default-action

policy control-policy default-action, policy route-policy default-action, policy data-policy vpn-list default-action, policy vpn-membership default-action, policy zone-based-policy default-action—Configure the default action to take when an item matches none of the match conditions in a policy (on vEdge routers and vSmart controllers only).

vManage Feature Template

For vEdge routers and vSmart controllers:

Configuration ► Policies
Configuration ► Security (for zone-based firewall policy)

Command Hierarchy

For Application-Aware Routing

policy
  app-route-policy policy-name
    default-action
      sla-class sla-class-name

For Centralized Control Policy

policy
  control-policy policy-name
    default-action action

For Centralized Data Policy

policy
  data-policy policy-name
    default-action action

For Localized Control Policy

policy
  route-policy policy-name
    default-action action

For Localized Data Policy

policy
  access-list acl-name
    default-action action

For Zone-Based Firewalls

Configure on vEdge routers only.

policy
  zone-based-policy policy-name
    default-action action

Options

Default Action for Application-Aware Routing
default-action sla-class sla-class-name
Default SLA to apply if a data packet being evaluated by the policy matches none of the match conditions.
If you configure no default action, all data packets are accepted and no SLA is applied to them.
Default Action for Control Policy and Data Policy
policy control-policy policy-name default-action (accept | reject)
policy route-policy policy-name default-action (accept | reject)
policy data-policy policy-name default-action (accept | drop)
policy vpn-membership policy-name default-action (accept | drop)
policy access-list acl-name default-action (accept | drop)
Default action to take if an item being evaluated by a policy matches none of the match conditions. If a policy contains no match–action sequences, the implicit default action is to accept all items. If a policy contains one or more match–action sequences, the implicit default action is to either reject or drop the item, depending on the policy type, so items that no sequence matches are discarded unless you explicitly configure default-action accept.
Default Action for Zone-Based Firewall Policy
default-action (drop | inspect | pass)
Default action to take if a data traffic flow matches none of the match conditions.
drop discards the data traffic.
inspect inspects the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
pass allows the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.

Operational Commands

show running-config policy

Example

Create a centralized control policy that changes the TLOC for accepted packets:

policy
  control-policy change-tloc
    default-action accept
    sequence 10
      action accept
      tloc 1.1.1.2
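
An audit sketch for the defaults described under Options, added here as an example and not taken from Cisco's documentation or software: it reads `show running-config policy` text and reports each policy's effective default action, explicit or implicit. The pairing of reject with control-policy and route-policy and of drop with the other three types is an assumption drawn from the option lists above, and the policies named `constructed-...` are sample input.

```python
# Added example (not Cisco code). IMPLICIT is the assumed implicit default
# once a policy has at least one match-action sequence.
IMPLICIT = {
    "control-policy": "reject", "route-policy": "reject",
    "data-policy": "drop", "vpn-membership": "drop", "access-list": "drop",
}
OTHER_TYPES = {"app-route-policy", "zone-based-policy"}
# Constructed sample input; only change-tloc comes from the page.
SAMPLE = """\
policy
  control-policy change-tloc
    default-action accept
    sequence 10
      action accept
      tloc 1.1.1.2
  data-policy constructed-dp
    sequence 10
      action accept
  access-list constructed-empty-acl
  zone-based-policy constructed-zbf
    default-action pass
"""

def effective_defaults(config_text):
    """Map (type, name) -> (action, 'explicit' | 'implicit' | 'unknown')."""
    seen, current = {}, None
    for raw in config_text.splitlines():
        # Zero-width spaces from copied web pages are not whitespace to split().
        tokens = raw.replace("\u200b", "").split()
        if len(tokens) == 2 and (tokens[0] in IMPLICIT or tokens[0] in OTHER_TYPES):
            current = (tokens[0], tokens[1])
            seen[current] = [None, 0]          # [explicit action, sequence count]
        elif current and len(tokens) > 1 and tokens[0] == "default-action":
            seen[current][0] = " ".join(tokens[1:])
        elif current and tokens and tokens[0] == "sequence":
            seen[current][1] += 1
    out = {}
    for (ptype, name), (explicit, nseq) in seen.items():
        if explicit:
            out[(ptype, name)] = (explicit, "explicit")
        elif ptype == "app-route-policy":      # accepted, no SLA applied
            out[(ptype, name)] = ("accept", "implicit")
        elif ptype in IMPLICIT:                # accept only while no sequences exist
            out[(ptype, name)] = (IMPLICIT[ptype] if nseq else "accept", "implicit")
        else:                                  # zone-based: page gives no implicit value
            out[(ptype, name)] = (None, "unknown")
    return out

def permissive(defaults):
    """Policies that let unmatched items through (accept or pass)."""
    return sorted(k for k, (action, _) in defaults.items() if action in ("accept", "pass"))
```

Calling `permissive(effective_defaults(text))` on a saved configuration lists the policies worth a second look, including empty policies that accept everything until their first sequence is added.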

Release Information

Command introduced in Viptela Software Release 14.1.
Application-aware routing added in Release 14.2.
Zone-based firewall policy added in Release 18.2.

Additional Information

See the Policy Overview article for your software release.