Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

Configuring Centralized Data Policy

  1. Last updated
  2. Save as PDF

This article provides general procedures for configuring centralized data policy on vSmart controllers. Centralized data policy can be used for different purposes, which are described in separate sections in this article:

  • To base policy decisions on source and destination prefixes and on the headers in the IP data packets, you use centralized data policy, which you configure with the policy data-policy command. The vSmart controller pushes this type of data policy to the vEdge routers. In domains with multiple vSmart controllers, all the controllers must have the same centralized data policy configuration to ensure that traffic flow within the overlay network remains synchronized.
  • To base policy decisions on the application information in the packet payload, you use centralized data policy to perform deep packet inspection. You configure this by creating lists of applications with the policy lists app-list command and then calling these lists in a policy data-policy command. To specify the path that application traffic takes through the network, you can set the local TLOC or the remote TLOC, or both, to use to send the traffic over.
  • To configure the VPNs that vEdge routers are allowed to receive routes from, you use centralized data policy, which you configure with the policy vpn-membership command. VPN membership policy affects which routes the vSmart controller sends to the vEdge router. The policy itself remains on the vSmart controller and is not pushed to the vEdge routers.

Configuring Centralized Data Policy Based on Prefixes and IP Headers

A centralized data policy based on source and destination prefixes and on headers in IP packets consists of a series of numbered (ordered) sequences of match-action pair that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packets stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configuration, it is dropped and discarded by default.

To create a centralized data policy to filter based on IP prefixes and IP packet headers, you include the following components in the configuration on a vSmart controller:

Component

Description

Configuration Command

Lists

Groupings of related items that you reference in the match and action portions of the data policy configuration. For centralized data policy, you can group applications, IP prefixes, sites, TLOCs, and VPNs.

policy lists

Centralized data policy instance

Container for centralized data policy that filters packets based on IP prefix and IP packet header fields.

policy data-policy

VPN list

List of VPNs to which to apply the centralized data policy.

policy data-policy vpn-list

Numbered sequences of match–action pairs

Sequences that establish the order in which the policy components are applied

policy data-policy vpn-list sequence

Match parameters

Conditions that packets must match to be considered for a data policy.

policy data-policy vpn-list sequence match

Actions

Whether to accept or reject (and drop) matching packets, and how to process matching packets.

policy data-policy vpn-list sequence action

Default action

Action to take if a packet matches none of the policy conditions.

policy data-policy vpn-list default-action

Application of centralized data policy

For a data policy to take effect, you apply it to one or more sites in the overlay network.

apply-policy site-list data-policy

The following figure illustrates the configuration components for centralized data policy:

s00109.png

General Configuration Procedure

Following are the high-level steps for configuring a centralized data policy based on prefixes and the headers in the IP packets. By default, matching is done on the 6-tuple consisting of the source IP address, destination IP address, source port, destination port, protocol, and DSCP.

  1. Create a list of overlay network sites to which the centralized data policy is to be applied (in the apply-policy command):
    vSmart(config)# policy​
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id
    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
    Create additional site lists, as needed.
  2. Create lists of IP prefixes and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# data-prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create lists of TLOCs, as needed:
    vSmart(config)# policy​
    vSmart(config-policy)# lists tloc-list list-name
    vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]
  4. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy-policy-name)# vpn-list list-name
  5. Create a series of match–pair sequences:
    vSmart(config-vpn-list)# sequence number
    vSmart(config-sequence-number)#
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).
  6. Define match parameters for packets:
    ​​vSmart(config-sequence-number)# match parameters
  7. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | drop) [count counter-name] [log]
    vSmart(config-sequence-number)# action acccept nat [pool number] [use-vpn 0]
    vSmart(config-sequence-number)# action accept set parameters
  8. Create additional numbered sequences of match–action pairs within the data policy, as needed.
  9. If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching prefixed, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  10. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

Structural Components of Policy Configuration for Centralized Data Policy

Following are the structural components required to configure centralized data policy based on IP addresses and prefixes. Each one is explained in more detail in the sections below.

policy
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  data-policy policy-name 
    vpn-list list-name 
      sequence number 
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port port-numbers
          dscp number
          packet-length number
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port port-numbers
          tcp flag
        action
          cflowd (not available for deep packet inspection)
          count counter-name
          drop
          log
          accept
            nat [pool number] [use-vpn 0]
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
              tloc ip-address color color [encap encapsulation]
              tloc-list list-name
              vpn vpn-id
      default-action
        (accept | drop)
apply-policy site-list list-name 
  data-policy policy-name (all | from-service | from-tunnel)

Lists

Centralized data policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

List Type

Description

Command

Application list

List of one or more applications or application families running on the subnets connected to the vEdge router. Each app-list can contain either applications or application families, but you cannot mix the two.
application-name is the name of one or more applications. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
application-family is one of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.

app-list list-name
(app applications|
app-family application-families)

Data prefix list

List of one or more IP prefixes.

data-prefix-list list-name
ip-prefix prefix/length

Site list

List of one or more site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).

site-list list-name
  site-id site-id

TLOC list

List of one or more TLOCs in the overlay network.

For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
Optionally, set a preference value (from 0 to 232 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more of TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.

tloc-list list-name
  tloc ip-address color color
  encap encapsulation
  [preference value]

VPN list

List of one or more VPNs in the overlay network. For data policy, you can configure any VPNs except for VPN 0 and VPN 512. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).

vpn-list list-name
  vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

VPN Lists

Each centralized data policy is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The list you specify must be one that you created with a policy lists vpn-list command.

For centralized data policy, you can include any VPNs except for VPN 0 and VPN 512. VPN 0 is reserved for control traffic, so never carries any data traffic, and VPN 512 is reserved for out-of-band network management, so also never carries any data traffic. Note that while the CLI allows you to include these two VPNs in a data policy configuration, the policy is not applied to these two VPNs.

Sequences

Each VPN list consists of sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

Each sequence can contain one match command and one action command.

Match Parameters

Centralized data policy can match IP prefixes and fields in the IP headers. You configure the match parameters under the policy data-policy vpn-list sequence match command.

Each sequence in a policy can contain one match command.

For data policy, you can match these parameters:

Description

Command

Value or Range

Match all packets

Omit match command

Applications or application families

app-list list-name

Name of an app-list list

Group of destination prefixes

destination-data-prefix-list list-name

Name of a data-prefix-list list

Individual destination prefix

destination-ip prefix/length

IP prefix and prefix length

Destination port number

destination-port number

0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

DSCP value

dscp number

0 through 63

Packet length

packet-length number

0 through 65535; specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-])
Packet loss priority (PLP) plp (high | low)
By default, packets have a PLP value of& low. To set the PLP value to high, apply a policer that includes the exceed remark option.

Internet protocol number

protocol number

0 through 255

Group of source prefixes

source-data-prefix-list list-name

Name of a data-prefix-list list

Individual source prefix

source-ip prefix/length

IP prefix and prefix length

Source port number

source-port address

0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

TCP flag

tcp flag

syn

Action Parameters

When data traffic matches the conditions in the match portion of a centralized data policy, the packet can be accepted or dropped, and it can be counted. Then, you can associate parameters with accepted packets. You configure the action parameters under the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain on action command.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Description

Command

Value or Range

Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

accept

Enable cflowd traffic monitoring. cflowd

Count the accepted or dropped packets.

count counter-name

Name of a counter. To display counter information, use the show policy access-lists counter command on the vEdge router.

Discard the packet. This is the default action.

drop

Log the packets. Packets are placed into the messages and vsyslog system logging (syslog) files. log To view the packet logs, use the show app log flows and show log commands.

Then, for a packet that is accepted, the following parameters can be configured:

Description

Parameter

Value or Range

Enable cflowd traffic monitoring.

cflowd

Direct matching traffic to the NAT functionality so that it can be redirected directly to the Internet or other external destination.

nat [pool number] [use-vpn 0]

DSCP value.

set dscp value

0 through 63

Forwarding class.

set forwarding-class value

Name of forwarding class

Direct matching packets to a TLOC identified by its color and encapsulation
By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC.

set local-tloc color [encap encapsulation]

color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.

Direct matching packets to one of the TLOCs in the list if the TLOC matches the color and encapsulation
By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.

set local-tloc-list color color encap encapsulation [restrict]

color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.

Set the next hop to which the packet should be forwarded.

set next-hop ip-address

IP address

Apply a policer.

set policer policer-name

Name of policer configured with a policy policer command

Specify a service to redirect traffic to before delivering the traffic to its destination.

The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service command.

set service service-name [tloc ip-address​ | tloc-list list-name] [vpn vpn-id]

Standard services: FW, IDS, IDP
Custom services: netsvc1, netsvc2,netsvc3, netsvc4

TLOC list is configured with a policy lists tloc-list list

Direct traffic to a remote TLOC that matches the IP address, color, and encapsulation.

set tloc address color color [encap encapsulation]

TLOC address, color, and encapsulation

Direct traffic to one of the remote TLOCs in the TLOC list if it matches the IP address, color, and encapsulation of one of the TLOCs in the list. If a preference value is configured for the matching TLOC, that value is assigned to the traffic.

set tloc-list list-name

Name of a policy lists tloc-list list

Set the VPN that the packet is part of.

set vpn vpn-id

0 through 65530

Default Action

If a data packet being evaluated does not match any of the match conditions in a control policy, a default action is applied to this route. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Applying Centralized Data Policy

For a centralized data policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

By default, data policy applies to all data traffic passing through the vEdge router: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering to the local site through the tunnel interface. You can explicitly configure this behavior by including the all option. To have the data policy apply only to traffic coming from the service site and exiting from the local site through the tunnel interface, include the from-service option. To have the policy apply only to traffic entering from the tunnel interface and traveling to the service site, include the from-tunnel option. You can apply different data policies in each of the two traffic directions.

For all data-policy policies that you apply with apply-policy commands, the site IDs across all the site lists must be unique. That is, the site lists must not contain overlapping site IDs. An example of overlapping site IDs are those in the two site lists site-list 1 site-id 1-100 and site-list 2 site-id 70-130. Here, sites 70 through 100 are in both lists. If you were to apply these two site lists to two different data-policy policies, the attempt to commit the configuration on the vSmart controller would fail.

The same type of restriction also applies to the following types of policies:

  • Application-aware routing policy (app-route-policy)
  • Centralized control policy (control-policy)
  • Centralized data policy used for cflowd flow monitoring (data-policy hat includes a cflowd action and apply-policy that includes a cflowd-template command)

You can, however, have overlapping site IDs for site lists that you apply for different types of policy. For example, the sites lists for control-policy and data-policy policies can have overlapping site IDs. So for the two example site lists above, site-list 1 site-id 1-100 and site-list 2 site-id 70-130, you could apply one to a control policy and the other to a data policy.

As soon as you successfully activate the configuration by issuing a commit command, the vSmart controller pushes the data policy to the vEdge routers located in the specified sites. To view the policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy

To view the policy that has been pushed to the vEdge router, use the show policy from-vsmart command on the vEdge router.

vEdge# show policy from-vsmart

Configuring Deep Packet Inspection

You configure deep packet inspection using a standard centralized data policy. You define the applications of interest in a policy lists app-list command, and you call these lists in the match portion of the data policy. You can control the path of the application traffic through the network by defining, in the action portion of the data policy, the local TLOC or the remote TLOC, or for strict control, you can define both.

General Configuration Procedure

Following are the high-level steps for configuring a centralized data policy to use for deep packet inspection. The steps in the process that are required for deep packet inspection are Steps 2, 6, and

  1. Create a list of overlay network sites to which the data policy is to be applied (in the apply-policy command):
    vSmart(config)# policy​
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id
    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
    Create additional site lists, as needed.
  2. Create lists of applications and application families that are to be subject to the data policy, Each list can contain one or more application names, or one or more application families. A single list cannot contain both applications and application families.
    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-app-list)# app application-name

    vSmart(config)# policy lists
    vSmart(config-lists)# app-list list-name
    vSmart(config-applist)# app-family family-name
  3. Create lists of IP prefixes and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# data-prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  4. Create lists of TLOCs, as needed:
    vSmart(config)# policy​
    vSmart(config-policy)# lists tloc-list list-name
    vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]
  5. Create a data policy instance and associate it with a list of VPNs:
    vSmart(config)# policy data-policy policy-name
    vSmart(config-data-policy-policy-name)# vpn-list list-name
  6. Create a series of match–pair sequences:
    vSmart(config-vpn-list)# sequence number
    vSmart(config-sequence-number)#
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).
  7. Define match parameters based on applications:
    vSmart(config-sequence-number)# match app-list list-name
  8. Define additional match parameters for data packets:
    ​​vSmart(config-sequence-number)# match parameters
  9. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | drop) [count]
  10. For packets that are accepted, define the actions to take. To control the tunnel over which the packets travels, define the remote or local TLOC, or for strict control over the tunnel path, set both:
    vSmart(config-action)# set tloc ip-address color color encap encapsulation
    vSmart(config-action)# set tloc-list list-name
    vSmart(config-action)# set local-tloc color color encap     encapsulation
    vSmart(config-action)# set local-tloc-list color color encap encapsulation [restrict]
  11. Define additional actions to take.
  12. Create additional numbered sequences of match–action pairs within the data policy, as needed.
  13. If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching prefixes to be accepted, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  14. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

To enable the infrastructure for deep packet inspection on the vEdge routers, include the following command in the configuration on the routers:

vEdge(config)# policy app-visibility

Structural Components of Policy Configuration for Deep Packet Inspection

Following are the structural components required to configure centralized data policy for deep packet inspection. Each one is explained in more detail in the sections below.

On the vSmart controller:
policy
  lists
    app-list list-name
      (app applications | app-family application-families)
    data-prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc ip-address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  data-policy policy-name 
    vpn-list list-name 
      sequence number 
        match
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip ip-addresses
          destination-port port-numbers
          dscp number
          packet-length number
          protocol protocol
          source-data-prefix-list list-name
          source-ip ip-addresses
          source-port port-numbers
          tcp flag
        action
          drop
          count counter-name
          log
          accept
            nat [pool number] [use-vpn 0]
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color encap encapsulation
              tloc-list color color encap encapsulation [restrict]
              vpn vpn-id
      default-action
        (accept | drop)
apply-policy site-list list-name 
  data-policy policy-name (all | from-service | from-tunnel) 
  
On the vEdge router:
policy
  app-visibility

Lists

Centralized data policy for deep packet inspection uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

List Type

Description

Command

Application list

List of one or more applications or application families running on the subnets connected to the vEdge router.
application-names can be the names of one or more applications. The Viptela software supports about 2300 different applications. To list the supported applications, use the ? in the CLI.
application-families can be one or more of the following: antivirus, application-service, audio_video, authentication, behavioral, compression, database, encrypted, erp, file-server, file-transfer, forum, game, instant-messaging, mail, microsoft-office, middleware, network-management, network-service, peer-to-peer, printer, routing, security-service, standard, telephony, terminal, thin-client, tunneling, wap, web, and webmail.

app-list list-name
  (app applications|
  app-family application-families)

Prefix list

List of one or more IP prefixes.

prefix-list list-name
  ip-prefix prefix/length

Site list

List of one or more site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).

site-list list-name
  site-id site-id

TLOC list

List of one or more TLOCs in the overlay network.

For each TLOC, specify its address, color, and encapsulation. address is the system IP address. color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver. encapsulation can be gre or ipsec.
Optionally, set a preference value (from 0 to 232 – 1) to associate with the TLOC address. When you apply a TLOC list in an action accept condition, when multiple TLOCs are available and satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more of TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.

tloc list-name
  tloc ip-address color color
  encap encapsulation
  [preference value]

VPN list

List of one or more VPNs in the overlay network. For data policy, you can configure any VPNs except for VPN 0 and VPN 512. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).

vpn-list list-name
  vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

VPN Lists

Each centralized data policy is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The list you specify must be one that you created with a policy lists vpn-list command.

Yo can include any VPNs except for VPN 0, which is reserved for control traffic, so never carries any data traffic, and VPN 512, which is reserved for out-of-band network management, so also never carries any data traffic. Note that while the CLI allows you to include these two VPNs in a data policy configuration, the policy is not applied to these two VPNs.

Sequences

Within each VPN list are sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.

Each sequence can contain one match command and one action command.

Match Parameters

For deep packet inspection, centralized data policy must match one or more applications. It can also match IP prefixes and fields in the IP headers. You configure the match parameters under the policy data-policy vpn-list sequence match command.

Each sequence in a policy can contain one match command.

For data policy, you can match these parameters:

Description

Command

Value or Range

Group of applications

app-list list-name

Name of an app-list list

Group of destination prefixes

destination-data-prefix-list list-name

Name of a data-prefix-list list

Individual destination prefix

destination-ip prefix/length

IP prefix and prefix length

Destination port number

destination-port number

0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

DSCP value

dscp number

0 through 63

Packet length

packet-length number

0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

Internet Protocol number

protocol number

0 through 255

Group of source prefixes

source-data-prefix-list list-name

Name of a data-prefix-list list

Individual source prefix

source-ip prefix/length

IP prefix and prefix length

Source port number

source-port address

0 through 65535; specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-])

TCP flag

tcp flag

syn

Action Parameters

When data traffic matches the conditions in the match portion, the data packets can be accepted or dropped, and they can be counted. Then, you can associate parameters with accepted packets. You configure the action parameters under the policy data-policy vpn-list sequence action command.

Each sequence in a centralized data policy can contain one action command.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Description

Command

Value or Range

Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

accept

Count the accepted or dropped packets.

count counter-name

Name of a counter. Use the show policy access-lists counter command on the vEdge router to display counter information.

Discard the packet. This is the default action.

drop

Place a sampled set of packets that match the match conditions into the messages and vsyslog system logging (syslog) files. log

To view the packet logs, use the show app log flows and show log commands.

Then, for a packet that is accepted, the following parameters can be configured. Note that you cannot use DPI with either cflowd or NAT.

Description

Parameter

Value or Range

DSCP value.

set dscp value

0 through 63

Forwarding class.

set forwarding-class value

Name of forwarding class

Direct matching packets to a TLOC that mathces the color and encapsulation
By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC.

set local-tloc color [encap encapsulation]

color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.

Direct matching packets to one of the TLOCs in the list if the TLOC matches the color and encapsulation
By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if a TLOC is unavailable, include the restrict option.

set local-tloc-list color color  encap encapsulation [restrict]

color​ can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.

Set the next hop to which matching packets should be forwarded.

set next-hop ip-address

IP address.

Apply a policer.

set policer policer-name

Name of policer configured with a policy policer command

Direct matching packets to the name service, before delivering the traffic to its ultimate destination.

The TLOC address or list of TLOCs identifies the remote TLOCs to which the traffic should be redirected to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them.

The VPN identifier is where the service is located.

Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.

set service service-name [tloc ip-address​ | tloc-list list-name] [vpn vpn-id]

Standard services: FW, IDS, IDP
Custom services: netsvc1, netsvc2,netsvc3, netsvc4

TLOC list is configured with a policy lists tloc-list command
Direct matching packets to the named service that is reachable via a GRE tunnel whose source is in the transport VPN (VPN 0). If the GRE tunnel used to reach the service is down, packet routing falls back to using standard routing. To drop packets when a GRE tunnel to the service is unreachable, include the restrict option. In the service VPN, you must also advertise the service using the service command. You configure the GRE interface or interfaces in the transport VPN (VPN 0). set service service-name local [restrict] [vpn vpn-id] Standard services: FW, IDS, IDP
Custom services: netsvc1, netsvc2,netsvc3, netsvc4

Direct traffic to a remote TLOC. The TLOC is defined by its IP address, color, and encapsulation.

set tloc address color color [encap encapsulation]

TLOC address, color, and encapsulation

Direct traffic to one of the remote TLOCs in the TLOC list.

set tloc-list list-name

Name of a policy lists tloc-lists list

Set the VPN that the packet is part of.

set vpn vpn-id

0 through 65530

Default Action

If a data packet being evaluated does not match any of the match conditions in a control policy, a default action is applied to this route. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.

Applying Centralized Data Policy

For a centralized data policy to take effect, you apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

By default, data policy applies to all data traffic passing through the vEdge router: the policy evaluates all data traffic going from the local site (that is, from the service side of the router) into the tunnel interface, and it evaluates all traffic entering to the local site through the tunnel interface. You can explicitly configure this behavior by including the all option. To have the data policy apply only to policy exiting from the local site, include the from-service option. To have the policy apply only to incoming traffic, include the from-tunnel option.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

As soon as you successfully activate the configuration by issuing a commit command, the vSmart controller pushes the data policy to the vEdge routers located in the specified sites. To view the policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# ;show running-config apply-policy

To view the policy that has been pushed to the vEdge router, use the show policy from-vsmart command on the vEdge router.

vEdge># show policy from-vsmart

Monitor Running Applications

To enable the deep packet inspection infrastructure on the vEdge routers, you must enable application visibility on the routers:

vEdge(config)# policy app-visibility

To display information about the running applications, use the show app dpi supported-applications, show app dpi applications, and show app dpi flows commands on the router.

Configuring VPN Membership Policy

A VPN membership data policy consists of a series of numbered (ordered) sequences of match-action pair that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packets stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configure, it is, by default, rejected and discarded.

To create a VPN membership policy, you include the following components in the configuration on a vSmart controller:

Component

Description

Configuration Command

Lists

Groupings of related items that you reference in the match and action portions of the data policy configuration. For VPN membership policy, you can group sites and VPNs.

policy lists

Centralized VPN membership policy instance

Container for VPN membership policy to filter packets based on VPN.

policy vpn-membership

Numbered sequences of match–action pairs

Sequences that establish the order in which the policy components are applied

policy vpn-membership sequence

Match parameters

Conditions that packets must match to be considered for the VPN membership policy.

policy vpn-membership sequence match

Actions

Whether to accept or reject matching packets.

policy vpn-membership sequence action

Default action

Action to take if a packet matches none of the policy conditions.

policy vpn-membership default-action

Application of VPN membership policy

For a VPN membership policy to take effect, you apply it to one or more sites in the overlay network.

apply-policy site-list vpn-membership

General Configuration Procedure

Following are the high-level steps for configuring a VPN membership data policy:

  1. Create a list of overlay network sites to which the VPN membership policy is to be applied (in the apply-policy command):
    vSmart(config)# policy​
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id
    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).
    Create additional site lists, as needed.
  2. Create lists VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create a VPN membership policy instance:
    vSmart(config)# policy vpn-membership policy-name
  4. Create a series of match–pair sequences:
    vSmart(config-policy-nsme)# sequence number
    vSmart(config-sequence-number)#
    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the packet or accepting it).
  5. Define match parameters for VPNs:
    vSmart(config-sequence-number)# match (vpn vpn-id | vpn-list list-name)
  6. Define actions to take when a match occurs:
    vSmart(config-sequence-number)# action (accept | reject)
  7. Create additional numbered sequences of match–action pairs within the data policy, as needed.
  8. If a packet does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching packets to be accepted, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  9. Apply the policy to one or more sites in the overlay network:
    vSmart(config)# apply-policy site-list list-name vpn-membership policy-name

Structural Components of VPN Membership Policy Configuration

Following are the structural components required to configure VPN membership policy. Each one is explained in more detail in the sections that follow.

policy
  lists
    site-list list-name 
      site-id site-id 
    vpn-list list-name 
      vpn vpn-id 
  vpn-membership policy-name 
    sequence number 
      match
        match-parameters 
      action
        (accept | reject)
      default-action
          (accept | reject)
apply-policy site-list list-name 
  vpn-membership policy-name

Lists

Centralized data policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vSmart controllers.

List Type

Description

Command

Site list

List of site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).

site-list list-name
  site-id site-id

VPN list

List of VPNs in the overlay network

vpn-list list-name
  vpn vpn-id

In the vSmart controller configuration, you can create multiple iterations of each type of list. For VPN membership policy, you commonly create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all VPN membership policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

Match Parameters

For VPN membership policy, you can match these parameters:

Description

Command

Value or Range

Individual VPN identifier

vpn vpn-id

0 through 65535

Name of a VPN list.

vpn-list list-name

Name of a vpn-list name

Action Parameters

When data traffic matches the conditions in the match portion of a VPN membership policy, the packet can be either accepted or rejected:

Description

Command

Value or Range

Accept the packet.

accept

Reject the packet. This is the default action.

reject

Default Action

If a data packet being evaluated does not match any of the match conditions in a VPN membership policy, a default action is applied to this route. By default, the route is rejected. To modify this behavior, include the default-action accept command in the VPN membership policy.

Applying VPN Membership Policy

For a VPN membership policy to take effect, you must apply it to a list of sites in the overlay network:

vSmart(config)# apply-policy site-list list-name vpn-membership policy-name

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, all data policies cannot have overlapping site lists among themselves. If you accidentally misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.

To display the VPN membership policy as configured on the vSmart controller, use the show running-config command on the vSmart controller:

vSmart# show running-config policy
vSmart# show running-config apply-policy