Policy Groups

Policy Groups

Table 1. Feature History

Feature Name

Release Information

Description

Policy Groups

Cisco IOS XE 17.13.1a

This feature provides a simple, reusable, and structured approach to configuring policies for SD-Routing devices .

Information About Policy Groups

Policy groups simplify the experience of configuring and deploying various policies on SD-Routing devices. Policy groups are a collection of different policies that you can configure through workflows and associate with and deploy on different SD-Routing devices.

Overview of Policy Groups

Policy Groups provide a simple, reusable, and structured approach for configuring policies and policy objects in SD-Routing devices.

Policy groups are a collection of various policies and policy parameters that you can configure quickly through a simplified workflow. Policy groups allows you to configure the basic and necessary policies with defaults to get your systems up and running. The more advanced user can switch to the Advanced layout to take complete control and configure detailed policy parameters such as service-level agreement (SLA) class, Quality of Service (QoS) Maps, and Match-Action parameters pertaining to the traffic policy. After creating a policy group, you can associate it with one or more sites or a single device at the site in the network and deploy it on devices managed by configuration groups.

After you've configured a policy group, you can deploy it by using the Deploy Policy Group Workflow.

Overview of Policy Group Workflows

The policy group workflow guides you in creating a policy group for one or more sites or a single device at the site in the network that is managed by configuration groups in SD-Routing devices. The workflow provides you with an improved configuration and troubleshooting experience. The workflow has the following features:

  • You can review the various configuration values on a single page within the workflow.

  • You can easily identify and fix incorrect values that appear highlighted in red. In addition, an asterisk that is adjacent to a field name helps you identify the mandatory values within the workflow.

Deploy Policy Group Workflow

You can access the workflow by choosing Workflows > Deploy Policy Group menu in Cisco SD-WAN Manager.

The Deploy Policy Group workflow enables you to associate devices with a previously created policy group and deploy the policy group to the selected devices. You can review device configurations to further add Site IDs and other variables that must be provided as part of a policy group before deploying the policy group.

Benefits of Policy Groups

  • Simplified user experience through an intuitive UI that allows you to quickly configure the basic policies that are required to get your deployments up and running.

  • Option to edit policy groups based on the changing needs of your network and save the configuration. You can choose to deploy these changes only when needed - during maintenance windows or in off-production hours.

  • A Preview CLI option to preview the difference in configuration for relevant devices such as Cisco SD-WAN device and SD-Routing device in one location.

  • Workflows to deploy policy groups.

Restrictions for Policy Groups

  • You cannot deploy policy groups to devices that are not already managed by a configurations group.

Group of Interest - Policy

Group of interest provides a list of related policy objects that you can configure and call in the match or action components of a policy. Click Group of Interest to create new objects for the policy group as described in the following sections:

Application

  1. Click Application.

  2. Click Add Application .

  3. From the Application/Application family list drop-down, choose the required applications or application families.

  4. Click Save.

A few application lists are preconfigured. You cannot edit or delete these lists.

Microsoft_Apps: Includes Microsoft applications, such as Excel, Skype, and Xbox. To display a full list of Microsoft applications, click the list in the Entries column.

Google_Apps: Includes Google applications, such as Gmail, Google Maps, and YouTube. To display a full list of Google applications, click the list in the Entries column.

Color

  1. Click Color.

  2. Click New Color List and specify the following:

    Field

    Description

    Color List Name

    Enter a name for the list.

    Select Color

    Choose one or more color lists types from the drop-down list.

  3. Click Add.

To configure multiple colors in a single list, you can choose multiple colors from the drop-down list.

Community List

A community list is used to create groups of communities to use in a match clause of a route map. A community list can be used to control which routes are accepted, preferred, distributed, or advertised. You can also use a community list to set, append, or modify the communities of a route.

  1. Click Community List.

  2. Click Add Community List and specify the following:

    Field

    Description

    Community List Name

    Enter a name of the community list.

    Add Community

    Enter one or more communities separated by commas.

    • aa:nn: Autonomous System (AS) number and network number. Each number is a 2-byte value with a range from 1 to 65535. For example, 65526.

    • internet: Routes in this community are advertised to the internet community. This community comprises all BGP-speaking networking devices.

    • local-as: Routes in this community are not advertised outside the local AS number.

    • no-advertise: Attaches the NO_ADVERTISE community to routes. Routes in this community are not advertised to other BGP peers.

    • no-export: Attaches the NO_EXPORT community to routes. Routes in this community are not advertised outside the local AS or outside a BGP confederation boundary. To configure multiple BGP communities in a single list, include multiple community options, specifying one community in each option.

  3. Click Save.

Data Prefix

  1. Click Data Prefix.

  2. Click Add Data Prefix.

  3. In the Data Prefix list dialog box, specify the following:

    Field

    Description

    Data Prefix List Name

    Enter a name for the data prefix list.

    Add Data Prefix

    Enter one or more data prefixes separated by commas.

  4. Click Save.

Data Prefix IPv6

  1. Click Data Prefix IPv6.

  2. Click Add Data Prefix IPv6.

  3. In the Data Prefix List dialog box, specify the following:

    Field

    Description

    Data Prefix List Name

    Enter a name for the IPv6 data prefix list.

    Add Data Prefix

    Enter one or more IPv6 data prefixes separated by commas.

  4. Click Save.

Expanded Community List

  1. Click Expanded Community List.

  2. Click Add Expanded Community List and specify the fiollowing:

    Field

    Description

    Community List Name

    Enter a name for the community list.

    Add Community

    Specify details of the expanded community list that is used to filter communities using a regular expression.

Forwarding Class

  1. Click Add Forwarding Class and specify the following:

    Field

    Description

    Forwarding Class

    Enter a name for the forwarding class.

    Queue

    Choose a value for the queue from the drop-down list.

  2. Click Save.

Policer

  1. Click Policer.

  2. Click Add Policer and specify the following:

    Field

    Description

    Policer List Name

    Enter a name for the policer list.

    Burst (bytes)

    Enter the maximum traffic burst size. The range is from 15,000 to 10,000,000 bytes.

    Exceed

    Choose the action to take when the burst size or traffic rate is exceeded. The options are:

    • Drop: sets the packet loss priority (PLP) to low

    • Remark: sets the packet loss priority (PLP) to high

    Rate

    Enter the maximum traffic rate, a value from 8 through 10^11 bits per second (bps).

  3. Click Save.

Preferred Color Group

  1. Click Add Preferred Color Group.

  2. In the Preferred Color Group Name field, enter a name for the preferred color group.

  3. Choose the color preference and path prefernce for the primary, secondary, and tertiary colors from the Color Preference and the Path Preference drop-down lists.

    Field

    Description

    Preferred Color Group Name

    Enter a name for the preferred color group.

    Color Preference

    Choose the color preference from the drop-down list.

    You can choose multiple colors.

    Path Preference

    Choose the path preference from the drop-down list. The options are:

    • Direct Path

    • Multi Hop Path

    • All Paths

  4. Click Save.

Prefix List

  1. Click Prefix List.

  2. Click Add Prefix List and specify the following:

    Field

    Description

    Prefix List Name

    Enter a name for the IPv4 prefix list.

    Add Prefix

    Enter one or more IPv4 prefixes separated by commas.

  3. Click Save.

Prefix List IPv6

  1. Click Prefix List IPv6.

  2. Click Add Prefix List and specify the following:

    Field

    Description

    Prefix List Name

    Enter a name for the IPv6 prefix list.

    Add Prefix

    Enter one or more IPv6 prefixes separated by commas.

  3. Click Save.

SLA Class

  1. Click SLA Class.

  2. Click Add SLA Class and specify the following:

    Field

    Description

    SLA Class List Name

    Enter a name of the SLA class list.

    Loss (%)

    Enter the maximum packet loss on the connection, a value from 0 through 100.

    Latency

    Enter the maximum packet latency on the connection, a value from 1 through 1,000 milliseconds.

    Jitter

    Enter the maximum jitter on the connection, a value from 1 through 1,000 milliseconds.

    App Probe Class

    Choose the app probe class from the drop-down list or click Create New to create one.

    Fallback Best Tunnel

    		 Choose this option to enable the best tunnel criteria.

  3. Click Save.

TLOC List

  1. Click TLOC List.

  2. Click Add TLOC List and specify the following:

    Field

    Description

    List Name

    Enter a name for the TLOC list.

    TLOC IP

    Specify the IP address for TLOC.

    Color

    Choose the color from the drop-down list.

    Encapsulation

    Choose the value from the drop-down list. The options are:

    • IPSec

    • GRE

    Preference

    Choose a preference to associate with the TLOC.

    The range is 0 to 4294967295.

  3. Click Save.

Add Policy Group

To create a new policy group, click Add Policy Group and configure the values in the following table. If you have already created a policy group, click the policy group from the list of available policy groups to edit.

Table 2. Policy group parameters

Field

Description

Policy Group Name

Specify the name of the policy group.

This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.

Description

Provide a description for the policy group.

It can contain up to 2048 characters including spaces.

Policy

Application Priority & SLA

Choose an application priority for the policy group from the drop-down list. Click Create New to create a new application priority.

Embedded Security

Choose an embedded security policy from the drop-down list. Click Create New to create a new embedded security policy by selecting a configuration group, creating firewall policies, and other configuration settings.

Secure Internet Gateway

 Configure the Secure Internet Gateway (SIG) tunnels before you apply a data policy for redirecting application traffic to an SIG. Select a Secure Internet Gateway (SIG) policy from the drop-down list. Click Create New to create a new SIG policy.

DNS Security

 Select a DNS Security policy from the drop-down list. Click Create New to create a new DNS Security policy.

  1. Click Save to save your configuration.

  2. Click the pencil icon to select or unselect devices to associate or dissociate with the policy group.

  3. Click Deploy to select sites and deploy the policy group.

To delete a policy group, select the ellipsis icon (...) to the right of the policy group and click Delete.