Describes the three essential building blocks of policies: lists, policy definitions, and policy applications.
Cisco Catalyst SD-WAN Controller policy components are a configuration framework that
-
consists of three essential building blocks: lists, policy definitions, and policy applications
-
enables centralized management and enforcement of overlay network-wide policies on Cisco Catalyst SD-WAN Control Components, and
-
ensures consistency in policy enforcement across the overlay network through centralized configuration.
Policy component architecture
The Cisco SD-WAN Controller policies that implement overlay network-wide policies are implemented on a Cisco Catalyst SD-WAN Control Components. Because Cisco SD-WAN Controllers are centralized devices, you can manage and maintain Cisco SD-WAN Controller policies centrally, and you can ensure consistency in the enforcement of policies across the overlay network.
The implementation of Cisco SD-WAN Controller policy is done by configuring the entire policy on the Cisco Catalyst SD-WAN Control Components. Cisco SD-WAN Controller policy configuration is accomplished with three building blocks:
-
Lists define the targets of policy application or matching.
-
Policy definition, or policies, controls aspects of control and forwarding. There are different types of policy, including:
-
app-route-policy (for application-aware routing)
-
cflowd-template (for cflowd flow monitoring)
-
control-policy (for routing and control plane information)
-
data-policy (for data traffic)
-
vpn-membership-policy (for limiting the scope of traffic to specific VPNs)
-
-
Policy application controls what a policy is applied towards. Policy application is site-oriented, and is defined by a specific list called a site-list.
You assemble these three building blocks to Cisco SD-WAN Controller policy. More specifically, policy is the sum of one or more lists, one policy definition, and at least one policy applications, as shown in the table below.
| Lists |
Policy Definition |
Policy Application |
||
|---|---|---|---|---|
| data-prefix-list: List of prefixes for use with a data-policy prefix-list: List of prefixes for use with any other policy site-list: List of site-id:s for use in policy and apply-policy tloc-list : List of tloc:s for use in policy vpn-list : List of vpn:s for use in policy |
+ |
app-route-policy: Used with sla-classes for application-aware routing cflowd-template: Configures the cflowd agents on the Cisco IOS XE Catalyst SD-WAN devices control-policy: Controls OMP routing control data-policy: Provides vpn-wide policy-based routing vpn-membership-policy: Controls vpn membership across nodes |
+ |
apply-policy: Used with a site-list to determine where policies are applied |
The example illustrated below creates two lists (a site-list and a tloc-list), defines one policy (a control policy), and applies the policy to the site-list. In the figure, the items are listed as they are presented in the node configuration. In a normal configuration process, you create lists first (group together all the things you want to use), then define the policy itself (define what things you want to do), and finally apply the policy (specify the sites that the configured policy affects). |
||||
apply-policy
site-list site1 ––––––––→ Apply the defined policy towards the sites in site-list
control-policy prefer_local out
!
policy
lists
site-list site1
site-id 100
tloc-list prefer_site1 –––→ Define the lists required for apply-policy and for use within the policy
tloc 192.0.2.1 color mols encap ipsec preference 400
control-policy prefer_local
sequence 10
match route
site-list sitele ––––––->Lists previously defined used within policy
!
action accept
set
tloc-list prefer_site
!
!
!