Configure Policies

Policy is used to influence the flow of data traffic among the vEdge routers in the overlay network. The Viptela overlay network separates policy into two functional groups:

  • Centralized policy, which is coordinated by the vSmart controllers. Centralized policy affects the flow of both control plane traffic (the route and TLOC updates carried by OMP that the vSmart controllers use to determine the topology and status of the overlay network) and data plane traffic (the data traffic that moves between vEdge routers in the network). The vSmart controllers distribute centralized data policy to the vEdge routers affected by that policy.
  • Localized policy, which runs on vEdge routers. Localized policy affects the flow of traffic through the router and at the local site where the vEdge router is located. It includes traditional access lists (ACLs) and routing policies that are associated with BGP or OSPF, as well as policies that implement mirroring, policing, and QoS on router interfaces.

You create and store policy configurations on the vManage NMS. As vSmart controllers and vEdge routers join the overlay network, the vManage NMS pushes the policy configurations to the devices.

To simplify the configuration of centralized policy, the vManage NMS provides a policy configuration wizard that walks you through the configuration process and that pushes the policy to any active vSmart controllers in the overlay network.

For localized policy, you use a CLI-style interface on the vManage NMS to configure the policy components. Then, you associate the policy with an interface or with a routing protocol in a feature configuration template.

In vManage NMS, you perform device configuration and policy configuration, for the most part, independently of each other. (You configure Viptela network devices using the templates in the Configuration ► Templates screens, while you configure policy in the Configuration ► Policies screens.) This design separates the tasks required to have a device become operational in the overlay network from the tasks required to control the flow of route and TLOC information and data traffic throughout the network.

The sections below describe how to configure policies from a vManage NMS running Release 17.2 or later.

Configure Centralized Policy

To configure centralized policies, use the vManage policy configuration wizard. The wizard consists of four sequential screens that guide you through the process of creating and editing policy components:

  • Create Applications or Groups of Interest—Create lists that group together related items and that you call in the match or action components of a policy.
  • Configure Topology—Create the network structure to which the policy applies.
  • Configure Traffic Rules—Create the match and action conditions of a policy.
  • Apply Policies to Sites and VPNs—Associate policy with sites and VPNs in the overlay network.

In the first three policy configuration wizard screens, you are creating policy components or blocks. In the last screen, you are applying policy blocks to sites and VPNs in the overlay network.

For a centralized policy to take effect, you must activate the policy.

This section describes how to start the policy configuration wizard and explains the four policy configuration wizard screens.

Start the Policy Configuration Wizard

To start the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy.

The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.

Create Applications or Groups of Interest

To create lists of applications or groups to use in centralized policy:

  1. Start the policy configuration wizard as explained above.
  2. Create new lists, as described in the following table:
List Type | Policy Usage | Procedure
Application | Application-aware routing policy
  1. In the left bar, click Application.
  2. Click New Application List.
  3. Enter a name for the list.
  4. Click either the Application or Application Family button.
  5. From the Select drop-down, select the desired applications or application families.
  6. Click Add.

Two application lists are preconfigured. You cannot edit or delete these lists.

  • Google_Apps—Includes Google applications, such as gmail, Google maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.
  • Microsoft_Apps—Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.
Color | Centralized control policy
  1. In the left bar, click Color.
  2. Click New Color List.
  3. Enter a name for the list.
  4. From the Select Color drop-down, select the desired colors.
  5. Click Add.
Data Prefix | Centralized data policy
  1. In the left bar, click Data Prefix.
  2. Click New Data Prefix List.
  3. Enter a name for the list.
  4. In the Add Data Prefix field, enter one or more data prefixes separated by commas.
  5. Click Add.
Policer | Centralized data policy, VPN membership
  1. In the left bar, click Policer.
  2. Click New Policer List.
  3. Enter a name for the list.
  4. Define the policing parameters:
    1. In the Burst field, enter the maximum traffic burst size, a value from 15,000 to 10,000,000 bytes.
    2. In the Exceed field, select the action to take when the burst size or traffic rate is exceeded. It can be drop, which sets the packet loss priority (PLP) to low, or remark, which sets the PLP to high.
    3. In the Rate field, enter the maximum traffic rate, a value from 0 through 2^64 – 1 bits per second (bps).
  5. Click Add.
Prefix | Application-aware routing policy, centralized control policy
  1. In the left bar, click Prefix.
  2. Click New Prefix List.
  3. Enter a name for the list.
  4. In the Add Prefix field, enter one or more data prefixes separated by commas.
  5. Click Add.
Site | Application-aware routing policy, centralized control policy, centralized data policy
  1. In the left bar, click Site.
  2. Click New Site List.
  3. Enter a name for the list.
  4. In the Add Site field, enter one or more site IDs separated by commas.
  5. Click Add.
SLA Class | Application-aware routing policy
  1. In the left bar, click SLA Class.
  2. Click New SLA Class List.
  3. Enter a name for the list.
  4. Define the SLA class parameters:
    1. In the Loss field, enter the maximum packet loss on the connection, a value from 0 through 100 percent.
    2. In the Latency field, enter the maximum packet latency on the connection, a value from 0 through 1,000 milliseconds.
    3. In the Jitter field, enter the maximum jitter on the connection, a value from 1 through 1,000 milliseconds.
  5. Click Add.
TLOC | Centralized control policy, centralized data policy
  1. In the left bar, click TLOC.
  2. Click New TLOC List. The TLOC List popup displays.
  3. Enter a name for the list.
  4. In the TLOC IP field, enter the system IP address for the TLOC.
  5. In the Color field, select the TLOC's color.
  6. In the Encap field, select the encapsulation type.
  7. In the Preference field, optionally select a preference to associate with the TLOC.
  8. Click Add TLOC to add another TLOC to the list.
  9. Click Save.
VPN | Application-aware routing policy, centralized control policy, centralized data policy
  1. In the left bar, click VPN.
  2. Click New VPN List.
  3. Enter a name for the list.
  4. In the Add VPN field, enter one or more VPN IDs separated by commas.
  5. Click Add.
  3. Click Next to move to Configure Topology in the wizard. When you first open this screen, the Topology tab is selected by default.

Configure the Network Topology

To configure the network topology or a VPN membership to use in centralized policy:

  1. If you are already in the policy configuration wizard, skip to Step 4. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Create a network topology, as described in the following table:
Network Topology | Description | Procedure
Hub and Spoke | Policy for a topology with one or more central hub sites and with spokes connected to a hub
  1. In the Add Topology drop-down, select Hub and Spoke.
  2. Enter a name for the hub-and-spoke policy.
  3. Enter a description for the policy.
  4. In the VPN List field, select the VPN list for the policy.
  5. In the left pane, click Add Hub and Spoke. A hub-and-spoke policy component containing the text string My Hub-and-Spoke is added in the left pane.
  6. Double-click the My Hub-and-Spoke text string, and enter a name for the policy component.
  7. In the right pane, add hub sites to the network topology:
    1. Click Add Hub Sites.
    2. In the Site List Field, select a site list for the policy component.
    3. Click Add.
    4. Repeat Steps 7a, 7b, and 7c to add more hub sites to the policy component.
  8. In the right pane, add spoke sites to the network topology:
    1. Click Add Spoke Sites.
    2. In the Site List Field, select a site list for the policy component.
    3. Click Add.
    4. Repeat Steps 8a, 8b, and 8c to add more spoke sites to the policy component.
  9. Repeat Steps 5 through 8 to add more components to the hub-and-spoke policy.
  10. Click Save Hub and Spoke Policy.
Mesh | Partial-mesh or full-mesh region
  1. In the Add Topology drop-down, select Mesh.
  2. Enter a name for the mesh region policy component.
  3. Enter a description for the mesh region policy component.
  4. In the VPN List field, select the VPN list for the policy.
  5. Click New Mesh Region.
  6. In the Mesh Region Name field, enter a name for the individual mesh region.
  7. In the Site List field, select one or more sites to include in the mesh region.
  8. Repeat Steps 5 through 7 to add more mesh regions to the policy.
  9. Click Save Mesh Region.
Custom Control (Route & TLOC) | Centralized route control policy (for matching OMP routes)
  1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
  2. Enter a name for the control policy.
  3. Enter a description for the policy.
  4. In the left pane, click Add Sequence Type. The Add Control Policy popup displays.
  5. Select Route. A policy component containing the text string Route is added in the left pane.
  6. Double-click the Route text string, and enter a name for the policy component.
  7. In the right pane, click Add Sequence Rule. The Match/Actions box opens, and Match is selected by default.
  8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired. For an explanation of the match conditions, see the OMP Route Match Attributes section in the Configuring Centralized Control Policy article for your software release.
  9. Click Actions. The Reject radio button is selected by default. To configure actions to perform on accepted packets, click the Accept radio button. Then select the action or enter a value for the action. For an explanation of the actions, see the Action Parameters section in the Configuring Centralized Control Policy article for your software release.
  10. Click Save Match and Actions.
  11. Click Add Sequence Rules to configure more sequence rules, as desired. Drag and drop to re-order them.
  12. Click Add Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
  13. Click Save Control Policy.
Custom Control (Route & TLOC) | Centralized TLOC control policy (for matching TLOC routes)
  1. In the Add Topology drop-down, select Custom Control (Route & TLOC).
  2. Enter a name for the control policy.
  3. Enter a description for the policy.
  4. In the left pane, click Add Sequence Type. The Add Control Policy popup displays.
  5. Select TLOC. A policy component containing the text string TLOC is added in the left pane.
  6. Double-click the TLOC text string, and enter a name for the policy component.
  7. In the right pane, click Add Sequence Rule. The Match/Actions box opens, and Match is selected by default.
  8. From the boxes under the Match box, select the desired policy match type. Then select or enter the value for that match condition. Configure additional match conditions for the sequence rule, as desired. For an explanation of the match conditions, see the OMP TLOC Match Attributes section in the Configuring Centralized Control Policy article for your software release.
  9. Click Actions. The Reject radio button is selected by default. To configure actions to perform on accepted packets, click the Accept radio button. Then select the action or enter a value for the action. For an explanation of the actions, see the Action Parameters section in the Configuring Centralized Control Policy article for your software release.
  10. Click Save Match and Actions.
  11. Click Add Sequence Rules to configure more sequence rules, as desired. Drag and drop to re-order them.
  12. Click Add Sequence Type to configure more sequences, as desired. Drag and drop to re-order them.
  13. Click Save Control Policy.
  5. To use an existing topology:
    1. In the Add Topology drop-down, click Import Existing Topology. The Import Existing Topology popup displays.
    2. Select the type of topology.
    3. In the Policy drop-down, select the name of the topology.
    4. Click Import.
  6. To create a VPN membership policy, in the Topology bar, click VPN Membership. Then:
    1. Click Add VPN Membership Policy. The Update VPN Membership Policy popup displays.
    2. Enter a name and description for the VPN membership policy.
    3. In the Site List field, select the site list.
    4. In the VPN Lists field, select the VPN list.
    5. Click Add List to add another VPN to the VPN membership.
    6. Click Save.
  7. Click Next to move to Configure Traffic Rules in the wizard. When you first open this screen, the Application-Aware Routing tab is selected by default.

Configure Traffic Rules

To create the match and action rules to apply to traffic affected by the policy:

  1. If you are already in the policy configuration wizard, skip this procedure. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Click Next. The Configure Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.

You can configure traffic rules for the following types of routing policy:

  • Application-Aware Routing—To create an application-aware routing policy
  • Traffic Data—To create a centralized data policy
  • Cflowd—To create a policy for traffic flow monitoring with cflowd

Create an Application-Aware Routing Policy

To configure traffic rules for application-aware routing policy:

  1. In the Application-Aware Routing bar, select the Application-Aware Routing tab.
  2. Click the Add Policy drop-down.
  3. Select Create New, and in the left pane, click Sequence Type. A policy sequence containing the text string App Route is added in the left pane.
  4. Double-click the App Route text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane.
  5. In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.
  6. To select one or more Match conditions, click its box and set the values as described in the following table:
Match Condition | Procedure
None (match all packets) | Do not specify any match conditions.
Applications/Application Family List
  1. In the Match conditions, click Applications/Application Family List.
  2. In the drop-down, select the application family.
  3. To create an application list:
    1. Click New Application List.
    2. Enter a name for the list.
    3. Click the Application button to create a list of individual applications. Click the Application Family button to create a list of related applications.
    4. In the Select Application drop-down, select the desired applications or application families.
    5. Click Save.
Destination Data Prefix
  1. In the Match conditions, click Destination Data Prefix.
  2. To match a list of destination prefixes, select the list from the drop-down.
  3. To match an individual destination prefix, type the prefix in the Destination box.
Destination Port
  1. In the Match conditions, click Destination Port.
  2. In the Destination field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
DNS Application List (to enable split DNS)
  1. In the Match conditions, click DNS Application List.
  2. In the drop-down, select the application family.
DNS (to enable split DNS)
  1. In the Match conditions, click DNS.
  2. In the drop-down, select Request to process DNS requests for the DNS applications, and select Response to process DNS responses for the applications.
DSCP
  1. In the Match conditions, click DSCP.
  2. In the DSCP field, type the DSCP value, a number from 0 through 63.
PLP
  1. In the Match conditions, click PLP.
  2. In the PLP drop-down, select Low or High. To set the PLP to high, apply a policer that includes the exceed remark option.
Protocol
  1. In the Match conditions, click Protocol.
  2. In the Protocol field, type the Internet Protocol number, a number from 0 through 255.
Source Data Prefix
  1. In the Match conditions, click Source Data Prefix.
  2. To match a list of source prefixes, select the list from the drop-down.
  3. To match an individual source prefix, type the prefix in the Source box.
Source Port
  1. In the Match conditions, click Source Port.
  2. In the Source field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
  7. To select actions to take on matching data traffic, click the Actions box. The available policy actions are listed below the box.
  8. Set the policy action as described in the following table:
Match Condition | Description | Procedure
Backup SLA Preferred Color | When no tunnel matches the SLA, direct the data traffic to a specific tunnel. Data traffic is sent out the configured tunnel if that tunnel interface is available. If that tunnel interface is not available, traffic is sent out another available tunnel. You can specify one or more colors. The backup SLA preferred color is a loose matching, not a strict matching.
  1. In the Action conditions, click Backup SLA Preferred Color.
  2. In the drop-down, select one or more colors.
Counter | Count matching data packets.
  1. In the Action conditions, click Counter.
  2. In the Counter Name field, enter the name of the file in which to store packet counters.
Log | Place a sampled set of packets that match the SLA class rule into system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.
  1. In the Action conditions, click Log to enable logging.
SLA Class List | For the SLA class, all matching data traffic is directed to a tunnel whose performance matches the SLA parameters defined in the class. The software first tries to send the traffic through a tunnel that matches the SLA. If a single tunnel matches the SLA, data traffic is sent through that tunnel. If two or more tunnels match, traffic is distributed among them. If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.
  1. In the Action conditions, click SLA Class List.
  2. In the SLA Class drop-down, select one or more SLA classes.
  3. Optionally, in the Preferred Color drop-down, select the color of the data plane tunnel or tunnels to prefer. Traffic is load-balanced across all tunnels. If no tunnels match the SLA, data traffic is sent through any available tunnel. That is, color preference is a loose matching, not a strict matching.
  4. Click Strict to perform strict matching of the SLA class. If no data plane tunnel is available that satisfies the SLA criteria, traffic is dropped.
  9. Click Save Match and Actions.
  10. Create additional sequence rules as desired. Drag and drop to re-arrange them.
  11. Create additional sequence types as desired. Drag and drop to re-arrange them.
  12. Click Save Application-Aware Routing Policy.

Click Next to move to Apply Policies to Sites and VPNs in the wizard.
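
The tunnel choice described above for the SLA Class List, Preferred Color, Strict, and Backup SLA Preferred Color actions can be checked against measured tunnel statistics before a policy is activated. The Python model below is an added example, not Cisco or Viptela code: the names Tunnel, SlaClass and select_tunnels and the sample measurements are constructed. It assumes that a preferred color narrows the choice only among SLA-compliant tunnels and that Strict takes precedence over a backup color.

```python
"""Model of the application-aware routing tunnel choice (added example)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Tunnel:
    color: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    up: bool = True


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

    def __post_init__(self) -> None:
        # Ranges as documented for the SLA Class list fields.
        if not 0 <= self.max_loss_pct <= 100:
            raise ValueError("loss must be 0 through 100 percent")
        if not 0 <= self.max_latency_ms <= 1000:
            raise ValueError("latency must be 0 through 1,000 ms")
        if not 1 <= self.max_jitter_ms <= 1000:
            raise ValueError("jitter must be 1 through 1,000 ms")

    def met_by(self, t: Tunnel) -> bool:
        """True when the tunnel's measurements are within all three maxima."""
        return (t.loss_pct <= self.max_loss_pct
                and t.latency_ms <= self.max_latency_ms
                and t.jitter_ms <= self.max_jitter_ms)


def _colors(tunnels: Sequence[Tunnel]) -> List[str]:
    return [t.color for t in tunnels]


def select_tunnels(tunnels: Sequence[Tunnel], sla: SlaClass,
                   preferred_colors: Sequence[str] = (),
                   backup_colors: Sequence[str] = (),
                   strict: bool = False) -> Tuple[str, List[str]]:
    """Return (reason, colors of the tunnels that would carry the traffic)."""
    available = [t for t in tunnels if t.up]
    compliant = [t for t in available if sla.met_by(t)]
    if compliant:
        # Loose color preference: used only if a compliant tunnel has it
        # (assumption of this model).
        preferred = [t for t in compliant if t.color in preferred_colors]
        if preferred:
            return "sla-preferred-color", _colors(preferred)
        return "sla", _colors(compliant)
    if strict:
        # Strict matching: no compliant tunnel means the traffic is dropped.
        return "drop", []
    backup = [t for t in available if t.color in backup_colors]
    if backup:
        return "backup-preferred-color", _colors(backup)
    if available:
        # Non-strict fallback: any available tunnel.
        return "any-available", _colors(available)
    return "no-tunnel", []


# Constructed sample data: three tunnels and three SLA classes.
SAMPLE_TUNNELS = [
    Tunnel("mpls", loss_pct=0.1, latency_ms=40, jitter_ms=5),
    Tunnel("biz-internet", loss_pct=1.5, latency_ms=80, jitter_ms=12),
    Tunnel("lte", loss_pct=4.0, latency_ms=150, jitter_ms=30),
]
VOICE = SlaClass("voice", max_loss_pct=1, max_latency_ms=100, max_jitter_ms=10)
BULK = SlaClass("bulk", max_loss_pct=5, max_latency_ms=200, max_jitter_ms=50)
TIGHT = SlaClass("tight", max_loss_pct=0, max_latency_ms=20, max_jitter_ms=1)

if __name__ == "__main__":
    cases = [
        ("voice", VOICE, {}),
        ("bulk, prefer biz-internet", BULK,
         {"preferred_colors": ["biz-internet"]}),
        ("tight, strict", TIGHT, {"strict": True}),
        ("tight, backup lte", TIGHT, {"backup_colors": ["lte"]}),
    ]
    for label, sla, kwargs in cases:
        print(label, "->", select_tunnels(SAMPLE_TUNNELS, sla, **kwargs))
```

The Strict case is the one to review with care: when no tunnel meets the SLA, matching traffic is dropped rather than rerouted, so a tight SLA class combined with Strict can black-hole an application during a brownout.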

Create a Traffic Data Policy

To configure traffic rules for centralized data policy:

  1. In the Application-Aware Routing bar, select the Traffic Data tab.
  2. Click the Add Policy drop-down.
  3. Select Create New. The Add Data Policy popup opens.
  4. Select the type of data policy from Application Firewall, QoS, Service Chaining, Traffic Engineering, and Custom.
  5. In the left pane, click Sequence Type. A policy sequence containing the text string Application Firewall, QoS, Service Chaining, Traffic Engineering, or Custom is added in the left pane.
  6. Double-click the text string, and enter a name for the policy sequence. The name you type is displayed both in the Sequence Type list in the left pane and in the right pane.
  7. In the right pane, click Sequence Rule. The Match/Action box opens, and Match is selected by default. The available policy match conditions are listed below the box.
  8. To select one or more Match conditions, click its box and set the values as described in the following table. Note that not all match conditions are available for all policy sequence types.
Match Condition | Procedure
None (match all packets) | Do not specify any match conditions.
Applications/Application Family List
  1. In the Match conditions, click Applications/Application Family List.
  2. In the drop-down, select the application family.
  3. To create an application list:
    1. Click New Application List.
    2. Enter a name for the list.
    3. Click the Application button to create a list of individual applications. Click the Application Family button to create a list of related applications.
    4. In the Select Application drop-down, select the desired applications or application families.
    5. Click Save.
Destination Data Prefix
  1. In the Match conditions, click Destination Data Prefix.
  2. To match a list of destination prefixes, select the list from the drop-down.
  3. To match an individual destination prefix, type the prefix in the Destination box.
Destination Port
  1. In the Match conditions, click Destination Port.
  2. In the Destination field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
DNS Application List (to enable split DNS)
  1. In the Match conditions, click DNS Application List.
  2. In the drop-down, select the application family.
DNS (to enable split DNS)
  1. In the Match conditions, click DNS.
  2. In the drop-down, select Request to process DNS requests for the DNS applications, and select Response to process DNS responses for the applications.
DSCP
  1. In the Match conditions, click DSCP.
  2. In the DSCP field, type the DSCP value, a number from 0 through 63.
Packet Length
  1. In the Match conditions, click Packet Length.
  2. In the Packet Length field, type the length, a value from 0 through 65535.
PLP
  1. In the Match conditions, click PLP.
  2. In the PLP drop-down, select Low or High. To set the PLP to high, apply a policer that includes the exceed remark option.
Protocol
  1. In the Match conditions, click Protocol.
  2. In the Protocol field, type the Internet Protocol number, a number from 0 through 255.
Source Data Prefix
  1. In the Match conditions, click Source Data Prefix.
  2. To match a list of source prefixes, select the list from the drop-down.
  3. To match an individual source prefix, type the prefix in the Source box.
Source Port
  1. In the Match conditions, click Source Port.
  2. In the Source field, enter the port number. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).
TCP
  1. In the Match conditions, click TCP.
  2. In the TCP field, syn is the only option available.
  9. To select actions to take on matching data traffic, click the Actions box.
  10. To drop matching traffic, click the Drop button.
  11. To accept matching traffic, click the Accept button. The available policy actions are listed to the right of the button.
  12. Set the policy action as described in the following table:
Match Condition | Description | Procedure
Counter | Count matching data packets.
  1. In the Action conditions, click Counter.
  2. In the Counter Name field, enter the name of the file in which to store packet counters.
DSCP | Assign a DSCP value to matching data packets.
  1. In the Action conditions, click DSCP.
  2. In the DSCP field, type the DSCP value, a number from 0 through 63.
Forwarding Class | Assign a forwarding class to matching data packets.
  1. In the Match conditions, click Forwarding Class.
  2. In the Forwarding Class field, type the class value, which can be up to 32 characters long.
Log | Place a sampled set of packets that match the SLA class rule into system logging (syslog) files. In addition to logging the packet headers, a syslog message is generated the first time a packet header is logged and then every 5 minutes thereafter, as long as the flow is active.
  1. In the Action conditions, click Log to enable logging.
Policer | Apply a policer to matching data packets.
  1. In the Match conditions, click Policer.
  2. In the Policer drop-down field, select the name of a policer.
  13. Click Save Match and Actions.
  14. Create additional sequence rules as desired. Drag and drop to re-arrange them.
  15. Create additional sequence types as desired. Drag and drop to re-arrange them.
  16. Click Save Data Policy.

Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Create a Cflowd Policy

To configure traffic rules for cflowd policy:

  1. In the Application-Aware Routing bar, select the Cflowd tab.
  2. Click the Add Policy drop-down.
  3. Select Create New. The Add Cflowd Policy popup opens.
  4. Configure timer parameters for the cflowd template:
    1. In the Active Flow Timeout field, specify how long to collect a set of flows on which traffic is actively flowing, a value from 30 through 3,600 seconds. The default is 600 seconds (10 minutes).
    2. In the Inactive Flow Timeout field, specify how long to wait to send a set of sampled flows to a collector for a flow on which no traffic is flowing, a value from 1 through 3,600 seconds. The default is 60 seconds (1 minute).
    3. In the Flow Refresh Interval field, specify how often to send the cflowd template record fields to the collector, a value from 60 through 86,400 seconds (1 minute through 1 day). The default is 90 seconds.
    4. In the Sampling Interval field, specify how many packets to wait before creating a new flow, a value from 1 through 65,536 seconds. While you can configure any integer value, the software rounds the value down to the nearest power of 2.
  5. Click Add New Collector, and configure the location of the cflowd collector. You can configure up to four collectors.
    1. In the VPN ID field, enter the number of the VPN in which the collector is located.
    2. In the IP Address field, enter the IP address of the collector.
    3. In the Port Number field, enter the collector port number. The default port is 4739.
    4. In the Transport Protocol drop-down, select the transport type to use to reach the collector, either TCP or UDP.
    5. In the Source Interface field, enter the name of the interface to use to send flows to the collector. It can be a Gigabit Ethernet or 10-Gigabit Ethernet interface (ge), or a loopback interface (loopbacknumber).
  6. Click Save Cflowd Policy.

Click Next to move to Apply Policies to Sites and VPNs in the wizard.

Apply Policies to Sites and VPNs

In the last screen of the policy configuration wizard, you associate the policy blocks that you created on the previous three screens with VPNs and with sites in the overlay network.

To apply a policy block to sites and VPNs in the overlay network:

  1. If you are already in the policy configuration wizard, skip to Step 6. Otherwise, in vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Click Next. The Configure Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.
  5. Click Next. The Apply Policies to Sites and VPNs screen opens.
  6. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (-), and underscores (_). It cannot contain spaces or any other characters.
  7. In the Policy Description field, enter a description of the policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.
  8. From the Topology bar, select the type of policy block. The table then lists policies that you have created for that type of policy block.
  9. Associate the policy with VPNs and sites. The choice of VPNs and sites depends on the type of policy block:
    1. For a Topology policy block, click Add New Site List and VPN List or Add New Site. Some topology blocks might have no Add buttons. Select one or more site lists, and select one or more VPN lists. Click Add.
    2. For an Application-Aware Routing policy block, click Add New Site List and VPN list. Select one or more site lists, and select one or more VPN lists. Click Add.
    3. For a Traffic Data policy block, click Add New Site List and VPN List. Select the direction for applying the policy (From Tunnel, From Service, or All), select one or more site lists, and select one or more VPN lists. Click Add.
    4. For a cflowd policy block, click Add New Site List. Select one or more site lists. Click Add.
  10. Click Preview to view the configured policy. The policy is displayed in CLI format.
  11. Click Save Policy. The Configuration ► Policies screen opens, and the policies table includes the newly created policy.

Activate a Centralized Policy

Activating a centralized policy sends that policy to all connected vSmart controllers. To activate a centralized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Select a policy.
  3. Click the More Actions icon to the right of the row, and click Activate. The Activate Policy popup opens. It lists the IP addresses of the reachable vSmart controllers to which the policy is to be applied.
  4. Click Activate.

Configure Localized Policy

To configure localized policy, also called a route policy:

  • Create the localized policy.
  • Apply the policy in a device configuration template.

Create a Localized Policy

To create a localized policy, also called a route policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Localized Policy.
  3. Click Add CLI Policy. The Add CLI Policy screen opens.
  4. In the Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  5. In the Description field, enter a description for the route policy. It can contain up to 2048 characters. This field is mandatory, and it can contain any characters and spaces.
  6. Enter the policy configuration in CLI format.
  7. Click Create Variable to create a variable to use in the configuration.
  8. Click Select a File to import a file containing policy configuration commands.
  9. Click Add. The Configuration ► Policies screen opens, and the policies table includes the newly created policy.

Apply a Localized Policy

You apply a localized control policy in a device configuration template:

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. If you are creating a new device template:
    1. In the Device tab, click Create Template.
    2. From the Create Template drop-down, select From Feature Template.
    3. From the Device Model drop-down, select one of the vEdge devices.
    4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
    5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
    6. Continue with Step 4.
  3. If you are editing an existing device template:
    1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
    2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
    3. From the Policy drop-down, select the name of a policy that you have configured.
  4. Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
  5. From the Policy drop-down, select the name of the policy you configured in the above procedure.
  6. To apply a route policy to BGP:
    1. Scroll to the Service VPN section.
    2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
    3. From Additional VPN Templates, select BGP.
    4. From the BGP drop-down, click Create Template or View Template.
    5. Select the Neighbor tab, click the plus sign (+), and click More.
    6. In Address Family, change the scope to Device Specific. Then, click On to enable Address Family, click On to enable Route Policy In, and specify the name of a route policy to apply to prefixes received from the neighbor, or click On to enable Route Policy Out, and specify the name of a route policy to apply to prefixes sent to the neighbor. This name is one that you configured with a policy route-policy command.
    7. Click Save to save the neighbor configuration, and then click Save to save the BGP configuration.
  7. To apply a route policy to routes coming from all OSPF neighbors:
    1. Scroll to the Service VPN section.
    2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
    3. From Additional VPN Templates, select OSPF.
    4. Click Create Template or View Template.
    5. Select the Advanced tab.
    6. In Policy Name, specify the name of a route policy to apply to incoming routes. This name is one that you configured with a policy route-policy command.
    7. Click Save.
  8. To apply a route policy before redistributing routes into OSPF:
    1. Scroll to the Service VPN section.
    2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
    3. From Additional VPN Templates, select OSPF.
    4. Click Create Template or View Template.
    5. Select the Redistribute tab, click the plus sign (+), and select the protocol from which to redistribute routes into OSPF.
    6. Specify the name of a route policy to apply to the routes being redistributed. This name is one that you configured with a policy route-policy command.
    7. Click Save.
  9. Click Save (for a new template) or Update (for an existing template).

View a Policy

To view a centralized or localized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. In the Centralized Policy or Localized Policy tab, select a policy.
  3. To view the policy, click the More Actions icon to the right of the row, and click View. For a centralized policy whose type field is UI Policy Builder, the policy blocks are displayed. For a policy whose type is CLI, the policy's CLI configuration is displayed.
  4. If the centralized policy type field is UI Policy Builder, to display the policy in CLI format, click the More Actions icon to the right of the row, and click Preview.

Copy a Policy

To copy a centralized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. In the Centralized Policy or Localized Policy tab, select a policy whose type field is UI Policy Builder.
  3. To copy the policy, click the More Actions icon to the right of the row, and click Copy. The Policy Copy popup opens.
  4. Enter the name of the new policy and a description of the policy.
  5. Click Copy. The copied policy is then listed in the policy table.

Edit a Policy

To edit a centralized or localized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. In the Centralized Policy or Localized Policy tab, select a policy.
  3. Click the More Actions icon to the right of the row, and click Edit.

Delete a Policy

To delete a centralized or localized policy:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. In the Centralized Policy or Localized Policy tab, select a policy.
  3. To delete the policy, click the More Actions icon to the right of the row, and click Delete.
  4. Click OK to confirm deletion of the policy.

Modify, Copy, or Delete a List in a Centralized Policy

To modify a list from the Configure ► Policies screen:

  1. In the Title bar, click the Custom Options drop-down.
  2. Select Lists. The Define List screen opens.
  3. In the left pane, select the type of list.
  4. In the lists table, select the desired list.
  5. To edit the list, click the Pencil icon to the right of the list.
  6. To copy the list, click the Duplicate icon to the right of the list.
  7. To delete the list, click the Trash icon to the right of the list.

To modify a list from within the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. In the left pane, select the type of list.
  4. In the lists table, select the desired list.
  5. To edit the list, click the Pencil icon to the right of the list.
  6. To copy the list, click the Duplicate icon to the right of the list.
  7. To delete the list, click the Trash icon to the right of the list.

Modify, Copy, or Delete a Topology or VPN Membership Block in a Centralized Policy

To modify a network topology or VPN membership from the Configure ► Policies screen:

  1. In the Title bar, click the Custom Options drop-down.
  2. Select Topology. The Topology screen displays.
  3. In the Topology bar, select either the Topology or VPN Membership tab.
  4. Select the desired topology or VPN membership.
  5. To edit the item, click the Pencil icon to the right of the item.
  6. To copy the item, click the Duplicate icon to the right of the item.
  7. To delete the item, click the Trash icon to the right of the item.

To modify a topology or VPN membership from within the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Select the desired topology or VPN membership.
  5. To edit the item, click the Pencil icon to the right of the item.
  6. To copy the item, click the Duplicate icon to the right of the item.
  7. To delete the item, click the Trash icon to the right of the item.

Modify, Copy, or Delete a Traffic Rule in a Centralized Policy

To modify a traffic rule from the Configure ► Policies screen:

  1. In the Title bar, click the Custom Options drop-down.
  2. Select Traffic Policy. The Traffic Policy screen opens.
  3. In the Application-Aware Routing bar, select either the Application-Aware Routing, Traffic Data, or Cflowd tab.
  4. Select the desired traffic policy component.
  5. To edit the item, click the Pencil icon to the right of the item.
  6. To copy the item, click the Duplicate icon to the right of the item.
  7. To delete the item, click the Trash icon to the right of the item.

To modify a traffic rule from within the policy configuration wizard:

  1. In vManage NMS, select the Configure ► Policies screen. When you first open this screen, the Centralized Policy tab is selected by default.
  2. Click Add Policy. The policy configuration wizard opens, and the Create Applications or Groups of Interest screen is displayed.
  3. Click Next. The Network Topology screen opens, and in the Topology bar, the Topology tab is selected by default.
  4. Click Next. The Traffic Rules screen opens, and in the Application-Aware Routing bar, the Application-Aware Routing tab is selected by default.
  5. Select the desired traffic policy type—Application-Aware Routing, Traffic Data, or Cflowd. The policy blocks for that traffic type are listed in the table.
  6. To edit the item, click the Pencil icon to the right of the item.
  7. To copy the item, click the Duplicate icon to the right of the item.
  8. To delete the item, click the Trash icon to the right of the item.

Configure Policies in Release 17.1

This section describes how to configure policies from a vManage NMS running Release 17.1.

Create an Application-Aware Routing Policy

To configure application-aware routing policy in vManage NMS, perform the following steps:

  1. Configure lists to group related items, to be called in the application-aware routing policy.
  2. Configure the application-aware routing policy.
  3. Apply the policy.

Configure Lists

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policies title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. Click Define Lists, located in the upper right corner of the screen.
  4. In the left pane, select the type of list. For application-aware routing policy, you can use Application, Data Prefix, Prefix, SLA Class, and VPN lists.
  5. To create a new list, click New List.
    To modify an existing list, click the More Actions icon to the right of the desired list, and click the pencil icon.
  6. In the List Name field, enter a name for the list. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  7. In the field below the List Name field, enter the desired values for the list. For some lists you type the desired values, and for others you select from a drop-down.
  8. Click Add (for a new list) or Save (for an existing list).

Configure an Application-Aware Routing Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policy title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. In the Policy bar, click Traffic.
  4. To create a new application-aware routing policy, click Add App Route Policy.
    To modify an existing policy, click the More Actions icon to the right of the desired policy, and click the pencil icon.
  5. If data traffic does not match any of the conditions in one of the sequences, it is dropped by default. If you want nonmatching routes to be accepted, click the pencil icon in the Default Action, click Accept, and click Save Match And Actions.
  6. To create a match–action sequence for data traffic:
    1. Click Sequence Type.
    2. To create a match–action rule, click Sequence Rule. The Match button is selected by default.
    3. Click the desired Match button, and enter the desired values in Match Conditions. For some conditions, you type the desired values, and for others you select from a drop-down.
    4. Click the Actions button.
    5. Click the desired action, and enter the desired values for Actions.
    6. Click Save Match and Actions.
    7. Create additional Sequence Rules or Sequence Types, as needed.
  7. To rename a Sequence Type, double-click its name in the right pane, and type the new name. The name also changes in the right pane.
  8. To re-order sequence rules and types, drag and drop them.
  9. Click Save.

You can also configure an application-aware routing policy directly from the Configuration ► Policies screen:

  1. Click Assemble Full Policy.
  2. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  3. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  4. Click Data in the bar located directly below the Policy Description field.
  5. In the left pane, click Add App Route Policy, and follow Steps 6, 7, and 8 above.

Apply an Application-Aware Routing Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Click Assemble Full Policy.
  3. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  4. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  5. Click App Route Policy in the bar located directly below the Policy Description field.
  6. In the left pane, select a data policy. The right pane displays the New Site List and VPN List box.
  7. Click New Site List and VPN List.
  8. Click the Select Site List field, and select a site list.
  9. Click the Select VPN List field, and select a VPN list.
  10. Click Add.
  11. To add additional components to the application-aware routing policy, repeat Steps 6 through 10.
  12. Click Save.

Create a Centralized Data Policy

To configure a centralized data policy in vManage NMS, perform the following steps:

  1. Configure lists to group related items, to be called in the centralized data policy.
  2. Configure the centralized data policy.
  3. Apply the policy.

Configure Lists

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policies title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. Click Define Lists, located in the upper right corner of the screen.
  4. In the left pane, select the type of list. For centralized data policy, you can use Application, Prefix, Site, TLOC, and VPN lists.
  5. To create a new list, click New List.
    To modify an existing list, click the More Actions icon to the right of the desired list, and click the pencil icon.
  6. In the List Name field, enter a name for the list. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  7. In the field below the List Name field, enter the desired values for the list. For some lists you type the desired values, and for others you select from a drop-down.
  8. Click Add (for a new list) or Save (for an existing list).

Configure a Centralized Data Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policies title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. In the Policy bar, click Traffic.
  4. To create a new centralized data policy, click Add Data Policy.
    To modify an existing policy, click the More Actions icon to the right of the desired policy, and click the pencil icon.
  5. If data traffic does not match any of the conditions in one of the sequences, it is dropped by default. If you want nonmatching routes to be accepted, click the pencil icon in the Default Action, click Accept, and click Save Match And Actions.
  6. To create a match–action sequence for data traffic:
    1. Click Sequence Type.
    2. In the Add Data Policy dialog box, select Application Firewall, QoS, Service Chaining, Traffic Engineering, or Custom.
    3. To create a match–action rule, click Sequence Rule. The Match button is selected by default.
    4. Click the desired Match button, and enter the desired values in Match Conditions. For some conditions, you type the desired values, and for others you select from a drop-down.
    5. Click the Actions button. The default action is Reject. To accept matching packets, click the Accept radio button. Then click the desired action, and enter the desired values for Actions.
    6. Click Save Match and Actions.
    7. Create additional Sequence Rules or Sequence Types, as needed.
  7. To rename a Sequence Type, double-click its name in the right pane, and type the new name. The name also changes in the right pane.
  8. To re-order sequence rules and types, drag and drop them.
  9. Click Save.

You can also configure a centralized data policy directly from the Configuration ► Policies screen:

  1. Click Assemble Full Policy.
  2. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  3. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  4. Click Data in the bar located directly below the Policy Description field.
  5. In the left pane, click Add Data Policy, and follow Steps 6, 7, and 8 above.

Apply a Centralized Data Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Click Assemble Full Policy.
  3. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  4. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  5. Click Data in the bar located directly below the Policy Description field.
  6. In the left pane, select a data policy. The right pane displays the New Site List and VPN List box.
  7. Click New Site List and VPN List.
  8. Click the From Tunnel, From Service, or All radio button to configure which traffic the centralized data policy applies to.
  9. Click the Select Site List field, and select a site list.
  10. Click the Select VPN List field, and select a VPN list.
  11. Click Add.
  12. To add additional components to the centralized data policy, repeat Steps 6 through 11.
  13. Click Save.

Create a Centralized Control Policy

To configure a centralized control policy in vManage NMS, perform the following steps:

  1. Configure lists to group related items to be called in the centralized control policy.
  2. Configure the centralized control policy.
  3. Apply the policy.

Configure Lists

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policies title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. Click Define Lists, located in the upper right corner of the screen.
  4. In the left pane, select the type of list. For centralized control policy, you can use Prefix, Site, TLOC, and VPN lists.
  5. To create a new list, click New List.
    To modify an existing list, click the More Actions icon to the right of the desired list, and click the pencil icon.
  6. In the List Name field, enter a name for the list. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  7. In the field below the List Name field, enter the desired values for the list. For some lists you type the desired values, and for others you select from a drop-down.
  8. Click Add (for a new list) or Save (for an existing list).

Configure a Centralized Control Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. In the Policy title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policy Screen, Centralized Policy is selected by default.
  3. In the Policy bar, click Control.
  4. To create a new centralized control policy, click Add Control Policy.
    To modify an existing policy, click the More Actions icon to the right of the desired policy, and click the pencil icon.
  5. If a route does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching routes to be accepted, click the pencil icon in the Default Action, click Accept, and click Save Match And Actions.
  6. To create a match–action sequence for routes or TLOCs:
    1. Click Sequence Type.
    2. In the Add Control Policy dialog box, select Route or TLOC.
    3. To create a match–action rule, click Sequence Rule. The Match button is selected by default.
    4. Click the desired Match button, and enter the desired values in Match Conditions. For some conditions, you type the desired values, and for others you select from a drop-down.
    5. Click the Actions button. The default action is Reject. To accept matching packets, click the Accept radio button. Then click the desired action, and enter the desired values for Actions.
    6. Click Save Match and Actions.
    7. Create additional Sequence Rules or Sequence Types, as needed.
  7. To rename a Sequence Type, double-click its name in the right pane, and type the new name. The name also changes in the right pane.
  8. To re-order sequence rules and types, drag and drop them.
  9. Click Save.

You can also configure a centralized control policy directly from the Configuration ► Policies screen:

  1. Click Assemble Full Policy.
  2. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  3. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  4. Click Control in the bar located directly below the Policy Description field.
  5. In the left pane, click Add Control Policy, and follow Steps 6, 7, and 8 above.

Apply a Centralized Control Policy

  1. In vManage NMS, select the Configuration ► Policies screen.
  2. Click Assemble Full Policy.
  3. In the Policy Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
  4. In the Policy Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
  5. Click Control in the bar located directly below the Policy Description field.
  6. In the left pane, select a control policy. The right pane displays the New Site List box.
  7. Click New Site List.
  8. Click the Inbound Site List or Outbound Site List field, select a site list, and click Add.
  9. To add additional components to the centralized control policy, repeat Steps 6 through 8.
  10. Click Save.

Configure vEdge Policies

Localized policies that you configure on vEdge routers affect the flow of traffic through the router and at the local site where the vEdge router is situated. Configuring vEdge policies is done in three steps:

  1. Define the policy configuration.
  2. Reference the policy in the appropriate feature template.
  3. Apply the policy to the router by attaching the master configuration template to the router.

For ease of policy management, you should configure all required vEdge policies in a single policy "bucket" on the vManage NMS.

Define a vEdge Policy

To configure a vEdge policy:

  1. In vManage NMS, select the Configuration ► Policy screen.
  2. From the Policy title bar, select vEdge.
  3. Click Add Policy.
  4. Enter a name and description of the policy. This name is used only on this screen in the vManage NMS. To avoid confusion, we refer to it as the "vManage policy name."
  5. Enter the policy configuration using CLI-style text directly on the vManage NMS. Enter all the policy components for all the types of policies required on your overlay network for all the routers in the network. Ensure that all policies and policy lists are identified by unique names.
    Click Select a File to upload a text file containing the configuration text. You can also enter the configuration directly into the CLI Configuration box, either by cutting and pasting or by typing directly.
  6. To convert an actual configuration value to a variable, select the value and click Create Variable. Enter the variable name, and click Create Variable. You can also type the variable name directly, in the format {{variable-name}}; for example, {{hostname}}. This feature is available in Releases 16.2 and later.
  7. Click Add.

Reference vEdge Policies in Feature Templates

To include a vEdge policy in a router's feature template:

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more router models. You can create a single feature template for features that are available on more than one vEdge model. You must create separate feature templates for software features that are available only on one or a subset of router models.
  5. To configure BGP or OSPF policy on a vEdge router, in the right pane, select the BGP or OSPF template. You can redistribute routes learned from other protocols into BGP and OSPF.
    1. Click Redistribute.
    2. Click the plus sign (+) to add a policy.
    3. From Protocol, select the protocol from which to redistribute routes into BGP or OSPF.
    4. From Route Policy, type the name of the specific policy specified with a route-policy command in the configuration that you placed in the vManage policy. For example, for a policy named "redistribute-connected" (configured with the route-policy redistribute-connected command), type the route policy name "redistribute-connected".
  6. To configure policies that affect traffic flow on a router's interface, select the VPN-vEdge-Interface template:
    1. Click ACL.
    2. To associate an ACL with the interface, under Ingress ACL or Egress ACL (or both), click the On button. Then type the name of the specific ACL (configured with the policy access-list command) in the corresponding Access list box.
    3. To configure policing on the interface, under Ingress policer or Egress policer (or both), click the On button. Then type the name of the specific ACL that invokes the policer (a policy configured with a policy access-list command) in the corresponding Access list box.
    4. To associate a QoS map with the interface, under QoS map, type the name of the specific ACL that invokes the QoS map (a policy configured with the policy access-list command).
    5. To associate a rewrite rule with the interface, under Rewrite rule, type the name of the specific ACL that invokes the rewrite rule (a policy configured with the policy rewrite-rule command).
  7. Click Save.
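
Because feature templates refer to policies only by a typed name, a misspelled or duplicated name in the CLI-style policy text is easy to miss until the template is attached. The following pre-upload check is an added example, not Cisco code: it collects the route-policy, access-list, and rewrite-rule names defined in a policy file, reports duplicates, confirms that each name you plan to type into a feature template resolves, and lists the {{variable-name}} tokens. The sample policy text and template references are constructed, and two checks are assumptions: the unique-names rule is applied across all three kinds, and any brace outside a {{variable-name}} token is treated as a mistake.

```python
import re
from collections import defaultdict

# Policy kinds the page names: "policy route-policy", "policy access-list",
# and "policy rewrite-rule".
KINDS = ("route-policy", "access-list", "rewrite-rule")
VARIABLE = re.compile(r"\{\{([^{}\s]+)\}\}")


def indent(line):
    return len(line) - len(line.lstrip(" "))


def definitions(text):
    """Return [(kind, name, line_no)] for direct children of a 'policy' block."""
    found = []
    policy_indent = None  # indent of the enclosing 'policy' line, if any
    child_indent = None   # indent of that block's direct children
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        ind, words = indent(line), line.split()
        if policy_indent is None or ind <= policy_indent:
            # Outside a policy block, or just left one.
            policy_indent = ind if words == ["policy"] else None
            child_indent = None
            continue
        if child_indent is None:
            child_indent = ind
        if ind == child_indent and len(words) == 2 and words[0] in KINDS:
            found.append((words[0], words[1], no))
    return found


def variables(text):
    """Return (sorted variable names, line numbers holding stray braces)."""
    names, stray = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        names.update(VARIABLE.findall(line))
        rest = VARIABLE.sub("", line)
        if "{" in rest or "}" in rest:  # assumption: braces appear only in variables
            stray.append(no)
    return sorted(names), stray


def lint(text, references):
    """references: [(kind, name)] exactly as they will be typed into templates."""
    defs = definitions(text)
    by_name = defaultdict(list)
    for kind, name, no in defs:
        by_name[name].append((kind, no))
    problems = []
    for name, uses in sorted(by_name.items()):
        if len(uses) > 1:  # assumption: names must be unique across all kinds
            where = ", ".join(f"{k} line {n}" for k, n in uses)
            problems.append(f"duplicate name {name!r}: {where}")
    defined = {(kind, name) for kind, name, _ in defs}
    for kind, name in references:
        if (kind, name) not in defined:
            problems.append(f"template references undefined {kind} {name!r}")
    names, stray = variables(text)
    for no in stray:
        problems.append(f"line {no}: brace outside a {{{{variable-name}}}} token")
    return problems, names


# Constructed sample: a duplicate ACL name and an unbalanced variable.
SAMPLE_POLICY = """\
policy
 lists
  prefix-list site-prefixes
   ip-prefix {{site_prefix}}
 route-policy redistribute-connected
  sequence 10
   match
    address site-prefixes
   action accept
  default-action reject
 access-list lan-in
  sequence 10
   match
    destination-port 22
   action drop
  default-action accept
 access-list lan-in
  sequence 10
   action accept
  default-action drop
 rewrite-rule mark-voice
  class voice low dscp {{voice_dscp}
"""

# Constructed sample: names an operator intends to type into feature templates.
SAMPLE_REFERENCES = [
    ("route-policy", "redistribute-connected"),  # BGP/OSPF Redistribute tab
    ("access-list", "lan-out"),                  # Egress ACL box, not defined
    ("rewrite-rule", "mark-voice"),              # Rewrite rule box
]

if __name__ == "__main__":
    problems, names = lint(SAMPLE_POLICY, SAMPLE_REFERENCES)
    print("variables to fill in:", ", ".join(names) or "(none)")
    for p in problems:
        print("PROBLEM:", p)
```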

Apply Policy to Routers

To apply policy to vEdge routers, you include the feature templates in master configuration templates, and then attach the master configuration template to the routers. See Configure a vEdge Router.

Configure Policies in Releases 16.3 and Earlier

This section describes how to configure policies from a vManage NMS running Release 16.3, 16.2, 16.1, 15.4, or 15.3.

Configure a Centralized vSmart Policy

For vSmart policies, you create a policy configuration that contains the complete centralized policy definition for the vSmart controllers. Then, you activate this configuration on all the vSmart controllers. If your overlay network has more than one vSmart controller, the activation operation occurs simultaneously on all the controllers.

You can activate only one vSmart policy configuration at a time. If you later activate a different policy, the existing one is overwritten.

You can create additional centralized vSmart policy configurations so that they are available if you need to quickly change centralized policies, for example, during a network attack of some type.

To configure a centralized vSmart policy:

  1. In vManage NMS, select the Configuration ► Policy screen.
  2. From the Policy title bar, select vSmart.
  3. From the row beneath the title bar, select Add Policy.
  4. Enter a name and description of the policy.
  5. Enter the policy configuration using CLI-style text directly on the vManage NMS. Click Select a file to upload a text file containing the configuration text. You can also enter the configuration directly into the CLI Configuration box, either by cutting and pasting or by typing directly. For information about the policy CLI configuration syntax, see the Policy Overview article for your software release.
  6. Click Add.
  7. To create additional policies, repeat Steps 3 through 6.

Activate a Centralized vSmart Policy

If your overlay network has more than one vSmart controller, the centralized vSmart policies on all the controllers must be identical. When you activate a vSmart policy, the vManage NMS pushes it to all reachable vSmart controllers. More specifically, when you activate the policy, the vManage NMS pushes both the policy portion of the configuration and the currently attached master configuration template to each vSmart controller.

To activate a centralized vSmart policy:

  1. In vManage NMS, select the Configuration ► Policy screen.
  2. From the Policy title bar, select vSmart.
  3. Select the vSmart policy from the list.
  4. Click the More Actions icon to the right of the row, and select Activate.
  5. Click Activate. If your network has more than one vSmart controller, the policy is activated on them all simultaneously.

Configure vEdge Policies

Localized policies that you configure on vEdge routers affect the flow of traffic through the router and at the local site where the vEdge router is situated. Configuring vEdge policies is done in three steps:

  1. Define the policy configuration.
  2. Reference the policy in the appropriate feature template.
  3. Apply the policy to the router by attaching the master configuration template to the router.

For ease of policy management, you should configure all required vEdge policies in a single policy "bucket" on the vManage NMS.

Define a vEdge Policy

To configure a vEdge policy:

  1. In vManage NMS, select the Configuration ► Policy screen.
  2. From the Policy title bar, select vEdge.
  3. Click Add Policy.
  4. Enter a name and description of the policy. This name is used only on this screen in the vManage NMS. To avoid confusion, we refer to it as the "vManage policy name."
  5. Enter the policy configuration using CLI-style text directly on the vManage NMS. Enter all the policy components for all the types of policies required on your overlay network for all the routers in the network. Ensure that all policies and policy lists are identified by unique names.
    Click Select a File to upload a text file containing the configuration text. You can also enter the configuration directly into the CLI Configuration box, either by cutting and pasting or by typing directly.
  6. To convert an actual configuration value to a variable, select the value and click Create Variable. Enter the variable name, and click Create Variable. You can also type the variable name directly, in the format {{variable-name}}; for example, {{hostname}}. This feature is available in Releases 16.2 and later.
  7. Click Add.

Reference vEdge Policies in Feature Templates

To include a vEdge policy in a router's feature template:

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select one or more router models. You can create a single feature template for features that are available on more than one vEdge model. You must create separate feature templates for software features that are available only on one or a subset of router models.
  5. To configure BGP or OSPF policy on a vEdge router, in the right pane, select the BGP or OSPF template. You can redistribute routes learned from other protocols into BGP and OSPF.
    1. Click Redistribute.
    2. Click the plus sign (+) to add a policy.
    3. From Protocol, select the protocol from which to redistribute routes into BGP or OSPF.
    4. From Route Policy, type the name of the specific policy specified with a route policy command in the configuration that you placed in the vManage policy. For example, for a policy named "redistribute-connected" (configured with the route policy redistribute-connected command), type the route policy name "redistribute-connected".
  6. To configure policies that affect traffic flow on a router's interface, select the VPN-vEdge-Interface template:
    1. Click ACL.
    2. To associate an ACL with the interface, under Ingress ACL or Egress ACL (or both), click the On button. Then type the name of the specific ACL (configured with the policy access-list command) in the corresponding Access list box.
    3. To configure policing on the interface, under Ingress policer or Egress policer (or both), click the On button. Then type the name of the specific ACL that invokes the policer (a policy configured with a policy access-list command) in the corresponding Access list box.
    4. To associate a QoS map with the interface, under QoS map, type the name of the specific ACL that invokes the QoS map (a policy configured with the policy access-list command).
    5. To associate a rewrite rule with the interface, under Rewrite rule, type the name of the specific ACL that invokes the rewrite rule (a policy configured with the policy rewrite-rule command).
  7. Click Save.
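
The names typed into feature templates must match names defined in the vManage policy, and those names must be unique across the policy. The following Python check is an added example, not Cisco code: it assumes components sit one indentation level under a top-level policy block, and the sample configuration, template entries, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Component keywords named on this page; the indentation layout is an assumption.
KINDS = {"access-list", "route-policy", "rewrite-rule"}
VAR_RE = re.compile(r"\{\{([^{}]+)\}\}")  # the {{variable-name}} format

# Constructed sample: one name reused by two components, one variable.
SAMPLE = """\
policy
 access-list acl-branch-in
  sequence 10
   match
    source-ip {{trusted_prefix}}
   action accept
  default-action drop
 route-policy redistribute-connected
  default-action accept
 rewrite-rule acl-branch-in
"""
# Constructed template entries: (template field, component kind, name typed).
REFS = [("Ingress ACL", "access-list", "acl-branch-in"),
        ("Route Policy", "route-policy", "redistribute-conected")]  # typo

def parse_policy(text):
    """Return [(kind, name)] for components directly under 'policy'."""
    defs, in_policy, child = [], False, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a top-level statement opens or closes the block
            in_policy, child = words == ["policy"], None
            continue
        if in_policy:
            child = indent if child is None else child
            if indent == child and len(words) == 2 and words[0] in KINDS:
                defs.append((words[0], words[1]))
    return defs

def audit(text, refs):
    """Report reused names, template names with no definition, and variables."""
    defs = parse_policy(text)
    counts = Counter(name for _, name in defs)
    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "unresolved": [(f, n) for f, k, n in refs if (k, n) not in set(defs)],
        "variables": sorted(set(VAR_RE.findall(text))),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, REFS))
```

Run it against the text file you upload in the Define a vEdge Policy procedure, with the template entries listed by hand, before attaching the master configuration template.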

Apply Policy to Routers

To apply policy to vEdge routers, you include the feature templates in master configuration templates, and then attach the master configuration template to the routers. See Configure a vEdge Router.

Release Information

Introduced in vManage NMS in Release 15.3.
In Release 17.2, added the policy configuration wizard.
