7.11 SASE Integration with SD-Access¶
Document Information¶
| Item | Details |
|---|---|
| Organization | Abhavtech.com |
| Domain | abhavtech.com |
| Version | 2.0 |
| Last Updated | December 2025 |
1. SASE Architecture Overview¶
1.1 Cisco SASE Components¶
┌─────────────────────────────────────────────────────────────────────┐
│ Abhavtech SASE Architecture │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────┐ │
│ │ Cisco Secure Access │ │
│ │ (SSE Platform) │ │
│ ├─────────────────────┤ │
│ │ • ZTNA │ │
│ │ • SWG │ │
│ │ • CASB │ │
│ │ • FWaaS │ │
│ │ • DNS Security │ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌─────────────────────────┼─────────────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ Remote │ │ Branch │ │ Campus │ │
│ │ Users │ │ Offices │ │ Users │ │
│ │ │ │ │ │ │ │
│ │ Secure │ │ Catalyst │ │ SD-Access │ │
│ │ Client │ │ SD-WAN │ │ Fabric │ │
│ └───────────┘ └───────────┘ └───────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
1.2 Integration Points¶
| Integration | Source | Destination | Data Exchanged |
|---|---|---|---|
| SGT Sync | ISE | Secure Access | Security Group Tags |
| User Identity | ISE | Secure Access | Username, Groups |
| Device Posture | ISE | Secure Access | Compliance Status |
| Threat Intel | XDR | ISE | IOCs, Threat Scores |
| VPN Context | SD-WAN | Secure Access | VRF, Site Info |
2. Cisco Secure Access Integration¶
2.1 ISE to Secure Access Configuration¶
Step 1: Enable pxGrid Cloud on ISE
Administration → pxGrid Services → Settings → pxGrid Cloud
☑ Enable pxGrid Cloud
Primary Node: NJ-ISE-PXG-01.abhavtech.com
Step 2: Configure Secure Access Integration
Cisco Secure Access Dashboard → Settings → Integrations
Add Integration:
Type: Cisco ISE
Name: Abhavtech-ISE-Production
Connection:
ISE Primary: nj-ise-01.abhavtech.com
ISE Secondary: lon-ise-01.abhavtech.com
Authentication: pxGrid Cloud
Data Sync:
☑ Security Group Tags (SGT)
☑ User/Device Sessions
☑ Endpoint Attributes
☑ Authorization Results
2.2 SGT Policy Synchronization¶
SGT_Sync_Configuration:
ISE_to_Secure_Access:
Sync_Interval: Real-time (pxGrid)
SGT_Mapping:
Employee-Full (10) → Employee-Internet-Access
Executive (11) → Executive-Full-Access
Contractor (15) → Contractor-Limited
Guest (40) → Guest-Internet-Only
IoT-Sensor (50) → IoT-Restricted
Policy_Enforcement:
Location: Secure Access Cloud
Action: Apply web/app policies based on SGT
2.3 ZTNA Configuration for Private Apps¶
Secure Access Dashboard → Resources → Private Resources
Add Private Resource:
Name: Abhavtech-SAP-ERP
Type: Web Application
Connection:
URL: https://sap.abhavtech.com
SD-WAN Tunnel: Abhavtech-NJ-Tunnel
Access Policy:
Allowed SGTs:
☑ Employee-Full (10)
☑ Executive (11)
☑ Finance (13)
Device Requirements:
☑ Managed Device Required
☑ Posture Compliant
MFA: Required (Duo Integration)
3. SD-WAN Integration¶
3.1 Catalyst SD-WAN to Secure Access¶
┌─────────────────────────────────────────────────────────────────────┐
│ SD-WAN to Secure Access Integration │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Branch Site Secure Access │
│ ┌───────────────┐ ┌───────────────┐ │
│ │ Catalyst Edge │ │ SIG PoP │ │
│ │ (C8300/C8200) │══IPsec/GRE═▶│ (Regional) │ │
│ │ │ │ │ │
│ │ VRF: CORP │ │ SWG │ │
│ │ VRF: GUEST │ │ FWaaS │ │
│ │ VRF: IOT │ │ CASB │ │
│ └───────────────┘ └───────┬───────┘ │
│ │ │
│ ▼ │
│ ┌───────────────┐ │
│ │ Internet │ │
│ │ SaaS Apps │ │
│ │ Cloud │ │
│ └───────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
3.2 SD-WAN Manager Configuration¶
! Catalyst SD-WAN Manager → Administration → Settings → Secure Access
Secure Access Integration:
Organization ID: abhavtech-org
API Key: ****************************
Tunnel Configuration:
Primary PoP: US-East (Ashburn)
Secondary PoP: EU-West (London)
Tunnel Type: IPsec
Traffic Steering:
Policy: ABHAVTECH-SIG-POLICY
Match: All Internet-bound traffic
Action: Redirect to Secure Access
3.3 VRF-Aware Tunnel Template¶
! Feature Template: Secure-Access-SIG-Tunnel
vpn 1
name VN_CORPORATE
interface sig0
tunnel-interface
color sig
no allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
allow-service sshd
encapsulation ipsec
sig tunnel-set secure-access-set
sig tunnel sig-tunnel-1
tracker sig-health-check
!
4. Remote User Access¶
4.1 Secure Client ZTNA Module¶
Secure_Client_Deployment:
Modules:
- AnyConnect VPN (legacy sites)
- ZTNA (Secure Access)
- Umbrella Roaming Security
- Secure Endpoint (AMP)
- Posture (ISE)
ZTNA_Configuration:
Organization: abhavtech.com
Enrollment: Device Trust Certificate
Access_Method:
Primary: ZTNA (clientless where possible)
Fallback: Full tunnel VPN
Split_Tunnel:
Mode: Dynamic Split Exclude
Exclude: O365, Teams (direct)
4.2 Experience Insights (ThousandEyes)¶
Secure Access → Experience Insights
Dashboard Metrics:
┌────────────────────────────────────────────────────────────┐
│ User Experience Summary - Abhavtech │
├────────────────────────────────────────────────────────────┤
│ │
│ Remote Users: 3,456 │
│ Average Latency: 45ms │
│ Page Load Time: 1.2s │
│ Application Score: 92/100 │
│ │
│ Top Issues: │
│ 1. DNS resolution delay (Mumbai ISP) │
│ 2. TLS handshake latency (EU users) │
│ │
└────────────────────────────────────────────────────────────┘
5. Security Policy Unification¶
5.1 Unified Policy Framework¶
┌─────────────────────────────────────────────────────────────────────┐
│ Unified Policy Architecture │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ │
│ │ Policy Admin │ │
│ │ (Secure Access│ │
│ │ Dashboard) │ │
│ └────────┬────────┘ │
│ │ │
│ ┌────────────────┼────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Web Policy │ │ App Policy │ │ Data Policy │ │
│ ├──────────────┤ ├──────────────┤ ├──────────────┤ │
│ │ URL Filter │ │ ZTNA Rules │ │ DLP Rules │ │
│ │ Content Cat │ │ SaaS Access │ │ CASB │ │
│ │ SSL Inspect │ │ Private Apps │ │ Shadow IT │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │ │ │ │
│ └────────────────┼────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ Enforcement │ │
│ │ • Cloud (SSE) │ │
│ │ • Network (SDA) │ │
│ │ • Endpoint │ │
│ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
5.2 Web Security Policy (SWG)¶
Web_Security_Policy:
Name: Abhavtech-Web-Policy
Rules:
- Name: Block-Malware
Category: Malware, Phishing, C2
Action: Block
Log: Yes
- Name: Block-Adult-Content
Category: Adult, Gambling, Violence
Action: Block
Log: Yes
- Name: Coaching-Social-Media
Category: Social Networking
Action: Warn
Message: "Social media access is monitored"
- Name: Allow-Business
Category: Business, Technology
Action: Allow
SSL_Inspection: Enabled
6. Context Sharing¶
6.1 ISE to Secure Access Context¶
Data Flow:
ISE → pxGrid → pxGrid Cloud → Secure Access
Shared Context:
├── User Identity
│ ├── Username
│ ├── AD Groups
│ └── Department
├── Device Context
│ ├── MAC Address
│ ├── Device Type
│ ├── Posture Status
│ └── MDM Compliance
├── Network Context
│ ├── SGT Assignment
│ ├── VN/VRF
│ ├── Authentication Method
│ └── Location
└── Session Context
├── Session ID
├── Start Time
└── NAS IP
6.2 Threat Context Sharing¶
XDR → ISE Integration:
Threat Detection:
Source: Cisco XDR
Trigger: Threat score > 80
Response Flow:
1. XDR detects threat on endpoint
2. Context shared via pxGrid to ISE
3. ISE issues CoA to quarantine
4. Secure Access blocks user sessions
5. SOC alert generated
Configuration:
Administration → Threat Centric NAC → Adapters → Cisco XDR
Adapter Settings:
Name: Abhavtech-XDR
Host: api.xdr.cisco.com
API Key: ************************
Response Actions:
Quarantine SGT: 999 (Quarantine)
VLAN: 999 (Quarantine VLAN)
7. Deployment Architecture¶
7.1 Regional Deployment¶
| Region | Secure Access PoP | SD-WAN Hub | ISE PSN |
|---|---|---|---|
| APAC | Singapore, Mumbai | Mumbai | MUM-ISE-PSN-01/02 |
| EMEA | London, Frankfurt | London | LON-ISE-PSN-01/02 |
| AMER | Ashburn, Dallas | New Jersey | NJ-ISE-PSN-01/02 |
7.2 Traffic Flow¶
User Request Flow:
1. Campus User (SD-Access)
User → Edge Node → Border → Internet (via Secure Access)
2. Branch User (SD-WAN)
User → SD-WAN Edge → SIG Tunnel → Secure Access → Internet
3. Remote User (ZTNA)
User → Secure Client → ZTNA → Secure Access → Private App/Internet
8. Monitoring and Visibility¶
8.1 Unified Dashboard¶
Secure Access Dashboard → Overview
Abhavtech SASE Summary:
┌──────────────────────────────────────────────────────────────┐
│ Security Events (24h) │ User Activity │
├─────────────────────────────────┼────────────────────────────┤
│ Threats Blocked: 1,234 │ Active Users: 8,456 │
│ Policy Violations: 456 │ Apps Accessed: 234 │
│ Data Policy: 89 │ Data Transferred: 2.3 TB │
│ DNS Blocks: 12,345 │ Peak Concurrent: 5,678 │
└─────────────────────────────────┴────────────────────────────┘
│ Top Blocked Destinations │ Top Applications │
├─────────────────────────────────┼────────────────────────────┤
│ 1. malware-domain.com (blocked) │ 1. Microsoft 365 (45%) │
│ 2. phishing-site.net (blocked) │ 2. Salesforce (15%) │
│ 3. gambling.com (policy) │ 3. SAP (12%) │
└─────────────────────────────────┴────────────────────────────┘
Document Version: 2.0 Abhavtech.com - SD-Access Implementation