Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Configure SAIE using the CLI

Configure a centralized data policy for the SD-WAN Application Intelligence Engine (SAIE) flow using CLI commands.


This task enables you to configure a centralized data policy for the SD-WAN Application Intelligence Engine (SAIE) flow to control application traffic behavior across overlay network sites.

The SAIE flow provides application intelligence and traffic control capabilities in SD-WAN deployments. Use this configuration when you need to implement centralized policies for application traffic management across multiple sites.

Note

In Cisco vManage Release 20.7.x and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.

Follow these steps to configure a centralized data policy for the SD-WAN Application Intelligence Engine (SAIE) flow:

Procedure

1.

Create a list of overlay network sites to which the data policy is to be applied using the apply-policy command:

Example:

vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id

The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).

Create additional site lists, as needed.

2.

Create lists of applications and application families that are to be subject to the data policy:

Example:

vSmart(config)# policy lists
vSmart(config-lists)# app-list list-name
vSmart(config-app-list)# app application-name

vSmart(config)# policy lists
vSmart(config-lists)# app-list list-name
vSmart(config-applist)# app-family family-name

Each list can contain one or more application names, or one or more application families. A single list cannot contain both applications and application families.

3.

Create lists of IP prefixes and VPNs, as needed:

Example:

vSmart(config)# policy lists
vSmart(config-lists)# data-prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length

vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

4.

Create lists of TLOCs, as needed:

Example:

vSmart(config)# policy
vSmart(config-policy)# lists tloc-list list-name
vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]

5.

Define policing parameters, as needed:

Example:

vSmart(config-policy)# policer policer-name
vSmart(config-policer)# rate bandwidth
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action

6.

Create a data policy instance and associate it with a list of VPNs:

Example:

vSmart(config)# policy data-policy policy-name
vSmart(config-data-policy-policy-name)# vpn-list list-name

7.

Create a series of match–action pair sequences:

Example:

vSmart(config-vpn-list)# sequence number
vSmart(config-sequence-number)#

The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the route or accepting it as is).

8.

Define match parameters based on applications:

Example:

vSmart(config-sequence-number)# match app-list list-name

9.

Define additional match parameters for data packets:

Example:

vSmart(config-sequence-number)# match parameters

10.

Define actions to take when a match occurs:

Example:

vSmart(config-sequence-number)# action (accept | drop) [count]

11.

For packets that are accepted, define the actions to take:

Example:

vSmart(config-action)# set tloc ip-address color color encap encapsulation
vSmart(config-action)# set tloc-list list-name
vSmart(config-action)# set local-tloc color color encap encapsulation
vSmart(config-action)# set local-tloc-list color color encap encapsulation [restrict]

12.

Apply the data policy to one or more sites:

Example:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)
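
The rules stated in this procedure (site-ID ranges, app-lists that hold applications or application families but not both, and sequences evaluated from the lowest number until one matches) can be checked offline before a policy is applied. The Python model below is an added example, not Cisco code and not part of the original guide; it matches on app-list only, and every list name, application name, number and the `drop` default action are constructed assumptions.

```python
# Added example; every list name, application name and number is constructed.

def expand_site_ids(entries):
    """Expand site-id entries; a contiguous range is written as low-high."""
    sites = set()
    for entry in entries:
        # Accept an en dash as well as an ASCII hyphen between the two numbers.
        low, _, high = str(entry).replace("\u2013", "-").partition("-")
        low, high = int(low), int(high or low)
        if low > high:
            raise ValueError(f"descending site-id range: {entry}")
        sites.update(range(low, high + 1))
    return sites

def check_app_list(name, apps=(), families=()):
    """An app-list holds applications or application families, never both."""
    if apps and families:
        raise ValueError(f"app-list {name} mixes app and app-family entries")
    if not (apps or families):
        raise ValueError(f"app-list {name} is empty")
    return set(apps) or set(families)

def evaluate(sequences, app_lists, packet_app, default_action):
    """Return (sequence number, action) of the first matching sequence.

    Sequences are tried from the lowest number upward and evaluation stops at
    the first match; with no match the default action applies.
    """
    for number in sorted(sequences):
        list_name, action = sequences[number]
        if packet_app in app_lists[list_name]:
            return number, action
    return None, default_action

SITES = expand_site_ids(["100", "200-203"])
APP_LISTS = {
    "STREAMING": check_app_list("STREAMING", apps=["example-video", "example-audio"]),
    "ALL-MEDIA": check_app_list(
        "ALL-MEDIA", apps=["example-video", "example-audio", "example-voice"]),
}
# sequence number -> (app-list matched, action); entered out of order on purpose.
SEQUENCES = {20: ("ALL-MEDIA", "accept"), 10: ("STREAMING", "drop")}

if __name__ == "__main__":
    for app in ("example-video", "example-voice", "example-mail"):
        print(app, evaluate(SEQUENCES, APP_LISTS, app, default_action="drop"))
```

In this constructed policy, sequence 10 drops `example-video` before the broader accept in sequence 20 is reached, which is why the sequence numbers, not the order of entry, decide the outcome.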

What to do next

Use the following show commands for visibility into traffic classification:

  • show app DPI flows

  • show support DPI flows active detail

  • show app DPI application

  • show support DPI flows expired detail

  • show support DPI statistics