Cisco SD-WAN Policy Architecture | Blog | Adroit Information Technology Academy (AITA)

Cisco SD-WAN Policy Architecture

Cisco SD-WAN policies control packet flow across the overlay fabric. Policies are created on vManage and pushed over NETCONF either to the vSmart controllers (centralized policies) or to the WAN edge routers (localized policies).

A Cisco SD-WAN policy consists of three parts: at least one list of values to match on (site lists, VPN lists, prefix lists, TLOC lists and so on), a policy definition made of match/action sequences, and a policy application that states where the policy takes effect (which site list, VPN or interface, and in which direction).

The currently active centralized policy is not stored on vSmart; it exists only in the vSmart running configuration. Policy versions and revision history are kept only on vManage, so policy rollback, version control and making policy changes persistent across all vSmart controllers are vManage's responsibility. In practice this makes vManage the single source of truth for policy: a vSmart that loses its configuration is rebuilt from vManage, so protect the vManage database and its backups accordingly.

vManage applies each policy type to the device that enforces it. Localized policies, both localized control (route) policies and localized data policies such as access control lists, classification, marking and policing, are configured directly on the WAN edge routers. Centralized policies, which affect the whole overlay fabric, are configured on vSmart and their result reaches the WAN edge routers through OMP: centralized control policy changes the OMP routes and TLOCs that vSmart advertises, while centralized data policy is itself distributed to the edges over OMP and enforced there in the data plane.

Cisco SD-WAN Policy Types

Centralized policies control the entire overlay fabric from the vSmart controllers; localized policies manipulate a specific device or site. Because the control plane and data plane are separated, centralized policies are further split into centralized control policies, which act on the control plane (the OMP routes, TLOCs and VPN membership that vSmart advertises), and centralized data policies, which act directly on packet forwarding at the WAN edge.

Important Points

A policy is processed as follows:

  • Match/action sequences are evaluated in order of sequence number, lowest first.
  • The first sequence that matches wins: its action is applied and the remaining sequences are not evaluated.
  • If no sequence matches, the policy's default action applies. The platform default is reject for control policies and drop for data policies and access lists. The default-action can be changed to accept, but review any policy configured that way, since everything the sequences fail to match is then admitted.

Centralized policies on vSmart are applied to a site list:

  • A site list can carry at most one policy of each type per direction, and a given site should not be covered by two applications of the same policy type in the same direction.
  • Centralized control policy is unidirectional: it is applied on vSmart either inbound (on OMP routes received from the sites in the list) or outbound (on routes advertised to them).
  • Centralized data policy is applied in the data plane of the WAN edge router with a direction of from-service (traffic entering from the service side), from-tunnel (traffic arriving from the overlay), or all (both).
  • VPN membership policy is always applied outbound from the vSmart controller.

vEdge Router Operations

To design and implement policies in large-scale deployments, you need a clear understanding of the order in which a WAN edge router processes a packet, because an earlier stage can drop or re-route traffic before a later stage ever sees it.

  1. IP lookup: forwarding always begins with a destination IP lookup.
  2. Ingress ACL: the localized access list may filter, mark or police the packet.
  3. Application-Aware Routing: if an application-aware routing policy applies, the tunnel is chosen according to the defined SLA class (packet loss, latency and jitter as measured by BFD probes).
  4. Centralized data policy: a matching centralized data policy can override the application-aware routing decision (for example by forcing a TLOC, next hop or VPN) or drop the packet outright.
  5. Forwarding: the destination is resolved against the routing table of the VPN to select the output interface or tunnel.
  6. Security policy: the security policy runs in the order firewall, IPS, URL filtering, Advanced Malware Protection; the packet is then tunnel-encapsulated with the VPN label inserted.
  7. Egress ACL: the egress access list can still drop or re-mark the packet before it is transmitted.
  8. Queuing and scheduling: low-latency queuing and weighted round robin scheduling run last, before the packet leaves the interface.
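The evaluation rules from the Important Points section (lowest sequence first, first match wins, default action on a miss) and the policy stages of the order of operations above can be checked against a small model. The following Python is an added illustration written for this article; it is not Cisco code and does not talk to any Cisco product. The policy names, match fields, SLA numbers and packets are constructed, the "tloc" set clause is a stand-in for the real data-policy set options, and the fallback used when no tunnel meets the SLA is a simplification of the platform's behaviour.

```python
"""Toy model of Cisco SD-WAN policy processing (added example, not Cisco code).

Models: (1) match/action sequences evaluated lowest sequence number first,
first match wins, miss -> default action (reject for control policy, drop for
data policy/ACL); (2) the WAN edge packet path ingress ACL -> app-aware
routing -> centralized data policy (may override AAR) -> egress ACL.
All names, fields, SLA values and packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Sequence:
    seq: int
    match: Callable[[dict], bool]  # predicate over a packet or route dict
    action: str                    # "accept", "drop" (data/ACL) or "reject" (control)
    set_: Dict[str, object] = field(default_factory=dict)  # "set" clauses


@dataclass
class Policy:
    name: str
    kind: str                      # "control", "data" or "acl"
    sequences: List[Sequence]
    default_action: Optional[str] = None

    def __post_init__(self) -> None:
        # Platform defaults: control policy rejects unmatched routes,
        # data policy and ACLs drop unmatched packets.
        if self.default_action is None:
            self.default_action = "reject" if self.kind == "control" else "drop"
        self.sequences = sorted(self.sequences, key=lambda s: s.seq)


def evaluate(policy: Policy, obj: dict) -> Tuple[str, Optional[int], dict]:
    """First match wins; later sequences are never evaluated.
    Returns (action, matching sequence number or None, set clauses)."""
    for s in policy.sequences:
        if s.match(obj):
            return s.action, s.seq, dict(s.set_)
    return policy.default_action, None, {}


# Constructed per-tunnel measurements (on a real edge, BFD probes supply these).
TUNNELS = {
    "mpls":     {"loss": 0.0, "latency": 40,  "jitter": 5},
    "biz-inet": {"loss": 1.0, "latency": 120, "jitter": 25},
}


def app_aware_route(sla: dict, preferred: List[str]) -> str:
    """Pick the first preferred tunnel whose measurements meet the SLA class.
    If none does, fall back to the first preferred tunnel (simplification)."""
    for name in preferred:
        m = TUNNELS[name]
        if all(m[k] <= sla[k] for k in ("loss", "latency", "jitter")):
            return name
    return preferred[0]


def forward(pkt: dict, ingress_acl: Policy, sla: dict, preferred: List[str],
            data_policy: Policy, egress_acl: Policy) -> Tuple[str, list]:
    """Run one packet through the policy stages in the article's order.
    Returns (chosen tunnel or "drop", trace of per-stage decisions)."""
    trace = []
    action, seq, _ = evaluate(ingress_acl, pkt)
    trace.append(("ingress-acl", action, seq))
    if action != "accept":
        return "drop", trace
    tunnel = app_aware_route(sla, preferred)
    trace.append(("app-aware-routing", tunnel, None))
    action, seq, sets = evaluate(data_policy, pkt)
    trace.append(("data-policy", action, seq))
    if action != "accept":
        return "drop", trace
    if "tloc" in sets:                      # data policy overrides the AAR choice
        tunnel = sets["tloc"]
        trace.append(("data-policy-override", tunnel, seq))
    action, seq, _ = evaluate(egress_acl, pkt)
    trace.append(("egress-acl", action, seq))
    if action != "accept":
        return "drop", trace
    return tunnel, trace


# Constructed policies. Sequences are listed out of order on purpose to show
# that evaluation follows sequence numbers, not configuration order.
CONTROL_POLICY = Policy("HUB-PREF", "control", [
    Sequence(20, lambda r: 100 <= r["site"] <= 199, "accept"),
    Sequence(10, lambda r: r["site"] == 100, "accept", {"preference": 200}),
])                                          # default-action reject
INGRESS_ACL = Policy("BLOCK-TELNET", "acl",
                     [Sequence(10, lambda p: p["dport"] == 23, "drop")],
                     default_action="accept")
DATA_POLICY = Policy("VOICE-ON-MPLS", "data", [
    Sequence(10, lambda p: p["dscp"] == 46, "accept", {"tloc": "mpls"}),
    Sequence(20, lambda p: p["vpn"] == 10, "accept"),
])                                          # default-action drop
EGRESS_ACL = Policy("PERMIT-ALL", "acl", [], default_action="accept")
LOOSE_SLA = {"loss": 2.0, "latency": 150, "jitter": 30}
PREFERRED = ["biz-inet", "mpls"]            # AAR prefers the cheaper transport


def run_packet(pkt: dict) -> str:
    return forward(pkt, INGRESS_ACL, LOOSE_SLA, PREFERRED, DATA_POLICY, EGRESS_ACL)[0]


if __name__ == "__main__":
    for route in ({"site": 100}, {"site": 150}, {"site": 300}):
        print("control", route, evaluate(CONTROL_POLICY, route))
    for pkt in ({"vpn": 10, "dport": 23, "dscp": 0},     # dropped by ingress ACL
                {"vpn": 10, "dport": 5060, "dscp": 46},  # AAR biz-inet, overridden to mpls
                {"vpn": 10, "dport": 443, "dscp": 0},    # stays on biz-inet
                {"vpn": 20, "dport": 443, "dscp": 0}):   # data policy default-action drop
        print("packet", pkt, run_packet(pkt))
```

Running the block prints the control-policy result for three routes and the forwarding outcome for four packets. The route from site 100 is accepted by sequence 10 and never reaches sequence 20; the Telnet packet is dropped by the ingress ACL before any routing decision is made; the DSCP 46 packet is steered to biz-inet by application-aware routing and then moved to mpls by the data policy; and the VPN 20 packet is dropped by the data policy's default action even though no sequence mentions VPN 20 at all.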

Tags: Cisco SD-WAN vSmart vEdge Centralized Policy Localized Policy vManage NETCONF