Cisco CCNP Enterprise 300-415 ENSDWI – SDWAN Policy

  1. SDWAN Policy Section

One of the important sections we have is section four, where we learn about the various types of policy: control policy, data policy, centralized policy and localized policy. You will come to know in the upcoming sessions that control policy is very close to a routing policy; you can call control policy a routing policy. The control policy that we build on vSmart gives us the full capability to do routing manipulation, traffic engineering, service chaining, et cetera.

That means we can play around with routing inside SD-WAN. The next piece is the data policy, which gives us the capability to do application-aware routing, and that is quite a big topic. So here you can see that section four is application-aware routing, and that is actually something the success of SD-WAN depends upon: how we implement the app-route policy later. If you are using the SD-WAN firewall features, then we also have the option to apply application-aware firewall policies.

Going forward, let's break this big policy section into parts. We start with 4.1, where we discuss control policy and data policy, and then we have several examples. For example, if you want to block or allow a certain prefix; if you want to use a hub-and-spoke strategy, meaning your branch traffic goes towards the data center, that is your hub, and from there on to some other place (you have various strategies for a hub-and-spoke policy); then VPN segmentation. About VPN segmentation, it is very interesting to point out that the overall SD-WAN solution supports segmentation by default. So you have VPN 10, VPN 20 and VPN 40: VPN 10 you use for corporate traffic, 20 for PCI, 40 for guest.

Or you can have a trusted VPN, an untrusted VPN, a guest VPN, a third-party VPN, et cetera. That means you can segment the traffic per category of application traffic, or there are other ways to segment the traffic. Now, once you segment the traffic, are those segments going to support multiple topologies? If you look at section 4.3, it is telling you that, okay, you have segmentation.

Now, are these segments going to support multiple topologies? What does it mean? It means VPN 10 can do hub-and-spoke, VPN 20 can go towards a firewall and then in or out, VPN 40 can go directly to the internet, et cetera. The answer is yes. You will see these types of labs in the upcoming sessions. Once we complete that point, we will go on and complete app-route and direct internet access. So let's start with the policy. This policy section, section four that you see here, carries 20% weightage in our CCNP exam.

  2. vSmart Policy Overview

Viptela policies are one of the key components inside the SD-WAN Viptela fabric. So what types of policies do we have inside Viptela? Let me draw that. If we look at the policy types, we have basically two different types. The first is control policy, and the other is data policy. Now again, control policy can be divided into two parts: control policy, which is nothing but routing policy, can be centralized or localized. Likewise, data policy can be centralized or localized. Great.

So what are the examples of centralized and localized policy with respect to the control plane? The example of a centralized policy is the control policy itself. A policy named control-policy is a centralized policy, meaning I can globally take decisions related to routing updates and routing policy. A good example of a localized policy is a route policy. Whenever we go inside the routing protocols, for example OSPF, we can create a route filter or route policy; that will be local. That means you push this policy with the device template. Centralized policies you build on vManage, vManage pushes them to vSmart, and vSmart pushes them to the vEdge. Localized policies you attach directly to the vEdge, from vManage to vEdge. Okay? Then you have centralized data policy: the policy named data-policy itself is a centralized data policy, or you may have app-route policy.

So let me draw here the examples of data policy. Again you have two variations, centralized and localized. The centralized policy example is data-policy itself. Then we have, for example, the cflowd template, which is nothing but the type of NetFlow that we use on Cisco devices. We have a very important policy, the app-route policy; app-route policy is also a type of data policy, a centralized data policy. In localized policy, you may have quality of service, you may have ACLs, you may have mirroring. All these things are part of the localized data policy.

So these are the types of policy we actually have inside SD-WAN. Inside policy you have control policy and data policy; inside each of those you again have centralized policy and localized policy. Correct? Now one by one we will go inside each policy and see how it looks, what its structure is, and how we build and apply it. So let's start a new topic: what are the components of a policy?

A policy actually has three components. First, to whom you are writing the policy: what is the traffic, what is the traffic class, what is the interesting traffic? Second is the policy itself, the policy definition: is it a control policy, data policy, app-route, et cetera. And the third part is applying the policy.

So once you build the policy, how are you going to apply it? Let's start one by one with the first part, which is the interesting traffic, or lists. You can create lists for all the things you want to match, meaning for whom you are writing the policy. We know that we have different types of components in SD-WAN: we have sites, we have VPNs, and we can define TLOCs.

We have colors, prefix lists and data prefix lists, and one very important thing, applications. So with all these components I can create a site list, a VPN list, a TLOC list, a color list, a prefix list, a data prefix list and an app list. Okay, so these are the interesting traffic we write the policy for. The next portion is the policy definition, which means what type of policy you have: control policy, data policy, app-route policy, cflowd policy, VPN membership policy, and so on. Now, whatever policy you have, for example control policy or data policy, what is its structure, what is its construction?

First of all, you go inside the policy keyword, then the policy type, then the name of the policy. So for example control-policy and then the name; say ABCD is the name of the policy. Then you go inside a sequence number, where you have to match. Suppose it is a control policy: I have to match TLOC or route. Once you match TLOC or route, you can match, say, a VPN, a prefix list, or other attributes. Then you have to take an action.

The action may be accept or reject; if you want to do something else, as we will see later, you can also set some values. But in general it is match and action, and like that you can create sequence 10, sequence 20, sequence 30, et cetera. At the end of the day you have one default action, and that default action is reject by default; you can change it to accept. So this is the policy construct. When we do the lab, we will understand more about that. Finally, the third step is to apply the policy. When we apply the policy, it is always, 100% of the time, with respect to a site list.

So site list, for example AB, then you call the policy, for example the control policy we created, ABCD, and then you have to give the direction: either in or out. Later we will discuss more about direction in control plane policy versus data plane policy, because control plane policy direction may be in or out, but data plane policy is bidirectional. So control policy direction is unidirectional and data plane policy is bidirectional; we will discuss that. So this is the overall policy construct.

Let me quickly revise it. You have policy; your policy type can be control policy or data policy. Control policy can be centralized or localized, and the same applies to data policy. Then, whether it is a control policy or a data plane policy, you have to define the terms inside the policy: what the lists are, what the definition of the policy is, and how you apply the policy, which is always with respect to a site, and in which particular direction, in or out, et cetera.

Once we know all these factors and facts, let me quickly walk you through the slide. You can see here the policy, centralized and localized, then the construct of that policy, control policy and data policy. Then you have to define the lists and the policy, and you have to apply that policy. You can see the framework here for the policy: define the traffic, define the policy type, apply the policy. In the upcoming recording I will explain more about what the direction is once you apply the policy. So let's stop here for the moment and continue our discussion in the upcoming section.

  3. vSmart Policy Architecture Components

Let us continue and discuss more about the architecture of the policies. Now you can see that we have a direction inside the policy. What is meant by direction? I have my vSmart here; the direction will be in towards the vSmart, that is the in direction, and then it can be out of the vSmart. So when you are sending routes from the vEdge to the vSmart, that is the in direction. When you are sending the update from the vSmart to the vEdge, that is the out direction. So the policy direction from vSmart to vEdge is out, and from vEdge to vSmart is in: in to the vSmart and out of the vSmart. All right? Apart from that, I told you that there are two policies, control policy and data policy.

So what is the fundamental difference between control policy and data policy? Let us discuss that. We should remember three letters, C-A-E: C stands for configure, A stands for apply, and E stands for execute. Now, if you configure, apply and execute the policy at the level of vSmart, that is a control policy. But if you do the configuration and the apply at the level of vSmart while the actual execution happens at the level of the vEdge, that is a data policy, and because it is a data policy it is downloaded to the vEdge: the vEdge device downloads that policy into its local cache. A control policy, on the other hand, stays on the vSmart, and the routing updates are sent via the vSmart, either in or out.

So now, what is the difference between control policy and data policy? Let me list it out. For control policy, C, A and E all happen at the level of vSmart; for data policy, C and A happen at vSmart but E, the execution, happens at the vEdge. Control policy resides at the level of vSmart; data policy is downloaded by the vEdge. Control policy is unidirectional, either in or out, so you need two policies to cover both directions; data policy is bidirectional.

So one data policy is applied in both directions. Okay, so these are the main and fundamental differences between control policy and data policy. Let me go through these slides. Here you can clearly see that if it is a data policy, execution happens at the level of the vEdge. That is why app-route policy, cflowd policy and data policy are data policies, but if you are doing configure, apply and execute at the level of the control plane, those are control policies. So control policy and VPN membership policy are actually control policies. Then what about lists? We have discussed lists: if it is a data prefix list, it is used inside data policy.
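To make the C-A-E split and the bidirectional apply concrete, here is a centralized data policy in vSmart (Viptela) CLI. This is an added example, not configuration from the course: the list and policy names, site-id 1 for branch one, and the 10.40.0.0/16 guest and 10.0.0.0/8 management prefixes are all assumed values. It is configured and applied on vSmart, but the vEdge at site 1 downloads it and executes the drop on its own forwarding plane, and the single `all` keyword covers both directions, where a control policy would be applied `in` or `out`.

```text
! Added example (not the course's own configuration): centralized data policy.
! Assumed values: guest prefix 10.40.0.0/16, management prefix 10.0.0.0/8,
! guest VPN 40, branch one = site-id 1, list and policy names.
policy
 lists
  data-prefix-list GUEST_NET
   ip-prefix 10.40.0.0/16
  !
  data-prefix-list MGMT_NET
   ip-prefix 10.0.0.0/8
  !
  vpn-list VPN40
   vpn 40
  !
  site-list BRANCH1
   site-id 1
  !
 !
 data-policy GUEST_NO_MGMT
  vpn-list VPN40
   sequence 10
    match
     source-data-prefix-list GUEST_NET
     destination-data-prefix-list MGMT_NET
    !
    action drop
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCH1
  data-policy GUEST_NO_MGMT all
 !
!
```

Note the data-prefix-lists: a data policy matches packet headers, so it uses data prefix lists, whereas the prefix lists described next match OMP routes in control policy. The explicit `default-action accept` matters here as well; without it the default is to drop everything in VPN 40 that sequence 10 did not match.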

If it is a prefix list, it is used inside control policy. Then we can create site lists, TLOC lists and VPN lists. In the policy section, one by one, we will create the policies and utilize them. Again you can see the architecture: in an individual policy you go to the sequence number, match, and take action. So remember this: match, take action, and then the default action. You are in the sequence number, you match, you take action, and then there is the default action, which by default is reject. So how can you create the policy? What is the construct of a policy, how does it look? Here you will see your policy has three portions: inside policy you define the interesting traffic, so you define the lists, that is part one; then you define the policy construct.

So the policy name, the match, the action and the default action, that is part two; and the third part is that you have to apply the policy, very straightforward. So let's take one example. As per our given diagram, I will create one loopback, loopback 77, inside VPN 10 on branch one, on vEdge 2, the second router in branch one. The moment you create that loopback with an IP address, since OMP by default has advertise connected and advertise static configured, it is automatically advertised to vSmart. vSmart works as a route reflector, so it sends it to all the devices: all the data center devices and all the branch devices. Correct? So what I want to do with the control policy is that all the devices in the fabric get this 77 network except branch two. Okay? So how do we build that policy? To build this policy you go and create the lists first of all.

So you go and create the lists. You create a prefix list that contains the loopback 77 prefix (I will show you in the lab). You create a VPN list because you want to apply the policy to VPN 10. You create a site list because you always apply the policy with respect to a site list. So this is your interesting traffic. Next, you define the policy, a control policy: in the control policy go to sequence 10, match the route with VPN list VPN 10 and the 77 prefix list, and take the action reject. Then go to the default action and accept the rest of the traffic. Then you apply this policy only to branch two. So these are the steps. Let me stop here, and in the next section I will log into the devices and create this policy.
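The three-part construct from the overview (lists, policy definition, apply-policy) and the loopback-77 steps just listed, written out in vSmart (Viptela) CLI. This is an added example and not the course's own lab configuration: the prefix 77.77.77.77/32, site-id 2 for branch two and the list and policy names are assumed placeholders. The `out` direction follows the direction explanation above, since the goal is to stop vSmart from reflecting the route towards branch two.

```text
! Added example (not the course's own configuration): control policy that keeps
! the loopback-77 route from reaching branch two.
! Assumed values: prefix 77.77.77.77/32, VPN 10, branch two = site-id 2,
! list and policy names.
policy
 lists
  prefix-list LOOPBACK77
   ip-prefix 77.77.77.77/32
  !
  vpn-list VPN10
   vpn 10
  !
  site-list BRANCH2
   site-id 2
  !
 !
 control-policy BLOCK_LOOPBACK77
  sequence 10
   match route
    prefix-list LOOPBACK77
    vpn-list VPN10
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list BRANCH2
  control-policy BLOCK_LOOPBACK77 out
 !
!
```

Sequence 10 rejects only the matched route; the explicit `default-action accept` lets every other OMP route through to branch two, which is the step that is easy to forget because the implicit default is reject. Because the policy is applied `out`, it executes on vSmart as it reflects routes to site 2, and the loopback is still known to vSmart and to every other site. Confirm the result from the branch-two vEdge with `show omp routes`, where the 77 prefix should be absent while the other VPN 10 routes remain.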
