SD-WAN Centralized & Localized Control Policy Overview
Default Behavior without Centralized Control Policy
By default, no centralized control policy is provisioned until one is configured and applied. When there is no centralized policy, the Viptela control plane devices behave as follows:
- Every vEdge router sends the route prefixes it learns from its local site network to the vSmart controller via OMP. If a vEdge has DTLS connections to multiple vSmart controllers, it sends the OMP information to all of them.
- Every vEdge router sends all of its TLOC routes to the vSmart controllers in the domain via OMP.
- Every vEdge router sends all of its service routes to all vSmart controllers via OMP.
- The vSmart controller accepts all three route types into its route table and then tracks the OMP, TLOC and service routes to determine which VPN each belongs to. From this information the vSmart controller builds the network topology map and determines the routing paths for data traffic.
- The vSmart controller redistributes all routes of a particular VPN to all vEdge routers in the same VPN.
- vEdge routers regularly send route updates to the vSmart controller.
- The vSmart controller recalculates the routing paths, updates its routing table and advertises new and changed routing information to all vEdge routers.

How Behavior Changes with Centralized Control Policy
Centralized control policies are required in the following scenarios:
- When not all routes are meant to be advertised to all vEdge routers
- When route information is to be modified before the vSmart controller advertises it
Once the policy is configured, it is activated by applying it to specific sites in the overlay network, in either the inbound or the outbound direction with respect to the vSmart controller.
When the policy is applied in the inbound direction, routes are modified or filtered before they are placed in the route table of the vSmart controller; accepted routes are installed in the vSmart route table either as received or as modified by the control policy.
When the policy is applied in the outbound direction, accepted routes are modified by the control policy before the vSmart controller distributes them; routes rejected by the outbound policy are not advertised.

Control policies have these characteristics:
- They are configured on vManage; enabled and enforced on vSmart controllers.
- They are advertised by using Overlay Management Protocol (OMP).
- Policies filter or modify OMP routing updates sent to WAN Edge devices.
- Control policies change the routing behavior of the entire Cisco Software-Defined WAN (SD-WAN) fabric.
- Control policies are used to enable the following:
  - Service chaining
  - Traffic engineering
  - Extranet VPNs
  - Service and path affinity
  - Arbitrary VPN topologies
  - VPN membership
A control policy is similar to a standard routing policy; it operates on routes and routing information in the control plane of the overlay network. A centralized control policy, which is provisioned on the Cisco vSmart controller, is the Cisco SD-WAN technique for customizing networkwide routing decisions that determine or influence routing paths through the overlay network. A local control policy is provisioned on a Cisco WAN Edge device; it allows customization of routing decisions made by Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) on branch or enterprise networks.
The routing information that forms the basis of a centralized control policy is carried in the Cisco SD-WAN route advertisements, which are transmitted on the Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS) control connections between Cisco vSmart controllers and Cisco WAN Edge devices. A centralized control policy determines which routes and route information are placed into the centralized route table on the Cisco vSmart controller and which routes and route information are advertised to the Cisco WAN Edge devices in the overlay network. A basic centralized control policy can be used to establish traffic engineering, which sets the path that traffic takes through the network. An advanced control policy supports several features, including service chaining, which allows Cisco WAN Edge devices in the overlay network to share network services, such as firewalls and load balancers.
A centralized control policy affects the OMP routes that are distributed by the Cisco vSmart controller throughout the overlay network. The Cisco vSmart controller learns the overlay network topology from the OMP routes that are advertised by the Cisco WAN Edge devices over the OMP sessions inside the DTLS or TLS connections between the Cisco vSmart controller and the devices.
The following three types of OMP routes carry the information that the Cisco vSmart controller uses to determine the network topology:
- Cisco SD-WAN OMP routes, which are similar to IP route advertisements, advertise routing information that the devices have learned from their local site and the local routing protocols (BGP, OSPF, EIGRP) to the Cisco vSmart controller. These routes are also referred to as vRoutes.
- TLOC routes carry overlay network-specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type. (A transport location or transport locator [TLOC] is the physical location where a Cisco WAN Edge device connects to a transport network. It is identified primarily by IP address, link color, and encapsulation, but several other properties are associated with a TLOC.)
- Service routes advertise the network services, such as firewalls, available to VPN members at the local site.
By default, no centralized control policy is provisioned. Without control policies, all OMP routes are placed in the Cisco vSmart controller's routing table as is, and the Cisco vSmart controller advertises all OMP routes, as is, to all the devices in the same VPN in the network domain.
By provisioning a centralized control policy, you can influence how the OMP routes are added in the Cisco vSmart controller's routing table, how the route information is advertised to the other devices, and whether the OMP routes need to be modified before being put into the routing table or before being advertised.
The Cisco WAN Edge devices place all the route information that is learned from the Cisco vSmart controllers, as is, into their local routing tables, for use when forwarding data traffic. Because the Cisco vSmart controller's role is to be the centralized routing system in the network, Cisco WAN Edge devices can never modify the OMP route information that they learn from the Cisco vSmart controllers.
The Cisco vSmart controller regularly receives the OMP route advertisements from the devices. After recalculating and updating the routing paths through the overlay network, it advertises new routing information to the devices.
The centralized control policy that you provision remains on the Cisco vSmart controller and is never downloaded to the devices. However, the routing decisions that result from centralized control policy are passed to the devices in the form of route advertisements, and so the effect of the control policy is reflected in how the devices direct data traffic to its destination.
Control Policy Application
A control policy can be applied both inbound, to the route advertisements that the Cisco vSmart controller receives from the WAN Edge devices, and outbound, to advertisements that it sends to them. An inbound policy controls which routes and route information are installed in the local routing database on the Cisco vSmart controller, and whether this information needs to be installed as-is or needs to be modified. An outbound control policy is applied after a route is retrieved from the routing database, but before a Cisco vSmart controller advertises it, and affects whether the route information is advertised as-is or is modified.

OMP Updates—Direction "Inbound"
Inbound Policy determines which routes are installed in the local routing database of the vSmart controller.
OMP runs between all WAN Edge devices and vSmart controllers. All control information is exchanged on the network over OMP. Initially, all WAN Edge devices announce local service-side routes to the Cisco vSmart controllers.
An inbound policy can change this incoming flow of information. Therefore, an inbound policy can change what the vSmart controllers see in their routing database.
In the diagram, WAN Edge 1, WAN Edge 2, and WAN Edge 3 each advertise to the vSmart controller a TLOC with their service-side network.
Data in the Cisco vSmart Controller Routing Database
Cisco vSmart stores all OMP information in its routing database.
The routing database holds a central view of the entire Cisco SD-WAN fabric.
After the Cisco vSmart controller receives all OMP route updates from the WAN Edges, the vSmart controller stores this information in its routing database.
If an inbound policy modifies the incoming OMP route updates, the Cisco vSmart controller stores only the modified information. This way, the routing database holds a central view of the entire Cisco SD-WAN fabric.
Additionally, the Cisco vSmart controller stores much more information than the amount of information shown in the simplified view. For example, the Cisco vSmart controller also stores the keys used for the IPsec data plane encryption.
OMP Updates—Direction "Outbound," Without Policy
Cisco vSmart pushes its routing database out to all WAN Edge devices through OMP updates.
Each WAN Edge learns about the other WAN Edges, how to reach them (the TLOCs), the key to use to encrypt data toward that WAN Edge, and so on.
The Cisco vSmart controller pushes its routing database through the OMP updates to the WAN Edge devices with the “out” direction.
By this method, each WAN Edge learns about all other WAN Edge devices in the network, how to reach them (the transport locators, or TLOCs), which key to use to encrypt data toward that WAN Edge, and so on.
The Cisco vSmart controller in the Cisco SD-WAN overlay has a similar role to that of a route reflector in a BGP network.
OMP Updates—Direction "Outbound," with Policy
Outbound Policy is applied after a route is retrieved from the routing database, but before the vSmart controller advertises it.
You can apply a single policy per direction per individual site.
An outbound policy might change the information that is distributed to the WAN Edge devices, and therefore, the view of the network on the WAN Edges. For example, you can use an outbound policy to enforce another topology.
In the example shown in the figure, a centralized control policy is applied to the Cisco vSmart controller as follows:
- The policy applies to Site 1, so announcements to other sites remain unchanged.
- The policy statement matches all announcements of Site 2 networks and changes the TLOC to 3.
The result is that packets from Site 1 to Site 2 are sent to Site 3 instead of directly to Site 2. As an example, you can use this mechanism to perform service insertion of a firewall or other services. Once the packets are inspected at Site 3, the authorized packets can then be forwarded to Site 2.
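The default behaviour described at the top of this page (every WAN Edge announces its routes, the vSmart controller installs them and reflects them to the other sites in the same VPN) and the two policy points described in this section (inbound, before a route enters the routing database; outbound, per receiving site, before a route is advertised) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not Cisco or Viptela code. The three sites, their TLOC strings, the prefixes and the two policy functions are constructed for illustration, the real controller keeps far more per route (keys, preferences, labels), and "TLOC" here is just a string of the form ip/color/encap. The outbound policy reproduces the Site 1 / Site 2 / Site 3 service-insertion example above.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class OmpRoute:
    """One OMP route as the controller would see it (simplified)."""
    vpn: int       # VPN the prefix belongs to
    prefix: str    # service-side prefix learned at the originating site
    site_id: int   # site that originated the route
    tloc: str      # transport locator (ip/color/encap) used to reach the prefix


# A policy maps a route to a (possibly modified) route, or None to reject it.
Policy = Callable[[OmpRoute], Optional[OmpRoute]]

# Constructed TLOCs for three sites; addresses and colors are illustrative only.
TLOC: Dict[int, str] = {
    1: "10.0.0.1/mpls/ipsec",
    2: "10.0.0.2/mpls/ipsec",
    3: "10.0.0.3/mpls/ipsec",
}


class VSmart:
    """Minimal model of the controller's routing database and its two policy points."""

    def __init__(self) -> None:
        self.rib: List[OmpRoute] = []
        self.inbound: Dict[int, Policy] = {}   # keyed by originating site
        self.outbound: Dict[int, Policy] = {}  # keyed by receiving site

    def receive(self, routes: List[OmpRoute]) -> None:
        """Inbound direction: the policy runs before a route enters the RIB."""
        for route in routes:
            policy = self.inbound.get(route.site_id)
            accepted = policy(route) if policy else route
            if accepted is not None:
                self.rib.append(accepted)   # stored as received, or as modified

    def advertise(self, to_site: int, vpn: int) -> List[OmpRoute]:
        """Outbound direction: take routes from the RIB, apply the receiving
        site's policy, and return what would go into the OMP update."""
        policy = self.outbound.get(to_site)
        sent: List[OmpRoute] = []
        for route in self.rib:
            # Only routes of the same VPN are reflected, and never back to their origin.
            if route.vpn != vpn or route.site_id == to_site:
                continue
            advertised = policy(route) if policy else route
            if advertised is not None:
                sent.append(advertised)
        return sent


def constructed_advertisements() -> List[OmpRoute]:
    """Constructed sample of what three WAN Edges announce to the controller."""
    return [
        OmpRoute(vpn=10, prefix="192.168.1.0/24", site_id=1, tloc=TLOC[1]),
        OmpRoute(vpn=10, prefix="192.168.2.0/24", site_id=2, tloc=TLOC[2]),
        OmpRoute(vpn=10, prefix="192.168.3.0/24", site_id=3, tloc=TLOC[3]),
        OmpRoute(vpn=20, prefix="172.16.2.0/24", site_id=2, tloc=TLOC[2]),
    ]


def drop_vpn20_from_site2(route: OmpRoute) -> Optional[OmpRoute]:
    """Inbound policy on Site 2: reject VPN 20 prefixes so they never reach the RIB."""
    return None if route.vpn == 20 else route


def site1_service_insertion(route: OmpRoute) -> Optional[OmpRoute]:
    """Outbound policy for Site 1: match every Site 2 announcement and set its
    TLOC to Site 3, so Site 1 sends Site 2 traffic through Site 3 (e.g. a firewall)."""
    if route.site_id == 2:
        return replace(route, tloc=TLOC[3])
    return route


def controller_without_policy() -> VSmart:
    """Default behaviour: everything is installed and reflected as is."""
    vs = VSmart()
    vs.receive(constructed_advertisements())
    return vs


def controller_with_policy() -> VSmart:
    """Inbound policy on Site 2 plus the Site 1 outbound service-insertion policy."""
    vs = VSmart()
    vs.inbound[2] = drop_vpn20_from_site2
    vs.outbound[1] = site1_service_insertion
    vs.receive(constructed_advertisements())
    return vs


if __name__ == "__main__":
    for label, vs in (("no policy", controller_without_policy()),
                      ("with policy", controller_with_policy())):
        print(f"--- {label}: RIB holds {len(vs.rib)} routes")
        for site in (1, 2, 3):
            for r in vs.advertise(to_site=site, vpn=10):
                print(f"to site {site}: {r.prefix} via {r.tloc}")
```

Running it shows the two points the text makes: with the inbound policy the VPN 20 prefix from Site 2 is absent from the RIB altogether (so no outbound policy can ever bring it back), and with the outbound policy only Site 1 sees the Site 2 prefix with Site 3's TLOC, while Site 3 still receives the Site 2 prefix unchanged. Note that the policy never leaves the controller; the WAN Edges only ever see the resulting advertisements.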
Examples of Modifying Traffic Flow with Centralized Control Policy
Let's see some examples of centralized control policy:
Comment
- AU: This is one of the most detailed and well-researched courses on SD-WAN centralized localization control policy available on the internet. They have helped me gain a deeper understanding of the concept. This is a highly recommended course for anyone who wants to master the control policy.
- EL: SD-WAN a centralized localized control policy overview by DClesson is the most trustworthy online learning material available in the market. They have an excellent support team. They have a great learning environment allowing at-home study with an instructor who effectively breaks down everything. I have gained a lot from this course.