SD-WAN Viptela Policy Overview
In Cisco Viptela, policy influences the flow of traffic between vEdge routers. Viptela policy comprises the following:
- Routing policy: affects the flow of routing information in the control plane
- Data policy: affects the flow of data traffic in the data plane
In a Cisco Viptela network, policies are applied to either control plane or data plane traffic, and are configured centrally on the vSmart controllers or locally on the vEdge routers.
The figure below distinguishes control policy from data policy; each is further divided into centralized and localized policy.
Based on its configuration, each policy is categorized into one of two types:
Basic policy: includes standard policy tasks such as managing traffic paths, permitting or blocking traffic based on addresses, ports, etc., and enabling class of service, monitoring, and policing.
Advanced policy: includes more advanced configuration and offers specialized policy-based applications, such as:
- Service chaining
- Application Aware Routing
- Cflowd for traffic monitoring
- Configuring a vEdge device to perform NAT
By default, no policy is configured on Viptela devices, neither on vSmart nor on vEdge. When no policy is present:
- All routing information is propagated by OMP from the vEdge routers to vSmart, and vSmart then shares it, unpoliced, with all other vEdge routers.
- No BGP or OSPF route policy is in place to affect the routing information that a vEdge router propagates within its local site network.
Centralized policies are those provisioned on the vSmart controllers in the Viptela overlay network. They have the following two components.
Centralized control policy: configured on the vSmart controller, this policy applies to routing traffic and affects the information stored in the vSmart controller's route table, which is in turn advertised to the vEdge routers. These policies exist only on the vSmart controller and are never pushed to the vEdge routers.
Centralized data policy: these policies apply to data traffic flowing through a VPN and can permit or restrict access based on a 6-tuple match (source and destination IP, ports, DSCP, protocol, and VPN membership). They are pushed to the affected vEdge routers.
Localized policies are those applied locally on the vEdge routers in the overlay network. Localized policy is further divided into two parts:
Localized control policy: also called route policy, it affects BGP and OSPF routing behavior on the site-local network.
Localized data policy: this policy provisions access lists and applies them to a specific interface or interfaces on the vEdge router. Access is allowed or restricted based on a 6-tuple match (source and destination IP address, ports, DSCP field, and protocol).
Access lists also allow the provisioning of CoS, policing, and mirroring, and control how data traffic flows in and out of interfaces.
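The 6-tuple match described for both centralized and localized data policy is easiest to reason about when the evaluation order is made explicit. The following Python model is an added example, not Viptela's code or CLI: it represents a data policy as numbered sequences, each matching a subset of the 6-tuple (unset fields match anything), evaluated in order with first match winning and the default action covering everything else. The policy name, prefixes, sequence numbers and flows are constructed for illustration.

```python
# Added illustration of 6-tuple data-policy evaluation; a model, not Viptela code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One data-plane flow described by the 6-tuple the text lists."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dscp: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP
    vpn: int       # VPN (segment) the flow belongs to


@dataclass(frozen=True)
class Sequence:
    """One numbered sequence of a data policy; a None field means 'any'."""
    seq: int
    action: str  # "accept" or "drop"
    src_prefix: Optional[str] = None
    dst_prefix: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None
    protocol: Optional[int] = None
    vpns: Optional[frozenset] = None  # VPN list the sequence is scoped to

    def matches(self, f: Flow) -> bool:
        # Every configured field must match; unconfigured fields match anything.
        return all([
            self.src_prefix is None or ip_address(f.src_ip) in ip_network(self.src_prefix),
            self.dst_prefix is None or ip_address(f.dst_ip) in ip_network(self.dst_prefix),
            self.src_port is None or f.src_port == self.src_port,
            self.dst_port is None or f.dst_port == self.dst_port,
            self.dscp is None or f.dscp == self.dscp,
            self.protocol is None or f.protocol == self.protocol,
            self.vpns is None or f.vpn in self.vpns,
        ])


@dataclass
class DataPolicy:
    name: str
    sequences: Tuple[Sequence, ...]
    default_action: str = "accept"

    def evaluate(self, f: Flow) -> Tuple[str, Optional[int]]:
        """First matching sequence wins; otherwise the default action applies."""
        for s in sorted(self.sequences, key=lambda x: x.seq):
            if s.matches(f):
                return s.action, s.seq
        return self.default_action, None


# Constructed sample policy (hypothetical name and prefixes): in VPN 1, drop
# Telnet (TCP/23) toward the 10.0.0.0/8 data-center range, accept EF-marked
# (DSCP 46) UDP as voice, and drop anything else carrying the EF marking.
BRANCH_POLICY = DataPolicy(
    name="branch-data-policy",
    sequences=(
        Sequence(seq=10, action="drop", dst_prefix="10.0.0.0/8",
                 dst_port=23, protocol=6, vpns=frozenset({1})),
        Sequence(seq=20, action="accept", dscp=46, protocol=17, vpns=frozenset({1})),
        Sequence(seq=30, action="drop", dscp=46, vpns=frozenset({1})),
    ),
    default_action="accept",
)


def decide(policy: DataPolicy, flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number or None for the default)."""
    return policy.evaluate(flow)


if __name__ == "__main__":
    telnet = Flow("10.1.5.20", "10.200.1.10", 40000, 23, 0, 6, 1)
    print(decide(BRANCH_POLICY, telnet))  # ('drop', 10)
```

Two points the model makes visible: a sequence scoped to a VPN list never matches a flow in another VPN, so the same Telnet flow in VPN 2 falls through to the default action; and sequence order matters, since the EF-marked TCP flow is dropped only because the voice accept at sequence 20 requires UDP.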
Control and Data Policy
Let's see how control and data policy work, one by one.
Control policy: these policies operate on routes and routing information in the control plane of the overlay network. As soon as a vEdge router sends its control plane information to the vSmart controller over the DTLS or TLS tunnel, the centralized policy determines which routes and route information are placed in the centralized route table on vSmart, and which routes and route information are advertised to the vEdge routers in the overlay network.
Each vEdge router sends these three OMP route types to the vSmart controller, from which the vSmart controller determines the network topology:
- OMP routes
- TLOC routes
- Service Routes
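To make the control-plane behaviour concrete, here is an added Python model of a centralized control policy evaluated on vSmart. It is an illustration, not Viptela's code: vSmart keeps every route it learns in its centralized table, and an outbound policy toward a site list decides which of those routes each site receives, which is how a hub-and-spoke topology is enforced without any policy reaching the vEdge routers. The site IDs, prefixes and the helper names `VSmart`, `apply_control_policy` and `build_hub_and_spoke` are constructed for the example; only the originating site is modelled for each route, so the TLOC and service routes listed above are not represented separately.

```python
# Added model of a centralized control policy evaluated on vSmart; not Viptela code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class OmpRoute:
    """An OMP route as learned by vSmart: VPN, prefix and originating site."""
    vpn: int
    prefix: str
    site_id: int  # site of the vEdge (and its TLOC) that originated the route


class VSmart:
    def __init__(self) -> None:
        self.route_table: Set[OmpRoute] = set()  # centralized, unpoliced
        # site-id -> (origin sites the policy accepts, default action)
        self.out_policy: Dict[int, Tuple[FrozenSet[int], str]] = {}

    def learn(self, routes: Iterable[OmpRoute]) -> None:
        """Every vEdge sends its routes; vSmart keeps all of them."""
        self.route_table |= set(routes)

    def apply_control_policy(self, site_list: Iterable[int],
                             allowed_origin_sites: Iterable[int],
                             default_action: str = "reject") -> None:
        """Outbound policy toward a site list: accept routes originated by the
        listed sites and apply default_action to every other route."""
        rule = (frozenset(allowed_origin_sites), default_action)
        for site in site_list:
            self.out_policy[site] = rule

    def advertise(self, to_site: int) -> Set[OmpRoute]:
        """Routes vSmart advertises to the vEdges at to_site after policy."""
        # A site's own routes are not sent back to it; OMP uses the site-id
        # for loop prevention, modelled here as a filter on vSmart for brevity.
        candidates = {r for r in self.route_table if r.site_id != to_site}
        if to_site not in self.out_policy:
            return candidates  # no policy: everything is advertised
        allowed, default_action = self.out_policy[to_site]
        return {r for r in candidates
                if r.site_id in allowed or default_action == "accept"}


# Constructed topology: one hub and two branches, all in VPN 1.
HUB_SITE, BRANCH_A, BRANCH_B = 1, 100, 200


def build_hub_and_spoke() -> VSmart:
    """vSmart with all routes learned and a hub-and-spoke policy applied."""
    vs = VSmart()
    vs.learn([
        OmpRoute(1, "10.0.0.0/24", HUB_SITE),
        OmpRoute(1, "10.100.0.0/24", BRANCH_A),
        OmpRoute(1, "10.200.0.0/24", BRANCH_B),
    ])
    # Branches may only learn routes originated at the hub; default reject.
    vs.apply_control_policy(site_list=[BRANCH_A, BRANCH_B],
                            allowed_origin_sites=[HUB_SITE])
    return vs


if __name__ == "__main__":
    vs = build_hub_and_spoke()
    print(sorted(r.prefix for r in vs.advertise(BRANCH_A)))  # ['10.0.0.0/24']
    print(sorted(r.prefix for r in vs.advertise(HUB_SITE)))  # both branch prefixes
```

The route table on vSmart still holds all three routes after the policy is applied; only what each site is told changes. That is the practical meaning of the statement above that centralized control policies live on vSmart and are never pushed to the vEdge routers: a branch that is denied another branch's prefix simply never learns it, and the hub, which has no policy applied, learns everything.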