Cisco SD-WAN
Viptela Documentation

Configuring Localized Data Policy for IPv4

This article provides procedures for configuring IPv4 localized data policy. This type of data policy is called an access list, or ACL. You can provision simple access lists that filter traffic based on IP header fields. You also use access lists to apply QoS, mirroring, and policing to data packets. You can create access lists that act on unicast and multicast traffic.

In vManage NMS, you configure localized data policy from the Configuration ► Policies screen, using a policy configuration wizard. In the CLI, you configure these policies on the vEdge router.

Configuration Components

An access list consists of a sequence of match–action pairs that are evaluated in order, from lowest sequence number to highest. When a packet matches the conditions in one of the sequences, the associated action is taken and policy evaluation for that packet stops. Keep this first-match behavior in mind when you order sequences: a broad sequence placed before a narrower one prevents the narrower one from ever matching, so the desired action may never be taken on the packets you intended it for.

If a packet matches no parameters in any of the sequences in the policy configuration, it is, by default, dropped.

The following figure illustrates the configuration components for access lists.


To create an access list, you include the following components in the configuration for a vEdge router:

Each component is listed with its description, where you configure it in vManage NMS, and the CLI configuration command.

Component: Lists
  Description: Groupings of related items that you reference in the match and action portions of the data policy configuration.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest, or Configuration ► Policies ► Custom Options ► Localized Policy ► Lists
  CLI: policy lists

Component: Logging frequency
  Description: If you configure a logging action, log only a sample of data packet headers instead of all of them.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Policy Overview ► Log Frequency
  CLI: policy log-frequency

Component: QoS, mirroring, and policing parameters
  Description: Parameters and rules required to configure QoS, traffic mirroring, and traffic policing. For QoS, you can configure class maps, QoS maps, the QoS scheduler, and rewrite rules. For mirroring, you configure the addresses of the source of the packets to be mirrored and the mirroring site. (You can mirror only unicast traffic.) For policing, you define transmission parameters.
  vManage (QoS): Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Forwarding Classes/QoS and Policy Overview, or Configuration ► Policies ► Custom Options ► Localized Policy ► Forwarding Class/QoS
  vManage (mirroring and policing): Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest, or Configuration ► Policies ► Custom Options ► Localized Policy ► Create Groups of Interest
  CLI (QoS): policy class-map, policy cloud-qos, policy cloud-qos-service-side, policy qos-scheduler, policy qos-map, policy rewrite-rule
  CLI (mirroring): policy mirror
  CLI (policing): policy policer

Component: Access list instance
  Description: Container for an access list.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists, or Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control Lists
  CLI: policy access-list

Component: Numbered sequences of match–action pairs
  Description: Sequences that establish the order in which policy components are applied.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists, or Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control Lists
  CLI: policy access-list sequence

Component: Match parameters
  Description: Conditions that packets must match to be considered for a data policy.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists, or Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control Lists
  CLI: policy access-list sequence match

Component: Actions
  Description: Whether to accept or drop matching packets, and how to process matching items.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists, or Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control Lists
  CLI: policy access-list sequence action

Component: Default action
  Description: Action to take if a packet matches none of the match parameters in any of the sequences. By default, nonmatching packets are dropped.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists, or Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control Lists
  CLI: policy access-list default-action

Component: Application of access lists
  Description: For an access list to take effect, you apply it to an interface. You can also apply policers directly to interfaces.
  vManage: Configuration ► Templates ► Feature ► VPN Interface Bridge, VPN Interface Cellular, VPN Interface Ethernet, VPN Interface GRE, VPN Interface PPP, or VPN Interface PPP Ethernet
  CLI: vpn interface access-list, vpn interface policer

General vManage Configuration Procedure

To configure IPv4 localized policy, use the vManage policy configuration wizard. The wizard is a UI policy builder that consists of five screens to configure IPv4 localized policy components:

  • Groups of Interest, also called lists—Create data prefix lists and mirroring and policer parameters that group together related items and that you call in the match or action components of a policy.
  • Forwarding Classes—Define forwarding classes and rewrite rules to use for QoS.
  • Access Control Lists—Define the match and action conditions of ACLs.
  • Route Policies—Define the match and action conditions of route policies.
  • Policy Settings—Define additional policy settings, including Cloud QoS settings and the frequency for logging policy-related packet headers.

You configure some or all these components depending on the specific policy you are creating. To skip a component, click the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Select the Localized Policy tab.
  3. Click Add Policy.

The policy configuration wizard opens, and the Create Groups of Interest screen is displayed.

Step 2: Create Groups of Interest

In the Create Groups of Interest screen, create the lists to use in the localized data policy:


  1. Create new lists of groups, as described below for each list type:

     Data Prefix
       1. In the left bar, click Data Prefix.
       2. Click New Data Prefix List.
       3. Enter a name for the list.
       4. Enter one or more IP prefixes.
       5. Click Add.

     Mirror
       1. In the left bar, click Mirror.
       2. Click New Mirror List. The Mirror List popup displays.
       3. Enter a name for the list.
       4. In the Remote Destination IP field, enter the IP address of the destination to which to mirror the packets.
       5. In the Source IP field, enter the IP address of the source of the packets to mirror.
       6. Click Save.

     Policer
       1. In the left bar, click Policer.
       2. Click New Policer List.
       3. Enter a name for the list.
       4. In the Burst field, enter the maximum traffic burst size. It can be a value from 15000 to 1000000 bytes.
       5. In the Exceed field, select the action to take when the burst size or traffic rate is exceeded. Select Drop (the default) to set the packet loss priority (PLP) to low. Select Remark to set the PLP to high.
       6. In the Rate field, enter the maximum traffic rate. It can be a value from 0 through 2^64 – 1 bps.
       7. Click Add.
  2. Click Next to move to Configure Forwarding Classes/QoS in the wizard.

Step 3: Configure Forwarding Classes for QoS

When you first open the Forwarding Classes/QoS screen, the QoS tab is selected by default:


To configure forwarding classes for use by QoS:

  1. To create a new QoS mapping:
    1. In the QoS tab, click the Add QoS drop-down.
    2. Select Create New.
    3. Enter a name and description for the QoS mapping.
    4. Click Add Queue. The Add Queue popup displays.
    5. Select the queue number from the Queue drop-down.
    6. Select the maximum bandwidth and buffer percentages, and the scheduling and drop types. Enter the forwarding class.
    7. Click Save.
  2. To import an existing QoS mapping:
    1. In the QoS tab, click the Add QoS drop-down.
    2. Select Import Existing.
    3. Select a QoS mapping.
    4. Click Import.
  3. To view or copy a QoS mapping or to remove the mapping from the localized policy, click the More Actions icon to the right of the row, and select the desired action.
  4. To configure policy rewrite rules for the QoS mapping:
    1. In the QoS tab, click the Add Rewrite Policy drop-down.
    2. Select Create New.
    3. Enter a name and description for the rewrite rule.
    4. Click Add Rewrite Rule. The Add Rule popup displays.
    5. Select a class from the Class drop-down.
    6. Select the priority (Low or High) from the Priority drop-down.
    7. Enter the DSCP value (0 through 63) in the DSCP field.
    8. Enter the class of service (CoS) value (0 through 7) in the Layer 2 Class of Service field.
    9. Click Save.
  5. To import an existing rewrite rule:
    1. In the QoS tab, click the Add Rewrite Policy drop-down.
    2. Select Import Existing.
    3. Select a rewrite rule.
    4. Click Import.
  6. Click Next to move to Configure Access Control Lists in the wizard.

Step 4: Configure ACLs

In the Configure Access Control Lists screen, configure ACLs:

  1. To create a new IPv4 ACL, click the Add Access Control List Policy drop-down. Then select Add IPv4 ACL Policy.
  2. Enter a name and description for the ACL.
  3. In the left pane, click Add ACL Sequence. An Access Control List box is displayed in the left pane.
  4. Double-click the Access Control List box, and type a name for the ACL.
  5. In the right pane, click Add Sequence Rule to create a single sequence in the ACL. The Match tab is selected by default.
  6. Click a match condition.
  7. On the left, enter the values for the match condition.
  8. On the right, enter the action or actions to take if the packet matches.
  9. Repeat Steps 6 through 8 to add match–action pairs to the ACL.
  10. To rearrange match–action pairs in the ACL, in the right pane drag them to the desired position.
  11. To remove a match–action pair from the ACL, click the X in the upper right of the condition.
  12. Click Save Match and Actions to save a sequence rule.
  13. To rearrange sequence rules in an ACL, in the left pane drag the rules to the desired position.
  14. To copy, delete, or rename an ACL sequence rule, in the left pane, click More Options next to the rule's name and select the desired option.
  15. If no packets match any of the ACL sequence rules, the default action is to drop the packets. To change the default action:
    1. Click Default Action in the left pane.
    2. Click the Pencil icon.
    3. Change the default action to Accept.
    4. Click Save Match and Actions.
  16. Click Next to move to Configure Route Policy in the wizard.
  17. Click Next to move to the Policy Overview screen.

Step 5: Configure Policy Settings

In Policy Overview, configure policy settings:


  1. Enter a name and description for the policy.
  2. To enable cflowd visibility so that a vEdge router can perform traffic flow monitoring on traffic coming to the router from the LAN, click Netflow.
  3. To enable application visibility so that a vEdge router can monitor and track the applications running on the LAN, click Application.
  4. To enable QoS scheduling and shaping for traffic that a vEdge Cloud router receives from transport-side interfaces, click Cloud QoS.
  5. To enable QoS scheduling and shaping for traffic that a vEdge Cloud router receives from service-side interfaces, click Cloud QoS Service Side.
  6. To log the headers of all packets that are dropped because they do not match a service configured by an Allow Service parameter on a tunnel interface, click Implicit ACL Logging.
  7. To configure how often packet flows are logged, click Log Frequency. Packet flows are those that match an access list (ACL), a cflowd flow, or an application-aware routing flow.
  8. Click Preview to view the full policy in CLI format.
  9. Click Save Policy.

Step 6: Apply a Localized Data Policy in a Device Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Policy drop-down, select the name of the policy you configured in the above procedure.
  6. Click Create (for a new template) or Update (for an existing template).

General CLI Configuration Procedure

Following are the high-level steps for configuring an access list using the CLI:

  1. Create lists of IP prefixes, as needed:
    vEdge(config)# policy
    vEdge(config-policy)# lists data-prefix-list list-name
    vEdge(config-data-prefix-list)# ip-prefix prefix/length
  2. If you configure a logging action, configure how often to log packets to the syslog files:
    vEdge(config)# policy log-frequency number
  3. For QoS, map each forwarding class to an output queue, configure a QoS scheduler for each forwarding class, and group the QoS schedulers into a QoS map:
    vEdge(config)# policy class-map
    vEdge(config-class-map)# class class-name queue number

    vEdge(config)# policy qos-scheduler scheduler-name
    vEdge(config-qos-scheduler)# class class-name
    vEdge(config-qos-scheduler)# bandwidth-percent percentage
    vEdge(config-qos-scheduler)# buffer-percent percentage
    vEdge(config-qos-scheduler)# drops drop-type
    vEdge(config-qos-scheduler)# scheduling type


    vEdge(config)# policy qos-map map-name qos-scheduler scheduler-name
  4. For QoS, define rewrite rules to overwrite the DSCP field of a packet's outer IP header, if desired:
    vEdge(config)# policy rewrite-rule rule-name
    vEdge(config-rewrite-rule)# class class-name loss-priority (high | low) dscp dscp-value layer-2-cos number

    class-name is one of the classes defined under a qos-scheduler command.
  5. Define mirroring parameters (for unicast traffic only):​
    vEdge(config)# policy mirror mirror-name
    vEdge(config-mirror)# remote-dest ip-address source ip-address
  6. Define policing parameters:​
    vEdge(config)# policy policer policer-name
    vEdge(config-policer)# rate bandwidth
    vEdge(config-policer)# burst bytes
    vEdge(config-policer)# exceed action
  7. Create an access list instance:​
    vEdge(config)# policy access-list list-name
  8. Create a series of match–action pair sequences:
    vEdge(config-access-list)# sequence number
    vEdge(config-sequence)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either dropping the packet or accepting it as is).
  9. Define match parameters for packets:
    vEdge(config-sequence)# match match-parameter
  10. Define actions to take when a match occurs:
    vEdge(config-sequence)# action drop
    vEdge(config-sequence)# action count counter-name
    vEdge(config-sequence)# action log
    vEdge(config-sequence)# action accept class class-name
    vEdge(config-sequence)# action accept mirror mirror-name
    vEdge(config-sequence)# action accept policer policer-name
    vEdge(config-sequence)# action accept set dscp value
    vEdge(config-sequence)# action accept set next-hop ipv4-address
  11. Create additional numbered sequences of match–action pairs within the access list, as needed.
  12. If a packet does not match any of the conditions in any of the sequences, it is dropped by default. If you want nonmatching packets to be accepted, configure the default action for the access list:
    vEdge(config-access-list)# default-action accept
  13. Apply the access list to an interface:
    vEdge(config)# vpn vpn-id interface interface-name
    vEdge(config-interface)# access-list list-name (in | out)

    Applying the access list in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.
    For QoS, apply a DSCP rewrite rule to the same egress interface:
    vEdge(config)# vpn vpn-id interface interface-name rewrite-rule rule-name
  14. You can apply a policer directly to an interface, which has the effect of policing all packets transiting the interface, rather than policing only the selected packets that match the access list. You can apply the policer to either inbound or outbound packets:​
    vEdge(config)# vpn vpn-id interface interface-name
    vEdge(config-interface)# policer policer-name (in | out)
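The following Python model is an added example, not Viptela code. It walks packets through an access list built the way the procedure above describes: sequences are tried in ascending number order, the first match decides, packets that match nothing hit the default action (drop unless default-action accept is configured), and an accept with a policer whose exceed action is remark raises the packet's PLP to high, so that a second access list can match plp high. The prefix lists, sequences, policer values and sample packets are all constructed for the example, and the single-rate token bucket inside Policer is an assumption; the page does not state which policing algorithm the vEdge router uses.

```python
# Added example (not Viptela code): model of vEdge access-list evaluation.
# Prefix lists, ACLs, policer values and packets are constructed; the
# token-bucket policer is an assumption (the page does not give the algorithm).
import ipaddress
from dataclasses import dataclass

# policy lists data-prefix-list <name> (constructed)
PREFIX_LISTS = {
    "corp-servers": ["10.1.0.0/16"],
    "bogons": ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16"],
}

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int = 0
    plp: str = "low"  # PLP is low by default; only a remark policer raises it

@dataclass
class Policer:
    """policy policer <name>: rate (bps), burst (bytes), exceed (drop | remark)."""
    rate_bps: int
    burst_bytes: int
    exceed: str = "drop"
    tokens: float = 0.0
    def __post_init__(self):
        self.tokens = float(self.burst_bytes)  # bucket starts full
    def police(self, size_bytes, elapsed_s):
        # Assumed single-rate token bucket: refill at rate, never above burst.
        self.tokens = min(self.burst_bytes, self.tokens + self.rate_bps / 8 * elapsed_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return self.exceed

def in_prefix_list(addr, list_name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[list_name])

def matches(match, pkt):
    # Every match parameter configured in the sequence must hold.
    checks = {
        "source-data-prefix-list": lambda v: in_prefix_list(pkt.src, v),
        "destination-data-prefix-list": lambda v: in_prefix_list(pkt.dst, v),
        "protocol": lambda v: pkt.protocol in v,
        "destination-port": lambda v: pkt.dport in v,
        "plp": lambda v: pkt.plp == v,
    }
    return all(checks[key](value) for key, value in match.items())

def evaluate(acl, pkt, size_bytes=1500, elapsed_s=0.0):
    """Return 'accept' or 'drop'; updates counters and, on remark, pkt.plp."""
    counters = acl.setdefault("counters", {})
    for seq in sorted(acl["sequences"], key=lambda s: s["number"]):
        if not matches(seq["match"], pkt):
            continue
        action = seq["action"]
        if "count" in action:
            counters[action["count"]] = counters.get(action["count"], 0) + 1
        if action["verdict"] == "drop":
            return "drop"
        if "policer" in action:  # accept policer <name>
            result = action["policer"].police(size_bytes, elapsed_s)
            if result == "drop":
                return "drop"
            if result == "remark":
                pkt.plp = "high"
        return "accept"  # first match wins; later sequences are not consulted
    return acl.get("default-action", "drop")  # no match: implicit drop

GUEST_POLICER = Policer(rate_bps=8_000_000, burst_bytes=15000, exceed="remark")

# Ingress ACL applied "in" on a service-side interface. Order matters: the bogon
# drop (10) runs before the admin accept (20), so a spoofed 127.0.0.1 source is
# dropped even though it would also match sequence 20.
SERVICE_IN = {
    "sequences": [
        {"number": 10, "match": {"source-data-prefix-list": "bogons"},
         "action": {"verdict": "drop", "count": "bogon-drops"}},
        {"number": 20, "match": {"destination-data-prefix-list": "corp-servers",
                                 "protocol": {6}, "destination-port": {22, 443}},
         "action": {"verdict": "accept", "count": "admin-ok"}},
        {"number": 30, "match": {"destination-data-prefix-list": "corp-servers"},
         "action": {"verdict": "drop", "count": "corp-blocked"}},
        {"number": 40, "match": {"protocol": {17}},
         "action": {"verdict": "accept", "policer": GUEST_POLICER}},
    ],  # no default-action configured: everything else is dropped
}

# Egress ACL that matches plp high, i.e. traffic the policer remarked.
WAN_OUT = {
    "sequences": [{"number": 10, "match": {"plp": "high"},
                   "action": {"verdict": "drop", "count": "plp-high-drops"}}],
    "default-action": "accept",
}

def forward(pkt, size_bytes=1500, elapsed_s=0.0):
    # Ingress ACL first, then egress ACL, as on a router with both applied.
    if evaluate(SERVICE_IN, pkt, size_bytes, elapsed_s) == "drop":
        return "drop"
    return evaluate(WAN_OUT, pkt, size_bytes, elapsed_s)
```

Call forward() with a few packets to see the verdicts: HTTPS to a corp server is accepted, RDP to the same server falls through to sequence 30 and is dropped, the spoofed 127.0.0.1 packet is dropped by sequence 10 before sequence 20 can accept it, and ICMP to an outside host matches nothing and is dropped by the implicit default. Eleven 1500-byte UDP packets with no time elapsed exhaust the 15000-byte burst: the eleventh is accepted on ingress but remarked to PLP high, and the egress list then drops it.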

Structural Components of Configuration for Access Lists

Following are the structural components required to configure access lists, shown as they appear in the CLI and when you click Preview in the vManage localized policy configuration wizard. Each component is explained in the sections below.

policy
  lists
    data-prefix-list list-name
      ip-prefix prefix/length
  class-map
    class class-name queue number
  cloud-qos
  cloud-qos-service-side
  implicit-acl-logging
  log-frequency number
  qos-scheduler scheduler-name
    class class-name
    bandwidth-percent percentage
    buffer-percent percentage
    drops drop-type
    scheduling (llq | wrr)
  qos-map map-name
    qos-scheduler scheduler-name
  rewrite-rule rule-name
    class class-name loss-priority (high | low) dscp dscp-value layer-2-cos number
  mirror mirror-name
    remote-dest ip-address source ip-address
  policer policer-name
    rate bandwidth
    burst bytes
    exceed action
  access-list list-name
    sequence number
      match
        match-parameters
      action
        drop
          count counter-name
          log
        accept
          class class-name 
          count counter-name
          log
          mirror mirror-name
          policer policer-name
          set dscp value
          set next-hop ipv4-address
    default-action
      (accept | drop)
vpn vpn-id
  interface interface-name
    access-list list-name (in | out)
    policer policer-name (in | out)
    rewrite-rule rule-name

Lists

Access lists use prefix lists to group related prefixes.

In vManage NMS, you configure prefix lists from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Lists ► Data Prefix

In the CLI, you configure lists under the policy lists command hierarchy on vEdge routers.

Data prefixes
  Description: List of one or more IP prefixes. You can specify both unicast and multicast addresses. To configure multiple prefixes in a single list, include multiple ip-prefix options, specifying one prefix in each option.
  vManage: Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest ► Data Prefix ► New Data Prefix List, or Configuration ► Policies ► Custom Options ► Localized Policy ► Lists ► Data Prefix ► New Data Prefix List
  CLI:
    data-prefix-list list-name
      ip-prefix prefix/length

Logging Parameters

If you configure a logging action in a data policy, by default, the vEdge router logs all data packet headers to a syslog file. You can log only a sample of the data packet headers.

In vManage NMS, you configure how often to log packet headers from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Policy Overview ► Log Frequency field

In the CLI, you configure this as follows:

vEdge(config)# policy log-frequency number

number specifies how often to log packet headers. The default value is 1000. number can be any integer; the software rounds the value down to the nearest power of 2. For example, with the default value of 1000, the logging frequency is rounded down to 512, so every 512th packet is logged.

You can log the headers of all packets that are dropped because they do not match a service configured with an Allow Service configuration or an allow-service command. You can use these logs for security purposes, for example, to monitor the flows that are being directed to a WAN interface and to determine, in the case of a DDoS attack, which IP addresses to block.

In vManage NMS, you configure this logging from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Policy Overview ► Implicit ACL Logging field

In the CLI, you do this as follows:

vEdge(config)# policy implicit-acl-logging

When you enable implicit ACL logging, by default, the headers of all dropped packets are logged. It is recommended that you configure a limit to the number of packets logged in the Log Frequency field or with the log-frequency command.

QoS Parameters

In vManage NMS, you configure QoS parameters on vEdge routers from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest ► Class Map, or
    Configuration ► Policies ► Custom Options ► Localized Policy ► Lists ► Class Map
  • Configuration ► Policies ► Localized Policy ► Add Policy ► Configuring Forwarding Classes/QoS, or
    Configuration ► Policies ► Custom Options ► Localized Policy ► Configuring Forwarding Classes/QoS
  • Configuration ► Policies ► Localized Policy ► Add Policy ► Policy Overview, or
    Configuration ► Policies ► Custom Options ► Localized Policy ► Policy Overview

This section explains how to configure QoS parameters from the CLI.

To configure QoS parameters on a vEdge router, first define a classification, which maps each forwarding class to an output queue:

vEdge(config)# policy class-map class class-name queue number

class-name is the name of the class. It can be a text string from 1 through 32 characters long.

For hardware vEdge routers, each interface has eight queues, numbered from 0 through 7. Queue 0 is reserved for low-latency queuing (LLQ), so any class that is mapped to queue 0 must be configured to use LLQ. The default scheduling method for all queues is weighted round-robin (WRR).

For Cloud vEdge routers, each interface has four queues, numbered from 0 through 3. Queue 0 is reserved for control traffic, and queues 1, 2, and 3 are available for data traffic. The scheduling method for all four queues is WRR. LLQ is not supported.

To configure QoS parameters on a vEdge Cloud router, you must enable QoS scheduling and shaping. To enable QoS parameters for traffic that the vEdge Cloud router receives from transport-side interfaces:

vEdgeCloud(config)# policy cloud-qos

To enable QoS parameters for traffic that the vEdge Cloud router receives from service-side interfaces:

vEdgeCloud(config)# policy cloud-qos-service-side

Next, configure scheduling:

vEdge(config)# policy qos-scheduler scheduler-name
vEdge(config-qos-scheduler)# class class-name
vEdge(config-qos-scheduler)# bandwidth-percent percentage
vEdge(config-qos-scheduler)# buffer-percent percentage
vEdge(config-qos-scheduler)# drops (red-drop | tail-drop)
vEdge(config-qos-scheduler)# scheduling (llq | wrr)

scheduler-name is the name of the QoS scheduler. It can be a text string from 1 through 32 characters long.

class-name is the name of the forwarding class and can be a text string from 1 through 32 characters long. The common class names correspond to the per-hop behaviors AF (assured forwarding), BE (best effort), and EF (expedited forwarding).

The bandwidth percentage is the percentage of the interface's bandwidth to allocate to the forwarding class. The sum of the bandwidth on all forwarding classes on an interface should not exceed 100 percent.

The buffer percentage is the percentage of the interface's buffering capacity to allocate to the forwarding class. The sum of the buffering capacity of all forwarding classes on an interface should not exceed 100 percent.

Packets that exceed the bandwidth or buffer percentage are dropped either randomly, using random early detection (red-drop), or from the end of the queue (tail-drop). Low-latency queuing (LLQ) cannot use random early detection.

The algorithm to schedule interface queues can be either low-latency queuing (llq) or weighted round-robin (wrr).

Then, assign the scheduler to a QoS map:

vEdge(config-policy)# qos-map map-name qos-scheduler scheduler-name

map-name is the name of the QoS map, and scheduler-name is the name of the scheduler you configured above. Each name can be a text string from 1 through 32 characters long.

Finally, to configure a rewrite rule to overwrite the DSCP field of a packet's outer IP header:

vEdge(config)# policy rewrite-rule rule-name class class-name loss-priority (high | low) dscp dscp-value layer-2-cos number

rule-name is the name of the rewrite rule. It can be a text string from 1 through 32 characters long.

class-name is the name of a class you configured with the qos-scheduler class command. The packet loss priority (PLP) can be either high or low. To have a DSCP value overwrite the DSCP field of the packet's outer IP header, set a value from 0 through 63. To include an 802.1p marking in the packet, specify a number from 0 through 7.
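The constraints stated in this section are easy to violate in a hand-written policy and the router only tells you after a commit. The following validator is an added example, not Viptela code: it takes a QoS policy expressed as a plain dictionary (the schema, the platform names "hardware" and "cloud", and the sample policy are my own constructions) and reports every rule from this section that the policy breaks: queue numbers per platform, queue 0 requiring LLQ on hardware routers and being reserved for control traffic on cloud routers, no LLQ on cloud routers, LLQ not combined with red-drop, the cloud-qos enable requirement, bandwidth and buffer percentages summing to at most 100 per QoS map, rewrite-rule classes coming from a qos-scheduler, DSCP 0 through 63, CoS 0 through 7, and 1 to 32 character names.

```python
# Added example (not Viptela code): lint a localized QoS policy against the
# constraints this page states before committing it. The dict schema, the
# platform names and SAMPLE_POLICY are constructed for the example.
HARDWARE = {"queues": range(8), "llq_queue": 0, "reserved": set(), "llq": True}
CLOUD = {"queues": range(4), "llq_queue": None, "reserved": {0}, "llq": False}

def valid_name(name):
    return 1 <= len(name) <= 32

def validate(policy, platform):
    """Return a list of violations; an empty list means the policy is consistent."""
    plat = HARDWARE if platform == "hardware" else CLOUD
    errors = []
    class_map = policy.get("class-map", {})        # class name -> queue number
    schedulers = policy.get("qos-scheduler", {})   # scheduler name -> settings
    if platform == "cloud" and not (policy.get("cloud-qos") or policy.get("cloud-qos-service-side")):
        errors.append("cloud: enable policy cloud-qos or cloud-qos-service-side before using QoS")
    for cls, queue in class_map.items():
        if not valid_name(cls):
            errors.append(f"class {cls!r}: name must be 1-32 characters")
        if queue not in plat["queues"]:
            errors.append(f"class {cls}: queue {queue} does not exist on {platform} vEdge")
        if queue in plat["reserved"]:
            errors.append(f"class {cls}: queue {queue} is reserved for control traffic on cloud vEdge")
    for name, s in schedulers.items():
        cls = s["class"]
        if not valid_name(name):
            errors.append(f"scheduler {name!r}: name must be 1-32 characters")
        if cls not in class_map:
            errors.append(f"scheduler {name}: class {cls} is not defined in class-map")
        if s["scheduling"] == "llq":
            if not plat["llq"]:
                errors.append(f"scheduler {name}: LLQ is not supported on cloud vEdge")
            if s["drops"] == "red-drop":
                errors.append(f"scheduler {name}: LLQ cannot use red-drop")
        if class_map.get(cls) == plat["llq_queue"] and s["scheduling"] != "llq":
            errors.append(f"scheduler {name}: class {cls} maps to queue 0, which requires llq")
        for key in ("bandwidth-percent", "buffer-percent"):
            if not 0 <= s[key] <= 100:
                errors.append(f"scheduler {name}: {key} {s[key]} out of range 0-100")
    for map_name, members in policy.get("qos-map", {}).items():
        for m in members:
            if m not in schedulers:
                errors.append(f"qos-map {map_name}: scheduler {m} is not defined")
        for key in ("bandwidth-percent", "buffer-percent"):
            total = sum(schedulers[m][key] for m in members if m in schedulers)
            if total > 100:
                errors.append(f"qos-map {map_name}: {key} totals {total}% (> 100%)")
    sched_classes = {s["class"] for s in schedulers.values()}
    for rule, entries in policy.get("rewrite-rule", {}).items():
        for e in entries:
            if e["class"] not in sched_classes:
                errors.append(f"rewrite-rule {rule}: class {e['class']} has no qos-scheduler")
            if e["loss-priority"] not in ("high", "low"):
                errors.append(f"rewrite-rule {rule}: loss-priority must be high or low")
            if not 0 <= e["dscp"] <= 63:
                errors.append(f"rewrite-rule {rule}: dscp {e['dscp']} out of range 0-63")
            if not 0 <= e["layer-2-cos"] <= 7:
                errors.append(f"rewrite-rule {rule}: layer-2-cos {e['layer-2-cos']} out of range 0-7")
    return errors

# Constructed policy for a hardware vEdge: EF on the LLQ queue, AF and BE on WRR queues.
SAMPLE_POLICY = {
    "class-map": {"ef": 0, "af": 1, "be": 2},
    "qos-scheduler": {
        "ef-sched": {"class": "ef", "bandwidth-percent": 20, "buffer-percent": 20,
                     "drops": "tail-drop", "scheduling": "llq"},
        "af-sched": {"class": "af", "bandwidth-percent": 40, "buffer-percent": 40,
                     "drops": "red-drop", "scheduling": "wrr"},
        "be-sched": {"class": "be", "bandwidth-percent": 40, "buffer-percent": 40,
                     "drops": "red-drop", "scheduling": "wrr"},
    },
    "qos-map": {"wan-map": ["ef-sched", "af-sched", "be-sched"]},
    "rewrite-rule": {"wan-rw": [
        {"class": "af", "loss-priority": "high", "dscp": 18, "layer-2-cos": 2},
        {"class": "af", "loss-priority": "low", "dscp": 10, "layer-2-cos": 2},
    ]},
}
```

validate(SAMPLE_POLICY, "hardware") returns an empty list. Running the same policy as "cloud" reports three problems at once: cloud-qos is not enabled, class ef sits on queue 0 (reserved for control traffic there), and the ef scheduler asks for LLQ, which cloud routers do not support.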

Mirroring Parameters

To configure mirroring parameters, define the remote destination to which to mirror the packets, and define the source of the packets.

In vManage NMS, you configure mirroring parameters from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest ► Mirror ► New Mirror List
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Lists ► Mirror ► New Mirror List

In the CLI, you configure mirroring parameters as follows:

vEdge(config)# policy mirror mirror-name
vEdge(config-mirror)# remote-dest ip-address source ip-address

Mirroring applies to unicast traffic only. It does not apply to multicast traffic.

Policer Parameters

To configure policing parameters, create a policer that specifies the maximum bandwidth and burst rate for traffic on an interface, and how to handle traffic that exceeds these values.

In vManage NMS, you configure policer parameters from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Create Groups of Interest ► Policer ► New Policer List
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Lists ► Policer ► New Policer List

In the CLI, you configure policer parameters as follows:

vEdge(config)# policy policer policer-name
vEdge(config-policer)# rate bps
vEdge(config-policer)# burst bytes
vEdge(config-policer)# exceed action

rate is the maximum traffic rate. It can be a value from 0 through 2^64 – 1 bits per second.

burst is the maximum traffic burst size. It can be a value from 15000 to 1000000 bytes.

exceed is the action to take when the burst size or traffic rate is exceeded. action can be drop (the default) or remark. The drop action is equivalent to setting the packet loss priority (PLP) bit to low. The remark action sets the PLP bit to high. In centralized data policy, access lists, and application-aware routing policy, you can match the PLP with the match plp option.

Sequences

An access list contains sequences of match–action pairs. The sequences are numbered to set the order in which a packet is analyzed by the match–action pairs in the access lists.

In vManage NMS, you configure sequences from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists ► Add Access Control List Policy ► Add ACL Sequence
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control List Policy ► Add Access Control List Policy ► Add ACL Sequence

In the CLI, you configure sequences with the policy access-list sequence command.

Each sequence in an access list can contain one match condition and one action condition.

Match Parameters

Access lists can match IP prefixes and fields in the IP headers.

In vManage NMS, you configure match parameters from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists ► Add Access Control List Policy ► Add ACL Sequence ► Add Sequence Rule ► Match
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control List Policy ► Add Access Control List Policy ► Add ACL Sequence ► Add Sequence Rule ► Match

In the CLI, you configure the match parameters with the policy access-list sequence match command.

Each sequence in an access-list must contain one match condition.

For access lists, you can match the following parameters. Each entry gives the vManage match condition, the CLI match parameter, and the value or range.

Classification map
  vManage: Match Class
  CLI: class class-name
  Value: Name of a class defined with a policy class-map command.

Group of destination prefixes
  vManage: Match Destination Data Prefix
  CLI: destination-data-prefix-list list-name
  Value: Name of a data-prefix-list list.

Individual destination prefix
  vManage: Not available in vManage NMS
  CLI: destination-ip prefix/length
  Value: IP prefix and prefix length.

Destination port number
  vManage: Match Destination Port
  CLI: destination-port number
  Value: 0 through 65535. Specify a single port number, a list of port numbers (separated by spaces), or a range of port numbers (the two numbers separated by a hyphen [-]).

DSCP value
  vManage: Match DSCP
  CLI: dscp number
  Value: 0 through 63.

Internet Protocol number
  vManage: Match Protocol
  CLI: protocol number
  Value: 0 through 255.

Packet length
  vManage: Match Packet Length
  CLI: packet-length number
  Value: Length of the packet, 0 through 65535. Specify a single length, a list of lengths (separated by spaces), or a range of lengths (the two numbers separated by a hyphen [-]).

Group of source prefixes
  vManage: Match Source Data Prefix
  CLI: source-data-prefix-list list-name
  Value: Name of a data-prefix-list list.

Packet loss priority (PLP)
  vManage: Match PLP
  CLI: plp (high | low)
  Value: By default, packets have a PLP value of low. To set the PLP value to high, apply a policer that includes the exceed remark option.

Individual source prefix
  vManage: Match Source Data Prefix
  CLI: source-ip prefix/length
  Value: IP prefix and prefix length.

Source port number
  vManage: Match Source Port
  CLI: source-port number
  Value: 0 through 65535. Specify a single port number, a list of port numbers (separated by spaces), or a range of port numbers (the two numbers separated by a hyphen [-]).

TCP flag
  vManage: Match TCP
  CLI: tcp flag
  Value: syn

Action Parameters

When a packet matches the conditions in the match portion of an access list, the packet can be accepted or dropped, and it can be counted. Then, you can classify, mirror, or police accepted packets.

In vManage NMS, you configure action parameters from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists ► Add Access Control List Policy ► Add ACL Sequence ► Add Sequence Rule ► Action
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control List Policy ► Add Access Control List Policy ► Add ACL Sequence ► Add Sequence Rule ► Action

In the CLI, you configure the action parameters with the policy access-list sequence action command.

Each sequence in an access list can contain one action condition.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the access list.
  vManage: Click Accept
  CLI: accept

Count the accepted or dropped packets.
  vManage: Action Counter (click Accept, then Action Counter)
  CLI: count counter-name
  Value: Name of a counter. To display counter information, use the show policy access-lists counters command on the vEdge router.

Discard the packet. This is the default action.
  vManage: Click Drop
  CLI: drop

Log the packet headers into the messages and vsyslog system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.
  vManage: Action Log (click Accept, then Action Log)
  CLI: log
  Value: To display logging information, use the show app log flow-all, show app log flows, and show log commands on the vEdge router.

For a packet that is accepted, the following actions can be configured:

Classify the packet.
  vManage: Click Accept, then Class
  CLI: class class-name
  Value: Name of a QoS class defined with a policy class-map command.

Mirror the packet.
  vManage: Click Accept, then Mirror List
  CLI: mirror mirror-name
  Value: Name of a mirror defined with a policy mirror command.

Police the packet.
  vManage: Click Accept, then Policer
  CLI: policer policer-name
  Value: Name of a policer defined with a policy policer command.

Set the packet's DSCP value.
  vManage: Click Accept, then DSCP
  CLI: set dscp value
  Value: 0 through 63

Set the next-hop address.
  vManage: Click Accept, then Next Hop
  CLI: set next-hop ipv4-address
  Value: IPv4 address

Default Action

If a packet being evaluated does not match any of the match conditions in an access list, a default action is applied to this packet. By default, the packet is dropped.

In vManage NMS, you modify the default action from:

  • Configuration ► Policies ► Localized Policy ► Add Policy ► Configure Access Control Lists ► Default Action
  • Configuration ► Policies ► Custom Options ► Localized Policy ► Access Control List Policy ► Default Action

In the CLI, you modify this behavior with the access-list default-action accept command.

Apply Access Lists

For an access list to take effect, you must apply it to an interface.

In vManage NMS, you apply the access list in one of these interface feature configuration templates:

  • Configuration ► Templates ► VPN Interface Bridge
  • Configuration ► Templates ► VPN Interface Cellular
  • Configuration ► Templates ► VPN Interface Ethernet
  • Configuration ► Templates ► VPN Interface GRE
  • Configuration ► Templates ► VPN Interface PPP
  • Configuration ► Templates ► VPN Interface PPP Ethernet

In the CLI, you apply the access list as follows:

vEdge(config)# vpn vpn-id interface interface-name
vEdge(config-interface)# access-list list-name (in | out)

Applying the policy in the inbound direction (in) affects prefixes being received on the interface. Applying it in the outbound direction (out) affects prefixes being transmitted on the interface.

For an access list that applies QoS classification, apply any DSCP rewrite rules to the same interface to which you apply the access list:

vEdge(config)# vpn vpn-id interface interface-name rewrite-rule rule-name

Note that you can also apply a policer directly to an interface, which has the effect of policing all packets transiting the interface, rather than policing only the selected packets that match the access list. You can apply the policer to either inbound or outbound packets:

vEdge(config)# vpn vpn-id interface interface-name
vEdge(config-interface)# policer policer-name (in | out) interface-name

Interaction between Explicit and Implicit Access Lists

Access lists that you configure through localized data policy using the policy access-list command are called explicit ACLs. You can apply explicit ACLs to any interface in any VPN on the router.

The router's tunnel interfaces in VPN 0 also have implicit ACLs, which are also referred to as services. Some services are enabled by default on the tunnel interface, and are in effect unless you disable them. Through configuration, you can also enable other services. You configure and modify implicit ACLs with the allow-service command:

vEdge(config)# vpn 0
vEdge(config-vpn)# interface interface-name
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# allow-service service-name
vEdge(config-tunnel-interface)# no allow-service service-name

On vEdge routers, the following services are enabled by default: DHCP (for DHCPv4 and DHCPv6), DNS, and ICMP. These three services allow the tunnel interface to accept DHCP, DNS, and ICMP packets. You can also enable services for BGP, Netconf, NTP, OSPF, SSHD, and STUN.

When data traffic matches both an explicit ACL and an implicit ACL, how the packets are handled depends on the ACL configuration. Specifically, it depends on:

  • Whether the implicit ACL is configured as allow (allow-service service-name) or deny (no allow-service service-name). Allowing a service in an implicit ACL is the same as specifying the accept action in an explicit ACL, and a service that is not allowed in an implicit ACL is the same as specifying the drop action in an explicit ACL.
  • Whether, in an explicit ACL, the accept or deny action is configured in a policy sequence or in the default action.

The following table explains how traffic matching both an implicit and an explicit ACL is handled:

Implicit ACL   | Explicit ACL                         | Result
Allow (accept) | Deny (drop) in a policy sequence     | Deny (drop)
Allow (accept) | Deny (drop) as the default action    | Allow (accept)
Deny (drop)    | Allow (accept) in a policy sequence  | Allow (accept)
Deny (drop)    | Allow (accept) as the default action | Deny (drop)

That is, an accept or drop action configured in a sequence of the explicit ACL overrides the implicit ACL, whereas the explicit ACL's default action does not: for a packet that matches no explicit sequence, the implicit ACL decides.
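The following Python model is an added illustration, not Viptela or vManage code and not configuration from this page. It encodes the evaluation rules described under Action Parameters and Default Action (sequences tried from the lowest number up, evaluation stopping at the first match, a counter incremented whether the packet is accepted or dropped, the default action for unmatched packets) together with the interaction table above (a decision made by an explicit sequence overrides the implicit ACL of a tunnel interface, while the explicit default action does not). The access list, the packets, the lowercase service names and the function names `build_acl`, `evaluate` and `tunnel_interface_result` are all constructed for this model and are not vEdge commands.

```python
"""Model of vEdge access-list evaluation as this page describes it.

Constructed illustration, not Viptela or vManage code: the access list, the
packets and the service names are invented. It shows first-match evaluation
of sequences, the count action, the default action, and how an explicit ACL
combines with the implicit ACL (allow-service) of a tunnel interface in VPN 0.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Services the page lists as enabled by default on a vEdge tunnel interface.
DEFAULT_SERVICES = frozenset({"dhcp", "dns", "icmp"})


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int                   # IP protocol number, 0 through 255
    dst_port: int = 0
    dscp: int = 0
    service: Optional[str] = None   # implicit-ACL service this packet belongs to, e.g. "sshd"


@dataclass
class Sequence:
    number: int
    match: dict                     # keys named after the page's CLI match parameters
    action: str                     # "accept" or "drop"
    counter: Optional[str] = None   # count counter-name


@dataclass
class AccessList:
    name: str
    sequences: list
    default_action: str = "drop"    # unmatched packets are dropped unless default-action accept
    counters: dict = field(default_factory=dict)


def _matches(seq: Sequence, pkt: Packet) -> bool:
    """Every match condition in the sequence must hold for the packet.
    Port and protocol values may be a set (a list of numbers) or a range."""
    m = seq.match
    if "source-ip" in m and ip_address(pkt.src) not in ip_network(m["source-ip"], strict=False):
        return False
    if "destination-ip" in m and ip_address(pkt.dst) not in ip_network(m["destination-ip"], strict=False):
        return False
    if "protocol" in m and pkt.protocol not in m["protocol"]:
        return False
    if "destination-port" in m and pkt.dst_port not in m["destination-port"]:
        return False
    if "dscp" in m and pkt.dscp not in m["dscp"]:
        return False
    return True


def evaluate(acl: AccessList, pkt: Packet) -> tuple:
    """Return (action, decided_by). Sequences are tried from the lowest number
    up and evaluation stops at the first match; a counter named in the matching
    sequence is incremented whether the packet is accepted or dropped. A packet
    matching no sequence gets the default action."""
    for seq in sorted(acl.sequences, key=lambda s: s.number):
        if _matches(seq, pkt):
            if seq.counter:
                acl.counters[seq.counter] = acl.counters.get(seq.counter, 0) + 1
            return seq.action, "sequence %d" % seq.number
    return acl.default_action, "default-action"


def tunnel_interface_result(acl: AccessList, pkt: Packet, allowed_services) -> str:
    """Combine the explicit ACL with the tunnel interface's implicit ACL as the
    interaction table states: a decision made by an explicit sequence overrides
    the implicit ACL, but the explicit default action does not."""
    explicit, decided_by = evaluate(acl, pkt)
    implicit = "accept" if pkt.service in allowed_services else "drop"
    return explicit if decided_by.startswith("sequence") else implicit


def build_acl(default_action: str = "drop") -> AccessList:
    """Constructed ACL: drop and count ICMP, accept SSH from 10.0.0.0/8,
    accept UDP to high ports (range form of a port match)."""
    return AccessList(
        name="tunnel-acl",
        sequences=[
            Sequence(10, {"protocol": {1}}, "drop", counter="icmp-drops"),
            Sequence(20, {"protocol": {6}, "destination-port": {22},
                          "source-ip": "10.0.0.0/8"}, "accept", counter="ssh-accepts"),
            Sequence(30, {"protocol": {17}, "destination-port": range(1024, 65536)}, "accept"),
        ],
        default_action=default_action,
    )


# Constructed sample packets, one per service of interest.
PING = Packet(src="10.1.1.5", dst="10.0.0.1", protocol=1, service="icmp")
DNS = Packet(src="10.1.1.5", dst="10.0.0.1", protocol=17, dst_port=53, service="dns")
SSH = Packet(src="10.1.1.5", dst="10.0.0.1", protocol=6, dst_port=22, service="sshd")
NTP = Packet(src="10.1.1.5", dst="10.0.0.1", protocol=17, dst_port=123, service="ntp")

if __name__ == "__main__":
    acl = build_acl("drop")
    for name, pkt in (("ping", PING), ("dns", DNS), ("ssh", SSH), ("ntp", NTP)):
        print(name, evaluate(acl, pkt), "->", tunnel_interface_result(acl, pkt, DEFAULT_SERVICES))
    print("counters:", acl.counters)
```

Running the model with the constructed packets walks the four rows of the table: the ICMP packet is dropped by sequence 10 although ICMP is allowed by default; the DNS packet matches no sequence, so the explicit default drop is ignored and the default allow-service for DNS lets it through; the SSH packet is accepted by sequence 20 although sshd is not an allowed service; and with default-action accept, the NTP packet is still dropped because the explicit default does not override the implicit deny. The practical consequence for a defender is that setting default-action accept on an explicit ACL does not open services on a tunnel interface, and only an explicit drop sequence (or no allow-service) closes one that is allowed by default.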