Please refer to the Cisco Verified Profile below for the dual-border branch configuration.
Digital innovation is overwhelming the branch and the WAN. More specifically, 80 percent of employees and customers work in, or are served in, branch offices*, which is driving 73 percent growth in mobile devices from 2014 to 2018**. These mobile devices access a significantly larger number of cloud applications (such as Office 365, salesforce.com and Google apps), and as a result demand for bandwidth, and the related costs, will increase by 20 to 50 percent per year through 2018. The increased attack surface and complexity of cyberattacks, and the resulting increase in the time needed to mitigate them, have made the branch a prime target for advanced threats.
Please refer to the Cisco Verified Profile below for design and configuration details.
Direct Internet Access:
Forward certain Internet-bound traffic (e.g. Facebook, YouTube) from the branch directly to the Internet. This reduces IT spending, ensures a better application experience, and provides guest Wi-Fi at the branch.
Direct Cloud Access:
Forward SaaS traffic (e.g. Office 365, Salesforce, Box, Google) from the branch either directly to the Internet or over the backhaul path to the data center, based on the measured performance of the candidate paths. This ensures the best SaaS application experience and also reduces WAN cost.
Q1: Who is the target customer for this solution?
A1: Enterprises that manage their own WAN, or service providers that offer managed WAN services.
Q2: What benefit can I get from this solution?
A2: For enterprise customers, more and more applications are moving to the cloud and SaaS applications (e.g. Office 365, Box, Webex, Salesforce, Google) are being adopted quickly. With this solution, the SaaS application user experience improves greatly (much lower latency) and the WAN link cost is reduced. In addition, non-business traffic (such as Facebook and YouTube) is growing and may occupy the expensive WAN link and impact business-critical applications; with this solution you can route non-business traffic over the Internet link and so protect the business application user experience.
For service providers, this solution lets you offer a better SaaS application experience to your end customers and use the Internet link to offload the expensive WAN link, reducing your IT cost.
Q3: This looks good, but what are the prerequisites of this solution? Do I need to enable Cisco IWAN or SD-WAN?
A3: No. IWAN or SD-WAN is not needed; this is a lightweight solution that can be enabled on a single router, with no dependency on any overlay or IPsec.
If you have already deployed Cisco IWAN, please refer to the IWAN DCA solution FAQ:
Q4: This sounds like a pretty simple solution. What is the difference between this and PBR (policy-based routing)?
A4: This is a much better solution:
It can match directly on an application, application group or URL and route based on the application, whereas PBR can only match on DSCP, prefix and similar fields.
Some applications need several packets before they can be classified (e.g. the first three packets are classified as generic TCP and later packets as YouTube). With PBR, the first few packets may take the backhaul path and later packets take the Internet path once classified, which can cause a TCP connection reset and hurt the user experience. This solution provides flow stickiness, keeping a flow on the path it started on, so there is no connection reset and the user experience is the best possible.
Configuration simplicity: this solution requires very little configuration and automatically starts IP SLA probes on the paths.
Better support for two or more branch devices: some medium or large sites have two branch routers for redundancy (one MPLS link and one Internet link, or two Internet links). With this solution both links can be fully used (active/active) and the configuration stays very simple (similar to the single-device configuration).
Q5: I like this solution, but what about security if we break out the Internet traffic locally?
A5: This solution only allows whitelisted traffic (such as Office 365 or Facebook, as defined by policy) that is initiated from the LAN to go to the Internet; this traffic can be trusted, and all other traffic still follows the existing path. In addition, you can enable VRF segmentation to isolate the Internet traffic, and you can enable NAT, Umbrella, ZBFW or UTD on the device to further improve security.
Q6: Which SaaS applications are supported?
A6: All popular SaaS applications are supported, such as Salesforce, Microsoft O365, SharePoint, AWS, Dropbox, Box, Google apps, Zendesk, SAP and Webex.
Q7: I want to break out a URL domain that is not in the NBAR supported list. How can I do that?
A7: You can define it with an NBAR custom protocol.
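The three points above, flow stickiness (A4), the policy whitelist (A5) and a custom application entry (A7), can be seen together in the following Python simulation. It is an added example, not Cisco code or router configuration: a small flow-aware classifier stands in for NBAR, add_custom_app stands in for an NBAR custom protocol, and the packet trace, addresses and application names are constructed sample data.

```python
"""Added illustration (not Cisco's code): why application-based routing needs
flow stickiness, plus a policy allowlist and an NBAR-custom-style host entry.
All packets, addresses and application names below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

BACKHAUL = "backhaul"   # existing path via the data center (the default)
INTERNET = "internet"   # local break-out path at the branch

# Constructed stand-in for NBAR's built-in application table: host suffix -> app.
BUILTIN_APPS = {"office.com": "ms-office-365", "youtube.com": "youtube",
                "salesforce.com": "salesforce"}


def add_custom_app(apps, name, host_suffix):
    """Analogue of an NBAR custom protocol: add a host the classifier does not know."""
    table = dict(apps)
    table[host_suffix.lower().strip(".")] = name
    return table


def match_host(apps, host):
    """Label-boundary suffix match, so 'notoffice.com' does not match 'office.com'."""
    host = host.lower().rstrip(".")
    for suffix, app in apps.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


@dataclass(frozen=True)
class Packet:
    flow: tuple                   # (src_ip, src_port, dst_ip, dst_port, proto)
    host: Optional[str] = None    # server name carried by this packet (HTTP Host / TLS SNI)


class Classifier:
    """Flow-aware DPI stand-in. A flow is 'unknown-tcp' until one of its packets
    carries a server name; from then on every packet of that flow keeps the app.
    It also remembers server IP -> app, so a later flow to the same server is
    classified on its very first packet (first-packet classification)."""

    def __init__(self, apps):
        self.apps = apps
        self.flow_app = {}     # flow key -> app
        self.server_app = {}   # dst_ip -> app learned from an earlier flow

    def classify(self, pkt):
        app = self.flow_app.get(pkt.flow) or self.server_app.get(pkt.flow[2])
        if pkt.host:
            app = match_host(self.apps, pkt.host) or app
        if app is None:
            return "unknown-tcp"
        self.flow_app[pkt.flow] = app
        self.server_app[pkt.flow[2]] = app
        return app


def pbr_route(apps, allow, packets):
    """PBR-style: each packet is steered by whatever the classifier knows *now*,
    so a flow can start on the backhaul and jump to the Internet mid-connection."""
    dpi = Classifier(apps)
    return [INTERNET if dpi.classify(p) in allow else BACKHAUL for p in packets]


def sticky_route(apps, allow, packets):
    """Application-based routing with flow stickiness: the path is chosen when the
    flow's first packet is seen and every later packet of that flow keeps it.
    Only allowlisted apps may take the Internet path; everything else stays put."""
    dpi = Classifier(apps)
    flow_path, paths = {}, []
    for p in packets:
        app = dpi.classify(p)                    # keep learning for future flows
        if p.flow not in flow_path:
            flow_path[p.flow] = INTERNET if app in allow else BACKHAUL
        paths.append(flow_path[p.flow])
    return paths


def split_flows(packets, paths):
    """Flows whose packets were sent over more than one path: with NAT on the
    Internet link, such a mid-flow move typically ends in a TCP reset."""
    seen = {}
    for p, path in zip(packets, paths):
        seen.setdefault(p.flow, set()).add(path)
    return {flow for flow, used in seen.items() if len(used) > 1}


# Constructed sample trace: two flows to a YouTube server, one to a custom SaaS host.
FLOW_A = ("10.1.1.20", 51000, "203.0.113.10", 443, "tcp")
FLOW_B = ("10.1.1.20", 51001, "203.0.113.10", 443, "tcp")
FLOW_C = ("10.1.1.21", 51002, "198.51.100.7", 443, "tcp")
TRACE = [
    Packet(FLOW_A), Packet(FLOW_A),                # SYN and ACK: nothing to classify yet
    Packet(FLOW_A, host="www.youtube.com"),        # ClientHello carries the SNI
    Packet(FLOW_A),                                # application data
    Packet(FLOW_B), Packet(FLOW_B, host="www.youtube.com"),   # new flow, same server
    Packet(FLOW_C), Packet(FLOW_C, host="portal.corp-saas.example"),
]
APPS = add_custom_app(BUILTIN_APPS, "corp-saas", "corp-saas.example")
ALLOW = {"youtube", "ms-office-365", "corp-saas"}   # policy allowlist (salesforce is not in it)

if __name__ == "__main__":
    for name, fn in (("PBR", pbr_route), ("sticky", sticky_route)):
        paths = fn(APPS, ALLOW, TRACE)
        print(f"{name:7s} {paths}  flows split across paths: {len(split_flows(TRACE, paths))}")
```

Running it shows the PBR trace moving FLOW_A and FLOW_C to the Internet path part-way through the connection, while the sticky router keeps each of them on the backhaul and only the second YouTube flow, classified on its first packet thanks to the learned server mapping, takes the Internet path from the start; a Salesforce flow stays on the backhaul because it is not in the policy allowlist.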
Q8: Do I need to enable NAT?
A8: For a host on a private network to communicate directly with a server application on the public Internet, NAT is normally needed somewhere in the path. You can enable NAT on the same router that has DCA enabled, or on another device in the path.
Q9. Is there any configuration guide for this solution?
A9: Yes, please refer to
Q10: Looking at the configuration guide, I still have a couple of questions. Where can I ask for help?
A10: You can ask in the community or contact Cisco TAC.
Q11: This sounds very attractive. Does it need an extra license?
A11: No extra license is needed; the AppX license is enough.
Q12: What is the recommended image release for this solution?
A12: The first available release is IOS-XE 16.11.1. The recommended release is IOS-XE 16.12.1, which is an extended-maintenance release.
Q13: Which devices support this feature?
A13: It is supported on enterprise routing platforms such as the ASR1000, ISR4K, ISR1K, CSR1000v and ENCS.
Classic IOS (ISR G2) does not support this feature.
The IWAN DCA (Direct Cloud Access) feature helps customers optimize their Software as a Service (SaaS) applications (Office 365, Google, etc.) for better performance and reduced cost. It continuously measures and monitors the performance of each SaaS application over both the local break-out path and the backhaul path, and chooses the best-performing path according to policy to provide the best user experience.
Q1: What benefit can I get from this solution?
A1: As more and more traffic shifts to the public cloud, such as Office 365, these SaaS applications need the network to deliver good application performance; otherwise users get a poor experience. Today the traffic of a SaaS user at a branch office is backhauled from the branch (e.g. in Asia) to the enterprise data center (e.g. in the US) and reaches a SaaS server close to that data center; this long path usually has high latency. If the SaaS traffic is instead broken out locally and reaches a SaaS server close to the branch, latency is usually much lower, which means a better user experience. The traffic also no longer passes through the data center and consumes bandwidth there. At the same time, the local break-out path and the backhaul path are continuously monitored and the best path is selected according to policy, which ensures the best user experience and high availability.
Q2: Which releases support this feature?
A2: This feature was introduced in IOS-XE 16.8.1 and became generally available in IWAN 2.3 / IOS-XE 16.9.1. IOS-XE 16.9.4 is the current recommended release.
Q3: Which devices support this feature?
A3: It is supported on enterprise routing platforms such as the ASR1000, ISR4K, ISR1K, CSR1000v and ENCS.
Classic IOS (ISR G2) does not support this feature.
Q4: Do I need to enable a special license for this feature?
A4: No, it uses the same license as IWAN.
Q5: Which SaaS applications are supported?
A5: All popular SaaS applications are supported, such as Salesforce, Microsoft O365, SharePoint, AWS, Dropbox, Box, Google apps, Zendesk, SAP and Webex.
Q6: Can I locally break out websites like Facebook or LinkedIn?
A6: Yes, you can, but Cisco testing focuses only on the popular SaaS applications mentioned above.
Q8: I want to break out a URL domain that is not in the NBAR supported list. How can I do that?
A8: You can define it with an NBAR custom protocol.
Q9: Does the solution support first-packet classification?
A9: Yes, this is supported.
Q10: I am satisfied with the network side of this solution. Are there any security considerations?
A10: The LAN and Internet links are segmented into different VRFs with no route leaking. Only trusted SaaS traffic in the whitelist (such as O365, Google and Salesforce) is allowed to break out locally to the Internet, and traffic initiated from the Internet cannot get into the internal network. You can also enable security services such as ZBFW or Snort on the box for additional protection.
Q11: Is an Umbrella license/registration a must-have?
A11: No. The Umbrella configuration here is used to intercept DNS requests for the SaaS domains and redirect them from the internal DNS resolver to a public DNS resolver, so that location proximity yields a SaaS server close to the user.
By default the Umbrella DNS resolver is used, but you can use other DNS resolvers such as Google if you prefer. If you need the Umbrella security service, you can buy an Umbrella license.
Q12: Do we need to change any DNS configuration in our network or on host devices?
A12: No, you do not need to change any DNS configuration. Only the DNS requests for the SaaS applications of interest are intercepted, and this is done automatically by the Umbrella connector. Other DNS traffic is not affected.
Q13: What does "application ms-lync-group domain http://www.office.com dscp default" mean?
A13: This is only for the performance probe, not for packet classification. To measure the path performance to a SaaS such as O365, the router actively sends HTTP probe packets to the SaaS over the different paths and measures the performance. This line tells the router how to probe O365: send HTTP probes to www.office.com with DSCP default.
Q14: O365 uses plenty of URLs. Do I need to configure all of them?
A14: No, you only need to configure one, such as www.office.com. As stated above, this is only for the probe, not for packet classification. The internal DPI engine classifies SaaS traffic by other mechanisms and does not depend on this configuration. Even though one SaaS uses several different URLs, the path performance difference inside the provider's data center is minimal.
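The probe-driven path choice described in A1, A13 and A14 (one probe domain per SaaS, each path measured continuously, the better path chosen by policy) is sketched in the following Python example. It is an added illustration, not Cisco code: the probe RTTs are constructed, and the selection policy used here (median RTT over the last few probes, a switch only when the other path wins by a margin, a path with too many lost probes treated as unusable) is an assumption made for the example, not Cisco's published algorithm.

```python
"""Added illustration (not Cisco's code): choosing between the local break-out
path and the backhaul path from active-probe results. The probe RTTs are
constructed, and the policy (median RTT of recent probes per path, switch only
when the other path wins by a margin, treat a lossy path as unusable) is an
assumption made for this example, not Cisco's published logic."""
from collections import deque
from dataclasses import dataclass
from statistics import median

LOCAL = "local-breakout"
BACKHAUL = "backhaul"


@dataclass(frozen=True)
class ProbeSpec:
    """One probe target per SaaS, like the page's example line: a single domain
    of the SaaS is probed over each path; it is not used to classify user traffic."""
    app: str
    domain: str
    dscp: str = "default"


class PathSelector:
    def __init__(self, window=3, switch_margin_ms=20.0, max_loss=0.2):
        self.samples = {LOCAL: deque(maxlen=window), BACKHAUL: deque(maxlen=window)}
        self.margin = switch_margin_ms   # hysteresis: avoid flapping on small differences
        self.max_loss = max_loss         # fraction of lost probes that disqualifies a path
        self.current = BACKHAUL          # stay on the existing path until probes justify a move

    def record(self, path, rtt_ms):
        """Store one probe result for a path; None means the probe timed out."""
        self.samples[path].append(rtt_ms)

    def score(self, path):
        """Median RTT over the window, or None if the path is unusable."""
        s = self.samples[path]
        if not s:
            return None
        lost = sum(1 for x in s if x is None)
        if lost / len(s) > self.max_loss:
            return None
        ok = [x for x in s if x is not None]
        return median(ok) if ok else None

    def select(self):
        """Return the path to use now, moving only when the policy justifies it."""
        other = LOCAL if self.current == BACKHAUL else BACKHAUL
        cur_score, other_score = self.score(self.current), self.score(other)
        if other_score is not None and (
                cur_score is None or other_score + self.margin < cur_score):
            self.current = other
        return self.current


def run_scenario(rounds):
    """Feed constructed probe rounds (local_rtt, backhaul_rtt) for one SaaS and
    return the path chosen after each round."""
    sel = PathSelector()
    chosen = []
    for local_rtt, backhaul_rtt in rounds:
        sel.record(LOCAL, local_rtt)
        sel.record(BACKHAUL, backhaul_rtt)
        chosen.append(sel.select())
    return chosen


# Constructed probe history for one SaaS: break-out is fast, then degrades to
# roughly the backhaul's level (no switch: hysteresis), then starts losing probes.
PROBE = ProbeSpec("ms-office-365", "www.office.com")
ROUNDS = [(40, 180)] * 3 + [(170, 160)] * 3 + [(None, 160)] * 2

if __name__ == "__main__":
    print(f"probing {PROBE.domain} (dscp {PROBE.dscp}) for {PROBE.app}")
    for rtts, path in zip(ROUNDS, run_scenario(ROUNDS)):
        print(f"local={rtts[0]} backhaul={rtts[1]} -> {path}")
```

The scenario moves onto the break-out path as soon as the probes show it is clearly faster, holds it when the two paths become comparable (so a few milliseconds of jitter do not bounce flows between paths), and falls back to the backhaul once break-out probes start timing out, which is the high-availability behaviour A1 refers to.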
Q15: What kind of branch can benefit from this solution?
A15: If you have an Internet link, you can enable this solution. The Internet link can even be on another device, for example one MPLS link on router A and one Internet link on router B: SaaS traffic received on the MPLS router can also be broken out locally via the Internet router.
Q16: Do I need to enable NAT?
A16: For a host on a private network to communicate directly with a SaaS application on the public Internet, NAT is normally needed somewhere in the path. You can enable NAT on the same router that has DCA enabled, or on another device in the path.
Q17: In my current deployment all Internet traffic from the branch goes to a proxy server located in the DC, and the security devices in the DC only allow proxy traffic and whitelisted traffic. Can I use the DCA feature?
A17: Per the O365 recommendations, the extra proxy server and firewall add latency to O365 traffic and hurt the user experience. DCA also cannot locally break out proxied traffic, as it may not be classified as SaaS and its destination is the proxy server rather than the public SaaS cloud.
The recommendation is to bypass the proxy server for O365 and also add O365 to the firewall whitelist. For more detail, refer to the O365 recommendations
A tool to generate an O365 PAC file to bypass the proxy for O365
Q18. Is there any configuration guide for this solution?
A18: Yes, please refer to
Q19: Looking at the configuration guide, I still have a couple of questions. Where can I ask for help?
A19: You can ask in the community or contact Cisco TAC.
Q20: This solution looks good, but we have a centralized hub and a large number of branch sites.
Can we try this in one or two branches first without upgrading the hub site and, if it works well, upgrade the other sites?
A20: Yes, you can. Normally we recommend running the same image across the network, but one option is to use the DCA local policy, which requires no image or configuration change at the hub site; only the branch site needs to be upgraded to 16.10.1 or later. Please refer to
Q21: This solution looks really great, but we do not have IWAN enabled. Can we get a similar SaaS benefit?
A21: Yes, refer to the Cisco Application-Based Routing (DCA/DIA) FAQ, which works without IWAN.
Q22: We have the Umbrella client on our PCs, and it may encrypt DNS requests to SaaS. Can DCA work reliably in this case?
A22: When DCA is enabled at a branch site, it is recommended to change the Umbrella settings so that the client works in "Protected Network" mode, where the Umbrella client is automatically disabled and the network policy applies instead.