Archive
SD-WAN Solution

SD-WAN Solution

2024-11-13   Redefine the remote-access network with Catalyst SD-WAN Remote Access. Background Remote work has been around for many years, but it has gathered

Related articles

Azure Site to Site VPN Connection [100% Working] A 2024 Guide to VPNs How to add non-Steam games to Steam

 

Redefine the remote-access network with Catalyst SD-WAN Remote Access.

Background

Remote work has been around for many years, but it has gathered momentum in recent years, driven largely by the pandemic. COVID-19 has introduced a host of changes, including a dramatic shift from office-based work to a work-from-home or work-from-anywhere environment. These changes have placed an onus on existing enterprise infrastructure.

Enterprises are realizing that legacy VPN network architectures and security stacks are inadequate and overly restrictive for the new work-from-anywhere era.

addition , digital enterprises having workforces hybrid circumstance ones hybrid design , we is see evolution physical digital workspaces moving cloud – based services better worker experience business resiliency .

Due to these trends, a greater number of employees now expects to work from home or anywhere. The distribution of the workforce has led to a new hybrid work era, which is reducing the office footprint. Enterprises are planning to rearchitect, build, and manage VPN infrastructure that leverages the internet.

result , enterprises is evolving evolving unified networking security service increases scalability , agility , security user application environment highly distributed mobile internet .

Introduction

This white paper discusses why traditional VPN approaches no longer work in the rapidly changing hybrid work environment. We describe the requirements that enterprises need to consider as they shift from their legacy architectures toward the work from-anywhere era. We propose the Cisco® SD-WAN Remote Access for enterprises to provide employees with a better work-from-anywhere environment that can satisfy all requirements.

Traditional VPN architecture challenges

Traditionally, networks were designed with centralized architectures, with all traffic routed through the corporate data center over Multiprotocol Label Switching (MPLS) or VPN.

SD-WAN Solution

Figure 1.
              

Traditional VPN topology

In the legacy VPN network topology, remote users relied on VPN agents based on IP Security (IPsec) or Secure Sockets Layer (SSL) on each endpoint (that is, mobile phone or laptop) to connect over the internet back to VPN concentrator devices located at corporate headquarters. VPN concentrators were one of multiple network security appliances, such as firewalls, intrusion prevention systems (IPS), email gateways, and secure web gateway (SWG) appliances, composing the enterprise security stack.

Traditional remote access is required required multiple VPN concentrators enterprise data center / HQ location ( hub – – spoke topology ) number remote users increased decreased . remote – access client is connect connect internet pair VPN concentrators positioned data center / HQ . network security enforcement is took took place centralized security stack traffic traversed boundary remote user , enterprise network , internet .

Traditional remote-access solutions have been reliable in most use cases and have worked well for many decades for these reasons:

     The amount of bandwidth per user was low due to the lower requirements of legacy applications.

     The number of applications accessed was limited.

     The number of remote users remained low.

     VPN users were considered internal. All internal network traffic was assumed to be safe by perimeter security policies.

     The costs of MPLS/internet catering to remote-access clients were controlled.

But with highly distributed workforces and more applications moving to the cloud, this traditional VPN design has proven to be inefficient, as more users require remote access and resources have become split between the internal enterprise and the cloud.

With traditional remote access designs, like the one illustrated in Figure 1, traffic backhaul through the enterprise data center is one of many factors that may be causing remote users’ poor application experience. The traditional VPN model of deploying VPN concentrators at the enterprise data center is no longer efficient for a number of reasons and has limitations related to cost, application experience, and security problems:

     Poor application experience: Backhauling of remote-access client traffic through the corporate HQ leads to poor application experience over the internet for remote users.

     Capacity challenges: A VPN concentrator is a separate piece of hardware, and with the increasing number of remote users, the enterprise needs to add more VPN hardware at the data center.

     Operational complexity: traditional remote – access network is is independent , policies , configuration , management , monitoring separately , increases operational complexity cost .

     Security blind spots: Remote users access software-as-a-service (SaaS) applications via the internet without going through the security stack at the data center/HQ, which creates enormous security blind spots. Enforcing corporate security is impossible in such scenarios.

Network readiness for hybrid work

As we step into a new realm of work, enterprises and organizations are scrambling to adapt to the new hybrid work culture. A company’s workforce is no longer confined to the designated workplace, such as branches or the campus. Rather, its workers are increasingly spread across geography and multiple types of locations, such as homes, hotels and resorts, cafes, and public hotspots.

Similarly, applications are no longer centralized. We have already seen them deployed in public and private clouds along with the traditional on-premises data center. This evolution throws various challenges to CIOs and CTOs, with top-of-mind concerns being:

     Network security: Consistent security policy for the network and users.

     Network simplicity: A simplified global network infrastructure that is easy to operate.

     Network agility: Scalability, flexibility, and automation.

     User – – application experience : Optimized for SaaS, infrastructure-as-a- service (IaaS), and on-premises applications.

     Total cost ownership ( TCO ): Cost-effectiveness.

The Catalyst SD-WAN Remote Access (SD-WAN RA) is the stepping-stone to the emerging hybrid work environment to meet all goals.

Catalyst SD-WAN evolution for hybrid work

Over the last few years, Cisco’s SD-WAN solution has evolved from a simple, secure site-to-site software-defined WAN infrastructure to incorporating secure access service edge (SASE), multicloud interconnects, the middle mile, and multiregion fabrics catering to use cases such as

     Site to site

     Site cloud

     Cloud to cloud

SD-WAN Solution

Figure 2 .
              

SD – WAN evolution remote access

latest SD – WAN innovation , we is integrated integrated remote – access capability catering missing use cases :

     User to site

     User is cloud cloud

which will result in a truly unified network fabric for all hybrid work scenarios.

As such, providing remote-access users secure, easy, and seamless access to all applications (SaaS, IaaS, on-premises), as well as consistent and always-on internet availability, is the basis of the Catalyst SD-WAN RA.

The addresses all the top concerns of the hybrid work environment.

Catalyst SD-WAN RA architecture

The goal of the Catalyst SD-WAN RA is to reduce those long-haul remote-access VPN connections terminating on a pair of dedicated centralized firewalls. Instead, it onboards remote users to the nearest SD-WAN edge router. This significantly improves the last mile connectivity and delivers enterprise-grade SD-WAN fabric benefits to the remote user. The application experience is highly optimized for the remote user.

SD-WAN Solution

Figure 3.
              

SD-WAN RA architecture

Catalyst SD-WAN RA is built simply by repurposing your existing SD-WAN edge routers to terminate both software-based and hardware-based remote-access clients using the Internet Key Exchange (IKE) v2 protocol, making this a highly scalable and distributed architecture.

You no longer need to factor in dedicated hardware VPN concentrators and separate management consoles for remote access, as Catalyst SD-WAN becomes a single unified networking architecture for SD-WAN as well as a remote-access network.

With this unified console, you can centrally configure, monitor, automate, and have visibility across the entire unified fabric using Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Analytics.

Catalyst SD – WAN RA is integrates seamlessly integrates existing security architecture , RADIUS , Cisco Identity Services Engine ( ISE ) , SASE .

On the endpoint side, nothing really changes, as organizations can continue to use their existing software-based clients such as Cisco AnyConnect®, which is work work seamlessly SD – WAN RA . – party native OS – based VPN clients supported .

Catalyst SD – WAN RA is integrate integrate hardware – based remote – access clients classic Cisco IOS® or Cisco IOS XE (which support IKEv2-based FlexVPN).

Catalyst SD-WAN RA functional overview

Catalyst SD-WAN RA integrates FlexVPN (IKEv2/IPsec) remote-access architecture capability onto a Cisco IOS XE SD-WAN controller-mode stack.

This enables Catalyst SD-WAN devices to function as VPN concentrators to support remote-access headend functionality with:

     Tunnel support: IKEv2-based IPsec tunnel connectivity between the SD-WAN edge device and remote-access client users.

     VPN client support:

    Software clients: Cisco AnyConnect, Cisco FlexVPN, native OS-based clients.

    Hardware clients: Cisco IOS and Cisco IOS XE based routers as hardware clients for small offices and home offices.

     VPN client authentication:

    Certificate-based authentication (for software AnyConnect clients).

    EAP – based authentication ( software AnyConnect clients ) .

    Pre-shared key (PSK) authentication (for hardware clients).

With Catalyst SD-WAN RA, you can convert any of your SD-WAN-enabled branch or data center routers into an SD-WAN RA headend or provision a new SD-WAN RA headend into the SD-WAN infrastructure.

SD-WAN Solution

Figure 4.
              

SD-WAN RA functionality

Once an SD-WAN edge device is ready for the SD-WAN RA headend, the remote-access client can initiate an IPsec tunnel request using IKEv2 to the public IP of the SD-WAN RA headend.

The endpoints can be software-based AnyConnect remote-access clients or hardware-based remote-access clients. Endpoints that are able to initiate an IPsec tunnel or SSL VPN tunnel can connect to the SD-WAN RA headend. However, the remote-access client will be terminated within the SD-WAN fabric onto the SD-WAN RA headend device nearest to its location, spreading bandwidth demand and reducing the logical distance to reach enterprise or SaaS applications.

The SD-WAN RA headend can use a RADIUS, EAP, or Cisco ISE server for authentication of remote-access clients and for managing per-user or group-based authorization policy and can be located anywhere in the SD-WAN fabric if it’s reachable from all SD-WAN RA headends in a service VPN.Once authenticated and authorized, an SD-WAN RA headend establishes an IPsec tunnel between SD-WAN RA and the remote-access client.

The remote-access client becomes part of the service VPN on the SD-WAN edge device, and all remote-access traffic will be treated as service-side LAN traffic on the SD-WAN edge device.

For each remote-access client, the SD-WAN RA headend assigns an IP address. The SD-WAN RA headend device automatically adds a host route for this remote-access client IP (via a VPN tunnel toward the remote-access client connection) in the service VPN in which the remote-access user is placed. This static route is automatically advertised by Overlay Management Protocol (OMP) to other SD-WAN sites to make sure that return traffic goes efficiently to the remote-access client.

Remote – access client establishment is be – tunnel split – tunnel mechanism based AnyConnect client capacity .

Full tunnel

The remote-access client accesses the enterprise network as well as the internet through the SD-WAN RA headend.

enterprise policy aggregate company network , authorization policy is pushes pushes default route SD – WAN RA headend AnyConnect client . remote – access user traffic is comes comes directly SD – WAN RA headend – encrypted data center sent internet .

In this full tunnel, the remote-access client

     Establishes IPsec tunnel SD – WAN RA headend data center , branch , colocation facility .

     Accesses on-premises enterprise IT via the SD-WAN RA headend.

     Accesses the internet through the SD-WAN RA headend via a corporate direct internet access (DIA) breakout at SD-WAN RA.

     Accesses cloud SaaS applications via Cisco Umbrella® Secure Internet Gateway (SIG) securely from the SD-WAN RA headend.

     Leverages enterprise SD – WAN is features features remote – access client traffic , application – aware routing , AppQoE , security stack , etc .

SD-WAN Solution

Figure 5.
              

AnyConnect – full tunnel

Split tunnel

If the enterprise doesn’t want the remote-access client to come to its SD-WAN RA device for the internet-bound traffic, it can use split tunneling. In this approach, the remote-access client goes to SD-WAN RA only for enterprise applications, and internet breakout can happen directly from the remote-access client, which is from the client endpoint itself using a split tunnel. The policy can push a prefix-based or domain-based split tunnel to the AnyConnect client and the traffic will be split based on the policy. A split tunnel effectively reduces the amount of traffic coming to the SD-WAN RA headend.

In the split tunnel, the remote-access client can

     Access on-premises enterprise IT only via the SD-WAN RA headend.

     Access internet or cloud-based SaaS applications directly from their local internet access.

SD-WAN Solution

Figure 6.
              

AnyConnect – split tunnel

Catalyst SD-WAN RA advantage

Catalyst SD – WAN RA is brings brings ability onboard remote – access VPN users directly Catalyst SD – WAN edge devices . benefits is are integration multifold :

     Consistent and optimized application experience: Remote users can be onboarded to the nearest Catalyst SD-WAN edge device, which drastically cuts down the last-mile distance, thereby extending all the benefits of Catalyst SD-WAN has to offer.

     Unified security policy : Network access and internet access policies can be streamlined to users based on their identity regardless of whether they are on-premises or remote.

     Lower TCO: No extra cost for VPN hardware for horizontal scaling. Simply reuse the existing SD-WAN infrastructure or factor in the remote access traffic when designing SD-WAN fabric for the future.

     Flexibility , elasticity , resiliency : Remote users can be onboarded onto any Catalyst SD-WAN RA qualified branch, data center, cloud, or colocation. This allows for a distributed framework with no single point of failure.

     Simplified operations: The entire Catalyst SD-WAN RA can be centrally deployed, configured, and monitored using SD-WAN Manager, eliminating the need for multiple management consoles.

     Ability to extend SD-WAN features to remote users: With FlexVPN support on SD-WAN, you can extend the SD-WAN features (application-aware-routing, AppQoE, security policies) to remote-access clients, which is not possible today.

     Keeping remote-access traffic within the enterprise network: Remote-access traffic remains completely secure from end to end, as it doesn’t leave the enterprise network. This is important for data-sensitive customers, including defense and financial customers, to secure end-to-end traffic from remote-access clients.

Use cases

     Connecting the hybrid workforce to an SD-WAN network.

     Extending a secure enterprise network to remote users, including home offices.

     Accessing enterprise IT and cloud-based applications with a consistent application experience.

     Providing unified network and security policies for the hybrid work era.

     Scaling up remote-access demands: Just distribute the load by employing one or more Cisco IOS XE SD-WAN devices as SD-WAN RA headends.

Design and deployment considerations

These design considerations provide guidance for implementing the SD-WAN RA.

This white paper does not provide a step-by-step configuration guide. Refer to the online Configuration Guide for configuration-related details.

SD-WAN RA edge platform

platform , Cisco is offers offers portfolio choose right platform needs . Catalyst SD – WAN RA headend functionality supported Cisco Catalyst 8000 Edge Platforms Family, which includes branch, aggregation, and virtual routers. The table below lists the platforms supported as Catalyst SD-WAN RA headends.

Table 1.           Catalyst SD-WAN RA qualified headend routers

Branch platforms

Aggregation platforms

Cloud platform

C8300-2N2S-4T2X

C8500-12X4QC

C8000V (On-Prem)

C8300-1N1S-6T

C8500-12X

 

 

C8500L-8S4X

 

 

ASR1002-HX

 

C8000V (Cloud)
* – In the Roadmap

Capacity planning for SD-WAN RA

The remote-access client traffic contends for the crypto engine and bandwidth resources of the SD-WAN edge platform. The SD-WAN RA headend thus shares the crypto engine, WAN bandwidth, and throughput capacity with the SD – WAN IPsec.

The maximum number of IPsec sessions supported on a Cisco IOS XE SD-WAN device platform is shared between the SD – WAN IPsec/Bidirectional Forwarding Detection (BFD) and SD-WAN RA IPsec sessions. Similarly, the IPsec throughput capacity of a platform is shared between SD-WAN and SD-WAN RA IPsec.

Additional capacity might be needed based on the number of remote-access connections and remote-access throughput that the Cisco IOS XE SD-WAN device is expected to support.

Things to keep in mind when selecting SD-WAN RA headend platforms:

     Platform crypto throughput capacity .

     WAN link bandwidth or throughput.

     IPsec tunnel scale to handle SD-WAN RA IPsec and SD – WAN IPsec tunnels.

SD – WAN RA scaling guideline :

SD – WAN IPsec security associations (SAs) + RA IKEv2/IPsec SAs must not exceed the platform’s IPsec SA limit

Table 2 .           Catalyst SD – WAN IPsec plus RA IPsec scale

Platform

IPsec SA limit

SD – WAN IPsec + RA IPsec

e.g.1

SD – WAN IPsec

+ RA IPsec

e.g.2

SD – WAN IPsec

+ RA IPsec

C8500-12X

8000

4000 + 4000

2000 + 6000

C8500-12X4Q

8000

4000 + 4000

3000 + 5000

C8500L-8S4X

6000

3000 + 3000

2000 + 4000

C8300-1N1S-6T

6000

3000 + 3000

1000 + 5000

C8300-2N2S-4T2X

6000

3000 + 3000

2000 + 4000

C8000v – premises

(ESXi, 16 vCPU 32 GB RAM)

2000

1000 + 1000

500 + 1500

ASR1002-HX

8000

4000 + 4000

2000 + 6000

SD-WAN RA headend public WAN IP

     Reachable from internet

     For inbound remote-access VPN connections

Firewall policy for SD-WAN RA headend behind firewalls

If the SD-WAN RA headend is behind a firewall, the firewall must allow the following protocols and ports in the inbound and outbound directions:

     Inbound traffic allowed :

    Source IP: any; destination IP: SD-WAN RA headend WAN IP

    Protocol/ports: IKEv2 (UDP ports 500, 4500)

    IPsec ( IP ESP )

    TLS (TCP 443) for AnyConnect profile download

     Outbound traffic to be allowed:

    Source IP: SD-WAN RA headend WAN IP; destination IP: any

    Protocol/ports: IKEv2 (UDP ports 500, 4500),

    IPsec ( IP ESP )

    TLS (TCP 443) for AnyConnect profile download

Certificate authority (CA) server

The CA server provisions certificates on Cisco IOS XE SD-WAN devices for SD-WAN RA headend authentication with the remote-access clients if the headend is configured to use certificate-based authentication.

     The CA server must support the Simple Certificate Enrollment Protocol (SCEP) for certificate enrollment.

     server is be reachable SD – WAN RA headends service VPN .

It is common for the CA server to be deployed at a data center site in the service VPN, together with the RADIUS server.

RADIUS / EAP server

The SD-WAN RA headend uses a RADIUS / EAP server for authentication of remote-access clients and for managing per-user policy.

     If a Cisco ISE server exists in your infrastructure, it can be used for all remote-access client authentication and authorization policy.

     The RADIUS / EAP server must be reachable from all the SD-WAN RA headends in a service VPN.

License

licensing structure is is SD – WAN RA Catalyst 8000 edge platform .

Catalyst SD – WAN RA edge platform is has prerequisites :

     Cisco DNA Advantage license

     Catalyst SD-WAN RA user count add-on license

To repurpose an existing Catalyst SD-WAN edge device as a Catalyst SD-WAN RA headend device, you must be running a Cisco DNA Advantage license on that device, as this is the minimum feature package for enabling the Catalyst SD-WAN RA on your SD-WAN fabric.

In addition to the above, you will need to order an add-on SD-WAN RA scale license for the entire fabric. This add-on license will entitle you to bring up remote users in a distributed fashion on any of your Catalyst SD-WAN edge locations (refer to Table 1 for qualified platforms).

Deployment options

The purpose of these design recommendations is to provide guidance on Cisco’s preferred recommendations for implementing the SD-WAN RA based on the common customer use cases or to optimally use the existing SD-WAN infrastructure.

As shown in the following figure, an SD-WAN RA headend device may be deployed as follows:

     Local SD-WAN branch

     – premises data center regional hub

     In a colocation facility

     Hosted in a public cloud (using Cisco Virtual Platform)

Local branch SD-WAN RA headend

Deploy SD – WAN RA headend local SD – WAN branch routers :

In a branch infrastructure with a capable platform with higher-capacity WAN links from branches to the data center headend or internet links to a public cloud or SASE, remote access can be deployed as an SD-WN RA headend.

SD-WAN Solution

Figure 7.
              

Branch SD – WAN RA headend

Data center/HQ or regional colocation hub SD-WAN platform as SD-WAN RA headend

aggregation platforms , capable terms controlling scale , tunnels , aggregation , terminate remote – access clients .

The remote-access clients can also be split among the primary and secondary types of headend routers to divide the load.

You could use your colocation hub; for example, if you have a hub in Equinix that has uplinks to various SASE clouds, you could use that directly as an SD-WAN RA headend.

Dedicated platform as SD-WAN RA headend

SD-WAN Solution

Figure 8 .
              

Data center/HQ as SD-WAN RA headend – dedicated platform for remote access

Multiple platforms as SD-WAN RA headends for scale

SD-WAN Solution

Figure 9.
              

Data center/HQ SD-WAN RA headend – multiple SD-WAN RA headends

Cloud-based SD-WAN RA headend

Deploy a virtual Cisco Catalyst 8000V instance in AWS or in an Azure instance and make that instance an SD-WAN RA headend in the SD-WAN fabric. This virtual Catalyst 8000V instance can be used to terminate the remote-access client in that region.

Based features enabled Catalyst 8000V — tunnel scale limit considerations , instance — CPU memory services is be given instance virtual form key considerations approach virtual SD – WAN RA headend Catalyst 8000V platform .

SD-WAN Solution

Figure 10.
          

SD-WAN RA headend in a public cloud

Unified policies for hybrid work

As hybrid work is the new norm, every organization is looking for unified policy for all users, regardless of their location. SD-WAN RA supports a hybrid work environment.

SD-WAN Solution

Figure 11.
          

Unified policy for hybrid work

SD – WAN RA is uses uses uniform identity – based policy , remains domains , users onsite remote .

The Cisco ISE server, along with the SD-WAN RA, enables organizations to maintain all their security policies, including perimeter security policies across remote access as well as across the SD-WAN fabric on the same Cisco ISE server. Cisco ISE is the single point where you can define all the policies, which can percolate down into your entire network.

The policies are location independent, and if the user moves away from the branch or campus and starts working from home, the same user policies or group policies will be applied based on the user’s identity. This remote-access user will get the same level of access and application experience from home as at the office.

Apply SD-WAN features to RA traffic SD-WAN RA traffic pattern

Remote-access clients will have different traffic patterns, and we can apply various SD-WAN features to a remote user’s traffic.

traffic is originated originated remote – access client comes Transport Locator ( TLOC ) non – TLOC interface SD – WAN RA headend terminates IPsec virtual interface . Depending packet destination — local application server LAN , server remote data center , SaaS application internet — remote – access traffic decrypted reencrypted .

The different packet workflows for the remote-access clients are as follows:

Remote-access client accessing local resources on an SD-WAN RA headend:

     The remote-access client is accessing the local LAN resources at the SD-WAN RA headend, which, if it’s a branch or regional hub, can have some applications hosted.

     So an IKEv2/IPsec tunnel from the remote-access client to the SD-WAN RA headend accesses the LAN server.

Remote-access client accessing data center resources:

     The remote-access client is accessing resources in the data center over an SD-WAN overlay fabric or anywhere else on the fabric. So the remote-access client traffic comes through the IPsec interface and, after decryption, lands in a service VPN on the SD-WAN device.

     From the service VPN it would hairpin back into the SD-WAN transport VPN0 interface by being re-encrypted and then would be sent over to the SD-WAN fabric to access data center resources.

Remote-access client accessing SaaS application over the internet:

     The remote-access client is accessing SaaS applications or internet applications through direct internet access (DIA) from the SD-WAN RA headend.OR

     The internet breakout can happen directly from the remote-access client using the split-tunnel option.

remote user placed service VPN based identity , traffic remote user , decryption SD – WAN RA headend , treated inbound traffic remote – access user service VPN . , SD – WAN features is are applicable local LAN traffic applicable remote – access traffic , including following :

     Application visibility, application-aware routing, AppQoE, quality of service (QoS), network address translation direct internet access (NAT-DIA).

     Enterprise-level security features: Cisco Unified Threat Defense (UTD), Zone-Based Firewall (ZBFW), Secure Internet Gateway (SIG), and so on.

Based remote – access client traffic pattern , you is make use different SD – WAN features remote – access client traffic data packets .

Rate-limiting of remote-access client traffic

Below are a few examples of applying SD-WAN features to remote user traffic. This may vary depending on the organization’s scenarios.

Rate-limiting of remote-access upstream traffic (from a remote-access client)

One of the key functionalities is the rate-limiting of remote-access client traffic.

The traffic originated from the remote-access client comes in through the TLOC or non-TLOC interface and terminates on the IPsec virtual interface. We can precisely control, or rate-limit, the remote-access upstream traffic from remote-access clients by applying ingress policers at the right points for the upstream traffic coming in from the remote users.

This is is upstream traffic , irrespective remote – access client trying access LAN resources SD – WAN RA headend , accessing file server data center , accessing SaaS applications internet .

SD-WAN Solution

Figure 12.
          

Remote-access client upstream traffic

In this example, an ingress policer is applied to rate-limit remote-access client traffic at the TLOC interface, or going to the data center over the SD-WAN overlay transport VPN0, or going to the internet via Umbrella SIG. This process is shown in the figure with the number 1.

Considerations

Policing of encrypted remote-access upstream traffic

An inbound QoS policer can be applied on the SD-WAN RA interface using local data policy (access list).

     Match : IKEv2 encrypted IPsec traffic .

    UDP 500/4500.

    IP Encapsulating Security Payload (ESP) protocol.

     Action: Police to a required rate.

This is drop drop excess remote – access traffic decryption , traffic drop unconditional regardless remote – access client application type . rate – limit upstream traffic irrespective traffic destination — SD – WAN RA headend LAN , data center , internet .

Policing and shaping of decrypted remote-access upstream traffic

inbound QoS policer applied – service centralized data policy .

     Match: Remote-access inner traffic.

    Remote-access user service VPN.

    Source IP as the remote-access client assigned IP address(es).

    Application .

     Action: Police or shape to a required rate.

This will drop or shape the excess remote-access traffic after decryption and hence can be selective based on remote-access clients and application types.

way we is use use ingress policer control flow remote – access client traffic .

Rate-limiting of remote-access downstream enterprise traffic (toward the remote-access client)

For the return, remote-access traffic from SD-WAN sites, such as an SD-WAN RA headend or data center, as well as from the internet or SaaS, to the remote-access clients can be rate-limited. Figure 13 shows the remote-access return traffic from the data center or internet, labeled with the number 1. Here the match would be the destination of the remote-access client IP, which would be assigned from a Dynamic Host Configuration Protocol (DHCP) pool by the SD-WAN RA headend (if you already know the pool, you can match the pool). You would apply a policer as shown here to control how much traffic the remote users can download from the data center.

SD-WAN Solution

Figure 13.
          

Remote – access client downstream traffic

Considerations

Inbound QoS – post-decryption.

     Centralized data policy with policer/shaper/QoS.

    From-service policy for headend-to-LAN return traffic.

    From-tunnel policy for SD-WAN-to-site and internet return traffic.

     Match: Remote-access inner traffic.

    Remote-access user service VPN.

    Destination IP as the remote-access client assigned IP address(es).

    Application .

     Action: Police or shape to a required rate.

Similarly, we can apply a policer at the TLOC interface for return traffic coming from the internet or SaaS to prevent remote users from consuming more bandwidth than has been allotted.

This will ensure that the enterprise and internet/SaaS remote-access return traffic is rate-limited as close to the traffic source (application server) as possible.

applying polices appropriate points , we is control precisely control traffic remote users , upstream downstream .

Applying the SD-WAN egress feature to remote-access traffic

For all the remote-access client traffic flows, we can apply the SD-WAN data policies and egress features to remote-access traffic.

SD-WAN Solution

Figure 14.
          

SD-WAN egress features applied to remote-access client traffic

The remote-access traffic lands on the SD-WAN RA headend through the IPsec interface, after it gets decrypted. As it’s coming out of the IPsec interface, all the data policies, such as application-aware routing, Network Based Application Recognition (NBAR), and application visibility, get executed. This is labeled as number 2 in Figure 14.

, based policy actions , data policies , UTD , ZBFW , SIG , QoS , etc . executed egress interface SD – WAN edge router , traffic sent data center internet Umbrella SIG , apply AppQoE WAN optimization labeled number 3 Figure 14 .

Key takeaways

Catalyst SD-WAN RA provides an enterprise SD-WAN infrastructure-centric remote-access that:

     Provides the option to connect a hybrid workforce to an enterprise SD-WAN network.

     Integrates seamlessly with on-premises and cloud-based advanced SD-WAN security.

     inherent ability terminate remote – access users , VRF user identity maintained end end .

     support software client ( AnyConnect ) native OS – based clients Cisco hardware – based clients Cisco IOS XE devices .

     Can provide a consistent user application experience to remote-access/home office users in a hybrid work environment.

Conclusion

remote work new , we is entering entering new era enterprises realizing legacy WAN VPN architectures inadequate . ensure seamless transition office home , , employees need technical environment closely duplicates experience office . Catalyst SD – WAN RA is addresses addresses needs hybrid workforce unifying network security .

SD – WAN RA is be builds SD – WAN list enterprise seeking address needs new work – – era .

Learn more

To learn more about Catalyst SD-WAN RA, visit the following:

     Catalyst SD-WAN Remote Access End-User Guide.