For an organization using SD-WAN, a branch site typically routes SaaS application traffic by default over SD-WAN overlay links to a data center. From the data center, the SaaS traffic reaches the SaaS server.

For example, in a large organization with a central data center and branch sites, employees might use Office 365 at a branch site. By default, the Office 365 traffic at a branch site would be routed over SD-WAN overlay links to a centralized data center, and from there to the Office 365 cloud server.

Scenario 1: If the branch site has a direct internet access (DIA) connection, you may choose to improve performance by routing the SaaS traffic through that direct route, bypassing the data center.

Scenario 2: If the branch site connects to a gateway site that has DIA links, you may choose to enable SaaS traffic to use the DIA of the gateway site.

Scenario 3: Hybrid method.

When enabling Cloud OnRamp for SaaS to manage Office 365 traffic, you can limit Cloud OnRamp for SaaS path selection to apply to some or all Office 365 traffic, with the following options:

• Optimize traffic

• Optimize and Allow traffic

• All Office 365 traffic

These options correspond to the three categories of Office 365 traffic that Microsoft defines as follows:

• Optimize: Traffic most sensitive to network performance, latency, and availability.

• Allow: Traffic less sensitive to network performance, latency, and availability.

• Default: Traffic not sensitive to network performance.

Specifying traffic by Office 365 category requires enabling the Cisco SD-AVC Cloud Connector component in Administration > Settings.

Cloud OnRamp for SaaS selects the best path for each application using an algorithm that takes input from the following sources.

For Office 365 traffic, you can view a log of the metrics that factor into the best-path determination. The metrics appear in a Cisco SD-WAN Analytics page specifically designed to display only this information, and available directly from Cisco SD-WAN Manager.

Cloud OnRamp for SaaS can determine the best network path for each type of cloud traffic. However, if multiple direct internet access (DIA) interfaces on a WAN edge device at a branch site provide acceptable performance for a cloud application, Cloud OnRamp for SaaS can employ load balancing across up to three interfaces to further improve performance.

When you enable load balancing across multiple interfaces of a WAN edge device, load balancing is enabled for all cloud applications that are managed by Cloud OnRamp for SaaS. After determining the best path interface for a cloud application, Cloud OnRamp compares the performance statistics for other interfaces. To use another interface for load balancing, the following must be true:

• The packet loss value of the interface cannot vary from the packet loss value of the best path interface by more than a configured value (%). You can configure a smaller value to restrict load balancing only to interfaces with a packet loss value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher packet loss than the best path interface.

• The latency value of the interface cannot vary from the latency value of the best path interface by more than a configured value (milliseconds). You can configure a smaller value to restrict load balancing only to interfaces with a latency value very close to that of the best path interface, or you can configure a larger value to be more inclusive of interfaces that might have a higher latency than the best path interface.

If required, you can select an option to ensure that all traffic from a single host uses a single interface – for example, to ensure that DNS and application traffic use the same path.

A branch site may connect to the internet through one or more direct internet access (DIA) interfaces at the branch site itself, or through a gateway site, which might use a service VPN or VPN 0 to connect to the internet.

In addition to probing the DIA interfaces at a branch site, Cloud OnRamp for SaaS can probe interfaces at a gateway site, whether they use service VPNs (VPN 1, VPN 2, …) or the transport VPN (VPN 0), when determining the best path to use for the traffic of specified cloud applications. This is helpful when the branch site connects to the internet through a gateway site.

When configuring Cloud OnRamp for SaaS to use the gateway site, specify whether the gateway site uses service VPNs or VPN 0 to connect to the internet, as shown in the following illustrations.

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a and Cisco vManage Release 20.7.1

When you enable Cloud OnRamp for SaaS best path determination for an application, Cisco SD-WAN Manager updates match conditions in the application-aware policy in the active centralized policy to support Cloud OnRamp for SaaS functionality for the application. For most applications, the match conditions do not require any later update.

For Webex, Cloud OnRamp for SaaS uses a more complex method than for most other applications. Cloud OnRamp for SaaS maintains a list of worldwide Webex servers. When you enable Cloud OnRamp for SaaS best path determination for Webex, Cloud OnRamp for SaaS determines the best path for each Webex server worldwide. It adds match conditions in the application-aware policy to address each of the regional Webex servers. This provides the Webex application with the best path to any Webex server worldwide that it may need to connect to.

Minimum supported release: Cisco vManage Release 20.8.1

Cisco Catalyst SD-WAN uses a component called SD-AVC Cloud Connector to collect information from Microsoft Cloud about the Microsoft application servers that handle Office 365 traffic. The information includes the transport protocols for the traffic; and the domain names, IP addresses, and ports of the application servers that manage the traffic. This server information improves the process of identifying network traffic—for example, making it possible to identify traffic from the first packet. Improving traffic identification enhances the effectiveness of application-aware routing policies because policies can often match all traffic, from the first packet.

The SD-AVC Cloud Connector page provides visibility into the application servers that are used for Office 365 traffic. It provides a table of the server information that Cisco Catalyst SD-WAN has collected for Office 365 traffic. For example, the table may indicate that the domains represented by *-admin.sharepoint.com correspond to Sharepoint traffic. In this case, any traffic flow with a destination domain included in those domains, such as connect-admin.sharepoint.com, can be identified as Sharepoint traffic from the first packet of the flow.

Minimum supported release: Cisco vManage Release 20.8.1

For Office 365 traffic, you can view charts showing the path scores (OK, NOT-OK, or INIT) provided by Microsoft telemetry for each Microsoft service area, including Exchange, Sharepoint, and Skype. The chart shows the path scores over time for each available interface.

Viewing the path score history can be useful when troubleshooting network performance issues for Office 365 traffic—for example, to determine whether Microsoft consistently rates a particular interface as NOT-OK for some types of traffic, such as Skype traffic. If that occurs, you can investigate why the interface is consistently receiving a low path score.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

When you enable Microsoft 365 on the Applications and Policy page, and choose a traffic category, Cloud OnRamp for SaaS adds sequences to all application-aware routing (AAR) policies to enable Cloud OnRamp for SaaS operation on Microsoft 365 traffic, in accordance with the traffic category that you have chosen. Adding these sequences to the AAR policies enables Cloud OnRamp for SaaS operation on this traffic, with the selected traffic category.

Starting from Cisco vManage Release 20.9.1, you can edit the sequences in AAR policies individually to change the specified Microsoft 365 traffic category and service area for specific AAR policies.

Note	This feature is only available for the Microsoft 365 application.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

Starting from Cisco vManage Release 20.9.1, you can selectively enable Cloud OnRamp for SaaS to operate for a particular application at specific sites, while excluding other sites. When you enable an application on the Applications and Policy page, Cloud OnRamp for SaaS adds AAR policy sequences that match traffic for the selected application and direct the traffic in accordance with the Cloud OnRamp for SaaS best path calculation. This has the effect of enabling Cloud OnRamp for SaaS operation at all sites.

To exclude Cloud OnRamp for SaaS operation for applications at specific sites, you can edit an AAR policy and delete a specific application within the AAR policy. This disables Cloud OnRamp for SaaS activity for that application on sites that use the AAR policy.

In contrast to editing the traffic category or service area for specific policies (see Information About Configuring the Traffic Category and Service Area for Specific Policies), which works only with Microsoft 365 traffic, you can use this feature to enable or exclude any SaaS application.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

Cisco vManage Release 20.9.1 introduces improved application visibility, enabling you to monitor Microsoft 365 traffic processed by Cloud OnRamp for SaaS in more detail. You can view, in graph or table formats, the volume of Microsoft 365 traffic over time, with details as to how much traffic used a direct internet access (DIA) link, and how much was routed through a gateway site. The monitoring page also shows the volume of traffic that Cloud OnRamp for SaaS does not affect.

Minimum releases: Cisco vManage Release 20.9.1

From Cisco vManage Release 20.9.1, you can control whether the Cloud OnRamp for SaaS best path decision includes Microsoft telemetry data as a factor for Microsoft 365 traffic. When enabling telemetry for Microsoft 365 (Office 365) traffic, the Application Feedback dialog box contains a Traffic Steering check box. Check this check box to enable the use of Microsoft telemetry data in best path decisions. For information, see Enable Application Feedback Metrics for Office 365 Traffic.

Even when you elect not to use Microsoft telemetry data in best path decisions, you can view the telemetry data. You can view the telemetry data related to the Microsoft 365 application, as well as detailed information about the best path decisions made on devices, using Cisco vAnalytics. For information about Cisco SD-WAN Analytics, see Cisco vAnalytics.

For information about enabling Microsoft to provide telemetry for Microsoft 365 traffic, see Enable Microsoft to Provide Telemetry for Office 365 Traffic.

After Upgrading Cisco SD-WAN Manager

If you have enabled Microsoft telemetry on a previous release of Cisco SD-WAN Manager, and are now upgrading to Cisco vManage Release 20.9.1, Cloud OnRamp for SaaS does not automatically enable the use of Microsoft telemetry data in best path decisions. To ensure that devices use Microsoft telemetry for best path decisions, if you have configured that option, perform one of the following:

• Disable and enable Microsoft telemetry for Microsoft 365 traffic. See Enable Application Feedback Metrics for Office 365 Traffic

• Disable and enable monitoring for Microsoft 365 traffic. See Configure Applications for Cloud OnRamp for SaaS Using Cisco SD-WAN Manager

• Perform the following steps:

  1. Detach and attach sites and gateways. See Configure Client Sites.

  2. From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

  3. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy. The Applications and Policy page displays all SaaS applications.

  4. Click Save Applications and Next. This sends the traffic steering values to devices at each site.

Note	From Cisco vManage Release 20.9.1, you can enter the public system IP of edge devices, on the Microsoft portal. For details, see step 2-c under Enable Microsoft to Provide Telemetry for Office 365 Traffic.

Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

Cloud OnRamp for SaaS supports loopback, dialer, and subinterfaces. You can configure TLOC-extension and SIG on these interfaces.

You can configure different interfaces on a Cisco IOS XE Catalyst SD-WAN device based on your requirements. For more information about configuring network interfaces, see Configure Network Interfaces.

For more information about supported Network Address Translation (NAT) configuration on loopback and dialer interfaces, see Configure NAT.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a , Cisco Catalyst SD-WAN Manager Release 20.13.1

You can define a list of destination IP prefixes to exclude from Cloud OnRamp for SaaS optimization. You can apply a data prefix exclusion list to all SaaS applications or individually to a specific application.

A common use is to exclude the prefixes of on-premises SaaS application servers or private-cloud-hosted SaaS application servers. For example, if you have local on-premises SharePoint servers and configure Cloud OnRamp for SaaS to optimize SharePoint traffic, you can exclude the prefixes for the local SharePoint servers from Cloud OnRamp for SaaS optimization. This enables the SharePoint traffic to be routed internally, unaffected by Cloud OnRamp for SaaS.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1

Cloud OnRamp for SaaS performs best-path determination using probes on all available interfaces. If internet connectivity on an interface fails, Cloud OnRamp for SaaS reroutes to another path, which is called failover. Detecting the failure might take some time. When relying on probes, it takes two to four minutes to detect internet connectivity failure on an interface.

To achieve a faster failover, you can configure a DIA tracker and associate it with a DIA or gateway site configured for Cloud OnRamp for SaaS. The tracker probes the transport interface periodically to determine if the internet or external network is unavailable. Associating a tracker with Cloud OnRamp for SaaS allows faster switching to an alternate path when the primary link for an application is unavailable.

The speed of a tracker or tracker group depends on the configuration of parameters such as threshold, interval, multiplier, and so on. For more information about the DIA tracker, see NAT DIA Tracker.

For information about previous support for faster failover when using Cloud OnRamp for SaaS over a SIG tunnel, see Information About Cloud OnRamp for SaaS Over SIG Tunnels.

The prerequisites for using Cloud OnRamp for SaaS differ for Cisco vEdge devices and Cisco IOS XE Catalyst SD-WAN devices. For information about using Cloud OnRamp for SaaS with Cisco vEdge devices, see Cloud OnRamp Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20.

For Cisco IOS XE Catalyst SD-WAN devices, the requirements are:

• The devices must be running Cisco IOS XE Catalyst SD-WAN Release 17.3.1a or later.

• The devices must be in Manager mode.

• All Cisco Catalyst SD-WAN Controller instances must be in Manager mode.

• A centralized policy that includes an application-aware policy must be activated. You can configure more than one centralized policy in Cisco SD-WAN Manager, but only one can be active.

  Note	This is an important difference from using Cloud OnRamp for SaaS with Cisco vEdge devices, which do not have this requirement.

• Cloud OnRamp for SaaS is enabled (Administration > Settings).

  From Cisco Catalyst SD-WAN Manager Release 20.13.1, Cloud OnRamp for SaaS is enabled by default. (Administration > Settings)

To specify traffic by Office 365 traffic category, the following are also required:

• Cisco SD-AVC is enabled (Administration > Cluster Management).

• Cisco SD-AVC Cloud Connector is enabled (Administration > Settings). If Cloud Connector is not enabled, policies specifying Office 365 traffic cannot match the Office 365 traffic. The traffic uses the default path, rather than the best path selected by Cloud OnRamp for SaaS.

Cloud OnRamp for SaaS probing through VPN 0 interfaces at gateway sites presupposes that a branch site connects to the internet through a gateway site, and that the gateway site connects to the internet using a VPN 0 interface. The branch site may or may not also connect to the internet through one or more DIA connections.

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a and Cisco vManage Release 20.7.1

• To download the latest information about Webex servers, as described in "Maintaining an Up-to-Date List of Webex Servers" in Information About Cloud OnRamp for SaaS Support for Webex, Cisco SD-WAN Manager requires access to the internet.

• When you enable Cloud OnRamp for SaaS to optimize Webex traffic, ensure that for each router, the service VPN has a default route configured. This default route is required for the Webex DNS and control traffic, which are components of Webex traffic that are not optimized by Cloud OnRamp for SaaS.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

• You must have multiple active AAR policies.

• To edit the service area and traffic category, you must enable Monitoring and Policy/Cloud SLA for the Microsoft 365 application. For information, see Configure Applications for Cloud OnRamp for SaaS Using Cisco SD-WAN Manager.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

Availability of multiple AAR policies associated with different sets of sites.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

• Enable application visibility and flow visibility. For information, see Enable Application Visibility and Flow Visibility.

• To view the graphical visualizations of traffic, and to view logs, enable on-demand troubleshooting. For information, see On Demand Troubleshooting in the Cisco Catalyst SD-WAN Monitor and Maintain Configuration Guide.

Minimum releases: Cisco vManage Release 20.9.1

Enable Microsoft traffic metrics.

See Enable Microsoft to Provide Traffic Metrics for Office 365 Traffic.

Minimum releases: Cisco vManage Release 20.10.1, Cisco IOS XE Catalyst SD-WAN Release 17.10.1a

• Enable SD-AVC in Administration > Settings.

• Enable Cloud Services in Administration > Settings.

• Webex account (This is usually an account for your organization).

• Enable server-side metrics. See Enable Webex Server-Side Metrics.

Minimum supported release: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a

To use a dialer interface for Cloud OnRamp for SaaS, the Point-to-Point Protocol (PPP) models associated with the DIA interface must support NAT DIA.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1

Before using or creating a destination data prefix list for a Cloud OnRamp for SaaS application, perform the following on the Applications and Policy page, for the application or applications for which you are excluding specific prefixes:

• Enable monitoring for the application.

• Enable Policy/Cloud SLA for the application.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1

• Configure a tracker with a DNS name or an IP address of the endpoint on the DIA or gateway site where Cloud OnRamp for SaaS is enabled.

  • To configure a DIA tracker using a Cisco System feature template, see Configure NAT DIA Tracker on IPv4 Interfaces Using Feature Templates in Cisco SD-WAN Manager.

  • Devices on the site must have a tracker or tracker group associated with them.

  • You can configure an ICMP tracker using a CLI template. For more information about configuring an ICMP tracker, see Information About NAT DIA Tracking.

• Ensure the DIA interfaces are configured for Cloud OnRamp for SaaS before associating a tracker.

Beginning with Cisco vManage Release 20.10.1 and Cisco IOS XE Catalyst SD-WAN Release 17.10.1a, when you enable Cloud OnRamp for SaaS to operate on Webex traffic, Cisco SD-WAN Manager uses a more efficient policy model, while still supporting existing legacy control policies that enable Cloud OnRamp for SaaS for Webex. If you disable the Webex application in Cloud OnRamp for SaaS, and then re-enable the Webex application, Cisco SD-WAN Manager can only use the newer policy model. Before disabling and then re-enabling the Webex application, ensure that devices in the network are using Cisco IOS XE Catalyst SD-WAN Release 17.10.1a or later, and that SD-AVC is enabled (in Administration > Settings).

Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1

You can associate a tracker with a gateway site only if connectivity to the gateway site uses VPN 0, not a service VPN.

Enable gateway probing through VPN 0 interfaces if the following conditions apply:

• A branch site connects to the internet through a gateway site. The branch site may or may not also connect to the internet through one or more DIA interfaces.

• The gateway site has internet exits that use the transport VPN (VPN 0) through one or more interfaces.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

An organization relies heavily on Microsoft 365 for its office applications and has configured Cloud OnRamp for SaaS to optimize Microsoft 365 traffic at its headquarters and at each branch office. In addition, it uses an on-premises Outlook server at a data center to handle its company email.

Microsoft distinguishes different types of Microsoft 365 traffic using the following service areas:

• Common: Microsoft 365 ProPlus, Office in a browser, Azure Active Directory (AD), and other common network endpoints

• Exchange: Exchange Online and Exchange Online Protection

• SharePoint: SharePoint Online and OneDrive for Business

• Skype: Skype for Business and Microsoft Teams

Because the organization uses an on-premises Outlook server, the network administrator chooses to exclude Outlook traffic from the Cloud OnRamp for SaaS optimization of Microsoft 365 traffic. By modifying the AAR policies, they exclude the Exchange service area (for Outlook) from the Microsoft 365 traffic that Cloud OnRamp for SaaS operates on, thereby ensuring the best performance for the email traffic using the on-premises Outlook server.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.2.1r

An organization’s network spans numerous sites. Most of the sites utilize the Box.com cloud storage application, but a subset of sites does not use Box.com.

First, the network administrator creates an AAR policy that serves the subset of sites that do not use Box.com. Next, the network administrator enables Cloud OnRamp for SaaS for Box.com traffic, which enables Cloud OnRamp for SaaS operation at all sites in the network.

To exclude the subset of sites that do not use Box.com, the network administrator edits the AAR policy for that subset of sites, to disable Cloud OnRamp for SaaS operation for Box.com traffic. This has the effect of disabling Cloud OnRamp for SaaS operation for Box.com traffic at that subset of sites only.

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1

Some organizations host SaaS applications in private data centers that are reachable only through the organization's internal network. If you enable Cloud OnRamp for SaaS to optimize traffic for one of these SaaS applications, then Cloud OnRamp for SaaS might attempt to route the SaaS traffic to a server outside the organization's internal network. This inadvertently prevents the SaaS traffic from reaching the private data center.

For example, an organization hosts a private on-premises SharePoint server for its internal SharePoint traffic. At the same time, the organization has enabled Cloud OnRamp for SaaS optimization for several SaaS applications, including SharePoint. This can inadvertently interfere with the SharePoint traffic.

To prevent Cloud OnRamp for SaaS optimization of the internal SharePoint traffic, network administrators configure Cloud OnRamp for SaaS to exclude the IP prefixes of the internal SharePoint servers. Consequently, internal SharePoint traffic flows correctly to the on-premises SharePoint server at the private data center.

You can enable Cloud OnRamp for SaaS in your Cisco Catalyst SD-WAN overlay network on sites with Direct Internet Access (DIA) and on DIA sites that access the internet. You can also enable Cloud OnRamp for SaaS on client sites that access the internet through another site in the overlay network, called a gateway site. Gateway sites can include regional data centers or carrier-neutral facilities. When you enable Cloud OnRamp for SaaS on a client site that accesses the internet through a gateway, you also enable Cloud OnRamp for SaaS on the gateway site.

Note

You can only enable Cloud OnRamp for SaaS features using the Cisco SD-WAN Manager procedures described in this document. We do not support configuring Cloud OnRamp for SaaS using CLI templates. Even when you configure other features on a device using a CLI template, you must nevertheless use Cisco SD-WAN Manager for configuring Cloud OnRamp for SaaS features.

1. Open Cloud OnRamp for SaaS.

   • From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

     or

   • In Cisco SD-WAN Manager, click the cloud icon near the top right and choose Cloud OnRamp for SaaS.

2. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy.

   The Applications and Policy window displays all SaaS applications.

3. Optionally, you can filter the list of applications by clicking an option in the App Type field.

   • Standard: Applications included by default for Cloud OnRamp for SaaS.

   • Custom: User-defined SaaS application lists (see Information About SaaS Application Lists).

4. (Optional) (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1) To exclude specific data prefixes for all SaaS applications, click Exclude Destination Data Prefix.

   In the drop-down list, choose an existing data prefix list or click New Data Prefix List to define a new data prefix list.

   For more information about configuring a data prefix, see the Configure Data Prefix section in Centralized Policy in the Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 17.x.

   Note	To exclude data prefixes for a specific SaaS application, see a later step in this procedure.

   For information about excluding data prefixes, see Information About Excluding Data Prefixes.

5. Enable applications and configure.

   Column	Description
   Applications	Applications that can be used with Cloud OnRamp for SaaS. If you enable the Office 365 application, you can click the Enable Application Feedback link to enable Cloud OnRamp for SaaS to receive server-side metrics from Microsoft. For information, see Enable Application Feedback Metrics for Office 365 Traffic. If you enable the Webex application, you can click the Enable Application Telemetry link to enable Cloud OnRamp for SaaS to receive server-side metrics from Webex. For information, see Enable Webex Server-Side Metrics. Note   Enabling application feedback metrics opens a Microsoft site that requests various permissions to access your application telemetry data. These permissions enable Cisco Catalyst SD-WAN to receive application telemetry data from Microsoft and correlate it with network telemetry data. This is part of the process of computing best paths to optimally route Microsoft 365 traffic.
   Monitoring	Enabled: Enables Cloud OnRamp for SaaS to initiate the Quality of Experience probing to find the best path. Disabled: Cloud OnRamp for SaaS stops the Quality of Experience probing for this application.
   VPN	(Cisco vEdge devices) Specify one or more VPNs.
   Policy/Cloud SLA	(Cisco IOS XE Catalyst SD-WAN devices) Select Enable to enable Cloud OnRamp for SaaS to use the best path for this application. Note   You can select Enable only if there is a centralized policy that includes an application-aware policy has been activated.
   	(Cisco IOS XE Catalyst SD-WAN devices) For Microsoft 365 (M365), select one of the following to specify which types of M365 traffic to include for best path determination: Optimize: Include only M365 traffic categorized by Microsoft as “optimize” – the traffic most sensitive to network performance, latency, and availability. Optimize and Allow: Include only M365 traffic categorized by Microsoft as “Optimize” or “Allow”. The “Allow” category of traffic is less sensitive to network performance and latency than the “Optimize” category. All: Include all M365 traffic.
   	Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, you can choose the service area that your M365 application belongs to. This allows you to apply the policy to only those applications in the specified service area. Microsoft allows the following service area options: Common: M365 Pro Plus, Office in a browser, Azure AD, and other common network endpoints. Exchange: Exchange Online and Exchange Online Protection. SharePoint: SharePoint Online and OneDrive for Business. Skype: Skype for Business and Microsoft Teams. See the Microsoft documentation for information about updates to the service areas.
   Exclude Destination Data Prefix	(Optional) From Cisco Catalyst SD-WAN Manager Release 20.13.1, you can exclude a data prefix list for a specific SaaS application: Click Select Destination Data Prefix. In the drop-down list, choose a data prefix list or click New Data Prefix List to define a new list. Click Save. Note   To exclude data prefixes for all SaaS applications, see a previous step in this procedure. For information about excluding data prefixes, see Information About Excluding Data Prefixes.

6. Click Save Applications and Next.

   The Application Aware Routing Policy window appears, showing the application-aware policy for the current active centralized policy.

   • You can select the application-aware policy and click Review and Edit to view the policy details. The match conditions of the policy show the SaaS applications for which monitoring has been enabled.

   • For an existing policy, you cannot edit the site list or VPN list.

   • You can create a new policy for sites that are not included in existing centralized policies. If you create a new policy, you must add a VPN list for the policy.

   • You can delete one or more new sequences that have been added for the SaaS applications, or change the order of the sequences.

7. Click Save Policy and Next. This saves the policy to the Cisco Catalyst SD-WAN Controller.

8. To activate the modified policy, click Activate.

Configure two types of sites:

• Client sites

• Direct internet access (DIA) sites

Beginning with Cisco IOS XE Catalyst SD-WAN Release 17.4.1a, you can enable the following types of application feedback from additional sources. Cloud OnRamp for SaaS can use these metrics to help determine the best path for Office 365 traffic. See Best Path Determination.

• Enable telemetry with Microsoft Exchange cloud servers, which can provide best path metrics for Office 365 traffic on specifically configured interfaces. This involves use of a Microsoft service called Microsoft 365 informed network routing. To understand this feature better, see the information available in the Microsoft 365 informed network routing document.

• Enable application response time (ART) metrics, which configures network devices to report ART metrics.

You can enable Microsoft Exchange cloud servers to calculate traffic metrics for Microsoft Exchange traffic coming from specific interfaces in the Cisco Catalyst SD-WAN overlay. Using the Microsoft Azure portal, you specify which interfaces to include, indicating the interfaces by their public IP addresses. This is called opting in the interfaces.

For the specified interfaces, Microsoft identifies the Office 365 traffic by packet source ID and provides metrics that Cloud OnRamp for SaaS can use to determine the best path for the Office 365 traffic.

Enable Microsoft to Provide Telemetry for Office 365 Traffic

Note

The functionality of the Microsoft Azure portal is subject to change and is therefore outside the scope of this documentation. These high-level instructions provide some guidance, but see Microsoft 365 documentation for details. For information about the following steps, see the "Microsoft 365 informed network routing" topic in the Microsoft 365 documentation.

1. Log in to the Microsoft Azure portal. (For information about how to create a Microsoft Azure tenant account, see the Microsoft Azure documentation.)

2. Using the Microsoft Azure portal, specify Cisco Catalyst SD-WAN overlay network interfaces for which to track traffic metrics.

   1. In the Azure portal, access the Microsoft 365 admin center.

   2. On the Locations page, add a location entry for each location in the SD-WAN overlay network, as desired.

   3. Within a location entry, do one of the following:

      • For locations using an edge router operating with Cisco IOS XE Release 17.9.1a or later, on the "Add an office location" page (or the equivalent), enable the option to allow an SD-WAN solution to automatically set the LAN subnet and egress address range. Then enter the system IP address of the edge device for the location.

      • For locations using an edge router operating with Cisco IOS XE Release 17.8.x or earlier, add egress IP addresses, using the public IP address of the desired interfaces.

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a and Cisco vManage Release 20.7.1

To enable Cloud OnRamp for SaaS to determine the best path for Webex traffic, enable the Webex application in the same way as other applications. See Enable Cloud OnRamp for SaaS, Cisco IOS XE SD-WAN Devices.

Minimum releases: Cisco vManage Release 20.10.1, Cisco IOS XE Catalyst SD-WAN Release 17.10.1a

policy
app-visibility
ip visibility features
  cxp        enable
  probe-saas enable

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a and Cisco vManage Release 20.7.1

1. From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS to display the Cloud OnRamp for SaaS dashboard.

2. (This step applies only to releases earlier than Cisco vManage Release 20.10.1.) If the dashboard shows a dialog box prompting you to synchronize Webex server information, click Yes in the dialog box.

   Cisco SD-WAN Manager displays the Application Aware Routing Policy page, enabling you to review the policy. The policy includes updated match conditions that use the latest Webex server information.

3. Click Save Policy.

   Cloud OnRamp for SaaS updates the following, as needed, to reflect the updated information for Webex servers worldwide:

   • Match conditions in the application-aware policy

   • Configuration for probing the cloud application

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.2.1r

1. Open Cloud OnRamp for SaaS.

   • From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

     Or

   • In Cisco SD-WAN Manager menu, click the cloud icon near the top right and choose Cloud OnRamp for SaaS.

2. In the Manage Cloud OnRamp for SaaS drop-down list, choose Applications and Policy.

   The Applications and Policy page displays all the Cloud OnRamp for SaaS applications.

3. Click Save Applications and Next.

   The Application Aware Routing Policy page opens, showing the application-aware policies in the current active centralized policy.

4. Select the policy you wish to edit and click Review and Edit to view the policy details.

5. You can now delete one or more sequences that have been added by Cloud OnRamp for SaaS for specific applications or change the order of the sequences.

6. Click Save Policy and Next. This pushes the updated policy to the Cisco SD-WAN Controller.

Note	Note: When you enable an application on the Applications and Policy page, by default, Cloud OnRamp for SaaS is enabled for all AAR policies that are part of the current active centralized policy.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

Minimum releases (for Microsoft 365 traffic): Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

Minimum releases (for Webex traffic): Cisco vManage Release 20.10.1, Cisco IOS XE Catalyst SD-WAN Release 17.10.1a

1. Open Cloud OnRamp for SaaS.

   • From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

     Or

   • In Cisco SD-WAN Manager, click the cloud icon near the top right and select Cloud OnRamp for SaaS.

2. Click Manage Cloud OnRamp for SaaS.

3. Click the Microsoft 365 application or the Webex application. A list of devices that are attached to a DIA or gateway is shown.

4. In the Application Usage column of a device, click View Usage.

   For the Webex application, the usage information is shown according to Webex region.

5. The CoR SaaS Application Usage page displays the information for each type of traffic. To limit the traffic information that is displayed, click the Search field, and choose All CoR SaaS Traffic, DIA, Gateway, or Non CoR SaaS.

   Note

   The information presented in the above graphs or logs is for an individual device. You can view the information related to only one device at a time. The graphs or logs are only shown for those devices for which on-demand troubleshooting is enabled. For information about on-demand troubleshooting, see On-Demand Troubleshooting. IP visibility feature commands are supported only through CLI or add-on CLI template. If you don't see any application usage for each type of traffic for a particular Cisco IOS XE Catalyst SD-WAN device, add the following configuration to the device using a CLI add-on feature template: policy app-visibility ip visibility features cxp enable probe-saas enable

1. From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

2. Click Manage Cloud OnRamp for SaaS and choose Applications and Policy.

   The Applications and Policy window displays all SaaS applications.

3. In the row of the application that you are verifying, check that the Monitoring column and the Policy/Cloud SLA column both show Enabled.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

1. From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2. Click Controllers.

   Note	Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

   A list of devices is displayed.

3. For the device you wish to verify, click … and click Running Configuration. The Running Configuration window opens, displaying the running configuration.

4. Verify that the running configuration reflects any changes that you have made to AAR policies.

Or

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

   The Policies page displays the policies.

2. For the policy, you wish to verify, click … and click Preview.

   The Policy Configuration Preview pop-up window appears, providing a preview of the running configuration.

3. Verify that the policy preview reflects any changes that you have made to AAR policies.

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Release 17.2.1

1. From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2. Click Controllers.

   Note	Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

   A list of devices is displayed.

3. For the device you wish to verify, click … and click Running Configuration. The Running Configuration window opens, displaying the running configuration.

4. Verify that the running configuration reflects any changes that you have made to AAR policies.

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

   The Policies window displays the policies.

2. For the policy, you wish to verify, click … and click Preview.

   The Policy Configuration Preview page appears, providing a preview of the running configuration.

3. Verify that the policy reflects any changes that you have made to AAR policies.

Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1

1. Open Cloud OnRamp for SaaS.

   • From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

     or

   • In Cisco SD-WAN Manager, click the cloud icon at the top right and click Cloud OnRamp for SaaS.

   The page includes a tile for each monitored application, with the following information:

   • How many sites are operating with Cloud OnRamp for SaaS.

   • A color-coded rating of the Quality of Experience (vQoE) score for the application (green=good score, yellow=moderate score, red=poor score) on the devices operating at each site.

2. Optionally, you can click a tile to show details of Cloud OnRamp for SaaS activity for the application, including the following:

   Field	Description
   vQoE Status	A green checkmark indicates that the vQoE score for the best path meets the criteria of an acceptable connection. The vQoE is calculated based on average loss and average latency. For Office 365 traffic, other connection metrics are also factored in to the vQoE score.
   vQoE Score	For each site, this is the vQoE score of the best available path for the cloud application traffic. The vQoE score is determined by the Cloud OnRamp for SaaS probe. Depending on the type of routers at the site, you can view details of the vQoE Score as follows: Cisco IOS XE Catalyst SD-WAN devices: To show a chart of the vQoE score history for each available interface, click the chart icon. In the chart, each interface vQoE score history is presented as a colored line. A solid line indicates that Cloud OnRamp for SaaS has designated the interface as the best path for the cloud application at the given time on the chart. You can place the cursor over a line, at a particular time on the chart, to view details of the vQoE score of an interface at that time. From Cisco vManage Release 20.8.1, for the Office 365 application, the chart includes an option to show the vQoE score history for a specific service area, such as Exchange, Sharepoint, or Skype. For each service area, a solid line in the chart indicates the interface chosen as the best path at a given time. If you have enabled Cloud OnRamp for SaaS to use Microsoft traffic metrics for Office 365 traffic, the choice of best path takes into account the Microsoft traffic metrics. Cisco vEdge devices: To show a chart of the vQoE score history, click the chart icon. The chart shows the vQoE score for the best path chosen by Cloud OnRamp for SaaS.
   DIA Status	The type of connection to the internet, such as local (from the site), or through a gateway site.
   Selected Interface	The interface providing the best path for the cloud application. Note   If the DIA status is Gateway, this field displays N/A. From Cisco Catalyst SD-WAN Manager Release 20.13.1, if the best path is a loopback interface, this field displays the interface bind to the loopback.
   Activated Gateway	For a site that connects to the internet through a gateway site, this indicates the IP address of the gateway site. Note   If the DIA status is Local, this field displays N/A.
   Local Color	For a site that connects to the internet through a gateway site, this is the local color identifier of the tunnel used to connect to the gateway site. Note   If the DIA status is Local, this field displays N/A.
   Remote Color	For a site that connects to the internet through a gateway site, this is the remote (gateway site) color identifier of the tunnel used to connect to the gateway site. Note   If the DIA status is Local, this field displays N/A.
   SDWAN Computed Score	This field is applicable only if the site uses Cisco IOS XE Catalyst SD-WAN devices. It does not apply for Cisco vEdge devices. From Cisco vManage Release 20.8.1, for the Microsoft Office 365 application, an SDWAN Computed Score column provides links to view charts of the path scores (OK, NOT-OK, or INIT) provided by Microsoft telemetry for each Microsoft service area, including Exchange, Sharepoint, and Skype. The chart shows the scores over time for each available interface. The scores are defined as follows: OK: Acceptable path NOT-OK: Unacceptable path INIT: Insufficient data These charts provide visibility into how Cloud OnRamp for SaaS chooses a best path for each type of Microsoft Office 365 traffic. A use case for viewing the path score history is for determining whether Microsoft consistently rates a particular interface as NOT-OK for some types of traffic, such as Skype traffic.

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.7.1a and Cisco vManage Release 20.7.1

1. From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS.

   The page displays each monitored application, the relevant sites, with information about each.

2. Optionally, you can click a site to display a chart of the scores for various available paths for the application traffic, and the best path (solid line).

3. Beginning with Cisco vManage Release 20.10.1, for each site and region, you can view information about the interfaces that Webex traffic is using. For information, see View Application Usage.

Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.13.1

1. From the Cisco SD-WAN Manager menu, choose Monitor > Devices.

2. Click on the device to select it.

3. Click Real Time in the left pane.

4. Click the Device Options drop-drop list, and choose Policy App Route Filter.

A table displays real-time statistics, including the packet counter name that represents the data prefix list for an application.

The Cisco Cloud OnRamp for SaaS notifications and alarms are populated in the syslog. These notifications and alarms are not populated in the console log. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.12.1a, the Cisco Cloud OnRamp for SaaS notifications and alarms are displayed both in syslog and console logs. However, to avoid flooding of notifications and alarms on both syslog and console logs, Cisco SD-WAN Manager generates NETCONF by default, the syslogs on demand and the console logs when you add a CLI template. For more information about using CLI templates, see CLI Add-on Feature Templates and CLI Templates.

1. Use the system alarms alarm cloud-express-score change syslog command using a CLI template to print the cloud express score change notifications both in syslogs and console logs.

2. Use the system alarms alarm cloud-express-application-change syslog command using a CLI template to print the cloud express application change notifications both in syslogs and console logs.

• The SIG tunnels created using the Secure Internet Gateway (SIG) template must have a valid Tracker Source IP address. Cloud OnRamp for SaaS uses the Tracker Source IP address in the SIG template for probing purposes.

• Configure the device to use an internet-based DNS server with an IP address that can be reached through the SIG tunnel.

• Application identification:

  An application must be identified by Cloud OnRamp for SaaS from the very first packet in a flow going through the edge routers, between a branch and Cloud OnRamp for SaaS. If an application cannot be identified in the first packet of a flow, the best path that is selected by Cloud OnRamp cannot be implemented for the subsequent packets in that given flow. After an application is classified, the subsequent traffic flow goes through the best path selected by Cloud OnRamp for SaaS.

• Gateway exit and DIA:

  Cloud OnRamp for SaaS comparison logic between a gateway exit and a Direct Internet Access (DIA) exit cannot determine if the Cloud OnRamp for SaaS in the remote gateway is executing a computation with an underlay interface or a SIG interface.

• IPv6 support:

  IPv6 is not supported with Cloud OnRamp for SaaS.

• Support for telemetry:

  • You cannot enable Microsoft 365 telemetry or Webex server-side metrics on a site that uses Cloud OnRamp for SaaS over SIG tunnels.

  • From Cisco Catalyst SD-WAN Manager Release 20.14.1, in a scenario that includes (a) sites that use Cloud OnRamp for SaaS over SIG tunnels, and also (b) sites that use Cloud OnRamp for SaaS without SIG tunnels, Microsoft 365 telemetry and Webex server-side metrics are supported only on the sites that do not use a SIG tunnel.

    When you enable Microsoft 365 telemetry or Webex server-side metrics globally, they are active only on sites that do not use Cloud OnRamp for SaaS over SIG tunnels.

  • From Cisco vManage Release 20.6.1 through Cisco Catalyst SD-WAN Manager Release 20.13.x, in a scenario that includes (a) sites that use Cloud OnRamp for SaaS over SIG tunnels, and also (b) sites that use Cloud OnRamp for SaaS without SIG tunnels, Microsoft 365 telemetry and Webex server-side metrics are not supported on any of the sites in the network.

    If you attempt to enable Microsoft 365 telemetry or Webex server-side metrics in this scenario, an error appears in the task list, associated with the push feature template configuration task.

Using Cloud OnRamp for SaaS, a site can connect to SaaS applications through the following:

• Through the best performing SIG tunnel

• Through a gateway site in which the traffic is sent through the best-performing overlay tunnel from the branch to the gateway, and then from the gateway site through the best-performing SIG tunnel.

When you configure Cloud OnRamp for SaaS for a site to connect over SIG tunnels, you have secure access to the SaaS applications over the internet.

From Cisco Catalyst SD-WAN Control Components Release 20.6.1 and Cisco IOS XE Catalyst SD-WAN Release 17.6.1a, Cloud OnRamp for SaaS supports faster failover on SIG tunnels by default, if the SIG tunnels are configured with Layer 7 health check. For more information about configuring Layer 7 health check, see Support for Layer 7 Health Check.

Connecting to Cloud OnRamp for SaaS over SIG tunnels has the following benefits:

• You have secure access to the SaaS applications over SIG tunnels.

• Cloud OnRamp for SaaS over SIG tunnels provides best path performance where access to the SaaS applications is enabled through the best-performing tunnel.

There are different ways through which you can access the SaaS applications over SIG tunnels:

This section provides sample CLI configurations for Cloud OnRamp for SaaS over SIG tunnels.

Device# config-transaction 
Device(config)# probe-path {branch|gateway} {all-auto-sig-tunnels|sig-tunnel-list} list of SIG tunnels 
Device(config)# ip sdwan route vrf vrf ip address service sig 

Device# config-transaction 
Device(config)# probe-path gateway {all-auto-sig-tunnels|sig-tunnel-list} list of SIG tunnels 
Device(config)# ip sdwan route vrf vrf ip address service sig 
Device(config)# interface tunnel-id 
Device(config-if)# ip nbar protocol-discovery 

Device# config-transaction
Device(config)# probe-path gateway all-auto-sig-tunnels
Device(config)# ip sdwan route vrf 1 192.168.0.1 service sig
Device(config)# interface Tunnel101
Device(config-if)# ip nbar protocol-discovery
Device(config-if)# interface Tunnel102
Device(config-if)# ip nbar protocol-discovery

Device# config-transaction 
Device(config)# vrf definition vrf 
Device(config-vrf)# address-family ipv4 
Device(config-vrf)# exit-address-family 

Device(config)# interface  Loopback interface_number  
Device(config-if)# no shutdown 
Device(config-vrf)# vrf forwarding vrf_number 
Device(config-vrf)# ip address ip address mask 
Device(config-vrf)# exit 

To monitor Cloud OnRamp for SaaS over SIG tunnels, perform the following steps:

1. From the Cisco SD-WAN Manager menu, choose Monitor > Devices.

   Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose Monitor > Network.

2. From the list of devices that is displayed, select a device.

3. Click Real Time in the left pane.

4. Click Device Options drop-drop list, and choose one of the following commands:

   Device Option	Description
   CloudExpress Applications	Displays the best path for applications that are configured with Cloud OnRamp for SaaS. The best path could be a local interface with DIA, or the path to a remote gateway.
   CloudExpress Gateway Exits	Displays the loss and latency on each gateway exit for applications that are configured with Cloud OnRamp for SaaS.
   CloudExpress Local Exits	Displays the application loss and latency on each DIA interface that is enabled for Cloud OnRamp for SaaS.

5. From the Cisco SD-WAN Manager menu, choose Configuration > Cloud OnRamp for SaaS to access the dashboard where you can view the applications available on Cloud OnRamp for SaaS.

The following example shows the configuration of Cloud on Ramp for SaaS over SIG tunnels:

Device(config)# probe-path branch sig-tunnel-list Tunnel100015 Tunnel100016
Device(config)# probe-path branch all-auto-sig-tunnels