Prisma Access
Cisco Catalyst SD-WAN Solution Guide
The following sections describe how you secure a Cisco Catalyst SD-WAN with Prisma
Access to provide next-generation security.
Supported IKE and IPSec Cryptographic Profiles
The following table documents the IKE/IPSec crypto settings that Prisma Access supports with Cisco Catalyst SD-WAN (formerly Viptela SD-WAN) devices. Use the recommended settings when you onboard a remote network and define the IKE and IPSec cryptographic settings for the connection between Prisma Access and the Cisco Catalyst SD-WAN device.
A check mark (√) indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Category | Crypto Profile | Prisma Access | Cisco Catalyst SD-WAN
---|---|---|---
Tunnel Type | IPSec Tunnel | √ | √
Tunnel Type | GRE Tunnel | — | √
Routing | Static Routes | √ | √
Routing | Dynamic Routing (BGP) | √ | —
Routing | Dynamic Routing (OSPF) | — | —
IKE Versions | IKE v1 | √ | √
IKE Versions | IKE v2 | √ | √
IPSec Phase 1 DH-Group | Group 1 | √ | —
IPSec Phase 1 DH-Group | Group 2 | √ (Default) | √
IPSec Phase 1 DH-Group | Group 5 | √ | —
IPSec Phase 1 DH-Group | Group 14 | √ | √
IPSec Phase 1 DH-Group | Group 15 | — | √
IPSec Phase 1 DH-Group | Group 16 | — | √ (Default)
IPSec Phase 1 DH-Group | Group 19 | √ | —
IPSec Phase 1 DH-Group | Group 20 | √ (Recommended) | —
IPSec Phase 1 Auth (see note below) | MD5 | √ | —
IPSec Phase 1 Auth (see note below) | SHA1 | √ (Default) | √
IPSec Phase 1 Auth (see note below) | SHA256 | √ | —
IPSec Phase 1 Auth (see note below) | SHA384 | √ | —
IPSec Phase 1 Auth (see note below) | SHA512 | √ (Recommended) | —
IPSec Phase 1 Encryption | DES | √ | —
IPSec Phase 1 Encryption | 3DES | √ (Default) | —
IPSec Phase 1 Encryption | AES-128-CBC | √ (Default) | √
IPSec Phase 1 Encryption | AES-192-CBC | √ | —
IPSec Phase 1 Encryption | AES-256-CBC | √ (Recommended) | √ (Default)
IPSec Phase 1 Key Lifetime | Default | √ (8 Hours) | √ (4 Hours)
IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | √
IPSec Phase 1 Peer Authentication | Certificate | √ | —
IKE Peer Identification | FQDN | √ | √
IKE Peer Identification | IP Address | √ | √ (Default)
IKE Peer Identification | User FQDN | √ | √
IKE Peer | As Static Peer | √ | √
IKE Peer | As Dynamic Peer | √ | —
Options | NAT Traversal | √ | √
Options | Passive Mode | √ | —
Ability to Negotiate Tunnel | Per Subnet Pair | √ | —
Ability to Negotiate Tunnel | Per Pair of Hosts | √ | —
Ability to Negotiate Tunnel | Per Gateway Pair | √ | √
IPSec Phase 2 DH-Group | Group 1 | √ | —
IPSec Phase 2 DH-Group | Group 2 | √ (Default) | √ (Default)
IPSec Phase 2 DH-Group | Group 5 | √ | —
IPSec Phase 2 DH-Group | Group 14 | √ | —
IPSec Phase 2 DH-Group | Group 15 | — | √
IPSec Phase 2 DH-Group | Group 16 | — | √ (Default)
IPSec Phase 2 DH-Group | Group 19 | √ | —
IPSec Phase 2 DH-Group | Group 20 | √ (Recommended) | —
IPSec Phase 2 DH-Group | No PFS | √ | √
IPSec Phase 2 Auth | MD5 | √ | —
IPSec Phase 2 Auth | SHA1 | √ (Default) | √ (Default)
IPSec Phase 2 Auth | SHA256 | √ | —
IPSec Phase 2 Auth | SHA384 | √ | —
IPSec Phase 2 Auth | SHA512 | √ (Recommended) | —
IPSec Phase 2 Auth | None | √ | —
IPSec Phase 2 Encryption | DES | √ | —
IPSec Phase 2 Encryption | 3DES | √ (Default) | —
IPSec Phase 2 Encryption | AES-128-CBC | √ (Default) | —
IPSec Phase 2 Encryption | AES-192-CBC | √ | —
IPSec Phase 2 Encryption | AES-256-CBC | √ | √
IPSec Phase 2 Encryption | AES-128-CCM | √ | —
IPSec Phase 2 Encryption | AES-128-GCM | √ | —
IPSec Phase 2 Encryption | AES-256-GCM | √ (Recommended) | √ (Default)
IPSec Phase 2 Encryption | NULL | √ | √
IPSec Protocol | ESP | √ | √
IPSec Protocol | AH | √ | —
IPSec Phase 2 Key Lifetime | Default | √ (1 Hour) | √ (1 Hour)
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √
Tunnel Monitoring Fallback | ICMP | — | —
Tunnel Monitoring Fallback | Bidirectional Forwarding Detection (BFD) | — | —
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | NA | √
SD-WAN Architecture Type | No Regional Hub/Gateway/Data Center | NA | √

Note on IPSec Phase 1 Auth: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
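The matrix is only useful when both ends of the tunnel are checked together: an option that is Recommended on Prisma Access may be a dash on the Cisco side. The Python below is an added example, not Palo Alto Networks or Cisco code. It transcribes the crypto rows of the table into a support matrix, computes the strongest option both sides support in each category, and reviews a proposed profile for options one side rejects, for weak options, and for the IKEv2/certificate SHA1 caveat from the table. The strength ordering (PREFERENCE), the weak-option list (WEAK) and the sample profile (PROPOSED) are this example's own assumptions; the page only marks Default and Recommended.

```python
"""Check a proposed Prisma Access <-> Cisco Catalyst SD-WAN IKE/IPSec profile
against the support matrix on this page.

Added example, not Palo Alto Networks or Cisco code. MATRIX transcribes the
crypto rows of the table above; PREFERENCE, WEAK and PROPOSED are this
example's own assumptions (a review policy and a constructed sample).
"""

OK, DEFAULT, REC = "ok", "default", "recommended"

# category -> option -> (Prisma Access, Cisco Catalyst SD-WAN); None = dash.
MATRIX = {
    "ike_version": {"IKE v1": (OK, OK), "IKE v2": (OK, OK)},
    "phase1_dh": {"Group 1": (OK, None), "Group 2": (DEFAULT, OK),
                  "Group 5": (OK, None), "Group 14": (OK, OK),
                  "Group 15": (None, OK), "Group 16": (None, DEFAULT),
                  "Group 19": (OK, None), "Group 20": (REC, None)},
    "phase1_auth": {"MD5": (OK, None), "SHA1": (DEFAULT, OK),
                    "SHA256": (OK, None), "SHA384": (OK, None),
                    "SHA512": (REC, None)},
    "phase1_enc": {"DES": (OK, None), "3DES": (DEFAULT, None),
                   "AES-128-CBC": (DEFAULT, OK), "AES-192-CBC": (OK, None),
                   "AES-256-CBC": (REC, DEFAULT)},
    "peer_auth": {"Pre-Shared Key": (OK, OK), "Certificate": (OK, None)},
    "phase2_dh": {"Group 1": (OK, None), "Group 2": (DEFAULT, DEFAULT),
                  "Group 5": (OK, None), "Group 14": (OK, None),
                  "Group 15": (None, OK), "Group 16": (None, DEFAULT),
                  "Group 19": (OK, None), "Group 20": (REC, None),
                  "No PFS": (OK, OK)},
    "phase2_auth": {"MD5": (OK, None), "SHA1": (DEFAULT, DEFAULT),
                    "SHA256": (OK, None), "SHA384": (OK, None),
                    "SHA512": (REC, None), "None": (OK, None)},
    "phase2_enc": {"DES": (OK, None), "3DES": (DEFAULT, None),
                   "AES-128-CBC": (DEFAULT, None), "AES-192-CBC": (OK, None),
                   "AES-256-CBC": (OK, OK), "AES-128-CCM": (OK, None),
                   "AES-128-GCM": (OK, None), "AES-256-GCM": (REC, DEFAULT),
                   "NULL": (OK, OK)},
    "protocol": {"ESP": (OK, OK), "AH": (OK, None)},
}

# Strongest first; one shared ordering serves every category (assumption).
PREFERENCE = [
    "IKE v2", "IKE v1",
    "Group 20", "Group 19", "Group 16", "Group 15", "Group 14", "Group 5",
    "Group 2", "Group 1", "No PFS",
    "SHA512", "SHA384", "SHA256", "SHA1", "MD5", "None",
    "AES-256-GCM", "AES-256-CBC", "AES-128-GCM", "AES-128-CCM", "AES-192-CBC",
    "AES-128-CBC", "3DES", "DES", "NULL",
    "Certificate", "Pre-Shared Key", "ESP", "AH",
]

# Flagged even when both sides accept them (assumption: this example's policy).
WEAK = {"DES", "3DES", "MD5", "NULL", "None", "No PFS",
        "Group 1", "Group 2", "Group 5"}


def mutual_options(category):
    """Options supported on both sides, strongest first."""
    both = [o for o, (pa, sd) in MATRIX[category].items() if pa and sd]
    return sorted(both, key=PREFERENCE.index)


def strongest_mutual_profile():
    """Strongest mutually supported choice in every category."""
    return {cat: mutual_options(cat)[0] for cat in MATRIX}


def check_profile(profile):
    """Return (category, option, message) findings; an empty list is clean."""
    findings = []
    for cat, choice in profile.items():
        row = MATRIX.get(cat, {}).get(choice)
        if row is None:
            findings.append((cat, choice, "not in the support matrix"))
            continue
        pa, sd = row
        if pa is None:
            findings.append((cat, choice, "not supported on Prisma Access"))
        if sd is None:
            findings.append((cat, choice, "not supported on Cisco Catalyst SD-WAN"))
        if choice in WEAK:
            best = mutual_options(cat)[0]
            msg = ("weak, but the strongest option both sides support"
                   if best == choice else f"weak; both sides support {best}")
            findings.append((cat, choice, msg))
    # Caveat from the table: with IKEv2 and certificate-based authentication,
    # SHA1 is the only Phase 1 auth option.
    if (profile.get("ike_version") == "IKE v2"
            and profile.get("peer_auth") == "Certificate"
            and profile.get("phase1_auth") not in (None, "SHA1")):
        findings.append(("phase1_auth", profile["phase1_auth"],
                         "IKEv2 with certificate auth supports only SHA1 in Phase 1"))
    return findings


# Constructed sample: each side's own defaults, picked without looking at
# the other side.
PROPOSED = {"ike_version": "IKE v2", "phase1_dh": "Group 2",
            "phase1_auth": "SHA256", "phase1_enc": "3DES",
            "peer_auth": "Pre-Shared Key", "phase2_dh": "Group 20",
            "phase2_auth": "SHA1", "phase2_enc": "AES-256-GCM",
            "protocol": "ESP"}

if __name__ == "__main__":
    for cat, opt, msg in check_profile(PROPOSED):
        print(f"{cat}: {opt}: {msg}")
    print("strongest mutual profile:", strongest_mutual_profile())
```

Running it against PROPOSED reports five findings (SHA256, 3DES and Group 20 are dashes on the Cisco side; Group 2 and 3DES are weak, with Group 14 and AES-256-CBC named as the mutually supported replacements). The strongest mutual profile it derives still contains SHA1 for both phases and Group 2 for Phase 2 PFS, because per the table those are the only authentication and PFS options the Cisco Catalyst SD-WAN side shares with Prisma Access; the check therefore reports Group 2 as weak but unavoidable rather than suggesting a replacement that the peer would reject.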