
Configuring Centralized Control Policy

Centralized control policy, which you configure on vSmart controllers, affects routing policy based on information in OMP routes and OMP TLOCs. This type of policy allows you to set actions for matching routes and TLOCs, including redirecting packets through network services, such as firewalls, a feature that is called service chaining.

In domains with multiple vSmart controllers, all the controllers must have the same centralized control policy configuration to ensure that routing within the overlay network remains stable and predictable.

This article provides procedures for configuring centralized control policy (including service chaining) from the CLI.

Configuration Components

A centralized control policy consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a route or TLOC matches the match conditions of a sequence, the associated action or actions are taken and policy evaluation for that route or TLOC stops. Keep this first-match behavior in mind as you design your policies, so that the desired actions are taken on the items subject to policy.

If a route or TLOC matches none of the conditions in any of the sequences in the policy configuration, it is, by default, rejected and discarded.

The following figure illustrates the configuration components for centralized control policy.

[Figure: configuration components for centralized control policy]

To create a centralized control policy, you include the following components in the configuration on a vSmart controller:

Lists
  Description: Groupings of related items that you reference in the match and action portions of the control policy configuration.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists
  CLI: policy lists

Centralized control policy instance
  Description: Container for centralized control policy.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy
  CLI: policy control-policy

Network topology
  Description: Conditions that define the network topology to which the policy applies.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Topology ► Add Topology
  CLI: no separate command; the topology is expressed by the control-policy sequences and by the sites to which the policy is applied

Numbered sequences of match–action pairs
  Description: Sequences that establish the order in which policy components are applied.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control ► Sequence Type
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Add Topology ► Custom Control ► Sequence Type
  CLI: policy control-policy sequence

Match parameters
  Description: Conditions that the routes and TLOCs must match to be considered for a control policy.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control ► Sequence Type ► Sequence Rule
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Add Topology ► Custom Control ► Sequence Type ► Sequence Rule
  CLI: policy control-policy sequence match route (match OMP route properties, such as the originating protocol and IP prefixes)
       policy control-policy sequence match tloc (match transport location parameters, such as the domain ID and TLOC IP address)

Actions
  Description: Whether to accept or reject matching routes and TLOCs, and how to process matching items.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control ► Sequence Type ► Sequence Rule
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Add Topology ► Custom Control ► Sequence Type ► Sequence Rule
  CLI: policy control-policy sequence action

Default action
  Description: Action to take if a route or TLOC matches none of the match parameters in any of the sequences. By default, nonmatching routes and TLOCs are rejected.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control ► Sequence Type ► Default Action
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Add Topology ► Custom Control ► Sequence Type ► Default Action
  CLI: policy control-policy default-action

Application of centralized control policy
  Description: For a control policy to take effect, you apply it to one or more sites in the overlay network.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Apply Policies to Sites and VPNs
  CLI: apply-policy site-list control-policy

General vManage Configuration Procedure

To configure centralized policies, use the vManage policy configuration wizard. The wizard consists of four sequential screens that guide you through the process of creating and editing policy components:

  • Create Groups of Interest—Create lists that group together related items and that you call in the match or action components of a policy.
  • Configure Topology—Create the network structure to which the policy applies.
  • Configure Traffic Rules—Create the match and action conditions of a policy.
  • Apply Policies to Sites and VPNs—Associate policy with sites and VPNs in the overlay network.

In the first three policy configuration wizard screens, you are creating policy components or blocks. In the last screen, you are applying policy blocks to sites and VPNs in the overlay network.

For a centralized policy to take effect, you must activate the policy.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Select the Centralized Policy tab.
  3. Click Add Policy.

The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.

Step 2: Configure Groups of Interest

In Create Groups of Interest, create lists of groups to use in centralized policy:

  1. Create new lists, as described below:

     Color
       1. In the left bar, click Color.
       2. Click New Color List.
       3. Enter a name for the list.
       4. From the Select Color drop-down, select the desired colors.
       5. Click Add.
     Prefix
       1. In the left bar, click Prefix.
       2. Click New Prefix List.
       3. Enter a name for the list.
       4. In the Add Prefix field, enter one or more data prefixes separated by commas.
       5. Click Add.
     Site
       1. In the left bar, click Site.
       2. Click New Site List.
       3. Enter a name for the list.
       4. In the Add Site field, enter one or more site IDs separated by commas.
       5. Click Add.
     TLOC
       1. In the left bar, click TLOC.
       2. Click New TLOC List. The TLOC List popup displays.
       3. Enter a name for the list.
       4. In the TLOC IP field, enter the system IP address for the TLOC.
       5. In the Color field, select the TLOC's color.
       6. In the Encap field, select the encapsulation type.
       7. In the Preference field, optionally select a preference to associate with the TLOC.
       8. Click Add TLOC to add another TLOC to the list.
       9. Click Save.
     VPN
       1. In the left bar, click VPN.
       2. Click New VPN List.
       3. Enter a name for the list.
       4. In the Add VPN field, enter one or more VPN IDs separated by commas.
       5. Click Add.
  2. Click Next to move to Configure Topology and VPN Membership in the wizard.

Step 3: Configure Topology and VPN Membership

When you first open the Configure Topology and VPN Membership screen, the Topology tab is selected by default:

[Figure: Configure Topology and VPN Membership screen, Topology tab]

To configure topology and VPN membership:

  1. In the Topology tab, create a network topology, as described below:

     Custom Control (Route & TLOC), centralized route control policy (for matching OMP routes)
       1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
       2. Enter a name for the control policy.
       3. Enter a description for the policy.
       4. In the left pane, click Add Sequence Type. The Add Control Policy popup displays.
       5. Select Route. A policy component containing the text string Route is added in the left pane.
       6. Double-click the Route text string, and enter a name for the policy component.
       7. In the right pane, click Add Sequence Rule. The Match/Actions box opens, and Match is selected by default.
       8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired. For an explanation of the match conditions, see the OMP Route Match Attributes section in the Configuring Centralized Control Policy article for your software release.
       9. Click Actions. The Reject radio button is selected by default. To configure actions to perform on accepted routes, click the Accept radio button. Then select the action or enter a value for the action. For an explanation of the actions, see the Action Parameters section in the Configuring Centralized Control Policy article for your software release.
       10. Click Save Match and Actions.
       11. Click Add Sequence Rules to configure more sequence rules, as desired. Drag and drop to re-order them.
       12. Click Add Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
       13. Click Save Control Policy.
     Custom Control (Route & TLOC), centralized TLOC control policy (for matching TLOC routes)
       1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
       2. Enter a name for the control policy.
       3. Enter a description for the policy.
       4. In the left pane, click Add Sequence Type. The Add Control Policy popup displays.
       5. Select TLOC. A policy component containing the text string TLOC is added in the left pane.
       6. Double-click the TLOC text string, and enter a name for the policy component.
       7. In the right pane, click Add Sequence Rule. The Match/Actions box opens, and Match is selected by default.
       8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired. For an explanation of the match conditions, see the OMP TLOC Match Attributes section in the Configuring Centralized Control Policy article for your software release.
       9. Click Actions. The Reject radio button is selected by default. To configure actions to perform on accepted TLOCs, click the Accept radio button. Then select the action or enter a value for the action. For an explanation of the actions, see the Action Parameters section in the Configuring Centralized Control Policy article for your software release.
       10. Click Save Match and Actions.
       11. Click Add Sequence Rules to configure more sequence rules, as desired. Drag and drop to re-order them.
       12. Click Add Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
       13. Click Save Control Policy.
  2. To use an existing topology:
     1. In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup displays.
     2. Select the type of topology.
     3. In the Policy drop-down, select the name of the topology.
     4. Click Import.
  3. Click Next to move to Configure Traffic Rules in the wizard.
  4. Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Step 4: Apply Policies to Sites and VPNs

In Apply Policies to Sites and VPNs, apply a policy to sites and VPNs:

[Figure: Apply Policies to Sites and VPNs screen]

  1. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
  2. In the Policy Description field, enter a description of the policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.
  3. From the Topology bar, select the type of policy block. The table then lists policies that you have created for that type of policy block.
  4. Associate the policy with VPNs and sites. The choice of VPNs and sites depends on the type of policy block:
    1. For a Topology policy block, click Add New Site List and VPN List or Add New Site. Some topology blocks might have no Add buttons. Select one or more site lists, and select one or more VPN lists. Click Add.
    2. For an Application-Aware Routing policy block, click Add New Site List and VPN list. Select one or more site lists, and select one or more VPN lists. Click Add.
    3. For a Traffic Data policy block, click Add New Site List and VPN List. Select the direction for applying the policy (From Tunnel, From Service, or All), select one or more site lists, and select one or more VPN lists. Click Add.
    4. For a cflowd policy block, click Add New Site List. Select one or more site lists, and click Add.
  5. Click Preview to view the configured policy. The policy is displayed in CLI format.
  6. Click Save Policy. The Configuration ► Policies screen opens, and the policies table includes the newly created policy.

Step 5: Activate a Centralized Policy

Activating a centralized policy sends that policy to all connected vSmart controllers. To activate a centralized policy:

  1. In vManage NMS, select the Configuration ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Select a policy.
  3. Click the More Actions icon to the right of the row, and click Activate. The Activate Policy popup opens. It lists the IP addresses of the reachable vSmart controllers to which the policy is to be applied.
  4. Click Activate.

General CLI Configuration Procedure

To configure a centralized control policy using the CLI:

  1. Create a list of overlay network sites to which the centralized control policy is to be applied (in the apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a hyphen (-).
    Create additional site lists, as needed.
  2. Create lists of IP prefixes, TLOCs, and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# tloc-list list-name
    vSmart(config-lists-list-name)# tloc address color color encap encapsulation [preference value]

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create a control policy instance:
    vSmart(config)# policy control-policy policy-name
    vSmart(config-control-policy-policy-name)#
  4. Create a series of match–action pair sequences:
    vSmart(config-control-policy-policy-name)# sequence number
    vSmart(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending as soon as the route or TLOC matches the conditions in one of the pairs. If no pair matches, the default action is taken (either rejecting the route or accepting it as is).
  5. Define match parameters for routes or for TLOCs (each sequence contains either one match route block or one match tloc block):
    vSmart(config-sequence-number)# match route route-parameter
    vSmart(config-sequence-number)# match tloc tloc-parameter
  6. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action reject
    vSmart(config-sequence-number)# action accept export-to (vpn vpn-id | vpn-list list-name)
    vSmart(config-sequence-number)# action accept set omp-tag number
    vSmart(config-sequence-number)# action accept set preference value
    vSmart(config-sequence-number)# action accept set service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
    vSmart(config-sequence-number)# action accept set tloc ip-address color color [encap encapsulation]
    vSmart(config-sequence-number)# action accept set tloc-action action
    vSmart(config-sequence-number)# action accept set tloc-list list-name
  7. Create additional numbered sequences of match–action pairs within the control policy, as needed.
  8. If a route does not match any of the conditions in any of the sequences, it is rejected by default. If you want nonmatching routes to be accepted, configure the default action for the policy:
    vSmart(config-control-policy-policy-name)# default-action accept
  9. Apply the policy to one or more sites in the Viptela overlay network:
    vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)
  10. If the action you are configuring is a service, configure the required services on the vEdge routers so that the vSmart controller knows how to reach the services:
    vEdge(config)# vpn vpn-id service service-name address ip-address
    Specify the VPN in which the service is located and one to four IP addresses to reach the service device or devices. If multiple devices provide the same service, the vEdge router load-balances the traffic among them. Note that the vEdge router keeps track of the services, advertising them to the vSmart controller only if the address (or one of the addresses) can be resolved locally, that is, at the vEdge router's local site, and not learned through OMP. If a previously advertised service becomes unavailable, the vEdge router withdraws the service advertisement.
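The procedure above describes how the vSmart controller walks a control policy: lowest sequence first, first match wins, and anything unmatched falls through to the default action, which is reject unless you change it. The following is an added example, not Cisco or Viptela code, that models exactly that evaluation over a few constructed OMP routes. The Route, Sequence and ControlPolicy types, the list names (hubs, branches, default-route), the site IDs and the prefixes are all assumptions made for the illustration; only the evaluation rules come from the procedure.

```python
"""Added example, not Cisco or Viptela code: a small model of how a vSmart
controller walks a centralized control policy over OMP routes. The list names,
site IDs, prefixes and the Route/Sequence/ControlPolicy types are constructed
for illustration; only the evaluation rules come from the procedure above."""
from dataclasses import dataclass, replace as dc_replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    """The OMP route attributes this example can match on."""
    vpn: int
    prefix: str
    site_id: int
    origin: str
    tloc: str            # system IP of the advertising TLOC
    preference: int = 0
    omp_tag: int = 0


@dataclass(frozen=True)
class Sequence:
    number: int
    match: dict          # match route parameters, e.g. {"site-list": "hubs"}
    action: str          # "accept" or "reject"
    sets: dict = None    # set parameters applied on accept, e.g. {"preference": 200}


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    sequences: tuple
    default_action: str = "reject"   # what vSmart does with unmatched routes


def expand_site_ids(entries):
    """site-list entries are single IDs ("100") or hyphenated ranges ("1-50")."""
    ids = set()
    for entry in entries:
        if "-" in entry:
            low, high = entry.split("-")
            ids.update(range(int(low), int(high) + 1))
        else:
            ids.add(int(entry))
    return ids


# Constructed "policy lists", as they would be configured on the vSmart controller.
LISTS = {
    "site-list": {"hubs": expand_site_ids(["100", "101"]),
                  "branches": expand_site_ids(["1-50"])},
    "prefix-list": {"default-route": {"0.0.0.0/0"}},   # exact prefix/length match only
    "vpn-list": {"corp": {1, 2}},
}

MATCHERS = {
    "site-id":     lambda r, v: r.site_id == v,
    "site-list":   lambda r, v: r.site_id in LISTS["site-list"][v],
    "vpn":         lambda r, v: r.vpn == v,
    "vpn-list":    lambda r, v: r.vpn in LISTS["vpn-list"][v],
    "prefix-list": lambda r, v: r.prefix in LISTS["prefix-list"][v],
    "origin":      lambda r, v: r.origin == v,
    "tloc":        lambda r, v: r.tloc == v,
}


def route_matches(route: Route, match: dict) -> bool:
    """Every parameter in a sequence's match block must hold (logical AND)."""
    return all(MATCHERS[param](route, value) for param, value in match.items())


def evaluate(policy: ControlPolicy, route: Route) -> Optional[Route]:
    """Walk the sequences lowest number first; the first match decides and
    evaluation stops. Returns the possibly modified route, or None if rejected."""
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if not route_matches(route, seq.match):
            continue
        if seq.action == "reject":
            return None
        changes = {k.replace("-", "_"): v for k, v in (seq.sets or {}).items()}
        return dc_replace(route, **changes)
    return route if policy.default_action == "accept" else None


# A hub-and-spoke style policy: prefer hub routes, refuse a default route from a
# branch, accept other branch routes, and let the (reject) default action drop
# anything from a site that is in neither list.
HUB_AND_SPOKE = ControlPolicy("hub-and-spoke", (
    Sequence(10, {"site-list": "hubs"}, "accept", {"preference": 200}),
    Sequence(20, {"site-list": "branches", "prefix-list": "default-route"}, "reject"),
    Sequence(30, {"site-list": "branches"}, "accept"),
))

ROUTES = (   # constructed OMP routes as received by the vSmart controller
    Route(1, "10.100.0.0/16", 100, "connected", "10.0.0.100"),   # from a hub
    Route(1, "0.0.0.0/0", 7, "static", "10.0.0.7"),               # branch leaking a default
    Route(1, "10.7.0.0/24", 7, "connected", "10.0.0.7"),          # ordinary branch prefix
    Route(1, "10.200.0.0/24", 200, "connected", "10.0.0.200"),    # site in no list
)


def run(policy: ControlPolicy = HUB_AND_SPOKE, routes=ROUTES) -> dict:
    """Evaluate each route; the result is keyed by prefix."""
    return {r.prefix: evaluate(policy, r) for r in routes}


if __name__ == "__main__":
    for prefix, result in run().items():
        verdict = "rejected" if result is None else f"accepted, preference {result.preference}"
        print(f"{prefix:16} {verdict}")
```

Two things worth checking against your own policy with this kind of model: the route from site 200 is dropped purely by the default action, so a site you forget to put in a list silently loses all routes unless you set default-action accept; and the branch default route is dropped only because sequence 20 sits before the broad sequence 30, so reordering the sequences changes the outcome.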

Structural Components of Policy Configuration for Centralized Control Policy

Following are the structural components required to configure centralized control policy. Each one is explained in more detail in the sections below.

policy
  lists
    color-list list-name
      color color
    prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  control-policy policy-name 
    sequence number 
      match
        match-parameters 
      action
        reject
        accept
          export-to (vpn vpn-id | vpn-list list-name)
          set parameter
    default-action
      (accept | reject)
apply-policy site-list list-name 
  control-policy policy-name (in | out)

Lists

Centralized control policy uses the following types of lists to group related items. In the CLI, you configure lists under the policy lists command hierarchy on vSmart controllers.

Colors
  List of one or more TLOC colors. color can be 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
  To configure multiple colors in a single list, include multiple color options, specifying one color in each option.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest ► Color
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists ► Color
  CLI:
    color-list list-name
      color color

Prefixes
  List of one or more IP prefixes. Specify the IP prefixes as follows:
    prefix/length—Exactly match a single prefix–length pair.
    0.0.0.0/0—Match any prefix–length pair.
    0.0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip-prefix 0.0.0.0/0 le 16 matches all IP prefixes with lengths from /1 through /16.
    0.0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0/0 ge 25 matches all IP prefixes with lengths from /25 through /32.
    0.0.0.0/0 ge length1 le length2, or 0.0.0.0/0 le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes, and ip-prefix 0.0.0.0/0 le 24 ge 20 matches the same prefixes. If length1 and length2 are the same, a single IP prefix length is matched. For example, ip-prefix 0.0.0.0/0 ge 24 le 24 matches only /24 prefixes.
  To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest ► Prefix
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists ► Prefix
  CLI:
    prefix-list list-name
      ip-prefix prefix/length [ge length] [le length]

Sites
  List of one or more site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).
  To configure multiple sites in a single list, include multiple site-id options, specifying one site number or range in each option.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest ► Site
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists ► Site
  CLI:
    site-list list-name
      site-id site-id

TLOCs
  List of one or more TLOCs in the overlay network.
  For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
  Optionally, set a preference value (from 0 through 4294967295, that is, 2^32 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition and multiple TLOCs are available and satisfy the match conditions, the TLOC with the highest preference value is used (as elsewhere in control policy, a higher preference value is more preferred). If two or more TLOCs share the highest preference value, traffic is sent among them in an ECMP fashion.
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest ► TLOC
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists ► TLOC
  CLI:
    tloc-list list-name
      tloc ip-address color color encap (gre | ipsec) [preference number]

VPNs
  List of one or more VPNs in the overlay network. For data policy, you can configure any VPNs except for VPN 0 and VPN 512.
  To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number or range in each option. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).
  vManage: Configuration ► Policies ► Centralized Policy ► Add Policy ► Create Groups of Interest ► VPN
    or Configuration ► Policies ► Custom Options ► Centralized Policy ► Lists ► VPN
  CLI:
    vpn-list list-name
      vpn vpn-id
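The ip-prefix ge/le rules described under Prefixes are easy to get subtly wrong (a bare prefix/length is an exact match, ge alone runs up to /32, and the two keywords may appear in either order). The following is an added example, not Cisco or Viptela code, that implements those rules as a checker you can run against candidate prefixes before committing a list. It generalizes the page's rules to any base prefix, not only 0.0.0.0/0; the assumption behind that generalization is that a candidate must lie inside the base prefix and its length must fall in the ge/le window. The list names and candidate prefixes are constructed.

```python
"""Added example, not Cisco or Viptela code: a checker for the ip-prefix
ge/le matching rules described above. It generalizes them to any base prefix,
not only 0.0.0.0/0 (assumption: a candidate must lie inside the base prefix
and its length must fall in the ge/le window). List names and candidate
prefixes are constructed."""
import ipaddress


def parse_entry(entry: str):
    """Parse 'prefix/length [ge n] [le m]' (ge/le in either order) into
    (network, lowest_length, highest_length)."""
    tokens = entry.split()
    if len(tokens) % 2 == 0 or len(tokens) > 5:
        raise ValueError(f"malformed ip-prefix entry: {entry!r}")
    net = ipaddress.ip_network(tokens[0], strict=False)
    bounds = {}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key not in ("ge", "le") or key in bounds:
            raise ValueError(f"malformed ip-prefix entry: {entry!r}")
        bounds[key] = int(value)
    if not bounds:                       # bare prefix/length: exact match only
        low = high = net.prefixlen
    else:
        low = bounds.get("ge", net.prefixlen)   # ge absent: from the base length
        high = bounds.get("le", net.max_prefixlen)  # le absent: up to /32
    if not net.prefixlen <= low <= high <= net.max_prefixlen:
        raise ValueError(f"inconsistent ge/le window in: {entry!r}")
    return net, low, high


def entry_matches(entry: str, candidate: str) -> bool:
    """Does one ip-prefix entry match a candidate route prefix?"""
    net, low, high = parse_entry(entry)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != net.version:
        return False
    return cand.subnet_of(net) and low <= cand.prefixlen <= high


def prefix_list_matches(entries, candidate: str) -> bool:
    """A prefix list matches when any of its ip-prefix entries matches."""
    return any(entry_matches(e, candidate) for e in entries)


# Constructed prefix lists, each a list of ip-prefix entries.
PREFIX_LISTS = {
    "default-only": ["0.0.0.0/0"],                 # exactly the default route
    "summaries":    ["0.0.0.0/0 le 16"],           # anything /16 or shorter
    "small-nets":   ["0.0.0.0/0 ge 25"],           # /25 through /32
    "campus-lans":  ["10.0.0.0/8 ge 20 le 24"],    # /20 to /24 inside 10/8
}


def matching_lists(candidate: str):
    """Names of the lists that match a candidate prefix, sorted."""
    return sorted(name for name, entries in PREFIX_LISTS.items()
                  if prefix_list_matches(entries, candidate))


if __name__ == "__main__":
    for p in ("0.0.0.0/0", "10.20.0.0/16", "10.20.30.0/24",
              "10.20.30.128/25", "192.168.1.0/24"):
        print(f"{p:18} -> {matching_lists(p) or 'no list'}")
```

The practical point is the difference between the default-only and summaries lists: a sequence that is meant to reject a branch's default route must use the exact 0.0.0.0/0 entry; an entry with le would also catch legitimate aggregate prefixes.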

Sequences

A centralized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route or TLOC is analyzed by the match–action pairs in the policy.

In vManage NMS, you configure sequences from:

  • Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type

  • Configuration ► Policies ► Custom Options ► Centralized Policy ► Topology ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type

In the CLI, you configure sequences with the policy control-policy sequence command.

Each sequence in a centralized control policy can contain one match condition (either for a route or for a TLOC​) and one action condition.

Match Parameters

Centralized control policy can match OMP route or TLOC route attributes.

In vManage NMS, you configure match parameters from:

  • Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type ► (Route | TLOC) ► Sequence Rule ► Match

  • Configuration ► Policies ► Custom Options ► Centralized Policy ► Topology ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type ► (Route | TLOC) ► Sequence Rule ► Match

In the CLI, you configure the OMP route attributes to match with the policy control-policy sequence match route command, and you configure the TLOC attributes to match with the policy control-policy sequence match tloc command.

Each sequence in a policy can contain one match section—either match route or match tloc​.

OMP Route Match Attributes

For OMP routes (vRoutes), you can match these attributes:

Individual color.
  vManage: Not available in vManage NMS
  CLI: color color
  Values: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver

One or more colors.
  vManage: Match Color List
  CLI: color-list list-name
  Values: Name of a policy lists color-list list.

Tag value associated with the route or prefix in the routing database on the vEdge router.
  vManage: Match OMP Tag
  CLI: omp-tag number
  Values: 0 through 4294967295

Protocol from which the route was learned.
  vManage: Match Origin
  CLI: origin protocol
  Values: bgp-external, bgp-internal, connected, ospf-external1, ospf-external2, ospf-inter-area, ospf-intra-area, static

IP address from which the route was learned.
  vManage: Match Originator
  CLI: originator ip-address
  Values: IP address

How preferred a prefix is. This is the preference value that the route or prefix has in the local site, that is, in the routing database on the vEdge router. A higher preference value is more preferred.
  vManage: Match Preference
  CLI: preference number
  Values: 0 through 255

One or more prefixes.
  vManage: Match Prefix List
  CLI: prefix-list list-name
  Values: Name of a policy lists prefix-list list.

Individual site identifier.
  vManage: Not available in vManage NMS
  CLI: site-id site-id
  Values: 0 through 4294967295

One or more overlay network site identifiers.
  vManage: Match Site
  CLI: site-list list-name
  Values: Name of a policy lists site-list list.

Individual TLOC address.
  vManage: Match TLOC
  CLI: tloc ip-address
  Values: IP address

One or more TLOC addresses.
  vManage: Match TLOC
  CLI: tloc-list list-name
  Values: Name of a policy lists tloc-list list.

Individual VPN identifier.
  vManage: Match VPN
  CLI: vpn vpn-id
  Values: 0 through 65535

One or more VPN identifiers.
  vManage: Match VPN
  CLI: vpn-list list-name
  Values: Name of a policy lists vpn-list list.

TLOC Route Match Attributes

For TLOC routes, you can match these attributes:

Carrier for the control traffic.
  vManage: Match Carrier
  CLI: carrier carrier-name
  Values: default, carrier1 through carrier8

Individual color.
  vManage: Not available in vManage NMS
  CLI: color color
  Values: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver

One or more colors.
  vManage: Match Color List
  CLI: color-list list-name
  Values: Name of a policy lists color-list list (see the colors above).

Domain identifier associated with a TLOC.
  vManage: Match Domain ID
  CLI: domain-id domain-id
  Values: 0 through 4294967295

Tag value associated with the TLOC route in the route table on the vEdge router.
  vManage: Match OMP Tag
  CLI: omp-tag number
  Values: 0 through 4294967295

IP address from which the route was learned.
  vManage: Match Originator
  CLI: originator ip-address
  Values: IP address

How preferred a TLOC route is. This is the preference value that the TLOC route has in the local site, that is, in the route table on the vEdge router. A higher preference value is more preferred.
  vManage: Match Preference
  CLI: preference number
  Values: 0 through 255

Individual site identifier.
  vManage: Match Site
  CLI: site-id site-id
  Values: 0 through 4294967295

One or more overlay network site identifiers.
  vManage: Match Site
  CLI: site-list list-name
  Values: Name of a policy lists site-list list.

Individual TLOC address.
  vManage: Match TLOC
  CLI: tloc address
  Values: IP address

One or more TLOC addresses.
  vManage: Match TLOC
  CLI: tloc-list list-name
  Values: Name of a policy lists tloc-list list.

Action Parameters

For each match condition, you configure a corresponding action to take if the route or TLOC matches.

In vManage NMS, you configure action parameters from:

  • Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type ► (Route | TLOC) ► Sequence Rule ► Action

  • Configuration ► Policies ► Custom Options ► Centralized Policy ► Topology ► Add Topology ► Custom Control (Route & TLOC) ► Sequence Type ► (Route | TLOC) ► Sequence Rule ► Action

In the CLI, you configure actions with the policy control-policy sequence action command.

Each sequence in a centralized control policy can contain one action condition.

In the action, you first specify whether to accept or reject a matching route or TLOC:

Description

vManage Configuration/
CLI Configuration Command

Value or Range

Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

Click Accept

accept

Discard the packet.

Click Reject

reject

Then, for a route or TLOC that is accepted, you can configure the following actions:

Description

vManage Configuration/
CLI Configuration Command

Value or Range

Export the route the the specified VPN or list of VPNs (for a match route match condition only).

Click Accept, then action Export To

export-to (vpn vpn‑id | vpn‑list vpn‑list)

0 through 65535 or list name.

Change the tag string in the route, prefix, or TLOC.

Click Accept, then action OMP Tag

set omp-tag number

0 through 4294967295

Change the preference value in the route, prefix, or TLOC to the specified value. A higher preference value is more preferred.

Click Accept, then action Preference

set preference number

0 through 255

Specify a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.

Click Accept, then action Service

set service service-name (tloc ip-address | tloc‑list list-name) [vpn vpn‑id]

Standard services: FW, IDS, IDP
Custom services: netsvc1, netsvc2, netsvc3, netsvc4

TLOC list configured with a policy lists tloc-list command.

Change the TLOC address, color, and encapsulation to the specified address and color.

Click Accept, then action TLOC

set tloc ip-address color color [encap encapsulation]

IP address, TLOC color, and encapsulation, Color can be one of 3g, biz-internet, blue, bronze, custom1 through custom3,default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. Encapsuation can be either gre or ipsec.

Direct matching routes or TLOCs using the mechanism specified by action, and enable end-to-end tracking of whether the ultimate destination is reachable. Setting a TLOC action is useful when traffic is first directed, via policy, to an intermediate destination, which then forwards the traffic to its ultimate destination. For example, for traffic from vEdge-A destined for vEdge-D, a policy might direct traffic from vEdge-A first to vEdge-B (the intermediate destination), and vEdge-B then sends it to the final destination, vEdge-D.

Setting the TLOC action option enables the vSmart controller to perform end-to-end tracking of the path to the ultimate destination router. In our example, matching traffic goes from vEdge-A to vEdge-B and then, in a single hop, goes to vEdge-D. If the tunnel between vEdge-B and vEdge-D goes down, the vSmart controller relays this information to vEdge-A, and vEdge-A removes its route to vEdge-D from its local route table. End-to-end tracking works here only because traffic goes from vEdge-B to vEdge-D in a single hop, via a single tunnel. If the traffic from vEdge-A went first to vEdge-B, then to vEdge-C, and finally to vEdge-D, the vSmart controller is unable to perform end-to-end tracking and is thus unable to keep vEdge-A informed about whether full path between it and vEdge-D is up.

Click Accept, then action TLOC Action

set tloc-action action

ecmp—Equally direct matching control traffic between the intermediate destination and the ultimate destination. In our example, traffic would be sent to vEdge-B (which would then send it to vEdge-D) and directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the ultimate destination.

primary—First direct matching traffic to the intermediate destination. If that router is not reachable, then direct it to the final destination. In our example, traffic would first be sent to vEdge-B. If this router is down, it is sent directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the final destination.

backup—First direct matching traffic to the final destination. If that router is not reachable, then direct it to the intermediate destination. In our example, traffic would first be sent directly to vEdge-D. If vEdge-A is not able to reach vEdge-D, traffic is sent to vEdge-B, which might have an operational path to reach vEdge-D. With this action, if the source is unable to reach the final destination directly, it is possible for all traffic to reach the final destination via the intermediate destination.

strict—Direct matching traffic only to the intermediate destination. In our example, traffic is sent only to vEdge-B, regardless of whether it is reachable. With this action, if the intermediate destination is down, no traffic reaches the final destination. If you do not configure a set tloc-action action in a centralized control policy, strict is the default behavior.

Change the TLOC address and color to those in the specified TLOC list.

Click Accept, then action TLOC

set tloc-list list-name

Name of a policy lists tloc-list list.

Default Action

If a route or TLOC being evaluated does not match any of the match conditions in a centralized control policy, a default action is applied to it. By default, the route or TLOC is rejected.

In vManage NMS, you modify the default action from Configuration ► Policies ► Centralized Policy ► Add Policy ► Configure Topology and VPN Membership ► Add Topology ► Custom Control (Route and TLOC) ► Sequence Type ► (Route | TLOC) ► Sequence Rule ► Default Action.

In the CLI, you modify the default action with the control policy default-action accept command.

Applying Centralized Control Policy

For a centralized control policy to take effect, you apply it to a list of sites in the overlay network.

To apply a centralized policy in vManage NMS:

  1. In vManage NMS, select the Configure ► Policies screen.
  2. Select a policy from the policy table.
  3. Click the More Actions icon to the right of the row, and click Activate. The Activate Policy popup opens. It lists the IP addresses of the reachable vSmart controllers to which the policy is to be applied.
  4. Click Activate.

To apply a centralized policy in the CLI:

vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)

You apply centralized control policy directionally:

  • Inbound direction (in)—The policy analyzes routes and TLOCs being received from the sites in the site list before placing the routes and TLOCs into the route table on the vSmart controller, so the specified policy actions affect the OMP routes stored in the route table.
  • Outbound direction (out)—The policy analyzes routes and TLOCs in the vSmart controller's route table after they are exported from the route table.

For all control-policy policies that you apply with apply-policy commands, the site IDs across all the site lists must be unique. That is, the site lists must not contain overlapping site IDs. An example of overlapping site IDs are those in the two site lists site-list 1 site-id 1-100 and site-list 2 site-id 70-130. Here, sites 70 through 100 are in both lists. If you were to apply these two site lists to two different control-policy policies, the attempt to commit the configuration on the vSmart controller would fail.

The same type of restriction also applies to the following types of policies:

  • Application-aware routing policy (app-route-policy)
  • Centralized data policy (data-policy)
  • Centralized data policy used for cflowd flow monitoring (data-policy that includes a cflowd action and apply-policy that includes a cflowd-template command)

You can, however, have overlapping site IDs for site lists that you apply for different types of policy. For example, the site lists for control-policy and data-policy policies can have overlapping site IDs. So for the two example site lists above, site-list 1 site-id 1-100 and site-list 2 site-id 70-130, you could apply one to a control policy and the other to a data policy.
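The overlap rule above can be checked before a commit is attempted. The following Python script is an added example, not Cisco or Viptela code: it parses a constructed configuration fragment (the site lists and apply-policy lines are modelled on the examples in this section; the trailing keyword on the data-policy line is an assumption) and reports distinct site lists bound to the same policy type whose site IDs overlap, which is the case that makes the vSmart commit fail, while ignoring overlaps across policy types.

```python
import re
from itertools import combinations

# Constructed vSmart configuration fragment (not from the page); the 'all'
# keyword on the data-policy line is assumed and is not interpreted here.
SAMPLE_CONFIG = """policy
 lists
  site-list 1
   site-id 1-100
  site-list 2
   site-id 70-130
apply-policy
 site-list 1 control-policy cp-a out
 site-list 2 control-policy cp-b in
 site-list 2 data-policy dp-a all
"""
APPLY_RE = re.compile(
    r"^\s*site-list\s+(\S+)\s+(control-policy|data-policy|app-route-policy)\s+\S+")

def parse_site_lists(config):
    """Return {list_name: set of site IDs}; 'site-id 70-130' expands the range."""
    lists, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "site-list":
            current = tokens[1]
            lists.setdefault(current, set())
        elif len(tokens) == 2 and tokens[0] == "site-id" and current:
            lo, _, hi = tokens[1].partition("-")
            lists[current].update(range(int(lo), int(hi or lo) + 1))
    return lists

def parse_apply_policy(config):
    """Return [(list_name, policy_type)] for every apply-policy binding."""
    return [m.group(1, 2) for m in map(APPLY_RE.match, config.splitlines()) if m]

def find_conflicts(config):
    """Return {(policy_type, list_a, list_b): shared IDs}; empty means commit-safe."""
    site_lists = parse_site_lists(config)
    bound = {}  # policy type -> names of the site lists it is applied to
    for list_name, policy_type in parse_apply_policy(config):
        bound.setdefault(policy_type, set()).add(list_name)
    conflicts = {}
    for policy_type, names in bound.items():
        for a, b in combinations(sorted(names), 2):
            shared = site_lists.get(a, set()) & site_lists.get(b, set())
            if shared:  # same policy type with overlapping IDs: vSmart rejects this
                conflicts[(policy_type, a, b)] = sorted(shared)
    return conflicts
```

On the sample, the two control policies conflict on sites 70 through 100, while site-list 2 being used by both a control policy and a data policy is reported as fine.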
