Deep Packet Inspection
Configure Deep Packet Inspection
Configure Deep Packet Inspection Using Cisco vManage
Configure Deep Packet Inspection Using the CLI
Components of Policy Configuration for Deep Packet Inspection
Action Parameters for Configuring Deep Packet Inspection
Apply Centralized Policy for Deep Packet Inspection

Deep Packet Inspection

The topics in this section provide overview information about deep packet inspection (DPI), and how to configure DPI using Cisco vManage or the CLI.

Configure Deep Packet Inspection

You configure DPI using a centralized data policy. You define the applications of interest in a Cisco vManage policy list or with the policy lists app-list CLI command, and you call these lists in a policy data-policy command. You can control the path of the application traffic through the network by defining, in the action portion of the data policy, the local TLOC or the remote TLOC, or for strict control, you can define both.

Configure Deep Packet Inspection Using Cisco vManage

To configure a centralized data policy for deep packet inspection, use the Cisco vManage policy configuration wizard.

For more information, see Configure Centralized Policy Using Cisco vManage.

Configure Deep Packet Inspection Using the CLI

Following are the high-level steps for configuring a centralized data policy for deep packet inspection:

Create a list of overlay network sites to which the data policy is to be applied using the apply-policy command:
```
vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id
```
The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).

Create additional site lists, as needed.
Create lists of applications and application families that are to be subject to the data policy. Each list can contain one or more application names, or one or more application families. A single list cannot contain both applications and application families.
```
vSmart(config)# policy lists
vSmart(config-lists)# app-list list-name
vSmart(config-app-list)# app application-name

vSmart(config)# policy lists
vSmart(config-lists)# app-list list-name
vSmart(config-applist)# app-family family-name
```

Create lists of IP prefixes and VPNs, as needed:

vSmart(config)# policy lists
vSmart(config-lists)# data-prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length

vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

Create lists of TLOCs, as needed:

vSmart(config)# policy
vSmart(config-policy)# lists tloc-list list-name
vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]

Define policing parameters, as needed:

vSmart(config-policy)# policer policer-name
vSmart(config-policer)# rate bandwidth
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action

Create a data policy instance and associate it with a list of VPNs:

vSmart(config)# policy data-policy policy-name
vSmart(config-data-policy-policy-name)# vpn-list list-name

Create a series of match–pair sequences:
```
vSmart(config-vpn-list)# sequence number
vSmart(config-sequence-number)#
```
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).

Define match parameters based on applications:

vSmart(config-sequence-number)# match app-list list-name

Define additional match parameters for data packets:
```
vSmart(config-sequence-number)# match parameters
```

Define actions to take when a match occurs:

vSmart(config-sequence-number)# action (accept | drop) [count]

For packets that are accepted, define the actions to take. To control the tunnel over which the packets travels, define the remote or local TLOC, or for strict control over the tunnel path, set both:

vSmart(config-action)# set tloc ip-address color color encap encapsulation
vSmart(config-action)# set tloc-list list-name
vSmart(config-action)# set local-tloc color color encap encapsulation
vSmart(config-action)# set local-tloc-list color color encap encapsulation [restrict]

Define additional actions to take.
Create additional numbered sequences of match–action pairs within the data policy, as needed.
If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching prefixes to be accepted, configure the default action for the policy:
```
vSmart(config-policy-name)# default-action accept
```

Apply the policy to one or more sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

To enable the infrastructure for deep packet inspection on Cisco vEdge devices, include the following command in the configuration on the devices:

vEdge(config)# policy app-visibility

Components of Policy Configuration for Deep Packet Inspection

Following are the components required to configure a centralized data policy for deep packet inspection. Each one is explained in more detail in the sections below.

On the vSmart controller:
policy
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  policer policer-name
    burst bytes
    exceed action
    rate bps
  data-policy policy-name 
    vpn-list list-name 
      sequence number 
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip ip-addresses
          destination-port port-numbers
          dscp number
          packet-length number
          protocol protocol
          source-data-prefix-list list-name
          source-ip ip-addresses
          source-port port-numbers
          tcp flag
        action
          drop
          count counter-name
          log
          accept
            nat [pool number] [use-vpn 0]
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color encap encapsulation
              tloc-list list-name
              vpn vpn-id
      default-action
        (accept | drop)
apply-policy site-list list-name 
  data-policy policy-name (all | from-service | from-tunnel) 
  
On the vEdge router:
policy
  app-visibility

Action Parameters for Configuring Deep Packet Inspection

When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped, and it can be counted. Then, you can associate parameters with accepted packets.

In Cisco vManage, you configure match parameters from:

Configuration > Policies > Centralized Policy > Add Policy > Configure Traffic Rules > (Application-Aware Routing | Traffic Data | Cflowd) > Sequence Type > Sequence Rule > Action
Configuration > Policies > Custom Options > Centralized Policy > Traffic Policy > (Application-Aware Routing | Traffic Data | Cflowd) > Sequence Type > Sequence Rule > Action.

In the CLI, you configure the action parameters under the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain one action condition.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Table 1.
Description	Cisco vManage	CLI Command	Value or Range
Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.	Click Accept.	accept	—
Count the accepted or dropped packets.	Action Counter Click Accept, then action Counter	count `counter-name`	Name of a counter. Use the show policy access-lists counters command on the Cisco device.
Discard the packet. This is the default action.	Click Drop	drop	—
Log the packet. Packets are placed into the messages and vsyslog system logging (syslog) files.	Action Log Click Accept, then action Log	log	To view the packet logs, use the show app log flows and show log commands.

To view the packet logs, use the show app log flow and show log commands.

Then, for a packet that is accepted, the following parameters can be configured.

Note

You cannot use deep packet inspection with either cflowd or NAT.

Table 2.
Description	Cisco vManage	CLI Command	Value or Range
DSCP value.	Click Accept, then action DSCP.	set dscp `value`	0 through 63
Forwarding class.	Click Accept, then action Forwarding Class.	set forwarding-class `value`	Name of forwarding class
Direct matching packets to a TLOC that matches the color and encapsulation By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC.	Click Accept, then action Local TLOC.	set local-tloc color `color` [encap `encapsulation`]	`color` can be: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet mpls, private1 through private6, public-internet, red, and silver. By default, `encapsulation` is ipsec. It can also be gre.
Direct matching packets to one of the TLOCs in the list if the TLOC matches the color and encapsulation By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.	Click Accept, then action Local TLOC	set local-tloc-list color `color` encap `encapsulation` [restrict]
Set the next hop to which the packet should be forwarded.	Click Accept, then action Next Hop.	set next-hop `ip-address`	IP address
Apply a policer.	Click Accept, then action Policer.	set policer `policer-name`	Name of policer configured with a policy policer command.
Direct matching packets to the name service, before delivering the traffic to its ultimate destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the Cisco devices that are collocated with the service devices, using the vpn service configuration command.	Click Accept, then action Service.	set service `service-name` [tloc `ip-address` \| tloc-list `list-name`] [vpn `vpn-id`]	Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2,netsvc3, netsvc4 TLOC list is configured with a policy lists tloc-list list.
Direct matching packets to the named service that is reachable using a GRE tunnel whose source is in the transport VPN (VPN 0). If the GRE tunnel used to reach the service is down, packet routing falls back to using standard routing. To drop packets when a GRE tunnel to the service is unreachable, include the restrict option. In the service VPN, you must also advertise the service using the service command. You configure the GRE interface or interfaces in the transport VPN (VPN 0).	Click Accept, then action Service.	set service `service-name` [tloc `ip-address` \| tloc-list `list-name`] [vpn `vpn-id`]	Standard services: FW, IDS, IDP Custom services: netsvc1, netsvc2,netsvc3, netsvc4
Direct traffic to a remote TLOC. The TLOC is defined by its IP address, color, and encapsulation.	Click Accept, then action TLOC.	set local-tloc color `color` [encap `encapsulation`]	TLOC address, color, and encapsulation
Direct traffic to one of the remote TLOCs in the TLOC list.	Click Accept, then action TLOC.	set tloc-list `list-name`	Name of a policy lists tloc-list list
Set the VPN that the packet is part of.	Click Accept, then action VPN.	set vpn `vpn-id`	0 through 65530

Default Action

If a data packet being evaluated does not match any of the match conditions in a data policy, a default action is applied to the packet. By default, the data packet is dropped.

In Cisco vManage, you modify the default action from Configuration > Policies > Centralized Policy > Add Policy > Configure Traffic Rules > Application-Aware Routing > Sequence Type > Sequence Rule > Default Action.

In the CLI, you modify the default action with the policy data-policy vpn-list default-action accept command.

Apply Centralized Policy for Deep Packet Inspection

For a deep packet inspection centralized data policy to take effect, you apply it to a list of sites in the overlay network.

To apply a centralized policy in Cisco vManage, see Configure Centralized Policy Using Cisco vManage.

To apply a centralized policy in the CLI:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

By default, data policy applies to all data traffic passing through the Cisco vSmart Controller: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering to the local site through the tunnel interface. You can explicitly configure this behavior by including the all option. To have the data policy apply only to policy exiting from the local site, include the from-service option. To have the policy apply only to incoming traffic, include the from-tunnel option.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the Cisco vSmart Controller fails.

As soon as you successfully activate the configuration by issuing a commit command, the Cisco vSmart Controller pushes the data policy to the Cisco vEdge devices located in the specified sites. To view the policy as configured on the Cisco vSmart Controller, use the show running-config command on the Cisco vSmart Controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy

To view the policy that has been pushed to the Cisco vEdge device, use the show policy from-vsmart command on the Cisco vEdge device.

vEdge# show policy from-vsmart

Monitor Running Applications

To enable the deep packet inspection infrastructure on Cisco vEdge devices, you must enable application visibility on the devices:

vEdge(config)# policy app-visibility

To display information about the running applications, use the show app dpi supported-applications, show app dpi applications, and show app dpi flows commands on the device.

View DPI Applications Using Cisco vManage

You can view the list of all the application-aware applications supported by the Cisco SD-WAN software on the router using the following steps:

In Cisco vManage, select the Monitor > Network screen.
From the WAN-Edge pane, select the Device that supports DPI. The Cisco vManage Control Connections page displays.
In the left pane, select Real Time to view the device details.
From the Device Options drop-down, choose DPI Applications to view the list of applications running on the device.
From the Device Options drop-down, choose DPI Supported Applications to view the list of applications that are supported on the device.

Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20

Bias-Free Language

Book Title

Policies Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20

Chapter Title