Solution Workflow
This topic describes how VPN ID context sharing between Catalyst SD-WAN and Secure Access works.
- Catalyst SD-WAN Manager integrates with Cisco Secure Access using SSE cloud credentials.
- Cisco Secure Access learns VPN identities using APIs (out-of-band).
- In Catalyst SD-WAN Manager, the Secure Service Edge policy group is configured to share VPN context in IPsec tunnels.
- Once the tunnels are up, VPN ID context is shared in the IPsec metadata header inline.
- VPN identities are leveraged in Secure Access internet access rules.
- Packets with VPN ID context are then subject to Secure Access policy match as source objects.
IMPORTANT: VPN ID context sharing is optional. Be aware that if the same VPN ID (VPN 88 for example) is assigned across different branches, then traffic coming into Secure Access from these branches is subject to the same policy. A Secure Access policy rule cannot differentiate traffic between branches using the same VPN ID.
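The workflow above ends with Secure Access matching traffic against rules whose source object is a VPN ID, and the note warns that a VPN ID reused across branches collapses those branches onto one policy. The following Python model, added here as an illustration and not taken from Cisco software or the IPsec metadata format, does two things: it flags VPN IDs that are assigned in more than one branch before context sharing is enabled, and it evaluates a simplified rule table keyed on VPN ID to show that the branch of origin plays no part in the match. The branch-to-VPN mapping and the rule table are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: branch name -> VPN IDs carried in its SSE tunnels.
# VPN 88 is deliberately assigned in two branches to reproduce the caveat.
BRANCH_VPNS = {
    "branch-a": {10, 88},
    "branch-b": {20, 88},
    "branch-c": {30},
}

# Simplified model of Secure Access internet access rules whose source object
# is a VPN ID (constructed; first match wins, no match falls to "default").
RULES = [
    {"name": "vpn88-restricted", "source_vpn": 88, "action": "block"},
    {"name": "vpn10-allow", "source_vpn": 10, "action": "allow"},
]


def shared_vpn_ids(branch_vpns):
    """Return {vpn_id: [branches]} for every VPN ID used by more than one branch.

    Run this against the intended segmentation plan before enabling VPN
    context sharing: every entry returned is a set of branches that Secure
    Access will treat identically.
    """
    owners = defaultdict(set)
    for branch, vpns in branch_vpns.items():
        for vpn in vpns:
            owners[vpn].add(branch)
    return {vpn: sorted(b) for vpn, b in owners.items() if len(b) > 1}


def match_rule(rules, vpn_id):
    """First rule whose source object equals the packet's VPN ID context.

    The branch that originated the packet is intentionally not an input:
    in the shared-context model only the VPN ID travels with the packet.
    """
    for rule in rules:
        if rule["source_vpn"] == vpn_id:
            return rule["name"], rule["action"]
    return None, "default"


def policy_by_branch(branch_vpns, rules):
    """Map (branch, vpn_id) -> applied rule, to review the effect per branch."""
    return {
        (branch, vpn): match_rule(rules, vpn)
        for branch, vpns in branch_vpns.items()
        for vpn in sorted(vpns)
    }


if __name__ == "__main__":
    for vpn, branches in shared_vpn_ids(BRANCH_VPNS).items():
        print(f"VPN {vpn} is shared by {branches}: same Secure Access policy applies")
    for (branch, vpn), (name, action) in policy_by_branch(BRANCH_VPNS, RULES).items():
        print(f"{branch} VPN {vpn}: rule={name} action={action}")
```

With the sample data, `shared_vpn_ids` reports VPN 88 under both branch-a and branch-b, and `policy_by_branch` shows both receiving the `vpn88-restricted` block rule, while VPN 30 in branch-c matches nothing and falls to the default. Keeping VPN IDs unique per branch, or accepting that a shared ID means a shared policy, is the planning decision this check surfaces.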
Related Information
Cisco Catalyst SD-WAN Getting Started Guide
Cisco Catalyst SD-WAN Security Configuration Guide
Cisco Catalyst SD-WAN Segmentation Configuration Guide