
lists

policy lists—Create groupings of similar objects, such as IP prefixes, sites, TLOC addresses, and AS paths, for use when configuring policy match conditions or action operations and when applying a policy (on vSmart controllers and vEdge routers only).

In the configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

When you create multiple iterations of a type of list (for example, when you create multiple VPN lists), you can include the same values or overlapping values in more than one of these lists. You can do this either on purpose, to meet the design needs of your network, or accidentally, which can happen when you use ranges to specify values. Here are two examples of lists that are configured with ranges and that contain overlapping values:

  • vpn-list list-1 vpn 1-10
    vpn-list list-2 vpn 6-8
  • site-list list-1 site 1-10
    site-list list-2 site 5-15

For all lists except site lists, when you configure policies that contain lists, or when you apply those policies, you must ensure that the lists do not contain overlapping values. To do this, you must manually audit your configurations. The Viptela software performs no validation on the contents of lists, on the policies themselves, or on how the policies are applied to ensure that there are no overlapping values. If you configure or apply policies that contain lists with overlapping values to the same site, one policy is applied and the others are ignored. Which policy is applied is a function of the internal behavior of the Viptela software when it processes the configuration. This decision is not under user control, so the outcome is not predictable.

For site lists, for each type of policy that is applied to site lists—app-route-policy, cflowd, control-policy, data-policy—you must ensure for that policy type that the lists do not contain any overlapping sites. Each site must be unique and used only once. However, across these four different policy types, the sites in the site lists can overlap. For example, if you apply a data-policy to sites 100-200, you can apply a control-policy to sites 120-130 or to sites 190-210, and you can apply an app-route-policy to sites 100-125. However, you cannot apply a second data-policy to sites 120-130. For a configuration example that illustrates this behavior, see apply-policy.

vManage Feature Template

For vEdge routers and vSmart controllers:

Configuration ► Policies

Command Hierarchy

For Application-Aware Routing Policy

policy
  lists
    app-list list-name
      (app application-name | app-family application-family)
    data-prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id

For Centralized Control Policy

policy
  lists
    color-list list-name
      color color
    prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn vpn-id

For Centralized Data Policy

policy
  lists
    app-list list-name
      (app application-names | app-family application-family)
    data-prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn vpn-id

For Localized Control Policy

policy
  lists
    as-path-list list-name
      as-path path-list
    community-list list-name
      community [aa:nn | internet | local-as | no-advertise | no-export]
    ext-community-list list-name
      community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]
    prefix-list list-name
      ip-prefix prefix/length

For Localized Data Policy (ACLs)

policy
  lists
    data-prefix-list list-name
      ip-prefix prefix/length

Options

For Application-Aware Routing Policy

Application List
app-list list-name
  (app application-name | app-family application-family)
List of one or more applications or application families running on the subnets connected to the vEdge router. Each app-list can contain either applications or application families, but not both. To configure multiple applications or application families in a single list, include multiple app or app-family options, specifying one application or application family in each app or app-family option.
application-name is the name of an application. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
application-family is the name of an application family. It can be one of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.
Data Prefix List
data-prefix-list list-name
  ip-prefix prefix/length
List of one or more IP prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
Overlay Network Site List
site-list list-name
  site-id site-id
List of one or more identifiers of sites in the Viptela overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. To configure a range of site IDs, separate the IDs with hyphens. In application-aware routing policy, you apply a centralized control policy (with the apply-policy command) by site list.
VPN List
vpn-list list-name
  vpn vpn-id
List of one or more identifiers of VPNs in the Viptela overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. To configure a range of VPN IDs, separate the IDs with hyphens. In application-aware routing policy, you group policy sequences within VPN lists, with the policy vpn-list sequence command.

For Centralized Control Policy

Color List
color-list list-name
  color color
List of one or more TLOC colors. To configure multiple colors in a single list, include multiple color options, specifying one color in each option. color can be one of 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
IP Prefix List
prefix-list list-name
  ip-prefix prefix/length
List of one or more IP prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
Specify the IP prefixes as follows:
prefix/length—Exactly match a single prefix–length pair.
0.0.0.0/0—Match any prefix–length pair.
0.0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip-prefix 0.0.0.0/0 le 16 matches all IP prefixes with lengths from /1 through /16.
0.0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0/0 ge 25 matches all IP prefixes with lengths from /25 through /32.
0.0.0.0/0 ge length1 le length2, or 0.0.0.0/0 le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes. Also, ip-prefix 0.0.0.0/0 le 24 ge 20 matches the same prefixes. If length1 and length2 are the same, a single IP prefix length is matched. For example, ip-prefix 0.0.0.0/0 ge 24 le 24 matches only /24 prefixes.
In centralized control policy, you reference a prefix list in a match route prefix-list match condition.
Site List
site-list list-name
  site-id site-id
List of one or more identifiers of sites in the Viptela overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. To configure a range of site IDs, separate the IDs with hyphens. In centralized control policy, you can refer to a site list in match route site-list and match tloc site-list match conditions, and you apply a centralized control policy (with the apply-policy command) by site list.
TLOC List
tloc-list list-name
  tloc address color color encap encapsulation [preference value]
List of one or more addresses of transport locations (TLOCs) in the Viptela overlay network. For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
Optionally, set a preference value (from 0 to 2^32 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition and multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.
To configure multiple TLOCs in a single list, include multiple tloc options, specifying one TLOC in each option.
In centralized control policy, you can refer to a TLOC list in match route tloc-list and match tloc tloc-list match conditions, and in action accept conditions.
VPN List
vpn-list list-name
  vpn vpn-id
List of one or more identifiers of VPNs in the Viptela overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. To configure a range of VPN IDs, separate the IDs with hyphens. In centralized control policy, you can refer to a VPN list in a match route vpn-list match condition and in the action accept export-to vpn-list policy action.

For Centralized Data Policy

Application List
app-list list-name
  (app application-name | app-family application-family)
List of one or more applications or application families running on the subnets connected to the vEdge router. Each app-list can contain either applications or application families, but not both. To configure multiple applications or application families in a single list, include multiple app or app-family options, specifying one application or application family in each app or app-family option.
application-name is the name of an application. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
application-family is the name of an application family. It can be one or more of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.
In centralized data policy, you refer to an application list in a match condition.
Data Prefix List
data-prefix-list list-name
  ip-prefix prefix/length
List of one or more IP prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
Site List
site-list list-name
  site-id site-id
List of one or more identifiers of sites in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. To configure a range of site IDs, separate the IDs with hyphens. In centralized data policy, you apply a centralized control policy (with the apply-policy command) by site list.
TLOC List
tloc-list list-name
  tloc address color color encap (gre | ipsec) [preference value weight value]
List of one or more addresses of transport locations (TLOCs) in the overlay network. For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
Optionally, set a preference value (from 0 to 2^32 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition and multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.
To configure multiple TLOCs in a single list, include multiple tloc options, specifying one TLOC in each option.
In centralized data policy, you can refer to a TLOC list in match route tloc-list and match tloc tloc-list match conditions, and in action accept conditions.
VPN List
vpn-list list-name
  vpn vpn-id
List of one or more identifiers of VPNs in the Viptela overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. To configure a range of VPN IDs, separate the IDs with hyphens. In centralized data policy, you can refer to a VPN list in a match vpn-list match condition in a VPN membership policy.
For centralized data policy, you can include any VPNs except for VPN 0 and VPN 512. VPN 0 is reserved for control traffic, so never carries any data traffic, and VPN 512 is reserved for out-of-band network management, so also never carries any data traffic. Note that while the CLI allows you to include these two VPNs in a data policy configuration, the policy is not applied to these two VPNs.

For Localized Control Policy

AS Paths
as-path path-list
List of one or more ASs that make up the AS path. You can write each AS as a single number or as a regular expression. To specify more than one AS in a single path, include the list in quotation marks (" "). To configure multiple AS paths in a single list, include multiple as-path options, specifying one AS path in each option.
BGP Communities
community [aa:nn] [internet] [local-as] [no-advertise] [no-export]
List of one or more BGP communities. In community, you can specify:
aa:nn: Autonomous system number and network number. Each number is a 2-byte value with a range from 1 to 65535.
internet: Routes in this community are advertised to the Internet community. This community comprises all BGP-speaking networking devices.
local-as: Routes in this community are not advertised outside the local AS.
no-advertise: Attach the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.
no-export: Attach the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS or outside a BGP confederation boundary.
To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.
BGP Extended Communities
community [rt (aa:nn | ip-address)] [soo (aa:nn | ip-address)]
List of one or more BGP extended communities. In community, you can specify:
rt (aa:nn | ip-address): Route target community, which is one or more routers that can receive a set of routes carried by BGP. Specify this as the autonomous system number and network number, where each number is a 2-byte value with a range from 1 to 65535, or as an IP address.
soo (aa:nn | ip-address): Route origin community, which is one or more routers that can inject a set of routes into BGP. Specify this as the autonomous system number and network number, where each number is a 2-byte value with a range from 1 to 65535, or as an IP address.
To configure multiple extended BGP communities in a single list, include multiple community options, specifying one community in each option.
IP Prefix
ip-prefix prefix/length
List of one or more IP prefixes and length. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
Specify the IP prefixes as follows:
prefix/length—Exactly match a single prefix–length pair.
0.0.0.0/0—Match any prefix–length pair.
0.0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip-prefix 0.0.0.0/0 le 16 matches all IP prefixes with lengths from /1 through /16.
0.0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0/0 ge 25 matches all IP prefixes with lengths from /25 through /32.
0.0.0.0/0 ge length1 le length2, or 0.0.0.0/0 le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes. Also, ip-prefix 0.0.0.0/0 le 24 ge 20 matches the same prefixes. If length1 and length2 are the same, a single IP prefix length is matched. For example, ip-prefix 0.0.0.0/0 ge 24 le 24 matches only /24 prefixes.
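The prefix-length matching rules are stated twice in this article, once for the centralized control policy prefix list and once for the localized control policy prefix list. The Python below is an added example, not Viptela or Cisco code, that implements those rules so an ip-prefix entry can be checked against a candidate route before the policy is pushed. It treats le N on its own as /1 through /N, as the article's wording does. For an entry whose prefix is not 0.0.0.0/0 it also requires the candidate to fall inside that prefix; that containment rule is an assumption beyond what the article states, which only describes qualifiers together with 0.0.0.0/0.

```python
"""Evaluate Viptela-style 'ip-prefix' entries with ge/le length qualifiers.

Added example, not Viptela/Cisco code. Rules implemented, from the article:
  prefix/length                         exact prefix-length pair
  0.0.0.0/0                             any prefix-length pair
  0.0.0.0/0 le N                        lengths /1 through /N
  0.0.0.0/0 ge N                        lengths /N through /32
  0.0.0.0/0 ge A le B  (or le B ge A)   lengths /A through /B
"""
import ipaddress


def parse_entry(entry):
    """'0.0.0.0/0 ge 20 le 24' -> (network, ge, le); ge/le are None when absent."""
    tokens = entry.split()
    net = ipaddress.ip_network(tokens[0], strict=False)
    ge = le = None
    i = 1
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError(f"qualifier without a length in {entry!r}")
        qual, value = tokens[i], int(tokens[i + 1])
        if qual == "ge":
            ge = value
        elif qual == "le":
            le = value
        else:
            raise ValueError(f"unknown qualifier {qual!r} in {entry!r}")
        i += 2
    if ge is not None and le is not None and ge > le:
        raise ValueError(f"ge {ge} exceeds le {le} in {entry!r}")
    return net, ge, le


def entry_matches(entry, candidate):
    """True if the candidate prefix (e.g. '10.1.0.0/16') satisfies one entry."""
    net, ge, le = parse_entry(entry)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != net.version:
        return False
    if ge is None and le is None:
        # No qualifier: 0.0.0.0/0 alone matches any prefix-length pair;
        # any other entry must match prefix and length exactly.
        return net.prefixlen == 0 or cand == net
    # Assumption beyond the article: with a non-default prefix the candidate
    # must lie inside it. For 0.0.0.0/0 this is always true.
    if not cand.subnet_of(net):
        return False
    # The article describes 'le N' alone as '/1 through /N', so the lower
    # bound defaults to 1 unless ge is given explicitly.
    lo = ge if ge is not None else 1
    hi = le if le is not None else net.max_prefixlen
    return lo <= cand.prefixlen <= hi


def prefix_list_matches(entries, candidate):
    """Mirror a 'match route prefix-list' test: any entry in the list matches."""
    return any(entry_matches(e, candidate) for e in entries)


def admitted_lengths(entry):
    """Prefix lengths for which some candidate inside the entry's prefix matches."""
    net, _, _ = parse_entry(entry)
    return [n for n in range(net.prefixlen, net.max_prefixlen + 1)
            if entry_matches(entry, f"{net.network_address}/{n}")]


if __name__ == "__main__":
    # Reproduce the article's worked examples.
    for e in ("0.0.0.0/0 le 16", "0.0.0.0/0 ge 25",
              "0.0.0.0/0 ge 20 le 24", "0.0.0.0/0 le 24 ge 20", "0.0.0.0/0 ge 24 le 24"):
        lengths = admitted_lengths(e)
        print(f"{e:24} -> /{lengths[0]} through /{lengths[-1]}")
    # A constructed two-entry prefix list checked against two candidate routes.
    corp = ["10.0.0.0/8", "0.0.0.0/0 ge 24 le 24"]
    for route in ("192.168.1.0/24", "192.168.0.0/16"):
        print(f"{route:16} matches corp list: {prefix_list_matches(corp, route)}")
```

admitted_lengths is the quickest way to sanity-check a qualifier pair: if it returns an empty list, the entry can never match anything, which is usually a transposed ge/le.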

For Localized Data Policy (ACLs)

IP Prefix
data-prefix-list list-name
  ip-prefix prefix/length
List of one or more IP prefixes. You can specify both unicast and multicast prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.

Operational Commands

show running-config policy lists

Example

Configure a list of VPNs:

policy
  lists
    vpn-list west-coast
      vpn 20-30
      vpn 42
      vpn 45

Configure a list of prefixes:

policy
  lists
    prefix-list east
      ip-prefix 8.8.0.0/16
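The overlapping-values caveat at the top of this article says that the software validates nothing and that the audit is manual, and the VPN list description for centralized data policy adds that the CLI accepts VPN 0 and VPN 512 in a vpn-list even though data policy is never applied to them. The following Python script is an added example, not Viptela or Cisco code, that performs that audit over the indented show running-config policy lists output shown above. The sample configuration embedded in it is constructed, and the parser's reading of the list syntax (a type-list name line followed by indented entry lines) is an assumption taken from the article's examples. It expands hyphenated ranges, reports values shared by two or more lists of the same type, reports prefixes in different prefix lists that overlap (containment counts; ge and le qualifiers are ignored for that check), and flags the reserved VPNs.

```python
"""Audit Viptela 'policy lists' output for conditions the article warns about.

Added example, not Viptela/Cisco code. It parses the indented
'show running-config policy lists' layout used in this article and reports:
  * a value present in two or more lists of the same type (the overlap the
    software does not validate, which makes policy application unpredictable);
  * prefixes in different prefix lists that overlap (containment counts;
    ge/le qualifiers are ignored for this check);
  * vpn-list entries naming VPN 0 or VPN 512, which centralized data policy
    accepts but never applies to.
Site-list hits are reported too; the article permits site overlap across
different policy types, so check those against apply-policy before acting.
"""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the article's examples (not a real configuration).
SAMPLE_CONFIG = """\
policy
  lists
    vpn-list list-1
      vpn 1-10
    vpn-list list-2
      vpn 6-8
      vpn 512
    site-list west
      site-id 100-200
    site-list east
      site-id 190-210
    prefix-list corp
      ip-prefix 10.0.0.0/8
    prefix-list branch
      ip-prefix 10.1.0.0/16
"""

# Entry keywords whose values are numeric and may be hyphenated ranges.
RANGE_KEYS = {"vpn-list": "vpn", "site-list": "site-id"}
RESERVED_VPNS = {0, 512}  # VPN 0: control traffic; VPN 512: out-of-band management


def expand_range(token):
    """'1-10' -> {1, ..., 10}; '42' -> {42}."""
    lo, _, hi = token.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if hi < lo:
        raise ValueError(f"descending range {token!r}")
    return set(range(lo, hi + 1))


def parse_lists(text):
    """Return {list_type: {list_name: set(values)}}.

    Assumption from the article's layout: a '<type>-list <name>' line opens a
    list and the indented lines below it are its entries until the next list.
    """
    lists = defaultdict(dict)
    current = None  # (list_type, list_name)
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) == 2 and parts[0].endswith("-list"):
            current = (parts[0], parts[1])
            lists[current[0]].setdefault(current[1], set())
        elif current is not None:
            ltype, name = current
            if parts[0] == RANGE_KEYS.get(ltype):
                lists[ltype][name] |= expand_range(parts[1])
            else:
                lists[ltype][name].add(" ".join(parts[1:]))  # prefix, TLOC, colour, ...
    return lists


def find_overlaps(lists):
    """(list_type, value, [names]) for every value that two or more lists share."""
    hits = []
    for ltype, named in lists.items():
        owners = defaultdict(list)
        for name, values in named.items():
            for value in values:
                owners[value].append(name)
        for value, names in sorted(owners.items(), key=lambda kv: str(kv[0])):
            if len(names) > 1:
                hits.append((ltype, value, sorted(names)))
    return hits


def find_prefix_overlaps(lists):
    """Overlapping networks held in different prefix-list / data-prefix-list lists."""
    hits = []
    for ltype in ("prefix-list", "data-prefix-list"):
        entries = [(name, ipaddress.ip_network(entry.split()[0], strict=False))
                   for name, values in lists.get(ltype, {}).items() for entry in values]
        for i, (name1, net1) in enumerate(entries):
            for name2, net2 in entries[i + 1:]:
                if name1 != name2 and net1.version == net2.version and net1.overlaps(net2):
                    hits.append((ltype, str(net1), str(net2), name1, name2))
    return hits


def find_reserved_vpns(lists):
    """(list_name, vpn) for VPN 0 / VPN 512 entries that data policy silently skips."""
    return sorted((name, vpn) for name, vpns in lists.get("vpn-list", {}).items()
                  for vpn in vpns & RESERVED_VPNS)


if __name__ == "__main__":
    parsed = parse_lists(SAMPLE_CONFIG)
    for ltype, value, names in find_overlaps(parsed):
        print(f"OVERLAP  {ltype}: {value} appears in {', '.join(names)}")
    for ltype, a, b, n1, n2 in find_prefix_overlaps(parsed):
        print(f"OVERLAP  {ltype}: {a} ({n1}) overlaps {b} ({n2})")
    for name, vpn in find_reserved_vpns(parsed):
        print(f"RESERVED vpn-list {name}: VPN {vpn} is never subject to data policy")
```

Feed it the saved output of show running-config policy lists from a vSmart controller or vEdge router; a vpn-list or site-list hit is the overlap condition the article says you must resolve by hand, and a site-list hit needs the apply-policy section to decide whether the overlapping lists belong to the same policy type.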

Release Information

Command introduced in Viptela Software Release 14.1.
In Release 16.3, add support for overlapping sites in different site lists, and add support for IP multicast addresses.

Additional Information

See the Policy Overview article for your software release.

  • action
  • apply-policy
  • match
  • policy
  • sla-class
