Policies can be configured to influence the flow of traffic in the overlay network. Policies can be control plane or data plane policies, and they can be configured centrally on the vSmart controller or locally on the vEdge routers.
Centralized control policies operate on the routing and TLOC information and allow for customization of routing decisions and determination of routing paths through the overlay network. These policies can be used in configuring traffic engineering, path affinity, service insertion, and different types of VPN topologies.
Data policies influence the flow of data traffic through the network based on fields in the IP packet headers and VPN membership. Centralized data policies can be used in configuring application firewalls, service chaining, traffic engineering, and QoS. Localized data policies allow you to configure how data traffic is handled at a specific site, such as through ACLs, QoS, mirroring, or policing.
Application-Aware Routing
Application-aware routing policies are key centralized policies that affect traffic on a vEdge router flowing from the LAN side toward the WAN transport tunnels. Application-aware routing selects the best path for each traffic type based on real-time performance measurements of the tunnels. Traffic is matched and placed into an SLA class, which defines maximum loss, jitter, and delay values. The ability to consider factors in path selection other than those used by standard routing protocols—such as route prefixes, metrics, and link-state information—is one of the main benefits of using SD-WAN.
The routing behavior is as follows:
- Traffic is load balanced across all tunnels meeting the SLA class. If no tunnels meet the SLA, the traffic is sent through any available tunnel.
- If preferred colors are specified in the policy, traffic is sent through the preferred color tunnels as long as the SLA is met. If no tunnels meet the SLA, the traffic is sent through any available tunnel.
- If a backup SLA-preferred color is specified, then that tunnel is used when there are no paths that meet the SLA. Another path is used if the backup tunnel is unavailable.
- The strict keyword can be used in the policy. If strict is configured and no tunnel can meet the SLA, the traffic is dropped rather than sent over a non-compliant tunnel.
- The policy can be configured with no default action. In this case, if traffic does not match any sequence in the list, it is routed normally according to the routing protocol. Alternatively, this default traffic can be placed into an SLA class.
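The path-selection rules above, modelled as an added Python example (not Cisco code, and not the controller's actual algorithm): tunnel measurements, SLA thresholds, policy sequences, and the dscp match are all constructed values, and the order in which strict is checked before the backup color is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass
class Tunnel:            # one overlay tunnel, identified by its TLOC color
    color: str
    loss: float          # measured packet loss, percent
    latency: int         # measured latency, ms
    jitter: int          # measured jitter, ms

@dataclass
class SlaClass:          # thresholds a tunnel must stay within to satisfy the class
    loss: float
    latency: int
    jitter: int
    def met_by(self, t: Tunnel) -> bool:
        return t.loss <= self.loss and t.latency <= self.latency and t.jitter <= self.jitter

def select_paths(tunnels, sla, preferred_colors=(), backup_color=None, strict=False):
    """Return the tunnels the flow is load balanced across; [] means the flow is dropped."""
    meeting = [t for t in tunnels if sla.met_by(t)]
    preferred = [t for t in meeting if t.color in preferred_colors]
    if preferred:                     # preferred colors win while they still meet the SLA
        return preferred
    if meeting:                       # otherwise load balance over every SLA-compliant tunnel
        return meeting
    if strict:                        # strict and nothing meets the SLA: drop (assumed to beat backup)
        return []
    backup = [t for t in tunnels if t.color == backup_color]
    if backup:                        # backup SLA-preferred color when no path meets the SLA
        return backup
    return list(tunnels)              # no backup available either: any available tunnel

def route_flow(flow, sequences, tunnels, default_sla=None):
    """sequences: ordered (match_fn, action kwargs) pairs, like policy sequence numbers.
    Returns None when nothing matches and no default action is set (the flow is routed
    normally by the routing protocol); otherwise the result of select_paths()."""
    for match, action in sequences:
        if match(flow):
            return select_paths(tunnels, **action)
    return None if default_sla is None else select_paths(tunnels, default_sla)

# Constructed sample state: three tunnels and two SLA classes (not real measurements).
TUNNELS = [Tunnel("mpls", 0.2, 40, 5), Tunnel("biz-internet", 0.8, 120, 20), Tunnel("lte", 3.0, 250, 60)]
VOICE = SlaClass(loss=1.0, latency=150, jitter=30)      # met by mpls and biz-internet
TIGHT = SlaClass(loss=0.1, latency=30, jitter=2)        # met by no tunnel
VOICE_SEQ = [(lambda f: f.get("dscp") == 46, {"sla": VOICE, "preferred_colors": ("mpls",)})]

if __name__ == "__main__":
    print([t.color for t in route_flow({"dscp": 46}, VOICE_SEQ, TUNNELS)])     # ['mpls']
    print(route_flow({"dscp": 0}, VOICE_SEQ, TUNNELS))                         # None
    print(select_paths(TUNNELS, TIGHT, strict=True))                           # []
```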