- An App-Route policy is a special centralized data policy used for tunnel selection. It is applied only in the from-service (LAN-to-WAN) direction.
- It uses BFD on IPsec tunnels to track packet loss, latency, and jitter in real time.
- Tunnel performance is averaged over a poll-interval (default 10 minutes). Shorter poll-intervals can react faster but can also cause instability if probe volume is too low.
- The app-route multiplier (default 6) creates a sliding window (example: 6 × 10 min = 60 min). A bigger window is more stable but reacts slower.
- App-Route does not skip routing. The router first does a normal VPN routing lookup to find the remote TLOC(s). Then it picks the best local tunnel(s) to reach those TLOCs.
- sla-class action: the router uses only tunnels that meet the SLA thresholds. If more than one tunnel meets SLA, it can load-balance across them.
- preferred-color: when multiple tunnels meet SLA, pin (or prefer) traffic to the listed color(s), often because of higher bandwidth or better reliability.
- If the preferred color does not meet SLA, the router uses other colors that meet SLA.
- backup-sla-preferred-color: when no tunnel meets SLA, pin traffic to a chosen “least-bad” transport instead of load-balancing across all.
- strict: if no tunnel meets SLA, the router drops the matched traffic.
- fallback-to-best-path (BoW): when no tunnel meets SLA, pick the best of the bad tunnels using a chosen criterion (loss, latency, or jitter).
- variance prevents flap when two tunnels are very close in the chosen BoW metric.
- default-action sla-class can apply a baseline SLA rule for traffic that does not match any sequence. It still remains a positive behavior (no strict under default-action).
- Verification tip: show sdwan policy service-path ... all shows which next-hop tunnels the router will use for a specific flow and why.
