policy
policy—Configure IPv4 policy (on vSmart controllers and vEdge routers only).
vManage Feature Template
For vEdge routers and vSmart controllers:
Configuration ► Policies
Configuration ► Security (for zone-based firewall policy)
Command Hierarchy
For Application-Aware Routing Policy
Configure on vSmart controllers only.
policy
  lists
    app-list list-name
      (app application-name | app-family family-name)
    data-prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  sla-class sla-class-name
    jitter milliseconds
    latency milliseconds
    loss percentage
policy
  app-route-policy policy-name
    vpn-list list-name
      default-action sla-class sla-class-name
      sequence number
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns (request | response)
          dns-app-list list-name
          dscp number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port address
        action
          backup-sla-preferred-color color
          count counter-name
          log
          sla-class sla-class-name [strict] [preferred-color colors]
For Centralized Control Policy
Configure on vSmart controllers only.
policy
  lists
    color-list list-name
      color color
    prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn vpn-id
policy
  control-policy policy-name
    default-action action
    sequence number
      match
        route
          color color
          color-list list-name
          omp-tag number
          origin protocol
          originator ip-address
          preference number
          prefix-list list-name
          site-id site-id
          site-list list-name
          tloc ip-address color color [encap encapsulation]
          tloc-list list-name
          vpn vpn-id
          vpn-list list-name
        tloc
          carrier carrier-name
          color color
          color-list list-name
          domain-id domain-id
          group-id group-id
          omp-tag number
          originator ip-address
          preference number
          site-id site-id
          site-list list-name
          tloc address color color [encap encapsulation]
          tloc-list list-name
      action
        reject
        accept
          set
            omp-tag number
            preference value
            service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
            tloc-action action
            tloc-list list-name
For Centralized Data Policy
Configure on vSmart controllers only.
policy
  cflowd-template template-name
    collector vpn vpn-id address ip-address port port-number transport transport-type source-interface interface-name
    flow-active-timeout seconds
    flow-inactive-timeout seconds
    flow-sampling-interval number
    template-refresh seconds
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name
      ip-prefix prefix
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn-id vpn-id
policy
  data-policy policy-name
    vpn-list list-name
      default-action action
      sequence number
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns (request | response)
          dns-app-list list-name
          dscp number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number
          tcp flag
        action
          cflowd (not available for deep packet inspection)
          count counter-name
          drop
          log
          tcp-optimization
          accept
            nat [pool number] [use-vpn 0] (in Releases 16.2 and earlier, not available for deep packet inspection)
            redirect-dns (host | ip-address)
            set
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation]
              local-tloc-list color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color [encap encapsulation]
              tloc-list list-name
              vpn vpn-id
policy
  data-policy policy-name
    default-action action
    sequence number
      match
        app-list list-name
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        packet-length number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port address
        tcp flag
      action
        count counter-name
        drop
        accept
          set local-tloc color
          set next-hop ip-address
          set policer policer-name
          set service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
          set tloc ip-address
          set vpn vpn-id
  vpn-membership policy-name
    default-action action
    sequence number
      match
        vpn vpn-id
        vpn-list list-name
      action (accept | reject)
For Localized Control Policy
Configure on vEdge routers only.
policy
  lists
    as-path-list list-name
      as-path as-number
    community-list list-name
      community [aa:nn | internet | local-as | no-advertise | no-export]
    ext-community-list list-name
      community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]
    prefix-list list-name
      ip-prefix prefix/length
policy
  route-policy policy-name
    default-action action
    sequence number
      match
        address list-name
        as-path list-name
        community list-name
        ext-community list-name
        local-preference number
        metric number
        next-hop list-name
        omp-tag number
        origin (egp | igp | incomplete)
        ospf-tag number
        peer address
      action
        reject
        accept
          set
            aggregator as-number ip-address
            as-path (exclude | prepend) as-number
            atomic-aggregate
            community value
            local-preference number
            metric number
            metric-type (type1 | type2)
            next-hop ip-address
            omp-tag number
            origin (egp | igp | incomplete)
            originator ip-address
            ospf-tag number
            weight number
For Localized Data Policy for IPv4
Configure on vEdge routers only.
policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
  class-map
    class class-name queue number
  log-frequency number
  mirror mirror-name
    remote-dest ip-address source ip-address
  policer policer-name
    burst types
    exceed action
    rate bps
  qos-map map-name
    qos-scheduler scheduler-name
  qos-scheduler scheduler-name
    bandwidth-percent percentage
    buffer-percent percentage
    burst packets
    class class-name
    drops (red-drop | tail-drop)
    scheduling (llq | wrr)
  rewrite-rule rule-name
    class class-name priority dscp (high | low) layer-2-cos number
policy
  access-list acl-name
    default-action action
    sequence number
      match
        class class-name
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        packet-length number
        plp (high | low)
        protocol number
        source-data-prefix-list list-name
        source-ip prefix-length
        source-port number
        tcp flag
      action
        count counter-name
        drop
        log
        accept
          class class-name
          mirror mirror-name
          policer policer-name
          set dscp value
          set next-hop ipv4-address
For Zone-Based Firewalls
Configure on vEdge routers only.
policy
  zone (destination-zone-name | source-zone-name)
    vpn vpn-id
  zone-to-no-zone-internet (allow | deny)
  zone-pair pair-name
    source-zone source-zone-name
    destination-zone destination-zone-name
    zone-policy policy-name
  zone-based-policy policy-name
    default-action action
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix-length
        source-port number
      action
        drop
        inspect
        log
        pass
Options
None
Operational Commands
Example
Apply a control policy to the sites defined in the list "west":
apply-policy
  site-list west
    control-policy change-tloc out
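A fuller configuration around that statement, as an added example that is not part of the original reference: the site list and control policy that the apply-policy statement refers to, built only from keywords in the centralized control policy hierarchy above. The site ID, prefix, TLOC address, color, encapsulation and the list names other than "west" are constructed placeholders.

```text
! Constructed example for a vSmart controller. All IDs, addresses and
! list names other than "west" and "change-tloc" are placeholders.
policy
  lists
    site-list west
      site-id 100
    prefix-list west-services
      ip-prefix 10.20.0.0/16
    tloc-list hub-tlocs
      tloc 192.0.2.10 color mpls encap ipsec
  control-policy change-tloc
    sequence 10
      match route
        prefix-list west-services
      action accept
        set
          tloc-list hub-tlocs
    ! Routes that match no sequence fall through to the default action.
    default-action accept
apply-policy
  site-list west
    control-policy change-tloc out
```

If default-action is left out of a control policy, routes that match no sequence are rejected, so the sites in "west" would stop receiving every route outside the matched prefix list.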
Release Information
Command introduced in Viptela Software Release 14.1.
Application-aware routing policy added in Release 14.2.
Zone-based firewall policy added in Release 18.2.
Additional Information
See the Policy Overview article for your software release.
access-list
apply-policy
policy ipv6
redistribute