Policy Overview

Centralized Policy

Centralized policy refers to policy provisioned on vSmart controllers, which are the centralized controllers in the Viptela overlay network. Centralized policy comprises two components:

• Control policy, which affects the overlay network–wide routing of traffic
• Data policy, which affects the data traffic flow throughout the VPN segments in the network

Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers.

Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.

Localized Policy

Localized policy refers to policy that is provisioned locally, on the vEdge routers in the overlay network

Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network.

Localized data policy allows you to provision access lists and apply them to a specific interface or interfaces on the router. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring, which control how data traffic flows out of and in to the router's interfaces and interface queues.

Control Policy

Control policy, which is similar to standard routing policy, operates on routes and routing information in the control plane of the overlay network. Centralized control policy, which is provisioned on the vSmart controller, is the Viptela technique for customizing network-wide routing decisions that determine or influence routing paths through the overlay network. Local control policy, which is provisioned on a vEdge router, allows customization of routing decisions made by BGP and OSPF on site-local branch or enterprise networks.

The routing information that forms the basis of centralized control policy is carried in Viptela route advertisements, which are transmitted on the DTLS or TLS control connections between vSmart controllers and vEdge routers. Centralized control policy determines which routes and route information are placed into the centralized route table on the vSmart controller and which routes and route information are advertised to the vEdge routers in the overlay network. Basic centralized control policy establish traffic engineering, to set the path that traffic takes through the network. Advanced control policy supports a number of features, including service chaining, which allows vEdge routers in the overlay network to share network services, such as firewalls and load balancers.

Centralized control policy affects the OMP routes that are distributed by the vSmart controller throughout the overlay network. The vSmart controller learns the overlay network topology from OMP routes that are advertised by the vEdge routers over the OMP sessions inside the DTLS or TLS connections between the vSmart controller and the routers. (The DTLS connections are shown in orange in the figure to the right).

Three types of OMP routes carry the information that the vSmart controller uses to determine the network topology:

• Viptela OMP routes, which are similar to IP route advertisements, advertise routing information that vEdge routers have learned from their local site and the local routing protocols (BGP and OSPF) to the vSmart controller. These routes are also referred to as OMP routes or vRoutes.
• TLOC routes carry overlay network–specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type. (A TLOC, or transport location, is the physical location where a vEdge router connects to a transport network. It is identified primarily by IP address, link color, and encapsulation, but a number of other properties are associated with a TLOC.)
• Service routes advertise the network services, such as firewalls, available to VPN members at the vEdge router's local site.

By default, no centralized control policy is provisioned. In this bare, unpolicied network, all OMP routes are placed in the vSmart controller's route table as is, and the vSmart controller advertised all OMP routes, as is, to all vEdge routers in the same VPN in the network domain.

By provisioning centralized control policy, you can affect which OMP routes are placed in the vSmart controller's route table, what route information is advertised to the vEdge routers, and whether the OMP routes are modified before being put into the route table or before being advertised.

vEdge routers place all the route information learned from the vSmart controllers, as is, into their local route tables, for use when forwarding data traffic. Because the vSmart controller's role is to be the centralized routing system in the network, vEdge routers can never modify the OMP route information that they learn from the vSmart controllers.

The vSmart controller regularly receives OMP route advertisements from the vEdge routers and, after recalculating and updating the routing paths through the overlay network, it advertises new routing information to the vEdge routers.

The centralized control policy that you provision on the vSmart controller remains on the vSmart controller and is never downloaded to the vEdge routers. However, the routing decisions that result from centralized control policy are passed to the vEdge routers in the form of route advertisements, and so the affect of the control policy is reflected in how the vEdge routers direct data traffic to its destination.

A type of centralized control policy called service chaining allows data traffic to be routed through one or more network services, such as firewall, load balancer, and intrusion detection and prevention (IDP) devices, en route to its destination.

Localized control policy, which is provisioned locally on the vEdge routers, is called route policy. This policy is similar to the routing policies that you configure on a regular router, allowing you to modify the BGP and OSPF routing behavior on the site-local network. Whereas centralized control policy affects the routing behavior across the entire overlay network, route policy applies only to routing at the local branch.

Data Policy

Data policy influences the flow of data traffic traversing the network based either on fields in the IP header of packets or the router interface on which the traffic is being transmitted or received. Data traffic travels over the IPsec connections between vEdge routers, shown in purple in the adjacent figure.

The Viptela architecture implements two types of data policy:

• Centralized data policy controls the flow of data traffic based on the source and destination addresses and ports and DSCP fields in the packet's IP header (referred to as a 5-tuple), and based on network segmentation and VPN membership. These types of data policy are provisioned centrally, on the vSmart controller, and they affect traffic flow across the entire network.
• Localized data policy controls the flow of data traffic into and out of interfaces and interface queues on a vEdge router. This type of data policy is provisioned locally, on the vEdge router, using access lists. It allows you to classify traffic and map different classes to different queues. It also allows you to mirror traffic and to police the rate at which data traffic is transmitted and received. 

By default, no centralized data policy is provisioned. The result is that all prefixes within a VPN are reachable from anywhere in the VPN. Provisioning centralized data policy allows you to apply a 6-tuple filter that controls access between sources and destinations. As with centralized control policy, you provision centralized data policy on the vSmart controller, and that configuration remains on the vSmart controller. The effects of data policy are reflected in how the vEdge routers direct data traffic to its destination. Unlike control policy, however, centralized data polices are pushed to the vEdge routers in a read-only fashion. They are not added to the router's configuration file, but you can view them from the CLI on the router.

With no access lists provisioned on a vEdge router, all data traffic is transmitted at line rate and with equal importance, using one of the interface's queues. Using access lists, you can provision class of service, which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted. You can also provision packet mirroring and policing.