Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

PDF

Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Configure centralized policies

Want to summarize with AI?

Log in

Configure centralized policies using the CLI

To configure a centralized control policy using the CLI:

Procedure

1.

Create a list of overlay network sites to which the centralized control policy is to be applied (in the apply-policy command):​

Example:

vSmart(config)# policy​
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id

The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–). Create additional site lists, as needed.

2.

Create lists of IP prefixes, TLOCs, and VPNs as needed:​

Example:

vSmart(config)# policy lists    
vSmart(config-lists)# prefix-list list-name     
vSmart(config-lists-list-name)# ip-prefix prefix/length  
vSmart(config)# policy lists    
vSmart(config-lists)# tloc-list list-name    
vSmart(config-lists-list-name)# tloc address 
color color
encap encapsulation 
[preference value]    
vSmart(config)# policy lists    
vSmart(config-lists)# vpn-list list-name    
vSmart(config-lists-list-name)# vpn vpn-id
vsmart(config)# policy lists data-ipv6-prefix-list dest_ip_prefix_list
vsmart(config-data-ipv6-prefix-list-dest_ip_prefix_list)# ipv6-prefix 2001:DB8::/32
vsmart(config-data-ipv6-prefix-list-dest_ip_prefix_list)# commit
Commit complete.
vsmart(config)# policy data-policy data_policy_1 vpn-list vpn_1
vsmart (config-sequence-100)# match destination-data-ipv6-prefix-list dest_ip_prefix_list
vsmart (config-match)# commit
vsmart(config-match)# exit
vsmart(config-sequence-100)# match source-data-ipv6-prefix-list dest_ip_prefix_list
vm9(config-match)# commit
Commit complete.
vm9(config-match)# end
vsmart(config)# policy
vsmart(config-policy)#  data-policy data_policy_1
vsmart(config-data-policy-data_policy_1)# vpn-list vpn_1
vsmart(config-vpn-list-vpn_1)# sequence 101
vsmart(config-sequence-101)# match source-ipv6 2001:DB8::/32
vsmart(config-match)# exit
vsmart(config-sequence-101)# match destination-ipv6 2001:DB8::/32
vsmart(config-match)#
3.

Create a control policy instance:

Example:

vSmart(config)# policy control-policy policy-name    
vSmart(config-control-policy-policy-name)#
4.

Create a series of match–action pair sequences:

Example:

vSmart(config-control-policy-policy-name)# sequence
number    
vSmart(config-sequence-number)# 

The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).

5.

Define match parameters for routes and for TLOCs:

Example:

​​vSmart(config-sequence-number)# match route route-parameter    
vSmart(config-sequence-number)# match tloc tloc-parameter
6.

Define actions to take when a match occurs:

Example:

vSmart(config-sequence-number)# action reject    
vSmart(config-sequence-number)# action accept export-to (vpn
vpn-id | vpn-list list-name)    
vSmart(config-sequence-number)# action accept set omp-tag
number
vSmart(config-sequence-number)# action accept set
preference value
vSmart(config-sequence-number)# action accept set
service service-name 
(tloc ip-address | 
tloc-list list-name) 
[vpn vpn-id]
vSmart(config-sequence-number)# action accept set tloc
ip-address
color color 
[encap encapsulation]    
vSmart(config-sequence-number)# action accept set tloc-action
action
vSmart(config-sequence-number)# action accept set tloc-list list-name
Note

Match origin command is available only for Cisco vEdge devices but not on Cisco IOS XE Catalyst SD-WAN devices.

7.

Create additional numbered sequences of match–action pairs within the control policy, as needed.

8.

If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching routes to be accepted, configure the default action for the policy:

Example:

vSmart(config-policy-name)# default-action accept
9.

Apply the policy to one or more sites in the Cisco Catalyst SD-WAN overlay network:

Example:

vSmart(config)# apply-policy site-list
list-name
control-policy
policy-name (in | out)
10.

If the action you are configuring is a service, configure the required services on the Cisco IOS XE Catalyst SD-WAN device so that the Cisco Catalyst SD-WAN Controller knows how to reach the services:

Example:

vsmart(config)# policy data-policy data_policy_1 vpn-list vpn_1 sequence 100
vsmart(config-sequence-100)# action accept set next-hop-ipv6 2001:DB8::/32
vsmart(config-set)#

Specify the VPN is which the service is located and one to four IP addresses to reach the service device or devices. If multiple devices provide the same service, the device load-balances the traffic among them. Note that the Cisco IOS XE Catalyst SD-WAN device keeps track of the services, advertising them to the Cisco Catalyst SD-WAN Controller only if the address (or one of the addresses) can be resolved locally, that is, at the device's local site, and not learned through OMP. If a previously advertised service becomes unavailable, the Cisco IOS XE Catalyst SD-WAN device withdraws the service advertisement.


Configure a VPN membership data policy

The high-level steps for configuring a VPN membership data policy are shown below:

Procedure

1.

Create a list of overlay network sites to which the VPN membership policy is to be applied (in the apply-policy command):

Example:

vSmart(config)# policy​ 
vSmart (config-policy)# lists site-list list-name 
vSmart(config-lists-list-name)# site-id site-id

The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–). Create additional site lists, as needed.

2.

Create lists of IP prefixes and VPNs, as needed:

Example:

vSmart(config)# policy lists 
vSmart(config-lists)# data-prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length
vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id
vsmart(config)# policy lists data-ipv6-prefix-list dest_ip_prefix_list
vsmart(config-data-ipv6-prefix-list-dest_ip_prefix_list)# ipv6-prefix 2001:DB8:19::1
vsmart(config-data-ipv6-prefix-list-dest_ip_prefix_list)# commit
Commit complete.
vsmart(config)# policy data-policy data_policy_1 vpn-list vpn_1
vsmart (config-sequence-100)# match destination-data-ipv6-prefix-list dest_ip_prefix_list
vsmart (config-match)# commit
vsmart(config-match)# exit
vsmart(config-sequence-100)# match source-data-ipv6-prefix-list dest_ip_prefix_list
vm9(config-match)# commit
Commit complete.
vm9(config-match)# end
vsmart(config)# policy
vsmart(config-policy)# data-policy data_policy_1
vsmart(config-data-policy-data_policy_1)# vpn-list vpn_1
vsmart(config-vpn-list-vpn_1)# sequence 101
vsmart(config-sequence-101)# match source-ipv6 2001:DB8:19::1
vsmart(config-match)# exit
vsmart(config-sequence-101)# match destination-ipv6 2001:DB8:19::1
vsmart(config-match)#
3.

Create lists of TLOCs, as needed.

Example:

vSmart(config)# policy​
vSmart(config-policy)# lists tloc-list list-name
vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number}
4.

Define policing parameters, as needed:

Example:

vSmart(config-policy)# policer policer-name
vSmart(config-policer)# rate bandwidth
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action
5.

Create a data policy instance and associate it with a list of VPNs:

Example:

vSmart(config)# policy data-policy policy-name
vSmart(config-data-policy-policy-name)# vpn-list list-name
6.

Create a series of match–pair sequences:

Example:

vSmart(config-vpn-list)# sequence number
vSmart(config-sequence-number)# 

The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).

7.

Define match parameters for packets:

Example:

​​vSmart(config-sequence-number)# match parameters
8.

Define actions to take when a match occurs:

Example:

vSmart(config-sequence-number)# action (accept | drop) [count counter-name] [log] [tcp-optimization]
vSmart(config-sequence-number)# action acccept nat [pool number] [use-vpn 0]
vSmart(config-sequence-number)# action accept redirect-dns (host | ip-address)
vSmart(config-sequence-number)# action accept set parameters
vsmart(config)# policy data-policy data_policy_1 vpn-list vpn_1 sequence 100
vsmart(config-sequence-100)# action accept set next-hop-ipv6 2001:DB8:19::1
vsmart(config-set)#
9.

Create additional numbered sequences of match–action pairs within the data policy, as needed.

10.

If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching prefixed, configure the default action for the policy:

Example:

vSmart(config-policy-name)# default-action accept
11.

Apply the policy to one or more sites in the overlay network:

Example:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all |from-service | from-tunnel)

Centralized policies using classic policies

Centralized policies using classic policies are network management configurations that

  • use the Cisco SD-WAN Manager policy configuration wizard to guide policy creation and editing

  • consist of multiple operations including creating groups, configuring topology, and defining traffic rules, and

  • require activation for the centralized policy to take effect in the overlay network.

Configuration operations

The wizard consists of these operations that guide you through the process of creating and editing policy components:

  • Create Groups of Interest: Create lists that group together related items and that you call in the match or action components of a policy.

  • Configure Topology and VPN Membership: Create the network structure to which the policy applies.

  • Configure Traffic Rules: Create the match and action conditions of a policy.

  • Apply Policies to Sites and VPNs: Associate the policy with sites and VPNs in the overlay network.

  • Activate the centralized policy.

    For a centralized policy to take effect, you must activate the policy.

To configure centralized policies using Cisco SD-WAN Manager, use the steps identified in the procedures that follow this section.


Start the policy configuration wizard

Start the policy configuration wizard to create and configure centralized policies for your SD-WAN deployment.

The policy configuration wizard provides a guided interface for creating centralized policies. Use this procedure when you need to create new policies for traffic management, security, or service chaining.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

2.

Click Centralized Policy.

3.

Click Add Policy.

The policy configuration wizard appears, and the Create Groups of Interest window is displayed.

The policy configuration wizard opens with the Create Groups of Interest window displayed, ready for policy configuration.


Configure groups of interest for centralized policy

In Create groups of interest, create new groups of list types as described in the following sections to use in a centralized policy:

Procedure

1.

Configure application:

  1. In the groups of interest list, click Application list type.

  2. Click New Application List.

  3. Enter a name for the list.

  4. Choose either Application or Application Family.

    Application can be the names of one or more applications, such as Third Party Control, ABC News, Mircosoft Teams, and so on. The Cisco IOS XE Catalyst SD-WAN devices support about 2300 different applications. To list the supported applications, use the ? in the CLI.

    Application Family can be one or more of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.

    Note

    A single app-list can hold either app names or application families. It cannot hold more than 10 application families. When you try to put an application in atmost one app-list. When you have to reuse the application, keep the number of shared applications less than or equal to 10. Keep the number of lists in an applictaion less than or equal to five. Do not keep more than one shared app in the same list.

  5. In the Select drop-down, in the 'Search' filter, select the required applications or application families.

    A few application lists are preconfigured. You cannot edit or delete these lists.

    Microsoft_Apps—Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.

    Google_Apps—Includes Google applications, such as Gmail, Google maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.

2.

Configure color:

  1. In the groups of interest list, click Color.

  2. Click New Color List.

  3. Enter a name for the list.

  4. In the Select Color drop-down, in the 'Search' filter select the required colors.

    Colors can be: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

  5. Click Add.

    To configure multiple colors in a single list, you can select multiple colors from the drop-down.

3.

Configure community:

  1. In the group of interest list, click Community.

  2. Click New Community List.

  3. Enter a name for the community list.

  4. Choose either Standard or Expanded.

    • Standard community lists are used to specify communities and community numbers.

    • Expanded community lists are used to filter communities using a regular expression. Regular expressions are used to specify patterns to match community attributes.

  5. In the Add Community field, enter one or more data prefixes separated by commas in any of the following formats:

    • aa:nn: Autonomous System (AS) number and network number. Each number is a 2-byte value with a range from 1 to 65535.

    • internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices.

    • local-as: Routes in this community are not advertised outside the local AS number.

    • no-advertise: Attaches the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.

    • no-export: Attaches the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS or outside a BGP confederation boundary. To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.

  6. Click Add.

4.

Configure data prefix:

  1. In the Groups of Interest list, click Data Prefix.

  2. Click New Data Prefix List.

  3. Enter a name for the list.

  4. Choose either IPv4 or IPv6.

  5. In the Add Data Prefix field, enter one or more data prefixes separated by commas.

  6. Click Add.

5.

Configure policer:

  1. In the groups of interest list, click Policer.

  2. Click New Policer List.

  3. Enter a name for the list.

  4. Define the policing parameters:

    1. In the Burst field, enter the maximum traffic burst size, a value from 15,000 to 10,000,000 bytes.

    2. In the Exceed field, select the action to take when the burst size or traffic rate is exceeded. It can be drop, which sets the packet loss priority (PLP) to low.

      You can use the remark action to set the packet loss priority (PLP) to high.

    3. In the Rate field, enter the maximum traffic rate, a value from 0 through 264 – 1 bits per second (bps).

  5. Click Add.

    Note

    For ACL or data policy, even if the same policer object is used in different sequences, each sequence is policed separately. For example, consider that policer rate is 1000000 or 1Mb. If the same policer is set for multiple sequences then each sequence polices 1Mb traffic. If there are different policers configured for difference sequences, then each policer polices traffic based on the respective policing rate.

6.

Configure prefix:

  1. In the groups of interest list, click Prefix.

  2. Click New Prefix List.

  3. Enter a name for the list.

  4. In the Add Prefix field, enter one or more data prefixes separated by commas.

  5. Click Add.

7.

Configure site:

  1. In the groups of interest list, click Site.

  2. Click New Site List.

  3. Enter a name for the list.

  4. In the Add Site field, enter one or more site IDs separated by commas.

    For example, 100 or 200 separated by commas or in the range, 0 - 4294967295.

  5. Click Add.

8.

Configure app probe class:

  1. In the groups of interest list, click App Probe Class.

  2. Click New App Probe Class.

  3. Enter the probe class name in the Probe Class Name field.

  4. Select the required forwarding class from the Forwarding Class drop-down list.

  5. In the Entries pane, select the appropriate color from the Color drop-down list and enter the DSCP value.

    You can add more entries if needed by clicking on the + symbol.

  6. Click Save.

9.

Configure SLA class:

  1. In the groups of interest list, click SLA Class.

  2. Click New SLA Class List.

  3. Enter a name for the list.

  4. Define the SLA class parameters:

    1. In the Loss field, enter the maximum packet loss on the connection, a value from 0 through 100 percent.

    2. In the Latency field, enter the maximum packet latency on the connection, a value from 0 through 1,000 milliseconds.

    3. In the Jitter field, enter the maximum jitter on the connection, a value from 1 through 1,000 milliseconds.

    4. Select the required app probe class from the App Probe Class drop-down list.

  5. (Optional) Select the Fallback Best Tunnel checkbox to enable the best tunnel criteria.

    This optional field is available from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a to pick the best path or color from the available colors when SLA is not met. When this option is selected, you can choose the required criteria from the drop-down. The criteria are a combination of one or more of losses, latency, and, jitter values.

  6. Select the Criteria from the drop-down list. The available criteria are:

    • Latency

    • Loss

    • Jitter

    • Latency, Loss

    • Latency, Jitter

    • Loss, Latency

    • Loss, Jitter

    • Jitter, Latency

    • Jitter, Loss

    • Latency, Loss, Jitter

    • Latency, Jitter, Loss

    • Loss, Latency, Jitter

    • Loss, Jitter, Latency

    • Jitter, Latency, Loss

    • Jitter, Loss, Latency

  7. Enter the Loss Variance (%), Latency Variance (ms), and the Jitter Variance (ms) for the selected criteria.

  8. Click Add.

10.

Configure TLOC:

  1. In the groups of interest list, click TLOC.

  2. Click New TLOC List. The TLOC List popup displays.

  3. Enter a name for the list.

  4. In the TLOC IP field, enter the system IP address for the TLOC.

  5. In the Color field, select the TLOC's color.

  6. In the Encap field, select the encapsulation type.

  7. In the Preference field, optionally select a preference to associate with the TLOC.

    The range is 0 to 4294967295.

  8. Click Add TLOC to add another TLOC to the list.

  9. Click Save.

    Note

    To use the set tloc and set tloc-list commands, you must use the set-vpn command.

    For each TLOC, specify its address, color, and encapsulation. Optionally, set a preference value (from 0 to 232 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the highest preference value is used. If two or more TLOCs have the highest preference value, traffic is sent among them in an ECMP fashion.

    If IPsec preference is set on the local preferred color for an edge router, the local TLOC and the color does not overlap with the centralized policy configured with local color preference. The edge router with local TLOC preference takes the precedence. In this case, the preferred TLOC configured in centralized policy is not considered.

11.

Configure VPN:

  1. In the groups of interest list, click VPN.

  2. Click New VPN List.

  3. Enter a name for the list.

  4. In the Add VPN field, enter one or more VPN IDs separated by commas.

    For example, 100 and 200 separated by commas. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.

    Click Add.

12.

Configure region:

Minimum release: Cisco SD-WAN Release 20.7.1

To configure a list of regions for Multi-Region Fabric (formerly Hierarchical SD-WAN), ensure that Multi-Region Fabric is enabled in Administration > Settings.

  1. In the groups of interest list, click Region.

  2. Click New Region List.

  3. In the Region List Name field, enter a name for the region list.

  4. In the Add Region field, enter one or more regions, separated by commas, or enter a range.

    For example, specify regions 1, 3 with commas, or a range 1-4.

  5. Click Add.

    Click Next to move to Configure Topology and VPN Membership in the wizard.

13.

Configure preferred color group:

You can configure the order of transport preference to choose the preference order for forwarding traffic.

The Preferred Color Group is supported only on overlay traffic but not on DIA traffic.

  1. In the groups of interest list, click Preferred Color Group.

  2. Click New Preferred Color Group.

  3. In the Preferred Color Group Name field, enter a name for the preferred color group.

  4. In the Primary Colors pane, do the following:

    1. Choose the color preference from the Color Preference drop-down list.

    2. Choose the path preference from the Path Preference drop-down list.

    Field

    Description

    Preferred Color Group Name

    Enter a name of the preferred color group.

    Color Preference

    Choose the color preference from the drop-down list. The options are:

    • default

    • 3g

    • biz-internet

    • blue

    • bronze

    • custom1

    • custom2, and so on

    You can select multiple colors.

    Path Preference

    Choose the path preference from the drop-down list. The options are:

    • Direct Path: Use only a direct path between the source and the destination devices.

    • Multi Hop Path: In a Multi-Region Fabric network, use a multi-hop path, which includes the core region, between the source and destination devices, even if a direct path is available.

    • All Paths: Use any path between the source and destination devices.

      Note

      This option is equivalent to not configuring path preference at all. If you are applying the policy to a non-Multi-Region Fabric network, use this option.

  5. In the Secondary Colors pane, do the following:

    1. Choose the color preference in the Color Preference drop-down list.

    2. Choose the path preference from the Path Preference drop-down list.

  6. In the Tertiary Colors pane, do the following:

    1. Choose the color preference from the Color Preference drop-down list.

    2. Choose the path preference from the Path Preference drop-down list.

  7. Click Add.

    The following guidelines are helpful when configuring the ranking for colors:

    • Primary preference is mandatory, and at each priority level, at least one preference path or color is mandatory. Both can also be configured.

    • More than one color can be configured as a preference.

    • If path preference is not configured, all paths are constrained by the preferred colors that are available.

    • If color preference is not configured within the constraint of the path preference, then all the colors are available.

    • The preferences apply in order of priority to determine the path or color for forwarding traffic.

    When the primary, secondary, and tertiary colors are down, packets are not dropped. The traffic falls back to the usual routing preference to choose if any other colors are up.


Integrating WAN insight (WANI) into Cisco SD-WAN Manager

Integrating WAN insight (WANI) into Cisco SD-WAN Manager is a cloud-based analytics service integration that

  • provides comprehensive insights into application and network performance for Cisco Catalyst SD-WAN

  • enables Predictive Path Recommendations to be applied to actionable centralized AAR policy to influence forwarding decisions, and

  • applies recommendations as TLOC preferences in AAR policies pushed to Cisco SD-WAN Controller.

Implementation details

Cisco SD-WAN Analytics collects and stores metadata about traffic flows in its cloud storage and produces analytics based on this collected data. The analytics service is available with Cisco DNA Advantage and Cisco DNA Premier software subscriptions. Predictive Path Analytics generates recommendations for path based on long term insights. These recommendations need to be converted into policy created manually on Cisco SD-WAN Manager and then applied to the network.

The Predictive Path Recommendations feature allows you to apply active recommendations to the actionable centralized AAR policy to influence the forwarding decisions in the Cisco Catalyst SD-WAN network.

For more information about using Predictive Path Recommendations, see Predictive Path Recommendations.

To apply predictive path recommendations when there are recommendations in Cisco SD-WAN Analytics:

  1. In the Cisco SD-WAN Manager menu, click the bell icon at the top-right corner. The Notifications pane is displayed with active alarms.

  2. If there are any Active Recommendations in the Notifications pane, click on the site to view the recommendations. Alternatively, you can view from the Cisco SD-WAN Manager menu, click Analytics > Predictive Networks.

  3. Click Active Recommendations, and then click Apply.

  4. In the Apply Predictive Path Recommendations window, click Proceed to Apply to apply new recommendations.

    You can review the applied recommendations in the Cisco SD-WAN Manager generated configs and push the recommendations to Cisco SD-WAN Controller.

Points to consider when integrating WAN insight:

  • Cisco SD-WAN Manager pulls recommendations when you log in. If you want to update the recommendations, refresh the page or log in again.

  • Cisco SD-WAN Manager support recommendations for application lists which are associated with some AAR policy only. If AAR Policy does not exist for a given application list, the recommendations are not valid and policy processing is not done.

  • WAN Insights generates recommendations for standard App Groups even when the AAR Policy is not defined. However, the policy automation is not done since AAR policy is not defined.

  • When for the same site and application list, if WANI generates a terminate for a recommendation which is applied and also generates another recommendation, the recommendations are applied based on the preferences.

  • Application of WANI recommendations for Cloud OnRamp for SaaS is not supported.


Predictive path recommendations

WAN Insights (WANI) allows you to track the performance of your current network setup and tune your policies and paths to achieve the best user experience. Predictive path recommendations influence AAR policy TLOC preferences.

WAN Insights is a predictive network optimization tool that uses a statistical model to examine historical data from Cisco Catalyst SD-WAN, in order to find the best paths for application traffic. WANI analyzes the telemetry data exported during application traffic flows, and then generates long-term recommendations for paths that would reduce the probability of experiencing an SLA violation (for example, low-quality performance).

Predictive network associates some SLA with each application list that is defined in the AAR policy in order to detect SLA violations for the applications. This is used to calculate a probability of SLA violation on a given site and TLOC and generates recommendations.

For more information about configuring group of interest for data policies, see Configure Groups of Interest for Centralized Policy.


Configure topology and VPN membership

Configure network topology to define the communication patterns between sites in your SD-WAN deployment and establish VPN membership for routing policies.

When you first open the Configure Topology and VPN Membership window, the Topology window is displayed by default.

You can configure three types of topologies: Hub-and-Spoke for centralized communication, Mesh for full connectivity between sites, and Custom Control for advanced route and TLOC control policies.

Procedure

1.

Configure a hub-and-spoke topology.

Hub-and-Spoke

  1. In the Add Topology drop-down, select Hub-and-Spoke.

  2. Enter a name for the hub-and-spoke policy.

  3. Enter a description for the policy.

  4. In the VPN List field, select the VPN list for the policy.

  5. In the left pane, click Add Hub-and-Spoke. A hub-and-spoke policy component containing the text string My Hub-and-Spoke is added in the left pane.

  6. Double-click the My Hub-and-Spoke text string, and enter a name for the policy component

  7. In the right pane, add hub sites to the network topology:

    1. Click Add Hub Sites.

    2. In the Site List field, select a site list for the policy component.

    3. Click Add.

    4. Repeat these steps to add more hub sites to the policy component.

  8. In the right pane, add spoke sites to the network topology:

    1. Click Add Spoke Sites.

    2. In the Site List Field, select a site list for the policy component.

    3. Click Add.

    4. Repeat these steps to add more spoke sites to the policy component.

  9. Repeat steps as needed to add more components to the hub-and-spoke policy.

  10. Click Save Hub-and-Spoke Policy.

2.

Configure a mesh topology.

Mesh

  1. In the Add Topology drop-down, select Mesh.

  2. Enter a name for the mesh region policy component.

  3. Enter a description for the mesh region policy component.

  4. In the VPN List field, select the VPN list for the policy.

  5. Click New Mesh Region.

  6. In the Mesh Region Name field, enter a name for the individual mesh region.

  7. In the Site List field, select one or more sites to include in the mesh region.

  8. Click Add.

  9. Repeat these steps to add more mesh regions to the policy.

  10. Click Save Mesh Topology.

3.

Configure a custom control policy for route control.

Custom Control (Route & TLOC): Centralized route control policy (for matching OMP routes)

  1. In the Add Topology drop-down, select Custom Control (Route & TLOC).

  2. Enter a name for the control policy.

  3. Enter a description for the policy.

  4. In the left pane, click Sequence Type. The Add Custom Control Policy popup displays.

  5. Select Route. A policy component containing the text string Route is added in the left pane.

  6. Double-click the Route text string, and enter a name for the policy component.

  7. In the right pane, click Sequence Rule. The Match/Actions box opens, and Match is selected by default.

  8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired.

  9. Click Actions. The Reject option is selected by default. To configure actions to perform on accepted packets, click the Accept option. Then select the action or enter a value for the action.

  10. Click Save Match and Actions.

  11. Click Sequence Rule to configure more sequence rules, as desired. Drag and drop to re-order them.

  12. Click Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.

  13. Click Save Control Policy.

4.

Configure a custom control policy for TLOC control.

Custom Control (Route & TLOC): Centralized TLOC control policy (for matching TLOC routes)

  1. In the Add Topology drop-down, select Custom Control (Route & TLOC).

  2. Enter a name for the control policy.

  3. Enter a description for the policy.

  4. In the left pane, click Sequence Type. The Add Custom Control Policy popup displays.

  5. Select TLOC. A policy component containing the text string TLOC is added in the left pane.

  6. Double-click the TLOC text string, and enter a name for the policy component.

  7. In the right pane, click Sequence Rule. The Match/Actions box opens, and Match is selected by default.

  8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired.

  9. Click Actions. The Reject option is selected by default. To configure actions to perform on accepted packets, click the Accept option. Then select the action or enter a value for the action.

  10. Click Save Match and Actions.

  11. Click Sequence Rule to configure more sequence rules, as desired. Drag and drop to re-order them.

  12. Click Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.

  13. Click Save Control Policy.

The topology and VPN membership configuration is saved. A centralized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route or TLOC is analyzed by the match–action pairs in the policy.

Note

Sequence can have either match app-list or dns-app-list configured for a policy, but not both. Configuring both match app-list and dns-app-list for a policy is not supported.

Each sequence in a centralized control policy can contain one match condition (either for a route or for a TLOC​) and one action condition.

Note

The Cisco Catalyst SD-WAN policy supports maximum up to 1024 sequences, including default sequence.

If a selected route or TLOC does not match any of the match conditions in a centralized control policy, a default action is applied to it. By default, the route or TLOC is rejected.

If a selected data packet does not match any of the match conditions in a data policy, a default action is applied to the packet. By default, the data packet is dropped.


Import existing topology

Import an existing topology to reuse previously configured network structures and policies.

Use this procedure when you need to incorporate a topology that was previously created and configured in your environment.

Before you begin

Follow these steps to import existing topology:

Procedure

1.

In the Add Topology drop-down, click Import Existing Topology.

The Import Existing Topology popup appears.

2.

Select the type of topology.

3.

For Policy Type, choose the name of the topology you want to import.

4.

In the Policy drop-down, select a policy to import.

Note

The policy configuration wizard does not let you import an already configured policy as in other instances of centralized policies (data, control, or application-aware routing). The policy must be configured in its entirety.

5.

Click Import.

6.

Click Next to move to Configure Traffic Rules in the wizard.

The existing topology is imported and you can proceed to configure traffic rules in the wizard.


Create a VPN membership policy

Create a VPN membership policy to establish which sites can access specific VPNs in your network topology.

VPN membership policies define the relationship between site lists and VPN lists in your network configuration. Only one VPN membership policy can be added at a time, so all required site lists and VPN lists must be included in a single policy.

Procedure

1.

In the Specify your network topology area, click VPN Membership.

2.

Click Add VPN Membership Policy.

Note

You can add only one VPN membership at a time, therefore all site lists and VPN lists must be included in a single policy.

The Add VPN Membership Policy popup displays.

3.

Enter a name and description for the VPN membership policy.

4.

In the Site List field, select the site list.

5.

In the VPN Lists field, select the VPN list.

6.

Click Add List to add another VPN to the VPN membership.

7.

Click Save.

8.

Click Next to move to Configure Traffic Rules in the wizard.

The VPN membership policy is created and you can proceed to configure traffic rules for your network topology.


Configure traffic rules

When you first open the Configure Traffic Rules window, Application-Aware Routing is selected by default.

You can also view already created AAR routing policies listed in the page. It provides various information related to the policies such as the Name of the policy, Type, Mode, Description, Update By, and Last Updated details.

Note

You can refer to the Mode column for the security status details of the policy. The status helps to differentiate whether the policy is used in unified security or not. The mode status is applicable only for security policies and not relevant to any centralized or localized policies.

For more information on configuring traffic rules for the Cisco SD-WAN Manager Application Intelligence Engine (SAIE) flow, see the SD-WAN Application Intelligence Engine Flow section in the Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 26.x.

Before you begin

In Cisco SD-WAN Release 20.7.1 and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.

Procedure

1.

Click Traffic Data.

2.

Click the Add Policy drop-down.

3.

Click Create New. The Add Data Policy window displays.

4.

Enter a name and a description for the data policy.

5.

In the right pane, click Sequence Type. The Add Data Policy popup opens.

6.

Select the type of data policy you want to create, Application Firewall, QoS, Traffic Engineering, or Custom.

Note

If you want to configure multiple types of data policies for the same match condition, you need to configure a custom policy.

7.

A policy sequence containing the text string Application, Firewall, QoS, Traffic Engineering, or Custom is added in the left pane.

8.

Double-click the text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane.

9.

In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.

Note

Adding multiple application matches, subnet matches, or combining several match conditions in a single sequence may increase the total filter count beyond the allowed maximum.

If this total filter count is reached, an error message Filter count exceeded MAX (64) is displayed when applying a data policy configuration.

Match Condition Procedure
None (match all packets) Do not specify any match conditions.
Applications /Application Family List
  1. In the Match conditions, click Applications/Application Family List.

  2. In the drop-down, select the application family.

  3. To create an application list:

    1. Click New Application List.

    2. Enter a name for the list.

    3. Click Application to create a list of individual applications. Click Application Family to create a list of related applications.

    4. In the Select Application drop-down, select the desired applications or application families.

    5. Click Save.

This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1.

Destination Data Prefix
  1. In the Match conditions, click Destination Data Prefix.

  2. To match a list of destination prefixes, select the list from the drop-down.

  3. To match an individual destination prefix, enter the prefix in the Destination: IP Prefix field.

Destination Port
  1. In the Match conditions, click Destination Port.

  2. In the Destination Port field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

DNS Application List

Add an application list to enable split DNS.

  1. In the Match conditions, click DNS Application List.

  2. In the drop-down, select the application family.

This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1.

DNS

Add an application list to process split DNS.

  1. In the Match conditions, click DNS.

  2. In the drop-down, select Request to process DNS requests for the DNS applications, and select Response to process DNS responses for the applications.

DSCP
  1. In the Match conditions, click DSCP.

  2. In the DSCP field, type the DSCP value, a number from 0 through 63.

Packet Length
  1. In the Match conditions, click Packet Length.

  2. In the Packet Length field, type the length, a value from 0 through 65535.

PLP
  1. In the Match conditions, click PLP to set the Packet Loss Priority.

  2. In the PLP drop-down, select Low or High. To set the PLP to High, apply a policer that includes the exceed remark option.

Protocol
  1. In the Match conditions, click Protocol.

  2. In the Protocol field, type the Internet Protocol number, a number from 0 through 255.

ICMP Message

To match ICMP messages, in the Protocol field, set the Internet Protocol Number to 1, or 58, or both.

Note

This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.4.1a, Cisco SD-WAN Release 20.4.1.

Source Data Prefix
  1. In the Match conditions, click Source Data Prefix.

  2. To match a list of source prefixes, select the list from the drop-down.

  3. To match an individual source prefix, enter the prefix in the Source field.

Source Port
  1. In the Match conditions, click Source Port.

  2. In the Source field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

TCP
  1. In the Match conditions, click TCP.

  2. In the TCP field, syn is the only option available.

10.

For QoS and Traffic Engineering data policies: From the Protocol drop-down list, select IPv4 to apply the policy only to IPv4 address families, IPv6 to apply the policy only to IPv6 address families, or Both to apply the policy to IPv4 and IPv6 address families.

11.

To select one or more Match conditions, click its box and set the values as described.

Note

Not all match conditions are available for all policy sequence types.

12.

To select actions to take on matching data traffic, click the Actions box.

13.

To drop matching traffic, click Drop. The available policy actions are listed in the right side.

14.

To accept matching traffic, click Accept. The available policy actions are listed in the right side.

15.

Set the policy action as described.

Note

Not all actions are available for all match conditions.

Note

If IPv4 packet contains non-initial fragment of UDP or TCP datagram, it has no L4 ports information available because there is no UDP or TCP header. For such fragments destination-port or source-port match is ignored.

In the following example, all the UDP packets to destination port 161 and any other IPv4 packets having protocol ID field in IPv4 header set to 17 with IPv4 header having fragment-offset set will be dropped.

policy
 app-visibility
 access-list SDWAN_101
  sequence 100
   match
    destination-port 161
    protocol         17
   !
   action drop
   !
  !
Action Condition Description Procedure
Counter Count matching data packets.
  1. In the Action conditions, click Counter.

  2. In the Counter Name field, enter the name of the file in which to store packet counters.

DSCP Assign a DSCP value to matching data packets.
  1. In the Action conditions, click DSCP.

  2. In the DSCP field, type the DSCP value, a number from 0 through 63.

Forwarding Class Assign a forwarding class to matching data packets.
  1. In the Match conditions, click Forwarding Class.

  2. In the Forwarding Class field, type the class value, which can be up to 32 characters long.

Log

Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco Catalyst SD-WAN Control Components Release 20.11.1

Click Log to enable logging.

When (DP, AAR or ACL) data policy packets are configured with log action, logs generated and logged to syslog. Due to the global log-rate-limit, not all logs are logged. A syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.

  1. In the Action conditions, click Log to enable logging.

Policer Apply a policer to matching data packets.
  1. In the Match conditions, click Policer.

  2. In the Policer drop-down field, select the name of a policer.

Loss Correction

Apply loss correction to matching data packets.

Forward Error Correction (FEC) recovers lost packets on a link by sending redundant data, enabling the receiver to correct errors without the need to request retransmission of data.

FEC is supported only for IPSEC tunnels, it is not supported for GRE tunnels.

  • FEC Adaptive – Corresponding packets are subjected to FEC only if the tunnels that they go through have been deemed unreliable based on measured loss.

    If you choose FEC Adaptive, an additional field, Loss Threshold, displays that allows you to specify the packet loss threshold for automatically enabling FEC.

    Adaptive FEC starts to work at 2% packet loss; this value is configurable.

    You can specify a loss threshold of 1 to 5%. The default packet loss threshold is 2%.

  • FEC Always – Corresponding packets are always subjected to FEC.

  • Packet Duplication – Sends duplicate packets over a single tunnel. If more than one tunnel is available, duplicated packets will be sent over the tunnel with the best parameters.

  1. In the Match conditions, click Loss Correction.

  2. In the Loss Correction field, select FEC Adaptive, FEC Always, or Packet Duplication.

Click Save Match and Actions.
16.

Create additional sequence rules as desired. Drag and drop to re-arrange them.

17.

Click Save Data Policy.

18.

Click Next to move to Apply Policies to Sites and VPNs in the wizard.


Match parameters - control policy

For OMP AND TLOC routes, you can match attributes to control routing behavior AND traffic flow in your SD-WAN network.

Table 1. Control policy match parameters

Match Condition

Description

Color List

One OR more colors. The available colors are: 3g, biz-internet, blue, bronze, custom1,custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red AND silver.

Community List

List of one OR more BGP communities. In the Community List field, you can specify:

aa:nn: AS number AND network number. Each number is a 2-byte value with a range from 1 to 65535.

internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices.

local-AS: Routes in this community are not advertised outside the local AS.

NO-ADVERTISE: Attach the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.

NO-EXPORT: Attach the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS OR outside a BGP confederation boundary. To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.

Types

Specifies the community type. Choose Standard to specify communities AND community numbers OR, Expanded to filter communities using a regular expression. Regular expressions are used to specify patterns to match community attributes.

Criteria OR

Compares each regex string in the community list against the community string of the route.

The OR condition is applicable across multiple community lists AND is valid for all devices.

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, the Community Types AND Criteria fields are available.

OMP Tag

Tag value associated with the route OR prefix in the routing database on the device.

The range is 0 through 4294967295.

Origin

Protocol from which the route was learned.

Originator

IP address from which the route was learned.

Path Type

In a Hierarchical SD-WAN architecture, match a route by its path type, which can be one of the following:

  • Hierarchical Path: A route that includes hops from an access region to a border router, through region 0, to another border router, then to an edge router in a different access region

  • Direct Path: A direct path route from one edge router to another edge router.

  • Transport Gateway Path: A route that is re-originated by a router that has transport gateway functionality enabled.

Note

This option is available beginning with Cisco vManage Release 20.8.1.

Preference

How preferred a prefix is. This is the preference value that the route OR prefix has in the local site, that is, in the routing database on the device. A higher preference value is more preferred.The range is 0 through 255.

Prefix List

One OR more prefixes. Specifies the name of a prefix list.

Not available in Cisco SD-WAN Manager.

One OR more overlay network site identifiers.

Site

Individual site identifier.

The range is 0 through 4294967295.

Region

Region defined for Hierarchical SD-WAN.

The range is 1 to 63.

Note

This option is available beginning with Cisco vManage Release 20.7.1.

Role

In a Hierarchical SD-WAN architecture, match by the device type, which can be Border Router OR Edge Router.

Note

This option is available beginning with Cisco vManage Release 20.8.1.

TLOC

Individual TLOC address.

Note

To use the set TLOC AND set TLOC-list commands, you must use the set-VPN command.

VPN

Individual VPN identifier. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.

When a policy is pushed with duplicate VPN IDs, the latest VPN ID overwrites the first one. However, starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.5, the first one is not overridden.

Carrier

Carrier for the control traffic. Values are: default, carrier1 through carrier8.

Domain ID

Domain identifier associated with a TLOC.

The range is 0 through 4294967295.

OMP Tag

Tag value associated with the TLOC route in the route table on the device.

The range is 0 through 4294967295.

Site

Individual site contributor OR more overlay network site identifiers..

The range is 0 through 4294967295.

In the CLI, you configure the OMP route attributes to match with the policy control-policy sequence match route command, AND you configure the TLOC attributes to match with the policy control-policy sequence match TLOC command.


Match parameters - data policy

A centralized data policy can match IP prefixes and fields in the IP headers, as well as applications. You can also enable split DNS.

Each sequence in a policy can contain one or more match conditions.

Table 2.
Match Condition Description

Omit

Match all packets.

Applications/Application Family List

Applications or application families.

This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1.

Destination Data Prefix

Group of destination prefixes, IP prefix and prefix length. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Destination Region

Choose one of the following:

  • Primary: Match traffic if the destination device is in the same primary region (also called access region) as the source. This traffic reaches the destination using a multi-hop path, through the core region.

  • Secondary: Match traffic if the destination device is not in the same primary region as the source but is within the same secondary region as the source. This traffic can reach the destination using a direct tunnel, as described for secondary regions.

  • Other: Match traffic if the destination device is not in the same primary region or secondary region as the source. This traffic requires a multi-hop path from the source to the destination.

Note

Minimum releases: Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, Cisco SD-WAN Release 20.9.1

DNS Application List Enables split DNS, to resolve and process DNS requests and responses on an application-by-application basis. Name of an app-list list . This list specifies the applications whose DNS requests are processed.

This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1.

DNS

Specify the direction in which to process DNS packets. To process DNS requests sent by the applications (for outbound DNS queries), specify dns request . To process DNS responses returned from DNS servers to the applications, specify dns response .

DSCP

Specifies the DSCP value.

Packet length

Specifies the packet length. The range is 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]).
Packet Loss Priority (PLP) Specifies the packet loss priority. By default, packets have a PLP value of low . To set the PLP value to high , apply a policer that includes the exceed remark option.

Protocol

Specifies Internet protocol number. The range is 0 through 255.

ICMP Message

For Protocol IPv4 when you enter a Protocol value as 1, the ICMP Message field displays where you can select an ICMP message to apply to the data policy. Likewise, the ICMP Message field displays for Protocol IPv6 when you enter a Protocol value as 58.

When you select Protocol as Both, the ICMP Message or ICMPv6 Message field displays.

Note

This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.4.1a and Cisco SD-WAN Release 20.4.1 .

Source Data Prefix

Specifies the group of source prefixes or an individual source prefix.

Source Port

Specifies the source port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

TCP Flag

Specifies the TCP flag, syn.

Traffic To

In a Multi Region Fabric architecture, match border router traffic flowing to the access region that the border router is serving, the core region, or a service VPN.

Note

Minimum release: Cisco SD-WAN Release 20.8.1

Note

If IPv4 packet contains non-initial fragment of UDP or TCP datagram, it has no L4 ports information available because there is no UDP or TCP header. For such fragments destination-port or source-port match is ignored.

In the following example, all the UDP packets to destination port 161 and any other IPv4 packets having protocol ID field in IPv4 header set to 17 with IPv4 header having fragment-offset set will be dropped.

policy
 app-visibility
 access-list SDWAN_101
  sequence 100
   match
    destination-port 161
    protocol         17
   !
   action drop
   !
  !
Table 3. ICMP Message Types/Codes and Corresponding Enumeration Values

Type

Code

Enumeration

0 0 echo-reply
3 unreachable
0 net-unreachable
1 host-unreachable
2 protocol-unreachable
3 port-unreachable
4 packet-too-big
5 source-route-failed
6 network-unknown
7 host-unknown
8 host-isolated
9 dod-net-prohibited
10 dod-host-prohibited
11 net-tos-unreachable
12 host-tos-unreachable
13 administratively-prohibited
14 host-precedence-unreachable
15 precedence-unreachable
5 redirect
0 net-redirect
1 host-redirect
2 net-tos-redirect
3 host-tos-redirect
8 0 echo
9 0 router-advertisement
10 0 router-solicitation
11 time-exceeded
0 ttl-exceeded
1 reassembly-timeout
12 parameter-problem
0 general-parameter-problem
1 option-missing
2 no-room-for-option
13 0 timestamp-request
14 0 timestamp-reply
40 0 photuris
42 0 extended-echo
43 extended-echo-reply
0 echo-reply-no-error
1 malformed-query
2 interface-error
3 table-entry-error
4 multiple-interface-match
Table 4. ICMPv6 Message Types/Codes and Corresponding Enumeration Values
Type Code Enumeration
1 unreachable
0 no-route
1 no-admin
2 beyond-scope
3 destination-unreachable
4 port-unreachable
5 source-policy
6 reject-route
7 source-route-header
2 0 packet-too-big
3 time-exceeded
0 hop-limit
1 reassembly-timeout
4 parameter-problem
0 Header
1 next-header
2 parameter-option
128 0 echo-request
129 0 echo-reply
130 0 mld-query
131 0 mld-report
132 0 mld-reduction
133 0 router-solicitation
134

0

router-advertisement

135 0 nd-ns
136 0 nd-na
137 0 redirect

138

router-renumbering
0 renum-command
1 renum-result
255 renum-seq-number
139 ni-query
0 ni-query-v6-address
1 ni-query-name
2 ni-query-v4-address
140 ni-response
0 ni-response-success
1 ni-response-refuse
2

ni-response-qtype-unknown

141 0 ind-solicitation
142 0

ind-advertisement

143 mldv2-report
144 0 dhaad-request
145 0 dhaad-reply
146 0 mpd-solicitation
147 0

mpd-advertisement

148 0 cp-solicitation
149 0

cp-advertisement

151 0

mr-advertisement

152 0 mr-solicitation
153 0 mr-termination
155 0 rpl-control

Action parameters - control policy

For each match condition, you configure a corresponding action to take if the route or TLOC matches for a control policy. In the CLI, you configure actions with the policy control-policy action command. Each sequence in a centralized control policy can contain one action condition.

In the action, you first specify whether to accept or reject a matching route or TLOC:

Description

Cisco SD-WAN Manager

Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

Click Accept.

Discard the packet.

Click Reject.

Then, for a route or TLOC that is accepted, you can configure these actions:

Action Condition

Description

Export To

Export the route the the specified VPN or list of VPNs (for a match route match condition only).

The range is 0 through 65535 or list name.

OMP Tag

Change the tag string in the route, prefix, or TLOC.

The range is 0 through 4294967295.

Preference

Change the preference value in the route, prefix, or TLOC to the specified value. A higher preference value is more preferred. The range is 0 through 255.

Service

Specify a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2, netsvc3, netsvc4

Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the VPN service configuration command.

TLOC

Change the TLOC address, color, and encapsulation to the specified address and color.

For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec. Optionally, set a preference value (from 0 to 232 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the highest preference value is used. If two or more of TLOCs have the highest preference value, traffic is sent among them in an ECMP fashion.

TLOC Action

Direct matching routes or TLOCs using the mechanism specified by action, and enable end-to-end tracking of whether the ultimate destination is reachable.

Setting the TLOC action option enables the Cisco Catalyst SD-WAN Controller to perform end-to-end tracking of the path to the ultimate destination device.

Note

The preference command controls the preference for directing inbound and outbound traffic to a tunnel. The preference can be a value from 0 through 4294967295 (232 – 1), and the default value is 0. A higher value is preferred over a lower value.

When a Cisco vEdge device has two or more tunnels, if all the TLOCs have the same preference and no policy is applied that affects traffic flow, all the TLOCs are advertised into OMP. When the router transmits or receives traffic, it distributes traffic flows evenly among the tunnels, using ECMP.


Action parameters - data policy

When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped. Then, you can associate parameters with accepted packets.

In the CLI, you configure the action parameters with the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain one action condition.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Action Condition

Description
Click Accept Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

Cflowd

Enables cflowd traffic monitoring.

Counter

Counts the accepted or dropped packets. Specifies the name of a counter. Use the show policy access-lists counters command on the Cisco IOS XE Catalyst SD-WAN device.

Click Drop

Discards the packet. This is the default action.

Log

Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1.

Click Log to enable logging.

When (DP, AAR or ACL) data policy packets are configured with log action, logs generated and logged to syslog. Due to the global log-rate-limit, not all logs are logged. A syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.

For information on policy log-rate-limit CLI, see policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide.

Redirect DNS

Redirects DNS requests to a particular DNS server or Umbrella. Redirecting requests is optional, but if you do so, you must specify both actions.

For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN.

For an outbound policy, specify the IP address of the DNS server.

redirect-dns umbrella is only supported in Direct Internet Interface (DIA) use cases. It is not supported in SIG/SSE or overlay scenarios. When using redirect-dns umbrella , you do not need to explicitly configure nat use-vpn 0 .

Note

When you upgrade to releases later than Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, you must configure redirect DNS through nat use-vpn 0 to redirect DNS to Direct Internet Interface (DIA).

Note

You can set only local TLOC preferences with redirect-dns as actions on the same sequence, but not remote TLOC.

Note

You cannot configure Redirect DNS and SIG at the same time.

NAT DIA fallback and redirect-dns IP actions are supported at the same time in data policy beginning with Cisco IOS XE Catalyst SD-WAN Release 26.1.1.

Note
  1. Starting from Cisco IOS XE Release 17.15.5, data policy action redirect-dns IP supports SIG/SSE. You can configure sig-action sse action along with redirect-dns IP action. Data policy action redirect-dns umbrella supports Direct Internet Interface (DIA). You can configure nat use-vpn 0 action along with redirect-dns umbrella action.

  2. Starting from Cisco IOS XE Catalyst SD-WAN Release 26.1.1, data policy action redirect-dns IP supports direct internet interface fallback. You can configure nat use-van 0 and nat fallback action along with redirect-dns IP action.

TCP Optimization

Fine-tune TCP to decrease round-trip latency and improve throughout for matching TCP traffic.
Secure Internet Gateway

Redirect application traffic to a SIG.

Note

Before you apply a data policy for redirecting application traffic to a SIG, you must have configured the SIG tunnels.

For more information on configuring Automatic SIG tunnels, see Automatic Tunnels . For more information on configuring Manual SIG tunnels, see Manual Tunnels.

Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all SIG tunnels are down. This option is introduced in Cisco IOS XE Catalyst SD-WAN Release 17.8.1a and Cisco SD-WAN Release 20.8.1 .

Note

On Cisco IOS XE Catalyst SD-WAN devices, all the ongoing optimized flows are dropped when the TCP Optimization is removed.

Then, for a packet that is accepted, the following parameters can be configured:

Action Condition

Description

Cflowd

Enables cflowd traffic monitoring.

NAT Pool or NAT VPN

Enables NAT functionality, so that traffic can be redirected directly to the internet or other external destination. You can configure up to 31 (1–31) NAT pools per router.

DSCP

DSCP value. The range is 0 through 63.

Forwarding Class

Name of the forwarding class.

Local TLOC

Enables sending packets to one of the TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1,custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red and silver.

The encapsulation options are: ipsec and gre.

By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.

By default, encapsulation is ipsec.

Next Hop

Sets the next hop IP address to which the packet should be forwarded.
Note
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco SD-WAN Release 20.5.1, the Use Default Route when Next Hop is not available field is available next to the Next Hop action parameter. This option is available only when the sequence type is Traffic Engineering or Custom, and the protocol is either IPv4 or IPv6, but not both.

Policer

Applies a policer. Specifies the name of policer configured with the policy policer command.

Service

Specifies a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Standard services: FW, IDS, IDP

Custom services: netsvc1, netsvc2,netsvc3, netsvc4

TLOC list is configured with a policy lists tloc-list list.

Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the vpn service command.

TLOC

Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.

Click Accept, then action VPN.

Set the VPN that the packet is part of. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.
Note

Data policies are applicable on locally generated packets, including routing protocol packets, when the match conditions are generic.

Example configuration:

sequence 21
   match
    source-ip 10.0.0.0/8
   action accept

In such situations, it may be necessary to add a sequence in the data policy to escape the routing protocol packets. For example to skip OSPF, use the following configuration:

sequence 20
   match
    source-ip 10.0.0.0/8 
    protocol  89
   action accept
sequence 21
   match
    source-ip 10.0.0.0/8
   action accept

The following table describes the IPv4 and IPv6 actions.

Table 5.

IPv4 Actions

IPv6 Actions

drop, dscp, next-hop (from-service only)/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only)

N/A

App-route preferred color, app-route sla strict, cflowd, nat, redirect-dns

N/A

N/A

drop, dscp, next-hop/vpn, count, forwarding class, policer (only in interface ACL)

App-route SLA (only), App-route preferred color, app-route sla strict

policer (DataPolicy), tcp-optimization, fec-always,

policer (DataPolicy)

tloc, tloc-list (set tloc, set tloc-list)

tloc, tloc-list (set tloc, set tloc-list)

App-Route backup-preferred color, local-tloc, local-tloc-list

App-Route backup-preferred color, local-tloc, local-tloc-list

Apply policies to sites and VPNs

Apply policies to specific sites and VPNs to control network behavior and traffic management across your SD-WAN infrastructure.

Use the Apply Policies to Sites and VPNs page to associate configured policies with specific network locations and VPN segments. Different policy blocks require different site and VPN list associations based on their functionality.

Procedure

1.

In the Policy Name field, enter a name for the policy.

This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.

2.

In the Policy Description field, enter a description of the policy.

It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.

3.

Associate the policy with VPNs and sites.

The choice of VPNs and sites depends on the type of policy block:

Table 6. Policy block associations

If policy block type is...

Then...

Topology

Click New Site List, Inbound Site List, Outbound Site List, or VPN List. Some topology blocks might have no Add buttons. Choose one or more site lists, and choose one or more VPN lists. Click Add.

Application-Aware Routing

Click New Site List and VPN list. Choose one or more site lists, and choose one or more VPN lists. Click Add.

Traffic Data

Click New Site List and VPN List. Choose the direction for applying the policy (From Service, From Tunnel, or All), choose one or more site lists, and choose one or more VPN lists. Click Add.

cflowd

Click New Site List. Choose one or more site lists, and click Add.

4.

Click Preview to view the configured policy.

The policy appears in CLI format.

5.

Click Save Policy.

The Configuration > Policies page appears, and the policies table includes the newly created policy.

The policy is successfully applied to the selected sites and VPNs and is available in the policies table for management and deployment.


Configure NAT fallback on Cisco IOS XE Catalyst SD-WAN Devices

This task enables NAT fallback functionality on Cisco IOS XE Catalyst SD-WAN Devices, allowing traffic to fall back to direct internet access (DIA) when tunnel connectivity is unavailable.

NAT DIA fallback provides redundancy for internet-bound traffic by automatically switching to direct internet access when the primary tunnel path fails. This configuration ensures continuous connectivity and improved network resilience.

Note

To use Cisco SD-WAN Manager to configure NAT DIA fallback, Cisco SD-WAN Manager must manage your Cisco Catalyst SD-WAN Controller.

Before you begin

Follow these steps to configure NAT fallback on Cisco IOS XE Catalyst SD-WAN Devices:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

2.

From the Custom options drop-down, under Centralized Policy, select Traffic Policy.

3.

Click Traffic Data.

4.

From the Add Policy drop-down, click Create New.

5.

Click Sequence Type and select Custom.

6.

Click (+) Sequence Rule to create a new sequence rule.

7.

After adding match conditions, click Actions and click Accept.

8.

Click NAT VPN and select the Fallback checkbox.

9.

Click Save and Match Actions.

10.

Click Save Data Policy.

11.

Click Centralized Policy and for the required centralized policy, click ... and select Edit.

12.

Click Traffic Rules and select Traffic Data.

13.

From the Add Policy drop-down, select Import Existing.

14.

Select the NAT policy that you created from the Policy drop-down.

15.

Click Policy Application and select Traffic Data.

16.

Click + New Site List and VPN List.

17.

Select the direction, VPN, and site as required.

18.

Click Add.

19.

Click Save Policy Changes.

20.

Click to select VPN, and Site from the drop-down.

NAT fallback is configured and enabled. Traffic will automatically fall back to direct internet access when tunnel connectivity is unavailable.

Note

Policy configured for the from-tunnel traffic is also applied to the return DIA (Underlay) traffic apart from the return traffic coming over the tunnel. If none of the sequences in that policy match, it matches the default sequence in that policy.

Note

The following NAT fallback actions/commands are now supported:

  • Action: NAT fallback

  • When applying a policy: direction from-tunnel


Activate a centralized policy

Activating a centralized policy sends that policy to all connected Cisco SD-WAN Controllers, enabling consistent policy enforcement across your SD-WAN network.

Centralized policies provide a unified approach to managing network behavior across your SD-WAN infrastructure. You can also view, copy, edit, and delete existing policies as needed to maintain your network configuration.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Policies.

Centralized Policy is selected and displayed by default.

2.

For the required policy, click ... and select Activate.

The Activate Policy popup appears. It lists the IP addresses of the reachable Cisco SD-WAN Controllers to which the policy must be applied.

3.

Click Activate.

4.

To view centralized policies, select a policy from the Centralized Policy list.

5.

For a policy created using the UI policy builder or using the CLI, click ... and select View.

The policy created using the UI policy builder is displayed in graphical format while the policy created using the CLI method is displayed in text format.

6.

For a policy created using Cisco SD-WAN Manager policy configuration wizard, click ... and select Preview.

This policy is displayed in text format.

7.

To copy a policy, select a policy from the Centralized Policy list and click ... and select Copy.

8.

In the Policy Copy popup window, enter the policy name and a description of the policy.

Note

Starting with the Cisco IOS XE Release 17.2, 127 characters are supported for policy names for these policy types:

  • Central route policy

  • Local route policy

  • Local Access Control lOst (ACL)

  • Local IPv6 ACL

  • Central data policy

  • Central app route policy

  • QoS map

  • Rewrite rule

All other policy names support 32 characters.

9.

Click Copy.

10.

To edit policies created using the Cisco SD-WAN Manager policy configuration wizard, click ... and select Edit.

11.

Edit the policy as needed and click Save Policy Changes.

12.

To edit polices created using the CLI method, in the Custom Options drop-down, click CLI Policy.

13.

For the desired policy, click ... and select Edit.

14.

Edit the policy as needed and click Update.

15.

To delete policies, select a policy from the Centralized Policy list and click ... and select Delete.

16.

Click OK to confirm deletion of the policy.

The centralized policy is activated and distributed to all connected devices, or the selected policy management action is completed successfully.