SASE Visibility with Cisco ThousandEyes


Cisco SASE Solution


SASE Visibility with Cisco ThousandEyes

The following post discusses SASE visibility for the Cisco SASE solution, known as Cisco Umbrella SASE with Cisco ThousandEyes. Combining Cisco ThousandEyes with your SASE VPN gives you end-to-end visibility into the SASE security stacks and all network paths, including any nodes. All of which can be consumed from Cisco ThousandEyes, enabling a proactive approach to monitoring your SASE solution, a bundle of components. 

The following post aims to help you gain valuable insights and will guide you into deploying the correct network visibility and Observability into your Cisco SASE solution. Cisco ThousandEyes has several agent deployment models that you can use depending if you want visibility into remote workers or users at the branch site or even agent-to-agent testing.

Remember that ThousandEyes is not just for a Cisco SASE solution; it has multiple monitoring use cases. Cisco Umbrella SASE is just one of them. ThousandEyes also has good integrations with Cisco AppDynamics for full-stack end-to-end Observability. First, let’s do a quick recap on the SASE definition.


Preliminary Information: Useful Links to Relevant Content

Before you proceed, you may find the following posts helpful:

  1. Zero Trust SASE
  3. SASE Solution
  4. Dropped Packet Test
  5. Secure Firewall


Cisco Umbrella SASE

Key SASE Visibility Discussion Points:

  • Introduction to SASE visibility and what is involved.

  • Highlighting the details of the challenging landscape. Nothing is in your control.

  • Technical details on the issues of Internet stability and cloud connectivity.

  • Scenario: Monitoring the SD-WAN underlay and overlay. Cisco SASE solution.

  • Details on monitoring remote works and branch office locations. SASE VPN.

  • Discussion on Cisco ThousandEyes agent deployment model.


A Key Point: Knowledge Check 

  • A key point: Recap on Cisco SASE Solution with Cisco Umbrella SASE

Cisco Umbrella SASE provides recursive DNS services and helps organizations securely embrace direct internet access (DIA). Now we don’t need to backhaul all traffic to the enterprise data center when applications are hosted in the cloud. There will still be applications hosted in the data center; we can use SD-WAN.

Cisco Umbrella started with DNS security solutions and then moved to include the following features, all delivered from a single cloud security service: So, we have DNS-layer security and interactive threat intelligence, a secure web gateway, firewall, cloud access security broker (CASB) functionality, and integration with Cisco SD-WAN.

The following diagram shows several Cisco SASE solution PoPs connecting to form a SASE fabric. At each PoP location, we have network and security functions. A viable way to connect PoPs over large distances is with MPLS or Segment Routing


Cisco SASE Solution
Diagram: Cisco SASE Solution.


Challenging Landscape: Out of your control

Now that workers are everywhere with an abundance of cloud-based applications, the Internet is the new enterprise network. The perimeter is now moved to the edges, with most devices and components out of their control. And this has many consequences. So how do enterprises ensure digital experience when they no longer own the underlying transport, services, and applications their business relies on? 

With these new complex and dynamic deployment models, we now have significant blind spots. Network paths are now much longer than they were in the past. Nothing is just one or two hops away. If you do a traceroute from your SASE VPN client, it may seem like one hop, but it’s much more.

And we have a lot of complexity with multiple segments and different types of components such as the Internet, security providers such as Zscaler, and cloud providers. So, all of this is out of your control. If I were to put my finger in the air, on average, 80% could be out of my control. So, it would help if you paid immediate attention to some things, such as visibility into the underlay, applications, and service dependencies.

Diagram: SASE VPN. Many components and blind spots.

The way forward: Understanding the SASE VPN end to end

Firstly, you need to gain visibility into the network underlay. If you do a traceroute, you may see only one hop. Still, it would help if you had insights into every Layer 3 hop across the network underlay, including Layer 2 or firewalling and load-balancing services in the path.

Secondly, you also need to monitor business-critical applications efficiently. And fully understand how users are experiencing an application with full-page loads, metrics that matter most to the users, and multistep transactions beyond an application’s front door. This will include login availability along with the entire application workflow.

It would help if you gained actionable visibility into service dependencies. This will enable you to have the ability to detect, for example, any service disruptions in ISP networks and DNS providers. See how they impact application availability, response times, and page load performance.


  • A key point: Testing DNS

Always test the DNS servers, both internal and external; if this does not work, you will have problems with everything. So you need to test internal and external domains for the DNS servers that your users are using. Once the transactions start, we will have a DNS process here. You will be familiar with DNS, and it’s something familiar; it developed in early 1980. It is used to manage the mapping between names and numbers.

However, we have a hierarchy of servers involved in the DNS process to support the number of steps in the DNS process. For example, some of these steps would include requesting website information, contacting the recursive DNS servers, querying the authoritative DNS servers, Accessing the DNS record, etc. We must consider the performance of your network’s DNS servers, resolvers, and records. And this can include various vendors across the DNS hierarchy.

Cisco Umbrella DNS

The Internet is unstable.

The first issue we have is that the Internet is fragile. We have around 14,000 BGP routing incidents per year. This will include a range of outages and attacks on BGP protocol and peering relationships: Port 179. Border Gateway Protocol (BGP) is the glue of the Internet backbone, so when attacks and outages happen, it can have a rippling effect across different Autonomous Systems (AS). So, if BGP is not stable, which it is not.

Cloud connectivity based on the Internet will not be stable. Internet cloud providers need more stability regarding network performance on the Internet. These providers rely on the public Internet instead of using a private backbone to carry traffic.


Secure automation


Introducing Cisco ThousandEyes

You lose control and visibility when WAN connectivity and business-critical applications migrate to shared infrastructure, the Internet, and public cloud locations. One way to gain back visibility and control is with Cisco ThousandEyes. Cisco ThousandEyes allows you to monitor your user’s digital experience against software as a service and on-prem applications, regardless of where your users are, through the essential elements of your SASE architecture. SASE is not just one virtual machine (VM) or virtual network function and consists of various technologies or VNFs such as SD-WAN, SWG, VPN, and ZTNA. 


Introducing Cisco SASE Solution: Cisco Umbrella SASE

We know the SASE definition and the convergence of networking and security in cloud-native solutions with global PoP. Cisco SD-WAN is a great starting point for your Cisco SASE solution, especially SD-WAN security, which has been mainstream for a while now. But what would you say about gaining the correct visibility into your SASE model? We have a lot of networking and security functionality now bundled into PoPs, along with different ways to connect to the PoP, whether you are at home or working from the branch office. 


So, if you are at home, you will have a VPN client and go directly to Cisco Umbrella SASE. If you are in the Office, you will likely connect to the SASE PoP or on-premise application via Cisco SD-WAN. The SD-WAN merges with the SASE PoP with redundant IPsec tunnels. You can have up to 8 IPsec tunnels with four active tunnels. The automated policy can be set up between Cisco vManage and Cisco Umbrella, so it’s a good interaction.

Cisco Umbrella SASE is about providing secure connectivity to our users and employees. And we need to know precisely what they are doing and not just blame the network all the time when there is an issue. Unfortunately, the network is easy to blame, even though it could be something else.


Scenario: Remote Worker: Creating a SASE VPN

Let’s say we have a secure remote worker. And they need to access the business application that could be on-premises in the enterprise data center or be served in the cloud. So users will initiate their SASE VPN client to access a VPN gateway for on-premise applications and then land on the corporate LAN. Hopefully, the LAN is tied down with microsegmentation, and the SASE VPN users don’t get overly permissive broad access.

Suppose the applications are served over the Internet in a public cloud SaaS environment. In this case, the user must go through Cisco Umbrella, not to the enterprise data center but to the cloud. You know that Cisco Umbrella SASE will have a security stack such as DNS-layer filtering, CASB, and URL filtering. DNS-layer filtering is the first layer of defense.


SASE VPN: Identity Service

In both cases working remotely or from the branch office, you may have some types of Identity services that fall under the zero trust network access (ZTNA) category. Identity services are done with Cisco Duo. CyberArk also has complete identity services. These identity providers offer identity services such as Single-Sign-On (SSO) and Multi-Factor Authentication (MFA) to ensure users are who they say they are—presenting them with multiple MFA challenges and a seamless experience with SSO via an identity portal.


  • Out of your control

In both use cases of creating a SASE VPN, we need visibility into several areas out of your control. For example, suppose the user works from home. In that case, we will need visibility into their WiFi network, the secure SASE VPN tunnel to the nearest Umbrella PoP, the transit ISP, and the SASE security functions. So, there are numerous areas we need visibility into, and each region is different. But one thing that they share is that they are all out of our control. Therefore, we must question and gain complete visibility into something out of our control. 

We will have similar problems with edge use cases where workers work from the branch sites. If these users working from the branch go to the Internet, they will still use the Cisco Umbrella SASE security stack, except it will go through SD-WAN first.


Monitoring SD-WAN

However, there will be another part to monitor, using SD-WAN. So with SD-WAN, we add another layer of needed visibility into the SD-WAN overlay and underlay. For the SD-WAN underlay, there will be multiple ISPs with multiple components with decades-old equipment. We will have different applications mapped to other overlays for the overlay network—potentially changing on the fly based on performance metrics. The diagram below shows that some application types prefer different paths and network topologies based on performance metrics such as latency. 

sd-wan technology


With SD-WAN, the network overlay is now entirely virtualized, allowing an adaptive, customized network infrastructure that responds recently to an organization’s changing needs. So when you move to a SASE environment, you are becoming more dependent on an increasing number of external networks and services that you do not own and that traditional tools can’t monitor, resulting in blind spots that will lead to gaps in security and many operational challenges to moving to SASE.


Challenges to Cisco SASE Solution

So when moving to a SASE environment, we face several challenges. Internet blindspots can be an Achilles’ heel to SASE deployments and performance. After all, network paths today consist of many more hops over longer and more complex segments (e.g., Internet, security, and cloud providers) that may be entirely out of the control of IT. 

Legacy network monitoring tools are no longer suitable for this Internet-centric environment because they primarily collect passive data from on-premises infrastructure. We also have a lot of complexity and moving parts. Modern applications have become increasingly complex, involving modular architectures distributed across multi-cloud platforms. Not to mention a complex web of interconnected API calls and third-party services.

As a result, understanding the application experience for an increasingly remote and distributed workforce is challenging—and siloed monitoring tools fail to provide a complete picture of the end-to-end experience.


Cisco ThousandEyes: Different vantage Points.

Cisco ThousandEyes provides visibility end-to-end across your SASE environment. And allows you to be proactive and see problems before they happen, reducing your time to resolution. Remember that today, we have a complex environment with many new and unpredictable failure modes. Having the correct visibility lets you control the known and unknown failure modes.

Cisco ThousandEyes can also give you actionable data. For example, when service degradation occurs, you can quickly identify where the problem is. So, your visibility will need to be actionable. To gain actionable visibility, you need to monitor different things from different levels. One way to do this is with different types of agents.

Using a global collective of cloud, enterprise, and end-user vantage points, ThousandEyes enables organizations to see any network, including those belonging to Internet and cloud providers, as if it were their own—and to correlate this visibility with application performance and employee experience.

From Thousand Eyes’ different vantage points, which are based on deploying agents, we can see the layer 3 hop-by-hop underlays from remote users and SD-WAN sites to secure edge and from secure edge to application servers SaaS application performance, including monitoring login availability and application workflows, service dependency monitoring, including secure edge PoP, and DNS servers.


  • Example of an Issue: HTTP Response Time

That’s quite a lot of areas to grasp. So, let’s say you are having performance issues with Office365, and there is an increase in response time. So the first thing you know of is an increase in HTTP response time from a specific office. The next stage would be to examine the network layer and see an increase in latency. So, in this case, we have network problems.

Then you can go deeper into the problem using the packet visualization Cisco ThousandEyes offers to pinpoint precisely where it is happening. The packet visualization shows you the exact path of the Office to the Internet via Umbrella. It provides all the legs of the Internet and can pinpoint the problem to the specific device. So now we have end-to-end visibility via this remote worker right to the application.


Cisco ThousandEyes agents

Endpoint Agent

The secure remote worker could be on the move and working from anywhere. In this case, you need the ThousandEyes Endpoint agent. The Endpoint agent performs active application and network performance tests and passively collects performance data, such as WiFi and device-level metrics like CPU and memory. It also detects and monitors any SASE VPN, other VPN gateways, and proxies. The most crucial point to note about the Endpoint agent is that it follows the user regardless of where they work. The branch office or the remote locations. So the endpoint agent is location agnostics. However, creating a baseline for users with this type of movement will be challenging.

The endpoint agent, by default, does some passive monitoring. Such as, WiFi performance is a metric that always sees the percentage of retransmitted packets that would indicate a problem occurring. So if the user is working from home and saying this application is not working, you can tell if the WiIFi is now working and ask them to carry out the necessary troubleshooting if the issue is at their end.

The Endpoint agent also does default gateway networking testing. This is synthetic network testing using the default gateway, which happens automatically. Remote working has an extensive internal network, so you can map this out and help them troubleshoot. 

They can test the underlay network to the VPN termination points. So if you are on a VPN, you have one hop! But if you need to determine any packet loss etc., you must see the exact underlay. The underlay testing can tell you if there is a problem with the upstream ISP or the VPN termination points.


Cisco SASE Solution


Enterprise Agent

The Enterprise agent is set up from the Endpoint agent. The Enterprise agent has, on top of it, complete application testing. Unlike the endpoint agents, it can do page load testing. Using Webex, you can set up the RTP tests for the agent running in the various WebEx data centers.  

Then we have the secure edge design, where the users work from a branch office. This is where we have an Enterprise agent—one agent from all users working in the Office. So one agent for all users and devices in the LAN can be installed on several device types—for example, Cisco Catalyst 8000 or ISR 4000 series. Or if you can’t install it on a Cisco device, you can install it as a Docker container or in a smaller office; you can deploy it on a Raspberry PI.


  • Enterprise Agent testing

So it performs active application and network performance testing, similar to the Endpoint agent. But one main difference is that it can perform complex web application tests. So the Enterprise agent has a fully-fledged browser on top of it, and it can open up a web application, download images needed to load the page load event, and log in to the application. 

This is an important test for the zero trust network access (ZTNA) category, as it supports complete web testing for applications beyond SSO. It can also test VPN and the SDN overlay and underlay. In addition, it provides a continuous baseline regardless of any active users. So the baseline is 24/7, and you can immediately know if there are problems. This is compared to the Endpoint agent that can’t provide a baseline due to choppy data.

Cisco ThousandEyes also has a Cloud agent that can augment the Enterprise agent. The Cloud agent is installed on over 200 worldwide locations and is also in WebEx data centers. Consider the cloud agent to increase the enterprise agent. It allows you to do two-way networking and bidirectional testing. Here we can test agent to agent.


  • SD-WAN Underlay Visibility

The enterprise agent can also test the SD-WAN underlay. In the underlay testing, you can configure some data policies and allow the network test to go into the underlay and even test the Umbrella IPsec Gateway or the SD-WAN router in the data center, which gives you hop-by-hop insights into the underlay.


  • Device Layer Visibility

We also have device layer visibility. Here we have visibility into the performance of the secure edge internal devices by gathering network device topology. This will show you all the layer three nodes in your network, firewall, load balancer, and other Layer 2 devices.


AppDynamic and ThousandEye Integration

While most organizations cannot respond to 3rd party connectivity issues, ThousandEyes can give you the correct Observability into every application and service and track the network traffic hops inside and outside, including all your environments. If you want or need to go one step further, you can integrate Thousand Eye with AppDynamic and see your business transactions in detail.


Cisco SASE Solution


Matt Conran
Latest posts by Matt Conran (see all)

Comments are closed.