Skip to main content
Viptela is now part of Cisco.
Support
Product Documentation
Viptela Documentation

Policy Overview

Policy is used to influence the flow of data traffic among the vEdge routers in the overlay network. Policy comprises:

  • Routing policy, which affects the flow of routing information in the network's control plane
  • Data policy, which affects the flow of data traffic in the network's data plane

To implement enterprise-specific traffic control requirements, you create basic policies, and you deploy advanced features of the Viptela software that are activated by means of the policy configuration infrastructure.

Just as the Viptela overlay network architecture clearly separates the control plane from the data plane and clearly separates control between centralized and localized functions, the Viptela policy software is cleanly separated: policies apply either to control plane or data plane traffic, and they are configured either centrally (on vSmart controllers) or locally (on vEdge routers). The following figure illustrates the division between control and data policy, and between centralized and local policy.

        s00091.png

The design of the Viptela policy software distinguishes between basic and advanced policy. Basic policy allows you to influence or determine basic traffic flow through the overlay network. Here, you perform standard policy tasks, such as managing the paths along which traffic is routed through the network, and permitting or blocking traffic based on the address, port, and DSCP fields in the packet's IP header. You can also control the flow of data traffic into and out of a vEdge router's interfaces, enabling features such as class of service and queuing, mirroring, and policing.

Advanced features of Viptela policy software offer specialized policy-based network applications. Examples of these applications include the following:

  • Service chaining, which redirects data traffic to shared devices in the network, such as firewall, intrusion detection and prevention (IDS), load balancer, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site.
  • Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics.
  • Cflowd, for monitoring traffic flow.
  • Converting a vEdge router into a NAT device, to allow traffic destined for the Internet or other public network can exit directly from the vEdge router.

By default, no policy of any kind is configured on Viptela devices, either on the centralized vSmart controllers or the local vEdge routers. When control plane traffic, which distributes route information, is unpolicied:

  • All route information that OMP propagates among the Viptela devices is shared, unmodified, among all vSmart controllers and all vEdge routers in the overlay network domain.
  • No BGP or OSPF route policies are in place to affect the route information that vEdge routers propagate within their local site network.

When data plane traffic is unpolicied, all data traffic is directed towards its destination based on solely on the entries in the local vEdge router's route table, and all VPNs in the overlay network can exchange data traffic.

This article examines the structural components of routing and data policy in the Viptela overlay network.

Centralized and Localized Policy

The Viptela policy software design provides a clear separation between centralized and localized policy. In short, centralized policy is provisioned on the centralized vSmart controllers in the overlay network, and localized policy is provisioned on the vEdge routers, which sit at the network edge between a branch or enterprise site and a transport network, such as the Internet, MPLS, or metro Ethernet.

Centralized Policy

Centralized policy refers to policy provisioned on vSmart controllers, which are the centralized controllers in the Viptela overlay network. Centralized policy comprises two components:

  • Control policy, which affects the overlay network–wide routing of traffic
  • Data policy, which affects the data traffic flow throughout the VPN segments in the network

Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers.

Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.

Localized Policy

Localized policy refers to policy that is provisioned locally, on the vEdge routers in the overlay network

Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network.

Localized data policy allows you to provision access lists and apply them to a specific interface or interfaces on the router. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring, which control how data traffic flows out of and in to the router's interfaces and interface queues.

Control and Data Policy

The Viptela network policy design provides a clean separation between control policy and data policy, to align with the network architecture in which the control and data planes are cleanly separated. Control policy is the equivalent of routing protocol policy, and data policy is equivalent to what are commonly called access control lists (ACLs) and firewall filters.

Control Policy

Control policy, which is similar to standard routing policy, operates on routes and routing information in the control plane of the overlay network. Centralized control policy, which is provisioned on the vSmart controller, is the Viptela technique for customizing network-wide routing decisions that determine or influence routing paths through the overlay network. Local control policy, which is provisioned on a vEdge router, allows customization of routing decisions made by BGP and OSPF on site-local branch or enterprise networks.

The routing information that forms the basis of centralized control policy is carried in Viptela route advertisements, which are transmitted on the DTLS or TLS control connections between vSmart controllers and vEdge routers. Centralized control policy determines which routes and route information are placed into the centralized route table on the vSmart controller and which routes and route information are advertised to the vEdge routers in the overlay network. Basic centralized control policy establish traffic engineering, to set the path that traffic takes through the network. Advanced control policy supports a number of features, including service chaining, which allows vEdge routers in the overlay network to share network services, such as firewalls and load balancers.

s00085.pngCentralized control policy affects the OMP routes that are distributed by the vSmart controller throughout the overlay network. The vSmart controller learns the overlay network topology from OMP routes that are advertised by the vEdge routers over the OMP sessions inside the DTLS or TLS connections between the vSmart controller and the routers. (The DTLS connections are shown in orange in the figure to the right).

Three types of OMP routes carry the information that the vSmart controller uses to determine the network topology:

  • Viptela OMP routes, which are similar to IP route advertisements, advertise routing information that vEdge routers have learned from their local site and the local routing protocols (BGP and OSPF) to the vSmart controller. These routes are also referred to as OMP routes or vRoutes.
  • TLOC routes carry overlay network–specific locator properties, including the IP address of the interface that connects to the transport network, a link color, which identifies a traffic flow, and the encapsulation type. (A TLOC, or transport location, is the physical location where a vEdge router connects to a transport network. It is identified primarily by IP address, link color, and encapsulation, but a number of other properties are associated with a TLOC.)
  • Service routes advertise the network services, such as firewalls, available to VPN members at the vEdge router's local site.

s00087.pngBy default, no centralized control policy is provisioned. In this bare, unpolicied network, all OMP routes are placed in the vSmart controller's route table as is, and the vSmart controller advertised all OMP routes, as is, to all vEdge routers in the same VPN in the network domain.

By provisioning centralized control policy, you can affect which OMP routes are placed in the vSmart controller's route table, what route information is advertised to the vEdge routers, and whether the OMP routes are modified before being put into the route table or before being advertised.

vEdge routers place all the route information learned from the vSmart controllers, as is, into their local route tables, for use when forwarding data traffic. Because the vSmart controller's role is to be the centralized routing system in the network, vEdge routers can never modify the OMP route information that they learn from the vSmart controllers.

The vSmart controller regularly receives OMP route advertisements from the vEdge routers and, after recalculating and updating the routing paths through the overlay network, it advertises new routing information to the vEdge routers.

The centralized control policy that you provision on the vSmart controller remains on the vSmart controller and is never downloaded to the vEdge routers. However, the routing decisions that result from centralized control policy are passed to the vEdge routers in the form of route advertisements, and so the affect of the control policy is reflected in how the vEdge routers direct data traffic to its destination.

A type of centralized control policy called service chaining allows data traffic to be routed through one or more network services, such as firewall, load balancer, and intrusion detection and prevention (IDP) devices, en route to its destination.

Localized control policy, which is provisioned locally on the vEdge routers, is called route policy. This policy is similar to the routing policies that you configure on a regular router, allowing you to modify the BGP and OSPF routing behavior on the site-local network. Whereas centralized control policy affects the routing behavior across the entire overlay network, route policy applies only to routing at the local branch.

                     s00085.png

Data Policy

Data policy influences the flow of data traffic traversing the network based either on fields in the IP header of packets or the router interface on which the traffic is being transmitted or received. Data traffic travels over the IPsec connections between vEdge routers, shown in purple in the adjacent figure.

s00086.png

The Viptela architecture implements two types of data policy:

  • Centralized data policy controls the flow of data traffic based on the source and destination addresses and ports and DSCP fields in the packet's IP header (referred to as a 5-tuple), and based on network segmentation and VPN membership. These types of data policy are provisioned centrally, on the vSmart controller, and they affect traffic flow across the entire network.
  • Localized data policy controls the flow of data traffic into and out of interfaces and interface queues on a vEdge router. This type of data policy is provisioned locally, on the vEdge router, using access lists. It allows you to classify traffic and map different classes to different queues. It also allows you to mirror traffic and to police the rate at which data traffic is transmitted and received. 

By default, no centralized data policy is provisioned. The result is that all prefixes within a VPN are reachable from anywhere in the VPN. Provisioning centralized data policy allows you to apply a 6-tuple filter that controls access between sources and destinations.s00088.png As with centralized control policy, you provision centralized data policy on the vSmart controller, and that configuration remains on the vSmart controller. The effects of data policy are reflected in how the vEdge routers direct data traffic to its destination. Unlike control policy, however, centralized data polices are pushed to the vEdge routers in a read-only fashion. They are not added to the router's configuration file, but you can view them from the CLI on the router.

With no access lists provisioned on a vEdge router, all data traffic is transmitted at line rate and with equal importance, using one of the interface's queues. Using access lists, you can provision class of service, which allows you to classify data traffic by importance, spread it across different interface queues, and control the rate at which different classes of traffic are transmitted. You can also provision packet mirroring and policing.

Basic and Advanced Policy

Finally, the design of the Viptela policy software distinguishes between basic and advanced policy. Basic policy allows you to influence or determine basic traffic flow through the overlay network. Here, you perform standard policy tasks, such as managing the paths along which traffic is routed through the network by influencing the OMP, BGP, and OSPF routes, and permitting or blocking traffic based on the address, port, and DSCP fields in the packet's IP header. You can also control the flow of data traffic into and out of a vEdge router's interfaces, enabling features such as class of service and queuing, mirroring, and policing.

Advanced features of Viptela policy software offer specialized policy-based network applications. Examples of these applications include the following:

  • Service chaining, which allows data traffic to be redirected to shared firewall, intrusion detection and prevention (IDS), load balancer, and other devices before being delivered to its destination, rather than requiring a device at each branch site.
  • Application-aware routing, which selects the best path for traffic based on real-time network and path performance characteristics.
  • Cflowd, for monitoring traffic flow.
  • Converting a vEdge router into a NAT device, to allow traffic destined for the Internet or other public network can exit directly from the vEdge router.
  • Was this article helpful?