Policy Applications Using CLIs

CLI commands for configuring and monitoring policy applications.

Application-Aware Routing Command Hierarchy

Configure and apply the policy on Cisco Catalyst SD-WAN Controllers:

policy
  lists
    app-list list-name
      (app application-name | app-family application-family)
    data-prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  sla-class  sla-class-name
    jitter milliseconds
    latency milliseconds
    loss percentage
policy
  app-route-policy policy-name
    vpn-list list-name      
      default-action sla-class sla-class-name
      sequence number
        match
          app-id app-id-name  
          app-list list-name
          destination-data-prefix-list list-name
          destination-ip prefix/length
          destination-port number
          dns (request | response)
          dns-app-list list-name
          dscp number
          plp (high | low)
          protocol number
          source-data-prefix-list list-name
          source-ip prefix/length
          source-port number
        action          
          backup-sla-preferred-color colors
          count
          log
          sla-class sla-class-name [strict] [preferred-color colors]
      
apply-policy  site-list list-name
  app-route-policy policy-name

Configure the data plane tunnel performance monitoring parameters on the Cisco vEdge devices:

bfd
  app-route
    multiplier number
    poll-interval milliseconds
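A worked configuration built from the two hierarchies above, added here as an example and not taken from the Cisco documentation; the policy, list and SLA names, the site range, VPN 10, the 10.10.20.0/24 voice subnet and the BFD timer values are constructed placeholders.

```text
! Cisco Catalyst SD-WAN Controller side: SLA class, lists, policy and activation
policy
 sla-class voice-sla
  loss    1
  latency 150
  jitter  30
 !
 lists
  data-prefix-list voice-subnets
   ip-prefix 10.10.20.0/24
  !
  site-list branch-sites
   site-id 100-199
  !
  vpn-list vpn-10
   vpn 10
  !
 !
 app-route-policy branch-voice
  vpn-list vpn-10
   sequence 10
    match
     source-data-prefix-list voice-subnets
     dscp 46
    !
    action
     sla-class voice-sla strict preferred-color mpls
     backup-sla-preferred-color biz-internet
     log
    !
   !
   default-action sla-class voice-sla
  !
 !
!
apply-policy
 site-list branch-sites
  app-route-policy branch-voice
 !
!
! Cisco vEdge side: how often each tunnel is measured against the SLA (milliseconds) and how many polls are averaged
bfd
 app-route
  multiplier 6
  poll-interval 120000
 !
!
```

With `strict`, voice flows are dropped rather than forwarded when no tunnel meets the SLA, so pair it with monitoring of `show app-route stats` before enabling it broadly.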

Cflowd Traffic Flow Monitoring Command Hierarchy

Configure on Cisco Catalyst SD-WAN Controllers only:

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  cflowd-template template-name 
    collector vpn vpn-id address ip-address port port-number transport transport-type
    flow-active-timeout seconds 
    flow-inactive-timeout seconds
    flow-sampling-interval number
    template-refresh seconds
policy
  data-policy policy-name vpn-list list-name
    default-action action
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
      action
        count counter-name
        drop
        accept
          cflowd
apply-policy 
  site-list list-name  
    data-policy policy-name direction 
    cflowd-template template-name
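A worked centralized policy for the hierarchy above, added here as an example rather than copied from the Cisco documentation; the collector address in VPN 512, the 10.50.0.0/16 data-center prefix, the timers and all names are constructed placeholders.

```text
! Cisco Catalyst SD-WAN Controller: export flow records for VPN 10 at branch sites
policy
 lists
  site-list branch-sites
   site-id 100-199
  !
  vpn-list vpn-10
   vpn 10
  !
 !
 cflowd-template branch-flows
  collector vpn 512 address 10.250.1.20 port 2055 transport transport_udp
  flow-active-timeout 60
  flow-inactive-timeout 15
  flow-sampling-interval 1
  template-refresh 600
 !
 data-policy export-flows vpn-list vpn-10
  sequence 10
   match
    destination-ip 10.50.0.0/16
   !
   action accept
    count dc-flows
    cflowd
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branch-sites
  data-policy export-flows from-service
  cflowd-template branch-flows
 !
!
```

Only flows that hit a sequence whose `accept` action carries `cflowd` are exported; the `default-action accept` forwards everything else without a record, so widen the match if the collector must see all traffic.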

Local Internet Exit Command Hierarchy

Configure and apply a centralized data policy on the Cisco Catalyst SD-WAN Controller:

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
    site-list list-name
      site-id site-id
    vpn-list list-name
      vpn vpn-id
  cflowd-template template-name 
    collector vpn vpn-id address ip-address port port-number 
    flow-active-timeout seconds 
    flow-inactive-timeout seconds  
    template-refresh seconds
policy
  data-policy policy-name vpn-list list-name
    default-action action
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        dscp number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
      action
        count counter-name
        drop
        accept
          nat use-vpn 0
apply-policy 
  site-list list-name  
    data-policy policy-name direction

On a Cisco vEdge device, enable NAT functionality in the WAN VPN:

vpn vpn-id
  interface interface-name
    nat
      refresh (bi-directional | outbound)
      tcp-timeout minutes
      udp-timeout minutes
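A worked pair of configurations for the two hierarchies above, added here as an example and not part of the Cisco documentation; the site range, VPN 10, the 10.0.0.0/8 internal prefix, the interface name and the NAT timers are constructed placeholders.

```text
! Cisco Catalyst SD-WAN Controller: keep internal destinations on the overlay,
! send only branch HTTPS straight to the local Internet exit
policy
 lists
  site-list branch-sites
   site-id 100-199
  !
  vpn-list vpn-10
   vpn 10
  !
 !
 data-policy branch-dia vpn-list vpn-10
  sequence 10
   match
    destination-ip 10.0.0.0/8
   !
   action accept
   !
  !
  sequence 20
   match
    protocol 6
    destination-port 443
   !
   action accept
    count dia-https
    nat use-vpn 0
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branch-sites
  data-policy branch-dia from-service
 !
!
! Cisco vEdge: NAT on the WAN transport interface in VPN 0
vpn 0
 interface ge0/0
  nat
   refresh outbound
   tcp-timeout 60
   udp-timeout 1
  !
 !
!
```

Sequence 10 comes first on purpose: without it, internal destinations that also match a later `nat use-vpn 0` sequence would leave the fabric through the local exit.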

Zone-Based Firewalls

policy
  lists
    prefix-list list-name
      ip-prefix prefix/length
  tcp-syn-flood-limit number
  zone (destination-zone-name | source-zone-name)
    vpn vpn-id
  zone-to-no-zone-internet (allow | deny)
  zone-pair pair-name
    source-zone source-zone-name
    destination-zone destination-zone-name
    zone-policy policy-name
  zone-based-policy policy-name
    default-action action
    sequence number
      match
        destination-data-prefix-list list-name
        destination-ip prefix/length
        destination-port number
        protocol number
        source-data-prefix-list list-name
        source-ip prefix/length
        source-port number
      action
        drop
        inspect
        log
        pass
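A worked zone-based firewall for the hierarchy above, added here as an example rather than taken from the Cisco documentation; the zone, pair and policy names, VPN 10 as the inside zone, the 10.10.0.0/16 user prefix and the SYN-flood limit are constructed placeholders, and the placement of `log` under `action` follows the hierarchy as listed.

```text
! Zones are VPNs; the zone-pair binds a direction to one inspection policy
policy
 zone inside
  vpn 10
 !
 zone outside
  vpn 0
 !
 zone-to-no-zone-internet deny
 tcp-syn-flood-limit 500
 zone-based-policy inside-to-outside
  sequence 10
   match
    source-ip 10.10.0.0/16
    protocol 6
    destination-port 443
   !
   action inspect
   !
  !
  sequence 20
   match
    source-ip 10.10.0.0/16
    protocol 17
    destination-port 53
   !
   action inspect
   !
  !
  sequence 30
   match
    protocol 6
    destination-port 23
   !
   action drop
    log
   !
  !
  default-action drop
 !
 zone-pair inside-outside
  source-zone inside
  destination-zone outside
  zone-policy inside-to-outside
 !
!
```

Only the `inspect` sequences create stateful sessions that admit return traffic; everything else from inside to outside falls to `default-action drop`, and the logged sequence 30 makes telnet attempts visible in `show policy zbfw filter-statistics` and `show policy zbfw sessions`.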

Operational Commands

clear app cflowd flow-all (on Cisco vEdge devices only)
clear app cflowd flows (on Cisco vEdge devices only)
clear app cflowd statistics (on Cisco vEdge devices only)
clear policy zbfw filter-statistics (on Cisco vEdge devices only)
clear policy zbfw global-statistics (on Cisco vEdge devices only)
clear policy zbfw sessions (on Cisco vEdge devices only)
show app-route stats (on Cisco vEdge devices only)
show app cflowd collector (on Cisco vEdge devices only)
show app cflowd flow-count (on Cisco vEdge devices only)
show app cflowd flows (on Cisco vEdge devices only)
show app cflowd statistics (on Cisco vEdge devices only)
show app cflowd template (on Cisco vEdge devices only)
show ip routes (on Cisco vEdge devices)
show policy from-vsmart (on Cisco vEdge devices only)
show policy zbfw filter-statistics (on Cisco vEdge devices only)
show policy zbfw global-statistics (on Cisco vEdge devices only)
show policy zbfw sessions (on Cisco vEdge devices only)
show running-config (on Cisco Catalyst SD-WAN Controllers only)