Showing results for 
Search instead for 
Did you mean: 

IWAN DCA(Direct Cloud Access) for SaaS FAQ


IWAN DCA(Direct Cloud Access) feature helps customers to optimize their Software as a service (SaaS) applications (Office 365, Google, etc.) with better performance and reduced cost. It continuously measures and monitors the performance of each SaaS application along with local break out path as well as backhaul path, and chooses the best-performing path in policy to provide the most optimal user experience.


Q1: What benefit I can get from this solution?

A1: As more and more traffic shift to the public cloud such as Office 365, this SaaS applications requires the network to provide good application performance to ensure good user experience, if not, users may have bad user experience of this SaaS applications.  Nowadays, the traffic of a SaaS user at the branch office is backhauled from branch (eg. Asia) to the enterprise data center (eg. US) and access a SaaS server close to the data center (US.), this long path usually has high latency. If we can locally break out this SaaS traffic and directly access a SaaS server close to the branch, it usually has much less latency which means better user experience. Also, traffic will not go to data center and occupy extra network bandwidth at the data center.  At same time, we continuously monitor the local break out path as well as backhaul path and select the best path in policy thus we can sure best user experience and high availability.


Q2: which releases support this feature?

A2: This feature was developed in IOS-XE16.8.1 and generally available in IWAN2.3/IOS-XE16.9.1. IOS-XE16.9.4 is the current recommended release.


Q3: what devices support this feature?

A3: It is supported in Enterprise Routing Platforms such as ASR1000/ISR4K/ISR1k/CSR1000v/ENCS.

IOS G2 does not support this.


Q4: Do I need to enable some special license for this feature?

A4: No, it is the same license as you enable IWAN.


Q5: what SaaS are supported here?

A5: Popular SaaS are all supported, like Salesforce, Microsoft O365, Sharepoint, AWS, Dropbox, Box, Google apps, Zendesk, SAP, Webex.


Q6: Can I local break out websites like facebook/Linkedin etc.?

A6: Yes, you can, but Cisco test only focus on the popular SaaS mentioned above.


Q8: I want to break out some URL domain, but it is not found in the NBAR support list, How can I do that?

A8: You can use NBAR custom protocol to achieve this.


Q9: Does solution support 1st packet classification?

A9: Yes, we support this.


Q10: I am happy from the network side for this solution and any security considerations for this?

A10: The LAN and Internet links are segmented in different VRF and no route leakage. Only trusted SaaS traffic like O365, Google, Salesforce in the whitelist are allowed to local breakout from the internet, traffic initiated from the internet can’t get into the internal network. You can also enable security services such as ZBFW/Snort on the box to enable more security services.


Q11: Is umbrella license/registration a must have?

A11: No, the umbrella configuration here is to intercept the DNS request to SaaS from an internal DNS resolver to a public DNS resolver to achieve location proximity to get a SaaS server close to the user.

By default, Umbrella DNS resolver is used and you can use other DNS resolvers such as Google as you like. If you need umbrella security service, you can buy umbrella license.


Q12: Do we need to change any DNS configuration in my network or host devices?

A12: No, you don’t need to change any DNS configuration. Only the DNS request of SaaS interested will be intercepted and it is done automatically by Umbrella connector. Other DNS is not affected.


Q13: What does “application ms-lync-group domain dscp default” mean?

A13: This is only for performance probe, not packet classification. In order to measure the path performance to a SaaS like O365, we actively send HTTP probe packets from our router to the SaaS via a different path and measure the performance. Here it tells how to probe the O365(send HTTP probe to with DSCP default).


Q14: For O365, there are plenty of URLs, Do I need to configure all of them?

A14: No. You only need to configure one like As stated above, this is only for probe, not packet classification. The internal DPI engine can classify SaaS based on other mechanisms and depend on the config here. Even we have several different URLs for one SaaS, the path performance difference inside the provide data center is minimum.


Q15: What kind of branch can get benefit from this solution?

A15: if you have an internet link then you can enable this solution, the internet link can be in another device like one MPLS link in router A and one internet link route B, SaaS traffic received on the MPLS router also can be local breakout via the Internet router.


Q16. Do I need to enable NAT?

A16: In order to make your host which normally in a private network directly communicate with the SaaS application in the public, normally we need NAT in the path, you can enable NAT on the same router which has DCA enabled or other devices in the path.


Q17. In my current deployment, all internet traffic at branch going to a proxy server located at DC and security devices in DC only allow proxy traffic and whitelist traffic, Can I use DCA feature?

A17: Per O365 recommendation, extra proxy server and Firewall will add extra latency for O365 traffic and impact user experience, and DCA also can't local break out proxy traffic as it may not classified as SaaS and destination is to proxy server instead of public SaaS cloud.  

The recommendation is to bypass the proxy server for O365 and also add O365 in the Firewall whitelist. For more detail, you can refer to O365 recommendations


A tool to generate O365 PAC file to bypass proxy for O365


Q18. Is there any configuration guide for this solution?

A18: Yes, please refer to


Q19: Looking at the configuration guide, I still have a couple of questions, where can I ask for help?

A19: You can ask in the community or contact Cisco TAC.


Q20: This solution looks good, but we have a centralized hub and a large number of branch sites.

Can we just try this in one or two branches first and not upgrade the hub site, if it is good, then upgrade other sites?

A20: Yes, you can do that. Normally we recommend to have the same image in the network,  one option is to use DCA local policy which does not require any image or configuration change of Hub site, only need to upgrade image on a branch site to 16.10.1 and above. Please refer to


Q21: This solution looks really great, but we don't have IWAN enabled, Can we get similar SaaS benefit? 

A21: Yes, you can refer to Cisco Application-Based Routing(DCA/DIA) FAQ which can work w/o IWAN


Q22: We have Umbrella client on PC, it may encrypt DNS request to SaaS, Can DCA work reliable in this case?

A22: When DCA enabled on a branch site, it is recommended to change Umbrella settings to make it work in the "Protected Network" mode where Umbrella client will be automatically disabled and rely on network policy.

Cisco Employee

thanks for sharing this doc. very helpful for understanding DCA.