Viptela Documentation

Configuring Centralized Control Policy

Centralized control policy, which you configure on vSmart controllers, affects routing policy based on information in OMP routes and OMP TLOCs. This type of policy allows you to set actions for matching routes and TLOCs, including redirecting packets through network services, such as firewalls, a feature that is called service chaining.

In domains with multiple vSmart controllers, all the controllers must have the same centralized control policy configuration to ensure that routing within the overlay network remains stable and predictable.

This article provides procedures for configuring centralized control policy (including service chaining) from the CLI.

Configuration Components

A centralized control policy consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest. When a route or TLOC matches the match conditions of a sequence, the associated action is taken and policy evaluation for that route or TLOC stops; later sequences are not consulted. Keep this in mind as you design your policies, to ensure that the desired actions are taken on the items subject to policy.

If a route or TLOC matches none of the match parameters in any of the sequences in the policy configuration, it is, by default, rejected and discarded.

To create a centralized control policy, you include the following components in the configuration on a vSmart controller:

Component: Lists
Description: Groupings of related items that you reference in the match and action portions of the control policy configuration. The items you can group include colors, IP prefixes, overlay network site IDs, TLOCs, and VPNs.
Configuration command: policy lists

Component: Centralized control policy instance
Description: Container for a centralized control policy.
Configuration command: policy control-policy

Component: Numbered sequences of match–action pairs
Description: Sequences establish the order in which the policy components are applied.
Configuration command: policy control-policy sequence

Component: Match parameters
Description: Conditions that routes and TLOCs must match to be considered for a control policy.
Configuration commands:
  policy control-policy sequence match route: match properties of OMP routes, such as the originating protocol and IP prefixes.
  policy control-policy sequence match tloc: match transport location parameters, such as the domain ID and TLOC IP address.

Component: Actions
Description: Whether to accept or reject matching routes and TLOCs, and how to process accepted items.
Configuration command: policy control-policy sequence action

Component: Default action
Description: Action to take if a route or TLOC matches none of the match parameters in any of the sequences. By default, nonmatching routes and TLOCs are rejected.
Configuration command: policy control-policy default-action

Component: Application of centralized control policy
Description: For a control policy to take effect, you apply it to one or more sites in the overlay network.
Configuration command: apply-policy site-list control-policy

The following figure illustrates the configuration components for centralized control policy.

[Figure: configuration components for centralized control policy (s00097.png)]

General Configuration Procedure

Following are the high-level steps for configuring a centralized control policy:

  1. Create a list of overlay network sites to which the centralized control policy is to be applied (in the apply-policy command):
    vSmart(config)# policy
    vSmart(config-policy)# lists site-list list-name
    vSmart(config-lists-list-name)# site-id site-id

    The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (-).
    Create additional site lists, as needed.
  2. Create lists of IP prefixes, TLOCs, and VPNs, as needed:
    vSmart(config)# policy lists
    vSmart(config-lists)# prefix-list list-name
    vSmart(config-lists-list-name)# ip-prefix prefix/length

    vSmart(config)# policy lists
    vSmart(config-lists)# tloc-list list-name
    vSmart(config-lists-list-name)# tloc address color color encap encapsulation [preference value]

    vSmart(config)# policy lists
    vSmart(config-lists)# vpn-list list-name
    vSmart(config-lists-list-name)# vpn vpn-id
  3. Create a control policy instance:
    vSmart(config)# policy control-policy policy-name
    vSmart(config-control-policy-policy-name)#
  4. Create a series of match–action pair sequences:
    vSmart(config-control-policy-policy-name)# sequence number
    vSmart(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest-numbered pair and ending when the route or TLOC matches the conditions in one of the pairs. If no match occurs, the default action is taken (either rejecting the item or accepting it as is).
  5. Define match parameters for routes or for TLOCs. A sequence contains one match command, either match route or match tloc:
    vSmart(config-sequence-number)# match route route-parameter
    vSmart(config-sequence-number)# match tloc tloc-parameter
  6. Define the action to take when a match occurs:
    vSmart(config-sequence-number)# action reject
    vSmart(config-sequence-number)# action accept export-to (vpn vpn-id | vpn-list list-name)
    vSmart(config-sequence-number)# action accept set (omp-tag number | preference value | service service-name | tloc address)
  7. Create additional numbered sequences of match–action pairs within the control policy, as needed.
  8. If a route or TLOC does not match any of the conditions in any of the sequences, it is rejected by default. If you want nonmatching routes and TLOCs to be accepted, configure the default action for the policy:
    vSmart(config-policy-name)# default-action accept
  9. Apply the policy to one or more sites in the Viptela overlay network:
    vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)
  10. If the action you are configuring is a service, configure the required services on the vEdge routers so that the vSmart controller knows how to reach the services:
    vEdge(config)# vpn vpn-id service service-name address ip-address
    Specify the VPN in which the service is located and one to four IP addresses to reach the service device or devices. If multiple devices provide the same service, the vEdge router load-balances the traffic among them. Note that the vEdge router keeps track of the services, advertising them to the vSmart controller only if the address (or one of the addresses) can be resolved locally, that is, at the vEdge router's local site, and not learned through OMP. If a previously advertised service becomes unavailable, the vEdge router withdraws the service advertisement.
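The following configuration is a worked example added here to put the steps above together; it is not taken from the Viptela documentation and is not a reference configuration. It describes a hypothetical hub-and-spoke overlay in which branch-to-branch traffic must pass through a firewall behind the hub, and a shared-services prefix originated at the hub is exported into the user VPNs. Every list name, policy name, site ID, VPN ID, TLOC address and service address is an assumption made for the example, and the lines beginning with "!" are annotations rather than configuration.

```text
! vSmart controller. Lines starting with "!" are annotations, not configuration.
! All names, site IDs, VPN IDs and addresses are assumed for this example.
policy
  lists
    site-list branches
      site-id 100-199
    site-list hub
      site-id 10
    vpn-list user-vpns
      vpn 1
      vpn 2
    prefix-list shared-services
      ip-prefix 10.200.0.0/16
    tloc-list hub-tlocs
      tloc 10.255.0.10 color mpls encap ipsec preference 100
      tloc 10.255.0.10 color biz-internet encap ipsec preference 50
  control-policy branch-via-hub-fw
    ! 10: routes that other branches originate in the user VPNs are accepted
    ! with the FW service attached, so branch-to-branch traffic is steered
    ! through the firewall reached via the hub TLOCs in services VPN 10.
    sequence 10
      match route
        site-list branches
        vpn-list user-vpns
      action accept
        set service FW tloc-list hub-tlocs vpn 10
    ! 20: branch TLOCs are withheld from other branches, so no direct
    ! branch-to-branch tunnel can form that would bypass the firewall.
    sequence 20
      match tloc
        site-list branches
      action reject
    ! 30: the hub's shared-services summary, originated in VPN 3, is exported
    ! into the user VPNs. It must come before sequence 40: the first matching
    ! sequence wins, and 40 would otherwise accept the route unchanged.
    sequence 30
      match route
        site-list hub
        vpn 3
        prefix-list shared-services
      action accept
        export-to vpn-list user-vpns
    ! 40 and 50: everything else the hub originates is passed unchanged.
    sequence 40
      match route
        site-list hub
      action accept
    sequence 50
      match tloc
        site-list hub
      action accept
    ! Fail closed. Reject is already the default; stating it makes the intent
    ! explicit: anything not matched above is never advertised to the branches.
    default-action reject
! Outbound: the policy filters what the vSmart controller advertises to the
! branch sites. The hub site is not in the list and is not affected.
apply-policy site-list branches
  control-policy branch-via-hub-fw out

! Hub vEdge router (site 10): advertise the firewall so the vSmart controller
! can resolve the FW service. The service is advertised only while the address
! resolves at the hub's local site, and is withdrawn if it becomes unavailable.
vpn 10
  service FW address 10.10.0.5
```

Two points are worth checking before committing a policy like this. First, because evaluation stops at the first matching sequence, a broad sequence placed early (such as 40 here) silently shadows any narrower sequence after it. Second, with default-action reject, every route and TLOC that no sequence covers disappears from the branches; after the commit, confirm that the branches still learn the hub's routes and TLOCs and that the hub vEdge is advertising the FW service.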

Structural Components of Policy Configuration for Centralized Control Policy

Following are the structural components required to configure centralized control policy. Each one is explained in more detail in the sections below.

policy
  lists
    color-list list-name
      color color
    prefix-list list-name 
      ip-prefix prefix 
    site-list list-name 
      site-id site-id 
    tloc-list list-name
      tloc address color color encap encapsulation [preference value]
    vpn-list list-name 
      vpn vpn-id 
  control-policy policy-name 
    sequence number 
      match
        match-parameters 
      action
        reject
        accept
          export-to vpn
        accept
          set parameter
    default-action
      (accept | reject)
apply-policy site-list list-name 
  control-policy policy-name (in | out)

Lists

Centralized control policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy.

List type: Color list
Description: List of one or more colors. color can be 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, or silver.
Command:
color-list list-name
  color color

List type: Prefix list
Description: List of one or more IP prefixes. Specify the IP prefixes as follows:
• prefix/length: exactly match a single prefix–length pair.
• 0.0.0.0/0: match any prefix–length pair.
• 0.0.0.0/0 le length: match any IP prefix whose length is less than or equal to length. For example, ip-prefix 0.0.0.0/0 le 16 matches all IP prefixes with lengths from /1 through /16.
• 0.0.0.0/0 ge length: match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0/0 ge 25 matches all IP prefixes with lengths from /25 through /32.
• 0.0.0.0/0 ge length1 le length2, or 0.0.0.0/0 le length2 ge length1: match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes, and ip-prefix 0.0.0.0/0 le 24 ge 20 matches the same prefixes. If length1 and length2 are the same, a single prefix length is matched; for example, ip-prefix 0.0.0.0/0 ge 24 le 24 matches only /24 prefixes.
Command:
prefix-list list-name
  ip-prefix prefix/length [ge length] [le length]

List type: Site list
Description: List of one or more site identifiers in the overlay network. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10).
Command:
site-list list-name
  site-id site-id

List type: TLOC list
Description: List of one or more TLOCs. For each TLOC you must specify its address, color, and encapsulation. The address is the system IP address of the router. Setting a preference value is optional.
Command:
tloc-list list-name
  tloc ip-address color color encap (gre | ipsec) [preference number]

List type: VPN list
Description: List of one or more VPNs in the overlay network. You can specify a single VPN identifier (such as vpn 1) or a range of VPN identifiers (such as vpn 1-10).
Command:
vpn-list list-name
  vpn vpn-id

Sequences

A centralized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route or TLOC is analyzed by the match–action pairs in the policy. You configure sequences with the policy control-policy sequence command.

Each sequence in a centralized control policy can contain one match command (either match route or match tloc) and one action command.

Match Parameters

Centralized control policy can match OMP route (vRoute) or TLOC route attributes. You configure the OMP route attributes to match with the policy control-policy sequence match route command, and you configure the TLOC attributes to match with the policy control-policy sequence match tloc command.

Each sequence in a policy can contain one match section, either match route or match tloc.

OMP Route Match Attributes

For OMP routes (vRoutes), you can match the following attributes. Each entry gives the command, followed by its description and the value or range it accepts.

color color
  Individual color. Value: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, or silver.

color-list list-name
  One or more colors. Value: name of a policy lists color-list list.

omp-tag number
  Tag value associated with the route or prefix in the route table on the vEdge router. Range: 0 through 4294967295.

origin protocol
  Protocol from which the route was learned. Value: bgp-external, bgp-internal, connected, ospf-external1, ospf-external2, ospf-inter-area, ospf-intra-area, or static.

originator ip-address
  IP address from which the route was learned. Value: IP address.

preference number
  How preferred a prefix is. This is the preference value that the route or prefix has in the local site, that is, in the route table on the vEdge router. A higher preference value is more preferred. Range: 0 through 255.

prefix-list list-name
  One or more prefixes. Value: name of a policy lists prefix-list list.

site-id site-id
  Individual site identifier. Range: 0 through 4294967295.

site-list list-name
  One or more overlay network site identifiers. Value: name of a policy lists site-list list.

tloc address
  Individual TLOC address. Value: IP address.

tloc-list list-name
  One or more TLOC addresses. Value: name of a policy lists tloc-list list.

vpn vpn-id
  Individual VPN identifier. Range: 0 through 65535.

vpn-list list-name
  One or more VPN identifiers. Value: name of a policy lists vpn-list list.

TLOC Route Match Attributes

For TLOC routes, you can match the following attributes. Each entry gives the command, followed by its description and the value or range it accepts.

carrier carrier-name
  Carrier for the control traffic. Value: default, or carrier1 through carrier8.

color color
  Individual color. Value: 3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, metro-ethernet, mpls, private1 through private6, public-internet, red, or silver.

color-list list-name
  One or more colors. Value: name of a policy lists color-list list.

domain-id domain-id
  Domain identifier associated with a TLOC. Range: 0 through 4294967295.

omp-tag number
  Tag value associated with the route or prefix in the route table on the vEdge router. Range: 0 through 4294967295.

originator ip-address
  IP address from which the route was learned. Value: IP address.

preference number
  How preferred a prefix is. This is the preference value that the route or prefix has in the local site, that is, in the route table on the vEdge router. A higher preference value is more preferred. Range: 0 through 255.

site-id site-id
  Individual site identifier. Range: 0 through 4294967295.

site-list list-name
  One or more overlay network site identifiers. Value: name of a policy lists site-list list.

tloc address
  Individual TLOC address. Value: IP address.

tloc-list list-name
  One or more TLOC addresses. Value: name of a policy lists tloc-list list.

Action Parameters

For each match condition, you configure a corresponding action to take if the route or TLOC matches. You configure this with the policy control-policy sequence action command.

Each sequence in a centralized control policy can contain one action command.

In the action, you first specify whether to accept or reject a matching route or TLOC:

accept
  Accept the route or TLOC. An accepted item is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.

reject
  Discard the route or TLOC. Control policy acts on routing information, not on data packets: a rejected item is dropped from the policy's output and is neither installed nor advertised.

Then, for a route or TLOC that is accepted, you can configure the following actions. Each entry gives the parameter, followed by its description and the value or range it accepts.

export-to (vpn vpn-id | vpn-list list-name)
  Export the route to the specified VPN or list of VPNs (for match route match conditions only). Value: 0 through 65535, or the name of a policy lists vpn-list list.

set preference number
  Change the preference value in the route or prefix to the specified value. A higher preference value is more preferred. Range: 0 through 255.

set service service-name [tloc ip-address | tloc-list list-name] [vpn vpn-id]
  Specify a service to redirect traffic through before delivering the traffic to its destination. The TLOC address or TLOC list identifies the TLOCs through which the service is reached; with multiple TLOCs, the traffic is load-balanced among them. The VPN identifier is the VPN in which the service is located. Configure the services themselves on the vEdge routers that are collocated with the service devices, using the vpn service configuration command. Values: standard services FW, IDS, and IDP; custom services netsvc1, netsvc2, netsvc3, and netsvc4; a TLOC list configured with a policy lists tloc-list command.

set omp-tag number
  Change the tag value in the route or prefix. Range: 0 through 4294967295.

set tloc-list list-name
  Change the TLOC address and color to those in the specified TLOC list. Value: name of a policy lists tloc-list list.

Default Action

If a route or TLOC being evaluated does not match any of the match conditions in a centralized control policy, the default action is applied to it. By default, the route or TLOC is rejected. To change this behavior, include the default-action accept command in the control policy.

Applying Centralized Control Policy

For a centralized control policy to take effect, you apply it to a list of sites in the overlay network with the following command:

vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)

You apply the centralized control policy directionally:

  • Inbound direction (in): the policy analyzes routes and TLOCs being received from the sites in the site list before placing them into the route table on the vSmart controller.
  • Outbound direction (out): the policy analyzes routes and TLOCs in the vSmart controller's route table that are being advertised by the vSmart controller to the vEdge routers at the sites in the site list.

You cannot apply the same type of policy to site lists that contain overlapping site IDs. That is, no two control policies can be applied to site lists that share a site ID. If you misconfigure overlapping site lists, the attempt to commit the configuration on the vSmart controller fails.
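The following fragment, added here as an illustration and not taken from the Viptela documentation, shows a pair of apply-policy statements that the commit check rejects, followed by the corrected form. List names, policy names and site IDs are assumptions; the two control policies are assumed to exist.

```text
! Rejected at commit: site IDs 100 through 149 belong to both site lists, and
! both lists carry a control policy.
policy
  lists
    site-list all-branches
      site-id 100-199
    site-list west-branches
      site-id 100-149
apply-policy site-list all-branches
  control-policy branch-policy out
apply-policy site-list west-branches
  control-policy west-policy out

! Corrected: the site lists are disjoint, so each site is subject to exactly
! one control policy.
policy
  lists
    site-list east-branches
      site-id 150-199
    site-list west-branches
      site-id 100-149
apply-policy site-list east-branches
  control-policy branch-policy out
apply-policy site-list west-branches
  control-policy west-policy out
```

Because the check is performed at commit time, it is worth keeping site lists used by control policies disjoint by construction (for example, by carving site ID ranges per region) rather than discovering the overlap when a change is rolled out.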
