Control vs Data Policy

Steytler
Level 1

I'm a little confused with something and maybe I'm not confused but the information I'm getting is wrong.  I'm new to SD-WAN and drinking from a firehose.  Between the gazillion pages of documentation covering 3-4 iterations of config guides and reading between the lines I can't seem to keep these concepts straight.

A data policy is based on source/dest IP, source/dest port, protocol and DSCP.  Follows routes available.

A control policy is based on route and tloc. Defines the routing topology.

 

If I don't know how traffic from point A to point B is routed [path over a custom topology or for a lack of better terms a tloc pbr] how am I to know if the policy is a Control or Data policy?

 

Ideas?  

5 Replies

Hi,

 

Control policy is evaluated on vSmart and isn't sent to Edge routers.

vSmart checks, changes, filters routes based on policy and sends final result to Edge routers.

Edge router doesn't know about centralized control policy and its details, it knows what vSmart sends to it.

 

On the other hand, centralized data policy is sent from vSmart to vEdges. It is like advanced PBR. I remember that there are certain cases where vSmart changes routing information due to centralized data policy.

 

Returning to your question, it is a bit unclear. Could you clarify a bit?

 

Regards,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

svemulap@cisco.com
Cisco Employee
Hi Steytler -

Control Policy:
Is executed on vSmart based on the information that it receives from the edge devices
(i.e., routing info via OMP updates, and TLOC attributes).
vSmart uses this to determine the topology and status of the overlay network and then advertises this to the SD-WAN devices in the network (via OMP updates).

Data Policy:
Is configured and applied on the vSmart controller and then it is carried in OMP updates to the edge (SD-WAN) devices.
Is executed locally on the edge (SD-WAN) device.
Data policy checks the SRC/DST address(es) and ports and DSCP values, and for matching packets, it can modify the NH or apply a policer to the packets.


Please check out: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-16/policies-book-xe/policy-framework.html#id_113325
... which covers the Policy Operation.

More specifically, check out the "Configure and Execute Cisco vSmart Policies" section (figure 4).


HTH.
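
The two policy types from the reply above, side by side in vSmart CLI policy format. This is an added example, not part of the original thread or of Cisco's documentation; every list name, site ID, prefix and address in it is constructed for illustration.

```text
! Constructed example: names, site IDs, prefixes and addresses are illustrative.
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list CORP-VPN
   vpn 10
  !
  tloc-list HUB-TLOCS
   tloc 10.255.0.1 color mpls encap ipsec
  !
 !
 ! Control policy: matches OMP routes/TLOCs, evaluated on vSmart only.
 control-policy VIA-HUB
  sequence 10
   match route
    site-list BRANCHES
   !
   action accept
    set
     tloc-list HUB-TLOCS
    !
   !
  !
  default-action accept
 !
 ! Data policy: matches packet fields, sent to the edge and executed there.
 data-policy STEER-VOICE
  vpn-list CORP-VPN
   sequence 10
    match
     destination-ip 10.20.0.0/16
     protocol 17
     dscp 46
    !
    action accept
     set
      next-hop 10.1.1.254
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  control-policy VIA-HUB out
  data-policy STEER-VOICE from-service
```

The match clause is the quickest tell when reviewing a policy: `match route` or `match tloc` means a control policy that changes what vSmart advertises, while a match on addresses, ports, protocol or DSCP inside a `vpn-list` means a data policy acting on packets at the edge.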

Well - the question still stands. If I'm being told that traffic is being redirected from A to B and I have to decide if it is a Control or Data policy with nothing more than that statement, I don't have enough information to decide if the traffic being redirected is done so with a Control policy or a Data policy. Or am I missing something?

hi Steytler -

If you want to 'steer' or 'redirect' the traffic from A to B - it is a data policy.
Control policy - is more like your routing / topology table.
Once you have this, you can use 'data-policy' to steer the traffic from the default RIB NH.

Hope this is clear.

awesome - that helps a lot.  The terminology is so esoteric.