Application-Aware Routing and Quality of Experience

Learning Objectives

In the early days of the WAN, a router's job was simple: get the packet to its destination. But the modern branch sends a very different mix of traffic — a VoIP call that breaks up after 150 ms of latency, a Teams video stream that stutters with mild jitter, and a nightly backup that tolerates loss as long as it eventually completes. This chapter covers the three mechanisms Catalyst 8000 edge platforms use to deliver an application-tuned WAN: Application-Aware Routing, Quality of Service, and application visibility.

Pre-Quiz — Application-Aware Routing

1. A tunnel shows 0.5% loss, 90 ms latency, and 35 ms jitter. The voice-gold SLA class requires loss ≤ 1%, latency ≤ 100 ms, jitter ≤ 30 ms. How is this tunnel treated for voice-gold?

SLA-compliant, because two of three metrics pass SLA-violating, because jitter exceeds its threshold SLA-compliant, because latency is under 100 ms Treated as down, since BFD reports loss

2. Why can standard AAR feel "sluggish" to react to a brief loss event?

BFD only runs once per day Metrics are averaged over a 10-minute poll interval, diluting short spikes The app-route policy must be re-pushed by vSmart on every change AAR waits for the routing protocol to reconverge first

3. What is the purpose of the app-probe-class field in an app-route policy?

It encrypts the BFD probes It sets the probe DSCP so measurements reflect the actual QoS queue the traffic uses It defines the loss/latency/jitter thresholds It selects which VPN the policy applies to

4. AAR is evaluated only after the overlay route is installed. What practical trap does this create?

SLA classes must be redefined per route If OMP tie-breaking never installs the route, the app-route policy is never invoked BFD cannot run until AAR completes EAAR overrides the routing table entirely

5. Which statement about Enhanced AAR (EAAR) is correct?

It is enabled by default on all tunnels It derives metrics from inline data-plane packets and must be enabled on both ends It replaces BFD entirely and reports via OMP It removes the need for SLA classes

Application-Aware Routing

Key Points

  • AAR overrides the default tunnel choice using live loss/latency/jitter; routing protocols still decide reachability.
  • An SLA class is a reusable object; a tunnel must satisfy every threshold (loss, latency, jitter) to be SLA-compliant.
  • BFD measures metrics over a default 10-minute poll interval with a default multiplier of 6, smoothing transient spikes.
  • The app-probe-class lets probes use a specific DSCP so measurements reflect the real QoS queue (e.g., EF for voice).
  • EAAR uses inline data-plane packets plus dampening for faster, more stable failover, but must be enabled on both ends.

Routing protocols answer "Can I reach the destination?" AAR answers a harder one: "Of all the ways I can reach it, which will my users actually enjoy right now?" A useful analogy is Waze: the road map (your routing protocol) shows which roads connect, but Waze layers live traffic on top and reroutes you. AAR is the WAN equivalent — OMP, BGP, and OSPF decide reachability, but AAR overrides the default tunnel based on live path conditions.

The AAR solution rests on three pillars:

PillarWhat it doesHow
IdentificationClassifies the flow and maps it to an SLA classL3/L4 headers (IP, ports, protocol, DSCP) or NBAR2 signatures
MeasurementContinuously measures loss, latency, jitter per tunnelBFD probes (and optionally EAAR)
Path selectionSteers each flow onto an SLA-satisfying tunnelFilters tunnels by SLA compliance, then applies preferences

One subtlety: AAR is evaluated only after the overlay route is installed. If OMP tie-breaking never installs the route, the app-route policy is never invoked — a common troubleshooting trap.

SLA Classes and Probes (BFD)

An SLA class defines maximum tolerable loss-percentage, latency (ms), and jitter (ms). Think of it as a bouncer's checklist: a tunnel must satisfy every item. For example, voice-gold = loss ≤ 1%, latency ≤ 100 ms, jitter ≤ 30 ms; email-bronze = loss ≤ 5%, latency ≤ 300 ms, jitter ≤ 100 ms. Exceed any single threshold and the tunnel is marked SLA-violating and dropped from the candidate set. Set thresholds on real WAN behavior: too strict flags every tunnel "bad"; too loose never reroutes.

The numbers come from BFD (Bidirectional Forwarding Detection) sessions on each tunnel. BFD detects liveliness (fast failure detection) and measures loss/latency/jitter, recorded as PfR data. Timing matters: BFD collects stats over a poll interval defaulting to 10 minutes, computes averages, and a multiplier (default 6) means decisions look across several intervals' weighted averages. This makes standard AAR deliberately conservative — a 30-second loss burst may dilute into a 10-minute average that never breaches SLA.

Branch voice flow Data Center via tunnels Path A · MPLS Path B · biz-internet BFD: loss > SLA!
Figure 8.A — Voice rides Path A (MPLS) until BFD detects loss exceeding the SLA; AAR re-routes the flow to the still-compliant Path B (biz-internet).

Figure 8.1: BFD vs. EAAR measurement loops feeding SLA evaluation

flowchart LR subgraph Standard["Standard AAR (BFD probe loop)"] direction TB A1["BFD probes sent over tunnel"] --> A2["Collect loss / latency / jitter
over 10-min poll interval"] A2 --> A3["Compute weighted average
(multiplier x6)"] A3 --> A4["Update per-tunnel PfR metrics"] A4 --> A1 end subgraph Enhanced["Enhanced AAR (inline data-plane)"] direction TB B1["Inspect live application packets"] --> B2["Derive loss / latency / jitter inline"] B2 --> B3["Apply dampening
(prevent flapping)"] B3 --> B4["Report metrics back via BFD"] B4 --> B1 end A4 --> SLA{"Tunnel meets
SLA class?"} B4 --> SLA SLA -->|Faster reaction via EAAR| OUT["SLA-compliant / SLA-violating state"]

Enhanced Application-Aware Routing (EAAR), introduced around release 20.12, derives metrics from inline data-plane packets — the live traffic itself — and reports back via BFD, giving faster detection and quicker reroute. It includes a dampening mechanism to prevent flapping. Two operational notes: EAAR is disabled by default, and it must be enabled on both the local and remote edges to function.

Key Takeaway: SLA classes define the loss/latency/jitter thresholds an application demands; BFD continuously measures those metrics over a 10-minute averaging window, while EAAR uses live data-plane packets for much faster reaction.

App-Route Policies

The rules tying applications to SLA classes live in a centralized app-route policy, built in vManage (Cisco SD-WAN Manager) and pushed by vSmart. It is a dedicated policy type. Building blocks:

ComponentPurpose
VPN-listWhich VPN IDs the policy applies to
Application / traffic matchApp-list (NBAR2 signatures) or data-prefix list, optionally src/dst IP, ports, DSCP
App-probe-classSets the DSCP used for AAR/BFD probes (e.g., probe EF to measure the voice queue)
SLA-classThe loss/latency/jitter thresholds to evaluate
TLOC / color preferencePreferred transport colors or TLOC lists, used with SLA status

The policy is organized as match → action sequences. The app-probe-class deserves emphasis: WAN paths behave differently per queue — the priority queue carrying voice may show 20 ms latency while best-effort shows 200 ms. Probing with EF measures the actual queue your voice will use, making decisions far more accurate.

Key Takeaway: An app-route policy is a centralized match/action policy that maps applications to SLA classes and color preferences; app-probe-class lets you probe a specific DSCP so measurements reflect the real QoS queue.

Path Preference and Failover

With SLA classes defined and policy attached, the edge selects a tunnel as follows:

  1. Identify traffic and SLA — match the flow, determine the SLA class.
  2. Gather metrics — retrieve loss/latency/jitter from BFD (and EAAR) per candidate tunnel.
  3. Filter by SLA compliance — discard any tunnel exceeding a threshold.
  4. Apply preferences — narrow to preferred-color/TLOC; pick best by performance.
  5. Forward — install a forwarding entry over the chosen tunnel.
  6. React to change — if the tunnel later violates SLA, reroute to a still-compliant one (EAAR makes this fast).
  7. If no tunnel meets SLA — use best-available, fall back to default routing, or stay to avoid flapping.

Figure 8.2: AAR path-selection decision flow against the SLA

flowchart TD START["New application flow arrives"] --> MATCH["Match flow against
app-route policy"] MATCH --> SLA["Determine applicable SLA class"] SLA --> METRICS["Gather loss / latency / jitter
from BFD + EAAR per tunnel"] METRICS --> FILTER["Filter: discard tunnels that
exceed any SLA threshold"] FILTER --> ANY{"Any SLA-compliant
tunnel remaining?"} ANY -->|Yes| PREF["Apply preferred color / TLOC list"] PREF --> MULTI{"Multiple candidates
qualify?"} MULTI -->|Yes| BEST["Choose best by performance"] MULTI -->|No| BEST BEST --> FWD["Install forwarding entry
over chosen tunnel"] ANY -->|No| FALLBACK["Fallback action:
best-available, default routing,
or stay to avoid flapping"] FALLBACK --> FWD FWD --> WATCH{"Chosen tunnel
later violates SLA?"} WATCH -->|Yes - EAAR reroutes fast| METRICS WATCH -->|No| WATCH

Worked example. A branch reaches the DC over MPLS and biz-internet. voice-gold = loss ≤ 1%, latency ≤ 100 ms, jitter ≤ 30 ms; data-silver = loss ≤ 3%, latency ≤ 200 ms, jitter ≤ 50 ms. At runtime:

TunnelLossLatencyJittervoice-gold?data-silver?
MPLS0.5%80 ms20 msPassPass
Internet2%150 ms40 msFail (loss, latency)Pass

Voice takes MPLS (only compliant path, and preferred). Data finds both compliant but policy prefers biz-internet, so data uses Internet — keeping MPLS free for voice. If MPLS degrades to 5% loss, BFD marks it non-compliant and voice shifts to Internet (if compliant and permitted), preserving experience. EAAR makes that transition far faster than waiting on the 10-minute average.

Key Takeaway: Path selection filters tunnels by SLA compliance, then applies color/TLOC preferences; when the chosen tunnel degrades, AAR reroutes to a still-compliant path — and EAAR with dampening makes failover both faster and more stable.
Post-Quiz — Application-Aware Routing

1. A tunnel shows 0.5% loss, 90 ms latency, and 35 ms jitter. The voice-gold SLA class requires loss ≤ 1%, latency ≤ 100 ms, jitter ≤ 30 ms. How is this tunnel treated for voice-gold?

SLA-compliant, because two of three metrics pass SLA-violating, because jitter exceeds its threshold SLA-compliant, because latency is under 100 ms Treated as down, since BFD reports loss

2. Why can standard AAR feel "sluggish" to react to a brief loss event?

BFD only runs once per day Metrics are averaged over a 10-minute poll interval, diluting short spikes The app-route policy must be re-pushed by vSmart on every change AAR waits for the routing protocol to reconverge first

3. What is the purpose of the app-probe-class field in an app-route policy?

It encrypts the BFD probes It sets the probe DSCP so measurements reflect the actual QoS queue the traffic uses It defines the loss/latency/jitter thresholds It selects which VPN the policy applies to

4. AAR is evaluated only after the overlay route is installed. What practical trap does this create?

SLA classes must be redefined per route If OMP tie-breaking never installs the route, the app-route policy is never invoked BFD cannot run until AAR completes EAAR overrides the routing table entirely

5. Which statement about Enhanced AAR (EAAR) is correct?

It is enabled by default on all tunnels It derives metrics from inline data-plane packets and must be enabled on both ends It replaces BFD entirely and reports via OMP It removes the need for SLA classes
Pre-Quiz — Quality of Service

1. In Catalyst 8000 SD-WAN QoS, why is classification deliberately separated from queuing/shaping?

Classification must run on a different physical chip A centralized data policy decides "what goes in which class," while localized policy decides "how each class is queued" — making policy modular Queuing cannot be configured in vManage It is required to support encryption

2. A hub serves hundreds of spokes and one busy spoke keeps starving the others of bandwidth. Which feature directly addresses this?

Per-VPN QoS Adaptive QoS Per-Tunnel QoS Policing on the LAN interface

3. What is the key behavioral difference between shaping and policing?

Shaping buffers excess and releases it smoothly; policing drops or re-marks excess Shaping drops excess; policing buffers it Both buffer traffic identically Policing only applies to inbound traffic

4. Why does Adaptive QoS exist on broadband/LTE links?

A fixed shaper wastes capacity or drops traffic as the variable link rate changes It encrypts variable-rate links It is required for spoke-to-spoke tunnels It replaces forwarding classes entirely

5. Two non-negotiable QoS interaction rules are that Per-Tunnel and Per-VPN QoS are mutually exclusive on the same interface, and that...

the shaping rate must equal the sum of minimum bandwidths the sum of minimum bandwidths must be less than the interface shaping rate all queues must use strict priority policing must always replace shaping

Quality of Service

Key Points

  • AAR decides which path; QoS decides what happens once flows share a congested path.
  • Classification (centralized data policy) is separated from queuing/shaping (localized policy) for modularity.
  • Per-Tunnel QoS gives each spoke its own bandwidth share on a hub: hub-to-spoke only, 100–6000 sessions (default 2000).
  • Per-VPN QoS partitions bandwidth per VPN (20.6.1+, outbound only); it is mutually exclusive with Per-Tunnel QoS on the same interface.
  • Shaping buffers excess to a smooth rate; policing drops/re-marks; queuing decides serving order. Adaptive QoS tunes the shaper to live link conditions.

AAR decides which path a flow takes. QoS decides what happens once flows share a path and it becomes congested. When a 100 Mbps interface is asked to send 120 Mbps, something must wait or drop — QoS ensures it is the backup job that waits, not the CEO's video call. The standard per-interface workflow: define forwarding classes → map to queues → configure schedulers → group into a QoS map → apply the map plus a shaping rate on egress → classify traffic → optional DSCP rewrite. A crucial principle: classification is separated from queuing/shaping — centralized data policy decides "what goes in which class," localized QoS policy decides "how each class is queued and shaped."

Per-Tunnel and Per-VPN QoS

A forwarding class is a logical QoS class (voice, critical, default, bulk) mapped to a hardware queue with scheduling properties. A QoS map is the SD-WAN equivalent of an IOS policy-map, tying each class to a scheduler (min bandwidth %, strict priority/LLQ, optional WRED). Example:

Forwarding classQueueRole
fc-voice0Low-latency / priority (LLQ)
fc-critical1Guaranteed bandwidth
fc-default2Best effort
fc-bulk3Background / scavenger

Standard QoS operates at the physical interface level — limiting for a hub serving hundreds of spokes. Per-Tunnel QoS shapes/prioritizes traffic per IPsec tunnel to each spoke; without it, one busy spoke could starve the others. Constraints: hub-to-spoke only (no spoke-to-spoke), hubs must be IOS XE Catalyst SD-WAN (cEdge / Catalyst 8000), and sessions range 100–6000 (default 2000). It uses a per-tunnel QoS aggregator on the hub, a QoS map (referenced as underlay dqos), and a physical shaping rate representing total bandwidth.

Hub WAN interface physical shaping rate = total bandwidth Per-Tunnel QoS aggregator Tunnel A (dqos share) Tunnel B (dqos share) Tunnel C (dqos share) per-class queues (Tunnel A) Q0 Q1 Q2 Q3 voice / critical / default / bulk same 4-queue map same 4-queue map
Figure 8.B — The hierarchy builds top-down: physical shaper → per-tunnel QoS aggregator → per-spoke tunnel shapers → per-class queues filling in with stagger.

Figure 8.3: Per-Tunnel QoS hierarchy on a hub WAN interface

graph TD PHY["Hub WAN interface
(physical shaping rate = total bandwidth)"] --> AGG["Per-Tunnel QoS aggregator"] AGG --> T1["Per-spoke tunnel A
(underlay dqos share)"] AGG --> T2["Per-spoke tunnel B
(underlay dqos share)"] AGG --> T3["Per-spoke tunnel C
(underlay dqos share)"] T1 --> Q1A["fc-voice (Q0): LLQ / priority"] T1 --> Q1B["fc-critical (Q1): guaranteed BW"] T1 --> Q1C["fc-default (Q2): best effort"] T1 --> Q1D["fc-bulk (Q3): scavenger"] T2 --> Q2["Same 4-queue QoS map per tunnel"] T3 --> Q3["Same 4-queue QoS map per tunnel"]

Per-VPN QoS partitions interface bandwidth per VPN — useful for tenants/business units needing a guaranteed slice. It requires controller and vManage 20.6.1+, applies to outbound traffic only, and mandates a shaping rate. Because IPsec packets may be reordered during congestion, it requires the IPsec extended anti-replay window on both ends. Two non-negotiable rules: Per-Tunnel and Per-VPN QoS are mutually exclusive on the same interface, and the sum of minimum bandwidths must be less than the interface shaping rate.

Key Takeaway: Forwarding classes map traffic to hardware queues governed by a QoS map and shaping rate; Per-Tunnel QoS gives each spoke its own bandwidth share on a hub (hub-to-spoke only, 100–6000 sessions), while the mutually exclusive Per-VPN QoS partitions bandwidth per VPN.

Shaping, Policing, and Queuing

A water analogy: shaping is a funnel holding back excess and trickling it through; policing is a valve spilling anything over the limit onto the floor. Always set the interface shaper at or below the real ISP bandwidth — shaping above what the provider delivers means drops happen invisibly inside the provider's network, where your QoS cannot help.

Key Takeaway: Shaping buffers excess to a smooth rate, policing drops or re-marks traffic over the limit, and queuing — driven by the QoS map scheduler — decides which class's packets are served first during congestion.

Adaptive QoS

Static shaping assumes a fixed link rate, but broadband and LTE deliver variable bandwidth. A shaper hard-coded to 100 Mbps needlessly drops traffic when the link delivers 60 Mbps, or wastes capacity at 120 Mbps. Adaptive QoS dynamically adjusts the shaping rate to real-time link conditions in hub-to-spoke cEdge topologies. Requirements: IOS XE Catalyst SD-WAN devices (both ends cEdges), hub-to-spoke only, a WAN interface already configured as a hub cannot also run Adaptive QoS. Configuration is simple: in the Cisco VPN Interface Ethernet template's ACL/QoS section, change Adaptive QoS from Deactivated to Global / On.

Key Takeaway: Adaptive QoS dynamically tunes the shaping rate to actual link conditions on hub-to-spoke cEdge deployments — enabled by a single ACL/QoS template setting — avoiding the waste and drops of a fixed shaper on variable-bandwidth links.
Post-Quiz — Quality of Service

1. In Catalyst 8000 SD-WAN QoS, why is classification deliberately separated from queuing/shaping?

Classification must run on a different physical chip A centralized data policy decides "what goes in which class," while localized policy decides "how each class is queued" — making policy modular Queuing cannot be configured in vManage It is required to support encryption

2. A hub serves hundreds of spokes and one busy spoke keeps starving the others of bandwidth. Which feature directly addresses this?

Per-VPN QoS Adaptive QoS Per-Tunnel QoS Policing on the LAN interface

3. What is the key behavioral difference between shaping and policing?

Shaping buffers excess and releases it smoothly; policing drops or re-marks excess Shaping drops excess; policing buffers it Both buffer traffic identically Policing only applies to inbound traffic

4. Why does Adaptive QoS exist on broadband/LTE links?

A fixed shaper wastes capacity or drops traffic as the variable link rate changes It encrypts variable-rate links It is required for spoke-to-spoke tunnels It replaces forwarding classes entirely

5. Two non-negotiable QoS interaction rules are that Per-Tunnel and Per-VPN QoS are mutually exclusive on the same interface, and that...

the shaping rate must equal the sum of minimum bandwidths the sum of minimum bandwidths must be less than the interface shaping rate all queues must use strict priority policing must always replace shaping
Pre-Quiz — Application Visibility

1. How does NBAR2 classify a flow on its very first packet despite encryption?

It decrypts the TLS payload It correlates earlier DNS lookups with the connections that follow It blocks the flow until the user authenticates It reads the application name from the IP header

2. Why does NBAR2 split classification and forwarding into a DPI/SAIE path and a fast path?

To preserve throughput by not re-inspecting every packet once the app is identified Because DPI cannot run on Catalyst 8000 hardware To encrypt the fast-path packets Because the first packet must always be dropped

3. What makes a "trusted DIA" policy by application name more robust than a TCP/443-by-IP rule?

It is faster to type NBAR2 identifies the real app regardless of IP, so the policy survives SaaS address changes It disables encryption for trusted apps It requires no DNS visibility

4. Cloud OnRamp for SaaS steers flows to the best path. What prevents it from flapping between paths?

It only ever measures one path Hysteresis in its steering decisions It disables AAR while running It reroutes only once per day

5. A branch's clients use encrypted DNS (DoH) directly to the internet. What is the likely impact on NBAR2?

No impact; NBAR2 ignores DNS entirely First-packet classification degrades because the router cannot see the FQDN queries All traffic is automatically blocked QoS shaping stops working

Application Visibility

Key Points

  • NBAR2 is the SD-WAN DPI engine (from release 20.6.1, part of the SAIE), identifying apps by signature, heuristics, SNI, and DNS correlation.
  • It classifies on the first packet using learned DNS context, then fast-paths subsequent packets with the cached app ID to preserve throughput.
  • Application-name "trusted DIA" policy stays robust even as SaaS providers change IP ranges.
  • Cloud OnRamp for SaaS probes every viable path (DIA, backhaul, SIG), scores per app/site, and steers with hysteresis; App Feedback can fold in true M365 experience.
  • DPI and per-flow analytics consume CPU/QFP; high-scale sites should validate flow/app/tunnel counts against platform limits.

Every mechanism so far depends on the router knowing what the traffic is. Steering "Webex" onto MPLS or allowing DIA only for "Office 365" is impossible if the router sees only anonymous TCP/443 connections. Application visibility makes intent-based WAN policy possible.

NBAR2 and DPI

NBAR2 (Network Based Application Recognition v2) is the deep packet inspection (DPI) engine that identifies applications. From SD-WAN release 20.6.1, NBAR2 is the DPI engine for all SD-WAN edges, integrated into the SD-WAN Application Intelligence Engine (SAIE); the old "DPI flow" is now the SAIE flow. NBAR2 classifies using protocol signatures, heuristics, stateful inspection, and the TLS Server Name Indication (SNI), mapping each flow to an app ID like office365 or webex. A clever trick handles encryption and short-lived flows: NBAR2 correlates DNS lookups with the connections that follow, classifying a flow on its first packet.

For performance, classification and forwarding are split. A new flow first traverses the DPI/SAIE path, where NBAR2 inspects enough packets (plus DNS context) to identify the app. Once identified, subsequent packets use a fast path with the cached app ID, so the router doesn't re-inspect every packet.

Client NBAR2 / SAIE DPI path: signature + SNI + DNS context inspect first packets SaaS app DNS: FQDN → IP learned classified: office365 fast path: cached app ID
Figure 8.C — First packets traverse the DPI/SAIE path where NBAR2 inspects signature, SNI, and DNS context; once classified (e.g. office365), later packets are fast-pathed at line rate.

Figure 8.4: NBAR2 first-packet classification and fast-path forwarding

sequenceDiagram participant C as Client participant R as Catalyst 8000 (NBAR2 / SAIE) participant D as DNS resolver participant App as SaaS application C->>R: DNS query for SaaS FQDN R->>D: Forward / observe DNS lookup D-->>R: DNS response (learned FQDN to IP) Note over R: Correlate DNS with upcoming flow C->>R: First packet of new flow (TCP/443) Note over R: DPI/SAIE path - classify on first packet
using signature, SNI, DNS context (e.g. office365) R->>App: Forward with cached application ID C->>R: Subsequent packets Note over R: Fast path - reuse cached app ID
(no re-inspection) R->>App: Forward at line rate

NBAR2 plus flow statistics (Flexible NetFlow) forms Cisco's Application Visibility and Control (AVC) framework. The most powerful consequence is trusted DIA: instead of "allow DIA for TCP/443 to these IP ranges," you write "allow DIA only for office365, webex, dropbox-business" by name. Because NBAR2 identifies the real app regardless of IP, the policy survives constant SaaS address changes. This creates a design constraint: if clients use encrypted DNS (DoH/DoT) directly to the internet, the router never sees the query, degrading first-packet classification — so branches should be designed so the Catalyst 8000 (or a resolver behind it) sees the FQDN queries.

Key Takeaway: NBAR2 is the SD-WAN DPI engine (from release 20.6.1, part of the SAIE) that identifies applications by signature, SNI, and DNS correlation — enabling first-packet classification and robust application-name policies like trusted DIA, provided the router can see DNS queries.

Cloud OnRamp for SaaS

AAR optimizes paths across the overlay, but much traffic heads to SaaS clouds reachable several ways: local DIA per transport, backhaul to the DC, or via a Secure Internet Gateway (SIG). Cloud OnRamp for SaaS continuously measures, scores, and selects the best path per SaaS app and per site, in three stages:

  1. Continuous path monitoring — periodic HTTP/HTTPS probes over every viable path (including inside SIG tunnels), measuring latency, loss, sometimes server response time.
  2. Real-time scoring — a quality score per path/app for a supported set (Microsoft 365, Salesforce, Webex, Box, Dropbox, etc.).
  3. Automatic steering — steers new flows onto the best path and shifts away when quality drops, with hysteresis to prevent flapping.

Figure 8.5: Cloud OnRamp for SaaS path measurement and steering

flowchart TD SAAS["SaaS app per site
(e.g. Microsoft 365, Webex)"] --> PROBE["Send HTTP/HTTPS probes
over every viable path"] PROBE --> P1["DIA over biz-internet (ISP1)"] PROBE --> P2["DIA over public-internet (ISP2)"] PROBE --> P3["Backhaul to data center"] PROBE --> P4["Secure Internet Gateway (SIG) tunnel"] P1 --> SCORE["Compute quality score
per path, per app"] P2 --> SCORE P3 --> SCORE P4 --> SCORE FEED["App Feedback for Path Selection
(M365 true-experience telemetry)"] -.-> SCORE SCORE --> STEER["Steer new flows to best path
(hysteresis prevents flapping)"] STEER --> MONITOR{"Current path
quality drops?"} MONITOR -->|Yes| PROBE MONITOR -->|No| STEER

A distinctive capability is Application Feedback for Path Selection. For providers like Microsoft 365, Cloud OnRamp can incorporate telemetry from the SaaS service itself about real user experience — not just network metrics — and may prefer a path with better true experience even when raw latency is slightly higher.

Worked example. A Catalyst 8300 branch runs M365 and Webex; NBAR2 recognizes office365, teams, webex. Policy permits DIA only for those; everything else goes via SIG. Cloud OnRamp probes DIA on ISP1, DIA on ISP2, and the SIG tunnel. If ISP1 develops high loss while ISP2 stays clean, new Teams/Webex flows steer to ISP2 DIA automatically. With App Feedback, M365 telemetry refines toward the best actual experience — users see fewer freezes during ISP trouble, with no manual intervention.

Key Takeaway: Cloud OnRamp for SaaS probes every viable path (DIA, backhaul, SIG), scores them per app and per site, and steers flows to the best path with hysteresis — optionally using SaaS Application Feedback to optimize for true user experience rather than raw latency alone.

Application Performance Monitoring

Visibility is also how operators see whether the network meets its goals. NBAR2 visibility provides, per application: traffic volumes and top talkers, per-app performance KPIs (loss/latency/jitter, sometimes a voice MOS) when combined with AAR SLAs, and the actual per-app routing decision. Key tools:

ToolPurpose
vManage → Monitor → Real-Time → app-route statsSLA compliance per tunnel/class; EAAR adds an enhanced view
show bfd sessions, show app-route statsPer-tunnel loss/latency/jitter, SLA class, SLA Up/Down state
show platform software sdn qos ...Per-tunnel QoS state and queue/bandwidth allocation on the hub
Data-policy counters in vManagePer-class utilization and drops

Recurring troubleshooting themes: AAR does nothing if the policy isn't attached or the overlay route was never installed; SLAs too strict leave tunnels perpetually "bad," too loose never reroute; EAAR silently fails unless enabled on both ends; vManage QoS monitoring does not directly monitor Per-VPN QoS. DPI and per-flow analytics consume CPU/QFP — high-scale sites should validate flow/app/tunnel counts against platform limits, narrowing full DPI to the SaaS apps that matter most.

Key Takeaway: NBAR2 visibility plus AAR SLAs surface per-application volume, performance, and routing decisions, while app-route stats, BFD/QoS CLI commands, and data-policy counters let operators verify policy — keeping in mind pitfalls like uninstalled routes, mis-tuned SLAs, one-sided EAAR, and DPI resource consumption.
Post-Quiz — Application Visibility

1. How does NBAR2 classify a flow on its very first packet despite encryption?

It decrypts the TLS payload It correlates earlier DNS lookups with the connections that follow It blocks the flow until the user authenticates It reads the application name from the IP header

2. Why does NBAR2 split classification and forwarding into a DPI/SAIE path and a fast path?

To preserve throughput by not re-inspecting every packet once the app is identified Because DPI cannot run on Catalyst 8000 hardware To encrypt the fast-path packets Because the first packet must always be dropped

3. What makes a "trusted DIA" policy by application name more robust than a TCP/443-by-IP rule?

It is faster to type NBAR2 identifies the real app regardless of IP, so the policy survives SaaS address changes It disables encryption for trusted apps It requires no DNS visibility

4. Cloud OnRamp for SaaS steers flows to the best path. What prevents it from flapping between paths?

It only ever measures one path Hysteresis in its steering decisions It disables AAR while running It reroutes only once per day

5. A branch's clients use encrypted DNS (DoH) directly to the internet. What is the likely impact on NBAR2?

No impact; NBAR2 ignores DNS entirely First-packet classification degrades because the router cannot see the FQDN queries All traffic is automatically blocked QoS shaping stops working

Your Progress

Answer Explanations