Policy
A centralized policy can be built as either a feature policy or a CLI policy. This example focuses on feature policy. A centralized policy comprises control policies, data policies and references to policy objects, and is applied to all the sites. Only one centralized policy can be active at any given time.
Classes
centralized_policies (sdwan)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
feature_policies | List | [feature_policies] | No | |
feature_policies (sdwan.centralized_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9\-_]{1,127}$ | Yes | |
description | String | | Yes | |
hub_and_spoke_topology | List | [hub_and_spoke_topology] | No | |
mesh_topology | List | [mesh_topology] | No | |
custom_control_topology | List | [custom_control_topology] | No | |
vpn_membership | List | [vpn_membership] | No | |
application_aware_routing | List | [application_aware_routing] | No | |
traffic_data | List | [traffic_data] | No | |
cflowd | List | [cflowd] | No | |
hub_and_spoke_topology (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
mesh_topology (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
custom_control_topology (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
site_region | Class | [site_region] | Yes | |
vpn_membership (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
application_aware_routing (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
site_region_vpn | Class | [site_region_vpn] | No | |
traffic_data (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
site_region_vpn | List | [site_region_vpn] | No | |
cflowd (sdwan.centralized_policies.feature_policies)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
policy_definition | String | | Yes | |
site_lists | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | Yes | |
site_region (sdwan.centralized_policies.feature_policies.custom_control_topology)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
site_lists_in | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
site_lists_out | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
region_lists_in | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
region_lists_out | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
region_in | Integer | min: 0 , max: 63 | No | |
region_out | Integer | min: 0 , max: 63 | No | |
site_region_vpn (sdwan.centralized_policies.feature_policies.application_aware_routing)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
site_lists | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
region_list | String | Regex: ^[A-Za-z0-9\-_]{1,32}$ | No | |
region | Integer | min: 0 , max: 63 | No | |
vpn_lists | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | Yes | |
site_region_vpn (sdwan.centralized_policies.feature_policies.traffic_data)
Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
direction | Choice | service , tunnel , all | Yes | |
site_lists | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | No | |
region_list | String | Regex: ^[A-Za-z0-9\-_]{1,32}$ | No | |
region | Integer | min: 0 , max: 63 | No | |
vpn_lists | List | String[Regex: ^[A-Za-z0-9\-_]{1,32}$ ] | Yes | |
Examples
Example-1: In the following example, the centralized policy is named CP-Hub-and-Spoke-01 and is stitched together from the following policies:
1. Control policies
   - TOPOLOGY-DC-OUT-01, which is applied to sites defined in site list CENTRAL-DC in the out direction
   - TOPOLOGY-BR-T1-01, which is applied to sites defined in site list BR-T1 in the out direction
   - TOPOLOGY-BR-T2-01, which is applied to sites defined in site list BR-T2 in the out direction
2. Traffic data policies
   - DP-VPN10-01, which is applied to sites defined in site lists CENTRAL-DC and BR-ALL for the VPN list defined in VPN-PROD
   - DP-VPN11-01, which is applied to sites defined in site lists CENTRAL-DC and BR-ALL for the VPN list defined in VPN-Guest
3. Application-aware routing
   - AAR-Policy-01, which is applied to sites defined in site lists CENTRAL-DC and BR-ALL for the VPN list defined in VPN-PROD
4. cflowd policy
   - CFLOW_DEFINITION_v01, which is applied to sites defined in site list DC-BR-ALL
```yaml
sdwan:
  centralized_policies:
    feature_policies:
      - name: CP-Hub-and-Spoke-01
        description: Hub and Spoke | AAR | DP for QoS | cFlow
        custom_control_topology:
          - policy_definition: TOPOLOGY-DC-OUT-01
            site_region:
              site_lists_out:
                - CENTRAL-DC
          - policy_definition: TOPOLOGY-BR-T1-01
            site_region:
              site_lists_out:
                - BR-T1
          - policy_definition: TOPOLOGY-BR-T2-01
            site_region:
              site_lists_out:
                - BR-T2
        traffic_data:
          - policy_definition: DP-VPN10-01
            site_region_vpn:
              - direction: service
                site_lists:
                  - CENTRAL-DC
                  - BR-ALL
                vpn_lists:
                  - VPN-PROD
          - policy_definition: DP-VPN11-01
            site_region_vpn:
              - direction: service
                site_lists:
                  - CENTRAL-DC
                  - BR-ALL
                vpn_lists:
                  - VPN-Guest
        application_aware_routing:
          - policy_definition: AAR-Policy-01
            site_region_vpn:
              site_lists:
                - CENTRAL-DC
                - BR-ALL
              vpn_lists:
                - VPN-PROD
        cflowd:
          - policy_definition: CFLOW_DEFINITION_v01
            site_lists:
              - DC-BR-ALL
```
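
An added example, not part of the original page or the project's own tooling: a Python pre-deployment check that applies the constraints from the class tables (name and list-name regexes, region range 0 to 63, mandatory keys, traffic_data direction choices) to one feature_policies entry, so a malformed policy is rejected before it is activated. The helper names, the NAME_KEYS and REGION_KEYS groupings and SAMPLE_BAD are assumptions made for illustration.

```python
# Added example: helper names are hypothetical; constraints come from the class tables.
import re

NAME_RE = re.compile(r"^[A-Za-z0-9\-_]{1,127}$")  # feature_policies.name
LIST_RE = re.compile(r"^[A-Za-z0-9\-_]{1,32}$")   # site, region and VPN list names
DIRECTIONS = ("service", "tunnel", "all")          # traffic_data direction choices
NAME_KEYS = ("site_lists", "site_lists_in", "site_lists_out", "region_lists_in",
             "region_lists_out", "region_list", "vpn_lists")
REGION_KEYS = ("region", "region_in", "region_out")

def check_scope(errs, path, scope, required=()):
    """Check one mapping: mandatory keys, list-name regex, region range."""
    errs.extend(f"{path}.{key}: mandatory" for key in required if scope.get(key) is None)
    for key in NAME_KEYS:
        vals = scope.get(key) or []
        for val in vals if isinstance(vals, list) else [vals]:
            if not LIST_RE.fullmatch(str(val)):
                errs.append(f"{path}.{key}: bad list name {val!r}")
    for key in REGION_KEYS:
        # type() rather than isinstance() so that YAML booleans are rejected
        if (val := scope.get(key)) is not None and not (type(val) is int and 0 <= val <= 63):
            errs.append(f"{path}.{key}: must be an integer from 0 to 63")

def validate_feature_policy(fp):
    """Return the constraint violations for one feature_policies entry."""
    errs = []
    if not NAME_RE.fullmatch(str(fp.get("name", ""))):
        errs.append("name: must match ^[A-Za-z0-9\\-_]{1,127}$")
    check_scope(errs, "feature_policy", fp, required=("description",))
    for kind in ("custom_control_topology", "application_aware_routing", "traffic_data", "cflowd"):
        for i, entry in enumerate(fp.get(kind) or []):
            path = f"{kind}[{i}]"
            if kind == "custom_control_topology":
                check_scope(errs, path, entry, required=("policy_definition", "site_region"))
                check_scope(errs, f"{path}.site_region", entry.get("site_region") or {})
            elif kind == "cflowd":
                check_scope(errs, path, entry, required=("policy_definition", "site_lists"))
            else:
                check_scope(errs, path, entry, required=("policy_definition",))
                srv = entry.get("site_region_vpn") or []  # Class for AAR, List for traffic_data
                for j, scope in enumerate(srv if isinstance(srv, list) else [srv]):
                    spath = f"{path}.site_region_vpn[{j}]"
                    check_scope(errs, spath, scope, required=("vpn_lists",))
                    if kind == "traffic_data" and scope.get("direction") not in DIRECTIONS:
                        errs.append(f"{spath}.direction: must be one of {DIRECTIONS}")
    return errs

# Constructed sample (not from the page): space in name, bad direction, region 64, no vpn_lists.
SAMPLE_BAD = {"name": "CP 01", "description": "demo", "traffic_data": [{"policy_definition": "DP-VPN10-01",
              "site_region_vpn": [{"direction": "both", "region": 64}]}]}
```

Load the YAML file with a safe loader and pass each item of `sdwan.centralized_policies.feature_policies` to `validate_feature_policy`; an empty list means the entry satisfies the constraints checked here.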