Cisco SD-WAN Policy - Centralized Policy - IP With Ease


Cisco SD-WAN Policy: Centralized Policy

Rashmi Bhardwaj | Blog, Programming & Software, Routing & Switching

Cisco SD-WAN Policies


Policies are a core part of the Cisco SD-WAN solution and are used to manipulate packet flow
across the overlay fabric. Policies are built on the vManage controller with the policy wizard GUI
and pushed over NETCONF either to the vSmart controllers (centralized policies) or directly to the
vEdge devices (localized policies). Centralized policies let us steer traffic for the whole overlay
fabric from one place, replacing the manual, device-by-device method of pushing configuration and
reducing the human error that comes with it.

In the traditional method, configuration is applied on a device-by-device basis through the CLI.
Cisco SD-WAN overcomes this with a centralized management plane that renders one policy into
configuration for every affected device, so a change is made once and applied consistently.


Types of Cisco SD-WAN Policies


Network administrators use several different types of policies in order to meet their business
objectives. Policies can be classified as either centralized policies or localized policies. As we have
already discussed localized policy in detail in our last article, in this article we will focus only on the
Centralized policy.
Centralized Policy
Centralized policies can be further classified as:

control policies (called topology policies in the vManage GUI)


data policies (called traffic policies in the vManage GUI)

Control policies are used to manipulate the structure of the Cisco SD-WAN fabric by altering the
control plane information exchanged by the Overlay Management Protocol (OMP).

Data policies are used to manipulate the data plane directly by altering the forwarding of traffic
through the Cisco SD-WAN fabric. The following flow chart visualizes the Cisco SD-WAN policy’s
structure.

Centralized Policies That Affect the Control Plane


Control policies and VPN membership policies are used to manipulate the propagation of routing
information in the control plane, including manipulating or filtering OMP routes and Transport
Locator (TLOC) routes.

Control Policies: Control policies are used for applications such as preferring one site over
another for a specific destination (or default routing) and limiting which sites can build tunnels
directly across the fabric.
VPN Membership Policies: VPN membership policies are used to limit the distribution of
routing information about particular VPNs to specific sites. One common use case for VPN
membership policies is for guest segments where Internet access is permitted but site-to-site
communication is denied.

Centralized Policies That Affect the Data Plane


While control policies and VPN membership policies are used to manipulate the control plane,
centralized data policies and Application-Aware Routing policies directly affect the forwarding of
traffic in the data plane.

Centralized Data Policies: Centralized data policies are a flexible and powerful form of policy-
based routing and are commonly used to accomplish Direct Internet Access (DIA) for specific
applications, network service insertion, and data plane manipulations such as packet
duplication and Forward Error Correction (FEC).
Application-Aware Routing Policies: Application-Aware Routing policies are used to ensure
that a particular class of traffic is always transported across a WAN link that meets a minimum
service level agreement (SLA).
Cflowd Policies: Cflowd policies are a special type of centralized data policy that specifies the
destination where flow records should be exported so that flow information is available on
external systems for analysis.
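A centralized data policy and an Application-Aware Routing policy, in vSmart CLI syntax, added here as a worked example of the two data-plane policy types just described. This is not configuration from the original article; the site IDs, VPN numbers, the 203.0.113.0/24 SaaS prefix, the SLA thresholds and all list and policy names are assumptions chosen for illustration.

```text
policy
 ! SLA class the voice class must be carried within (thresholds are assumed values)
 sla-class VOICE-SLA
  loss    1
  latency 150
  jitter  30
 !
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list CORP
   vpn 1
  !
  ! Destination prefix that should break out locally (DIA) instead of crossing the fabric
  data-prefix-list SAAS-PREFIXES
   ip-prefix 203.0.113.0/24
  !
 !
 ! Centralized data policy: policy-based routing evaluated in the data plane of each vEdge
 data-policy DIA-SAAS
  vpn-list CORP
   sequence 10
    match
     destination-data-prefix-list SAAS-PREFIXES
    !
    ! Send the flow out of the local VPN 0 transport through NAT (Direct Internet Access)
    action accept
     nat use-vpn 0
    !
   !
   ! Everything else keeps the OMP-learned path through the fabric
   default-action accept
  !
 !
 ! Application-Aware Routing: keep EF-marked traffic on a tunnel that meets VOICE-SLA
 app-route-policy VOICE-AAR
  vpn-list CORP
   sequence 10
    match
     dscp 46
    !
    action
     sla-class VOICE-SLA preferred-color mpls
    !
   !
  !
 !
 apply-policy
  site-list BRANCHES
   ! from-service: evaluate traffic as it enters the vEdge from the LAN side
   data-policy DIA-SAAS from-service
   app-route-policy VOICE-AAR
  !
 !
!
```

Two points worth checking before pushing something like this. The data policy keeps default-action accept, so only the listed SaaS prefixes are steered out of VPN 0 and nothing else is silently dropped. The app-route policy does not drop traffic either: if no tunnel currently meets VOICE-SLA, the flow is forwarded over the available tunnels anyway; adding the strict keyword to the sla-class action changes that to dropping the traffic, which is rarely what you want for voice.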

When no Centralized Control Policy is applied:


By default, no centralized control policy is configured on the Viptela control plane (the vSmart controllers).

Every vEdge sends its OMP routes, TLOC routes and service routes to the vSmart controller, unmodified,
over the DTLS control connection it has established with vSmart.
vSmart accepts all routing information it receives from the vEdges and builds a topology map of the
entire network from it, tracking which VPN each route belongs to.
Whenever something changes, the vEdge sends a routing update to vSmart and vSmart updates its
route table accordingly.
Because nothing is filtered, vSmart reflects every route and every TLOC to every site, which is why
the fabric forms a full mesh by default.

When a Centralized Control Policy is applied:


When the routing information held by the controllers and advertised to the vEdges needs to be
manipulated, we provision a centralized control policy. Once a control policy is applied, the
behaviour changes as follows:

Applied in the inbound direction (routes arriving at vSmart from the vEdges): each route is
evaluated against the policy as it is received, and only what the policy accepts, with any
modifications it sets, is installed in the vSmart route table. Because this changes what vSmart
itself knows, it affects what every site is subsequently told.
Applied in the outbound direction (routes leaving vSmart toward the vEdges): vSmart installs
everything it receives, but filters and modifies routes and TLOCs before advertising them to the
sites the policy is applied to, so different site-lists can be given different views of the fabric.

A control policy ends with a default-action. If it is reject, anything not explicitly accepted by a
sequence is dropped, including the TLOCs a site needs in order to build its tunnels, so a policy
must accept every TLOC and route that is meant to survive.
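The control-plane policy types described earlier (control policies and VPN membership policies) and the inbound versus outbound application just explained, brought together in one worked example in vSmart CLI syntax: a hub-and-spoke control policy applied outbound toward the branches, an inbound control policy that stops a branch from injecting a default route, and a VPN membership policy that isolates a guest VPN. This is added here and is not configuration from the original article; the site IDs, the hub TLOC address 10.0.0.1, the VPN numbers and all list and policy names are assumptions.

```text
policy
 lists
  site-list HUB
   site-id 10
  !
  site-list BRANCHES
   site-id 100-199
  !
  ! Hub TLOCs branches are allowed to use; preference makes MPLS win over Internet
  tloc-list HUB-TLOCS
   tloc 10.0.0.1 color mpls encap ipsec preference 200
   tloc 10.0.0.1 color biz-internet encap ipsec preference 100
  !
  vpn-list CORP
   vpn 1
  !
  vpn-list GUEST
   vpn 3
  !
  prefix-list DEFAULT-ROUTE
   ip-prefix 0.0.0.0/0
  !
 !
 ! Outbound control policy: shapes what each branch is told about the fabric
 control-policy HUB-AND-SPOKE
  ! Branches only learn the hub's TLOCs, so tunnels are built to the hub only
  sequence 10
   match tloc
    site-list HUB
   !
   action accept
   !
  !
  ! Routes originated by the hub are passed through unchanged
  sequence 20
   match route
    site-list HUB
   !
   action accept
   !
  !
  ! Branch routes are still advertised, but with their TLOC rewritten to the hub,
  ! so branch-to-branch traffic is forced through the hub
  sequence 30
   match route
    site-list BRANCHES
    vpn-list CORP
   !
   action accept
    set
     tloc-list HUB-TLOCS
    !
   !
  !
  ! Anything not accepted above (branch TLOCs, routes in other VPNs) is not advertised
  default-action reject
 !
 ! Inbound control policy: drop a default route from a branch before vSmart installs it
 control-policy NO-BRANCH-DEFAULT
  sequence 10
   match route
    prefix-list DEFAULT-ROUTE
   !
   action reject
   !
  !
  default-action accept
 !
 ! VPN membership: guest VPN routes from branches are never accepted by vSmart,
 ! so guest traffic can still leave through local DIA but cannot reach other sites
 vpn-membership GUEST-ISOLATION
  sequence 10
   match
    site-list BRANCHES
    vpn-list GUEST
   !
   action reject
   !
  !
  default-action accept
 !
 apply-policy
  site-list BRANCHES
   control-policy HUB-AND-SPOKE out
   control-policy NO-BRANCH-DEFAULT in
   vpn-membership GUEST-ISOLATION
  !
 !
!
```

The two directions do different jobs here. NO-BRANCH-DEFAULT is applied in, so a 0.0.0.0/0 route advertised by any site in 100-199 is rejected as vSmart receives it and never enters the vSmart route table; the hub and every other site are protected without being listed in the policy. HUB-AND-SPOKE is applied out, so the vSmart table stays complete and only the branches' view changes; the hub, which is not in the site-list, still learns every branch TLOC and route and can therefore forward branch-to-branch traffic. Because HUB-AND-SPOKE ends in default-action reject, sequence 10 accepting the hub TLOCs is what keeps branches able to build tunnels at all; remove it and every branch loses its data plane.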
