12-09-2023 12:44 PM
Hi All,
Can someone clarify how I can implement multiple data policies on a cEdge? I have a scenario where I have multiple remote sites in my sdwan topology, with multiple VPNs deployed at each site. I need to enable cflow for all sites, and all VPNs. For this, I created a centralized data policy and deployed it to all sites, and all VPNs. This works fine.
Currently, all sites and all VPNs use the DCs as the centralized internet breakout. I have a requirement to route traffic to some (not all) Internet prefixes via the local Internet breakout for a specific VPN (VPN02) at a specific site (Site-02) only. How do I go about creating a centralized policy for this scenario, i.e. for Site-02 I want the Cflow policy applied to all VPNs but the DIA policy applied only to VPN01 for this site? AFAIK I can have only one centralized data policy per site/VPN in any one direction (either from service or from tunnel), and I already have the Cflow/Netflow policy in place. Please see the attached policies I tested.
12-10-2023 03:27 AM - edited 12-10-2023 03:28 AM
Hi,
Create a site-specific (Site02) centralized data policy (the easy way is to copy the existing one).
Based on your case, you should have (and already have) a generic cflowd rule: match source : 0.0.0.0/0 > action : cflowd. Add a new rule above this one (with a lower sequence number, because it needs to be processed first). New rule: match destination : [addresses you want] > action : both NAT and cflowd.
vpn-list VPN-02
 sequence 1
  match
   destination-data-prefix-list DPX_INTERNET
  action accept
   nat use-vpn 0
   no nat fallback
   cflowd
 sequence 11
  match
   source-ip 0.0.0.0/0
  action accept
   cflowd
 default-action accept
Don't forget that the evaluation logic is like an access-list/route-map: from top down, and if a match exists, the action is taken without further checks. Thus, specific rules should have a lower sequence number (evaluated earlier), and for the same match you should have multiple actions; otherwise only one will work (the one checked first).
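The ordering rule in the answer above is easy to get wrong when a policy is edited later, so here is an added Python model of the top-down, first-match evaluation (this is example code written for this thread, not Cisco's policy engine and not code from the poster). It assumes constructed contents for the DPX_INTERNET data-prefix list (the thread does not show them), models only the match keys used in the answer, and uses sample flows that are made up; the policy names other than VPN-02/DPX_INTERNET are hypothetical. Running it shows that the answer's policy both NATs and exports Internet-bound flows, while two common mistakes (forgetting to repeat cflowd in the DIA sequence, or putting the 0.0.0.0/0 catch-all first) silently lose either the export or the DIA.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the DPX_INTERNET data-prefix list on the page
# (the real list contents are not shown in the thread).
DATA_PREFIX_LISTS = {
    "DPX_INTERNET": ["203.0.113.0/24", "198.51.100.0/24"],
}


@dataclass
class Sequence:
    """One 'sequence N' block: match criteria and the actions applied on a hit."""
    seq: int
    match: dict         # e.g. {"destination-data-prefix-list": "DPX_INTERNET"}
    actions: frozenset  # e.g. frozenset({"accept", "nat use-vpn 0", "cflowd"})


def _matches(rule, src, dst):
    """True when every match criterion of the rule holds for this flow (AND semantics)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key, value in rule.match.items():
        if key == "source-ip":
            if src_ip not in ipaddress.ip_network(value):
                return False
        elif key == "destination-ip":
            if dst_ip not in ipaddress.ip_network(value):
                return False
        elif key == "destination-data-prefix-list":
            nets = [ipaddress.ip_network(p) for p in DATA_PREFIX_LISTS[value]]
            if not any(dst_ip in n for n in nets):
                return False
        else:
            raise ValueError(f"unsupported match key in this model: {key}")
    return True


def evaluate(policy, src, dst, default_action="accept"):
    """First-match evaluation: walk sequences in ascending order and stop at the
    first hit, returning (sequence number, actions). No hit -> (None, {default-action})."""
    for rule in sorted(policy, key=lambda r: r.seq):
        if _matches(rule, src, dst):
            return rule.seq, set(rule.actions)
    return None, {default_action}


def flows_missing_action(policy, flows, action="cflowd"):
    """Audit helper: return the (src, dst) pairs whose winning sequence lacks `action`."""
    return [(s, d) for s, d in flows if action not in evaluate(policy, s, d)[1]]


# The Site-02 / VPN-02 policy from the answer, modelled as data.
POLICY_VPN02 = [
    Sequence(1, {"destination-data-prefix-list": "DPX_INTERNET"},
             frozenset({"accept", "nat use-vpn 0", "no nat fallback", "cflowd"})),
    Sequence(11, {"source-ip": "0.0.0.0/0"}, frozenset({"accept", "cflowd"})),
]

# Two common mistakes, constructed here for contrast (hypothetical policies).
# (a) DIA sequence forgets to repeat cflowd: Internet flows are NATed but never exported.
POLICY_NAT_WITHOUT_CFLOWD = [
    Sequence(1, {"destination-data-prefix-list": "DPX_INTERNET"},
             frozenset({"accept", "nat use-vpn 0", "no nat fallback"})),
    Sequence(11, {"source-ip": "0.0.0.0/0"}, frozenset({"accept", "cflowd"})),
]
# (b) Catch-all cflowd sequence placed first: the DIA sequence is never reached.
POLICY_CATCHALL_FIRST = [
    Sequence(1, {"source-ip": "0.0.0.0/0"}, frozenset({"accept", "cflowd"})),
    Sequence(11, {"destination-data-prefix-list": "DPX_INTERNET"},
             frozenset({"accept", "nat use-vpn 0", "no nat fallback", "cflowd"})),
]

# Constructed sample flows: one to an Internet prefix, one to a DC-hosted prefix.
SAMPLE_FLOWS = [("10.2.0.10", "203.0.113.5"), ("10.2.0.10", "10.1.0.5")]

if __name__ == "__main__":
    cases = [("answer", POLICY_VPN02),
             ("nat-without-cflowd", POLICY_NAT_WITHOUT_CFLOWD),
             ("catchall-first", POLICY_CATCHALL_FIRST)]
    for name, pol in cases:
        for src, dst in SAMPLE_FLOWS:
            print(f"{name}: {src} -> {dst}: {evaluate(pol, src, dst)}")
        print(f"{name}: flows missing cflowd: {flows_missing_action(pol, SAMPLE_FLOWS)}")
```

The model stops at the first matching sequence exactly as the answer describes, so the only way for an Internet-bound flow to get both NAT and cflowd is for a single lower-numbered sequence to carry both actions; a second audit pass with `flows_missing_action(policy, flows, "nat use-vpn 0")` catches the reversed-order case the same way.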