Introduction
This document describes the configuration for Cloud OnRamp for Software as a Service (SaaS) using branch local exit.
Prerequisites
Requirements
Cisco recommends that you have knowledge of the Cisco Software-Defined Wide Area Network (SD-WAN).
Components Used
The information in this document is based on these software and hardware versions:
- Cisco vManage version 20.9.4
- Cisco WAN Edge router version 17.9.3a
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
For an organization using SD-WAN, a branch site typically routes SaaS application traffic by default over SD-WAN overlay links to a data center. From the data center, the SaaS traffic reaches the SaaS server.
For example, in a large organization with a central data center and branch sites, employees can use Office 365 at a branch site. By default, the Office 365 traffic from a branch site is routed over an SD-WAN overlay link to the centralized data center and, from the data center's DIA exit, to the Office 365 cloud server.
This document covers the case where the branch site has its own direct internet access (DIA) connection: you can improve performance by routing the SaaS traffic through the local DIA exit and bypassing the data center.
Note: Configuring Cloud OnRamp for SaaS when a site uses a loopback as a transport locator (TLOC) interface is not supported.
Configure
Network Diagram
Figure: Network Topology
Configurations
Enable NAT on the Transport Interface
Navigate to the feature template. Choose the Transport VPN interface template and enable NAT.
Figure: Enable Interface NAT
CLI Equivalent Configuration:
interface GigabitEthernet2
ip nat outside
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet2 overload
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 60
Create a Centralized AAR Policy
In order to establish a centralized policy, follow this procedure:
Step 1. Create a site list.
Figure: VPN Interface NAT Template
Step 2. Create a VPN list.
Figure: Centralized Policy Custom Site List
Step 3. Configure the traffic rules and create the Application Aware Routing policy.
Figure: Application Aware Route Policy
Step 4. Add the policy to the intended sites and VPN.
Figure: Add policies to Sites and VPNs
CLI Equivalent Policy:
viptela-policy:policy
 app-route-policy _VPN1_Cloud_OnRamp_SAAS
  vpn-list VPN1
   sequence 1
    match
     cloud-saas-app-list office365_apps
     source-ip 0.0.0.0/0
    !
    action
     count Cloud_OnRamp_-92622761
    !
   !
  !
 lists
  app-list office365_apps
   app skype
   app ms_communicator
   app windows_marketplace
   app livemail_mobile
   app word_online
   app excel_online
   app onedrive
   app yammer
   app sharepoint
   app ms-office-365
   app hockeyapp
   app live_hotmail
   app live_storage
   app outlook-web-service
   app skydrive
   app ms_teams
   app skydrive_login
   app sharepoint_admin
   app ms-office-web-apps
   app ms-teams-audio
   app share-point
   app powerpoint_online
   app ms-lync-video
   app live_mesh
   app ms-lync-control
   app groove
   app ms-live-accounts
   app office_docs
   app owa
   app ms_sway
   app ms-lync-audio
   app live_groups
   app office365
   app windowslive
   app ms-lync
   app ms-services
   app ms_translator
   app microsoft
   app sharepoint_blog
   app ms_onenote
   app ms-teams-video
   app ms-update
   app ms-teams-media
   app ms_planner
   app lync
   app outlook
   app sharepoint_online
   app lync_online
   app sharepoint_calendar
   app ms-teams
   app sharepoint_document
  !
  site-list DCsite_100001
   site-id 100001
  !
  vpn-list VPN1
   vpn 1
  !
 !
!
apply-policy
 site-list DCsite_100001
  app-route-policy _VPN1_Cloud_OnRamp_SAAS
 !
!
Enable Application and Direct Internet Access in vManage
Step 1. Navigate to Cloud OnRamp for SaaS.
Figure: Select Cloud OnRamp for SaaS
Step 2. Navigate to Applications and Policy.
Figure: Select Applications and Policy
Step 3. Navigate to Application > Enable and Save. Then click Next.
Figure: Select Applications and Enable Monitoring
Step 4. Navigate to Direct Internet Access (DIA) Sites.
Figure: Select Direct Internet Access Sites
Step 5. Navigate to Attach DIA Sites and choose the sites.
Figure: Attach DIA Sites
Verification
This section describes the outputs that confirm Cloud OnRamp for SaaS is steering the SaaS traffic through the branch local exit.
- This output shows Cloudexpress local-exits:
cEdge_West-01#sh sdwan cloudexpress local-exits
cloudexpress local-exits vpn 1 app 2 type app-group subapp 0 GigabitEthernet2
application office365
latency 6
loss 0
- This output shows Cloudexpress applications:
cEdge_West-01#sh sdwan cloudexpress applications
cloudexpress applications vpn 1 app 2 type app-group subapp 0
application office365
exit-type local
interface GigabitEthernet2
latency 6
loss 0
- This output shows incrementing counters for interested traffic:
cEdge_West-01#sh sdwan policy app-route-policy-filter
NAME                     VPN LIST NAME  COUNTER NAME             PACKETS  BYTES
-------------------------------------------------------------------------------
_VPN1_Cloud_OnRamp_SAAS  VPN1           default_action_count     640      66303
                                        Cloud_OnRamp_-403085179  600      432292
- This output shows the vQoE status and score in the vManage GUI:
Figure: vQoE Status and Score
- This output shows the service path in the vManage GUI:
Figure: Service Path
- This output shows the service-path from Device CLI:
cEdge_West-01#sh sdwan policy service-path vpn 1 interface GigabitEthernet4 source-ip 10.2.20.70 dest-ip <Office365 server IP> protocol 6
Next Hop: Remote
Remote IP: 10.2.30.129, Interface GigabitEthernet2 Index: 8
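As an added illustration (not part of the original document and not a Cisco tool), this Python script parses the two CLI outputs shown above and checks the conditions a working branch local exit must satisfy: exit-type local on the expected transport interface, a healthy probe (loss 0, latency within a chosen bound), and a non-zero AAR policy counter. The sample outputs are constructed from the values on this page; the 100 ms latency bound and the Cloud_OnRamp_ counter-name prefix are assumptions.

```python
import re
# Constructed sample outputs modelled on the verification section (not captured from a real device).
CLOUDEXPRESS_APPS = """cloudexpress applications vpn 1 app 2 type app-group subapp 0
 application office365
 exit-type  local
 interface  GigabitEthernet2
 latency    6
 loss       0
"""
POLICY_COUNTERS = """NAME                     VPN LIST NAME  COUNTER NAME             PACKETS  BYTES
-------------------------------------------------------------------------------
_VPN1_Cloud_OnRamp_SAAS  VPN1           default_action_count     640      66303
                                        Cloud_OnRamp_-403085179  600      432292
"""

def parse_cloudexpress(text):
    """One dict per 'cloudexpress applications ...' stanza; keys use '_' instead of '-'."""
    entries, cur = [], None
    for line in text.splitlines():
        if line and not line.startswith(" "):      # unindented line starts a new stanza
            cur = {"stanza": line.strip()}
            entries.append(cur)
            continue
        m = re.match(r"\s+(\S+)\s+(\S+)$", line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key.replace("-", "_")] = int(val) if val.isdigit() else val
    return entries

def parse_counters(text):
    """{counter_name: (packets, bytes)} from 'show sdwan policy app-route-policy-filter'."""
    counters = {}
    for line in text.splitlines():
        m = re.search(r"(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters

def local_exit_ok(apps, counters, app="office365", transport="GigabitEthernet2", max_latency=100):
    """True only if the app exits locally on the expected transport with a healthy probe and a non-zero AAR counter."""
    for a in apps:
        if a.get("application") != app:
            continue
        if (a.get("exit_type") != "local" or a.get("interface") != transport
                or a.get("loss", 1) != 0 or a.get("latency", max_latency + 1) > max_latency):
            return False
        hits = [p for name, (p, _) in counters.items() if name.startswith("Cloud_OnRamp_")]
        return bool(hits) and all(p > 0 for p in hits)
    return False  # the app was not learned by Cloud OnRamp at all
```

Feed it the live output of the two show commands to confirm, for each DIA site, that only the intended SaaS application is taking the local exit and that the policy counter keeps incrementing.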
Related Information