Hi, community,
Can we match and act on user traffic that goes through the data plane IPsec tunnels with an access-list (localized data policy) applied on the local transport interface on a router? The official configuration guide is unclear about whether we can only match traffic from/to the underlay or whether we can also match and act on overlay traffic, since it is IPsec encapsulated.
For example, I have the following local policy configured.
cEdge(config)#
policy
 access-list DENY-ICMP
  sequence 11
   match
    protocol 1
   !
   action drop
    count ICMP-PACKETS
   !
  default-action accept
 !
I apply the policy to both local TLOCs (Gi1 and Gi2).
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  exit
  access-list DENY-ICMP in
  access-list DENY-ICMP out
 !
 interface GigabitEthernet2
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
  exit
  access-list DENY-ICMP in
  access-list DENY-ICMP out
 !
I can still ping remote sites, and the counter doesn't increase. However, if I ping from the underlay to the router, ICMP is dropped, and the counter increases.
cEdge# sh sdwan policy access-list-counters
NAME       COUNTER NAME          PACKETS  BYTES
-----------------------------------------------------------------------------
DENY-ICMP  ICMP-PACKETS          5        570
           default_action_count  75394    15503184
So a localized data policy can only match underlay traffic and can't match and act on user traffic going through the IPsec tunnels?
Am I missing something? Is there a different way to apply a localized data policy to an IPsec tunnel?
Thanks in advance, Ivan.
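An added illustration of the counter behaviour described in the post (not code from the original post or from Cisco): a small model of an ACL that, like a transport-side localized policy, classifies on the outermost IPv4 header only. It assumes the SD-WAN data plane UDP-encapsulates ESP on port 12346 (the platform default) and uses constructed packets and addresses throughout.

```python
import struct

# Mirrors the DENY-ICMP policy from the post: one sequence, drop IP protocol 1.
DENY_ICMP = {
    "sequences": [{"seq": 11, "match": {"protocol": 1}, "action": "drop", "count": "ICMP-PACKETS"}],
    "default_action": "accept",
}

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options) in front of payload; constructed test data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def sdwan_ipsec_encap(inner, tloc_src, tloc_dst):
    """Wrap an overlay packet the way the transport interface sees it: outer IPv4 ->
    UDP (SD-WAN data-plane port 12346, assumed default) -> ESP header -> ciphertext.
    The encrypted inner packet is stood in for by opaque bytes of the same length."""
    esp = struct.pack("!II", 0x1001, 1) + b"\x00" * len(inner)  # SPI, sequence, opaque payload
    udp = struct.pack("!HHHH", 12346, 12346, 8 + len(esp), 0) + esp
    return ipv4(17, tloc_src, tloc_dst, udp)

def run_acl(acl, packets):
    """Evaluate the ACL against the OUTERMOST IPv4 header of each packet (the assumption
    this model makes about a transport-side localized policy). Returns per-counter hits."""
    counters = {s["count"]: 0 for s in acl["sequences"]}
    counters["default_action_count"] = 0
    for pkt in packets:
        proto = pkt[9]  # IPv4 protocol field
        for s in acl["sequences"]:
            if s["match"]["protocol"] == proto:
                counters[s["count"]] += 1
                break
        else:
            counters["default_action_count"] += 1
    return counters

def demo():
    icmp_echo = b"\x08\x00\x00\x00" + b"\x00" * 4  # ICMP echo request header, constructed
    underlay_ping = ipv4(1, "203.0.113.10", "198.51.100.1", icmp_echo)  # aimed at the TLOC itself
    lan_ping = ipv4(1, "10.1.1.10", "10.2.2.10", icmp_echo)              # site-to-site user ping
    overlay_ping = sdwan_ipsec_encap(lan_ping, "198.51.100.1", "198.51.100.2")
    # Underlay pings hit sequence 11; tunnelled pings look like UDP and fall to the default action.
    return run_acl(DENY_ICMP, [underlay_ping] * 5 + [overlay_ping] * 3)

if __name__ == "__main__":
    print(demo())  # {'ICMP-PACKETS': 5, 'default_action_count': 3}
```

The inner ICMP header is still protocol 1, but after encapsulation the header the transport ACL reads is protocol 17, which is why only the underlay pings move the ICMP-PACKETS counter in this model.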