Action Parameters - Data Policy
Feature Name | Release Information | Description
---|---|---
Path Preference Support for Cisco IOS XE Catalyst SD-WAN Devices | Cisco IOS XE Catalyst SD-WAN Release 17.2.1r | This feature extends support for selecting one or more local transport locators (TLOCs) for a policy action to Cisco IOS XE Catalyst SD-WAN devices.
Traffic Redirection to SIG Using Data Policy | Cisco IOS XE Release 17.4.1, Cisco vManage Release 20.4.1 | You can create a data policy in which you selectively define an application list, along with the other existing match criteria in the data policy, to redirect the application traffic to a Secure Internet Gateway (SIG).
Next Hop Action Enhancement in Data Policies | Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1 | This feature enhances the match action conditions in a centralized data policy for parity with the features configured on Cisco IOS XE Catalyst SD-WAN devices. When you set up the next-hop-loose action, this feature redirects application traffic to an available route when the next-hop address is not available.
Traffic Redirection to SIG Using Data Policy: Fallback to Routing | Cisco IOS XE Catalyst SD-WAN Release 17.8.1a, Cisco vManage Release 20.8.1 | With this feature, you can configure internet-bound traffic to be routed through the Cisco Catalyst SD-WAN overlay as a fallback mechanism when all SIG tunnels are down.
Log Action for both Localized and Centralized Data Policies | Cisco IOS XE Catalyst SD-WAN Release 17.11.1a, Cisco vManage Release 20.11.1 | This feature enables you to set a log action parameter for data policy, application route policy, and localized policy while configuring data policies on Cisco IOS XE Catalyst SD-WAN devices. The log parameter causes matching packets to be logged and to generate syslog messages. Logs are exported to an external syslog server every five minutes while a flow is active. You can control the rate of policy logs with the policy log-rate-limit command.
When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped. Then, you can associate parameters with accepted packets.
In the CLI, you configure the action parameters with the policy data-policy vpn-list sequence action command.
Each sequence in a centralized data policy can contain one action condition.
In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:
Action Condition | Description
---|---
Accept | Accepts the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.
Cflowd | Enables cflowd traffic monitoring.
Counter | Counts the accepted or dropped packets. Specifies the name of a counter. To view the counters, use the show policy access-lists counters command on the Cisco IOS XE Catalyst SD-WAN device.
Drop | Discards the packet. This is the default action.
Log | Minimum release: Cisco IOS XE Catalyst SD-WAN Release 17.11.1a and Cisco vManage Release 20.11.1. Click Log to enable logging. When data policy (DP), application-aware routing (AAR), or ACL sequences are configured with the log action, the matching packets are logged to syslog. Because of the global log-rate-limit, not every packet is logged: a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active. For information on the policy log-rate-limit CLI, see the policy log-rate-limit command in the Cisco Catalyst SD-WAN Qualified Command Reference Guide.
Redirect DNS | Redirects DNS requests to a particular DNS server. Redirecting requests is optional, but if you do so, you must specify both actions. For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server.
TCP Optimization | Fine-tunes TCP to decrease round-trip latency and improve throughput for matching TCP traffic.
Secure Internet Gateway | Redirects application traffic to a SIG. Check the Fallback to Routing check box to route internet-bound traffic through the Cisco SD-WAN overlay when all SIG tunnels are down. This option is introduced in Cisco IOS XE Catalyst SD-WAN Release 17.8.1a and Cisco vManage Release 20.8.1.

Note: On Cisco IOS XE Catalyst SD-WAN devices, all ongoing optimized flows are dropped when TCP Optimization is removed.
Then, for a packet that is accepted, the following parameters can be configured:
Action Condition | Description
---|---
Cflowd | Enables cflowd traffic monitoring.
NAT Pool or NAT VPN | Enables NAT functionality, so that traffic can be redirected directly to the internet or another external destination.
DSCP | DSCP value. The range is 0 through 63.
Forwarding Class | Name of the forwarding class.
Local TLOC | Sends packets to one of the local TLOCs that matches the color and encapsulation. The available colors are: 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. The encapsulation options are ipsec and gre; the default is ipsec. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop the traffic instead when the TLOC is unavailable, include the restrict option.
Next Hop | Sets the next-hop IP address to which the packet should be forwarded.
Policer | Applies a policer. Specifies the name of a policer configured with the policy policer command.
Service | Specifies a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic is redirected to reach the service; with multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is the VPN in which the service is located. Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. A TLOC list is configured with a policy lists tloc-list list. Configure the services themselves on the Cisco IOS XE Catalyst SD-WAN devices that are collocated with the service devices, using the vpn service command.
TLOC | Directs traffic to a remote TLOC that matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.
VPN | Click Accept, then choose the VPN action. Sets the VPN that the packet is part of. The range is 0 through 65530.

Note: Data policies also apply to locally generated packets, including routing protocol packets, when the match conditions are generic. Example configuration:
In such situations, it may be necessary to add a sequence to the data policy to escape the routing protocol packets. For example, to skip OSPF, use the following configuration:
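The configurations the note refers to are not reproduced on this page. The following centralized data policy, in vSmart CLI form, is an added illustration and not Cisco's own example: sequence 1 accepts OSPF (IP protocol 89) ahead of the application sequence so that the default drop cannot black-hole routing adjacencies, and sequence 10 shows the accept-side parameters from the tables above (counter, log, DSCP, local TLOC with restrict). The list names, counter name, site IDs, and application are placeholders, and keyword placement should be verified against the Qualified Command Reference for your release.

```text
policy
 lists
  vpn-list BRANCH_VPNS
   vpn 1
  !
  site-list BRANCH_SITES
   site-id 100-199
  !
  app-list VOICE_APPS
   app rtp
  !
 !
 data-policy DP_ACTION_EXAMPLE
  vpn-list BRANCH_VPNS
   ! Sequence 1 escapes routing-protocol packets: data policies also match
   ! locally generated traffic, so OSPF (IP protocol 89) would otherwise
   ! fall through to the default drop and adjacencies would fail.
   sequence 1
    match
     protocol 89
    !
    action accept
    !
   !
   ! Sequence 10 applies accept-side parameters: counter, syslog logging
   ! (rate-limited on the edge by policy log-rate-limit), DSCP marking, and
   ! a local TLOC; restrict drops traffic instead of using another TLOC.
   sequence 10
    match
     app-list VOICE_APPS
    !
    action accept
     count VOICE_CNT
     log
     set
      dscp 46
      local-tloc color mpls encap ipsec restrict
     !
    !
   !
   default-action drop
  !
 !
!
apply-policy
 site-list BRANCH_SITES
  data-policy DP_ACTION_EXAMPLE from-service
 !
!
```

The policy is applied in the from-service direction, which is the only direction in which the next-hop action is valid according to the IPv4 actions table below.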
The following table describes the IPv4 and IPv6 actions.
IPv4 Actions | IPv6 Actions
---|---
drop, dscp, next-hop (from-service only)/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only) | N/A
App-route preferred color, app-route sla strict, cflowd, nat, redirect-dns | N/A
N/A | drop, dscp, next-hop/vpn, count, forwarding class, policer (only in interface ACL), App-route SLA (only), App-route preferred color, app-route sla strict
policer (DataPolicy), tcp-optimization, fec-always | policer (DataPolicy)
tloc, tloc-list (set tloc, set tloc-list) | tloc, tloc-list (set tloc, set tloc-list)
App-Route backup-preferred color, local-tloc, local-tloc-list | App-Route backup-preferred color, local-tloc, local-tloc-list