Outlines how policies are sequentially processed and the importance of consistent configuration across controllers.
Policy processing and application guidelines
Understanding how a Cisco SD-WAN Controller policy is processed and applied allows for proper design of policy and evaluation of how policy is implemented across the overlay network.
- A policy definition consists of a numbered, ordered sequence of match–action pairings. Within each policy, the pairings are processed in sequential order, starting with the lowest number and incrementing.
- As soon as a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
- Any entity not matched in a sequence is subject to the default action for the policy. By default, this action is reject.
Site-list policy application requirements
Cisco SD-WAN Controller policy is applied on a per-site-list basis.
- When applying policy to a site-list, you can apply only one of each type of policy. For example, you can have one control-policy and one data-policy, or one control-policy in and one control-policy out. You cannot have two data policies or two outbound control policies.
- Because a site-list is a grouping of many sites, you should be careful about including a site in more than one site-list. When the site-list includes a range of site identifiers, ensure that there is no overlap. If the same site is part of two site-lists and the same type of policy is applied to both site-lists, the policy behavior is unpredictable and possibly catastrophic.
- Control-policy is unidirectional, being applied either inbound to the Cisco SD-WAN Controller or outbound from it. When control-policy is needed in both directions, configure two control policies.
- Data-policy is bidirectional and can be applied to traffic received from the service side of the Cisco IOS XE Catalyst SD-WAN device, to traffic received from the tunnel side, or to both.
- VPN membership policy is always applied to traffic outbound from the Cisco SD-WAN Controller.
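The two rules above that most often surprise operators, first-match sequence processing with a default reject, and the requirement that no site receive the same policy type from two site-lists, can be checked offline before a policy is pushed. The following is an added example (not Cisco code and not part of the original page); the policy, site-lists and site-id ranges are constructed sample data, and the `match` predicates stand in for the real match conditions.

```python
# Added example, not Cisco code: models first-match sequence evaluation with a
# default action, and flags sites that receive the same policy type from two
# overlapping site-lists (the case the page calls unpredictable).
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Sequence:
    number: int
    match: Callable[[dict], bool]   # predicate over the entity (route or flow)
    action: str                     # "accept" or "reject"


@dataclass
class Policy:
    sequences: List[Sequence]
    default_action: str = "reject"  # page: default action is reject

    def evaluate(self, entity: dict) -> Tuple[str, int]:
        """Return (action, sequence number); -1 means the default action applied."""
        for seq in sorted(self.sequences, key=lambda s: s.number):
            if seq.match(entity):
                return seq.action, seq.number   # first match wins, stop processing
        return self.default_action, -1


def expand_site_list(ranges: List[Tuple[int, int]]) -> Set[int]:
    """Expand [(start, end), ...] inclusive site-id ranges into a set of site ids."""
    sites: Set[int] = set()
    for start, end in ranges:
        sites.update(range(start, end + 1))
    return sites


def find_site_list_conflicts(site_lists: Dict[str, List[Tuple[int, int]]],
                             applied: Dict[str, List[str]]) -> List[Tuple[int, str, str, str]]:
    """site_lists: name -> id ranges; applied: name -> policy types applied to it.
    Returns (site, policy type, list_a, list_b) for every site that would get the
    same policy type from two site-lists."""
    conflicts = []
    names = sorted(site_lists)
    expanded = {n: expand_site_list(site_lists[n]) for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared_types = set(applied.get(a, [])) & set(applied.get(b, []))
            for site in sorted(expanded[a] & expanded[b]):
                for ptype in sorted(shared_types):
                    conflicts.append((site, ptype, a, b))
    return conflicts


# Constructed sample: sequence 10 rejects one prefix, sequence 20 accepts the rest of 10/8.
SAMPLE_POLICY = Policy([
    Sequence(20, lambda e: e["prefix"].startswith("10."), "accept"),
    Sequence(10, lambda e: e["prefix"] == "10.1.1.0/24", "reject"),
])
```

Note that the sequences are deliberately listed out of order in `SAMPLE_POLICY`; evaluation still honours the numbered order, so the more specific reject at sequence 10 wins over the broader accept at 20.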
Policy distribution and routing considerations
Policy distribution and routing decisions require understanding of how information flows through the overlay network.
- Control-policy remains on the Cisco SD-WAN Controller and affects routes that the controller sends and receives.
- Data-policy is sent to the Cisco IOS XE Catalyst SD-WAN devices in the site-list. The policy is sent in OMP updates, and it affects the data traffic that the devices send and receive.
- When any node in the overlay network makes a routing decision, it uses any and all available routing information. In the overlay network, it is the Cisco Catalyst SD-WAN Controller that distributes routing information to the Cisco IOS XE Catalyst SD-WAN device nodes.
Requirement: Consistent configuration across controllers
In a network deployment that has two or more Cisco Catalyst SD-WAN Controllers, each controller acts independently to disseminate routing information to other Cisco SD-WAN Controllers and to Cisco IOS XE Catalyst SD-WAN devices in the overlay network. So, to ensure that the Cisco SD-WAN Controller policy has the desired effect in the overlay network, each Cisco SD-WAN Controller must be configured with the same policy, and the policy must be applied identically. For any given policy, you must configure the identical policy and apply it identically across all the Cisco SD-WAN Controllers.
When you deploy a policy, the deployment status is updated only for 30 minutes, which is the timeout limit for policies. After the timeout period, the deployment task status is not monitored. If you are deploying a larger policy with many lines and the deployment takes more than 30 minutes, the task status will not be monitored beyond that point.