Part 2: Cisco SD-WAN Centralized and Localized Policies (Exam Prep Series, ENSDWI 300-415)

Policies are the mechanism through which a network administrator configures the SD-WAN overlay network to meet business requirements. In simple words, the fabric builds itself in a default way, and whenever that default behavior needs to be changed, you need a policy. One such example is the overlay topology: it is full mesh by default, and if you need hub-and-spoke or partial mesh instead, you need a policy.

Types of policies
At a high level there are two types of policies: centralized policies and localized policies.

  • Centralized policies affect the whole SD-WAN overlay network; their impact can be network-wide.
  • Localized policies affect an individual site or device; the traffic they act on may or may not be part of the overlay.
Centralized Policies
Centralized policies are further classified as control policies and data policies.

1. Centralized Control Policies:
Used to manipulate the structure of the SD-WAN overlay by filtering and modifying the control-plane information (OMP routes and TLOCs) that vSmart advertises to the WAN Edge routers. In vManage a centralized control policy is also called a topology policy.

Examples of control policy are topology and traffic-engineering policies [hub-and-spoke or partial mesh instead of full mesh; preferring one site or TLOC over another for a specific destination] and VPN membership policy [limiting which sites receive the routes of a given VPN; for example, sites with a guest VPN should forward guest traffic straight to the internet rather than learn routes to the rest of the enterprise].
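As an added example (not taken from the original page or from Cisco documentation), the following vSmart-style policy turns the default full mesh into hub-and-spoke for a set of branch sites. The site IDs, TLOC address and list names are assumed values chosen for illustration:

```text
policy
 lists
  site-list HUB
   site-id 100
  !
  site-list SPOKES
   site-id 200-299
  !
 !
 control-policy HUB-AND-SPOKE
  ! Sequence 10: let spokes learn routes that originate at the hub site.
  sequence 10
   match route
    site-list HUB
   !
   action accept
   !
  !
  ! Sequence 20: let spokes learn only the hub's TLOCs, so they can
  ! build IPsec tunnels to the hub but never to each other.
  sequence 20
   match tloc
    site-list HUB
   !
   action accept
   !
  !
  ! Everything else (spoke routes, spoke TLOCs) is dropped before
  ! it is advertised; this is what breaks the spoke-to-spoke mesh.
  default-action reject
 !
!
apply-policy
 ! Applied outbound toward the spokes: vSmart filters what it
 ! advertises to sites 200-299. The hub keeps its full view.
 site-list SPOKES
  control-policy HUB-AND-SPOKE out
 !
!
```

Two points worth remembering for the exam and in practice: the filtering happens on vSmart, so the spoke never sees the other spokes' TLOCs and cannot form a tunnel to them; and the hub must therefore have routes for all spoke prefixes (it does, because the policy is not applied toward the hub), otherwise spoke-to-spoke traffic that transits the hub has nowhere to go.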

2. Centralized Data Policies:
Used to manipulate the data plane directly by altering how traffic is forwarded through the SD-WAN overlay. In the vManage GUI a data policy is also called a traffic policy.

Examples of data policy are traffic data policies [Direct Internet Access (DIA), network service insertion, packet duplication and Forward Error Correction (FEC)], application-aware routing [traffic is always carried over a tunnel that meets a minimum SLA for loss, latency and jitter] and cflowd policy [flow-record export, which makes per-flow information available for analysis].
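As an added example (again not from the original page or from Cisco documentation), here is a centralized data policy for the DIA case above: guest-VPN traffic destined for the internet is NAT-ed out of the local transport interface instead of being carried across the overlay, while traffic to internal prefixes stays on the fabric. VPN number, site IDs, prefix and list names are assumed values:

```text
policy
 lists
  site-list BRANCHES
   site-id 200-299
  !
  vpn-list GUEST
   vpn 10
  !
  prefix-list INTERNAL
   ip-prefix 10.0.0.0/8
  !
 !
 data-policy GUEST-DIA
  vpn-list GUEST
   ! Sequence 10: anything for the internal address space is left
   ! alone and forwarded normally across the overlay.
   sequence 10
    match
     destination-data-prefix-list INTERNAL
    !
    action accept
    !
   !
   ! Sequence 20: everything else is sent out of VPN 0 through NAT.
   ! "nat fallback" returns the flow to the overlay if the local
   ! NAT interface is down instead of black-holing it.
   sequence 20
    match
     source-ip 0.0.0.0/0
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   default-action accept
  !
 !
!
apply-policy
 ! from-service: evaluated on traffic entering the router from the
 ! LAN (service side), which is the direction DIA applies to.
 site-list BRANCHES
  data-policy GUEST-DIA from-service
 !
!
```

Unlike a control policy, this policy is not enforced on vSmart: vSmart advertises it to the matching WAN Edge routers over OMP and each edge applies it in its own forwarding path. For the NAT action to work, NAT must also be enabled on the branch router's VPN 0 transport interface. From a security standpoint, DIA moves guest traffic out of whatever inspection sits in the data center, so it is normally paired with the edge-side security policies (firewall, URL filtering, DNS security) described under localized policies below.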

Fig 1.1- Cisco Viptela SDWAN: Centralized Policies 

Activating the Centralized Policy:
vManage is the central platform for configuring the entire SD-WAN fabric; management, monitoring, configuration and troubleshooting are all performed there, and policy configuration is no exception. Once a centralized policy is built in vManage it must be activated. On activation, vManage writes the policy to the vSmart controllers (because vSmart is the control plane that centrally manages the fabric), using NETCONF to push the configuration. From that point the policy is a persistent part of the vSmart configuration. vSmart enforces centralized control policies itself, while centralized data policies are advertised from vSmart to the relevant WAN Edge routers over OMP and enforced there.

Localized Policy
Like centralized policies, localized policies can modify both the control plane and the data plane. However, their scope is limited to a single WAN Edge router, and they are delivered to that router as part of its device configuration rather than through vSmart.

Localized Control Policies
Localized control policies, also known as route policies, are used to filter and manipulate the routes a WAN Edge router exchanges with or learns from the routing protocols outside the SD-WAN overlay, such as BGP, OSPF and EIGRP. They also control redistribution between OMP and those standard protocols, in either direction.

Localized Data Policies
Localized data policies affect the data plane of an individual router. They include:
  • Quality of Service: configured on the WAN Edge router to perform shaping, policing, congestion avoidance and congestion management.
  • Access Lists: access control lists that filter traffic at the interface level; they can also mark or re-mark traffic for the QoS configuration.
  • Security Policies: the security features of SD-WAN, such as the application-aware (zone-based) firewall, IPS, URL filtering, AMP and DNS security, are part of the localized data policy.
Fig 1.2- Cisco Viptela SDWAN: Localized policies 

Anyone appearing for the exam should have a fair understanding of the different types of SD-WAN policies, where each is enforced and how each is configured. For more information about policies, refer to the Cisco documentation:

