Cisco SD-WAN Policy Framework Overview
Uploaded by ruben rios (139 pages)

Building and Using Policies with Cisco SD-WAN
Become Sufficiently Dangerous

Stefan Olofsson, Technical Solutions Architect
DGTL-BRKRST-2791

Agenda
• Cisco SD-WAN Crash Course
• Introduction to the Cisco SD-WAN Policy Framework
• Control Policies and Applications
• Data Policies and Applications
• Application Aware Routing Policies and Applications
• More Policies and Applications
• Tips, Tricks, Scalability and Best Practices
• Conclusion

#CiscoLive DGTL-BRKRST-2791 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco SD-WAN Crash Course

Cisco SD-WAN Architecture Overview
Applying SDN Principles Onto The Wide Area Network
[Figure: Management/Orchestration Plane (vManage, vBond, APIs, 3rd-party automation); Control Plane (vSmart Controllers); Data Plane (WAN Edge Routers over MPLS, 4G and INET transports, serving Cloud, Data Center, Campus, Branch and SOHO sites)]

Cisco SD-WAN Terminology
• Transport Side – Controller or WAN Edge interface connected to the underlay/WAN network
  • Always VPN 0
  • Traffic typically tunneled/encrypted, unless split-tunneling is used
• Service Side – WAN Edge interface attaching to the LAN
  • VPN 1-511 (512 reserved for OOB Mgmt)
  • Traffic forwarded as is from original source
• TLOC – Collection of entities making up a transport side connection
  • System-IP: IPv4 address (non-routed identifier)
  • Color: Interface identifier on local WAN Edge
  • Private TLOC: IP address on interface sitting on inside of NAT
  • Public TLOC: IP address on interface sitting on outside of NAT
  • Private/Public can be the same if connection is not subject to NAT
• vRoute – Routes learnt/connected on Service Side
  • vRoute tagged with attributes as it is picked up by OMP

Cisco SD-WAN Terminology
• OMP – Overlay Management Protocol
  • Dynamic routing protocol managing the Overlay domain
  • Integrated mechanism for distribution of routing, encryption keys and policies
• Site-ID – Identifies the source location of an advertised prefix
  • Configured on every WAN Edge, vSmart and vManage
  • Does not have to be unique, but nodes sharing a Site-ID are assumed to be at the same location
  • Required configuration for OMP and TLOCs to be brought up
• System-IP – Unique identifier of an OMP endpoint
  • 32-bit dotted-decimal notation (an IPv4 address)
  • Logically a VPN 0 loopback interface, referred to as "system"
  • The system interface is the termination point for OMP

Introduction to the Cisco SD-WAN Policy Framework

Cisco SD-WAN Policy Architecture
Policy Categories
• Centralized Policies
  • Topology and VPN Membership: Control Policy, VPN Membership Policy
  • Traffic Rules: App-Aware Routing Policy, Data Policy (Traffic Data), cFlowd
  • Defined on vManage, pushed to vSmart over Netconf, then distributed by OMP into volatile storage on the device (~Policy RIB)
• Localized Policies
  • Local Policy: Local Control Policy (Routing Policies – OSPF/BGP), Local Data Policy (QoS, ACL etc)
  • Defined in the Device Configuration Template and pushed over Netconf into the Device Configuration

Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains
[Figure: Control Policy on vSmart; App-Route Policy (App-Aware SLA-based Routing) and Data Policy (Extensive Policy-based Routing and Services) on the WAN Edges, per VPN 1 / VPN 2 across the WAN]
• Control Policies are applied at vSmart: tailor the routing information advertised to WAN endpoints
• App-Route Policies are applied at WAN Edge: SLA-driven path selection for applications
• Data Policies are applied at WAN Edge: extensive policy-driven routing

Cisco SD-WAN Overlay Routing
Multi-domain Routing Fabric
[Figure: Core SD-WAN Routing Domain (control plane, vSmart) with Site1-Site4 WAN Edges carrying VPN 1-3 over the SD-WAN fabric, attached to existing Branch/DC routing domains]
• Overlay Routing Policy Enforcement Point: vSmart
  • TLOCs advertised to vSmarts with a set of attributes
  • Service prefixes advertised to vSmarts with a set of attributes
  • vSmarts advertise TLOCs and service prefixes to all Edges
• Local Routing Policy Enforcement Point: WAN Edge, at the boundary to the existing Branch/DC routing domain

Overlay Management Protocol
High Level Description
• Path Vector Routing Protocol specifically designed for overlay networks
• Natively Multiprotocol, Multipath and VPN/Segment Aware
• Peer Auto-discovery w/ zero-line config for basic operation
• Inherent Route Target Constraint capability
• Automatic distribution of targeted local routing
• Overlay and Legacy Domain loop avoidance capabilities
• Reliable and Secure Transport (SSL)
• Broad Attribute Support
  • Preference
  • Identification
  • Legacy Source Protocol Information
• Consistent Routing and Encryption Synchronization
• Multi-domain capable

Overlay Management Protocol
Distribution of Routing Information for Topology-driven Routing
• vRoutes – Branch routing into the Overlay: Routing + Forwarding Attributes
• TLOCs – WAN Attachment: Private IP/Public IP, Color / Encap, Encryption Keys + Attributes
• Services – Type of Service, Location (TLOC) Information
• Policies – Data Policy, App-Route Policy, VPN Membership, cFlowd Template

Distribution of Routing Information and Policies is subject to endpoint push
Updates sent only on changes – routing engine operates as with existing protocols (BGP)

Overlay Management Protocol
Path Selection

Best-path selection order:
• Route Resolvability – Next-hop TLOC is reachable
• Route Source Preference – Prefer vEdge-sourced route over vSmart-sourced route
• Admin Distance – Prefer OMP route with lowest admin distance
• Route Preference – Prefer route with highest route preference
• TLOC Preference – Prefer route with highest TLOC preference
• Origin – Prefer route with best origin (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset)
• Tiebreaker – Prefer route from highest origin Router-ID (System-IP)
• Tiebreaker – Prefer route from highest Private TLOC IP address

• Default: 4 paths advertised by vSmart
  omp send-path-limit [1-16]
• Backup routes can be advertised to vEdges for faster convergence
  omp send-backup-paths
• Origin is compared by Admin Distance and then by Protocol Cost / Metric

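As an added illustration (not from the deck and not Cisco code), the selection order above turned into a Python comparator. Every path, system-IP and private TLOC address in it is constructed; the ranking criteria, their order and the 1-16 send-path-limit range are the only inputs taken from the slide. The sample models one prefix offered by two data centers with TLOC preferences 400 and 200 plus an unreachable path, the pattern the data-center preference case later in the deck relies on.

```python
"""Toy OMP best-path ranking (added example, not Cisco code).

The comparison order follows the deck's path-selection list step for step.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress

# Origin ranking exactly as listed on the slide: lower index is preferred.
ORIGIN_RANK = {"connected": 0, "static": 1, "ebgp": 2, "ospf-intra": 3,
               "ospf-inter": 4, "ospf-external": 5, "ibgp": 6, "unknown": 7}


@dataclass(frozen=True)
class OmpPath:
    nexthop_system_ip: str       # system-ip of the next-hop TLOC
    color: str
    tloc_private_ip: str
    resolvable: bool = True      # next-hop TLOC reachable (otherwise Inv,U)
    vedge_sourced: bool = False  # learnt from a peer WAN Edge rather than via vSmart
    admin_distance: int = 250
    route_preference: int = 0
    tloc_preference: int = 0
    origin: str = "unknown"
    origin_metric: int = 0       # protocol cost/metric, compared within the same origin
    originator: str = "0.0.0.0"  # router-id (system-ip) of the advertising node


def rank_key(p: OmpPath):
    """Sort key: the smallest tuple is the best path. Each element is one step
    of the selection order; higher-is-better fields are negated."""
    return (
        0 if p.vedge_sourced else 1,                     # route source preference
        p.admin_distance,                                # lowest admin distance
        -p.route_preference,                             # highest route preference
        -p.tloc_preference,                              # highest TLOC preference
        ORIGIN_RANK.get(p.origin, ORIGIN_RANK["unknown"]),  # best origin
        p.origin_metric,                                 # then protocol cost/metric
        -int(ipaddress.ip_address(p.originator)),        # highest originator system-ip
        -int(ipaddress.ip_address(p.tloc_private_ip)),   # highest private TLOC ip
    )


def select_paths(paths, send_path_limit=4):
    """Drop unresolvable paths, rank the rest and cap the result at
    send-path-limit (default 4, permitted 1-16) as the vSmart does when advertising."""
    if not 1 <= send_path_limit <= 16:
        raise ValueError("send-path-limit must be in 1-16")
    usable = [p for p in paths if p.resolvable]
    return sorted(usable, key=rank_key)[:send_path_limit]


# Constructed sample: a prefix reachable via two data centers. The region sees
# DC-1 with TLOC preference 400, DC-2 with 200, and a third path whose TLOC is down.
WEST_REGION_PATHS = [
    OmpPath("10.0.0.101", "mpls", "172.16.101.1", tloc_preference=200,
            origin="ebgp", originator="10.0.0.101"),
    OmpPath("10.0.0.100", "mpls", "172.16.100.1", tloc_preference=400,
            origin="ebgp", originator="10.0.0.100"),
    OmpPath("10.0.0.102", "mpls", "172.16.102.1", tloc_preference=900,
            resolvable=False, originator="10.0.0.102"),
]


def best_next_hop(paths=WEST_REGION_PATHS) -> str:
    """System-ip of the TLOC the best path points at."""
    return select_paths(paths)[0].nexthop_system_ip


if __name__ == "__main__":
    for p in select_paths(WEST_REGION_PATHS):
        print(p.nexthop_system_ip, p.color, "tloc-pref", p.tloc_preference)
```

The unreachable path is discarded before ranking rather than ranked last, because a route whose next-hop TLOC is down is never installed, however attractive its preference. Everything after the origin step only matters when two paths are equal up to that point, which is exactly what the Router-ID and private-IP tiebreakers exist for.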
Building, Applying and Processing SD-WAN Policies

Construction of SD-WAN Policies
Policy Building Blocks
• Lists – e.g. Site-List containing Site-ID <n>
• Policy
  • Policy Type
  • Policy Sequence 1: Match <route | tloc | Application>, Action <Accept | Reject | set>
  • Policy Sequence 2: Match <route | tloc | Application>, Action <Accept | Reject | set>
  • Default Action <Accept | Reject>
• Apply Policy – Policy <type> <name>, Direction (if applicable), applied to a Site-List

Cisco SD-WAN Policy Orchestration Process
1 vManage GUI – Policy Orchestration: Control Policy, App-Route Policy (App-Aware SLA-based Routing) and Data Policy (Extensive Policy-based Routing and Services) are combined and applied per site
2 vSmart controller – Policy Enforcement/Advertisement: execute the Control Policy; advertise AAR/Data Policies to sites
3 WAN Edge router – Policy Enforcement: execute AAR and Data Policy as received; dynamic routing and policies combine to dictate behavior on the Service Side

Processing Policies
Policy Processing Logic
• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action of that sequence and is then no longer subject to continued processing.
• An entity not matched by any sequence is subject to the default action of the policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to disseminate information to other vSmarts and vEdges
• vManage acts to ensure all vSmarts are synchronized

Cisco SD-WAN Policy Execution
Topology-driven routing and Policy execution chain (Service Side → Transport Side)
1 Local Ingress Policy – Policing, Admission Control, Classification & Marking
2 Centralized App-Route Policy – SLA-based Path Selection
3 Centralized Data Policy – Policing, Admission Control, Classification & Re/Marking, Path Selection, Services
4 Routing / Forwarding – Topology Driven Forwarding
5 Queueing / Scheduling – Shaping, WRR w/ LLQ, Congestion Avoidance
6 Local Egress Policy – Access Lists, Policing, Re-marking

App-Aware Routing and Data Policy Overlap
Policy Processing when packet is subject to match in both policies

Guiding Principle:
Data Policy Makes Final Decision with Consideration for AAR SLA Match

[Flowchart for an incoming packet; decision nodes as labelled on the slide: App-Route Policy "Path Matching SLA Found?"; Data Policy "Local/Remote TLOC Action?"; App-Route Policy "Follow Preferred/Backup SLA"; "AAR Strict Configured?"; Data Policy "Path Decision Matching AAR?"; Data Policy "Path Found?"; Data Policy "Path Decision Determined by Routing due to TLOC down?"; Data Policy "Local-TLOC Strict Configured?"; App-Route Policy "Evaluate Default SLA Class"; outcomes "Send Packet" / "Drop Packet"]

Policy Management
Ensuring Intended End-to-End Policy Application
• vManage – the source of the centralized policy
• vSmart
  • Policy configuration section: show running-config policy
  • Apply-policy configuration section: show running-config apply-policy
• WAN Edge
  • View the policy as received from vSmart via OMP: show policy from-vsmart

Policy Framework: Control Policies

Control Policies
Overlay Management Protocol Routing Policies
• Control policies are applied and executed on vSmart to influence routing in the Overlay domain
• Control policies filter or manipulate OMP routing information to:
  • Enable services
  • Influence path selection
• Control Policies control the following services:
  • Service Chaining
  • Traffic Engineering
  • Extranet VPNs
  • Service and Path affinity
  • Arbitrary VPN Topologies
  • and more …
• The Control Policy is one of the most powerful tools in the Cisco SD-WAN toolbox

Control Policies
Policy Structure

Match on TLOC:
control-policy <name>
 sequence <n>
  match tloc
   carrier <carrier>
   color <color>
   color-list <name>
   domain-id <domain-id>   - Not Supported
   group-id <group-id>
   omp-tag <tag>
   originator <system-ip>
   preference <preference>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
  !
  action accept
   set
    omp-tag <tag>
    preference <preference>
   !
  !
 !
 default-action accept
!

Match on route:
control-policy <name>
 sequence <n>
  match route
   color <color>
   color-list <name>
   ipv6-prefix-list <name>
   omp-tag <tag>
   origin <protocol>
   originator <system-ip>
   preference <preference>
   prefix-list <name>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
   vpn <vpn-id>
   vpn-list <name>
  !
  action accept
   export-to <vpn> | vpn-list
   set
    omp-tag <tag>
    preference <preference>
    service <service-type>
    tloc <tloc>
    tloc-action <action>
    tloc-list <name>
   !
  !
 !
 default-action accept
!

Control Policy Case #1
Interconnecting Dis-contiguous Data Planes

Problem:
Overlay with a dis-contiguous data plane and endpoints need to communicate end-to-end

[Figure: WAN Edge1 (Site-id 10, System-IP [Link], Color mpls, MPLS TLOC only) and WAN Edge2 (Site-id 20, System-IP [Link], Color public-internet, Internet TLOC only); WAN Edge100 (Site-id 100) and WAN Edge101 (Site-id 101) are attached to both transports; every site carries VPN 1 and VPN 2]

Solution:
Identify one or more multi-homed sites to bridge the data plane gap and act as gateways
Use a control policy to enable distribution of routing information between domains enabling gateway-supported paths

Control Policy Case #1
Interconnecting Dis-contiguous Data Planes
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

[Figure: WAN Edge1 originates Route VPN-1: Prefix A, NH: TLOC [Link], Color: mpls; WAN Edge2 originates Route VPN-1: Prefix B, NH: TLOC [Link], Color: public-internet. The controller advertises Prefix B toward WAN Edge1 with NH: TLOC [Link], Color: mpls and Prefix A toward WAN Edge2 with NH: TLOC [Link], Color: public-internet, i.e. with the next-hop rewritten to the gateway TLOCs of the multi-homed sites (System-IP [Link] each)]

Control Policy Case #1 (For Your Reference)
Interconnecting Dis-contiguous Data Planes

policy
 lists
  tloc-list internet-gateways                   ! 1 Define Gateway TLOC-lists
   tloc [Link] color mpls encap ipsec
   tloc [Link] color mpls encap ipsec
  !
  tloc-list mpls-gateways
   tloc [Link] color public-internet encap ipsec
   tloc [Link] color public-internet encap ipsec
  !
  site-list internet-sites                      ! 2 Declare Target Sites
   site-id 20
  !
  site-list mpls-sites
   site-id 10
  !
 !
 control-policy announce-internet-sites         ! 3 Define the Control Policies
  sequence 10
   match route
    site-list internet-sites
   !
   action accept
    set
     tloc-list internet-gateways
    !
   !
  !
  default-action accept
 !
 control-policy announce-mpls-sites
  sequence 10
   match route
    site-list mpls-sites
   !
   action accept
    set
     tloc-list mpls-gateways
    !
   !
  !
  default-action accept
 !
!
apply-policy                                    ! 4 Apply Policies to the target site-lists
 site-list internet-sites
  control-policy announce-mpls-sites out
 !
 site-list mpls-sites
  control-policy announce-internet-sites out
 !
!

Wait… We're doing what?

Dis-contiguous Data Planes
TLOC Distribution and State – No Policy Applied
OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable
[Figure: WAN Edge1 (Site-id 10, Color mpls) and WAN Edge2 (Site-id 20, Color public-internet), WAN Edge100 (Site-id 100) and WAN Edge101 (Site-id 101) on both colors; VPN 1 and VPN 2 at each site; System-IPs redacted as [Link]]

vSmart# show omp tlocs
ADDRESS                                         BFD
FAMILY   TLOC IP   COLOR             STATUS    STATUS
-----------------------------------------------------------
ipv4     [Link]    mpls              C,I,R     -
         [Link]    public-internet   C,I,R     -
         [Link]    mpls              C,I,R     -
         [Link]    public-internet   C,I,R     -
         [Link]    mpls              C,I,R     -
         [Link]    public-internet   C,I,R     -

WAN Edge1# show omp tlocs
ADDRESS                                         BFD
FAMILY   TLOC IP   COLOR             STATUS    STATUS
-----------------------------------------------------------
ipv4     [Link]    mpls              C,Red,R   up
         [Link]    public-internet   C,I,R     down
         [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     down
         [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     down

WAN Edge2# show omp tlocs
ADDRESS                                         BFD
FAMILY   TLOC IP   COLOR             STATUS    STATUS
-----------------------------------------------------------
ipv4     [Link]    mpls              C,I,R     down
         [Link]    public-internet   C,Red,R   up
         [Link]    mpls              C,I,R     down
         [Link]    public-internet   C,I,R     up
         [Link]    mpls              C,I,R     down
         [Link]    public-internet   C,I,R     up

WAN Edge100# show omp tlocs
ADDRESS                                         BFD
FAMILY   TLOC IP   COLOR             STATUS    STATUS
-----------------------------------------------------------
ipv4     [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     up
         [Link]    mpls              C,Red,R   up
         [Link]    public-internet   C,Red,R   up
         [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     up

WAN Edge101# show omp tlocs
ADDRESS                                         BFD
FAMILY   TLOC IP   COLOR             STATUS    STATUS
-----------------------------------------------------------
ipv4     [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     up
         [Link]    mpls              C,I,R     up
         [Link]    public-internet   C,I,R     up
         [Link]    mpls              C,Red,R   up
         [Link]    public-internet   C,Red,R   up

Dis-contiguous Data Planes
vRoute Distribution and State – No Policy Applied
OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable
[Figure: same topology as the previous slide; each site originates one VPN 1 prefix ([Link]/24)]

vSmart# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
---------------------------------------------------------
1     [Link]/24    C,R       [Link]    mpls
      [Link]/24    C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet

WAN Edge1# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    C,Red,R   [Link]    mpls
      [Link]/24    Inv,U     [Link]    public-internet
      [Link]/24    C,I,R     [Link]    mpls
                   Inv,U     [Link]    public-internet
      [Link]/24    C,I,R     [Link]    mpls
                   Inv,U     [Link]    public-internet

WAN Edge2# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    Inv,U     [Link]    mpls
      [Link]/24    C,Red,R   [Link]    public-internet
      [Link]/24    Inv,U     [Link]    mpls
                   C,I,R     [Link]    public-internet
      [Link]/24    Inv,U     [Link]    mpls
                   C,I,R     [Link]    public-internet

WAN Edge100# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    C,I,R     [Link]    mpls
      [Link]/24    C,I,R     [Link]    public-internet
      [Link]/24    C,Red,R   [Link]    mpls
                   C,Red,R   [Link]    public-internet
      [Link]/24    C,I,R     [Link]    mpls
                   C,I,R     [Link]    public-internet

WAN Edge101# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    C,I,R     [Link]    mpls
      [Link]/24    C,I,R     [Link]    public-internet
      [Link]/24    C,I,R     [Link]    mpls
                   C,I,R     [Link]    public-internet
      [Link]/24    C,Red,R   [Link]    mpls
                   C,Red,R   [Link]    public-internet

Dis-contiguous Data Planes
Policy Components and Application Direction
OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable

policy
 lists
  tloc-list internet-gateways                   ! the MPLS TLOCs of WAN Edge100 and WAN Edge101
   tloc [Link] color mpls encap ipsec
   tloc [Link] color mpls encap ipsec
  !
  tloc-list mpls-gateways                       ! the Internet TLOCs of WAN Edge100 and WAN Edge101
   tloc [Link] color public-internet encap ipsec
   tloc [Link] color public-internet encap ipsec
  !
  site-list internet-sites                      ! WAN Edge2
   site-id 20
  !
  site-list mpls-sites                          ! WAN Edge1
   site-id 10
  !
 !
!
apply-policy
 site-list internet-sites                       ! Apply policy on outbound update from vSmart to nodes in site-list (WAN Edge2)
  control-policy announce-mpls-sites out
 !
 site-list mpls-sites                           ! Apply policy on outbound update from vSmart to nodes in site-list (WAN Edge1)
  control-policy announce-internet-sites out
 !
!

Dis-contiguous Data Planes
Policy Application and Outgoing Advertisement – Site 20
OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable

control-policy announce-mpls-sites              ! applied outbound to WAN Edge2 (Site-id 20, System-IP [Link], VPN 1 / VPN 2)
 sequence 10
  match route
   site-list mpls-sites
  !
  action accept
   set
    tloc-list mpls-gateways
   !
  !
 !
 default-action accept
!

vSmart# show omp tlocs
ADDRESS                        BFD
FAMILY   TLOC IP   STATUS      STATUS
-------------------------------------------
ipv4     [Link]    C,I,R       -
         [Link]    C,I,R       -
         [Link]    C,I,R       -
         [Link]    C,I,R       -

WAN Edge2# show omp tlocs
ADDRESS                        BFD
FAMILY   TLOC IP   STATUS      STATUS
-------------------------------------------
ipv4     [Link]    C,I,R       down
         [Link]    C,Red,R     up
         [Link]    C,I,R       up
         [Link]    C,I,R       up

vSmart# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
---------------------------------------------------------
1     [Link]/24    C,R       [Link]    mpls
      [Link]/24    C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet

WAN Edge2# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    C,I,R     [Link]    public-internet
                   C,I,R     [Link]    public-internet
      [Link]/24    C,Red,R   [Link]    public-internet
      [Link]/24    Inv,U     [Link]    mpls
                   C,I,R     [Link]    public-internet
      [Link]/24    Inv,U     [Link]    mpls
                   C,I,R     [Link]    public-internet

Dis-contiguous Data Planes
Policy Application and Outgoing Advertisement – Site 10
OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable

control-policy announce-internet-sites          ! applied outbound to WAN Edge1 (Site-id 10, System-IP [Link], VPN 1 / VPN 2)
 sequence 10
  match route
   site-list internet-sites
  !
  action accept
   set
    tloc-list internet-gateways
   !
  !
 !
 default-action accept
!

vSmart# show omp tlocs
ADDRESS                        BFD
FAMILY   TLOC IP   STATUS      STATUS
-------------------------------------------
ipv4     [Link]    C,I,R       -
         [Link]    C,I,R       -
         [Link]    C,I,R       -
         [Link]    C,I,R       -

WAN Edge1# show omp tlocs
ADDRESS                        BFD
FAMILY   TLOC IP   STATUS      STATUS
-------------------------------------------
ipv4     [Link]    C,Red,R     up
         [Link]    C,I,R       down
         [Link]    C,I,R       up
         [Link]    C,I,R       up

vSmart# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
---------------------------------------------------------
1     [Link]/24    C,R       [Link]    mpls
      [Link]/24    C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet
      [Link]/24    C,R       [Link]    mpls
                   C,R       [Link]    public-internet

WAN Edge1# show omp routes
VPN   PREFIX       STATUS    TLOC IP   COLOR
-----------------------------------------------------------
1     [Link]/24    C,Red,R   [Link]    mpls
      [Link]/24    C,I,R     [Link]    mpls
                   C,I,R     [Link]    mpls
      [Link]/24    C,I,R     [Link]    mpls
                   Inv,U     [Link]    public-internet
      [Link]/24    C,I,R     [Link]    mpls
                   Inv,U     [Link]    public-internet

Back on track

Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup

Problem:
Data Center access must be regionalized with neighboring DCs backing each other up

[Figure: DC-1 behind WAN Edge100 (Site-id 100, System-IP [Link]) and DC-2 behind WAN Edge101 (Site-id 101, System-IP [Link]); branches WAN Edge1 (Site-id 10), WAN Edge2 (Site-id 20), WAN Edge3 (Site-id 30) and WAN Edge4 (Site-id 40), each with System-IP [Link]]

Solution:
Identify regions by Site-Id and associate Primary and Backup DC locations with the regions
A control policy is used to make the associations and to define the DC preference

Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

[Figure: both data centers originate Route VPN-1: Prefix A with NH: TLOC [Link], Color: mpls. Toward each region the controller advertises Prefix A with two next hops, NH: TLOC [Link] Color: mpls, Preference: 400 and NH: TLOC [Link] Color: mpls, Preference: 200, so that the region's primary DC carries the higher TLOC preference and the neighboring DC the lower one]

Control Policy Case #2 (For Your Reference)
Network Resource (e.g. Data Center) Preference or Active/Backup

policy
 lists
  tloc-list dc-preference-west                  ! 1 Define Data Center TLOC-lists
   tloc [Link] color mpls encap ipsec preference 400
   tloc [Link] color mpls encap ipsec preference 200
  !
  tloc-list dc-preference-east
   tloc [Link] color mpls encap ipsec preference 200
   tloc [Link] color mpls encap ipsec preference 400
  !
  site-list sites-region-west                   ! 2 Declare Regions
   site-id 1-20
  !
  site-list sites-region-east
   site-id 21-40
  !
  site-list dc-sites                            ! 3 Declare Data Centers
   site-id 100-101
  !
 !
 control-policy adv-dc-preference-west          ! 4 Define the Control Policies
  sequence 10
   match route
    site-list dc-sites
   !
   action accept
    set
     tloc-list dc-preference-west
    !
   !
  !
  default-action accept
 !
 control-policy adv-dc-preference-east
  sequence 10
   match route
    site-list dc-sites
   !
   action accept
    set
     tloc-list dc-preference-east
    !
   !
  !
  default-action accept
 !
!
apply-policy                                    ! 5 Apply Policies to the target site-lists
 site-list sites-region-west
  control-policy adv-dc-preference-west out
 !
 site-list sites-region-east
  control-policy adv-dc-preference-east out
 !
!

Control Policy Case #3
Fabric Data Plane or VPN Plane Topologies
• Fabric Plane or Individual VPNs subject to specific topologies / connectivity models
  • Fully meshed fabric data plane: individual VPNs can use any topology
  • Restricted fabric data plane: individual VPNs are restricted to the connectivity model used by the underlying fabric

[Figure: hub at Site-Id 100 and branches at Site-Id 10, 20 and 30; the controller filters/reassigns TLOCs and attributes toward the fabric and filters/reassigns routes and attributes per VPN]

Control Policy Case #3 (For Your Reference)
Fabric Data Plane and VPN Hub-and-Spoke Topologies

policy
 lists
  tloc-list hub_site_tlocs                      ! 1 Define Hub Site TLOC-list
   tloc [Link] color red encap ipsec preference 100
   tloc [Link] color red encap ipsec preference 100
   tloc [Link] color red encap ipsec
  !
  site-list branch_sites                        ! 2 Declare Branches
   site-id 1000-2000
  !
  site-list hub_sites                           ! 3 Declare Hubs
   site-id 1-100
  !
 !
 control-policy restricted_data_plane           ! 4 Define the Control Policy
  sequence 10
   match tloc
    site-list hub_sites
   !
   action accept                                ! Advertise Hub TLOCs
   !
  !
  sequence 20
   match route
    site-list branch_sites
   !
   action accept                                ! Branch Prefixes, next hop rewritten to the hub TLOCs
    set
     tloc-list hub_site_tlocs
    !
   !
  !
  sequence 30
   match tloc
    site-list branch_sites
   !
   action reject                                ! Drop Branch TLOCs
   !
  !
  default-action accept
 !
!
apply-policy                                    ! 5 Apply Policy to the target site-list
 site-list branch_sites
  control-policy restricted_data_plane out
 !
!

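The following Python model is added here (it is not Cisco code and not from the deck) to show the rules from the "Policy Processing Logic" slide at work on two of the policies above: Case #1's announce-internet-sites and the restricted_data_plane policy of Case #3. Sequences are walked in order, the first match decides, set rewrites the route's next-hop TLOCs, reject drops the entity, and whatever no sequence matched gets the default action. Site-ids, list names and sequence order are taken from the configurations; every IP address is constructed because the deck redacts them.

```python
"""Toy model of a vSmart walking a control policy (added example, not Cisco code).

First match wins: the matched entity takes that sequence's action and is not
evaluated against later sequences; unmatched entities get the default action.
All system-ips and prefixes are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Union


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class TlocAdv:                 # a TLOC advertisement as carried by OMP
    tloc: Tloc
    site_id: int


@dataclass(frozen=True)
class Route:                   # a vRoute as carried by OMP
    vpn: int
    prefix: str
    site_id: int               # site that originated the prefix
    tlocs: tuple               # next-hop TLOCs


Entity = Union[Route, TlocAdv]


@dataclass(frozen=True)
class Sequence:
    match: str                             # "route" or "tloc"
    site_list: Optional[Set[int]] = None   # None = match any site
    action: str = "accept"                 # "accept" or "reject"
    set_tloc_list: Optional[tuple] = None  # "set tloc-list", routes only


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    sequences: tuple
    default_action: str = "accept"


def _matches(seq: Sequence, e: Entity) -> bool:
    if seq.match != ("route" if isinstance(e, Route) else "tloc"):
        return False
    return seq.site_list is None or e.site_id in seq.site_list


def evaluate(policy: ControlPolicy, e: Entity) -> Optional[Entity]:
    """Return the entity as it would be advertised, or None if it is rejected."""
    for seq in policy.sequences:           # order matters: first match wins
        if _matches(seq, e):
            if seq.action == "reject":
                return None
            if seq.set_tloc_list and isinstance(e, Route):
                e = replace(e, tlocs=seq.set_tloc_list)   # next-hop rewrite
            return e                       # no later sequence is consulted
    return e if policy.default_action == "accept" else None


def apply_outbound(policy: ControlPolicy, entities: List[Entity]) -> List[Entity]:
    """What the vSmart sends to a site-list after 'control-policy <name> out'."""
    return [r for r in (evaluate(policy, e) for e in entities) if r is not None]


# --- Case #1: mpls-only site 10 learns internet-only site 20 via gateways 100/101 ---
GW100_MPLS = Tloc("10.0.0.100", "mpls")            # constructed gateway system-ips
GW101_MPLS = Tloc("10.0.0.101", "mpls")
INTERNET_GATEWAYS = (GW100_MPLS, GW101_MPLS)       # tloc-list internet-gateways
ANNOUNCE_INTERNET_SITES = ControlPolicy(
    "announce-internet-sites",
    (Sequence("route", site_list={20}, set_tloc_list=INTERNET_GATEWAYS),),
)
PREFIX_B = Route(1, "192.0.2.0/24", 20, (Tloc("10.0.0.2", "public-internet"),))
PREFIX_100 = Route(1, "198.51.100.0/24", 100,
                   (GW100_MPLS, Tloc("10.0.0.100", "public-internet")))


def case1_toward_site10() -> List[Entity]:
    return apply_outbound(ANNOUNCE_INTERNET_SITES, [PREFIX_B, PREFIX_100])


# --- Case #3: restricted data plane, branches only ever see hub TLOCs ---
HUB_TLOCS = (Tloc("10.0.0.11", "red"), Tloc("10.0.0.12", "red"))
BRANCHES, HUBS = set(range(1000, 2001)), set(range(1, 101))
RESTRICTED_DATA_PLANE = ControlPolicy(
    "restricted_data_plane",
    (
        Sequence("tloc", site_list=HUBS),                                    # seq 10
        Sequence("route", site_list=BRANCHES, set_tloc_list=HUB_TLOCS),      # seq 20
        Sequence("tloc", site_list=BRANCHES, action="reject"),               # seq 30
    ),
)


def case3_toward_branches() -> List[Entity]:
    entities = [
        TlocAdv(HUB_TLOCS[0], 1),                                  # hub TLOC
        TlocAdv(Tloc("10.0.1.1", "red"), 1000),                    # branch TLOC
        Route(1, "203.0.113.0/24", 1001, (Tloc("10.0.1.2", "red"),)),  # branch prefix
    ]
    return apply_outbound(RESTRICTED_DATA_PLANE, entities)
```

In case 3 the branch prefix survives with its next hop swapped for the hub TLOCs while the branch TLOC itself is rejected, which is exactly why no spoke-to-spoke tunnel can come up: a branch never learns another branch's TLOC, only the hub's. Swapping sequences 20 and 30 would not change the outcome here because they match different entity types, but reordering sequences that match the same entities does, which is the point of the "order is important" rule.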
Control Policy Case #3 (For Your Reference)
VPN 1 Full Mesh and VPN 2 Hub-and-Spoke Topologies

Loose Hub-and-Spoke – Spokes communicate via hub(s):
policy
 lists
  vpn-list VPN2
   vpn 2
  !
  site-list branch_sites
   site-id 100-200
  !
 !
 control-policy vpn_multi-topology
  sequence 10
   match route
    site-list branch_sites                      ! Branch Prefixes
    vpn-list VPN2
   !
   action accept
    set
     tloc [Link] color red                      ! Hub site TLOC
    !
   !
  !
  default-action accept
 !
!

Strict Hub-and-Spoke – No spoke to spoke communication:
policy
 lists
  vpn-list VPN2
   vpn 2
  !
  site-list hub_sites
   site-id 1-2
  !
 !
 control-policy vpn_multi-topology
  sequence 10
   match route
    site-list hub_sites                         ! Advertise Hub Prefixes
    vpn-list VPN2
   !
   action accept
   !
  !
  sequence 20
   match route                                  ! Drop Branch Prefixes
    vpn-list VPN2
   !
   action reject
   !
  !
  default-action accept
 !
!

Control Policy Case #4
Service Chaining of Centralized Services
Single/Multi-tenant Services

[Figure: WAN Edge100 (Site-id 100, System-IP [Link]) hosts the Application/service in VPN 1 and VPN 2; WAN Edge1 (Site-id 10, System-IP [Link]) and WAN Edge2 (Site-id 20, System-IP [Link]) are the sites whose VPN 1 / VPN 2 traffic is to be chained through it]

• Problem: Services to be consumed in-path for selected traffic
• Solution: Enable Service-Chaining across the WAN

Control Policy Case #4
Service Chaining of Centralized Services
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

[Figure: WAN Edge1 originates VPN 1: Prefix A, Label 10, NH: TLOC [Link], Color: mpls; WAN Edge2 originates VPN 1: Prefix B, Label 20, NH: TLOC [Link], Color: mpls; WAN Edge100 originates VPN 1: Service FW, Label 1004, NH: TLOC [Link], Color: mpls. The controller advertises Prefix B to WAN Edge1 and Prefix A to WAN Edge2 as VPN 1: Prefix B/A, Label 1004, NH: TLOC [Link] (the service site), Color: mpls, while WAN Edge100 receives the unmodified Prefix A, Label 10 and Prefix B, Label 20]

Control Policy Case #4 (For Your Reference)
Service Chaining

WAN-Edge-100                                    ! 1 Define Central FW Service
vpn 1
 service FW address [Link]
!

vSmart
policy
 lists
  site-list upstream-exit                       ! 2 Declare Exit Point
   site-id 20
  !
  site-list service-chain-branches              ! 3 Declare Attached Branches
   site-id 10
  !
 !
 control-policy service-chain-upstream          ! 4 Define Upstream Service Chain
  sequence 10
   match route
    tloc [Link] color red
    vpn 1
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !
 control-policy service-chain-downstream        ! 5 Define Downstream Service Chain
  sequence 10
   match route
    site-list service-chain-branches
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !
!
apply-policy                                    ! 6 Apply Policies to the target site-lists
 site-list upstream-exit
  control-policy service-chain-downstream out
 !
 site-list service-chain-branches
  control-policy service-chain-upstream out
 !
!

Wait… How does Service Chaining actually work?

Service Chaining
Centralized Services – Setting Up a Service
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

WAN-Edge-100
vpn 1
 service FW address [Link]
!

vSmart# show omp services
ADDRESS                                            PATH
FAMILY   VPN   SERVICE   ORIGINATOR   FROM PEER    ID    LABEL   STATUS
----------------------------------------------------------------------------
ipv4     10    VPN       [Link]       [Link]       65    1003    C,I,R
                                      [Link]       69    1003    C,I,R
         10    FW        [Link]       [Link]       65    1004    C,I,R
                                      [Link]       69    1004    C,I,R

[Figure: the service site (System-IP [Link], VPN 1 / VPN 2) advertises VPN 10: Service FW, Label 1004, NH: TLOC [Link], Color: mpls and VPN 10: Service FW, Label 1004, NH: TLOC [Link], Color: public-internet to the vSmart, i.e. one service advertisement per TLOC]

SD-WAN Service Chaining
WAN Edge Forwarding Paradigm
Label Determines Lookup Context – VPN/RIB or VPN/Service

Receive path on the service node (WAN-Edge-100), from the transport side (VPN 0) to the service side:

1. Receive Packet on the transport (VPN 0) SD-WAN interface
2. Integrity Check
3. Decrypt
4. Lookup Label; the label selects the lookup context:
   • VPN label (1003 in the table above): IP lookup in the VPN 1 RIB, forward out the VPN 1 service interface
   • Service label (1004): label lookup, forward to the service attached to VPN 1 (Service: [Link]) with no IP lookup

    WAN-Edge-100
    vpn 1
     service FW address [Link]

Other service VPNs on the node (VPN 2, VPN 3) keep their own service interfaces and are not involved.
Service Chaining
Invoking the Service – Per Direction
(Legend: original advertisement from endpoint; un/modified advertisement from controller)

vSmart policy

    policy
     control-policy service-chain-upstream
      sequence 10
       match route
        tloc [Link] color mpls
        vpn 1
       !
       action accept
        set
         service FW
        !
       !
      !
     !
     control-policy service-chain-downstream
      sequence 10
       match route
        site-list service-chain-branches
       !
       action accept
        set
         service FW
        !
       !
      !
     !
    !

Advertisements:
• Original from the branch (System-IP [Link]): VPN 1: [Link]/24, Label 100, NH: TLOC [Link], Color: mpls
• Original from the exit site (System-IP [Link]): VPN 1: [Link]/24, Label 200, NH: TLOC [Link], Color: mpls
• Modified by vSmart for the matched routes, in each direction: VPN 10: [Link]/24, Label 1004, NH: TLOC [Link] (service node), Color: mpls, so each side reaches the other through the firewall

Control Policy Service Chaining: Service not advertised to WAN Edge – Applied by Routing
Service Chaining
Invoking the Service – Using a Data Policy
(Legend: original advertisement from endpoint; un/modified advertisement from controller)

vSmart

    policy
     data-policy Central_Security
      vpn-list vpn_all
       sequence 10
        match
         protocol 6
        !
        action accept
         set
          service FW vpn 1
         !
        !
       !
       default-action accept
      !
     !
    !

WAN Edge: the policy arrives with the service attributes already resolved (vSmart picked a Service)

    vEdge# show policy from-vsmart
    from-vsmart data-policy Central_Security
     direction from-service
     vpn-list vpn_all
      sequence 10
       match
        protocol 6
       action accept
        set
         vpn-label 1004
         service FW
         service vpn 1
         service tloc [Link]
         service tloc color mpls
         service tloc encap ipsec
      default-action accept
    from-vsmart lists vpn-list vpn_all
     vpn 1

Data Policy Service Chaining: Service advertised to WAN Edge – Applied to Data Plane
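The two mechanics on the preceding slides (vSmart binding a `set service FW` to the service node's TLOC and label, and the WAN Edge choosing a lookup context by label) can be followed end to end in a small model. The Python below is an added illustration written for this edit, not Cisco's implementation or anything from the session: the system IPs, prefixes and site numbers are constructed, labels 1003/1004 are taken from the `show omp services` slide, and the behaviour when a tloc-list names no TLOC that offers the service is an assumption of the model.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    label: int
    nh: Tloc
    site_id: int                      # originating site


@dataclass(frozen=True)
class Service:
    vpn: int
    name: str
    originator: Tloc
    label: int
    status: str                       # as printed by 'show omp services', e.g. "C,I,R"


@dataclass
class CtrlSeq:
    """One control-policy sequence: a route match plus an optional 'set service'."""
    match: Callable[[Route], bool]
    service: Optional[str] = None                        # set service <name>
    tloc_prefs: Optional[List[Tuple[str, str]]] = None   # ... tloc-list, most preferred first


# Constructed topology (addresses are made up; the slides redact theirs).
FW_NODE = Tloc("10.0.0.100", "mpls")      # WAN-Edge-100, the service node
SITE10 = Tloc("10.0.0.1", "mpls")         # branch, site-id 10
SITE20 = Tloc("10.0.0.2", "mpls")         # exit point, site-id 20

# Constructed equivalent of the 'show omp services' table: the service node offers
# VPN 1 (label 1003) and a firewall service FW (label 1004) over two colors.
SERVICES = [
    Service(1, "VPN", FW_NODE, 1003, "C,I,R"),
    Service(1, "FW", FW_NODE, 1004, "C,I,R"),
    Service(1, "FW", Tloc("10.0.0.100", "public-internet"), 1004, "C,I,R"),
]

# Constructed originals: Prefix A from site 10, Prefix B from site 20.
ROUTES = [
    Route(1, "10.10.0.0/24", 100, SITE10, 10),
    Route(1, "10.20.0.0/24", 200, SITE20, 20),
]


def resolve_service(services, vpn, name, tloc_prefs=None) -> Optional[Service]:
    """The service instance vSmart binds a route to: same VPN and name, and
    resolved ('R' in status). A tloc-list narrows the candidates in preference
    order; if none of the listed TLOCs offers the service nothing is bound
    (assumption of this model, not a statement about the product)."""
    cands = [s for s in services if s.vpn == vpn and s.name == name and "R" in s.status]
    if tloc_prefs is None:
        return cands[0] if cands else None
    for sys_ip, color in tloc_prefs:
        for s in cands:
            if (s.originator.system_ip, s.originator.color) == (sys_ip, color):
                return s
    return None


def apply_control_policy(routes, seqs, services):
    """First matching sequence wins. 'set service' swaps the route's next hop and
    label for the service node's TLOC and the service label before vSmart
    re-advertises it; unmatched routes pass unmodified (default-action accept)."""
    out = []
    for r in routes:
        for seq in seqs:
            if seq.match(r):
                svc = resolve_service(services, r.vpn, seq.service, seq.tloc_prefs) if seq.service else None
                if svc is not None:
                    r = replace(r, nh=svc.originator, label=svc.label)
                break
        out.append(r)
    return out


# service-chain-upstream: match route tloc <site 20> color mpls, vpn 1 -> set service FW
UPSTREAM = [CtrlSeq(lambda r: r.vpn == 1 and r.nh == SITE20, service="FW")]
# service-chain-downstream: match route site-list service-chain-branches (site 10) -> set service FW
DOWNSTREAM = [CtrlSeq(lambda r: r.site_id == 10, service="FW")]


def advertised_to_site10():
    """What the branch receives: Prefix B now points at the firewall, label 1004."""
    return apply_control_policy(ROUTES, UPSTREAM, SERVICES)


def advertised_to_site20():
    """What the exit point receives: Prefix A rewritten the same way."""
    return apply_control_policy(ROUTES, DOWNSTREAM, SERVICES)


def lookup_context(label, local_services, local_vpn_labels):
    """Receive side on the service node: the label picks the lookup context.
    A service label hands the packet to the attached service with no IP lookup;
    a VPN label sends it to that VPN's RIB; anything else is dropped."""
    if label in local_services:
        return ("service", local_services[label])
    if label in local_vpn_labels:
        return ("rib", local_vpn_labels[label])
    return ("drop", None)
```

Running `advertised_to_site10()` shows why the WAN Edge never needs to know about the service in this mode: the only thing that changed in the route it receives is the next hop and the label, and on the service node `lookup_context(1004, ...)` is what turns that label into a hand-off to the firewall.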
Service Chaining
Additional Options

• Using a Local Service
  • The Service Chaining framework can be used for services that are locally attached as well
  • Examples in the Data Policy section coming up

• Specify the service TLOC and priority using a TLOC list

vSmart policy

    policy
     lists
      tloc-list my_firewalls
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color mpls encap ipsec preference 50
      !
     !
     control-policy service-chain-upstream
      sequence 10
       match route
        tloc [Link] color mpls
        vpn 1
       !
       action accept
        set
         service FW tloc-list my_firewalls
        !
       !
      !
     !
    !
Back on track

Control Policy Case #5
Extranets
Shared Services / Resources

Figure: WAN Edge100 (Site-id 100, System-IP [Link]) hosts the shared services in VPN 3; WAN Edge1 (Site-id 10, System-IP [Link]) and WAN Edge2 (Site-id 20, System-IP [Link]) carry VPN 1 and VPN 2.

• Problem: Shared Services to be consumed from Extranet VPN hosted location

• Solution: Provision Extranet Access from other overlay VPNs
Control Policy Case #5
Extranets
(Legend: original advertisement from endpoint; un/modified advertisement from controller)

Figure: OMP advertisements in the extranet case.
• Site 10 (System-IP [Link]) originates VPN 1: Prefix A, Label 10, NH: TLOC [Link], Color: mpls
• Site 20 (System-IP [Link]) originates VPN 1: Prefix B, Label 20, NH: TLOC [Link], Color: mpls
• Site 100 (System-IP [Link]) originates VPN 3: Prefix C, Label 100, NH: TLOC [Link], Color: mpls
• vSmart exports Prefix C into the consumer VPN: sites 10 and 20 receive VPN 1: Prefix C, Label 100, NH: TLOC [Link], Color: mpls (original label and next hop retained, only the VPN changes)
• vSmart exports the consumer prefixes into the service VPN: site 100 receives VPN 3: Prefix A, Label 10 and VPN 3: Prefix B, Label 20, each with its original NH TLOC and Color: mpls
Control Policy Case #5
For Your Reference

Extranets

1 Declare Consumers, 2 Export NAT Pool To Service VPN, 3 Export Service Prefixes to Consumer VPN (vSmart)

    policy
     lists
      prefix-list natpools
       ip-prefix [Link]/16 le 32
      !
      site-list consumers
       site-id 3002
       site-id 3003
       site-id 3004
      !
     !
     control-policy extranet
      sequence 10
       match route
        prefix-list natpools
        vpn 1
       !
       action accept
        export-to
         vpn 3
        !
       !
      !
      sequence 20
       match route
        vpn 3
       !
       action accept
        export-to
         vpn 1
        !
       !
      !
      default-action accept
     !
    !

4 Apply Control Policy (vSmart)

    apply-policy
     site-list consumers
      control-policy extranet in
     !
    !

Optional Service Plane NAT – NAT across sites at VPN Layer (vSmart data policy plus a NAT pool interface on the WAN Edge)

    policy
     data-policy Srvc_Plane_NAT
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/32
        !
        action accept
         nat pool 1
        !
       !
       default-action accept
      !
     !
    !

    WAN-Edge
    vpn 1
     interface natpool1
      ip address [Link]/32
      no shutdown
     !
    !
Control Policy Case #6
Traffic Engineering / Path Redundancy

Figure: four WAN Edges (System-IP [Link] each, VPN 1 and VPN 2 at every site) connected over the overlay.

• Problem: Backup needed for direct overlay paths to manage intermediate path issues

• Solution: Identify and Provision select indirect overlay paths for redundancy and capacity
Control Policy Case #6
Traffic Engineering / Path Redundancy

Figure: Primary/Direct Path between WAN Edge1 (System-IP [Link]) and WAN Edge4 (System-IP [Link]); Backup/Indirect Path via WAN Edge3 (System-IP [Link]); WAN Edge2 (System-IP [Link]) is not involved. VPN 1 and VPN 2 at every site.

• Identify indirect paths for targeted sites

• Decide whether to use them as Primary, ECMP or Backup paths
Control Policy Case #6
For Your Reference

Traffic Engineering / Path Redundancy

1 Enable TE Service for VPN 1 (WAN-Edge3)

    vpn 1
     service te
    !

2 Declare Site 3 Backup TLOC, 3 Declare Application Site, 4 Declare Protection Site (4) (vSmart lists)

    policy
     lists
      vpn-list VPN1
       vpn 1
      !
      tloc-list backup-tloc
       tloc [Link] color mpls encap ipsec
      !
      site-list vEdge1
       site-id 10
      !
      site-list vEdge4
       site-id 40
      !
     !

5 Define Control Policy (vSmart)

     control-policy backup-node
      sequence 10
       match route
        site-list vEdge4
        vpn-list VPN1
       !
       action accept
        set
         tloc-action backup
         tloc-list backup-tloc
        !
       !
      !
      default-action accept
     !
    !

6 Apply Control Policy (vSmart)

    apply-policy
     site-list vEdge1
      control-policy backup-node out
     !
    !

Routes from the protection site (40) reach the application site (10) with WAN-Edge3's TLOC attached as a backup next hop: tloc-action backup keeps the direct TLOC as primary and uses the indirect path only when the direct path fails; primary and ecmp are the other choices named on the previous slide.
Control Policies:
Multi-domain data plane case study

Control Policy Case Study
Requirements

Figure: three regions (USA, EMEA, APAC), each with a Hub/Gateway pair, interconnected through the gateways.

• Support Regional Meshing for optimal connectivity

• Support remote region connectivity through Gateways

• Provide Redundant Gateway Connectivity
Control Policy Case Study
Definitions and Dependencies

• Site-ID assignment allowing for Site identification – 32 bits

    Field     Continent   Country   Site number
    Digits    X           YYY       ZZZZ
    Range     1-7         1-999     1-9999
    Example   Europe      Sweden    Site
              5           046       1000        -> Site-ID 50461000

• TLOC Colors illustrating how sites are attached

• System-IP identifying individual nodes
Control Policy Case Study
Site Assignments

USA
    WAN-Edge-US1  Site-ID: 60010001
    WAN-Edge-US2  Site-ID: 60010002
    WAN-Edge-US3  Site-ID: 60010003
    WAN-Edge-US4  Site-ID: 60019001  (Hub/Gateway)
    WAN-Edge-US5  Site-ID: 60019002  (Hub/Gateway)

EMEA
    WAN-Edge-EU1  Site-ID: 50440001
    WAN-Edge-EU2  Site-ID: 50460001
    WAN-Edge-EU3  Site-ID: 50330001
    WAN-Edge-EU4  Site-ID: 50339001  (Hub/Gateway)
    WAN-Edge-EU5  Site-ID: 50339002  (Hub/Gateway)

APAC
    WAN-Edge-AP1  Site-ID: 30810001
    WAN-Edge-AP2  Site-ID: 30610001
    WAN-Edge-AP3  Site-ID: 30660001
    WAN-Edge-AP4  Site-ID: 30669001  (Hub/Gateway)
    WAN-Edge-AP5  Site-ID: 30669002  (Hub/Gateway)

Gateways use site numbers 9000-9999 within their country, which is what the gateway site-lists on the following slides key on.
Control Policy Case Study
Reachability Information Distribution Requirements

US sites
    Inbound TLOC Advertisement:    US Region – All Colors; US Gateways – All Colors; EMEA Gateways – All Colors; APAC Gateways – All Colors
    Outbound TLOC Advertisement:   US Gateways – All Colors
    Inbound vRoute Advertisement:  US Region – Original NH; EMEA Region – EU GW NH; APAC Region – APAC GW NH
    Outbound vRoute Advertisement: US Region – US GW NH

EMEA sites
    Inbound TLOC Advertisement:    EMEA Region – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors; APAC Gateways – All Colors
    Outbound TLOC Advertisement:   EMEA Gateways – All Colors
    Inbound vRoute Advertisement:  EMEA Region – Original NH; US Region – US GW NH; APAC Region – APAC GW NH
    Outbound vRoute Advertisement: EMEA Region – EU GW NH

APAC sites
    Inbound TLOC Advertisement:    APAC Region – All Colors; APAC Gateways – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors
    Outbound TLOC Advertisement:   APAC Gateways – All Colors
    Inbound vRoute Advertisement:  APAC Region – Original NH; EMEA Region – EU GW NH; US Region – US GW NH
    Outbound vRoute Advertisement: APAC Region – APAC GW NH
Control Policy Case Study
For Your Reference

Policy Definition - Lists

    policy
     lists
      site-list US_branch_sites
       site-id 60010000-60018999
      !
      site-list US_gateway_sites
       site-id 60019000-60019999
      !
      site-list EMEA_branch_sites
       site-id 50010000-50338999
       site-id 50340000-59999999
      !
      site-list EMEA_gateway_sites
       site-id 50339000-50339999
      !
      site-list APAC_branch_sites
       site-id 30010000-30668999
       site-id 30670000-39999999
      !
      site-list APAC_gateway_sites
       site-id 30669000-30669999
      !
      tloc-list US_gateway_tlocs
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color biz-internet encap ipsec preference 100
       tloc [Link] color mpls encap ipsec preference 50
       tloc [Link] color biz-internet encap ipsec preference 50
      !
      tloc-list EMEA_gateway_tlocs
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color biz-internet encap ipsec preference 100
       tloc [Link] color mpls encap ipsec preference 50
       tloc [Link] color biz-internet encap ipsec preference 50
      !
      tloc-list APAC_gateway_tlocs
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color biz-internet encap ipsec preference 100
       tloc [Link] color mpls encap ipsec preference 50
       tloc [Link] color biz-internet encap ipsec preference 50
      !
     !
    !
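Site-lists like these are the selectors the whole case study hangs on: a site that falls into no list receives no policy, and a site that falls into two lists matches both the branch and the gateway sequences. The Python below is an added check written for this edit (not Cisco tooling or anything from the session): it encodes and decodes the X YYY ZZZZ site-ID scheme from the Definitions slide, classifies a site-ID against the site-lists exactly as written above, reports overlapping lists, and lists inventory entries no list covers. The inventory is the Site Assignments slide plus one constructed US site in a second country (60020001) to show the gap.

```python
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Site-lists exactly as defined on the slide (inclusive ranges).
SITE_LISTS: Dict[str, List[Range]] = {
    "US_branch_sites": [(60010000, 60018999)],
    "US_gateway_sites": [(60019000, 60019999)],
    "EMEA_branch_sites": [(50010000, 50338999), (50340000, 59999999)],
    "EMEA_gateway_sites": [(50339000, 50339999)],
    "APAC_branch_sites": [(30010000, 30668999), (30670000, 39999999)],
    "APAC_gateway_sites": [(30669000, 30669999)],
}


def encode_site_id(continent: int, country: int, site: int) -> int:
    """X YYY ZZZZ -> site-id, e.g. Europe 5, Sweden 046, site 1000 -> 50461000."""
    if not (1 <= continent <= 7 and 1 <= country <= 999 and 1 <= site <= 9999):
        raise ValueError("field out of range for the X YYY ZZZZ scheme")
    return continent * 10_000_000 + country * 10_000 + site


def decode_site_id(site_id: int) -> Tuple[int, int, int]:
    """Inverse of encode_site_id: returns (continent, country, site number)."""
    continent, rest = divmod(site_id, 10_000_000)
    country, site = divmod(rest, 10_000)
    if not (1 <= continent <= 7 and 1 <= country <= 999 and 1 <= site <= 9999):
        raise ValueError(f"{site_id} is not a valid site-id under this scheme")
    return continent, country, site


def classify(site_id: int, site_lists: Dict[str, List[Range]] = SITE_LISTS) -> List[str]:
    """Names of every site-list whose ranges contain site_id. Policies are applied
    per site-list, so an empty result means the site gets no policy at all."""
    return [name for name, ranges in site_lists.items()
            if any(lo <= site_id <= hi for lo, hi in ranges)]


def overlapping_lists(site_lists: Dict[str, List[Range]] = SITE_LISTS) -> List[Tuple[str, str]]:
    """Pairs of site-lists with at least one overlapping range. An overlap means a
    site would match both the branch and the gateway sequences of the control policy."""
    names = list(site_lists)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(lo1 <= hi2 and lo2 <= hi1
                   for lo1, hi1 in site_lists[a] for lo2, hi2 in site_lists[b]):
                hits.append((a, b))
    return hits


def uncovered(site_ids: List[int], site_lists: Dict[str, List[Range]] = SITE_LISTS) -> List[int]:
    """Inventory entries that fall in no list; these sites would be invisible to the policy."""
    return [s for s in site_ids if not classify(s, site_lists)]


# Constructed inventory: the Site Assignments slide plus a hypothetical US site in country 002.
INVENTORY = [60010001, 60010002, 60010003, 60019001, 60019002,
             50440001, 50460001, 50330001, 50339001, 50339002,
             30810001, 30610001, 30660001, 30669001, 30669002,
             60020001]
```

`overlapping_lists()` comes back empty for the lists as written, which is the property the branch/gateway split depends on. `uncovered(INVENTORY)` flags 60020001: the US branch list only spans country 001, so a US site in any other country would get neither the TLOC filtering nor the gateway next-hop rewrite unless the list is widened the way the EMEA and APAC branch lists are.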
Control Policy Case Study
For Your Reference

Policy Definition Cont’d – Control Policy – Applied to US Sites

    policy
     control-policy us_domain
      sequence 10
       match tloc
        site-list US_branch_sites
       !
       action accept
       !
      !
      sequence 20
       match tloc
        site-list US_gateway_sites
       !
       action accept
       !
      !
      sequence 30
       match tloc
        site-list EMEA_gateway_sites
       !
       action accept
       !
      !
      sequence 40
       match tloc
        site-list APAC_gateway_sites
       !
       action accept
       !
      !
      sequence 50
       match route
        site-list US_branch_sites
       !
       action accept
       !
      !
      sequence 60
       match route
        site-list US_gateway_sites
       !
       action accept
       !
      !
      sequence 70
       match route
        site-list EMEA_branch_sites
       !
       action accept
        set
         tloc-list EMEA_gateway_tlocs
        !
       !
      !
      sequence 80
       match route
        site-list EMEA_gateway_sites
       !
       action accept
       !
      !
      sequence 90
       match route
        site-list APAC_branch_sites
       !
       action accept
        set
         tloc-list APAC_gateway_tlocs
        !
       !
      !
      sequence 100
       match route
        site-list APAC_gateway_sites
       !
       action accept
       !
      !
      default-action accept
     !
    !
    apply-policy
     site-list US_branch_sites
      control-policy us_domain out
     !
     site-list US_gateway_sites
      control-policy us_domain out
     !
    !

• Policy Logic
  Sequence 10: Advertise US Branch TLOCs
  Sequence 20: Advertise US GW TLOCs
  Sequence 30: Advertise EMEA GW TLOCs
  Sequence 40: Advertise APAC GW TLOCs
  Sequence 50: Advertise US Branch routes
  Sequence 60: Advertise US GW routes
  Sequence 70: Advertise EMEA Branch routes w/ NH of EMEA GW
  Sequence 80: Advertise EMEA GW routes
  Sequence 90: Advertise APAC Branch routes w/ NH of APAC GW
  Sequence 100: Advertise APAC GW Routes

• Check before applying: the inbound TLOC requirements on the previous slide (US region plus gateways only) are only enforced if everything not matched by sequences 10-100 is rejected. With default-action accept, EMEA and APAC branch TLOCs still reach US sites and tunnels are built to them. A control policy's default action is reject unless accept is configured explicitly, so the accept shown here should be a deliberate choice rather than a leftover.
Policy Framework:
Data Policies

Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains

• Control Policy: applied at vSmart, tailors routing information advertised to WAN endpoints
• Data Policy: applied at WAN Edge, extensive policy-based routing and services
• App-Route Policy: applied at WAN Edge, app-aware SLA-based routing (SLA-driven path selection for applications)
Data Policies
Policy-driven Routing and Service Enablement

• Data policies:
  • Applied on vSmart
  • Advertised to and executed on WAN Edge

• A Data policy acts on an entire VPN and is not interface-specific

• Different Data Policies can be applied to different VPNs

• Data Policies are used to enable the following functions and services:
  • Application Pinning
  • NAT/DIA
  • Classification, Policing and Marking
  • and more …

• Use a Data Policy for any type of data plane centered traffic management
Data Policies
Policy Structure

    data-policy <name>
     vpn-list <name>
      sequence <n>
       match
        app-list <name>
        destination-data-ipv6-prefix-list <name>
        destination-data-prefix-list <name>
        destination-ip <ip-address>
        destination-ipv6 <ipv6-address>
        destination-port <port>
        dns request | response
        dns app-list <name>
        dscp <dscp>
        packet-length <length>
        plp <plp>
        protocol <protocol>
        source-data-ipv6-prefix-list <name>
        source-data-prefix-list <name>
        source-ip <ip-address>
        source-ipv6 <ipv6-address>
        source-port <port>
        tcp-syn
       !
       action accept | drop
        set
         dscp <dscp>
         forwarding-class <name>
         local-tloc <tloc>
         local-tloc-list <list>
         next-hop <ip-address>
         next-hop-ipv6 <ipv6-address>
         policer <name>
         service <name>
         tloc <tloc>
         tloc-list <name>
         vpn <vpn-id>
        !
        cflowd
        count <counter>
        log
        loss-protect-fec-always
        loss-protect-fec-adaptive
        loss-protect-packet-dup
        nat-pool <nat-pool>
        nat use-vpn <vpn-id>
        redirect dns
        tcp-optimization
       !
      !
     !
     default-action accept
    !

All match conditions inside one sequence must hold for the sequence to match; sequences are evaluated in order and the first match wins; traffic matching no sequence gets the default-action.
Data Policy Application
Direction of Processing

• A Data Policy can be applied in three modes:
  • From-service (Upstream): traffic entering the WAN Edge from the service side is matched by the data policy
  • From-tunnel (Downstream): traffic arriving over the tunnels from the WAN is matched by the data policy
  • All (Up and Downstream)

• Different Data-policies can be applied to the same site if they apply to different directions

    apply-policy site-list <name>
     data-policy <name> all | from-service | from-tunnel
Data Policy Case #1
Forwarding Plane Features

Figure: a Data Policy on the WAN Edge steering VPN 1/VPN 2 traffic either to NAT Local Breakout or through Service Plane NAT across the WAN into VPN 2 at a remote site.

• NAT – Local Breakout
• NAT – Service Plane
• cFlowd
• Match statement counters
• Match statement logging
Data Policy Case #1
Forwarding Plane Features – NAT for DIA and Service VPN

Local Breakout – NAT for DIA/Split tunneling
    Host packet in VPN 1:                IPv4 SRC: [Link]  DST: [Link]
    After NAT on the VPN 0 interface:    IPv4 SRC: [Link]  DST: [Link]   (toward the Internet)

Service Plane NAT – NAT across sites in a single VPN
    Packet leaving VPN 2 at the local site:     IPv4 SRC: [Link]  DST: [Link]
    Packet arriving in VPN 2 at the remote site: IPv4 SRC: [Link]  DST: [Link]   (source from the NAT pool)
Data Policy Case #1
For Your Reference

Forwarding Plane Feature Enablement – Policy Structure

Service Plane NAT – NAT across sites in a single VPN

    vSmart
    policy
     data-policy Srvc_Plane_NAT
      vpn-list VPN2
       sequence 10
        match
         source-ip [Link]/32
        !
        action accept
         nat pool 1
        !
       !
       default-action accept
      !
     !
    !

    WAN-Edge
    vpn 2
     interface natpool1
      ip address [Link]/32
      no shutdown
     !
    !

Local Breakout – NAT for DIA/Split tunneling

    vSmart
    policy
     data-policy DIA_NAT
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/32
        !
        action accept
         nat use-vpn 0
        !
       !
       default-action accept
      !
     !
    !

    WAN-Edge
    vpn 0
     interface ge0/0
      ip address [Link]/32
      nat
      no shutdown
     !
    !
Data Policy Case #1
For Your Reference

Forwarding Plane Feature Enablement – Policy Structure

Local Breakout – cFlowd and Counting

    policy
     data-policy DIA_NAT
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/32
        !
        action accept
         cflowd
         count local-breakout-traffic
         nat use-vpn 0
        !
       !
       default-action accept
      !
     !
    !

• Counters visible using GUI/Realtime or via CLI:

    show policy data-policy-filter

• Use cflowd template for export-destination configuration

Local Breakout – Logging breakout traffic

    policy
     data-policy DIA_NAT
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/32
        !
        action accept
         log
         nat use-vpn 0
        !
       !
       default-action accept
      !
     !
    !

    WAN Edge
    system
     logging
      server [Link]
       vpn 1
       source-interface loopback1
      exit
     !
    !

    WAN Edge
    policy
     log-frequency <number>*

    * Default is every 1000 packets
Data Policy Case #2
Service Chaining – Local and Remote Services

Figure: Site-1 and Site-2 (VPN 1, VPN 2) on the SD-WAN Fabric. A Data Policy at Site-1 sends traffic to a 3rd Party Cloud Security service (POP1, POP2) over the Internet as a Local Service; a Remote Service is reached across the fabric and learned via OMP.
Data Policy Case #2
For Your Reference

Service Chaining – Local Services – Policy Structure

vSmart – 2 Match Traffic, 3 Apply Local Service

    policy
     data-policy Cloud_Security
      vpn-list vpn_all
       sequence 10
        match
         protocol 6
         destination-port 80 443
        !
        action accept
         set
          service FW local
         !
        !
       !
       default-action accept
      !
     !
    !

WAN Edge – 1 Define Local Service FW (gre1 = Primary Tunnel, gre2 = Backup Tunnel)

    vpn 1
     service FW interface gre1 gre2
    !
    vpn 0
     interface ge0/0
      ip address [Link]/32
      nat
      no shutdown
     !
     interface gre1
      ip address [Link]/24
      tunnel-source-interface ge0/0
      tunnel-destination [Link]
      no shutdown
     !
     interface gre2
      ip address [Link]/24
      tunnel-source-interface ge0/0
      tunnel-destination [Link]
      no shutdown
     !
    !

• Data Policy redirection to locally configured service

• Service represented by local GRE or IPsec tunnel pre-configured on each WAN Edge
Data Policy Case #2
For Your Reference

Service Chaining – Remote Services – Policy Structure

vSmart – 2 Match Traffic, 3 Apply OMP FW Service

    policy
     data-policy Central_Security
      vpn-list vpn_all
       sequence 10
        match
         protocol 6
         destination-port 80 443
        !
        action accept
         set
          service FW vpn 1
         !
        !
       !
       default-action accept
      !
     !
    !

WAN Edge – Site1 – 1 Define Service FW for OMP Announcement

    vpn 1
     service FW address [Link]
     interface ge0/0
      ip address [Link]/24
      no shutdown
     !
    !

• Data Policy redirection to remotely configured service

• Service represented by OMP advertised service identifier

• Service association can be specified via TLOC or TLOC-list (with priorities) if needed
Data Policy Case #3
Application Pinning

Local TLOC Selection: Loose preference, falls back to routing upon failure
Remote TLOC Selection: Strict preference, traffic dropped upon failure

Figure: a site (VPN 1, VPN 2) with local colors mpls, public-internet and lte, and remote sites on colors mpls, public-internet and red. Applications are pinned to ordered path lists across those colors: App1 / Path1, Path2, Path3; App2 / Path1, Path2; App3 / Path1, Path2.
Data Policy Case #3
Application Pinning – Policy Structure

Local TLOC – Prefer Local Underlay Path (vSmart)

    policy
     data-policy local-tloc-preference
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/8
        !
        action accept
         local-tloc red blue
        !
       !
      !
     !
    !

(Remote) TLOC – Prefer a remote Node/TLOC (vSmart)

    policy
     data-policy local-tloc-preference
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/8
        !
        action accept
         set
          tloc [Link] color biz-internet
         !
        !
       !
      !
     !
    !

    Or

        action accept
         set
          tloc-list remote-node
         !

    policy
     lists
      tloc-list remote-node
       tloc [Link] color mpls encap ipsec preference 100
       tloc [Link] color biz-internet encap ipsec preference 50
      !
     !
    !

• local-tloc – Loose match that will fall back to routing if all local TLOCs in the list are down
• tloc/tloc-list refer to specific remote TLOCs and will not fall back to routing
Policy Framework:
Internet Breakout / DIA Case Study

Internet Breakout / DIA
Routing and/or Policy-driven Capabilities

• The Cisco SD-WAN Architecture provides a lot of flexibility in enabling DIA

• Breakouts can be provided via:
  • Routing
  • Policy
  • In combination, with Preference and Backup options
  • Cloud-based Security as a Local Service using a Policy

• NAT is a required feature when providing a local breakout

• Service-side breakouts can be provided in case NAT is not needed or special care is needed for public addressing

• Can be deployed in combination with Service Chaining for monitoring/security/processing requirements
Internet Breakout Leverage
Most appropriate points for breakout chosen by site

Figure: breakout points from Global Breakout at HQ, through DC/HQ and Regional Hubs, down to Branches, each with its own Internet exit.

• Enterprises can gradually progress from centralized to distributed breakouts
• Routing plane enables primary/backup as needed
• Policies further enhance selection and breakout granularity
• Align well with deployment of Cloud-based Security solutions
SD-WAN Internet Breakout Options
Local Breakout using a Default Route

Branch WAN Edge

    vpn 0
     interface ge0/0
      nat
      tracker my_tracker
     !
    !
    vpn 1
     ip route [Link]/0 vpn 0
    !
    system
     tracker my_tracker
      endpoint-ip [Link]
      interval 5
      multiplier 3
      threshold 500
     !
    !

• Static route in Service VPN
  • Can be default or more granular

• Redirects traffic to interfaces in VPN 0:
  • Interfaces must have NAT enabled
  • Multiple interfaces enables per-flow load-sharing
  • Relies on VPN 0 routing table

• Can be complemented with a Tracker to monitor Internet availability beyond the first hop gateway
SD-WAN Internet Breakout Options
Local Breakout using Data Policy

Figure: Branch WAN Edge with colors red and blue toward the Internet.

Branch WAN Edge

    vpn 0
     interface ge0/0
      nat
     !
    !

vSmart

    policy
     data-policy internet-breakout
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/8
        !
        action accept
         nat use-vpn 0
         local-tloc public-internet
        !
       !
      !
     !
    !

• Policy now redirects instead of static route
• In case local exit fails, lookup can fall back to local service VPN routing table
• Redirects traffic to interfaces in VPN 0:
  • Interfaces must have NAT enabled
  • Multiple interfaces enables per-flow load-sharing
  • Relies on VPN 0 routing table
• Can be complemented with a Tracker to monitor Internet availability beyond the first hop gateway (ref: previous slide)
• Local TLOC to be used can be specified
SD-WAN Internet Breakout Options
Joint Local and Regional Breakout using Data Policy + Routing
(Legend: original advertisement from endpoint; un/modified advertisement from controller)

vSmart

    policy
     data-policy internet-breakout
      vpn-list VPN1
       sequence 10
        match
         source-ip [Link]/8
        !
        action accept
         nat use-vpn 0
         local-tloc red blue
        !
       !
      !
     !
    !

WAN-Edge-Regional Hub

    vpn 1
     ip route [Link]/0 null0      (or default from OSPF/BGP)

The hub's default route is advertised to the branch: VPN 1: [Link]/0, NH: TLOC Regional Hub, Color: blue

WAN-Edge-Branch

    # show ip route
    VPN 1
    [Link]/0 via TLOC Regional Hub

• Data Policy allows for granular breakout policy matching L3/L4/L7 information
• Data Policy takes precedence
• Default route from Regional Hub acts as backup in case TLOC Red & Blue are both down
SD-WAN Internet Breakout Options
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

Figure: Branch with a local Internet exit to a 3rd Party Cloud Security service (POP1, POP2), plus Regional Hub A and Regional Hub B on the SD-WAN Fabric, each with its own Internet exit.
SD-WAN Internet Breakout Options
For Your Reference

Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

vSmart

    policy
     lists
      data-prefix-list internal-prefixes
       ip-prefix [Link]/8
       ip-prefix [Link]/12
       ip-prefix [Link]/16
      !
     !
     data-policy Cloud_Security
      vpn-list vpn_all
       sequence 10
        match
         destination-data-prefix-list internal-prefixes
        !
        action accept
        !
       !
       sequence 20
        match
        !
        action accept
         count count_fw
         set
          service FW local [restrict]
         !
        !
       !
       default-action accept
      !
     !
    !

Sequence 10: Exclude Internal Prefixes from Internet Breakout (accepted with no service, so they follow the VPN routing table)
Sequence 20: Any other traffic sent to Internet Breakout through the local cloud-security service
restrict: Drop Traffic if Service Down (without restrict, traffic falls back to routing, i.e. the regional hub default route)

WAN-Edge-Branch

    vpn 1
     service FW interface gre1
    !
    vpn 0
     interface gre1
      ip address [Link]/24
      tunnel-source-interface ge0/0
      tunnel-destination [Link]
      no shutdown
     !
    !

WAN-Edge-Regional Hub A and WAN-Edge-Regional Hub B

    vpn 1
     ip route [Link]/0 null0      (or default from OSPF/BGP)
    !
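The ordering of sequence 10 before sequence 20, and the `[restrict]` on the service, decide where internal traffic goes and what happens when the cloud firewall tunnel is down; both are easy to get wrong and neither is visible from the config alone. The Python below is an added example written for this edit (not Cisco code or anything from the session): a minimal first-match evaluator for the data-policy constructs used on this slide and on the earlier Cloud_Security slide (protocol/port match, destination-data-prefix-list, count, set service local with or without restrict), run over a handful of constructed flows. Flow addresses, the SLA of the firewall being "up" or "down", and the policy variants other than the two from the slides are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    dport: int


@dataclass
class Seq:
    """One data-policy sequence, reduced to the match/action options these slides use."""
    seq: int
    dst_prefix_list: Optional[List[str]] = None   # match destination-data-prefix-list
    proto: Optional[int] = None                   # match protocol
    dports: Optional[List[int]] = None            # match destination-port
    drop: bool = False                            # action drop
    counter: Optional[str] = None                 # count <name>
    service: Optional[str] = None                 # set service <name> local
    restrict: bool = False                        # [restrict]


def matches(seq: Seq, flow: Flow) -> bool:
    """All conditions of a sequence must hold (ANDed); no conditions matches everything."""
    if seq.dst_prefix_list is not None:
        dst = ipaddress.ip_address(flow.dst)
        if not any(dst in ipaddress.ip_network(p) for p in seq.dst_prefix_list):
            return False
    if seq.proto is not None and flow.proto != seq.proto:
        return False
    if seq.dports is not None and flow.dport not in seq.dports:
        return False
    return True


def evaluate(policy: List[Seq], flow: Flow, service_up: Dict[str, bool],
             counters: Dict[str, int]) -> str:
    """Verdict for one flow: 'route' (normal VPN RIB lookup, here the regional hub's
    default route), 'service:<name>' or 'drop'. Sequences run in order, the first
    match wins, and default-action accept means 'route' when nothing matches."""
    for seq in policy:
        if not matches(seq, flow):
            continue
        if seq.counter:
            counters[seq.counter] = counters.get(seq.counter, 0) + 1
        if seq.drop:
            return "drop"
        if seq.service:
            if service_up.get(seq.service, False):
                return f"service:{seq.service}"
            # Service down: [restrict] drops, otherwise the flow falls back to routing.
            return "drop" if seq.restrict else "route"
        return "route"
    return "route"


def run(policy: List[Seq], flows: List[Flow],
        service_up: Dict[str, bool]) -> Tuple[List[str], Dict[str, int]]:
    counters: Dict[str, int] = {}
    return [evaluate(policy, f, service_up, counters) for f in flows], counters


INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# This slide's Cloud_Security: internal destinations first, everything else to the local FW.
CLOUD_SECURITY = [
    Seq(10, dst_prefix_list=INTERNAL),
    Seq(20, counter="count_fw", service="FW", restrict=True),
]
# Constructed variant with the sequences swapped: the catch-all makes sequence 10 unreachable.
MISORDERED = [CLOUD_SECURITY[1], CLOUD_SECURITY[0]]
# Constructed variant without [restrict]: a dead service silently falls back to routing.
NO_RESTRICT = [Seq(10, dst_prefix_list=INTERNAL), Seq(20, service="FW")]
# The earlier Cloud_Security form (match protocol 6, ports 80/443) with no internal exclusion.
WEB_ONLY = [Seq(10, proto=6, dports=[80, 443], service="FW")]

# Constructed sample flows from a branch host.
FLOWS = [
    Flow("10.1.1.10", "10.2.2.20", 6, 445),       # internal SMB
    Flow("10.1.1.10", "203.0.113.50", 6, 443),    # Internet HTTPS
    Flow("10.1.1.10", "198.51.100.53", 17, 53),   # Internet DNS
    Flow("10.1.1.10", "10.2.2.20", 6, 443),       # internal HTTPS
]
```

`run(CLOUD_SECURITY, FLOWS, {"FW": True})` routes the two internal flows normally and sends the two Internet flows to the firewall, with `count_fw` at 2. With the firewall down the same Internet flows are dropped because of `restrict`; the `NO_RESTRICT` variant lets them out unfiltered over the hub default instead, which is the quiet failure mode the restrict keyword exists to prevent. `MISORDERED` sends even internal SMB to the cloud firewall, and `WEB_ONLY` shows why the destination exclusion was added: internal HTTPS gets hairpinned to the cloud service as well.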
SD-WAN Internet Breakout Options
For Your Reference

Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

Option 1 – vSmart Control Policy: the default route from Hub A gets higher preference

    policy
     lists
      prefix-list default_route
       ip-prefix [Link]/0
      !
     !
     control-policy default_priority
      sequence 10
       match route
        prefix-list default_route
        site-id <Regional Hub A>
       !
       action accept
        set
         preference 100
        !
       !
      !
      default-action accept
     !
    !

Option 2 – WAN Edge Static TLOC preference

    WAN-Edge-Regional Hub A
    vpn 0
     interface ge0/0
      tunnel-interface
       encapsulation ipsec preference 100
      !
     !
    !
    vpn 1
     ip route [Link]/0 null0      (or default from OSPF/BGP)
    !

    WAN-Edge-Regional Hub B
    vpn 0
     interface ge0/0
      tunnel-interface
      !
     !
    !
    vpn 1
     ip route [Link]/0 null0      (or default from OSPF/BGP)
    !

The TLOC preference in Option 2 applies to every route advertised from that TLOC, not only the default; the control-policy form in Option 1 limits the preference to the default route.
SD-WAN Internet Breakout Options
Application Specific Breakout

• The Data Policy construct can also be used to locally break out specific applications with defined DPI signatures (e.g. O365, Facebook, YouTube)
• Example:
  • Office365 to be locally broken out
  • All other Internet traffic via regional exit

• Arrangements required for supporting O365
  • Cloud OnRamp for SaaS recommended for breaking out locally
  • Default route from regional exit for two purposes:
    o Breakout for all non-O365 traffic
    o O365 session establishment involves quite a few protocols beyond the core O365 protocols; a default route from somewhere is required to deal with those applications and allow for successful O365 operations
  • SD-AVC support required to provide Application Recognition from the first packet
Quality of Service
WAN Edge Router Device QoS Overview

Data Policy capabilities (defined in vManage, executed on the WAN Edge ingress interface):
• Classification of application traffic into QoS forwarding classes (queues)
• Rewrite inner DSCP
• Policing

Egress interface (QoS scheduler):
• Forwarding classes mapped to egress queues
• Scheduling per queue: Bandwidth %, Buffer %, Scheduling Priority, Drop
• Shaping
• Rewrite outer DSCP
Data Policy for QoS
For Your Reference

Quality of Service – Policy Structure

    policy
     data-policy enterprise_traffic
      vpn-list VPN1
       sequence 10
        match
         app-list audio-video
        !
        action accept
         set
          dscp 46
          forwarding-class EF-class
         !
        !
       !
      !
     !
     data-policy DIA
      vpn-list VPN10
       sequence 10
        match
         source-ip [Link]/8
        !
        action accept
         set
          policer police_DIA
         !
        !
       !
       default-action accept
      !
     !
     policer police_DIA
      rate 10000000
      burst 1000000
      exceed drop
     !
    !

• App-list consists of DPI signature references

• Forwarding-class referring to configured QoS-class (Ref: qos-group in Cisco IOS)

• Policer configured as part of Policy
Policy Framework:
App-Route Policies
App-Route Policies
Centralized Policy for enabling SLA-driven routing on WAN Edge endpoints

• App-route policies:
  • Applied on vSmart
  • Advertised to and executed on WAN Edge

• Monitors SLAs for active overlay paths to direct Applications along qualified paths

• Allows for the use of L3/L4 keys or DPI Signatures for application identification

• Delivers a fully distributed SLA-driven routing mechanism
App-Aware Routing Policies
SLA-Driven Routing / Performance Routing

Figure: a WAN Edge (VPN 1, VPN 2) with three transports, MPLS (color mpls), Broadband (color public-internet) and 4G/LTE (color lte); DPI feeds the POLICY, which selects a path that meets the SLA.
App-Route Policies
App-route Components and Dependencies / Configuration

BFD Settings
BFD hello-interval and multiplier per colour (only the hello-interval is relevant to AAR: it sets how often a bucket is updated)

bfd
 color <color>
  hello-interval <msec>
  multiplier <number>

App-route algorithm configuration
Define how SLA data is used to influence path selection

bfd
 app-route
  multiplier <number>
  poll-interval <msec>

App-route Policy Definition
Define SLA-classes, application associations, VPN applicability and policy actions/preferences

policy
 sla-class <name>
 app-route-policy <name>
  match
  action

DPI Engine Enablement
AAR relies on DPI for L7 signatures

policy
 app-visibility
App-Route Policies
App-route Algorithm

[Figure: six buckets, Bucket 1 through Bucket 6, each holding the Loss, Latency and Jitter measured from the BFD probes of that interval]

Mean = Avg (B1 + B2 + B3 + B4 + B5 + B6)
Mean recalculated every bucket completion cycle

Bucket Size:             bfd app-route poll-interval (default 600,000 ms)
Bucket Update Frequency: bfd hello-interval (default 1000 ms)
# of Buckets:            bfd app-route multiplier (default 6)
App-Route Policies
Path Blackout / Brownout Management

[Figure: path quality spectrum (loss) and the mechanism covering each region]
  100% loss                BFD: 7 s default path-down timeout (blackout)
  10-20% consistent loss   FEC loss recovery
  2-3% loss and above      Application-Aware Routing; AAR convergence depends on algorithm tuning (bucket size + bucket count)
  0% loss

• Three components in complementary working order: BFD + FEC + AAR
• Consider the downside of traffic sloshing versus instant convergence away from a brownout
App-Route Policies
App Route Algorithm Configuration

• Bucket Size in Packets = app-route poll-interval / hello-interval (defaults: 600,000 ms / 1000 ms = 600 packets)

• Consider the impact of bucket size (packets) on the recalculation of the Mean:

  Bucket Size (pkts)            600   400   200   100   80    60    40    20    10
  % weight of one lost packet   0.17  0.25  0.50  1     1.25  1.67  2.5   5     10

  600 is the default; the deck marks the sweet spot somewhat below it. Loss granularity falls as buckets shrink: in a 10-packet bucket a single lost probe already registers as 10% loss.

Bucket Size:             bfd app-route poll-interval (default 600,000 ms)
Bucket Update Frequency: bfd hello-interval (default 1000 ms)
# of Buckets:            bfd app-route multiplier (default 6)

• Mean Loss / Latency / Jitter calculated across app-route multiplier buckets
• Weight of the newest bucket relative to the multiplier: 1/6, 1/4, 1/3 etc. (multiplier 6, 4, 3)
App-Route Policies
App-route Policy Definition

SLA Classes: Loss, Latency, Jitter per class
policy
 sla-class <name>
  jitter <msec>
  latency <msec>
  loss <percentage>

App-list: use L3/L4 keys or DPI signatures
policy
 lists
  app-list <name>
   app <name> | app-family <family>

App-route Policy: VPN applicability and policy actions/preferences

App-route Logging: enable logging of packet headers
App-Route Policies
App-route Policy Definition

policy
 app-route-policy <name>
  vpn-list <vpn-list>
   default-action sla-class <name>                          (1)
   sequence <number>
    match
    action
     backup-sla-preferred-color [list]                      (2)
     count <name>
     log
     sla-class <name> [strict] [preferred-color [list]]     (3) (4)

(1) For traffic not explicitly matched in the policy
(2) For traffic whose SLA-class is disqualified across all links
(3) strict: drop the traffic if the SLA-class is disqualified
(4) preferred-color: one or more preferred colors if multiple links qualify
App-Route Policies
Policy Example (For Your Reference)

policy
 sla-class EF
  loss 1
  latency 100
 !
 sla-class Biz-apps
  loss 2
  latency 150
 !
 lists
  vpn-list VPN1
   vpn 1
  !
  site-list app-route-sites
   site-id 3003
  !
  app-list AVV
   app-family audio_video
  !
  app-list SFDC
   app salesforce
  !
 !
 app-route-policy SLA-Routing
  vpn-list VPN1
   sequence 10
    match
     app-list AVV
    !
    action
     sla-class EF
    !
   !
   sequence 20
    match
     app-list SFDC
    !
    action
     sla-class Biz-apps
    !
   !
  !
 !
!
apply-policy
 site-list app-route-sites
  app-route-policy SLA-Routing
 !
!

(1) sla-class EF / Biz-apps: define SLA classes and thresholds
(2) app-list AVV / SFDC: declare app-lists for the policy match
(3) app-route-policy SLA-Routing: map app-lists to SLA classes and other actions
App-route Policy Path Convergence

[Chart: latency per bucket on a 0-160 ms scale for Bucket 1 through Bucket 6, showing the SLA-Class Latency Threshold (100 ms), the Actual Latency (150 ms) and the Mean Latency climbing from 20 ms]

Current Mean Latency is 20 ms when the latency jumps to 150 ms as Bucket 1 collection starts.
Because the mean is an average over the six buckets, it only crosses the 100 ms threshold once four degraded buckets have completed ((4 x 150 + 2 x 20) / 6 = 106.7 ms); with the default 10-minute buckets that is 40 minutes after the degradation began. That lag is the price of stability: shortening the poll-interval or lowering the multiplier trades it for faster convergence and more traffic sloshing.
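The arithmetic behind the bucket-size table and the convergence chart, as an added example that is not part of the deck: a small Python model of the AAR window as the slides describe it (mean over `multiplier` buckets, bucket length = poll-interval / hello-interval, an SLA met only when every configured threshold holds). The class and function names are the example's own; starting from a steady state and treating each bucket as one averaged sample are assumptions, not statements about the vEdge/cEdge implementation.

```python
"""Model of the app-route (AAR) measurement described on the slides: each path keeps
`multiplier` buckets of loss / latency / jitter, one bucket spans
`poll-interval / hello-interval` BFD probes, and the mean across the buckets is
recalculated every time a bucket completes.

Constructed example, not Cisco code: it reproduces the slide's arithmetic, not the
vEdge/cEdge implementation (how partial buckets or missed probes are treated is not
on the slides and is not modeled).
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AppRouteConfig:
    """Knobs from `bfd color <c> hello-interval` and `bfd app-route`, defaults as on the slides."""
    hello_interval_ms: int = 1000       # bfd color <c> hello-interval
    poll_interval_ms: int = 600_000     # bfd app-route poll-interval
    multiplier: int = 6                 # bfd app-route multiplier

    def bucket_size_pkts(self) -> int:
        """Bucket Size in Packets = app-route poll-interval / hello-interval."""
        return self.poll_interval_ms // self.hello_interval_ms

    def loss_weight_pct(self) -> float:
        """Loss percentage that a single lost probe represents inside one bucket."""
        return 100.0 / self.bucket_size_pkts()

    def new_bucket_weight(self) -> float:
        """Share of the mean contributed by the newest bucket (1/6, 1/4, 1/3 ...)."""
        return 1.0 / self.multiplier


@dataclass(frozen=True)
class Bucket:
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """policy sla-class <name> thresholds; None means that threshold is not configured."""
    loss_pct: Optional[float] = None
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None


class PathMeasurement:
    """Sliding window of the last `multiplier` completed buckets for one path (TLOC pair)."""

    def __init__(self, cfg: AppRouteConfig, steady: Bucket):
        self.cfg = cfg
        # Assumption: the path starts in steady state, every bucket holding `steady`
        self.buckets = deque([steady] * cfg.multiplier, maxlen=cfg.multiplier)

    def complete_bucket(self, bucket: Bucket) -> None:
        self.buckets.append(bucket)      # the oldest bucket leaves the window

    def mean(self) -> Bucket:
        n = len(self.buckets)
        return Bucket(sum(b.loss_pct for b in self.buckets) / n,
                      sum(b.latency_ms for b in self.buckets) / n,
                      sum(b.jitter_ms for b in self.buckets) / n)

    def meets(self, sla: SlaClass) -> bool:
        """A path qualifies for an SLA class only if every configured threshold holds."""
        m = self.mean()
        checks = ((m.loss_pct, sla.loss_pct), (m.latency_ms, sla.latency_ms),
                  (m.jitter_ms, sla.jitter_ms))
        return all(limit is None or value <= limit for value, limit in checks)


def buckets_until_violation(cfg: AppRouteConfig, steady: Bucket, degraded: Bucket,
                            sla: SlaClass) -> Tuple[int, float]:
    """Completed buckets (and minutes) until the mean fails `sla` once a path that sat at
    `steady` persistently measures `degraded`; (0, 0.0) if it never fails within one window."""
    path = PathMeasurement(cfg, steady)
    for n in range(1, cfg.multiplier + 1):
        path.complete_bucket(degraded)
        if not path.meets(sla):
            return n, n * cfg.poll_interval_ms / 60_000
    return 0, 0.0


if __name__ == "__main__":
    ef = SlaClass(loss_pct=1, latency_ms=100)                # sla-class EF from the slides
    quiet, slow = Bucket(0.0, 20.0, 2.0), Bucket(0.0, 150.0, 2.0)
    for cfg in (AppRouteConfig(), AppRouteConfig(poll_interval_ms=120_000),
                AppRouteConfig(multiplier=4)):
        n, minutes = buckets_until_violation(cfg, quiet, slow, ef)
        print(f"bucket={cfg.bucket_size_pkts()} pkts, one lost probe={cfg.loss_weight_pct():.2f}%, "
              f"multiplier={cfg.multiplier}: EF fails after {n} buckets ({minutes:g} min)")
```

Run with the defaults it reproduces the chart: EF (loss 1%, latency 100 ms) fails after four 10-minute buckets, i.e. 40 minutes. With a 120 s poll-interval the same four buckets take 8 minutes, and with multiplier 4 three buckets suffice, which is the knob-by-knob view of the sloshing-versus-convergence trade-off on the brownout slide.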
AAR Policy Use Case
Application Pinning with SLA

[Figure: a WAN Edge with VPN 1 and VPN 2 and four colours: mpls carries App1 path 1 and App2 path 1; public-internet carries App1 path 2 and App3 path 1; red carries App2 path 2 and App1 path 3; lte carries App3 path 2]

• App1
  SLA-class: Business
  MPLS / Public-Internet: primary, load-shared
  Red: backup
  Falls back to routing

• App2
  SLA-class: EF
  MPLS: primary
  Red: primary
  Dropped on path unavailability

• App3
  SLA-class: POS
  Public-Internet: primary
  LTE: backup

• Other Apps
  SLA-class: Default
App-Route Policies
Application Pinning with SLA (For Your Reference)

policy
 lists
  vpn-list VPN1
   vpn 1
  !
  site-list app-route-sites
   site-id 3003
  !
  app-list App1
   app-family <name>
  !
  app-list App2
   app <name>
  !
  app-list App3
   app <name>
  !
 !
 sla-class EF
  loss 1
  latency 100
 !
 sla-class Business
  loss 2
  latency 150
 !
 sla-class POS
  loss 1
  latency 200
 !
 sla-class Default
  loss 5
  latency 300
 !
 app-route-policy SLA-Routing
  vpn-list VPN1
   sequence 10
    match
     app-list App1
    !
    action
     backup-sla-preferred-color red
     sla-class Business preferred-color mpls public-internet
    !
   !
   sequence 20
    match
     app-list App2
    !
    action
     sla-class EF strict preferred-color mpls red
    !
   !
   sequence 30
    match
     app-list App3
    !
    action
     backup-sla-preferred-color lte
     sla-class POS preferred-color public-internet
    !
   !
   sequence 40
    match
    !
    action
     sla-class Default
    !
   !
  !
 !
!
apply-policy
 site-list app-route-sites
  app-route-policy SLA-Routing
 !
!

• Sequence 10 (App1): primary mpls + public-internet, backup red
• Sequence 20 (App2): primary mpls + red, no backup: strict, so the traffic is dropped
• Sequence 30 (App3): primary public-internet, backup lte
• Sequence 40 (everything else): primary any link meeting the Default SLA, backup any other link
Other Centralized Policies:
VPN Membership
cFlowd

VPN Membership Policies
VPN service filtering between vEdge and vSmart

policy
 lists
  vpn-list restricted_vpns
   vpn 1, 2
  !
 !
 vpn-membership acme_1
  sequence 10
   match
    vpn-list restricted_vpns
   !
   action reject
  !
  default-action accept
 !
!

[Figure: vSmart towards the WAN Edge hosting VPN 1, VPN 2 and VPN 3. VPN 1: no update sent, dropped; VPN 2: no update sent, dropped; VPN 3: update sent, accepted]

• Restricted VPNs become islands on the hosting vEdge
• Outbound vSmart updates are not generated for them
• White-listing or black-listing possible
cFlowd / Netflow Template
Configuring the cFlowd Cache and Collectors

policy
 cflowd-template cflowd_temp
  collector vpn 100 address [Link] port 4739 transport transport_udp
  flow-active-timeout 60
  flow-inactive-timeout 60
  flow-sampling-interval
  template-refresh
 !
!

Max collectors: 4
flow-active-timeout: default 600 s
flow-inactive-timeout: default 60 s
flow-sampling-interval: default 0
template-refresh: default 90 s

• cFlowd is enabled by the policy / flow-visibility configuration, which populates the local flow cache only
• A cFlowd template (applied on vSmart) is required to configure and enable export
• Export is plain UDP (4739 is the IANA-assigned IPFIX port); reaching the collector through a service VPN, as above, carries the records inside the encrypted overlay, which a collector reached via the VPN 0 transport side does not get
Tips and Tricks
Useful Policy Features (For Your Reference)
Generic Policy Features

Elimination statement
  Use match without an action in a sequence. Useful for ensuring that certain objects are eliminated from further policy processing.
    sequence 10
     match route
    !

Catchall statement
  Use 'action accept' without a match in a sequence. Useful to ensure all traffic is matched and to allow for use of 'set' or other actions.
    sequence 10
     action accept

Color-List
  Match any color using a color-list. Useful in control policies to match a selection of TLOCs with different colors, or routes originating from TLOCs of different colors.
    color-list colors
     color red
     color blue

Counter
  Extremely useful for troubleshooting and policy verification. To display, use 'show policy app-route-policy-filter' and 'show policy data-policy-filter'.
    action accept
     count <name>

Default-action
  Applied to any traffic not matched by another statement in the policy. Default-action is set to reject or drop by default and is always visible in the policy.
    default-action reject

Enable DPI
  vEdge and IOS-XE; on IOS-XE 'ip nbar protocol-discovery' will automatically have been added under each interface x/y/z.
    policy
     app-visibility
Useful Policy Features (For Your Reference)
Generic Policy Features

Match logic
  Entries in one match statement are ANDed; a list is satisfied by any of its entries (OR). Example: match protocol 6 AND any prefix in the destination-data-prefix-list.
    match
     protocol 6
     destination-data-prefix-list <name>

Match Route vs TLOC
  Match statements for routes and TLOCs have different match criteria and allow 'set' of different attributes, related to the specific attributes associated with each.

Omp-tag
  Control policy: match and set. Local policy: match and set. Equivalent to a BGP community for OMP, for generically tagging and identifying routes and TLOCs.
Policy Application
Rules and Restrictions
• The minimum granularity for policy application is the Site-ID
• Multiple devices sharing the same Site-ID are subject to the same policies
• Any given Site-ID is restricted to a single policy of each type, per direction

• Example, given Site-ID 100:
  • Control-Policy 1 in or out, or both
  • Control-Policy 2 in or out, or both, wherever Control-Policy 1 is not applied
  • App-route-policy 1 (only applied outbound, transport facing)
  • Data-policy 1 from-service or from-tunnel, or all
  • Data-policy 2 from-service or from-tunnel, or all (where Data-policy 1 is not applied)
  • Different App-route policies and Data-policies can be applied per VPN
Regional Internet Access via Transport
Hair-pinning via Transport

• Data-policy sequence 10: allow standard routing for internal prefixes
• Data-policy sequence 20: direct all other traffic to DIA
• Apply the data-policy in both directions to service upstream and downstream traffic
• Originate a default route to attract traffic towards the breakout

policy
 data-policy Internet_breakout
  vpn-list vpn_all
   sequence 10
    match
     destination-data-prefix-list internal-pfx
    !
    action accept
    !
   !
   sequence 20
    match
    !
    action accept
     set
      local-tloc public-internet [restrict]
     !
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list regional_exit
  data-policy Internet_breakout all
 !
!

vpn 2
 ip route 0.0.0.0/0 null0

[Figure: Site-1 (VPN 1, VPN 2) sends traffic across the SD-WAN fabric to the Regional Office, which advertises the default route in an OMP update and hair-pins Internet-bound traffic out of its public-internet transport]
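To make the match logic and the elimination / catch-all sequences from the tips slides concrete, here is an added example (not Cisco code and not from the deck): a minimal first-match evaluator that applies the stated semantics, entries in one match ANDed, list members ORed, default-action for the remainder, to the Internet_breakout policy above and to a second policy combining protocol, a destination prefix-list and ports. The contents of internal-pfx, the packet fields and the handful of supported match keys are the example's own assumptions.

```python
"""First-match policy evaluator with the sequence semantics stated on the slides:
entries inside one `match` are ANDed, a list matches if ANY member matches (OR),
the first matching sequence wins and `default-action` covers the rest.

Constructed example, not Cisco code. Only a few match keys are modeled and the
`set` statements are returned as plain strings so the decision can be inspected.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: int = 0
    dscp: int = 0


@dataclass
class Sequence:
    number: int
    match: Dict[str, object] = field(default_factory=dict)  # {} = catch-all (no match entries)
    action: str = "accept"
    sets: List[str] = field(default_factory=list)          # e.g. "local-tloc public-internet"
    count: Optional[str] = None                            # action count <name>


@dataclass
class DataPolicy:
    name: str
    sequences: List[Sequence]
    default_action: str = "drop"   # slide: default-action is reject / drop unless changed


def prefix_list(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    """A data-prefix-list: matched if ANY member prefix contains the address."""
    return tuple(ipaddress.IPv4Network(c) for c in cidrs)


def new_counters() -> Counter:
    """Per-policy hit counters, what `show policy data-policy-filter` would display."""
    return Counter()


def entry_matches(key: str, value: object, pkt: Packet) -> bool:
    """Evaluate one match entry; list-valued entries are OR over their members."""
    if key == "protocol":
        return pkt.protocol == value
    if key == "dscp":
        return pkt.dscp == value
    if key == "destination-port":
        return pkt.dst_port in value            # a range or a sequence of ports
    if key == "source-data-prefix-list":
        return any(ipaddress.IPv4Address(pkt.src) in net for net in value)
    if key == "destination-data-prefix-list":
        return any(ipaddress.IPv4Address(pkt.dst) in net for net in value)
    raise KeyError(f"unsupported match key {key!r}")


def evaluate(policy: DataPolicy, pkt: Packet, counters: Counter) -> Tuple[str, List[str]]:
    """Return (action, set statements) of the first sequence whose entries ALL match."""
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if all(entry_matches(k, v, pkt) for k, v in seq.match.items()):
            if seq.count:
                counters[seq.count] += 1
            return seq.action, list(seq.sets)
    return policy.default_action, []


# The Internet_breakout policy from the regional-exit slide. The content of internal-pfx is
# an assumption (RFC 1918 space); the slide does not list it.
INTERNAL_PFX = prefix_list("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
INTERNET_BREAKOUT = DataPolicy(
    "Internet_breakout",
    [
        # sequence 10: elimination statement, internal prefixes keep normal routing
        Sequence(10, {"destination-data-prefix-list": INTERNAL_PFX}, "accept", count="internal"),
        # sequence 20: catch-all, everything else is pinned to the local public-internet TLOC
        Sequence(20, {}, "accept", sets=["local-tloc public-internet"], count="dia"),
    ],
    default_action="accept",
)

# AND across entries, OR inside the list: TCP to either web prefix, on port 80 or 443
WEB_BLOCK = DataPolicy(
    "web_block",
    [Sequence(10, {"protocol": 6,
                   "destination-data-prefix-list": prefix_list("192.0.2.0/24", "198.51.100.0/24"),
                   "destination-port": (80, 443)}, "drop", count="blocked")],
    default_action="accept",
)
```

Sequence 10 is the elimination statement and sequence 20 the catch-all from the tips slide; a UDP packet to a web prefix is not dropped by WEB_BLOCK because the protocol entry fails the AND even though the prefix-list and port entries match.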
Cisco Umbrella Integration
Policy Generated via vManage Security Policy Configuration

policy
 lists
  local-domain-list exclude-domains
   [Link]
  !
 !
!
security
 umbrella
  token 1234567890ABCDEF
  dnscrypt
 !
!
vpn matchAllVpn
 dns-redirect umbrella match-local-domain-to-bypass

• local-domain-list: domains to exclude from the redirection of DNS lookups, and therefore of the subsequent flows
• token: the Umbrella registration token; it sits in cleartext in the running configuration, so treat configuration backups and exports as credential-bearing
• dnscrypt: encrypts the redirected DNS exchange with Umbrella; the EDNS fields added to the queries let Umbrella attribute each request to its origin
• vpn matchAllVpn: DNS set to use Umbrella for all VPNs
Platform Support
and Scalability

Policy Scalability and Performance
Policy Construction Guidelines
• Not different from most other parsing processes
• Eliminate objects / traffic early and keep policy statements simple
  • A good example is to exclude internal prefixes from further processing in the first sequence
• Simple match statements are better
  • Single prefixes, ports, DSCP, protocol, app-IDs
  • Avoid placing long prefix lists and port lists early
  • Ranges are better than lists if possible
• Fewer set statements are better
  • Forwarding redirection is cheaper than header modification (set next-hop vs set DSCP)
Policy Scalability and Performance
Policy Construction Guidelines
• Control Policies, VPN Membership
• Processed on vSmart for routing updates only
• Structure is less critical
• cFlowd Template
• Simple and sent on application and update only
• App-aware Routing and Data Policies
• Affects all traffic traversing the device (in enabled VPNs)
• Policy Structure is imperative to minimize any performance impact

Policy Scalability and Memory Consumption
Policy Construction Guidelines
• Platforms are limited in how many entities can be supported
• Policy Instances
• Sequence Instances
• Shared Memory Pools or TCAM used for Match / Set
• Memory consumption is challenging to determine upfront
• Hidden command being exposed in following releases
show policy filter-memory-usage
vEdge: 19.3 (Dec ‘19)
cEdge: 17.2.1 (Mar ’20)

Policy Scalability – The Numbers
Forwarding Plane Policies

Element              | vEdge-100                                 | vEdge-1/2/5K                              | ISR                                       | ASR
Policy Instances     | 256                                       | 512                                       | 512                                       | 512
Policy Sequences     | Filter Block dependent                    | Filter Block dependent                    | Policy Memory Chunk dependent             | TCAM dependent
Filter Block         | 6/16/64 x 1024 (model dependent)          | 1024 x 1024                               | N/A                                       | N/A
Policy Memory Chunks | N/A                                       | N/A                                       | 64K                                       | N/A
TCAM                 | N/A (Next-Gen models = 10-20 MB)          | N/A                                       | N/A                                       | 20-80 MB (platform dependent)
Match Statement      | >= 1 Filter Block, depending on construct | >= 1 Filter Block, depending on construct | >= 1 Policy Chunk, depending on construct | >= 1 160-bit entry, depending on construct
Action Statement     | >= 1 Filter Block, depending on construct | >= 1 Filter Block, depending on construct | No limit                                  | No limit
Policy Feature Support (For Your Reference)
Control Policy: match criteria
Control policies are evaluated on vSmart only; the columns give the first vEdge and IOS-XE release supporting each criterion.

Match / Route    | Description                                                                                                                     | vEdge                     | IOS-XE
color            | Match routes of a given color                                                                                                   | 14.1                      | 16.9
color-list       | Match routes of any color in the list                                                                                           | 15.4                      | 16.9
ipv6-prefix-list | Match routes present in the IPv6 prefix-list                                                                                    | 18.4                      | 16.9
omp-tag          | Match routes with the specified omp-tag                                                                                         | 15.4                      | TBD
origin           | Match routes with the specified origin protocol (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset) | 14.1                | 16.9
originator       | Match routes that originated from the specified system-IP (the originating vEdge)                                               | 14.1                      | 16.9
preference       | Match routes with the specified preference                                                                                      | 14.1                      | 16.9
prefix-list      | Match routes present in the prefix-list                                                                                         | 14.1                      | 16.9
site-id          | Match routes originating from the specified site-id                                                                             | 14.1                      | 16.9
site-list        | Match routes from any site present in the list                                                                                  | 14.1                      | 16.9
tloc             | Match routes from the specified TLOC                                                                                            | 14.1                      | 16.9
tloc-list        | Match routes from any TLOC in the list                                                                                          | 14.1                      | 16.9
vpn              | Match routes belonging to the specified VPN                                                                                     | 14.1                      | 16.9
vpn-list         | Match routes belonging to any VPN in the list                                                                                   | 14.1                      | 16.9

Match / TLOC     | Description                                                                                                                     | vEdge                     | IOS-XE
carrier          | Match TLOCs with the specified carrier                                                                                          | 14.2                      | TBD
color            | Match TLOCs with the specified color                                                                                            | 14.1                      | 16.9
color-list       | Match TLOCs with any color present in the list                                                                                  | 15.4                      | 16.9
domain-id        | Match TLOCs originating from the specified domain-id                                                                            | Not currently implemented | Not currently implemented
group-id         | Match TLOCs with the specified group-id                                                                                         | 15.1                      | TBD
omp-tag          | Match TLOCs with the specified OMP-tag                                                                                          | 15.4                      | TBD
originator       | Match TLOCs originating from the specified system-IP                                                                            | 14.1                      | 16.9
preference       | Match TLOCs with the specified preference                                                                                       | 14.1                      | 16.9
site-id          | Match TLOCs originating from the specified site-id                                                                              | 14.1                      | 16.9
site-list        | Match TLOCs originating from any site in the list                                                                               | 14.1                      | 16.9
tloc             | Match the specified TLOC                                                                                                        | 14.1                      | 16.9
tloc-list        | Match any TLOC in the list                                                                                                      | 14.1                      | 16.9
Policy Feature Support (For Your Reference)
Control Policy: actions (vSmart only)

Action (Match / Route)                          | Description                                                                                     | vEdge | IOS-XE
accept                                          | Accept the matched route and install it in the RIB without further action                       | 14.1  | 16.9
export-to vpn / vpn-list                        | Export the matched route into the specified VPN or VPN list                                     | 14.1  | 16.9
set omp-tag                                     | Set an OMP-tag on the matched route                                                             | 15.4  | TBD
set preference                                  | Set the preference on the matched route                                                         | 14.1  | 16.9
set service <type>                              | Associate a service with the matched route to enable service chaining                           | 14.1  | TBD
set service <type> [tloc]                       | Associate the service advertised from the specified TLOC with the matched route                 | 16.3  | TBD
set service <type> [tloc-list]                  | Associate the service advertised from a TLOC in the specified list with the matched route       | 16.3  | TBD
set service <type> [vpn]                        | Associate a service advertised from the specified VPN with the matched route                    | 16.3  | TBD
set tloc                                        | Reset the TLOC on the matched route                                                             | 14.1  | 16.9
set tloc-action backup / ecmp / primary / strict | Set a TLOC action for the matched route to enable overlay traffic engineering (Service TE)     | 16.3  | TBD
set tloc-list                                   | Reset the TLOC to a list of TLOCs on the matched route                                          | 14.1  | 16.9

Action (Match / TLOC)                           | Description                                                                                     | vEdge | IOS-XE
accept                                          | Accept the matched TLOC and install it in the RIB without further action                        | 14.1  | 16.9
set omp-tag                                     | Set an OMP-tag on the matched TLOC                                                              | 15.4  | TBD
set preference                                  | Set the preference on the matched TLOC                                                          | 15.4  | 16.9
Policy Feature Support (For Your Reference)
Data Policy: match criteria

Match                             | Description                                                                         | vEdge | IOS-XE
app-list                          | Match DPI application signature(s) specified in the app-list                        | 15.4  | 16.9
destination-data-ipv6-prefix-list | Match packet destination IPv6 to any prefix specified in the prefix-list            | TBD   | 16.10
destination-data-prefix-list      | Match packet destination IP to any prefix specified in the prefix-list              | 14.1  | 16.9
destination-ip                    | Match packet destination IP to the specified IP address / prefix                    | 14.1  | 16.9
destination-ipv6                  | Match packet destination IPv6 to the specified address / prefix                     | TBD   | 16.10
destination-port                  | Match packet destination port                                                       | 14.1  | 16.9
dns request / response            | Match on DNS traffic for intercept / redirect                                       | 17.2  | 16.9
dns-app-list                      | Match on DNS traffic for the specified set of applications for intercept / redirect | 17.2  | 16.9
dscp                              | Match on packet DSCP                                                                | 14.1  | 16.9
packet-length                     | Match on packet length                                                              | 14.1  | 16.9
plp                               | Match packet PLP (packet loss priority)                                             | 16.3  | TBD
protocol                          | Match packet protocol                                                               | 14.1  | 16.9
source-data-ipv6-prefix-list      | Match packet source IPv6 to any prefix specified in the prefix-list                 | TBD   | 16.10
source-data-prefix-list           | Match packet source IP to any prefix specified in the prefix-list                   | 14.1  | 16.9
source-ip                         | Match packet source IP to the specified IP address / prefix                         | 14.1  | 16.9
source-ipv6                       | Match packet source IPv6 to the specified address / prefix                          | 18.4  | 16.10
source-port                       | Match packet source port                                                            | 14.1  | 16.9
tcp syn                           | Match packet TCP flag (SYN)                                                         | 14.1  | 16.9
Policy Feature Support (For Your Reference)
Data Policy: actions

Action                                       | Description                                                                                                                                              | vEdge  | IOS-XE
accept                                       | Accept any matching packet for forwarding                                                                                                               | 14.1   | 16.9
set dscp                                     | Set the DSCP on the matched packet                                                                                                                       | 15.1   | 16.9
set forwarding-class                         | Set the packet to use a specific QoS class within the node without setting the DSCP (equivalent of qos-group)                                           | 15.1   | 16.9
set local-tloc color [encap]                 | Pin the matching flow/packet to the defined TLOC                                                                                                         | 16.1   | 17.2.1
set local-tloc-list color [encap] [restrict] | Pin the matching flow/packet to the list of TLOCs, using ECMP for more than one; restrict drops the traffic if no chosen color is operational, otherwise forwarding falls back to the RIB | 16.1 | 17.2.1
set local-tloc / local-tloc-list             | Pin the matching flow/packet to the defined TLOC for DIA / split-tunneling traffic                                                                       | 16.1   | 17.2.1
set next-hop                                 | Route the matching flow/packet to the chosen IP                                                                                                          | 14.1   | 16.9
set next-hop-ipv6                            | Route the matching flow/packet to the chosen IPv6 address                                                                                                | 18.4   | 16.10
set policer                                  | Apply the defined policer to the traffic                                                                                                                 | 14.1   | 16.11
set service <type>                           | Associate a service with the matched traffic to enable service chaining                                                                                  | 14.1   | TBD
set service local <type> [restrict] vpn <n>  | Associate a local service with the matched traffic to enable service chaining                                                                            | 15.4.1 | TBD
set service tloc <system-ip> <color> <encap> | Associate the service advertised from the specified TLOC with the matched traffic                                                                        | 16.1   | TBD
set service tloc-list                        | Associate the service advertised from a TLOC in the specified list with the matched traffic                                                              | 16.1   | TBD
set tloc                                     | Route the matching traffic to a remote TLOC on a different SD-WAN Edge node across the WAN                                                               | 14.1   | 16.12
set tloc-list                                | Define a list of TLOCs to be used in preference order, with ECMP between TLOCs of equal preference                                                       | 14.1   | 16.12
set vpn                                      | Define a next-hop VPN for the matching traffic                                                                                                           | 14.1   | 16.9
cflowd                                       | Enable flow accounting for the matching traffic                                                                                                          | 14.3   | 16.9
count                                        | Create a counter for the matching traffic                                                                                                                | 14.1   | 16.9
drop                                         | Drop the matching traffic                                                                                                                                | 14.1   | 16.9
log *                                        | Create a log entry (using the node's log configuration) for the matching traffic                                                                        | 16.3   | TBD
loss-protect fec-adaptive                    | Enable adaptive FEC for the matching traffic (FEC is enabled at >= 2% path packet loss)                                                                 | 18.4   | TBD
loss-protect fec-always                      | Enable continuous FEC for the matching traffic                                                                                                           | 18.3   | 16.11
loss-protect pkt-dup                         | Enable packet duplication for the matching traffic                                                                                                       | 18.4   | 16.12
nat pool <name>                              | NAT the matching traffic using the named NAT pool                                                                                                        | 15.3   | 16.9
nat use-vpn <0> [fallback]                   | NAT the matching traffic as it is subject to split tunneling / DIA via VPN 0; fallback allows falling back to routing on NAT resource exhaustion         | 14.2   | 16.9
nat use-vpn <0> pool <name>                  | NAT the matching traffic using the named NAT pool as it is subject to split tunneling / DIA via VPN 0                                                    | TBD    | 16.9
redirect-dns <ip>                            | Redirect the intercepted DNS request to the server residing at the IP                                                                                    | 17.2   | 16.9
redirect-dns host                            | Redirect the intercepted DNS request for resolution locally on the node                                                                                  | TBD    | TBD
redirect-dns umbrella                        | Redirect the intercepted DNS request to Umbrella / OpenDNS                                                                                               | TBD    | 16.10
tcp-optimization                             | Enable TCP optimization for the matching traffic                                                                                                         | 17.2   | 16.12

* log: 'policy log-frequency 1000' is the default; the nearest lower power of 2 is used, so every 512th packet is logged. Introduced in 16.3 on vEdge, TBD on IOS-XE.
Releases marked TBD were not yet committed at the time of the session.
Policy Feature Support (For Your Reference)
App-Route Policy: match criteria

Match                             | Description                                                                         | vEdge | IOS-XE
app-list                          | Match DPI application signature(s) specified in the app-list                        | 14.2  | 16.9
cloud-saas-app-list               | Used for Cloud On-Ramp SaaS (orchestrated by vManage)                               | 16.3  | 17.2.1
destination-data-ipv6-prefix-list | Match packet destination IPv6 to any prefix specified in the prefix-list            | TBD   | 16.10
destination-data-prefix-list      | Match packet destination IP to any prefix specified in the prefix-list              | 14.2  | 16.9
destination-ip                    | Match packet destination IP to the specified IP address / prefix                    | 14.2  | 16.9
destination-ipv6                  | Match packet destination IPv6 to the specified address / prefix                     | TBD   | 16.10
destination-port                  | Match packet destination port                                                       | 14.2  | 16.9
dns request / response            | Match on DNS traffic for intercept / redirect                                       | 17.2  | 16.9
dns-app-list                      | Match on DNS traffic for the specified set of applications for intercept / redirect | 17.2  | 16.9
dscp                              | Match on packet DSCP                                                                | 14.2  | 16.9
plp                               | Match packet PLP (packet loss priority)                                             | 16.3  | TBD
protocol                          | Match packet protocol                                                               | 14.2  | 16.9
source-data-ipv6-prefix-list      | Match packet source IPv6 to any prefix specified in the prefix-list                 | TBD   | 16.10
source-data-prefix-list           | Match packet source IP to any prefix specified in the prefix-list                   | 14.2  | 16.9
source-ip                         | Match packet source IP to the specified IP address / prefix                         | 14.2  | 16.9
source-ipv6                       | Match packet source IPv6 to the specified address / prefix                          | 14.2  | 16.10
source-port                       | Match packet source port                                                            | 14.2  | 16.9

Releases marked TBD were not yet committed at the time of the session.
Policy Feature Support (For Your Reference)
App-Route Policy: actions

Action                                         | Description                                                                                           | vEdge                            | IOS-XE
backup-sla-preferred-color                     | Specify the TLOC to use for traffic whose SLA class is disqualified across all links                  | 16.3                             | 17.2.1
cloud-saas                                     | Used for Cloud On-Ramp SaaS (orchestrated by vManage)                                                 | 16.3                             | 17.2.1
count                                          | Create a counter for the matching traffic                                                             | 14.2                             | 16.9
log *                                          | Create a log entry (using the node's log configuration) for the matching traffic                     | 16.3                             | TBD
sla-class <name>                               | Associate the matching traffic with a defined SLA class                                               | 14.2                             | 16.9
sla-class <name> preferred-color <c> [<c>] ... | Configure a preferred TLOC for the traffic associated with the SLA class (multiple colors for ECMP)   | 15.2 (17.1 for multiple colors)  | 16.9
sla-class <name> strict                        | Drop the traffic associated with the SLA class if no path meets the SLA threshold(s)                  | 14.2                             | 16.9
default-action sla-class                       | Define the SLA class for traffic not explicitly matched in a sequence                                 | 14.2                             | 16.9

* log: 'policy log-frequency 1000' is the default; the nearest lower power of 2 is used, so every 512th packet is logged. Introduced in 16.3 on vEdge, TBD on IOS-XE.
Releases marked TBD were not yet committed at the time of the session.
Thank you

#CiscoLive