Configuring Centralized Data Policy

Posted on Jan 27, 2020

Centralized data policy is configured on vSmart controllers and can be used for the purposes listed below:

  • Centralized data policy based on prefixes and IP headers
  • Centralized data policy based on application information in the packet payload
  • Data policy applied to VPNs according to where they receive routes from

Configure Centralized Data Policy based on Prefixes and IP Headers

This policy consists of a sequence of match-action pairs. When a packet matches a sequence, the associated action is taken and policy evaluation stops. If a packet matches no sequence, it is dropped and discarded by default.

By default, matching is done on a 6-tuple: source IP address, destination IP address, source port, destination port, protocol and DSCP.

Create a list of the network sites to which this centralized policy is to be applied:

vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id

Create lists of IP prefixes and VPNs:

vSmart(config)# policy lists
vSmart(config-lists)# data-prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length
vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id

Create lists of TLOCs:

vSmart(config)# policy
vSmart(config-policy)# lists tloc-list list-name
vSmart(config-lists-list-name)# tloc ip-address color color encap encapsulation [preference number]

Define policing parameters, as needed:

vSmart(config-policy)# policer policer-name
vSmart(config-policer)# rate bandwidth
vSmart(config-policer)# burst bytes
vSmart(config-policer)# exceed action

Create a data policy and associate it with a list of VPNs:

vSmart(config)# policy data-policy policy-name
vSmart(config-data-policy-policy-name)# vpn-list list-name

Create a series of match-action pair sequences:

vSmart(config-vpn-list)# sequence number
vSmart(config-sequence-number)#

Define match parameters for packets:

vSmart(config-sequence-number)# match parameters

Define actions to take when a match occurs:

vSmart(config-sequence-number)# action (accept | drop) [count counter-name] [log] [tcp-optimization]
vSmart(config-sequence-number)# action accept nat [pool number] [use-vpn 0]
vSmart(config-sequence-number)# action accept redirect-dns (host | ip-address)
vSmart(config-sequence-number)# action accept set parameters

If a route does not match any of the conditions, it is rejected by default. To accept nonmatching prefixes, configure the default action for the policy:

vSmart(config-policy-name)# default-action accept

Apply the policy to one or more sites in the overlay network:

vSmart(config)# apply-policy site-list list-name data-policy policy-name (all | from-service | from-tunnel)

Policer Parameters

To configure policing, define a policer that specifies the maximum bandwidth and burst size for a traffic interface and what to do when traffic exceeds those values.

  • rate is the maximum traffic rate, from 0 through 2^64 – 1 bits per second.
  • burst is the maximum traffic burst size, from 15000 to 1000000 bytes.
  • exceed is the action to take when the burst size or traffic rate is exceeded. The action can be drop (the default) or remark. The drop action is equivalent to setting the packet loss priority (PLP) bit to low, and the remark action sets the PLP bit to high.

Example 1: General Centralized Data Policy

This is a general example of a centralized data policy configured on the vSmart controller. Once it is committed, the policy is pushed to the affected vEdge routers.

policy
 data-policy dclessons-data-policy
  vpn-list dclessons-vpn-list
   sequence 10
    match
     destination-ip 10.10.0.0/24
    !
    action drop
     count test-counter
    !
   !
   default-action drop
  !
 !
 lists
  vpn-list dclessons-vpn-list
   vpn 1
  !
  site-list dclessons-site-list
   site-id 200
  !
 !
!

Now this policy is applied to the site list that contains site ID 200 (the apply-policy must reference the site list and data policy defined above):

apply-policy
 site-list dclessons-site-list
  data-policy dclessons-data-policy
 !
!

As soon as the data policy is applied and activated on the vSmart controller, vSmart pushes the configuration to the vEdge router at site 200. This can be verified with:

vEdge1# show omp data-policy
policy-from-vsmart
 data-policy dclessons-data-policy
  vpn-list dclessons-vpn-list
   sequence 10
    match
     destination-ip 10.10.0.0/24
    !
    action drop
     count test-counter
    !
   !
   default-action drop
  !
 !
 lists
  vpn-list dclessons-vpn-list
   vpn 1
  !

Example 2: Control Access

This example shows a data policy in which a source with IP 1.1.1.1 at site 10 can send only TCP packets to destination IP 2.2.2.2; when sending, the next hop is set to the TLOC 10.10.10.10, gold. All other traffic is accepted by the default-action command.

policy
 lists
  site-list dclessons-site
   site-id 100
  vpn-list vpn-dclessons-list
   vpn 100
 !
 data-policy tcp-only
  vpn-list vpn-dclessons-list
   sequence 10
    match
     source-ip 1.1.1.1/32
     destination-ip 2.2.2.2/32
     protocol tcp
    action accept
     set tloc 10.10.10.10 color gold
   !
   default-action accept
  !
 !
apply-policy
 site-list dclessons-site data-policy tcp-only
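To make the evaluation rules from the overview concrete (6-tuple match, first matching sequence wins and evaluation stops, default-action for everything else), here is an added Python model of data-policy evaluation; it is not vSmart code and not part of the original post. The Packet and Sequence types, the protocol name table and the two sample policies (mirroring Example 1 and Example 2 above) are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO = {"tcp": 6, "udp": 17, "icmp": 1}  # assumed name-to-number table for "protocol" matches

@dataclass(frozen=True)
class Packet:  # the 6-tuple the text says default matching is based on
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    dscp: int = 0

@dataclass
class Sequence:
    number: int
    match: dict                              # e.g. {"source-ip": "1.1.1.1/32", "protocol": "tcp"}
    action: str                              # "accept" or "drop"
    set: dict = field(default_factory=dict)  # parameters of "action accept set ..."
    count: Optional[str] = None              # counter name, as in "count test-counter"

def _fits(match: dict, pkt: Packet) -> bool:
    checks = {
        "source-ip": lambda v: ip_address(pkt.src) in ip_network(v),
        "destination-ip": lambda v: ip_address(pkt.dst) in ip_network(v),
        "source-port": lambda v: pkt.sport == int(v),
        "destination-port": lambda v: pkt.dport == int(v),
        "protocol": lambda v: pkt.proto == (PROTO[v] if v in PROTO else int(v)),
        "dscp": lambda v: pkt.dscp == int(v),
    }
    # every configured match parameter must hold; an empty match block fits any packet
    return all(checks[key](value) for key, value in match.items())

def evaluate(sequences, default_action, pkt, counters):
    """First matching sequence wins and evaluation stops; otherwise default-action applies."""
    for seq in sorted(sequences, key=lambda s: s.number):
        if _fits(seq.match, pkt):
            if seq.count:  # "count" only increments for the sequence that actually matched
                counters[seq.count] = counters.get(seq.count, 0) + 1
            return seq.action, seq.number, dict(seq.set)
    return default_action, None, {}

# Constructed policies mirroring Example 1 (default-action drop) and Example 2 (tcp-only).
DCLESSONS_POLICY = [Sequence(10, {"destination-ip": "10.10.0.0/24"}, "drop", count="test-counter")]
TCP_ONLY = [Sequence(10, {"source-ip": "1.1.1.1/32", "destination-ip": "2.2.2.2/32", "protocol": "tcp"},
                     "accept", {"tloc": "10.10.10.10", "color": "gold"})]
```

Evaluating DCLESSONS_POLICY with default action "drop" on a packet outside 10.10.0.0/24 still returns drop: with default-action drop, everything in the listed VPN that no sequence matches is discarded, which is the point to check before applying Example 1 to a site.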

Example 3: Restrict Traffic

This example shows that for traffic generated from 10.10.10.0/24, all data traffic is accepted except SMTP traffic on port 25, which is dropped.

policy
 lists
  data-prefix-list dclessons-prefix
   ip-prefix 1.1.0.0/16
   port 25
  vpn-list dclessons-all-vpns
   vpn 1
   vpn 2
  site-list dclessons-site
   site-id 100
 !
 data-policy no-mail
  vpn-list dclessons-all-vpns
   sequence 10
    match
     source-data-prefix-list dclessons-prefix
    action drop
   !
   default-action accept
  !
 !
apply-policy
 site-list dclessons-site data-policy no-mail

Example 4: Allow Traffic to Exit from a vEdge Router to the Internet

In this example, data traffic destined for the two destinations 10.10.10.10 and 10.10.11.11/24 should exit directly from the local vEdge router towards the internet.

policy
 lists
  vpn-list dclessons-vpn-1
   vpn 1
  !
  site-list dclessons-nat-sites
   site-id 100,200
  !
 data-policy accept-nat
  vpn-list dclessons-vpn-1
   sequence 100
    match
     source-ip 10.20.20.0/24
     destination-ip 10.10.10.10/24
    !
    action accept
     count nat
     nat use-vpn 0
    !
   !
   sequence 101
    match
     source-ip 10.20.22.0/24
     destination-ip 10.10.11.11/24
    !
    action accept
     count nat_inet
     nat use-vpn 0
    !
   !
   default-action accept
  !
 !
apply-policy
 site-list dclessons-nat-sites data-policy accept-nat

If we match on the destination port instead of the destination IP, we get more flexibility for traffic going to the internet. Let's say the ports are 80 and 443.

data-policy accept-nat
 vpn-list dclessons-vpn-1
  sequence 100
   match
    source-ip 10.20.20.0/24
    destination-port 80
   !
   action accept
    count nat
    nat use-vpn 0
   !
  !
  sequence 101
   match
    source-ip 10.20.22.0/24
    destination-port 443
   !
   action accept
    count nat_inet
    nat use-vpn 0
   !
  !
  default-action accept
 !
!
