Cisco SD-WAN Policies
Policies are a core part of the Cisco SD-WAN solution and are used to manipulate packet flow across the overlay fabric. Policies are designed on the vManage controller using the policy wizard GUI and pushed via NETCONF either to the vSmart controllers (centralized policies) or directly to the vEdge devices (localized policies). Centralized policies let us manipulate traffic across the whole overlay fabric from one place, eliminating the manual method of pushing configuration device by device and the human errors that come with it.
In the traditional method, configuration is typically applied on a device-by-device basis through the CLI. Cisco SD-WAN is designed to overcome this with a centralized management plane that pushes configuration to all devices, removing the manual per-device step where human errors creep in.
Types of Cisco SD-WAN Policies
Network administrators use several different types of policies to meet their business objectives. Policies can be classified as either centralized policies or localized policies. Since we already discussed localized policies in detail in our last article, this article focuses only on centralized policies.
Centralized policies can be further classified as:
- control policies (called topology policies in the vManage GUI)
- data policies (called traffic policies in the vManage GUI)
Control policies are used to manipulate the structure of the Cisco SD-WAN fabric by altering the control plane information exchanged by the Overlay Management Protocol (OMP).
Data policies are used to manipulate the data plane directly by altering the forwarding of traffic through the Cisco SD-WAN fabric. The following flow chart visualizes the Cisco SD-WAN policy’s structure.
Centralized Policies That Affect the Control Plane
Control policies and VPN membership policies are used to manipulate the propagation of routing information in the control plane, including manipulating or filtering OMP routes and Transport Locator (TLOC) routes.
- Control Policies: Control policies are used for applications such as preferring one site over another for a specific destination (or default routing) and limiting which sites can build tunnels directly across the fabric.
- VPN Membership Policies: VPN membership policies are used to limit the distribution of routing information about particular VPNs to specific sites. One common use case for VPN membership policies is for guest segments where Internet access is permitted but site-to-site communication is denied.
Centralized Policies That Affect the Data Plane
While control policies and VPN membership policies are used to manipulate the control plane, centralized data policies and Application-Aware Routing policies directly affect the forwarding of traffic in the data plane.
- Centralized Data Policies: Centralized data policies are a flexible and powerful form of policy-based routing and are commonly used to accomplish Direct Internet Access (DIA) for specific applications, network service insertion, and data plane manipulations such as packet duplication and Forward Error Correction (FEC).
- Application-Aware Routing Policies: Application-Aware Routing policies are used to ensure that a particular class of traffic is always transported across a WAN link that meets a minimum service level agreement (SLA).
- Cflowd Policies: Cflowd policies are a special type of centralized data policy that specifies the destination where flow records should be exported so that flow information is available on external systems for analysis.
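Application-Aware Routing, reduced to the tunnel-selection check it performs, as an added example written for this article (not Cisco's code): the SLA classes, TLOC colours and per-tunnel loss/latency/jitter figures are constructed sample values, and the rule that a flow falls back to ordinary routing when no tunnel meets its SLA is the simplified model used here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SlaClass:
    """Thresholds a tunnel must satisfy to carry this class of traffic."""
    name: str
    max_loss_pct: float
    max_latency_ms: int
    max_jitter_ms: int


@dataclass(frozen=True)
class TunnelStats:
    """Measured health of one tunnel, identified by its TLOC colour."""
    color: str
    loss_pct: float
    latency_ms: int
    jitter_ms: int


def meets_sla(t: TunnelStats, sla: SlaClass) -> bool:
    """True when every measured value is within the SLA class thresholds."""
    return (t.loss_pct <= sla.max_loss_pct
            and t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms)


def select_tunnel(tunnels: List[TunnelStats], sla: SlaClass,
                  preferred_colors: List[str]) -> Tuple[str, Optional[str]]:
    """Pick the tunnel for a flow governed by `sla`.

    Returns ("aar", colour) when an SLA-compliant tunnel exists (preferred
    colours are tried first), or ("fallback", None) when no tunnel meets the
    SLA and the flow falls back to ordinary routing (simplified model).
    """
    compliant = [t for t in tunnels if meets_sla(t, sla)]
    for color in preferred_colors:
        for t in compliant:
            if t.color == color:
                return ("aar", color)
    if compliant:
        return ("aar", compliant[0].color)
    return ("fallback", None)


# Constructed sample measurements (hypothetical values, not from a real device).
SAMPLE_TUNNELS = [
    TunnelStats("mpls", loss_pct=0.1, latency_ms=40, jitter_ms=5),
    TunnelStats("biz-internet", loss_pct=3.0, latency_ms=120, jitter_ms=30),
    TunnelStats("lte", loss_pct=0.5, latency_ms=80, jitter_ms=10),
]
VOICE = SlaClass("VOICE", max_loss_pct=1.0, max_latency_ms=100, max_jitter_ms=20)
BULK = SlaClass("BULK", max_loss_pct=5.0, max_latency_ms=300, max_jitter_ms=100)
LOSSLESS = SlaClass("LOSSLESS", max_loss_pct=0.0, max_latency_ms=50, max_jitter_ms=5)


def aar_demo():
    """Run the selection for three traffic classes over the sample tunnels."""
    return {
        "voice": select_tunnel(SAMPLE_TUNNELS, VOICE, ["biz-internet", "mpls"]),
        "bulk": select_tunnel(SAMPLE_TUNNELS, BULK, ["biz-internet"]),
        "lossless": select_tunnel(SAMPLE_TUNNELS, LOSSLESS, ["mpls"]),
    }


if __name__ == "__main__":
    for traffic_class, decision in aar_demo().items():
        print(traffic_class, decision)
```

With these sample numbers the voice class skips its preferred biz-internet tunnel because that tunnel's loss exceeds the SLA, lands on MPLS instead, and the unattainable LOSSLESS class produces a fallback decision: the policy never forces traffic onto a link that fails the SLA, which is the guarantee the bullet above describes.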
When no centralized control policy is applied:
By default, no centralized control policy is configured on the Viptela control plane devices.
- Every vEdge device sends its routing updates, TLOC routes and service routes to the vSmart controller unmodified, over the DTLS tunnel it has established with vSmart.
- vSmart accepts all routing information received from the vEdges and builds a topology map of the entire network from it, according to the VPN each route belongs to.
- The vEdges keep sending routing information to the vSmart controller; whenever a change occurs, the vSmart controller updates its routing table.
When a centralized control policy is applied:
When the routing information stored on the controllers, which is what gets advertised to the vEdges, needs to be manipulated, we provision a centralized control policy. Once a control policy is applied, the behaviour changes as follows:
- When the centralized control policy is applied in the inbound direction on the vSmart controller (updates coming from the vEdges), the routes pass through the policy first and only those it accepts are installed in the vSmart routing table.
- When the centralized control policy is applied in the outbound direction on the vSmart controller (updates going toward the vEdges), the routes pass through the policy as they are advertised, so each vEdge receives only what the policy allows for its site.
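The inbound/outbound behaviour described above, together with the VPN membership use case from the earlier section (a guest segment that may reach the Internet but not other sites), modelled as an added example written for this article. This is not Cisco's implementation and not the vSmart policy syntax: the `OmpRoute`, `Sequence`, `ControlPolicy` and `VSmart` names, the site IDs 100/200/300, the VPN numbers and the prefixes are all constructed; the model keeps only the ideas the text states (a sequence of match/action rules with a default action, applied per site in one direction, plus a per-site set of member VPNs).

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class OmpRoute:
    """A simplified OMP route as vSmart learns it from a vEdge (constructed model)."""
    prefix: str
    vpn: int
    site_id: int          # originating site
    preference: int = 0   # higher is preferred on the receiving vEdge


@dataclass
class Sequence:
    """One match/action sequence of a control policy (hypothetical model)."""
    match: Callable[[OmpRoute], bool]
    action: str                        # "accept" or "reject"
    set_preference: Optional[int] = None


@dataclass
class ControlPolicy:
    name: str
    sequences: List[Sequence]
    default_action: str = "reject"    # unmatched routes are dropped by default

    def evaluate(self, route: OmpRoute) -> Optional[OmpRoute]:
        """Return the (possibly modified) route, or None when it is filtered."""
        for seq in self.sequences:
            if seq.match(route):
                if seq.action == "reject":
                    return None
                if seq.set_preference is not None:
                    return replace(route, preference=seq.set_preference)
                return route
        return route if self.default_action == "accept" else None


class VSmart:
    """Toy vSmart: an OMP table plus per-site inbound/outbound policies."""

    def __init__(self) -> None:
        self.rib: List[OmpRoute] = []
        self.inbound: Dict[int, ControlPolicy] = {}
        self.outbound: Dict[int, ControlPolicy] = {}
        self.vpn_membership: Dict[int, Set[int]] = {}   # site -> VPNs it may learn

    def receive(self, route: OmpRoute) -> Optional[OmpRoute]:
        """Inbound direction: filter a vEdge's update before installing it."""
        policy = self.inbound.get(route.site_id)
        kept = policy.evaluate(route) if policy else route
        if kept is not None:
            self.rib.append(kept)
        return kept

    def advertise(self, site_id: int) -> List[OmpRoute]:
        """Outbound direction: filter the table before advertising it to a site."""
        policy = self.outbound.get(site_id)
        allowed_vpns = self.vpn_membership.get(site_id)
        out = []
        for route in self.rib:
            if route.site_id == site_id:
                continue  # do not reflect a site's own routes back to it
            if allowed_vpns is not None and route.vpn not in allowed_vpns:
                continue  # VPN membership: this site is not a member of the VPN
            sent = policy.evaluate(route) if policy else route
            if sent is not None:
                out.append(sent)
        return out


HUB, BRANCH, GUEST_SITE = 100, 200, 300        # constructed site IDs
CORP_VPN, GUEST_VPN = 1, 10                    # constructed VPN numbers


def build_demo_controller() -> VSmart:
    vs = VSmart()
    # Inbound: the guest-only site may inject routes into the guest VPN only,
    # so a route it claims in the corporate VPN never reaches the table.
    vs.inbound[GUEST_SITE] = ControlPolicy(
        "GUEST-IN", [Sequence(lambda r: r.vpn == GUEST_VPN, "accept")])
    # Outbound hub-and-spoke: branches learn hub routes only, at preference 100.
    hub_spoke = ControlPolicy(
        "HUB-SPOKE", [Sequence(lambda r: r.site_id == HUB, "accept", set_preference=100)])
    vs.outbound[BRANCH] = hub_spoke
    vs.outbound[GUEST_SITE] = hub_spoke
    # VPN membership: corporate branch never learns guest routes and vice versa.
    vs.vpn_membership[BRANCH] = {CORP_VPN}
    vs.vpn_membership[GUEST_SITE] = {GUEST_VPN}
    for r in (OmpRoute("10.0.0.0/8", CORP_VPN, HUB),          # constructed updates
              OmpRoute("10.2.0.0/16", CORP_VPN, BRANCH),
              OmpRoute("10.3.0.0/16", CORP_VPN, GUEST_SITE),  # rejected inbound
              OmpRoute("192.168.3.0/24", GUEST_VPN, GUEST_SITE),
              OmpRoute("0.0.0.0/0", GUEST_VPN, HUB)):         # hub's guest Internet exit
        vs.receive(r)
    return vs


def control_policy_demo() -> Dict[int, List[OmpRoute]]:
    vs = build_demo_controller()
    return {site: vs.advertise(site) for site in (HUB, BRANCH, GUEST_SITE)}


if __name__ == "__main__":
    for site, routes in control_policy_demo().items():
        print(site, [(r.prefix, r.vpn, r.preference) for r in routes])
```

Running it shows the two directions doing different jobs: the inbound policy keeps the guest site's bogus corporate-VPN prefix out of the controller's table entirely (no other site can ever learn it), while the outbound policy and VPN membership shape what each site receives, so the guest site ends up with only the hub's default route and no path to any other branch.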