Routing
Policy and Static Routes Overview
Use policy routes and static routes to override the Zyxel Device’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel.
Note: You can generally just use policy routes. You only need to use static routes if you have a large network with multiple routers where you use RIP or OSPF to propagate routing information to other routers.
What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the Zyxel Device takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
How You Can Use Policy Routing
Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.
Bandwidth Shaping – You can allocate bandwidth to traffic that matches routing policies and prioritize traffic. You can also use policy routes to manage other types of traffic (like ICMP traffic) and send traffic through VPN tunnels.
Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.
NAT – The Zyxel Device performs NAT by default for traffic going to or from the WAN interfaces. A routing policy’s SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.
Note: The Zyxel Device automatically uses SNAT for traffic it routes from internal interfaces to external interfaces, for example, LAN to WAN traffic.
Static Routes
The Zyxel Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Zyxel Device send data to devices not reachable through the default gateway, use static routes. Configure static routes if you need to use RIP or OSPF to propagate the routing information to other routers. See Routing Protocols Overview for more on RIP and OSPF.
Policy Routes Versus Static Routes
Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, NAT, and bandwidth management.
Policy routes are only used within the Zyxel Device itself. Static routes can be propagated to other routers using RIP or OSPF.
Policy routes take priority over static routes. If you need to use a routing policy on the Zyxel Device and propagate it to other routers, you could configure a policy route and an equivalent static route.
DiffServ
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.
DSCP Marking and Per-Hop Behavior
DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.
DSCP (6 bits) | Unused (2 bits)
DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.
The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.
Policy Route
Use this screen to see the configured policy routes and turn policy routing based bandwidth management on or off.
A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.
The actions that can be taken include:
Routing the packet to a different gateway, outgoing interface, VPN tunnel, or trunk.
Limiting the amount of bandwidth available and setting a priority for traffic.
IPPR follows the existing packet filtering facility of RAS in style and in implementation.
If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure policy routes used for your IPv6 networks on this screen.
Configuration > Network > Routing > Policy Route 
Label
Description
Show Filter / Hide Filter
Click this button to display a greater or lesser number of configuration fields.
IPv4 Configuration / IPv6 Configuration
Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.
Use IPv4/IPv6 Policy Route to Override Direct Route
Select this to have the Zyxel Device forward packets that match a policy route according to the policy route instead of sending the packets directly to a connected network.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To change a rule’s position in the numbered list, select the rule and click Move to display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed.
The ordering of your rules is important as they are applied in order of their numbering.
#
This is the number of an individual policy route.
Status
This icon is lit when the entry is active, red when the next hop’s connection is down, and dimmed when the entry is inactive.
User
This is the name of the user (group) object from which the packets are sent. any means all users.
Schedule
This is the name of the schedule object. none means the route is active at all times if enabled.
Incoming
This is the interface on which the packets are received.
Source
This is the name of the source IP address (group) object, including geographic address and FQDN (group) objects. any means all IP addresses.
Destination
This is the name of the destination IP address (group) object, including geographic and FQDN (group) address objects. any means all IP addresses.
DSCP Code
This is the DSCP value of incoming packets to which this policy route applies.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
Service
This is the name of the service object. any means all services.
Source Port
This is the name of a service object. The Zyxel Device applies the policy route to the packets sent from the corresponding service port. any means all service ports.
Next-Hop
This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or trunk.
DSCP Marking
This is how the Zyxel Device handles the DSCP value of the outgoing packets that match this route. If this field displays a DSCP value, the Zyxel Device applies that DSCP value to the route’s outgoing packets.
preserve means the Zyxel Device does not modify the DSCP value of the route’s outgoing packets.
default means the Zyxel Device sets the DSCP value of the route’s outgoing packets to 0.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
SNAT
This is the source IP address that the route uses.
It displays none if the Zyxel Device does not perform NAT for this route.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
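The following added example (not Zyxel code and not part of the original guide) models the two rules stated above: a policy route applies only when all of its criteria are met, and routes are applied in order of their numbering. It also reports later routes that can never match because an earlier route covers them, which matters when the hidden route was meant to send traffic into a VPN tunnel. The field names, interface names, addresses and the simplified service labels are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass
class PolicyRoute:
    number: int
    incoming: str        # interface name or "any"
    source: str          # IPv4 CIDR or "any"
    destination: str     # IPv4 CIDR or "any"
    service: str         # simplified service label such as "tcp/443", or "any"
    next_hop: str
    active: bool = True

def net(value):
    """Turn an address criterion into an IPv4 network; "any" becomes 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if value == ANY else value)

def matches(rule, pkt):
    """A route applies only when every criterion is met."""
    return (rule.active
            and rule.incoming in (ANY, pkt["incoming"])
            and ipaddress.ip_address(pkt["src"]) in net(rule.source)
            and ipaddress.ip_address(pkt["dst"]) in net(rule.destination)
            and rule.service in (ANY, pkt["service"]))

def select_route(rules, pkt):
    """Return the first matching route in numbered order, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule
    return None  # no policy route matched; static routes and the routing table decide

def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`."""
    return (earlier.incoming in (ANY, later.incoming)
            and net(later.source).subnet_of(net(earlier.source))
            and net(later.destination).subnet_of(net(earlier.destination))
            and earlier.service in (ANY, later.service))

def shadowed_routes(rules):
    """List (shadowed_number, shadowing_number) pairs among the active routes."""
    ordered = sorted((r for r in rules if r.active), key=lambda r: r.number)
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                findings.append((later.number, earlier.number))
                break
    return findings

# Constructed sample policy: route 2 was meant to send part of the LAN through a VPN.
RULES = [
    PolicyRoute(1, "lan1", "192.168.1.0/24", ANY, ANY, "wan1"),
    PolicyRoute(2, "lan1", "192.168.1.0/25", "10.20.0.0/16", ANY, "vpn_hq"),
    PolicyRoute(3, "lan2", ANY, "10.20.0.0/16", "tcp/443", "vpn_hq"),
]

if __name__ == "__main__":
    pkt = {"incoming": "lan1", "src": "192.168.1.10",
           "dst": "10.20.5.5", "service": "tcp/443"}
    print("next hop:", select_route(RULES, pkt).next_hop)
    print("shadowed:", shadowed_routes(RULES))
```

Moving route 2 above route 1 removes the finding.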
Policy Route Edit
Use this screen to configure or edit a policy route.
Configuration > Network > Routing > Policy Route > Add/Edit 
Label
Description
Show Advanced Settings / Hide Advanced Settings
Click this button to display a greater or lesser number of configuration fields.
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Configuration
 
Enable
Select this to activate the policy.
Description
Enter a descriptive name of up to 31 printable ASCII characters for the policy.
Criteria
 
User
Select a user name or user group from which the packets are sent.
Incoming
Select where the packets are coming from; any, an interface, a tunnel, an SSL VPN, or the Zyxel Device itself. For an interface, a tunnel, or an SSL VPN, you also need to select the individual interface, VPN tunnel, or SSL VPN connection.
Source Address
Select a source IP address object, including geographic address and FQDN (group) objects, from which the packets are sent.
Destination Address
Select a destination IP address object, including geographic address and FQDN (group) objects, to which the traffic is being sent. If the next hop is a dynamic VPN tunnel and you enable Auto Destination Address, the Zyxel Device uses the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of your configuration here.
DSCP Code
Select a DSCP code point value of incoming packets to which this policy route applies or select User Define to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.
any means all DSCP values or no DSCP marker.
default means traffic with a DSCP value of 0. This is usually best effort traffic.
The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
User-Defined DSCP Code
Use this field to specify a custom DSCP code point when you select User Define in the previous field.
Schedule
Select a schedule to control when the policy route is active. none means the route is active at all times if enabled.
Service
Select a service or service group to identify the type of traffic to which this policy route applies.
Source Port
Select a service or service group to identify the source port of packets to which the policy route applies.
Next-Hop
 
Type
Select Auto to have the Zyxel Device use the routing table to find a next-hop and forward the matched packets automatically.
Select Gateway to route the matched packets to the next-hop router or switch you specified in the Gateway field. You have to set up the next-hop router or switch as a HOST address object first.
Select VPN Tunnel to route the matched packets via the specified VPN tunnel.
Select Trunk to route the matched packets through the interfaces in the trunk group based on the load balancing algorithm.
Select Interface to route the matched packets through the specified outgoing interface to a gateway (which is connected to the interface).
Gateway
This field displays when you select Gateway in the Type field. Select a HOST address object. The gateway is an immediate neighbor of your Zyxel Device that will forward the packet to the destination. The gateway must be a router or switch on the same segment as your Zyxel Device's interface(s).
VPN Tunnel
This field displays when you select VPN Tunnel in the Type field. Select a VPN tunnel through which the packets are sent to the remote network that is connected to the Zyxel Device directly.
Auto Destination Address
This field displays when you select VPN Tunnel in the Type field. Select this to have the Zyxel Device use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy.
Leave this cleared if you want to manually specify the destination address.
Trunk
This field displays when you select Trunk in the Type field. Select a trunk group to have the Zyxel Device send the packets via the interfaces in the group.
Interface
This field displays when you select Interface in the Type field. Select an interface to have the Zyxel Device send traffic that matches the policy route through the specified interface.
DSCP Marking
Set how the Zyxel Device handles the DSCP value of the outgoing packets that match this route.
Select one of the pre-defined DSCP values to apply or select User Define to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ for more details.
Select preserve to have the Zyxel Device keep the packets’ original DSCP value.
Select default to have the Zyxel Device set the DSCP value of the packets to 0.
User-Defined DSCP Marking
Use this field to specify a custom DSCP value.
Address Translation
Use this section to configure NAT for the policy route. This section does not apply to policy routes that use a VPN tunnel as the next hop.
Source Network Address Translation
Select none to not use NAT for the route.
Select outgoing-interface to use the IP address of the outgoing interface as the source IP address of the packets that match this route.
To use SNAT for a virtual interface that is in the same WAN trunk as the physical interface to which the virtual interface is bound, the virtual interface and physical interface must be in different subnets.
Otherwise, select a pre-defined address (group) to use as the source IP address(es) of the packets that match this route.
Use Create new Object if you need to configure a new address (group) to use as the source IP address(es) of the packets that match this route.
Healthy Check
Use this part of the screen to configure a route connectivity check and disable the policy if the interface is down.
Disable policy route automatically while Interface link down
Select this to disable the policy if the interface is down or disabled. This is available for Interface and Trunk in the Type field above.
Enable Connectivity Check
Select this to turn on the connection check. This is available for Interface and Gateway in the Type field above.
Check Method:
Select the method that the gateway allows.
Select icmp to have the Zyxel Device regularly ping the gateway you specify to make sure it is still available.
Select tcp to have the Zyxel Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available.
Check Period:
Enter the number of seconds between connection check attempts (5-600 seconds).
Check Timeout:
Enter the number of seconds to wait for a response before the attempt is a failure (1-10 seconds).
Check Fail Tolerance:
Enter the number of consecutive failures before the Zyxel Device stops routing using this policy (1-10).
Check Port:
This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check (1-65535).
Check this address:
Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
IP Static Route
This screen displays the configured static routes. Configure static routes to be able to use RIP or OSPF to propagate the routing information to other routers. If you enabled IPv6 in the Configuration > System > IPv6 screen, you can also configure static routes used for your IPv6 networks on this screen.
Configuration > Network > Routing > Static Route 
Label
Description
IPv4 Configuration / IPv6 Configuration
Use the IPv4 Configuration section for IPv4 network settings. Use the IPv6 Configuration section for IPv6 network settings if you connect your Zyxel Device to an IPv6 network. Both sections have similar fields as described below.
Add
Click this to create a new static route.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This is the number of an individual static route.
Destination
This is the destination IP address.
Subnet Mask
This is the IP subnet mask.
Prefix
This is the IPv6 prefix for the destination IP address.
Next-Hop
This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.
Metric
This is the route’s priority among the Zyxel Device’s routes. The smaller the number, the higher priority the route has.
Static Route Add/Edit
Use this screen to configure the required information for a static route.
Configuration > Network > Routing > Static Route > Add 
Label
Description
Destination IP
This parameter specifies the IP network address of the final destination. Routing is always based on network number.
If you need to specify a route to a single host, enter the specific IP address here and use a subnet mask of 255.255.255.255 (for IPv4) in the Subnet Mask field or a prefix of 128 (for IPv6) in the Prefix Length field to force the network number to be identical to the host ID.
For IPv6, if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field, enter :: in this field and 0 in the Prefix Length field.
Subnet Mask
Enter the IP subnet mask here.
Prefix Length
Enter the number of left-most digits in the destination IP address, which indicates the network prefix. Enter :: in the Destination IP field and 0 in this field if you want to send all traffic to the gateway or interface specified in the Gateway IP or Interface field.
Gateway IP
Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Zyxel Device's interface(s). The gateway helps forward packets to their destinations.
Interface
Select the radio button and a predefined interface through which the traffic is sent.
Metric
Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Policy Routing Technical Reference
Here is more detailed information about some of the features you can configure in policy routing.
NAT and SNAT
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.
Assured Forwarding (AF) PHB for DiffServ
Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers on the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
Assured Forwarding (AF) Behavior Group
| | Class 1 | Class 2 | Class 3 | Class 4 |
| Low Drop Precedence | AF11 (10) | AF21 (18) | AF31 (26) | AF41 (34) |
| Medium Drop Precedence | AF12 (12) | AF22 (20) | AF32 (28) | AF42 (36) |
| High Drop Precedence | AF13 (14) | AF23 (22) | AF33 (30) | AF43 (38) |
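The DS field layout and the AF encodings above can be worked through in code. This added example (not part of the original guide and not Zyxel code) decodes a DS octet, regenerates the twelve AF code points as 8 × class + 2 × drop precedence, and models the DSCP Code match and DSCP Marking choices described earlier. The function names are hypothetical, and keeping the two unused low-order bits unchanged when re-marking is an assumption.

```python
# AFxy has the decimal DSCP value 8*x + 2*y (x = class 1-4, y = drop precedence 1-3).
AF_NAMES = {8 * c + 2 * d: f"af{c}{d}" for c in range(1, 5) for d in range(1, 4)}
AF_VALUES = {name: value for value, name in AF_NAMES.items()}
DROP_PRECEDENCE = {1: "low", 2: "medium", 3: "high"}

def decode_ds(ds_byte):
    """Split the DS octet into the 6-bit DSCP and the 2 unused bits."""
    if not 0 <= ds_byte <= 0xFF:
        raise ValueError("the DS field is a single octet")
    dscp = ds_byte >> 2
    info = {
        "dscp": dscp,
        "unused_bits": ds_byte & 0b11,
        # The top three DSCP bits line up with the old ToS precedence bits.
        "precedence": dscp >> 3,
        "name": "default" if dscp == 0 else AF_NAMES.get(dscp, str(dscp)),
    }
    if dscp in AF_NAMES:
        info["af_class"] = dscp >> 3
        info["drop_precedence"] = DROP_PRECEDENCE[(dscp >> 1) & 0b11]
    return info

def to_dscp(setting):
    """Resolve "default", an "afXY" name or a user-defined integer to a DSCP value."""
    if setting == "default":
        return 0
    if isinstance(setting, str):
        return AF_VALUES[setting]          # KeyError for an unknown name
    if not 0 <= setting <= 63:
        raise ValueError("a DSCP value is 6 bits (0-63)")
    return setting

def dscp_code_matches(setting, ds_byte):
    """DSCP Code criterion: "any" matches every packet, marked or not."""
    return setting == "any" or to_dscp(setting) == ds_byte >> 2

def apply_marking(setting, ds_byte):
    """DSCP Marking action: "preserve" leaves the octet alone, otherwise rewrite the DSCP."""
    if setting == "preserve":
        return ds_byte
    # Assumption: the two unused low-order bits are carried over unchanged.
    return (to_dscp(setting) << 2) | (ds_byte & 0b11)

if __name__ == "__main__":
    print(decode_ds(0x88))                   # constructed octet carrying AF41
    print(hex(apply_marking("af13", 0x89)))
```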
Maximize Bandwidth Usage
The maximize bandwidth usage option allows the Zyxel Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a policy route is not using) among the policy routes that require more bandwidth.
When you enable maximize bandwidth usage, the Zyxel Device first makes sure that each policy route gets up to its bandwidth allotment. Next, the Zyxel Device divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the policy routes) depending on how many policy routes require more bandwidth and on their priority levels. When only one policy route requires more bandwidth, the Zyxel Device gives the extra bandwidth to that policy route.
When multiple policy routes require more bandwidth, the Zyxel Device gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The Zyxel Device distributes the available bandwidth equally among policy routes with the same priority level.
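The allocation described above can be followed with numbers. This is an added example, not the Zyxel Device's own algorithm: it assumes that priority 1 is the highest priority, and that a route needing less than its equal share takes only what it requires, with the remainder split among the other routes at that priority level. Route names and kbps figures are constructed.

```python
def allocate(interface_kbps, routes):
    """Return {route name: granted kbps} under maximize bandwidth usage.

    Each route is a dict with name, allotment, demand (kbps) and priority.
    """
    # Step 1: every policy route gets up to its own bandwidth allotment.
    grant = {r["name"]: min(r["demand"], r["allotment"]) for r in routes}
    spare = interface_kbps - sum(grant.values())
    if spare < 0:
        raise ValueError("allotments in use exceed the interface bandwidth")

    # Step 2: hand out unbudgeted or unused bandwidth, highest priority first.
    for priority in sorted({r["priority"] for r in routes}):
        need = {r["name"]: r["demand"] - grant[r["name"]]
                for r in routes
                if r["priority"] == priority and r["demand"] > grant[r["name"]]}
        # Equal split within one priority level, smallest requirement first so
        # that whatever a route does not need flows on to its peers.
        pending = sorted(need.items(), key=lambda item: item[1])
        for index, (name, wanted) in enumerate(pending):
            give = min(wanted, spare / (len(pending) - index))
            grant[name] += give
            spare -= give
    return grant

# Constructed sample: a 10000 kbps interface with four policy routes.
ROUTES = [
    {"name": "voip",   "allotment": 2000, "demand": 1000, "priority": 1},
    {"name": "web",    "allotment": 3000, "demand": 6000, "priority": 2},
    {"name": "mail",   "allotment": 1000, "demand": 2000, "priority": 2},
    {"name": "backup", "allotment": 2000, "demand": 8000, "priority": 3},
]

if __name__ == "__main__":
    for name, kbps in allocate(10000, ROUTES).items():
        print(f"{name:8s} {kbps:8.0f} kbps")
```

In the sample, 3000 kbps is left after step 1; mail takes the 1000 kbps it still requires, web takes the remaining 2000 kbps, and backup stays at its allotment.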
Routing Protocols Overview
Routing protocols give the Zyxel Device routing information about the network from other routers. The Zyxel Device stores this routing information in the routing table it uses to make routing decisions. In turn, the Zyxel Device can also use routing protocols to propagate routing information to other routers.
Routing protocols are usually only used in networks using multiple routers like campuses or large enterprises.
What You Need to Know
The Zyxel Device supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared here and discussed further in the rest of the chapter.
RIP vs. OSPF
| | RIP | OSPF |
| Network Size | Small (with up to 15 routers) | Large |
| Metric | Hop count | Bandwidth, hop count, throughput, round trip time and reliability. |
| Convergence | Slow | Fast |
RIP
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a device to exchange routing information with other routers. RIP is a vector-space routing protocol, and, like most such protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).
In the Zyxel Device, you can configure two sets of RIP settings before you can use it in an interface.
First, the Authentication field specifies how to verify that the routing information that is received is the same routing information that is sent.
Second, the Zyxel Device can also redistribute routing information from non-RIP networks, specifically OSPF networks and static routes, to the RIP network. Costs might be calculated differently, however, so you use the Metric field to specify the cost in RIP terms.
RIP uses UDP port 520.
Use the RIP screen to specify the authentication method and maintain the policies for redistribution.
Configuration > Network > Routing Protocol > RIP 
Label
Description
Authentication
The transmitting and receiving routers must have the same key.
For RIP, authentication is not available in RIP version 1. In RIP version 2, you can only select one authentication type for all interfaces.
Authentication
Select the authentication method used in the RIP network. This authentication protects the integrity, but not the confidentiality, of routing updates.
None uses no authentication.
Text uses a plain text password that is sent over the network (not very secure).
MD5 uses an MD5 password and authentication ID (the most secure of the three options).
Text Authentication Key
This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID
This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and 255.
MD5 Authentication Key
This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
Redistribute
 
Active OSPF
Select this to use RIP to advertise routes that were learned through OSPF.
Metric
Type the cost for routes provided by OSPF. The metric represents the “cost” of transmission for routing purposes. RIP routing uses hop count as the measurement of cost, with 1 usually used for directly connected networks. The number does not have to be precise, but it must be between 0 and 16. In practice, 2 or 3 is usually used.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
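The difference between the Text and MD5 choices in the Authentication field shows up on the wire. This added example (not Zyxel code and not part of the original guide) builds constructed RIPv2 updates using the packet layouts from RFC 2453 and RFC 2082, which this page does not reproduce, and audits them: Text carries the key in the update itself, while MD5 carries only a digest that detects a modified route. It assumes the device follows those RFCs; the key, prefix and sequence number are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_AFI = 0xFFFF            # address family value that marks an authentication entry
AUTH_TEXT, AUTH_MD5 = 2, 3   # authentication types: simple password, keyed MD5

def route_entry(prefix, next_hop, metric):
    """One 20-byte RIPv2 route entry for an IPv4 prefix."""
    n = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, n.network_address.packed,
                       n.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)

def text_update(routes, key):
    """RIPv2 response whose first entry carries the password itself."""
    return (struct.pack("!BBH", 2, 2, 0)
            + struct.pack("!HH16s", AUTH_AFI, AUTH_TEXT, key) + routes)

def md5_update(routes, key, key_id, sequence):
    """RIPv2 response with a keyed-MD5 authentication header and trailer."""
    length = 4 + 20 + len(routes)            # header + auth entry + route entries
    signed = (struct.pack("!BBH", 2, 2, 0)
              + struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, length, key_id, 16, sequence)
              + routes + struct.pack("!HH", AUTH_AFI, 1))
    # The key is hashed together with the packet but is never transmitted.
    return signed + hashlib.md5(signed + key.ljust(16, b"\0")).digest()

def audit_rip(packet, key=None):
    """Report the authentication in use and, given the key, verify an MD5 digest."""
    if len(packet) < 4:
        raise ValueError("too short for a RIP header")
    report = {"version": packet[1], "auth": "none", "key_on_wire": False, "digest_ok": None}
    if packet[1] < 2 or len(packet) < 24:
        return report                         # RIP version 1 has no authentication
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi != AUTH_AFI:
        return report
    if auth_type == AUTH_TEXT:
        report.update(auth="text", key_on_wire=True)
    elif auth_type == AUTH_MD5:
        length, key_id, digest_len, sequence = struct.unpack_from("!HBBI", packet, 8)
        report.update(auth="md5", key_id=key_id, sequence=sequence)
        if key is not None:
            end = length + 4                  # the digest covers the 4-byte trailer header
            digest = packet[end:end + digest_len]
            expected = hashlib.md5(packet[:end] + key.ljust(16, b"\0")).digest()
            report["digest_ok"] = len(digest) == 16 and hmac.compare_digest(expected, digest)
    else:
        report["auth"] = "unknown"
    return report

# Constructed sample data.
KEY = b"constructedKey1"
ROUTES = route_entry("10.20.0.0/16", "0.0.0.0", 3)
TEXT_PKT = text_update(ROUTES, KEY)
MD5_PKT = md5_update(ROUTES, KEY, key_id=1, sequence=1001)
TAMPERED = bytearray(MD5_PKT)
TAMPERED[43] = 1                              # metric changed from 3 to 1 in transit
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(audit_rip(TEXT_PKT))
    print(audit_rip(MD5_PKT, KEY))
    print(audit_rip(TAMPERED, KEY))
```

In both modes the route entries themselves stay readable in the update, which is the integrity-without-confidentiality point made in the Authentication field description.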
OSPF
OSPF (Open Shortest Path First, RFC 2328) is a link-state protocol designed to distribute routing information within a group of networks, called an Autonomous System (AS). OSPF offers some advantages over vector-space routing protocols like RIP.
OSPF supports variable-length subnet masks, which can be set up to use available IP addresses more efficiently.
OSPF filters and summarizes routing information, which reduces the size of routing tables throughout the network.
OSPF responds to changes on the network, such as the loss of a router, more quickly.
OSPF considers several factors, including bandwidth, hop count, throughput, round trip time, and reliability, when it calculates the shortest path.
OSPF converges more quickly than RIP.
Naturally, OSPF is also more complicated than RIP, so OSPF is usually more suitable for large networks.
OSPF uses IP protocol 89.
OSPF Areas
An OSPF Autonomous System (AS) is divided into one or more areas. Each area represents a group of adjacent networks and is identified by a 32-bit ID. In OSPF, this number may be expressed as an integer or as an IP address.
There are several types of areas.
The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
A stub area has routing information about the OSPF AS. It does not have any routing information about any networks outside the OSPF AS, including networks to which it is directly connected. It relies on a default route to send information outside the OSPF AS.
A Not So Stubby Area (NSSA, RFC 1587) has routing information about the OSPF AS and networks outside the OSPF AS to which the NSSA is directly connected. It does not have any routing information about other networks outside the OSPF AS.
OSPF Routers
Every router in the same area has the same routing information. They do this by exchanging Hello messages to confirm which neighbor (layer-3) devices exist, and then they exchange database descriptions (DDs) to create a synchronized link-state database. The link-state database contains records of router IDs, their associated links and path costs. The link-state database is then constantly updated through Link State Advertisements (LSA). Each router uses the link state database and the Dijkstra algorithm to compute the least cost paths to network destinations.
Like areas, each router has a unique 32-bit ID in the OSPF AS, and there are several types of routers. Each type is really just a different role, and it is possible for one router to play multiple roles at one time.
An internal router (IR) only exchanges routing information with other routers in the same area.
An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.
OSPF: Redistribution from Other Sources to Each Type of Area
| Source \ Type of Area | Normal | NSSA | Stub |
| Static routes | Yes | Yes | No |
| RIP | Yes | Yes | Yes |
A backbone router (BR) has at least one interface with area 0. By default, every router in area 0 is a backbone router, and so is every ABR.
In order to reduce the amount of traffic between routers, a group of routers that are directly connected to each other selects a designated router (DR) and a backup designated router (BDR). All of the routers only exchange information with the DR and the BDR, instead of exchanging information with all of the other routers in the group. The DR and BDR are selected by priority; if two routers have the same priority, the highest router ID is used.
The DR and BDR are selected in each group of routers that are directly connected to each other. If a router is directly connected to several groups, it might be a DR in one group, a BDR in another group, and neither in a third group all at the same time.
Virtual Links
In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone.
You cannot create a virtual link to a router in a different area.
OSPF Configuration
Follow these steps when you configure OSPF on the Zyxel Device.
1. Enable OSPF.
2. Set up the OSPF areas.
3. Configure the appropriate interfaces.
4. Set up virtual links, as needed.
Configuring OSPF
Use the first OSPF screen to specify the OSPF router the Zyxel Device uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a summary of OSPF areas, allows you to remove them, and opens the OSPF Add/Edit screen to add or edit them.
Configuration > Network > Routing Protocol > OSPF 
Label
Description
OSPF Router ID
Select the 32-bit ID the Zyxel Device uses in the OSPF AS.
Default - the first available interface IP address is the Zyxel Device’s ID.
User Defined - enter the ID (in IP address format) in the field that appears when you select User Define.
Redistribute
 
Active RIP
Select this to advertise routes that were learned from RIP. The Zyxel Device advertises routes learned from RIP to Normal and NSSA areas but not to Stub areas.
Type
Select how OSPF calculates the cost associated with routing information from RIP. Choices are: Type 1 and Type 2.
Type 1 - cost = OSPF AS cost + external cost (Metric)
Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored.
Metric
Type the external cost for routes provided by RIP. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.
Area
This section displays information about OSPF areas in the Zyxel Device.
Add
Click this to create a new OSPF area.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.
#
This field is a sequential value, and it is not associated with a specific area.
Area
This field displays the 32-bit ID for each area in IP address format.
Type
This field displays the type of area. This type is different from the Type field above.
Authentication
This field displays the default authentication method in the area.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
OSPF Area Add/Edit
The OSPF Area Add/Edit screen allows you to create a new area or edit an existing one.
Configuration > Network > Routing > OSPF > Add 
Label
Description
Area ID
Type the unique, 32-bit identifier for the area in IP address format.
Type
Select the type of OSPF area.
Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS.
Stub - This area is a stub area. It has routing information about the OSPF AS but not about networks outside the OSPF AS. It depends on a default route to send information outside the OSPF AS.
NSSA - This area is a Not So Stubby Area (NSSA), per RFC 1587. It has routing information about the OSPF AS and networks that are outside the OSPF AS and are directly connected to the NSSA. It does not have information about other networks outside the OSPF AS.
Authentication
Select the default authentication method used in the area. This authentication protects the integrity, but not the confidentiality, of routing updates.
None uses no authentication.
Text uses a plain text password that is sent over the network (not very secure).
MD5 uses an MD5 password and authentication ID (most secure).
Text Authentication Key
This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID
This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.
MD5 Authentication Key
This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
Virtual Link
This section is displayed if the Type is Normal. Create a virtual link if you want to connect a different area (that does not have a direct connection to the backbone) to the backbone. You should set up the virtual link on the ABR that is connected to the other area and on the ABR that is connected to the backbone.
Add
Click this to create a new virtual link.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific area.
Peer Router ID
This is the 32-bit ID (in IP address format) of the other ABR in the virtual link.
Authentication
This is the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates.
For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
None uses no authentication.
Text uses a plain text password that is sent over the network (not very secure). Hover your cursor over this label to display the password.
MD5 uses an MD5 password and authentication ID (most secure). Hover your cursor over this label to display the authentication ID and key.
Same as Area has the virtual link also use the Authentication settings above.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
Virtual Link Add/Edit
The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one.
Configuration > Network > Routing > OSPF > Add > Add 
Label
Description
Peer Router ID
Enter the 32-bit ID (in IP address format) of the other ABR in the virtual link.
Authentication
Select the authentication method the virtual link uses. This authentication protects the integrity, but not the confidentiality, of routing updates.
For OSPF, the Zyxel Device supports a default authentication type by area. If you want to use this default in an interface or virtual link, you set the associated Authentication Type field to Same as Area. As a result, you only have to update the authentication information for the area to update the authentication type used by these interfaces and virtual links. Alternatively, you can override the default in any interface or virtual link by selecting a specific authentication method. Please see the respective interface sections for more information.
None uses no authentication.
Text uses a plain text password that is sent over the network (not very secure).
MD5 uses an MD5 password and authentication ID (most secure).
Same as Area has the virtual link also use the Authentication settings above.
Text Authentication Key
This field is available if the Authentication is Text. Type the password for text authentication. The key can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
MD5 Authentication ID
This field is available if the Authentication is MD5. Type the default ID for MD5 authentication in the area. The ID can be between 1 and 255.
MD5 Authentication Key
This field is available if the Authentication is MD5. Type the default password for MD5 authentication in the area. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
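The Authentication fields on the OSPF area and virtual link screens above say MD5 protects the integrity, but not the confidentiality, of routing updates. The following added example (not Zyxel code) shows that property, assuming the device follows the cryptographic authentication layout of RFC 2328 Appendix D, where the 16-character key limit and the 1 to 255 ID range correspond to a 16-byte secret and an 8-bit key ID. The key, router ID and packet body are constructed sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

HDR = "!BBH4s4sHHHBBI"  # 24-byte OSPFv2 header, including the 8-byte auth field
DIGEST_LEN = 16

def pad_key(key: str) -> bytes:
    """Return the shared key as the 16-byte, zero-padded secret that is hashed."""
    raw = key.encode("ascii")
    if not 1 <= len(raw) <= 16:
        raise ValueError("key must be 1 to 16 characters")
    return raw.ljust(16, b"\x00")

def sign(router_id, area_id, key_id, seq, key, body):
    """Build header + body and append MD5(packet || padded key)."""
    if not 1 <= key_id <= 255:
        raise ValueError("authentication ID must be 1 to 255")
    header = struct.pack(
        HDR, 2, 1, 24 + len(body),
        IPv4Address(router_id).packed, IPv4Address(area_id).packed,
        0,  # checksum field is left zero with AuType 2
        2,  # AuType 2 = cryptographic authentication
        0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire, keys, last_seq):
    """Return 'ok' or the reason a receiving router drops the packet."""
    if len(wire) < 24 + DIGEST_LEN:
        return "too short"
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    fields = struct.unpack(HDR, packet[:24])
    length, autype, key_id, auth_len, seq = (fields[i] for i in (2, 6, 8, 9, 10))
    if autype != 2 or auth_len != DIGEST_LEN or length != len(packet):
        return "not MD5-authenticated"
    if key_id not in keys:
        return "unknown authentication ID"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return "digest mismatch"
    return "stale sequence number" if seq < last_seq else "ok"

# Constructed sample: a made-up key and a placeholder body, not a real Hello.
KEY = "Example_Key_01"
BODY = b"hello-from-10.0.0.1"
WIRE = sign("10.0.0.1", "0.0.0.0", 1, 100, KEY, BODY)
TAMPERED = WIRE[:24] + b"hello-from-10.0.0.9" + WIRE[-DIGEST_LEN:]
```

The body is visible in `WIRE` as sent, while `verify` rejects the tampered copy, a wrong key, an unknown ID and an older sequence number.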
BGP (Border Gateway Protocol)
The Zyxel Device supports eBGP (exterior Border Gateway Protocol) to route IPv4 traffic between routers in different Autonomous Systems (AS). An AS number is a number from 1 to 4294967295 that identifies an autonomous system. 4200000000 – 4294967294 are private AS numbers.
See OSPF for more information on autonomous systems.
Allow BGP Packets to Enter the Zyxel Device
You must first allow BGP packets to enter the Zyxel Device from the WAN.
1 Go to Configuration > Object > Service > Service Group.
2 Select the Default_Allow_WAN_To_ZyWALL rule and click Edit.
3 Move BGP from Available to Member.
4 Click OK.
Configuring BGP
Use this screen to configure BGP information about the Zyxel Device and its peer BGP routers.
Configuration > Network > Routing Protocol > BGP 
Label
Description
AS Number
Type a number from 1 to 4294967295 in this field.
*The Zyxel Device can only belong to one AS at a time.
Router ID
Type the IP address of the interface on the Zyxel Device. This field is optional.
Redistribute
Select Connected to redistribute routes of directly attached devices to the Zyxel Device into the BGP Routing Information Base (RIB).
Neighbors
This section displays information about peer BGP routers in neighboring ASes.
*The maximum number of neighboring BGP routers supported by the Zyxel Device is 5.
Add
Click this to configure BGP criteria for a new peer BGP router.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific area.
IP Address
This displays the IPv4 address of the peer BGP router in a neighboring AS.
AS Number
This displays the AS Number of the peer BGP router in a neighboring AS.
Network
Use this section to add routes that will be announced to all BGP neighbors.
*You may configure up to 16 network routes.
Add
Click this to configure network information for a new route.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific area.
Network
This displays the IP address and the number of subnet mask bits for the peer BGP route.
Apply
Click this button to save your changes to the Zyxel Device.
Reset
Click this button to return the screen to its last-saved settings.
BGP Neighbors
Use this screen to configure BGP information about a peer BGP router.
Configuration > Network > Routing Protocol > BGP 
Label
Description
IP Address
Type the IP address of the interface on the peer BGP router.
AS Number
Type a number from 1 to 4294967295 in this field. Get the number from your service provider.
Enable EBGP Multihop
Select this to allow the Zyxel Device to attempt BGP connections to external peers on indirectly connected networks. eBGP neighbors must also perform multihop. Multihop is not established if the only route to the multihop peer is a default route. This avoids loop formation.
EBGP Maximum Hops
Enter a maximum hop count from 1 to 255. The default is 255.
Update Source
Use this to allow BGP sessions to use the selected interface for TCP connections.
Choose Gateway and then enter the gateway IP address.
Choose Interface and then select a Zyxel Device interface.
Choose None to use the closest interface.
MD5 authentication key
Type the default password for MD5 authentication of communication between the Zyxel Device and the peer BGP router. The password can consist of alphanumeric characters and the underscore, and it can be up to 63 characters long.
Weight
Specify a weight value for all routes learned from this peer BGP router in the specified network. The route with the highest weight gets preference.
Keepalive Time
Keepalive messages are sent by the Zyxel Device to a peer BGP router to inform it that the BGP connection between the two is still active. The Keepalive Time is the interval between each Keepalive message sent by the Zyxel Device. We recommend that the Keepalive Time be 1/3 of the Hold Time.
Hold Time
This is the maximum time the Zyxel Device waits to receive a Keepalive message from a peer BGP router before it declares that the peer BGP router is dead. Hold Time must be greater than the Keepalive Time.
Maximum Prefix
A prefix is a network address (IP/subnet mask) that a BGP router can reach and that it shares with its neighbors. Set the maximum number, from 1 to 4294967295, of prefixes that can be received from a neighbor. This limits the number of prefixes that the Zyxel Device is allowed to receive from a neighbor. If extra prefixes are received, the Zyxel Device ends the connection with the peer BGP router. You need to edit the peer BGP router configuration to bring the connection back.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving.
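The Hold Time and Maximum Prefix fields above describe two ways a BGP session ends: the peer goes silent, or it announces more prefixes than allowed. The following added example (not Zyxel code) models both for one neighbor; the class, the state strings and the event lists are hypothetical, and restarting the timer on an UPDATE follows RFC 4271 rather than anything stated on this page.

```python
class BgpNeighbor:
    """Models the Hold Time and Maximum Prefix behaviour for one peer."""

    def __init__(self, keepalive, hold, max_prefix):
        if hold <= keepalive:
            raise ValueError("Hold Time must be greater than Keepalive Time")
        if not 1 <= max_prefix <= 4294967295:
            raise ValueError("Maximum Prefix must be 1 to 4294967295")
        self.hold, self.max_prefix = hold, max_prefix
        self.state, self.last_heard, self.prefixes = "established", 0, set()

    def _alive(self, now):
        """Expire the session if nothing was heard for Hold Time seconds."""
        if self.state == "established" and now - self.last_heard >= self.hold:
            self.state = "dead: hold time expired"
        return self.state == "established"

    def on_keepalive(self, now):
        if self._alive(now):
            self.last_heard = now
        return self.state

    def on_update(self, now, announced):
        if self._alive(now):
            self.last_heard = now  # RFC 4271: an UPDATE also restarts the timer
            self.prefixes |= set(announced)
            if len(self.prefixes) > self.max_prefix:
                self.prefixes.clear()
                self.state = "closed: maximum prefix exceeded"
        return self.state

def replay(neighbor, events):
    """Feed (time, kind, prefixes) tuples; return the state after each event."""
    return [neighbor.on_keepalive(t) if kind == "keepalive"
            else neighbor.on_update(t, prefixes) for t, kind, prefixes in events]

# Constructed events (seconds since session start, documentation prefixes).
LEAK = [(30, "keepalive", []),
        (85, "keepalive", []),                      # one keepalive lost
        (90, "update", ["192.0.2.0/24", "198.51.100.0/24"]),
        (95, "update", ["203.0.113.0/25", "203.0.113.128/25"]),
        (125, "keepalive", [])]                     # peer is still talking
SILENT = [(30, "keepalive", []), (120, "keepalive", [])]

def run_samples():
    return (replay(BgpNeighbor(30, 90, 3), LEAK),
            replay(BgpNeighbor(30, 90, 3), SILENT))
```

In the `LEAK` run the session stays closed even though the peer keeps sending Keepalives, which matches the note that the connection only comes back after the peer configuration is edited.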
Example Scenario
This is an example scenario for using BGP on the Zyxel Device.
Scenario: CE - PE (MPLS)
In this scenario, you want to transmit BGP packets from a CE router (Zyxel Device) to a peer BGP PE router in an MPLS network.
CE - PE Configuration Process
The process for configuring BGP in this scenario is:
1 Configure the AS number for BGP on the Zyxel Device (CE) in Configuration > Network > Routing > BGP.
Note: The Zyxel Device can only belong to one AS at a time.
2 Configure the AS number and BGP criteria of the peer BGP routers (PE) in the neighboring AS in Configuration > Network > Routing > BGP > Add Neighbors.
Note: The maximum number of neighboring BGP routers supported by the Zyxel Device is 5.
3 Configure the network for BGP routes in the neighboring AS.
Note: You may configure up to 16 network routes.