Localized data policy, also called access lists (ACLs), is policy configured on a vEdge router (hence "local") that affects the data traffic transmitted between routers on the Viptela overlay network.
Localized Data Policy Overview
Data policy operates on the data plane in the Viptela overlay network and affects how data traffic is sent among the vEdge routers in the network. The Viptela architecture defines two types of data policy: centralized data policy, which controls the flow of data traffic based on the IP header fields in the data packets and on network segmentation; and localized data policy, which controls the flow of data traffic into and out of interfaces and interface queues on a vEdge router.
Localized data policy, so called because it is provisioned on the local vEdge router, is applied on a specific router interface and affects how that interface handles the data traffic it transmits and receives. Localized data policy is also called access lists. With access lists, you can provision class of service (CoS), classifying data packets and prioritizing the transmission properties for different classes. You can also provision packet mirroring.
Access lists can be applied either in the outbound direction on the interface (as the data packet travels from the local service-side network into the IPsec tunnel toward the remote service-side network) or in the inbound direction (as data packets are exiting from the IPsec tunnel and being received by the local vEdge router).
Explicit and Implicit Access Lists
Access lists that you configure using localized data policy are called explicit ACLs. You can apply explicit ACLs in any VPN on the router.
Router tunnel interfaces also have implicit ACLs, which are also referred to as services. Some of these are present by default on the tunnel interface, and are in effect unless you disable them. Through configuration, you can also enable other implicit ACLs. On vEdge routers, the following services are enabled by default: DHCP (for DHCPv4 and DHCPv6), DNS, and ICMP. You can also enable services for BGP, Netconf, NTP, OSPF, SSHD, and STUN.
Perform QoS Actions
With access lists, you can provision quality of service (QoS), which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted. See Forwarding and QoS Overview.
Mirror Data Packets
Once packets are classified, you can configure access lists to send a copy of data packets seen on a vEdge router interface to a specified destination on another network device. The Viptela software supports 1:1 mirroring; that is, a copy of every packet is sent to the alternate destination.
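The following configuration is an added example, not taken from this page, showing how the pieces described above fit together on a vEdge router: an explicit access list that classifies packets into queues and mirrors one class to a collector, applied in the inbound direction on a service-side interface, plus an implicit ACL service enabled on the WAN tunnel interface. The CLI syntax is as I recall it from the product; the policy names, interface names and IP addresses are assumptions.

```text
! Constructed example. Names, interfaces and addresses are assumed.
policy
 class-map
  class voice queue 0
  class bulk  queue 3
 !
 ! Mirror destination on another network device (assumed addresses)
 mirror to-collector
  remote-dest 10.200.0.5
  source      10.200.0.1
 !
 ! Explicit ACL: sequences are evaluated in order, first match wins
 access-list service-in
  sequence 10
   ! EF-marked packets go to the highest-priority queue
   match
    dscp 46
   action accept
    class voice
  !
  sequence 20
   ! SSH traffic is queued as bulk and a 1:1 copy is sent to the collector
   match
    destination-port 22
   action accept
    class bulk
    mirror to-collector
  !
  ! Set the default explicitly so packets matching no sequence are not dropped
  default-action accept
 !
!
! Apply the explicit ACL inbound on the service-side interface in VPN 1
vpn 1
 interface ge0/1
  access-list service-in in
 !
!
! Implicit ACLs on the tunnel interface: DHCP, DNS and ICMP stay on by default;
! SSHD is enabled here in addition
vpn 0
 interface ge0/0
  tunnel-interface
   allow-service sshd
```

The default-action is set explicitly rather than relied on: with drop, a list intended only to classify and mirror traffic would discard every packet that matches none of its sequences.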