SD-WAN Viptela Policy Overview
In Cisco Viptela, policy influences the flow of traffic between vEdge routers. Viptela policy comprises the following:
- Routing policy: affects the flow of routing information in the control plane
- Data policy: affects the flow of data traffic in the data plane
In a Cisco Viptela network, policies are applied to either control plane or data plane traffic, and are configured centrally on the vSmart controller or locally on vEdge routers.
The figure below distinguishes between control and data policy, each of which is further divided into centralized and localized policy.
Based on its configuration, each policy falls into one of two categories:
Basic policy: covers standard policy tasks such as managing traffic paths, permitting or blocking traffic based on addresses, ports and so on, enabling class of service, monitoring and policing.
Advanced policy: includes more involved configuration and offers specialized policy-based applications, such as:
- Service chaining
- Application-aware routing
- Cflowd for traffic monitoring
- Using a vEdge device as a NAT
By default, no policy is configured on Viptela devices, on either vSmart or vEdge. With no policy in place:
- All routing information is propagated by OMP from each vEdge to vSmart, and vSmart then shares it, unpoliced, with all other vEdge routers.
- No BGP or OSPF route policy affects the routing information that a vEdge router propagates within its local site network.
Centralized policies are those provisioned on the vSmart controllers in the Viptela overlay network, and they have the following two components:
Centralized control policy: configured on the vSmart controller, this policy applies to routing traffic and affects the information stored in the vSmart route table, which is then advertised to vEdge routers. These policies exist only on the vSmart controller and are never pushed to vEdge routers.
Centralized data policy: these policies apply to data traffic flows throughout a VPN and can permit or restrict access based on a 6-tuple match (source and destination IP, ports, DSCP, protocol, VPN membership). They are pushed to the affected vEdge routers.
Localized policies are those applied locally on the vEdge routers in the overlay network. Localized policy is further divided into two parts:
Localized control policy: also called route policy, this affects BGP and OSPF routing behavior on the site-local network.
Localized data policy: this policy provisions access-lists and applies them to one or more specific interfaces on the vEdge router. Access is allowed or restricted based on a 6-tuple match (source and destination IP address, ports, DSCP field and protocol).
Access-lists also allow provisioning of CoS, policing and mirroring, and control how data traffic flows in and out of interfaces.
Control and Data Policy
Let's see how control and data policy work, one by one.
Control policy: these policies operate on routes, or routing information, in the control plane of the overlay network. As soon as a vEdge router sends its control plane information to the vSmart controller over the DTLS or TLS tunnel, the centralized control policy determines which routes and route attributes are placed in the centralized route table on vSmart, and which are advertised to the vEdge routers in the overlay network.
Each vEdge router sends the following three types of OMP routes to the vSmart controller, from which the vSmart controller determines the network topology:
- OMP routes
- TLOC routes
- Service Routes
Centralized control policy: a centralized control policy affects the OMP routes placed in the vSmart route table. It determines which routes are advertised to vEdge routers and which OMP routes are modified before being placed in the route table or before being advertised. Once this processing is done, vSmart advertises the new routing information to the vEdge routers.
A centralized control policy always remains on the vSmart controller; it is never sent or downloaded to vEdge routers.
Example of centralized control policy: service chaining, which allows data traffic to be routed through one or more network services such as a firewall, load balancer or IDP.
Localized control policy: a localized control policy is configured or provisioned on vEdge routers. It is also called route policy and is similar to the policy we configure on a conventional local router.
Example: a localized control policy modifies BGP and OSPF routing behavior on the site-local network.
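To make the centralized control policy flow concrete, here is a small added model (written for this page, not Cisco or Viptela code) of what the vSmart does: it holds the OMP routes learned from every vEdge, evaluates an ordered list of policy sequences for each destination site, and advertises only the routes that survive, with any modifications applied. The site IDs, prefixes, the hub-and-spoke policy and its field names are all constructed for illustration; the one Viptela behaviour it relies on is that an unmatched route falls to the policy's default action, which for a control policy is reject.

```python
"""Model of a centralized control policy evaluated on a vSmart controller.

Added example, not Cisco/Viptela code. Sites, prefixes and the policy below
are constructed; the policy grammar is a simplified stand-in for the real one.
"""
from ipaddress import ip_network

# Constructed OMP routes as the vSmart would hold them after each vEdge
# advertised its local prefixes over OMP. Site 100 is the hub, 200/300 spokes.
OMP_ROUTES = [
    {"site": 100, "vpn": 10, "prefix": "10.100.0.0/16", "preference": 0},
    {"site": 100, "vpn": 10, "prefix": "10.100.10.0/24", "preference": 0},
    {"site": 200, "vpn": 10, "prefix": "10.200.0.0/16", "preference": 0},
    {"site": 300, "vpn": 10, "prefix": "10.30.0.0/16", "preference": 0},
]

# Hypothetical hub-and-spoke policy: spokes learn only routes that originate
# at the hub, and one hub prefix is given a higher preference on the way out.
HUB_AND_SPOKE = {
    "sequences": [
        {"seq": 10,
         "match": {"site_list": {100}, "prefix_list": ["10.100.10.0/24"]},
         "action": "accept", "set": {"preference": 100}},
        {"seq": 20, "match": {"site_list": {100}}, "action": "accept"},
    ],
    # Unmatched routes fall to the default action; control policies reject by default.
    "default_action": "reject",
}

# apply-policy in the outbound direction: which policy each site receives.
# The hub has no policy, so it is advertised everything unpoliced.
APPLY_POLICY = {200: HUB_AND_SPOKE, 300: HUB_AND_SPOKE}


def route_matches(route, match):
    """Every field present in `match` must match; absent fields are wildcards.
    A prefix matches a prefix-list entry when it falls inside it (simplification)."""
    if "site_list" in match and route["site"] not in match["site_list"]:
        return False
    if "vpn" in match and route["vpn"] != match["vpn"]:
        return False
    if "prefix_list" in match:
        net = ip_network(route["prefix"])
        if not any(net.subnet_of(ip_network(p)) for p in match["prefix_list"]):
            return False
    return True


def apply_control_policy(routes, policy):
    """First matching sequence wins; accepted routes carry any `set` changes."""
    advertised = []
    for route in routes:
        for seq in policy["sequences"]:
            if route_matches(route, seq["match"]):
                if seq["action"] == "accept":
                    advertised.append({**route, **seq.get("set", {})})
                break
        else:  # no sequence matched
            if policy["default_action"] == "accept":
                advertised.append(dict(route))
    return advertised


def advertise_to_site(dest_site, routes=OMP_ROUTES, apply_policy=APPLY_POLICY):
    """Routes the vSmart advertises to one vEdge site after policy is applied."""
    # A site's own routes are not reflected back to it (simplification of OMP).
    candidates = [r for r in routes if r["site"] != dest_site]
    policy = apply_policy.get(dest_site)
    if policy is None:  # no policy configured: everything is advertised unpoliced
        return candidates
    return apply_control_policy(candidates, policy)


if __name__ == "__main__":
    for site in (100, 200, 300):
        print(site, [(r["prefix"], r["preference"]) for r in advertise_to_site(site)])
```

The point the model makes is that the policy never leaves the vSmart: the spokes receive a pruned, modified route set and have no copy of the rules that produced it, so troubleshooting a missing route at a spoke means looking at the controller's apply-policy, not the vEdge configuration.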
Data policy: these policies influence data traffic based on the IP header of each packet, or on the configuration of the router interface on which the traffic is sent or received.
Viptela implements two types of data policy:
Centralized data policy: these policies control the flow of data based on the source and destination address, ports and DSCP field in the IP header, and also on network segmentation and VPN membership.
To achieve this, centralized data policies are provisioned centrally on the vSmart controller and affect traffic flow across the entire network. By default no centralized data policy is provisioned. Unlike control policy, a centralized data policy is pushed to the vEdge routers in a read-only fashion: it is not added to the router's configuration file, but it can be viewed from the CLI.
Localized data policy: these policies control how data traffic flows in and out of a router interface. They are provisioned locally using access-lists, which classify traffic and map it to the proper queues. An access-list also allows traffic mirroring and policing at a specified rate.
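The centralized data policy and the localized access-list described above share the same matching model: an ordered list of sequences, each matching on some of the six tuple fields plus VPN membership, and a default action for anything unmatched. The following added example (written for this page, not Cisco or Viptela code) evaluates both kinds of policy over a few constructed flows. The prefixes, ports, DSCP values, queue numbers and the policy field names are all constructed; the one Viptela behaviour it relies on is that unmatched traffic falls to the policy's default action, and for a data policy that default is drop, which is why the example includes a flow that is dropped only because nothing matched it.

```python
"""Model of 6-tuple matching for a centralized data policy and a localized ACL.

Added example, not Cisco/Viptela code. Flows, prefixes, ports and policies are
constructed; the policy grammar is a simplified stand-in for the real one.
"""
from ipaddress import ip_address, ip_network

# Hypothetical centralized data policy applied to VPN 10: block telnet, mark
# HTTPS from the user subnet, let voice (EF) through, drop everything else.
CENTRALIZED_DATA_POLICY = {
    "vpn_list": {10},
    "sequences": [
        {"seq": 10, "match": {"protocol": 6, "destination_port": {23}},
         "action": "drop"},
        {"seq": 20, "match": {"source_ip": ["10.10.0.0/16"], "protocol": 6,
                              "destination_port": {443}},
         "action": "accept", "set": {"dscp": 18}},
        {"seq": 30, "match": {"dscp": 46}, "action": "accept"},
    ],
    # Data policies drop unmatched traffic by default; this is the usual surprise.
    "default_action": "drop",
}

# Hypothetical localized access-list on an interface: classify into queues.
LOCALIZED_ACL = {
    "sequences": [
        {"seq": 10, "match": {"dscp": 46},
         "action": "accept", "set": {"class": "voice", "queue": 0}},
        {"seq": 20, "match": {"protocol": 6, "destination_port": {443}},
         "action": "accept", "set": {"class": "business", "queue": 2}},
    ],
    "default_action": "accept",  # chosen here so best-effort traffic still flows
}

# Constructed flows: the six tuple fields plus the VPN the flow belongs to.
TELNET = {"vpn": 10, "source_ip": "10.10.1.5", "destination_ip": "10.20.1.9",
          "source_port": 51000, "destination_port": 23, "protocol": 6, "dscp": 0}
HTTPS = {**TELNET, "destination_port": 443}
VOICE = {"vpn": 10, "source_ip": "10.10.2.7", "destination_ip": "10.20.2.8",
         "source_port": 16384, "destination_port": 16384, "protocol": 17, "dscp": 46}
DNS = {**TELNET, "destination_port": 53, "protocol": 17}


def flow_matches(flow, match):
    """Every field present in `match` must match; absent fields are wildcards."""
    for field, wanted in match.items():
        if field in ("source_ip", "destination_ip"):
            if not any(ip_address(flow[field]) in ip_network(p) for p in wanted):
                return False
        elif field in ("source_port", "destination_port"):
            if flow[field] not in wanted:
                return False
        elif flow[field] != wanted:  # protocol and dscp are exact matches
            return False
    return True


def evaluate(policy, flow):
    """Return (action, set_fields): first matching sequence wins, otherwise the
    default action applies. A policy with a vpn_list ignores other VPNs."""
    if "vpn_list" in policy and flow["vpn"] not in policy["vpn_list"]:
        return ("not-applied", {})
    for seq in policy["sequences"]:
        if flow_matches(flow, seq["match"]):
            return (seq["action"], seq.get("set", {}))
    return (policy["default_action"], {})


if __name__ == "__main__":
    for name, flow in (("telnet", TELNET), ("https", HTTPS), ("voice", VOICE), ("dns", DNS)):
        print(name, "centralized:", evaluate(CENTRALIZED_DATA_POLICY, flow),
              "acl:", evaluate(LOCALIZED_ACL, flow))
```

Two things worth noticing when reading the output: the DNS flow is dropped by the centralized policy without any sequence mentioning DNS, purely because of the default action, and the same flow passes the localized ACL with no class or queue set because only matched sequences apply `set` values. Both are exactly the cases to check first when a data policy behaves unexpectedly.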