Policy Groups

Table 1. Feature History

Feature Name: Policy Groups

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.12.1a; Cisco Catalyst SD-WAN Manager Release 20.12.1

Description: This feature provides a simple, reusable, and structured approach for configuring policies in Cisco Catalyst SD-WAN. You can create a policy group, that is, a logical grouping of policies that is applied to one or more sites, or to devices at a site, in the network. To deploy the policy group to devices, the devices must be managed by a configuration group in Cisco Catalyst SD-WAN. You can configure policies based on features that are required, recommended, or uniquely used, and then combine them to complete a policy configuration.

The Deploy Policy Group workflow in Cisco Catalyst SD-WAN provides a guided method to select previously created policy groups and deploy them to sites, or to devices at a site, that are managed by configuration groups.

Feature Name: Configure Traffic and Flow Visibility for Application Priority and SLA Policy

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a; Cisco Catalyst SD-WAN Manager Release 20.13.1

Description: You can configure settings to enable traffic and flow visibility for the application priority and SLA policy in Cisco Catalyst SD-WAN. This feature allows you to monitor application and traffic flow over IPv4, IPv6, or both networks at the global hierarchy level in Cisco SD-WAN Manager.

Feature Name: Preferred Remote Color in AAR Policy

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a; Cisco Catalyst SD-WAN Manager Release 20.15.1

Description: You can set a remote preferred color in the AAR policy to control traffic routing based on the SLA criteria.

Feature Name: Device Tagging for Policy Groups

Release Information: Cisco IOS XE Catalyst SD-WAN Release 26.1.1; Cisco Catalyst SD-WAN Manager Release 26.1.1.1

Description: With this feature, you can add devices to a policy group configuration workflow using tags.

Information About Policy Groups

Policy groups simplify the experience of configuring and deploying various policies on Cisco IOS XE Catalyst SD-WAN devices. Policy groups are a collection of different policies that you can configure through workflows and associate with and deploy on different Cisco IOS XE Catalyst SD-WAN devices.

Overview of Policy Groups

Policy Groups provide a simple, reusable, and structured approach for configuring policies and policy objects in Cisco IOS XE Catalyst SD-WAN devices.

Policy groups are a collection of various policies and policy parameters that you can configure quickly through a simplified workflow. Policy groups allow you to configure the basic and necessary policies with defaults to get your systems up and running. The more advanced user can switch to the Advanced layout to take complete control and configure detailed policy parameters such as service-level agreement (SLA) class, Quality of Service (QoS) Maps, and Match-Action parameters pertaining to the traffic policy. After creating a policy group, you can associate it with one or more sites, or with a single device at a site, in the network and deploy it on devices managed by configuration groups.

After you've configured a policy group, you can deploy it on Cisco IOS XE Catalyst SD-WAN devices by using the Deploy Policy Group Workflow.

For more information about Cisco Catalyst SD-WAN policy and policy architecture, see Policy Overview.

Overview of Policy Group Workflows

The policy group workflow guides you in creating a policy group for one or more sites or a single device at the site in the network that is managed by configuration groups in Cisco Catalyst SD-WAN. The workflow provides you with an improved configuration and troubleshooting experience. The workflow has the following features:

  • You can review the various configuration values on a single page within the workflow.

  • You can easily identify and fix incorrect values that appear highlighted in red. In addition, an asterisk that is adjacent to a field name helps you identify the mandatory values within the workflow.

Deploy Policy Group Workflow

You can access the workflow by choosing Workflows > Deploy Policy Group menu in Cisco SD-WAN Manager.

The Deploy Policy Group workflow enables you to associate devices with a previously created policy group and deploy the policy group to the selected devices. You can review device configurations to further add Site IDs and other variables that must be provided as part of a policy group before deploying the policy group.

After deploying a policy group, any subsequent changes to the policy group will cause the Cisco SD-WAN Controller to appear in the deployment preview, even if no changes are being deployed to the controller itself.

Additionally, any modifications to the Application Priority and SLA policy are automatically pushed to all Cisco IOS XE Catalyst SD-WAN devices associated with the policy group, as well as the Cisco SD-WAN Controllers, regardless of which devices are selected in the deployment workflow. This behavior differs from NGFW, DNS Security, and SIG policies, where changes are only deployed to the selected Cisco IOS XE Catalyst SD-WAN device.

Cisco SD-WAN Controller tasks

Starting with Cisco Catalyst SD-WAN Manager Release 26.1.1.1, deploying a policy group triggers a Cisco SD-WAN Controller task during the subsequent deployment in any of the following scenarios:

  • A device that was previously part of a classic centralized policy is newly associated with any policy group.

  • A device is removed from a policy group that had Application Priority and SLA policies deployed.

  • A device associated with the policy group is included in an existing Cisco SD-WAN Controller policy configuration, even if neither of the preceding conditions applies.

Starting with Cisco Catalyst SD-WAN Manager Release 26.1.1.1, only the Cisco SD-WAN Controller intent for the current policy groups, together with the intent for any policy group involved in a device migration, is included in the CLI generation.

Policy groups for multitenant environments

Starting with Cisco Catalyst SD-WAN Manager Release 26.1.1.1, in multitenant environments, Cisco SD-WAN Manager no longer provides a preview diff for centralized policies, topology groups, policy groups, or device templates. Instead, it displays the entire generated configuration as new, reflecting exactly what is applied to the device. This ensures consistency, since multitenant environments always deploy the full configuration during each deployment.

The preview diff for single tenant environments remains unchanged and continues to show configuration differences.

Add devices to a policy group using rules

Before you begin

From Cisco Catalyst SD-WAN Manager Release 26.1.1.1, you can add devices to a policy group using tags.

Ensure that you have added tags to devices. For more information about tagging, refer to the Device tagging section in the Cisco Catalyst SD-WAN Systems and Interfaces Configuration Guide.

Follow these steps to add devices to a policy group using rules:

Procedure


Step 1

From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups.

Step 2

Select a policy group from the available list.

Step 3

Click the + Add option adjacent to Associated in the Deployment area.

Step 4

Click Manage rule, and then choose Modify rules or Remove rules. In the Rules section, configure the following options:

  1. Rule name: Enter a unique name for the rule. After you create a rule, its name cannot be reused.

  2. Rule Conditions: Choose Match All or Match Any, and configure the conditions.

  3. Choose one of these operators:

    • Equals

    • Not equals

    • Contains

    • Not contains

    • Starts with

    • End with

    Note

    You cannot create a new rule if it conflicts with an existing rule.

Step 5

Click Apply.

Based on the rule, a list of devices that will be added to or removed from the policy group appears.

Step 6

Click Confirm to apply the changes.
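The rule evaluation described in the procedure above, as an added example (not Cisco SD-WAN Manager code): each device carries tag-name/tag-value pairs, a rule combines conditions with Match All or Match Any using the listed operators, and the result is the add/remove list shown before you click Confirm. The tag format, the treatment of a missing tag, and the device names and tags are assumptions.

```python
"""Evaluate device-tag rules of the kind used in the policy group workflow.

Added example, not Cisco SD-WAN Manager code. Tag format and rule structure are
assumptions: each device carries a dict of tag-name -> tag-value, each condition
names a tag, an operator and a value, and a rule combines its conditions with
"Match All" (every condition) or "Match Any" (at least one condition).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Operators listed in the procedure; "End with" is the page's label for ends-with.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not equals": lambda actual, wanted: actual != wanted,
    "Contains": lambda actual, wanted: wanted in actual,
    "Not contains": lambda actual, wanted: wanted not in actual,
    "Starts with": lambda actual, wanted: actual.startswith(wanted),
    "End with": lambda actual, wanted: actual.endswith(wanted),
}


@dataclass(frozen=True)
class Condition:
    tag: str
    operator: str
    value: str

    def matches(self, tags: Dict[str, str]) -> bool:
        # A device that lacks the tag satisfies only the negative operators,
        # because there is no value to equal or contain (assumption).
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        actual = tags.get(self.tag)
        if actual is None:
            return self.operator in ("Not equals", "Not contains")
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class Rule:
    name: str
    mode: str  # "Match All" or "Match Any"
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, tags: Dict[str, str]) -> bool:
        results = (c.matches(tags) for c in self.conditions)
        if self.mode == "Match All":
            return all(results)
        if self.mode == "Match Any":
            return any(results)
        raise ValueError(f"unknown rule mode: {self.mode}")


def plan_membership(rule: Rule, devices: Dict[str, Dict[str, str]],
                    current_members: Set[str]) -> Dict[str, List[str]]:
    """Return which devices the rule would add to or remove from the policy
    group, mirroring the confirmation list shown after clicking Apply."""
    matched = {name for name, tags in devices.items() if rule.matches(tags)}
    return {
        "add": sorted(matched - current_members),
        "remove": sorted(current_members - matched),
        "unchanged": sorted(matched & current_members),
    }


# Constructed sample inventory (device names and tag values are made up).
DEVICES = {
    "branch-nyc-01": {"site-type": "branch", "region": "us-east"},
    "branch-nyc-02": {"site-type": "branch", "region": "us-east"},
    "hub-lon-01": {"site-type": "hub", "region": "eu-west"},
    "lab-sfo-01": {"site-type": "branch-lab", "region": "us-west"},
}

US_BRANCHES = Rule("us-branches", "Match All", [
    Condition("site-type", "Equals", "branch"),
    Condition("region", "Starts with", "us-"),
])

if __name__ == "__main__":
    print(plan_membership(US_BRANCHES, DEVICES, {"branch-nyc-01", "hub-lon-01"}))
```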


Benefits of Policy Groups

  • Simplified user experience through an intuitive UI that allows you to quickly configure the basic policies that are required to get your Cisco Catalyst SD-WAN deployments up and running.

  • Option to edit policy groups based on the changing needs of your network and save the configuration. You can choose to deploy these changes only when needed - during maintenance windows or in off-production hours.

  • A Preview CLI option to preview the configuration differences for the relevant devices, such as Cisco IOS XE Catalyst SD-WAN devices and Cisco SD-WAN Controllers, in one location.

  • Workflows to deploy policy groups.

Information About Color Preference

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a and Cisco Catalyst SD-WAN Manager Release 20.15.1

The AAR policy enables you to use TLOC color preferences to determine how a device chooses a tunnel for routing traffic. You can configure a preferred local TLOC color and a preferred remote TLOC color, referring to the local and remote TLOCs associated with a tunnel. When multiple tunnels are available, the device prioritizes tunnels according to the color preferences. This flowchart shows the logic.

Figure 1. Color Preference Logic

For more information, see Application Priority and SLA.

For configuring remote preferred color policies using Configuration > Policies, see Configure Traffic Rules.

Restricting to a Color Preference

You can restrict the choice of a tunnel to include only tunnels that meet the configured color preferences. The options are Restrict to Remote Color and Restrict to Preferred Color Group. If no tunnels meet the criteria, the device drops the traffic. This flowchart shows the logic of choosing a tunnel when restricting to the color preferences.

Figure 2. Color Preference Logic, Restricting to Local or Remote Color

Supported Devices for Policy Groups

This feature is supported only on Cisco IOS XE Catalyst SD-WAN devices.

Prerequisites for Policy Groups

Before you begin configuring policy groups, ensure that the following requirements are met:

  • Minimum software version for Cisco IOS XE Catalyst SD-WAN devices: Cisco IOS XE Catalyst SD-WAN Release 17.8.1a

  • Minimum software version for Cisco SD-WAN Manager: Cisco Catalyst SD-WAN Manager Release 20.12.1

  • Ensure that these devices are deployed and managed using a configuration group. For more information about creating configuration groups, see Configuration Groups and Feature Profiles.

Configure RBAC for policy groups

Expand the granular role-based access control (RBAC) settings and grant the user group the specific permissions for policy groups. With those permissions, ensure that you can access policy groups from Configuration > Policy Groups.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users > User Groups.

  2. Click Add User Group.

  3. Enter User Group Name.

  4. Select the Read or Write check box against the Policy Group and Device feature that you want to assign to a user group.

  5. Click Add.

Configure RBAC for Application Priority Policy

Expand the granular RBAC settings and grant the user group the permissions for the application priority policy. With those permissions, ensure that you can access the application priority policy from Configuration > Policy Groups.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users > User Groups.

  2. Click Add User Group.

  3. Enter User Group Name.

  4. Select the Read or Write check box against the following features that you want to assign to a user group:

    • Feature Profile > Application Priority > Qos Policy

    • Feature Profile > Application Priority > Traffic Policy

    • Feature Profile > Policy Object > App List

    • Feature Profile > Policy Object > SLA Class

    • Feature Profile > Policy Object > TLOC

    • Feature Profile > Policy Object > App Probe

    • Feature Profile > Policy Object > Preferred Color Group

    • Feature Profile > Policy Object > Class

    • Feature Profile > Policy Object > Data Prefix

    • Feature Profile > Policy Object > Data Ipv6

    • Feature Profile > Policy Object > Policer

  5. Click Add.

Restrictions for Policy Groups

  • The Application Priority and SLA workflow does not support custom applications.

  • Devices must be managed by a configuration group before you can deploy policy groups to them.

  • The forwarding class in localized policy is not supported.

  • An error occurs when a duplicate parcel name (for example, Site27-VPN1) exists in another configuration group. Verify existing parcel names across all groups and modify the intended name to ensure exclusivity. Use descriptive naming conventions to prevent conflicts.

Policy validation for Cisco Catalyst SD-WAN

Policy validation in Cisco Catalyst SD-WAN is a process that

  • automatically checks if your policies are accurate,

  • ensures that policies comply with platform capabilities, and

  • confirms that policies align with your network requirements.

This process helps verify that all configurations operate within supported limits before deployment.

Key features of policy validation

Centralized policy checks: From Cisco IOS XE Catalyst SD-WAN Release 26.1.1, policy validation is centrally managed, enabling quicker error detection and ensuring configurations remain within supported limits.

Enhanced device alerts: Devices send detailed alerts to Cisco SD-WAN Manager for proactive monitoring.

Filters in a sequence: Each policy sequence supports up to 64 filters, giving you flexibility to define granular traffic matching criteria.

Entries in a list: You can create and modify lists with a combined total of up to 8192 entries including existing and new entries to ensure scalability for complex network requirements.

Key terms for policy validation

Application list: An application list is a collection of applications grouped together for policy matching, allowing you to apply policies to multiple applications at once.

Application family: An application family refers to a category of related applications such as Cisco Webex, Microsoft Teams, and Zoom. Application categories simplify policy management and enforcement.

Group of Interest - Policy

Group of interest provides a list of related policy objects that you can configure and call in the match or action components of a policy. Click Group of Interest to create new objects for the policy group as described in the following sections:

Application

  1. Click Application.

  2. Click Add Application.

  3. From the Application/Application family list drop-down, choose the required applications or application families.

  4. Click Save.

A few application lists are preconfigured. You cannot edit or delete these lists.

Microsoft_Apps: Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.

Google_Apps: Includes Google applications, such as Gmail, Google Maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.

App Probe Class

  1. Click Add App Probe Class.

  2. In the App Probe dialog box, specify the following:

    Probe Class Name: Enter a name for the probe class.

    Forwarding Class: Choose the forwarding class from the drop-down list.

    Color: Choose the color from the drop-down list.

    DSCP: Enter the DSCP value.

  3. To add more entries, click the + icon.

  4. Click Save.

Color

  1. Click Color.

  2. Click New Color List and specify the following:

    Color List Name: Enter a name for the list.

    Select Color: Choose one or more colors from the drop-down list.

  3. Click Add.

To configure multiple colors in a single list, you can choose multiple colors from the drop-down list.

Community List

A community list is used to create groups of communities to use in a match clause of a route map. A community list can be used to control which routes are accepted, preferred, distributed, or advertised. You can also use a community list to set, append, or modify the communities of a route.

  1. Click Community List.

  2. Click Add Community List and specify the following:

    Community List Name: Enter a name for the community list.

    Add Community: Enter one or more communities separated by commas. The options are:

    • aa:nn: Autonomous System (AS) number and network number. Each number is a 2-byte value with a range from 1 to 65535. For example, 65526.

    • internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices.

    • local-as: Routes in this community are not advertised outside the local AS number.

    • no-advertise: Attaches the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.

    • no-export: Attaches the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS or outside a BGP confederation boundary.

    To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.

  3. Click Save.

Data Prefix

  1. Click Data Prefix.

  2. Click Add Data Prefix.

  3. In the Data Prefix list dialog box, specify the following:

    Data Prefix List Name: Enter a name for the data prefix list.

    Add Data Prefix: Enter one or more data prefixes separated by commas. The prefix 0.0.0.0/0 is not supported.

  4. Click Save.

Data Prefix IPv6

  1. Click Data Prefix IPv6.

  2. Click Add Data Prefix IPv6.

  3. In the Data Prefix List dialog box, specify the following:

    Data Prefix List Name: Enter a name for the IPv6 data prefix list.

    Add Data Prefix: Enter one or more IPv6 data prefixes separated by commas. The prefix ::/0 is not supported.

  4. Click Save.

Expanded Community List

  1. Click Expanded Community List.

  2. Click Add Expanded Community List and specify the following:

    Community List Name: Enter a name for the community list.

    Add Community: Specify the details of the expanded community list, which filters communities using a regular expression.

Forwarding Class

  1. Click Add Forwarding Class and specify the following:

    Forwarding Class: Enter a name for the forwarding class.

    Queue: Choose a value for the queue from the drop-down list.

  2. Click Save.

Policer

  1. Click Policer.

  2. Click Add Policer and specify the following:

    Policer List Name: Enter a name for the policer list.

    Burst (bytes): Enter the maximum traffic burst size. The range is from 15,000 to 10,000,000 bytes.

    Exceed: Choose the action to take when the burst size or traffic rate is exceeded. The options are:

    • Drop: sets the packet loss priority (PLP) to low

    • Remark: sets the packet loss priority (PLP) to high

    Rate: Enter the maximum traffic rate, a value from 8 through 10^11 bits per second (bps).

  3. Click Save.

Preferred Color Group

  1. Click Add Preferred Color Group.

  2. In the Preferred Color Group Name field, enter a name for the preferred color group.

  3. Choose the color preference and path preference for the primary, secondary, and tertiary colors from the Color Preference and Path Preference drop-down lists.

    Preferred Color Group Name: Enter a name for the preferred color group.

    Color Preference: Choose the color preference from the drop-down list. You can choose multiple colors.

    Path Preference: Choose the path preference from the drop-down list. The options are:

    • Direct Path

    • Multi Hop Path

    • All Paths

  4. Click Save.

Prefix List

  1. Click Prefix List.

  2. Click Add Prefix List and specify the following:

    Prefix List Name: Enter a name for the IPv4 prefix list.

    Add Prefix: Enter one or more IPv4 prefixes separated by commas.

  3. Click Save.

Prefix List IPv6

  1. Click Prefix List IPv6.

  2. Click Add Prefix List and specify the following:

    Prefix List Name: Enter a name for the IPv6 prefix list.

    Add Prefix: Enter one or more IPv6 prefixes separated by commas.

  3. Click Save.

SLA Class

  1. Click SLA Class.

  2. Click Add SLA Class and specify the following:

    SLA Class List Name: Enter a name for the SLA class list.

    Loss (%): Enter the maximum packet loss on the connection, a value from 0 through 100.

    Latency: Enter the maximum packet latency on the connection, a value from 1 through 1,000 milliseconds.

    Jitter: Enter the maximum jitter on the connection, a value from 1 through 1,000 milliseconds.

    App Probe Class: Choose the app probe class from the drop-down list, or click Create New to create one.

    Fallback Best Tunnel: Choose this option to enable the best tunnel criteria.

  3. Click Save.

TLOC List

  1. Click TLOC List.

  2. Click Add TLOC List and specify the following:

    List Name: Enter a name for the TLOC list.

    TLOC IP: Specify the IP address for the TLOC.

    Color: Choose the color from the drop-down list.

    Encapsulation: Choose the value from the drop-down list. The options are:

    • IPSec

    • GRE

    Preference: Choose a preference to associate with the TLOC. The range is 0 to 4294967295.

  3. Click Save.

Add Policy Group

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > + Add Policy Group.

  2. Enter a Policy Group Name, choose a Solution from the drop-down list and provide a description (optional).

  3. Click Create.


    Note

    If you have already created a policy group, click the policy group in the list of available policy groups to edit it.


Table 2. Policy group parameters

Policy Group Name: Specify the name of the policy group. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.

Description: Provide a description for the policy group. It can contain up to 2048 characters including spaces.

Policy

Application Priority & SLA: Choose an application priority for the policy group from the drop-down list. Click Create New to create a new application priority.

Embedded Security: Choose an embedded security policy from the drop-down list. Click Create New to create a new embedded security policy by selecting a configuration group, creating firewall policies, and other configuration settings.

Secure Internet Gateway: Configure the Secure Internet Gateway (SIG) tunnels before you apply a data policy for redirecting application traffic to a SIG. Select a SIG policy from the drop-down list. Click Create New to create a new SIG policy.

DNS Security: Select a DNS Security policy from the drop-down list. Click Create New to create a new DNS Security policy.

  1. Click Save to save your configuration.

  2. Click the pencil icon to select or unselect devices to associate or dissociate with the policy group.


    Note

    Starting from Cisco Catalyst SD-WAN Manager Release 20.15.1, click +Add adjacent to the Associated field to select or unselect devices to associate or dissociate with the policy group. In the associate devices workflow, you can choose devices based on Regions and not just Sites.

  3. Click Deploy to select sites and deploy the policy group.

To delete a policy group, select the ellipsis icon (...) to the right of the policy group and click Delete.

Application Priority and SLA

The application priority and SLA policies allow you to configure the app route policy, data policy, and QoS Map policies that route and prioritize traffic for best performance. All the basic information is preconfigured. You can specify a name and description for a policy group and configure the basic policy values. You can quickly configure the basic values to get started with the traffic policy. Configuring this policy provides the following benefits:

  • Manage and customize bandwidth allocations.

  • Prioritize applications based on their relevance to your business.

Create an Application Priority and SLA Policy

Click + Application priority & SLA policy to create a policy and configure the values. To edit an existing policy, click the ellipsis icon (...) next to the application priority and SLA policy under Action and click Edit.

Choose one of the following options and configure the values that are based on the likely business relevance of the applications, and to give higher priority to business-relevant applications:

  • Gold (Business-relevant): Likely to be important for business operations, for example, WebEx software.

  • Silver (Default): No determination of relevance to business operations.

  • Bronze (Business-irrelevant): Unlikely to be important for business operations, for example, gaming software.

Within each of the business-relevance categories, the workflow groups the applications into application lists, such as broadcast video, multimedia conferencing, VoIP telephony, and so on.


Note

When you upgrade Cisco SD-WAN Manager, the built-in protocol pack is updated. This might affect existing policy groups that use the Application priority and SLA policy in the non-advanced layout, so you need to redeploy those policies after an upgrade. If the policy is in the advanced layout, the upgrade does not affect the policy group.

Troubleshooting Policy Group Validations

When you activate or deactivate a centralized policy or deploy a controller template, some controller-related policies that are associated with policy groups are deployed to prevent errors in the policy. You can avoid these validation errors using any one of the following workarounds:

  • Dissociate application priority and SLA policy from any of the policy groups that have devices associated.

  • Dissociate devices from any policy group that has application priority and SLA policy.

  • Fix the issues in the application priority and SLA policy. In this case, you need to associate the device with a configuration group that has the selected VPNs.

Table 3. Cisco Catalyst SD-WAN Fabric Traffic Policy

Preferred Path: To configure a preferred path, choose one or more colors of the data plane tunnel or tunnels from the drop-down list. Traffic is load-balanced across all the tunnels. If no tunnels match the SLA, data traffic is sent through any available tunnel. The preferences apply in order of priority to determine the path or color for forwarding traffic.

When SLA not met: Choose Strict/Drop to perform strict matching of the SLA class. If no data plane tunnel is available that satisfies the SLA criteria, traffic is dropped. Choose Fallback to best path to configure the best available tunnel to avoid a packet drop. This is the default.

Backup Path: Path for traffic to use if the primary path fails. To configure an alternate path for traffic flow, choose a path from the drop-down list.

Traffic Filtering: Click Edit to view and update app classification based on the business relevance. Choose a service provider class option, drag and drop the applications into different classes such as Gold or Bronze, and click Save to update the configuration.

SLA: Add the SLA class in the traffic policy. Click Edit to configure the SLA class by adjusting the values for Loss (%), Latency (ms), or Jitter (ms) for the traffic policy.

QoS Queues: Click Add QoS Policy to add a QoS queue. Click Edit to configure the QoS Queues. Choose one of the following values for the QoS queuing model:

  • 4 Queues

  • 5 Queues

  • 6 Queues

  • 8 Queues
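Tunnel selection combining the local/remote color preferences from the Color Preference section with the SLA class and the When SLA not met behaviour in Table 3, as an added example (not device or Cisco SD-WAN Manager code). Because the flowcharts in Figures 1 and 2 are not reproduced here, the order of evaluation, the "best path" tie-break, the ranking of unlisted colors, and the handling of Restrict to Remote Color (Restrict to Preferred Color Group is not modelled) are assumptions; the tunnel measurements are constructed.

```python
"""Tunnel selection for an AAR rule: SLA class check, local/remote color
preference, Restrict to Remote Color, and Strict/Drop versus Fallback to best
path. Added example; not Cisco device code. Evaluation order is an assumption."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class SlaClass:
    """Thresholds with the ranges given in the SLA Class table."""
    name: str
    loss_pct: float   # 0 through 100
    latency_ms: int   # 1 through 1,000
    jitter_ms: int    # 1 through 1,000

    def __post_init__(self) -> None:
        if not (0 <= self.loss_pct <= 100 and 1 <= self.latency_ms <= 1000
                and 1 <= self.jitter_ms <= 1000):
            raise ValueError(f"SLA class {self.name}: threshold out of range")

    def met_by(self, tunnel: "Tunnel") -> bool:
        return (tunnel.loss_pct <= self.loss_pct
                and tunnel.latency_ms <= self.latency_ms
                and tunnel.jitter_ms <= self.jitter_ms)


@dataclass(frozen=True)
class Tunnel:
    """A data-plane tunnel: its local and remote TLOC colors and measured quality."""
    name: str
    local_color: str
    remote_color: str
    loss_pct: float
    latency_ms: int
    jitter_ms: int


@dataclass(frozen=True)
class AarRule:
    sla: SlaClass
    preferred_local: Sequence[str] = ()     # primary, secondary, tertiary ...
    preferred_remote: Sequence[str] = ()
    restrict_to_remote_color: bool = False  # "Restrict to Remote Color"
    strict_drop: bool = False               # True = Strict/Drop; False = Fallback to best path


def _preference_rank(tunnel: Tunnel, rule: AarRule) -> Tuple[int, int]:
    """Lower is better: the position of each color in its ordered preference
    list, with unlisted colors ranked after every listed one (assumed ordering)."""
    def pos(color: str, prefs: Sequence[str]) -> int:
        return prefs.index(color) if color in prefs else len(prefs)
    return (pos(tunnel.local_color, rule.preferred_local),
            pos(tunnel.remote_color, rule.preferred_remote))


def _best_path(tunnels: List[Tunnel]) -> Tunnel:
    """'Best available tunnel' for fallback: lowest loss, then latency, then jitter (assumption)."""
    return min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms, t.jitter_ms))


def select_tunnels(rule: AarRule, tunnels: Sequence[Tunnel]) -> List[Tunnel]:
    """Return the tunnels traffic is load-balanced across; [] means the traffic is dropped."""
    candidates = list(tunnels)
    if rule.restrict_to_remote_color:
        candidates = [t for t in candidates if t.remote_color in rule.preferred_remote]
        if not candidates:
            return []                        # no tunnel meets the color restriction
    meeting_sla = [t for t in candidates if rule.sla.met_by(t)]
    if not meeting_sla:
        if rule.strict_drop:
            return []                        # Strict/Drop
        return [_best_path(candidates)]      # Fallback to best path (the default)
    best = min(_preference_rank(t, rule) for t in meeting_sla)
    return [t for t in meeting_sla if _preference_rank(t, rule) == best]


# Constructed sample data (the colors are TLOC color names; the measurements are made up).
VOICE = SlaClass("voice", loss_pct=2, latency_ms=100, jitter_ms=20)
TUNNELS = [
    Tunnel("mpls->mpls", "mpls", "mpls", 0.1, 40, 5),
    Tunnel("inet->inet", "biz-internet", "biz-internet", 0.5, 60, 10),
    Tunnel("lte->lte", "lte", "lte", 3.0, 150, 30),
]
PREFER_MPLS = AarRule(VOICE, preferred_local=("mpls",), preferred_remote=("mpls",))

if __name__ == "__main__":
    for t in select_tunnels(PREFER_MPLS, TUNNELS):
        print("selected:", t.name)
```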

Table 4. Internet Offload Traffic

Secure Internet Gateway: Choose an application or application family list to tunnel traffic through a Secure Internet Gateway. Enable Fallback to routing for traffic to undergo normal routing if the SIG tunnels are down. Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, you can choose a Cloud OnRamp for SaaS-capable application (Cloud OnRamp for SaaS applications with common user defined endpoints) from the Secure Internet Gateway drop-down list.

Direct Internet Access: Select an application or application family list to allow direct internet access. Enable Fallback to routing for traffic to undergo normal routing if Direct Internet Access (DIA) is not available. Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, you can choose a Cloud OnRamp for SaaS-capable application (Cloud OnRamp for SaaS applications with common user defined endpoints) from the Direct Internet Access drop-down list.

Table 5. Apply Policy

Target: Configure the following parameters:

  • Direction: Choose the direction for applying the policy:

    • All: Bidirectional traffic flow

    • Service: Incoming traffic from the service.

    • Tunnel: Incoming traffic from the tunnel.

  • VPN: Choose a target VPN from the drop-down list.

  • Interface: Specify a value or a variable for the Ethernet interface or DSL PPPoE interface type for applying the QoS policy.

Advanced Layout

The advanced view provides further options to configure the traffic policy along with rules, service level agreement (SLA) class, and QoS Map. Click the Advanced button in the top-right corner of the window to switch to the advanced view.


Note

If you make changes to the application priority and SLA policies and switch to the advanced layout, the changes are retained. You cannot switch back to the default view.


Based on the values you configure in the workflow, a policy profile and the relevant policy objects are created in the back-end when the workflow is completed. Similarly, you can configure traffic filtering and rules by creating the match and action conditions of a policy. You can also configure the app route policy SLA class and create customized QoS queues.

The VPNs that you intend to use in policy group must be present in service or transport profile of configuration group.

When you configure VPNs using configuration groups, the VPNs are identified by VPN name, whereas VPNs configured from a CLI template are identified by VPN ID. Hence, policy groups cannot read VPNs that are configured through the CLI.

Table 6. Add Traffic Policy

Policy Name: Specify a name for the traffic policy.

VPN: Choose a VPN from the drop-down list.

Direction: Choose the direction for applying the policy:

  • All: Bidirectional traffic flow

  • Service: Incoming traffic from service

  • Tunnel: Incoming traffic from tunnel

Table 7. Add Rules

Sequence: The sequence number of the rule.

Name: Specify a name for the rule.

Protocol: Choose a protocol from the drop-down list:

  • IPv4

  • IPv6

  • Both

Match: Choose a value for the match condition from the available options. For more information about match conditions, see the Match Condition table in the section Configure Traffic Rules in Centralized Policy.

Action: Choose a value for the action to take if the policy matches, from the available options. For more information about action values, see the Action Condition table in the section Configure Traffic Rules in Centralized Policy.

Base Action: Choose one of the following base actions for the packets based on the rules:

  • Accept

  • Drop

Policy sequence generation for match and action rules

The workflow generates data policy and app-route policy sequences based on the match and action conditions configured in a traffic rule. The following rules apply:

  • A data policy sequence is generated when the rule includes a data match condition, a data action, or both. If no match condition is configured but a data action is configured, the workflow also generates a data policy sequence.

  • An app-route policy sequence is generated when the rule includes an app-route match condition, an app-route action, or both. The workflow also generates an app-route policy sequence for a common-only sequence if a data policy sequence is not already generated for that sequence.

  • If the rule includes only the Cloud Monitoring action, the workflow drops the sequence. If the Cloud Monitoring action is configured with other actions, the workflow evaluates the sequence according to the data policy and app-route policy sequence generation rules.

  • If both the match and action conditions are empty, the workflow generates an empty data policy sequence.

  • For the Cloud OnRamp for SaaS excluded data prefix use case, if the rule includes an application list and either a destination data prefix list or destination IP address with the count action, the workflow also generates an app-route policy sequence.
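The five generation rules above interact (a Cloud Monitoring-only rule is dropped, a common-only rule falls through to an app-route sequence, the Cloud OnRamp for SaaS excluded-prefix case adds a sequence), so it helps to see them executed. The following model is an added example and is not Cisco code: it encodes the rules so you can predict which back-end sequences a traffic rule produces. The category of each condition follows the "(Applicable only to ...)" labels in the match and action tables; conditions the tables do not label are treated as common, and Destination Data Prefix and Destination IP are treated as data-policy conditions, which is an assumption consistent with the excluded-prefix rule.

```python
"""Model of the policy-group workflow's sequence-generation rules.

Added illustration, not Cisco code. Which match or action belongs to which
category follows the "(Applicable only to ...)" labels in the tables;
unlabelled conditions are treated as common, and the destination prefix /
destination IP matches are treated as data-policy conditions (assumption).
"""

DATA, APP_ROUTE, COMMON, CLOUD_MON = "data", "app-route", "common", "cloud-monitoring"

# Match conditions -> category (subset of the match table; extend as needed).
MATCH_CATEGORY = {
    "app-list": COMMON,
    "dscp": COMMON,
    "source-data-prefix": COMMON,
    "packet-length": DATA,                 # labelled data-policy only
    "tcp-flag": DATA,                      # labelled data-policy only
    "destination-data-prefix-list": DATA,  # assumption, see docstring
    "destination-ip": DATA,                # assumption, see docstring
    "cloud-saas-app-list": APP_ROUTE,      # labelled app-route only
}

# Action conditions -> category (subset of the action table; extend as needed).
ACTION_CATEGORY = {
    "count": COMMON,
    "log": COMMON,
    "cloud-monitoring": CLOUD_MON,
    "sla-class": APP_ROUTE,
    "cloud-sla": APP_ROUTE,
    "dscp": DATA,
    "cflowd": DATA,
    "next-hop": DATA,
    "redirect-dns": DATA,
    "sig": DATA,
}


def generated_sequences(matches, actions):
    """Return the set of sequence types the workflow generates for one rule.

    matches/actions: iterables of condition names from the tables above.
    The result is a subset of {"data", "app-route"}; an empty set means the
    workflow drops the sequence.
    """
    matches, actions = list(matches), list(actions)
    match_cats = {MATCH_CATEGORY[m] for m in matches}
    action_cats = {ACTION_CATEGORY[a] for a in actions}

    # Rule 3: Cloud Monitoring as the only action -> the sequence is dropped.
    # With other actions present, Cloud Monitoring is ignored and the rest
    # of the rule is evaluated normally.
    if action_cats == {CLOUD_MON}:
        return set()
    action_cats.discard(CLOUD_MON)

    # Rule 4: nothing configured at all -> an empty data policy sequence.
    if not match_cats and not action_cats:
        return {"data"}

    result = set()
    # Rule 1: any data-policy match or action -> data policy sequence.
    if DATA in match_cats or DATA in action_cats:
        result.add("data")
    # Rule 2: any app-route match or action -> app-route policy sequence.
    if APP_ROUTE in match_cats or APP_ROUTE in action_cats:
        result.add("app-route")
    # Rule 2, second sentence: a common-only rule becomes an app-route
    # sequence when no data policy sequence was generated for it.
    if not result:
        result.add("app-route")
    # Rule 5: Cloud OnRamp for SaaS excluded-prefix case -> app-route as well.
    if ("app-list" in matches
            and ("destination-data-prefix-list" in matches or "destination-ip" in matches)
            and "count" in actions):
        result.add("app-route")
    return result


if __name__ == "__main__":
    # The excluded-prefix case: a data sequence from the prefix match plus
    # the extra app-route sequence from rule 5.
    print(generated_sequences(["app-list", "destination-data-prefix-list"], ["count"]))
```

To check a rule you are about to build, pass its match and action names; an empty result tells you the workflow will silently drop that sequence, which is the case worth catching before deployment.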

Table 8. Match parameters - data policy and app-route policy

Match Condition

Description

Omit

Match all packets.

Cloud SaaS Application List (applicable only to app-route policy)

Cisco SD-WAN Manager provides a list of cloud applications for which Cisco Catalyst SD-WAN Cloud OnRamp for SaaS determines the best path for each SaaS application.

For more information on Cisco Catalyst SD-WAN Cloud OnRamp for SaaS, see the Cisco Catalyst SD-WAN Cloud OnRamp Configuration Guide, Cisco IOS XE Release 17.x.

Note

Cloud SaaS Application List appears as a match condition only when you specify IPv4 as the Protocol option.

Choose a SaaS application from the drop-down list.

Packet Length (applicable only to data policy)

Specifies the packet length. The range is 0 through 65535; specify a single length, a list of lengths (numbers separated by a space), or a range of lengths (two numbers separated by a hyphen [-]).

TCP Flag (applicable only to data policy)

Matches packets with the TCP syn flag set.

Applications/Application Family List

Applications or application families.

This match condition is available for IPv6 traffic from Cisco IOS XE Release 17.9.1a and Cisco vManage Release 20.9.1.

Destination Data Prefix

Group of destination prefixes, or an individual destination prefix, each given as an IP prefix and prefix length.

Destination Port

Specifies the destination port number. The range is 0 through 65535; specify a single port number, a list of port numbers (numbers separated by a space), or a range of port numbers (two numbers separated by a hyphen [-]).

Destination Region

Choose one of the following:

  • Primary: Match traffic if the destination device is in the same primary region (also called access region) as the source. This traffic reaches the destination using a multi-hop path, through the core region.

  • Secondary: Match traffic if the destination device is not in the same primary region as the source but is within the same secondary region as the source. This traffic can reach the destination using a direct tunnel, as described for secondary regions.

  • Other: Match traffic if the destination device is not in the same primary region or secondary region as the source. This traffic requires a multi-hop path from the source to the destination.

Note

Minimum releases: Cisco vManage Release 20.9.1, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a

DNS

Specifies the direction in which to process DNS packets. To process DNS requests sent by the applications (outbound DNS queries), specify dns request. To process DNS responses returned from DNS servers to the applications, specify dns response.

DNS Application List

Enables split DNS, which resolves and processes DNS requests and responses on an application-by-application basis. Specify the name of an application list (app-list); the list identifies the applications whose DNS requests are processed.

This match condition is available for IPv6 traffic from Cisco IOS XE Release 17.9.1a and Cisco vManage Release 20.9.1.

DSCP

Specifies the DSCP value.

ICMP Message

For Protocol IPv4, when you enter a Protocol value of 1, the ICMP Message field appears, where you can select an ICMP message to apply to the data policy. Likewise, for Protocol IPv6, the ICMP Message field appears when you enter a Protocol value of 58.

When you select Protocol as Both, the ICMP Message or ICMPv6 Message field appears.

Note

This field is available from Cisco IOS XE Release 17.4.1 and Cisco vManage Release 20.4.1.

Packet Loss Priority (PLP)

Specifies the packet loss priority. By default, packets have a PLP value of low. To set the PLP value to high, apply a policer that includes the exceed remark option.

Protocol

Specifies the IP protocol number. The range is 0 through 255.

Source Data Prefix

Specifies the group of source prefixes or an individual source prefix.

Source Port

Specifies the source port number. The range is 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Traffic To

In a Multi-Region Fabric architecture, match border router traffic flowing to the access region that the border router is serving, the core region, or a service VPN.

Note

Minimum release: Cisco vManage Release 20.8.1

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Table 9. Action conditions - data policy and app-route policy

Action Condition

Description
Accept

Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy.

Drop

Discards the packet. This is the default action. When you choose this option, only Counter and Log can be added as additional actions; all other actions are unavailable.

Counter

Counts the accepted or dropped packets. Specifies the name of a counter. To view the counter, use the show policy access-lists counters command on the Cisco IOS XE Catalyst SD-WAN device.

Log

Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1

Click Log to enable logging.

When data policy, AAR policy, or ACL sequences are configured with the log action, the logs that are generated are sent to syslog. Because of the global log-rate-limit, not every packet is logged: a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.

For information on policy log-rate-limit CLI, see policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide.

Cloud SLA (applicable only to app-route policy)

Cloud SLA enables traffic to use the best path selection with Cisco Catalyst SD-WAN Cloud OnRamp for SaaS.

Click Cloud SLA.

SLA Class List (applicable only to app-route policy)

Choose from the following options:

  1. SLA Class List

    Set the policy action for an SLA Class List match condition. For the SLA class, all matching data traffic is directed to a tunnel whose performance matches the SLA parameters defined in the class. The device first tries to send the traffic through a tunnel that matches the SLA. If a single tunnel matches the SLA, data traffic is sent through that tunnel. If two or more tunnels match, traffic is distributed among them. If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.

    Click SLA Class List.

    In the SLA Class drop-down list, choose one or more SLA classes.

  2. Preferred Color

    In the Preferred Color drop-down list, choose the color of the data plane tunnel or tunnels to prefer. Traffic is load-balanced across all the tunnels. If no tunnels match the SLA, data traffic is sent through any available tunnel. That is, color preference is a loose matching, not a strict matching.

  3. Preferred Color Group

    When the Preferred Color is not selected, you can choose the preferred color group from the Preferred Color Group drop-down list. Select the preferred color group of the data plane tunnel or tunnels to prefer. You can configure up to three levels of priority based on the color or path preference. This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco vManage Release 20.9.1.

  4. Restrict to Preferred Color

    This option is applicable only with Preferred Color Group. Check the Restrict to Preferred Color option to drop traffic if no tunnel in the preferred color group matches the SLA.

  5. When no tunnel matches the SLA, choose one of the following options:

    1. Strict/Drop

      Click Strict/Drop to perform strict matching of the SLA class. If no data plane tunnel is available that satisfies the SLA criteria, traffic is dropped.

    2. Fallback to best path

      Click Fallback to best path to select the best available tunnel to avoid a packet drop.

      You can select the Fallback to best path action only when the Fallback Best Tunnel option is enabled while defining a SLA class. If the Fallback Best Tunnel option is not enabled, then the following error message displays in Cisco SD-WAN Manager:

      SLA Class selected, does not have Fallback Best Tunnel enabled. 
      Please change the SLA class or change to Strict/Drop.
    3. Load balance

      Click Load Balance to load balance traffic across all the tunnels.

      You can now select the Backup SLA Preferred Color.

      Set the policy action for a Backup SLA Preferred Color match condition. When no tunnel matches the SLA, direct the data traffic to a specific tunnel. Data traffic is sent out the configured tunnel if that tunnel interface is available. If that tunnel interface is not available, traffic is sent out to another available tunnel. You can specify one or more colors. The backup SLA preferred color is a loose matching condition, not a strict matching condition.

  6. Remote Preferred Color

    Set a Remote Preferred Color in the AAR policy to control traffic routing based on the application list. You can add multiple remote preferred colors in the AAR policy.

    Use the Restrict to Remote Color option to restrict the tunnel to the preferred remote TLOCs. With this option, traffic is dropped when the SLA is not met over the preferred remote color.

Cflowd (applicable only to data policy)

Enables cflowd traffic monitoring.

DSCP (applicable only to data policy)

DSCP value. The range is 0 through 63.

Forwarding Class (applicable only to data policy)

Name of the forwarding class.

Local TLOC (applicable only to data policy)

Enables sending packets to one of the TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.

The encapsulation options are: ipsec and gre.

By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.

By default, encapsulation is ipsec.

NAT Pool or NAT VPN (applicable only to data policy)

Enables NAT functionality, so that traffic can be redirected directly to the internet or other external destination. You can configure up to 31 (1–31) NAT pools per router.

Next Hop (applicable only to data policy)

Sets the next hop IP address to which the packet should be forwarded.

Note

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1, the Use Default Route when Next Hop is not available field is available next to the Next Hop action parameter. This option is available only when the sequence type is Traffic Engineering or Custom, and the protocol is either IPv4 or IPv6, but not both.

Policer (applicable only to data policy)

Applies a policer. Specifies the name of policer configured with the policy policer command.

Redirect DNS (applicable only to data policy)

Redirects DNS requests to a particular DNS server or to Umbrella. Redirecting requests is optional, but if you do so, you must specify both actions: the one that handles the outbound request and the one that handles the inbound response.

For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN.

For an outbound policy, specify the IP address of the DNS server.

redirect-dns umbrella is supported only in Direct Internet Access (DIA) use cases. It is not supported in SIG/SSE or overlay scenarios. When using redirect-dns umbrella, you do not need to explicitly configure nat use-vpn 0.

Note

When you upgrade to a release later than Cisco IOS XE Catalyst SD-WAN Release 17.7.1a, you must configure redirect DNS through nat use-vpn 0 to redirect DNS to Direct Internet Access (DIA).

Note

You can combine redirect-dns with local TLOC preferences as actions in the same sequence, but not with remote TLOC.

Note

You cannot configure Redirect DNS and SIG at the same time.

Beginning with Cisco IOS XE Catalyst SD-WAN Release 26.1.1, NAT DIA fallback and redirect-dns IP actions are supported together in a data policy.

Remote Preferred Color (applicable only to app-route policy)

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.15.1a and Cisco Catalyst SD-WAN Manager Release 20.15.1

You can set a preferred remote color in the AAR policy to control traffic routing based on the application list.

Use the Restrict to Remote Color option to drop traffic if the selected remote color does not meet the SLA.

Secure Internet Gateway (applicable only to data policy)

Redirect application traffic to a SIG.

Note

Before you apply a data policy that redirects application traffic to a SIG, you must have configured the SIG tunnels.

For more information on configuring Automatic SIG tunnels, see Automatic Tunnels . For more information on configuring Manual SIG tunnels, see Manual Tunnels.

Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all SIG tunnels are down. This option is introduced in Cisco IOS XE Catalyst SD-WAN Release 17.8.1a and Cisco vManage Release 20.8.1.

Secure Service Edge (applicable only to data policy)

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a and Cisco Catalyst SD-WAN Manager Release 20.13.1

Redirect application traffic to a Secure Service Edge instance.

For more information on configuring Automatic tunnels on Cisco Secure Access, see Automatic Tunnels .

Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all Secure Service Edge tunnels are down.

Service (applicable only to data policy)

Specifies a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic is redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Standard services: FW, IDS, IDP

Custom services: netsvc1, netsvc2, netsvc3, netsvc4

TLOC list is configured with a policy lists tloc-list list.

Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the vpn service command.

TLOC (applicable only to data policy)

Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.

VPN (applicable only to data policy)

Sets the VPN that the packet belongs to. Range: 1 to 65525, excluding 512. For details, see the VRF range behavior change note.

To rearrange match–action pairs in the route policy, drag them to the desired position and click Save Match and Actions.

Table 10. SLA Class Components

Parameter

Description

jitter milliseconds

The maximum jitter on the connection

Range: 1–1000 milliseconds

latency milliseconds

The maximum packet latency on the connection

Range: 1–1000 milliseconds

loss percentage

The maximum packet loss on the connection

Range: 1–100 percent

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.14.1a, the SLA class loss, latency, and jitter values are as follows:

  • Default values: Loss 5%, latency 500 ms, jitter 500 ms

  • Business relevant values: Loss 2%, latency 300 ms, jitter 60 ms

  • Business irrelevant values: Loss 10%, latency 600 ms, jitter 600 ms

  • Bulk data values: Loss 5%, latency 500 ms, jitter 500 ms

For more information about SLA class and its components, see SLA Classes in Application-Aware Routing.
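The SLA Class List action in Table 9 and the thresholds in Table 10 together decide which data plane tunnels carry a flow: compliant tunnels are used (and load-balanced when there are several), Preferred Color is loose, Restrict to Preferred Color is strict, and Strict/Drop, Fallback to best path and Load-balance govern what happens when nothing meets the class. The following model is an added example and not Cisco code or output: it applies those rules to constructed tunnel measurements using the Business relevant defaults above. One assumption is labelled in the code: the page does not define how the "best path" is ranked during fallback, so the model ranks by loss, then latency, then jitter.

```python
"""Tunnel selection under an SLA class: added illustration, not Cisco code.

Implements the SLA Class List behaviour described in the action table and
uses the SLA thresholds from the SLA class components table. Tunnel
measurements below are constructed sample values. Assumption: when falling
back to the best path, tunnels are ranked by loss, then latency, then jitter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss: float                          # maximum packet loss, percent (1-100)
    latency: int                         # maximum latency, milliseconds (1-1000)
    jitter: int                          # maximum jitter, milliseconds (1-1000)
    fallback_best_tunnel: bool = False   # the "Fallback Best Tunnel" option


@dataclass(frozen=True)
class Tunnel:
    color: str
    loss: float                          # measured loss, percent
    latency: int                         # measured latency, ms
    jitter: int                          # measured jitter, ms
    up: bool = True


# Business relevant defaults listed for Release 17.14.1a and later.
BUSINESS_RELEVANT = SlaClass("Business_Relevant", loss=2, latency=300, jitter=60,
                             fallback_best_tunnel=True)


def meets_sla(tunnel, sla):
    """A tunnel satisfies the class only if all three thresholds hold."""
    return (tunnel.up and tunnel.loss <= sla.loss
            and tunnel.latency <= sla.latency and tunnel.jitter <= sla.jitter)


def select_tunnels(tunnels, sla, preferred_colors=(), restrict_to_preferred=False,
                   no_sla_match="load-balance", backup_colors=()):
    """Return the tunnels traffic is spread over; an empty list means drop.

    no_sla_match is one of "strict-drop", "fallback-best-path", "load-balance".
    """
    available = [t for t in tunnels if t.up]
    compliant = [t for t in available if meets_sla(t, sla)]

    if restrict_to_preferred:
        # Restrict to Preferred Color: only SLA-compliant tunnels of the
        # preferred colors are eligible; none -> drop.
        return [t for t in compliant if t.color in preferred_colors]

    if compliant:
        # Preferred color is loose: use it when it meets the SLA, otherwise
        # load-balance across every compliant tunnel.
        preferred = [t for t in compliant if t.color in preferred_colors]
        return preferred or compliant

    # No tunnel meets the SLA: apply the configured no-SLA-match behaviour.
    if no_sla_match == "strict-drop":
        return []
    if no_sla_match == "fallback-best-path":
        if not sla.fallback_best_tunnel:
            # Mirrors the Manager error for a class without Fallback Best Tunnel.
            raise ValueError(f"SLA class {sla.name} does not have Fallback Best Tunnel enabled")
        # Assumed ranking for "best available tunnel": loss, then latency, then jitter.
        best = min(available, key=lambda t: (t.loss, t.latency, t.jitter), default=None)
        return [best] if best is not None else []
    if no_sla_match == "load-balance":
        # Backup SLA preferred color is loose: use it if available, else any tunnel.
        backup = [t for t in available if t.color in backup_colors]
        return backup or available
    raise ValueError(f"unknown no-SLA-match option: {no_sla_match}")


# Constructed sample measurements (not taken from a real device).
HEALTHY = (Tunnel("mpls", 0.5, 40, 5), Tunnel("biz-internet", 1.0, 80, 10),
           Tunnel("lte", 3.0, 120, 30))            # lte fails the 2% loss bound
DEGRADED = (Tunnel("mpls", 0.5, 400, 5), Tunnel("biz-internet", 1.0, 350, 90),
            Tunnel("lte", 3.0, 120, 30))           # nothing meets the class


def chosen_colors(**kwargs):
    """Convenience wrapper returning just the colors that were selected."""
    return [t.color for t in select_tunnels(**kwargs)]


if __name__ == "__main__":
    print(chosen_colors(tunnels=HEALTHY, sla=BUSINESS_RELEVANT, preferred_colors=("lte",)))
    print(chosen_colors(tunnels=DEGRADED, sla=BUSINESS_RELEVANT, no_sla_match="fallback-best-path"))
```

The two cases worth noting are the loose preferred color (asking for lte, which fails the class, silently falls back to the compliant tunnels rather than dropping) and the degraded set, where the three no-SLA-match options give three different results from the same measurements.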

Table 11. QoS Queue

Field

Description

Queuing Model

Choose a value from the drop-down list for the queuing model.

Policy Name

Provide a name for the policy.

Interface

Specify a value for the interface.

Forwarding class

Choose a value for the forwarding class from the drop-down list.

Bandwidth %

Specify the maximum bandwidth. The range is 1–99.

Drops

Choose a value for the drop type from the following options:

  • Random Early

  • Tail

Scheduling type

Specify how to prioritize data packets for transmission to the destination by configuring the schedule type. The default is Weighted Round Robin (WRR).

For more information about QoS, see the section Cisco Catalyst SD-WAN Forwarding and QoS Overview in Forwarding and QoS.

Monitor traffic flow

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, Cisco Catalyst SD-WAN Manager Release 20.13.1.

Click the Additional Settings tab to configure collectors that monitor traffic flow on incoming packets in the LAN, providing application and flow visibility over IPv4, IPv6, or both.

Before you begin, ensure that you have configured Cflowd collector details in the Cisco SD-WAN Manager menu from Configuration > Network Hierarchy > Collectors > Cflowd.


Note


The Cflowd configuration applies to the global level and not the site level.

The additional settings that you configure are applied to the Cisco SD-WAN Controllers while deploying the application priority and SLA policy. For more information about configuring Cflowd, see the section Configure Cflowd in Configure Collectors in a Network Hierarchy.


Enable traffic flow monitoring

To enable traffic flow monitoring while configuring an application priority & SLA policy, click the Additional Settings tab in the top-right corner and configure the following values:

Table 12. Additional Settings

Field

Description

Application Visibility

Monitor all the applications running in all VPNs over IPv4, IPv6, or both networks in the LAN.

Flow Visibility

Monitor traffic flow over IPv4, IPv6, or both network addresses in the LAN.