Policies

Use the Policies screen to create and activate centralized and localized control and data policies for vSmart controllers and vEdge routers.

Screen Elements

  • Top bar—On the left are the menu icon, for expanding and collapsing the vManage menu, and the vManage product name. On the right are a number of icons and the user profile drop-down.
  • Title bar—Includes the title of the screen, Policies, and the following:
    • Custom Options—Click to display, create, and edit components for use in policy. For centralized policy, the components are CLI policies, lists, topologies, and traffic policies. For localized policy, the components are CLI policies, lists, forwarding class/QoS definitions, access control lists (ACLs), and route policies.
  • Centralized Policy tab—Create a centralized policy. When you first open the Policies screen, the Centralized Policy tab is selected.
    • Add Policy—Click to create a centralized policy using a policy configuration wizard.
  • Localized Policy tab—Create a localized policy.
    • Add Policy—Click to create a localized policy using a policy configuration wizard.
  • Search box—Includes the Search Options drop-down, for a Contains or Match string.
  • Refresh icon—Click to refresh data in the policies table with the most current data.
  • Show Table Columns icon—Click to display or hide columns from the policies table. By default, all columns are displayed.
  • Policies table—To re-arrange the columns, drag the column title to the desired position.

Configure Centralized Policy

You configure centralized policy with a configuration wizard. The wizard is a UI policy builder that consists of four screens to configure and modify the following centralized policy components:

  • Groups of interest, also called lists
  • Topologies and VPN membership
  • Traffic rules
  • Applying policies to sites and VPNs

You configure some or all of these components depending on the specific policy you are creating. To skip a component, click the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

You apply centralized policies by activating them, as described later in the article, to push the policies to all reachable vSmart controllers.

For more information about the centralized policy components, see Configuring Centralized Control Policy. For information about application-aware routing policy components, see Configuring Application-Aware Routing.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen.
  2. Select the Centralized Policy tab.
  3. Click Add Policy.

The policy configuration wizard opens, and the Create Groups of Interest screen displays.

Step 2: Configure Groups of Interest

In Create Groups of Interest, create lists of groups to use in centralized policy:

  1. In the left pane, select the type of list to use with the centralized policy. It can be one of the following:
    • Application
    • Color
    • Data Prefix
    • Policer
    • Prefix
    • Site
    • SLA Class
    • TLOC
    • VPN
  2. In the right pane, click the New button. The New List portion of the screen opens.
  3. Enter a name for the list, and enter or select the components to include in the list.
    For application lists, note that the Google_Apps and Microsoft_Apps lists are preconfigured, and you cannot edit or delete them.
  4. Click Add to create the new list.
  5. Repeat Steps 1 through 4 to create additional lists.
  6. To edit, copy, or delete an existing list, click the Edit, Copy, or Trash Bin icon in the Action column.
  7. Click Next to move to Configure Topology and VPN Membership in the wizard.

Step 3: Configure Topology and VPN Membership

When you first open the Configure Topology and VPN Membership screen, the Topology tab is selected by default.

To configure topology and VPN membership:

  1. To configure a topology policy component:
    1. In the Topology tab, click the Add Topology drop-down.
    2. Select the desired network topology.
    3. Enter a name and description for the topology, and select the VPN list to which the topology applies.
    4. Click the New button, and enter the information for the topology component.
    5. Enter a name for the topology component, and enter or select the components to include in it.
    6. Click Save.
  2. To configure a VPN membership policy component:
    1. In the VPN Membership tab, click Add VPN Membership Policy.
    2. In the Update VPN Membership Policy popup, enter a name and description of the VPN membership, and select site lists and VPN lists. To create new lists, click Add List.
    3. Click Save.
  3. To edit, copy, or delete an existing topology or VPN membership policy, select it and click the Edit, Copy, or Trash Bin icon in the Action column.
  4. Click Next to move to Configure Traffic Rules in the wizard.

Step 4: Configure Traffic Rules

When you first open the Traffic Rules screen, the Application-Aware Routing tab is selected by default.

To configure traffic rules:

  1. In the Application-Aware Routing tab, select the desired policy type—Application-Aware Routing, Traffic Data, or Cflowd.
  2. Click the Add Policy drop-down.
  3. To import an existing policy, select Import Existing. In the Import Existing Data Policy popup, select the name of the file containing the data policy. Then click Import.
  4. To create a new policy, select Create New, and in the left pane, click Sequence Type.
  5. For an application-aware routing policy:
    1. In the right pane, click Sequence Rule.
    2. Add the match and action rules.
    3. Add additional sequences as needed. Drag and drop sequences to re-order them.
    4. Click Save Application-Aware Routing Policy.
  6. For a traffic data policy:
    1. From the Add Data Policy popup, select the policy type.
    2. In the right pane, click Sequence Rule.
    3. Add the match and action rules.
    4. Add additional sequences as needed. Drag and drop sequences to re-order them.
    5. Click Save Data Policy.
  7. For cflowd policy:
    1. To configure the cflowd template, enter values for the active flow timeout, inactive flow timeout, flow refresh interval, and sampling interval.
    2. To configure a collector list, click Add New Collector. Enter the VPN ID where the collector is located, its IP address, port number, transport protocol, and source interface. Click Add.
    3. Click Save Cflowd Policy.
  8. Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Step 5: Apply Policy to Sites and VPNs

In Apply Policies to Sites and VPNs, apply a policy to overlay network sites and VPNs:

  1. Enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
  2. Enter a description of the policy. This field is mandatory, and it can contain any characters and spaces. It can contain up to 2048 characters.
  3. From the Topology bar, select the tab that corresponds to the type of policy block—Topology, Application-Aware Routing, Traffic Data, or Cflowd. The table then lists policies that you have created for that type of policy block.
  4. Associate the policy with VPNs and sites. The choice of VPNs and sites depends on the type of policy block:
    1. For a Topology policy block, click Add New Site List and VPN List or Add New Site. Some topology blocks might have no Add buttons. Select one or more site lists, and select one or more VPN lists. Click Add.
    2. For an Application-Aware Routing policy block, click Add New Site List and VPN List. Select one or more site lists, and select one or more VPN lists. Click Add.
    3. For a Traffic Data policy block, click Add New Site List and VPN List. Select the direction for applying the policy (From Tunnel, From Service, or All), select one or more site lists, and select one or more VPN lists. Click Add.
    4. For a cflowd policy block, click Add New Site List. Select one or more site lists. Click Add.
  5. Click Preview to view the configured policy. The policy is displayed in CLI format.
  6. Click Save Policy. The Configuration ► Policies screen opens, and the policies table includes the newly created policy.

Configure Localized Policy

You configure localized policy with a configuration wizard. The wizard is a UI policy builder that consists of five screens to configure and modify the following localized policy components:

  • Groups of interest, also called lists
  • Forwarding classes to use for QoS
  • Access control lists (ACLs)
  • Route policies
  • Policy settings

You configure some or all of these components depending on the specific policy you are creating. To skip a component, click the Next button at the bottom of the screen. To return to a component, click the Back button at the bottom of the screen.

You apply localized policies to specific vEdge router interfaces. You associate a localized policy with an interface in the VPN Interface Bridge, VPN Interface Ethernet, VPN Interface GRE, VPN Interface PPP, or VPN Interface PPP Ethernet feature configuration template.

For more information about the localized policy components, see Configuring Localized Data Policy for IPv4 and Configuring Localized Data Policy for IPv6.

Step 1: Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen.
  2. Select the Localized Policy tab.
  3. Click Add Policy.

The policy configuration wizard opens, and the Create Groups of Interest screen displays.

Step 2: Configure Groups of Interest

In the Create Groups of Interest screen, create lists to use in localized policy:

  1. In the left pane, select the type of list to use with the localized policy. It can be one of the following:
    • AS Path
    • Community
    • Data Prefix
    • Extended Community
    • Mirror
    • Policer
    • Prefix
  2. In the right pane, click the New button. The New List portion of the screen opens.
  3. Enter a name for the list, and enter or select the components to include in the list. For information about entering AS path, community and extended community, and data prefix and prefix values, see Configuring Localized Control Policy. For information about entering mirroring and policer parameters, see Configuring Localized Data Policy for IPv4.
  4. Click Add to create the new list.
  5. Repeat Steps 1 through 4 to create additional lists.
  6. To edit, copy, or delete an existing list, click the Edit, Copy, or Trash Bin icon in the Action column.
  7. Click Next to move to Configure Forwarding Classes/QoS in the wizard. When you first open this screen, the QoS tab is selected by default.

Step 3: Configure Forwarding Classes for QoS

When you first open the Forwarding Classes/QoS screen, the QoS tab is selected by default.

To configure forwarding classes for use by QoS:

  1. To create a new QoS mapping:
    1. In the QoS tab, click the Add QoS drop-down.
    2. Select Create New.
    3. Enter a name and description for the QoS mapping.
    4. Click Add Queue. The Add Queue popup displays.
    5. Select the queue number from the Queue drop-down.
    6. Select the maximum bandwidth and buffer percentages, and the scheduling and drop types. Enter the forwarding class.
    7. Click Save.
  2. To import an existing QoS mapping:
    1. In the QoS tab, click the Add QoS drop-down.
    2. Select Import Existing.
    3. Select a QoS mapping.
    4. Click Import.
  3. To view or copy a QoS mapping or to remove the mapping from the localized policy, click the More Actions icon to the right of the row, and select the desired action.
  4. To configure policy rewrite rules for the QoS mapping:
    1. In the QoS tab, click the Add Rewrite Policy drop-down.
    2. Select Create New.
    3. Enter a name and description for the rewrite rule.
    4. Click Add Rewrite Rule. The Add Rule popup displays.
    5. Select a class from the Class drop-down.
    6. Select the priority (Low or High) from the Priority drop-down.
    7. Enter the DSCP value (0 through 63) in the DSCP field.
    8. Enter the class of service (CoS) value (0 through 7) in the Layer 2 Class of Service field to include an 802.1p marking in the packet.
    9. Click Save.
  5. To import an existing rewrite rule:
    1. In the QoS tab, click the Add Rewrite Policy drop-down.
    2. Select Import Existing.
    3. Select a rewrite rule.
    4. Click Import.
  6. Click Next to move to Configure Access Lists in the wizard.

Step 4: Configure ACLs

In the Configure Access Control Lists screen, configure ACLs:

  1. To create a new IPv4 ACL, click the Add Access Control List Policy drop-down. Then select Add IPv4 ACL Policy.
  2. To create a new IPv6 ACL, click the Add Access Control List Policy drop-down. Then select Add IPv6 ACL Policy.
  3. Enter a name and description for the ACL.
  4. In the left pane, click Add ACL Sequence. An Access Control List box is displayed in the left pane.
  5. Double-click the Access Control List box, and type a name for the ACL.
  6. In the right pane, click Add Sequence Rule to create a single sequence in the ACL. The Match tab is selected by default.
  7. Click a match condition.
  8. On the left, enter the values for the match condition.
  9. On the right, enter the action or actions to take if the policy matches.
  10. Repeat Steps 6 through 8 to add match–action pairs to the ACL.
  11. To rearrange match–action pairs in the ACL, in the right pane drag them to the desired position.
  12. To remove a match–action pair from the ACL, click the X in the upper right of the condition.
  13. Click Save Match and Actions to save a sequence rule.
  14. To rearrange sequence rules in an ACL, in the left pane drag the rules to the desired position.
  15. To copy, delete, or rename an ACL sequence rule, in the left pane, click More Options next to the rule's name and select the desired option.
  16. If no packets match any of the ACL sequence rules, the default action is to drop the packets. To change the default action:
    1. Click Default Action in the left pane.
    2. Click the Pencil icon.
    3. Change the default action to Accept.
    4. Click Save Match and Actions.
  17. Click Next to move to Configure Route Policy in the wizard.
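
Changing the default action to Accept (step 16) means every packet that no sequence matches is forwarded, so it is worth checking for in the CLI text that Preview displays. The following is an added example, not Cisco's code: it parses that text and flags such ACLs. The Viptela-style `access-list` / `ipv6 access-list`, `sequence`, `action`, and `default-action` layout is an assumption about the Preview output, and the sample policy and its names are constructed.

```python
import re

# Constructed sample; the Viptela-style CLI layout is an assumption about Preview output.
SAMPLE_PREVIEW = """\
policy
 access-list GUEST-IN
  sequence 10
   match
    destination-port 53
   !
   action accept
   !
  !
  default-action accept
 !
 access-list LAN-IN
  sequence 10
   match
    source-ip 10.1.1.0/24
   !
   action drop
   !
  !
  default-action drop
 !
 route-policy RP-OUT
  default-action accept
 !
!
"""


def parse_acls(cli_text):
    """Return {acl_name: {"sequences": [(number, action)], "default": action}}."""
    acls, current, acl_indent, seq = {}, None, 0, None
    for raw in cli_text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or line == "!":
            continue
        if m := re.fullmatch(r"(?:ipv6 )?access-list (\S+)", line):
            # Per the page, unmatched packets are dropped unless the default is changed.
            current = acls.setdefault(m.group(1), {"sequences": [], "default": "drop"})
            acl_indent, seq = indent, None
        elif current is None or indent <= acl_indent:
            current = None  # outside any ACL block, e.g. inside a route policy
        elif m := re.fullmatch(r"sequence (\d+)", line):
            seq = int(m.group(1))
        elif (m := re.fullmatch(r"action (accept|drop)", line)) and seq is not None:
            current["sequences"].append((seq, m.group(1)))
            seq = None
        elif m := re.fullmatch(r"default-action (accept|drop)", line):
            current["default"] = m.group(1)
    return acls


def audit(acls):
    """Flag ACLs whose default action no longer drops unmatched packets."""
    findings = []
    for name, acl in sorted(acls.items()):
        if acl["default"] == "accept":
            findings.append((name, "default action is accept: unmatched packets are forwarded"))
            if all(action == "accept" for _, action in acl["sequences"]):
                findings.append((name, "no drop sequence: this ACL filters nothing"))
    return findings
```

Pass the Preview text to `parse_acls` and review everything `audit` returns before saving the policy.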

Step 5: Configure Route Policies

In Configure Route Policy, configure route policies:

  1. In the Add Route Policy tab, select Create New.
  2. Enter a name and description for the route policy.
  3. In the left pane, click Add Sequence Type. A Route box is displayed in the left pane.
  4. Double-click the Route box, and type a name for the route policy.
  5. In the right pane, click Add Sequence Rule to create a single sequence in the policy. The Match tab is selected by default.
  6. Click a match condition.
  7. On the left, enter the values for the match condition.
  8. On the right, enter the action or actions to take if the policy matches.
  9. Repeat Steps 6 through 8 to add match–action pairs to the route policy.
  10. To rearrange match–action pairs in the route policy, in the right pane drag them to the desired position.
  11. To remove a match–action pair from the route policy, click the X in the upper right of the condition.
  12. Click Save Match and Actions to save a sequence rule.
  13. To rearrange sequence rules in a route policy, in the left pane drag the rules to the desired position.
  14. To copy, delete, or rename a route policy sequence rule, in the left pane, click More Options next to the rule's name and select the desired option.
  15. If no packets match any of the route policy sequence rules, the default action is to drop the packets. To change the default action:
    1. Click Default Action in the left pane.
    2. Click the Pencil icon.
    3. Change the default action to Accept.
    4. Click Save Match and Actions.
  16. Click Next to move to Policy Overview in the wizard.

Step 6: Configure Policy Settings

In Policy Overview, configure policy settings:

  1. Enter a name and description for the route policy.
  2. To enable cflowd visibility so that a vEdge router can perform traffic flow monitoring on traffic coming to the router from the LAN, click Netflow.
  3. To enable application visibility so that a vEdge router can monitor and track the applications running on the LAN, click Application.
  4. To enable QoS scheduling and shaping for traffic that a vEdge Cloud router receives from transport-side interfaces, click Cloud QoS.
  5. To enable QoS scheduling and shaping for traffic that a vEdge Cloud router receives from service-side interfaces, click Cloud QoS Service Side.
  6. To log the headers of all packets that are dropped because they do not match a service configured by an Allow Service parameter on a tunnel interface, click Implicit ACL Logging.
  7. To configure how often packet flows are logged, click Log Frequency. Packet flows are those that match an access list (ACL), a cflowd flow, or an application-aware routing flow.
  8. Click Preview to view the full policy in CLI format.
  9. Click Save Policy.

View a Policy

  1. In the Centralized Policy or Localized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click View. Policies created with the UI policy builder are displayed in graphical format. Policies created using the CLI are displayed in text format.
  3. Click Cancel to return to the policies table.

For a policy created using the vManage policy configuration wizard, you can view the policy in text format:

  1. In the Centralized Policy or Localized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Preview.
  3. Click Cancel to return to the policies table.

Copy a Policy

  1. In the Centralized Policy or Localized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Copy.
  3. In the Policy Copy popup window, enter the policy name and a description of the policy.
  4. Click Copy.

Edit a Policy

For policies created using the vManage policy configuration wizard:

  1. In the Centralized Policy or Localized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Edit.
  3. Edit the policy as needed.
  4. Click Save Policy Changes.

For policies created using the CLI:

  1. In the Custom Options drop-down, click CLI Policy.
  2. Click the More Actions icon to the right of the column and click Edit.
  3. Edit the policy as needed.
  4. Click Update.

Edit or Create a Policy Component

You can create individual policy components directly and then use them or import them when you are using the policy configuration wizard:

  1. In the Title bar, click the Custom Options drop-down.
  2. For centralized policy, select the policy component type:
    • CLI policy—Create the policy using the command-line interface rather than the policy configuration wizard.
    • Lists—Create groups of interest to import in the Group of Interest screen in the policy configuration wizard.
    • Topology—Create a hub-and-spoke, mesh, or custom topology or a VPN membership to import in the Topology screen in the policy configuration wizard.
    • Traffic Policy—Create an application-aware routing, traffic data, or cflowd policy to import in the Traffic Rules screen in the policy configuration wizard.
  3. For localized policy, select the policy component type:
    • CLI policy—Create the policy using the command-line interface rather than the policy configuration wizard.
    • Lists—Create groups of interest to import in the Group of Interest screen in the policy configuration wizard.
    • Forwarding Class/QoS—Create QoS mappings and rewrite rules to import in the Forwarding Classes/QoS screen in the policy configuration wizard.
    • Access Control Lists—Create ACLs of interest to import in the Configure Access Lists screen in the policy configuration wizard.
    • Route Policy—Create route policies to import in the Configure Route Policies screen in the policy configuration wizard.

Delete a Policy

  1. In the Centralized Policy or Localized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Delete.
  3. Click OK to confirm deletion of the policy.

Activate a Centralized Policy on vSmart Controllers

  1. In the Centralized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Activate.
  3. In the Activate Policy popup, click Activate to push the policy to all reachable vSmart controllers in the network.
  4. Click OK to confirm activation of the policy on all vSmart controllers.

Deactivate a Centralized Policy on vSmart Controllers

  1. In the Centralized Policy tab, select a policy.
  2. Click the More Actions icon to the right of the column and click Deactivate.
  3. In the Deactivate Policy popup, click Deactivate to confirm that you want to remove the policy from all reachable vSmart controllers.