Cisco SD-WAN Policy - Localized Policy - IP With Ease
Rashmi Bhardwaj | Blog, Programming & Software, Routing & Switching
Policies are a core part of the Cisco SD-WAN solution and are used to manipulate the packet flow
across the overlay fabric. Policies are created on the vManage controller using the policy wizard
and pushed via NETCONF either to the vSmart controllers (centralized policies) or directly to the
vEdge devices (localized policies). Centralized policies allow us to manipulate traffic across the
whole overlay fabric in a centralized fashion, eliminating the manual method of pushing
configuration to each device and avoiding human error.
In the traditional method, configurations are typically applied on a device-by-device basis using
the CLI. Cisco SD-WAN has been designed to overcome this by implementing a centralized management
plane that applies configuration to all devices without manual, error-prone steps. Cisco SD-WAN
policies fall into two types:
1. Centralized Policy
2. Localized Policy
Localized Policy
Localized policies are policies that are applied locally on the vEdge routers of the overlay
network. Similar to centralized policies, localized policies can be used to manipulate both
control plane and data plane traffic. The two main types of localized policy are:
Route Policy:
Localized policies that affect the control plane, called route policies, can be used to filter or
manipulate routes exchanged or learned outside of the SD-WAN fabric via protocols such as BGP,
OSPF, and EIGRP. Route policies can also be used to filter routes as they are redistributed from one
protocol to another including into and out of OMP. Route policies are the only way to impact the
control plane with localized policy.
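As an added example (not from the article), the following vEdge CLI localized route policy accepts only the site's own LAN prefixes from an external BGP peer and rejects everything else, so an unexpected or rogue advertisement from that peer cannot be learned and redistributed into OMP. The list name, policy name, VPN, AS numbers and addresses are placeholders, and the command syntax follows the Viptela vEdge CLI as understood here; check it against the platform's reference before use.

```text
! Added example, not part of the article. Placeholder names and addresses.
policy
 lists
  prefix-list SITE10_LAN
   ! Only the site's own 10.10.0.0/16 space, down to /24 subnets
   ip-prefix 10.10.0.0/16 le 24
  !
 !
 route-policy BGP_IN_FILTER
  sequence 10
   match
    address SITE10_LAN
   !
   action accept
   !
  !
  ! Anything not explicitly matched above is dropped (default deny)
  default-action reject
 !
!
vpn 10
 router
  bgp 65010
   neighbor 192.0.2.1
    remote-as 65500
    address-family ipv4-unicast
     ! Apply the filter inbound, before the routes reach the RIB and OMP
     route-policy BGP_IN_FILTER in
    !
   !
  !
 !
!
```

When built in vManage, the same policy is created under Configuration > Policies > Localized Policy and referenced from the BGP feature template attached to the device, as the article notes for localized policies.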
Quality of Service:
Quality of Service (QoS) can be configured on the WAN Edge routers to perform queuing, shaping,
policing, congestion avoidance, and congestion management.
Security Policy
The security policy feature set supports use cases such as compliance, guest access, Direct Cloud
Access (DCA), and Direct Internet Access (DIA). Security policies were first introduced in version 18.2
with the Zone-Based Firewall (ZBFW) feature set and have continued to expand in functionality in
subsequent releases. As of version 19.2, the Security Policy feature set currently supports
Application-Aware ZBFW, Intrusion Prevention, URL Filtering, Advanced Malware Protection (AMP),
and DNS Security. These features are used to affect traffic in the data plane.
Key Points of Cisco SD-WAN Policy
Centralized Data policy:
Centralized data policy can only be enabled per VPN and site ID.
The configuration does not persist on the Edge device: it is delivered via OMP and stored in the
volatile RIB, so it is temporary and does not survive a reboot.
Localized control policies, also called route policies, affect BGP and OSPF routing behavior on
the site-local network.
Policy Application:
Data Policies can be applied in three modes on vEdge:
Provisioning of Policies:
Policies can be provisioned in two ways:
Centralized: pushed from vManage to vSmart via a NETCONF transaction and then advertised
to the Edge devices by vSmart via OMP; affects all edges matched by a list.
Localized: pushed from vManage directly to the Edge devices via a NETCONF transaction; affects
specific devices that require tailored policies or settings (requires a feature template to
reference it).