Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Cisco Catalyst SD-WAN Controller Policy components

Want to summarize with AI?

Log in

Describes the three essential building blocks of policies: lists, policy definitions, and policy applications.


Cisco Catalyst SD-WAN Controller policy components are a configuration framework that

  • consists of three essential building blocks: lists, policy definitions, and policy applications

  • enables centralized management and enforcement of overlay network-wide policies on Cisco Catalyst SD-WAN Control Components, and

  • ensures consistency in policy enforcement across the overlay network through centralized configuration.

Policy component architecture

The Cisco SD-WAN Controller policies that implement overlay network-wide policies are implemented on a Cisco Catalyst SD-WAN Control Components. Because Cisco SD-WAN Controllers are centralized devices, you can manage and maintain Cisco SD-WAN Controller policies centrally, and you can ensure consistency in the enforcement of policies across the overlay network.

The implementation of Cisco SD-WAN Controller policy is done by configuring the entire policy on the Cisco Catalyst SD-WAN Control Components. Cisco SD-WAN Controller policy configuration is accomplished with three building blocks:

  • Lists define the targets of policy application or matching.

  • Policy definition, or policies, controls aspects of control and forwarding. There are different types of policy, including:

    • app-route-policy (for application-aware routing)

    • cflowd-template (for cflowd flow monitoring)

    • control-policy (for routing and control plane information)

    • data-policy (for data traffic)

    • vpn-membership-policy (for limiting the scope of traffic to specific VPNs)

  • Policy application controls what a policy is applied towards. Policy application is site-oriented, and is defined by a specific list called a site-list.

You assemble these three building blocks to Cisco SD-WAN Controller policy. More specifically, policy is the sum of one or more lists, one policy definition, and at least one policy applications, as shown in the table below.

Table 1. The three building blocks of Cisco SD-WAN Controller policies

Lists

Policy Definition

Policy Application

data-prefix-list: List of prefixes for use with a data-policy

prefix-list: List of prefixes for use with any other policy

site-list: List of site-id:s for use in policy and apply-policy

tloc-list : List of tloc:s for use in policy

vpn-list : List of vpn:s for use in policy

+

app-route-policy: Used with sla-classes for application-aware routing

cflowd-template: Configures the cflowd agents on the Cisco IOS XE Catalyst SD-WAN devices

control-policy: Controls OMP routing control

data-policy: Provides vpn-wide policy-based routing

vpn-membership-policy: Controls vpn membership across nodes

+

apply-policy: Used with a site-list to determine where policies are applied

The example illustrated below creates two lists (a site-list and a tloc-list), defines one policy (a control policy), and applies the policy to the site-list. In the figure, the items are listed as they are presented in the node configuration. In a normal configuration process, you create lists first (group together all the things you want to use), then define the policy itself (define what things you want to do), and finally apply the policy (specify the sites that the configured policy affects).

apply-policy 
 site-list site1  ––––––––→ Apply the defined policy towards the sites in site-list
  control-policy prefer_local out
  !
policy 
 lists 
 site-list site1 
  site-id 100 
 tloc-list prefer_site1 –––→ Define the lists required for apply-policy and for use within the policy
  tloc 192.0.2.1 color mols encap ipsec preference 400
 control-policy prefer_local 
  sequence 10  
   match route 
    site-list sitele ––––––->Lists previously defined used within policy
  ! 
   action accept 
    set 
     tloc-list prefer_site
    !
   !
  !

TLOC attributes used in policies

A transport location, or TLOC, defines a specific interface in the overlay network. Each TLOC consists of a set of attributes that are exchanged in OMP updates among the Cisco IOS XE Catalyst SD-WAN devices. Each TLOC is uniquely identified by a 3-tuple of IP address, color, and encapsulation. Other attributes can be associated with a TLOC.

The TLOC attributes listed below can be matched or set in Cisco SD-WAN Controller policies.

TLOC Attribute

Function

Application Point

Set By

Application Point

Modify By

Address (IP address)

system-IP address of the source device on which the interface is located.

Configuration on source device

control-policy data-policy

Carrier

Identifier of the carrier type. It primarily indicates whether the transport is public or private.

Configuration on source device

control-policy

Color

Identifier of the TLOC type.

Configuration on source device

control-policy data-policy

Domain ID

Identifier of the overlay network domain.

Configuration on source device

control-policy

Encapsulation

Tunnel encapsulation, either IPsec or GRE.

Configuration on source device

control-policy data-policy

Originator

system-IP address of originating node.

Configuration on any originator

control-policy

Preference

OMP path-selection preference. A higher value is a more preferred path.

Configuration on source device

control-policy

Site ID

Identification for a give site. A site can have multiple nodes or TLOCs.

Configuration on source device

control-policy

Tag

Identifier of TLOC on any arbitrary basis.

Configuration on source device

control-policy


Cisco Catalyst SD-WAN Route attributes used in policies

A Cisco Catalyst SD-WAN route, defines a route in the overlay network and is similar to a standard IP route, has a TLOC and VPN attributes. The Cisco IOS XE Catalyst SD-WAN devices exchange routes in OMP updates.

The routes attributes listed below can be matched or set in Cisco SD-WAN Controller policies.

Table 2.

Route Attribute

Function

Application Point

Set By

Application Point

Modify By

Origin

Source of the route, either BGP, OSPF, connected, static.

Match origin command is available only for Cisco vEdge devices but not on Cisco IOS XE Catalyst SD-WAN devices.

Source device

control-policy

Originator

Source of the update carrying the route.

Any originator

control-policy

Preference

OMP path-selection preference. A higher value is a more preferred path.

Configuration on source device or policy

control-policy

Service

Advertised service associated with the route.

Configuration on source device

control-policy

Site ID

Identifier for a give site. A site can have multiple nodes or TLOCs.

Configuration on source device

control-policy

Tag

Identification on any arbitrary basis.

Configuration on source device

control-policy

TLOC

TLOC used as next hop for the route.

Configuration on source device or policy

control-policy data-policy

VPN

VPN to which the route belongs.

Configuration on source device or policy

control-policy data-policy