What type of traffic is described as requiring latency to be no more than 400 milliseconds (ms)?

Cloud onRamp for SaaS, Cisco IOS XE Release 17.3.1a and Later

Table 1. Feature History

| Feature Name | Release Information | Description |
|---|---|---|
| Support for Specifying Office 365 Traffic Categories for Cloud onRamp for SaaS on Cisco IOS XE SD-WAN Devices | Cisco IOS XE Release 17.3.1a; Cisco vManage Release 20.3.1 | This feature updates the existing Cloud onRamp for SaaS configuration workflow for Cisco IOS XE SD-WAN devices. The feature allows you to limit the use of best path selection to some or all Office 365 traffic, according to the Office 365 traffic categories defined by Microsoft. |
| Application Feedback Metrics for Office 365 Best Path Selection on Cisco IOS XE SD-WAN Devices | Cisco IOS XE Release 17.4.1a; Cisco vManage Release 20.4.1 | This feature adds new metrics as inputs to the best-path selection algorithm for Office 365 traffic. The new inputs include best-path metrics from Microsoft Cloud Services. The feature also provides a new page for viewing detailed logs of the input data used by the best path algorithm. |
| Load Balancing Across Multiple Interfaces | Cisco IOS XE Release 17.5.1a; Cisco vManage Release 20.5.1 | This feature adds the ability to balance traffic for cloud applications across multiple DIA interfaces. |
| Support for Cloud OnRamp for SaaS Probing through VPN 0 Interfaces at Gateway Sites | Cisco IOS XE Release 17.6.1a; Cisco vManage Release 20.6.1 | Cloud OnRamp for SaaS tests the performance of (probes) routing paths to find the best routing path for specific cloud application traffic. Using the best routing path for the traffic of a cloud application optimizes the performance of the application. This feature enables Cloud OnRamp for SaaS to probe through VPN 0 interfaces at gateway sites as part of determining the best path to use for the traffic of specified cloud applications. This extends the best path probing to include more of the available interfaces connected to the internet. Using this feature, Cloud OnRamp for SaaS can probe interfaces at a gateway site, whether they use service VPNs (VPN 1, VPN 2, and so on) or the transport VPN (VPN 0). This is helpful when a branch site connects to the internet, exclusively or in part, through a gateway site that uses a VPN 0 interface to connect to the internet. |
| Cloud onRamp for SaaS Support for Webex | Cisco IOS XE Release 17.7.1a; Cisco vManage Release 20.7.1 | This feature adds Webex to the list of cloud applications supported by Cloud onRamp for SaaS. Cloud onRamp for SaaS can determine the best network path to Webex cloud servers. Cisco vManage periodically downloads a list of Webex servers organized by geographic region. Cloud onRamp for SaaS uses this server list to help calculate the best network path for Webex traffic in different regions. |
| Support for Using Microsoft Telemetry Metrics for Microsoft 365 SharePoint and Teams Traffic | Cisco IOS XE Release 17.7.1a; Cisco SD-WAN Release 20.7.1 | This feature adds support for using Microsoft telemetry metrics for Microsoft 365 SharePoint and Teams. Cloud onRamp for SaaS uses the metrics data when determining the best path for Office 365 traffic. |
| View Details of Microsoft Telemetry and View Application Server Information for Office 365 Traffic | Cisco IOS XE Release 17.8.1a; Cisco vManage Release 20.8.1 | This feature adds better visibility into how Cloud onRamp for SaaS determines the best path for Microsoft Office 365 traffic, if you have opted to use Microsoft telemetry. One enhancement is a chart that shows how Microsoft rates the connection quality of different interfaces, specifically for different types (called service areas) of Office 365 traffic. This is helpful for troubleshooting Office 365 performance issues. Another addition is the SD-AVC Cloud Connector page, which shows a list of Microsoft URL and IP endpoints and categories that Cisco SD-WAN receives from Microsoft Cloud. |
| Configure the Traffic Category and Service Area for Specific Policies | Cisco vManage Release 20.9.1; Cisco IOS XE Release 17.5.1a | You can edit AAR policies individually to change the specified Microsoft 365 traffic category and service area for specific AAR policies. |
| Enable Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites | Cisco vManage Release 20.9.1; Cisco IOS XE Release 17.2.1 | This feature allows you to selectively delete AAR policy sequences to exclude Cloud OnRamp for SaaS operation on specific applications at specific sites. |
| Improved Visibility for Microsoft 365 Traffic | Cisco vManage Release 20.9.1; Cisco IOS XE Release 17.9.1a | This feature provides improved visibility to allow you to monitor the details of Microsoft 365 traffic processed by Cloud OnRamp for SaaS. |
| Option to Include or Exclude Microsoft Telemetry Data from Best Path Decision for Microsoft 365 Traffic | Cisco vManage Release 20.9.1 | This feature allows you to choose whether Cloud OnRamp for SaaS should factor in the Microsoft telemetry data in the best path decision. If you disable this option, you can still view the Microsoft telemetry data in the Cisco vAnalytics dashboard, but it does not affect the best path decision. |

Many organizations rely on software-as-a-service (SaaS) applications for business-critical functions. These cloud-based services include Amazon AWS, Box, Dropbox, Google Apps, Office 365, and many others. As cloud-based services, these SaaS applications must communicate with their own remote servers, which are available through internet connections.

At remote sites, SaaS applications may pose these special challenges:

  • Performance: If remote sites, such as branch offices, route SaaS traffic through a centralized location, such as a data center, performance degrades, with latency that affects the user experience.

  • Inability to optimize routing: Network administrators may not have any visibility into the performance of these SaaS applications, or any ability to change the routing of the SaaS traffic to more efficient paths.

Cloud onRamp for SaaS (formerly called CloudExpress service) addresses these challenges. It enables you to select specific SaaS applications and interfaces, and to let Cisco SD-WAN determine the best performing path for each SaaS application, using the specified interfaces. For example, you can enable:

  • routing through a direct internet access (DIA) connection at a branch site, if available

  • routing through a gateway location, such as a regional data center

Ensuring the best path for cloud traffic is critical. SD-WAN monitors each available path for each SaaS application continually, so if a problem occurs in one path, it can adjust dynamically and move SaaS traffic to a better path.

Information About Cloud onRamp for SaaS

Common Scenarios for Using Cloud onRamp for SaaS

For an organization using SD-WAN, a branch site typically routes SaaS application traffic by default over SD-WAN overlay links to a data center. From the data center, the SaaS traffic reaches the SaaS server.

For example, in a large organization with a central data center and branch sites, employees might use Office 365 at a branch site. By default, the Office 365 traffic at a branch site would be routed over SD-WAN overlay links to a centralized data center, and from there to the Office 365 cloud server.

Scenario 1: If the branch site has a direct internet access (DIA) connection, you may choose to improve performance by routing the SaaS traffic through that direct route, bypassing the data center.

Scenario 2: If the branch site connects to a gateway site that has DIA links, you may choose to enable SaaS traffic to use the DIA of the gateway site.

Scenario 3: Hybrid method.

Scenario 1: Cloud Access through Direct Internet Access Links

In this scenario, a branch site has one or more direct internet access (DIA) links, as shown in the illustration below.

Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application through the DIA links or through the SD-WAN overlay links. Note that the best connection may differ for different SaaS applications. For example, Office 365 traffic may be faster through one link, and Dropbox traffic may be faster through a different link.

Scenario 2: Cloud Access through a Gateway Site

In this scenario, a branch site has one or more direct connections to a gateway site, and the gateway site has links to the internet.

Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application through the gateway site. If the branch site connects to more than one gateway site, SD-WAN ensures that SaaS traffic uses the best path for each SaaS application, even through different gateway sites.

Scenario 3: Hybrid Approach

In this scenario, a branch site has both direct internet access (DIA) links, and links to a gateway site, which also has links to the internet.

Using Cloud onRamp for SaaS, SD-WAN can select the best connection for each SaaS application, either through DIA links or through the gateway site.

Specify Office 365 Traffic Category

When enabling Cloud onRamp for SaaS to manage Office 365 traffic, you can limit Cloud onRamp for SaaS path selection to apply to some or all Office 365 traffic, with the following options:

  • Optimize traffic

  • Optimize and Allow traffic

  • All Office 365 traffic

These options correspond to the three categories of Office 365 traffic that Microsoft defines as follows:

  • Optimize: Traffic most sensitive to network performance, latency, and availability.

  • Allow: Traffic less sensitive to network performance, latency, and availability.

  • Default: Traffic not sensitive to network performance.

Specifying traffic by Office 365 category requires enabling the Cisco SD-AVC Cloud Connector component in Administration > Settings.

Best Path Determination

Cloud onRamp for SaaS selects the best path for each application using an algorithm that takes input from the following sources.

| No. | Input | All Cloud Application Traffic | Office 365 Traffic |
|---|---|---|---|
| 1 | Cloud onRamp for SaaS metrics based on path probing | Yes | Yes |
| 2 | Application response time (ART) metrics | No | Yes (if enabled) |
| 3 | Microsoft telemetry metrics | No | Yes (if enabled) |

For Office 365 traffic, you can view a log of the metrics that factor into the best-path determination. The metrics appear in a Cisco vAnalytics page specifically designed to display only this information, and available directly from Cisco vManage.

Load Balancing Across Multiple Interfaces

Cloud onRamp for SaaS can determine the best network path for each type of cloud traffic. However, if multiple direct internet access (DIA) interfaces on a WAN edge device at a branch site provide acceptable performance for a cloud application, Cloud onRamp for SaaS can employ load balancing across up to three interfaces to further improve performance.

When you enable load balancing across multiple interfaces of a WAN edge device, load balancing is enabled for all cloud applications that are managed by Cloud onRamp for SaaS. After determining the best path interface for a cloud application, Cloud onRamp compares the performance statistics for other interfaces. To use another interface for load balancing, the following must be true:

  • The packet loss value of the interface cannot vary from the packet loss value of the best path interface by more than a configured value (%). You can configure a smaller value to restrict load balancing only to interfaces with a packet loss value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher packet loss than the best path interface.

  • The latency value of the interface cannot vary from the latency value of the best path interface by more than a configured value (milliseconds). You can configure a smaller value to restrict load balancing only to interfaces with a latency value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher latency than the best path interface.

If required, you can select an option to ensure that all traffic from a single host uses a single interface – for example, to ensure that DNS and application traffic use the same path.
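
The two thresholds and the single-host option described above, worked through as an added example (not Cisco code). The interface names, statistics, function names, the tie-breaking rule when more than three interfaces qualify, and the hash used to pin a host are all assumptions made for illustration.

```python
# Added illustration, not Cisco code. Interface names and statistics are constructed.
import hashlib
from dataclasses import dataclass

MAX_LB_INTERFACES = 3  # "load balancing across up to three interfaces"


@dataclass(frozen=True)
class PathStats:
    interface: str
    loss_pct: float    # packet loss, in percent
    latency_ms: float  # latency, in milliseconds


# Constructed sample measurements for one cloud application.
SAMPLE_BEST = PathStats("GigabitEthernet1", 0.5, 40.0)
SAMPLE_OTHERS = [
    PathStats("GigabitEthernet2", 0.8, 46.0),
    PathStats("GigabitEthernet3", 3.0, 45.0),
    PathStats("GigabitEthernet4", 0.6, 95.0),
    PathStats("GigabitEthernet5", 1.4, 48.0),
]


def load_balance_set(best, others, loss_variance_pct, latency_variance_ms):
    """Return interface names: the best path first, then interfaces within both thresholds."""
    def gaps(p):
        return (abs(p.loss_pct - best.loss_pct), abs(p.latency_ms - best.latency_ms))

    close = [p for p in others
             if p.interface != best.interface
             and gaps(p)[0] <= loss_variance_pct
             and gaps(p)[1] <= latency_variance_ms]
    # Assumption: if more interfaces qualify than fit, keep those closest to the best path.
    close.sort(key=gaps)
    return [best.interface] + [p.interface for p in close[:MAX_LB_INTERFACES - 1]]


def pick_interface(interfaces, src_host, flow_id, pin_host):
    """Map a flow to an interface. With pin_host, only the source host feeds the hash,
    so DNS and application flows from one host leave through the same interface."""
    key = src_host if pin_host else f"{src_host}|{flow_id}"
    digest = hashlib.sha256(key.encode()).digest()
    return interfaces[int.from_bytes(digest[:4], "big") % len(interfaces)]


if __name__ == "__main__":
    # Tight, moderate and loose thresholds over the same measurements.
    for loss_v, lat_v in [(0.1, 1.0), (1.0, 10.0), (5.0, 60.0)]:
        print(loss_v, lat_v, load_balance_set(SAMPLE_BEST, SAMPLE_OTHERS, loss_v, lat_v))
```

With the loosest thresholds all four alternates qualify, so the cap of three decides which interfaces carry traffic; with the tightest, only the best path interface remains.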

Information About Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites

A branch site may connect to the internet through one or more direct internet access (DIA) interfaces at the branch site itself, or through a gateway site, which might use a service VPN or VPN 0 to connect to the internet.

In addition to probing the DIA interfaces at a branch site, Cloud OnRamp for SaaS can probe interfaces at a gateway site, whether they use service VPNs (VPN 1, VPN 2, …) or the transport VPN (VPN 0), when determining the best path to use for the traffic of specified cloud applications. This is helpful when the branch site connects to the internet through a gateway site.

When configuring Cloud OnRamp for SaaS to use the gateway site, specify whether the gateway site uses service VPNs or VPN 0 to connect to the internet, as shown in the following illustrations.

Figure 1. Branch Site Connects to a Gateway Site That Uses Service VPNs to Connect to the Internet
Figure 2. Branch Site Connects to a Gateway Site That Uses VPN 0 to Connect to the Internet

Information About Cloud onRamp for SaaS Support for Webex

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

When you enable Cloud onRamp for SaaS best path determination for an application, Cisco vManage updates match conditions in the application-aware policy in the active centralized policy to support Cloud onRamp for SaaS functionality for the application. For most applications, the match conditions do not require any later update.

For Webex, Cloud onRamp for SaaS uses a more complex method than for most other applications. Cloud onRamp for SaaS maintains a list of worldwide Webex servers. When you enable Cloud onRamp for SaaS best path determination for Webex, Cloud onRamp for SaaS determines the best path for each Webex server worldwide. It adds match conditions in the application-aware policy to address each of the regional Webex servers. This provides the Webex application with the best path to any Webex server worldwide that it may need to connect to.

Table 2. Best Path Determination Method for Webex, Compared with the Method for Other Applications

| Application | Cloud onRamp for SaaS Method |
|---|---|
| Most cloud applications | Cloud onRamp for SaaS determines the best path to the most relevant server for the cloud application, as determined by the DNS response, using the DNS server configured for the device. |
| Webex | Cloud onRamp for SaaS maintains a list of worldwide Webex servers, and determines the best path for all available Webex servers. |

Maintaining an Up-to-Date List of Webex Servers

To maintain an up-to-date list of Webex servers, Cisco vManage periodically retrieves the latest server information and determines whether there are any changes to the information. If Cisco vManage detects that there are changes to the Webex server information, it displays notifications on the Cloud onRamp for SaaS dashboard, prompting you to synchronize the Webex server information. The notifications are shown in a dialog box that appears on the Cloud onRamp for SaaS dashboard page, and in a message in the Webex application pane that appears on the dashboard.

Information About the SD-AVC Cloud Connector

Minimum supported release: Cisco vManage Release 20.8.1

Cisco SD-WAN uses a component called SD-AVC Cloud Connector to collect information from Microsoft Cloud about the Microsoft application servers that handle Office 365 traffic. The information includes the transport protocols for the traffic, and the domain names, IP addresses, and ports of the application servers that manage the traffic. This server information improves the process of identifying network traffic, for example by making it possible to identify traffic from the first packet. Improving traffic identification enhances the effectiveness of application-aware routing policies because policies can often match all traffic, from the first packet.

The SD-AVC Cloud Connector page provides visibility into the application servers that are used for Office 365 traffic. It provides a table of the server information that Cisco SD-WAN has collected for Office 365 traffic. For example, the table may indicate that the domains represented by *-admin.sharepoint.com correspond to Sharepoint traffic. In this case, any traffic flow with a destination domain included in those domains, such as connect-admin.sharepoint.com, can be identified as Sharepoint traffic from the first packet of the flow.

Information About Viewing Path Scores for Office 365 Traffic

Minimum supported release: Cisco vManage Release 20.8.1

For Office 365 traffic, you can view charts showing the path scores (OK, NOT-OK, or INIT) provided by Microsoft telemetry for each Microsoft service area, including Exchange, Sharepoint, and Skype. The chart shows the path scores over time for each available interface.

Viewing the path score history can be useful when troubleshooting network performance issues for Office 365 traffic—for example, to determine whether Microsoft consistently rates a particular interface as NOT-OK for some types of traffic, such as Skype traffic. If that occurs, you can investigate why the interface is consistently receiving a low path score.

Information About Configuring the Traffic Category and Service Area for Specific Policies

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a

When you enable Microsoft 365 on the Applications and Policy page, and choose a traffic category, Cloud OnRamp for SaaS adds sequences to all application-aware routing (AAR) policies to enable Cloud OnRamp for SaaS operation on Microsoft 365 traffic, in accordance with the traffic category that you have chosen. Adding these sequences to the AAR policies enables Cloud OnRamp for SaaS operation on this traffic, with the selected traffic category.

Starting from Cisco vManage Release 20.9.1, you can edit the sequences in AAR policies individually to change the specified Microsoft 365 traffic category and service area for specific AAR policies.

Note

This feature is only available for the Microsoft 365 application.


Benefits of Configuring the Traffic Category and Service Area for Specific Policies

By editing individual AAR policies, you can enable Cloud OnRamp for SaaS to operate on different Microsoft 365 service areas and traffic categories in different policies.

Information About Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

Starting from Cisco vManage Release 20.9.1, you can selectively enable Cloud OnRamp for SaaS to operate for a particular application at specific sites, while excluding other sites. When you enable an application on the Applications and Policy page, Cloud OnRamp for SaaS adds AAR policy sequences that match traffic for the selected application and direct the traffic in accordance with the Cloud OnRamp for SaaS best path calculation. This has the effect of enabling Cloud OnRamp for SaaS operation at all sites.

To exclude Cloud OnRamp for SaaS operation for applications at specific sites, you can edit an AAR policy and delete a specific application within the AAR policy. This disables Cloud OnRamp for SaaS activity for that application on sites that use the AAR policy.

In contrast to editing the traffic category or service area for specific policies (see Information About Configuring the Traffic Category and Service Area for Specific Policies), which works only with Microsoft 365 traffic, you can use this feature to enable or exclude any SaaS application.

Benefits of Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites

This feature enables granular, site-level control of applications that Cloud OnRamp for SaaS operates on at each site in the network.

Information About Visibility for Microsoft 365 SaaS Traffic

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a

Cisco vManage Release 20.9.1 introduces improved application visibility, enabling you to monitor Microsoft 365 traffic processed by Cloud OnRamp for SaaS in more detail. You can view, in graph or table formats, the volume of Microsoft 365 traffic over time, with details as to how much traffic used a direct internet access (DIA) link, and how much was routed through a gateway site. The monitoring page also shows the volume of traffic that Cloud OnRamp for SaaS does not affect.

Benefits of Visibility for Microsoft 365 SaaS traffic

Visibility into the details of how Cloud OnRamp for SaaS is routing traffic can be helpful when troubleshooting traffic routing issues.

Information About Including or Excluding Microsoft Telemetry Data from the Best Path Decision for Microsoft 365 Traffic

Minimum releases: Cisco vManage Release 20.9.1

From Cisco vManage Release 20.9.1, you can control whether the Cloud OnRamp for SaaS best path decision includes Microsoft telemetry data as a factor for Microsoft 365 traffic. When enabling telemetry for Microsoft 365 (Office 365) traffic, the Application Feedback dialog box contains a Traffic Steering check box. Check this check box to enable the use of Microsoft telemetry data in best path decisions. For information, see Enable Application Feedback Metrics for Office 365 Traffic.

Even when you elect not to use Microsoft telemetry data in best path decisions, you can view the telemetry data. You can view the telemetry data related to the Microsoft 365 application, as well as detailed information about the best path decisions made on devices, using Cisco vAnalytics. For information about Cisco vAnalytics, see Cisco vAnalytics.

For information about enabling Microsoft to provide telemetry for Microsoft 365 traffic, see Enable Microsoft to Provide Telemetry for Office 365 Traffic.

After Upgrading Cisco vManage

If you have enabled Microsoft telemetry on a previous release of Cisco vManage, and are now upgrading to Cisco vManage Release 20.9.1, Cloud OnRamp for SaaS does not automatically enable the use of Microsoft telemetry data in best path decisions. To ensure that devices use Microsoft telemetry for best path decisions, if you have configured that option, perform one of the following:

  • Disable and enable Microsoft telemetry for Microsoft 365 traffic. See Enable Application Feedback Metrics for Office 365 Traffic

  • Disable and enable monitoring for Microsoft 365 traffic. See Configure Applications for Cloud OnRamp for SaaS Using Cisco vManage

  • Perform the following steps:

    1. Detach and attach sites and gateways. See Configure Client Sites.

    2. From the Cisco vManage menu, choose .

    3. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy. The Applications and Policy page displays all SaaS applications.

    4. Click Save Applications and Next. This sends the traffic steering values to devices at each site.

Benefits of Cloud onRamp for SaaS

Benefits of Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites

In some network scenarios, a site connects to the internet, entirely or in part, through a gateway site that uses a VPN 0 interface to connect to the internet. This is in contrast to using service VPNs (VPN 1, VPN 2, …).

When the gateway site connects to the internet using VPN 0, the best path to cloud application servers may be through the VPN 0 interface. When Cloud onRamp for SaaS probes for the best path for the traffic of specified cloud applications, it can probe through VPN 0 interfaces at gateway sites. This extends the best path options to include more of the available interfaces connected to the internet.

Note

A branch site that connects to the internet through a gateway site may also connect to the internet through one or more DIA interfaces at the branch site itself.


Benefits of Cloud onRamp for SaaS Support for Webex

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

By maintaining a list of worldwide Webex servers, and determining the best path for all available Webex servers, Cloud onRamp for SaaS provides a high degree of path optimization for Webex traffic. Even if the Webex application connects to a distant cloud server, or connects to different servers at different times, Cloud onRamp for SaaS always provides the best path to any Webex server worldwide.

Supported Devices for Cloud onRamp for SaaS

Cisco IOS XE SD-WAN devices and Cisco vEdge devices support Cloud onRamp for SaaS.

The following table describes the device support for specific Cloud onRamp for SaaS features.

Table 3. Device Feature Support

| Feature | Cisco IOS XE SD-WAN Device Support | Cisco vEdge Device Support |
|---|---|---|
| Basic Cloud onRamp for SaaS functionality | Yes | Yes |
| Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites | Yes | Yes |
| Webex application support | Yes | No |
| Application Feedback Metrics for Office 365 Traffic | Yes | No |
| Microsoft to Provide Traffic Metrics for Office 365 Traffic | Yes | No |
| SD-AVC Cloud Connector | Yes | No |
| Viewing Path Scores for Office 365 Traffic | Yes | No |
| Cloud onRamp for SaaS Over SIG Tunnels | Yes | No |
| SaaS Application Lists | Yes | No |

For information about features supported on Cisco vEdge devices, see Cloud onRamp for SaaS, Cisco SD-WAN Release 20.3.1 and Later.

Prerequisites for Cloud OnRamp for SaaS

The following sections describe the prerequisites for Cloud OnRamp for SaaS features.

Prerequisites for Cloud onRamp for SaaS, General

The prerequisites for using Cloud onRamp for SaaS differ for Cisco vEdge devices and Cisco IOS XE SD-WAN devices. For information about using Cloud onRamp for SaaS with Cisco vEdge devices, see Cloud OnRamp Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.

For Cisco IOS XE SD-WAN devices, the requirements are:

  • The devices must be running Cisco IOS XE Release 17.3.1a or later.

  • The devices must be in vManage mode.

  • All Cisco vSmart Controller instances must be in vManage mode.

  • A centralized policy that includes an application-aware policy must be activated. You can configure more than one centralized policy in Cisco vManage, but only one can be active.

    Note

    This is an important difference from using Cloud onRamp for SaaS with Cisco vEdge devices, which do not have this requirement.


  • Cloud onRamp for SaaS is enabled (Administration > Settings).

To specify traffic by Office 365 traffic category, the following are also required:

  • Cisco SD-AVC is enabled (Administration > Cluster Management).

  • Cisco SD-AVC Cloud Connector is enabled (Administration > Settings). If Cloud Connector is not enabled, policies specifying Office 365 traffic cannot match the Office 365 traffic. The traffic uses the default path, rather than the best path selected by Cloud onRamp for SaaS.

Prerequisites for Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites

Cloud onRamp for SaaS probing through VPN 0 interfaces at gateway sites presupposes that a branch site connects to the internet through a gateway site, and that the gateway site connects to the internet using a VPN 0 interface. The branch site may or may not also connect to the internet through one or more DIA connections.

Prerequisites for Cloud onRamp for SaaS Support for Webex

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

To download the latest information about Webex servers, as described in Maintaining an Up-to-Date List of Webex Servers, Cisco vManage requires access to the internet.

Prerequisites for Configuring the Traffic Category and Service Area for Specific Policies

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a

  • You must have multiple active AAR policies.

  • To edit the service area and traffic category, you must enable Monitoring and Policy/Cloud SLA for the Microsoft 365 application. For information, see Configure Applications for Cloud onRamp for SaaS Using Cisco vManage.

Prerequisites for Enabling Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

Availability of multiple AAR policies associated with different sets of sites.

Prerequisites for Visibility for Microsoft 365 SaaS Traffic

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a

  • Configure app visibility and flow visibility. See Configure App Visibility and Flow Visibility.

  • To view the traffic graphs and log, you must first enable On Demand Troubleshooting.

Prerequisites for Including or Excluding Microsoft Telemetry Data from the Best Path Decision for Microsoft 365 Traffic

Minimum releases: Cisco vManage Release 20.9.1

Enable Microsoft traffic metrics.

See Enable Microsoft to Provide Traffic Metrics for Office 365 Traffic.

Restrictions for Cloud onRamp for SaaS

The following section(s) describe the restrictions applicable to Cloud OnRamp for SaaS features.

Restrictions for Cloud onRamp for SaaS, General

Configuring Cloud onRamp for SaaS when a site is using a loopback as a transport locator (TLOC) interface is not supported.

Configuring Cloud OnRamp for SaaS on Cisco IOS XE SD-WAN devices is supported only through a centralized app-aware policy that uses the match condition "cloud-saas-app-list" and the action "cloud-saas". For mixed deployments that include Cisco SD-WAN and Cisco IOS XE SD-WAN devices, we recommend using different app-aware policies for Cisco SD-WAN and Cisco IOS XE SD-WAN devices.

Note

Beginning with Cisco IOS XE Release 17.8.1a and Cisco SD-WAN Release 20.8.1, Cloud onRamp for SaaS does not support ICMP traffic. This has a minor effect on Webex traffic counters, as compared with Cisco IOS XE Release 17.7.1a and Cisco SD-WAN Release 20.7.1.


Use Cases for Cloud onRamp for SaaS

Use Cases for Cloud OnRamp for SaaS Probing Through VPN 0 Interfaces at Gateway Sites

Enable gateway probing through VPN 0 interfaces if the following conditions apply:

  • A branch site connects to the internet through a gateway site. The branch site may or may not also connect to the internet through one or more DIA interfaces.

  • The gateway site has internet exits that use the transport VPN (VPN 0) through one or more interfaces.

Use Cases for the SD-AVC Cloud Connector

Minimum supported release: Cisco vManage Release 20.8.1

Visibility into server information is helpful when troubleshooting. For example, after creating a policy that applies Cloud onRamp for SaaS only to Office 365 traffic in the Sharepoint service area, you might find that Cisco SD-WAN is not routing the first few flows of Sharepoint traffic on the best path determined by Cloud onRamp for SaaS, and Sharepoint performance is below expectations.

To troubleshoot, you can do the following:

  1. Determine which server the Sharepoint traffic is using.

  2. Open the SD-AVC Cloud Connector page and filter for the term, “sharepoint”.

  3. Look for the Sharepoint server you found in the first step. If that server does not appear in the list, it means that Cloud onRamp for SaaS is not classifying the traffic to that server as Sharepoint traffic. If it is not classified as Sharepoint traffic, it does not use the best path determined by Cloud onRamp for SaaS for the first few flows.

Use Case for Configuring the Traffic Category and Service Area

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a

An organization relies heavily on Microsoft 365 for its office applications, and has configured Cloud OnRamp for SaaS to optimize Microsoft 365 traffic at its headquarters and at each branch office. In addition, it uses an on-premises Outlook server at a data center to handle its company email.

Microsoft distinguishes different types of Microsoft 365 traffic using the following service areas:

  • Common: Microsoft 365 ProPlus, Office in a browser, Azure Active Directory (AD), and other common network endpoints

  • Exchange: Exchange Online and Exchange Online Protection

  • SharePoint: SharePoint Online and OneDrive for Business

  • Skype: Skype for Business and Microsoft Teams

Because the organization uses an on-premises Outlook server, the network administrator chooses to exclude Outlook traffic from the Cloud OnRamp for SaaS optimization of Microsoft 365 traffic. By modifying the AAR policies, they exclude the Exchange service area (for Outlook) from the Microsoft 365 traffic that Cloud OnRamp for SaaS operates on, thereby ensuring the best performance for the email traffic using the on-premises Outlook server.

Use Case for Enabling Specific Applications at Specific Sites

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1r

An organization’s network spans numerous sites. Most of the sites utilize the Box.com cloud storage application, but a subset of sites does not use Box.com.

First, the network administrator creates an AAR policy that serves the subset of sites that do not use Box.com. Next, the network administrator enables Cloud OnRamp for SaaS for Box.com traffic, which enables Cloud OnRamp for SaaS operation at all sites in the network.

To exclude the subset of sites that do not use Box.com, the network administrator edits the AAR policy for that subset of sites, to disable Cloud OnRamp for SaaS operation for Box.com traffic. This has the effect of disabling Cloud OnRamp for SaaS operation for Box.com traffic at that subset of sites only.

Configure Cloud onRamp for SaaS

The following sections describe configuration procedures for Cloud OnRamp for SaaS features.

Enable Cloud OnRamp for SaaS, Cisco IOS XE SD-WAN Devices

You can enable Cloud OnRamp for SaaS in your Cisco SD-WAN overlay network on sites with Direct Internet Access (DIA) and on DIA sites that access the internet. You can also enable Cloud OnRamp for SaaS on client sites that access the internet through another site in the overlay network, called a gateway site. Gateway sites can include regional data centers or carrier-neutral facilities. When you enable Cloud OnRamp for SaaS on a client site that accesses the internet through a gateway, you also enable Cloud OnRamp for SaaS on the gateway site.

Note

You can only enable Cloud OnRamp for SaaS features using the Cisco vManage procedures described in this document. We do not support configuring Cloud OnRamp for SaaS using CLI templates. Even when you configure other features on a device using a CLI template, you must nevertheless use Cisco vManage for configuring Cloud OnRamp for SaaS features.


Enable Cloud OnRamp for SaaS

  1. From the Cisco vManage menu, choose Administration > Settings.

  2. Click Edit, next to Cloud onRamp for SaaS.

  3. In the Cloud onRamp for SaaS field, click Enabled.

  4. Click Save.

Configure Applications for Cloud onRamp for SaaS Using Cisco vManage

  1. Open Cloud onRamp for SaaS.

    • From the Cisco vManage menu, choose Configuration > Cloud onRamp for SaaS.

      or

    • From the Cisco vManage menu, click the cloud icon near the top right and select Cloud onRamp for SaaS.

  2. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy.

    The Applications and Policy window displays all SaaS applications.

  3. Optionally, you can filter the list of applications by clicking an option in the App Type field.

    • Standard: Applications included by default for Cloud onRamp for SaaS.

    • Custom: User-defined SaaS application lists (see Information About SaaS Application Lists).

  4. Enable applications and configure.

    Columns in the Applications and Policy window:

    • Applications: Applications that can be used with Cloud onRamp for SaaS.

    • Monitoring:

      Enabled: Enables Cloud OnRamp for SaaS to initiate the Quality of Experience probing to find the best path.

      Disabled: Cloud onRamp for SaaS stops the Quality of Experience probing for this application.

    • VPN: (Cisco vEdge devices) Specify one or more VPNs.

    • Policy/Cloud SLA: (Cisco IOS XE SD-WAN devices) Select Enable to enable Cloud onRamp for SaaS to use the best path for this application.

      Note: You can select Enable only if a centralized policy that includes an application-aware policy has been activated.

      (Cisco IOS XE SD-WAN devices) For Microsoft 365 (M365), select one of the following to specify which types of M365 traffic to include for best path determination:

      • Optimize: Include only M365 traffic categorized by Microsoft as “Optimize”, the traffic most sensitive to network performance, latency, and availability.

      • Optimize and Allow: Include only M365 traffic categorized by Microsoft as “Optimize” or “Allow”. The “Allow” category of traffic is less sensitive to network performance and latency than the “Optimize” category.

      • All: Include all M365 traffic.

      Starting from Cisco IOS XE Release 17.5.1a, you can choose the service area that your M365 application belongs to. This allows you to apply the policy to only those applications in the specified service area.

      Microsoft allows the following service area options:

      • Common: M365 Pro Plus, Office in a browser, Azure AD, and other common network endpoints.

      • Exchange: Exchange Online and Exchange Online Protection.

      • SharePoint: SharePoint Online and OneDrive for Business.

      • Skype: Skype for Business and Microsoft Teams.

      See the Microsoft documentation for information about updates to the service areas.

  5. Click Save Applications and Next.

    The Application Aware Routing Policy window appears, showing the application-aware policy for the current active centralized policy.

    • You can select the application-aware policy and click Review and Edit to view the policy details. The match conditions of the policy show the SaaS applications for which monitoring has been enabled.

    • For an existing policy, you cannot edit the site list or VPN list.

    • You can create a new policy for sites that are not included in existing centralized policies. If you create a new policy, you must add a VPN list for the policy.

    • You can delete one or more new sequences that have been added for the SaaS applications, or change the order of the sequences.

  6. Click Save Policy and Next. This saves the policy to the Cisco vSmart Controller.
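The traffic category and service area options above decide which Microsoft 365 flows are in scope for best path selection, and the SD-AVC troubleshooting use case depends on whether a server is classified at all. The following offline model of that scoping is an added example, not Cisco's code. The endpoint entries are constructed and use the field names (`serviceArea`, `category`, `urls`, `ips`) and the third category name (`Default`) from Microsoft's published endpoint data; the function names are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample entries (made-up hostnames, documentation-range IPs).
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "urls": ["mail.m365.example"], "ips": ["192.0.2.0/25"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize",
     "urls": ["*.sharepoint.m365.example"], "ips": ["198.51.100.0/24"]},
    {"id": 3, "serviceArea": "SharePoint", "category": "Default",
     "urls": ["*.spcdn.m365.example"]},
    {"id": 4, "serviceArea": "Skype", "category": "Allow",
     "urls": ["*.teams.m365.example"], "ips": ["203.0.113.0/26"]},
    {"id": 5, "serviceArea": "Common", "category": "Allow",
     "urls": ["login.m365.example"], "ips": ["2001:db8:10::/48"]},
]

# vManage option -> Microsoft categories it includes (per the option text).
TRAFFIC_OPTIONS = {
    "Optimize": {"Optimize"},
    "Optimize and Allow": {"Optimize", "Allow"},
    "All": {"Optimize", "Allow", "Default"},
}


def _matches(server, entry):
    """True if a server (IP address or hostname) belongs to an endpoint entry."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        host = server.lower().rstrip(".")
        return any(fnmatchcase(host, p.lower()) for p in entry.get("urls", []))
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in ipaddress.ip_network(n) for n in entry.get("ips", []))


def classify(server, endpoints=SAMPLE_ENDPOINTS):
    """Return (service area, category) of the first matching entry, or None."""
    for entry in endpoints:
        if _matches(server, entry):
            return entry["serviceArea"], entry["category"]
    return None


def in_policy_scope(server, traffic_option, service_areas,
                    endpoints=SAMPLE_ENDPOINTS):
    """Decide whether a server's traffic is in scope, and say why."""
    hit = classify(server, endpoints)
    if hit is None:
        return False, "not classified as Microsoft 365 traffic"
    area, category = hit
    if area not in service_areas:
        return False, f"service area {area} is not selected"
    if category not in TRAFFIC_OPTIONS[traffic_option]:
        return False, f"category {category} is outside '{traffic_option}'"
    return True, f"{area}/{category} is in scope"


if __name__ == "__main__":
    # The use case with an on-premises Outlook server: every area but Exchange.
    areas = {"Common", "SharePoint", "Skype"}
    for server in ("mail.m365.example", "198.51.100.7",
                   "img.spcdn.m365.example", "10.20.30.40"):
        print(server, in_policy_scope(server, "Optimize and Allow", areas))
```

A server that returns `None` from `classify` corresponds to the troubleshooting case in which the server does not appear in the classification list, so its traffic is not treated as belonging to the application.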

Configure Sites for Cloud onRamp for SaaS Using Cisco vManage

Configure two types of sites:

  • Client sites

  • Direct internet access (DIA) sites

Configure Client Sites

To configure Cloud OnRamp for SaaS on client sites that access the internet through gateways, configure Cloud OnRamp for SaaS both on the client sites and on the gateway sites.

Note

You cannot configure Cloud OnRamp for SaaS with Point-to-Point Protocol (PPP) interface on the gateway sites.


Client sites in the Cloud onRamp service choose the best gateway site for each application to use for accessing the internet.

  1. From the Cisco vManage menu, choose . The Cloud OnRamp for SaaS Dashboard appears.

  2. Click Manage Cloud OnRamp for SaaS and choose Client Sites. The page displays the following elements:

    • Attach Sites: Add client sites to Cloud onRamp for SaaS service.

    • Detach Sites: Remove client sites from Cloud onRamp for SaaS service.

    • Client sites table: Display client sites configured for Cloud onRamp for SaaS service.

  3. On the window, click Attach Sites. The Attach Sites dialog box displays all sites in the overlay network with available sites highlighted. For a site to be available, all devices at that site must be running in vManage mode.

  4. Choose one or more client sites from Available Sites and move them to Selected Sites.

  5. Click Attach. The Cisco vManage NMS saves the feature template configuration to the devices. The Task View window displays a Validation Success message.

  6. From the Cisco vManage menu, choose to return to the Cloud OnRamp for SaaS Dashboard screen.

  7. Click Manage Cloud OnRamp for SaaS and choose Gateways. The page displays the following elements:

    • Attach Gateways: Attach gateway sites.

    • Detach Gateways: Remove gateway sites from the Cloud onRamp service.

    • Edit Gateways: Edit interfaces on gateway sites.

    • Gateways table: Display gateway sites configured for Cloud onRamp service.

  8. In the Manage Gateways window, click Attach Gateways. The Attach Gateways dialog box displays all sites in your overlay network with available sites highlighted. For a site to be available, all devices at that site must be running in vManage mode.

  9. In the Device Class field, choose one of the following operating systems:

    • Cisco OS: Cisco IOS XE SD-WAN devices

    • Viptela OS (vEdge): Cisco vEdge devices

  10. Choose one or more gateway sites from Available Sites and move them to Selected Sites.

  11. (Cisco vEdge devices for releases before Cisco IOS XE Release 17.7.1a) To specify GRE interfaces for Cloud OnRamp for SaaS to use, perform the actions in Steps 11a through 11d.

    (Cisco vEdge devices for releases from Cisco IOS XE Release 17.7.1a) To specify the VPN 0 interfaces or service VPN interfaces in gateway sites for Cloud OnRamp for SaaS to use, perform the actions in Steps 11a through 11d.

    Note

    If you do not specify interfaces for Cloud OnRamp for SaaS to use, the system selects a NAT-enabled physical interface from VPN 0.


    1. Click Add interfaces to selected sites (optional), located in the bottom-right corner of the Attach Gateways window.

    2. Click Select Interfaces.

    3. From the available interfaces, choose the GRE interfaces to add (for releases before Cisco IOS XE Release 17.7.1a), or the VPN 0 interfaces or service VPN interfaces to add (for releases from Cisco IOS XE Release 17.7.1a).

    4. Click Save Changes.

  12. (Cisco IOS XE SD-WAN devices) To configure the routers at a gateway site, perform the following steps.

    Note

    If you don’t specify interfaces for Cloud OnRamp for SaaS, an error message indicates that the interfaces aren’t VPN 0.


    1. Click Add interfaces to selected sites.

    2. The Attach Gateways window shows each WAN edge router at the gateway site.

      Beginning with Cisco IOS XE Release 17.6.1a, you can choose Service VPN or VPN 0 if the gateway uses Cisco IOS XE SD-WAN devices.

      • If the routers at the gateway site connect to the internet using service VPN connections (VPN 1, VPN 2, …), choose Service VPN.

      • If the routers at the gateway site connect to the internet using VPN 0, choose VPN 0.

      Note

      • Correctly choosing Service VPN or VPN 0 requires information about how the gateway site connects to the internet.

      • All WAN edge routers at the gateway site must use either service VPN or VPN 0 connections for internet access. Cloud OnRamp for SaaS does not support a mix of both.


    3. Do one of the following:

      • If you chose Service VPN, then for each WAN edge router, choose the interfaces to use for internet connectivity.

      • If you chose VPN 0, then either choose All DIA TLOC, or choose TLOC list and specify the colors to include in the TLOC list.

    4. To enable load balancing for cloud application traffic across multiple interfaces on the WAN edge device, check the Enable Load Balancing check box. (See Load Balancing Across Multiple Interfaces.)

    5. Configure the load-balancing options:

      • Loss (%): After determining the best path interface for a cloud application, Cloud onRamp compares the performance statistics for other interfaces. To use another interface for load balancing, the packet loss value of the interface cannot vary from the packet loss value of the best path interface by more than this configured value.

        You can configure a smaller value to restrict load balancing only to interfaces with a packet loss value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher packet loss than the best path interface.

        For example, if the best path interface has a packet loss value of 2% and the Loss value is 10, then another interface can be used for load balancing only if its packet loss value is no more than 12%.

        Range: 0 to 100

        Default: 10

      • Latency (milliseconds): To use another interface for load balancing, the latency value of the interface can’t vary from the latency of the best path interface by more than this number of milliseconds.

        You can configure a smaller value to restrict load balancing only to interfaces with a latency value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher latency than the best path interface.

        For example, if the best path interface has a latency of 5 milliseconds, and the Latency value is set to 50, then another interface can be used for load balancing only if its latency is no more than 55 milliseconds.

        Range: 1 to 1000

        Default: 50

      • Source IP based Load Balancing: To ensure that all traffic from a single host uses a single interface, enable this option.

        For example, to ensure that DNS and application traffic use the same path, enable this option.

    6. Click Save Changes.

  13. Click Attach. Cisco vManage saves the feature template configuration to the devices. The Task View window displays a Validation Success message.

  14. To return to the Cloud OnRamp for SaaS Dashboard, from the Cisco vManage menu, choose .

Edit Interfaces on Gateway Sites

  1. Select the sites you want to edit and click Edit Gateways.

  2. In the Edit Interfaces of Selected Sites window, select a site to edit.

    • To add interfaces, click the Interfaces field to select available interfaces.

    • To remove an interface, click the X beside its name.

    • To enable load balancing for cloud application traffic across multiple interfaces on the WAN edge device, check the Enable Load Balancing check box, and configure the load balancing options. (See Load Balancing Across Multiple Interfaces.)

      • Loss (%): After determining the best path interface for a cloud application, Cloud onRamp compares the performance statistics for other interfaces. To use another interface for load balancing, the packet loss value of the interface cannot vary from the packet loss value of the best path interface by more than this configured value.

        You can configure a smaller value to restrict load balancing only to interfaces with a packet loss value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher packet loss than the best path interface.

        For example, if the best path interface has a packet loss value of 2% and the Loss value is 10, then another interface can be used for load balancing only if its packet loss value is no more than 12%.

        Range: 0 to 100

        Default: 10

      • Latency (milliseconds): To use another interface for load balancing, the latency value of the interface cannot vary from the latency of the best path interface by more than this number of milliseconds.

        You can configure a smaller value to restrict load balancing only to interfaces with a latency value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher latency than the best path interface.

        For example, if the best path interface has a latency of 5 milliseconds, and the Latency value is set to 50, then another interface can be used for load balancing only if its latency is no more than 55 milliseconds.

        Range: 1 to 1000

        Default: 50

      • Source IP based Load Balancing: To ensure that all traffic from a single host uses a single interface, enable this option.

        For example, to ensure that DNS and application traffic use the same path, enable this option.

  3. Click Save Changes to push the template to the device(s).
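The Loss (%) and Latency options described above act as upper bounds relative to the best path interface. The following added example (not Cisco's code) works that rule through with the documented defaults and ranges, treating both bounds as required together, which is an assumption. The interface names and statistics are constructed, and the hash used to pin a source IP to one interface is an illustrative stand-in for the device's own method, which the page does not describe.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PathStats:
    interface: str
    loss_pct: float      # measured packet loss, percent
    latency_ms: float    # measured latency, milliseconds


def eligible_interfaces(best, others, loss=10, latency=50):
    """Interfaces usable for load balancing next to the best path interface.

    loss and latency are the configured Loss (%) and Latency (milliseconds)
    values; the defaults and accepted ranges are the documented ones.
    """
    if not 0 <= loss <= 100:
        raise ValueError("Loss (%) must be in the range 0 to 100")
    if not 1 <= latency <= 1000:
        raise ValueError("Latency must be in the range 1 to 1000 ms")
    chosen = [best.interface]
    for path in others:
        if path.interface == best.interface:
            continue
        # Assumption: an interface must satisfy both bounds to be used.
        if (path.loss_pct - best.loss_pct <= loss
                and path.latency_ms - best.latency_ms <= latency):
            chosen.append(path.interface)
    return chosen


def pin_by_source_ip(src_ip, interfaces):
    """Map one host to one interface so all of its flows share a path.

    Illustrative scheme only: hash the packed address and index into the
    sorted interface list, so the result does not depend on list order.
    """
    if not interfaces:
        raise ValueError("no eligible interfaces")
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    ordered = sorted(interfaces)
    return ordered[int.from_bytes(digest[:4], "big") % len(ordered)]


# Constructed measurements matching the documented examples:
# best path at 2% loss and 5 ms latency.
BEST = PathStats("GigabitEthernet1", 2.0, 5.0)
OTHERS = [
    PathStats("GigabitEthernet2", 12.0, 55.0),  # exactly at both limits
    PathStats("GigabitEthernet3", 12.5, 20.0),  # loss 0.5 points too high
    PathStats("GigabitEthernet4", 3.0, 56.0),   # latency 1 ms too high
]

if __name__ == "__main__":
    usable = eligible_interfaces(BEST, OTHERS)
    print("usable with defaults:", usable)
    for host in ("10.1.1.10", "10.1.1.11", "10.1.1.10"):
        print(host, "->", pin_by_source_ip(host, usable))
```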

Configure Direct Internet Access (DIA) Sites

Note

Cloud onRamp for SaaS requires an SD-WAN tunnel to each physical interface to enable SaaS probing through the interface. For a physical interface configured for DIA only, without any SD-WAN tunnels going to the SD-WAN fabric, configure a tunnel interface with a default or any dummy color in order to enable use of Cloud onRamp for SaaS. Without a tunnel interface and color configured, no SaaS probing can occur on a DIA-only physical interface.


  1. From the Cisco vManage menu, choose .

  2. From the Manage Cloud OnRamp for SaaS drop-down list, located to the right of the title bar, choose Direct Internet Access (DIA) Sites.

    The Manage DIA window provides options to attach, detach, or edit DIA sites, and shows a table of sites configured for the Cloud onRamp service.

  3. Click Attach DIA Sites. The Attach DIA Sites dialog box displays all sites in your overlay network with available sites highlighted. For a site to be available, all devices at that site must be running in vManage mode.

  4. In the Device Class field, select one of the following:

    • Cisco OS: Cisco IOS XE SD-WAN devices

    • Viptela OS (vEdge): Cisco vEdge devices

  5. Choose one or more DIA sites from Available Sites and move them to Selected Sites.

  6. (For Cisco vEdge devices) By default, if you don’t specify interfaces for Cloud OnRamp for SaaS to use, the system selects all NAT-enabled physical interfaces from VPN 0. Use the following steps to specify particular interfaces for Cloud OnRamp for SaaS.

    Note

    You can’t select a loopback interface.


    1. Click the link, Add interfaces to selected sites (optional), located in the bottom-right corner of the window.

    2. In the Select Interfaces drop-down list, choose interfaces to add.

    3. Click Save Changes.

  7. (For Cisco IOS XE SD-WAN devices, optional) Specify TLOCs for a site.

    Note

    Configuring Cloud onRamp for SaaS when using a loopback as a TLOC interface is not supported.


    Note

    If you do not specify TLOCs, the All DIA TLOC option is used by default.


    1. Click the Add TLOC to selected sites link at the bottom-right corner of the Attach DIA Sites dialog box.

    2. In the Edit Interfaces of Selected Sites dialog box, choose All DIA TLOC, or TLOC List and specify a TLOC list.

    3. Click Save Changes.

  8. Click Attach. The Cisco vManage NMS saves the feature template configuration to the devices. The Task View window displays a Validation Success message.

  9. To return to the Cloud OnRamp for SaaS Dashboard, from the Cisco vManage menu, choose .

Edit Interfaces on Direct Internet Access (DIA) Sites

  1. Select the sites to edit and click Edit DIA Sites.

  2. (Cisco vEdge devices) On the Edit Interfaces of Selected Sites screen, select a site to edit.

    • To add interfaces, click the Interfaces field to select available interfaces.

    • To remove an interface, click the X beside its name.

  3. (Cisco IOS XE SD-WAN devices) In the Edit Interfaces of Selected Sites dialog box, do the following:

    1. Click All DIA TLOC to include all TLOCs, or click TLOC List to select specific TLOCs.

  4. Click Save Changes to push the new template to the devices.

To return to the Cloud OnRamp for SaaS Dashboard, select .

Enable Application Feedback Metrics for Office 365 Traffic

Beginning with Cisco IOS XE Release 17.4.1a, you can enable the following types of application feedback from additional sources. Cloud onRamp for SaaS can use these metrics to help determine the best path for Office 365 traffic. See Best Path Determination.

  • Enable telemetry with Microsoft Exchange cloud servers, which can provide best path metrics for Office 365 traffic on specifically configured interfaces. This involves use of a Microsoft service called Microsoft 365 informed network routing. To understand this feature better, see the information available in the Microsoft 365 informed network routing document.

  • Enable application response time (ART) metrics, which configures network devices to report ART metrics.

Before You Begin

  • Enable monitoring for Office 365 traffic.

    See Configure Applications for Cloud onRamp for SaaS Using Cisco vManage.

  • Configure a policy for Office 365, for Cisco IOS XE SD-WAN devices.

    See the Policy/Cloud SLA options in Configure Applications for Cloud onRamp for SaaS Using Cisco vManage.

  • To enable NetFlow metrics, enable Cloud Services.

    (From the Cisco vManage menu, choose Administration > Settings > Cloud Services)

  • To enable NetFlow metrics for devices in the network, enable the NetFlow and Application options in the localized policy for each device.

    (From the Cisco vManage menu, choose Configuration > Policies > Localized Policy > Policy template, Policy Settings section)

  • Enable Cisco vAnalytics. See Cisco vAnalytics Insights.

Enable Application Feedback Metrics for Office 365 Traffic

  1. From the Cisco vManage menu, choose Configuration > Cloud onRamp for SaaS.

  2. In the Manage Cloud onRamp for SaaS drop-down list, choose Applications and Policy.

  3. In the Office 365 row, click the Enable Application Feedback for Path Selection link.

    The Application Feedback dialog box opens.

  4. In the Application Feedback dialog box, enable traffic metrics:

    • Telemetry: Enable Telemetry with Microsoft Exchange cloud servers to receive traffic metrics for Office 365 traffic over specific configured interfaces. For information about configuring interfaces for these metrics, see Enable Microsoft to Provide Telemetry for Office 365 Traffic.

      If the option is disabled and the dialog box shows a message requesting sign-in to a Microsoft account, copy the code provided in the message and click the link to sign in. Provide the code on the Microsoft page that is displayed and log in with your Microsoft tenant account credentials when prompted. After signing in, the Telemetry option in the dialog box is enabled.

      See Enable Microsoft to Provide Telemetry for Office 365 Traffic.

    • Traffic Steering: From Cisco vManage Release 20.9.1, check this check box to allow Cloud OnRamp for SaaS to factor in the Microsoft telemetry data in the best path decision. If you disable this, you can still view the Microsoft telemetry data in the Cisco vAnalytics dashboard, but the telemetry does not affect the best path decision.

    • (Optional) Application Response Time (ART): Enable ART metrics.

      Note

      Enabling ART automatically configures devices to report ART metrics.


  5. Click Save.

Enable Microsoft to Provide Telemetry for Office 365 Traffic

You can enable Microsoft Exchange cloud servers to calculate traffic metrics for Microsoft Exchange traffic coming from specific interfaces in the Cisco SD-WAN overlay. Using the Microsoft Azure portal, you specify which interfaces to include, indicating the interfaces by their public IP addresses. This is called opting in the interfaces.

For the specified interfaces, Microsoft identifies the Office 365 traffic by packet source ID and provides metrics that Cloud onRamp for SaaS can use to determine the best path for the Office 365 traffic.

Before You Begin

  • Enable Cloud onRamp for SaaS

    (Administration > Settings > Cloud onRamp for SaaS)

  • Enable SD-AVC Cloud Connector

    (Administration > Settings > SD-AVC Cloud Connector )

    See Enable Cisco SD-AVC Cloud Connector.

  • Enable Cloud Services

    (Administration > Settings > Cloud Services )

  • Configure statistics collection interval to 5 minutes.

    (Administration > Settings > Statistics Configuration )

  • Enable Microsoft telemetry for Office 365 traffic. See Enable Application Feedback Metrics for Office 365 Traffic.

  • Activate the Microsoft 365 informed network routing service for your Microsoft 365 tenant account. Contact Cisco at the following email address for instructions:

Enable Microsoft to Provide Telemetry for Office 365 Traffic

Note

The functionality of the Microsoft Azure portal is subject to change and is therefore outside the scope of this documentation. These high-level instructions provide some guidance, but see Microsoft 365 documentation for details.

For information about the following steps, see the "Microsoft 365 informed network routing" topic in the Microsoft 365 documentation.


  1. Log in to the Microsoft Azure portal. (For information about how to create a Microsoft Azure tenant account, see the Microsoft Azure documentation.)

  2. Using the Microsoft Azure portal, specify Cisco SD-WAN overlay network interfaces for which to track traffic metrics.

    1. In the Azure portal, access the Microsoft 365 admin center.

    2. On the Locations page, add a location entry for each location in the SD-WAN overlay network, as desired.

    3. Within a location entry, do one of the following:

      • For locations using an edge router operating with Cisco IOS XE Release 17.9.1a or later, on the "Add an office location" page (or the equivalent), enable the option to allow an SD-WAN solution to automatically set the LAN subnet and egress address range. Then enter the system IP address of the edge device for the location.

      • For locations using an edge router operating with Cisco IOS XE Release 17.8.x or earlier, add egress IP addresses, using the public IP address of the desired interfaces.

Enable Webex for Cloud onRamp for SaaS

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

To enable Cloud onRamp for SaaS to determine the best path for Webex traffic, enable the Webex application in the same way as other applications. See Enable Cloud onRamp for SaaS, Cisco IOS XE SD-WAN Devices.

Update the Webex Server Information for Cloud onRamp for SaaS

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

  1. From the Cisco vManage menu, choose to display the Cloud onRamp for SaaS Dashboard.

  2. If the dashboard shows a dialog box prompting you to synchronize Webex server information, click Yes in the dialog box.

    Cisco vManage displays the Application Aware Routing Policy page, enabling you to review the policy. The policy includes updated match conditions that use the latest Webex server information.

  3. Click Save Policy.

    Cloud onRamp for SaaS updates the following, as needed, to reflect the updated information for Webex servers worldwide:

    • Match conditions in the application-aware policy

    • Configuration for probing the cloud application

Configure the Traffic Category and Service Area for Specific Policies Using Cisco vManage

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a

Before You Begin

To edit the service area and traffic category, you must enable Monitoring and Policy/Cloud SLA for the Microsoft 365 application with a minimum of one service area. For information, see Configure Applications for Cloud onRamp for SaaS Using Cisco vManage.

Configure the Traffic Category and Service Area

  1. Open Cloud onRamp for SaaS.

    • From the Cisco vManage menu, choose .

      Or

    • From the Cisco vManage menu, click the cloud icon near the top right and select Cloud onRamp for SaaS.

  2. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy.

    The Applications and Policy page displays all the Cloud OnRamp for SaaS applications.

  3. Click the edit icon from the Policy/Cloud SLA column for the Microsoft 365 application.

    The Policy/Cloud SLA Settings pop-up window opens.

  4. Perform one of the following in the Policy/Cloud SLA Settings pop-up window.

    • Click Yes. Select a minimum of one service area and traffic category.

    • If you have already selected a service area and traffic category, click No and edit the Microsoft 365 categories or service area.

  5. Click Save Applications and Next.

    The Application Aware Routing Policy page opens. A list of AAR policies in the current active centralized policy appears.

  6. Select the AAR policy that you wish to edit and click Review and Edit.

    The Review Policy page opens.

  7. Select the Microsoft 365 sequence you wish to edit, to change the service area or traffic category, and click the edit icon.

  8. Edit the service area and traffic category, and click Save Match And Actions.

  9. Click Save Policy and Next. This saves the policy.

Configure AAR Policy to Enable Cloud OnRamp Operation on Specific Applications at Specific Sites Using Cisco vManage

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

  1. Open Cloud onRamp for SaaS.

    • From the Cisco vManage menu, choose .

      Or

    • From the Cisco vManage menu, click the cloud icon near the top right and select Cloud onRamp for SaaS.

  2. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy.

    The Applications and Policy page displays all the Cloud OnRamp for SaaS applications.

  3. Click Save Applications and Next.

    The Application Aware Routing Policy page opens, showing the application-aware policies in the current active centralized policy.

  4. Select the policy you wish to edit and click Review and Edit to view the policy details.

  5. You can now delete one or more sequences that have been added by Cloud OnRamp for SaaS for specific applications or change the order of the sequences.

  6. Click Save Policy and Next. This pushes the updated policy to the Cisco vSmart Controller.

Note

When you enable an application on the Applications and Policy page, by default, Cloud OnRamp for SaaS is enabled for all AAR policies that are part of the current active centralized policy.


Enable Application Visibility and Flow Visibility

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a

Enable Visibility and Flow Visibility Using Cisco vManage

  1. From the Cisco vManage menu, choose .

  2. Click Localized Policy.

  3. Click Add Policy.

  4. Continue clicking Next until the Policy Settings page appears.

  5. Check the Netflow and Applications check box.

  6. Click Save Policy.

    Application visibility and flow visibility are now enabled.

Enable Application Visibility and Flow Visibility Using a CLI Template

For more information about using CLI templates, see CLI Add-On Feature Templates and CLI Templates.

Configure Visibility for Microsoft 365 SaaS traffic Using Cisco vManage

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.9.1a

Enable a Device to Provide Data for the Visualization of Microsoft 365 Traffic

  1. From the Cisco vManage menu, choose . The On Demand Troubleshooting page opens.

  2. Click the Select Device drop-down list and choose a device.

  3. Click the Select Data Type drop-down list and choose the data type DPI.

  4. Select a time range from Data Backfill Time Period.

  5. Click Add to queue the device for processing.

  6. Wait until the Status column shows Completed.

View Application Usage Information for Microsoft 365 SaaS Traffic

  1. Open Cloud onRamp for SaaS.

    • From the Cisco vManage menu, choose .

      Or

    • From the Cisco vManage menu, click the cloud icon near the top right and select Cloud onRamp for SaaS.

  2. Click Manage Cloud onRamp for SaaS.

  3. Click the Microsoft 365 application. A list of devices that are attached to a DIA or gateway is shown.

  4. In the Application Status column of a device, click View Usage.

  5. The CoR SaaS Application Usage page displays the information for each type of traffic. To limit the traffic information that is displayed, click the Search field, and choose All CoR SaaS Traffic, DIA, Gateway, or Non CoR SaaS.

    Note

    The information presented in the above graphs or logs is for an individual device. You can view the information related to only one device at a time. The graphs or logs are only shown for those devices for which on-demand troubleshooting is enabled. For information about on-demand troubleshooting, see On-Demand Troubleshooting.


Verify Cloud onRamp for SaaS

The following section(s) describe the procedures for verifying Cloud OnRamp for SaaS features.

Verify That an Application is Enabled for Cloud onRamp for SaaS

  1. From the Cisco vManage menu, choose .

  2. Click Manage Cloud OnRamp for SaaS and choose Applications and Policy.

    The Applications and Policy window displays all SaaS applications.

  3. In the row of the application that you are verifying, check that the Monitoring column and the Policy/Cloud SLA column both show Enabled.

Verify Changes to the Configuration of the Traffic Category and Service Area for Specific Policies Using Cisco vManage

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.5.1a

  1. From the Cisco vManage menu, choose .

  2. Click Controllers.

    A list of devices is displayed.

  3. For the device you wish to verify, click and click Running Configuration. The Running Configuration window opens, displaying the running configuration.

  4. Verify that the running configuration reflects any changes that you have made to AAR policies.

Or

  1. From the Cisco vManage menu, choose .

    The Policies page displays the policies.

  2. For the policy you wish to verify, click and click Preview.

    The Policy Configuration Preview pop-up window appears, providing a preview of the running configuration.

  3. Verify that the policy preview reflects any changes that you have made to AAR policies.

Verify Which Applications Are Enabled for Specific Devices Using Cisco vManage

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

  1. From the Cisco vManage menu, choose .

  2. Click Controllers.

    A list of devices is displayed.

  3. For the device you wish to verify, click and click Running Configuration. The Running Configuration window opens, displaying the running configuration.

  4. Verify that the running configuration reflects any changes that you have made to AAR policies.

Verify Which Applications Are Enabled for a Specific Policy Using Cisco vManage

  1. From the Cisco vManage menu, choose .

    The Policies window displays the policies.

  2. For the policy you wish to verify, click and click Preview.

    The Policy Configuration Preview page appears, providing a preview of the running configuration.

  3. Verify that the policy reflects any changes that you have made to AAR policies.

Monitor Cloud onRamp for SaaS

The following section(s) describe the procedures for monitoring Cloud OnRamp for SaaS features.

View Details of Monitored Applications

  1. Open Cloud onRamp for SaaS.

    • From the Cisco vManage menu, choose Configuration > Cloud onRamp for SaaS.

      or

    • In Cisco vManage, click the cloud icon at the top right and click Cloud onRamp for SaaS.

    The page includes a tile for each monitored application, with the following information:

    • How many sites are operating with Cloud onRamp for SaaS.

    • A color-coded rating of the Quality of Experience (vQoE) score for the application (green=good score, yellow=moderate score, red=poor score) on the devices operating at each site.

  2. Optionally, you can click a tile to show details of Cloud onRamp for SaaS activity for the application, including the following:

    Field

    Description

    vQoE Status

    A green checkmark indicates that the vQoE score for the best path meets the criteria of an acceptable connection. The vQoE is calculated based on average loss and average latency. For Office 365 traffic, other connection metrics are also factored in to the vQoE score.

    vQoE Score

    For each site, this is the vQoE score of the best available path for the cloud application traffic.

    The vQoE score is determined by the Cloud onRamp for SaaS probe. Depending on the type of routers at the site, you can view details of the vQoE Score as follows:

    • Cisco IOS XE SD-WAN devices:

      To show a chart of the vQoE score history for each available interface, click the chart icon. In the chart, each interface vQoE score history is presented as a colored line. A solid line indicates that Cloud onRamp for SaaS has designated the interface as the best path for the cloud application at the given time on the chart.

      You can place the cursor over a line, at a particular time on the chart, to view details of the vQoE score of an interface at that time.

      From Cisco vManage Release 20.8.1, for the Office 365 application, the chart includes an option to show the vQoE score history for a specific service area, such as Exchange, Sharepoint, or Skype. For each service area, a solid line in the chart indicates the interface chosen as the best path at a given time. If you have enabled Cloud onRamp for SaaS to use Microsoft traffic metrics for Office 365 traffic, the choice of best path takes into account the Microsoft traffic metrics.

    • Cisco vEdge devices:

      To show a chart of the vQoE score history, click the chart icon. The chart shows the vQoE score for the best path chosen by Cloud onRamp for SaaS.

    DIA Status

    The type of connection to the internet, such as local (from the site), or through a gateway site.

    Selected Interface

    The interface providing the best path for the cloud application.

    Note 

    If the DIA status is Gateway, this field displays N/A.

    Activated Gateway

    For a site that connects to the internet through a gateway site, this indicates the IP address of the gateway site.

    Note 

    If the DIA status is Local, this field displays N/A.

    Local Color

    For a site that connects to the internet through a gateway site, this is the local color identifier of the tunnel used to connect to the gateway site.

    Note 

    If the DIA status is Local, this field displays N/A.

    Remote Color

    For a site that connects to the internet through a gateway site, this is the remote (gateway site) color identifier of the tunnel used to connect to the gateway site.

    Note 

    If the DIA status is Local, this field displays N/A.

    SDWAN Computed Score

    This field is applicable only if the site uses Cisco IOS XE SD-WAN devices. It does not apply for Cisco vEdge devices.

    From Cisco vManage Release 20.8.1, for the Microsoft Office 365 application, an SDWAN Computed Score column provides links to view charts of the path scores (OK, NOT-OK, or INIT) provided by Microsoft telemetry for each Microsoft service area, including Exchange, Sharepoint, and Skype. The chart shows the scores over time for each available interface. The scores are defined as follows:

    • OK: Acceptable path

    • NOT-OK: Unacceptable path

    • INIT: Insufficient data

    These charts provide visibility into how Cloud onRamp for SaaS chooses a best path for each type of Microsoft Office 365 traffic.

    A use case for viewing the path score history is for determining whether Microsoft consistently rates a particular interface as NOT-OK for some types of traffic, such as Skype traffic.

Monitor the Status of Webex for Cloud onRamp for SaaS

Minimum releases: Cisco IOS XE Release 17.7.1a and Cisco vManage Release 20.7.1

  1. From the Cisco vManage menu, choose

    The page displays each monitored application, the relevant sites, with information about each.

  2. Optionally, you can click a site to display a chart of the scores for various available paths for the application traffic, and the best path (solid line).

View Office 365 Server Information Using the SD-AVC Cloud Connector

Before You Begin

  • Enable SD-AVC (, click and choose Edit, and choose Enable SD-AVC).

  • Enable SD-AVC Cloud Connector ().

View Office 365 Server Information

  1. From the Cisco vManage menu, choose .

    The SD-AVC Cloud Connector page shows the following information collected from Microsoft Cloud about the Microsoft application servers that handle Office 365 traffic.

    Domain tab

    • Application Name: Name of the application producing the traffic. Network-Based Application Recognition (NBAR), a component of Cisco IOS XE, provides the application name.

    • Domain: Destination domain of the traffic. This is the application server handling the cloud application traffic.

    • Service Area: The service area categorization, as determined by Microsoft, including exchange, sharepoint, skype, and common.

    • Category: Traffic categorization by Microsoft as optimize, allow, or default. A dash in this field indicates traffic that does not have a defined category.

    IP Addresses tab

    • IP: Destination IP of the traffic. This is the IP address of the application server handling the cloud application traffic.

    • Port: Destination port of the traffic.

    • L4 Protocol: Transport protocol of the traffic, such as TCP or UDP.

    • Application: Name of the application producing the traffic. NBAR, a component of Cisco IOS XE, provides the application name.

    • Category: Traffic categorization by Microsoft as optimize, allow, or default. A dash in this field indicates that traffic does not have a defined category.

    • Service Area: The service area categorization, as determined by Microsoft, including exchange, sharepoint, skype, and common.

  2. Optionally, you can use the Search field to filter the information in the table. For example, you can filter by an application name or by a domain name.

Cloud onRamp for SaaS Over SIG Tunnels

Table 4. Feature History

Feature Name

Release Information

Description

Cloud onRamp for SaaS Over SIG Tunnels

Cisco IOS XE Release 17.6.1a

Cisco vManage Release 20.6.1

This feature allows you to connect to Cloud onRamp for SaaS by means of a SIG tunnel.

The Cloud onRamp for SaaS Over SIG Tunnels feature provides you with secure access to the SaaS applications, and the capability to automatically select the best possible SIG tunnel for accessing the SaaS applications.

Prerequisites for Cloud onRamp for SaaS Over SIG Tunnels

  • The SIG tunnels created using the Secure Internet Gateway (SIG) template must have a valid Tracker Source IP address. Cloud onRamp for SaaS uses the Tracker Source IP address in the SIG template for probing purposes.

  • Configure the device to use an internet-based DNS server with an IP address that can be reached through the SIG tunnel.

Restrictions for Cloud onRamp for SaaS Over SIG Tunnels

  • An application must be identified by Cloud onRamp for SaaS from the very first packet in a flow going through the edge routers, between a branch and Cloud onRamp for SaaS. If an application cannot be identified in the first packet of a flow, the best path that is selected by Cloud onRamp cannot be implemented for the subsequent packets in that given flow. After an application is classified, the subsequent traffic flow goes through the best path selected by Cloud onramp for SaaS.

  • Cloud onRamp for SaaS comparison logic between a gateway exit and a Direct Internet Access (DIA) exit cannot determine if the Cloud onRamp for SaaS in the remote gateway is executing a computation with an underlay interface or a SIG interface.

  • IPv6 is not supported with Cloud onRamp for SaaS.

Information About Cloud onRamp for SaaS Over SIG Tunnels

Using Cloud OnRamp for SaaS, a site can connect to SaaS applications through the following:

  • Through the best performing SIG tunnel

  • Through a gateway site in which the traffic is sent through the best-performing overlay tunnel from the branch to the gateway, and then from the gateway site through the best-performing SIG tunnel.

When you configure Cloud onRamp for SaaS for a site to connect over SIG tunnels, you have secure access to the SaaS applications over the internet.

Benefits of Cloud onRamp for SaaS Over SIG Tunnels

Connecting to Cloud OnRamp for SaaS over SIG tunnels has the following benefits:

  • You have secure access to the SaaS applications over SIG tunnels.

  • Cloud onRamp for SaaS over SIG tunnels provides best path performance where access to the SaaS applications is enabled through the best-performing tunnel.

Use Cases for Cloud onRamp for SaaS Over SIG Tunnels

There are different ways through which you can access the SaaS applications over SIG tunnels:

Direct Access to SaaS Applications with Multiple SIG Tunnels from Branch Using DIA

In this scenario:

  • Multiple VPN0 tunnels over GRE or IPSec are set up from a branch to Zscaler and Cisco Umbrella.

  • Traffic from the branch is forwarded through the best-performing tunnel for a given SaaS application, and is terminated at Zscaler and Cisco Umbrella for security inspection.

  • Traffic is forwarded to the internet from SIG.

Access to SaaS Applications with Multiple SIG Tunnels from Branch Using a Gateway

In this scenario:

  • Multiple VPN0 tunnels over GRE or IPSec are set up from one or more regional hubs to Zscaler and Cisco Umbrella.

  • Traffic from branch is forwarded to the best-performing regional hub for a given SaaS application, and is terminated at Zscaler and Cisco Umbrella for security inspection.

  • Traffic is forwarded to the internet from SIG.

Access to SaaS Applications with Multiple SIG Tunnels from Branch Using DIA and Gateway

In this scenario:

  • Multiple VPN0 tunnels over GRE or IPsec are set up from a branch, regional hub, or both to Zscaler and Cisco Umbrella.

  • Traffic from branch, regional hub, or both is forwarded through the best-performing tunnel for a given SaaS application, and is terminated at Zscaler and Cisco Umbrella for security inspection.

  • Traffic is forwarded to the internet from SIG.

Configure Cloud onRamp for SaaS Over SIG Tunnels

Configure Cloud onRamp for SaaS over SIG Tunnels Using DIA

  1. From the Cisco vManage menu, choose Configuration > Cloud onRamp for SaaS.

  2. From the Manage Cloud OnRamp for SaaS drop-down list, choose Direct Internet Access (DIA) Sites.

  3. Click Attach DIA Sites.

    The Attach DIA Sites dialog box displays all the sites in your overlay network, with the available sites highlighted.

  4. In Device Class, select:

    Cisco OS (cEdge)

  5. In the Available Sites pane, select a site that you want to attach, and click the right arrow. To remove a site, in the Selected Sites pane, click a site, and then click the left arrow.

  6. Click Add TLOC to selected sites.

  7. Click Secure Internet Gateway (SIG) Interfaces.

  8. Click All Auto SIG Interfaces or SIG Interface List in the Attach DIA Sites window, and then choose from the list of tunnels that are configured from the Cisco Secure Internet Gateway template.

    Note

    The Tunnel1000X entry in the SIG Interface List field refers to the interface name, the equivalent of the IPSec interface name entered when configuring a SIG template.


  9. Click Save Changes.

  10. Click Attach.

    Cisco vManage pushes the feature template configuration to the devices, and the Task View window displays a Validation Success message.

Configure Cloud onRamp for SaaS over SIG Tunnels Using a Gateway

To configure Cloud onRamp for SaaS over SIG tunnels using a gateway, perform the following steps:

  1. From the Cisco vManage menu, choose Configuration > Cloud onRamp for SaaS.

  2. From Manage Cloud OnRamp for SaaS drop-down list, choose Gateways.

  3. Click Attach Gateways.

    The Attach Gateways pop-up window displays all the sites in your overlay network, with available sites highlighted.

  4. In Device Class, select:

    Cisco OS (cEdge)

  5. In the Available Sites pane, select a site that you want to attach, and click the right arrow. To remove a site, in the Selected Sites pane, click a site, and then click the left arrow.

  6. Click Add interfaces to selected sites.

  7. Click VPN 0.

  8. Click Secure Internet Gateway (SIG) Interfaces.

  9. Click All Auto SIG Interfaces or SIG Interface List in the Attach Gateways window, and then choose from the list of tunnels that are configured from the Cisco Secure Internet Gateway template.

    Note

    The Tunnel1000X entry in the SIG Interface List field refers to the interface name, the equivalent of the IPSec interface name entered when configuring a SIG template.


  10. Click Save Changes.

  11. Click Attach. Cisco vManage pushes the feature template configuration to the devices, and the Task View window displays a Validation Success message.

Configure Cloud onRamp for SaaS Over SIG Tunnels Using the CLI

This section provides sample CLI configurations for Cloud onRamp for SaaS over SIG tunnels.

Configure Cloud OnRamp for SaaS over SIG Tunnels for DIA and Gateway Sites


Device# config-transaction 
Device(config)# probe-path {branch|gateway} {all-auto-sig-tunnels|sig-tunnel-list} list of SIG tunnels 
Device(config)# ip sdwan route vrf vrf ip address service sig 

Enable NBAR Protocol Discovery for Cloud OnRamp for SaaS Over SIG Tunnels for Gateway Sites


Device# config-transaction 
Device(config)# probe-path gateway {all-auto-sig-tunnels|sig-tunnel-list} list of SIG tunnels 
Device(config)# ip sdwan route vrf vrf ip address service sig 
Device(config)# interface tunnel-id 
Device(config-if)# ip nbar protocol-discovery 

Example

The following example configures Cloud onRamp for SaaS over SIG tunnels for a gateway site and enables NBAR protocol discovery on tunnel interfaces Tunnel100001 and Tunnel100002.

Device# config-transaction
Device(config)# probe-path gateway all-auto-sig-tunnels
Device(config)# ip sdwan route vrf 1 192.168.0.1 service sig
Device(config)# interface Tunnel100001
Device(config-if)# ip nbar protocol-discovery
Device(config-if)# interface Tunnel100002
Device(config-if)# ip nbar protocol-discovery

Configure VPN with Loopback Interfaces

Device# config-transaction
Device(config)# vrf definition vrf
Device(config-vrf)# address-family ipv4
Device(config-vrf)# exit-address-family
Device(config)# interface Loopback interface_number
Device(config-if)# no shutdown
Device(config-if)# vrf forwarding vrf_number
Device(config-if)# ip address ip-address mask
Device(config-if)# exit

Monitor Cloud onRamp for SaaS Over SIG Tunnels

To monitor Cloud onRamp for SaaS over SIG tunnels, perform the following steps:

  1. From the Cisco vManage menu, choose .

    Cisco vManage Release 20.6.x and earlier: From the Cisco vManage menu, choose .

  2. From the list of devices that is displayed, select a device.

  3. Click Real Time in the left pane.

  4. Click the Device Options drop-down list, and choose one of the following commands:

    • CloudExpress Applications: Displays the best path for applications that are configured with Cloud OnRamp for SaaS. The best path could be a local interface with DIA, or the path to a remote gateway.

    • CloudExpress Gateway Exits: Displays the loss and latency on each gateway exit for applications that are configured with Cloud OnRamp for SaaS.

    • CloudExpress Local Exits: Displays the application loss and latency on each DIA interface that is enabled for Cloud OnRamp for SaaS.

  5. From the Cisco vManage menu, choose to access the dashboard where you can view the applications available on Cloud onRamp for SaaS.

Monitor Cloud onRamp for SaaS Over SIG Tunnels Using the CLI

Example 1

The following is a sample output from the show sdwan cloudexpress local-exits command on Cisco IOS XE SD-WAN devices. This example displays the application loss and latency on each DIA interface that is enabled for Cloud OnRamp for SaaS.

Device# show sdwan cloudexpress local-exits

VPN  APPLICATION  INTERFACE     LATENCY  LOSS
----------------------------------------------------------------------
1    office365    Tunnel100015  10       0
1    office365    Tunnel100016  3        0
1    amazon_aws   Tunnel100015  10       0
1    amazon_aws   Tunnel100016  3        0

Example 2

The following is a sample output from the show sdwan cloudexpress gateway-exits command on Cisco IOS XE SD-WAN devices. This example displays the loss and latency on each gateway exit for applications that are configured with Cloud OnRamp for SaaS.

Device# show sdwan cloudexpress gateway-exits

                                                                      LOCAL  REMOTE  
VPN  APPLICATION              GATEWAY IP               LATENCY  LOSS  COLOR  COLOR   
-------------------------------------------------------------------------------------
1    salesforce               172.16.255.14            72       2     lte    lte     
1    google_apps              172.16.255.14            16       0     lte    lte   

Example 3

The following is a sample output from the show sdwan cloudexpress applications command on Cisco IOS XE SD-WAN devices. This example displays the best path for applications that are configured with Cloud OnRamp for SaaS. The best path could be a local interface with DIA, or the path to a remote gateway.

Device# show sdwan cloudexpress applications

                              EXIT     GATEWAY                                  LOCAL  REMOTE
VPN  APPLICATION              TYPE     SYSTEM IP      INTERFACE  LATENCY  LOSS  COLOR  COLOR 
---------------------------------------------------------------------------------------------
1    salesforce               gateway  172.16.255.14  -          103      1     lte    lte   
1    google_apps              gateway  172.16.255.14  -          47       0     lte    lte  

Example 4

The following is a sample output from the show ip route vrf command on Cisco IOS XE SD-WAN devices. This example displays the IP routing table that is associated with a specific VPN routing and forwarding (VRF) instance.


Device# show ip route vrf vrf1

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
       T - traffic engineered route
 
Gateway of last resort is not set
 
B    10.0.0.0/8 [200/0] via 10.13.13.13, 00:24:19
C    10.0.0.0/8 is directly connected, Ethernet1/3
B    10.0.0.0/8 [20/0] via 10.0.0.1, 02:10:22
B    10.0.0.0/8 [200/0] via 10.13.13.13, 00:24:20

Example 5

The following is a sample output from the show sdwan run probe-path command on Cisco IOS XE SD-WAN devices. This example displays the probe path for SIG tunnels.


Device# show sdwan run probe-path
probe-path branch sig-tunnel-list Tunnel100015 Tunnel100016
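
The following script is an added example, not part of the Cisco documentation. It parses the outputs shown in Example 1 and Example 5 and reports any Cloud onRamp local exit that is not one of the configured SIG tunnels (SaaS traffic that would skip SIG security inspection) or that exceeds loss or latency limits. The function names, the thresholds (100 and 1), and the GigabitEthernet1 row are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple


class LocalExit(NamedTuple):
    vpn: int
    application: str
    interface: str
    latency: int
    loss: int


# Sample text copied from Example 1 and Example 5 on this page.
LOCAL_EXITS = """\
Device# show sdwan cloudexpress local-exits

VPN APPLICATION INTERFACE LATENCY LOSS
----------------------------------------------------------------------
1 office365 Tunnel100015 10 0
1 office365 Tunnel100016 3 0
1 amazon_aws Tunnel100015 10 0
1 amazon_aws Tunnel100016 3 0
"""
PROBE_PATH = """\
Device# show sdwan run probe-path
probe-path branch sig-tunnel-list Tunnel100015 Tunnel100016
"""

PROBE_RE = re.compile(
    r"\bprobe-path\s+(branch|gateway)\s+(all-auto-sig-tunnels|sig-tunnel-list)\b(.*)"
)


def parse_local_exits(text):
    """Return one LocalExit per data row of 'show sdwan cloudexpress local-exits'."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have five columns and a numeric VPN id; this skips the
        # prompt line, the column header, the dashed rule and blank lines.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        vpn, app, interface, latency, loss = fields
        if latency.isdigit() and loss.isdigit():
            rows.append(LocalExit(int(vpn), app, interface, int(latency), int(loss)))
    return rows


def parse_probe_path(text):
    """Map site role to its set of SIG tunnels; None means all-auto-sig-tunnels."""
    paths = {}
    for line in text.splitlines():
        match = PROBE_RE.search(line)
        if match:
            role, mode, rest = match.groups()
            paths[role] = None if mode == "all-auto-sig-tunnels" else set(rest.split())
    return paths


def audit(exits, sig_tunnels, max_latency, max_loss):
    """Return (exit, reason) pairs for exits that need attention.

    With all-auto-sig-tunnels (sig_tunnels is None) the tunnel set is not
    enumerated in the configuration, so only the thresholds are checked.
    """
    findings = []
    for item in exits:
        if sig_tunnels is not None and item.interface not in sig_tunnels:
            findings.append((item, "exit interface is not a configured SIG tunnel"))
        if item.latency > max_latency or item.loss > max_loss:
            findings.append((item, "loss or latency above threshold"))
    return findings


if __name__ == "__main__":
    tunnels = parse_probe_path(PROBE_PATH)["branch"]
    # Constructed row: an exit on an interface that is not in the SIG tunnel list.
    sample = LOCAL_EXITS + "1 office365 GigabitEthernet1 12 0\n"
    for item, reason in audit(parse_local_exits(sample), tunnels, 100, 1):
        print(f"{item.application} via {item.interface}: {reason}")
```
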

Configuration Example for Cloud onRamp for SaaS Over SIG Tunnels

The following example shows the configuration of Cloud onRamp for SaaS over SIG tunnels:

Example

Device(config)# probe-path branch sig-tunnel-list Tunnel100015 Tunnel100016
Device(config)# probe-path branch all-auto-sig-tunnels

What type of traffic is described as requiring latency to be no more than 150 milliseconds (ms)?

What's an acceptable level of jitter? If possible, jitter should be below 30 milliseconds, packet loss should be no greater than 1% and network latency should not be more than 150 ms one way and 300 ms RTT.

What type of traffic is described as being able to tolerate a certain amount of latency, jitter, and loss without any noticeable effects?

Voice packets must receive a higher priority than other types of traffic. Cisco products use the RTP port range 16384 to 32767 to prioritize voice traffic. Voice can tolerate a certain amount of latency, jitter, and loss without any noticeable effects.