CISCO SD-WAN Policies Configuration Edge Routers Installation Guide
- June 15, 2024
- Cisco
Product Information
Specifications
- Product: vEdge Routers
- Software: Cisco SD-WAN Release 20
- First Published: 2020-03-17
- Last Modified: 2022-08-26
- Manufacturer: Cisco Systems, Inc.
- Headquarters: 170 West Tasman Drive San Jose, CA 95134-1706 USA
- Website: http://www.cisco.com
- Contact: Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883
Product Usage Instructions
Chapter 1: Read Me First
This chapter provides important information to consider before using the vEdge
Routers with Cisco SD-WAN.
Chapter 2: What’s New in Cisco Catalyst SD-WAN
This chapter highlights the new features and updates in Cisco Catalyst SD-WAN.
Chapter 3: Centralized Policy Overview
This chapter provides an overview of centralized policies in Cisco SD-WAN,
including the types of centralized policies available.
Configure Centralized Policies Using Cisco SD-WAN Manager
This section explains how to configure centralized policies using the Cisco
SD-WAN Manager.
Chapter 4: Policies Configuration Guide for vEdge Routers,
Cisco SD-WAN Release 20
This chapter serves as a comprehensive guide for configuring policies on
vEdge Routers using Cisco SD-WAN Release 20.
Chapter 5: Start the Policy Configuration Wizard
This chapter provides step-by-step instructions on how to start the Policy Configuration Wizard.
Configure Groups of Interest for Centralized Policy
This section explains how to configure groups of interest for centralized
policy configuration.
Integrating WAN Insight (WANI) into Cisco SD-WAN Manager
This section provides information on integrating WAN Insight (WANI) into
the Cisco SD-WAN Manager.
FAQ
Q: Are the IP addresses and phone numbers mentioned in the document
real?
A: No, the IP addresses and phone numbers used in the document are not
intended to be actual addresses and phone numbers. They are for illustrative
purposes only.
Q: Where can I find the latest version of this document?
A: All printed copies and duplicate soft copies of this document are
considered uncontrolled. Please refer to the current online version for the
latest updates.
Q: How can I contact Cisco for support or inquiries?
A: You can find addresses and phone numbers of Cisco offices worldwide on
the Cisco website at http://www.cisco.com/go/offices.
Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20
First Published: 2020-03-17 Last Modified: 2022-08-26
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE
SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL
RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET
FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A
COPY.
The Cisco implementation of TCP header compression is an adaptation of a
program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved.
Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF
THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-
NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document
are not intended to be actual addresses and phone numbers. Any examples,
command display output, network topology diagrams, and other figures included
in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and
coincidental.
All printed copies and duplicate soft copies of this document are considered
uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are
listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco
and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party
trademarks mentioned are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and
any other company. (1721R)
© 2019-2022 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Read Me First 1
CHAPTER 2 What’s New in Cisco Catalyst SD-WAN 3
CHAPTER 3 Policy Overview 5
  Policy Architecture 7
  Centralized Control Policy Architecture 8
  Route Types 8
  Default Behavior Without Centralized Control Policy 9
  Behavior Changes with Centralized Control Policy 9
  Examples of Modifying Traffic Flow with Centralized Control Policy 10
  Configure Centralized Policy Based on Prefixes and IP Headers 12
  Cisco Catalyst SD-WAN Controller Policy Components 13
  TLOC Attributes Used in Policies 17
  Cisco Catalyst SD-WAN Route Attributes Used in Policies 18
  Design Cisco Catalyst SD-WAN Controller Policy Processing and Application 19
  Cisco Catalyst SD-WAN Controller Policy Operation 20
  Control Policy 20
  Data Policy 23
  VPN Membership Policy Operation 24
  Configure and Execute Cisco SD-WAN Controller Policies 25
CHAPTER 4 Centralized Policy 27
  Overview of Centralized Policies 27
  Types of Centralized Policies 27
  Configure Centralized Policies Using Cisco SD-WAN Manager 28
  Start the Policy Configuration Wizard 29
  Configure Groups of Interest for Centralized Policy 29
  Integrating WAN Insight (WANI) into Cisco SD-WAN Manager 34
  Predictive Path Recommendations 35
  Configure Topology and VPN Membership 36
  Import Existing Topology 38
  Create a VPN Membership Policy 39
  Configure Traffic Rules 39
  Match Parameters – Control Policy 44
  Match Parameters – Data Policy 47
  Action Parameters – Control Policy 52
  Action Parameters – Data Policy 54
  Apply Policies to Sites and VPNs 58
  NAT Fallback on Cisco IOS XE Catalyst SD-WAN Devices 58
  Activate a Centralized Policy 60
  Configure Centralized Policies Using the CLI 61
  Centralized Policies Configuration Examples 64
  Verify Centralized Control Policies Configuration 71
CHAPTER 5 Localized Policy 73
  Overview of Localized Policies 73
  Types of Localized Policies 74
  Configure Localized Policy Using Cisco SD-WAN Manager 75
  Start the Policy Configuration Wizard 75
  Configure Groups of Interest for Localized Policy 76
  Configure Forwarding Classes/QoS 78
  Configure ACLs 80
  Explicit and Implicit Access Lists 81
  Configure Route Policies 82
  Match Parameters 83
  Action Parameters 85
  Configure Policy Settings 86
  Apply Localized Policy in a Device Template 87
  Activate a Localized Policy 88
  Configure Localized Policy for IPv4 Using the CLI 89
  Configure Localized Policy for IPv6 Using the CLI 91
  Localized Data Policy Configuration Examples 92
  QoS For Router Generated Cisco SD-WAN Manager Traffic 93
  Information About QoS For Router-Generated Cisco SD-WAN Manager Traffic 93
  Restrictions For QoS For Router Generated Cisco SD-WAN Manager Traffic 94
  Configure QoS for Router Generated Cisco SD-WAN Manager Traffic Using a CLI Template 94
  Verify QoS for Router Generated Cisco SD-WAN Manager Traffic Using CLI 95
  Troubleshooting QoS For Router Generated Cisco SD-WAN Manager Traffic 97
CHAPTER 6 Default AAR and QoS Policies 99
  Information About Default AAR and QoS Policies 99
  Benefits of Default AAR and QoS Policies 100
  Prerequisites for Default AAR and QoS Policies 101
  Restrictions for Default AAR and QoS Policies 101
  Supported Devices for Default AAR and QoS Policies 101
  Use Cases for Default AAR and QoS Policies 101
  Configure Default AAR and QoS Policies Using Cisco SD-WAN Manager 101
  Monitor Default AAR and QoS Policies 106
CHAPTER 7 Device Access Policy 107
  Device Access Policy Overview 108
  Configure Device Access Policy Using Cisco SD-WAN Manager 108
  Configure Device Access Policy Using the CLI 110
  Verifying Device Access Policy Configuration 111
CHAPTER 8 Cisco Catalyst SD-WAN Application Intelligence Engine Flow 115
  Cisco Catalyst SD-WAN Application Intelligence Engine Flow Overview 115
  Configure Cisco Catalyst SD-WAN Application Intelligence Engine Flow Using Cisco SD-WAN Manager 116
  Apply Centralized Policy for SD-WAN Application Intelligence Engine Flow 116
  Monitor Running Applications 117
  View SAIE Applications 117
  Action Parameters for Configuring SD-WAN Application Intelligence Engine Flow 118
  Configure SD-WAN Application Intelligence Engine Flow Using the CLI 120
CHAPTER 9 Traffic Classification Using NBAR 122
  Information about NBAR 122
  Integration with NBAR 123
  Supported Platforms for Traffic Classification Using NBAR 124
  Benefits of Using NBAR 125
  Restrictions for Traffic Classification Using NBAR 125
CHAPTER 10 Custom Applications 127
  Information About Custom Applications 127
  Restrictions for Custom Applications 129
  Configure Custom Applications Using Cisco SD-WAN Manager 130
  Verify Custom Applications 131
CHAPTER 11 Application-Aware Routing 133
  Information About Application-Aware Routing 133
  Application-Aware Routing Support for Multicast Protocols 134
  Components of Application-Aware Routing 134
  SLA Classes 135
  Classification of Tunnels into SLA Classes 137
  Measure Loss, Latency, and Jitter 137
  Calculate Average Loss, Latency, and Jitter 138
  Determine SLA Classification 138
  Per-Class Application-Aware Routing 139
  Per-Class Application-Aware Routing Overview 139
  Application Probe Class 139
  Default DSCP Values 140
  Configure Application-Aware Routing 140
  Configure Application-Aware Routing Policies Using Cisco SD-WAN Manager 141
  Configure Best Tunnel Path 142
  Best Tunnel Path Overview 142
  Recommendation for the Best Tunnel Path 143
  Configure Variance for Best Tunnel Path 143
  Verify Configuration of Variance for Best Tunnel Path 143
  Configure SLA Class 145
  Configure Traffic Rules 146
  Default Action of Application-Aware Routing Policy 149
  Configure Application Probe Class through Cisco Catalyst SD-WAN Manager 150
  Add App-Probe-Class to an SLA Class 151
  Configure Default DSCP on Cisco BFD Template 151
  Apply Policies to Sites and VPNs 151
  How Application-Aware Routing Policy is Applied in Combination with Other Data Policies 153
  Activate an Application-Aware Routing Policy 154
  Monitor Data Plane Tunnel Performance 154
  Enable Application Visibility on Cisco SD-WAN Devices 156
  Dampen Data Plane Tunnels 156
  Restrictions for Tunnel Dampening 156
  Information About Tunnel Dampening 156
  Functionalities of Tunnel Dampening 157
  Default Class Behavior of Tunnel Dampening 157
  Configure Tunnel Dampening Using the CLI 157
  Verify Tunnel Dampening 158
  Configure Application-Aware Routing Using CLIs 159
  Configure Application Probe Class Using CLI 161
  Application-Aware Routing Policy Configuration Example 161
CHAPTER 12 Traffic Flow Monitoring with Cflowd 169
  Information about Traffic Flow Monitoring 169
  Traffic Flow Monitoring with Cflowd Overview 169
  Restrictions for Enabling Collect Loopback in Flow Telemetry When Using Loopbacks as TLOCs 170
  Components of Cflowd 170
  IPFIX Information Elements for Cisco vEdge Devices 171
  Configure Cflowd Traffic Flow Monitoring 172
  Configure Cflowd Traffic Flow Monitoring Using the CLI 176
  Verify Collect Loopback 178
  Verify Interface Binding on the Device 180
  Configuration Examples for Flexible NetFlow Export of BFD Metrics 181
  Apply and Enable Cflowd Policy 182
  Cflowd Traffic Flow Monitoring Configuration Examples 183
CHAPTER 13 Forward Error Correction 189
  Supported Devices for Forward Error Correction 189
  Configure Forward Error Correction for a Policy 190
  Monitor Forward Error Correction Tunnel Information 190
  Monitor Forward Error Application Family Information 191
  Monitor Forward Error Correction Status Using the CLI 192
CHAPTER 14 Packet Duplication for Noisy Channels 193
  Information about Packet Duplication 193
  Configure Packet Duplication 194
  Monitor Packet Duplication Per Application 194
CHAPTER 15 Elephant Flow Throttling 197
  Information About Elephant Flow 197
  Restrictions for Elephant Flow Throttling 198
  Configure Elephant Flow Throttling Using a CLI Template 198
  Verify Elephant Flow Throttling Configurations Using the CLI 199
CHAPTER 16 Service Chaining 201
  Configure Service Chaining 203
  Service Chaining Configuration Examples 205
  Monitor Service Chaining 213
CHAPTER 17 Cisco vEdge Device as a NAT Device 217
  Cisco vEdge Device as a NAT Device on the Transport Side 217
  Transport-Side NAT Operation 218
  Cisco vEdge Device as a Service-Side NAT Device 220
  Configure Local Internet Exit 220
  Configure Service-Side NAT 225
  Configure Split DNS 232
  Configure Transport-Side NAT 242
  Service-Side NAT Configuration Example 244
Lawful Intercept 2.0 259
  Information About Lawful Intercept 2.0 260
  Prerequisites for Cisco Catalyst SD-WAN Lawful Intercept 2.0 262
  Benefits of Cisco Catalyst SD-WAN Lawful Intercept 2.0 262
  Configure Lawful Intercept 2.0 Workflow 262
  Create a Lawful Intercept Administrator 262
  Create a Lawful Intercept API User 263
  Create an Intercept 263
  Retrieve an Intercept 265
CHAPTER 1
Read Me First
Note To achieve simplification and consistency, the Cisco SD-WAN solution has
been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN
Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following
component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to
Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN
Controller. See the latest Release Notes for a comprehensive list of all the
component brand name changes. While we transition to the new names, some
inconsistencies might be present in the documentation set because of a phased
approach to the user interface updates of the software product.
Related References
· Cisco Catalyst SD-WAN Control Components Compatibility Matrix and Server Recommendations
· Cisco Catalyst SD-WAN Device Compatibility
User Documentation
· User Documentation for Cisco SD-WAN Release 20
Communications, Services, and Additional Information
· Sign up for Cisco email newsletters and other communications at: Cisco Profile Manager.
· For information on the latest technical, advanced, and remote services to increase the operational reliability of your network, visit Cisco Services.
· To browse and discover secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
· To obtain general networking, training, and certification titles from Cisco Press Publishers, visit Cisco Press.
· To find warranty information for a specific product or product family, visit Cisco Warranty Finder.
· To view open and resolved bugs for a release, access the Cisco Bug Search Tool.
· To submit a service request, visit Cisco Support.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
CHAPTER 2
What’s New in Cisco Catalyst SD-WAN
Note Cisco is constantly enhancing the Cisco Catalyst SD-WAN solution with
every release, and we try to keep the content in line with the latest
enhancements. The following table lists new and modified features we
documented in the Configuration, Command Reference, and Hardware Installation
guides. For information on additional features and fixes that were committed
to the Cisco Catalyst SD-WAN solution, see the Resolved and Open Bugs section
in the Release Notes.
What’s New in Cisco SD-WAN (vEdge) Release 20.x
CHAPTER 3
Policy Overview
Policy influences the flow of data traffic and routing information among Cisco
vEdge devices and Cisco IOS XE Catalyst SD-WAN devices in the overlay network.
Policy comprises:
· Routing policy, which affects the flow of routing information in the
network’s control plane.
· Data policy, which affects the flow of data traffic in the network’s data
plane.
To implement enterprise-specific traffic control requirements, you create
basic policies, and deploy advanced features that are activated by means of
the policy configuration infrastructure.
Just as the Cisco Catalyst SD-WAN overlay network architecture clearly
separates the control plane from the data plane, and separates centralized
from localized functions, the Cisco Catalyst SD-WAN policy is cleanly
separated along the same lines. Policies apply either to control plane or
data plane traffic, and they are configured either centrally on Cisco SD-WAN
Controllers or locally on Cisco vEdge devices and Cisco IOS XE Catalyst
SD-WAN devices. The following figure illustrates the division between
control and data policy, and between centralized and local policy.
Figure 1: Policy Architecture
Control and Data Policy
Control policy is the equivalent of routing protocol policy, and data policy
is equivalent to what are commonly called access control lists (ACLs) and
firewall filters.
Centralized and Localized Policy
The Cisco Catalyst SD-WAN policy design provides a clear separation between
centralized and localized policy. In short, centralized policy is provisioned
on the centralized Cisco SD-WAN Controllers in the overlay network, and the
localized policy is provisioned on Cisco vEdge devices, which sit at the
network edge between a branch or enterprise site and a transport network,
such as the Internet, MPLS, or metro Ethernet.
Centralized Policy
Centralized policy refers to policy provisioned on Cisco SD-WAN Controllers,
which are the centralized controllers in the Cisco Catalyst SD-WAN overlay
network. Centralized policy comprises two components:
· Control policy, which affects the overlay network-wide routing of traffic
· Data policy, which affects the data traffic flow throughout the VPN segments
in the network
Centralized control policy applies to the network-wide routing of traffic by
affecting the information that is stored in the Cisco SD-WAN Controller’s
route table and that is advertised to the Cisco vEdge devices. The effects of
centralized control policy are seen in how Cisco vEdge devices direct the
overlay network’s data traffic to its destination.
Note The centralized control policy configuration itself remains on the Cisco
SD-WAN Controller and is never pushed to local devices.
Centralized data policy applies to the flow of data traffic throughout the
VPNs in the overlay network. These policies can permit and restrict access
based either on a 6-tuple match (source and destination IP addresses and
ports, DSCP fields, and protocol) or on VPN membership. These policies are
pushed to the selected Cisco vEdge devices.
Localized Policy
Localized policy refers to a policy that is provisioned locally through the
CLI on the Cisco vEdge devices, or through a Cisco SD-WAN Manager device
template. Localized control policy is also called route policy; it affects
BGP and OSPF routing behavior on the site-local network. Localized data
policy allows you to provision access lists and apply them to a specific
interface or interfaces on the device. Simple access lists permit and
restrict access based on a 6-tuple match (source and destination IP
addresses and ports, DSCP fields, and protocol), in the same way as with
centralized data policy. Access lists also allow provisioning of class of
service (CoS), policing, and mirroring, which control how data traffic flows
out of and into the device’s interfaces and interface queues.
The design of the Cisco Catalyst SD-WAN policy distinguishes basic and
advanced policies. Basic policy allows you to influence or determine basic
traffic flow through the overlay network. Here, you perform standard policy
tasks, such as managing the paths along which traffic is routed through the
network, and permitting or blocking traffic based on the address, port, and
DSCP fields in the packet’s IP header. You can also control the flow of data
traffic into and out of a Cisco vEdge device’s interfaces, enabling features
such as class of service and queuing, mirroring, and policing.
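Both centralized data policy and the access lists of localized data policy are described above as a 6-tuple match that permits or restricts traffic. The following is an added example, not code from this guide or from Cisco: it models a data policy as an ordered list of sequences, each carrying match criteria over the 6-tuple and an action, applies the first sequence that matches, and falls back to a default action when none does. The class and field names, the sample policy, and the sample flows are constructed for illustration. With no sequences at all and a default action of accept, the model reproduces the unpolicied state described later in this chapter, in which all data traffic is forwarded according to the route table alone.

```python
"""Model of a 6-tuple data policy (constructed example, not Cisco code).

A data policy is an ordered list of sequences. Each sequence has match
criteria over the 6-tuple (source/destination IP, source/destination port,
DSCP, protocol) and an action. The first matching sequence wins; if no
sequence matches, the policy's default action applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    """One data-plane flow, identified by its 6-tuple."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dscp: int
    protocol: int


@dataclass(frozen=True)
class Sequence:
    """One policy sequence (hypothetical field names). A field left at
    None/empty matches anything; every populated field must match."""
    seq: int
    action: str  # "accept" or "drop"
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    src_ports: FrozenSet[int] = frozenset()
    dst_ports: FrozenSet[int] = frozenset()
    dscp: Optional[int] = None
    protocol: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.src_prefix is not None and ip_address(f.src_ip) not in ip_network(self.src_prefix):
            return False
        if self.dst_prefix is not None and ip_address(f.dst_ip) not in ip_network(self.dst_prefix):
            return False
        if self.src_ports and f.src_port not in self.src_ports:
            return False
        if self.dst_ports and f.dst_port not in self.dst_ports:
            return False
        if self.dscp is not None and f.dscp != self.dscp:
            return False
        if self.protocol is not None and f.protocol != self.protocol:
            return False
        return True


@dataclass
class DataPolicy:
    """Ordered sequences plus a default action for flows no sequence matches."""
    sequences: List[Sequence]
    default_action: str = "accept"

    def evaluate(self, f: Flow) -> Tuple[str, Optional[int]]:
        """Return (action, sequence number) of the first matching sequence,
        or (default_action, None) when no sequence matches."""
        for s in sorted(self.sequences, key=lambda s: s.seq):
            if s.matches(f):
                return s.action, s.seq
        return self.default_action, None


# Constructed sample policy: permit HTTPS from the branch prefix to the data
# center prefix, drop Telnet from anywhere, and drop everything else.
BRANCH_POLICY = DataPolicy(
    sequences=[
        Sequence(10, "accept", src_prefix="10.1.0.0/16", dst_prefix="10.200.0.0/16",
                 dst_ports=frozenset({443}), protocol=TCP),
        Sequence(20, "drop", dst_ports=frozenset({23}), protocol=TCP),
    ],
    default_action="drop",
)

# Constructed sample flows (addresses are illustrative only).
SAMPLE_FLOWS = {
    "https_to_dc": Flow("10.1.5.20", "10.200.1.10", 51000, 443, 0, TCP),
    "telnet_to_dc": Flow("10.1.5.20", "10.200.1.10", 51001, 23, 0, TCP),
    "dns_to_dc": Flow("10.1.5.20", "10.200.1.53", 51002, 53, 0, UDP),
    "https_from_other_site": Flow("10.2.7.9", "10.200.1.10", 51003, 443, 46, TCP),
}


def evaluate_samples(policy: DataPolicy = BRANCH_POLICY) -> dict:
    """Evaluate every sample flow against the given policy."""
    return {name: policy.evaluate(f) for name, f in SAMPLE_FLOWS.items()}


def no_policy_behaviour() -> dict:
    """No sequences and a default of accept: every flow is forwarded, which
    models the unpolicied data plane described in this chapter."""
    return evaluate_samples(DataPolicy(sequences=[], default_action="accept"))


if __name__ == "__main__":
    for name, (action, seq) in evaluate_samples().items():
        print(f"{name:24s} -> {action} (sequence {seq})")
```

The ordering matters: because sequence 10 fires before sequence 20, a Telnet flow that also matched a broader accept rule would be permitted, so in practice the narrow drop rules belong before the broad accepts. The `https_from_other_site` flow shows why a default action must be chosen deliberately: nothing in the policy mentions it, so the default decides its fate.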
Advanced features of Cisco Catalyst SD-WAN policy offer specialized policy-
based network applications. Examples of these applications include the
following:
· Service chaining, which redirects data traffic to shared devices in the
network, such as firewall, intrusion detection and prevention (IDS), load
balancer, and other devices, before the traffic is delivered to its
destination. Service chaining obviates the need to have a separate device at
each branch site.
· Application-aware routing, which selects the best path for traffic based on
real-time network and path performance characteristics.
· Cflowd, for monitoring traffic flow.
· Converting a Cisco vEdge device into a NAT device, so that traffic destined
for the Internet or another public network can exit directly from the Cisco
vEdge device.
By default, no policy of any kind is configured on Cisco vEdge devices, either
on the centralized Cisco SD-WAN Controllers or the local Cisco vEdge devices.
When control plane traffic, which distributes route information, is
unpolicied:
· All route information that OMP propagates among the Cisco vEdge devices is
shared, unmodified, among all Cisco SD-WAN Controllers and all Cisco vEdge
devices in the overlay network domain.
· No BGP or OSPF route policies are in place to affect the route information
that Cisco vEdge devices propagate within their local site network.
When data plane traffic is unpolicied, all data traffic is directed towards
its destination based solely on the entries in the local Cisco vEdge device’s
route table, and all VPNs in the overlay network can exchange data traffic.
· Policy Architecture, on page 7
· Cisco Catalyst SD-WAN Controller Policy Components, on page 13
· Design Cisco Catalyst SD-WAN Controller Policy Processing and Application, on page 19
· Cisco Catalyst SD-WAN Controller Policy Operation, on page 20
· Configure and Execute Cisco SD-WAN Controller Policies, on page 25
Policy Architecture
This topic offers an orientation about the architecture of the Cisco Catalyst
SD-WAN policy used to implement overlay network-wide policies. These policies
are called Cisco SD-WAN Controller policy or centralized policy, because you
configure them centrally on a Cisco SD-WAN Controller. Cisco SD-WAN Controller
policy affects the flow of both control plane traffic (routing updates carried
by the Overlay Management Protocol (OMP) and used by the Cisco SD-WAN
Controllers to determine the topology and status of the overlay network) and
data plane traffic (data traffic that travels between the Cisco vEdge devices
across the overlay network).
With Cisco Catalyst SD-WAN, you can also create routing policies on the Cisco
vEdge devices. These policies are simply traditional routing policies that are
associated with routing protocol (BGP or OSPF) locally on the devices. You use
them in the traditional sense for controlling BGP and OSPF, for example, to
affect the exchange of route information, to set route attributes, and to
influence path selection.
Centralized Control Policy Architecture
In the Cisco Catalyst SD-WAN network architecture, centralized control policy
is handled by the Cisco SD-WAN Controller, which effectively is the routing
engine of the network. The Cisco SD-WAN Controller is the centralized manager
of network-wide routes, maintaining a primary route table for these routes.
The Cisco SD-WAN Controller builds its route table based on the route
information advertised by the Cisco vEdge devices in its domain, using these
routes to discover the network topology and to determine the best paths to
network destinations. The Cisco SD-WAN Controller distributes route
information from its route table to the devices in its domain, which in turn
use these routes to forward data traffic through the network. The result of
this architecture is that network-wide routing decisions and routing policy
are orchestrated by a central authority instead of being implemented hop by
hop by the devices in the network.
Centralized control policy allows you to influence the network routes
advertised by the Cisco SD-WAN Controllers. This type of policy, which is
provisioned centrally on the Cisco SD-WAN Controller, affects both the route
information that the Cisco SD-WAN Controller stores in its primary route table
and the route information that it distributes to the devices.
Centralized control policy is provisioned and applied only on the Cisco SD-WAN
Controller. The control policy configuration itself is never pushed to devices
in the overlay network. What is pushed to the devices, using the Overlay
Management Protocol (OMP), are the results of the control policy, which the
devices then install in their local route tables and use for forwarding data
traffic. This design means that the distribution of network-wide routes is
always administered centrally, using policies designed by network
administrators. These policies are always implemented by centralized Cisco SD-
WAN Controllers, which are responsible for orchestrating the routing decisions
in the Cisco Catalyst SD-WAN overlay network.
Within a network domain, the network topology map on all Cisco SD-WAN
Controllers must be synchronized. To support this, you must configure
identical policies on all the Cisco SD-WAN Controllers in the domain.
Figure 2: Centralized Control Policy
Route Types
All centralized control plane traffic, including route information, is carried
by OMP peering sessions that run within the secure, permanent DTLS connections
between devices and the Cisco SD-WAN Controllers in their domain. The
endpoints of an OMP peering session are identified by the system IDs of the
devices, and the peering sessions carry the site ID, which identifies the site
in which the device is located. A DTLS connection and the OMP session running
over it remain active as long as the two peers are operational.
Control policy can be applied both inbound, to the route advertisements that
the Cisco SD-WAN Controller receives from the devices, and outbound, to
advertisements that it sends to them. Inbound policy controls which routes and
route information are installed in the local routing database on the Cisco SD-
WAN Controller, and whether this information is installed as-is or is
modified. Outbound control policy is applied after a route is retrieved from
the routing database, but before a Cisco SD-WAN Controller advertises it, and
affects whether the route information is advertised as-is or is modified.
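The inbound and outbound directions are easy to confuse because both are named relative to the controller. The following added example (not Cisco's code and not Cisco's policy syntax) models the two points made above: inbound policy is applied as a route arrives and decides what the controller installs in its route table; outbound policy is applied per receiving site after a route is retrieved from the table and decides what that site is told, while the table itself is unchanged. Sites, prefixes, the VPN number, and the rules are constructed, and representing a rule as a function that returns a possibly modified route or None for "reject" is a modelling choice of this example.

```python
"""Model of inbound versus outbound centralized control policy on a
controller (constructed example, not Cisco code).

Inbound policy runs before a route is installed in the controller's table.
Outbound policy runs after retrieval from the table, before advertisement to
a particular site. Devices only ever receive the resulting routes, never the
policy itself.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class OmpRoute:
    """Constructed stand-in for an OMP route: prefix, VPN, originating site, preference."""
    prefix: str
    vpn: int
    site_id: int
    preference: int = 0


# A rule takes a route and returns it (possibly modified) or None to reject it.
# This representation is hypothetical; it is not Cisco's policy language.
Rule = Callable[[OmpRoute], Optional[OmpRoute]]


class Controller:
    def __init__(self, inbound: Dict[int, Rule], outbound: Dict[int, Rule]):
        # Policies are keyed by site ID. Inbound: the site the advertisement
        # comes from. Outbound: the site the advertisement goes to. Both
        # directions are relative to the controller.
        self.inbound = inbound
        self.outbound = outbound
        self.table: List[OmpRoute] = []

    def receive(self, route: OmpRoute) -> bool:
        """Inbound direction: apply the originating site's inbound policy
        before anything is installed in the controller's route table."""
        rule = self.inbound.get(route.site_id)
        if rule is not None:
            route = rule(route)
            if route is None:
                return False  # rejected: never enters the table
        self.table.append(route)
        return True

    def advertise_to(self, site_id: int) -> List[OmpRoute]:
        """Outbound direction: retrieve routes from the table, then apply the
        receiving site's outbound policy. The stored table is not touched."""
        rule = self.outbound.get(site_id)
        out: List[OmpRoute] = []
        for r in self.table:
            if r.site_id == site_id:
                continue  # modelling simplification: a site's own routes are not echoed back
            if rule is not None:
                r = rule(r)
                if r is None:
                    continue
            out.append(r)
        return out


# Constructed rules for the demonstration.
def reject_lab_prefix(r: OmpRoute) -> Optional[OmpRoute]:
    """Inbound rule for site 30: keep a lab prefix out of the overlay entirely."""
    return None if r.prefix == "10.30.99.0/24" else r


def hide_site_30(r: OmpRoute) -> Optional[OmpRoute]:
    """Outbound rule for site 20: advertise nothing that was learned from site 30."""
    return None if r.site_id == 30 else r


def prefer_site_20(r: OmpRoute) -> Optional[OmpRoute]:
    """Outbound rule for site 10: raise the preference of site 20's routes."""
    return replace(r, preference=100) if r.site_id == 20 else r


def demo() -> dict:
    """Run three constructed sites through the controller and report what is
    stored versus what each site is advertised."""
    ctrl = Controller(inbound={30: reject_lab_prefix},
                      outbound={20: hide_site_30, 10: prefer_site_20})
    for route in [
        OmpRoute("10.10.0.0/24", 1, 10),
        OmpRoute("10.20.0.0/24", 1, 20),
        OmpRoute("10.30.0.0/24", 1, 30),
        OmpRoute("10.30.99.0/24", 1, 30),  # constructed lab prefix, rejected inbound
    ]:
        ctrl.receive(route)
    return {
        "table": [r.prefix for r in ctrl.table],
        "to_site_10": [(r.prefix, r.preference) for r in ctrl.advertise_to(10)],
        "to_site_20": [r.prefix for r in ctrl.advertise_to(20)],
        "to_site_30": [r.prefix for r in ctrl.advertise_to(30)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the difference in effect: the inbound rejection of the lab prefix removes it for every site, because it is never stored; the outbound rule on site 20 hides site 30's routes from site 20 only, and the table and the advertisements to sites 10 and 30 are unaffected; the outbound preference change for site 10 alters what site 10 sees without altering the stored route. This is also why the chapter insists that all controllers in a domain carry identical policy: a controller with a different inbound policy would hold a different table.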
The Cisco SD-WAN Controller learns the network topology from OMP routes, which
are Cisco Catalyst SD-WAN-specific routes carried by OMP. There are three
types of OMP routes:
· Cisco Catalyst SD-WAN OMP routes: These routes carry prefix information that
the devices learn from the routing protocols running on their local network,
including routes learned from BGP and OSPF, as well as direct, connected, and
static routes. OMP advertises OMP routes to the Cisco SD-WAN Controller by
means of an OMP route SAFI (Subsequent Address Family Identifier). These
routes are commonly simply called OMP routes.
· TLOC routes: These routes carry properties associated with transport
locations (TLOCs), which are the physical points at which the devices connect
to the WAN or the transport network. Properties that identify a TLOC include
the IP address of the WAN interface and a color that identifies a particular
traffic flow. OMP advertises TLOC routes using a TLOC SAFI.
· Service routes: These routes identify network services, such as firewalls
and IDPs, that are available on the local-site network to which the devices
are connected. OMP advertises these routes using a service SAFI.
Default Behavior Without Centralized Control Policy
By default, no centralized control policy is provisioned on the Cisco SD-WAN
Controller. This results in the following route advertisement and
redistribution behavior within a domain:
· All Cisco vEdge devices redistribute all the route-related prefixes that
they learn from their site-local network to the Cisco SD-WAN Controller. This
route information is carried by OMP route advertisements that are sent over
the DTLS connection between the devices and the Cisco SD-WAN Controller. If a
domain contains multiple Cisco SD-WAN Controllers, the devices send all OMP
route advertisements to all the controllers.
· All the devices send all TLOC routes to the Cisco SD-WAN Controller or
controllers in their domain, using OMP.
· All the devices send all service routes to advertise any network services,
such as firewalls and IDPs, that are available at the local site where the
device is located. Again, these are carried by OMP.
· The Cisco SD-WAN Controller accepts all the OMP, TLOC, and service routes
that it receives from all the devices in its domain, storing the information
in its route table. The Cisco SD-WAN Controller tracks which OMP routes,
TLOCs, and services belong to which VPNs. The Cisco SD-WAN Controller uses all
the routes to develop a topology map of the network and to determine routing
paths for data traffic through the overlay network.
· The Cisco SD-WAN Controller redistributes all information learned from the
OMP, TLOC, and service routes in a particular VPN to all the devices in the
same VPN.
· The devices regularly send route updates to the Cisco SD-WAN Controller.
· The Cisco SD-WAN Controller recalculates routing paths, updates its route
table, and advertises new and changed routing information to all the devices.
Behavior Changes with Centralized Control Policy
When you do not want to redistribute all route information to all Cisco vEdge
devices in a domain, or when you want to modify the route information that is
stored in the Cisco Catalyst SD-WAN Controller’s route table or that is
advertised by the Cisco Catalyst SD-WAN Controller, you design and provision a
centralized control policy. To activate the control policy, you apply it to
specific sites in the overlay network in either the inbound or the outbound
direction. The direction is with respect to the Cisco Catalyst SD-WAN
Controller. All provisioning of centralized control policy is done on the
Cisco Catalyst SD-WAN Controller.
Applying a centralized control policy in the inbound direction filters or
modifies the routes being advertised by the Cisco vEdge device before they are
placed in the route table on the Cisco Catalyst SD-WAN Controller. As the
first step in the process, routes are either accepted or rejected. Accepted
routes are installed in the route table on the Cisco Catalyst SD-WAN
Controller either as received or as modified by the control policy. Routes
that are rejected by a control policy are silently discarded.
Applying a control policy in the outbound direction filters or modifies the routes
that the Cisco Catalyst SD-WAN Controller redistributes to the Cisco vEdge
devices. As the first step of an outbound policy, routes are either accepted
or rejected. For accepted routes, centralized control policy can modify the
routes before they are distributed by the Cisco Catalyst SD-WAN Controller.
Routes that are rejected by an outbound policy are not advertised.
VPN Membership Policy
A second type of centralized data policy is VPN membership policy. It controls
whether a Cisco vEdge device can participate in a particular VPN. VPN
membership policy defines which VPNs a device is allowed to receive routes for
and which it is not.
VPN membership policy can be centralized, because it affects only the packet
headers and has no impact on the choice of interface that a Cisco vEdge device
uses to transmit traffic. What happens instead is that if, because of a VPN
membership policy, a device is not allowed to receive routes for a particular
VPN, the Cisco Catalyst SD-WAN Controller never forwards those routes to that
device.
Examples of Modifying Traffic Flow with Centralized Control Policy
This section provides some basic examples of how you can use centralized
control policies to modify the flow of data traffic through the overlay
network.
Create an Arbitrary Topology
When data traffic is exchanged between two Cisco vEdge devices, if you have
provisioned no control policy, the two devices establish an IPsec tunnel
between them and the data traffic flows directly from one device to the next.
For a network with only two devices or with just a small number of devices,
establishing connections between each pair of devices is generally not an
issue. However, such a solution does not scale. In a network with hundreds or
even thousands of branches, establishing a full mesh of IPsec tunnels taxes the
CPU resources of each device.
Figure 3: Arbitrary Topology
One way to minimize this overhead is to create a hub-and-spoke type of
topology in which one of the devices acts as a hub site that receives the data
traffic from all the spoke, or branch, devices and then redirects the traffic
to the proper destination. This example shows one of the ways to create such a
hub-and-spoke topology, which is to create a control policy that changes the
address of the TLOC associated with the destination.
The figure illustrates how such a policy might work. The topology has two
branch locations, West and East. When no control policy is provisioned, these
two devices exchange data traffic with each other directly by creating an
IPsec tunnel between them (shown by the red line). Here, the route table on
the Device West contains a route to Device East with a destination TLOC of
203.0.113.1, color gold (which we write as the tuple {192.0.2.1, gold}), and
Device East route table has a route to the West branch with a destination TLOC
of {203.0.113.1, gold}.
To set up a hub-and-spoke type topology here, we provision a control policy
that causes the West and East devices to send all data packets destined for
the other device to the hub device. (Remember that because control policy is
always centralized, you provision it on the Cisco Catalyst SD-WAN Controller.)
On the Device West, the policy simply changes the destination TLOC from
{203.0.113.1, gold} to {209.165.200.225, gold}, which is the TLOC of the hub
device, and on the Device East, the policy changes the destination TLOC from
{192.0.2.1, gold} to the hub’s TLOC, {209.165.200.225, gold}. If there were
other branch sites on the west and east sides of the network that exchange
data traffic, you could apply these same two control policies to have them
redirect all their data traffic through the hub.
Set Up Traffic Engineering
Control policy allows you to design and provision traffic engineering. In a
simple case, suppose that you have two devices acting as hub devices. If you
want data traffic destined to a branch Cisco vEdge device to always transit
through one of the hub devices, set the TLOC preference value to favor the
desired hub device.
Figure 4: Traffic Engineering Topology
The figure shows that Site ID 100 has two hub devices, one that serves the
West side of the network and a second that serves the East side. Data traffic
from the Device West must be handled by the Device West hub, and similarly,
data traffic from the Device East branch must go through the Device East hub.
To engineer this traffic flow, you provision two control policies, one for
Site ID 1, where the Device West device is located, and a second one for Site
ID 2. The control policy for Site ID 1 changes the TLOC for traffic destined
to the Device East to {209.165.200.225, gold}, and the control policy for Site
ID 2 changes the TLOC for traffic destined for Site ID 1 to {198.51.100.1,
gold}. One additional effect of this traffic engineering policy is that it
load-balances the traffic traveling through the two hub devices.
With such a traffic engineering policy, a route from the source device to the
destination device is installed in the local route table, and traffic is sent
to the destination regardless of whether the path between the source and
destination devices is available. Enabling end-to-end tracking of the path to
the ultimate destination allows the Cisco Catalyst SD-WAN Controller to
monitor the path from the source to the destination, and to inform the source
device when that path is not available. The source device can then modify or
remove the path from its route table.
Figure 5: Traffic Engineering 2
The figure Traffic Engineering 2 illustrates end-to-end path tracking. It
shows that traffic from Device-A that is destined for Device-D first goes to
an intermediate device, Device-B, perhaps because this intermediate device
provides a service, such as a firewall. (You configure this traffic
engineering with a centralized control policy that is applied to Device-A, at
Site 1.) Then Device-B, which has a direct path to the ultimate destination,
forwards the traffic to Device-D. So, in this example, the end-to-end path
between Device-A and Device-D comprises two tunnels, one between Device-A and
Device-B, and the second between Device-B and Device-D. The Cisco Catalyst SD-
WAN Controller tracks this end-to-end path, and it notifies Device-A if the
portion of the path between Device-B and Device-D becomes unavailable.
As part of end-to-end path tracking, you can specify how traffic is forwarded
from the source to the ultimate destination using an intermediate device. The
default method is strict forwarding, where traffic is always sent from
Device-A to Device-B, regardless of whether Device-B has a direct path to
Device-D or whether the tunnel between Device-B and Device-D is up. More
flexible methods forward some or all traffic directly from Device-A to
Device-D. You can also set up a second intermediate device to provide a
redundant path when the first intermediate device is unreachable and use an
ECMP method to forward traffic between the two. The figure Traffic
Engineering 3 adds Device-C as a redundant intermediate device.
Figure 6: Traffic Engineering 3
Centralized control policy, which you configure on Cisco Catalyst SD-WAN
Controllers, affects routing policy based on information in OMP routes and OMP
TLOCs. This type of policy allows you to set actions for matching routes and
TLOCs, including redirecting packets through network services, such as
firewalls, a feature that is called service chaining. In domains with multiple
Cisco Catalyst SD-WAN Controllers, all the controllers must have the same
centralized control policy configuration to ensure that routing within the
overlay network remains stable and predictable.
Configure Centralized Policy Based on Prefixes and IP Headers
A centralized data policy based on source and destination prefixes and on
headers in IP packets consists of a series of numbered (ordered) sequences of
match-action pairs that are evaluated in order, from lowest sequence number to
highest sequence number. When a packet matches one of the match conditions,
the associated action is taken and policy evaluation on that packet stops.
Keep this in mind as you design your policies to ensure that the desired
actions are taken on the items subject to policy.
If a packet matches no parameters in any of the sequences in the policy
configuration, it is dropped and discarded by default.
Configuration Components
The following figure illustrates the configuration components for a
centralized data policy:
Cisco Catalyst SD-WAN Controller Policy Components
The Cisco SD-WAN Controller policies that implement overlay network-wide
policies are implemented on the Cisco Catalyst SD-WAN Control Components.
Because Cisco SD-WAN Controllers are centralized devices, you can manage and
maintain Cisco SD-WAN Controller policies centrally, and you can ensure
consistency in the enforcement of policies across the overlay network.
The implementation of Cisco SD-WAN Controller policy is done by configuring
the entire policy on the Cisco Catalyst SD-WAN Control Components. Cisco SD-
WAN Controller policy configuration is accomplished with three building
blocks:
· Lists define the targets of policy application or matching.
· Policy definition, or policies, controls aspects of control and forwarding.
There are different types of policy, including:
· app-route-policy (for application-aware routing)
· cflowd-template (for cflowd flow monitoring)
· control-policy (for routing and control plane information)
· data-policy (for data traffic)
· vpn-membership-policy (for limiting the scope of traffic to specific VPNs)
· Policy application controls what a policy is applied towards. Policy
application is site-oriented, and is defined by a specific list called a site-
list.
You assemble these three building blocks into a Cisco SD-WAN Controller policy.
More specifically, a policy is the sum of one or more lists, one policy
definition, and at least one policy application, as shown in the table below.
Table 1: The Three Building Blocks of Cisco SD-WAN Controller Policies
Lists
· data-prefix-list: List of prefixes for use with a data-policy
· prefix-list: List of prefixes for use with any other policy
· site-list: List of site-id:s for use in policy and apply-policy
· tloc-list: List of tloc:s for use in policy
· vpn-list: List of vpn:s for use in policy
+
Policy Definition
· app-route-policy: Used with sla-classes for application-aware routing
· cflowd-template: Configures the cflowd agents on the Cisco vEdge devices
· control-policy: Controls OMP routing control
· data-policy: Provides vpn-wide policy-based routing
· vpn-membership-policy: Controls vpn membership across nodes
+
Policy Application
· apply-policy: Used with a site-list to determine where policies are applied
=
Complete policy definition configured on Cisco SD-WAN Controller and enforced either on Cisco SD-WAN Controller or on Cisco vEdge devices.
Lists
Lists are how you group related items so that you can reference them all
together. Examples of items you put in lists are prefixes, TLOCs, VPNs, and
overlay network sites. In the Cisco SD-WAN Controller policy, you invoke lists
in two places: when you create a policy definition and when you apply a
policy. Separating the definition of the related items from the definition of
policy means that when you add or remove items from a list, you make the
change in only a single place: you do not have to make the change throughout
the policy definition. So if you add ten sites to your network and you want to
apply an existing policy to them, you simply add the site identifiers to the
site list. You can also change policy rules without having to manually modify
the prefixes, VPNs, or other things that the rules apply to.
Table 2: List Types
· data-prefix-list: Used in data-policy to define prefix and upper layer ports,
either individually or jointly, for traffic matching.
· prefix-list: Used in control-policy to define prefixes for matching RIB
entries.
· site-list: Used in control-policy to match source sites, and in apply-policy
to define sites for policy application.
· tloc-list: Used in control-policy to define TLOCs for matching RIB entries
and to apply redefined TLOCs to vRoutes.
· vpn-list: Used in control-policy to define prefixes for matching RIB entries,
and in data-policy and app-route-policy to define VPNs for policy application.
The following configuration shows the types of Cisco SD-WAN Controller policy
lists:
policy
  lists
    data-prefix-list app1
      ip-prefix 209.165.200.225/27 port 100
    !
    prefix-list pfx1
      ip-prefix 209.165.200.225/27
    !
    site-list site1
      site-id 100
    !
    tloc-list site1-tloc
      tloc 209.165.200.225 color mpls
    !
    vpn-list vpn1
      vpn 1
    !
  !
!
Policy Definition
The policy definition is where you create the policy rules. You specify match
conditions (route-related properties for control policy and data-related
fields for data policy) and actions to perform when a match occurs. A policy
contains match-action pairings that are numbered and that are examined in
sequential order. When a match occurs, the action is performed, and the policy
analysis on that route or packet terminates. Some types of policy definitions
apply only to specific VPNs.
Table 3: Policy Types
· policy-type: Can be control-policy, data-policy, or vpn-membership–dictates
the type of policy. Each type has a particular syntax and a particular set of
match conditions and settable actions.
· vpn-list: Used by data-policy and app-route-policy to list the VPNs for which
the policy is applicable.
· sequence: Defines each sequential step of the policy by sequence number.
· match: Decides what entity to match on in the specific policy sequence.
· action: Determines the action that corresponds to the preceding match
statement.
· default-action: Action to take for any entity that is not matched in any
sequence of the policy. By default, the action is set to reject.
The following configuration shows the components of the Cisco SD-WAN
Controller policy definition. These items are listed in the logical order you
should use when designing policy, and this order is also how the items are
displayed in the configuration, regardless of the order in which you add them
to the configuration.
policy
  policy-type name
    vpn-list vpn-list
    sequence number
      match
        <route | tloc | vpn | other>
      !
      action
      !
    !
  !
!
Policy Application
The following are the configuration components:
· site-list: Determines the sites to which a given policy is applied. The
direction (in | out) applies only to control-policy.
· policy-type: The policy type can be control-policy, data-policy, or
vpn-membership–and name refers to an already configured policy to be applied to
the sites specified in the site-list for the section.
For a policy definition to take effect, you associate it with sites in the
overlay network.
apply-policy
  site-list name
    control-policy name
Policy Example
A complete policy consists of lists, policy definition, and policy
application. The example illustrated below creates two lists (a site-list and
a tloc-list), defines one policy (a control policy), and applies the policy to
the site-list. In the figure, the items are listed as they are presented in
the node configuration. In a normal configuration process, you create lists
first (group together all the things you want to use), then define the
policy itself (define what things you want to do), and finally apply the
policy (specify the sites that the configured policy affects).
apply-policy
  site-list site1                   -> Apply the defined policy towards the sites in site-list
    control-policy prefer_local out
  !
!
policy
  lists
    site-list site1                 -> Define the lists required for apply-policy and for use within the policy
      site-id 100
    !
    tloc-list prefer_site1
      tloc 192.0.2.1 color mpls encap ipsec preference 400
    !
  !
  control-policy prefer_local
    sequence 10
      match route
        site-list site1             -> Lists previously defined used within policy
      !
      action accept
        set
          tloc-list prefer_site1
        !
      !
    !
  !
!
TLOC Attributes Used in Policies
A transport location, or TLOC, defines a specific interface in the overlay
network. Each TLOC consists of a set of attributes that are exchanged in OMP
updates among the Cisco IOS XE Catalyst SD-WAN devices. Each TLOC is uniquely
identified by a 3-tuple of IP address, color, and encapsulation. Other
attributes can be associated with a TLOC.
The TLOC attributes listed below can be matched or set in Cisco SD-WAN
Controller policies.
Table 4:
Columns: TLOC Attribute; Function; Application Point Set By; Application Point Modify By
· Address (IP address)
  Function: system-ip address of the source device on which the interface is located.
  Set by: Configuration on source device
  Modify by: control-policy, data-policy
· Carrier
  Function: Identifier of the carrier type. It primarily indicates whether the transport is public or private.
  Set by: Configuration on source device
  Modify by: control-policy
· Color
  Function: Identifier of the TLOC type.
  Set by: Configuration on source device
  Modify by: control-policy, data-policy
· Domain ID
  Function: Identifier of the overlay network domain.
  Set by: Configuration on source device
  Modify by: control-policy
· Encapsulation
  Function: Tunnel encapsulation, either IPsec or GRE.
  Set by: Configuration on source device
  Modify by: control-policy, data-policy
· Originator
  Function: system-ip address of originating node.
  Set by: Configuration on any originator
  Modify by: control-policy
· Preference
  Function: OMP path-selection preference. A higher value is a more preferred path.
  Set by: Configuration on source device
  Modify by: control-policy
· Site ID
  Function: Identification for a given site. A site can have multiple nodes or TLOCs.
  Set by: Configuration on source device
  Modify by: control-policy
· Tag
  Function: Identifier of TLOC on any arbitrary basis.
  Set by: Configuration on source device
  Modify by: control-policy
Cisco Catalyst SD-WAN Route Attributes Used in Policies
A Cisco Catalyst SD-WAN route defines a route in the overlay network. It is
similar to a standard IP route, but also has TLOC and VPN attributes. The Cisco
vEdge devices exchange routes in OMP updates. The route attributes listed below
can be matched or set in Cisco SD-WAN Controller policies.
Table 5:
Columns: Route Attribute; Function; Application Point Set By; Application Point Modify By
· Origin
  Function: Source of the route, either BGP, OSPF, connected, static.
  Set by: Source device
  Modify by: control-policy
· Originator
  Function: Source of the update carrying the route.
  Set by: Any originator
  Modify by: control-policy
· Preference
  Function: OMP path-selection preference. A higher value is a more preferred path.
  Set by: Configuration on source device or policy
  Modify by: control-policy
· Service
  Function: Advertised service associated with the route.
  Set by: Configuration on source device
  Modify by: control-policy
· Site ID
  Function: Identifier for a given site. A site can have multiple nodes or TLOCs.
  Set by: Configuration on source device
  Modify by: control-policy
· Tag
  Function: Identification on any arbitrary basis.
  Set by: Configuration on source device
  Modify by: control-policy
· TLOC
  Function: TLOC used as next hop for the route.
  Set by: Configuration on source device or policy
  Modify by: control-policy, data-policy
· VPN
  Function: VPN to which the route belongs.
  Set by: Configuration on source device or policy
  Modify by: control-policy, data-policy
Design Cisco Catalyst SD-WAN Controller Policy Processing and Application
Understanding how a Cisco SD-WAN Controller policy is processed and applied
allows for proper design of policy and evaluation of how policy is implemented
across the overlay network.
Policy is processed as follows:
· A policy definition consists of a numbered, ordered sequence of match-action
pairings. Within each policy, the pairings are processed in sequential order,
starting with the lowest number and incrementing.
· As soon as a match occurs, the matched entity is subject to the configured
action of the sequence and is then no longer subject to continued processing.
· Any entity not matched in a sequence is subject to the default action for
the policy. By default, this action is reject.
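The processing rules just listed (ordered sequences, first match wins, default-action reject), together with the hub-and-spoke TLOC rewrite and the prefer_local policy example earlier in this chapter, as an added Python model of how the controller runs OMP routes through a control policy. This is illustrative code written for this page, not Cisco software; the OmpRoute record, the route prefixes, the ipsec encapsulation value and the helper names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Set, Tuple

# A TLOC is identified by the 3-tuple (system IP address, color, encapsulation).
Tloc = Tuple[str, str, str]


@dataclass(frozen=True)
class OmpRoute:
    """Constructed OMP route record with the attributes a control policy matches or sets."""
    prefix: str
    vpn: int
    site_id: int           # site that originated the route
    tloc: Tloc             # next-hop TLOC
    preference: int = 0


@dataclass
class Sequence:
    """One numbered match-action pair of a control-policy."""
    number: int
    match: Callable[[OmpRoute], bool]
    accept: bool
    set_tloc: Optional[Tloc] = None
    set_preference: Optional[int] = None


@dataclass
class ControlPolicy:
    name: str
    sequences: List[Sequence]
    default_action: str = "reject"   # the documented default for unmatched routes


def evaluate(policy: ControlPolicy, route: OmpRoute) -> Optional[OmpRoute]:
    """Run one route through the policy: sequences are examined from the lowest
    number upward, the first match decides, and an unmatched route gets the
    default action. Returns the (possibly modified) route on accept, None on reject."""
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if not seq.match(route):
            continue
        if not seq.accept:
            return None
        changes = {}
        if seq.set_tloc is not None:
            changes["tloc"] = seq.set_tloc
        if seq.set_preference is not None:
            changes["preference"] = seq.set_preference
        return replace(route, **changes)
    return route if policy.default_action == "accept" else None


def apply_policy(site_list: Set[int], policy: ControlPolicy, direction: str,
                 routes: List[OmpRoute], peer_site: int) -> List[OmpRoute]:
    """Model of 'apply-policy site-list <list> control-policy <name> <in|out>' on the
    controller. 'in': routes arriving from peer_site, before the route table.
    'out': routes being advertised to peer_site, after the route table.
    Only peers in the site-list are subject to the policy; others pass unchanged."""
    if direction not in ("in", "out"):
        raise ValueError("control-policy direction must be 'in' or 'out'")
    if peer_site not in site_list:
        return list(routes)
    results = (evaluate(policy, r) for r in routes)
    return [r for r in results if r is not None]


# Hub-and-spoke example from the text; prefixes and encapsulation are constructed.
HUB_TLOC: Tloc = ("209.165.200.225", "gold", "ipsec")
EAST_TLOC: Tloc = ("203.0.113.1", "gold", "ipsec")

# Outbound toward the West branch (Site 1): routes originated by Site 2 are rewritten
# to point at the hub. Sequence 20 is a catch-all so that other routes are not lost
# to the default-action reject.
west_to_hub = ControlPolicy("west_to_hub", [
    Sequence(10, match=lambda r: r.site_id == 2, accept=True, set_tloc=HUB_TLOC),
    Sequence(20, match=lambda r: True, accept=True),
])

# prefer_local from the policy example: only routes from site 100 match; with the
# default-action left at reject, every other route advertised to site 100 is dropped.
prefer_local = ControlPolicy("prefer_local", [
    Sequence(10, match=lambda r: r.site_id == 100, accept=True,
             set_tloc=("192.0.2.1", "mpls", "ipsec"), set_preference=400),
])


def advertise_to_west(routes: List[OmpRoute]) -> List[OmpRoute]:
    return apply_policy({1}, west_to_hub, "out", routes, peer_site=1)


def advertise_to_site1(routes: List[OmpRoute]) -> List[OmpRoute]:
    return apply_policy({100}, prefer_local, "out", routes, peer_site=100)


if __name__ == "__main__":
    east = OmpRoute("10.2.0.0/16", vpn=1, site_id=2, tloc=EAST_TLOC)
    for r in advertise_to_west([east]):
        print(r.prefix, "next hop", r.tloc)   # next hop is now the hub TLOC
```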
Cisco SD-WAN Controller policy is applied on a per-site-list basis, so:
· When applying policy to a site-list, you can apply only one of each type of
policy. For example, you can have one control-policy and one data-policy, or
one control-policy in and one control-policy out. You cannot have two data
policies or two outbound control policies.
· Because a site-list is a grouping of many sites, you should be careful about
including a site in more than one site-list. When the site-list includes a
range of site identifiers, ensure that there is no overlap. If the same site
is part of two site-lists and the same type of policy is applied to both site-
lists, the policy behavior is unpredictable and possibly catastrophic.
· Control-policy is unidirectional, being applied either inbound to the Cisco
SD-WAN Controller or outbound from it. When control-policy is needed in both
directions, configure two control policies.
· Data-policy is bidirectional and can be applied to traffic received from the
service side of the Cisco vEdge device, to traffic received from the tunnel
side, or to both.
· VPN membership policy is always applied to traffic outbound from the Cisco
SD-WAN Controller.
· Control-policy remains on the Cisco SD-WAN Controller and affects routes
that the controller sends and receives.
· Data-policy is sent to the Cisco vEdge devices in the site-list. The
policy is sent in OMP updates, and it affects the data traffic that the
devices send and receive.
· When any node in the overlay network makes a routing decision, it uses any
and all available routing information. In the overlay network, it is the Cisco
Catalyst SD-WAN Controller that distributes routing information to the Cisco
vEdge device nodes.
· In a network deployment that has two or more Cisco Catalyst SD-WAN
Controllers, each controller acts independently to disseminate routing
information to other Cisco SD-WAN Controllers and to Cisco vEdge devices in
the overlay network. So, to ensure that the Cisco SD-WAN Controller policy has
the desired effect in the overlay network, each Cisco SD-WAN Controller must
be configured with the same policy, and the policy must be applied
identically. For any given policy, you must configure the identical policy and
apply it identically across all the Cisco SD-WAN Controllers.
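A pre-deployment check for the apply-policy rules above (one policy of each type, and for control-policy each direction, per site-list; no site in two site-lists that receive the same type of policy), as added Python that is not part of Cisco SD-WAN Manager or the vEdge software. The sample configuration is constructed in the style of this guide's examples, and the lo-hi form for a site-id range is an assumption.

```python
from typing import Dict, List, Set, Tuple

POLICY_TYPES = {"control-policy", "data-policy", "app-route-policy", "vpn-membership-policy", "cflowd-template"}


def parse_config(text: str) -> Tuple[Dict[str, Set[int]], Dict[str, List[Tuple[str, str, str]]]]:
    """Return (site_lists, applications): site-list name -> site IDs from 'policy lists', and
    site-list name -> [(policy type, name, direction)] from 'apply-policy'. Direction is kept
    only for control-policy, the one directional type. Ranges are written lo-hi (assumed)."""
    site_lists: Dict[str, Set[int]] = {}
    applications: Dict[str, List[Tuple[str, str, str]]] = {}
    section, in_lists, current = None, False, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        if line in ("policy", "apply-policy"):
            section, in_lists, current = line, False, None
        elif line == "!":
            current = None
        elif section == "policy" and line == "lists":
            in_lists = True
        elif section == "policy" and parts[0] in POLICY_TYPES:
            in_lists = False                   # policy definitions follow the lists block
        elif parts[0] == "site-list":
            current = parts[1]
            if section == "apply-policy":
                applications.setdefault(current, [])
            elif in_lists:
                site_lists.setdefault(current, set())
            else:
                current = None                 # a site-list named inside a match clause
        elif current and in_lists and parts[0] == "site-id":
            lo, _, hi = parts[1].partition("-")
            site_lists[current].update(range(int(lo), int(hi or lo) + 1))
        elif current and section == "apply-policy" and parts[0] in POLICY_TYPES:
            direction = parts[2] if parts[0] == "control-policy" and len(parts) > 2 else ""
            applications[current].append((parts[0], parts[1], direction))
    return site_lists, applications


def check_applications(site_lists: Dict[str, Set[int]],
                       applications: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Report violations of the two apply-policy rules: one policy per type (and, for
    control-policy, per direction) per site-list, and no site shared by two site-lists
    that receive the same type of policy. Undefined site-list references are flagged too."""
    problems: List[str] = []
    receivers: Dict[Tuple[str, str], List[str]] = {}
    for list_name, entries in applications.items():
        if list_name not in site_lists:
            problems.append(f"apply-policy references undefined site-list {list_name}")
        seen: Set[Tuple[str, str]] = set()
        for ptype, _, direction in entries:
            kind, label = (ptype, direction), f"{ptype} {direction}".strip()
            if kind in seen:
                problems.append(f"site-list {list_name} applies more than one {label}")
            seen.add(kind)
            receivers.setdefault(kind, []).append(list_name)
    for (ptype, direction), names in receivers.items():
        names, label = sorted(set(names)), f"{ptype} {direction}".strip()
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                overlap = site_lists.get(a, set()) & site_lists.get(b, set())
                if overlap:
                    problems.append(f"site {min(overlap)} is in both {a} and {b}, "
                                    f"which both receive a {label}")
    return problems


# Constructed configuration in the style of this guide's examples: site 12 falls inside
# the branches range and is also listed in west, and both lists get an outbound control-policy.
SAMPLE_CONFIG = """\
policy
 lists
  site-list branches
   site-id 10-19
  !
  site-list west
   site-id 12
  !
 !
 control-policy prefer_west
  sequence 10
   match route
    site-list west
   !
  !
 !
!
apply-policy
 site-list branches
  control-policy prefer_hub out
  data-policy branch_data
 !
 site-list west
  control-policy prefer_west out
 !
!
"""
```

Running `check_applications(*parse_config(SAMPLE_CONFIG))` returns a single finding naming site 12 and the two site-lists; run it against an exported configuration before pushing a policy to the controllers.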
Note: When you deploy a policy, the deployment status is updated only for 30
minutes, which is the timeout limit for policies. After the timeout period,
the deployment task status is not monitored. If you deploy a large policy with
many lines and the deployment takes more than 30 minutes, the task status is
not monitored.
Cisco Catalyst SD-WAN Controller Policy Operation
At a high level, control policy operates on routing information, which in the
Cisco Catalyst SD-WAN network is carried in OMP updates. Data policy affects
data traffic, and VPN membership controls the distribution of VPN routing
tables.
The basic Cisco SD-WAN Controller policies are:
· Control Policy
· Data Policy
· VPN Membership
Control Policy
Control policy, which is similar to standard routing policy, operates on
routes and routing information in the control plane of the overlay network.
Centralized control policy, which is provisioned on the Cisco SD-WAN
Controller, is the Cisco Catalyst SD-WAN technique for customizing network-
wide routing decisions that determine or influence routing paths through the
overlay network. Local control policy, which is provisioned on a Cisco vEdge
device, allows customization of routing decisions made by BGP and OSPF on
site-local branch or enterprise networks.
The routing information that forms the basis of centralized control policy is
carried in Cisco Catalyst SD-WAN route advertisements, which are transmitted
on the DTLS or TLS control connections between Cisco SD-WAN Controllers and
Cisco vEdge devices. Centralized control policy determines which routes and
route information are placed into the centralized route table on the Cisco SD-
WAN Controller and which routes and route information are advertised to the
Cisco vEdge devices in the overlay network. Basic centralized control policy
establishes traffic engineering, to set the path that traffic takes through the
network. Advanced control policy supports a number of features, including
service chaining, which allows Cisco vEdge devices in the overlay network to
share network services, such as firewalls and load balancers.
Centralized control policy affects the OMP routes that are distributed by the
Cisco SD-WAN Controller throughout the overlay network. The Cisco SD-WAN
Controller learns the overlay network topology from OMP routes that are
advertised by the Cisco vEdge devices over the OMP sessions inside the DTLS or
TLS connections between the Cisco SD-WAN Controller and the devices.
Three types of OMP routes carry the information that the Cisco SD-WAN
Controller uses to determine the network topology:
· Cisco Catalyst SD-WAN OMP routes, which are similar to IP route
advertisements, advertise routing information that the devices have learned
from their local site and the local routing protocols (BGP and OSPF) to the
Cisco SD-WAN Controller. These routes are also referred to as OMP routes or
Routes.
· TLOC routes carry overlay network-specific locator properties, including the
IP address of the interface that connects to the transport network, a link
color, which identifies a traffic flow, and the encapsulation type. (A TLOC,
or transport location, is the physical location where a Cisco vEdge device
connects to a transport network. It is identified primarily by IP address,
link color, and encapsulation, but a number of other properties are associated
with a TLOC.)
· Service routes advertise the network services, such as firewalls, available
to VPN members at the local site.
Figure 7: Control Policy Topology
By default, no centralized control policy is provisioned. In this bare,
unpolicied network, all OMP routes are placed in the Cisco SD-WAN Controller’s
route table as is, and the Cisco SD-WAN Controller advertises all OMP routes,
as is, to all the devices in the same VPN in the network domain.
By provisioning centralized control policy, you can affect which OMP routes
are placed in the Cisco SD-WAN Controller’s route table, what route
information is advertised to the devices, and whether the OMP routes are
modified before being put into the route table or before being advertised.
Cisco vEdge devices place all the route information learned from the Cisco SD-
WAN Controllers, as is, into their local route tables, for use when forwarding
data traffic. Because the Cisco SD-WAN Controller’s role is to be the
centralized routing system in the network, Cisco vEdge devices can never
modify the OMP route information that they learn from the Cisco SD-WAN
Controllers.
The Cisco SD-WAN Controller regularly receives OMP route advertisements from
the devices and, after recalculating and updating the routing paths through
the overlay network, it advertises new routing information to the devices.
The centralized control policy that you provision on the Cisco SD-WAN
Controller remains on the Cisco SD-WAN Controller and is never downloaded to
the devices. However, the routing decisions that result from centralized
control policy are passed to the devices in the form of route advertisements,
and so the effect of the control policy is reflected in how the devices direct
data traffic to its destination.
A type of centralized control policy called service chaining allows data
traffic to be routed through one or more network services, such as firewall,
load balancer, and intrusion detection and prevention (IDP) devices, en route
to its destination.
Localized control policy, which is provisioned locally on the devices, is
called route policy. This policy is similar to the routing policies that you
configure on a regular router, allowing you to modify the BGP and OSPF routing
behavior on the site-local network. Whereas centralized control policy affects
the routing behavior across the entire overlay network, route policy applies
only to routing at the local branch.
The Cisco Catalyst SD-WAN devices periodically exchange OMP updates, which
carry routing information pertaining to the overlay network. Two of the things
that these updates contain are Route attributes and Transport Locations (TLOC)
attributes.
The Cisco SD-WAN Controller uses these attributes from the OMP updates to
determine the topology and status of the overlay network, and installs routing
information about the overlay network into its route table. The controller
then advertises the overlay topology to the Cisco vEdge devices in the network
by sending OMP updates to them.
Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 21
Control Policy
Policy Overview
Control policy examines the Route and TLOC attributes carried in OMP updates
and can modify attributes that match the policy. Any changes that result from
control policy are applied directionally, either inbound or outbound.
The figure shows a control-policy named prefer_local that is configured on a
Cisco SD-WAN Controller and that is applied to Site 1 (via site-list list1)
and to Site 2 (via site-list list2).
Figure 8: Control Policy Topology
Device# apply-policy site-list list1 control-policy prefer_local in !
The upper left arrow shows that the policy is applied to Site 1–more
specifically, to site-list list1, which contains an entry for Site 1. The
command control-policy prefer_local in is used to apply the policy to OMP
updates that are coming in to the Cisco SD-WAN Controller from the Cisco vEdge
device, which is inbound from the perspective of the controller. The in
keyword indicates an inbound policy. So, for all OMP updates that the Site 1
devices send to the Cisco SD-WAN Controller, the “prefer_local” control policy
is applied before the updates reach the route table on the Cisco SD-WAN
Controller. If any Route or TLOC attributes in an OMP update match the policy,
any changes that result from the policy actions occur before the Cisco SD-WAN
Controller installs the OMP update information into its route table.
The route table on the Cisco SD-WAN Controller is used to determine the
topology of the overlay network. The Cisco SD-WAN Controller then distributes
this topology information, again via OMP updates, to all the devices in the
network. Because applying policy in the inbound direction influences the
information available to the Cisco SD-WAN Controller, it affects how the
controller determines the network topology and network reachability, by
modifying Route and TLOC attributes before they are placed in the
controller’s route table.
apply-policy site-list list2 control-policy prefer_local out !
On the right side of the figure above, the “prefer_local” policy is applied to
Site 2 via the control-policy prefer_local out command. The out keyword in the
command indicates an outbound policy, which means that the policy is applied
to OMP updates that the Cisco SD-WAN Controller is sending to the devices at
Site 2. Any changes that result from the policy occur after the information
from the Cisco SD-WAN Controller’s route table is placed into an OMP update
and before the devices receive the update. Again, note that the direction is
outbound from the perspective of the Cisco SD-WAN Controller.
An inbound policy affects the centralized route table on the Cisco SD-WAN
Controller and therefore has a broad effect on the route attributes advertised
to all the devices in the overlay network. In contrast, a control policy
applied in the outbound direction influences only the route tables on the
individual devices included in the site-list.
The same control policy (the prefer_local policy) is applied to both the
inbound and outbound OMP updates. However, the effects of applying the same
policy to inbound and outbound are different. The usage shown in the figure
illustrates the flexibility of the Cisco Catalyst SD-WAN control policy design
architecture and configuration.
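To make the directional semantics concrete, here is an added Python model (not Cisco code) of a controller that applies one policy inbound for one site-list and outbound for another, and of the forwarding choice each site then makes. The route attributes, site IDs, and the body of prefer_local (assumed here to match route site-id 1 and set preference 200, default-action accept) are constructed for the example; best-path selection assumes the highest preference wins and that ties are ECMP.

```python
"""Model of how the direction of a centralized control policy changes its effect.

Added illustration, not Cisco code: the OMP route attributes, site IDs and the
body of the "prefer_local" policy are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    origin_site: int   # site-id of the vEdge that advertised the route
    tloc: str          # system IP of the advertising TLOC
    preference: int    # OMP route preference; higher wins


# A control policy maps one OMP route to its (possibly modified) copy.
ControlPolicy = Callable[[OmpRoute], OmpRoute]


def prefer_local(route: OmpRoute) -> OmpRoute:
    """Assumed body for the page's prefer_local policy:
    match route site-id 1 -> set preference 200; default-action accept."""
    if route.origin_site == 1:
        return OmpRoute(route.prefix, route.origin_site, route.tloc, 200)
    return route  # default-action accept: attributes unchanged


@dataclass
class ApplyPolicy:
    site_list: Set[int]     # site IDs the policy is applied to
    policy: ControlPolicy
    direction: str          # "in" or "out", from the controller's perspective


class Controller:
    """Centralized route table plus directional policy application."""

    def __init__(self, applies: List[ApplyPolicy]):
        self.applies = applies
        self.table: List[OmpRoute] = []

    def receive(self, route: OmpRoute) -> None:
        """Inbound: the policy runs before the route enters the controller's
        table, so the modified attributes are what every other site learns."""
        for ap in self.applies:
            if ap.direction == "in" and route.origin_site in ap.site_list:
                route = ap.policy(route)
        self.table.append(route)

    def advertise_to(self, site: int) -> List[OmpRoute]:
        """Outbound: the policy runs on the copy placed into the OMP update
        for this site only; the controller's table itself is untouched."""
        update = [r for r in self.table if r.origin_site != site]
        for ap in self.applies:
            if ap.direction == "out" and site in ap.site_list:
                update = [ap.policy(r) for r in update]
        return update


def best_tlocs(update: List[OmpRoute], prefix: str) -> List[str]:
    """vEdge forwarding choice: highest preference wins; ties are ECMP."""
    cands = [r for r in update if r.prefix == prefix]
    if not cands:
        return []
    top = max(r.preference for r in cands)
    return sorted(r.tloc for r in cands if r.preference == top)


# Constructed overlay: Sites 1 and 3 both advertise 10.10.0.0/16.
ROUTES = [
    OmpRoute("10.10.0.0/16", 1, "1.1.1.1", 100),
    OmpRoute("10.10.0.0/16", 3, "3.3.3.3", 100),
    OmpRoute("10.20.0.0/16", 2, "2.2.2.2", 100),
]


def run(applies: List[ApplyPolicy]) -> Dict[int, List[str]]:
    """Return, for observing Sites 2 and 4, the TLOC(s) chosen for 10.10.0.0/16."""
    ctrl = Controller(applies)
    for r in ROUTES:
        ctrl.receive(r)
    return {s: best_tlocs(ctrl.advertise_to(s), "10.10.0.0/16") for s in (2, 4)}


if __name__ == "__main__":
    # Inbound on list1 changes what the controller installs, so every site
    # (including Site 4, which has no policy) prefers 1.1.1.1.
    print("in  on list1:", run([ApplyPolicy({1}, prefer_local, "in")]))
    # Outbound on list2 only changes Site 2's view; Site 4 still sees ECMP.
    print("out on list2:", run([ApplyPolicy({2}, prefer_local, "out")]))
```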
Data Policy
Data policy influences the flow of data traffic traversing the network based
either on fields in the IP header of packets or the router interface on which
the traffic is being transmitted or received. Data traffic travels over the
IPsec connections between Cisco vEdge devices, shown in purple in the adjacent
figure.
The Cisco Catalyst SD-WAN architecture implements two types of data policy:
· Centralized data policy controls the flow of data traffic based on the
source and destination addresses and ports and DSCP fields in the packet’s IP
header (referred to as a 5-tuple), and based on network segmentation and VPN
membership. These types of data policy are provisioned centrally, on the Cisco
SD-WAN Controller, and they affect traffic flow across the entire network.
· Localized data policy controls the flow of data traffic into and out of
interfaces and interface queues on a Cisco vEdge device. This type of data
policy is provisioned locally using access lists. It allows you to classify
traffic and map different classes to different queues. It also allows you to
mirror traffic and to police the rate at which data traffic is transmitted and
received.
By default, no centralized data policy is provisioned. The result is that all
prefixes within a VPN are reachable from anywhere in the VPN. Provisioning
centralized data policy allows you to apply a 6-tuple filter that controls
access between sources and destinations.
As with centralized control policy, you provision a centralized data policy on
the Cisco SD-WAN Controller, and that configuration remains on the Cisco SD-
WAN Controller. The effects of data policy are reflected in how the Cisco
vEdge devices direct data traffic to its destination. Unlike control policy,
however, centralized data policies are pushed to the devices in a read-only
fashion. They are not added to the router’s configuration file, but you can
view them from the CLI on the router.
With no access lists provisioned on a Cisco vEdge device, all data traffic is
transmitted at line rate and with equal importance, using one of the
interface’s queues. Using access lists, you can provision class of service,
which allows you to classify data traffic by importance, spread it across
different interface queues, and control the rate at which different classes of
traffic are transmitted. You can provision policing. You can also provision
packet mirroring.
Data policy examines fields in the headers of data packets, looking at the
source and destination addresses and ports, and the protocol and DSCP values,
and for matching packets, it can modify the next hop in a variety of ways or
apply a policer to the packets. Data policy is configured and applied on the
Cisco SD-WAN Controller, and then it is carried in OMP updates to the Cisco
vEdge devices in the site-list that the policy is
applied to. The match operation and any resultant actions are performed on the
devices as they transmit or receive data traffic.
In the Data Policy Topology figure, a data policy named “change_next_hop” is
applied to a list of sites that includes Site 3. The OMP update that the Cisco
SD-WAN Controller sends to the devices at Site 3 includes this policy
definition. When the device sends or receives data traffic that matches the
policy, it changes the next hop to the specified TLOC. Non-matching traffic is
forwarded to the original next-hop TLOC.
Figure 9: Data Policy Topology
In the apply-policy command for a data policy, specify a direction from the
perspective of the device. The “all” direction in the figure applies the
policy to incoming and outgoing data traffic transiting the tunnel interface.
You can limit the span of the policy to only incoming traffic with a data-
policy change_next_hop from-tunnel command or to only outgoing traffic with a
data-policy change_next_hop from-service command.
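The following added Python model (not Cisco code) shows how a vEdge device would evaluate a centralized data policy: a 6-tuple match per sequence, an accept action that rewrites the next-hop TLOC or a drop action that restricts a source, and the from-service / from-tunnel / all direction check applied from the device's perspective. The packets, prefixes, TLOC labels and the change_next_hop sequences are constructed for this example.

```python
"""Model of centralized data policy execution on a Cisco vEdge device.

Added illustration, not Cisco code. The packets, prefixes, TLOC labels and
the "change_next_hop" sequences below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    dscp: int


@dataclass
class Sequence:
    """One match/action sequence. A match field left as None means 'any'.
    action is 'accept' (optionally with set_tloc) or 'drop'."""
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None
    action: str = "accept"
    set_tloc: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """6-tuple match: src/dst prefix, src/dst port, protocol, DSCP."""
        return (
            (self.src_prefix is None or ip_address(p.src) in ip_network(self.src_prefix))
            and (self.dst_prefix is None or ip_address(p.dst) in ip_network(self.dst_prefix))
            and (self.proto is None or p.proto == self.proto)
            and (self.sport is None or p.sport == self.sport)
            and (self.dport is None or p.dport == self.dport)
            and (self.dscp is None or p.dscp == self.dscp)
        )


@dataclass
class DataPolicy:
    name: str
    sequences: List[Sequence]
    direction: str   # "from-service", "from-tunnel" or "all"


def forward(policy: DataPolicy, p: Packet, ingress: str,
            default_next_hop: str) -> Optional[str]:
    """Return the next hop used for p, or None if the policy drops it.

    ingress is the side the packet arrived on, from the device's point of
    view: "service" (site-local LAN) or "tunnel" (IPsec overlay)."""
    if policy.direction not in ("all", f"from-{ingress}"):
        return default_next_hop        # policy not applied in this direction
    for seq in policy.sequences:       # first matching sequence wins
        if seq.matches(p):
            if seq.action == "drop":
                return None
            return seq.set_tloc or default_next_hop
    return default_next_hop            # default-action accept: original next hop


# Constructed policy applied from-service (traffic leaving the site LAN):
#  - sources in 10.10.9.0/24 may not send traffic outside the site
#  - voice (DSCP 46) to 10.20.0.0/16 is steered to the MPLS TLOC
CHANGE_NEXT_HOP = DataPolicy(
    "change_next_hop",
    [
        Sequence(src_prefix="10.10.9.0/24", action="drop"),
        Sequence(dst_prefix="10.20.0.0/16", dscp=46, set_tloc="2.2.2.2:mpls"),
    ],
    "from-service",
)
DEFAULT_TLOC = "2.2.2.2:biz-internet"   # constructed original next-hop TLOC


def demo() -> Dict[str, Optional[str]]:
    """Evaluate a few constructed packets against CHANGE_NEXT_HOP."""
    voice = Packet("10.10.1.5", "10.20.3.7", 17, 40000, 5060, 46)
    data = Packet("10.10.1.5", "10.20.3.7", 6, 51000, 443, 0)
    blocked = Packet("10.10.9.20", "10.20.3.7", 6, 51001, 443, 0)
    return {
        "voice from LAN": forward(CHANGE_NEXT_HOP, voice, "service", DEFAULT_TLOC),
        "voice from tunnel": forward(CHANGE_NEXT_HOP, voice, "tunnel", DEFAULT_TLOC),
        "data from LAN": forward(CHANGE_NEXT_HOP, data, "service", DEFAULT_TLOC),
        "blocked source": forward(CHANGE_NEXT_HOP, blocked, "service", DEFAULT_TLOC),
    }


if __name__ == "__main__":
    for label, nh in demo().items():
        print(f"{label}: {nh}")
```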
VPN Membership Policy Operation
VPN membership policy, as the name implies, affects the VPN route tables that
are distributed to particular Cisco vEdge devices. In an overlay network with
no VPN membership policy, the Cisco Catalyst SD-WAN Controller pushes the
routes for all VPNs to all the devices. If your business usage model restricts
participation of specific devices in particular VPNs, a VPN membership policy
is used to enforce this restriction. The figure VPN Membership Topology
illustrates how VPN membership policy works. This topology has three Cisco
vEdge devices:
· The Cisco vEdge devices at Sites 1 and 2 service only VPN 2.
· The Cisco vEdge device at Site 3 services both VPN 1 and VPN 2.
In the figure, the device at Site 3 receives all route updates from the Cisco
SD-WAN Controller, because these updates are for both VPN 1 and VPN 2.
However, because the other Cisco vEdge devices service only VPN
2, it can filter the route updates sent to them, removing the routes associated
with VPN 1 and sending only the ones that apply to VPN 2.
Figure 10: VPN Membership Topology
Notice that here, direction is not set when applying VPN membership policy.
The Cisco SD-WAN Controller always applies this type of policy to the OMP
updates that it sends outside to the Cisco vEdge devices.
Configure and Execute Cisco SD-WAN Controller Policies
All Cisco SD-WAN Controller policies are configured on the Cisco vEdge
devices, using a combination of policy definition and lists. All Cisco SD-WAN
Controller policies are also applied on the Cisco vEdge devices, with a
combination of apply-policy and lists. However, where the actual Cisco SD-WAN
Controller policy executes depends on the type of policy, as shown in this
figure:
Figure 11: Cisco SD-WAN Controller Policy
For control policy and VPN membership policy, the entire policy configuration
remains on the Cisco SD-WAN Controller, and the actions taken as a result of
routes or VPNs that match a policy are performed on the Cisco SD-WAN
Controller. For the other three policy types–application-aware routing, cflowd
templates, and data policy–the policies are transmitted in OMP updates to the
Cisco vEdge devices, and any actions taken as a result of the policies are
performed on the devices.
Chapter 4
Centralized Policy
Note To achieve simplification and consistency, the Cisco SD-WAN solution has
been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN
Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following
component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN
Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to
Cisco Catalyst SD-WAN Validator, and Cisco vSmart to Cisco Catalyst SD-WAN
Controller. See the latest Release Notes for a comprehensive list of all the
component brand name changes. While we transition to the new names, some
inconsistencies might be present in the documentation set because of a phased
approach to the user interface updates of the software product.
The topics in this section provide overview information about the different
types of centralized policies, the components of centralized policies, and how
to configure centralized policies using Cisco SD-WAN Manager or the CLI.
· Overview of Centralized Policies, on page 27
· Configure Centralized Policies Using Cisco SD-WAN Manager, on page 28
· Configure Centralized Policies Using the CLI, on page 61
· Centralized Policies Configuration Examples, on page 64
· Verify Centralized Control Policies Configuration, on page 71
Overview of Centralized Policies
Centralized policies refer to policies that are provisioned on Cisco SD-WAN
Controllers, which are the centralized controllers in the Cisco Catalyst SD-
WAN overlay network.
Types of Centralized Policies
Centralized Control Policy
Centralized control policy applies to the network-wide routing of traffic by
affecting the information that is stored in the Cisco Catalyst SD-WAN
Controller’s route table and that is advertised to the Cisco vEdge devices.
The effects of centralized control policy are seen in how Cisco vEdge devices
direct the overlay network’s data traffic to its destination.
Note The centralized control policy configuration itself remains on the Cisco
Catalyst SD-WAN Controller and is never pushed to local devices.
Centralized Data Policy
Centralized data policy applies to the flow of data
traffic throughout the VPNs in the overlay network. These policies can permit
and restrict access based either on a 6-tuple match (source and destination IP
addresses and ports, DSCP fields, and protocol) or on VPN membership. These
policies are pushed to the selected Cisco vEdge devices.
Centralized Data Policy Based on Packet Header Fields
Policy decisions
affecting data traffic can be based on the packet header fields, specifically,
on the source and destination IP prefixes, the source and destination IP
ports, the protocol, and the DSCP. This type of policy is often used to modify
traffic flow in the network. Here are some examples of the types of control
that can be effected with a centralized data policy:
· Which set of sources are allowed to send traffic to any destination outside
the local site. For example, local sources that are rejected by such a data
policy can communicate only with hosts on the local network.
· Which set of sources are allowed to send traffic to a specific set of
destinations outside the local site. For example, local sources that match
this type of data policy can send voice traffic over one path and data traffic
over another.
· Which source addresses and source ports are allowed to send traffic to any
destination outside the local site or to a specific port at a specific
destination.
Configure Centralized Policies Using Cisco SD-WAN Manager
To configure a centralized policy, use the Cisco SD-WAN Manager policy
configuration wizard. The wizard consists of the following operations that
guide you through the process of creating and editing policy components:
· Create Groups of Interest: Create lists that group together related items
and that you call in the match or action components of a policy.
· Configure Topology and VPN Membership: Create the network structure to which
the policy applies.
· Configure Traffic Rules: Create the match and action conditions of a policy.
· Apply Policies to Sites and VPNs: Associate the policy with sites and VPNs
in the overlay network.
· Activate the centralized policy. For a centralized policy to take effect,
you must activate the policy.
To configure centralized policies using Cisco SD-WAN Manager, use the steps
identified in the procedures that follow this section.
Start the Policy Configuration Wizard
To start the policy configuration wizard:
1. From the Cisco SD-WAN Manager menu, choose Configuration > Policies.
2. Click Centralized Policy.
3. Click Add Policy.
The policy configuration wizard appears, and the Create Groups of Interest
window is displayed.
Configure Groups of Interest for Centralized Policy
In Create Groups of Interest, create new groups of list types as described in
the following sections to use in a centralized policy:
Configure Application
1. In the groups of interest list, click Application list type.
2. Click New Application List.
3. Enter a name for the list.
4. Choose either Application or Application Family.
Application can be the names of one or more applications, such as Third Party
Control, ABC News, Microsoft Teams, and so on. The Cisco vEdge devices support
about 2300 different applications. To list the supported applications, use the
? in the CLI. Application Family can be one or more of the following:
antivirus, application-service, audio_video, authentication, behavioral,
compression, database, encrypted, erp, file-server, file-transfer, forum,
game, instant-messaging, mail, microsoft-office, middleware, network-
management, network-service, peer-to-peer, printer, routing, security-service,
standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.
5. In the Select drop-down, in the ‘Search’ filter, select the required applications or application families.
6. Click Add.
A few application lists are preconfigured. You cannot edit or delete these lists.
· Microsoft_Apps: Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.
· Google_Apps: Includes Google applications, such as gmail, Google maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.
Configure Color
1. In the groups of interest list, click Color.
2. Click New Color List.
3. Enter a name for the list.
4. In the Select Color drop-down, in the ‘Search’ filter, select the required colors.
Colors can be: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
5. Click Add.
To configure multiple colors in a single list, you can select multiple colors
from the drop-down.
Configure Community
Table 6: Feature History
Feature Name: Ability to Match and Set Communities
Release Information: Cisco SD-WAN Release 20.5.1; Cisco IOS XE Catalyst SD-WAN Release 17.5.1a; Cisco vManage Release 20.5.1
Description: This feature lets you match and set communities using a control policy. Control policies are defined and applied on devices to manipulate communities. With this feature, you can match and assign single or multiple BGP community tags to your prefixes, based on which routing policies can be manipulated.
A community list is used to create groups of communities to use in a match
clause of a route map. A community list can be used to control which routes
are accepted, preferred, distributed, or advertised. You can also use a
community list to set, append, or modify the communities of a route.
1. In the group of interest list, click Community.
2. Click New Community List.
3. Enter a name for the community list.
4. Choose either Standard or Expanded.
· Standard community lists are used to specify communities and community numbers.
· Expanded community lists are used to filter communities using a regular
expression. Regular expressions are used to specify patterns to match
community attributes.
5. In the Add Community field, enter one or more data prefixes separated by
commas in any of the following formats:
· aa:nn: Autonomous System (AS) number and network number. Each number is a
2-byte value with a range from 1 to 65535.
· internet: Routes in this community are advertised to the internet community.
This community comprises all BGP-speaking networking devices.
· local-as: Routes in this community are not advertised outside the local AS
number.
· no-advertise: Attaches the NO_ADVERTISE community to routes. Routes in this
community are not advertised to other BGP peers.
· no-export: Attaches the NO_EXPORT community to routes. Routes in this
community are not advertised outside the local AS or outside a BGP
confederation boundary.
To configure multiple BGP communities in a single list, include multiple
community options, specifying one community in each option.
6. Click Add.
Configure Data Prefix
1. In the Groups of Interest list, click Data Prefix.
2. Click New Data Prefix List.
3. Enter a name for the list.
4. Choose either IPv4 or IPv6.
5. In the Add Data Prefix field, enter one or more data prefixes separated by commas.
6. Click Add.
Configure Policer
1. In the groups of interest list, click Policer.
2. Click New Policer List.
3. Enter a name for the list.
4. Define the policing parameters:
a. In the Burst field, enter the maximum traffic burst size, a value from 15,000 to 10,000,000 bytes.
b. In the Exceed field, select the action to take when the burst size or traffic rate is exceeded. It can be drop, which sets the packet loss priority (PLP) to low. You can use the remark action to set the packet loss priority (PLP) to high.
c. In the Rate field, enter the maximum traffic rate, a value from 0 through 2^64 - 1 bits per second (bps).
5. Click Add.
Configure Prefix
1. In the groups of interest list, click Prefix.
2. Click New Prefix List.
3. Enter a name for the list.
4. In the Add Prefix field, enter one or more data prefixes separated by commas.
5. Click Add.
Configure Site
1. In the groups of interest list, click Site.
2. Click New Site List.
3. Enter a name for the list.
4. In the Add Site field, enter one or more site IDs separated by commas.
For example, 100 or 200 separated by commas, or a range within 1-4294967295.
5. Click Add.
Configure App Probe Class
1. In the groups of interest list, click App Probe Class.
2. Click New App Probe Class.
3. Enter the probe class name in the Probe Class Name field.
4. Select the required forwarding class from the Forwarding Class drop-down list.
5. In the Entries pane, select the appropriate color from the Color drop-down list and enter the DSCP value. You can add more entries if needed by clicking on the + symbol.
6. Click Save.
Configure SLA Class
1. In the groups of interest list, click SLA Class.
2. Click New SLA Class List.
3. Enter a name for the list.
4. Define the SLA class parameters:
a. In the Loss field, enter the maximum packet loss on the connection, a value from 0 through 100 percent.
b. In the Latency field, enter the maximum packet latency on the connection, a value from 0 through 1,000 milliseconds.
c. In the Jitter field, enter the maximum jitter on the connection, a value from 1 through 1,000 milliseconds.
d. Select the required app probe class from the App Probe Class drop-down list.
5. (Optional) Select the Fallback Best Tunnel checkbox to enable the best tunnel criteria. This optional field is available from Cisco SD-WAN Release 20.5.1 to pick the best path or color from the available colors when the SLA is not met. When this option is selected, you can choose the required criteria from the drop-down. The criteria are a combination of one or more of the loss, latency, and jitter values.
6. Select the Criteria from the drop-down list. The available criteria are:
· Latency
· Loss
· Jitter
· Latency, Loss
· Latency, Jitter
· Loss, Latency
· Loss, Jitter
· Jitter, Latency
· Jitter, Loss
· Latency, Loss, Jitter
· Latency, Jitter, Loss
· Loss, Latency, Jitter
· Loss, Jitter, Latency
· Jitter, Latency, Loss
· Jitter, Loss, Latency
7. Enter the Loss Variance (%), Latency Variance (ms), and the Jitter
Variance (ms) for the selected criteria.
8. Click Add.
Configure TLOC
1. In the groups of interest list, click TLOC.
2. Click New TLOC List. The TLOC List popup displays.
3. Enter a name for the list.
4. In the TLOC IP field, enter the system IP address for the TLOC.
5. In the Color field, select the TLOC’s color.
6. In the Encap field, select the encapsulation type.
7. In the Preference field, optionally select a preference to associate with the TLOC. The range is 0 to 4294967295.
8. Click Add TLOC to add another TLOC to the list.
9. Click Save.
Note To use the set tloc and set tloc-list commands, you must use the set-vpn
command.
For each TLOC, specify its address, color, and encapsulation. Optionally, set
a preference value (from 0 to 2^32 - 1) to associate with the TLOC address.
When you apply a TLOC list in an action accept condition and multiple TLOCs
are available that satisfy the match conditions, the TLOC with the highest
preference value is used. If two or more TLOCs share the highest preference
value, traffic is sent among them in an ECMP fashion.
Configure VPN
1. In the groups of interest list, click VPN.
2. Click New VPN List.
3. Enter a name for the list.
4. In the Add VPN field, enter one or more VPN IDs separated by commas. For example, 100 or 200 separated by commas, or a range within 1-65530.
5. Click Add.
Configure Region
Minimum release: Cisco vManage Release 20.7.1
To configure a list of regions for Multi-Region Fabric (formerly Hierarchical SD-WAN), ensure that Multi-Region Fabric is enabled in Administration > Settings.
1. In the groups of interest list, click Region.
2. Click New Region List.
3. In the Region List Name field, enter a name for the region list.
4. In the Add Region field, enter one or more regions, separated by commas, or enter a range. For example, specify regions 1, 3 with commas, or a range 1-4.
5. Click Add.
Click Next to move to Configure Topology and VPN Membership in the wizard.
Integrating WAN Insight (WANI) into Cisco SD-WAN Manager
Table 7: Feature History
Feature Name: WAN Insight Policy Automation
Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a; Cisco Catalyst SD-WAN Manager Release 20.12.1
Description: With this feature, you can apply the recommendations that are available on Cisco SD-WAN Analytics to Cisco SD-WAN Manager AAR policy and view the applied recommendations on Cisco SD-WAN Manager.
Cisco SD-WAN Analytics is a cloud-based analytics service for Cisco Catalyst SD-WAN offering comprehensive insights into application and network performance. The analytics service is available with Cisco DNA Advantage and Cisco DNA Premier software subscriptions. Cisco SD-WAN Analytics collects and stores metadata about traffic flows in its cloud storage and produces analytics based on this collected data. Predictive Path Analytics generates recommendations for path based on long term insights. These recommendations need to be converted into policy created manually on Cisco SD-WAN Manager and then applied to the network.
Predictive Path Recommendations
The Predictive Path Recommendations feature allows you to apply active
recommendations to the actionable centralized AAR policy to influence the
forwarding decisions in the Cisco Catalyst SD-WAN network. The recommendations
are applied as a part of the AAR policy and then pushed to Cisco SD-WAN
Controller. The Predictive Path Recommendations are applied to the SD-WAN
network as TLOC preferences in AAR policies.
For more information about using Predictive Path Recommendations, see
Predictive Path Recommendations.
Apply Predictive Path Recommendations
When there are predictive path recommendations in Cisco SD-WAN Analytics,
perform the following steps to apply the recommendations to the Application-
Aware routing policies:
1. In the Cisco SD-WAN Manager menu, click the bell icon at the top-right
corner. The Notifications pane is displayed with active alarms.
2. If there are any Active Recommendations in the Notifications pane, click
on the site to view the recommendations. Alternatively, you can view from the
Cisco SD-WAN Manager menu, click Analytics > Predictive Networks.
3. Click Active Recommendations, and then click Apply.
4. In the Apply Predictive Path Recommendations window, click Proceed to
Apply to apply new recommendations.
You can review the applied recommendations in the Cisco SD-WAN Manager
generated configs and push the recommendations to Cisco SD-WAN Controller.
Points to Consider
· Cisco SD-WAN Manager pulls recommendations when you log in. If you want to
update the recommendations, refresh the page or log in again.
· Cisco SD-WAN Manager supports recommendations only for application lists
that are associated with some AAR policy. If no AAR policy exists for a given
application list, the recommendations are not valid and policy processing is
not done.
· WAN Insights generates recommendations for standard App Groups even when the
AAR Policy is not defined. However, the policy automation is not done since
AAR policy is not defined.
· When, for the same site and application list, WANI generates a terminate for
a recommendation that is already applied and also generates another
recommendation, the recommendations are applied based on their preferences.
· Application of WANI recommendations for Cloud OnRamp for SaaS is not
supported.
Predictive Path Recommendations
WAN Insights (WANI) allows you to track the performance of your current
network setup and tune your policies and paths to achieve the best user
experience. Predictive path recommendations influence AAR policy TLOC
preferences.
WAN Insights is a predictive network optimization tool that uses a statistical
model to examine historical data from Cisco Catalyst SD-WAN, in order to find
the best paths for application traffic. WANI analyzes the telemetry data
exported during application traffic flows, and then generates long-term
recommendations for paths that would reduce the probability of experiencing an
SLA violation (for example, low-quality performance).
Predictive Networks associates an SLA with each application list that is
defined in the AAR policy in order to detect SLA violations for the
applications. This is used to calculate a probability of SLA violation on a
given site and TLOC and to generate recommendations. For more information about
configuring group of interest for data policies, see Configure Groups of
Interest for Centralized Policy.
Configure Topology and VPN Membership
When you first open the Configure Topology and VPN Membership window, the
Topology window is displayed by default. To configure topology and VPN
membership:
Hub-and-Spoke
1. In the Add Topology drop-down, select Hub-and-Spoke.
2. Enter a name for the hub-and-spoke policy.
3. Enter a description for the policy.
4. In the VPN List field, select the VPN list for the policy.
5. In the left pane, click Add Hub-and-Spoke. A hub-and-spoke policy component containing the text string My Hub-and-Spoke is added in the left pane.
6. Double-click the My Hub-and-Spoke text string, and enter a name for the policy component.
7. In the right pane, add hub sites to the network topology:
a. Click Add Hub Sites.
b. In the Site List field, select a site list for the policy component.
c. Click Add.
d. Repeat these steps to add more hub sites to the policy component.
8. In the right pane, add spoke sites to the network topology:
a. Click Add Spoke Sites.
b. In the Site List field, select a site list for the policy component.
c. Click Add.
d. Repeat these steps to add more spoke sites to the policy component.
9. Repeat steps as needed to add more components to the hub-and-spoke policy.
10. Click Save Hub-and-Spoke Policy.
Mesh
1. In the Add Topology drop-down, select Mesh.
2. Enter a name for the mesh region policy component.
3. Enter a description for the mesh region policy component.
Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20 36
Centralized Policy
Configure Topology and VPN Membership
4. In the VPN List field, select the VPN list for the policy. 5. Click New
Mesh Region. 6. In the Mesh Region Name field, enter a name for the individual
mesh region. 7. In the Site List field, select one or more sites to include in
the mesh region. 8. Click Add. 9. Repeat these steps to add more mesh regions
to the policy. 10. Click Save Mesh Topology.
Custom Control (Route & TLOC): Centralized route control policy (for matching OMP routes)
1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
2. Enter a name for the control policy.
3. Enter a description for the policy.
4. In the left pane, click Sequence Type. The Add Custom Control Policy popup displays.
5. Select Route. A policy component containing the text string Route is added in the left pane.
6. Double-click the Route text string, and enter a name for the policy component.
7. In the right pane, click Sequence Rule. The Match/Actions box opens, and Match is selected by default.
8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired.
9. Click Actions. The Reject option is selected by default. To configure actions to perform on accepted routes, click the Accept option. Then select the action or enter a value for the action.
10. Click Save Match and Actions.
11. Click Sequence Rule to configure more sequence rules, as desired. Drag and drop to re-order them.
12. Click Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
13. Click Save Control Policy.
Custom Control (Route & TLOC): Centralized TLOC control policy (for matching TLOC routes)
1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
2. Enter a name for the control policy.
3. Enter a description for the policy.
4. In the left pane, click Sequence Type. The Add Custom Control Policy popup displays.
5. Select TLOC. A policy component containing the text string TLOC is added in the left pane.
6. Double-click the TLOC text string, and enter a name for the policy component.
7. In the right pane, click Sequence Rule. The Match/Actions box opens, and Match is selected by default.
8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired.
9. Click Actions. The Reject option is selected by default. To configure actions to perform on accepted TLOCs, click the Accept option. Then select the action or enter a value for the action.
10. Click Save Match and Actions.
11. Click Sequence Rule to configure more sequence rules, as desired. Drag and drop to re-order them.
12. Click Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
13. Click Save Control Policy.
A centralized control policy contains sequences of match-action pairs. The sequences are numbered to set the order in which a route or TLOC is evaluated against the match-action pairs in the policy; the first sequence that matches determines the action.
Note A sequence can have either match app-list or match dns-app-list configured, but not both. Configuring both match app-list and dns-app-list in the same policy is not supported. NAT DIA fallback and DNS redirection are not supported at the same time in a data policy.
Each sequence in a centralized control policy can contain one match condition (either for a route or for a TLOC) and one action condition.
Default Action
If a route or TLOC does not match any of the match conditions in a centralized control policy, the default action is applied to it. By default, the route or TLOC is rejected. If a data packet does not match any of the match conditions in a data policy, the default action is applied to the packet. By default, the data packet is dropped.
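The following configuration is an added example written for this section; it is not taken from the original guide or from a Cisco sample. It shows the controller (vSmart) CLI equivalent of the hub-and-spoke topology and default action described above: the site IDs, list names, hub system IP address, colors and preference values are assumed values used only for illustration.

```cisco
policy
 lists
  site-list HUBS
   site-id 100
  !
  site-list SPOKES
   site-id 200-299
  !
  vpn-list SERVICE-VPNS
   vpn 10
  !
  tloc-list HUB-TLOCS
   tloc 10.0.0.100 color mpls encap ipsec preference 200
   tloc 10.0.0.100 color biz-internet encap ipsec preference 100
  !
 !
 control-policy HUB-AND-SPOKE
  sequence 10
   match tloc
    site-list HUBS
   !
   action accept
   !
  !
  sequence 20
   match route
    site-list HUBS
    vpn-list SERVICE-VPNS
   !
   action accept
   !
  !
  sequence 30
   match route
    site-list SPOKES
    vpn-list SERVICE-VPNS
   !
   action accept
    set
     tloc-list HUB-TLOCS
    !
   !
  !
  default-action reject
 !
!
apply-policy
 site-list SPOKES
  control-policy HUB-AND-SPOKE out
 !
!
```

Sequence 10 accepts the hub TLOCs explicitly; without it, default-action reject would filter the hub's TLOC routes out of what the controller advertises to the spokes, and the spokes could not bring up tunnels to the hub. Sequence 30 rewrites spoke routes so that their next hop is the hub TLOC list (the higher-preference MPLS TLOC is used while it is available), which gives spoke-to-spoke reachability through the hub; remove it to isolate spokes from each other entirely. Leaving the default action at reject is what enforces the topology: with default-action accept, every route and TLOC that no sequence matches is advertised unchanged and the spokes end up in a full mesh. Note also that routes in VPNs outside SERVICE-VPNS match no sequence and are rejected, so the VPN list must cover every VPN that is meant to be reachable. The policy is applied outbound (out) to the spoke site list, so the filtering is done on the controller's advertisements to the spokes.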
Import Existing Topology
1. In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup appears.
2. Select the type of topology.
3. For Policy Type, choose the name of the topology you want to import.
4. In the Policy drop-down, select a policy to import.
Note The policy configuration wizard does not let you import an already configured policy as it does for the other kinds of centralized policies (data, control, or application-aware routing). The policy must be configured in its entirety.
5. Click Import.
Click Next to move to Configure Traffic Rules in the wizard.
Create a VPN Membership Policy
1. In the Specify your network topology area, click VPN Membership.
2. Click Add VPN Membership Policy.
Note You can add only one VPN membership policy at a time, therefore all site lists and VPN lists must be included in a single policy.
The Add VPN Membership Policy popup displays.
3. Enter a name and description for the VPN membership policy.
4. In the Site List field, select the site list.
5. In the VPN Lists field, select the VPN list.
6. Click Add List to add another VPN to the VPN membership.
7. Click Save.
8. Click Next to move to Configure Traffic Rules in the wizard.
Configure Traffic Rules
Table 8: Feature History
Feature Name: Policy Matching with ICMP Message
Release Information: Cisco SD-WAN Release 20.4.1, Cisco vManage Release 20.4.1
Description: This feature provides support for a new match condition that you can use to specify a list of ICMP messages for centralized data policies, localized data policies, and Application-Aware Routing policies.
When you first open the Configure Traffic Rules window, Application-Aware Routing is selected by default.
You can also view the application-aware routing (AAR) policies that have already been created, listed on the page. The list shows information about each policy such as its Name, Type, Mode, Description, Updated By, and Last Updated details.
Note Refer to the Mode column for the security status of a policy. The status indicates whether the policy is used in unified security or not. The mode status applies only to security policies and is not relevant to centralized or localized policies.
For more information on configuring traffic rules for the Cisco Catalyst SD-WAN Application Intelligence Engine (SAIE) flow, see Cisco Catalyst SD-WAN Application Intelligence Engine Flow.
Note In Cisco vManage Release 20.7.1 and earlier releases, the SAIE flow is
called the deep packet inspection (DPI) flow.
To configure traffic rules for a centralized data policy:
1. Click Traffic Data.
2. Click the Add Policy drop-down.
3. Click Create New. The Add Data Policy window displays.
4. Enter a name and a description for the data policy.
5. In the right pane, click Sequence Type. The Add Data Policy popup opens.
6. Select the type of data policy you want to create: Application Firewall, QoS, Service Chaining, Traffic Engineering, or Custom.
Note If you want to configure multiple types of data policies for the same match condition, you need to configure a custom policy.
7. A policy sequence containing the text string Application Firewall, QoS, Service Chaining, Traffic Engineering, or Custom is added in the left pane.
8. Double-click the text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane.
9. In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.
Match Condition: None (match all packets)
Procedure: Do not specify any match conditions.

Match Condition: Applications/Application Family List
Procedure:
a. In the Match conditions, click Applications/Application Family List.
b. In the drop-down, select the application family.
c. To create an application list:
   1. Click New Application List.
   2. Enter a name for the list.
   3. Click Application to create a list of individual applications. Click Application Family to create a list of related applications.
   4. In the Select Application drop-down, select the desired applications or application families.
   5. Click Save.

Match Condition: Destination Data Prefix
Procedure:
a. In the Match conditions, click Destination Data Prefix.
b. To match a list of destination prefixes, select the list from the drop-down.
c. To match an individual destination prefix, enter the prefix in the Destination: IP Prefix field.

Match Condition: Destination Port
Procedure:
a. In the Match conditions, click Destination Port.
b. In the Destination Port field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Match Condition: DNS Application List
Procedure: Add an application list to enable split DNS.
a. In the Match conditions, click DNS Application List.
b. In the drop-down, select the application list.

Match Condition: DNS
Procedure: Specify the direction in which split DNS traffic is processed.
a. In the Match conditions, click DNS.
b. In the drop-down, select Request to process DNS requests for the DNS applications, and select Response to process DNS responses for the applications.

Match Condition: DSCP
Procedure:
a. In the Match conditions, click DSCP.
b. In the DSCP field, type the DSCP value, a number from 0 through 63.

Match Condition: Packet Length
Procedure:
a. In the Match conditions, click Packet Length.
b. In the Packet Length field, type the length, a value from 0 through 65535.

Match Condition: PLP
Procedure:
a. In the Match conditions, click PLP to set the Packet Loss Priority.
b. In the PLP drop-down, select Low or High. To set the PLP to High, apply a policer that includes the exceed remark option.

Match Condition: Protocol
Procedure:
a. In the Match conditions, click Protocol.
b. In the Protocol field, type the Internet Protocol number, a number from 0 through 255.

Match Condition: ICMP Message
Procedure: To match ICMP messages, in the Protocol field, set the Internet Protocol number to 1 (ICMP), to 58 (ICMPv6), or to both.
Note This field is available from Cisco SD-WAN Release 20.4.1 and Cisco vManage Release 20.4.1.

Match Condition: Source Data Prefix
Procedure:
a. In the Match conditions, click Source Data Prefix.
b. To match a list of source prefixes, select the list from the drop-down.
c. To match an individual source prefix, enter the prefix in the Source field.

Match Condition: Source Port
Procedure:
a. In the Match conditions, click Source Port.
b. In the Source field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Match Condition: TCP
Procedure:
a. In the Match conditions, click TCP.
b. In the TCP field, syn is the only option available.
10. For QoS and Traffic Engineering data policies: From the Protocol drop-down list, select IPv4 to apply the policy only to the IPv4 address family, IPv6 to apply the policy only to the IPv6 address family, or Both to apply the policy to the IPv4 and IPv6 address families.
11. To select one or more Match conditions, click its box and set the values as described.
Note Not all match conditions are available for all policy sequence types.
12. To select actions to take on matching data traffic, click the Actions box.
13. To drop matching traffic, click Drop. The available policy actions are listed on the right side.
14. To accept matching traffic, click Accept. The available policy actions are listed on the right side.
15. Set the policy action as described.
Note Not all actions are available for all match conditions.
Note If an IPv4 packet is a non-initial fragment of a UDP or TCP datagram, it carries no Layer 4 port information, because the UDP or TCP header is present only in the first fragment. For such fragments the destination-port and source-port match conditions are ignored, and the sequence is evaluated on its remaining conditions only.
In the following example, all UDP packets to destination port 161 are dropped, and so is any other IPv4 packet whose protocol field is 17 and whose fragment-offset field is non-zero, whatever port the original datagram was addressed to.
policy
 app-visibility
 access-list SDWAN_101
  sequence 100
   match
    destination-port 161
    protocol 17
   !
   action drop
  !
 !
!
Action Condition: Counter
Description: Count matching data packets.
Procedure:
a. In the Action conditions, click Counter.
b. In the Counter Name field, enter the name of the file in which to store packet counters.

Action Condition: DSCP
Description: Assign a DSCP value to matching data packets.
Procedure:
a. In the Action conditions, click DSCP.
b. In the DSCP field, type the DSCP value, a number from 0 through 63.

Action Condition: Forwarding Class
Description: Assign a forwarding class to matching data packets.
Procedure:
a. In the Action conditions, click Forwarding Class.
b. In the Forwarding Class field, type the class value, which can be up to 32 characters long.

Action Condition: Log
Description: Minimum release: Cisco vManage Release 20.11.1 and Cisco IOS XE Release 17.11.1a.
Procedure:
a. In the Action conditions, click Log to enable logging.
When a data policy (DP), AAR policy, or ACL sequence is configured with the log action, matching packets generate logs that are sent to syslog. Because of the global log-rate-limit, not every matching packet is logged: a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.

Action Condition: Policer
Description: Apply a policer to matching data packets.
Procedure:
a. In the Action conditions, click Policer.
b. In the Policer drop-down field, select the name of a policer.
Action Condition: Loss Correction
Description: Apply loss correction to matching data packets. Forward Error Correction (FEC) recovers lost packets on a link by sending redundant data, enabling the receiver to correct errors without the need to request retransmission of data. FEC is supported only for IPsec tunnels; it is not supported for GRE tunnels.
Procedure:
a. In the Action conditions, click Loss Correction.
b. In the Loss Correction field, select FEC Adaptive, FEC Always, or Packet Duplication.
· FEC Adaptive: Corresponding packets are subjected to FEC only if the tunnels that they go through have been deemed unreliable based on measured loss. Adaptive FEC starts to work at 2% packet loss. If you choose FEC Adaptive, an additional field, Loss Threshold, displays that allows you to specify the packet loss threshold for automatically enabling FEC; you can specify a loss threshold of 1 to 5%, and the default packet loss threshold is 2%. In releases that do not display the Loss Threshold field, the 2% value is hard-coded and is not configurable.
· FEC Always: Corresponding packets are always subjected to FEC.
· Packet Duplication: Sends duplicate packets over a single tunnel. If more than one tunnel is available, duplicated packets are sent over the tunnel with the best parameters.
Click Save Match and Actions.
16. Create additional sequence rules as desired. Drag and drop to re-arrange them.
17. Click Save Data Policy.
18. Click Next to move to Apply Policies to Sites and VPNs in the wizard.
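The following configuration is an added example written for this section, not taken from the original guide or from a Cisco sample. It shows the CLI form of a centralized data policy built from the match conditions and actions above: a split-DNS redirect with a counter, a narrow accept for SNMP from a management prefix, a counted drop for all other SNMP, and an explicit default action, applied in both directions to the branch sites. All list names, site IDs, prefixes, the application family and the DNS server address are assumed values.

```cisco
policy
 lists
  site-list BRANCHES
   site-id 200-299
  !
  vpn-list SERVICE-VPNS
   vpn 10
  !
  app-list CORP-DNS-APPS
   app-family web
  !
  data-prefix-list MGMT-HOSTS
   ip-prefix 10.10.0.0/24
  !
 !
 data-policy BRANCH-DATA
  vpn-list SERVICE-VPNS
   sequence 10
    match
     dns-app-list CORP-DNS-APPS
     dns request
    !
    action accept
     count DNS-REQ-REDIRECTED
     redirect-dns 10.10.0.53
    !
   !
   sequence 20
    match
     dns response
    !
    action accept
     redirect-dns host
    !
   !
   sequence 30
    match
     source-data-prefix-list MGMT-HOSTS
     protocol 17
     destination-port 161
    !
    action accept
     count SNMP-FROM-MGMT
    !
   !
   sequence 40
    match
     protocol 17
     destination-port 161
    !
    action drop
     count SNMP-DROPPED
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  data-policy BRANCH-DATA all
 !
!
```

Sequences are evaluated in order and the first match wins, so the management accept (sequence 30) must precede the general drop (sequence 40). Two caveats follow from the text above. First, the default action of a data policy is drop, so a policy that lists only the traffic it cares about silently discards everything else as soon as it is applied; the example sets default-action accept deliberately and relies on explicit drop sequences instead. Second, because destination-port is ignored for non-initial IPv4 fragments, sequence 40 drops every fragmented UDP packet from a non-management source, not only SNMP, so legitimate fragmented UDP (large DNS responses, for example) is discarded as well; watch the SNMP-DROPPED counter before trusting such a rule in production. The redirect-dns pair follows the guide's requirement that a DNS server address is set on the request sequence and redirect-dns host on the response sequence.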
Match Parameters – Control Policy
For OMP and TLOC routes, you can match the following attributes:
Match Condition: Color List
Description: One or more colors. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red and silver.
Match Condition: Community List
Description: List of one or more BGP communities. In the Community List field, you can specify:
· aa:nn: AS number and network number. Each number is a 2-byte value with a range from 1 to 65535.
· internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices.
· local-as: Routes in this community are not advertised outside the local AS.
· no-advertise: Attach the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.
· no-export: Attach the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS or outside a BGP confederation boundary.
To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.

Match Condition: Types
Description: Specifies the community type. Choose Standard to specify communities and community numbers, or Expanded to filter communities using a regular expression. Regular expressions are used to specify patterns to match community attributes.

Match Condition: OMP Tag
Description: Tag value associated with the route or prefix in the routing database on the device. The range is 0 through 4294967295.

Match Condition: Origin
Description: Protocol from which the route was learned.

Match Condition: Originator
Description: IP address from which the route was learned.
Match Condition: Path Type
Description: In a Hierarchical SD-WAN architecture, match a route by its path type, which can be one of the following:
· Hierarchical Path: A route that includes hops from an access region to a border router, through region 0, to another border router, then to an edge router in a different access region.
· Direct Path: A direct path route from one edge router to another edge router.
· Transport Gateway Path: A route that is re-originated by a router that has transport gateway functionality enabled.
Note This option is available beginning with Cisco vManage Release 20.8.1.

Match Condition: Preference
Description: How preferred a prefix is. This is the preference value that the route or prefix has in the local site, that is, in the routing database on the device. A higher preference value is more preferred. The range is 0 through 255.

Match Condition: Prefix List
Description: One or more prefixes. Specifies the name of a prefix list.

Match Condition: Site (individual site identifier; not available in Cisco SD-WAN Manager)
Description: Individual site identifier. The range is 0 through 4294967295.

Match Condition: Site
Description: One or more overlay network site identifiers.

Match Condition: Region
Description: Region defined for Hierarchical SD-WAN. The range is 1 to 63.
Note This option is available beginning with Cisco vManage Release 20.7.1.

Match Condition: Role
Description: In a Hierarchical SD-WAN architecture, match by the device type, which can be Border Router or Edge Router.
Note This option is available beginning with Cisco vManage Release 20.8.1.

Match Condition: TLOC
Description: Individual TLOC address.
Note To use the set tloc and set tloc-list commands, you must use the set-vpn command.
Match Condition: VPN
Description: Individual VPN identifier. The range is 0 through 65535.

Match Condition: Carrier
Description: Carrier for the control traffic. Values are: default, carrier1 through carrier8.

Match Condition: Domain ID
Description: Domain identifier associated with a TLOC. The range is 0 through 4294967295.

Match Condition: OMP Tag
Description: Tag value associated with the TLOC route in the route table on the device. The range is 0 through 4294967295.

Match Condition: Site
Description: Individual site identifier, or one or more overlay network site identifiers. The range is 0 through 4294967295.
In the CLI, you configure the OMP route attributes to match with the policy control-policy sequence match route command, and you configure the TLOC attributes to match with the policy control-policy sequence match tloc command.
Match Parameters – Data Policy
A centralized data policy can match IP prefixes and fields in the IP headers, as well as applications. You can also enable split DNS. Each sequence in a policy can contain one or more match conditions.
Table 9:
Match Condition: Omit
Description: Match all packets.

Match Condition: Applications/Application Family List
Description: Applications or application families.

Match Condition: Destination Data Prefix
Description: Group of destination prefixes, or an individual IP prefix and prefix length.

Match Condition: Destination Port
Description: Destination port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Match Condition: Destination Region
Description: Choose one of the following:
· Primary: Match traffic if the destination device is in the same primary region (also called access region) as the source. This traffic reaches the destination using a multi-hop path, through the core region.
· Secondary: Match traffic if the destination device is not in the same primary region as the source but is within the same secondary region as the source. This traffic can reach the destination using a direct tunnel, as described for secondary regions.
· Other: Match traffic if the destination device is not in the same primary region or secondary region as the source. This traffic requires a multi-hop path from the source to the destination.
Note Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a.

Match Condition: DNS Application List
Description: Enables split DNS, to resolve and process DNS requests and responses on an application-by-application basis. Name of an app-list. This list specifies the applications whose DNS requests are processed.

Match Condition: DNS
Description: Specify the direction in which to process DNS packets. To process DNS requests sent by the applications (for outbound DNS queries), specify dns request. To process DNS responses returned from DNS servers to the applications, specify dns response.

Match Condition: DSCP
Description: Specifies the DSCP value.

Match Condition: Packet Length
Description: Specifies the packet length. The range is 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]).

Match Condition: Packet Loss Priority (PLP)
Description: Specifies the packet loss priority. By default, packets have a PLP value of low. To set the PLP value to high, apply a policer that includes the exceed remark option.

Match Condition: Protocol
Description: Specifies the Internet protocol number. The range is 0 through 255.

Match Condition: ICMP Message
Description: For Protocol IPv4, when you enter a Protocol value of 1, the ICMP Message field displays, where you can select an ICMP message to apply to the data policy. Likewise, the ICMP Message field displays for Protocol IPv6 when you enter a Protocol value of 58. When you select Protocol as Both, the ICMP Message or ICMPv6 Message field displays.
Note This field is available from Cisco SD-WAN Release 20.4.1 and Cisco vManage Release 20.4.1.

Match Condition: Source Data Prefix
Description: Specifies the group of source prefixes or an individual source prefix.

Match Condition: Source Port
Description: Specifies the source port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Match Condition: TCP Flag
Description: Specifies the TCP flag, syn.

Match Condition: Traffic To
Description: In a Multi-Region Fabric architecture, match border router traffic flowing to the access region that the border router is serving, the core region, or a service VPN.
Note Minimum release: Cisco vManage Release 20.8.1.
Table 10: ICMP Message Types/Codes and Corresponding Enumeration Values
Type  Code  Enumeration
0     0     echo-reply
3           unreachable
3     0     net-unreachable
3     1     host-unreachable
3     2     protocol-unreachable
3     3     port-unreachable
3     4     packet-too-big
3     5     source-route-failed
3     6     network-unknown
3     7     host-unknown
3     8     host-isolated
3     9     dod-net-prohibited
3     10    dod-host-prohibited
3     11    net-tos-unreachable
3     12    host-tos-unreachable
3     13    administratively-prohibited
3     14    host-precedence-unreachable
3     15    precedence-unreachable
5           redirect
5     0     net-redirect
5     1     host-redirect
5     2     net-tos-redirect
5     3     host-tos-redirect
8     0     echo
9     0     router-advertisement
10    0     router-solicitation
11          time-exceeded
11    0     ttl-exceeded
11    1     reassembly-timeout
12          parameter-problem
12    0     general-parameter-problem
12    1     option-missing
12    2     no-room-for-option
13    0     timestamp-request
14    0     timestamp-reply
40    0     photuris
42    0     extended-echo
43          extended-echo-reply
43    0     echo-reply-no-error
43    1     malformed-query
43    2     interface-error
43    3     table-entry-error
43    4     multiple-interface-match

Table 11: ICMPv6 Message Types/Codes and Corresponding Enumeration Values
Type  Code  Enumeration
1           unreachable
1     0     no-route
1     1     no-admin
1     2     beyond-scope
1     3     destination-unreachable
1     4     port-unreachable
1     5     source-policy
1     6     reject-route
1     7     source-route-header
2     0     packet-too-big
3           time-exceeded
3     0     hop-limit
3     1     reassembly-timeout
4           parameter-problem
4     0     header
4     1     next-header
4     2     parameter-option
128   0     echo-request
129   0     echo-reply
130   0     mld-query
131   0     mld-report
132   0     mld-reduction
133   0     router-solicitation
134   0     router-advertisement
135   0     nd-ns
136   0     nd-na
137   0     redirect
138         router-renumbering
138   0     renum-command
138   1     renum-result
138   255   renum-seq-number
139         ni-query
139   0     ni-query-v6-address
139   1     ni-query-name
139   2     ni-query-v4-address
140         ni-response
140   0     ni-response-success
140   1     ni-response-refuse
140   2     ni-response-qtype-unknown
141   0     ind-solicitation
142   0     ind-advertisement
143         mldv2-report
144   0     dhaad-request
145   0     dhaad-reply
146   0     mpd-solicitation
147   0     mpd-advertisement
148   0     cp-solicitation
149   0     cp-advertisement
151   0     mr-advertisement
152   0     mr-solicitation
153   0     mr-termination
155   0     rpl-control
Action Parameters – Control Policy
For each match condition, you configure a corresponding action to take if the
route or TLOC matches for a control policy. In the CLI, you configure actions
with the policy control-policy action command. Each sequence in a centralized
control policy can contain one action condition. In the action, you first
specify whether to accept or reject a matching route or TLOC:
Table 12:
Description: Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.
Cisco SD-WAN Manager: Click Accept.

Description: Reject the route or TLOC; it is discarded.
Cisco SD-WAN Manager: Click Reject.

Then, for a route or TLOC that is accepted, you can configure the following actions:
Action Condition: Export To
Description: Export the route to the specified VPN or list of VPNs (for a match route condition only). The range is 0 through 65535, or a list name.

Action Condition: OMP Tag
Description: Change the tag string in the route, prefix, or TLOC. The range is 0 through 4294967295.

Action Condition: Preference
Description: Change the preference value in the route, prefix, or TLOC to the specified value. A higher preference value is more preferred. The range is 0 through 255.

Action Condition: Service
Description: Specify a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the TLOCs through which the traffic is redirected to reach the service; in the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is the VPN where the service is located. Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. Configure the services themselves on the Cisco SD-WAN devices that are collocated with the service devices, using the vpn service configuration command.

Action Condition: TLOC
Description: Change the TLOC address, color, and encapsulation to the specified values. For each TLOC, specify its address, color, and encapsulation. The address is the system IP address. The color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The encapsulation can be gre or ipsec. Optionally, set a preference value (from 0 to 2^32 - 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition and multiple TLOCs are available and satisfy the match conditions, the TLOC with the highest preference value is used. If two or more TLOCs share the highest preference value, traffic is sent among them in an ECMP fashion.

Action Condition: TLOC Action
Description: Direct matching routes or TLOCs using the mechanism specified by the action, and enable end-to-end tracking of whether the ultimate destination is reachable. Setting the TLOC action option enables the Cisco Catalyst SD-WAN Controller to perform end-to-end tracking of the path to the ultimate destination device.

Note The preference command controls the preference for directing inbound and outbound traffic to a tunnel. The preference can be a value from 0 through 4294967295 (2^32 - 1), and the default value is 0. A higher value is preferred over a lower value.
When a Cisco vEdge device has two or more tunnels, if all the TLOCs have the same preference and no policy is applied that affects traffic flow, all the TLOCs are advertised into OMP. When the router transmits or receives traffic, it distributes traffic flows evenly among the tunnels, using ECMP.
Action Parameters – Data Policy
Table 13: Feature History
Feature Name
Release Information Description
Path Preference Support for Cisco IOS XE Catalyst SD-WAN Devices
Cisco IOS XE Catalyst SD-WAN Release 17.2.1r
This feature extends to Cisco IOS XE Catalyst SD-WAN devices, support for selecting one or more local transport locators (TLOCs) for a policy action.
Traffic Redirection to SIG Using Data Policy
Cisco SD-WAN Release 20.4.1
Cisco vManage Release 20.4.1
With this feature, while creating a data policy, you can define an application list along with other match criteria and redirect the application traffic to a Secure Internet Gateway (SIG).
Next Hop Action Enhancement in Data Policies
Cisco SD-WAN Release 20.5.1
Cisco vManage Release 20.5.1
This feature enhances match action conditions in a centralized data policy for parity with the features configured on Cisco vEdge devices. When you are setting up next-hop-loose action, this feature helps to redirect application traffic to an available route when next-hop address is not available.
When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped. Then, you can associate parameters with accepted packets. In the CLI, you configure the action parameters with the policy data-policy vpn-list sequence action command. Each sequence in a centralized data policy can contain one action condition. In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Action Condition: Click Accept
Description: Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

Action Condition: Cflowd
Description: Enables cflowd traffic monitoring.

Action Condition: Counter
Description: Counts the accepted or dropped packets. Specifies the name of a counter. Use the show policy access-lists counters command on the Cisco vEdge device.

Action Condition: Click Drop
Description: Discards the packet. This is the default action.
Action Condition: Log
Description: Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1. Click Log to enable logging. When packets matching a data policy (DP), application-aware routing (AAR) policy, or ACL are configured with the log action, logs are generated and written to syslog. Because of the global log-rate-limit, not every matching packet is logged: a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active. For information on the policy log-rate-limit CLI, see the policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide.

Action Condition: Redirect DNS
Description: Redirects DNS requests to a particular DNS server. Redirecting requests is optional, but if you do so, you must specify both actions, the outbound redirect to the server address and the inbound redirect-dns host. For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server.
Note: When you upgrade to releases later than Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, you must configure redirect DNS together with nat use-vpn 0 to redirect DNS to Direct Internet Access (DIA).
Note: You can set only local TLOC preferences together with redirect-dns as actions in the same sequence, not remote TLOCs.
Note: You cannot configure Redirect DNS and SIG at the same time. NAT DIA fallback and DNS redirection are not supported at the same time in a data policy.

Action Condition: TCP Optimization
Description: Fine-tunes TCP to decrease round-trip latency and improve throughput for matching TCP traffic.

Action Condition: Secure Internet Gateway
Description: Redirects application traffic to a SIG.
Note: Before you apply a data policy that redirects application traffic to a SIG, you must have configured the SIG tunnels. For more information on configuring automatic SIG tunnels, see Automatic Tunnels. For more information on configuring manual SIG tunnels, see Manual Tunnels.
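The following vSmart configuration is an added example, not taken from the guide or from Cisco, of the Redirect DNS action combined with nat use-vpn 0 as the table above requires. It pairs the outbound redirect (sequence 10) with the inbound redirect-dns host (sequence 20), applies the policy in both directions, and deliberately sets no remote TLOC or SIG in the redirect sequence because the notes above forbid that. The list names, site IDs, VPN 10 and the resolver address 198.51.100.53 are assumptions chosen for illustration; lines beginning with ! are comments.

```cisco
! Added example (not from the original guide): vSmart centralized data policy
! that sends DNS from service VPN 10 out the local DIA exit and returns the
! answers to the requesting VPN. Names, site IDs, VPN number and the resolver
! address 198.51.100.53 are assumptions.
policy
 lists
  vpn-list corp-vpn
   vpn 10
  !
  site-list branch-sites
   site-id 100-199
  !
 !
 data-policy branch-dns-dia
  vpn-list corp-vpn
   ! Outbound: DNS queries leaving the service VPN are NATed into VPN 0 (DIA)
   ! and steered to the chosen resolver. Only a local TLOC may be set in the
   ! same sequence as redirect-dns; no set tloc, tloc-list or sig here.
   sequence 10
    match
     dns request
    !
    action accept
     count dns-out
     nat use-vpn 0
     redirect-dns 198.51.100.53
    !
   !
   ! Inbound: redirect-dns host hands the response back to the service VPN
   ! that asked instead of leaving it in VPN 0.
   sequence 20
    match
     dns response
    !
    action accept
     count dns-in
     redirect-dns host
    !
   !
   ! The documented default action is drop; an explicit accept keeps the rest
   ! of VPN 10 traffic flowing.
   default-action accept
  !
 !
!
apply-policy
 site-list branch-sites
  ! "all" applies the policy from-service and from-tunnel, which sequence 10
  ! and sequence 20 respectively need.
  data-policy branch-dns-dia all
 !
!
```

After the policy is pushed, confirm on a branch vEdge that it arrived with show policy from-vsmart, and watch the dns-out and dns-in counters with show policy data-policy-filter while a host in VPN 10 resolves a name. If dns-in never increments, the inbound half is missing or the policy was applied from-service only.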
Then, for a packet that is accepted, the following parameters can be configured:
Action Condition: Cflowd
Description: Enables cflowd traffic monitoring.

Action Condition: NAT Pool or NAT VPN
Description: Enables NAT functionality, so that traffic can be redirected directly to the internet or another external destination.

Action Condition: DSCP
Description: DSCP value. The range is 0 through 63.

Action Condition: Forwarding Class
Description: Name of the forwarding class.

Action Condition: Local TLOC
Description: Sends packets over one of the local TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The encapsulation options are ipsec and gre; by default, the encapsulation is ipsec. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop the traffic instead when the TLOC is unavailable, include the restrict option.

Action Condition: Next Hop
Description: Sets the next-hop IP address to which the packet should be forwarded.
Note: Starting from Cisco SD-WAN Release 20.5.1 and Cisco vManage Release 20.5.1, the Use Default Route when Next Hop is not available field is available next to the Next Hop action parameter. This option is available only when the sequence type is Traffic Engineering or Custom, and the protocol is either IPv4 or IPv6, but not both.

Action Condition: Policer
Description: Applies a policer. Specifies the name of a policer configured with the policy policer command.

Action Condition: Service
Description: Specifies a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service; with multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is the VPN where the service is located. Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. A TLOC list is configured with the policy lists tloc-list command. Configure the services themselves on the Cisco vEdge device.
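The vSmart configuration below is an added example, not from the guide or from Cisco, that exercises the accept-side set parameters in the table above: DSCP and forwarding class plus a pinned local TLOC with restrict for voice, a policer and FW service chaining through a hub TLOC list for guest traffic, and an explicit catch-all accept because the default action is drop. The list names, application names, prefixes, TLOC addresses, policer rate and the class name high-priority are assumptions; the class-map that backs the forwarding class and the FW service itself live on the vEdge and are not shown.

```cisco
! Added example (not from the original guide): vSmart centralized data policy
! using the accept-side set parameters. All names, prefixes, TLOC addresses
! and policer values are assumptions for illustration.
policy
 lists
  vpn-list corp-vpn
   vpn 10
  !
  site-list branch-sites
   site-id 100-199
  !
  app-list voice-apps
   app sip
   app rtp
  !
  data-prefix-list guest-subnets
   ip-prefix 10.99.0.0/16
  !
  ! Remote hub TLOCs that front the firewall service; traffic is
  ! load-balanced across the entries.
  tloc-list hub-fw-tlocs
   tloc 10.0.0.1 color mpls encap ipsec
   tloc 10.0.0.1 color biz-internet encap ipsec
  !
 !
 ! Policer referenced by set policer below: 2 Mbps, excess dropped.
 policer guest-2m
  rate 2000000
  burst 15000
  exceed drop
 !
 data-policy branch-steering
  vpn-list corp-vpn
   ! Voice: mark EF, classify, and pin to the local MPLS TLOC. restrict means
   ! drop rather than fail over to another color when MPLS is down.
   sequence 10
    match
     app-list voice-apps
    !
    action accept
     count voice-mpls
     set
      dscp 46
      forwarding-class high-priority
      local-tloc-list color mpls restrict
     !
    !
   !
   ! Guest: police to 2 Mbps and chain through the FW service in VPN 10
   ! reachable behind the hub TLOCs.
   sequence 20
    match
     source-data-prefix-list guest-subnets
    !
    action accept
     count guest-fw
     set
      policer guest-2m
      service FW vpn 10 tloc-list hub-fw-tlocs
     !
    !
   !
   ! Everything unmatched is dropped by the documented default, so the rest of
   ! the corporate space needs its own accept.
   sequence 30
    match
     source-ip 10.0.0.0/8
    !
    action accept
     count corp-other
    !
   !
   default-action drop
  !
 !
!
apply-policy
 site-list branch-sites
  data-policy branch-steering from-service
 !
!
```

Two checks are worth doing before trusting this in production. First, pull the MPLS transport on a lab branch and confirm with show policy data-policy-filter that voice-mpls stops incrementing rather than silently moving to internet, which is what restrict buys you. Second, verify that the FW service is advertised from the hub (show omp services on the branch vEdge); if it is not, sequence 20 has nowhere to chain to and the guest traffic is dropped.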