
Configuring Localized Data Policy

This article provides procedures for configuring localized data policy from the CLI. Localized data policy, configured on vEdge routers, lets you control how data traffic is forwarded among the vEdge routers in the network. This type of localized data policy is called an access list, or ACL. You can provision simple access lists that filter traffic based on IP header fields. You also use access lists to apply QoS, mirroring, and policing to data packets.

Configuration Components

An access list consists of a series of numbered (ordered) sequences of match–action pairs that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packet stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configuration, it is, by default, dropped.

To create an access list, you include the following components in the configuration on a vEdge router:

Component: Lists
Description: Groupings of related items that you reference in the match and action portions of the data policy configuration. For access lists, you can group IP prefixes.
Configuration command: policy lists

Component: QoS, mirroring, and policing parameters
Description: Parameters and rules required to configure QoS, traffic mirroring, and traffic policing. For QoS, you can configure class maps, QoS maps, the QoS scheduler, and rewrite rules. For mirroring, you configure the addresses of the source of the packets to be mirrored and the mirroring site. For policing, you define transmission parameters.
Configuration commands: policy class-map, policy qos-scheduler, policy qos-map, policy rewrite-rule, policy mirror, policy policer

Component: Access list instance
Description: Container for an access list.
Configuration command: policy access-list

Component: Numbered sequences of match–action pairs
Description: Sequences establish the order in which the policy components are applied.
Configuration command: policy access-list sequence

Component: Match parameters
Description: Conditions that packets must match to be considered for a data policy.
Configuration command: policy access-list sequence match

Component: Actions
Description: Whether to accept or reject matching packets, and how to process matching items.
Configuration command: policy access-list sequence action

Component: Default action
Description: Action to take if a packet matches none of the match parameters in any of the sequences. By default, nonmatching packets are dropped.
Configuration command: policy access-list default-action

Component: Application of access lists
Description: For an access list to take effect, you apply it to an interface. You can also apply policers and DSCP rewrite rules directly to interfaces.
Configuration commands: vpn interface access-list, vpn interface policer, vpn interface rewrite-rule

The following figure illustrates the configuration components for access lists.


General Configuration Procedure

Following are the high-level steps for configuring an access list:

  1. Create lists of IP prefixes, as needed:
    vEdge(config)# policy
    vEdge(config-policy)# prefix-list list-name
    vEdge(config-prefix-list)# ip-prefix prefix/length
  2. For QoS, map each forwarding class to an output queue, configure a QoS scheduler for each forwarding class, and group the QoS schedulers into a QoS map:
    vEdge(config)# policy class-map
    vEdge(config-class-map)# class class-name queue number

    vEdge(config)# policy qos-scheduler scheduler-name
    vEdge(config-qos-scheduler)# class class-name
    vEdge(config-qos-scheduler)# bandwidth-percent percentage
    vEdge(config-qos-scheduler)# buffer-percent percentage
    vEdge(config-qos-scheduler)# drops drop-type
    vEdge(config-qos-scheduler)# scheduling type


    vEdge(config)# policy qos-map map-name qos-scheduler scheduler-name
  3. For QoS, define rewrite rules to overwrite the DSCP field of a packet's outer IP header, if desired:
    vEdge(config)# policy rewrite-rule rule-name
    vEdge(config-rewrite-rule)# class class-name loss-priority dscp dscp-value

    class-name is one of the classes defined under a qos-scheduler command.
  4. Define mirroring parameters:
    vEdge(config)# policy mirror mirror-name
    vEdge(config-mirror)# remote-dest ip-address source ip-address
  5. Define policing parameters:
    vEdge(config)# policy policer policer-name
    vEdge(config-policer)# rate bandwidth
    vEdge(config-policer)# burst bytes
    vEdge(config-policer)# exceed action
  6. Create an access list instance:
    vEdge(config)# policy access-list list-name
  7. Create a series of match–action pair sequences:
    vEdge(config-access-list-policy-name)# sequence number
    vEdge(config-sequence-number)#

    The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either dropping the packet or accepting it as is).
  8. Define match parameters for packets:
    vEdge(config-sequence-number)# match match-parameter
  9. Define actions to take when a match occurs:
    vEdge(config-sequence-number)# action drop
    vEdge(config-sequence-number)# action count counter-name
    vEdge(config-sequence-number)# action log
    vEdge(config-sequence-number)# action accept class class-name
    vEdge(config-sequence-number)# action accept mirror mirror-name
    vEdge(config-sequence-number)# action accept policer policer-name
  10. Create additional numbered sequences of match–action pairs within the access list, as needed.
  11. If a packet does not match any of the conditions in one of the sequences, it is rejected by default. If you want nonmatching packets to be accepted, configure the default action for the access list:
    vEdge(config-policy-name)# default-action accept
  12. Apply the access list to an interface:
    vEdge(config)# vpn vpn-id interface interface-name
    vEdge(config-interface)# access-list list-name (in | out)

    Applying the access list in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.
    For QoS, apply a DSCP rewrite rule to the same egress interface:
    vEdge(config)# vpn vpn-id interface interface-name rewrite-rule rule-name
    Note that it is also possible to apply a policer directly to an interface, which has the effect of policing all packets transiting the interface, rather than policing only the selected packets that match the access list. You can apply the policer to either inbound or outbound packets:
    vEdge(config)# vpn vpn-id interface interface-name
    vEdge(config-interface)# policer policer-name (in | out)
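The procedure above, assembled into one configuration in the hierarchical form used under Structural Components below. This is an added example, not configuration from the original article: the list, class, scheduler, map, rewrite-rule, mirror, policer, access-list and counter names, the prefixes and addresses, and the VPN and interface numbers are all assumptions, as is the qos-map interface command used to attach the QoS map to the WAN interface (the article shows only the rewrite-rule attachment).

```text
policy
  lists
    data-prefix-list voice-servers
      ip-prefix 10.20.0.0/24
  class-map
    class voice queue 0
  qos-scheduler voice-sched
    class voice
    bandwidth-percent 20
    buffer-percent 20
    drops tail-drop
    scheduling llq
  qos-map wan-qos
    qos-scheduler voice-sched
  rewrite-rule wan-rewrite
    class voice low dscp 46
  mirror span-collector
    remote-dest 10.99.0.5 source 10.1.1.1
  policer syn-policer
    rate 1000000
    burst 15000
    exceed drop
  access-list lan-in
    sequence 10
      match
        destination-port 23
      action drop
        count telnet-dropped
        log
    sequence 20
      match
        destination-data-prefix-list voice-servers
        protocol 17
      action accept
        class voice
    sequence 30
      match
        tcp syn
      action accept
        mirror span-collector
        policer syn-policer
        count syn-pkts
    default-action accept
vpn 1
  interface ge0/1
    access-list lan-in in
vpn 0
  interface ge0/0
    qos-map wan-qos
    rewrite-rule wan-rewrite
```

Sequence 10 drops, counts and logs Telnet before any accept sequence can classify it, sequence 20 places UDP to the voice servers in the LLQ class that the rewrite rule marks on WAN egress, and sequence 30 mirrors and rate-limits TCP SYN packets while counting them. Because the class is assigned on the LAN ingress list and the queue and DSCP rewrite act on the WAN egress interface, the QoS map and rewrite rule are attached to ge0/0 in VPN 0, not to the interface carrying the access list.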

Structural Components of Configuration for Access Lists

Following are the structural components required to configure access lists. Each one is explained in more detail in the sections below.

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
  class-map
    class class-name queue number
  qos-scheduler scheduler-name
    class class-name
    bandwidth-percent percentage
    buffer-percent percentage
    drops drop-type
    scheduling type
  qos-map map-name
    qos-scheduler scheduler-name
  rewrite-rule rule-name
    class class-name loss-priority dscp dscp-value
  mirror mirror-name
    remote-dest ip-address source ip-address
  policer policer-name
    rate bandwidth
    burst bytes
    exceed action
  access-list list-name
    sequence number
      match
        match-parameters
      action
        drop
        count counter-name
        log
        accept
          class class-name
          mirror mirror-name
          policer policer-name
    default-action
      (accept | drop)
vpn vpn-id
  interface interface-name
    access-list list-name (in | out)
    policer policer-name (in | out)
    rewrite-rule rule-name

Lists

Access lists use prefix lists to group related prefixes. You configure lists under the policy lists command hierarchy on vEdge routers.

List type: Data prefix list
Description: List of one or more IP prefixes.
Command:
data-prefix-list list-name
  ip-prefix prefix/length

QoS Parameters

To configure QoS parameters, first define a classification:

vEdge(config)# policy class-map class class-name queue number

Each interface has eight queues, numbered from 0 through 7. The default scheduling method for all queues is weighted round-robin (WRR). However, queue 0 is reserved for low-latency queuing (LLQ), so any class that is mapped to queue 0 must be configured to use LLQ.

Then configure scheduling and assign a scheduler to a QoS map:

vEdge(config)# policy qos-scheduler scheduler-name
vEdge(config-qos-scheduler)# class class-name
vEdge(config-qos-scheduler)# bandwidth-percent percentage
vEdge(config-qos-scheduler)# buffer-percent percentage
vEdge(config-qos-scheduler)# drops (red-drop | tail-drop)
vEdge(config-qos-scheduler)# scheduling (llq | wrr)

vEdge(config-policy)# qos-map map-name qos-scheduler scheduler-name

Finally, configure DSCP rewrite rules:

vEdge(config)# policy rewrite-rule rule-name class class-name loss-priority dscp dscp-value

Mirroring Parameters

To configure mirroring parameters, define the remote destination to which to mirror the packets, and define the source of the packets:

vEdge(config)# policy mirror mirror-name
vEdge(config-mirror)# remote-dest ip-address source ip-address

Policer Parameters

To configure policing parameters, create a policer that specifies the maximum bandwidth and burst rate for traffic on an interface, and how to handle traffic that exceeds these values:

vEdge(config)# policy policer policer-name
vEdge(config-policer)# rate bps
vEdge(config-policer)# burst bytes
vEdge(config-policer)# exceed (drop | remark)

Sequences

An access list contains sequences of match–action pairs. The sequences are numbered to set the order in which a packet is analyzed by the match–action pairs in the access list. You configure sequences with the policy access-list sequence command.

Each sequence in an access list can contain one match command and one action command.

Match Parameters

Access lists can match IP prefixes and fields in the IP headers. You configure the match parameters under the policy access-list sequence match command.

Each sequence in an access-list must contain one match command.

For access lists, you can match these parameters:

Description: Classification map
Command: class class-name
Value or Range: Name of a class defined with a policy class-map command.

Description: Group of destination prefixes
Command: destination-data-prefix-list list-name
Value or Range: Name of a data-prefix-list list.

Description: Individual destination prefix
Command: destination-ip prefix/length
Value or Range: IP prefix and prefix length.

Description: Destination port number
Command: destination-port number
Value or Range: 0 through 65535. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Description: DSCP value
Command: dscp number
Value or Range: 0 through 63.

Description: Internet Protocol number
Command: protocol number
Value or Range: 0 through 255.

Description: Packet length
Command: packet-length number
Value or Range: Length of the packet; number can be from 0 through 65535. Specify a single length, a list of lengths (with numbers separated by a space), or a range of lengths (with the two numbers separated with a hyphen [-]).

Description: Group of source prefixes
Command: source-data-prefix-list list-name
Value or Range: Name of a data-prefix-list list.

Description: Individual source prefix
Command: source-ip prefix/length
Value or Range: IP prefix and prefix length.

Description: Source port number
Command: source-port number
Value or Range: 0 through 65535. Specify a single port number, a list of port numbers (with numbers separated by a space), or a range of port numbers (with the two numbers separated with a hyphen [-]).

Description: TCP flag
Command: tcp flag
Value or Range: syn

Action Parameters

When a packet matches the conditions in the match portion of an access list, the packet can be accepted or dropped, and it can be counted. Then, you can classify, mirror, or police accepted packets. You configure the action parameters with the policy access-list sequence action command.

Each sequence in an access list can contain one action command.

In the action, you first specify whether to accept or drop a matching data packet, and whether to count it:

Description: Accept the packet. An accepted packet is eligible to be modified by the additional parameters configured in the action portion of the access list.
Command: accept

Description: Count the accepted or dropped packets.
Command: count counter-name
Value or Range: Name of a counter. To display counter information, use the show policy access-lists counters command on the vEdge router.

Description: Discard the packet. This is the default action.
Command: drop

Description: Log the packet. Packets are placed into the messages and vsyslog system logging (syslog) files.
Command: log
Value or Range: To view the packet logs, use the show app log flows and show log commands.

For a packet that is accepted, the following actions can be configured:

Description: Classify the packet.
Command: class class-name
Value or Range: Name of a QoS class defined with a policy class-map command.

Description: Mirror the packet.
Command: mirror mirror-name
Value or Range: Name of a mirror defined with a policy mirror command.

Description: Police the packet.
Command: policer policer-name
Value or Range: Name of a policer defined with a policy policer command.

Description: Set the packet's DSCP value.
Command: set dscp value
Value or Range: 0 through 63.

Default Action

If a packet being evaluated does not match any of the match conditions in an access list, a default action is applied to this packet. By default, the packet is dropped. To modify this behavior, include the access-list default-action accept command in the access list.

Applying Access Lists

For an access list to take effect, you must apply it to an interface:

vEdge(config)# vpn vpn-id interface interface-name
vEdge(config-interface)# access-list list-name (in | out)

Applying the access list in the inbound direction (in) affects packets being received on the interface. Applying it in the outbound direction (out) affects packets being transmitted on the interface.

For an access list that applies QoS classification, apply any DSCP rewrite rules to the same interface to which you apply the access list:

vEdge(config)# vpn vpn-id interface interface-name rewrite-rule rule-name

Note that you can also apply a policer directly to an interface, which has the effect of policing all packets transiting the interface, rather than policing only the selected packets that match the access list. You can apply the policer to either inbound or outbound packets:

vEdge(config)# vpn vpn-id interface interface-name
vEdge(config-interface)# policer policer-name (in | out)

Interaction between Explicit and Implicit Access Lists

Access lists that you configure through localized data policy using the policy access-list command are called explicit ACLs. You can apply explicit ACLs to any interface in any VPN on the router.

The router's tunnel interfaces in VPN 0 also have implicit ACLs, which are also referred to as services. Some services are enabled by default on the tunnel interface, and are in effect unless you disable them. Through configuration, you can also enable other services. You configure and modify implicit ACLs with the allow-service command:

vEdge(config)# vpn 0
vEdge(config-vpn)# interface interface-name
vEdge(config-interface)# tunnel-interface
vEdge(config-tunnel-interface)# allow-service service-name
vEdge(config-tunnel-interface)# no allow-service service-name

On vEdge routers, the following services are enabled by default: DHCP (for DHCPv4 and DHCPv6), DNS, and ICMP. These three services allow the tunnel interface to accept DHCP, DNS, and ICMP packets. You can also enable services for BGP, Netconf, NTP, OSPF, SSHD, and STUN.

When data traffic matches both an explicit ACL and an implicit ACL, how the packets are handled depends on the ACL configuration. Specifically, it depends on:

  • Whether the implicit ACL is configured as allow (allow-service service-name) or deny (no allow-service service-name). Allowing a service in an implicit ACL is the same as specifying the accept action in an explicit ACL, and a service that is not allowed in an implicit ACL is the same as specifying the drop action in an explicit ACL.
  • Whether, in an explicit ACL, the accept or deny action is configured in a policy sequence or in the default action.

The following table explains how traffic matching both an implicit and an explicit ACL is handled:

Implicit ACL      Explicit ACL: Sequence    Explicit ACL: Default    Result
Allow (accept)    Deny (drop)               -                        Deny (drop)
Allow (accept)    -                         Deny (drop)              Allow (accept)
Deny (drop)       Allow (accept)            -                        Allow (accept)
Deny (drop)       -                         Allow (accept)           Deny (drop)

In the table, "-" in a column means that column does not apply: when a sequence matches the packet, the sequence action decides; when no sequence matches, the default action is what the explicit ACL contributes.
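The interaction described in the table, as an added example that is not configuration from the original article: an explicit ACL applied inbound on a VPN 0 tunnel interface whose sequence 10 drops ICMP arriving from an untrusted prefix list, while the tunnel interface keeps its default services. The interface name, list name, prefix, counter name and access-list name are assumptions; the hierarchical form follows the Structural Components section above.

```text
policy
  lists
    data-prefix-list untrusted-nets
      ip-prefix 203.0.113.0/24
  access-list tunnel-in
    sequence 10
      match
        protocol 1
        source-data-prefix-list untrusted-nets
      action drop
        count icmp-untrusted-dropped
        log
    default-action accept
vpn 0
  interface ge0/0
    tunnel-interface
      allow-service dhcp
      allow-service dns
      allow-service icmp
      no allow-service sshd
    access-list tunnel-in in
```

ICMP from 203.0.113.0/24 is dropped and counted because an explicit sequence overrides the implicit allow (row 1 of the table), whereas SSH to the tunnel interface stays blocked even though the explicit default action is accept, because a default action never overrides an implicit deny (row 4).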

Additional Information

Localized Data Policy
