Skip to content

Cisco SD-WAN

Cloudflare partners with Cisco's SD-WAN solution to provide users with an integrated SASE solution. The Cisco SD-WAN appliances (physical and virtual) manage subnets associated with branch offices and cloud instances. Anycast Tunnels are set up between these SD-WAN edge devices and Cloudflare to securely route Internet-bound traffic. This tutorial describes how to configure the Cisco Catalyst 8000 Edge Platforms (physical or virtual) in the SD-WAN mode for north-south (Internet-bound) use cases.

Prerequisites

Before setting up a connection between Cisco SD-WAN and Cloudflare, you must have:

  • Purchased Magic WAN and Secure Web Gateway.
  • Cloudflare provision Magic WAN and Secure Web Gateway.
  • Received two Cloudflare tunnel endpoints (anycast IP address) assigned to Magic WAN.
  • Cisco SD-WAN appliances (physical or virtual). This ensures specific Internet-bound traffic from the sites' private networks is routed over the anycast GRE tunnels to Secure Web Gateway to enforce a user's specific web access policies.
  • A static IP pair to use with the tunnel endpoints. The static IPs should be /31 addresses separate from the IPs used in the subnet deployment.
  • Release 20.6 Controllers and vEdge Device Builds. You should also pair them with devices that are on at least version Cisco IOS XE SD-WAN 17.6. Refer to Cisco documentation to learn more Cisco softweare versions.

1. Create a SIG template on Cisco vManage

Cisco vManage is Cisco's SD-WAN management tool that is used to manage all the SD-WAN appliances in branch offices.

For this example scenario, a generic template for SIG-Branch was created.

Traffic flow diagram for GRE

To create a Secure Internet Gateway (SIG) using vManage:

  1. From Cisco vManage under Configuration, select Generic and Add Tunnel.
  2. Refer to the table below for the setting fields and their options.
SettingType/Detail
Global TemplateFactory_Default_Global_CISCO_Template
Cisco BannerFactory_Default_Retail_Banner
PolicyBranch-Local-Policy

Transport & Management VPN settings

SettingType/Detail
Cisco VPN 0GCP-Branch-VPN0
Cisco Secure Internet GatewayBranch-SIG-GRE-Template
Cisco VPN Interface EthernetGCP-Branch-Public-Internet-TLOC
Cisco VPN Interface EthernetGCP-VPN0-Interface
Cisco VPN 512Default_AWS_TGW_CSR_VPN512_V01

Basic Information settings

SettingType/Detail
Cisco SystemDefault_BootStrap_Cisco_System_Template
Cisco LoggingDefault_Logging_Cisco_V01
Cisco AAAAWS-Branch-AAA-Template
Cisco BFDDefault_BFD_Cisco-V01
Cisco OMPDefault_AWS_TGW_CSR_OMP_IPv46_...
Cisco SecurityDefault_Security_Cisco_V01

When creating the Feature Template, you can choose values that apply globally or that are device specific. For example, the Tunnel Source IP Address, Interface Name and fields from Update Tunnel are device specific and should be chosen accordingly.

2. Create tunnels in vManage

From vManage, select Configuration > Templates. You should see the newly created template where you will update the device values.

Because the template was created to add GRE tunnels, you only need to update the device values. Note that VPN0 is the default, and the WAN interface used to build the tunnel must be part of VPN0.

Update template fields for GRE tunnel

3. Create tunnels in Cloudflare

Refer to Configure tunnel endpoints for more information on creating a GRE tunnel.

Established GRE tunne in Cloudflash dashboard

4. Define static routes

Refer to Configure static routes for more information on configuring your static routes.

Established GRE static routes in Cloudflare dashboard

5. Validate traffic flow

In the example below, a request for neverssl.com was issued, which has a Cloudflare policy blocking traffic to neverssl.com.

On the client VM (192.168.30.3), a blocked response is visible.

cURL example for a request to neverssl.com

A matching blocked log line is visible from the Cloudflare logs.

A blocked log from Gateway Activity Log in the Cloudflare dashboard

Add new tunnels using IPsec

IPsec tunnels to Cloudflare can only be created on Cisco 8000v in the router mode today. Refer to the Cisco IOS XE for more information.