policy control-policy default-action, policy route-policy default-action, policy data-policy vpn-list default-action, policy vpn-membership default-action, policy zone-based-policy default-action—Configure the default action to take when the match portion of a policy is not met (on vEdge routers and vSmart controllers only).
vManage Feature Template
For vEdge routers and vSmart controllers:
Configuration ► Policies
Configuration ► Security (for zone-based firewall policy)
For Application-Aware Routing
policy app-route-policy policy-name default-action sla-class sla-class-name
For Localized Data Policy
policy access-list acl-name sequence number default-action action
For Zone-Based Firewalls
Configure on vEdge routers only.
policy zone-based-policy policy-name default-action action
- Default Action for Application-Aware Routing
- default-action sla-class sla-class-name
Default SLA to apply if a data packet being evaluated by the policy matches none of the match conditions.
If you configure no default action, all data packets are accepted and no SLA is applied to them.
- Default Action for Control Policy and Data Policy
- policy control-policy policy-name default-action (accept | reject)
- policy route-policy policy-name default-action (accept | reject)
- policy data-policy policy-name default-action (accept | drop)
- policy vpn-membership policy-name default-action (accept | drop)
- policy access-list acl-name default-action (accept | drop)
Default action to take if an item being evaluated by a policy matches none of the match conditions. If you configure no policy (specifically, if you configure no match–action sequences within a policy), all items are accepted by default. If you configure a policy with one or more match–action sequences and no explicit default action, items that match none of the sequences are rejected or dropped, depending on the policy type.
- Default Action for Zone-Based Firewall Policy
- default-action (drop | inspect | pass)
Default action to take if a data traffic flow matches none of the match conditions.
drop discards the data traffic.
inspect inspects the packet's header to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
pass allows the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.
show running-config policy
Create a centralized control policy that changes the TLOC for accepted packets:
policy
  control-policy change-tloc
    default-action accept
    sequence 10
      action accept
        tloc 188.8.131.52
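An added example (not part of the original reference and not Cisco tooling): a Python check that applies the default-action rules described above for control, route, data, VPN-membership and access-list policies to a saved configuration and lists the policies that accept unmatched items. The sample configuration is constructed, and the code assumes an indented layout in which each policy starts on a line of the form `<type> <name>`.

```python
# Added example: resolve the effective default action of each policy.
# Implicit default once a policy has match-action sequences, per the text above.
IMPLICIT = {"control-policy": "reject", "route-policy": "reject",
            "data-policy": "drop", "vpn-membership": "drop",
            "access-list": "drop"}

# Constructed sample; the indented layout is an assumption about the input.
SAMPLE = """\
policy
 control-policy change-tloc
  default-action accept
  sequence 10
   action accept
 data-policy guest-filter
  vpn-list guest-vpns
   sequence 10
    action drop
 access-list empty-acl
"""

def effective_defaults(config):
    """Map (type, name) -> (action, 'explicit' | 'implicit')."""
    state, current, depth = {}, None, 0
    for line in config.splitlines():
        words, indent = line.split(), len(line) - len(line.lstrip())
        if not words:
            continue
        if len(words) == 2 and words[0] in IMPLICIT:
            # Assumed policy header: "<type> <name>"
            current = state.setdefault((words[0], words[1]),
                                       {"sequences": 0, "explicit": None})
            depth = indent
        elif current is not None and indent <= depth:
            current = None  # left the block, e.g. an app-route-policy follows
        elif current is not None and words[0] == "sequence":
            current["sequences"] += 1
        elif current is not None and len(words) == 2 and words[0] == "default-action":
            current["explicit"] = words[1]
    result = {}
    for key, info in state.items():
        if info["explicit"]:
            result[key] = (info["explicit"], "explicit")
        elif info["sequences"]:
            result[key] = (IMPLICIT[key[0]], "implicit")
        else:  # no match-action sequences: every item is accepted
            result[key] = ("accept", "implicit")
    return result

def fail_open(config):
    """Policies whose unmatched items are accepted; candidates for review."""
    return [key for key, (action, _) in effective_defaults(config).items()
            if action == "accept"]
```

Application-aware routing and zone-based firewall policies are deliberately left out, because their default actions take different values (an SLA class, or drop, inspect or pass).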
Command introduced in Viptela Software Release 14.1.
Application-aware routing added in Release 14.2.
Zone-based firewall policy added in Release 18.2.
See the Policy Overview article for your software release.