Action Parameters - Data Policy
Feature Name | Release Information | Description
---|---|---
Traffic Redirection to SIG Using Data Policy | Cisco SD-WAN Release 20.4.1, Cisco vManage Release 20.4.1 | You can create a data policy in which you selectively define an application list, along with the other existing match criteria in the data policy, to redirect the matching application traffic to a Secure Internet Gateway (SIG).
Next Hop Action Enhancement in Data Policies | Cisco SD-WAN Release 20.5.1, Cisco vManage Release 20.5.1 | This feature enhances the match-action conditions in a centralized data policy for parity with the features configured on Cisco vEdge devices. When you set up the next-hop-loose action, this feature redirects application traffic to an available route when the next-hop address is not available.
When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped. Then, you can associate parameters with accepted packets.
In the CLI, you configure the action parameters with the policy data-policy vpn-list sequence action command.
Each sequence in a centralized data policy can contain one action condition.
In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:
Action Condition | Description
---|---
Click Accept | Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.
Cflowd | Enables cflowd traffic monitoring.
Counter | Counts the accepted or dropped packets. Specifies the name of a counter. Use the show policy access-lists counters command on the Cisco vEdge device to view the counts.
Click Drop | Discards the packet. This is the default action.
Log | Logs the packet. Packets are placed into the messages and syslog system logging (syslog) files. To view the packet logs, use the show app log flows and show log commands.
Redirect DNS | Redirects DNS requests to a particular DNS server. Redirecting requests is optional, but if you do so, you must specify both actions. For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server.
TCP Optimization | Fine-tunes TCP to decrease round-trip latency and improve throughput for matching TCP traffic.
Secure Internet Gateway | Redirects application traffic to a SIG.
Then, for a packet that is accepted, the following parameters can be configured:
Action Condition | Description
---|---
Cflowd | Enables cflowd traffic monitoring.
NAT Pool or NAT VPN | Enables NAT functionality, so that traffic can be redirected directly to the internet or another external destination.
DSCP | DSCP value. The range is 0 through 63.
Forwarding Class | Name of the forwarding class.
Local TLOC | Enables sending packets to one of the TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The encapsulation options are: ipsec and gre. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if the TLOC is unavailable, include the restrict option. By default, the encapsulation is ipsec.
Next Hop | Sets the next-hop IP address to which the packet should be forwarded.
Policer | Applies a policer. Specifies the name of a policer configured with the policy policer command.
Service | Specifies a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. A TLOC list is configured with the policy lists tloc-list command. Configure the services themselves on the Cisco vEdge devices that are colocated with the service devices, using the vpn service command.
TLOC | Directs traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.
Click Accept, then action VPN. | Sets the VPN that the packet is part of. The range is 0 through 65530.
Note: Data policies are applicable to locally generated packets, including routing protocol packets, when the match conditions are generic. Example configuration:
In such situations, it may be necessary to add a sequence in the data policy to escape the routing protocol packets. For example, to skip OSPF, use the following configuration:
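The following vEdge-style configuration is an illustrative example added here; it is not the page's own example configuration or Cisco's. It strings together the actions from the two tables above with the routing-protocol escape described in the Note: a first sequence that accepts OSPF (IP protocol 89) so that later, more generic sequences cannot act on it, a DNS sequence that counts, logs, and redirects requests, and a sequence that steers traffic to a firewall service and marks it with a DSCP value. The policy name DP-EXAMPLE, the list names SERVICE-VPNS and BRANCHES, the VPN and site numbers, and all IP addresses are constructed placeholders.

```text
! Illustrative configuration added to this page (not from the original).
! Names, VPN numbers, site IDs and IP addresses are constructed placeholders.
policy
 data-policy DP-EXAMPLE
  vpn-list SERVICE-VPNS
   ! Sequence 10: escape routing protocol traffic first. OSPF is IP protocol 89.
   ! Accepting it here, with no further parameters, keeps the generic sequences
   ! below from rewriting or dropping the router's own control-plane packets.
   sequence 10
    match
     protocol 89
    !
    action accept
    !
   !
   ! Sequence 20: DNS requests (UDP/53) are counted, logged and redirected.
   ! The counter name shows up in "show policy access-lists counters" on the
   ! vEdge device; logged packets are visible with "show app log flows".
   sequence 20
    match
     protocol 17
     destination-port 53
    !
    action accept
     count dns-redirect-count
     log
     redirect-dns 198.51.100.53
    !
   !
   ! Sequence 30: traffic to a constructed data-centre prefix is sent through
   ! the FW service located in VPN 10 before delivery, and marked DSCP 46.
   sequence 30
    match
     destination-ip 203.0.113.0/24
    !
    action accept
     count dc-steered-count
     set
      dscp 46
      service FW vpn 10
     !
    !
   !
   ! Drop is the default action for a data policy, so unmatched traffic is
   ! only forwarded because accept is set explicitly here.
   default-action accept
  !
 !
 lists
  vpn-list SERVICE-VPNS
   vpn 1
  !
  site-list BRANCHES
   site-id 100-199
  !
 !
!
apply-policy
 site-list BRANCHES
  data-policy DP-EXAMPLE from-service
 !
!
```

The ordering matters: sequences are evaluated top down, so the OSPF escape must sit above any sequence whose match is generic enough to catch locally generated packets. Setting default-action explicitly is worth the extra line, because a policy that ends in the implicit drop silently discards every flow that no sequence matched.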
The following table describes the IPv4 and IPv6 actions.
IPv4 Actions | IPv6 Actions
---|---
drop, dscp, next-hop (from-service only)/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only) | N/A
App-route preferred color, app-route sla strict, cflowd, nat, redirect-dns | N/A
N/A | drop, dscp, next-hop/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only), App-route preferred color, app-route sla strict
policer (DataPolicy), tcp-optimization, fec-always | policer (DataPolicy)
tloc, tloc-list (set tloc, set tloc-list) | tloc, tloc-list (set tloc, set tloc-list)
App-Route backup-preferred color, local-tloc, local-tloc-list | App-Route backup-preferred color, local-tloc, local-tloc-list