Application Priority Traffic Policy

Version:

Application Priority Traffic Policy enables intelligent traffic steering and quality of service management by combining Application Aware Routing with traffic classification and action enforcement. Policies define sequences that match specific traffic patterns based on applications, IP addresses, ports, or DSCP values, and apply targeted actions such as SLA-based path selection, QoS remarking, NAT configuration, security service insertion, and application optimization to ensure optimal network performance and user experience.

Diagram

Classes

application_priority_profiles (sdwan.feature_profiles)

Name	Type	Constraint	Mandatory	Default Value
traffic_policies	List	`[traffic_policies]`	No

traffic_policies (sdwan.feature_profiles.application_priority_profiles)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[^&<>! "]{1,128}$`	Yes
description	String		No
default_action	Choice	`accept`, `drop`	Yes
direction	Choice	`all`, `service`, `tunnel`	Yes
sequences	List	`[sequences]`	Yes
vpns	List	String	Yes

sequences (sdwan.feature_profiles.application_priority_profiles.traffic_policies)

Name	Type	Constraint	Mandatory	Default Value
sequence_id	Integer	min: `1`, max: `65534`	Yes
sequence_name	String	Regex: `^[^&<>! "]{1,128}$`	Yes
base_action	Choice	`accept`, `drop`	Yes
protocol	Choice	`ipv4`, `ipv6`, `all`	No	`ipv4`
match_entries	Class	`[match_entries]`	No
actions	Class	`[actions]`	No

match_entries (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences)

Name	Type	Constraint	Mandatory
application_list	String	Regex: `^[^&<>! "]{1,128}$`	No
destination_data_ipv4_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
destination_data_ipv6_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
destination_ipv4_prefix	IP		No
destination_ipv6_prefix	IP		No
destination_ports	List	Integer[min: `0`, max: `65535`]	No
destination_region	Choice	`primary-region`, `secondary-region`, `other-region`	No
dns	Choice	`request`, `response`	No
dns_application_list	String	Regex: `^[^&<>! "]{1,128}$`	No
dscps	List	Integer[min: `0`, max: `63`]	No
icmp_messages	List	Choice[`administratively-prohibited`, `dod-host-prohibited`, `dod-net-prohibited`, `echo`, `echo-reply`, `echo-reply-no-error`, `extended-echo`, `extended-echo-reply`, `general-parameter-problem`, `host-isolated`, `host-precedence-unreachable`, `host-redirect`, `host-tos-redirect`, `host-tos-unreachable`, `host-unknown`, `host-unreachable`, `interface-error`, `malformed-query`, `multiple-interface-match`, `net-redirect`, `net-tos-redirect`, `net-tos-unreachable`, `net-unreachable`, `network-unknown`, `no-room-for-option`, `option-missing`, `packet-too-big`, `parameter-problem`, `photuris`, `port-unreachable`, `precedence-unreachable`, `protocol-unreachable`, `reassembly-timeout`, `redirect`, `router-advertisement`, `router-solicitation`, `source-route-failed`, `table-entry-error`, `time-exceeded`, `timestamp-reply`, `timestamp-request`, `ttl-exceeded`, `unreachable`]	No
icmp6_messages	List	Choice[`beyond-scope`, `cp-advertisement`, `cp-solicitation`, `destination-unreachable`, `dhaad-reply`, `dhaad-request`, `echo-reply`, `echo-request`, `header`, `hop-limit`, `ind-advertisement`, `ind-solicitation`, `mld-query`, `mld-reduction`, `mld-report`, `mldv2-report`, `mpd-advertisement`, `mpd-solicitation`, `mr-advertisement`, `mr-solicitation`, `mr-termination`, `nd-na`, `nd-ns`, `next-header-type`, `ni-query`, `ni-query-name`, `ni-query-v4-address`, `ni-query-v6-address`, `ni-response`, `ni-response-qtype-unknown`, `ni-response-refuse`, `ni-response-success`, `no-admin`, `no-route`, `packet-too-big`, `parameter-option`, `parameter-problem`, `port-unreachable`, `reassembly-timeout`, `redirect`, `reject-route`, `renum-command`, `renum-result`, `renum-seq-number`, `router-advertisement`, `router-renumbering`, `router-solicitation`, `rpl-control`, `source-policy`, `source-route-header`, `time-exceeded`, `unreachable`]	No
packet_length	Integer	min: `1`, max: `65535`	No
protocols	List	Integer[min: `0`, max: `255`]	No
saas_application_list	String	Regex: `^[^&<>! "]{1,128}$`	No
service_areas	List	Choice[`common`, `exchange`, `sharepoint`, `skype`]	No
source_data_ipv4_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
source_data_ipv6_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
source_ipv4_prefix	IP		No
source_ipv6_prefix	IP		No
source_ports	List	Integer[min: `0`, max: `65535`]	No
tcp	Choice	`syn`	No
traffic_category	Choice	`optimize-allow`, `optimize`, `all`	No
traffic_class	Choice	`gold-voip-telephony`, `gold-broadcast-video`, `gold-real-time-interactive`, `gold-multimedia-conferencing`, `gold-multimedia-streaming`, `gold-network-control`, `gold-signaling`, `gold-ops-admin-mgmt`, `gold-transactional-data`, `gold-bulk-data`, `silver`, `bronze`	No
traffic_to	Choice	`access`, `core`, `service`	No

actions (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences)

Name	Type	Constraint	Mandatory
appqoe_optimization	Class	`[appqoe_optimization]`	No
backup_sla_preferred_colors	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
cflowd	Boolean	`true`, `false`	No
cloud_probe	Boolean	`true`, `false`	No
cloud_saas	Boolean	`true`, `false`	No
counter_name	String	min: `1`, max: `20`	No
dscp	Integer	min: `0`, max: `63`	No
forwarding_class	String	Regex: `^[^&<>! "]{1,128}$`	No
local_tloc	Class	`[local_tloc]`	No
log	Boolean	`true`, `false`	No
loss_correct_fec_threshold	Integer	min: `1`, max: `5`	No
loss_correct_type	Choice	`fec-always`, `fec-adaptive`, `packet-duplication`	No
nat_pool	Integer	min: `1`, max: `31`	No
nat_vpn	Class	`[nat_vpn]`	No
next_hop_ipv4	IP		No
next_hop_ipv6	IP		No
next_hop_loose	Boolean	`true`, `false`	No
policer_list	String	Regex: `^[^&<>! "]{1,128}$`	No
preferred_color_group	String	Regex: `^[^&<>! "]{1,128}$`	No
preferred_remote_color_restrict	Boolean	`true`, `false`	No
preferred_remote_colors	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
redirect_dns_type	Choice	`ip-address`, `dns-host`	No
redirect_dns_target	Choice	`umbrella`, `host`	No
sig_sse	Class	`[sig_sse]`	No
service	Class	`[service]`	No
service_chain	Class	`[service_chain]`	No
sla_class	Class	`[sla_class]`	No
tloc	Class	`[tloc]`	No
vpn	Integer	min: `0`, max: `65530`	No

appqoe_optimization (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
dre_optimization	Boolean	`true`, `false`	No
service_node_group	String	Regex: `^(SNG-APPQOE\|(SNG-APPQOE([1-9]\|[1-2][0-9]\|3[0-1])))$`	No
tcp_optimization	Boolean	`true`, `false`	No

local_tloc (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
colors	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
encapsulation	Choice	`gre`, `ipsec`	No
restrict	Boolean	`true`, `false`	No

nat_vpn (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
bypass	Boolean	`true`, `false`	No
dia_interfaces	List	String	No
dia_pools	List	Integer[min: `1`, max: `4095`]	No
fallback	Boolean	`true`, `false`	No
nat_vpn_0	Boolean	`true`, `false`	No

sig_sse (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
fallback_to_routing	Boolean	`true`, `false`	No
internet_gateway	Boolean	`true`, `false`	No
service_edge	Boolean	`true`, `false`	No
service_edge_instance	Choice	`cisco-secure-access`, `zscaler`	No

service (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
local	Boolean	`true`, `false`	No
restrict	Boolean	`true`, `false`	No
tloc_color	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
tloc_encapsulation	Choice	`gre`, `ipsec`	No
tloc_ip	IP		No
tloc_list	String	Regex: `^[^&<>! "]{1,128}$`	No
type	Choice	`fw`, `ids`, `idp`, `netsvc1`, `netsvc2`, `netsvc3`, `netsvc4`, `appqoe`	No
vpn	Integer	min: `0`, max: `65530`	No

service_chain (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
fallback_to_routing	Boolean	`true`, `false`	No
local	Boolean	`true`, `false`	No
tloc_color	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
tloc_encapsulation	Choice	`gre`, `ipsec`	No
tloc_ip	IP		No
tloc_list	String	Regex: `^[^&<>! "]{1,128}$`	No
type	Choice	`sc1`, `sc2`, `sc4`, `sc5`, `sc6`, `sc7`, `sc8`, `sc9`, `sc10`, `sc11`, `sc12`, `sc13`, `sc14`, `sc15`, `sc16`	No
vpn	Any	Integer[min: `1`, max: `511`] or Integer[min: `513`, max: `65530`]	No

sla_class (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
fallback_to_best_path	Boolean	`true`, `false`	No
preferred_colors	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
preferred_color_group	String	Regex: `^[^&<>! "]{1,128}$`	No
preferred_remote_colors	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
remote_color_restrict	Boolean	`true`, `false`	No
sla_class_list	String	Regex: `^[^&<>! "]{1,128}$`	No
strict	Boolean	`true`, `false`	No

tloc (sdwan.feature_profiles.application_priority_profiles.traffic_policies.sequences.actions)

Name	Type	Constraint	Mandatory
color	List	Choice[`3g`, `biz-internet`, `blue`, `bronze`, `custom1`, `custom2`, `custom3`, `default`, `gold`, `green`, `lte`, `metro-ethernet`, `mpls`, `private1`, `private2`, `private3`, `private4`, `private5`, `private6`, `public-internet`, `red`, `silver`]	No
encapsulation	Choice	`gre`, `ipsec`	No
list	String	Regex: `^[^&<>! "]{1,128}$`	No
ip	IP		No

Configuration Prerequisites

Traffic policies reference VPNs that must be defined in service profiles. The examples below reference vpn10 and vpn20, which should be configured:

sdwan:
  feature_profiles:
    service_profiles:
      - name: branch-service-profile
        lan_vpns:
          - name: vpn10
            vpn_id: 10
          - name: vpn20
            vpn_id: 20

Additionally, the examples reference policy objects that should be predefined:

Application lists (voice-apps, video-apps, business-apps, etc.)
SLA class lists (sla-voice, sla-video, sla-business, etc.)
Forwarding class lists (class-realtime, class-video, class-business, etc.)
Data prefix lists (dpl-bogon-addresses)
Color groups (color-group-mpls-biz)
Policer lists (policer-business)
Service node groups (sng-appqoe)

Examples

Example 1: This example demonstrates Application Aware Routing functionality for intelligent path selection, matching traffic based on application groups (voice-apps, business-apps, etc.) and applying SLA class steering with preferred colors or color groups, with options for strict enforcement or fallback to best path when SLA is not met. Each sequence has counter enabled for monitoring.

sdwan:
  feature_profiles:
    application_priority_profiles:
      - name: branch-app-priority-profile
        traffic_policies:
          - name: aar-branch-policy
            description: Application Aware Routing policy for branch offices
            default_action: accept
            vpns:
              - vpn10
              - vpn20
            direction: service
            sequences:
              - sequence_id: 1
                sequence_name: aar_voice
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: voice-apps
                actions:
                  sla_class:
                    sla_class_list: sla-voice
                    preferred_colors:
                      - mpls
                      - metro-ethernet
                    strict: true
                  counter_name: aar-voice-counter
                  log: true
              - sequence_id: 2
                sequence_name: aar_video
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: video-apps
                actions:
                  sla_class:
                    sla_class_list: sla-video
                    preferred_colors:
                      - mpls
                      - biz-internet
                    fallback_to_best_path: true
                  counter_name: aar-video-counter
                  log: true
              - sequence_id: 3
                sequence_name: aar_business
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: business-apps
                actions:
                  sla_class:
                    sla_class_list: sla-business
                    preferred_color_group: color-group-mpls-biz
                    fallback_to_best_path: true
                  counter_name: aar-business-counter
                  log: true
              - sequence_id: 4
                sequence_name: aar_bulk
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: bulk-apps
                actions:
                  sla_class:
                    sla_class_list: sla-bulk
                    preferred_colors:
                      - biz-internet
                    fallback_to_best_path: true
                  counter_name: aar-bulk-counter
                  log: true
              - sequence_id: 5
                sequence_name: aar_default
                base_action: accept
                protocol: ipv4
                match_entries:
                  source_ipv4_prefix: 0.0.0.0/0
                actions:
                  sla_class:
                    sla_class_list: sla-default
                    preferred_colors:
                      - biz-internet
                    fallback_to_best_path: true
                  counter_name: aar-default-counter
                  log: true

Example 2: This example demonstrates Traffic Policy configuration with Quality of Service (QoS) actions, matching traffic based on application groups (voice-apps, business-apps, etc.) and applying DSCP marking, forwarding class assignment, and for lower priority applications steering traffic to specific transport with restrict option enabled. Each sequence has counter configured for monitoring.

sdwan:
  feature_profiles:
    application_priority_profiles:
      - name: vpn10-app-priority-profile
        traffic_policies:
          - name: qos-vpn10-policy
            description: QoS traffic policy for VPN 10
            default_action: accept
            vpns:
              - vpn10
            direction: service
            sequences:
              - sequence_id: 1
                sequence_name: traffic_qos_voice
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: voice-apps
                actions:
                  dscp: 46
                  forwarding_class: class-realtime
                  counter_name: qos-voice-counter
                  log: true
              - sequence_id: 2
                sequence_name: traffic_qos_video
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: video-apps
                actions:
                  dscp: 34
                  forwarding_class: class-video
                  loss_correct_type: fec-adaptive
                  loss_correct_fec_threshold: 3
                  counter_name: qos-video-counter
                  log: true
              - sequence_id: 3
                sequence_name: traffic_qos_business
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: business-apps
                actions:
                  dscp: 26
                  forwarding_class: class-business
                  policer_list: policer-business
                  counter_name: qos-business-counter
                  log: true
              - sequence_id: 4
                sequence_name: traffic_qos_bulk
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: bulk-apps
                actions:
                  dscp: 10
                  forwarding_class: class-bulk
                  appqoe_optimization:
                    tcp_optimization: true
                    dre_optimization: true
                    service_node_group: SNG-APPQOE2
                  counter_name: qos-bulk-counter
                  log: true
              - sequence_id: 5
                sequence_name: low_priority_tloc
                base_action: accept
                protocol: ipv4
                match_entries:
                  application_list: low-priority-apps
                actions:
                  dscp: 8
                  forwarding_class: class-low-priority
                  local_tloc:
                    colors:
                      - biz-internet
                    encapsulation: ipsec
                    restrict: true
                  counter_name: qos-low-priority-counter
                  log: true

Example 3: This example demonstrates Direct Internet Access (DIA) policy for Guest VPN, matching on data prefix list to drop traffic to specific destinations (BOGON addresses) and in another sequence steering traffic to VPN 0 with NAT action for internet access.

sdwan:
  feature_profiles:
    application_priority_profiles:
      - name: guest-vpn-app-priority-profile
        traffic_policies:
          - name: dia-guest-vpn-policy
            description: DIA policy for Guest VPN
            default_action: accept
            vpns:
              - vpn20
            direction: service
            sequences:
              - sequence_id: 1
                sequence_name: bogon_drop
                base_action: drop
                protocol: ipv4
                match_entries:
                  destination_data_ipv4_prefix_list: dpl-bogon-addresses
                actions:
                  counter_name: bogon-drop-counter
                  log: true
              - sequence_id: 2
                sequence_name: dia_internet
                base_action: accept
                protocol: ipv4
                match_entries:
                  source_ipv4_prefix: 0.0.0.0/0
                actions:
                  nat_vpn:
                    nat_vpn_0: true
                  counter_name: dia-counter
                  log: true