Solved: Centralized Policy not works as expected

dragonhunt9111 · ‎12-30-2023

Dear friends,

I have an issue in with very simple centralized policy like below:

I already ping , traceroute OK between site2 to site3 as picture above.

Then I create centralized policy , make anything (IP protocol) goes from PC9 to PC10 , will prefer mpls color.

My policy is:

policy

sla-class hai-sla-class

loss 10

latency 200

jitter 300

!

app-route-policy _hai-vpn-list_any_via_mpls

vpn-list hai-vpn-list

sequence 1

match

source-ip 0.0.0.0/0

protocol 4

!

action

sla-class hai-sla-class preferred-color mpls

!

lists

vpn-list hai-vpn-list

vpn 10

!

site-list hai-site-list

site-id 2-3

!

apply-policy

site-list hai-site-list

app-route-policy _hai-vpn-list_any_via_mpls

!

But when I test by simulator tool in vmanage, it always shows that traffic goes both mpls and biz-internet

And one more thing is, when I change protocol number from 4 (IP) to 1 (ICMP), then it goes as expected (via mpls only)

Then it goes via MPLS as expected:

I don’t know why.

Please help me explain

Thanks you!!!

dragonhunt9111 · ‎01-06-2024

Finally, maybe I found the root cause, it maybe a limitation of virtual device in eve.

First, I just try a simple policy like this: ( i see from youtube clip, tks https://www.youtube.com/watch?v=KR4jqWmcRTk)

policy
sla-class hai-sla-class
loss 10
latency 200
jitter 300
!
app-route-policy _vpn10_via_mpls
vpn-list vpn10
sequence 1
match
source-ip 0.0.0.0/0
app-list voice-ip ( I include rtp and sip in this list)
!
action
sla-class hai-sla-class preferred-color mpls

===============

Then I use simulator tool (with rtp app) , it goes via exactly mpls line.

But maybe the limitation of virtual device in EVE:

- if I choose another app, ex:gmail,... (which is not in my voice-ip list), it goes via 2 line ( as expected)

- Then I choose rtp again, it also goes via both 2 lines <--Maybe this is bug of eve device

- If I refresh page, it goes via mpls as i want.

Thanks !!

View solution in original post

MHM Cisco World · ‎12-30-2023

SLA prefer is use only when both path criteria is match,
so both path have same SAL criteria or internet is better than MPLS ?

MHM

dragonhunt9111 · ‎12-30-2023

Hi MHM,

i think both lines are same, because it is in eve-ng lab, no big delay, and no packet loss

MHM Cisco World · ‎12-30-2023

MHM

dragonhunt9111 · ‎12-31-2023

HI MHM.

When I remove command "protocol 1", it works as I expected. Tks you.

But when I want to make some protocols, example: telnet prefer going via mpls. It still goes via both lines

This is my config:, pls help

P/S: I test removed command "protocol 6" (TCP) but still goes via both

MHM Cisco World · ‎01-01-2024

So NOW we agree that protocol 1 is work only for ICMP.
now for telnet
EDGE-1 telnet to EDGE-2
the telnet from TCP port to known 23
so we use centralize policy and push to both vedge it not work since we specify the TCP port to be 23

solution is push one policy

for EDGE-1
using protocol 6 (TCP)
using Port 23 as destination

and using color strict in EDGE-2
and start telnet from EDGE-1 to EDGE-2

MHM

MHM Cisco World · ‎01-03-2024

Also you can push one policy for each edge

EDGE-1/2

using protocol 6 (TCP)
using Port 23 as destination

Use source and destiantion (no 0.0.0.0)

The source and destiantion is flap for each policy match lan behind each vedge router

MHM

Kanan Huseynli · ‎12-30-2023

Hi,

because you have wrong match. Protocol number 4 means IP-in-IP encapsulation. It does not mean IP protocol, you indeed have IP procotol at later 3. IP protocol number explains what is encapsulated inside IP header (TCP, UDP, IP, GRE, ICMP, OSPF etc.).

Simple, remove protocol 4 in match criteria and it will work as expected. Right now ,you don't have matching traffic, thus it is forwared based on routing > ECMP.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Kanan Huseynli · ‎01-03-2024

Can you share latest policy and also "show app-route stats"? Plus, do you have data policy?