Network-Wide Path Insight

Table 1. Feature History

| Feature Name | Release Information | Description |
|---|---|---|
| Network-Wide Path Insight in Cisco SD-WAN Manager | Cisco IOS XE Catalyst SD-WAN Release 17.4.1a; Cisco vManage Release 20.4.1 | This feature lets you view network-wide path tracing information using Cisco SD-WAN Manager. |
| Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements | Cisco IOS XE Catalyst SD-WAN Release 17.6.1a; Cisco vManage Release 20.6.1 | This feature provides enhancements to network-wide path insight tracing to include additional filters and options for traces, DNS domain discovery, and new displays for application flows, trace views, and app trends. |
| Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements | Cisco IOS XE Catalyst SD-WAN Release 17.9.1a; Cisco vManage Release 20.9.1 | This feature provides enhancements to the Network-Wide Path Insight feature to include the collection and display of insight information, trace-level insight information, path insight information, and detailed application trace information. |
| Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements | Cisco IOS XE Catalyst SD-WAN Release 17.12.1a; Cisco Catalyst SD-WAN Manager Release 20.12.1 | This feature provides enhancements to the Network-Wide Path Insight feature to include support for multiple VPNs for traces, the ability to generate synthetic traffic for traces, options for grouping trace information, support for auto-on tasks, new information on insight displays, and expanded insight summaries. |
| Network-Wide Path Insight Integration with Cisco Identity Services Engine | Cisco IOS XE Catalyst SD-WAN Release 17.13.1a; Cisco Catalyst SD-WAN Manager Release 20.13.1 | When you integrate the Cisco Identity Services Engine with Cisco Catalyst SD-WAN, this feature enables traces to provide the identity of users who send traffic to and receive traffic from applications. |
| Network-Wide Path Insight Integration with Cisco ThousandEyes | Cisco IOS XE Catalyst SD-WAN Release 17.14.1a; Cisco Catalyst SD-WAN Manager Release 20.14.1 | With this feature, network-wide path insight presents test results from a Cisco ThousandEyes Enterprise Agent and includes this information in flow results for your review and analysis. This information supplements data that the Cisco ThousandEyes Dashboard provides. |
| Insight into IPsec Failures | Cisco IOS XE Catalyst SD-WAN Release 17.15.1a; Cisco Catalyst SD-WAN Manager Release 20.15.1 | This feature provides granular visibility into IPsec drops. |
| Synthetic Traffic Packet Capture Replay | Cisco IOS XE Catalyst SD-WAN Release 17.16.1a; Cisco Catalyst SD-WAN Manager Release 20.16.1 | With this feature, you can simulate traffic of a trace by replaying a PCAP file. |

Information About Network-Wide Path Insight

Network-wide path insight provides end-to-end application-tracing serviceability in a Cisco Catalyst SD-WAN network. This feature lets you initiate application tracing and displays the trace results collected from multiple devices in a consolidated view. You also can view detailed information at the packet level, application level, domain level, flow level, and network level. Information from traces provides comprehensive insights into the operations of your network and can assist with performance analysis, planning, and troubleshooting.

For a brief video overview of network-wide path insight, see Cisco Catalyst SD-WAN Network-Wide Path Insight How to Demo.

Supported Devices for Network-Wide Path Insight

This feature is supported on Cisco IOS XE Catalyst SD-WAN devices.

Prerequisites for Network-Wide Path Insight

  • Ensure that the Data Stream option is enabled in Cisco SD-WAN Manager. To enable this option, perform the following steps.


    Note


    • In a Cisco Catalyst multitenant deployment, you must have the provider role to enable this option. For more information, see User Roles in Multitenant Environment.

    • If you try to set up a trace path when Data Stream is not enabled, you are prompted to enable it.


    1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

    2. For the Data Stream option, click View.

    3. Click Edit and choose Enable.

    4. Click Save.

  • From Cisco Catalyst SD-WAN Manager Release 20.13.1, integrating Cisco Identity Services Engine (ISE) with Cisco Catalyst SD-WAN enables network-wide path insight traces to identify the specific users who are associated with traffic flows.

    For integration information, see Configure Cisco ISE in Cisco SD-WAN Manager.

    • Ensure that the users are registered with Cisco ISE.

  • From Cisco Catalyst SD-WAN Manager Release 20.14.1, if you want traces to collect information about Cisco ThousandEyes Enterprise Agent tests, ensure that Cisco ThousandEyes is monitoring your network, and ensure that you know your Cisco ThousandEyes account username and OAuth bearer token. In addition, ensure that a Cisco ThousandEyes Enterprise Agent is deployed on a Cisco IOS XE Catalyst SD-WAN device in a service VPN other than VPN 0 or VPN 512, or on another host that is connected to a service VPN.

Restrictions for Network-Wide Path Insight

  • Support for this feature on Cisco vEdge devices is limited to interoperation with Cisco IOS XE Catalyst SD-WAN devices.

  • Only UDP and TCP can be traced using the Network-Wide Path Insight feature.

  • This feature is not supported on VPN 0 or the transport VPN.

  • This feature is not supported when extranet VPNs or service chain policies are configured in your Cisco Catalyst SD-WAN deployment.

  • Not all packet traces are captured per flow. The system takes samples for the most typical packets automatically.

  • Flow records do not display the complete history of flow path and hop information for releases before Cisco vManage Release 20.6.1.

  • Mixed application and default policies are not supported for releases before Cisco vManage Release 20.6.1.

  • You can monitor a maximum of two traces per device, and 10 concurrent active traces per Cisco SD-WAN Manager tenant.

  • The following table shows the number of active flows that can be monitored, and the supported number of completed flows. Tracing stops when the monitoring limit is reached.

    | Release | Number of Supported Active Flows | Number of Supported Completed Flows |
    |---|---|---|
    | Releases before Cisco vManage Release 20.6.1 | 50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device | 1,000 |
    | Cisco vManage Release 20.6.1 through Cisco vManage Release 20.8.x | 50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device | 10,000 |
    | Cisco vManage Release 20.9.1 and later releases | 50 to 100 per device, depending on the Cisco IOS XE Catalyst SD-WAN device | 60,000 |

  • In releases before Cisco vManage Release 20.6.1, flow trace does not show the complete network path if the following optimizations are enabled:

    • UTD

    • TCP

    • SSL

    • DRE

  • In the Application Stats graphs that are available in the Insight Summary > Overview tab, you cannot choose a WAN color for Cisco ASR 1000 Series Routers and Cisco Catalyst 8500 Series Edge Platforms.

  • Traces that identify specific users who send and receive traffic provide information for IPv4 traffic only. This feature is available from Cisco Catalyst SD-WAN Manager Release 20.13.1.

  • By default, the site at which a trace starts can have up to 100 peering sites with concurrent site-to-site traffic. You can extend this limit to 250 peers in the Administration Setting of Network-Wide Path Insight. If the number of peering sites exceeds the configured value, the trace doesn't start from that site.

  • For Cisco Catalyst SD-WAN Manager Release 20.14.1 and earlier releases, you can monitor traffic on flows that are initiated before you start a trace.

    For Cisco Catalyst SD-WAN Manager Release 20.15.1 and later releases, TCP/UDP flows that are initiated before you start a trace have a lower chance of being monitored than newly initiated flows. You can use specific filters to monitor traffic on these flows.

Restrictions for Synthetic Traffic Packet Capture Replay

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.16.1a and Cisco Catalyst SD-WAN Manager Release 20.16.1

PCAP File Requirements

  • Only PCAP files with Ethernet packets are supported.

  • You can replay only one PCAP file at a time with up to 50 flows in a trace.

  • Only PCAP files of up to 5 MB in size are supported.

  • The total size of all PCAP files should not exceed 100 MB.

  • You can upload up to 1000 PCAP files.

  • Only TCP or UDP packets can be replayed.

  • ICMP, Multicast, Broadcast, or Anycast packets are not supported.

  • PCAP files with fragmented packets are not supported in stateful mode.

Packet Type and Size

  • Conversion of IPv4 packets to IPv6 packets and vice versa is not supported.

  • In stateless mode, you cannot replay packets larger than 1500 bytes.

  • To replay packets larger than 1500 bytes, it is recommended that you use stateful mode.
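
A pre-upload check for the PCAP file and packet restrictions listed above, as an added example that is not Cisco code: it parses a classic pcap file and reports the violations it can detect offline. The function names, the finding strings, reading "5 MB" as 5 MiB, measuring packet size as the original frame length minus the 14-byte Ethernet header, and counting a flow as a bidirectional 5-tuple are assumptions; IPv6, VLAN-tagged frames, and anycast are not analysed.

```python
import struct

MAX_FILE_BYTES = 5 * 1024 * 1024     # page: 5 MB per file (binary MB assumed)
MAX_FLOWS, MAX_STATELESS = 50, 1500  # page: flows per trace; stateless byte limit
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian

def check_pcap(data):
    """Return sorted findings for one capture; an empty list means none found."""
    findings = set()
    if len(data) > MAX_FILE_BYTES:
        findings.add("file larger than 5 MB")
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        return ["not a classic pcap file"]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:     # 1 = Ethernet
        return sorted(findings | {"link type is not Ethernet"})
    flows, off = set(), 24
    while off + 16 <= len(data):
        incl, orig = struct.unpack(endian + "II", data[off + 8:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            findings.add("non-IPv4 or truncated frame, not analysed")
            continue
        if frame[0] & 1:                                     # Ethernet group bit
            findings.add("multicast or broadcast frame")
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]                         # skip IPv4 header
        if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:         # MF flag or offset
            findings.add("fragmented packet")
        if orig - 14 > MAX_STATELESS:
            findings.add("packet over 1500 bytes, stateless replay not possible")
        if ip[9] not in (6, 17):                             # TCP, UDP
            findings.add("non-TCP/UDP packet")
            continue
        ends = sorted([(ip[12:16], l4[0:2]), (ip[16:20], l4[2:4])])
        flows.add((ip[9], ends[0], ends[1]))                 # bidirectional key
    if len(flows) > MAX_FLOWS:
        findings.add("more than 50 flows")
    return sorted(findings)

def build_pcap(packets, linktype=1):
    """Constructed sample input: (proto, sport, dport, frag_field) per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for proto, sport, dport, frag in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag, 64, proto, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + struct.pack("!HH4x", sport, dport)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

The fragment finding matters only for stateful replay, and the 1500-byte finding only for stateless replay, so read each against the mode you plan to use.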

Unsupported Protocols and DIA Scenarios

  • You can only replay PCAP files in a single router for Cisco Catalyst SD-WAN DIA scenarios.

  • PCAP replay does not support scenarios where one side is a tunnel endpoint while the other side is not the corresponding tunnel's endpoint.

  • Application Level Gateway (ALG) is not supported.

  • L2VPN is not supported.

  • Security Group Tagging (SGT) is not supported.

IP Address Configurations

  • A PCAP file can contain multiple flows, and the IP addresses of all flows can be replaced with the IP addresses that you configure.

  • You can configure only one source IP address and one destination IP address.

  • You cannot use different IP addresses for different flows.

Use Cases for Network-Wide Path Insight

  • Verification of network and policy design when deploying a new site, VPN, or application

  • Daily monitoring of network, application, and policy operations

  • Collection of information for diagnosing operational issues

For more information, see Use Cases.

Configure Cisco ThousandEyes Username and OAuth Bearer Token

From Cisco Catalyst SD-WAN Manager Release 20.14.1, to have a network-wide path insight trace include test results from Cisco ThousandEyes Enterprise Agents, configure your Cisco ThousandEyes account information in Cisco SD-WAN Manager. This information includes your Cisco ThousandEyes username and OAuth bearer token. An OAuth bearer token is one of the two types of Cisco ThousandEyes user API tokens.

This information is required so that Cisco SD-WAN Manager can obtain from Cisco ThousandEyes information that you are authorized to receive.

You can configure your account information in one of the following ways:


Note


To determine your OAuth bearer token from the Cisco ThousandEyes application, choose Account Settings > Profile > User API Tokens.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

  2. Click ThousandEyes User API Tokens.

  3. In the Username field, enter your Cisco ThousandEyes username.

  4. In the Bearer Token field, enter your Cisco ThousandEyes OAuth bearer token.

  5. (Optional) To configure information for another Cisco ThousandEyes account, click + Add ThousandEyes User API token and enter the username and OAuth bearer token.

    You can configure up to five Cisco ThousandEyes accounts for each Cisco SD-WAN Manager user.

  6. Click OK.