Configure centralized policies
Use one of these methods to configure centralized policies:
Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later
Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later
Configure centralized policies
Use one of these methods to configure centralized policies:
To configure a centralized control policy using the CLI:
| 1. | Create a list of overlay network sites to which the centralized control policy is to be applied (in the apply-policy command): Example:
The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–). Create additional site lists, as needed. |
|
| 2. | Create lists of IP prefixes, TLOCs, and VPNs as needed: Example:
|
|
| 3. | Create a control policy instance: Example:
|
|
| 4. | Create a series of match–action pair sequences: Example:
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is). |
|
| 5. | Define match parameters for routes and for TLOCs: Example:
|
|
| 6. | Define actions to take when a match occurs: Example:
|
|
| 7. | Create additional numbered sequences of match–action pairs within the control policy, as needed. |
|
| 8. | If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching routes to be accepted, configure the default action for the policy: Example:
|
|
| 9. | Apply the policy to one or more sites in the Cisco Catalyst SD-WAN overlay network: Example:
|
|
| 10. | If the action you are configuring is a service, configure the required services on the Cisco IOS XE Catalyst SD-WAN device so that the Cisco Catalyst SD-WAN Controller knows how to reach the services: Example:
Specify the VPN is which the service is located and one to four IP addresses to reach the service device or devices. If multiple devices provide the same service, the device load-balances the traffic among them. Note that the Cisco IOS XE Catalyst SD-WAN device keeps track of the services, advertising them to the Cisco Catalyst SD-WAN Controller only if the address (or one of the addresses) can be resolved locally, that is, at the device's local site, and not learned through OMP. If a previously advertised service becomes unavailable, the Cisco IOS XE Catalyst SD-WAN device withdraws the service advertisement. |
The high-level steps for configuring a VPN membership data policy are shown below:
| 1. | Create a list of overlay network sites to which the VPN membership policy is to be applied (in the apply-policy command): Example:
The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–). Create additional site lists, as needed. |
|
| 2. | Create lists of IP prefixes and VPNs, as needed: Example:
|
|
| 3. | Create lists of TLOCs, as needed. Example:
|
|
| 4. | Define policing parameters, as needed: Example:
|
|
| 5. | Create a data policy instance and associate it with a list of VPNs: Example:
|
|
| 6. | Create a series of match–pair sequences: Example:
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is). |
|
| 7. | Define match parameters for packets: Example:
|
|
| 8. | Define actions to take when a match occurs: Example:
|
|
| 9. | Create additional numbered sequences of match–action pairs within the data policy, as needed. |
|
| 10. | If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching prefixed, configure the default action for the policy: Example:
|
|
| 11. | Apply the policy to one or more sites in the overlay network: Example:
|
Centralized policies using classic policies are network management configurations that
use the Cisco SD-WAN Manager policy configuration wizard to guide policy creation and editing
consist of multiple operations including creating groups, configuring topology, and defining traffic rules, and
require activation for the centralized policy to take effect in the overlay network.
The wizard consists of these operations that guide you through the process of creating and editing policy components:
Create Groups of Interest: Create lists that group together related items and that you call in the match or action components of a policy.
Configure Topology and VPN Membership: Create the network structure to which the policy applies.
Configure Traffic Rules: Create the match and action conditions of a policy.
Apply Policies to Sites and VPNs: Associate the policy with sites and VPNs in the overlay network.
Activate the centralized policy.
For a centralized policy to take effect, you must activate the policy.
To configure centralized policies using Cisco SD-WAN Manager, use the steps identified in the procedures that follow this section.
Start the policy configuration wizard to create and configure centralized policies for your SD-WAN deployment.
The policy configuration wizard provides a guided interface for creating centralized policies. Use this procedure when you need to create new policies for traffic management, security, or service chaining.
| 1. | From the Cisco SD-WAN Manager menu, choose . |
|
| 2. | Click Centralized Policy. |
|
| 3. | Click Add Policy. The policy configuration wizard appears, and the Create Groups of Interest window is displayed. |
The policy configuration wizard opens with the Create Groups of Interest window displayed, ready for policy configuration.
In Create groups of interest, create new groups of list types as described in the following sections to use in a centralized policy:
| 1. | Configure application: |
|
| 2. | Configure color: |
|
| 3. | Configure community: |
|
| 4. | Configure data prefix:
|
|
| 5. | Configure policer: |
|
| 6. | Configure prefix:
|
|
| 7. | Configure site: |
|
| 8. | Configure app probe class: |
|
| 9. | Configure SLA class: |
|
| 10. | Configure TLOC: |
|
| 11. | Configure VPN: |
|
| 12. | Configure region: Minimum release: Cisco SD-WAN Release 20.7.1 To configure a list of regions for Multi-Region Fabric (formerly Hierarchical SD-WAN), ensure that Multi-Region Fabric is enabled in . |
|
| 13. | Configure preferred color group: You can configure the order of transport preference to choose the preference order for forwarding traffic. The Preferred Color Group is supported only on overlay traffic but not on DIA traffic. |
Integrating WAN insight (WANI) into Cisco SD-WAN Manager is a cloud-based analytics service integration that
provides comprehensive insights into application and network performance for Cisco Catalyst SD-WAN
enables Predictive Path Recommendations to be applied to actionable centralized AAR policy to influence forwarding decisions, and
applies recommendations as TLOC preferences in AAR policies pushed to Cisco SD-WAN Controller.
Cisco SD-WAN Analytics collects and stores metadata about traffic flows in its cloud storage and produces analytics based on this collected data. The analytics service is available with Cisco DNA Advantage and Cisco DNA Premier software subscriptions. Predictive Path Analytics generates recommendations for path based on long term insights. These recommendations need to be converted into policy created manually on Cisco SD-WAN Manager and then applied to the network.
The Predictive Path Recommendations feature allows you to apply active recommendations to the actionable centralized AAR policy to influence the forwarding decisions in the Cisco Catalyst SD-WAN network.
For more information about using Predictive Path Recommendations, see Predictive Path Recommendations.
To apply predictive path recommendations when there are recommendations in Cisco SD-WAN Analytics:
In the Cisco SD-WAN Manager menu, click the bell icon at the top-right corner. The Notifications pane is displayed with active alarms.
If there are any Active Recommendations in the Notifications pane, click on the site to view the recommendations. Alternatively, you can view from the Cisco SD-WAN Manager menu, click .
Click Active Recommendations, and then click Apply.
In the Apply Predictive Path Recommendations window, click Proceed to Apply to apply new recommendations.
You can review the applied recommendations in the Cisco SD-WAN Manager generated configs and push the recommendations to Cisco SD-WAN Controller.
Points to consider when integrating WAN insight:
Cisco SD-WAN Manager pulls recommendations when you log in. If you want to update the recommendations, refresh the page or log in again.
Cisco SD-WAN Manager support recommendations for application lists which are associated with some AAR policy only. If AAR Policy does not exist for a given application list, the recommendations are not valid and policy processing is not done.
WAN Insights generates recommendations for standard App Groups even when the AAR Policy is not defined. However, the policy automation is not done since AAR policy is not defined.
When for the same site and application list, if WANI generates a terminate for a recommendation which is applied and also generates another recommendation, the recommendations are applied based on the preferences.
Application of WANI recommendations for Cloud OnRamp for SaaS is not supported.
WAN Insights (WANI) allows you to track the performance of your current network setup and tune your policies and paths to achieve the best user experience. Predictive path recommendations influence AAR policy TLOC preferences.
WAN Insights is a predictive network optimization tool that uses a statistical model to examine historical data from Cisco Catalyst SD-WAN, in order to find the best paths for application traffic. WANI analyzes the telemetry data exported during application traffic flows, and then generates long-term recommendations for paths that would reduce the probability of experiencing an SLA violation (for example, low-quality performance).
Predictive network associates some SLA with each application list that is defined in the AAR policy in order to detect SLA violations for the applications. This is used to calculate a probability of SLA violation on a given site and TLOC and generates recommendations.
For more information about configuring group of interest for data policies, see Configure Groups of Interest for Centralized Policy.
Configure network topology to define the communication patterns between sites in your SD-WAN deployment and establish VPN membership for routing policies.
When you first open the Configure Topology and VPN Membership window, the Topology window is displayed by default.
You can configure three types of topologies: Hub-and-Spoke for centralized communication, Mesh for full connectivity between sites, and Custom Control for advanced route and TLOC control policies.
| 1. | Configure a hub-and-spoke topology. Hub-and-Spoke
|
|
| 2. | Configure a mesh topology. Mesh
|
|
| 3. | Configure a custom control policy for route control. Custom Control (Route & TLOC): Centralized route control policy (for matching OMP routes)
|
|
| 4. | Configure a custom control policy for TLOC control. Custom Control (Route & TLOC): Centralized TLOC control policy (for matching TLOC routes)
|
The topology and VPN membership configuration is saved. A centralized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route or TLOC is analyzed by the match–action pairs in the policy.
Sequence can have either match app-list or dns-app-list configured for a policy, but not both. Configuring both match app-list and dns-app-list for a policy is not supported.
Each sequence in a centralized control policy can contain one match condition (either for a route or for a TLOC) and one action condition.
The Cisco Catalyst SD-WAN policy supports maximum up to 1024 sequences, including default sequence.
If a selected route or TLOC does not match any of the match conditions in a centralized control policy, a default action is applied to it. By default, the route or TLOC is rejected.
If a selected data packet does not match any of the match conditions in a data policy, a default action is applied to the packet. By default, the data packet is dropped.
Import an existing topology to reuse previously configured network structures and policies.
Use this procedure when you need to incorporate a topology that was previously created and configured in your environment.
Follow these steps to import existing topology:
| 1. | In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup appears. |
|
| 2. | Select the type of topology. |
|
| 3. | For Policy Type, choose the name of the topology you want to import. |
|
| 4. | In the Policy drop-down, select a policy to import.
|
|
| 5. | Click Import. |
|
| 6. | Click Next to move to Configure Traffic Rules in the wizard. |
The existing topology is imported and you can proceed to configure traffic rules in the wizard.
Create a VPN membership policy to establish which sites can access specific VPNs in your network topology.
VPN membership policies define the relationship between site lists and VPN lists in your network configuration. Only one VPN membership policy can be added at a time, so all required site lists and VPN lists must be included in a single policy.
| 1. | In the Specify your network topology area, click VPN Membership. |
|
| 2. | Click Add VPN Membership Policy.
The Add VPN Membership Policy popup displays. |
|
| 3. | Enter a name and description for the VPN membership policy. |
|
| 4. | In the Site List field, select the site list. |
|
| 5. | In the VPN Lists field, select the VPN list. |
|
| 6. | Click Add List to add another VPN to the VPN membership. |
|
| 7. | Click Save. |
|
| 8. | Click Next to move to Configure Traffic Rules in the wizard. |
The VPN membership policy is created and you can proceed to configure traffic rules for your network topology.
When you first open the Configure Traffic Rules window, Application-Aware Routing is selected by default.
You can also view already created AAR routing policies listed in the page. It provides various information related to the policies such as the Name of the policy, Type, Mode, Description, Update By, and Last Updated details.
You can refer to the Mode column for the security status details of the policy. The status helps to differentiate whether the policy is used in unified security or not. The mode status is applicable only for security policies and not relevant to any centralized or localized policies.
For more information on configuring traffic rules for the Cisco SD-WAN Manager Application Intelligence Engine (SAIE) flow, see the SD-WAN Application Intelligence Engine Flow section in the Cisco Catalyst SD-WAN Policies Configuration Guide, Cisco IOS XE Catalyst SD-WAN Release 26.x.
In Cisco SD-WAN Release 20.7.1 and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.
| 1. | Click Traffic Data. |
|||||||||||||||||||||||||||||||
| 2. | Click the Add Policy drop-down. |
|||||||||||||||||||||||||||||||
| 3. | Click Create New. The Add Data Policy window displays. |
|||||||||||||||||||||||||||||||
| 4. | Enter a name and a description for the data policy. |
|||||||||||||||||||||||||||||||
| 5. | In the right pane, click Sequence Type. The Add Data Policy popup opens. |
|||||||||||||||||||||||||||||||
| 6. | Select the type of data policy you want to create, Application Firewall, QoS, Traffic Engineering, or Custom.
|
|||||||||||||||||||||||||||||||
| 7. | A policy sequence containing the text string Application, Firewall, QoS, Traffic Engineering, or Custom is added in the left pane. |
|||||||||||||||||||||||||||||||
| 8. | Double-click the text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane. |
|||||||||||||||||||||||||||||||
| 9. | In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.
|
|||||||||||||||||||||||||||||||
| 10. | For QoS and Traffic Engineering data policies: From the Protocol drop-down list, select IPv4 to apply the policy only to IPv4 address families, IPv6 to apply the policy only to IPv6 address families, or Both to apply the policy to IPv4 and IPv6 address families. |
|||||||||||||||||||||||||||||||
| 11. | To select one or more Match conditions, click its box and set the values as described.
|
|||||||||||||||||||||||||||||||
| 12. | To select actions to take on matching data traffic, click the Actions box. |
|||||||||||||||||||||||||||||||
| 13. | To drop matching traffic, click Drop. The available policy actions are listed in the right side. |
|||||||||||||||||||||||||||||||
| 14. | To accept matching traffic, click Accept. The available policy actions are listed in the right side. |
|||||||||||||||||||||||||||||||
| 15. | Set the policy action as described.
|
|||||||||||||||||||||||||||||||
| 16. | Create additional sequence rules as desired. Drag and drop to re-arrange them. |
|||||||||||||||||||||||||||||||
| 17. | Click Save Data Policy. |
|||||||||||||||||||||||||||||||
| 18. | Click Next to move to Apply Policies to Sites and VPNs in the wizard. |
|||||||||||||||||||||||||||||||
For OMP AND TLOC routes, you can match attributes to control routing behavior AND traffic flow in your SD-WAN network.
| Match Condition |
Description |
|---|---|
| Color List |
One OR more colors. The available colors are: 3g, biz-internet, blue, bronze, custom1,custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red AND silver. |
| Community List |
List of one OR more BGP communities. In the Community List field, you can specify: • aa:nn: AS number AND network number. Each number is a 2-byte value with a range from 1 to 65535. • internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices. • local-AS: Routes in this community are not advertised outside the local AS. • NO-ADVERTISE: Attach the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers. • NO-EXPORT: Attach the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS OR outside a BGP confederation boundary. To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option. |
| Types |
Specifies the community type. Choose Standard to specify communities AND community numbers OR, Expanded to filter communities using a regular expression. Regular expressions are used to specify patterns to match community attributes. |
| Criteria OR |
Compares each regex string in the community list against the community string of the route. The OR condition is applicable across multiple community lists AND is valid for all devices. Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, the Community Types AND Criteria fields are available. |
| OMP Tag |
Tag value associated with the route OR prefix in the routing database on the device. The range is 0 through 4294967295. |
| Origin |
Protocol from which the route was learned. |
| Originator |
IP address from which the route was learned. |
| Path Type |
In a Hierarchical SD-WAN architecture, match a route by its path type, which can be one of the following:
|
| Preference |
How preferred a prefix is. This is the preference value that the route OR prefix has in the local site, that is, in the routing database on the device. A higher preference value is more preferred.The range is 0 through 255. |
| Prefix List |
One OR more prefixes. Specifies the name of a prefix list. |
| Not available in Cisco SD-WAN Manager. |
One OR more overlay network site identifiers. |
| Site |
Individual site identifier. The range is 0 through 4294967295. |
| Region |
Region defined for Hierarchical SD-WAN. The range is 1 to 63.
|
| Role |
In a Hierarchical SD-WAN architecture, match by the device type, which can be Border Router OR Edge Router.
|
| TLOC | Individual TLOC address.
|
| VPN |
Individual VPN identifier. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here. When a policy is pushed with duplicate VPN IDs, the latest VPN ID overwrites the first one. However, starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.5, the first one is not overridden. |
| Carrier |
Carrier for the control traffic. Values are: default, carrier1 through carrier8. |
| Domain ID |
Domain identifier associated with a TLOC. The range is 0 through 4294967295. |
| OMP Tag |
Tag value associated with the TLOC route in the route table on the device. The range is 0 through 4294967295. |
| Site |
Individual site contributor OR more overlay network site identifiers.. The range is 0 through 4294967295. |
In the CLI, you configure the OMP route attributes to match with the policy control-policy sequence match route command, AND you configure the TLOC attributes to match with the policy control-policy sequence match TLOC command.
A centralized data policy can match IP prefixes and fields in the IP headers, as well as applications. You can also enable split DNS.
Each sequence in a policy can contain one or more match conditions.
| Match Condition | Description |
|---|---|
| Omit |
Match all packets. |
| Applications/Application Family List |
Applications or application families. This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1. |
| Destination Data Prefix |
Group of destination prefixes, IP prefix and prefix length. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]). |
| Destination Region |
Choose one of the following:
|
| DNS Application List | Enables split DNS, to resolve and process DNS requests and responses on an application-by-application basis. Name of an app-list list . This list specifies the applications whose DNS requests are processed. This match condition is available for IPv6 traffic from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Release 20.9.1. |
| DNS |
Specify the direction in which to process DNS packets. To process DNS requests sent by the applications (for outbound DNS queries), specify dns request . To process DNS responses returned from DNS servers to the applications, specify dns response . |
| DSCP |
Specifies the DSCP value. |
| Packet length |
Specifies the packet length. The range is 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]). |
| Packet Loss Priority (PLP) | Specifies the packet loss priority. By default, packets have a PLP value of low . To set the PLP value to high , apply a policer that includes the exceed remark option. |
| Protocol |
Specifies Internet protocol number. The range is 0 through 255. |
| ICMP Message |
For Protocol IPv4 when you enter a Protocol value as 1, the ICMP Message field displays where you can select an ICMP message to apply to the data policy. Likewise, the ICMP Message field displays for Protocol IPv6 when you enter a Protocol value as 58. When you select Protocol as Both, the ICMP Message or ICMPv6 Message field displays.
|
| Source Data Prefix |
Specifies the group of source prefixes or an individual source prefix. |
| Source Port |
Specifies the source port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]). |
| TCP Flag |
Specifies the TCP flag, syn. |
| Traffic To |
In a Multi Region Fabric architecture, match border router traffic flowing to the access region that the border router is serving, the core region, or a service VPN.
|
If IPv4 packet contains non-initial fragment of UDP or TCP datagram, it has no L4 ports information available because there is no UDP or TCP header. For such fragments destination-port or source-port match is ignored.
In the following example, all the UDP packets to destination port 161 and any other IPv4 packets having protocol ID field in IPv4 header set to 17 with IPv4 header having fragment-offset set will be dropped.
policy app-visibility access-list SDWAN_101 sequence 100 match destination-port 161 protocol 17 ! action drop ! !
| Type |
Code |
Enumeration |
| 0 | 0 | echo-reply |
| 3 | unreachable | |
| 0 | net-unreachable | |
| 1 | host-unreachable | |
| 2 | protocol-unreachable | |
| 3 | port-unreachable | |
| 4 | packet-too-big | |
| 5 | source-route-failed | |
| 6 | network-unknown | |
| 7 | host-unknown | |
| 8 | host-isolated | |
| 9 | dod-net-prohibited | |
| 10 | dod-host-prohibited | |
| 11 | net-tos-unreachable | |
| 12 | host-tos-unreachable | |
| 13 | administratively-prohibited | |
| 14 | host-precedence-unreachable | |
| 15 | precedence-unreachable | |
| 5 | redirect | |
| 0 | net-redirect | |
| 1 | host-redirect | |
| 2 | net-tos-redirect | |
| 3 | host-tos-redirect | |
| 8 | 0 | echo |
| 9 | 0 | router-advertisement |
| 10 | 0 | router-solicitation |
| 11 | time-exceeded | |
| 0 | ttl-exceeded | |
| 1 | reassembly-timeout | |
| 12 | parameter-problem | |
| 0 | general-parameter-problem | |
| 1 | option-missing | |
| 2 | no-room-for-option | |
| 13 | 0 | timestamp-request |
| 14 | 0 | timestamp-reply |
| 40 | 0 | photuris |
| 42 | 0 | extended-echo |
| 43 | extended-echo-reply | |
| 0 | echo-reply-no-error | |
| 1 | malformed-query | |
| 2 | interface-error | |
| 3 | table-entry-error | |
| 4 | multiple-interface-match |
| Type | Code | Enumeration |
| 1 | unreachable | |
| 0 | no-route | |
| 1 | no-admin | |
| 2 | beyond-scope | |
| 3 | destination-unreachable | |
| 4 | port-unreachable | |
| 5 | source-policy | |
| 6 | reject-route | |
| 7 | source-route-header | |
| 2 | 0 | packet-too-big |
| 3 | time-exceeded | |
| 0 | hop-limit | |
| 1 | reassembly-timeout | |
| 4 | parameter-problem | |
| 0 | Header | |
| 1 | next-header | |
| 2 | parameter-option | |
| 128 | 0 | echo-request |
| 129 | 0 | echo-reply |
| 130 | 0 | mld-query |
| 131 | 0 | mld-report |
| 132 | 0 | mld-reduction |
| 133 | 0 | router-solicitation |
| 134 | 0 |
router-advertisement |
| 135 | 0 | nd-ns |
| 136 | 0 | nd-na |
| 137 | 0 | redirect |
| 138 |
router-renumbering | |
| 0 | renum-command | |
| 1 | renum-result | |
| 255 | renum-seq-number | |
| 139 | ni-query | |
| 0 | ni-query-v6-address | |
| 1 | ni-query-name | |
| 2 | ni-query-v4-address | |
| 140 | ni-response | |
| 0 | ni-response-success | |
| 1 | ni-response-refuse | |
| 2 | ni-response-qtype-unknown |
|
| 141 | 0 | ind-solicitation |
| 142 | 0 | ind-advertisement |
| 143 | mldv2-report | |
| 144 | 0 | dhaad-request |
| 145 | 0 | dhaad-reply |
| 146 | 0 | mpd-solicitation |
| 147 | 0 | mpd-advertisement |
| 148 | 0 | cp-solicitation |
| 149 | 0 | cp-advertisement |
| 151 | 0 | mr-advertisement |
| 152 | 0 | mr-solicitation |
| 153 | 0 | mr-termination |
| 155 | 0 | rpl-control |
For each match condition, you configure a corresponding action to take if the route or TLOC matches for a control policy. In the CLI, you configure actions with the policy control-policy action command. Each sequence in a centralized control policy can contain one action condition.
In the action, you first specify whether to accept or reject a matching route or TLOC:
| Description |
Cisco SD-WAN Manager |
|---|---|
| Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration. |
Click Accept. |
| Discard the packet. |
Click Reject. |
Then, for a route or TLOC that is accepted, you can configure these actions:
| Action Condition |
Description |
|---|---|
| Export To |
Export the route the the specified VPN or list of VPNs (for a match route match condition only). The range is 0 through 65535 or list name. |
| OMP Tag |
Change the tag string in the route, prefix, or TLOC. The range is 0 through 4294967295. |
| Preference |
Change the preference value in the route, prefix, or TLOC to the specified value. A higher preference value is more preferred. The range is 0 through 255. |
| Service |
Specify a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2, netsvc3, netsvc4 Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the VPN service configuration command. |
| TLOC |
Change the TLOC address, color, and encapsulation to the specified address and color. For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec. Optionally, set a preference value (from 0 to 232 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the highest preference value is used. If two or more of TLOCs have the highest preference value, traffic is sent among them in an ECMP fashion. |
| TLOC Action |
Direct matching routes or TLOCs using the mechanism specified by action, and enable end-to-end tracking of whether the ultimate destination is reachable. Setting the TLOC action option enables the Cisco Catalyst SD-WAN Controller to perform end-to-end tracking of the path to the ultimate destination device. |
The preference command controls the preference for directing inbound and outbound traffic to a tunnel. The preference can be a value from 0 through 4294967295 (232 – 1), and the default value is 0. A higher value is preferred over a lower value.
When a Cisco vEdge device has two or more tunnels, if all the TLOCs have the same preference and no policy is applied that affects traffic flow, all the TLOCs are advertised into OMP. When the router transmits or receives traffic, it distributes traffic flows evenly among the tunnels, using ECMP.
When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped. Then, you can associate parameters with accepted packets.
In the CLI, you configure the action parameters with the policy data-policy vpn-list sequence action command.
Each sequence in a centralized data policy can contain one action condition.
In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:
| Action Condition |
Description |
|---|---|
| Click Accept | Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration. |
| Cflowd |
Enables cflowd traffic monitoring. |
| Counter |
Counts the accepted or dropped packets. Specifies the name of a counter. Use the show policy access-lists counters command on the Cisco IOS XE Catalyst SD-WAN device. |
| Click Drop |
Discards the packet. This is the default action. |
| Log |
Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1. Click Log to enable logging. When (DP, AAR or ACL) data policy packets are configured with log action, logs generated and logged to syslog. Due to the global log-rate-limit, not all logs are logged. A syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active. For information on policy log-rate-limit CLI, see policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide. |
| Redirect DNS |
Redirects DNS requests to a particular DNS server or Umbrella. Redirecting requests is optional, but if you do so, you must specify both actions. For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server. redirect-dns umbrella is only supported in Direct Internet Interface (DIA) use cases. It is not supported in SIG/SSE or overlay scenarios. When using redirect-dns umbrella , you do not need to explicitly configure nat use-vpn 0 .
|
| TCP Optimization |
Fine-tune TCP to decrease round-trip latency and improve throughout for matching TCP traffic. |
| Secure Internet Gateway | Redirect application traffic to a SIG.
Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all SIG tunnels are down. This option is introduced in Cisco IOS XE Catalyst SD-WAN Release 17.8.1a and Cisco SD-WAN Release 20.8.1 . |
On Cisco IOS XE Catalyst SD-WAN devices, all the ongoing optimized flows are dropped when the TCP Optimization is removed.
Then, for a packet that is accepted, the following parameters can be configured:
| Action Condition |
Description |
|---|---|
| Cflowd |
Enables cflowd traffic monitoring. |
| NAT Pool or NAT VPN |
Enables NAT functionality, so that traffic can be redirected directly to the internet or other external destination. You can configure up to 31 (1–31) NAT pools per router. |
| DSCP |
DSCP value. The range is 0 through 63. |
| Forwarding Class |
Name of the forwarding class. |
| Local TLOC |
Enables sending packets to one of the TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1,custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red and silver. The encapsulation options are: ipsec and gre. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option. By default, encapsulation is ipsec. |
| Next Hop |
Sets the next hop IP address to which the packet should be forwarded.
|
| Policer |
Applies a policer. Specifies the name of policer configured with the policy policer command. |
| Service |
Specifies a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2,netsvc3, netsvc4 TLOC list is configured with a policy lists tloc-list list. Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the vpn service command. |
| TLOC |
Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic. |
| Click Accept, then action VPN. |
Set the VPN that the packet is part of. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here. |
Data policies are applicable on locally generated packets, including routing protocol packets, when the match conditions are generic.
Example configuration:
sequence 21 match source-ip 10.0.0.0/8 action acceptIn such situations, it may be necessary to add a sequence in the data policy to escape the routing protocol packets. For example to skip OSPF, use the following configuration:
sequence 20 match source-ip 10.0.0.0/8 protocol 89 action accept sequence 21 match source-ip 10.0.0.0/8 action accept
The following table describes the IPv4 and IPv6 actions.
| IPv4 Actions |
IPv6 Actions |
|---|---|
| drop, dscp, next-hop (from-service only)/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only) |
N/A |
| App-route preferred color, app-route sla strict, cflowd, nat, redirect-dns | N/A |
| N/A |
drop, dscp, next-hop/vpn, count, forwarding class, policer (only in interface ACL) App-route SLA (only), App-route preferred color, app-route sla strict |
| policer (DataPolicy), tcp-optimization, fec-always, |
policer (DataPolicy) |
| tloc, tloc-list (set tloc, set tloc-list) |
tloc, tloc-list (set tloc, set tloc-list) |
| App-Route backup-preferred color, local-tloc, local-tloc-list |
App-Route backup-preferred color, local-tloc, local-tloc-list |
Apply policies to specific sites and VPNs to control network behavior and traffic management across your SD-WAN infrastructure.
Use the Apply Policies to Sites and VPNs page to associate configured policies with specific network locations and VPN segments. Different policy blocks require different site and VPN list associations based on their functionality.
| 1. | In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters. |
|||||||||||
| 2. | In the Policy Description field, enter a description of the policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces. |
|||||||||||
| 3. | Associate the policy with VPNs and sites. The choice of VPNs and sites depends on the type of policy block:
|
|||||||||||
| 4. | Click Preview to view the configured policy. The policy appears in CLI format. |
|||||||||||
| 5. | Click Save Policy. The page appears, and the policies table includes the newly created policy. |
The policy is successfully applied to the selected sites and VPNs and is available in the policies table for management and deployment.
This task enables NAT fallback functionality on Cisco IOS XE Catalyst SD-WAN Devices, allowing traffic to fall back to direct internet access (DIA) when tunnel connectivity is unavailable.
NAT DIA fallback provides redundancy for internet-bound traffic by automatically switching to direct internet access when the primary tunnel path fails. This configuration ensures continuous connectivity and improved network resilience.
To use Cisco SD-WAN Manager to configure NAT DIA fallback, Cisco SD-WAN Manager must manage your Cisco Catalyst SD-WAN Controller.
Follow these steps to configure NAT fallback on Cisco IOS XE Catalyst SD-WAN Devices:
| 1. | From the Cisco SD-WAN Manager menu, choose . |
|
| 2. | From the Custom options drop-down, under Centralized Policy, select Traffic Policy. |
|
| 3. | Click Traffic Data. |
|
| 4. | From the Add Policy drop-down, click Create New. |
|
| 5. | Click Sequence Type and select Custom. |
|
| 6. | Click (+) Sequence Rule to create a new sequence rule. |
|
| 7. | After adding match conditions, click Actions and click Accept. |
|
| 8. | Click NAT VPN and select the Fallback checkbox. |
|
| 9. | Click Save and Match Actions. |
|
| 10. | Click Save Data Policy. |
|
| 11. | Click Centralized Policy and for the required centralized policy, click ... and select Edit. |
|
| 12. | Click Traffic Rules and select Traffic Data. |
|
| 13. | From the Add Policy drop-down, select Import Existing. |
|
| 14. | Select the NAT policy that you created from the Policy drop-down. |
|
| 15. | Click Policy Application and select Traffic Data. |
|
| 16. | Click + New Site List and VPN List. |
|
| 17. | Select the direction, VPN, and site as required. |
|
| 18. | Click Add. |
|
| 19. | Click Save Policy Changes. |
|
| 20. | Click to select VPN, and Site from the drop-down. |
NAT fallback is configured and enabled. Traffic will automatically fall back to direct internet access when tunnel connectivity is unavailable.
Policy configured for the from-tunnel traffic is also applied to the return DIA (Underlay) traffic apart from the return traffic coming over the tunnel. If none of the sequences in that policy match, it matches the default sequence in that policy.
The following NAT fallback actions/commands are now supported:
Action:
NAT fallbackWhen applying a policy:
direction from-tunnel
Activating a centralized policy sends that policy to all connected Cisco SD-WAN Controllers, enabling consistent policy enforcement across your SD-WAN network.
Centralized policies provide a unified approach to managing network behavior across your SD-WAN infrastructure. You can also view, copy, edit, and delete existing policies as needed to maintain your network configuration.
| 1. | From the Cisco SD-WAN Manager menu, choose . Centralized Policy is selected and displayed by default. |
|
| 2. | For the required policy, click ... and select Activate. The Activate Policy popup appears. It lists the IP addresses of the reachable Cisco SD-WAN Controllers to which the policy must be applied. |
|
| 3. | Click Activate. |
|
| 4. | To view centralized policies, select a policy from the Centralized Policy list. |
|
| 5. | For a policy created using the UI policy builder or using the CLI, click ... and select View. The policy created using the UI policy builder is displayed in graphical format while the policy created using the CLI method is displayed in text format. |
|
| 6. | For a policy created using Cisco SD-WAN Manager policy configuration wizard, click ... and select Preview. This policy is displayed in text format. |
|
| 7. | To copy a policy, select a policy from the Centralized Policy list and click ... and select Copy. |
|
| 8. | In the Policy Copy popup window, enter the policy name and a description of the policy.
|
|
| 9. | Click Copy. |
|
| 10. | To edit policies created using the Cisco SD-WAN Manager policy configuration wizard, click ... and select Edit. |
|
| 11. | Edit the policy as needed and click Save Policy Changes. |
|
| 12. | To edit polices created using the CLI method, in the Custom Options drop-down, click CLI Policy. |
|
| 13. | For the desired policy, click ... and select Edit. |
|
| 14. | Edit the policy as needed and click Update. |
|
| 15. | To delete policies, select a policy from the Centralized Policy list and click ... and select Delete. |
|
| 16. | Click OK to confirm deletion of the policy. |
The centralized policy is activated and distributed to all connected devices, or the selected policy management action is completed successfully.