Introduction to Cisco SD-WAN Policy
In this article, we discuss the different types of Cisco SD-WAN policy.
Policies are a core part of the Cisco SD-WAN solution and are used to manipulate packet flow across the overlay fabric. Policies are built on the vManage controller with the policy wizard and pushed via NETCONF either to the vSmart controllers (centralized policies) or directly to the vEdge routers (localized policies). Centralized policies let us steer traffic for the whole overlay fabric from one place, removing the per-device manual configuration step where human error is most likely.
In the traditional method, configuration is applied device by device from the CLI. Cisco SD-WAN overcomes this with a centralized management plane that pushes consistent configuration and policy to every device, which greatly reduces the scope for human error.
Types of Cisco SD-WAN Policy
There are two main types of policies:
- Centralized Policy
- Localized Policy
In this article, we will discuss Localized Policy in detail.
Localized policies are applied locally on the vEdge routers in the overlay network. Like centralized policies, localized policies can manipulate both control plane and data plane traffic. The two main types of localized policy are:
- Traditional Localized Policy
- Security Policy
Traditional Localized Policy
Traditional localized policies include Route Policy, Quality of Service (QoS), and Access Control Lists (ACLs).
The traditional localized policies can further be categorized as:
- Traditional localized policies that affect the Control Plane: Route Policy
- Traditional localized policies that affect the Data Plane: Quality of Service (QoS), and Access Control Lists (ACLs)
Localized policies that affect the control plane, called route policies, can be used to filter or manipulate routes exchanged or learned outside of the SD-WAN fabric via protocols such as BGP, OSPF, and EIGRP. Route policies can also be used to filter routes as they are redistributed from one protocol to another including into and out of OMP. Route policies are the only way to impact the control plane with localized policy.
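The following is an added example, not configuration from the original article, showing what a localized route policy looks like on a vEdge router in Viptela OS CLI (as it would appear in the running configuration). The policy rejects RFC 1918 prefixes learned from an external BGP neighbor in a service VPN and accepts everything else. The VPN number, AS numbers, neighbor address, prefix-list name and policy name are assumed for illustration; check the exact keywords against the CLI reference for your software release.

```text
policy
 lists
  prefix-list RFC1918
   ip-prefix 10.0.0.0/8 le 32
   ip-prefix 172.16.0.0/12 le 32
   ip-prefix 192.168.0.0/16 le 32
  !
 !
 route-policy BGP_IN_FILTER
  sequence 10
   match
    address RFC1918
   !
   action reject
   !
  !
  default-action accept
 !
!
vpn 1
 router
  bgp 65001
   neighbor 192.0.2.1
    remote-as 65002
    address-family ipv4-unicast
     route-policy BGP_IN_FILTER in
    !
   !
  !
 !
!
```

The route policy is evaluated top down by sequence number; the first sequence whose match conditions are met decides accept or reject, and default-action handles routes that match no sequence. Because the policy only rejects what the prefix list names, a new private range that is not in the list would be accepted; the safer pattern for a strict filter is to accept only the expected prefixes and set default-action reject. The same route-policy name can be referenced at a redistribution point (for example where OMP routes are redistributed into OSPF) to filter routes as they cross protocol boundaries.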
Quality of Service:
Quality of Service (QoS) can be configured on the WAN Edge routers to perform queuing, shaping, policing, congestion avoidance, and congestion management.
Access Control Lists:
Access control lists (ACLs) can be created with the localized policy to filter traffic at the interface level. ACLs can also be used to mark or remark traffic for QoS purposes.
Security Policy
The security policy feature set supports use cases such as compliance, guest access, Direct Cloud Access (DCA), and Direct Internet Access (DIA). Security policies were first introduced in version 18.2 with the Zone-Based Firewall (ZBFW) feature set and have expanded in subsequent releases. As of version 19.2, the security policy feature set supports application-aware ZBFW, Intrusion Prevention, URL Filtering, Advanced Malware Protection (AMP), and DNS Security. All of these act on traffic in the data plane.
Key Points of Cisco SD-WAN Policy
Centralized Data Policy:
- Centralized data policy is applied per site list and per VPN list, so it takes effect on every site and service VPN named in those lists rather than being configured one device at a time.
- The configuration does not stay on the edge: vSmart advertises it via OMP and the edge holds it in memory rather than in its running configuration. After a reboot the policy is absent until the OMP session to vSmart comes back up and the policy is advertised again.
Localized Policy:
- Localized control policy, also called route policy, affects BGP, OSPF and EIGRP routing behavior on the site-local network.
- Localized data policy covers QoS and ACLs; together with route policy these make up the traditional localized policy.
- The configuration stays on the edge: vManage pushes it via NETCONF into the device's running configuration, where it is visible in the CLI and survives a reboot.
- A localized ACL is applied to one or more specific interfaces on the vEdge router. Each sequence accepts or drops traffic based on a match of up to six tuple fields: source IP, destination IP, source port, destination port, DSCP and protocol.
- Access lists can also assign a Class of Service (QoS class), apply a policer and mirror traffic, and so control how data flows in and out of the interfaces.
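The following is an added example (not from the original article) that illustrates both the Access Control Lists section above and the localized data policy key points: a vEdge access list in Viptela OS CLI that drops Telnet from a guest subnet toward the data-center prefix, marks UDP traffic from a voice subnet with DSCP 46 and places it in a QoS class, counts both, and accepts everything else. It is applied inbound on a service-side interface in VPN 1. The subnets, interface, VPN, class and counter names are all assumed for illustration; verify the keywords against the CLI reference for your release.

```text
policy
 class-map
  class VOICE queue 0
 !
 access-list SERVICE_IN
  sequence 10
   match
    source-ip 10.10.20.0/24
    destination-ip 10.1.0.0/16
    destination-port 23
    protocol 6
   !
   action drop
    count GUEST_TELNET_DROPS
   !
  !
  sequence 20
   match
    source-ip 10.10.30.0/24
    protocol 17
   !
   action accept
    class VOICE
    set dscp 46
    count VOICE_MARKED
   !
  !
  default-action accept
 !
!
vpn 1
 interface ge0/1
  access-list SERVICE_IN in
 !
!
```

Sequences are evaluated in order and the first match wins, so a drop sequence must come before any broader accept that would also match the same flow. The six match fields a localized ACL can use (source-ip, destination-ip, source-port, destination-port, dscp and protocol) are all available under match; fields not listed in a sequence are wildcards, so sequence 20 marks all UDP from the voice subnet regardless of port. The class named in the accept action must exist under class-map, and the direction keyword (in or out) decides whether the list sees traffic entering or leaving that interface. The hit counters can be checked on the router with show policy access-list-counters.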
Centralized data policy is applied to a site in one of three directions on the vEdge:
- from-service: traffic entering the router from the service (LAN) side, i.e. flowing from the LAN toward the WAN
- from-tunnel: traffic arriving from the overlay tunnel (WAN) side, i.e. flowing from the WAN toward the LAN
- all: both directions
(Localized ACLs, by contrast, are applied per interface with an in or out direction.)
Provisioning of Policies:
Policies can be provisioned in two ways:
- Centralized: pushed from vManage to vSmart via a NETCONF transaction and then advertised to the edge devices by vSmart via OMP; affects every edge matched by the policy's site list.
- Localized: pushed from vManage directly to the edge devices via a NETCONF transaction; affects specific devices that need tailored policy or settings. The localized policy is attached to the device template, and its ACLs and QoS maps are referenced by name from the relevant feature templates (for example the VPN interface template).