4.4 Data Policy Design
| Field |
Value |
| Document ID |
SDWAN-POL-4.4 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
Data policies in Cisco Catalyst SD-WAN control how traffic flows through the network at the data plane level. This section defines Abhavtech's data policy design for traffic steering, service chaining, NAT operations, and advanced traffic manipulation across all 9 global sites.
1.1 Data Policy Architecture
+------------------------------------------------------------------+
| DATA POLICY FRAMEWORK |
+------------------------------------------------------------------+
| |
| Match Criteria |
| +----------------------------------------------------------+ |
| | Source IP | Dest IP | Application | DSCP | |
| | Source Port | Dest Port | Protocol | Packet Len | |
| | Source VPN | SGT | DNS | Prefix | |
| +----------------------------------------------------------+ |
| | |
| v |
| Actions |
| +----------------------------------------------------------+ |
| | Accept/Drop | NAT | Service Chain | Redirect | |
| | Set DSCP | Set Next-Hop| Mirror | Count | |
| | Log | TLOC Action | Local TLOC | Strict | |
| +----------------------------------------------------------+ |
| | |
| v |
| Policy Application |
| +----------------------------------------------------------+ |
| | From-Service: Ingress VPN | From-Tunnel: WAN Ingress | |
| | All: Bidirectional | Localized: Per-Device | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
2. Data Policy Types
2.1 Centralized vs Localized Data Policies
| Aspect |
Centralized Data Policy |
Localized Data Policy |
| Configuration |
SD-WAN Manager |
Device template |
| Distribution |
Via SD-WAN Controller (vSmart) |
Direct to WAN Edge |
| Processing |
vSmart processes policy decisions |
WAN Edge processes locally |
| Scale |
Suitable for global policies |
Suitable for site-specific |
| Use Cases |
Traffic steering, service chain |
Local NAT, ACL |
| Performance |
Slight delay for policy lookup |
Faster local processing |
2.2 Data Policy Directions
| Direction |
Description |
Use Case |
| from-service |
Traffic originating from service VPN |
LAN to WAN traffic steering |
| from-tunnel |
Traffic arriving from WAN tunnels |
WAN to LAN traffic handling |
| all |
Bidirectional policy application |
Comprehensive traffic control |
3. Traffic Steering Policies
3.1 Internet-Bound Traffic Steering
! Centralized Data Policy: Direct Internet Access (DIA)
policy
data-policy _ABHAVTECH-DIA-POLICY_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
destination-data-prefix-list SAAS-PREFIXES
action accept
set
local-tloc-list
color biz-internet
encap ipsec
!
!
!
!
sequence 20
match
app-list SOCIAL-MEDIA-APPS
action accept
set
local-tloc-list
color biz-internet
encap ipsec
!
!
!
!
!
3.2 Hub-Based Traffic Steering
! Traffic to data center applications
policy
data-policy _ABHAVTECH-DC-STEERING_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
destination-data-prefix-list DC-PREFIXES
action accept
set
tloc-list
tloc 10.100.1.1 color mpls encap ipsec preference 100
tloc 10.100.1.2 color mpls encap ipsec preference 90
!
!
!
!
3.3 Branch-to-Branch Direct Steering
! Direct branch connectivity for specific traffic
policy
data-policy _ABHAVTECH-BRANCH-DIRECT_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
source-data-prefix-list BANGALORE-PREFIXES
destination-data-prefix-list DELHI-PREFIXES
app-list VOICE-APPS
action accept
set
tloc-list
tloc 10.100.3.1 color biz-internet encap ipsec ! Delhi direct
!
!
!
!
4. Service Chaining Policies
4.1 Firewall Service Chain
+------------------------------------------------------------------+
| SERVICE CHAIN TOPOLOGY |
+------------------------------------------------------------------+
| |
| Branch Site Hub Site (Mumbai) |
| +---------+ +--------------------------------+ |
| | WAN Edge|-------->| WAN Edge --> Palo Alto FW --> | |
| | |<--------| <-- DC | |
| +---------+ +--------------------------------+ |
| |
| Traffic Flow: Branch -> Hub WAN Edge -> Firewall -> DC |
| |
+------------------------------------------------------------------+
! Service chain configuration for firewall inspection
policy
data-policy _ABHAVTECH-FW-SERVICE-CHAIN_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
destination-data-prefix-list PCI-PREFIXES
action accept
set
service FW vpn 10
local-tloc-list
color mpls
encap ipsec
!
!
!
sequence 20
match
destination-data-prefix-list INTERNET
action accept
set
service FW vpn 10
local-tloc-list
color biz-internet
encap ipsec
!
!
!
!
4.2 Service Chain Definition
! WAN Edge configuration for service chain
sdwan
service FW vrf 10
ipv4-address 10.10.100.10
tracking
!
!
!
! Interface configuration for service
interface GigabitEthernet0/0/2
description To-Palo-Alto-FW
ip address 10.10.100.1 255.255.255.252
service-insertion-type firewall
!
4.3 Service Chain with Fallback
! Service chain with fallback when firewall unavailable
policy
data-policy _ABHAVTECH-FW-FALLBACK_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
destination-data-prefix-list CRITICAL-PREFIXES
action accept
set
service FW vpn 10 fall-back
local-tloc-list
color mpls
encap ipsec
!
!
! Fallback allows traffic to bypass FW if FW is down
! Use only for non-security-critical traffic
!
5. NAT Policies
5.1 NAT Policy Types
| NAT Type |
Use Case |
Configuration Level |
| DIA NAT |
Internet breakout |
Localized policy |
| NAT64 |
IPv6-to-IPv4 translation |
Centralized policy |
| Service NAT |
Service chain return |
Localized policy |
| Inter-VPN NAT |
Overlapping IP handling |
Centralized policy |
5.2 DIA NAT Configuration
! Localized data policy for DIA NAT
policy
lists
data-prefix-list INTERNET
ip-prefix 0.0.0.0/0
!
!
!
policy
data-policy _DIA-NAT-POLICY_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
destination-data-prefix-list INTERNET
action accept
nat pool 1
!
!
!
!
! NAT pool configuration on WAN Edge
ip nat pool NAT-POOL-1 203.0.113.10 203.0.113.20 prefix-length 24
ip nat inside source list NAT-ACL pool NAT-POOL-1 overload
!
interface GigabitEthernet0/0/0
ip nat outside
!
interface Vlan10
ip nat inside
5.3 Inter-VPN NAT for Overlapping Subnets
! Handle overlapping IP addresses between VPNs
policy
data-policy _INTER-VPN-NAT_
vpn-list VPN-30-IOT
sequence 10
match
source-ip 172.18.10.0/24 ! IoT subnet
destination-ip 172.20.100.0/24 ! Shared services
action accept
nat use-vpn 0
nat pool 10
!
!
!
6. Traffic Mirroring and Logging
6.1 Traffic Mirror Policy
! Mirror specific traffic for analysis
policy
data-policy _TRAFFIC-MIRROR_
vpn-list VPN-10-EMPLOYEE
sequence 10
match
app-list SUSPICIOUS-APPS
action accept
mirror
destination 10.10.200.50 ! Security analysis server
!
!
!
6.2 Traffic Logging
! Enable logging for specific traffic flows
policy
data-policy _TRAFFIC-LOGGING_
vpn-list VPN-100-PCI
sequence 10
match
source-ip 0.0.0.0/0
action accept
log
count PCI-TRAFFIC-COUNTER
!
!
7. Per-VPN Data Policies
7.1 VPN 10 - Employee Network
policy
data-policy _VPN10-DATA-POLICY_
vpn-list VPN-10-EMPLOYEE
! Sequence 10: SaaS Direct Internet
sequence 10
match
app-list SAAS-APPS
action accept
set
local-tloc-list
color biz-internet
encap ipsec
!
nat use-vpn 0
nat pool 1
!
!
! Sequence 20: Business apps to DC
sequence 20
match
app-list BUSINESS-CRITICAL-APPS
action accept
set
tloc-list
tloc 10.100.1.1 color mpls encap ipsec preference 100
!
!
!
!
! Sequence 30: Inter-site voice direct
sequence 30
match
app-list VOICE-APPS
destination-data-prefix-list ALL-SITES
action accept
set
tloc-action strict
!
!
!
default-action accept
!
7.2 VPN 20 - Guest Network
policy
data-policy _VPN20-GUEST-DATA-POLICY_
vpn-list VPN-20-GUEST
! Only allow internet access
sequence 10
match
destination-data-prefix-list INTERNET
action accept
set
local-tloc-list
color biz-internet
encap ipsec
!
nat use-vpn 0
nat pool 2
!
!
! Block all internal destinations
sequence 20
match
destination-data-prefix-list RFC1918
action drop
count GUEST-BLOCKED-INTERNAL
!
!
default-action drop
!
7.3 VPN 30 - IoT Network
policy
data-policy _VPN30-IOT-DATA-POLICY_
vpn-list VPN-30-IOT
! Allow to shared services only
sequence 10
match
destination-data-prefix-list SHARED-SERVICES
action accept
set
tloc-list
tloc 10.100.1.1 color mpls encap ipsec
!
!
!
!
! Allow to cloud IoT platforms
sequence 20
match
destination-data-prefix-list IOT-CLOUD-PREFIXES
action accept
set
local-tloc-list
color biz-internet
encap ipsec
!
nat pool 3
!
!
! Block everything else
default-action drop
count IOT-DROPPED
!
7.4 VPN 100 - PCI Zone
policy
data-policy _VPN100-PCI-DATA-POLICY_
vpn-list VPN-100-PCI
! Force all traffic through firewall
sequence 10
match
source-ip 0.0.0.0/0
action accept
set
service FW-PCI vpn 100
tloc-list
tloc 10.100.1.1 color mpls encap ipsec
!
log
count PCI-TRAFFIC
!
!
default-action drop
!
8. Prefix Lists and Application Lists
8.1 Data Prefix Lists
policy
lists
data-prefix-list DC-PREFIXES
ip-prefix 10.10.0.0/16
ip-prefix 10.11.0.0/16
!
data-prefix-list BRANCH-PREFIXES
ip-prefix 172.16.0.0/12
!
data-prefix-list SHARED-SERVICES
ip-prefix 172.20.0.0/16
!
data-prefix-list SAAS-PREFIXES
ip-prefix 13.107.0.0/16 ! Microsoft
ip-prefix 52.96.0.0/14 ! Microsoft
ip-prefix 104.146.0.0/15 ! Salesforce
ip-prefix 170.114.0.0/16 ! WebEx
!
data-prefix-list IOT-CLOUD-PREFIXES
ip-prefix 52.0.0.0/8 ! AWS IoT
ip-prefix 104.0.0.0/8 ! Azure IoT
!
data-prefix-list RFC1918
ip-prefix 10.0.0.0/8
ip-prefix 172.16.0.0/12
ip-prefix 192.168.0.0/16
!
data-prefix-list INTERNET
ip-prefix 0.0.0.0/0
!
8.2 Application Lists for Data Policy
policy
lists
app-list SAAS-APPS
app ms-office-365
app salesforce
app google-workspace
app webex
!
app-list BUSINESS-CRITICAL-APPS
app sap
app oracle-erp
app citrix
app ms-sql
!
app-list VOICE-APPS
app rtp
app sip
app cisco-phone
!
app-list SUSPICIOUS-APPS
app bittorrent
app tor
app ultrasurf
!
9. Policy Application and Activation
9.1 Policy Application Syntax
! Apply data policy to sites
apply-policy
site-list ALL-SITES
data-policy _ABHAVTECH-MAIN-DATA-POLICY_
from-service
!
!
site-list BRANCH-SITES
data-policy _BRANCH-DATA-POLICY_
all
!
!
site-list HUB-SITES
data-policy _HUB-DATA-POLICY_
from-tunnel
!
!
9.2 Policy Activation Steps
1. Create policy in SD-WAN Manager
Configuration > Policies > Centralized Policy > Data Policy
2. Define match criteria and actions
3. Associate with site lists
4. Preview policy impact
- Click Preview to see affected sites
5. Activate policy
- Click Activate to push to controllers
6. Verify deployment
show sdwan policy from-vsmart
show sdwan policy data-policy
10. Monitoring and Verification
10.1 Verification Commands
! View active data policies
show sdwan policy from-vsmart
show sdwan policy data-policy
! Check policy counters
show sdwan policy data-policy counters
! View traffic statistics
show sdwan app-route statistics
! Debug data policy (use with caution)
debug sdwan data-policy
! Check NAT translations
show ip nat translations
show sdwan nat-fwd
! Verify service chain
show sdwan service
10.2 Common Issues and Resolution
| Issue |
Symptom |
Resolution |
| Policy not applied |
Traffic not steered |
Check site-list membership |
| Sequence ordering |
Wrong action taken |
Review sequence numbers |
| NAT failures |
No internet access |
Verify NAT pool config |
| Service chain down |
Traffic blackholed |
Check service tracking |
11. Best Practices
11.1 Data Policy Design Guidelines
| Guideline |
Recommendation |
| Sequence Numbers |
Use increments of 10 for flexibility |
| Default Action |
Always define explicit default |
| Logging |
Enable for security-critical flows |
| NAT Pools |
Size pools for peak concurrent sessions |
| Service Chains |
Configure fallback for non-critical traffic |
| Consideration |
Impact |
Mitigation |
| Many Sequences |
Increased processing |
Consolidate where possible |
| Logging All |
High storage/CPU |
Log selectively |
| Complex Matches |
Slower lookup |
Use specific matches |
12. Summary
| Element |
Abhavtech Configuration |
| Policy Type |
Centralized for steering, Localized for NAT |
| DIA |
Enabled for SaaS and social media |
| Service Chains |
Palo Alto FW for PCI and internet |
| NAT Pools |
3 pools (Employee, Guest, IoT) |
| Logging |
PCI zone traffic logged |
Document Version: 1.0
Last Updated: December 2025
Next Review: March 2026