Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later

Policy sequence generation for match and action rules

Explains policy sequence generation for match and action rules, covering the creation of match conditions and corresponding actions to automate traffic handling and enforcement.


The workflow generates data policy and app-route policy sequences based on the match and action conditions configured in a traffic rule. The following rules apply:

  • A data policy sequence is generated when the rule includes a data match condition, a data action, or both. If no match condition is configured but a data action is configured, the workflow also generates a data policy sequence.

  • An app-route policy sequence is generated when the rule includes an app-route match condition, an app-route action, or both. The workflow also generates an app-route policy sequence for a common-only sequence if a data policy sequence is not already generated for that sequence.

  • If the rule includes only the Cloud Monitoring action, the workflow drops the sequence. If the Cloud Monitoring action is configured with other actions, the workflow evaluates the sequence according to the data policy and app-route policy sequence generation rules.

  • If both the match and action conditions are empty, the workflow generates an empty data policy sequence.

  • For the Cloud OnRamp for SaaS excluded data prefix use case, if the rule includes an application list and either a destination data prefix list or destination IP address with the count action, the workflow also generates an app-route policy sequence.


Match conditions

Table 1. Match parameters - data policy and app-route policy
Match Condition | Description

Omit

Match all packets.

(Applicable only to app-route policy)

Cloud Saas Application List

Cisco SD-WAN Manager provides a list of several cloud applications that Cisco Catalyst SD-WAN Cloud OnRamp for SaaS can use to determine the best path selection for each SaaS application.

For more information on Cisco Catalyst SD-WAN Cloud OnRamp for SaaS, see the Cisco Catalyst SD-WAN Cloud OnRamp Configuration Guide, Cisco IOS XE Release 17.x.

Note

Cloud Saas Application List displays as a match condition if you specify IPv4 as the Protocol option.

Choose a SaaS application from the drop-down list.

(Applicable only to data policy)

Packet length

Specifies the packet length. The range is 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]).

(Applicable only to data policy)

TCP Flag

Specifies the TCP flag, syn.

Applications/Application Family List

Applications or application families.

This match condition is available for IPv6 traffic from Cisco IOS XE Release 17.9.1a and Cisco vManage Release 20.9.1.

Destination Data Prefix

Group of destination prefixes, IP prefix and prefix length. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Destination Port

Enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Destination Region

Choose one of the following:

  • Primary: Match traffic if the destination device is in the same primary region (also called access region) as the source. This traffic reaches the destination using a multi-hop path, through the core region.

  • Secondary: Match traffic if the destination device is not in the same primary region as the source but is within the same secondary region as the source. This traffic can reach the destination using a direct tunnel, as described for secondary regions.

  • Other: Match traffic if the destination device is not in the same primary region or secondary region as the source. This traffic requires a multi-hop path from the source to the destination.

Note

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

DNS

Specify the direction in which to process DNS packets. To process DNS requests sent by the applications (for outbound DNS queries), specify dns request. To process DNS responses returned from DNS servers to the applications, specify dns response.

DNS Application List

Enables split DNS, to resolve and process DNS requests and responses on an application-by-application basis. Name of an app-list list. This list specifies the applications whose DNS requests are processed.

This match condition is available for IPv6 traffic from Cisco IOS XE Release 17.9.1a and Cisco vManage Release 20.9.1.

DSCP

Specifies the DSCP value.

ICMP Message

For Protocol IPv4, when you enter a Protocol value of 1, the ICMP Message field displays, where you can select an ICMP message to apply to the data policy. Likewise, the ICMP Message field displays for Protocol IPv6 when you enter a Protocol value of 58.

When you select Protocol as Both, the ICMP Message or ICMPv6 Message field displays.

Note

This field is available from Cisco IOS XE Release 17.4.1, Cisco vManage Release 20.4.1.

Packet Loss Priority (PLP)

Specifies the packet loss priority. By default, packets have a PLP value of low. To set the PLP value to high, apply a policer that includes the exceed remark option.

Protocol

Specifies Internet protocol number. The range is 0 through 255.

Source Data Prefix

Specifies the group of source prefixes or an individual source prefix.

Source Port

Specifies the source port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Traffic To

In a Multi-Region Fabric architecture, match border router traffic flowing to the access region that the border router is serving, the core region, or a service VPN.

Note

Minimum release: Cisco vManage Release 20.8.1
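
The value syntax used by several fields in this table (a single number, a space-separated list, or a hyphen range) and the numeric bounds the guide gives are easy to get wrong when policy is built or audited outside the UI. The following Python validator is an added example, not code from the Cisco guide or from SD-WAN Manager; the function names, the bound constants and the sample values in the tests are constructed here.

```python
import re

# Bounds the guide states for the numeric match and action parameters.
PACKET_LENGTH = (0, 65535)   # match: packet length
PORT = (0, 65535)            # match: source/destination port
PROTOCOL = (0, 255)          # match: IP protocol number
DSCP = (0, 63)               # action: DSCP value
NAT_POOL = (1, 31)           # action: NAT pool number

# One token is either "N" or "N-M"; tokens are separated by spaces.
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")

def parse_number_spec(spec, bounds):
    """Parse "single value | space-separated list | hyphen range" into
    a list of inclusive (start, end) tuples, enforcing the given bounds.
    Raises ValueError for anything outside the documented syntax."""
    lo, hi = bounds
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty specification")
    ranges = []
    for tok in tokens:
        m = _TOKEN.match(tok)
        if m is None:
            raise ValueError(f"malformed token {tok!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) is not None else start
        if start > end:
            raise ValueError(f"range {tok!r} runs backwards")
        if start < lo or end > hi:
            raise ValueError(f"{tok!r} is outside {lo}-{hi}")
        ranges.append((start, end))
    return ranges

def is_valid_spec(spec, bounds):
    """Boolean wrapper: does this field value parse cleanly?"""
    try:
        parse_number_spec(spec, bounds)
        return True
    except ValueError:
        return False

def matches(ranges, value):
    """Does a packet field value fall inside any parsed range?"""
    return any(start <= value <= end for start, end in ranges)

def is_valid_vpn_id(vpn):
    """VPN action: 1 to 65525, excluding the reserved 512."""
    return 1 <= vpn <= 65525 and vpn != 512
```

A comma-separated value such as "80,443" is rejected, because the documented separator is a space; a hyphen range that runs backwards is rejected rather than silently treated as empty.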


Action conditions

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Table 2. Action conditions - data policy and app-route policy

Action Condition | Description

Click Accept

Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

Click Drop

Discards the packet. This is the default action. When you choose this option, only Counter and Log can be added as additional actions; all other actions are unavailable.

Counter

Counts the accepted or dropped packets. Specifies the name of a counter. Use the show policy access-lists counters command on the Cisco IOS XE Catalyst SD-WAN device to display the counts.

Log

Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1

Click Log to enable logging.

When data policy packets (DP, AAR, or ACL) are configured with the log action, logs are generated and sent to syslog. Because of the global log-rate-limit, not all logs are logged. A syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.

For information on policy log-rate-limit CLI, see policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide.

(Applicable only to app-route policy)

Cloud SLA

Cloud SLA enables traffic to use the best path selection with Cisco Catalyst SD-WAN Cloud OnRamp for SaaS.

Click Cloud SLA.

(Applicable only to app-route policy)

SLA Class List

Choose from the following options:

  1. SLA Class List

    Set the policy action for an SLA Class List match condition. For the SLA class, all matching data traffic is directed to a tunnel whose performance matches the SLA parameters defined in the class. The device first tries to send the traffic through a tunnel that matches the SLA. If a single tunnel matches the SLA, data traffic is sent through that tunnel. If two or more tunnels match, traffic is distributed among them. If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.

    Click SLA Class List.

    In the SLA Class drop-down list, choose one or more SLA classes.

  2. Preferred Color

    In the Preferred Color drop-down list, choose the color of the data plane tunnel or tunnels to prefer. Traffic is load-balanced across all the tunnels. If no tunnels match the SLA, data traffic is sent through any available tunnel. That is, color preference is a loose matching, not a strict matching.

  3. Preferred Color Group

    When the Preferred Color is not selected, you can choose the preferred color group from the Preferred Color Group drop-down list. Select the preferred color group of the data plane tunnel or tunnels to prefer. You can configure up to three levels of priority based on the color or path preference. This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco vManage Release 20.9.1.

  4. Restrict to Preferred Color

    This option is applicable only with Preferred Color Group. Check the Restrict to Preferred Color option to drop traffic if no tunnels match the SLA in the preferred color group.

  5. When there is no SLA match you can choose the following options:

    1. Strict/Drop

      Click Strict/Drop to perform strict matching of the SLA class. If no data plane tunnel is available that satisfies the SLA criteria, traffic is dropped.

    2. Fallback to best path

      Click Fallback to best path to select the best available tunnel to avoid a packet drop.

      You can select the Fallback to best path action only when the Fallback Best Tunnel option is enabled while defining an SLA class. If the Fallback Best Tunnel option is not enabled, the following error message displays in Cisco SD-WAN Manager:

      SLA Class selected, does not have Fallback Best Tunnel enabled. 
      Please change the SLA class or change to Strict/Drop.

    3. Load-balance

      Click Load Balance to load balance traffic across all the tunnels.

      You can now select the Backup SLA Preferred Color.

      Set the policy action for a Backup SLA Preferred Color match condition. When no tunnel matches the SLA, direct the data traffic to a specific tunnel. Data traffic is sent out the configured tunnel if that tunnel interface is available. If that tunnel interface is not available, traffic is sent out to another available tunnel. You can specify one or more colors. The backup SLA preferred color is a loose matching condition, not a strict matching condition.

  6. Remote Preferred Color

    Set a Remote Preferred Color in the AAR policy to control traffic routing based on the application list. You can add multiple remote preferred colors in the AAR policy.

    Use the Restrict to Remote Color option to restrict the tunnel to preferred TLOCs. With the Restrict to Remote Color option, traffic drops when the SLA is not met with the preferred remote color.

(Applicable only to data policy)

Cflowd

Enables cflowd traffic monitoring.

(Applicable only to data policy)

DSCP

DSCP value. The range is 0 through 63.

(Applicable only to data policy)

Forwarding Class

Name of the forwarding class.

(Applicable only to data policy)

Local TLOC

Enables sending packets to one of the TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

The encapsulation options are: ipsec and gre.

By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.

By default, encapsulation is ipsec.

(Applicable only to data policy)

NAT Pool or NAT VPN

Enables NAT functionality, so that traffic can be redirected directly to the internet or other external destination. You can configure up to 31 (1–31) NAT pools per router.

(Applicable only to data policy)

Next Hop

Sets the next hop IP address to which the packet should be forwarded.

Note

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1, the Use Default Route when Next Hop is not available field is available next to the Next Hop action parameter. This option is available only when the sequence type is Traffic Engineering or Custom, and the protocol is either IPv4 or IPv6, but not both.

(Applicable only to data policy)

Policer

Applies a policer. Specifies the name of policer configured with the policy policer command.

(Applicable only to data policy)

Redirect DNS

Redirects DNS requests to a particular DNS server or Umbrella. Redirecting requests is optional, but if you do so, you must specify both actions.

For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN.

For an outbound policy, specify the IP address of the DNS server.

redirect-dns umbrella is only supported in Direct Internet Interface (DIA) use cases. It is not supported in SIG/SSE or overlay scenarios. When using redirect-dns umbrella, you do not need to explicitly configure nat use-vpn 0.

Note

When you upgrade to releases later than Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, you must configure redirect DNS through nat use-vpn 0 to redirect DNS to Direct Internet Interface (DIA).

Note

You can set only local TLOC preferences with redirect-dns as actions on the same sequence, but not remote TLOC.

Note

You cannot configure Redirect DNS and SIG at the same time.

NAT DIA fallback and redirect-dns IP actions are supported at the same time in data policy beginning with Cisco IOS XE Catalyst SD-WAN Release 26.1.1.

(Applicable only to data policy)

Remote Preferred Color

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a and Cisco Catalyst SD-WAN Manager Release 20.15.1

You can set a preferred remote color in the AAR policy to control traffic routing based on the application list.

Use the Restrict to Remote Color option to drop traffic if the selected remote color does not meet the SLA.

(Applicable only to data policy)

Secure Internet Gateway

Redirect application traffic to a SIG.

Note

Before you apply a data policy for redirecting application traffic to a SIG, you must have configured the SIG tunnels.

For more information on configuring Automatic SIG tunnels, see Automatic Tunnels. For more information on configuring Manual SIG tunnels, see Manual Tunnels.

Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all SIG tunnels are down. This option is introduced in Cisco IOS XE Catalyst SD-WAN Release 17.8.1a and Cisco vManage Release 20.8.1.

(Applicable only to data policy)

Secure Service Edge

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a and Cisco Catalyst SD-WAN Manager Release 20.13.1

Redirect application traffic to a Secure Service Edge instance.

For more information on configuring Automatic tunnels on Cisco Secure Access, see Automatic Tunnels.

Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all Secure Service Edge tunnels are down.

(Applicable only to data policy)

Service

Specifies a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Standard services: FW, IDS, IDP

Custom services: netsvc1, netsvc2, netsvc3, netsvc4

TLOC list is configured with a policy lists tloc-list list.

Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the vpn service command.

(Applicable only to data policy)

TLOC

Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.

(Applicable only to data policy)

VPN

Set the VPN that the packet is part of. Range: 1 to 65525, excluding 512. For details, see the VRF range behavior change.