Cisco SD-WAN
Viptela Documentation

match

policy app-route-policy vpn-list sequence match, policy access-list sequence match, policy control-policy sequence match, policy data-policy vpn-list sequence match, policy route-policy sequence match, policy zone-based-policy sequence match—Define the properties that an IPv4 packet or route must match for the action in that policy sequence to take effect (on vEdge routers and vSmart controllers only).

vManage Feature Template

For vEdge routers and vSmart controllers:

Configuration ► Policies
Configuration ► Security (for zone-based firewall policy)

Command Hierarchy

For Application-Aware Routing Policy

Configure on vSmart controllers only.

policy
  app-route-policy policy-name   
    vpn-list list-name
      sequence number
        match       
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns-app-list list-name
          dns (request | response)
          dscp number
          plp (high | low)
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number

For Centralized Control Policy

Configure on vSmart controllers only.

policy
  control-policy policy-name
    sequence number
      match
        route
          color color
          color-list list-name
          omp-tag number
          origin protocol
          originator ip-address
          preference number
          prefix-list list-name
          site-id site-id
          site-list list-name
          tloc address color color [encap encapsulation]
          tloc-list list-name
          vpn vpn-id
          vpn-list list-name
        tloc 
          carrier carrier-name
          color color
          color-list list-name
          domain-id domain-id
          group-id group-id
          omp-tag number
          originator ip-address
          preference number
          site-id site-id
          site-list list-name
          tloc address color color [encap encapsulation]
          tloc-list list-name

For Centralized Data Policy

Configure on vSmart controllers only.

policy
  data-policy policy-name
    vpn-list vpn-list
      sequence number     
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns-app-list list-name
          dns (request | response)
          dscp number
          packet-length number
          plp (high | low)
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number
          tcp flag
  vpn-membership policy-name
    sequence number
      match
        vpn vpn-id
        vpn-list list-name

For Localized Control Policy

Configure on vEdge routers only.

policy
  route-policy policy-name
    sequence number     
      match
        address list-name
        as-path list-name
        community list-name
        ext-community list-name
        local-preference number
        metric number
        next-hop list-name
        omp-tag number       
        origin (egp | igp | incomplete)
        ospf-tag number
        peer address

For Localized Data Policy

Configure on vEdge routers only.

policy
  access-list acl-name    
    sequence number
      match
        class class-name 
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        packet-length number
        plp (high | low)
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
        tcp flag

For Zone-Based Firewalls

Configure on vEdge routers only.

policy
  zone-based-policy policy-name
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number

Options

For Application-Aware Routing Policy

Application List
app-list list-name
Match an application or application family in a list defined with a policy lists app-list command.
Destination Prefix or Port
destination-data-prefix-list list-name
destination-ip prefix/length
destination-port number
Match a destination prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
DSCP
dscp number
Match the specified DSCP value.
Packet Loss Priority
plp (high | low)
Match a packet's loss priority (PLP). By default, packets have a PLP value of low. To set a packet's PLP value to high, apply a policer that includes the exceed remark option.
Protocol
protocol number
Match the IP protocol number in the packet header (for example, 6 for TCP or 17 for UDP).
Source Prefix or Port
source-data-prefix-list list-name
source-ip prefix/length
source-port number
Match a source prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
Split DNS
dns-app-list list-name
dns (request | response)
Resolve DNS requests and process DNS responses on an application-by-application basis when the vEdge router is configured as an internet exit point. To match specific applications or application families, specify the name of a list you created with the policy lists app-list command. To process DNS requests for those applications (outbound DNS queries), specify the dns request match condition. To process DNS responses from DNS servers, specify the dns response match condition.

For Centralized Control Policy

Carrier
carrier carrier-name
Match the carrier name assigned to the TLOC. carrier-name can be default or carrier1 through carrier8.
Color
color color
color-list list-name
Match an individual color or a group of colors defined with a policy lists color-list command.
Domain
domain-id number
Match the domain identifier. Currently, the domain identifier can only be 1.
Group
group-id number
Match the group identifier assigned to the TLOC.
OMP Tag
omp-tag number
Match an OMP tag value in the route. number can be a value from 0 through 4294967295.
Originating Address
originator ip-address
Match the IP address of the device from which the route was learned.
Originating Protocol
origin protocol
Match the protocol from which the route was learned. protocol can be one of bgp-external, bgp-internal, connected, ospf-external1, ospf-external2, ospf-inter-area, ospf-intra-area, and static.
Preference
preference number
Match the preference value in the route.
Prefix
prefix-list list-name
Match one or more IP prefixes in a list defined with a policy lists prefix-list command.
Site
site-id site-id
site-list list-name
Match an individual Viptela overlay network site identifier number or a group of site identifiers defined with a policy lists site-list command.
TLOC from a List of TLOCs
tloc-list list-name
Match one of the TLOCs in a list defined with a policy lists tloc-list command.
TLOC Identified by IP Address and Color
tloc address color color [encap encapsulation]
Match an individual TLOC identified by its IP address and color, and optionally by its encapsulation.
color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.
VPN
vpn vpn-id
vpn-list list-name
Match an individual VPN identifier or the VPN identifiers in a list defined with a policy lists vpn-list command.

For Centralized Data Policy

Application List
app-list list-name
Match an application or application family in a list defined with a policy lists app-list command.
Destination Prefix or Port
destination-data-prefix-list list-name
destination-ip prefix/length
destination-port number
Match a destination prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
DSCP
dscp number
Match the specified DSCP value.
Packet Length
packet-length number
Match packets of the specified length. number can be 0 through 65535. Specify a single length, a list of lengths separated by spaces, or a range of lengths with the two numbers separated by a hyphen (-).
Packet Loss Priority
plp (high | low)
Match a packet's loss priority (PLP). By default, packets have a PLP value of low. To set a packet's PLP value to high, apply a policer that includes the exceed remark option.
Protocol
protocol number
Match the IP protocol number in the packet header (for example, 6 for TCP or 17 for UDP).
Source Prefix or Port
source-data-prefix-list list-name
source-ip prefix/length
source-port number
Match a source prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
Split DNS
dns-app-list list-name
dns (request | response)
Resolve DNS requests and process DNS responses on an application-by-application basis when the vEdge router is configured as an internet exit point. To match specific applications or application families, specify the name of a list you created with the policy lists app-list command. To process DNS requests for those applications (outbound DNS queries), specify the dns request match condition. To process DNS responses from DNS servers, specify the dns response match condition.
TCP Flag
tcp flag
Match TCP flags. flag can be syn.

For Localized Control Policy

BGP AS Path
as-path list-name
Match the AS path or paths in the route. list-name is the name of an AS path list defined with a policy lists as-path-list command.
BGP Community
community list-name
Match the BGP community or communities in the route. list-name is the name of a BGP community list defined with a policy lists community-list command.
BGP Extended Community
ext-community list-name
Match the BGP extended community or communities in the route. list-name is the name of a BGP extended community list defined with a policy lists ext-community-list command.
BGP Origin Code
origin (egp | igp | incomplete)
Match the BGP origin code of the route, which can be egp, igp, or incomplete.
Local Preference
local-preference number
Match the BGP local preference value. number can be a value from 0 through 4294967295.
Next Hop
next-hop list-name
Match the next hop in the route. list-name is the name of an IP prefix list defined with a policy lists prefix-list command.
OMP Tag
omp-tag number
Match the OMP tag in the route, for use by BGP or OSPF. number can be a value from 0 through 4294967295.
OSPF Tag
ospf-tag number
Match the OSPF tag value. number can be a value from 0 through 4294967295.
Peer Address
peer ip-address
Match the IP address of the peer.
Prefix from which Route Was Learned
address list-name
Match the IP prefix or prefixes from which the route was learned. list-name is the name of an IP prefix list defined with a policy lists prefix-list command.
Route Metric
metric number
Match the metric in the route. number can be a value from 0 through 4294967295.

For Localized Data Policy

Classification
class class-name
Match packets that belong to the specified forwarding class. class-name is a class defined with a policy class-map command.
Destination Prefix or Port
destination-data-prefix-list list-name
destination-ip prefix/length
destination-port number
Match a destination prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
DSCP
dscp number
Match the specified DSCP value.
Packet Length
packet-length number
Match packets of the specified length. The packet length is the combined length of the IPv4 header and the packet payload. number can be 0 through 65535. Specify a single length, a list of lengths separated by spaces, or a range of lengths with the two numbers separated by a hyphen (-).
Packet Loss Priority
plp (high | low)
Match a packet's loss priority (PLP). By default, packets have a PLP value of low. To set a packet's PLP value to high, apply a policer that includes the exceed remark option.
Protocol
protocol number
Match the IP protocol number in the packet header (for example, 6 for TCP or 17 for UDP).
Source Prefix or Port
source-data-prefix-list list-name
source-ip prefix/length
source-port number
Match a source prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
TCP Flag
tcp flag
Match TCP flags. flag can be syn.

For Zone-Based Firewall Policy

Destination Prefix or Port
destination-data-prefix-list list-name
destination-ip prefix/length
destination-port number
Match a destination prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).
Protocol
protocol number
Match the IP protocol number in the packet header (for example, 6 for TCP or 17 for UDP).
Source Prefix or Port
source-data-prefix-list list-name
source-ip prefix/length
source-port number
Match a source prefix or port. For the prefix, specify either a single prefix or a list of prefixes; list-name is the name of a list defined with a policy lists data-prefix-list command. For the port, specify a single port number, a list of port numbers separated by spaces, or a range of port numbers with the two numbers separated by a hyphen (-).

Operational Commands

show running-config policy

Example

Create an access list match condition that matches a destination IP address in a data packet:

vEdge(config-match)# show config
policy
 access-list test-access-list
  sequence 10
   match
    destination-ip 172.16.0.0/16
   !
  !
 !
!

Configure a control policy that matches routes in a list of VPNs:

vSmart(config-match-route)# show config
policy
 lists
  vpn-list my-vpn-list
   vpn 1
  !
 !
 control-policy my-control-policy
  sequence 10
   match route
    vpn-list my-vpn-list
   !
  !
 !
!

Configure a data policy that matches a destination prefix in VPN 1 and drops the matching traffic. Because the default action is also drop, traffic in VPN 1 that does not match sequence 10 is dropped as well; add an explicit accept sequence before relying on this policy:

vSmart(config-policy)# show config
policy
 data-policy my-data-policy
  vpn-list my-vpn-list
   sequence 10
    match
     destination-ip 55.0.1.0/24
    !
    action drop
    !
   !
   default-action drop
  !
 !
 lists
  vpn-list my-vpn-list
   vpn 1
  !
 !
!

Create a route policy match condition that matches the prefix from which a route was learned:

vEdge(config-match)# show config
policy
 lists
  prefix-list my-prefix-list
   ip-prefix 10.0.100.0/24
   ip-prefix 55.0.1.0/24
   ip-prefix 57.0.1.0/24
  !
 !
 route-policy my-route-policy
  sequence 10
   match
    address my-prefix-list
   !
  !
 !
!
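The per-policy-type match keywords in the Command Hierarchy, the list-and-range syntax for ports and packet lengths in the Options section, and the nested show config layout in the examples above are all easy to get wrong by hand. The following Python script is an added example, not Cisco or Viptela code: it parses show running-config policy output into a tree and reports match conditions that the hierarchy on this page does not allow for that policy type, port or packet-length specifications outside 0 through 65535, and sequences whose match block is empty (which therefore apply to all traffic in that VPN or zone pair). The sample configuration, its list and policy names, and the planted defects are constructed for the example; the linter covers only the data-plane policy types (access-list, app-route-policy, data-policy, zone-based-policy).

```python
"""Parse show running-config policy output and lint its match conditions.
Added example, not Cisco/Viptela code; sample config and names are constructed."""
from typing import List, Set

# Constructed sample in the nested "keyword args / !" layout printed by show
# running-config policy. Planted defects: a port above 65535 in the data policy,
# a TLOC color match and an empty match block in the zone-based policy.
SAMPLE_CONFIG = """\
policy
 data-policy my-data-policy
  vpn-list my-vpn-list
   sequence 10
    match
     destination-data-prefix-list corp-servers
     destination-port 80 443-70000
     protocol 6
     tcp syn
    !
   !
  !
 !
 zone-based-policy branch-to-dc
  sequence 10
   match
    source-ip 192.168.1.0/24
    destination-port 1024-65535
    color lte
   !
  !
  sequence 20
   match
   !
  !
 !
!
"""

def parse_config(text: str) -> dict:
    """Build a tree from indentation; the '!' closers carry no extra information."""
    root = {"words": ["<root>"], "indent": -1, "children": []}
    stack = [root]
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1]["indent"] >= indent:  # close every block at or below this depth
            stack.pop()
        node = {"words": raw.split(), "indent": indent, "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)
    return root

def find(node: dict, keyword: str) -> List[dict]:
    return [c for c in node["children"] if c["words"][0] == keyword]

# Match keywords the page's Command Hierarchy lists for each data-plane policy
# type. Control policies nest route/tloc blocks under match and are not linted.
_COMMON = {"destination-data-prefix-list", "destination-ip", "destination-port",
           "protocol", "source-data-prefix-list", "source-ip", "source-port"}
ALLOWED_MATCH = {
    "zone-based-policy": _COMMON,
    "access-list": _COMMON | {"class", "dscp", "packet-length", "plp", "tcp"},
    "app-route-policy": _COMMON | {"app-list", "dns", "dns-app-list", "dscp", "plp"},
}
ALLOWED_MATCH["data-policy"] = ALLOWED_MATCH["app-route-policy"] | {"packet-length", "tcp"}

def expand_numeric_spec(tokens: List[str], hi: int = 65535) -> Set[int]:
    """Expand the page's 'n1 n2 ...' list and 'a-b' range syntax into a set of ints."""
    values: Set[int] = set()
    for tok in tokens:
        lo_s, _, hi_s = tok.partition("-")
        lo, top = int(lo_s), int(hi_s or lo_s)
        if not 0 <= lo <= top <= hi:
            raise ValueError(f"{tok} is outside 0-{hi}")
        values.update(range(lo, top + 1))
    return values

def lint_policy(root: dict) -> List[str]:
    """One finding per unknown keyword, bad number spec or empty match block."""
    findings: List[str] = []
    for ptype, allowed in ALLOWED_MATCH.items():
        for pol in [p for top in find(root, "policy") for p in find(top, ptype)]:
            # data-policy and app-route-policy nest their sequences under vpn-list
            for holder in find(pol, "vpn-list") or [pol]:
                for seq in find(holder, "sequence"):
                    where = f"{ptype} {pol['words'][1]} sequence {seq['words'][1]}"
                    conds = [c for m in find(seq, "match") for c in m["children"]]
                    if not conds:
                        findings.append(f"{where}: empty match, sequence applies to all traffic")
                    for c in conds:
                        kw, args = c["words"][0], c["words"][1:]
                        if kw not in allowed:
                            findings.append(f"{where}: {kw} is not a match condition for {ptype}")
                        elif kw.endswith("-port") or kw == "packet-length":
                            try:
                                expand_numeric_spec(args)
                            except ValueError as err:
                                findings.append(f"{where}: {kw} {err}")
    return findings

FINDINGS = lint_policy(parse_config(SAMPLE_CONFIG))
```

To check a real device, replace SAMPLE_CONFIG with the saved output of show running-config policy. The parser keys on the indentation that the device prints rather than on the ! closers, so feed it device output rather than hand-retyped text, and extend ALLOWED_MATCH from the Command Hierarchy above if your release adds match keywords.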

Release Information

Command introduced in Viptela Software Release 14.1.
Application-aware routing policy added in Release 14.2.
In Release 15.1, options made consistent among application-aware routing, centralized data policy, and localized data policy.
In Release 15.4, add omp-tag match condition for localized control policy, and rename tag to omp-tag.
In Release 16.1, add packet-length match condition for centralized and localized data policy.
In Release 16.3, add plp match condition for application-aware routing policy, centralized data policy, and localized data policy.
In Release 17.1, add ospf-tag match condition for localized control policy.
In Release 17.2, add dns and dns-app-list match conditions for application-aware routing policy and centralized data policy.
In Release 18.2, add zone-based firewall policy.

Additional Information

See the Policy Overview article for your software release.
action
apply-policy
lists
match (for IPv6 access lists)
policy
