Other Profile

Information about the Other profile

This section describes the features available in the Other profile.

Cyber Vision

Cisco SD-WAN Manager supports integration with Cisco Cyber Vision, which is a network security solution. Cisco Cyber Vision provides visibility into the security status of your global network, indicates when devices in the network require attention to maintain a secure posture, helps you to configure security policies, and more. The browser-based manager is called Cisco Cyber Vision Center.

See Create a Configuration Group Profile with a Cyber Vision Feature.

Table 1. Name and Description

Field

Description

Name

Name for the Cisco Cyber Vision Center.

Description

Optionally, add a description.
Table 2. Base Configuration

Field

Description

Cyber Vision Center

From the drop-down list, choose a Cisco Cyber Vision Center connection from the list of previously configured connections. See Configure a Connection to a Cisco Cyber Vision Center in the Network Hierarchy.

Monitoring Source Interface

Click Add and enter the interface for the device to use for monitoring traffic. Your choice depends on your network and the traffic that you want the device to monitor.

Examples: VLAN interface, cellular interface, WAN interface

The Advanced Configuration area appears only if you are configuring a Cyber Vision feature for the SD-WAN solution option. It does not appear for the SD-Routing solution option.

The fields in this area are preconfigured to use variables that enable you to enter device-specific information for each device when deploying the configuration group. See Deploy a Configuration Group with a Cisco Cyber Vision Feature. But you can configure global device values instead of using the variables.

Table 3. Advanced Configuration

Field

Description

Capture Interface IP

IP address of the interface that captures the traffic for analysis.

Capture Interface Subnet Mask

Subnet mask for the interface that captures the traffic for analysis.

Collection Interface (Sensor to Center) IP

Enter an IP address for the collection interface that sends the captured traffic to Cisco Cyber Vision Center. Ensure that the IP address is within the subnet mask defined in the Collection Interface Subnet Mask field.

Note

 

For each device connecting to Cisco Cyber Vision Center through the same service VPN, enter a unique collection interface IP address.

It is necessary for each interface within a single service VPN to use a unique IP address.

To view the service VPN configured for communication with Cisco Cyber Vision Center, see Configure a Connection to a Cisco Cyber Vision Center in the Network Hierarchy.

Collection Interface Subnet Mask

Subnet mask for the collection interface that sends the captured traffic to Cisco Cyber Vision Center. The subnet mask defines an address space for the service VPN used for communication between device and Cisco Cyber Vision Center.

VPG5 (Virtual Port Group) IP Address

IP address within the subnet mask defined in the Collection Interface Subnet Mask field. This is an address with the same network as the collection interface.

Note

 

For each device connecting to Cisco Cyber Vision Center through the same service VPN, enter a unique VPG5 IP address.

It is necessary for each interface within a single service VPN to use a unique IP address.

VPG6 (Virtual Port Group) IP Address

This field is preset and not configurable.

SEA

Cisco Secure Equipment Access (SEA) is a solution that provides remote access to network-connected assets. Assets can include anything reachable by IP address, such as servers, industrial internet of things (IIoT) devices, and so on. Integration with Cisco Catalyst SD-WAN enables you to use Cisco SD-WAN Manager to

  • install the SEA agent on devices, such as routers, in the Cisco Catalyst SD-WAN overlay network

  • configure connectivity between the devices in the overlay network and the Cisco Secure Equipment Access cloud portal, and

  • configure how remote assets connect to the devices.

See Create a Configuration Group Profile with an SEA Feature.

Table 4. Name and Description

Field

Description

Name

Name for the feature.

Description

Optionally, add a description.

Configure the connection between the Cisco SEA agent and the physical interface of the host device, using virtual port group (VPG) 7. This is necessary to enable the Cisco SEA agent to reach the Cisco SEA cloud portal.

Table 5. Base Configuration

Field

Description

VPG IP Address

IP address to assign to virtual port group (VPG) 7. This VPG is a virtual link between the Cisco SEA agent and a physical interface of the host device.

Example: 10.100.1.1

Subnet Mask

Subnet mask for VPG interface 7, which connects to the Cisco SEA cloud portal. Together with VPG IP Address, this defines the address space for the VPG 7 network.

Example: 255.255.252.0

SEA Agent IP Address

IP address to assign to the Cisco SEA cloud agent to map it to VPG 7. Enter an address within the address space defined by VPG IP Address and Subnet Mask.

Example: 10.100.1.2

Cloud Interface

This field appears when configuring an SEA feature for use with the SD-Routing solution.

Enter the physical interface that the device uses to connect to the Cisco SEA cloud portal. The interface type can include cellular.

Example: GigabitEthernet0/0/0

Example: Cellular0/1/0

Note

 

For a device that you are configuring for the SD-WAN solution (not the SD-Routing solution), the VPG automatically connects to the host interface used for the control connection between the host device and Cisco SD-WAN Manager.

Optionally, configure one or more asset networks for connectivity to assets.

Table 6. Asset Access Networks (optional)

Field

Description

Add Access Network

Configure connectivity for up to three asset networks, each of which can include more than one asset.

Service VPN

(This field appears when configuring an SEA feature for use with the SD-WAN solution.)

If your assets are distributed across multiple different service VPNs, you may need to add each of the service VPNs here.

Note

 

Configure route leaking to provide connectivity between (a) the service VPN used for connectivity with the Cisco SEA cloud portal, and (b) each service VPN that you configure here.

Asset Interface

(This field appears when configuring an SEA feature for use with the SD-Routing solution.)

Physical interface that the device is using to connect to the asset network.

VPG IP Address

IP address to assign to the VPG interface on the router.

SEA Agent IP Address

IP address to assign to the SEA asset agent for mapping to the respective VPG interface on the router. The address must be within the same network as the asset VPG interface.

Subnet Mask

VPG subnet mask.

Action

A delete option removes a row of the table, removing an asset network configuration.

Configure a DNS server within your network, capable of resolving Cisco SEA portal domain names.

Table 7. Name Servers

Field

Description

Add Name Server

Configure a DNS server within your network, capable of resolving Cisco SEA portal domain names. Click Add Name Server to add a name server.

For information about the Cisco SEA portal domain names, see Network ports and protocols.

This is a mandatory field. If you do not configure a name server, you cannot save the configuration.

Maximum number of name servers: 5

Name Server

IP address of a domain name server.

Action

A delete option removes a row of the table, removing a name server.

ThousandEyes

Cisco ThousandEyes is a SaaS application that provides you an end-to-end view across networks and services that impact your business. It monitors the network traffic paths across internal, external, and carrier networks and the internet in real time to provide network performance data. Cisco ThousandEyes provides intelligent insights into your WAN and the cloud and helps you optimize application delivery and end-user experience.

See Configure Cisco ThousandEyes Enterprise Agent Using a Configuration Group

For each parameter of the feature that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and choose one of the following:

Table 8. Parameters

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco Catalyst SD-WAN device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Cisco Catalyst SD-WAN device to a device template.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

The following table describes the options for configuring the ThousandEyes feature.

Table 9. Settings

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name

Enter a name for the feature.

Description

Enter a description of the feature. The description can contain any characters and spaces.

Account Group Token

Enter the Cisco ThousandEyes Account Group Token.

VPN

Service VPN. The Global or the Device Specific setting indicates service VPN.

When you set the VPN configuration as a Global or a Device Specific setting, enter the ID of the service VPN in which you want to provision the Cisco ThousandEyes Enterprise agent.

Management IP

Enter an IP address for the Cisco ThousandEyes Enterprise agent. This field is available only when you specify the service VPN.

Management Subnet

Choose a subnet mask from the drop-down list for the Cisco ThousandEyes Enterprise agent. This field is available only when you specify the service VPN.

Note

 

This IP-prefix address (Management IP and Management Subnet) must be unique within the fabric and must not overlap with the IP addresses of other branch agents.

Agent Default Gateway

Enter a default gateway address. This IP address is assigned to the virtual port group of the router. This field is available only when you specify the service VPN.

Name Server IP

Enter the IP address of your preferred DNS server.

This server can exist within or outside the Cisco Catalyst SD-WAN fabric but must be reachable from the service VPN.

Host Name

Enter the hostname that the agent must use when registering with the Cisco ThousandEyes portal. By default, the agent uses the hostname of the Cisco IOS XE Catalyst SD-WAN device.

Proxy Type

If the Cisco ThousandEyes Enterprise agent must use proxy server for external access, choose one of the following as proxy type:

  • static

  • pac

  • none

Static proxy settings:

  • Proxy Host: Set the configuration as a Global setting and enter the hostname of the proxy server.

  • Proxy Port: Set the configuration as a Global setting and enter the port number of the proxy server.

PAC settings:

  • PAC URL: Set the configuration as a Global setting and enter the URL of the proxy auto-configuration (PAC) file.

Custom Application

Cisco SD-WAN Manager supports integration with third-party-developed Cisco IOx applications. These are called custom applications, and add functionality to devices that run Cisco Catalyst SD-WAN software.

See Configure third-party custom application integration, high level.

Table 10. Name and Description

Field

Description

Name

Name for the feature.

Description

Optionally, add a description.

The basic settings are mandatory.

Table 11. Basic Settings

Field

Description

Application Name

Enter a name for the custom application. You can use upper- or lower-case letters, but not spaces or special characters.

This name appears as part of the event details on the Monitor > Logs > Events page.

Virtual Image

Choose a custom application image file from the drop-down list.

The list shows custom application images uploaded to the virtual image repository in Maintenance > Software Repository > Virtual Images.

If the custom application has a requirement for network configuration, click Add Configuration and enter the network connectivity details for up to three connections. This configures communication between the Cisco IOx application and

  • the device on which the application is operating, and

  • any external assets, such as a server if the application communicates with a server.

Here are the options for the SD-WAN solution:

Table 12. Network Configuration, SD-WAN Solution

Field

Description

Name

Name describing the entity for which you are configuring connectivity.

Service VPN

Service VPN providing the connectivity between the application and either (a) the device, or (b) an external asset.

VPG IP Address

IP address within the subnet mask defined in the Subnet Mask field for communication between the custom application and a device virtual port group (VPG) interface or external asset.

Application IP Address

IP address to assign to the custom application, for mapping to a VPG interface on the device.

Subnet Mask

Subnet mask for the VPG interface. The subnet mask defines an address space for the service VPN for communication between the custom application and a device VPG interface or external asset.

Action

Provides an option to delete a row.

Here are the options for the SD-Routing solution:

Table 13. Network Configuration, SD-Routing Solution

Field

Description

Network Configuration

Name

Name describing the entity for which you are configuring connectivity.

Communication Interface

Physical or virtual interface providing connectivity between the application and either (a) the device, or (b) an external asset.

Action

Provides an option to delete a row.

Some custom applications require information passed as variables, either global or device-specific. To add variables, click Add Variable and enter the details.

The specifics of the valid key:value pairs depend entirely on the details of the custom application. Consult with the custom application developer for information about configuring variables. Note that these values are case sensitive.

Maximum number of variables: 10

Table 14. Environment Variables

Field

Description

Key

Key name for a variable.

Value

Value of the variable. Choose Device Specific to provide a specific key value for each device.

Action

Provides an option to delete a row.

Some custom applications use data input provided through a serial interface. This option supports any serial port available on the platform.

To add a data source, click Add Data Source and enter the serial port.

Maximum number of serial ports: 7

Table 15. Data Configuration

Field

Description

Serial Line

Enter a serial port available on the device. See the platform documentation for information about serial ports.

Example: /dev/ttySerial

Action

Provides an option to delete a row.

UCSE

Use the UCSE feature to connect a UCS-E interface with a UCS-E server.

See Configure UCSE Using a Configuration Group

Some parameters have a scope drop-down list that enables you to choose Global, Device Specific, or Default for the parameter value. Choose one of the following options, as described in the table below:

Table 16. Parameter

Parameter Scope

Scope Description

Global (Indicated by a globe icon)

Enter a value for the parameter and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Device Specific (Indicated by a host icon)

Use a device-specific value for the parameter.

Choose Device Specific to provide a value for the key in the Enter Key field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the Enter Key field.

Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.

Default (indicated by a check mark)

The default value is shown for parameters that have a default setting.

The following tables describe the options for configuring the UCSE feature.

Table 17. Settings

Field

Description

Type

Choose a feature from the drop-down list.

Feature Name*

Enter a name for the feature. The name can be up to 128 characters and can contain only alphanumeric characters.

Description

Enter a description of the feature. The description can be up to 2048 characters and can contain only alphanumeric characters.

Basic Configuration

Table 18. Basic Configuration

Field

Description

Bay*

 Specify the number for the SAS drive bays. The input value must be an integer.

Slot*

 Specify the slot numbers for the mezzanine adapters. The input value must be an integer.

IMC

Table 19. IMC

Field

Description

Access Port

Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic for only one VLAN.

Not all hardware models have a dedicated access port. See the release notes for your Cisco Catalyst SD-WAN release for the supported hardware.

Available options:

  • Dedicated

  • Shared

    Configure the appropriate port (GE or TE) based on the hardware module.

IPv4 Address*

 Provide the UCS-E management port address.

Default Gateway*

Gateway tracking determine, for static routes, whether the next hop is reachable before adding that route to the device’s route table.

Default: Enabled.

VLAN ID

 Provide the VLAN number, which can be a value from 1 through 4094.

Assign Priority

 Assign the priority.

Advanced Configuration

Table 20. Advanced Configuration

Field

Description

Interface Name*

 Specify the name of the interface.

Layer

 Specify the layer details necessary for traffic exchange between different VLANs.

UCSE Interface VPN

Specify the details of the UCS-E interface VPN.
IPv4 Address

Provide the UCS-E management port address.

TrustSec

Use the TrustSec feature to configure Security Group Tag (SGT) inline tagging and SXP for dynamic IP-SGT binding.

Global

Field

Description

Enable Enforcement

Enable enforcement at a global level.

Device SGT

Enter a value to configure the SGT for packets sent from a device.

Range: 2 to 65519.

Device ID

Enter a TrustSec ID for the device.

This ID must be the same as that in ISE and must not exceed 32 characters.

Device Password

Enter a clean text password for the device with length of 24 characters.

SXP Default

Field

Description

Enable SXP

Enable an SXP connection on the device.

Source IP

Enter an IPv4 address to set up a source IP address for SXP.

Preshared Key

Password

Enter a clean text password for the device with length of 24 characters.

Key chain name

Enter a key chain name that you configured in the Fabric Security feature under System profile.

SXP Connection

Click Add SXP Connection to add a new SXP peer connection details.

Field

Description

(Optional) VPN ID

Enter a VPN or VRF ID for the SXP connection.

Range: 0 to 65527

Peer IP

Configure a peer IPv4 address for SXP.

Source IP

Configure a source IPv4 address for SXP.

Preshared Key

Choose a preshared key type.

Mode

Choose a connection mode. Local refers to the local device, and Peer refers to a peer device.

Mode type

Choose a role for the device.

(Optional) Min. Hold Time

Enter time (in seconds) to configure the minimum hold time for the SXP connection.
(Optional)

Max. Hold Time

Enter time (in seconds) to configure the maximum hold time for the SXP connection.

Advanced

Field

Description

Node ID

Enter a node ID. A node ID is used to identify the individual devices within the network.

Reconciliation Period (seconds)

Enter a time (in seconds) to configure the SXP reconciliation period.

After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes the invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all the entries from the previous connection to be removed.

Retry Period (seconds)

Enter a time (in seconds) to configure the retry period for SXP reconnection.

Speaker Hold Time (Seconds)

Enter time (in seconds) to configure the global hold-time period for a speaker device.

Minimum Listener Hold Time (Seconds)

Enter a time (in seconds) to configure the minimum allowed hold-time period for a listener device.

Maximum Listener Hold Time (Seconds)

Enter a time (in seconds) to configure the maximum allowed hold-time period for a listener device.

Log Binding Changes

Enable logging for IP-to-SGT binding changes.