action

policy app-route-policy vpn-list sequence action, policy control-policy sequence action, policy route-policy sequence action, policy data-policy vpn-list sequence action, policy vpn-membership sequence action—Configure the actions to take when the match portion of an IPv4 policy is met (on vEdge routers and vSmart controllers only).

vManage Feature Template

For vEdge routers and vSmart controllers:

Configuration ► Policies

Command Hierarchy

For Application-Aware Routing

policy
  app-route-policy policy-name
    vpn-list list-name
      default-action sla-class sla-class-name
      sequence number
        action
          backup-sla-preferred-color colors
          count counter-name
          log
          sla-class sla-class-name [strict] [preferred-color colors]

For Centralized Control Policy

Configure on vSmart controllers only.

policy
  control-policy policy-name
   default-action action
   sequence number
     action
       reject
       accept
         export-to (vpn vpn-id | vpn-list vpn-list)
         set 
           omp-tag number
           preference value
           service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]    
           tloc ip-address color color [encap encapsulation]
           tloc-action action
           tloc-list list-name

For Centralized Data Policy

Configure on vSmart controllers only.

policy
  data-policy policy-name
    vpn-list list-name 
      default-action action
      sequence number
        action
          cflowd (not available for deep packet inspection)
          count counter-name
          drop
          log
          tcp-optimization
          accept
            nat [pool number] [use-vpn 0] (in Releases 16.2 and earlier, not available for deep packet inspection)
            redirect-dns (host | ip-address)
            set 
              dscp number
              forwarding-class class
              local-tloc color color [encap encapsulation]
              local-tloc-list color color [encap encapsulation] [restrict]
              next-hop ip-address
              policer policer-name
              service service-name local [restrict] [vpn vpn-id]
              service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
              tloc ip-address color color [encap encapsulation]
              tloc-list list-name
              vpn vpn-id
  vpn-membership policy-name
    default-action (accept | reject) 
      sequence number 
        action (accept | reject)

For Cflowd Traffic Flow Monitoring

policy
  data-policy policy-name
    vpn-list list-name
      sequence number
        action
          accept
            cflowd
      default-action (accept | drop)

For Localized Control Policy

Configure on vEdge routers only.

policy
  route-policy policy-name
    default-action action
    sequence number
      action
        reject
        accept
          set
            aggregator as-number ip-address
            as-path (exclude | prepend) as-numbers
            atomic-aggregate
            community value
            local-preference number
            metric number
            metric-type (type1 | type2)
            next-hop ip-address
            omp-tag number
            origin (egp | igp | incomplete)
            originator ip-address
            ospf-tag number
            weight number

For Localized Data Policy

Configure on vEdge routers only.

policy
  access-list acl-name
    sequence number
      default-action action
      action
        drop
          count counter-name
          log
        accept
          class class-name
          count counter-name 
          log
          mirror mirror-name
          policer policer-name
          set dscp value
          set next-hop ipv4-address

Options

Default Action for Application-Aware Routing
default-action sla-class sla-class-name
Default SLA to apply if a data packet being evaluated by the policy matches none of the match conditions.
If you configure no default action, all data packets are accepted and no SLA is applied to them.
Default Action for Control Policy and Data Policy
policy control-policy policy-name default-action (accept | reject)
policy route-policy policy-name default-action (accept | reject)
policy data-policy policy-name default-action (accept | drop)
policy vpn-membership policy-name default-action (accept | drop)
policy access-list acl-name default-action (accept | drop)
Default action to take if an item being evaluated by a policy matches none of the match conditions. If you configure no policy (specifically, if you configure no match–action sequences within a policy), the default action, by default, is to accept all items. If you configure a policy with one or more match–action sequences, the default action, by default, is to either reject or drop the item, depending on the policy type.

For Application-Aware Routing

Count of Matching Items
count counter-name
Count the packets or bytes that match the application-aware routing policy, saving the information to the specified filename.
Log Packets
log
Place a sampled set of packets that match the SLA class rule into the vsyslog and messages system logging (syslog) files.
Tunnel To Send Data Traffic
sla-class sla-class-name [strict]
sla-class sla-class-name [strict] preferred-color colors
backup-sla-preferred-color colors
Direct data packets that match the parameters in the match portion of the policy app-route-policy configuration to a tunnel interface that meets the SLA characteristics in the SLA class sla-class-name. Configure the SLA class with the policy sla-class command.
sla-class sla-class-name—When you specify an SLA class with no additional parameters, data traffic that matches the SLA is forwarded as long as one tunnel interface is available. The software first tries to send the traffic through a tunnel that matches the SLA. If a single tunnel matches the SLA, data traffic is sent through that tunnel. If two or more tunnels match, traffic is distributed among them. If no tunnel matches the SLA, data traffic is sent through one of the available tunnels.
sla-class sla-class-name preferred-color color—To set a specific tunnel to use when data traffic matches an SLA class, include the preferred-color option, specifying the color of the preferred tunnel. If more than one tunnel matches the SLA, traffic is sent to the preferred tunnel. If a tunnel of the preferred color is not available, traffic is sent through any tunnel that matches the SLA class. If no tunnel matches the SLA, data traffic is sent through any available tunnel. In this sense, color preference is considered to be a loose matching, not a strict matching, because data traffic is always forwarded, whether a tunnel of the preferred color is available or not.
sla-class sla-class-name preferred-color colors—To set multiple tunnels to use when data traffic matches an SLA class, include the preferred-color option, specifying two or more tunnel colors. Traffic is load-balanced across all tunnels. If no tunnel matches the SLA, data traffic is sent through any available tunnel. In this sense, color preference is considered to be a loose matching, not a strict matching, because data traffic is always forwarded, whether a tunnel of the preferred color is available or not.
When no tunnel matches the SLA, you can choose how to handle the data traffic:
strict—Drop the data traffic.
backup-sla-preferred-color—Direct the data traffic to a specific tunnel. Data traffic is sent out the configured tunnel if that tunnel interface is available; if that tunnel is unavailable, traffic is sent out another available tunnel. You can specify one or more tunnel colors. As with the preferred-color option, the backup SLA preferred color is loose matching.
In a single action configuration, you cannot include both the strict and backup-sla-preferred-color options.
In these options, color can be one of 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
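As an added illustration (not code from this page or from Viptela), the following Python function models the tunnel-selection rules just described for sla-class, preferred-color, strict and backup-sla-preferred-color; the Tunnel record, its availability and SLA flags, and the sample site state are constructed for the example.

```python
from dataclasses import dataclass

# Colors the action accepts, as listed on this page.
VALID_COLORS = frozenset([
    "3g", "biz-internet", "blue", "bronze", "custom1", "custom2", "custom3",
    "default", "gold", "green", "lte", "metro-ethernet", "mpls",
    "private1", "private2", "private3", "private4", "private5", "private6",
    "public-internet", "red", "silver",
])


@dataclass(frozen=True)
class Tunnel:                 # constructed model of a tunnel interface
    color: str                # TLOC color of the tunnel
    available: bool           # tunnel interface is up
    meets_sla: bool           # measured loss/latency/jitter satisfy the SLA class


def _check_colors(colors):
    bad = [c for c in colors if c not in VALID_COLORS]
    if bad:
        raise ValueError(f"unknown color(s): {bad}")


def select_tunnels(tunnels, preferred=(), strict=False, backup=()):
    """Return the tunnels across which matching traffic is distributed.

    An empty list means the traffic is dropped. Load balancing among the
    returned tunnels is left to the caller.
    """
    if strict and backup:
        # A single action cannot carry both strict and backup-sla-preferred-color.
        raise ValueError("strict and backup-sla-preferred-color are mutually exclusive")
    _check_colors(preferred)
    _check_colors(backup)

    up = [t for t in tunnels if t.available]
    sla_ok = [t for t in up if t.meets_sla]

    if sla_ok:
        # Color preference is loose matching: a preferred color is used only
        # when such a tunnel also meets the SLA; otherwise any SLA tunnel.
        chosen = [t for t in sla_ok if t.color in preferred]
        return chosen or sla_ok

    # No tunnel meets the SLA.
    if strict:
        return []                       # strict: drop the traffic
    if backup:
        # backup-sla-preferred-color is also loose matching.
        fallback = [t for t in up if t.color in backup]
        if fallback:
            return fallback
    return up                           # any available tunnel


# Constructed state for a site with MPLS, Internet and an LTE tunnel.
MPLS = Tunnel("mpls", available=True, meets_sla=True)
INET = Tunnel("biz-internet", available=True, meets_sla=True)
LTE = Tunnel("lte", available=True, meets_sla=False)
SITE = [MPLS, INET, LTE]

if __name__ == "__main__":
    print([t.color for t in select_tunnels(SITE, preferred=("biz-internet",))])
```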

For Centralized Control Policy

Accept or Reject
(accept | reject)
By default, all items that match the parameters in the match portion of the policy control-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.
OMP Tag
set omp-tag number
Set the tag string that is included in accepted OMP routes.
Preference Value
set preference number
Set the preference value that is included in accepted OMP routes.
Range: 1 through 256
Send to VPN
export-to (vpn vpn-id | vpn-list vpn-list)
Direct matching routes to the specified VPN or VPN list. You can configure this option only with match route match conditions.
Service
service service-name (tloc ip-address | tloc-list list-name) [vpn vpn-id]
Direct matching routes to the named service. service-name can be FW, IDS, IDP, netsvc1, netsvc2, netsvc3, and netsvc4. The IP address of one TLOC or list of TLOCs identifies the TLOCs to which the traffic should be directed to reach the service. If the list contains multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.
TLOC Action
set tloc-action action
Direct matching routes or TLOCs using the mechanism specified by action, and enable end-to-end tracking of whether the ultimate destination is reachable. Setting a TLOC action is useful when traffic is first directed, via policy, to an intermediate destination, which then forwards the traffic to its ultimate destination. For example, for traffic from vEdge-A destined for vEdge-D, a policy might direct traffic from vEdge-A first to vEdge-B (the intermediate destination), and vEdge-B then sends it to the final destination, vEdge-D.
action can be one of the following:
ecmp—Equally direct matching control traffic between the intermediate destination and the ultimate destination. In our example, traffic would be sent to vEdge-B (which would then send it to vEdge-D) and directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the ultimate destination.
primary—First direct matching traffic to the intermediate destination. If that router is not reachable, then direct it to the final destination. In our example, traffic would first be sent to vEdge-B. If this router is down, it is sent directly to vEdge-D. With this action, if the intermediate destination is down, all traffic reaches the final destination.
backup—First direct matching traffic to the final destination. If that router is not reachable, then direct it to the intermediate destination. In our example, traffic would first be sent directly to vEdge-D. If the vEdge-A is not able to reach vEdge-D, traffic is sent to vEdge-B, which might have an operational path to reach vEdge-D. With this action, if the source is unable to reach the final destination directly, it is possible for all traffic to reach the final destination via the intermediate destination.
strict—Direct matching traffic only to the intermediate destination. In our example, traffic is sent only to vEdge-B, regardless of whether it is reachable. With this action, if the intermediate destination is down, no traffic reaches the final destination. If you do not configure a set tloc-action action in a centralized control policy, strict is the default behavior.
Setting the TLOC action option enables the vSmart controller to perform end-to-end tracking of the path to the ultimate destination router. In our example, matching traffic goes from vEdge-A to vEdge-B and then, in a single hop, goes to vEdge-D. If the tunnel between vEdge-B and vEdge-D goes down, the vSmart controller relays this information to vEdge-A, and vEdge-A removes its route to vEdge-D from its local route table. End-to-end tracking works here only because traffic goes from vEdge-B to vEdge-D in a single hop, via a single tunnel. If the traffic from vEdge-A went first to vEdge-B, then to vEdge-C, and finally to vEdge-D, the vSmart controller is unable to perform end-to-end tracking and is thus unable to keep vEdge-A informed about whether the full path between it and vEdge-D is up.
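As an added illustration (not code from this page or from Viptela), this Python model applies the four tloc-action behaviours to the vEdge-A / vEdge-B / vEdge-D example above, including the end-to-end tracking rule that withdraws the intermediate path when the vEdge-B to vEdge-D tunnel is down; the Path record and its reachability flags are constructed inputs.

```python
from dataclasses import dataclass

ACTIONS = ("ecmp", "primary", "backup", "strict")


@dataclass(frozen=True)
class Path:                            # constructed reachability state seen from vEdge-A
    a_to_b_up: bool                    # tunnel vEdge-A -> vEdge-B (intermediate) is up
    b_to_d_up: bool                    # tunnel vEdge-B -> vEdge-D (single hop) is up
    a_to_d_up: bool                    # direct tunnel vEdge-A -> vEdge-D is up


def intermediate_reachable(p: Path) -> bool:
    # End-to-end tracking: vSmart withdraws vEdge-A's route via vEdge-B when
    # the vEdge-B -> vEdge-D tunnel is down, so both hops must be up.
    return p.a_to_b_up and p.b_to_d_up


def next_hops(action: str, p: Path) -> list:
    """Next hops vEdge-A uses for traffic to vEdge-D under the given tloc-action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown tloc-action {action!r}")
    via_b = intermediate_reachable(p)
    direct = p.a_to_d_up
    if action == "ecmp":
        # Split between intermediate and ultimate destination; if one is
        # down, everything goes to the other.
        return [h for h, ok in (("vEdge-B", via_b), ("vEdge-D", direct)) if ok]
    if action == "primary":
        return ["vEdge-B"] if via_b else (["vEdge-D"] if direct else [])
    if action == "backup":
        return ["vEdge-D"] if direct else (["vEdge-B"] if via_b else [])
    # strict (the default when no tloc-action is set): only the intermediate
    # destination, regardless of whether it is reachable.
    return ["vEdge-B"]


def reaches_final(action: str, p: Path) -> bool:
    """True when matching traffic still arrives at vEdge-D."""
    if action == "strict":
        return intermediate_reachable(p)   # sent to vEdge-B unconditionally
    return bool(next_hops(action, p))


if __name__ == "__main__":
    b_down = Path(a_to_b_up=False, b_to_d_up=True, a_to_d_up=True)
    for act in ACTIONS:
        print(act, next_hops(act, b_down), reaches_final(act, b_down))
```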
TLOC List
set tloc-list list-name
Direct matching routes or TLOCs to the TLOC or TLOCs in the named TLOC list. If the list contains multiple TLOCs, the traffic is load-balanced among them. Changing an OMP route's TLOC is one way to use policy to effect traffic engineering, which directs packets to specific vEdge routers. The color configured in the TLOC list provides a means to separate streams of traffic.

For Centralized Data Policy

Accept or Drop
(accept | drop)
By default, all packets that match the parameters in the match portion of the policy data-policy configuration are dropped. Include drop to explicitly reject matching packets. Include accept to accept matching packets and to perform any specified actions.
Count Packets
count counter-name
Count the packets that match the match criteria, saving the information to the specified filename.
Log Packets
log
Place a sampled set of packets that match the match conditions into the vsyslog and messages system logging (syslog) files.
NAT Functionality
nat use-vpn 0
Direct matching traffic to the NAT functionality so that it can be sent directly to the Internet or another external destination. In Releases 16.2 and earlier, you cannot use NAT with deep packet inspection.
Next-Hop Address
next-hop ip-address
Set the next-hop address in accepted packets.
Optimize TCP Traffic
tcp-optimization
Fine-tune TCP to decrease round-trip latency and improve throughput for TCP traffic.
Policer
policer policer-name
Police the packets using the specified policer.
Service
service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
Direct matching packets to the named service. service-name can be FW, IDS, IDP, netsvc1, netsvc2, netsvc3, and netsvc4. The TLOC address or list of TLOCs identifies the TLOCs to which the traffic should be directed to reach the service. In the case of multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is where the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command.
Service via GRE Tunnel
service service-name local [restrict] [vpn vpn-id]
Direct matching packets to the named service that is reachable via a GRE tunnel whose source is in the transport VPN (VPN 0). If the GRE tunnel used to reach the service is down, packet routing falls back to using standard routing. To drop packets when a GRE tunnel to the service is unreachable, include the restrict option. In the service VPN, you must also advertise the service using the service command. You configure the GRE interface or interfaces in the transport VPN (VPN 0).
Split DNS Server
redirect-dns (ip-address | host)
For a policy that enables split DNS (that is, when the match condition specifies dns-app-list and dns), specify how to direct matching packets. For DNS queries (dns request), specify the IP address of the DNS server to use to resolve the DNS query. For DNS responses (dns response), specify host so that the response from the DNS server is properly forwarded to the requesting service VPN.
TLOC from a List of TLOCs
set tloc-list list-name
Direct matching packets to one of the TLOCs in the list defined with a policy lists tloc-list list. When the list contains multiple TLOCs that are available and that satisfy the match conditions, the TLOC with the lowest preference value is used. If two or more TLOCs have the lowest preference value, traffic is sent among them in an ECMP fashion.
TLOC Identified by Color
set local-tloc color color [encap encapsulation]
set local-tloc-list color color [encap encapsulation] [restrict]
Direct matching packets to a TLOC identified by its color and, optionally, its encapsulation.
color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.
By default, if the TLOC is not available, traffic is forwarded using an alternate TLOC. To drop traffic if the TLOC is unavailable, include the restrict option.
TLOC Identified by IP Address and Color
set tloc ip-address color color [encap encapsulation]
Direct matching packets to a TLOC identified by its IP address and color, and optionally, by its encapsulation.
color can be 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, and silver.
By default, encapsulation is ipsec. It can also be gre.
VPN
set vpn vpn-id
Set the VPN Identifier that is included in accepted packets.

For Cflowd Traffic Flow Monitoring

Accept or Reject
(accept | reject)
By default, all items that match the parameters in the match portion of the policy data-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.
Enable Packet Collection
cflowd
Collect packets for traffic monitoring.

For Localized Control Policy

Accept or Reject
(accept | reject)
By default, all items that match the parameters in the match portion of the policy control-policy configuration are rejected. Include reject to explicitly reject matching items. Include accept to accept matching items and to perform any specified actions.
Aggregator
set aggregator as-number ip-address
Set the AS number in which a route aggregator is located and the IP address of the route aggregator. as-number can be a value from 1 through 65535.
AS Path
set as-path (exclude | prepend) as-numbers
Exclude one or more AS numbers from the AS path, or prepend them at the beginning of the AS path. Each as-number can be a value from 1 through 65535. If you specify more than one AS number, enclose the numbers in quotation marks.
Atomic Aggregate
set atomic-aggregate
Set the BGP atomic aggregate attribute.
Community
set community value
Set the BGP community value. It can be aa:nn, internal, local-as, no-advertise, and no-export. In aa:nn, aa is the AS community number and nn is a two-byte number.
Local Preference
set local-preference number
Set the BGP local preference value. number can be a value from 0 through 4294967295.
Metric
set metric number
Set the metric. number can be a value from 0 through 4294967295.
Metric Type
set metric-type type
Set the metric type. type can be type1 or type2.
Next-Hop Address
set next-hop ip-address
Set the next-hop address.
OMP Tag Value
set omp-tag number
Set the OMP tag value. number can be a value from 0 through 4294967295.
Origin Code
set origin origin
Set the BGP origin code. origin can be egp, igp (default), and incomplete.
Originator
set originator ip-address
Set the IP address from which the route was learned.
OSPF Tag Value
set ospf-tag number
Set the OSPF tag value. number can be a value from 0 through 4294967295.
Weight
set weight number
Set the BGP weight. number can be a value from 0 through 4294967295.

For Localized Data Policy

Accept or Drop
(accept | drop)
By default, all packets that match the parameters in the match portion of the policy access-list configuration are dropped. Include drop to explicitly reject matching packets. Include accept to accept matching packets and to perform any specified actions.
Count Packets
count counter-name
Count the packets that match the match criteria, saving the information to the specified filename. If you configure a counter and additional actions, such as policing, the data packets are counted before the other actions are performed, regardless of the order in which you enter the commands in the configuration.
Class
class class-name
Assign the packets to the specified QoS class name.
DSCP
set dscp value
For QoS, set or overwrite the DSCP value in the packet. value can be a number from 0 through 63.
Log Packet Headers
log
Log the packet headers into vsyslog and messages system logging (syslog) files.
Mirroring
mirror mirror-name
Mirror the packets to the specified mirror.
Next-Hop Address
set next-hop ipv4-address
Set the next-hop address. The address must be an IPv4 address.
Policing
policer policer-name
Police the packets using the specified policer.

Operational Commands

show app log flows
show log
show logging
show running-config policy

Example

Create a centralized control policy that changes the TLOC for accepted packets:

policy
  control-policy change-tloc
    sequence 10
      action accept
        set tloc 1.1.1.2

Release Information

Command introduced in Viptela Software Release 14.1.
Application-aware routing policy added in Release 14.2.
Cflowd traffic monitoring added in Release 14.3.
Setting GRE encapsulation and setting preferred color for an SLA class added in Release 15.2.
In Release 15.4, the omp-tag match condition was added for localized control policy, and the tag option was renamed omp-tag.
In Release 16.1, the log option was added to the application-aware routing policy action.
In Release 16.1.2, the preferred-color option was added to the application-aware routing policy action.
In Release 16.3, the backup-sla-preferred-color option was added for application-aware routing, the log action was added for localized data policy, and the set local-tloc-list restrict option was added for localized data policy.
In Release 17.1, load balancing among multiple colors was added for application-aware routing, the tcp-optimization accept option was added to centralized data policy, and the set next-hop option was added for localized data policy.
In Release 17.2, the redirect-dns option was added for centralized data policy.

Additional Information

See the Policy Overview article for your software release.
apply-policy
lists
match
policy (for IPv4)
policy ipv6