Routing
Policy and Static Routes Overview
Use policy routes and static routes to override the Zyxel Device’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.
Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis, prior to the normal routing.
How You Can Use Policy Routing
• Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.
• Bandwidth Shaping – You can allocate bandwidth to traffic that matches routing policies and prioritize traffic. You can also use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.
• Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
• Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.
• NAT – The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces. A routing policy’s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.
Note: The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, such as LAN to WAN traffic.
Static Routes
The Zyxel Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Zyxel Device send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Routing Protocols Overview for more on RIP and OSPF.
Policy Routes Versus Static Routes
• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
• Policy routes are only used within the Zyxel Device itself. Static routes can be propagated to other routers using RIP or OSPF.
• Policy routes take priority over static routes. If you need to use a routing policy on the Zyxel Device and propagate it to other routers, you could configure a policy route and an equivalent static route.
DiffServ
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going.
DSCP Marking and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DSCP (6 bits) | Unused (2 bits) |
DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ-compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
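The DS field layout described above, as an added example that is not part of the original Zyxel documentation. It splits a DS octet into the 6-bit DSCP and the 2-bit unused field, shows how the top three DSCP bits line up with ToS precedence, and names the Assured Forwarding code points; the AF encoding (8 × class + 2 × drop preference) is taken from RFC 2597 and the "cs" class selector names from RFC 2474, neither of which is spelled out on this page.

```python
def dscp_name(dscp):
    """Name a 6-bit DSCP value: default, afXY, csN, or the bare number."""
    if dscp == 0:
        return "default"                      # best effort traffic
    top3, low3 = dscp >> 3, dscp & 0b111
    if 1 <= top3 <= 4 and low3 in (2, 4, 6):  # four classes, three drop preferences
        return f"af{top3}{low3 >> 1}"
    if low3 == 0:
        return f"cs{top3}"                    # RFC 2474 class selector (not on this page)
    return str(dscp)


def decode_ds_field(ds_byte):
    """Split the DS octet (the former ToS byte) into its parts."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError("the DS field is a single octet")
    dscp = ds_byte >> 2                       # upper 6 bits: 64 service levels
    return {
        "dscp": dscp,
        "unused": ds_byte & 0b11,             # lower 2 bits
        "precedence": dscp >> 3,              # overlaps the 3 ToS precedence bits
        "name": dscp_name(dscp),
    }


def af_to_dscp(af_class, drop):
    """DSCP value for Assured Forwarding class 1-4 and drop preference 1-3."""
    if af_class not in range(1, 5) or drop not in range(1, 4):
        raise ValueError("AF has four classes and three drop preferences")
    return 8 * af_class + 2 * drop


def mark(ds_byte, dscp):
    """Rewrite only the 6 DSCP bits of a DS octet; the low 2 bits are kept."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return (dscp << 2) | (ds_byte & 0b11)


if __name__ == "__main__":
    for octet in (0x00, 0x28, 0x98, 0xC0):    # constructed sample DS octets
        print(f"0x{octet:02X}", decode_ds_field(octet))
```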
Policy Route
Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.
The actions that can be taken include:
• Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.
• Limiting the amount of bandwidth available and setting a priority for traffic.
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen.
Configuration > Network > Routing > Policy Route
Label | Description |
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Enable BWM | This is a global setting for enabling or disabling bandwidth management on the Zyxel Device. You must enable this setting to have individual policy routes or application patrol policies apply bandwidth management. This same setting also appears in the AppPatrol > General screen. Enabling or disabling it in one screen also enables or disables it in the other screen. |
IPv4 Configuration / IPv6 Configuration | Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below. |
Use IPv4/IPv6 Policy Route to Override Direct Route | Select this to have the Zyxel Device forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network. |
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry. |
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. |
Remove | To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
Move | To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. |
# | This is the number of an individual policy route. |
Status | This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive. |
User | This is the name of the user (group) object from which the packets are sent. any means all users. |
Schedule | This is the name of the schedule object. none means the route is active at all times if enabled. |
Incoming | This is the interface on which the packets are received. |
Source | This is the name of the source IP address (group) object, including geographic address and FQDN (group) objects. any means all IP addresses. |
Destination | This is the name of the destination IP address (group) object, including geographic and FQDN (group) address objects. any means all IP addresses. |
DSCP Code | This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details. |
Service | This is the name of the service object. any means all services. |
Source Port | This is the name of a service object. The Zyxel Device applies the policy route to the packets sent from the corresponding service port. any means all service ports. |
Next-Hop | This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or trunk. |
DSCP Marking | This is how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route’s outgoing packets. preserve means the Zyxel Device does not modify the DSCP value of the route’s outgoing packets. default means the Zyxel Device sets the DSCP value of the route’s outgoing packets to 0. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details. |
SNAT | This is the source IP address that the route uses. It displays none if the Zyxel Device does not perform NAT for this route. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
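Because policy routes are applied in order of their numbering and a route applies only when all of its criteria match, a broad route placed early can silently keep a narrower route (for example one that sends traffic into a VPN tunnel) from ever being used. The following added example, which is not Zyxel code or a Zyxel configuration format, audits an exported rule list for that condition. The PolicyRoute model, interface names, addresses and next-hop names are constructed for illustration, and the user, schedule and DSCP criteria are left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class PolicyRoute:
    """Hypothetical model of one row of the policy route table."""
    number: int
    incoming: str      # interface name or "any"
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    service: str       # e.g. "tcp/443" or "any"
    next_hop: str
    active: bool = True


def _net_covers(outer, inner):
    # True if every address in `inner` is also in `outer`.
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(earlier, later):
    # `earlier` hides `later` only if it is at least as broad on every criterion.
    return (earlier.incoming in (ANY, later.incoming)
            and _net_covers(earlier.source, later.source)
            and _net_covers(earlier.destination, later.destination)
            and earlier.service in (ANY, later.service))


def find_shadowed(routes):
    """Return (shadowed number, shadowing number, next hop actually used)."""
    ordered = sorted((r for r in routes if r.active), key=lambda r: r.number)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later) and earlier.next_hop != later.next_hop:
                findings.append((later.number, earlier.number, earlier.next_hop))
                break
    return findings


# Constructed sample: route 2 was meant to send branch traffic into a VPN tunnel.
SAMPLE = [
    PolicyRoute(1, "lan1", "192.168.1.0/24", ANY, ANY, "wan1"),
    PolicyRoute(2, "lan1", "192.168.1.0/24", "10.20.0.0/16", ANY, "vpn_branch"),
    PolicyRoute(3, "lan2", ANY, ANY, "tcp/443", "wan2"),
]
```

Running find_shadowed(SAMPLE) reports that route 2 is hidden by route 1, so the branch traffic leaves through wan1 instead of the tunnel; moving route 2 above route 1 clears the finding.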