yicliu
Cisco Employee

Solution Overview

Digital innovation is overwhelming the branch and WAN. More specifically, 80 percent of employees and customers work in or are served in branch offices*, which is leading to a 73 percent growth in mobile devices from 2014 to 2018**. These mobile devices are accessing a significantly larger number of cloud applications (such as Office 365, salesforce.com, and Google apps) and as a result, demand for bandwidth and related costs will increase by 20 to 50 percent per year through 2018. The increased surface area and complexity of cyber attacks, and the subsequent increase in time required to mitigate these attacks, have made the branch a prime target for advanced threats.

 

Please refer to the Cisco Verified Profile below for design and configuration:

https://www.cisco.com/c/en/us/solutions/collateral/design-zone/cisco-validated-profiles/cvp-c17-743043.html

 

Direct Internet Access:

Forward certain Internet-bound traffic (e.g. Facebook, YouTube) from the branch directly to the Internet. This reduces IT spending, improves the application experience, and makes guest Wi-Fi at the branch possible.

 

Direct Cloud Access:

Forward SaaS traffic (e.g. Office 365, Salesforce, Box, Google) from the branch directly to the Internet or over the backhaul path to the data center, based on the measured performance of each candidate path. This gives the best SaaS application experience and also reduces WAN cost.

 

Q1: Who is the target customer for this solution?

A1: Enterprises that manage their own WAN, or service providers that offer managed WAN services.

 

Q2: What benefit can I get from this solution?

A2: 

For enterprise customers, more and more applications are moving to the cloud and SaaS applications (e.g. Office 365, Box, Webex, Salesforce, Google) are being adopted quickly. This solution can greatly improve the SaaS application user experience (much lower latency) and also reduce WAN link cost. In addition, non-business traffic (such as Facebook and YouTube) is growing; it may occupy the expensive WAN link and impact business-critical applications. With this solution you can route non-business traffic to the Internet link and so protect the business application user experience.

 

For service providers, this solution lets you offer a better SaaS application experience to your end customers and use the Internet link to offload the expensive WAN link, reducing your cost.

 

Q3: This looks good, but what are the prerequisites of this solution? Do I need to enable Cisco IWAN or SD-WAN?

A3: No. IWAN or SD-WAN is not needed; this is a lightweight solution that can be enabled on a single router, with no dependency on any overlay or IPsec.

If you have already deployed Cisco IWAN, please refer to the IWAN DCA solution FAQ:

https://community.cisco.com/t5/networking-documents/iwan-dca-direct-cloud-access-for-saas-faq/ta-p/3701734

 

Q4: This sounds like a pretty simple solution. What is the difference between this and PBR (policy-based routing)?

A4: This is a much better solution:

  • It can directly match an application, application group, or URL and so achieve application-based routing, while PBR can only match DSCP, prefix, etc.
  • Some applications require several packets before they are classified (e.g. the first 3 packets are classified as TCP and later packets as YouTube). With PBR the first few packets may take the backhaul path and later packets the Internet path once classified, which can cause a TCP connection reset and impact the user experience. This solution provides flow stickiness: the flow stays on its original path, so there is no connection reset and the user experience is the best possible.
  • Configuration simplicity. This solution requires very little configuration and automatically starts IP SLA to probe the path.
  • Better support for 2 or more branch devices. Some medium or large sites have 2 branch routers for redundancy (1 MPLS link and 1 Internet link, or 2 Internet links); with this solution both links can be fully used (active/active) and the configuration is very simple (similar to the single-device configuration).

Q5: I like this solution, but what about security if we break out Internet traffic locally?

A5: This solution only allows whitelisted traffic (such as Office 365 and Facebook, as defined by policy) initiated from the LAN to go to the Internet; this traffic can be trusted, and all other traffic still follows the existing path. Other than that, you can enable VRF segmentation to segment the Internet traffic. You can also enable NAT, Umbrella, ZBFW, or UTD on the device to improve security.
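To make the A4 and A5 behaviour concrete, here is a small Python model added for this FAQ (it is not code from the page or from Cisco IOS-XE and does not reproduce the ePBR configuration syntax): it pins each flow to the path chosen on its first packet (flow stickiness) and only lets LAN-initiated, whitelisted applications break out. The path names, whitelist, NBAR verdict sequence and sample flows are constructed for illustration.

```python
# Added model of the flow-sticky, whitelist-gated breakout decision described in
# A4 and A5 of this FAQ. Paths, whitelist and sample flows are constructed here;
# this is not IOS-XE code and does not reproduce the ePBR configuration syntax.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BACKHAUL, INTERNET = "backhaul", "internet"
WHITELIST = {"office365", "facebook", "youtube"}   # apps allowed to break out


@dataclass
class Packet:
    side: str              # "lan" (initiated by a branch host) or "wan"
    flow: Tuple            # 5-tuple identifying the TCP/UDP flow
    app: Optional[str]     # NBAR verdict so far; "tcp" until enough packets seen


def pbr_path(pkt: Packet) -> str:
    """Stateless PBR-style decision, re-evaluated on every packet."""
    return INTERNET if pkt.app in WHITELIST else BACKHAUL


@dataclass
class StickyDCA:
    """ePBR-style decision: the verdict for a flow's first packet is pinned."""
    table: Dict[Tuple, str] = field(default_factory=dict)

    def path(self, pkt: Packet) -> str:
        if pkt.flow not in self.table:
            # Only LAN-initiated, whitelisted applications may break out;
            # everything else (including not-yet-classified traffic) keeps
            # the existing backhaul path for the life of the flow.
            breakout = pkt.side == "lan" and pkt.app in WHITELIST
            self.table[pkt.flow] = INTERNET if breakout else BACKHAUL
        return self.table[pkt.flow]


def replay(packets: List[Packet], decide) -> Tuple[List[str], bool]:
    """Return the per-packet paths and whether the path changed mid-flow."""
    paths = [decide(p) for p in packets]
    return paths, len(set(paths)) > 1


# Constructed flows: NBAR needs 3 packets before it recognises YouTube.
YT = ("10.0.0.10", 50001, "203.0.113.20", 443, "tcp")
YOUTUBE_FLOW = [Packet("lan", YT, a) for a in ["tcp", "tcp", "tcp", "youtube", "youtube"]]
O365 = ("10.0.0.11", 50002, "203.0.113.30", 443, "tcp")
O365_FLOW = [Packet("lan", O365, "office365") for _ in range(3)]

if __name__ == "__main__":
    print("PBR   :", replay(YOUTUBE_FLOW, pbr_path))          # path flips mid-flow
    print("Sticky:", replay(YOUTUBE_FLOW, StickyDCA().path))  # stays on backhaul
```

The second element of `replay`'s result is the mid-flow path change that the PBR approach produces and the sticky policy avoids.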

 

Q6: What SaaS applications are supported?

A6: All popular SaaS applications are supported, such as Salesforce, Microsoft O365, SharePoint, AWS, Dropbox, Box, Google apps, Zendesk, SAP, and Webex.

 

Q7: I want to break out a URL domain, but it is not found in the NBAR supported list. How can I do that?

A7: You can use an NBAR custom protocol to achieve this.

 

Q8: Do I need to enable NAT?

A8: For a host that normally sits in a private network to communicate directly with a server application on the public Internet, NAT is normally required somewhere in the path. You can enable NAT on the same router that has DCA enabled, or on another device in the path.

 

Q9: Is there any configuration guide for this solution?

A9: Yes, please refer to:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-16-11/iri-xe-16-11-book/epbr-appl-based-routing.html

 

Q10: Looking at the configuration guide, I still have a couple of questions. Where can I ask for help?

A10: You can ask in the community or contact Cisco TAC.

 

Q11: This sounds very attractive. Does it need an extra license?

A11: No extra license; AppX is enough.

 

Q12: What is the recommended image release for this solution?

A12: The first available release is IOS-XE 16.11.1. The recommended release is IOS-XE 16.12.1, which is an extended release.

 

Q13: What devices support this feature?

A13: It is supported on enterprise routing platforms such as ASR1000/ISR4K/ISR1K/CSR1000v/ENCS.

IOS G2 does not support this.

Comments
Philipp Kreidl
Level 1

The configuration guide is really confusing; the config parts don't add up. Can you please provide a working configuration for a dual branch with site-manager DCA config?

yicliu
Cisco Employee

Hi Philipp,

Please refer to the Cisco Verified Profile below for the dual-border branch config:

https://www.cisco.com/c/en/us/solutions/collateral/design-zone/cisco-validated-profiles/cvp-c17-743043.html

 

Philipp Kreidl
Level 1

Unfortunately I only get: 403 - Forbidden Page or Application

Should this document not be accessible by customers?

yicliu
Cisco Employee
I am not sure whether customers need to log in with an account to see this.