Business Policy rules are configured to steer traffic, manage bandwidth, and ensure quality of service based on criteria such as application, source, and destination. Operators, Partners, and Admins of all levels can create a business policy. A business policy matches parameters such as IP addresses, ports, VLAN IDs, interfaces, domain names, protocols, operating system, object groups, applications, and DSCP tags. When a data packet matches the match conditions, the associated action or actions are taken. If a packet matches no rule, the default action is taken on the packet.

Before you begin: Know the IP Addresses of your devices and understand the implications of setting a wildcard mask.

To create a business policy:
  1. From the SD-WAN Orchestrator, click Configure > Profiles > Business Policy.
  2. The Business Policy page displays the existing policies. To create a new business policy, click New Rule.
  3. In the Configure Rule window that appears, configure the following:
  4. In the Rule Name box, enter a unique name for the rule.
  5. Under the Match area, configure the match conditions for the traffic flow. The option you choose may change the fields in the dialog box:
    Settings and their descriptions:
    Type - By default, IPv4 address type is selected. You can configure the Source and Destination IP addresses according to the selected Type, as follows:
    • Mixed – Allows you to configure both IPv4 and IPv6 addresses in the matching criteria. If you choose this mode, you can choose the IP addresses from Object Groups containing Address Groups with both types of addresses.
    • IPv4 – Applies to traffic with only IPv4 addresses as source and destination. By default, this address type is selected.
    • IPv6 – Applies to traffic with only IPv6 addresses as source and destination.
      Note: To configure business policy rules with Mixed or IPv6 address type, you must use the New Orchestrator UI. For more information, see Create Business Policy Rule with New Orchestrator UI.
    Note: When you upgrade, Business Policy rules from previous versions are moved to IPv4 mode.
    Source - Allows you to specify match criteria for the source traffic. Select any of the following options:
    • Any - Matches all source traffic, by default.
    • Object Group - Allows you to select a combination of address group and port group to be matched for the source.

      If Address Type is IPv4, then only IPv4 addresses from Address Groups are considered when matching the traffic source.

      If Address Type is IPv6, then only IPv6 addresses from Address Groups are considered when matching the traffic source.

      If Address Type is Mixed, then both IPv4 and IPv6 addresses from Address Groups are considered when matching the traffic source.

      For more information, see Object Groups and Configure Business Policies with Object Groups.
      Note: If the selected address group contains any domain names, then they would be ignored when matching for the source.
    • Define - Allows you to define the matching criteria for the source traffic from a specific VLAN, Interface, IP Address, Port, or Operating System. Select one of the following options (by default, None is selected):
      • VLAN - Matches traffic from the specified VLAN, selected from the drop-down menu.
      • Interface - Matches traffic from the specified interface, selected from the drop-down menu.
        Note: If an interface cannot be selected, then the interface is either not activated or not assigned to this segment.
      • IP Address - Matches traffic from the specified IPv4 or IPv6 address. This option is not available for Mixed mode. Along with the IP address, you can specify one of the following options to match the source traffic:
        • CIDR prefix - Choose this option if you want the network defined as a CIDR value (for example: 172.10.0.0 /16).
        • Subnet mask - Choose this option if you want the network defined based on a Subnet mask (for example, 172.10.0.0 255.255.0.0).
        • Wildcard mask - Choose this option if you want to narrow the enforcement of a policy to a set of devices across different IP subnets that share a matching host IP address value. The Wildcard mask matches an IP address or a set of IP addresses based on the inverted Subnet mask: a '0' bit in the mask means the corresponding address bit is fixed, and a '1' bit means it is wild (can be 1 or 0). For example, with a Wildcard mask of 0.0.0.255 (binary equivalent = 00000000.00000000.00000000.11111111) and an IP Address of 172.0.0, the first three octets are fixed values and the last octet is variable. This option is available only for IPv4 addresses.
      • Port - Matches traffic from the specified source port or port range.
      • Operating System - Matches traffic from the specified operating system, selected from the drop-down menu.
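The three source address forms above (CIDR prefix, Subnet mask, Wildcard mask) look similar in the dialog but match very different sets of hosts, which is why the "Before you begin" note asks you to understand the implications of a wildcard mask. The following Python module is an added illustration, not VMware SD-WAN code; it implements all three match forms with the same semantics the text describes (a '0' wildcard bit is fixed, a '1' bit is wild), shows that a non-contiguous wildcard such as 0.255.255.0 has no single CIDR equivalent and spans every /24 in the 10.0.0.0/8 range, and counts how many addresses a given mask admits so a reviewer can judge how broad a rule really is. The sample addresses are constructed.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def cidr_match(addr: str, network: str) -> bool:
    """CIDR prefix form, e.g. network='172.10.0.0/16'."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(network, strict=False)


def subnet_mask_match(addr: str, network: str, mask: str) -> bool:
    """Subnet mask form, e.g. network='172.10.0.0', mask='255.255.0.0'.
    A '1' bit in the mask means that address bit must equal the network."""
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(network) & m)


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard mask form: a '0' bit is fixed, a '1' bit is wild (0 or 1).
    The wildcard is the inverted subnet mask, so we invert it back to get
    the set of bits that must match."""
    fixed = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & fixed) == (_to_int(pattern) & fixed)


def wildcard_to_cidr(pattern: str, wildcard: str):
    """Return the equivalent CIDR network when the wildcard is contiguous
    (i.e. it is really just an inverted subnet mask), otherwise None.
    A None result means the rule spans multiple subnets and cannot be
    expressed as a single prefix."""
    mask_int = ~_to_int(wildcard) & 0xFFFFFFFF
    mask_str = str(ipaddress.IPv4Address(mask_int))
    try:
        # ipaddress rejects non-contiguous netmasks with NetmaskValueError (a ValueError)
        net = ipaddress.IPv4Network((pattern, mask_str), strict=False)
    except ValueError:
        return None
    return str(net)


def addresses_matched(wildcard: str) -> int:
    """Number of IPv4 addresses a wildcard admits: 2 ** (count of '1' bits)."""
    return 2 ** bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # The example from the text: 0.0.0.255 fixes the first three octets.
    print(wildcard_match("172.0.0.200", "172.0.0.0", "0.0.0.255"))   # True
    print(wildcard_to_cidr("172.0.0.0", "0.0.0.255"))                # 172.0.0.0/24
    # A host-based wildcard: every host .10 in every 10.x.y.0/24 subnet.
    print(wildcard_match("10.200.7.10", "10.0.0.10", "0.255.255.0")) # True
    print(wildcard_to_cidr("10.0.0.10", "0.255.255.0"))              # None
    print(addresses_matched("0.255.255.0"))                          # 65536
```

When reviewing a rule, run `wildcard_to_cidr` on its pattern and mask: if it returns None, the rule is not a subnet match at all but a host-pattern match across subnets, and `addresses_matched` tells you how many addresses it covers.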
    Destination - Allows you to specify match criteria for the destination traffic. Select any of the following options:
    • Any - Matches all destination traffic, by default.
    • Object Group - Allows you to select a combination of address group and port group to be matched for the destination.

      If Address Type is IPv4, then only IPv4 addresses from Address Groups are considered when matching the traffic destination.

      If Address Type is IPv6, then only IPv6 addresses from Address Groups are considered when matching the traffic destination.

      If Address Type is Mixed, then both IPv4 and IPv6 addresses from Address Groups are considered when matching the traffic destination.

      For more information, see Object Groups and Configure Business Policies with Object Groups.
    • Define - Allows you to define the matching criteria for the destination traffic to a specific IP Address, Domain Name, Protocol, or Port. Select one of the following options (by default, Any is selected):
      • Any - Matches all destination traffic.
      • Internet - Matches all Internet traffic (traffic that does not match an SD-WAN Route) to the destination.
      • Edge - Matches all traffic to an Edge.
      • Non SD-WAN Destination via Gateway - Matches all traffic to the specified Non SD-WAN Destination through Gateway, associated with a Profile. Ensure that you have associated your Non SD-WAN sites via Gateway at the Profile level.
      • Non SD-WAN Destination via Edge - Matches all traffic to the specified Non SD-WAN Destination through Edge, associated with an Edge or Profile. Ensure that you have associated your Non SD-WAN sites via Edge at the Profile or Edge level.
      • Protocol - Matches traffic for the specified protocol, selected from the drop-down menu. The supported protocols are: GRE, ICMP, TCP, and UDP.
        Note: ICMP is not supported in Mixed mode.
      • Domain - Matches traffic for the entire domain name or a portion of the domain name specified in the Domain Name field. For example, "salesforce" will match traffic to "www.salesforce.com".

    Application - Select any one of the following options:
    • Any - Applies the business policy rule to any application by default.
    • Define - Allows you to select a specific application to which the business policy rule applies. In addition, a DSCP value can be specified to match traffic coming in with a preset DSCP/TOS tag.
    Note:
    • When creating a business policy rule that matches an application only, the Edge might need to use the DPI (Deep Packet Inspection) Engine to apply the Network Service Action for that application. Generally, DPI does not determine the application from the first packet; the DPI Engine usually needs the first 5-10 packets in the flow to identify the application. For the first few packets received, the traffic is unclassified and matches a less specific business policy, which might cause the traffic to take a different path, i.e. 'Direct' instead of 'Multipath', depending on the policy it matches. Once DPI determines the traffic type, the flow matches a more specific policy configured for that type of traffic. However, the flow continues to take the path from the original policy it matched, because steering to a new path would break the flow. This can cause the first flow to a specific Destination IP and port to take one path. Once the app cache is populated, subsequent flows to the same Destination IP and port take another path, as configured in the more specific policy for this type of traffic.
    • Once the DPI classifies the traffic, it adds the Destination IP and port to the app cache, and immediately classifies any subsequent flows to that same Destination IP and port. The app cache entry expires after 10 minutes of no traffic going to that Destination IP and port. The next flow to that Destination IP and port must go through the DPI again and may take an unexpected path based on the policy it matches before the DPI identifies the application.
    Depending on your Match choices, some Actions may not be available.
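The two notes above describe an interaction that often surprises operators: the first flow to a destination is steered by the less specific rule because DPI has not classified it yet, the path is sticky for that flow, the app cache then lets later flows to the same Destination IP and port match the specific rule immediately, and after 10 minutes of silence the cycle starts again. The following Python model is an added illustration written for this page, not VMware SD-WAN code; the 5-packet DPI threshold and 600-second cache expiry come from the notes, while the rule names, the application name and the destination 203.0.113.10:443 are constructed. It shows why a troubleshooting capture can legitimately contain one Direct flow followed by Multipath flows to the same destination with no policy change in between.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DPI_PACKETS_NEEDED = 5   # the note says DPI usually needs the first 5-10 packets
APP_CACHE_TTL = 600      # the note says the app cache entry expires after 10 minutes idle


@dataclass
class Rule:
    name: str
    application: Optional[str]   # None means "Any" application
    network_service: str         # e.g. 'Direct' or 'Multipath'


@dataclass
class Flow:
    dst: Tuple[str, int]         # (Destination IP, port)
    real_app: str                # what DPI will eventually find
    classified_app: Optional[str] = None
    packets: int = 0
    network_service: Optional[str] = None   # chosen on the first packet, then sticky


class PolicyEngine:
    """Ordered rules, first match wins; an app cache keyed by (dst ip, port)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.app_cache: Dict[Tuple[str, int], Tuple[str, int]] = {}  # dst -> (app, last_seen)

    def _match(self, app: Optional[str]) -> Rule:
        for rule in self.rules:
            if rule.application is None or rule.application == app:
                return rule
        raise RuntimeError("no default rule configured")

    def handle_packet(self, flow: Flow, now: int) -> str:
        flow.packets += 1
        # 1. App cache: a recently classified destination is classified immediately.
        if flow.classified_app is None:
            entry = self.app_cache.get(flow.dst)
            if entry is not None:
                if now - entry[1] <= APP_CACHE_TTL:
                    flow.classified_app = entry[0]
                else:
                    del self.app_cache[flow.dst]   # expired: DPI must run again
        # 2. DPI completes once enough packets of the flow have been seen.
        if flow.classified_app is None and flow.packets >= DPI_PACKETS_NEEDED:
            flow.classified_app = flow.real_app
        # 3. Every classified packet refreshes the cache entry's last-seen time.
        if flow.classified_app is not None:
            self.app_cache[flow.dst] = (flow.classified_app, now)
        # 4. The rule that matches now; the path, however, is fixed by the first packet.
        rule = self._match(flow.classified_app)
        if flow.network_service is None:
            flow.network_service = rule.network_service
        return rule.name


def run_scenario() -> List[Tuple[str, str]]:
    """Three 8-packet flows to the same destination; returns the path each flow took."""
    rules = [
        Rule("app-specific-multipath", "sample-app", "Multipath"),  # more specific
        Rule("catch-all-direct", None, "Direct"),                   # less specific
    ]
    engine = PolicyEngine(rules)
    dst = ("203.0.113.10", 443)   # constructed destination
    results = []
    # Start times: second flow 60 s after the first, third one well past the 600 s idle expiry.
    for label, start in (("first flow", 0), ("second flow", 60), ("after cache expiry", 2000)):
        flow = Flow(dst, "sample-app")
        for i in range(8):
            engine.handle_packet(flow, start + i)
        results.append((label, flow.network_service))
    return results


if __name__ == "__main__":
    for label, path in run_scenario():
        print(f"{label:>20}: {path}")
    # first flow: Direct, second flow: Multipath, after cache expiry: Direct
```

The model is deliberately minimal (one destination, time as an integer), but the sequence it produces is the one the notes predict, and it is the reason an application-only rule should be paired with a destination or port match when the first flow's path matters.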
  6. Under the Action area, configure the actions for the rule:
    Settings and their descriptions:
    Priority - Designate the priority of the rule as one of the following:
    • High
    • Normal
    • Low
    Select the Rate Limit check box to set limits for inbound and outbound traffic directions.
    Note: Rate limiting is performed per flow. Rate limiting for upstream traffic only works when you specify a link or Edge interface in the Business Policy. If you set the Steering option to Auto, Transport, or Group, the rate limit will apply to the total bandwidth of all the corresponding links. This may not enforce a strict rate limit as you expect. If you want to enforce a strict rate limit, you should steer traffic to a single link or Edge interface in the Business Policy.
    Network Service - Set the Network Service to one of the following options:
    • Direct - Sends the traffic out of the WAN circuit directly to the destination, bypassing the SD-WAN Gateway.
      Note:

      By default, the Edge prefers a secure route over a business policy. In practice, this means that if the Edge has received either secure default routes or more specific secure routes from the Partner Gateway or another Edge, it forwards the traffic via Multipath (Branch to Branch or Cloud via Gateway, depending on the route) even if a business policy is configured to send that traffic via the Direct path.

      This behavior can be overridden for Partner Gateway secure routes by activating the "Secure Default Route Override" feature for a customer. A Partner Super User or an Operator can activate this feature which overrides all Partner Gateway secure routes that also match a business policy. "Secure Default Route Override" does not override Hub secure routes.

    • Multi-Path - Sends the traffic from one SD-WAN Edge to another SD-WAN Edge.
    • Internet Backhaul - This network service is activated only if the Destination is set as Internet.
      Note: The Internet Backhaul Network Service will only apply to Internet traffic (WAN traffic destined to network prefixes that do not match a known local route or VPN route).

      For information about these options, see Configure Network Service for Business Policy Rule.

    If Conditional Backhaul is activated at the profile level, by default it will apply for all Business Policies configured for that profile. You can turn off conditional backhaul for selected policies to exclude selected traffic (Direct, Multi-Path, and CSS) from this behavior by selecting the Turn off Conditional Backhaul check box.

    For more information about how to activate and troubleshoot the Conditional Backhaul feature, see Conditional Backhaul.

    Link Steering - Select one of the following link steering modes:
    • Auto - By default, all applications are set to automatic Link Steering mode. When an application is in the automatic Link Steering mode, the DMPO automatically chooses the best links based on the application type and automatically activates on-demand remediation when necessary. Enter an Inner Packet DSCP Tag from the drop-down menu and an Outer Packet DSCP Tag from the drop-down menu.
    • Transport Group - Specify any one of the following transport group options in the steering policy so that the same Business Policy configuration can be applied across different device types or locations, which may have completely different WAN carriers and WAN interfaces:
      • Public Wired
      • Public Wireless
      • Private Wired
    • Interface - Link steering is tied to a physical interface and will be used primarily for routing purposes.
      Note: This option is only allowed at the Edge override level.
    • WAN Link - Allows you to define policy rules based on specific private links. For this option, the interface configuration is separate and distinct from the WAN link configuration. You can select a WAN link that was either manually configured or auto-discovered.
      Note: This option is only allowed at the Edge override level.
    Note: When the Network Service is configured as Direct, the IPv6 only Interfaces and IPv6 only WAN links are not supported in Link Steering mode.

    For more information about the link steering modes and DSCP, DSCP marking for both Underlay and Overlay traffic, see Configure Link Steering Modes.

    NAT - Activate or deactivate NAT. This option is not available for Mixed mode. For more information, see Configure Policy Based NAT.
    Service Class - Select one of the following Service Class options:
    • Real-time
    • Transactional
    • Bulk
    Note: This option is only for a custom application.
    VMware Apps/Categories fall into one of these categories.
  7. Click OK. The business policy rule is created for the selected profile and it appears under the Business Policy area of the Profile Business Policy page.

    For the IPv6 and Mixed modes, you can only create business policy rules from the Orchestrator. The remaining operations, such as Update and Delete, are available only through the API.

Related Information: Overlay QoS CoS Mapping