Policy overview
Policy architecture
- Centralized control policy architecture
Policy validation for Cisco Catalyst SD-WAN
Cisco Catalyst SD-WAN Controller Policy components
- TLOC attributes used in policies
- Cisco Catalyst SD-WAN Route attributes used in policies
Best practice for Cisco Catalyst SD-WAN Controller policy processing and application
Cisco Cisco Catalyst SD-WAN Controller policy operation
Configure and execute Cisco SD-WAN Controller policies
Policy status and health monitoring

Policy overview

A policy is a network control mechanism that

influences the flow of data traffic and routing information among Cisco IOS XE Catalyst SD-WAN devices in the overlay network,
comprises routing policy for control plane traffic flow and data policy for data plane traffic flow, and
implements enterprise-specific traffic control requirements through basic policies and advanced features.

Table 1. Feature history
Feature	Release Information	Description
Policy enforcement failure	Cisco IOS XE Catalyst SD-WAN Release 17.18.1a Cisco Catalyst SD-WAN Manager Release 20.18.1	This feature aims to detect when a policy download fails and raises an alarm (policy-enforcement-status). Additionally, this feature introduces new service-path show commands.
Policy validation in Cisco SD-WAN	Cisco IOS XE Catalyst SD-WAN Release 26.1.1 Cisco Catalyst SD-WAN Manager Release 26.1.1.1	This feature ensures network reliability and operational efficiency by automatically validating Cisco Catalyst SD-WAN policies for accuracy, platform compliance, and alignment with network requirements before deployment.

Just as the Cisco Catalyst SD-WAN overlay network architecture clearly separates the control plane from the data plane and control between centralized and localized functions, the Cisco Catalyst SD-WAN policy is cleanly separated. Policies apply either to control plane or data plane traffic, and they are configured either centrally on Cisco SD-WAN Controllers or locally on Cisco IOS XE Catalyst SD-WAN devices. The following figure illustrates the division between control and data policy, and between centralized and local policy.

Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.

The Cisco Catalyst SD-WAN policy design provides a clear separation between centralized and localized policy. In short, centralized policy is provisioned on the centralized Cisco SD-WAN Controllers in the overlay network, and the localized policy is provisioned on Cisco IOS XE Catalyst SD-WAN devices, which sit at the network edge between a branch or enterprise site and a transport network, such as the Internet, MPLS, or metro Ethernet.

Centralized policy refers to policy provisioned on Cisco SD-WAN Controllers, which are the centralized controllers in the Cisco Catalyst SD-WAN overlay network. Centralized policy comprises two components:

Control policy, which affects the overlay network–wide routing of traffic
Data policy, which affects the data traffic flow throughout the VPN segments in the network

Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the Cisco SD-WAN Controller's route table and that is advertised to the Cisco IOS XE Catalyst SD-WAN devices in the network.

Centralized data policy applies to data traffic by directing traffic flows to take specific paths through the network, or by adding Quality of Service (QoS) on packets.

Localized Policy

Localized policy refers to policy provisioned locally on Cisco IOS XE Catalyst SD-WAN devices. Localized policy also comprises two components:

Control policy, which affects the routing information that Cisco IOS XE Catalyst SD-WAN devices advertise to their local attached networks
Data policy, which applies access control lists (ACLs) and QoS to packets being transmitted from and received on Cisco IOS XE Catalyst SD-WAN device router interfaces

Localized control policy affects the routing information that Cisco IOS XE Catalyst SD-WAN devices propagate within their local site network.

When data plane traffic is unpolicied, all data traffic is directed towards its destination based solely on the entries in the local Cisco IOS XE Catalyst SD-WAN device's route table, and all VPNs in the overlay network can exchange data traffic.

Policy architecture

Policy architecture is a framework that

implements overlay network-wide policies called Cisco SD-WAN Validator policy or centralized policy
affects the flow of both control plane traffic and data plane traffic across the overlay network, and
supports traditional routing policies on Cisco IOS XE Catalyst SD-WAN devices for local routing protocol control.

Policy implementation details

The Cisco Catalyst SD-WAN policy architecture provides centralized policy configuration on a Cisco SD-WAN Controller. Cisco SD-WAN Controller policy affects control plane traffic through routing updates carried by Overlay Management Protocol (OMP) and used by the Cisco SD-WAN Controllers to determine the topology and status of the overlay network. It also affects data plane traffic that travels between the Cisco IOS XE Catalyst SD-WAN devices across the overlay network.

You can also create routing policies on the Cisco IOS XE Catalyst SD-WAN devices. These policies are traditional routing policies that are associated with routing protocol (BGP or OSPF) locally on the devices. You use them in the traditional sense for controlling BGP and OSPF, for example, to affect the exchange of route information, to set route attributes, and to influence path selection.

Centralized control policy architecture

A centralized control policy architecture is a network management framework that

enables centralized orchestration of network-wide routing decisions by a central authority instead of hop-by-hop implementation
allows influence over network routes advertised by Cisco SD-WAN Controllers through policies provisioned centrally
ensures routing policy results are distributed to devices using the Overlay Management Protocol (OMP) while maintaining centralized policy configuration.

Architecture components and implementation

In the Cisco IOS XE Catalyst SD-WAN network architecture, centralized control policy is handled by the Cisco SD-WAN Controller, which effectively is the routing engine of the network. The Cisco SD-WAN Controller is the centralized manager of network-wide routes, maintaining a primary route table for these routes. The Cisco SD-WAN Controller builds its route table based on the route information advertised by the Cisco IOS XE Catalyst SD-WAN devices in its domain, using these routes to discover the network topology and to determine the best paths to network destinations.

The Cisco SD-WAN Controller distributes route information from its route table to the devices in its domain which in turn use these routes to forward data traffic through the network. The result of this architecture is that networking-wide routing decisions and routing policy are orchestrated by a central authority instead of being implemented hop by hop, by the devices in the network.

Centralized control policy allows you to influence the network routes advertised by the Cisco SD-WAN Controllers. This type of policy, which is provisioned centrally on the Cisco SD-WAN Controller, affects both the route information that the Cisco SD-WAN Controller stores in its primary route table and the route information that it distributes to the devices.

Centralized control policy is provisioned and applied only on the Cisco SD-WAN Controller. The control policy configuration itself is never pushed to devices in the overlay network. What is pushed to the devices, using the Overlay Management Protocol (OMP), are the results of the control policy, which the devices then install in their local route tables and use for forwarding data traffic. This design means that the distribution of network-wide routes is always administered centrally, using policies designed by network administrators. These policies are always implemented by centralized Cisco SD-WAN Controllers, which are responsible for orchestrating the routing decisions in the Cisco IOS XE Catalyst SD-WAN overlay network.

Within a network domain, the network topology map on all Cisco SD-WAN Controllers must be synchronized. To support this, you must configure identical policies on all the Cisco SD-WAN Controllers in the domain.

Centralized control policy architecture illustrates the synchronization of network topology maps and the configuration of identical policies across devices in a network domain. — Figure 2. Centralized control policy

All centralized control plane traffic, including route information, is carried by OMP peering sessions that run within the secure, permanent DTLS connections between devices and the Cisco SD-WAN Controllers in their domain. The end points of an OMP peering session are identified by the system IDs of the devices, and the peering sessions carry the site ID, which identifies the site in which the device is located. A DTLS connection and the OMP session running over it remain active as long as the two peers are operational.

Control policy can be applied both inbound, to the route advertisements that the Cisco SD-WAN Controller receives from the devices, and outbound, to advertisements that it sends to them. Inbound policy controls which routes and route information are installed in the local routing database on the Cisco SD-WAN Controller, and whether this information is installed as-is or is modified. Outbound control policy is applied after a route is retrieved from the routing database, but before a Cisco SD-WAN Controller advertises it, and affects whether the route information is advertised as-is or is modified.

Route types

Route types are OMP route categorizations that

carry prefix information that the devices learn from routing protocols
identify transport locations and their properties, and
identify available network services on local-site networks.

Route type details

The Cisco SD-WAN Controller learns the network topology from OMP routes, which are Cisco IOS XE Catalyst SD-WAN-specific routes carried by OMP. There are three types of OMP routes:

Cisco IOS XE Catalyst SD-WAN OMP routes—These routes carry prefix information that the devices learn from the routing protocols running on its local network, including routes learned from BGP and OSPF, as well as direct, connected, and static routes. OMP advertises OMP routes to the Cisco SD-WAN Controller by means of an OMP route SAFI (Subsequent Address Family Identifier). These routes are commonly simply called OMP routes.
TLOC routes—These routes carry properties associated with transport locations, which are the physical points at which the devices connect to the WAN or the transport network. Properties that identify a TLOC include the IP address of the WAN interface and a color that identifies a particular traffic flow. OMP advertises TLOC routes using a TLOC SAFI.
Service routes—These routes identify network services, such as firewalls and IDPs, that are available on the local-site network to which the devices are connected. OMP advertises these routes using a service SAFI.

The difference in these three types of routes can be viewed by using the various show sdwan OMP operational commands when you are logged in to the CLI on a Cisco SD-WAN Controller or a Cisco IOS XE Catalyst SD-WAN device. The show sdwan OMP routes command displays information sorted by prefix, the show sdwan OMP services command displays route information sorted by service, and the show sdwan OMP tlocs command sorts route information by TLOC.

Default behavior without centralized control policy

Default behavior without centralized control policy is a network state that

operates when no centralized control policy is provisioned on the Cisco SD-WAN Controller
enables unrestricted sharing of all route information across controllers and devices within a domain, and
results in automatic redistribution of OMP, TLOC, and service routes throughout the network.

Route advertisement and redistribution behavior

The default behavior produces the following route advertisement and redistribution patterns within a domain:

All Cisco IOS XE Catalyst SD-WAN devices redistribute all the route-related prefixes that they learn from their site-local network to the Cisco SD-WAN Controller. This route information is carried by OMP route advertisements that are sent over the DTLS connection between the devices and the Cisco SD-WAN Controller. If a domain contains multiple Cisco SD-WAN Controllers, the devices send all OMP route advertisements to all the controllers.
All the devices send all TLOC routes to the Cisco SD-WAN Controller or controllers in their domain, using OMP.
All the devices send all service routes to advertise any network services, such as firewalls and IDPs, that are available at the local site where the device is located. Again, these are carried by OMP.
The Cisco SD-WAN Controller accepts all the OMP, TLOC, and service routes that it receives from all the devices in its domain, storing the information in its route table. The Cisco SD-WAN Controller tracks which OMP routes, TLOCs, and services belong to which VPNs. The Cisco SD-WAN Controller uses all the routes to develop a topology map of the network and to determine routing paths for data traffic through the overlay network.
The Cisco SD-WAN Controller redistributes all information learned from the OMP, TLOC, and service routes in a particular VPN to all the devices in the same VPN.
The devices regularly send route updates to the Cisco SD-WAN Controller.
The Cisco SD-WAN Controller recalculates routing paths, updates its route table, and advertises new and changed routing information to all the devices.

Behavior changes with centralized control policy

A centralized control policy is a network management mechanism that

filters, modifies, or rejects route information before distribution to Cisco IOS XE Catalyst SD-WAN devices in a domain
controls route information stored in the Cisco Catalyst SD-WAN Controller's route table or advertised by the Cisco Catalyst SD-WAN Controller, and
applies to specific sites in the overlay network in either inbound or outbound direction with respect to the Cisco Catalyst SD-WAN Controller.

Control policy direction behaviors

All provisioning of centralized control policy is done on the Cisco Catalyst SD-WAN Controller.

Control policy behavior depends on the direction of application:

Inbound direction: Filters or modifies the routes being advertised by the Cisco IOS XE Catalyst SD-WAN device before they are placed in the route table on the Cisco Catalyst SD-WAN Controller. Routes are either accepted or rejected as the first step. Accepted routes are installed in the route table on the Cisco Catalyst SD-WAN Controller either as received or as modified by the control policy. Routes that are rejected by a control policy are silently discarded.
Outbound direction: Filters or modifies the routes that the Cisco Catalyst SD-WAN Controller redistributes to the Cisco IOS XE Catalyst SD-WAN devices. Routes are either accepted or rejected as the first step. For accepted routes, centralized control policy can modify the routes before they are distributed by the Cisco Catalyst SD-WAN Controller. Routes that are rejected by an outbound policy are not advertised.

VPN membership policy is a second type of centralized data policy that controls whether a Cisco IOS XE Catalyst SD-WAN device can participate in a particular VPN. VPN membership policy defines which VPNs of a device is allowed and which is not allowed to receive routes from.

VPN membership policy can be centralized because it affects only the packet headers and has no impact on the choice of interface that a Cisco IOS XE Catalyst SD-WAN device uses to transmit traffic. If, because of a VPN membership policy, a device is not allowed to receive routes for a particular VPN, the Cisco Catalyst SD-WAN Controller never forwards those routes to that driver.

Examples of modifying traffic flow with centralized control policy

Examples of modifying traffic flow with centralized control policy are practical scenarios that demonstrate how you can use centralized control policies to modify the flow of data traffic through the overlay network.

Basic examples of traffic flow modification

This section provides some basic examples of how you can use centralized control policies to modify the flow of data traffic through the overlay network.

Arbitrary topologies

An arbitrary topology is a network design approach that

uses control policies to create specific network structures like hub-and-spoke models,
minimizes CPU resource overhead by reducing the number of direct IPsec tunnel connections, and
enables scalable network architectures for large deployments with hundreds or thousands of branches.

Hub-and-spoke topology implementation

When data traffic is exchanged between two Cisco IOS XE Catalyst SD-WAN devices, if you have provisioned no control policy, the two devices establish an IPsec tunnel between them and the data traffic flows directly from one device to the next. For a network with only two devices or with just a small number of devices, establishing connections between each pair of devices is generally not been an issue. However, such a solution does not scale. In a network with hundreds or even thousands of branches, establishing a full mesh of IPsec tunnels tax the CPU resources of each device.

A hub-and-spoke topology illustrates how a central device receives and redirects data traffic from multiple branch devices. — Figure 3. Arbitrary Topology

One way to minimize this overhead is to create a hub-and-spoke type of topology in which one of the devices acts as a hub site that receives the data traffic from all the spoke, or branch, devices and then redirects the traffic to the proper destination. This example shows one of the ways to create such a hub-and-spoke topology, which is to create a control policy that changes the address of the TLOC associated with the destination.

West-East branch hub-and-spoke configuration

The figure illustrates how such a policy might work. The topology has two branch locations, West and East. When no control policy is provisioned, these two devices exchange data traffic with each other directly by creating an IPsec tunnel between them (shown by the red line). Here, the route table on the Device West contains a route to Device East with a destination TLOC of 203.0.113.1, color gold (which we write as the tuple {192.0.2.1, gold}), and Device East route table has a route to the West branch with a destination TLOC of {203.0.113.1, gold}.

To set up a hub-and-spoke–type topology here, we provision a control policy that causes the West and East devices to send all data packets destined for the other device to the hub device. (Remember that because control policy is always centralized, you provision it on the Cisco Catalyst SD-WAN Controller.) On the Device West, the policy simply changes the destination TLOC from {203.0.113.1, gold} to {209.165.200.225, gold}, which is the TLOC of the hub device, and on the Device East, the policy changes the destination TLOC from {192.0.2.1, gold} to the hub's TLOC, {209.165.200.225, gold}. If there were other branch sites on the west and east sides of the network that exchange data traffic, you could apply these same two control policies to have them redirect all their data traffic through the hub.

Traffic engineering

Traffic engineering is a control policy capability that

allows you to design and provision traffic flow through the network using TLOC preferences
enables path tracking to monitor end-to-end path availability between source and destination devices, and
provides service chaining functionality by redirecting packets through network services such as firewalls.

Traffic engineering implementation methods

Control policy allows you to design and provision traffic engineering. In a simple case, suppose that you have two devices acting as hub devices. If you want data traffic destined to a branch Cisco IOS XE Catalyst SD-WAN device to always transit through one of the hub devices, set the TLOC preference value to favor the desired hub device.

Site ID 100 has two hub devices, one for the West side and one for the East side, illustrating how data traffic is directed through the preferred hub device. — Figure 4. Traffic engineering topology

The figure shows that Site ID 100 has two hub devices, one that serves the West side of the network and a second that serves the East side. Data traffic from the Device West must be handled by the Device West hub, and similarly, data traffic from the Device East branch must go through the Device East hub.

To engineer this traffic flow, you provision two control policies, one for Site ID 1, where the Device West device is located, and a second one for Site ID 2. The control policy for Site ID 1 changes the TLOC for traffic destined to the Device East to {209.165.200.225, gold}, and the control policy for Site ID 2 changes the TLOC for traffic destined for Site ID 1 to {198.51.100.1, gold}. One additional effect of this traffic engineering policy is that it load-balances the traffic traveling through the two hub devices.

With such a traffic engineering policy, a route from the source device to the destination device is installed in the local route table, and traffic is sent to the destination regardless of whether the path between the source and destination devices is available. Enabling end-to-end tracking of the path to the ultimate destination allows the Cisco Catalyst SD-WAN Controller to monitor the path from the source to the destination, and to inform the source device when that path is not available. The source device can then modify or remove the path from its route table.

Note

Ensure that the Traffic Engineering (TE) service is enabled on the intermediate hub to utilize the traffic engineering functionalities.

The figure Traffic Engineering 2 illustrates end-to-end path tracking. It shows that traffic from Device-A that is destined for Device-D first goes to an intermediate device, Device-B, perhaps because this intermediate device provides a service, such as a firewall. (You configure this traffic engineering with a centralized control policy that is applied to Device-A, at Site 1.) Then Device-B, which has a direct path to the ultimate destination, forwards the traffic to Device-D. So, in this example, the end-to-end path between Device-A and Device-D comprises two tunnels, one between Device-A and Device-B, and the second between Device-B and Device-D. The Cisco Catalyst SD-WAN Controller tracks this end-to-end path, and it notifies Device-A if the portion of the path between Device-B and Device-D becomes unavailable.

As part of end-to-end path tracking, you can specify how to forwarded traffic from the source to the ultimate destination using an intermediate device. The default method is strict forwarding, where traffic is always sent from Device-A to Device-B, regardless of whether Device-B has a direct path to Device-D or whether the tunnel between Device-B and Device-D is up. More flexible methods forward some or all traffic directly from Device-A to Device-D. You can also set up a second intermediate device to provide a redundant path with the first intermediate device is unreachable and use an ECMP method to forward traffic between the two. The figure Traffic Engineering3 adds Device-C as a redundant intermediate device.

Centralized control policy affects routing based on OMP routes and TLOCs. — Figure 6. Traffic engineering 3

Centralized control policy, which you configure on Cisco Catalyst SD-WAN Controllers, affects routing policy based on information in OMP routes and OMP TLOCs.

In domains with multiple Cisco Catalyst SD-WAN Controllers, all the controllers must have the same centralized control policy configuration to ensure that routing within the overlay network remains stable and predictable.

Centralized policy-based configuration on prefixes and IP headers

A centralized data policy based on source and destination prefixes and on headers in IP packets is a series of numbered sequences that

consists of ordered match-action pairs that are evaluated from lowest sequence number to highest sequence number
takes the associated action when a packet matches one of the match conditions and stops policy evaluation on that packet, and
drops and discards packets by default if no parameters in any of the sequences match.

Configuration components

The following figure illustrates the configuration components for a centralized data policy:

Policy validation for Cisco Catalyst SD-WAN

Policy validation in Cisco Catalyst SD-WAN is a process that

automatically checks if your policies are accurate,
ensures that policies comply with platform capabilities, and
confirms that policies align with your network requirements.

Application list: An application list is a collection of applications grouped together for policy matching, allowing you to apply policies to multiple applications at once.

Application family: An application family refers to a category of related applications such as Cisco Webex, Microsoft Teams, and Zoom. Application categories simplify policy management and enforcement.

Key features of policy validation

This process helps verify that all configurations operate within supported limits before deployment.

Centralized policy checks: From Cisco IOS XE Catalyst SD-WAN Release 26.1.1 policy validation is centrally managed, enabling quicker error detection and ensuring configurations remain within supported limits.
Enhanced device alerts: Devices send detailed alerts to Cisco SD-WAN Manager for proactive monitoring.
Filters in a sequence: Each policy sequence supports up to 64 filters, giving you flexibility to define granular traffic matching criteria.
Entries in a list: You can create and modify lists with a combined total of up to 8192 entries including existing and new entries to ensure scalability for complex network requirements.

Cisco Catalyst SD-WAN Controller Policy components

Cisco Catalyst SD-WAN Controller policy components are a configuration framework that

consists of three essential building blocks: lists, policy definitions, and policy applications
enables centralized management and enforcement of overlay network-wide policies on Cisco Catalyst SD-WAN Control Components, and
ensures consistency in policy enforcement across the overlay network through centralized configuration.

Policy component architecture

The Cisco SD-WAN Controller policies that implement overlay network-wide policies are implemented on a Cisco Catalyst SD-WAN Control Components. Because Cisco SD-WAN Controllers are centralized devices, you can manage and maintain Cisco SD-WAN Controller policies centrally, and you can ensure consistency in the enforcement of policies across the overlay network.

The implementation of Cisco SD-WAN Controller policy is done by configuring the entire policy on the Cisco Catalyst SD-WAN Control Components. Cisco SD-WAN Controller policy configuration is accomplished with three building blocks:

Lists define the targets of policy application or matching.
Policy definition, or policies, controls aspects of control and forwarding. There are different types of policy, including:
- app-route-policy (for application-aware routing)
- cflowd-template (for cflowd flow monitoring)
- control-policy (for routing and control plane information)
- data-policy (for data traffic)
- vpn-membership-policy (for limiting the scope of traffic to specific VPNs)
Policy application controls what a policy is applied towards. Policy application is site-oriented, and is defined by a specific list called a site-list.

You assemble these three building blocks to Cisco SD-WAN Controller policy. More specifically, policy is the sum of one or more lists, one policy definition, and at least one policy applications, as shown in the table below.

Table 2. The three building blocks of Cisco SD-WAN Controller policies
Lists		Policy Definition		Policy Application
data-prefix-list: List of prefixes for use with a data-policy prefix-list: List of prefixes for use with any other policy site-list: List of site-id:s for use in policy and apply-policy tloc-list : List of tloc:s for use in policy vpn-list : List of vpn:s for use in policy	+	app-route-policy: Used with sla-classes for application-aware routing cflowd-template: Configures the cflowd agents on the Cisco IOS XE Catalyst SD-WAN devices control-policy: Controls OMP routing control data-policy: Provides vpn-wide policy-based routing vpn-membership-policy: Controls vpn membership across nodes	+	apply-policy: Used with a site-list to determine where policies are applied
The example illustrated below creates two lists (a site-list and a tloc-list), defines one policy (a control policy), and applies the policy to the site-list. In the figure, the items are listed as they are presented in the node configuration. In a normal configuration process, you create lists first (group together all the things you want to use), then define the policy itself (define what things you want to do), and finally apply the policy (specify the sites that the configured policy affects).

apply-policy 
 site-list site1  ––––––––→ Apply the defined policy towards the sites in site-list
  control-policy prefer_local out
  !
policy 
 lists 
 site-list site1 
  site-id 100 
 tloc-list prefer_site1 –––→ Define the lists required for apply-policy and for use within the policy
  tloc 192.0.2.1 color mols encap ipsec preference 400
 control-policy prefer_local 
  sequence 10  
   match route 
    site-list sitele ––––––->Lists previously defined used within policy
  ! 
   action accept 
    set 
     tloc-list prefer_site
    !
   !
  !

TLOC attributes used in policies

A transport location, or TLOC, defines a specific interface in the overlay network. Each TLOC consists of a set of attributes that are exchanged in OMP updates among the Cisco IOS XE Catalyst SD-WAN devices. Each TLOC is uniquely identified by a 3-tuple of IP address, color, and encapsulation. Other attributes can be associated with a TLOC.

The TLOC attributes listed below can be matched or set in Cisco SD-WAN Controller policies.


TLOC Attribute	Function	Application Point Set By	Application Point Modify By
Address (IP address)	system-IP address of the source device on which the interface is located.	Configuration on source device	control-policy data-policy
Carrier	Identifier of the carrier type. It primarily indicates whether the transport is public or private.	Configuration on source device	control-policy
Color	Identifier of the TLOC type.	Configuration on source device	control-policy data-policy
Domain ID	Identifier of the overlay network domain.	Configuration on source device	control-policy
Encapsulation	Tunnel encapsulation, either IPsec or GRE.	Configuration on source device	control-policy data-policy
Originator	system-IP address of originating node.	Configuration on any originator	control-policy
Preference	OMP path-selection preference. A higher value is a more preferred path.	Configuration on source device	control-policy
Site ID	Identification for a give site. A site can have multiple nodes or TLOCs.	Configuration on source device	control-policy
Tag	Identifier of TLOC on any arbitrary basis.	Configuration on source device	control-policy

Cisco Catalyst SD-WAN Route attributes used in policies

A Cisco Catalyst SD-WAN route, defines a route in the overlay network and is similar to a standard IP route, has a TLOC and VPN attributes. The Cisco IOS XE Catalyst SD-WAN devices exchange routes in OMP updates.

The routes attributes listed below can be matched or set in Cisco SD-WAN Controller policies.

Table 3.
Route Attribute	Function	Application Point Set By	Application Point Modify By
Origin	Source of the route, either BGP, OSPF, connected, static. Match origin command is available only for Cisco vEdge devices but not on Cisco IOS XE Catalyst SD-WAN devices.	Source device	control-policy
Originator	Source of the update carrying the route.	Any originator	control-policy
Preference	OMP path-selection preference. A higher value is a more preferred path.	Configuration on source device or policy	control-policy
Service	Advertised service associated with the route.	Configuration on source device	control-policy
Site ID	Identifier for a give site. A site can have multiple nodes or TLOCs.	Configuration on source device	control-policy
Tag	Identification on any arbitrary basis.	Configuration on source device	control-policy
TLOC	TLOC used as next hop for the route.	Configuration on source device or policy	control-policy data-policy
VPN	VPN to which the route belongs.	Configuration on source device or policy	control-policy data-policy

Best practice for Cisco Catalyst SD-WAN Controller policy processing and application

Policy processing and application guidelines

Understanding how a Cisco SD-WAN Controller policy is processed and applied allows for proper design of policy and evaluation of how policy is implemented across the overlay network.

A policy definition consists of a numbered, ordered sequence of match–action pairings. Within each policy, the pairings are processed in sequential order, starting with the lowest number and incrementing.
As soon as a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
Any entity not matched in a sequence is subject to the default action for the policy. By default, this action is reject.

Site-list policy application requirements

Cisco SD-WAN Controller policy is applied on a per-site-list basis.

When applying policy to a site-list, you can apply only one of each type of policy. For example, you can have one control-policy and one data-policy, or one control-policy in and one control-policy out. You cannot have two data policies or two outbound control policies.
Because a site-list is a grouping of many sites, you should be careful about including a site in more than one site-list. When the site-list includes a range of site identifiers, ensure that there is no overlap. If the same site is part of two site-lists and the same type of policy is applied to both site-lists, the policy behavior is unpredictable and possibly catastrophic.
Control-policy is unidirectional, being applied either inbound to the Cisco SD-WAN Controller or outbound from it. When control-policy is needed in both directions, configure two control policies.
Data-policy is bidirectional and can be applied either to traffic received from the service side of the Cisco IOS XE Catalyst SD-WAN device, traffic received from the tunnel side, or all of these combinations.
VPN membership policy is always applied to traffic outbound from the Cisco SD-WAN Controller.

Policy distribution and routing considerations

Policy distribution and routing decisions require understanding of how information flows through the overlay network.

Control-policy remains on the Cisco SD-WAN Controller and affects routes that the controller sends and receives.
Data-policy is sent to either the Cisco IOS XE Catalyst SD-WAN devices in the site-list. The policy is sent in OMP updates, and it affects the data traffic that the devices send and receive.
When any node in the overlay network makes a routing decision, it uses any and all available routing information. In the overlay network, it is the Cisco Catalyst SD-WAN Controller that distributes routing information to the Cisco IOS XE Catalyst SD-WAN device nodes.

Requirement: Consistent configuration across controllers

In a network deployment that has two or more Cisco Catalyst SD-WAN Controllers, each controller acts independently to disseminate routing information to other Cisco SD-WAN Controllers and to Cisco IOS XE Catalyst SD-WAN devices in the overlay network. So, to ensure that the Cisco SD-WAN Controller policy has the desired effect in the overlay network, each Cisco SD-WAN Controller must be configured with the same policy, and the policy must be applied identically. For any given policy, you must configure the identical policy and apply it identically across all the Cisco SD-WAN Controllers.

When you deploy a policy, the deployment status is updated only for 30 minutes, which is the timeout limit for policies. After the timeout period, the deployment task status is not monitored. If you are deploying a bigger policy with more number of lines, and if it takes more than 30 minutes, the task status will not be monitored.

Cisco Cisco Catalyst SD-WAN Controller policy operation

Cisco Cisco Catalyst SD-WAN Controller policy operation is a network management mechanism that

operates on routing information carried in OMP updates through control policy
affects data traffic through data policy, and
controls the distribution of VPN routing tables through VPN membership.

Basic policy types

The basic Cisco SD-WAN Controller policies are:

Control Policy
Data Policy
VPN Membership

Control policy

A control policy is a routing policy mechanism that

operates on routes and routing information in the control plane of the overlay network
customizes network-wide routing decisions that determine or influence routing paths through the overlay network, and
allows modification of OMP route attributes before they are placed in the route table or advertised to devices.

Control policy types and operation

Two types of control policy provide routing customization:

Centralized control policy: Provisioned on the Cisco SD-WAN Controller and customizes network-wide routing decisions through the overlay network
Local control policy: Provisioned on a Cisco IOS XE Catalyst SD-WAN device and allows customization of routing decisions made by BGP and OSPF on site-local branch or enterprise networks

The routing information that forms the basis of centralized control policy is carried in Cisco IOS XE Catalyst SD-WAN route advertisements, which are transmitted on the DTLS or TLS control connections between Cisco SD-WAN Controllers and Cisco IOS XE Catalyst SD-WAN devices.

Centralized control policy determines which routes and route information are placed into the centralized route table on the Cisco SD-WAN Controller and which routes and route information are advertised to the Cisco IOS XE Catalyst SD-WAN devices in the overlay network. Basic centralized control policy establish traffic engineering, to set the path that traffic takes through the network. Advanced control policy supports a number of features, which allows Cisco IOS XE Catalyst SD-WAN devices in the overlay network to share network services, such as firewalls and load balancers.

Centralized control policy affects the OMP routes that are distributed by the Cisco SD-WAN Controller throughout the overlay network. The Cisco SD-WAN Controller learns the overlay network topology from OMP routes that are advertised by the Cisco IOS XE Catalyst SD-WAN devices over the OMP sessions inside the DTLS or TLS connections between the Cisco SD-WAN Controller and the devices.

Three types of OMP routes carry the information that the Cisco SD-WAN Controller uses to determine the network topology:

Cisco Catalyst SD-WAN OMP routes: Similar to IP route advertisements, advertise routing information that the devices have learned from their local site and the local routing protocols (BGP and OSPF) to the Cisco SD-WAN Controller. These routes are also referred to as OMP routes or Routes.
TLOC routes: Carry overlay network–specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type.
Service routes: Advertise the network services, such as firewalls, available to VPN members at the local site.

By default, no centralized control policy is provisioned. In this bare, unpolicied network, all OMP routes are placed in the Cisco SD-WAN Controller's route table as is, and the Cisco SD-WAN Controller advertises all OMP routes, as is, to all the devices in the same VPN in the network domain.

By provisioning centralized control policy, you can affect which OMP routes are placed in the Cisco SD-WAN Controller's route table, what route information is advertised to the devices, and whether the OMP routes are modified before being put into the route table or before being advertised.

Cisco IOS XE Catalyst SD-WAN devices place all the route information learned from the Cisco SD-WAN Controllers, as is, into their local route tables, for use when forwarding data traffic. Because the Cisco SD-WAN Controller's role is to be the centralized routing system in the network, edge devices do not perform any policy actions on routes learned from the Cisco SD-WAN Controllers.

The figure below shows the OMP route flow in the overlay network and illustrates the effects of centralized control policy. Centralized control policy affects the exchange of routing information between the Cisco IOS XE Catalyst SD-WAN devices and the Cisco SD-WAN Controllers. As shown in the figure, you can apply a policy in two directions:

Inbound—A policy applied to routes being received by the Cisco SD-WAN Controller from the Cisco IOS XE Catalyst SD-WAN devices in the network
Outbound—A policy applied to routes being sent by the Cisco SD-WAN Controller to the Cisco IOS XE Catalyst SD-WAN devices in the network

For inbound policy, the routes received from the Cisco IOS XE Catalyst SD-WAN devices are modified before they are placed in the Cisco SD-WAN Controller's route table, and the modified routes are also sent to all other Cisco IOS XE Catalyst SD-WAN devices. Inbound policies affect all the devices in the network domain because the Cisco SD-WAN Controller advertises the modified routes to all the Cisco IOS XE Catalyst SD-WAN devices in the VPN.

For an outbound policy, the routes in the Cisco SD-WAN Controller's route table are not modified. Instead, the Cisco SD-WAN Controller reads a route from its route table, creates a copy of the route, modifies the copy as directed by the policy, and sends this modified copy to the destination devices. The original route in the Cisco SD-WAN Controller's route table remains unchanged after the update. Again, note that the direction is outbound from the perpspective of the Cisco SD-WAN Controller.

In contrast to an inbound policy, which affects the centralized route table on the Cisco SD-WAN Controller and has a broad effect on the route attributes advertised to all the devices in the overlay network. A control policy applied in the outbound direction influences only the route tables on the individual devices included in the site-list.

The same control policy (the prefer_local policy) is applied to both the inbound and outbound OMP updates. However, the effects of applying the same policy to inbound and outbound are different. The usage shown in the figure illustrates the flexibility of the Cisco IOS XE Catalyst SD-WAN control policy design architecture and configuration.

Data policies

A data policy is a network traffic control mechanism that

influences the flow of data traffic traversing the network based either on fields in the IP header of packets or the router interface on which the traffic is being transmitted or received
controls data traffic traveling over IPsec connections between Cisco IOS XE Catalyst SD-WAN devices, and
examines fields in data packet headers, looking at source and destination addresses and ports, protocol and DSCP values.

Data policy types

The Cisco IOS XE Catalyst SD-WAN architecture implements two types of data policy:

Centralized data policy: Controls the flow of data traffic based on the source and destination addresses and ports and DSCP fields in the packet's IP header (referred to as a 5-tuple), and based on network segmentation and VPN membership. These types of data policy are provisioned centrally, on the Cisco SD-WAN Controller, and they affect traffic flow across the entire network.
Localized data policy: Controls the flow of data traffic into and out of interfaces and interface queues on a Cisco IOS XE Catalyst SD-WAN device. This type of data policy is provisioned locally using access lists. It allows you to classify traffic and map different classes to different queues. It also allows you to mirror traffic and to police the rate at which data traffic is transmitted and received.

By default, no centralized data policy is provisioned. The result is that all prefixes within a VPN are reachable from anywhere in the VPN. Provisioning centralized data policy allows you to apply a 6-tuple filter that controls access between sources and destinations.

Centralized data policy controls access between sources and destinations within a VPN using a 6-tuple filter.

As with centralized control policy, you provision a centralized data policy on the Cisco SD-WAN Controller, and that configuration remains on the Cisco SD-WAN Controller. The effects of data policy are reflected in how the Cisco IOS XE Catalyst SD-WAN devices direct data traffic to its destination. Unlike control policy, however, centralized data polices are pushed to the devices in a read-only fashion. They are not added to the router's configuration file, but you can view them from the CLI on the router.

Alt text for the image is missing in the provided context. Please provide the surrounding text that describes the image's action or purpose so I can generate the appropriate alt text.

With no access lists provisioned on a Cisco IOS XE Catalyst SD-WAN device, all data traffic is transmitted at line rate and with equal importance, using one of the interface's queues. Using access lists, you can provision class of service, which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted. You can provision policing.

Data policy is configured and applied on the Cisco SD-WAN Controller, and then it is carried in OMP updates to the Cisco IOS XE Catalyst SD-WAN devices in the site-list that the policy is applied to. The match operation and any resultant actions are performed on the devices as it transmits or receives data traffic.

Data policy topology example

In the Data Policy Topology figure, a data policy named "change_next_hop" is applied to a list of sites that includes Site 3. The OMP update that the Cisco SD-WAN Controller sends to the devices at Site 3 includes this policy definition. When the device sends or receives data traffic that matches the policy, it changes the next hop to the specified TLOC. Non-matching traffic is forwarded to the original next-hop TLOC.

In the apply-policy command for a data policy, specify a direction from the perspective of the device. The "all" direction in the figure applies the policy to incoming and outgoing data traffic transiting the tunnel interface. You can limit the span of the policy to only incoming traffic with a data-policy change_next_hop from-tunnel command or to only outgoing traffic with a data-policy change_next_hop from-service command.

Restrictions for data policy

You can apply only one data policy per site in each direction on Cisco SD-WAN Controller regardless of the number of VPNs configured.

Supported directions:
- From-service
- From-tunnel
- All- this direction represents both from-service and from-tunnel traffic.
Supported configurations: You can use any one of the following:
- One data policy for from-service direction and One data policy for from-tunnel direction, or
- One data policy for all direction.
Unsupported configurations:
- One data policy for from-service and another for all at the same site.
- One data policy for from-tunnel and another for all at the same site.
Applying multiple data policies in the same direction at a site is not supported and can result in unintended behavior.

VPN membership policy operation

VPN membership policy operation is a network routing mechanism that

affects the VPN route tables that are distributed to particular Cisco IOS XE Catalyst SD-WAN devices
filters route updates sent to devices, removing routes for VPNs they do not service, and
enforces business usage model restrictions on device participation in particular VPNs.

VPN membership policy behavior

In an overlay network with no VPN membership policy, the Cisco Catalyst SD-WAN Controller pushes the routes for all VPNs to all the devices. If your business usage model restricts participation of specific devices in particular VPNs, a VPN membership policy is used to enforce this restriction.

The Cisco SD-WAN Controller always applies this type of policy to the OMP updates that it sends outside to the Cisco IOS XE Catalyst SD-WAN devices. Direction is not set when applying VPN membership policy.

The VPN membership topology illustrates the operation of VPN membership policy in filtering OMP updates sent outside to the specified entities. — Figure 8. VPN membership topology

VPN membership policy filtering scenario

The VPN Membership Topology illustrates how VPN membership policy works. This topology has three Cisco IOS XE Catalyst SD-WAN devices:

The Cisco IOS XE Catalyst SD-WAN devices at Sites 1 and 2 service only VPN 2.
The Cisco IOS XE Catalyst SD-WAN devices at Site 3 services both VPN 1 and VPN 2.

In the figure, the device at Site 3 receives all route updates from the Cisco SD-WAN Controller, because these updates are for both VPN 1 and VPN 2. However, because the other Cisco IOS XE Catalyst SD-WAN devices service only VPN 2, it can filter the route updates sent to them, remove the routes associated with VPN 1 and sends only the ones that apply to VPN 2.

Configure and execute Cisco SD-WAN Controller policies

Cisco SD-WAN Controller policy configuration and execution is a centralized policy management system that

configures all policies centrally on the Cisco IOS XE Catalyst SD-WAN devices using policy definitions and lists
applies policies on the Cisco IOS XE Catalyst SD-WAN devices with apply-policy and lists, and
executes policies on different locations depending on the policy type.

Policy execution locations

The actual Cisco SD-WAN Controller policy execution location depends on the type of policy, as shown in this figure:

alt= — Figure 9. Cisco SD-WAN Controller Policy

Policy execution locations are categorized as follows:

Control policy and VPN membership policy: The entire policy configuration remains on the Cisco SD-WAN Controller, and the actions taken as a result of routes or VPNs that match a policy are performed on the Cisco SD-WAN Controller.
Application-aware routing, cflowd templates, and data policy: The policies are transmitted in OMP updates to the Cisco IOS XE Catalyst SD-WAN devices, and any actions taken as a result of the policies are performed on the devices.

Policy status and health monitoring

Tools and commands are available to verify policy enforcement and pathing in SD-WAN environments.

Service-path show commands

vm5#show sdwan policy service-path vpn 101 interface GigabitEthernet5.101 source-ip ... dest-ip ... protocol 1

Next Hop: Blackhole
AAR Policy:
  Policy name: AAR1
  VPN list name: VPN101
  Sequence number: 1
Data Policy:
  Policy name: DP1
  VPN list name: VPN101
  Sequence number: 1
Drop reason: Tunnels matching local color preference not found, dropping due to strict criteria
 
 
vm5#show sdwan policy tunnel-path vpn 101 interface GigabitEthernet5.101 source-ip ... dest-ip ... protocol 1

Next Hop: IPsec
  Source: ... 12346 Destination: ... 12366 Local Color: lte Remote Color: lte Remote System IP: ...
AAR Policy:
  Policy name: AAR1
  VPN list name: VPN101
  Sequence number: 1
Data Policy:
  Policy name: DP1
  VPN list name: VPN101
  Sequence number: 1
Exceptions:
  Tunnels matching SLA not found, SLA criteria ignored

Cisco Catalyst SD-WAN Policies Configuration Guide, Releases 26.x and Later

Bias-Free Language

Results

Chapter: Policy overview