
policy

policy—Configure IPv4 policy (on vSmart controllers and vEdge routers only).

vManage Feature Template

For vEdge routers and vSmart controllers:

Configuration ► Policies
Configuration ► Security (for zone-based firewall policy)

Command Hierarchy

For Application-Aware Routing Policy

Configure on vSmart controllers only.

policy
  lists
    app-list list-name
      (app application-name | app-family family-name)
    data-prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  sla-class sla-class-name
    jitter milliseconds
    latency milliseconds
    loss percentage
policy
  app-route-policy policy-name
    vpn-list list-name 
      default-action sla-class sla-class-name
      sequence number
        match
          app-list list-name          
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns (request | response)
          dns-app-list list-name
          dscp number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number
        action          
          backup-sla-preferred-color color
          count counter-name
          log
          sla-class sla-class-name [strict] [preferred-color colors]
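
A complete application-aware routing configuration built from the hierarchy above, added here as an illustration (it is not taken from the original page or from Cisco's examples). The list names, site IDs, VPN ID, DSCP value, SLA thresholds and the apply-policy line are constructed placeholders; the tunnel colors mpls and biz-internet are standard Viptela color names. The layout follows the page's indentation-only hierarchy notation rather than the `!`-terminated form of show running-config output.

```text
policy
  lists
    app-list voice-apps
      app-family audio-video            # assumed family name; pick one from your release
    site-list branch-sites
      site-id 100
      site-id 200
    vpn-list user-vpns
      vpn 10
  sla-class voice-sla
    jitter 30
    latency 150
    loss 1
policy
  app-route-policy route-voice
    vpn-list user-vpns
      default-action sla-class voice-sla
      sequence 10
        match
          app-list voice-apps
          dscp 46
        action
          count voice-flows
          log
          sla-class voice-sla strict preferred-color mpls
          backup-sla-preferred-color biz-internet
apply-policy
  site-list branch-sites app-route-policy route-voice   # assumed attachment syntax
```

Sequence 10 pins flows that match both the application list and DSCP 46 to the mpls color while that tunnel meets the voice-sla thresholds, with biz-internet as the backup color; everything else in VPN 10 falls through to the default action and is simply held to the same SLA class. The count and log actions give you per-sequence counters and log entries to confirm the policy is matching what you expect before tightening it.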

For Centralized Control Policy

Configure on vSmart controllers only.

policy
  lists
    color-list list-name
      color color
    prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn vpn-id
policy
  control-policy policy-name
    default-action action
    sequence number
      match
        route
          color color
          color-list list-name
          omp-tag number
          origin protocol
          originator ip-address
          preference number
          prefix-list list-name
          site-id site-id
          site-list list-name
          tloc ip-address color color [encap encapsulation]
          tloc-list list-name
          vpn vpn-id
          vpn-list list-name
        tloc 
          carrier carrier-name
          color color
          color-list list-name
          domain-id domain-id
          group-id group-id
          omp-tag number
          originator ip-address
          preference number
          site-id site-id
          site-list list-name
          tloc address color color [encap encapsulation]
          tloc-list list-name
      action
        reject
        accept
          set
            omp-tag number
            preference value
            service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
            tloc-action action
            tloc-list list-name
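
A centralized control policy assembled from the hierarchy above, added as an illustration rather than copied from the page. It is written so that it matches the page's own Example (a control policy named change-tloc applied outbound to site-list west), but the policy body, site IDs, VPN ID and hub TLOC addresses are assumptions, not Cisco's configuration. Indentation follows the page's hierarchy notation.

```text
policy
  lists
    site-list west
      site-id 100
      site-id 101
    site-list east
      site-id 200
    tloc-list hub-tlocs
      tloc 10.1.1.1 color mpls encap ipsec preference 100   # constructed hub system IPs
      tloc 10.1.1.2 color mpls encap ipsec preference 50
    vpn-list user-vpns
      vpn 10
policy
  control-policy change-tloc
    default-action accept
    sequence 10
      match
        route
          site-list east
          vpn-list user-vpns
      action
        accept
          set
            tloc-list hub-tlocs
    sequence 20
      match
        tloc
          site-list east
      action
        reject
apply-policy
  site-list west control-policy change-tloc out
```

Applied outbound toward the west sites, sequence 10 rewrites the next-hop TLOCs of VPN 10 routes learned from the east sites so they point at the hub, and sequence 20 withholds the east sites' own TLOC advertisements from the west sites altogether. The net effect is that west and east cannot form direct tunnels and only reach each other through the hub, which is the usual way to enforce a hub-and-spoke segmentation boundary with control policy.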

For Centralized Data Policy

Configure on vSmart controllers only.

policy
  cflowd-template template-name
    collector vpn vpn-id address ip-address port port-number transport transport-type
      source-interface interface-name
    flow-active-timeout seconds
    flow-inactive-timeout seconds
    flow-sampling-interval number
    template-refresh seconds  
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name
      ip-prefix prefix
    site-list list-name
      site-id site-id
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name
      vpn vpn-id
policy
  data-policy policy-name
    vpn-list list-name
      default-action action
      sequence number
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns (request | response)
          dns-app-list list-name
          dscp number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number
          tcp flag
        action
          cflowd (not available for deep packet inspection)
          count counter-name
          drop
          log
          tcp-optimization
          accept
            nat [pool number] [use-vpn 0] (in Releases 16.2 and earlier, not available for deep packet inspection)
            redirect-dns (host | ip-address)
            set
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation]
              local-tloc-list color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color [encap encapsulation]
              tloc-list list-name
              vpn vpn-id
policy
  data-policy policy-name
    default-action action
    sequence number
      match
        app-list list-name
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        packet-length number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
        tcp flag
      action
        count counter-name
        drop
        accept
          set local-tloc color
          set next-hop ip-address 
          set policer policer-name 
          set service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id] 
          set tloc ip-address 
          set vpn vpn-id
  vpn-membership policy-name
    default-action action
    sequence number
      match
        vpn vpn-id
        vpn-list list-name
      action
        (accept | reject)
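
A centralized data policy that uses the vpn-list form of the hierarchy above, added here as an illustration and not taken from the page. The prefixes, site IDs, VPN ID, counter names and the apply-policy direction keyword are constructed assumptions; the match and action keywords are the ones the hierarchy lists.

```text
policy
  lists
    data-prefix-list mgmt-hosts
      ip-prefix 10.10.0.0/24            # constructed management subnet
    data-prefix-list guest-subnets
      ip-prefix 192.168.100.0/24        # constructed guest subnet
    site-list all-branches
      site-id 100
      site-id 200
    vpn-list guest-vpn
      vpn 20
policy
  data-policy restrict-guest
    vpn-list guest-vpn
      default-action accept
      sequence 10
        match
          source-data-prefix-list guest-subnets
          destination-data-prefix-list mgmt-hosts
        action
          count guest-to-mgmt
          log
          drop
      sequence 20
        match
          source-data-prefix-list guest-subnets
          protocol 6
          destination-port 23
        action
          count guest-telnet
          drop
      sequence 30
        match
          source-data-prefix-list guest-subnets
        action
          accept
            nat use-vpn 0
apply-policy
  site-list all-branches data-policy restrict-guest from-service   # assumed direction keyword
```

Sequences are evaluated in order, so the specific drops (guest to management, and guest Telnet on TCP port 23) come before the broad sequence 30 that accepts remaining guest traffic and NATs it out through VPN 0. Keeping the default action at accept while the drops carry count and log actions makes it easy to verify from the counters that the deny rules are actually being hit.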

For Localized Control Policy

Configure on vEdge routers only.

policy
  lists
    as-path-list list-name
      as-path as-number
    community-list list-name
      community [aa:nn | internet | local-as | no-advertise | no-export]
    ext-community-list list-name
      community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]
    prefix-list list-name
      ip-prefix prefix/length
policy
  route-policy policy-name
    default-action action
    sequence number
      match
        address list-name
        as-path list-name
        community list-name
        ext-community list-name
        local-preference number
        metric number
        next-hop list-name
        omp-tag number
        origin (egp | igp | incomplete)
        ospf-tag number
        peer address
      action
        reject
        accept
          set
            aggregator as-number ip-address
            as-path (exclude | prepend) as-number
            atomic-aggregate
            community value
            local-preference number
            metric number
            metric-type (type1 | type2)
            next-hop ip-address
            omp-tag number
            origin (egp | igp | incomplete)
            originator ip-address
            ospf-tag number
            weight number
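
A localized control policy (route-policy) built from the hierarchy above, added as an illustration and not part of the original page. The prefix, AS numbers, neighbor address and the BGP attachment lines are constructed assumptions; a route-policy like this is attached under the BGP neighbor rather than through apply-policy.

```text
policy
  lists
    prefix-list partner-routes
      ip-prefix 172.16.0.0/12           # constructed partner address space
    as-path-list partner-as
      as-path 65010                     # constructed partner ASN
policy
  route-policy partner-in
    default-action reject
    sequence 10
      match
        address partner-routes
        as-path partner-as
      action
        accept
          set
            local-preference 200
            community no-export
vpn 1
  router
    bgp 65000                           # constructed local ASN
      neighbor 172.16.255.1
        address-family ipv4-unicast
          route-policy partner-in in    # assumed attachment syntax
```

Only prefixes inside the partner-routes list that also arrive with the expected AS path are accepted, and they are tagged no-export so they are not re-advertised to other external peers; anything else from that neighbor hits the reject default action. Filtering on both prefix and AS path is what stops a peer from injecting prefixes it should not be originating.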

For Localized Data Policy for IPv4

Configure on vEdge routers only.

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
  class-map
    class class-name queue number
  log-frequency number
  mirror mirror-name
    remote-dest ip-address source ip-address
  policer policer-name
    burst bytes
    exceed action
    rate bps
  qos-map map-name
    qos-scheduler scheduler-name
  qos-scheduler scheduler-name
    bandwidth-percent percentage
    buffer-percent percentage
    class class-name
    drops drop-type
  rewrite-rule rule-name
    class class-name priority dscp (high | low) layer-2-cos number
policy
  access-list acl-name
    default-action action
    sequence number
      match
        class class-name
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        packet-length number
        plp (high | low)
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
        tcp flag
      action
        count counter-name
        drop
        log
        accept
          class class-name
          mirror mirror-name
          policer policer-name 
          set dscp value
          set next-hop ipv4-address
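
A localized data policy (access list) using the hierarchy above, added here as an illustration rather than copied from the page. The subnets, policer values, mirror destination, counter names and the interface attachment are constructed assumptions. It matches on source-ip directly so it does not depend on a list.

```text
policy
  log-frequency 1000
  policer mgmt-policer
    rate 1000000
    burst 15000
    exceed drop
  mirror to-sensor
    remote-dest 10.50.0.5 source 10.50.0.1   # constructed sensor and source addresses
policy
  access-list protect-mgmt
    default-action accept
    sequence 10
      match
        source-ip 10.10.0.0/24                # constructed trusted management subnet
        protocol 6
        destination-port 22
      action
        count mgmt-ssh
        accept
          policer mgmt-policer
          mirror to-sensor
    sequence 20
      match
        protocol 6
        destination-port 22
      action
        count blocked-ssh
        log
        drop
vpn 0
  interface ge0/0
    access-list protect-mgmt in           # assumed attachment syntax
```

SSH from the trusted subnet is accepted but rate-limited by the policer and copied to the mirror destination for monitoring; SSH from anywhere else is counted, logged and dropped. The log-frequency setting throttles how often matching packets generate log entries, which keeps a scan against port 22 from flooding the log.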

For Zone-Based Firewalls

Configure on vEdge routers only.

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
  tcp-syn-flood-limit number
  zone (destination-zone-name | source-zone-name)
    vpn vpn-id
  zone-to-no-zone-internet (allow | deny)
  zone-pair pair-name
    source-zone source-zone-name
    destination-zone destination-zone-name
    zone-policy policy-name
  zone-based-policy policy-name
    default-action action
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
      action
        drop
        inspect
        log
        pass
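
A zone-based firewall configuration assembled from the hierarchy above, added as an illustration and not taken from the page. Zone names, VPN IDs, the server prefix and the SYN-flood limit are constructed assumptions. Unlike the other policy types, a zone-based policy is bound through a zone-pair rather than apply-policy.

```text
policy
  tcp-syn-flood-limit 2000
  zone guest-zone
    vpn 20
  zone corp-zone
    vpn 10
  zone-to-no-zone-internet deny
  zone-pair guest-to-corp
    source-zone guest-zone
    destination-zone corp-zone
    zone-policy guest-policy
  zone-based-policy guest-policy
    default-action drop
    sequence 10
      match
        destination-ip 10.20.0.0/16       # constructed corporate server range
        protocol 6
        destination-port 443
      action
        inspect
    sequence 20
      match
        protocol 17
        destination-port 53
      action
        inspect
    sequence 30
      match
        protocol 1
      action
        log
        drop
```

Guest-zone traffic toward the corporate zone is limited to HTTPS to the server range and DNS, both stateful (inspect) so return traffic is allowed only for sessions the guest side opened; ICMP is explicitly logged and dropped, and the drop default action covers everything else. Setting zone-to-no-zone-internet to deny keeps the same default-deny stance for traffic between a zone and interfaces that belong to no zone.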

Options

None

Operational Commands

show running-config

Example

Apply a control policy to the sites defined in the list "west":

apply-policy
  site-list west control-policy change-tloc out

Release Information

Command introduced in Viptela Software Release 14.1.
Release 14.2 added application-aware routing policy.
Release 18.2 added zone-based firewall policy.

Additional Information

See the Policy Overview article for your software release.
Related commands: access-list, apply-policy, policy ipv6, redistribute
