Label | Description |
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Create new Object | Use this to configure any new settings objects that you need to use in this screen. |
Configuration | |
Enable | Select this to activate the policy. |
Description | Enter a descriptive name of up to 31 printable ASCII characters for the policy. |
Criteria | |
User | Select a user name or user group from which the packets are sent. |
Incoming | Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection. |
Source Address | Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent. |
Destination Address | Select a destination IP address object, including geographic address and FQDN (group) objects, to which the traffic is being sent. If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here. |
DSCP Code | Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details. |
User-Defined DSCP Code | Use this field to specify a custom DSCP code point when you select User Define in the previous field. |
Schedule | Select a schedule to control when the policy route is active. none means the route is active at all times if enabled. |
Service | Select a service or service group to identify the type of traffic to which this policy route applies. |
Source Port | Select a service or service group to identify the source port of packets to which the policy route applies. |
Next-Hop | |
Type | Select Auto to have the Zyxel Device use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first. Select VPN Tunnel to route the matched packets via the specified VPN tunnel. Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm. Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface). |
Gateway | This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your Zyxel Device that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your Zyxel Device's interface(s). |
VPN Tunnel | This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the Zyxel Device directly. |
Auto Destination Address | This field displays when you select VPN Tunnel in the Type field. Select this to have the Zyxel Device use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy. Leave this cleared if you want to manually specify the destination address. |
Trunk | This field displays when you select Trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group. |
Interface | This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface. |
DSCP Marking | Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details. Select preserve to have the Zyxel Device keep the packets’ original DSCP value. Select default to have the Zyxel Device set the DSCP value of the packets to 0. |
User-Defined DSCP Code | Use this field to specify a custom DSCP value. |
Address Translation | Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop. |
Source Network Address Translation | Select none to not use NAT for the route. Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route. To use SNAT for a virtual interface that is in the same WAN trunk as the physical interface to which the virtual interface is bound, the virtual interface and physical interface must be in different subnets. Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route. Use Create new Object if you need to configure a new address (group) to use as the source IP address(es) of the packets that match this route. |
Healthy Check | Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down. |
Disable policy route automatically while Interface link down | Select this to disable the policy if the interface is down or disabled. This is available for Interface and Trunk in the Type field above. |
Enable Connectivity Check | Select this to turn on the connection check. This is available for Interface and Gateway in the Type field above. |
Check Method: | Select the method that the gateway allows. Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available. Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available. |
Check Period: | Enter the number of seconds between connection check attempts (5-600 seconds). |
Check Timeout: | Enter the number of seconds to wait for a response before the attempt is a failure (1-10 seconds). |
Check Fail Tolerance: | Enter the number of consecutive failures before the Zyxel Device stops routing using this policy (1-10). |
Check Port: | This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check (1-65535). |
Check this address: | Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
Label | Description |
IPv4 Configuration / IPv6 Configuration | Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below. |
Add | Click this to create a new static route. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This is the number of an individual static route. |
Destination | This is the destination IP address. |
Subnet Mask | This is the IP subnet mask. |
Prefix | This is the IPv6 prefix for the destination IP address. |
Next-Hop | This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations. |
Metric | This is the route’s priority among the Zyxel Device’s routes. The smaller the number, the higher priority the route has. |
Label | Description |
Destination IP | This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, enter the specific IP address here and use a subnet mask of 255.255.255.255 (for IPv4) in the Subnet Mask field or a prefix of 128 (for IPv6) in the Prefix Length field to force the network number to be identical to the host ID. For IPv6, if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field, enter :: in this field and 0 in the Prefix Length field. |
Subnet Mask | Enter the IP subnet mask here. |
Prefix Length | Enter the number of left-most digits in the destination IP address, which indicates the network prefix. Enter :: in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field. |
Gateway IP | Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations. |
Interface | Select the radio button and a predefined interface through which the traffic is sent. |
Metric | Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
 | Class 1 | Class 2 | Class 3 | Class 4 |
Low Drop Precedence | AF11 (10) | AF21 (18) | AF31 (26) | AF41 (34) |
Medium Drop Precedence | AF12 (12) | AF22 (20) | AF32 (28) | AF42 (36) |
High Drop Precedence | AF13 (14) | AF23 (22) | AF33 (30) | AF43 (38) |
 | RIP | OSPF |
Network Size | Small (with up to 15 routers) | Large |
Metric | Hop count | Bandwidth, hop count, throughput, round trip time and reliability. |
Convergence | Slow | Fast |
Label | Description |
Authentication | The transmitting and receiving routers must have the same key. For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces. |
Authentication | Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates. • None uses no authentication. • Text uses a plain text password that is sent over the network (not very secure). • MD5 uses an MD5 password and authentication ID (most secure). |
Text Authentication Key | This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
MD5 Authentication ID | This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255. |
MD5 Authentication Key | This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
Redistribute | |
Active OSPF | Select this to use RIP to advertise routes that were learned through OSPF. |
Metric | Type the cost for routes provided by OSPF. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used. |
Active Static Route | Select this to use RIP to advertise routes that were learned through the static route configuration. |
Metric | Type the cost for routes provided by the static route configuration. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used. |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |
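The difference between the Text and MD5 options in the RIP authentication rows above can be seen at the packet level. The following Python is an added example, not part of the Zyxel guide or firmware: it assumes the RFC 2082 keyed-MD5 layout for RIPv2, and the function names, the key `lab_key_1`, the authentication ID, the sequence number and the route are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
import struct

AUTH_FAMILY, AUTH_TEXT, AUTH_MD5, TRAILER = 0xFFFF, 2, 3, 1
HEADER = struct.pack("!BBH", 2, 2, 0)          # command=response, version=2, zero
KEY_RE = re.compile(r"[A-Za-z0-9_]{1,16}")     # key rule from the table above


def pad_key(key):
    if not KEY_RE.fullmatch(key):
        raise ValueError("key: 1-16 alphanumeric or underscore characters")
    return key.encode("ascii").ljust(16, b"\x00")


def route(prefix, mask, metric):
    # AFI 2 (IP), route tag 0, address, mask, next hop 0.0.0.0, metric
    addr = ipaddress.IPv4Address(prefix).packed
    return (struct.pack("!HH", 2, 0) + addr + ipaddress.IPv4Address(mask).packed
            + bytes(4) + struct.pack("!I", metric))


def build_text(key, routes):
    # Text mode: the 16-byte password travels in the first entry, unprotected.
    return (HEADER + struct.pack("!HH", AUTH_FAMILY, AUTH_TEXT)
            + pad_key(key) + b"".join(routes))


def build_md5(key, key_id, seq, routes):
    if not 1 <= key_id <= 255:
        raise ValueError("authentication ID must be 1-255")
    body_len = len(HEADER) + 20 + sum(len(r) for r in routes)
    auth = struct.pack("!HHHBBIII", AUTH_FAMILY, AUTH_MD5, body_len,
                       key_id, 16, seq, 0, 0)
    signed = HEADER + auth + b"".join(routes) + struct.pack("!HH", AUTH_FAMILY, TRAILER)
    # Digest covers packet + trailer header + key; only the digest is sent.
    return signed + hashlib.md5(signed + pad_key(key)).digest()


def inspect(packet, key=None):
    """Classify a captured RIPv2 packet; verify the MD5 digest if key is given."""
    if len(packet) < 8 or packet[1] != 2:
        return {"auth": "none"}
    family, auth_type = struct.unpack("!HH", packet[4:8])
    if family != AUTH_FAMILY:
        return {"auth": "none"}
    if auth_type == AUTH_TEXT:
        shown = packet[8:24].rstrip(b"\x00").decode("ascii", "replace")
        return {"auth": "text", "exposed_key": shown}
    if auth_type != AUTH_MD5 or len(packet) < 24:
        return {"auth": "unknown"}
    body_len, key_id, _, seq = struct.unpack("!HBBI", packet[8:16])
    end = body_len + 4                          # offset just past the trailer header
    trailer_ok = packet[body_len:end] == struct.pack("!HH", AUTH_FAMILY, TRAILER)
    ok = None
    if key is not None:
        expected = hashlib.md5(packet[:end] + pad_key(key)).digest()
        ok = trailer_ok and hmac.compare_digest(expected, packet[end:end + 16])
    return {"auth": "md5", "key_id": key_id, "seq": seq, "digest_ok": ok}


# Constructed sample data (not from the guide).
SAMPLE_ROUTES = [route("10.1.0.0", "255.255.0.0", 2)]
TEXT_PKT = build_text("lab_key_1", SAMPLE_ROUTES)
MD5_PKT = build_md5("lab_key_1", 7, 1001, SAMPLE_ROUTES)

if __name__ == "__main__":
    print(inspect(TEXT_PKT))
    print(inspect(MD5_PKT, "lab_key_1"))
```

In both packets the route entry itself is readable, which is what "protects the integrity, but not the confidentiality" means here; only the MD5 variant keeps the key off the wire and detects a modified update.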
Source \ Type of Area | Normal | NSSA | Stub |
Static routes | Yes | Yes | No |
RIP | Yes | Yes | Yes |
Label | Description |
OSPF Router ID | Select the 32-bit ID the Zyxel Device uses in the OSPF AS. Default - the first available interface IP address is the Zyxel Device’s ID. User Defined - enter the ID (in IP address format) in the field that appears when you select User Define. |
Redistribute | |
Active RIP | Select this to advertise routes that were learned from RIP. The Zyxel Device advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas. |
Type | Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. |
Metric | Type the external cost for routes provided by RIP. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214. |
Active Static Route | Select this to advertise routes that were learned from static routes. The Zyxel Device advertises routes learned from static routes to all types of areas. |
Type | Select how OSPF calculates the cost associated with routing information from static routes. Choices are: Type 1 and Type 2. Type 1 - cost = OSPF AS cost + external cost (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. |
Metric | Type the external cost for routes provided by static routes. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214. |
Area | This section displays information about OSPF areas in the Zyxel Device. |
Add | Click this to create a new OSPF area. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This field is a sequential value, and it is not associated with a specific area. |
Area | This field displays the 32-bit ID for each area in IP address format. |
Type | This field displays the type of area. This type is different from the Type field above. |
Authentication | This field displays the default authentication method in the area. |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |
Label | Description |
Area ID | Type the unique, 32-bit identifier for the area in IP address format. |
Type | Select the type of OSPF area. Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS. Stub - This area is a stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS. NSSA - This area is a Not So Stubby Area (NSSA), per RFC 1587. It has routing information about the OSPF AS and networks that are outside the OSPF AS and are directly connected to the NSSA. It does not have information about other networks outside the OSPF AS. |
Authentication | Select the default authentication method used in the area. This authentication protects the integrity, but not the confidentiality, of routing updates. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). |
Text Authentication Key | This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
MD5 Authentication ID | This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255. |
MD5 Authentication Key | This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
Virtual Link | This section is displayed if the Type is Normal. Create a virtual link if you want to connect a different area (that does not have a direct connection to the backbone) to the backbone. You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone. |
Add | Click this to create a new virtual link. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This field is a sequential value, and it is not associated with a specific area. |
Peer Router ID | This is the 32-bit ID (in IP address format) of the other ABR in the virtual link. |
Authentication | This is the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). Hover your cursor over this label to display the password. MD5 uses an MD5 password and authentication ID (most secure). Hover your cursor over this label to display the authentication ID and key. Same as Area has the virtual link also use the Authentication settings above. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
Label | Description |
Peer Router ID | Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link. |
Authentication | Select the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates. For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information. None uses no authentication. Text uses a plain text password that is sent over the network (not very secure). MD5 uses an MD5 password and authentication ID (most secure). Same as Area has the virtual link also use the Authentication settings above. |
Text Authentication Key | This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
MD5 Authentication ID | This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255. |
MD5 Authentication Key | This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |
Label | Description |
AS Number | Type a number from 1 to 4294967295 in this field. The Zyxel Device can only belong to one AS at a time. |
Router ID | Type the IP address of the interface on the Zyxel Device. This field is optional. |
Redistribute | Select Connected to redistribute routes of directly attached devices to the Zyxel Device into the BGP Routing Information Base (RIB). |
Neighbors | This section displays information about peer BGP routers in neighboring ASes. The maximum number of neighboring BGP routers supported by the Zyxel Device is 5. |
Add | Click this to configure BGP criteria for a new peer BGP router. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This field is a sequential value, and it is not associated with a specific area. |
IP Address | This displays the IPv4 address of the peer BGP router in a neighboring AS. |
AS Number | This displays the AS Number of the peer BGP router in a neighboring AS. |
Network | Use this section to add routes that will be announced to all BGP neighbors. You may configure up to 16 network routes. |
Add | Click this to configure network information for a new route. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
# | This field is a sequential value, and it is not associated with a specific area. |
Network | This displays the IP address and the number of subnet mask bits for the peer BGP route. |
Apply | Click this button to save your changes to the Zyxel Device. |
Reset | Click this button to return the screen to its last-saved settings. |
Label | Description |
IP Address | Type the IP address of the interface on the peer BGP router. |
AS Number | Type a number from 1 to 4294967295 in this field. Get the number from your service provider. |
Enable EBGP Multihop | Select this to allow the Zyxel Device to attempt BGP connections to external peers on indirectly connected networks. eBGP neighbors must also perform multihop. Multihop is not established if the only route to the multihop peer is a default route. This avoids loop formation. |
EBGP Maximum Hops | Enter a maximum hop count from 1 to 255. The default is 255. |
Update Source | Use this to have BGP sessions use the selected interface for TCP connections. • Choose Gateway and then enter the gateway IP address. • Choose Interface and then select a Zyxel Device interface. • Choose None to use the closest interface. |
MD5 authentication key | Type the default password for MD5 authentication of communication between the Zyxel Device and the peer BGP router. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long. |
Weight | Specify a weight value for all routes learned from this peer BGP router in the specified network. The route with the highest weight gets preference. |
Keepalive Time | Keepalive messages are sent by the Zyxel Device to a peer BGP router to inform it that the BGP connection between the two is still active. The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Device. We recommend setting the Keepalive Time to 1/3 of the Hold Time. |
Hold Time | This is the maximum time the Zyxel Device waits to receive a Keepalive message from a peer BGP router before it declares that the peer BGP router is dead. Hold Time must be greater than the Keepalive Time. |
Maximum Prefix | A prefix is a network address (IP/subnet mask) that a BGP router can reach and that it shares with its neighbors. Set the maximum number, from 1 to 4294967295, of prefixes that can be received from a neighbor. This limits the number of prefixes that the Zyxel Device is allowed to receive from a neighbor. If extra prefixes are received, the Zyxel Device ends the connection with the peer BGP router. You need to edit the peer BGP router configuration to bring the connection back. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving. |