VGVA Routing and Routing Policy Settings Override
Configure a routing policy for a VGVA (VPN Gateway Virtual Appliance) or a router.
Navigation
Navigate using the tab icons. Hover over an icon to see the name of the tab.
Manage > Devices > vgva_name or router_name > Additional Device Settings > Routing Policy
A routing policy governs how Extreme Networks branch routers forward (or drop) outgoing traffic depending on a set of routing rules that you create. While the routing policy you create at the network policy level applies to all branch routers to which that network policy has been assigned, you can override the routing policy at the individual device level whenever you need to make an exception. For more information, see Routing Policy.
In addition to overriding routing policy rules for branch routers, you can also configure dynamic and static routing for Extreme Networks VPN gateways here.
Override WAN Routing for a Branch Router
You can override the following routing policy settings for a branch router. The scope of changes you can make depends on whether SD-WAN (software-defined WAN) is enabled or not in the network policy to which the router belongs. SD-WAN is supported for XR200P and XR600P routers.
When SD-WAN Is Enabled in the Network Policy
When you override a routing policy in a network policy with SD-WAN enabled, only the Custom option is selectable. You can add, modify, and delete the routing policy rules for the individual router that you are configuring.
When SD-WAN Is Disabled in the Network Policy
When you override a routing policy in a network policy with SD-WAN disabled, you can modify the routing policy type and, depending on the type, add, modify, and delete routing policy rules:
Split Tunnel: Although you cannot change the predefined set of three rules for this type of routing policy, you can change the forwarding action and backup forwarding action on the last rule.
Tunnel All: The predefined rule set for this routing policy type contains two simple rules. The first drops guest traffic and the second sends all non-guest traffic through a VPN tunnel to the corporate network. It cannot be modified.
Custom: The admin-defined rules for this routing policy type can be completely revised for the individual branch router that you are configuring. You have total control to add, modify, and remove any rules in the routing policy.
Configure Dynamic and Static Routing for a VPN Gateway
Configure the following routing settings for the selected VGVA (VPN Gateway Virtual Appliance):
Enable dynamic routing: Select ON to enable dynamic routing. You can enable dynamic routing using either OSPF or RIPv2 (the default).
Route Advertisement: Select the Eth0 (WAN) interface, the Eth1 (LAN) interface, or both, as the interfaces on which to advertise routes.
RIPv2: RIPv2 (Routing Information Protocol version 2) calculates the number of hops between routers. If you select Use MD5 Authentication, enter the password that RIPv2 neighbors use when generating a one-way MD5 hash as part of their authentication process.
OSPF: OSPF (Open Shortest Path First) calculates path cost and selects the shortest or least expensive route. If you select OSPF and Use MD5 Authentication, enter the password that neighboring OSPF routers use to generate an MD5 hash for authenticating exchanges between themselves. You must also define an area ID in dotted decimal notation and enter a router ID.
Note
Although the OSPF area is in dotted decimal notation like an IP address, the area is not an IP address. It is simply a 32-bit logical identifier. By default the area is 0 (0.0.0.0), and is called the "backbone area".
Internal Networks: You can also specify internal networks that you want the VPN gateway to advertise to routers through VPN tunnels.
Internal networks exist behind your VPN gateway within the corporate headquarters network, but are hidden behind a second router. Because internal routes use the VPN gateway, you only need to configure the network and the netmask in this section for each internal network. When configured here, networks are always distributed to the Extreme Networks routers.
Select to add internal networks for advertisement. Enter the IP address of the internal network (for example, 10.1.10/16).
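The OSPF MD5 authentication described above works by appending the shared password to each OSPF packet and hashing the result, with a sequence number to detect replays. The following is an added illustration, not Extreme Networks code, that builds a minimal OSPFv2 header with the area ID and router ID packed as 32-bit values, signs it with the RFC 2328 Appendix D keyed-MD5 digest, and checks it the way a neighbour would; the router ID, area, key ID, sequence number and password are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION, OSPF_HELLO, AUTYPE_CRYPTO = 2, 1, 2
OSPF_HEADER_LEN, AUTH_KEY_LEN, DIGEST_LEN = 24, 16, 16


def ospf_packet(router_id, area_id, key_id, seq, body=b""):
    """Minimal OSPFv2 header with AuType 2 (cryptographic). The area ID is a
    32-bit identifier written in dotted decimal, so it packs like an address;
    the checksum field is zero for cryptographic authentication."""
    return struct.pack("!BBH4s4sHHHBBI",
                       OSPF_VERSION, OSPF_HELLO, OSPF_HEADER_LEN + len(body),
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed,
                       0, AUTYPE_CRYPTO, 0, key_id, AUTH_KEY_LEN, seq) + body


def keyed_md5(packet, password):
    """RFC 2328 Appendix D digest: MD5 over the packet followed by the shared
    password zero-padded to 16 bytes. This is not an HMAC and provides no
    confidentiality; it lets a neighbour detect tampering and a wrong key."""
    key = password.encode()[:AUTH_KEY_LEN].ljust(AUTH_KEY_LEN, b"\x00")
    return hashlib.md5(packet + key).digest()


def sign(packet, password):
    """Sender side: the digest is appended after the packet (not counted in length)."""
    return packet + keyed_md5(packet, password)


def verify(wire, password, last_seq):
    """Receiver side: AuType must be cryptographic, the sequence number must
    not go backwards (replay protection), and the trailing digest must match."""
    if len(wire) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack_from("!H", wire, 2)[0]
    autype = struct.unpack_from("!H", wire, 14)[0]
    seq = struct.unpack_from("!I", wire, 20)[0]
    if autype != AUTYPE_CRYPTO or length + DIGEST_LEN > len(wire) or seq < last_seq:
        return False
    expected = keyed_md5(wire[:length], password)
    return hmac.compare_digest(wire[length:length + DIGEST_LEN], expected)


# Constructed sample: router 192.0.2.1 in the backbone area, key ID 1, sequence 100.
SAMPLE_WIRE = sign(ospf_packet("192.0.2.1", "0.0.0.0", 1, 100), "s3cret")
```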
Static Routes: In addition to dynamic routing, you can specify static routes, or use static routes only.
Static routes differ from internal networks in that internal networks exist exclusively within the corporate network and always use the VPN gateway. Static routes, on the other hand, can be routes to any network anywhere, including the public Internet. Because of this, you must configure the gateway address explicitly for each route so the VPN gateway knows which outgoing interface to use to forward the traffic. Internal networks (and the routes to them) are a subset of static routes to network destinations.
Another difference between static routes and internal networks is that you can choose whether or not to advertise static routes to routers, whereas internal networks are always advertised.
To add a static route, select , enter the destination IP address, netmask, and gateway, select whether you want the VPN gateway to distribute the route to routers, and then select ADD. To remove a static route, select the route in the table and then select .
Path MTU Discovery
Path MTU (maximum transmission unit) Discovery allows a VGVA or router to monitor the value set in the MSS (maximum segment size) option in TCP SYN and SYN-ACK messages so that it can reduce the MSS value below the TCP-MSS thresholds if necessary.
For a router, you can override the routing policy Path MTU Discovery settings by changing them in this window. For a VGVA, this is where you configure the Path MTU Discovery settings.
Enable Path MTU Discovery: Select to enable the VGVA or router to use the Path MTU Discovery mechanism to learn the maximum packet size that can be sent between two hosts without fragmentation. (Path MTU Discovery is enabled by default in device templates for routers and in device settings for VGVAs.)
Monitor the MSS Option in TCP SYN and SYN-ACK Messages and Perform Clamping if the MSS Threshold is Exceeded: Select to enable the monitoring of the MSS option in TCP SYN and SYN-ACK messages and, if necessary, reduce the MSS value as determined by one of the TCP-MSS thresholds. By default, this is enabled.
MSS Threshold for All TCP Connections: Set the TCP-MSS threshold for all TCP connections passing through the Extreme Networks device. The range is from 64 to 1460 bytes. If you do not enter a TCP-MSS threshold value, TCP-MSS clamping uses the path MTU minus 40 bytes (the IP and TCP headers).
MSS Threshold for TCP Connections Through the VPN Tunnel: Set the TCP-MSS threshold for TCP connections that pass through a Layer 3 VPN tunnel. If you do not enter a TCP-MSS threshold value, the Extreme Networks device uses the value set for the MSS threshold for all TCP connections.
When you are done, select Save.
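The MSS clamping settings above resolve to one threshold per connection and rewrite the MSS option in SYN and SYN-ACK segments that exceed it. The following is an added example, not Extreme Networks code, that resolves the threshold the way the settings describe (VPN threshold, then the all-connections threshold, then path MTU minus 40) and walks the TCP options of a constructed SYN to clamp the MSS; the option bytes and MTU value are sample input.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_MSS_MIN, TCP_MSS_MAX = 64, 1460    # configurable threshold range stated above
IP_TCP_HEADER_BYTES = 40               # 20-byte IPv4 header + 20-byte TCP header


def effective_mss_threshold(path_mtu, all_tcp=None, vpn=None, via_vpn=False):
    """Resolve the threshold as the settings describe: the VPN threshold for
    tunnelled connections, falling back to the all-connections threshold,
    falling back to the path MTU minus the 40 header bytes."""
    candidates = (vpn, all_tcp) if via_vpn else (all_tcp,)
    for value in candidates:
        if value is None:
            continue
        if not TCP_MSS_MIN <= value <= TCP_MSS_MAX:
            raise ValueError(f"MSS threshold {value} outside {TCP_MSS_MIN}-{TCP_MSS_MAX}")
        return value
    return path_mtu - IP_TCP_HEADER_BYTES


def clamp_mss(options, threshold):
    """Walk the TCP options of a SYN/SYN-ACK and lower the MSS option to
    `threshold` if it is larger. Returns (new_options, old_mss, new_mss);
    old_mss/new_mss are None when the segment carries no MSS option.
    The caller must recompute the TCP checksum after a rewrite."""
    out = bytearray(options)
    old = new = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == TCP_OPT_MSS and length == 4:
            old = struct.unpack_from("!H", out, i + 2)[0]
            new = min(old, threshold)
            struct.pack_into("!H", out, i + 2, new)
        i += length
    return bytes(out), old, new


# Constructed sample SYN options: MSS 1460, NOP, window scale 7, SACK permitted.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4010303070402")
```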
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.