Cloud onRamp for SaaS, Cisco IOS XE Release 17.3.1a and Later
Many organizations rely on software-as-a-service (SaaS) applications for business-critical functions. These cloud-based services include Amazon AWS, Box, Dropbox, Google Apps, Office 365, and many others. As cloud-based services, these SaaS applications must communicate with their own remote servers, which are available through internet connections. At remote sites, SaaS applications may pose these special challenges:
Cloud onRamp for SaaS (formerly called CloudExpress service) addresses these challenges. It enables you to select specific SaaS applications and interfaces, and to let Cisco SD-WAN determine the best performing path for each SaaS application, using the specified interfaces. For example, you can enable:
Ensuring the best path for cloud traffic is critical. SD-WAN monitors each available path for each SaaS application continually, so if a problem occurs in one path, it can adjust dynamically and move SaaS traffic to a better path.
Information About Cloud onRamp for SaaS
Common Scenarios for Using Cloud onRamp for SaaS
For an organization using SD-WAN, a branch site typically routes SaaS application traffic by default over SD-WAN overlay links to a data center. From the data center, the SaaS traffic reaches the SaaS server. For example, in a large organization with a central data center and branch sites, employees might use Office 365 at a branch site. By default, the Office 365 traffic at a branch site would be routed over SD-WAN overlay links to a centralized data center, and from there to the Office 365 cloud server.
Scenario 1: If the branch site has a direct internet access (DIA) connection, you may choose to improve performance by routing the SaaS traffic through that direct route, bypassing the data center.
Scenario 2: If the branch site connects to a gateway site that has DIA links, you may choose to enable SaaS traffic to use the DIA of the gateway site.
Scenario 3: Hybrid method.
Scenario 1: Cloud Access through Direct Internet Access Links
In this scenario, a branch site has one or more direct internet access (DIA) links, as shown in the illustration below. Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application through the DIA links or through the SD-WAN overlay links. Note that the best connection may differ for different SaaS applications. For example, Office 365 traffic may be faster through one link, and Dropbox traffic may be faster through a different link.
Scenario 2: Cloud Access through a Gateway Site
In this scenario, a branch site has one or more direct connections to a gateway site, and the gateway site has links to the internet.
Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application through the gateway site. If the branch site connects to more than one gateway site, SD-WAN ensures that SaaS traffic uses the best path for each SaaS application, even through different gateway sites.
Scenario 3: Hybrid Approach
In this scenario, a branch site has both direct internet access (DIA) links, and links to a gateway site, which also has links to the internet. Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application, either through DIA links or through the gateway site.
Specify Office 365 Traffic Category
When enabling Cloud onRamp for SaaS to manage Office 365 traffic, you can limit Cloud onRamp for SaaS path selection to apply to some or all Office 365 traffic, with the following options:
These options correspond to the three categories of Office 365 traffic that Microsoft defines as follows:
Specifying traffic by Office 365 category requires enabling the Cisco SD-AVC Cloud Connector component in Administration > Settings.
Best Path Determination
Cloud onRamp for SaaS selects the best path for each application using an algorithm that takes input from the following sources.
For Office 365 traffic, you can view a log of the metrics that factor into the best-path determination. The metrics appear in a Cisco vAnalytics page specifically designed to display only this information, and available directly from Cisco vManage.
Load Balancing Across Multiple Interfaces
Cloud onRamp for SaaS can determine the best network path for each type of cloud traffic. However, if multiple direct internet access (DIA) interfaces on a WAN edge device at a branch site provide acceptable performance for a cloud application, Cloud onRamp for SaaS can employ load balancing across up to three interfaces to further improve performance. When you enable load balancing across multiple interfaces of a WAN edge device, load balancing is enabled for all cloud applications that are managed by Cloud onRamp for SaaS. After determining the best path interface for a cloud application, Cloud onRamp compares the performance statistics for other interfaces. To use another interface for load balancing, the following must be true:
If required, you can select an option to ensure that all traffic from a single host uses a single interface – for example, to ensure that DNS and application traffic use the same path.
Information About Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites
A branch site may connect to the internet through one or more direct internet access (DIA) interfaces at the branch site itself, or through a gateway site, which might use a service VPN or VPN 0 to connect to the internet. In addition to probing the DIA interfaces at a branch site, Cloud OnRamp for SaaS can probe interfaces at a gateway site, whether they use service VPNs (VPN 1, VPN 2, …) or the transport VPN (VPN 0), when determining the best path to use for the traffic of specified cloud applications. This is helpful when the branch site connects to the internet through a gateway site. When configuring Cloud OnRamp for SaaS to use the gateway site, specify whether the gateway site uses service VPNs or VPN 0 to connect to the internet, as shown in the following illustrations.
Figure 1. Branch Site Connects to a Gateway Site That Uses Service VPNs to Connect to the Internet
Figure 2. Branch Site Connects to a Gateway Site That Uses VPN 0 to Connect to the Internet
Information About Cloud onRamp for SaaS Support for Webex
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
When you enable Cloud onRamp for SaaS best path determination for an application, Cisco vManage updates match conditions in the application-aware policy in the active centralized policy to support Cloud onRamp for SaaS functionality for the application. For most applications, the match conditions do not require any later update. For Webex, Cloud onRamp for SaaS uses a more complex method than for most other applications. Cloud onRamp for SaaS maintains a list of worldwide Webex servers.
When you enable Cloud onRamp for SaaS best path determination for Webex, Cloud onRamp for SaaS determines the best path for each Webex server worldwide. It adds match conditions in the application-aware policy to address each of the regional Webex servers. This provides the Webex application with the best path to any Webex server worldwide that it may need to connect to.
Table 2. Best Path Determination Method for Webex, Compared with the Method for Other Applications
Maintaining an Up-to-Date List of Webex Servers
To maintain an up-to-date list of Webex servers, Cisco vManage periodically retrieves the latest server information and determines whether there are any changes to the information. If Cisco vManage detects that there are changes to the Webex server information, it displays notifications on the Cloud onRamp for SaaS dashboard, prompting you to synchronize the Webex server information. The notifications are shown in a dialog box that appears on the Cloud onRamp for SaaS dashboard page, and in a message in the Webex application pane that appears on the dashboard.
Information About the SD-AVC Cloud Connector
Minimum supported release: Cisco vManage Release 20.8.1
Cisco SD-WAN uses a component called SD-AVC Cloud Connector to collect information from Microsoft Cloud about the Microsoft application servers that handle Office 365 traffic. The information includes the transport protocols for the traffic; and the domain names, IP addresses, and ports of the application servers that manage the traffic. This server information improves the process of identifying network traffic—for example, making it possible to identify traffic from the first packet. Improving traffic identification enhances the effectiveness of application-aware routing policies because policies can often match all traffic, from the first packet. The SD-AVC Cloud Connector page provides visibility into the application servers that are used for Office 365 traffic. It provides a table of the server information that Cisco SD-WAN has collected for Office 365 traffic. For example, the table may indicate that the domains represented by *-admin.sharepoint.com correspond to Sharepoint traffic. In this case, any traffic flow with a destination domain included in those domains, such as connect-admin.sharepoint.com, can be identified as Sharepoint traffic from the first packet of the flow.
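The matching described above, as an added example that is not Cisco code: a flow's destination is checked against a server-information table of domain patterns, IP prefixes, ports, and transport protocol to name its service area. Only `*-admin.sharepoint.com` and `connect-admin.sharepoint.com` come from this page; the other table rows, the addresses, the function names, and the wildcard semantics are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServerEntry:
    service_area: str
    domains: tuple      # wildcard domain patterns
    prefixes: tuple     # CIDR strings
    protocol: str       # "tcp" or "udp"
    ports: frozenset


# Constructed rows. Only "*-admin.sharepoint.com" is taken from the page; the
# other domains and the RFC 5737 documentation prefixes are placeholders.
SERVER_TABLE = (
    ServerEntry("Sharepoint", ("*-admin.sharepoint.com",),
                ("192.0.2.0/24",), "tcp", frozenset({80, 443})),
    ServerEntry("Exchange", ("mail.example.net", "*.mail.example.net"),
                ("198.51.100.0/25",), "tcp", frozenset({443, 587})),
)


def normalize_host(host: str) -> Optional[str]:
    """Lower-case the name, drop one trailing dot, reject malformed labels."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if not host or any(not re.fullmatch(r"[a-z0-9-]{1,63}", l) for l in labels):
        return None
    return host


def domain_matches(pattern: str, host: str) -> bool:
    """Assumption: '*' stands for one or more hostname characters, dots
    included. The match is anchored at both ends, so a name that merely
    contains the pattern as a prefix or substring does not qualify."""
    name = normalize_host(host)
    if name is None:
        return False
    regex = r"[a-z0-9.-]+".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(regex, name) is not None


def classify(dst_ip: str, dst_port: int, protocol: str,
             dst_domain: Optional[str] = None,
             table=SERVER_TABLE) -> Optional[str]:
    """Return the service area for a flow's first packet, or None.

    Protocol and port must agree with the table row; the row is then
    selected by destination domain (when known) or by IP prefix."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in table:
        if protocol.lower() != entry.protocol or dst_port not in entry.ports:
            continue
        if dst_domain and any(domain_matches(p, dst_domain) for p in entry.domains):
            return entry.service_area
        if any(addr in ipaddress.ip_network(n) for n in entry.prefixes):
            return entry.service_area
    return None


if __name__ == "__main__":
    # Constructed sample flows: (dst_ip, dst_port, protocol, dst_domain)
    flows = [
        ("203.0.113.9", 443, "tcp", "connect-admin.sharepoint.com"),
        ("203.0.113.9", 443, "tcp", "connect-admin.sharepoint.com.other.example"),
        ("192.0.2.10", 443, "tcp", None),
        ("192.0.2.10", 443, "udp", None),
    ]
    for ip, port, proto, domain in flows:
        print(ip, port, proto, domain, "->", classify(ip, port, proto, domain))
```

Because a match can steer a flow onto a direct internet path, the anchored comparison matters: the second sample flow embeds the Sharepoint name as a prefix of an unrelated domain and is left unclassified.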
Information About Viewing Path Scores for Office 365 Traffic
Minimum supported release: Cisco vManage Release 20.8.1
For Office 365 traffic, you can view charts showing the path scores (OK, NOT-OK, or INIT) provided by Microsoft telemetry for each Microsoft service area, including Exchange, Sharepoint, and Skype. The chart shows the path scores over time for each available interface. Viewing the path score history can be useful when troubleshooting network performance issues for Office 365 traffic—for example, to determine whether Microsoft consistently rates a particular interface as NOT-OK for some types of traffic, such as Skype traffic. If that occurs, you can investigate why the interface is consistently receiving a low path score.
Information About Configuring the Traffic Category and Service Area for Specific Policies
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a
When you enable Microsoft 365 on the Applications and Policy page, and choose a traffic category, Cloud OnRamp for SaaS adds sequences to all application-aware routing (AAR) policies to enable Cloud OnRamp for SaaS operation on Microsoft 365 traffic, in accordance with the traffic category that you have chosen. Adding these sequences to the AAR policies enables Cloud OnRamp for SaaS operation on this traffic, with the selected traffic category. Starting from Cisco vManage Release 20.9.1, you can edit the sequences in AAR policies individually to change the specified Microsoft 365 traffic category and service area for specific AAR policies.
Benefits of Configuring the Traffic Category and Service Area for Specific Policies
By editing individual AAR policies, you can enable Cloud OnRamp for SaaS to operate on different Microsoft 365 service areas and traffic categories in different policies.
Information About Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1
Starting from Cisco vManage Release 20.9.1, you can selectively enable Cloud OnRamp for SaaS to operate for a particular application at specific sites, while excluding other sites. When you enable an application on the Applications and Policy page, Cloud OnRamp for SaaS adds AAR policy sequences that match traffic for the selected application and direct the traffic in accordance with the Cloud OnRamp for SaaS best path calculation. This has the effect of enabling Cloud OnRamp for SaaS operation at all sites. To exclude Cloud OnRamp for SaaS operation for applications at specific sites, you can edit an AAR policy and delete a specific application within the AAR policy. This disables Cloud OnRamp for SaaS activity for that application on sites that use the AAR policy. In contrast to editing the traffic category or service area for specific policies (see Information About Configuring the Traffic Category and Service Area for Specific Policies), which works only with Microsoft 365 traffic, you can use this feature to enable or exclude any SaaS application.
Benefits of Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites
This feature enables granular, site-level control of applications that Cloud OnRamp for SaaS operates on at each site in the network.
Information About Visibility for Microsoft 365 SaaS Traffic
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a
Cisco vManage Release 20.9.1 introduces improved application visibility, enabling you to monitor Microsoft 365 traffic processed by Cloud OnRamp for SaaS in more detail. You can view, in graph or table formats, the volume of Microsoft 365 traffic over time, with details as to how much traffic used a direct internet access (DIA) link, and how much was routed through a gateway site. The monitoring page also shows the volume of traffic that Cloud OnRamp for SaaS does not affect.
Benefits of Visibility for Microsoft 365 SaaS traffic
Visibility into the details of how Cloud OnRamp for SaaS is routing traffic can be helpful when troubleshooting traffic routing issues.
Information About Including or Excluding Microsoft Telemetry Data from the Best Path Decision for Microsoft 365 Traffic
Minimum releases: Cisco vManage Release 20.9.1
From Cisco vManage Release 20.9.1, you can control whether the Cloud OnRamp for SaaS best path decision includes Microsoft telemetry data as a factor for Microsoft 365 traffic. When enabling telemetry for Microsoft 365 (Office 365) traffic, the Application Feedback dialog box contains a Traffic Steering check box. Check this check box to enable the use of Microsoft telemetry data in best path decisions. For information, see Enable Application Feedback Metrics for Office 365 Traffic. Even when you elect not to use Microsoft telemetry data in best path decisions, you can view the telemetry data. You can view the telemetry data related to the Microsoft 365 application, as well as detailed information about the best path decisions made on devices, using Cisco vAnalytics. For information about Cisco vAnalytics, see Cisco vAnalytics. For information about enabling Microsoft to provide telemetry for Microsoft 365 traffic, see Enable Microsoft to Provide Telemetry for Office 365 Traffic.
After Upgrading Cisco vManage
If you have enabled Microsoft telemetry on a previous release of Cisco vManage, and are now upgrading to Cisco vManage Release 20.9.1, Cloud OnRamp for SaaS does not automatically enable the use of Microsoft telemetry data in best path decisions. To ensure that devices use Microsoft telemetry for best path decisions, if you have configured that option, perform one of the following:
Benefits of Cloud onRamp for SaaS
Benefits of Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites
In some network scenarios, a site connects to the internet, entirely or in part, through a gateway site that uses a VPN 0 interface to connect to the internet. This is in contrast to using service VPNs (VPN 1, VPN 2, …). When the gateway site connects to the internet using VPN 0, the best path to cloud application servers may be through the VPN 0 interface. When Cloud onRamp for SaaS probes for the best path for the traffic of specified cloud applications, it can probe through VPN 0 interfaces at gateway sites. This extends the best path options to include more of the available interfaces connected to the internet.
Benefits of Cloud onRamp for SaaS Support for Webex
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
By maintaining a list of worldwide Webex servers, and determining the best path for all available Webex servers, Cloud onRamp for SaaS provides a high degree of path optimization for Webex traffic. Even if the Webex application connects to a distant cloud server, or connects to different servers at different times, Cloud onRamp for SaaS always provides the best path to any Webex server worldwide.
Supported Devices for Cloud onRamp for SaaS
Cisco IOS XE SD-WAN devices and Cisco vEdge devices support Cloud onRamp for SaaS. The following table describes the device support for specific Cloud onRamp for SaaS features.
Table 3. Device Feature Support
For information about features supported on Cisco vEdge devices, see Cloud onRamp for SaaS, Cisco SD-WAN Release 20.3.1 and Later.
Prerequisites for Cloud OnRamp for SaaS
The following sections describe the prerequisites for Cloud OnRamp for SaaS features.
Prerequisites for Cloud onRamp for SaaS, General
The prerequisites for using Cloud onRamp for SaaS differ for Cisco vEdge devices and Cisco IOS XE SD-WAN devices. For information about using Cloud onRamp for SaaS with Cisco vEdge devices, see Cloud OnRamp Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20. For Cisco IOS XE SD-WAN devices, the requirements are:
To specify traffic by Office 365 traffic category, the following are also required:
Prerequisites for Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites
Cloud onRamp for SaaS probing through VPN 0 interfaces at gateway sites presupposes that a branch site connects to the internet through a gateway site, and that the gateway site connects to the internet using a VPN 0 interface. The branch site may or may not also connect to the internet through one or more DIA connections.
Prerequisites for Cloud onRamp for SaaS Support for Webex
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
To download the latest information about Webex servers, as described in Maintaining an Up-to-Date List of Webex Servers, Cisco vManage requires access to the internet.
Prerequisites for Configuring the Traffic Category and Service Area for Specific Policies
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a
Prerequisites for Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1
Availability of multiple AAR policies associated with different sets of sites.
Prerequisites for Visibility for Microsoft 365 SaaS Traffic
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a
Prerequisites for Including or Excluding Microsoft Telemetry Data from the Best Path Decision for Microsoft 365 Traffic
Minimum releases: Cisco vManage Release 20.9.1
Enable Microsoft traffic metrics. See Enable Microsoft to Provide Traffic Metrics for Office 365 Traffic.
Restrictions for Cloud onRamp for SaaS
The following section(s) describe the restrictions applicable to Cloud OnRamp for SaaS features.
Restrictions for Cloud onRamp for SaaS, General
Configuring Cloud onRamp for SaaS when a site is using a loopback as a transport locator (TLOC) interface is not supported.
Cloud OnRamp for SaaS on Cisco IOS XE SD-WAN devices can be configured only through a centralized app-aware policy, using the match condition "cloud-saas-app-list" and the action "cloud-saas".
For mixed deployments that include Cisco SD-WAN and Cisco IOS XE SD-WAN devices, we recommend having different app-aware policies for Cisco SD-WAN and Cisco IOS-XE SD-WAN devices.
Use Cases for Cloud onRamp for SaaS
Use Cases for Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites
Enable gateway probing through VPN 0 interfaces if the following conditions apply:
Use Cases for the SD-AVC Cloud Connector
Minimum supported release: Cisco vManage Release 20.8.1
Visibility into server information is helpful when troubleshooting. For example, after creating a policy that applies Cloud onRamp for SaaS only to Office 365 traffic in the Sharepoint service area, you might find that Cisco SD-WAN is not routing the first few flows of Sharepoint traffic on the best path determined by Cloud onRamp for SaaS, and Sharepoint performance is below expectations. To troubleshoot, you can do the following:
Use Case for Configuring the Traffic Category and Service Area
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a
An organization relies heavily on Microsoft 365 for its office applications, and has configured Cloud OnRamp for SaaS to optimize Microsoft 365 traffic at its headquarters and at each branch office. In addition, it uses an on-premises Outlook server at a data center to handle its company email. Microsoft distinguishes different types of Microsoft 365 traffic using the following service areas:
Because the organization uses an on-premises Outlook server, the network administrator chooses to exclude Outlook traffic from the Cloud OnRamp for SaaS optimization of Microsoft 365 traffic. By modifying the AAR policies, they exclude the Exchange service area (for Outlook) from the Microsoft 365 traffic that Cloud OnRamp for SaaS operates on, thereby ensuring the best performance for the email traffic using the on-premises Outlook server.
Use Case for Enabling Specific Applications at Specific Sites
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1r
An organization’s network spans numerous sites. Most of the sites utilize the Box.com cloud storage application, but a subset of sites does not use Box.com. First, the network administrator creates an AAR policy that serves the subset of sites that do not use Box.com. Next, the network administrator enables Cloud OnRamp for SaaS for Box.com traffic, which enables Cloud OnRamp for SaaS operation at all sites in the network. To exclude the subset of sites that do not use Box.com, the network administrator edits the AAR policy for that subset of sites, to disable Cloud OnRamp for SaaS operation for Box.com traffic. This has the effect of disabling Cloud OnRamp for SaaS operation for Box.com traffic at that subset of sites only.
Configure Cloud onRamp for SaaS
The following sections describe configuration procedures for Cloud OnRamp for SaaS features.
Enable Cloud OnRamp for SaaS, Cisco IOS XE SD-WAN Devices
You can enable Cloud OnRamp for SaaS in your Cisco SD-WAN overlay network on sites with Direct Internet Access (DIA) and on DIA sites that access the internet. You can also enable Cloud OnRamp for SaaS on client sites that access the internet through another site in the overlay network, called a gateway site. Gateway sites can include regional data centers or carrier-neutral facilities.
When you enable Cloud OnRamp for SaaS on a client site that accesses the internet through a gateway, you also enable Cloud OnRamp for SaaS on the gateway site.
Enable Cloud OnRamp for SaaS
Configure Applications for Cloud onRamp for SaaS Using Cisco vManage
Configure Sites for Cloud onRamp for SaaS Using Cisco vManage
Configure two types of sites:
Configure Client Sites
To configure Cloud OnRamp for SaaS on client sites that access the internet through gateways, configure Cloud OnRamp for SaaS both on the client sites and on the gateway sites.
Client sites in the Cloud onRamp service choose the best gateway site for each application to use for accessing the internet.
Edit Interfaces on Gateway Sites
Configure Direct Internet Access (DIA) Sites
Edit Interfaces on Direct Internet Access (DIA) Sites
To return to the Cloud OnRamp for SaaS Dashboard, select .
Enable Application Feedback Metrics for Office 365 Traffic
Beginning with Cisco IOS XE Release 17.4.1a, you can enable the following types of application feedback from additional sources. Cloud onRamp for SaaS can use these metrics to help determine the best path for Office 365 traffic. See Best Path Determination.
Before You Begin
Enable Application Feedback Metrics for Office 365 Traffic
Enable Microsoft to Provide Telemetry for Office 365 Traffic
You can enable Microsoft Exchange cloud servers to calculate traffic metrics for Microsoft Exchange traffic coming from specific interfaces in the Cisco SD-WAN overlay. Using the Microsoft Azure portal, you specify which interfaces to include, indicating the interfaces by their public IP addresses. This is called opting in the interfaces. For the specified interfaces, Microsoft identifies the Office 365 traffic by packet source ID and provides metrics that Cloud onRamp for SaaS can use to determine the best path for the Office 365 traffic.
Before You Begin
Enable Microsoft to Provide Telemetry for Office 365 Traffic
Enable Webex for Cloud onRamp for SaaS
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
To enable Cloud onRamp for SaaS to determine the best path for Webex traffic, enable the Webex application in the same way as other applications. See Enable Cloud onRamp for SaaS, Cisco IOS XE SD-WAN Devices.
Update the Webex Server Information for Cloud onRamp for SaaS
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
Configure the Traffic Category and Service Area for Specific Policies Using Cisco vManage
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a
Before You Begin
To edit the service area and traffic category, you must enable Monitoring and Policy/Cloud SLA for the Microsoft 365 application with a minimum of one service area. For information, see Configure Applications for Cloud onRamp for SaaS Using Cisco vManage.
Configure the Traffic Category and Service Area
Configure AAR Policy to Enable Cloud OnRamp Operation on Specific Applications at Specific Sites Using Cisco vManage
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1
Enable Application Visibility and Flow Visibility
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a
Enable Visibility and Flow Visibility Using Cisco vManage
Enable Application Visibility and Flow Visibility Using a CLI Template
For more information about using CLI templates, see CLI Add-On Feature Templates and CLI Templates.
Configure Visibility for Microsoft 365 SaaS traffic Using Cisco vManage
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a
Enable a Device to Provide Data for the Visualization of Microsoft 365 Traffic
View Application Usage Information for Microsoft 365 SaaS Traffic
Verify Cloud onRamp for SaaS
The following section(s) describe the procedures for verifying Cloud OnRamp for SaaS features.
Verify That an Application is Enabled for Cloud onRamp for SaaS
Verify Changes to the Configuration of the Traffic Category and Service Area for Specific Policies Using Cisco vManage
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a
Or
Verify Which Applications Are Enabled for Specific Devices Using Cisco vManage
Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1
Verify Which Applications Are Enabled for a Specific Policy Using Cisco vManage
Monitor Cloud onRamp for SaaS
The following section(s) describe the procedures for monitoring Cloud OnRamp for SaaS features.
View Details of Monitored Applications
Monitor the Status of Webex for Cloud onRamp for SaaS
Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1
View Office 365 Server Information Using the SD-AVC Cloud Connector
Before You Begin
View Office 365 Server Information
Cloud onRamp for SaaS Over SIG Tunnels
Prerequisites for Cloud onRamp for SaaS Over SIG Tunnels
Restrictions for Cloud onRamp for SaaS Over SIG Tunnels
Information About Cloud onRamp for SaaS Over SIG Tunnels
Using Cloud OnRamp for SaaS, a site can connect to SaaS applications through the following:
When you configure Cloud onRamp for SaaS for a site to connect over SIG tunnels, you have secure access to the SaaS applications over the internet.
Benefits of Cloud onRamp for SaaS Over SIG Tunnels
Connecting to Cloud OnRamp for SaaS over SIG tunnels has the following benefits:
Use Cases for Cloud onRamp for SaaS Over SIG Tunnels
There are different ways through which you can access the SaaS applications over SIG tunnels:
Direct Access to SaaS Applications with Multiple SIG Tunnels from Branch Using DIA
In this scenario:
Access to SaaS Applications with Multiple SIG Tunnels from Branch Using a Gateway
In this scenario:
Access to SaaS Applications with Multiple SIG Tunnels from Branch Using DIA and Gateway
In this scenario:
Configure Cloud onRamp for SaaS Over SIG Tunnels
Configure Cloud onRamp for SaaS over SIG Tunnels Using DIA
Configure Cloud onRamp for SaaS over SIG Tunnels Using a Gateway
To configure Cloud onRamp for SaaS over SIG tunnels using a gateway, perform the following steps:
Configure Cloud onRamp for SaaS Over SIG Tunnels Using the CLI
This section provides sample CLI configurations for Cloud onRamp for SaaS over SIG tunnels.
Configure Cloud OnRamp for SaaS over SIG Tunnels for DIA and Gateway Sites
Enable NBAR Protocol Discovery for Cloud OnRamp for SaaS Over SIG Tunnels for Gateway Sites
Example
The following example configures Cloud onRamp for SaaS over SIG tunnels for a gateway site and enables NBAR protocol discovery on tunnel interfaces Tunnel100001 and Tunnel100002.
Configure VPN with Loopback Interfaces
Monitor Cloud onRamp for SaaS Over SIG Tunnels
To monitor Cloud onRamp for SaaS over SIG tunnels, perform the following steps:
Monitor Cloud onRamp for SaaS Over SIG Tunnels Using the CLI
Example 1
The following is a sample output from the show sdwan cloudexpress local-exits command on Cisco IOS XE SD-WAN devices. This example displays the application loss and latency on each DIA interface that is enabled for Cloud OnRamp for SaaS.
Example 2
The following is a sample output from the show sdwan cloudexpress gateway-exits command on Cisco IOS XE SD-WAN devices. This example displays the loss and latency on each gateway exit for applications that are configured with Cloud OnRamp for SaaS.
Example 3
The following is a sample output from the show sdwan cloudexpress applications command on Cisco IOS XE SD-WAN devices. This example displays the best path for applications that are configured with Cloud OnRamp for SaaS. The best path could be a local interface with DIA, or the path to a remote gateway.
Example 4
The following is a sample output from the show ip route vrf command on Cisco IOS XE SD-WAN devices. This example displays the IP routing table that is associated with a specific VPN routing and forwarding (VRF) instance.
Example 5
The following is a sample output from the show sdwan run probe-path command on Cisco IOS XE SD-WAN devices. This example displays the probe path for SIG tunnels.
Configuration Example for Cloud onRamp for SaaS Over SIG Tunnels
The following example shows the configuration of Cloud onRamp for SaaS over SIG tunnels:
Example