Global SIG Credentials Template
Minimum supported release: Cisco vManage Release 20.9.1
In Cisco vManage Release 20.8.x and earlier releases, you must create a Cisco SIG Credentials template for a SIG provider (Cisco Umbrella or Zscaler) for each Cisco IOS XE Catalyst SD-WAN device model that you wish to connect to the SIG.
From Cisco vManage Release 20.9.1, create a single global Cisco SIG Credentials template for a SIG provider (Cisco Umbrella or Zscaler) and attach the template to the required Cisco IOS XE Catalyst SD-WAN devices, irrespective of the device model. When you attach a Cisco SIG feature template that configures automatic SIG tunnels to a device template, Cisco SD-WAN Manager automatically attaches the applicable global SIG Credentials template to the device template.
The Cisco IOS XE Catalyst SD-WAN devices of your organization connect to Cisco Umbrella or Zscaler using a common organization account with the SIG provider. As such, it is beneficial to configure the organization account credentials on the devices through a global template. When you modify the Cisco Umbrella or Zscaler credentials, update only one global template for the modified credentials to take effect on the attached Cisco IOS XE Catalyst SD-WAN devices.
High Availability and Load Balancing
When you connect a Cisco Catalyst SD-WAN edge device to Cisco Umbrella, Zscaler, or a third-party SIG, you can connect the device to a primary data center and a secondary data center. Also, you can provision more than one tunnel to each data center.
Active Tunnels: You can provision up to four IPSec tunnels to the primary data center. These tunnels serve as active tunnels, and when two or more active tunnels are provisioned, the traffic toward the SIG is distributed among these tunnels, increasing the available bandwidth toward the SIG. From Cisco IOS XE Release 17.4.1 and Cisco vManage Release 20.4.1, you can distribute the traffic equally among the active tunnels to achieve an equal-cost multi-path (ECMP) distribution, or assign different weights to the active tunnels so that some tunnels carry more traffic toward the SIG than the others.
Back-up Tunnels: You can provision up to four IPSec tunnels to the secondary data center, one for each active tunnel that you have provisioned to the primary data center. These tunnels to the secondary data center serve as back-up tunnels. When an active tunnel fails, the traffic toward the SIG is sent through the corresponding back-up tunnel. When you provision two or more back-up tunnels, the traffic toward the SIG is distributed among these tunnels, increasing the available bandwidth toward the SIG. From Cisco IOS XE Release 17.4.1 and Cisco vManage Release 20.4.1, you can distribute the traffic equally among the back-up tunnels to achieve an ECMP distribution, or assign different weights to the back-up tunnels so that some tunnels carry more traffic toward the SIG than the others.
By provisioning two or more active tunnels and distributing the traffic among them, while not provisioning any back-up tunnels, you can create an active-active setup. By provisioning a back-up tunnel for each active tunnel, you can create an active-back-up setup.
Load Sharing Among Tunnels
When you connect a Cisco Catalyst SD-WAN edge device to a SIG and redirect internet-bound traffic to the SIG, any traffic from the branch that is destined for a public IP address passes through the SIG. If you have provisioned more than one tunnel to carry traffic to the SIG, Cisco Express Forwarding (CEF) may map different traffic flows from the same source IP address, and with different public IP address destinations, to different SIG tunnels.
Source-Only Load Sharing: From Cisco IOS XE Release 17.8.1a and Cisco vManage Release 20.8.1, you can configure the traffic from a particular source IP address to be sent to the SIG over only one of the tunnels, irrespective of the destination public IP address. Cisco Express Forwarding (CEF) maps each source IP address to one of the tunnels, distributing traffic from different source IP addresses among the tunnels. For more information, see Configure Source-Only Load Sharing.
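The difference between the default per-flow mapping and source-only load sharing, together with weighted distribution, can be modelled in a few lines. This is an added example, not Cisco code: the SHA-256 bucket selection stands in for the CEF hash (which it does not reproduce), and the tunnel names, addresses and weights are constructed sample values.

```python
import hashlib
from collections import Counter

# Constructed sample data: branch hosts and public destinations (documentation ranges).
SOURCES = [f"10.1.1.{i}" for i in range(1, 51)]
DESTS = [f"203.0.113.{i}" for i in range(1, 41)]
ECMP = [("tunnel-1", 1), ("tunnel-2", 1)]        # equal weights
WEIGHTED = [("tunnel-1", 3), ("tunnel-2", 1)]    # tunnel-1 carries more traffic


def pick_tunnel(src, dst, tunnels, source_only=False):
    """Return the tunnel name a flow maps to.

    tunnels is a list of (name, weight) pairs. SHA-256 over the key is a
    stand-in for the forwarding hash; it is not the algorithm CEF uses.
    """
    if not 1 <= len(tunnels) <= 4:  # the page allows up to four active tunnels
        raise ValueError("expected one to four active tunnels")
    # A tunnel with weight w owns w buckets, so it receives w shares of the keys.
    buckets = [name for name, weight in tunnels for _ in range(weight)]
    # Source-only keys on the source address alone; the default keys on the flow.
    key = src if source_only else f"{src}>{dst}"
    digest = hashlib.sha256(key.encode()).digest()
    return buckets[int.from_bytes(digest[:8], "big") % len(buckets)]


def tunnels_for_source(src, dsts, tunnels, source_only):
    """Set of tunnels that one source's flows are spread over."""
    return {pick_tunnel(src, d, tunnels, source_only) for d in dsts}


def traffic_share(srcs, dsts, tunnels, source_only=False):
    """Fraction of all (src, dst) flows carried by each tunnel."""
    counts = Counter(pick_tunnel(s, d, tunnels, source_only)
                     for s in srcs for d in dsts)
    total = len(srcs) * len(dsts)
    return {name: counts[name] / total for name, _ in tunnels}


if __name__ == "__main__":
    host = SOURCES[0]
    print("per-flow   :", sorted(tunnels_for_source(host, DESTS, ECMP, False)))
    print("source-only:", sorted(tunnels_for_source(host, DESTS, ECMP, True)))
    print("weighted   :", traffic_share(SOURCES, DESTS, WEIGHTED))
```

With source-only keying, every flow from one branch host lands on a single tunnel, while different hosts are still spread across the tunnels.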
Support for Layer 7 Health Check
You can monitor the health of tunnels towards the SIG using trackers attached to the tunnels. These trackers are used to automatically fail over to backup tunnels based on the health of the tunnel.
While creating automatic tunnels, Cisco SD-WAN Manager creates and attaches a default tracker with default values for failover parameters. However, you can also create customized trackers with failover parameter values that suit your SLA requirements.