
Configuring Centralized Data Policy

This article provides general procedures for configuring centralized data policy on vSmart controllers. Centralized data policy can be used for different purposes, which are described in separate sections in this article:

  • To base policy decisions on source and destination prefixes and on the headers in the IP data packets, you use centralized data policy, which you configure with the policy data-policy command. The vSmart controller pushes this type of data policy to the vEdge routers. In domains with multiple vSmart controllers, all the controllers must have the same centralized data policy configuration to ensure that traffic flow within the overlay network remains synchronized.
  • To base policy decisions on the application information in the packet payload, you use centralized data policy to perform deep packet inspection. You configure this by creating lists of applications with the policy lists app-list command and then calling these lists in a policy data-policy command. To specify the path that application traffic takes through the network, you can set the local TLOC or the remote TLOC, or both, to use to send the traffic over.
  • To configure the VPNs that vEdge routers are allowed to receive routes from, you use centralized data policy, which you configure with the policy vpn-membership command. VPN membership policy affects which routes the vSmart controller sends to the vEdge router. The policy itself remains on the vSmart controller and is not pushed to the vEdge routers.

Configuring Centralized Data Policy Based on Prefixes and IP Headers

A centralized data policy based on source and destination prefixes and on headers in IP packets consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packet stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configuration, it is dropped and discarded by default.

To create a centralized data policy to filter based on IP prefixes and IP packet headers, you include the following components in the configuration on a vSmart controller:

| Component | Description | Configuration Command |
|---|---|---|
| Lists | Groupings of related items that you reference in the match and action portions of the data policy configuration. For centralized data policy, you can group applications, IP prefixes, sites, TLOCs, and VPNs. | policy lists |
| Centralized data policy instance | Container for centralized data policy that filters packets based on IP prefix and IP packet header fields. | policy data-policy |
| VPN list | List of VPNs to which to apply the centralized data policy. | policy data-policy vpn-list |
| Numbered sequences of match–action pairs | Sequences that establish the order in which the policy components are applied. | policy data-policy vpn-list sequence |
| Match parameters | Conditions that packets must match to be considered for a data policy. | policy data-policy vpn-list sequence match |
| Actions | Whether to accept or reject (and drop) matching packets, and how to process matching packets. | policy data-policy vpn-list sequence action |
| Default action | Action to take if a packet matches none of the policy conditions. | policy data-policy vpn-list default-action |
| Application of centralized data policy | For a data policy to take effect, you apply it to one or more sites in the overlay network. | apply-policy site-list data-policy |

The following figure illustrates the configuration components for centralized data policy:

General vManage Configuration Procedure

To configure centralized data policies, use the vManage policy configuration wizard. The wizard consists of four sequential screens that guide you through the process of creating and editing policy components:

  1. Create Applications or Groups of Interest—Create lists that group together related items and that you call in the match or action components of a policy.
  2. Configure Topology—Create the network structure to which the policy applies.
  3. Configure Traffic Rules—Create the match and action conditions of a policy.
  4. Apply Policies to Sites and VPNs—Associate policy with sites and VPNs in the overlay network.

In the first three policy configuration wizard screens, you are creating policy components or blocks. In the last screen, you are applying policy blocks to sites and VPNs in the overlay network.

For a centralized data policy to take effect, you must activate the policy.

Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy.

The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.

Create Applications or Groups of Interest

To create lists of applications or groups to use in centralized data policy:

  1. Start the policy configuration wizard as explained above.
  2. Create new lists, as described in the following table:
List Type Procedure
Application
  1. In the left bar, click Application.
  2. Click New Application List.
  3. Enter a name for the list.
  4. Click either the Application or Application Family button.
  5. From the Select drop-down, select the desired applications or application families.
  6. Click Add.

Two application lists are preconfigured. You cannot edit or delete these lists.

  • Google_Apps—Includes Google applications, such as gmail, Google maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.
  • Microsoft_Apps—Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.
Data Prefix
  1. In the left bar, click Data Prefix.
  2. Click New Data Prefix List.
  3. Enter a name for the list.
  4. In the Add Data Prefix field, enter one or more data prefixes separated by commas.
  5. Click Add.
Policer
  1. In the left bar, click Policer.
  2. Click New Policer List.
  3. Enter a name for the list.
  4. Define the policing parameters:
    1. In the Burst field, enter the maximum traffic burst size, a value from 15,000 to 10,000,000 bytes.
    2. In the Exceed field, select the action to take when the burst size or traffic rate is exceeded. It can be drop, which sets the packet loss priority (PLP) to low, or remark, which sets the PLP to high.
    3. In the Rate field, enter the maximum traffic rate, a value from 0 through 2^64 – 1 bits per second (bps).
  5. Click Add.
Prefix
  1. In the left bar, click Prefix.
  2. Click New Prefix List.
  3. Enter a name for the list.
  4. In the Add Prefix field, enter one or more data prefixes separated by commas.
  5. Click Add.
Site
  1. In the left bar, click Site.
  2. Click New Site List.
  3. Enter a name for the list.
  4. In the Add Site field, enter one or more site IDs separated by commas.
  5. Click Add.
TLOC
  1. In the left bar, click TLOC.
  2. Click New TLOC List. The TLOC List popup displays.
  3. Enter a name for the list.
  4. In the TLOC IP field, enter the system IP address for the TLOC.
  5. In the Color field, select the TLOC's color.
  6. In the Encap field, select the encapsulation type.
  7. In the Preference field, optionally select a preference to associate with the TLOC.
  8. Click Add TLOC to add another TLOC to the list.
  9. Click Save.
VPN
  1. In the left bar, click VPN.
  2. Click New VPN List.
  3. Enter a name for the list.
  4. In the Add VPN field, enter one or more VPN IDs separated by commas.
  5. Click Add.
  3. Click Next to move to Configure Topology in the wizard. When you first open this screen, the Topology tab is selected by default.

Configure the Network Topology

To configure the network topology or a VPN membership to use in centralized data policy:

  1. If you are already in the policy configuration wizard, skip to Step 4. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Create a network topology, as described in the following table:
Policy Type Description Procedure
Hub and Spoke: Policy for a topology with one or more central hub sites and with spokes connected to a hub
  1. In the Add Topology drop-down, select Hub and Spoke.
  2. Enter a name for the hub-and-spoke policy.
  3. Enter a description for the policy.
  4. In the VPN List field, select the VPN list for the policy.
  5. In the left pane, click Add Hub and Spoke. A hub-and-spoke policy component containing the text string My Hub-and-Spoke is added in the left pane.
  6. Double-click the My Hub-and-Spoke text string, and enter a name for the policy component.
  7. In the right pane, add hub sites to the network topology:
    1. Click Add Hub Sites.
    2. In the Site List Field, select a site list for the policy component.
    3. Click Add.
    4. Repeat Steps 7a, 7b, and 7c to add more hub sites to the policy component.
  8. In the right pane, add spoke sites to the network topology:
    1. Click Add Spoke Sites.
    2. In the Site List Field, select a site list for the policy component.
    3. Click Add.
    4. Repeat Steps 8a, 8b, and 8c to add more spoke sites to the policy component.
  9. Repeat Steps 5 through 8 to add more components to the hub-and-spoke policy.
  10. Click Save Hub and Spoke Policy.
Mesh: Partial-mesh or full-mesh region
  1. In the Add Topology drop-down, select Mesh.
  2. Enter a name for the mesh region policy component.
  3. Enter a description for the mesh region policy component.
  4. In the VPN List field, select the VPN list for the policy.
  5. Click New Mesh Region.
  6. In the Mesh Region Name field, enter a name for the individual mesh region.
  7. In the Site List field, select one or more sites to include in the mesh region.
  8. Repeat Steps 5 through 7 to add more mesh regions to the policy.
  9. Click Save Mesh Region.
  5. To use an existing topology:
    1. In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup displays.
    2. Select the type of topology.
    3. In the Policy drop-down, select the name of the topology.
    4. Click Import.
  6. To create a VPN membership policy, in the Topology bar, click VPN Membership. Then:
    1. Click Add VPN Membership Policy. The Update VPN Membership Policy popup displays.
    2. Enter a name and description for the VPN membership policy.
    3. In the Site List field, select the site list.
    4. In the VPN Lists field, select the VPN list.
    5. Click Add List to add another VPN to the VPN membership.
    6. Click Save.
  7. Click Next to move to Configure Traffic Rules in the wizard. When you first open this screen, the Application-Aware Routing tab is selected by default.

Configure Traffic Rules

To create the match and action rules to apply to traffic affected by the policy:

  1. If you are already in the policy configuration wizard, skip this procedure. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Click Next. The Configure Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.

To configure traffic rules for centralized data policy:

  1. In the Application-Aware Routing bar, select the Traffic Data tab.
  2. Click the Add Policy drop-down.
  3. Select Create New. The Add Data Policy popup opens.
  4. Select the type of data policy from Application Firewall, QoS, Service Chaining, Traffic Engineering, and Custom.
  5. In the left pane, click Sequence Type. A policy sequence containing the text string Application Firewall, QoS, Service Chaining, Traffic Engineering, or Custom is added in the left pane.
  6. Double-click the text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane.
  7. In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.
  8. To select one or more Match conditions, click its box and set the values as described in the following table. Note that not all match conditions are available for all policy sequence types.
Match Condition Procedure
None (match all packets): Do not specify any match conditions.
Applications/Application Family List
  1. In the Match conditions, click Applications/Application Family List.
  2. In the drop-down, select the application family.
  3. To create an application list:
    1. Click New Application List.
    2. Enter a name for the list.
    3. Click the Application button to create a list of individual applications. Click the Application Family to create a list of related applications.
    4. In the Select Application drop-down, select the desired applications or application families.
    5. Click Save.
Destination Data Prefix
  1. In the Match conditions, click Destination Data Prefix.
  2. To match a list of destination prefixes, select the list from the drop-down.
  3. To match an individual destination prefix, type the prefix in the Destination box.
Destination Port
  1. In the Match conditions, click Destination Port.
  2. In the Destination field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
DNS Application List (to enable split DNS)
  1. In the Match conditions, click DNS Application List.
  2. In the drop-down, select the application family.
DNS (to enable split DNS)
  1. In the Match conditions, click DNS.
  2. In the drop-down, select Request to process DNS requests for the DNS applications, and select Response to process DNS responses for the applications.
DSCP
  1. In the Match conditions, click DSCP.
  2. In the DSCP field, type the DSCP value, a number from 0 through 63.
Packet Length
  1. In the Match conditions, click Packet Length.
  2. In the Packet Length field, type the length, a value from 0 through 65535.
PLP
  1. In the Match conditions, click PLP.
  2. In the PLP drop-down, select Low or High. To set the PLP to high, apply a policer that includes the exceed remark option.
Protocol
  1. In the Match conditions, click Protocol.
  2. In the Protocol field, type the Internet Protocol number, a number from 0 through 255.
Source Data Prefix
  1. In the Match conditions, click Source Data Prefix.
  2. To match a list of source prefixes, select the list from the drop-down.
  3. To match an individual source prefix, type the prefix in the Source box.
Source Port
  1. In the Match conditions, click Source Port.
  2. In the Source field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
TCP
  1. In the Match conditions, click TCP.
  2. In the TCP field, syn is the only option available.
  9. To select actions to take on matching data traffic, click the Actions box.
  10. To drop matching traffic, click the Drop button.
  11. To accept matching traffic, click the Accept button. The available policy actions are listed to the right of the button.
  12. Set the policy action as described in the following table:
Action Description Procedure
Counter: Count matching data packets.
  1. In the Action conditions, click Counter.
  2. In the Counter Name field, enter the name of the file in which to store packet counters.
DSCP: Assign a DSCP value to matching data packets.
  1. In the Action conditions, click DSCP.
  2. In the DSCP field, type the DSCP value, a number from 0 through 63.
Forwarding Class: Assign a forwarding class to matching data packets.
  1. In the Action conditions, click Forwarding Class.
  2. In the Forwarding Class field, type the class value, which can be up to 32 characters long.
Log: Place a sampled set of packets that match the SLA class rule into system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.
  1. In the Action conditions, click Log to enable logging.
Policer: Apply a policer to matching data packets.
  1. In the Action conditions, click Policer.
  2. In the Policer drop-down field, select the name of a policer.
  13. Click Save Match and Actions.
  14. Create additional sequence rules as desired. Drag and drop to re-arrange them.
  15. Create additional sequence types as desired. Drag and drop to re-arrange them.
  16. Click Save Data Policy.

Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Apply Policies to Sites and VPNs

In the last screen of the policy configuration wizard, you associate the policy blocks that you created on the previous three screens with VPNs and with sites in the overlay network.

To apply a policy block to sites and VPNs in the overlay network:

  1. If you are already in the policy configuration wizard, skip to Step 6. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Click Next. The Configure Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.
  5. Click Next. The Apply Policies to Sites and VPNs screen opens.
  6. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
  7. In the Policy Description field, enter a description of the policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.
  8. From the Topology bar, select the type of policy block. The table then lists policies that you have created for that type of policy block.
  9. Associate the policy with VPNs and sites. The choice of VPNs and sites depends on the type of policy block:
    1. For a Topology policy block, click Add New Site List and VPN List or Add New Site. Some topology blocks might have no Add buttons. Select one or more site lists, and select one or more VPN lists. Click Add.
    2. For an Application-Aware Routing policy block, click Add New Site List and VPN list. Select one or more site lists, and select one or more VPN lists. Click Add.
    3. For a Traffic Data policy block, click Add New Site List and VPN List. Select the direction for applying the policy (From Tunnel, From Service, or All), select one or more site lists, and select one or more VPN lists. Click Add.
    4. For a cflowd policy block, click Add New Site List. Select one or more site lists, and click Add.
  10. Click Preview to view the configured policy. The policy is displayed in CLI format.
  11. Click Save Policy. The Configuration ► Policies screen opens, and the policies table includes the newly created policy.

Activate a Centralized Data Policy

Activating a centralized data policy sends that policy to all connected vSmart controllers. To activate a centralized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Select a policy.
  3. Click the More Actions icon to the right of the row, and click Activate. The Activate Policy popup opens. It lists the IP addresses of the reachable vSmart controllers to which the policy is to be applied.
  4. Click Activate.

General CLI Configuration Procedure

Following are the high-level steps for configuring a centralized data policy based on prefixes and the headers in the IP packets. By default, matching is done on the 6-tuple consisting of the source IP address, destination IP address, source port, destination port, protocol, and DSCP.

  1. Create a list of overlay network sites to which the centralized data policy is to be applied (in the apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (-).
    Create additional site lists, as needed.
  2. Create lists of IP prefixes and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# data-prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create lists of TLOCs, as needed:
    vSmart(config)# policy
    vSmart(config-policy)# lists tloc-list list-name
    vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]
  4. Define policing parameters, as needed:
    vSmart(config-policy)# policer policer-name
    vSmart(config-policer)# rate bandwidth
    vSmart(config-policer)# burst bytes
    vSmart(config-policer)# exceed action
  5. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy-policy-name)# vpn-list list-name
  6. Create a series of match–action pair sequences:
    vSmart(config-vpn-list)# sequence number
    vSmart(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either dropping the packet or accepting it as is).
  7. Define match parameters for packets:
    vSmart(config-sequence-number)# match parameters
  8. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | drop) [count counter-name] [log] [tcp-optimization]
    vSmart(config-sequence-number)# action accept nat [pool number] [use-vpn 0]
    vSmart(config-sequence-number)# action accept redirect-dns (host | ip-address)
    vSmart(config-sequence-number)# action accept set parameters
  9. Create additional numbered sequences of match–action pairs within the data policy, as needed.
  10. If a packet does not match any of the conditions in one of the sequences, it is dropped by default. To accept nonmatching packets, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  11. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)
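
The following configuration assembles the steps above into one complete data policy; it is an added example, not configuration from the original article, and every list name, site ID, prefix, VPN ID, policer name and counter name in it is constructed for illustration. Lines beginning with ! are annotations.

```text
! Added example (not from the original article). All list names,
! site IDs, prefixes, VPN IDs, policer and counter names are constructed.
policy
  lists
    site-list branch-sites
      site-id 100-103
    data-prefix-list voice-servers
      ip-prefix 10.1.10.0/24
    data-prefix-list guest-lan
      ip-prefix 192.168.50.0/24
    vpn-list customer-vpns
      vpn 1
      vpn 2
  ! Policer: 1 Mbps rate, 15000-byte burst; excess traffic is re-marked
  ! (PLP set to high) instead of being dropped
  policer guest-1mbps
    rate 1000000
    burst 15000
    exceed remark
  data-policy branch-data-policy
    vpn-list customer-vpns
      ! Sequence 10: UDP (protocol 17) toward the voice servers is
      ! accepted, counted and marked DSCP 46
      sequence 10
        match
          destination-data-prefix-list voice-servers
          protocol 17
        action accept
          count voice-to-servers
          set
            dscp 46
      ! Sequence 20: traffic sourced from the guest LAN is accepted,
      ! policed, and a sampled set of its packets is logged
      sequence 20
        match
          source-data-prefix-list guest-lan
        action accept
          log
          set
            policer guest-1mbps
      ! Sequence 30: ICMP (protocol 1) is dropped and counted
      sequence 30
        match
          protocol 1
        action drop
          count dropped-icmp
      ! Without this line, every packet that matches none of the
      ! sequences above is dropped
      default-action accept
! Apply the policy to the branch sites, in the from-service direction
apply-policy site-list branch-sites
  data-policy branch-data-policy from-service
```

Evaluation stops at the first matching sequence, so a guest-LAN host sending UDP to the voice servers is handled by sequence 10 (marked and counted) and never reaches the policer in sequence 20; order the sequences to reflect which treatment should win.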

Structural Components of Policy Configuration for Centralized Data Policy

Following are the structural components required to configure centralized data policy based on IP addresses and prefixes. Each one is explained in more detail in the sections below.

policy
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  policer policer-name
    burst bytes
    exceed action
    rate bandwidth
  data-policy policy-name 
    vpn-list list-name 
      sequence number 
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port port-numbers
          dscp number
          dns-app-list list-name
          dns (request | response)
          packet-length number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port port-numbers
          tcp flag
        action
          cflowd (not available for deep packet inspection)
          count counter-name
          drop
          log
          redirect-dns (dns-ip-address | host)
          tcp-optimization
          accept
            nat [pool number] [use-vpn 0]
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
              tloc ip-address color color [encap encapsulation]
              tloc-list list-name
              vpn vpn-id
      default-action
        (accept | drop)
apply-policy site-list list-name 
  data-policy policy-name (all | from-service | from-tunnel) 

Lists

Centralized data policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

Applications and application families

List of one or more applications or application families running on the subnets connected to the vEdge router. Each app-list can contain either applications or application families, but you cannot mix the two. To configure multiple applications or application families in a single list, include multiple app or app-family options, specifying one application or application family in each app or app-family option.
application-name is the name of an application. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
application-family is the name of an application family. It can be one of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.

app-list list-name
(app applications|
app-family application-families)

Data prefixes

List of one or more IP prefixes. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.

data-prefix-list list-name
  ip-prefix prefix/length

Sites

List of one or more site identifiers in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).

site-list list-name
  site-id site-id

TLOCs

List of one or more addresses of transport locations (TLOCs) in the overlay network. For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
Optionally, set a preference value (from 0 to 2^32 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition and multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.

tloc-list list-name
  tloc ip-address color color
  encap encapsulation
  [preference value]

VPNs

List of one or more VPNs in the overlay network. For data policy, you can configure any VPNs except for VPN 0 and VPN 512.
To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).

vpn-list list-name
  vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, no two data policies can have overlapping site lists. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

VPN Lists

Each centralized data policy is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The list you specify must be one that you created with a policy lists vpn-list command.

For centralized data policy, you can include any VPNs except for VPN 0 and VPN 512. VPN 0 is reserved for control traffic, so it never carries any data traffic, and VPN 512 is reserved for out-of-band network management, so it also never carries any data traffic. Note that while the CLI allows you to include these two VPNs in a data policy configuration, the policy is not applied to these two VPNs.

Policer Parameters

To configure policing parameters, create a policer that specifies the maximum bandwidth and burst rate for traffic on an interface, and how to handle traffic that exceeds these values:

vSmart(config)# policy policer policer-name
vSmart(config-policer)# rate bps
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action

rate is the maximum traffic rate. It can be a value from 0 through 2^64 – 1 bits per second.

burst is the maximum traffic burst size. It can be a value from 15000 to 1000000 bytes.

exceed is the action to take when the burst size or traffic rate is exceeded. action can be drop (the default) or remark. The drop action is equivalent to setting the packet loss priority (PLP) bit to low. The remark action sets the PLP bit to high. In centralized data policy, access lists, and application-aware routing policy, you can match the PLP with the match plp option.

Sequences

Each VPN list consists of sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

Each sequence can contain one match command and one action command.

Match Parameters

Centralized data policy can match IP prefixes and fields in the IP headers, as well as applications. You can also enable split DNS. You configure the match parameters under the policy data-policy vpn-list sequence match command.

Each sequence in a policy can contain one match command.

For data policy, you can match these parameters:

| Description | Command | Value or Range |
|---|---|---|
| Match all packets | Omit the match command | |
| Applications or application families | app-list list-name | Name of an app-list list |
| Group of destination prefixes | destination-data-prefix-list list-name | Name of a data-prefix-list list |
| Individual destination prefix | destination-ip prefix/length | IP prefix and prefix length |
| Destination port number | destination-port number | 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]) |
| Enable split DNS, to resolve and process DNS requests and responses on an application-by-application basis | dns-app-list list-name | Name of an app-list list. This list specifies the applications whose DNS requests are processed. |
| Specify the direction in which to process DNS packets | dns (request \| response) | To process DNS requests sent by the applications (for outbound DNS queries), specify dns request. To process DNS responses returned from DNS servers to the applications, specify dns response. |
| DSCP value | dscp number | 0 through 63 |
| Packet length | packet-length number | 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]) |
| Packet loss priority (PLP) | plp (high \| low) | By default, packets have a PLP value of low. To set the PLP value to high, apply a policer that includes the exceed remark option. |
| Internet protocol number | protocol number | 0 through 255 |
| Group of source prefixes | source-data-prefix-list list-name | Name of a data-prefix-list list |
| Individual source prefix | source-ip prefix/length | IP prefix and prefix length |
| Source port number | source-port number | 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]) |
| TCP flag | tcp flag | syn |

Action Parameters

When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped, and it can be counted. Then, you can associate parameters with accepted packets. You configure the action parameters under the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain one action command.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

| Description | Command | Value or Range |
|---|---|---|
| Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration. | accept | |
| Enable cflowd traffic monitoring. | cflowd | |
| Count the accepted or dropped packets. | count counter-name | Name of a counter. Use the show policy access-lists counters command on the vEdge router. |
| Discard the packet. This is the default action. | drop | |
| Log the packet. Packets are placed into the messages and vsyslog system logging (syslog) files. | log | To view the packet logs, use the show app log flows and show log commands. |
| Redirect DNS requests to a particular DNS server. Redirecting requests is optional, but if you do so, you must specify both actions. | redirect-dns host and redirect-dns ip-address | For an inbound policy, redirect-dns host allows the DNS response to be correctly forwarded back to the requesting service VPN. For an outbound policy, specify the IP address of the DNS server. |
| Fine-tune TCP to decrease round-trip latency and improve throughput for matching TCP traffic. | tcp-optimization | |

Then, for a packet that is accepted, the following parameters can be configured:

| Description | Parameter | Value or Range |
|---|---|---|
| Enable cflowd traffic monitoring. | cflowd | |
| Direct matching traffic to the NAT functionality so that it can be redirected directly to the Internet or other external destination. | nat [pool number] [use-vpn 0] | |
| DSCP value. | set dscp value | 0 through 63 |
| Forwarding class. | set forwarding-class value | Name of forwarding class |
| Direct matching packets to a TLOC that matches the color and encapsulation. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. | set local-tloc color color [encap encapsulation] | color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. By default, encapsulation is ipsec. It can also be gre. |
| Direct matching packets to one of the TLOCs in the list if the TLOC matches the color and encapsulation. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option. | set local-tloc-list color color encap encapsulation [restrict] | color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. By default, encapsulation is ipsec. It can also be gre. |
| Set the next hop to which the packet should be forwarded. | set next-hop ip-address | IP address |
| Apply a policer. | set policer policer-name | Name of policer configured with a policy policer command |
| Specify a service to redirect traffic to before delivering the traffic to its destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service command. | set service service-name [tloc ip-address \| tloc-list list-name] [vpn vpn-id] | Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. The TLOC list is configured with a policy lists tloc-list command. |
| Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation. | set tloc address color color [encap encapsulation] | TLOC address, color, and encapsulation |
| Direct traffic to one of the remote TLOCs in the TLOC list if it matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic. | set tloc-list list-name | Name of a policy lists tloc-list list |
| Set the VPN that the packet is part of. | set vpn vpn-id | 0 through 65530 |

Default Action

If a data packet being evaluated does not match any of the match conditions in a data policy, a default action is applied to the packet. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Applying Centralized Data Policy

For a centralized data policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

By default, data policy applies to all data traffic passing through the vEdge router: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering to the local site through the tunnel interface. You can explicitly configure this behavior by including the all option. To have the data policy apply only to traffic coming from the service site and exiting from the local site through the tunnel interface, include the from-service option. To have the policy apply only to traffic entering from the tunnel interface and traveling to the service site, include the from-tunnel option. You can apply different data policies in each of the two traffic directions.

For all data-policy policies that you apply with apply-policy commands, the site IDs across all the site lists must be unique. That is, the site lists must not contain overlapping site IDs. An example of overlapping site IDs are those in the two site lists site-list 1 site-id 1-100 and site-list 2 site-id 70-130. Here, sites 70 through 100 are in both lists. If you were to apply these two site lists to two different data-policy policies, the attempt to commit the configuration on the vSmart controller would fail.

The same type of restriction also applies to the following types of policies:

  • Application-aware routing policy (app-route-policy)
  • Centralized control policy (control-policy)
  • Centralized data policy used for cflowd flow monitoring (data-policy that includes a cflowd action and apply-policy that includes a cflowd-template command)

You can, however, have overlapping site IDs for site lists that you apply for different types of policy. For example, the sites lists for control-policy and data-policy policies can have overlapping site IDs. So for the two example site lists above, site-list 1 site-id 1-100 and site-list 2 site-id 70-130, you could apply one to a control policy and the other to a data policy.
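The overlap rule above, generalized into an added Python pre-commit check (not Viptela or Cisco code): site lists are parsed as site-id ranges and compared pairwise only among policies of the same type, so the two lists from the text conflict when both carry data policy but not when one carries control policy. The policy and list names are constructed.

```python
"""Pre-commit check for overlapping site IDs across apply-policy site lists (constructed example)."""
from itertools import combinations

# Policy types to which the "no overlapping site IDs" rule applies, per the text above.
SITE_UNIQUE_TYPES = ("data-policy", "control-policy", "app-route-policy")


def parse_site_ids(tokens):
    """Turn the arguments of site-id commands ('1-100', '7') into (low, high) intervals."""
    intervals = []
    for tok in tokens:
        lo, sep, hi = str(tok).partition("-")
        lo, hi = int(lo), (int(hi) if sep else int(lo))
        if hi < lo:
            raise ValueError(f"descending site-id range {tok!r}")
        intervals.append((lo, hi))
    return intervals


def overlap(a, b):
    """Return the site-ID ranges present in both interval lists a and b."""
    shared = []
    for lo1, hi1 in a:
        for lo2, hi2 in b:
            lo, hi = max(lo1, lo2), min(hi1, hi2)
            if lo <= hi:
                shared.append((lo, hi))
    return shared


def check_apply_policy(site_lists, applied):
    """site_lists: {site-list name: [site-id tokens]}.
    applied: [(policy type, policy name, site-list name)] taken from apply-policy.
    Returns human-readable conflicts; an empty list means this check would not
    block the commit. Overlap between different policy types is allowed."""
    conflicts = []
    for (type1, pol1, sl1), (type2, pol2, sl2) in combinations(applied, 2):
        if type1 != type2 or type1 not in SITE_UNIQUE_TYPES:
            continue
        shared = overlap(parse_site_ids(site_lists[sl1]), parse_site_ids(site_lists[sl2]))
        for lo, hi in shared:
            conflicts.append(f"{type1} {pol1} (site-list {sl1}) and {pol2} (site-list {sl2}) "
                             f"both cover site-id {lo}-{hi}")
    return conflicts


# The two lists from the text: site-list 1 site-id 1-100 and site-list 2 site-id 70-130.
SITE_LISTS = {"1": ["1-100"], "2": ["70-130"]}

if __name__ == "__main__":
    both_data = [("data-policy", "dp-a", "1"), ("data-policy", "dp-b", "2")]
    for line in check_apply_policy(SITE_LISTS, both_data):
        print(line)
```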

As soon as you successfully activate the configuration by issuing a commit command, the vSmart controller pushes the data policy to the vEdge routers located in the specified sites. To view the policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy

To view the policy that has been pushed to the vEdge router, use the show policy from-vsmart command on the vEdge router.

vEdge# show policy from-vsmart

Configuring Deep Packet Inspection

You configure deep packet inspection using a standard centralized data policy. You define the applications of interest in a policy lists app-list command, and you call these lists in the match portion of the data policy. You can control the path of the application traffic through the network by defining, in the action portion of the data policy, the local TLOC or the remote TLOC, or for strict control, you can define both.

General vManage Configuration Procedure

To configure a centralized data policy for deep packet inspection in vManage NMS, perform the following steps:

  1. Configure lists to group related items to be called in the centralized data policy.
  2. Configure the centralized data policy.
  3. Apply the policy.

Configure Lists

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policies title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. Click Define Lists, located in the upper right corner of the screen.
  4. In the left pane, select the type of list. For centralized data policy for deep packet inspection, you can use Application, Site, and VPN lists.
  5. To create a new list, click New List.
    To modify an existing list, click the More Actions icon to the right of the desired list, and click the pencil icon.
  6. In the List Name field, enter a name for the list. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  7. In the field below the List Name field, enter the desired values for the list. For some lists you type the desired values, and for others you select from a drop-down.
  8. Click Add (for a new list) or Save (for an existing list).

Configure a Centralized Data Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policy title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. In the Policy bar, click Traffic.
  4. To create a new centralized data policy, click Data Policy.
    To modify an existing policy, click the More Actions icon to the right of the desired policy, and click the pencil icon.
  5. If data traffic does not match any of the conditions in one of the sequences, it is dropped by default. If you want nonmatching packets to be accepted, click the pencil icon in the Default Action, click Accept, and click Save Match And Actions.
  6. To create a match–action sequence for data traffic:
    1. Click Sequence Type.
    2. To create a match–action rule, click Sequence Rule. The Match button is selected by default.
    3. Click the desired Match button, and enter the desired values in Match Conditions. For some conditions, you type the desired values, and for others you select from a drop-down.
    4. Click the Actions button. The default action is Reject. To accept matching packets, click the Accept radio button. Then click the desired action, and enter the desired values for Actions.
    5. Click Save Match and Actions.
    6. Create additional Sequence Rules or Sequence Types, as needed.
  7. To rename a Sequence Type, double-click its name in the right pane, and type the new name. The name also changes in the right pane.
  8. To re-order sequence rules and types, drag and drop them.
  9. Click Save.

You can also configure a centralized data policy for deep packet inspection directly from the Configuration ► Policies screen:

  1. Click Assemble Full Policy.
  2. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  3. In the Policy Description field, enter a description for the policy. This field is mandatory, and it can contain any characters and spaces.
  4. Click Data in the bar located directly below the Policy Description field.
  5. In the left pane, click Add Data Policy, and follow Steps 6, 7, and 8 above.

Apply a Centralized Data Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Click Assemble Full Policy.
  3. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  4. In the Policy Description field, enter a description for the policy. This field is mandatory, and it can contain any characters and spaces.
  5. Click Data in the bar located directly below the Policy Description field.
  6. In the left pane, select a data policy. The right pane displays the New Site List and VPN List box.
  7. Click New Site List and VPN List.
  8. Click the Select Site List field, and select a site list.
  9. Click the Select VPN List field, and select a VPN list.
  10. Click Add.
  11. To add additional components to the centralized data policy, repeat Steps 6 through 10.
  12. Click Save.

General CLI Configuration Procedure

Following are the high-level steps for configuring a centralized data policy to use for deep packet inspection:

  1. Create a list of overlay network sites to which the data policy is to be applied (in the apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
    Create additional site lists, as needed.
  2. Create lists of applications and application families that are to be subject to the data policy. Each list can contain one or more application names, or one or more application families. A single list cannot contain both applications and application families.
    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-app-list)# app application-name

    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-app-list)# app-family family-name
  3. Create lists of IP prefixes and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# data-prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  4. Create lists of TLOCs, as needed:
    vSmart(config)# policy
    vSmart(config-policy)# lists tloc-list list-name
    vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]
  5. Define policing parameters, as needed:
    vSmart(config-policy)# policer policer-name
    vSmart(config-policer)# rate bps
    vSmart(config-policer)# burst bytes
    vSmart(config-policer)# exceed action
  6. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy-policy-name)# vpn-list list-name
  7. Create a series of match–action pair sequences:
    vSmart(config-vpn-list)# sequence number
    vSmart(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either dropping the packet or accepting it as is).
  8. Define match parameters based on applications:
    vSmart(config-sequence-number)# match app-list list-name
  9. Define additional match parameters for data packets:
    vSmart(config-sequence-number)# match parameters
  10. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | drop) [count]
  11. For packets that are accepted, define the actions to take. To control the tunnel over which the packets travel, define the remote or local TLOC, or for strict control over the tunnel path, set both:
    vSmart(config-action)# set tloc ip-address color color encap encapsulation
    vSmart(config-action)# set tloc-list list-name
    vSmart(config-action)# set local-tloc color color encap encapsulation

    vSmart(config-action)# set local-tloc-list color color encap encapsulation [restrict]
  12. Define additional actions to take.
  13. Create additional numbered sequences of match–action pairs within the data policy, as needed.
  14. If a packet does not match any of the conditions in one of the sequences, it is dropped by default. If you want nonmatching packets to be accepted, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  15. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)
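The evaluation rules of steps 6 through 14, as an added Python model (not Viptela or Cisco code): numbered sequences tried from the lowest, first match wins, default-action applied when nothing matches, VPN-list scoping with VPN 0 and VPN 512 never subject to policy, and the single/list/range syntax of the port match. The list names, sequence numbers, addresses and packet records are constructed; the app lists use application families from the Lists table below.

```python
"""First-match evaluation of a centralized data policy (constructed example, not Viptela code)."""
import ipaddress

# Constructed lists, as created with `policy lists ...` on the vSmart controller.
APP_LISTS = {  # (app | app-family, names): one list holds applications or families, never both
    "p2p-family": ("app-family", ["peer-to-peer", "file-transfer"]),
    "web-family": ("app-family", ["web", "webmail"]),
}
PREFIX_LISTS = {"guest-lan": ["10.20.0.0/16"]}  # data-prefix-list guest-lan

# Constructed `policy data-policy dpi-example` bound to `vpn-list customer-vpns` (VPN 1 and 2).
POLICY = {
    "vpn-list": [1, 2],
    "default-action": "accept",  # the CLI default is drop; set explicitly here
    "sequences": [
        {"sequence": 10, "match": {"app-list": "p2p-family"},
         "action": {"verdict": "drop", "count": "p2p-dropped"}},
        {"sequence": 20, "match": {"app-list": "web-family", "protocol": "6",
                                   "destination-port": "80 443 8080-8090"},
         "action": {"verdict": "accept",
                    "set": {"local-tloc": ("biz-internet", "ipsec"), "dscp": 26}}},
        {"sequence": 30, "match": {"source-data-prefix-list": "guest-lan", "plp": "high"},
         "action": {"verdict": "drop", "count": "guest-exceeded"}},  # PLP high: policer remark
    ],
}

# match parameter -> packet field for the numeric matches that accept lists and ranges
NUMERIC = {"destination-port": "dst_port", "source-port": "src_port", "dscp": "dscp",
           "packet-length": "length", "protocol": "protocol"}


def parse_numbers(spec):
    """Parse '443', '80 443' or '8080-8090' into (low, high) intervals."""
    ranges = []
    for tok in str(spec).split():
        lo, sep, hi = tok.partition("-")
        ranges.append((int(lo), int(hi) if sep else int(lo)))
    return ranges


def in_ranges(value, spec):
    return any(lo <= value <= hi for lo, hi in parse_numbers(spec))


def sequence_matches(match, pkt):
    """True when every condition in one match block holds; an empty match
    (the match command omitted) matches all packets."""
    for key, want in match.items():
        if key in NUMERIC:
            if not in_ranges(pkt[NUMERIC[key]], want):
                return False
        elif key.endswith("-ip") or key.endswith("-data-prefix-list"):
            addr = ipaddress.ip_address(pkt["dst" if key.startswith("dest") else "src"])
            prefixes = PREFIX_LISTS[want] if key.endswith("list") else [want]
            if not any(addr in ipaddress.ip_network(p) for p in prefixes):
                return False
        elif key == "app-list":
            kind, names = APP_LISTS[want]
            if pkt.get(kind) not in names:
                return False
        elif key == "plp":
            if pkt.get("plp", "low") != want:
                return False
        elif key == "tcp":
            if pkt["protocol"] != 6 or want not in pkt.get("tcp_flags", ()):
                return False
        else:
            raise ValueError(f"unsupported match parameter {key}")
    return True


def evaluate(policy, pkt, counters):
    """Return (verdict, packet) for one packet: 'accept', 'drop' or 'not-applied'.

    Sequences are tried from the lowest number; the first match decides and
    evaluation stops. VPN 0 and VPN 512 never have data policy applied, and
    packets outside the policy's VPN list are not evaluated either.
    """
    if pkt["vpn"] in (0, 512) or pkt["vpn"] not in policy["vpn-list"]:
        return "not-applied", pkt
    for seq in sorted(policy["sequences"], key=lambda s: s["sequence"]):
        if not sequence_matches(seq.get("match", {}), pkt):
            continue
        action = seq["action"]
        if "count" in action:  # count applies to accepted and dropped packets alike
            counters[action["count"]] = counters.get(action["count"], 0) + 1
        if action["verdict"] == "drop":
            return "drop", pkt
        return "accept", {**pkt, **action.get("set", {})}
    return policy.get("default-action", "drop"), pkt


def packet(vpn, src, dst, protocol, dst_port, app_family, plp="low", **extra):
    """Build a constructed packet record as the DPI engine would classify it."""
    return {"vpn": vpn, "src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port,
            "src_port": 50000, "length": 800, "dscp": 0, "app-family": app_family,
            "plp": plp, **extra}
```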

To enable the infrastructure for deep packet inspection on the vEdge routers, include the following command in the configuration on the routers:

vEdge(config)# policy app-visibility

Structural Components of Policy Configuration for Deep Packet Inspection

Following are the structural components required to configure centralized data policy for deep packet inspection. Each one is explained in more detail in the sections below.

On the vSmart controller:
policy
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  policer policer-name
    burst bytes
    exceed action
    rate bps
  data-policy policy-name 
    vpn-list list-name 
      sequence number 
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip ip-addresses
          destination-port port-numbers
          dscp number
          packet-length number
          protocol protocol
          source-data-prefix-list list-name
          source-ip ip-addresses
          source-port port-numbers
          tcp flag
        action
          drop
          count counter-name
          log
          accept
            nat [pool number] [use-vpn 0]
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color encap encapsulation
              tloc-list list-name
              vpn vpn-id
      default-action
        (accept | drop)
apply-policy site-list list-name 
  data-policy policy-name (all | from-service | from-tunnel) 
  
On the vEdge router:
policy
  app-visibility

Lists

Centralized data policy for deep packet inspection uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

| List Type | Description | Command |
|---|---|---|
| Application list | List of one or more applications or application families running on the subnets connected to the vEdge router. application-names can be the names of one or more applications. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI. application-families can be one or more of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail. | app-list list-name (app applications \| app-family application-families) |
| Prefix list | List of one or more IP prefixes. | data-prefix-list list-name ip-prefix prefix/length |
| Site list | List of one or more site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10). | site-list list-name site-id site-id |
| TLOC list | List of one or more TLOCs in the overlay network. For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec. Optionally, set a preference value (from 0 to 2^32 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion. | tloc-list list-name tloc ip-address color color encap encapsulation [preference value] |
| VPN list | List of one or more VPNs in the overlay network. For data policy, you can configure any VPNs except for VPN 0 and VPN 512. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10). | vpn-list list-name vpn vpn-id |

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

VPN Lists

Each centralized data policy is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The list you specify must be one that you created with a policy lists vpn-list command.

You can include any VPNs except for VPN 0, which is reserved for control traffic, so never carries any data traffic, and VPN 512, which is reserved for out-of-band network management, so also never carries any data traffic. Note that while the CLI allows you to include these two VPNs in a data policy configuration, the policy is not applied to these two VPNs.

Policer Parameters

To configure policing parameters, create a policer that specifies the maximum bandwidth and burst rate for traffic on an interface, and how to handle traffic that exceeds these values:

vSmart(config)# policy policer policer-name
vSmart(config-policer)# rate bps
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action

rate is the maximum traffic rate. It can be a value from 0 through 2^64 – 1 bits per second.

burst is the maximum traffic burst size. It can be a value from 15000 to 1000000 bytes.

exceed is the action to take when the burst size or traffic rate is exceeded. action can be drop (the default) or remark. The drop action is equivalent to setting the packet loss priority (PLP) bit to low. The remark action sets the PLP bit to high. In centralized data policy, access lists, and application-aware routing policy, you can match the PLP with the match plp option.
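The policer semantics described here and in the earlier Policer Parameters section, modelled as an added Python example (not Viptela or Cisco code): a token bucket with rate in bits per second and burst in bytes, where the exceed action decides between dropping an exceeding packet and forwarding it with the PLP bit remarked to high, which a later sequence can then match with match plp high. The range checks use the values stated above; the single-bucket refill model and the policer name are assumptions.

```python
"""Token-bucket model of `policy policer` (constructed example, not vEdge code)."""

RATE_MAX = 2**64 - 1                   # rate: 0 through 2^64 - 1 bits per second
BURST_MIN, BURST_MAX = 15000, 1000000  # burst: 15000 through 1000000 bytes


class Policer:
    """One `policy policer policer-name` with its rate, burst and exceed action.

    Conforming packets keep their PLP bit (low by default). For exceeding
    packets, `exceed drop` discards the packet and `exceed remark` forwards it
    with PLP set to high. The refill model is an assumption, not a documented
    internal of the vEdge data plane.
    """

    def __init__(self, name, rate_bps, burst_bytes, exceed="drop"):
        if not 0 <= rate_bps <= RATE_MAX:
            raise ValueError(f"rate {rate_bps} outside 0..2^64-1 bps")
        if not BURST_MIN <= burst_bytes <= BURST_MAX:
            raise ValueError(f"burst {burst_bytes} outside {BURST_MIN}..{BURST_MAX} bytes")
        if exceed not in ("drop", "remark"):
            raise ValueError("exceed must be 'drop' or 'remark'")
        self.name = name
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = burst_bytes
        self.exceed = exceed
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_seen = 0.0              # simulated clock, seconds
        self.conformed = self.exceeded = 0

    def police(self, packet, now):
        """Apply the policer to one packet dict ({'length': bytes, 'plp': 'low'|'high'}).

        Returns the (possibly remarked) packet, or None if it was dropped.
        `now` is the arrival time in seconds on a monotonic clock.
        """
        elapsed = max(0.0, now - self.last_seen)
        self.last_seen = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        if packet["length"] <= self.tokens:
            self.tokens -= packet["length"]
            self.conformed += 1
            return packet
        self.exceeded += 1
        if self.exceed == "drop":
            return None
        return {**packet, "plp": "high"}


def replay(policer, lengths, now=0.0):
    """Send packets of the given lengths at the same instant and return the PLP
    value each one left the policer with (None for a dropped packet)."""
    results = []
    for length in lengths:
        out = policer.police({"length": length, "plp": "low"}, now)
        results.append(None if out is None else out["plp"])
    return results


if __name__ == "__main__":
    # Constructed values: 8000 bps (1000 bytes/s) with a 15000-byte burst.
    marker = Policer("remark-over-8kbps", 8000, 15000, exceed="remark")
    print(replay(marker, [1000] * 16))  # 15 x 'low', then 'high' for the 16th
```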

Sequences

Within each VPN list are sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

Each sequence can contain one match command and one action command.

Match Parameters

For deep packet inspection, centralized data policy must match one or more applications. It can also match IP prefixes and fields in the IP headers. You configure the match parameters under the policy data-policy vpn-list sequence match command.

Each sequence in a policy can contain one match command.

For data policy, you can match these parameters:

| Description | Command | Value or Range |
|---|---|---|
| Group of applications | app-list list-name | Name of an app-list list |
| Group of destination prefixes | destination-data-prefix-list list-name | Name of a data-prefix-list list |
| Individual destination prefix | destination-ip prefix/length | IP prefix and prefix length |
| Destination port number | destination-port number | 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]) |
| DSCP value | dscp number | 0 through 63 |
| Packet length | packet-length number | 0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]) |
| Internet Protocol number | protocol number | 0 through 255 |
| Group of source prefixes | source-data-prefix-list list-name | Name of a data-prefix-list list |
| Individual source prefix | source-ip prefix/length | IP prefix and prefix length |
| Source port number | source-port number | 0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]) |
| TCP flag | tcp flag | syn |

Action Parameters

When data traffic matches the conditions in the match portion, the data packets can be accepted or dropped, and they can be counted. Then, you can associate parameters with accepted packets. You configure the action parameters under the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain one action command.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

| Description | Command | Value or Range |
|---|---|---|
| Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration. | accept | |
| Count the accepted or dropped packets. | count counter-name | Name of a counter. Use the show policy access-lists counter command on the vEdge router to display counter information. |
| Discard the packet. This is the default action. | drop | |
| Place a sampled set of packets that match the match conditions into the messages and vsyslog system logging (syslog) files. | log | To view the packet logs, use the show app log flows and show log commands. |

Then, for a packet that is accepted, the following parameters can be configured. Note that you cannot use DPI with either cflowd or NAT.

| Description | Parameter | Value or Range |
|---|---|---|
| DSCP value. | set dscp value | 0 through 63 |
| Forwarding class. | set forwarding-class value | Name of forwarding class |
| Direct matching packets to a TLOC that matches the color and encapsulation. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. | set local-tloc color color [encap encapsulation] | color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. By default, encapsulation is ipsec. It can also be gre. |
| Direct matching packets to one of the TLOCs in the list if the TLOC matches the color and encapsulation. By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option. | set local-tloc-list color color encap encapsulation [restrict] | color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. By default, encapsulation is ipsec. It can also be gre. |
| Set the next hop to which matching packets should be forwarded. | set next-hop ip-address | IP address |
| Apply a policer. | set policer policer-name | Name of policer configured with a policy policer command |
| Direct matching packets to the named service, before delivering the traffic to its ultimate destination. The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command. | set service service-name [tloc ip-address \| tloc-list list-name] [vpn vpn-id] | Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. The TLOC list is configured with a policy lists tloc-list command. |
| Direct matching packets to the named service that is reachable via a GRE tunnel whose source is in the transport VPN (VPN 0). If the GRE tunnel used to reach the service is down, packet routing falls back to using standard routing. To drop packets when a GRE tunnel to the service is unreachable, include the restrict option. In the service VPN, you must also advertise the service using the service command. You configure the GRE interface or interfaces in the transport VPN (VPN 0). | set service service-name local [restrict] [vpn vpn-id] | Standard services: FW, IDS, IDP. Custom services: netsvc1, netsvc2, netsvc3, netsvc4. |
| Direct traffic to a remote TLOC. The TLOC is defined by its IP address, color, and encapsulation. | set tloc address color color [encap encapsulation] | TLOC address, color, and encapsulation |
| Direct traffic to one of the remote TLOCs in the TLOC list. | set tloc-list list-name | Name of a policy lists tloc-list list |
| Set the VPN that the packet is part of. | set vpn vpn-id | 0 through 65530 |

Default Action

If a data packet being evaluated does not match any of the match conditions in a data policy, a default action is applied to the packet. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.
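As an added worked example (this configuration is not from the original document), the following vSmart configuration combines three of the actions listed above in one data policy: firewall service insertion that load-balances across two data-center TLOCs, a local-TLOC pin with restrict, and an explicit default-action accept. All list names, site IDs, prefixes, TLOC addresses and VPN numbers are invented. The data-prefix-list and ip-prefix list commands and the destination-data-prefix-list and dscp match conditions are Viptela data-policy commands that are not shown in this section and are assumed here.

```text
policy
 lists
  site-list branch-sites
   site-id 100-199
  vpn-list corp-vpns
   vpn 10
   vpn 20
  ! Assumed list type: data-prefix-list / ip-prefix (not shown in this section)
  data-prefix-list dc-servers
   ip-prefix 10.50.0.0/16
  tloc-list dc-fw-tlocs
   tloc 10.1.1.1 color mpls encap ipsec
   tloc 10.1.1.1 color biz-internet encap ipsec
 data-policy branch-to-dc
  vpn-list corp-vpns
   sequence 10
    ! Branch traffic bound for the data-center servers is redirected to the
    ! FW service advertised in VPN 10 behind the two data-center TLOCs;
    ! with two TLOCs in the list the traffic is load-balanced between them.
    match
     destination-data-prefix-list dc-servers
    action accept
     set
      service FW tloc-list dc-fw-tlocs vpn 10
   sequence 20
    ! Voice (DSCP 46) may leave only over the local MPLS TLOC. restrict
    ! drops it if MPLS is down instead of failing over to another color.
    match
     dscp 46
    action accept
     set
      local-tloc-list
       color mpls
       encap ipsec
       restrict
   ! Without this line, all traffic that matches neither sequence is dropped.
   default-action accept
apply-policy
 site-list branch-sites
  data-policy branch-to-dc from-service
```

Two design points are worth calling out. Sequence 20 uses restrict deliberately: without it, loss of the MPLS TLOC would silently move voice onto biz-internet, which may be the opposite of the intent, so decide explicitly which failure mode you want. The policy is applied with from-service, so it is evaluated only for traffic leaving the branch toward the tunnel; return traffic arriving from the tunnel is not re-steered through the firewall, and a symmetric policy on the data-center site is needed if both directions must be inspected. After commit, confirm what each branch actually received with show policy from-vsmart on the vEdge router.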

Applying Centralized Data Policy for Deep Packet Inspection

For a deep packet inspection centralized data policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

By default, data policy applies to all data traffic passing through the vEdge router: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering the local site through the tunnel interface. You can explicitly configure this behavior by including the all option. To have the data policy apply only to traffic exiting the local site, include the from-service option. To have the policy apply only to incoming traffic, include the from-tunnel option.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

As soon as you successfully activate the configuration by issuing a commit command, the vSmart controller pushes the data policy to the vEdge routers located in the specified sites. To view the policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy

To view the policy that has been pushed to the vEdge router, use the show policy from-vsmart command on the vEdge router.

vEdge# show policy from-vsmart

Monitor Running Applications

To enable the deep packet inspection infrastructure on the vEdge routers, you must enable application visibility on the routers:

vEdge(config)# policy app-visibility

To display information about the running applications, use the show app dpi supported-applications, show app dpi applications, and show app dpi flows commands on the router.

Configuring VPN Membership Policy

A VPN membership data policy consists of a series of numbered (ordered) sequences of match-action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packet stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configuration, it is, by default, rejected and discarded.

To create a VPN membership policy, you include the following components in the configuration on a vSmart controller:

Component: Lists
Description: Groupings of related items that you reference in the match and action portions of the data policy configuration. For VPN membership policy, you can group sites and VPNs.
Configuration Command: policy lists

Component: Centralized VPN membership policy instance
Description: Container for VPN membership policy to filter packets based on VPN.
Configuration Command: policy vpn-membership

Component: Numbered sequences of match–action pairs
Description: Sequences that establish the order in which the policy components are applied.
Configuration Command: policy vpn-membership sequence

Component: Match parameters
Description: Conditions that packets must match to be considered for the VPN membership policy.
Configuration Command: policy vpn-membership sequence match

Component: Actions
Description: Whether to accept or reject matching packets.
Configuration Command: policy vpn-membership sequence action

Component: Default action
Description: Action to take if a packet matches none of the policy conditions.
Configuration Command: policy vpn-membership default-action

Component: Application of VPN membership policy
Description: For a VPN membership policy to take effect, you apply it to one or more sites in the overlay network.
Configuration Command: apply-policy site-list vpn-membership

General Configuration Procedure

Following are the high-level steps for configuring a VPN membership data policy:

  1. Create a list of overlay network sites to which the VPN membership policy is to be applied (in the apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
    Create additional site lists, as needed.
  2. Create lists of VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create a VPN membership policy instance:
    vSmart(config)# policy vpn-membership policy-name
  4. Create a series of match–action pair sequences:
    vSmart(config-policy-name)# sequence number
    vSmart(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the packet or accepting it).
  5. Define match parameters for VPNs:
    vSmart(config-sequence-number)# match (vpn vpn-id | vpn-list list-name)
  6. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | reject)
  7. Create additional numbered sequences of match–action pairs within the VPN membership policy, as needed.
  8. If a packet does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching packets to be accepted, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  9. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name vpn-membership policy-name
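The nine steps above carried out in one configuration, as an added example that is not from the original document. The list names, site IDs and VPN numbers are invented; the command syntax is the one given in the steps.

```text
policy
 lists
  ! Step 1: the sites the policy will be applied to (a range plus one extra site)
  site-list retail-branches
   site-id 200-249
   site-id 300
  ! Step 2: the VPNs these sites are allowed to receive routes for
  vpn-list corporate-vpns
   vpn 10
   vpn 20
 ! Step 3: the policy instance
 vpn-membership retail-vpn-access
  ! Step 4-6: sequence 10 matches the VPN list and accepts it
  sequence 10
   match
    vpn-list corporate-vpns
   action accept
  ! Step 7: a second sequence using the single-VPN match form
  sequence 20
   match
    vpn 30
   action accept
  ! Step 8: reject is already the default; stating it makes the intent explicit
  default-action reject
! Step 9: apply the policy to the site list
apply-policy
 site-list retail-branches
  vpn-membership retail-vpn-access
```

With this configuration the vSmart controller sends the retail branches routes only for VPNs 10, 20 and 30; any other VPN the rest of the overlay carries is withheld from them, which is the least-privilege shape you normally want (allow-list plus default reject) rather than default-action accept with individual rejects. Because VPN membership policy stays on the controller, verify it there with show running-config policy and show running-config apply-policy; show policy from-vsmart on a vEdge router will not show it. Keep in mind the overlap rule below: if another vpn-membership policy is already applied to a site list containing any of sites 200-249 or 300, the commit fails.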

Structural Components of VPN Membership Policy Configuration

Following are the structural components required to configure VPN membership policy. Each one is explained in more detail in the sections that follow.

policy
  lists
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  vpn-membership policy-name
    sequence number
      match
        match-parameters
      action
        (accept | reject)
    default-action
      (accept | reject)
apply-policy site-list list-name
  vpn-membership policy-name

Lists

Centralized data policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

List Type: Site list
Description: List of site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).
Command:
  site-list list-name
    site-id site-id

List Type: VPN list
Description: List of VPNs in the overlay network.
Command:
  vpn-list list-name
    vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For VPN membership policy, you commonly create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all VPN membership policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

Match Parameters

For VPN membership policy, you can match these parameters:

Description: Individual VPN identifier
Command: vpn vpn-id
Value or Range: 0 through 65535

Description: Name of a VPN list
Command: vpn-list list-name
Value or Range: Name of a vpn-list list

Action Parameters

When data traffic matches the conditions in the match portion of a VPN membership policy, the packet can be either accepted or rejected:

Description: Accept the packet.
Command: accept

Description: Reject the packet. This is the default action.
Command: reject

Default Action

If a data packet being evaluated does not match any of the match conditions in a VPN membership policy, a default action is applied. By default, the packet is rejected. To modify this behavior, include the default-action accept command in the VPN membership policy.

Applying VPN Membership Policy

For a VPN membership policy to take effect, you must apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name vpn-membership policy-name

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all VPN membership policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

To display the VPN membership policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy