In the previous lesson about Application-aware (App-route) Policies, we have seen the tunnel selection process in different scenarios and policy actions. In this lesson, we are going to explore a special case that occurs when a particular data traffic matches on both App-route and Data policy.
Cisco vEdge Order of Operations
In a typical production SD-WAN deployment, it is common for WAN edge routers to have multiple SD-WAN policy types applied. In such scenarios, we should know the order of operations of a vEdge router and how the policies interact with each other.
Figure1 illustrates the order in which a WAN edge router executes each policy type.
- When a WAN edge router receives data traffic on one of its service-side interfaces, it matches the packets against the applied Local Ingress Policy, which in a sense is just an access list (ACL) applied inbound on the LAN interface. If the traffic flow is not dropped, the WAN edge router passes it for evaluation to the applied Application-aware Routing Policy.
- Then the traffic is matched against the applied application-aware routing (app-route) policy. If the traffic flow is not dropped and it does not match, pass the router passes it to the data policy for evaluation.
- Then the traffic is matched against the applied centralized data policy. If it matches a particular sequence, the specified action is executed. If it doesn't match anywhere and the default action is "accept", the traffic is forwarded according to the VPN routing table.
AAR alongside Data policy loose preference
A special use case occurs when a WAN edge router has both AAR and centralized data policy applied in a “from-service” direction. An example of such a use-case would be a WAN edge router that has the following two policies applied.
Ingress Policy 1. An Application-aware Routing (App-route) policy that matches data traffic marked with dscp 46 coming from the service-side in VPN 1. The policy specifies a loose matching action that sets preferred egress colors - mpls and lte;
app-route-policy AAR-POLICY vpn-list VPN1 sequence 11 match dscp 46 ! action sla-class VOIP-SLA preferred-color mpls lte !
Ingress Policy 2. Centralized data policy applied that matches data traffic marked with dscp 46 coming from the service-side in VPN 1. The policy specifies a loose matching action that sets preferred egress colors - mpls and biz-internet;
data-policy DATA-POLICY vpn-list VPN1 sequence 11 match dscp 46 ! action accept set local-tloc-list MPLS-BIZ-INTERNET ! default-action accept !
The question that arises is, which colors the WAN edge router will forward the data traffic through? Will it use the AAR colors or the data policy colors? The answer to this question depends on the current SLA state of the available overlay tunnels. The WAN edge router's logic is illustrated in figure 2 below:
If the App-route preferred colors meet the SLA thresholds, and some of these colors are common with data policy, the common preferred colors are chosen for forwarding*. If you look at the example shown in figure 3 below, you can see that the mpls color is common in both policies and because at the moment it is meeting SLA, only this color is used for forwarding.
* Notice that release 20.6.1 introduced this behavior. Before that, WAN edge routers ignored the application-aware routing policy preferred colors and always forward the data traffic through the data policy colors.
If the App-route preferred colors do not meet the SLA thresholds, but some of the data policy colors meet the SLA in the app-route policy, then these colors are chosen for forwarding. In the example shown below, the app-route colors (mpls and lte) do not meet the SLA. However, the biz-internet colors set in the data policy meet the SLA requirements. Therefore, it is chosen for forwarding.
If no transport colors meet the SLA, the data policy colors always take precedence and are chosen for forwarding. In the example shown in figure 5, you can see that the vEdge router load balances the traffic according to the data policy across the mpls and biz-internet colors.