
Cisco SD-WAN Policy: Localized Policy

Rashmi Bhardwaj | Blog, Programming & Software, Routing & Switching

Introduction to Cisco SD-WAN Policy


In this article, we will discuss the different types of Cisco SD-WAN Policy.

Policies are a core part of the Cisco SD-WAN solution and are used to manipulate packet flow
across the overlay fabric. Policies are created on the vManage controller using the policy wizard
and pushed via NETCONF either to the vSmart controllers (centralized policies) or directly to the
vEdge devices (localized policies). Centralized policies allow us to manipulate traffic across the
whole overlay fabric from one place, eliminating the manual, device-by-device method of pushing
configuration and the human errors that come with it.


In the traditional method, configuration is applied on a device-by-device basis through the CLI.
Cisco SD-WAN overcomes this with a centralized management plane that renders the intended
configuration onto all devices, removing the per-device manual step where most human errors are
introduced.

Types of Cisco SD-WAN Policy


There are two main types of policies:

1. Centralized Policy
2. Localized Policy

In this article, we will discuss Localized Policy in detail.

Localized Policy
Localized policies are those policies that are applied locally on the vEdge routers on the overlay
network. Similar to the centralized policies, localized policies can be used to manipulate both the
control plane and the data plane traffic. The two main types of localized policy are:

1. Traditional Localized Policy
2. Security Policy

Traditional Localized Policy


Traditional localized policies include Route Policy, Quality of Service (QoS), and Access Control Lists
(ACLs).

The traditional localized policies can further be categorized as:

Control plane: Route Policy
Data plane: Quality of Service (QoS) and Access Control Lists (ACLs)

Route Policy:
Localized policies that affect the control plane, called route policies, can be used to filter or
manipulate routes exchanged or learned outside of the SD-WAN fabric via protocols such as BGP,
OSPF, and EIGRP. Route policies can also be used to filter routes as they are redistributed from one
protocol to another including into and out of OMP. Route policies are the only way to impact the
control plane with localized policy.

Quality of Service:
Quality of Service (QoS) can be configured on the WAN Edge routers to perform queuing, shaping,
policing, congestion avoidance, and congestion management.

Access Control Lists:
Access control lists (ACLs) can be created with the localized policy to filter traffic at the interface
level. ACLs can also be used to mark or remark traffic for QoS purposes.

Security Policy
The security policy feature set supports use cases such as compliance, guest access, Direct Cloud
Access (DCA), and Direct Internet Access (DIA). Security policies were first introduced in version 18.2
with the Zone-Based Firewall (ZBFW) feature set and have continued to expand in functionality in
subsequent releases. As of version 19.2, the Security Policy feature set currently supports
Application-Aware ZBFW, Intrusion Prevention, URL Filtering, Advanced Malware Protection (AMP),
and DNS Security. These features are used to affect traffic in the data plane.

Key Points of Cisco SD-WAN Policy

Centralized Data Policy:

Centralized data policy is applied per site list (and VPN list), not per individual device.
The configuration does not stay on the edge: vSmart advertises it via OMP and the edge holds it in
memory only, so it never appears in the device's running configuration and is re-learned from
vSmart after a reboot rather than being saved locally.

Localized Control Policy:

Localized control policy, also called route policy, affects BGP and OSPF routing behavior on the
site-local network.

Localized Data Policy:

Localized data policy covers QoS and ACLs (route policy is the localized control policy).
The configuration stays on the edge: it is delivered via NETCONF and appears in the device's
running configuration exactly as if it had been typed at the CLI.
A localized policy provisions an ACL and applies it to one or more specific interfaces on the vEdge
router.
Traffic is allowed or dropped based on a 6-tuple match: source IP, destination IP, source port,
destination port, DSCP field, and protocol.
Access lists also provision Class of Service (CoS), policing, and mirroring, and so control how
data traffic flows in and out of interfaces.
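The vEdge (Viptela OS) CLI configuration below is an added example, not from the original article, that ties the route-policy and ACL material above together in the form the device actually stores: a prefix-list and route policy applied inbound to a site-local BGP neighbor (control plane), and an access-list that uses the 6-tuple fields to drop Telnet from the user subnet, police the guest subnet, and mark voice traffic into a forwarding class (data plane), bound to a service-side interface. All names, addresses, AS numbers and subnets are invented for the example; the qos-map/scheduler that would consume the VOICE class is omitted. Lines beginning with `! ` followed by text are annotations, not configuration, and should be stripped before pasting.

```text
policy
 lists
  ! only site-local prefixes may be learned from the LAN BGP peer
  prefix-list PL-SITE-LOCAL
   ip-prefix 10.10.0.0/16 le 24
  !
 !
 ! forwarding class; a qos-map (not shown) maps queue 0 to a scheduler
 class-map
  class VOICE queue 0
 !
 ! 2 Mbit/s policer (rate in bps, burst in bytes) for the guest subnet
 policer POL-GUEST-2M
  rate 2000000
  burst 15000
  exceed drop
 !
 ! control plane: filter what the LAN peer can inject into the site RIB
 route-policy RP-BGP-LAN-IN
  sequence 10
   match
    address PL-SITE-LOCAL
   !
   action accept
   !
  !
  ! anything outside the prefix-list is rejected, not silently accepted
  default-action reject
 !
 ! data plane: 6-tuple filtering on the service-side interface
 access-list ACL-LAN-IN
  ! seq 10: drop Telnet from the user subnet and keep a counter and log
  sequence 10
   match
    source-ip 10.10.1.0/24
    destination-ip 0.0.0.0/0
    protocol 6
    destination-port 23
   !
   action drop
    count TELNET-DROPS
    log
   !
  !
  ! seq 20: rate-limit the guest subnet
  sequence 20
   match
    source-ip 10.10.9.0/24
   !
   action accept
    policer POL-GUEST-2M
   !
  !
  ! seq 30: mark voice VLAN UDP traffic EF and place it in the VOICE class
  sequence 30
   match
    source-ip 10.10.5.0/24
    protocol 17
   !
   action accept
    class VOICE
    set
     dscp 46
    !
   !
  !
  default-action accept
 !
!
vpn 1
 router
  bgp 65001
   neighbor 10.10.1.2
    remote-as 65002
    address-family ipv4-unicast
     route-policy RP-BGP-LAN-IN in
    !
   !
  !
 !
 interface ge0/2
  ip address 10.10.1.1/24
  ! "in" = packets entering the vEdge from the LAN
  access-list ACL-LAN-IN in
  no shutdown
 !
!
```

Sequences are evaluated in order and the first match wins, so the specific Telnet drop sits before the broader accept entries. Note the asymmetric defaults: the route policy rejects by default so an unexpected prefix from the LAN peer cannot leak into the fabric, while the ACL accepts by default so a filtering mistake does not black-hole the site. The named counter on sequence 10 is what you check with `show policy access-list-counters` when confirming the ACL is matching the traffic you expect.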

Policy Application:
Data policies can be applied in three directions on a vEdge:

From Service: traffic entering the router from the service (LAN) side, heading toward the WAN
tunnels.
From Tunnel: traffic arriving from the overlay tunnels (WAN) side, heading toward the LAN.
All: both directions.
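The direction keyword is chosen where a centralized data policy is applied, which is on vSmart rather than on the vEdge itself. The fragment below is an added example in vSmart CLI (not from the article) with invented list names, site IDs and VPN; the same from-service / from-tunnel / all choice appears as the policy direction in the vManage wizard, and vManage renders it into this syntax before pushing it to vSmart over NETCONF.

```text
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN-USERS
   vpn 1
  !
 !
 data-policy DP-BRANCH-EGRESS
  vpn-list VPN-USERS
   sequence 10
    match
     source-ip 10.10.0.0/16
     destination-ip 0.0.0.0/0
     protocol 6
     destination-port 22
    !
    action drop
     count SSH-FROM-LAN
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  data-policy DP-BRANCH-EGRESS from-service
 !
!
```

With `from-service` the policy is evaluated on packets arriving from the LAN before they are encapsulated into a tunnel; the same policy applied with `from-tunnel` would instead filter what the overlay delivers to the LAN, and `all` evaluates both. Because this policy reaches the edges via OMP, it does not appear in their running configuration; verify it on the vEdge with `show policy from-vsmart` rather than `show running-config`.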

Provisioning of Policies:
Policies can be provisioned in two ways:

Centralized: Pushed from vManage to vSmart via a NETCONF transaction and then advertised to the
edge devices by vSmart via OMP; affects all edges matched by a site list.
Localized: Pushed from vManage directly to the edge devices via a NETCONF transaction; affects the
specific devices that require tailored policies or settings (the localized policy must be referenced
from the device template attached to those devices).
