BRKSEC-2419: Branch Router Segmentation & Security
Kureli Sankar, Leader, Technical Marketing (CCIE Security #35505)
Cisco Live 2023. 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive
Questions? Use the Cisco Webex App to chat with the speaker after the session; the Webex space is moderated by the speaker until June 9, 2023.

About me
- BS in Electrical and Electronics Engineering
- 2006-2013: TAC Engineer
- 2013-2018: Technical Marketing Engineer
- 2018-present: Leader, Technical Marketing
- Areas of expertise: IOS and IOS-XE security features, SD-WAN security solutions

Agenda
- Data plane security: Zone Based Firewall, Snort IPS, URL-Filtering, Advanced Malware Protection, Cisco Umbrella integration, Secure Internet Gateway
- Live demo

Broadest set of enterprise routing portfolio
- Branch: ISR 4000, ISR 1000, ISR 1100-4G/6G/LTE (Dual OS), ISR 1100X-4G/6G (Dual OS), Catalyst 8300/8200/8200L
- Aggregation: ASR 1000, Catalyst 8500/8500L
- Cloud edge: Catalyst 8000V (SRIOV, hypervisor/cloud)
- Virtualization (NFVIS): Catalyst 8000V on ENCS 5400, Catalyst 8200 uCPE, CSP 5000 and UCS-C M6 + NFVIS
- SD-WAN (Viptela OS): vEdge 2000, vEdge 5000, vEdge Cloud; SD-WAN + services (IOS XE) on the ISR, ASR and Catalyst 8000 platforms
- The transition platform depends on the ports in use and the expected throughput
Zone Based Firewall

Zone Based Firewall use case: PCI compliance. The branch router keeps Engineering (VPN10) and Finance (VPN20) segmented; HQ-destined traffic reaches the data centre applications over SD-WAN, while employee Internet traffic passes through the enterprise firewall (Ent. FW, App Aware) before the Internet.

Zone Based Firewall: benefits and requirements
Requirements
- SEC-K9 license or Cisco DNA Network Essentials (Catalyst 8000)
- XE 3.9 and above on ISR 4K
- XE 16.6.1 and above on ISR 1K
- XE 16.6.1 and above on ISRv
- XE 3.7S and above on ASR1K
- XE 3.10S and above on CSR 1000V
- XE 17.3.2 and above for C8300 and C8500
- XE 17.4.1 and above for C8500L, C8200 and 8000V
Benefits
- PCI (Payment Card Industry) compliance
- Stateful firewall built into branch routers
- Segmentation
- Supports VRF
- Supports IPv6
- Supports SGT
- Supports FQDN

Zone Based Firewall: configuration steps
1. Assign zones and apply them to interfaces (zone-member).
2. Identify traffic using a class-map (match protocol or match access-list).
3. Choose the action with a policy-map: inspect, pass or drop.
4. Apply the action to a zone-pair with a service policy.

Zone Based Firewall: configuration
The firewall is directional: a different policy can apply depending on the packet direction. G0/0/0 faces the Internet (security zone OUTSIDE) and G0/0/1 faces the branch users (security zone INSIDE); Employee 1 and Employee 2 sit behind G0/0/1, HQ-destined traffic goes over the VPN tunnel to the data centre applications, and employee Internet traffic exits through G0/0/0.

    zone security INSIDE
    zone security OUTSIDE
    interface G0/0/0
     zone-member security OUTSIDE
    interface G0/0/1
     zone-member security INSIDE
    class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
     match protocol ftp
     match protocol tcp
     match protocol udp
     match protocol icmp
     ! or: match access-list <name>
    policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
     class type inspect INSIDE-TO-OUTSIDE-CLASS
      inspect
     class class-default
      drop
    zone-pair security IN_OUT source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Reference: https://cs.co/snortips-config

Firewall App Aware: benefits and requirements
Requirements
- SEC-K9 license or Cisco DNA Essentials (Catalyst 8000)
- XE 3.9 and above on ISR 4K
- XE 16.6.1 and above on ISR 1K
- XE 16.6.1 and above on ISRv
- XE 3.7S and above on ASR1K
- XE 3.10S and above on CSR 1000V
- XE 17.3.2 and above for C8300 and C8500
- XE 17.4.1 and above for C8500L, C8200 and 8000V
Benefits
- Application visibility and granular control: 1694+ layer-7 applications classified
- Allow or block traffic by application, category, application-family or application-group
- Segmentation
- PCI compliance
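A small audit of the zone-based firewall configuration above, written for this page as an added example (not Cisco code): it parses the zone, class-map, policy-map and zone-pair commands, flags an interface that was never placed in a zone and a class-default that does not drop, and answers what the firewall does with a given flow. SAMPLE_CONFIG is a constructed copy of the slide's policy with one extra, unzoned interface added to give the audit something to find.

```python
# Constructed sample, not the slide verbatim: the INSIDE-to-OUTSIDE policy above plus
# one extra interface (G0/0/2) that was never put in a zone.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/0/1
 zone-member security INSIDE
interface GigabitEthernet0/0/2
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
"""

def parse_blocks(config):
    """Group IOS config lines into (top-level command, [indented child lines])."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def parse_zbf(config):
    """Return (zones, interface->zone, class->protocols, policy->{class: action}, pair->policy)."""
    zones, iface_zone, classes, policies, pairs = set(), {}, {}, {}, {}
    for header, body in parse_blocks(config):
        w = header.split()
        if w[:2] == ["zone", "security"]:
            zones.add(w[2])
        elif w[0] == "interface":
            iface_zone[w[1]] = next((c.split()[-1] for c in body if c.startswith("zone-member security ")), None)
        elif w[:3] == ["class-map", "type", "inspect"]:
            classes[w[-1]] = [c.split()[-1] for c in body if c.startswith("match protocol ")]
        elif w[:3] == ["policy-map", "type", "inspect"]:
            actions, current = {}, None
            for c in body:  # "class X" is followed by its action line (inspect, pass or drop)
                if c.startswith("class "):
                    current = c.split()[-1]
                elif current and current not in actions:
                    actions[current] = c.split()[0]
            policies[w[-1]] = actions
        elif w[:2] == ["zone-pair", "security"]:
            src, dst = w[w.index("source") + 1], w[w.index("destination") + 1]
            pairs[(src, dst)] = next((c.split()[-1] for c in body if c.startswith("service-policy ")), None)
    return zones, iface_zone, classes, policies, pairs

def audit(config):
    """List findings a reviewer would raise; an empty list means the config is consistent."""
    zones, iface_zone, classes, policies, pairs = parse_zbf(config)
    findings = []
    for iface, zone in sorted(iface_zone.items()):
        if zone is None:  # ZBF drops traffic between a zoned and an unzoned interface
            findings.append(f"{iface}: no zone-member, traffic to or from zoned interfaces is dropped")
        elif zone not in zones:
            findings.append(f"{iface}: zone {zone} is not defined")
    for (src, dst), pol in sorted(pairs.items()):
        default = policies.get(pol, {}).get("class-default")
        if pol not in policies:
            findings.append(f"zone-pair {src}->{dst}: policy-map {pol} is not defined")
        elif default != "drop":  # anything the classes do not match should be dropped
            findings.append(f"policy-map {pol}: class-default should drop, not {default}")
    return findings

def verdict(config, src_zone, dst_zone, protocol):
    """What the firewall does with one flow between two zones: inspect, pass or drop."""
    _, _, classes, policies, pairs = parse_zbf(config)
    pol = pairs.get((src_zone, dst_zone))
    if pol is None or pol not in policies:
        return "pass" if src_zone == dst_zone else "drop"  # intra-zone passes, no zone-pair drops
    for cls, action in policies[pol].items():  # first matching class wins
        if cls == "class-default" or protocol in classes.get(cls, []):
            return action
    return "drop"
```

Run audit() against a real running-config after stripping the banner lines; verdict() is handy for checking a change request ("will SSH from INSIDE to OUTSIDE still be inspected?") before it is pushed.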
- Supports VRF and IPv6

Firewall App Aware: configuration
The inspect policy nests an AVC (application visibility and control) policy, so applications and categories can be denied inside the inspected class.

    zone security INSIDE
    zone security OUTSIDE
    interface G0/0/0
     zone-member security OUTSIDE
    interface G0/0/1
     zone-member security INSIDE
    class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
     match protocol ftp
     match protocol tcp
     match protocol udp
     match protocol icmp
     ! and/or: match access-group name <name>
    class-map match-any AVC-CLASS
     match protocol yahoo
     match protocol amazon
     match protocol attribute category consumer-streaming
     match protocol attribute category gaming
     match protocol attribute category social-networking
    policy-map type inspect avc AVC-POLICY
     class AVC-CLASS
      deny
     class class-default
      allow
    policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
     class type inspect INSIDE-TO-OUTSIDE-CLASS
      inspect
      service-policy avc AVC-POLICY
     class class-default
      drop
    zone-pair security IN_OUT source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Snort IPS

Snort IPS use case: PCI compliance. Engineering (VPN10) and Finance (VPN20) stay segmented; HQ-destined traffic reaches the data centre applications over SD-WAN, and employee Internet traffic passes through the enterprise firewall (Ent. FW, App Aware) and the IPS before the Internet.

Snort IPS: acronyms (FYI)
- VPG: Virtual Port Group
- DIA: Direct Internet Access
- CSR: Cloud Services Router
- WL: Whitelisting
- TAR: Tape Archive file
- UTD: Unified Threat Defense
- PCI: Payment Card Industry
- TCO: Total Cost of Ownership
- BQS: Buffer Queueing and Scheduling

Snort IPS: benefits and requirements
Requirements
- SEC-K9 license or Cisco DNA Essentials (Catalyst 8000)
- 4 GB additional memory
- XE 3.16.1 and above on ISR4K
- XE 16.8.1 and above on ISRv
- XE 16.3.1 and above on CSR
- XE 17.2.1r and above on ISR1K
- XE 17.3.2 and above on C8300
- XE 17.4.1 and above on C8500L, C8200 and 8000V
- Subscription (1 yr, 3 yr or 5 yr)
- Monitoring via third party
Benefits
- PCI compliance
- Threat protection built into Catalyst, ISR and ISRv branch routers
- Complements ISR integrated security
- Lightweight IPS solution with low TCO and automated signature updates
- Supports VRF (16.6)
- Supports IPv6
- Snort 2.0 to 3.0 in 17.12

Snort IPS configuration: application hosting
Platforms: ISR 1K, ISR 4K, ISRv*, CSR1Kv*, C8500L, C8300, 8200, 8000V (* EoS/EoL: refer to the slides in the resource section).
The Snort container runs on the router and is attached to IOS-XE through virtual port groups (VPG mapping and purpose):
- VPG0 (192.168.103.1) to container ETH1 (192.168.103.2): management, choice 1
- VPG1 (192.0.2.1) to container ETH2 (192.0.2.2): flow of data packets
- G0 to container ETH3: management, choice 2
- G0/1/0 carries Vlan 101 (192.168.101.x) on the LAN side; G0/0/0 (192.168.128.5) faces the Internet, from which signature updates are fetched from the Cisco Software Store

Step 1: Configure application hosting (exec prompt)
    iox
    app-hosting install appid utd package bootflash:utd.tar
Step 2: Configure port groups
    interface VirtualPortGroup0
     description Management interface
     ip address 192.168.1.1 255.255.255.252
    interface VirtualPortGroup1
     description Data interface
     ip address 192.0.2.1 255.255.255.252
Step 3: Configure and activate application hosting
    app-hosting appid utd
     app-vnic gateway0 virtualportgroup 0 guest-interface 0
      guest-ipaddress 192.168.1.2 netmask 255.255.255.252
     app-vnic gateway1 virtualportgroup 1 guest-interface 1
      guest-ipaddress 192.0.2.2 netmask 255.255.255.252
     app-resource package-profile low
     ! package-profile: low, medium or high
     start
Step 4: Configure UTD (service plane)
    utd engine standard
     logging host 10.12.5.55
     logging syslog
     threat-inspection
      threat protection
      ! threat protection = IPS, threat detection = IDS
      policy security
      ! policy: security, balanced or connectivity
      logging level warning
      signature update server cisco username <user> password <pass>
      signature update occur-at daily 0 0
Step 5: Enable UTD (data plane)
    utd
     all-interfaces
     engine standard
     fail close
     ! fail open is the default
Step 6: Allow list (optional)
    utd threat-inspection whitelist
     generator id 1 signature id 21599 comment Index
     generator id 1 signature id 20148 comment ActiveX
    utd engine standard
     threat-inspection
      whitelist

Intrusion Prevention (IOx): https://cs.co/snortips-config

URL-Filtering

URL Filtering overview
- Block or allow based on categories and reputation; catches requests for "risky" domains
- Allow/block lists of custom URLs
- Content filtering for BYOD
Benefits
- 82+ web categories with dynamic updates from Webroot/BrightCloud
- Block based on web reputation score
- Create a custom allow or blacklist
- Customizable block page/server
- Supports VRF and IPv6
Requirements
- SEC-K9 license or DNA Essentials
- 4 GB additional memory (8 GB minimum for the platform)
- XE 16.3 and above on CSR; multitenancy from 16.6.1 on CSR
- XE 16.8.1 and above on ISRv
- XE 17.4.1 and above on 8000V
Advanced Malware Protection

Advanced Malware Protection + CMA (Cisco Malware Analytics)
- Integration with AMP: file reputation and file retrospection
- Integration with Cisco Malware Analytics (ThreatGrid): file analysis in a malware sandbox
- Inspects traffic in VPNs of interest
- Leverages the Snort engine to identify file transfers
- Supported protocols: HTTP, HTTPS (with TLS decryption), SMTP, IMAP, POP3, FTP, SMB
- Flow: the router checks the file signature against the AMP cloud, and the file itself is checked by Cisco Malware Analytics when analysis is needed

Cisco Umbrella Integration

Cisco Umbrella integration use case: guest (VLAN 102) and employee (VLAN 101) Internet traffic gets Umbrella protection through direct cloud access (Internet and SaaS), while HQ-destined traffic still reaches the data centre applications over SD-WAN through the enterprise firewall (Ent. FW, App Aware) and the IPS.

Cisco Umbrella integration: terminology (FYI)
- Token: used ONLY for device registration and to obtain the Origin ID
- Origin ID: device ID; good until someone deletes that network device identity from the dashboard
- EDNS: Extension mechanisms for DNS
- CFT: Common Flow Table
- PTR: Pointer Record
- DNSCrypt: protocol that authenticates communications between a DNS client and a DNS resolver
- FQDN: Fully Qualified Domain Name
- API: Application Programming Interface
- ReST API: Representational State Transfer API
- FMAN: Forwarding Manager
- CPP: Cisco Packet Processor (external name is Quantum Flow Processor)
- Phishing: the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers

Umbrella integration: benefits and requirements
Benefits
- DNS-layer protection at the WAN edge (branch DNS queries go to Umbrella): no need to look within HTTP or HTTPS packets
- Complements ISR integrated security
- Configure policies based on tags per interface
- Blocks phishing and malware
- Supports DNSCrypt
- Supports VRF
Requirements
- Provision to get the token ID and portal login
- SEC-K9 license or DNA Essentials
- XE 16.3 and above on ISR 4K series routers
- XE 16.8.1 and above on ISRv and ISR 1K series routers
- XE 16.10.1 and above on ASR1K
- XE 16.3 and above on CSR
- Per-device subscription
- Monitoring and reporting via the Umbrella portal

Cisco Umbrella integration: solution overview
1. The client (Martha) sends a DNS request to the router running IOS-XE.
2. The router forwards it to Umbrella as an encrypted DNS request.
3. Umbrella returns an encrypted DNS response.
4. The router returns the DNS response to the client.
5. For a safe request the client reaches the web server (approved content); for a blocked request the content is blocked.

Cisco Umbrella integration: configuration
Step 1: Certificate import (mandatory for device registration via HTTPS)
    crypto pki trustpool import url http:/
Step 2: Configure local domain (optional) and token
    parameter-map type regex dns_bypass
     pattern .*eisg.cisco.*
    parameter-map type umbrella global
     token 562D3C7FF844001
     dnscrypt
     ! dnscrypt is optional
     local-domain dns_bypass
Step 3: Enable umbrella "out" and "in" with a tag
    interface g0/0/0
     description Internet facing
     umbrella out
    interface vlan102
     description Wireless Guest
     umbrella in Wireless-clients

Reference: https://cs.co/dns-layer-config

Secure Internet Gateway

Topology: wired Employee 1 (192.168.101.2, Vlan 101) traffic goes through an IKEv2 IPsec tunnel from the WAN interface G0/0/0 (192.168.128.5) to Umbrella SIG; wireless Guest (192.168.102.2, Vlan 102) traffic gets DNS-layer security from Umbrella; HQ-destined traffic uses the SD-WAN VPN tunnel to the data centre applications.
Reference: http://cs.co/isr-sig-config

Network tunnel in Umbrella: manual creation
In the Umbrella portal, go to Deployments > Network Tunnels.
Network tunnel in Umbrella: manual creation (continued)
Under Deployments > Network Tunnels the tunnel gets a tunnel ID (shown on the slide as ISR1121X224XX25-58XXX1506-) and a passphrase (Iloveciscoumbrella2023); the router uses the same values as its local identity and pre-shared key.

IKEv2 IPsec tunnel to Umbrella
Step 1: Configure IKEv2 proposal
    crypto ikev2 proposal umbrella-proposal
     encryption aes-cbc-256
     integrity sha256
     group 19 20
Step 2: Configure IKEv2 policy
    crypto ikev2 policy umbrella-pol
     proposal umbrella-proposal
     match address local 192.168.128.5
     ! WAN IP, not mandatory
Step 3: Configure IKEv2 keyring
    crypto ikev2 keyring umbrella-kr
     peer umbrella
      address 146.112.67.8
      ! Umbrella DC
      pre-shared-key Iloveciscoumbrella2023
Step 4: Configure IKEv2 profile
    crypto ikev2 profile umbrella-ikev2-profile
     match identity remote address 146.112.67.8 255.255.255.255
     identity local email ISR1121X224XX25-58XXX1506-
     authentication remote pre-share
     authentication local pre-share
     keyring local umbrella-kr
     dpd 10 2 periodic
Step 5: Configure IPsec transform set
    crypto ipsec transform-set umbrella-tset esp-aes 256 esp-sha256-hmac
     mode tunnel
Step 6: Configure IPsec profile
    crypto ipsec profile umbrella-ipsec-profile
     set transform-set umbrella-tset
     set ikev2-profile umbrella-ikev2-profile
Step 7: Configure tunnel interface
    interface Tunnel1
     ip unnumbered GigabitEthernet0/0/0
     tunnel source GigabitEthernet0/0/0
     tunnel mode ipsec ipv4
     tunnel destination 146.112.67.8
     ! Umbrella DC
     tunnel protection ipsec profile umbrella-ipsec-profile

Cisco Umbrella DC Locator: https://cs.co/umbrella-dc
Cisco Umbrella IPsec parameters: https://cs.co/sig-ipsec
Configuration guide: http://cs.co/isr-sig-config

IKEv2 IPsec tunnel to Umbrella (continued)
Step 8: Configure an access-list
    ip access-list extended To_Umbrella
     permit ip 192.168.101.0 0.0.0.255 any
Step 9: Configure route-map
    route-map umbrella-routemap permit 10
     match ip address To_Umbrella
     set interface Tunnel1
Step 10: Apply the route-map under the interface
    interface vlan101
     ip policy route-map umbrella-routemap
Topology: the branch reaches Cisco Umbrella over IKEv2 IPsec; Employee 192.168.101.0/24 is on Vlan 101 and Guest 192.168.102.0/24 on Vlan 102.
Optional: just configure a default route to SIG instead of steps 8, 9 and 10:
    ip route 0.0.0.0 0.0.0.0 Tunnel1

IOS XE hardening
Enterprise routing hardening topics: SNMP, SSH (SSHv2), ICMP, access control lists, authentication, authorization, accounting, TACACS, CoPP, rate limiters, password management, keepalives, CPU, memory, NAT, firewall, filtering, Management Plane Protection, encryption, console, virtual terminal, AUX, TTL-based security, encrypting management sessions, memory threshold, IP fragments, proxy ARP, FTP, TFTP, routing protocols, uRPF, NetFlow, anti-spoofing.
Reference: http://cs.co/iosxe-hardening

Demo
- Zone Based Firewall: https://cs.co/zbf-config
- Snort IPS: https://cs.co/snortips-config
- Umbrella integration: http://cs.co/dns-layer-config
- Umbrella SIG: http://cs.co/isr-sig-config
- Troubleshooting: https://cs.co/ios-xe-packet-trace

Demo topology
- Wired employees (192.168.101.2 on Vlan 101, gateway 192.168.101.1) reach the Internet through an IKEv2 IPsec tunnel from G0/0/0 (192.168.128.5) to Umbrella SIG
- Wireless guests (192.168.102.2 on Vlan 102) get DNS-layer security from Umbrella
- HQ-destined traffic goes over the VPN tunnel to the data centre applications
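A consistency check for the IKEv2 IPsec tunnel to Umbrella SIG (steps 1 to 7 above), written for this page as an added example and not Cisco or Umbrella code: it confirms the proposal, transform set and DH groups use none of a small set of weak algorithms (WEAK is this author's assumption, not an Umbrella requirement list), that dead peer detection is configured, and that the keyring, IKEv2 profile and tunnel interface all point at the same Umbrella DC address. SIG_CONFIG is a constructed copy of the slide's configuration with placeholder secrets.

```python
# Constructed copy of steps 1 to 7 with the pre-shared key and tunnel ID replaced by placeholders.
SIG_CONFIG = """\
crypto ikev2 proposal umbrella-proposal
 encryption aes-cbc-256
 integrity sha256
 group 19 20
crypto ikev2 policy umbrella-pol
 proposal umbrella-proposal
 match address local 192.168.128.5
crypto ikev2 keyring umbrella-kr
 peer umbrella
  address 146.112.67.8
  pre-shared-key PSK-PLACEHOLDER
crypto ikev2 profile umbrella-ikev2-profile
 match identity remote address 146.112.67.8 255.255.255.255
 identity local email TUNNEL-ID-PLACEHOLDER
 authentication remote pre-share
 authentication local pre-share
 keyring local umbrella-kr
 dpd 10 2 periodic
crypto ipsec transform-set umbrella-tset esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile umbrella-ipsec-profile
 set transform-set umbrella-tset
 set ikev2-profile umbrella-ikev2-profile
interface Tunnel1
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 146.112.67.8
 tunnel protection ipsec profile umbrella-ipsec-profile
"""

# Algorithms and DH groups a review would reject (assumption; tune to local policy).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5",
        "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def check_sig_tunnel(config):
    """Return findings; an empty list means the tunnel matches the session's parameters."""
    algos, peers, has_dpd, section = set(), {}, False, ""
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):  # a top-level command opens a new section
            section = raw
            if section.startswith("crypto ipsec transform-set"):
                algos.update(words[4:])  # e.g. esp-aes 256 esp-sha256-hmac
            continue
        if section.startswith("crypto ikev2 proposal"):
            if words[0] in ("encryption", "integrity"):
                algos.update(words[1:])
            elif words[0] == "group":
                algos.update("group" + g for g in words[1:])
        elif section.startswith("crypto ikev2 keyring") and words[0] == "address":
            peers["keyring"] = words[1]
        elif section.startswith("crypto ikev2 profile"):
            if words[:4] == ["match", "identity", "remote", "address"]:
                peers["ikev2 profile"] = words[4]
            elif words[0] == "dpd":
                has_dpd = True
        elif section.startswith("interface Tunnel") and words[:2] == ["tunnel", "destination"]:
            peers["tunnel interface"] = words[2]
    findings = [f"weak algorithm or DH group: {a}" for a in sorted(algos & WEAK)]
    if not has_dpd:
        findings.append("no dpd in the IKEv2 profile, so a dead Umbrella peer goes unnoticed")
    if len(set(peers.values())) != 1:  # keyring, profile and tunnel must name the same DC
        findings.append("peer address mismatch: " + ", ".join(f"{k}={v}" for k, v in sorted(peers.items())))
    return findings
```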
- Snort container: VPG0 (192.168.103.1) to eth1 (192.168.103.2) for management, VPG1 (192.0.2.1) to eth2 (192.0.2.2) for data; LAN G0/1/0 on Vlan 101 (192.168.101.x), WAN G0/0/0 192.168.128.5

Demo topology (SD-WAN)
- VRF 1 (10.8.30.130, gateway .129) traffic is subjected to FW + IPS + URL-F + TLS decryption
- VRF 2 (10.8.40.130, gateway .129) users get Umbrella SIG security
- HQ-destined traffic reaches the data centre applications over SD-WAN

Performance

Catalyst 8000 SD-WAN performance (Miercom verified: http://cs.co/cat8k-miercomreport)
- Branch: Catalyst 8300/8200/8200L Series Edge Platforms
- Aggregation: Catalyst 8500/8500L Series Edge Platforms
- Virtual/NFVIS: Catalyst 8200 Edge uCPE
- 383 Gbps of SD-WAN throughput; industry-leading SD-WAN solution (reference slide)

[Bar chart, reference slide: SD-WAN throughput performance in Gbps for C8500, C8300, C8200L and C8200 uCPE (C8500-20X6C, C8500-12X4QC, C8500L-8S4X, C8300-1N1S-4T2X, C8300-1N1S-6T, C8200L-1N-4T, C8200-UCPE-1N8), two series: IPsec, and IPsec + QoS + DPI + FNF; the top figure is 383.9 Gbps IPsec on the C8500-20X6C. Miercom verified: http://cs.co/cat8k-miercomreport]

Summary

Summary (FYI)
- ZBF: A firewall is a network security device that prevents unauthorized access. It inspects incoming and outgoing traffic based on a set of rules, thereby blocking unauthorized access. Provides stateful firewall and segmentation. Supports VRF and SGT.
- Snort IPS: Snort IPS is the most widely deployed Intrusion Prevention System in the world. The Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on Catalyst 8500L, 8300, 8200, 8000V, ISR 4K, ASR 1K, ISRv and CSR routers. Snort monitors network traffic and analyzes it against a defined rule set, performs attack classification and invokes actions against matched rules. Supports VRF.
- URL-F: This on-box feature enables content filtering based on 82 different categories as well as web reputation score using the BrightCloud database.
- AMP: A SHA256 hash of the file is compared against the Advanced Malware Protection (AMP) cloud server to access its threat intelligence information. The response can be Clean, Unknown or Malicious. If the response is Unknown, and if File Analysis is configured, the file is automatically submitted for further analysis.
- Cisco Umbrella: Cisco Umbrella Integration offers easy-to-manage DNS-layer content filtering based on categories as well as reputation. It prevents branch users and guests from accessing inappropriate content and known malicious sites that might contain malware and other security risks. Supports VRF.
- Umbrella SIG: Tunnels all or selected traffic from a WAN edge to the Umbrella cloud and provides IPS, cloud-delivered firewall, DNS-layer security, CASB, Secure Web Gateway and interactive threat intel.
Use Cases

Branch & aggregation router use case
- Branch (C8300-1N1S-4T2X) with SD-WAN fabric over MPLS, Ethernet and LTE, DIA to Cisco Umbrella, and the on-prem security stack (Ent. FW App Aware, IPS, DNS/web layer security, AMP, URL Filtering). We want to: on-board in bulk, talk to the HQ securely, apply on-prem security, 5 Gbps IQDF throughput, option to add switch modules.
- Aggregation (C8500-12X4QC) in front of the data center. We want to: add 100G port density, implement cloud security, have a small 1RU form factor, minimum 35 Gbps IPsec throughput.

Aggregation router use case
- We want to: add 100G port density, implement cloud security, have a small 1RU form factor, minimum 35 Gbps IPsec throughput
- We need 4 of these: C8500-12X4QC (DIA to the Internet and Cisco Umbrella)

Branch router use case
- We want to: on-board in bulk, talk to the HQ securely, apply on-prem security, min 200 Mbps IQDF throughput, need LTE backup, need WiFi 6
- We need 5000 of these: C1131X-8PLTEPW, on the SD-WAN fabric to head quarters (C8500-20X6C), with the security stack (Ent. FW App Aware, IPS, DNS/web layer security, AMP, URL Filtering)

Resources

Zone Based Firewall resources (FYI)
- ZBF Step-by-Step Guide: http://cs.co/zbf-config
- Zone Based Firewall Deployment Guide
- IOS XE Router Hardening Guide
- YouTube Channel: https://cs.co/CatalystTV

Snort IPS resources (FYI)
- Router Security: Snort IPS Step-by-step Guide: https://cs.co/ips-config
- Snort IPS Troubleshooting Guide
- Snort IPS Data Sheet
- Snort IPS Deployment Guide
- YouTube Channel: https://cs.co/CatalystTV

URL Filtering resources (FYI)
- Configuring Multi-Tenancy for Unified Threat Defense
- Resource Requirements for AppQoE, ThousandEyes & UTD
- URL-F Configuration on C8000V: https://cs.co/c8kv-urlf
- YouTube Channel: https://cs.co/CatalystTV

Advanced Malware Protection and TLS Decryption resources
- Advanced Malware Protection Troubleshooting
- Advanced Malware Protection Integration
- TLS Decryption

Cisco Umbrella resources (FYI)
- Router Security DNS-layer Security Step by Step Configuration: http://cs.co/dns-layer-config
- Cisco Umbrella Integration Troubleshooting
- Cisco Umbrella Configuration Guide
- YouTube Channel: https://cs.co/CatalystTV

IKEv2 IPsec tunnel to Umbrella resources (FYI)
- Router Security IPsec IKEv2 Tunnel to Umbrella: http://cs.co/isr-sig-config
- Umbrella Documentation
- Cisco Umbrella DC Locator
- Cisco Umbrella IPsec Parameters
- YouTube Channel: https://cs.co/CatalystTV

Other resources
- Cisco DNA Software SD-WAN and Routing Licensing
- Packet Tracer
- Protocol Packs Download
- 2 Protocols
- user guide
Product End of Sale / End of Life
- ISR G2 1900, 2900, 3900: End of Sale Dec 9, 2017; end of vulnerability/security support Dec 8, 2020; Last Date of Support (LDoS) Dec 31, 2022; last supported software release IOS 15.7.3M8. Resources: http://cs.co/isr-2900-3900-eos, http://cs.co/isr-1900-eos
- CSR 1000v: End of Sale June 11, 2019; end of vulnerability/security support June 10, 2020; LDoS June 30, 2024; last supported software release IOS XE 17.3.x. Resource: http://cs.co/csr1kv-eos
- ASR1001-X, ASR1002-X, ASR1000-6TGE, ASR1000-2T+20X1GE: End of Sale Aug 1, 2022; end of vulnerability/security support July 31, 2025; LDoS July 31, 2027; last supported software release IOS XE 17.9.x. Resource: http://cs.co/asr1001-1002-eos
- ASR1000-RP2, SPA: End of Sale Aug 15, 2022; end of vulnerability/security support Nov 3, 2023; LDoS Nov 30, 2027; last supported software release IOS XE 17.9.x. Resource: http://cs.co/asr1001-1002-eos
- vEdge-100, vEdge-1000: End of Sale Jan 30, 2021; end of vulnerability/security support Jan 30, 2024; LDoS Jan 31, 2026; last supported software release Viptela 20.6. Resource: http://cs.co/vedge100-1k-eos
- ISRv: End of Sale Dec 16, 2022; end of vulnerability/security support Dec 16, 2023; LDoS Dec 31, 2027; last supported software release IOS XE 17.3.x. Resource: http://cs.co/isrv-eos

Product End of Sale / End of Life (continued)
- vEdge-2000, vEdge-5000: End of Sale Jan 31, 2023; end of vulnerability/security support Sept 30, 2025; LDoS Jan 31, 2028; last supported software release Viptela 20.9. Resource: http://cs.co/vedge2k-5k-eos
- ISR 4000 (ISR4200, ISR4300, ISR4400, except ISR4461): End of Sale Nov 7, 2023; end of vulnerability/security support Nov 30, 2028; LDoS Nov 30, 2028; last supported software release IOS XE 17.9.x, 17.12.x. Resource: http://cs.co/isr4k-eos
- ISR 1000 (C1101, C1109, C111x, C1121, C1121X, only WiFi5 PIDs): End of Sale May 9, 2023; end of vulnerability/security support May 31, 2028; LDoS May 31, 2028; last supported software release IOS XE 17.12. Resource: http://cs.co/isr1k-wifi5-eos
- vEdge Cloud: End of Sale May 2, 2023; end of vulnerability/security support March 31, 2025; LDoS May 31, 2026; last supported software release Viptela 20.9. Resource: http://cs.co/vedgecloud-eos

Solution EoS/EoL
- IWAN: End of Sale Aug 31, 2021; end of vulnerability/security support Aug 31, 2023; LDoS Aug 31, 2026; last supported software release IOS XE 17.3.x. Resource: http://cs.co/iwan-eos
- Prime Infra: End of Sale Sept 29, 2023; end of vulnerability/security support Sept 28, 2025; LDoS Sept 30, 2028. Resource: http://cs.co/prime-infra-eos

Cisco Catalyst SD-WAN rebranding (FYI)
Old name | New name (rebranding), documentation | Displayed on screens | API/CLI documentation
Cisco SD-WAN | Cisco Catalyst SD-WAN | Cisco Catalyst SD-WAN | Cisco Catalyst SD-WAN
vManage | Cisco Catalyst SD-WAN Manager | SD-WAN Manager, Manager | vManage
vAnalytics | Cisco Catalyst SD-WAN Analytics | SD-WAN Analytics, Analytics | vAnalytics
vBond | Cisco Catalyst SD-WAN Validator | SD-WAN Validator, Validator | vBond
vSmart | Cisco Catalyst SD-WAN Controller | SD-WAN Controller, Controller | vSmart
Self Service Portal | Cisco Catalyst SD-WAN Portal | Cisco Catalyst SD-WAN Portal, SD-WAN Portal | Cisco Catalyst SD-WAN Portal
Cloud-Delivered Cisco SD-WAN | Cloud-Delivered Cisco Catalyst SD-WAN | Cloud-Delivered Cisco Catalyst SD-WAN | NA