Cisco SD-WAN
Become Sufficiently Dangerous
BRKRST-2791
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKRST-2791 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Cisco SD-WAN Crash Course
• Introduction to the Cisco SD-WAN Policy Framework
• Control Policies and Applications
• Data Policies and Applications
• Application Aware Routing Policies and Applications
• More Policies and Applications
• Tips, Tricks, Scalability and Best Practices
• Conclusion
Cisco SD-WAN
Crash Course
Cisco SD-WAN Architecture Overview
Applying SDN Principles Onto The Wide Area Network
[Architecture diagram: Control Plane with vManage, vBond and the vSmart Controllers; Data Plane with WAN Edge Routers over MPLS, 4G and INET transports at Cloud, Data Center, Campus, Branch and SOHO locations]
Cisco SD-WAN Terminology
• Transport Side – Controller or WAN Edge Interface connected to the underlay/WAN network
• Always VPN 0
• Traffic typically tunneled/encrypted, unless split-tunneling is used
Cisco SD-WAN Terminology
• OMP – Overlay Management Protocol
• Dynamic Routing Protocol managing the Overlay domain
• Integrated mechanism for distributing routing, encryption and policy information
• Site-ID – Identifies the Source Location of an advertised prefix
• Configured on every WAN Edge, vSmart and vManage
• Does not have to be unique, but devices sharing a Site-ID are assumed to be at the same location
• Required configuration for OMP and TLOC to be brought up
• System-IP – Unique identifier of an OMP Endpoint
• 32 Bit dot decimal notation (an IPv4 Address)
• Logically a VPN 0 Loopback Interface, referred to as “system”
• The system interface is the termination point for OMP
Introduction to the
Cisco SD-WAN
Policy Framework
Cisco SD-WAN Policy Architecture
Policy Categories
[Diagram: a Policy is defined and delivered via Netconf into volatile storage (~Policy RIB) and distributed via OMP; a Device Configuration Template is delivered via Netconf into the Device Configuration]
Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains
[Diagram: Control Policy – Routing; Data Policy – Extensive Policy-based Routing and Services; WAN carrying VPN 1 and VPN 2]
• Control Policies are applied at vSmart: Tailors routing information advertised to WAN endpoints
• App-Route Policies are applied at WAN Edge: SLA-driven path selection for applications
• Data Policies are applied at WAN Edge: Extensive Policy driven routing
Cisco SD-WAN Overlay Routing
Multi-domain Routing Fabric
[Diagram: Existing Branch/DC Routing Domain (VPN 1, VPN 2, VPN 3 at Site2 and Site3) attached to the Core SD-WAN Routing Domain (SD-WAN Fabric, WAN transports, Control Plane with vSmart)]
• Overlay Routing Policy Enforcement Point: vSmarts advertise TLOCs and Service Prefixes to all Edges
• Core SD-WAN Routing Domain: TLOC advertised to vSmarts with set of attributes
• Local Routing Policy Enforcement Point: Service prefixes advertised to vSmarts with set of attributes
Overlay Management Protocol
High Level Description
• Path Vector Routing Protocol specifically designed for overlay networks
• Multi-domain capable
Overlay Management Protocol
Distribution of Routing Information for Topology-driven Routing
Overlay Management Protocol
Path Selection
• Default: 4 paths advertised by vSmart
• Backup routes can be advertised to vEdges for faster convergence (omp send-backup-paths)
• Origin compared by Admin Distance and then by Protocol Cost / Metric
Best-path selection order:
1 Route Resolvability – Next-hop TLOC is reachable
2 Admin Distance – Prefer OMP Route with lowest admin distance
3 Route Preference – Prefer Route with highest route preference
4 Origin – Prefer route with best origin (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset)
5 Tiebreaker – Prefer route from highest origin Router-ID (System-IP)
6 Tiebreaker – Prefer route from highest Private TLOC IP-address
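The selection order above, worked as an added Python model (this is not code from the session or from Cisco): candidate paths for one prefix are first filtered by next-hop TLOC reachability and then ranked by the remaining criteria in the order the slide gives. The path records, the set of reachable TLOCs and the private TLOC addresses are constructed for the example; the default of 4 advertised paths is the slide's.

```python
# Added example, not from the Cisco Live deck: a model of the OMP best-path
# selection order (resolvability, admin distance, preference, origin, tiebreakers).
from dataclasses import dataclass

# Origin types ranked best first, in the order the slide lists them.
ORIGIN_RANK = {
    "connected": 0, "static": 1, "ebgp": 2, "ospf-intra": 3,
    "ospf-inter": 4, "ospf-external": 5, "ibgp": 6, "unknown": 7,
}

def ip_key(addr):
    """Numeric tuple so dotted-decimal addresses compare by value, not as strings."""
    return tuple(int(o) for o in addr.split("."))

@dataclass(frozen=True)
class OmpPath:
    prefix: str
    tloc_ip: str          # next-hop TLOC system-IP, i.e. the originator's router-ID
    color: str
    tloc_private_ip: str  # private TLOC address, last tiebreaker (constructed values)
    admin_distance: int
    preference: int
    origin: str
    metric: int = 0       # origin-protocol cost/metric, compared only within one origin

def is_resolvable(path, reachable_tlocs):
    """Step 1: a path is usable only if its next-hop TLOC (ip, color) is reachable."""
    return (path.tloc_ip, path.color) in reachable_tlocs

def rank_key(path):
    """Sort key for steps 2-6; the smaller tuple wins. Negation turns every
    'prefer highest' criterion into 'prefer smallest'."""
    return (
        path.admin_distance,                                           # 2. lowest AD
        -path.preference,                                              # 3. highest preference
        ORIGIN_RANK.get(path.origin.lower(), ORIGIN_RANK["unknown"]),  # 4. best origin ...
        path.metric,                                                   #    ... then lowest metric
        tuple(-o for o in ip_key(path.tloc_ip)),                       # 5. highest system-IP
        tuple(-o for o in ip_key(path.tloc_private_ip)),               # 6. highest private TLOC IP
    )

def select_paths(paths, reachable_tlocs, send_path_limit=4):
    """Best paths for one prefix in preference order, at most send_path_limit
    (the slide's default of 4 paths advertised by vSmart)."""
    usable = [p for p in paths if is_resolvable(p, reachable_tlocs)]
    return sorted(usable, key=rank_key)[:send_path_limit]

# Constructed candidates for one prefix as a WAN Edge might hold them.
CANDIDATES = [
    OmpPath("10.1.1.0/24", "10.10.10.10", "mpls", "192.0.2.10", 250, 100, "ebgp"),
    OmpPath("10.1.1.0/24", "20.20.20.20", "public-internet", "192.0.2.20", 250, 100, "connected"),
    OmpPath("10.1.1.0/24", "30.30.30.30", "mpls", "192.0.2.30", 250, 200, "static"),
    OmpPath("10.1.1.0/24", "100.100.100.100", "mpls", "192.0.2.100", 250, 200, "static"),
    # Highest preference of all, but its TLOC is down, so step 1 removes it.
    OmpPath("10.1.1.0/24", "40.40.40.40", "lte", "192.0.2.40", 250, 999, "connected"),
]
REACHABLE = {("10.10.10.10", "mpls"), ("20.20.20.20", "public-internet"),
             ("30.30.30.30", "mpls"), ("100.100.100.100", "mpls")}

if __name__ == "__main__":
    for p in select_paths(CANDIDATES, REACHABLE):
        print(p.tloc_ip, p.color, "pref", p.preference, p.origin)
```

The two preference-200 paths are separated only by the originator system-IP tiebreaker, and the two preference-100 paths only by origin type, which is exactly the part of the ordering that is easy to get wrong when reading a path table by eye.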
Building, Applying
and Processing
SD-WAN Policies
Construction of SD-WAN Policies
Policy Building Blocks
• Lists (e.g. Site-List containing Site-ID <n>)
• Policy (Policy Type, Policy Sequence, Default Action <Accept | Reject>)
• Apply Policy
Cisco SD-WAN Policy Orchestration Process
Service Side
Processing Policies
Policy Processing Logic
Cisco SD-WAN Policy Execution
Topology-driven routing and Policy execution chain
App-Aware Routing and Data Policy Overlap
Policy Processing when packet is subject to match in both policies
Guiding Principle:
Data Policy Makes Final Decision with Consideration for AAR SLA Match
[Decision flowchart; the nodes below are recovered from the slide text together with the edges that can be read from it:]
• Incoming Packet → App-Route Policy: Path Matching SLA Found? Yes → Data Policy: Local/Remote TLOC Action? No → App-Route Policy: Follow Preferred/Backup SLA
• App-Route Policy: AAR Strict Configured? (Yes/No)
• Data Policy: Path Decision Matching AAR? Yes → Send Packet
• Data Policy: Path Found? (Yes/No)
• Data Policy: Path Decision Determined by Routing due to TLOC down
• Data Policy: Local-TLOC Strict Configured? Yes → Drop Packet; No → App-Route Policy: Evaluate Default SLA Class
• Terminal actions: Send Packet, Drop Packet
Policy Management
Ensuring Intended End-to-End Policy Application
• vManage
• vSmart
 • Policy Configuration section: show running-config policy
 • Apply-policy configuration section: show running-config apply-policy
• WAN Edge
 • View policy as received from vSmart via OMP: show policy from-vsmart
Policy Framework:
Control Policies
Control Policies
Overlay Management Protocol Routing Policies
• Control policies are applied and executed on vSmart to influence routing in the Overlay domain
Control Policies
Policy Structure

Matching on TLOCs:
control-policy <name>
 sequence <n>
  match tloc
   carrier <carrier>
   color <color>
   color-list <name>
   domain-id <domain-id> - Not Supported
   group-id <group-id>
   omp-tag <tag>
   originator <system-ip>
   preference <preference>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
  !
  action accept
   set
    omp-tag <tag>
    preference <preference>
   !
  !
 !
 default-action accept
!

Matching on routes:
control-policy <name>
 sequence <n>
  match route
   color <color>
   color-list <name>
   ipv6-prefix-list <name>
   omp-tag <tag>
   origin <protocol>
   originator <system-ip>
   preference <preference>
   prefix-list <name>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
   vpn <vpn-id>
   vpn-list <name>
  !
  action accept
   export-to <vpn> | vpn-list
   set
    omp-tag <tag>
    preference <preference>
    service <service-type>
    tloc <tloc>
    tloc-action <action>
    tloc-list <name>
   !
  !
 !
 default-action accept
!
Control Policy Case #1
Interconnecting Dis-contiguous Data Planes
Problem:
Overlay with a dis-contiguous data plane and endpoints need to communicate end-to-end
Control Policy Case #1
Interconnecting Dis-contiguous Data Planes
[Topology: WAN Edge1 (Site-id 10, System-IP 10.10.10.10) has an MPLS TLOC only and WAN Edge2 (Site-id 20, System-IP 20.20.20.20) has an Internet TLOC only; WAN Edge100 (Site-id 100, System-IP 100.100.100.100) and WAN Edge101 (Site-id 101, System-IP 101.101.101.101) have both an MPLS TLOC and an Internet TLOC; all carry VPN 1 and VPN 2]
Solution:
Identify one or more multi-homed sites to bridge the data plane gap and act as gateways
Use a control policy to enable distribution of routing information between domains, enabling gateway-supported paths
[Solution topology: WAN Edge100 (System-IP 100.100.100.100) and WAN Edge101 (System-IP 101.101.101.101) carry VPN 1 and VPN 2 across both the MPLS TLOC and the Internet TLOC]
Control Policy Case #1 (For Your Reference)
Wait…
We’re doing what?
[Diagram: WAN Edge100 (Site-id 100, System-IP 100.100.100.100) and WAN Edge101 (Site-id 101, System-IP 101.101.101.101), color public-internet, VPN 1 and VPN 2]
TLOC 101.101.101.101 as seen on WAN Edge100: mpls C,I,R up; public-internet C,I,R up
TLOC 101.101.101.101 as seen on WAN Edge101: mpls C,Red,R up; public-internet C,Red,R up
WAN Edge1# show omp routes
VPN    PREFIX          STATUS    TLOC IP          COLOR
-----------------------------------------------------------
1      10.1.1.0/24     C,Red,R   10.10.10.10      mpls
       20.1.1.0/24     Inv,U     20.20.20.20      public-internet
       100.1.1.0/24    C,I,R     100.100.100.100  mpls
                       Inv,U     100.100.100.100  public-internet
       101.1.1.0/24    C,I,R     101.101.101.101  mpls
                       Inv,U     101.101.101.101  public-internet

WAN Edge2# show omp routes
VPN    PREFIX          STATUS    TLOC IP          COLOR
-----------------------------------------------------------
1      10.1.1.0/24     Inv,U     10.10.10.10      mpls
       20.1.1.0/24     C,Red,R   20.20.20.20      public-internet
       100.1.1.0/24    Inv,U     100.100.100.100  mpls
                       C,I,R     100.100.100.100  public-internet
       101.1.1.0/24    Inv,U     101.101.101.101  mpls
                       C,I,R     101.101.101.101  public-internet

WAN Edge100# show omp routes
VPN    PREFIX          STATUS    TLOC IP          COLOR
-----------------------------------------------------------
1      10.1.1.0/24     C,I,R     10.10.10.10      mpls
       20.1.1.0/24     C,I,R     20.20.20.20      public-internet
       100.1.1.0/24    C,Red,R   100.100.100.100  mpls
                       C,Red,R   100.100.100.100  public-internet
       101.1.1.0/24    C,I,R     101.101.101.101  mpls
                       C,I,R     101.101.101.101  public-internet

WAN Edge101# show omp routes
VPN    PREFIX          STATUS    TLOC IP          COLOR
-----------------------------------------------------------
1      10.1.1.0/24     C,I,R     10.10.10.10      mpls
       20.1.1.0/24     C,I,R     20.20.20.20      public-internet
       100.1.1.0/24    C,I,R     100.100.100.100  mpls
                       C,I,R     100.100.100.100  public-internet
       101.1.1.0/24    C,Red,R   101.101.101.101  mpls
                       C,Red,R   101.101.101.101  public-internet

[Diagram: WAN Edge100 (Site-id 100, System-IP 100.100.100.100, VPN 1 Pfx: 100.1.1.0/24) and WAN Edge101 (Site-id 101, System-IP 101.101.101.101, VPN 1 Pfx: 101.1.1.0/24), color public-internet, VPN 1 and VPN 2]
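An added Python parser (not from the session) for the show omp routes text above: it reads the VPN, PREFIX, STATUS, TLOC IP and COLOR columns, carries the VPN and prefix forward over the blank continuation rows, and reports per prefix whether every path is unresolved (the WAN Edge1 view of 20.1.1.0/24 above), only some are, or none. The sample output is the WAN Edge1 table re-typed here as a constructed string; the status-code meanings are those printed in the command's own legend.

```python
# Added example, not from the Cisco Live deck: parse 'show omp routes' output and
# flag prefixes whose paths cannot be resolved on this WAN Edge.
import re
from collections import defaultdict

# Status codes as printed by the command; meanings from the command's own legend.
STATUS_LEGEND = {"C": "chosen", "I": "installed", "Red": "redistributed",
                 "R": "resolved", "Inv": "invalid", "U": "TLOC unresolved"}

# Constructed sample: the WAN Edge1 view from the slide, re-typed.
SAMPLE_EDGE1 = """\
WAN Edge1# show omp routes
VPN    PREFIX          STATUS    TLOC IP          COLOR
-----------------------------------------------------------
1      10.1.1.0/24     C,Red,R   10.10.10.10      mpls
       20.1.1.0/24     Inv,U     20.20.20.20      public-internet
       100.1.1.0/24    C,I,R     100.100.100.100  mpls
                       Inv,U     100.100.100.100  public-internet
       101.1.1.0/24    C,I,R     101.101.101.101  mpls
                       Inv,U     101.101.101.101  public-internet
"""

PREFIX_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")

def parse_omp_routes(text):
    """Return [(vpn, prefix, status_flags, tloc_ip, color)]. A blank VPN or PREFIX
    column means 'same as the row above', so both values are carried forward."""
    rows, vpn, prefix = [], None, None
    for line in text.splitlines():
        toks = line.split()
        if not toks or "#" in line or toks[0] == "VPN" or toks[0].startswith("-"):
            continue                      # prompt, header or separator line
        if toks[0].isdigit():
            vpn = int(toks.pop(0))
        if toks and PREFIX_RE.match(toks[0]):
            prefix = toks.pop(0)
        if len(toks) != 3 or vpn is None or prefix is None:
            raise ValueError(f"unexpected line: {line!r}")
        status, tloc_ip, color = toks
        rows.append((vpn, prefix, frozenset(status.split(",")), tloc_ip, color))
    return rows

def unresolved_report(rows):
    """Map (vpn, prefix) -> (state, unresolved_colors): 'ok' when every path is
    resolved, 'partial' when some are Inv/U, 'no-path' when none is usable."""
    by_prefix = defaultdict(list)
    for vpn, prefix, flags, _tloc_ip, color in rows:
        by_prefix[(vpn, prefix)].append((flags, color))
    report = {}
    for key, paths in by_prefix.items():
        bad = sorted(color for flags, color in paths if flags & {"Inv", "U"})
        state = "no-path" if len(bad) == len(paths) else ("partial" if bad else "ok")
        report[key] = (state, bad)
    return report

if __name__ == "__main__":
    for (vpn, prefix), (state, bad) in unresolved_report(parse_omp_routes(SAMPLE_EDGE1)).items():
        print(f"vpn {vpn} {prefix}: {state} {bad}")
```

On the WAN Edge1 sample the only 'no-path' prefix is 20.1.1.0/24, the one site that is reachable over the public-internet color alone, which is the symptom the gateway policy in the next slides removes; 'partial' prefixes still forward, but only over the colors this edge can resolve.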
policy
 lists
  tloc-list internet-gateways
   tloc 100.100.100.100 color mpls encap ipsec
   tloc 101.101.101.101 color mpls encap ipsec
  !
  tloc-list mpls-gateways
   tloc 100.100.100.100 color public-internet encap ipsec
   tloc 101.101.101.101 color public-internet encap ipsec
  !
  site-list internet-sites
   site-id 20
  !
  site-list mpls-sites
   site-id 10
  !
 !
!
apply-policy
 site-list internet-sites
  control-policy announce-mpls-sites out
 !
 site-list mpls-sites
  control-policy announce-internet-sites out
 !
!
Annotations from the slide:
• tloc-list internet-gateways and tloc-list mpls-gateways: WAN Edge100 and WAN Edge101
• site-list internet-sites: WAN Edge2; site-list mpls-sites: WAN Edge1
• Each control-policy ... out statement applies the policy on the outbound update from vSmart to the nodes in the site-list (announce-mpls-sites to WAN Edge2, announce-internet-sites to WAN Edge1)
Back on track
Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup
Problem:
Data Center access must be regionalized with neighboring DCs backing each other up
Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup
[Topology: WAN Edge1 (Site-id 10, System-IP 10.10.10.10) and WAN Edge4 (Site-id 40, System-IP 40.40.40.40) as regional sites; DC-1 behind WAN Edge100 (Site-id 100, System-IP 100.100.100.100); the legend also shows System-IP 101.101.101.101]
Identify regions by Site-Id and associate Primary and Backup DC locations with the regions
A control policy is used to make the associations and define the DC preference
Control Policy Case #2 (For Your Reference)
Control Policy Case #3
Fabric Data Plane or VPN Plane Topologies
• Fabric Plane or Individual VPNs subject to specific topologies / connectivity models
[Topology: sites with Site-Id 10, 20, 30 and 100]
Control Policy Case #3 (For Your Reference)
Control Policy Case #4
Service Chaining of Centralized Services
Single/Multi-tenant Services
[Topology: WAN Edge1 (Site-id 10, System-IP 10.10.10.10) and WAN Edge2 (Site-id 20, System-IP 20.20.20.20), each with VPN 1 and VPN 2; the legend also shows a third node with System-IP 100.100.100.100]
Control Policy Case #4 (For Your Reference)
Service Chaining
1 Define Central FW Service (WAN-Edge-100):
vpn 1
 service FW address 10.0.13.150
!

2 Declare Exit Point and 3 Declare Attached Branches (vSmart lists):
policy
 lists
  site-list upstream-exit
   site-id 20
  !
  site-list service-chain-branches
   site-id 10
  !
 !

4 Define Upstream Service Chain:
 control-policy service-chain-upstream
  sequence 10
   match route
    tloc 20.20.20.20 color red
    vpn 1
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !

5 Define Downstream Service Chain:
 control-policy service-chain-downstream
  sequence 10
   match route
    site-list service-chain-branches
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !
!

6 Apply Policies to the target site-lists:
apply-policy
 site-list upstream-exit
  control-policy service-chain-downstream out
 !
 site-list service-chain-branches
  control-policy service-chain-upstream out
 !
!
Wait…
How does Service Chaining Actually
work?
[Diagram: WAN-Edge-100 configured with "vpn 1 / service FW address 10.0.13.150"; nodes with System-IP 1.1.1.1, 10.10.10.10 and 20.20.20.20; VPN 1 and VPN 2]
SD-WAN Service Chaining
WAN Edge Forwarding Paradigm
Label Determines Lookup Context – VPN/RIB or VPN/Service
[Forwarding pipeline: Receive Packet on the Transport IF (SD-WAN, VPN 0) → Decrypt → Label Integrity Check → Label Lookup / Forward; a VPN/RIB label leads to IP Lookup / Forward in the VPN 1 RIB, a VPN/Service label leads to Service Lookup in VPN 1 Service and out the Service IF towards Service 10.0.13.150; further Service IFs attach VPN 2 and VPN 3]
WAN-Edge-100:
vpn 1
 service FW address 10.0.13.150
[Diagram: System-IP 10.10.10.10 with VPN 1 prefix 10.1.1.0/24 and System-IP 20.20.20.20 with VPN 1 prefix 20.1.1.0/24; VPN 1 and VPN 2]
Control Policy Service Chaining: Service not advertised to WAN Edge – Applied by Routing
Data Policy Service Chaining: Service advertised to WAN Edge – Applied to Data Plane
Additional Options
• Using a Local Service
• The Service Chaining framework can be used for services that are locally attached as well
• Examples in the Data Policy section coming up
• Specify the service TLOC and priority using a TLOC list
vSmart policy:
policy
 lists
  tloc-list my_firewalls
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 2.2.2.2 color mpls encap ipsec preference 100
   tloc 3.3.3.3 color mpls encap ipsec preference 50
  !
 !
 control-policy service-chain-upstream
  sequence 10
   match route
    tloc 20.20.20.20 color mpls
    vpn 1
   !
   action accept
    set
     service FW tloc-list my_firewalls
    !
   !
  !
 !
!
Back on track
Control Policy Case #5
Extranets
Shared Services / Resources
[Topology: WAN Edge1 (Site-id 10, System-IP 10.10.10.10) and WAN Edge2 (Site-id 20, System-IP 20.20.20.20), each with VPN 1 and VPN 2; WAN Edge100 (Site-id 100, System-IP 100.100.100.100) holds the shared services / resources in VPN 3]
Extranets
VPN 1: Prefix A, Label 10, NH: TLOC 10.10.10.10, Color: mpls
VPN 1: Prefix B, Label 20, NH: TLOC 20.20.20.20, Color: mpls
Control Policy Case #5 (For Your Reference)
Control Policy Case #6
Traffic Engineering / Path Redundancy
[Topology: nodes with System-IP 10.10.10.10, 20.20.20.20 and 30.30.30.30, each with VPN 1 and VPN 2]
• Problem: Backup needed for direct overlay paths to manage intermediate path issues
• Solution: Identify and Provision select indirect overlay paths for redundancy and capacity
Control Policy Case #6
Traffic Engineering / Path Redundancy
[Topology: Primary/Direct Path between WAN Edge1 (System-IP 10.10.10.10) and WAN Edge2 (System-IP 20.20.20.20); Backup/Indirect Path labelled next to WAN Edge3 (System-IP 30.30.30.30); a further node with System-IP 40.40.40.40; VPN 1 and VPN 2]
Control Policy Case #6 (For Your Reference)
Control Policies:
Multi-domain data
plane case study
Control Policy Case Study
Requirements
[Diagram: three regions, USA, EMEA and APAC, each with a Hub/Gateway]
Control Policy Case Study
Definitions and Dependencies
Control Policy Case Study
Site Assignments
USA – Branches: WAN-Edge-US1 (Site-ID 60010001), WAN-Edge-US2 (Site-ID 60010002), WAN-Edge-US3 (Site-ID 60010003); Hub/Gateway: WAN-Edge-US4 (Site-ID 60019001), WAN-Edge-US5 (Site-ID 60019002)
EMEA – Branches: WAN-Edge-EU1 (Site-ID 50440001), WAN-Edge-EU2 (Site-ID 50460001), WAN-Edge-EU3 (Site-ID 50330001); Hub/Gateway: WAN-Edge-EU4 (Site-ID 50339001), WAN-Edge-EU5 (Site-ID 50339002)
APAC – Branches: WAN-Edge-AP1 (Site-ID 30810001), WAN-Edge-AP2 (Site-ID 30610001), WAN-Edge-AP3 (Site-ID 30660001); Hub/Gateway: WAN-Edge-AP4 (Site-ID 30669001), WAN-Edge-AP5 (Site-ID 30669002)
Control Policy Case Study
Reachability Information Distribution Requirements
US – Inbound TLOC Advertisement: US Region – All Colors; US Gateways – All Colors; EMEA Gateways – All Colors; APAC Gateways – All Colors
EMEA – Inbound TLOC Advertisement: EMEA Region – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors; APAC Gateways – All Colors
APAC – Inbound TLOC Advertisement: APAC Region – All Colors; APAC Gateways – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors
Control Policy Case Study (For Your Reference)
policy
 lists
  site-list US_branch_sites
   site-id 60010000-60018999
  !
  site-list US_gateway_sites
   site-id 60019000-60019999
  !
  site-list EMEA_branch_sites
   site-id 50010000-50338999
   site-id 50340000-59999999
  !
  site-list EMEA_gateway_sites
   site-id 50339000-50339999
  !
  site-list APAC_branch_sites
   site-id 30010000-30668999
   site-id 30670000-39999999
  !
  site-list APAC_gateway_sites
   site-id 30669000-30669999
  !
  tloc-list US_gateway_tlocs
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 1.1.1.1 color biz-internet encap ipsec preference 100
   tloc 2.2.2.2 color mpls encap ipsec preference 50
   tloc 2.2.2.2 color biz-internet encap ipsec preference 50
  !
  tloc-list EMEA_gateway_tlocs
   tloc 3.3.3.3 color mpls encap ipsec preference 100
   tloc 3.3.3.3 color biz-internet encap ipsec preference 100
   tloc 4.4.4.4 color mpls encap ipsec preference 50
   tloc 4.4.4.4 color biz-internet encap ipsec preference 50
  !
  tloc-list APAC_gateway_tlocs
   tloc 5.5.5.5 color mpls encap ipsec preference 100
   tloc 5.5.5.5 color biz-internet encap ipsec preference 100
   tloc 6.6.6.6 color mpls encap ipsec preference 50
   tloc 6.6.6.6 color biz-internet encap ipsec preference 50
  !
 !
!
Control Policy Case Study (For Your Reference)
policy
 control-policy us_domain
  sequence 10
   match tloc
    site-list US_branch_sites
   !
   action accept
   !
  !
  sequence 20
   match tloc
    site-list US_gateway_sites
   SNIP … (accept)
  sequence 30
   match tloc
    site-list EMEA_gateway_sites
   SNIP … (action accept)
  sequence 40
   match tloc
    site-list APAC_gateway_sites
   !
   SNIP … (action accept)
  sequence 50
   match route
    site-list US_branch_sites
   !
   action accept
   !
  !
  sequence 60
   match route
    site-list US_gateway_sites
   SNIP … (action accept)
  sequence 70
   match route
    site-list EMEA_branch_sites
   !
   action accept
    set
     tloc-list EMEA_gateway_tlocs
    !
   !
  !
  sequence 80
   match route
    site-list EMEA_gateway_sites
   SNIP … (action accept)
  sequence 90
   match route
    site-list APAC_branch_sites
   !
   action accept
    set
     tloc-list APAC_gateway_tlocs
    !
   !
  !
  sequence 100
   match route
    site-list APAC_gateway_sites
   !
   action accept
   !
  !
  default-action accept
 !
!
apply-policy
 site-list US_branch_sites
  control-policy us_domain out
 !
 site-list US_gateway_sites
  control-policy us_domain out
 !
!
• Policy Logic
 Sequence 10: Advertise US Branch TLOCs
 Sequence 20: Advertise US GW TLOCs
 Sequence 30: Advertise EMEA GW TLOCs
 Sequence 40: Advertise APAC GW TLOCs
 Sequence 50: Advertise US Branch routes
 Sequence 60: Advertise US GW routes
 Sequence 70: Advertise EMEA Branch routes w/ NH of EMEA GW
 Sequence 80: Advertise EMEA GW routes
 Sequence 90: Advertise APAC Branch routes w/ NH of APAC GW
 Sequence 100: Advertise APAC GW Routes
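An added Python model (not the session's or Cisco's code) of how vSmart applies an outbound control policy, run over the case study's site-lists, tloc-lists and the us_domain policy above; it also illustrates the generic control-policy structure from the Policy Structure slide (first matching sequence wins, otherwise default-action). The two branch TLOCs, their prefixes and the originating site-IDs 60010001 and 50440001 are constructed inputs, and set tloc-list is modelled as replacing the route's next-hop TLOCs with the list entries.

```python
# Added example, not from the Cisco Live deck or Cisco: outbound control-policy
# evaluation over the case study's lists and the us_domain policy.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"
    preference: int = 0

@dataclass(frozen=True)
class Route:
    vpn: int
    prefix: str
    site_id: int           # site that originated the route
    tlocs: tuple           # next-hop TLOCs carried in the advertisement

@dataclass(frozen=True)
class Seq:
    num: int
    match: str             # "tloc" or "route"
    site_list: str
    action: str = "accept"
    set_tloc_list: Optional[str] = None

def site_list(*entries):
    """Parse 'lo-hi' or 'n' site-id entries into (lo, hi) ranges."""
    out = []
    for e in entries:
        lo, _, hi = e.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def in_site_list(site_id, ranges):
    return any(lo <= site_id <= hi for lo, hi in ranges)

def first_match(seqs, kind, site_id, site_lists):
    """Sequences are evaluated in numeric order; the first hit decides."""
    for s in sorted(seqs, key=lambda s: s.num):
        if s.match == kind and in_site_list(site_id, site_lists[s.site_list]):
            return s
    return None

def evaluate_outbound(policy, site_lists, tloc_lists, tlocs, routes):
    """Return (tlocs, routes) vSmart would send to a site the policy is applied to 'out'.
    tlocs is a list of (originating site_id, Tloc)."""
    seqs, default = policy["sequences"], policy["default_action"]
    adv_tlocs = []
    for site_id, t in tlocs:
        s = first_match(seqs, "tloc", site_id, site_lists)
        if (s.action if s else default) == "accept":
            adv_tlocs.append(t)
    adv_routes = []
    for r in routes:
        s = first_match(seqs, "route", r.site_id, site_lists)
        if (s.action if s else default) != "accept":
            continue
        if s and s.set_tloc_list:          # next-hop rewritten to the listed gateway TLOCs
            r = replace(r, tlocs=tuple(tloc_lists[s.set_tloc_list]))
        adv_routes.append(r)
    return adv_tlocs, adv_routes

# Lists exactly as defined on the case study slide.
SITE_LISTS = {
    "US_branch_sites": site_list("60010000-60018999"),
    "US_gateway_sites": site_list("60019000-60019999"),
    "EMEA_branch_sites": site_list("50010000-50338999", "50340000-59999999"),
    "EMEA_gateway_sites": site_list("50339000-50339999"),
    "APAC_branch_sites": site_list("30010000-30668999", "30670000-39999999"),
    "APAC_gateway_sites": site_list("30669000-30669999"),
}
def gw(ip, pref):
    return [Tloc(ip, "mpls", "ipsec", pref), Tloc(ip, "biz-internet", "ipsec", pref)]
TLOC_LISTS = {
    "US_gateway_tlocs": gw("1.1.1.1", 100) + gw("2.2.2.2", 50),
    "EMEA_gateway_tlocs": gw("3.3.3.3", 100) + gw("4.4.4.4", 50),
    "APAC_gateway_tlocs": gw("5.5.5.5", 100) + gw("6.6.6.6", 50),
}
US_DOMAIN = {"default_action": "accept", "sequences": [
    Seq(10, "tloc", "US_branch_sites"), Seq(20, "tloc", "US_gateway_sites"),
    Seq(30, "tloc", "EMEA_gateway_sites"), Seq(40, "tloc", "APAC_gateway_sites"),
    Seq(50, "route", "US_branch_sites"), Seq(60, "route", "US_gateway_sites"),
    Seq(70, "route", "EMEA_branch_sites", set_tloc_list="EMEA_gateway_tlocs"),
    Seq(80, "route", "EMEA_gateway_sites"),
    Seq(90, "route", "APAC_branch_sites", set_tloc_list="APAC_gateway_tlocs"),
    Seq(100, "route", "APAC_gateway_sites"),
]}

# Constructed inputs: one US branch and one EMEA branch, each with its own TLOC and prefix.
US1 = Tloc("60.1.0.1", "mpls")
EU1 = Tloc("50.44.0.1", "mpls")
TLOCS = [(60010001, US1), (50440001, EU1)]
ROUTES = [Route(1, "10.60.1.0/24", 60010001, (US1,)),
          Route(1, "10.50.44.0/24", 50440001, (EU1,))]

def case_study():
    """What a US branch receives from vSmart under us_domain."""
    return evaluate_outbound(US_DOMAIN, SITE_LISTS, TLOC_LISTS, TLOCS, ROUTES)
```

Running case_study() shows the EMEA branch route leaving with the four EMEA gateway TLOCs as next-hop while the US branch route is untouched. It also makes visible that, with default-action accept, the EMEA branch TLOC itself (which no match tloc sequence names) is still advertised; if the intent is that US sites only see gateway TLOCs from other regions, a reject default-action or an explicit reject sequence is what withholds it, and an evaluation like this is a cheap check before a multi-domain policy is pushed.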
Policy Framework:
Data Policies
Data Policies
Policy-driven Routing and Service Enablement
• Data policies:
• Applied on vSmart
• Advertised to and executed on WAN Edge
• Use a Data Policy for any type of data plane centered traffic management
Data Policies
[Policy structure slide; only the fragments "action", "accept" and "set" survive the extraction]
Data Policy Application
Direction of Processing
• All (Up and Downstream)
[Diagram: WAN Edge between VPN 2 and the WAN]
Data Policy Case #1
Forwarding Plane Features
[Diagram: Data Policy on the WAN Edge between VPN 2 and the WAN; Service Plane NAT]
Data Policy Case #1
Forwarding Plane Features – NAT for DIA and Service VPN
[Diagram, Local Breakout with NAT for DIA/Split tunneling: an IPv4 packet from VPN 1 with SRC 10.0.0.1 and DST www.cisco.com leaves towards the Internet with SRC 99.88.77.66 (NAT – Local Breakout); service VPN traffic in VPN 2 (DST xyz.corp.com SRC 10.0.0.1, DST int.corp.com SRC 192.168.1.1) crosses the WAN]
Data Policy Case #1 (For Your Reference)
Data Policy Case #1 (For Your Reference)
[Diagram: Site-1 with VPN 1 and VPN 2, WAN and Internet; Remote Service / OMP versus Local Service]
Data Policy Case #2 (For Your Reference)
• Service represented by local GRE or IPsec tunnel pre-configured on each WAN Edge
Data Policy Case #3
Application Pinning
• Local TLOC Selection: Loose preference, falls back to routing upon failure
• Remote TLOC Selection: Strict preference, traffic dropped upon failure
[Diagram: VPN 1 and VPN 2 traffic pinned to paths per application over the mpls, red, public-internet and lte colors (App1 / Path1-3, App2 / Path1-2, App3 / Path1-2)]
Data Policy Case #3
Application Pinning – Policy Structure

Local TLOC – Prefer Local Underlay Path (vSmart):
policy
 data-policy local-tloc-preference
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     local-tloc red blue

(Remote) TLOC – Prefer a remote Node/TLOC (vSmart):
policy
 data-policy local-tloc-preference
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     set
      tloc 1.1.1.1 color biz-internet
Or
    action accept
     set
      tloc-list remote-node
policy
 lists
  tloc-list remote-node
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 1.1.1.1 color biz-internet encap ipsec preference 50

• local-tloc – Loose match that will fall back to routing if all local TLOCs in the list are down
• tloc/tloc-list refer to specific remote TLOCs and will not fall back to routing
Policy Framework:
Internet Breakout /
DIA Case Study
Internet Breakout / DIA
Routing and/or Policy-driven Capabilities
• The Cisco SD-WAN Architecture provides a lot of flexibility in enabling DIA
• Service-side breakouts can be provided in case NAT is not needed or special care is needed for public addressing
• Can be deployed in combination with Service Chaining for monitoring/security/processing requirements
Internet Breakout Leverage
Most appropriate points for breakout chosen by site
[Diagram: two branches with their own breakout points]
SD-WAN Internet Breakout Options
Local Breakout using a Default Route
• Static route in Service VPN
• Can be default or more granular
SD-WAN Internet Breakout Options
Local Breakout using Data Policy
[Diagram: Branch WAN Edge with TLOC colors red and blue towards the Internet]
• Policy now redirects instead of static route
• In case local exit fails, lookup can fall back to local service VPN routing table
• Redirects traffic to interfaces in VPN 0:
 • Interfaces must have NAT enabled
 • Multiple interfaces enables per-flow load-sharing
 • Relies on VPN 0 routing table
• Can be complemented with a Tracker to monitor Internet availability beyond first hop gateway (ref: previous slide)
• Local TLOC to be used can be specified

Branch WAN Edge:
vpn 0
 interface ge0/0
  nat

vSmart:
policy
 data-policy internet-breakout
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     nat use-vpn 0
     local-tloc public-internet
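An added Python model (not from the session) of the WAN Edge forwarding decision for the data-policy actions on this slide and on the Application Pinning – Policy Structure slide: local-tloc (loose, falls back to routing when every listed local color is down), tloc / tloc-list (strict, dropped when no listed remote TLOC is up) and nat use-vpn 0 with local-tloc for local breakout (falls back to the service VPN routing table when the named local TLOC is down). TLOC up/down states, the source address 10.1.2.3 and the "hub" routing next-hop are constructed; the prefixes, colors and TLOC entries are the slides' own.

```python
# Added example, not from the Cisco Live deck or Cisco: a model of the WAN Edge
# forwarding decision for the data-policy actions shown on the slides.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Action:
    kind: str                           # "local-tloc", "tloc-list" or "nat-dia"
    colors: tuple = ()                  # local-tloc: local colors in preference order
    remote: tuple = ()                  # tloc-list: (system_ip, color, preference) entries
    local_color: Optional[str] = None   # nat use-vpn 0 with an optional local-tloc

@dataclass
class Sequence:
    num: int
    source_prefix: str                  # match source-ip <prefix>
    action: Action

@dataclass
class Edge:
    local_tlocs: dict                   # constructed: color -> local transport up (True/False)
    remote_tlocs: dict                  # constructed: (system_ip, color) -> BFD session up
    routing_next_hop: str               # constructed stand-in for the service VPN routing table

def match_sequence(policy, src_ip):
    """First sequence (by number) whose source prefix contains src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for s in sorted(policy, key=lambda s: s.num):
        if ip in ipaddress.ip_network(s.source_prefix):
            return s
    return None

def forward(edge, policy, src_ip):
    """Return where the flow goes: 'local-tloc:<color>', 'tloc:<ip>/<color>',
    'nat-vpn0:<color>', 'routing:<next-hop>' or 'drop'."""
    s = match_sequence(policy, src_ip)
    if s is None:                                   # no match: ordinary routing
        return f"routing:{edge.routing_next_hop}"
    a = s.action
    if a.kind == "local-tloc":
        # Loose preference: first listed local color that is up, else fall back to routing.
        for c in a.colors:
            if edge.local_tlocs.get(c):
                return f"local-tloc:{c}"
        return f"routing:{edge.routing_next_hop}"
    if a.kind == "tloc-list":
        # Strict preference: highest-preference remote TLOC whose tunnel is up, else drop.
        for ip, color, _pref in sorted(a.remote, key=lambda e: -e[2]):
            if edge.remote_tlocs.get((ip, color)):
                return f"tloc:{ip}/{color}"
        return "drop"
    if a.kind == "nat-dia":
        # nat use-vpn 0: exit via a NAT-enabled VPN 0 interface on the named local color
        # (any local color if none is named); if it is down, fall back to routing.
        candidates = [a.local_color] if a.local_color else list(edge.local_tlocs)
        for c in candidates:
            if edge.local_tlocs.get(c):
                return f"nat-vpn0:{c}"
        return f"routing:{edge.routing_next_hop}"
    raise ValueError(f"unknown action {a.kind}")

# The three policies as written on the slides.
LOCAL_PREF = [Sequence(10, "10.0.0.0/8", Action("local-tloc", colors=("red", "blue")))]
REMOTE_PREF = [Sequence(10, "10.0.0.0/8", Action("tloc-list", remote=(
    ("1.1.1.1", "mpls", 100), ("1.1.1.1", "biz-internet", 50))))]
BREAKOUT = [Sequence(10, "10.0.0.0/8", Action("nat-dia", local_color="public-internet"))]

def scenario(local_up, remote_up, policy, src="10.1.2.3"):
    """Evaluate one policy against a constructed edge state; 10.1.2.3 matches 10.0.0.0/8."""
    edge = Edge(local_tlocs=local_up, remote_tlocs=remote_up, routing_next_hop="hub")
    return forward(edge, policy, src)

if __name__ == "__main__":
    print(scenario({"red": False, "blue": False}, {}, LOCAL_PREF))      # loose: routing:hub
    print(scenario({}, {("1.1.1.1", "mpls"): False,
                        ("1.1.1.1", "biz-internet"): False}, REMOTE_PREF))  # strict: drop
```

The failure cases are the point: the same all-TLOCs-down condition yields a routed fallback under local-tloc and a black-holed flow under tloc-list, which is why a strict remote pin deserves a backup entry in its tloc-list or a separate sequence for the failure case.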
• Data Policy allows for granular breakout policy matching L3/L4/L7 information
• Data Policy takes precedence
• Default route from Regional Hub acts as backup in case TLOC Red & Blue are both down
SD-WAN Internet Breakout Options
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference
[Diagram: Branch connected over the SD-WAN Fabric to Regional Hub A and Regional Hub B, with a 3rd Party Cloud Security service and the Internet]
SD-WAN Internet Breakout Options (For Your Reference)
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

vSmart:
policy
 data-policy Cloud_Security
  vpn-list vpn_all
   sequence 10
    match
     destination-data-prefix-list internal-prefixes
    !
    action accept
    !
   !
   sequence 20
    match
    !
    action accept
     count count_fw
     set
      service FW local [restrict]
     !
    !
   !
   default-action accept
  !
 !
 lists
  data-prefix-list internal-prefixes
   ip-prefix 10.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  !
 !
!
Notes from the slide: sequence 10 excludes internal prefixes from Internet breakout; sequence 20 sends any other traffic to the Internet breakout; restrict drops traffic if the service is down.

WAN-Edge-Branch:
vpn 1
 service FW interface gre1
!
vpn 0
 interface gre1
  ip address 12.13.14.15/24
  tunnel-source-interface ge0/0
  tunnel-destination 123.123.123.123
  no shutdown
 !
!

WAN-Edge-Regional Hub A:
vpn 1
 service FW interface gre1
 ip route 0.0.0.0/0 null0 (or default from OSPF/BGP)
!

WAN-Edge-Regional Hub B:
vpn 1
 ip route 0.0.0.0/0 null0 (or default from OSPF/BGP)
!
SD-WAN Internet Breakout Options
Application Specific Breakout
• The Data Policy construct can also be used to locally break out specific applications with defined DPI signatures (e.g. O365, Facebook, YouTube)
• Example:
 • Office365 to be locally broken out
 • All other Internet traffic via regional exit
• Arrangements required for supporting O365
 • Cloud On-Ramp SaaS recommended for breaking out locally
 • Default route from regional exit for two purposes:
  o Breakout for all non-O365 traffic
  o O365 session establishment involves quite a few protocols beyond the core O365 protocols – a default route from somewhere is required to deal with those applications and allow for successful O365 operation
 • SD-AVC support required to provide Application Recognition from the first packet
Quality of Service
WAN Edge Router Device QoS Overview
[Diagram: ingress interface, data policy (pushed from vManage), forwarding classes (FC) mapped to queues (Q), egress interface]
Data policy capabilities on the WAN Edge router:
• Classification of application traffic into QoS forwarding classes (queues)
• Rewrite of the inner DSCP
• Policing
• Mapping into forwarding classes; each forwarding class maps to a queue on the egress interface
Policy Framework:
App-Route Policies
Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains
[Diagram: vSmart with control policy; WAN Edge with VPN 1 and VPN 2 towards the WAN, running data policy and app-route policy]
• Control Policies are applied at vSmart: tailor the routing information (routing and services) advertised to WAN endpoints
• App-Route Policies are applied at WAN Edge: SLA-driven path selection for applications
• Data Policies are applied at WAN Edge: extensive policy-based routing
App-Route Policies
Centralized Policy for enabling SLA-driven routing on WAN Edge endpoints
• App-route policies:
• Applied on vSmart
• Advertised to and executed on vEdge
• Monitors SLAs for active overlay paths to direct Applications along qualified paths
• Allows for the use of L3/L4 keys or DPI Signatures for application identification
App-Aware Routing Policies
SLA-Driven Routing / Performance Routing
[Diagram: WAN Edge with service-side VPN 1 and VPN 2 and three transports: mpls, public-internet (broadband) and lte (4G/LTE)]
App-Route Policies
App-route Components and Dependencies / Configuration
• BFD settings: BFD rx_interval and multiplier settings (only rx_interval is relevant to AAR)
bfd
 color <color>
  hello-interval <msec>
  multiplier <number>
• App-route algorithm configuration: defines how SLA data is used to influence path selection
bfd
 app-route
  multiplier <number>
  poll-interval <msec>
• App-route policy definition (policy construct): defines SLA-classes, application associations, VPN applicability and policy actions/preferences (sla-class, match, action)
*https://docs.viptela.com/Product_Documentation/Software_Features/Release_18.2/07Policy_Applications/01Application-Aware_Routing/01Configuring_Application-Aware_Routing
App-Route Policies
App-route Algorithm
Mean = Avg(B1 + B2 + B3 + B4 + B5 + B6)
• The mean is recalculated on every bucket completion cycle, over the most recent buckets
• Number of buckets = bfd app-route multiplier (default 6)
App-Route Policies
Path Blackout / Brownout Management
• Blackout (100% loss): handled by BFD, 7s default path-down timeout
• Brownout (degraded path quality anywhere on the loss spectrum below 100%): handled by Application-Aware Routing
• AAR convergence depends on the AAR algorithm tuning: bucket size + bucket count
App-Route Policies
App Route Algorithm Configuration
• Bucket Size in Packets = app-route poll-interval / hello-interval
• Weight of one lost packet (% loss attributed to a single lost BFD probe) = 100 / bucket size
Bucket size (packets, from the formula above): 600   400   200   100   80    60    40    20    10
% weight of one lost packet:                   0.17  0.25  0.50  1     1.25  1.67  2.5   5     10
Default: the 600-packet bucket (poll-interval 600000 ms / hello-interval 1000 ms), one lost packet = 0.17%. The slide marks a sweet spot on this scale: loss granularity increases to the left (larger buckets, finer resolution, slower reaction) and decreases to the right (smaller buckets, coarser resolution, faster reaction).
App-Route Policies
App-route Policy Definition
SLA classes: loss, latency and jitter thresholds per class
policy
 sla-class <name>
  loss <percentage>
  latency <msec>
  jitter <msec>
 !
App-lists: use L3/L4 keys or DPI signatures
policy
 lists
  app-list <name>
   app <name> | app-family <family>
  !
 !
App-route policy: VPN applicability and policy actions/preferences (construct shown on the following slide)
App-route logging: enable logging of packet headers
App-Route Policies
App-route Policy Definition
policy
 app-route-policy <name>
  vpn-list <vpn-list>
  default-action sla-class <name>                         ! (1)
  sequence <number>
   match
    …                                                     ! app-list (L3/L4 keys or DPI signatures) and other criteria
   !
   action
    backup-sla-preferred-color [list]                     ! (2)
    count <name>
    log                                                   ! app-route logging: log packet headers
    sla-class <name> [strict] [preferred-color [list]]    ! (3) (4)
   !
  !
 !
!
(1) For traffic not explicitly matched in the policy
(2) For traffic whose SLA-class is disqualified across all links
(3) strict: drop the traffic when no path meets the SLA thresholds
(4) preferred-color: preferred TLOC color(s) for traffic that meets the SLA (multiple colors are load-shared)
App-Route Policies (For Your Reference)
Policy Example
policy
 sla-class EF                         ! (1)
  loss 1
  latency 100
 !
 sla-class Biz-apps
  loss 2
  latency 150
 !
 lists
  vpn-list VPN1
   vpn 1
  !
  site-list app-route-sites
   site-id 3003
  !
  app-list AVV                        ! (2)
   app-family audio_video
  !
  app-list SFDC
   app salesforce
  !
 !
 app-route-policy SLA-Routing
  vpn-list VPN1
  sequence 10
   match
    app-list AVV
   !
   action
    sla-class EF                      ! (3)
   !
  !
  sequence 20
   match
    app-list SFDC
   !
   action
    sla-class Biz-apps
   !
  !
 !
!
apply-policy
 site-list app-route-sites
  app-route-policy SLA-Routing
 !
!
(1) Define SLA classes and thresholds
(2) Declare app-lists for policy match
(3) Map app-lists to SLA classes and other actions
App-route Policy Path Convergence
[Chart: latency in ms (0 to 160) per bucket, Bucket 1 to Bucket 6; SLA-class latency threshold at 100 ms; actual latency versus mean latency]
Current mean latency is 20 ms when latency jumps to 150 ms as Bucket 1 collection starts. With six buckets the mean rises by one sixth of the difference each time a bucket completes (41.7, 63.3, 85, 106.7 ms), so the path is only disqualified against the 100 ms threshold once the fourth bucket completes.
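The bucket arithmetic on the preceding slides (bucket size, weight of one lost packet, rolling mean over the app-route multiplier, and the 20 ms to 150 ms convergence chart) carried through in Python. This is an added example, not code from the deck: the defaults (poll-interval 600000 ms, hello-interval 1000 ms, multiplier 6) are Cisco SD-WAN defaults, the latency jump and the 100 ms SLA threshold are the chart's scenario, and `PathMonitor` and the function names are this example's own.

```python
"""Model of the Cisco SD-WAN app-route (AAR) measurement window.

Added example, not code from the deck. It implements the arithmetic the
slides state:
  bucket size (packets)       = app-route poll-interval / bfd hello-interval
  weight of one lost packet   = 100 / bucket size   (percent)
  path mean                   = average of the last <multiplier> completed buckets
"""
from collections import deque

# Cisco SD-WAN defaults for the knobs the slides name.
DEFAULT_POLL_INTERVAL_MS = 600_000   # bfd app-route poll-interval (10 minutes)
DEFAULT_HELLO_INTERVAL_MS = 1_000    # bfd hello-interval per color
DEFAULT_MULTIPLIER = 6               # bfd app-route multiplier (number of buckets)


def bucket_size_packets(poll_interval_ms=DEFAULT_POLL_INTERVAL_MS,
                        hello_interval_ms=DEFAULT_HELLO_INTERVAL_MS):
    """Number of BFD probes that land in one bucket (one poll interval)."""
    return poll_interval_ms // hello_interval_ms


def loss_weight_percent(bucket_size):
    """Loss percentage that a single lost probe contributes to a bucket."""
    return round(100.0 / bucket_size, 2)


class PathMonitor:
    """Rolling mean of a per-bucket metric (latency here) for one tunnel.

    The deque holds the last <multiplier> completed buckets; the mean is
    recomputed each time a bucket completes, as the algorithm slide describes.
    """

    def __init__(self, multiplier=DEFAULT_MULTIPLIER, seed_value=None):
        self.buckets = deque(maxlen=multiplier)
        if seed_value is not None:          # steady state before the event
            self.buckets.extend([seed_value] * multiplier)

    def complete_bucket(self, value):
        """Close a bucket with its measured value and return the new mean."""
        self.buckets.append(value)
        return self.mean()

    def mean(self):
        if not self.buckets:
            return 0.0
        return sum(self.buckets) / len(self.buckets)


def buckets_until_disqualified(monitor, new_value, sla_threshold):
    """Completed buckets at the new value before the rolling mean exceeds the
    SLA threshold; None if even a full window of new values never crosses it."""
    for n in range(1, monitor.buckets.maxlen + 1):
        if monitor.complete_bucket(new_value) > sla_threshold:
            return n
    return None


def detection_time_s(buckets, poll_interval_ms=DEFAULT_POLL_INTERVAL_MS):
    """Wall-clock time AAR needs to react, given the bucket count above."""
    return buckets * poll_interval_ms // 1000


if __name__ == "__main__":
    size = bucket_size_packets()
    print(f"default bucket: {size} packets, one lost packet = {loss_weight_percent(size)}%")
    # Chart scenario: mean 20 ms, latency jumps to 150 ms, SLA latency 100 ms.
    n = buckets_until_disqualified(PathMonitor(seed_value=20), 150, 100)
    print(f"path disqualified after bucket {n}: {detection_time_s(n)} s at the default poll-interval")
```

The point the numbers make: at the default poll-interval a 150 ms brownout against a 100 ms SLA is only acted on after four buckets, i.e. 40 minutes, which is why the slides call out poll-interval and multiplier as the tuning knobs; the trade-off is the loss granularity shown in the bucket-size table.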
AAR Policy Use Case
Application Pinning with SLA
[Diagram: WAN Edge with VPN 1 and VPN 2 and transports mpls, public-internet, red and lte; App1 on Path1 (mpls), Path2 (public-internet) and Path3 (red); App2 on Path1 (mpls) and Path2 (red); App3 on Path1 (public-internet) and Path2 (lte)]
• App1: SLA-class Business; MPLS / public-internet primary (load-share); red backup; fall back to routing
• App2: SLA-class EF; MPLS primary; red primary; drop on path unavailability
• App3: SLA-class POS; public-internet primary; LTE backup
• Other apps: SLA-class Default
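The pinning described in the use case above, evaluated in Python against constructed path measurements. This is an added example, not code from the deck: it applies the semantics the slides give for sla-class, preferred-color, strict and backup-sla-preferred-color, with EF using the loss 1 / latency 100 thresholds from the policy example; the Business and POS thresholds, the per-path statistics and the function names are this example's own assumptions.

```python
"""App-route path selection for the pinning use case (added example).

Not code from the deck. Path statistics stand in for the rolling means AAR
would have produced; EF comes from the policy example, Business, POS and
Default thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss: Optional[float] = None     # percent; None = not constrained
    latency: Optional[int] = None    # ms
    jitter: Optional[int] = None     # ms


@dataclass(frozen=True)
class PathStats:
    loss: float                      # percent, rolling mean
    latency: int                     # ms, rolling mean
    jitter: int                      # ms, rolling mean
    up: bool = True                  # BFD session state (False = blackout)


def meets_sla(stats: PathStats, sla: SlaClass) -> bool:
    """A path qualifies when BFD is up and every configured threshold holds."""
    if not stats.up:
        return False
    limits = ((sla.loss, stats.loss), (sla.latency, stats.latency), (sla.jitter, stats.jitter))
    return all(measured <= limit for limit, measured in limits if limit is not None)


def select_paths(paths: Dict[str, PathStats], sla: SlaClass, preferred=(),
                 strict=False, backup_preferred=()) -> Tuple[str, List[str]]:
    """Decide where a flow bound to `sla` goes. Returns (decision, colors):
      sla-preferred  preferred colors that meet the SLA (load-shared)
      sla-any        no preferred color qualifies; any qualifying color
      drop           strict and nothing qualifies
      backup         nothing qualifies; backup-sla-preferred-color is up
      routing        nothing qualifies and no backup: fall back to routing
    """
    qualified = [c for c, s in paths.items() if meets_sla(s, sla)]
    if qualified:
        pref = [c for c in preferred if c in qualified]
        return ("sla-preferred", pref) if pref else ("sla-any", qualified)
    if strict:
        return ("drop", [])
    backup = [c for c in backup_preferred if c in paths and paths[c].up]
    if backup:
        return ("backup", backup)
    return ("routing", [c for c, s in paths.items() if s.up])


# SLA classes: EF from the policy example; Business, POS and Default constructed.
EF = SlaClass("EF", loss=1, latency=100)
BUSINESS = SlaClass("Business", loss=2, latency=150, jitter=50)
POS = SlaClass("POS", loss=2, latency=150)
DEFAULT = SlaClass("Default")

# The use case's pinning, one entry per app (keyword arguments for select_paths).
APP_ROUTE_POLICY = {
    "App1": dict(sla=BUSINESS, preferred=("mpls", "public-internet"), backup_preferred=("red",)),
    "App2": dict(sla=EF, preferred=("mpls", "red"), strict=True),
    "App3": dict(sla=POS, preferred=("public-internet",), backup_preferred=("lte",)),
}


def decide(app: str, paths: Dict[str, PathStats]) -> Tuple[str, List[str]]:
    """Other apps fall into the Default SLA class with no preference."""
    return select_paths(paths, **APP_ROUTE_POLICY.get(app, dict(sla=DEFAULT)))


# Constructed measurements: healthy, brownout on the primaries, then near-total failure.
HEALTHY = {
    "mpls": PathStats(loss=0.0, latency=30, jitter=5),
    "public-internet": PathStats(loss=0.5, latency=60, jitter=10),
    "red": PathStats(loss=3.0, latency=200, jitter=40),
    "lte": PathStats(loss=1.5, latency=120, jitter=20),
}
BROWNOUT = {**HEALTHY,
            "mpls": PathStats(loss=4.0, latency=250, jitter=60),
            "public-internet": PathStats(loss=2.5, latency=180, jitter=30)}
BLACKOUT = {**BROWNOUT,
            "red": PathStats(loss=3.0, latency=200, jitter=40, up=False),
            "lte": PathStats(loss=5.0, latency=400, jitter=100)}

if __name__ == "__main__":
    for label, paths in (("healthy", HEALTHY), ("brownout", BROWNOUT), ("blackout", BLACKOUT)):
        for app in ("App1", "App2", "App3", "Other"):
            print(label, app, decide(app, paths))
```

Note the difference in failure behaviour the use case asks for: App2 (strict) is dropped in the brownout even though lte is up, App3 falls to its backup color once every path is out of SLA, and App1 with its backup down is handed back to routing, which is exactly what backup-sla-preferred-color and strict were introduced to control.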
Control Policy Example (For Your Reference)
vpn-membership: restrict which VPNs a site may participate in
policy
 lists
  vpn-list restricted_vpns
   vpn 1, 2
  !
 !
 vpn-membership acme_1
  sequence 10
   match
    vpn-list restricted_vpns
   !
   action reject
   !
  !
  default-action accept
 !
!
Effect on the WAN Edge (VPN 1, VPN 2 and VPN 3 towards the WAN):
✘ VPN 1: no update sent to the site; routes from the site dropped
✘ VPN 2: no update sent to the site; routes from the site dropped
✔ VPN 3: updates sent; routes accepted
cFlowd / NetFlow Template
Configuring the cFlowd Cache and Collectors
policy
 cflowd-template cflowd_temp
  collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp   ! max collectors: 4
  flow-active-timeout 60        ! default 600s
  flow-inactive-timeout 60      ! default 60s
  flow-sampling-interval        ! default 0
  template-refresh              ! default 90s
 !
!
Tips and Tricks
Useful Policy Features (For Your Reference)
Generic Policy Features
Catchall statement: use 'action accept' without a match in a sequence. Useful to ensure all traffic is matched.
Color-list: match any color using a color-list. Useful in control policies to match a selection of TLOCs with different colors, or routes originating from TLOCs of different colors.
 color-list colors
  color red
  color blue
Counter: extremely useful for troubleshooting and policy verification.
 action accept
  count <name>
 To display, use: show policy app-route-policy-filter and show policy data-policy-filter
Default-action: applied to any traffic not matched by another statement in the policy. The default-action is set to reject or drop by default and is always visible in the policy.
 default-action reject
Enable DPI (vEdge and IOS-XE):
 policy
  app-visibility
 IOS-XE will automatically have added:
 interface x/y/z
  ip nbar protocol-discovery
Match Route vs TLOC: match statements for routes and TLOCs have different match criteria and also allow 'set' of different attributes, related to the specific attributes associated with each.
Policy Application
Rules and Restrictions
Regional Internet Access via Transport
Hair-pinning via Transport
• Data-policy sequence 10: allow standard routing for internal prefixes
• Data-policy sequence 20: direct all other traffic to DIA
• Apply the data-policy in both directions (all) to service upstream and downstream traffic
• Originate a default route to attract traffic towards the breakout
policy
 data-policy Internet_breakout
  vpn-list vpn_all
  sequence 10
   match
    destination-data-prefix-list internal-pfx
   !
   action accept
   !
  !
  sequence 20
   match
   !
   action accept
    local-tloc public-internet [restrict]
   !
  !
  default-action accept
 !
!
apply-policy
 site-list regional_exit
  data-policy Internet_breakout all
 !
!
vpn 2
 ip route 0.0.0.0/0 null0
!
[Diagram: Site-1 (VPN 1, VPN 2) reaches the Internet across the SD-WAN fabric via the Regional Office, which advertises the default route in an OMP update and breaks out on its public-internet transport]
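A first-match evaluator for the Internet_breakout data policy above, in Python. This is an added example, not code from the deck: it models the policy shape on the slide (sequences evaluated in order, data-prefix-list matches, default-action) together with the local-tloc [restrict] semantics the feature table states (restrict drops when the pinned color is down, otherwise the packet falls back to the RIB), and it serves the earlier Cloud_Security policy equally, whose service FW local [restrict] has the same drop-or-fall-back behaviour. The prefix lists, TLOC state, the RIB and all function names are this example's own assumptions.

```python
"""First-match evaluator for the Internet_breakout data policy (added example).

Not code from the deck. Prefix lists, TLOC state and the RIB below are
constructed sample data standing in for what the WAN Edge would hold.
"""
import ipaddress

DATA_PREFIX_LISTS = {
    "internal-pfx": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Constructed RIB of the regional exit: fabric routes learned via OMP and the
# null0 default the slide originates to attract traffic towards the breakout.
RIB = {"10.0.0.0/8": "omp", "172.16.0.0/12": "omp", "192.168.0.0/16": "omp",
       "0.0.0.0/0": "null0"}


def in_prefix_list(ip, list_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in DATA_PREFIX_LISTS[list_name])


def rib_lookup(rib, ip):
    """Longest-prefix match; returns the next-hop label or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def make_policy(restrict=True, default_action="accept", catchall=True):
    """data-policy Internet_breakout as data. catchall=False leaves sequence 20
    out so the default-action is exercised."""
    sequences = [
        {"seq": 10, "match": {"destination-data-prefix-list": "internal-pfx"},
         "action": {"accept": True}},
    ]
    if catchall:
        sequences.append(
            {"seq": 20, "match": {},
             "action": {"accept": True,
                        "local-tloc": {"color": "public-internet", "restrict": restrict}}})
    return {"name": "Internet_breakout", "sequences": sequences,
            "default-action": default_action}


def matches(packet, match):
    """Every criterion must hold; an empty match block is a catch-all."""
    for key, value in match.items():
        if key == "destination-data-prefix-list":
            if not in_prefix_list(packet["dst"], value):
                return False
        elif key == "source-data-prefix-list":
            if not in_prefix_list(packet["src"], value):
                return False
        elif key == "dscp":
            if packet.get("dscp") != value:
                return False
        else:
            raise ValueError(f"unsupported match criterion: {key}")
    return True


def evaluate(policy, packet, tloc_up, rib=RIB):
    """Return (outcome, next hop or color, deciding sequence)."""
    for s in policy["sequences"]:
        if not matches(packet, s["match"]):
            continue
        action = s["action"]
        if not action.get("accept"):
            return ("drop", None, s["seq"])
        pin = action.get("local-tloc")
        if pin is None:                                   # plain accept: routing decides
            return ("routing", rib_lookup(rib, packet["dst"]), s["seq"])
        if tloc_up.get(pin["color"], False):              # pinned color operational
            return ("dia", pin["color"], s["seq"])
        if pin.get("restrict"):                           # restrict: drop rather than reroute
            return ("drop", None, s["seq"])
        return ("routing", rib_lookup(rib, packet["dst"]), s["seq"])
    # No sequence matched: the policy's default-action decides.
    if policy["default-action"] == "accept":
        return ("routing", rib_lookup(rib, packet["dst"]), "default-action")
    return ("drop", None, "default-action")


if __name__ == "__main__":
    policy = make_policy(restrict=True)
    for dst, up in (("10.20.30.40", True), ("198.51.100.7", True), ("198.51.100.7", False)):
        state = "public-internet up" if up else "public-internet down"
        print(dst, state, evaluate(policy, {"dst": dst, "src": "10.1.1.1"}, {"public-internet": up}))
```

Two checks worth running before deploying such a policy: without restrict, the fallback for Internet-bound traffic resolves to the null0 default in this constructed RIB, so at the regional exit it is blackholed either way and a usable default (as the hub slides take from OSPF/BGP) is what makes the fallback meaningful; and a policy that omits the catch-all sequence hands unmatched traffic to the default-action, which the tips slide reminds is reject or drop unless set to accept.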
Cisco Umbrella Integration
Policy Generated via vManage Security Policy Configuration
policy
 lists
  local-domain-list exclude-domains   ! domains excluded from redirection of DNS lookups and the subsequent flows
   cisco.com
  !
 !
!
security
 umbrella
  token 1234567890ABCDEF    ! Umbrella registration token (placeholder value); handle as a secret
  dnscrypt                  ! DNSCrypt (eDNS) allows tracking the origin of DNS requests, in addition to encryption
 !
!
vpn matchAllVpn
 dns-redirect umbrella match-local-domain-to-bypass   ! DNS set to use Umbrella for all VPNs
!
Platform Support and Scalability
Policy Scalability and Performance / Policy Scalability and Memory Consumption
Policy Construction Guidelines
[Reference slides: policy construction guidelines for scalability, performance and memory consumption (graphics only)]
Policy Scalability - The Numbers
Element | vEdge-100 | vEdge-1/2/5K | ISR | ASR
Policy Instances | 256 | 512 | 512 | 512
Forwarding Plane Policies:
Policy Sequences | Filter Block dependent | Filter Block dependent | Policy Memory Chunk dependent | TCAM dependent
Match Statement | >= 1 Filter Block depending on construct | >= 1 Filter Block depending on construct | >= 1 Policy Chunk depending on construct | >= 1 160b entry depending on construct
Action Statement | >= 1 Filter Block depending on construct | >= 1 Filter Block depending on construct | No limit | No limit
Policy Feature Support (For Your Reference): Control Policy
Feature | Description | Viptela OS release | IOS-XE SD-WAN release
Match / Route:
color-list | Match routes of any color in the list | vSmart only, 15.4 | vSmart only, 16.9
ipv6-prefix-list | Match routes present in the prefix-list | vSmart only, 18.4 | vSmart only, 16.9
omp-tag | Match routes with the specific omp-tag | vSmart only, 15.4 | TBD
origin | Match routes with the specified origin protocol (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset) | vSmart only, 14.1 | vSmart only, 16.9
originator | Match routes that originated from the specified system-IP (as in the originating vEdge) | vSmart only, 14.1 | vSmart only, 16.9
preference | Match routes with the specified preference | vSmart only, 14.1 | vSmart only, 16.9
prefix-list | Match routes present in the prefix-list | vSmart only, 14.1 | vSmart only, 16.9
site-id | Match routes originating from the specified site-id | vSmart only, 14.1 | vSmart only, 16.9
tloc | Match routes from the specified TLOC | vSmart only, 14.1 | vSmart only, 16.9
tloc-list | Match routes from any TLOC in the list | vSmart only, 14.1 | vSmart only, 16.9
vpn | Match routes belonging to the specified VPN | vSmart only, 14.1 | vSmart only, 16.9
vpn-list | Match routes belonging to any VPN in the list | vSmart only, 14.1 | vSmart only, 16.9
Match / TLOC:
carrier | Match TLOCs with the specified carrier | vSmart only, 14.2 | TBD
color | Match TLOCs with the specified color | vSmart only, 14.1 | vSmart only, 16.9
color-list | Match TLOCs with any color present in the list | vSmart only, 15.4 | vSmart only, 16.9
domain-id | Match TLOCs originating from the specified domain-id | Not currently implemented | Not currently implemented
omp-tag | Match TLOCs with the specified OMP-tag | vSmart only, 15.4 | TBD
originator | Match TLOCs originating from the specific system-IP | vSmart only, 14.1 | vSmart only, 16.9
preference | Match TLOCs with the specified preference | vSmart only, 14.1 | vSmart only, 16.9
site-id | Match TLOCs originating from the specified site-id | vSmart only, 14.1 | vSmart only, 16.9
site-list | Match TLOCs originating from any site in the list | vSmart only, 14.1 | vSmart only, 16.9
tloc-list | Match any TLOC in the list | vSmart only, 14.1 | vSmart only, 16.9
Action / Route:
export-to vpn | vpn-list | Export the matched route into the specified VPN / list | vSmart only, 14.1 | vSmart only, 16.9
set omp-tag | Set an OMP-tag on the matched route | vSmart only, 15.4 | TBD
set preference | Set the preference on the matched route | vSmart only, 14.1 | vSmart only, 16.9
set service <type> | Associate a service with the matched route to enable service chaining | 14.1 | TBD
set service <type> [tloc] | Associate the service advertised from the specified TLOC with the matched route | 16.3 | TBD
set service <type> [tloc-list] | Associate the service advertised from a TLOC in the specified list with the matched route | 16.3 | TBD
set service <type> [vpn] | Associate a service advertised from the specified VPN with the matched route | 16.3 | TBD
set tloc-action backup | ecmp | primary | strict | Set a TLOC action for the matched route to enable overlay traffic engineering using Service TE | 16.3 | TBD
set tloc-list | Reset the TLOC to a list of TLOCs on the matched route | vSmart only, 14.1 | vSmart only, 16.9
Action / TLOC (applicable to Match / TLOC):
accept | Accept the matched TLOC and install it into the RIB without further action | vSmart only, 14.1 | vSmart only, 16.9
set omp-tag | Set the OMP-tag on the matched TLOC | vSmart only, 15.4 | TBD
set preference | Set the preference on the matched TLOC | vSmart only, 15.4 | vSmart only, 16.9
Policy Feature Support (For Your Reference): Data Policy
Feature | Description | Viptela OS release | IOS-XE SD-WAN release
Match:
destination-ipv6 | Match the packet destination IPv6 address to the address / prefix specified | TBD | 16.10
destination-port | Match the packet destination port | 14.1 | 16.9
dns request | response | Match on DNS traffic for intercept / redirect | 17.2 | 16.9
dns-app-list | Match on DNS traffic for the specified set of applications for intercept / redirect | 17.2 | 16.9
dscp | Match on the packet DSCP | 14.1 | 16.9
source-data-ipv6-prefix-list | Match the packet source IPv6 address to any prefix in the prefix-list | TBD | 16.10
source-data-prefix-list | Match the packet source IP to any prefix in the prefix-list | 14.1 | 16.9
source-ip | Match the packet source IP to the address / prefix specified | 14.1 | 16.9
source-ipv6 | Match the packet source IPv6 address to the address / prefix specified | 18.4 | 16.10
source-port | Match the packet source port | 14.1 | 16.9
Action:
set dscp | Set the DSCP on the matched packet | 15.1 | 16.9
set forwarding-class | Set the packet to use a specific QoS class within the node without setting the DSCP (equivalent to qos-group) | 15.1 | 16.9
set local-tloc color [encap] | Pin the matching flow/packet to the defined TLOC | 16.1 | 17.2.1
set local-tloc-list color [encap] [restrict] | Pin the matching flow/packet to the list of TLOCs, using ECMP for more than one. restrict causes a drop if no chosen color is operational; otherwise forwarding falls back to the RIB | 16.1 | 17.2.1
set local-tloc / local-tloc-list | Pin the matching flow/packet to the defined TLOC for DIA / split-tunneling traffic | 16.1 | 17.2.1
set next-hop | Route the matching flow/packet to the chosen IP | 14.1 | 16.9
set next-hop-ipv6 | Route the matching flow/packet to the chosen IPv6 address | 18.4 | 16.10
set policer | Apply the defined policer to the traffic | 14.1 | 16.11
cflowd | Enable flow accounting for the matching traffic | 14.3 | 16.9
log | Create a log entry (using the log configuration of the node) for the matching traffic. policy log-frequency defaults to 1000; the nearest lower power of 2 is used, so every 512th packet is logged | 16.3 | TBD
loss-protect fec-adaptive | Enable adaptive FEC for the matching traffic (FEC is enabled at >= 2% path packet loss) | 18.4 | TBD
loss-protect fec-always | Enable continuous FEC for the matching traffic | 18.3 | 16.11
loss-protect pkt-dup | Enable packet duplication for the matching traffic | 18.4 | 16.12
nat pool <name> | NAT the matching traffic using the named NAT pool | 15.3 | 16.9
nat use-vpn <0> [fallback] | NAT the matching traffic as it is subject to split tunneling / DIA via VPN 0. fallback allows falling back to routing on NAT resource exhaustion | 14.2 | 16.9
nat use-vpn <0> pool <name> | NAT the matching traffic using the named NAT pool as it is subject to split tunneling / DIA via VPN 0 | TBD | 16.9
redirect-dns host | Redirect the intercepted DNS request for resolution locally on the node | TBD | TBD
redirect-dns umbrella | Redirect the intercepted DNS request to Umbrella / OpenDNS | TBD | 16.10
tcp-optimization | Enable TCP optimization for the matching traffic | 17.2 | 16.12
Policy Feature Support (For Your Reference): App-Route Policy
Feature | Description | Viptela OS release | IOS-XE SD-WAN release
Match:
dns request | response | Match on DNS traffic for intercept / redirect | 17.2 | 16.9
dns-app-list | Match on DNS traffic for the specified set of applications for intercept / redirect | 17.2 | 16.9
source-data-ipv6-prefix-list | Match the packet source IPv6 address to any prefix in the prefix-list | TBD | 16.10
source-data-prefix-list | Match the packet source IP to any prefix in the prefix-list | 14.2 | 16.9
source-ip | Match the packet source IP to the address / prefix specified | 14.2 | 16.9
source-ipv6 | Match the packet source IPv6 address to the address / prefix specified | 14.2 | 16.10
source-port | Match the packet source port | 14.2 | 16.9
Action:
log | Create a log entry (using the log configuration of the node) for the matching traffic. policy log-frequency defaults to 1000; the nearest lower power of 2 is used, so every 512th packet is logged | 16.3 | TBD
sla-class <name> | Associate the matching traffic with a defined SLA-class | 14.2 | 16.9
sla-class <name> preferred-color <n> [<n>] … | Configure a preferred TLOC for the traffic associated with the SLA-class (multiple colors for ECMP) | 15.2 (single color) / 17.1 (multiple colors) | 16.9 / 16.9
sla-class <name> strict | Drop the traffic associated with the SLA-class when no path meets the SLA threshold(s) | 14.2 | 16.9
default-action sla-class | Define the SLA for traffic not explicitly matched in a sequence | 14.2 | 16.9
Related SD-WAN sessions at Cisco Live EMEA (#CLEMEA)
Tectorials: TECRST-2191 SD-WAN design, deploy and best practices (4 hours); TECCRS-3006 ENFV Deep Dive and Hands-on Lab (8 hours)
Breakouts: BRKRST-2791 Building and using Policies with Cisco SD-WAN (this session); BRKRST-2377 SD-WAN Security; BRKRST-2560 SD-WAN Machine Analytics, Machine Learning and AI; BRKRST-2096 SD-WAN Proof of Concept; BRKRST-2095 SD-WAN Routing Migrations; BRKCRS-2113 Cloud Ready WAN for IaaS and SaaS with Cisco SD-WAN; and BRKRST-2093, BRKRST-2091, BRKRST-2041, BRKARC-2012, BRKRST-2559, BRKCRS-2110, BRKCRS-1579, BRKRST-3404, BRKRST-2097 and BRKOPS-2826
[Session schedule grid with times and titles not recoverable from the extracted text]
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the overall conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Continue your education: demos in the Cisco campus, walk-in labs
Thank you