
Building and Using Policies with Cisco SD-WAN
Become Sufficiently Dangerous

Stefan Olofsson, Technical Solutions Architect

BRKRST-2791
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKRST-2791 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Cisco SD-WAN Crash Course
• Introduction to the Cisco SD-WAN Policy Framework
• Control Policies and Applications
• Data Policies and Applications
• Application Aware Routing Policies and Applications
• More Policies and Applications
• Tips, Tricks, Scalability and Best Practices
• Conclusion

Cisco SD-WAN Crash Course
Cisco SD-WAN Architecture Overview
Applying SDN Principles Onto The Wide Area Network

(Architecture figure) Management / Orchestration Plane: vManage and vBond, with APIs towards 3rd Party Automation. Control Plane: vSmart Controllers. Data Plane: WAN Edge Routers across MPLS, 4G and INET transports, connecting Cloud, Data Center, Campus, Branch and SOHO sites.

Cisco SD-WAN Terminology
• Transport Side – Controller or WAN Edge Interface connected to the underlay/WAN network
  • Always VPN 0
  • Traffic typically tunneled/encrypted, unless split-tunneling is used
• Service Side – WAN Edge interface attaching to the LAN
  • VPN 1-511 (512 Reserved for OOB Mgmt)
  • Traffic forwarded as is from original source
• TLOC – Collection of entities making up a transport side connection
  • System-IP: IPv4 Address (non-routed identifier)
  • Color: Interface identifier on local WAN Edge
  • Private TLOC: IP Address on interface sitting on inside of NAT
  • Public TLOC: IP Address on interface sitting on outside of NAT
  • Private/Public can be the same if connection is not subject to NAT
• vRoute – Routes learnt/connected on Service Side
  • vRoute tagged with attributes as it is picked up by OMP

Cisco SD-WAN Terminology
• OMP – Overlay Management Protocol
  • Dynamic Routing Protocol managing the Overlay domain
  • Integrated mechanism for distribution of Routing, Encryption and Policies
• Site-ID – Identifies the Source Location of an advertised prefix
  • Configured on every WAN Edge, vSmart and vManage
  • Does not have to be unique, but devices sharing a Site-ID are assumed to be at the same location
  • Required configuration for OMP and TLOC to be brought up
• System-IP – Unique identifier of an OMP Endpoint
  • 32 Bit dot decimal notation (an IPv4 Address)
  • Logically a VPN 0 Loopback Interface, referred to as “system”
  • The system interface is the termination point for OMP

Introduction to the Cisco SD-WAN Policy Framework
Cisco SD-WAN Policy Architecture
Policy Categories

Centralized Policies (Policy: Define → Netconf → Volatile Storage (~Policy RIB) on vSmart → OMP to the WAN Edges):
• Topology and VPN Membership: Control Policy, VPN Membership Policy
• Traffic Rules: App-Aware Routing Policy, Data Policy (Traffic Data), cFlowd

Localized Policies (Device Configuration Template → Netconf → Device Configuration):
• Local Policy: Local Control Policy (Routing Policies – OSPF/BGP)
• Local Policy: Local Data Policy (QoS, ACL etc)

Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains

(Figure) Control Policy at vSmart; App-Route Policy: App-Aware SLA-based Routing; Data Policy: Extensive Policy-based Routing and Services; each shown across the WAN for VPN 1 and VPN 2.

• Control Policies are applied at vSmart: Tailors routing information advertised to WAN endpoints
• App-Route Policies are applied at WAN Edge: SLA-driven path selection for applications
• Data Policies are applied at WAN Edge: Extensive Policy driven routing

Cisco SD-WAN Overlay Routing
Multi-domain Routing Fabric

(Figure) Core SD-WAN Routing Domain (SD-WAN Fabric, Control Plane on vSmart) with the Overlay Routing Policy Enforcement Point at vSmart; Existing Branch/DC Routing Domain with the Local Routing Policy Enforcement Point at the WAN Edge. Site1 to Site4 each attach a WAN Edge carrying VPN 1, VPN 2 and VPN 3 across the WAN.
• TLOC advertised to vSmarts with set of attributes
• Service prefixes advertised to vSmarts with set of attributes
• vSmarts advertise TLOCs and Service Prefixes to all Edges

Overlay Management Protocol
High Level Description
• Path Vector Routing Protocol specifically designed for overlay networks
• Natively Multiprotocol, Multipath and VPN/Segment Aware
• Peer Auto-discovery w/ Zero line config for basic operation
• Inherent Route Target Constraint Capability
• Automatic Distribution of targeted local routing
• Overlay and Legacy Domain Loop Avoidance capabilities
• Reliable and Secure Transport (SSL)
• Broad Attribute Support
  • Preference
  • Identification
  • Legacy Source Protocol Information
• Consistent Routing and Encryption Synchronization
• Multi-domain capable

Overlay Management Protocol
Distribution of Routing Information for Topology-driven Routing

vRoutes  – Branch Routing into Overlay: Routing + Forwarding Attributes
TLOCs    – WAN Attachment: Private IP/Public IP, Color / Encap, Encryption Keys, Location (TLOC) + Attributes
Services – Services: Type of Service
Policies – Data Policy, App-Route Policy, VPN Membership, cFlowd Template Information

Distribution of Routing Information and Policies subject to endpoint push
Updates sent only on changes – Routing engine operates as with existing protocols (BGP)

Overlay Management Protocol
Path Selection

• Default: 4 paths advertised by vSmart
  omp send-path-limit [1-16]
• Backup routes can be advertised to vEdges for faster convergence
  omp send-backup-paths
• Origin by Admin Distance and then by Protocol Cost / Metric

Best path is selected in this order:
1 Route Resolvability – Next-hop TLOC is Reachable
2 Route Source Preference – Prefer vEdge-sourced route over vSmart-sourced route
3 Admin Distance – Prefer OMP Route with lowest admin distance
4 Route Preference – Prefer Route with highest route preference
5 TLOC Preference – Prefer route with highest TLOC preference
6 Origin – Prefer route with best origin (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset)
7 Tiebreaker – Prefer route from highest origin Router-ID (System-IP)
8 Tiebreaker – Prefer route from highest Private TLOC IP-address
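The selection order above can be expressed as a single comparison key, which makes it easy to check which path a WAN Edge will install for a prefix and why. The following is an added example written for this section, not code from the presentation or from Cisco; the OmpPath fields, the sample paths and their attribute values are constructed for illustration, and the private TLOC addresses are documentation-range placeholders.

```python
"""OMP best-path selection, modelled on the ordered criteria listed above.

Added example, not code from the presentation or from Cisco: the data class,
its field names and the sample paths are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Origin protocols in the order OMP prefers them (best first), as on the slide.
ORIGIN_RANK = {
    "connected": 0, "static": 1, "ebgp": 2, "ospf-intra": 3,
    "ospf-inter": 4, "ospf-external": 5, "ibgp": 6, "unknown": 7,
}


@dataclass(frozen=True)
class OmpPath:
    prefix: str
    tloc_ip: str            # next-hop TLOC (System-IP of the advertising WAN Edge)
    color: str
    tloc_reachable: bool    # BFD session to the TLOC is up (route resolvability)
    vedge_sourced: bool     # learned locally on this WAN Edge rather than from vSmart
    admin_distance: int
    route_preference: int
    tloc_preference: int
    origin: str
    originator: str         # Router-ID (System-IP) of the originating node
    private_tloc_ip: str


def _ip_tuple(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def _neg(t: tuple) -> tuple:
    return tuple(-x for x in t)


def rank_key(path: OmpPath) -> tuple:
    """Sort key implementing criteria 2-8; a lower tuple is a better path.
    Fields where 'higher wins' are negated so an ascending sort picks them first."""
    return (
        0 if path.vedge_sourced else 1,                         # 2 prefer vEdge-sourced
        path.admin_distance,                                     # 3 lowest admin distance
        -path.route_preference,                                  # 4 highest route preference
        -path.tloc_preference,                                   # 5 highest TLOC preference
        ORIGIN_RANK.get(path.origin, ORIGIN_RANK["unknown"]),    # 6 best origin
        _neg(_ip_tuple(path.originator)),                        # 7 highest originator Router-ID
        _neg(_ip_tuple(path.private_tloc_ip)),                   # 8 highest private TLOC IP
    )


def rank_paths(paths: List[OmpPath]) -> List[OmpPath]:
    """Criterion 1 first: drop paths whose TLOC is unreachable, then order the rest."""
    resolvable = [p for p in paths if p.tloc_reachable]
    return sorted(resolvable, key=rank_key)


def best_path(paths: List[OmpPath]) -> Optional[OmpPath]:
    ranked = rank_paths(paths)
    return ranked[0] if ranked else None


# Constructed sample: four vSmart-learned paths for one prefix seen at a branch.
SAMPLE_PATHS = [
    OmpPath("10.1.1.0/24", "100.100.100.100", "mpls", True, False, 250, 100, 400,
            "static", "100.100.100.100", "192.0.2.100"),
    OmpPath("10.1.1.0/24", "101.101.101.101", "mpls", True, False, 250, 100, 200,
            "connected", "101.101.101.101", "192.0.2.101"),
    # Highest route preference of all, but BFD to the TLOC is down: excluded by criterion 1.
    OmpPath("10.1.1.0/24", "20.20.20.20", "public-internet", False, False, 250, 500, 400,
            "connected", "20.20.20.20", "192.0.2.20"),
    # Ties with the first path on TLOC preference; wins on origin (connected beats static).
    OmpPath("10.1.1.0/24", "101.101.101.101", "public-internet", True, False, 250, 100, 400,
            "connected", "101.101.101.101", "198.51.100.101"),
]


def demo() -> List[tuple]:
    """Return (tloc_ip, color) best-to-worst for the sample paths."""
    return [(p.tloc_ip, p.color) for p in rank_paths(SAMPLE_PATHS)]


if __name__ == "__main__":
    for tloc, color in demo():
        print(tloc, color)
```

The unreachable path is filtered before any attribute is compared, which is why a route with a very high route preference still loses to a reachable one; the remaining order falls out of the tuple comparison in the slide's sequence.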

Building, Applying and Processing SD-WAN Policies
Construction of SD-WAN Policies
Policy Building Blocks

Lists:
  Site-List
    Site-ID <n>

Policy:
  Policy Type
  Policy Sequence 1
    Match <route | tloc | Application>
    Action <Accept | Reject | set >
  Policy Sequence 2
    Match <route | tloc | Application>
    Action <Accept | Reject | set >
  Default Action <Accept | Reject>

Apply Policy:
  Policy <type> <name>
  Direction (if applicable)

Cisco SD-WAN Policy Orchestration Process

1 vManage GUI – Policy Orchestration: Control Policy, App-Route Policy (App-Aware SLA-based Routing) and Data Policy (Extensive Policy-based Routing and Services) are combined and applied per Site
2 vSmart controller – Policy Enforcement/Advertisement: Execute Control Policy; advertise AAR/Data Policies to Sites
3 WAN Edge router – Policy Enforcement: Execute AAR and Data Policy as received; Dynamic Routing and Policies combine to dictate behavior towards the Service Side

Processing Policies
Policy Processing Logic
• Policies are processed sequentially. Order is important!
• When a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing.
• Entity not matched in a sequence is subject to default action for the policy.
• Any node will make use of any and all available routing information
• In a multi-vSmart deployment, every vSmart acts independently to disseminate information to other vSmarts and vEdges
• vManage acts to ensure all vSmarts are synchronized

Cisco SD-WAN Policy Execution
Topology-driven routing and Policy execution chain

Service Side – Transport Side
1 Local Ingress Policy: Policing, Admission Control, Classification & Marking
2 Centralized App-Route Policy: SLA-based Path Selection
3 Centralized Data Policy: Policing, Admission Control, Classification & Re/Marking, Path Selection, Services
4 Routing / Forwarding: Topology Driven Forwarding
5 Queueing / Scheduling: Shaping, WRR w/ LLQ, Congestion Avoidance
6 Local Egress Policy: Access Lists, Policing, Re-marking

App-Aware Routing and Data Policy Overlap
Policy Processing when packet is subject to match in both policies
Guiding Principle:
Data Policy Makes Final Decision with Consideration for AAR SLA Match

(Flowchart) Decision points for an Incoming Packet, in the order they appear in the chart:
• App-Route Policy: Path Matching SLA Found? – Yes: Data Policy: Local/Remote TLOC Action? – No: App-Route Policy: Follow Preferred/Backup SLA
• App-Route Policy: AAR Strict Configured?
• Data Policy: Path Decision Matching AAR? – Yes: Send Packet
• Data Policy: Path Found?
• Data Policy: Path Decision Determined by Routing due to TLOC down?
• Data Policy: Local-TLOC Strict Configured? – Yes: Drop Packet; No: App-Route Policy: Evaluate Default SLA Class

Policy Management
Ensuring Intended End-to-End Policy Application

• vManage
• vSmart
  • Policy Configuration section
    show running-config policy
  • Apply-policy configuration section
    show running-config apply-policy
• WAN Edge
  • View policy as received from vSmart via OMP
    show policy from-vsmart

Policy Framework:
Control Policies
Control Policies
Overlay Management Protocol Routing Policies
• Control policies are applied and executed on vSmart to influence routing in the Overlay domain
• Control policies filter or manipulate OMP Routing information to:
  • Enable services
  • Influence path selection
• Control Policies control the following services:
  • Service Chaining
  • Traffic Engineering
  • Extranet VPNs
  • Service and Path affinity
  • Arbitrary VPN Topologies
  • and more …
• The Control Policy is one of the most powerful tools in the Cisco SD-WAN toolbox

Control Policies
Policy Structure

Matching on TLOCs:
control-policy <name>
 sequence <n>
  match tloc
   carrier <carrier>
   color <color>
   color-list <name>
   domain-id <domain-id>   - Not Supported
   group-id <group-id>
   omp-tag <tag>
   originator <system-ip>
   preference <preference>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
  !
  action accept
   set
    omp-tag <tag>
    preference <preference>
   !
  !
 !
 default-action accept
!

Matching on routes:
control-policy <name>
 sequence <n>
  match route
   color <color>
   color-list <name>
   ipv6-prefix-list <name>
   omp-tag <tag>
   origin <protocol>
   originator <system-ip>
   preference <preference>
   prefix-list <name>
   site-id <site-id>
   site-list <name>
   tloc <tloc>
   tloc-list <name>
   vpn <vpn-id>
   vpn-list <name>
  !
  action accept
   export-to <vpn> | vpn-list
   set
    omp-tag <tag>
    preference <preference>
    service <service-type>
    tloc <tloc>
    tloc-action <action>
    tloc-list <name>
   !
  !
 !
 default-action accept
!

Control Policy Case #1
Interconnecting Dis-contiguous Data Planes

Problem:
Overlay with a dis-contiguous data plane and endpoints need to communicate end-to-end

Control Policy Case #1
Interconnecting Dis-contiguous Data Planes

(Topology figure) WAN Edge1 – Site-id: 10, System-IP: 10.10.10.10, Color: mpls, VPN 1 and VPN 2, attached to the MPLS TLOC only. WAN Edge2 – Site-id: 20, System-IP: 20.20.20.20, Color: public-internet, VPN 1 and VPN 2, attached to the Internet TLOC only. WAN Edge100 – Site-id: 100, System-IP: 100.100.100.100 and WAN Edge101 – Site-id: 101, System-IP: 101.101.101.101 are attached to both the MPLS TLOC and the Internet TLOC, with VPN 1 and VPN 2.

Solution:
Identify one or more multi-homed sites to bridge the data plane gap and act as gateways
Use a control policy to enable distribution of routing information between domains enabling gateway-supported paths
Control Policy Case #1
Interconnecting Dis-contiguous Data Planes
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

(Advertisement figure)
Original advertisement from WAN Edge1 (System-IP: 10.10.10.10, Color: mpls): Route: VPN-1: Prefix A, NH: TLOC 10.10.10.10, Color: mpls
Original advertisement from WAN Edge2 (System-IP: 20.20.20.20, Color: public-internet): Route: VPN-1: Prefix B, NH: TLOC 20.20.20.20, Color: public-internet
Modified advertisement from controller towards WAN Edge1: Route: VPN-1: Prefix B, NH: TLOC 100.100.100.100, Color: mpls
Modified advertisement from controller towards WAN Edge2: Route: VPN-1: Prefix A, NH: TLOC 100.100.100.100, Color: public-internet
Gateways System-IP: 100.100.100.100 and System-IP: 101.101.101.101 attach to both the MPLS TLOC and the Internet TLOC; VPN 1 and VPN 2 at every site.

Control Policy Case #1 (For Your Reference)
Interconnecting Dis-contiguous Data Planes

1 Define Gateway TLOC-lists
2 Declare Target Sites
policy
 lists
  tloc-list internet-gateways
   tloc 100.100.100.100 color mpls encap ipsec
   tloc 101.101.101.101 color mpls encap ipsec
  !
  tloc-list mpls-gateways
   tloc 100.100.100.100 color public-internet encap ipsec
   tloc 101.101.101.101 color public-internet encap ipsec
  !
  site-list internet-sites
   site-id 20
  !
  site-list mpls-sites
   site-id 10
  !
 !
3 Define the Control Policies
 control-policy announce-internet-sites
  sequence 10
   match route
    site-list internet-sites
   !
   action accept
    set
     tloc-list internet-gateways
    !
   !
  !
  default-action accept
 !
 control-policy announce-mpls-sites
  sequence 10
   match route
    site-list mpls-sites
   !
   action accept
    set
     tloc-list mpls-gateways
    !
   !
  !
  default-action accept
 !
!
4 Apply Policies to the target site-lists
apply-policy
 site-list internet-sites
  control-policy announce-mpls-sites out
 !
 site-list mpls-sites
  control-policy announce-internet-sites out
 !
!

Wait…
We’re doing what?

Dis-contiguous Data Planes
TLOC Distribution and State – No Policy Applied
(Colors: public-internet, mpls. OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable)

vSmart# show omp tlocs
ADDRESS                                              BFD
FAMILY   TLOC IP          COLOR            STATUS    STATUS
-----------------------------------------------------------
ipv4     10.10.10.10      mpls             C,I,R     -
         20.20.20.20      public-internet  C,I,R     -
         100.100.100.100  mpls             C,I,R     -
         100.100.100.100  public-internet  C,I,R     -
         101.101.101.101  mpls             C,I,R     -
         101.101.101.101  public-internet  C,I,R     -

WAN Edge1# show omp tlocs   (Site-id: 10, System-IP: 10.10.10.10, VPN 1, VPN 2)
ADDRESS                                              BFD
FAMILY   TLOC IP          COLOR            STATUS    STATUS
-----------------------------------------------------------
ipv4     10.10.10.10      mpls             C,Red,R   up
         20.20.20.20      public-internet  C,I,R     down
         100.100.100.100  mpls             C,I,R     up
         100.100.100.100  public-internet  C,I,R     down
         101.101.101.101  mpls             C,I,R     up
         101.101.101.101  public-internet  C,I,R     down

WAN Edge2# show omp tlocs   (Site-id: 20, System-IP: 20.20.20.20, VPN 1, VPN 2)
ADDRESS                                              BFD
FAMILY   TLOC IP          COLOR            STATUS    STATUS
-----------------------------------------------------------
ipv4     10.10.10.10      mpls             C,I,R     down
         20.20.20.20      public-internet  C,Red,R   up
         100.100.100.100  mpls             C,I,R     down
         100.100.100.100  public-internet  C,I,R     up
         101.101.101.101  mpls             C,I,R     down
         101.101.101.101  public-internet  C,I,R     up

WAN Edge100# show omp tlocs   (Site-id: 100, System-IP: 100.100.100.100, VPN 1, VPN 2)
ADDRESS                                              BFD
FAMILY   TLOC IP          COLOR            STATUS    STATUS
-----------------------------------------------------------
ipv4     10.10.10.10      mpls             C,I,R     up
         20.20.20.20      public-internet  C,I,R     up
         100.100.100.100  mpls             C,Red,R   up
         100.100.100.100  public-internet  C,Red,R   up
         101.101.101.101  mpls             C,I,R     up
         101.101.101.101  public-internet  C,I,R     up

WAN Edge101# show omp tlocs   (Site-id: 101, System-IP: 101.101.101.101, VPN 1, VPN 2)
ADDRESS                                              BFD
FAMILY   TLOC IP          COLOR            STATUS    STATUS
-----------------------------------------------------------
ipv4     10.10.10.10      mpls             C,I,R     up
         20.20.20.20      public-internet  C,I,R     up
         100.100.100.100  mpls             C,I,R     up
         100.100.100.100  public-internet  C,I,R     up
         101.101.101.101  mpls             C,Red,R   up
         101.101.101.101  public-internet  C,Red,R   up
Dis-contiguous Data Planes
vRoute Distribution and State – No Policy Applied
(Colors: public-internet, mpls. OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable)

vSmart# show omp routes
VPN  PREFIX        STATUS   TLOC IP          COLOR
---------------------------------------------------------
1    10.1.1.0/24   C,R      10.10.10.10      mpls
     20.1.1.0/24   C,R      20.20.20.20      public-internet
     100.1.1.0/24  C,R      100.100.100.100  mpls
                   C,R      100.100.100.100  public-internet
     101.1.1.0/24  C,R      101.101.101.101  mpls
                   C,R      101.101.101.101  public-internet

WAN Edge1# show omp routes   (Site-id: 10, System-IP: 10.10.10.10)
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   C,Red,R  10.10.10.10      mpls
     20.1.1.0/24   Inv,U    20.20.20.20      public-internet
     100.1.1.0/24  C,I,R    100.100.100.100  mpls
                   Inv,U    100.100.100.100  public-internet
     101.1.1.0/24  C,I,R    101.101.101.101  mpls
                   Inv,U    101.101.101.101  public-internet

WAN Edge2# show omp routes   (Site-id: 20, System-IP: 20.20.20.20)
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   Inv,U    10.10.10.10      mpls
     20.1.1.0/24   C,Red,R  20.20.20.20      public-internet
     100.1.1.0/24  Inv,U    100.100.100.100  mpls
                   C,I,R    100.100.100.100  public-internet
     101.1.1.0/24  Inv,U    101.101.101.101  mpls
                   C,I,R    101.101.101.101  public-internet

WAN Edge100# show omp routes   (Site-id: 100, System-IP: 100.100.100.100, VPN 1 Pfx: 100.1.1.0/24)
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   C,I,R    10.10.10.10      mpls
     20.1.1.0/24   C,I,R    20.20.20.20      public-internet
     100.1.1.0/24  C,Red,R  100.100.100.100  mpls
                   C,Red,R  100.100.100.100  public-internet
     101.1.1.0/24  C,I,R    101.101.101.101  mpls
                   C,I,R    101.101.101.101  public-internet

WAN Edge101# show omp routes   (Site-id: 101, System-IP: 101.101.101.101, VPN 1 Pfx: 101.1.1.0/24)
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   C,I,R    10.10.10.10      mpls
     20.1.1.0/24   C,I,R    20.20.20.20      public-internet
     100.1.1.0/24  C,I,R    100.100.100.100  mpls
                   C,I,R    100.100.100.100  public-internet
     101.1.1.0/24  C,Red,R  101.101.101.101  mpls
                   C,Red,R  101.101.101.101  public-internet
Dis-contiguous Data Planes
Policy Components and Application Direction
(Colors: public-internet, mpls. OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable)

policy
 lists
  tloc-list internet-gateways                            (WAN Edge100, WAN Edge101)
   tloc 100.100.100.100 color mpls encap ipsec
   tloc 101.101.101.101 color mpls encap ipsec
  !
  tloc-list mpls-gateways                                (WAN Edge100, WAN Edge101)
   tloc 100.100.100.100 color public-internet encap ipsec
   tloc 101.101.101.101 color public-internet encap ipsec
  !
  site-list internet-sites                               (WAN Edge2)
   site-id 20
  !
  site-list mpls-sites                                   (WAN Edge1)
   site-id 10
  !
 !
!
apply-policy
 site-list internet-sites
  control-policy announce-mpls-sites out                 Apply policy on outbound update from vSmart to nodes in site-list (WAN Edge2)
 !
 site-list mpls-sites
  control-policy announce-internet-sites out             Apply policy on outbound update from vSmart to nodes in site-list (WAN Edge1)
 !
!

Dis-contiguous Data Planes
Policy Application and Outgoing Advertisement – Site 20
(Colors: public-internet, mpls. OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable)

control-policy announce-mpls-sites                       (applied towards WAN Edge2, Site-id: 20, System-IP: 20.20.20.20, VPN 1, VPN 2)
 sequence 10
  match route
   site-list mpls-sites
  !
  action accept
   set
    tloc-list mpls-gateways
   !
  !
 !
 default-action accept
!

vSmart# show omp tlocs
ADDRESS                                    BFD
FAMILY   TLOC IP          STATUS           STATUS
-------------------------------------------
ipv4     10.10.10.10      C,I,R            -
         20.20.20.20      C,I,R            -
         100.100.100.100  C,I,R            -
         101.101.101.101  C,I,R            -

WAN Edge2# show omp tlocs
ADDRESS                                    BFD
FAMILY   TLOC IP          STATUS           STATUS
-------------------------------------------
ipv4     10.10.10.10      C,I,R            down
         20.20.20.20      C,Red,R          up
         100.100.100.100  C,I,R            up
         101.101.101.101  C,I,R            up

vSmart# show omp routes
VPN  PREFIX        STATUS   TLOC IP          COLOR
---------------------------------------------------------
1    10.1.1.0/24   C,R      10.10.10.10      mpls
     20.1.1.0/24   C,R      20.20.20.20      public-internet
     100.1.1.0/24  C,R      100.100.100.100  mpls
                   C,R      100.100.100.100  public-internet
     101.1.1.0/24  C,R      101.101.101.101  mpls
                   C,R      101.101.101.101  public-internet

WAN Edge2# show omp routes
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   C,I,R    100.100.100.100  public-internet
                   C,I,R    101.101.101.101  public-internet
     20.1.1.0/24   C,Red,R  20.20.20.20      public-internet
     100.1.1.0/24  Inv,U    100.100.100.100  mpls
                   C,I,R    100.100.100.100  public-internet
     101.1.1.0/24  Inv,U    101.101.101.101  mpls
                   C,I,R    101.101.101.101  public-internet

Dis-contiguous Data Planes
Policy Application and Outgoing Advertisement – Site 10
(Colors: public-internet, mpls. OMP State: C=Chosen, I=Installed, R=Resolved, Red=Redistributed, Inv=Invalid, U=Unreachable)

control-policy announce-internet-sites                   (applied towards WAN Edge1, Site-id: 10, System-IP: 10.10.10.10, VPN 1, VPN 2)
 sequence 10
  match route
   site-list internet-sites
  !
  action accept
   set
    tloc-list internet-gateways
   !
  !
 !
 default-action accept
!

vSmart# show omp tlocs
ADDRESS                                    BFD
FAMILY   TLOC IP          STATUS           STATUS
-------------------------------------------
ipv4     10.10.10.10      C,I,R            -
         20.20.20.20      C,I,R            -
         100.100.100.100  C,I,R            -
         101.101.101.101  C,I,R            -

WAN Edge1# show omp tlocs
ADDRESS                                    BFD
FAMILY   TLOC IP          STATUS           STATUS
-------------------------------------------
ipv4     10.10.10.10      C,Red,R          up
         20.20.20.20      C,I,R            down
         100.100.100.100  C,I,R            up
         101.101.101.101  C,I,R            up

vSmart# show omp routes
VPN  PREFIX        STATUS   TLOC IP          COLOR
---------------------------------------------------------
1    10.1.1.0/24   C,R      10.10.10.10      mpls
     20.1.1.0/24   C,R      20.20.20.20      public-internet
     100.1.1.0/24  C,R      100.100.100.100  mpls
                   C,R      100.100.100.100  public-internet
     101.1.1.0/24  C,R      101.101.101.101  mpls
                   C,R      101.101.101.101  public-internet

WAN Edge1# show omp routes
VPN  PREFIX        STATUS   TLOC IP          COLOR
-----------------------------------------------------------
1    10.1.1.0/24   C,Red,R  10.10.10.10      mpls
     20.1.1.0/24   C,I,R    100.100.100.100  mpls
                   C,I,R    101.101.101.101  mpls
     100.1.1.0/24  C,I,R    100.100.100.100  mpls
                   Inv,U    100.100.100.100  public-internet
     101.1.1.0/24  C,I,R    101.101.101.101  mpls
                   Inv,U    101.101.101.101  public-internet
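The Processing Policies slide earlier (sequences evaluated in order, first match wins, unmatched entities take the default action) and the Case #1 walkthrough just shown can be checked together with a small model of vSmart's outbound evaluation. The following is an added example, not the presentation's or Cisco's code: the list names, policy names, apply-policy bindings and the vRoute table are the ones on the Case #1 slides; the Python classes, function names and the assumption that vSmart advertises its whole table to every site (no split horizon) are constructed for illustration.

```python
"""Control-policy evaluation modelled on Case #1: sequences are processed in
order, the first match wins, an unmatched route falls to default-action, and
'set tloc-list' re-advertises the route once per TLOC in the list.

Added example, not code from the presentation or from Cisco. Names and the
vRoute table come from the Case #1 slides; everything else is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class VRoute:
    vpn: int
    prefix: str
    site_id: int     # Site-ID of the originating WAN Edge
    tloc: Tloc       # next-hop TLOC carried in the advertisement


@dataclass(frozen=True)
class Sequence:
    number: int
    match_site_list: Optional[str] = None   # match route site-list <name>
    match_vpn_list: Optional[str] = None    # match route vpn-list <name>
    action: str = "accept"                  # accept | reject
    set_tloc_list: Optional[str] = None     # action accept set tloc-list <name>


@dataclass(frozen=True)
class ControlPolicy:
    name: str
    sequences: Tuple[Sequence, ...]
    default_action: str = "accept"


# --- lists and policies as on the Case #1 slides -----------------------------
SITE_LISTS: Dict[str, Set[int]] = {"internet-sites": {20}, "mpls-sites": {10}}
VPN_LISTS: Dict[str, Set[int]] = {}
TLOC_LISTS: Dict[str, Tuple[Tloc, ...]] = {
    "internet-gateways": (Tloc("100.100.100.100", "mpls"), Tloc("101.101.101.101", "mpls")),
    "mpls-gateways": (Tloc("100.100.100.100", "public-internet"),
                      Tloc("101.101.101.101", "public-internet")),
}
POLICIES = {
    "announce-internet-sites": ControlPolicy("announce-internet-sites", (
        Sequence(10, match_site_list="internet-sites", set_tloc_list="internet-gateways"),)),
    "announce-mpls-sites": ControlPolicy("announce-mpls-sites", (
        Sequence(10, match_site_list="mpls-sites", set_tloc_list="mpls-gateways"),)),
}
# apply-policy: site-list -> control-policy applied "out" (vSmart towards the site)
APPLY_POLICY_OUT = {"internet-sites": "announce-mpls-sites", "mpls-sites": "announce-internet-sites"}

# vSmart's route table with no policy applied (the "show omp routes" output above)
VSMART_ROUTES = [
    VRoute(1, "10.1.1.0/24", 10, Tloc("10.10.10.10", "mpls")),
    VRoute(1, "20.1.1.0/24", 20, Tloc("20.20.20.20", "public-internet")),
    VRoute(1, "100.1.1.0/24", 100, Tloc("100.100.100.100", "mpls")),
    VRoute(1, "100.1.1.0/24", 100, Tloc("100.100.100.100", "public-internet")),
    VRoute(1, "101.1.1.0/24", 101, Tloc("101.101.101.101", "mpls")),
    VRoute(1, "101.1.1.0/24", 101, Tloc("101.101.101.101", "public-internet")),
]


def matches(seq: Sequence, route: VRoute) -> bool:
    if seq.match_site_list and route.site_id not in SITE_LISTS[seq.match_site_list]:
        return False
    if seq.match_vpn_list and route.vpn not in VPN_LISTS[seq.match_vpn_list]:
        return False
    return True


def apply_control_policy(policy: ControlPolicy, routes: List[VRoute]) -> List[VRoute]:
    advertised: List[VRoute] = []
    for route in routes:
        for seq in sorted(policy.sequences, key=lambda s: s.number):
            if not matches(seq, route):
                continue
            if seq.action == "accept":
                if seq.set_tloc_list:   # rewrite the next hop: one copy per gateway TLOC
                    advertised.extend(replace(route, tloc=t) for t in TLOC_LISTS[seq.set_tloc_list])
                else:
                    advertised.append(route)
            break                       # first matching sequence decides; stop processing
        else:                           # no sequence matched: default-action applies
            if policy.default_action == "accept":
                advertised.append(route)
    return advertised


def advertise_to_site(site_id: int) -> List[VRoute]:
    """Outbound update from vSmart to one site after the policy bound to its site-list."""
    for site_list, policy_name in APPLY_POLICY_OUT.items():
        if site_id in SITE_LISTS[site_list]:
            return apply_control_policy(POLICIES[policy_name], VSMART_ROUTES)
    return list(VSMART_ROUTES)          # site in no list: unmodified advertisement


def next_hops(routes: List[VRoute], prefix: str) -> Set[Tuple[str, str]]:
    return {(r.tloc.system_ip, r.tloc.color) for r in routes if r.prefix == prefix}


if __name__ == "__main__":
    for r in advertise_to_site(20):
        print(f"vpn {r.vpn} {r.prefix:14} via {r.tloc.system_ip:16} {r.tloc.color}")
```

Running it for site 20 reproduces the WAN Edge2 table above: 10.1.1.0/24 arrives with the two gateway public-internet TLOCs, while the gateway prefixes fall through to default-action and keep both of their original TLOCs.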

Back on track
Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup

Problem:
Data Center access must be regionalized with neighboring DCs backing each other up

Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup

(Topology figure) DC-1: WAN Edge100, Site-id: 100, System-IP: 100.100.100.100. DC-2: WAN Edge101, Site-id: 101, System-IP: 101.101.101.101. Branches: WAN Edge1 (Site-id: 10, System-IP: 10.10.10.10), WAN Edge2 (Site-id: 20, System-IP: 20.20.20.20), WAN Edge3 (Site-id: 30, System-IP: 30.30.30.30), WAN Edge4 (Site-id: 40, System-IP: 40.40.40.40).

Solution:
Identify regions by Site-Id and associate Primary and Backup DC locations with the regions
A control policy is used to make the associations and define DC preference
Control Policy Case #2
Network Resource (e.g. Data Center) Preference or Active/Backup
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

(Advertisement figure)
Original advertisement from DC-1 (System-IP: 100.100.100.100): Route: VPN-1: Prefix A, NH: TLOC 100.100.100.100, Color: mpls
Original advertisement from DC-2 (System-IP: 101.101.101.101): Route: VPN-1: Prefix A, NH: TLOC 101.101.101.101, Color: mpls
Modified advertisement from controller towards the west region (System-IP: 10.10.10.10, System-IP: 20.20.20.20): Route: VPN-1: Prefix A, NH: TLOC 100.100.100.100, Color: mpls, Preference: 400; NH: TLOC 101.101.101.101, Color: mpls, Preference: 200
Modified advertisement from controller towards the east region (System-IP: 30.30.30.30, System-IP: 40.40.40.40): Route: VPN-1: Prefix A, NH: TLOC 101.101.101.101, Color: mpls, Preference: 400; NH: TLOC 100.100.100.100, Color: mpls, Preference: 200
Control Policy Case #2 (For Your Reference)
Network Resource (e.g. Data Center) Preference or Active/Backup

1 Define Data Center TLOC-lists
2 Declare Regions
3 Declare Data Centers
policy
 lists
  tloc-list dc-preference-west
   tloc 100.100.100.100 color mpls encap ipsec preference 400
   tloc 101.101.101.101 color mpls encap ipsec preference 200
  !
  tloc-list dc-preference-east
   tloc 100.100.100.100 color mpls encap ipsec preference 200
   tloc 101.101.101.101 color mpls encap ipsec preference 400
  !
  site-list sites-region-west
   site-id 1-20
  !
  site-list sites-region-east
   site-id 21-40
  !
  site-list dc-sites
   site-id 100-101
  !
 !
4 Define the Control Policies
 control-policy adv-dc-preference-west
  sequence 10
   match route
    site-list dc-sites
   !
   action accept
    set
     tloc-list dc-preference-west
    !
   !
  !
  default-action accept
 !
 control-policy adv-dc-preference-east
  sequence 10
   match route
    site-list dc-sites
   !
   action accept
    set
     tloc-list dc-preference-east
    !
   !
  !
  default-action accept
 !
!
5 Apply Policies to the target site-lists
apply-policy
 site-list sites-region-west
  control-policy adv-dc-preference-west out
 !
 site-list sites-region-east
  control-policy adv-dc-preference-east out
 !
!
Control Policy Case #3
Fabric Data Plane or VPN Plane Topologies
• Fabric Plane or Individual VPNs subject to specific topologies / connectivity models
  • Fully meshed fabric data plane
    • Individual VPNs can use any topology
  • Restricted fabric data plane
    • Individual VPNs restricted to connectivity model used by underlying fabric
Control Policy Case #3
Fabric Data Plane or VPN Plane Topologies
• Fabric Plane or Individual VPNs subject to specific topologies / connectivity models

(Figure) Hub Site-Id: 100 with spokes Site-Id: 10, Site-Id: 20 and Site-Id: 30. Towards the spokes the controller can Filter/Reassign TLOCs / Attributes and Filter/Reassign Routes / Attributes.
Control Policy Case #3 (For Your Reference)
Fabric Data Plane and VPN Hub-and-Spoke Topologies

1 Define Hub Site TLOC-list
2 Declare Branches
3 Declare Hubs
policy
 lists
  tloc-list hub_site_tlocs
   tloc 1.1.1.1 color red encap ipsec preference 100
   tloc 2.2.2.2 color red encap ipsec preference 100
   tloc 3.3.3.3 color red encap ipsec
  !
  site-list branch_sites
   site-id 1000-2000
  !
  site-list hub_sites
   site-id 1-100
  !
 !
4 Define the Control Policy
 control-policy restricted_data_plane
  sequence 10
   match tloc
    site-list hub_sites
   !
   action accept                         Advertise Hub TLOCs
  !
  sequence 20
   match route
    site-list branch_sites
   !
   action accept                         Branch Prefixes
    set
     tloc-list hub_site_tlocs
    !
   !
  !
  sequence 30
   match tloc
    site-list branch_sites
   !
   action reject                         Drop Branch TLOCs
  !
  default-action accept
 !
!
5 Apply Policy to the target site-list
apply-policy
 site-list branch_sites
  control-policy restricted_data_plane out
 !
!

Control Policy Case #3 (For Your Reference)
VPN 1 Full Mesh and VPN 2 Hub-and-Spoke Topologies

Loose Hub-and-Spoke – Spokes communicate via hub(s)
policy
 lists
  vpn-list VPN2
   vpn 2
  !
  site-list branch_sites
   site-id 100-200
  !
 !
 control-policy vpn_multi-topology
  sequence 10
   match route
    site-list branch_sites               Branch Prefixes
    vpn-list VPN2
   !
   action accept
    set
     tloc 1.1.1.1 color red              Hub site TLOC
    !
   !
  !
  default-action accept
 !
!

Strict Hub-and-Spoke – No spoke to spoke communication
policy
 lists
  vpn-list VPN2
   vpn 2
  !
  site-list hub_sites
   site-id 1-2
  !
 !
 control-policy vpn_multi-topology
  sequence 10
   match route
    site-list hub_sites                  Advertise Hub Prefixes
    vpn-list VPN2
   !
   action accept
  !
  sequence 20
   match route
   !
   action reject                         Drop Branch Prefixes
  !
  default-action accept
 !
!

Control Policy Case #4
Service Chaining of Centralized Services
Single/Multi-tenant Services

(Topology figure) WAN Edge100 – Site-id: 100, System-IP: 100.100.100.100, VPN 1 and VPN 2, with an attached Application. WAN Edge1 – Site-id: 10, System-IP: 10.10.10.10, VPN 1 and VPN 2. WAN Edge2 – Site-id: 20, System-IP: 20.20.20.20, VPN 1 and VPN 2.

• Problem: Services to be consumed in-path for selected traffic
• Solution: Enable Service-Chaining Across the WAN
Control Policy Case #4
Service Chaining of Centralized Services
Legend: Original Advertisement from Endpoint / Un/Modified Advertisement from Controller

(Advertisement figure)
Original advertisement from WAN Edge1 (System-IP: 10.10.10.10): VPN 1: Prefix A, Label 10, NH: TLOC 10.10.10.10, Color: mpls
Original advertisement from WAN Edge2 (System-IP: 20.20.20.20): VPN 1: Prefix B, Label 20, NH: TLOC 20.20.20.20, Color: mpls
Original advertisement from WAN Edge100 (System-IP: 100.100.100.100): VPN 1: Service FW, Label 1004, NH: TLOC 100.100.100.100, Color: mpls
Modified advertisement from controller towards WAN Edge1: VPN 1: Prefix B, Label 1004, NH: TLOC 100.100.100.100, Color: mpls
Modified advertisement from controller towards WAN Edge2: VPN 1: Prefix A, Label 1004, NH: TLOC 100.100.100.100, Color: mpls
Unmodified advertisement from controller towards WAN Edge100: VPN 1: Prefix A, Label 10, NH: TLOC 10.10.10.10, Color: mpls; VPN 1: Prefix B, Label 20, NH: TLOC 20.20.20.20, Color: mpls
All three sites carry VPN 1 and VPN 2.
Control Policy Case #4 (For Your Reference)
Service Chaining

1 Define Central FW Service
WAN-Edge-100
vpn 1
 service FW address 10.0.13.150
!

2 Declare Exit Point
3 Declare Attached Branches
policy
 lists
  site-list upstream-exit
   site-id 20
  !
  site-list service-chain-branches
   site-id 10
  !
 !
4 Define Upstream Service Chain
 control-policy service-chain-upstream
  sequence 10
   match route
    tloc 20.20.20.20 color red
    vpn 1
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !
5 Define Downstream Service Chain
 control-policy service-chain-downstream
  sequence 10
   match route
    site-list service-chain-branches
   !
   action accept
    set
     service FW
    !
   !
  !
  default-action accept
 !
!
6 Apply Policies to the target site-lists
apply-policy
 site-list upstream-exit
  control-policy service-chain-downstream out
 !
 site-list service-chain-branches
  control-policy service-chain-upstream out
 !
!
BRKRST-2791 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Wait… How does Service Chaining Actually Work?
Service Chaining
Centralized Services – Setting Up a Service

WAN-Edge-100 (System-IP: 1.1.1.1)
vpn 1
 service FW address 10.0.13.150

vSmart# show omp services

ADDRESS                                          PATH
FAMILY   VPN  SERVICE  ORIGINATOR  FROM PEER  ID   LABEL  STATUS
----------------------------------------------------------------------------
ipv4     10   VPN      1.1.1.1     1.1.1.1    65   1003   C,I,R
                                   1.1.1.1    69   1003   C,I,R
         10   FW       1.1.1.1     1.1.1.1    65   1004   C,I,R
                                   1.1.1.1    69   1004   C,I,R

Service advertisements from the controller:
• VPN 10: Service FW, Label 1004, NH: TLOC 1.1.1.1, Color: mpls
• VPN 10: Service FW, Label 1004, NH: TLOC 1.1.1.1, Color: public-internet

[Diagram: service hub System-IP 1.1.1.1 (VPN 1, VPN 2); branches System-IP 10.10.10.10 and 20.20.20.20 (VPN 1, VPN 2)]
SD-WAN Service Chaining
WAN Edge Forwarding Paradigm
Label Determines Lookup Context – VPN/RIB or VPN/Service

[Diagram: packet flow on WAN-Edge-100]
Transport IF, SD-WAN (VPN0): Receive Packet -> Decrypt -> Label Integrity Check -> Label Lookup / Forward
• VPN label: IP Lookup / Forward in the VPN 1 RIB, out of the VPN 1 Service IF
• Service label: Service Lookup, forward to Service: 10.0.13.150 (VPN 1 Service)
Further Service IFs on the same WAN Edge: VPN 2, VPN 3

WAN-Edge-100
vpn 1
 service FW address 10.0.13.150
Service Chaining
Invoking the Service – Per Direction

vSmart policy
policy
 control-policy service-chain-upstream
  sequence 10
   match route
    tloc 20.20.20.20 color mpls
    vpn 1
   !
   action accept
    set
     service FW
    !
   !
  !
 !
 control-policy service-chain-downstream
  sequence 10
   match route
    site-list service-chain-branches
   !
   action accept
    set
     service FW
    !
   !
  !
 !
!

Original advertisements from the endpoints:
• WAN Edge System-IP 10.10.10.10 (VPN 1: 10.1.1.0/24): VPN 1: 10.1.1.0/24, Label 100, NH: TLOC 10.10.10.10, Color: mpls
• WAN Edge System-IP 20.20.20.20 (VPN 1: 20.1.1.0/24): VPN 1: 20.1.1.0/24, Label 200, NH: TLOC 20.20.20.20, Color: mpls

Modified advertisements from the controller (service hub System-IP 1.1.1.1, VPN 1 and VPN 2):
• VPN 10: 10.1.1.0/24, Label 1004, NH: TLOC 1.1.1.1, Color: mpls
• VPN 10: 20.1.1.0/24, Label 1004, NH: TLOC 1.1.1.1, Color: mpls

Control Policy Service Chaining: Service not advertised to WAN Edge – Applied by Routing
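The rewrite on the preceding slides and the label-driven lookup of the forwarding paradigm slide, modelled in Python as an added example (not Cisco code): vSmart replaces the next hop and label of routes matched by `set service FW` with the service TLOC and service label, and the receiving WAN Edge uses the label to choose between a VPN RIB lookup and a service lookup. Addresses, labels and site-ids are the slides' own; the class and function names (`OmpRoute`, `apply_service_chain`, `WanEdge`) are this example's.

```python
"""Model of control-policy service chaining (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class OmpRoute:
    vpn: int
    prefix: str
    label: int
    nh: Tloc
    site_id: int          # site the route was originally learned from


@dataclass(frozen=True)
class OmpService:
    vpn: int
    name: str
    label: int
    tloc: Tloc


def apply_service_chain(routes: Iterable[OmpRoute], services: Iterable[OmpService],
                        match_sites: Set[int], service_name: str) -> List[OmpRoute]:
    """One control-policy sequence: 'match route site-list <match_sites>' and
    'action accept / set service <service_name>'. Matching routes leave vSmart
    with the service TLOC as next hop and the service label; all other routes
    pass through unmodified (default-action accept)."""
    services = list(services)
    out: List[OmpRoute] = []
    for r in routes:
        if r.site_id not in match_sites:
            out.append(r)
            continue
        svc = next((s for s in services
                    if s.name == service_name and s.vpn == r.vpn), None)
        if svc is None:   # nothing to chain to in that VPN
            raise LookupError(f"no service {service_name} in VPN {r.vpn}")
        out.append(replace(r, label=svc.label, nh=svc.tloc))
    return out


class WanEdge:
    """Receiving side: label integrity check, then VPN RIB or service lookup."""

    def __init__(self) -> None:
        self.labels: Dict[int, Tuple] = {}    # label -> lookup context
        self.rib: Dict[int, Dict[ipaddress.IPv4Network, str]] = {}

    def add_vpn(self, vpn: int, label: int) -> None:
        self.labels[label] = ("vpn", vpn)
        self.rib.setdefault(vpn, {})

    def add_service(self, vpn: int, name: str, address: str, label: int) -> None:
        # 'vpn 1 / service FW address 10.0.13.150' on the hub
        self.labels[label] = ("service", vpn, name, address)

    def add_route(self, vpn: int, prefix: str, next_hop: str) -> None:
        self.rib.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = next_hop

    def receive(self, label: int, dst_ip: str) -> Tuple[str, str]:
        ctx = self.labels.get(label)
        if ctx is None:                        # label integrity check failed
            return ("drop", f"unknown label {label}")
        if ctx[0] == "service":                # service lookup / forward
            return ("service", ctx[3])
        dst = ipaddress.ip_address(dst_ip)     # longest-prefix lookup in VPN RIB
        best = None
        for net, nh in self.rib[ctx[1]].items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return ("forward", best[1]) if best else ("drop", "no route")


if __name__ == "__main__":
    hub = Tloc("100.100.100.100", "mpls")
    routes = [OmpRoute(1, "10.1.1.0/24", 10, Tloc("10.10.10.10", "mpls"), 10),
              OmpRoute(1, "20.1.1.0/24", 20, Tloc("20.20.20.20", "mpls"), 20)]
    for r in apply_service_chain(routes, [OmpService(1, "FW", 1004, hub)], {10}, "FW"):
        print(r)
```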
Service Chaining
Invoking the Service – Using a Data Policy

vSmart
policy
 data-policy Central_Security
  vpn-list vpn_all
   sequence 10
    match protocol 6
    !
    action accept
     set
      service FW vpn 1
     !
    !
   !
   default-action accept
  !
 !
!

The Service Attributes are advertised to the WAN Edge: vSmart picked a Service (the service tloc lines below).

vEdge# show policy from-vsmart
from-vsmart data-policy Central_Security
 direction from-service
 vpn-list vpn_all
  sequence 10
   match
    protocol 6
   action accept
    set
     vpn-label 1004
     service FW
     service vpn 1
     service tloc 1.1.1.1
     service tloc color mpls
     service tloc encap ipsec
  default-action accept
from-vsmart lists vpn-list vpn_all
 vpn 1

[Diagram: service hub System-IP 1.1.1.1 (VPN 1, VPN 2); branches System-IP 10.10.10.10 and 20.20.20.20 (VPN 1, VPN 2)]

Data Policy Service Chaining: Service advertised to WAN Edge – Applied to Data Plane
Service Chaining
Additional Options

• Using a Local Service
 • The Service Chaining framework can be used for services that are locally attached as well
 • Examples in the Data Policy section coming up
• Specify the service TLOC and priority using a TLOC list

vSmart policy
policy
 lists
  tloc-list my_firewalls
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 2.2.2.2 color mpls encap ipsec preference 100
   tloc 3.3.3.3 color mpls encap ipsec preference 50
  !
 !
 control-policy service-chain-upstream
  sequence 10
   match route
    tloc 20.20.20.20 color mpls
    vpn 1
   !
   action accept
    set
     service FW tloc-list my_firewalls
    !
   !
  !
 !
!
Back on track

Control Policy Case #5
Extranets
Shared Services / Resources

[Diagram: WAN Edge100 (Site-id: 100, System-IP: 100.100.100.100) hosts the extranet VPN 3 besides VPN 1 and VPN 2; WAN Edge1 (Site-id: 10, System-IP: 10.10.10.10) and WAN Edge2 (Site-id: 20, System-IP: 20.20.20.20) each have VPN 1 and VPN 2]

• Problem: Shared Services to be consumed from an Extranet VPN hosted location
• Solution: Provision Extranet Access from other overlay VPNs
Control Policy Case #5
Extranets

Original advertisements from the endpoints:
• WAN Edge1 (System-IP 10.10.10.10): VPN 1: Prefix A, Label 10, NH: TLOC 10.10.10.10, Color: mpls
• WAN Edge2 (System-IP 20.20.20.20): VPN 1: Prefix B, Label 20, NH: TLOC 20.20.20.20, Color: mpls
• WAN Edge100 (System-IP 100.100.100.100, hosting VPN 3): VPN 3: Prefix C, Label 100, NH: TLOC 100.100.100.100, Color: mpls

Advertisements from the controller:
• To WAN Edge1 and WAN Edge2 (exported into VPN 1): VPN 1: Prefix C, Label 100, NH: TLOC 100.100.100.100, Color: mpls
• To WAN Edge100 (exported into VPN 3): VPN 3: Prefix A, Label 10, NH: TLOC 10.10.10.10, Color: mpls; VPN 3: Prefix B, Label 20, NH: TLOC 20.20.20.20, Color: mpls
Control Policy Case #5 (For Your Reference)
Extranets

vSmart
policy
 lists
  prefix-list natpools
   ip-prefix 192.168.0.0/16 le 32
  !
  ! 1 Declare Consumers
  site-list consumers
   site-id 3002
   site-id 3003
   site-id 3004
  !
 !
 control-policy extranet
  ! 2 Export NAT Pool To Service VPN
  sequence 10
   match route
    prefix-list natpools
    vpn 1
   !
   action accept
    export-to
     vpn 3
    !
   !
  !
  ! 3 Export Service Prefixes to Consumer VPN
  sequence 20
   match route
    vpn 3
   !
   action accept
    export-to
     vpn 1
    !
   !
  !
  default-action accept
 !
!
! 4 Apply Control Policy
apply-policy
 site-list consumers
  control-policy extranet in
 !
!

Optional Service Plane NAT (NAT across sites at VPN Layer)
policy
 data-policy Srvc_Plane_NAT
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.1/32
    !
    action accept
     nat pool 1
    !
   !
   default-action accept
  !
 !
WAN-Edge
vpn 1
 interface natpool1
  ip address 192.168.1.1/32
  no shutdown
 !
Control Policy Case #6
Traffic Engineering / Path Redundancy

[Diagram: four WAN Edges, each with VPN 1 and VPN 2: System-IP 10.10.10.10, 20.20.20.20, 30.30.30.30 and 40.40.40.40]

• Problem: Backup needed for direct overlay paths to manage intermediate path issues
• Solution: Identify and provision select indirect overlay paths for redundancy and capacity
Control Policy Case #6
Traffic Engineering / Path Redundancy

[Diagram: Primary/Direct Path between WAN Edge1 (System-IP 10.10.10.10) and WAN Edge4 (System-IP 40.40.40.40); Backup/Indirect Path via WAN Edge3 (System-IP 30.30.30.30); WAN Edge2 (System-IP 20.20.20.20) also attached; all with VPN 1 and VPN 2]

• Identify indirect paths for targeted sites
• Decide whether to use them as Primary, ECMP or Backup paths
Control Policy Case #6 (For Your Reference)
Traffic Engineering / Path Redundancy

WAN-Edge3
! 1 Enable TE Service for VPN 1
vpn 1
 service te

vSmart
policy
 lists
  vpn-list VPN1
   vpn 1
  !
  ! 2 Declare Site 3 Backup TLOC
  tloc-list backup-tloc
   tloc 30.30.30.30 color mpls encap ipsec
  !
  ! 3 Declare Application Site
  site-list vEdge1
   site-id 10
  !
  ! 4 Declare Protection Site (4)
  site-list vEdge4
   site-id 40
  !
 !
 ! 5 Define Control Policy
 control-policy backup-node
  sequence 10
   match route
    site-list vEdge4
    vpn-list VPN1
   !
   action accept
    set
     tloc-action backup
     tloc-list backup-tloc
    !
   !
  !
  default-action accept
 !
!
! 6 Apply Control Policy
apply-policy
 site-list vEdge1
  control-policy backup-node out
 !
!
Control Policies:
Multi-domain data plane case study

Control Policy Case Study
Requirements

[Diagram: three regions, EMEA, USA and APAC, each with its own Hub/Gateway]

• Support Regional Meshing for optimal connectivity
• Support remote region connectivity through Gateways
• Provide Redundant Gateway Connectivity
Control Policy Case Study
Definitions and Dependencies

• Site-ID assignment allowing for Site identification – 32 bits

  Field     Continent   Country   Site number
  Digits    X           YYY       ZZZZ
  Range     1-7         1-999     1-9999
  Example   Europe: 5   Sweden: 046   Site: 1000

• TLOC Colors illustrating how sites are attached
• System-IP identifying individual nodes
Control Policy Case Study
Site Assignments

USA
• WAN-Edge-US1 Site-ID: 60010001
• WAN-Edge-US2 Site-ID: 60010002
• WAN-Edge-US3 Site-ID: 60010003
• WAN-Edge-US4 Site-ID: 60019001 (Hub/Gateway)
• WAN-Edge-US5 Site-ID: 60019002 (Hub/Gateway)

EMEA
• WAN-Edge-EU1 Site-ID: 50440001
• WAN-Edge-EU2 Site-ID: 50460001
• WAN-Edge-EU3 Site-ID: 50330001
• WAN-Edge-EU4 Site-ID: 50339001 (Hub/Gateway)
• WAN-Edge-EU5 Site-ID: 50339002 (Hub/Gateway)

APAC
• WAN-Edge-AP1 Site-ID: 30810001
• WAN-Edge-AP2 Site-ID: 30610001
• WAN-Edge-AP3 Site-ID: 30660001
• WAN-Edge-AP4 Site-ID: 30669001 (Hub/Gateway)
• WAN-Edge-AP5 Site-ID: 30669002 (Hub/Gateway)
Control Policy Case Study
Reachability Information Distribution Requirements

US sites
• Inbound TLOC Advertisement: US Region – All Colors; US Gateways – All Colors; EMEA Gateways – All Colors; APAC Gateways – All Colors
• Outbound TLOC Advertisement: US Gateways – All Colors
• Inbound vRoute Advertisement: US Region – Original NH; EMEA Region – EU GW NH; APAC Region – APAC GW NH
• Outbound vRoute Advertisement: US Region – US GW NH

EMEA sites
• Inbound TLOC Advertisement: EMEA Region – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors; APAC Gateways – All Colors
• Outbound TLOC Advertisements: EMEA Gateways – All Colors
• Inbound vRoute Advertisement: EMEA Region – Original NH; US Region – US GW NH; APAC Region – APAC GW NH
• Outbound vRoute Advertisement: EMEA Region – EU GW NH

APAC sites
• Inbound TLOC Advertisement: APAC Region – All Colors; APAC Gateways – All Colors; EMEA Gateways – All Colors; US Gateways – All Colors
• Outbound TLOC Advertisement: APAC Gateways – All Colors
• Inbound vRoute Advertisement: APAC Region – Original NH; EMEA Region – EU GW NH; US Region – US GW NH
• Outbound vRoute Advertisement: APAC Region – APAC GW NH
Control Policy Case Study (For Your Reference)
Policy Definition - Lists

policy
 lists
  site-list US_branch_sites
   site-id 60010000-60018999
  !
  site-list US_gateway_sites
   site-id 60019000-60019999
  !
  site-list EMEA_branch_sites
   site-id 50010000-50338999
   site-id 50340000-59999999
  !
  site-list EMEA_gateway_sites
   site-id 50339000-50339999
  !
  site-list APAC_branch_sites
   site-id 30010000-30668999
   site-id 30670000-39999999
  !
  site-list APAC_gateway_sites
   site-id 30669000-30669999
  !
 !
!

policy
 lists
  tloc-list US_gateway_tlocs
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 1.1.1.1 color biz-internet encap ipsec preference 100
   tloc 2.2.2.2 color mpls encap ipsec preference 50
   tloc 2.2.2.2 color biz-internet encap ipsec preference 50
  !
  tloc-list EMEA_gateway_tlocs
   tloc 3.3.3.3 color mpls encap ipsec preference 100
   tloc 3.3.3.3 color biz-internet encap ipsec preference 100
   tloc 4.4.4.4 color mpls encap ipsec preference 50
   tloc 4.4.4.4 color biz-internet encap ipsec preference 50
  !
  tloc-list APAC_gateway_tlocs
   tloc 5.5.5.5 color mpls encap ipsec preference 100
   tloc 5.5.5.5 color biz-internet encap ipsec preference 100
   tloc 6.6.6.6 color mpls encap ipsec preference 50
   tloc 6.6.6.6 color biz-internet encap ipsec preference 50
  !
 !
!
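The Site-ID scheme from the Definitions slide (X YYY ZZZZ) and the site-list ranges above, checked together in Python as an added example (not Cisco code): the helpers `encode_site_id`, `decode_site_id`, `site_lists_matching` and `check_disjoint` are this example's own, and the ranges are copied from the lists. It also shows a consequence of the ranges as written: a US site outside country 001 matches no list at all.

```python
"""Site-ID encoding and site-list membership for the case study
(added example, not Cisco code)."""
from typing import Dict, List, Tuple

# site-list name -> (first, last) site-id ranges, copied from the lists slide
SITE_LISTS: Dict[str, List[Tuple[int, int]]] = {
    "US_branch_sites":    [(60010000, 60018999)],
    "US_gateway_sites":   [(60019000, 60019999)],
    "EMEA_branch_sites":  [(50010000, 50338999), (50340000, 59999999)],
    "EMEA_gateway_sites": [(50339000, 50339999)],
    "APAC_branch_sites":  [(30010000, 30668999), (30670000, 39999999)],
    "APAC_gateway_sites": [(30669000, 30669999)],
}


def encode_site_id(continent: int, country: int, site: int) -> int:
    """X YYY ZZZZ -> decimal Site-ID, e.g. Europe 5, Sweden 046, site 1000."""
    if not (1 <= continent <= 7 and 1 <= country <= 999 and 1 <= site <= 9999):
        raise ValueError("continent 1-7, country 1-999, site 1-9999")
    return continent * 10_000_000 + country * 10_000 + site


def decode_site_id(site_id: int) -> Tuple[int, int, int]:
    """Inverse of encode_site_id(): (continent, country, site number)."""
    continent, rest = divmod(site_id, 10_000_000)
    country, site = divmod(rest, 10_000)
    return continent, country, site


def site_lists_matching(site_id: int) -> List[str]:
    """Names of every site-list whose ranges contain site_id. A site that
    matches no list is never touched by sequences keyed on these lists."""
    return [name for name, ranges in SITE_LISTS.items()
            if any(lo <= site_id <= hi for lo, hi in ranges)]


def check_disjoint() -> bool:
    """Overlapping site-lists would let one site hit both a branch and a
    gateway sequence; verify the ranges above never overlap."""
    spans = sorted((lo, hi, name)
                   for name, ranges in SITE_LISTS.items() for lo, hi in ranges)
    return all(a[1] < b[0] for a, b in zip(spans, spans[1:]))


if __name__ == "__main__":
    for sid in (50461000, 60019001, 50460001, encode_site_id(6, 2, 1)):
        print(sid, decode_site_id(sid), site_lists_matching(sid))
    print("lists disjoint:", check_disjoint())
```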
Control Policy Case Study (For Your Reference)
Policy Definition Cont’d – Control Policy – Applied to US Sites

policy
 control-policy us_domain
  sequence 10
   match tloc
    site-list US_branch_sites
   !
   action accept
   !
  !
  sequence 20
   match tloc
    site-list US_gateway_sites
   SNIP … (action accept)
  sequence 30
   match tloc
    site-list EMEA_gateway_sites
   SNIP … (action accept)
  sequence 40
   match tloc
    site-list APAC_gateway_sites
   !
   SNIP … (action accept)
  sequence 50
   match route
    site-list US_branch_sites
   !
   action accept
   !
  sequence 60
   match route
    site-list US_gateway_sites
   SNIP … (action accept)
  sequence 70
   match route
    site-list EMEA_branch_sites
   !
   action accept
    set
     tloc-list EMEA_gateway_tlocs
    !
   !
  !
  sequence 80
   match route
    site-list EMEA_gateway_sites
   SNIP … (action accept)
Control Policy Case Study (For Your Reference)
Policy Definition Cont’d – Control Policy - Applied to US Sites

  sequence 90
   match route
    site-list APAC_branch_sites
   !
   action accept
    set
     tloc-list APAC_gateway_tlocs
    !
   !
  !
  sequence 100
   match route
    site-list APAC_gateway_sites
   !
   action accept
   !
  !
  default-action accept
 !
!
apply-policy
 site-list US_branch_sites
  control-policy us_domain out
 !
 site-list US_gateway_sites
  control-policy us_domain out
 !
!

• Policy Logic
 • Sequence 10: Advertise US Branch TLOCs
 • Sequence 20: Advertise US GW TLOCs
 • Sequence 30: Advertise EMEA GW TLOCs
 • Sequence 40: Advertise APAC GW TLOCs
 • Sequence 50: Advertise US Branch routes
 • Sequence 60: Advertise US GW routes
 • Sequence 70: Advertise EMEA Branch routes w/ NH of EMEA GW
 • Sequence 80: Advertise EMEA GW routes
 • Sequence 90: Advertise APAC Branch routes w/ NH of APAC GW
 • Sequence 100: Advertise APAC GW Routes
Policy Framework:
Data Policies

Cisco SD-WAN Policy Architecture
Suite of Policies to address different functional domains

[Diagram: vSmart applies the Control Policy (Routing and Services) towards the WAN; the WAN Edges (VPN 1, VPN 2) run the Data Policy (Extensive Policy-based Routing and Services) and the App-Route Policy (App-Aware SLA-based Routing)]

• Control Policies are applied at vSmart: Tailors routing information advertised to WAN endpoints
• App-Route Policies are applied at WAN Edge: SLA-driven path selection for applications
• Data Policies are applied at WAN Edge: Extensive Policy driven routing
Data Policies
Policy-driven Routing and Service Enablement

• Data policies:
• Applied on vSmart
• Advertised to and executed on WAN Edge

• A Data policy acts on an entire VPN and is not interface-specific


• Different Data Policies can be applied to different VPNs
• Data Policies are used to enable the following functions and services:
• Application Pinning
• NAT/DIA
• Classification, Policing and Marking
• and more …

• Use a Data Policy for any type of data plane centered traffic management

Data Policies
Policy Structure

data-policy <name>
 vpn-list <name>
  sequence <n>
   match
    app-list <name>
    destination-data-ipv6-prefix-list <name>
    destination-data-prefix-list <name>
    destination-ip <ip-address>
    destination-ipv6 <ipv6-address>
    destination-port <port>
    dns request | response
    dns app-list <name>
    dscp <dscp>
    packet-length <length>
    plp <plp>
    protocol <protocol>
    source-data-ipv6-prefix-list <name>
    source-data-ip-prefix-list <name>
    source-ip <ip-address>
    source-ipv6 <ipv6-address>
    source-port <port>
    tcp-syn
   !
   action accept | drop
    set
     dscp <dscp>
     forwarding-class <name>
     local-tloc <tloc>
     local-tloc-list <list>
     next-hop <ip-address>
     next-hop-ipv6 <ipv6-address>
     policer <name>
     service <name>
     tloc <tloc>
     tloc-list <name>
     vpn <vpn-id>
    !
    cflowd
    count <counter>
    log
    loss-protect-fec-always
    loss-protect-fec-adaptive
    loss-protect-packet-dup
    nat-pool <nat-pool>
    nat use-vpn <vpn-id>
    redirect dns
    tcp-optimization
   !
  !
  default-action accept
 !
!
Data Policy Application
Direction of Processing

• A Data Policy can be applied in three modes:
 • From-service (Upstream)
 • From-tunnel (Downstream)
 • All (Up and Downstream)
• Different Data-policies can be applied to the same site if they apply to different directions

[Diagram: From-Service – Upstream traffic (service side VPN 1/VPN 2 towards the WAN) matched by Data-policy; From-Tunnel – Downstream traffic (WAN towards VPN 1/VPN 2) matched by Data-policy]

apply-policy site-list <name>
 data-policy <name> all | from-service | from-tunnel
Data Policy Case #1
Forwarding Plane Features

[Diagram: Data Policy on the WAN Edge (VPN 1, VPN 2) performing NAT Local Breakout towards the Internet and Service Plane NAT across the WAN into VPN 2]

• NAT – Local Breakout
• NAT – Service Plane
• cFlowd
• Match statement counters
• Match statement logging
Data Policy Case #1
Forwarding Plane Features – NAT for DIA and Service VPN

Local Breakout – NAT for DIA/Split tunneling
• Packet from the host in VPN 1: IPv4, SRC: 10.0.0.1, DST: www.cisco.com
• Packet after NAT on the local breakout towards the Internet: IPv4, SRC: 99.88.77.66, DST: www.cisco.com

Service Plane NAT – NAT across sites in a single VPN
• Packet entering VPN 2 at the source site: IPv4, SRC: 10.0.0.1, DST: xyz.corp.com
• Packet after Service Plane NAT, arriving in VPN 2 across the WAN: IPv4, SRC: 192.168.1.1, DST: int.corp.com
Data Policy Case #1 (For Your Reference)
Forwarding Plane Feature Enablement – Policy Structure

Service Plane NAT – NAT across sites in a single VPN
policy
 data-policy Srvc_Plane_NAT
  vpn-list VPN2
   sequence 10
    match source-ip 10.0.0.1/32
    !
    action accept
     nat pool 1
    !
   !
   default-action accept
  !
WAN-Edge
vpn 2
 interface natpool1
  ip address 192.168.1.1/32
  no shutdown
 !

Local Breakout – NAT for DIA/Split tunneling
policy
 data-policy DIA_NAT
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.1/32
    !
    action accept
     nat use-vpn 0
    !
   !
   default-action accept
  !
WAN-Edge
vpn 0
 interface ge0/0
  ip address 99.88.77.66/32
  no shutdown
  nat
 !
Data Policy Case #1 (For Your Reference)
Forwarding Plane Feature Enablement – Policy Structure

Local Breakout – cFlowd and Counting
policy
 data-policy DIA_NAT
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.1/32
    !
    action accept
     cflowd
     count local-breakout-traffic
     nat use-vpn 0
    !
   !
   default-action accept
  !

• Counters visible using GUI/Realtime or via CLI: show policy data-policy-filter
• Use cflowd template for export-destination configuration

Local Breakout – Logging breakout traffic
policy
 data-policy DIA_NAT
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.1/32
    !
    action accept
     log
     nat use-vpn 0
    !
   !
   default-action accept
  !

WAN Edge
system
 logging
  server syslog.company.com
   vpn 1
   source-interface loopback1
  exit

WAN Edge
policy
 log-frequency <number>*

* Default is every 1000 packets
Data Policy Case #2
Service Chaining – Local and Remote Services

[Diagram: Site-1 WAN Edge (VPN 1, VPN 2) with a Local Service: tunnels over the Internet to a 3rd Party Cloud Security service (POP1, POP2); Site-2 WAN Edge (VPN 1, VPN 2) reached across the SD-WAN Fabric provides a Remote Service advertised via OMP]
Data Policy Case #2 (For Your Reference)
Service Chaining – Local Services – Policy Structure

vSmart
policy
 data-policy Cloud_Security
  vpn-list vpn_all
   sequence 10
    ! 2 Match Traffic
    match protocol 6
    match destination-port 80 443
    !
    action accept
     set
      ! 3 Apply Local Service
      service FW local
     !
    !
   !
   default-action accept
  !
 !
!

WAN Edge
! 1 Define Local Service FW
vpn 1
 service FW interface gre1 gre2
vpn 0
 interface ge0/0
  ip address 99.88.77.66/32
  no shutdown
  nat
 !
 ! Primary Tunnel
 interface gre1
  ip address 12.13.14.15/24
  tunnel-source-interface ge0/0
  tunnel-destination 123.123.123.123
  no shutdown
 !
 ! Backup Tunnel
 interface gre2
  ip address 16.17.18.19/24
  tunnel-source-interface ge0/0
  tunnel-destination 124.124.124.124
  no shutdown
 !

• Data Policy redirection to locally configured service
• Service represented by local GRE or IPsec tunnel pre-configured on each WAN Edge
Data Policy Case #2 (For Your Reference)
Service Chaining – Remote Services – Policy Structure

vSmart
policy
 data-policy Central_Security
  vpn-list vpn_all
   sequence 10
    ! 2 Match Traffic
    match protocol 6
    match destination-port 80 443
    !
    action accept
     set
      ! 3 Apply OMP FW Service
      service FW vpn 1
     !
    !
   !
   default-action accept
  !
 !
!

WAN Edge – Site1
! 1 Define Service FW for OMP Announcement
vpn 1
 service FW address 12.13.14.100
 !
 interface ge0/0
  ip address 12.13.14.15/24
  no shutdown
 !

• Data Policy redirection to remotely configured service
• Service represented by OMP advertised service identifier
• Service association can be specified via TLOC or TLOC-list (with priorities) if needed
Data Policy Case #3
Application Pinning

• Local TLOC Selection: Loose preference, falls back to routing upon failure
• Remote TLOC Selection: Strict preference, traffic dropped upon failure

[Diagram: WAN Edge (VPN 1, VPN 2) with local colors mpls and red, and remote paths over mpls, public-internet and lte; App1 is pinned to Path1 (mpls), Path2 (public-internet) and Path3 (public-internet); App2 to Path1 (mpls) and Path2 (public-internet); App3 to Path1 (public-internet) and Path2 (lte)]
Data Policy Case #3
Application Pinning – Policy Structure

Local TLOC – Prefer Local Underlay Path
vSmart
policy
 data-policy local-tloc-preference
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     local-tloc red blue

(Remote) TLOC – Prefer a remote Node/TLOC
vSmart
policy
 data-policy local-tloc-preference
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     set
      tloc 1.1.1.1 color biz-internet

Or

    action accept
     set
      tloc-list remote-node

policy
 lists
  tloc-list remote-node
   tloc 1.1.1.1 color mpls encap ipsec preference 100
   tloc 1.1.1.1 color biz-internet encap ipsec preference 50

• local-tloc – Loose match that will fall back to routing if all local TLOCs in the list are down
• tloc/tloc-list refer to specific remote TLOCs and will not fall back to routing
Policy Framework:
Internet Breakout / DIA Case Study

Internet Breakout / DIA
Routing and/or Policy-driven Capabilities

• The Cisco SD-WAN Architecture provides a lot of flexibility in enabling DIA
• Breakouts can be presented via:
 • Routing
 • Policy
 • In combination, with Preference and Backup options
 • Cloud-based Security as a Local Service using a Policy
• NAT is a required feature when providing a local breakout
• Service-side breakouts can be provided in case NAT is not needed or special care is needed for public addressing
• Can be deployed in combination with Service Chaining for monitoring/security/processing requirements
Internet Breakout Leverage
Most appropriate points for breakout chosen by site

• Enterprises can gradually progress from centralized to distributed breakouts
• Routing plane enables primary/backup as needed
• Policies further enhance selection and breakout granularity
• Align well with deployment of Cloud-based Security solutions

[Diagram: Global Breakout at the HQ / DC/HQ, Regional Hubs and Branches, each with its own Internet exit]
SD-WAN Internet Breakout Options
Local Breakout using a Default Route

• Static route in Service VPN
 • Can be default or more granular
• Redirects traffic to interfaces in VPN 0:
 • Interfaces must have NAT enabled
 • Multiple interfaces enables per-flow load-sharing
 • Relies on VPN 0 routing table
• Can be complemented with a Tracker to monitor Internet availability beyond first hop gateway

Branch WAN Edge
vpn 0
 interface ge0/0
  nat
  tracker my_tracker
 !
vpn 1
 ip route 0.0.0.0/0 vpn 0

system
 tracker my_tracker
  endpoint-ip 1.2.3.4
  interval 5
  multiplier 3
  threshold 500
SD-WAN Internet Breakout Options
Local Breakout using Data Policy

• Policy now redirects instead of static route
 • In case local exit fails, lookup can fall back to local service VPN routing table
• Redirects traffic to interfaces in VPN 0:
 • Interfaces must have NAT enabled
 • Multiple interfaces enables per-flow load-sharing
 • Relies on VPN 0 routing table
• Can be complemented with a Tracker to monitor Internet availability beyond first hop gateway (ref: previous slide)
• Local TLOC to be used can be specified

[Diagram: Branch WAN Edge with Color red and Color blue exits to the Internet]

WAN Edge
vpn 0
 interface ge0/0
  nat

vSmart
policy
 data-policy internet-breakout
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     nat use-vpn 0
     local-tloc public-internet
SD-WAN Internet Breakout Options
Joint Local and Regional Breakout using Data Policy + Routing

vSmart
policy
 data-policy internet-breakout
  vpn-list VPN1
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     nat use-vpn 0
     local-tloc red blue

Original advertisement from the Regional Hub: VPN 1: 0.0.0.0/0, NH: TLOC Regional Hub, Color: blue
Advertisement from the controller to the Branch (together with data-policy internet-breakout): VPN 1: 0.0.0.0/0, NH: TLOC Regional Hub, Color: blue

WAN-Edge-Regional Hub
vpn 1
 ip route 0.0.0.0/0 null0
 ! or default from OSPF/BGP

WAN-Edge-Branch# show ip route
VPN 1
0.0.0.0/0 via TLOC Regional Hub

[Diagram: Branch WAN Edge with Color red and Color blue local exits to the Internet, and the SD-WAN Fabric towards the Regional Hub]

• Data Policy allows for granular breakout policy matching L3/L4/L7 information
• Data Policy takes precedence
• Default route from Regional Hub acts as backup in case TLOC Red & Blue are both down
SD-WAN Internet Breakout Options
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

[Diagram: Branch with a local exit to the Internet via a 3rd Party Cloud Security service (POP1, POP2); Regional Hub A and Regional Hub B reached across the SD-WAN Fabric, each with its own Internet exit]
SD-WAN Internet Breakout Options (For Your Reference)
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

vSmart
policy
 data-policy Cloud_Security
  vpn-list vpn_all
   ! Exclude Internal Prefixes from Internet Breakout
   sequence 10
    match
     destination-data-prefix-list internal-prefixes
    !
    action accept
    !
   !
   ! Any other traffic sent to Internet Breakout
   sequence 20
    match
    !
    action accept
     count count_fw
     set
      ! [restrict]: Drop Traffic if Service Down
      service FW local [restrict]
     !
    !
   !
   default-action accept
  !
 !
 lists
  data-prefix-list internal-prefixes
   ip-prefix 10.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  !
 !
!

WAN-Edge-Branch
vpn 1
 service FW interface gre1
vpn 0
 interface gre1
  ip address 12.13.14.15/24
  tunnel-source-interface ge0/0
  tunnel-destination 123.123.123.123
  no shutdown
 !

WAN-Edge-Regional Hub A
vpn 1
 service FW interface gre1
 ! ip route 0.0.0.0/0 null0 or
 ! default from OSPF/BGP

WAN-Edge-Regional Hub B
vpn 1
 ! ip route 0.0.0.0/0 null0 or
 ! default from OSPF/BGP
SD-WAN Internet Breakout Options (For Your Reference)
Joint Local and Regional Breakout using Data Policy and Cloud Security + Routing Preference

vSmart Control Policy
policy
 lists
  prefix-list default_route
   ip-prefix 0.0.0.0/0
  !
 !
 control-policy default_priority
  sequence 10
   match route
    prefix-list default_route
    site-id Regional Hub A
   !
   action accept
    set
     ! Default from Hub A gets higher preference
     preference 100
    !
   !
  !
  default-action accept
 !
!

WAN Edge Static TLOC preference
WAN-Edge-Regional Hub A
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec preference 100
  !
 !
vpn 1
 ! ip route 0.0.0.0/0 null0 or
 ! default from OSPF/BGP

WAN-Edge-Regional Hub B
vpn 0
 interface ge0/0
  tunnel-interface
  !
 !
vpn 1
 ! ip route 0.0.0.0/0 null0 or
 ! default from OSPF/BGP
SD-WAN Internet Breakout Options
Application Specific Breakout

• The Data Policy construct can also be used to locally breakout specific applications with
defined DPI signatures (e.g. O365, FaceBook, Youtube)
• Example:
• Office365 to be locally broken out
• All other Internet traffic via regional exit
• Arrangements required for supporting O365
• Cloud On-Ramp SaaS recommended for breaking out locally
• Default route from regional exit for two purposes:
o Breakout for all non O365 traffic
o O365 session establishment involves quite a few protocols beyond the core O365 protocols – A default route
from somewhere is required to deal with those applications and allow for successful O365 operations

• SD-AVC support required to provide Application Recognition from the first packet

Quality of Service
WAN Edge Router Device QoS Overview

[Diagram: WAN Edge Router; vManage pushes the Data Policy; traffic flows Ingress Interface -> Forwarding Classes (FC) -> Egress Queues (Q) -> Egress Interface]

Ingress Interface – Data Policy Capabilities:
• Classification of application traffic into QoS forwarding classes (queues)
• Rewrite inner DSCP
• Policing
• Map into FCs

Egress Interface – QoS:
• Forwarding Classes mapped to Egress Queues
• Scheduler: Bandwidth %, Buffer %, Scheduling Priority, Drop
• Shaping
• Rewrite outer DSCP
Data Policy for QoS (For Your Reference)
Quality of Service – Policy Structure

policy
 data-policy enterprise_traffic
  vpn-list VPN1
   sequence 10
    match app-list audio-video
    !
    action accept
     set
      dscp 46
      forwarding-class EF-class
     !
    !
   !
  !
 data-policy DIA
  vpn-list VPN10
   sequence 10
    match source-ip 10.0.0.0/8
    !
    action accept
     set
      policer police_DIA
     !
    !
   !
   default-action accept
  !
 !

Policer configured as part of Policy:
policy
 policer police_DIA
  rate 10000000
  burst 1000000
  exceed drop
 !

• App-list consists of DPI signature references
• Forwarding-class referring to configured QoS-class (Ref: qos-group in Cisco IOS)
Policy Framework:
App-Route Policies
App-Route Policies
Centralized Policy for enabling SLA-driven routing on WAN Edge endpoints

• App-route policies:
• Applied on vSmart
• Advertised to and executed on vEdge

• Monitors SLAs for active overlay paths to direct Applications along qualified paths

• Allows for the use of L3/L4 keys or DPI Signatures for application identification

• Delivers a fully distributed SLA-driven routing mechanism

App-Aware Routing Policies
SLA-Driven Routing / Performance Routing

[Diagram: WAN Edge (VPN 1, VPN 2) with TLOC colors mpls (MPLS), public-internet (Broadband) and lte (4G/LTE); DPI identifies the application, the POLICY selects the path and the SLA is measured per path]
App-Route Policies
App-route Components and Dependencies / Configuration

BFD Settings
BFD rx_interval and multiplier settings (only rx_interval is relevant to AAR)
bfd
 color <color>
  hello-interval <msec>
  multiplier <number>

App-route algorithm configuration
Define how SLA data is used to influence path selection
bfd
 app-route
  multiplier <number>
  poll-interval <msec>

App-route Policy Definition
Define SLA-classes, Application associations, VPN applicability and Policy actions/preferences
Policy construct: sla-classes, match, action

DPI Engine Enablement
AAR relies on DPI for L7 signatures
policy
 app-visibility

*https://docs.viptela.com/Product_Documentation/Software_Features/Release_18.2/07Policy_Applications/01Application-Aware_Routing/01Configuring_Application-Aware_Routing
App-Route Policies
App-route Algorithm

Mean = Avg (B1 + B2 + B3 + B4 + B5 + B6)
Mean recalculated every Bucket completion cycle

Each bucket (Bucket 1 ... Bucket 6) holds the Loss, Latency and Jitter measured over its BFD hellos

Bucket Size: bfd app-route poll-interval (default 600,000 ms)
Bucket Update Frequency: bfd hello-interval (default 1000 ms)
# of Buckets: bfd app-route multiplier (default 6)
App-Route Policies
Path Blackout / Brownout Management

Path quality spectrum (loss) and the mechanism that handles each region:
• 100% loss (blackout): BFD, 7s default path down timeout
• 10-20% consistent loss: FEC loss recovery
• 2-3% loss (brownout): Application-Aware Routing. AAR algorithm tuning: bucket size + bucket count. AAR convergence dependency
• 0% loss: no action needed

• Three Components in Complementary Working Order – BFD + FEC + AAR
• Consider Downsides of Traffic Sloshing vs Instant Convergence away from Brownout
App-Route Policies
App Route Algorithm Configuration

• Bucket Size in Packets = app-route poll-interval / hello-interval
• Consider bucket size (packets) impact on recalculation of Mean:

Bucket Size (pkts)           600    400    200    100    80     60     40     20     10
% weight of one lost packet  0.17   0.25   0.50   1      1.25   1.67   2.5    5      10

Default = 600 packets (600,000 ms / 1000 ms). Loss granularity is finest (+) at the left of the table and coarsest (-) at the right; the slide marks a "sweet spot" toward the middle of the range.

Bucket Size: bfd app-route poll-interval (default 600,000 ms)
Bucket Update Frequency: bfd hello-interval (default 1000 ms)

• Mean Loss / Latency / Jitter calculated across app-route-multiplier buckets
# of Buckets: bfd app-route multiplier (default 6)
Weight of a new bucket relative to the multiplier: 1/6, 1/4, 1/3 etc. (multiplier 6, 4, 3)
App-Route Policies
App-route Policy Definition

SLA Classes: Loss, Latency, Jitter per Class
policy
 sla-class <name>
  jitter <msec>
  latency <msec>
  loss <percentage>

App-list: Use L3/L4 or DPI Signatures
policy
 lists
  app-list <name>
   app <name> | app-family <family>

App-route Policy: VPN applicability and Policy actions/preferences
App-route Logging: Enable logging of packet headers
policy
 app-route-policy <name>
  vpn-list <vpn-list>
   default-action sla-class <name>                           (1)
   sequence <number>
    match
     ...
    action
     backup-sla-preferred-color [list]                        (2)
     count <name>
     log
     sla-class <name> [strict] [preferred-color [list]]      (3) (4)

(1) For traffic not explicitly matched in policy
(2) For traffic with an SLA-class disqualified across all links
(3) strict: Drop traffic if SLA-class is disqualified
(4) preferred-color: One or more preferred colors if multiple links qualify
App-Route Policies (For Your Reference)
Policy Example

policy
 sla-class EF
  loss 1
  latency 100
 !
 sla-class Biz-apps
  loss 2
  latency 150
 !
 lists
  vpn-list VPN1
   vpn 1
  !
  site-list app-route-sites
   site-id 3003
  !
  app-list AVV
   app-family audio_video
  !
  app-list SFDC
   app salesforce
  !
 !
 app-route-policy SLA-Routing
  vpn-list VPN1
   sequence 10
    match
     app-list AVV
    !
    action
     sla-class EF
    !
   !
   sequence 20
    match
     app-list SFDC
    !
    action
     sla-class Biz-apps
    !
   !
  !
 !
!
apply-policy
 site-list app-route-sites
  app-route-policy SLA-Routing
 !
!

(1) Declare app-lists for policy match
(2) Define SLA classes and thresholds
(3) Map app-lists to SLA classes and other actions
App-route Policy Path Convergence

[Chart: mean latency (ms) per bucket, Bucket 1 to Bucket 6, plotted against the SLA-class latency threshold of 100 ms, with actual latency at 150 ms; y-axis 0 to 160 ms]

Current Mean Latency is 20ms, when Latency jumps to 150ms as Bucket 1 collection starts. The mean only crosses the 100 ms threshold once enough buckets of the new measurement have replaced the old ones, so the SLA verdict changes after several poll-intervals (bucket size), not after a few hello-intervals.
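To make the bucket arithmetic concrete, the following Python model (an added example; it is not part of the session deck and not Cisco code) reproduces what the algorithm slides state: bucket size = poll-interval / hello-interval, the loss weight of a single lost BFD packet, a sliding mean over `multiplier` completed buckets, and the number of buckets that must complete before a step change in latency pushes the mean over an SLA threshold. It assumes the engine averages the last `multiplier` buckets with equal weight, exactly as drawn on the slide; details the slide does not show (for example how a partially filled bucket is treated) are not modelled.

```python
from dataclasses import dataclass
from statistics import fmean
from typing import Dict, List, Optional

# Model of the app-route SLA measurement described on the slides (added example,
# not Cisco code). Defaults mirror the slide: hello-interval 1000 ms,
# app-route poll-interval 600,000 ms, app-route multiplier 6.


@dataclass(frozen=True)
class AarSettings:
    hello_interval_ms: int = 1000      # bfd color <color> hello-interval
    poll_interval_ms: int = 600_000    # bfd app-route poll-interval
    multiplier: int = 6                # bfd app-route multiplier (# of buckets)

    @property
    def bucket_size_pkts(self) -> int:
        # Bucket Size in Packets = app-route poll-interval / hello-interval
        return self.poll_interval_ms // self.hello_interval_ms

    @property
    def loss_weight_pct(self) -> float:
        # Percentage of loss that a single lost BFD packet adds to one bucket
        return 100.0 / self.bucket_size_pkts

    @property
    def bucket_weight(self) -> float:
        # Weight of the newest bucket in the mean: 1/6, 1/4, 1/3 ...
        return 1.0 / self.multiplier

    def bucket_loss_pct(self, lost_pkts: int) -> float:
        # Loss recorded for a bucket in which lost_pkts BFD hellos were missed
        return lost_pkts * self.loss_weight_pct


def rolling_means(buckets: List[Dict[str, float]], settings: AarSettings) -> List[Dict[str, float]]:
    """Mean loss/latency/jitter the AAR engine holds after each bucket completes.

    buckets: per-bucket measurements in completion order, e.g. {"loss": 0, "latency": 20, "jitter": 2}.
    The mean is recalculated at every bucket completion over the last `multiplier` buckets.
    """
    window: List[Dict[str, float]] = []
    means: List[Dict[str, float]] = []
    for b in buckets:
        window.append(b)
        if len(window) > settings.multiplier:
            window.pop(0)
        means.append({k: fmean([w[k] for w in window]) for k in ("loss", "latency", "jitter")})
    return means


def buckets_to_breach(settings: AarSettings, old_latency: float, new_latency: float,
                      threshold: float) -> Optional[int]:
    """Completed buckets needed before the mean latency exceeds `threshold`.

    Starts from a window full of old_latency (steady state) and replaces one bucket per
    poll-interval with new_latency. Returns None if the threshold is never exceeded.
    """
    window = [old_latency] * settings.multiplier
    for n in range(1, settings.multiplier + 1):
        window = window[1:] + [new_latency]
        if fmean(window) > threshold:
            return n
    return None


def convergence_minutes(settings: AarSettings, old_latency: float, new_latency: float,
                        threshold: float) -> Optional[float]:
    """Wall-clock time until the SLA verdict flips, ignoring where in a poll-interval the change hit."""
    n = buckets_to_breach(settings, old_latency, new_latency, threshold)
    return None if n is None else n * settings.poll_interval_ms / 60_000


if __name__ == "__main__":
    default = AarSettings()
    print(f"default bucket: {default.bucket_size_pkts} pkts, one loss = {default.loss_weight_pct:.2f}%")
    # Scenario from the convergence slide: mean 20 ms, path jumps to 150 ms, SLA threshold 100 ms
    print("default: buckets until breach", buckets_to_breach(default, 20, 150, 100),
          "-> minutes", convergence_minutes(default, 20, 150, 100))
    tuned = AarSettings(poll_interval_ms=120_000, multiplier=5)   # assumed tuning values
    print("tuned:   buckets until breach", buckets_to_breach(tuned, 20, 150, 100),
          "-> minutes", convergence_minutes(tuned, 20, 150, 100))
```

With the defaults the 20 ms to 150 ms step needs four completed buckets (mean 41.7, 63.3, 85, then 106.7 ms), i.e. 40 minutes before the path is disqualified against a 100 ms class; a 2-minute poll-interval with five buckets still needs four buckets but converges in 8 minutes, at the cost of a coarser per-packet loss weight, which is the trade-off the bucket-size table above illustrates.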
AAR Policy Use Case
Application Pinning with SLA

[Figure: WAN Edge with VPN 1 / VPN 2 and four transports. mpls carries App1 / Path1 and App2 / Path1; public-internet carries App1 / Path2 and App3 / Path1; red carries App2 / Path2 and App1 / Path3; lte carries App3 / Path2]

• App1: SLA-class Business. MPLS / Public-Internet: Primary, load-share. Red: Backup. Fall back to routing
• App2: SLA-class EF. MPLS: Primary. Red: Primary. Drop on path unavailability
• App3: SLA-class POS. Public-Internet: Primary. LTE: Backup
• Other Apps: SLA-class Default
App-Route Policies (For Your Reference)
Application Pinning with SLA

policy
 lists
  vpn-list VPN1
   vpn 1
  !
  site-list app-route-sites
   site-id 3003
  !
  app-list App1
   app-family <name>
  !
  app-list App2
   app <name>
  !
  app-list App3
   app <name>
  !
 !
 sla-class EF
  loss 1
  latency 100
 !
 sla-class Business
  loss 2
  latency 150
 !
 sla-class POS
  loss 1
  latency 200
 !
 sla-class Default
  loss 5
  latency 300
 !
 app-route-policy SLA-Routing
  vpn-list VPN1
   sequence 10
    match
     app-list App1
    !
    action
     backup-sla-preferred-color red
     sla-class Business preferred-color mpls public-internet
    !
   !
   sequence 20
    match
     app-list App2
    !
    action
     sla-class EF strict preferred-color mpls red
    !
   !
   sequence 30
    match
     app-list App3
    !
    action
     backup-sla-preferred-color lte
     sla-class POS preferred-color public-internet
    !
   !
   sequence 40
    match
    !
    action
     sla-class Default
    !
   !
  !
 !
!
apply-policy
 site-list app-route-sites
  app-route-policy SLA-Routing
 !
!

• Sequence 10: Primary mpls + public-internet; Backup red
• Sequence 20: Primary mpls + red; Backup none, drop (strict)
• Sequence 30: Primary public-internet; Backup lte
• Sequence 40: Primary any link meeting the SLA; Backup any other link
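The four sequences above encode the decision rules listed on the use-case slide. The following Python model (an added example, not from the deck and not Cisco code) implements those rules so the outcome for each application can be checked against constructed path measurements: a path qualifies for an SLA class when its loss, latency and jitter are all within the class thresholds (assumed to be inclusive upper bounds); traffic goes to the qualifying preferred colors, otherwise to any qualifying color; when nothing qualifies, strict drops, backup-sla-preferred-color wins if that path is up, and otherwise the flow falls back to routing over whatever is up. App names stand in for the app-list contents, and the HEALTHY / BROWNOUT / BLACKOUT measurements are made up.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Model of app-route-policy path selection for the SLA-Routing example above
# (added example, not Cisco code). Thresholds are treated as inclusive upper bounds.


@dataclass(frozen=True)
class SlaClass:
    loss: float                   # max packet loss, percent
    latency: float                # max latency, ms
    jitter: float = float("inf")  # max jitter, ms (not set on the slide, so unbounded)


@dataclass(frozen=True)
class PathStats:
    loss: float
    latency: float
    jitter: float = 0.0
    up: bool = True               # BFD session state; a down path is never used


@dataclass(frozen=True)
class Sequence:
    apps: FrozenSet[str]              # app-list members; empty = match-all (sequence 40 above)
    sla: str                          # sla-class <name>
    preferred: Tuple[str, ...] = ()   # preferred-color list
    strict: bool = False              # sla-class ... strict
    backup: Tuple[str, ...] = ()      # backup-sla-preferred-color list


def meets_sla(stats: PathStats, sla: SlaClass) -> bool:
    return (stats.up and stats.loss <= sla.loss
            and stats.latency <= sla.latency and stats.jitter <= sla.jitter)


def select_paths(seq: Sequence, sla_classes: Dict[str, SlaClass],
                 paths: Dict[str, PathStats]) -> Tuple[str, Set[str]]:
    """Return (decision, colors); decision is one of sla, backup, routing, drop.

    More than one color means ECMP across them.
    """
    sla = sla_classes[seq.sla]
    qualified = {c for c, s in paths.items() if meets_sla(s, sla)}
    preferred_ok = qualified & set(seq.preferred)
    if preferred_ok:                 # preferred colors that meet the SLA
        return "sla", preferred_ok
    if qualified:                    # preferred failed: any other color meeting the SLA
        return "sla", qualified
    if seq.strict:                   # nothing meets the SLA and strict is set: drop
        return "drop", set()
    backup_up = {c for c in seq.backup if c in paths and paths[c].up}
    if backup_up:                    # backup-sla-preferred-color, SLA ignored
        return "backup", backup_up
    return "routing", {c for c, s in paths.items() if s.up}   # fall back to routing


def evaluate(policy: Tuple[Sequence, ...], default_sla: str, sla_classes: Dict[str, SlaClass],
             app: str, paths: Dict[str, PathStats]) -> Tuple[str, Set[str]]:
    """First matching sequence wins; default-action sla-class otherwise."""
    for seq in policy:
        if not seq.apps or app in seq.apps:
            return select_paths(seq, sla_classes, paths)
    return select_paths(Sequence(frozenset(), default_sla), sla_classes, paths)


# sla-class definitions and app-route-policy SLA-Routing from the slide
SLA_CLASSES = {"EF": SlaClass(loss=1, latency=100), "Business": SlaClass(loss=2, latency=150),
               "POS": SlaClass(loss=1, latency=200), "Default": SlaClass(loss=5, latency=300)}
SLA_ROUTING = (
    Sequence(frozenset({"App1"}), "Business", preferred=("mpls", "public-internet"), backup=("red",)),
    Sequence(frozenset({"App2"}), "EF", preferred=("mpls", "red"), strict=True),
    Sequence(frozenset({"App3"}), "POS", preferred=("public-internet",), backup=("lte",)),
    Sequence(frozenset(), "Default"),
)

# Constructed path measurements (not from the deck)
HEALTHY = {"mpls": PathStats(0, 30), "public-internet": PathStats(0.5, 60),
           "red": PathStats(0.5, 70), "lte": PathStats(1, 120)}
BROWNOUT = {"mpls": PathStats(3, 200), "public-internet": PathStats(4, 250),
            "red": PathStats(0.5, 70), "lte": PathStats(1.5, 180)}
BLACKOUT = {"mpls": PathStats(3, 200), "public-internet": PathStats(4, 250),
            "red": PathStats(0, 50, up=False), "lte": PathStats(6, 400)}


def decide(app: str, paths: Dict[str, PathStats]) -> Tuple[str, Set[str]]:
    return evaluate(SLA_ROUTING, "Default", SLA_CLASSES, app, paths)


if __name__ == "__main__":
    for name, paths in (("healthy", HEALTHY), ("brownout", BROWNOUT), ("blackout", BLACKOUT)):
        for app in ("App1", "App2", "App3", "Other"):
            print(f"{name:9} {app:6} -> {decide(app, paths)}")
```

The BLACKOUT case is the one to check before using these actions in production: App2 is dropped (strict), App3 rides lte regardless of its SLA (backup), and App1 silently falls back to routing across every path that is still up, including the lte link its policy never named.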
Other Centralized Policies:
VPN Membership
cFlowd

VPN Membership Policies
VPN Service filtering between vEdge and vSmart

policy
 lists
  vpn-list restricted_vpns
   vpn 1
   vpn 2
  !
 !
 vpn-membership acme_1
  sequence 10
   match
    vpn-list restricted_vpns
   !
   action reject
  !
  default-action accept
 !
!

[Figure: vEdge hosting VPN 1, VPN 2 and VPN 3 across the WAN from vSmart. VPN 1 and VPN 2: vSmart drops the inbound OMP updates and sends no updates. VPN 3: vSmart accepts and sends]

• Restricted VPNs become islands on the hosting vEdge
• Outbound vSmart updates are not generated
• White-listing or Black-listing possible
cFlowd / Netflow Template
Configuring the cFlowd Cache and Collectors

policy
 cflowd-template cflowd_temp
  collector vpn 100 address 1.1.1.1 port 4739 transport transport_udp
  flow-active-timeout 60
  flow-inactive-timeout 60
  flow-sampling-interval
  template-refresh
 !
!

Max Collectors: 4
Flow-active-timeout: Default 600s
Flow-inactive-timeout: Default 60s
Flow-sampling-interval: Default 0
Template-refresh: Default 90s

• cFlowd enabled by policy / flow-visibility configuration; the template is applied on vSmart
• Populates local flow-cache only
• cFlowd Template required to configure and enable export
• Export is plain UDP with no authentication or encryption, and the records carry internal addressing; keep the collector VPN (vpn 100 above) on a trusted path
Tips and Tricks

Useful Policy Features (For Your Reference)
Generic Policy Features

Elimination statement
 Use a match with a bare 'action accept' (no set) in an early sequence:
  sequence 10
   match route
   !
   action accept
 Useful for ensuring that certain objects are eliminated from further policy processing

Catchall statement
 Use 'action accept' without a match in a sequence:
  sequence 10
   action accept
 Useful to ensure all traffic is matched and to allow for use of 'set' or other action

Color-List
 Match any color using color-list:
  color-list colors
   color red
   color blue
 Useful in control policies to match a selection of TLOCs with different colors, or routes originating from TLOCs of different colors

Counter
 Extremely useful for troubleshooting and policy verification:
  action accept
   count <name>
 To display, use: show policy app-route-policy-filter / show policy data-policy-filter

Default-action
 Applied to any traffic not matched by another statement in the policy:
  default-action reject
 Default-action is set to reject or drop by default. It is always visible in the policy

Enable DPI
 vEdge and IOS-XE:
  policy
   app-visibility
 IOS-XE will automatically have added:
  interface x/y/z
   ip nbar protocol discovery
Useful Policy Features (For Your Reference)
Generic Policy Features

Match logic
 Entries in one match statement are ANDed; a list matches any of its entries (OR).
 Example, match protocol 6 AND any entry in the prefix-list:
  match
   protocol 6
   destination-data-prefix-list

Match Route vs TLOC
 Match statements for routes and TLOCs have different match criteria and also allow 'set' of different attributes, related to the specific attributes associated with each

Omp-tag
 Control-policy: Match and Set. Local Policy: Match and Set.
 Equivalent to a BGP community for OMP, for generically tagging and identifying routes and TLOCs
Policy Application
Rules and Restrictions

• The minimum granularity for policy application is the Site-ID
 • Multiple devices sharing the same Site-ID are subject to the same policies being applied
• Any given Site-ID is restricted to a single policy of each type, per direction
• Example, given Site-ID 100:
 • Control-Policy 1 in or out, or both
 • Control-Policy 2 in or out, or both, wherever Control-Policy 1 is not applied
 • App-route-policy 1 (only applied outbound, transport facing)
 • Data-policy 1 from-service or from-tunnel, or all
 • Data-policy 2 from-service or from-tunnel, or all (where Data-policy 1 is not applied)
 • Different App-route policies and Data-policies can be applied per VPN
Regional Internet Access via Transport
Hair-pinning via Transport

• Data-policy Sequence 10: Allow standard routing for internal prefixes
• Data-policy Sequence 20: Direct all other traffic to DIA
• Apply the Data-policy in both directions (all) to service upstream and downstream traffic
• Originate a default route to attract traffic towards the breakout
• restrict (optional): drop the traffic when the public-internet TLOC is not operational; without it the flow falls back to normal routing

data-policy Internet_breakout
 vpn-list vpn_all
  sequence 10
   match
    destination-data-prefix-list internal-pfx
   !
   action accept
   !
  !
  sequence 20
   match
   !
   action accept
    local-tloc public-internet [restrict]
   !
  !
  default-action accept
 !
!
apply-policy
 site-list regional_exit
  data-policy Internet_breakout all
 !
!
vpn 2
 ip route 0.0.0.0/0 null0

[Figure: Regional Office (Site-1) with VPN 1 / VPN 2 behind the SD-WAN fabric, breaking out to the Internet via its transport; the default route reaches the other sites in an OMP Update]
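The Internet_breakout policy depends on three rules from the Tips and Tricks slides: criteria inside one match are ANDed, members of a list are ORed, and sequences are evaluated in order with the first hit winning, which is why the internal-prefix elimination sits in sequence 10. The following Python model (an added example, not from the deck and not Cisco code) evaluates that policy over constructed packets using the standard `ipaddress` module and counts how many sequences each packet touches, then compares the slide's ordering with one that places a long-list SaaS match first. The RFC 1918 internal prefixes, the 203.0.113.0/24 SaaS prefix, the dscp value and the packet mix are all made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Model of data-policy matching (added example, not Cisco code): criteria inside one
# match are ANDed, prefix-list members are ORed, sequences run in order, first hit wins.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int            # IP protocol number: 6 = TCP, 17 = UDP
    dst_port: int = 0


@dataclass(frozen=True)
class Match:
    destination_data_prefix_list: Tuple[str, ...] = ()
    protocol: Optional[int] = None
    destination_port: Optional[int] = None

    def hits(self, pkt: Packet) -> bool:
        """Every configured criterion must hold (AND); a list holds if any member holds (OR)."""
        checks: List[bool] = []
        if self.destination_data_prefix_list:
            dst = ipaddress.ip_address(pkt.dst)
            checks.append(any(dst in ipaddress.ip_network(p) for p in self.destination_data_prefix_list))
        if self.protocol is not None:
            checks.append(pkt.protocol == self.protocol)
        if self.destination_port is not None:
            checks.append(pkt.dst_port == self.destination_port)
        return all(checks)   # an empty match is the catchall: all([]) is True


@dataclass(frozen=True)
class Sequence:
    number: int                                   # label only; evaluation order is tuple order
    match: Match
    action: str = "accept"                        # accept | drop
    sets: Tuple[Tuple[str, str], ...] = ()        # set statements as (keyword, value) pairs


@dataclass(frozen=True)
class DataPolicy:
    sequences: Tuple[Sequence, ...]
    default_action: str = "drop"                  # platform default unless configured otherwise


@dataclass(frozen=True)
class Verdict:
    sequence: Optional[int]                       # None when default-action applied
    action: str
    sets: Dict[str, str]
    evaluated: int                                # sequences tested before the verdict


def evaluate(policy: DataPolicy, pkt: Packet) -> Verdict:
    for n, seq in enumerate(policy.sequences, 1):
        if seq.match.hits(pkt):
            return Verdict(seq.number, seq.action, dict(seq.sets), n)
    return Verdict(None, policy.default_action, {}, len(policy.sequences))


def lookups(policy: DataPolicy, pkts: List[Packet]) -> int:
    """Total sequence evaluations for a packet mix; fewer is cheaper on the forwarding plane."""
    return sum(evaluate(policy, p).evaluated for p in pkts)


# Constructed lists: internal space assumed RFC 1918, SaaS prefix is a documentation range
INTERNAL_PFX = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
SAAS_PFX = ("203.0.113.0/24",)

ELIMINATE = Sequence(10, Match(destination_data_prefix_list=INTERNAL_PFX))        # keep routing
SAAS = Sequence(20, Match(destination_data_prefix_list=SAAS_PFX, protocol=6, destination_port=443),
                sets=(("dscp", "34"),))                                            # AND of three criteria
BREAKOUT = Sequence(30, Match(), sets=(("local-tloc", "public-internet"), ("restrict", "")))  # catchall

# Elimination first, as on the slide, versus the long-list SaaS match first
INTERNET_BREAKOUT = DataPolicy((ELIMINATE, SAAS, BREAKOUT), default_action="accept")
SAAS_FIRST = DataPolicy((SAAS, ELIMINATE, BREAKOUT), default_action="accept")

# Constructed traffic mix: mostly internal, one SaaS flow, one generic Internet flow
MIX = [Packet("10.1.1.5", f"10.2.0.{i}", 6, 445) for i in range(1, 9)] + [
    Packet("10.1.1.5", "203.0.113.10", 6, 443),
    Packet("10.1.1.5", "198.51.100.7", 17, 53),
]

if __name__ == "__main__":
    for p in MIX[-3:]:
        print(p.dst, evaluate(INTERNET_BREAKOUT, p))
    print("evaluations, elimination first:", lookups(INTERNET_BREAKOUT, MIX))
    print("evaluations, SaaS match first: ", lookups(SAAS_FIRST, MIX))
```

Both orderings produce the same verdict for every packet because the internal and SaaS prefix lists do not overlap, but the slide's ordering settles the eight internal packets in one lookup each (13 evaluations in total against 20), which is the "eliminate early" guidance from the scalability slides in miniature.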
Cisco Umbrella Integration
Policy Generated via vManage Security Policy Configuration

policy
 lists
  local-domain-list exclude-domains
   cisco.com
  !
 !
!
security
 umbrella
  token 1234567890ABCDEF
  dnscrypt
 !
!
vpn matchAllVpn
 dns-redirect umbrella match-local-domain-to-bypass

• local-domain-list: Domains to exclude from redirection of DNS lookups and the subsequent flows
• token: the Umbrella registration token for your organization (the value shown is a placeholder); it is a credential and belongs in the same handling as any other secret in the configuration
• dnscrypt: DNSCrypt (with EDNS) allows for tracking the origin of DNS requests, in addition to encryption
• vpn matchAllVpn: DNS set to use Umbrella for all VPNs
Platform Support
and Scalability

Policy Scalability and Performance
Policy Construction Guidelines

• Not different from most other parsing processes
• Eliminate objects / traffic early and aim for simple policy statements
 • A good example is to exclude internal prefixes from further processing in the first sequence
• Simple Match statements are better
 • Single Prefixes, Ports, DSCP, Protocols, App-IDs
 • Avoid placing long prefix lists and port lists early
 • Ranges are better than lists if possible
• Fewer Set statements are better
 • Forwarding redirection is cheaper than header modification (Set Next-Hop vs set DSCP)
Policy Scalability and Performance
Policy Construction Guidelines

• Control Policies, VPN Membership


• Processed on vSmart for routing updates only
• Structure is less critical
• cFlowd Template
• Simple and sent on application and update only
• App-aware Routing and Data Policies
• Affects all traffic traversing the device (in enabled VPNs)
• Policy Structure is imperative to minimize any performance impact

Policy Scalability and Memory Consumption
Policy Construction Guidelines

• Platforms are limited in how many entities can be supported


• Policy Instances
• Sequence Instances
• Shared Memory Pools or TCAM used for Match / Set
• Memory consumption is challenging to determine upfront
• Hidden command being exposed in following releases
show policy filter-memory-usage
vEdge: 19.3 (Dec ‘19)
cEdge: 17.2.1 (Mar ’20)

Policy Scalability – The Numbers
Forwarding Plane Policies

Element              | vEdge-100                                 | vEdge-1/2/5K                              | ISR                                      | ASR
Policy Instances     | 256                                       | 512                                       | 512                                      | 512
Policy Sequences     | Filter Block Dependent                    | Filter Block Dependent                    | Policy Memory Chunk Dependent            | TCAM Dependent
Filter Block         | 6/16/64 * 1024 (Model dependent)          | 1024 x 1024                               | N/A                                      | N/A
Policy Memory Chunks | N/A                                       | N/A                                       | 64K                                      | N/A
TCAM                 | N/A (Next-Gen Models = 10-20MB)           | N/A                                       | N/A                                      | 20-80MB (Platform dependent)
Match Statement      | >= 1 Filter Block depending on construct  | >= 1 Filter Block depending on construct  | >= 1 Policy Chunk depending on construct | >= 1 160b Entry depending on construct
Action Statement     | >= 1 Filter Block depending on construct  | >= 1 Filter Block depending on construct  | No Limit                                 | No Limit
Policy Feature Support (For Your Reference)
Control Policy

Function              | Description                                                                                                               | vEdge            | IOS-XE
Match / Route / Color | Match Routes of a given color                                                                                             | vSmart Only 14.1 | vSmart Only 16.9
Color-List            | Match routes of any color in the list                                                                                     | vSmart Only 15.4 | vSmart Only 16.9
Ipv6-prefix-list      | Match routes present in the prefix-list                                                                                   | vSmart Only 18.4 | vSmart Only 16.9
Omp-tag               | Match routes with the specific omp-tag                                                                                    | vSmart Only 15.4 | TBD
origin                | Match routes with the specified origin protocol (Connected, Static, eBGP, OSPF Intra, OSPF Inter, OSPF External, iBGP, Unknown/Unset) | vSmart Only 14.1 | vSmart Only 16.9
originator            | Match routes that originated from the specified system-IP (as in originating vEdge)                                        | vSmart Only 14.1 | vSmart Only 16.9
preference            | Match routes with the specified preference                                                                                | vSmart Only 14.1 | vSmart Only 16.9
Prefix-list           | Match routes present in the prefix-list                                                                                   | vSmart Only 14.1 | vSmart Only 16.9
Site-id               | Match routes originating from the specified site-id                                                                       | vSmart Only 14.1 | vSmart Only 16.9
Policy Feature Support (For Your Reference)
Control Policy

Function               | Description                                          | vEdge                     | IOS-XE
Site-list              | Match Routes from any site present in the list       | vSmart Only 14.1          | vSmart Only 16.9
tloc                   | Match routes from the specified TLOC                 | vSmart Only 14.1          | vSmart Only 16.9
Tloc-list              | Match routes from any TLOC in the list               | vSmart Only 14.1          | vSmart Only 16.9
vpn                    | Match routes belonging to the specified VPN          | vSmart Only 14.1          | vSmart Only 16.9
Vpn-list               | Match routes belonging to any VPN in the list        | vSmart Only 14.1          | vSmart Only 16.9
Match / Tloc / Carrier | Match TLOCs with the specified carrier               | vSmart Only 14.2          | TBD
color                  | Match TLOCs with the specified color                 | vSmart Only 14.1          | vSmart Only 16.9
Color-list             | Match TLOCs with any color present in the list       | vSmart Only 15.4          | vSmart Only 16.9
Domain-id              | Match TLOCs originating from the specified domain-id | Not currently implemented | Not currently implemented
Policy Feature Support (For Your Reference)
Control Policy

Function   | Description                                            | vEdge            | IOS-XE
Group-id   | Match TLOCs with the specified Group-id                | vSmart Only 15.1 | TBD
Omp-tag    | Match TLOCs with the specified OMP-tag                 | vSmart Only 15.4 | TBD
originator | Match TLOCs originating from the specific System-IP    | vSmart Only 14.1 | vSmart Only 16.9
preference | Match TLOCs with the specified preference              | vSmart Only 14.1 | vSmart Only 16.9
Site-id    | Match TLOCs originating from the specified Site-ID     | vSmart Only 14.1 | vSmart Only 16.9
Site-list  | Match TLOCs originating from any site in the list      | vSmart Only 14.1 | vSmart Only 16.9
tloc       | Match the specified TLOC                               | vSmart Only 14.1 | vSmart Only 16.9
Tloc-list  | Match any TLOC in the list                             | vSmart Only 14.1 | vSmart Only 16.9
Policy Feature Support (For Your Reference)
Control Policy

Function                                     | Description                                                                         | vEdge            | IOS-XE
Action / Accept (applicable to Match / Route) | Accept matched route and install in RIB without further action                      | vSmart Only 14.1 | vSmart Only 16.9
Export-to vpn | vpn-list                      | Export the matched route into the specified VPN | List                              | vSmart Only 14.1 | vSmart Only 16.9
Set omp-tag                                  | Set an OMP-tag on the matched route                                                 | vSmart Only 15.4 | TBD
Set preference                               | Set the preference on the matched route                                             | vSmart Only 14.1 | vSmart Only 16.9
Set Service <type>                           | Associate a service with the matched route to enable service chaining               | 14.1             | TBD
Set service <type> [tloc]                    | Associate the service advertised from the specified TLOC with the matched route     | 16.3             | TBD
Set service <type> [tloc-list]               | Associate the service advertised from a TLOC in the specified list with the matched route | 16.3       | TBD
Set service <type> [vpn]                     | Associate a service advertised from the specified VPN with the matched route        | 16.3             | TBD
Policy Feature Support (For Your Reference)
Control Policy

Function                                          | Description                                                                              | vEdge            | IOS-XE
Set tloc                                          | Reset the TLOC on the matched route                                                      | vSmart Only 14.1 | vSmart Only 16.9
Set tloc-action backup | ecmp | primary | strict  | Set a TLOC action for the matched route to enable overlay Traffic Engineering using Service TE | 16.3       | TBD
Set tloc-list                                     | Reset the TLOC to a list of TLOCs on the matched route                                   | vSmart Only 14.1 | vSmart Only 16.9
Action / Accept (applicable to Match / TLOC)      | Accept matched TLOC and install into RIB without further action                          | vSmart Only 14.1 | vSmart Only 16.9
Set omp-tag                                       | Set OMP-tag on the matched TLOC                                                          | vSmart Only 15.4 | TBD
Set preference                                    | Set preference on the matched TLOC                                                       | vSmart Only 15.4 | vSmart Only 16.9
Policy Feature Support (For Your Reference)
Data Policy

Function                          | Description                                                               | vEdge | IOS-XE
Match / App-list                  | Match DPI application signature(s) specified in App-list                  | 15.4  | 16.9
Destination-data-ipv6-prefix-list | Match packet destination IP to any prefix specified in prefix-list        | TBD   | 16.10
Destination-data-prefix-list      | Match packet destination IP to any prefix specified in prefix-list        | 14.1  | 16.9
Destination-ip                    | Match packet destination IP to IP-address / Prefix specified              | 14.1  | 16.9
Destination-ipv6                  | Match packet destination IP to IP-address / Prefix specified              | TBD   | 16.10
Destination-port                  | Match packet destination-port                                             | 14.1  | 16.9
Dns request | response            | Match on DNS traffic for intercept / redirect                             | 17.2  | 16.9
Dns-app-list                      | Match on DNS traffic for the specified set of applications for intercept / redirect | 17.2 | 16.9
dscp                              | Match on packet DSCP                                                      | 14.1  | 16.9
Policy Feature Support (For Your Reference)
Data Policy

Function                     | Description                                                          | vEdge | IOS-XE
Packet-length                | Match on packet length                                               | 14.1  | 16.9
plp                          | Match packet PLP                                                     | 16.3  | TBD
protocol                     | Match packet protocol                                                | 14.1  | 16.9
Source-data-ipv6-prefix-list | Match packet source IP to any prefix specified in prefix-list        | TBD   | 16.10
Source-data-prefix-list      | Match packet source IP to any prefix specified in prefix-list        | 14.1  | 16.9
Source-ip                    | Match packet source IP to IP-address / Prefix specified              | 14.1  | 16.9
Source-ipv6                  | Match packet source IP to IP-address / Prefix specified              | 18.4  | 16.10
Source-port                  | Match packet source port                                             | 14.1  | 16.9
Tcp syn                      | Match packet TCP flag                                                | 14.1  | 16.9
Policy Feature Support (For Your Reference)
Data Policy

Function                                   | Description                                                                                                                            | vEdge | IOS-XE
Action / Accept                            | Accept any matching packet for forwarding                                                                                              | 14.1  | 16.9
Set dscp                                   | Set the DSCP on the matched packet                                                                                                     | 15.1  | 16.9
Set forwarding-class                       | Set the packet to use a specific QoS Class within the node without setting the DSCP (eq qos-group)                                     | 15.1  | 16.9
Set local-tloc color [encap]               | Pin the matching flow/packet to the defined TLOC                                                                                       | 16.1  | 17.2.1
Set local-tloc-list color [encap] [restrict] | Pin the matching flow/packet to the list of TLOCs, using ECMP for >1. Restrict will cause drop if no chosen color is operational, otherwise the process falls back to RIB | 16.1 | 17.2.1
Set local-tloc / local-tloc-list           | Pin the matching flow/packet to the defined TLOC for DIA/Split tunneling traffic                                                        | 16.1  | 17.2.1
Set next-hop                               | Route the matching flow/packet to the chosen IP                                                                                        | 14.1  | 16.9
Set next-hop-ipv6                          | Route the matching flow/packet to the chosen IP                                                                                        | 18.4  | 16.10
Set policer                                | Apply the defined policer to the traffic                                                                                               | 14.1  | 16.11

*Not yet Committed
Policy Feature Support (For Your Reference)
Data Policy

Function                                   | Description                                                                                     | vEdge  | IOS-XE
Set service <type>                         | Associate a service with the matched traffic to enable service chaining                         | 14.1   | TBD
Set service local <type> [restrict] vpn <n> | Associate a local service with the matched traffic to enable service chaining                  | 15.4.1 | TBD
Set service tloc <system-ip> <color> <encap> | Associate the service advertised from the specified TLOC with the matched traffic             | 16.1   | TBD
Set service tloc-list                      | Associate the service advertised from a TLOC in the specified list with the matched traffic     | 16.1   | TBD
Set tloc                                   | Route the matching traffic to a remote TLOC on a different SD-WAN Edge node across the WAN      | 14.1   | 16.12
Set tloc-list                              | Define a list of TLOCs to be used in preference order and with ECMP in case of multiple with equal preference | 14.1 | 16.12
Set vpn                                    | Define a next-hop VPN for the matching traffic                                                  | 14.1   | 16.9
Action / cflowd                            | Enable flow-accounting for the matching traffic                                                 | 14.3   | 16.9
count                                      | Create a counter for the matching traffic                                                       | 14.1   | 16.9
Policy Feature Support (For Your Reference)
Data Policy

Function                   | Description                                                                                                                      | vEdge | IOS-XE
drop                       | Drop the matching traffic                                                                                                        | 14.1  | 16.9
Log*                       | Create a log entry (using the log configuration for the node) for the matching traffic. policy log-frequency 1000 by default; the nearest lower power of 2 is used, so every 512th packet is logged | 16.3 | TBD
Loss-protect fec-adaptive  | Enable Adaptive FEC for the matching traffic (FEC is enabled on >=2% path packet loss)                                           | 18.4  | TBD
Loss-protect fec-always    | Enable continuous FEC for the matching traffic                                                                                   | 18.3  | 16.11
Loss-protect pkt-dup       | Enable packet duplication for the matching traffic                                                                               | 18.4  | 16.12
Nat pool <name>            | NAT the matching traffic using the named NAT-pool                                                                                | 15.3  | 16.9
Nat use-vpn <0> [fallback] | NAT the matching traffic as it is subject to split tunneling / DIA via VPN 0. Fallback allows for falling back to routing on NAT resource exhaustion | 14.2 | 16.9
Nat use-vpn <0> pool <name> | NAT the matching traffic using the named NAT-pool as it is subject to split tunneling / DIA via VPN 0                           | TBD   | 16.9

*Introduced in 16.3 / TBD
Policy Feature Support (For Your Reference)
Data Policy

Function              | Description                                                            | vEdge | IOS-XE
Redirect-dns <ip>     | Redirect the intercepted DNS request to the server residing at IP      | 17.2  | 16.9
Redirect-dns host     | Redirect the intercepted DNS request for resolution locally on the node | TBD  | TBD
Redirect-dns umbrella | Redirect the intercepted DNS request to Umbrella / OpenDNS             | TBD   | 16.10
Tcp-optimization      | Enable TCP-optimization for the matching traffic                       | 17.2  | 16.12
Policy Feature Support (For Your Reference)
App-Route Policy

Function                          | Description                                                                          | vEdge | IOS-XE
Match / app-list                  | Match DPI application signature(s) specified in App-list                             | 14.2  | 16.9
Cloud-saas-app-list               | Used for Cloud On-Ramp SaaS (orchestrated by vManage)                                | 16.3  | 17.2.1
Destination-data-ipv6-prefix-list | Match packet destination IP to any prefix specified in prefix-list                   | TBD   | 16.10
Destination-data-prefix-list      | Match packet destination IP to any prefix specified in prefix-list                   | 14.2  | 16.9
Destination-ip                    | Match packet destination IP to IP-address / Prefix specified                         | 14.2  | 16.9
Destination-ipv6                  | Match packet destination IP to IP-address / Prefix specified                         | TBD   | 16.10
Destination-port                  | Match packet destination-port                                                        | 14.2  | 16.9
Dns request | response            | Match on DNS traffic for intercept / redirect                                        | 17.2  | 16.9
Dns-app-list                      | Match on DNS traffic for the specified set of applications for intercept / redirect  | 17.2  | 16.9

*Not yet Committed
Policy Feature Support (For Your Reference)
App-Route Policy

Function                     | Description                                                    | vEdge | IOS-XE
dscp                         | Match on packet DSCP                                           | 14.2  | 16.9
plp                          | Match packet PLP                                               | 16.3  | TBD
protocol                     | Match packet protocol                                          | 14.2  | 16.9
Source-data-ipv6-prefix-list | Match packet source IP to any prefix specified in prefix-list  | TBD   | 16.10
Source-data-prefix-list      | Match packet source IP to any prefix specified in prefix-list  | 14.2  | 16.9
Source-ip                    | Match packet source IP to IP-address / Prefix specified        | 14.2  | 16.9
Source-ipv6                  | Match packet source IP to IP-address / Prefix specified        | 14.2  | 16.10
Source-port                  | Match packet source port                                       | 14.2  | 16.9
Policy Feature Support (For Your Reference)
App-Route Policy

Function                                      | Description                                                                                                                     | vEdge                         | IOS-XE
Action / backup-sla-preferred-color           | Specify the TLOC to use for traffic in an SLA-class disqualified across all links                                               | 16.3                          | 17.2.1
Cloud-saas                                    | Used for Cloud On-Ramp SaaS (orchestrated by vManage)                                                                           | 16.3                          | 17.2.1
count                                         | Create a counter for the matching traffic                                                                                       | 14.2                          | 16.9
Log*                                          | Create a log entry (using the log configuration for the node) for the matching traffic. policy log-frequency 1000 by default; the nearest lower power of 2 is used, so every 512th packet is logged | 16.3 | TBD
Sla-class <name>                              | Associate the matching traffic with a defined SLA-class                                                                         | 14.2                          | 16.9
Sla-class <name> preferred-color <n> [<n>] ... | Configure a preferred TLOC for the traffic being associated to the SLA-class (multiple for ECMP)                               | 15.2 / 17.1^ (^multiple colors) | 16.9 / 16.9
Sla-class <name> strict                       | Drop the traffic being associated with the SLA-class in case there's no path meeting the SLA threshold(s)                       | 14.2                          | 16.9
Default-action sla-class                      | Define SLA for traffic not explicitly matched in a sequence                                                                     | 14.2                          | 16.9

*Introduced in 16.3 / TBD  **Not yet Committed
Cisco SD-WAN #CLEMEA Tectorials
• TECCRS-2014 SD-WAN Technical Deep Dive (8 Hours)
• TECRST-2191 SD-WAN design, deploy and best practices (4 Hours)
• TECCRS-3006 ENFV Deep Dive and Hands on Lab (8 Hours)

SD-WAN #CLEMEA Breakouts
• BRKRST-2791 Building and using Policies with Cisco SD-WAN
• BRKRST-2377 SD-WAN Security
• BRKRST-2560 SD-WAN Machine Analytics, Machine Learning and AI
• BRKCRS-1579 SD-WAN Powered by Meraki
• BRKRST-2096 SD-WAN Proof Of Concept
• BRKRST-2095 SD-WAN Routing Migrations
• BRKRST-2093 Deploy, monitor and troubleshoot
• BRKRST-2091 ENFV Architecture, Configuration and troubleshooting
• BRKRST-2041 SD-WAN Datacenter and Branch Integration Design
• BRKARC-2012 WAN Architecture and Design Principles
• BRKRST-2559 3 Steps to design SD-WAN On Prem
• BRKCRS-2110 Delivering Cisco Next gen SD-WAN with Viptela
• BRKRST-3404 How to choose the correct branch device
• BRKRST-2097 Conquer the Cloud with SD-WAN
• BRKOPS-2826 SD-WAN as Managed Services
• BRKCRS-2113 Cloud Ready WAN for IAAS and SAAS with Cisco SD-WAN
Thank you
