Routing Policy

Configure a routing policy.

Configure > Network Policies > policy_name > Router Settings > Routing Policy > Add

About Routing Policies

There are three general configurations for policy-based routing: split tunnel, tunnel all, and custom. When routing is enabled in the network policy and SD-WAN (software-defined WAN) is disabled, you can use any of these routing policy types. When both routing and SD-WAN are enabled, you can only define custom routing rules.

The split tunnel or tunnel all options involve fewer routing considerations. If you configure the router to use split tunnel, then the router applies the split tunnel template to the traffic, forwarding corporate traffic through the VPN tunnel and forwarding Internet traffic through the preferred interface to the Internet. If you configure the router to use tunnel all, then the router forwards corporate traffic through the VPN interface, but drops Internet traffic.

Custom routing options give you much finer control over traffic routes. You can define routes based on Layer 7 application service sets, user profiles, incoming LAN interfaces, or source and destination addresses.

Add a Routing Policy without SD-WAN

Configure policy-based routing profiles for routers in a network policy in which SD-WAN is disabled:

Navigate to Configure > network_policy_name > Router Settings > Routing Policy, toggle Enable Routing Policy to ON, and then select Add. Enter the following information and then select Save:

Name: Enter a name for the routing policy containing up to 32 characters without spaces.

Description: Enter an optional description for the routing policy.

Policy Type: When SD-WAN is disabled, you have the option to use a split tunnel routing policy, a policy that tunnels all non-guest traffic, or a custom policy. Regardless of which option you choose, each user profile rule set is preconfigured with its own catch-all rule that applies to all user profiles and cannot be deleted.

Split Tunnel: Select this option to make the following routing decisions:

Drop guest traffic destined for an internal resource (that is, a destination with a private IP address).

Forward all non-guest source traffic destined for an internal resource through the VPN tunnel.

Either forward traffic from any source destined for any public resource through the selected interface or drop it.

When setting up split tunnel, use the Forwarding Action drop-down list to choose the interface that forwards Internet-bound traffic, or choose Drop. Use the Backup Forwarding Action drop-down list to choose a secondary interface (or Drop) for Internet-bound traffic in the event that the primary interface goes down.

For any forwarding action other than Drop, you can select a backup forwarding action. For example, you can choose Primary WAN under Forwarding Action and Backup WAN-1 under Backup Forwarding Action. If the primary WAN interface goes down, it fails over to the secondary interface to ensure that the traffic is not disrupted.

Tunnel All: Select this option to route all non-guest traffic through the VPN tunnel and drop all other traffic. All of the fields in this rule are read-only; you cannot change Forwarding Action or Backup Forwarding Action.

Custom: Select this option to define a set of custom rules that routes traffic from any source IP address network or range, ingress LAN interface, user profile, or Layer 7 application service set to any IP address or private IP address.

Select Add to create a new custom rule. Select the source traffic type and destination address type from predefined options. Then assign appropriate values or value ranges to those source and destination types.

Source: Choose the source of the traffic to which you want to apply a rule from the Type drop-down list: Any, Network Address, Interface, User Profile, Application Service Set. Then enter appropriate values for an IP range (the start and end IP addresses that define the range), network (IP address and netmask), or interface (Ethernet port); choose a previously defined user profile; or choose a previously defined application service set or create a new one.

Any: Use this when you want a routing policy rule to apply to traffic from any source. For example, you might want the router to send all traffic destined for public IP addresses out the primary WAN interface to the Internet.

Network Address: Use this to apply a routing policy rule to traffic from a subnetwork or IP address range.

Network: Use this when you want a rule to apply to traffic from an entire subnetwork, for example, a network reserved for one or more types of users, such as contractors and guests.

IP Range: Use this when you want a rule to apply to traffic from a range of IP addresses, such as the addresses in a DHCP pool reserved for a specific group of users. For example, you might want a rule to apply to traffic from IP addresses assigned to the executive team at the site.

Interface: Use this to apply a rule to all traffic arriving at a specific interface. For example, for devices connected to specific Ethernet LAN ports.

User Profile: Use this when you want to apply rules to specific types of users.

Application Service Set: Use this to apply rules to specific application types.

Destination: Choose the destination of the traffic to which you want to apply a rule from the Type drop-down list: Any, Network Address (Host Name, Network, or IP Range), or Private. Enter appropriate values for host name, network, or IP range. You cannot enter values for the Any or Private destinations.

Any: Use this when you want a routing policy rule to apply to traffic to any destination. For example, you might want the router to send all traffic out the primary WAN interface.

Network Address: Use this to set a specific host name, subnet, or IP address range as the destination.

Host Name: Use this when you want a rule to apply to traffic destined for a specific domain name or a server with a specific host name.

Network: Use this when you want a rule to apply to traffic destined for an entire subnetwork.

IP Range: Use this when you want a rule to apply to traffic destined for a range of IP addresses, such as a group of routers set in a contiguous range of static IP addresses.

Private: Use this when you want a rule to apply to traffic destined to the corporate network (VPN).

Forwarding Action: From the drop-down list, choose the primary route you want the traffic to take after the router applies a rule.

None: This option takes no forwarding action.

Primary WAN: This option routes traffic through the interface designated as the primary WAN interface in the device template. By default, the primary WAN interface on an Extreme Networks branch router is ETH0.

Backup WAN-1: This option routes traffic through the interface designated as the backup WAN interface in the device template.

Backup WAN-2: This option routes traffic through the interface designated as the secondary backup WAN interface when there are three interfaces in WAN mode. By default, the Backup WAN-2 interface on a router is the wireless USB modem.

VPN: This option routes traffic through the tunnel interface on a router that connects a branch site to the corporate site through an IPsec VPN tunnel.

Drop: This option drops traffic rather than forwarding it.

Backup Forwarding Action: If there is a network issue and the router cannot use the primary route, use the drop-down list to choose the backup route for the traffic to take after the router applies the rule: None, Primary WAN, Backup WAN-1, Backup WAN-2, VPN, or Drop.

Note: The route for the Forwarding Action and the Backup Forwarding Action cannot be the same.

Select Add to add another rule, and repeat until you are satisfied with the rules. You can have up to 128 rules in a single policy. Because a router applies rules in the order in which they are positioned in the routing policy list, you might need to reorder them. Select the check box of the rule you want to move and then use the up and down arrows to reposition it.

To remove a rule, select the check box and then select the Delete icon.

Enable Path MTU Discovery: Select to enable the router to use Path MTU Discovery to learn the maximum packet size that can be sent between two hosts without fragmentation. This is enabled by default. Path MTU (maximum transmission unit) Discovery allows the router to monitor the value set in the MSS (maximum segment size) option in TCP SYN and SYN-ACK messages so that it can reduce the MSS value below the TCP-MSS thresholds if necessary.

Monitor the MSS Option in TCP SYN and SYN-ACK Messages and Perform Clamping if the MSS Threshold is Exceeded: Select to enable the monitoring of the MSS option in TCP SYN and SYN-ACK messages and, if necessary, reduce the MSS value as determined by one of the TCP-MSS thresholds. This is enabled by default.

MSS Threshold for All TCP Connections: Set the TCP-MSS threshold for all TCP connections passing through the device. The range is from 64 to 1460 bytes. If you do not enter a TCP-MSS threshold value, TCP-MSS clamping derives the value from the Path MTU, allowing 40 bytes for the IP and TCP headers.

MSS Threshold for TCP Connections Through the VPN Tunnel: Set the TCP-MSS threshold for TCP connections that pass through a Layer 3 VPN tunnel. If you do not enter a threshold value, the device uses the value set for the MSS threshold for all TCP connections.

Add a Routing Policy with SD-WAN

Configure a routing policy for XR200P routers belonging to a network policy with SD-WAN enabled using the following steps.

Note: BR200WP routers belonging to the same network policy ignore any routing policy rules that contain an application service set as a source or an SD-WAN route group as the forwarding action.

Navigate to Configure > network_policy_name > Router Settings > Routing Policy, toggle Enable Routing Policy to ON, and then select Add. Enter the following information and then select Save:

Name: Enter a name for the routing policy containing up to 32 characters without spaces.

Description: Enter an optional description containing up to 64 characters, including spaces.

Policy Type: When SD-WAN is enabled, only the Custom option is available for configuration.

Custom: Use this option to define a set of custom rules that routes traffic from any source IP address network or range, ingress LAN interface, user profile, or Layer 7 application service set to any IP address or private IP address.

Select Add to create a new custom rule. Select the source traffic type and destination address type from predefined sets of options. Then assign appropriate values or value ranges to the source and destination types.

Note: You can map the same application to multiple user profiles to determine different forwarding actions depending on the user profile.

Source: Choose the source of the traffic to which you want to apply a rule using the Type drop-down list: Any, Network Address, Interface, User Profile, Application Service Set. Then enter values for an IP range (the start and end IP addresses that define the range), network (IP address and netmask), or interface (Ethernet port); choose a previously defined user profile; or choose a previously defined application service set, or create a new one.

Any: Use when you want a routing policy rule to apply to traffic from any source. For example, you might want the router to send all traffic destined for public IP addresses out the primary WAN interface to the Internet.

Network: Use when you want a rule to apply to traffic from an entire subnetwork, for example, a network reserved for one or more types of users, such as contractors and guests.

IP Range: Use when you want a rule to apply to traffic from a range of IP addresses, such as the addresses in a DHCP pool reserved for a specific group of users. For example, you might want a rule to apply to traffic from IP addresses assigned to the executive team at the site.

Interface: Use when you want to apply a rule to all traffic arriving at a specific interface. For example, for devices connected to specific Ethernet LAN ports.

User Profile: Use when you want to apply rules to specific types of users.

Application Service Set: Use to apply rules to specific application types.

Destination: Choose the destination of the traffic to which you want to apply a rule from the Type drop-down list: Any, Network Address (Host Name, Network, or IP Range), or Private. Enter appropriate values for host name, network, or IP range. You cannot enter values for the Any or Private destinations.

Any: Use when you want a routing policy rule to apply to traffic to any destination. For example, you might want the router to send all traffic out the primary WAN interface.

Network Address: Use to set a specific host name, subnet, or IP address range as the destination.

Host Name: Use when you want a rule to apply to traffic destined for a specific domain name or a server with a specific host name.

Network: Use when you want a rule to apply to traffic destined for an entire subnetwork.

IP Range: Use when you want a rule to apply to traffic destined for a range of IP addresses, such as a group of routers set in a contiguous range of static IP addresses.

Private: Use when you want a rule to apply to traffic destined to the corporate network (VPN).

Forwarding Action: From the drop-down list, choose the primary route you want the traffic to take after the router applies a rule.

None: This option takes no forwarding action.

Primary WAN: This option routes traffic through the interface designated as the primary WAN interface in the device template. By default, the primary WAN interface on an Extreme Networks branch router is ETH0.

Backup WAN-1: This option routes traffic through the interface designated as the backup WAN interface in the device template.

Backup WAN-2: This option routes traffic through the interface designated as the secondary backup WAN interface when there are three interfaces in WAN mode. By default, the Backup WAN-2 interface on a router is the wireless USB modem.

VPN: This option routes traffic through the tunnel interface on a router that connects a branch site to the corporate site through an IPsec VPN tunnel.

Drop: This option drops traffic rather than forwarding it.

SD-WAN Route Group Name: (The name of a previously configured SD-WAN route group) This option routes traffic through primary and backup WAN interfaces according to priority settings in the selected SD-WAN route group.

Note: When you choose the SD-WAN route group, the Backup Forwarding Action becomes unavailable because the forwarding and backup forwarding actions are already specified in the route group.

Backup Forwarding Action: If there is a network issue and the router cannot use the primary route, use the drop-down list to choose the backup route you want the traffic to take after the router applies the rule: None, Primary WAN, Backup WAN-1, Backup WAN-2, VPN, or Drop.

Note: The Forwarding Action and Backup Forwarding Action cannot have the same route.

To add another custom rule to the routing policy, select Add, and repeat until the policy contains the rules you need. You can have up to 128 rules in a single policy. Because a router applies rules in the order in which they are positioned in the routing policy list, you might need to reorder them. Select the check box for the rule you want to move and then use the up and down arrows to reposition it.

To remove a rule from a routing policy, select the check box and then select the Delete icon.
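The rule evaluation described in both procedures above (first-match order, Split Tunnel and Tunnel All as preset rule sets, failover to the Backup Forwarding Action, and an SD-WAN route group as a priority-ordered list of interfaces), as an added example that is not part of the ExtremeCloud IQ documentation. The "Guest" profile name, the other profile names, the addresses, and the assumption that unmatched or path-less traffic is dropped are constructed for illustration.

```python
# Added example, not from the ExtremeCloud IQ documentation: a model of the routing rules
# described above.  Profile names ("Guest" etc.) and all addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union

MAX_RULES = 128  # per-policy limit stated on the page

def validate_actions(action, backup):
    """Return an error message, or None if the action pair is allowed."""
    if isinstance(action, list) and backup is not None:
        return "Backup Forwarding Action is unavailable with an SD-WAN route group"
    if backup is not None and backup == action:
        return "Forwarding Action and Backup Forwarding Action cannot be the same"
    return None

@dataclass
class Rule:
    src_profile: Optional[str]    # user profile name, or None for Any
    src_net: Optional[str]        # source network (CIDR), or None for Any
    dst: str                      # "any", "private", or a destination network (CIDR)
    action: Union[str, list]      # interface name, "VPN", "Drop", or a route group
    backup: Optional[str] = None  # Backup Forwarding Action, if configured
    def __post_init__(self):
        err = validate_actions(self.action, self.backup)
        if err:
            raise ValueError(err)
    def matches(self, profile, src_ip, dst_ip):
        if self.src_profile not in (None, profile) or (
                self.src_net is not None and src_ip not in ip_network(self.src_net)):
            return False
        if self.dst in ("any", "private"):
            return self.dst == "any" or dst_ip.is_private
        return dst_ip in ip_network(self.dst)

def route(rules, profile, src, dst, down=frozenset()):
    """Apply rules in list order; return the egress interface name or 'Drop'."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"a policy holds at most {MAX_RULES} rules")
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if not rule.matches(profile, src_ip, dst_ip):
            continue
        choices = rule.action if isinstance(rule.action, list) else [rule.action, rule.backup]
        for iface in choices:  # route group priority order, or primary then backup
            if iface is not None and iface not in down:
                return iface
        return "Drop"  # assumption: no usable path means the flow is dropped
    return "Drop"      # assumption: the built-in catch-all drops unmatched traffic

def split_tunnel(internet_action="Primary WAN", backup="Backup WAN-1"):
    """The Split Tunnel policy type written out as rules, in evaluation order."""
    return [Rule("Guest", None, "private", "Drop"), Rule(None, None, "private", "VPN"),
            Rule(None, None, "any", internet_action, backup)]

def tunnel_all():
    """Tunnel All: non-guest traffic through the VPN, everything else dropped."""
    return [Rule("Guest", None, "any", "Drop"), Rule(None, None, "any", "VPN")]
```

Reversing the order of two overlapping custom rules changes the result, which is why the page tells you to reposition rules with the up and down arrows.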

Path MTU Discovery

Path MTU (maximum transmission unit) Discovery allows the router to monitor the value set in the MSS (maximum segment size) option in TCP SYN and SYN-ACK messages so that it can reduce the MSS value below the TCP-MSS thresholds if necessary.

Enable Path MTU Discovery: Select to enable the Extreme Networks router to use Path MTU Discovery to learn the maximum packet size that can be sent between two hosts without fragmentation. This is enabled by default.

Monitor the MSS Option in TCP SYN and SYN-ACK Messages and Perform Clamping if the MSS Threshold is Exceeded: Select to enable the monitoring of the MSS option in TCP SYN and SYN-ACK messages and, if necessary, reduce the MSS value as determined by one of the TCP-MSS thresholds. This is enabled by default.

MSS Threshold for All TCP Connections: Set the TCP-MSS threshold for all TCP connections passing through the device. The range is from 64 to 1460 bytes. If you do not enter a threshold value, TCP-MSS clamping derives the value from the Path MTU, allowing 40 bytes for the IP and TCP headers.

MSS Threshold for TCP Connections Through the VPN Tunnel: Set the TCP-MSS threshold for TCP connections that pass through a Layer 3 VPN tunnel. If you do not enter a threshold value, the device uses the value set for the MSS threshold for all TCP connections.
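TCP-MSS clamping as described in both Path MTU Discovery passages above, as an added example that is not part of the ExtremeCloud IQ documentation: the threshold fallback order (VPN-tunnel threshold, then the all-connections threshold, then Path MTU minus the 40-byte header allowance) and the rewrite of the MSS option in a SYN or SYN-ACK. The option bytes are constructed; the function names are assumptions, not a router API.

```python
# Added example, not from the ExtremeCloud IQ documentation: TCP-MSS clamping as the page
# describes it, applied to the option bytes of a constructed SYN.  Threshold fallback
# follows the page: VPN threshold, then the all-connections threshold, then Path MTU - 40.
import struct

IP_TCP_HEADERS = 40          # IPv4 + TCP header bytes, the allowance the page gives
MSS_MIN, MSS_MAX = 64, 1460  # configurable threshold range stated on the page
MSS_KIND, MSS_LEN = 2, 4     # TCP option kind/length for Maximum Segment Size
SYN_FLAG = 0x02              # bit in the TCP flags byte; set in SYN and SYN-ACK

def valid_threshold(value):
    """True if a configured threshold lies within the documented range."""
    return MSS_MIN <= value <= MSS_MAX

def effective_threshold(path_mtu, all_tcp=None, via_vpn_tunnel=False, vpn=None):
    """Pick the clamp value for one connection using the page's fallback order."""
    if via_vpn_tunnel and vpn is not None:
        return vpn
    if all_tcp is not None:
        return all_tcp
    return path_mtu - IP_TCP_HEADERS  # nothing configured: derive it from Path MTU

def clamp_mss_options(options, threshold):
    """Walk a TCP option list and lower an MSS value that exceeds threshold.
    Returns (rewritten_options, original_mss_or_None).  A real device would also
    recompute the TCP checksum after changing the option."""
    out, i, seen = bytearray(options), 0, None
    while i < len(out):
        kind = out[i]
        if kind == 0:      # End of Option List
            break
        if kind == 1:      # No-Operation, one byte long
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = out[i + 1]
        if kind == MSS_KIND and length == MSS_LEN:
            seen = struct.unpack_from("!H", out, i + 2)[0]
            if seen > threshold:
                struct.pack_into("!H", out, i + 2, threshold)
        i += length
    return bytes(out), seen

def clamp_segment(tcp_flags, options, threshold):
    """Only SYN and SYN-ACK carry the MSS option; leave every other segment alone."""
    if not tcp_flags & SYN_FLAG:
        return options, None
    return clamp_mss_options(options, threshold)

# Constructed SYN option list: MSS 1460, NOP, Window Scale 7
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307")
```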

Modify a Routing Policy

To modify a routing policy, select the name of the active routing policy. If the routing policy you want to change is not currently the active policy, select Select, select the check box for the one you want to modify, and then select Select.

Override a Routing Policy at the Device Level

To override a routing policy for a specific router, navigate to Manage > Devices > router_name > Routing Policy and toggle Override the routing policy to ON. Edit the routing policy settings and then select Save. For more information, see VGVA Routing and Routing Policy Settings Override.

When SD-WAN is enabled for a network policy, a routing policy becomes an important part of a longer SD-WAN configuration workflow, described in the following section.

SD-WAN Configuration Workflow

This table lists the configuration steps for SD-WAN with the corresponding Help topics for more information:

1. Add routers and VGVAs (VPN Gateway Virtual Appliances) to the VHM.

2. Create a network policy with routing enabled.
   Help topic: Network Policies

3. Configure device, port, and routing policy settings for the VGVA by navigating to Manage > Devices > vgva_name and editing the Device Configuration, Port Configuration, and Routing Policy sections.
   Help topics: Device Settings; VGVA Port Settings; VGVA Routing and Routing Policy Settings Override

4. In the network policy, create a device template for the router.
   Help topic: Router Template

5. Create a VPN service for the network policy.
   Help topic: VPN Service

6. Configure network allocation with new subnetworks and corresponding VLANs for routers to use at branch sites.
   Help topic: Subnetworks

7. Use a predefined Layer 7 application set, or create and use a custom application set, when configuring SD-WAN routing policy rules.
   Help topic: Application Sets

8. Enable SD-WAN and configure an SD-WAN route group. This group sets the priority of your WAN links when using a VPN service to connect to a specified VPN gateway, and also allows you to configure aggressive, normal, or moderate responses to operational faults, including jitter, packet loss, and latency.
   Help topics: SD-WAN; SD-WAN Route Group

9. Create a routing policy that routes traffic from the router subnets through the WAN interface to the public network or through a VPN tunnel to the corporate network or data center, based on Layer 7 applications, incoming LAN interfaces, source and destination addresses, and user profiles.
   Help topic: Routing Policy

10. Put the VGVAs online and upload the configuration from ExtremeCloud IQ to them.
    Help topic: Upload a Configuration

11. Add the network policy (with routing and SD-WAN enabled) to an auto provisioning profile for the routers so that when they connect to ExtremeCloud IQ, they automatically receive their configuration. Distribute the devices to the branch sites with instructions to put them on the network. After the devices connect to ExtremeCloud IQ and automatically receive their configuration, they reboot, reconnect to ExtremeCloud IQ, and become operational.
    Help topic: Auto Provisioning Settings

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.