Cisco SD-WAN Policies Introduction

I want to share with you a summary of the key points of SD-WAN policies, their definition and implementation, for building a flexible architecture that adapts to the needs of end users and applications.

Policy classification

SD-WAN policies are used to meet business objectives. Policies can be classified as either centralized or localized policies.

  • Centralized policies: control routing information and data that is forwarded across the Cisco SD-WAN fabric.
    • Control Policies: used to manipulate the structure of the SD-WAN fabric by altering the control plane information exchanged by the Overlay Management Protocol (OMP).
    • Data Policies: used to manipulate the data plane directly by altering the forwarding of traffic through the SD-WAN fabric.
  • Localized policies: control routing and traffic forwarding at the perimeter of the SD-WAN fabric where WAN Edge routers interact with traditional routers. Localized policies can be used to manipulate both the control plane and the data plane.
    • Traditional Localized Policies: include route policy, QoS, and ACLs.
    • Security Policies: support use cases such as compliance, guest access, Direct Cloud Access (DCA), and Direct Internet Access (DIA).

Figure 1 – Cisco SD-WAN Policy Classification

Please note that the colors and numbers in the image above are relevant only to the “Policy Administration, Activation and Enforcement” section and are not related to policy classification.

Policy Building Blocks

While most concepts are applicable to both centralized and localized policies, there are some key differences in the way localized policies are built and applied. This section focuses on centralized policies; Figure 2 shows the three-step process for configuring centralized policies with Cisco SD-WAN.

Figure 2 – Cisco SD-WAN Building Blocks

Policy Administration, Activation and Enforcement

While all of the policies in the Cisco SD-WAN fabric are administered on vManage, different types of policies are enforced at different locations in the network. Figure 3 shows graphically where different policies are enforced when activated as well as the method used: NETCONF/YANG or OMP.

Figure 3 – Cisco SD-WAN Policy Configuration

The reason for using OMP for centralized data policy enforcement, rather than using NETCONF to send the configuration to WAN Edges, is as follows: an OMP routing update enables large-scale changes to be implemented across the SD-WAN fabric very quickly. Individual NETCONF transactions on potentially hundreds or thousands of devices, on the other hand, could take anywhere from minutes to tens of minutes. Centralized data policy changes can be implemented across the fabric as quickly as the OMP routing update is propagated and processed, typically within seconds after the settings are applied to the vSmarts.

Packet Forwarding

Since multiple types of policies can be applied to a given site and affect the forwarding of a single flow, it is important to understand the order in which these policies are applied and evaluated, and how they work together. First, since the control policies do not directly affect the data plane, they are processed independently of the data plane policies. Control policies instead impact the routing information that the data plane is built upon and, in this manner, they are able to impact the forwarding of traffic.

Figure 4 – SD-WAN Packet Forwarding Order of Operations
