Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Cisco Cisco Catalyst SD-WAN Controller policy operation

Want to summarize with AI?

Log in

Explains at a high level how control, data, and VPN membership policies function to manage the network.


Cisco Cisco Catalyst SD-WAN Controller policy operation is a network management mechanism that

  • operates on routing information carried in OMP updates through control policy

  • affects data traffic through data policy, and

  • controls the distribution of VPN routing tables through VPN membership.

Basic policy types

The basic Cisco SD-WAN Controller policies are:

  • Control Policy

  • Data Policy

  • VPN Membership


Control policy

A control policy is a routing policy mechanism that

  • operates on routes and routing information in the control plane of the overlay network

  • customizes network-wide routing decisions that determine or influence routing paths through the overlay network, and

  • allows modification of OMP route attributes before they are placed in the route table or advertised to devices.

Control policy types and operation

Two types of control policy provide routing customization:

  • Centralized control policy: Provisioned on the Cisco SD-WAN Controller and customizes network-wide routing decisions through the overlay network

  • Local control policy: Provisioned on a Cisco IOS XE Catalyst SD-WAN device and allows customization of routing decisions made by BGP and OSPF on site-local branch or enterprise networks

The routing information that forms the basis of centralized control policy is carried in Cisco IOS XE Catalyst SD-WAN route advertisements, which are transmitted on the DTLS or TLS control connections between Cisco SD-WAN Controllers and Cisco IOS XE Catalyst SD-WAN devices.

Centralized control policy determines which routes and route information are placed into the centralized route table on the Cisco SD-WAN Controller and which routes and route information are advertised to the Cisco IOS XE Catalyst SD-WAN devices in the overlay network. Basic centralized control policy establish traffic engineering, to set the path that traffic takes through the network. Advanced control policy supports a number of features, which allows Cisco IOS XE Catalyst SD-WAN devices in the overlay network to share network services, such as firewalls and load balancers.

Centralized control policy affects the OMP routes that are distributed by the Cisco SD-WAN Controller throughout the overlay network. The Cisco SD-WAN Controller learns the overlay network topology from OMP routes that are advertised by the Cisco IOS XE Catalyst SD-WAN devices over the OMP sessions inside the DTLS or TLS connections between the Cisco SD-WAN Controller and the devices.

Three types of OMP routes carry the information that the Cisco SD-WAN Controller uses to determine the network topology:

  • Cisco Catalyst SD-WAN OMP routes: Similar to IP route advertisements, advertise routing information that the devices have learned from their local site and the local routing protocols (BGP and OSPF) to the Cisco SD-WAN Controller. These routes are also referred to as OMP routes or Routes.

  • TLOC routes: Carry overlay network–specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type.

  • Service routes: Advertise the network services, such as firewalls, available to VPN members at the local site.

By default, no centralized control policy is provisioned. In this bare, unpolicied network, all OMP routes are placed in the Cisco SD-WAN Controller's route table as is, and the Cisco SD-WAN Controller advertises all OMP routes, as is, to all the devices in the same VPN in the network domain.

By provisioning centralized control policy, you can affect which OMP routes are placed in the Cisco SD-WAN Controller's route table, what route information is advertised to the devices, and whether the OMP routes are modified before being put into the route table or before being advertised.

Cisco IOS XE Catalyst SD-WAN devices place all the route information learned from the Cisco SD-WAN Controllers, as is, into their local route tables, for use when forwarding data traffic. Because the Cisco SD-WAN Controller's role is to be the centralized routing system in the network, edge devices do not perform any policy actions on routes learned from the Cisco SD-WAN Controllers.

The figure below shows the OMP route flow in the overlay network and illustrates the effects of centralized control policy. Centralized control policy affects the exchange of routing information between the Cisco IOS XE Catalyst SD-WAN devices and the Cisco SD-WAN Controllers. As shown in the figure, you can apply a policy in two directions:

  • Inbound—A policy applied to routes being received by the Cisco SD-WAN Controller from the Cisco IOS XE Catalyst SD-WAN devices in the network

  • Outbound—A policy applied to routes being sent by the Cisco SD-WAN Controller to the Cisco IOS XE Catalyst SD-WAN devices in the network

For inbound policy, the routes received from the Cisco IOS XE Catalyst SD-WAN devices are modified before they are placed in the Cisco SD-WAN Controller's route table, and the modified routes are also sent to all other Cisco IOS XE Catalyst SD-WAN devices. Inbound policies affect all the devices in the network domain because the Cisco SD-WAN Controller advertises the modified routes to all the Cisco IOS XE Catalyst SD-WAN devices in the VPN.

For an outbound policy, the routes in the Cisco SD-WAN Controller's route table are not modified. Instead, the Cisco SD-WAN Controller reads a route from its route table, creates a copy of the route, modifies the copy as directed by the policy, and sends this modified copy to the destination devices. The original route in the Cisco SD-WAN Controller's route table remains unchanged after the update. Again, note that the direction is outbound from the perpspective of the Cisco SD-WAN Controller.

In contrast to an inbound policy, which affects the centralized route table on the Cisco SD-WAN Controller and has a broad effect on the route attributes advertised to all the devices in the overlay network. A control policy applied in the outbound direction influences only the route tables on the individual devices included in the site-list.

The same control policy (the prefer_local policy) is applied to both the inbound and outbound OMP updates. However, the effects of applying the same policy to inbound and outbound are different. The usage shown in the figure illustrates the flexibility of the Cisco IOS XE Catalyst SD-WAN control policy design architecture and configuration.


Data policies

A data policy is a network traffic control mechanism that

  • influences the flow of data traffic traversing the network based either on fields in the IP header of packets or the router interface on which the traffic is being transmitted or received

  • controls data traffic traveling over IPsec connections between Cisco IOS XE Catalyst SD-WAN devices, and

  • examines fields in data packet headers, looking at source and destination addresses and ports, protocol and DSCP values.

Data policy types

The Cisco IOS XE Catalyst SD-WAN architecture implements two types of data policy:

  • Centralized data policy: Controls the flow of data traffic based on the source and destination addresses and ports and DSCP fields in the packet's IP header (referred to as a 5-tuple), and based on network segmentation and VPN membership. These types of data policy are provisioned centrally, on the Cisco SD-WAN Controller, and they affect traffic flow across the entire network.

  • Localized data policy: Controls the flow of data traffic into and out of interfaces and interface queues on a Cisco IOS XE Catalyst SD-WAN device. This type of data policy is provisioned locally using access lists. It allows you to classify traffic and map different classes to different queues. It also allows you to mirror traffic and to police the rate at which data traffic is transmitted and received.

By default, no centralized data policy is provisioned. The result is that all prefixes within a VPN are reachable from anywhere in the VPN. Provisioning centralized data policy allows you to apply a 6-tuple filter that controls access between sources and destinations.

Centralized data policy controls access between sources and destinations within a VPN using a 6-tuple filter.

As with centralized control policy, you provision a centralized data policy on the Cisco SD-WAN Controller, and that configuration remains on the Cisco SD-WAN Controller. The effects of data policy are reflected in how the Cisco IOS XE Catalyst SD-WAN devices direct data traffic to its destination. Unlike control policy, however, centralized data polices are pushed to the devices in a read-only fashion. They are not added to the router's configuration file, but you can view them from the CLI on the router.

Alt text for the image is missing in the provided context. Please provide the surrounding text that describes the image's action or purpose so I can generate the appropriate alt text.

With no access lists provisioned on a Cisco IOS XE Catalyst SD-WAN device, all data traffic is transmitted at line rate and with equal importance, using one of the interface's queues. Using access lists, you can provision class of service, which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted. You can provision policing.

Data policy is configured and applied on the Cisco SD-WAN Controller, and then it is carried in OMP updates to the Cisco IOS XE Catalyst SD-WAN devices in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the devices as it transmits or receives data traffic.

Data policy topology example

In the Data Policy Topology figure, a data policy named "change_next_hop" is applied to a list of sites that includes Site 3. The OMP update that the Cisco SD-WAN Controller sends to the devices at Site 3 includes this policy definition. When the device sends or receives data traffic that matches the policy, it changes the next hop to the specified TLOC. Non-matching traffic is forwarded to the original next-hop TLOC.

Figure 1. Data policy topology

In the apply-policy command for a data policy, specify a direction from the perspective of the device. The "all" direction in the figure applies the policy to incoming and outgoing data traffic transiting the tunnel interface. You can limit the span of the policy to only incoming traffic with a data-policy change_next_hop from-tunnel command or to only outgoing traffic with a data-policy change_next_hop from-service command.


Restrictions for data policy

You can apply only one data policy per site in each direction on Cisco SD-WAN Controller regardless of the number of VPNs configured.

  • Supported directions:

    • From-service

    • From-tunnel

    • All- this direction represents both from-service and from-tunnel traffic.

  • Supported configurations: You can use any one of the following:

    • One data policy for from-service direction and One data policy for from-tunnel direction, or

    • One data policy for all direction.

  • Unsupported configurations:

    • One data policy for from-service and another for all at the same site.

    • One data policy for from-tunnel and another for all at the same site.

    Applying multiple data policies in the same direction at a site is not supported and can result in unintended behavior.


VPN membership policy operation

VPN membership policy operation is a network routing mechanism that

  • affects the VPN route tables that are distributed to particular Cisco IOS XE Catalyst SD-WAN devices

  • filters route updates sent to devices, removing routes for VPNs they do not service, and

  • enforces business usage model restrictions on device participation in particular VPNs.

VPN membership policy behavior

In an overlay network with no VPN membership policy, the Cisco Catalyst SD-WAN Controller pushes the routes for all VPNs to all the devices. If your business usage model restricts participation of specific devices in particular VPNs, a VPN membership policy is used to enforce this restriction.

The Cisco SD-WAN Controller always applies this type of policy to the OMP updates that it sends outside to the Cisco IOS XE Catalyst SD-WAN devices. Direction is not set when applying VPN membership policy.

Figure 2. VPN membership topology
The VPN membership topology illustrates the operation of VPN membership policy in filtering OMP updates sent outside to the specified entities.

VPN membership policy filtering scenario

The VPN Membership Topology illustrates how VPN membership policy works. This topology has three Cisco IOS XE Catalyst SD-WAN devices:

  • The Cisco IOS XE Catalyst SD-WAN devices at Sites 1 and 2 service only VPN 2.

  • The Cisco IOS XE Catalyst SD-WAN devices at Site 3 services both VPN 1 and VPN 2.

In the figure, the device at Site 3 receives all route updates from the Cisco SD-WAN Controller, because these updates are for both VPN 1 and VPN 2. However, because the other Cisco IOS XE Catalyst SD-WAN devices service only VPN 2, it can filter the route updates sent to them, remove the routes associated with VPN 1 and sends only the ones that apply to VPN 2.