securing traffic from each branch site with 1 WAN link (Type 1)
- Securing branch and HQ sites with active/backup SD-WAN connections
- Securing branch and HQ sites with active/active SD-WAN connections
- Securing branch and HQ sites with SD-WAN edge devices in HA mode
- Securing traffic from one device using active/active WAN links, that is, 2 WAN links from the device, both active on different compute regions
For any other deployment architectures, use the manual integration
workflow.
Before you begin, ensure you configure the Cisco Catalyst SD-WAN devices based on the
requirements mentioned above. To secure a Cisco Catalyst SD-WAN with Prisma Access,
complete the following steps.
- In the Cisco vManage dashboard, go to Configuration > Templates > Device Templates.
- Update the template descriptions of your devices based on the type of redundancy.

  Topology | Devices | WAN Links (VPN 0) | Tunnel Type | Device Template Description Updates
  ---|---|---|---|---
  Single WAN | Single Device | 1 WAN Link | 1 Tunnel to a single Prisma Access region/IPSec Termination Node | No changes
  Active/active tunnels | Single Device | 1 WAN Link | 2 Tunnels (on the same WAN) to 2 different Prisma Access Regions/IPSec Termination Nodes | Append PA-AA to the description
  Active/active tunnels | Single Device | 2 WAN Links | Different Prisma Access regions or different IPSec Termination Nodes in the same region | Append PA-AA to the description
  Active/backup tunnels | Single Device | 2 WAN Links | Primary/Secondary on Prisma Access to the same remote network | Append PA-AB to the description
  Active/backup tunnels | Single Device | 2 WAN Links | Different regions/IPSec Termination Nodes in Prisma Access | Append PA-AB to the description
- In Prisma Access, if you have not already, allocate bandwidth for Prisma Access locations.
  - Go to Settings > Prisma Access Setup > Remote Networks > Bandwidth Management.
  - Edit the Assigned Bandwidth for the remote network's compute location.
  - Push the changes.
- Go to the Cisco Catalyst SD-WAN Integration with Prisma Access settings.
  - Select Workflows > Integrations > Prisma Access.
  - Locate the Cisco Catalyst SD-WAN Integration with Prisma Access application.
  - Enter the information needed to check the connectivity between Prisma Access and Cisco Catalyst SD-WAN by editing the Settings.
    - Enter the hostname, username, and password.
    - Enter the PSK Seed, which is a string used to derive pre-shared keys (PSKs) per tunnel.
    - (Optional) Enter an FQDN IKE identifier as the Local Identifier in the following syntax: name@domain.com. This identifier acts as a template to generate a unique ID per tunnel.
    - (Optional) Enter an FQDN IKE identifier different from the local identifier as the Remote Identifier in the following syntax: name@domain.com
    - Set the Admin State to Enabled. You can set Admin State to one of the following modes:
      - Enabled: Enables the integration to discover new devices on Cisco Catalyst SD-WAN that are eligible for tunnel formation with Prisma Access. Additionally, this verifies the current configurations.
      - Disabled: Disables the integration and removes all configurations created in Prisma Access as well as in Cisco Catalyst SD-WAN while a connection was set up between them.
      - Paused: When you pause the integration, you can no longer add new devices or remove any unconfigured devices. However, the current configurations don't change.
  - Check Connectivity to verify the connection.
  - Save the changes. You can Save changes only after you Check Connectivity, every time you change settings or configurations. After you save the changes, you can see the Cisco Catalyst SD-WAN networks eligible for tunnel formation with Prisma Access in Discovered Sites. Cisco Catalyst SD-WAN networks are displayed as sites here. It might take some time for the discovered sites to appear.
- Establish the tunnel setup between Prisma Access and Cisco Catalyst SD-WAN devices.
  - View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count. The integration checks for new Cisco Catalyst SD-WAN networks regularly. You can also initiate an on-demand site discovery.
  - Select the Interface. By default, Prisma Access scans for devices and identifies the interfaces on the Cisco Catalyst devices that are eligible to form tunnels with Prisma Access.
  - (Optional) Select the nearest Prisma Access Location for the networks.
  - (Optional) Select an IPSec Termination Node for each site. If you select the same Prisma Access location for multiple networks, allocate the bandwidth equally by selecting different IPSec termination nodes for the networks sharing that location. The integration assigns the Prisma Access location and IPSec termination nodes automatically. However, you can choose other Prisma Access locations or IPSec termination nodes if needed.

    Redundancy Type | Number of Interfaces | Number of Prisma Access Locations to Select | Number of IPSec Termination Nodes to Select | Notes
    ---|---|---|---|---
    Single WAN | 1 | 1 | 1 |
    Active/active tunnels | 2 | 2 | 2 | After you enable the device, Prisma Access creates 2 remote networks. Select the same IPSec termination nodes for both locations. These conditions are valid for HA deployments as well.
    Active/backup tunnels | 2 (Primary/Secondary on Prisma Access to the same remote network). The interface at the top is the primary tunnel. | 2 | 2 | After you enable the device, Prisma Access creates 1 remote network. This configuration provides redundancy at the internet circuit level.
    Active/backup tunnels | 2 (Different regions/IPSec Termination Nodes in Prisma Access). The interface at the top is the primary tunnel. The feature template you configure on the Cisco Catalyst SD-WAN devices assigns the interface as active or backup. | 2 | 2 | When the primary tunnel has connectivity issues, Prisma Access establishes a connection over the failover path, which is the secondary or backup tunnel.

  - Select the Cisco Catalyst SD-WAN device and toggle the Enable option to establish tunnel formation with Prisma Access.
  - Update the changes. You can view all the Enabled Sites and Configured Sites in the Cisco Catalyst SD-WAN Integration with Prisma Access application. When you click a site count, the hyperlink takes you to a list of sites filtered by that count. For example, if you click the site count of enabled sites, the list shows only the sites that are enabled, not all discovered sites.
- Verify the changes in Prisma Access.
  - Go to Workflows > Prisma Access Setup > Remote Networks. Alternatively, you can click Remote Networks - Cisco Catalyst SD-WAN Integration with Prisma Access >. Verify the tunnel status. The integration creates remote networks automatically. Such remote networks have names in the following syntax: AUTO-CATALYST-Device_Name. The configuration status of Cisco Catalyst SD-WAN devices takes some time to become In sync.
  - View the IPSec Tunnel, IKE gateway, IKE Crypto profile, and IPSec Crypto profile details. Select the remote network site to view these details.
  - Select Incidents and Alerts > Log Viewer > Common > Audit to view the Cisco Catalyst SD-WAN Integration with Prisma Access logs. The logs specify whether the changes were made in Prisma Access or in Cisco Catalyst SD-WAN.
  - (Optional) In the Cisco Catalyst SD-WAN integration app, view information, errors, or warnings in Messages. See Troubleshoot Integration Errors to troubleshoot more errors.
- Verify the Cisco Catalyst SD-WAN configurations in Cisco vManage.
  - Log in to the Cisco SD-WAN dashboard, and select Monitor > Devices.
  - Select Configuration > Templates > Feature Templates. The integration creates secure internet gateway (SIG) templates. The SIG template stores the details of the IPSec tunnel and the IKE values. Don't update these SIG templates manually. If multiple devices are part of one device template, configure all of those devices for tunnel formation with Prisma Access.
  - Check the running configuration for the interfaces. In Cisco vManage, select Configuration > Devices > WAN Edge List and view the Running Configuration of the corresponding devices. When you have multiple devices under a device template, the devices that are not enabled will have dummy values. To avoid dummy values on other devices, move the devices for which you want to enable connectivity to a separate device template and enable connectivity for each device in that template. If you enable devices with dummy values, Prisma Access overwrites those dummy values with the tunnel configuration values. Prisma Access populates dummy values for the description, tunnel source interface, tunnel destination, pre-shared secret, and IKE local ID. If you add a new device to a device template that has a SIG, configure a few dummy values and attach the device to the device template. After the integration discovers this device, enable it.
  - Verify the tunnel status in Cisco Catalyst SD-WAN Manager. Log in to the Cisco SD-WAN dashboard and select Monitor > Devices. Select the device and view the Interface. Verify the admin status and operational status of the tunnel that was auto-created for this device.
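As an added example (not code from Palo Alto Networks or Cisco), the following Python pre-flight check audits a constructed device inventory against the rules above: the PA-AA/PA-AB description suffix per redundancy type, the name@domain.com IKE identifier form, the dummy-value pitfall for devices left unenabled in a shared device template, and the AUTO-CATALYST-Device_Name remote networks to expect. The Device fields, template names and device names are assumptions.

```python
"""Pre-flight audit of a Cisco Catalyst SD-WAN device inventory against the integration rules.
Added example, not Prisma Access or Cisco code; Device fields and the inventory are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Device template description suffix required per redundancy type (single WAN: none).
SUFFIX = {"single": None, "active-active": "PA-AA", "active-backup": "PA-AB"}
# Remote networks the integration creates for an enabled device (see the redundancy table).
REMOTE_NETWORKS = {"single": 1, "active-active": 2, "active-backup": 1}

@dataclass
class Device:
    name: str
    template: str      # device template the device is attached to; its SIG template is shared
    description: str   # device template description as shown in vManage
    redundancy: str    # "single" | "active-active" | "active-backup"
    enable: bool       # whether this device will be enabled for tunnel formation

def valid_fqdn_identifier(identifier):
    # Checks an IKE Local/Remote Identifier against the name@domain.com template form.
    return re.fullmatch(r"[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", identifier) is not None

def audit(devices):
    """Return findings; an empty list means the inventory matches the documented rules."""
    findings = []
    by_template = defaultdict(list)
    for d in devices:
        by_template[d.template].append(d)
        want = SUFFIX[d.redundancy]
        has = next((s for s in ("PA-AA", "PA-AB") if d.description.endswith(s)), None)
        if has != want:
            findings.append(f"{d.name}: suffix {has} does not match {d.redundancy} (expected {want})")
    # Idle devices sharing a template with enabled ones keep dummy tunnel values; move them out.
    for tmpl, members in by_template.items():
        idle = [m.name for m in members if not m.enable]
        if idle and len(idle) < len(members):
            findings.append(f"template {tmpl}: {', '.join(idle)} not enabled; move to a separate template")
    return findings

def expected_remote_networks(devices):
    """AUTO-CATALYST-<device name> remote network name and count per enabled device."""
    return {d.name: (f"AUTO-CATALYST-{d.name}", REMOTE_NETWORKS[d.redundancy]) for d in devices if d.enable}
# Constructed inventory: one compliant device, one wrong suffix, one idle device in a shared template.
INVENTORY = [
    Device("branch-01", "tmpl-single", "Branch 01", "single", True),
    Device("branch-02", "tmpl-shared", "Branch 02 PA-AB", "active-active", True),
    Device("branch-03", "tmpl-shared", "Branch 03 PA-AB", "active-backup", False),
]
```

Running `audit(INVENTORY)` reports the wrong suffix on branch-02 and the idle branch-03 in the shared template, while `expected_remote_networks(INVENTORY)` lists one remote network for branch-01 and two for branch-02.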
On-Demand Site Discovery
You can initiate network discoveries anytime to view new networks added in the
Cisco vManage dashboard. You can also initiate network discoveries to resolve
any misconfiguration in the integration-created objects. To initiate on-demand
network discovery, perform the following steps:
- Select Workflows > Integrations > Prisma Access.
- Locate the Cisco Catalyst SD-WAN Integration with Prisma Access application.
- View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count.
- Click Discover Sites to identify new eligible Cisco Catalyst SD-WAN networks when required.
Troubleshoot Integration Errors
Audit logs provide records of administrators' configuration changes in the integration. You can use these logs for compliance and troubleshooting purposes. You can also view the Messages in the integration settings for information, errors, and warnings.
- If Cisco Catalyst SD-WAN locks a template, don't perform any manual operations on the integration-created objects, to avoid a template lock caused by multiple sessions.
- If your template is locked in edit mode while you are editing it, log in again after some time and try to edit the template. If the issue persists, contact Cisco Systems support.
- If your template edit request session expires, log in again after some time and try to edit the template. If the issue persists, contact Cisco Systems support.
- If your device does not exist in Cisco Catalyst SD-WAN Manager, try discovering the missing device.