Lesson 1 of 7

Policy Framework Overview

Objective

In this lesson we introduce the SD‑WAN policy hierarchy and demonstrate the practical difference between centralized and localized policies. You will configure a small three‑router lab that models a data‑center "central policy" device and two branch routers that implement localized policies (policy‑based routing). This matters in production because SD‑WAN separates control & management plane policy (centralized) from branch data‑path enforcement (localized): centralized decisions scale and provide consistent intent, while localized enforcement adapts to local topology and last‑mile characteristics.

Real‑world scenario: An enterprise wants all voice traffic to prefer a private MPLS path when healthy (central intent), while each branch can locally steer best‑effort traffic over broadband if the MPLS latency exceeds a threshold (localized enforcement). In this lesson we simulate the intent vs enforcement split using standard IOS features to illustrate the SD‑WAN policy model.


Topology & Device Table

ASCII topology (exact interface names and IP addresses shown):

Hub (Central) GigabitEthernet0/0 192.168.100.1/24 <----> GigabitEthernet0/0 192.168.100.2/24 Branch1 (R1)
                                                                                |
                                                                                +---> LAN 172.16.10.0/24 on R1 GigabitEthernet0/1 172.16.10.1/24

Hub (Central) GigabitEthernet0/1 10.0.0.1/30 <----> GigabitEthernet0/2 10.0.0.2/30 Branch2 (R2)
                                                                       |
                                                                       +---> LAN 172.16.20.0/24 on R2 GigabitEthernet0/1 172.16.20.1/24

Combined diagram:

                 [Hub-RTR]
              Gi0/0 192.168.100.1/24
              Gi0/1 10.0.0.1/30
                 /              \
                /                \
  192.168.100.2/24               10.0.0.2/30
    [Branch1 R1]                 [Branch2 R2]
    Gi0/1 172.16.10.1/24         Gi0/1 172.16.20.1/24

Device Table

Device    Interface            IP Address      Subnet Mask      Role
Hub-RTR   GigabitEthernet0/0   192.168.100.1   255.255.255.0    Centralized policy hub; WAN link to Branch1
Hub-RTR   GigabitEthernet0/1   10.0.0.1        255.255.255.252  WAN link to Branch2
Branch1   GigabitEthernet0/0   192.168.100.2   255.255.255.0    WAN link to Hub
Branch1   GigabitEthernet0/1   172.16.10.1     255.255.255.0    Branch LAN (hosts)
Branch2   GigabitEthernet0/2   10.0.0.2        255.255.255.252  WAN link to Hub
Branch2   GigabitEthernet0/1   172.16.20.1     255.255.255.0    Branch LAN (hosts)

Note: Interfaces and IPs above are exact and used in all commands below. Think of the Hub-RTR as the SD‑WAN central controller (vSmart/vManage intent engine) for policy intent, and Branch routers as SD‑WAN edges that enforce localized data‑path policy.


Key Concepts (Theory & Packet Flow)

  • Policy Hierarchy (Intent vs Enforcement):

    • Centralized policies express intent (e.g., "prefer MPLS for voice"). In SD‑WAN this is authored centrally (vManage/vSmart). The central policy does not sit directly on every branch’s forwarding plane — it is distributed as instructions or route updates.
    • Localized policies are enforced on the edge box (branch) and adjust forwarding based on local metrics (latency, jitter, link status). Example: policy‑based routing (PBR) on a branch that steers HTTP over broadband when MPLS latency > 150 ms.
  • Control vs Data Plane Separation:

    • Central control policy shapes what the edges learn: which routes and transports are advertised to which sites and with what preference. It changes forwarding indirectly, by changing the routing information the edges receive.
    • Central data policy is also authored centrally, but it is pushed to the edges and enforced in their data plane next to the localized policy. The edge, not the controller, touches the packet (next hop, DSCP remarking, packet steering).
  • Policy Distribution and Convergence:

    • In SD‑WAN, controllers distribute policy via control channels — branches install that policy or corresponding routes. Changes at central point propagate to edges; edges enforce them immediately without requiring manual device‑by‑device edits.
  • Packet Flow Example (Production):

    • An RTP packet originates at Host A (172.16.10.2). Branch1 classifies it and applies its local policy: while the MPLS path is healthy and the central intent says "use MPLS", the packet follows the MPLS path to the Hub and onward. If Branch1's own measurements show the MPLS path degraded, localized enforcement moves the flow to broadband without waiting for the controller.
  • Analogy: Think of centralized policy like a company policy document (authoritative intent). Localized policies are local managers interpreting and enforcing the policy at their site, making local adjustments when necessary.


Step-by-step configuration

Step 1: Configure basic interface IPs on all routers

What we are doing: Configure IP addresses and bring up interfaces so the three routers can exchange traffic. This establishes the management/control plane connectivity required before any policy logic can operate.

Hub-RTR# configure terminal
Hub-RTR(config)# interface GigabitEthernet0/0
Hub-RTR(config-if)# ip address 192.168.100.1 255.255.255.0
Hub-RTR(config-if)# no shutdown
Hub-RTR(config-if)# exit
Hub-RTR(config)# interface GigabitEthernet0/1
Hub-RTR(config-if)# ip address 10.0.0.1 255.255.255.252
Hub-RTR(config-if)# no shutdown
Hub-RTR(config-if)# exit
Hub-RTR(config)# exit

Branch1# configure terminal
Branch1(config)# interface GigabitEthernet0/0
Branch1(config-if)# ip address 192.168.100.2 255.255.255.0
Branch1(config-if)# no shutdown
Branch1(config-if)# exit
Branch1(config)# interface GigabitEthernet0/1
Branch1(config-if)# ip address 172.16.10.1 255.255.255.0
Branch1(config-if)# no shutdown
Branch1(config-if)# exit
Branch1(config)# exit

Branch2# configure terminal
Branch2(config)# interface GigabitEthernet0/2
Branch2(config-if)# ip address 10.0.0.2 255.255.255.252
Branch2(config-if)# no shutdown
Branch2(config-if)# exit
Branch2(config)# interface GigabitEthernet0/1
Branch2(config-if)# ip address 172.16.20.1 255.255.255.0
Branch2(config-if)# no shutdown
Branch2(config-if)# exit
Branch2(config)# exit

What just happened: Each router interface was assigned the IP shown in the Device Table and administratively enabled with no shutdown. Once interfaces are up, the routers can exchange layer‑3 packets. This forms the basis for control traffic and for testing policy enforcement.

Real-world note: In an SD‑WAN deployment the WAN-facing addresses play the role of transport (underlay) addresses: edges use them to build authenticated control connections (DTLS/TLS) to the controllers and IPsec tunnels to each other, while the branch LAN addresses live in the overlay. Nothing in this lab is authenticated or encrypted, which is acceptable only because it is a lab.

Verify:

Hub-RTR# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.100.1   YES manual up                    up
GigabitEthernet0/1     10.0.0.1        YES manual up                    up

Branch1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.100.2   YES manual up                    up
GigabitEthernet0/1     172.16.10.1     YES manual up                    up

Branch2# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/2     10.0.0.2        YES manual up                    up
GigabitEthernet0/1     172.16.20.1     YES manual up                    up



Step 2: Configure static routes for branch-to-branch reachability via the Hub

What we are doing: Each branch needs a route to the other branch's LAN, and the Hub needs routes to both LANs. We use static routes so the lab has reachability without a routing protocol.

Branch1# configure terminal
Branch1(config)# ip route 172.16.20.0 255.255.255.0 192.168.100.1
Branch1(config)# exit

Branch2# configure terminal
Branch2(config)# ip route 172.16.10.0 255.255.255.0 10.0.0.1
Branch2(config)# exit

Hub-RTR# configure terminal
Hub-RTR(config)# ip route 172.16.10.0 255.255.255.0 192.168.100.2
Hub-RTR(config)# ip route 172.16.20.0 255.255.255.0 10.0.0.2
Hub-RTR(config)# exit

What just happened: Static routes were created so each device knows how to reach the remote branch LANs via the Hub. In SD‑WAN, the control plane typically distributes such reachability; here we configure it manually so we can focus on policy behavior.

Real-world note: Static routes are fine for a lab. In production SD‑WAN the controllers distribute reachability to the edges over authenticated control connections (OMP in Cisco SD‑WAN) rather than having it configured device by device; the notion of reachability itself is identical.

Verify:

Branch1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
Gateway of last resort is not set

S    172.16.20.0/24 [1/0] via 192.168.100.1
C    172.16.10.0/24 is directly connected, GigabitEthernet0/1
C    192.168.100.0/24 is directly connected, GigabitEthernet0/0

Hub-RTR# show ip route
C    192.168.100.0/24 is directly connected, GigabitEthernet0/0
C    10.0.0.0/30 is directly connected, GigabitEthernet0/1
S    172.16.10.0/24 [1/0] via 192.168.100.2
S    172.16.20.0/24 [1/0] via 10.0.0.2



Step 3: Define centralized policy intent on the Hub

What we are doing: On the Hub, our stand-in for the central controller, we define what "voice" means: a prefix list naming the voice subnets and an extended ACL matching the RTP UDP port range. Nothing is applied to an interface in this step; it only expresses intent.

Hub-RTR# configure terminal
Hub-RTR(config)# ip prefix-list VOICE-NET permit 172.16.10.0/24
Hub-RTR(config)# ip prefix-list VOICE-NET permit 172.16.20.0/24
Hub-RTR(config)# access-list 101 permit udp any any range 16384 32767
Hub-RTR(config)# exit

What just happened: The prefix list VOICE-NET names the subnets the central policy treats as voice networks. Access list 101 matches UDP traffic to destination ports 16384-32767, the range Cisco voice endpoints use for RTP by default; note that it matches any source and destination address, so it identifies RTP-like traffic, not voice hosts. Together they are the vocabulary of a centralized policy: something that classifies voice and can then drive QoS marking, path preference or telemetry. Neither object is applied to anything yet. On IOS an ACL that is not attached to an interface, or referenced by an applied class-map or route-map, is never evaluated and never counts matches.

Real-world note: In SD‑WAN, the central controller would distribute policies referencing application identifiers or prefix lists; the hub then uses that information to tag or inspect traffic.

Verify:

Hub-RTR# show ip prefix-list VOICE-NET
ip prefix-list VOICE-NET: 2 entries
   seq 5 permit 172.16.10.0/24
   seq 10 permit 172.16.20.0/24

Hub-RTR# show access-lists 101
Extended IP access list 101
    10 permit udp any any range 16384 32767



Step 4: Configure localized policy (PBR) on Branch1

What we are doing: On Branch1 we build a policy-based routing rule that steers traffic from the Branch1 LAN to the Hub and apply it on the LAN-facing ingress interface. This models edge-side enforcement of the central intent.

Branch1# configure terminal
Branch1(config)# access-list 110 permit ip 172.16.10.0 0.0.0.255 any
Branch1(config)# route-map LOCAL-PBR permit 10
Branch1(config-route-map)# match ip address 110
Branch1(config-route-map)# set ip next-hop 192.168.100.1
Branch1(config-route-map)# exit
Branch1(config)# interface GigabitEthernet0/1
Branch1(config-if)# ip policy route-map LOCAL-PBR
Branch1(config-if)# exit
Branch1(config)# exit

What just happened: ACL 110 matches every IP packet sourced from the Branch1 LAN (not only voice), and route-map LOCAL-PBR sets the next hop for that traffic to the Hub (192.168.100.1). Applying ip policy route-map on the LAN-facing interface enforces the rule in the data plane for packets entering that interface; packets the router generates itself are not affected. In this lab the PBR next hop is the same one the static route would choose, so forwarding does not visibly change. The point is the mechanism: the edge applies the central intent ("send this class via the Hub") itself, regardless of what its routing table later says.

Real-world note: PBR is effective for local enforcement but must be used carefully. It bypasses the routing table for matched traffic, and a plain set ip next-hop does not check that the next hop is alive: if the Hub stops answering while the link stays up, matched packets are black-holed rather than rerouted. Pair it with set ip next-hop verify-availability and object tracking when the next hop can fail, and keep the match as narrow as the intent (here it should match voice, not the whole LAN). SD‑WAN localized policies are richer (metric-based steering per application class), but the enforcement point is the same.

Verify:

Branch1# show route-map LOCAL-PBR
route-map LOCAL-PBR, permit, sequence 10
  Match clauses:
    IP address: access-list 110
  Set clauses:
    ip next-hop 192.168.100.1

Branch1# show ip interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 172.16.10.1/24
  IP policy routing enabled: LOCAL-PBR
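Step 4 applies a fixed next hop, while the Key Concepts packet flow and the opening scenario describe steering that reacts to measured latency (voice prefers MPLS while healthy; best-effort moves to broadband when MPLS exceeds 150 ms). The following configuration is an added example, not part of the original lesson, showing how that is expressed on IOS with IP SLA probes, object tracking and verify-availability. It assumes a hypothetical second WAN link on Branch1, GigabitEthernet0/2 with 203.0.113.2/30 and a broadband gateway at 203.0.113.1, which does not exist in the lab topology; the route-map name LOCAL-PBR-SLA, the ACL names and the track numbers are the example's own.

```cisco
! Added example, not from the lesson. Assumed: GigabitEthernet0/2 on Branch1 is a
! broadband link, 203.0.113.2/30, with provider gateway 203.0.113.1 (hypothetical).
Branch1# configure terminal
Branch1(config)# interface GigabitEthernet0/2
Branch1(config-if)# description Broadband (assumed for this example)
Branch1(config-if)# ip address 203.0.113.2 255.255.255.252
Branch1(config-if)# no shutdown
Branch1(config-if)# exit
!
! Probe 1: the MPLS-modelled path to the Hub. A round trip above 150 ms makes the
! probe return OverThreshold instead of OK.
Branch1(config)# ip sla 1
Branch1(config-ip-sla)# icmp-echo 192.168.100.1 source-interface GigabitEthernet0/0
Branch1(config-ip-sla-echo)# threshold 150
Branch1(config-ip-sla-echo)# timeout 1000
Branch1(config-ip-sla-echo)# frequency 5
Branch1(config-ip-sla-echo)# exit
Branch1(config)# ip sla schedule 1 life forever start-time now
! Probe 2: the broadband gateway, reachability only.
Branch1(config)# ip sla 2
Branch1(config-ip-sla)# icmp-echo 203.0.113.1 source-interface GigabitEthernet0/2
Branch1(config-ip-sla-echo)# frequency 5
Branch1(config-ip-sla-echo)# exit
Branch1(config)# ip sla schedule 2 life forever start-time now
!
! track 1 follows the return code of probe 1: Up only while the Hub answers within
! 150 ms. The delays keep one slow reply from flapping the path.
Branch1(config)# track 1 ip sla 1 state
Branch1(config-track)# delay down 10 up 30
Branch1(config-track)# exit
Branch1(config)# track 2 ip sla 2 reachability
Branch1(config-track)# exit
! track 3 = (MPLS degraded) AND (broadband reachable): the condition under which
! best-effort traffic should leave MPLS.
Branch1(config)# track 3 list boolean and
Branch1(config-track)# object 1 not
Branch1(config-track)# object 2
Branch1(config-track)# exit
!
! Local classifiers that mirror the Hub's intent objects (VOICE-NET and ACL 101).
Branch1(config)# ip access-list extended VOICE-FROM-LAN
Branch1(config-ext-nacl)# permit udp 172.16.10.0 0.0.0.255 any range 16384 32767
Branch1(config-ext-nacl)# exit
Branch1(config)# ip access-list extended BULK-FROM-LAN
Branch1(config-ext-nacl)# permit tcp 172.16.10.0 0.0.0.255 any eq 80
Branch1(config-ext-nacl)# permit tcp 172.16.10.0 0.0.0.255 any eq 443
Branch1(config-ext-nacl)# exit
!
! Voice: MPLS while track 1 is Up, else broadband while track 2 is Up, else fall
! through to the routing table. Next hops are tried in sequence order (10, 20).
Branch1(config)# route-map LOCAL-PBR-SLA permit 10
Branch1(config-route-map)# match ip address VOICE-FROM-LAN
Branch1(config-route-map)# set ip next-hop verify-availability 192.168.100.1 10 track 1
Branch1(config-route-map)# set ip next-hop verify-availability 203.0.113.1 20 track 2
Branch1(config-route-map)# exit
! Bulk web: steered to broadband only while track 3 is Up (MPLS degraded); otherwise
! the set clause is skipped and the packet follows the routing table via the Hub.
Branch1(config)# route-map LOCAL-PBR-SLA permit 20
Branch1(config-route-map)# match ip address BULK-FROM-LAN
Branch1(config-route-map)# set ip next-hop verify-availability 203.0.113.1 10 track 3
Branch1(config-route-map)# exit
! Anything else matches no sequence and is routed normally.
!
! Replace the Step 4 route-map on the LAN ingress interface.
Branch1(config)# interface GigabitEthernet0/1
Branch1(config-if)# ip policy route-map LOCAL-PBR-SLA
Branch1(config-if)# exit
Branch1(config)# exit
!
! Checks: track states, probe RTT against the threshold, per-sequence PBR matches.
Branch1# show track brief
Branch1# show ip sla statistics 1
Branch1# show route-map LOCAL-PBR-SLA
```

Sequence 10 is the "prefer MPLS for voice" intent with a local fallback; sequence 20 is the localized best-effort decision, and the boolean track list is what lets PBR express "only when the other link is degraded", a predicate PBR has no native form for. This is the closest IOS equivalent of an SD‑WAN SLA class, with two differences a practitioner should keep in mind: the probe measures the path to the Hub, not the application's real path, and the return traffic from the Hub or the broadband provider is still governed by their routing, so the asymmetry caveat from the Common Mistakes section applies.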

Step 5: Test traffic flow to observe centralized vs localized behavior

What we are doing: Generate traffic from the Branch1 side toward Branch2 and confirm that it transits the Hub, where the centralized intent objects live. Two things to know before reading the output: ping and traceroute on IOS require the source address to belong to the router, so we source from Branch1's LAN interface 172.16.10.1 rather than from Host A; and ip policy route-map on an interface applies only to packets entering that interface, not to packets the router generates itself. The commands below therefore prove reachability and the path through the Hub. To see the PBR rule count traffic, send the same ping from Host A (172.16.10.2) and read the "Policy routing matches" counter in show route-map LOCAL-PBR, or add ip local policy route-map LOCAL-PBR so router-generated packets are policy-routed as well.

Branch1# ping 172.16.20.1 source 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/50 ms

Branch1# traceroute 172.16.20.1 source 172.16.10.1
Type escape sequence to abort.
Tracing the route to 172.16.20.1
  1 192.168.100.1 10 msec 12 msec 11 msec
  2 10.0.0.2 25 msec 26 msec 24 msec

What just happened: The first hop is the Hub (192.168.100.1) and the second is Branch2, answering from its Hub-facing interface (10.0.0.2); there is no separate third hop, because 172.16.20.1 is another address on that same router. This is the path both the static routes and the PBR rule prescribe. The Hub's intent objects describe this traffic (source and destination are in VOICE-NET), but nothing on the Hub acts on them yet. In a real SD‑WAN the centralized intent would be applied at this point (select the preferred transport, mark DSCP, collect telemetry).

Real-world note: Use telemetry or packet captures on the Hub to validate that centralized policy is detecting and interacting with the flow as expected.

Verify on the Hub that the flow transited, and understand why ACL 101 shows nothing:

Hub-RTR# show access-lists 101
Extended IP access list 101
    10 permit udp any any range 16384 32767
Hub-RTR# show ip traffic | include total|forwarded
  Rcvd:  1000 total, 500 local destination
  Sent:  500 generated, 450 forwarded

IOS prints a match count such as "(5 matches)" after an ACL entry only when it is non-zero, and it only counts matches for an ACL that is applied: with ip access-group on an interface, or referenced by an applied class-map or route-map. ACL 101 is attached to nothing, so its counter will never move, and the test traffic was ICMP in any case, which the UDP entry would not match. The forwarded counter in show ip traffic only confirms that the Hub is forwarding transit packets; it does not attribute them to a policy. To count RTP-like flows on the Hub, the ACL has to be applied (an inbound ip access-group would need a trailing permit ip any any, or the implicit deny drops everything else) or, better, referenced from a class-map whose counters you read with show policy-map interface.
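Step 3 says the Hub's intent objects "could be used to apply QoS", and Step 5 shows that the unapplied ACL never counts anything. The following configuration is an added example, not part of the original lesson, that serves both passages: it attaches the Hub's intent to a QoS policy so IOS classifies RTP from the voice subnets, marks it, and keeps per-class counters, and it uses IP SLA on the branches to generate RTP-like UDP test traffic so those counters move. The names VOICE-SUBNETS, VOICE-RTP and CENTRAL-INTENT and the IP SLA operation number 3 are the example's own.

```cisco
! Added example, not from the lesson. Names VOICE-SUBNETS, VOICE-RTP and
! CENTRAL-INTENT are the example's own.
Hub-RTR# configure terminal
! A class-map cannot match a prefix list, so the VOICE-NET intent is restated as
! a named ACL on the source address.
Hub-RTR(config)# ip access-list extended VOICE-SUBNETS
Hub-RTR(config-ext-nacl)# permit ip 172.16.10.0 0.0.0.255 any
Hub-RTR(config-ext-nacl)# permit ip 172.16.20.0 0.0.0.255 any
Hub-RTR(config-ext-nacl)# exit
! match-all: RTP port range (ACL 101) AND a voice-subnet source (VOICE-SUBNETS).
Hub-RTR(config)# class-map match-all VOICE-RTP
Hub-RTR(config-cmap)# match access-group 101
Hub-RTR(config-cmap)# match access-group name VOICE-SUBNETS
Hub-RTR(config-cmap)# exit
! Central intent as an action: mark voice EF and reset everything else to default,
! so a LAN host cannot grant itself priority by pre-marking its own packets.
Hub-RTR(config)# policy-map CENTRAL-INTENT
Hub-RTR(config-pmap)# class VOICE-RTP
Hub-RTR(config-pmap-c)# set dscp ef
Hub-RTR(config-pmap-c)# exit
Hub-RTR(config-pmap)# class class-default
Hub-RTR(config-pmap-c)# set dscp default
Hub-RTR(config-pmap-c)# exit
Hub-RTR(config-pmap)# exit
! Apply inbound on both WAN-facing interfaces, i.e. at the Hub's trust boundary.
Hub-RTR(config)# interface GigabitEthernet0/0
Hub-RTR(config-if)# service-policy input CENTRAL-INTENT
Hub-RTR(config-if)# exit
Hub-RTR(config)# interface GigabitEthernet0/1
Hub-RTR(config-if)# service-policy input CENTRAL-INTENT
Hub-RTR(config-if)# exit
Hub-RTR(config)# exit

! Test traffic: an IP SLA UDP jitter operation with a G.711 codec pattern sends
! RTP-like packets (160-byte payload every 20 ms) to UDP port 16384 on Branch2,
! which must run the IP SLA responder. These packets are router-generated, so the
! Step 4 interface PBR does not see them, but they still transit the Hub.
Branch2# configure terminal
Branch2(config)# ip sla responder
Branch2(config)# exit

Branch1# configure terminal
Branch1(config)# ip sla 3
Branch1(config-ip-sla)# udp-jitter 172.16.20.1 16384 source-ip 172.16.10.1 codec g711ulaw
Branch1(config-ip-sla-jitter)# exit
Branch1(config)# ip sla schedule 3 life forever start-time now
Branch1(config)# exit

! Check: the VOICE-RTP class counter on the Hub's Gi0/0 increments for the probe
! packets; class-default counts the ICMP tests from Step 5.
Hub-RTR# show policy-map interface GigabitEthernet0/0 input
```

Read the counters from show policy-map interface rather than from show access-lists; the policy-map counters are authoritative for class matches. The match-all class narrows the port-only ACL with the subnet intent, but port-based classification is still spoofable by any LAN host, which is why production SD‑WAN classifies by application recognition at the edge and why the marking here is done at the Hub's trust boundary rather than trusted from the branches.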


Verification Checklist

  • Check 1: Interface status — Use show ip interface brief on all devices; interfaces should be up/up.
  • Check 2: Reachability — Ping from Branch1 to the Branch2 LAN interface (ping 172.16.20.1 source 172.16.10.1) and verify success; traceroute should show the Hub as the first hop.
  • Check 3: Localized enforcement — On Branch1 run show ip interface GigabitEthernet0/1 and confirm IP policy routing enabled: LOCAL-PBR.
  • Check 4: Central policy objects — On the Hub run show ip prefix-list VOICE-NET and show access-lists 101 to confirm the central intent objects are present. Do not expect match counts on ACL 101: IOS only counts matches for an ACL that is applied to an interface or referenced by an applied class-map or route-map.

Common Mistakes

  • Symptom: Ping to the remote LAN fails.
    Cause: Missing static route on the Hub or on a branch for the remote LAN.
    Fix: Add the static routes from Step 2 or run a routing protocol.
  • Symptom: PBR is not applied to ingress traffic.
    Cause: ip policy route-map is missing from the interface facing the source, the route-map has no match/set clauses, or the test traffic is router-generated (interface PBR does not apply to it).
    Fix: Confirm ip policy route-map LOCAL-PBR is on the source-facing interface and that the route-map has both clauses; test from a LAN host, or add ip local policy route-map for router-generated traffic.
  • Symptom: Central ACL shows no matches for expected traffic.
    Cause: ACL 101 is not applied anywhere (an unattached ACL is never evaluated), the traffic does not match its protocol or ports, or the traffic is not transiting the Hub.
    Fix: Attach the ACL with ip access-group or through an applied class-map, confirm protocol and ports, and use traceroute or a packet capture to confirm the path crosses the Hub.
  • Symptom: Localized policy causes asymmetric routing.
    Cause: PBR forces the outbound next hop, but return traffic follows the routing table on a different path, which breaks stateful devices that must see both directions.
    Fix: Keep forward and return paths symmetric, or make sure any stateful device on the path sees both directions; in production prefer controller-distributed policy over per-site PBR.

Key Takeaways

  • Centralized SD‑WAN policies express intent centrally and are distributed; localized policies enforce decisions at the edge — both are required in production for scalable and adaptive behavior.
  • Localized enforcement (e.g., PBR) controls the data plane directly and is useful for immediate, site‑specific steering, but can introduce complexity (asymmetry, scalability).
  • Central policy identification (prefix lists, application classifiers) enables consistent intent such as prioritizing voice across the WAN; the hub/controller can then collect telemetry or instruct edges.
  • Always verify both reachability (control plane) and enforcement (data plane). Use show ip interface, show ip route, show route-map (including its "Policy routing matches" counter) and the counters of an applied ACL or class-map to confirm behavior; an ACL that is not applied never counts.

Final real-world insight: In production SD‑WAN deployments, you will rarely manage policies by hand on each router. Instead, central controllers author policies and push them to edges. However the underlying principles you practiced here — intent vs enforcement, classification vs steering, and the interactions between control and data planes — are directly applicable and critical for troubleshooting and designing scalable SD‑WAN policy fabrics.