Introduces the policy framework architecture and components of Cisco Catalyst SD-WAN Controller, covering policy design, configuration, validation, and monitoring processes.
A policy is a network control mechanism that
- influences the flow of data traffic and routing information among Cisco IOS XE Catalyst SD-WAN devices in the overlay network,
- comprises routing policy for control plane traffic flow and data policy for data plane traffic flow, and
- implements enterprise-specific traffic control requirements through basic policies and advanced features.
| Feature | Release Information | Description |
|---|---|---|
| Policy enforcement failure | Cisco IOS XE Catalyst SD-WAN Release 17.18.1a, Cisco Catalyst SD-WAN Manager Release 20.18.1 | This feature detects when a policy download fails and raises an alarm (policy-enforcement-status). It also introduces new service-path show commands. |
| Policy validation in Cisco SD-WAN | Cisco IOS XE Catalyst SD-WAN Release 26.1.1, Cisco Catalyst SD-WAN Manager Release 26.1.1.1 | This feature improves network reliability and operational efficiency by automatically validating Cisco Catalyst SD-WAN policies for accuracy, platform compliance, and alignment with network requirements before deployment. |
Just as the Cisco Catalyst SD-WAN overlay network architecture clearly separates the control plane from the data plane and divides control between centralized and localized functions, Cisco Catalyst SD-WAN policy is cleanly separated along the same lines. Policies apply either to control plane or to data plane traffic, and they are configured either centrally on Cisco SD-WAN Controllers or locally on Cisco IOS XE Catalyst SD-WAN devices. The following figure illustrates the division between control and data policy, and between centralized and local policy.
Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.
The Cisco Catalyst SD-WAN policy design provides a clear separation between centralized and localized policy. In short, centralized policy is provisioned on the centralized Cisco SD-WAN Controllers in the overlay network, and the localized policy is provisioned on Cisco IOS XE Catalyst SD-WAN devices, which sit at the network edge between a branch or enterprise site and a transport network, such as the Internet, MPLS, or metro Ethernet.
Centralized policy refers to policy provisioned on Cisco SD-WAN Controllers, which are the centralized controllers in the Cisco Catalyst SD-WAN overlay network. Centralized policy comprises two components:
- Control policy, which affects the overlay network–wide routing of traffic
- Data policy, which affects the data traffic flow throughout the VPN segments in the network
Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the Cisco SD-WAN Controller's route table and that is advertised to the Cisco IOS XE Catalyst SD-WAN devices in the network.
Centralized data policy applies to data traffic by directing traffic flows to take specific paths through the network, or by adding Quality of Service (QoS) on packets.
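To make the centralized control policy mechanism concrete, the following is an added, constructed Python model (not Cisco code and not part of this guide) of how an outbound control policy on the controller shapes the routes each edge is sent. The route fields, the first-match sequence evaluation with a default action, and the site-based policy application are modelling assumptions chosen to mirror the lists / definitions / applications building blocks.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    vpn: int
    site_id: int          # site that originated the route
    preference: int = 0

@dataclass
class Sequence:
    match: dict           # field -> value or set of values, e.g. {"vpn": 1, "site_id": {10, 20}}
    action: str           # "accept" or "reject"
    set_preference: int | None = None
    def matches(self, route: Route) -> bool:
        for key, want in self.match.items():
            have = getattr(route, key)
            if not (have == want or (isinstance(want, set) and have in want)):
                return False
        return True

@dataclass
class ControlPolicy:
    sequences: list[Sequence]
    apply_to_sites: set[int]   # the policy application: which edges receive filtered updates
    default_action: str = "reject"
    def evaluate(self, route: Route) -> Route | None:
        """First matching sequence wins; the default action covers everything else."""
        for seq in self.sequences:
            if seq.matches(route):
                if seq.action == "reject":
                    return None
                if seq.set_preference is not None:
                    return Route(route.prefix, route.vpn, route.site_id, seq.set_preference)
                return route
        return None if self.default_action == "reject" else route

def advertise(rib: list[Route], policy: ControlPolicy, to_site: int) -> list[Route]:
    """Routes the controller advertises to one edge after applying outbound control policy."""
    out = []
    for r in rib:
        if r.site_id == to_site:
            continue                   # an edge is not sent its own routes back
        kept = policy.evaluate(r) if to_site in policy.apply_to_sites else r
        if kept is not None:
            out.append(kept)
    return out

# Constructed sample: hub site 10 and branches 20, 30; VPN 1 is corporate, VPN 2 is guest.
RIB = [Route("10.1.0.0/16", 1, 10), Route("10.2.0.0/16", 1, 20),
       Route("10.3.0.0/16", 1, 30), Route("192.168.9.0/24", 2, 30)]
HUB_ONLY = ControlPolicy([Sequence({"vpn": 1, "site_id": 10}, "accept", 100)], {20, 30})
```

With HUB_ONLY applied to the branch sites, each branch learns only the hub's VPN 1 prefix (with preference raised to 100) and never sees the other branch or the guest VPN, while the hub, outside the policy application, still receives every branch route.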
Localized Policy
Localized policy refers to policy provisioned locally on Cisco IOS XE Catalyst SD-WAN devices. Localized policy also comprises two components:
- Control policy, which affects the routing information that Cisco IOS XE Catalyst SD-WAN devices advertise to their locally attached networks
- Data policy, which applies access control lists (ACLs) and QoS to packets transmitted from and received on Cisco IOS XE Catalyst SD-WAN device router interfaces
Localized control policy affects the routing information that Cisco IOS XE Catalyst SD-WAN devices propagate within their local site network.
When no data policy is applied to data plane traffic, all data traffic is forwarded toward its destination based solely on the entries in the local Cisco IOS XE Catalyst SD-WAN device's route table, and all VPNs in the overlay network can exchange data traffic.
Policy architecture
Describes the structural division between control and data planes, as well as centralized versus localized functions.
Policy validation for Cisco Catalyst SD-WAN
Explains the policy validation for Cisco Catalyst SD-WAN devices.
Cisco Catalyst SD-WAN Controller Policy components
Describes the three essential building blocks of policies: lists, policy definitions, and policy applications.
Best practice for Cisco Catalyst SD-WAN Controller policy processing and application
Outlines how policies are sequentially processed and the importance of consistent configuration across controllers.
Cisco Catalyst SD-WAN Controller policy operation
Explains at a high level how control, data, and VPN membership policies function to manage the network.
Configure and execute Cisco SD-WAN Controller policies
Describes where policies are configured (centralized) and whether they execute on the controller or the local device.
Policy status and health monitoring
Lists tools and commands, such as service-path show commands, used to verify policy enforcement and pathing.