
Lab 10.1: Policy influences data flow traffic

Lesson 22/63 | Study Time: 60 Min

Configuration

In Cisco Viptela, policy influences the flow of data traffic between vEdge routers. Viptela policy comprises the following:

Routing policy: This policy affects the flow of routing information in the control plane.

Data policy: This policy affects the flow of data traffic in the data plane.

In a Cisco Viptela network, policies are applied to either control plane or data plane traffic and are configured either centrally on vSmart or locally on vEdge routers.

The figure below distinguishes between control policy and data policy, each of which is further divided into centralized and localized policy.



Each policy, based on its configuration, falls into one of two categories:

Basic Policy: These policies cover standard policy tasks such as managing traffic paths, permitting and blocking traffic based on address, port, etc., enabling class of service, monitoring, and policing.

Advanced Policy: These policies include more advanced configuration and offer specialized policy-based applications, such as:

Service Chaining

Application-Aware Routing

Cflowd for traffic monitoring

Converting a vEdge device to a NAT device


Note: By default, no policy is configured on Viptela devices, either on vSmart or on vEdge. Initially, when there is no policy:

All routing information is propagated by OMP from the vEdge routers to vSmart, and vSmart then shares it with all other vEdge routers unpoliced.

Centralized and Localized Policy

The Viptela policy software design provides a clear separation between centralized and localized policy. In short, centralized policy is provisioned on the centralized vSmart controllers in the overlay network, and localized policy is provisioned on the vEdge routers, which sit at the network edge between a branch or enterprise site and a transport network, such as the Internet, MPLS, or metro Ethernet.

Centralized Policy:

Control policy, which affects the overlay network–wide routing of traffic

Data policy, which affects the data traffic flow throughout the VPN segments in the network

Localized Policy:

Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network.

Examples: ACLs, route policy (how data traffic flows in and out), QoS, and cflowd (similar to NetFlow).

Control and Data Policy:

The Viptela network policy design provides a clean separation between control policy and data policy, to align with the network architecture in which the control and data planes are cleanly separated. Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.

Centralized control policy affects the OMP routes that are distributed by the vSmart controller throughout the overlay network. The vSmart controller learns the overlay network topology from OMP routes that are advertised by the vEdge routers over the OMP sessions inside the DTLS or TLS connections between the vSmart controller and the routers. (The DTLS connections are shown in orange in the figure



Three types of OMP routes carry the information that the vSmart controller uses to determine the network topology:

Viptela OMP routes, which are similar to IP route advertisements, advertise routing information that vEdge routers have learned from their local site and the local routing protocols (BGP and OSPF) to the vSmart controller. These routes are also referred to as OMP routes or vRoutes.

TLOC routes carry overlay network–specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type. (A TLOC, or transport location, is the physical location where a vEdge router connects to a transport network. It is identified primarily by IP address, link color, and encapsulation, but a number of other properties are associated with a TLOC.)

Service routes advertise the network services, such as firewalls, available to VPN members at the vEdge router's local site.




Note: Because the vSmart controller's role is to be the centralized routing system in the network, vEdge routers can never modify the OMP route information that they learn from the vSmart controllers.

A type of centralized control policy called service chaining allows data traffic to be routed through one or more network services, such as firewall, load balancer, and intrusion detection and prevention (IDP) devices, en route to its destination.
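The default unpoliced propagation and the effect of a centralized control policy described above can be modelled in a few lines. This is an added example, not Cisco's code or configuration from this lab: the names OmpRoute, Sequence, evaluate and advertise, the site IDs and the prefixes are all constructed, and the first-match sequence evaluation with an explicit default action is a modelling assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OmpRoute:              # simplified vRoute: a prefix learned at a site, in a VPN
    prefix: str
    site_id: int
    vpn: int

@dataclass(frozen=True)
class Sequence:              # one match/action entry of a modelled control policy
    prefixes: tuple          # match: route falls inside any of these prefixes
    origin_sites: frozenset  # match: originating site (empty set = any site)
    action: str              # "accept" or "reject"

def matches(seq, route):
    net = ipaddress.ip_network(route.prefix)
    in_prefix = any(net.subnet_of(ipaddress.ip_network(p)) for p in seq.prefixes)
    in_sites = not seq.origin_sites or route.site_id in seq.origin_sites
    return in_prefix and in_sites

def evaluate(policy, default_action, route):
    """First matching sequence decides; otherwise the default action applies."""
    for seq in policy:
        if matches(seq, route):
            return seq.action
    return default_action

def advertise(routes, to_site, applied=None):
    """Routes the modelled vSmart sends to to_site.
    applied maps site_id -> (policy, default_action) for outbound policy."""
    out = []
    for r in routes:
        if r.site_id == to_site:
            continue                     # a site's own routes are not sent back to it
        if applied and to_site in applied:
            policy, default = applied[to_site]
            if evaluate(policy, default, r) != "accept":
                continue                 # filtered centrally; the vEdge never sees it
        out.append(r)
    return out

# Constructed sample: site 1 is the data center, sites 20 and 30 are branches.
ROUTES = [OmpRoute("10.1.0.0/16", 1, 1),
          OmpRoute("10.20.0.0/24", 20, 1),
          OmpRoute("10.30.0.0/24", 30, 1)]
BRANCHES = frozenset({20, 30})
# Outbound toward branches: reject any route that originated at a branch.
HUB_ONLY = ([Sequence(("0.0.0.0/0",), BRANCHES, "reject")], "accept")
APPLIED = {site: HUB_ONLY for site in BRANCHES}
```

With no policy, advertise(ROUTES, 20) returns both the data center and the site 30 prefixes; with APPLIED, site 20 receives only the data center prefix, so branch-to-branch reachability is removed at the controller rather than on each router.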



Consolidated Control and Data Policy:



Sujeet Shen
